Merge branch 'master' into Basilisk-releasev2018.12.18

1212 files changed, 66928 insertions, 69790 deletions

diff --git a/CLOBBER b/CLOBBER
index 12431db715..481f9e1dd8 100644
--- a/CLOBBER
+++ b/CLOBBER
@@ -22,4 +22,4 @@
 # changes to stick? As of bug 928195, this shouldn't be necessary! Please
 # don't change CLOBBER for WebIDL changes any more.
 
-Clobber for updating ffvpx to 4.0.2
+Clobber for NSPR+NSS update
diff --git a/application/basilisk/base/content/browser-fxaccounts.js b/application/basilisk/base/content/browser-fxaccounts.js
index 94a591f1e5..e1d556bff5 100644
--- a/application/basilisk/base/content/browser-fxaccounts.js
+++ b/application/basilisk/base/content/browser-fxaccounts.js
@@ -77,15 +77,6 @@ var gFxAccounts = {
     return Weave.Status.login == Weave.LOGIN_FAILED_LOGIN_REJECTED;
   },
 
-  get sendTabToDeviceEnabled() {
-    return Services.prefs.getBoolPref("services.sync.sendTabToDevice.enabled");
-  },
-
-  get remoteClients() {
-    return Weave.Service.clientsEngine.remoteClients
-           .sort((a, b) => a.name.localeCompare(b.name));
-  },
-
   init: function () {
     // Bail out if we're already initialized and for pop-up windows.
     if (this._initialized || !window.toolbar.visible) {
@@ -153,11 +144,6 @@ var gFxAccounts = {
       profileInfoEnabled = Services.prefs.getBoolPref("identity.fxaccounts.profile_image.enabled");
     } catch (e) { }
 
-    // Bail out if FxA is disabled.
-    if (!this.weave.fxAccountsEnabled) {
-      return Promise.resolve();
-    }
-
     this.panelUIFooter.hidden = false;
 
     // Make sure the button is disabled in customization mode.
@@ -176,6 +162,7 @@ var gFxAccounts = {
     let defaultLabel = this.panelUIStatus.getAttribute("defaultlabel");
     let errorLabel = this.panelUIStatus.getAttribute("errorlabel");
     let unverifiedLabel = this.panelUIStatus.getAttribute("unverifiedlabel");
+    let settingslabel = this.panelUIStatus.getAttribute("settingslabel");
     // The localization string is for the signed in text, but it's the default text as well
     let defaultTooltiptext = this.panelUIStatus.getAttribute("signedinTooltiptext");
 
@@ -191,34 +178,19 @@ var gFxAccounts = {
       this.panelUIFooter.removeAttribute("fxastatus");
       this.panelUIFooter.removeAttribute("fxaprofileimage");
       this.panelUIAvatar.style.removeProperty("list-style-image");
-      let showErrorBadge = false;
-      if (userData) {
-        // At this point we consider the user as logged-in (but still can be in an error state)
-        if (this.loginFailed) {
-          let tooltipDescription = this.strings.formatStringFromName("reconnectDescription", [userData.email], 1);
-          this.panelUIFooter.setAttribute("fxastatus", "error");
-          this.panelUILabel.setAttribute("label", errorLabel);
-          this.panelUIStatus.setAttribute("tooltiptext", tooltipDescription);
-          showErrorBadge = true;
-        } else if (!userData.verified) {
-          let tooltipDescription = this.strings.formatStringFromName("verifyDescription", [userData.email], 1);
-          this.panelUIFooter.setAttribute("fxastatus", "error");
-          this.panelUIFooter.setAttribute("unverified", "true");
-          this.panelUILabel.setAttribute("label", unverifiedLabel);
-          this.panelUIStatus.setAttribute("tooltiptext", tooltipDescription);
-          showErrorBadge = true;
-        } else {
-          this.panelUIFooter.setAttribute("fxastatus", "signedin");
-          this.panelUILabel.setAttribute("label", userData.email);
-        }
-        if (profileInfoEnabled) {
-          this.panelUIFooter.setAttribute("fxaprofileimage", "enabled");
-        }
+
+      if (Weave.Status.service == Weave.CLIENT_NOT_CONFIGURED) {
+        // Leave the default state
+        return;
       }
-      if (showErrorBadge) {
-        gMenuButtonBadgeManager.addBadge(gMenuButtonBadgeManager.BADGEID_FXA, "fxa-needs-authentication");
+
+      if (this.loginFailed) {
+        this.panelUIFooter.setAttribute("fxastatus", "error");
+        this.panelUILabel.setAttribute("label", errorLabel);
       } else {
-        gMenuButtonBadgeManager.removeBadge(gMenuButtonBadgeManager.BADGEID_FXA);
+        this.panelUIFooter.setAttribute("fxastatus", "signedin");
+        this.panelUILabel.setAttribute("label", settingslabel);
+        this.panelUIStatus.setAttribute("tooltiptext", "");       
       }
     }
 
@@ -322,81 +294,12 @@ var gFxAccounts = {
     this.openAccountsPage("reauth", { entrypoint: entryPoint });
   },
 
-  sendTabToDevice: function (url, clientId, title) {
-    Weave.Service.clientsEngine.sendURIToClientForDisplay(url, clientId, title);
-  },
-
-  populateSendTabToDevicesMenu: function (devicesPopup, url, title) {
-    // remove existing menu items
-    while (devicesPopup.hasChildNodes()) {
-      devicesPopup.removeChild(devicesPopup.firstChild);
-    }
-
-    const fragment = document.createDocumentFragment();
-
-    const onTargetDeviceCommand = (event) => {
-      const clientId = event.target.getAttribute("clientId");
-      const clients = clientId
-                      ? [clientId]
-                      : this.remoteClients.map(client => client.id);
-
-      clients.forEach(clientId => this.sendTabToDevice(url, clientId, title));
-    }
-
-    function addTargetDevice(clientId, name) {
-      const targetDevice = document.createElement("menuitem");
-      targetDevice.addEventListener("command", onTargetDeviceCommand, true);
-      targetDevice.setAttribute("class", "sendtab-target");
-      targetDevice.setAttribute("clientId", clientId);
-      targetDevice.setAttribute("label", name);
-      fragment.appendChild(targetDevice);
-    }
-
-    const clients = this.remoteClients;
-    for (let client of clients) {
-      addTargetDevice(client.id, client.name);
-    }
-
-    // "All devices" menu item
-    if (clients.length > 1) {
-      const separator = document.createElement("menuseparator");
-      fragment.appendChild(separator);
-      const allDevicesLabel = this.strings.GetStringFromName("sendTabToAllDevices.menuitem");
-      addTargetDevice("", allDevicesLabel);
-    }
-
-    devicesPopup.appendChild(fragment);
-  },
-
   updateTabContextMenu: function (aPopupMenu) {
-    if (!this.sendTabToDeviceEnabled) {
-      return;
-    }
-
-    const remoteClientPresent = this.remoteClients.length > 0;
-    ["context_sendTabToDevice", "context_sendTabToDevice_separator"]
-    .forEach(id => { document.getElementById(id).hidden = !remoteClientPresent });
+    // STUB
   },
 
   initPageContextMenu: function (contextMenu) {
-    if (!this.sendTabToDeviceEnabled) {
-      return;
-    }
-
-    const remoteClientPresent = this.remoteClients.length > 0;
-    // showSendLink and showSendPage are mutually exclusive
-    const showSendLink = remoteClientPresent
-                         && (contextMenu.onSaveableLink || contextMenu.onPlainTextLink);
-    const showSendPage = !showSendLink && remoteClientPresent
-                         && !(contextMenu.isContentSelected ||
-                              contextMenu.onImage || contextMenu.onCanvas ||
-                              contextMenu.onVideo || contextMenu.onAudio ||
-                              contextMenu.onLink || contextMenu.onTextInput);
-
-    ["context-sendpagetodevice", "context-sep-sendpagetodevice"]
-    .forEach(id => contextMenu.showItem(id, showSendPage));
-    ["context-sendlinktodevice", "context-sep-sendlinktodevice"]
-    .forEach(id => contextMenu.showItem(id, showSendLink));
+    // STUB
   }
 };
 
diff --git a/application/basilisk/base/content/browser-syncui.js b/application/basilisk/base/content/browser-syncui.js
index 51bcb15d5f..3a57140f29 100644
--- a/application/basilisk/base/content/browser-syncui.js
+++ b/application/basilisk/base/content/browser-syncui.js
@@ -19,6 +19,7 @@ var gSyncUI = {
   _obs: ["weave:service:sync:start",
          "weave:service:sync:finish",
          "weave:service:sync:error",
+         "weave:service:quota:remaining",
          "weave:service:setup-complete",
          "weave:service:login:start",
          "weave:service:login:finish",
@@ -246,6 +247,21 @@ var gSyncUI = {
     this.updateUI();
   },
 
+  onQuotaNotice: function onQuotaNotice(subject, data) {
+    let title = this._stringBundle.GetStringFromName("warning.sync.quota.label");
+    let description = this._stringBundle.GetStringFromName("warning.sync.quota.description");
+    let buttons = [];
+    buttons.push(new Weave.NotificationButton(
+      this._stringBundle.GetStringFromName("error.sync.viewQuotaButton.label"),
+      this._stringBundle.GetStringFromName("error.sync.viewQuotaButton.accesskey"),
+      function() { gSyncUI.openQuotaDialog(); return true; }
+    ));
+
+    let notification = new Weave.Notification(
+      title, description, null, Weave.Notifications.PRIORITY_WARNING, buttons);
+    Weave.Notifications.replaceTitle(notification);
+  },
+
   _getAppName: function () {
     let brand = new StringBundle("chrome://branding/locale/brand.properties");
     return brand.get("brandShortName");
@@ -293,17 +309,13 @@ var gSyncUI = {
    */
 
   openSetup: function SUI_openSetup(wizardType, entryPoint = "syncbutton") {
-    if (this.weaveService.fxAccountsEnabled) {
-      this.openPrefs(entryPoint);
-    } else {
-      let win = Services.wm.getMostRecentWindow("Weave:AccountSetup");
-      if (win)
-        win.focus();
-      else {
-        window.openDialog("chrome://browser/content/sync/setup.xul",
-                          "weaveSetup", "centerscreen,chrome,resizable=no",
-                          wizardType);
-      }
+    let win = Services.wm.getMostRecentWindow("Weave:AccountSetup");
+    if (win)
+      win.focus();
+    else {
+      window.openDialog("chrome://browser/content/sync/setup.xul",
+                        "weaveSetup", "centerscreen,chrome,resizable=no",
+                        wizardType);
     }
   },
 
@@ -328,23 +340,6 @@ var gSyncUI = {
     gFxAccounts.openSignInAgainPage(entryPoint);
   },
 
-  openSyncedTabsPanel() {
-    let placement = CustomizableUI.getPlacementOfWidget("sync-button");
-    let area = placement ? placement.area : CustomizableUI.AREA_NAVBAR;
-    let anchor = document.getElementById("sync-button") ||
-                 document.getElementById("PanelUI-menu-button");
-    if (area == CustomizableUI.AREA_PANEL) {
-      // The button is in the panel, so we need to show the panel UI, then our
-      // subview.
-      PanelUI.show().then(() => {
-        PanelUI.showSubView("PanelUI-remotetabs", anchor, area);
-      }).catch(Cu.reportError);
-    } else {
-      // It is placed somewhere else - just try and show it.
-      PanelUI.showSubView("PanelUI-remotetabs", anchor, area);
-    }
-  },
-
   /* After Sync is initialized we perform a once-only check for the sync
      button being in "customize purgatory" and if so, move it to the panel.
      This is done primarily for profiles created before SyncedTabs landed,
@@ -456,6 +451,32 @@ var gSyncUI = {
     }
   },
 
+  onSyncError: function SUI_onSyncError() {
+    this.log.debug("onSyncError: login=${login}, sync=${sync}", Weave.Status);
+    let title = this._stringBundle.GetStringFromName("error.sync.title");
+    let error = Weave.Utils.getErrorString(Weave.Status.sync);
+    let description =
+        this._stringBundle.formatStringFromName("error.sync.description", [error], 1);
+    let priority = Weave.Notifications.PRIORITY_WARNING;
+    let buttons = [];
+
+    if (Weave.Status.sync == Weave.OVER_QUOTA) {
+      description = this._stringBundle.GetStringFromName("error.sync.quota.description");
+      buttons.push(new Weave.NotificationButton(
+        this._stringBundle.GetStringFromName("error.sync.viewQuotaButton.label"),
+        this._stringBundle.GetStringFromName("error.sync.viewQuotaButton.accesskey"),
+        function() { gSyncUI.openQuotaDialog(); return true; } )
+      );
+      // Only show the notification bar on Quota error. the panel will show the rest.
+      let notification =
+        new Weave.Notification(title, description, null, priority, buttons);
+      Weave.Notifications.replaceTitle(notification);
+    }
+
+    this.updateUI();
+  },
+
+
   observe: function SUI_observe(subject, topic, data) {
     this.log.debug("observed", topic);
     if (this._unloaded) {
@@ -487,12 +508,17 @@ var gSyncUI = {
         // Do nothing.
         break;
       case "weave:ui:sync:error":
+        this.onSyncError();
+        break;
       case "weave:service:setup-complete":
       case "weave:service:login:finish":
       case "weave:service:login:start":
       case "weave:service:start-over":
         this.updateUI();
         break;
+      case "weave:service:quota:remaining":
+        this.onQuotaNotice();
+        break;
       case "weave:ui:login:error":
       case "weave:service:login:error":
         this.onLoginError();
diff --git a/application/basilisk/base/content/browser.js b/application/basilisk/base/content/browser.js
index d459561913..9fb997a429 100644
--- a/application/basilisk/base/content/browser.js
+++ b/application/basilisk/base/content/browser.js
@@ -6347,7 +6347,7 @@ function checkEmptyPageOrigin(browser = gBrowser.selectedBrowser,
 }
 
 function BrowserOpenSyncTabs() {
-  gSyncUI.openSyncedTabsPanel();
+  switchToTabHavingURI("about:sync-tabs", true);
 }
 
 /**
diff --git a/application/palemoon/base/content/sync/quota.js b/application/basilisk/base/content/sync/quota.js
index 1285a8d54d..b416a44cc2 100644
--- a/application/palemoon/base/content/sync/quota.js
+++ b/application/basilisk/base/content/sync/quota.js
@@ -174,38 +174,6 @@ var gUsageTreeView = {
     let collection = this._collections[row];
     collection.enabled = !collection.enabled;
     this.treeBox.invalidateRow(row);
-
-    // Display which ones will be removed 
-    let freeup = 0;
-    let toremove = [];
-    for each (collection in this._collections) {
-      if (collection.enabled)
-        continue;
-      toremove.push(collection.name);
-      freeup += collection.size;
-    }
-
-    let caption = document.getElementById("treeCaption");
-    if (!toremove.length) {
-      caption.className = "";
-      caption.firstChild.nodeValue = gSyncQuota.bundle.getString(
-        "quota.treeCaption.label");
-      return;
-    }
-
-    // Tycho: toremove = [this._byname[coll].title for each (coll in toremove)];
-    let toremovetitles = [];
-    for (let coll in toremove) {
-      toremovetitles.push(this._byname[coll].title);
-    }
-    
-    toremovetitles = toremovetitles.join(gSyncQuota.bundle.getString("quota.list.separator"));
-    caption.firstChild.nodeValue = gSyncQuota.bundle.getFormattedString(
-      "quota.removal.label", [toremovetitles]);
-    if (freeup)
-      caption.firstChild.nodeValue += gSyncQuota.bundle.getFormattedString(
-        "quota.freeup.label", gSyncQuota.convertKB(freeup));
-    caption.className = "captionWarning";
   },
 
   /*
diff --git a/application/palemoon/base/content/sync/quota.xul b/application/basilisk/base/content/sync/quota.xul
index 99e6ed78b7..99e6ed78b7 100644
--- a/application/palemoon/base/content/sync/quota.xul
+++ b/application/basilisk/base/content/sync/quota.xul
diff --git a/application/basilisk/base/jar.mn b/application/basilisk/base/jar.mn
index 5ec92d79a8..c288685b94 100644
--- a/application/basilisk/base/jar.mn
+++ b/application/basilisk/base/jar.mn
@@ -150,6 +150,8 @@ browser.jar:
         content/browser/sync/customize.xul            (content/sync/customize.xul)
         content/browser/sync/customize.js             (content/sync/customize.js)
         content/browser/sync/customize.css            (content/sync/customize.css)
+        content/browser/sync/quota.xul                (content/sync/quota.xul)
+        content/browser/sync/quota.js                 (content/sync/quota.js)
         content/browser/safeMode.css                  (content/safeMode.css)
         content/browser/safeMode.js                   (content/safeMode.js)
         content/browser/safeMode.xul                  (content/safeMode.xul)
diff --git a/application/basilisk/components/customizableui/CustomizableWidgets.jsm b/application/basilisk/components/customizableui/CustomizableWidgets.jsm
index 642e06f0fb..09b3f167e3 100644
--- a/application/basilisk/components/customizableui/CustomizableWidgets.jsm
+++ b/application/basilisk/components/customizableui/CustomizableWidgets.jsm
@@ -23,8 +23,6 @@ XPCOMUtils.defineLazyModuleGetter(this, "CharsetMenu",
   "resource://gre/modules/CharsetMenu.jsm");
 XPCOMUtils.defineLazyModuleGetter(this, "PrivateBrowsingUtils",
   "resource://gre/modules/PrivateBrowsingUtils.jsm");
-XPCOMUtils.defineLazyModuleGetter(this, "SyncedTabs",
-  "resource://services-sync/SyncedTabs.jsm");
 XPCOMUtils.defineLazyModuleGetter(this, "ContextualIdentityService",
   "resource://gre/modules/ContextualIdentityService.jsm");
 
@@ -312,77 +310,6 @@ const CustomizableWidgets = [
       obnode.setAttribute("element", "sync-status");
       obnode.setAttribute("attribute", "syncstatus");
       aNode.appendChild(obnode);
-
-      // A somewhat complicated dance to format the mobilepromo label.
-      let bundle = doc.getElementById("bundle_browser");
-      let formatArgs = ["android", "ios"].map(os => {
-        let link = doc.createElement("label");
-        link.textContent = bundle.getString(`appMenuRemoteTabs.mobilePromo.${os}`);
-        link.setAttribute("mobile-promo-os", os);
-        link.className = "text-link remotetabs-promo-link";
-        return link.outerHTML;
-      });
-      let promoParentElt = doc.getElementById("PanelUI-remotetabs-mobile-promo");
-      // Put it all together...
-      let contents = bundle.getFormattedString("appMenuRemoteTabs.mobilePromo.text2", formatArgs);
-      promoParentElt.innerHTML = contents;
-      // We manually manage the "click" event to open the promo links because
-      // allowing the "text-link" widget handle it has 2 problems: (1) it only
-      // supports button 0 and (2) it's tricky to intercept when it does the
-      // open and auto-close the panel. (1) can probably be fixed, but (2) is
-      // trickier without hard-coding here the knowledge of exactly what buttons
-      // it does support.
-      // So we allow left and middle clicks to open the link in a new tab and
-      // close the panel; not setting a "href" attribute prevents the text-link
-      // widget handling it, and we build the final URL in the click handler to
-      // make testing easier (ie, so tests can change the pref after the links
-      // were created and have the new pref value used.)
-      promoParentElt.addEventListener("click", e => {
-        let os = e.target.getAttribute("mobile-promo-os");
-        if (!os || e.button > 1) {
-          return;
-        }
-        let link = Services.prefs.getCharPref(`identity.mobilepromo.${os}`) + "synced-tabs";
-        doc.defaultView.openUILinkIn(link, "tab");
-        CustomizableUI.hidePanelForNode(e.target);
-      });
-    },
-    onViewShowing(aEvent) {
-      let doc = aEvent.target.ownerDocument;
-      this._tabsList = doc.getElementById("PanelUI-remotetabs-tabslist");
-      Services.obs.addObserver(this, SyncedTabs.TOPIC_TABS_CHANGED, false);
-
-      if (SyncedTabs.isConfiguredToSyncTabs) {
-        if (SyncedTabs.hasSyncedThisSession) {
-          this.setDeckIndex(this.deckIndices.DECKINDEX_TABS);
-        } else {
-          // Sync hasn't synced tabs yet, so show the "fetching" panel.
-          this.setDeckIndex(this.deckIndices.DECKINDEX_FETCHING);
-        }
-        // force a background sync.
-        SyncedTabs.syncTabs().catch(ex => {
-          Cu.reportError(ex);
-        });
-        // show the current list - it will be updated by our observer.
-        this._showTabs();
-      } else {
-        // not configured to sync tabs, so no point updating the list.
-        this.setDeckIndex(this.deckIndices.DECKINDEX_TABSDISABLED);
-      }
-    },
-    onViewHiding() {
-      Services.obs.removeObserver(this, SyncedTabs.TOPIC_TABS_CHANGED);
-      this._tabsList = null;
-    },
-    _tabsList: null,
-    observe(subject, topic, data) {
-      switch (topic) {
-        case SyncedTabs.TOPIC_TABS_CHANGED:
-          this._showTabs();
-          break;
-        default:
-          break;
-      }
     },
     setDeckIndex(index) {
       let deck = this._tabsList.ownerDocument.getElementById("PanelUI-remotetabs-deck");
diff --git a/application/basilisk/components/customizableui/content/panelUI.inc.xul b/application/basilisk/components/customizableui/content/panelUI.inc.xul
index e389b14bfb..8ebd933278 100644
--- a/application/basilisk/components/customizableui/content/panelUI.inc.xul
+++ b/application/basilisk/components/customizableui/content/panelUI.inc.xul
@@ -23,10 +23,11 @@
         <hbox id="PanelUI-footer-fxa">
           <hbox id="PanelUI-fxa-status"
                 defaultlabel="&fxaSignIn.label;"
-                signedinTooltiptext="&fxaSignedIn.tooltip;"
-                tooltiptext="&fxaSignedIn.tooltip;"
+                signedinTooltiptext="&syncSettings.label;"
+                tooltiptext="&syncSettings.label;"
                 errorlabel="&fxaSignInError.label;"
                 unverifiedlabel="&fxaUnverified.label;"
+                settingslabel="&syncSettings.label;"
                 onclick="if (event.which == 1) gFxAccounts.onMenuPanelCommand();">
             <image id="PanelUI-fxa-avatar"/>
             <toolbarbutton id="PanelUI-fxa-label"
@@ -111,7 +112,7 @@
           <vbox id="PanelUI-remotetabs-buttons">
             <toolbarbutton id="PanelUI-remotetabs-view-sidebar"
                            class="subviewbutton"
-                           observes="viewTabsSidebar"
+                           oncommand="BrowserOpenSyncTabs();"
                            label="&appMenuRemoteTabs.sidebar.label;"/>
             <toolbarbutton id="PanelUI-remotetabs-syncnow"
                            observes="sync-status"
diff --git a/application/basilisk/components/preferences/in-content/sync.js b/application/basilisk/components/preferences/in-content/sync.js
index 27f7cd48ce..2600677a82 100644
--- a/application/basilisk/components/preferences/in-content/sync.js
+++ b/application/basilisk/components/preferences/in-content/sync.js
@@ -306,113 +306,8 @@ var gSyncPane = {
     let service = Components.classes["@mozilla.org/weave/service;1"]
                   .getService(Components.interfaces.nsISupports)
                   .wrappedJSObject;
-    // service.fxAccountsEnabled is false iff sync is already configured for
-    // the legacy provider.
-    if (service.fxAccountsEnabled) {
-      let displayNameLabel = document.getElementById("fxaDisplayName");
-      let fxaEmailAddress1Label = document.getElementById("fxaEmailAddress1");
-      fxaEmailAddress1Label.hidden = false;
-      displayNameLabel.hidden = true;
-
-      let profileInfoEnabled;
-      try {
-        profileInfoEnabled = Services.prefs.getBoolPref("identity.fxaccounts.profile_image.enabled");
-      } catch (ex) {}
-
-      // determine the fxa status...
-      this._showLoadPage(service);
-
-      fxAccounts.getSignedInUser().then(data => {
-        if (!data) {
-          this.page = FXA_PAGE_LOGGED_OUT;
-          return false;
-        }
-        this.page = FXA_PAGE_LOGGED_IN;
-        // We are logged in locally, but maybe we are in a state where the
-        // server rejected our credentials (eg, password changed on the server)
-        let fxaLoginStatus = document.getElementById("fxaLoginStatus");
-        let syncReady;
-        // Not Verfied implies login error state, so check that first.
-        if (!data.verified) {
-          fxaLoginStatus.selectedIndex = FXA_LOGIN_UNVERIFIED;
-          syncReady = false;
-        // So we think we are logged in, so login problems are next.
-        // (Although if the Sync identity manager is still initializing, we
-        // ignore login errors and assume all will eventually be good.)
-        // LOGIN_FAILED_LOGIN_REJECTED explicitly means "you must log back in".
-        // All other login failures are assumed to be transient and should go
-        // away by themselves, so aren't reflected here.
-        } else if (Weave.Status.login == Weave.LOGIN_FAILED_LOGIN_REJECTED) {
-          fxaLoginStatus.selectedIndex = FXA_LOGIN_FAILED;
-          syncReady = false;
-        // Else we must be golden (or in an error state we expect to magically
-        // resolve itself)
-        } else {
-          fxaLoginStatus.selectedIndex = FXA_LOGIN_VERIFIED;
-          syncReady = true;
-        }
-        fxaEmailAddress1Label.textContent = data.email;
-        document.getElementById("fxaEmailAddress2").textContent = data.email;
-        document.getElementById("fxaEmailAddress3").textContent = data.email;
-        this._populateComputerName(Weave.Service.clientsEngine.localName);
-        let engines = document.getElementById("fxaSyncEngines")
-        for (let checkbox of engines.querySelectorAll("checkbox")) {
-          checkbox.disabled = !syncReady;
-        }
-        document.getElementById("fxaChangeDeviceName").disabled = !syncReady;
-
-        // Clear the profile image (if any) of the previously logged in account.
-        document.getElementById("fxaProfileImage").style.removeProperty("list-style-image");
-
-        // If the account is verified the next promise in the chain will
-        // fetch profile data.
-        return data.verified;
-      }).then(isVerified => {
-        if (isVerified) {
-          return fxAccounts.getSignedInUserProfile();
-        }
-        return null;
-      }).then(data => {
-        let fxaLoginStatus = document.getElementById("fxaLoginStatus");
-        if (data && profileInfoEnabled) {
-          if (data.displayName) {
-            fxaLoginStatus.setAttribute("hasName", true);
-            displayNameLabel.hidden = false;
-            displayNameLabel.textContent = data.displayName;
-          } else {
-            fxaLoginStatus.removeAttribute("hasName");
-          }
-          if (data.avatar) {
-            let bgImage = "url(\"" + data.avatar + "\")";
-            let profileImageElement = document.getElementById("fxaProfileImage");
-            profileImageElement.style.listStyleImage = bgImage;
-
-            let img = new Image();
-            img.onerror = () => {
-              // Clear the image if it has trouble loading. Since this callback is asynchronous
-              // we check to make sure the image is still the same before we clear it.
-              if (profileImageElement.style.listStyleImage === bgImage) {
-                profileImageElement.style.removeProperty("list-style-image");
-              }
-            };
-            img.src = data.avatar;
-          }
-        } else {
-          fxaLoginStatus.removeAttribute("hasName");
-        }
-      }, err => {
-        FxAccountsCommon.log.error(err);
-      }).catch(err => {
-        // If we get here something's really busted
-        Cu.reportError(String(err));
-      });
-
-    // If fxAccountEnabled is false and we are in a "not configured" state,
-    // then fxAccounts is probably fully disabled rather than just unconfigured,
-    // so handle this case.  This block can be removed once we remove support
-    // for fxAccounts being disabled.
-    } else if (Weave.Status.service == Weave.CLIENT_NOT_CONFIGURED ||
-               Weave.Svc.Prefs.get("firstSync", "") == "notReady") {
+    if (Weave.Status.service == Weave.CLIENT_NOT_CONFIGURED ||
+        Weave.Svc.Prefs.get("firstSync", "") == "notReady") {
       this.page = PAGE_NO_ACCOUNT;
     // else: sync was previously configured for the legacy provider, so we
     // make the "old" panels available.
@@ -646,6 +541,16 @@ var gSyncPane = {
     });
   },
 
+  openQuotaDialog: function () {
+    let win = Services.wm.getMostRecentWindow("Sync:ViewQuota");
+    if (win) {
+      win.focus();
+    } else {
+      window.openDialog("chrome://browser/content/sync/quota.xul", "",
+                        "centerscreen,chrome,dialog,modal");
+    }
+  },
+
   openAddDevice: function () {
     if (!Weave.Utils.ensureMPUnlocked())
       return;
diff --git a/application/basilisk/components/preferences/in-content/sync.xul b/application/basilisk/components/preferences/in-content/sync.xul
index f1aebf2aad..cf0e81ca1c 100644
--- a/application/basilisk/components/preferences/in-content/sync.xul
+++ b/application/basilisk/components/preferences/in-content/sync.xul
@@ -71,6 +71,9 @@
                 label="&manageAccount.label;"
                 accesskey="&manageAccount.accesskey;">
           <menupopup>
+            <menuitem id="syncViewQuota" label="&viewQuota.label;"
+                      oncommand="gSyncPane.openQuotaDialog();"/>
+            <menuseparator/> 
             <menuitem id="syncChangePassword" label="&changePassword2.label;"/>
             <menuitem id="syncResetPassphrase" label="&myRecoveryKey.label;"/>
             <menuseparator/>
@@ -91,11 +94,6 @@
         <richlistbox id="syncEnginesList"
                      orient="vertical">
           <richlistitem>
-            <checkbox label="&engine.addons.label;"
-                      accesskey="&engine.addons.accesskey;"
-                      preference="engine.addons"/>
-          </richlistitem>
-          <richlistitem>
             <checkbox label="&engine.bookmarks.label;"
                       accesskey="&engine.bookmarks.accesskey;"
                       preference="engine.bookmarks"/>
diff --git a/application/basilisk/confvars.sh b/application/basilisk/confvars.sh
index 48985f16ad..62aa1a84f6 100644
--- a/application/basilisk/confvars.sh
+++ b/application/basilisk/confvars.sh
@@ -8,7 +8,7 @@ MOZ_APP_VENDOR=Moonchild
 MOZ_PHOENIX=1
 MOZ_AUSTRALIS=1
 MC_BASILISK=1
-MOZ_UPDATER=1
+MOZ_UPDATER=
 
 if test "$OS_ARCH" = "WINNT" -o \
         "$OS_ARCH" = "Linux"; then
@@ -45,9 +45,9 @@ MOZ_APP_ID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}
 # This should usually be the same as the value MAR_CHANNEL_ID.
 # If more than one ID is needed, then you should use a comma separated list
 # of values.
-ACCEPTED_MAR_CHANNEL_IDS=basilisk-release
+ACCEPTED_MAR_CHANNEL_IDS=unofficial,unstable,release
 # The MAR_CHANNEL_ID must not contain the following 3 characters: ",\t "
-MAR_CHANNEL_ID=basilisk-release
+MAR_CHANNEL_ID=unofficial
 
 # Features
 MOZ_PROFILE_MIGRATOR=1
@@ -61,7 +61,7 @@ MOZ_SERVICES_COMMON=1
 MOZ_SERVICES_SYNC=1
 MOZ_SERVICES_HEALTHREPORT=
 MOZ_SAFE_BROWSING=
-
+MOZ_GAMEPAD=1
 # Disable checking that add-ons are signed by the trusted root
 MOZ_ADDON_SIGNING=0
 MOZ_REQUIRE_SIGNING=0
diff --git a/application/basilisk/installer/package-manifest.in b/application/basilisk/installer/package-manifest.in
index 35060ea5ea..485bc49174 100644
--- a/application/basilisk/installer/package-manifest.in
+++ b/application/basilisk/installer/package-manifest.in
@@ -140,13 +140,6 @@
 @RESPATH@/run-mozilla.sh
 #endif
 #endif
-#ifdef XP_WIN
-#ifdef _AMD64_
-@BINPATH@/@DLL_PREFIX@qipcap64@DLL_SUFFIX@
-#else
-@BINPATH@/@DLL_PREFIX@qipcap@DLL_SUFFIX@
-#endif
-#endif
 
 ; [Components]
 #ifdef MOZ_ARTIFACT_BUILDS
diff --git a/application/basilisk/locales/en-US/chrome/browser/browser.dtd b/application/basilisk/locales/en-US/chrome/browser/browser.dtd
index 09da91dee2..d02a6eedb6 100644
--- a/application/basilisk/locales/en-US/chrome/browser/browser.dtd
+++ b/application/basilisk/locales/en-US/chrome/browser/browser.dtd
@@ -116,10 +116,9 @@ These should match what Safari and other Apple applications use on OS X Lion. --
 <!ENTITY toggleReaderMode.key "R">
 
 <!ENTITY fxaSignIn.label "Sign in to &syncBrand.shortName.label;">
-<!ENTITY fxaSignedIn.tooltip "Open &syncBrand.shortName.label; preferences">
 <!ENTITY fxaSignInError.label "Reconnect to &syncBrand.shortName.label;">
 <!ENTITY fxaUnverified.label "Verify Your Account">
-
+<!ENTITY syncSettings.label "Open &syncBrand.shortName.label; settings">
 
 <!ENTITY fullScreenMinimize.tooltip "Minimize">
 <!ENTITY fullScreenRestore.tooltip "Restore">
@@ -349,7 +348,7 @@ These should match what Safari and other Apple applications use on OS X Lion. --
 <!ENTITY appMenuRemoteTabs.openprefs.label "Sync Preferences">
 <!ENTITY appMenuRemoteTabs.notsignedin.label "Sign in to view a list of tabs from your other devices.">
 <!ENTITY appMenuRemoteTabs.signin.label "Sign in to Sync">
-<!ENTITY appMenuRemoteTabs.sidebar.label "View Synced Tabs Sidebar">
+<!ENTITY appMenuRemoteTabs.sidebar.label "View Synced Tabs">
 
 <!ENTITY customizeMenu.addToToolbar.label "Add to Toolbar">
 <!ENTITY customizeMenu.addToToolbar.accesskey "A">
diff --git a/application/basilisk/locales/en-US/chrome/browser/preferences/sync.dtd b/application/basilisk/locales/en-US/chrome/browser/preferences/sync.dtd
index 78cadd74c2..a5b2900521 100644
--- a/application/basilisk/locales/en-US/chrome/browser/preferences/sync.dtd
+++ b/application/basilisk/locales/en-US/chrome/browser/preferences/sync.dtd
@@ -16,6 +16,7 @@
 <!-- Manage Account -->
 <!ENTITY manageAccount.label          "Manage Account">
 <!ENTITY manageAccount.accesskey      "n">
+<!ENTITY viewQuota.label              "View Quota">
 <!ENTITY changePassword2.label        "Change Password…">
 <!ENTITY myRecoveryKey.label          "My Recovery Key">
 <!ENTITY resetSync2.label             "Reset Sync…">
diff --git a/application/basilisk/locales/en-US/chrome/browser/syncBrand.dtd b/application/basilisk/locales/en-US/chrome/browser/syncBrand.dtd
index 0c9e9201ac..71a9f68af8 100644
--- a/application/basilisk/locales/en-US/chrome/browser/syncBrand.dtd
+++ b/application/basilisk/locales/en-US/chrome/browser/syncBrand.dtd
@@ -3,5 +3,5 @@
    - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
 
 <!ENTITY syncBrand.shortName.label  "Sync">
-<!ENTITY syncBrand.fullName.label   "Firefox Sync">
+<!ENTITY syncBrand.fullName.label   "Pale Moon Sync">
 <!ENTITY syncBrand.fxAccount.label  "Firefox Account">
diff --git a/application/basilisk/locales/en-US/chrome/browser/syncSetup.dtd b/application/basilisk/locales/en-US/chrome/browser/syncSetup.dtd
index 950a83553f..2657156b75 100644
--- a/application/basilisk/locales/en-US/chrome/browser/syncSetup.dtd
+++ b/application/basilisk/locales/en-US/chrome/browser/syncSetup.dtd
@@ -16,7 +16,7 @@
 
 <!-- New Account AND Existing Account -->
 <!ENTITY server.label               "Server">
-<!ENTITY serverType.default.label      "Default: Mozilla &syncBrand.fullName.label; server">
+<!ENTITY serverType.default.label      "Default: &syncBrand.fullName.label; server">
 <!ENTITY serverType.custom2.label   "Use a custom server…">
 <!ENTITY signIn.account2.label      "Account">
 <!ENTITY signIn.account2.accesskey  "A">
diff --git a/application/palemoon/app/moz.build b/application/palemoon/app/moz.build
index 8b358b6228..c11f4c37ed 100644
--- a/application/palemoon/app/moz.build
+++ b/application/palemoon/app/moz.build
@@ -6,7 +6,6 @@
 
 DIRS += ['profile/extensions']
 
-
 GeckoProgram(CONFIG['MOZ_APP_NAME'])
 
 JS_PREFERENCE_PP_FILES += [
@@ -18,18 +17,14 @@ if CONFIG['LIBXUL_SDK']:
         'profile/channel-prefs.js',
     ]
 
-SOURCES += [
-    'nsBrowserApp.cpp',
-]
+SOURCES += ['nsBrowserApp.cpp']
 
 FINAL_TARGET_FILES += ['blocklist.xml']
 FINAL_TARGET_FILES.defaults.profile += ['profile/prefs.js']
 
 DEFINES['APP_VERSION'] = CONFIG['MOZ_APP_VERSION']
 
-LOCAL_INCLUDES += [
-    '!/build',
-]
+LOCAL_INCLUDES += ['!/build']
 
 LOCAL_INCLUDES += [
     '/toolkit/xre',
@@ -37,9 +32,7 @@ LOCAL_INCLUDES += [
     '/xpcom/build',
 ]
 
-USE_LIBS += [
-    'mozglue',
-]
+USE_LIBS += ['mozglue']
 
 if CONFIG['_MSC_VER']:
     # Always enter a Windows program through wmain, whether or not we're
diff --git a/application/palemoon/app/profile/palemoon.js b/application/palemoon/app/profile/palemoon.js
index 15accd1467..1c6016f0fb 100644
--- a/application/palemoon/app/profile/palemoon.js
+++ b/application/palemoon/app/profile/palemoon.js
@@ -229,10 +229,10 @@ pref("keyword.enabled", true);
 pref("general.useragent.locale", "@AB_CD@");
 pref("general.skins.selectedSkin", "classic/1.0");
 
-// Native UA mode by default
+// Native UA mode by default for unbranded
 pref("general.useragent.compatMode", 0);
-pref("general.useragent.compatmode.gecko", false);
-pref("general.useragent.compatmode.firefox", false);
+pref("general.useragent.compatMode.gecko", false);
+pref("general.useragent.compatMode.firefox", false);
 
 pref("general.smoothScroll", true);
 #ifdef UNIX_BUT_NOT_MAC
@@ -264,6 +264,9 @@ pref("browser.slowStartup.maxSamples", 5);
 pref("browser.enable_automatic_image_resizing", true);
 pref("browser.chrome.site_icons", true);
 pref("browser.chrome.favicons", true);
+// If enabled, will process favicons by drawing them on a canvas,
+// optimizing display size for the UI. This also strips animations.
+pref("browser.chrome.favicons.process", false);
 // browser.warnOnQuit == false will override all other possible prompts when quitting or restarting
 pref("browser.warnOnQuit", true);
 // browser.showQuitWarning specifically controls the quit warning dialog. We
@@ -463,6 +466,10 @@ pref("browser.tabs.closeButtons", 1);
 // false  return to the adjacent tab (old default)
 pref("browser.tabs.selectOwnerOnClose", true);
 
+pref("browser.tabs.showAudioPlayingIcon", true);
+// This should match Chromium's audio indicator delay.
+pref("browser.tabs.delayHidingAudioPlayingIconMS", 3000);
+
 pref("browser.allTabs.previews", true);
 pref("browser.ctrlTab.previews", true);
 pref("browser.ctrlTab.recentlyUsedLimit", 7);
@@ -1148,19 +1155,6 @@ pref("toolkit.pageThumbs.minHeight", 180);
 pref("ui.key.menuAccessKeyFocuses", true);
 #endif
 
-// ****************** domain-specific UAs ******************
-
-// AMO needs "Firefox", obviously - pass on the OS (determined at build time)
-#ifdef XP_UNIX
-#ifdef XP_MACOSX
-pref("general.useragent.override.addons.mozilla.org","Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:27.0) Gecko/20100101 Firefox/27.0");
-#else
-pref("general.useragent.override.addons.mozilla.org","Mozilla/5.0 (Linux; X11; rv:27.0) Gecko/20100101 Firefox/27.0");
-#endif
-#else
-pref("general.useragent.override.addons.mozilla.org","Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0");
-#endif
-
 // ****************** s4e prefs ******************
 pref("status4evar.addonbar.borderStyle", false);
 pref("status4evar.addonbar.closeButton", false);
diff --git a/application/palemoon/base/content/browser-sets.inc b/application/palemoon/base/content/browser-sets.inc
index 25794a65ce..78fce26709 100644
--- a/application/palemoon/base/content/browser-sets.inc
+++ b/application/palemoon/base/content/browser-sets.inc
@@ -32,6 +32,7 @@
     <command id="cmd_printPreview" oncommand="PrintUtils.printPreview(PrintPreviewListener);"/>
     <command id="cmd_close" oncommand="BrowserCloseTabOrWindow()"/>
     <command id="cmd_closeWindow" oncommand="BrowserTryToCloseWindow()"/>
+	<command id="cmd_toggleMute" oncommand="gBrowser.selectedTab.toggleMuteAudio()"/>
     <command id="cmd_ToggleTabsOnTop" oncommand="TabsOnTop.toggle()"/>
     <command id="cmd_CustomizeToolbars" oncommand="BrowserCustomizeToolbar()"/>
     <command id="cmd_restartApplication" oncommand="restart(false);"/>
@@ -212,6 +213,7 @@
     <key id="printKb" key="&printCmd.commandkey;" command="cmd_print"  modifiers="accel"/>
     <key id="key_close" key="&closeCmd.key;" command="cmd_close" modifiers="accel"/>
     <key id="key_closeWindow" key="&closeCmd.key;" command="cmd_closeWindow" modifiers="accel,shift"/>
+	<key id="key_toggleMute" key="&toggleMuteCmd.key;" command="cmd_toggleMute" modifiers="control"/>
     <key id="key_undo"
          key="&undoCmd.key;"
          modifiers="accel"/>
diff --git a/application/palemoon/base/content/browser-tabPreviews.js b/application/palemoon/base/content/browser-tabPreviews.js
index eaae78ba84..e0755b81d4 100644
--- a/application/palemoon/base/content/browser-tabPreviews.js
+++ b/application/palemoon/base/content/browser-tabPreviews.js
@@ -940,6 +940,13 @@ var allTabs = {
       aPreview.setAttribute("image", aPreview._tab.image);
     else
       aPreview.removeAttribute("image");
+  
+    aPreview.removeAttribute("soundplaying");
+    aPreview.removeAttribute("muted");
+    if (aPreview._tab.hasAttribute("muted"))
+      aPreview.setAttribute("muted", "true");
+    else if (aPreview._tab.hasAttribute("soundplaying"))
+      aPreview.setAttribute("soundplaying", "true");
 
     var thumbnail = tabPreviews.get(aPreview._tab);
     if (aPreview.firstChild) {
diff --git a/application/palemoon/base/content/browser-tabPreviews.xml b/application/palemoon/base/content/browser-tabPreviews.xml
index e957649e75..4f54321eac 100644
--- a/application/palemoon/base/content/browser-tabPreviews.xml
+++ b/application/palemoon/base/content/browser-tabPreviews.xml
@@ -42,7 +42,10 @@
           <xul:hbox class="tabPreview-canvas" xbl:inherits="style=canvasstyle">
             <children/>
           </xul:hbox>
-          <xul:label flex="1" xbl:inherits="value=label,crop" class="allTabs-preview-label plain"/>
+          <xul:hbox align="center">
+            <xul:image xbl:inherits="soundplaying,muted" class="allTabs-endimage"/>
+            <xul:label flex="1" xbl:inherits="value=label,crop" class="allTabs-preview-label plain"/>
+          </xul:hbox>
         </xul:vbox>
         <xul:hbox class="allTabs-favicon-container">
           <xul:image class="allTabs-favicon" xbl:inherits="src=image"/>
diff --git a/application/palemoon/base/content/browser.js b/application/palemoon/base/content/browser.js
index 4167f186c4..591d00fbb1 100644
--- a/application/palemoon/base/content/browser.js
+++ b/application/palemoon/base/content/browser.js
@@ -976,6 +976,7 @@ var gBrowserInit = {
     CombinedStopReload.init();
     allTabs.readPref();
     TabsOnTop.init();
+    AudioIndicator.init();
     gPrivateBrowsingUI.init();
     TabsInTitlebar.init();
     retrieveToolbarIconsizesFromTheme();
@@ -1364,6 +1365,8 @@ var gBrowserInit = {
     BookmarkingUI.uninit();
 
     TabsOnTop.uninit();
+    
+    AudioIndicator.uninit();
 
     TabsInTitlebar.uninit();
     
@@ -4597,6 +4600,42 @@ function setToolbarVisibility(toolbar, isVisible) {
     ToolbarIconColor.inferFromText();
 }
 
+var AudioIndicator = {
+  init: function () {
+    Services.prefs.addObserver(this._prefName, this, false);
+    this.syncUI();
+  },
+
+  uninit: function () {
+    Services.prefs.removeObserver(this._prefName, this);
+  },
+
+  toggle: function () {
+    this.enabled = !Services.prefs.getBoolPref(this._prefName);
+  },
+
+  syncUI: function () {
+    document.getElementById("context_toggleMuteTab").setAttribute("hidden", this.enabled);
+    document.getElementById("key_toggleMute").setAttribute("disabled", this.enabled);
+  },
+
+  get enabled () {
+    return !Services.prefs.getBoolPref(this._prefName);
+  },
+
+  set enabled (val) {
+    Services.prefs.setBoolPref(this._prefName, !!val);
+    return val;
+  },
+
+  observe: function (subject, topic, data) {
+    if (topic == "nsPref:changed")
+      this.syncUI();
+  },
+
+  _prefName: "browser.tabs.showAudioPlayingIcon"
+}
+
 var TabsOnTop = {
   init: function TabsOnTop_init() {
     Services.prefs.addObserver(this._prefName, this, false);
@@ -7021,6 +7060,17 @@ function restoreLastSession() {
 
 var TabContextMenu = {
   contextTab: null,
+  _updateToggleMuteMenuItem(aTab, aConditionFn) {
+    ["muted", "soundplaying"].forEach(attr => {
+      if (!aConditionFn || aConditionFn(attr)) {
+        if (aTab.hasAttribute(attr)) {
+          aTab.toggleMuteMenuItem.setAttribute(attr, "true");
+        } else {
+          aTab.toggleMuteMenuItem.removeAttribute(attr);
+        }
+      }
+    });
+  },
   updateContextMenu: function updateContextMenu(aPopupMenu) {
     this.contextTab = aPopupMenu.triggerNode.localName == "tab" ?
                       aPopupMenu.triggerNode : gBrowser.selectedTab;
@@ -7067,6 +7117,35 @@ var TabContextMenu = {
     bookmarkAllTabs.hidden = this.contextTab.pinned;
     if (!bookmarkAllTabs.hidden)
       PlacesCommandHook.updateBookmarkAllTabsCommand();
+
+    // Adjust the state of the toggle mute menu item.
+    let toggleMute = document.getElementById("context_toggleMuteTab");
+    if (this.contextTab.hasAttribute("muted")) {
+      toggleMute.label = gNavigatorBundle.getString("unmuteTab.label");
+      toggleMute.accessKey = gNavigatorBundle.getString("unmuteTab.accesskey");
+    } else {
+      toggleMute.label = gNavigatorBundle.getString("muteTab.label");
+      toggleMute.accessKey = gNavigatorBundle.getString("muteTab.accesskey");
+    }
+    
+    this.contextTab.toggleMuteMenuItem = toggleMute;
+    this._updateToggleMuteMenuItem(this.contextTab);
+
+    this.contextTab.addEventListener("TabAttrModified", this, false);
+    aPopupMenu.addEventListener("popuphiding", this, false);
+  },
+  handleEvent(aEvent) {
+    switch (aEvent.type) {
+      case "popuphiding":
+        gBrowser.removeEventListener("TabAttrModified", this);
+        aEvent.target.removeEventListener("popuphiding", this);
+        break;
+      case "TabAttrModified":
+        let tab = aEvent.target;
+        this._updateToggleMuteMenuItem(tab,
+          attr => aEvent.detail.changed.indexOf(attr) >= 0);
+        break;
+    }
   }
 };
 
diff --git a/application/palemoon/base/content/browser.xul b/application/palemoon/base/content/browser.xul
index 07ca547222..ce2a7c5a8f 100644
--- a/application/palemoon/base/content/browser.xul
+++ b/application/palemoon/base/content/browser.xul
@@ -87,6 +87,7 @@
                onpopuphidden="if (event.target == this) TabContextMenu.contextTab = null;">
       <menuitem id="context_reloadTab" label="&reloadTab.label;" accesskey="&reloadTab.accesskey;"
                 oncommand="gBrowser.reloadTab(TabContextMenu.contextTab);"/>
+      <menuitem id="context_toggleMuteTab" oncommand="TabContextMenu.contextTab.toggleMuteAudio();"/>
       <menuseparator/>
       <menuitem id="context_pinTab" label="&pinTab.label;"
                 accesskey="&pinTab.accesskey;"
diff --git a/application/palemoon/base/content/sanitize.js b/application/palemoon/base/content/sanitize.js
index 0c85fa215c..b4d13d8954 100644
--- a/application/palemoon/base/content/sanitize.js
+++ b/application/palemoon/base/content/sanitize.js
@@ -257,18 +257,13 @@ Sanitizer.prototype = {
                                       .getService(Components.interfaces.nsIWindowMediator);
         var windows = windowManager.getEnumerator("navigator:browser");
         while (windows.hasMoreElements()) {
-          let currentWindow = windows.getNext();
-          let currentDocument = currentWindow.document;
+          let currentDocument = windows.getNext().document;
           let searchBar = currentDocument.getElementById("searchbar");
           if (searchBar)
             searchBar.textbox.reset();
-          let tabBrowser = currentWindow.gBrowser;
-          for (let tab of tabBrowser.tabs) {
-            if (tabBrowser.isFindBarInitialized(tab))
-              tabBrowser.getFindBar(tab).clear();
-          }
-          // Clear any saved find value
-          tabBrowser._lastFindValue = "";
+          let findBar = currentDocument.getElementById("FindToolbar");
+          if (findBar)
+            findBar.clear();
         }
 
         let change = { op: "remove" };
@@ -284,8 +279,7 @@ Sanitizer.prototype = {
                                       .getService(Components.interfaces.nsIWindowMediator);
         var windows = windowManager.getEnumerator("navigator:browser");
         while (windows.hasMoreElements()) {
-          let currentWindow = windows.getNext();
-          let currentDocument = currentWindow.document;
+          let currentDocument = windows.getNext().document;
           let searchBar = currentDocument.getElementById("searchbar");
           if (searchBar) {
             let transactionMgr = searchBar.textbox.editor.transactionManager;
@@ -296,12 +290,8 @@ Sanitizer.prototype = {
               return false;
             }
           }
-          let tabBrowser = currentWindow.gBrowser;
-          let findBarCanClear = Array.some(tabBrowser.tabs, function (aTab) {
-            return tabBrowser.isFindBarInitialized(aTab) &&
-                   tabBrowser.getFindBar(aTab).canClear;
-          });
-          if (findBarCanClear) {
+          let findBar = currentDocument.getElementById("FindToolbar");
+          if (findBar && findBar.canClear) {
             aCallback("formdata", true, aArg);
             return false;
           }
diff --git a/application/palemoon/base/content/tabbrowser.css b/application/palemoon/base/content/tabbrowser.css
index 94d6dbb2ef..43536b27af 100644
--- a/application/palemoon/base/content/tabbrowser.css
+++ b/application/palemoon/base/content/tabbrowser.css
@@ -45,10 +45,19 @@ tabpanels {
 }
 
 .tab-throbber:not([busy]),
-.tab-throbber[busy] + .tab-icon-image {
+.tab-throbber[busy] + .tab-icon-image,
+.tab-icon-sound:not([soundplaying]):not([muted]):not([blocked]),
+.tab-icon-sound[pinned],
+.tab-icon-overlay {
   display: none;
 }
 
+.tab-icon-overlay[soundplaying][pinned],
+.tab-icon-overlay[muted][pinned],
+.tab-icon-overlay[blocked][pinned] {
+  display: -moz-box;
+}
+
 .closing-tabs-spacer {
   pointer-events: none;
 }
diff --git a/application/palemoon/base/content/tabbrowser.xml b/application/palemoon/base/content/tabbrowser.xml
index dc6cb0a9d1..988cae55c4 100644
--- a/application/palemoon/base/content/tabbrowser.xml
+++ b/application/palemoon/base/content/tabbrowser.xml
@@ -438,6 +438,22 @@
         </body>
       </method>
 
+      <method name="getTabFromAudioEvent">
+        <parameter name="aEvent"/>
+        <body>
+        <![CDATA[
+          if (!Services.prefs.getBoolPref("browser.tabs.showAudioPlayingIcon") ||
+              !aEvent.isTrusted) {
+            return null;
+          }
+
+          var browser = aEvent.originalTarget;
+          var tab = this.getTabForBrowser(browser);
+          return tab;
+        ]]>
+        </body>
+      </method>
+
       <method name="_callProgressListeners">
         <parameter name="aBrowser"/>
         <parameter name="aMethod"/>
@@ -616,7 +632,7 @@
 
                 if (this.mTab.hasAttribute("busy")) {
                   this.mTab.removeAttribute("busy");
-                  this.mTabBrowser._tabAttrModified(this.mTab);
+                  this.mTabBrowser._tabAttrModified(this.mTab, ["busy"]);
                   if (!this.mTab.selected)
                     this.mTab.setAttribute("unread", "true");
                 }
@@ -686,6 +702,8 @@
               let topLevel = aWebProgress.isTopLevel;
 
               if (topLevel) {
+                let isSameDocument =
+                  !!(aFlags & Ci.nsIWebProgressListener.LOCATION_CHANGE_SAME_DOCUMENT);
                 // We need to clear the typed value
                 // if the document failed to load, to make sure the urlbar reflects the
                 // failed URI (particularly for SSL errors). However, don't clear the value
@@ -696,6 +714,19 @@
                      aLocation.spec != "about:blank"))
                   this.mBrowser.userTypedValue = null;
 
+                // If the browser was playing audio, we should remove the playing state.
+                if (this.mTab.hasAttribute("soundplaying") && !isSameDocument) {
+                  clearTimeout(this.mTab._soundPlayingAttrRemovalTimer);
+                  this.mTab._soundPlayingAttrRemovalTimer = 0;
+                  this.mTab.removeAttribute("soundplaying");
+                  this.mTabBrowser._tabAttrModified(this.mTab, ["soundplaying"]);
+                }
+
+                // If the browser was previously muted, we should restore the muted state.
+                if (this.mTab.hasAttribute("muted")) {
+                  this.mTab.linkedBrowser.mute();
+                }
+
                 // Don't clear the favicon if this onLocationChange was
                 // triggered by a pushState or a replaceState.  See bug 550565.
                 if (!gMultiProcessBrowser) {
@@ -800,13 +831,40 @@
                               "-moz-resolution=" + size + "," + size;
             }
             if (sizedIconUrl != aTab.getAttribute("image")) {
-              if (browser.mIconURL) //PMed
+              if (browser.mIconURL)
                 aTab.setAttribute("image", sizedIconUrl);
               else
                 aTab.removeAttribute("image");
-              this._tabAttrModified(aTab);
+              this._tabAttrModified(aTab, ["image"]);
             }
 
+            if (Services.prefs.getBoolPref("browser.chrome.favicons.process")) {
+              let favImage = new Image;
+              favImage.src = browser.mIconURL;
+              var tabBrowser = this;
+              favImage.onload = function () {
+                try {
+                  // Draw the icon on a hidden canvas
+                  var canvas = document.createElementNS("http://www.w3.org/1999/xhtml", "canvas");
+                  var tabImg = document.getAnonymousElementByAttribute(aTab, "anonid", "tab-icon");
+                  var w = tabImg.boxObject.width;
+                  var h = tabImg.boxObject.height;
+                  canvas.width = w;
+                  canvas.height = h;
+                  var ctx = canvas.getContext('2d');
+                  ctx.drawImage(favImage, 0, 0, w, h);
+                  icon = canvas.toDataURL();
+                  browser.mIconURL = icon;
+                  aTab.setAttribute("image", icon);
+                }
+                catch (e) {
+                  console.warn("Processing of favicon failed.");
+                  // Canvas failed: icon remains as it was
+                }
+                tabBrowser._callProgressListeners(browser, "onLinkIconAvailable", [browser.mIconURL]);
+              }
+            }
+                
             this._callProgressListeners(browser, "onLinkIconAvailable", [browser.mIconURL]);
           ]]>
         </body>
@@ -1116,8 +1174,8 @@
               });
               this.mCurrentTab.dispatchEvent(event);
 
-              this._tabAttrModified(oldTab);
-              this._tabAttrModified(this.mCurrentTab);
+              this._tabAttrModified(oldTab, ["selected"]);
+              this._tabAttrModified(this.mCurrentTab, ["selected"]);
 
               // Adjust focus
               oldBrowser._urlbarFocused = (gURLBar && gURLBar.focused);
@@ -1187,14 +1245,18 @@
 
       <method name="_tabAttrModified">
         <parameter name="aTab"/>
+        <parameter name="aChanged"/>
         <body><![CDATA[
           if (aTab.closing)
             return;
 
-          // This event should be dispatched when any of these attributes change:
-          // label, crop, busy, image, selected
-          var event = document.createEvent("Events");
-          event.initEvent("TabAttrModified", true, false);
+          let event = new CustomEvent("TabAttrModified", {
+            bubbles: true,
+            cancelable: false,
+            detail: {
+              changed: aChanged,
+            }
+          });
           aTab.dispatchEvent(event);
         ]]></body>
       </method>
@@ -1205,7 +1267,7 @@
           <![CDATA[
             aTab.label = this.mStringBundle.getString("tabs.connecting");
             aTab.crop = "end";
-            this._tabAttrModified(aTab);
+            this._tabAttrModified(aTab, ["label", "crop"]);
           ]]>
         </body>
       </method>
@@ -1250,7 +1312,7 @@
 
             aTab.label = title;
             aTab.crop = crop;
-            this._tabAttrModified(aTab);
+            this._tabAttrModified(aTab, ["label", "crop"]);
 
             if (aTab.selected)
               this.updateTitlebar();
@@ -2239,6 +2301,14 @@
             var remoteBrowser = aOtherTab.ownerDocument.defaultView.gBrowser;
             var isPending = aOtherTab.hasAttribute("pending");
 
+            // Expedite the removal of the icon if it was already scheduled.
+            if (aOtherTab._soundPlayingAttrRemovalTimer) {
+              clearTimeout(aOtherTab._soundPlayingAttrRemovalTimer);
+              aOtherTab._soundPlayingAttrRemovalTimer = 0;
+              aOtherTab.removeAttribute("soundplaying");
+              remoteBrowser._tabAttrModified(aOtherTab, ["soundplaying"]);
+            }
+
             // First, start teardown of the other browser.  Make sure to not
             // fire the beforeunload event in the process.  Close the other
             // window if this was its last tab.
@@ -2248,6 +2318,18 @@
             let ourBrowser = this.getBrowserForTab(aOurTab);
             let otherBrowser = aOtherTab.linkedBrowser;
 
+            let modifiedAttrs = [];
+            if (aOtherTab.hasAttribute("muted")) {
+              aOurTab.setAttribute("muted", "true");
+              aOurTab.muteReason = aOtherTab.muteReason;
+              ourBrowser.mute();
+              modifiedAttrs.push("muted");
+            }
+            if (aOtherTab.hasAttribute("soundplaying")) {
+              aOurTab.setAttribute("soundplaying", "true");
+              modifiedAttrs.push("soundplaying");
+            }
+
             // If the other tab is pending (i.e. has not been restored, yet)
             // then do not switch docShells but retrieve the other tab's state
             // and apply it to our tab.
@@ -2266,7 +2348,7 @@
               var isBusy = aOtherTab.hasAttribute("busy");
               if (isBusy) {
                 aOurTab.setAttribute("busy", "true");
-                this._tabAttrModified(aOurTab);
+                modifiedAttrs.push("busy");
                 if (aOurTab.selected)
                   this.mIsBusy = true;
               }
@@ -2286,6 +2368,10 @@
             // of replaceTabWithWindow), notify onLocationChange, etc.
             if (aOurTab.selected)
               this.updateCurrentBrowser(true);
+
+            if (modifiedAttrs.length) {
+              this._tabAttrModified(aOurTab, modifiedAttrs);
+            }
           ]]>
         </body>
       </method>
@@ -3084,9 +3170,25 @@
             event.preventDefault();
             return;
           }
-          event.target.setAttribute("label", tab.mOverCloseButton ?
-                                             tab.getAttribute("closetabtext") :
-                                             tab.getAttribute("label"));
+
+          var stringID, label;
+          if (tab.mOverCloseButton) {
+            stringID = "tabs.closeTab";
+          } else if (tab._overPlayingIcon) {
+            if (tab.linkedBrowser.audioBlocked) {
+              stringID = "tabs.unblockAudio.tooltip";
+            } else {
+              stringID = tab.linkedBrowser.audioMuted ?
+                "tabs.unmuteAudio.tooltip" :
+                "tabs.muteAudio.tooltip";
+            }
+          } else {
+            label = tab.getAttribute("label");
+          }
+          if (stringID && !label) {
+            label = this.mStringBundle.getString(stringID);
+          }
+          event.target.setAttribute("label", label);
         ]]></body>
       </method>
 
@@ -3300,6 +3402,7 @@
         ]]>
         </getter>
       </property>
+      <field name="_soundPlayingAttrRemovalTimer">0</field>
     </implementation>
 
     <handlers>
@@ -3347,6 +3450,78 @@
             tab.setAttribute("titlechanged", "true");
         ]]>
       </handler>
+      <handler event="DOMAudioPlaybackStarted">
+        <![CDATA[
+          var tab = getTabFromAudioEvent(event)
+          if (!tab) {
+            return;
+          }
+
+          clearTimeout(tab._soundPlayingAttrRemovalTimer);
+          tab._soundPlayingAttrRemovalTimer = 0;
+
+          let modifiedAttrs = [];
+          if (tab.hasAttribute("soundplaying-scheduledremoval")) {
+            tab.removeAttribute("soundplaying-scheduledremoval");
+            modifiedAttrs.push("soundplaying-scheduledremoval");
+          }
+
+          if (!tab.hasAttribute("soundplaying")) {
+            tab.setAttribute("soundplaying", true);
+            modifiedAttrs.push("soundplaying");
+          }
+
+          this._tabAttrModified(tab, modifiedAttrs);
+        ]]>
+      </handler>
+      <handler event="DOMAudioPlaybackStopped">
+        <![CDATA[
+          var tab = getTabFromAudioEvent(event)
+          if (!tab) {
+            return;
+          }
+
+          if (tab.hasAttribute("soundplaying")) {
+            let removalDelay = Services.prefs.getIntPref("browser.tabs.delayHidingAudioPlayingIconMS");
+
+            tab.style.setProperty("--soundplaying-removal-delay", `${removalDelay - 300}ms`);
+            tab.setAttribute("soundplaying-scheduledremoval", "true");
+            this._tabAttrModified(tab, ["soundplaying-scheduledremoval"]);
+
+            tab._soundPlayingAttrRemovalTimer = setTimeout(() => {
+              tab.removeAttribute("soundplaying-scheduledremoval");
+              tab.removeAttribute("soundplaying");
+              this._tabAttrModified(tab, ["soundplaying", "soundplaying-scheduledremoval"]);
+            }, removalDelay);
+          }
+        ]]>
+      </handler>
+      <handler event="DOMAudioPlaybackBlockStarted">
+        <![CDATA[
+          var tab = getTabFromAudioEvent(event)
+          if (!tab) {
+            return;
+          }
+
+          if (!tab.hasAttribute("blocked")) {
+            tab.setAttribute("blocked", true);
+            this._tabAttrModified(tab, ["blocked"]);
+          }
+        ]]>
+      </handler>
+      <handler event="DOMAudioPlaybackBlockStopped">
+        <![CDATA[
+          var tab = getTabFromAudioEvent(event)
+          if (!tab) {
+            return;
+          }
+
+          if (tab.hasAttribute("blocked")) {
+            tab.removeAttribute("blocked");
+            this._tabAttrModified(tab, ["blocked"]);
+          }
+        ]]>
+      </handler>
     </handlers>
   </binding>
 
@@ -4758,10 +4933,18 @@
                      class="tab-icon-image"
                      role="presentation"
                      anonid="tab-icon"/>
+          <xul:image xbl:inherits="busy,soundplaying,soundplaying-scheduledremoval,pinned,muted,blocked,selected"
+                     anonid="overlay-icon"
+                     class="tab-icon-overlay"
+                     role="presentation"/>
           <xul:label flex="1"
                      xbl:inherits="value=label,crop,accesskey,fadein,pinned,selected"
                      class="tab-text tab-label"
                      role="presentation"/>
+          <xul:image xbl:inherits="soundplaying,soundplaying-scheduledremoval,pinned,muted,blocked,selected"
+                     anonid="soundplaying-icon"
+                     class="tab-icon-sound"
+                     role="presentation"/>
           <xul:toolbarbutton anonid="close-button"
                              xbl:inherits="fadein,pinned,selected"
                              class="tab-close-button close-icon"/>
@@ -4782,9 +4965,59 @@
       </property>
 
       <field name="mOverCloseButton">false</field>
+      <property name="_overPlayingIcon" readonly="true">
+        <getter><![CDATA[
+          let iconVisible = this.hasAttribute("soundplaying") ||
+                            this.hasAttribute("muted") ||
+                            this.hasAttribute("blocked");
+          let soundPlayingIcon =
+            document.getAnonymousElementByAttribute(this, "anonid", "soundplaying-icon");
+          let overlayIcon =
+            document.getAnonymousElementByAttribute(this, "anonid", "overlay-icon");
+
+          return soundPlayingIcon && soundPlayingIcon.matches(":hover") ||
+                 (overlayIcon && overlayIcon.matches(":hover") && iconVisible);
+        ]]></getter>
+      </property>
       <field name="mCorrespondingMenuitem">null</field>
       <field name="closing">false</field>
       <field name="lastAccessed">0</field>
+      
+      <method name="toggleMuteAudio">
+        <parameter name="aMuteReason"/>
+        <body>
+        <![CDATA[
+          let tabContainer = this.parentNode;
+          let browser = this.linkedBrowser;
+          let modifiedAttrs = [];
+          if (browser.audioBlocked) {
+            this.removeAttribute("blocked");
+            modifiedAttrs.push("blocked");
+
+            // We don't want sound icon flickering between "blocked", "none" and
+            // "sound-playing", here adding the "soundplaying" is to keep the
+            // transition smoothly.
+            if (!this.hasAttribute("soundplaying")) {
+              this.setAttribute("soundplaying", true);
+              modifiedAttrs.push("soundplaying");
+            }
+
+            browser.resumeMedia();
+          } else {
+            if (browser.audioMuted) {
+              browser.unmute();
+              this.removeAttribute("muted");
+            } else {
+              browser.mute();
+              this.setAttribute("muted", "true");
+            }
+            this.muteReason = aMuteReason || null;
+            modifiedAttrs.push("muted");
+          }
+          tabContainer.tabbrowser._tabAttrModified(this, modifiedAttrs);
+        ]]>
+        </body>
+      </method>
     </implementation>
 
     <handlers>
@@ -4843,7 +5076,8 @@
         if (this.selected) {
           this.style.MozUserFocus = 'ignore';
           this.clientTop; // just using this to flush style updates
-        } else if (this.mOverCloseButton) {
+        } else if (this.mOverCloseButton ||
+                   this._overPlayingIcon) {
           // Prevent tabbox.xml from selecting the tab.
           event.stopPropagation();
         }
@@ -4852,6 +5086,17 @@
       <handler event="mouseup">
         this.style.MozUserFocus = '';
       </handler>
+      <handler event="click">
+      <![CDATA[
+        if (event.button != 0) {
+          return;
+        }
+
+        if (this._overPlayingIcon) {
+          this.toggleMuteAudio();
+        }
+      ]]>
+      </handler>
     </handlers>
   </binding>
 
@@ -4957,6 +5202,24 @@
             aMenuitem.setAttribute("selected", "true");
           else
             aMenuitem.removeAttribute("selected");
+
+          function addEndImage() {
+            let endImage = document.createElement("image");
+            endImage.setAttribute("class", "allTabs-endimage");
+            let endImageContainer = document.createElement("hbox");
+            endImageContainer.setAttribute("align", "center");
+            endImageContainer.setAttribute("pack", "center");
+            endImageContainer.appendChild(endImage);
+            aMenuitem.appendChild(endImageContainer);
+            return endImage;
+          }
+
+          if (aMenuitem.firstChild)
+            aMenuitem.firstChild.remove();
+          if (aTab.hasAttribute("muted"))
+            addEndImage().setAttribute("muted", "true");
+          else if (aTab.hasAttribute("soundplaying"))
+            addEndImage().setAttribute("soundplaying", "true");
         ]]></body>
       </method>
     </implementation>
diff --git a/application/palemoon/base/jar.mn b/application/palemoon/base/jar.mn
index d8c3f4b213..8931c02608 100644
--- a/application/palemoon/base/jar.mn
+++ b/application/palemoon/base/jar.mn
@@ -2,135 +2,81 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 browser.jar:
-%  content browser %content/browser/ contentaccessible=yes
+% content browser %content/browser/ contentaccessible=yes
 #ifdef XP_MACOSX
-%  overlay chrome://mozapps/content/downloads/downloads.xul chrome://browser/content/downloadManagerOverlay.xul
-%  overlay chrome://global/content/console.xul chrome://browser/content/jsConsoleOverlay.xul
-%  overlay chrome://mozapps/content/update/updates.xul chrome://browser/content/softwareUpdateOverlay.xul
+% overlay chrome://mozapps/content/downloads/downloads.xul chrome://browser/content/downloadManagerOverlay.xul
+% overlay chrome://global/content/console.xul chrome://browser/content/jsConsoleOverlay.xul
+% overlay chrome://mozapps/content/update/updates.xul chrome://browser/content/softwareUpdateOverlay.xul
 #endif
 #ifdef XP_WIN
-%  overlay chrome://browser/content/browser.xul chrome://browser/content/win6BrowserOverlay.xul os=WINNT osversion>=6
+% overlay chrome://browser/content/browser.xul chrome://browser/content/win6BrowserOverlay.xul os=WINNT osversion>=6
 #endif
-%  overlay chrome://global/content/viewSource.xul chrome://browser/content/viewSourceOverlay.xul
-%  overlay chrome://global/content/viewPartialSource.xul chrome://browser/content/viewSourceOverlay.xul
-%  style chrome://global/content/customizeToolbar.xul chrome://browser/content/browser.css
-%  style chrome://global/content/customizeToolbar.xul chrome://browser/skin/
-*       content/browser/aboutDialog.xul               (content/aboutDialog.xul)
-*       content/browser/aboutDialog.js                (content/aboutDialog.js)
-        content/browser/aboutDialog.css               (content/aboutDialog.css)
-        content/browser/aboutRobots.xhtml             (content/aboutRobots.xhtml)
-        content/browser/abouthome/aboutHome.xhtml     (content/abouthome/aboutHome.xhtml)
-        content/browser/abouthome/aboutHome.js        (content/abouthome/aboutHome.js)
-*       content/browser/abouthome/aboutHome.css       (content/abouthome/aboutHome.css)
-        content/browser/abouthome/noise.png           (content/abouthome/noise.png)
-        content/browser/abouthome/snippet1.png        (content/abouthome/snippet1.png)
-        content/browser/abouthome/snippet2.png        (content/abouthome/snippet2.png)
-        content/browser/abouthome/downloads.png       (content/abouthome/downloads.png)
-        content/browser/abouthome/bookmarks.png       (content/abouthome/bookmarks.png)
-        content/browser/abouthome/history.png         (content/abouthome/history.png)
-        content/browser/abouthome/addons.png          (content/abouthome/addons.png)
-        content/browser/abouthome/sync.png            (content/abouthome/sync.png)
-        content/browser/abouthome/settings.png        (content/abouthome/settings.png)
-        content/browser/abouthome/restore.png         (content/abouthome/restore.png)
-        content/browser/abouthome/restore-large.png   (content/abouthome/restore-large.png)
-        content/browser/abouthome/snippet1@2x.png      (content/abouthome/snippet1@2x.png)
-        content/browser/abouthome/snippet2@2x.png      (content/abouthome/snippet2@2x.png)
-        content/browser/abouthome/downloads@2x.png     (content/abouthome/downloads@2x.png)
-        content/browser/abouthome/bookmarks@2x.png     (content/abouthome/bookmarks@2x.png)
-        content/browser/abouthome/history@2x.png       (content/abouthome/history@2x.png)
-        content/browser/abouthome/addons@2x.png        (content/abouthome/addons@2x.png)
-        content/browser/abouthome/sync@2x.png          (content/abouthome/sync@2x.png)
-        content/browser/abouthome/settings@2x.png      (content/abouthome/settings@2x.png)
-        content/browser/abouthome/restore@2x.png       (content/abouthome/restore@2x.png)
-        content/browser/abouthome/restore-large@2x.png (content/abouthome/restore-large@2x.png)
-        content/browser/aboutRobots-icon.png          (content/aboutRobots-icon.png)
-        content/browser/aboutRobots-widget-left.png   (content/aboutRobots-widget-left.png)
-        content/browser/autorecovery.js               (content/autorecovery.js)
-        content/browser/autorecovery.xul              (content/autorecovery.xul)
-*       content/browser/browser.css                   (content/browser.css)
-        content/browser/browser-menudragging.xul      (content/browser-menudragging.xul)
-        content/browser/browser-menudragging.js       (content/browser-menudragging.js)
-        content/browser/browser-title.css             (content/browser-title.css)
-*       content/browser/browser.js                    (content/browser.js)
-*       content/browser/browser.xul                   (content/browser.xul)
+% overlay chrome://global/content/viewSource.xul chrome://browser/content/viewSourceOverlay.xul
+% overlay chrome://global/content/viewPartialSource.xul chrome://browser/content/viewSourceOverlay.xul
+% style chrome://global/content/customizeToolbar.xul chrome://browser/content/browser.css
+% style chrome://global/content/customizeToolbar.xul chrome://browser/skin/
+* content/browser/aboutDialog.xul               (content/aboutDialog.xul)
+* content/browser/aboutDialog.js                (content/aboutDialog.js)
+  content/browser/aboutDialog.css               (content/aboutDialog.css)
+  content/browser/aboutRobots.xhtml             (content/aboutRobots.xhtml)
+  content/browser/aboutRobots-icon.png          (content/aboutRobots-icon.png)
+  content/browser/aboutRobots-widget-left.png   (content/aboutRobots-widget-left.png)
+  content/browser/autorecovery.js               (content/autorecovery.js)
+  content/browser/autorecovery.xul              (content/autorecovery.xul)
+* content/browser/browser.css                   (content/browser.css)
+  content/browser/browser-menudragging.xul      (content/browser-menudragging.xul)
+  content/browser/browser-menudragging.js       (content/browser-menudragging.js)
+  content/browser/browser-title.css             (content/browser-title.css)
+* content/browser/browser.js                    (content/browser.js)
+* content/browser/browser.xul                   (content/browser.xul)
 #ifdef MOZ_DEVTOOLS
-        content/browser/browser-devtools-theme.js     (content/browser-devtools-theme.js)
+  content/browser/browser-devtools-theme.js     (content/browser-devtools-theme.js)
 #endif
-*       content/browser/browser-tabPreviews.xml       (content/browser-tabPreviews.xml)
-        content/browser/content.js                    (content/content.js)
-        content/browser/padlock.xul                   (content/padlock.xul)
-        content/browser/padlock.js                    (content/padlock.js)
-        content/browser/padlock.css                   (content/padlock.css)
-        content/browser/padlock_mod_ev.png            (content/padlock_mod_ev.png)
-        content/browser/padlock_mod_https.png         (content/padlock_mod_https.png)
-        content/browser/padlock_mod_low.png           (content/padlock_mod_low.png)
-        content/browser/padlock_mod_broken.png        (content/padlock_mod_broken.png)
-        content/browser/padlock_classic_ev.png        (content/padlock_classic_ev.png)
-        content/browser/padlock_classic_https.png     (content/padlock_classic_https.png)
-        content/browser/padlock_classic_low.png       (content/padlock_classic_low.png)
-        content/browser/padlock_classic_broken.png    (content/padlock_classic_broken.png)
-        content/browser/palemoon.xhtml                (content/palemoon.xhtml)
-        content/browser/newtab/newTab.xhtml           (content/newtab/newTab.xhtml)
-*       content/browser/newtab/newTab.js              (content/newtab/newTab.js)
-        content/browser/newtab/newTab.css             (content/newtab/newTab.css)
-*       content/browser/pageinfo/pageInfo.xul         (content/pageinfo/pageInfo.xul)
-        content/browser/pageinfo/pageInfo.js          (content/pageinfo/pageInfo.js)
-        content/browser/pageinfo/pageInfo.css         (content/pageinfo/pageInfo.css)
-        content/browser/pageinfo/pageInfo.xml         (content/pageinfo/pageInfo.xml)
-        content/browser/pageinfo/feeds.js             (content/pageinfo/feeds.js)
-        content/browser/pageinfo/feeds.xml            (content/pageinfo/feeds.xml)
-        content/browser/pageinfo/permissions.js       (content/pageinfo/permissions.js)
-        content/browser/pageinfo/security.js          (content/pageinfo/security.js)
-#ifdef MOZ_SERVICES_SYNC
-        content/browser/sync/aboutSyncTabs.xul        (content/sync/aboutSyncTabs.xul)
-        content/browser/sync/aboutSyncTabs.js         (content/sync/aboutSyncTabs.js)
-        content/browser/sync/aboutSyncTabs.css        (content/sync/aboutSyncTabs.css)
-        content/browser/sync/aboutSyncTabs-bindings.xml  (content/sync/aboutSyncTabs-bindings.xml)
-        content/browser/sync/setup.xul                (content/sync/setup.xul)
-        content/browser/sync/addDevice.js             (content/sync/addDevice.js)
-        content/browser/sync/addDevice.xul            (content/sync/addDevice.xul)
-        content/browser/sync/setup.js                 (content/sync/setup.js)
-        content/browser/sync/genericChange.xul        (content/sync/genericChange.xul)
-        content/browser/sync/genericChange.js         (content/sync/genericChange.js)
-        content/browser/sync/key.xhtml                (content/sync/key.xhtml)
-        content/browser/sync/notification.xml         (content/sync/notification.xml)
-        content/browser/sync/quota.xul                (content/sync/quota.xul)
-        content/browser/sync/quota.js                 (content/sync/quota.js)
-        content/browser/sync/utils.js                 (content/sync/utils.js)
-        content/browser/sync/progress.js              (content/sync/progress.js)
-        content/browser/sync/progress.xhtml           (content/sync/progress.xhtml)
-#endif
-        content/browser/openLocation.js               (content/openLocation.js)
-        content/browser/openLocation.xul              (content/openLocation.xul)
-        content/browser/safeMode.css                  (content/safeMode.css)
-        content/browser/safeMode.js                   (content/safeMode.js)
-*       content/browser/safeMode.xul                  (content/safeMode.xul)
-*       content/browser/sanitize.js                   (content/sanitize.js)
-*       content/browser/sanitize.xul                  (content/sanitize.xul)
-*       content/browser/sanitizeDialog.js             (content/sanitizeDialog.js)
-        content/browser/sanitizeDialog.css            (content/sanitizeDialog.css)
-        content/browser/autocomplete.css              (content/autocomplete.css)
-*       content/browser/autocomplete.xml              (content/autocomplete.xml)
-        content/browser/tabbrowser.css                (content/tabbrowser.css)
-*       content/browser/tabbrowser.xml                (content/tabbrowser.xml)
-*       content/browser/urlbarBindings.xml            (content/urlbarBindings.xml)
-*       content/browser/utilityOverlay.js             (content/utilityOverlay.js)
-        content/browser/web-panels.js                 (content/web-panels.js)
-*       content/browser/web-panels.xul                (content/web-panels.xul)
-*       content/browser/baseMenuOverlay.xul           (content/baseMenuOverlay.xul)
-*       content/browser/nsContextMenu.js              (content/nsContextMenu.js)
+* content/browser/browser-tabPreviews.xml       (content/browser-tabPreviews.xml)
+  content/browser/content.js                    (content/content.js)
+  content/browser/padlock.xul                   (content/padlock.xul)
+  content/browser/padlock.js                    (content/padlock.js)
+  content/browser/padlock.css                   (content/padlock.css)
+  content/browser/padlock_mod_ev.png            (content/padlock_mod_ev.png)
+  content/browser/padlock_mod_https.png         (content/padlock_mod_https.png)
+  content/browser/padlock_mod_low.png           (content/padlock_mod_low.png)
+  content/browser/padlock_mod_broken.png        (content/padlock_mod_broken.png)
+  content/browser/padlock_classic_ev.png        (content/padlock_classic_ev.png)
+  content/browser/padlock_classic_https.png     (content/padlock_classic_https.png)
+  content/browser/padlock_classic_low.png       (content/padlock_classic_low.png)
+  content/browser/padlock_classic_broken.png    (content/padlock_classic_broken.png)
+  content/browser/palemoon.xhtml                (content/palemoon.xhtml)
+  content/browser/openLocation.js               (content/openLocation.js)
+  content/browser/openLocation.xul              (content/openLocation.xul)
+  content/browser/safeMode.css                  (content/safeMode.css)
+  content/browser/safeMode.js                   (content/safeMode.js)
+* content/browser/safeMode.xul                  (content/safeMode.xul)
+* content/browser/sanitize.js                   (content/sanitize.js)
+* content/browser/sanitize.xul                  (content/sanitize.xul)
+* content/browser/sanitizeDialog.js             (content/sanitizeDialog.js)
+  content/browser/sanitizeDialog.css            (content/sanitizeDialog.css)
+  content/browser/autocomplete.css              (content/autocomplete.css)
+* content/browser/autocomplete.xml              (content/autocomplete.xml)
+  content/browser/tabbrowser.css                (content/tabbrowser.css)
+* content/browser/tabbrowser.xml                (content/tabbrowser.xml)
+* content/browser/urlbarBindings.xml            (content/urlbarBindings.xml)
+* content/browser/utilityOverlay.js             (content/utilityOverlay.js)
+  content/browser/web-panels.js                 (content/web-panels.js)
+* content/browser/web-panels.xul                (content/web-panels.xul)
+* content/browser/baseMenuOverlay.xul           (content/baseMenuOverlay.xul)
+* content/browser/nsContextMenu.js              (content/nsContextMenu.js)
 # XXX: We should exclude this one as well (bug 71895)
-*       content/browser/hiddenWindow.xul              (content/hiddenWindow.xul)
+* content/browser/hiddenWindow.xul              (content/hiddenWindow.xul)
 #ifdef XP_MACOSX
-*       content/browser/macBrowserOverlay.xul         (content/macBrowserOverlay.xul)
-*       content/browser/downloadManagerOverlay.xul    (content/downloadManagerOverlay.xul)
-*       content/browser/jsConsoleOverlay.xul          (content/jsConsoleOverlay.xul)
-*       content/browser/softwareUpdateOverlay.xul  (content/softwareUpdateOverlay.xul)
+* content/browser/macBrowserOverlay.xul         (content/macBrowserOverlay.xul)
+* content/browser/downloadManagerOverlay.xul    (content/downloadManagerOverlay.xul)
+* content/browser/jsConsoleOverlay.xul          (content/jsConsoleOverlay.xul)
+* content/browser/softwareUpdateOverlay.xul     (content/softwareUpdateOverlay.xul)
 #endif
-*       content/browser/viewSourceOverlay.xul         (content/viewSourceOverlay.xul)
+* content/browser/viewSourceOverlay.xul         (content/viewSourceOverlay.xul)
 #ifdef XP_WIN
-        content/browser/win6BrowserOverlay.xul        (content/win6BrowserOverlay.xul)
+  content/browser/win6BrowserOverlay.xul        (content/win6BrowserOverlay.xul)
 #endif
 # the following files are browser-specific overrides
-*       content/browser/license.html                  (/toolkit/content/license.html)
+* content/browser/license.html                  (/toolkit/content/license.html)
 % override chrome://global/content/license.html chrome://browser/content/license.html
diff --git a/application/palemoon/branding/official/content/moz.build b/application/palemoon/branding/official/content/moz.build
index 35f6d454ac..c97072bba2 100644
--- a/application/palemoon/branding/official/content/moz.build
+++ b/application/palemoon/branding/official/content/moz.build
@@ -4,5 +4,4 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-
 JAR_MANIFESTS += ['jar.mn']
\ No newline at end of file
diff --git a/application/palemoon/branding/official/locales/jar.mn b/application/palemoon/branding/official/locales/jar.mn
index 79078217e2..f02dd95f30 100644
--- a/application/palemoon/branding/official/locales/jar.mn
+++ b/application/palemoon/branding/official/locales/jar.mn
@@ -6,6 +6,6 @@
 
 @AB_CD@.jar:
 % locale branding @AB_CD@ %locale/branding/
-  locale/branding/brand.dtd        (%brand.dtd)
-  locale/branding/brand.properties (%brand.properties)
-  locale/branding/browserconfig.properties (../../shared/locales/browserconfig.properties)
+  locale/branding/brand.dtd                     (%brand.dtd)
+  locale/branding/brand.properties              (%brand.properties)
+  locale/branding/browserconfig.properties      (../../shared/locales/browserconfig.properties)
diff --git a/application/palemoon/branding/official/locales/moz.build b/application/palemoon/branding/official/locales/moz.build
index 35f6d454ac..c97072bba2 100644
--- a/application/palemoon/branding/official/locales/moz.build
+++ b/application/palemoon/branding/official/locales/moz.build
@@ -4,5 +4,4 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-
 JAR_MANIFESTS += ['jar.mn']
\ No newline at end of file
diff --git a/application/palemoon/branding/shared/pref/uaoverrides.inc b/application/palemoon/branding/shared/pref/uaoverrides.inc
index e5e727ee59..5679566408 100644
--- a/application/palemoon/branding/shared/pref/uaoverrides.inc
+++ b/application/palemoon/branding/shared/pref/uaoverrides.inc
@@ -21,6 +21,11 @@
 #define OS_SLICE Windows NT 6.1; WOW64;

 #endif

 

+// Special-case AMO

+// We send the native UA slice now, since they no longer offer any compatible extensions for us.

+// This will result in an "only with Firefox" message which suits us fine, because it's the truth.

+pref("@GUAO_PREF@.addons.mozilla.org","Mozilla/5.0 (@OS_SLICE@ rv:@GRE_VERSION@) @GRE_DATE_SLICE@ @PM_SLICE@");

+

 // Required for domains that have proven unresponsive to requests from users

 pref("@GUAO_PREF@.live.com","Mozilla/5.0 (@OS_SLICE@ rv:@GK_VERSION@) @GK_SLICE@ @FX_SLICE@ (Pale Moon)");

 pref("@GUAO_PREF@.msn.com","Mozilla/5.0 (@OS_SLICE@ rv:@GK_VERSION@) @GK_SLICE@ @FX_SLICE@ (Pale Moon)");

@@ -35,8 +40,8 @@ pref("@GUAO_PREF@.gstatic.com","Mozilla/5.0 (@OS_SLICE@ rv:31.9) @GK_SLICE@ @GRE
 pref("@GUAO_PREF@.yahoo.com","Mozilla/5.0 (@OS_SLICE@ rv:99.9) @GK_SLICE@ Firefox/99.9 (Pale Moon)");

 pref("@GUAO_PREF@.youtube.com","Mozilla/5.0 (@OS_SLICE@ rv:42.0) @GK_SLICE@ Firefox/42.0 @PM_SLICE@");

 pref("@GUAO_PREF@.gaming.youtube.com","Mozilla/5.0 (@OS_SLICE@ rv:42.0) @GK_SLICE@ Firefox/42.0");

+pref("@GUAO_PREF@.dropbox.com","Mozilla/5.0 (@OS_SLICE@ rv:99.9) @GK_SLICE@ Firefox/99.9 (Pale Moon)");

 

-pref("@GUAO_PREF@.dropbox.com","Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko");

 pref("@GUAO_PREF@.players.brightcove.net","Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko");

 

 // The never-ending Facebook debacle...

diff --git a/application/palemoon/branding/unofficial/content/jar.mn b/application/palemoon/branding/unofficial/content/jar.mn
index 821aa03bc4..bdb1e81296 100644
--- a/application/palemoon/branding/unofficial/content/jar.mn
+++ b/application/palemoon/branding/unofficial/content/jar.mn
@@ -4,13 +4,13 @@
 
 browser.jar:
 % content branding %content/branding/ contentaccessible=yes
-  content/branding/about.png                     (about.png)
-  content/branding/about-background.png          (about-background.png)
-  content/branding/about-logo.png                (about-logo.png)
-  content/branding/about-logo@2x.png             (about-logo@2x.png)
-  content/branding/about-wordmark.svg            (about-wordmark.svg)
-  content/branding/icon48.png                    (icon48.png)
-  content/branding/icon64.png                    (icon64.png)
-  content/branding/icon16.png                    (../default16.png)
-  content/branding/icon32.png                    (../default32.png)
-  content/branding/aboutDialog.css               (aboutDialog.css)
+  content/branding/about.png                  (about.png)
+  content/branding/about-background.png       (about-background.png)
+  content/branding/about-logo.png             (about-logo.png)
+  content/branding/about-logo@2x.png          (about-logo@2x.png)
+  content/branding/about-wordmark.svg         (about-wordmark.svg)
+  content/branding/icon48.png                 (icon48.png)
+  content/branding/icon64.png                 (icon64.png)
+  content/branding/icon16.png                 (../default16.png)
+  content/branding/icon32.png                 (../default32.png)
+  content/branding/aboutDialog.css            (aboutDialog.css)
diff --git a/application/palemoon/branding/unofficial/content/moz.build b/application/palemoon/branding/unofficial/content/moz.build
index 35f6d454ac..c97072bba2 100644
--- a/application/palemoon/branding/unofficial/content/moz.build
+++ b/application/palemoon/branding/unofficial/content/moz.build
@@ -4,5 +4,4 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-
 JAR_MANIFESTS += ['jar.mn']
\ No newline at end of file
diff --git a/application/palemoon/branding/unofficial/locales/jar.mn b/application/palemoon/branding/unofficial/locales/jar.mn
index 88aa074345..9de6cfc838 100644
--- a/application/palemoon/branding/unofficial/locales/jar.mn
+++ b/application/palemoon/branding/unofficial/locales/jar.mn
@@ -7,6 +7,6 @@
 @AB_CD@.jar:
 % locale branding @AB_CD@ %locale/branding/
 # Unofficial branding only exists in en-US
-  locale/branding/brand.dtd        (en-US/brand.dtd)
-  locale/branding/brand.properties (en-US/brand.properties)
-  locale/branding/browserconfig.properties (../../shared/locales/browserconfig.properties)
+  locale/branding/brand.dtd                   (en-US/brand.dtd)
+  locale/branding/brand.properties            (en-US/brand.properties)
+  locale/branding/browserconfig.properties    (../../shared/locales/browserconfig.properties)
diff --git a/application/palemoon/branding/unstable/content/jar.mn b/application/palemoon/branding/unstable/content/jar.mn
index d8038bf9e1..6903e9ac52 100644
--- a/application/palemoon/branding/unstable/content/jar.mn
+++ b/application/palemoon/branding/unstable/content/jar.mn
@@ -4,13 +4,13 @@
 
 browser.jar:
 % content branding %content/branding/ contentaccessible=yes
-  content/branding/about.png                     (about.png)
-  content/branding/about-background.png          (about-background.png)
-  content/branding/about-logo.png                (about-logo.png)
-  content/branding/about-logo@2x.png             (about-logo@2x.png)
-  content/branding/about-wordmark.png            (about-wordmark.png)
-  content/branding/icon48.png                    (icon48.png)
-  content/branding/icon64.png                    (icon64.png)
-  content/branding/icon16.png                    (../default16.png)
-  content/branding/icon32.png                    (../default32.png)
-  content/branding/aboutDialog.css               (aboutDialog.css)
+  content/branding/about.png                (about.png)
+  content/branding/about-background.png     (about-background.png)
+  content/branding/about-logo.png           (about-logo.png)
+  content/branding/about-logo@2x.png        (about-logo@2x.png)
+  content/branding/about-wordmark.png       (about-wordmark.png)
+  content/branding/icon48.png               (icon48.png)
+  content/branding/icon64.png               (icon64.png)
+  content/branding/icon16.png               (../default16.png)
+  content/branding/icon32.png               (../default32.png)
+  content/branding/aboutDialog.css          (aboutDialog.css)
diff --git a/application/palemoon/branding/unstable/content/moz.build b/application/palemoon/branding/unstable/content/moz.build
index 35f6d454ac..c97072bba2 100644
--- a/application/palemoon/branding/unstable/content/moz.build
+++ b/application/palemoon/branding/unstable/content/moz.build
@@ -4,5 +4,4 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-
 JAR_MANIFESTS += ['jar.mn']
\ No newline at end of file
diff --git a/application/palemoon/branding/unstable/locales/jar.mn b/application/palemoon/branding/unstable/locales/jar.mn
index 88aa074345..9de6cfc838 100644
--- a/application/palemoon/branding/unstable/locales/jar.mn
+++ b/application/palemoon/branding/unstable/locales/jar.mn
@@ -7,6 +7,6 @@
 @AB_CD@.jar:
 % locale branding @AB_CD@ %locale/branding/
 # Unofficial branding only exists in en-US
-  locale/branding/brand.dtd        (en-US/brand.dtd)
-  locale/branding/brand.properties (en-US/brand.properties)
-  locale/branding/browserconfig.properties (../../shared/locales/browserconfig.properties)
+  locale/branding/brand.dtd                   (en-US/brand.dtd)
+  locale/branding/brand.properties            (en-US/brand.properties)
+  locale/branding/browserconfig.properties    (../../shared/locales/browserconfig.properties)
diff --git a/application/palemoon/components/BrowserComponents.manifest b/application/palemoon/components/BrowserComponents.manifest
index 1e4bff59a4..b7f054eab0 100644
--- a/application/palemoon/components/BrowserComponents.manifest
+++ b/application/palemoon/components/BrowserComponents.manifest
@@ -1,3 +1,22 @@
+# nsAboutRedirector.js
+component {8cc51368-6aa0-43e8-b762-bde9b9fd828c} nsAboutRedirector.js
+# Each entry here should be coupled with an entry in nsAboutRedirector.js
+contract @mozilla.org/network/protocol/about;1?what=certerror {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=downloads {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=feeds {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=home {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=newtab {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=palemoon {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=permissions {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=privatebrowsing {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=rights {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=robots {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=sessionrestore {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+#ifdef MOZ_SERVICES_SYNC
+contract @mozilla.org/network/protocol/about;1?what=sync-progress {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+contract @mozilla.org/network/protocol/about;1?what=sync-tabs {8cc51368-6aa0-43e8-b762-bde9b9fd828c}
+#endif
+
 # nsBrowserContentHandler.js
 component {5d0ce354-df01-421a-83fb-7ead0990c24e} nsBrowserContentHandler.js application={8de7fcbb-c55c-4fbe-bfc5-fc555c87dbc4}
 contract @mozilla.org/browser/clh;1 {5d0ce354-df01-421a-83fb-7ead0990c24e} application={8de7fcbb-c55c-4fbe-bfc5-fc555c87dbc4}
diff --git a/application/palemoon/components/about/AboutRedirector.cpp b/application/palemoon/components/about/AboutRedirector.cpp
deleted file mode 100644
index fbcad6094a..0000000000
--- a/application/palemoon/components/about/AboutRedirector.cpp
+++ /dev/null
@@ -1,184 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// See also: docshell/base/nsAboutRedirector.cpp
-
-#include "AboutRedirector.h"
-#include "nsNetUtil.h"
-#include "nsIScriptSecurityManager.h"
-#include "mozilla/ArrayUtils.h"
-
-namespace mozilla {
-namespace browser {
-
-NS_IMPL_ISUPPORTS(AboutRedirector, nsIAboutModule)
-
-struct RedirEntry {
-  const char* id;
-  const char* url;
-  uint32_t flags;
-};
-
-/*
-  Entries which do not have URI_SAFE_FOR_UNTRUSTED_CONTENT will run with chrome
-  privileges. This is potentially dangerous. Please use
-  URI_SAFE_FOR_UNTRUSTED_CONTENT in the third argument to each map item below
-  unless your about: page really needs chrome privileges. Security review is
-  required before adding new map entries without
-  URI_SAFE_FOR_UNTRUSTED_CONTENT.
-*/
-static RedirEntry kRedirMap[] = {
-  {
-    "certerror", "chrome://browser/content/certerror/aboutCertError.xhtml",
-    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
-    nsIAboutModule::ALLOW_SCRIPT |
-    nsIAboutModule::HIDE_FROM_ABOUTABOUT
-  },
-  {
-    "downloads", "chrome://browser/content/downloads/contentAreaDownloadsView.xul",
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-  {
-    "feeds", "chrome://browser/content/feeds/subscribe.xhtml",
-    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
-    nsIAboutModule::ALLOW_SCRIPT |
-    nsIAboutModule::HIDE_FROM_ABOUTABOUT
-  },
-  {
-    "home", "chrome://browser/content/abouthome/aboutHome.xhtml",
-    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
-    nsIAboutModule::MAKE_LINKABLE |
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-  {
-    "newtab", "chrome://browser/content/newtab/newTab.xhtml",
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-  {
-    "palemoon", "chrome://browser/content/palemoon.xhtml",
-    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
-    nsIAboutModule::HIDE_FROM_ABOUTABOUT
-  },
-  {
-    "permissions", "chrome://browser/content/permissions/aboutPermissions.xul",
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-  {
-    "privatebrowsing", "chrome://browser/content/aboutPrivateBrowsing.xhtml",
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-  {
-    "rights", "chrome://global/content/aboutRights.xhtml",
-    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
-    nsIAboutModule::MAKE_LINKABLE |
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-  {
-    "robots", "chrome://browser/content/aboutRobots.xhtml",
-    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-  {
-    "sessionrestore", "chrome://browser/content/aboutSessionRestore.xhtml",
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-#ifdef MOZ_SERVICES_SYNC
-  {
-    "sync-progress", "chrome://browser/content/sync/progress.xhtml",
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-  {
-    "sync-tabs", "chrome://browser/content/sync/aboutSyncTabs.xul",
-    nsIAboutModule::ALLOW_SCRIPT
-  },
-#endif
-};
-static const int kRedirTotal = ArrayLength(kRedirMap);
-
-static nsAutoCString
-GetAboutModuleName(nsIURI *aURI)
-{
-  nsAutoCString path;
-  aURI->GetPath(path);
-
-  int32_t f = path.FindChar('#');
-  if (f >= 0)
-    path.SetLength(f);
-
-  f = path.FindChar('?');
-  if (f >= 0)
-    path.SetLength(f);
-
-  ToLowerCase(path);
-  return path;
-}
-
-NS_IMETHODIMP
-AboutRedirector::NewChannel(nsIURI* aURI,
-                            nsILoadInfo* aLoadInfo,
-                            nsIChannel** result)
-{
-  NS_ENSURE_ARG_POINTER(aURI);
-  NS_ASSERTION(result, "must not be null");
-
-  nsAutoCString path = GetAboutModuleName(aURI);
-
-  nsresult rv;
-  nsCOMPtr<nsIIOService> ioService = do_GetIOService(&rv);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  for (int i = 0; i < kRedirTotal; i++) {
-    if (!strcmp(path.get(), kRedirMap[i].id)) {
-      nsCOMPtr<nsIChannel> tempChannel;
-      nsCOMPtr<nsIURI> tempURI;
-      rv = NS_NewURI(getter_AddRefs(tempURI),
-                     nsDependentCString(kRedirMap[i].url));
-      NS_ENSURE_SUCCESS(rv, rv);
-      rv = NS_NewChannelInternal(getter_AddRefs(tempChannel),
-                                 tempURI,
-                                 aLoadInfo);
-      NS_ENSURE_SUCCESS(rv, rv);
-
-      tempChannel->SetOriginalURI(aURI);
-
-      NS_ADDREF(*result = tempChannel);
-      return rv;
-    }
-  }
-
-  return NS_ERROR_ILLEGAL_VALUE;
-}
-
-NS_IMETHODIMP
-AboutRedirector::GetURIFlags(nsIURI *aURI, uint32_t *result)
-{
-  NS_ENSURE_ARG_POINTER(aURI);
-
-  nsAutoCString name = GetAboutModuleName(aURI);
-
-  for (int i = 0; i < kRedirTotal; i++) {
-    if (name.Equals(kRedirMap[i].id)) {
-      *result = kRedirMap[i].flags;
-      return NS_OK;
-    }
-  }
-
-  return NS_ERROR_ILLEGAL_VALUE;
-}
-
-nsresult
-AboutRedirector::Create(nsISupports *aOuter, REFNSIID aIID, void **result)
-{
-  AboutRedirector* about = new AboutRedirector();
-  if (about == nullptr)
-    return NS_ERROR_OUT_OF_MEMORY;
-  NS_ADDREF(about);
-  nsresult rv = about->QueryInterface(aIID, result);
-  NS_RELEASE(about);
-  return rv;
-}
-
-} // namespace browser
-} // namespace mozilla
diff --git a/application/palemoon/components/about/AboutRedirector.h b/application/palemoon/components/about/AboutRedirector.h
deleted file mode 100644
index 8feeb74912..0000000000
--- a/application/palemoon/components/about/AboutRedirector.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef AboutRedirector_h__
-#define AboutRedirector_h__
-
-#include "nsIAboutModule.h"
-
-namespace mozilla {
-namespace browser {
-
-class AboutRedirector : public nsIAboutModule
-{
-public:
-  NS_DECL_ISUPPORTS
-  NS_DECL_NSIABOUTMODULE
- 
-  AboutRedirector() {}
-
-  static nsresult
-    Create(nsISupports *aOuter, REFNSIID aIID, void **aResult);
-
-protected:
-  virtual ~AboutRedirector() {}
-};
-
-} // namespace browser
-} // namespace mozilla
-
-#endif // AboutRedirector_h__
diff --git a/application/palemoon/base/content/abouthome/aboutHome.css b/application/palemoon/components/abouthome/aboutHome.css
index 73c6862021..2b062e8e7e 100644
--- a/application/palemoon/base/content/abouthome/aboutHome.css
+++ b/application/palemoon/components/abouthome/aboutHome.css
@@ -262,9 +262,11 @@ body[narrow] #restorePreviousSession {
   content: url("chrome://browser/content/abouthome/addons.png");
 }
 
+%ifdef MOZ_SERVICES_SYNC
 #sync::before {
   content: url("chrome://browser/content/abouthome/sync.png");
 }
+%endif
 
 #settings::before {
   content: url("chrome://browser/content/abouthome/settings.png");
@@ -320,9 +322,11 @@ body[narrow] #restorePreviousSession::before {
     content: url("chrome://browser/content/abouthome/addons@2x.png");
   }
 
+%ifdef MOZ_SERVICES_SYNC
   #sync::before {
     content: url("chrome://browser/content/abouthome/sync@2x.png");
   }
+%endif
 
   #settings::before {
     content: url("chrome://browser/content/abouthome/settings@2x.png");
diff --git a/application/palemoon/base/content/abouthome/aboutHome.js b/application/palemoon/components/abouthome/aboutHome.js
index 6ff8eee984..6ff8eee984 100644
--- a/application/palemoon/base/content/abouthome/aboutHome.js
+++ b/application/palemoon/components/abouthome/aboutHome.js
diff --git a/application/palemoon/base/content/abouthome/aboutHome.xhtml b/application/palemoon/components/abouthome/aboutHome.xhtml
index cb3fa634a6..d72ec492ea 100644
--- a/application/palemoon/base/content/abouthome/aboutHome.xhtml
+++ b/application/palemoon/components/abouthome/aboutHome.xhtml
@@ -51,7 +51,9 @@
       <button class="launchButton" id="bookmarks">&abouthome.bookmarksButton.label;</button>
       <button class="launchButton" id="history">&abouthome.historyButton.label;</button>
       <button class="launchButton" id="addons">&abouthome.addonsButton.label;</button>
+#ifdef MOZ_SERVICES_SYNC
       <button class="launchButton" id="sync">&abouthome.syncButton.label;</button>
+#endif
       <button class="launchButton" id="settings">&abouthome.settingsButton.label;</button>
       <div id="restorePreviousSessionSeparator"/>
       <button class="launchButton" id="restorePreviousSession">&historyRestoreLastSession.label;</button>
diff --git a/application/palemoon/base/content/abouthome/addons.png b/application/palemoon/components/abouthome/addons.png
index 41519ce498..41519ce498 100644
--- a/application/palemoon/base/content/abouthome/addons.png
+++ b/application/palemoon/components/abouthome/addons.png
diff --git a/application/palemoon/base/content/abouthome/addons@2x.png b/application/palemoon/components/abouthome/addons@2x.png
index d4d04ee8ca..d4d04ee8ca 100644
--- a/application/palemoon/base/content/abouthome/addons@2x.png
+++ b/application/palemoon/components/abouthome/addons@2x.png
diff --git a/application/palemoon/base/content/abouthome/bookmarks.png b/application/palemoon/components/abouthome/bookmarks.png
index 5c7e194a61..5c7e194a61 100644
--- a/application/palemoon/base/content/abouthome/bookmarks.png
+++ b/application/palemoon/components/abouthome/bookmarks.png
diff --git a/application/palemoon/base/content/abouthome/bookmarks@2x.png b/application/palemoon/components/abouthome/bookmarks@2x.png
index 7ede00744c..7ede00744c 100644
--- a/application/palemoon/base/content/abouthome/bookmarks@2x.png
+++ b/application/palemoon/components/abouthome/bookmarks@2x.png
diff --git a/application/palemoon/base/content/abouthome/downloads.png b/application/palemoon/components/abouthome/downloads.png
index 3d4d10e7ab..3d4d10e7ab 100644
--- a/application/palemoon/base/content/abouthome/downloads.png
+++ b/application/palemoon/components/abouthome/downloads.png
diff --git a/application/palemoon/base/content/abouthome/downloads@2x.png b/application/palemoon/components/abouthome/downloads@2x.png
index d384a22c6d..d384a22c6d 100644
--- a/application/palemoon/base/content/abouthome/downloads@2x.png
+++ b/application/palemoon/components/abouthome/downloads@2x.png
diff --git a/application/palemoon/base/content/abouthome/history.png b/application/palemoon/components/abouthome/history.png
index ae742b1aa8..ae742b1aa8 100644
--- a/application/palemoon/base/content/abouthome/history.png
+++ b/application/palemoon/components/abouthome/history.png
diff --git a/application/palemoon/base/content/abouthome/history@2x.png b/application/palemoon/components/abouthome/history@2x.png
index 696902e7ca..696902e7ca 100644
--- a/application/palemoon/base/content/abouthome/history@2x.png
+++ b/application/palemoon/components/abouthome/history@2x.png
diff --git a/application/palemoon/components/abouthome/jar.mn b/application/palemoon/components/abouthome/jar.mn
new file mode 100644
index 0000000000..e1ae4ac421
--- /dev/null
+++ b/application/palemoon/components/abouthome/jar.mn
@@ -0,0 +1,33 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+browser.jar:
+* content/browser/abouthome/aboutHome.xhtml
+  content/browser/abouthome/aboutHome.js
+* content/browser/abouthome/aboutHome.css
+  content/browser/abouthome/noise.png
+  content/browser/abouthome/snippet1.png
+  content/browser/abouthome/snippet2.png
+  content/browser/abouthome/downloads.png
+  content/browser/abouthome/bookmarks.png
+  content/browser/abouthome/history.png
+  content/browser/abouthome/addons.png
+#ifdef MOZ_SERVICES_SYNC
+  content/browser/abouthome/sync.png
+#endif
+  content/browser/abouthome/settings.png
+  content/browser/abouthome/restore.png
+  content/browser/abouthome/restore-large.png
+  content/browser/abouthome/snippet1@2x.png
+  content/browser/abouthome/snippet2@2x.png
+  content/browser/abouthome/downloads@2x.png
+  content/browser/abouthome/bookmarks@2x.png
+  content/browser/abouthome/history@2x.png
+  content/browser/abouthome/addons@2x.png
+#ifdef MOZ_SERVICES_SYNC
+  content/browser/abouthome/sync@2x.png
+#endif
+  content/browser/abouthome/settings@2x.png
+  content/browser/abouthome/restore@2x.png
+  content/browser/abouthome/restore-large@2x.png
\ No newline at end of file
diff --git a/toolkit/library/dummydll/moz.build b/application/palemoon/components/abouthome/moz.build
index 01a0ddba88..2d64d506c1 100644
--- a/toolkit/library/dummydll/moz.build
+++ b/application/palemoon/components/abouthome/moz.build
@@ -4,16 +4,5 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-# Bug 1294650 - populate our install with a shim dll to work around a
-# 3rd party code injection crash.
+JAR_MANIFESTS += ['jar.mn']
 
-SOURCES += [
-    'dummydll.cpp',
-]
-
-if CONFIG['CPU_ARCH'] == 'x86_64':
-  GeckoSharedLibrary('qipcap64')
-else:
-  GeckoSharedLibrary('qipcap')
-
-NO_VISIBILITY_FLAGS = True
diff --git a/application/palemoon/base/content/abouthome/noise.png b/application/palemoon/components/abouthome/noise.png
index 3467cf4d47..3467cf4d47 100644
--- a/application/palemoon/base/content/abouthome/noise.png
+++ b/application/palemoon/components/abouthome/noise.png
diff --git a/application/palemoon/base/content/abouthome/restore-large.png b/application/palemoon/components/abouthome/restore-large.png
index ef593e6e14..ef593e6e14 100644
--- a/application/palemoon/base/content/abouthome/restore-large.png
+++ b/application/palemoon/components/abouthome/restore-large.png
diff --git a/application/palemoon/base/content/abouthome/restore-large@2x.png b/application/palemoon/components/abouthome/restore-large@2x.png
index d5c71d0b04..d5c71d0b04 100644
--- a/application/palemoon/base/content/abouthome/restore-large@2x.png
+++ b/application/palemoon/components/abouthome/restore-large@2x.png
diff --git a/application/palemoon/base/content/abouthome/restore.png b/application/palemoon/components/abouthome/restore.png
index 5c3d6f4376..5c3d6f4376 100644
--- a/application/palemoon/base/content/abouthome/restore.png
+++ b/application/palemoon/components/abouthome/restore.png
diff --git a/application/palemoon/base/content/abouthome/restore@2x.png b/application/palemoon/components/abouthome/restore@2x.png
index 5acb630522..5acb630522 100644
--- a/application/palemoon/base/content/abouthome/restore@2x.png
+++ b/application/palemoon/components/abouthome/restore@2x.png
diff --git a/application/palemoon/base/content/abouthome/settings.png b/application/palemoon/components/abouthome/settings.png
index 4b0c309909..4b0c309909 100644
--- a/application/palemoon/base/content/abouthome/settings.png
+++ b/application/palemoon/components/abouthome/settings.png
diff --git a/application/palemoon/base/content/abouthome/settings@2x.png b/application/palemoon/components/abouthome/settings@2x.png
index c77cb9a92c..c77cb9a92c 100644
--- a/application/palemoon/base/content/abouthome/settings@2x.png
+++ b/application/palemoon/components/abouthome/settings@2x.png
diff --git a/application/palemoon/base/content/abouthome/snippet1.png b/application/palemoon/components/abouthome/snippet1.png
index ce2ec55c23..ce2ec55c23 100644
--- a/application/palemoon/base/content/abouthome/snippet1.png
+++ b/application/palemoon/components/abouthome/snippet1.png
diff --git a/application/palemoon/base/content/abouthome/snippet1@2x.png b/application/palemoon/components/abouthome/snippet1@2x.png
index f57cd0a827..f57cd0a827 100644
--- a/application/palemoon/base/content/abouthome/snippet1@2x.png
+++ b/application/palemoon/components/abouthome/snippet1@2x.png
diff --git a/application/palemoon/base/content/abouthome/snippet2.png b/application/palemoon/components/abouthome/snippet2.png
index e0724fb6df..e0724fb6df 100644
--- a/application/palemoon/base/content/abouthome/snippet2.png
+++ b/application/palemoon/components/abouthome/snippet2.png
diff --git a/application/palemoon/base/content/abouthome/snippet2@2x.png b/application/palemoon/components/abouthome/snippet2@2x.png
index 40577f52f6..40577f52f6 100644
--- a/application/palemoon/base/content/abouthome/snippet2@2x.png
+++ b/application/palemoon/components/abouthome/snippet2@2x.png
diff --git a/application/palemoon/base/content/abouthome/sync.png b/application/palemoon/components/abouthome/sync.png
index 11e40cc937..11e40cc937 100644
--- a/application/palemoon/base/content/abouthome/sync.png
+++ b/application/palemoon/components/abouthome/sync.png
diff --git a/application/palemoon/base/content/abouthome/sync@2x.png b/application/palemoon/components/abouthome/sync@2x.png
index 6354f5bf90..6354f5bf90 100644
--- a/application/palemoon/base/content/abouthome/sync@2x.png
+++ b/application/palemoon/components/abouthome/sync@2x.png
diff --git a/application/palemoon/components/build/moz.build b/application/palemoon/components/build/moz.build
index c85723e16e..ea1f77163e 100644
--- a/application/palemoon/components/build/moz.build
+++ b/application/palemoon/components/build/moz.build
@@ -4,18 +4,13 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-EXPORTS += [
-    'nsBrowserCompsCID.h',
-]
+EXPORTS += ['nsBrowserCompsCID.h']
 
-SOURCES += [
-    'nsModule.cpp',
-]
+SOURCES += ['nsModule.cpp']
 
 XPCOMBinaryComponent('browsercomps')
 
 LOCAL_INCLUDES += [
-    '../about',
     '../dirprovider',
     '../feeds',
     '../shell',
diff --git a/application/palemoon/components/build/nsBrowserCompsCID.h b/application/palemoon/components/build/nsBrowserCompsCID.h
index 23670ae807..bbaa9ab8a1 100644
--- a/application/palemoon/components/build/nsBrowserCompsCID.h
+++ b/application/palemoon/components/build/nsBrowserCompsCID.h
@@ -26,10 +26,6 @@
 #define NS_PRIVATE_BROWSING_SERVICE_WRAPPER_CID \
 { 0x136e2c4d, 0xc5a4, 0x477c, { 0xb1, 0x31, 0xd9, 0x3d, 0x7d, 0x70, 0x4f, 0x64 } }
 
-// 7e4bb6ad-2fc4-4dc6-89ef-23e8e5ccf980
-#define NS_BROWSER_ABOUT_REDIRECTOR_CID \
-{ 0x7e4bb6ad, 0x2fc4, 0x4dc6, { 0x89, 0xef, 0x23, 0xe8, 0xe5, 0xcc, 0xf9, 0x80 } }
-
 // {6DEB193C-F87D-4078-BC78-5E64655B4D62}
 #define NS_BROWSERDIRECTORYPROVIDER_CID \
 { 0x6deb193c, 0xf87d, 0x4078, { 0xbc, 0x78, 0x5e, 0x64, 0x65, 0x5b, 0x4d, 0x62 } }
diff --git a/application/palemoon/components/build/nsModule.cpp b/application/palemoon/components/build/nsModule.cpp
index 304280ca97..f98fc08d7a 100644
--- a/application/palemoon/components/build/nsModule.cpp
+++ b/application/palemoon/components/build/nsModule.cpp
@@ -18,8 +18,6 @@
 
 #include "rdf.h"
 #include "nsFeedSniffer.h"
-#include "AboutRedirector.h"
-#include "nsIAboutModule.h"
 
 #include "nsNetCID.h"
 
@@ -45,7 +43,6 @@ NS_DEFINE_NAMED_CID(NS_SHELLSERVICE_CID);
 NS_DEFINE_NAMED_CID(NS_SHELLSERVICE_CID);
 #endif
 NS_DEFINE_NAMED_CID(NS_FEEDSNIFFER_CID);
-NS_DEFINE_NAMED_CID(NS_BROWSER_ABOUT_REDIRECTOR_CID);
 #ifdef XP_MACOSX
 NS_DEFINE_NAMED_CID(NS_SHELLSERVICE_CID);
 #endif
@@ -58,7 +55,6 @@ static const mozilla::Module::CIDEntry kBrowserCIDs[] = {
     { &kNS_SHELLSERVICE_CID, false, nullptr, nsGNOMEShellServiceConstructor },
 #endif
     { &kNS_FEEDSNIFFER_CID, false, nullptr, nsFeedSnifferConstructor },
-    { &kNS_BROWSER_ABOUT_REDIRECTOR_CID, false, nullptr, AboutRedirector::Create },
 #ifdef XP_MACOSX
     { &kNS_SHELLSERVICE_CID, false, nullptr, nsMacShellServiceConstructor },
 #endif
@@ -73,22 +69,6 @@ static const mozilla::Module::ContractIDEntry kBrowserContracts[] = {
     { NS_SHELLSERVICE_CONTRACTID, &kNS_SHELLSERVICE_CID },
 #endif
     { NS_FEEDSNIFFER_CONTRACTID, &kNS_FEEDSNIFFER_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "certerror", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "socialerror", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "feeds", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "privatebrowsing", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "rights", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "palemoon", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "robots", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "sessionrestore", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-#ifdef MOZ_SERVICES_SYNC
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "sync-tabs", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "sync-progress", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-#endif
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "home", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "newtab", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "permissions", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
-    { NS_ABOUT_MODULE_CONTRACTID_PREFIX "downloads", &kNS_BROWSER_ABOUT_REDIRECTOR_CID },
 #ifdef XP_MACOSX
     { NS_SHELLSERVICE_CONTRACTID, &kNS_SHELLSERVICE_CID },
 #endif
diff --git a/application/palemoon/components/certerror/jar.mn b/application/palemoon/components/certerror/jar.mn
index 64aecae929..08e0710275 100644
--- a/application/palemoon/components/certerror/jar.mn
+++ b/application/palemoon/components/certerror/jar.mn
@@ -3,5 +3,5 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-  content/browser/certerror/aboutCertError.xhtml               (content/aboutCertError.xhtml)
-  content/browser/certerror/aboutCertError.css                 (content/aboutCertError.css)
+  content/browser/certerror/aboutCertError.xhtml      (content/aboutCertError.xhtml)
+  content/browser/certerror/aboutCertError.css        (content/aboutCertError.css)
diff --git a/application/palemoon/components/certerror/moz.build b/application/palemoon/components/certerror/moz.build
index 35f6d454ac..c97072bba2 100644
--- a/application/palemoon/components/certerror/moz.build
+++ b/application/palemoon/components/certerror/moz.build
@@ -4,5 +4,4 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-
 JAR_MANIFESTS += ['jar.mn']
\ No newline at end of file
diff --git a/application/palemoon/components/dirprovider/moz.build b/application/palemoon/components/dirprovider/moz.build
index e51e634494..b01c4a3bcd 100644
--- a/application/palemoon/components/dirprovider/moz.build
+++ b/application/palemoon/components/dirprovider/moz.build
@@ -4,16 +4,10 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-EXPORTS.mozilla.browser += [
-    'DirectoryProvider.h',
-]
+EXPORTS.mozilla.browser += ['DirectoryProvider.h']
 
-SOURCES += [
-    'DirectoryProvider.cpp',
-]
+SOURCES += ['DirectoryProvider.cpp']
 
 FINAL_LIBRARY = 'browsercomps'
 
-LOCAL_INCLUDES += [
-    '../build'
-]
+LOCAL_INCLUDES += ['../build']
diff --git a/application/palemoon/components/downloads/jar.mn b/application/palemoon/components/downloads/jar.mn
index 8f8c66dd7f..8c0b51902b 100644
--- a/application/palemoon/components/downloads/jar.mn
+++ b/application/palemoon/components/downloads/jar.mn
@@ -3,16 +3,16 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-*       content/browser/downloads/download.xml           (content/download.xml)
-        content/browser/downloads/download.css           (content/download.css)
-        content/browser/downloads/downloads.css          (content/downloads.css)
-*       content/browser/downloads/downloads.js           (content/downloads.js)
-*       content/browser/downloads/downloadsOverlay.xul   (content/downloadsOverlay.xul)
-        content/browser/downloads/indicator.js           (content/indicator.js)
-        content/browser/downloads/indicatorOverlay.xul   (content/indicatorOverlay.xul)
-*       content/browser/downloads/allDownloadsViewOverlay.xul (content/allDownloadsViewOverlay.xul)
-        content/browser/downloads/allDownloadsViewOverlay.js  (content/allDownloadsViewOverlay.js)
-        content/browser/downloads/allDownloadsViewOverlay.css (content/allDownloadsViewOverlay.css)
-*       content/browser/downloads/contentAreaDownloadsView.xul (content/contentAreaDownloadsView.xul)
-        content/browser/downloads/contentAreaDownloadsView.js  (content/contentAreaDownloadsView.js)
-        content/browser/downloads/contentAreaDownloadsView.css (content/contentAreaDownloadsView.css)
+* content/browser/downloads/download.xml                      (content/download.xml)
+  content/browser/downloads/download.css                      (content/download.css)
+  content/browser/downloads/downloads.css                     (content/downloads.css)
+* content/browser/downloads/downloads.js                      (content/downloads.js)
+* content/browser/downloads/downloadsOverlay.xul              (content/downloadsOverlay.xul)
+  content/browser/downloads/indicator.js                      (content/indicator.js)
+  content/browser/downloads/indicatorOverlay.xul              (content/indicatorOverlay.xul)
+* content/browser/downloads/allDownloadsViewOverlay.xul       (content/allDownloadsViewOverlay.xul)
+  content/browser/downloads/allDownloadsViewOverlay.js        (content/allDownloadsViewOverlay.js)
+  content/browser/downloads/allDownloadsViewOverlay.css       (content/allDownloadsViewOverlay.css)
+* content/browser/downloads/contentAreaDownloadsView.xul      (content/contentAreaDownloadsView.xul)
+  content/browser/downloads/contentAreaDownloadsView.js       (content/contentAreaDownloadsView.js)
+  content/browser/downloads/contentAreaDownloadsView.css      (content/contentAreaDownloadsView.css)
diff --git a/application/palemoon/components/feeds/FeedWriter.js b/application/palemoon/components/feeds/FeedWriter.js
index 2ae31dffa2..d704835bb7 100644
--- a/application/palemoon/components/feeds/FeedWriter.js
+++ b/application/palemoon/components/feeds/FeedWriter.js
@@ -692,21 +692,6 @@ FeedWriter.prototype = {
   },
 
   /**
-   * Get moz-icon url for a file
-   * @param   file
-   *          A nsIFile object for which the moz-icon:// is returned
-   * @returns moz-icon url of the given file as a string
-   */
-  _getFileIconURL: function FW__getFileIconURL(file) {
-    var ios = Cc["@mozilla.org/network/io-service;1"].
-              getService(Ci.nsIIOService);
-    var fph = ios.getProtocolHandler("file")
-                 .QueryInterface(Ci.nsIFileProtocolHandler);
-    var urlSpec = fph.getURLSpecFromFile(file);
-    return "moz-icon://" + urlSpec + "?size=16";
-  },
-
-  /**
    * Helper method to set the selected application and system default
    * reader menuitems details from a file object
    *   @param aMenuItem
@@ -717,7 +702,10 @@ FeedWriter.prototype = {
   _initMenuItemWithFile: function(aMenuItem, aFile) {
     this._contentSandbox.menuitem = aMenuItem;
     this._contentSandbox.label = this._getFileDisplayName(aFile);
-    this._contentSandbox.image = this._getFileIconURL(aFile);
+    // For security reasons, access to moz-icon:file://... URIs is
+    // no longer allowed (indirect file system access from content).
+    // We use a dummy application instead to get a generic icon.
+    this._contentSandbox.image = "moz-icon://dummy.exe?size=16";
     var codeStr = "menuitem.setAttribute('label', label); " +
                   "menuitem.setAttribute('image', image);"
     Cu.evalInSandbox(codeStr, this._contentSandbox);
diff --git a/application/palemoon/components/feeds/WebContentConverter.js b/application/palemoon/components/feeds/WebContentConverter.js
index 674c8f3638..41679b0281 100644
--- a/application/palemoon/components/feeds/WebContentConverter.js
+++ b/application/palemoon/components/feeds/WebContentConverter.js
@@ -63,7 +63,7 @@ const PREF_SELECTED_WEB = "browser.feeds.handlers.webservice";
 const PREF_SELECTED_ACTION = "browser.feeds.handler";
 const PREF_SELECTED_READER = "browser.feeds.handler.default";
 const PREF_HANDLER_EXTERNAL_PREFIX = "network.protocol-handler.external";
-const PREF_ALLOW_DIFFERENT_HOST = "goanna.handlerService.allowRegisterFromDifferentHost";
+const PREF_ALLOW_DIFFERENT_HOST = "gecko.handlerService.allowRegisterFromDifferentHost";
 
 const STRING_BUNDLE_URI = "chrome://browser/locale/feeds/subscribe.properties";
 
diff --git a/application/palemoon/components/feeds/jar.mn b/application/palemoon/components/feeds/jar.mn
index 2fae7efae8..f8896f8772 100644
--- a/application/palemoon/components/feeds/jar.mn
+++ b/application/palemoon/components/feeds/jar.mn
@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-    content/browser/feeds/subscribe.xhtml               (content/subscribe.xhtml) 
-    content/browser/feeds/subscribe.js                  (content/subscribe.js)
-    content/browser/feeds/subscribe.xml                 (content/subscribe.xml)
-    content/browser/feeds/subscribe.css                 (content/subscribe.css)
+  content/browser/feeds/subscribe.xhtml       (content/subscribe.xhtml) 
+  content/browser/feeds/subscribe.js          (content/subscribe.js)
+  content/browser/feeds/subscribe.xml         (content/subscribe.xml)
+  content/browser/feeds/subscribe.css         (content/subscribe.css)
diff --git a/application/palemoon/components/feeds/moz.build b/application/palemoon/components/feeds/moz.build
index 7ae9141aa4..736920a735 100644
--- a/application/palemoon/components/feeds/moz.build
+++ b/application/palemoon/components/feeds/moz.build
@@ -13,9 +13,7 @@ XPIDL_SOURCES += [
 
 XPIDL_MODULE = 'browser-feeds'
 
-SOURCES += [
-    'nsFeedSniffer.cpp',
-]
+SOURCES += ['nsFeedSniffer.cpp']
 
 EXTRA_COMPONENTS += [
     'BrowserFeeds.manifest',
@@ -32,6 +30,4 @@ FINAL_LIBRARY = 'browsercomps'
 for var in ('MOZ_APP_NAME', 'MOZ_MACBUNDLE_NAME'):
     DEFINES[var] = CONFIG[var]
 
-LOCAL_INCLUDES += [
-    '../build',
-]
+LOCAL_INCLUDES += ['../build']
diff --git a/application/palemoon/components/fuel/moz.build b/application/palemoon/components/fuel/moz.build
index e78eda0882..5c468f27d3 100644
--- a/application/palemoon/components/fuel/moz.build
+++ b/application/palemoon/components/fuel/moz.build
@@ -4,17 +4,11 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-XPIDL_SOURCES += [
-    'fuelIApplication.idl',
-]
+XPIDL_SOURCES += ['fuelIApplication.idl']
 
 XPIDL_MODULE = 'fuel'
 
-EXTRA_COMPONENTS += [
-    'fuelApplication.manifest',
-]
+EXTRA_COMPONENTS += ['fuelApplication.manifest']
 
-EXTRA_PP_COMPONENTS += [
-    'fuelApplication.js',
-]
+EXTRA_PP_COMPONENTS += ['fuelApplication.js']
 
diff --git a/application/palemoon/components/moz.build b/application/palemoon/components/moz.build
index 397bf5142d..eb2771c487 100644
--- a/application/palemoon/components/moz.build
+++ b/application/palemoon/components/moz.build
@@ -5,12 +5,14 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 DIRS += [
-    'about',
+    'abouthome',
     'certerror',
     'dirprovider',
     'downloads',
     'feeds',
     'fuel',
+    'newtab',
+    'pageinfo',
     'places',
     'permissions',
     'preferences',
@@ -23,6 +25,9 @@ DIRS += [
 if CONFIG['MOZ_BROWSER_STATUSBAR']:
     DIRS += ['statusbar']
 
+if CONFIG['MOZ_SERVICES_SYNC']:
+    DIRS += ['sync']
+
 DIRS += ['build']
 
 XPIDL_SOURCES += [
@@ -32,9 +37,9 @@ XPIDL_SOURCES += [
 
 XPIDL_MODULE = 'browsercompsbase'
 
-EXTRA_COMPONENTS += [ 'BrowserComponents.manifest' ]
-
 EXTRA_PP_COMPONENTS += [
+    'BrowserComponents.manifest',
+    'nsAboutRedirector.js',
     'nsBrowserContentHandler.js',
     'nsBrowserGlue.js',
 ]
diff --git a/application/palemoon/base/content/newtab/cells.js b/application/palemoon/components/newtab/cells.js
index 47d4ef52d7..47d4ef52d7 100644
--- a/application/palemoon/base/content/newtab/cells.js
+++ b/application/palemoon/components/newtab/cells.js
diff --git a/application/palemoon/base/content/newtab/drag.js b/application/palemoon/components/newtab/drag.js
index e3928ebd0b..e3928ebd0b 100644
--- a/application/palemoon/base/content/newtab/drag.js
+++ b/application/palemoon/components/newtab/drag.js
diff --git a/application/palemoon/base/content/newtab/dragDataHelper.js b/application/palemoon/components/newtab/dragDataHelper.js
index 675ff26711..675ff26711 100644
--- a/application/palemoon/base/content/newtab/dragDataHelper.js
+++ b/application/palemoon/components/newtab/dragDataHelper.js
diff --git a/application/palemoon/base/content/newtab/drop.js b/application/palemoon/components/newtab/drop.js
index 748652455c..748652455c 100644
--- a/application/palemoon/base/content/newtab/drop.js
+++ b/application/palemoon/components/newtab/drop.js
diff --git a/application/palemoon/base/content/newtab/dropPreview.js b/application/palemoon/components/newtab/dropPreview.js
index fd7587a35e..fd7587a35e 100644
--- a/application/palemoon/base/content/newtab/dropPreview.js
+++ b/application/palemoon/components/newtab/dropPreview.js
diff --git a/application/palemoon/base/content/newtab/dropTargetShim.js b/application/palemoon/components/newtab/dropTargetShim.js
index 57a97fa00a..57a97fa00a 100644
--- a/application/palemoon/base/content/newtab/dropTargetShim.js
+++ b/application/palemoon/components/newtab/dropTargetShim.js
diff --git a/application/palemoon/base/content/newtab/grid.js b/application/palemoon/components/newtab/grid.js
index db3d319c32..db3d319c32 100644
--- a/application/palemoon/base/content/newtab/grid.js
+++ b/application/palemoon/components/newtab/grid.js
diff --git a/application/palemoon/components/newtab/jar.mn b/application/palemoon/components/newtab/jar.mn
new file mode 100644
index 0000000000..2d62914220
--- /dev/null
+++ b/application/palemoon/components/newtab/jar.mn
@@ -0,0 +1,8 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+browser.jar:
+  content/browser/newtab/newTab.xhtml
+* content/browser/newtab/newTab.js
+  content/browser/newtab/newTab.css
\ No newline at end of file
diff --git a/application/palemoon/components/newtab/moz.build b/application/palemoon/components/newtab/moz.build
new file mode 100644
index 0000000000..2d64d506c1
--- /dev/null
+++ b/application/palemoon/components/newtab/moz.build
@@ -0,0 +1,8 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+JAR_MANIFESTS += ['jar.mn']
+
diff --git a/application/palemoon/base/content/newtab/newTab.css b/application/palemoon/components/newtab/newTab.css
index 3c7cfa1027..3c7cfa1027 100644
--- a/application/palemoon/base/content/newtab/newTab.css
+++ b/application/palemoon/components/newtab/newTab.css
diff --git a/application/palemoon/base/content/newtab/newTab.js b/application/palemoon/components/newtab/newTab.js
index 0022f21bb4..0022f21bb4 100644
--- a/application/palemoon/base/content/newtab/newTab.js
+++ b/application/palemoon/components/newtab/newTab.js
diff --git a/application/palemoon/base/content/newtab/newTab.xhtml b/application/palemoon/components/newtab/newTab.xhtml
index de000e723d..de000e723d 100644
--- a/application/palemoon/base/content/newtab/newTab.xhtml
+++ b/application/palemoon/components/newtab/newTab.xhtml
diff --git a/application/palemoon/base/content/newtab/page.js b/application/palemoon/components/newtab/page.js
index 7117d45273..7117d45273 100644
--- a/application/palemoon/base/content/newtab/page.js
+++ b/application/palemoon/components/newtab/page.js
diff --git a/application/palemoon/base/content/newtab/search.js b/application/palemoon/components/newtab/search.js
index 8bc959eee7..8bc959eee7 100644
--- a/application/palemoon/base/content/newtab/search.js
+++ b/application/palemoon/components/newtab/search.js
diff --git a/application/palemoon/base/content/newtab/sites.js b/application/palemoon/components/newtab/sites.js
index a368146bb0..a368146bb0 100644
--- a/application/palemoon/base/content/newtab/sites.js
+++ b/application/palemoon/components/newtab/sites.js
diff --git a/application/palemoon/base/content/newtab/transformations.js b/application/palemoon/components/newtab/transformations.js
index f7db0ad84f..f7db0ad84f 100644
--- a/application/palemoon/base/content/newtab/transformations.js
+++ b/application/palemoon/components/newtab/transformations.js
diff --git a/application/palemoon/base/content/newtab/undo.js b/application/palemoon/components/newtab/undo.js
index b856914d2c..b856914d2c 100644
--- a/application/palemoon/base/content/newtab/undo.js
+++ b/application/palemoon/components/newtab/undo.js
diff --git a/application/palemoon/base/content/newtab/updater.js b/application/palemoon/components/newtab/updater.js
index 2bab74d708..2bab74d708 100644
--- a/application/palemoon/base/content/newtab/updater.js
+++ b/application/palemoon/components/newtab/updater.js
diff --git a/application/palemoon/components/nsAboutRedirector.js b/application/palemoon/components/nsAboutRedirector.js
new file mode 100644
index 0000000000..9c7d7953fe
--- /dev/null
+++ b/application/palemoon/components/nsAboutRedirector.js
@@ -0,0 +1,118 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+var Ci = Components.interfaces;
+var Cr = Components.results;
+var Cu = Components.utils;
+
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+Cu.import("resource://gre/modules/Services.jsm");
+
+// See: netwerk/protocol/about/nsIAboutModule.idl
+const URI_SAFE_FOR_UNTRUSTED_CONTENT  = Ci.nsIAboutModule.URI_SAFE_FOR_UNTRUSTED_CONTENT;
+const ALLOW_SCRIPT                    = Ci.nsIAboutModule.ALLOW_SCRIPT;
+const HIDE_FROM_ABOUTABOUT            = Ci.nsIAboutModule.HIDE_FROM_ABOUTABOUT;
+const MAKE_LINKABLE                   = Ci.nsIAboutModule.MAKE_LINKABLE;
+
+function AboutRedirector() {}
+AboutRedirector.prototype = {
+  classDescription: "Browser about: Redirector",
+  classID: Components.ID("{8cc51368-6aa0-43e8-b762-bde9b9fd828c}"),
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIAboutModule]),
+
+  // Each entry in the map has the key as the part after the "about:" and the
+  // value as a record with url and flags entries. Note that each addition here
+  // should be coupled with a corresponding addition in BrowserComponents.manifest.
+  _redirMap: {
+    "certerror": {
+      url: "chrome://browser/content/certerror/aboutCertError.xhtml",
+      flags: (URI_SAFE_FOR_UNTRUSTED_CONTENT | ALLOW_SCRIPT | HIDE_FROM_ABOUTABOUT)
+    },
+    "downloads": {
+      url: "chrome://browser/content/downloads/contentAreaDownloadsView.xul",
+      flags: ALLOW_SCRIPT
+    },
+    "feeds": {
+      url: "chrome://browser/content/feeds/subscribe.xhtml",
+      flags: (URI_SAFE_FOR_UNTRUSTED_CONTENT | ALLOW_SCRIPT | HIDE_FROM_ABOUTABOUT)
+    },
+    "home": {
+      url: "chrome://browser/content/abouthome/aboutHome.xhtml",
+      flags: (URI_SAFE_FOR_UNTRUSTED_CONTENT | MAKE_LINKABLE | ALLOW_SCRIPT)
+    },
+    "newtab": {
+      url: "chrome://browser/content/newtab/newTab.xhtml",
+      flags: ALLOW_SCRIPT
+    },
+    "palemoon": {
+      url: "chrome://browser/content/palemoon.xhtml",
+      flags: (URI_SAFE_FOR_UNTRUSTED_CONTENT | HIDE_FROM_ABOUTABOUT)
+    },
+    "permissions": {
+      url: "chrome://browser/content/permissions/aboutPermissions.xul",
+      flags: ALLOW_SCRIPT
+    },
+    "privatebrowsing": {
+      url: "chrome://browser/content/aboutPrivateBrowsing.xhtml",
+      flags: ALLOW_SCRIPT
+    },
+    "rights": {
+      url: "chrome://global/content/aboutRights.xhtml",
+      flags: (URI_SAFE_FOR_UNTRUSTED_CONTENT | MAKE_LINKABLE | ALLOW_SCRIPT)
+    },
+    "robots": {
+      url: "chrome://browser/content/aboutRobots.xhtml",
+      flags: (URI_SAFE_FOR_UNTRUSTED_CONTENT | ALLOW_SCRIPT | HIDE_FROM_ABOUTABOUT)
+    },
+    "sessionrestore": {
+      url: "chrome://browser/content/aboutSessionRestore.xhtml",
+      flags: ALLOW_SCRIPT
+    },
+#ifdef MOZ_SERVICES_SYNC
+    "sync-progress": {
+      url: "chrome://browser/content/sync/progress.xhtml",
+      flags: ALLOW_SCRIPT
+    },
+    "sync-tabs": {
+      url: "chrome://browser/content/sync/aboutSyncTabs.xul",
+      flags: ALLOW_SCRIPT
+    },
+#endif
+  },
+
+  /**
+   * Gets the module name from the given URI.
+   */
+  _getModuleName: function AboutRedirector__getModuleName(aURI) {
+    // Strip out the first ? or #, and anything following it
+    let name = (/[^?#]+/.exec(aURI.path))[0];
+    return name.toLowerCase();
+  },
+
+  getURIFlags: function(aURI) {
+    let name = this._getModuleName(aURI);
+    if (!(name in this._redirMap))
+      throw Cr.NS_ERROR_ILLEGAL_VALUE;
+    return this._redirMap[name].flags;
+  },
+
+  newChannel: function(aURI, aLoadInfo) {
+    let name = this._getModuleName(aURI);
+    if (!(name in this._redirMap))
+      throw Cr.NS_ERROR_ILLEGAL_VALUE;
+
+    let newURI = Services.io.newURI(this._redirMap[name].url, null, null);
+    let channel = Services.io.newChannelFromURIWithLoadInfo(newURI, aLoadInfo);
+    channel.originalURI = aURI;
+
+    if (this._redirMap[name].flags & Ci.nsIAboutModule.URI_SAFE_FOR_UNTRUSTED_CONTENT) {
+      let principal = Services.scriptSecurityManager.getNoAppCodebasePrincipal(aURI);
+      channel.owner = principal;
+    }
+
+    return channel;
+  }
+};
+
+var NSGetFactory = XPCOMUtils.generateNSGetFactory([AboutRedirector]);
diff --git a/application/palemoon/base/content/pageinfo/feeds.js b/application/palemoon/components/pageinfo/feeds.js
index 468d8c19db..468d8c19db 100644
--- a/application/palemoon/base/content/pageinfo/feeds.js
+++ b/application/palemoon/components/pageinfo/feeds.js
diff --git a/application/palemoon/base/content/pageinfo/feeds.xml b/application/palemoon/components/pageinfo/feeds.xml
index 782c05a73d..782c05a73d 100644
--- a/application/palemoon/base/content/pageinfo/feeds.xml
+++ b/application/palemoon/components/pageinfo/feeds.xml
diff --git a/application/palemoon/components/pageinfo/jar.mn b/application/palemoon/components/pageinfo/jar.mn
new file mode 100644
index 0000000000..229f991682
--- /dev/null
+++ b/application/palemoon/components/pageinfo/jar.mn
@@ -0,0 +1,13 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+browser.jar:
+* content/browser/pageinfo/pageInfo.xul
+  content/browser/pageinfo/pageInfo.js
+  content/browser/pageinfo/pageInfo.css
+  content/browser/pageinfo/pageInfo.xml
+  content/browser/pageinfo/feeds.js
+  content/browser/pageinfo/feeds.xml
+  content/browser/pageinfo/permissions.js
+  content/browser/pageinfo/security.js
\ No newline at end of file
diff --git a/application/palemoon/components/pageinfo/moz.build b/application/palemoon/components/pageinfo/moz.build
new file mode 100644
index 0000000000..2d64d506c1
--- /dev/null
+++ b/application/palemoon/components/pageinfo/moz.build
@@ -0,0 +1,8 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+JAR_MANIFESTS += ['jar.mn']
+
diff --git a/application/palemoon/base/content/pageinfo/pageInfo.css b/application/palemoon/components/pageinfo/pageInfo.css
index 622b56bb57..622b56bb57 100644
--- a/application/palemoon/base/content/pageinfo/pageInfo.css
+++ b/application/palemoon/components/pageinfo/pageInfo.css
diff --git a/application/palemoon/base/content/pageinfo/pageInfo.js b/application/palemoon/components/pageinfo/pageInfo.js
index 600174ad96..600174ad96 100644
--- a/application/palemoon/base/content/pageinfo/pageInfo.js
+++ b/application/palemoon/components/pageinfo/pageInfo.js
diff --git a/application/palemoon/base/content/pageinfo/pageInfo.xml b/application/palemoon/components/pageinfo/pageInfo.xml
index 20d3300467..20d3300467 100644
--- a/application/palemoon/base/content/pageinfo/pageInfo.xml
+++ b/application/palemoon/components/pageinfo/pageInfo.xml
diff --git a/application/palemoon/base/content/pageinfo/pageInfo.xul b/application/palemoon/components/pageinfo/pageInfo.xul
index e3a61d31ee..c7c486ab92 100644
--- a/application/palemoon/base/content/pageinfo/pageInfo.xul
+++ b/application/palemoon/components/pageinfo/pageInfo.xul
@@ -501,7 +501,7 @@
   </deck>
 
 #ifdef XP_MACOSX
-#include ../browserMountPoints.inc
+#include ../../base/content/browserMountPoints.inc
 #endif
 
 </window>
diff --git a/application/palemoon/base/content/pageinfo/permissions.js b/application/palemoon/components/pageinfo/permissions.js
index 4f8382f661..4f8382f661 100644
--- a/application/palemoon/base/content/pageinfo/permissions.js
+++ b/application/palemoon/components/pageinfo/permissions.js
diff --git a/application/palemoon/base/content/pageinfo/security.js b/application/palemoon/components/pageinfo/security.js
index e791ab92a8..e791ab92a8 100644
--- a/application/palemoon/base/content/pageinfo/security.js
+++ b/application/palemoon/components/pageinfo/security.js
diff --git a/application/palemoon/components/permissions/jar.mn b/application/palemoon/components/permissions/jar.mn
index 53fb2b41e6..c788938379 100644
--- a/application/palemoon/components/permissions/jar.mn
+++ b/application/palemoon/components/permissions/jar.mn
@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-    content/browser/permissions/aboutPermissions.xul
-    content/browser/permissions/aboutPermissions.js
-    content/browser/permissions/aboutPermissions.css
-    content/browser/permissions/aboutPermissions.xml
+  content/browser/permissions/aboutPermissions.xul
+  content/browser/permissions/aboutPermissions.js
+  content/browser/permissions/aboutPermissions.css
+  content/browser/permissions/aboutPermissions.xml
diff --git a/application/palemoon/components/permissions/moz.build b/application/palemoon/components/permissions/moz.build
index a4c26de893..3bbe672975 100644
--- a/application/palemoon/components/permissions/moz.build
+++ b/application/palemoon/components/permissions/moz.build
@@ -4,5 +4,4 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-
 JAR_MANIFESTS += ['jar.mn']
diff --git a/application/palemoon/components/places/PlacesUIUtils.jsm b/application/palemoon/components/places/PlacesUIUtils.jsm
index f625356136..05d79241ce 100644
--- a/application/palemoon/components/places/PlacesUIUtils.jsm
+++ b/application/palemoon/components/places/PlacesUIUtils.jsm
@@ -146,14 +146,21 @@ this.PlacesUIUtils = {
    *       annotations are synced from the old one.
    * @see this._copyableAnnotations for the list of copyable annotations.
    */
-  _getFolderCopyTransaction:
-  function PUIU__getFolderCopyTransaction(aData, aContainer, aIndex)
-  {
-    function getChildItemsTransactions(aChildren)
-    {
+  _getFolderCopyTransaction(aData, aContainer, aIndex) {
+    function getChildItemsTransactions(aRoot) {
       let transactions = [];
       let index = aIndex;
-      aChildren.forEach(function (node, i) {
+      for (let i = 0; i < aRoot.childCount; ++i) {
+        let child = aRoot.getChild(i);
+        // Temporary hacks until we switch to PlacesTransactions.jsm.
+        let isLivemark =
+          PlacesUtils.annotations.itemHasAnnotation(child.itemId,
+                                                    PlacesUtils.LMANNO_FEEDURI);
+        let [node] = PlacesUtils.unwrapNodes(
+          PlacesUtils.wrapNode(child, PlacesUtils.TYPE_X_MOZ_PLACE, isLivemark),
+          PlacesUtils.TYPE_X_MOZ_PLACE
+        );
+
         // Make sure that items are given the correct index, this will be
         // passed by the transaction manager to the backend for the insertion.
         // Insertion behaves differently for DEFAULT_INDEX (append).
@@ -184,19 +191,21 @@ this.PlacesUIUtils = {
         else {
           throw new Error("Unexpected item under a bookmarks folder");
         }
-      });
+      }
       return transactions;
     }
 
-    if (aContainer == PlacesUtils.tagsFolderId) { // Copying a tag folder.
+    if (aContainer == PlacesUtils.tagsFolderId) { // Copying into a tag folder.
       let transactions = [];
-      if (aData.children) {
-        aData.children.forEach(function(aChild) {
+      if (!aData.livemark && aData.type == PlacesUtils.TYPE_X_MOZ_PLACE_CONTAINER) {
+        let {root} = PlacesUtils.getFolderContents(aData.id, false, false);
+        let urls = PlacesUtils.getURLsForContainerNode(root);
+        root.containerOpen = false;
+        for (let { uri } of urls) {
           transactions.push(
-            new PlacesTagURITransaction(PlacesUtils._uri(aChild.uri),
-                                        [aData.title])
+            new PlacesTagURITransaction(NetUtil.newURI(uri), [aData.title])
           );
-        });
+        }
       }
       return new PlacesAggregatedTransaction("addTags", transactions);
     }
@@ -205,7 +214,10 @@ this.PlacesUIUtils = {
       return this._getLivemarkCopyTransaction(aData, aContainer, aIndex);
     }
 
-    let transactions = getChildItemsTransactions(aData.children);
+    let {root} = PlacesUtils.getFolderContents(aData.id, false, false);
+    let transactions = getChildItemsTransactions(root);
+    root.containerOpen = false;
+
     if (aData.dateAdded) {
       transactions.push(
         new PlacesEditItemDateAddedTransaction(null, aData.dateAdded)
diff --git a/application/palemoon/components/places/content/bookmarkProperties.js b/application/palemoon/components/places/content/bookmarkProperties.js
index 685ef57d22..e1d1077ab6 100644
--- a/application/palemoon/components/places/content/bookmarkProperties.js
+++ b/application/palemoon/components/places/content/bookmarkProperties.js
@@ -382,6 +382,11 @@ var BookmarkPropertiesPanel = {
             .addEventListener("input", this, false);
       }
     }
+    
+    // Ensure the Name Picker textbox is focused on load
+    var namePickerElem = document.getElementById('editBMPanel_namePicker');
+    namePickerElem.focus();
+    namePickerElem.select();
   }),
 
   // nsIDOMEventListener
diff --git a/application/palemoon/components/places/content/controller.js b/application/palemoon/components/places/content/controller.js
index 7f27e83478..7f5f7f6521 100644
--- a/application/palemoon/components/places/content/controller.js
+++ b/application/palemoon/components/places/content/controller.js
@@ -1287,15 +1287,15 @@ PlacesController.prototype = {
     if (!didSuppressNotifications)
       result.suppressNotifications = true;
 
-    function addData(type, index, overrideURI) {
-      let wrapNode = PlacesUtils.wrapNode(node, type, overrideURI, doCopy);
+    function addData(type, index, feedURI) {
+      let wrapNode = PlacesUtils.wrapNode(node, type, feedURI);
       dt.mozSetDataAt(type, wrapNode, index);
     }
 
-    function addURIData(index, overrideURI) {
-      addData(PlacesUtils.TYPE_X_MOZ_URL, index, overrideURI);
-      addData(PlacesUtils.TYPE_UNICODE, index, overrideURI);
-      addData(PlacesUtils.TYPE_HTML, index, overrideURI);
+    function addURIData(index, feedURI) {
+      addData(PlacesUtils.TYPE_X_MOZ_URL, index, feedURI);
+      addData(PlacesUtils.TYPE_UNICODE, index, feedURI);
+      addData(PlacesUtils.TYPE_HTML, index, feedURI);
     }
 
     try {
@@ -1387,12 +1387,11 @@ PlacesController.prototype = {
         copiedFolders.push(node);
 
       let livemarkInfo = this.getCachedLivemarkInfo(node);
-      let overrideURI = livemarkInfo ? livemarkInfo.feedURI.spec : null;
-      let resolveShortcuts = !PlacesControllerDragHelper.canMoveNode(node);
+      let feedURI = livemarkInfo && livemarkInfo.feedURI.spec;
 
       contents.forEach(function (content) {
         content.entries.push(
-          PlacesUtils.wrapNode(node, content.type, overrideURI, resolveShortcuts)
+          PlacesUtils.wrapNode(node, content.type, feedURI)
         );
       });
     }, this);
diff --git a/application/palemoon/components/places/content/editBookmarkOverlay.js b/application/palemoon/components/places/content/editBookmarkOverlay.js
index e3d4537c7b..69d7d32eb5 100644
--- a/application/palemoon/components/places/content/editBookmarkOverlay.js
+++ b/application/palemoon/components/places/content/editBookmarkOverlay.js
@@ -222,11 +222,6 @@ var gEditItemOverlay = {
     }
 
     let focusElement = () => {
-      let elt = document.querySelector("textbox:not([collapsed=true])");
-      if (elt) {
-        elt.focus();
-        elt.select();
-      }
       this._initialized = true;
     };
 
diff --git a/application/palemoon/components/places/jar.mn b/application/palemoon/components/places/jar.mn
index 44ae61fd3b..41222e156c 100644
--- a/application/palemoon/components/places/jar.mn
+++ b/application/palemoon/components/places/jar.mn
@@ -6,29 +6,29 @@ browser.jar:
 % overlay chrome://browser/content/places/places.xul chrome://browser/content/places/downloadsViewOverlay.xul
 # Provide another URI for the bookmarkProperties dialog so we can persist the
 # attributes separately
-    content/browser/places/bookmarkProperties2.xul       (content/bookmarkProperties.xul)
-*   content/browser/places/places.xul                    (content/places.xul) 
-*   content/browser/places/places.js                     (content/places.js)
-    content/browser/places/places.css                    (content/places.css)
-    content/browser/places/organizer.css                 (content/organizer.css)
-    content/browser/places/bookmarkProperties.xul        (content/bookmarkProperties.xul)
-    content/browser/places/bookmarkProperties.js         (content/bookmarkProperties.js)
-    content/browser/places/placesOverlay.xul             (content/placesOverlay.xul)
-*   content/browser/places/menu.xml                      (content/menu.xml)
-    content/browser/places/tree.xml                      (content/tree.xml)
-    content/browser/places/controller.js                 (content/controller.js)
-    content/browser/places/treeView.js                   (content/treeView.js)
-*   content/browser/places/browserPlacesViews.js         (content/browserPlacesViews.js)
+  content/browser/places/bookmarkProperties2.xul       (content/bookmarkProperties.xul)
+* content/browser/places/places.xul                    (content/places.xul) 
+* content/browser/places/places.js                     (content/places.js)
+  content/browser/places/places.css                    (content/places.css)
+  content/browser/places/organizer.css                 (content/organizer.css)
+  content/browser/places/bookmarkProperties.xul        (content/bookmarkProperties.xul)
+  content/browser/places/bookmarkProperties.js         (content/bookmarkProperties.js)
+  content/browser/places/placesOverlay.xul             (content/placesOverlay.xul)
+* content/browser/places/menu.xml                      (content/menu.xml)
+  content/browser/places/tree.xml                      (content/tree.xml)
+  content/browser/places/controller.js                 (content/controller.js)
+  content/browser/places/treeView.js                   (content/treeView.js)
+* content/browser/places/browserPlacesViews.js         (content/browserPlacesViews.js)
 # keep the Places version of the history sidebar at history/history-panel.xul 
 # to prevent having to worry about between versions of the browser
-*   content/browser/history/history-panel.xul            (content/history-panel.xul) 
-    content/browser/places/history-panel.js              (content/history-panel.js)
+* content/browser/history/history-panel.xul            (content/history-panel.xul) 
+  content/browser/places/history-panel.js              (content/history-panel.js)
 # ditto for the bookmarks sidebar
-    content/browser/bookmarks/bookmarksPanel.xul         (content/bookmarksPanel.xul)
-    content/browser/bookmarks/bookmarksPanel.js          (content/bookmarksPanel.js)
-*   content/browser/bookmarks/sidebarUtils.js            (content/sidebarUtils.js)
-    content/browser/places/moveBookmarks.xul             (content/moveBookmarks.xul)
-    content/browser/places/moveBookmarks.js              (content/moveBookmarks.js)
-    content/browser/places/editBookmarkOverlay.xul       (content/editBookmarkOverlay.xul)
-    content/browser/places/editBookmarkOverlay.js        (content/editBookmarkOverlay.js)
-*   content/browser/places/downloadsViewOverlay.xul      (content/downloadsViewOverlay.xul)
+  content/browser/bookmarks/bookmarksPanel.xul         (content/bookmarksPanel.xul)
+  content/browser/bookmarks/bookmarksPanel.js          (content/bookmarksPanel.js)
+* content/browser/bookmarks/sidebarUtils.js            (content/sidebarUtils.js)
+  content/browser/places/moveBookmarks.xul             (content/moveBookmarks.xul)
+  content/browser/places/moveBookmarks.js              (content/moveBookmarks.js)
+  content/browser/places/editBookmarkOverlay.xul       (content/editBookmarkOverlay.xul)
+  content/browser/places/editBookmarkOverlay.js        (content/editBookmarkOverlay.js)
+* content/browser/places/downloadsViewOverlay.xul      (content/downloadsViewOverlay.xul)
diff --git a/application/palemoon/components/places/moz.build b/application/palemoon/components/places/moz.build
index 2e35e19514..f8b0d125d9 100644
--- a/application/palemoon/components/places/moz.build
+++ b/application/palemoon/components/places/moz.build
@@ -7,4 +7,3 @@
 JAR_MANIFESTS += ['jar.mn']
 
 EXTRA_JS_MODULES += [ 'PlacesUIUtils.jsm' ]
-
diff --git a/application/palemoon/components/preferences/jar.mn b/application/palemoon/components/preferences/jar.mn
index 47909ddc9d..6e143dea39 100644
--- a/application/palemoon/components/preferences/jar.mn
+++ b/application/palemoon/components/preferences/jar.mn
@@ -3,42 +3,42 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-*   content/browser/preferences/advanced.xul
-*   content/browser/preferences/advanced.js
-    content/browser/preferences/applications.xul
-*   content/browser/preferences/applications.js
-    content/browser/preferences/applicationManager.xul
-*   content/browser/preferences/applicationManager.js
-*   content/browser/preferences/colors.xul
-*   content/browser/preferences/cookies.xul
-*   content/browser/preferences/cookies.js
-    content/browser/preferences/content.xul
-    content/browser/preferences/content.js
-*   content/browser/preferences/connection.xul
-    content/browser/preferences/connection.js
-*   content/browser/preferences/fonts.xul
-    content/browser/preferences/fonts.js
-    content/browser/preferences/handlers.xml
-    content/browser/preferences/handlers.css
-*   content/browser/preferences/languages.xul
-    content/browser/preferences/languages.js
-*   content/browser/preferences/main.xul
-    content/browser/preferences/main.js
-    content/browser/preferences/newtaburl.js
-    content/browser/preferences/permissions.xul
-*   content/browser/preferences/permissions.js
-*   content/browser/preferences/preferences.xul
-    content/browser/preferences/privacy.xul
-    content/browser/preferences/privacy.js
-    content/browser/preferences/sanitize.xul
-    content/browser/preferences/sanitize.js
-    content/browser/preferences/security.xul
-    content/browser/preferences/security.js
-    content/browser/preferences/selectBookmark.xul
-    content/browser/preferences/selectBookmark.js
+* content/browser/preferences/advanced.xul
+* content/browser/preferences/advanced.js
+  content/browser/preferences/applications.xul
+* content/browser/preferences/applications.js
+  content/browser/preferences/applicationManager.xul
+* content/browser/preferences/applicationManager.js
+* content/browser/preferences/colors.xul
+* content/browser/preferences/cookies.xul
+* content/browser/preferences/cookies.js
+  content/browser/preferences/content.xul
+  content/browser/preferences/content.js
+* content/browser/preferences/connection.xul
+  content/browser/preferences/connection.js
+* content/browser/preferences/fonts.xul
+  content/browser/preferences/fonts.js
+  content/browser/preferences/handlers.xml
+  content/browser/preferences/handlers.css
+* content/browser/preferences/languages.xul
+  content/browser/preferences/languages.js
+* content/browser/preferences/main.xul
+  content/browser/preferences/main.js
+  content/browser/preferences/newtaburl.js
+  content/browser/preferences/permissions.xul
+* content/browser/preferences/permissions.js
+* content/browser/preferences/preferences.xul
+  content/browser/preferences/privacy.xul
+  content/browser/preferences/privacy.js
+  content/browser/preferences/sanitize.xul
+  content/browser/preferences/sanitize.js
+  content/browser/preferences/security.xul
+  content/browser/preferences/security.js
+  content/browser/preferences/selectBookmark.xul
+  content/browser/preferences/selectBookmark.js
 #ifdef MOZ_SERVICES_SYNC
-    content/browser/preferences/sync.xul
-    content/browser/preferences/sync.js
+  content/browser/preferences/sync.xul
+  content/browser/preferences/sync.js
 #endif
-*   content/browser/preferences/tabs.xul
-*   content/browser/preferences/tabs.js
+* content/browser/preferences/tabs.xul
+* content/browser/preferences/tabs.js
diff --git a/application/palemoon/components/privatebrowsing/jar.mn b/application/palemoon/components/privatebrowsing/jar.mn
index a01b7f0d3e..75e985c139 100644
--- a/application/palemoon/components/privatebrowsing/jar.mn
+++ b/application/palemoon/components/privatebrowsing/jar.mn
@@ -3,4 +3,4 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-*   content/browser/aboutPrivateBrowsing.xhtml            (content/aboutPrivateBrowsing.xhtml) 
+* content/browser/aboutPrivateBrowsing.xhtml      (content/aboutPrivateBrowsing.xhtml) 
diff --git a/application/palemoon/components/search/jar.mn b/application/palemoon/components/search/jar.mn
index 88a33a98c0..e6c42f97d5 100644
--- a/application/palemoon/components/search/jar.mn
+++ b/application/palemoon/components/search/jar.mn
@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-*       content/browser/search/search.xml                           (content/search.xml)
-        content/browser/search/searchbarBindings.css                (content/searchbarBindings.css)
-        content/browser/search/engineManager.xul                    (content/engineManager.xul)
-        content/browser/search/engineManager.js                     (content/engineManager.js)
+* content/browser/search/search.xml                 (content/search.xml)
+  content/browser/search/searchbarBindings.css      (content/searchbarBindings.css)
+  content/browser/search/engineManager.xul          (content/engineManager.xul)
+  content/browser/search/engineManager.js           (content/engineManager.js)
diff --git a/application/palemoon/components/search/moz.build b/application/palemoon/components/search/moz.build
index 35f6d454ac..c97072bba2 100644
--- a/application/palemoon/components/search/moz.build
+++ b/application/palemoon/components/search/moz.build
@@ -4,5 +4,4 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-
 JAR_MANIFESTS += ['jar.mn']
\ No newline at end of file
diff --git a/application/palemoon/components/sessionstore/jar.mn b/application/palemoon/components/sessionstore/jar.mn
index 529692e7eb..825b00fbbb 100644
--- a/application/palemoon/components/sessionstore/jar.mn
+++ b/application/palemoon/components/sessionstore/jar.mn
@@ -3,6 +3,6 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-*   content/browser/aboutSessionRestore.xhtml             (content/aboutSessionRestore.xhtml)
-*   content/browser/aboutSessionRestore.js                (content/aboutSessionRestore.js)
-    content/browser/content-sessionStore.js               (content/content-sessionStore.js)
+* content/browser/aboutSessionRestore.xhtml             (content/aboutSessionRestore.xhtml)
+* content/browser/aboutSessionRestore.js                (content/aboutSessionRestore.js)
+  content/browser/content-sessionStore.js               (content/content-sessionStore.js)
diff --git a/application/palemoon/components/sessionstore/moz.build b/application/palemoon/components/sessionstore/moz.build
index 8b38aeba5f..84278dafa0 100644
--- a/application/palemoon/components/sessionstore/moz.build
+++ b/application/palemoon/components/sessionstore/moz.build
@@ -26,6 +26,4 @@ EXTRA_JS_MODULES.sessionstore = [
     'XPathGenerator.jsm',
 ]
 
-EXTRA_PP_JS_MODULES.sessionstore += [
-    'SessionStore.jsm',
-]
\ No newline at end of file
+EXTRA_PP_JS_MODULES.sessionstore += ['SessionStore.jsm']
\ No newline at end of file
diff --git a/application/palemoon/components/shell/jar.mn b/application/palemoon/components/shell/jar.mn
index 1f33b5d56c..0864e1b306 100644
--- a/application/palemoon/components/shell/jar.mn
+++ b/application/palemoon/components/shell/jar.mn
@@ -3,5 +3,5 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-*       content/browser/setDesktopBackground.xul              (content/setDesktopBackground.xul)
-        content/browser/setDesktopBackground.js               (content/setDesktopBackground.js)
+* content/browser/setDesktopBackground.xul      (content/setDesktopBackground.xul)
+  content/browser/setDesktopBackground.js       (content/setDesktopBackground.js)
diff --git a/application/palemoon/components/shell/moz.build b/application/palemoon/components/shell/moz.build
index 94ec885714..16bffd7d9d 100644
--- a/application/palemoon/components/shell/moz.build
+++ b/application/palemoon/components/shell/moz.build
@@ -6,37 +6,23 @@
 
 JAR_MANIFESTS += ['jar.mn']
 
-XPIDL_SOURCES += [
-    'nsIShellService.idl',
-]
+XPIDL_SOURCES += ['nsIShellService.idl']
 
 if CONFIG['OS_ARCH'] == 'WINNT':
-    XPIDL_SOURCES += [
-        'nsIWindowsShellService.idl',
-    ]
+    XPIDL_SOURCES += ['nsIWindowsShellService.idl']
 elif CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa':
-    XPIDL_SOURCES += [
-        'nsIMacShellService.idl',
-    ]
+    XPIDL_SOURCES += ['nsIMacShellService.idl']
 elif 'gtk' in CONFIG['MOZ_WIDGET_TOOLKIT']:
-    XPIDL_SOURCES += [
-        'nsIGNOMEShellService.idl',
-    ]
+    XPIDL_SOURCES += ['nsIGNOMEShellService.idl']
 
 XPIDL_MODULE = 'shellservice'
 
 if CONFIG['OS_ARCH'] == 'WINNT':
-    SOURCES += [
-        'nsWindowsShellService.cpp',
-    ]
+    SOURCES += ['nsWindowsShellService.cpp']
 elif CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa':
-    SOURCES += [
-        'nsMacShellService.cpp',
-    ]
+    SOURCES += ['nsMacShellService.cpp']
 elif 'gtk' in CONFIG['MOZ_WIDGET_TOOLKIT']:
-    SOURCES += [
-        'nsGNOMEShellService.cpp',
-    ]
+    SOURCES += ['nsGNOMEShellService.cpp']
 
 if SOURCES:
     FINAL_LIBRARY = 'browsercomps'
@@ -46,9 +32,7 @@ EXTRA_COMPONENTS += [
     'nsSetDefaultBrowser.manifest',
 ]
 
-EXTRA_JS_MODULES += [
-    'ShellService.jsm',
-]
+EXTRA_JS_MODULES += ['ShellService.jsm']
 
 for var in ('MOZ_APP_NAME', 'MOZ_APP_VERSION'):
     DEFINES[var] = '"%s"' % CONFIG[var]
diff --git a/application/palemoon/components/statusbar/jar.mn b/application/palemoon/components/statusbar/jar.mn
index db7f278c71..b5a8d09b28 100644
--- a/application/palemoon/components/statusbar/jar.mn
+++ b/application/palemoon/components/statusbar/jar.mn
@@ -3,13 +3,13 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 browser.jar:
-% overlay chrome://browser/content/browser.xul                  chrome://browser/content/statusbar/overlay.xul
-% style chrome://global/content/customizeToolbar.xul            chrome://browser/skin/statusbar/overlay.css
-        content/browser/statusbar/overlay.js                    (content/overlay.js)
-        content/browser/statusbar/prefs.js                      (content/prefs.js)
-        content/browser/statusbar/prefs.xml                     (content/prefs.xml)
-        content/browser/statusbar/tabbrowser.xml                (content/tabbrowser.xml)
-        content/browser/statusbar/overlay.xul                   (content/overlay.xul)
-        content/browser/statusbar/prefs.xul                     (content/prefs.xul)
-        content/browser/statusbar/overlay.css                   (content/overlay.css)
-        content/browser/statusbar/prefs.css                     (content/prefs.css)
\ No newline at end of file
+% overlay chrome://browser/content/browser.xul chrome://browser/content/statusbar/overlay.xul
+% style chrome://global/content/customizeToolbar.xul chrome://browser/skin/statusbar/overlay.css
+  content/browser/statusbar/overlay.js          (content/overlay.js)
+  content/browser/statusbar/prefs.js            (content/prefs.js)
+  content/browser/statusbar/prefs.xml           (content/prefs.xml)
+  content/browser/statusbar/tabbrowser.xml      (content/tabbrowser.xml)
+  content/browser/statusbar/overlay.xul         (content/overlay.xul)
+  content/browser/statusbar/prefs.xul           (content/prefs.xul)
+  content/browser/statusbar/overlay.css         (content/overlay.css)
+  content/browser/statusbar/prefs.css           (content/prefs.css)
\ No newline at end of file
diff --git a/application/palemoon/base/content/sync/aboutSyncTabs-bindings.xml b/application/palemoon/components/sync/aboutSyncTabs-bindings.xml
index e6108209a4..e6108209a4 100644
--- a/application/palemoon/base/content/sync/aboutSyncTabs-bindings.xml
+++ b/application/palemoon/components/sync/aboutSyncTabs-bindings.xml
diff --git a/application/palemoon/base/content/sync/aboutSyncTabs.css b/application/palemoon/components/sync/aboutSyncTabs.css
index 5a353175b1..5a353175b1 100644
--- a/application/palemoon/base/content/sync/aboutSyncTabs.css
+++ b/application/palemoon/components/sync/aboutSyncTabs.css
diff --git a/application/palemoon/base/content/sync/aboutSyncTabs.js b/application/palemoon/components/sync/aboutSyncTabs.js
index 410494b5bd..410494b5bd 100644
--- a/application/palemoon/base/content/sync/aboutSyncTabs.js
+++ b/application/palemoon/components/sync/aboutSyncTabs.js
diff --git a/application/palemoon/base/content/sync/aboutSyncTabs.xul b/application/palemoon/components/sync/aboutSyncTabs.xul
index a4aa0032f1..a4aa0032f1 100644
--- a/application/palemoon/base/content/sync/aboutSyncTabs.xul
+++ b/application/palemoon/components/sync/aboutSyncTabs.xul
diff --git a/application/palemoon/base/content/sync/addDevice.js b/application/palemoon/components/sync/addDevice.js
index 0390d43970..0390d43970 100644
--- a/application/palemoon/base/content/sync/addDevice.js
+++ b/application/palemoon/components/sync/addDevice.js
diff --git a/application/palemoon/base/content/sync/addDevice.xul b/application/palemoon/components/sync/addDevice.xul
index f2371aad0d..f2371aad0d 100644
--- a/application/palemoon/base/content/sync/addDevice.xul
+++ b/application/palemoon/components/sync/addDevice.xul
diff --git a/application/palemoon/base/content/sync/genericChange.js b/application/palemoon/components/sync/genericChange.js
index df66391789..df66391789 100644
--- a/application/palemoon/base/content/sync/genericChange.js
+++ b/application/palemoon/components/sync/genericChange.js
diff --git a/application/palemoon/base/content/sync/genericChange.xul b/application/palemoon/components/sync/genericChange.xul
index 3c0b2cd6c2..3c0b2cd6c2 100644
--- a/application/palemoon/base/content/sync/genericChange.xul
+++ b/application/palemoon/components/sync/genericChange.xul
diff --git a/application/palemoon/components/sync/jar.mn b/application/palemoon/components/sync/jar.mn
new file mode 100644
index 0000000000..3782038cd3
--- /dev/null
+++ b/application/palemoon/components/sync/jar.mn
@@ -0,0 +1,22 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+browser.jar:
+  content/browser/sync/aboutSyncTabs.xul
+  content/browser/sync/aboutSyncTabs.js
+  content/browser/sync/aboutSyncTabs.css
+  content/browser/sync/aboutSyncTabs-bindings.xml
+  content/browser/sync/setup.xul
+  content/browser/sync/addDevice.js
+  content/browser/sync/addDevice.xul
+  content/browser/sync/setup.js
+  content/browser/sync/genericChange.xul
+  content/browser/sync/genericChange.js
+  content/browser/sync/key.xhtml
+  content/browser/sync/notification.xml
+  content/browser/sync/quota.xul
+  content/browser/sync/quota.js
+  content/browser/sync/utils.js
+  content/browser/sync/progress.js
+  content/browser/sync/progress.xhtml
\ No newline at end of file
diff --git a/application/palemoon/base/content/sync/key.xhtml b/application/palemoon/components/sync/key.xhtml
index 92abf0ee64..92abf0ee64 100644
--- a/application/palemoon/base/content/sync/key.xhtml
+++ b/application/palemoon/components/sync/key.xhtml
diff --git a/application/palemoon/components/sync/moz.build b/application/palemoon/components/sync/moz.build
new file mode 100644
index 0000000000..2d64d506c1
--- /dev/null
+++ b/application/palemoon/components/sync/moz.build
@@ -0,0 +1,8 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+JAR_MANIFESTS += ['jar.mn']
+
diff --git a/application/palemoon/base/content/sync/notification.xml b/application/palemoon/components/sync/notification.xml
index 7a2b773821..8ac881e080 100644
--- a/application/palemoon/base/content/sync/notification.xml
+++ b/application/palemoon/components/sync/notification.xml
@@ -88,7 +88,7 @@
                            tooltiptext="&closeNotification.tooltip;"
                            oncommand="document.getBindingParent(this).close()"/>
         <xul:hbox anonid="details" align="center" flex="1">
-          <xul:image anonid="messageImage" class="messageImage" xbl:inherits="src=image"/>
+          <xul:image anonid="messageImage" class="messageImage" xbl:inherits="src=image,type"/>
           <xul:description anonid="messageText" class="messageText" xbl:inherits="xbl:text=label"/>
 
           <!-- The children are the buttons defined by the notification. -->
diff --git a/application/palemoon/base/content/sync/progress.js b/application/palemoon/components/sync/progress.js
index 101160fa87..101160fa87 100644
--- a/application/palemoon/base/content/sync/progress.js
+++ b/application/palemoon/components/sync/progress.js
diff --git a/application/palemoon/base/content/sync/progress.xhtml b/application/palemoon/components/sync/progress.xhtml
index d403cb20d8..d403cb20d8 100644
--- a/application/palemoon/base/content/sync/progress.xhtml
+++ b/application/palemoon/components/sync/progress.xhtml
diff --git a/application/palemoon/components/sync/quota.js b/application/palemoon/components/sync/quota.js
new file mode 100644
index 0000000000..b416a44cc2
--- /dev/null
+++ b/application/palemoon/components/sync/quota.js
@@ -0,0 +1,247 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const Ci = Components.interfaces;
+const Cc = Components.classes;
+const Cr = Components.results;
+const Cu = Components.utils;
+
+Cu.import("resource://services-sync/main.js");
+Cu.import("resource://gre/modules/DownloadUtils.jsm");
+
+var gSyncQuota = {
+
+  init: function init() {
+    this.bundle = document.getElementById("quotaStrings");
+    let caption = document.getElementById("treeCaption");
+    caption.firstChild.nodeValue = this.bundle.getString("quota.treeCaption.label");
+
+    gUsageTreeView.init();
+    this.tree = document.getElementById("usageTree");
+    this.tree.view = gUsageTreeView;
+
+    this.loadData();
+  },
+
+  loadData: function loadData() {
+    this._usage_req = Weave.Service.getStorageInfo(Weave.INFO_COLLECTION_USAGE,
+                                                   function (error, usage) {
+      delete gSyncQuota._usage_req;
+      // displayUsageData handles null values, so no need to check 'error'.
+      gUsageTreeView.displayUsageData(usage);
+    });
+
+    let usageLabel = document.getElementById("usageLabel");
+    let bundle = this.bundle;
+
+    this._quota_req = Weave.Service.getStorageInfo(Weave.INFO_QUOTA,
+                                                   function (error, quota) {
+      delete gSyncQuota._quota_req;
+
+      if (error) {
+        usageLabel.value = bundle.getString("quota.usageError.label");
+        return;
+      }
+      let used = gSyncQuota.convertKB(quota[0]);
+      if (!quota[1]) {
+        // No quota on the server.
+        usageLabel.value = bundle.getFormattedString(
+          "quota.usageNoQuota.label", used);
+        return;
+      }
+      let percent = Math.round(100 * quota[0] / quota[1]);
+      let total = gSyncQuota.convertKB(quota[1]);
+      usageLabel.value = bundle.getFormattedString(
+        "quota.usagePercentage.label", [percent].concat(used).concat(total));
+    });
+  },
+
+  onCancel: function onCancel() {
+    if (this._usage_req) {
+      this._usage_req.abort();
+    }
+    if (this._quota_req) {
+      this._quota_req.abort();
+    }
+    return true;
+  },
+
+  onAccept: function onAccept() {
+    let engines = gUsageTreeView.getEnginesToDisable();
+    for each (let engine in engines) {
+      Weave.Service.engineManager.get(engine).enabled = false;
+    }
+    if (engines.length) {
+      // The 'Weave' object will disappear once the window closes.
+      let Service = Weave.Service;
+      Weave.Utils.nextTick(function() { Service.sync(); });
+    }
+    return this.onCancel();
+  },
+
+  convertKB: function convertKB(value) {
+    return DownloadUtils.convertByteUnits(value * 1024);
+  }
+
+};
+
+var gUsageTreeView = {
+
+  _ignored: {keys: true,
+             meta: true,
+             clients: true},
+
+  /*
+   * Internal data structures underlaying the tree.
+   */
+  _collections: [],
+  _byname: {},
+
+  init: function init() {
+    let retrievingLabel = gSyncQuota.bundle.getString("quota.retrieving.label");
+    for each (let engine in Weave.Service.engineManager.getEnabled()) {
+      if (this._ignored[engine.name])
+        continue;
+
+      // Some engines use the same pref, which means they can only be turned on
+      // and off together. We need to combine them here as well.
+      let existing = this._byname[engine.prefName];
+      if (existing) {
+        existing.engines.push(engine.name);
+        continue;
+      }
+
+      let obj = {name: engine.prefName,
+                 title: this._collectionTitle(engine),
+                 engines: [engine.name],
+                 enabled: true,
+                 sizeLabel: retrievingLabel};
+      this._collections.push(obj);
+      this._byname[engine.prefName] = obj;
+    }
+  },
+
+  _collectionTitle: function _collectionTitle(engine) {
+    try {
+      return gSyncQuota.bundle.getString(
+        "collection." + engine.prefName + ".label");
+    } catch (ex) {
+      return engine.Name;
+    }
+  },
+
+  /*
+   * Process the quota information as returned by info/collection_usage.
+   */
+  displayUsageData: function displayUsageData(data) {
+    for each (let coll in this._collections) {
+      coll.size = 0;
+      // If we couldn't retrieve any data, just blank out the label.
+      if (!data) {
+        coll.sizeLabel = "";
+        continue;
+      }
+
+      for each (let engineName in coll.engines)
+        coll.size += data[engineName] || 0;
+      let sizeLabel = "";
+      sizeLabel = gSyncQuota.bundle.getFormattedString(
+        "quota.sizeValueUnit.label", gSyncQuota.convertKB(coll.size));
+      coll.sizeLabel = sizeLabel;
+    }
+    let sizeColumn = this.treeBox.columns.getNamedColumn("size");
+    this.treeBox.invalidateColumn(sizeColumn);
+  },
+
+  /*
+   * Handle click events on the tree.
+   */
+  onTreeClick: function onTreeClick(event) {
+    if (event.button == 2)
+      return;
+
+    let cell = this.treeBox.getCellAt(event.clientX, event.clientY);
+    if (cell.col && cell.col.id == "enabled")
+      this.toggle(cell.row);
+  },
+
+  /*
+   * Toggle enabled state of an engine.
+   */
+  toggle: function toggle(row) {
+    // Update the tree
+    let collection = this._collections[row];
+    collection.enabled = !collection.enabled;
+    this.treeBox.invalidateRow(row);
+  },
+
+  /*
+   * Return a list of engines (or rather their pref names) that should be
+   * disabled.
+   */
+  getEnginesToDisable: function getEnginesToDisable() {
+    // Tycho: return [coll.name for each (coll in this._collections) if (!coll.enabled)];
+    let engines = [];
+    for each (let coll in this._collections) {
+      if (!coll.enabled) {
+        engines.push(coll.name);
+      }
+    }
+    return engines;
+  },
+
+  // nsITreeView
+
+  get rowCount() {
+    return this._collections.length;
+  },
+
+  getRowProperties: function(index) { return ""; },
+  getCellProperties: function(row, col) { return ""; },
+  getColumnProperties: function(col) { return ""; },
+  isContainer: function(index) { return false; },
+  isContainerOpen: function(index) { return false; },
+  isContainerEmpty: function(index) { return false; },
+  isSeparator: function(index) { return false; },
+  isSorted: function() { return false; },
+  canDrop: function(index, orientation, dataTransfer) { return false; },
+  drop: function(row, orientation, dataTransfer) {},
+  getParentIndex: function(rowIndex) {},
+  hasNextSibling: function(rowIndex, afterIndex) { return false; },
+  getLevel: function(index) { return 0; },
+  getImageSrc: function(row, col) {},
+
+  getCellValue: function(row, col) {
+    return this._collections[row].enabled;
+  },
+
+  getCellText: function getCellText(row, col) {
+    let collection = this._collections[row];
+    switch (col.id) {
+      case "collection":
+        return collection.title;
+      case "size":
+        return collection.sizeLabel;
+      default:
+        return "";
+    }
+  },
+
+  setTree: function setTree(tree) {
+    this.treeBox = tree;
+  },
+
+  toggleOpenState: function(index) {},
+  cycleHeader: function(col) {},
+  selectionChanged: function() {},
+  cycleCell: function(row, col) {},
+  isEditable: function(row, col) { return false; },
+  isSelectable: function (row, col) { return false; },
+  setCellValue: function(row, col, value) {},
+  setCellText: function(row, col, value) {},
+  performAction: function(action) {},
+  performActionOnRow: function(action, row) {},
+  performActionOnCell: function(action, row, col) {}
+
+};
diff --git a/application/palemoon/components/sync/quota.xul b/application/palemoon/components/sync/quota.xul
new file mode 100644
index 0000000000..99e6ed78b7
--- /dev/null
+++ b/application/palemoon/components/sync/quota.xul
@@ -0,0 +1,65 @@
+<?xml version="1.0"?>
+
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
+<?xml-stylesheet href="chrome://browser/skin/syncQuota.css"?>
+
+<!DOCTYPE dialog [
+<!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd">
+<!ENTITY % syncBrandDTD SYSTEM "chrome://browser/locale/syncBrand.dtd">
+<!ENTITY % syncQuotaDTD SYSTEM "chrome://browser/locale/syncQuota.dtd">
+%brandDTD;
+%syncBrandDTD;
+%syncQuotaDTD;
+]>
+<dialog id="quotaDialog"
+        windowtype="Sync:ViewQuota"
+        persist="screenX screenY width height"
+        xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+        xmlns:html="http://www.w3.org/1999/xhtml"
+        onload="gSyncQuota.init()"
+        buttons="accept,cancel"
+        title="&quota.dialogTitle.label;"
+        ondialogcancel="return gSyncQuota.onCancel();"
+        ondialogaccept="return gSyncQuota.onAccept();">
+
+  <script type="application/javascript"
+          src="chrome://browser/content/sync/quota.js"/>
+
+  <stringbundleset id="stringbundleset">
+    <stringbundle id="quotaStrings"
+                  src="chrome://browser/locale/syncQuota.properties"/>
+  </stringbundleset>
+
+  <vbox flex="1">
+    <label id="usageLabel"
+           value="&quota.retrievingInfo.label;"/>
+    <separator/>
+    <tree id="usageTree"
+          seltype="single"
+          hidecolumnpicker="true"
+          onclick="gUsageTreeView.onTreeClick(event);"
+          flex="1">
+      <treecols>
+        <treecol id="enabled"
+                 type="checkbox"
+                 fixed="true"/>
+        <splitter class="tree-splitter"/>
+        <treecol id="collection"
+                 label="&quota.typeColumn.label;"
+                 flex="1"/>
+        <splitter class="tree-splitter"/>
+        <treecol id="size"
+                 label="&quota.sizeColumn.label;"
+                 flex="1"/>
+      </treecols>
+      <treechildren flex="1"/>
+    </tree>
+    <separator/>
+    <description id="treeCaption"> </description>
+  </vbox>
+
+</dialog>
diff --git a/application/palemoon/base/content/sync/setup.js b/application/palemoon/components/sync/setup.js
index e8d67a5f6d..e8d67a5f6d 100644
--- a/application/palemoon/base/content/sync/setup.js
+++ b/application/palemoon/components/sync/setup.js
diff --git a/application/palemoon/base/content/sync/setup.xul b/application/palemoon/components/sync/setup.xul
index cf2cc77e40..cf2cc77e40 100644
--- a/application/palemoon/base/content/sync/setup.xul
+++ b/application/palemoon/components/sync/setup.xul
diff --git a/application/palemoon/base/content/sync/utils.js b/application/palemoon/components/sync/utils.js
index d41ecf18a3..d41ecf18a3 100644
--- a/application/palemoon/base/content/sync/utils.js
+++ b/application/palemoon/components/sync/utils.js
diff --git a/application/palemoon/config/version.txt b/application/palemoon/config/version.txt
index f35c734b3f..4efefb3160 100644
--- a/application/palemoon/config/version.txt
+++ b/application/palemoon/config/version.txt
@@ -1 +1 @@
-28.2.0a1
\ No newline at end of file
+28.3.0a1
\ No newline at end of file
diff --git a/application/palemoon/configure.in b/application/palemoon/configure.in
index 0dbb0d8bc1..96f63781e2 100644
--- a/application/palemoon/configure.in
+++ b/application/palemoon/configure.in
@@ -27,3 +27,16 @@ if test -n "$MOZ_BROWSER_STATUSBAR"; then
 fi
 
 AC_SUBST(MOZ_BROWSER_STATUSBAR)
+
+dnl ========================================================
+dnl = Disable Sync
+dnl ========================================================
+MOZ_ARG_DISABLE_BOOL(sync,
+[  --disable-sync           Disable Sync],
+    MOZ_SERVICES_SYNC=,
+    MOZ_SERVICES_SYNC=1)
+
+if test -z "$MOZ_SERVICES_SYNC"; then
+    MOZ_SERVICES_CLOUDSYNC=
+fi
+
diff --git a/application/palemoon/confvars.sh b/application/palemoon/confvars.sh
index 8305237780..26b02fc854 100644
--- a/application/palemoon/confvars.sh
+++ b/application/palemoon/confvars.sh
@@ -53,9 +53,9 @@ MOZ_PROFILE_MIGRATOR=
 # MAR_CHANNEL_ID must not contained the follow 3 characters: ",\t"
 # ACCEPTED_MAR_CHANNEL_IDS should usually be the same as MAR_CHANNEL_ID
 # If more than one ID is needed, then you should use a comma seperated list.
-MOZ_UPDATER=1
-MAR_CHANNEL_ID=palemoon-release
-ACCEPTED_MAR_CHANNEL_IDS=palemoon-release
+MOZ_UPDATER=
+MAR_CHANNEL_ID=unofficial
+ACCEPTED_MAR_CHANNEL_IDS=unofficial,unstable,release
 
 # Platform Feature: Developer Tools
 # XXX: Devtools are disabled until they can be made to work with Pale Moon
diff --git a/application/palemoon/fonts/moz.build b/application/palemoon/fonts/moz.build
index 02c027c462..8840a87f89 100644
--- a/application/palemoon/fonts/moz.build
+++ b/application/palemoon/fonts/moz.build
@@ -6,6 +6,4 @@
 
 if CONFIG['OS_ARCH'] in ('WINNT', 'Linux'):
     DIST_SUBDIR = ''
-    FINAL_TARGET_FILES.fonts += [
-        'TwemojiMozilla.ttf'
-    ]
+    FINAL_TARGET_FILES.fonts += ['TwemojiMozilla.ttf']
diff --git a/application/palemoon/installer/package-manifest.in b/application/palemoon/installer/package-manifest.in
index e63af40136..a218a34874 100644
--- a/application/palemoon/installer/package-manifest.in
+++ b/application/palemoon/installer/package-manifest.in
@@ -141,13 +141,6 @@
 @RESPATH@/run-mozilla.sh
 #endif
 #endif
-#ifdef XP_WIN
-#ifdef _AMD64_
-@BINPATH@/@DLL_PREFIX@qipcap64@DLL_SUFFIX@
-#else
-@BINPATH@/@DLL_PREFIX@qipcap@DLL_SUFFIX@
-#endif
-#endif
 
 ; [Components]
 @RESPATH@/components/*
@@ -248,8 +241,10 @@
 ; gre location for now.
 @RESPATH@/defaults/pref/channel-prefs.js
 
+#ifdef MOZ_SERVICES_SYNC
 ; Services (gre) prefs
 @RESPATH@/defaults/pref/services-sync.js
+#endif
 
 ; [Layout Engine Resources]
 ; Style Sheets, Graphics and other Resources used by the layout engine.
diff --git a/application/palemoon/locales/Makefile.in b/application/palemoon/locales/Makefile.in
index c81329a9a4..38a867658b 100644
--- a/application/palemoon/locales/Makefile.in
+++ b/application/palemoon/locales/Makefile.in
@@ -121,7 +121,9 @@ searchplugins: $(addprefix $(FINAL_TARGET)/searchplugins/,$(SEARCHPLUGINS))
 libs-%:
 	$(NSINSTALL) -D $(DIST)/install
 	@$(MAKE) -C ../../../toolkit/locales libs-$*
+ifdef MOZ_SERVICES_SYNC
 	@$(MAKE) -C ../../../services/sync/locales AB_CD=$* XPI_NAME=locale-$*
+endif
 	@$(MAKE) -C ../../../extensions/spellcheck/locales AB_CD=$* XPI_NAME=locale-$*
 	@$(MAKE) -C ../../../intl/locales AB_CD=$* XPI_NAME=locale-$*
 ifdef MOZ_DEVTOOLS
diff --git a/application/palemoon/locales/en-US/chrome/browser/aboutHome.dtd b/application/palemoon/locales/en-US/chrome/browser/aboutHome.dtd
index 03ffe629dd..d3bd85fc80 100644
--- a/application/palemoon/locales/en-US/chrome/browser/aboutHome.dtd
+++ b/application/palemoon/locales/en-US/chrome/browser/aboutHome.dtd
@@ -4,8 +4,10 @@
 
 <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd">
 %brandDTD;
+#ifdef MOZ_SERVICES_SYNC
 <!ENTITY % syncBrandDTD SYSTEM "chrome://browser/locale/syncBrand.dtd">
 %syncBrandDTD;
+#endif
 
 <!-- These strings are used in the about:home page -->
 
@@ -19,4 +21,6 @@
 <!ENTITY abouthome.addonsButton.label    "Add-ons">
 <!ENTITY abouthome.appsButton.label      "Marketplace">
 <!ENTITY abouthome.downloadsButton.label "Downloads">
+#ifdef MOZ_SERVICES_SYNC
 <!ENTITY abouthome.syncButton.label      "&syncBrand.shortName.label;">
+#endif
\ No newline at end of file
diff --git a/application/palemoon/locales/en-US/chrome/browser/browser.dtd b/application/palemoon/locales/en-US/chrome/browser/browser.dtd
index 2d80c80784..439057a84b 100644
--- a/application/palemoon/locales/en-US/chrome/browser/browser.dtd
+++ b/application/palemoon/locales/en-US/chrome/browser/browser.dtd
@@ -507,6 +507,8 @@ you can use these alternative items. Otherwise, their values should be empty.  -
 <!ENTITY closeCmd.key                   "W">  
 <!ENTITY closeCmd.accesskey             "C">
 
+<!ENTITY toggleMuteCmd.key              "M">
+
 <!ENTITY pageStyleMenu.label "Page Style">
 <!ENTITY pageStyleMenu.accesskey "y">
 <!ENTITY pageStyleNoStyle.label "No Style">
@@ -565,6 +567,7 @@ just addresses the organization to follow, e.g. "This site is run by " -->
      The word "toolbar" is appended automatically and should not be contained below! -->
 <!ENTITY tabsToolbar.label "Browser tabs">
 
+#ifdef MOZ_SERVICES_SYNC
 <!-- LOCALIZATION NOTE (syncTabsMenu2.label): This appears in the history menu -->
 <!ENTITY syncTabsMenu2.label     "Tabs From Other Devices">
 
@@ -575,6 +578,7 @@ just addresses the organization to follow, e.g. "This site is run by " -->
 <!ENTITY syncSyncNowItem.label        "Sync Now">
 <!ENTITY syncSyncNowItem.accesskey    "S">
 <!ENTITY syncToolbarButton.label      "Sync">
+#endif
 
 <!ENTITY addonBarCloseButton.tooltip  "Close Add-on Bar">
 <!ENTITY toggleAddonBarCmd.key        "/">
diff --git a/application/palemoon/locales/en-US/chrome/browser/browser.properties b/application/palemoon/locales/en-US/chrome/browser/browser.properties
index 9969bd753b..dbe6dbaa1a 100644
--- a/application/palemoon/locales/en-US/chrome/browser/browser.properties
+++ b/application/palemoon/locales/en-US/chrome/browser/browser.properties
@@ -397,3 +397,8 @@ slowStartup.helpButton.label = Learn How to Speed It Up
 slowStartup.helpButton.accesskey = L
 slowStartup.disableNotificationButton.label = Don't Tell Me Again
 slowStartup.disableNotificationButton.accesskey = A
+
+muteTab.label = Mute Tab
+muteTab.accesskey = M
+unmuteTab.label = Unmute Tab
+unmuteTab.accesskey = M
\ No newline at end of file
diff --git a/application/palemoon/locales/en-US/chrome/browser/tabbrowser.properties b/application/palemoon/locales/en-US/chrome/browser/tabbrowser.properties
index 0d21d4d148..a4a0be0a0b 100644
--- a/application/palemoon/locales/en-US/chrome/browser/tabbrowser.properties
+++ b/application/palemoon/locales/en-US/chrome/browser/tabbrowser.properties
@@ -24,3 +24,7 @@ tabs.closeWarningTitle=Confirm close
 tabs.closeWarningMultipleTabs=You are about to close %S tabs. Are you sure you want to continue?
 tabs.closeButtonMultiple=Close tabs
 tabs.closeWarningPromptMe=Warn me when I attempt to close multiple tabs
+
+tabs.muteAudio.tooltip=Mute tab
+tabs.unmuteAudio.tooltip=Unmute tab
+tabs.unblockAudio.tooltip=Play tab
diff --git a/application/palemoon/locales/jar.mn b/application/palemoon/locales/jar.mn
index e3477c320d..0fc7f2c9b1 100644
--- a/application/palemoon/locales/jar.mn
+++ b/application/palemoon/locales/jar.mn
@@ -6,93 +6,93 @@
 
 @AB_CD@.jar:
 % locale browser @AB_CD@ %locale/browser/
-    locale/browser/aboutCertError.dtd              (%chrome/browser/aboutCertError.dtd)
-    locale/browser/aboutDialog.dtd                 (%chrome/browser/aboutDialog.dtd)
-    locale/browser/aboutPrivateBrowsing.dtd        (%chrome/browser/aboutPrivateBrowsing.dtd)
-    locale/browser/aboutRobots.dtd                 (%chrome/browser/aboutRobots.dtd)
-    locale/browser/aboutHome.dtd                   (%chrome/browser/aboutHome.dtd)
-    locale/browser/aboutSessionRestore.dtd         (%chrome/browser/aboutSessionRestore.dtd)
+  locale/browser/aboutCertError.dtd                             (%chrome/browser/aboutCertError.dtd)
+  locale/browser/aboutDialog.dtd                                (%chrome/browser/aboutDialog.dtd)
+  locale/browser/aboutPrivateBrowsing.dtd                       (%chrome/browser/aboutPrivateBrowsing.dtd)
+  locale/browser/aboutRobots.dtd                                (%chrome/browser/aboutRobots.dtd)
+* locale/browser/aboutHome.dtd                                  (%chrome/browser/aboutHome.dtd)
+  locale/browser/aboutSessionRestore.dtd                        (%chrome/browser/aboutSessionRestore.dtd)
 #ifdef MOZ_SERVICES_SYNC
-    locale/browser/syncProgress.dtd                (%chrome/browser/syncProgress.dtd)
-    locale/browser/aboutSyncTabs.dtd               (%chrome/browser/aboutSyncTabs.dtd)
+  locale/browser/syncProgress.dtd                               (%chrome/browser/syncProgress.dtd)
+  locale/browser/aboutSyncTabs.dtd                              (%chrome/browser/aboutSyncTabs.dtd)
 #endif
-*   locale/browser/browser.dtd                     (%chrome/browser/browser.dtd)
-    locale/browser/baseMenuOverlay.dtd             (%chrome/browser/baseMenuOverlay.dtd)
-    locale/browser/charsetOverlay.dtd              (%chrome/browser/charsetOverlay.dtd)
-    locale/browser/browser.properties              (%chrome/browser/browser.properties)
-    locale/browser/charsetMenu.properties          (%chrome/browser/charsetMenu.properties)
-    locale/browser/charsetMenu.dtd                 (%chrome/browser/charsetMenu.dtd)
-    locale/browser/newTab.dtd                      (%chrome/browser/newTab.dtd)
-    locale/browser/newTab.properties               (%chrome/browser/newTab.properties)
-    locale/browser/openLocation.dtd                (%chrome/browser/openLocation.dtd)
-    locale/browser/openLocation.properties         (%chrome/browser/openLocation.properties)
-    locale/browser/pageInfo.dtd                    (%chrome/browser/pageInfo.dtd)
-    locale/browser/pageInfo.properties             (%chrome/browser/pageInfo.properties)
-    locale/browser/palemoon.dtd                    (%chrome/browser/palemoon.dtd)
-    locale/browser/quitDialog.properties           (%chrome/browser/quitDialog.properties)
-    locale/browser/safeMode.dtd                    (%chrome/browser/safeMode.dtd)
-    locale/browser/sanitize.dtd                    (%chrome/browser/sanitize.dtd)
-    locale/browser/search.properties               (%chrome/browser/search.properties)
-    locale/browser/searchbar.dtd                   (%chrome/browser/searchbar.dtd)
-    locale/browser/engineManager.dtd               (%chrome/browser/engineManager.dtd)
-    locale/browser/engineManager.properties        (%chrome/browser/engineManager.properties)
-    locale/browser/setDesktopBackground.dtd        (%chrome/browser/setDesktopBackground.dtd)
-    locale/browser/shellservice.properties         (%chrome/browser/shellservice.properties)
-    locale/browser/statusbar/statusbar-overlay.dtd (%chrome/browser/statusbar/statusbar-overlay.dtd)
-    locale/browser/statusbar/statusbar-prefs.dtd   (%chrome/browser/statusbar/statusbar-prefs.dtd)
-    locale/browser/statusbar/meta.properties       (%chrome/browser/statusbar/meta.properties)
-    locale/browser/statusbar/overlay.properties    (%chrome/browser/statusbar/overlay.properties)
-    locale/browser/statusbar/prefs.properties      (%chrome/browser/statusbar/prefs.properties)
-    locale/browser/tabbrowser.dtd                  (%chrome/browser/tabbrowser.dtd)
-    locale/browser/tabbrowser.properties           (%chrome/browser/tabbrowser.properties)
-    locale/browser/taskbar.properties              (%chrome/browser/taskbar.properties)
-    locale/browser/downloads/downloads.dtd         (%chrome/browser/downloads/downloads.dtd)
-    locale/browser/downloads/downloads.properties  (%chrome/browser/downloads/downloads.properties)
-    locale/browser/places/places.dtd               (%chrome/browser/places/places.dtd)
-    locale/browser/places/places.properties        (%chrome/browser/places/places.properties)
-    locale/browser/places/editBookmarkOverlay.dtd  (%chrome/browser/places/editBookmarkOverlay.dtd)
-    locale/browser/places/bookmarkProperties.properties (%chrome/browser/places/bookmarkProperties.properties)
-    locale/browser/preferences/selectBookmark.dtd  (%chrome/browser/preferences/selectBookmark.dtd)
-    locale/browser/places/moveBookmarks.dtd        (%chrome/browser/places/moveBookmarks.dtd)
-    locale/browser/feeds/subscribe.dtd              (%chrome/browser/feeds/subscribe.dtd)
-    locale/browser/feeds/subscribe.properties       (%chrome/browser/feeds/subscribe.properties)
-    locale/browser/permissions/aboutPermissions.dtd          (%chrome/browser/permissions/aboutPermissions.dtd)
-    locale/browser/permissions/aboutPermissions.properties   (%chrome/browser/permissions/aboutPermissions.properties)
-    locale/browser/preferences/advanced.dtd           (%chrome/browser/preferences/advanced.dtd)
-    locale/browser/preferences/applicationManager.dtd        (%chrome/browser/preferences/applicationManager.dtd)
-    locale/browser/preferences/applicationManager.properties (%chrome/browser/preferences/applicationManager.properties)
-    locale/browser/preferences/colors.dtd             (%chrome/browser/preferences/colors.dtd)
-    locale/browser/preferences/cookies.dtd            (%chrome/browser/preferences/cookies.dtd)
-    locale/browser/preferences/content.dtd            (%chrome/browser/preferences/content.dtd)
-    locale/browser/preferences/connection.dtd         (%chrome/browser/preferences/connection.dtd)
-    locale/browser/preferences/applications.dtd       (%chrome/browser/preferences/applications.dtd)
-    locale/browser/preferences/fonts.dtd              (%chrome/browser/preferences/fonts.dtd)
-    locale/browser/preferences/main.dtd               (%chrome/browser/preferences/main.dtd)
-    locale/browser/preferences/languages.dtd          (%chrome/browser/preferences/languages.dtd)
-    locale/browser/preferences/permissions.dtd        (%chrome/browser/preferences/permissions.dtd)
-    locale/browser/preferences/preferences.dtd        (%chrome/browser/preferences/preferences.dtd)
-    locale/browser/preferences/preferences.properties (%chrome/browser/preferences/preferences.properties)
-    locale/browser/preferences/privacy.dtd            (%chrome/browser/preferences/privacy.dtd)
-    locale/browser/preferences/security.dtd           (%chrome/browser/preferences/security.dtd)
+* locale/browser/browser.dtd                                    (%chrome/browser/browser.dtd)
+  locale/browser/baseMenuOverlay.dtd                            (%chrome/browser/baseMenuOverlay.dtd)
+  locale/browser/charsetOverlay.dtd                             (%chrome/browser/charsetOverlay.dtd)
+  locale/browser/browser.properties                             (%chrome/browser/browser.properties)
+  locale/browser/charsetMenu.properties                         (%chrome/browser/charsetMenu.properties)
+  locale/browser/charsetMenu.dtd                                (%chrome/browser/charsetMenu.dtd)
+  locale/browser/newTab.dtd                                     (%chrome/browser/newTab.dtd)
+  locale/browser/newTab.properties                              (%chrome/browser/newTab.properties)
+  locale/browser/openLocation.dtd                               (%chrome/browser/openLocation.dtd)
+  locale/browser/openLocation.properties                        (%chrome/browser/openLocation.properties)
+  locale/browser/pageInfo.dtd                                   (%chrome/browser/pageInfo.dtd)
+  locale/browser/pageInfo.properties                            (%chrome/browser/pageInfo.properties)
+  locale/browser/palemoon.dtd                                   (%chrome/browser/palemoon.dtd)
+  locale/browser/quitDialog.properties                          (%chrome/browser/quitDialog.properties)
+  locale/browser/safeMode.dtd                                   (%chrome/browser/safeMode.dtd)
+  locale/browser/sanitize.dtd                                   (%chrome/browser/sanitize.dtd)
+  locale/browser/search.properties                              (%chrome/browser/search.properties)
+  locale/browser/searchbar.dtd                                  (%chrome/browser/searchbar.dtd)
+  locale/browser/engineManager.dtd                              (%chrome/browser/engineManager.dtd)
+  locale/browser/engineManager.properties                       (%chrome/browser/engineManager.properties)
+  locale/browser/setDesktopBackground.dtd                       (%chrome/browser/setDesktopBackground.dtd)
+  locale/browser/shellservice.properties                        (%chrome/browser/shellservice.properties)
+  locale/browser/statusbar/statusbar-overlay.dtd                (%chrome/browser/statusbar/statusbar-overlay.dtd)
+  locale/browser/statusbar/statusbar-prefs.dtd                  (%chrome/browser/statusbar/statusbar-prefs.dtd)
+  locale/browser/statusbar/meta.properties                      (%chrome/browser/statusbar/meta.properties)
+  locale/browser/statusbar/overlay.properties                   (%chrome/browser/statusbar/overlay.properties)
+  locale/browser/statusbar/prefs.properties                     (%chrome/browser/statusbar/prefs.properties)
+  locale/browser/tabbrowser.dtd                                 (%chrome/browser/tabbrowser.dtd)
+  locale/browser/tabbrowser.properties                          (%chrome/browser/tabbrowser.properties)
+  locale/browser/taskbar.properties                             (%chrome/browser/taskbar.properties)
+  locale/browser/downloads/downloads.dtd                        (%chrome/browser/downloads/downloads.dtd)
+  locale/browser/downloads/downloads.properties                 (%chrome/browser/downloads/downloads.properties)
+  locale/browser/places/places.dtd                              (%chrome/browser/places/places.dtd)
+  locale/browser/places/places.properties                       (%chrome/browser/places/places.properties)
+  locale/browser/places/editBookmarkOverlay.dtd                 (%chrome/browser/places/editBookmarkOverlay.dtd)
+  locale/browser/places/bookmarkProperties.properties           (%chrome/browser/places/bookmarkProperties.properties)
+  locale/browser/preferences/selectBookmark.dtd                 (%chrome/browser/preferences/selectBookmark.dtd)
+  locale/browser/places/moveBookmarks.dtd                       (%chrome/browser/places/moveBookmarks.dtd)
+  locale/browser/feeds/subscribe.dtd                            (%chrome/browser/feeds/subscribe.dtd)
+  locale/browser/feeds/subscribe.properties                     (%chrome/browser/feeds/subscribe.properties)
+  locale/browser/permissions/aboutPermissions.dtd               (%chrome/browser/permissions/aboutPermissions.dtd)
+  locale/browser/permissions/aboutPermissions.properties        (%chrome/browser/permissions/aboutPermissions.properties)
+  locale/browser/preferences/advanced.dtd                       (%chrome/browser/preferences/advanced.dtd)
+  locale/browser/preferences/applicationManager.dtd             (%chrome/browser/preferences/applicationManager.dtd)
+  locale/browser/preferences/applicationManager.properties      (%chrome/browser/preferences/applicationManager.properties)
+  locale/browser/preferences/colors.dtd                         (%chrome/browser/preferences/colors.dtd)
+  locale/browser/preferences/cookies.dtd                        (%chrome/browser/preferences/cookies.dtd)
+  locale/browser/preferences/content.dtd                        (%chrome/browser/preferences/content.dtd)
+  locale/browser/preferences/connection.dtd                     (%chrome/browser/preferences/connection.dtd)
+  locale/browser/preferences/applications.dtd                   (%chrome/browser/preferences/applications.dtd)
+  locale/browser/preferences/fonts.dtd                          (%chrome/browser/preferences/fonts.dtd)
+  locale/browser/preferences/main.dtd                           (%chrome/browser/preferences/main.dtd)
+  locale/browser/preferences/languages.dtd                      (%chrome/browser/preferences/languages.dtd)
+  locale/browser/preferences/permissions.dtd                    (%chrome/browser/preferences/permissions.dtd)
+  locale/browser/preferences/preferences.dtd                    (%chrome/browser/preferences/preferences.dtd)
+  locale/browser/preferences/preferences.properties             (%chrome/browser/preferences/preferences.properties)
+  locale/browser/preferences/privacy.dtd                        (%chrome/browser/preferences/privacy.dtd)
+  locale/browser/preferences/security.dtd                       (%chrome/browser/preferences/security.dtd)
 #ifdef MOZ_SERVICES_SYNC
-    locale/browser/preferences/sync.dtd               (%chrome/browser/preferences/sync.dtd)
+  locale/browser/preferences/sync.dtd                           (%chrome/browser/preferences/sync.dtd)
 #endif
-    locale/browser/preferences/tabs.dtd               (%chrome/browser/preferences/tabs.dtd)
+  locale/browser/preferences/tabs.dtd                           (%chrome/browser/preferences/tabs.dtd)
 #ifdef MOZ_SERVICES_SYNC
-    locale/browser/syncBrand.dtd                (%chrome/browser/syncBrand.dtd)
-    locale/browser/syncSetup.dtd                (%chrome/browser/syncSetup.dtd)
-    locale/browser/syncSetup.properties         (%chrome/browser/syncSetup.properties)
-    locale/browser/syncGenericChange.properties         (%chrome/browser/syncGenericChange.properties)
-    locale/browser/syncKey.dtd                  (%chrome/browser/syncKey.dtd)
-    locale/browser/syncQuota.dtd                (%chrome/browser/syncQuota.dtd)
-    locale/browser/syncQuota.properties         (%chrome/browser/syncQuota.properties)
+  locale/browser/syncBrand.dtd                                  (%chrome/browser/syncBrand.dtd)
+  locale/browser/syncSetup.dtd                                  (%chrome/browser/syncSetup.dtd)
+  locale/browser/syncSetup.properties                           (%chrome/browser/syncSetup.properties)
+  locale/browser/syncGenericChange.properties                   (%chrome/browser/syncGenericChange.properties)
+  locale/browser/syncKey.dtd                                    (%chrome/browser/syncKey.dtd)
+  locale/browser/syncQuota.dtd                                  (%chrome/browser/syncQuota.dtd)
+  locale/browser/syncQuota.properties                           (%chrome/browser/syncQuota.properties)
 #endif
 % locale browser-region @AB_CD@ %locale/browser-region/
-    locale/browser-region/region.properties        (%chrome/browser-region/region.properties)
+  locale/browser-region/region.properties                       (%chrome/browser-region/region.properties)
 # the following files are browser-specific overrides
-    locale/browser/netError.dtd                (%chrome/overrides/netError.dtd)
-    locale/browser/appstrings.properties       (%chrome/overrides/appstrings.properties)
-    locale/browser/downloads/settingsChange.dtd  (%chrome/overrides/settingsChange.dtd)
+  locale/browser/netError.dtd                                   (%chrome/overrides/netError.dtd)
+  locale/browser/appstrings.properties                          (%chrome/overrides/appstrings.properties)
+  locale/browser/downloads/settingsChange.dtd                   (%chrome/overrides/settingsChange.dtd)
 % override chrome://global/locale/netError.dtd chrome://browser/locale/netError.dtd
 % override chrome://global/locale/appstrings.properties chrome://browser/locale/appstrings.properties
 % override chrome://mozapps/locale/downloads/settingsChange.dtd chrome://browser/locale/downloads/settingsChange.dtd
diff --git a/application/palemoon/modules/moz.build b/application/palemoon/modules/moz.build
index 8032930b2a..12a3ece2ef 100644
--- a/application/palemoon/modules/moz.build
+++ b/application/palemoon/modules/moz.build
@@ -4,7 +4,6 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-
 EXTRA_JS_MODULES += [
     'AutoCompletePopup.jsm',
     'BrowserNewTabPreloader.jsm',
@@ -38,5 +37,6 @@ EXTRA_PP_JS_MODULES += [
 # Pass down 'official build' flags
 if CONFIG['MC_OFFICIAL']:
     DEFINES['MC_OFFICIAL'] = 1
+
 if CONFIG['MOZILLA_OFFICIAL']:
     DEFINES['MOZILLA_OFFICIAL'] = 1
diff --git a/application/palemoon/moz.build b/application/palemoon/moz.build
index 2b9d8f09ba..72e37673cc 100644
--- a/application/palemoon/moz.build
+++ b/application/palemoon/moz.build
@@ -15,9 +15,7 @@ DIRS += [
     'themes',
 ]
 
-DIRS += [
-    'app',
-]
+DIRS += ['app']
 
 if CONFIG['MAKENSISU']:
     DIRS += ['installer/windows']
diff --git a/application/palemoon/themes/linux/browser.css b/application/palemoon/themes/linux/browser.css
index c6587babcc..516677fe60 100644
--- a/application/palemoon/themes/linux/browser.css
+++ b/application/palemoon/themes/linux/browser.css
@@ -1758,6 +1758,90 @@ richlistitem[type~="action"][actiontype="switchtab"] > .ac-url-box > .ac-action-
   -moz-margin-end: -1px;
 }
 
+/* Tab sound indicator */
+.tab-icon-sound {
+  -moz-margin-start: 4px;
+  width: 16px;
+  height: 16px;
+  padding: 0;
+}
+
+.allTabs-endimage[soundplaying],
+.tab-icon-sound[soundplaying] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio.svg#tab-audio");
+}
+
+.allTabs-endimage[muted],
+.tab-icon-sound[muted] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio.svg#tab-audio-muted");
+}
+
+.allTabs-endimage[blocked],
+.tab-icon-sound[blocked] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio.svg#tab-audio-blocked");
+}
+
+#TabsToolbar[brighttext] .tab-icon-sound[soundplaying],
+#TabsToolbar[brighttext] .tab-icon-sound[blocked],
+#TabsToolbar[brighttext] .tab-icon-sound[muted] {
+  filter: invert(1);
+}
+
+.tab-icon-sound[soundplaying-scheduledremoval]:not([muted]):not(:hover),
+.tab-icon-overlay[soundplaying-scheduledremoval]:not([muted]):not(:hover) {
+  transition: opacity .3s linear var(--soundplaying-removal-delay);
+  opacity: 0;
+}
+
+/* Tab icon overlay */
+.tab-icon-overlay {
+  width: 16px;
+  height: 16px;
+  margin-top: -8px;
+  margin-inline-start: -15px;
+  margin-inline-end: -1px;
+  position: relative;
+}
+
+.tab-icon-overlay[soundplaying],
+.tab-icon-overlay[muted]:not([crashed]),
+.tab-icon-overlay[blocked]:not([crashed]) {
+  border-radius: 10px;
+}
+
+.tab-icon-overlay[soundplaying]:hover,
+.tab-icon-overlay[muted]:not([crashed]):hover,
+.tab-icon-overlay[blocked]:not([crashed]):hover {
+  background-color: white;
+}
+
+.tab-icon-overlay[soundplaying] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio");
+}
+
+.tab-icon-overlay[muted] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-muted");
+}
+
+.tab-icon-overlay[blocked] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-blocked");
+}
+
+#TabsToolbar[brighttext] .tab-icon-overlay[soundplaying]:not([selected]):not(:hover),
+.tab-icon-overlay[soundplaying][selected]:-moz-lwtheme-brighttext:not(:hover) {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-white");
+}
+
+#TabsToolbar[brighttext] .tab-icon-overlay[muted]:not([crashed]):not([selected]):not(:hover),
+.tab-icon-overlay[muted][selected]:-moz-lwtheme-brighttext:not(:hover) {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-white-muted");
+}
+
+#TabsToolbar[brighttext] .tab-icon-overlay[blocked]:not([crashed]):not([selected]):not(:hover),
+.tab-icon-overlay[blocked][selected]:-moz-lwtheme-brighttext:not(:hover) {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-white-blocked");
+}
+
 /* Tabstrip new tab button */
 .tabs-newtab-button,
 #TabsToolbar > #new-tab-button ,
diff --git a/application/palemoon/themes/linux/communicator/jar.mn b/application/palemoon/themes/linux/communicator/jar.mn
index dfd20c5236..612d133352 100644
--- a/application/palemoon/themes/linux/communicator/jar.mn
+++ b/application/palemoon/themes/linux/communicator/jar.mn
@@ -4,4 +4,4 @@
 
 browser.jar:
 % skin communicator classic/1.0 %skin/classic/communicator/
-        skin/classic/communicator/communicator.css
+  skin/classic/communicator/communicator.css
diff --git a/application/palemoon/themes/linux/jar.mn b/application/palemoon/themes/linux/jar.mn
index 8b2e9dc77e..a79487c7f4 100644
--- a/application/palemoon/themes/linux/jar.mn
+++ b/application/palemoon/themes/linux/jar.mn
@@ -59,70 +59,72 @@ browser.jar:
   skin/classic/browser/webRTC-shareDevice-64.png
   skin/classic/browser/webRTC-sharingDevice-16.png
 #endif
-  skin/classic/browser/downloads/buttons.png          (downloads/buttons.png)
-  skin/classic/browser/downloads/download-glow.png    (downloads/download-glow.png)
-  skin/classic/browser/downloads/download-glow-small.png (downloads/download-glow-small.png)
-  skin/classic/browser/downloads/download-notification-finish.png (downloads/download-notification-finish.png)
-  skin/classic/browser/downloads/download-notification-start.png (downloads/download-notification-start.png)
-  skin/classic/browser/downloads/download-summary.png (downloads/download-summary.png)
-  skin/classic/browser/downloads/downloads.css        (downloads/downloads.css)
-  skin/classic/browser/downloads/allDownloadsViewOverlay.css   (downloads/allDownloadsViewOverlay.css)
-  skin/classic/browser/downloads/contentAreaDownloadsView.css  (downloads/contentAreaDownloadsView.css)
-  skin/classic/browser/feeds/feedIcon.png             (feeds/feedIcon.png)
-  skin/classic/browser/feeds/feedIcon16.png           (feeds/feedIcon16.png)
-  skin/classic/browser/feeds/videoFeedIcon.png        (feeds/feedIcon.png)
-  skin/classic/browser/feeds/videoFeedIcon16.png      (feeds/feedIcon16.png)
-  skin/classic/browser/feeds/audioFeedIcon.png        (feeds/feedIcon.png)
-  skin/classic/browser/feeds/audioFeedIcon16.png      (feeds/feedIcon16.png)
-  skin/classic/browser/feeds/subscribe.css            (feeds/subscribe.css)
-  skin/classic/browser/feeds/subscribe-ui.css         (feeds/subscribe-ui.css)
-* skin/classic/browser/newtab/newTab.css              (newtab/newTab.css)
-  skin/classic/browser/newtab/controls.png            (../shared/newtab/controls.png)
-  skin/classic/browser/newtab/noise.png               (../shared/newtab/noise.png)
-  skin/classic/browser/newtab/pinned.png              (../shared/newtab/pinned.png)
-  skin/classic/browser/places/bookmarksMenu.png       (places/bookmarksMenu.png)
-  skin/classic/browser/places/bookmarksToolbar.png    (places/bookmarksToolbar.png)
-  skin/classic/browser/places/calendar.png            (places/calendar.png)
-* skin/classic/browser/places/editBookmarkOverlay.css (places/editBookmarkOverlay.css)
-  skin/classic/browser/places/livemark-item.png       (places/livemark-item.png)
-  skin/classic/browser/places/pageStarred.png         (places/pageStarred.png)
-  skin/classic/browser/places/star-icons.png          (places/star-icons.png)
-  skin/classic/browser/places/starred48.png           (places/starred48.png)
-  skin/classic/browser/places/unstarred48.png         (places/unstarred48.png)
-  skin/classic/browser/places/places.css              (places/places.css)
-  skin/classic/browser/places/organizer.css           (places/organizer.css)
-  skin/classic/browser/places/organizer.xml           (places/organizer.xml)
-  skin/classic/browser/places/query.png               (places/query.png)
-  skin/classic/browser/places/starPage.png            (places/starPage.png)
-  skin/classic/browser/places/tag.png                 (places/tag.png)
-  skin/classic/browser/places/toolbarDropMarker.png   (places/toolbarDropMarker.png)
-  skin/classic/browser/places/unsortedBookmarks.png   (places/unsortedBookmarks.png)
-  skin/classic/browser/places/downloads.png           (places/downloads.png)
-  skin/classic/browser/permissions/aboutPermissions.css (permissions/aboutPermissions.css)
-  skin/classic/browser/preferences/alwaysAsk.png      (preferences/alwaysAsk.png)
-  skin/classic/browser/preferences/mail.png           (preferences/mail.png)
-  skin/classic/browser/preferences/Options.png        (preferences/Options.png)
+  skin/classic/browser/downloads/buttons.png                          (downloads/buttons.png)
+  skin/classic/browser/downloads/download-glow.png                    (downloads/download-glow.png)
+  skin/classic/browser/downloads/download-glow-small.png              (downloads/download-glow-small.png)
+  skin/classic/browser/downloads/download-notification-finish.png     (downloads/download-notification-finish.png)
+  skin/classic/browser/downloads/download-notification-start.png      (downloads/download-notification-start.png)
+  skin/classic/browser/downloads/download-summary.png                 (downloads/download-summary.png)
+  skin/classic/browser/downloads/downloads.css                        (downloads/downloads.css)
+  skin/classic/browser/downloads/allDownloadsViewOverlay.css          (downloads/allDownloadsViewOverlay.css)
+  skin/classic/browser/downloads/contentAreaDownloadsView.css         (downloads/contentAreaDownloadsView.css)
+  skin/classic/browser/feeds/feedIcon.png                             (feeds/feedIcon.png)
+  skin/classic/browser/feeds/feedIcon16.png                           (feeds/feedIcon16.png)
+  skin/classic/browser/feeds/videoFeedIcon.png                        (feeds/feedIcon.png)
+  skin/classic/browser/feeds/videoFeedIcon16.png                      (feeds/feedIcon16.png)
+  skin/classic/browser/feeds/audioFeedIcon.png                        (feeds/feedIcon.png)
+  skin/classic/browser/feeds/audioFeedIcon16.png                      (feeds/feedIcon16.png)
+  skin/classic/browser/feeds/subscribe.css                            (feeds/subscribe.css)
+  skin/classic/browser/feeds/subscribe-ui.css                         (feeds/subscribe-ui.css)
+* skin/classic/browser/newtab/newTab.css                              (newtab/newTab.css)
+  skin/classic/browser/newtab/controls.png                            (../shared/newtab/controls.png)
+  skin/classic/browser/newtab/noise.png                               (../shared/newtab/noise.png)
+  skin/classic/browser/newtab/pinned.png                              (../shared/newtab/pinned.png)
+  skin/classic/browser/places/bookmarksMenu.png                       (places/bookmarksMenu.png)
+  skin/classic/browser/places/bookmarksToolbar.png                    (places/bookmarksToolbar.png)
+  skin/classic/browser/places/calendar.png                            (places/calendar.png)
+* skin/classic/browser/places/editBookmarkOverlay.css                 (places/editBookmarkOverlay.css)
+  skin/classic/browser/places/livemark-item.png                       (places/livemark-item.png)
+  skin/classic/browser/places/pageStarred.png                         (places/pageStarred.png)
+  skin/classic/browser/places/star-icons.png                          (places/star-icons.png)
+  skin/classic/browser/places/starred48.png                           (places/starred48.png)
+  skin/classic/browser/places/unstarred48.png                         (places/unstarred48.png)
+  skin/classic/browser/places/places.css                              (places/places.css)
+  skin/classic/browser/places/organizer.css                           (places/organizer.css)
+  skin/classic/browser/places/organizer.xml                           (places/organizer.xml)
+  skin/classic/browser/places/query.png                               (places/query.png)
+  skin/classic/browser/places/starPage.png                            (places/starPage.png)
+  skin/classic/browser/places/tag.png                                 (places/tag.png)
+  skin/classic/browser/places/toolbarDropMarker.png                   (places/toolbarDropMarker.png)
+  skin/classic/browser/places/unsortedBookmarks.png                   (places/unsortedBookmarks.png)
+  skin/classic/browser/places/downloads.png                           (places/downloads.png)
+  skin/classic/browser/permissions/aboutPermissions.css               (permissions/aboutPermissions.css)
+  skin/classic/browser/preferences/alwaysAsk.png                      (preferences/alwaysAsk.png)
+  skin/classic/browser/preferences/mail.png                           (preferences/mail.png)
+  skin/classic/browser/preferences/Options.png                        (preferences/Options.png)
 #ifdef MOZ_SERVICES_SYNC
-  skin/classic/browser/preferences/Options-sync.png   (preferences/Options-sync.png)
+  skin/classic/browser/preferences/Options-sync.png                   (preferences/Options-sync.png)
 #endif
-* skin/classic/browser/preferences/preferences.css    (preferences/preferences.css)
-  skin/classic/browser/preferences/applications.css   (preferences/applications.css)
+* skin/classic/browser/preferences/preferences.css                    (preferences/preferences.css)
+  skin/classic/browser/preferences/applications.css                   (preferences/applications.css)
 #ifdef MOZ_BROWSER_STATUSBAR
-  skin/classic/browser/statusbar/dynamic.css                   (../shared/statusbar/dynamic.css)
-* skin/classic/browser/statusbar/overlay.css                   (statusbar/overlay.css)
-* skin/classic/browser/statusbar/prefs.css                     (statusbar/prefs.css)
-  skin/classic/browser/statusbar/pulse.png                     (../shared/statusbar/pulse.png)
-  skin/classic/browser/statusbar/pms16.png                     (../shared/statusbar/pms16.png)
-  skin/classic/browser/statusbar/pms24.png                     (../shared/statusbar/pms24.png)
-  skin/classic/browser/statusbar/throbber-idle.png             (../shared/statusbar/throbber-idle.png)
-  skin/classic/browser/statusbar/throbberStatic.png            (../shared/statusbar/throbberStatic.png)
+  skin/classic/browser/statusbar/dynamic.css                          (../shared/statusbar/dynamic.css)
+* skin/classic/browser/statusbar/overlay.css                          (statusbar/overlay.css)
+* skin/classic/browser/statusbar/prefs.css                            (statusbar/prefs.css)
+  skin/classic/browser/statusbar/pulse.png                            (../shared/statusbar/pulse.png)
+  skin/classic/browser/statusbar/pms16.png                            (../shared/statusbar/pms16.png)
+  skin/classic/browser/statusbar/pms24.png                            (../shared/statusbar/pms24.png)
+  skin/classic/browser/statusbar/throbber-idle.png                    (../shared/statusbar/throbber-idle.png)
+  skin/classic/browser/statusbar/throbberStatic.png                   (../shared/statusbar/throbberStatic.png)
 #endif
-  skin/classic/browser/tabbrowser/alltabs.png         (tabbrowser/alltabs.png)
-  skin/classic/browser/tabbrowser/connecting.png      (tabbrowser/connecting.png)
-  skin/classic/browser/tabbrowser/loading.png         (tabbrowser/loading.png)
-  skin/classic/browser/tabbrowser/tab.png             (tabbrowser/tab.png)
-  skin/classic/browser/tabbrowser/tab-overflow-border.png (tabbrowser/tab-overflow-border.png)
-  skin/classic/browser/tabbrowser/tabDragIndicator.png (tabbrowser/tabDragIndicator.png)
+  skin/classic/browser/tabbrowser/alltabs.png                         (tabbrowser/alltabs.png)
+  skin/classic/browser/tabbrowser/connecting.png                      (tabbrowser/connecting.png)
+  skin/classic/browser/tabbrowser/loading.png                         (tabbrowser/loading.png)
+  skin/classic/browser/tabbrowser/tab.png                             (tabbrowser/tab.png)
+  skin/classic/browser/tabbrowser/tab-overflow-border.png             (tabbrowser/tab-overflow-border.png)
+  skin/classic/browser/tabbrowser/tabDragIndicator.png                (tabbrowser/tabDragIndicator.png)
+  skin/classic/browser/tabbrowser/tab-audio.svg                       (../shared/tabbrowser/tab-audio.svg)
+  skin/classic/browser/tabbrowser/tab-audio-small.svg                 (../shared/tabbrowser/tab-audio-small.svg)
 #ifdef MOZ_SERVICES_SYNC
   skin/classic/browser/sync-16-throbber.png
   skin/classic/browser/sync-16.png
@@ -137,6 +139,6 @@ browser.jar:
   skin/classic/browser/syncQuota.css
   skin/classic/browser/syncProgress.css
 #endif
-  skin/classic/browser/notification-pluginNormal.png  (../shared/plugins/notification-pluginNormal.png)
-  skin/classic/browser/notification-pluginAlert.png   (../shared/plugins/notification-pluginAlert.png)
-  skin/classic/browser/notification-pluginBlocked.png (../shared/plugins/notification-pluginBlocked.png)
+  skin/classic/browser/notification-pluginNormal.png                  (../shared/plugins/notification-pluginNormal.png)
+  skin/classic/browser/notification-pluginAlert.png                   (../shared/plugins/notification-pluginAlert.png)
+  skin/classic/browser/notification-pluginBlocked.png                 (../shared/plugins/notification-pluginBlocked.png)
diff --git a/application/palemoon/themes/moz.build b/application/palemoon/themes/moz.build
index d82bda3efb..5040c10c15 100644
--- a/application/palemoon/themes/moz.build
+++ b/application/palemoon/themes/moz.build
@@ -12,4 +12,3 @@ elif toolkit in ('gtk2', 'gtk3', 'qt'):
     DIRS += ['linux']
 else:
     DIRS += ['windows']
-    
diff --git a/application/palemoon/themes/osx/browser.css b/application/palemoon/themes/osx/browser.css
index a915af3a3c..a7bd683bd0 100644
--- a/application/palemoon/themes/osx/browser.css
+++ b/application/palemoon/themes/osx/browser.css
@@ -1821,6 +1821,90 @@ richlistitem[type~="action"][actiontype="switchtab"][selected="true"] > .ac-url-
     }
 }
   
+/* Tab sound indicator */
+.tab-icon-sound {
+  -moz-margin-start: 4px;
+  width: 16px;
+  height: 16px;
+  padding: 0;
+}
+
+.allTabs-endimage[soundplaying],
+.tab-icon-sound[soundplaying] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio.svg#tab-audio");
+}
+
+.allTabs-endimage[muted],
+.tab-icon-sound[muted] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio.svg#tab-audio-muted");
+}
+
+.allTabs-endimage[blocked],
+.tab-icon-sound[blocked] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio.svg#tab-audio-blocked");
+}
+
+#TabsToolbar[brighttext] .tab-icon-sound[soundplaying],
+#TabsToolbar[brighttext] .tab-icon-sound[blocked],
+#TabsToolbar[brighttext] .tab-icon-sound[muted] {
+  filter: invert(1);
+}
+
+.tab-icon-sound[soundplaying-scheduledremoval]:not([muted]):not(:hover),
+.tab-icon-overlay[soundplaying-scheduledremoval]:not([muted]):not(:hover) {
+  transition: opacity .3s linear var(--soundplaying-removal-delay);
+  opacity: 0;
+}
+
+/* Tab icon overlay */
+.tab-icon-overlay {
+  width: 16px;
+  height: 16px;
+  margin-top: -8px;
+  margin-inline-start: -15px;
+  margin-inline-end: -1px;
+  position: relative;
+}
+
+.tab-icon-overlay[soundplaying],
+.tab-icon-overlay[muted]:not([crashed]),
+.tab-icon-overlay[blocked]:not([crashed]) {
+  border-radius: 10px;
+}
+
+.tab-icon-overlay[soundplaying]:hover,
+.tab-icon-overlay[muted]:not([crashed]):hover,
+.tab-icon-overlay[blocked]:not([crashed]):hover {
+  background-color: white;
+}
+
+.tab-icon-overlay[soundplaying] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio");
+}
+
+.tab-icon-overlay[muted] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-muted");
+}
+
+.tab-icon-overlay[blocked] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-blocked");
+}
+
+#TabsToolbar[brighttext] .tab-icon-overlay[soundplaying]:not([selected]):not(:hover),
+.tab-icon-overlay[soundplaying][selected]:-moz-lwtheme-brighttext:not(:hover) {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-white");
+}
+
+#TabsToolbar[brighttext] .tab-icon-overlay[muted]:not([crashed]):not([selected]):not(:hover),
+.tab-icon-overlay[muted][selected]:-moz-lwtheme-brighttext:not(:hover) {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-white-muted");
+}
+
+#TabsToolbar[brighttext] .tab-icon-overlay[blocked]:not([crashed]):not([selected]):not(:hover),
+.tab-icon-overlay[blocked][selected]:-moz-lwtheme-brighttext:not(:hover) {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-white-blocked");
+}
+
 /* Tab scrollbox arrow, tabstrip new tab and all-tabs buttons */
 
 .tabbrowser-arrowscrollbox > .scrollbutton-up,
diff --git a/application/palemoon/themes/osx/communicator/jar.mn b/application/palemoon/themes/osx/communicator/jar.mn
index dfd20c5236..612d133352 100644
--- a/application/palemoon/themes/osx/communicator/jar.mn
+++ b/application/palemoon/themes/osx/communicator/jar.mn
@@ -4,4 +4,4 @@
 
 browser.jar:
 % skin communicator classic/1.0 %skin/classic/communicator/
-        skin/classic/communicator/communicator.css
+  skin/classic/communicator/communicator.css
diff --git a/application/palemoon/themes/osx/jar.mn b/application/palemoon/themes/osx/jar.mn
index a665639894..c59fb1c725 100644
--- a/application/palemoon/themes/osx/jar.mn
+++ b/application/palemoon/themes/osx/jar.mn
@@ -4,178 +4,180 @@
 
 browser.jar:
 % skin browser classic/1.0 %skin/classic/browser/
-        skin/classic/browser/sanitizeDialog.css
-*       skin/classic/browser/aboutPrivateBrowsing.css
-*       skin/classic/browser/aboutSessionRestore.css
-        skin/classic/browser/aboutSessionRestore-window-icon.png     (preferences/application.png)
-        skin/classic/browser/aboutCertError.css
-        skin/classic/browser/aboutCertError_sectionCollapsed.png
-        skin/classic/browser/aboutCertError_sectionCollapsed-rtl.png
-        skin/classic/browser/aboutCertError_sectionExpanded.png
+  skin/classic/browser/sanitizeDialog.css
+* skin/classic/browser/aboutPrivateBrowsing.css
+* skin/classic/browser/aboutSessionRestore.css
+  skin/classic/browser/aboutSessionRestore-window-icon.png     (preferences/application.png)
+  skin/classic/browser/aboutCertError.css
+  skin/classic/browser/aboutCertError_sectionCollapsed.png
+  skin/classic/browser/aboutCertError_sectionCollapsed-rtl.png
+  skin/classic/browser/aboutCertError_sectionExpanded.png
 #ifdef MOZ_SERVICES_SYNC
-        skin/classic/browser/aboutSyncTabs.css
+  skin/classic/browser/aboutSyncTabs.css
 #endif
-*       skin/classic/browser/autocomplete.css
-        skin/classic/browser/actionicon-tab.png
-        skin/classic/browser/appmenu-icons.png
-        skin/classic/browser/appmenu-dropmarker.png
-*       skin/classic/browser/browser.css
-        skin/classic/browser/click-to-play-warning-stripes.png
-*       skin/classic/browser/engineManager.css
-        skin/classic/browser/Geolocation-16.png
-        skin/classic/browser/Geolocation-64.png
-        skin/classic/browser/Info.png
-        skin/classic/browser/identity.png
-        skin/classic/browser/imagedocument.png 
-        skin/classic/browser/identity-icons-generic.png
-        skin/classic/browser/identity-icons-https.png
-        skin/classic/browser/identity-icons-https-ev.png
-        skin/classic/browser/identity-icons-https-mixed-active.png
-        skin/classic/browser/keyhole-forward-mask.svg
-        skin/classic/browser/KUI-background.png
-        skin/classic/browser/KUI-close.png
-        skin/classic/browser/livemark-folder.png
-        skin/classic/browser/menu-back.png
-        skin/classic/browser/menu-forward.png
-        skin/classic/browser/mixed-content-blocked-16.png
-        skin/classic/browser/mixed-content-blocked-64.png
-        skin/classic/browser/monitor.png
-        skin/classic/browser/monitor_16-10.png
+* skin/classic/browser/autocomplete.css
+  skin/classic/browser/actionicon-tab.png
+  skin/classic/browser/appmenu-icons.png
+  skin/classic/browser/appmenu-dropmarker.png
+* skin/classic/browser/browser.css
+  skin/classic/browser/click-to-play-warning-stripes.png
+* skin/classic/browser/engineManager.css
+  skin/classic/browser/Geolocation-16.png
+  skin/classic/browser/Geolocation-64.png
+  skin/classic/browser/Info.png
+  skin/classic/browser/identity.png
+  skin/classic/browser/imagedocument.png 
+  skin/classic/browser/identity-icons-generic.png
+  skin/classic/browser/identity-icons-https.png
+  skin/classic/browser/identity-icons-https-ev.png
+  skin/classic/browser/identity-icons-https-mixed-active.png
+  skin/classic/browser/keyhole-forward-mask.svg
+  skin/classic/browser/KUI-background.png
+  skin/classic/browser/KUI-close.png
+  skin/classic/browser/livemark-folder.png
+  skin/classic/browser/menu-back.png
+  skin/classic/browser/menu-forward.png
+  skin/classic/browser/mixed-content-blocked-16.png
+  skin/classic/browser/mixed-content-blocked-64.png
+  skin/classic/browser/monitor.png
+  skin/classic/browser/monitor_16-10.png
   skin/classic/browser/panel-expander-closed.png
   skin/classic/browser/panel-expander-closed@2x.png
   skin/classic/browser/panel-expander-open.png
   skin/classic/browser/panel-expander-open@2x.png
   skin/classic/browser/panel-plus-sign.png
-        skin/classic/browser/pageInfo.css
-        skin/classic/browser/pageInfo.png
-        skin/classic/browser/page-livemarks.png
-        skin/classic/browser/page-livemarks@2x.png
-        skin/classic/browser/pointerLock-16.png
-        skin/classic/browser/pointerLock-64.png
-        skin/classic/browser/Privacy-16.png
-        skin/classic/browser/Privacy-32.png
-        skin/classic/browser/Privacy-48.png
+  skin/classic/browser/pageInfo.css
+  skin/classic/browser/pageInfo.png
+  skin/classic/browser/page-livemarks.png
+  skin/classic/browser/page-livemarks@2x.png
+  skin/classic/browser/pointerLock-16.png
+  skin/classic/browser/pointerLock-64.png
+  skin/classic/browser/Privacy-16.png
+  skin/classic/browser/Privacy-32.png
+  skin/classic/browser/Privacy-48.png
   skin/classic/browser/privatebrowsing-mask.png
   skin/classic/browser/privatebrowsing-mask@2x.png
-        skin/classic/browser/privatebrowsing-light.png
-        skin/classic/browser/privatebrowsing-dark.png
-        skin/classic/browser/reload-stop-go.png
-        skin/classic/browser/Search-glass.png
-        skin/classic/browser/searchbar.css
-        skin/classic/browser/searchbar-dropdown-arrow.png
-        skin/classic/browser/Secure24.png
-        skin/classic/browser/setDesktopBackground.css
-        skin/classic/browser/slowStartup-16.png
-        skin/classic/browser/Toolbar.png
-        skin/classic/browser/Toolbar-inverted.png
-        skin/classic/browser/toolbarbutton-dropdown-arrow.png
-        skin/classic/browser/toolbarbutton-dropdown-arrow-inverted.png
-        skin/classic/browser/urlbar-arrow.png
-        skin/classic/browser/urlbar-popup-blocked.png
-        skin/classic/browser/urlbar-history-dropmarker.png
-        skin/classic/browser/web-notifications-icon.svg
-        skin/classic/browser/web-notifications-tray.svg
-        skin/classic/browser/notification-pluginNormal.png           (../shared/plugins/notification-pluginNormal.png)
-        skin/classic/browser/notification-pluginAlert.png            (../shared/plugins/notification-pluginAlert.png)
-        skin/classic/browser/notification-pluginBlocked.png          (../shared/plugins/notification-pluginBlocked.png)
+  skin/classic/browser/privatebrowsing-light.png
+  skin/classic/browser/privatebrowsing-dark.png
+  skin/classic/browser/reload-stop-go.png
+  skin/classic/browser/Search-glass.png
+  skin/classic/browser/searchbar.css
+  skin/classic/browser/searchbar-dropdown-arrow.png
+  skin/classic/browser/Secure24.png
+  skin/classic/browser/setDesktopBackground.css
+  skin/classic/browser/slowStartup-16.png
+  skin/classic/browser/Toolbar.png
+  skin/classic/browser/Toolbar-inverted.png
+  skin/classic/browser/toolbarbutton-dropdown-arrow.png
+  skin/classic/browser/toolbarbutton-dropdown-arrow-inverted.png
+  skin/classic/browser/urlbar-arrow.png
+  skin/classic/browser/urlbar-popup-blocked.png
+  skin/classic/browser/urlbar-history-dropmarker.png
+  skin/classic/browser/web-notifications-icon.svg
+  skin/classic/browser/web-notifications-tray.svg
+  skin/classic/browser/notification-pluginNormal.png                  (../shared/plugins/notification-pluginNormal.png)
+  skin/classic/browser/notification-pluginAlert.png                   (../shared/plugins/notification-pluginAlert.png)
+  skin/classic/browser/notification-pluginBlocked.png                 (../shared/plugins/notification-pluginBlocked.png)
 #ifdef MOZ_WEBRTC
-        skin/classic/browser/webRTC-shareDevice-16.png
-        skin/classic/browser/webRTC-shareDevice-64.png
-        skin/classic/browser/webRTC-sharingDevice-16.png
+  skin/classic/browser/webRTC-shareDevice-16.png
+  skin/classic/browser/webRTC-shareDevice-64.png
+  skin/classic/browser/webRTC-sharingDevice-16.png
 #endif
-        skin/classic/browser/downloads/buttons.png                   (downloads/buttons.png)
-        skin/classic/browser/downloads/download-glow.png             (downloads/download-glow.png)
-        skin/classic/browser/downloads/download-notification-finish.png (downloads/download-notification-finish.png)
-        skin/classic/browser/downloads/download-notification-start.png (downloads/download-notification-start.png)
-        skin/classic/browser/downloads/download-summary.png          (downloads/download-summary.png)
-*       skin/classic/browser/downloads/downloads.css                 (downloads/downloads.css)
-*       skin/classic/browser/downloads/allDownloadsViewOverlay.css   (downloads/allDownloadsViewOverlay.css)
-        skin/classic/browser/downloads/contentAreaDownloadsView.css  (downloads/contentAreaDownloadsView.css)
-        skin/classic/browser/feeds/feedIcon.png                      (feeds/feedIcon.png)
-        skin/classic/browser/feeds/feedIcon16.png                    (feeds/feedIcon16.png)
-        skin/classic/browser/feeds/feed-icons-16.png                 (feeds/feed-icons-16.png)
-        skin/classic/browser/feeds/audioFeedIcon.png                 (feeds/feedIcon.png)
-        skin/classic/browser/feeds/audioFeedIcon16.png               (feeds/feedIcon16.png)
-        skin/classic/browser/feeds/videoFeedIcon.png                 (feeds/feedIcon.png)
-        skin/classic/browser/feeds/videoFeedIcon16.png               (feeds/feedIcon16.png)
-        skin/classic/browser/feeds/subscribe.css                     (feeds/subscribe.css)
-        skin/classic/browser/feeds/subscribe-ui.css                  (feeds/subscribe-ui.css)
-*       skin/classic/browser/newtab/newTab.css                       (newtab/newTab.css)
-        skin/classic/browser/newtab/controls.png                     (../shared/newtab/controls.png)
-        skin/classic/browser/newtab/noise.png                        (../shared/newtab/noise.png)
-        skin/classic/browser/newtab/pinned.png                       (../shared/newtab/pinned.png)
-        skin/classic/browser/places/places.css                       (places/places.css)
-*       skin/classic/browser/places/organizer.css                    (places/organizer.css)
-        skin/classic/browser/places/editBookmark.png                 (places/editBookmark.png)
-        skin/classic/browser/places/bookmark.png                     (places/bookmark.png)
-        skin/classic/browser/places/query.png                        (places/query.png)
-        skin/classic/browser/places/query@2x.png                     (places/query@2x.png)
-        skin/classic/browser/places/bookmarksMenu.png                (places/bookmarksMenu.png)
-        skin/classic/browser/places/bookmarksToolbar.png             (places/bookmarksToolbar.png)
-        skin/classic/browser/places/bookmarksToolbar@2x.png          (places/bookmarksToolbar@2x.png)
-        skin/classic/browser/places/calendar.png                     (places/calendar.png)
-        skin/classic/browser/places/folderDropArrow.png              (places/folderDropArrow.png)
-        skin/classic/browser/places/folderDropArrow@2x.png           (places/folderDropArrow@2x.png)
-        skin/classic/browser/places/toolbarDropMarker.png            (places/toolbarDropMarker.png)
-        skin/classic/browser/places/editBookmarkOverlay.css          (places/editBookmarkOverlay.css)
-        skin/classic/browser/places/libraryToolbar.png               (places/libraryToolbar.png)
-        skin/classic/browser/places/starred48.png                    (places/starred48.png)
-        skin/classic/browser/places/unstarred48.png                  (places/unstarred48.png)
-  skin/classic/browser/places/unfiledBookmarks.png          (places/unfiledBookmarks.png)
-  skin/classic/browser/places/unfiledBookmarks@2x.png       (places/unfiledBookmarks@2x.png)
-        skin/classic/browser/places/tag.png                          (places/tag.png)
-        skin/classic/browser/places/tag@2x.png                       (places/tag@2x.png)
-        skin/classic/browser/places/history.png                      (places/history.png)
-        skin/classic/browser/places/history@2x.png                   (places/history@2x.png)
-        skin/classic/browser/places/allBookmarks.png                 (places/allBookmarks.png)
-        skin/classic/browser/places/unsortedBookmarks.png            (places/unsortedBookmarks.png)
-        skin/classic/browser/places/downloads.png                    (places/downloads.png)
-  skin/classic/browser/places/expander-closed-active.png    (places/expander-closed-active.png)
-  skin/classic/browser/places/expander-open-active.png      (places/expander-open-active.png)
-        skin/classic/browser/places/livemark-item.png                (places/livemark-item.png)
-        skin/classic/browser/places/expander-closed.png              (places/expander-closed.png)
-        skin/classic/browser/places/expander-open.png                (places/expander-open.png)
-        skin/classic/browser/permissions/aboutPermissions.css        (permissions/aboutPermissions.css)
-        skin/classic/browser/preferences/alwaysAsk.png               (preferences/alwaysAsk.png)
-        skin/classic/browser/preferences/application.png             (preferences/application.png)
-        skin/classic/browser/preferences/mail.png                    (preferences/mail.png)
-        skin/classic/browser/preferences/Options.png                 (preferences/Options.png)
+  skin/classic/browser/downloads/buttons.png                          (downloads/buttons.png)
+  skin/classic/browser/downloads/download-glow.png                    (downloads/download-glow.png)
+  skin/classic/browser/downloads/download-notification-finish.png     (downloads/download-notification-finish.png)
+  skin/classic/browser/downloads/download-notification-start.png      (downloads/download-notification-start.png)
+  skin/classic/browser/downloads/download-summary.png                 (downloads/download-summary.png)
+* skin/classic/browser/downloads/downloads.css                        (downloads/downloads.css)
+* skin/classic/browser/downloads/allDownloadsViewOverlay.css          (downloads/allDownloadsViewOverlay.css)
+  skin/classic/browser/downloads/contentAreaDownloadsView.css         (downloads/contentAreaDownloadsView.css)
+  skin/classic/browser/feeds/feedIcon.png                             (feeds/feedIcon.png)
+  skin/classic/browser/feeds/feedIcon16.png                           (feeds/feedIcon16.png)
+  skin/classic/browser/feeds/feed-icons-16.png                        (feeds/feed-icons-16.png)
+  skin/classic/browser/feeds/audioFeedIcon.png                        (feeds/feedIcon.png)
+  skin/classic/browser/feeds/audioFeedIcon16.png                      (feeds/feedIcon16.png)
+  skin/classic/browser/feeds/videoFeedIcon.png                        (feeds/feedIcon.png)
+  skin/classic/browser/feeds/videoFeedIcon16.png                      (feeds/feedIcon16.png)
+  skin/classic/browser/feeds/subscribe.css                            (feeds/subscribe.css)
+  skin/classic/browser/feeds/subscribe-ui.css                         (feeds/subscribe-ui.css)
+* skin/classic/browser/newtab/newTab.css                              (newtab/newTab.css)
+  skin/classic/browser/newtab/controls.png                            (../shared/newtab/controls.png)
+  skin/classic/browser/newtab/noise.png                               (../shared/newtab/noise.png)
+  skin/classic/browser/newtab/pinned.png                              (../shared/newtab/pinned.png)
+  skin/classic/browser/places/places.css                              (places/places.css)
+* skin/classic/browser/places/organizer.css                           (places/organizer.css)
+  skin/classic/browser/places/editBookmark.png                        (places/editBookmark.png)
+  skin/classic/browser/places/bookmark.png                            (places/bookmark.png)
+  skin/classic/browser/places/query.png                               (places/query.png)
+  skin/classic/browser/places/query@2x.png                            (places/query@2x.png)
+  skin/classic/browser/places/bookmarksMenu.png                       (places/bookmarksMenu.png)
+  skin/classic/browser/places/bookmarksToolbar.png                    (places/bookmarksToolbar.png)
+  skin/classic/browser/places/bookmarksToolbar@2x.png                 (places/bookmarksToolbar@2x.png)
+  skin/classic/browser/places/calendar.png                            (places/calendar.png)
+  skin/classic/browser/places/folderDropArrow.png                     (places/folderDropArrow.png)
+  skin/classic/browser/places/folderDropArrow@2x.png                  (places/folderDropArrow@2x.png)
+  skin/classic/browser/places/toolbarDropMarker.png                   (places/toolbarDropMarker.png)
+  skin/classic/browser/places/editBookmarkOverlay.css                 (places/editBookmarkOverlay.css)
+  skin/classic/browser/places/libraryToolbar.png                      (places/libraryToolbar.png)
+  skin/classic/browser/places/starred48.png                           (places/starred48.png)
+  skin/classic/browser/places/unstarred48.png                         (places/unstarred48.png)
+  skin/classic/browser/places/unfiledBookmarks.png                    (places/unfiledBookmarks.png)
+  skin/classic/browser/places/unfiledBookmarks@2x.png                 (places/unfiledBookmarks@2x.png)
+  skin/classic/browser/places/tag.png                                 (places/tag.png)
+  skin/classic/browser/places/tag@2x.png                              (places/tag@2x.png)
+  skin/classic/browser/places/history.png                             (places/history.png)
+  skin/classic/browser/places/history@2x.png                          (places/history@2x.png)
+  skin/classic/browser/places/allBookmarks.png                        (places/allBookmarks.png)
+  skin/classic/browser/places/unsortedBookmarks.png                   (places/unsortedBookmarks.png)
+  skin/classic/browser/places/downloads.png                           (places/downloads.png)
+  skin/classic/browser/places/expander-closed-active.png              (places/expander-closed-active.png)
+  skin/classic/browser/places/expander-open-active.png                (places/expander-open-active.png)
+  skin/classic/browser/places/livemark-item.png                       (places/livemark-item.png)
+  skin/classic/browser/places/expander-closed.png                     (places/expander-closed.png)
+  skin/classic/browser/places/expander-open.png                       (places/expander-open.png)
+  skin/classic/browser/permissions/aboutPermissions.css               (permissions/aboutPermissions.css)
+  skin/classic/browser/preferences/alwaysAsk.png                      (preferences/alwaysAsk.png)
+  skin/classic/browser/preferences/application.png                    (preferences/application.png)
+  skin/classic/browser/preferences/mail.png                           (preferences/mail.png)
+  skin/classic/browser/preferences/Options.png                        (preferences/Options.png)
 #ifdef MOZ_SERVICES_SYNC
-        skin/classic/browser/preferences/Options-sync.png            (preferences/Options-sync.png)
+  skin/classic/browser/preferences/Options-sync.png                   (preferences/Options-sync.png)
 #endif
-        skin/classic/browser/preferences/saveFile.png                (preferences/saveFile.png)
-*       skin/classic/browser/preferences/preferences.css             (preferences/preferences.css)
-        skin/classic/browser/preferences/applications.css            (preferences/applications.css)
+  skin/classic/browser/preferences/saveFile.png                       (preferences/saveFile.png)
+* skin/classic/browser/preferences/preferences.css                    (preferences/preferences.css)
+  skin/classic/browser/preferences/applications.css                   (preferences/applications.css)
 #ifdef MOZ_BROWSER_STATUSBAR
-        skin/classic/browser/statusbar/dynamic.css                   (../shared/statusbar/dynamic.css)
-*       skin/classic/browser/statusbar/overlay.css                   (statusbar/overlay.css)
-*       skin/classic/browser/statusbar/prefs.css                     (statusbar/prefs.css)
-        skin/classic/browser/statusbar/pulse.png                     (../shared/statusbar/pulse.png)
-        skin/classic/browser/statusbar/pms16.png                     (../shared/statusbar/pms16.png)
-        skin/classic/browser/statusbar/pms24.png                     (../shared/statusbar/pms24.png)
-        skin/classic/browser/statusbar/throbber-idle.png             (../shared/statusbar/throbber-idle.png)
-        skin/classic/browser/statusbar/throbberStatic.png            (../shared/statusbar/throbberStatic.png)
+  skin/classic/browser/statusbar/dynamic.css                          (../shared/statusbar/dynamic.css)
+* skin/classic/browser/statusbar/overlay.css                          (statusbar/overlay.css)
+* skin/classic/browser/statusbar/prefs.css                            (statusbar/prefs.css)
+  skin/classic/browser/statusbar/pulse.png                            (../shared/statusbar/pulse.png)
+  skin/classic/browser/statusbar/pms16.png                            (../shared/statusbar/pms16.png)
+  skin/classic/browser/statusbar/pms24.png                            (../shared/statusbar/pms24.png)
+  skin/classic/browser/statusbar/throbber-idle.png                    (../shared/statusbar/throbber-idle.png)
+  skin/classic/browser/statusbar/throbberStatic.png                   (../shared/statusbar/throbberStatic.png)
 #endif
-        skin/classic/browser/tabbrowser/alltabs.png                  (tabbrowser/alltabs.png)
-        skin/classic/browser/tabbrowser/alltabs-inverted.png         (tabbrowser/alltabs-inverted.png)
-        skin/classic/browser/tabbrowser/newtab.png                   (tabbrowser/newtab.png)
-        skin/classic/browser/tabbrowser/newtab-inverted.png          (tabbrowser/newtab-inverted.png)
-        skin/classic/browser/tabbrowser/connecting.png               (tabbrowser/connecting.png)
-        skin/classic/browser/tabbrowser/loading.png                  (tabbrowser/loading.png)
-        skin/classic/browser/tabbrowser/tab-arrow-left.png           (tabbrowser/tab-arrow-left.png)
-        skin/classic/browser/tabbrowser/tab-arrow-left-inverted.png  (tabbrowser/tab-arrow-left-inverted.png)
-        skin/classic/browser/tabbrowser/tab-overflow-border.png      (tabbrowser/tab-overflow-border.png)
-        skin/classic/browser/tabbrowser/tabDragIndicator.png         (tabbrowser/tabDragIndicator.png)
+  skin/classic/browser/tabbrowser/alltabs.png                         (tabbrowser/alltabs.png)
+  skin/classic/browser/tabbrowser/alltabs-inverted.png                (tabbrowser/alltabs-inverted.png)
+  skin/classic/browser/tabbrowser/newtab.png                          (tabbrowser/newtab.png)
+  skin/classic/browser/tabbrowser/newtab-inverted.png                 (tabbrowser/newtab-inverted.png)
+  skin/classic/browser/tabbrowser/connecting.png                      (tabbrowser/connecting.png)
+  skin/classic/browser/tabbrowser/loading.png                         (tabbrowser/loading.png)
+  skin/classic/browser/tabbrowser/tab-arrow-left.png                  (tabbrowser/tab-arrow-left.png)
+  skin/classic/browser/tabbrowser/tab-arrow-left-inverted.png         (tabbrowser/tab-arrow-left-inverted.png)
+  skin/classic/browser/tabbrowser/tab-overflow-border.png             (tabbrowser/tab-overflow-border.png)
+  skin/classic/browser/tabbrowser/tabDragIndicator.png                (tabbrowser/tabDragIndicator.png)
+  skin/classic/browser/tabbrowser/tab-audio.svg                       (../shared/tabbrowser/tab-audio.svg)
+  skin/classic/browser/tabbrowser/tab-audio-small.svg                 (../shared/tabbrowser/tab-audio-small.svg)
 #ifdef MOZ_SERVICES_SYNC
-        skin/classic/browser/sync-throbber.png
-        skin/classic/browser/sync-16.png
-        skin/classic/browser/sync-32.png
-        skin/classic/browser/sync-128.png
-        skin/classic/browser/sync-bg.png
-        skin/classic/browser/sync-desktopIcon.png
-        skin/classic/browser/sync-mobileIcon.png
-        skin/classic/browser/syncSetup.css
-        skin/classic/browser/syncCommon.css
-        skin/classic/browser/syncQuota.css
-        skin/classic/browser/syncProgress.css
+  skin/classic/browser/sync-throbber.png
+  skin/classic/browser/sync-16.png
+  skin/classic/browser/sync-32.png
+  skin/classic/browser/sync-128.png
+  skin/classic/browser/sync-bg.png
+  skin/classic/browser/sync-desktopIcon.png
+  skin/classic/browser/sync-mobileIcon.png
+  skin/classic/browser/syncSetup.css
+  skin/classic/browser/syncCommon.css
+  skin/classic/browser/syncQuota.css
+  skin/classic/browser/syncProgress.css
 #endif
diff --git a/application/palemoon/themes/shared/tabbrowser/tab-audio-small.svg b/application/palemoon/themes/shared/tabbrowser/tab-audio-small.svg
new file mode 100644
index 0000000000..abfe712685
--- /dev/null
+++ b/application/palemoon/themes/shared/tabbrowser/tab-audio-small.svg
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="16" height="16" viewBox="0 0 16 16">
+  <style>
+    .icon:not(:target) {
+      display: none;
+    }
+
+    .icon {
+      fill: #262626;
+    }
+    .icon > .outline {
+      fill: #fff;
+    }
+
+    .icon.white {
+      fill: #fff;
+    }
+    .icon.white > .outline {
+      fill: #000;
+      fill-opacity: .5;
+    }
+  </style>
+
+  <g id="tab-audio" class="icon">
+    <path class="outline" d="M12.4,3.6l-1-0.6l-0.9,2.5H10V1.8c0-0.4-0.5-0.7-0.9-0.4L5.6,5H4C2.9,5,2,5.9,2,7v2c0,1.1,0.9,2,2,2h1.6l3.6,3.6 c0.3,0.3,0.9,0.1,0.9-0.4v-3.7h0.5l0.9,2.5l1-0.6C14,11.5,15,9.8,15,8S14,4.5,12.4,3.6z M9,13l-3-3H4c-0.6,0-1-0.4-1-1V7 c0-0.6,0.4-1,1-1h2l3-3V13z M10,9.5v-3c0.8,0,1.5,0.7,1.5,1.5S10.8,9.5,10,9.5z M11.9,11.5l-0.4-0.9C12.4,10,13,9.1,13,8 s-0.6-2-1.4-2.5l0.3-1C13.2,5.2,14,6.5,14,8S13.2,10.8,11.9,11.5z"/>
+    <path d="M4,6C3.4,6,3,6.4,3,7v2c0,0.6,0.4,1,1,1h2l3,3V3L6,6H4z M10,6.5v3c0.8,0,1.5-0.7,1.5-1.5S10.8,6.5,10,6.5z M11.9,4.5 l-0.4,0.9C12.4,6,13,6.9,13,8s-0.6,2-1.4,2.5l0.4,0.9c1.2-0.7,2.1-2,2.1-3.5S13.2,5.2,11.9,4.5z"/>
+  </g>
+  <g id="tab-audio-muted" class="icon">
+    <path class="outline" d="M5.6,5H4C2.9,5,2,5.9,2,7v2c0,0.7,0.3,1.3,0.9,1.7l-1.8,1.8l2.5,2.5l3-3l2.6,2.6c0.3,0.3,0.9,0.1,0.9-0.4V8.5l3.9-3.9 l-2.5-2.5L10,3.5V1.8c0-0.4-0.5-0.7-0.9-0.4L5.6,5z"/>
+    <path d="M11.5,3.5L9,5.9V3L6,6H4C3.4,6,3,6.4,3,7v2c0,0.6,0.4,1,1,1h0.9l-2.5,2.5l1.1,1.1l9-9L11.5,3.5z M9,13V9.7l-1.7,1.7L9,13z"/>
+  </g>
+
+  <g id="tab-audio-white" class="icon white">
+    <path class="outline" d="M12.4,3.6l-1-0.6l-0.9,2.5H10V1.8c0-0.4-0.5-0.7-0.9-0.4L5.6,5H4C2.9,5,2,5.9,2,7v2c0,1.1,0.9,2,2,2h1.6l3.6,3.6 c0.3,0.3,0.9,0.1,0.9-0.4v-3.7h0.5l0.9,2.5l1-0.6C14,11.5,15,9.8,15,8S14,4.5,12.4,3.6z M9,13l-3-3H4c-0.6,0-1-0.4-1-1V7 c0-0.6,0.4-1,1-1h2l3-3V13z M10,9.5v-3c0.8,0,1.5,0.7,1.5,1.5S10.8,9.5,10,9.5z M11.9,11.5l-0.4-0.9C12.4,10,13,9.1,13,8 s-0.6-2-1.4-2.5l0.3-1C13.2,5.2,14,6.5,14,8S13.2,10.8,11.9,11.5z"/>
+    <path d="M4,6C3.4,6,3,6.4,3,7v2c0,0.6,0.4,1,1,1h2l3,3V3L6,6H4z M10,6.5v3c0.8,0,1.5-0.7,1.5-1.5S10.8,6.5,10,6.5z M11.9,4.5 l-0.4,0.9C12.4,6,13,6.9,13,8s-0.6,2-1.4,2.5l0.4,0.9c1.2-0.7,2.1-2,2.1-3.5S13.2,5.2,11.9,4.5z"/>
+  </g>
+  <g id="tab-audio-white-muted" class="icon white">
+    <path class="outline" d="M5.6,5H4C2.9,5,2,5.9,2,7v2c0,0.7,0.3,1.3,0.9,1.7l-1.8,1.8l2.5,2.5l3-3l2.6,2.6c0.3,0.3,0.9,0.1,0.9-0.4V8.5l3.9-3.9 l-2.5-2.5L10,3.5V1.8c0-0.4-0.5-0.7-0.9-0.4L5.6,5z"/>
+    <path d="M11.5,3.5L9,5.9V3L6,6H4C3.4,6,3,6.4,3,7v2c0,0.6,0.4,1,1,1h0.9l-2.5,2.5l1.1,1.1l9-9L11.5,3.5z M9,13V9.7l-1.7,1.7L9,13z"/>
+  </g>
+
+  <g id="tab-audio-blocked" class="icon">
+    <path class="outline" d="M8,1.2C4.3,1.2,1.2,4.3,1.2,8s3.1,6.8,6.8,6.8s6.8-3.1,6.8-6.8S11.7,1.2,8,1.2z M8,11.9
+      c-2.1,0-3.9-1.7-3.9-3.9c0-2.1,1.7-3.9,3.9-3.9s3.9,1.7,3.9,3.9C11.9,10.1,10.1,11.9,8,11.9z M11.1,7.3L6.6,4.6L5.4,3.9v1.4v5.3V12
+      l1.2-0.7L11,8.6L12.2,8L11.1,7.3z"/>
+    <path d="M8,2C4.7,2,2,4.7,2,8s2.7,6,6,6s6-2.7,6-6S11.3,2,8,2z M8,12.7c-2.6,0-4.7-2.1-4.7-4.7
+      S5.4,3.3,8,3.3s4.7,2.1,4.7,4.7S10.6,12.7,8,12.7z M10.7,8L6.2,5.3v5.4L10.7,8z"/>
+  </g>
+  <g id="tab-audio-white-blocked" class="icon">
+    <path class="outline" d="M8,0c3.3,0,6.4,2.2,7.5,5.3c1.1,3.1,0.1,6.7-2.5,8.9c-2.6,2.1-6.3,2.4-9.2,0.7
+      C1,13.1-0.5,9.8,0.1,6.5C0.9,2.8,4.2,0,8,0z"/>
+    <path d="M8,2C4.7,2,2,4.7,2,8s2.7,6,6,6s6-2.7,6-6S11.3,2,8,2z M8,12.7c-2.6,0-4.7-2.1-4.7-4.7
+      S5.4,3.3,8,3.3s4.7,2.1,4.7,4.7S10.6,12.7,8,12.7z M10.7,8L6.2,5.3v5.4L10.7,8z"/>
+  </g>
+</svg>
diff --git a/application/palemoon/themes/shared/tabbrowser/tab-audio.svg b/application/palemoon/themes/shared/tabbrowser/tab-audio.svg
new file mode 100644
index 0000000000..274e10c295
--- /dev/null
+++ b/application/palemoon/themes/shared/tabbrowser/tab-audio.svg
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- This Source Code Form is subject to the terms of the Mozilla Public
+   - License, v. 2.0. If a copy of the MPL was not distributed with this
+   - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 16 16">
+  <style>
+    path:not(:target) {
+      display: none;
+    }
+  </style>
+
+  <path id="tab-audio" d="M4,5C2.9,5,2,5.9,2,7v2c0,1.1,0.9,2,2,2h1.2L9,14V2L5.2,5H4z M11,8c0-0.6-0.4-1-1-1v2C10.6,9,11,8.6,11,8z M13,8 c0-1.4-1-2.6-2.3-2.9L10.4,6C11.3,6.2,12,7,12,8s-0.7,1.8-1.6,2l0.4,0.9C12,10.6,13,9.4,13,8z M11.4,3.2l-0.4,0.9 C12.8,4.6,14,6.2,14,8s-1.2,3.4-2.9,3.8l0.4,0.9C13.5,12.2,15,10.3,15,8S13.5,3.8,11.4,3.2z"/>
+
+  <path id="tab-audio-muted" d="M12.5,3.4L9,6.3V2L5.2,5H4C2.9,5,2,5.9,2,7v2c0,0.9,0.6,1.6,1.4,1.9l-1.9,1.5l1,1.2l11-9L12.5,3.4z M9,14v-4l-2.5,2L9,14z"/>
+
+  <path id="tab-audio-blocked" d="M8,0C3.6,0,0,3.6,0,8s3.6,8,8,8s8-3.6,8-8S12.4,0,8,0z M5.6,11.6l6-3.6l-6-3.6V11.6z M8,14.2
+  c-3.4,0-6.2-2.8-6.2-6.2S4.6,1.8,8,1.8s6.2,2.8,6.2,6.2S11.4,14.2,8,14.2z"/>
+</svg>
diff --git a/application/palemoon/themes/windows/Toolbar-glass.png b/application/palemoon/themes/windows/Toolbar-glass.png
deleted file mode 100644
index 23cc4bfaf4..0000000000
--- a/application/palemoon/themes/windows/Toolbar-glass.png
+++ /dev/null
diff --git a/application/palemoon/themes/windows/Toolbar-glass.svg b/application/palemoon/themes/windows/Toolbar-glass.svg
new file mode 100644
index 0000000000..5212e45e74
--- /dev/null
+++ b/application/palemoon/themes/windows/Toolbar-glass.svg
@@ -0,0 +1,2174 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   enable-background="new 0 0 378 38"
+   viewBox="0 0 378 38"
+   height="38"
+   width="378"
+   y="0px"
+   x="0px"
+   id="PaleMoonToolbarSVG"
+   version="1.1">
+  <metadata
+     id="metadata146">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <defs
+     id="defs144">
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.1087088,0,-1.2351844)"
+       r="7.1399999"
+       fy="14.778796"
+       fx="10.529827"
+       cy="14.778796"
+       cx="10.529827"
+       id="radialGradient4669"
+       xlink:href="#linearGradient4635" />
+    <linearGradient
+       id="linearGradient4635">
+      <stop
+         id="stop4631"
+         offset="0"
+         style="stop-color:#6198cb;stop-opacity:1" />
+      <stop
+         id="stop4633"
+         offset="1"
+         style="stop-color:#3a78b2;stop-opacity:1" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.0853313,0,-3.029369)"
+       r="8.7600002"
+       fy="38.79744"
+       fx="11.063469"
+       cy="38.79744"
+       cx="11.063469"
+       id="radialGradient4637"
+       xlink:href="#linearGradient4635" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.1003056,0,-1.1335797)"
+       r="7.1399999"
+       fy="14.552581"
+       fx="34.841751"
+       cy="14.552581"
+       cx="34.841751"
+       id="radialGradient4677"
+       xlink:href="#linearGradient4635" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.99218759,0,0.09141507)"
+       r="7.6799994"
+       fy="12.761739"
+       fx="58.062626"
+       cy="12.761739"
+       cx="58.062626"
+       id="radialGradient4605"
+       xlink:href="#linearGradient4603" />
+    <linearGradient
+       id="linearGradient4603">
+      <stop
+         id="stop4599"
+         offset="0"
+         style="stop-color:#e72b1d;stop-opacity:1" />
+      <stop
+         id="stop4601"
+         offset="1"
+         style="stop-color:#cc4338;stop-opacity:1" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.0769231,0,-0.86932835)"
+       r="7.8000002"
+       fy="13.939252"
+       fx="79.305222"
+       cy="13.939252"
+       cx="79.305222"
+       id="radialGradient4525"
+       xlink:href="#linearGradient4523-3" />
+    <linearGradient
+       id="linearGradient4523-3">
+      <stop
+         id="stop4519"
+         offset="0"
+         style="stop-color:#4fb55d;stop-opacity:1" />
+      <stop
+         id="stop4521"
+         offset="1"
+         style="stop-color:#2d8539;stop-opacity:1" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.87507716,0,1.3868386)"
+       r="9.5995998"
+       fy="12.664675"
+       fx="103.23091"
+       cy="12.664675"
+       cx="103.23091"
+       id="radialGradient4529"
+       xlink:href="#linearGradient4527" />
+    <linearGradient
+       id="linearGradient4527">
+      <stop
+         id="stop4523"
+         offset="0"
+         style="stop-color:#3f6bbd;stop-opacity:1" />
+      <stop
+         id="stop4525"
+         offset="1"
+         style="stop-color:#29467b;stop-opacity:1" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.0032611,0,-0.03620244)"
+       r="8.3726959"
+       fy="16.659737"
+       fx="125.30523"
+       cy="16.659737"
+       cx="125.30523"
+       id="radialGradient4709"
+       xlink:href="#linearGradient4707" />
+    <linearGradient
+       id="linearGradient4707">
+      <stop
+         id="stop4703"
+         offset="0"
+         style="stop-color:#8c9ba5;stop-opacity:1" />
+      <stop
+         id="stop4705"
+         offset="1"
+         style="stop-color:#607480;stop-opacity:1" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.993055,0,0.07848724)"
+       r="8.6400051"
+       fy="12.784631"
+       fx="149.26262"
+       cy="12.784631"
+       cx="149.26262"
+       id="radialGradient4729"
+       xlink:href="#linearGradient4727" />
+    <linearGradient
+       id="linearGradient4727">
+      <stop
+         id="stop4723"
+         offset="0"
+         style="stop-color:#3eb796;stop-opacity:1" />
+      <stop
+         id="stop4725"
+         offset="1"
+         style="stop-color:#31a886;stop-opacity:1" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.79035186,0,0,0.79508811,-0.14216924,6.9389816e-4)"
+       r="9.6007004"
+       fy="12.037849"
+       fx="466.94476"
+       cy="12.037849"
+       cx="466.94476"
+       id="radialGradient5017"
+       xlink:href="#linearGradient5023" />
+    <linearGradient
+       id="linearGradient5023">
+      <stop
+         style="stop-color:#c6cdd2;stop-opacity:1"
+         offset="0"
+         id="stop5019" />
+      <stop
+         style="stop-color:#9cabb4;stop-opacity:1"
+         offset="1"
+         id="stop5021" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.87500048,0,1.3876528)"
+       r="9.5999947"
+       fy="13.746766"
+       fx="194.44176"
+       cy="13.746766"
+       cx="194.44176"
+       id="radialGradient4793"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.87500002,0,1.3876579)"
+       r="9.6000004"
+       fy="11.101265"
+       fx="239.2"
+       cy="11.101265"
+       cx="239.2"
+       id="radialGradient4833"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.79274533,0,0,0.78327978,-0.14435628,0.11758726)"
+       r="3.5288758"
+       fy="12.418613"
+       fx="242.0894"
+       cy="12.418613"
+       cx="242.0894"
+       id="radialGradient4841"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.99992718,0,0.00247197)"
+       r="9.7507105"
+       fy="31.105829"
+       fx="466.39926"
+       cy="31.105829"
+       cx="466.39926"
+       id="radialGradient5031"
+       xlink:href="#linearGradient5037" />
+    <linearGradient
+       id="linearGradient5037">
+      <stop
+         style="stop-color:#e8e1a1;stop-opacity:1"
+         offset="0"
+         id="stop5033" />
+      <stop
+         style="stop-color:#baad3e;stop-opacity:1"
+         offset="1"
+         id="stop5035" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.8160434,0,2.0506693)"
+       r="10.35937"
+       fy="16.56296"
+       fx="217.95329"
+       cy="16.56296"
+       cx="217.95329"
+       id="radialGradient4813"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.9969072,0,0.03528241)"
+       r="8.5577164"
+       fy="15.840806"
+       fx="262.79288"
+       cy="15.840806"
+       cx="262.79288"
+       id="radialGradient4861"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       r="8.53125"
+       fy="14.171478"
+       fx="286.58698"
+       cy="14.171478"
+       cx="286.58698"
+       id="radialGradient4881"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.4,0,-4.4901397)"
+       r="6.09375"
+       fy="14.457072"
+       fx="308.97141"
+       cy="14.457072"
+       cx="308.97141"
+       id="radialGradient4901"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       r="8.53125"
+       fy="13.119289"
+       fx="331.15933"
+       cy="13.119289"
+       cx="331.15933"
+       id="radialGradient4921"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.79035186,0,0,0.15902921,-0.14216924,7.1987363)"
+       r="6.09375"
+       fy="11.316628"
+       fx="353.15076"
+       cy="11.316628"
+       cx="353.15076"
+       id="radialGradient4941"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       r="6.09375"
+       fy="11.407905"
+       fx="375.97003"
+       cy="11.407905"
+       cx="375.97003"
+       id="radialGradient4949"
+       xlink:href="#linearGradient4707"
+       gradientTransform="matrix(0.79035186,0,0,0.79514603,-0.14216924,3.8580698e-5)" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.99701325,0,0.03407254)"
+       r="8.5350475"
+       fy="13.518586"
+       fx="400.5007"
+       cy="13.518586"
+       cx="400.5007"
+       id="radialGradient4957"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1.357667,-0.02466618,0.02411975,1.3275908,-149.53429,5.1574131)"
+       r="8.53125"
+       fy="15.742972"
+       fx="417.02075"
+       cy="15.742972"
+       cx="417.02075"
+       id="radialGradient4977"
+       xlink:href="#linearGradient4975" />
+    <linearGradient
+       id="linearGradient4975">
+      <stop
+         id="stop4971"
+         offset="0"
+         style="stop-color:#f79729;stop-opacity:1" />
+      <stop
+         id="stop4973"
+         offset="1"
+         style="stop-color:#d2831f;stop-opacity:1" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.71428563,0,3.2333231)"
+       r="8.53125"
+       fy="11.316628"
+       fx="444.33652"
+       cy="11.316628"
+       cx="444.33652"
+       id="radialGradient4997"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       r="7.9746099"
+       fy="9"
+       fx="134.97461"
+       cy="9"
+       cx="134.97461"
+       gradientTransform="matrix(1.265625,0,0,1.1109477,-0.05703897,1.4865748)"
+       gradientUnits="userSpaceOnUse"
+       id="radialGradient4710"
+       xlink:href="#linearGradient4747" />
+    <linearGradient
+       id="linearGradient4747">
+      <stop
+         id="stop4743"
+         offset="0"
+         style="stop-color:#c5b631;stop-opacity:1" />
+      <stop
+         id="stop4745"
+         offset="1"
+         style="stop-color:#baad3e;stop-opacity:1" />
+    </linearGradient>
+    <radialGradient
+       r="7.9746099"
+       fy="9.0947113"
+       fx="132.6468"
+       cy="9.0947113"
+       cx="132.6468"
+       gradientTransform="matrix(1.265625,0,0,1.1109477,-0.05703897,1.4865748)"
+       gradientUnits="userSpaceOnUse"
+       id="radialGradient4712"
+       xlink:href="#linearGradient5037" />
+    <radialGradient
+       r="7.9746099"
+       fy="9"
+       fx="134.97461"
+       cy="9"
+       cx="134.97461"
+       gradientTransform="matrix(1.265625,0,0,1.1109477,-0.05703897,1.4865748)"
+       gradientUnits="userSpaceOnUse"
+       id="radialGradient4714"
+       xlink:href="#linearGradient4747" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,28.000001,0,-310.09784)"
+       r="0.31640625"
+       fy="11.485105"
+       fx="166.37157"
+       cy="11.485105"
+       cx="166.37157"
+       id="radialGradient4750"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.0032611,0.11563445,22.233158)"
+       r="8.3726959"
+       fy="16.659737"
+       fx="125.30523"
+       cy="16.659737"
+       cx="125.30523"
+       id="radialGradient4709-1"
+       xlink:href="#linearGradient4832" />
+    <linearGradient
+       id="linearGradient4832">
+      <stop
+         style="stop-color:#22e23d;stop-opacity:1"
+         offset="0"
+         id="stop5029" />
+      <stop
+         style="stop-color:#38a748;stop-opacity:1"
+         offset="1"
+         id="stop4830" />
+    </linearGradient>
+    <filter
+       id="filter4883"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4873"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4875"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4877"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4879"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4881"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6673"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6675" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6677"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6679" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6681" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6683"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter4895"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4885"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4887"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4889"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4891"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4893"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6685"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6687" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6689"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6691" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6693" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6695"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter4907"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4897"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4899"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4901"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4903"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4905"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6697"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6699" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6701"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6703" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6705" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6707"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter4919"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4909"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4911"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4913"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4915"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4917"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6709"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6711" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6713"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6715" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6717" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6719"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter4931"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4921"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4923"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4925"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4927"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4929"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6721"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6723" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6725"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6727" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6729" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6731"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter4943"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4933"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4935"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4937"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4939"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4941"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6733"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6735" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6737"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6739" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6741" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6743"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter4955"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4945"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4947"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4949"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4951"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4953"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6745"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6747" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6749"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6751" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6753" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6755"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter4967"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4957"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4959"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4961"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4963"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4965"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6757"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6759" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6761"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6763" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6765" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6767"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter4979"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4969"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4971"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4973"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4975"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4977"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6769"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6771" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6773"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6775" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6777" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6779"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter4991"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4981"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4983"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4985"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4987"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4989"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6781"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6783" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6785"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6787" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6789" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6791"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5003"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood4993"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite4995"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4997"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4999"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5001"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6793"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6795" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6797"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6799" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6801" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6803"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5015"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5005"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5007"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5009"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5011"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5013"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6805"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6807" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6809"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6811" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6813" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6815"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5027"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5017"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5019"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5021"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5023"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5025"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6817"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6819" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6821"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6823" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6825" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6827"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5039"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5029"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5031"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5033"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5035"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5037"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6829"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6831" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6833"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6835" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6837" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6839"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5051"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5041"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5043"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5045"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5047"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5049"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6841"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6843" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6845"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6847" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6849" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6851"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5063"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5053"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5055"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5057"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5059"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5061"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6853"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6855" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6857"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6859" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6861" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6863"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5075"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5065"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5067"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5069"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5071"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5073"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6865"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6867" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6869"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6871" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6873" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6875"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5087"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5077"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5079"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5081"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5083"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5085"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6877"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6879" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6881"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6883" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6885" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6887"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5099"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5089"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5091"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5093"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5095"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5097"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6889"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6891" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6893"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6895" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6897" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6899"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5111"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5101"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5103"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5105"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5107"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5109"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6901"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6903" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6905"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6907" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6909" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6911"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5123"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5113"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5115"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5117"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5119"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5121"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6913"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6915" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6917"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6919" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6921" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6923"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5135"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5125"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5127"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5129"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5131"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5133"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6925"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6927" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6929"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6931" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6933" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6935"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5147"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5137"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5139"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5141"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5143"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5145"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6937"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6939" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6941"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6943" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6945" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6947"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5159"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5149"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5151"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5153"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5155"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5157"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6949"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6951" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6953"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6955" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6957" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6959"
+         in2="offset" />
+    </filter>
+    <filter
+       id="filter5171"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood5161"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite5163"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5165"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5167"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite5169"
+         result="fbSourceGraphic"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+      <feColorMatrix
+         id="feColorMatrix6961"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(255,255,255)"
+         flood-opacity="1"
+         id="feFlood6963" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite6965"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="1"
+         in="composite1"
+         id="feGaussianBlur6967" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="2.77556e-017"
+         id="feOffset6969" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite6971"
+         in2="offset" />
+    </filter>
+  </defs>
+  <g
+     id="layer1">
+    <path
+       id="path4"
+       d="m 17.311578,13.702319 h -5.76 l 2.28,2.28 c 0.6,0.6 0.72,1.44 0.24,1.92 l -0.96,1.08 c -0.48,0.48 -1.32,0.36 -1.92,-0.24 l -6.4800001,-6.6 c -0.12,0 -0.36,-0.48 -0.48,-0.84 0,-0.359999 0.36,-0.719999 0.48,-0.839999 l 6.3600001,-6.48 c 0.6,-0.6000001 1.44,-0.7200001 1.92,-0.24 l 0.96,1.0799999 c 0.48,0.48 0.36,1.32 -0.24,1.9200001 l -2.16,2.1599999 h 5.76 c 0.72,0 1.2,0.48 1.2,1.2000001 v 2.399999 c 0,0.72 -0.48,1.2 -1.2,1.2 z"
+       style="display:inline;fill:url(#radialGradient4669);fill-opacity:1;stroke-width:1;filter:url(#filter4883)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 19.271765,37.987692 h -7.987059 l 3.607059,3.507571 c 0.515294,0.50108 0.644117,1.377974 0.257648,1.753785 l -1.545884,1.503245 C 13.217059,45.128104 12.315294,45.128104 11.8,44.501752 L 3.5552941,36.609718 c 0,0 -0.5152941,-0.626352 -0.5152941,-1.127434 0,-0.501081 0.5152941,-1.002163 0.5152941,-1.002163 L 11.8,26.462816 c 0.515294,-0.50108 1.417059,-0.626351 1.803529,-0.25054 l 1.545884,1.503245 c 0.386469,0.375811 0.386469,1.252704 -0.257648,1.753785 l -3.478236,3.50757 h 7.858236 c 0.772941,0 1.288236,0.501082 1.288236,1.252705 v 2.505407 c 0,0.751622 -0.515295,1.252704 -1.288236,1.252704 z"
+       id="path4154"
+       style="display:inline;fill:url(#radialGradient4637);fill-opacity:1;stroke-width:1;filter:url(#filter4895)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 26.86,12.501265 v -2.4 c 0,-0.7200003 0.48,-1.2000003 1.2,-1.2000003 h 5.76 L 31.66,6.7412646 c -0.6,-0.5999999 -0.72,-1.4399999 -0.24,-1.92 l 0.96,-1.08 c 0.48,-0.48 1.32,-0.36 1.92,0.24 l 6.36,6.4800004 c 0.12,0.12 0.48,0.48 0.48,0.84 0,0.36 -0.36,0.84 -0.48,0.84 l -6.48,6.48 c -0.6,0.6 -1.44,0.72 -1.92,0.24 l -0.96,-1.08 c -0.48,-0.48 -0.36,-1.32 0.24,-1.92 l 2.28,-2.16 h -5.76 c -0.72,0 -1.2,-0.48 -1.2,-1.2 z"
+       id="path4165"
+       style="display:inline;fill:url(#radialGradient4677);fill-opacity:1;stroke-width:1;filter:url(#filter4907)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 64.48,6.6012647 -5.039999,5.0400003 5.039999,5.04 -2.519999,2.52 -5.16,-4.92 -5.04,5.04 -2.52,-2.52 5.04,-5.16 -5.16,-5.0400003 2.52,-2.5200001 5.16,5.04 5.04,-5.04 z"
+       id="path4176"
+       style="display:inline;fill:url(#radialGradient4605);fill-opacity:1;stroke-width:1;filter:url(#filter4919)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 87.000001,11.301265 h -8.4 l 3.36,-3.3600004 c -0.84,-0.6 -1.68,-0.84 -2.76,-0.84 -2.64,0 -4.8,2.1600001 -4.8,4.8000004 0,2.64 2.16,4.8 4.8,4.8 1.68,0 3.24,-0.84 4.08,-2.28 l 2.76,1.2 c -1.32,2.4 -3.84,4.08 -6.84,4.08 -4.32,0 -7.8,-3.48 -7.8,-7.8 0,-4.3200004 3.48,-7.8000004 7.8,-7.8000004 1.8,0 3.48,0.6 4.92,1.6800001 l 2.88,-2.8800001 z"
+       id="path4187"
+       style="display:inline;fill:url(#radialGradient4525);fill-opacity:1;stroke-width:1;filter:url(#filter4931)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       id="path4209"
+       d="M 102.59961,2.7011715 93,11.101561 h 2.400391 l 1.242188,-0.03516 -0.04297,0.03516 v 8.400392 h 4.800781 v -6.000001 h 2.40039 v 6.000001 h 4.79884 v -8.400392 l -0.043,-0.03516 1.24415,0.03516 h 2.39843 z"
+       style="display:inline;fill:url(#radialGradient4529);fill-opacity:1;stroke:none;stroke-width:1;stroke-opacity:1;filter:url(#filter4943)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 133.15407,12.421265 -6.72001,6.6 c -0.24,0.36 -0.72,0.48 -1.2,0.48 -0.48,0 -0.96,-0.12 -1.32,-0.48 l -6.72,-6.6 c -0.6,-0.72 -0.48,-1.32 0.48,-1.32 h 3.96 V 3.9012646 c 0,-0.72 0.48,-1.2 1.2,-1.2 h 4.8 c 0.72,0 1.2,0.48 1.2,1.2 v 7.2000004 h 3.84 c 0.96001,0 1.20001,0.6 0.48001,1.32 z"
+       id="path4214"
+       style="display:inline;fill:url(#radialGradient4709);fill-opacity:1;stroke-width:1;filter:url(#filter4955)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 148,19.881265 c -4.8,0 -8.64,-3.84 -8.64,-8.64 0,-4.6800004 3.84,-8.5200004 8.64,-8.5200004 4.8,0 8.64001,3.84 8.64001,8.6400004 0,4.68 -3.84001,8.52 -8.64001,8.52 z m 0,-14.5200003 c -3.36,0 -6,2.6399999 -6,6.0000003 0,3.24 2.64,6 6,6 3.36,0 6.00001,-2.64 6.00001,-6 0,-3.3600004 -2.64001,-6.0000003 -6.00001,-6.0000003 z m -0.36,7.0800003 c -0.48,-0.12 -0.84,-0.6 -0.84,-1.08 V 7.7612646 c 0,-0.72 0.48,-1.2 1.2,-1.2 0.72,0 1.2,0.48 1.2,1.2 v 3.3600004 c 1.32,1.32 2.4,3.84 2.4,3.84 0,0 -2.64,-1.2 -3.96,-2.52 z"
+       id="path4225"
+       style="display:inline;fill:url(#radialGradient4729);fill-opacity:1;stroke-width:1;filter:url(#filter4967)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 369.00476,4.7878231 0.94842,1.9083504 0.47422,0.858758 0.94842,0.190835 2.18136,0.3816699 -1.61231,1.7175156 -0.6639,0.667923 0.0948,0.954175 0.37937,2.290022 -1.89685,-0.954178 -0.85358,-0.477086 -0.85358,0.477086 -1.89685,0.954178 0.37938,-2.290022 0.0948,-0.954175 -0.6639,-0.667923 -1.61232,-1.7175156 2.27622,-0.3816699 0.94842,-0.190835 0.37936,-0.858758 0.94843,-1.9083504 m 0,-3.4350309 c -0.28454,0 -0.56906,0.1908348 -0.75874,0.667922 l -1.89683,3.9121193 -4.07821,0.6679227 c -0.94842,0.190835 -1.13812,0.8587576 -0.47421,1.5266802 l 2.94011,3.1487776 -0.66391,4.389208 c -0.0948,0.572504 0.1897,0.954174 0.66391,0.954174 0.18967,0 0.37936,-0.09542 0.56905,-0.190835 l 3.69885,-2.003768 3.69884,2.003768 c 0.18969,0.09543 0.47421,0.190835 0.56906,0.190835 0.4742,0 0.75873,-0.38167 0.6639,-1.049592 l -0.6639,-4.389207 2.9401,-3.1487781 c 0.66391,-0.6679226 0.37938,-1.3358454 -0.4742,-1.5266803 L 371.66031,5.837416 369.76347,1.9252968 C 369.5738,1.543627 369.28926,1.3527922 369.00474,1.3527922 Z"
+       id="path4355"
+       style="display:inline;fill:url(#radialGradient5017);fill-opacity:1;stroke-width:0.79274529;filter:url(#filter4979)" />
+    <path
+       d="m 202,17.101265 h -2.4 l 1.2,2.4 h -14.39999 l 1.2,-2.4 h -2.4 c -0.72,0 -1.2,-0.48 -1.2,-1.2 V 9.9012647 c 0,-0.7200001 0.48,-1.2000001 1.2,-1.2000001 h 1.2 V 6.3012647 c 0,-0.7200001 0.48,-1.2000001 1.2,-1.2000001 v -1.2 c 0,-0.72 0.48,-1.2 1.2,-1.2 H 198.4 c 0.72,0 1.2,0.48 1.2,1.2 v 1.2 c 0.72,0 1.2,0.48 1.2,1.2000001 v 2.3999999 h 1.2 c 0.72,0 1.2,0.48 1.2,1.2000001 v 6.0000003 c 0,0.72 -0.48,1.2 -1.2,1.2 z m -14.39999,0 0.6,-1.2 h -0.6 z m 0.6,-6 h -0.6 -0.6 c -0.36,0 -0.6,0.24 -0.6,0.6 0,0.36 0.24,0.6 0.6,0.6 h 1.2 c 0.36,0 0.6,-0.24 0.6,-0.6 0,-0.36 -0.24,-0.6 -0.6,-0.6 z M 198.4,5.1012646 c 0,-0.72 -0.48,-1.2 -1.2,-1.2 h -7.19999 c -0.72,0 -1.2,0.48 -1.2,1.2 v 3.6 c 0,0.7200001 0.48,1.2000001 1.2,1.2000001 H 197.2 c 0.72,0 1.2,-0.48 1.2,-1.2000001 z m -1.08,10.8000004 h -7.43999 l -1.08,2.4 H 198.4 Z m 2.28,0 H 199 l 0.6,1.2 z"
+       id="path4366"
+       style="display:inline;fill:url(#radialGradient4793);fill-opacity:1;stroke-width:1;filter:url(#filter4991)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 247,19.501265 h -15.6 c -0.96,0 -1.8,-0.84 -1.8,-1.8 V 4.5012646 c 0,-0.9599999 0.84,-1.8 1.8,-1.8 H 247 c 0.96,0 1.8,0.8400001 1.8,1.8 V 17.701265 c 0,0.96 -0.84,1.8 -1.8,1.8 z M 239.8,3.9012646 c -0.36,0 -0.6,0.24 -0.6,0.6 0,0.36 0.24,0.6 0.6,0.6 0.36,0 0.6,-0.24 0.6,-0.6 0,-0.36 -0.24,-0.6 -0.6,-0.6 z m 2.28,0 c -0.36,0 -0.6,0.24 -0.6,0.6 0,0.36 0.36,0.6 0.6,0.6 0.36,0 0.6,-0.24 0.6,-0.6 0,-0.36 -0.24,-0.6 -0.6,-0.6 z m 3.72,0 h -1.2 c -0.36,0 -0.6,0.24 -0.6,0.6 0,0.36 0.24,0.6 0.6,0.6 h 1.2 c 0.36,0 0.6,-0.24 0.6,-0.6 0,-0.36 -0.24,-0.6 -0.6,-0.6 z m 0.6,4.8 c 0,-0.72 -0.48,-1.1999999 -1.2,-1.1999999 h -12 c -0.72,0 -1.2,0.4799999 -1.2,1.1999999 v 7.2000004 c 0,0.72 0.48,1.2 1.2,1.2 h 12 c 0.72,0 1.2,-0.48 1.2,-1.2 z"
+       id="path4388"
+       style="display:inline;fill:url(#radialGradient4833);fill-opacity:1;stroke-width:1;filter:url(#filter5003)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <text
+       transform="scale(0.98484982,1.0153832)"
+       id="text4409"
+       y="12.608931"
+       x="188.06316"
+       style="font-style:normal;font-weight:normal;font-size:9.51294327px;line-height:0%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;display:inline;fill:url(#radialGradient4841);fill-opacity:1;stroke:none;stroke-width:0.79274535px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;filter:url(#filter5015)"
+       xml:space="preserve"><tspan
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:8.55116463px;line-height:125%;font-family:sans-serif;-inkscape-font-specification:'sans-serif, Bold';text-align:start;writing-mode:lr-tb;text-anchor:start;fill:url(#radialGradient4841);fill-opacity:1;stroke-width:0.79274535px;"
+         y="12.608931"
+         x="188.06316"
+         id="tspan4411">+</tspan></text>
+    <path
+       style="display:inline;fill:url(#radialGradient5031);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5027)"
+       id="path6182"
+       d="m 467.25784,24.196945 c -0.36562,0 -0.73125,0.24375 -0.975,0.853125 l -2.4375,4.996876 -5.24062,0.853125 c -1.21875,0.24375 -1.4625,1.096875 -0.60938,1.95 l 3.77813,4.021875 -0.85313,5.60625 c -0.12181,0.73125 0.24375,1.21875 0.85313,1.21875 0.24375,0 0.4875,-0.121875 0.73125,-0.24375 l 4.75312,-2.559375 4.75313,2.559375 c 0.24375,0.121875 0.60937,0.24375 0.73125,0.24375 0.60937,0 0.975,-0.4875 0.85312,-1.340625 l -0.85312,-5.60625 3.77812,-4.021875 c 0.85313,-0.853125 0.4875,-1.70625 -0.60937,-1.95 l -5.24063,-0.853125 -2.4375,-4.996876 c -0.24375,-0.4875 -0.60937,-0.73125 -0.975,-0.73125 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4813);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5039)"
+       id="path7318"
+       d="m 226.73438,15.945016 v 2.437501 c 0,0.673097 -0.54566,1.21875 -1.21875,1.21875 h -18.28124 c -0.67311,0 -1.21875,-0.545653 -1.21875,-1.21875 v -2.437501 c 0,-0.673097 0.54564,-1.21875 1.21875,-1.21875 h -1.04571 c 2.80313,0 2.36053,-3.256168 2.77368,-5.9703239 0.4278,-2.8226251 0.1927,-6.1069689 3.90598,-6.0616014 l 7.47091,0.091277 c 3.73276,0.045605 3.22143,3.1476992 3.65164,5.9703243 0.41438,2.715376 -0.20346,5.970324 2.60942,5.970324 h -1.08468 c 0.67309,0 1.21875,0.545653 1.21875,1.21875 z m -7.92188,-4.874999 h -1.82811 V 9.2418912 c 0,-0.8124995 -1.21875,-0.8124995 -1.21875,0 v 1.8281258 h -1.82814 c -0.8125,0 -0.8125,1.218749 0,1.218749 h 1.82814 v 1.828125 c 0,0.812501 1.21875,0.812501 1.21875,0 v -1.828125 h 1.82811 c 0.8125,0 0.8125,-1.218749 0,-1.218749 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4861);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5051)"
+       id="path7886"
+       d="m 269.02823,19.939154 c -0.975,0 -1.82813,-0.24375 -2.80313,-1.584375 -0.975,-1.340625 -2.07187,-3.046875 -2.07187,-3.046875 0,0 -0.85313,-1.096875 -1.34063,-1.95 -0.60937,-0.853125 -1.34062,-0.609375 -1.34062,-0.609375 0,0 -3.53438,-5.7281239 -4.14375,-6.581249 -0.73125,-1.21875 0.73125,-3.290625 0.73125,-3.290625 l 5.3625,8.531249 c 0,0 1.70625,2.315625 2.31562,2.803125 0.60938,0.4875 1.70625,-0.4875 3.4125,1.096875 2.31563,2.19375 1.58438,4.63125 -0.12181,4.63125 z m -0.36563,-3.534375 c -1.09687,-1.21875 -2.07187,-1.096875 -2.31562,-0.73125 -0.24375,0.365625 0,1.4625 0.4875,2.071875 0.4875,0.609375 0.975,0.853125 1.70625,0.853125 0.73125,0.121875 1.34062,-0.853125 0.1218,-2.19375 z m -4.63125,-5.728124 -1.4625,-2.19375 3.53438,-5.60625 c 0,0 1.4625,2.071875 0.73125,3.290625 -0.36563,0.4875001 -1.70625,2.803125 -2.80313,4.509375 z m -5.60625,3.534374 c 0.36563,-0.365625 1.21875,-1.340625 1.70625,-2.071875 l 0.975,1.4625 c -0.4875,0.73125 -1.09687,1.70625 -1.09687,1.70625 0,0 -1.09688,1.70625 -2.07188,3.046875 -0.85312,1.340625 -1.70625,1.584375 -2.80312,1.584375 -1.70625,0 -2.55938,-2.4375 -0.12181,-4.63125 1.70625,-1.4625 2.80312,-0.609375 3.4125,-1.096875 z m -2.925,2.19375 c -1.09687,1.21875 -0.4875,2.19375 0.24375,2.19375 0.73125,0 1.21875,-0.24375 1.70625,-0.853125 0.4875,-0.609375 0.73125,-1.828125 0.4875,-2.071875 -0.36562,-0.365625 -1.34062,-0.4875 -2.4375,0.73125 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4881);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5063)"
+       id="path8454"
+       d="m 292.00552,19.7566 h -7.3125 c -0.73125,0 -1.21875,-0.4875 -1.21875,-1.21875 v -3.656249 -3.16875 -2.9250003 c 0,-0.73125 0.4875,-1.21875 1.21875,-1.21875 0,0 3.9,0 6.09375,0 0,0 2.4375,2.4375003 2.4375,2.4375003 0,2.68125 0,8.531249 0,8.531249 0,0.73125 -0.4875,1.21875 -1.21875,1.21875 z m -2.4375,-10.9687493 v 2.4375003 h 2.4375 z m -7.3125,-1.3406249 v 1.3406249 2.3156253 3.778125 h -4.875 c -0.73125,0 -1.21875,-0.4875 -1.21875,-1.21875 V 3.9128507 c 0,-0.7312499 0.4875,-1.21875 1.21875,-1.21875 0,0 3.9,0 6.09375,0 0,0 2.4375,2.4375 2.4375,2.4375 0,0.4875 0,0.9750001 0,1.5843751 h -3.04688 c -0.36562,0.121875 -0.60937,0.365625 -0.60937,0.73125 z m 0,-3.5343751 v 2.4375001 h 2.4375 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4901);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5075)"
+       id="path9022"
+       d="m 311.86917,19.7566 h -8.53125 c -0.97501,0 -1.82812,-0.853125 -1.82812,-1.828124 V 6.9597255 c 0,-0.9750001 0.85311,-1.8281251 1.82812,-1.8281251 h 1.82813 c 0,0 0,-2.4375 2.4375,-2.4375 2.4375,0 2.4375,2.4375 2.4375,2.4375 h 1.82812 c 0.975,0 1.82813,0.853125 1.82813,1.8281251 V 17.928476 c 0,0.974999 -0.85313,1.828124 -1.82813,1.828124 z m -0.97501,-13.4062496 -1.34061,-0.609375 c 0,0 0,-1.8281249 -1.95,-1.8281249 -1.95,0 -1.95,1.8281249 -1.95,1.8281249 l -1.34063,0.609375 -0.60937,1.2187501 h 3.04687 3.9 0.975 z m 0.12182,2.071875 h -5.72812 l -3.65625,2.0718756 3.4125,5.971875 8.04375,-4.63125 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4921);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5087)"
+       id="path9590"
+       d="M 335.29779,14.881601 V 7.5691009 l 3.65625,3.6562501 z m -8.53125,1.21875 h 7.3125 l -3.65625,3.656249 z m 6.09375,-1.21875 h -4.875 c -0.73125,0 -1.21875,-0.4875 -1.21875,-1.21875 v -4.875 c 0,-0.7312501 0.4875,-1.2187501 1.21875,-1.2187501 h 4.875 c 0.73125,0 1.21875,0.4875 1.21875,1.2187501 v 4.875 c 0,0.609375 -0.4875,1.21875 -1.21875,1.21875 z m 0,-3.65625 c 0,-0.73125 -0.4875,-1.21875 -1.21875,-1.21875 h -2.4375 c -0.73125,0 -1.21875,0.4875 -1.21875,1.21875 v 1.21875 c 0,0.73125 0.4875,1.21875 1.21875,1.21875 h 2.4375 c 0.73125,0 1.21875,-0.4875 1.21875,-1.21875 z m -2.4375,-8.5312501 3.65625,3.6562501 h -7.3125 z m -4.875,4.875 v 7.3125001 l -3.65625,-3.65625 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4941);fill-opacity:1;stroke-width:0.96615839;filter:url(#filter5099)"
+       id="path10158"
+       d="m 274.15498,8.0293266 h 9.6324 v 1.9381685 h -9.6324 z" />
+    <path
+       style="display:inline;fill:url(#radialGradient4949);fill-opacity:1;stroke-width:0.96615839;filter:url(#filter5111)"
+       id="path10726"
+       d="m 301.82263,10.040073 h -3.85298 v 3.876338 h -1.92648 v -3.876338 h -3.85298 V 8.1019059 h 3.85298 V 4.2255681 h 1.92648 v 3.8763378 h 3.85298 z" />
+    <path
+       style="display:inline;fill:url(#radialGradient4957);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5123)"
+       id="path11294"
+       d="m 407.09514,12.361211 c -0.12181,0.73125 -0.24375,1.4625 -0.4875,2.071875 -0.4875,1.584375 -1.4625,3.046875 -3.04686,4.021874 0.4875,0.4875 1.58436,1.096875 1.58436,1.096875 0,0 -2.4375,0.365625 -4.99686,0.365625 0,0 -0.12181,-0.121875 -0.12181,-0.121875 v 0.121875 c -1.21875,0 -2.4375,-0.365625 -3.65625,-0.73125 0.85311,-0.73125 1.4625,-1.584374 1.95,-2.559374 0.73125,-1.4625 0.73125,-3.65625 0.73125,-3.65625 0,0 1.09686,1.828125 1.70625,2.559375 1.4625,-0.73125 2.4375,-2.19375 2.55936,-3.65625 0.12181,-1.096875 -0.24375,-2.0718751 -0.73125,-2.8031251 -0.4875,-0.8531251 -1.21875,-1.3406251 -2.07186,-1.7062501 0.24375,-0.4874999 0.60936,-1.0968749 0.975,-1.584375 0.4875,-0.73125 1.09686,-1.21875 1.58436,-1.4625 2.55939,1.340625 4.3875,4.5093751 4.02189,8.0437502 z m -8.53125,-2.4375001 c 0,0 -1.34061,-1.8281251 -1.95,-2.4375001 -1.70625,0.853125 -2.68125,2.4375001 -2.68125,4.1437502 0.12181,1.828125 1.34064,3.290625 2.925,4.021875 -0.36561,0.609375 -0.73125,1.21875 -1.21875,1.70625 -0.4875,0.609375 -1.09686,0.974999 -1.4625,1.340624 -2.80311,-1.706249 -4.50936,-4.874999 -4.02186,-8.287499 0.1218,-0.8531251 0.36561,-1.7062502 0.60936,-2.4375002 0.4875,-1.3406249 1.34064,-2.4375 2.55939,-3.290625 0.1218,-0.121875 0.24375,-0.121875 0.36561,-0.24375 -0.4875,-0.4875 -1.95,-0.975 -1.95,-0.975 0,0 3.04689,-0.975 8.2875,-0.365625 -1.58436,2.315625 -1.4625,6.8250001 -1.4625,6.8250001 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4977);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5135)"
+       id="path11862"
+       d="m 429.01283,20.243326 h -1.82812 c -0.4875,0 -0.975,-0.365625 -0.975,-0.975 0,0 0.36562,-4.387501 -3.9,-8.775 -3.04688,-3.6562503 -8.53125,-3.9000003 -8.53125,-3.9000003 -0.60938,0 -0.975,-0.365625 -0.975,-0.8531249 V 4.0339507 c 0,-0.4875 0.36562,-0.853125 0.975,-0.853125 0,0 7.67812,0.4875 11.7,5.4843751 4.02187,3.7781242 4.3875,10.7250002 4.3875,10.7250002 0,0.4875 -0.24375,0.853125 -0.85313,0.853125 z M 413.77846,9.2745758 c 0,0 4.50937,0.609375 7.06875,2.9249992 2.55937,2.4375 3.04687,7.190626 3.04687,7.190626 0,0.4875 -0.12181,0.975 -0.60937,0.975 h -1.82813 c -0.4875,0 -0.73125,-0.365625 -0.73125,-0.975 0,0 0.12181,-2.925001 -2.19375,-5.118751 -1.82812,-1.584375 -4.75312,-1.70625 -4.75312,-1.70625 -0.60938,0 -0.975,-0.365625 -0.975,-0.853125 v -1.584374 c 0,-0.4875002 0.36562,-0.8531252 0.975,-0.8531252 z m 1.4625,6.0937492 c 1.34062,0 2.4375,1.096875 2.4375,2.4375 0,1.340626 -1.09688,2.437501 -2.4375,2.437501 -1.34063,0 -2.4375,-1.096875 -2.4375,-2.437501 0,-1.340625 1.09687,-2.4375 2.4375,-2.4375 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4997);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5147)"
+       id="path12430"
+       d="m 451.64901,16.435377 -3.65625,-3.290625 v 2.559375 c 0,0.975 -0.73125,1.70625 -1.58436,1.70625 h -9.01875 c -0.85314,0 -1.58439,-0.73125 -1.58439,-1.70625 V 6.9291285 c 0,-0.9750001 0.73125,-1.7062501 1.58439,-1.7062501 h 9.01875 c 0.85311,0 1.58436,0.73125 1.58436,1.7062501 v 2.437499 l 3.65625,-3.2906241 c 0.36564,-0.365625 0.73125,-0.4875 1.21875,-0.365625 V 16.801002 c -0.36561,0.121875 -0.85311,0 -1.21875,-0.365625 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <g
+       id="g4779"
+       style="display:inline;filter:url(#filter5159)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)">
+      <path
+         style="fill:url(#radialGradient4710);fill-opacity:1;stroke-width:1.265625;"
+         d="M 165.73984,2.6257296 V 20.34448 h 9.42792 0.69708 2.46698 c 1.25518,-0.32709 2.23657,-1.314095 2.53125,-2.53125 v -2.53125 -7.5937504 -2.53125 c -0.29468,-1.2171559 -1.27607,-2.2041601 -2.53125,-2.53125 h -2.07148 -1.09258 z m 7.73958,3.0577697 1.33485,2.2420349 c 0,0 0.36967,0.6174141 0.65753,0.813263 0.26974,0.1834496 0.93438,0.2892151 0.93438,0.2892151 h 2.72901 l -1.89596,3.0800167 c 0,0 -0.27577,0.604831 -0.41281,0.907196 -0.20593,0.452534 0.006,1.243536 0.0742,1.982484 0.10732,1.162403 0.19033,2.286529 0.19033,2.286529 l -2.21484,-1.132141 c 0,0 -0.90763,-0.426918 -1.39416,-0.427644 -0.5721,0 -1.64383,0.496858 -1.64383,0.496858 l -2.2198,1.065398 c 0,0 0.16319,-1.013778 0.33866,-2.128325 0.11606,-0.733074 0.43611,-1.567458 0.17798,-2.071473 -0.13995,-0.274086 -0.42023,-0.820679 -0.42023,-0.820679 L 167.532,9.0996981 h 2.71169 c 0,0 0.88228,-0.06226 1.24339,-0.2892151 0.27408,-0.1711231 0.61056,-0.7539368 0.61056,-0.7539368 z"
+         id="bookmarks-star-4" />
+      <path
+         style="fill:url(#radialGradient4712);fill-opacity:1;stroke:none;stroke-width:1.265625;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:markers stroke fill;"
+         d="m 163.20859,2.6257296 c -1.25519,0.3270899 -2.23658,1.3140942 -2.53125,2.53125 v 2.53125 7.5937504 2.53125 c 0.29467,1.217155 1.27606,2.20416 2.53125,2.53125 h 3.16406 v -5.0625 -7.5937504 -5.0625 z"
+         id="bookmarks-overlay-1" />
+      <path
+         style="opacity:0.66300001;fill:url(#radialGradient4714);fill-opacity:1;stroke:url(#radialGradient4750);stroke-width:0.6328125;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;"
+         d="M 166.37156,2.6257296 V 20.34448"
+         id="bookmarks-divider-7" />
+    </g>
+    <path
+       d="m 133.26971,34.690626 -6.72001,6.6 c -0.24,0.36 -0.72,0.48 -1.2,0.48 -0.48,0 -0.96,-0.12 -1.32,-0.48 l -6.72,-6.6 c -0.6,-0.72 -0.48,-1.32 0.48,-1.32 h 3.96 v -7.200001 c 0,-0.72 0.48,-1.2 1.2,-1.2 h 4.8 c 0.72,0 1.2,0.48 1.2,1.2 v 7.200001 h 3.84 c 0.96001,0 1.20001,0.6 0.48001,1.32 z"
+       id="path4214-3"
+       style="display:inline;fill:url(#radialGradient4709-1);fill-opacity:1;stroke-width:1;filter:url(#filter5171)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+  </g>
+</svg>
diff --git a/application/palemoon/themes/windows/Toolbar-inverted.png b/application/palemoon/themes/windows/Toolbar-inverted.png
deleted file mode 100644
index 2c3253fe80..0000000000
--- a/application/palemoon/themes/windows/Toolbar-inverted.png
+++ /dev/null
diff --git a/application/palemoon/themes/windows/Toolbar-inverted.svg b/application/palemoon/themes/windows/Toolbar-inverted.svg
new file mode 100644
index 0000000000..ce59313e68
--- /dev/null
+++ b/application/palemoon/themes/windows/Toolbar-inverted.svg
@@ -0,0 +1,302 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   enable-background="new 0 0 378 38"
+   viewBox="0 0 378 38"
+   height="38"
+   width="378"
+   y="0px"
+   x="0px"
+   id="strataToolbarSVG"
+   version="1.1">
+  <metadata
+     id="metadata146">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <defs
+     id="defs144">
+    <filter
+       id="filter1070"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood1060"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite1062"
+         result="composite1"
+         operator="in"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur1064"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset1066"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite1068"
+         result="fbSourceGraphic"
+         operator="over"
+         in2="offset"
+         in="SourceGraphic" />
+      <feColorMatrix
+         id="feColorMatrix1072"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039"
+         id="feFlood1074" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite1076"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1"
+         id="feGaussianBlur1078" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="0"
+         id="feOffset1080" />
+      <feComposite
+         result="fbSourceGraphic"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite1082"
+         in2="offset" />
+      <feColorMatrix
+         id="feColorMatrix1084"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039"
+         id="feFlood1086" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite1088"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1"
+         id="feGaussianBlur1090" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="0"
+         id="feOffset1092" />
+      <feComposite
+         result="fbSourceGraphic"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite1094"
+         in2="offset" />
+      <feColorMatrix
+         id="feColorMatrix1096"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039"
+         id="feFlood1098" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite1100"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1"
+         id="feGaussianBlur1102" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="0"
+         id="feOffset1104" />
+      <feComposite
+         result="fbSourceGraphic"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite1106"
+         in2="offset" />
+      <feColorMatrix
+         id="feColorMatrix1108"
+         values="0 0 0 -1 0 0 0 0 -1 0 0 0 0 -1 0 0 0 0 1 0"
+         in="fbSourceGraphic"
+         result="fbSourceGraphicAlpha" />
+      <feFlood
+         in="fbSourceGraphic"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039"
+         id="feFlood1110" />
+      <feComposite
+         result="composite1"
+         operator="in"
+         in="flood"
+         id="feComposite1112"
+         in2="fbSourceGraphic" />
+      <feGaussianBlur
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1"
+         id="feGaussianBlur1114" />
+      <feOffset
+         result="offset"
+         dy="0"
+         dx="0"
+         id="feOffset1116" />
+      <feComposite
+         result="composite2"
+         operator="over"
+         in="fbSourceGraphic"
+         id="feComposite1118"
+         in2="offset" />
+    </filter>
+  </defs>
+  <g
+     style="fill:#ffffff;filter:url(#filter1070)"
+     id="toolbar">
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="M 14.7,10.7 C 14.464283,10.935746 14.000125,11 14.000125,11 H 9 l 2.132,2.085573 c 0.519423,0.508112 0.595,1.2729 0.198,1.6979 l -0.793,0.9549 c -0.396,0.424 -1.091,0.318 -1.587,-0.212 L 3.595,9.690773 3,8.946873 l 0.595,-0.743 5.256,-5.7295 c 0.496,-0.531 1.19,-0.637 1.587,-0.212 l 0.794,0.9549 c 0.396,0.425 0.297,1.1669 -0.198,1.6979 L 9,7 h 4.999875 c 0,0 0.464437,0.064342 0.700125,0.3 0.235717,0.2356875 0.299875,0.7 0.299875,0.7 l 2.5e-4,2 c 0,0 -0.06444,0.464283 -0.300125,0.7 z"
+       id="back" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="back-large"
+       d="m 16.441631,29.733331 c -0.275,0.275034 -0.816512,0.349996 -0.816512,0.349996 H 8.999927 l 2.487308,2.516543 c 0.595913,0.602917 0.694159,1.485034 0.230997,1.980862 l -0.925157,1.114039 C 10.33108,36.189432 9.5202547,36.065767 8.9415947,35.44744 L 2.6941594,28.639311 2,27.771437 2.6941594,26.904612 8.8260957,20.220265 c 0.57866,-0.619493 1.3883193,-0.743159 1.8514803,-0.24733 l 0.926324,1.114038 c 0.461995,0.495828 0.346497,1.361369 -0.230997,1.980863 l -2.37283,2.348836 h 6.6249 c 0,0 0.541837,0.07506 0.816804,0.349997 0.275,0.274966 0.34985,0.816658 0.34985,0.816658 l 1.46e-4,2.333346 c 0,0 -0.07518,0.541658 -0.350142,0.816658 z" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="forward"
+       d="m 21.30025,10.7 c 0.235717,0.235746 0.699875,0.3 0.699875,0.3 h 5.000125 l -2.132,2.085573 c -0.519423,0.508112 -0.595,1.2729 -0.198,1.6979 l 0.793,0.9549 c 0.396,0.424 1.091,0.318 1.587,-0.212 l 5.355,-5.8356 0.595,-0.7439 -0.595,-0.743 -5.256,-5.7295 c -0.496,-0.531 -1.19,-0.637 -1.587,-0.212 l -0.794,0.9549 c -0.396,0.425 -0.297,1.1669 0.198,1.6979 L 27.00025,7 h -4.999875 c 0,0 -0.464437,0.064342 -0.700125,0.3 C 21.064533,7.5356875 21.000375,8 21.000375,8 l -2.5e-4,2 c 0,0 0.06444,0.464283 0.300125,0.7 z" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="M 51.5,4.64955 47.233834,8.949625 51.5,13.248616 49.366916,15.398166 45,11.201008 40.733834,15.5 38.60075,13.35045 42.866916,8.9485416 38.5,4.64955 40.633084,2.5 45,6.800075 49.266166,2.5 Z"
+       id="stop" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="M 69,9 H 62 L 64.8,6.2 C 64.1,5.7 63.4,5.5 62.5,5.5 c -2.2,0 -4,1.8 -4,4 0,2.2 1.8,4 4,4 1.399,0 2.7,-0.7 3.399,-1.9 l 2.301,1 C 67.099,14.6 65,16 62.5,16 58.899,16 56,13.1 56,9.5 56,5.9 58.899,3 62.5,3 64,3 65.399,3.5 66.6,4.4 L 69,2 Z"
+       id="reload" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 76,9 h -3 l 8,-7 8,7 h -3 v 6.5 H 82 V 12 h -2 v 3.5 h -4 z"
+       id="home" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 91.5,9 h 4.453 V 2 h 6.093 V 9 H 106.5 L 99,16 Z"
+       id="download" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 117,2 c -3.866,0 -7,3.134 -7,7 0,3.866 3.134,7 7,7 3.866,0 7,-3.134 7,-7 0,-3.866 -3.134,-7 -7,-7 z m 0,2 c 2.761,0 5,2.238 5,5 0,2.762 -2.239,5 -5,5 -2.762,0 -5,-2.238 -5,-5 0,-2.762 2.239,-5 5,-5 z m -0.7,1.2 C 116.0643,5.4357023 116,6 116,6 v 4 l 4,2 -2,-3 V 6 C 118,6 117.9357,5.4357023 117.7,5.2 117.4643,4.9642977 117,5 117,5 c 0,0 -0.4643,-0.035702 -0.7,0.2 z"
+       id="history" />
+    <g
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="bookmarks">
+      <path
+         style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 131,2 v 14 h 7.44922 0.55078 1.94922 c 0.99175,-0.258441 1.76717,-1.038297 2,-2 V 12 6 4 c -0.23283,-0.9617034 -1.00825,-1.7415586 -2,-2 h -1.63672 -0.86328 z m 6.11523,2.4160156 1.05469,1.7714844 c 0,0 0.29209,0.4878333 0.51953,0.6425781 0.21313,0.1449479 0.73828,0.2285157 0.73828,0.2285157 h 2.15625 l -1.49804,2.4335937 c 0,0 -0.21789,0.4778906 -0.32617,0.7167965 -0.16271,0.357558 0.005,0.982547 0.0586,1.566407 0.0848,0.918442 0.15039,1.80664 0.15039,1.80664 l -1.75,-0.894531 c 0,0 -0.71714,-0.337318 -1.10156,-0.337891 -0.45203,0 -1.29883,0.392579 -1.29883,0.392579 l -1.75391,0.841796 c 0,0 0.12894,-0.80101 0.26758,-1.68164 0.0917,-0.579219 0.34458,-1.238485 0.14063,-1.636719 -0.11058,-0.216562 -0.33204,-0.6484375 -0.33204,-0.6484375 l -1.7246,-2.5019531 h 2.14257 c 0,0 0.69711,-0.049193 0.98243,-0.2285156 0.21656,-0.1352084 0.48242,-0.5957032 0.48242,-0.5957032 z"
+         id="bookmarks-star" />
+      <path
+         style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 129,2 c -0.99175,0.2584414 -1.76717,1.0382967 -2,2 v 2 6 2 c 0.23283,0.961703 1.00825,1.741559 2,2 h 2.5 V 12 6 2 Z"
+         id="bookmarks-overlay" />
+      <path
+         style="stroke:#000000;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="M 131.49914,2 V 16"
+         id="bookmarks-divider" />
+    </g>
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 160,14 h -2 l 1,2 h -12 l 1,-2 h -2 c -0.601,0 -1,-0.4 -1,-1 V 8 c 0,-0.6 0.70113,-0.635443 1,-1 0.38098,-0.4647208 0.61902,-1.0352792 1,-1.5 0.29887,-0.364557 0.399,-1 1,-1 V 3 c 0,-0.6 0.399,-1 1,-1 h 8 c 0.6,0 1,0.4 1,1 v 1.5 c 0.6,0 0.70113,0.635443 1,1 0.38098,0.4647208 0.61902,1.0352792 1,1.5 0.29887,0.364557 1,0.4 1,1 v 5 c 0,0.6 -0.4,1 -1,1 z M 148.5,9 h -0.5 -0.5 c -0.3,0 -0.5,0.2 -0.5,0.5 0,0.3 0.2,0.5 0.5,0.5 h 1 C 148.8,10 149,9.8 149,9.5 149,9.2 148.8,9 148.5,9 Z M 157,4 c 0,-0.6 -0.4,-1 -1,-1 h -6 c -0.601,0 -1,0.4 -1,1 v 3 c 0,0.6 0.399,1 1,1 h 6 c 0.6,0 1,-0.4 1,-1 z m -0.9,9 h -6.2 l -0.899,2 h 8 z"
+       id="print" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="newtab"
+       d="m 170.93359,2 -4.01562,0.00195 c 0,0.00178 -0.87681,0.216686 -0.87695,1.4980469 v 2.8164062 c 0,0 -0.0732,0.3643751 -0.19922,0.484375 C 165.69982,6.9357812 165.29102,7 165.29102,7 c 0,0 -0.53242,-0.057 -0.7754,0 -0.36297,0.086 -0.73599,0.236 -1,0.5 -0.26399,0.264 -0.41502,0.637 -0.5,1 -0.038,0.162 0,0.5 0,0.5 v 5.537109 c 0,0 0.24003,0.710891 0.5,0.962891 0.27398,0.267 1.03516,0.5 1.03516,0.5 h 13.0957 c 0,0 0.60287,-0.276 0.83985,-0.5 0.21699,-0.205 0.49023,-0.742188 0.49023,-0.742188 V 9 c 0.026,-0.322 0.038,-0.338 0,-0.5 -0.086,-0.363 -0.22624,-0.736 -0.49023,-1 -0.26398,-0.264 -0.63802,-0.415 -1,-0.5 -0.22799,-0.054 -0.69922,0 -0.69922,0 0,0 -0.44657,-0.056219 -0.60156,-0.1992188 -0.12799,-0.1189999 -0.19922,-0.484375 -0.19922,-0.484375 L 175.98828,3.5 C 175.98843,2.1047456 174.9707,2 174.9707,2 Z m -0.79101,5 h 1.71484 V 9.1425781 H 174 v 1.7148439 h -2.14258 V 13 h -1.71484 V 10.857422 H 168 V 9.1425781 h 2.14258 z" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="newwindow"
+       d="M 182.4375,2 C 181.52354,2.2781435 181.28553,2.8114358 181,3.6875 V 14.125 c 0.21642,1.330001 0.75257,1.636052 2.0625,1.875 H 195 c 1.30474,-0.204204 1.70477,-0.57308 2,-1.875 V 4 C 196.8019,2.7723315 196.4998,2.3703399 195.3125,2 Z M 190,3 h 1 v 1 h -1 z m 2,0 h 1 v 1 h -1 z m 2,0 h 2 v 1 h -2 z m -11,3 h 12 v 8 h -12 z m 5.14258,1 V 9.1425781 H 186 v 1.7148439 h 2.14258 V 13 h 1.71484 V 10.857422 H 192 V 9.1425781 h -2.14258 V 7 Z" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 212.70159,16 c -0.79707,0 -1.49513,-0.2 -2.2922,-1.3 -0.79807,-1.1 -1.69515,-2.5 -1.69515,-2.5 0,0 -0.69706,-0.9 -1.09709,-1.6 -0.49805,-0.7 -1.0971,-0.5 -1.0971,-0.5 0,0 -2.89125,-4.7 -3.3903,-5.4 -0.59805,-1 0.59906,-2.7 0.59906,-2.7 l 4.38738,7 c 0,0 1.39612,1.9 1.89417,2.3 0.49904,0.4 1.39612,-0.4 2.79224,0.9 1.89417,1.8 1.29611,3.8 -0.10101,3.8 z m -0.29802,-2.9 c -0.89708,-1 -1.69415,-0.9 -1.89417,-0.6 -0.20002,0.3 0,1.2 0.39804,1.7 0.39803,0.5 0.79806,0.7 1.39612,0.7 0.59905,0.1 1.09709,-0.7 0.10001,-1.8 z m -3.78934,-4.7 -1.1961,-1.8 2.89125,-4.6 c 0,0 1.19611,1.7 0.59906,2.7 -0.29903,0.4 -1.39613,2.3 -2.29421,3.7 z m -4.5854,2.899 c 0.29903,-0.3 0.99709,-1.1 1.39613,-1.7 l 0.79806,1.2 c -0.39803,0.6 -0.89707,1.4 -0.89707,1.4 0,0 -0.89608,1.4 -1.69415,2.5 -0.69806,1.1 -1.39612,1.3 -2.2932,1.3 -1.39613,0 -2.09419,-2 -0.10001,-3.8 1.39412,-1.199 2.2912,-0.499 2.79024,-0.9 z m -2.39321,1.801 c -0.89708,1 -0.39803,1.8 0.19902,1.8 0.59905,0 0.99709,-0.2 1.39612,-0.7 0.39804,-0.5 0.59806,-1.5 0.39804,-1.7 -0.29803,-0.3 -1.0961,-0.4 -1.99318,0.6 z"
+       id="cut" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 231,16 h -6 c -0.601,0 -1,-0.4 -1,-1 V 12 9.4 7 c 0,-0.6 0.399,-1 1,-1 0,0 3.2,0 5,0 l 2,2 c 0,2.2 0,7 0,7 0,0.6 -0.4,1 -1,1 z m -2,-9 v 2 h 2 z M 223,5.9 V 7 8.9 12 h -4 c -0.601,0 -1,-0.4 -1,-1 V 3 c 0,-0.6 0.399,-1 1,-1 0,0 3.2,0 5,0 l 2,2 c 0,0.4 0,0.8 0,1.3 h -2.5 C 223.2,5.4 223,5.6 223,5.9 Z M 223,3 v 2 h 2 z"
+       id="copy" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 246.8507,16 h -7.7014 C 238.26914,16 237.5,15.3 237.5,14.5 v -9 c 0,-0.8 0.77014,-1.5 1.6493,-1.5 h 1.6503 c 0,0 0,-2 2.2004,-2 2.2004,0 2.2004,2 2.2004,2 h 1.6493 c 0.88016,0 1.6503,0.7 1.6503,1.5 v 9 c 0.001,0.799 -0.76914,1.5 -1.6493,1.5 z M 245.97054,5 244.76032,4.5 c 0,0 0,-1.5 -1.76032,-1.5 -1.76032,0 -1.76032,1.5 -1.76032,1.5 l -1.21122,0.5 -0.5501,1 h 2.7505 3.52164 0.88016 z m 0.11002,1.7 h -5.17094 l -3.3016,1.7 3.08056,4.9 7.26232,-3.8 z"
+       id="paste" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="M 265,12 V 6 l 3,3 z m -7,1 h 6 l -3,3 z m 0,-1 V 6 h 6 v 6 z m 5,-4 h -4 v 3 h 4 z m -2,-6 3,3 h -6 z m -4,4 v 6 l -3,-3 z"
+       id="fullscreen" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 274,8 h 10 v 2 h -10 z"
+       id="minus" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 302,10 h -4 v 4 h -2 v -4 h -4 V 8 h 4 V 4 h 2 v 4 h 4 z"
+       id="plus" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 321.96164,9.3589991 c -0.0996,0.5880529 -0.19907,1.1749739 -0.39904,1.6649929 -0.39904,1.272996 -2.49721,3.230982 -2.49721,3.230982 l 1.23012,1.745023 -4.92726,6e-6 V 9.849 c 0,0 0.89889,1.46799 1.39795,2.05599 1.19912,-0.588025 1.99814,-1.762997 2.09818,-2.9380158 0.10109,-0.8810027 -0.19905,-1.6639894 -0.59902,-2.2510039 -0.18813,-0.3229439 -0.42109,-0.5799624 -0.68685,-0.7931908 -0.30005,-0.23897 -1.01208,-0.5779774 -1.01208,-0.5779774 l 0.0174,-3.3306603 c 1.03186,0.2680556 1.4999,0.3864246 2.85781,1.3686643 1.67715,1.2509803 2.78224,3.5019854 2.52022,5.9759989 z m -6.99262,-1.9580198 c 0,0 -1.09884,-1.4681946 -1.59912,-1.9580122 -1.39809,0.6859994 -2.19718,1.957993 -2.19714,3.3290059 0.39151,1.955025 1.15486,2.878079 2.87049,3.728027 V 16 c -1.14823,-0.14515 -2.89657,-1.144129 -3.76062,-2.017966 -1.64214,-1.695027 -2.56324,-3.735 -2.20626,-6.1889776 0.1,-0.6850241 0.30006,-1.3699914 0.49903,-1.9580159 0.40011,-1.0769929 1.10011,-1.957978 2.09921,-2.6429982 0.0997,-0.098323 0.199,-0.098023 0.29929,-0.1955973 -0.39905,-0.3919885 -1.2861,-0.9964444 -1.2861,-0.9964444 l 5.35545,-1.3e-6 z"
+       id="sync" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 339.29905,15.9 h -1.49989 c -0.39997,0 -0.79995,-0.3 -0.79995,-0.8 0,0 0.29998,-3.6 -3.19977,-7.2 -2.49982,-3 -6.9995,-3.2 -6.9995,-3.2 C 326.29998,4.7 326,4.4 326,4 V 2.6 c 0,-0.4 0.29998,-0.7 0.79994,-0.7 0,0 6.29955,0.4 9.59932,4.5 3.29976,3.1 3.60074,8.8 3.60074,8.8 -10e-4,0.4 -0.20099,0.7 -0.70095,0.7 z m -12.49911,-9 c 0,0 3.69974,0.5 5.79959,2.4 2.09985,2 2.49982,5.9 2.49982,5.9 0,0.4 -0.1,0.8 -0.49996,0.8 h -1.4999 c -0.39997,0 -0.59995,-0.3 -0.59995,-0.8 0,0 0.1,-2.4 -1.80088,-4.2 C 329.19877,9.7 326.79994,9.6 326.79994,9.6 326.29998,9.6 326,9.3 326,8.9 V 7.6 c 0,-0.4 0.29998,-0.7 0.79994,-0.7 z m 1.19992,5 c 1.09992,0 1.99985,0.9 1.99985,2 0,1.1 -0.89993,2 -1.99985,2 C 326.89894,15.9 326,15 326,13.9 c 0,-1.1 0.89994,-2 1.99986,-2 z"
+       id="rss" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 344.5,5 c 0,0 0.0643,-0.4642977 0.3,-0.7 0.2357,-0.2357023 0.7,-0.3 0.7,-0.3 h 7.5 c 0,0 0.4643,0.064298 0.7,0.3 0.2357,0.2357023 0.3,0.7 0.3,0.7 v 2 l 4.0245,-3 -0.049,10 L 354,11 v 2 c 0,0 -0.0643,0.464298 -0.3,0.7 -0.2357,0.235702 -0.7,0.3 -0.7,0.3 h -7.5 c 0,0 -0.4643,-0.0643 -0.7,-0.3 -0.2357,-0.235702 -0.3,-0.7 -0.3,-0.7 z"
+       id="webrtc" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="bookmark-none"
+       d="m 369.20312,1 -1.9082,3.2734375 c 0,0 -0.46184,0.8030625 -0.83984,1.0390625 -0.498,0.313 -1.71875,0.3984375 -1.71875,0.3984375 H 361 l 3.00781,4.3652345 c 0,0 0.38708,0.754812 0.58008,1.132812 0.356,0.6951 -0.0841,1.844469 -0.24414,2.855469 -0.242,1.5371 -0.4668,2.935547 -0.4668,2.935547 l 3.06055,-1.466797 c 0,0 1.47663,-0.685547 2.26562,-0.685547 0.671,10e-4 1.92579,0.587891 1.92579,0.587891 l 3.05273,1.5625 c 0,0 -0.11177,-1.549244 -0.25976,-3.152344 -0.093,-1.0191 -0.38752,-2.112228 -0.10352,-2.736328 0.189,-0.417 0.56836,-1.2519531 0.56836,-1.2519531 L 377,5.6113281 h -3.76172 c 0,0 -0.91706,-0.1454375 -1.28906,-0.3984375 -0.397,-0.2701 -0.90625,-1.1210937 -0.90625,-1.1210937 z m -0.0762,3 1.15039,1.9316406 c 0,0 0.31633,0.5323647 0.56446,0.7011719 0.23249,0.1581201 0.80664,0.25 0.80664,0.25 H 374 l -1.63281,2.6542969 c 0,0 -0.23929,0.5206326 -0.35742,0.7812496 -0.17749,0.39005 0.008,1.074021 0.0664,1.710938 C 372.16866,13.031203 372.23828,14 372.23828,14 l -1.9082,-0.978516 c 0,0 -0.78376,-0.366562 -1.20313,-0.367187 -0.4931,0 -1.41601,0.429687 -1.41601,0.429687 L 365.79883,14 c 0,0 0.13977,-0.873327 0.29101,-1.833984 0.1,-0.631855 0.37484,-1.350734 0.15235,-1.785157 -0.12063,-0.236243 -0.36133,-0.708984 -0.36133,-0.708984 L 364,6.9453125 h 2.33594 c 0,0 0.76298,-0.054381 1.07422,-0.25 0.23624,-0.1474953 0.52343,-0.6484375 0.52343,-0.6484375 z" />
+    <path
+       style="stroke:none;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       id="bookmark-added"
+       d="m 369.202,19 -1.908,3.2732 c 0,0 -0.461,0.8031 -0.839,1.0391 -0.498,0.313 -1.718,0.399 -1.718,0.399 H 361 l 3.008,4.3643 c 0,0 0.387,0.755 0.58,1.133 0.356,0.6951 -0.084,1.8452 -0.244,2.8562 C 364.102,33.6019 363.877,35 363.877,35 l 3.06,-1.4671 c 0,0 1.477,-0.686 2.266,-0.686 0.671,0.001 1.925,0.588 1.925,0.588 l 3.053,1.5641 c 0,0 -0.112,-1.5501 -0.26,-3.1532 -0.093,-1.0191 -0.388,-2.1121 -0.104,-2.7362 0.189,-0.417 0.57,-1.252 0.57,-1.252 L 377,23.6123 h -3.763 c 0,0 -0.917,-0.146 -1.289,-0.399 -0.397,-0.2701 -0.906,-1.1221 -0.906,-1.1221 z" />
+  </g>
+</svg>
diff --git a/application/palemoon/themes/windows/Toolbar.png b/application/palemoon/themes/windows/Toolbar.png
deleted file mode 100644
index 3d1b80ec70..0000000000
--- a/application/palemoon/themes/windows/Toolbar.png
+++ /dev/null
diff --git a/application/palemoon/themes/windows/Toolbar.svg b/application/palemoon/themes/windows/Toolbar.svg
new file mode 100644
index 0000000000..314e020fb1
--- /dev/null
+++ b/application/palemoon/themes/windows/Toolbar.svg
@@ -0,0 +1,1357 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   enable-background="new 0 0 378 38"
+   viewBox="0 0 378 38"
+   height="38"
+   width="378"
+   y="0px"
+   x="0px"
+   id="PaleMoonToolbarSVG"
+   version="1.1">
+  <metadata
+     id="metadata146">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <defs
+     id="defs144">
+    <radialGradient
+       cy="0.69999999"
+       id="globalGradient">
+      <stop
+         style="stop-color:#87939b;stop-opacity:1"
+         id="stop4"
+         offset="0.05" />
+      <stop
+         style="stop-color:#45555f;stop-opacity:1"
+         id="stop6"
+         offset="1" />
+    </radialGradient>
+    <filter
+       id="insetShadow">
+      <feFlood
+         id="feFlood1875"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite1877"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur1879"
+         result="blur"
+         stdDeviation="2"
+         in="composite1" />
+      <feOffset
+         id="feOffset1881"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite1883"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <filter
+       id="filter2164"
+       style="color-interpolation-filters:sRGB;">
+      <feFlood
+         id="feFlood2154"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="1" />
+      <feComposite
+         id="feComposite2156"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur2158"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset2160"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite2162"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       cy="12.21416"
+       id="globalGradient-8"
+       gradientTransform="matrix(1.0350983,0,0,0.96609178,0,18)"
+       cx="95.643087"
+       fx="95.643087"
+       fy="12.21416"
+       r="7.2456884"
+       gradientUnits="userSpaceOnUse">
+      <stop
+         style="stop-color:#12d92d;stop-opacity:1"
+         id="stop4-5"
+         offset="0.05" />
+      <stop
+         style="stop-color:#01b222;stop-opacity:1"
+         id="stop6-5"
+         offset="1" />
+    </radialGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.1087088,0,-1.2351844)"
+       r="7.1399999"
+       fy="14.778796"
+       fx="10.529827"
+       cy="14.778796"
+       cx="10.529827"
+       id="radialGradient4669"
+       xlink:href="#linearGradient4635" />
+    <linearGradient
+       id="linearGradient4635">
+      <stop
+         id="stop4631"
+         offset="0"
+         style="stop-color:#6198cb;stop-opacity:1" />
+      <stop
+         id="stop4633"
+         offset="1"
+         style="stop-color:#3a78b2;stop-opacity:1" />
+    </linearGradient>
+    <filter
+       id="filter4701"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4691"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4693"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4695"
+         result="blur"
+         stdDeviation="1"
+         in="composite1" />
+      <feOffset
+         id="feOffset4697"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4699"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.0853313,0,-3.029369)"
+       r="8.7600002"
+       fy="38.79744"
+       fx="11.063469"
+       cy="38.79744"
+       cx="11.063469"
+       id="radialGradient4637"
+       xlink:href="#linearGradient4635" />
+    <filter
+       id="filter4661"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4651"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4653"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4655"
+         result="blur"
+         stdDeviation="1"
+         in="composite1" />
+      <feOffset
+         id="feOffset4657"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4659"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.1003056,0,-1.1335797)"
+       r="7.1399999"
+       fy="14.552581"
+       fx="34.841751"
+       cy="14.552581"
+       cx="34.841751"
+       id="radialGradient4677"
+       xlink:href="#linearGradient4635" />
+    <filter
+       id="filter4689"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4679"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4681"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4683"
+         result="blur"
+         stdDeviation="1"
+         in="composite1" />
+      <feOffset
+         id="feOffset4685"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4687"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.99218759,0,0.09141507)"
+       r="7.6799994"
+       fy="12.761739"
+       fx="58.062626"
+       cy="12.761739"
+       cx="58.062626"
+       id="radialGradient4605"
+       xlink:href="#linearGradient4603" />
+    <linearGradient
+       id="linearGradient4603">
+      <stop
+         id="stop4599"
+         offset="0"
+         style="stop-color:#e72b1d;stop-opacity:1" />
+      <stop
+         id="stop4601"
+         offset="1"
+         style="stop-color:#cc4338;stop-opacity:1" />
+    </linearGradient>
+    <filter
+       id="filter4629"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4619"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4621"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4623"
+         result="blur"
+         stdDeviation="1"
+         in="composite1" />
+      <feOffset
+         id="feOffset4625"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4627"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.0769231,0,-0.86932835)"
+       r="7.8000002"
+       fy="13.939252"
+       fx="79.305222"
+       cy="13.939252"
+       cx="79.305222"
+       id="radialGradient4525"
+       xlink:href="#linearGradient4523-3" />
+    <linearGradient
+       id="linearGradient4523-3">
+      <stop
+         id="stop4519"
+         offset="0"
+         style="stop-color:#4fb55d;stop-opacity:1" />
+      <stop
+         id="stop4521"
+         offset="1"
+         style="stop-color:#2d8539;stop-opacity:1" />
+    </linearGradient>
+    <filter
+       id="filter4597"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4587"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4589"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4591"
+         result="blur"
+         stdDeviation="1"
+         in="composite1" />
+      <feOffset
+         id="feOffset4593"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4595"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.87507716,0,1.3868386)"
+       r="9.5995998"
+       fy="12.664675"
+       fx="103.23091"
+       cy="12.664675"
+       cx="103.23091"
+       id="radialGradient4529"
+       xlink:href="#linearGradient4527" />
+    <linearGradient
+       id="linearGradient4527">
+      <stop
+         id="stop4523"
+         offset="0"
+         style="stop-color:#3f6bbd;stop-opacity:1" />
+      <stop
+         id="stop4525"
+         offset="1"
+         style="stop-color:#29467b;stop-opacity:1" />
+    </linearGradient>
+    <filter
+       id="filter4783"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4773"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4775"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4777"
+         result="blur"
+         stdDeviation="1"
+         in="composite1" />
+      <feOffset
+         id="feOffset4779"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4781"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.0032611,0,-0.03620244)"
+       r="8.3726959"
+       fy="16.659737"
+       fx="125.30523"
+       cy="16.659737"
+       cx="125.30523"
+       id="radialGradient4709"
+       xlink:href="#linearGradient4707" />
+    <linearGradient
+       id="linearGradient4707">
+      <stop
+         id="stop4703"
+         offset="0"
+         style="stop-color:#8c9ba5;stop-opacity:1" />
+      <stop
+         id="stop4705"
+         offset="1"
+         style="stop-color:#607480;stop-opacity:1" />
+    </linearGradient>
+    <filter
+       id="filter4721"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4711"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4713"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4715"
+         result="blur"
+         stdDeviation="1"
+         in="composite1" />
+      <feOffset
+         id="feOffset4717"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4719"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.993055,0,0.07848724)"
+       r="8.6400051"
+       fy="12.784631"
+       fx="149.26262"
+       cy="12.784631"
+       cx="149.26262"
+       id="radialGradient4729"
+       xlink:href="#linearGradient4727" />
+    <linearGradient
+       id="linearGradient4727">
+      <stop
+         id="stop4723"
+         offset="0"
+         style="stop-color:#3eb796;stop-opacity:1" />
+      <stop
+         id="stop4725"
+         offset="1"
+         style="stop-color:#31a886;stop-opacity:1" />
+    </linearGradient>
+    <filter
+       id="filter4741"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4731"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4733"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4735"
+         result="blur"
+         stdDeviation="1"
+         in="composite1" />
+      <feOffset
+         id="feOffset4737"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4739"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.79035186,0,0,0.79508811,-0.14216924,6.9389816e-4)"
+       r="9.6007004"
+       fy="12.037849"
+       fx="466.94476"
+       cy="12.037849"
+       cx="466.94476"
+       id="radialGradient5017"
+       xlink:href="#linearGradient5023" />
+    <linearGradient
+       id="linearGradient5023">
+      <stop
+         style="stop-color:#c6cdd2;stop-opacity:1"
+         offset="0"
+         id="stop5019" />
+      <stop
+         style="stop-color:#9cabb4;stop-opacity:1"
+         offset="1"
+         id="stop5021" />
+    </linearGradient>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.87500048,0,1.3876528)"
+       r="9.5999947"
+       fy="13.746766"
+       fx="194.44176"
+       cy="13.746766"
+       cx="194.44176"
+       id="radialGradient4793"
+       xlink:href="#linearGradient4707" />
+    <filter
+       id="filter4805"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4795"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4797"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4799"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4801"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4803"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.87500002,0,1.3876579)"
+       r="9.6000004"
+       fy="11.101265"
+       fx="239.2"
+       cy="11.101265"
+       cx="239.2"
+       id="radialGradient4833"
+       xlink:href="#linearGradient4707" />
+    <filter
+       id="filter4853"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4843"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4845"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4847"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4849"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4851"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.79274533,0,0,0.78327978,-0.14435628,0.11758726)"
+       r="3.5288758"
+       fy="12.418613"
+       fx="242.0894"
+       cy="12.418613"
+       cx="242.0894"
+       id="radialGradient4841"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.9880597,0,0.14828194)"
+       r="3.5288758"
+       fy="12.418613"
+       fx="242.0894"
+       cy="12.418613"
+       cx="242.0894"
+       id="radialGradient4858"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.99992718,0,0.00247197)"
+       r="9.7507105"
+       fy="31.105829"
+       fx="466.39926"
+       cy="31.105829"
+       cx="466.39926"
+       id="radialGradient5031"
+       xlink:href="#linearGradient5037" />
+    <linearGradient
+       id="linearGradient5037">
+      <stop
+         style="stop-color:#e8e1a1;stop-opacity:1"
+         offset="0"
+         id="stop5033" />
+      <stop
+         style="stop-color:#baad3e;stop-opacity:1"
+         offset="1"
+         id="stop5035" />
+    </linearGradient>
+    <filter
+       id="filter5049"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood5039"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite5041"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5043"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5045"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite5047"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.8160434,0,2.0506693)"
+       r="10.35937"
+       fy="16.56296"
+       fx="217.95329"
+       cy="16.56296"
+       cx="217.95329"
+       id="radialGradient4813"
+       xlink:href="#linearGradient4707" />
+    <filter
+       id="filter4825"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4815"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4817"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4819"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4821"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4823"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.9969072,0,0.03528241)"
+       r="8.5577164"
+       fy="15.840806"
+       fx="262.79288"
+       cy="15.840806"
+       cx="262.79288"
+       id="radialGradient4861"
+       xlink:href="#linearGradient4707" />
+    <filter
+       id="filter4873"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4863"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4865"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4867"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4869"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4871"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       r="8.53125"
+       fy="14.171478"
+       fx="286.58698"
+       cy="14.171478"
+       cx="286.58698"
+       id="radialGradient4881"
+       xlink:href="#linearGradient4707" />
+    <filter
+       id="filter4893"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4883"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4885"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4887"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4889"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4891"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.4,0,-4.4901397)"
+       r="6.09375"
+       fy="14.457072"
+       fx="308.97141"
+       cy="14.457072"
+       cx="308.97141"
+       id="radialGradient4901"
+       xlink:href="#linearGradient4707" />
+    <filter
+       id="filter4913"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4903"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4905"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4907"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4909"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4911"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       r="8.53125"
+       fy="13.119289"
+       fx="331.15933"
+       cy="13.119289"
+       cx="331.15933"
+       id="radialGradient4921"
+       xlink:href="#linearGradient4707" />
+    <filter
+       id="filter4933"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4923"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4925"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4927"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4929"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4931"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.79035186,0,0,0.15902921,-0.14216924,7.1987363)"
+       r="6.09375"
+       fy="11.316628"
+       fx="353.15076"
+       cy="11.316628"
+       cx="353.15076"
+       id="radialGradient4941"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       r="6.09375"
+       fy="11.407905"
+       fx="375.97003"
+       cy="11.407905"
+       cx="375.97003"
+       id="radialGradient4949"
+       xlink:href="#linearGradient4707"
+       gradientTransform="matrix(0.79035186,0,0,0.79514603,-0.14216924,3.8580698e-5)" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.99701325,0,0.03407254)"
+       r="8.5350475"
+       fy="13.518586"
+       fx="400.5007"
+       cy="13.518586"
+       cx="400.5007"
+       id="radialGradient4957"
+       xlink:href="#linearGradient4707" />
+    <filter
+       id="filter4969"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4959"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4961"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4963"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4965"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4967"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1.357667,-0.02466618,0.02411975,1.3275908,-149.53429,5.1574131)"
+       r="8.53125"
+       fy="15.742972"
+       fx="417.02075"
+       cy="15.742972"
+       cx="417.02075"
+       id="radialGradient4977"
+       xlink:href="#linearGradient4975" />
+    <linearGradient
+       id="linearGradient4975">
+      <stop
+         id="stop4971"
+         offset="0"
+         style="stop-color:#f79729;stop-opacity:1" />
+      <stop
+         id="stop4973"
+         offset="1"
+         style="stop-color:#d2831f;stop-opacity:1" />
+    </linearGradient>
+    <filter
+       id="filter4989"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4979"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4981"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4983"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4985"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite4987"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,0.71428563,0,3.2333231)"
+       r="8.53125"
+       fy="11.316628"
+       fx="444.33652"
+       cy="11.316628"
+       cx="444.33652"
+       id="radialGradient4997"
+       xlink:href="#linearGradient4707" />
+    <filter
+       id="filter5009"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4999"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite5001"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur5003"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset5005"
+         result="offset"
+         dy="0"
+         dx="0" />
+      <feComposite
+         id="feComposite5007"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       r="7.9746099"
+       fy="9"
+       fx="134.97461"
+       cy="9"
+       cx="134.97461"
+       gradientTransform="matrix(1.265625,0,0,1.1109477,-0.05703897,1.4865748)"
+       gradientUnits="userSpaceOnUse"
+       id="radialGradient4710"
+       xlink:href="#linearGradient4747" />
+    <linearGradient
+       id="linearGradient4747">
+      <stop
+         id="stop4743"
+         offset="0"
+         style="stop-color:#c5b631;stop-opacity:1" />
+      <stop
+         id="stop4745"
+         offset="1"
+         style="stop-color:#baad3e;stop-opacity:1" />
+    </linearGradient>
+    <filter
+       id="filter4729"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4719"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4721"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4723"
+         result="blur"
+         stdDeviation="1"
+         in="composite1" />
+      <feOffset
+         id="feOffset4725"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4727"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       r="7.9746099"
+       fy="9.0947113"
+       fx="132.6468"
+       cy="9.0947113"
+       cx="132.6468"
+       gradientTransform="matrix(1.265625,0,0,1.1109477,-0.05703897,1.4865748)"
+       gradientUnits="userSpaceOnUse"
+       id="radialGradient4712"
+       xlink:href="#linearGradient5037" />
+    <filter
+       id="filter4774"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4764"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4766"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4768"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4770"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4772"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+    <radialGradient
+       r="7.9746099"
+       fy="9"
+       fx="134.97461"
+       cy="9"
+       cx="134.97461"
+       gradientTransform="matrix(1.265625,0,0,1.1109477,-0.05703897,1.4865748)"
+       gradientUnits="userSpaceOnUse"
+       id="radialGradient4714"
+       xlink:href="#linearGradient4747" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,28.000001,0,-310.09784)"
+       r="0.31640625"
+       fy="11.485105"
+       fx="166.37157"
+       cy="11.485105"
+       cx="166.37157"
+       id="radialGradient4750"
+       xlink:href="#linearGradient4707" />
+    <radialGradient
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(1,0,0,1.0032611,0.11563445,22.233158)"
+       r="8.3726959"
+       fy="16.659737"
+       fx="125.30523"
+       cy="16.659737"
+       cx="125.30523"
+       id="radialGradient4709-1"
+       xlink:href="#linearGradient4832" />
+    <linearGradient
+       id="linearGradient4832">
+      <stop
+         style="stop-color:#22e23d;stop-opacity:1"
+         offset="0"
+         id="stop5029" />
+      <stop
+         style="stop-color:#38a748;stop-opacity:1"
+         offset="1"
+         id="stop4830" />
+    </linearGradient>
+    <filter
+       id="filter4844"
+       style="color-interpolation-filters:sRGB">
+      <feFlood
+         id="feFlood4834"
+         result="flood"
+         flood-color="rgb(0,0,0)"
+         flood-opacity="0.498039" />
+      <feComposite
+         id="feComposite4836"
+         result="composite1"
+         operator="out"
+         in2="SourceGraphic"
+         in="flood" />
+      <feGaussianBlur
+         id="feGaussianBlur4838"
+         result="blur"
+         stdDeviation="0.5"
+         in="composite1" />
+      <feOffset
+         id="feOffset4840"
+         result="offset"
+         dy="0"
+         dx="2.77556e-017" />
+      <feComposite
+         id="feComposite4842"
+         result="composite2"
+         operator="atop"
+         in2="SourceGraphic"
+         in="offset" />
+    </filter>
+  </defs>
+  <g
+     id="layer1">
+    <path
+       id="path4"
+       d="m 17.311578,13.702319 h -5.76 l 2.28,2.28 c 0.6,0.6 0.72,1.44 0.24,1.92 l -0.96,1.08 c -0.48,0.48 -1.32,0.36 -1.92,-0.24 l -6.4800001,-6.6 c -0.12,0 -0.36,-0.48 -0.48,-0.84 0,-0.359999 0.36,-0.719999 0.48,-0.839999 l 6.3600001,-6.48 c 0.6,-0.6000001 1.44,-0.7200001 1.92,-0.24 l 0.96,1.0799999 c 0.48,0.48 0.36,1.32 -0.24,1.9200001 l -2.16,2.1599999 h 5.76 c 0.72,0 1.2,0.48 1.2,1.2000001 v 2.399999 c 0,0.72 -0.48,1.2 -1.2,1.2 z"
+       style="display:inline;fill:url(#radialGradient4669);fill-opacity:1;stroke-width:1;filter:url(#filter4701)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 19.271765,37.987692 h -7.987059 l 3.607059,3.507571 c 0.515294,0.50108 0.644117,1.377974 0.257648,1.753785 l -1.545884,1.503245 C 13.217059,45.128104 12.315294,45.128104 11.8,44.501752 L 3.5552941,36.609718 c 0,0 -0.5152941,-0.626352 -0.5152941,-1.127434 0,-0.501081 0.5152941,-1.002163 0.5152941,-1.002163 L 11.8,26.462816 c 0.515294,-0.50108 1.417059,-0.626351 1.803529,-0.25054 l 1.545884,1.503245 c 0.386469,0.375811 0.386469,1.252704 -0.257648,1.753785 l -3.478236,3.50757 h 7.858236 c 0.772941,0 1.288236,0.501082 1.288236,1.252705 v 2.505407 c 0,0.751622 -0.515295,1.252704 -1.288236,1.252704 z"
+       id="path4154"
+       style="display:inline;fill:url(#radialGradient4637);fill-opacity:1;stroke-width:1;filter:url(#filter4661)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 26.86,12.501265 v -2.4 c 0,-0.7200003 0.48,-1.2000003 1.2,-1.2000003 h 5.76 L 31.66,6.7412646 c -0.6,-0.5999999 -0.72,-1.4399999 -0.24,-1.92 l 0.96,-1.08 c 0.48,-0.48 1.32,-0.36 1.92,0.24 l 6.36,6.4800004 c 0.12,0.12 0.48,0.48 0.48,0.84 0,0.36 -0.36,0.84 -0.48,0.84 l -6.48,6.48 c -0.6,0.6 -1.44,0.72 -1.92,0.24 l -0.96,-1.08 c -0.48,-0.48 -0.36,-1.32 0.24,-1.92 l 2.28,-2.16 h -5.76 c -0.72,0 -1.2,-0.48 -1.2,-1.2 z"
+       id="path4165"
+       style="display:inline;fill:url(#radialGradient4677);fill-opacity:1;stroke-width:1;filter:url(#filter4689)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 64.48,6.6012647 -5.039999,5.0400003 5.039999,5.04 -2.519999,2.52 -5.16,-4.92 -5.04,5.04 -2.52,-2.52 5.04,-5.16 -5.16,-5.0400003 2.52,-2.5200001 5.16,5.04 5.04,-5.04 z"
+       id="path4176"
+       style="display:inline;fill:url(#radialGradient4605);fill-opacity:1;stroke-width:1;filter:url(#filter4629)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 87.000001,11.301265 h -8.4 l 3.36,-3.3600004 c -0.84,-0.6 -1.68,-0.84 -2.76,-0.84 -2.64,0 -4.8,2.1600001 -4.8,4.8000004 0,2.64 2.16,4.8 4.8,4.8 1.68,0 3.24,-0.84 4.08,-2.28 l 2.76,1.2 c -1.32,2.4 -3.84,4.08 -6.84,4.08 -4.32,0 -7.8,-3.48 -7.8,-7.8 0,-4.3200004 3.48,-7.8000004 7.8,-7.8000004 1.8,0 3.48,0.6 4.92,1.6800001 l 2.88,-2.8800001 z"
+       id="path4187"
+       style="display:inline;fill:url(#radialGradient4525);fill-opacity:1;stroke-width:1;filter:url(#filter4597)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       id="path4209"
+       d="M 102.59961,2.7011715 93,11.101561 h 2.400391 l 1.242188,-0.03516 -0.04297,0.03516 v 8.400392 h 4.800781 v -6.000001 h 2.40039 v 6.000001 h 4.79884 v -8.400392 l -0.043,-0.03516 1.24415,0.03516 h 2.39843 z"
+       style="display:inline;fill:url(#radialGradient4529);fill-opacity:1;stroke:none;stroke-width:1;stroke-opacity:1;filter:url(#filter4783)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 133.15407,12.421265 -6.72001,6.6 c -0.24,0.36 -0.72,0.48 -1.2,0.48 -0.48,0 -0.96,-0.12 -1.32,-0.48 l -6.72,-6.6 c -0.6,-0.72 -0.48,-1.32 0.48,-1.32 h 3.96 V 3.9012646 c 0,-0.72 0.48,-1.2 1.2,-1.2 h 4.8 c 0.72,0 1.2,0.48 1.2,1.2 v 7.2000004 h 3.84 c 0.96001,0 1.20001,0.6 0.48001,1.32 z"
+       id="path4214"
+       style="display:inline;fill:url(#radialGradient4709);fill-opacity:1;stroke-width:1;filter:url(#filter4721)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 148,19.881265 c -4.8,0 -8.64,-3.84 -8.64,-8.64 0,-4.6800004 3.84,-8.5200004 8.64,-8.5200004 4.8,0 8.64001,3.84 8.64001,8.6400004 0,4.68 -3.84001,8.52 -8.64001,8.52 z m 0,-14.5200003 c -3.36,0 -6,2.6399999 -6,6.0000003 0,3.24 2.64,6 6,6 3.36,0 6.00001,-2.64 6.00001,-6 0,-3.3600004 -2.64001,-6.0000003 -6.00001,-6.0000003 z m -0.36,7.0800003 c -0.48,-0.12 -0.84,-0.6 -0.84,-1.08 V 7.7612646 c 0,-0.72 0.48,-1.2 1.2,-1.2 0.72,0 1.2,0.48 1.2,1.2 v 3.3600004 c 1.32,1.32 2.4,3.84 2.4,3.84 0,0 -2.64,-1.2 -3.96,-2.52 z"
+       id="path4225"
+       style="display:inline;fill:url(#radialGradient4729);fill-opacity:1;stroke-width:1;filter:url(#filter4741)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 369.00476,4.7878231 0.94842,1.9083504 0.47422,0.858758 0.94842,0.190835 2.18136,0.3816699 -1.61231,1.7175156 -0.6639,0.667923 0.0948,0.954175 0.37937,2.290022 -1.89685,-0.954178 -0.85358,-0.477086 -0.85358,0.477086 -1.89685,0.954178 0.37938,-2.290022 0.0948,-0.954175 -0.6639,-0.667923 -1.61232,-1.7175156 2.27622,-0.3816699 0.94842,-0.190835 0.37936,-0.858758 0.94843,-1.9083504 m 0,-3.4350309 c -0.28454,0 -0.56906,0.1908348 -0.75874,0.667922 l -1.89683,3.9121193 -4.07821,0.6679227 c -0.94842,0.190835 -1.13812,0.8587576 -0.47421,1.5266802 l 2.94011,3.1487776 -0.66391,4.389208 c -0.0948,0.572504 0.1897,0.954174 0.66391,0.954174 0.18967,0 0.37936,-0.09542 0.56905,-0.190835 l 3.69885,-2.003768 3.69884,2.003768 c 0.18969,0.09543 0.47421,0.190835 0.56906,0.190835 0.4742,0 0.75873,-0.38167 0.6639,-1.049592 l -0.6639,-4.389207 2.9401,-3.1487781 c 0.66391,-0.6679226 0.37938,-1.3358454 -0.4742,-1.5266803 L 371.66031,5.837416 369.76347,1.9252968 C 369.5738,1.543627 369.28926,1.3527922 369.00474,1.3527922 Z"
+       id="path4355"
+       style="display:inline;fill:url(#radialGradient5017);fill-opacity:1;stroke-width:0.79274529" />
+    <path
+       d="m 202,17.101265 h -2.4 l 1.2,2.4 h -14.39999 l 1.2,-2.4 h -2.4 c -0.72,0 -1.2,-0.48 -1.2,-1.2 V 9.9012647 c 0,-0.7200001 0.48,-1.2000001 1.2,-1.2000001 h 1.2 V 6.3012647 c 0,-0.7200001 0.48,-1.2000001 1.2,-1.2000001 v -1.2 c 0,-0.72 0.48,-1.2 1.2,-1.2 H 198.4 c 0.72,0 1.2,0.48 1.2,1.2 v 1.2 c 0.72,0 1.2,0.48 1.2,1.2000001 v 2.3999999 h 1.2 c 0.72,0 1.2,0.48 1.2,1.2000001 v 6.0000003 c 0,0.72 -0.48,1.2 -1.2,1.2 z m -14.39999,0 0.6,-1.2 h -0.6 z m 0.6,-6 h -0.6 -0.6 c -0.36,0 -0.6,0.24 -0.6,0.6 0,0.36 0.24,0.6 0.6,0.6 h 1.2 c 0.36,0 0.6,-0.24 0.6,-0.6 0,-0.36 -0.24,-0.6 -0.6,-0.6 z M 198.4,5.1012646 c 0,-0.72 -0.48,-1.2 -1.2,-1.2 h -7.19999 c -0.72,0 -1.2,0.48 -1.2,1.2 v 3.6 c 0,0.7200001 0.48,1.2000001 1.2,1.2000001 H 197.2 c 0.72,0 1.2,-0.48 1.2,-1.2000001 z m -1.08,10.8000004 h -7.43999 l -1.08,2.4 H 198.4 Z m 2.28,0 H 199 l 0.6,1.2 z"
+       id="path4366"
+       style="display:inline;fill:url(#radialGradient4793);fill-opacity:1;stroke-width:1;filter:url(#filter4805)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       d="m 247,19.501265 h -15.6 c -0.96,0 -1.8,-0.84 -1.8,-1.8 V 4.5012646 c 0,-0.9599999 0.84,-1.8 1.8,-1.8 H 247 c 0.96,0 1.8,0.8400001 1.8,1.8 V 17.701265 c 0,0.96 -0.84,1.8 -1.8,1.8 z M 239.8,3.9012646 c -0.36,0 -0.6,0.24 -0.6,0.6 0,0.36 0.24,0.6 0.6,0.6 0.36,0 0.6,-0.24 0.6,-0.6 0,-0.36 -0.24,-0.6 -0.6,-0.6 z m 2.28,0 c -0.36,0 -0.6,0.24 -0.6,0.6 0,0.36 0.36,0.6 0.6,0.6 0.36,0 0.6,-0.24 0.6,-0.6 0,-0.36 -0.24,-0.6 -0.6,-0.6 z m 3.72,0 h -1.2 c -0.36,0 -0.6,0.24 -0.6,0.6 0,0.36 0.24,0.6 0.6,0.6 h 1.2 c 0.36,0 0.6,-0.24 0.6,-0.6 0,-0.36 -0.24,-0.6 -0.6,-0.6 z m 0.6,4.8 c 0,-0.72 -0.48,-1.1999999 -1.2,-1.1999999 h -12 c -0.72,0 -1.2,0.4799999 -1.2,1.1999999 v 7.2000004 c 0,0.72 0.48,1.2 1.2,1.2 h 12 c 0.72,0 1.2,-0.48 1.2,-1.2 z"
+       id="path4388"
+       style="display:inline;fill:url(#radialGradient4833);fill-opacity:1;stroke-width:1;filter:url(#filter4853)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <text
+       transform="scale(0.98484982,1.0153832)"
+       id="text4409"
+       y="12.608931"
+       x="188.06316"
+       style="font-style:normal;font-weight:normal;font-size:9.51294327px;line-height:0%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;display:inline;fill:url(#radialGradient4841);fill-opacity:1;stroke:none;stroke-width:0.79274535px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       xml:space="preserve"><tspan
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:8.55116463px;line-height:125%;font-family:sans-serif;-inkscape-font-specification:'sans-serif, Bold';text-align:start;writing-mode:lr-tb;text-anchor:start;fill:url(#radialGradient4841);fill-opacity:1;stroke-width:0.79274535px"
+         y="12.608931"
+         x="188.06316"
+         id="tspan4411">+</tspan></text>
+    <path
+       style="display:inline;fill:url(#radialGradient5031);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5049)"
+       id="path6182"
+       d="m 467.25784,24.196945 c -0.36562,0 -0.73125,0.24375 -0.975,0.853125 l -2.4375,4.996876 -5.24062,0.853125 c -1.21875,0.24375 -1.4625,1.096875 -0.60938,1.95 l 3.77813,4.021875 -0.85313,5.60625 c -0.12181,0.73125 0.24375,1.21875 0.85313,1.21875 0.24375,0 0.4875,-0.121875 0.73125,-0.24375 l 4.75312,-2.559375 4.75313,2.559375 c 0.24375,0.121875 0.60937,0.24375 0.73125,0.24375 0.60937,0 0.975,-0.4875 0.85312,-1.340625 l -0.85312,-5.60625 3.77812,-4.021875 c 0.85313,-0.853125 0.4875,-1.70625 -0.60937,-1.95 l -5.24063,-0.853125 -2.4375,-4.996876 c -0.24375,-0.4875 -0.60937,-0.73125 -0.975,-0.73125 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4813);fill-opacity:1;stroke-width:1.21875;filter:url(#filter4825)"
+       id="path7318"
+       d="m 226.73438,15.945016 v 2.437501 c 0,0.673097 -0.54566,1.21875 -1.21875,1.21875 h -18.28124 c -0.67311,0 -1.21875,-0.545653 -1.21875,-1.21875 v -2.437501 c 0,-0.673097 0.54564,-1.21875 1.21875,-1.21875 h -1.04571 c 2.80313,0 2.36053,-3.256168 2.77368,-5.9703239 0.4278,-2.8226251 0.1927,-6.1069689 3.90598,-6.0616014 l 7.47091,0.091277 c 3.73276,0.045605 3.22143,3.1476992 3.65164,5.9703243 0.41438,2.715376 -0.20346,5.970324 2.60942,5.970324 h -1.08468 c 0.67309,0 1.21875,0.545653 1.21875,1.21875 z m -7.92188,-4.874999 h -1.82811 V 9.2418912 c 0,-0.8124995 -1.21875,-0.8124995 -1.21875,0 v 1.8281258 h -1.82814 c -0.8125,0 -0.8125,1.218749 0,1.218749 h 1.82814 v 1.828125 c 0,0.812501 1.21875,0.812501 1.21875,0 v -1.828125 h 1.82811 c 0.8125,0 0.8125,-1.218749 0,-1.218749 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4861);fill-opacity:1;stroke-width:1.21875;filter:url(#filter4873)"
+       id="path7886"
+       d="m 269.02823,19.939154 c -0.975,0 -1.82813,-0.24375 -2.80313,-1.584375 -0.975,-1.340625 -2.07187,-3.046875 -2.07187,-3.046875 0,0 -0.85313,-1.096875 -1.34063,-1.95 -0.60937,-0.853125 -1.34062,-0.609375 -1.34062,-0.609375 0,0 -3.53438,-5.7281239 -4.14375,-6.581249 -0.73125,-1.21875 0.73125,-3.290625 0.73125,-3.290625 l 5.3625,8.531249 c 0,0 1.70625,2.315625 2.31562,2.803125 0.60938,0.4875 1.70625,-0.4875 3.4125,1.096875 2.31563,2.19375 1.58438,4.63125 -0.12181,4.63125 z m -0.36563,-3.534375 c -1.09687,-1.21875 -2.07187,-1.096875 -2.31562,-0.73125 -0.24375,0.365625 0,1.4625 0.4875,2.071875 0.4875,0.609375 0.975,0.853125 1.70625,0.853125 0.73125,0.121875 1.34062,-0.853125 0.1218,-2.19375 z m -4.63125,-5.728124 -1.4625,-2.19375 3.53438,-5.60625 c 0,0 1.4625,2.071875 0.73125,3.290625 -0.36563,0.4875001 -1.70625,2.803125 -2.80313,4.509375 z m -5.60625,3.534374 c 0.36563,-0.365625 1.21875,-1.340625 1.70625,-2.071875 l 0.975,1.4625 c -0.4875,0.73125 -1.09687,1.70625 -1.09687,1.70625 0,0 -1.09688,1.70625 -2.07188,3.046875 -0.85312,1.340625 -1.70625,1.584375 -2.80312,1.584375 -1.70625,0 -2.55938,-2.4375 -0.12181,-4.63125 1.70625,-1.4625 2.80312,-0.609375 3.4125,-1.096875 z m -2.925,2.19375 c -1.09687,1.21875 -0.4875,2.19375 0.24375,2.19375 0.73125,0 1.21875,-0.24375 1.70625,-0.853125 0.4875,-0.609375 0.73125,-1.828125 0.4875,-2.071875 -0.36562,-0.365625 -1.34062,-0.4875 -2.4375,0.73125 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4881);fill-opacity:1;stroke-width:1.21875;filter:url(#filter4893)"
+       id="path8454"
+       d="m 292.00552,19.7566 h -7.3125 c -0.73125,0 -1.21875,-0.4875 -1.21875,-1.21875 v -3.656249 -3.16875 -2.9250003 c 0,-0.73125 0.4875,-1.21875 1.21875,-1.21875 0,0 3.9,0 6.09375,0 0,0 2.4375,2.4375003 2.4375,2.4375003 0,2.68125 0,8.531249 0,8.531249 0,0.73125 -0.4875,1.21875 -1.21875,1.21875 z m -2.4375,-10.9687493 v 2.4375003 h 2.4375 z m -7.3125,-1.3406249 v 1.3406249 2.3156253 3.778125 h -4.875 c -0.73125,0 -1.21875,-0.4875 -1.21875,-1.21875 V 3.9128507 c 0,-0.7312499 0.4875,-1.21875 1.21875,-1.21875 0,0 3.9,0 6.09375,0 0,0 2.4375,2.4375 2.4375,2.4375 0,0.4875 0,0.9750001 0,1.5843751 h -3.04688 c -0.36562,0.121875 -0.60937,0.365625 -0.60937,0.73125 z m 0,-3.5343751 v 2.4375001 h 2.4375 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4901);fill-opacity:1;stroke-width:1.21875;filter:url(#filter4913)"
+       id="path9022"
+       d="m 311.86917,19.7566 h -8.53125 c -0.97501,0 -1.82812,-0.853125 -1.82812,-1.828124 V 6.9597255 c 0,-0.9750001 0.85311,-1.8281251 1.82812,-1.8281251 h 1.82813 c 0,0 0,-2.4375 2.4375,-2.4375 2.4375,0 2.4375,2.4375 2.4375,2.4375 h 1.82812 c 0.975,0 1.82813,0.853125 1.82813,1.8281251 V 17.928476 c 0,0.974999 -0.85313,1.828124 -1.82813,1.828124 z m -0.97501,-13.4062496 -1.34061,-0.609375 c 0,0 0,-1.8281249 -1.95,-1.8281249 -1.95,0 -1.95,1.8281249 -1.95,1.8281249 l -1.34063,0.609375 -0.60937,1.2187501 h 3.04687 3.9 0.975 z m 0.12182,2.071875 h -5.72812 l -3.65625,2.0718756 3.4125,5.971875 8.04375,-4.63125 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4921);fill-opacity:1;stroke-width:1.21875;filter:url(#filter4933)"
+       id="path9590"
+       d="M 335.29779,14.881601 V 7.5691009 l 3.65625,3.6562501 z m -8.53125,1.21875 h 7.3125 l -3.65625,3.656249 z m 6.09375,-1.21875 h -4.875 c -0.73125,0 -1.21875,-0.4875 -1.21875,-1.21875 v -4.875 c 0,-0.7312501 0.4875,-1.2187501 1.21875,-1.2187501 h 4.875 c 0.73125,0 1.21875,0.4875 1.21875,1.2187501 v 4.875 c 0,0.609375 -0.4875,1.21875 -1.21875,1.21875 z m 0,-3.65625 c 0,-0.73125 -0.4875,-1.21875 -1.21875,-1.21875 h -2.4375 c -0.73125,0 -1.21875,0.4875 -1.21875,1.21875 v 1.21875 c 0,0.73125 0.4875,1.21875 1.21875,1.21875 h 2.4375 c 0.73125,0 1.21875,-0.4875 1.21875,-1.21875 z m -2.4375,-8.5312501 3.65625,3.6562501 h -7.3125 z m -4.875,4.875 v 7.3125001 l -3.65625,-3.65625 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4941);fill-opacity:1;stroke-width:0.96615839"
+       id="path10158"
+       d="m 274.15498,8.0293266 h 9.6324 v 1.9381685 h -9.6324 z" />
+    <path
+       style="display:inline;fill:url(#radialGradient4949);fill-opacity:1;stroke-width:0.96615839"
+       id="path10726"
+       d="m 301.82263,10.040073 h -3.85298 v 3.876338 h -1.92648 v -3.876338 h -3.85298 V 8.1019059 h 3.85298 V 4.2255681 h 1.92648 v 3.8763378 h 3.85298 z" />
+    <path
+       style="display:inline;fill:url(#radialGradient4957);fill-opacity:1;stroke-width:1.21875;filter:url(#filter4969)"
+       id="path11294"
+       d="m 407.09514,12.361211 c -0.12181,0.73125 -0.24375,1.4625 -0.4875,2.071875 -0.4875,1.584375 -1.4625,3.046875 -3.04686,4.021874 0.4875,0.4875 1.58436,1.096875 1.58436,1.096875 0,0 -2.4375,0.365625 -4.99686,0.365625 0,0 -0.12181,-0.121875 -0.12181,-0.121875 v 0.121875 c -1.21875,0 -2.4375,-0.365625 -3.65625,-0.73125 0.85311,-0.73125 1.4625,-1.584374 1.95,-2.559374 0.73125,-1.4625 0.73125,-3.65625 0.73125,-3.65625 0,0 1.09686,1.828125 1.70625,2.559375 1.4625,-0.73125 2.4375,-2.19375 2.55936,-3.65625 0.12181,-1.096875 -0.24375,-2.0718751 -0.73125,-2.8031251 -0.4875,-0.8531251 -1.21875,-1.3406251 -2.07186,-1.7062501 0.24375,-0.4874999 0.60936,-1.0968749 0.975,-1.584375 0.4875,-0.73125 1.09686,-1.21875 1.58436,-1.4625 2.55939,1.340625 4.3875,4.5093751 4.02189,8.0437502 z m -8.53125,-2.4375001 c 0,0 -1.34061,-1.8281251 -1.95,-2.4375001 -1.70625,0.853125 -2.68125,2.4375001 -2.68125,4.1437502 0.12181,1.828125 1.34064,3.290625 2.925,4.021875 -0.36561,0.609375 -0.73125,1.21875 -1.21875,1.70625 -0.4875,0.609375 -1.09686,0.974999 -1.4625,1.340624 -2.80311,-1.706249 -4.50936,-4.874999 -4.02186,-8.287499 0.1218,-0.8531251 0.36561,-1.7062502 0.60936,-2.4375002 0.4875,-1.3406249 1.34064,-2.4375 2.55939,-3.290625 0.1218,-0.121875 0.24375,-0.121875 0.36561,-0.24375 -0.4875,-0.4875 -1.95,-0.975 -1.95,-0.975 0,0 3.04689,-0.975 8.2875,-0.365625 -1.58436,2.315625 -1.4625,6.8250001 -1.4625,6.8250001 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4977);fill-opacity:1;stroke-width:1.21875;filter:url(#filter4989)"
+       id="path11862"
+       d="m 429.01283,20.243326 h -1.82812 c -0.4875,0 -0.975,-0.365625 -0.975,-0.975 0,0 0.36562,-4.387501 -3.9,-8.775 -3.04688,-3.6562503 -8.53125,-3.9000003 -8.53125,-3.9000003 -0.60938,0 -0.975,-0.365625 -0.975,-0.8531249 V 4.0339507 c 0,-0.4875 0.36562,-0.853125 0.975,-0.853125 0,0 7.67812,0.4875 11.7,5.4843751 4.02187,3.7781242 4.3875,10.7250002 4.3875,10.7250002 0,0.4875 -0.24375,0.853125 -0.85313,0.853125 z M 413.77846,9.2745758 c 0,0 4.50937,0.609375 7.06875,2.9249992 2.55937,2.4375 3.04687,7.190626 3.04687,7.190626 0,0.4875 -0.12181,0.975 -0.60937,0.975 h -1.82813 c -0.4875,0 -0.73125,-0.365625 -0.73125,-0.975 0,0 0.12181,-2.925001 -2.19375,-5.118751 -1.82812,-1.584375 -4.75312,-1.70625 -4.75312,-1.70625 -0.60938,0 -0.975,-0.365625 -0.975,-0.853125 v -1.584374 c 0,-0.4875002 0.36562,-0.8531252 0.975,-0.8531252 z m 1.4625,6.0937492 c 1.34062,0 2.4375,1.096875 2.4375,2.4375 0,1.340626 -1.09688,2.437501 -2.4375,2.437501 -1.34063,0 -2.4375,-1.096875 -2.4375,-2.437501 0,-1.340625 1.09687,-2.4375 2.4375,-2.4375 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <path
+       style="display:inline;fill:url(#radialGradient4997);fill-opacity:1;stroke-width:1.21875;filter:url(#filter5009)"
+       id="path12430"
+       d="m 451.64901,16.435377 -3.65625,-3.290625 v 2.559375 c 0,0.975 -0.73125,1.70625 -1.58436,1.70625 h -9.01875 c -0.85314,0 -1.58439,-0.73125 -1.58439,-1.70625 V 6.9291285 c 0,-0.9750001 0.73125,-1.7062501 1.58439,-1.7062501 h 9.01875 c 0.85311,0 1.58436,0.73125 1.58436,1.7062501 v 2.437499 l 3.65625,-3.2906241 c 0.36564,-0.365625 0.73125,-0.4875 1.21875,-0.365625 V 16.801002 c -0.36561,0.121875 -0.85311,0 -1.21875,-0.365625 z"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+    <g
+       id="g4779"
+       style="display:inline"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)">
+      <path
+         style="fill:url(#radialGradient4710);fill-opacity:1;stroke-width:1.265625;filter:url(#filter4729)"
+         d="M 165.73984,2.6257296 V 20.34448 h 9.42792 0.69708 2.46698 c 1.25518,-0.32709 2.23657,-1.314095 2.53125,-2.53125 v -2.53125 -7.5937504 -2.53125 c -0.29468,-1.2171559 -1.27607,-2.2041601 -2.53125,-2.53125 h -2.07148 -1.09258 z m 7.73958,3.0577697 1.33485,2.2420349 c 0,0 0.36967,0.6174141 0.65753,0.813263 0.26974,0.1834496 0.93438,0.2892151 0.93438,0.2892151 h 2.72901 l -1.89596,3.0800167 c 0,0 -0.27577,0.604831 -0.41281,0.907196 -0.20593,0.452534 0.006,1.243536 0.0742,1.982484 0.10732,1.162403 0.19033,2.286529 0.19033,2.286529 l -2.21484,-1.132141 c 0,0 -0.90763,-0.426918 -1.39416,-0.427644 -0.5721,0 -1.64383,0.496858 -1.64383,0.496858 l -2.2198,1.065398 c 0,0 0.16319,-1.013778 0.33866,-2.128325 0.11606,-0.733074 0.43611,-1.567458 0.17798,-2.071473 -0.13995,-0.274086 -0.42023,-0.820679 -0.42023,-0.820679 L 167.532,9.0996981 h 2.71169 c 0,0 0.88228,-0.06226 1.24339,-0.2892151 0.27408,-0.1711231 0.61056,-0.7539368 0.61056,-0.7539368 z"
+         id="bookmarks-star-4" />
+      <path
+         style="fill:url(#radialGradient4712);fill-opacity:1;stroke:none;stroke-width:1.265625;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:markers stroke fill;filter:url(#filter4774)"
+         d="m 163.20859,2.6257296 c -1.25519,0.3270899 -2.23658,1.3140942 -2.53125,2.53125 v 2.53125 7.5937504 2.53125 c 0.29467,1.217155 1.27606,2.20416 2.53125,2.53125 h 3.16406 v -5.0625 -7.5937504 -5.0625 z"
+         id="bookmarks-overlay-1" />
+      <path
+         style="opacity:0.66300001;fill:url(#radialGradient4714);fill-opacity:1;stroke:url(#radialGradient4750);stroke-width:0.6328125;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="M 166.37156,2.6257296 V 20.34448"
+         id="bookmarks-divider-7" />
+    </g>
+    <path
+       d="m 133.26971,34.690626 -6.72001,6.6 c -0.24,0.36 -0.72,0.48 -1.2,0.48 -0.48,0 -0.96,-0.12 -1.32,-0.48 l -6.72,-6.6 c -0.6,-0.72 -0.48,-1.32 0.48,-1.32 h 3.96 v -7.200001 c 0,-0.72 0.48,-1.2 1.2,-1.2 h 4.8 c 0.72,0 1.2,0.48 1.2,1.2 v 7.200001 h 3.84 c 0.96001,0 1.20001,0.6 0.48001,1.32 z"
+       id="path4214-3"
+       style="display:inline;fill:url(#radialGradient4709-1);fill-opacity:1;stroke-width:1;filter:url(#filter4844)"
+       transform="matrix(0.79035179,0,0,0.79514606,-0.14216927,3.8570695e-5)" />
+  </g>
+</svg>
diff --git a/application/palemoon/themes/windows/browser.css b/application/palemoon/themes/windows/browser.css
index 45f0e066c2..f921554dfc 100644
--- a/application/palemoon/themes/windows/browser.css
+++ b/application/palemoon/themes/windows/browser.css
@@ -39,9 +39,9 @@
   --toolbarbutton-border-radius: 2.5px;
   --toolbarbutton-border-color: hsla(210,54%,20%,.2);
 
-  --toolbarbutton-image: url("chrome://browser/skin/Toolbar.png");
-  --toolbarbutton-glass-image: url("chrome://browser/skin/Toolbar-glass.png");
-  --toolbarbutton-inverted-image: url("chrome://browser/skin/Toolbar-inverted.png");
+  --toolbarbutton-image: url("chrome://browser/skin/Toolbar.svg");
+  --toolbarbutton-glass-image: url("chrome://browser/skin/Toolbar-glass.svg");
+  --toolbarbutton-inverted-image: url("chrome://browser/skin/Toolbar-inverted.svg");
 
   --tab-background: linear-gradient(transparent, hsla(0,0%,45%,.1) 1px, hsla(0,0%,32%,.2) 80%, hsla(0,0%,0%,.2));
   --tab-background-hover: linear-gradient(hsla(0,0%,100%,.3) 1px, hsla(0,0%,75%,.2) 80%, hsla(0,0%,60%,.2));
@@ -2018,6 +2018,90 @@ richlistitem[type~="action"][actiontype="switchtab"] > .ac-url-box > .ac-action-
   list-style-image: url("chrome://global/skin/icons/close-inverted.svg");
 }
 
+/* Tab sound indicator */
+.tab-icon-sound {
+  -moz-margin-start: 4px;
+  width: 16px;
+  height: 16px;
+  padding: 0;
+}
+
+.allTabs-endimage[soundplaying],
+.tab-icon-sound[soundplaying] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio.svg#tab-audio");
+}
+
+.allTabs-endimage[muted],
+.tab-icon-sound[muted] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio.svg#tab-audio-muted");
+}
+
+.allTabs-endimage[blocked],
+.tab-icon-sound[blocked] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio.svg#tab-audio-blocked");
+}
+
+#TabsToolbar[brighttext] .tab-icon-sound[soundplaying],
+#TabsToolbar[brighttext] .tab-icon-sound[blocked],
+#TabsToolbar[brighttext] .tab-icon-sound[muted] {
+  filter: invert(1);
+}
+
+.tab-icon-sound[soundplaying-scheduledremoval]:not([muted]):not(:hover),
+.tab-icon-overlay[soundplaying-scheduledremoval]:not([muted]):not(:hover) {
+  transition: opacity .3s linear var(--soundplaying-removal-delay);
+  opacity: 0;
+}
+
+/* Tab icon overlay */
+.tab-icon-overlay {
+  width: 16px;
+  height: 16px;
+  margin-top: -8px;
+  margin-inline-start: -15px;
+  margin-inline-end: -1px;
+  position: relative;
+}
+
+.tab-icon-overlay[soundplaying],
+.tab-icon-overlay[muted]:not([crashed]),
+.tab-icon-overlay[blocked]:not([crashed]) {
+  border-radius: 10px;
+}
+
+.tab-icon-overlay[soundplaying]:hover,
+.tab-icon-overlay[muted]:not([crashed]):hover,
+.tab-icon-overlay[blocked]:not([crashed]):hover {
+  background-color: white;
+}
+
+.tab-icon-overlay[soundplaying] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio");
+}
+
+.tab-icon-overlay[muted] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-muted");
+}
+
+.tab-icon-overlay[blocked] {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-blocked");
+}
+
+#TabsToolbar[brighttext] .tab-icon-overlay[soundplaying]:not([selected]):not(:hover),
+.tab-icon-overlay[soundplaying][selected]:-moz-lwtheme-brighttext:not(:hover) {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-white");
+}
+
+#TabsToolbar[brighttext] .tab-icon-overlay[muted]:not([crashed]):not([selected]):not(:hover),
+.tab-icon-overlay[muted][selected]:-moz-lwtheme-brighttext:not(:hover) {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-white-muted");
+}
+
+#TabsToolbar[brighttext] .tab-icon-overlay[blocked]:not([crashed]):not([selected]):not(:hover),
+.tab-icon-overlay[blocked][selected]:-moz-lwtheme-brighttext:not(:hover) {
+  list-style-image: url("chrome://browser/skin/tabbrowser/tab-audio-small.svg#tab-audio-white-blocked");
+}
+
 /* Tab scrollbox arrow, tabstrip new tab and all-tabs buttons */
 
 .tabbrowser-arrowscrollbox > .scrollbutton-up,
diff --git a/application/palemoon/themes/windows/communicator/jar.mn b/application/palemoon/themes/windows/communicator/jar.mn
index dfd20c5236..612d133352 100644
--- a/application/palemoon/themes/windows/communicator/jar.mn
+++ b/application/palemoon/themes/windows/communicator/jar.mn
@@ -4,4 +4,4 @@
 
 browser.jar:
 % skin communicator classic/1.0 %skin/classic/communicator/
-        skin/classic/communicator/communicator.css
+  skin/classic/communicator/communicator.css
diff --git a/application/palemoon/themes/windows/downloads/downloads.css b/application/palemoon/themes/windows/downloads/downloads.css
index 91ea652ed6..f16989655b 100644
--- a/application/palemoon/themes/windows/downloads/downloads.css
+++ b/application/palemoon/themes/windows/downloads/downloads.css
@@ -326,6 +326,11 @@ toolbar[brighttext] #downloads-indicator-icon {
                               0, 108, 18, 90) center no-repeat;
 }
 
+#downloads-indicator[attention] > #downloads-indicator-anchor > #downloads-indicator-icon {
+  background: -moz-image-rect(var(--toolbarbutton-image),
+                                19, 108, 36, 90) center no-repeat;
+}
+
 @media (-moz-windows-compositor) {
   :-moz-any(#toolbar-menubar, #nav-bar[tabsontop=false]) #downloads-indicator-icon:not(:-moz-lwtheme),
   #TabsToolbar[tabsontop=true] #downloads-indicator-icon:not(:-moz-lwtheme),
@@ -333,10 +338,12 @@ toolbar[brighttext] #downloads-indicator-icon {
     background: -moz-image-rect(var(--toolbarbutton-glass-image),
                                 0, 108, 18, 90) center no-repeat;
   }
+  #downloads-indicator[attention] > #downloads-indicator-anchor > #downloads-indicator-icon {
+    background: -moz-image-rect(var(--toolbarbutton-glass-image),
+                                19, 108, 36, 90) center no-repeat;
 }
 
-#downloads-indicator[attention] > #downloads-indicator-anchor > #downloads-indicator-icon {
-  background-image: url("chrome://browser/skin/downloads/download-glow.png");
+
 }
 
 /* In the next few rules, we use :not([counter]) as a shortcut that is
@@ -360,10 +367,10 @@ toolbar[brighttext] #downloads-indicator:not([counter]) > #downloads-indicator-a
     background: -moz-image-rect(var(--toolbarbutton-glass-image),
                                 0, 108, 18, 90) center no-repeat;
   }
-}
-
-#downloads-indicator:not([counter])[attention] > #downloads-indicator-anchor > #downloads-indicator-progress-area > #downloads-indicator-counter {
-  background-image: url("chrome://browser/skin/downloads/download-glow.png");
+  #downloads-indicator:not([counter])[attention] > #downloads-indicator-anchor > #downloads-indicator-progress-area > #downloads-indicator-counter {
+    background: -moz-image-rect(var(--toolbarbutton-glass-image),
+                                19, 108, 36, 90) center no-repeat;
+  }
 }
 
 /*** Download notifications ***/
diff --git a/application/palemoon/themes/windows/jar.mn b/application/palemoon/themes/windows/jar.mn
index 0a4342d403..8a00d8b708 100644
--- a/application/palemoon/themes/windows/jar.mn
+++ b/application/palemoon/themes/windows/jar.mn
@@ -4,163 +4,164 @@
 
 browser.jar:
 % skin browser classic/1.0 %skin/classic/browser/
-        skin/classic/browser/sanitizeDialog.css
-*       skin/classic/browser/aboutPrivateBrowsing.css
-*       skin/classic/browser/aboutSessionRestore.css
-        skin/classic/browser/aboutSessionRestore-window-icon.png
-        skin/classic/browser/aboutCertError.css
-        skin/classic/browser/aboutCertError_sectionCollapsed.png
-        skin/classic/browser/aboutCertError_sectionCollapsed-rtl.png
-        skin/classic/browser/aboutCertError_sectionExpanded.png
+  skin/classic/browser/sanitizeDialog.css
+* skin/classic/browser/aboutPrivateBrowsing.css
+* skin/classic/browser/aboutSessionRestore.css
+  skin/classic/browser/aboutSessionRestore-window-icon.png
+  skin/classic/browser/aboutCertError.css
+  skin/classic/browser/aboutCertError_sectionCollapsed.png
+  skin/classic/browser/aboutCertError_sectionCollapsed-rtl.png
+  skin/classic/browser/aboutCertError_sectionExpanded.png
 #ifdef MOZ_SERVICES_SYNC
-        skin/classic/browser/aboutSyncTabs.css
+  skin/classic/browser/aboutSyncTabs.css
 #endif
-*       skin/classic/browser/autocomplete.css
-        skin/classic/browser/actionicon-tab.png
-        skin/classic/browser/appmenu-icons.png
-        skin/classic/browser/appmenu-dropmarker.png
-*       skin/classic/browser/browser.css
-        skin/classic/browser/caption-buttons.svg
-        skin/classic/browser/click-to-play-warning-stripes.png
-*       skin/classic/browser/engineManager.css
-        skin/classic/browser/Geolocation-16.png
-        skin/classic/browser/Geolocation-64.png
-        skin/classic/browser/Info.png
-        skin/classic/browser/identity.png
-        skin/classic/browser/imagedocument.png					
-        skin/classic/browser/identity-icons-generic.png
-        skin/classic/browser/identity-icons-https.png
-        skin/classic/browser/identity-icons-https-ev.png
-        skin/classic/browser/identity-icons-https-mixed-active.png
-        skin/classic/browser/keyhole-forward-mask.svg
-        skin/classic/browser/KUI-background.png
-        skin/classic/browser/KUI-close.png
-        skin/classic/browser/livemark-folder.png
-        skin/classic/browser/menu-back.png
-        skin/classic/browser/menu-forward.png
-        skin/classic/browser/mixed-content-blocked-16.png
-        skin/classic/browser/mixed-content-blocked-64.png
-        skin/classic/browser/monitor.png
-        skin/classic/browser/monitor_16-10.png
-        skin/classic/browser/pageInfo.css
-        skin/classic/browser/pageInfo.png
-        skin/classic/browser/page-livemarks.png                      (feeds/feedIcon16.png)
-        skin/classic/browser/pointerLock-16.png
-        skin/classic/browser/pointerLock-64.png
-        skin/classic/browser/Privacy-16.png
-        skin/classic/browser/Privacy-32.png
-        skin/classic/browser/Privacy-48.png
-        skin/classic/browser/Privacy-64.png
-        skin/classic/browser/privatebrowsing-light.png
-        skin/classic/browser/privatebrowsing-dark.png
-        skin/classic/browser/reload-stop-go.png
-        skin/classic/browser/sanitize.png
-        skin/classic/browser/searchbar.css
-        skin/classic/browser/searchbar-dropdown-arrow.png
-        skin/classic/browser/Secure24.png
-        skin/classic/browser/setDesktopBackground.css
-        skin/classic/browser/slowStartup-16.png
-        skin/classic/browser/Toolbar.png
-        skin/classic/browser/Toolbar-glass.png
-        skin/classic/browser/Toolbar-inverted.png
-        skin/classic/browser/toolbarbutton-dropdown-arrow.png
-        skin/classic/browser/toolbarbutton-dropdown-arrow-inverted.png
-        skin/classic/browser/urlbar-arrow.png
-        skin/classic/browser/urlbar-popup-blocked.png
-        skin/classic/browser/urlbar-history-dropmarker.png
-        skin/classic/browser/web-notifications-icon.svg
-        skin/classic/browser/web-notifications-tray.svg
-        skin/classic/browser/notification-pluginNormal.png           (../shared/plugins/notification-pluginNormal.png)
-        skin/classic/browser/notification-pluginAlert.png            (../shared/plugins/notification-pluginAlert.png)
-        skin/classic/browser/notification-pluginBlocked.png          (../shared/plugins/notification-pluginBlocked.png)
+* skin/classic/browser/autocomplete.css
+  skin/classic/browser/actionicon-tab.png
+  skin/classic/browser/appmenu-icons.png
+  skin/classic/browser/appmenu-dropmarker.png
+* skin/classic/browser/browser.css
+  skin/classic/browser/caption-buttons.svg
+  skin/classic/browser/click-to-play-warning-stripes.png
+* skin/classic/browser/engineManager.css
+  skin/classic/browser/Geolocation-16.png
+  skin/classic/browser/Geolocation-64.png
+  skin/classic/browser/Info.png
+  skin/classic/browser/identity.png
+  skin/classic/browser/imagedocument.png					
+  skin/classic/browser/identity-icons-generic.png
+  skin/classic/browser/identity-icons-https.png
+  skin/classic/browser/identity-icons-https-ev.png
+  skin/classic/browser/identity-icons-https-mixed-active.png
+  skin/classic/browser/keyhole-forward-mask.svg
+  skin/classic/browser/KUI-background.png
+  skin/classic/browser/KUI-close.png
+  skin/classic/browser/livemark-folder.png
+  skin/classic/browser/menu-back.png
+  skin/classic/browser/menu-forward.png
+  skin/classic/browser/mixed-content-blocked-16.png
+  skin/classic/browser/mixed-content-blocked-64.png
+  skin/classic/browser/monitor.png
+  skin/classic/browser/monitor_16-10.png
+  skin/classic/browser/pageInfo.css
+  skin/classic/browser/pageInfo.png
+  skin/classic/browser/page-livemarks.png                             (feeds/feedIcon16.png)
+  skin/classic/browser/pointerLock-16.png
+  skin/classic/browser/pointerLock-64.png
+  skin/classic/browser/Privacy-16.png
+  skin/classic/browser/Privacy-32.png
+  skin/classic/browser/Privacy-48.png
+  skin/classic/browser/Privacy-64.png
+  skin/classic/browser/privatebrowsing-light.png
+  skin/classic/browser/privatebrowsing-dark.png
+  skin/classic/browser/reload-stop-go.png
+  skin/classic/browser/sanitize.png
+  skin/classic/browser/searchbar.css
+  skin/classic/browser/searchbar-dropdown-arrow.png
+  skin/classic/browser/Secure24.png
+  skin/classic/browser/setDesktopBackground.css
+  skin/classic/browser/slowStartup-16.png
+  skin/classic/browser/Toolbar.svg
+  skin/classic/browser/Toolbar-glass.svg
+  skin/classic/browser/Toolbar-inverted.svg
+  skin/classic/browser/toolbarbutton-dropdown-arrow.png
+  skin/classic/browser/toolbarbutton-dropdown-arrow-inverted.png
+  skin/classic/browser/urlbar-arrow.png
+  skin/classic/browser/urlbar-popup-blocked.png
+  skin/classic/browser/urlbar-history-dropmarker.png
+  skin/classic/browser/web-notifications-icon.svg
+  skin/classic/browser/web-notifications-tray.svg
+  skin/classic/browser/notification-pluginNormal.png                  (../shared/plugins/notification-pluginNormal.png)
+  skin/classic/browser/notification-pluginAlert.png                   (../shared/plugins/notification-pluginAlert.png)
+  skin/classic/browser/notification-pluginBlocked.png                 (../shared/plugins/notification-pluginBlocked.png)
 #ifdef MOZ_WEBRTC
-        skin/classic/browser/webRTC-shareDevice-16.png
-        skin/classic/browser/webRTC-shareDevice-64.png
-        skin/classic/browser/webRTC-sharingDevice-16.png
+  skin/classic/browser/webRTC-shareDevice-16.png
+  skin/classic/browser/webRTC-shareDevice-64.png
+  skin/classic/browser/webRTC-sharingDevice-16.png
 #endif
-        skin/classic/browser/downloads/buttons.png                   (downloads/buttons.png)
-        skin/classic/browser/downloads/download-glow.png             (downloads/download-glow.png)
-        skin/classic/browser/downloads/download-notification-finish.png (downloads/download-notification-finish.png)
-        skin/classic/browser/downloads/download-notification-start.png (downloads/download-notification-start.png)
-        skin/classic/browser/downloads/download-summary.png          (downloads/download-summary.png)
-        skin/classic/browser/downloads/downloads.css                 (downloads/downloads.css)
-        skin/classic/browser/downloads/allDownloadsViewOverlay.css   (downloads/allDownloadsViewOverlay.css)
-        skin/classic/browser/downloads/contentAreaDownloadsView.css  (downloads/contentAreaDownloadsView.css)
-        skin/classic/browser/feeds/feedIcon.png                      (feeds/feedIcon.png)
-        skin/classic/browser/feeds/feedIcon16.png                    (feeds/feedIcon16.png)
-        skin/classic/browser/feeds/videoFeedIcon.png                 (feeds/feedIcon.png)
-        skin/classic/browser/feeds/videoFeedIcon16.png               (feeds/feedIcon16.png)
-        skin/classic/browser/feeds/audioFeedIcon.png                 (feeds/feedIcon.png)
-        skin/classic/browser/feeds/audioFeedIcon16.png               (feeds/feedIcon16.png)
-        skin/classic/browser/feeds/feed-icons-16.png                 (feeds/feed-icons-16.png)
-        skin/classic/browser/feeds/subscribe.css                     (feeds/subscribe.css)
-        skin/classic/browser/feeds/subscribe-ui.css                  (feeds/subscribe-ui.css)
-*       skin/classic/browser/newtab/newTab.css                       (newtab/newTab.css)
-        skin/classic/browser/newtab/controls.png                     (../shared/newtab/controls.png)
-        skin/classic/browser/newtab/noise.png                        (../shared/newtab/noise.png)
-        skin/classic/browser/newtab/pinned.png                       (../shared/newtab/pinned.png)
-        skin/classic/browser/places/places.css                       (places/places.css)
-*       skin/classic/browser/places/organizer.css                    (places/organizer.css)
-        skin/classic/browser/places/editBookmark.png                 (places/editBookmark.png)
-        skin/classic/browser/places/bookmark.png                     (places/bookmark.png)
-        skin/classic/browser/places/query.png                        (places/query.png)
-        skin/classic/browser/places/bookmarksMenu.png                (places/bookmarksMenu.png)
-        skin/classic/browser/places/bookmarksToolbar.png             (places/bookmarksToolbar.png)
-        skin/classic/browser/places/calendar.png                     (places/calendar.png)
-        skin/classic/browser/places/toolbarDropMarker.png            (places/toolbarDropMarker.png)
-        skin/classic/browser/places/editBookmarkOverlay.css          (places/editBookmarkOverlay.css)
-        skin/classic/browser/places/libraryToolbar.png               (places/libraryToolbar.png)
-        skin/classic/browser/places/starred48.png                    (places/starred48.png)
-        skin/classic/browser/places/unstarred48.png                  (places/unstarred48.png)
-        skin/classic/browser/places/tag.png                          (places/tag.png)
-        skin/classic/browser/places/history.png                      (places/history.png)
-        skin/classic/browser/places/allBookmarks.png                 (places/allBookmarks.png)
-        skin/classic/browser/places/unsortedBookmarks.png            (places/unsortedBookmarks.png)
-        skin/classic/browser/places/downloads.png                    (places/downloads.png)
-        skin/classic/browser/places/livemark-item.png                (places/livemark-item.png)
-        skin/classic/browser/permissions/aboutPermissions.css        (permissions/aboutPermissions.css)
-        skin/classic/browser/preferences/alwaysAsk.png               (preferences/alwaysAsk.png)
-        skin/classic/browser/preferences/application.png             (preferences/application.png)
-        skin/classic/browser/preferences/mail.png                    (preferences/mail.png)
-        skin/classic/browser/preferences/Options.png                 (preferences/Options.png)
+  skin/classic/browser/downloads/buttons.png                          (downloads/buttons.png)
+  skin/classic/browser/downloads/download-notification-finish.png     (downloads/download-notification-finish.png)
+  skin/classic/browser/downloads/download-notification-start.png      (downloads/download-notification-start.png)
+  skin/classic/browser/downloads/download-summary.png                 (downloads/download-summary.png)
+  skin/classic/browser/downloads/downloads.css                        (downloads/downloads.css)
+  skin/classic/browser/downloads/allDownloadsViewOverlay.css          (downloads/allDownloadsViewOverlay.css)
+  skin/classic/browser/downloads/contentAreaDownloadsView.css         (downloads/contentAreaDownloadsView.css)
+  skin/classic/browser/feeds/feedIcon.png                             (feeds/feedIcon.png)
+  skin/classic/browser/feeds/feedIcon16.png                           (feeds/feedIcon16.png)
+  skin/classic/browser/feeds/videoFeedIcon.png                        (feeds/feedIcon.png)
+  skin/classic/browser/feeds/videoFeedIcon16.png                      (feeds/feedIcon16.png)
+  skin/classic/browser/feeds/audioFeedIcon.png                        (feeds/feedIcon.png)
+  skin/classic/browser/feeds/audioFeedIcon16.png                      (feeds/feedIcon16.png)
+  skin/classic/browser/feeds/feed-icons-16.png                        (feeds/feed-icons-16.png)
+  skin/classic/browser/feeds/subscribe.css                            (feeds/subscribe.css)
+  skin/classic/browser/feeds/subscribe-ui.css                         (feeds/subscribe-ui.css)
+* skin/classic/browser/newtab/newTab.css                              (newtab/newTab.css)
+  skin/classic/browser/newtab/controls.png                            (../shared/newtab/controls.png)
+  skin/classic/browser/newtab/noise.png                               (../shared/newtab/noise.png)
+  skin/classic/browser/newtab/pinned.png                              (../shared/newtab/pinned.png)
+  skin/classic/browser/places/places.css                              (places/places.css)
+* skin/classic/browser/places/organizer.css                           (places/organizer.css)
+  skin/classic/browser/places/editBookmark.png                        (places/editBookmark.png)
+  skin/classic/browser/places/bookmark.png                            (places/bookmark.png)
+  skin/classic/browser/places/query.png                               (places/query.png)
+  skin/classic/browser/places/bookmarksMenu.png                       (places/bookmarksMenu.png)
+  skin/classic/browser/places/bookmarksToolbar.png                    (places/bookmarksToolbar.png)
+  skin/classic/browser/places/calendar.png                            (places/calendar.png)
+  skin/classic/browser/places/toolbarDropMarker.png                   (places/toolbarDropMarker.png)
+  skin/classic/browser/places/editBookmarkOverlay.css                 (places/editBookmarkOverlay.css)
+  skin/classic/browser/places/libraryToolbar.png                      (places/libraryToolbar.png)
+  skin/classic/browser/places/starred48.png                           (places/starred48.png)
+  skin/classic/browser/places/unstarred48.png                         (places/unstarred48.png)
+  skin/classic/browser/places/tag.png                                 (places/tag.png)
+  skin/classic/browser/places/history.png                             (places/history.png)
+  skin/classic/browser/places/allBookmarks.png                        (places/allBookmarks.png)
+  skin/classic/browser/places/unsortedBookmarks.png                   (places/unsortedBookmarks.png)
+  skin/classic/browser/places/downloads.png                           (places/downloads.png)
+  skin/classic/browser/places/livemark-item.png                       (places/livemark-item.png)
+  skin/classic/browser/permissions/aboutPermissions.css               (permissions/aboutPermissions.css)
+  skin/classic/browser/preferences/alwaysAsk.png                      (preferences/alwaysAsk.png)
+  skin/classic/browser/preferences/application.png                    (preferences/application.png)
+  skin/classic/browser/preferences/mail.png                           (preferences/mail.png)
+  skin/classic/browser/preferences/Options.png                        (preferences/Options.png)
 #ifdef MOZ_SERVICES_SYNC
-        skin/classic/browser/preferences/Options-sync.png            (preferences/Options-sync.png)
+  skin/classic/browser/preferences/Options-sync.png                   (preferences/Options-sync.png)
 #endif
-        skin/classic/browser/preferences/saveFile.png                (preferences/saveFile.png)
-*       skin/classic/browser/preferences/preferences.css             (preferences/preferences.css)
-        skin/classic/browser/preferences/applications.css            (preferences/applications.css)
+  skin/classic/browser/preferences/saveFile.png                       (preferences/saveFile.png)
+* skin/classic/browser/preferences/preferences.css                    (preferences/preferences.css)
+  skin/classic/browser/preferences/applications.css                   (preferences/applications.css)
 #ifdef MOZ_BROWSER_STATUSBAR
-        skin/classic/browser/statusbar/dynamic.css                   (../shared/statusbar/dynamic.css)
-*       skin/classic/browser/statusbar/overlay.css                   (statusbar/overlay.css)
-*       skin/classic/browser/statusbar/prefs.css                     (statusbar/prefs.css)
-        skin/classic/browser/statusbar/pulse.png                     (../shared/statusbar/pulse.png)
-        skin/classic/browser/statusbar/pms16.png                     (../shared/statusbar/pms16.png)
-        skin/classic/browser/statusbar/pms24.png                     (../shared/statusbar/pms24.png)
-        skin/classic/browser/statusbar/throbber-idle.png             (../shared/statusbar/throbber-idle.png)
-        skin/classic/browser/statusbar/throbberStatic.png            (../shared/statusbar/throbberStatic.png)
+  skin/classic/browser/statusbar/dynamic.css                          (../shared/statusbar/dynamic.css)
+* skin/classic/browser/statusbar/overlay.css                          (statusbar/overlay.css)
+* skin/classic/browser/statusbar/prefs.css                            (statusbar/prefs.css)
+  skin/classic/browser/statusbar/pulse.png                            (../shared/statusbar/pulse.png)
+  skin/classic/browser/statusbar/pms16.png                            (../shared/statusbar/pms16.png)
+  skin/classic/browser/statusbar/pms24.png                            (../shared/statusbar/pms24.png)
+  skin/classic/browser/statusbar/throbber-idle.png                    (../shared/statusbar/throbber-idle.png)
+  skin/classic/browser/statusbar/throbberStatic.png                   (../shared/statusbar/throbberStatic.png)
 #endif
-        skin/classic/browser/tabbrowser/alltabs.png                  (tabbrowser/alltabs.png)
-        skin/classic/browser/tabbrowser/alltabs-inverted.png         (tabbrowser/alltabs-inverted.png)
-        skin/classic/browser/tabbrowser/newtab.png                   (tabbrowser/newtab.png)
-        skin/classic/browser/tabbrowser/newtab-glass.png             (tabbrowser/newtab-glass.png)
-        skin/classic/browser/tabbrowser/newtab-inverted.png          (tabbrowser/newtab-inverted.png)
-        skin/classic/browser/tabbrowser/connecting.png               (tabbrowser/connecting.png)
-        skin/classic/browser/tabbrowser/loading.png                  (tabbrowser/loading.png)
-        skin/classic/browser/tabbrowser/tab-arrow-left.png           (tabbrowser/tab-arrow-left.png)
-        skin/classic/browser/tabbrowser/tab-arrow-left-glass.png     (tabbrowser/tab-arrow-left-glass.png)
-        skin/classic/browser/tabbrowser/tab-arrow-left-inverted.png  (tabbrowser/tab-arrow-left-inverted.png)
-        skin/classic/browser/tabbrowser/tab-overflow-border.png      (tabbrowser/tab-overflow-border.png)
-        skin/classic/browser/tabbrowser/tabDragIndicator.png         (tabbrowser/tabDragIndicator.png)
+  skin/classic/browser/tabbrowser/alltabs.png                         (tabbrowser/alltabs.png)
+  skin/classic/browser/tabbrowser/alltabs-inverted.png                (tabbrowser/alltabs-inverted.png)
+  skin/classic/browser/tabbrowser/newtab.png                          (tabbrowser/newtab.png)
+  skin/classic/browser/tabbrowser/newtab-glass.png                    (tabbrowser/newtab-glass.png)
+  skin/classic/browser/tabbrowser/newtab-inverted.png                 (tabbrowser/newtab-inverted.png)
+  skin/classic/browser/tabbrowser/connecting.png                      (tabbrowser/connecting.png)
+  skin/classic/browser/tabbrowser/loading.png                         (tabbrowser/loading.png)
+  skin/classic/browser/tabbrowser/tab-arrow-left.png                  (tabbrowser/tab-arrow-left.png)
+  skin/classic/browser/tabbrowser/tab-arrow-left-glass.png            (tabbrowser/tab-arrow-left-glass.png)
+  skin/classic/browser/tabbrowser/tab-arrow-left-inverted.png         (tabbrowser/tab-arrow-left-inverted.png)
+  skin/classic/browser/tabbrowser/tab-overflow-border.png             (tabbrowser/tab-overflow-border.png)
+  skin/classic/browser/tabbrowser/tabDragIndicator.png                (tabbrowser/tabDragIndicator.png)
+  skin/classic/browser/tabbrowser/tab-audio.svg                       (../shared/tabbrowser/tab-audio.svg)
+  skin/classic/browser/tabbrowser/tab-audio-small.svg                 (../shared/tabbrowser/tab-audio-small.svg)
 #ifdef MOZ_SERVICES_SYNC
-        skin/classic/browser/sync-throbber.png
-        skin/classic/browser/sync-16.png
-        skin/classic/browser/sync-32.png
-        skin/classic/browser/sync-128.png
-        skin/classic/browser/sync-bg.png
-        skin/classic/browser/sync-desktopIcon.png
-        skin/classic/browser/sync-mobileIcon.png
-        skin/classic/browser/syncSetup.css
-        skin/classic/browser/syncCommon.css
-        skin/classic/browser/syncQuota.css
-        skin/classic/browser/syncProgress.css
+  skin/classic/browser/sync-throbber.png
+  skin/classic/browser/sync-16.png
+  skin/classic/browser/sync-32.png
+  skin/classic/browser/sync-128.png
+  skin/classic/browser/sync-bg.png
+  skin/classic/browser/sync-desktopIcon.png
+  skin/classic/browser/sync-mobileIcon.png
+  skin/classic/browser/syncSetup.css
+  skin/classic/browser/syncCommon.css
+  skin/classic/browser/syncQuota.css
+  skin/classic/browser/syncProgress.css
 #endif
diff --git a/build/moz.configure/old.configure b/build/moz.configure/old.configure
index e6eaa8228a..59dc8b57b6 100644
--- a/build/moz.configure/old.configure
+++ b/build/moz.configure/old.configure
@@ -157,7 +157,6 @@ def old_configure_options(*options):
     '--enable-accessibility',
     '--enable-address-sanitizer',
     '--enable-alsa',
-    '--enable-android-omx',
     '--enable-b2g-bt',
     '--enable-b2g-camera',
     '--enable-b2g-ril',
@@ -206,7 +205,6 @@ def old_configure_options(*options):
     '--enable-nspr-build',
     '--enable-official-branding',
     '--enable-official-vendor',
-    '--enable-omx-plugin',
     '--enable-oom-breakpoint',
     '--enable-optimize',
     '--enable-parental-controls',
@@ -309,6 +307,10 @@ def old_configure_options(*options):
     '--enable-calendar',
     '--enable-incomplete-external-linkage',
     
+    # Below are configure flags used by Pale Moon
+    '--disable-browser-statusbar',
+    '--disable-sync',
+    
     # Below are configure flags used by Basilisk
     '--disable-webextensions',
 )
diff --git a/config/milestone.txt b/config/milestone.txt
index 752d23fca9..776b58af7c 100644
--- a/config/milestone.txt
+++ b/config/milestone.txt
@@ -10,4 +10,4 @@
 # hardcoded milestones in the tree from these two files.
 #--------------------------------------------------------
 
-4.1.7
+4.1.8
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index ae307431d9..e6fa5a2004 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -1263,6 +1263,7 @@ nsDocShell::LoadURI(nsIURI* aURI,
   nsCOMPtr<nsIURI> referrer;
   nsCOMPtr<nsIURI> originalURI;
   bool loadReplace = false;
+  bool isFromProcessingFrameAttributes = false;
   nsCOMPtr<nsIInputStream> postStream;
   nsCOMPtr<nsIInputStream> headersStream;
   nsCOMPtr<nsIPrincipal> triggeringPrincipal;
@@ -1292,6 +1293,7 @@ nsDocShell::LoadURI(nsIURI* aURI,
     aLoadInfo->GetReferrer(getter_AddRefs(referrer));
     aLoadInfo->GetOriginalURI(getter_AddRefs(originalURI));
     aLoadInfo->GetLoadReplace(&loadReplace);
+    aLoadInfo->GetIsFromProcessingFrameAttributes(&isFromProcessingFrameAttributes);
     nsDocShellInfoLoadType lt = nsIDocShellLoadInfo::loadNormal;
     aLoadInfo->GetLoadType(&lt);
     // Get the appropriate loadType from nsIDocShellLoadInfo type
@@ -1571,6 +1573,7 @@ nsDocShell::LoadURI(nsIURI* aURI,
   return InternalLoad(aURI,
                       originalURI,
                       loadReplace,
+                      isFromProcessingFrameAttributes,
                       referrer,
                       referrerPolicy,
                       triggeringPrincipal,
@@ -5340,8 +5343,8 @@ nsDocShell::LoadErrorPage(nsIURI* aURI, const char16_t* aURL,
   rv = NS_NewURI(getter_AddRefs(errorPageURI), errorPageUrl);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  return InternalLoad(errorPageURI, nullptr, false, nullptr,
-                      mozilla::net::RP_Default,
+  return InternalLoad(errorPageURI, nullptr, false, false,
+                      nullptr, mozilla::net::RP_Default,
                       nsContentUtils::GetSystemPrincipal(), nullptr,
                       INTERNAL_LOAD_FLAGS_NONE, EmptyString(),
                       nullptr, NullString(), nullptr, nullptr, LOAD_ERROR_PAGE,
@@ -5427,6 +5430,7 @@ nsDocShell::Reload(uint32_t aReloadFlags)
     rv = InternalLoad(currentURI,
                       originalURI,
                       loadReplace,
+                      false,           // Is from processing frame attributes
                       referrerURI,
                       referrerPolicy,
                       triggeringPrincipal,
@@ -9578,6 +9582,7 @@ class InternalLoadEvent : public Runnable
 public:
   InternalLoadEvent(nsDocShell* aDocShell, nsIURI* aURI,
                     nsIURI* aOriginalURI, bool aLoadReplace,
+                    bool aIsFromProcessingFrameAttributes,
                     nsIURI* aReferrer, uint32_t aReferrerPolicy,
                     nsIPrincipal* aTriggeringPrincipal,
                     nsIPrincipal* aPrincipalToInherit, uint32_t aFlags,
@@ -9591,6 +9596,7 @@ public:
     , mURI(aURI)
     , mOriginalURI(aOriginalURI)
     , mLoadReplace(aLoadReplace)
+    , mIsFromProcessingFrameAttributes(aIsFromProcessingFrameAttributes)
     , mReferrer(aReferrer)
     , mReferrerPolicy(aReferrerPolicy)
     , mTriggeringPrincipal(aTriggeringPrincipal)
@@ -9615,6 +9621,7 @@ public:
   {
     return mDocShell->InternalLoad(mURI, mOriginalURI,
                                    mLoadReplace,
+                                   mIsFromProcessingFrameAttributes,
                                    mReferrer,
                                    mReferrerPolicy,
                                    mTriggeringPrincipal, mPrincipalToInherit,
@@ -9635,6 +9642,7 @@ private:
   nsCOMPtr<nsIURI> mURI;
   nsCOMPtr<nsIURI> mOriginalURI;
   bool mLoadReplace;
+  bool mIsFromProcessingFrameAttributes;
   nsCOMPtr<nsIURI> mReferrer;
   uint32_t mReferrerPolicy;
   nsCOMPtr<nsIPrincipal> mTriggeringPrincipal;
@@ -9703,6 +9711,7 @@ NS_IMETHODIMP
 nsDocShell::InternalLoad(nsIURI* aURI,
                          nsIURI* aOriginalURI,
                          bool aLoadReplace,
+                         bool aIsFromProcessingFrameAttributes,
                          nsIURI* aReferrer,
                          uint32_t aReferrerPolicy,
                          nsIPrincipal* aTriggeringPrincipal,
@@ -10005,6 +10014,7 @@ nsDocShell::InternalLoad(nsIURI* aURI,
                                     INTERNAL_LOAD_FLAGS_DONT_SEND_REFERRER));
         loadInfo->SetOriginalURI(aOriginalURI);
         loadInfo->SetLoadReplace(aLoadReplace);
+        loadInfo->SetIsFromProcessingFrameAttributes(aIsFromProcessingFrameAttributes);
         loadInfo->SetTriggeringPrincipal(aTriggeringPrincipal);
         loadInfo->SetInheritPrincipal(
           aFlags & INTERNAL_LOAD_FLAGS_INHERIT_PRINCIPAL);
@@ -10053,6 +10063,7 @@ nsDocShell::InternalLoad(nsIURI* aURI,
       rv = targetDocShell->InternalLoad(aURI,
                                         aOriginalURI,
                                         aLoadReplace,
+                                        aIsFromProcessingFrameAttributes,
                                         aReferrer,
                                         aReferrerPolicy,
                                         aTriggeringPrincipal,
@@ -10135,6 +10146,7 @@ nsDocShell::InternalLoad(nsIURI* aURI,
       // Do this asynchronously
       nsCOMPtr<nsIRunnable> ev =
         new InternalLoadEvent(this, aURI, aOriginalURI, aLoadReplace,
+                              aIsFromProcessingFrameAttributes,
                               aReferrer, aReferrerPolicy,
                               aTriggeringPrincipal, principalToInherit,
                               aFlags, aTypeHint, aPostData, aHeadersData,
@@ -10661,7 +10673,8 @@ nsDocShell::InternalLoad(nsIURI* aURI,
                         nsINetworkPredictor::PREDICT_LOAD, this, nullptr);
 
   nsCOMPtr<nsIRequest> req;
-  rv = DoURILoad(aURI, aOriginalURI, aLoadReplace, loadFromExternal,
+  rv = DoURILoad(aURI, aOriginalURI, aLoadReplace, 
+                 aIsFromProcessingFrameAttributes, loadFromExternal,
                  (aFlags & INTERNAL_LOAD_FLAGS_FORCE_ALLOW_DATA_URI),
                  aReferrer,
                  !(aFlags & INTERNAL_LOAD_FLAGS_DONT_SEND_REFERRER),
@@ -10743,6 +10756,7 @@ nsresult
 nsDocShell::DoURILoad(nsIURI* aURI,
                       nsIURI* aOriginalURI,
                       bool aLoadReplace,
+                      bool aIsFromProcessingFrameAttributes,
                       bool aLoadFromExternal,
                       bool aForceAllowDataURI,
                       nsIURI* aReferrerURI,
@@ -10903,7 +10917,7 @@ nsDocShell::DoURILoad(nsIURI* aURI,
     securityFlags |= nsILoadInfo::SEC_SANDBOXED;
   }
 
-  nsCOMPtr<nsILoadInfo> loadInfo =
+  RefPtr<LoadInfo> loadInfo =
     (aContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT) ?
       new LoadInfo(loadingWindow, aTriggeringPrincipal, topLevelLoadingContext,
                    securityFlags) :
@@ -10929,6 +10943,10 @@ nsDocShell::DoURILoad(nsIURI* aURI,
     return rv;
   }
 
+  if (aIsFromProcessingFrameAttributes) {
+    loadInfo->SetIsFromProcessingFrameAttributes();
+  }
+
   if (!isSrcdoc) {
     rv = NS_NewChannelInternal(getter_AddRefs(channel),
                                aURI,
@@ -12581,6 +12599,7 @@ nsDocShell::LoadHistoryEntry(nsISHEntry* aEntry, uint32_t aLoadType)
   rv = InternalLoad(uri,
                     originalURI,
                     loadReplace,
+                    false,              // Is from processing frame attributes
                     referrerURI,
                     referrerPolicy,
                     triggeringPrincipal,
@@ -14084,6 +14103,7 @@ nsDocShell::OnLinkClickSync(nsIContent* aContent,
   nsresult rv = InternalLoad(clonedURI,                 // New URI
                              nullptr,                   // Original URI
                              false,                     // LoadReplace
+                             false,                     // From frame attributes
                              referer,                   // Referer URI
                              refererPolicy,             // Referer policy
                              triggeringPrincipal,
diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
index f510a15b00..8de3995fc6 100644
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -371,6 +371,7 @@ protected:
   nsresult DoURILoad(nsIURI* aURI,
                      nsIURI* aOriginalURI,
                      bool aLoadReplace,
+                     bool aIsFromProcessingFrameAttributes,
                      bool aLoadFromExternal,
                      bool aForceAllowDataURI,
                      nsIURI* aReferrer,
diff --git a/docshell/base/nsDocShellLoadInfo.cpp b/docshell/base/nsDocShellLoadInfo.cpp
index b00e8e3603..b1a9902675 100644
--- a/docshell/base/nsDocShellLoadInfo.cpp
+++ b/docshell/base/nsDocShellLoadInfo.cpp
@@ -20,6 +20,7 @@ nsDocShellLoadInfo::nsDocShellLoadInfo()
   , mReferrerPolicy(mozilla::net::RP_Default)
   , mLoadType(nsIDocShellLoadInfo::loadNormal)
   , mIsSrcdocLoad(false)
+  , mIsFromProcessingFrameAttributes(false)
 {
 }
 
@@ -310,3 +311,19 @@ nsDocShellLoadInfo::SetBaseURI(nsIURI* aBaseURI)
   mBaseURI = aBaseURI;
   return NS_OK;
 }
+
+NS_IMETHODIMP
+nsDocShellLoadInfo::GetIsFromProcessingFrameAttributes(bool* aIsFromProcessingFrameAttributes)
+{
+  NS_ENSURE_ARG_POINTER(aIsFromProcessingFrameAttributes);
+
+  *aIsFromProcessingFrameAttributes = mIsFromProcessingFrameAttributes;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsDocShellLoadInfo::SetIsFromProcessingFrameAttributes(bool aIsFromProcessingFrameAttributes)
+{
+  mIsFromProcessingFrameAttributes = aIsFromProcessingFrameAttributes;
+  return NS_OK;
+}
diff --git a/docshell/base/nsDocShellLoadInfo.h b/docshell/base/nsDocShellLoadInfo.h
index f3ddcca1e6..09479683b0 100644
--- a/docshell/base/nsDocShellLoadInfo.h
+++ b/docshell/base/nsDocShellLoadInfo.h
@@ -49,6 +49,10 @@ protected:
   nsString mSrcdocData;
   nsCOMPtr<nsIDocShell> mSourceDocShell;
   nsCOMPtr<nsIURI> mBaseURI;
+
+  // This will be true if this load is triggered by attribute changes.
+  // See nsILoadInfo.isFromProcessingFrameAttributes
+  bool mIsFromProcessingFrameAttributes;
 };
 
 #endif /* nsDocShellLoadInfo_h__ */
diff --git a/docshell/base/nsIDocShell.idl b/docshell/base/nsIDocShell.idl
index e34e6adfdf..d205e5b0cf 100644
--- a/docshell/base/nsIDocShell.idl
+++ b/docshell/base/nsIDocShell.idl
@@ -133,6 +133,10 @@ interface nsIDocShell : nsIDocShellTreeItem
    * @param aLoadReplace         - If set LOAD_REPLACE flag will be set on the
    *                               channel. aOriginalURI is null, this argument is
    *                               ignored.
+   * @param aIsFromProcessingFrameAttributes
+   *                             - If this is a load triggered by changing frame
+   *                               attributes.
+   *                               See nsILoadInfo.isFromProcessingFrameAttributes
    * @param aReferrer            - Referring URI
    * @param aReferrerPolicy      - Referrer policy
    * @param aTriggeringPrincipal - A non-null principal that initiated that load.
@@ -178,6 +182,7 @@ interface nsIDocShell : nsIDocShellTreeItem
   [noscript]void internalLoad(in nsIURI aURI,
                               in nsIURI aOriginalURI,
                               in boolean aLoadReplace,
+                              in boolean aIsFromProcessingFrameAttributes,
                               in nsIURI aReferrer,
                               in unsigned long aReferrerPolicy,
                               in nsIPrincipal aTriggeringPrincipal,
diff --git a/docshell/base/nsIDocShellLoadInfo.idl b/docshell/base/nsIDocShellLoadInfo.idl
index 8804f63a3c..2f52ef0aa2 100644
--- a/docshell/base/nsIDocShellLoadInfo.idl
+++ b/docshell/base/nsIDocShellLoadInfo.idl
@@ -128,4 +128,10 @@ interface nsIDocShellLoadInfo : nsISupports
      * URI as this information isn't embedded in the load's URI.
      */
     attribute nsIURI baseURI;
+
+    /**
+     * This will be true if this load is triggered by attribute changes.
+     * See nsILoadInfo.isFromProcessingFrameAttributes
+     */
+    attribute boolean isFromProcessingFrameAttributes;
 };
diff --git a/dom/base/Element.cpp b/dom/base/Element.cpp
index 79b36a3149..3760dc43f4 100644
--- a/dom/base/Element.cpp
+++ b/dom/base/Element.cpp
@@ -145,7 +145,6 @@
 #include "mozilla/dom/KeyframeEffectBinding.h"
 #include "mozilla/dom/WindowBinding.h"
 #include "mozilla/dom/ElementBinding.h"
-#include "mozilla/dom/VRDisplay.h"
 #include "mozilla/IntegerPrintfMacros.h"
 #include "mozilla/Preferences.h"
 #include "nsComputedDOMStyle.h"
diff --git a/dom/base/Location.cpp b/dom/base/Location.cpp
index 7b3722f09e..e312cffe00 100644
--- a/dom/base/Location.cpp
+++ b/dom/base/Location.cpp
@@ -33,6 +33,7 @@
 #include "nsCycleCollectionParticipant.h"
 #include "nsNullPrincipal.h"
 #include "ScriptSettings.h"
+#include "mozilla/Unused.h"
 #include "mozilla/dom/LocationBinding.h"
 
 namespace mozilla {
@@ -716,9 +717,15 @@ Location::SetProtocol(const nsAString& aProtocol)
     return rv;
   }
 
-  rv = uri->SetScheme(NS_ConvertUTF16toUTF8(aProtocol));
+  nsAString::const_iterator start, end;
+  aProtocol.BeginReading(start);
+  aProtocol.EndReading(end);
+  nsAString::const_iterator iter(start);
+  Unused << FindCharInReadable(':', iter, end);
+
+  rv = uri->SetScheme(NS_ConvertUTF16toUTF8(Substring(start, iter)));
   if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
+    return NS_ERROR_DOM_SYNTAX_ERR;
   }
   nsAutoCString newSpec;
   rv = uri->GetSpec(newSpec);
@@ -728,8 +735,28 @@ Location::SetProtocol(const nsAString& aProtocol)
   // We may want a new URI class for the new URI, so recreate it:
   rv = NS_NewURI(getter_AddRefs(uri), newSpec);
   if (NS_FAILED(rv)) {
+    if (rv == NS_ERROR_MALFORMED_URI) {
+      rv = NS_ERROR_DOM_SYNTAX_ERR;
+    }
     return rv;
   }
+  
+  bool isHttp;
+  rv = uri->SchemeIs("http", &isHttp);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  bool isHttps;
+  rv = uri->SchemeIs("https", &isHttps);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return rv;
+  }
+
+  if (!isHttp && !isHttps) {
+    // No-op, per spec.
+    return NS_OK;
+  }
 
   return SetURI(uri);
 }
diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp
index 1bc4f82f49..286cd0e797 100644
--- a/dom/base/Navigator.cpp
+++ b/dom/base/Navigator.cpp
@@ -44,7 +44,6 @@
 #include "mozilla/dom/ServiceWorkerContainer.h"
 #include "mozilla/dom/StorageManager.h"
 #include "mozilla/dom/TCPSocket.h"
-#include "mozilla/dom/VRDisplay.h"
 #include "mozilla/dom/workers/RuntimeService.h"
 #include "mozilla/Hal.h"
 #include "nsISiteSpecificUserAgent.h"
@@ -1471,83 +1470,6 @@ Navigator::RequestGamepadServiceTest()
 }
 #endif
 
-already_AddRefed<Promise>
-Navigator::GetVRDisplays(ErrorResult& aRv)
-{
-  if (!mWindow || !mWindow->GetDocShell()) {
-    aRv.Throw(NS_ERROR_UNEXPECTED);
-    return nullptr;
-  }
-
-  nsGlobalWindow* win = nsGlobalWindow::Cast(mWindow);
-  win->NotifyVREventListenerAdded();
-
-  nsCOMPtr<nsIGlobalObject> go = do_QueryInterface(mWindow);
-  RefPtr<Promise> p = Promise::Create(go, aRv);
-  if (aRv.Failed()) {
-    return nullptr;
-  }
-
-  // We pass mWindow's id to RefreshVRDisplays, so NotifyVRDisplaysUpdated will
-  // be called asynchronously, resolving the promises in mVRGetDisplaysPromises.
-  if (!VRDisplay::RefreshVRDisplays(win->WindowID())) {
-    p->MaybeReject(NS_ERROR_FAILURE);
-    return p.forget();
-  }
-
-  mVRGetDisplaysPromises.AppendElement(p);
-  return p.forget();
-}
-
-void
-Navigator::GetActiveVRDisplays(nsTArray<RefPtr<VRDisplay>>& aDisplays) const
-{
-  /**
-   * Get only the active VR displays.
-   * Callers do not wish to VRDisplay::RefreshVRDisplays, as the enumeration may
-   * activate hardware that is not yet intended to be used.
-   */
-  if (!mWindow || !mWindow->GetDocShell()) {
-    return;
-  }
-  nsGlobalWindow* win = nsGlobalWindow::Cast(mWindow);
-  win->NotifyVREventListenerAdded();
-  nsTArray<RefPtr<VRDisplay>> displays;
-  if (win->UpdateVRDisplays(displays)) {
-    for (auto display : displays) {
-      if (display->IsPresenting()) {
-        aDisplays.AppendElement(display);
-      }
-    }
-  }
-}
-
-void
-Navigator::NotifyVRDisplaysUpdated()
-{
-  // Synchronize the VR devices and resolve the promises in
-  // mVRGetDisplaysPromises
-  nsGlobalWindow* win = nsGlobalWindow::Cast(mWindow);
-
-  nsTArray<RefPtr<VRDisplay>> vrDisplays;
-  if (win->UpdateVRDisplays(vrDisplays)) {
-    for (auto p : mVRGetDisplaysPromises) {
-      p->MaybeResolve(vrDisplays);
-    }
-  } else {
-    for (auto p : mVRGetDisplaysPromises) {
-      p->MaybeReject(NS_ERROR_FAILURE);
-    }
-  }
-  mVRGetDisplaysPromises.Clear();
-}
-
-void
-Navigator::NotifyActiveVRDisplaysChanged()
-{
-  NavigatorBinding::ClearCachedActiveVRDisplaysValue(this);
-}
-
 //*****************************************************************************
 //    Navigator::nsIMozNavigatorNetwork
 //*****************************************************************************
diff --git a/dom/base/Navigator.h b/dom/base/Navigator.h
index d47a80bc1c..91b7fc15ce 100644
--- a/dom/base/Navigator.h
+++ b/dom/base/Navigator.h
@@ -76,7 +76,6 @@ class Connection;
 class PowerManager;
 class Presentation;
 class LegacyMozTCPSocket;
-class VRDisplay;
 class StorageManager;
 
 namespace time {
@@ -204,8 +203,6 @@ public:
   void GetGamepads(nsTArray<RefPtr<Gamepad> >& aGamepads, ErrorResult& aRv);
   GamepadServiceTest* RequestGamepadServiceTest();
 #endif // MOZ_GAMEPAD
-  already_AddRefed<Promise> GetVRDisplays(ErrorResult& aRv);
-  void GetActiveVRDisplays(nsTArray<RefPtr<VRDisplay>>& aDisplays) const;
 #ifdef MOZ_TIME_MANAGER
   time::TimeManager* GetMozTime(ErrorResult& aRv);
 #endif // MOZ_TIME_MANAGER
@@ -269,10 +266,6 @@ private:
   RefPtr<MediaKeySystemAccessManager> mMediaKeySystemAccessManager;
 #endif
 
-public:
-  void NotifyVRDisplaysUpdated();
-  void NotifyActiveVRDisplaysChanged();
-
 private:
   virtual ~Navigator();
 
diff --git a/dom/base/nsCCUncollectableMarker.cpp b/dom/base/nsCCUncollectableMarker.cpp
index 861cda5210..db4d0d3512 100644
--- a/dom/base/nsCCUncollectableMarker.cpp
+++ b/dom/base/nsCCUncollectableMarker.cpp
@@ -188,23 +188,20 @@ MarkMessageManagers()
 }
 
 void
-MarkContentViewer(nsIContentViewer* aViewer, bool aCleanupJS,
-                  bool aPrepareForCC)
+MarkDocument(nsIDocument* aDoc, bool aCleanupJS, bool aPrepareForCC)
 {
-  if (!aViewer) {
+  if (!aDoc) {
     return;
   }
 
-  nsIDocument *doc = aViewer->GetDocument();
-  if (doc &&
-      doc->GetMarkedCCGeneration() != nsCCUncollectableMarker::sGeneration) {
-    doc->MarkUncollectableForCCGeneration(nsCCUncollectableMarker::sGeneration);
+  if (aDoc->GetMarkedCCGeneration() != nsCCUncollectableMarker::sGeneration) {
+    aDoc->MarkUncollectableForCCGeneration(nsCCUncollectableMarker::sGeneration);
     if (aCleanupJS) {
-      EventListenerManager* elm = doc->GetExistingListenerManager();
+      EventListenerManager* elm = aDoc->GetExistingListenerManager();
       if (elm) {
         elm->MarkForCC();
       }
-      nsCOMPtr<EventTarget> win = do_QueryInterface(doc->GetInnerWindow());
+      nsCOMPtr<EventTarget> win = do_QueryInterface(aDoc->GetInnerWindow());
       if (win) {
         elm = win->GetExistingListenerManager();
         if (elm) {
@@ -215,18 +212,27 @@ MarkContentViewer(nsIContentViewer* aViewer, bool aCleanupJS,
     } else if (aPrepareForCC) {
       // Unfortunately we need to still mark user data just before running CC so
       // that it has the right generation.
-      doc->PropertyTable(DOM_USER_DATA)->
+      aDoc->PropertyTable(DOM_USER_DATA)->
         EnumerateAll(MarkUserData, &nsCCUncollectableMarker::sGeneration);
     }
   }
-  if (doc) {
-    if (nsPIDOMWindowInner* inner = doc->GetInnerWindow()) {
-      inner->MarkUncollectableForCCGeneration(nsCCUncollectableMarker::sGeneration);
-    }
-    if (nsPIDOMWindowOuter* outer = doc->GetWindow()) {
-      outer->MarkUncollectableForCCGeneration(nsCCUncollectableMarker::sGeneration);
-    }
+  if (nsPIDOMWindowInner* inner = aDoc->GetInnerWindow()) {
+    inner->MarkUncollectableForCCGeneration(nsCCUncollectableMarker::sGeneration);
+  }
+  if (nsPIDOMWindowOuter* outer = aDoc->GetWindow()) {
+    outer->MarkUncollectableForCCGeneration(nsCCUncollectableMarker::sGeneration);
+  }
+}
+
+void
+MarkContentViewer(nsIContentViewer* aViewer, bool aCleanupJS,
+                  bool aPrepareForCC)
+{
+  if (!aViewer) {
+    return;
   }
+
+  MarkDocument(aViewer->GetDocument(), aCleanupJS, aPrepareForCC);
 }
 
 void MarkDocShell(nsIDocShellTreeItem* aNode, bool aCleanupJS,
diff --git a/dom/base/nsFrameLoader.cpp b/dom/base/nsFrameLoader.cpp
index 23067becd0..2804f2d4c0 100644
--- a/dom/base/nsFrameLoader.cpp
+++ b/dom/base/nsFrameLoader.cpp
@@ -588,6 +588,9 @@ nsFrameLoader::ReallyStartLoadingInternal()
     flags = nsIWebNavigation::LOAD_FLAGS_ALLOW_THIRD_PARTY_FIXUP |
             nsIWebNavigation::LOAD_FLAGS_DISALLOW_INHERIT_PRINCIPAL;
   }
+  
+  // Notify that this load resulted from attribute changes.
+  loadInfo->SetIsFromProcessingFrameAttributes(true);
 
   // Kick off the load...
   bool tmpState = mNeedsAsyncDestroy;
diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp
index 86160c77c7..677e1a0ea4 100644
--- a/dom/base/nsGlobalWindow.cpp
+++ b/dom/base/nsGlobalWindow.cpp
@@ -202,9 +202,6 @@
 #include "mozilla/dom/GamepadManager.h"
 #endif
 
-#include "mozilla/dom/VRDisplay.h"
-#include "mozilla/dom/VREventObserver.h"
-
 #include "nsRefreshDriver.h"
 #include "Layers.h"
 
@@ -1532,7 +1529,6 @@ nsGlobalWindow::nsGlobalWindow(nsGlobalWindow *aOuterWindow)
     mShowFocusRingForContent(false),
     mFocusByKeyOccurred(false),
     mHasGamepad(false),
-    mHasVREvents(false),
 #ifdef MOZ_GAMEPAD
     mHasSeenGamepadInput(false),
 #endif
@@ -1967,12 +1963,9 @@ nsGlobalWindow::CleanUp()
   if (IsInnerWindow()) {
     DisableGamepadUpdates();
     mHasGamepad = false;
-    DisableVRUpdates();
-    mHasVREvents = false;
     DisableIdleCallbackRequests();
   } else {
     MOZ_ASSERT(!mHasGamepad);
-    MOZ_ASSERT(!mHasVREvents);
   }
 
   if (mCleanMessageManager) {
@@ -2118,9 +2111,6 @@ nsGlobalWindow::FreeInnerObjects(bool aForDocumentOpen)
   mHasGamepad = false;
   mGamepads.Clear();
 #endif
-  DisableVRUpdates();
-  mHasVREvents = false;
-  mVRDisplays.Clear();
 }
 
 //*****************************************************************************
@@ -2275,7 +2265,6 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INTERNAL(nsGlobalWindow)
 #endif
 
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mCacheStorage)
-  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mVRDisplays)
 
   // Traverse stuff from nsPIDOMWindow
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mChromeEventHandler)
@@ -2352,7 +2341,6 @@ NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(nsGlobalWindow)
 #endif
 
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mCacheStorage)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK(mVRDisplays)
 
   // Unlink stuff from nsPIDOMWindow
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mChromeEventHandler)
@@ -10508,24 +10496,6 @@ nsGlobalWindow::DisableGamepadUpdates()
 }
 
 void
-nsGlobalWindow::EnableVRUpdates()
-{
-  MOZ_ASSERT(IsInnerWindow());
-
-  if (mHasVREvents && !mVREventObserver) {
-    mVREventObserver = new VREventObserver(this);
-  }
-}
-
-void
-nsGlobalWindow::DisableVRUpdates()
-{
-  MOZ_ASSERT(IsInnerWindow());
-
-  mVREventObserver = nullptr;
-}
-
-void
 nsGlobalWindow::SetChromeEventHandler(EventTarget* aChromeEventHandler)
 {
   MOZ_ASSERT(IsOuterWindow());
@@ -12210,7 +12180,6 @@ nsGlobalWindow::Suspend()
       ac->RemoveWindowListener(mEnabledSensors[i], this);
   }
   DisableGamepadUpdates();
-  DisableVRUpdates();
 
   mozilla::dom::workers::SuspendWorkersForWindow(AsInner());
 
@@ -12274,7 +12243,6 @@ nsGlobalWindow::Resume()
       ac->AddWindowListener(mEnabledSensors[i], this);
   }
   EnableGamepadUpdates();
-  EnableVRUpdates();
 
   // Resume all of the AudioContexts for this window
   for (uint32_t i = 0; i < mAudioContexts.Length(); ++i) {
@@ -14030,19 +13998,6 @@ nsGlobalWindow::SetHasGamepadEventListener(bool aHasGamepad/* = true*/)
 void
 nsGlobalWindow::EventListenerAdded(nsIAtom* aType)
 {
-  if (aType == nsGkAtoms::onvrdisplayconnect ||
-      aType == nsGkAtoms::onvrdisplaydisconnect ||
-      aType == nsGkAtoms::onvrdisplaypresentchange) {
-    NotifyVREventListenerAdded();
-  }
-}
-
-void
-nsGlobalWindow::NotifyVREventListenerAdded()
-{
-  MOZ_ASSERT(IsInnerWindow());
-  mHasVREvents = true;
-  EnableVRUpdates();
 }
 
 void
@@ -14187,27 +14142,6 @@ nsGlobalWindow::SyncGamepadState()
 }
 #endif // MOZ_GAMEPAD
 
-bool
-nsGlobalWindow::UpdateVRDisplays(nsTArray<RefPtr<mozilla::dom::VRDisplay>>& aDevices)
-{
-  FORWARD_TO_INNER(UpdateVRDisplays, (aDevices), false);
-
-  VRDisplay::UpdateVRDisplays(mVRDisplays, AsInner());
-  aDevices = mVRDisplays;
-  return true;
-}
-
-void
-nsGlobalWindow::NotifyActiveVRDisplaysChanged()
-{
-  MOZ_ASSERT(IsInnerWindow());
-
-  if (mNavigator) {
-    mNavigator->NotifyActiveVRDisplaysChanged();
-  }
-}
-
-
 // nsGlobalChromeWindow implementation
 
 NS_IMPL_CYCLE_COLLECTION_CLASS(nsGlobalChromeWindow)
diff --git a/dom/base/nsGlobalWindow.h b/dom/base/nsGlobalWindow.h
index 80bf33b804..1cb825a773 100644
--- a/dom/base/nsGlobalWindow.h
+++ b/dom/base/nsGlobalWindow.h
@@ -135,8 +135,6 @@ class SpeechSynthesis;
 class TabGroup;
 class Timeout;
 class U2F;
-class VRDisplay;
-class VREventObserver;
 class WakeLock;
 #if defined(MOZ_WIDGET_ANDROID)
 class WindowOrientationObserver;
@@ -745,18 +743,6 @@ public:
   void EnableGamepadUpdates();
   void DisableGamepadUpdates();
 
-  // Inner windows only.
-  // Enable/disable updates for VR
-  void EnableVRUpdates();
-  void DisableVRUpdates();
-
-  // Update the VR displays for this window
-  bool UpdateVRDisplays(nsTArray<RefPtr<mozilla::dom::VRDisplay>>& aDisplays);
-
-  // Inner windows only.
-  // Called to inform that the set of active VR displays has changed.
-  void NotifyActiveVRDisplaysChanged();
-
 #define EVENT(name_, id_, type_, struct_)                                     \
   mozilla::dom::EventHandlerNonNull* GetOn##name_()                           \
   {                                                                           \
@@ -1832,9 +1818,6 @@ protected:
   // Indicates whether this window wants gamepad input events
   bool                   mHasGamepad : 1;
 
-  // Inner windows only.
-  // Indicates whether this window wants VR events
-  bool                   mHasVREvents : 1;
 #ifdef MOZ_GAMEPAD
   nsCheapSet<nsUint32HashKey> mGamepadIndexSet;
   nsRefPtrHashtable<nsUint32HashKey, mozilla::dom::Gamepad> mGamepads;
@@ -1989,11 +1972,6 @@ protected:
   // This is the CC generation the last time we called CanSkip.
   uint32_t mCanSkipCCGeneration;
 
-  // The VR Displays for this window
-  nsTArray<RefPtr<mozilla::dom::VRDisplay>> mVRDisplays;
-
-  nsAutoPtr<mozilla::dom::VREventObserver> mVREventObserver;
-
   friend class nsDOMScriptableHelper;
   friend class nsDOMWindowUtils;
   friend class mozilla::dom::PostMessageEvent;
diff --git a/dom/base/nsScriptLoader.cpp b/dom/base/nsScriptLoader.cpp
index a6d20e363c..0eb5bbf316 100644
--- a/dom/base/nsScriptLoader.cpp
+++ b/dom/base/nsScriptLoader.cpp
@@ -81,11 +81,19 @@ ImplCycleCollectionTraverse(nsCycleCollectionTraversalCallback& aCallback,
 NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(nsScriptLoadRequest)
 NS_INTERFACE_MAP_END
 
-NS_IMPL_CYCLE_COLLECTION_0(nsScriptLoadRequest)
-
 NS_IMPL_CYCLE_COLLECTING_ADDREF(nsScriptLoadRequest)
 NS_IMPL_CYCLE_COLLECTING_RELEASE(nsScriptLoadRequest)
 
+NS_IMPL_CYCLE_COLLECTION_CLASS(nsScriptLoadRequest)
+
+NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(nsScriptLoadRequest)
+  NS_IMPL_CYCLE_COLLECTION_UNLINK(mElement)
+NS_IMPL_CYCLE_COLLECTION_UNLINK_END
+
+NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(nsScriptLoadRequest)
+  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mElement)
+NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
+
 nsScriptLoadRequest::~nsScriptLoadRequest()
 {
   js_free(mScriptTextBuf);
diff --git a/dom/canvas/CanvasRenderingContext2D.cpp b/dom/canvas/CanvasRenderingContext2D.cpp
index 18af28e9f7..e3406fc021 100644
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@@ -783,6 +783,15 @@ public:
   : mCanvas(aCanvas)
   {}
 
+  void OnShutdown() {
+    if(!mCanvas) {
+      return;
+    }
+    
+    mCanvas = nullptr;
+    nsContentUtils::UnregisterShutdownObserver(this);
+  }
+  
   NS_DECL_ISUPPORTS
   NS_DECL_NSIOBSERVER
 private:
@@ -800,7 +809,7 @@ CanvasShutdownObserver::Observe(nsISupports* aSubject,
 {
   if (mCanvas && strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
     mCanvas->OnShutdown();
-    nsContentUtils::UnregisterShutdownObserver(this);
+    OnShutdown();
   }
 
   return NS_OK;
@@ -1218,7 +1227,7 @@ void
 CanvasRenderingContext2D::RemoveShutdownObserver()
 {
   if (mShutdownObserver) {
-    nsContentUtils::UnregisterShutdownObserver(mShutdownObserver);
+    mShutdownObserver->OnShutdown();
     mShutdownObserver = nullptr;
   }
 }
diff --git a/dom/canvas/WebGLContext.cpp b/dom/canvas/WebGLContext.cpp
index 14bc7e3e3d..e2e05e5fd3 100644
--- a/dom/canvas/WebGLContext.cpp
+++ b/dom/canvas/WebGLContext.cpp
@@ -47,7 +47,6 @@
 #include "nsSVGEffects.h"
 #include "prenv.h"
 #include "ScopedGLHelpers.h"
-#include "VRManagerChild.h"
 #include "mozilla/layers/TextureClientSharedSurface.h"
 
 // Local
@@ -2239,84 +2238,6 @@ WebGLContext::GetUnpackSize(bool isFunc3D, uint32_t width, uint32_t height,
     return totalBytes;
 }
 
-already_AddRefed<layers::SharedSurfaceTextureClient>
-WebGLContext::GetVRFrame()
-{
-    if (!mLayerIsMirror) {
-        /**
-         * Do not allow VR frame submission until a mirroring canvas layer has
-         * been returned by GetCanvasLayer
-         */
-        return nullptr;
-    }
-
-    VRManagerChild* vrmc = VRManagerChild::Get();
-    if (!vrmc) {
-        return nullptr;
-    }
-
-    /**
-     * Swap buffers as though composition has occurred.
-     * We will then share the resulting front buffer to be submitted to the VR
-     * compositor.
-     */
-    BeginComposition();
-    EndComposition();
-
-    gl::GLScreenBuffer* screen = gl->Screen();
-    if (!screen) {
-        return nullptr;
-    }
-
-    RefPtr<SharedSurfaceTextureClient> sharedSurface = screen->Front();
-    if (!sharedSurface) {
-        return nullptr;
-    }
-
-    if (sharedSurface && sharedSurface->GetAllocator() != vrmc) {
-        RefPtr<SharedSurfaceTextureClient> dest =
-        screen->Factory()->NewTexClient(sharedSurface->GetSize());
-        if (!dest) {
-            return nullptr;
-        }
-        gl::SharedSurface* destSurf = dest->Surf();
-        destSurf->ProducerAcquire();
-        SharedSurface::ProdCopy(sharedSurface->Surf(), dest->Surf(),
-                                screen->Factory());
-        destSurf->ProducerRelease();
-
-        return dest.forget();
-    }
-
-  return sharedSurface.forget();
-}
-
-bool
-WebGLContext::StartVRPresentation()
-{
-    VRManagerChild* vrmc = VRManagerChild::Get();
-    if (!vrmc) {
-        return false;
-    }
-    gl::GLScreenBuffer* screen = gl->Screen();
-    if (!screen) {
-        return false;
-    }
-    gl::SurfaceCaps caps = screen->mCaps;
-
-    UniquePtr<gl::SurfaceFactory> factory =
-        gl::GLScreenBuffer::CreateFactory(gl,
-            caps,
-            vrmc,
-            vrmc->GetBackendType(),
-            TextureFlags::ORIGIN_BOTTOM_LEFT);
-
-    if (factory) {
-        screen->Morph(Move(factory));
-    }
-    return true;
-}
-
 ////////////////////////////////////////////////////////////////////////////////
 
 static inline size_t
diff --git a/dom/canvas/WebGLContext.h b/dom/canvas/WebGLContext.h
index b4d416a330..3ec307b001 100644
--- a/dom/canvas/WebGLContext.h
+++ b/dom/canvas/WebGLContext.h
@@ -656,9 +656,6 @@ public:
     void PixelStorei(GLenum pname, GLint param);
     void PolygonOffset(GLfloat factor, GLfloat units);
 
-    already_AddRefed<layers::SharedSurfaceTextureClient> GetVRFrame();
-    bool StartVRPresentation();
-
     ////
 
     webgl::PackingInfo
diff --git a/dom/crypto/WebCryptoTask.cpp b/dom/crypto/WebCryptoTask.cpp
index c4cc7080da..e5f5882e98 100644
--- a/dom/crypto/WebCryptoTask.cpp
+++ b/dom/crypto/WebCryptoTask.cpp
@@ -584,7 +584,7 @@ public:
 
       mMechanism = CKM_AES_CBC_PAD;
       telemetryAlg = TA_AES_CBC;
-      AesCbcParams params;
+      RootedDictionary<AesCbcParams> params(aCx);
       nsresult rv = Coerce(aCx, params, aAlgorithm);
       if (NS_FAILED(rv)) {
         mEarlyRv = NS_ERROR_DOM_INVALID_ACCESS_ERR;
@@ -601,7 +601,7 @@ public:
 
       mMechanism = CKM_AES_CTR;
       telemetryAlg = TA_AES_CTR;
-      AesCtrParams params;
+      RootedDictionary<AesCtrParams> params(aCx);
       nsresult rv = Coerce(aCx, params, aAlgorithm);
       if (NS_FAILED(rv)) {
         mEarlyRv = NS_ERROR_DOM_SYNTAX_ERR;
@@ -620,7 +620,7 @@ public:
 
       mMechanism = CKM_AES_GCM;
       telemetryAlg = TA_AES_GCM;
-      AesGcmParams params;
+      RootedDictionary<AesGcmParams> params(aCx);
       nsresult rv = Coerce(aCx, params, aAlgorithm);
       if (NS_FAILED(rv)) {
         mEarlyRv = NS_ERROR_DOM_SYNTAX_ERR;
diff --git a/dom/gamepad/GamepadManager.cpp b/dom/gamepad/GamepadManager.cpp
index dde71dd0a9..e178296522 100644
--- a/dom/gamepad/GamepadManager.cpp
+++ b/dom/gamepad/GamepadManager.cpp
@@ -28,7 +28,6 @@
 #include "nsIObserverService.h"
 #include "nsIServiceManager.h"
 #include "nsThreadUtils.h"
-#include "VRManagerChild.h"
 #include "mozilla/Services.h"
 #include "mozilla/Unused.h"
 
@@ -110,11 +109,6 @@ GamepadManager::StopMonitoring()
   }
   mChannelChildren.Clear();
   mGamepads.Clear();
-
-#if defined(XP_WIN) || defined(XP_MACOSX) || defined(XP_LINUX)
-  mVRChannelChild = gfx::VRManagerChild::Get();
-  mVRChannelChild->SendControllerListenerRemoved();
-#endif
 }
 
 void
@@ -211,11 +205,6 @@ uint32_t GamepadManager::GetGamepadIndexWithServiceType(uint32_t aIndex,
      newIndex = aIndex;
      break;
     }
-    case GamepadServiceType::VR:
-    {
-     newIndex = aIndex + VR_GAMEPAD_IDX_OFFSET;
-     break;
-    }
     default:
      MOZ_ASSERT(false);
      break;
@@ -679,13 +668,6 @@ GamepadManager::ActorCreated(PBackgroundChild *aActor)
   MOZ_ASSERT(initedChild == child);
   child->SendGamepadListenerAdded();
   mChannelChildren.AppendElement(child);
-
-#if defined(XP_WIN) || defined(XP_MACOSX) || defined(XP_LINUX)
-  // Construct VRManagerChannel and ask adding the connected
-  // VR controllers to GamepadManager
-  mVRChannelChild = gfx::VRManagerChild::Get();
-  mVRChannelChild->SendControllerListenerAdded();
-#endif
 }
 
 //Override nsIIPCBackgroundChildCreateCallback
diff --git a/dom/gamepad/GamepadManager.h b/dom/gamepad/GamepadManager.h
index 1bb437d8ff..a772221cac 100644
--- a/dom/gamepad/GamepadManager.h
+++ b/dom/gamepad/GamepadManager.h
@@ -16,9 +16,6 @@
 class nsGlobalWindow;
 
 namespace mozilla {
-namespace gfx {
-class VRManagerChild;
-} // namespace gfx
 namespace dom {
 
 class EventTarget;
@@ -123,7 +120,6 @@ class GamepadManager final : public nsIObserver,
   // will be destroyed during the IPDL shutdown chain, so we
   // don't need to refcount it here.
   nsTArray<GamepadEventChannelChild *> mChannelChildren;
-  gfx::VRManagerChild* mVRChannelChild;
 
  private:
 
@@ -138,8 +134,6 @@ class GamepadManager final : public nsIObserver,
   // Indicate that a window has received data from a gamepad.
   void SetWindowHasSeenGamepad(nsGlobalWindow* aWindow, uint32_t aIndex,
                                bool aHasSeen = true);
-  // Our gamepad index has VR_GAMEPAD_IDX_OFFSET while GamepadChannelType
-  // is from VRManager.
   uint32_t GetGamepadIndexWithServiceType(uint32_t aIndex, GamepadServiceType aServiceType);
 
   // Gamepads connected to the system. Copies of these are handed out
diff --git a/dom/gamepad/ipc/GamepadServiceType.h b/dom/gamepad/ipc/GamepadServiceType.h
index acc0967d1e..6200cdfa9d 100644
--- a/dom/gamepad/ipc/GamepadServiceType.h
+++ b/dom/gamepad/ipc/GamepadServiceType.h
@@ -6,11 +6,9 @@ namespace mozilla{
 namespace dom{
 
 // Standard channel is used for managing gamepads that
-// are from GamepadPlatformService. VR channel
-// is for gamepads that are from VRManagerChild.
+// are from GamepadPlatformService.
 enum class GamepadServiceType : uint16_t {
   Standard,
-  VR,
   NumGamepadServiceType
 };
 
diff --git a/dom/html/HTMLCanvasElement.cpp b/dom/html/HTMLCanvasElement.cpp
index 88b41bce0a..527135a80d 100644
--- a/dom/html/HTMLCanvasElement.cpp
+++ b/dom/html/HTMLCanvasElement.cpp
@@ -42,7 +42,6 @@
 #include "nsRefreshDriver.h"
 #include "nsStreamUtils.h"
 #include "ActiveLayerTracker.h"
-#include "VRManagerChild.h"
 #include "WebGL1Context.h"
 #include "WebGL2Context.h"
 
@@ -358,7 +357,6 @@ NS_IMPL_ISUPPORTS(HTMLCanvasElementObserver, nsIObserver)
 HTMLCanvasElement::HTMLCanvasElement(already_AddRefed<mozilla::dom::NodeInfo>& aNodeInfo)
   : nsGenericHTMLElement(aNodeInfo),
     mResetLayer(true) ,
-    mVRPresentationActive(false),
     mWriteOnly(false)
 {}
 
@@ -1111,7 +1109,7 @@ HTMLCanvasElement::GetCanvasLayer(nsDisplayListBuilder* aBuilder,
   static uint8_t sOffscreenCanvasLayerUserDataDummy = 0;
 
   if (mCurrentContext) {
-    return mCurrentContext->GetCanvasLayer(aBuilder, aOldLayer, aManager, mVRPresentationActive);
+    return mCurrentContext->GetCanvasLayer(aBuilder, aOldLayer, aManager);
   }
 
   if (mOffscreenCanvas) {
@@ -1441,42 +1439,5 @@ HTMLCanvasElement::InvalidateFromAsyncCanvasRenderer(AsyncCanvasRenderer *aRende
   element->InvalidateCanvasContent(nullptr);
 }
 
-void
-HTMLCanvasElement::StartVRPresentation()
-{
-  WebGLContext* webgl = static_cast<WebGLContext*>(GetContextAtIndex(0));
-  if (!webgl) {
-    return;
-  }
-
-  if (!webgl->StartVRPresentation()) {
-    return;
-  }
-
-  mVRPresentationActive = true;
-}
-
-void
-HTMLCanvasElement::StopVRPresentation()
-{
-  mVRPresentationActive = false;
-}
-
-already_AddRefed<layers::SharedSurfaceTextureClient>
-HTMLCanvasElement::GetVRFrame()
-{
-  if (GetCurrentContextType() != CanvasContextType::WebGL1 &&
-      GetCurrentContextType() != CanvasContextType::WebGL2) {
-    return nullptr;
-  }
-
-  WebGLContext* webgl = static_cast<WebGLContext*>(GetContextAtIndex(0));
-  if (!webgl) {
-    return nullptr;
-  }
-
-  return webgl->GetVRFrame();
-}
-
 } // namespace dom
 } // namespace mozilla
diff --git a/dom/html/HTMLCanvasElement.h b/dom/html/HTMLCanvasElement.h
index 81c141d3cc..746fab1989 100644
--- a/dom/html/HTMLCanvasElement.h
+++ b/dom/html/HTMLCanvasElement.h
@@ -350,10 +350,6 @@ public:
   static void SetAttrFromAsyncCanvasRenderer(AsyncCanvasRenderer *aRenderer);
   static void InvalidateFromAsyncCanvasRenderer(AsyncCanvasRenderer *aRenderer);
 
-  void StartVRPresentation();
-  void StopVRPresentation();
-  already_AddRefed<layers::SharedSurfaceTextureClient> GetVRFrame();
-
 protected:
   virtual ~HTMLCanvasElement();
 
diff --git a/dom/html/HTMLOptionsCollection.cpp b/dom/html/HTMLOptionsCollection.cpp
index 294493c0c3..67de97fc4c 100644
--- a/dom/html/HTMLOptionsCollection.cpp
+++ b/dom/html/HTMLOptionsCollection.cpp
@@ -35,23 +35,8 @@ namespace mozilla {
 namespace dom {
 
 HTMLOptionsCollection::HTMLOptionsCollection(HTMLSelectElement* aSelect)
-{
-  // Do not maintain a reference counted reference. When
-  // the select goes away, it will let us know.
-  mSelect = aSelect;
-}
-
-HTMLOptionsCollection::~HTMLOptionsCollection()
-{
-  DropReference();
-}
-
-void
-HTMLOptionsCollection::DropReference()
-{
-  // Drop our (non ref-counted) reference
-  mSelect = nullptr;
-}
+  : mSelect(aSelect)
+{}
 
 nsresult
 HTMLOptionsCollection::GetOptionIndex(Element* aOption,
@@ -88,7 +73,9 @@ HTMLOptionsCollection::GetOptionIndex(Element* aOption,
 }
 
 
-NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(HTMLOptionsCollection, mElements)
+NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(HTMLOptionsCollection,
+                                      mElements,
+                                      mSelect)
 
 // nsISupports
 
@@ -124,10 +111,6 @@ HTMLOptionsCollection::GetLength(uint32_t* aLength)
 NS_IMETHODIMP
 HTMLOptionsCollection::SetLength(uint32_t aLength)
 {
-  if (!mSelect) {
-    return NS_ERROR_UNEXPECTED;
-  }
-
   return mSelect->SetLength(aLength);
 }
 
@@ -135,10 +118,6 @@ NS_IMETHODIMP
 HTMLOptionsCollection::SetOption(uint32_t aIndex,
                                  nsIDOMHTMLOptionElement* aOption)
 {
-  if (!mSelect) {
-    return NS_OK;
-  }
-
   // if the new option is null, just remove this option.  Note that it's safe
   // to pass a too-large aIndex in here.
   if (!aOption) {
@@ -187,11 +166,6 @@ HTMLOptionsCollection::SetOption(uint32_t aIndex,
 int32_t
 HTMLOptionsCollection::GetSelectedIndex(ErrorResult& aError)
 {
-  if (!mSelect) {
-    aError.Throw(NS_ERROR_UNEXPECTED);
-    return 0;
-  }
-
   int32_t selectedIndex;
   aError = mSelect->GetSelectedIndex(&selectedIndex);
   return selectedIndex;
@@ -209,11 +183,6 @@ void
 HTMLOptionsCollection::SetSelectedIndex(int32_t aSelectedIndex,
                                         ErrorResult& aError)
 {
-  if (!mSelect) {
-    aError.Throw(NS_ERROR_UNEXPECTED);
-    return;
-  }
-
   aError = mSelect->SetSelectedIndex(aSelectedIndex);
 }
 
@@ -339,22 +308,12 @@ HTMLOptionsCollection::Add(const HTMLOptionOrOptGroupElement& aElement,
                            const Nullable<HTMLElementOrLong>& aBefore,
                            ErrorResult& aError)
 {
-  if (!mSelect) {
-    aError.Throw(NS_ERROR_NOT_INITIALIZED);
-    return;
-  }
-
   mSelect->Add(aElement, aBefore, aError);
 }
 
 void
 HTMLOptionsCollection::Remove(int32_t aIndex, ErrorResult& aError)
 {
-  if (!mSelect) {
-    aError.Throw(NS_ERROR_UNEXPECTED);
-    return;
-  }
-
   uint32_t len = 0;
   mSelect->GetLength(&len);
   if (aIndex < 0 || (uint32_t)aIndex >= len)
diff --git a/dom/html/HTMLOptionsCollection.h b/dom/html/HTMLOptionsCollection.h
index 21123b3d21..496919555e 100644
--- a/dom/html/HTMLOptionsCollection.h
+++ b/dom/html/HTMLOptionsCollection.h
@@ -46,7 +46,7 @@ public:
   using nsWrapperCache::GetWrapper;
   virtual JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;
 protected:
-  virtual ~HTMLOptionsCollection();
+  virtual ~HTMLOptionsCollection() = default;
 
   virtual JSObject* GetWrapperPreserveColorInternal() override
   {
@@ -113,11 +113,6 @@ public:
   }
 
   /**
-   * Drop the reference to the select.  Called during select destruction.
-   */
-  void DropReference();
-
-  /**
    * Finds the index of a given option element.
    * If the option isn't part of the collection, return NS_ERROR_FAILURE
    * without setting aIndex.
@@ -161,7 +156,7 @@ private:
    * various members such as InsertOptionAt are also infallible. */
   nsTArray<RefPtr<mozilla::dom::HTMLOptionElement> > mElements;
   /** The select element that contains this array */
-  HTMLSelectElement* mSelect;
+  RefPtr<HTMLSelectElement> mSelect;
 };
 
 } // namespace dom
diff --git a/dom/html/HTMLSelectElement.cpp b/dom/html/HTMLSelectElement.cpp
index 53f42317a0..9ba0a1efe9 100644
--- a/dom/html/HTMLSelectElement.cpp
+++ b/dom/html/HTMLSelectElement.cpp
@@ -130,11 +130,6 @@ HTMLSelectElement::HTMLSelectElement(already_AddRefed<mozilla::dom::NodeInfo>& a
                     NS_EVENT_STATE_VALID);
 }
 
-HTMLSelectElement::~HTMLSelectElement()
-{
-  mOptions->DropReference();
-}
-
 // ISupports
 
 NS_IMPL_CYCLE_COLLECTION_CLASS(HTMLSelectElement)
diff --git a/dom/html/HTMLSelectElement.h b/dom/html/HTMLSelectElement.h
index 8a25385de6..dc1075cd7d 100644
--- a/dom/html/HTMLSelectElement.h
+++ b/dom/html/HTMLSelectElement.h
@@ -436,7 +436,7 @@ public:
   void SetOpenInParentProcess(bool aVal);
 
 protected:
-  virtual ~HTMLSelectElement();
+  virtual ~HTMLSelectElement() = default;
 
   friend class SafeOptionListMutation;
 
diff --git a/dom/html/TextTrackManager.cpp b/dom/html/TextTrackManager.cpp
index 4266575f70..cc14858b65 100644
--- a/dom/html/TextTrackManager.cpp
+++ b/dom/html/TextTrackManager.cpp
@@ -29,6 +29,13 @@ namespace dom {
 
 NS_IMPL_ISUPPORTS(TextTrackManager::ShutdownObserverProxy, nsIObserver);
 
+void
+TextTrackManager::ShutdownObserverProxy::Unregister()
+{
+  nsContentUtils::UnregisterShutdownObserver(this);
+  mManager = nullptr;
+}
+
 CompareTextTracks::CompareTextTracks(HTMLMediaElement* aMediaElement)
 {
   mMediaElement = aMediaElement;
@@ -137,7 +144,7 @@ TextTrackManager::TextTrackManager(HTMLMediaElement *aMediaElement)
 TextTrackManager::~TextTrackManager()
 {
   WEBVTT_LOG("%p ~TextTrackManager",this);
-  nsContentUtils::UnregisterShutdownObserver(mShutdownProxy);
+  mShutdownProxy->Unregister();
 }
 
 TextTrackList*
diff --git a/dom/html/TextTrackManager.h b/dom/html/TextTrackManager.h
index d20707346b..4ad1a57a74 100644
--- a/dom/html/TextTrackManager.h
+++ b/dom/html/TextTrackManager.h
@@ -170,11 +170,15 @@ private:
     {
       MOZ_ASSERT(NS_IsMainThread());
       if (strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
-        nsContentUtils::UnregisterShutdownObserver(this);
-        mManager->NotifyShutdown();
+        if (mManager) {
+          mManager->NotifyShutdown();
+        }
+        Unregister();
       }
       return NS_OK;
     }
+    
+    void Unregister();
 
   private:
     ~ShutdownObserverProxy() {};
diff --git a/dom/ipc/ContentChild.cpp b/dom/ipc/ContentChild.cpp
index fc288e2c58..fdf0fcf3eb 100644
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@@ -171,7 +171,6 @@
 #include "GMPServiceChild.h"
 #include "gfxPlatform.h"
 #include "nscore.h" // for NS_FREE_PERMANENT_DATA
-#include "VRManagerChild.h"
 
 using namespace mozilla;
 using namespace mozilla::docshell;
@@ -1148,7 +1147,6 @@ ContentChild::RecvGMPsChanged(nsTArray<GMPCapabilityData>&& capabilities)
 bool
 ContentChild::RecvInitRendering(Endpoint<PCompositorBridgeChild>&& aCompositor,
                                 Endpoint<PImageBridgeChild>&& aImageBridge,
-                                Endpoint<PVRManagerChild>&& aVRBridge,
                                 Endpoint<PVideoDecoderManagerChild>&& aVideoManager)
 {
   if (!CompositorBridgeChild::InitForContent(Move(aCompositor))) {
@@ -1157,9 +1155,6 @@ ContentChild::RecvInitRendering(Endpoint<PCompositorBridgeChild>&& aCompositor,
   if (!ImageBridgeChild::InitForContent(Move(aImageBridge))) {
     return false;
   }
-  if (!gfx::VRManagerChild::InitForContent(Move(aVRBridge))) {
-    return false;
-  }
   VideoDecoderManagerChild::InitForContent(Move(aVideoManager));
   return true;
 }
@@ -1167,7 +1162,6 @@ ContentChild::RecvInitRendering(Endpoint<PCompositorBridgeChild>&& aCompositor,
 bool
 ContentChild::RecvReinitRendering(Endpoint<PCompositorBridgeChild>&& aCompositor,
                                   Endpoint<PImageBridgeChild>&& aImageBridge,
-                                  Endpoint<PVRManagerChild>&& aVRBridge,
                                   Endpoint<PVideoDecoderManagerChild>&& aVideoManager)
 {
   nsTArray<RefPtr<TabChild>> tabs = TabChild::GetAll();
@@ -1186,9 +1180,6 @@ ContentChild::RecvReinitRendering(Endpoint<PCompositorBridgeChild>&& aCompositor
   if (!ImageBridgeChild::ReinitForContent(Move(aImageBridge))) {
     return false;
   }
-  if (!gfx::VRManagerChild::ReinitForContent(Move(aVRBridge))) {
-    return false;
-  }
 
   // Establish new PLayerTransactions.
   for (const auto& tabChild : tabs) {
diff --git a/dom/ipc/ContentChild.h b/dom/ipc/ContentChild.h
index ba590b58ee..f29d17e7f6 100644
--- a/dom/ipc/ContentChild.h
+++ b/dom/ipc/ContentChild.h
@@ -152,15 +152,13 @@ public:
   RecvInitRendering(
     Endpoint<PCompositorBridgeChild>&& aCompositor,
     Endpoint<PImageBridgeChild>&& aImageBridge,
-    Endpoint<PVRManagerChild>&& aVRBridge,
-    Endpoint<PVideoDecoderManagerChild>&& aVideoManager) override;
+    Endpoint<PVideoDecoderManagerChild>&& aVideoManager);
 
   bool
   RecvReinitRendering(
     Endpoint<PCompositorBridgeChild>&& aCompositor,
     Endpoint<PImageBridgeChild>&& aImageBridge,
-    Endpoint<PVRManagerChild>&& aVRBridge,
-    Endpoint<PVideoDecoderManagerChild>&& aVideoManager) override;
+    Endpoint<PVideoDecoderManagerChild>&& aVideoManager);
 
   PProcessHangMonitorChild*
   AllocPProcessHangMonitorChild(Transport* aTransport,
diff --git a/dom/ipc/ContentParent.cpp b/dom/ipc/ContentParent.cpp
index 5c6aadb77e..417420ecb2 100644
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@@ -2073,21 +2073,18 @@ ContentParent::InitInternal(ProcessPriority aInitialPriority,
 
       Endpoint<PCompositorBridgeChild> compositor;
       Endpoint<PImageBridgeChild> imageBridge;
-      Endpoint<PVRManagerChild> vrBridge;
       Endpoint<PVideoDecoderManagerChild> videoManager;
 
       DebugOnly<bool> opened = gpm->CreateContentBridges(
         OtherPid(),
         &compositor,
         &imageBridge,
-        &vrBridge,
         &videoManager);
       MOZ_ASSERT(opened);
 
       Unused << SendInitRendering(
         Move(compositor),
         Move(imageBridge),
-        Move(vrBridge),
         Move(videoManager));
 
       gpm->AddListener(this);
@@ -2201,21 +2198,18 @@ ContentParent::OnCompositorUnexpectedShutdown()
 
   Endpoint<PCompositorBridgeChild> compositor;
   Endpoint<PImageBridgeChild> imageBridge;
-  Endpoint<PVRManagerChild> vrBridge;
   Endpoint<PVideoDecoderManagerChild> videoManager;
 
   DebugOnly<bool> opened = gpm->CreateContentBridges(
     OtherPid(),
     &compositor,
     &imageBridge,
-    &vrBridge,
     &videoManager);
   MOZ_ASSERT(opened);
 
   Unused << SendReinitRendering(
     Move(compositor),
     Move(imageBridge),
-    Move(vrBridge),
     Move(videoManager));
 }
 
diff --git a/dom/ipc/PContent.ipdl b/dom/ipc/PContent.ipdl
index c01ad59c16..9298f9d022 100644
--- a/dom/ipc/PContent.ipdl
+++ b/dom/ipc/PContent.ipdl
@@ -44,7 +44,6 @@ include protocol PRemoteSpellcheckEngine;
 include protocol PWebBrowserPersistDocument;
 include protocol PWebrtcGlobal;
 include protocol PPresentation;
-include protocol PVRManager;
 include protocol PVideoDecoderManager;
 include protocol PFlyWebPublishedServer;
 include DOMTypes;
@@ -311,7 +310,6 @@ child:
     async InitRendering(
       Endpoint<PCompositorBridgeChild> compositor,
       Endpoint<PImageBridgeChild> imageBridge,
-      Endpoint<PVRManagerChild> vr,
       Endpoint<PVideoDecoderManagerChild> video);
 
     // Re-create the rendering stack using the given endpoints. This is sent
@@ -320,7 +318,6 @@ child:
     async ReinitRendering(
       Endpoint<PCompositorBridgeChild> compositor,
       Endpoint<PImageBridgeChild> bridge,
-      Endpoint<PVRManagerChild> vr,
       Endpoint<PVideoDecoderManagerChild> video);
 
     /**
diff --git a/dom/ipc/TabChild.cpp b/dom/ipc/TabChild.cpp
index 244fa99699..3fe94001e8 100644
--- a/dom/ipc/TabChild.cpp
+++ b/dom/ipc/TabChild.cpp
@@ -107,7 +107,6 @@
 #include "nsDeviceContext.h"
 #include "nsSandboxFlags.h"
 #include "FrameLayerBuilder.h"
-#include "VRManagerChild.h"
 #include "nsICommandParams.h"
 #include "nsISHistory.h"
 #include "nsQueryObject.h"
@@ -2565,7 +2564,6 @@ TabChild::InitRenderingState(const TextureFactoryIdentifier& aTextureFactoryIden
       lf->SetShadowManager(shadowManager);
       lf->IdentifyTextureHost(mTextureFactoryIdentifier);
       ImageBridgeChild::IdentifyCompositorTextureHost(mTextureFactoryIdentifier);
-      gfx::VRManagerChild::IdentifyTextureHost(mTextureFactoryIdentifier);
     }
 
     mRemoteFrame = remoteFrame;
diff --git a/dom/media/DecoderTraits.cpp b/dom/media/DecoderTraits.cpp
index 56ebd9ce9d..f8cb4fd0eb 100644
--- a/dom/media/DecoderTraits.cpp
+++ b/dom/media/DecoderTraits.cpp
@@ -18,15 +18,6 @@
 #include "WebMDecoder.h"
 #include "WebMDemuxer.h"
 
-#ifdef MOZ_ANDROID_OMX
-#include "AndroidMediaDecoder.h"
-#include "AndroidMediaReader.h"
-#include "AndroidMediaPluginHost.h"
-#endif
-#ifdef MOZ_DIRECTSHOW
-#include "DirectShowDecoder.h"
-#include "DirectShowReader.h"
-#endif
 #ifdef MOZ_FMP4
 #include "MP4Decoder.h"
 #include "MP4Demuxer.h"
@@ -110,29 +101,6 @@ IsHttpLiveStreamingType(const nsACString& aType)
   return CodecListContains(gHttpLiveStreamingTypes, aType);
 }
 
-#ifdef MOZ_ANDROID_OMX
-static bool
-IsAndroidMediaType(const nsACString& aType)
-{
-  if (!MediaDecoder::IsAndroidMediaPluginEnabled()) {
-    return false;
-  }
-
-  static const char* supportedTypes[] = {
-    "audio/mpeg", "audio/mp4", "video/mp4", "video/x-m4v", nullptr
-  };
-  return CodecListContains(supportedTypes, aType);
-}
-#endif
-
-#ifdef MOZ_DIRECTSHOW
-static bool
-IsDirectShowSupportedType(const nsACString& aType)
-{
-  return DirectShowDecoder::GetSupportedCodecs(aType, nullptr);
-}
-#endif
-
 #ifdef MOZ_FMP4
 static bool
 IsMP4SupportedType(const MediaContentType& aParsedType,
@@ -247,14 +215,6 @@ CanHandleCodecsType(const MediaContentType& aType,
   if (IsFlacSupportedType(aType.GetMIMEType(), aType.GetCodecs())) {
     return CANPLAY_YES;
   }
-#ifdef MOZ_DIRECTSHOW
-  DirectShowDecoder::GetSupportedCodecs(aType.GetMIMEType(), &codecList);
-#endif
-#ifdef MOZ_ANDROID_OMX
-  if (MediaDecoder::IsAndroidMediaPluginEnabled()) {
-    EnsureAndroidMediaPluginHost()->FindDecoder(aType.GetMIMEType(), &codecList);
-  }
-#endif
   if (!codecList) {
     return CANPLAY_MAYBE;
   }
@@ -320,17 +280,6 @@ CanHandleMediaType(const MediaContentType& aType,
   if (IsFlacSupportedType(aType.GetMIMEType())) {
     return CANPLAY_MAYBE;
   }
-#ifdef MOZ_DIRECTSHOW
-  if (DirectShowDecoder::GetSupportedCodecs(aType.GetMIMEType(), nullptr)) {
-    return CANPLAY_MAYBE;
-  }
-#endif
-#ifdef MOZ_ANDROID_OMX
-  if (MediaDecoder::IsAndroidMediaPluginEnabled() &&
-      EnsureAndroidMediaPluginHost()->FindDecoder(aType.GetMIMEType(), nullptr)) {
-    return CANPLAY_MAYBE;
-  }
-#endif
   return CANPLAY_NO;
 }
 
@@ -411,28 +360,12 @@ InstantiateDecoder(const nsACString& aType,
     decoder = new FlacDecoder(aOwner);
     return decoder.forget();
   }
-#ifdef MOZ_ANDROID_OMX
-  if (MediaDecoder::IsAndroidMediaPluginEnabled() &&
-      EnsureAndroidMediaPluginHost()->FindDecoder(aType, nullptr)) {
-    decoder = new AndroidMediaDecoder(aOwner, aType);
-    return decoder.forget();
-  }
-#endif
 
   if (IsWebMSupportedType(aType)) {
     decoder = new WebMDecoder(aOwner);
     return decoder.forget();
   }
 
-#ifdef MOZ_DIRECTSHOW
-  // Note: DirectShow should come before WMF, so that we prefer DirectShow's
-  // MP3 support over WMF's.
-  if (IsDirectShowSupportedType(aType)) {
-    decoder = new DirectShowDecoder(aOwner);
-    return decoder.forget();
-  }
-#endif
-
   return nullptr;
 }
 
@@ -461,7 +394,7 @@ MediaDecoderReader* DecoderTraits::CreateReader(const nsACString& aType, Abstrac
   } else
 #endif
   if (IsMP3SupportedType(aType)) {
-    decoderReader = new MediaFormatReader(aDecoder, new mp3::MP3Demuxer(aDecoder->GetResource()));
+    decoderReader = new MediaFormatReader(aDecoder, new MP3Demuxer(aDecoder->GetResource()));
   } else
   if (IsAACSupportedType(aType)) {
     decoderReader = new MediaFormatReader(aDecoder, new ADTSDemuxer(aDecoder->GetResource()));
@@ -475,22 +408,10 @@ MediaDecoderReader* DecoderTraits::CreateReader(const nsACString& aType, Abstrac
   if (IsOggSupportedType(aType)) {
     decoderReader = new MediaFormatReader(aDecoder, new OggDemuxer(aDecoder->GetResource()));
   } else
-#ifdef MOZ_ANDROID_OMX
-  if (MediaDecoder::IsAndroidMediaPluginEnabled() &&
-      EnsureAndroidMediaPluginHost()->FindDecoder(aType, nullptr)) {
-    decoderReader = new AndroidMediaReader(aDecoder, aType);
-  } else
-#endif
   if (IsWebMSupportedType(aType)) {
     decoderReader =
       new MediaFormatReader(aDecoder, new WebMDemuxer(aDecoder->GetResource()));
-  } else
-#ifdef MOZ_DIRECTSHOW
-  if (IsDirectShowSupportedType(aType)) {
-    decoderReader = new DirectShowReader(aDecoder);
-  } else
-#endif
-  if (false) {} // dummy if to take care of the dangling else
+  }
 
   return decoderReader;
 }
@@ -509,18 +430,12 @@ bool DecoderTraits::IsSupportedInVideoDocument(const nsACString& aType)
   return
     IsOggSupportedType(aType) ||
     IsWebMSupportedType(aType) ||
-#ifdef MOZ_ANDROID_OMX
-    (MediaDecoder::IsAndroidMediaPluginEnabled() && IsAndroidMediaType(aType)) ||
-#endif
 #ifdef MOZ_FMP4
     IsMP4SupportedType(aType, /* DecoderDoctorDiagnostics* */ nullptr) ||
 #endif
     IsMP3SupportedType(aType) ||
     IsAACSupportedType(aType) ||
     IsFlacSupportedType(aType) ||
-#ifdef MOZ_DIRECTSHOW
-    IsDirectShowSupportedType(aType) ||
-#endif
     false;
 }
 
diff --git a/dom/media/MP3FrameParser.cpp b/dom/media/MP3FrameParser.cpp
deleted file mode 100644
index 242e3df00d..0000000000
--- a/dom/media/MP3FrameParser.cpp
+++ /dev/null
@@ -1,591 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <algorithm>
-
-#include "nsMemory.h"
-#include "MP3FrameParser.h"
-#include "VideoUtils.h"
-
-
-#define FROM_BIG_ENDIAN(X) ((uint32_t)((uint8_t)(X)[0] << 24 | (uint8_t)(X)[1] << 16 | \
-                                       (uint8_t)(X)[2] << 8 | (uint8_t)(X)[3]))
-
-
-namespace mozilla {
-
-/*
- * Following code taken from http://www.hydrogenaudio.org/forums/index.php?showtopic=85125
- * with permission from the author, Nick Wallette <sirnickity@gmail.com>.
- */
-
-/* BEGIN shameless copy and paste */
-
-// Bitrates - use [version][layer][bitrate]
-const uint16_t mpeg_bitrates[4][4][16] = {
-  { // Version 2.5
-    { 0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0, 0 }, // Reserved
-    { 0,   8,  16,  24,  32,  40,  48,  56,  64,  80,  96, 112, 128, 144, 160, 0 }, // Layer 3
-    { 0,   8,  16,  24,  32,  40,  48,  56,  64,  80,  96, 112, 128, 144, 160, 0 }, // Layer 2
-    { 0,  32,  48,  56,  64,  80,  96, 112, 128, 144, 160, 176, 192, 224, 256, 0 }  // Layer 1
-  },
-  { // Reserved
-    { 0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0, 0 }, // Invalid
-    { 0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0, 0 }, // Invalid
-    { 0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0, 0 }, // Invalid
-    { 0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0, 0 }  // Invalid
-  },
-  { // Version 2
-    { 0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0, 0 }, // Reserved
-    { 0,   8,  16,  24,  32,  40,  48,  56,  64,  80,  96, 112, 128, 144, 160, 0 }, // Layer 3
-    { 0,   8,  16,  24,  32,  40,  48,  56,  64,  80,  96, 112, 128, 144, 160, 0 }, // Layer 2
-    { 0,  32,  48,  56,  64,  80,  96, 112, 128, 144, 160, 176, 192, 224, 256, 0 }  // Layer 1
-  },
-  { // Version 1
-    { 0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0, 0 }, // Reserved
-    { 0,  32,  40,  48,  56,  64,  80,  96, 112, 128, 160, 192, 224, 256, 320, 0 }, // Layer 3
-    { 0,  32,  48,  56,  64,  80,  96, 112, 128, 160, 192, 224, 256, 320, 384, 0 }, // Layer 2
-    { 0,  32,  64,  96, 128, 160, 192, 224, 256, 288, 320, 352, 384, 416, 448, 0 }, // Layer 1
-  }
-};
-
-// Sample rates - use [version][srate]
-const uint16_t mpeg_srates[4][4] = {
-    { 11025, 12000,  8000, 0 }, // MPEG 2.5
-    {     0,     0,     0, 0 }, // Reserved
-    { 22050, 24000, 16000, 0 }, // MPEG 2
-    { 44100, 48000, 32000, 0 }  // MPEG 1
-};
-
-// Samples per frame - use [version][layer]
-const uint16_t mpeg_frame_samples[4][4] = {
-//    Rsvd     3     2     1  < Layer  v Version
-    {    0,  576, 1152,  384 }, //       2.5
-    {    0,    0,    0,    0 }, //       Reserved
-    {    0,  576, 1152,  384 }, //       2
-    {    0, 1152, 1152,  384 }  //       1
-};
-
-// Slot size (MPEG unit of measurement) - use [layer]
-const uint8_t mpeg_slot_size[4] = { 0, 1, 1, 4 }; // Rsvd, 3, 2, 1
-
-uint16_t
-MP3Frame::CalculateLength()
-{
-  // Lookup real values of these fields
-  uint32_t  bitrate   = mpeg_bitrates[mVersion][mLayer][mBitrate] * 1000;
-  uint32_t  samprate  = mpeg_srates[mVersion][mSampleRate];
-  uint16_t  samples   = mpeg_frame_samples[mVersion][mLayer];
-  uint8_t   slot_size = mpeg_slot_size[mLayer];
-
-  // In-between calculations
-  float     bps       = (float)samples / 8.0;
-  float     fsize     = ( (bps * (float)bitrate) / (float)samprate )
-    + ( (mPad) ? slot_size : 0 );
-
-  // Frame sizes are truncated integers
-  return (uint16_t)fsize;
-}
-
-/* END shameless copy and paste */
-
-
-/** MP3Parser methods **/
-
-MP3Parser::MP3Parser()
-  : mCurrentChar(0)
-{ }
-
-void
-MP3Parser::Reset()
-{
-  mCurrentChar = 0;
-}
-
-uint16_t
-MP3Parser::ParseFrameLength(uint8_t ch)
-{
-  mData.mRaw[mCurrentChar] = ch;
-
-  MP3Frame &frame = mData.mFrame;
-
-  // Validate MP3 header as we read. We can't mistake the start of an MP3 frame
-  // for the middle of another frame due to the sync byte at the beginning
-  // of the frame.
-
-  // The only valid position for an all-high byte is the sync byte at the
-  // beginning of the frame.
-  if (ch == 0xff) {
-    mCurrentChar = 0;
-  }
-
-  // Make sure the current byte is valid in context. If not, reset the parser.
-  if (mCurrentChar == 2) {
-    if (frame.mBitrate == 0x0f) {
-      goto fail;
-    }
-  } else if (mCurrentChar == 1) {
-    if (frame.mSync2 != 0x07
-        || frame.mVersion == 0x01
-        || frame.mLayer == 0x00) {
-      goto fail;
-    }
-  }
-
-  // The only valid character at the beginning of the header is 0xff. Fail if
-  // it's different.
-  if (mCurrentChar == 0 && frame.mSync1 != 0xff) {
-    // Couldn't find the sync byte. Fail.
-    return 0;
-  }
-
-  mCurrentChar++;
-  MOZ_ASSERT(mCurrentChar <= sizeof(MP3Frame));
-
-  // Don't have a full header yet.
-  if (mCurrentChar < sizeof(MP3Frame)) {
-    return 0;
-  }
-
-  // Woo, valid header. Return the length.
-  mCurrentChar = 0;
-  return frame.CalculateLength();
-
-fail:
-  Reset();
-  return 0;
-}
-
-uint32_t
-MP3Parser::GetSampleRate()
-{
-  MP3Frame &frame = mData.mFrame;
-  return mpeg_srates[frame.mVersion][frame.mSampleRate];
-}
-
-uint32_t
-MP3Parser::GetSamplesPerFrame()
-{
-  MP3Frame &frame = mData.mFrame;
-  return mpeg_frame_samples[frame.mVersion][frame.mLayer];
-}
-
-
-/** ID3Parser methods **/
-
-const char sID3Head[3] = { 'I', 'D', '3' };
-const uint32_t ID3_HEADER_LENGTH = 10;
-const uint32_t ID3_FOOTER_LENGTH = 10;
-const uint8_t ID3_FOOTER_PRESENT = 0x10;
-
-ID3Parser::ID3Parser()
-  : mCurrentChar(0)
-  , mVersion(0)
-  , mFlags(0)
-  , mHeaderLength(0)
-{ }
-
-void
-ID3Parser::Reset()
-{
-  mCurrentChar = mVersion = mFlags = mHeaderLength = 0;
-}
-
-bool
-ID3Parser::ParseChar(char ch)
-{
-  switch (mCurrentChar) {
-    // The first three bytes of an ID3v2 header must match the string "ID3".
-    case 0: case 1: case 2:
-      if (ch != sID3Head[mCurrentChar]) {
-        goto fail;
-      }
-      break;
-    // The fourth and fifth bytes give the version, between 2 and 4.
-    case 3:
-      if (ch < '\2' || ch > '\4') {
-        goto fail;
-      }
-      mVersion = uint8_t(ch);
-      break;
-    case 4:
-      if (ch != '\0') {
-        goto fail;
-      }
-      break;
-    // The sixth byte gives the flags; valid flags depend on the version.
-    case 5:
-      if ((ch & (0xff >> mVersion)) != '\0') {
-        goto fail;
-      }
-      mFlags = uint8_t(ch);
-      break;
-    // Bytes seven through ten give the sum of the byte length of the extended
-    // header, the padding and the frames after unsynchronisation.
-    // These bytes form a 28-bit integer, with the high bit of each byte unset.
-    case 6: case 7: case 8: case 9:
-      if (ch & 0x80) {
-        goto fail;
-      }
-      mHeaderLength <<= 7;
-      mHeaderLength |= ch;
-      if (mCurrentChar == 9) {
-        mHeaderLength += ID3_HEADER_LENGTH;
-        mHeaderLength += (mFlags & ID3_FOOTER_PRESENT) ? ID3_FOOTER_LENGTH : 0;
-      }
-      break;
-    default:
-      MOZ_CRASH("Header already fully parsed!");
-  }
-
-  mCurrentChar++;
-
-  return IsParsed();
-
-fail:
-  if (mCurrentChar) {
-    Reset();
-    return ParseChar(ch);
-  }
-  Reset();
-  return false;
-}
-
-bool
-ID3Parser::IsParsed() const
-{
-  return mCurrentChar >= ID3_HEADER_LENGTH;
-}
-
-uint32_t
-ID3Parser::GetHeaderLength() const
-{
-  MOZ_ASSERT(IsParsed(),
-             "Queried length of ID3 header before parsing finished.");
-  return mHeaderLength;
-}
-
-
-/** VBR header helper stuff **/
-
-// Helper function to find a VBR header in an MP3 frame.
-// Based on information from
-// http://www.codeproject.com/Articles/8295/MPEG-Audio-Frame-Header
-
-const uint32_t VBRI_TAG = FROM_BIG_ENDIAN("VBRI");
-const uint32_t VBRI_OFFSET = 32 - sizeof(MP3Frame);
-const uint32_t VBRI_FRAME_COUNT_OFFSET = VBRI_OFFSET + 14;
-const uint32_t VBRI_MIN_FRAME_SIZE = VBRI_OFFSET + 26;
-
-const uint32_t XING_TAG = FROM_BIG_ENDIAN("Xing");
-enum XingFlags {
-  XING_HAS_NUM_FRAMES = 0x01,
-  XING_HAS_NUM_BYTES = 0x02,
-  XING_HAS_TOC = 0x04,
-  XING_HAS_VBR_SCALE = 0x08
-};
-
-static int64_t
-ParseXing(const char *aBuffer)
-{
-  uint32_t flags = FROM_BIG_ENDIAN(aBuffer + 4);
-
-  if (!(flags & XING_HAS_NUM_FRAMES)) {
-    NS_WARNING("VBR file without frame count. Duration estimation likely to "
-               "be totally wrong.");
-    return -1;
-  }
-
-  int64_t numFrames = -1;
-  if (flags & XING_HAS_NUM_FRAMES) {
-    numFrames = FROM_BIG_ENDIAN(aBuffer + 8);
-  }
-
-  return numFrames;
-}
-
-static int64_t
-FindNumVBRFrames(const nsCString& aFrame)
-{
-  const char *buffer = aFrame.get();
-  const char *bufferEnd = aFrame.get() + aFrame.Length();
-
-  // VBRI header is nice and well-defined; let's try to find that first.
-  if (aFrame.Length() > VBRI_MIN_FRAME_SIZE &&
-      FROM_BIG_ENDIAN(buffer + VBRI_OFFSET) == VBRI_TAG) {
-    return FROM_BIG_ENDIAN(buffer + VBRI_FRAME_COUNT_OFFSET);
-  }
-
-  // We have to search for the Xing header as its position can change.
-  for (; buffer + sizeof(XING_TAG) < bufferEnd; buffer++) {
-    if (FROM_BIG_ENDIAN(buffer) == XING_TAG) {
-      return ParseXing(buffer);
-    }
-  }
-
-  return -1;
-}
-
-
-/** MP3FrameParser methods **/
-
-// Some MP3's have large ID3v2 tags, up to 150KB, so we allow lots of
-// skipped bytes to be read, just in case, before we give up and assume
-// we're not parsing an MP3 stream.
-static const uint32_t MAX_SKIPPED_BYTES = 4096;
-
-enum {
-  MP3_HEADER_LENGTH   = 4,
-};
-
-MP3FrameParser::MP3FrameParser(int64_t aLength)
-: mLock("MP3FrameParser.mLock"),
-  mTotalID3Size(0),
-  mTotalFrameSize(0),
-  mFrameCount(0),
-  mOffset(0),
-  mLength(aLength),
-  mMP3Offset(-1),
-  mSamplesPerSecond(0),
-  mFirstFrameEnd(-1),
-  mIsMP3(MAYBE_MP3)
-{ }
-
-nsresult MP3FrameParser::ParseBuffer(const uint8_t* aBuffer,
-                                     uint32_t aLength,
-                                     int64_t aStreamOffset,
-                                     uint32_t* aOutBytesRead)
-{
-  // Iterate forwards over the buffer, looking for ID3 tag, or MP3
-  // Frame headers.
-  const uint8_t *buffer = aBuffer;
-  const uint8_t *bufferEnd = aBuffer + aLength;
-
-  // If we haven't found any MP3 frame data yet, there might be ID3 headers
-  // we can skip over.
-  if (mMP3Offset < 0) {
-    for (const uint8_t *ch = buffer; ch < bufferEnd; ch++) {
-      if (mID3Parser.ParseChar(*ch)) {
-        // Found an ID3 header. We don't care about the body of the header, so
-        // just skip past.
-        buffer = ch + mID3Parser.GetHeaderLength() - (ID3_HEADER_LENGTH - 1);
-
-        if (buffer <= ch) {
-          return NS_ERROR_FAILURE;
-        }
-
-        ch = buffer;
-
-        mTotalID3Size += mID3Parser.GetHeaderLength();
-
-        // Yes, this is an MP3!
-        mIsMP3 = DEFINITELY_MP3;
-
-        mID3Parser.Reset();
-      }
-    }
-  }
-
-  // The first MP3 frame in a variable bitrate stream can contain metadata
-  // for duration estimation and seeking, so we buffer that first frame here.
-  if (aStreamOffset < mFirstFrameEnd) {
-    uint64_t copyLen = std::min((int64_t)aLength, mFirstFrameEnd - aStreamOffset);
-    mFirstFrame.Append((const char *)buffer, copyLen);
-    buffer += copyLen;
-  }
-
-  while (buffer < bufferEnd) {
-    uint16_t frameLen = mMP3Parser.ParseFrameLength(*buffer);
-
-    if (frameLen) {
-      // We've found an MP3 frame!
-      // This is the first frame (and the only one we'll bother parsing), so:
-      // * Mark this stream as MP3;
-      // * Store the offset at which the MP3 data started; and
-      // * Start buffering the frame, as it might contain handy metadata.
-
-      // We're now sure this is an MP3 stream.
-      mIsMP3 = DEFINITELY_MP3;
-
-      // We need to know these to convert the number of frames in the stream
-      // to the length of the stream in seconds.
-      mSamplesPerSecond = mMP3Parser.GetSampleRate();
-      mSamplesPerFrame = mMP3Parser.GetSamplesPerFrame();
-
-      // If the stream has a constant bitrate, we should only need the length
-      // of the first frame and the length (in bytes) of the stream to
-      // estimate the length (in seconds).
-      mTotalFrameSize += frameLen;
-      mFrameCount++;
-
-      // If |mMP3Offset| isn't set then this is the first MP3 frame we have
-      // seen in the stream, which is useful for duration estimation.
-      if (mMP3Offset > -1) {
-        uint16_t skip = frameLen - sizeof(MP3Frame);
-        buffer += skip ? skip : 1;
-        continue;
-      }
-
-      // Remember the offset of the MP3 stream.
-      // We're at the last byte of an MP3Frame, so MP3 data started
-      // sizeof(MP3Frame) - 1 bytes ago.
-      mMP3Offset = aStreamOffset
-        + (buffer - aBuffer)
-        - (sizeof(MP3Frame) - 1);
-
-      buffer++;
-
-      // If the stream has a variable bitrate, the first frame has metadata
-      // we need for duration estimation and seeking. Start buffering it so we
-      // can parse it later.
-      mFirstFrameEnd = mMP3Offset + frameLen;
-      uint64_t currOffset = buffer - aBuffer + aStreamOffset;
-      uint64_t copyLen = std::min(mFirstFrameEnd - currOffset,
-                                  (uint64_t)(bufferEnd - buffer));
-      mFirstFrame.Append((const char *)buffer, copyLen);
-
-      buffer += copyLen;
-
-    } else {
-      // Nothing to see here. Move along.
-      buffer++;
-    }
-  }
-
-  *aOutBytesRead = buffer - aBuffer;
-
-  if (mFirstFrameEnd > -1 && mFirstFrameEnd <= aStreamOffset + buffer - aBuffer) {
-    // We have our whole first frame. Try to find a VBR header.
-    mNumFrames = FindNumVBRFrames(mFirstFrame);
-    mFirstFrameEnd = -1;
-  }
-
-  return NS_OK;
-}
-
-void MP3FrameParser::Parse(const uint8_t* aBuffer, uint32_t aLength, uint64_t aOffset)
-{
-  MutexAutoLock mon(mLock);
-
-  if (HasExactDuration()) {
-    // We know the duration; nothing to do here.
-    return;
-  }
-
-  const uint8_t* buffer = aBuffer;
-  int32_t length = aLength;
-  uint64_t offset = aOffset;
-
-  // Got some data we have seen already. Skip forward to what we need.
-  if (aOffset < mOffset) {
-    buffer += mOffset - aOffset;
-    length -= mOffset - aOffset;
-    offset = mOffset;
-
-    if (length <= 0) {
-      return;
-    }
-  }
-
-  // If there is a discontinuity in the input stream, reset the state of the
-  // parsers so we don't get any partial headers.
-  if (mOffset < aOffset) {
-    if (!mID3Parser.IsParsed()) {
-      // Only reset this if it hasn't finished yet.
-      mID3Parser.Reset();
-    }
-
-    if (mFirstFrameEnd > -1) {
-      NS_WARNING("Discontinuity in input while buffering first frame.");
-      mFirstFrameEnd = -1;
-    }
-
-    mMP3Parser.Reset();
-  }
-
-  uint32_t bytesRead = 0;
-  if (NS_FAILED(ParseBuffer(buffer,
-                            length,
-                            offset,
-                            &bytesRead))) {
-    return;
-  }
-
-  MOZ_ASSERT(length <= (int)bytesRead, "All bytes should have been consumed");
-
-  // Update next data offset
-  mOffset = offset + bytesRead;
-
-  // If we've parsed lots of data and we still have nothing, just give up.
-  // We don't count ID3 headers towards the skipped bytes count, as MP3 files
-  // can have massive ID3 sections.
-  if (!mID3Parser.IsParsed() && mMP3Offset < 0 &&
-      mOffset - mTotalID3Size > MAX_SKIPPED_BYTES) {
-    mIsMP3 = NOT_MP3;
-  }
-}
-
-int64_t MP3FrameParser::GetDuration()
-{
-  MutexAutoLock mon(mLock);
-
-  if (!ParsedHeaders() || !mSamplesPerSecond) {
-    // Not a single frame decoded yet.
-    return -1;
-  }
-
-  MOZ_ASSERT(mFrameCount > 0 && mTotalFrameSize > 0,
-             "Frame parser should have seen at least one MP3 frame of positive length.");
-
-  if (!mFrameCount || !mTotalFrameSize) {
-    // This should never happen.
-    return -1;
-  }
-
-  double frames;
-  if (mNumFrames < 0) {
-    // Estimate the number of frames in the stream based on the average frame
-    // size and the length of the MP3 file.
-    double frameSize = (double)mTotalFrameSize / mFrameCount;
-    frames = (double)(mLength - mMP3Offset) / frameSize;
-  } else {
-    // We know the exact number of frames from the VBR header.
-    frames = mNumFrames;
-  }
-
-  // The duration of each frame is constant over a given stream.
-  double usPerFrame = USECS_PER_S * mSamplesPerFrame / mSamplesPerSecond;
-
-  return frames * usPerFrame;
-}
-
-int64_t MP3FrameParser::GetMP3Offset()
-{
-  MutexAutoLock mon(mLock);
-  return mMP3Offset;
-}
-
-bool MP3FrameParser::ParsedHeaders()
-{
-  // We have seen both the beginning and the end of the first MP3 frame in the
-  // stream.
-  return mMP3Offset > -1 && mFirstFrameEnd < 0;
-}
-
-bool MP3FrameParser::HasExactDuration()
-{
-  return ParsedHeaders() && mNumFrames > -1;
-}
-
-bool MP3FrameParser::NeedsData()
-{
-  // If we don't know the duration exactly then either:
-  //  - we're still waiting for a VBR header; or
-  //  - we look at all frames to constantly update our duration estimate.
-  return IsMP3() && !HasExactDuration();
-}
-
-} // namespace mozilla
diff --git a/dom/media/MP3FrameParser.h b/dom/media/MP3FrameParser.h
deleted file mode 100644
index d2ba791fd8..0000000000
--- a/dom/media/MP3FrameParser.h
+++ /dev/null
@@ -1,219 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef MP3FrameParser_h
-#define MP3FrameParser_h
-
-#include <stdint.h>
-
-#include "mozilla/Mutex.h"
-#include "nsString.h"
-#include "Intervals.h"
-
-namespace mozilla {
-
-// Simple parser to tell whether we've found an ID3 header and how long it is,
-// so that we can skip it.
-// XXX maybe actually parse this stuff?
-class ID3Parser
-{
-public:
-  ID3Parser();
-
-  void Reset();
-  bool ParseChar(char ch);
-  bool IsParsed() const;
-  uint32_t GetHeaderLength() const;
-
-private:
-  uint32_t mCurrentChar;
-  uint8_t mVersion;
-  uint8_t mFlags;
-  uint32_t mHeaderLength;
-};
-
-struct MP3Frame {
-  uint16_t mSync1 : 8;      // Always all set
-  uint16_t mProtected : 1;  // Ignored
-  uint16_t mLayer : 2;
-  uint16_t mVersion : 2;
-  uint16_t mSync2 : 3;      // Always all set
-  uint16_t mPrivate : 1;    // Ignored
-  uint16_t mPad : 1;
-  uint16_t mSampleRate : 2; // Index into mpeg_srates above
-  uint16_t mBitrate : 4;    // Index into mpeg_bitrates above
-
-  uint16_t CalculateLength();
-};
-
-// Buffering parser for MP3 frames.
-class MP3Parser
-{
-public:
-  MP3Parser();
-
-  // Forget all data the parser has seen so far.
-  void Reset();
-
-  // Parse the given byte. If we have found a frame header, return the length of
-  // the frame.
-  uint16_t ParseFrameLength(uint8_t ch);
-
-  // Get the sample rate from the current header.
-  uint32_t GetSampleRate();
-
-  // Get the number of samples per frame.
-  uint32_t GetSamplesPerFrame();
-
-private:
-  uint32_t mCurrentChar;
-  union {
-    uint8_t mRaw[3];
-    MP3Frame mFrame;
-  } mData;
-};
-
-
-// A description of the MP3 format and its extensions is available at
-//
-//  http://www.codeproject.com/Articles/8295/MPEG-Audio-Frame-Header
-//
-// The data in MP3 streams is split into small frames, with each frame
-// containing a fixed number of samples. The duration of a frame depends
-// on the frame's bit rate and sample rate. Both values can vary among
-// frames, so it is necessary to examine each individual frame of an MP3
-// stream to calculate the stream's overall duration.
-//
-// The MP3 frame parser extracts information from an MP3 data stream. It
-// accepts a range of frames of an MP3 stream as input, and parses all
-// frames for their duration. Callers can query the stream's overall
-// duration from the parser.
-//
-// Call the methods NotifyDataArrived or Parse to add new data. If you added
-// information for a certain stream position, you cannot go back to previous
-// positions. The parser will simply ignore the input. If you skip stream
-// positions, the duration of the related MP3 frames will be estimated from
-// the stream's average.
-//
-// The method GetDuration returns calculated duration of the stream, including
-// estimates for skipped ranges.
-//
-// All public methods are thread-safe.
-
-class MP3FrameParser
-{
-public:
-  explicit MP3FrameParser(int64_t aLength=-1);
-
-  bool IsMP3() {
-    MutexAutoLock mon(mLock);
-    return mIsMP3 != NOT_MP3;
-  }
-
-  void Parse(const uint8_t* aBuffer, uint32_t aLength, uint64_t aStreamOffset);
-
-  // Returns the duration, in microseconds. If the entire stream has not
-  // been parsed yet, this is an estimate based on the bitrate of the
-  // frames parsed so far.
-  int64_t GetDuration();
-
-  // Returns the offset of the first MP3 frame in the stream, or -1 of
-  // no MP3 frame has been detected yet.
-  int64_t GetMP3Offset();
-
-  // Returns true if we've seen the whole first frame of the MP3 stream, and
-  // therefore can make an estimate on the stream duration.
-  // Otherwise, returns false.
-  bool ParsedHeaders();
-
-  // Returns true if we know the exact duration of the MP3 stream;
-  // false otherwise.
-  bool HasExactDuration();
-
-  // Returns true if the parser needs more data for duration estimation.
-  bool NeedsData();
-  // Assign the total lenght of this mp3 stream
-  void SetLength(int64_t aLength) {
-    MutexAutoLock mon(mLock);
-    mLength = aLength;
-  }
-private:
-
-  // Parses aBuffer, starting at offset 0. Returns the number of bytes
-  // parsed, relative to the start of the buffer. Note this may be
-  // greater than aLength if the headers in the buffer indicate that
-  // the frame or ID3 tag extends outside of aBuffer. Returns failure
-  // if too many non-MP3 bytes are parsed.
-  nsresult ParseBuffer(const uint8_t* aBuffer,
-                       uint32_t aLength,
-                       int64_t aStreamOffset,
-                       uint32_t* aOutBytesRead);
-
-  // A low-contention lock for protecting the parser results
-  Mutex mLock;
-
-  // ID3 header parser. Keeps state between reads in case the header falls
-  // in between.
-  ID3Parser mID3Parser;
-
-  // MP3 frame header parser.
-  MP3Parser mMP3Parser;
-
-  // If we read |MAX_SKIPPED_BYTES| from the stream without finding any MP3
-  // frames, we give up and report |NOT_MP3|. Here we track the cumulative size
-  // of any ID3 headers we've seen so big ID3 sections aren't counted towards
-  // skipped bytes.
-  uint32_t mTotalID3Size;
-
-  // All fields below are protected by mLock
-
-  // We keep stats on the size of all the frames we've seen, as well as how many
-  // so that we can estimate the duration of the rest of the stream.
-  uint64_t mTotalFrameSize;
-  uint64_t mFrameCount;
-
-  // Offset of the last data parsed. This is the end offset of the last data
-  // block parsed, so it's the start offset we expect to get on the next
-  // call to Parse().
-  uint64_t mOffset;
-
-  // Total length of the stream in bytes.
-  int64_t mLength;
-
-  // Offset of first MP3 frame in the bitstream. Has value -1 until the
-  // first MP3 frame is found.
-  int64_t mMP3Offset;
-
-  // The exact number of frames in this stream, if we know it. -1 otherwise.
-  int64_t mNumFrames;
-
-  // Number of audio samples per second and per frame. Fixed through the whole
-  // file. If we know these variables as well as the number of frames in the
-  // file, we can get an exact duration for the stream.
-  uint16_t mSamplesPerSecond;
-  uint16_t mSamplesPerFrame;
-
-  // If the MP3 has a variable bitrate, then there *should* be metadata about
-  // the encoding in the first frame. We buffer the first frame here.
-  nsCString mFirstFrame;
-
-  // While we are reading the first frame, this is the stream offset of the
-  // last byte of that frame. -1 at all other times.
-  int64_t mFirstFrameEnd;
-
-  enum eIsMP3 {
-    MAYBE_MP3, // We're giving the stream the benefit of the doubt...
-    DEFINITELY_MP3, // We've hit at least one ID3 tag or MP3 frame.
-    NOT_MP3 // Not found any evidence of the stream being MP3.
-  };
-
-  eIsMP3 mIsMP3;
-
-};
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/MediaDecoder.cpp b/dom/media/MediaDecoder.cpp
index d027818dea..cf2266bf6d 100644
--- a/dom/media/MediaDecoder.cpp
+++ b/dom/media/MediaDecoder.cpp
@@ -35,10 +35,6 @@
 #include "Layers.h"
 #include "mozilla/layers/ShadowLayers.h"
 
-#ifdef MOZ_ANDROID_OMX
-#include "AndroidBridge.h"
-#endif
-
 using namespace mozilla::dom;
 using namespace mozilla::layers;
 using namespace mozilla::media;
@@ -1617,16 +1613,6 @@ MediaDecoder::IsWebMEnabled()
   return Preferences::GetBool("media.webm.enabled");
 }
 
-#ifdef MOZ_ANDROID_OMX
-bool
-MediaDecoder::IsAndroidMediaPluginEnabled()
-{
-  return AndroidBridge::Bridge() &&
-         AndroidBridge::Bridge()->GetAPIVersion() < 16 &&
-         Preferences::GetBool("media.plugins.enabled");
-}
-#endif
-
 NS_IMETHODIMP
 MediaMemoryTracker::CollectReports(nsIHandleReportCallback* aHandleReport,
                                    nsISupports* aData, bool aAnonymize)
diff --git a/dom/media/MediaDecoder.h b/dom/media/MediaDecoder.h
index a4edcbe727..7e93de044e 100644
--- a/dom/media/MediaDecoder.h
+++ b/dom/media/MediaDecoder.h
@@ -447,10 +447,6 @@ private:
   static bool IsWaveEnabled();
   static bool IsWebMEnabled();
 
-#ifdef MOZ_ANDROID_OMX
-  static bool IsAndroidMediaPluginEnabled();
-#endif
-
 #ifdef MOZ_WMF
   static bool IsWMFEnabled();
 #endif
diff --git a/dom/media/MediaPrefs.h b/dom/media/MediaPrefs.h
index e67796eddb..c67a899896 100644
--- a/dom/media/MediaPrefs.h
+++ b/dom/media/MediaPrefs.h
@@ -105,9 +105,6 @@ private:
   DECL_MEDIA_PREF("media.eme.enabled",                        EMEEnabled, bool, false);
   DECL_MEDIA_PREF("media.use-blank-decoder",                  PDMUseBlankDecoder, bool, false);
   DECL_MEDIA_PREF("media.gpu-process-decoder",                PDMUseGPUDecoder, bool, false);
-#ifdef MOZ_GONK_MEDIACODEC
-  DECL_MEDIA_PREF("media.gonk.enabled",                       PDMGonkDecoderEnabled, bool, true);
-#endif
 #ifdef MOZ_WIDGET_ANDROID
   DECL_MEDIA_PREF("media.android-media-codec.enabled",        PDMAndroidMediaCodecEnabled, bool, false);
   DECL_MEDIA_PREF("media.android-media-codec.preferred",      PDMAndroidMediaCodecPreferred, bool, false);
diff --git a/dom/media/ThreadPoolCOMListener.h b/dom/media/ThreadPoolCOMListener.h
index 881013a78f..424ca65d22 100644
--- a/dom/media/ThreadPoolCOMListener.h
+++ b/dom/media/ThreadPoolCOMListener.h
@@ -13,8 +13,8 @@
 namespace mozilla {
 
 // Thread pool listener which ensures that MSCOM is initialized and
-// deinitialized on the thread pool thread. We may call into WMF or
-// DirectShow on this thread, so we need MSCOM working.
+// deinitialized on the thread pool thread. We may call into WMF on
+// this thread, so we need MSCOM working.
 class MSCOMInitThreadPoolListener final : public nsIThreadPoolListener {
   ~MSCOMInitThreadPoolListener() {}
   public:
diff --git a/dom/media/WebVTTListener.h b/dom/media/WebVTTListener.h
index 67271664a8..461d7f00da 100644
--- a/dom/media/WebVTTListener.h
+++ b/dom/media/WebVTTListener.h
@@ -10,6 +10,7 @@
 #include "nsIStreamListener.h"
 #include "nsIChannelEventSink.h"
 #include "nsIInterfaceRequestor.h"
+#include "nsCOMPtr.h"
 #include "nsCycleCollectionParticipant.h"
 
 class nsIWebVTTParserWrapper;
diff --git a/dom/media/android/AndroidMediaDecoder.cpp b/dom/media/android/AndroidMediaDecoder.cpp
deleted file mode 100644
index 41ef3fcb07..0000000000
--- a/dom/media/android/AndroidMediaDecoder.cpp
+++ /dev/null
@@ -1,25 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "MediaDecoderStateMachine.h"
-#include "AndroidMediaDecoder.h"
-#include "AndroidMediaReader.h"
-
-namespace mozilla {
-
-AndroidMediaDecoder::AndroidMediaDecoder(MediaDecoderOwner* aOwner,
-                                         const nsACString& aType)
-  : MediaDecoder(aOwner), mType(aType)
-{
-}
-
-MediaDecoderStateMachine* AndroidMediaDecoder::CreateStateMachine()
-{
-  return new MediaDecoderStateMachine(this, new AndroidMediaReader(this, mType));
-}
-
-} // namespace mozilla
-
diff --git a/dom/media/android/AndroidMediaDecoder.h b/dom/media/android/AndroidMediaDecoder.h
deleted file mode 100644
index 88b5a243fd..0000000000
--- a/dom/media/android/AndroidMediaDecoder.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(AndroidMediaDecoder_h_)
-#define AndroidMediaDecoder_h_
-
-#include "MediaDecoder.h"
-#include "AndroidMediaDecoder.h"
-
-namespace mozilla {
-
-class AndroidMediaDecoder : public MediaDecoder
-{
-  nsCString mType;
-public:
-  AndroidMediaDecoder(MediaDecoderOwner* aOwner, const nsACString& aType);
-
-  MediaDecoder* Clone(MediaDecoderOwner* aOwner) override {
-    return new AndroidMediaDecoder(aOwner, mType);
-  }
-  MediaDecoderStateMachine* CreateStateMachine() override;
-};
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/android/AndroidMediaPluginHost.cpp b/dom/media/android/AndroidMediaPluginHost.cpp
deleted file mode 100644
index d4c4fc59e5..0000000000
--- a/dom/media/android/AndroidMediaPluginHost.cpp
+++ /dev/null
@@ -1,305 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Preferences.h"
-#include "MediaResource.h"
-#include "mozilla/dom/HTMLMediaElement.h"
-#include "mozilla/Services.h"
-#include "AndroidMediaPluginHost.h"
-#include "nsAutoPtr.h"
-#include "nsXPCOMStrings.h"
-#include "nsISeekableStream.h"
-#include "nsIGfxInfo.h"
-#include "prmem.h"
-#include "prlink.h"
-#include "AndroidMediaResourceServer.h"
-#include "nsServiceManagerUtils.h"
-
-#include "MPAPI.h"
-
-#include "nsIPropertyBag2.h"
-
-#if defined(ANDROID)
-#include "android/log.h"
-#define ALOG(args...)  __android_log_print(ANDROID_LOG_INFO, "AndroidMediaPluginHost" , ## args)
-#else
-#define ALOG(args...) /* do nothing */
-#endif
-
-using namespace MPAPI;
-
-Decoder::Decoder() :
-  mResource(nullptr), mPrivate(nullptr)
-{
-}
-
-namespace mozilla {
-
-static char* GetResource(Decoder *aDecoder)
-{
-  return static_cast<char*>(aDecoder->mResource);
-}
-
-class GetIntPrefEvent : public Runnable {
-public:
-  GetIntPrefEvent(const char* aPref, int32_t* aResult)
-    : mPref(aPref), mResult(aResult) {}
-  NS_IMETHOD Run() override {
-    return Preferences::GetInt(mPref, mResult);
-  }
-private:
-  const char* mPref;
-  int32_t*    mResult;
-};
-
-static bool GetIntPref(const char* aPref, int32_t* aResult)
-{
-  // GetIntPref() is called on the decoder thread, but the Preferences API
-  // can only be called on the main thread. Post a runnable and wait.
-  NS_ENSURE_TRUE(aPref, false);
-  NS_ENSURE_TRUE(aResult, false);
-  nsCOMPtr<nsIRunnable> event = new GetIntPrefEvent(aPref, aResult);
-  return NS_SUCCEEDED(NS_DispatchToMainThread(event, NS_DISPATCH_SYNC));
-}
-
-static bool
-GetSystemInfoString(const char *aKey, char *aResult, size_t aResultLength)
-{
-  NS_ENSURE_TRUE(aKey, false);
-  NS_ENSURE_TRUE(aResult, false);
-
-  nsCOMPtr<nsIPropertyBag2> infoService = do_GetService("@mozilla.org/system-info;1");
-  NS_ASSERTION(infoService, "Could not find a system info service");
-
-  nsAutoCString key(aKey);
-  nsAutoCString info;
-  nsresult rv = infoService->GetPropertyAsACString(NS_ConvertUTF8toUTF16(key),
-                                                  info);
-
-  NS_ENSURE_SUCCESS(rv, false);
-
-  strncpy(aResult, info.get(), aResultLength);
-
-  return true;
-}
-
-static PluginHost sPluginHost = {
-  nullptr,
-  nullptr,
-  nullptr,
-  nullptr,
-  GetIntPref,
-  GetSystemInfoString
-};
-
-// Return true if Omx decoding is supported on the device. This checks the
-// built in whitelist/blacklist and preferences to see if that is overridden.
-static bool IsOmxSupported()
-{
-  bool forceEnabled =
-      Preferences::GetBool("stagefright.force-enabled", false);
-  bool disabled =
-      Preferences::GetBool("stagefright.disabled", false);
-
-  if (disabled) {
-    NS_WARNING("XXX stagefright disabled\n");
-    return false;
-  }
-
-  if (!forceEnabled) {
-    nsCOMPtr<nsIGfxInfo> gfxInfo = services::GetGfxInfo();
-    if (gfxInfo) {
-      int32_t status;
-      nsCString discardFailure;
-      if (NS_SUCCEEDED(gfxInfo->GetFeatureStatus(nsIGfxInfo::FEATURE_STAGEFRIGHT, discardFailure, &status))) {
-        if (status != nsIGfxInfo::FEATURE_STATUS_OK) {
-          NS_WARNING("XXX stagefright blacklisted\n");
-          return false;
-        }
-      }
-    }
-  }
-
-  return true;
-}
-
-// Return the name of the shared library that implements Omx based decoding. This varies
-// depending on libstagefright version installed on the device and whether it is B2G vs Android.
-// nullptr is returned if Omx decoding is not supported on the device,
-static const char* GetOmxLibraryName()
-{
-#if defined(ANDROID)
-  nsCOMPtr<nsIPropertyBag2> infoService = do_GetService("@mozilla.org/system-info;1");
-  NS_ASSERTION(infoService, "Could not find a system info service");
-
-  int32_t version;
-  nsresult rv = infoService->GetPropertyAsInt32(NS_LITERAL_STRING("version"), &version);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Version is: %d", version);
-  }
-
-  nsAutoString release_version;
-  rv = infoService->GetPropertyAsAString(NS_LITERAL_STRING("release_version"), release_version);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Release Version is: %s", NS_LossyConvertUTF16toASCII(release_version).get());
-  }
-
-  nsAutoString device;
-  rv = infoService->GetPropertyAsAString(NS_LITERAL_STRING("device"), device);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Device is: %s", NS_LossyConvertUTF16toASCII(device).get());
-  }
-
-  nsAutoString manufacturer;
-  rv = infoService->GetPropertyAsAString(NS_LITERAL_STRING("manufacturer"), manufacturer);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Manufacturer is: %s", NS_LossyConvertUTF16toASCII(manufacturer).get());
-  }
-
-  nsAutoString hardware;
-  rv = infoService->GetPropertyAsAString(NS_LITERAL_STRING("hardware"), hardware);
-  if (NS_SUCCEEDED(rv)) {
-    ALOG("Android Hardware is: %s", NS_LossyConvertUTF16toASCII(hardware).get());
-  }
-#endif
-
-  if (!IsOmxSupported())
-    return nullptr;
-
-#if defined(ANDROID)
-  if (version >= 17) {
-    return "libomxpluginkk.so";
-  }
-
-  // Ice Cream Sandwich and Jellybean
-  return "libomxplugin.so";
-
-#else
-  return nullptr;
-#endif
-}
-
-AndroidMediaPluginHost::AndroidMediaPluginHost() {
-  MOZ_COUNT_CTOR(AndroidMediaPluginHost);
-  MOZ_ASSERT(NS_IsMainThread());
-
-  mResourceServer = AndroidMediaResourceServer::Start();
-
-  const char* name = GetOmxLibraryName();
-  ALOG("Loading OMX Plugin: %s", name ? name : "nullptr");
-  if (name) {
-    char *path = PR_GetLibraryFilePathname("libxul.so", (PRFuncPtr) GetOmxLibraryName);
-    PRLibrary *lib = nullptr;
-    if (path) {
-      nsAutoCString libpath(path);
-      PR_Free(path);
-      int32_t slash = libpath.RFindChar('/');
-      if (slash != kNotFound) {
-        libpath.Truncate(slash + 1);
-        libpath.Append(name);
-        lib = PR_LoadLibrary(libpath.get());
-      }
-    }
-    if (!lib)
-      lib = PR_LoadLibrary(name);
-
-    if (lib) {
-      Manifest *manifest = static_cast<Manifest *>(PR_FindSymbol(lib, "MPAPI_MANIFEST"));
-      if (manifest) {
-        mPlugins.AppendElement(manifest);
-        ALOG("OMX plugin successfully loaded");
-     }
-    }
-  }
-}
-
-AndroidMediaPluginHost::~AndroidMediaPluginHost() {
-  mResourceServer->Stop();
-  MOZ_COUNT_DTOR(AndroidMediaPluginHost);
-}
-
-bool AndroidMediaPluginHost::FindDecoder(const nsACString& aMimeType, const char* const** aCodecs)
-{
-  const char *chars;
-  size_t len = NS_CStringGetData(aMimeType, &chars, nullptr);
-  for (size_t n = 0; n < mPlugins.Length(); ++n) {
-    Manifest *plugin = mPlugins[n];
-    const char* const *codecs;
-    if (plugin->CanDecode(chars, len, &codecs)) {
-      if (aCodecs)
-        *aCodecs = codecs;
-      return true;
-    }
-  }
-  return false;
-}
-
-MPAPI::Decoder *AndroidMediaPluginHost::CreateDecoder(MediaResource *aResource, const nsACString& aMimeType)
-{
-  NS_ENSURE_TRUE(aResource, nullptr);
-
-  nsAutoPtr<Decoder> decoder(new Decoder());
-  if (!decoder) {
-    return nullptr;
-  }
-
-  const char *chars;
-  size_t len = NS_CStringGetData(aMimeType, &chars, nullptr);
-  for (size_t n = 0; n < mPlugins.Length(); ++n) {
-    Manifest *plugin = mPlugins[n];
-    const char* const *codecs;
-    if (!plugin->CanDecode(chars, len, &codecs)) {
-      continue;
-    }
-
-    nsCString url;
-    nsresult rv = mResourceServer->AddResource(aResource, url);
-    if (NS_FAILED (rv)) continue;
-
-    decoder->mResource = strdup(url.get());
-    if (plugin->CreateDecoder(&sPluginHost, decoder, chars, len)) {
-      return decoder.forget();
-    }
-  }
-
-  return nullptr;
-}
-
-void AndroidMediaPluginHost::DestroyDecoder(Decoder *aDecoder)
-{
-  aDecoder->DestroyDecoder(aDecoder);
-  char* resource = GetResource(aDecoder);
-  if (resource) {
-    // resource *shouldn't* be null, but check anyway just in case the plugin
-    // decoder does something stupid.
-    mResourceServer->RemoveResource(nsCString(resource));
-    free(resource);
-  }
-  delete aDecoder;
-}
-
-AndroidMediaPluginHost *sAndroidMediaPluginHost = nullptr;
-AndroidMediaPluginHost *EnsureAndroidMediaPluginHost()
-{
-  MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread());
-  if (!sAndroidMediaPluginHost) {
-    sAndroidMediaPluginHost = new AndroidMediaPluginHost();
-  }
-  return sAndroidMediaPluginHost;
-}
-
-AndroidMediaPluginHost *GetAndroidMediaPluginHost()
-{
-  MOZ_ASSERT(sAndroidMediaPluginHost);
-  return sAndroidMediaPluginHost;
-}
-
-void AndroidMediaPluginHost::Shutdown()
-{
-  delete sAndroidMediaPluginHost;
-  sAndroidMediaPluginHost = nullptr;
-}
-
-} // namespace mozilla
diff --git a/dom/media/android/AndroidMediaPluginHost.h b/dom/media/android/AndroidMediaPluginHost.h
deleted file mode 100644
index 854b7f21e1..0000000000
--- a/dom/media/android/AndroidMediaPluginHost.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(AndroidMediaPluginHost_h_)
-#define AndroidMediaPluginHost_h_
-
-#include "nsTArray.h"
-#include "MediaResource.h"
-#include "MPAPI.h"
-#include "AndroidMediaResourceServer.h"
-
-namespace mozilla {
-
-class AndroidMediaPluginHost {
-  RefPtr<AndroidMediaResourceServer> mResourceServer;
-  nsTArray<MPAPI::Manifest *> mPlugins;
-
-  MPAPI::Manifest *FindPlugin(const nsACString& aMimeType);
-public:
-  AndroidMediaPluginHost();
-  ~AndroidMediaPluginHost();
-
-  static void Shutdown();
-
-  bool FindDecoder(const nsACString& aMimeType, const char* const** aCodecs);
-  MPAPI::Decoder *CreateDecoder(mozilla::MediaResource *aResource, const nsACString& aMimeType);
-  void DestroyDecoder(MPAPI::Decoder *aDecoder);
-};
-
-// Must be called on the main thread. Creates the plugin host if it doesn't
-// already exist.
-AndroidMediaPluginHost *EnsureAndroidMediaPluginHost();
-
-// May be called on any thread after EnsureAndroidMediaPluginHost has been called.
-AndroidMediaPluginHost *GetAndroidMediaPluginHost();
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/android/AndroidMediaReader.cpp b/dom/media/android/AndroidMediaReader.cpp
deleted file mode 100644
index 12afacbc90..0000000000
--- a/dom/media/android/AndroidMediaReader.cpp
+++ /dev/null
@@ -1,449 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "AndroidMediaReader.h"
-#include "mozilla/TimeStamp.h"
-#include "mozilla/gfx/Point.h"
-#include "MediaResource.h"
-#include "VideoUtils.h"
-#include "AndroidMediaDecoder.h"
-#include "AndroidMediaPluginHost.h"
-#include "MediaDecoderStateMachine.h"
-#include "ImageContainer.h"
-#include "AbstractMediaDecoder.h"
-#include "gfx2DGlue.h"
-#include "VideoFrameContainer.h"
-#include "mozilla/CheckedInt.h"
-
-namespace mozilla {
-
-using namespace mozilla::gfx;
-using namespace mozilla::media;
-
-typedef mozilla::layers::Image Image;
-typedef mozilla::layers::PlanarYCbCrImage PlanarYCbCrImage;
-
-AndroidMediaReader::AndroidMediaReader(AbstractMediaDecoder *aDecoder,
-                                       const nsACString& aContentType) :
-  MediaDecoderReader(aDecoder),
-  mType(aContentType),
-  mPlugin(nullptr),
-  mHasAudio(false),
-  mHasVideo(false),
-  mVideoSeekTimeUs(-1),
-  mAudioSeekTimeUs(-1)
-{
-}
-
-nsresult AndroidMediaReader::ReadMetadata(MediaInfo* aInfo,
-                                          MetadataTags** aTags)
-{
-  MOZ_ASSERT(OnTaskQueue());
-
-  if (!mPlugin) {
-    mPlugin = GetAndroidMediaPluginHost()->CreateDecoder(mDecoder->GetResource(), mType);
-    if (!mPlugin) {
-      return NS_ERROR_FAILURE;
-    }
-  }
-
-  // Set the total duration (the max of the audio and video track).
-  int64_t durationUs;
-  mPlugin->GetDuration(mPlugin, &durationUs);
-  if (durationUs) {
-    mInfo.mMetadataDuration.emplace(TimeUnit::FromMicroseconds(durationUs));
-  }
-
-  if (mPlugin->HasVideo(mPlugin)) {
-    int32_t width, height;
-    mPlugin->GetVideoParameters(mPlugin, &width, &height);
-    nsIntRect pictureRect(0, 0, width, height);
-
-    // Validate the container-reported frame and pictureRect sizes. This ensures
-    // that our video frame creation code doesn't overflow.
-    nsIntSize displaySize(width, height);
-    nsIntSize frameSize(width, height);
-    if (!IsValidVideoRegion(frameSize, pictureRect, displaySize)) {
-      return NS_ERROR_FAILURE;
-    }
-
-    // Video track's frame sizes will not overflow. Activate the video track.
-    mHasVideo = true;
-    mInfo.mVideo.mDisplay = displaySize;
-    mPicture = pictureRect;
-    mInitialFrame = frameSize;
-    VideoFrameContainer* container = mDecoder->GetVideoFrameContainer();
-    if (container) {
-      container->ClearCurrentFrame(IntSize(displaySize.width, displaySize.height));
-    }
-  }
-
-  if (mPlugin->HasAudio(mPlugin)) {
-    int32_t numChannels, sampleRate;
-    mPlugin->GetAudioParameters(mPlugin, &numChannels, &sampleRate);
-    mHasAudio = true;
-    mInfo.mAudio.mChannels = numChannels;
-    mInfo.mAudio.mRate = sampleRate;
-  }
-
- *aInfo = mInfo;
- *aTags = nullptr;
-  return NS_OK;
-}
-
-RefPtr<ShutdownPromise>
-AndroidMediaReader::Shutdown()
-{
-  ResetDecode();
-  if (mPlugin) {
-    GetAndroidMediaPluginHost()->DestroyDecoder(mPlugin);
-    mPlugin = nullptr;
-  }
-
-  return MediaDecoderReader::Shutdown();
-}
-
-// Resets all state related to decoding, emptying all buffers etc.
-nsresult AndroidMediaReader::ResetDecode(TrackSet aTracks)
-{
-  if (mLastVideoFrame) {
-    mLastVideoFrame = nullptr;
-  }
-  mSeekRequest.DisconnectIfExists();
-  mSeekPromise.RejectIfExists(NS_OK, __func__);
-  return MediaDecoderReader::ResetDecode(aTracks);
-}
-
-bool AndroidMediaReader::DecodeVideoFrame(bool &aKeyframeSkip,
-                                          int64_t aTimeThreshold)
-{
-  // Record number of frames decoded and parsed. Automatically update the
-  // stats counters using the AutoNotifyDecoded stack-based class.
-  AbstractMediaDecoder::AutoNotifyDecoded a(mDecoder);
-
-  // Throw away the currently buffered frame if we are seeking.
-  if (mLastVideoFrame && mVideoSeekTimeUs != -1) {
-    mLastVideoFrame = nullptr;
-  }
-
-  ImageBufferCallback bufferCallback(mDecoder->GetImageContainer());
-  RefPtr<Image> currentImage;
-
-  // Read next frame
-  while (true) {
-    MPAPI::VideoFrame frame;
-    if (!mPlugin->ReadVideo(mPlugin, &frame, mVideoSeekTimeUs, &bufferCallback)) {
-      // We reached the end of the video stream. If we have a buffered
-      // video frame, push it the video queue using the total duration
-      // of the video as the end time.
-      if (mLastVideoFrame) {
-        int64_t durationUs;
-        mPlugin->GetDuration(mPlugin, &durationUs);
-        durationUs = std::max<int64_t>(durationUs - mLastVideoFrame->mTime, 0);
-        RefPtr<VideoData> data = VideoData::ShallowCopyUpdateDuration(mLastVideoFrame,
-                                                                        durationUs);
-        mVideoQueue.Push(data);
-        mLastVideoFrame = nullptr;
-      }
-      return false;
-    }
-    mVideoSeekTimeUs = -1;
-
-    if (aKeyframeSkip) {
-      // Disable keyframe skipping for now as
-      // stagefright doesn't seem to be telling us
-      // when a frame is a keyframe.
-#if 0
-      if (!frame.mKeyFrame) {
-        ++a.mStats.mParsedFrames;
-        ++a.mStats.mDroppedFrames;
-        continue;
-      }
-#endif
-      aKeyframeSkip = false;
-    }
-
-    if (frame.mSize == 0)
-      return true;
-
-    currentImage = bufferCallback.GetImage();
-    int64_t pos = mDecoder->GetResource()->Tell();
-    IntRect picture = mPicture;
-
-    RefPtr<VideoData> v;
-    if (currentImage) {
-      gfx::IntSize frameSize = currentImage->GetSize();
-      if (frameSize.width != mInitialFrame.width ||
-          frameSize.height != mInitialFrame.height) {
-        // Frame size is different from what the container reports. This is legal,
-        // and we will preserve the ratio of the crop rectangle as it
-        // was reported relative to the picture size reported by the container.
-        picture.x = (mPicture.x * frameSize.width) / mInitialFrame.width;
-        picture.y = (mPicture.y * frameSize.height) / mInitialFrame.height;
-        picture.width = (frameSize.width * mPicture.width) / mInitialFrame.width;
-        picture.height = (frameSize.height * mPicture.height) / mInitialFrame.height;
-      }
-
-      v = VideoData::CreateFromImage(mInfo.mVideo,
-                                     pos,
-                                     frame.mTimeUs,
-                                     1, // We don't know the duration yet.
-                                     currentImage,
-                                     frame.mKeyFrame,
-                                     -1,
-                                     picture);
-    } else {
-      // Assume YUV
-      VideoData::YCbCrBuffer b;
-      b.mPlanes[0].mData = static_cast<uint8_t *>(frame.Y.mData);
-      b.mPlanes[0].mStride = frame.Y.mStride;
-      b.mPlanes[0].mHeight = frame.Y.mHeight;
-      b.mPlanes[0].mWidth = frame.Y.mWidth;
-      b.mPlanes[0].mOffset = frame.Y.mOffset;
-      b.mPlanes[0].mSkip = frame.Y.mSkip;
-
-      b.mPlanes[1].mData = static_cast<uint8_t *>(frame.Cb.mData);
-      b.mPlanes[1].mStride = frame.Cb.mStride;
-      b.mPlanes[1].mHeight = frame.Cb.mHeight;
-      b.mPlanes[1].mWidth = frame.Cb.mWidth;
-      b.mPlanes[1].mOffset = frame.Cb.mOffset;
-      b.mPlanes[1].mSkip = frame.Cb.mSkip;
-
-      b.mPlanes[2].mData = static_cast<uint8_t *>(frame.Cr.mData);
-      b.mPlanes[2].mStride = frame.Cr.mStride;
-      b.mPlanes[2].mHeight = frame.Cr.mHeight;
-      b.mPlanes[2].mWidth = frame.Cr.mWidth;
-      b.mPlanes[2].mOffset = frame.Cr.mOffset;
-      b.mPlanes[2].mSkip = frame.Cr.mSkip;
-
-      if (frame.Y.mWidth != mInitialFrame.width ||
-          frame.Y.mHeight != mInitialFrame.height) {
-
-        // Frame size is different from what the container reports. This is legal,
-        // and we will preserve the ratio of the crop rectangle as it
-        // was reported relative to the picture size reported by the container.
-        picture.x = (mPicture.x * frame.Y.mWidth) / mInitialFrame.width;
-        picture.y = (mPicture.y * frame.Y.mHeight) / mInitialFrame.height;
-        picture.width = (frame.Y.mWidth * mPicture.width) / mInitialFrame.width;
-        picture.height = (frame.Y.mHeight * mPicture.height) / mInitialFrame.height;
-      }
-
-      // This is the approximate byte position in the stream.
-      v = VideoData::CreateAndCopyData(mInfo.mVideo,
-                                       mDecoder->GetImageContainer(),
-                                       pos,
-                                       frame.mTimeUs,
-                                       1, // We don't know the duration yet.
-                                       b,
-                                       frame.mKeyFrame,
-                                       -1,
-                                       picture);
-    }
-
-    if (!v) {
-      return false;
-    }
-    a.mStats.mParsedFrames++;
-    a.mStats.mDecodedFrames++;
-    NS_ASSERTION(a.mStats.mDecodedFrames <= a.mStats.mParsedFrames, "Expect to decode fewer frames than parsed in AndroidMedia...");
-
-    // Since MPAPI doesn't give us the end time of frames, we keep one frame
-    // buffered in AndroidMediaReader and push it into the queue as soon
-    // we read the following frame so we can use that frame's start time as
-    // the end time of the buffered frame.
-    if (!mLastVideoFrame) {
-      mLastVideoFrame = v;
-      continue;
-    }
-
-    // Calculate the duration as the timestamp of the current frame minus the
-    // timestamp of the previous frame. We can then return the previously
-    // decoded frame, and it will have a valid timestamp.
-    int64_t duration = v->mTime - mLastVideoFrame->mTime;
-    mLastVideoFrame = VideoData::ShallowCopyUpdateDuration(mLastVideoFrame, duration);
-
-    // We have the start time of the next frame, so we can push the previous
-    // frame into the queue, except if the end time is below the threshold,
-    // in which case it wouldn't be displayed anyway.
-    if (mLastVideoFrame->GetEndTime() < aTimeThreshold) {
-      mLastVideoFrame = nullptr;
-      continue;
-    }
-
-    // Buffer the current frame we just decoded.
-    mVideoQueue.Push(mLastVideoFrame);
-    mLastVideoFrame = v;
-
-    break;
-  }
-
-  return true;
-}
-
-bool AndroidMediaReader::DecodeAudioData()
-{
-  MOZ_ASSERT(OnTaskQueue());
-
-  // This is the approximate byte position in the stream.
-  int64_t pos = mDecoder->GetResource()->Tell();
-
-  // Read next frame
-  MPAPI::AudioFrame source;
-  if (!mPlugin->ReadAudio(mPlugin, &source, mAudioSeekTimeUs)) {
-    return false;
-  }
-  mAudioSeekTimeUs = -1;
-
-  // Ignore empty buffers which stagefright media read will sporadically return
-  if (source.mSize == 0)
-    return true;
-
-  uint32_t frames = source.mSize / (source.mAudioChannels *
-                                    sizeof(AudioDataValue));
-
-  typedef AudioCompactor::NativeCopy MPCopy;
-  return mAudioCompactor.Push(pos,
-                              source.mTimeUs,
-                              source.mAudioSampleRate,
-                              frames,
-                              source.mAudioChannels,
-                              MPCopy(static_cast<uint8_t *>(source.mData),
-                                     source.mSize,
-                                     source.mAudioChannels));
-}
-
-RefPtr<MediaDecoderReader::SeekPromise>
-AndroidMediaReader::Seek(SeekTarget aTarget, int64_t aEndTime)
-{
-  MOZ_ASSERT(OnTaskQueue());
-
-  RefPtr<SeekPromise> p = mSeekPromise.Ensure(__func__);
-  if (mHasAudio && mHasVideo) {
-    // The decoder seeks/demuxes audio and video streams separately. So if
-    // we seek both audio and video to aTarget, the audio stream can typically
-    // seek closer to the seek target, since typically every audio block is
-    // a sync point, whereas for video there are only keyframes once every few
-    // seconds. So if we have both audio and video, we must seek the video
-    // stream to the preceeding keyframe first, get the stream time, and then
-    // seek the audio stream to match the video stream's time. Otherwise, the
-    // audio and video streams won't be in sync after the seek.
-    mVideoSeekTimeUs = aTarget.GetTime().ToMicroseconds();
-
-    RefPtr<AndroidMediaReader> self = this;
-    mSeekRequest.Begin(DecodeToFirstVideoData()->Then(OwnerThread(), __func__, [self] (MediaData* v) {
-      self->mSeekRequest.Complete();
-      self->mAudioSeekTimeUs = v->mTime;
-      self->mSeekPromise.Resolve(media::TimeUnit::FromMicroseconds(self->mAudioSeekTimeUs), __func__);
-    }, [self, aTarget] () {
-      self->mSeekRequest.Complete();
-      self->mAudioSeekTimeUs = aTarget.GetTime().ToMicroseconds();
-      self->mSeekPromise.Resolve(aTarget.GetTime(), __func__);
-    }));
-  } else {
-    mAudioSeekTimeUs = mVideoSeekTimeUs = aTarget.GetTime().ToMicroseconds();
-    mSeekPromise.Resolve(aTarget.GetTime(), __func__);
-  }
-
-  return p;
-}
-
-AndroidMediaReader::ImageBufferCallback::ImageBufferCallback(mozilla::layers::ImageContainer *aImageContainer) :
-  mImageContainer(aImageContainer)
-{
-}
-
-void *
-AndroidMediaReader::ImageBufferCallback::operator()(size_t aWidth, size_t aHeight,
-                                                    MPAPI::ColorFormat aColorFormat)
-{
-  if (!mImageContainer) {
-    NS_WARNING("No image container to construct an image");
-    return nullptr;
-  }
-
-  RefPtr<Image> image;
-  switch(aColorFormat) {
-    case MPAPI::RGB565:
-      image = mozilla::layers::CreateSharedRGBImage(mImageContainer,
-                                                    nsIntSize(aWidth, aHeight),
-                                                    SurfaceFormat::R5G6B5_UINT16);
-      if (!image) {
-        NS_WARNING("Could not create rgb image");
-        return nullptr;
-      }
-
-      mImage = image;
-      return image->GetBuffer();
-    case MPAPI::I420:
-      return CreateI420Image(aWidth, aHeight);
-    default:
-      NS_NOTREACHED("Color format not supported");
-      return nullptr;
-  }
-}
-
-uint8_t *
-AndroidMediaReader::ImageBufferCallback::CreateI420Image(size_t aWidth,
-                                                         size_t aHeight)
-{
-  RefPtr<PlanarYCbCrImage> yuvImage = mImageContainer->CreatePlanarYCbCrImage();
-  mImage = yuvImage;
-
-  if (!yuvImage) {
-    NS_WARNING("Could not create I420 image");
-    return nullptr;
-  }
-
-  // Use uint32_t throughout to match AllocateAndGetNewBuffer's param
-  const auto checkedFrameSize =
-    CheckedInt<uint32_t>(aWidth) * aHeight;
-
-  // Allocate enough for one full resolution Y plane
-  // and two quarter resolution Cb/Cr planes.
-  const auto checkedBufferSize =
-    checkedFrameSize + checkedFrameSize / 2;
-
-  if (!checkedBufferSize.isValid()) { // checks checkedFrameSize too
-    NS_WARNING("Could not create I420 image");
-    return nullptr;
-  }
-
-  const auto frameSize = checkedFrameSize.value();
-
-  uint8_t *buffer =
-    yuvImage->AllocateAndGetNewBuffer(checkedBufferSize.value());
-
-  mozilla::layers::PlanarYCbCrData frameDesc;
-
-  frameDesc.mYChannel = buffer;
-  frameDesc.mCbChannel = buffer + frameSize;
-  frameDesc.mCrChannel = frameDesc.mCbChannel + frameSize / 4;
-
-  frameDesc.mYSize = IntSize(aWidth, aHeight);
-  frameDesc.mCbCrSize = IntSize(aWidth / 2, aHeight / 2);
-
-  frameDesc.mYStride = aWidth;
-  frameDesc.mCbCrStride = aWidth / 2;
-
-  frameDesc.mYSkip = 0;
-  frameDesc.mCbSkip = 0;
-  frameDesc.mCrSkip = 0;
-
-  frameDesc.mPicX = 0;
-  frameDesc.mPicY = 0;
-  frameDesc.mPicSize = IntSize(aWidth, aHeight);
-
-  yuvImage->AdoptData(frameDesc);
-
-  return buffer;
-}
-
-already_AddRefed<Image>
-AndroidMediaReader::ImageBufferCallback::GetImage()
-{
-  return mImage.forget();
-}
-
-} // namespace mozilla
diff --git a/dom/media/android/AndroidMediaReader.h b/dom/media/android/AndroidMediaReader.h
deleted file mode 100644
index def85a343b..0000000000
--- a/dom/media/android/AndroidMediaReader.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(AndroidMediaReader_h_)
-#define AndroidMediaReader_h_
-
-#include "mozilla/Attributes.h"
-#include "MediaResource.h"
-#include "MediaDecoderReader.h"
-#include "ImageContainer.h"
-#include "mozilla/layers/SharedRGBImage.h"
-
-#include "MPAPI.h"
-
-class nsACString;
-
-namespace mozilla {
-
-class AbstractMediaDecoder;
-
-namespace layers {
-class ImageContainer;
-}
-
-class AndroidMediaReader : public MediaDecoderReader
-{
-  nsCString mType;
-  MPAPI::Decoder *mPlugin;
-  bool mHasAudio;
-  bool mHasVideo;
-  nsIntRect mPicture;
-  nsIntSize mInitialFrame;
-  int64_t mVideoSeekTimeUs;
-  int64_t mAudioSeekTimeUs;
-  RefPtr<VideoData> mLastVideoFrame;
-  MozPromiseHolder<MediaDecoderReader::SeekPromise> mSeekPromise;
-  MozPromiseRequestHolder<MediaDecoderReader::MediaDataPromise> mSeekRequest;
-public:
-  AndroidMediaReader(AbstractMediaDecoder* aDecoder,
-                     const nsACString& aContentType);
-
-  nsresult ResetDecode(TrackSet aTracks = TrackSet(TrackInfo::kAudioTrack,
-                                                   TrackInfo::kVideoTrack)) override;
-
-  bool DecodeAudioData() override;
-  bool DecodeVideoFrame(bool &aKeyframeSkip, int64_t aTimeThreshold) override;
-
-  nsresult ReadMetadata(MediaInfo* aInfo, MetadataTags** aTags) override;
-  RefPtr<SeekPromise> Seek(SeekTarget aTarget, int64_t aEndTime) override;
-
-  RefPtr<ShutdownPromise> Shutdown() override;
-
-  class ImageBufferCallback : public MPAPI::BufferCallback {
-    typedef mozilla::layers::Image Image;
-
-  public:
-    ImageBufferCallback(mozilla::layers::ImageContainer *aImageContainer);
-    void *operator()(size_t aWidth, size_t aHeight,
-                     MPAPI::ColorFormat aColorFormat) override;
-    already_AddRefed<Image> GetImage();
-
-  private:
-    uint8_t *CreateI420Image(size_t aWidth, size_t aHeight);
-
-    mozilla::layers::ImageContainer *mImageContainer;
-    RefPtr<Image> mImage;
-  };
-
-};
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/android/AndroidMediaResourceServer.cpp b/dom/media/android/AndroidMediaResourceServer.cpp
deleted file mode 100644
index bd76a8c68c..0000000000
--- a/dom/media/android/AndroidMediaResourceServer.cpp
+++ /dev/null
@@ -1,503 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Assertions.h"
-#include "mozilla/Base64.h"
-#include "mozilla/IntegerPrintfMacros.h"
-#include "mozilla/UniquePtr.h"
-#include "nsThreadUtils.h"
-#include "nsIServiceManager.h"
-#include "nsISocketTransport.h"
-#include "nsIOutputStream.h"
-#include "nsIInputStream.h"
-#include "nsIRandomGenerator.h"
-#include "nsReadLine.h"
-#include "nsNetCID.h"
-#include "VideoUtils.h"
-#include "MediaResource.h"
-#include "AndroidMediaResourceServer.h"
-
-#if defined(_MSC_VER)
-#define strtoll _strtoi64
-#endif
-
-using namespace mozilla;
-
-/*
-  ReadCRLF is a variant of NS_ReadLine from nsReadLine.h that deals
-  with the carriage return/line feed requirements of HTTP requests.
-*/
-template<typename CharT, class StreamType, class StringType>
-nsresult
-ReadCRLF (StreamType* aStream, nsLineBuffer<CharT> * aBuffer,
-          StringType & aLine, bool *aMore)
-{
-  // eollast is true if the last character in the buffer is a '\r',
-  // signaling a potential '\r\n' sequence split between reads.
-  bool eollast = false;
-
-  aLine.Truncate();
-
-  while (1) { // will be returning out of this loop on eol or eof
-    if (aBuffer->start == aBuffer->end) { // buffer is empty.  Read into it.
-      uint32_t bytesRead;
-      nsresult rv = aStream->Read(aBuffer->buf, kLineBufferSize, &bytesRead);
-      if (NS_FAILED(rv) || bytesRead == 0) {
-        *aMore = false;
-        return rv;
-      }
-      aBuffer->start = aBuffer->buf;
-      aBuffer->end = aBuffer->buf + bytesRead;
-      *(aBuffer->end) = '\0';
-    }
-
-    /*
-     * Walk the buffer looking for an end-of-line.
-     * There are 4 cases to consider:
-     *  1. the CR char is the last char in the buffer
-     *  2. the CRLF sequence are the last characters in the buffer
-     *  3. the CRLF sequence + one or more chars at the end of the buffer
-     *      we need at least one char after the first CRLF sequence to
-     *      set |aMore| correctly.
-     *  4. The LF character is the first char in the buffer when eollast is
-     *      true.
-     */
-    CharT* current = aBuffer->start;
-    if (eollast) { // Case 4
-      if (*current == '\n') {
-        aBuffer->start = ++current;
-        *aMore = true;
-        return NS_OK;
-      }
-      else {
-        eollast = false;
-        aLine.Append('\r');
-      }
-    }
-    // Cases 2 and 3
-    for ( ; current < aBuffer->end-1; ++current) {
-      if (*current == '\r' && *(current+1) == '\n') {
-        *current++ = '\0';
-        *current++ = '\0';
-        aLine.Append(aBuffer->start);
-        aBuffer->start = current;
-        *aMore = true;
-        return NS_OK;
-      }
-    }
-    // Case 1
-    if (*current == '\r') {
-      eollast = true;
-      *current++ = '\0';
-    }
-
-    aLine.Append(aBuffer->start);
-    aBuffer->start = aBuffer->end; // mark the buffer empty
-  }
-}
-
-// Each client HTTP request results in a thread being spawned to process it.
-// That thread has a single event dispatched to it which handles the HTTP
-// protocol. It parses the headers and forwards data from the MediaResource
-// associated with the URL back to client. When the request is complete it will
-// shutdown the thread.
-class ServeResourceEvent : public Runnable {
-private:
-  // Reading from this reads the data sent from the client.
-  nsCOMPtr<nsIInputStream> mInput;
-
-  // Writing to this sends data to the client.
-  nsCOMPtr<nsIOutputStream> mOutput;
-
-  // The AndroidMediaResourceServer that owns the MediaResource instances
-  // served. This is used to lookup the MediaResource from the URL.
-  RefPtr<AndroidMediaResourceServer> mServer;
-
-  // Write 'aBufferLength' bytes from 'aBuffer' to 'mOutput'. This
-  // method ensures all the data is written by checking the number
-  // of bytes returned from the output streams 'Write' method and
-  // looping until done.
-  nsresult WriteAll(char const* aBuffer, int32_t aBufferLength);
-
-public:
-  ServeResourceEvent(nsIInputStream* aInput, nsIOutputStream* aOutput,
-                     AndroidMediaResourceServer* aServer)
-    : mInput(aInput), mOutput(aOutput), mServer(aServer) {}
-
-  // This method runs on the thread and exits when it has completed the
-  // HTTP request.
-  NS_IMETHOD Run();
-
-  // Given the first line of an HTTP request, parse the URL requested and
-  // return the MediaResource for that URL.
-  already_AddRefed<MediaResource> GetMediaResource(nsCString const& aHTTPRequest);
-
-  // Gracefully shutdown the thread and cleanup resources
-  void Shutdown();
-};
-
-nsresult
-ServeResourceEvent::WriteAll(char const* aBuffer, int32_t aBufferLength)
-{
-  while (aBufferLength > 0) {
-    uint32_t written = 0;
-    nsresult rv = mOutput->Write(aBuffer, aBufferLength, &written);
-    if (NS_FAILED (rv)) return rv;
-
-    aBufferLength -= written;
-    aBuffer += written;
-  }
-
-  return NS_OK;
-}
-
-already_AddRefed<MediaResource>
-ServeResourceEvent::GetMediaResource(nsCString const& aHTTPRequest)
-{
-  // Check that the HTTP method is GET
-  const char* HTTP_METHOD = "GET ";
-  if (strncmp(aHTTPRequest.get(), HTTP_METHOD, strlen(HTTP_METHOD)) != 0) {
-    return nullptr;
-  }
-
-  const char* url_start = strchr(aHTTPRequest.get(), ' ');
-  if (!url_start) {
-    return nullptr;
-  }
-
-  const char* url_end = strrchr(++url_start, ' ');
-  if (!url_end) {
-    return nullptr;
-  }
-
-  // The path extracted from the HTTP request is used as a key in hash
-  // table. It is not related to retrieving data from the filesystem so
-  // we don't need to do any sanity checking on ".." paths and similar
-  // exploits.
-  nsCString relative(url_start, url_end - url_start);
-  RefPtr<MediaResource> resource =
-    mServer->GetResource(mServer->GetURLPrefix() + relative);
-  return resource.forget();
-}
-
-NS_IMETHODIMP
-ServeResourceEvent::Run() {
-  bool more = false; // Are there HTTP headers to read after the first line
-  nsCString line;    // Contains the current line read from input stream
-  nsLineBuffer<char>* buffer = new nsLineBuffer<char>();
-  nsresult rv = ReadCRLF(mInput.get(), buffer, line, &more);
-  if (NS_FAILED(rv)) { Shutdown(); return rv; }
-
-  // First line contains the HTTP GET request. Extract the URL and obtain
-  // the MediaResource for it.
-  RefPtr<MediaResource> resource = GetMediaResource(line);
-  if (!resource) {
-    const char* response_404 = "HTTP/1.1 404 Not Found\r\n"
-                               "Content-Length: 0\r\n\r\n";
-    rv = WriteAll(response_404, strlen(response_404));
-    Shutdown();
-    return rv;
-  }
-
-  // Offset in bytes to start reading from resource.
-  // This is zero by default but can be set to another starting value if
-  // this HTTP request includes a byte range request header.
-  int64_t start = 0;
-
-  // Keep reading lines until we get a zero length line, which is the HTTP
-  // protocol's way of signifying the end of headers and start of body, or
-  // until we have no more data to read.
-  while (more && line.Length() > 0) {
-    rv = ReadCRLF(mInput.get(), buffer, line, &more);
-    if (NS_FAILED(rv)) { Shutdown(); return rv; }
-
-    // Look for a byte range request header. If there is one, set the
-    // media resource offset to start from to that requested. Here we
-    // only check for the range request format used by Android rather
-    // than implementing all possibilities in the HTTP specification.
-    // That is, the range request is of the form:
-    //   Range: bytes=nnnn-
-    // Were 'nnnn' is an integer number.
-    // The end of the range is not checked, instead we return up to
-    // the end of the resource and the client is informed of this via
-    // the content-range header.
-    NS_NAMED_LITERAL_CSTRING(byteRange, "Range: bytes=");
-    const char* s = strstr(line.get(), byteRange.get());
-    if (s) {
-      start = strtoll(s+byteRange.Length(), nullptr, 10);
-
-      // Clamp 'start' to be between 0 and the resource length.
-      start = std::max(int64_t(0), std::min(resource->GetLength(), start));
-    }
-  }
-
-  // HTTP response to use if this is a non byte range request
-  const char* response_normal = "HTTP/1.1 200 OK\r\n";
-
-  // HTTP response to use if this is a byte range request
-  const char* response_range = "HTTP/1.1 206 Partial Content\r\n";
-
-  // End of HTTP reponse headers is indicated by an empty line.
-  const char* response_end = "\r\n";
-
-  // If the request was a byte range request, we need to read from the
-  // requested offset. If the resource is non-seekable, or the seek
-  // fails, then the start offset is set back to zero. This results in all
-  // HTTP response data being as if the byte range request was not made.
-  if (start > 0 && !resource->IsTransportSeekable()) {
-    start = 0;
-  }
-
-  const char* response_line = start > 0 ?
-                                response_range :
-                                response_normal;
-  rv = WriteAll(response_line, strlen(response_line));
-  if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-
-  // Buffer used for reading from the input stream and writing to
-  // the output stream. The buffer size should be big enough for the
-  // HTTP response headers sent below. A static_assert ensures
-  // this where the buffer is used.
-  const int buffer_size = 32768;
-  auto b = MakeUnique<char[]>(buffer_size);
-
-  // If we know the length of the resource, send a Content-Length header.
-  int64_t contentlength = resource->GetLength() - start;
-  if (contentlength > 0) {
-    static_assert (buffer_size > 1024,
-                   "buffer_size must be large enough "
-                   "to hold response headers");
-    snprintf(b.get(), buffer_size, "Content-Length: %" PRId64 "\r\n", contentlength);
-    rv = WriteAll(b.get(), strlen(b.get()));
-    if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-  }
-
-  // If the request was a byte range request, respond with a Content-Range
-  // header which details the extent of the data returned.
-  if (start > 0) {
-    static_assert (buffer_size > 1024,
-                   "buffer_size must be large enough "
-                   "to hold response headers");
-    snprintf(b.get(), buffer_size, "Content-Range: "
-             "bytes %" PRId64 "-%" PRId64 "/%" PRId64 "\r\n",
-             start, resource->GetLength() - 1, resource->GetLength());
-    rv = WriteAll(b.get(), strlen(b.get()));
-    if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-  }
-
-  rv = WriteAll(response_end, strlen(response_end));
-  if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-
-  rv = mOutput->Flush();
-  if (NS_FAILED(rv)) { Shutdown(); return NS_OK; }
-
-  // Read data from media resource
-  uint32_t bytesRead = 0; // Number of bytes read/written to streams
-  rv = resource->ReadAt(start, b.get(), buffer_size, &bytesRead);
-  while (NS_SUCCEEDED(rv) && bytesRead != 0) {
-    // Keep track of what we think the starting position for the next read
-    // is. This is used in subsequent ReadAt calls to ensure we are reading
-    // from the correct offset in the case where another thread is reading
-    // from th same MediaResource.
-    start += bytesRead;
-
-    // Write data obtained from media resource to output stream
-    rv = WriteAll(b.get(), bytesRead);
-    if (NS_FAILED (rv)) break;
-
-    rv = resource->ReadAt(start, b.get(), 32768, &bytesRead);
-  }
-
-  Shutdown();
-  return NS_OK;
-}
-
-void
-ServeResourceEvent::Shutdown()
-{
-  // Cleanup resources and exit.
-  mInput->Close();
-  mOutput->Close();
-
-  // To shutdown the current thread we need to first exit this event.
-  // The Shutdown event below is posted to the main thread to do this.
-  nsCOMPtr<nsIRunnable> event = new ShutdownThreadEvent(NS_GetCurrentThread());
-  NS_DispatchToMainThread(event);
-}
-
-/*
-  This is the listener attached to the server socket. When an HTTP
-  request is made by the client the OnSocketAccepted method is
-  called. This method will spawn a thread to process the request.
-  The thread receives a single event which does the parsing of
-  the HTTP request and forwarding the data from the MediaResource
-  to the output stream of the request.
-
-  The MediaResource used for providing the request data is obtained
-  from the AndroidMediaResourceServer that created this listener, using the
-  URL the client requested.
-*/
-class ResourceSocketListener : public nsIServerSocketListener
-{
-public:
-  // The AndroidMediaResourceServer used to look up the MediaResource
-  // on requests.
-  RefPtr<AndroidMediaResourceServer> mServer;
-
-  NS_DECL_THREADSAFE_ISUPPORTS
-  NS_DECL_NSISERVERSOCKETLISTENER
-
-  ResourceSocketListener(AndroidMediaResourceServer* aServer) :
-    mServer(aServer)
-  {
-  }
-
-private:
-  virtual ~ResourceSocketListener() { }
-};
-
-NS_IMPL_ISUPPORTS(ResourceSocketListener, nsIServerSocketListener)
-
-NS_IMETHODIMP
-ResourceSocketListener::OnSocketAccepted(nsIServerSocket* aServ,
-                                         nsISocketTransport* aTrans)
-{
-  nsCOMPtr<nsIInputStream> input;
-  nsCOMPtr<nsIOutputStream> output;
-  nsresult rv;
-
-  rv = aTrans->OpenInputStream(nsITransport::OPEN_BLOCKING, 0, 0, getter_AddRefs(input));
-  if (NS_FAILED(rv)) return rv;
-
-  rv = aTrans->OpenOutputStream(nsITransport::OPEN_BLOCKING, 0, 0, getter_AddRefs(output));
-  if (NS_FAILED(rv)) return rv;
-
-  nsCOMPtr<nsIThread> thread;
-  rv = NS_NewThread(getter_AddRefs(thread));
-  if (NS_FAILED(rv)) return rv;
-
-  nsCOMPtr<nsIRunnable> event = new ServeResourceEvent(input.get(), output.get(), mServer);
-  return thread->Dispatch(event, NS_DISPATCH_NORMAL);
-}
-
-NS_IMETHODIMP
-ResourceSocketListener::OnStopListening(nsIServerSocket* aServ, nsresult aStatus)
-{
-  return NS_OK;
-}
-
-AndroidMediaResourceServer::AndroidMediaResourceServer() :
-  mMutex("AndroidMediaResourceServer")
-{
-}
-
-NS_IMETHODIMP
-AndroidMediaResourceServer::Run()
-{
-  MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread());
-  MutexAutoLock lock(mMutex);
-
-  nsresult rv;
-  mSocket = do_CreateInstance(NS_SERVERSOCKET_CONTRACTID, &rv);
-  if (NS_FAILED(rv)) return rv;
-
-  rv = mSocket->InitSpecialConnection(-1,
-                                      nsIServerSocket::LoopbackOnly
-                                      | nsIServerSocket::KeepWhenOffline,
-                                      -1);
-  if (NS_FAILED(rv)) return rv;
-
-  rv = mSocket->AsyncListen(new ResourceSocketListener(this));
-  if (NS_FAILED(rv)) return rv;
-
-  return NS_OK;
-}
-
-/* static */
-already_AddRefed<AndroidMediaResourceServer>
-AndroidMediaResourceServer::Start()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-  RefPtr<AndroidMediaResourceServer> server = new AndroidMediaResourceServer();
-  server->Run();
-  return server.forget();
-}
-
-void
-AndroidMediaResourceServer::Stop()
-{
-  MutexAutoLock lock(mMutex);
-  mSocket->Close();
-  mSocket = nullptr;
-}
-
-nsresult
-AndroidMediaResourceServer::AppendRandomPath(nsCString& aUrl)
-{
-  // Use a cryptographic quality PRNG to generate raw random bytes
-  // and convert that to a base64 string for use as an URL path. This
-  // is based on code from nsExternalAppHandler::SetUpTempFile.
-  nsresult rv;
-  nsAutoCString salt;
-  rv = GenerateRandomPathName(salt, 16);
-  if (NS_FAILED(rv)) return rv;
-  aUrl += "/";
-  aUrl += salt;
-  return NS_OK;
-}
-
-nsresult
-AndroidMediaResourceServer::AddResource(mozilla::MediaResource* aResource, nsCString& aUrl)
-{
-  nsCString url = GetURLPrefix();
-  nsresult rv = AppendRandomPath(url);
-  if (NS_FAILED (rv)) return rv;
-
-  {
-    MutexAutoLock lock(mMutex);
-
-    // Adding a resource URL that already exists is considered an error.
-    if (mResources.find(url) != mResources.end()) return NS_ERROR_FAILURE;
-    mResources[url] = aResource;
-  }
-
-  aUrl = url;
-
-  return NS_OK;
-}
-
-void
-AndroidMediaResourceServer::RemoveResource(nsCString const& aUrl)
-{
-  MutexAutoLock lock(mMutex);
-  mResources.erase(aUrl);
-}
-
-nsCString
-AndroidMediaResourceServer::GetURLPrefix()
-{
-  MutexAutoLock lock(mMutex);
-
-  int32_t port = 0;
-  nsresult rv = mSocket->GetPort(&port);
-  if (NS_FAILED (rv) || port < 0) {
-    return nsCString("");
-  }
-
-  char buffer[256];
-  snprintf(buffer, sizeof(buffer), "http://127.0.0.1:%d", port >= 0 ? port : 0);
-  return nsCString(buffer);
-}
-
-already_AddRefed<MediaResource>
-AndroidMediaResourceServer::GetResource(nsCString const& aUrl)
-{
-  MutexAutoLock lock(mMutex);
-  ResourceMap::const_iterator it = mResources.find(aUrl);
-  if (it == mResources.end()) return nullptr;
-
-  RefPtr<MediaResource> resource = it->second;
-  return resource.forget();
-}
diff --git a/dom/media/android/AndroidMediaResourceServer.h b/dom/media/android/AndroidMediaResourceServer.h
deleted file mode 100644
index 68200f9c0f..0000000000
--- a/dom/media/android/AndroidMediaResourceServer.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(AndroidMediaResourceServer_h_)
-#define AndroidMediaResourceServer_h_
-
-#include <map>
-#include "nsIServerSocket.h"
-#include "MediaResource.h"
-
-namespace mozilla {
-
-class MediaResource;
-
-/*
-  AndroidMediaResourceServer instantiates a socket server that understands
-  HTTP requests for MediaResource instances. The server runs on an
-  automatically selected port and MediaResource instances are registered.
-  The registration returns a string URL than can be used to fetch the
-  resource. That URL contains a randomly generated path to make it
-  difficult for other local applications on the device to guess it.
-
-  The HTTP protocol is limited in that it supports only what the
-  Android DataSource implementation uses to fetch media. It
-  understands HTTP GET and byte range requests.
-
-  The intent of this class is to be used in Media backends that
-  have a system component that does its own network requests. These
-  requests are made against this server which then uses standard
-  Gecko network requests and media cache usage.
-
-  The AndroidMediaResourceServer can be instantiated on any thread and
-  its methods are threadsafe - they can be called on any thread.
-  The server socket itself is always run on the main thread and
-  this is done by the Start() static method by synchronously
-  dispatching to the main thread.
-*/
-class AndroidMediaResourceServer : public Runnable
-{
-private:
-  // Mutex protecting private members of AndroidMediaResourceServer.
-  // All member variables below this point in the class definition
-  // must acquire the mutex before access.
-  mozilla::Mutex mMutex;
-
-  // Server socket used to listen for incoming connections
-  nsCOMPtr<nsIServerSocket> mSocket;
-
-  // Mapping between MediaResource URL's to the MediaResource
-  // object served at that URL.
-  typedef std::map<nsCString,
-                  RefPtr<mozilla::MediaResource> > ResourceMap;
-  ResourceMap mResources;
-
-  // Create a AndroidMediaResourceServer that will listen on an automatically
-  // selected port when started. This is private as it should only be
-  // called internally from the public 'Start' method.
-  AndroidMediaResourceServer();
-  NS_IMETHOD Run();
-
-  // Append a random URL path to a string. This is used for creating a
-  // unique URl for a resource which helps prevent malicious software
-  // running on the same machine as the server from guessing the URL
-  // and accessing video data.
-  nsresult AppendRandomPath(nsCString& aURL);
-
-public:
-  // Create a AndroidMediaResourceServer and start it listening. This call will
-  // perform a synchronous request on the main thread.
-  static already_AddRefed<AndroidMediaResourceServer> Start();
-
-  // Stops the server from listening and accepting further connections.
-  void Stop();
-
-  // Add a MediaResource to be served by this server. Stores the
-  // absolute URL that can be used to access the resource in 'aUrl'.
-  nsresult AddResource(mozilla::MediaResource* aResource, nsCString& aUrl);
-
-  // Remove a MediaResource so it is no longer served by this server.
-  // The URL provided must match exactly that provided by a previous
-  // call to "AddResource".
-  void RemoveResource(nsCString const& aUrl);
-
-  // Returns the prefix for HTTP requests to the server. This plus
-  // the result of AddResource results in an Absolute URL.
-  nsCString GetURLPrefix();
-
-  // Returns the resource asociated with a given URL
-  already_AddRefed<mozilla::MediaResource> GetResource(nsCString const& aUrl);
-};
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/android/MPAPI.h b/dom/media/android/MPAPI.h
deleted file mode 100644
index 9b289ca09c..0000000000
--- a/dom/media/android/MPAPI.h
+++ /dev/null
@@ -1,165 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#if !defined(MPAPI_h_)
-#define MPAPI_h_
-
-#include <stdint.h>
-
-namespace MPAPI {
-
-enum ColorFormat {
-  I420,
-  RGB565
-};
-
-/*
- * A callback for the plugin to use to request a buffer owned by gecko. This can
- * save us a copy or two down the line.
- */
-class BufferCallback {
-public:
-  virtual void *operator()(size_t aWidth, size_t aHeight,
-                           ColorFormat aColorFormat) = 0;
-};
-
-struct VideoPlane {
-  VideoPlane() :
-    mData(0),
-    mStride(0),
-    mWidth(0),
-    mHeight(0),
-    mOffset(0),
-    mSkip(0)
-  {}
-
-  void *mData;
-  int32_t mStride;
-  int32_t mWidth;
-  int32_t mHeight;
-  int32_t mOffset;
-  int32_t mSkip;
-};
-
-struct VideoFrame {
-  int64_t mTimeUs;
-  bool mKeyFrame;
-  void *mData;
-  size_t mSize;
-  int32_t mStride;
-  int32_t mSliceHeight;
-  int32_t mRotation;
-  VideoPlane Y;
-  VideoPlane Cb;
-  VideoPlane Cr;
-
-  VideoFrame() :
-    mTimeUs(0),
-    mKeyFrame(false),
-    mData(0),
-    mSize(0),
-    mStride(0),
-    mSliceHeight(0),
-    mRotation(0)
-  {}
-
-  void Set(int64_t aTimeUs, bool aKeyFrame,
-           void *aData, size_t aSize, int32_t aStride, int32_t aSliceHeight, int32_t aRotation,
-           void *aYData, int32_t aYStride, int32_t aYWidth, int32_t aYHeight, int32_t aYOffset, int32_t aYSkip,
-           void *aCbData, int32_t aCbStride, int32_t aCbWidth, int32_t aCbHeight, int32_t aCbOffset, int32_t aCbSkip,
-           void *aCrData, int32_t aCrStride, int32_t aCrWidth, int32_t aCrHeight, int32_t aCrOffset, int32_t aCrSkip)
-  {
-    mTimeUs = aTimeUs;
-    mKeyFrame = aKeyFrame;
-    mData = aData;
-    mSize = aSize;
-    mStride = aStride;
-    mSliceHeight = aSliceHeight;
-    mRotation = aRotation;
-    Y.mData = aYData;
-    Y.mStride = aYStride;
-    Y.mWidth = aYWidth;
-    Y.mHeight = aYHeight;
-    Y.mOffset = aYOffset;
-    Y.mSkip = aYSkip;
-    Cb.mData = aCbData;
-    Cb.mStride = aCbStride;
-    Cb.mWidth = aCbWidth;
-    Cb.mHeight = aCbHeight;
-    Cb.mOffset = aCbOffset;
-    Cb.mSkip = aCbSkip;
-    Cr.mData = aCrData;
-    Cr.mStride = aCrStride;
-    Cr.mWidth = aCrWidth;
-    Cr.mHeight = aCrHeight;
-    Cr.mOffset = aCrOffset;
-    Cr.mSkip = aCrSkip;
-  }
-};
-
-struct AudioFrame {
-  int64_t mTimeUs;
-  void *mData; // 16PCM interleaved
-  size_t mSize; // Size of mData in bytes
-  int32_t mAudioChannels;
-  int32_t mAudioSampleRate;
-
-  AudioFrame() :
-    mTimeUs(0),
-    mData(0),
-    mSize(0),
-    mAudioChannels(0),
-    mAudioSampleRate(0)
-  {
-  }
-
-  void Set(int64_t aTimeUs,
-           void *aData, size_t aSize,
-           int32_t aAudioChannels, int32_t aAudioSampleRate)
-  {
-    mTimeUs = aTimeUs;
-    mData = aData;
-    mSize = aSize;
-    mAudioChannels = aAudioChannels;
-    mAudioSampleRate = aAudioSampleRate;
-  }
-};
-
-struct Decoder;
-
-struct PluginHost {
-  bool (*Read)(Decoder *aDecoder, char *aBuffer, int64_t aOffset, uint32_t aCount, uint32_t* aBytes);
-  uint64_t (*GetLength)(Decoder *aDecoder);
-  void (*SetMetaDataReadMode)(Decoder *aDecoder);
-  void (*SetPlaybackReadMode)(Decoder *aDecoder);
-  bool (*GetIntPref)(const char *aPref, int32_t *aResult);
-  bool (*GetSystemInfoString)(const char *aKey, char *aResult, size_t aResultLen);
-};
-
-struct Decoder {
-  void *mResource;
-  void *mPrivate;
-
-  Decoder();
-
-  void (*GetDuration)(Decoder *aDecoder, int64_t *durationUs);
-  void (*GetVideoParameters)(Decoder *aDecoder, int32_t *aWidth, int32_t *aHeight);
-  void (*GetAudioParameters)(Decoder *aDecoder, int32_t *aNumChannels, int32_t *aSampleRate);
-  bool (*HasVideo)(Decoder *aDecoder);
-  bool (*HasAudio)(Decoder *aDecoder);
-  bool (*ReadVideo)(Decoder *aDecoder, VideoFrame *aFrame, int64_t aSeekTimeUs, BufferCallback *aBufferCallback);
-  bool (*ReadAudio)(Decoder *aDecoder, AudioFrame *aFrame, int64_t aSeekTimeUs);
-  void (*DestroyDecoder)(Decoder *);
-};
-
-struct Manifest {
-  bool (*CanDecode)(const char *aMimeChars, size_t aMimeLen, const char* const**aCodecs);
-  bool (*CreateDecoder)(PluginHost *aPluginHost, Decoder *aDecoder,
-                        const char *aMimeChars, size_t aMimeLen);
-};
-
-}
-
-#endif
diff --git a/dom/media/android/moz.build b/dom/media/android/moz.build
deleted file mode 100644
index 3ad43cd50b..0000000000
--- a/dom/media/android/moz.build
+++ /dev/null
@@ -1,27 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-EXPORTS += [
-    'AndroidMediaDecoder.h',
-    'AndroidMediaPluginHost.h',
-    'AndroidMediaReader.h',
-    'AndroidMediaResourceServer.h',
-    'MPAPI.h',
-]
-
-UNIFIED_SOURCES += [
-    'AndroidMediaDecoder.cpp',
-    'AndroidMediaPluginHost.cpp',
-    'AndroidMediaReader.cpp',
-    'AndroidMediaResourceServer.cpp',
-]
-
-LOCAL_INCLUDES += [
-    '/dom/base',
-    '/dom/html',
-]
-
-FINAL_LIBRARY = 'xul'
diff --git a/dom/media/directshow/AudioSinkFilter.cpp b/dom/media/directshow/AudioSinkFilter.cpp
deleted file mode 100644
index 9f23c0e00a..0000000000
--- a/dom/media/directshow/AudioSinkFilter.cpp
+++ /dev/null
@@ -1,285 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SampleSink.h"
-#include "AudioSinkFilter.h"
-#include "AudioSinkInputPin.h"
-#include "VideoUtils.h"
-#include "mozilla/Logging.h"
-
-
-#include <initguid.h>
-#include <wmsdkidl.h>
-
-#define DELETE_RESET(p) { delete (p) ; (p) = nullptr ;}
-
-DEFINE_GUID(CLSID_MozAudioSinkFilter, 0x1872d8c8, 0xea8d, 0x4c34, 0xae, 0x96, 0x69, 0xde,
-            0xf1, 0x33, 0x7b, 0x33);
-
-using namespace mozilla::media;
-
-namespace mozilla {
-
-static LazyLogModule gDirectShowLog("DirectShowDecoder");
-#define LOG(...) MOZ_LOG(gDirectShowLog, mozilla::LogLevel::Debug, (__VA_ARGS__))
-
-AudioSinkFilter::AudioSinkFilter(const wchar_t* aObjectName, HRESULT* aOutResult)
-  : BaseFilter(aObjectName, CLSID_MozAudioSinkFilter),
-    mFilterCritSec("AudioSinkFilter::mFilterCritSec")
-{
-  (*aOutResult) = S_OK;
-  mInputPin = new AudioSinkInputPin(L"AudioSinkInputPin",
-                                    this,
-                                    &mFilterCritSec,
-                                    aOutResult);
-}
-
-AudioSinkFilter::~AudioSinkFilter()
-{
-}
-
-int
-AudioSinkFilter::GetPinCount()
-{
-  return 1;
-}
-
-BasePin*
-AudioSinkFilter::GetPin(int aIndex)
-{
-  CriticalSectionAutoEnter lockFilter(mFilterCritSec);
-  return (aIndex == 0) ? static_cast<BasePin*>(mInputPin) : nullptr;
-}
-
-HRESULT
-AudioSinkFilter::Pause()
-{
-  CriticalSectionAutoEnter lockFilter(mFilterCritSec);
-  if (mState == State_Stopped) {
-    //  Change the state, THEN activate the input pin.
-    mState = State_Paused;
-    if (mInputPin && mInputPin->IsConnected()) {
-      mInputPin->Active();
-    }
-  } else if (mState == State_Running) {
-    mState = State_Paused;
-  }
-  return S_OK;
-}
-
-HRESULT
-AudioSinkFilter::Stop()
-{
-  CriticalSectionAutoEnter lockFilter(mFilterCritSec);
-  mState = State_Stopped;
-  if (mInputPin) {
-    mInputPin->Inactive();
-  }
-
-  GetSampleSink()->Flush();
-
-  return S_OK;
-}
-
-HRESULT
-AudioSinkFilter::Run(REFERENCE_TIME tStart)
-{
-  LOG("AudioSinkFilter::Run(%lld) [%4.2lf]",
-      RefTimeToUsecs(tStart),
-      double(RefTimeToUsecs(tStart)) / USECS_PER_S);
-  return media::BaseFilter::Run(tStart);
-}
-
-HRESULT
-AudioSinkFilter::GetClassID( OUT CLSID * pCLSID )
-{
-  (* pCLSID) = CLSID_MozAudioSinkFilter;
-  return S_OK;
-}
-
-HRESULT
-AudioSinkFilter::QueryInterface(REFIID aIId, void **aInterface)
-{
-  if (aIId == IID_IMediaSeeking) {
-    *aInterface = static_cast<IMediaSeeking*>(this);
-    AddRef();
-    return S_OK;
-  }
-  return mozilla::media::BaseFilter::QueryInterface(aIId, aInterface);
-}
-
-ULONG
-AudioSinkFilter::AddRef()
-{
-  return ::InterlockedIncrement(&mRefCnt);
-}
-
-ULONG
-AudioSinkFilter::Release()
-{
-  unsigned long newRefCnt = ::InterlockedDecrement(&mRefCnt);
-  if (!newRefCnt) {
-    delete this;
-  }
-  return newRefCnt;
-}
-
-SampleSink*
-AudioSinkFilter::GetSampleSink()
-{
-  return mInputPin->GetSampleSink();
-}
-
-
-// IMediaSeeking implementation.
-//
-// Calls to IMediaSeeking are forwarded to the output pin that the
-// AudioSinkInputPin is connected to, i.e. upstream towards the parser and
-// source filters, which actually implement seeking.
-#define ENSURE_CONNECTED_PIN_SEEKING \
-  if (!mInputPin) { \
-    return E_NOTIMPL; \
-  } \
-  RefPtr<IMediaSeeking> pinSeeking = mInputPin->GetConnectedPinSeeking(); \
-  if (!pinSeeking) { \
-    return E_NOTIMPL; \
-  }
-
-HRESULT
-AudioSinkFilter::GetCapabilities(DWORD* aCapabilities)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->GetCapabilities(aCapabilities);
-}
-
-HRESULT
-AudioSinkFilter::CheckCapabilities(DWORD* aCapabilities)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->CheckCapabilities(aCapabilities);
-}
-
-HRESULT
-AudioSinkFilter::IsFormatSupported(const GUID* aFormat)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->IsFormatSupported(aFormat);
-}
-
-HRESULT
-AudioSinkFilter::QueryPreferredFormat(GUID* aFormat)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->QueryPreferredFormat(aFormat);
-}
-
-HRESULT
-AudioSinkFilter::GetTimeFormat(GUID* aFormat)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->GetTimeFormat(aFormat);
-}
-
-HRESULT
-AudioSinkFilter::IsUsingTimeFormat(const GUID* aFormat)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->IsUsingTimeFormat(aFormat);
-}
-
-HRESULT
-AudioSinkFilter::SetTimeFormat(const GUID* aFormat)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->SetTimeFormat(aFormat);
-}
-
-HRESULT
-AudioSinkFilter::GetDuration(LONGLONG* aDuration)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->GetDuration(aDuration);
-}
-
-HRESULT
-AudioSinkFilter::GetStopPosition(LONGLONG* aStop)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->GetStopPosition(aStop);
-}
-
-HRESULT
-AudioSinkFilter::GetCurrentPosition(LONGLONG* aCurrent)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->GetCurrentPosition(aCurrent);
-}
-
-HRESULT
-AudioSinkFilter::ConvertTimeFormat(LONGLONG* aTarget,
-                                   const GUID* aTargetFormat,
-                                   LONGLONG aSource,
-                                   const GUID* aSourceFormat)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->ConvertTimeFormat(aTarget,
-                                       aTargetFormat,
-                                       aSource,
-                                       aSourceFormat);
-}
-
-HRESULT
-AudioSinkFilter::SetPositions(LONGLONG* aCurrent,
-                              DWORD aCurrentFlags,
-                              LONGLONG* aStop,
-                              DWORD aStopFlags)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->SetPositions(aCurrent,
-                                  aCurrentFlags,
-                                  aStop,
-                                  aStopFlags);
-}
-
-HRESULT
-AudioSinkFilter::GetPositions(LONGLONG* aCurrent,
-                              LONGLONG* aStop)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->GetPositions(aCurrent, aStop);
-}
-
-HRESULT
-AudioSinkFilter::GetAvailable(LONGLONG* aEarliest,
-                              LONGLONG* aLatest)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->GetAvailable(aEarliest, aLatest);
-}
-
-HRESULT
-AudioSinkFilter::SetRate(double aRate)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->SetRate(aRate);
-}
-
-HRESULT
-AudioSinkFilter::GetRate(double* aRate)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->GetRate(aRate);
-}
-
-HRESULT
-AudioSinkFilter::GetPreroll(LONGLONG* aPreroll)
-{
-  ENSURE_CONNECTED_PIN_SEEKING
-  return pinSeeking->GetPreroll(aPreroll);
-}
-
-} // namespace mozilla
-
diff --git a/dom/media/directshow/AudioSinkFilter.h b/dom/media/directshow/AudioSinkFilter.h
deleted file mode 100644
index 85abdfccf7..0000000000
--- a/dom/media/directshow/AudioSinkFilter.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#if !defined(AudioSinkFilter_h_)
-#define AudioSinkFilter_h_
-
-#include "BaseFilter.h"
-#include "DirectShowUtils.h"
-#include "nsAutoPtr.h"
-#include "mozilla/RefPtr.h"
-
-namespace mozilla {
-
-class AudioSinkInputPin;
-class SampleSink;
-
-// Filter that acts as the end of the graph. Audio samples input into
-// this filter block the calling thread, and the calling thread is
-// unblocked when the decode thread extracts the sample. The samples
-// input into this filter are stored in the SampleSink, where the blocking
-// is implemented. The input pin owns the SampleSink.
-class AudioSinkFilter: public mozilla::media::BaseFilter,
-                       public IMediaSeeking
-{
-
-public:
-  AudioSinkFilter(const wchar_t* aObjectName, HRESULT* aOutResult);
-  virtual ~AudioSinkFilter();
-
-  // Gets the input pin's sample sink.
-  SampleSink* GetSampleSink();
-
-  // IUnknown implementation.
-  STDMETHODIMP QueryInterface(REFIID aIId, void **aInterface);
-  STDMETHODIMP_(ULONG) AddRef();
-  STDMETHODIMP_(ULONG) Release();
-
-  //  --------------------------------------------------------------------
-  //  CBaseFilter methods
-  int GetPinCount ();
-  mozilla::media::BasePin* GetPin ( IN int Index);
-  STDMETHODIMP Pause ();
-  STDMETHODIMP Stop ();
-  STDMETHODIMP GetClassID ( OUT CLSID * pCLSID);
-  STDMETHODIMP Run(REFERENCE_TIME tStart);
-  // IMediaSeeking Methods...
-
-  // We defer to SourceFilter, but we must expose the interface on
-  // the output pins. Seeking commands come upstream from the renderers,
-  // but they must be actioned at the source filters.
-  STDMETHODIMP GetCapabilities(DWORD* aCapabilities);
-  STDMETHODIMP CheckCapabilities(DWORD* aCapabilities);
-  STDMETHODIMP IsFormatSupported(const GUID* aFormat);
-  STDMETHODIMP QueryPreferredFormat(GUID* aFormat);
-  STDMETHODIMP GetTimeFormat(GUID* aFormat);
-  STDMETHODIMP IsUsingTimeFormat(const GUID* aFormat);
-  STDMETHODIMP SetTimeFormat(const GUID* aFormat);
-  STDMETHODIMP GetDuration(LONGLONG* pDuration);
-  STDMETHODIMP GetStopPosition(LONGLONG* pStop);
-  STDMETHODIMP GetCurrentPosition(LONGLONG* aCurrent);
-  STDMETHODIMP ConvertTimeFormat(LONGLONG* aTarget,
-                                 const GUID* aTargetFormat,
-                                 LONGLONG aSource,
-                                 const GUID* aSourceFormat);
-  STDMETHODIMP SetPositions(LONGLONG* aCurrent,
-                            DWORD aCurrentFlags,
-                            LONGLONG* aStop,
-                            DWORD aStopFlags);
-  STDMETHODIMP GetPositions(LONGLONG* aCurrent,
-                            LONGLONG* aStop);
-  STDMETHODIMP GetAvailable(LONGLONG* aEarliest,
-                            LONGLONG* aLatest);
-  STDMETHODIMP SetRate(double aRate);
-  STDMETHODIMP GetRate(double* aRate);
-  STDMETHODIMP GetPreroll(LONGLONG* aPreroll);
-
-  //  --------------------------------------------------------------------
-  //  class factory calls this
-  static IUnknown * CreateInstance (IN LPUNKNOWN punk, OUT HRESULT * phr);
-
-private:
-  CriticalSection mFilterCritSec;
-
-  // Note: The input pin defers its refcounting to the sink filter, so when
-  // the input pin is addrefed, what actually happens is the sink filter is
-  // addrefed.
-  nsAutoPtr<AudioSinkInputPin> mInputPin;
-};
-
-} // namespace mozilla
-
-#endif // AudioSinkFilter_h_
diff --git a/dom/media/directshow/AudioSinkInputPin.cpp b/dom/media/directshow/AudioSinkInputPin.cpp
deleted file mode 100644
index 85a6e3da3e..0000000000
--- a/dom/media/directshow/AudioSinkInputPin.cpp
+++ /dev/null
@@ -1,195 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "AudioSinkInputPin.h"
-#include "AudioSinkFilter.h"
-#include "SampleSink.h"
-#include "mozilla/Logging.h"
-
-#include <wmsdkidl.h>
-
-using namespace mozilla::media;
-
-namespace mozilla {
-
-static LazyLogModule gDirectShowLog("DirectShowDecoder");
-#define LOG(...) MOZ_LOG(gDirectShowLog, mozilla::LogLevel::Debug, (__VA_ARGS__))
-
-AudioSinkInputPin::AudioSinkInputPin(wchar_t* aObjectName,
-                                     AudioSinkFilter* aFilter,
-                                     mozilla::CriticalSection* aLock,
-                                     HRESULT* aOutResult)
-  : BaseInputPin(aObjectName, aFilter, aLock, aOutResult, aObjectName),
-    mSegmentStartTime(0)
-{
-  MOZ_COUNT_CTOR(AudioSinkInputPin);
-  mSampleSink = new SampleSink();
-}
-
-AudioSinkInputPin::~AudioSinkInputPin()
-{
-  MOZ_COUNT_DTOR(AudioSinkInputPin);
-}
-
-HRESULT
-AudioSinkInputPin::GetMediaType(int aPosition, MediaType* aOutMediaType)
-{
-  NS_ENSURE_TRUE(aPosition >= 0, E_INVALIDARG);
-  NS_ENSURE_TRUE(aOutMediaType, E_POINTER);
-
-  if (aPosition > 0) {
-    return S_FALSE;
-  }
-
-  // Note: We set output as PCM, as IEEE_FLOAT only works when using the
-  // MP3 decoder as an MFT, and we can't do that while using DirectShow.
-  aOutMediaType->SetType(&MEDIATYPE_Audio);
-  aOutMediaType->SetSubtype(&MEDIASUBTYPE_PCM);
-  aOutMediaType->SetType(&FORMAT_WaveFormatEx);
-  aOutMediaType->SetTemporalCompression(FALSE);
-
-  return S_OK;
-}
-
-HRESULT
-AudioSinkInputPin::CheckMediaType(const MediaType* aMediaType)
-{
-  if (!aMediaType) {
-    return E_INVALIDARG;
-  }
-
-  GUID majorType = *aMediaType->Type();
-  if (majorType != MEDIATYPE_Audio && majorType != WMMEDIATYPE_Audio) {
-    return E_INVALIDARG;
-  }
-
-  if (*aMediaType->Subtype() != MEDIASUBTYPE_PCM) {
-    return E_INVALIDARG;
-  }
-
-  if (*aMediaType->FormatType() != FORMAT_WaveFormatEx) {
-    return E_INVALIDARG;
-  }
-
-  // We accept the media type, stash its layout format!
-  WAVEFORMATEX* wfx = (WAVEFORMATEX*)(aMediaType->pbFormat);
-  GetSampleSink()->SetAudioFormat(wfx);
-
-  return S_OK;
-}
-
-AudioSinkFilter*
-AudioSinkInputPin::GetAudioSinkFilter()
-{
-  return reinterpret_cast<AudioSinkFilter*>(mFilter);
-}
-
-SampleSink*
-AudioSinkInputPin::GetSampleSink()
-{
-  return mSampleSink;
-}
-
-HRESULT
-AudioSinkInputPin::SetAbsoluteMediaTime(IMediaSample* aSample)
-{
-  HRESULT hr;
-  REFERENCE_TIME start = 0, end = 0;
-  hr = aSample->GetTime(&start, &end);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), E_FAIL);
-  {
-    CriticalSectionAutoEnter lock(*mLock);
-    start += mSegmentStartTime;
-    end += mSegmentStartTime;
-  }
-  hr = aSample->SetMediaTime(&start, &end);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), E_FAIL);
-  return S_OK;
-}
-
-HRESULT
-AudioSinkInputPin::Receive(IMediaSample* aSample )
-{
-  HRESULT hr;
-  NS_ENSURE_TRUE(aSample, E_POINTER);
-
-  hr = BaseInputPin::Receive(aSample);
-  if (SUCCEEDED(hr) && hr != S_FALSE) { // S_FALSE == flushing
-    // Set the timestamp of the sample after being adjusted for
-    // seeking/segments in the "media time" attribute. When we seek,
-    // DirectShow starts a new "segment", and starts labeling samples
-    // from time=0 again, so we need to correct for this to get the
-    // actual timestamps after seeking.
-    hr = SetAbsoluteMediaTime(aSample);
-    NS_ENSURE_TRUE(SUCCEEDED(hr), hr);
-    hr = GetSampleSink()->Receive(aSample);
-    NS_ENSURE_TRUE(SUCCEEDED(hr), hr);
-  }
-  return S_OK;
-}
-
-already_AddRefed<IMediaSeeking>
-AudioSinkInputPin::GetConnectedPinSeeking()
-{
-  RefPtr<IPin> peer = GetConnected();
-  if (!peer)
-    return nullptr;
-  RefPtr<IMediaSeeking> seeking;
-  peer->QueryInterface(static_cast<IMediaSeeking**>(getter_AddRefs(seeking)));
-  return seeking.forget();
-}
-
-HRESULT
-AudioSinkInputPin::BeginFlush()
-{
-  HRESULT hr = media::BaseInputPin::BeginFlush();
-  NS_ENSURE_TRUE(SUCCEEDED(hr), hr);
-
-  GetSampleSink()->Flush();
-
-  return S_OK;
-}
-
-HRESULT
-AudioSinkInputPin::EndFlush()
-{
-  HRESULT hr = media::BaseInputPin::EndFlush();
-  NS_ENSURE_TRUE(SUCCEEDED(hr), hr);
-
-  // Reset the EOS flag, so that if we're called after a seek we still work.
-  GetSampleSink()->Reset();
-
-  return S_OK;
-}
-
-HRESULT
-AudioSinkInputPin::EndOfStream(void)
-{
-  HRESULT hr = media::BaseInputPin::EndOfStream();
-  if (FAILED(hr) || hr == S_FALSE) {
-    // Pin is stil flushing.
-    return hr;
-  }
-  GetSampleSink()->SetEOS();
-
-  return S_OK;
-}
-
-
-HRESULT
-AudioSinkInputPin::NewSegment(REFERENCE_TIME tStart,
-                              REFERENCE_TIME tStop,
-                              double dRate)
-{
-  CriticalSectionAutoEnter lock(*mLock);
-  // Record the start time of the new segment, so that we can store the
-  // correct absolute timestamp in the "media time" each incoming sample.
-  mSegmentStartTime = tStart;
-  return S_OK;
-}
-
-} // namespace mozilla
-
diff --git a/dom/media/directshow/AudioSinkInputPin.h b/dom/media/directshow/AudioSinkInputPin.h
deleted file mode 100644
index 80503c641e..0000000000
--- a/dom/media/directshow/AudioSinkInputPin.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#if !defined(AudioSinkInputPin_h_)
-#define AudioSinkInputPin_h_
-
-#include "BaseInputPin.h"
-#include "DirectShowUtils.h"
-#include "mozilla/RefPtr.h"
-#include "nsAutoPtr.h"
-
-namespace mozilla {
-
-namespace media {
-  class MediaType;
-}
-
-class AudioSinkFilter;
-class SampleSink;
-
-
-// Input pin for capturing audio output of a DirectShow filter graph.
-// This is the input pin for the AudioSinkFilter.
-class AudioSinkInputPin: public mozilla::media::BaseInputPin
-{
-public:
-  AudioSinkInputPin(wchar_t* aObjectName,
-                    AudioSinkFilter* aFilter,
-                    mozilla::CriticalSection* aLock,
-                    HRESULT* aOutResult);
-  virtual ~AudioSinkInputPin();
-
-  HRESULT GetMediaType (IN int iPos, OUT mozilla::media::MediaType * pmt);
-  HRESULT CheckMediaType (IN const mozilla::media::MediaType * pmt);
-  STDMETHODIMP Receive (IN IMediaSample *);
-  STDMETHODIMP BeginFlush() override;
-  STDMETHODIMP EndFlush() override;
-
-  // Called when we start decoding a new segment, that happens directly after
-  // a seek. This captures the segment's start time. Samples decoded by the
-  // MP3 decoder have their timestamps offset from the segment start time.
-  // Storing the segment start time enables us to set each sample's MediaTime
-  // as an offset in the stream relative to the start of the stream, rather
-  // than the start of the segment, i.e. its absolute time in the stream.
-  STDMETHODIMP NewSegment(REFERENCE_TIME tStart,
-                          REFERENCE_TIME tStop,
-                          double dRate) override;
-
-  STDMETHODIMP EndOfStream() override;
-
-  // Returns the IMediaSeeking interface of the connected output pin.
-  // We forward seeking requests upstream from the sink to the source
-  // filters.
-  already_AddRefed<IMediaSeeking> GetConnectedPinSeeking();
-
-  SampleSink* GetSampleSink();
-
-private:
-  AudioSinkFilter* GetAudioSinkFilter();
-
-  // Sets the media time on the media sample, relative to the segment
-  // start time.
-  HRESULT SetAbsoluteMediaTime(IMediaSample* aSample);
-
-  nsAutoPtr<SampleSink> mSampleSink;
-
-  // Synchronized by the filter lock; BaseInputPin::mLock.
-  REFERENCE_TIME mSegmentStartTime;
-};
-
-} // namespace mozilla
-
-#endif // AudioSinkInputPin_h_
diff --git a/dom/media/directshow/DirectShowDecoder.cpp b/dom/media/directshow/DirectShowDecoder.cpp
deleted file mode 100644
index da68b4daa1..0000000000
--- a/dom/media/directshow/DirectShowDecoder.cpp
+++ /dev/null
@@ -1,65 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "DirectShowDecoder.h"
-#include "DirectShowReader.h"
-#include "DirectShowUtils.h"
-#include "MediaDecoderStateMachine.h"
-#include "mozilla/Preferences.h"
-#include "mozilla/WindowsVersion.h"
-
-namespace mozilla {
-
-MediaDecoderStateMachine* DirectShowDecoder::CreateStateMachine()
-{
-  return new MediaDecoderStateMachine(this, new DirectShowReader(this));
-}
-
-/* static */
-bool
-DirectShowDecoder::GetSupportedCodecs(const nsACString& aType,
-                                      char const *const ** aCodecList)
-{
-  if (!IsEnabled()) {
-    return false;
-  }
-
-  static char const *const mp3AudioCodecs[] = {
-    "mp3",
-    nullptr
-  };
-  if (aType.EqualsASCII("audio/mpeg") ||
-      aType.EqualsASCII("audio/mp3")) {
-    if (aCodecList) {
-      *aCodecList = mp3AudioCodecs;
-    }
-    return true;
-  }
-
-  return false;
-}
-
-/* static */
-bool
-DirectShowDecoder::IsEnabled()
-{
-  return CanDecodeMP3UsingDirectShow() &&
-         Preferences::GetBool("media.directshow.enabled");
-}
-
-DirectShowDecoder::DirectShowDecoder(MediaDecoderOwner* aOwner)
-  : MediaDecoder(aOwner)
-{
-  MOZ_COUNT_CTOR(DirectShowDecoder);
-}
-
-DirectShowDecoder::~DirectShowDecoder()
-{
-  MOZ_COUNT_DTOR(DirectShowDecoder);
-}
-
-} // namespace mozilla
-
diff --git a/dom/media/directshow/DirectShowDecoder.h b/dom/media/directshow/DirectShowDecoder.h
deleted file mode 100644
index c4d371fbf6..0000000000
--- a/dom/media/directshow/DirectShowDecoder.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#if !defined(DirectShowDecoder_h_)
-#define DirectShowDecoder_h_
-
-#include "MediaDecoder.h"
-
-namespace mozilla {
-
-// Decoder that uses DirectShow to playback MP3 files only.
-class DirectShowDecoder : public MediaDecoder
-{
-public:
-
-  explicit DirectShowDecoder(MediaDecoderOwner* aOwner);
-  virtual ~DirectShowDecoder();
-
-  MediaDecoder* Clone(MediaDecoderOwner* aOwner) override {
-    if (!IsEnabled()) {
-      return nullptr;
-    }
-    return new DirectShowDecoder(aOwner);
-  }
-
-  MediaDecoderStateMachine* CreateStateMachine() override;
-
-  // Returns true if aType is a MIME type that we render with the
-  // DirectShow backend. If aCodecList is non null,
-  // it is filled with a (static const) null-terminated list of strings
-  // denoting the codecs we'll playback. Note that playback is strictly
-  // limited to MP3 only.
-  static bool GetSupportedCodecs(const nsACString& aType,
-                                 char const *const ** aCodecList);
-
-  // Returns true if the DirectShow backend is preffed on.
-  static bool IsEnabled();
-};
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/directshow/DirectShowReader.cpp b/dom/media/directshow/DirectShowReader.cpp
deleted file mode 100644
index cacf6f8de8..0000000000
--- a/dom/media/directshow/DirectShowReader.cpp
+++ /dev/null
@@ -1,360 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "DirectShowReader.h"
-#include "MediaDecoderReader.h"
-#include "mozilla/RefPtr.h"
-#include "DirectShowUtils.h"
-#include "AudioSinkFilter.h"
-#include "SourceFilter.h"
-#include "SampleSink.h"
-#include "VideoUtils.h"
-
-using namespace mozilla::media;
-
-namespace mozilla {
-
-// Windows XP's MP3 decoder filter. This is available on XP only, on Vista
-// and later we can use the DMO Wrapper filter and MP3 decoder DMO.
-const GUID DirectShowReader::CLSID_MPEG_LAYER_3_DECODER_FILTER =
-{ 0x38BE3000, 0xDBF4, 0x11D0, {0x86, 0x0E, 0x00, 0xA0, 0x24, 0xCF, 0xEF, 0x6D} };
-
-
-static LazyLogModule gDirectShowLog("DirectShowDecoder");
-#define LOG(...) MOZ_LOG(gDirectShowLog, mozilla::LogLevel::Debug, (__VA_ARGS__))
-
-DirectShowReader::DirectShowReader(AbstractMediaDecoder* aDecoder)
-  : MediaDecoderReader(aDecoder),
-    mMP3FrameParser(aDecoder->GetResource()->GetLength()),
-#ifdef DIRECTSHOW_REGISTER_GRAPH
-    mRotRegister(0),
-#endif
-    mNumChannels(0),
-    mAudioRate(0),
-    mBytesPerSample(0)
-{
-  MOZ_ASSERT(NS_IsMainThread(), "Must be on main thread.");
-  MOZ_COUNT_CTOR(DirectShowReader);
-}
-
-DirectShowReader::~DirectShowReader()
-{
-  MOZ_ASSERT(NS_IsMainThread(), "Must be on main thread.");
-  MOZ_COUNT_DTOR(DirectShowReader);
-#ifdef DIRECTSHOW_REGISTER_GRAPH
-  if (mRotRegister) {
-    RemoveGraphFromRunningObjectTable(mRotRegister);
-  }
-#endif
-}
-
-// Try to parse the MP3 stream to make sure this is indeed an MP3, get the
-// estimated duration of the stream, and find the offset of the actual MP3
-// frames in the stream, as DirectShow doesn't like large ID3 sections.
-static nsresult
-ParseMP3Headers(MP3FrameParser *aParser, MediaResource *aResource)
-{
-  const uint32_t MAX_READ_SIZE = 4096;
-
-  uint64_t offset = 0;
-  while (aParser->NeedsData() && !aParser->ParsedHeaders()) {
-    uint32_t bytesRead;
-    char buffer[MAX_READ_SIZE];
-    nsresult rv = aResource->ReadAt(offset, buffer,
-                                    MAX_READ_SIZE, &bytesRead);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    if (!bytesRead) {
-      // End of stream.
-      return NS_ERROR_FAILURE;
-    }
-
-    aParser->Parse(reinterpret_cast<uint8_t*>(buffer), bytesRead, offset);
-    offset += bytesRead;
-  }
-
-  return aParser->IsMP3() ? NS_OK : NS_ERROR_FAILURE;
-}
-
-nsresult
-DirectShowReader::ReadMetadata(MediaInfo* aInfo,
-                               MetadataTags** aTags)
-{
-  MOZ_ASSERT(OnTaskQueue());
-  HRESULT hr;
-  nsresult rv;
-
-  // Create the filter graph, reference it by the GraphBuilder interface,
-  // to make graph building more convenient.
-  hr = CoCreateInstance(CLSID_FilterGraph,
-                        nullptr,
-                        CLSCTX_INPROC_SERVER,
-                        IID_IGraphBuilder,
-                        reinterpret_cast<void**>(static_cast<IGraphBuilder**>(getter_AddRefs(mGraph))));
-  NS_ENSURE_TRUE(SUCCEEDED(hr) && mGraph, NS_ERROR_FAILURE);
-
-  rv = ParseMP3Headers(&mMP3FrameParser, mDecoder->GetResource());
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  #ifdef DIRECTSHOW_REGISTER_GRAPH
-  hr = AddGraphToRunningObjectTable(mGraph, &mRotRegister);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-  #endif
-
-  // Extract the interface pointers we'll need from the filter graph.
-  hr = mGraph->QueryInterface(static_cast<IMediaControl**>(getter_AddRefs(mControl)));
-  NS_ENSURE_TRUE(SUCCEEDED(hr) && mControl, NS_ERROR_FAILURE);
-
-  hr = mGraph->QueryInterface(static_cast<IMediaSeeking**>(getter_AddRefs(mMediaSeeking)));
-  NS_ENSURE_TRUE(SUCCEEDED(hr) && mMediaSeeking, NS_ERROR_FAILURE);
-
-  // Build the graph. Create the filters we need, and connect them. We
-  // build the entire graph ourselves to prevent other decoders installed
-  // on the system being created and used.
-
-  // Our source filters, wraps the MediaResource.
-  mSourceFilter = new SourceFilter(MEDIATYPE_Stream, MEDIASUBTYPE_MPEG1Audio);
-  NS_ENSURE_TRUE(mSourceFilter, NS_ERROR_FAILURE);
-
-  rv = mSourceFilter->Init(mDecoder->GetResource(), mMP3FrameParser.GetMP3Offset());
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  hr = mGraph->AddFilter(mSourceFilter, L"MozillaDirectShowSource");
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  // The MPEG demuxer.
-  RefPtr<IBaseFilter> demuxer;
-  hr = CreateAndAddFilter(mGraph,
-                          CLSID_MPEG1Splitter,
-                          L"MPEG1Splitter",
-                          getter_AddRefs(demuxer));
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  // Platform MP3 decoder.
-  RefPtr<IBaseFilter> decoder;
-  // Firstly try to create the MP3 decoder filter that ships with WinXP
-  // directly. This filter doesn't normally exist on later versions of
-  // Windows.
-  hr = CreateAndAddFilter(mGraph,
-                          CLSID_MPEG_LAYER_3_DECODER_FILTER,
-                          L"MPEG Layer 3 Decoder",
-                          getter_AddRefs(decoder));
-  if (FAILED(hr)) {
-    // Failed to create MP3 decoder filter. Try to instantiate
-    // the MP3 decoder DMO.
-    hr = AddMP3DMOWrapperFilter(mGraph, getter_AddRefs(decoder));
-    NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-  }
-
-  // Sink, captures audio samples and inserts them into our pipeline.
-  static const wchar_t* AudioSinkFilterName = L"MozAudioSinkFilter";
-  mAudioSinkFilter = new AudioSinkFilter(AudioSinkFilterName, &hr);
-  NS_ENSURE_TRUE(mAudioSinkFilter && SUCCEEDED(hr), NS_ERROR_FAILURE);
-  hr = mGraph->AddFilter(mAudioSinkFilter, AudioSinkFilterName);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  // Join the filters.
-  hr = ConnectFilters(mGraph, mSourceFilter, demuxer);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  hr = ConnectFilters(mGraph, demuxer, decoder);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  hr = ConnectFilters(mGraph, decoder, mAudioSinkFilter);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  WAVEFORMATEX format;
-  mAudioSinkFilter->GetSampleSink()->GetAudioFormat(&format);
-  NS_ENSURE_TRUE(format.wFormatTag == WAVE_FORMAT_PCM, NS_ERROR_FAILURE);
-
-  mInfo.mAudio.mChannels = mNumChannels = format.nChannels;
-  mInfo.mAudio.mRate = mAudioRate = format.nSamplesPerSec;
-  mInfo.mAudio.mBitDepth = format.wBitsPerSample;
-  mBytesPerSample = format.wBitsPerSample / 8;
-
-  // Begin decoding!
-  hr = mControl->Run();
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  DWORD seekCaps = 0;
-  hr = mMediaSeeking->GetCapabilities(&seekCaps);
-  mInfo.mMediaSeekable = SUCCEEDED(hr) && (AM_SEEKING_CanSeekAbsolute & seekCaps);
-
-  int64_t duration = mMP3FrameParser.GetDuration();
-  if (SUCCEEDED(hr)) {
-    mInfo.mMetadataDuration.emplace(TimeUnit::FromMicroseconds(duration));
-  }
-
-  LOG("Successfully initialized DirectShow MP3 decoder.");
-  LOG("Channels=%u Hz=%u duration=%lld bytesPerSample=%d",
-      mInfo.mAudio.mChannels,
-      mInfo.mAudio.mRate,
-      RefTimeToUsecs(duration),
-      mBytesPerSample);
-
-  *aInfo = mInfo;
-  // Note: The SourceFilter strips ID3v2 tags out of the stream.
-  *aTags = nullptr;
-
-  return NS_OK;
-}
-
-inline float
-UnsignedByteToAudioSample(uint8_t aValue)
-{
-  return aValue * (2.0f / UINT8_MAX) - 1.0f;
-}
-
-bool
-DirectShowReader::Finish(HRESULT aStatus)
-{
-  MOZ_ASSERT(OnTaskQueue());
-
-  LOG("DirectShowReader::Finish(0x%x)", aStatus);
-  // Notify the filter graph of end of stream.
-  RefPtr<IMediaEventSink> eventSink;
-  HRESULT hr = mGraph->QueryInterface(static_cast<IMediaEventSink**>(getter_AddRefs(eventSink)));
-  if (SUCCEEDED(hr) && eventSink) {
-    eventSink->Notify(EC_COMPLETE, aStatus, 0);
-  }
-  return false;
-}
-
-class DirectShowCopy
-{
-public:
-  DirectShowCopy(uint8_t *aSource, uint32_t aBytesPerSample,
-                 uint32_t aSamples, uint32_t aChannels)
-    : mSource(aSource)
-    , mBytesPerSample(aBytesPerSample)
-    , mSamples(aSamples)
-    , mChannels(aChannels)
-    , mNextSample(0)
-  { }
-
-  uint32_t operator()(AudioDataValue *aBuffer, uint32_t aSamples)
-  {
-    uint32_t maxSamples = std::min(aSamples, mSamples - mNextSample);
-    uint32_t frames = maxSamples / mChannels;
-    size_t byteOffset = mNextSample * mBytesPerSample;
-    if (mBytesPerSample == 1) {
-      for (uint32_t i = 0; i < maxSamples; ++i) {
-        uint8_t *sample = mSource + byteOffset;
-        aBuffer[i] = UnsignedByteToAudioSample(*sample);
-        byteOffset += mBytesPerSample;
-      }
-    } else if (mBytesPerSample == 2) {
-      for (uint32_t i = 0; i < maxSamples; ++i) {
-        int16_t *sample = reinterpret_cast<int16_t *>(mSource + byteOffset);
-        aBuffer[i] = AudioSampleToFloat(*sample);
-        byteOffset += mBytesPerSample;
-      }
-    }
-    mNextSample += maxSamples;
-    return frames;
-  }
-
-private:
-  uint8_t * const mSource;
-  const uint32_t mBytesPerSample;
-  const uint32_t mSamples;
-  const uint32_t mChannels;
-  uint32_t mNextSample;
-};
-
-bool
-DirectShowReader::DecodeAudioData()
-{
-  MOZ_ASSERT(OnTaskQueue());
-  HRESULT hr;
-
-  SampleSink* sink = mAudioSinkFilter->GetSampleSink();
-  if (sink->AtEOS()) {
-    // End of stream.
-    return Finish(S_OK);
-  }
-
-  // Get the next chunk of audio samples. This blocks until the sample
-  // arrives, or an error occurs (like the stream is shutdown).
-  RefPtr<IMediaSample> sample;
-  hr = sink->Extract(sample);
-  if (FAILED(hr) || hr == S_FALSE) {
-    return Finish(hr);
-  }
-
-  int64_t start = 0, end = 0;
-  sample->GetMediaTime(&start, &end);
-  LOG("DirectShowReader::DecodeAudioData [%4.2lf-%4.2lf]",
-      RefTimeToSeconds(start),
-      RefTimeToSeconds(end));
-
-  LONG length = sample->GetActualDataLength();
-  LONG numSamples = length / mBytesPerSample;
-  LONG numFrames = length / mBytesPerSample / mNumChannels;
-
-  BYTE* data = nullptr;
-  hr = sample->GetPointer(&data);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), Finish(hr));
-
-  mAudioCompactor.Push(mDecoder->GetResource()->Tell(),
-                       RefTimeToUsecs(start),
-                       mInfo.mAudio.mRate,
-                       numFrames,
-                       mNumChannels,
-                       DirectShowCopy(reinterpret_cast<uint8_t *>(data),
-                                      mBytesPerSample,
-                                      numSamples,
-                                      mNumChannels));
-  return true;
-}
-
-bool
-DirectShowReader::DecodeVideoFrame(bool &aKeyframeSkip,
-                                   int64_t aTimeThreshold)
-{
-  MOZ_ASSERT(OnTaskQueue());
-  return false;
-}
-
-RefPtr<MediaDecoderReader::SeekPromise>
-DirectShowReader::Seek(SeekTarget aTarget, int64_t aEndTime)
-{
-  nsresult res = SeekInternal(aTarget.GetTime().ToMicroseconds());
-  if (NS_FAILED(res)) {
-    return SeekPromise::CreateAndReject(res, __func__);
-  } else {
-    return SeekPromise::CreateAndResolve(aTarget.GetTime(), __func__);
-  }
-}
-
-nsresult
-DirectShowReader::SeekInternal(int64_t aTargetUs)
-{
-  HRESULT hr;
-  MOZ_ASSERT(OnTaskQueue());
-
-  LOG("DirectShowReader::Seek() target=%lld", aTargetUs);
-
-  hr = mControl->Pause();
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  nsresult rv = ResetDecode();
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  LONGLONG seekPosition = UsecsToRefTime(aTargetUs);
-  hr = mMediaSeeking->SetPositions(&seekPosition,
-                                   AM_SEEKING_AbsolutePositioning,
-                                   nullptr,
-                                   AM_SEEKING_NoPositioning);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  hr = mControl->Run();
-  NS_ENSURE_TRUE(SUCCEEDED(hr), NS_ERROR_FAILURE);
-
-  return NS_OK;
-}
-
-} // namespace mozilla
diff --git a/dom/media/directshow/DirectShowReader.h b/dom/media/directshow/DirectShowReader.h
deleted file mode 100644
index e1326d416e..0000000000
--- a/dom/media/directshow/DirectShowReader.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#if !defined(DirectShowReader_h_)
-#define DirectShowReader_h_
-
-#include "windows.h" // HRESULT, DWORD
-#include "MediaDecoderReader.h"
-#include "MediaResource.h"
-#include "mozilla/RefPtr.h"
-#include "MP3FrameParser.h"
-
-// Add the graph to the Running Object Table so that we can connect
-// to this graph with GraphEdit/GraphStudio. Note: on Vista and up you must
-// also regsvr32 proppage.dll from the Windows SDK.
-// See: http://msdn.microsoft.com/en-us/library/ms787252(VS.85).aspx
-// #define DIRECTSHOW_REGISTER_GRAPH
-
-struct IGraphBuilder;
-struct IMediaControl;
-struct IMediaSeeking;
-
-namespace mozilla {
-
-class AudioSinkFilter;
-class SourceFilter;
-
-// Decoder backend for decoding MP3 using DirectShow. DirectShow operates as
-// a filter graph. The basic design of the DirectShowReader is that we have
-// a SourceFilter that wraps the MediaResource that connects to the
-// MP3 decoder filter. The MP3 decoder filter "pulls" data as it requires it
-// downstream on its own thread. When the MP3 decoder has produced a block of
-// decoded samples, its thread calls downstream into our AudioSinkFilter,
-// passing the decoded buffer in. The AudioSinkFilter inserts the samples into
-// a SampleSink object. The SampleSink blocks the MP3 decoder's thread until
-// the decode thread calls DecodeAudioData(), whereupon the SampleSink
-// releases the decoded samples to the decode thread, and unblocks the MP3
-// decoder's thread. The MP3 decoder can then request more data from the
-// SourceFilter, and decode more data. If the decode thread calls
-// DecodeAudioData() and there's no decoded samples waiting to be extracted
-// in the SampleSink, the SampleSink blocks the decode thread until the MP3
-// decoder produces a decoded sample.
-class DirectShowReader : public MediaDecoderReader
-{
-public:
-  DirectShowReader(AbstractMediaDecoder* aDecoder);
-
-  virtual ~DirectShowReader();
-
-  bool DecodeAudioData() override;
-  bool DecodeVideoFrame(bool &aKeyframeSkip,
-                        int64_t aTimeThreshold) override;
-
-  nsresult ReadMetadata(MediaInfo* aInfo,
-                        MetadataTags** aTags) override;
-
-  RefPtr<SeekPromise>
-  Seek(SeekTarget aTarget, int64_t aEndTime) override;
-
-  static const GUID CLSID_MPEG_LAYER_3_DECODER_FILTER;
-
-private:
-  // Notifies the filter graph that playback is complete. aStatus is
-  // the code to send to the filter graph. Always returns false, so
-  // that we can just "return Finish()" from DecodeAudioData().
-  bool Finish(HRESULT aStatus);
-
-  nsresult SeekInternal(int64_t aTime);
-
-  // DirectShow filter graph, and associated playback and seeking
-  // control interfaces.
-  RefPtr<IGraphBuilder> mGraph;
-  RefPtr<IMediaControl> mControl;
-  RefPtr<IMediaSeeking> mMediaSeeking;
-
-  // Wraps the MediaResource, and feeds undecoded data into the filter graph.
-  RefPtr<SourceFilter> mSourceFilter;
-
-  // Sits at the end of the graph, removing decoded samples from the graph.
-  // The graph will block while this is blocked, i.e. it will pause decoding.
-  RefPtr<AudioSinkFilter> mAudioSinkFilter;
-
-  // Some MP3s are variable bitrate, so DirectShow's duration estimation
-  // can make its duration estimation based on the wrong bitrate. So we parse
-  // the MP3 frames to get a more accuate estimate of the duration.
-  MP3FrameParser mMP3FrameParser;
-
-#ifdef DIRECTSHOW_REGISTER_GRAPH
-  // Used to add/remove the filter graph to the Running Object Table. You can
-  // connect GraphEdit/GraphStudio to the graph to observe and/or debug its
-  // topology and state.
-  DWORD mRotRegister;
-#endif
-
-  // Number of channels in the audio stream.
-  uint32_t mNumChannels;
-
-  // Samples per second in the audio stream.
-  uint32_t mAudioRate;
-
-  // Number of bytes per sample. Can be either 1 or 2.
-  uint32_t mBytesPerSample;
-};
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/directshow/DirectShowUtils.cpp b/dom/media/directshow/DirectShowUtils.cpp
deleted file mode 100644
index b2afa7528c..0000000000
--- a/dom/media/directshow/DirectShowUtils.cpp
+++ /dev/null
@@ -1,369 +0,0 @@
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "DirectShowUtils.h"
-#include "dmodshow.h"
-#include "wmcodecdsp.h"
-#include "dmoreg.h"
-#include "mozilla/ArrayUtils.h"
-#include "mozilla/RefPtr.h"
-#include "nsPrintfCString.h"
-
-#define WARN(...) NS_WARNING(nsPrintfCString(__VA_ARGS__).get())
-
-namespace mozilla {
-
-// Create a table which maps GUIDs to a string representation of the GUID.
-// This is useful for debugging purposes, for logging the GUIDs of media types.
-// This is only available when logging is enabled, i.e. not in release builds.
-struct GuidToName {
-  const char* name;
-  const GUID guid;
-};
-
-#pragma push_macro("OUR_GUID_ENTRY")
-#undef OUR_GUID_ENTRY
-#define OUR_GUID_ENTRY(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
-  { #name, {l, w1, w2, {b1, b2, b3, b4, b5, b6, b7, b8}} },
-
-static const GuidToName GuidToNameTable[] = {
-#include <uuids.h>
-};
-
-#pragma pop_macro("OUR_GUID_ENTRY")
-
-const char*
-GetDirectShowGuidName(const GUID& aGuid)
-{
-  const size_t len = ArrayLength(GuidToNameTable);
-  for (unsigned i = 0; i < len; i++) {
-    if (IsEqualGUID(aGuid, GuidToNameTable[i].guid)) {
-      return GuidToNameTable[i].name;
-    }
-  }
-  return "Unknown";
-}
-
-void
-RemoveGraphFromRunningObjectTable(DWORD aRotRegister)
-{
-  RefPtr<IRunningObjectTable> runningObjectTable;
-  if (SUCCEEDED(GetRunningObjectTable(0, getter_AddRefs(runningObjectTable)))) {
-    runningObjectTable->Revoke(aRotRegister);
-  }
-}
-
-HRESULT
-AddGraphToRunningObjectTable(IUnknown *aUnkGraph, DWORD *aOutRotRegister)
-{
-  HRESULT hr;
-
-  RefPtr<IMoniker> moniker;
-  RefPtr<IRunningObjectTable> runningObjectTable;
-
-  hr = GetRunningObjectTable(0, getter_AddRefs(runningObjectTable));
-  NS_ENSURE_TRUE(SUCCEEDED(hr), hr);
-
-  const size_t STRING_LENGTH = 256;
-  WCHAR wsz[STRING_LENGTH];
-
-  StringCchPrintfW(wsz,
-                   STRING_LENGTH,
-                   L"FilterGraph %08x pid %08x",
-                   (DWORD_PTR)aUnkGraph,
-                   GetCurrentProcessId());
-
-  hr = CreateItemMoniker(L"!", wsz, getter_AddRefs(moniker));
-  NS_ENSURE_TRUE(SUCCEEDED(hr), hr);
-
-  hr = runningObjectTable->Register(ROTFLAGS_REGISTRATIONKEEPSALIVE,
-                                    aUnkGraph,
-                                    moniker,
-                                    aOutRotRegister);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), hr);
-
-  return S_OK;
-}
-
-const char*
-GetGraphNotifyString(long evCode)
-{
-#define CASE(x) case x: return #x
-  switch(evCode) {
-    CASE(EC_ACTIVATE); // A video window is being activated or deactivated.
-    CASE(EC_BANDWIDTHCHANGE); // Not supported.
-    CASE(EC_BUFFERING_DATA); // The graph is buffering data, or has stopped buffering data.
-    CASE(EC_BUILT); // Send by the Video Control when a graph has been built. Not forwarded to applications.
-    CASE(EC_CLOCK_CHANGED); // The reference clock has changed.
-    CASE(EC_CLOCK_UNSET); // The clock provider was disconnected.
-    CASE(EC_CODECAPI_EVENT); // Sent by an encoder to signal an encoding event.
-    CASE(EC_COMPLETE); // All data from a particular stream has been rendered.
-    CASE(EC_CONTENTPROPERTY_CHANGED); // Not supported.
-    CASE(EC_DEVICE_LOST); // A Plug and Play device was removed or has become available again.
-    CASE(EC_DISPLAY_CHANGED); // The display mode has changed.
-    CASE(EC_END_OF_SEGMENT); // The end of a segment has been reached.
-    CASE(EC_EOS_SOON); // Not supported.
-    CASE(EC_ERROR_STILLPLAYING); // An asynchronous command to run the graph has failed.
-    CASE(EC_ERRORABORT); // An operation was aborted because of an error.
-    CASE(EC_ERRORABORTEX); // An operation was aborted because of an error.
-    CASE(EC_EXTDEVICE_MODE_CHANGE); // Not supported.
-    CASE(EC_FILE_CLOSED); // The source file was closed because of an unexpected event.
-    CASE(EC_FULLSCREEN_LOST); // The video renderer is switching out of full-screen mode.
-    CASE(EC_GRAPH_CHANGED); // The filter graph has changed.
-    CASE(EC_LENGTH_CHANGED); // The length of a source has changed.
-    CASE(EC_LOADSTATUS); // Notifies the application of progress when opening a network file.
-    CASE(EC_MARKER_HIT); // Not supported.
-    CASE(EC_NEED_RESTART); // A filter is requesting that the graph be restarted.
-    CASE(EC_NEW_PIN); // Not supported.
-    CASE(EC_NOTIFY_WINDOW); // Notifies a filter of the video renderer's window.
-    CASE(EC_OLE_EVENT); // A filter is passing a text string to the application.
-    CASE(EC_OPENING_FILE); // The graph is opening a file, or has finished opening a file.
-    CASE(EC_PALETTE_CHANGED); // The video palette has changed.
-    CASE(EC_PAUSED); // A pause request has completed.
-    CASE(EC_PLEASE_REOPEN); // The source file has changed.
-    CASE(EC_PREPROCESS_COMPLETE); // Sent by the WM ASF Writer filter when it completes the pre-processing for multipass encoding.
-    CASE(EC_PROCESSING_LATENCY); // Indicates the amount of time that a component is taking to process each sample.
-    CASE(EC_QUALITY_CHANGE); // The graph is dropping samples, for quality control.
-    //CASE(EC_RENDER_FINISHED); // Not supported.
-    CASE(EC_REPAINT); // A video renderer requires a repaint.
-    CASE(EC_SAMPLE_LATENCY); // Specifies how far behind schedule a component is for processing samples.
-    //CASE(EC_SAMPLE_NEEDED); // Requests a new input sample from the Enhanced Video Renderer (EVR) filter.
-    CASE(EC_SCRUB_TIME); // Specifies the time stamp for the most recent frame step.
-    CASE(EC_SEGMENT_STARTED); // A new segment has started.
-    CASE(EC_SHUTTING_DOWN); // The filter graph is shutting down, prior to being destroyed.
-    CASE(EC_SNDDEV_IN_ERROR); // A device error has occurred in an audio capture filter.
-    CASE(EC_SNDDEV_OUT_ERROR); // A device error has occurred in an audio renderer filter.
-    CASE(EC_STARVATION); // A filter is not receiving enough data.
-    CASE(EC_STATE_CHANGE); // The filter graph has changed state.
-    CASE(EC_STATUS); // Contains two arbitrary status strings.
-    CASE(EC_STEP_COMPLETE); // A filter performing frame stepping has stepped the specified number of frames.
-    CASE(EC_STREAM_CONTROL_STARTED); // A stream-control start command has taken effect.
-    CASE(EC_STREAM_CONTROL_STOPPED); // A stream-control stop command has taken effect.
-    CASE(EC_STREAM_ERROR_STILLPLAYING); // An error has occurred in a stream. The stream is still playing.
-    CASE(EC_STREAM_ERROR_STOPPED); // A stream has stopped because of an error.
-    CASE(EC_TIMECODE_AVAILABLE); // Not supported.
-    CASE(EC_UNBUILT); // Send by the Video Control when a graph has been torn down. Not forwarded to applications.
-    CASE(EC_USERABORT); // The user has terminated playback.
-    CASE(EC_VIDEO_SIZE_CHANGED); // The native video size has changed.
-    CASE(EC_VIDEOFRAMEREADY); // A video frame is ready for display.
-    CASE(EC_VMR_RECONNECTION_FAILED); // Sent by the VMR-7 and the VMR-9 when it was unable to accept a dynamic format change request from the upstream decoder.
-    CASE(EC_VMR_RENDERDEVICE_SET); // Sent when the VMR has selected its rendering mechanism.
-    CASE(EC_VMR_SURFACE_FLIPPED); // Sent when the VMR-7's allocator presenter has called the DirectDraw Flip method on the surface being presented.
-    CASE(EC_WINDOW_DESTROYED); // The video renderer was destroyed or removed from the graph.
-    CASE(EC_WMT_EVENT); // Sent by the WM ASF Reader filter when it reads ASF files protected by digital rights management (DRM).
-    CASE(EC_WMT_INDEX_EVENT); // Sent when an application uses the WM ASF Writer to index Windows Media Video files.
-    CASE(S_OK); // Success.
-    CASE(VFW_S_AUDIO_NOT_RENDERED); // Partial success; the audio was not rendered.
-    CASE(VFW_S_DUPLICATE_NAME); // Success; the Filter Graph Manager modified a filter name to avoid duplication.
-    CASE(VFW_S_PARTIAL_RENDER); // Partial success; some of the streams in this movie are in an unsupported format.
-    CASE(VFW_S_VIDEO_NOT_RENDERED); // Partial success; the video was not rendered.
-    CASE(E_ABORT); // Operation aborted.
-    CASE(E_OUTOFMEMORY); // Insufficient memory.
-    CASE(E_POINTER); // Null pointer argument.
-    CASE(VFW_E_CANNOT_CONNECT); // No combination of intermediate filters could be found to make the connection.
-    CASE(VFW_E_CANNOT_RENDER); // No combination of filters could be found to render the stream.
-    CASE(VFW_E_NO_ACCEPTABLE_TYPES); // There is no common media type between these pins.
-    CASE(VFW_E_NOT_IN_GRAPH);
-
-    default:
-      return "Unknown Code";
-  };
-#undef CASE
-}
-
-HRESULT
-CreateAndAddFilter(IGraphBuilder* aGraph,
-                   REFGUID aFilterClsId,
-                   LPCWSTR aFilterName,
-                   IBaseFilter **aOutFilter)
-{
-  NS_ENSURE_TRUE(aGraph, E_POINTER);
-  NS_ENSURE_TRUE(aOutFilter, E_POINTER);
-  HRESULT hr;
-
-  RefPtr<IBaseFilter> filter;
-  hr = CoCreateInstance(aFilterClsId,
-                        nullptr,
-                        CLSCTX_INPROC_SERVER,
-                        IID_IBaseFilter,
-                        getter_AddRefs(filter));
-  if (FAILED(hr)) {
-    // Object probably not available on this system.
-    WARN("CoCreateInstance failed, hr=%x", hr);
-    return hr;
-  }
-
-  hr = aGraph->AddFilter(filter, aFilterName);
-  if (FAILED(hr)) {
-    WARN("AddFilter failed, hr=%x", hr);
-    return hr;
-  }
-
-  filter.forget(aOutFilter);
-
-  return S_OK;
-}
-
-HRESULT
-CreateMP3DMOWrapperFilter(IBaseFilter **aOutFilter)
-{
-  NS_ENSURE_TRUE(aOutFilter, E_POINTER);
-  HRESULT hr;
-
-  // Create the wrapper filter.
-  RefPtr<IBaseFilter> filter;
-  hr = CoCreateInstance(CLSID_DMOWrapperFilter,
-                        nullptr,
-                        CLSCTX_INPROC_SERVER,
-                        IID_IBaseFilter,
-                        getter_AddRefs(filter));
-  if (FAILED(hr)) {
-    WARN("CoCreateInstance failed, hr=%x", hr);
-    return hr;
-  }
-
-  // Query for IDMOWrapperFilter.
-  RefPtr<IDMOWrapperFilter> dmoWrapper;
-  hr = filter->QueryInterface(IID_IDMOWrapperFilter,
-                              getter_AddRefs(dmoWrapper));
-  if (FAILED(hr)) {
-    WARN("QueryInterface failed, hr=%x", hr);
-    return hr;
-  }
-
-  hr = dmoWrapper->Init(CLSID_CMP3DecMediaObject, DMOCATEGORY_AUDIO_DECODER);
-  if (FAILED(hr)) {
-    // Can't instantiate MP3 DMO. It doesn't exist on Windows XP, we're
-    // probably hitting that. Don't log warning to console, this is an
-    // expected error.
-    WARN("dmoWrapper Init failed, hr=%x", hr);
-    return hr;
-  }
-
-  filter.forget(aOutFilter);
-
-  return S_OK;
-}
-
-HRESULT
-AddMP3DMOWrapperFilter(IGraphBuilder* aGraph,
-                       IBaseFilter **aOutFilter)
-{
-  NS_ENSURE_TRUE(aGraph, E_POINTER);
-  NS_ENSURE_TRUE(aOutFilter, E_POINTER);
-  HRESULT hr;
-
-  // Create the wrapper filter.
-  RefPtr<IBaseFilter> filter;
-  hr = CreateMP3DMOWrapperFilter(getter_AddRefs(filter));
-  NS_ENSURE_TRUE(SUCCEEDED(hr), hr);
-
-  // Add the wrapper filter to graph.
-  hr = aGraph->AddFilter(filter, L"MP3 Decoder DMO");
-  if (FAILED(hr)) {
-    WARN("AddFilter failed, hr=%x", hr);
-    return hr;
-  }
-
-  filter.forget(aOutFilter);
-
-  return S_OK;
-}
-
-bool
-CanDecodeMP3UsingDirectShow()
-{
-  RefPtr<IBaseFilter> filter;
-
-  // Can we create the MP3 demuxer filter?
-  if (FAILED(CoCreateInstance(CLSID_MPEG1Splitter,
-                              nullptr,
-                              CLSCTX_INPROC_SERVER,
-                              IID_IBaseFilter,
-                              getter_AddRefs(filter)))) {
-    return false;
-  }
-
-  // Can we create either the WinXP MP3 decoder filter or the MP3 DMO decoder?
-  if (FAILED(CoCreateInstance(DirectShowReader::CLSID_MPEG_LAYER_3_DECODER_FILTER,
-                              nullptr,
-                              CLSCTX_INPROC_SERVER,
-                              IID_IBaseFilter,
-                              getter_AddRefs(filter))) &&
-      FAILED(CreateMP3DMOWrapperFilter(getter_AddRefs(filter)))) {
-    return false;
-  }
-
-  // Else, we can create all of the components we need. Assume
-  // DirectShow is going to work...
-  return true;
-}
-
-// Match a pin by pin direction and connection state.
-HRESULT
-MatchUnconnectedPin(IPin* aPin,
-                    PIN_DIRECTION aPinDir,
-                    bool *aOutMatches)
-{
-  NS_ENSURE_TRUE(aPin, E_POINTER);
-  NS_ENSURE_TRUE(aOutMatches, E_POINTER);
-
-  // Ensure the pin is unconnected.
-  RefPtr<IPin> peer;
-  HRESULT hr = aPin->ConnectedTo(getter_AddRefs(peer));
-  if (hr != VFW_E_NOT_CONNECTED) {
-    *aOutMatches = false;
-    return hr;
-  }
-
-  // Ensure the pin is of the specified direction.
-  PIN_DIRECTION pinDir;
-  hr = aPin->QueryDirection(&pinDir);
-  NS_ENSURE_TRUE(SUCCEEDED(hr), hr);
-
-  *aOutMatches = (pinDir == aPinDir);
-  return S_OK;
-}
-
-// Return the first unconnected input pin or output pin.
-already_AddRefed<IPin>
-GetUnconnectedPin(IBaseFilter* aFilter, PIN_DIRECTION aPinDir)
-{
-  RefPtr<IEnumPins> enumPins;
-
-  HRESULT hr = aFilter->EnumPins(getter_AddRefs(enumPins));
-  NS_ENSURE_TRUE(SUCCEEDED(hr), nullptr);
-
-  // Test each pin to see if it matches the direction we're looking for.
-  RefPtr<IPin> pin;
-  while (S_OK == enumPins->Next(1, getter_AddRefs(pin), nullptr)) {
-    bool matches = FALSE;
-    if (SUCCEEDED(MatchUnconnectedPin(pin, aPinDir, &matches)) &&
-        matches) {
-      return pin.forget();
-    }
-  }
-
-  return nullptr;
-}
-
-HRESULT
-ConnectFilters(IGraphBuilder* aGraph,
-               IBaseFilter* aOutputFilter,
-               IBaseFilter* aInputFilter)
-{
-  RefPtr<IPin> output = GetUnconnectedPin(aOutputFilter, PINDIR_OUTPUT);
-  NS_ENSURE_TRUE(output, E_FAIL);
-
-  RefPtr<IPin> input = GetUnconnectedPin(aInputFilter, PINDIR_INPUT);
-  NS_ENSURE_TRUE(output, E_FAIL);
-
-  return aGraph->Connect(output, input);
-}
-
-} // namespace mozilla
-
-// avoid redefined macro in unified build
-#undef WARN
diff --git a/dom/media/directshow/DirectShowUtils.h b/dom/media/directshow/DirectShowUtils.h
deleted file mode 100644
index 3bbc122fc7..0000000000
--- a/dom/media/directshow/DirectShowUtils.h
+++ /dev/null
@@ -1,125 +0,0 @@
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef _DirectShowUtils_h_
-#define _DirectShowUtils_h_
-
-#include <stdint.h>
-#include "dshow.h"
-
-// XXXbz windowsx.h defines GetFirstChild, GetNextSibling,
-// GetPrevSibling are macros, apparently... Eeevil.  We have functions
-// called that on some classes, so undef them.
-#undef GetFirstChild
-#undef GetNextSibling
-#undef GetPrevSibling
-
-#include "DShowTools.h"
-#include "mozilla/Logging.h"
-
-namespace mozilla {
-
-// Win32 "Event" wrapper. Must be paired with a CriticalSection to create a
-// Java-style "monitor".
-class Signal {
-public:
-
-  Signal(CriticalSection* aLock)
-    : mLock(aLock)
-  {
-    CriticalSectionAutoEnter lock(*mLock);
-    mEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);
-  }
-
-  ~Signal() {
-    CriticalSectionAutoEnter lock(*mLock);
-    CloseHandle(mEvent);
-  }
-
-  // Lock must be held.
-  void Notify() {
-    SetEvent(mEvent);
-  }
-
-  // Lock must be held. Check the wait condition before waiting!
-  HRESULT Wait() {
-    mLock->Leave();
-    DWORD result = WaitForSingleObject(mEvent, INFINITE);
-    mLock->Enter();
-    return result == WAIT_OBJECT_0 ? S_OK : E_FAIL;
-  }
-
-private:
-  CriticalSection* mLock;
-  HANDLE mEvent;
-};
-
-HRESULT
-AddGraphToRunningObjectTable(IUnknown *aUnkGraph, DWORD *aOutRotRegister);
-
-void
-RemoveGraphFromRunningObjectTable(DWORD aRotRegister);
-
-const char*
-GetGraphNotifyString(long evCode);
-
-// Creates a filter and adds it to a graph.
-HRESULT
-CreateAndAddFilter(IGraphBuilder* aGraph,
-                   REFGUID aFilterClsId,
-                   LPCWSTR aFilterName,
-                   IBaseFilter **aOutFilter);
-
-HRESULT
-AddMP3DMOWrapperFilter(IGraphBuilder* aGraph,
-                       IBaseFilter **aOutFilter);
-
-// Connects the output pin on aOutputFilter to an input pin on
-// aInputFilter, in aGraph.
-HRESULT
-ConnectFilters(IGraphBuilder* aGraph,
-               IBaseFilter* aOutputFilter,
-               IBaseFilter* aInputFilter);
-
-HRESULT
-MatchUnconnectedPin(IPin* aPin,
-                    PIN_DIRECTION aPinDir,
-                    bool *aOutMatches);
-
-// Converts from microseconds to DirectShow "Reference Time"
-// (hundreds of nanoseconds).
-inline int64_t
-UsecsToRefTime(const int64_t aUsecs)
-{
-  return aUsecs * 10;
-}
-
-// Converts from DirectShow "Reference Time" (hundreds of nanoseconds)
-// to microseconds.
-inline int64_t
-RefTimeToUsecs(const int64_t hRefTime)
-{
-  return hRefTime / 10;
-}
-
-// Converts from DirectShow "Reference Time" (hundreds of nanoseconds)
-// to seconds.
-inline double
-RefTimeToSeconds(const REFERENCE_TIME aRefTime)
-{
-  return double(aRefTime) / 10000000;
-}
-
-const char*
-GetDirectShowGuidName(const GUID& aGuid);
-
-// Returns true if we can instantiate an MP3 demuxer and decoder filters.
-// Use this to detect whether MP3 support is installed.
-bool
-CanDecodeMP3UsingDirectShow();
-
-} // namespace mozilla
-
-#endif
diff --git a/dom/media/directshow/SampleSink.cpp b/dom/media/directshow/SampleSink.cpp
deleted file mode 100644
index fa5dc8d19c..0000000000
--- a/dom/media/directshow/SampleSink.cpp
+++ /dev/null
@@ -1,159 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SampleSink.h"
-#include "AudioSinkFilter.h"
-#include "AudioSinkInputPin.h"
-#include "VideoUtils.h"
-#include "mozilla/Logging.h"
-
-using namespace mozilla::media;
-
-namespace mozilla {
-
-static LazyLogModule gDirectShowLog("DirectShowDecoder");
-#define LOG(...) MOZ_LOG(gDirectShowLog, mozilla::LogLevel::Debug, (__VA_ARGS__))
-
-SampleSink::SampleSink()
-  : mMonitor("SampleSink"),
-    mIsFlushing(false),
-    mAtEOS(false)
-{
-  MOZ_COUNT_CTOR(SampleSink);
-}
-
-SampleSink::~SampleSink()
-{
-  MOZ_COUNT_DTOR(SampleSink);
-}
-
-void
-SampleSink::SetAudioFormat(const WAVEFORMATEX* aInFormat)
-{
-  NS_ENSURE_TRUE(aInFormat, );
-  ReentrantMonitorAutoEnter mon(mMonitor);
-  memcpy(&mAudioFormat, aInFormat, sizeof(WAVEFORMATEX));
-}
-
-void
-SampleSink::GetAudioFormat(WAVEFORMATEX* aOutFormat)
-{
-  MOZ_ASSERT(aOutFormat);
-  ReentrantMonitorAutoEnter mon(mMonitor);
-  memcpy(aOutFormat, &mAudioFormat, sizeof(WAVEFORMATEX));
-}
-
-HRESULT
-SampleSink::Receive(IMediaSample* aSample)
-{
-  ReentrantMonitorAutoEnter mon(mMonitor);
-
-  while (true) {
-    if (mIsFlushing) {
-      return S_FALSE;
-    }
-    if (!mSample) {
-      break;
-    }
-    if (mAtEOS) {
-      return E_UNEXPECTED;
-    }
-    // Wait until the consumer thread consumes the sample.
-    mon.Wait();
-  }
-
-  if (MOZ_LOG_TEST(gDirectShowLog, LogLevel::Debug)) {
-    REFERENCE_TIME start = 0, end = 0;
-    HRESULT hr = aSample->GetMediaTime(&start, &end);
-    LOG("SampleSink::Receive() [%4.2lf-%4.2lf]",
-        (double)RefTimeToUsecs(start) / USECS_PER_S,
-        (double)RefTimeToUsecs(end) / USECS_PER_S);
-  }
-
-  mSample = aSample;
-  // Notify the signal, to awaken the consumer thread in WaitForSample()
-  // if necessary.
-  mon.NotifyAll();
-  return S_OK;
-}
-
-HRESULT
-SampleSink::Extract(RefPtr<IMediaSample>& aOutSample)
-{
-  ReentrantMonitorAutoEnter mon(mMonitor);
-  // Loop until we have a sample, or we should abort.
-  while (true) {
-    if (mIsFlushing) {
-      return S_FALSE;
-    }
-    if (mSample) {
-      break;
-    }
-    if (mAtEOS) {
-      // Order is important here, if we have a sample, we should return it
-      // before reporting EOS.
-      return E_UNEXPECTED;
-    }
-    // Wait until the producer thread gives us a sample.
-    mon.Wait();
-  }
-  aOutSample = mSample;
-
-  if (MOZ_LOG_TEST(gDirectShowLog, LogLevel::Debug)) {
-    int64_t start = 0, end = 0;
-    mSample->GetMediaTime(&start, &end);
-    LOG("SampleSink::Extract() [%4.2lf-%4.2lf]",
-        (double)RefTimeToUsecs(start) / USECS_PER_S,
-        (double)RefTimeToUsecs(end) / USECS_PER_S);
-  }
-
-  mSample = nullptr;
-  // Notify the signal, to awaken the producer thread in Receive()
-  // if necessary.
-  mon.NotifyAll();
-  return S_OK;
-}
-
-void
-SampleSink::Flush()
-{
-  LOG("SampleSink::Flush()");
-  ReentrantMonitorAutoEnter mon(mMonitor);
-  mIsFlushing = true;
-  mSample = nullptr;
-  mon.NotifyAll();
-}
-
-void
-SampleSink::Reset()
-{
-  LOG("SampleSink::Reset()");
-  ReentrantMonitorAutoEnter mon(mMonitor);
-  mIsFlushing = false;
-  mAtEOS = false;
-}
-
-void
-SampleSink::SetEOS()
-{
-  LOG("SampleSink::SetEOS()");
-  ReentrantMonitorAutoEnter mon(mMonitor);
-  mAtEOS = true;
-  // Notify to unblock any threads waiting for samples in
-  // Extract() or Receive(). Now that we're at EOS, no more samples
-  // will come!
-  mon.NotifyAll();
-}
-
-bool
-SampleSink::AtEOS()
-{
-  ReentrantMonitorAutoEnter mon(mMonitor);
-  return mAtEOS && !mSample;
-}
-
-} // namespace mozilla
-
diff --git a/dom/media/directshow/SampleSink.h b/dom/media/directshow/SampleSink.h
deleted file mode 100644
index 6a1af9fee4..0000000000
--- a/dom/media/directshow/SampleSink.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#if !defined(SampleSink_h_)
-#define SampleSink_h_
-
-#include "BaseFilter.h"
-#include "DirectShowUtils.h"
-#include "mozilla/RefPtr.h"
-#include "mozilla/ReentrantMonitor.h"
-
-namespace mozilla {
-
-class SampleSink {
-public:
-  SampleSink();
-  virtual ~SampleSink();
-
-  // Sets the audio format of the incoming samples. The upstream filter
-  // calls this. This makes a copy.
-  void SetAudioFormat(const WAVEFORMATEX* aInFormat);
-
-  // Copies the format of incoming audio samples into into *aOutFormat.
-  void GetAudioFormat(WAVEFORMATEX* aOutFormat);
-
-  // Called when a sample is delivered by the DirectShow graph to the sink.
-  // The decode thread retrieves the sample by calling WaitForSample().
-  // Blocks if there's already a sample waiting to be consumed by the decode
-  // thread.
-  HRESULT Receive(IMediaSample* aSample);
-
-  // Retrieves a sample from the sample queue, blocking until one becomes
-  // available, or until an error occurs. Returns S_FALSE on EOS.
-  HRESULT Extract(RefPtr<IMediaSample>& aOutSample);
-
-  // Unblocks any threads waiting in GetSample().
-  // Clears mSample, which unblocks upstream stream.
-  void Flush();
-
-  // Opens up the sink to receive more samples in PutSample().
-  // Clears EOS flag.
-  void Reset();
-
-  // Marks that we've reacehd the end of stream.
-  void SetEOS();
-
-  // Returns whether we're at end of stream.
-  bool AtEOS();
-
-private:
-  // All data in this class is syncronized by mMonitor.
-  ReentrantMonitor mMonitor;
-  RefPtr<IMediaSample> mSample;
-
-  // Format of the audio stream we're receiving.
-  WAVEFORMATEX mAudioFormat;
-
-  bool mIsFlushing;
-  bool mAtEOS;
-};
-
-} // namespace mozilla
-
-#endif // SampleSink_h_
diff --git a/dom/media/directshow/SourceFilter.cpp b/dom/media/directshow/SourceFilter.cpp
deleted file mode 100644
index 4c5a0882c3..0000000000
--- a/dom/media/directshow/SourceFilter.cpp
+++ /dev/null
@@ -1,683 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SourceFilter.h"
-#include "MediaResource.h"
-#include "mozilla/RefPtr.h"
-#include "DirectShowUtils.h"
-#include "MP3FrameParser.h"
-#include "mozilla/Logging.h"
-#include <algorithm>
-
-using namespace mozilla::media;
-
-namespace mozilla {
-
-// Define to trace what's on...
-//#define DEBUG_SOURCE_TRACE 1
-
-#if defined (DEBUG_SOURCE_TRACE)
-static LazyLogModule gDirectShowLog("DirectShowDecoder");
-#define DIRECTSHOW_LOG(...) MOZ_LOG(gDirectShowLog, mozilla::LogLevel::Debug, (__VA_ARGS__))
-#else
-#define DIRECTSHOW_LOG(...)
-#endif
-
-static HRESULT
-DoGetInterface(IUnknown* aUnknown, void** aInterface)
-{
-  if (!aInterface)
-    return E_POINTER;
-  *aInterface = aUnknown;
-  aUnknown->AddRef();
-  return S_OK;
-}
-
-// Stores details of IAsyncReader::Request().
-class ReadRequest {
-public:
-
-  ReadRequest(IMediaSample* aSample,
-              DWORD_PTR aDwUser,
-              uint32_t aOffset,
-              uint32_t aCount)
-    : mSample(aSample),
-      mDwUser(aDwUser),
-      mOffset(aOffset),
-      mCount(aCount)
-  {
-    MOZ_COUNT_CTOR(ReadRequest);
-  }
-
-  ~ReadRequest() {
-    MOZ_COUNT_DTOR(ReadRequest);
-  }
-
-  RefPtr<IMediaSample> mSample;
-  DWORD_PTR mDwUser;
-  uint32_t mOffset;
-  uint32_t mCount;
-};
-
-// A wrapper around media resource that presents only a partition of the
-// underlying resource to the caller to use. The partition returned is from
-// an offset to the end of stream, and this object deals with ensuring
-// the offsets and lengths etc are translated from the reduced partition
-// exposed to the caller, to the absolute offsets of the underlying stream.
-class MediaResourcePartition {
-public:
-  MediaResourcePartition(MediaResource* aResource,
-                         int64_t aDataStart)
-    : mResource(aResource),
-      mDataOffset(aDataStart)
-  {}
-
-  int64_t GetLength() {
-    int64_t len = mResource.GetLength();
-    if (len == -1) {
-      return len;
-    }
-    return std::max<int64_t>(0, len - mDataOffset);
-  }
-  nsresult ReadAt(int64_t aOffset, char* aBuffer,
-                  uint32_t aCount, uint32_t* aBytes)
-  {
-    return mResource.ReadAt(aOffset + mDataOffset,
-                            aBuffer,
-                            aCount,
-                            aBytes);
-  }
-  int64_t GetCachedDataEnd() {
-    int64_t tell = mResource.GetResource()->Tell();
-    int64_t dataEnd =
-      mResource.GetResource()->GetCachedDataEnd(tell) - mDataOffset;
-    return dataEnd;
-  }
-private:
-  // MediaResource from which we read data.
-  MediaResourceIndex mResource;
-  int64_t mDataOffset;
-};
-
-
-// Output pin for SourceFilter, which implements IAsyncReader, to
-// allow downstream filters to pull/read data from it. Downstream pins
-// register to read data using Request(), and asynchronously wait for the
-// reads to complete using WaitForNext(). They may also synchronously read
-// using SyncRead(). This class is a delegate (tear off) of
-// SourceFilter.
-//
-// We can expose only a segment of the MediaResource to the filter graph.
-// This is used to strip off the ID3v2 tags from the stream, as DirectShow
-// has trouble parsing some headers.
-//
-// Implements:
-//  * IAsyncReader
-//  * IPin
-//  * IQualityControl
-//  * IUnknown
-//
-class DECLSPEC_UUID("18e5cfb2-1015-440c-a65c-e63853235894")
-OutputPin : public IAsyncReader,
-            public BasePin
-{
-public:
-
-  OutputPin(MediaResource* aMediaResource,
-            SourceFilter* aParent,
-            CriticalSection& aFilterLock,
-            int64_t aMP3DataStart);
-  virtual ~OutputPin();
-
-  // IUnknown
-  // Defer to ref counting to BasePin, which defers to owning nsBaseFilter.
-  STDMETHODIMP_(ULONG) AddRef() override { return BasePin::AddRef(); }
-  STDMETHODIMP_(ULONG) Release() override { return BasePin::Release(); }
-  STDMETHODIMP QueryInterface(REFIID iid, void** ppv) override;
-
-  // BasePin Overrides.
-  // Determines if the pin accepts a specific media type.
-  HRESULT CheckMediaType(const MediaType* aMediaType) override;
-
-  // Retrieves a preferred media type, by index value.
-  HRESULT GetMediaType(int aPosition, MediaType* aMediaType) override;
-
-  // Releases the pin from a connection.
-  HRESULT BreakConnect(void) override;
-
-  // Determines whether a pin connection is suitable.
-  HRESULT CheckConnect(IPin* aPin) override;
-
-
-  // IAsyncReader overrides
-
-  // The RequestAllocator method requests an allocator during the
-  // pin connection.
-  STDMETHODIMP RequestAllocator(IMemAllocator* aPreferred,
-                                ALLOCATOR_PROPERTIES* aProps,
-                                IMemAllocator** aActual) override;
-
-  // The Request method queues an asynchronous request for data. Downstream
-  // will call WaitForNext() when they want to retrieve the result.
-  STDMETHODIMP Request(IMediaSample* aSample, DWORD_PTR aUserData) override;
-
-  // The WaitForNext method waits for the next pending read request
-  // to complete. This method fails if the graph is flushing.
-  // Defers to SyncRead/5.
-  STDMETHODIMP WaitForNext(DWORD aTimeout,
-                           IMediaSample** aSamples,
-                           DWORD_PTR* aUserData) override;
-
-  // The SyncReadAligned method performs a synchronous read. The method
-  // blocks until the request is completed. Defers to SyncRead/5. This
-  // method does not fail if the graph is flushing.
-  STDMETHODIMP SyncReadAligned(IMediaSample* aSample) override;
-
-  // The SyncRead method performs a synchronous read. The method blocks
-  // until the request is completed. Defers to SyncRead/5. This
-  // method does not fail if the graph is flushing.
-  STDMETHODIMP SyncRead(LONGLONG aPosition, LONG aLength, BYTE* aBuffer) override;
-
-  // The Length method retrieves the total length of the stream.
-  STDMETHODIMP Length(LONGLONG* aTotal, LONGLONG* aAvailable) override;
-
-  // IPin Overrides
-  STDMETHODIMP BeginFlush(void) override;
-  STDMETHODIMP EndFlush(void) override;
-
-  uint32_t GetAndResetBytesConsumedCount();
-
-private:
-
-  // Protects thread-shared data/structures (mFlushCount, mPendingReads).
-  // WaitForNext() also waits on this monitor
-  CriticalSection& mPinLock;
-
-  // Signal used with mPinLock to implement WaitForNext().
-  Signal mSignal;
-
-  // The filter that owns us. Weak reference, as we're a delegate (tear off).
-  SourceFilter* mParentSource;
-
-  MediaResourcePartition mResource;
-
-  // Counter, inc'd in BeginFlush(), dec'd in EndFlush(). Calls to this can
-  // come from multiple threads and can interleave, hence the counter.
-  int32_t mFlushCount;
-
-  // Number of bytes that have been read from the output pin since the last
-  // time GetAndResetBytesConsumedCount() was called.
-  uint32_t mBytesConsumed;
-
-  // Deque of ReadRequest* for reads that are yet to be serviced.
-  // nsReadRequest's are stored on the heap, popper must delete them.
-  nsDeque mPendingReads;
-
-  // Flags if the downstream pin has QI'd for IAsyncReader. We refuse
-  // connection if they don't query, as it means they're assuming that we're
-  // a push filter, and we're not.
-  bool mQueriedForAsyncReader;
-
-};
-
-// For mingw __uuidof support
-#ifdef __CRT_UUID_DECL
-}
-__CRT_UUID_DECL(mozilla::OutputPin, 0x18e5cfb2,0x1015,0x440c,0xa6,0x5c,0xe6,0x38,0x53,0x23,0x58,0x94);
-namespace mozilla {
-#endif
-
-OutputPin::OutputPin(MediaResource* aResource,
-                     SourceFilter* aParent,
-                     CriticalSection& aFilterLock,
-                     int64_t aMP3DataStart)
-  : BasePin(static_cast<BaseFilter*>(aParent),
-            &aFilterLock,
-            L"MozillaOutputPin",
-            PINDIR_OUTPUT),
-    mPinLock(aFilterLock),
-    mSignal(&mPinLock),
-    mParentSource(aParent),
-    mResource(aResource, aMP3DataStart),
-    mFlushCount(0),
-    mBytesConsumed(0),
-    mQueriedForAsyncReader(false)
-{
-  MOZ_COUNT_CTOR(OutputPin);
-  DIRECTSHOW_LOG("OutputPin::OutputPin()");
-}
-
-OutputPin::~OutputPin()
-{
-  MOZ_COUNT_DTOR(OutputPin);
-  DIRECTSHOW_LOG("OutputPin::~OutputPin()");
-}
-
-HRESULT
-OutputPin::BreakConnect()
-{
-  mQueriedForAsyncReader = false;
-  return BasePin::BreakConnect();
-}
-
-STDMETHODIMP
-OutputPin::QueryInterface(REFIID aIId, void** aInterface)
-{
-  if (aIId == IID_IAsyncReader) {
-    mQueriedForAsyncReader = true;
-    return DoGetInterface(static_cast<IAsyncReader*>(this), aInterface);
-  }
-
-  if (aIId == __uuidof(OutputPin)) {
-    AddRef();
-    *aInterface = this;
-    return S_OK;
-  }
-
-  return BasePin::QueryInterface(aIId, aInterface);
-}
-
-HRESULT
-OutputPin::CheckConnect(IPin* aPin)
-{
-  // Our connection is only suitable if the downstream pin knows
-  // that we're asynchronous (i.e. it queried for IAsyncReader).
-  return mQueriedForAsyncReader ? S_OK : S_FALSE;
-}
-
-HRESULT
-OutputPin::CheckMediaType(const MediaType* aMediaType)
-{
-  const MediaType *myMediaType = mParentSource->GetMediaType();
-
-  if (IsEqualGUID(aMediaType->majortype, myMediaType->majortype) &&
-      IsEqualGUID(aMediaType->subtype, myMediaType->subtype) &&
-      IsEqualGUID(aMediaType->formattype, myMediaType->formattype))
-  {
-    DIRECTSHOW_LOG("OutputPin::CheckMediaType() Match: major=%s minor=%s TC=%d FSS=%d SS=%u",
-                   GetDirectShowGuidName(aMediaType->majortype),
-                   GetDirectShowGuidName(aMediaType->subtype),
-                   aMediaType->TemporalCompression(),
-                   aMediaType->bFixedSizeSamples,
-                   aMediaType->SampleSize());
-    return S_OK;
-  }
-
-  DIRECTSHOW_LOG("OutputPin::CheckMediaType() Failed to match: major=%s minor=%s TC=%d FSS=%d SS=%u",
-                 GetDirectShowGuidName(aMediaType->majortype),
-                 GetDirectShowGuidName(aMediaType->subtype),
-                 aMediaType->TemporalCompression(),
-                 aMediaType->bFixedSizeSamples,
-                 aMediaType->SampleSize());
-  return S_FALSE;
-}
-
-HRESULT
-OutputPin::GetMediaType(int aPosition, MediaType* aMediaType)
-{
-  if (!aMediaType)
-    return E_POINTER;
-
-  if (aPosition == 0) {
-    aMediaType->Assign(mParentSource->GetMediaType());
-    return S_OK;
-  }
-  return VFW_S_NO_MORE_ITEMS;
-}
-
-static inline bool
-IsPowerOf2(int32_t x) {
-  return ((-x & x) != x);
-}
-
-STDMETHODIMP
-OutputPin::RequestAllocator(IMemAllocator* aPreferred,
-                            ALLOCATOR_PROPERTIES* aProps,
-                            IMemAllocator** aActual)
-{
-  // Require the downstream pin to suggest what they want...
-  if (!aPreferred) return E_POINTER;
-  if (!aProps) return E_POINTER;
-  if (!aActual) return E_POINTER;
-
-  // We only care about alignment - our allocator will reject anything
-  // which isn't power-of-2 aligned, so  so try a 4-byte aligned allocator.
-  ALLOCATOR_PROPERTIES props;
-  memcpy(&props, aProps, sizeof(ALLOCATOR_PROPERTIES));
-  if (aProps->cbAlign == 0 || IsPowerOf2(aProps->cbAlign)) {
-    props.cbAlign = 4;
-  }
-
-  // Limit allocator's number of buffers. We know that the media will most
-  // likely be bound by network speed, not by decoding speed. We also
-  // store the incoming data in a Gecko stream, if we don't limit buffers
-  // here we'll end up duplicating a lot of storage. We must have enough
-  // space for audio key frames to fit in the first batch of buffers however,
-  // else pausing may fail for some downstream decoders.
-  if (props.cBuffers > BaseFilter::sMaxNumBuffers) {
-    props.cBuffers = BaseFilter::sMaxNumBuffers;
-  }
-
-  // The allocator properties that are actually used. We don't store
-  // this, we need it for SetProperties() below to succeed.
-  ALLOCATOR_PROPERTIES actualProps;
-  HRESULT hr;
-
-  if (aPreferred) {
-    // Play nice and prefer the downstream pin's preferred allocator.
-    hr = aPreferred->SetProperties(&props, &actualProps);
-    if (SUCCEEDED(hr)) {
-      aPreferred->AddRef();
-      *aActual = aPreferred;
-      return S_OK;
-    }
-  }
-
-  // Else downstream hasn't requested a specific allocator, so create one...
-
-  // Just create a default allocator. It's highly unlikely that we'll use
-  // this anyway, as most parsers insist on using their own allocators.
-  RefPtr<IMemAllocator> allocator;
-  hr = CoCreateInstance(CLSID_MemoryAllocator,
-                        0,
-                        CLSCTX_INPROC_SERVER,
-                        IID_IMemAllocator,
-                        getter_AddRefs(allocator));
-  if(FAILED(hr) || (allocator == nullptr)) {
-    NS_WARNING("Can't create our own DirectShow allocator.");
-    return hr;
-  }
-
-  // See if we can make it suitable
-  hr = allocator->SetProperties(&props, &actualProps);
-  if (SUCCEEDED(hr)) {
-    // We need to release our refcount on pAlloc, and addref
-    // it to pass a refcount to the caller - this is a net nothing.
-    allocator.forget(aActual);
-    return S_OK;
-  }
-
-  NS_WARNING("Failed to pick an allocator");
-  return hr;
-}
-
-STDMETHODIMP
-OutputPin::Request(IMediaSample* aSample, DWORD_PTR aDwUser)
-{
-  if (!aSample) return E_FAIL;
-
-  CriticalSectionAutoEnter lock(*mLock);
-  NS_ASSERTION(!mFlushCount, "Request() while flushing");
-
-  if (mFlushCount)
-    return VFW_E_WRONG_STATE;
-
-  REFERENCE_TIME refStart = 0, refEnd = 0;
-  if (FAILED(aSample->GetTime(&refStart, &refEnd))) {
-    NS_WARNING("Sample incorrectly timestamped");
-    return VFW_E_SAMPLE_TIME_NOT_SET;
-  }
-
-  // Convert reference time to bytes.
-  uint32_t start = (uint32_t)(refStart / 10000000);
-  uint32_t end = (uint32_t)(refEnd / 10000000);
-
-  uint32_t numBytes = end - start;
-
-  ReadRequest* request = new ReadRequest(aSample,
-                                         aDwUser,
-                                         start,
-                                         numBytes);
-  // Memory for |request| is free when it's popped from the completed
-  // reads list.
-
-  // Push this onto the queue of reads to be serviced.
-  mPendingReads.Push(request);
-
-  // Notify any threads blocked in WaitForNext() which are waiting for mPendingReads
-  // to become non-empty.
-  mSignal.Notify();
-
-  return S_OK;
-}
-
-STDMETHODIMP
-OutputPin::WaitForNext(DWORD aTimeout,
-                       IMediaSample** aOutSample,
-                       DWORD_PTR* aOutDwUser)
-{
-  NS_ASSERTION(aTimeout == 0 || aTimeout == INFINITE,
-               "Oops, we don't handle this!");
-
-  *aOutSample = nullptr;
-  *aOutDwUser = 0;
-
-  LONGLONG offset = 0;
-  LONG count = 0;
-  BYTE* buf = nullptr;
-
-  {
-    CriticalSectionAutoEnter lock(*mLock);
-
-    // Wait until there's a pending read to service.
-    while (aTimeout && mPendingReads.GetSize() == 0 && !mFlushCount) {
-      // Note: No need to guard against shutdown-during-wait here, as
-      // typically the thread doing the pull will have already called
-      // Request(), so we won't Wait() here anyway. SyncRead() will fail
-      // on shutdown.
-      mSignal.Wait();
-    }
-
-    nsAutoPtr<ReadRequest> request(reinterpret_cast<ReadRequest*>(mPendingReads.PopFront()));
-    if (!request)
-      return VFW_E_WRONG_STATE;
-
-    *aOutSample = request->mSample;
-    *aOutDwUser = request->mDwUser;
-
-    offset = request->mOffset;
-    count = request->mCount;
-    buf = nullptr;
-    request->mSample->GetPointer(&buf);
-    NS_ASSERTION(buf != nullptr, "Invalid buffer!");
-
-    if (mFlushCount) {
-      return VFW_E_TIMEOUT;
-    }
-  }
-
-  return SyncRead(offset, count, buf);
-}
-
-STDMETHODIMP
-OutputPin::SyncReadAligned(IMediaSample* aSample)
-{
-  {
-    // Ignore reads while flushing.
-    CriticalSectionAutoEnter lock(*mLock);
-    if (mFlushCount) {
-      return S_FALSE;
-    }
-  }
-
-  if (!aSample)
-    return E_FAIL;
-
-  REFERENCE_TIME lStart = 0, lEnd = 0;
-  if (FAILED(aSample->GetTime(&lStart, &lEnd))) {
-    NS_WARNING("Sample incorrectly timestamped");
-    return VFW_E_SAMPLE_TIME_NOT_SET;
-  }
-
-  // Convert reference time to bytes.
-  int32_t start = (int32_t)(lStart / 10000000);
-  int32_t end = (int32_t)(lEnd / 10000000);
-
-  int32_t numBytes = end - start;
-
-  // If the range extends off the end of stream, truncate to the end of stream
-  // as per IAsyncReader specificiation.
-  int64_t streamLength = mResource.GetLength();
-  if (streamLength != -1) {
-    // We know the exact length of the stream, fail if the requested offset
-    // is beyond it.
-    if (start > streamLength) {
-      return VFW_E_BADALIGN;
-    }
-
-    // If the end of the chunk to read is off the end of the stream,
-    // truncate it to the end of the stream.
-    if ((start + numBytes) > streamLength) {
-      numBytes = (uint32_t)(streamLength - start);
-    }
-  }
-
-  BYTE* buf=0;
-  aSample->GetPointer(&buf);
-
-  return SyncRead(start, numBytes, buf);
-}
-
-STDMETHODIMP
-OutputPin::SyncRead(LONGLONG aPosition,
-                    LONG aLength,
-                    BYTE* aBuffer)
-{
-  MOZ_ASSERT(!NS_IsMainThread());
-  NS_ENSURE_TRUE(aPosition >= 0, E_FAIL);
-  NS_ENSURE_TRUE(aLength > 0, E_FAIL);
-  NS_ENSURE_TRUE(aBuffer, E_POINTER);
-
-  DIRECTSHOW_LOG("OutputPin::SyncRead(%lld, %d)", aPosition, aLength);
-  {
-    // Ignore reads while flushing.
-    CriticalSectionAutoEnter lock(*mLock);
-    if (mFlushCount) {
-      return S_FALSE;
-    }
-  }
-
-  uint32_t totalBytesRead = 0;
-  nsresult rv = mResource.ReadAt(aPosition,
-                                 reinterpret_cast<char*>(aBuffer),
-                                 aLength,
-                                 &totalBytesRead);
-  if (NS_FAILED(rv)) {
-    return E_FAIL;
-  }
-  if (totalBytesRead > 0) {
-    CriticalSectionAutoEnter lock(*mLock);
-    mBytesConsumed += totalBytesRead;
-  }
-  return (totalBytesRead == aLength) ? S_OK : S_FALSE;
-}
-
-STDMETHODIMP
-OutputPin::Length(LONGLONG* aTotal, LONGLONG* aAvailable)
-{
-  HRESULT hr = S_OK;
-  int64_t length = mResource.GetLength();
-  if (length == -1) {
-    hr = VFW_S_ESTIMATED;
-    // Don't have a length. Just lie, it seems to work...
-    *aTotal = INT32_MAX;
-  } else {
-    *aTotal = length;
-  }
-  if (aAvailable) {
-    *aAvailable = mResource.GetCachedDataEnd();
-  }
-
-  DIRECTSHOW_LOG("OutputPin::Length() len=%lld avail=%lld", *aTotal, *aAvailable);
-
-  return hr;
-}
-
-STDMETHODIMP
-OutputPin::BeginFlush()
-{
-  CriticalSectionAutoEnter lock(*mLock);
-  mFlushCount++;
-  mSignal.Notify();
-  return S_OK;
-}
-
-STDMETHODIMP
-OutputPin::EndFlush(void)
-{
-  CriticalSectionAutoEnter lock(*mLock);
-  mFlushCount--;
-  return S_OK;
-}
-
-uint32_t
-OutputPin::GetAndResetBytesConsumedCount()
-{
-  CriticalSectionAutoEnter lock(*mLock);
-  uint32_t bytesConsumed = mBytesConsumed;
-  mBytesConsumed = 0;
-  return bytesConsumed;
-}
-
-SourceFilter::SourceFilter(const GUID& aMajorType,
-                                               const GUID& aSubType)
-  : BaseFilter(L"MozillaDirectShowSource", __uuidof(SourceFilter))
-{
-  MOZ_COUNT_CTOR(SourceFilter);
-  mMediaType.majortype = aMajorType;
-  mMediaType.subtype = aSubType;
-
-  DIRECTSHOW_LOG("SourceFilter Constructor(%s, %s)",
-                 GetDirectShowGuidName(aMajorType),
-                 GetDirectShowGuidName(aSubType));
-}
-
-SourceFilter::~SourceFilter()
-{
-  MOZ_COUNT_DTOR(SourceFilter);
-  DIRECTSHOW_LOG("SourceFilter Destructor()");
-}
-
-BasePin*
-SourceFilter::GetPin(int n)
-{
-  if (n == 0) {
-    NS_ASSERTION(mOutputPin != 0, "GetPin with no pin!");
-    return static_cast<BasePin*>(mOutputPin);
-  } else {
-    return nullptr;
-  }
-}
-
-// Get's the media type we're supplying.
-const MediaType*
-SourceFilter::GetMediaType() const
-{
-  return &mMediaType;
-}
-
-nsresult
-SourceFilter::Init(MediaResource* aResource, int64_t aMP3Offset)
-{
-  DIRECTSHOW_LOG("SourceFilter::Init()");
-
-  mOutputPin = new OutputPin(aResource,
-                             this,
-                             mLock,
-                             aMP3Offset);
-  NS_ENSURE_TRUE(mOutputPin != nullptr, NS_ERROR_FAILURE);
-
-  return NS_OK;
-}
-
-uint32_t
-SourceFilter::GetAndResetBytesConsumedCount()
-{
-  return mOutputPin->GetAndResetBytesConsumedCount();
-}
-
-
-} // namespace mozilla
diff --git a/dom/media/directshow/SourceFilter.h b/dom/media/directshow/SourceFilter.h
deleted file mode 100644
index d5ce2770e9..0000000000
--- a/dom/media/directshow/SourceFilter.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#if !defined(nsDirectShowSource_h___)
-#define nsDirectShowSource_h___
-
-#include "BaseFilter.h"
-#include "BasePin.h"
-#include "MediaType.h"
-
-#include "nsDeque.h"
-#include "nsAutoPtr.h"
-#include "DirectShowUtils.h"
-#include "mozilla/RefPtr.h"
-
-namespace mozilla {
-
-class MediaResource;
-class OutputPin;
-
-
-// SourceFilter is an asynchronous DirectShow source filter which
-// reads from an MediaResource, and supplies data via a pull model downstream
-// using OutputPin. It us used to supply a generic byte stream into
-// DirectShow.
-//
-// Implements:
-//  * IBaseFilter
-//  * IMediaFilter
-//  * IPersist
-//  * IUnknown
-//
-class DECLSPEC_UUID("5c2a7ad0-ba82-4659-9178-c4719a2765d6")
-SourceFilter : public media::BaseFilter
-{
-public:
-
-  // Constructs source filter to deliver given media type.
-  SourceFilter(const GUID& aMajorType, const GUID& aSubType);
-  ~SourceFilter();
-
-  nsresult Init(MediaResource *aResource, int64_t aMP3Offset);
-
-  // BaseFilter overrides.
-  // Only one output - the byte stream.
-  int GetPinCount() override { return 1; }
-
-  media::BasePin* GetPin(int n) override;
-
-  // Get's the media type we're supplying.
-  const media::MediaType* GetMediaType() const;
-
-  uint32_t GetAndResetBytesConsumedCount();
-
-protected:
-
-  // Our async pull output pin.
-  nsAutoPtr<OutputPin> mOutputPin;
-
-  // Type of byte stream we output.
-  media::MediaType mMediaType;
-
-};
-
-} // namespace mozilla
-
-// For mingw __uuidof support
-#ifdef __CRT_UUID_DECL
-__CRT_UUID_DECL(mozilla::SourceFilter, 0x5c2a7ad0,0xba82,0x4659,0x91,0x78,0xc4,0x71,0x9a,0x27,0x65,0xd6);
-#endif
-
-#endif
diff --git a/dom/media/directshow/moz.build b/dom/media/directshow/moz.build
deleted file mode 100644
index 8a9b762000..0000000000
--- a/dom/media/directshow/moz.build
+++ /dev/null
@@ -1,41 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-EXPORTS += [
-    'AudioSinkFilter.h',
-    'AudioSinkInputPin.h',
-    'DirectShowDecoder.h',
-    'DirectShowReader.h',
-    'DirectShowUtils.h',
-]
-
-UNIFIED_SOURCES += [
-    'DirectShowDecoder.cpp',
-    'DirectShowUtils.cpp',
-    'SourceFilter.cpp',
-]
-
-SOURCES += [
-    'AudioSinkFilter.cpp',
-    'AudioSinkInputPin.cpp',
-    'DirectShowReader.cpp',
-    'SampleSink.cpp',
-]
-
-# If WebRTC isn't being built, we need to compile the DirectShow base classes so that
-# they're available at link time.
-if not CONFIG['MOZ_WEBRTC']:
-    SOURCES += [
-        '/media/webrtc/trunk/webrtc/modules/video_capture/windows/BaseFilter.cpp',
-        '/media/webrtc/trunk/webrtc/modules/video_capture/windows/BaseInputPin.cpp',
-        '/media/webrtc/trunk/webrtc/modules/video_capture/windows/BasePin.cpp',
-        '/media/webrtc/trunk/webrtc/modules/video_capture/windows/MediaType.cpp',
-    ]
-
-FINAL_LIBRARY = 'xul'
-LOCAL_INCLUDES += [
-    '/media/webrtc/trunk/webrtc/modules/video_capture/windows',
-]
diff --git a/dom/media/fmp4/MP4Decoder.cpp b/dom/media/fmp4/MP4Decoder.cpp
index fdd6f2c7e7..6954e97577 100644
--- a/dom/media/fmp4/MP4Decoder.cpp
+++ b/dom/media/fmp4/MP4Decoder.cpp
@@ -83,10 +83,6 @@ MP4Decoder::CanHandleMediaType(const MediaContentType& aType,
   const bool isMP4Audio = aType.GetMIMEType().EqualsASCII("audio/mp4") ||
                           aType.GetMIMEType().EqualsASCII("audio/x-m4a");
   const bool isMP4Video =
-  // On B2G, treat 3GPP as MP4 when Gonk PDM is available.
-#ifdef MOZ_GONK_MEDIACODEC
-      aType.GetMIMEType().EqualsASCII(VIDEO_3GPP) ||
-#endif
       aType.GetMIMEType().EqualsASCII("video/mp4") ||
       aType.GetMIMEType().EqualsASCII("video/quicktime") ||
       aType.GetMIMEType().EqualsASCII("video/x-m4v");
@@ -139,6 +135,14 @@ MP4Decoder::CanHandleMediaType(const MediaContentType& aType,
             NS_LITERAL_CSTRING("audio/flac"), aType));
         continue;
       }
+#ifdef MOZ_AV1
+      if (IsAV1CodecString(codec)) {
+        trackInfos.AppendElement(
+          CreateTrackInfoWithMIMETypeAndContentTypeExtraParameters(
+            NS_LITERAL_CSTRING("video/av1"), aType));
+        continue;
+      }
+#endif
       // Note: Only accept H.264 in a video content type, not in an audio
       // content type.
       if (IsWhitelistedH264Codec(codec) && isMP4Video) {
diff --git a/dom/media/fmp4/MP4Stream.cpp b/dom/media/fmp4/MP4Stream.cpp
index 615a7dc015..9a79cac7a1 100644
--- a/dom/media/fmp4/MP4Stream.cpp
+++ b/dom/media/fmp4/MP4Stream.cpp
@@ -48,9 +48,6 @@ MP4Stream::BlockingReadIntoCache(int64_t aOffset, size_t aCount, Monitor* aToUnl
   return true;
 }
 
-// We surreptitiously reimplement the supposedly-blocking ReadAt as a non-
-// blocking CachedReadAt, and record when it fails. This allows MP4Reader
-// to retry the read as an actual blocking read without holding the lock.
 bool
 MP4Stream::ReadAt(int64_t aOffset, void* aBuffer, size_t aCount,
                   size_t* aBytesRead)
diff --git a/dom/media/fmp4/moz.build b/dom/media/fmp4/moz.build
index 6a249ae3e5..a79fb02295 100644
--- a/dom/media/fmp4/moz.build
+++ b/dom/media/fmp4/moz.build
@@ -20,6 +20,3 @@ SOURCES += [
 ]
 
 FINAL_LIBRARY = 'xul'
-
-if CONFIG['MOZ_GONK_MEDIACODEC']:
-    DEFINES['MOZ_GONK_MEDIACODEC'] = True
diff --git a/dom/media/gmp/GMPParent.cpp b/dom/media/gmp/GMPParent.cpp
index 40c3e51416..418f147361 100644
--- a/dom/media/gmp/GMPParent.cpp
+++ b/dom/media/gmp/GMPParent.cpp
@@ -516,8 +516,7 @@ GMPCapability::Supports(const nsTArray<GMPCapability>& aCapabilities,
 #ifdef XP_WIN
         // Clearkey on Windows advertises that it can decode in its GMP info
         // file, but uses Windows Media Foundation to decode. That's not present
-        // on Windows XP, and on some Vista, Windows N, and KN variants without
-        // certain services packs.
+        // on Windows N and KN variants without certain services packs.
         if (tag.Equals(kEMEKeySystemClearkey)) {
           if (capabilities.mAPIName.EqualsLiteral(GMP_API_VIDEO_DECODER)) {
             if (!WMFDecoderModule::HasH264()) {
diff --git a/dom/media/gtest/Cargo.toml b/dom/media/gtest/Cargo.toml
deleted file mode 100644
index a55f8fb685..0000000000
--- a/dom/media/gtest/Cargo.toml
+++ /dev/null
@@ -1,7 +0,0 @@
-[package]
-name = "mp4parse-gtest"
-version = "0.1.0"
-authors = ["nobody@mozilla.org"]
-
-[lib]
-path = "hello.rs"
diff --git a/dom/media/gtest/TestMP3Demuxer.cpp b/dom/media/gtest/TestMP3Demuxer.cpp
index 8d2109f008..934acb60ec 100644
--- a/dom/media/gtest/TestMP3Demuxer.cpp
+++ b/dom/media/gtest/TestMP3Demuxer.cpp
@@ -11,7 +11,6 @@
 #include "MockMediaResource.h"
 
 using namespace mozilla;
-using namespace mozilla::mp3;
 using media::TimeUnit;
 
 
diff --git a/dom/media/gtest/TestMP4Reader.cpp b/dom/media/gtest/TestMP4Reader.cpp
deleted file mode 100644
index f08f7a40da..0000000000
--- a/dom/media/gtest/TestMP4Reader.cpp
+++ /dev/null
@@ -1,217 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "gtest/gtest.h"
-#include "MP4Reader.h"
-#include "MP4Decoder.h"
-#include "mozilla/SharedThreadPool.h"
-#include "MockMediaResource.h"
-#include "MockMediaDecoderOwner.h"
-#include "mozilla/Preferences.h"
-#include "TimeUnits.h"
-
-using namespace mozilla;
-using namespace mozilla::dom;
-
-class TestBinding
-{
-public:
-  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(TestBinding);
-
-  RefPtr<MP4Decoder> decoder;
-  RefPtr<MockMediaResource> resource;
-  RefPtr<MP4Reader> reader;
-
-  explicit TestBinding(const char* aFileName = "gizmo.mp4")
-    : decoder(new MP4Decoder())
-    , resource(new MockMediaResource(aFileName))
-    , reader(new MP4Reader(decoder))
-  {
-    EXPECT_EQ(NS_OK, Preferences::SetBool(
-                       "media.use-blank-decoder", true));
-
-    EXPECT_EQ(NS_OK, resource->Open(nullptr));
-    decoder->SetResource(resource);
-
-    reader->Init(nullptr);
-    // This needs to be done before invoking GetBuffered. This is normally
-    // done by MediaDecoderStateMachine.
-    reader->DispatchSetStartTime(0);
-  }
-
-  void Init() {
-    nsCOMPtr<nsIThread> thread;
-    nsCOMPtr<nsIRunnable> r = NewRunnableMethod(this, &TestBinding::ReadMetadata);
-    nsresult rv = NS_NewThread(getter_AddRefs(thread), r);
-    EXPECT_EQ(NS_OK, rv);
-    thread->Shutdown();
-  }
-
-private:
-  virtual ~TestBinding()
-  {
-    {
-      RefPtr<TaskQueue> queue = reader->OwnerThread();
-      nsCOMPtr<nsIRunnable> task = NewRunnableMethod(reader, &MP4Reader::Shutdown);
-      // Hackily bypass the tail dispatcher so that we can AwaitShutdownAndIdle.
-      // In production code we'd use BeginShutdown + promises.
-      queue->Dispatch(task.forget(), AbstractThread::AssertDispatchSuccess,
-                      AbstractThread::TailDispatch);
-      queue->AwaitShutdownAndIdle();
-    }
-    decoder = nullptr;
-    resource = nullptr;
-    reader = nullptr;
-    SharedThreadPool::SpinUntilEmpty();
-  }
-
-  void ReadMetadata()
-  {
-    MediaInfo info;
-    MetadataTags* tags;
-    EXPECT_EQ(NS_OK, reader->ReadMetadata(&info, &tags));
-  }
-};
-
-TEST(MP4Reader, BufferedRange)
-{
-  RefPtr<TestBinding> b = new TestBinding();
-  b->Init();
-
-  // Video 3-4 sec, audio 2.986666-4.010666 sec
-  b->resource->MockAddBufferedRange(248400, 327455);
-
-  media::TimeIntervals ranges = b->reader->GetBuffered();
-  EXPECT_EQ(1U, ranges.Length());
-  EXPECT_NEAR(270000 / 90000.0, ranges.Start(0).ToSeconds(), 0.000001);
-  EXPECT_NEAR(360000 / 90000.0, ranges.End(0).ToSeconds(), 0.000001);
-}
-
-TEST(MP4Reader, BufferedRangeMissingLastByte)
-{
-  RefPtr<TestBinding> b = new TestBinding();
-  b->Init();
-
-  // Dropping the last byte of the video
-  b->resource->MockClearBufferedRanges();
-  b->resource->MockAddBufferedRange(248400, 324912);
-  b->resource->MockAddBufferedRange(324913, 327455);
-
-  media::TimeIntervals ranges = b->reader->GetBuffered();
-  EXPECT_EQ(1U, ranges.Length());
-  EXPECT_NEAR(270000.0 / 90000.0, ranges.Start(0).ToSeconds(), 0.000001);
-  EXPECT_NEAR(357000 / 90000.0, ranges.End(0).ToSeconds(), 0.000001);
-}
-
-TEST(MP4Reader, BufferedRangeSyncFrame)
-{
-  RefPtr<TestBinding> b = new TestBinding();
-  b->Init();
-
-  // Check that missing the first byte at 2 seconds skips right through to 3
-  // seconds because of a missing sync frame
-  b->resource->MockClearBufferedRanges();
-  b->resource->MockAddBufferedRange(146336, 327455);
-
-  media::TimeIntervals ranges = b->reader->GetBuffered();
-  EXPECT_EQ(1U, ranges.Length());
-  EXPECT_NEAR(270000.0 / 90000.0, ranges.Start(0).ToSeconds(), 0.000001);
-  EXPECT_NEAR(360000 / 90000.0, ranges.End(0).ToSeconds(), 0.000001);
-}
-
-TEST(MP4Reader, CompositionOrder)
-{
-  RefPtr<TestBinding> b = new TestBinding("mediasource_test.mp4");
-  b->Init();
-
-  // The first 5 video samples of this file are:
-  // Video timescale=2500
-  // Frame Start  Size  Time  Duration  Sync
-  //     1    48  5455   166        83  Yes
-  //     2  5503   145   249        83
-  //     3  6228   575   581        83
-  //     4  7383   235   415        83
-  //     5  8779   183   332        83
-  //     6  9543   191   498        83
-  //
-  // Audio timescale=44100
-  //     1  5648   580     0      1024  Yes
-  //     2  6803   580  1024      1058  Yes
-  //     3  7618   581  2082      1014  Yes
-  //     4  8199   580  3096      1015  Yes
-  //     5  8962   581  4111      1014  Yes
-  //     6  9734   580  5125      1014  Yes
-  //     7 10314   581  6139      1059  Yes
-  //     8 11207   580  7198      1014  Yes
-  //     9 12035   581  8212      1014  Yes
-  //    10 12616   580  9226      1015  Yes
-  //    11 13220   581  10241     1014  Yes
-
-  b->resource->MockClearBufferedRanges();
-  // First two frames in decoding + first audio frame
-  b->resource->MockAddBufferedRange(48, 5503);   // Video 1
-  b->resource->MockAddBufferedRange(5503, 5648); // Video 2
-  b->resource->MockAddBufferedRange(6228, 6803); // Video 3
-
-  // Audio - 5 frames; 0 - 139206 us
-  b->resource->MockAddBufferedRange(5648, 6228);
-  b->resource->MockAddBufferedRange(6803, 7383);
-  b->resource->MockAddBufferedRange(7618, 8199);
-  b->resource->MockAddBufferedRange(8199, 8779);
-  b->resource->MockAddBufferedRange(8962, 9563);
-  b->resource->MockAddBufferedRange(9734, 10314);
-  b->resource->MockAddBufferedRange(10314, 10895);
-  b->resource->MockAddBufferedRange(11207, 11787);
-  b->resource->MockAddBufferedRange(12035, 12616);
-  b->resource->MockAddBufferedRange(12616, 13196);
-  b->resource->MockAddBufferedRange(13220, 13901);
-
-  media::TimeIntervals ranges = b->reader->GetBuffered();
-  EXPECT_EQ(2U, ranges.Length());
-
-  EXPECT_NEAR(166.0 / 2500.0, ranges.Start(0).ToSeconds(), 0.000001);
-  EXPECT_NEAR(332.0 / 2500.0, ranges.End(0).ToSeconds(), 0.000001);
-
-  EXPECT_NEAR(581.0 / 2500.0, ranges.Start(1).ToSeconds(), 0.000001);
-  EXPECT_NEAR(11255.0 / 44100.0, ranges.End(1).ToSeconds(), 0.000001);
-}
-
-TEST(MP4Reader, Normalised)
-{
-  RefPtr<TestBinding> b = new TestBinding("mediasource_test.mp4");
-  b->Init();
-
-  // The first 5 video samples of this file are:
-  // Video timescale=2500
-  // Frame Start  Size  Time  Duration  Sync
-  //     1    48  5455   166        83  Yes
-  //     2  5503   145   249        83
-  //     3  6228   575   581        83
-  //     4  7383   235   415        83
-  //     5  8779   183   332        83
-  //     6  9543   191   498        83
-  //
-  // Audio timescale=44100
-  //     1  5648   580     0      1024  Yes
-  //     2  6803   580  1024      1058  Yes
-  //     3  7618   581  2082      1014  Yes
-  //     4  8199   580  3096      1015  Yes
-  //     5  8962   581  4111      1014  Yes
-  //     6  9734   580  5125      1014  Yes
-  //     7 10314   581  6139      1059  Yes
-  //     8 11207   580  7198      1014  Yes
-  //     9 12035   581  8212      1014  Yes
-  //    10 12616   580  9226      1015  Yes
-  //    11 13220   581  10241     1014  Yes
-
-  b->resource->MockClearBufferedRanges();
-  b->resource->MockAddBufferedRange(48, 13901);
-
-  media::TimeIntervals ranges = b->reader->GetBuffered();
-  EXPECT_EQ(1U, ranges.Length());
-
-  EXPECT_NEAR(166.0 / 2500.0, ranges.Start(0).ToSeconds(), 0.000001);
-  EXPECT_NEAR(11255.0 / 44100.0, ranges.End(0).ToSeconds(), 0.000001);
-}
diff --git a/dom/media/gtest/TestRust.cpp b/dom/media/gtest/TestRust.cpp
deleted file mode 100644
index 86d0e99b86..0000000000
--- a/dom/media/gtest/TestRust.cpp
+++ /dev/null
@@ -1,9 +0,0 @@
-#include <stdint.h>
-#include "gtest/gtest.h"
-
-extern "C" uint8_t* test_rust();
-
-TEST(rust, CallFromCpp) {
-  auto greeting = test_rust();
-  EXPECT_STREQ(reinterpret_cast<char*>(greeting), "hello from rust.");
-}
diff --git a/dom/media/gtest/hello.rs b/dom/media/gtest/hello.rs
deleted file mode 100644
index cd111882ae..0000000000
--- a/dom/media/gtest/hello.rs
+++ /dev/null
@@ -1,6 +0,0 @@
-#[no_mangle]
-pub extern fn test_rust() -> *const u8 {
-    // NB: rust &str aren't null terminated.
-    let greeting = "hello from rust.\0";
-    greeting.as_ptr()
-}
diff --git a/dom/media/gtest/moz.build b/dom/media/gtest/moz.build
index d5d02bcede..a7ea738073 100644
--- a/dom/media/gtest/moz.build
+++ b/dom/media/gtest/moz.build
@@ -21,7 +21,6 @@ UNIFIED_SOURCES += [
     'TestMozPromise.cpp',
     'TestMP3Demuxer.cpp',
     'TestMP4Demuxer.cpp',
-    # 'TestMP4Reader.cpp', disabled so we can turn check tests back on (bug 1175752)
     'TestTrackEncoder.cpp',
     'TestVideoSegment.cpp',
     'TestVideoUtils.cpp',
diff --git a/dom/media/mediasource/MediaSource.cpp b/dom/media/mediasource/MediaSource.cpp
index af541bbbb5..152c0085a4 100644
--- a/dom/media/mediasource/MediaSource.cpp
+++ b/dom/media/mediasource/MediaSource.cpp
@@ -62,8 +62,6 @@ namespace mozilla {
 
 // Returns true if we should enable MSE webm regardless of preferences.
 // 1. If MP4/H264 isn't supported:
-//   * Windows XP
-//   * Windows Vista and Server 2008 without the optional "Platform Update Supplement"
 //   * N/KN editions (Europe and Korea) of Windows 7/8/8.1/10 without the
 //     optional "Windows Media Feature Pack"
 // 2. If H264 hardware acceleration is not available.
diff --git a/dom/media/mediasource/moz.build b/dom/media/mediasource/moz.build
index 6ded1875d8..a1689c2169 100644
--- a/dom/media/mediasource/moz.build
+++ b/dom/media/mediasource/moz.build
@@ -38,9 +38,6 @@ TEST_DIRS += [
     'gtest',
 ]
 
-if CONFIG['MOZ_GONK_MEDIACODEC']:
-    DEFINES['MOZ_GONK_MEDIACODEC'] = True
-
 include('/ipc/chromium/chromium-config.mozbuild')
 
 FINAL_LIBRARY = 'xul'
diff --git a/dom/media/moz.build b/dom/media/moz.build
index 4d036a5f67..df8cb619dc 100644
--- a/dom/media/moz.build
+++ b/dom/media/moz.build
@@ -30,6 +30,7 @@ DIRS += [
     'ipc',
     'mediasink',
     'mediasource',
+    'mp3',
     'ogg',
     'platforms',
     'systemservices',
@@ -42,12 +43,6 @@ DIRS += [
     'standalone',
 ]
 
-if CONFIG['MOZ_DIRECTSHOW']:
-    DIRS += ['directshow']
-
-if CONFIG['MOZ_ANDROID_OMX']:
-    DIRS += ['android']
-
 if CONFIG['MOZ_FMP4']:
     DIRS += ['fmp4']
 
@@ -128,9 +123,6 @@ EXPORTS += [
     'MediaTimer.h',
     'MediaTrack.h',
     'MediaTrackList.h',
-    'MP3Decoder.h',
-    'MP3Demuxer.h',
-    'MP3FrameParser.h',
     'NextFrameSeekTask.h',
     'nsIDocumentActivity.h',
     'PrincipalChangeObserver.h',
@@ -237,9 +229,6 @@ UNIFIED_SOURCES += [
     'MediaTimer.cpp',
     'MediaTrack.cpp',
     'MediaTrackList.cpp',
-    'MP3Decoder.cpp',
-    'MP3Demuxer.cpp',
-    'MP3FrameParser.cpp',
     'NextFrameSeekTask.cpp',
     'QueueObject.cpp',
     'SeekJob.cpp',
@@ -294,11 +283,6 @@ LOCAL_INCLUDES += [
     '/netwerk/base',
 ]
 
-if CONFIG['MOZ_DIRECTSHOW']:
-    LOCAL_INCLUDES += [
-        '/media/webrtc/trunk/webrtc/modules/video_capture/windows',
-    ]
-
 if CONFIG['MOZ_WEBRTC']:
     LOCAL_INCLUDES += [
         '/media/webrtc/signaling/src/common',
diff --git a/dom/media/MP3Decoder.cpp b/dom/media/mp3/MP3Decoder.cpp
index b71111e796..074a0866d7 100644
--- a/dom/media/MP3Decoder.cpp
+++ b/dom/media/mp3/MP3Decoder.cpp
@@ -24,7 +24,7 @@ MP3Decoder::Clone(MediaDecoderOwner* aOwner) {
 MediaDecoderStateMachine*
 MP3Decoder::CreateStateMachine() {
   RefPtr<MediaDecoderReader> reader =
-      new MediaFormatReader(this, new mp3::MP3Demuxer(GetResource()));
+      new MediaFormatReader(this, new MP3Demuxer(GetResource()));
   return new MediaDecoderStateMachine(this, reader);
 }
 
diff --git a/dom/media/MP3Decoder.h b/dom/media/mp3/MP3Decoder.h
index 887251065a..887251065a 100644
--- a/dom/media/MP3Decoder.h
+++ b/dom/media/mp3/MP3Decoder.h
diff --git a/dom/media/MP3Demuxer.cpp b/dom/media/mp3/MP3Demuxer.cpp
index 7d478a41b1..5a98cabfed 100644
--- a/dom/media/MP3Demuxer.cpp
+++ b/dom/media/mp3/MP3Demuxer.cpp
@@ -33,7 +33,6 @@ using mozilla::media::TimeIntervals;
 using mp4_demuxer::ByteReader;
 
 namespace mozilla {
-namespace mp3 {
 
 // MP3Demuxer
 
@@ -1338,5 +1337,4 @@ ID3Parser::ID3Header::Update(uint8_t c) {
   return IsValid(mPos++);
 }
 
-} // namespace mp3
 } // namespace mozilla
diff --git a/dom/media/MP3Demuxer.h b/dom/media/mp3/MP3Demuxer.h
index 03e67b0d90..5331c4d54f 100644
--- a/dom/media/MP3Demuxer.h
+++ b/dom/media/mp3/MP3Demuxer.h
@@ -13,7 +13,6 @@
 #include <vector>
 
 namespace mozilla {
-namespace mp3 {
 
 class MP3TrackDemuxer;
 
@@ -468,7 +467,6 @@ private:
   UniquePtr<AudioInfo> mInfo;
 };
 
-} // namespace mp3
 } // namespace mozilla
 
 #endif
diff --git a/application/palemoon/components/about/moz.build b/dom/media/mp3/moz.build
index 95a8451baf..596d061f81 100644
--- a/application/palemoon/components/about/moz.build
+++ b/dom/media/mp3/moz.build
@@ -4,16 +4,14 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-EXPORTS.mozilla.browser += [
-    'AboutRedirector.h',
+EXPORTS += [
+    'MP3Decoder.h',
+    'MP3Demuxer.h',
 ]
 
-SOURCES += [
-    'AboutRedirector.cpp',
+UNIFIED_SOURCES += [
+    'MP3Decoder.cpp',
+    'MP3Demuxer.cpp',
 ]
 
-FINAL_LIBRARY = 'browsercomps'
-
-LOCAL_INCLUDES += [
-    '../build',
-]
+FINAL_LIBRARY = 'xul'
diff --git a/dom/media/platforms/MediaTelemetryConstants.h b/dom/media/platforms/MediaTelemetryConstants.h
deleted file mode 100644
index 5024949a8e..0000000000
--- a/dom/media/platforms/MediaTelemetryConstants.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#ifndef dom_media_platforms_MediaTelemetryConstants_h___
-#define dom_media_platforms_MediaTelemetryConstants_h___
-
-namespace mozilla {
-namespace media {
-
-enum class MediaDecoderBackend : uint32_t
-{
-  WMFSoftware = 0,
-  WMFDXVA2D3D9 = 1,
-  WMFDXVA2D3D11 = 2
-};
-
-} // namespace media
-} // namespace mozilla
-
-#endif // dom_media_platforms_MediaTelemetryConstants_h___
diff --git a/dom/media/platforms/PDMFactory.cpp b/dom/media/platforms/PDMFactory.cpp
index c1e58fdc2f..5bfdcffb73 100644
--- a/dom/media/platforms/PDMFactory.cpp
+++ b/dom/media/platforms/PDMFactory.cpp
@@ -19,9 +19,6 @@
 #ifdef MOZ_APPLEMEDIA
 #include "AppleDecoderModule.h"
 #endif
-#ifdef MOZ_GONK_MEDIACODEC
-#include "GonkDecoderModule.h"
-#endif
 #ifdef MOZ_WIDGET_ANDROID
 #include "AndroidDecoderModule.h"
 #endif
@@ -390,12 +387,6 @@ PDMFactory::CreatePDMs()
   m = new AppleDecoderModule();
   StartupPDM(m);
 #endif
-#ifdef MOZ_GONK_MEDIACODEC
-  if (MediaPrefs::PDMGonkDecoderEnabled()) {
-    m = new GonkDecoderModule();
-    StartupPDM(m);
-  }
-#endif
 #ifdef MOZ_WIDGET_ANDROID
   if(MediaPrefs::PDMAndroidMediaCodecEnabled()){
     m = new AndroidDecoderModule();
diff --git a/dom/media/platforms/moz.build b/dom/media/platforms/moz.build
index be13d31c44..f5fb72c5de 100644
--- a/dom/media/platforms/moz.build
+++ b/dom/media/platforms/moz.build
@@ -10,7 +10,6 @@ EXPORTS += [
     'agnostic/TheoraDecoder.h',
     'agnostic/VorbisDecoder.h',
     'agnostic/VPXDecoder.h',
-    'MediaTelemetryConstants.h',
     'PDMFactory.h',
     'PlatformDecoderModule.h',
     'wrappers/FuzzingWrapper.h',
diff --git a/dom/media/platforms/omx/OmxPlatformLayer.cpp b/dom/media/platforms/omx/OmxPlatformLayer.cpp
index 039b4a22f1..15b3062a4b 100644
--- a/dom/media/platforms/omx/OmxPlatformLayer.cpp
+++ b/dom/media/platforms/omx/OmxPlatformLayer.cpp
@@ -282,26 +282,7 @@ OmxPlatformLayer::CompressionFormat()
   }
 }
 
-// Implementations for different platforms will be defined in their own files.
-#ifdef OMX_PLATFORM_GONK
-
-bool
-OmxPlatformLayer::SupportsMimeType(const nsACString& aMimeType)
-{
-  return GonkOmxPlatformLayer::FindComponents(aMimeType);
-}
-
-OmxPlatformLayer*
-OmxPlatformLayer::Create(OmxDataDecoder* aDataDecoder,
-                         OmxPromiseLayer* aPromiseLayer,
-                         TaskQueue* aTaskQueue,
-                         layers::ImageContainer* aImageContainer)
-{
-  return new GonkOmxPlatformLayer(aDataDecoder, aPromiseLayer, aTaskQueue, aImageContainer);
-}
-
-#else // For platforms without OMX IL support.
-
+// For platforms without OMX IL support.
 bool
 OmxPlatformLayer::SupportsMimeType(const nsACString& aMimeType)
 {
@@ -317,6 +298,4 @@ OmxPlatformLayer::Create(OmxDataDecoder* aDataDecoder,
   return nullptr;
 }
 
-#endif
-
 }
diff --git a/dom/media/platforms/wmf/DXVA2Manager.cpp b/dom/media/platforms/wmf/DXVA2Manager.cpp
index 1226ea6216..69e002f7f0 100644
--- a/dom/media/platforms/wmf/DXVA2Manager.cpp
+++ b/dom/media/platforms/wmf/DXVA2Manager.cpp
@@ -14,7 +14,6 @@
 #include "mozilla/layers/D3D11ShareHandleImage.h"
 #include "mozilla/layers/ImageBridgeChild.h"
 #include "mozilla/layers/TextureForwarder.h"
-#include "MediaTelemetryConstants.h"
 #include "mfapi.h"
 #include "gfxPrefs.h"
 #include "MFTDecoder.h"
diff --git a/dom/media/platforms/wmf/WMFDecoderModule.h b/dom/media/platforms/wmf/WMFDecoderModule.h
index cd7b8c6609..6582f8056b 100644
--- a/dom/media/platforms/wmf/WMFDecoderModule.h
+++ b/dom/media/platforms/wmf/WMFDecoderModule.h
@@ -40,10 +40,8 @@ public:
   static int GetNumDecoderThreads();
 
   // Accessors that report whether we have the required MFTs available
-  // on the system to play various codecs. Windows Vista doesn't have the
-  // H.264/AAC decoders if the "Platform Update Supplement for Windows Vista"
-  // is not installed, and Window N and KN variants also require a "Media
-  // Feature Pack" to be installed. Windows XP doesn't have WMF.
+  // on the system to play various codecs. Windows N and KN variants
+  // require a "Media Feature Pack" to be installed.
   static bool HasAAC();
   static bool HasH264();
 
diff --git a/dom/media/platforms/wmf/WMFMediaDataDecoder.h b/dom/media/platforms/wmf/WMFMediaDataDecoder.h
index a4dd49f56f..75571d61e0 100644
--- a/dom/media/platforms/wmf/WMFMediaDataDecoder.h
+++ b/dom/media/platforms/wmf/WMFMediaDataDecoder.h
@@ -33,7 +33,7 @@ public:
   // Returns S_OK on success, or MF_E_TRANSFORM_NEED_MORE_INPUT if there's not
   // enough data to produce more output. If this returns a failure code other
   // than MF_E_TRANSFORM_NEED_MORE_INPUT, an error will be reported to the
-  // MP4Reader.
+  // MP4Demuxer.
   virtual HRESULT Output(int64_t aStreamOffset,
                          RefPtr<MediaData>& aOutput) = 0;
 
diff --git a/dom/media/platforms/wmf/WMFVideoMFTManager.cpp b/dom/media/platforms/wmf/WMFVideoMFTManager.cpp
index 8a51f817ab..a7633a7dee 100644
--- a/dom/media/platforms/wmf/WMFVideoMFTManager.cpp
+++ b/dom/media/platforms/wmf/WMFVideoMFTManager.cpp
@@ -27,7 +27,6 @@
 #include "mozilla/WindowsVersion.h"
 #include "mozilla/Telemetry.h"
 #include "nsPrintfCString.h"
-#include "MediaTelemetryConstants.h"
 #include "GMPUtils.h" // For SplitAt. TODO: Move SplitAt to a central place.
 #include "MP4Decoder.h"
 #include "VPXDecoder.h"
diff --git a/dom/media/test/manifest.js b/dom/media/test/manifest.js
index 7e30cc97d5..52e53a271b 100644
--- a/dom/media/test/manifest.js
+++ b/dom/media/test/manifest.js
@@ -266,10 +266,10 @@ var gPlayTests = [
   { name:"small-shot.mp3", type:"audio/mpeg", duration:0.27 },
   { name:"owl.mp3", type:"audio/mpeg", duration:3.343 },
   // owl.mp3 as above, but with something funny going on in the ID3v2 tag
-  // that causes DirectShow to fail.
+  // that caused DirectShow to fail.
   { name:"owl-funny-id3.mp3", type:"audio/mpeg", duration:3.343 },
   // owl.mp3 as above, but with something even funnier going on in the ID3v2 tag
-  // that causes DirectShow to fail.
+  // that caused DirectShow to fail.
   { name:"owl-funnier-id3.mp3", type:"audio/mpeg", duration:3.343 },
   // One second of silence with ~140KB of ID3 tags. Usually when the first MP3
   // frame is at such a high offset into the file, MP3FrameParser will give up
diff --git a/dom/media/test/test_can_play_type_mpeg.html b/dom/media/test/test_can_play_type_mpeg.html
index 89e5fabef3..514b5cc2f7 100644
--- a/dom/media/test/test_can_play_type_mpeg.html
+++ b/dom/media/test/test_can_play_type_mpeg.html
@@ -151,8 +151,7 @@ var haveMp4 = (getPref("media.wmf.enabled") && IsWindowsVistaOrLater()) ||
 
 check_mp4(document.getElementById('v'), haveMp4);
 
-var haveMp3 = getPref("media.directshow.enabled") ||
-              (getPref("media.wmf.enabled") && IsWindowsVistaOrLater()) ||
+var haveMp3 = getPref("media.wmf.enabled") ||
               (IsLinux() && getPref("media.ffmpeg.enabled")) ||
               (IsSupportedAndroid() &&
                ((IsJellyBeanOrLater() && getPref("media.android-media-codec.enabled")) ||
diff --git a/dom/moz.build b/dom/moz.build
index 358fc6411e..54dc0510e7 100644
--- a/dom/moz.build
+++ b/dom/moz.build
@@ -94,7 +94,6 @@ DIRS += [
     'xslt',
     'xul',
     'manifest',
-    'vr',
     'u2f',
     'console',
     'performance',
diff --git a/dom/vr/VRDisplay.cpp b/dom/vr/VRDisplay.cpp
deleted file mode 100644
index 80922422f9..0000000000
--- a/dom/vr/VRDisplay.cpp
+++ /dev/null
@@ -1,802 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "nsWrapperCache.h"
-
-#include "mozilla/dom/Element.h"
-#include "mozilla/dom/ElementBinding.h"
-#include "mozilla/dom/Promise.h"
-#include "mozilla/dom/VRDisplay.h"
-#include "mozilla/HoldDropJSObjects.h"
-#include "mozilla/dom/VRDisplayBinding.h"
-#include "Navigator.h"
-#include "gfxVR.h"
-#include "VRDisplayClient.h"
-#include "VRManagerChild.h"
-#include "VRDisplayPresentation.h"
-#include "nsIObserverService.h"
-#include "nsIFrame.h"
-#include "nsISupportsPrimitives.h"
-
-using namespace mozilla::gfx;
-
-namespace mozilla {
-namespace dom {
-
-VRFieldOfView::VRFieldOfView(nsISupports* aParent,
-                             double aUpDegrees, double aRightDegrees,
-                             double aDownDegrees, double aLeftDegrees)
-  : mParent(aParent)
-  , mUpDegrees(aUpDegrees)
-  , mRightDegrees(aRightDegrees)
-  , mDownDegrees(aDownDegrees)
-  , mLeftDegrees(aLeftDegrees)
-{
-}
-
-VRFieldOfView::VRFieldOfView(nsISupports* aParent, const gfx::VRFieldOfView& aSrc)
-  : mParent(aParent)
-  , mUpDegrees(aSrc.upDegrees)
-  , mRightDegrees(aSrc.rightDegrees)
-  , mDownDegrees(aSrc.downDegrees)
-  , mLeftDegrees(aSrc.leftDegrees)
-{
-}
-
-bool
-VRDisplayCapabilities::HasPosition() const
-{
-  return bool(mFlags & gfx::VRDisplayCapabilityFlags::Cap_Position);
-}
-
-bool
-VRDisplayCapabilities::HasOrientation() const
-{
-  return bool(mFlags & gfx::VRDisplayCapabilityFlags::Cap_Orientation);
-}
-
-bool
-VRDisplayCapabilities::HasExternalDisplay() const
-{
-  return bool(mFlags & gfx::VRDisplayCapabilityFlags::Cap_External);
-}
-
-bool
-VRDisplayCapabilities::CanPresent() const
-{
-  return bool(mFlags & gfx::VRDisplayCapabilityFlags::Cap_Present);
-}
-
-uint32_t
-VRDisplayCapabilities::MaxLayers() const
-{
-  return CanPresent() ? 1 : 0;
-}
-
-/*static*/ bool
-VRDisplay::RefreshVRDisplays(uint64_t aWindowId)
-{
-  gfx::VRManagerChild* vm = gfx::VRManagerChild::Get();
-  return vm && vm->RefreshVRDisplaysWithCallback(aWindowId);
-}
-
-/*static*/ void
-VRDisplay::UpdateVRDisplays(nsTArray<RefPtr<VRDisplay>>& aDisplays, nsPIDOMWindowInner* aWindow)
-{
-  nsTArray<RefPtr<VRDisplay>> displays;
-
-  gfx::VRManagerChild* vm = gfx::VRManagerChild::Get();
-  nsTArray<RefPtr<gfx::VRDisplayClient>> updatedDisplays;
-  if (vm && vm->GetVRDisplays(updatedDisplays)) {
-    for (size_t i = 0; i < updatedDisplays.Length(); i++) {
-      RefPtr<gfx::VRDisplayClient> display = updatedDisplays[i];
-      bool isNewDisplay = true;
-      for (size_t j = 0; j < aDisplays.Length(); j++) {
-        if (aDisplays[j]->GetClient()->GetDisplayInfo() == display->GetDisplayInfo()) {
-          displays.AppendElement(aDisplays[j]);
-          isNewDisplay = false;
-        }
-      }
-
-      if (isNewDisplay) {
-        displays.AppendElement(new VRDisplay(aWindow, display));
-      }
-    }
-  }
-
-  aDisplays = displays;
-}
-
-NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(VRFieldOfView, mParent)
-NS_IMPL_CYCLE_COLLECTION_ROOT_NATIVE(VRFieldOfView, AddRef)
-NS_IMPL_CYCLE_COLLECTION_UNROOT_NATIVE(VRFieldOfView, Release)
-
-
-JSObject*
-VRFieldOfView::WrapObject(JSContext* aCx,
-                          JS::Handle<JSObject*> aGivenProto)
-{
-  return VRFieldOfViewBinding::Wrap(aCx, this, aGivenProto);
-}
-
-NS_IMPL_CYCLE_COLLECTION_CLASS(VREyeParameters)
-
-NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(VREyeParameters)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK(mParent, mFOV)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER
-  tmp->mOffset = nullptr;
-NS_IMPL_CYCLE_COLLECTION_UNLINK_END
-
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(VREyeParameters)
-  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mParent, mFOV)
-  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
-
-NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN(VREyeParameters)
-  NS_IMPL_CYCLE_COLLECTION_TRACE_PRESERVED_WRAPPER
-  NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mOffset)
-NS_IMPL_CYCLE_COLLECTION_TRACE_END
-
-NS_IMPL_CYCLE_COLLECTION_ROOT_NATIVE(VREyeParameters, AddRef)
-NS_IMPL_CYCLE_COLLECTION_UNROOT_NATIVE(VREyeParameters, Release)
-
-VREyeParameters::VREyeParameters(nsISupports* aParent,
-                                 const gfx::Point3D& aEyeTranslation,
-                                 const gfx::VRFieldOfView& aFOV,
-                                 const gfx::IntSize& aRenderSize)
-  : mParent(aParent)
-  , mEyeTranslation(aEyeTranslation)
-  , mRenderSize(aRenderSize)
-{
-  mFOV = new VRFieldOfView(aParent, aFOV);
-  mozilla::HoldJSObjects(this);
-}
-
-VREyeParameters::~VREyeParameters()
-{
-  mozilla::DropJSObjects(this);
-}
-
-VRFieldOfView*
-VREyeParameters::FieldOfView()
-{
-  return mFOV;
-}
-
-void
-VREyeParameters::GetOffset(JSContext* aCx, JS::MutableHandle<JSObject*> aRetval, ErrorResult& aRv)
-{
-  if (!mOffset) {
-    // Lazily create the Float32Array
-    mOffset = dom::Float32Array::Create(aCx, this, 3, mEyeTranslation.components);
-    if (!mOffset) {
-      aRv.NoteJSContextException(aCx);
-      return;
-    }
-  }
-  aRetval.set(mOffset);
-}
-
-JSObject*
-VREyeParameters::WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto)
-{
-  return VREyeParametersBinding::Wrap(aCx, this, aGivenProto);
-}
-
-VRStageParameters::VRStageParameters(nsISupports* aParent,
-                                     const gfx::Matrix4x4& aSittingToStandingTransform,
-                                     const gfx::Size& aSize)
-  : mParent(aParent)
-  , mSittingToStandingTransform(aSittingToStandingTransform)
-  , mSittingToStandingTransformArray(nullptr)
-  , mSize(aSize)
-{
-  mozilla::HoldJSObjects(this);
-}
-
-VRStageParameters::~VRStageParameters()
-{
-  mozilla::DropJSObjects(this);
-}
-
-JSObject*
-VRStageParameters::WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto)
-{
-  return VRStageParametersBinding::Wrap(aCx, this, aGivenProto);
-}
-
-NS_IMPL_CYCLE_COLLECTION_CLASS(VRStageParameters)
-
-NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(VRStageParameters)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK(mParent)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER
-  tmp->mSittingToStandingTransformArray = nullptr;
-NS_IMPL_CYCLE_COLLECTION_UNLINK_END
-
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(VRStageParameters)
-  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mParent)
-  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
-
-NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN(VRStageParameters)
-  NS_IMPL_CYCLE_COLLECTION_TRACE_PRESERVED_WRAPPER
-  NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mSittingToStandingTransformArray)
-NS_IMPL_CYCLE_COLLECTION_TRACE_END
-
-NS_IMPL_CYCLE_COLLECTION_ROOT_NATIVE(VRStageParameters, AddRef)
-NS_IMPL_CYCLE_COLLECTION_UNROOT_NATIVE(VRStageParameters, Release)
-
-void
-VRStageParameters::GetSittingToStandingTransform(JSContext* aCx,
-                                                 JS::MutableHandle<JSObject*> aRetval,
-                                                 ErrorResult& aRv)
-{
-  if (!mSittingToStandingTransformArray) {
-    // Lazily create the Float32Array
-    mSittingToStandingTransformArray = dom::Float32Array::Create(aCx, this, 16,
-      mSittingToStandingTransform.components);
-    if (!mSittingToStandingTransformArray) {
-      aRv.NoteJSContextException(aCx);
-      return;
-    }
-  }
-  aRetval.set(mSittingToStandingTransformArray);
-}
-
-NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(VRDisplayCapabilities, mParent)
-NS_IMPL_CYCLE_COLLECTION_ROOT_NATIVE(VRDisplayCapabilities, AddRef)
-NS_IMPL_CYCLE_COLLECTION_UNROOT_NATIVE(VRDisplayCapabilities, Release)
-
-JSObject*
-VRDisplayCapabilities::WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto)
-{
-  return VRDisplayCapabilitiesBinding::Wrap(aCx, this, aGivenProto);
-}
-
-VRPose::VRPose(nsISupports* aParent, const gfx::VRHMDSensorState& aState)
-  : Pose(aParent)
-  , mVRState(aState)
-{
-  mFrameId = aState.inputFrameID;
-  mozilla::HoldJSObjects(this);
-}
-
-VRPose::VRPose(nsISupports* aParent)
-  : Pose(aParent)
-{
-  mFrameId = 0;
-  mVRState.Clear();
-  mozilla::HoldJSObjects(this);
-}
-
-VRPose::~VRPose()
-{
-  mozilla::DropJSObjects(this);
-}
-
-void
-VRPose::GetPosition(JSContext* aCx,
-                    JS::MutableHandle<JSObject*> aRetval,
-                    ErrorResult& aRv)
-{
-  SetFloat32Array(aCx, aRetval, mPosition, mVRState.position, 3,
-    !mPosition && bool(mVRState.flags & gfx::VRDisplayCapabilityFlags::Cap_Position),
-    aRv);
-}
-
-void
-VRPose::GetLinearVelocity(JSContext* aCx,
-                          JS::MutableHandle<JSObject*> aRetval,
-                          ErrorResult& aRv)
-{
-  SetFloat32Array(aCx, aRetval, mLinearVelocity, mVRState.linearVelocity, 3,
-    !mLinearVelocity && bool(mVRState.flags & gfx::VRDisplayCapabilityFlags::Cap_Position),
-    aRv);
-}
-
-void
-VRPose::GetLinearAcceleration(JSContext* aCx,
-                              JS::MutableHandle<JSObject*> aRetval,
-                              ErrorResult& aRv)
-{
-  SetFloat32Array(aCx, aRetval, mLinearAcceleration, mVRState.linearAcceleration, 3,
-    !mLinearAcceleration && bool(mVRState.flags & gfx::VRDisplayCapabilityFlags::Cap_LinearAcceleration),
-    aRv);
-
-}
-
-void
-VRPose::GetOrientation(JSContext* aCx,
-                       JS::MutableHandle<JSObject*> aRetval,
-                       ErrorResult& aRv)
-{
-  SetFloat32Array(aCx, aRetval, mOrientation, mVRState.orientation, 4,
-    !mOrientation && bool(mVRState.flags & gfx::VRDisplayCapabilityFlags::Cap_Orientation),
-    aRv);
-}
-
-void
-VRPose::GetAngularVelocity(JSContext* aCx,
-                           JS::MutableHandle<JSObject*> aRetval,
-                           ErrorResult& aRv)
-{
-  SetFloat32Array(aCx, aRetval, mAngularVelocity, mVRState.angularVelocity, 3,
-    !mAngularVelocity && bool(mVRState.flags & gfx::VRDisplayCapabilityFlags::Cap_Orientation),
-    aRv);
-}
-
-void
-VRPose::GetAngularAcceleration(JSContext* aCx,
-                               JS::MutableHandle<JSObject*> aRetval,
-                               ErrorResult& aRv)
-{
-  SetFloat32Array(aCx, aRetval, mAngularAcceleration, mVRState.angularAcceleration, 3,
-    !mAngularAcceleration && bool(mVRState.flags & gfx::VRDisplayCapabilityFlags::Cap_AngularAcceleration),
-    aRv);
-}
-
-JSObject*
-VRPose::WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto)
-{
-  return VRPoseBinding::Wrap(aCx, this, aGivenProto);
-}
-
-/* virtual */ JSObject*
-VRDisplay::WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto)
-{
-  return VRDisplayBinding::Wrap(aCx, this, aGivenProto);
-}
-
-VRDisplay::VRDisplay(nsPIDOMWindowInner* aWindow, gfx::VRDisplayClient* aClient)
-  : DOMEventTargetHelper(aWindow)
-  , mClient(aClient)
-  , mDepthNear(0.01f) // Default value from WebVR Spec
-  , mDepthFar(10000.0f) // Default value from WebVR Spec
-{
-  const gfx::VRDisplayInfo& info = aClient->GetDisplayInfo();
-  mDisplayId = info.GetDisplayID();
-  mDisplayName = NS_ConvertASCIItoUTF16(info.GetDisplayName());
-  mCapabilities = new VRDisplayCapabilities(aWindow, info.GetCapabilities());
-  if (info.GetCapabilities() & gfx::VRDisplayCapabilityFlags::Cap_StageParameters) {
-    mStageParameters = new VRStageParameters(aWindow,
-                                             info.GetSittingToStandingTransform(),
-                                             info.GetStageSize());
-  }
-  mozilla::HoldJSObjects(this);
-}
-
-VRDisplay::~VRDisplay()
-{
-  ExitPresentInternal();
-  mozilla::DropJSObjects(this);
-}
-
-void
-VRDisplay::LastRelease()
-{
-  // We don't want to wait for the CC to free up the presentation
-  // for use in other documents, so we do this in LastRelease().
-  ExitPresentInternal();
-}
-
-already_AddRefed<VREyeParameters>
-VRDisplay::GetEyeParameters(VREye aEye)
-{
-  gfx::VRDisplayInfo::Eye eye = aEye == VREye::Left ? gfx::VRDisplayInfo::Eye_Left : gfx::VRDisplayInfo::Eye_Right;
-  RefPtr<VREyeParameters> params =
-    new VREyeParameters(GetParentObject(),
-                        mClient->GetDisplayInfo().GetEyeTranslation(eye),
-                        mClient->GetDisplayInfo().GetEyeFOV(eye),
-                        mClient->GetDisplayInfo().SuggestedEyeResolution());
-  return params.forget();
-}
-
-VRDisplayCapabilities*
-VRDisplay::Capabilities()
-{
-  return mCapabilities;
-}
-
-VRStageParameters*
-VRDisplay::GetStageParameters()
-{
-  return mStageParameters;
-}
-
-void
-VRDisplay::UpdateFrameInfo()
-{
-  /**
-   * The WebVR 1.1 spec Requires that VRDisplay.getPose and VRDisplay.getFrameData
-   * must return the same values until the next VRDisplay.submitFrame.
-   *
-   * mFrameInfo is marked dirty at the end of the frame or start of a new
-   * composition and lazily created here in order to receive mid-frame
-   * pose-prediction updates while still ensuring conformance to the WebVR spec
-   * requirements.
-   *
-   * If we are not presenting WebVR content, the frame will never end and we should
-   * return the latest frame data always.
-   */
-  if (mFrameInfo.IsDirty() || !mPresentation) {
-    gfx::VRHMDSensorState state = mClient->GetSensorState();
-    const gfx::VRDisplayInfo& info = mClient->GetDisplayInfo();
-    mFrameInfo.Update(info, state, mDepthNear, mDepthFar);
-  }
-}
-
-bool
-VRDisplay::GetFrameData(VRFrameData& aFrameData)
-{
-  UpdateFrameInfo();
-  aFrameData.Update(mFrameInfo);
-  return true;
-}
-
-already_AddRefed<VRPose>
-VRDisplay::GetPose()
-{
-  UpdateFrameInfo();
-  RefPtr<VRPose> obj = new VRPose(GetParentObject(), mFrameInfo.mVRState);
-
-  return obj.forget();
-}
-
-void
-VRDisplay::ResetPose()
-{
-  mClient->ZeroSensor();
-}
-
-already_AddRefed<Promise>
-VRDisplay::RequestPresent(const nsTArray<VRLayer>& aLayers, ErrorResult& aRv)
-{
-  nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(GetParentObject());
-  if (!global) {
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
-  RefPtr<Promise> promise = Promise::Create(global, aRv);
-  NS_ENSURE_TRUE(!aRv.Failed(), nullptr);
-
-  nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
-  NS_ENSURE_TRUE(obs, nullptr);
-
-  if (mClient->GetIsPresenting()) {
-    // Only one presentation allowed per VRDisplay
-    // on a first-come-first-serve basis.
-    promise->MaybeRejectWithUndefined();
-  } else {
-    mPresentation = mClient->BeginPresentation(aLayers);
-    mFrameInfo.Clear();
-
-    nsresult rv = obs->AddObserver(this, "inner-window-destroyed", false);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      mPresentation = nullptr;
-      promise->MaybeRejectWithUndefined();
-    } else {
-      promise->MaybeResolve(JS::UndefinedHandleValue);
-    }
-  }
-  return promise.forget();
-}
-
-NS_IMETHODIMP
-VRDisplay::Observe(nsISupports* aSubject, const char* aTopic,
-  const char16_t* aData)
-{
-  MOZ_ASSERT(NS_IsMainThread());
-
-  if (strcmp(aTopic, "inner-window-destroyed") == 0) {
-    nsCOMPtr<nsISupportsPRUint64> wrapper = do_QueryInterface(aSubject);
-    NS_ENSURE_TRUE(wrapper, NS_ERROR_FAILURE);
-
-    uint64_t innerID;
-    nsresult rv = wrapper->GetData(&innerID);
-    NS_ENSURE_SUCCESS(rv, rv);
-
-    if (!GetOwner() || GetOwner()->WindowID() == innerID) {
-      ExitPresentInternal();
-    }
-
-    return NS_OK;
-  }
-
-  // This should not happen.
-  return NS_ERROR_FAILURE;
-}
-
-already_AddRefed<Promise>
-VRDisplay::ExitPresent(ErrorResult& aRv)
-{
-  nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(GetParentObject());
-  if (!global) {
-    aRv.Throw(NS_ERROR_FAILURE);
-    return nullptr;
-  }
-
-
-  RefPtr<Promise> promise = Promise::Create(global, aRv);
-  NS_ENSURE_TRUE(!aRv.Failed(), nullptr);
-
-  if (!IsPresenting()) {
-    // We can not exit a presentation outside of the context that
-    // started the presentation.
-    promise->MaybeRejectWithUndefined();
-  } else {
-    promise->MaybeResolve(JS::UndefinedHandleValue);
-    ExitPresentInternal();
-  }
-
-  return promise.forget();
-}
-
-void
-VRDisplay::ExitPresentInternal()
-{
-  mPresentation = nullptr;
-}
-
-void
-VRDisplay::GetLayers(nsTArray<VRLayer>& result)
-{
-  if (mPresentation) {
-    mPresentation->GetDOMLayers(result);
-  } else {
-    result = nsTArray<VRLayer>();
-  }
-}
-
-void
-VRDisplay::SubmitFrame()
-{
-  if (mPresentation) {
-    mPresentation->SubmitFrame();
-  }
-  mFrameInfo.Clear();
-}
-
-int32_t
-VRDisplay::RequestAnimationFrame(FrameRequestCallback& aCallback,
-ErrorResult& aError)
-{
-  gfx::VRManagerChild* vm = gfx::VRManagerChild::Get();
-
-  int32_t handle;
-  aError = vm->ScheduleFrameRequestCallback(aCallback, &handle);
-  return handle;
-}
-
-void
-VRDisplay::CancelAnimationFrame(int32_t aHandle, ErrorResult& aError)
-{
-  gfx::VRManagerChild* vm = gfx::VRManagerChild::Get();
-  vm->CancelFrameRequestCallback(aHandle);
-}
-
-
-bool
-VRDisplay::IsPresenting() const
-{
-  // IsPresenting returns true only if this Javascript context is presenting
-  // and will return false if another context is presenting.
-  return mPresentation != nullptr;
-}
-
-bool
-VRDisplay::IsConnected() const
-{
-  return mClient->GetIsConnected();
-}
-
-NS_IMPL_CYCLE_COLLECTION_INHERITED(VRDisplay, DOMEventTargetHelper, mCapabilities, mStageParameters)
-
-NS_IMPL_ADDREF_INHERITED(VRDisplay, DOMEventTargetHelper)
-NS_IMPL_RELEASE_INHERITED(VRDisplay, DOMEventTargetHelper)
-
-NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(VRDisplay)
-NS_INTERFACE_MAP_ENTRY(nsIObserver)
-NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, DOMEventTargetHelper)
-NS_INTERFACE_MAP_END_INHERITING(DOMEventTargetHelper)
-
-NS_IMPL_CYCLE_COLLECTION_CLASS(VRFrameData)
-
-NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(VRFrameData)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK(mParent, mPose)
-  NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER
-  tmp->mLeftProjectionMatrix = nullptr;
-  tmp->mLeftViewMatrix = nullptr;
-  tmp->mRightProjectionMatrix = nullptr;
-  tmp->mRightViewMatrix = nullptr;
-NS_IMPL_CYCLE_COLLECTION_UNLINK_END
-
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(VRFrameData)
-  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mParent, mPose)
-  NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS
-NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
-
-NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN(VRFrameData)
-  NS_IMPL_CYCLE_COLLECTION_TRACE_PRESERVED_WRAPPER
-  NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mLeftProjectionMatrix)
-  NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mLeftViewMatrix)
-  NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mRightProjectionMatrix)
-  NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mRightViewMatrix)
-NS_IMPL_CYCLE_COLLECTION_TRACE_END
-
-NS_IMPL_CYCLE_COLLECTION_ROOT_NATIVE(VRFrameData, AddRef)
-NS_IMPL_CYCLE_COLLECTION_UNROOT_NATIVE(VRFrameData, Release)
-
-VRFrameData::VRFrameData(nsISupports* aParent)
-  : mParent(aParent)
-  , mLeftProjectionMatrix(nullptr)
-  , mLeftViewMatrix(nullptr)
-  , mRightProjectionMatrix(nullptr)
-  , mRightViewMatrix(nullptr)
-{
-  mozilla::HoldJSObjects(this);
-  mPose = new VRPose(aParent);
-}
-
-VRFrameData::~VRFrameData()
-{
-  mozilla::DropJSObjects(this);
-}
-
-/* static */ already_AddRefed<VRFrameData>
-VRFrameData::Constructor(const GlobalObject& aGlobal, ErrorResult& aRv)
-{
-  RefPtr<VRFrameData> obj = new VRFrameData(aGlobal.GetAsSupports());
-  return obj.forget();
-}
-
-JSObject*
-VRFrameData::WrapObject(JSContext* aCx,
-                        JS::Handle<JSObject*> aGivenProto)
-{
-  return VRFrameDataBinding::Wrap(aCx, this, aGivenProto);
-}
-
-VRPose*
-VRFrameData::Pose()
-{
-  return mPose;
-}
-
-void
-VRFrameData::LazyCreateMatrix(JS::Heap<JSObject*>& aArray, gfx::Matrix4x4& aMat, JSContext* aCx,
-                              JS::MutableHandle<JSObject*> aRetval, ErrorResult& aRv)
-{
-  if (!aArray) {
-    // Lazily create the Float32Array
-    aArray = dom::Float32Array::Create(aCx, this, 16, aMat.components);
-    if (!aArray) {
-      aRv.NoteJSContextException(aCx);
-      return;
-    }
-  }
-  if (aArray) {
-    JS::ExposeObjectToActiveJS(aArray);
-  }
-  aRetval.set(aArray);
-}
-
-double
-VRFrameData::Timestamp() const
-{
-  // Converting from seconds to milliseconds
-  return mFrameInfo.mVRState.timestamp * 1000.0f;
-}
-
-void
-VRFrameData::GetLeftProjectionMatrix(JSContext* aCx,
-                                     JS::MutableHandle<JSObject*> aRetval,
-                                     ErrorResult& aRv)
-{
-  LazyCreateMatrix(mLeftProjectionMatrix, mFrameInfo.mLeftProjection, aCx,
-                   aRetval, aRv);
-}
-
-void
-VRFrameData::GetLeftViewMatrix(JSContext* aCx,
-                               JS::MutableHandle<JSObject*> aRetval,
-                               ErrorResult& aRv)
-{
-  LazyCreateMatrix(mLeftViewMatrix, mFrameInfo.mLeftView, aCx, aRetval, aRv);
-}
-
-void
-VRFrameData::GetRightProjectionMatrix(JSContext* aCx,
-                                      JS::MutableHandle<JSObject*> aRetval,
-                                      ErrorResult& aRv)
-{
-  LazyCreateMatrix(mRightProjectionMatrix, mFrameInfo.mRightProjection, aCx,
-                   aRetval, aRv);
-}
-
-void
-VRFrameData::GetRightViewMatrix(JSContext* aCx,
-                                JS::MutableHandle<JSObject*> aRetval,
-                                ErrorResult& aRv)
-{
-  LazyCreateMatrix(mRightViewMatrix, mFrameInfo.mRightView, aCx, aRetval, aRv);
-}
-
-void
-VRFrameData::Update(const VRFrameInfo& aFrameInfo)
-{
-  mFrameInfo = aFrameInfo;
-
-  mLeftProjectionMatrix = nullptr;
-  mLeftViewMatrix = nullptr;
-  mRightProjectionMatrix = nullptr;
-  mRightViewMatrix = nullptr;
-
-  mPose = new VRPose(GetParentObject(), mFrameInfo.mVRState);
-}
-
-void
-VRFrameInfo::Update(const gfx::VRDisplayInfo& aInfo,
-                    const gfx::VRHMDSensorState& aState,
-                    float aDepthNear,
-                    float aDepthFar)
-{
-  mVRState = aState;
-
-  gfx::Quaternion qt;
-  if (mVRState.flags & gfx::VRDisplayCapabilityFlags::Cap_Orientation) {
-    qt.x = mVRState.orientation[0];
-    qt.y = mVRState.orientation[1];
-    qt.z = mVRState.orientation[2];
-    qt.w = mVRState.orientation[3];
-  }
-  gfx::Point3D pos;
-  if (mVRState.flags & gfx::VRDisplayCapabilityFlags::Cap_Position) {
-    pos.x = -mVRState.position[0];
-    pos.y = -mVRState.position[1];
-    pos.z = -mVRState.position[2];
-  }
-  gfx::Matrix4x4 matHead;
-  matHead.SetRotationFromQuaternion(qt);
-  matHead.PreTranslate(pos);
-
-  mLeftView = matHead;
-  mLeftView.PostTranslate(-aInfo.mEyeTranslation[gfx::VRDisplayInfo::Eye_Left]);
-
-  mRightView = matHead;
-  mRightView.PostTranslate(-aInfo.mEyeTranslation[gfx::VRDisplayInfo::Eye_Right]);
-
-  // Avoid division by zero within ConstructProjectionMatrix
-  const float kEpsilon = 0.00001f;
-  if (fabs(aDepthFar - aDepthNear) < kEpsilon) {
-    aDepthFar = aDepthNear + kEpsilon;
-  }
-
-  const gfx::VRFieldOfView leftFOV = aInfo.mEyeFOV[gfx::VRDisplayInfo::Eye_Left];
-  mLeftProjection = leftFOV.ConstructProjectionMatrix(aDepthNear, aDepthFar, true);
-  const gfx::VRFieldOfView rightFOV = aInfo.mEyeFOV[gfx::VRDisplayInfo::Eye_Right];
-  mRightProjection = rightFOV.ConstructProjectionMatrix(aDepthNear, aDepthFar, true);
-}
-
-VRFrameInfo::VRFrameInfo()
-{
-  mVRState.Clear();
-}
-
-bool
-VRFrameInfo::IsDirty()
-{
-  return mVRState.timestamp == 0;
-}
-
-void
-VRFrameInfo::Clear()
-{
-  mVRState.Clear();
-}
-
-} // namespace dom
-} // namespace mozilla
diff --git a/dom/vr/VRDisplay.h b/dom/vr/VRDisplay.h
deleted file mode 100644
index d40d3d8aca..0000000000
--- a/dom/vr/VRDisplay.h
+++ /dev/null
@@ -1,362 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_dom_VRDisplay_h_
-#define mozilla_dom_VRDisplay_h_
-
-#include <stdint.h>
-
-#include "mozilla/ErrorResult.h"
-#include "mozilla/dom/TypedArray.h"
-#include "mozilla/dom/VRDisplayBinding.h"
-#include "mozilla/DOMEventTargetHelper.h"
-#include "mozilla/dom/DOMPoint.h"
-#include "mozilla/dom/DOMRect.h"
-#include "mozilla/dom/Pose.h"
-
-#include "nsCOMPtr.h"
-#include "nsString.h"
-#include "nsTArray.h"
-
-#include "gfxVR.h"
-
-namespace mozilla {
-namespace gfx {
-class VRDisplayClient;
-class VRDisplayPresentation;
-struct VRFieldOfView;
-enum class VRDisplayCapabilityFlags : uint16_t;
-struct VRHMDSensorState;
-}
-namespace dom {
-class Navigator;
-
-class VRFieldOfView final : public nsWrapperCache
-{
-public:
-  VRFieldOfView(nsISupports* aParent,
-                double aUpDegrees, double aRightDegrees,
-                double aDownDegrees, double aLeftDegrees);
-  VRFieldOfView(nsISupports* aParent, const gfx::VRFieldOfView& aSrc);
-
-  NS_INLINE_DECL_CYCLE_COLLECTING_NATIVE_REFCOUNTING(VRFieldOfView)
-  NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_NATIVE_CLASS(VRFieldOfView)
-
-  double UpDegrees() const { return mUpDegrees; }
-  double RightDegrees() const { return mRightDegrees; }
-  double DownDegrees() const { return mDownDegrees; }
-  double LeftDegrees() const { return mLeftDegrees; }
-
-  nsISupports* GetParentObject() const { return mParent; }
-  virtual JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;
-
-protected:
-  virtual ~VRFieldOfView() {}
-
-  nsCOMPtr<nsISupports> mParent;
-
-  double mUpDegrees;
-  double mRightDegrees;
-  double mDownDegrees;
-  double mLeftDegrees;
-};
-
-class VRDisplayCapabilities final : public nsWrapperCache
-{
-public:
-  VRDisplayCapabilities(nsISupports* aParent, const gfx::VRDisplayCapabilityFlags& aFlags)
-    : mParent(aParent)
-    , mFlags(aFlags)
-  {
-  }
-
-  NS_INLINE_DECL_CYCLE_COLLECTING_NATIVE_REFCOUNTING(VRDisplayCapabilities)
-  NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_NATIVE_CLASS(VRDisplayCapabilities)
-
-  nsISupports* GetParentObject() const
-  {
-    return mParent;
-  }
-
-  virtual JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;
-
-  bool HasPosition() const;
-  bool HasOrientation() const;
-  bool HasExternalDisplay() const;
-  bool CanPresent() const;
-  uint32_t MaxLayers() const;
-
-protected:
-  ~VRDisplayCapabilities() {}
-  nsCOMPtr<nsISupports> mParent;
-  gfx::VRDisplayCapabilityFlags mFlags;
-};
-
-class VRPose final : public Pose
-{
-
-public:
-  VRPose(nsISupports* aParent, const gfx::VRHMDSensorState& aState);
-  explicit VRPose(nsISupports* aParent);
-
-  uint32_t FrameID() const { return mFrameId; }
-
-  virtual void GetPosition(JSContext* aCx,
-                           JS::MutableHandle<JSObject*> aRetval,
-                           ErrorResult& aRv) override;
-  virtual void GetLinearVelocity(JSContext* aCx,
-                                 JS::MutableHandle<JSObject*> aRetval,
-                                 ErrorResult& aRv) override;
-  virtual void GetLinearAcceleration(JSContext* aCx,
-                                     JS::MutableHandle<JSObject*> aRetval,
-                                     ErrorResult& aRv) override;
-  virtual void GetOrientation(JSContext* aCx,
-                              JS::MutableHandle<JSObject*> aRetval,
-                              ErrorResult& aRv) override;
-  virtual void GetAngularVelocity(JSContext* aCx,
-                                  JS::MutableHandle<JSObject*> aRetval,
-                                  ErrorResult& aRv) override;
-  virtual void GetAngularAcceleration(JSContext* aCx,
-                                      JS::MutableHandle<JSObject*> aRetval,
-                                      ErrorResult& aRv) override;
-
-  virtual JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;
-
-protected:
-  ~VRPose();
-
-  uint32_t mFrameId;
-  gfx::VRHMDSensorState mVRState;
-};
-
-struct VRFrameInfo
-{
-  VRFrameInfo();
-
-  void Update(const gfx::VRDisplayInfo& aInfo,
-              const gfx::VRHMDSensorState& aState,
-              float aDepthNear,
-              float aDepthFar);
-
-  void Clear();
-  bool IsDirty();
-
-  gfx::VRHMDSensorState mVRState;
-  gfx::Matrix4x4 mLeftProjection;
-  gfx::Matrix4x4 mLeftView;
-  gfx::Matrix4x4 mRightProjection;
-  gfx::Matrix4x4 mRightView;
-
-};
-
-class VRFrameData final : public nsWrapperCache
-{
-public:
-  NS_INLINE_DECL_CYCLE_COLLECTING_NATIVE_REFCOUNTING(VRFrameData)
-  NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_NATIVE_CLASS(VRFrameData)
-
-  explicit VRFrameData(nsISupports* aParent);
-  static already_AddRefed<VRFrameData> Constructor(const GlobalObject& aGlobal,
-                                                   ErrorResult& aRv);
-
-  void Update(const VRFrameInfo& aFrameInfo);
-
-  // WebIDL Members
-  double Timestamp() const;
-  void GetLeftProjectionMatrix(JSContext* aCx,
-                               JS::MutableHandle<JSObject*> aRetval,
-                               ErrorResult& aRv);
-  void GetLeftViewMatrix(JSContext* aCx,
-                         JS::MutableHandle<JSObject*> aRetval,
-                         ErrorResult& aRv);
-  void GetRightProjectionMatrix(JSContext* aCx,
-                               JS::MutableHandle<JSObject*> aRetval,
-                               ErrorResult& aRv);
-  void GetRightViewMatrix(JSContext* aCx,
-                          JS::MutableHandle<JSObject*> aRetval,
-                          ErrorResult& aRv);
-
-  VRPose* Pose();
-
-  // WebIDL Boilerplate
-  nsISupports* GetParentObject() const { return mParent; }
-  virtual JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;
-
-protected:
-  ~VRFrameData();
-  nsCOMPtr<nsISupports> mParent;
-
-  VRFrameInfo mFrameInfo;
-  RefPtr<VRPose> mPose;
-  JS::Heap<JSObject*> mLeftProjectionMatrix;
-  JS::Heap<JSObject*> mLeftViewMatrix;
-  JS::Heap<JSObject*> mRightProjectionMatrix;
-  JS::Heap<JSObject*> mRightViewMatrix;
-
-  void LazyCreateMatrix(JS::Heap<JSObject*>& aArray, gfx::Matrix4x4& aMat,
-                        JSContext* aCx, JS::MutableHandle<JSObject*> aRetval,
-                        ErrorResult& aRv);
-};
-
-class VRStageParameters final : public nsWrapperCache
-{
-public:
-  VRStageParameters(nsISupports* aParent,
-                    const gfx::Matrix4x4& aSittingToStandingTransform,
-                    const gfx::Size& aSize);
-
-  NS_INLINE_DECL_CYCLE_COLLECTING_NATIVE_REFCOUNTING(VRStageParameters)
-  NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_NATIVE_CLASS(VRStageParameters)
-
-  void GetSittingToStandingTransform(JSContext* aCx,
-                                     JS::MutableHandle<JSObject*> aRetval,
-                                     ErrorResult& aRv);
-  float SizeX() const { return mSize.width; }
-  float SizeZ() const { return mSize.height; }
-
-  nsISupports* GetParentObject() const { return mParent; }
-  virtual JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;
-
-protected:
-  ~VRStageParameters();
-
-  nsCOMPtr<nsISupports> mParent;
-
-  gfx::Matrix4x4 mSittingToStandingTransform;
-  JS::Heap<JSObject*> mSittingToStandingTransformArray;
-  gfx::Size mSize;
-};
-
-class VREyeParameters final : public nsWrapperCache
-{
-public:
-  VREyeParameters(nsISupports* aParent,
-                  const gfx::Point3D& aEyeTranslation,
-                  const gfx::VRFieldOfView& aFOV,
-                  const gfx::IntSize& aRenderSize);
-
-  NS_INLINE_DECL_CYCLE_COLLECTING_NATIVE_REFCOUNTING(VREyeParameters)
-  NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_NATIVE_CLASS(VREyeParameters)
-
-  void GetOffset(JSContext* aCx, JS::MutableHandle<JSObject*> aRetVal,
-                 ErrorResult& aRv);
-
-  VRFieldOfView* FieldOfView();
-
-  uint32_t RenderWidth() const { return mRenderSize.width; }
-  uint32_t RenderHeight() const { return mRenderSize.height; }
-
-  nsISupports* GetParentObject() const { return mParent; }
-  virtual JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;
-protected:
-  ~VREyeParameters();
-
-  nsCOMPtr<nsISupports> mParent;
-
-
-  gfx::Point3D mEyeTranslation;
-  gfx::IntSize mRenderSize;
-  JS::Heap<JSObject*> mOffset;
-  RefPtr<VRFieldOfView> mFOV;
-};
-
-class VRDisplay final : public DOMEventTargetHelper
-                      , public nsIObserver
-{
-public:
-  NS_DECL_ISUPPORTS_INHERITED
-  NS_DECL_NSIOBSERVER
-  NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(VRDisplay, DOMEventTargetHelper)
-
-  virtual JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;
-
-  bool IsPresenting() const;
-  bool IsConnected() const;
-
-  VRDisplayCapabilities* Capabilities();
-  VRStageParameters* GetStageParameters();
-
-  uint32_t DisplayId() const { return mDisplayId; }
-  void GetDisplayName(nsAString& aDisplayName) const { aDisplayName = mDisplayName; }
-
-  static bool RefreshVRDisplays(uint64_t aWindowId);
-  static void UpdateVRDisplays(nsTArray<RefPtr<VRDisplay> >& aDisplays,
-                               nsPIDOMWindowInner* aWindow);
-
-  gfx::VRDisplayClient *GetClient() {
-    return mClient;
-  }
-
-  virtual already_AddRefed<VREyeParameters> GetEyeParameters(VREye aEye);
-
-  bool GetFrameData(VRFrameData& aFrameData);
-  already_AddRefed<VRPose> GetPose();
-  void ResetPose();
-
-  double DepthNear() {
-    return mDepthNear;
-  }
-
-  double DepthFar() {
-    return mDepthFar;
-  }
-
-  void SetDepthNear(double aDepthNear) {
-    // XXX When we start sending depth buffers to VRLayer's we will want
-    // to communicate this with the VRDisplayHost
-    mDepthNear = aDepthNear;
-  }
-
-  void SetDepthFar(double aDepthFar) {
-    // XXX When we start sending depth buffers to VRLayer's we will want
-    // to communicate this with the VRDisplayHost
-    mDepthFar = aDepthFar;
-  }
-
-  already_AddRefed<Promise> RequestPresent(const nsTArray<VRLayer>& aLayers, ErrorResult& aRv);
-  already_AddRefed<Promise> ExitPresent(ErrorResult& aRv);
-  void GetLayers(nsTArray<VRLayer>& result);
-  void SubmitFrame();
-
-  int32_t RequestAnimationFrame(mozilla::dom::FrameRequestCallback& aCallback,
-                                mozilla::ErrorResult& aError);
-  void CancelAnimationFrame(int32_t aHandle, mozilla::ErrorResult& aError);
-
-protected:
-  VRDisplay(nsPIDOMWindowInner* aWindow, gfx::VRDisplayClient* aClient);
-  virtual ~VRDisplay();
-  virtual void LastRelease() override;
-
-  void ExitPresentInternal();
-  void UpdateFrameInfo();
-
-  RefPtr<gfx::VRDisplayClient> mClient;
-
-  uint32_t mDisplayId;
-  nsString mDisplayName;
-
-  RefPtr<VRDisplayCapabilities> mCapabilities;
-  RefPtr<VRStageParameters> mStageParameters;
-
-  double mDepthNear;
-  double mDepthFar;
-
-  RefPtr<gfx::VRDisplayPresentation> mPresentation;
-
-  /**
-  * The WebVR 1.1 spec Requires that VRDisplay.getPose and VRDisplay.getFrameData
-  * must return the same values until the next VRDisplay.submitFrame.
-  * mFrameInfo is updated only on the first call to either function within one
-  * frame.  Subsequent calls before the next SubmitFrame or ExitPresent call
-  * will use these cached values.
-  */
-  VRFrameInfo mFrameInfo;
-};
-
-} // namespace dom
-} // namespace mozilla
-
-#endif
diff --git a/dom/vr/VREventObserver.cpp b/dom/vr/VREventObserver.cpp
deleted file mode 100644
index 1b6d1b9787..0000000000
--- a/dom/vr/VREventObserver.cpp
+++ /dev/null
@@ -1,79 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
-* License, v. 2.0. If a copy of the MPL was not distributed with this
-* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "VREventObserver.h"
-
-#include "nsContentUtils.h"
-#include "nsGlobalWindow.h"
-#include "VRManagerChild.h"
-
-namespace mozilla {
-namespace dom {
-
-using namespace gfx;
-
-/**
- * This class is used by nsGlobalWindow to implement window.onvrdisplayconnected,
- * window.onvrdisplaydisconnected, and window.onvrdisplaypresentchange.
- */
-VREventObserver::VREventObserver(nsGlobalWindow* aGlobalWindow)
-  : mWindow(aGlobalWindow)
-{
-  MOZ_ASSERT(aGlobalWindow && aGlobalWindow->IsInnerWindow());
-
-  VRManagerChild* vmc = VRManagerChild::Get();
-  if (vmc) {
-    vmc->AddListener(this);
-  }
-}
-
-VREventObserver::~VREventObserver()
-{
-  VRManagerChild* vmc = VRManagerChild::Get();
-  if (vmc) {
-    vmc->RemoveListener(this);
-  }
-}
-
-void
-VREventObserver::NotifyVRDisplayConnect()
-{
-  /**
-   * We do not call nsGlobalWindow::NotifyActiveVRDisplaysChanged here, as we
-   * can assume that a newly enumerated display is not presenting WebVR
-   * content.
-   */
-  if (mWindow->AsInner()->IsCurrentInnerWindow()) {
-    MOZ_ASSERT(nsContentUtils::IsSafeToRunScript());
-    mWindow->GetOuterWindow()->DispatchCustomEvent(
-      NS_LITERAL_STRING("vrdisplayconnected"));
-  }
-}
-
-void
-VREventObserver::NotifyVRDisplayDisconnect()
-{
-  if (mWindow->AsInner()->IsCurrentInnerWindow()) {
-    mWindow->NotifyActiveVRDisplaysChanged();
-    MOZ_ASSERT(nsContentUtils::IsSafeToRunScript());
-    mWindow->GetOuterWindow()->DispatchCustomEvent(
-      NS_LITERAL_STRING("vrdisplaydisconnected"));
-  }
-}
-
-void
-VREventObserver::NotifyVRDisplayPresentChange()
-{
-  if (mWindow->AsInner()->IsCurrentInnerWindow()) {
-    mWindow->NotifyActiveVRDisplaysChanged();
-    MOZ_ASSERT(nsContentUtils::IsSafeToRunScript());
-    mWindow->GetOuterWindow()->DispatchCustomEvent(
-      NS_LITERAL_STRING("vrdisplaypresentchange"));
-  }
-}
-
-} // namespace dom
-} // namespace mozilla
diff --git a/dom/vr/VREventObserver.h b/dom/vr/VREventObserver.h
deleted file mode 100644
index a30bb59608..0000000000
--- a/dom/vr/VREventObserver.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
-* License, v. 2.0. If a copy of the MPL was not distributed with this file,
-* You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_dom_VREventObserver_h
-#define mozilla_dom_VREventObserver_h
-
-class nsGlobalWindow;
-
-namespace mozilla {
-namespace dom {
-
-class VREventObserver final
-{
-public:
-  ~VREventObserver();
-  explicit VREventObserver(nsGlobalWindow* aGlobalWindow);
-
-  void NotifyVRDisplayConnect();
-  void NotifyVRDisplayDisconnect();
-  void NotifyVRDisplayPresentChange();
-
-private:
-  // Weak pointer, instance is owned by mWindow.
-  nsGlobalWindow* MOZ_NON_OWNING_REF mWindow;
-};
-
-} // namespace dom
-} // namespace mozilla
-
-#endif // mozilla_dom_VREventObserver_h
diff --git a/dom/vr/moz.build b/dom/vr/moz.build
deleted file mode 100644
index a4aa8d69be..0000000000
--- a/dom/vr/moz.build
+++ /dev/null
@@ -1,22 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-EXPORTS.mozilla.dom += [
-    'VRDisplay.h',
-    'VREventObserver.h',
-    ]
-
-UNIFIED_SOURCES = [
-    'VRDisplay.cpp',
-    'VREventObserver.cpp',
-    ]
-
-include('/ipc/chromium/chromium-config.mozbuild')
-
-FINAL_LIBRARY = 'xul'
-LOCAL_INCLUDES += [
-    '/dom/base'
-]
diff --git a/dom/webidl/Navigator.webidl b/dom/webidl/Navigator.webidl
index 5452f3247a..c353e8be75 100644
--- a/dom/webidl/Navigator.webidl
+++ b/dom/webidl/Navigator.webidl
@@ -268,14 +268,6 @@ partial interface Navigator {
 };
 #endif // MOZ_GAMEPAD
 
-partial interface Navigator {
-  [Throws, Pref="dom.vr.enabled"]
-  Promise<sequence<VRDisplay>> getVRDisplays();
-  // TODO: Use FrozenArray once available. (Bug 1236777)
-  [Frozen, Cached, Pure, Pref="dom.vr.enabled"]
-  readonly attribute sequence<VRDisplay> activeVRDisplays;
-};
-
 #ifdef MOZ_TIME_MANAGER
 // nsIDOMMozNavigatorTime
 partial interface Navigator {
diff --git a/dom/webidl/VRDisplay.webidl b/dom/webidl/VRDisplay.webidl
deleted file mode 100644
index 63ebd1205b..0000000000
--- a/dom/webidl/VRDisplay.webidl
+++ /dev/null
@@ -1,286 +0,0 @@
-/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-enum VREye {
-  "left",
-  "right"
-};
-
-[Pref="dom.vr.enabled",
- HeaderFile="mozilla/dom/VRDisplay.h"]
-interface VRFieldOfView {
-  readonly attribute double upDegrees;
-  readonly attribute double rightDegrees;
-  readonly attribute double downDegrees;
-  readonly attribute double leftDegrees;
-};
-
-typedef (HTMLCanvasElement or OffscreenCanvas) VRSource;
-
-dictionary VRLayer {
-  /**
-   * XXX - When WebVR in WebWorkers is implemented, HTMLCanvasElement below
-   *       should be replaced with VRSource.
-   */
-  HTMLCanvasElement? source = null;
-
-  /**
-   * The left and right viewports contain 4 values defining the viewport
-   * rectangles within the canvas to present to the eye in UV space.
-   * [0] left offset of the viewport (0.0 - 1.0)
-   * [1] top offset of the viewport (0.0 - 1.0)
-   * [2] width of the viewport (0.0 - 1.0)
-   * [3] height of the viewport (0.0 - 1.0)
-   *
-   * When no values are passed, they will be processed as though the left
-   * and right sides of the viewport were passed:
-   *
-   * leftBounds: [0.0, 0.0, 0.5, 1.0]
-   * rightBounds: [0.5, 0.0, 0.5, 1.0]
-   */
-  sequence<float> leftBounds = [];
-  sequence<float> rightBounds = [];
-};
-
-/**
- * Values describing the capabilities of a VRDisplay.
- * These are expected to be static per-device/per-user.
- */
-[Pref="dom.vr.enabled",
- HeaderFile="mozilla/dom/VRDisplay.h"]
-interface VRDisplayCapabilities {
-  /**
-   * hasPosition is true if the VRDisplay is capable of tracking its position.
-   */
-  readonly attribute boolean hasPosition;
-
-  /**
-   * hasOrientation is true if the VRDisplay is capable of tracking its orientation.
-   */
-  readonly attribute boolean hasOrientation;
-
-  /**
-   * Whether the VRDisplay is separate from the device’s
-   * primary display. If presenting VR content will obscure
-   * other content on the device, this should be false. When
-   * false, the application should not attempt to mirror VR content
-   * or update non-VR UI because that content will not be visible.
-   */
-  readonly attribute boolean hasExternalDisplay;
-
-  /**
-   * Whether the VRDisplay is capable of presenting content to an HMD or similar device.
-   * Can be used to indicate “magic window” devices that are capable of 6DoF tracking but for
-   * which requestPresent is not meaningful. If false then calls to requestPresent should
-   * always fail, and getEyeParameters should return null.
-   */
-  readonly attribute boolean canPresent;
-
-  /**
-   * Indicates the maximum length of the array that requestPresent() will accept. MUST be 1 if
-     canPresent is true, 0 otherwise.
-   */
-  readonly attribute unsigned long maxLayers;
-};
-
-/**
- * Values describing the the stage / play area for devices
- * that support room-scale experiences.
- */
-[Pref="dom.vr.enabled",
- HeaderFile="mozilla/dom/VRDisplay.h"]
-interface VRStageParameters {
-  /**
-   * A 16-element array containing the components of a column-major 4x4
-   * affine transform matrix. This matrix transforms the sitting-space position
-   * returned by get{Immediate}Pose() to a standing-space position.
-   */
-  [Throws] readonly attribute Float32Array sittingToStandingTransform;
-
-  /**
-   * Dimensions of the play-area bounds. The bounds are defined
-   * as an axis-aligned rectangle on the floor.
-   * The center of the rectangle is at (0,0,0) in standing-space
-   * coordinates.
-   * These bounds are defined for safety purposes.
-   * Content should not require the user to move beyond these
-   * bounds; however, it is possible for the user to ignore
-   * the bounds resulting in position values outside of
-   * this rectangle.
-   */
-  readonly attribute float sizeX;
-  readonly attribute float sizeZ;
-};
-
-[Pref="dom.vr.enabled",
- HeaderFile="mozilla/dom/VRDisplay.h"]
-interface VRPose
-{
-  /**
-   * position, linearVelocity, and linearAcceleration are 3-component vectors.
-   * position is relative to a sitting space. Transforming this point with
-   * VRStageParameters.sittingToStandingTransform converts this to standing space.
-   */
-  [Constant, Throws] readonly attribute Float32Array? position;
-  [Constant, Throws] readonly attribute Float32Array? linearVelocity;
-  [Constant, Throws] readonly attribute Float32Array? linearAcceleration;
-
-  /* orientation is a 4-entry array representing the components of a quaternion. */
-  [Constant, Throws] readonly attribute Float32Array? orientation;
-  /* angularVelocity and angularAcceleration are the components of 3-dimensional vectors. */
-  [Constant, Throws] readonly attribute Float32Array? angularVelocity;
-  [Constant, Throws] readonly attribute Float32Array? angularAcceleration;
-};
-
-[Constructor,
- Pref="dom.vr.enabled",
- HeaderFile="mozilla/dom/VRDisplay.h"]
-interface VRFrameData {
-  readonly attribute DOMHighResTimeStamp timestamp;
-
-  [Throws, Pure] readonly attribute Float32Array leftProjectionMatrix;
-  [Throws, Pure] readonly attribute Float32Array leftViewMatrix;
-
-  [Throws, Pure] readonly attribute Float32Array rightProjectionMatrix;
-  [Throws, Pure] readonly attribute Float32Array rightViewMatrix;
-
-  [Pure] readonly attribute VRPose pose;
-};
-
-[Pref="dom.vr.enabled",
- HeaderFile="mozilla/dom/VRDisplay.h"]
-interface VREyeParameters {
-  /**
-   * offset is a 3-component vector representing an offset to
-   * translate the eye. This value may vary from frame
-   * to frame if the user adjusts their headset ipd.
-   */
-  [Constant, Throws] readonly attribute Float32Array offset;
-
-  /* These values may vary as the user adjusts their headset ipd. */
-  [Constant] readonly attribute VRFieldOfView fieldOfView;
-
-  /**
-   * renderWidth and renderHeight specify the recommended render target
-   * size of each eye viewport, in pixels. If multiple eyes are rendered
-   * in a single render target, then the render target should be made large
-   * enough to fit both viewports.
-   */
-  [Constant] readonly attribute unsigned long renderWidth;
-  [Constant] readonly attribute unsigned long renderHeight;
-};
-
-[Pref="dom.vr.enabled",
- HeaderFile="mozilla/dom/VRDisplay.h"]
-interface VRDisplay : EventTarget {
-  readonly attribute boolean isConnected;
-  readonly attribute boolean isPresenting;
-
-  /**
-   * Dictionary of capabilities describing the VRDisplay.
-   */
-  [Constant] readonly attribute VRDisplayCapabilities capabilities;
-
-  /**
-   * If this VRDisplay supports room-scale experiences, the optional
-   * stage attribute contains details on the room-scale parameters.
-   */
-  readonly attribute VRStageParameters? stageParameters;
-
-  /* Return the current VREyeParameters for the given eye. */
-  VREyeParameters getEyeParameters(VREye whichEye);
-
-  /**
-   * An identifier for this distinct VRDisplay. Used as an
-   * association point in the Gamepad API.
-   */
-  [Constant] readonly attribute unsigned long displayId;
-
-  /**
-   * A display name, a user-readable name identifying it.
-   */
-  [Constant] readonly attribute DOMString displayName;
-
-  /**
-   * Populates the passed VRFrameData with the information required to render
-   * the current frame.
-   */
-  boolean getFrameData(VRFrameData frameData);
-
-  /**
-   * Return a VRPose containing the future predicted pose of the VRDisplay
-   * when the current frame will be presented. Subsequent calls to getPose()
-   * MUST return a VRPose with the same values until the next call to
-   * submitFrame().
-   *
-   * The VRPose will contain the position, orientation, velocity,
-   * and acceleration of each of these properties.
-   */
-  [NewObject] VRPose getPose();
-
-  /**
-   * Reset the pose for this display, treating its current position and
-   * orientation as the "origin/zero" values. VRPose.position,
-   * VRPose.orientation, and VRStageParameters.sittingToStandingTransform may be
-   * updated when calling resetPose(). This should be called in only
-   * sitting-space experiences.
-   */
-  void resetPose();
-
-  /**
-   * z-depth defining the near plane of the eye view frustum
-   * enables mapping of values in the render target depth
-   * attachment to scene coordinates. Initially set to 0.01.
-   */
-  attribute double depthNear;
-
-  /**
-   * z-depth defining the far plane of the eye view frustum
-   * enables mapping of values in the render target depth
-   * attachment to scene coordinates. Initially set to 10000.0.
-   */
-  attribute double depthFar;
-
-  /**
-   * The callback passed to `requestAnimationFrame` will be called
-   * any time a new frame should be rendered. When the VRDisplay is
-   * presenting the callback will be called at the native refresh
-   * rate of the HMD. When not presenting this function acts
-   * identically to how window.requestAnimationFrame acts. Content should
-   * make no assumptions of frame rate or vsync behavior as the HMD runs
-   * asynchronously from other displays and at differing refresh rates.
-   */
-  [Throws] long requestAnimationFrame(FrameRequestCallback callback);
-
-  /**
-   * Passing the value returned by `requestAnimationFrame` to
-   * `cancelAnimationFrame` will unregister the callback.
-   */
-  [Throws] void cancelAnimationFrame(long handle);
-
-  /**
-   * Begin presenting to the VRDisplay. Must be called in response to a user gesture.
-   * Repeat calls while already presenting will update the VRLayers being displayed.
-   */
-  [Throws] Promise<void> requestPresent(sequence<VRLayer> layers);
-
-  /**
-   * Stops presenting to the VRDisplay.
-   */
-  [Throws] Promise<void> exitPresent();
-
-  /**
-   * Get the layers currently being presented.
-   */
-  sequence<VRLayer> getLayers();
-
-  /**
-   * The VRLayer provided to the VRDisplay will be captured and presented
-   * in the HMD. Calling this function has the same effect on the source
-   * canvas as any other operation that uses its source image, and canvases
-   * created without preserveDrawingBuffer set to true will be cleared.
-   */
-  void submitFrame();
-};
diff --git a/dom/webidl/moz.build b/dom/webidl/moz.build
index 4c2567a1c7..06fea2f20d 100644
--- a/dom/webidl/moz.build
+++ b/dom/webidl/moz.build
@@ -555,7 +555,6 @@ WEBIDL_FILES = [
     'VideoStreamTrack.webidl',
     'VideoTrack.webidl',
     'VideoTrackList.webidl',
-    'VRDisplay.webidl',
     'VTTCue.webidl',
     'VTTRegion.webidl',
     'WaveShaperNode.webidl',
diff --git a/gfx/ipc/GPUParent.cpp b/gfx/ipc/GPUParent.cpp
index b693f47289..9ff6cba9ec 100644
--- a/gfx/ipc/GPUParent.cpp
+++ b/gfx/ipc/GPUParent.cpp
@@ -28,8 +28,6 @@
 #include "nsThreadManager.h"
 #include "prenv.h"
 #include "ProcessUtils.h"
-#include "VRManager.h"
-#include "VRManagerParent.h"
 #include "VsyncBridgeParent.h"
 #if defined(XP_WIN)
 # include "DeviceManagerD3D9.h"
@@ -100,7 +98,6 @@ GPUParent::Init(base::ProcessId aParentPid,
   CompositorThreadHolder::Start();
   APZThreadUtils::SetControllerThread(CompositorThreadHolder::Loop());
   APZCTreeManager::InitializeGlobalState();
-  VRManager::ManagerInit();
   LayerTreeOwnerTracker::Initialize();
   mozilla::ipc::SetThisProcessName("GPU Process");
 #ifdef XP_WIN
@@ -203,13 +200,6 @@ GPUParent::RecvInitImageBridge(Endpoint<PImageBridgeParent>&& aEndpoint)
 }
 
 bool
-GPUParent::RecvInitVRManager(Endpoint<PVRManagerParent>&& aEndpoint)
-{
-  VRManagerParent::CreateForGPUProcess(Move(aEndpoint));
-  return true;
-}
-
-bool
 GPUParent::RecvUpdatePref(const GfxPrefSetting& setting)
 {
   gfxPrefs::Pref* pref = gfxPrefs::all()[setting.index()];
@@ -302,12 +292,6 @@ GPUParent::RecvNewContentImageBridge(Endpoint<PImageBridgeParent>&& aEndpoint)
 }
 
 bool
-GPUParent::RecvNewContentVRManager(Endpoint<PVRManagerParent>&& aEndpoint)
-{
-  return VRManagerParent::CreateForContent(Move(aEndpoint));
-}
-
-bool
 GPUParent::RecvNewContentVideoDecoderManager(Endpoint<PVideoDecoderManagerParent>&& aEndpoint)
 {
   return dom::VideoDecoderManagerParent::CreateForContent(Move(aEndpoint));
diff --git a/gfx/ipc/GPUParent.h b/gfx/ipc/GPUParent.h
index 126efce500..3c0494bd4f 100644
--- a/gfx/ipc/GPUParent.h
+++ b/gfx/ipc/GPUParent.h
@@ -32,7 +32,6 @@ public:
                 const DevicePrefs& devicePrefs) override;
   bool RecvInitVsyncBridge(Endpoint<PVsyncBridgeParent>&& aVsyncEndpoint) override;
   bool RecvInitImageBridge(Endpoint<PImageBridgeParent>&& aEndpoint) override;
-  bool RecvInitVRManager(Endpoint<PVRManagerParent>&& aEndpoint) override;
   bool RecvUpdatePref(const GfxPrefSetting& pref) override;
   bool RecvUpdateVar(const GfxVarUpdate& pref) override;
   bool RecvNewWidgetCompositor(
@@ -43,7 +42,6 @@ public:
     const IntSize& aSurfaceSize) override;
   bool RecvNewContentCompositorBridge(Endpoint<PCompositorBridgeParent>&& aEndpoint) override;
   bool RecvNewContentImageBridge(Endpoint<PImageBridgeParent>&& aEndpoint) override;
-  bool RecvNewContentVRManager(Endpoint<PVRManagerParent>&& aEndpoint) override;
   bool RecvNewContentVideoDecoderManager(Endpoint<PVideoDecoderManagerParent>&& aEndpoint) override;
   bool RecvGetDeviceStatus(GPUDeviceData* aOutStatus) override;
   bool RecvAddLayerTreeIdMapping(nsTArray<LayerTreeIdMapping>&& aMappings) override;
diff --git a/gfx/ipc/GPUProcessManager.cpp b/gfx/ipc/GPUProcessManager.cpp
index 0b55cd9b7d..8aaf0f1d0d 100644
--- a/gfx/ipc/GPUProcessManager.cpp
+++ b/gfx/ipc/GPUProcessManager.cpp
@@ -22,8 +22,6 @@
 #endif
 #include "nsBaseWidget.h"
 #include "nsContentUtils.h"
-#include "VRManagerChild.h"
-#include "VRManagerParent.h"
 #include "VsyncBridgeChild.h"
 #include "VsyncIOThreadHolder.h"
 #include "VsyncSource.h"
@@ -197,36 +195,6 @@ GPUProcessManager::EnsureImageBridgeChild()
 }
 
 void
-GPUProcessManager::EnsureVRManager()
-{
-  if (VRManagerChild::IsCreated()) {
-    return;
-  }
-
-  EnsureGPUReady();
-
-  if (!mGPUChild) {
-    VRManagerChild::InitSameProcess();
-    return;
-  }
-
-  ipc::Endpoint<PVRManagerParent> parentPipe;
-  ipc::Endpoint<PVRManagerChild> childPipe;
-  nsresult rv = PVRManager::CreateEndpoints(
-    mGPUChild->OtherPid(),
-    base::GetCurrentProcId(),
-    &parentPipe,
-    &childPipe);
-  if (NS_FAILED(rv)) {
-    DisableGPUProcess("Failed to create PVRManager endpoints");
-    return;
-  }
-
-  mGPUChild->SendInitVRManager(Move(parentPipe));
-  VRManagerChild::InitWithGPUProcess(Move(childPipe));
-}
-
-void
 GPUProcessManager::OnProcessLaunchComplete(GPUProcessHost* aHost)
 {
   MOZ_ASSERT(mProcess && mProcess == aHost);
@@ -488,7 +456,6 @@ GPUProcessManager::CreateTopLevelCompositor(nsBaseWidget* aWidget,
 
   EnsureGPUReady();
   EnsureImageBridgeChild();
-  EnsureVRManager();
 
   if (mGPUChild) {
     RefPtr<CompositorSession> session = CreateRemoteSession(
@@ -599,12 +566,10 @@ bool
 GPUProcessManager::CreateContentBridges(base::ProcessId aOtherProcess,
                                         ipc::Endpoint<PCompositorBridgeChild>* aOutCompositor,
                                         ipc::Endpoint<PImageBridgeChild>* aOutImageBridge,
-                                        ipc::Endpoint<PVRManagerChild>* aOutVRBridge,
                                         ipc::Endpoint<dom::PVideoDecoderManagerChild>* aOutVideoManager)
 {
   if (!CreateContentCompositorBridge(aOtherProcess, aOutCompositor) ||
-      !CreateContentImageBridge(aOtherProcess, aOutImageBridge) ||
-      !CreateContentVRManager(aOtherProcess, aOutVRBridge))
+      !CreateContentImageBridge(aOtherProcess, aOutImageBridge))
   {
     return false;
   }
@@ -692,40 +657,6 @@ GPUProcessManager::GPUProcessPid()
   return gpuPid;
 }
 
-bool
-GPUProcessManager::CreateContentVRManager(base::ProcessId aOtherProcess,
-                                          ipc::Endpoint<PVRManagerChild>* aOutEndpoint)
-{
-  EnsureVRManager();
-
-  base::ProcessId gpuPid = mGPUChild
-                           ? mGPUChild->OtherPid()
-                           : base::GetCurrentProcId();
-
-  ipc::Endpoint<PVRManagerParent> parentPipe;
-  ipc::Endpoint<PVRManagerChild> childPipe;
-  nsresult rv = PVRManager::CreateEndpoints(
-    gpuPid,
-    aOtherProcess,
-    &parentPipe,
-    &childPipe);
-  if (NS_FAILED(rv)) {
-    gfxCriticalNote << "Could not create content compositor bridge: " << hexa(int(rv));
-    return false;
-  }
-
-  if (mGPUChild) {
-    mGPUChild->SendNewContentVRManager(Move(parentPipe));
-  } else {
-    if (!VRManagerParent::CreateForContent(Move(parentPipe))) {
-      return false;
-    }
-  }
-
-  *aOutEndpoint = Move(childPipe);
-  return true;
-}
-
 void
 GPUProcessManager::CreateContentVideoDecoderManager(base::ProcessId aOtherProcess,
                                                     ipc::Endpoint<dom::PVideoDecoderManagerChild>* aOutEndpoint)
diff --git a/gfx/ipc/GPUProcessManager.h b/gfx/ipc/GPUProcessManager.h
index 84ed03609e..5d42790945 100644
--- a/gfx/ipc/GPUProcessManager.h
+++ b/gfx/ipc/GPUProcessManager.h
@@ -45,7 +45,6 @@ namespace gfx {
 
 class GPUChild;
 class GPUProcessListener;
-class PVRManagerChild;
 class VsyncBridgeChild;
 class VsyncIOThreadHolder;
 
@@ -91,7 +90,6 @@ public:
     base::ProcessId aOtherProcess,
     ipc::Endpoint<PCompositorBridgeChild>* aOutCompositor,
     ipc::Endpoint<PImageBridgeChild>* aOutImageBridge,
-    ipc::Endpoint<PVRManagerChild>* aOutVRBridge,
     ipc::Endpoint<dom::PVideoDecoderManagerChild>* aOutVideoManager);
 
   // This returns a reference to the APZCTreeManager to which
@@ -156,8 +154,6 @@ private:
                                      ipc::Endpoint<PCompositorBridgeChild>* aOutEndpoint);
   bool CreateContentImageBridge(base::ProcessId aOtherProcess,
                                 ipc::Endpoint<PImageBridgeChild>* aOutEndpoint);
-  bool CreateContentVRManager(base::ProcessId aOtherProcess,
-                              ipc::Endpoint<PVRManagerChild>* aOutEndpoint);
   void CreateContentVideoDecoderManager(base::ProcessId aOtherProcess,
                                         ipc::Endpoint<dom::PVideoDecoderManagerChild>* aOutEndPoint);
 
@@ -182,7 +178,6 @@ private:
   void ShutdownVsyncIOThread();
 
   void EnsureImageBridgeChild();
-  void EnsureVRManager();
 
   RefPtr<CompositorSession> CreateRemoteSession(
     nsBaseWidget* aWidget,
diff --git a/gfx/ipc/PGPU.ipdl b/gfx/ipc/PGPU.ipdl
index d36c513945..a2c035c751 100644
--- a/gfx/ipc/PGPU.ipdl
+++ b/gfx/ipc/PGPU.ipdl
@@ -6,7 +6,6 @@
 include GraphicsMessages;
 include protocol PCompositorBridge;
 include protocol PImageBridge;
-include protocol PVRManager;
 include protocol PVsyncBridge;
 include protocol PVideoDecoderManager;
 
@@ -47,7 +46,6 @@ parent:
 
   async InitVsyncBridge(Endpoint<PVsyncBridgeParent> endpoint);
   async InitImageBridge(Endpoint<PImageBridgeParent> endpoint);
-  async InitVRManager(Endpoint<PVRManagerParent> endpoint);
 
   // Called to update a gfx preference or variable.
   async UpdatePref(GfxPrefSetting pref);
@@ -63,7 +61,6 @@ parent:
   // Create a new content-process compositor bridge.
   async NewContentCompositorBridge(Endpoint<PCompositorBridgeParent> endpoint);
   async NewContentImageBridge(Endpoint<PImageBridgeParent> endpoint);
-  async NewContentVRManager(Endpoint<PVRManagerParent> endpoint);
   async NewContentVideoDecoderManager(Endpoint<PVideoDecoderManagerParent> endpoint);
 
   // Called to notify the GPU process of who owns a layersId.
diff --git a/gfx/layers/d3d11/TextureD3D11.cpp b/gfx/layers/d3d11/TextureD3D11.cpp
index 9542425855..628ca12882 100644
--- a/gfx/layers/d3d11/TextureD3D11.cpp
+++ b/gfx/layers/d3d11/TextureD3D11.cpp
@@ -1160,8 +1160,7 @@ CompositingRenderTargetD3D11::CompositingRenderTargetD3D11(ID3D11Texture2D* aTex
   mFormatOverride = aFormatOverride;
 
   // If we happen to have a typeless underlying DXGI surface, we need to be explicit
-  // about the format here. (Such a surface could come from an external source, such
-  // as the Oculus compositor)
+  // about the format here. (Such a surface could come from an external source)
   CD3D11_RENDER_TARGET_VIEW_DESC rtvDesc(D3D11_RTV_DIMENSION_TEXTURE2D, mFormatOverride);
   D3D11_RENDER_TARGET_VIEW_DESC *desc = aFormatOverride == DXGI_FORMAT_UNKNOWN ? nullptr : &rtvDesc;
 
diff --git a/gfx/layers/ipc/CompositorBridgeParent.cpp b/gfx/layers/ipc/CompositorBridgeParent.cpp
index 00602fab58..87a19f5c01 100644
--- a/gfx/layers/ipc/CompositorBridgeParent.cpp
+++ b/gfx/layers/ipc/CompositorBridgeParent.cpp
@@ -30,7 +30,6 @@
 #include "mozilla/gfx/2D.h"          // for DrawTarget
 #include "mozilla/gfx/Point.h"          // for IntSize
 #include "mozilla/gfx/Rect.h"          // for IntSize
-#include "VRManager.h"                  // for VRManager
 #include "mozilla/ipc/Transport.h"      // for Transport
 #include "mozilla/layers/APZCTreeManager.h"  // for APZCTreeManager
 #include "mozilla/layers/APZCTreeManagerParent.h"  // for APZCTreeManagerParent
@@ -475,7 +474,6 @@ CompositorVsyncScheduler::Composite(TimeStamp aVsyncTimestamp)
   }
 
   DispatchTouchEvents(aVsyncTimestamp);
-  DispatchVREvents(aVsyncTimestamp);
 
   if (mNeedsComposite || mAsapScheduling) {
     mNeedsComposite = 0;
@@ -542,15 +540,6 @@ CompositorVsyncScheduler::DispatchTouchEvents(TimeStamp aVsyncTimestamp)
 }
 
 void
-CompositorVsyncScheduler::DispatchVREvents(TimeStamp aVsyncTimestamp)
-{
-  MOZ_ASSERT(CompositorThreadHolder::IsInCompositorThread());
-
-  VRManager* vm = VRManager::Get();
-  vm->NotifyVsync(aVsyncTimestamp);
-}
-
-void
 CompositorVsyncScheduler::ScheduleTask(already_AddRefed<CancelableRunnable> aTask,
                                        int aTime)
 {
diff --git a/gfx/layers/ipc/CompositorThread.cpp b/gfx/layers/ipc/CompositorThread.cpp
index 789a5d5d3f..3f75832b61 100644
--- a/gfx/layers/ipc/CompositorThread.cpp
+++ b/gfx/layers/ipc/CompositorThread.cpp
@@ -12,11 +12,6 @@
 
 namespace mozilla {
 
-namespace gfx {
-// See VRManagerChild.cpp
-void ReleaseVRManagerParentSingleton();
-} // namespace gfx
-
 namespace layers {
 
 static StaticRefPtr<CompositorThreadHolder> sCompositorThreadHolder;
@@ -130,7 +125,6 @@ CompositorThreadHolder::Shutdown()
   MOZ_ASSERT(sCompositorThreadHolder, "The compositor thread has already been shut down!");
 
   ReleaseImageBridgeParentSingleton();
-  gfx::ReleaseVRManagerParentSingleton();
   MediaSystemResourceService::Shutdown();
 
   sCompositorThreadHolder = nullptr;
diff --git a/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp b/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp
index c3ea33149b..8bb5cf2d53 100644
--- a/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp
+++ b/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp
@@ -30,7 +30,6 @@
 #include "mozilla/gfx/2D.h"          // for DrawTarget
 #include "mozilla/gfx/Point.h"          // for IntSize
 #include "mozilla/gfx/Rect.h"          // for IntSize
-#include "VRManager.h"                  // for VRManager
 #include "mozilla/ipc/Transport.h"      // for Transport
 #include "mozilla/layers/APZCTreeManager.h"  // for APZCTreeManager
 #include "mozilla/layers/APZCTreeManagerParent.h"  // for APZCTreeManagerParent
diff --git a/gfx/layers/ipc/PTexture.ipdl b/gfx/layers/ipc/PTexture.ipdl
index bccff8627a..7c1979bf02 100644
--- a/gfx/layers/ipc/PTexture.ipdl
+++ b/gfx/layers/ipc/PTexture.ipdl
@@ -9,7 +9,6 @@ include LayersSurfaces;
 include protocol PLayerTransaction;
 include protocol PCompositorBridge;
 include protocol PImageBridge;
-include protocol PVRManager;
 include protocol PVideoBridge;
 include "mozilla/GfxMessageUtils.h";
 
@@ -23,7 +22,7 @@ namespace layers {
  * PTexture is the IPDL glue between a TextureClient and a TextureHost.
  */
 sync protocol PTexture {
-    manager PImageBridge or PCompositorBridge or PVRManager or PVideoBridge;
+    manager PImageBridge or PCompositorBridge or PVideoBridge;
 
 child:
     async __delete__();
diff --git a/gfx/moz.build b/gfx/moz.build
index 2509198912..428285a0a3 100644
--- a/gfx/moz.build
+++ b/gfx/moz.build
@@ -20,7 +20,6 @@ DIRS += [
     'ots/src',
     'thebes',
     'ipc',
-    'vr',
     'config',
 ]
 
diff --git a/gfx/thebes/gfxFT2FontList.cpp b/gfx/thebes/gfxFT2FontList.cpp
index 8a652df0dd..09c938a248 100644
--- a/gfx/thebes/gfxFT2FontList.cpp
+++ b/gfx/thebes/gfxFT2FontList.cpp
@@ -812,6 +812,15 @@ public:
         : mFontList(aFontList)
     { }
 
+    void Remove()
+    {
+        nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
+        if (obs) {
+            obs->RemoveObserver(this, NS_XPCOM_WILL_SHUTDOWN_OBSERVER_ID);
+        }
+        mFontList = nullptr;
+    }
+
 protected:
     virtual ~WillShutdownObserver()
     { }
@@ -847,11 +856,7 @@ gfxFT2FontList::gfxFT2FontList()
 gfxFT2FontList::~gfxFT2FontList()
 {
     if (mObserver) {
-        nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
-        if (obs) {
-            obs->RemoveObserver(mObserver, NS_XPCOM_WILL_SHUTDOWN_OBSERVER_ID);
-        }
-        mObserver = nullptr;
+        mObserver->Remove();
     }
 }
 
diff --git a/gfx/thebes/gfxFT2FontList.h b/gfx/thebes/gfxFT2FontList.h
index 63187ba265..9fb566c158 100644
--- a/gfx/thebes/gfxFT2FontList.h
+++ b/gfx/thebes/gfxFT2FontList.h
@@ -19,6 +19,7 @@ using mozilla::dom::FontListEntry;
 class FontNameCache;
 typedef struct FT_FaceRec_* FT_Face;
 class nsZipArchive;
+class WillShutdownObserver;
 
 class FT2FontEntry : public gfxFontEntry
 {
@@ -194,7 +195,7 @@ private:
 
     mozilla::UniquePtr<FontNameCache> mFontNameCache;
     int64_t mJarModifiedTime;
-    nsCOMPtr<nsIObserver> mObserver;
+    RefPtr<WillShutdownObserver> mObserver;
 };
 
 #endif /* GFX_FT2FONTLIST_H */
diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp
index 65227a8a7b..70ba2fe6ab 100644
--- a/gfx/thebes/gfxPlatform.cpp
+++ b/gfx/thebes/gfxPlatform.cpp
@@ -131,8 +131,6 @@ class mozilla::gl::SkiaGLGlue : public GenericAtomicRefCounted {
 #include "SoftwareVsyncSource.h"
 #include "nscore.h" // for NS_FREE_PERMANENT_DATA
 #include "mozilla/dom/ContentChild.h"
-#include "gfxVR.h"
-#include "VRManagerChild.h"
 #include "mozilla/gfx/GPUParent.h"
 #include "prsystem.h"
 
@@ -492,8 +490,6 @@ gfxPlatform::gfxPlatform()
                      contentMask, BackendType::CAIRO);
 
     mTotalSystemMemory = PR_GetPhysicalMemorySize();
-
-    VRManager::ManagerInit();
 }
 
 gfxPlatform*
@@ -900,14 +896,12 @@ gfxPlatform::ShutdownLayersIPC()
     sLayersIPCIsUp = false;
 
     if (XRE_IsContentProcess()) {
-        gfx::VRManagerChild::ShutDown();
         // cf bug 1215265.
         if (gfxPrefs::ChildProcessShutdown()) {
           layers::CompositorBridgeChild::ShutDown();
           layers::ImageBridgeChild::ShutDown();
         }
     } else if (XRE_IsParentProcess()) {
-        gfx::VRManagerChild::ShutDown();
         layers::CompositorBridgeChild::ShutDown();
         layers::ImageBridgeChild::ShutDown();
 
diff --git a/gfx/vr/VRDisplayClient.cpp b/gfx/vr/VRDisplayClient.cpp
deleted file mode 100644
index 2f258e9878..0000000000
--- a/gfx/vr/VRDisplayClient.cpp
+++ /dev/null
@@ -1,143 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <math.h>
-
-#include "prlink.h"
-#include "prmem.h"
-#include "prenv.h"
-#include "gfxPrefs.h"
-#include "nsString.h"
-#include "mozilla/Preferences.h"
-#include "mozilla/Unused.h"
-#include "nsServiceManagerUtils.h"
-#include "nsIScreenManager.h"
-
-#ifdef XP_WIN
-#include "../layers/d3d11/CompositorD3D11.h"
-#endif
-
-#include "VRDisplayClient.h"
-#include "VRDisplayPresentation.h"
-#include "VRManagerChild.h"
-#include "VRLayerChild.h"
-
-using namespace mozilla;
-using namespace mozilla::gfx;
-
-VRDisplayClient::VRDisplayClient(const VRDisplayInfo& aDisplayInfo)
-  : mDisplayInfo(aDisplayInfo)
-  , bLastEventWasPresenting(false)
-  , mPresentationCount(0)
-{
-  MOZ_COUNT_CTOR(VRDisplayClient);
-}
-
-VRDisplayClient::~VRDisplayClient() {
-  MOZ_COUNT_DTOR(VRDisplayClient);
-}
-
-void
-VRDisplayClient::UpdateDisplayInfo(const VRDisplayInfo& aDisplayInfo)
-{
-  mDisplayInfo = aDisplayInfo;
-}
-
-already_AddRefed<VRDisplayPresentation>
-VRDisplayClient::BeginPresentation(const nsTArray<mozilla::dom::VRLayer>& aLayers)
-{
-  ++mPresentationCount;
-  RefPtr<VRDisplayPresentation> presentation = new VRDisplayPresentation(this, aLayers);
-  return presentation.forget();
-}
-
-void
-VRDisplayClient::PresentationDestroyed()
-{
-  --mPresentationCount;
-}
-
-void
-VRDisplayClient::ZeroSensor()
-{
-  VRManagerChild *vm = VRManagerChild::Get();
-  vm->SendResetSensor(mDisplayInfo.mDisplayID);
-}
-
-VRHMDSensorState
-VRDisplayClient::GetSensorState()
-{
-  VRHMDSensorState sensorState;
-  VRManagerChild *vm = VRManagerChild::Get();
-  Unused << vm->SendGetSensorState(mDisplayInfo.mDisplayID, &sensorState);
-  return sensorState;
-}
-
-VRHMDSensorState
-VRDisplayClient::GetImmediateSensorState()
-{
-  VRHMDSensorState sensorState;
-
-  VRManagerChild *vm = VRManagerChild::Get();
-  Unused << vm->SendGetImmediateSensorState(mDisplayInfo.mDisplayID, &sensorState);
-  return sensorState;
-}
-
-const double kVRDisplayRAFMaxDuration = 32; // milliseconds
-
-void
-VRDisplayClient::NotifyVsync()
-{
-  VRManagerChild *vm = VRManagerChild::Get();
-
-  bool isPresenting = GetIsPresenting();
-
-  bool bShouldCallback = !isPresenting;
-  if (mLastVSyncTime.IsNull()) {
-    bShouldCallback = true;
-  } else {
-    TimeDuration duration = TimeStamp::Now() - mLastVSyncTime;
-    if (duration.ToMilliseconds() > kVRDisplayRAFMaxDuration) {
-      bShouldCallback = true;
-    }
-  }
-
-  if (bShouldCallback) {
-    vm->RunFrameRequestCallbacks();
-    mLastVSyncTime = TimeStamp::Now();
-  }
-
-  // Check if we need to trigger onVRDisplayPresentChange event
-  if (bLastEventWasPresenting != isPresenting) {
-    bLastEventWasPresenting = isPresenting;
-    vm->FireDOMVRDisplayPresentChangeEvent();
-  }
-}
-
-void
-VRDisplayClient::NotifyVRVsync()
-{
-  VRManagerChild *vm = VRManagerChild::Get();
-  vm->RunFrameRequestCallbacks();
-  mLastVSyncTime = TimeStamp::Now();
-}
-
-bool
-VRDisplayClient::GetIsConnected() const
-{
-  return mDisplayInfo.GetIsConnected();
-}
-
-bool
-VRDisplayClient::GetIsPresenting() const
-{
-  return mDisplayInfo.GetIsPresenting();
-}
-
-void
-VRDisplayClient::NotifyDisconnected()
-{
-  mDisplayInfo.mIsConnected = false;
-}
diff --git a/gfx/vr/VRDisplayClient.h b/gfx/vr/VRDisplayClient.h
deleted file mode 100644
index 0cdd246828..0000000000
--- a/gfx/vr/VRDisplayClient.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_DISPLAY_CLIENT_H
-#define GFX_VR_DISPLAY_CLIENT_H
-
-#include "nsIScreen.h"
-#include "nsCOMPtr.h"
-#include "mozilla/RefPtr.h"
-#include "mozilla/dom/VRDisplayBinding.h"
-
-#include "gfxVR.h"
-
-namespace mozilla {
-namespace gfx {
-class VRDisplayPresentation;
-class VRManagerChild;
-
-class VRDisplayClient
-{
-public:
-  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VRDisplayClient)
-
-  explicit VRDisplayClient(const VRDisplayInfo& aDisplayInfo);
-
-  void UpdateDisplayInfo(const VRDisplayInfo& aDisplayInfo);
-
-  const VRDisplayInfo& GetDisplayInfo() const { return mDisplayInfo; }
-  virtual VRHMDSensorState GetSensorState();
-  virtual VRHMDSensorState GetImmediateSensorState();
-
-  virtual void ZeroSensor();
-
-  already_AddRefed<VRDisplayPresentation> BeginPresentation(const nsTArray<dom::VRLayer>& aLayers);
-  void PresentationDestroyed();
-
-  void NotifyVsync();
-  void NotifyVRVsync();
-
-  bool GetIsConnected() const;
-  bool GetIsPresenting() const;
-
-  void NotifyDisconnected();
-
-protected:
-  virtual ~VRDisplayClient();
-
-  VRDisplayInfo mDisplayInfo;
-
-  bool bLastEventWasPresenting;
-
-  TimeStamp mLastVSyncTime;
-  int mPresentationCount;
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-#endif /* GFX_VR_DISPLAY_CLIENT_H */
diff --git a/gfx/vr/VRDisplayHost.cpp b/gfx/vr/VRDisplayHost.cpp
deleted file mode 100644
index fd2fd6d6ad..0000000000
--- a/gfx/vr/VRDisplayHost.cpp
+++ /dev/null
@@ -1,201 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
-* This Source Code Form is subject to the terms of the Mozilla Public
-* License, v. 2.0. If a copy of the MPL was not distributed with this
-* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "VRDisplayHost.h"
-#include "gfxVR.h"
-
-#if defined(XP_WIN)
-
-#include <d3d11.h>
-#include "gfxWindowsPlatform.h"
-#include "../layers/d3d11/CompositorD3D11.h"
-#include "mozilla/layers/TextureD3D11.h"
-
-#endif
-
-using namespace mozilla;
-using namespace mozilla::gfx;
-using namespace mozilla::layers;
-
-VRDisplayHost::VRDisplayHost(VRDeviceType aType)
-  : mInputFrameID(0)
-{
-  MOZ_COUNT_CTOR(VRDisplayHost);
-  mDisplayInfo.mType = aType;
-  mDisplayInfo.mDisplayID = VRDisplayManager::AllocateDisplayID();
-  mDisplayInfo.mIsPresenting = false;
-
-  for (int i = 0; i < kMaxLatencyFrames; i++) {
-    mLastSensorState[i].Clear();
-  }
-}
-
-VRDisplayHost::~VRDisplayHost()
-{
-  MOZ_COUNT_DTOR(VRDisplayHost);
-}
-
-void
-VRDisplayHost::AddLayer(VRLayerParent *aLayer)
-{
-  mLayers.AppendElement(aLayer);
-  if (mLayers.Length() == 1) {
-    StartPresentation();
-  }
-  mDisplayInfo.mIsPresenting = mLayers.Length() > 0;
-
-  // Ensure that the content process receives the change immediately
-  VRManager* vm = VRManager::Get();
-  vm->RefreshVRDisplays();
-}
-
-void
-VRDisplayHost::RemoveLayer(VRLayerParent *aLayer)
-{
-  mLayers.RemoveElement(aLayer);
-  if (mLayers.Length() == 0) {
-    StopPresentation();
-  }
-  mDisplayInfo.mIsPresenting = mLayers.Length() > 0;
-
-  // Ensure that the content process receives the change immediately
-  VRManager* vm = VRManager::Get();
-  vm->RefreshVRDisplays();
-}
-
-#if defined(XP_WIN)
-
-void
-VRDisplayHost::SubmitFrame(VRLayerParent* aLayer, const int32_t& aInputFrameID,
-  PTextureParent* aTexture, const gfx::Rect& aLeftEyeRect,
-  const gfx::Rect& aRightEyeRect)
-{
-  // aInputFrameID is no longer controlled by content with the WebVR 1.1 API
-  // update; however, we will later use this code to enable asynchronous
-  // submission of multiple layers to be composited.  This will enable
-  // us to build browser UX that remains responsive even when content does
-  // not consistently submit frames.
-
-  int32_t inputFrameID = aInputFrameID;
-  if (inputFrameID == 0) {
-    inputFrameID = mInputFrameID;
-  }
-  if (inputFrameID < 0) {
-    // Sanity check to prevent invalid memory access on builds with assertions
-    // disabled.
-    inputFrameID = 0;
-  }
-
-  VRHMDSensorState sensorState = mLastSensorState[inputFrameID % kMaxLatencyFrames];
-  // It is possible to get a cache miss on mLastSensorState if latency is
-  // longer than kMaxLatencyFrames.  An optimization would be to find a frame
-  // that is closer than the one selected with the modulus.
-  // If we hit this; however, latency is already so high that the site is
-  // un-viewable and a more accurate pose prediction is not likely to
-  // compensate.
-
-  TextureHost* th = TextureHost::AsTextureHost(aTexture);
-  // WebVR doesn't use the compositor to compose the frame, so use
-  // AutoLockTextureHostWithoutCompositor here.
-  AutoLockTextureHostWithoutCompositor autoLock(th);
-  if (autoLock.Failed()) {
-    NS_WARNING("Failed to lock the VR layer texture");
-    return;
-  }
-
-  CompositableTextureSourceRef source;
-  if (!th->BindTextureSource(source)) {
-    NS_WARNING("The TextureHost was successfully locked but can't provide a TextureSource");
-    return;
-  }
-  MOZ_ASSERT(source);
-
-  IntSize texSize = source->GetSize();
-
-  TextureSourceD3D11* sourceD3D11 = source->AsSourceD3D11();
-  if (!sourceD3D11) {
-    NS_WARNING("WebVR support currently only implemented for D3D11");
-    return;
-  }
-
-  SubmitFrame(sourceD3D11, texSize, sensorState, aLeftEyeRect, aRightEyeRect);
-}
-
-#else
-
-void
-VRDisplayHost::SubmitFrame(VRLayerParent* aLayer, const int32_t& aInputFrameID,
-  PTextureParent* aTexture, const gfx::Rect& aLeftEyeRect,
-  const gfx::Rect& aRightEyeRect)
-{
-  NS_WARNING("WebVR only supported in Windows.");
-}
-
-#endif
-
-bool
-VRDisplayHost::CheckClearDisplayInfoDirty()
-{
-  if (mDisplayInfo == mLastUpdateDisplayInfo) {
-    return false;
-  }
-  mLastUpdateDisplayInfo = mDisplayInfo;
-  return true;
-}
-
-VRControllerHost::VRControllerHost(VRDeviceType aType)
-{
-  MOZ_COUNT_CTOR(VRControllerHost);
-  mControllerInfo.mType = aType;
-  mControllerInfo.mControllerID = VRDisplayManager::AllocateDisplayID();
-}
-
-VRControllerHost::~VRControllerHost()
-{
-  MOZ_COUNT_DTOR(VRControllerHost);
-}
-
-const VRControllerInfo&
-VRControllerHost::GetControllerInfo() const
-{
-  return mControllerInfo;
-}
-
-void
-VRControllerHost::SetIndex(uint32_t aIndex)
-{
-  mIndex = aIndex;
-}
-
-uint32_t
-VRControllerHost::GetIndex()
-{
-  return mIndex;
-}
-
-void
-VRControllerHost::SetButtonPressed(uint64_t aBit)
-{
-  mButtonPressed = aBit;
-}
-
-uint64_t
-VRControllerHost::GetButtonPressed()
-{
-  return mButtonPressed;
-}
-
-void
-VRControllerHost::SetPose(const dom::GamepadPoseState& aPose)
-{
-  mPose = aPose;
-}
-
-const dom::GamepadPoseState&
-VRControllerHost::GetPose()
-{
-  return mPose;
-}
-
diff --git a/gfx/vr/VRDisplayHost.h b/gfx/vr/VRDisplayHost.h
deleted file mode 100644
index 0e04e4fd2d..0000000000
--- a/gfx/vr/VRDisplayHost.h
+++ /dev/null
@@ -1,114 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
-* This Source Code Form is subject to the terms of the Mozilla Public
-* License, v. 2.0. If a copy of the MPL was not distributed with this
-* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_DISPLAY_HOST_H
-#define GFX_VR_DISPLAY_HOST_H
-
-#include "gfxVR.h"
-#include "nsTArray.h"
-#include "nsString.h"
-#include "nsCOMPtr.h"
-#include "mozilla/RefPtr.h"
-#include "mozilla/gfx/2D.h"
-#include "mozilla/Atomics.h"
-#include "mozilla/EnumeratedArray.h"
-#include "mozilla/TimeStamp.h"
-#include "mozilla/TypedEnumBits.h"
-#include "mozilla/dom/GamepadPoseState.h"
-
-namespace mozilla {
-namespace layers {
-class PTextureParent;
-#if defined(XP_WIN)
-class TextureSourceD3D11;
-#endif
-} // namespace layers
-namespace gfx {
-class VRLayerParent;
-
-class VRDisplayHost {
-public:
-  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VRDisplayHost)
-
-  const VRDisplayInfo& GetDisplayInfo() const { return mDisplayInfo; }
-
-  void AddLayer(VRLayerParent* aLayer);
-  void RemoveLayer(VRLayerParent* aLayer);
-
-  virtual VRHMDSensorState GetSensorState() = 0;
-  virtual VRHMDSensorState GetImmediateSensorState() = 0;
-  virtual void ZeroSensor() = 0;
-  virtual void StartPresentation() = 0;
-  virtual void StopPresentation() = 0;
-  virtual void NotifyVSync() { };
-
-  void SubmitFrame(VRLayerParent* aLayer,
-                   const int32_t& aInputFrameID,
-                   mozilla::layers::PTextureParent* aTexture,
-                   const gfx::Rect& aLeftEyeRect,
-                   const gfx::Rect& aRightEyeRect);
-
-  bool CheckClearDisplayInfoDirty();
-
-protected:
-  explicit VRDisplayHost(VRDeviceType aType);
-  virtual ~VRDisplayHost();
-
-#if defined(XP_WIN)
-  virtual void SubmitFrame(mozilla::layers::TextureSourceD3D11* aSource,
-                           const IntSize& aSize,
-                           const VRHMDSensorState& aSensorState,
-                           const gfx::Rect& aLeftEyeRect,
-                           const gfx::Rect& aRightEyeRect) = 0;
-#endif
-
-  VRDisplayInfo mDisplayInfo;
-
-  nsTArray<RefPtr<VRLayerParent>> mLayers;
-  // Weak reference to mLayers entries are cleared in VRLayerParent destructor
-
-  // The maximum number of frames of latency that we would expect before we
-  // should give up applying pose prediction.
-  // If latency is greater than one second, then the experience is not likely
-  // to be corrected by pose prediction.  Setting this value too
-  // high may result in unnecessary memory allocation.
-  // As the current fastest refresh rate is 90hz, 100 is selected as a
-  // conservative value.
-  static const int kMaxLatencyFrames = 100;
-  VRHMDSensorState mLastSensorState[kMaxLatencyFrames];
-  int32_t mInputFrameID;
-
-private:
-  VRDisplayInfo mLastUpdateDisplayInfo;
-};
-
-class VRControllerHost {
-public:
-  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VRControllerHost)
-
-  const VRControllerInfo& GetControllerInfo() const;
-  void SetIndex(uint32_t aIndex);
-  uint32_t GetIndex();
-  void SetButtonPressed(uint64_t aBit);
-  uint64_t GetButtonPressed();
-  void SetPose(const dom::GamepadPoseState& aPose);
-  const dom::GamepadPoseState& GetPose();
-
-protected:
-  explicit VRControllerHost(VRDeviceType aType);
-  virtual ~VRControllerHost();
-
-  VRControllerInfo mControllerInfo;
-  // The controller index in VRControllerManager.
-  uint32_t mIndex;
-  // The current button pressed bit of button mask.
-  uint64_t mButtonPressed;
-  dom::GamepadPoseState mPose;
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-#endif /* GFX_VR_DISPLAY_HOST_H */
diff --git a/gfx/vr/VRDisplayPresentation.cpp b/gfx/vr/VRDisplayPresentation.cpp
deleted file mode 100644
index ba528ae7ce..0000000000
--- a/gfx/vr/VRDisplayPresentation.cpp
+++ /dev/null
@@ -1,112 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
-* This Source Code Form is subject to the terms of the Mozilla Public
-* License, v. 2.0. If a copy of the MPL was not distributed with this
-* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "VRDisplayPresentation.h"
-
-#include "mozilla/Unused.h"
-#include "VRDisplayClient.h"
-#include "VRLayerChild.h"
-
-using namespace mozilla;
-using namespace mozilla::gfx;
-
-VRDisplayPresentation::VRDisplayPresentation(VRDisplayClient *aDisplayClient,
-                                             const nsTArray<mozilla::dom::VRLayer>& aLayers)
-  : mDisplayClient(aDisplayClient)
-  , mDOMLayers(aLayers)
-{
-  CreateLayers();
-}
-
-void
-VRDisplayPresentation::CreateLayers()
-{
-  if (mLayers.Length()) {
-    return;
-  }
-
-  for (dom::VRLayer& layer : mDOMLayers) {
-    dom::HTMLCanvasElement* canvasElement = layer.mSource;
-    if (!canvasElement) {
-      /// XXX In the future we will support WebVR in WebWorkers here
-      continue;
-    }
-
-    Rect leftBounds(0.0, 0.0, 0.5, 1.0);
-    if (layer.mLeftBounds.Length() == 4) {
-      leftBounds.x = layer.mLeftBounds[0];
-      leftBounds.y = layer.mLeftBounds[1];
-      leftBounds.width = layer.mLeftBounds[2];
-      leftBounds.height = layer.mLeftBounds[3];
-    } else if (layer.mLeftBounds.Length() != 0) {
-      /**
-       * We ignore layers with an incorrect number of values.
-       * In the future, VRDisplay.requestPresent may throw in
-       * this case.  See https://github.com/w3c/webvr/issues/71
-       */
-      continue;
-    }
-
-    Rect rightBounds(0.5, 0.0, 0.5, 1.0);
-    if (layer.mRightBounds.Length() == 4) {
-      rightBounds.x = layer.mRightBounds[0];
-      rightBounds.y = layer.mRightBounds[1];
-      rightBounds.width = layer.mRightBounds[2];
-      rightBounds.height = layer.mRightBounds[3];
-    } else if (layer.mRightBounds.Length() != 0) {
-      /**
-       * We ignore layers with an incorrect number of values.
-       * In the future, VRDisplay.requestPresent may throw in
-       * this case.  See https://github.com/w3c/webvr/issues/71
-       */
-      continue;
-    }
-
-    VRManagerChild *manager = VRManagerChild::Get();
-    if (!manager) {
-      NS_WARNING("VRManagerChild::Get returned null!");
-      continue;
-    }
-
-    RefPtr<VRLayerChild> vrLayer = static_cast<VRLayerChild*>(manager->CreateVRLayer(mDisplayClient->GetDisplayInfo().GetDisplayID(), leftBounds, rightBounds));
-    if (!vrLayer) {
-      NS_WARNING("CreateVRLayer returned null!");
-      continue;
-    }
-
-    vrLayer->Initialize(canvasElement);
-
-    mLayers.AppendElement(vrLayer);
-  }
-}
-
-void
-VRDisplayPresentation::DestroyLayers()
-{
-  for (VRLayerChild* layer : mLayers) {
-    Unused << layer->SendDestroy();
-  }
-  mLayers.Clear();
-}
-
-void
-VRDisplayPresentation::GetDOMLayers(nsTArray<dom::VRLayer>& result)
-{
-  result = mDOMLayers;
-}
-
-VRDisplayPresentation::~VRDisplayPresentation()
-{
-  DestroyLayers();
-  mDisplayClient->PresentationDestroyed();
-}
-
-void VRDisplayPresentation::SubmitFrame()
-{
-  for (VRLayerChild *layer : mLayers) {
-    layer->SubmitFrame();
-    break; // Currently only one layer supported, submit only the first
-  }
-}
diff --git a/gfx/vr/VRDisplayPresentation.h b/gfx/vr/VRDisplayPresentation.h
deleted file mode 100644
index 28103d8f5b..0000000000
--- a/gfx/vr/VRDisplayPresentation.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
-* This Source Code Form is subject to the terms of the Mozilla Public
-* License, v. 2.0. If a copy of the MPL was not distributed with this
-* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_DISPLAY_PRESENTATION_H
-#define GFX_VR_DISPLAY_PRESENTATION_H
-
-#include "mozilla/RefPtr.h"
-#include "mozilla/dom/VRDisplayBinding.h"
-
-namespace mozilla {
-namespace gfx {
-class VRDisplayClient;
-class VRLayerChild;
-
-class VRDisplayPresentation final
-{
-  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VRDisplayPresentation)
-
-public:
-  VRDisplayPresentation(VRDisplayClient *aDisplayClient, const nsTArray<dom::VRLayer>& aLayers);
-  void SubmitFrame();
-  void GetDOMLayers(nsTArray<dom::VRLayer>& result);
-
-private:
-  ~VRDisplayPresentation();
-  void CreateLayers();
-  void DestroyLayers();
-
-  RefPtr<VRDisplayClient> mDisplayClient;
-  nsTArray<dom::VRLayer> mDOMLayers;
-  nsTArray<RefPtr<VRLayerChild>> mLayers;
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-#endif /* GFX_VR_DISPLAY_PRESENTAITON_H */
diff --git a/gfx/vr/VRManager.cpp b/gfx/vr/VRManager.cpp
deleted file mode 100644
index 672e9e3a13..0000000000
--- a/gfx/vr/VRManager.cpp
+++ /dev/null
@@ -1,393 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-
-#include "VRManager.h"
-#include "VRManagerParent.h"
-#include "gfxVR.h"
-#include "gfxVROpenVR.h"
-#include "mozilla/ClearOnShutdown.h"
-#include "mozilla/dom/VRDisplay.h"
-#include "mozilla/dom/GamepadEventTypes.h"
-#include "mozilla/layers/TextureHost.h"
-#include "mozilla/Unused.h"
-
-#include "gfxPrefs.h"
-#include "gfxVR.h"
-#if defined(XP_WIN)
-#include "gfxVROculus.h"
-#endif
-#if defined(XP_WIN) || defined(XP_MACOSX) || defined(XP_LINUX)
-#include "gfxVROSVR.h"
-#endif
-#include "ipc/VRLayerParent.h"
-
-using namespace mozilla;
-using namespace mozilla::gfx;
-using namespace mozilla::layers;
-using namespace mozilla::gl;
-
-namespace mozilla {
-namespace gfx {
-
-static StaticRefPtr<VRManager> sVRManagerSingleton;
-
-/*static*/ void
-VRManager::ManagerInit()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-
-  if (sVRManagerSingleton == nullptr) {
-    sVRManagerSingleton = new VRManager();
-    ClearOnShutdown(&sVRManagerSingleton);
-  }
-}
-
-VRManager::VRManager()
-  : mInitialized(false)
-{
-  MOZ_COUNT_CTOR(VRManager);
-  MOZ_ASSERT(sVRManagerSingleton == nullptr);
-
-  RefPtr<VRDisplayManager> mgr;
-  RefPtr<VRControllerManager> controllerMgr;
-
-  /**
-   * We must add the VRDisplayManager's to mManagers in a careful order to
-   * ensure that we don't detect the same VRDisplay from multiple API's.
-   *
-   * Oculus comes first, as it will only enumerate Oculus HMD's and is the
-   * native interface for Oculus HMD's.
-   *
-   * OpenvR comes second, as it is the native interface for HTC Vive
-   * which is the most common HMD at this time.
-   *
-   * OSVR will be used if Oculus SDK and OpenVR don't detect any HMDS,
-   * to support everyone else.
-   */
-
-#if defined(XP_WIN)
-  // The Oculus runtime is supported only on Windows
-  mgr = VRDisplayManagerOculus::Create();
-  if (mgr) {
-    mManagers.AppendElement(mgr);
-  }
-#endif
-
-#if defined(XP_WIN) || defined(XP_MACOSX) || defined(XP_LINUX)
-  // OpenVR is cross platform compatible
-  mgr = VRDisplayManagerOpenVR::Create();
-  if (mgr) {
-    mManagers.AppendElement(mgr);
-  }
-
-  controllerMgr = VRControllerManagerOpenVR::Create();
-  if (mgr) {
-    mControllerManagers.AppendElement(controllerMgr);
-  }
-
-  // OSVR is cross platform compatible
-  mgr = VRDisplayManagerOSVR::Create();
-  if (mgr) {
-      mManagers.AppendElement(mgr);
-  }
-#endif
-  // Enable gamepad extensions while VR is enabled.
-  if (gfxPrefs::VREnabled()) {
-    Preferences::SetBool("dom.gamepad.extensions.enabled", true);
-  }
-}
-
-VRManager::~VRManager()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(!mInitialized);
-  MOZ_COUNT_DTOR(VRManager);
-}
-
-void
-VRManager::Destroy()
-{
-  mVRDisplays.Clear();
-  for (uint32_t i = 0; i < mManagers.Length(); ++i) {
-    mManagers[i]->Destroy();
-  }
-
-  mVRControllers.Clear();
-  for (uint32_t i = 0; i < mControllerManagers.Length(); ++i) {
-    mControllerManagers[i]->Destroy();
-  }
-  mInitialized = false;
-}
-
-void
-VRManager::Init()
-{
-  for (uint32_t i = 0; i < mManagers.Length(); ++i) {
-    mManagers[i]->Init();
-  }
-
-  for (uint32_t i = 0; i < mControllerManagers.Length(); ++i) {
-    mControllerManagers[i]->Init();
-  }
-  mInitialized = true;
-}
-
-/* static */VRManager*
-VRManager::Get()
-{
-  MOZ_ASSERT(sVRManagerSingleton != nullptr);
-
-  return sVRManagerSingleton;
-}
-
-void
-VRManager::AddVRManagerParent(VRManagerParent* aVRManagerParent)
-{
-  if (mVRManagerParents.IsEmpty()) {
-    Init();
-  }
-  mVRManagerParents.PutEntry(aVRManagerParent);
-}
-
-void
-VRManager::RemoveVRManagerParent(VRManagerParent* aVRManagerParent)
-{
-  mVRManagerParents.RemoveEntry(aVRManagerParent);
-  if (mVRManagerParents.IsEmpty()) {
-    Destroy();
-  }
-}
-
-void
-VRManager::NotifyVsync(const TimeStamp& aVsyncTimestamp)
-{
-  const double kVRDisplayRefreshMaxDuration = 5000; // milliseconds
-
-  bool bHaveEventListener = false;
-
-  for (auto iter = mVRManagerParents.Iter(); !iter.Done(); iter.Next()) {
-    VRManagerParent *vmp = iter.Get()->GetKey();
-    if (mVRDisplays.Count()) {
-      Unused << vmp->SendNotifyVSync();
-    }
-    bHaveEventListener |= vmp->HaveEventListener();
-  }
-
-  for (auto iter = mVRDisplays.Iter(); !iter.Done(); iter.Next()) {
-    gfx::VRDisplayHost* display = iter.UserData();
-    display->NotifyVSync();
-  }
-
-  if (bHaveEventListener) {
-    for (uint32_t i = 0; i < mControllerManagers.Length(); ++i) {
-      mControllerManagers[i]->HandleInput();
-    }
-    // If content has set an EventHandler to be notified of VR display events
-    // we must continually refresh the VR display enumeration to check
-    // for events that we must fire such as Window.onvrdisplayconnect
-    // Note that enumeration itself may activate display hardware, such
-    // as Oculus, so we only do this when we know we are displaying content
-    // that is looking for VR displays.
-    if (mLastRefreshTime.IsNull()) {
-      // This is the first vsync, must refresh VR displays
-      RefreshVRDisplays();
-      RefreshVRControllers();
-      mLastRefreshTime = TimeStamp::Now();
-    } else {
-      // We don't have to do this every frame, so check if we
-      // have refreshed recently.
-      TimeDuration duration = TimeStamp::Now() - mLastRefreshTime;
-      if (duration.ToMilliseconds() > kVRDisplayRefreshMaxDuration) {
-        RefreshVRDisplays();
-        RefreshVRControllers();
-        mLastRefreshTime = TimeStamp::Now();
-      }
-    }
-  }
-}
-
-void
-VRManager::NotifyVRVsync(const uint32_t& aDisplayID)
-{
-  for (auto iter = mVRManagerParents.Iter(); !iter.Done(); iter.Next()) {
-    Unused << iter.Get()->GetKey()->SendNotifyVRVSync(aDisplayID);
-  }
-}
-
-void
-VRManager::RefreshVRDisplays(bool aMustDispatch)
-{
-  nsTArray<RefPtr<gfx::VRDisplayHost> > displays;
-
-  /** We don't wish to enumerate the same display from multiple managers,
-   * so stop as soon as we get a display.
-   * It is still possible to get multiple displays from a single manager,
-   * but do not wish to mix-and-match for risk of reporting a duplicate.
-   *
-   * XXX - Perhaps there will be a better way to detect duplicate displays
-   *       in the future.
-   */
-  for (uint32_t i = 0; i < mManagers.Length() && displays.Length() == 0; ++i) {
-    mManagers[i]->GetHMDs(displays);
-  }
-
-  bool displayInfoChanged = false;
-
-  if (displays.Length() != mVRDisplays.Count()) {
-    // Catch cases where a VR display has been removed
-    displayInfoChanged = true;
-  }
-
-  for (const auto& display: displays) {
-    if (!GetDisplay(display->GetDisplayInfo().GetDisplayID())) {
-      // This is a new display
-      displayInfoChanged = true;
-      break;
-    }
-
-    if (display->CheckClearDisplayInfoDirty()) {
-      // This display's info has changed
-      displayInfoChanged = true;
-      break;
-    }
-  }
-
-  if (displayInfoChanged) {
-    mVRDisplays.Clear();
-    for (const auto& display: displays) {
-      mVRDisplays.Put(display->GetDisplayInfo().GetDisplayID(), display);
-    }
-  }
-
-  if (displayInfoChanged || aMustDispatch) {
-    DispatchVRDisplayInfoUpdate();
-  }
-}
-
-void
-VRManager::DispatchVRDisplayInfoUpdate()
-{
-  nsTArray<VRDisplayInfo> update;
-  GetVRDisplayInfo(update);
-
-  for (auto iter = mVRManagerParents.Iter(); !iter.Done(); iter.Next()) {
-    Unused << iter.Get()->GetKey()->SendUpdateDisplayInfo(update);
-  }
-}
-
-
-/**
- * Get any VR displays that have already been enumerated without
- * activating any new devices.
- */
-void
-VRManager::GetVRDisplayInfo(nsTArray<VRDisplayInfo>& aDisplayInfo)
-{
-  aDisplayInfo.Clear();
-  for (auto iter = mVRDisplays.Iter(); !iter.Done(); iter.Next()) {
-    gfx::VRDisplayHost* display = iter.UserData();
-    aDisplayInfo.AppendElement(VRDisplayInfo(display->GetDisplayInfo()));
-  }
-}
-
-RefPtr<gfx::VRDisplayHost>
-VRManager::GetDisplay(const uint32_t& aDisplayID)
-{
-  RefPtr<gfx::VRDisplayHost> display;
-  if (mVRDisplays.Get(aDisplayID, getter_AddRefs(display))) {
-    return display;
-  }
-  return nullptr;
-}
-
-void
-VRManager::SubmitFrame(VRLayerParent* aLayer, layers::PTextureParent* aTexture,
-                       const gfx::Rect& aLeftEyeRect,
-                       const gfx::Rect& aRightEyeRect)
-{
-  TextureHost* th = TextureHost::AsTextureHost(aTexture);
-  mLastFrame = th;
-  RefPtr<VRDisplayHost> display = GetDisplay(aLayer->GetDisplayID());
-  if (display) {
-    display->SubmitFrame(aLayer, 0, aTexture, aLeftEyeRect, aRightEyeRect);
-  }
-}
-
-RefPtr<gfx::VRControllerHost>
-VRManager::GetController(const uint32_t& aControllerID)
-{
-  RefPtr<gfx::VRControllerHost> controller;
-  if (mVRControllers.Get(aControllerID, getter_AddRefs(controller))) {
-    return controller;
-  }
-  return nullptr;
-}
-
-void
-VRManager::GetVRControllerInfo(nsTArray<VRControllerInfo>& aControllerInfo)
-{
-  aControllerInfo.Clear();
-  for (auto iter = mVRControllers.Iter(); !iter.Done(); iter.Next()) {
-    gfx::VRControllerHost* controller = iter.UserData();
-    aControllerInfo.AppendElement(VRControllerInfo(controller->GetControllerInfo()));
-  }
-}
-
-void
-VRManager::RefreshVRControllers()
-{
-  nsTArray<RefPtr<gfx::VRControllerHost>> controllers;
-
-  for (uint32_t i = 0; i < mControllerManagers.Length()
-      && controllers.Length() == 0; ++i) {
-    mControllerManagers[i]->GetControllers(controllers);
-  }
-
-  bool controllerInfoChanged = false;
-
-  if (controllers.Length() != mVRControllers.Count()) {
-    // Catch cases where VR controllers has been removed
-    controllerInfoChanged = true;
-  }
-
-  for (const auto& controller : controllers) {
-    if (!GetController(controller->GetControllerInfo().GetControllerID())) {
-      // This is a new controller
-      controllerInfoChanged = true;
-      break;
-    }
-  }
-
-  if (controllerInfoChanged) {
-    mVRControllers.Clear();
-    for (const auto& controller : controllers) {
-      mVRControllers.Put(controller->GetControllerInfo().GetControllerID(),
-                         controller);
-    }
-  }
-}
-
-void
-VRManager::ScanForDevices()
-{
-  for (uint32_t i = 0; i < mControllerManagers.Length(); ++i) {
-    mControllerManagers[i]->ScanForDevices();
-  }
-}
-
-template<class T>
-void
-VRManager::NotifyGamepadChange(const T& aInfo)
-{
-  dom::GamepadChangeEvent e(aInfo);
-
-  for (auto iter = mVRManagerParents.Iter(); !iter.Done(); iter.Next()) {
-    Unused << iter.Get()->GetKey()->SendGamepadUpdate(e);
-  }
-}
-
-} // namespace gfx
-} // namespace mozilla
diff --git a/gfx/vr/VRManager.h b/gfx/vr/VRManager.h
deleted file mode 100644
index b46a3b58f5..0000000000
--- a/gfx/vr/VRManager.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_MANAGER_H
-#define GFX_VR_MANAGER_H
-
-#include "nsRefPtrHashtable.h"
-#include "nsTArray.h"
-#include "nsTHashtable.h"
-#include "nsDataHashtable.h"
-#include "mozilla/TimeStamp.h"
-#include "gfxVR.h"
-
-namespace mozilla {
-namespace layers {
-class TextureHost;
-}
-namespace gfx {
-
-class VRLayerParent;
-class VRManagerParent;
-class VRDisplayHost;
-class VRControllerManager;
-
-class VRManager
-{
-  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(mozilla::gfx::VRManager)
-
-public:
-  static void ManagerInit();
-  static VRManager* Get();
-
-  void AddVRManagerParent(VRManagerParent* aVRManagerParent);
-  void RemoveVRManagerParent(VRManagerParent* aVRManagerParent);
-
-  void NotifyVsync(const TimeStamp& aVsyncTimestamp);
-  void NotifyVRVsync(const uint32_t& aDisplayID);
-  void RefreshVRDisplays(bool aMustDispatch = false);
-  void ScanForDevices();
-  template<class T> void NotifyGamepadChange(const T& aInfo);
-  RefPtr<gfx::VRDisplayHost> GetDisplay(const uint32_t& aDisplayID);
-  void GetVRDisplayInfo(nsTArray<VRDisplayInfo>& aDisplayInfo);
-
-  void SubmitFrame(VRLayerParent* aLayer, layers::PTextureParent* aTexture,
-                   const gfx::Rect& aLeftEyeRect,
-                   const gfx::Rect& aRightEyeRect);
-  RefPtr<gfx::VRControllerHost> GetController(const uint32_t& aControllerID);
-  void GetVRControllerInfo(nsTArray<VRControllerInfo>& aControllerInfo);
-
-protected:
-  VRManager();
-  ~VRManager();
-
-private:
-  RefPtr<layers::TextureHost> mLastFrame;
-
-  void Init();
-  void Destroy();
-
-  void DispatchVRDisplayInfoUpdate();
-  void RefreshVRControllers();
-
-  typedef nsTHashtable<nsRefPtrHashKey<VRManagerParent>> VRManagerParentSet;
-  VRManagerParentSet mVRManagerParents;
-
-  typedef nsTArray<RefPtr<VRDisplayManager>> VRDisplayManagerArray;
-  VRDisplayManagerArray mManagers;
-
-  typedef nsTArray<RefPtr<VRControllerManager>> VRControllerManagerArray;
-  VRControllerManagerArray mControllerManagers;
-
-  typedef nsRefPtrHashtable<nsUint32HashKey, gfx::VRDisplayHost> VRDisplayHostHashMap;
-  VRDisplayHostHashMap mVRDisplays;
-
-  typedef nsRefPtrHashtable<nsUint32HashKey, gfx::VRControllerHost> VRControllerHostHashMap;
-  VRControllerHostHashMap mVRControllers;
-
-  Atomic<bool> mInitialized;
-
-  TimeStamp mLastRefreshTime;
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-#endif // GFX_VR_MANAGER_H
diff --git a/gfx/vr/gfxVR.cpp b/gfx/vr/gfxVR.cpp
deleted file mode 100644
index c0babb4f80..0000000000
--- a/gfx/vr/gfxVR.cpp
+++ /dev/null
@@ -1,127 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <math.h>
-
-#include "gfxVR.h"
-#ifdef MOZ_GAMEPAD
-#include "mozilla/dom/GamepadEventTypes.h"
-#include "mozilla/dom/GamepadBinding.h"
-#endif
-
-#ifndef M_PI
-# define M_PI 3.14159265358979323846
-#endif
-
-using namespace mozilla;
-using namespace mozilla::gfx;
-
-Atomic<uint32_t> VRDisplayManager::sDisplayBase(0);
-Atomic<uint32_t> VRControllerManager::sControllerBase(0);
-
-/* static */ uint32_t
-VRDisplayManager::AllocateDisplayID()
-{
-  return ++sDisplayBase;
-}
-
-Matrix4x4
-VRFieldOfView::ConstructProjectionMatrix(float zNear, float zFar,
-                                         bool rightHanded) const
-{
-  float upTan = tan(upDegrees * M_PI / 180.0);
-  float downTan = tan(downDegrees * M_PI / 180.0);
-  float leftTan = tan(leftDegrees * M_PI / 180.0);
-  float rightTan = tan(rightDegrees * M_PI / 180.0);
-
-  float handednessScale = rightHanded ? -1.0 : 1.0;
-
-  float pxscale = 2.0f / (leftTan + rightTan);
-  float pxoffset = (leftTan - rightTan) * pxscale * 0.5;
-  float pyscale = 2.0f / (upTan + downTan);
-  float pyoffset = (upTan - downTan) * pyscale * 0.5;
-
-  Matrix4x4 mobj;
-  float *m = &mobj._11;
-
-  m[0*4+0] = pxscale;
-  m[2*4+0] = pxoffset * handednessScale;
-
-  m[1*4+1] = pyscale;
-  m[2*4+1] = -pyoffset * handednessScale;
-
-  m[2*4+2] = zFar / (zNear - zFar) * -handednessScale;
-  m[3*4+2] = (zFar * zNear) / (zNear - zFar);
-
-  m[2*4+3] = handednessScale;
-  m[3*4+3] = 0.0f;
-
-  return mobj;
-}
-
-/* static */ uint32_t
-VRControllerManager::AllocateControllerID()
-{
-  return ++sControllerBase;
-}
-
-void
-VRControllerManager::AddGamepad(const char* aID, uint32_t aMapping,
-                                uint32_t aNumButtons, uint32_t aNumAxes)
-{
-  dom::GamepadAdded a(NS_ConvertUTF8toUTF16(nsDependentCString(aID)), mControllerCount,
-                     aMapping, dom::GamepadServiceType::VR, aNumButtons,
-                     aNumAxes);
-
-  VRManager* vm = VRManager::Get();
-  MOZ_ASSERT(vm);
-  vm->NotifyGamepadChange<dom::GamepadAdded>(a);
-}
-
-void
-VRControllerManager::RemoveGamepad(uint32_t aIndex)
-{
-  dom::GamepadRemoved a(aIndex, dom::GamepadServiceType::VR);
-
-  VRManager* vm = VRManager::Get();
-  MOZ_ASSERT(vm);
-  vm->NotifyGamepadChange<dom::GamepadRemoved>(a);
-}
-
-void
-VRControllerManager::NewButtonEvent(uint32_t aIndex, uint32_t aButton,
-                                    bool aPressed)
-{
-  dom::GamepadButtonInformation a(aIndex, dom::GamepadServiceType::VR,
-                                  aButton, aPressed, aPressed ? 1.0L : 0.0L);
-
-  VRManager* vm = VRManager::Get();
-  MOZ_ASSERT(vm);
-  vm->NotifyGamepadChange<dom::GamepadButtonInformation>(a);
-}
-
-void
-VRControllerManager::NewAxisMove(uint32_t aIndex, uint32_t aAxis,
-                                 double aValue)
-{
-  dom::GamepadAxisInformation a(aIndex, dom::GamepadServiceType::VR,
-                                aAxis, aValue);
-
-  VRManager* vm = VRManager::Get();
-  MOZ_ASSERT(vm);
-  vm->NotifyGamepadChange<dom::GamepadAxisInformation>(a);
-}
-
-void
-VRControllerManager::NewPoseState(uint32_t aIndex,
-                                  const dom::GamepadPoseState& aPose)
-{
-  dom::GamepadPoseInformation a(aIndex, dom::GamepadServiceType::VR,
-                                aPose);
-
-  VRManager* vm = VRManager::Get();
-  MOZ_ASSERT(vm);
-  vm->NotifyGamepadChange<dom::GamepadPoseInformation>(a);
-}
diff --git a/gfx/vr/gfxVR.h b/gfx/vr/gfxVR.h
deleted file mode 100644
index b468757413..0000000000
--- a/gfx/vr/gfxVR.h
+++ /dev/null
@@ -1,285 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_H
-#define GFX_VR_H
-
-#include "nsTArray.h"
-#include "nsString.h"
-#include "nsCOMPtr.h"
-#include "mozilla/RefPtr.h"
-#include "mozilla/gfx/2D.h"
-#include "mozilla/Atomics.h"
-#include "mozilla/EnumeratedArray.h"
-#include "mozilla/TimeStamp.h"
-#include "mozilla/TypedEnumBits.h"
-
-namespace mozilla {
-namespace layers {
-class PTextureParent;
-}
-namespace dom {
-enum class GamepadMappingType : uint32_t;
-struct GamepadPoseState;
-}
-namespace gfx {
-class VRLayerParent;
-class VRDisplayHost;
-class VRControllerHost;
-
-enum class VRDeviceType : uint16_t {
-  Oculus,
-  OpenVR,
-  OSVR,
-  NumVRDeviceTypes
-};
-
-enum class VRDisplayCapabilityFlags : uint16_t {
-  Cap_None = 0,
-  /**
-   * Cap_Position is set if the VRDisplay is capable of tracking its position.
-   */
-  Cap_Position = 1 << 1,
-  /**
-    * Cap_Orientation is set if the VRDisplay is capable of tracking its orientation.
-    */
-  Cap_Orientation = 1 << 2,
-  /**
-   * Cap_Present is set if the VRDisplay is capable of presenting content to an
-   * HMD or similar device.  Can be used to indicate "magic window" devices that
-   * are capable of 6DoF tracking but for which requestPresent is not meaningful.
-   * If false then calls to requestPresent should always fail, and
-   * getEyeParameters should return null.
-   */
-  Cap_Present = 1 << 3,
-  /**
-   * Cap_External is set if the VRDisplay is separate from the device's
-   * primary display. If presenting VR content will obscure
-   * other content on the device, this should be un-set. When
-   * un-set, the application should not attempt to mirror VR content
-   * or update non-VR UI because that content will not be visible.
-   */
-  Cap_External = 1 << 4,
-  /**
-   * Cap_AngularAcceleration is set if the VRDisplay is capable of tracking its
-   * angular acceleration.
-   */
-  Cap_AngularAcceleration = 1 << 5,
-  /**
-   * Cap_LinearAcceleration is set if the VRDisplay is capable of tracking its
-   * linear acceleration.
-   */
-  Cap_LinearAcceleration = 1 << 6,
-  /**
-   * Cap_StageParameters is set if the VRDisplay is capable of room scale VR
-   * and can report the StageParameters to describe the space.
-   */
-  Cap_StageParameters = 1 << 7,
-  /**
-   * Cap_All used for validity checking during IPC serialization
-   */
-  Cap_All = (1 << 8) - 1
-};
-
-MOZ_MAKE_ENUM_CLASS_BITWISE_OPERATORS(VRDisplayCapabilityFlags)
-
-struct VRFieldOfView {
-  VRFieldOfView() {}
-  VRFieldOfView(double up, double right, double down, double left)
-    : upDegrees(up), rightDegrees(right), downDegrees(down), leftDegrees(left)
-  {}
-
-  void SetFromTanRadians(double up, double right, double down, double left)
-  {
-    upDegrees = atan(up) * 180.0 / M_PI;
-    rightDegrees = atan(right) * 180.0 / M_PI;
-    downDegrees = atan(down) * 180.0 / M_PI;
-    leftDegrees = atan(left) * 180.0 / M_PI;
-  }
-
-  bool operator==(const VRFieldOfView& other) const {
-    return other.upDegrees == upDegrees &&
-           other.downDegrees == downDegrees &&
-           other.rightDegrees == rightDegrees &&
-           other.leftDegrees == leftDegrees;
-  }
-
-  bool operator!=(const VRFieldOfView& other) const {
-    return !(*this == other);
-  }
-
-  bool IsZero() const {
-    return upDegrees == 0.0 ||
-      rightDegrees == 0.0 ||
-      downDegrees == 0.0 ||
-      leftDegrees == 0.0;
-  }
-
-  Matrix4x4 ConstructProjectionMatrix(float zNear, float zFar, bool rightHanded) const;
-
-  double upDegrees;
-  double rightDegrees;
-  double downDegrees;
-  double leftDegrees;
-};
-
-struct VRDisplayInfo
-{
-  VRDeviceType GetType() const { return mType; }
-  uint32_t GetDisplayID() const { return mDisplayID; }
-  const nsCString& GetDisplayName() const { return mDisplayName; }
-  VRDisplayCapabilityFlags GetCapabilities() const { return mCapabilityFlags; }
-
-  const IntSize& SuggestedEyeResolution() const { return mEyeResolution; }
-  const Point3D& GetEyeTranslation(uint32_t whichEye) const { return mEyeTranslation[whichEye]; }
-  const VRFieldOfView& GetEyeFOV(uint32_t whichEye) const { return mEyeFOV[whichEye]; }
-  bool GetIsConnected() const { return mIsConnected; }
-  bool GetIsPresenting() const { return mIsPresenting; }
-  const Size& GetStageSize() const { return mStageSize; }
-  const Matrix4x4& GetSittingToStandingTransform() const { return mSittingToStandingTransform; }
-
-  enum Eye {
-    Eye_Left,
-    Eye_Right,
-    NumEyes
-  };
-
-  uint32_t mDisplayID;
-  VRDeviceType mType;
-  nsCString mDisplayName;
-  VRDisplayCapabilityFlags mCapabilityFlags;
-  VRFieldOfView mEyeFOV[VRDisplayInfo::NumEyes];
-  Point3D mEyeTranslation[VRDisplayInfo::NumEyes];
-  IntSize mEyeResolution;
-  bool mIsConnected;
-  bool mIsPresenting;
-  Size mStageSize;
-  Matrix4x4 mSittingToStandingTransform;
-
-  bool operator==(const VRDisplayInfo& other) const {
-    return mType == other.mType &&
-           mDisplayID == other.mDisplayID &&
-           mDisplayName == other.mDisplayName &&
-           mCapabilityFlags == other.mCapabilityFlags &&
-           mEyeResolution == other.mEyeResolution &&
-           mIsConnected == other.mIsConnected &&
-           mIsPresenting == other.mIsPresenting &&
-           mEyeFOV[0] == other.mEyeFOV[0] &&
-           mEyeFOV[1] == other.mEyeFOV[1] &&
-           mEyeTranslation[0] == other.mEyeTranslation[0] &&
-           mEyeTranslation[1] == other.mEyeTranslation[1] &&
-           mStageSize == other.mStageSize &&
-           mSittingToStandingTransform == other.mSittingToStandingTransform;
-  }
-
-  bool operator!=(const VRDisplayInfo& other) const {
-    return !(*this == other);
-  }
-};
-
-struct VRHMDSensorState {
-  double timestamp;
-  int32_t inputFrameID;
-  VRDisplayCapabilityFlags flags;
-  float orientation[4];
-  float position[3];
-  float angularVelocity[3];
-  float angularAcceleration[3];
-  float linearVelocity[3];
-  float linearAcceleration[3];
-
-  void Clear() {
-    memset(this, 0, sizeof(VRHMDSensorState));
-  }
-};
-
-class VRDisplayManager {
-public:
-  static uint32_t AllocateDisplayID();
-
-protected:
-  static Atomic<uint32_t> sDisplayBase;
-
-public:
-  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VRDisplayManager)
-
-  virtual bool Init() = 0;
-  virtual void Destroy() = 0;
-  virtual void GetHMDs(nsTArray<RefPtr<VRDisplayHost>>& aHMDResult) = 0;
-
-protected:
-  VRDisplayManager() { }
-  virtual ~VRDisplayManager() { }
-};
-
-struct VRControllerInfo
-{
-  VRDeviceType GetType() const { return mType; }
-  uint32_t GetControllerID() const { return mControllerID; }
-  const nsCString& GetControllerName() const { return mControllerName; }
-  uint32_t GetMappingType() const { return mMappingType; }
-  uint32_t GetNumButtons() const { return mNumButtons; }
-  uint32_t GetNumAxes() const { return mNumAxes; }
-
-  uint32_t mControllerID;
-  VRDeviceType mType;
-  nsCString mControllerName;
-  uint32_t mMappingType;
-  uint32_t mNumButtons;
-  uint32_t mNumAxes;
-
-  bool operator==(const VRControllerInfo& other) const {
-  return mType == other.mType &&
-         mControllerID == other.mControllerID &&
-         mControllerName == other.mControllerName &&
-         mMappingType == other.mMappingType &&
-         mNumButtons == other.mNumButtons &&
-         mNumAxes == other.mNumAxes;
-  }
-
-  bool operator!=(const VRControllerInfo& other) const {
-    return !(*this == other);
-  }
-};
-
-class VRControllerManager {
-public:
-  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VRControllerManager)
-
-  static uint32_t AllocateControllerID();
-  virtual bool Init() = 0;
-  virtual void Destroy() = 0;
-  virtual void HandleInput() = 0;
-  virtual void GetControllers(nsTArray<RefPtr<VRControllerHost>>& aControllerResult) = 0;
-  virtual void ScanForDevices() = 0;
-  void NewButtonEvent(uint32_t aIndex, uint32_t aButton, bool aPressed);
-  void NewAxisMove(uint32_t aIndex, uint32_t aAxis, double aValue);
-  void NewPoseState(uint32_t aIndex, const dom::GamepadPoseState& aPose);
-  void AddGamepad(const char* aID, uint32_t aMapping,
-                  uint32_t aNumButtons, uint32_t aNumAxes);
-  void RemoveGamepad(uint32_t aIndex);
-
-protected:
-  VRControllerManager() : mInstalled(false), mControllerCount(0) {}
-  virtual ~VRControllerManager() {}
-
-  bool mInstalled;
-  uint32_t mControllerCount;
-  static Atomic<uint32_t> sControllerBase;
-
-private:
-  virtual void HandleButtonPress(uint32_t aControllerIdx,
-                                 uint64_t aButtonPressed) = 0;
-  virtual void HandleAxisMove(uint32_t aControllerIdx, uint32_t aAxis,
-                              float aValue) = 0;
-  virtual void HandlePoseTracking(uint32_t aControllerIdx,
-                                  const dom::GamepadPoseState& aPose,
-                                  VRControllerHost* aController) = 0;
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-#endif /* GFX_VR_H */
diff --git a/gfx/vr/gfxVROSVR.cpp b/gfx/vr/gfxVROSVR.cpp
deleted file mode 100644
index 8b275e923f..0000000000
--- a/gfx/vr/gfxVROSVR.cpp
+++ /dev/null
@@ -1,529 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <math.h>
-
-#include "prlink.h"
-#include "prmem.h"
-#include "prenv.h"
-#include "gfxPrefs.h"
-#include "nsString.h"
-#include "mozilla/Preferences.h"
-
-#include "mozilla/gfx/Quaternion.h"
-
-#ifdef XP_WIN
-#include "../layers/d3d11/CompositorD3D11.h"
-#include "../layers/d3d11/TextureD3D11.h"
-#endif
-
-#include "gfxVROSVR.h"
-
-#ifndef M_PI
-#define M_PI 3.14159265358979323846
-#endif
-
-using namespace mozilla::layers;
-using namespace mozilla::gfx;
-using namespace mozilla::gfx::impl;
-
-namespace {
-// need to typedef functions that will be used in the code below
-extern "C" {
-typedef OSVR_ClientContext (*pfn_osvrClientInit)(
-  const char applicationIdentifier[], uint32_t flags);
-typedef OSVR_ReturnCode (*pfn_osvrClientShutdown)(OSVR_ClientContext ctx);
-typedef OSVR_ReturnCode (*pfn_osvrClientUpdate)(OSVR_ClientContext ctx);
-typedef OSVR_ReturnCode (*pfn_osvrClientCheckStatus)(OSVR_ClientContext ctx);
-typedef OSVR_ReturnCode (*pfn_osvrClientGetInterface)(
-  OSVR_ClientContext ctx, const char path[], OSVR_ClientInterface* iface);
-typedef OSVR_ReturnCode (*pfn_osvrClientFreeInterface)(
-  OSVR_ClientContext ctx, OSVR_ClientInterface iface);
-typedef OSVR_ReturnCode (*pfn_osvrGetOrientationState)(
-  OSVR_ClientInterface iface, OSVR_TimeValue* timestamp,
-  OSVR_OrientationState* state);
-typedef OSVR_ReturnCode (*pfn_osvrGetPositionState)(OSVR_ClientInterface iface,
-                                                    OSVR_TimeValue* timestamp,
-                                                    OSVR_PositionState* state);
-typedef OSVR_ReturnCode (*pfn_osvrClientGetDisplay)(OSVR_ClientContext ctx,
-                                                    OSVR_DisplayConfig* disp);
-typedef OSVR_ReturnCode (*pfn_osvrClientFreeDisplay)(OSVR_DisplayConfig disp);
-typedef OSVR_ReturnCode (*pfn_osvrClientGetNumEyesForViewer)(
-  OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount* eyes);
-typedef OSVR_ReturnCode (*pfn_osvrClientGetViewerEyePose)(
-  OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-  OSVR_Pose3* pose);
-typedef OSVR_ReturnCode (*pfn_osvrClientGetDisplayDimensions)(
-  OSVR_DisplayConfig disp, OSVR_DisplayInputCount displayInputIndex,
-  OSVR_DisplayDimension* width, OSVR_DisplayDimension* height);
-typedef OSVR_ReturnCode (
-  *pfn_osvrClientGetViewerEyeSurfaceProjectionClippingPlanes)(
-  OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-  OSVR_SurfaceCount surface, double* left, double* right, double* bottom,
-  double* top);
-typedef OSVR_ReturnCode (*pfn_osvrClientGetRelativeViewportForViewerEyeSurface)(
-  OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-  OSVR_SurfaceCount surface, OSVR_ViewportDimension* left,
-  OSVR_ViewportDimension* bottom, OSVR_ViewportDimension* width,
-  OSVR_ViewportDimension* height);
-typedef OSVR_ReturnCode (*pfn_osvrClientGetViewerEyeSurfaceProjectionMatrixf)(
-  OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-  OSVR_SurfaceCount surface, float near, float far,
-  OSVR_MatrixConventions flags, float* matrix);
-typedef OSVR_ReturnCode (*pfn_osvrClientCheckDisplayStartup)(
-  OSVR_DisplayConfig disp);
-typedef OSVR_ReturnCode (*pfn_osvrClientSetRoomRotationUsingHead)(
-  OSVR_ClientContext ctx);
-}
-
-static pfn_osvrClientInit osvr_ClientInit = nullptr;
-static pfn_osvrClientShutdown osvr_ClientShutdown = nullptr;
-static pfn_osvrClientUpdate osvr_ClientUpdate = nullptr;
-static pfn_osvrClientCheckStatus osvr_ClientCheckStatus = nullptr;
-static pfn_osvrClientGetInterface osvr_ClientGetInterface = nullptr;
-static pfn_osvrClientFreeInterface osvr_ClientFreeInterface = nullptr;
-static pfn_osvrGetOrientationState osvr_GetOrientationState = nullptr;
-static pfn_osvrGetPositionState osvr_GetPositionState = nullptr;
-static pfn_osvrClientGetDisplay osvr_ClientGetDisplay = nullptr;
-static pfn_osvrClientFreeDisplay osvr_ClientFreeDisplay = nullptr;
-static pfn_osvrClientGetNumEyesForViewer osvr_ClientGetNumEyesForViewer =
-  nullptr;
-static pfn_osvrClientGetViewerEyePose osvr_ClientGetViewerEyePose = nullptr;
-static pfn_osvrClientGetDisplayDimensions osvr_ClientGetDisplayDimensions =
-  nullptr;
-static pfn_osvrClientGetViewerEyeSurfaceProjectionClippingPlanes
-  osvr_ClientGetViewerEyeSurfaceProjectionClippingPlanes = nullptr;
-static pfn_osvrClientGetRelativeViewportForViewerEyeSurface
-  osvr_ClientGetRelativeViewportForViewerEyeSurface = nullptr;
-static pfn_osvrClientGetViewerEyeSurfaceProjectionMatrixf
-  osvr_ClientGetViewerEyeSurfaceProjectionMatrixf = nullptr;
-static pfn_osvrClientCheckDisplayStartup osvr_ClientCheckDisplayStartup =
-  nullptr;
-static pfn_osvrClientSetRoomRotationUsingHead
-  osvr_ClientSetRoomRotationUsingHead = nullptr;
-
-bool
-LoadOSVRRuntime()
-{
-  static PRLibrary* osvrUtilLib = nullptr;
-  static PRLibrary* osvrCommonLib = nullptr;
-  static PRLibrary* osvrClientLib = nullptr;
-  static PRLibrary* osvrClientKitLib = nullptr;
-  //this looks up the path in the about:config setting, from greprefs.js or modules\libpref\init\all.js
-  nsAdoptingCString osvrUtilPath =
-    mozilla::Preferences::GetCString("gfx.vr.osvr.utilLibPath");
-  nsAdoptingCString osvrCommonPath =
-    mozilla::Preferences::GetCString("gfx.vr.osvr.commonLibPath");
-  nsAdoptingCString osvrClientPath =
-    mozilla::Preferences::GetCString("gfx.vr.osvr.clientLibPath");
-  nsAdoptingCString osvrClientKitPath =
-    mozilla::Preferences::GetCString("gfx.vr.osvr.clientKitLibPath");
-
-  //we need all the libs to be valid
-  if ((!osvrUtilPath) || (!osvrCommonPath) || (!osvrClientPath) ||
-      (!osvrClientKitPath)) {
-    return false;
-  }
-
-  osvrUtilLib = PR_LoadLibrary(osvrUtilPath.BeginReading());
-  osvrCommonLib = PR_LoadLibrary(osvrCommonPath.BeginReading());
-  osvrClientLib = PR_LoadLibrary(osvrClientPath.BeginReading());
-  osvrClientKitLib = PR_LoadLibrary(osvrClientKitPath.BeginReading());
-
-  if (!osvrUtilLib) {
-    printf_stderr("[OSVR] Failed to load OSVR Util library!\n");
-    return false;
-  }
-  if (!osvrCommonLib) {
-    printf_stderr("[OSVR] Failed to load OSVR Common library!\n");
-    return false;
-  }
-  if (!osvrClientLib) {
-    printf_stderr("[OSVR] Failed to load OSVR Client library!\n");
-    return false;
-  }
-  if (!osvrClientKitLib) {
-    printf_stderr("[OSVR] Failed to load OSVR ClientKit library!\n");
-    return false;
-  }
-
-// make sure all functions that we'll be using are available
-#define REQUIRE_FUNCTION(_x)                                                   \
-  do {                                                                         \
-    *(void**) & osvr_##_x =                                                    \
-      (void*)PR_FindSymbol(osvrClientKitLib, "osvr" #_x);                      \
-    if (!osvr_##_x) {                                                          \
-      printf_stderr("osvr" #_x " symbol missing\n");                           \
-      goto fail;                                                               \
-    }                                                                          \
-  } while (0)
-
-  REQUIRE_FUNCTION(ClientInit);
-  REQUIRE_FUNCTION(ClientShutdown);
-  REQUIRE_FUNCTION(ClientUpdate);
-  REQUIRE_FUNCTION(ClientCheckStatus);
-  REQUIRE_FUNCTION(ClientGetInterface);
-  REQUIRE_FUNCTION(ClientFreeInterface);
-  REQUIRE_FUNCTION(GetOrientationState);
-  REQUIRE_FUNCTION(GetPositionState);
-  REQUIRE_FUNCTION(ClientGetDisplay);
-  REQUIRE_FUNCTION(ClientFreeDisplay);
-  REQUIRE_FUNCTION(ClientGetNumEyesForViewer);
-  REQUIRE_FUNCTION(ClientGetViewerEyePose);
-  REQUIRE_FUNCTION(ClientGetDisplayDimensions);
-  REQUIRE_FUNCTION(ClientGetViewerEyeSurfaceProjectionClippingPlanes);
-  REQUIRE_FUNCTION(ClientGetRelativeViewportForViewerEyeSurface);
-  REQUIRE_FUNCTION(ClientGetViewerEyeSurfaceProjectionMatrixf);
-  REQUIRE_FUNCTION(ClientCheckDisplayStartup);
-  REQUIRE_FUNCTION(ClientSetRoomRotationUsingHead);
-
-#undef REQUIRE_FUNCTION
-
-  return true;
-
-fail:
-  return false;
-}
-
-} // namespace
-
-mozilla::gfx::VRFieldOfView
-SetFromTanRadians(double left, double right, double bottom, double top)
-{
-  mozilla::gfx::VRFieldOfView fovInfo;
-  fovInfo.leftDegrees = atan(left) * 180.0 / M_PI;
-  fovInfo.rightDegrees = atan(right) * 180.0 / M_PI;
-  fovInfo.upDegrees = atan(top) * 180.0 / M_PI;
-  fovInfo.downDegrees = atan(bottom) * 180.0 / M_PI;
-  return fovInfo;
-}
-
-VRDisplayOSVR::VRDisplayOSVR(OSVR_ClientContext* context,
-                         OSVR_ClientInterface* iface,
-                         OSVR_DisplayConfig* display)
-  : VRDisplayHost(VRDeviceType::OSVR)
-  , m_ctx(context)
-  , m_iface(iface)
-  , m_display(display)
-{
-
-  MOZ_COUNT_CTOR_INHERITED(VRDisplayOSVR, VRDisplayHost);
-
-  mDisplayInfo.mIsConnected = true;
-  mDisplayInfo.mDisplayName.AssignLiteral("OSVR HMD");
-  mDisplayInfo.mCapabilityFlags = VRDisplayCapabilityFlags::Cap_None;
-  mDisplayInfo.mCapabilityFlags =
-    VRDisplayCapabilityFlags::Cap_Orientation | VRDisplayCapabilityFlags::Cap_Position;
-
-  mDisplayInfo.mCapabilityFlags |= VRDisplayCapabilityFlags::Cap_External;
-  mDisplayInfo.mCapabilityFlags |= VRDisplayCapabilityFlags::Cap_Present;
-
-  // XXX OSVR display topology allows for more than one viewer
-  // will assume only one viewer for now (most likely stay that way)
-
-  OSVR_EyeCount numEyes;
-  osvr_ClientGetNumEyesForViewer(*m_display, 0, &numEyes);
-
-  for (uint8_t eye = 0; eye < numEyes; eye++) {
-    double left, right, bottom, top;
-    // XXX for now there is only one surface per eye
-    osvr_ClientGetViewerEyeSurfaceProjectionClippingPlanes(
-      *m_display, 0, eye, 0, &left, &right, &bottom, &top);
-    mDisplayInfo.mEyeFOV[eye] =
-      SetFromTanRadians(-left, right, -bottom, top);
-  }
-
-  // XXX Assuming there is only one display input for now
-  // however, it's possible to have more than one (dSight with 2 HDMI inputs)
-  OSVR_DisplayDimension width, height;
-  osvr_ClientGetDisplayDimensions(*m_display, 0, &width, &height);
-
-
-  for (uint8_t eye = 0; eye < numEyes; eye++) {
-
-    OSVR_ViewportDimension l, b, w, h;
-    osvr_ClientGetRelativeViewportForViewerEyeSurface(*m_display, 0, eye, 0, &l,
-                                                      &b, &w, &h);
-    mDisplayInfo.mEyeResolution.width = w;
-    mDisplayInfo.mEyeResolution.height = h;
-    OSVR_Pose3 eyePose;
-    // Viewer eye pose may not be immediately available, update client context until we get it
-    OSVR_ReturnCode ret =
-      osvr_ClientGetViewerEyePose(*m_display, 0, eye, &eyePose);
-    while (ret != OSVR_RETURN_SUCCESS) {
-      osvr_ClientUpdate(*m_ctx);
-      ret = osvr_ClientGetViewerEyePose(*m_display, 0, eye, &eyePose);
-    }
-    mDisplayInfo.mEyeTranslation[eye].x = eyePose.translation.data[0];
-    mDisplayInfo.mEyeTranslation[eye].y = eyePose.translation.data[1];
-    mDisplayInfo.mEyeTranslation[eye].z = eyePose.translation.data[2];
-  }
-}
-
-void
-VRDisplayOSVR::Destroy()
-{
-  // destroy non-owning pointers
-  m_ctx = nullptr;
-  m_iface = nullptr;
-  m_display = nullptr;
-}
-
-void
-VRDisplayOSVR::ZeroSensor()
-{
-  // recenter pose aka reset yaw
-  osvr_ClientSetRoomRotationUsingHead(*m_ctx);
-}
-
-VRHMDSensorState
-VRDisplayOSVR::GetSensorState()
-{
-
-  //update client context before anything
-  //this usually goes into app's mainloop
-  osvr_ClientUpdate(*m_ctx);
-
-  VRHMDSensorState result;
-  OSVR_TimeValue timestamp;
-  result.Clear();
-
-  OSVR_OrientationState orientation;
-
-  OSVR_ReturnCode ret =
-    osvr_GetOrientationState(*m_iface, &timestamp, &orientation);
-
-  result.timestamp = timestamp.seconds;
-
-  if (ret == OSVR_RETURN_SUCCESS) {
-    result.flags |= VRDisplayCapabilityFlags::Cap_Orientation;
-    result.orientation[0] = orientation.data[1];
-    result.orientation[1] = orientation.data[2];
-    result.orientation[2] = orientation.data[3];
-    result.orientation[3] = orientation.data[0];
-  }
-
-  OSVR_PositionState position;
-  ret = osvr_GetPositionState(*m_iface, &timestamp, &position);
-  if (ret == OSVR_RETURN_SUCCESS) {
-    result.flags |= VRDisplayCapabilityFlags::Cap_Position;
-    result.position[0] = position.data[0];
-    result.position[1] = position.data[1];
-    result.position[2] = position.data[2];
-  }
-
-  return result;
-}
-
-VRHMDSensorState
-VRDisplayOSVR::GetImmediateSensorState()
-{
-  return GetSensorState();
-}
-
-#if defined(XP_WIN)
-
-void
-VRDisplayOSVR::SubmitFrame(TextureSourceD3D11* aSource,
-  const IntSize& aSize,
-  const VRHMDSensorState& aSensorState,
-  const gfx::Rect& aLeftEyeRect,
-  const gfx::Rect& aRightEyeRect)
-{
-  // XXX Add code to submit frame
-}
-
-#endif
-
-void
-VRDisplayOSVR::StartPresentation()
-{
-  // XXX Add code to start VR Presentation
-}
-
-void
-VRDisplayOSVR::StopPresentation()
-{
-  // XXX Add code to end VR Presentation
-}
-
-already_AddRefed<VRDisplayManagerOSVR>
-VRDisplayManagerOSVR::Create()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-
-  if (!gfxPrefs::VREnabled() || !gfxPrefs::VROSVREnabled()) {
-    return nullptr;
-  }
-  if (!LoadOSVRRuntime()) {
-    return nullptr;
-  }
-  RefPtr<VRDisplayManagerOSVR> manager = new VRDisplayManagerOSVR();
-  return manager.forget();
-}
-
-void
-VRDisplayManagerOSVR::CheckOSVRStatus()
-{
-  if (mOSVRInitialized) {
-    return;
-  }
-
-  // client context must be initialized first
-  InitializeClientContext();
-
-  // update client context
-  osvr_ClientUpdate(m_ctx);
-
-  // initialize interface and display if they are not initialized yet
-  InitializeInterface();
-  InitializeDisplay();
-
-  // OSVR is fully initialized now
-  if (mClientContextInitialized && mDisplayConfigInitialized &&
-      mInterfaceInitialized) {
-    mOSVRInitialized = true;
-  }
-}
-
-void
-VRDisplayManagerOSVR::InitializeClientContext()
-{
-  // already initialized
-  if (mClientContextInitialized) {
-    return;
-  }
-
-  // first time creating
-  if (!m_ctx) {
-    // get client context
-    m_ctx = osvr_ClientInit("com.osvr.webvr", 0);
-    // update context
-    osvr_ClientUpdate(m_ctx);
-    // verify we are connected
-    if (OSVR_RETURN_SUCCESS == osvr_ClientCheckStatus(m_ctx)) {
-      mClientContextInitialized = true;
-    }
-  }
-  // client context exists but not up and running yet
-  else {
-    // update context
-    osvr_ClientUpdate(m_ctx);
-    if (OSVR_RETURN_SUCCESS == osvr_ClientCheckStatus(m_ctx)) {
-      mClientContextInitialized = true;
-    }
-  }
-}
-
-void
-VRDisplayManagerOSVR::InitializeInterface()
-{
-  // already initialized
-  if (mInterfaceInitialized) {
-    return;
-  }
-  //Client context must be initialized before getting interface
-  if (mClientContextInitialized) {
-    // m_iface will remain nullptr if no interface is returned
-    if (OSVR_RETURN_SUCCESS ==
-        osvr_ClientGetInterface(m_ctx, "/me/head", &m_iface)) {
-      mInterfaceInitialized = true;
-    }
-  }
-}
-
-void
-VRDisplayManagerOSVR::InitializeDisplay()
-{
-  // display is fully configured
-  if (mDisplayConfigInitialized) {
-    return;
-  }
-
-  //Client context must be initialized before getting interface
-  if (mClientContextInitialized) {
-    // first time creating display object
-    if (m_display == nullptr) {
-
-      OSVR_ReturnCode ret = osvr_ClientGetDisplay(m_ctx, &m_display);
-
-      if (ret == OSVR_RETURN_SUCCESS) {
-        osvr_ClientUpdate(m_ctx);
-        // display object may have been created but not fully startup
-        if (OSVR_RETURN_SUCCESS == osvr_ClientCheckDisplayStartup(m_display)) {
-          mDisplayConfigInitialized = true;
-        }
-      }
-
-      // Typically once we get Display object, pose data is available after
-      // clientUpdate but sometimes it takes ~ 200 ms to get
-      // a succesfull connection, so we might have to run a few update cycles
-    } else {
-
-      if (OSVR_RETURN_SUCCESS == osvr_ClientCheckDisplayStartup(m_display)) {
-        mDisplayConfigInitialized = true;
-      }
-    }
-  }
-}
-
-bool
-VRDisplayManagerOSVR::Init()
-{
-
-  // OSVR server should be running in the background
-  // It would load plugins and take care of detecting HMDs
-  if (!mOSVRInitialized) {
-    nsIThread* thread = nullptr;
-    NS_GetCurrentThread(&thread);
-    mOSVRThread = already_AddRefed<nsIThread>(thread);
-
-    // initialize client context
-    InitializeClientContext();
-    // try to initialize interface
-    InitializeInterface();
-    // try to initialize display object
-    InitializeDisplay();
-    // verify all components are initialized
-    CheckOSVRStatus();
-  }
-
-  return mOSVRInitialized;
-}
-
-void
-VRDisplayManagerOSVR::Destroy()
-{
-  if (mOSVRInitialized) {
-    MOZ_ASSERT(NS_GetCurrentThread() == mOSVRThread);
-    mOSVRThread = nullptr;
-    mHMDInfo = nullptr;
-    mOSVRInitialized = false;
-  }
-  // client context may not have been initialized
-  if (m_ctx) {
-    osvr_ClientFreeDisplay(m_display);
-  }
-  // osvr checks that m_ctx or m_iface are not null
-  osvr_ClientFreeInterface(m_ctx, m_iface);
-  osvr_ClientShutdown(m_ctx);
-}
-
-void
-VRDisplayManagerOSVR::GetHMDs(nsTArray<RefPtr<VRDisplayHost>>& aHMDResult)
-{
-  // make sure context, interface and display are initialized
-  CheckOSVRStatus();
-
-  if (!mOSVRInitialized) {
-    return;
-  }
-
-  mHMDInfo = new VRDisplayOSVR(&m_ctx, &m_iface, &m_display);
-
-  if (mHMDInfo) {
-    aHMDResult.AppendElement(mHMDInfo);
-  }
-}
diff --git a/gfx/vr/gfxVROSVR.h b/gfx/vr/gfxVROSVR.h
deleted file mode 100644
index 6bd6e93d27..0000000000
--- a/gfx/vr/gfxVROSVR.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_OSVR_H
-#define GFX_VR_OSVR_H
-
-#include "nsTArray.h"
-#include "mozilla/RefPtr.h"
-#include "nsThreadUtils.h"
-
-#include "mozilla/gfx/2D.h"
-#include "mozilla/EnumeratedArray.h"
-
-#include "VRDisplayHost.h"
-
-#include <osvr/ClientKit/ClientKitC.h>
-#include <osvr/ClientKit/DisplayC.h>
-
-namespace mozilla {
-namespace gfx {
-namespace impl {
-
-class VRDisplayOSVR : public VRDisplayHost
-{
-public:
-  VRHMDSensorState GetSensorState() override;
-  VRHMDSensorState GetImmediateSensorState() override;
-  void ZeroSensor() override;
-
-protected:
-  virtual void StartPresentation() override;
-  virtual void StopPresentation() override;
-
-#if defined(XP_WIN)
-  virtual void SubmitFrame(TextureSourceD3D11* aSource,
-    const IntSize& aSize,
-    const VRHMDSensorState& aSensorState,
-    const gfx::Rect& aLeftEyeRect,
-    const gfx::Rect& aRightEyeRect) override;
-#endif
-
-public:
-  explicit VRDisplayOSVR(OSVR_ClientContext* context,
-                         OSVR_ClientInterface* iface,
-                         OSVR_DisplayConfig* display);
-
-protected:
-  virtual ~VRDisplayOSVR()
-  {
-    Destroy();
-    MOZ_COUNT_DTOR_INHERITED(VRDisplayOSVR, VRDisplayHost);
-  }
-  void Destroy();
-
-  OSVR_ClientContext* m_ctx;
-  OSVR_ClientInterface* m_iface;
-  OSVR_DisplayConfig* m_display;
-};
-
-} // namespace impl
-
-class VRDisplayManagerOSVR : public VRDisplayManager
-{
-public:
-  static already_AddRefed<VRDisplayManagerOSVR> Create();
-  virtual bool Init() override;
-  virtual void Destroy() override;
-  virtual void GetHMDs(nsTArray<RefPtr<VRDisplayHost>>& aHMDResult) override;
-
-protected:
-  VRDisplayManagerOSVR()
-    : mOSVRInitialized(false)
-    , mClientContextInitialized(false)
-    , mDisplayConfigInitialized(false)
-    , mInterfaceInitialized(false)
-    , m_ctx(nullptr)
-    , m_iface(nullptr)
-    , m_display(nullptr)
-  {
-  }
-
-  RefPtr<impl::VRDisplayOSVR> mHMDInfo;
-  bool mOSVRInitialized;
-  bool mClientContextInitialized;
-  bool mDisplayConfigInitialized;
-  bool mInterfaceInitialized;
-  RefPtr<nsIThread> mOSVRThread;
-
-  OSVR_ClientContext m_ctx;
-  OSVR_ClientInterface m_iface;
-  OSVR_DisplayConfig m_display;
-
-private:
-  // check if all components are initialized
-  // and if not, it will try to initialize them
-  void CheckOSVRStatus();
-  void InitializeClientContext();
-  void InitializeDisplay();
-  void InitializeInterface();
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-#endif /* GFX_VR_OSVR_H */
\ No newline at end of file
diff --git a/gfx/vr/gfxVROculus.cpp b/gfx/vr/gfxVROculus.cpp
deleted file mode 100644
index c00a22320b..0000000000
--- a/gfx/vr/gfxVROculus.cpp
+++ /dev/null
@@ -1,896 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef XP_WIN
-#error "Oculus 1.3 runtime support only available for Windows"
-#endif
-
-#include <math.h>
-
-
-#include "prlink.h"
-#include "prmem.h"
-#include "prenv.h"
-#include "gfxPrefs.h"
-#include "nsString.h"
-#include "mozilla/DebugOnly.h"
-#include "mozilla/Preferences.h"
-#include "mozilla/TimeStamp.h"
-#include "mozilla/gfx/DeviceManagerDx.h"
-#include "ipc/VRLayerParent.h"
-
-#include "mozilla/gfx/Quaternion.h"
-
-#include <d3d11.h>
-#include "CompositorD3D11.h"
-#include "TextureD3D11.h"
-
-#include "gfxVROculus.h"
-
-/** XXX The DX11 objects and quad blitting could be encapsulated
- *    into a separate object if either Oculus starts supporting
- *     non-Windows platforms or the blit is needed by other HMD\
- *     drivers.
- *     Alternately, we could remove the extra blit for
- *     Oculus as well with some more refactoring.
- */
-
-// See CompositorD3D11Shaders.h
-struct ShaderBytes { const void* mData; size_t mLength; };
-extern ShaderBytes sRGBShader;
-extern ShaderBytes sLayerQuadVS;
-#ifndef M_PI
-# define M_PI 3.14159265358979323846
-#endif
-
-using namespace mozilla;
-using namespace mozilla::gfx;
-using namespace mozilla::gfx::impl;
-using namespace mozilla::layers;
-
-namespace {
-
-#ifdef OVR_CAPI_LIMITED_MOZILLA
-static pfn_ovr_Initialize ovr_Initialize = nullptr;
-static pfn_ovr_Shutdown ovr_Shutdown = nullptr;
-static pfn_ovr_GetLastErrorInfo ovr_GetLastErrorInfo = nullptr;
-static pfn_ovr_GetVersionString ovr_GetVersionString = nullptr;
-static pfn_ovr_TraceMessage ovr_TraceMessage = nullptr;
-static pfn_ovr_GetHmdDesc ovr_GetHmdDesc = nullptr;
-static pfn_ovr_GetTrackerCount ovr_GetTrackerCount = nullptr;
-static pfn_ovr_GetTrackerDesc ovr_GetTrackerDesc = nullptr;
-static pfn_ovr_Create ovr_Create = nullptr;
-static pfn_ovr_Destroy ovr_Destroy = nullptr;
-static pfn_ovr_GetSessionStatus ovr_GetSessionStatus = nullptr;
-static pfn_ovr_SetTrackingOriginType ovr_SetTrackingOriginType = nullptr;
-static pfn_ovr_GetTrackingOriginType ovr_GetTrackingOriginType = nullptr;
-static pfn_ovr_RecenterTrackingOrigin ovr_RecenterTrackingOrigin = nullptr;
-static pfn_ovr_ClearShouldRecenterFlag ovr_ClearShouldRecenterFlag = nullptr;
-static pfn_ovr_GetTrackingState ovr_GetTrackingState = nullptr;
-static pfn_ovr_GetTrackerPose ovr_GetTrackerPose = nullptr;
-static pfn_ovr_GetInputState ovr_GetInputState = nullptr;
-static pfn_ovr_GetConnectedControllerTypes ovr_GetConnectedControllerTypes = nullptr;
-static pfn_ovr_SetControllerVibration ovr_SetControllerVibration = nullptr;
-static pfn_ovr_GetTextureSwapChainLength ovr_GetTextureSwapChainLength = nullptr;
-static pfn_ovr_GetTextureSwapChainCurrentIndex ovr_GetTextureSwapChainCurrentIndex = nullptr;
-static pfn_ovr_GetTextureSwapChainDesc ovr_GetTextureSwapChainDesc = nullptr;
-static pfn_ovr_CommitTextureSwapChain ovr_CommitTextureSwapChain = nullptr;
-static pfn_ovr_DestroyTextureSwapChain ovr_DestroyTextureSwapChain = nullptr;
-static pfn_ovr_DestroyMirrorTexture ovr_DestroyMirrorTexture = nullptr;
-static pfn_ovr_GetFovTextureSize ovr_GetFovTextureSize = nullptr;
-static pfn_ovr_GetRenderDesc ovr_GetRenderDesc = nullptr;
-static pfn_ovr_SubmitFrame ovr_SubmitFrame = nullptr;
-static pfn_ovr_GetPredictedDisplayTime ovr_GetPredictedDisplayTime = nullptr;
-static pfn_ovr_GetTimeInSeconds ovr_GetTimeInSeconds = nullptr;
-static pfn_ovr_GetBool ovr_GetBool = nullptr;
-static pfn_ovr_SetBool ovr_SetBool = nullptr;
-static pfn_ovr_GetInt ovr_GetInt = nullptr;
-static pfn_ovr_SetInt ovr_SetInt = nullptr;
-static pfn_ovr_GetFloat ovr_GetFloat = nullptr;
-static pfn_ovr_SetFloat ovr_SetFloat = nullptr;
-static pfn_ovr_GetFloatArray ovr_GetFloatArray = nullptr;
-static pfn_ovr_SetFloatArray ovr_SetFloatArray = nullptr;
-static pfn_ovr_GetString ovr_GetString = nullptr;
-static pfn_ovr_SetString ovr_SetString = nullptr;
-
-#ifdef XP_WIN
-static pfn_ovr_CreateTextureSwapChainDX ovr_CreateTextureSwapChainDX = nullptr;
-static pfn_ovr_GetTextureSwapChainBufferDX ovr_GetTextureSwapChainBufferDX = nullptr;
-static pfn_ovr_CreateMirrorTextureDX ovr_CreateMirrorTextureDX = nullptr;
-static pfn_ovr_GetMirrorTextureBufferDX ovr_GetMirrorTextureBufferDX = nullptr;
-#endif
-
-static pfn_ovr_CreateTextureSwapChainGL ovr_CreateTextureSwapChainGL = nullptr;
-static pfn_ovr_GetTextureSwapChainBufferGL ovr_GetTextureSwapChainBufferGL = nullptr;
-static pfn_ovr_CreateMirrorTextureGL ovr_CreateMirrorTextureGL = nullptr;
-static pfn_ovr_GetMirrorTextureBufferGL ovr_GetMirrorTextureBufferGL = nullptr;
-
-#ifdef HAVE_64BIT_BUILD
-#define BUILD_BITS 64
-#else
-#define BUILD_BITS 32
-#endif
-
-#define OVR_PRODUCT_VERSION 1
-#define OVR_MAJOR_VERSION   3
-#define OVR_MINOR_VERSION   1
-
-static bool
-InitializeOculusCAPI()
-{
-  static PRLibrary *ovrlib = nullptr;
-
-  if (!ovrlib) {
-    nsTArray<nsCString> libSearchPaths;
-    nsCString libName;
-    nsCString searchPath;
-
-#if defined(_WIN32)
-    static const char dirSep = '\\';
-#else
-    static const char dirSep = '/';
-#endif
-
-#if defined(_WIN32)
-    static const int pathLen = 260;
-    searchPath.SetCapacity(pathLen);
-    int realLen = ::GetSystemDirectoryA(searchPath.BeginWriting(), pathLen);
-    if (realLen != 0 && realLen < pathLen) {
-      searchPath.SetLength(realLen);
-      libSearchPaths.AppendElement(searchPath);
-    }
-    libName.AppendPrintf("LibOVRRT%d_%d.dll", BUILD_BITS, OVR_PRODUCT_VERSION);
-#elif defined(__APPLE__)
-    searchPath.Truncate();
-    searchPath.AppendPrintf("/Library/Frameworks/LibOVRRT_%d.framework/Versions/%d", OVR_PRODUCT_VERSION, OVR_MAJOR_VERSION);
-    libSearchPaths.AppendElement(searchPath);
-
-    if (PR_GetEnv("HOME")) {
-      searchPath.Truncate();
-      searchPath.AppendPrintf("%s/Library/Frameworks/LibOVRRT_%d.framework/Versions/%d", PR_GetEnv("HOME"), OVR_PRODUCT_VERSION, OVR_MAJOR_VERSION);
-      libSearchPaths.AppendElement(searchPath);
-    }
-    // The following will match the va_list overload of AppendPrintf if the product version is 0
-    // That's bad times.
-    //libName.AppendPrintf("LibOVRRT_%d", OVR_PRODUCT_VERSION);
-    libName.Append("LibOVRRT_");
-    libName.AppendInt(OVR_PRODUCT_VERSION);
-#else
-    libSearchPaths.AppendElement(nsCString("/usr/local/lib"));
-    libSearchPaths.AppendElement(nsCString("/usr/lib"));
-    libName.AppendPrintf("libOVRRT%d_%d.so.%d", BUILD_BITS, OVR_PRODUCT_VERSION, OVR_MAJOR_VERSION);
-#endif
-    
-    // If the pref is present, we override libName
-    nsAdoptingCString prefLibPath = mozilla::Preferences::GetCString("dom.vr.ovr_lib_path");
-    if (prefLibPath && prefLibPath.get()) {
-      libSearchPaths.InsertElementsAt(0, 1, prefLibPath);
-    }
-
-    nsAdoptingCString prefLibName = mozilla::Preferences::GetCString("dom.vr.ovr_lib_name");
-    if (prefLibName && prefLibName.get()) {
-      libName.Assign(prefLibName);
-    }
-
-    // search the path/module dir
-    libSearchPaths.InsertElementsAt(0, 1, nsCString());
-
-    // If the env var is present, we override libName
-    if (PR_GetEnv("OVR_LIB_PATH")) {
-      searchPath = PR_GetEnv("OVR_LIB_PATH");
-      libSearchPaths.InsertElementsAt(0, 1, searchPath);
-    }
-
-    if (PR_GetEnv("OVR_LIB_NAME")) {
-      libName = PR_GetEnv("OVR_LIB_NAME");
-    }
-
-    for (uint32_t i = 0; i < libSearchPaths.Length(); ++i) {
-      nsCString& libPath = libSearchPaths[i];
-      nsCString fullName;
-      if (libPath.Length() == 0) {
-        fullName.Assign(libName);
-      } else {
-        fullName.AppendPrintf("%s%c%s", libPath.BeginReading(), dirSep, libName.BeginReading());
-      }
-
-      ovrlib = PR_LoadLibrary(fullName.BeginReading());
-      if (ovrlib)
-        break;
-    }
-
-    if (!ovrlib) {
-      return false;
-    }
-  }
-
-  // was it already initialized?
-  if (ovr_Initialize)
-    return true;
-
-#define REQUIRE_FUNCTION(_x) do { \
-    *(void **)&_x = (void *) PR_FindSymbol(ovrlib, #_x);                \
-    if (!_x) { printf_stderr(#_x " symbol missing\n"); goto fail; }       \
-  } while (0)
-
-  REQUIRE_FUNCTION(ovr_Initialize);
-  REQUIRE_FUNCTION(ovr_Shutdown);
-  REQUIRE_FUNCTION(ovr_GetLastErrorInfo);
-  REQUIRE_FUNCTION(ovr_GetVersionString);
-  REQUIRE_FUNCTION(ovr_TraceMessage);
-  REQUIRE_FUNCTION(ovr_GetHmdDesc);
-  REQUIRE_FUNCTION(ovr_GetTrackerCount);
-  REQUIRE_FUNCTION(ovr_GetTrackerDesc);
-  REQUIRE_FUNCTION(ovr_Create);
-  REQUIRE_FUNCTION(ovr_Destroy);
-  REQUIRE_FUNCTION(ovr_GetSessionStatus);
-  REQUIRE_FUNCTION(ovr_SetTrackingOriginType);
-  REQUIRE_FUNCTION(ovr_GetTrackingOriginType);
-  REQUIRE_FUNCTION(ovr_RecenterTrackingOrigin);
-  REQUIRE_FUNCTION(ovr_ClearShouldRecenterFlag);
-  REQUIRE_FUNCTION(ovr_GetTrackingState);
-  REQUIRE_FUNCTION(ovr_GetTrackerPose);
-  REQUIRE_FUNCTION(ovr_GetInputState);
-  REQUIRE_FUNCTION(ovr_GetConnectedControllerTypes);
-  REQUIRE_FUNCTION(ovr_SetControllerVibration);
-  REQUIRE_FUNCTION(ovr_GetTextureSwapChainLength);
-  REQUIRE_FUNCTION(ovr_GetTextureSwapChainCurrentIndex);
-  REQUIRE_FUNCTION(ovr_GetTextureSwapChainDesc);
-  REQUIRE_FUNCTION(ovr_CommitTextureSwapChain);
-  REQUIRE_FUNCTION(ovr_DestroyTextureSwapChain);
-  REQUIRE_FUNCTION(ovr_DestroyMirrorTexture);
-  REQUIRE_FUNCTION(ovr_GetFovTextureSize);
-  REQUIRE_FUNCTION(ovr_GetRenderDesc);
-  REQUIRE_FUNCTION(ovr_SubmitFrame);
-  REQUIRE_FUNCTION(ovr_GetPredictedDisplayTime);
-  REQUIRE_FUNCTION(ovr_GetTimeInSeconds);
-  REQUIRE_FUNCTION(ovr_GetBool);
-  REQUIRE_FUNCTION(ovr_SetBool);
-  REQUIRE_FUNCTION(ovr_GetInt);
-  REQUIRE_FUNCTION(ovr_SetInt);
-  REQUIRE_FUNCTION(ovr_GetFloat);
-  REQUIRE_FUNCTION(ovr_SetFloat);
-  REQUIRE_FUNCTION(ovr_GetFloatArray);
-  REQUIRE_FUNCTION(ovr_SetFloatArray);
-  REQUIRE_FUNCTION(ovr_GetString);
-  REQUIRE_FUNCTION(ovr_SetString);
-
-#ifdef XP_WIN
-
-  REQUIRE_FUNCTION(ovr_CreateTextureSwapChainDX);
-  REQUIRE_FUNCTION(ovr_GetTextureSwapChainBufferDX);
-  REQUIRE_FUNCTION(ovr_CreateMirrorTextureDX);
-  REQUIRE_FUNCTION(ovr_GetMirrorTextureBufferDX);
-
-#endif
-
-  REQUIRE_FUNCTION(ovr_CreateTextureSwapChainGL);
-  REQUIRE_FUNCTION(ovr_GetTextureSwapChainBufferGL);
-  REQUIRE_FUNCTION(ovr_CreateMirrorTextureGL);
-  REQUIRE_FUNCTION(ovr_GetMirrorTextureBufferGL);
-
-#undef REQUIRE_FUNCTION
-
-  return true;
-
- fail:
-  ovr_Initialize = nullptr;
-  return false;
-}
-
-#else
-#include <OVR_Version.h>
-// we're statically linked; it's available
-static bool InitializeOculusCAPI()
-{
-  return true;
-}
-
-#endif
-
-ovrFovPort
-ToFovPort(const VRFieldOfView& aFOV)
-{
-  ovrFovPort fovPort;
-  fovPort.LeftTan = tan(aFOV.leftDegrees * M_PI / 180.0);
-  fovPort.RightTan = tan(aFOV.rightDegrees * M_PI / 180.0);
-  fovPort.UpTan = tan(aFOV.upDegrees * M_PI / 180.0);
-  fovPort.DownTan = tan(aFOV.downDegrees * M_PI / 180.0);
-  return fovPort;
-}
-
-VRFieldOfView
-FromFovPort(const ovrFovPort& aFOV)
-{
-  VRFieldOfView fovInfo;
-  fovInfo.leftDegrees = atan(aFOV.LeftTan) * 180.0 / M_PI;
-  fovInfo.rightDegrees = atan(aFOV.RightTan) * 180.0 / M_PI;
-  fovInfo.upDegrees = atan(aFOV.UpTan) * 180.0 / M_PI;
-  fovInfo.downDegrees = atan(aFOV.DownTan) * 180.0 / M_PI;
-  return fovInfo;
-}
-
-} // namespace
-
-VRDisplayOculus::VRDisplayOculus(ovrSession aSession)
-  : VRDisplayHost(VRDeviceType::Oculus)
-  , mSession(aSession)
-  , mTextureSet(nullptr)
-  , mQuadVS(nullptr)
-  , mQuadPS(nullptr)
-  , mLinearSamplerState(nullptr)
-  , mVSConstantBuffer(nullptr)
-  , mPSConstantBuffer(nullptr)
-  , mVertexBuffer(nullptr)
-  , mInputLayout(nullptr)
-  , mIsPresenting(false)
-{
-  MOZ_COUNT_CTOR_INHERITED(VRDisplayOculus, VRDisplayHost);
-
-  mDisplayInfo.mDisplayName.AssignLiteral("Oculus VR HMD");
-  mDisplayInfo.mIsConnected = true;
-
-  mDesc = ovr_GetHmdDesc(aSession);
-
-  mDisplayInfo.mCapabilityFlags = VRDisplayCapabilityFlags::Cap_None;
-  if (mDesc.AvailableTrackingCaps & ovrTrackingCap_Orientation) {
-    mDisplayInfo.mCapabilityFlags |= VRDisplayCapabilityFlags::Cap_Orientation;
-    mDisplayInfo.mCapabilityFlags |= VRDisplayCapabilityFlags::Cap_AngularAcceleration;
-  }
-  if (mDesc.AvailableTrackingCaps & ovrTrackingCap_Position) {
-    mDisplayInfo.mCapabilityFlags |= VRDisplayCapabilityFlags::Cap_Position;
-    mDisplayInfo.mCapabilityFlags |= VRDisplayCapabilityFlags::Cap_LinearAcceleration;
-  }
-  mDisplayInfo.mCapabilityFlags |= VRDisplayCapabilityFlags::Cap_External;
-  mDisplayInfo.mCapabilityFlags |= VRDisplayCapabilityFlags::Cap_Present;
-
-  mFOVPort[VRDisplayInfo::Eye_Left] = mDesc.DefaultEyeFov[ovrEye_Left];
-  mFOVPort[VRDisplayInfo::Eye_Right] = mDesc.DefaultEyeFov[ovrEye_Right];
-
-  mDisplayInfo.mEyeFOV[VRDisplayInfo::Eye_Left] = FromFovPort(mFOVPort[VRDisplayInfo::Eye_Left]);
-  mDisplayInfo.mEyeFOV[VRDisplayInfo::Eye_Right] = FromFovPort(mFOVPort[VRDisplayInfo::Eye_Right]);
-
-  float pixelsPerDisplayPixel = 1.0;
-  ovrSizei texSize[2];
-
-  // get eye parameters and create the mesh
-  for (uint32_t eye = 0; eye < VRDisplayInfo::NumEyes; eye++) {
-
-    ovrEyeRenderDesc renderDesc = ovr_GetRenderDesc(mSession, (ovrEyeType)eye, mFOVPort[eye]);
-
-    // As of Oculus 0.6.0, the HmdToEyeOffset values are correct and don't need to be negated.
-    mDisplayInfo.mEyeTranslation[eye] = Point3D(renderDesc.HmdToEyeOffset.x, renderDesc.HmdToEyeOffset.y, renderDesc.HmdToEyeOffset.z);
-
-    texSize[eye] = ovr_GetFovTextureSize(mSession, (ovrEyeType)eye, mFOVPort[eye], pixelsPerDisplayPixel);
-  }
-
-  // take the max of both for eye resolution
-  mDisplayInfo.mEyeResolution.width = std::max(texSize[VRDisplayInfo::Eye_Left].w, texSize[VRDisplayInfo::Eye_Right].w);
-  mDisplayInfo.mEyeResolution.height = std::max(texSize[VRDisplayInfo::Eye_Left].h, texSize[VRDisplayInfo::Eye_Right].h);
-}
-
-VRDisplayOculus::~VRDisplayOculus() {
-  StopPresentation();
-  Destroy();
-  MOZ_COUNT_DTOR_INHERITED(VRDisplayOculus, VRDisplayHost);
-}
-
-void
-VRDisplayOculus::Destroy()
-{
-  if (mSession) {
-    ovr_Destroy(mSession);
-    mSession = nullptr;
-  }
-}
-
-void
-VRDisplayOculus::ZeroSensor()
-{
-  ovr_RecenterTrackingOrigin(mSession);
-}
-
-VRHMDSensorState
-VRDisplayOculus::GetSensorState()
-{
-  mInputFrameID++;
-
-  VRHMDSensorState result;
-  double frameDelta = 0.0f;
-  if (gfxPrefs::VRPosePredictionEnabled()) {
-    // XXX We might need to call ovr_GetPredictedDisplayTime even if we don't use the result.
-    // If we don't call it, the Oculus driver will spew out many warnings...
-    double predictedFrameTime = ovr_GetPredictedDisplayTime(mSession, mInputFrameID);
-    frameDelta = predictedFrameTime - ovr_GetTimeInSeconds();
-  }
-  result = GetSensorState(frameDelta);
-  result.inputFrameID = mInputFrameID;
-  mLastSensorState[result.inputFrameID % kMaxLatencyFrames] = result;
-  return result;
-}
-
-VRHMDSensorState
-VRDisplayOculus::GetImmediateSensorState()
-{
-  return GetSensorState(0.0);
-}
-
-VRHMDSensorState
-VRDisplayOculus::GetSensorState(double timeOffset)
-{
-  VRHMDSensorState result;
-  result.Clear();
-
-  ovrTrackingState state = ovr_GetTrackingState(mSession, timeOffset, true);
-  ovrPoseStatef& pose(state.HeadPose);
-
-  result.timestamp = pose.TimeInSeconds;
-
-  if (state.StatusFlags & ovrStatus_OrientationTracked) {
-    result.flags |= VRDisplayCapabilityFlags::Cap_Orientation;
-
-    result.orientation[0] = pose.ThePose.Orientation.x;
-    result.orientation[1] = pose.ThePose.Orientation.y;
-    result.orientation[2] = pose.ThePose.Orientation.z;
-    result.orientation[3] = pose.ThePose.Orientation.w;
-    
-    result.angularVelocity[0] = pose.AngularVelocity.x;
-    result.angularVelocity[1] = pose.AngularVelocity.y;
-    result.angularVelocity[2] = pose.AngularVelocity.z;
-
-    result.flags |= VRDisplayCapabilityFlags::Cap_AngularAcceleration;
-
-    result.angularAcceleration[0] = pose.AngularAcceleration.x;
-    result.angularAcceleration[1] = pose.AngularAcceleration.y;
-    result.angularAcceleration[2] = pose.AngularAcceleration.z;
-  }
-
-  if (state.StatusFlags & ovrStatus_PositionTracked) {
-    result.flags |= VRDisplayCapabilityFlags::Cap_Position;
-
-    result.position[0] = pose.ThePose.Position.x;
-    result.position[1] = pose.ThePose.Position.y;
-    result.position[2] = pose.ThePose.Position.z;
-    
-    result.linearVelocity[0] = pose.LinearVelocity.x;
-    result.linearVelocity[1] = pose.LinearVelocity.y;
-    result.linearVelocity[2] = pose.LinearVelocity.z;
-
-    result.flags |= VRDisplayCapabilityFlags::Cap_LinearAcceleration;
-
-    result.linearAcceleration[0] = pose.LinearAcceleration.x;
-    result.linearAcceleration[1] = pose.LinearAcceleration.y;
-    result.linearAcceleration[2] = pose.LinearAcceleration.z;
-  }
-  result.flags |= VRDisplayCapabilityFlags::Cap_External;
-  result.flags |= VRDisplayCapabilityFlags::Cap_Present;
-
-  return result;
-}
-
-void
-VRDisplayOculus::StartPresentation()
-{
-  if (mIsPresenting) {
-    return;
-  }
-  mIsPresenting = true;
-
-  /**
-   * The presentation format is determined by content, which describes the
-   * left and right eye rectangles in the VRLayer.  The default, if no
-   * coordinates are passed is to place the left and right eye textures
-   * side-by-side within the buffer.
-   *
-   * XXX - An optimization would be to dynamically resize this buffer
-   *       to accomodate sites that are choosing to render in a lower
-   *       resolution or are using space outside of the left and right
-   *       eye textures for other purposes.  (Bug 1291443)
-   */
-  ovrTextureSwapChainDesc desc;
-  memset(&desc, 0, sizeof(desc));
-  desc.Type = ovrTexture_2D;
-  desc.ArraySize = 1;
-  desc.Format = OVR_FORMAT_B8G8R8A8_UNORM_SRGB;
-  desc.Width = mDisplayInfo.mEyeResolution.width * 2;
-  desc.Height = mDisplayInfo.mEyeResolution.height;
-  desc.MipLevels = 1;
-  desc.SampleCount = 1;
-  desc.StaticImage = false;
-  desc.MiscFlags = ovrTextureMisc_DX_Typeless;
-  desc.BindFlags = ovrTextureBind_DX_RenderTarget;
-
-  if (!mDevice) {
-    mDevice = gfx::DeviceManagerDx::Get()->GetCompositorDevice();
-    if (!mDevice) {
-      NS_WARNING("Failed to get a D3D11Device for Oculus");
-      return;
-    }
-  }
-
-  mDevice->GetImmediateContext(getter_AddRefs(mContext));
-  if (!mContext) {
-    NS_WARNING("Failed to get immediate context for Oculus");
-    return;
-  }
-
-  if (FAILED(mDevice->CreateVertexShader(sLayerQuadVS.mData, sLayerQuadVS.mLength, nullptr, &mQuadVS))) {
-    NS_WARNING("Failed to create vertex shader for Oculus");
-    return;
-  }
-
-  if (FAILED(mDevice->CreatePixelShader(sRGBShader.mData, sRGBShader.mLength, nullptr, &mQuadPS))) {
-    NS_WARNING("Failed to create pixel shader for Oculus");
-    return;
-  }
-
-  CD3D11_BUFFER_DESC cBufferDesc(sizeof(layers::VertexShaderConstants),
-    D3D11_BIND_CONSTANT_BUFFER,
-    D3D11_USAGE_DYNAMIC,
-    D3D11_CPU_ACCESS_WRITE);
-
-  if (FAILED(mDevice->CreateBuffer(&cBufferDesc, nullptr, getter_AddRefs(mVSConstantBuffer)))) {
-    NS_WARNING("Failed to vertex shader constant buffer for Oculus");
-    return;
-  }
-
-  cBufferDesc.ByteWidth = sizeof(layers::PixelShaderConstants);
-  if (FAILED(mDevice->CreateBuffer(&cBufferDesc, nullptr, getter_AddRefs(mPSConstantBuffer)))) {
-    NS_WARNING("Failed to pixel shader constant buffer for Oculus");
-    return;
-  }
-
-  CD3D11_SAMPLER_DESC samplerDesc(D3D11_DEFAULT);
-  if (FAILED(mDevice->CreateSamplerState(&samplerDesc, getter_AddRefs(mLinearSamplerState)))) {
-    NS_WARNING("Failed to create sampler state for Oculus");
-    return;
-  }
-
-  D3D11_INPUT_ELEMENT_DESC layout[] =
-  {
-    { "POSITION", 0, DXGI_FORMAT_R32G32_FLOAT, 0, 0, D3D11_INPUT_PER_VERTEX_DATA, 0 },
-  };
-
-  if (FAILED(mDevice->CreateInputLayout(layout,
-                                            sizeof(layout) / sizeof(D3D11_INPUT_ELEMENT_DESC),
-                                            sLayerQuadVS.mData,
-                                            sLayerQuadVS.mLength,
-                                            getter_AddRefs(mInputLayout)))) {
-    NS_WARNING("Failed to create input layout for Oculus");
-    return;
-  }
-
-  ovrResult orv = ovr_CreateTextureSwapChainDX(mSession, mDevice, &desc, &mTextureSet);
-  if (orv != ovrSuccess) {
-    NS_WARNING("ovr_CreateTextureSwapChainDX failed");
-    return;
-  }
-
-  int textureCount = 0;
-  orv = ovr_GetTextureSwapChainLength(mSession, mTextureSet, &textureCount);
-  if (orv != ovrSuccess) {
-    NS_WARNING("ovr_GetTextureSwapChainLength failed");
-    return;
-  }
-
-  Vertex vertices[] = { { { 0.0, 0.0 } },{ { 1.0, 0.0 } },{ { 0.0, 1.0 } },{ { 1.0, 1.0 } } };
-  CD3D11_BUFFER_DESC bufferDesc(sizeof(vertices), D3D11_BIND_VERTEX_BUFFER);
-  D3D11_SUBRESOURCE_DATA data;
-  data.pSysMem = (void*)vertices;
-
-  if (FAILED(mDevice->CreateBuffer(&bufferDesc, &data, getter_AddRefs(mVertexBuffer)))) {
-    NS_WARNING("Failed to create vertex buffer for Oculus");
-    return;
-  }
-
-  mRenderTargets.SetLength(textureCount);
-
-  memset(&mVSConstants, 0, sizeof(mVSConstants));
-  memset(&mPSConstants, 0, sizeof(mPSConstants));
-
-  for (int i = 0; i < textureCount; ++i) {
-    RefPtr<CompositingRenderTargetD3D11> rt;
-    ID3D11Texture2D* texture = nullptr;
-    orv = ovr_GetTextureSwapChainBufferDX(mSession, mTextureSet, i, IID_PPV_ARGS(&texture));
-    MOZ_ASSERT(orv == ovrSuccess, "ovr_GetTextureSwapChainBufferDX failed.");
-    rt = new CompositingRenderTargetD3D11(texture, IntPoint(0, 0), DXGI_FORMAT_B8G8R8A8_UNORM);
-    rt->SetSize(IntSize(mDisplayInfo.mEyeResolution.width * 2, mDisplayInfo.mEyeResolution.height));
-    mRenderTargets[i] = rt;
-    texture->Release();
-  }
-}
-
-void
-VRDisplayOculus::StopPresentation()
-{
-  if (!mIsPresenting) {
-    return;
-  }
-  mIsPresenting = false;
-
-  ovr_SubmitFrame(mSession, 0, nullptr, nullptr, 0);
-
-  if (mTextureSet) {
-    ovr_DestroyTextureSwapChain(mSession, mTextureSet);
-    mTextureSet = nullptr;
-  }
-}
-
-/*static*/ already_AddRefed<VRDisplayManagerOculus>
-VRDisplayManagerOculus::Create()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-
-  if (!gfxPrefs::VREnabled() || !gfxPrefs::VROculusEnabled())
-  {
-    return nullptr;
-  }
-
-  if (!InitializeOculusCAPI()) {
-    return nullptr;
-  }
-
-  RefPtr<VRDisplayManagerOculus> manager = new VRDisplayManagerOculus();
-  return manager.forget();
-}
-
-bool
-VRDisplayManagerOculus::Init()
-{
-  if (!mOculusInitialized) {
-    nsIThread* thread = nullptr;
-    NS_GetCurrentThread(&thread);
-    mOculusThread = already_AddRefed<nsIThread>(thread);
-
-    ovrInitParams params;
-    memset(&params, 0, sizeof(params));
-    params.Flags = ovrInit_RequestVersion;
-    params.RequestedMinorVersion = OVR_MINOR_VERSION;
-    params.LogCallback = nullptr;
-    params.ConnectionTimeoutMS = 0;
-
-    ovrResult orv = ovr_Initialize(&params);
-
-    if (orv == ovrSuccess) {
-      mOculusInitialized = true;
-    }
-  }
-
-  return mOculusInitialized;
-}
-
-void
-VRDisplayManagerOculus::Destroy()
-{
-  if (mOculusInitialized) {
-    MOZ_ASSERT(NS_GetCurrentThread() == mOculusThread);
-    mOculusThread = nullptr;
-
-    mHMDInfo = nullptr;
-
-    ovr_Shutdown();
-    mOculusInitialized = false;
-  }
-}
-
-void
-VRDisplayManagerOculus::GetHMDs(nsTArray<RefPtr<VRDisplayHost>>& aHMDResult)
-{
-  if (!mOculusInitialized) {
-    return;
-  }
-
-  // ovr_Create can be slow when no HMD is present and we wish
-  // to keep the same oculus session when possible, so we detect
-  // presence of an HMD with ovr_GetHmdDesc before calling ovr_Create
-  ovrHmdDesc desc = ovr_GetHmdDesc(NULL);
-  if (desc.Type == ovrHmd_None) {
-    // No HMD connected.
-    mHMDInfo = nullptr;
-  } else if (mHMDInfo == nullptr) {
-    // HMD Detected
-    ovrSession session;
-    ovrGraphicsLuid luid;
-    ovrResult orv = ovr_Create(&session, &luid);
-    if (orv == ovrSuccess) {
-      mHMDInfo = new VRDisplayOculus(session);
-    }
-  }
-
-  if (mHMDInfo) {
-    aHMDResult.AppendElement(mHMDInfo);
-  }
-}
-
-already_AddRefed<CompositingRenderTargetD3D11>
-VRDisplayOculus::GetNextRenderTarget()
-{
-  int currentRenderTarget = 0;
-  DebugOnly<ovrResult> orv = ovr_GetTextureSwapChainCurrentIndex(mSession, mTextureSet, &currentRenderTarget);
-  MOZ_ASSERT(orv == ovrSuccess, "ovr_GetTextureSwapChainCurrentIndex failed.");
-
-  mRenderTargets[currentRenderTarget]->ClearOnBind();
-  RefPtr<CompositingRenderTargetD3D11> rt = mRenderTargets[currentRenderTarget];
-  return rt.forget();
-}
-
-bool
-VRDisplayOculus::UpdateConstantBuffers()
-{
-  HRESULT hr;
-  D3D11_MAPPED_SUBRESOURCE resource;
-  resource.pData = nullptr;
-
-  hr = mContext->Map(mVSConstantBuffer, 0, D3D11_MAP_WRITE_DISCARD, 0, &resource);
-  if (FAILED(hr) || !resource.pData) {
-    return false;
-  }
-  *(VertexShaderConstants*)resource.pData = mVSConstants;
-  mContext->Unmap(mVSConstantBuffer, 0);
-  resource.pData = nullptr;
-
-  hr = mContext->Map(mPSConstantBuffer, 0, D3D11_MAP_WRITE_DISCARD, 0, &resource);
-  if (FAILED(hr) || !resource.pData) {
-    return false;
-  }
-  *(PixelShaderConstants*)resource.pData = mPSConstants;
-  mContext->Unmap(mPSConstantBuffer, 0);
-
-  ID3D11Buffer *buffer = mVSConstantBuffer;
-  mContext->VSSetConstantBuffers(0, 1, &buffer);
-  buffer = mPSConstantBuffer;
-  mContext->PSSetConstantBuffers(0, 1, &buffer);
-  return true;
-}
-
-void
-VRDisplayOculus::SubmitFrame(TextureSourceD3D11* aSource,
-  const IntSize& aSize,
-  const VRHMDSensorState& aSensorState,
-  const gfx::Rect& aLeftEyeRect,
-  const gfx::Rect& aRightEyeRect)
-{
-  if (!mIsPresenting) {
-    return;
-  }
-  if (mRenderTargets.IsEmpty()) {
-    /**
-     * XXX - We should resolve fail the promise returned by
-     *       VRDisplay.requestPresent() when the DX11 resources fail allocation
-     *       in VRDisplayOculus::StartPresentation().
-     *       Bailing out here prevents the crash but content should be aware
-     *       that frames are not being presented.
-     *       See Bug 1299309.
-     **/
-    return;
-  }
-  MOZ_ASSERT(mDevice);
-  MOZ_ASSERT(mContext);
-
-  RefPtr<CompositingRenderTargetD3D11> surface = GetNextRenderTarget();
-
-  surface->BindRenderTarget(mContext);
-
-  Matrix viewMatrix = Matrix::Translation(-1.0, 1.0);
-  viewMatrix.PreScale(2.0f / float(aSize.width), 2.0f / float(aSize.height));
-  viewMatrix.PreScale(1.0f, -1.0f);
-  Matrix4x4 projection = Matrix4x4::From2D(viewMatrix);
-  projection._33 = 0.0f;
-
-  Matrix transform2d;
-  gfx::Matrix4x4 transform = gfx::Matrix4x4::From2D(transform2d);
-
-  D3D11_VIEWPORT viewport;
-  viewport.MinDepth = 0.0f;
-  viewport.MaxDepth = 1.0f;
-  viewport.Width = aSize.width;
-  viewport.Height = aSize.height;
-  viewport.TopLeftX = 0;
-  viewport.TopLeftY = 0;
-
-  D3D11_RECT scissor;
-  scissor.left = 0;
-  scissor.right = aSize.width;
-  scissor.top = 0;
-  scissor.bottom = aSize.height;
-
-  memcpy(&mVSConstants.layerTransform, &transform._11, sizeof(mVSConstants.layerTransform));
-  memcpy(&mVSConstants.projection, &projection._11, sizeof(mVSConstants.projection));
-  mVSConstants.renderTargetOffset[0] = 0.0f;
-  mVSConstants.renderTargetOffset[1] = 0.0f;
-  mVSConstants.layerQuad = Rect(0.0f, 0.0f, aSize.width, aSize.height);
-  mVSConstants.textureCoords = Rect(0.0f, 1.0f, 1.0f, -1.0f);
-
-  mPSConstants.layerOpacity[0] = 1.0f;
-
-  ID3D11Buffer* vbuffer = mVertexBuffer;
-  UINT vsize = sizeof(Vertex);
-  UINT voffset = 0;
-  mContext->IASetVertexBuffers(0, 1, &vbuffer, &vsize, &voffset);
-  mContext->IASetIndexBuffer(nullptr, DXGI_FORMAT_R16_UINT, 0);
-  mContext->IASetInputLayout(mInputLayout);
-  mContext->RSSetViewports(1, &viewport);
-  mContext->RSSetScissorRects(1, &scissor);
-  mContext->IASetPrimitiveTopology(D3D11_PRIMITIVE_TOPOLOGY_TRIANGLESTRIP);
-  mContext->VSSetShader(mQuadVS, nullptr, 0);
-  mContext->PSSetShader(mQuadPS, nullptr, 0);
-  ID3D11ShaderResourceView* srView = aSource->GetShaderResourceView();
-  mContext->PSSetShaderResources(0 /* 0 == TexSlot::RGB */, 1, &srView);
-  // XXX Use Constant from TexSlot in CompositorD3D11.cpp?
-
-  ID3D11SamplerState *sampler = mLinearSamplerState;
-  mContext->PSSetSamplers(0, 1, &sampler);
-
-  if (!UpdateConstantBuffers()) {
-    NS_WARNING("Failed to update constant buffers for Oculus");
-    return;
-  }
-
-  mContext->Draw(4, 0);
-
-  ovrResult orv = ovr_CommitTextureSwapChain(mSession, mTextureSet);
-  if (orv != ovrSuccess) {
-    NS_WARNING("ovr_CommitTextureSwapChain failed.\n");
-    return;
-  }
-
-  ovrLayerEyeFov layer;
-  memset(&layer, 0, sizeof(layer));
-  layer.Header.Type = ovrLayerType_EyeFov;
-  layer.Header.Flags = 0;
-  layer.ColorTexture[0] = mTextureSet;
-  layer.ColorTexture[1] = nullptr;
-  layer.Fov[0] = mFOVPort[0];
-  layer.Fov[1] = mFOVPort[1];
-  layer.Viewport[0].Pos.x = aSize.width * aLeftEyeRect.x;
-  layer.Viewport[0].Pos.y = aSize.height * aLeftEyeRect.y;
-  layer.Viewport[0].Size.w = aSize.width * aLeftEyeRect.width;
-  layer.Viewport[0].Size.h = aSize.height * aLeftEyeRect.height;
-  layer.Viewport[1].Pos.x = aSize.width * aRightEyeRect.x;
-  layer.Viewport[1].Pos.y = aSize.height * aRightEyeRect.y;
-  layer.Viewport[1].Size.w = aSize.width * aRightEyeRect.width;
-  layer.Viewport[1].Size.h = aSize.height * aRightEyeRect.height;
-
-  const Point3D& l = mDisplayInfo.mEyeTranslation[0];
-  const Point3D& r = mDisplayInfo.mEyeTranslation[1];
-  const ovrVector3f hmdToEyeViewOffset[2] = { { l.x, l.y, l.z },
-                                              { r.x, r.y, r.z } };
-
-  for (uint32_t i = 0; i < 2; ++i) {
-    Quaternion o(aSensorState.orientation[0],
-      aSensorState.orientation[1],
-      aSensorState.orientation[2],
-      aSensorState.orientation[3]);
-    Point3D vo(hmdToEyeViewOffset[i].x, hmdToEyeViewOffset[i].y, hmdToEyeViewOffset[i].z);
-    Point3D p = o.RotatePoint(vo);
-    layer.RenderPose[i].Orientation.x = o.x;
-    layer.RenderPose[i].Orientation.y = o.y;
-    layer.RenderPose[i].Orientation.z = o.z;
-    layer.RenderPose[i].Orientation.w = o.w;
-    layer.RenderPose[i].Position.x = p.x + aSensorState.position[0];
-    layer.RenderPose[i].Position.y = p.y + aSensorState.position[1];
-    layer.RenderPose[i].Position.z = p.z + aSensorState.position[2];
-  }
-
-  ovrLayerHeader *layers = &layer.Header;
-  orv = ovr_SubmitFrame(mSession, aSensorState.inputFrameID, nullptr, &layers, 1);
-
-  if (orv != ovrSuccess) {
-    printf_stderr("ovr_SubmitFrame failed.\n");
-  }
-
-  // Trigger the next VSync immediately
-  VRManager *vm = VRManager::Get();
-  MOZ_ASSERT(vm);
-  vm->NotifyVRVsync(mDisplayInfo.mDisplayID);
-}
-
-void
-VRDisplayOculus::NotifyVSync()
-{
-  ovrSessionStatus sessionStatus;
-  ovrResult ovr = ovr_GetSessionStatus(mSession, &sessionStatus);
-  mDisplayInfo.mIsConnected = (ovr == ovrSuccess && sessionStatus.HmdPresent);
-}
diff --git a/gfx/vr/gfxVROculus.h b/gfx/vr/gfxVROculus.h
deleted file mode 100644
index ff00cb1dfa..0000000000
--- a/gfx/vr/gfxVROculus.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_OCULUS_H
-#define GFX_VR_OCULUS_H
-
-#include "nsTArray.h"
-#include "mozilla/RefPtr.h"
-
-#include "mozilla/gfx/2D.h"
-#include "mozilla/EnumeratedArray.h"
-
-#include "gfxVR.h"
-#include "VRDisplayHost.h"
-#include "ovr_capi_dynamic.h"
-
-struct ID3D11Device;
-
-namespace mozilla {
-namespace layers {
-class CompositingRenderTargetD3D11;
-struct VertexShaderConstants;
-struct PixelShaderConstants;
-}
-namespace gfx {
-namespace impl {
-
-class VRDisplayOculus : public VRDisplayHost
-{
-public:
-  virtual void NotifyVSync() override;
-  virtual VRHMDSensorState GetSensorState() override;
-  virtual VRHMDSensorState GetImmediateSensorState() override;
-  void ZeroSensor() override;
-
-protected:
-  virtual void StartPresentation() override;
-  virtual void StopPresentation() override;
-  virtual void SubmitFrame(mozilla::layers::TextureSourceD3D11* aSource,
-                           const IntSize& aSize,
-                           const VRHMDSensorState& aSensorState,
-                           const gfx::Rect& aLeftEyeRect,
-                           const gfx::Rect& aRightEyeRect) override;
-
-public:
-  explicit VRDisplayOculus(ovrSession aSession);
-
-protected:
-  virtual ~VRDisplayOculus();
-  void Destroy();
-
-  bool RequireSession();
-  const ovrHmdDesc& GetHmdDesc();
-
-  already_AddRefed<layers::CompositingRenderTargetD3D11> GetNextRenderTarget();
-
-  VRHMDSensorState GetSensorState(double timeOffset);
-
-  ovrHmdDesc mDesc;
-  ovrSession mSession;
-  ovrFovPort mFOVPort[2];
-  ovrTextureSwapChain mTextureSet;
-  nsTArray<RefPtr<layers::CompositingRenderTargetD3D11>> mRenderTargets;
-
-  RefPtr<ID3D11Device> mDevice;
-  RefPtr<ID3D11DeviceContext> mContext;
-  ID3D11VertexShader* mQuadVS;
-  ID3D11PixelShader* mQuadPS;
-  RefPtr<ID3D11SamplerState> mLinearSamplerState;
-  layers::VertexShaderConstants mVSConstants;
-  layers::PixelShaderConstants mPSConstants;
-  RefPtr<ID3D11Buffer> mVSConstantBuffer;
-  RefPtr<ID3D11Buffer> mPSConstantBuffer;
-  RefPtr<ID3D11Buffer> mVertexBuffer;
-  RefPtr<ID3D11InputLayout> mInputLayout;
-
-  bool mIsPresenting;
-  
-  bool UpdateConstantBuffers();
-
-  struct Vertex
-  {
-    float position[2];
-  };
-};
-
-} // namespace impl
-
-class VRDisplayManagerOculus : public VRDisplayManager
-{
-public:
-  static already_AddRefed<VRDisplayManagerOculus> Create();
-  virtual bool Init() override;
-  virtual void Destroy() override;
-  virtual void GetHMDs(nsTArray<RefPtr<VRDisplayHost> >& aHMDResult) override;
-protected:
-  VRDisplayManagerOculus()
-    : mOculusInitialized(false)
-  { }
-
-  RefPtr<impl::VRDisplayOculus> mHMDInfo;
-  bool mOculusInitialized;
-  RefPtr<nsIThread> mOculusThread;
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-#endif /* GFX_VR_OCULUS_H */
diff --git a/gfx/vr/gfxVROpenVR.cpp b/gfx/vr/gfxVROpenVR.cpp
deleted file mode 100644
index 01149c9831..0000000000
--- a/gfx/vr/gfxVROpenVR.cpp
+++ /dev/null
@@ -1,749 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <math.h>
-
-#include "prlink.h"
-#include "prmem.h"
-#include "prenv.h"
-#include "gfxPrefs.h"
-#include "nsString.h"
-#include "mozilla/Preferences.h"
-
-#include "mozilla/gfx/Quaternion.h"
-
-#ifdef XP_WIN
-#include "CompositorD3D11.h"
-#include "TextureD3D11.h"
-#endif // XP_WIN
-
-#include "gfxVROpenVR.h"
-
-#include "nsServiceManagerUtils.h"
-#include "nsIScreenManager.h"
-#include "openvr/openvr.h"
-
-#ifdef MOZ_GAMEPAD
-#include "mozilla/dom/GamepadEventTypes.h"
-#include "mozilla/dom/GamepadBinding.h"
-#endif
-
-#ifndef M_PI
-# define M_PI 3.14159265358979323846
-#endif
-
-using namespace mozilla;
-using namespace mozilla::gfx;
-using namespace mozilla::gfx::impl;
-using namespace mozilla::layers;
-using namespace mozilla::dom;
-
-namespace {
-extern "C" {
-typedef uint32_t (VR_CALLTYPE * pfn_VR_InitInternal)(::vr::HmdError *peError, ::vr::EVRApplicationType eApplicationType);
-typedef void (VR_CALLTYPE * pfn_VR_ShutdownInternal)();
-typedef bool (VR_CALLTYPE * pfn_VR_IsHmdPresent)();
-typedef bool (VR_CALLTYPE * pfn_VR_IsRuntimeInstalled)();
-typedef const char * (VR_CALLTYPE * pfn_VR_GetStringForHmdError)(::vr::HmdError error);
-typedef void * (VR_CALLTYPE * pfn_VR_GetGenericInterface)(const char *pchInterfaceVersion, ::vr::HmdError *peError);
-} // extern "C"
-} // namespace
-
-static pfn_VR_InitInternal vr_InitInternal = nullptr;
-static pfn_VR_ShutdownInternal vr_ShutdownInternal = nullptr;
-static pfn_VR_IsHmdPresent vr_IsHmdPresent = nullptr;
-static pfn_VR_IsRuntimeInstalled vr_IsRuntimeInstalled = nullptr;
-static pfn_VR_GetStringForHmdError vr_GetStringForHmdError = nullptr;
-static pfn_VR_GetGenericInterface vr_GetGenericInterface = nullptr;
-
-// EButton_System, EButton_DPad_xx, and EButton_A
-// can not be triggered in Steam Vive in OpenVR SDK 1.0.3.
-const uint64_t gOpenVRButtonMask[] = {
-  // vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_System),
-  vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_ApplicationMenu),
-  vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_Grip),
-  // vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_DPad_Left),
-  // vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_DPad_Up),
-  // vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_DPad_Right),
-  // vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_DPad_Down),
-  // vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_A),
-  vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_SteamVR_Touchpad),
-  vr::ButtonMaskFromId(vr::EVRButtonId::k_EButton_SteamVR_Trigger)
-};
-
-const uint32_t gNumOpenVRButtonMask = sizeof(gOpenVRButtonMask) /
-                                      sizeof(uint64_t);
-
-enum class VRControllerAxisType : uint16_t {
-  TrackpadXAxis,
-  TrackpadYAxis,
-  Trigger,
-  NumVRControllerAxisType
-};
-
-#define VRControllerAxis(aButtonId) (aButtonId - vr::EVRButtonId::k_EButton_Axis0)
-
-const uint32_t gOpenVRAxes[] = {
-  VRControllerAxis(vr::EVRButtonId::k_EButton_Axis0),
-  VRControllerAxis(vr::EVRButtonId::k_EButton_Axis0),
-  VRControllerAxis(vr::EVRButtonId::k_EButton_Axis1)
-};
-
-const uint32_t gNumOpenVRAxis = sizeof(gOpenVRAxes) /
-                                sizeof(uint32_t);
-
-
-bool
-LoadOpenVRRuntime()
-{
-  static PRLibrary *openvrLib = nullptr;
-
-  nsAdoptingCString openvrPath = Preferences::GetCString("gfx.vr.openvr-runtime");
-  if (!openvrPath)
-    return false;
-
-  openvrLib = PR_LoadLibrary(openvrPath.BeginReading());
-  if (!openvrLib)
-    return false;
-
-#define REQUIRE_FUNCTION(_x) do {                                       \
-    *(void **)&vr_##_x = (void *) PR_FindSymbol(openvrLib, "VR_" #_x);  \
-    if (!vr_##_x) { printf_stderr("VR_" #_x " symbol missing\n"); return false; } \
-  } while (0)
-
-  REQUIRE_FUNCTION(InitInternal);
-  REQUIRE_FUNCTION(ShutdownInternal);
-  REQUIRE_FUNCTION(IsHmdPresent);
-  REQUIRE_FUNCTION(IsRuntimeInstalled);
-  REQUIRE_FUNCTION(GetStringForHmdError);
-  REQUIRE_FUNCTION(GetGenericInterface);
-
-#undef REQUIRE_FUNCTION
-
-  return true;
-}
-
-VRDisplayOpenVR::VRDisplayOpenVR(::vr::IVRSystem *aVRSystem,
-                                 ::vr::IVRChaperone *aVRChaperone,
-                                 ::vr::IVRCompositor *aVRCompositor)
-  : VRDisplayHost(VRDeviceType::OpenVR)
-  , mVRSystem(aVRSystem)
-  , mVRChaperone(aVRChaperone)
-  , mVRCompositor(aVRCompositor)
-  , mIsPresenting(false)
-{
-  MOZ_COUNT_CTOR_INHERITED(VRDisplayOpenVR, VRDisplayHost);
-
-  mDisplayInfo.mDisplayName.AssignLiteral("OpenVR HMD");
-  mDisplayInfo.mIsConnected = true;
-  mDisplayInfo.mCapabilityFlags = VRDisplayCapabilityFlags::Cap_None |
-                                  VRDisplayCapabilityFlags::Cap_Orientation |
-                                  VRDisplayCapabilityFlags::Cap_Position |
-                                  VRDisplayCapabilityFlags::Cap_External |
-                                  VRDisplayCapabilityFlags::Cap_Present |
-                                  VRDisplayCapabilityFlags::Cap_StageParameters;
-
-  mVRCompositor->SetTrackingSpace(::vr::TrackingUniverseSeated);
-
-  uint32_t w, h;
-  mVRSystem->GetRecommendedRenderTargetSize(&w, &h);
-  mDisplayInfo.mEyeResolution.width = w;
-  mDisplayInfo.mEyeResolution.height = h;
-
-  // SteamVR gives the application a single FOV to use; it's not configurable as with Oculus
-  for (uint32_t eye = 0; eye < 2; ++eye) {
-    // get l/r/t/b clip plane coordinates
-    float l, r, t, b;
-    mVRSystem->GetProjectionRaw(static_cast<::vr::Hmd_Eye>(eye), &l, &r, &t, &b);
-    mDisplayInfo.mEyeFOV[eye].SetFromTanRadians(-t, r, b, -l);
-
-    ::vr::HmdMatrix34_t eyeToHead = mVRSystem->GetEyeToHeadTransform(static_cast<::vr::Hmd_Eye>(eye));
-
-    mDisplayInfo.mEyeTranslation[eye].x = eyeToHead.m[0][3];
-    mDisplayInfo.mEyeTranslation[eye].y = eyeToHead.m[1][3];
-    mDisplayInfo.mEyeTranslation[eye].z = eyeToHead.m[2][3];
-  }
-
-  UpdateStageParameters();
-}
-
-VRDisplayOpenVR::~VRDisplayOpenVR()
-{
-  Destroy();
-  MOZ_COUNT_DTOR_INHERITED(VRDisplayOpenVR, VRDisplayHost);
-}
-
-void
-VRDisplayOpenVR::Destroy()
-{
-  StopPresentation();
-  vr_ShutdownInternal();
-}
-
-void
-VRDisplayOpenVR::UpdateStageParameters()
-{
-  float sizeX = 0.0f;
-  float sizeZ = 0.0f;
-  if (mVRChaperone->GetPlayAreaSize(&sizeX, &sizeZ)) {
-    ::vr::HmdMatrix34_t t = mVRSystem->GetSeatedZeroPoseToStandingAbsoluteTrackingPose();
-    mDisplayInfo.mStageSize.width = sizeX;
-    mDisplayInfo.mStageSize.height = sizeZ;
-
-    mDisplayInfo.mSittingToStandingTransform._11 = t.m[0][0];
-    mDisplayInfo.mSittingToStandingTransform._12 = t.m[1][0];
-    mDisplayInfo.mSittingToStandingTransform._13 = t.m[2][0];
-    mDisplayInfo.mSittingToStandingTransform._14 = 0.0f;
-
-    mDisplayInfo.mSittingToStandingTransform._21 = t.m[0][1];
-    mDisplayInfo.mSittingToStandingTransform._22 = t.m[1][1];
-    mDisplayInfo.mSittingToStandingTransform._23 = t.m[2][1];
-    mDisplayInfo.mSittingToStandingTransform._24 = 0.0f;
-
-    mDisplayInfo.mSittingToStandingTransform._31 = t.m[0][2];
-    mDisplayInfo.mSittingToStandingTransform._32 = t.m[1][2];
-    mDisplayInfo.mSittingToStandingTransform._33 = t.m[2][2];
-    mDisplayInfo.mSittingToStandingTransform._34 = 0.0f;
-
-    mDisplayInfo.mSittingToStandingTransform._41 = t.m[0][3];
-    mDisplayInfo.mSittingToStandingTransform._42 = t.m[1][3];
-    mDisplayInfo.mSittingToStandingTransform._43 = t.m[2][3];
-    mDisplayInfo.mSittingToStandingTransform._44 = 1.0f;
-  } else {
-    // If we fail, fall back to reasonable defaults.
-    // 1m x 1m space, 0.75m high in seated position
-
-    mDisplayInfo.mStageSize.width = 1.0f;
-    mDisplayInfo.mStageSize.height = 1.0f;
-
-    mDisplayInfo.mSittingToStandingTransform._11 = 1.0f;
-    mDisplayInfo.mSittingToStandingTransform._12 = 0.0f;
-    mDisplayInfo.mSittingToStandingTransform._13 = 0.0f;
-    mDisplayInfo.mSittingToStandingTransform._14 = 0.0f;
-
-    mDisplayInfo.mSittingToStandingTransform._21 = 0.0f;
-    mDisplayInfo.mSittingToStandingTransform._22 = 1.0f;
-    mDisplayInfo.mSittingToStandingTransform._23 = 0.0f;
-    mDisplayInfo.mSittingToStandingTransform._24 = 0.0f;
-
-    mDisplayInfo.mSittingToStandingTransform._31 = 0.0f;
-    mDisplayInfo.mSittingToStandingTransform._32 = 0.0f;
-    mDisplayInfo.mSittingToStandingTransform._33 = 1.0f;
-    mDisplayInfo.mSittingToStandingTransform._34 = 0.0f;
-
-    mDisplayInfo.mSittingToStandingTransform._41 = 0.0f;
-    mDisplayInfo.mSittingToStandingTransform._42 = 0.75f;
-    mDisplayInfo.mSittingToStandingTransform._43 = 0.0f;
-    mDisplayInfo.mSittingToStandingTransform._44 = 1.0f;
-  }
-}
-
-void
-VRDisplayOpenVR::ZeroSensor()
-{
-  mVRSystem->ResetSeatedZeroPose();
-  UpdateStageParameters();
-}
-
-VRHMDSensorState
-VRDisplayOpenVR::GetSensorState()
-{
-  return GetSensorState(0.0f);
-}
-
-VRHMDSensorState
-VRDisplayOpenVR::GetImmediateSensorState()
-{
-  return GetSensorState(0.0f);
-}
-
-VRHMDSensorState
-VRDisplayOpenVR::GetSensorState(double timeOffset)
-{
-  {
-    ::vr::VREvent_t event;
-    while (mVRSystem->PollNextEvent(&event, sizeof(event))) {
-      // ignore
-    }
-  }
-
-  ::vr::TrackedDevicePose_t poses[::vr::k_unMaxTrackedDeviceCount];
-  // Note: We *must* call WaitGetPoses in order for any rendering to happen at all
-  mVRCompositor->WaitGetPoses(poses, ::vr::k_unMaxTrackedDeviceCount, nullptr, 0);
-
-  VRHMDSensorState result;
-  result.Clear();
-  result.timestamp = PR_Now();
-
-  if (poses[::vr::k_unTrackedDeviceIndex_Hmd].bDeviceIsConnected &&
-      poses[::vr::k_unTrackedDeviceIndex_Hmd].bPoseIsValid &&
-      poses[::vr::k_unTrackedDeviceIndex_Hmd].eTrackingResult == ::vr::TrackingResult_Running_OK)
-  {
-    const ::vr::TrackedDevicePose_t& pose = poses[::vr::k_unTrackedDeviceIndex_Hmd];
-
-    gfx::Matrix4x4 m;
-    // NOTE! mDeviceToAbsoluteTracking is a 3x4 matrix, not 4x4.  But
-    // because of its arrangement, we can copy the 12 elements in and
-    // then transpose them to the right place.  We do this so we can
-    // pull out a Quaternion.
-    memcpy(&m._11, &pose.mDeviceToAbsoluteTracking, sizeof(float) * 12);
-    m.Transpose();
-
-    gfx::Quaternion rot;
-    rot.SetFromRotationMatrix(m);
-    rot.Invert();
-
-    result.flags |= VRDisplayCapabilityFlags::Cap_Orientation;
-    result.orientation[0] = rot.x;
-    result.orientation[1] = rot.y;
-    result.orientation[2] = rot.z;
-    result.orientation[3] = rot.w;
-    result.angularVelocity[0] = pose.vAngularVelocity.v[0];
-    result.angularVelocity[1] = pose.vAngularVelocity.v[1];
-    result.angularVelocity[2] = pose.vAngularVelocity.v[2];
-
-    result.flags |= VRDisplayCapabilityFlags::Cap_Position;
-    result.position[0] = m._41;
-    result.position[1] = m._42;
-    result.position[2] = m._43;
-    result.linearVelocity[0] = pose.vVelocity.v[0];
-    result.linearVelocity[1] = pose.vVelocity.v[1];
-    result.linearVelocity[2] = pose.vVelocity.v[2];
-  }
-
-  return result;
-}
-
-void
-VRDisplayOpenVR::StartPresentation()
-{
-  if (mIsPresenting) {
-    return;
-  }
-  mIsPresenting = true;
-}
-
-void
-VRDisplayOpenVR::StopPresentation()
-{
-  if (!mIsPresenting) {
-    return;
-  }
-
-  mVRCompositor->ClearLastSubmittedFrame();
-
-  mIsPresenting = false;
-}
-
-
-#if defined(XP_WIN)
-
-void
-VRDisplayOpenVR::SubmitFrame(TextureSourceD3D11* aSource,
-  const IntSize& aSize,
-  const VRHMDSensorState& aSensorState,
-  const gfx::Rect& aLeftEyeRect,
-  const gfx::Rect& aRightEyeRect)
-{
-  if (!mIsPresenting) {
-    return;
-  }
-
-  ::vr::Texture_t tex;
-  tex.handle = (void *)aSource->GetD3D11Texture();
-  tex.eType = ::vr::EGraphicsAPIConvention::API_DirectX;
-  tex.eColorSpace = ::vr::EColorSpace::ColorSpace_Auto;
-
-  ::vr::VRTextureBounds_t bounds;
-  bounds.uMin = aLeftEyeRect.x;
-  bounds.vMin = 1.0 - aLeftEyeRect.y;
-  bounds.uMax = aLeftEyeRect.x + aLeftEyeRect.width;
-  bounds.vMax = 1.0 - aLeftEyeRect.y - aLeftEyeRect.height;
-
-  ::vr::EVRCompositorError err;
-  err = mVRCompositor->Submit(::vr::EVREye::Eye_Left, &tex, &bounds);
-  if (err != ::vr::EVRCompositorError::VRCompositorError_None) {
-    printf_stderr("OpenVR Compositor Submit() failed.\n");
-  }
-
-  bounds.uMin = aRightEyeRect.x;
-  bounds.vMin = 1.0 - aRightEyeRect.y;
-  bounds.uMax = aRightEyeRect.x + aRightEyeRect.width;
-  bounds.vMax = 1.0 - aRightEyeRect.y - aRightEyeRect.height;
-
-  err = mVRCompositor->Submit(::vr::EVREye::Eye_Right, &tex, &bounds);
-  if (err != ::vr::EVRCompositorError::VRCompositorError_None) {
-    printf_stderr("OpenVR Compositor Submit() failed.\n");
-  }
-
-  mVRCompositor->PostPresentHandoff();
-
-  // Trigger the next VSync immediately
-  VRManager *vm = VRManager::Get();
-  MOZ_ASSERT(vm);
-  vm->NotifyVRVsync(mDisplayInfo.mDisplayID);
-}
-
-#endif
-
-void
-VRDisplayOpenVR::NotifyVSync()
-{
-  // We update mIsConneced once per frame.
-  mDisplayInfo.mIsConnected = vr_IsHmdPresent();
-}
-
-VRDisplayManagerOpenVR::VRDisplayManagerOpenVR()
-  : mOpenVRInstalled(false)
-{
-}
-
-/*static*/ already_AddRefed<VRDisplayManagerOpenVR>
-VRDisplayManagerOpenVR::Create()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-
-  if (!gfxPrefs::VREnabled() || !gfxPrefs::VROpenVREnabled()) {
-    return nullptr;
-  }
-
-  if (!LoadOpenVRRuntime()) {
-    return nullptr;
-  }
-
-  RefPtr<VRDisplayManagerOpenVR> manager = new VRDisplayManagerOpenVR();
-  return manager.forget();
-}
-
-bool
-VRDisplayManagerOpenVR::Init()
-{
-  if (mOpenVRInstalled)
-    return true;
-
-  if (!vr_IsRuntimeInstalled())
-    return false;
-
-  mOpenVRInstalled = true;
-  return true;
-}
-
-void
-VRDisplayManagerOpenVR::Destroy()
-{
-  if (mOpenVRInstalled) {
-    if (mOpenVRHMD) {
-      mOpenVRHMD = nullptr;
-    }
-    mOpenVRInstalled = false;
-  }
-}
-
-void
-VRDisplayManagerOpenVR::GetHMDs(nsTArray<RefPtr<VRDisplayHost>>& aHMDResult)
-{
-  if (!mOpenVRInstalled) {
-    return;
-  }
-
-  if (!vr_IsHmdPresent()) {
-    if (mOpenVRHMD) {
-      mOpenVRHMD = nullptr;
-    }
-  } else if (mOpenVRHMD == nullptr) {
-    ::vr::HmdError err;
-
-    vr_InitInternal(&err, ::vr::EVRApplicationType::VRApplication_Scene);
-    if (err) {
-      return;
-    }
-
-    ::vr::IVRSystem *system = (::vr::IVRSystem *)vr_GetGenericInterface(::vr::IVRSystem_Version, &err);
-    if (err || !system) {
-      vr_ShutdownInternal();
-      return;
-    }
-    ::vr::IVRChaperone *chaperone = (::vr::IVRChaperone *)vr_GetGenericInterface(::vr::IVRChaperone_Version, &err);
-    if (err || !chaperone) {
-      vr_ShutdownInternal();
-      return;
-    }
-    ::vr::IVRCompositor *compositor = (::vr::IVRCompositor*)vr_GetGenericInterface(::vr::IVRCompositor_Version, &err);
-    if (err || !compositor) {
-      vr_ShutdownInternal();
-      return;
-    }
-
-    mOpenVRHMD = new VRDisplayOpenVR(system, chaperone, compositor);
-  }
-
-  if (mOpenVRHMD) {
-    aHMDResult.AppendElement(mOpenVRHMD);
-  }
-}
-
-VRControllerOpenVR::VRControllerOpenVR()
-  : VRControllerHost(VRDeviceType::OpenVR)
-{
-  MOZ_COUNT_CTOR_INHERITED(VRControllerOpenVR, VRControllerHost);
-  mControllerInfo.mControllerName.AssignLiteral("OpenVR HMD");
-#ifdef MOZ_GAMEPAD
-  mControllerInfo.mMappingType = static_cast<uint32_t>(GamepadMappingType::_empty);
-#else
-  mControllerInfo.mMappingType = 0;
-#endif
-  mControllerInfo.mNumButtons = gNumOpenVRButtonMask;
-  mControllerInfo.mNumAxes = gNumOpenVRAxis;
-}
-
-VRControllerOpenVR::~VRControllerOpenVR()
-{
-  MOZ_COUNT_DTOR_INHERITED(VRControllerOpenVR, VRControllerHost);
-}
-
-void
-VRControllerOpenVR::SetTrackedIndex(uint32_t aTrackedIndex)
-{
-  mTrackedIndex = aTrackedIndex;
-}
-
-uint32_t
-VRControllerOpenVR::GetTrackedIndex()
-{
-  return mTrackedIndex;
-}
-
-VRControllerManagerOpenVR::VRControllerManagerOpenVR()
-  : mOpenVRInstalled(false), mVRSystem(nullptr)
-{
-}
-
-VRControllerManagerOpenVR::~VRControllerManagerOpenVR()
-{
-  Destroy();
-}
-
-/*static*/ already_AddRefed<VRControllerManagerOpenVR>
-VRControllerManagerOpenVR::Create()
-{
-  if (!gfxPrefs::VREnabled() || !gfxPrefs::VROpenVREnabled()) {
-    return nullptr;
-  }
-
-  RefPtr<VRControllerManagerOpenVR> manager = new VRControllerManagerOpenVR();
-  return manager.forget();
-}
-
-bool
-VRControllerManagerOpenVR::Init()
-{
-  if (mOpenVRInstalled)
-    return true;
-
-  if (!vr_IsRuntimeInstalled())
-    return false;
-
-  // Loading the OpenVR Runtime
-  vr::EVRInitError err = vr::VRInitError_None;
-
-  vr_InitInternal(&err, vr::VRApplication_Scene);
-  if (err != vr::VRInitError_None) {
-    return false;
-  }
-
-  mVRSystem = (vr::IVRSystem *)vr_GetGenericInterface(vr::IVRSystem_Version, &err);
-  if ((err != vr::VRInitError_None) || !mVRSystem) {
-    vr_ShutdownInternal();
-    return false;
-  }
-
-  mOpenVRInstalled = true;
-  return true;
-}
-
-void
-VRControllerManagerOpenVR::Destroy()
-{
-  mOpenVRController.Clear();
-  mOpenVRInstalled = false;
-}
-
-void
-VRControllerManagerOpenVR::HandleInput()
-{
-  RefPtr<impl::VRControllerOpenVR> controller;
-  vr::VRControllerState_t state;
-  uint32_t axis = 0;
-
-  if (!mOpenVRInstalled) {
-    return;
-  }
-
-  MOZ_ASSERT(mVRSystem);
-
-  vr::TrackedDevicePose_t poses[vr::k_unMaxTrackedDeviceCount];
-  mVRSystem->GetDeviceToAbsoluteTrackingPose(vr::TrackingUniverseSeated, 0.0f,
-                                             poses, vr::k_unMaxTrackedDeviceCount);
-  // Process OpenVR controller state
-  for (uint32_t i = 0; i < mOpenVRController.Length(); ++i) {
-    controller = mOpenVRController[i];
-
-    MOZ_ASSERT(mVRSystem->GetTrackedDeviceClass(controller->GetTrackedIndex())
-               == vr::TrackedDeviceClass_Controller);
-
-    if (mVRSystem->GetControllerState(controller->GetTrackedIndex(), &state)) {
-      HandleButtonPress(controller->GetIndex(), state.ulButtonPressed);
-
-      axis = static_cast<uint32_t>(VRControllerAxisType::TrackpadXAxis);
-      HandleAxisMove(controller->GetIndex(), axis,
-                     state.rAxis[gOpenVRAxes[axis]].x);
-
-      axis = static_cast<uint32_t>(VRControllerAxisType::TrackpadYAxis);
-      HandleAxisMove(controller->GetIndex(), axis,
-                     state.rAxis[gOpenVRAxes[axis]].y);
-
-      axis = static_cast<uint32_t>(VRControllerAxisType::Trigger);
-      HandleAxisMove(controller->GetIndex(), axis,
-                     state.rAxis[gOpenVRAxes[axis]].x);
-    }
-
-    // Start to process pose
-    const ::vr::TrackedDevicePose_t& pose = poses[controller->GetTrackedIndex()];
-
-    if (pose.bDeviceIsConnected && pose.bPoseIsValid &&
-      pose.eTrackingResult == vr::TrackingResult_Running_OK) {
-      gfx::Matrix4x4 m;
-
-      // NOTE! mDeviceToAbsoluteTracking is a 3x4 matrix, not 4x4.  But
-      // because of its arrangement, we can copy the 12 elements in and
-      // then transpose them to the right place.  We do this so we can
-      // pull out a Quaternion.
-      memcpy(&m.components, &pose.mDeviceToAbsoluteTracking, sizeof(float) * 12);
-      m.Transpose();
-
-      gfx::Quaternion rot;
-      rot.SetFromRotationMatrix(m);
-      rot.Invert();
-
-      GamepadPoseState poseState;
-      poseState.flags |= GamepadCapabilityFlags::Cap_Orientation;
-      poseState.orientation[0] = rot.x;
-      poseState.orientation[1] = rot.y;
-      poseState.orientation[2] = rot.z;
-      poseState.orientation[3] = rot.w;
-      poseState.angularVelocity[0] = pose.vAngularVelocity.v[0];
-      poseState.angularVelocity[1] = pose.vAngularVelocity.v[1];
-      poseState.angularVelocity[2] = pose.vAngularVelocity.v[2];
-
-      poseState.flags |= GamepadCapabilityFlags::Cap_Position;
-      poseState.position[0] = m._41;
-      poseState.position[1] = m._42;
-      poseState.position[2] = m._43;
-      poseState.linearVelocity[0] = pose.vVelocity.v[0];
-      poseState.linearVelocity[1] = pose.vVelocity.v[1];
-      poseState.linearVelocity[2] = pose.vVelocity.v[2];
-      HandlePoseTracking(controller->GetIndex(), poseState, controller);
-    }
-  }
-}
-
-void
-VRControllerManagerOpenVR::HandleButtonPress(uint32_t aControllerIdx,
-                                             uint64_t aButtonPressed)
-{
-  uint64_t buttonMask = 0;
-  RefPtr<impl::VRControllerOpenVR> controller;
-  controller = mOpenVRController[aControllerIdx];
-  uint64_t diff = (controller->GetButtonPressed() ^ aButtonPressed);
-
-  if (!diff) {
-    return;
-  }
-
-  for (uint32_t i = 0; i < gNumOpenVRButtonMask; ++i) {
-    buttonMask = gOpenVRButtonMask[i];
-
-    if (diff & buttonMask) {
-      // diff & aButtonPressed would be true while a new button press
-      // event, otherwise it is an old press event and needs to notify
-      // the button has been released.
-      NewButtonEvent(aControllerIdx, i, diff & aButtonPressed);
-    }
-  }
-
-  controller->SetButtonPressed(aButtonPressed);
-}
-
-void
-VRControllerManagerOpenVR::HandleAxisMove(uint32_t aControllerIdx, uint32_t aAxis,
-                                          float aValue)
-{
-  if (aValue != 0.0f) {
-    NewAxisMove(aControllerIdx, aAxis, aValue);
-  }
-}
-
-void
-VRControllerManagerOpenVR::HandlePoseTracking(uint32_t aControllerIdx,
-                                              const GamepadPoseState& aPose,
-                                              VRControllerHost* aController)
-{
-  if (aPose != aController->GetPose()) {
-    aController->SetPose(aPose);
-    NewPoseState(aControllerIdx, aPose);
-  }
-}
-
-void
-VRControllerManagerOpenVR::GetControllers(nsTArray<RefPtr<VRControllerHost>>& aControllerResult)
-{
-  if (!mOpenVRInstalled) {
-    return;
-  }
-
-  aControllerResult.Clear();
-  for (uint32_t i = 0; i < mOpenVRController.Length(); ++i) {
-    aControllerResult.AppendElement(mOpenVRController[i]);
-  }
-}
-
-void
-VRControllerManagerOpenVR::ScanForDevices()
-{
-  // Remove the existing gamepads
-  for (uint32_t i = 0; i < mOpenVRController.Length(); ++i) {
-    RemoveGamepad(mOpenVRController[i]->GetIndex());
-  }
-  mControllerCount = 0;
-  mOpenVRController.Clear();
-
-  if (!mVRSystem)
-    return;
-
-  // Basically, we would have HMDs in the tracked devices, but we are just interested in the controllers.
-  for ( vr::TrackedDeviceIndex_t trackedDevice = vr::k_unTrackedDeviceIndex_Hmd + 1;
-        trackedDevice < vr::k_unMaxTrackedDeviceCount; ++trackedDevice ) {
-    if (!mVRSystem->IsTrackedDeviceConnected(trackedDevice)) {
-      continue;
-    }
-
-    if (mVRSystem->GetTrackedDeviceClass(trackedDevice) != vr::TrackedDeviceClass_Controller) {
-      continue;
-    }
-
-    RefPtr<VRControllerOpenVR> openVRController = new VRControllerOpenVR();
-    openVRController->SetIndex(mControllerCount);
-    openVRController->SetTrackedIndex(trackedDevice);
-    mOpenVRController.AppendElement(openVRController);
-
-// Only in MOZ_GAMEPAD platform, We add gamepads.
-#ifdef MOZ_GAMEPAD
-    // Not already present, add it.
-    AddGamepad("OpenVR Gamepad", static_cast<uint32_t>(GamepadMappingType::_empty),
-               gNumOpenVRButtonMask, gNumOpenVRAxis);
-    ++mControllerCount;
-#endif
-  }
-}
\ No newline at end of file
diff --git a/gfx/vr/gfxVROpenVR.h b/gfx/vr/gfxVROpenVR.h
deleted file mode 100644
index 829f882531..0000000000
--- a/gfx/vr/gfxVROpenVR.h
+++ /dev/null
@@ -1,140 +0,0 @@
-/* -*- Mode: C++; tab-width: 20; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_OPENVR_H
-#define GFX_VR_OPENVR_H
-
-#include "nsTArray.h"
-#include "nsIScreen.h"
-#include "nsCOMPtr.h"
-#include "mozilla/RefPtr.h"
-
-#include "mozilla/gfx/2D.h"
-#include "mozilla/EnumeratedArray.h"
-
-#include "gfxVR.h"
-
-// OpenVR Interfaces
-namespace vr {
-class IVRChaperone;
-class IVRCompositor;
-class IVRSystem;
-struct TrackedDevicePose_t;
-}
-
-namespace mozilla {
-namespace gfx {
-namespace impl {
-
-class VRDisplayOpenVR : public VRDisplayHost
-{
-public:
-  virtual void NotifyVSync() override;
-  virtual VRHMDSensorState GetSensorState() override;
-  virtual VRHMDSensorState GetImmediateSensorState() override;
-  void ZeroSensor() override;
-
-protected:
-  virtual void StartPresentation() override;
-  virtual void StopPresentation() override;
-#if defined(XP_WIN)
-  virtual void SubmitFrame(mozilla::layers::TextureSourceD3D11* aSource,
-                           const IntSize& aSize,
-                           const VRHMDSensorState& aSensorState,
-                           const gfx::Rect& aLeftEyeRect,
-                           const gfx::Rect& aRightEyeRect) override;
-#endif
-
-public:
-  explicit VRDisplayOpenVR(::vr::IVRSystem *aVRSystem,
-                           ::vr::IVRChaperone *aVRChaperone,
-                           ::vr::IVRCompositor *aVRCompositor);
-
-protected:
-  virtual ~VRDisplayOpenVR();
-  void Destroy();
-
-  VRHMDSensorState GetSensorState(double timeOffset);
-
-  // not owned by us; global from OpenVR
-  ::vr::IVRSystem *mVRSystem;
-  ::vr::IVRChaperone *mVRChaperone;
-  ::vr::IVRCompositor *mVRCompositor;
-
-  bool mIsPresenting;
-
-  void UpdateStageParameters();
-};
-
-} // namespace impl
-
-class VRDisplayManagerOpenVR : public VRDisplayManager
-{
-public:
-  static already_AddRefed<VRDisplayManagerOpenVR> Create();
-
-  virtual bool Init() override;
-  virtual void Destroy() override;
-  virtual void GetHMDs(nsTArray<RefPtr<VRDisplayHost> >& aHMDResult) override;
-protected:
-  VRDisplayManagerOpenVR();
-
-  // there can only be one
-  RefPtr<impl::VRDisplayOpenVR> mOpenVRHMD;
-  bool mOpenVRInstalled;
-};
-
-namespace impl {
-
-class VRControllerOpenVR : public VRControllerHost
-{
-public:
-  explicit VRControllerOpenVR();
-  void SetTrackedIndex(uint32_t aTrackedIndex);
-  uint32_t GetTrackedIndex();
-
-protected:
-  virtual ~VRControllerOpenVR();
-
-  // The index of tracked devices from vr::IVRSystem.
-  uint32_t mTrackedIndex;
-};
-
-} // namespace impl
-
-class VRControllerManagerOpenVR : public VRControllerManager
-{
-public:
-  static already_AddRefed<VRControllerManagerOpenVR> Create();
-
-  virtual bool Init() override;
-  virtual void Destroy() override;
-  virtual void HandleInput() override;
-  virtual void GetControllers(nsTArray<RefPtr<VRControllerHost>>&
-                              aControllerResult) override;
-  virtual void ScanForDevices() override;
-
-private:
-  VRControllerManagerOpenVR();
-  ~VRControllerManagerOpenVR();
-
-  virtual void HandleButtonPress(uint32_t aControllerIdx,
-                                 uint64_t aButtonPressed) override;
-  virtual void HandleAxisMove(uint32_t aControllerIdx, uint32_t aAxis,
-                              float aValue) override;
-  virtual void HandlePoseTracking(uint32_t aControllerIdx,
-                                  const dom::GamepadPoseState& aPose,
-                                  VRControllerHost* aController) override;
-
-  bool mOpenVRInstalled;
-  nsTArray<RefPtr<impl::VRControllerOpenVR>> mOpenVRController;
-  vr::IVRSystem *mVRSystem;
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-
-#endif /* GFX_VR_OPENVR_H */
diff --git a/gfx/vr/ipc/PVRLayer.ipdl b/gfx/vr/ipc/PVRLayer.ipdl
deleted file mode 100644
index 593fccdd46..0000000000
--- a/gfx/vr/ipc/PVRLayer.ipdl
+++ /dev/null
@@ -1,27 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * vim: sw=2 ts=8 et :
- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-include protocol PVRManager;
-include protocol PTexture;
-
-namespace mozilla {
-namespace gfx {
-
-async protocol PVRLayer
-{
-  manager PVRManager;
-
-parent:
-  async SubmitFrame(PTexture aTexture);
-  async Destroy();
-
-child:
-  async __delete__();
-};
-
-} // gfx
-} // mozilla
diff --git a/gfx/vr/ipc/PVRManager.ipdl b/gfx/vr/ipc/PVRManager.ipdl
deleted file mode 100644
index 65f114fbaf..0000000000
--- a/gfx/vr/ipc/PVRManager.ipdl
+++ /dev/null
@@ -1,86 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * vim: sw=2 ts=8 et :
- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-include LayersSurfaces;
-include protocol PLayer;
-include protocol PTexture;
-include protocol PVRLayer;
-include LayersMessages;
-include GamepadEventTypes;
-
-include "VRMessageUtils.h";
-
-using struct mozilla::gfx::VRFieldOfView from "gfxVR.h";
-using struct mozilla::gfx::VRDisplayInfo from "gfxVR.h";
-using struct mozilla::gfx::VRSensorUpdate from "gfxVR.h";
-using struct mozilla::gfx::VRHMDSensorState from "gfxVR.h";
-using struct mozilla::gfx::VRControllerInfo from "gfxVR.h";
-using mozilla::layers::LayersBackend from "mozilla/layers/LayersTypes.h";
-using mozilla::layers::TextureFlags from "mozilla/layers/CompositorTypes.h";
-
-
-namespace mozilla {
-namespace gfx {
-
-/**
- * The PVRManager protocol is used to enable communication of VR display
- * enumeration and sensor state between the compositor thread and
- * content threads/processes.
- */
-sync protocol PVRManager
-{
-  manages PTexture;
-  manages PVRLayer;
-
-parent:
-  async PTexture(SurfaceDescriptor aSharedData, LayersBackend aBackend,
-                 TextureFlags aTextureFlags, uint64_t aSerial);
-
-  async PVRLayer(uint32_t aDisplayID, float aLeftEyeX, float aLeftEyeY, float aLeftEyeWidth, float aLeftEyeHeight, float aRightEyeX, float aRightEyeY, float aRightEyeWidth, float aRightEyeHeight);
-
-  // (Re)Enumerate VR Displays.  An updated list of VR displays will be returned
-  // asynchronously to children via UpdateDisplayInfo.
-  async RefreshDisplays();
-
-  // GetDisplays synchronously returns the VR displays that have already been
-  // enumerated by RefreshDisplays() but does not enumerate new ones.
-  sync GetDisplays() returns(VRDisplayInfo[] aDisplayInfo);
-
-  // Reset the sensor of the display identified by aDisplayID so that the current
-  // sensor state is the "Zero" position.
-  async ResetSensor(uint32_t aDisplayID);
-
-  sync GetSensorState(uint32_t aDisplayID) returns(VRHMDSensorState aState);
-  sync GetImmediateSensorState(uint32_t aDisplayID) returns(VRHMDSensorState aState);
-  sync SetHaveEventListener(bool aHaveEventListener);
-
-  async ControllerListenerAdded();
-  async ControllerListenerRemoved();
-  // GetControllers synchronously returns the VR controllers that have already been
-  // enumerated by RefreshVRControllers() but does not enumerate new ones.
-  sync GetControllers() returns(VRControllerInfo[] aControllerInfo);
-
-child:
-
-  async ParentAsyncMessages(AsyncParentMessageData[] aMessages);
-
-  // Notify children of updated VR display enumeration and details.  This will
-  // be sent to all children when the parent receives RefreshDisplays, even
-  // if no changes have been detected.  This ensures that Promises exposed
-  // through DOM calls are always resolved.
-  async UpdateDisplayInfo(VRDisplayInfo[] aDisplayUpdates);
-
-  async NotifyVSync();
-  async NotifyVRVSync(uint32_t aDisplayID);
-  async GamepadUpdate(GamepadChangeEvent aGamepadEvent);
-
-  async __delete__();
-
-};
-
-} // gfx
-} // mozilla
diff --git a/gfx/vr/ipc/VRLayerChild.cpp b/gfx/vr/ipc/VRLayerChild.cpp
deleted file mode 100644
index cffe9c1f12..0000000000
--- a/gfx/vr/ipc/VRLayerChild.cpp
+++ /dev/null
@@ -1,86 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "VRLayerChild.h"
-#include "GLScreenBuffer.h"
-#include "mozilla/layers/TextureClientSharedSurface.h"
-#include "SharedSurface.h"                // for SharedSurface
-#include "SharedSurfaceGL.h"              // for SharedSurface
-#include "mozilla/layers/LayersMessages.h" // for TimedTexture
-#include "nsICanvasRenderingContextInternal.h"
-#include "mozilla/dom/HTMLCanvasElement.h"
-
-namespace mozilla {
-namespace gfx {
-
-VRLayerChild::VRLayerChild(uint32_t aVRDisplayID, VRManagerChild* aVRManagerChild)
-  : mVRDisplayID(aVRDisplayID)
-  , mCanvasElement(nullptr)
-  , mShSurfClient(nullptr)
-  , mFront(nullptr)
-{
-  MOZ_COUNT_CTOR(VRLayerChild);
-}
-
-VRLayerChild::~VRLayerChild()
-{
-  if (mCanvasElement) {
-    mCanvasElement->StopVRPresentation();
-  }
-
-  ClearSurfaces();
-
-  MOZ_COUNT_DTOR(VRLayerChild);
-}
-
-void
-VRLayerChild::Initialize(dom::HTMLCanvasElement* aCanvasElement)
-{
-  MOZ_ASSERT(aCanvasElement);
-  mCanvasElement = aCanvasElement;
-  mCanvasElement->StartVRPresentation();
-
-  VRManagerChild *vrmc = VRManagerChild::Get();
-  vrmc->RunFrameRequestCallbacks();
-}
-
-void
-VRLayerChild::SubmitFrame()
-{
-  if (!mCanvasElement) {
-    return;
-  }
-
-  mShSurfClient = mCanvasElement->GetVRFrame();
-  if (!mShSurfClient) {
-    return;
-  }
-
-  gl::SharedSurface* surf = mShSurfClient->Surf();
-  if (surf->mType == gl::SharedSurfaceType::Basic) {
-    gfxCriticalError() << "SharedSurfaceType::Basic not supported for WebVR";
-    return;
-  }
-
-  mFront = mShSurfClient;
-  mShSurfClient = nullptr;
-
-  mFront->SetAddedToCompositableClient();
-  VRManagerChild* vrmc = VRManagerChild::Get();
-  mFront->SyncWithObject(vrmc->GetSyncObject());
-  MOZ_ALWAYS_TRUE(mFront->InitIPDLActor(vrmc));
-
-  SendSubmitFrame(mFront->GetIPDLActor());
-}
-
-void
-VRLayerChild::ClearSurfaces()
-{
-  mFront = nullptr;
-  mShSurfClient = nullptr;
-}
-
-} // namespace gfx
-} // namespace mozilla
diff --git a/gfx/vr/ipc/VRLayerChild.h b/gfx/vr/ipc/VRLayerChild.h
deleted file mode 100644
index df42dddac2..0000000000
--- a/gfx/vr/ipc/VRLayerChild.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_LAYERCHILD_H
-#define GFX_VR_LAYERCHILD_H
-
-#include "VRManagerChild.h"
-
-#include "mozilla/RefPtr.h"
-#include "mozilla/gfx/PVRLayerChild.h"
-#include "GLContext.h"
-#include "gfxVR.h"
-
-class nsICanvasRenderingContextInternal;
-
-namespace mozilla {
-class WebGLContext;
-namespace dom {
-class HTMLCanvasElement;
-}
-namespace layers {
-class SharedSurfaceTextureClient;
-}
-namespace gl {
-class SurfaceFactory;
-}
-namespace gfx {
-
-class VRLayerChild : public PVRLayerChild {
-  NS_INLINE_DECL_REFCOUNTING(VRLayerChild)
-
-public:
-  VRLayerChild(uint32_t aVRDisplayID, VRManagerChild* aVRManagerChild);
-  void Initialize(dom::HTMLCanvasElement* aCanvasElement);
-  void SubmitFrame();
-
-protected:
-  virtual ~VRLayerChild();
-  void ClearSurfaces();
-
-  uint32_t mVRDisplayID;
-
-  RefPtr<dom::HTMLCanvasElement> mCanvasElement;
-  RefPtr<layers::SharedSurfaceTextureClient> mShSurfClient;
-  RefPtr<layers::TextureClient> mFront;
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-#endif
diff --git a/gfx/vr/ipc/VRLayerParent.cpp b/gfx/vr/ipc/VRLayerParent.cpp
deleted file mode 100644
index 6c69808174..0000000000
--- a/gfx/vr/ipc/VRLayerParent.cpp
+++ /dev/null
@@ -1,59 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-
-#include "VRLayerParent.h"
-#include "mozilla/Unused.h"
-
-namespace mozilla {
-namespace gfx {
-
-VRLayerParent::VRLayerParent(uint32_t aVRDisplayID, const Rect& aLeftEyeRect, const Rect& aRightEyeRect)
-  : mIPCOpen(true)
-  , mVRDisplayID(aVRDisplayID)
-  , mLeftEyeRect(aLeftEyeRect)
-  , mRightEyeRect(aRightEyeRect)
-{
-  MOZ_COUNT_CTOR(VRLayerParent);
-}
-
-VRLayerParent::~VRLayerParent()
-{
-  MOZ_COUNT_DTOR(VRLayerParent);
-}
-
-bool
-VRLayerParent::RecvDestroy()
-{
-  Destroy();
-  return true;
-}
-
-void
-VRLayerParent::ActorDestroy(ActorDestroyReason aWhy)
-{
-  mIPCOpen = false;
-}
-
-void
-VRLayerParent::Destroy()
-{
-  if (mIPCOpen) {
-    Unused << PVRLayerParent::Send__delete__(this);
-  }
-}
-
-bool
-VRLayerParent::RecvSubmitFrame(PTextureParent* texture)
-{
-  VRManager* vm = VRManager::Get();
-  vm->SubmitFrame(this, texture, mLeftEyeRect, mRightEyeRect);
-
-  return true;
-}
-
-
-} // namespace gfx
-} // namespace mozilla
diff --git a/gfx/vr/ipc/VRLayerParent.h b/gfx/vr/ipc/VRLayerParent.h
deleted file mode 100644
index bd69c95461..0000000000
--- a/gfx/vr/ipc/VRLayerParent.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef GFX_VR_LAYERPARENT_H
-#define GFX_VR_LAYERPARENT_H
-
-#include "VRManager.h"
-
-#include "mozilla/RefPtr.h"
-#include "mozilla/gfx/PVRLayerParent.h"
-#include "gfxVR.h"
-
-namespace mozilla {
-namespace gfx {
-
-class VRLayerParent : public PVRLayerParent {
-  NS_INLINE_DECL_REFCOUNTING(VRLayerParent)
-
-public:
-  VRLayerParent(uint32_t aVRDisplayID, const Rect& aLeftEyeRect, const Rect& aRightEyeRect);
-  virtual bool RecvSubmitFrame(PTextureParent* texture) override;
-  virtual bool RecvDestroy() override;
-  uint32_t GetDisplayID() const { return mVRDisplayID; }
-protected:
-  virtual void ActorDestroy(ActorDestroyReason aWhy) override;
-
-  virtual ~VRLayerParent();
-  void Destroy();
-
-  bool mIPCOpen;
-
-  uint32_t mVRDisplayID;
-  gfx::IntSize mSize;
-  gfx::Rect mLeftEyeRect;
-  gfx::Rect mRightEyeRect;
-};
-
-} // namespace gfx
-} // namespace mozilla
-
-#endif
diff --git a/gfx/vr/ipc/VRManagerChild.cpp b/gfx/vr/ipc/VRManagerChild.cpp
deleted file mode 100644
index 70ced86c3a..0000000000
--- a/gfx/vr/ipc/VRManagerChild.cpp
+++ /dev/null
@@ -1,593 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * vim: sw=2 ts=8 et :
- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "VRManagerChild.h"
-#include "VRManagerParent.h"
-#include "VRDisplayClient.h"
-#include "nsGlobalWindow.h"
-#include "mozilla/StaticPtr.h"
-#include "mozilla/layers/CompositorThread.h" // for CompositorThread
-#include "mozilla/dom/Navigator.h"
-#include "mozilla/dom/VREventObserver.h"
-#include "mozilla/dom/WindowBinding.h" // for FrameRequestCallback
-#include "mozilla/dom/ContentChild.h"
-#include "mozilla/layers/TextureClient.h"
-#include "nsContentUtils.h"
-
-#ifdef MOZ_GAMEPAD
-#include "mozilla/dom/GamepadManager.h"
-#endif
-
-using layers::TextureClient;
-
-namespace {
-const nsTArray<RefPtr<dom::VREventObserver>>::index_type kNoIndex =
-  nsTArray<RefPtr<dom::VREventObserver> >::NoIndex;
-} // namespace
-
-namespace mozilla {
-namespace gfx {
-
-static StaticRefPtr<VRManagerChild> sVRManagerChildSingleton;
-static StaticRefPtr<VRManagerParent> sVRManagerParentSingleton;
-
-void ReleaseVRManagerParentSingleton() {
-  sVRManagerParentSingleton = nullptr;
-}
-
-VRManagerChild::VRManagerChild()
-  : TextureForwarder()
-  , mDisplaysInitialized(false)
-  , mInputFrameID(-1)
-  , mMessageLoop(MessageLoop::current())
-  , mFrameRequestCallbackCounter(0)
-  , mBackend(layers::LayersBackend::LAYERS_NONE)
-{
-  MOZ_COUNT_CTOR(VRManagerChild);
-  MOZ_ASSERT(NS_IsMainThread());
-
-  mStartTimeStamp = TimeStamp::Now();
-}
-
-VRManagerChild::~VRManagerChild()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_COUNT_DTOR(VRManagerChild);
-}
-
-/*static*/ void
-VRManagerChild::IdentifyTextureHost(const TextureFactoryIdentifier& aIdentifier)
-{
-  if (sVRManagerChildSingleton) {
-    sVRManagerChildSingleton->mBackend = aIdentifier.mParentBackend;
-    sVRManagerChildSingleton->mSyncObject = SyncObject::CreateSyncObject(aIdentifier.mSyncHandle);
-  }
-}
-
-layers::LayersBackend
-VRManagerChild::GetBackendType() const
-{
-  return mBackend;
-}
-
-/*static*/ VRManagerChild*
-VRManagerChild::Get()
-{
-  MOZ_ASSERT(sVRManagerChildSingleton);
-  return sVRManagerChildSingleton;
-}
-
-/* static */ bool
-VRManagerChild::IsCreated()
-{
-  return !!sVRManagerChildSingleton;
-}
-
-/* static */ bool
-VRManagerChild::InitForContent(Endpoint<PVRManagerChild>&& aEndpoint)
-{
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(!sVRManagerChildSingleton);
-
-  RefPtr<VRManagerChild> child(new VRManagerChild());
-  if (!aEndpoint.Bind(child)) {
-    NS_RUNTIMEABORT("Couldn't Open() Compositor channel.");
-    return false;
-  }
-  sVRManagerChildSingleton = child;
-  return true;
-}
-
-/* static */ bool
-VRManagerChild::ReinitForContent(Endpoint<PVRManagerChild>&& aEndpoint)
-{
-  MOZ_ASSERT(NS_IsMainThread());
-
-  ShutDown();
-
-  return InitForContent(Move(aEndpoint));
-}
-
-/*static*/ void
-VRManagerChild::InitSameProcess()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(!sVRManagerChildSingleton);
-
-  sVRManagerChildSingleton = new VRManagerChild();
-  sVRManagerParentSingleton = VRManagerParent::CreateSameProcess();
-  sVRManagerChildSingleton->Open(sVRManagerParentSingleton->GetIPCChannel(),
-                                 mozilla::layers::CompositorThreadHolder::Loop(),
-                                 mozilla::ipc::ChildSide);
-}
-
-/* static */ void
-VRManagerChild::InitWithGPUProcess(Endpoint<PVRManagerChild>&& aEndpoint)
-{
-  MOZ_ASSERT(NS_IsMainThread());
-  MOZ_ASSERT(!sVRManagerChildSingleton);
-
-  sVRManagerChildSingleton = new VRManagerChild();
-  if (!aEndpoint.Bind(sVRManagerChildSingleton)) {
-    NS_RUNTIMEABORT("Couldn't Open() Compositor channel.");
-    return;
-  }
-}
-
-/*static*/ void
-VRManagerChild::ShutDown()
-{
-  MOZ_ASSERT(NS_IsMainThread());
-  if (sVRManagerChildSingleton) {
-    sVRManagerChildSingleton->Destroy();
-    sVRManagerChildSingleton = nullptr;
-  }
-}
-
-/*static*/ void
-VRManagerChild::DeferredDestroy(RefPtr<VRManagerChild> aVRManagerChild)
-{
-  aVRManagerChild->Close();
-}
-
-void
-VRManagerChild::Destroy()
-{
-  mTexturesWaitingRecycled.Clear();
-
-  // Keep ourselves alive until everything has been shut down
-  RefPtr<VRManagerChild> selfRef = this;
-
-  // The DeferredDestroyVRManager task takes ownership of
-  // the VRManagerChild and will release it when it runs.
-  MessageLoop::current()->PostTask(
-             NewRunnableFunction(DeferredDestroy, selfRef));
-}
-
-layers::PTextureChild*
-VRManagerChild::AllocPTextureChild(const SurfaceDescriptor&,
-                                   const LayersBackend&,
-                                   const TextureFlags&,
-                                   const uint64_t&)
-{
-  return TextureClient::CreateIPDLActor();
-}
-
-bool
-VRManagerChild::DeallocPTextureChild(PTextureChild* actor)
-{
-  return TextureClient::DestroyIPDLActor(actor);
-}
-
-PVRLayerChild*
-VRManagerChild::AllocPVRLayerChild(const uint32_t& aDisplayID,
-                                   const float& aLeftEyeX,
-                                   const float& aLeftEyeY,
-                                   const float& aLeftEyeWidth,
-                                   const float& aLeftEyeHeight,
-                                   const float& aRightEyeX,
-                                   const float& aRightEyeY,
-                                   const float& aRightEyeWidth,
-                                   const float& aRightEyeHeight)
-{
-  RefPtr<VRLayerChild> layer = new VRLayerChild(aDisplayID, this);
-  return layer.forget().take();
-}
-
-bool
-VRManagerChild::DeallocPVRLayerChild(PVRLayerChild* actor)
-{
-  delete actor;
-  return true;
-}
-
-void
-VRManagerChild::UpdateDisplayInfo(nsTArray<VRDisplayInfo>& aDisplayUpdates)
-{
-  bool bDisplayConnected = false;
-  bool bDisplayDisconnected = false;
-
-  // Check if any displays have been disconnected
-  for (auto& display : mDisplays) {
-    bool found = false;
-    for (auto& displayUpdate : aDisplayUpdates) {
-      if (display->GetDisplayInfo().GetDisplayID() == displayUpdate.GetDisplayID()) {
-        found = true;
-        break;
-      }
-    }
-    if (!found) {
-      display->NotifyDisconnected();
-      bDisplayDisconnected = true;
-    }
-  }
-
-  // mDisplays could be a hashed container for more scalability, but not worth
-  // it now as we expect < 10 entries.
-  nsTArray<RefPtr<VRDisplayClient>> displays;
-  for (VRDisplayInfo& displayUpdate : aDisplayUpdates) {
-    bool isNewDisplay = true;
-    for (auto& display : mDisplays) {
-      const VRDisplayInfo& prevInfo = display->GetDisplayInfo();
-      if (prevInfo.GetDisplayID() == displayUpdate.GetDisplayID()) {
-        if (displayUpdate.GetIsConnected() && !prevInfo.GetIsConnected()) {
-          bDisplayConnected = true;
-        }
-        if (!displayUpdate.GetIsConnected() && prevInfo.GetIsConnected()) {
-          bDisplayDisconnected = true;
-        }
-        display->UpdateDisplayInfo(displayUpdate);
-        displays.AppendElement(display);
-        isNewDisplay = false;
-        break;
-      }
-    }
-    if (isNewDisplay) {
-      displays.AppendElement(new VRDisplayClient(displayUpdate));
-      bDisplayConnected = true;
-    }
-  }
-
-  mDisplays = displays;
-
-  if (bDisplayConnected) {
-    FireDOMVRDisplayConnectEvent();
-  }
-  if (bDisplayDisconnected) {
-    FireDOMVRDisplayDisconnectEvent();
-  }
-
-  mDisplaysInitialized = true;
-}
-
-bool
-VRManagerChild::RecvUpdateDisplayInfo(nsTArray<VRDisplayInfo>&& aDisplayUpdates)
-{
-  UpdateDisplayInfo(aDisplayUpdates);
-  for (auto& windowId : mNavigatorCallbacks) {
-    /** We must call NotifyVRDisplaysUpdated for every
-     * window's Navigator in mNavigatorCallbacks to ensure that
-     * the promise returned by Navigator.GetVRDevices
-     * can resolve.  This must happen even if no changes
-     * to VRDisplays have been detected here.
-     */
-    nsGlobalWindow* window = nsGlobalWindow::GetInnerWindowWithId(windowId);
-    if (!window) {
-      continue;
-    }
-    ErrorResult result;
-    dom::Navigator* nav = window->GetNavigator(result);
-    if (NS_WARN_IF(result.Failed())) {
-      continue;
-    }
-    nav->NotifyVRDisplaysUpdated();
-  }
-  mNavigatorCallbacks.Clear();
-  return true;
-}
-
-bool
-VRManagerChild::GetVRDisplays(nsTArray<RefPtr<VRDisplayClient>>& aDisplays)
-{
-  if (!mDisplaysInitialized) {
-    /**
-     * If we haven't received any asynchronous callback after requesting
-     * display enumeration with RefreshDisplays, get the existing displays
-     * that have already been enumerated by other VRManagerChild instances.
-     */
-    nsTArray<VRDisplayInfo> displays;
-    Unused << SendGetDisplays(&displays);
-    UpdateDisplayInfo(displays);
-  }
-  aDisplays = mDisplays;
-  return true;
-}
-
-bool
-VRManagerChild::RefreshVRDisplaysWithCallback(uint64_t aWindowId)
-{
-  bool success = SendRefreshDisplays();
-  if (success) {
-    mNavigatorCallbacks.AppendElement(aWindowId);
-  }
-  return success;
-}
-
-int
-VRManagerChild::GetInputFrameID()
-{
-  return mInputFrameID;
-}
-
-bool
-VRManagerChild::RecvParentAsyncMessages(InfallibleTArray<AsyncParentMessageData>&& aMessages)
-{
-  for (InfallibleTArray<AsyncParentMessageData>::index_type i = 0; i < aMessages.Length(); ++i) {
-    const AsyncParentMessageData& message = aMessages[i];
-
-    switch (message.type()) {
-      case AsyncParentMessageData::TOpNotifyNotUsed: {
-        const OpNotifyNotUsed& op = message.get_OpNotifyNotUsed();
-        NotifyNotUsed(op.TextureId(), op.fwdTransactionId());
-        break;
-      }
-      default:
-        NS_ERROR("unknown AsyncParentMessageData type");
-        return false;
-    }
-  }
-  return true;
-}
-
-PTextureChild*
-VRManagerChild::CreateTexture(const SurfaceDescriptor& aSharedData,
-                              LayersBackend aLayersBackend,
-                              TextureFlags aFlags,
-                              uint64_t aSerial)
-{
-  return SendPTextureConstructor(aSharedData, aLayersBackend, aFlags, aSerial);
-}
-
-void
-VRManagerChild::CancelWaitForRecycle(uint64_t aTextureId)
-{
-  RefPtr<TextureClient> client = mTexturesWaitingRecycled.Get(aTextureId);
-  if (!client) {
-    return;
-  }
-  mTexturesWaitingRecycled.Remove(aTextureId);
-}
-
-void
-VRManagerChild::NotifyNotUsed(uint64_t aTextureId, uint64_t aFwdTransactionId)
-{
-  RefPtr<TextureClient> client = mTexturesWaitingRecycled.Get(aTextureId);
-  if (!client) {
-    return;
-  }
-  mTexturesWaitingRecycled.Remove(aTextureId);
-}
-
-bool
-VRManagerChild::AllocShmem(size_t aSize,
-                           ipc::SharedMemory::SharedMemoryType aType,
-                           ipc::Shmem* aShmem)
-{
-  return PVRManagerChild::AllocShmem(aSize, aType, aShmem);
-}
-
-bool
-VRManagerChild::AllocUnsafeShmem(size_t aSize,
-                                 ipc::SharedMemory::SharedMemoryType aType,
-                                 ipc::Shmem* aShmem)
-{
-  return PVRManagerChild::AllocUnsafeShmem(aSize, aType, aShmem);
-}
-
-bool
-VRManagerChild::DeallocShmem(ipc::Shmem& aShmem)
-{
-  return PVRManagerChild::DeallocShmem(aShmem);
-}
-
-PVRLayerChild*
-VRManagerChild::CreateVRLayer(uint32_t aDisplayID, const Rect& aLeftEyeRect, const Rect& aRightEyeRect)
-{
-  return SendPVRLayerConstructor(aDisplayID,
-                                 aLeftEyeRect.x, aLeftEyeRect.y, aLeftEyeRect.width, aLeftEyeRect.height,
-                                 aRightEyeRect.x, aRightEyeRect.y, aRightEyeRect.width, aRightEyeRect.height);
-}
-
-
-// XXX TODO - VRManagerChild::FrameRequest is the same as nsIDocument::FrameRequest, should we consolodate these?
-struct VRManagerChild::FrameRequest
-{
-  FrameRequest(mozilla::dom::FrameRequestCallback& aCallback,
-    int32_t aHandle) :
-    mCallback(&aCallback),
-    mHandle(aHandle)
-  {}
-
-  // Conversion operator so that we can append these to a
-  // FrameRequestCallbackList
-  operator const RefPtr<mozilla::dom::FrameRequestCallback>& () const {
-    return mCallback;
-  }
-
-  // Comparator operators to allow RemoveElementSorted with an
-  // integer argument on arrays of FrameRequest
-  bool operator==(int32_t aHandle) const {
-    return mHandle == aHandle;
-  }
-  bool operator<(int32_t aHandle) const {
-    return mHandle < aHandle;
-  }
-
-  RefPtr<mozilla::dom::FrameRequestCallback> mCallback;
-  int32_t mHandle;
-};
-
-nsresult
-VRManagerChild::ScheduleFrameRequestCallback(mozilla::dom::FrameRequestCallback& aCallback,
-                                             int32_t *aHandle)
-{
-  if (mFrameRequestCallbackCounter == INT32_MAX) {
-    // Can't increment without overflowing; bail out
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-  int32_t newHandle = ++mFrameRequestCallbackCounter;
-
-  DebugOnly<FrameRequest*> request =
-    mFrameRequestCallbacks.AppendElement(FrameRequest(aCallback, newHandle));
-  NS_ASSERTION(request, "This is supposed to be infallible!");
-
-  *aHandle = newHandle;
-  return NS_OK;
-}
-
-void
-VRManagerChild::CancelFrameRequestCallback(int32_t aHandle)
-{
-  // mFrameRequestCallbacks is stored sorted by handle
-  mFrameRequestCallbacks.RemoveElementSorted(aHandle);
-}
-
-bool
-VRManagerChild::RecvNotifyVSync()
-{
-  for (auto& display : mDisplays) {
-    display->NotifyVsync();
-  }
-
-  return true;
-}
-
-bool
-VRManagerChild::RecvNotifyVRVSync(const uint32_t& aDisplayID)
-{
-  for (auto& display : mDisplays) {
-    if (display->GetDisplayInfo().GetDisplayID() == aDisplayID) {
-      display->NotifyVRVsync();
-    }
-  }
-
-  return true;
-}
-
-bool
-VRManagerChild::RecvGamepadUpdate(const GamepadChangeEvent& aGamepadEvent)
-{
-#ifdef MOZ_GAMEPAD
-  // VRManagerChild could be at other processes, but GamepadManager
-  // only exists at the content process or the same process
-  // in non-e10s mode.
-  MOZ_ASSERT(XRE_IsContentProcess() || IsSameProcess());
-
-  RefPtr<GamepadManager> gamepadManager(GamepadManager::GetService());
-  if (gamepadManager) {
-    gamepadManager->Update(aGamepadEvent);
-  }
-#endif
-
-  return true;
-}
-
-void
-VRManagerChild::RunFrameRequestCallbacks()
-{
-  TimeStamp nowTime = TimeStamp::Now();
-  mozilla::TimeDuration duration = nowTime - mStartTimeStamp;
-  DOMHighResTimeStamp timeStamp = duration.ToMilliseconds();
-
-
-  nsTArray<FrameRequest> callbacks;
-  callbacks.AppendElements(mFrameRequestCallbacks);
-  mFrameRequestCallbacks.Clear();
-  for (auto& callback : callbacks) {
-    callback.mCallback->Call(timeStamp);
-  }
-}
-
-void
-VRManagerChild::FireDOMVRDisplayConnectEvent()
-{
-  nsContentUtils::AddScriptRunner(NewRunnableMethod(this,
-    &VRManagerChild::FireDOMVRDisplayConnectEventInternal));
-}
-
-void
-VRManagerChild::FireDOMVRDisplayDisconnectEvent()
-{
-  nsContentUtils::AddScriptRunner(NewRunnableMethod(this,
-    &VRManagerChild::FireDOMVRDisplayDisconnectEventInternal));
-}
-
-void
-VRManagerChild::FireDOMVRDisplayPresentChangeEvent()
-{
-  nsContentUtils::AddScriptRunner(NewRunnableMethod(this,
-    &VRManagerChild::FireDOMVRDisplayPresentChangeEventInternal));
-}
-
-void
-VRManagerChild::FireDOMVRDisplayConnectEventInternal()
-{
-  for (auto& listener : mListeners) {
-    listener->NotifyVRDisplayConnect();
-  }
-}
-
-void
-VRManagerChild::FireDOMVRDisplayDisconnectEventInternal()
-{
-  for (auto& listener : mListeners) {
-    listener->NotifyVRDisplayDisconnect();
-  }
-}
-
-void
-VRManagerChild::FireDOMVRDisplayPresentChangeEventInternal()
-{
-  for (auto& listener : mListeners) {
-    listener->NotifyVRDisplayPresentChange();
-  }
-}
-
-void
-VRManagerChild::AddListener(dom::VREventObserver* aObserver)
-{
-  MOZ_ASSERT(aObserver);
-
-  if (mListeners.IndexOf(aObserver) != kNoIndex) {
-    return; // already exists
-  }
-
-  mListeners.AppendElement(aObserver);
-  if (mListeners.Length() == 1) {
-    Unused << SendSetHaveEventListener(true);
-  }
-}
-
-void
-VRManagerChild::RemoveListener(dom::VREventObserver* aObserver)
-{
-  MOZ_ASSERT(aObserver);
-
-  mListeners.RemoveElement(aObserver);
-  if (mListeners.IsEmpty()) {
-    Unused << SendSetHaveEventListener(false);
-  }
-}
-
-void
-VRManagerChild::HandleFatalError(const char* aName, const char* aMsg) const
-{
-  dom::ContentChild::FatalErrorIfNotUsingGPUProcess(aName, aMsg, OtherPid());
-}
-
-} // namespace gfx
-} // namespace mozilla
diff --git a/gfx/vr/ipc/VRManagerChild.h b/gfx/vr/ipc/VRManagerChild.h
deleted file mode 100644
index c898cd2f88..0000000000
--- a/gfx/vr/ipc/VRManagerChild.h
+++ /dev/null
@@ -1,185 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * vim: sw=2 ts=8 et :
- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef MOZILLA_GFX_VR_VRMANAGERCHILD_H
-#define MOZILLA_GFX_VR_VRMANAGERCHILD_H
-
-#include "mozilla/gfx/PVRManagerChild.h"
-#include "mozilla/ipc/SharedMemory.h"   // for SharedMemory, etc
-#include "ThreadSafeRefcountingWithMainThreadDestruction.h"
-#include "mozilla/layers/ISurfaceAllocator.h"  // for ISurfaceAllocator
-#include "mozilla/layers/LayersTypes.h"  // for LayersBackend
-#include "mozilla/layers/TextureForwarder.h"
-
-namespace mozilla {
-namespace dom {
-class GamepadManager;
-class Navigator;
-class VRDisplay;
-class VREventObserver;
-} // namespace dom
-namespace layers {
-class PCompositableChild;
-class TextureClient;
-}
-namespace gfx {
-class VRLayerChild;
-class VRDisplayClient;
-
-class VRManagerChild : public PVRManagerChild
-                     , public layers::TextureForwarder
-                     , public layers::KnowsCompositor
-{
-public:
-  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VRManagerChild, override);
-
-  TextureForwarder* GetTextureForwarder() override { return this; }
-  LayersIPCActor* GetLayersIPCActor() override { return this; }
-
-  static VRManagerChild* Get();
-
-  // Indicate that an observer wants to receive VR events.
-  void AddListener(dom::VREventObserver* aObserver);
-  // Indicate that an observer should no longer receive VR events.
-  void RemoveListener(dom::VREventObserver* aObserver);
-
-  int GetInputFrameID();
-  bool GetVRDisplays(nsTArray<RefPtr<VRDisplayClient> >& aDisplays);
-  bool RefreshVRDisplaysWithCallback(uint64_t aWindowId);
-
-  static void InitSameProcess();
-  static void InitWithGPUProcess(Endpoint<PVRManagerChild>&& aEndpoint);
-  static bool InitForContent(Endpoint<PVRManagerChild>&& aEndpoint);
-  static bool ReinitForContent(Endpoint<PVRManagerChild>&& aEndpoint);
-  static void ShutDown();
-
-  static bool IsCreated();
-
-  virtual PTextureChild* CreateTexture(const SurfaceDescriptor& aSharedData,
-                                       layers::LayersBackend aLayersBackend,
-                                       TextureFlags aFlags,
-                                       uint64_t aSerial) override;
-  virtual void CancelWaitForRecycle(uint64_t aTextureId) override;
-
-  PVRLayerChild* CreateVRLayer(uint32_t aDisplayID, const Rect& aLeftEyeRect, const Rect& aRightEyeRect);
-
-  static void IdentifyTextureHost(const layers::TextureFactoryIdentifier& aIdentifier);
-  layers::LayersBackend GetBackendType() const;
-  layers::SyncObject* GetSyncObject() { return mSyncObject; }
-
-  virtual MessageLoop* GetMessageLoop() const override { return mMessageLoop; }
-  virtual base::ProcessId GetParentPid() const override { return OtherPid(); }
-
-  nsresult ScheduleFrameRequestCallback(mozilla::dom::FrameRequestCallback& aCallback,
-    int32_t *aHandle);
-  void CancelFrameRequestCallback(int32_t aHandle);
-  void RunFrameRequestCallbacks();
-
-  void UpdateDisplayInfo(nsTArray<VRDisplayInfo>& aDisplayUpdates);
-  void FireDOMVRDisplayConnectEvent();
-  void FireDOMVRDisplayDisconnectEvent();
-  void FireDOMVRDisplayPresentChangeEvent();
-
-  virtual void HandleFatalError(const char* aName, const char* aMsg) const override;
-
-protected:
-  explicit VRManagerChild();
-  ~VRManagerChild();
-  void Destroy();
-  static void DeferredDestroy(RefPtr<VRManagerChild> aVRManagerChild);
-
-  virtual PTextureChild* AllocPTextureChild(const SurfaceDescriptor& aSharedData,
-                                            const layers::LayersBackend& aLayersBackend,
-                                            const TextureFlags& aFlags,
-                                            const uint64_t& aSerial) override;
-  virtual bool DeallocPTextureChild(PTextureChild* actor) override;
-
-  virtual PVRLayerChild* AllocPVRLayerChild(const uint32_t& aDisplayID,
-                                            const float& aLeftEyeX,
-                                            const float& aLeftEyeY,
-                                            const float& aLeftEyeWidth,
-                                            const float& aLeftEyeHeight,
-                                            const float& aRightEyeX,
-                                            const float& aRightEyeY,
-                                            const float& aRightEyeWidth,
-                                            const float& aRightEyeHeight) override;
-  virtual bool DeallocPVRLayerChild(PVRLayerChild* actor) override;
-
-  virtual bool RecvUpdateDisplayInfo(nsTArray<VRDisplayInfo>&& aDisplayUpdates) override;
-
-  virtual bool RecvParentAsyncMessages(InfallibleTArray<AsyncParentMessageData>&& aMessages) override;
-
-  virtual bool RecvNotifyVSync() override;
-  virtual bool RecvNotifyVRVSync(const uint32_t& aDisplayID) override;
-  virtual bool RecvGamepadUpdate(const GamepadChangeEvent& aGamepadEvent) override;
-
-  // ShmemAllocator
-
-  virtual bool AllocShmem(size_t aSize,
-                          ipc::SharedMemory::SharedMemoryType aType,
-                          ipc::Shmem* aShmem) override;
-
-  virtual bool AllocUnsafeShmem(size_t aSize,
-                                ipc::SharedMemory::SharedMemoryType aType,
-                                ipc::Shmem* aShmem) override;
-
-  virtual bool DeallocShmem(ipc::Shmem& aShmem) override;
-
-  virtual bool IsSameProcess() const override
-  {
-    return OtherPid() == base::GetCurrentProcId();
-  }
-
-  friend class layers::CompositorBridgeChild;
-
-private:
-
-  void FireDOMVRDisplayConnectEventInternal();
-  void FireDOMVRDisplayDisconnectEventInternal();
-  void FireDOMVRDisplayPresentChangeEventInternal();
-  /**
-  * Notify id of Texture When host side end its use. Transaction id is used to
-  * make sure if there is no newer usage.
-  */
-  void NotifyNotUsed(uint64_t aTextureId, uint64_t aFwdTransactionId);
-
-  nsTArray<RefPtr<VRDisplayClient> > mDisplays;
-  bool mDisplaysInitialized;
-  nsTArray<uint64_t> mNavigatorCallbacks;
-
-  int32_t mInputFrameID;
-
-  MessageLoop* mMessageLoop;
-
-  struct FrameRequest;
-
-  nsTArray<FrameRequest> mFrameRequestCallbacks;
-  /**
-  * The current frame request callback handle
-  */
-  int32_t mFrameRequestCallbackCounter;
-  mozilla::TimeStamp mStartTimeStamp;
-
-  // Array of Weak pointers, instance is owned by nsGlobalWindow::mVREventObserver.
-  nsTArray<dom::VREventObserver*> mListeners;
-
-  /**
-  * Hold TextureClients refs until end of their usages on host side.
-  * It defer calling of TextureClient recycle callback.
-  */
-  nsDataHashtable<nsUint64HashKey, RefPtr<layers::TextureClient> > mTexturesWaitingRecycled;
-
-  layers::LayersBackend mBackend;
-  RefPtr<layers::SyncObject> mSyncObject;
-
-  DISALLOW_COPY_AND_ASSIGN(VRManagerChild);
-};
-
-} // namespace mozilla
-} // namespace gfx
-
-#endif // MOZILLA_GFX_VR_VRMANAGERCHILD_H
diff --git a/gfx/vr/ipc/VRManagerParent.cpp b/gfx/vr/ipc/VRManagerParent.cpp
deleted file mode 100644
index 725d7dd1dd..0000000000
--- a/gfx/vr/ipc/VRManagerParent.cpp
+++ /dev/null
@@ -1,332 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * vim: sw=2 ts=8 et :
- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "VRManagerParent.h"
-#include "ipc/VRLayerParent.h"
-#include "mozilla/gfx/PVRManagerParent.h"
-#include "mozilla/ipc/ProtocolTypes.h"
-#include "mozilla/ipc/ProtocolUtils.h"       // for IToplevelProtocol
-#include "mozilla/TimeStamp.h"               // for TimeStamp
-#include "mozilla/layers/CompositorThread.h"
-#include "mozilla/Unused.h"
-#include "VRManager.h"
-
-namespace mozilla {
-using namespace layers;
-namespace gfx {
-
-VRManagerParent::VRManagerParent(ProcessId aChildProcessId, bool aIsContentChild)
-  : HostIPCAllocator()
-  , mHaveEventListener(false)
-  , mIsContentChild(aIsContentChild)
-{
-  MOZ_COUNT_CTOR(VRManagerParent);
-  MOZ_ASSERT(NS_IsMainThread());
-
-  SetOtherProcessId(aChildProcessId);
-}
-
-VRManagerParent::~VRManagerParent()
-{
-  MOZ_ASSERT(!mVRManagerHolder);
-
-  MOZ_COUNT_DTOR(VRManagerParent);
-}
-
-PTextureParent*
-VRManagerParent::AllocPTextureParent(const SurfaceDescriptor& aSharedData,
-                                     const LayersBackend& aLayersBackend,
-                                     const TextureFlags& aFlags,
-                                     const uint64_t& aSerial)
-{
-  return layers::TextureHost::CreateIPDLActor(this, aSharedData, aLayersBackend, aFlags, aSerial);
-}
-
-bool
-VRManagerParent::DeallocPTextureParent(PTextureParent* actor)
-{
-  return layers::TextureHost::DestroyIPDLActor(actor);
-}
-
-PVRLayerParent*
-VRManagerParent::AllocPVRLayerParent(const uint32_t& aDisplayID,
-                                     const float& aLeftEyeX,
-                                     const float& aLeftEyeY,
-                                     const float& aLeftEyeWidth,
-                                     const float& aLeftEyeHeight,
-                                     const float& aRightEyeX,
-                                     const float& aRightEyeY,
-                                     const float& aRightEyeWidth,
-                                     const float& aRightEyeHeight)
-{
-  RefPtr<VRLayerParent> layer;
-  layer = new VRLayerParent(aDisplayID,
-                            Rect(aLeftEyeX, aLeftEyeY, aLeftEyeWidth, aLeftEyeHeight),
-                            Rect(aRightEyeX, aRightEyeY, aRightEyeWidth, aRightEyeHeight));
-  VRManager* vm = VRManager::Get();
-  RefPtr<gfx::VRDisplayHost> display = vm->GetDisplay(aDisplayID);
-  if (display) {
-    display->AddLayer(layer);
-  }
-  return layer.forget().take();
-}
-
-bool
-VRManagerParent::DeallocPVRLayerParent(PVRLayerParent* actor)
-{
-  gfx::VRLayerParent* layer = static_cast<gfx::VRLayerParent*>(actor);
-
-  VRManager* vm = VRManager::Get();
-  RefPtr<gfx::VRDisplayHost> display = vm->GetDisplay(layer->GetDisplayID());
-  if (display) {
-    display->RemoveLayer(layer);
-  }
-
-  delete actor;
-  return true;
-}
-
-bool
-VRManagerParent::AllocShmem(size_t aSize,
-  ipc::SharedMemory::SharedMemoryType aType,
-  ipc::Shmem* aShmem)
-{
-  return PVRManagerParent::AllocShmem(aSize, aType, aShmem);
-}
-
-bool
-VRManagerParent::AllocUnsafeShmem(size_t aSize,
-  ipc::SharedMemory::SharedMemoryType aType,
-  ipc::Shmem* aShmem)
-{
-  return PVRManagerParent::AllocUnsafeShmem(aSize, aType, aShmem);
-}
-
-void
-VRManagerParent::DeallocShmem(ipc::Shmem& aShmem)
-{
-  PVRManagerParent::DeallocShmem(aShmem);
-}
-
-bool
-VRManagerParent::IsSameProcess() const
-{
-  return OtherPid() == base::GetCurrentProcId();
-}
-
-void
-VRManagerParent::NotifyNotUsed(PTextureParent* aTexture, uint64_t aTransactionId)
-{
-  MOZ_ASSERT_UNREACHABLE("unexpected to be called");
-}
-
-void
-VRManagerParent::SendAsyncMessage(const InfallibleTArray<AsyncParentMessageData>& aMessage)
-{
-  MOZ_ASSERT_UNREACHABLE("unexpected to be called");
-}
-
-base::ProcessId
-VRManagerParent::GetChildProcessId()
-{
-  return OtherPid();
-}
-
-void
-VRManagerParent::RegisterWithManager()
-{
-  VRManager* vm = VRManager::Get();
-  vm->AddVRManagerParent(this);
-  mVRManagerHolder = vm;
-}
-
-void
-VRManagerParent::UnregisterFromManager()
-{
-  VRManager* vm = VRManager::Get();
-  vm->RemoveVRManagerParent(this);
-  mVRManagerHolder = nullptr;
-}
-
-/* static */ bool
-VRManagerParent::CreateForContent(Endpoint<PVRManagerParent>&& aEndpoint)
-{
-  MessageLoop* loop = layers::CompositorThreadHolder::Loop();
-
-  RefPtr<VRManagerParent> vmp = new VRManagerParent(aEndpoint.OtherPid(), true);
-  loop->PostTask(NewRunnableMethod<Endpoint<PVRManagerParent>&&>(
-    vmp, &VRManagerParent::Bind, Move(aEndpoint)));
-
-  return true;
-}
-
-void
-VRManagerParent::Bind(Endpoint<PVRManagerParent>&& aEndpoint)
-{
-  if (!aEndpoint.Bind(this)) {
-    return;
-  }
-  mSelfRef = this;
-
-  RegisterWithManager();
-}
-
-/*static*/ void
-VRManagerParent::RegisterVRManagerInCompositorThread(VRManagerParent* aVRManager)
-{
-  aVRManager->RegisterWithManager();
-}
-
-/*static*/ VRManagerParent*
-VRManagerParent::CreateSameProcess()
-{
-  MessageLoop* loop = mozilla::layers::CompositorThreadHolder::Loop();
-  RefPtr<VRManagerParent> vmp = new VRManagerParent(base::GetCurrentProcId(), false);
-  vmp->mCompositorThreadHolder = layers::CompositorThreadHolder::GetSingleton();
-  vmp->mSelfRef = vmp;
-  loop->PostTask(NewRunnableFunction(RegisterVRManagerInCompositorThread, vmp.get()));
-  return vmp.get();
-}
-
-bool
-VRManagerParent::CreateForGPUProcess(Endpoint<PVRManagerParent>&& aEndpoint)
-{
-  MessageLoop* loop = mozilla::layers::CompositorThreadHolder::Loop();
-
-  RefPtr<VRManagerParent> vmp = new VRManagerParent(aEndpoint.OtherPid(), false);
-  vmp->mCompositorThreadHolder = layers::CompositorThreadHolder::GetSingleton();
-  loop->PostTask(NewRunnableMethod<Endpoint<PVRManagerParent>&&>(
-    vmp, &VRManagerParent::Bind, Move(aEndpoint)));
-  return true;
-}
-
-void
-VRManagerParent::DeferredDestroy()
-{
-  mCompositorThreadHolder = nullptr;
-  mSelfRef = nullptr;
-}
-
-void
-VRManagerParent::ActorDestroy(ActorDestroyReason why)
-{
-  UnregisterFromManager();
-  MessageLoop::current()->PostTask(NewRunnableMethod(this, &VRManagerParent::DeferredDestroy));
-}
-
-void
-VRManagerParent::OnChannelConnected(int32_t aPid)
-{
-  mCompositorThreadHolder = layers::CompositorThreadHolder::GetSingleton();
-}
-
-bool
-VRManagerParent::RecvRefreshDisplays()
-{
-  // This is called to refresh the VR Displays for Navigator.GetVRDevices().
-  // We must pass "true" to VRManager::RefreshVRDisplays()
-  // to ensure that the promise returned by Navigator.GetVRDevices
-  // can resolve even if there are no changes to the VR Displays.
-  VRManager* vm = VRManager::Get();
-  vm->RefreshVRDisplays(true);
-
-  return true;
-}
-
-bool
-VRManagerParent::RecvGetDisplays(nsTArray<VRDisplayInfo> *aDisplays)
-{
-  VRManager* vm = VRManager::Get();
-  vm->GetVRDisplayInfo(*aDisplays);
-  return true;
-}
-
-bool
-VRManagerParent::RecvResetSensor(const uint32_t& aDisplayID)
-{
-  VRManager* vm = VRManager::Get();
-  RefPtr<gfx::VRDisplayHost> display = vm->GetDisplay(aDisplayID);
-  if (display != nullptr) {
-    display->ZeroSensor();
-  }
-
-  return true;
-}
-
-bool
-VRManagerParent::RecvGetSensorState(const uint32_t& aDisplayID, VRHMDSensorState* aState)
-{
-  VRManager* vm = VRManager::Get();
-  RefPtr<gfx::VRDisplayHost> display = vm->GetDisplay(aDisplayID);
-  if (display != nullptr) {
-    *aState = display->GetSensorState();
-  }
-  return true;
-}
-
-bool
-VRManagerParent::RecvGetImmediateSensorState(const uint32_t& aDisplayID, VRHMDSensorState* aState)
-{
-  VRManager* vm = VRManager::Get();
-  RefPtr<gfx::VRDisplayHost> display = vm->GetDisplay(aDisplayID);
-  if (display != nullptr) {
-    *aState = display->GetImmediateSensorState();
-  }
-  return true;
-}
-
-bool
-VRManagerParent::HaveEventListener()
-{
-  return mHaveEventListener;
-}
-
-bool
-VRManagerParent::RecvSetHaveEventListener(const bool& aHaveEventListener)
-{
-  mHaveEventListener = aHaveEventListener;
-  return true;
-}
-
-bool
-VRManagerParent::RecvControllerListenerAdded()
-{
-  VRManager* vm = VRManager::Get();
-  // Ask the connected gamepads to be added to GamepadManager
-  vm->ScanForDevices();
-
-  return true;
-}
-
-bool
-VRManagerParent::RecvControllerListenerRemoved()
-{
-  return true;
-}
-
-bool
-VRManagerParent::RecvGetControllers(nsTArray<VRControllerInfo> *aControllers)
-{
-  VRManager* vm = VRManager::Get();
-  vm->GetVRControllerInfo(*aControllers);
-  return true;
-}
-
-bool
-VRManagerParent::SendGamepadUpdate(const GamepadChangeEvent& aGamepadEvent)
-{
-  // GamepadManager only exists at the content process
-  // or the same process in non-e10s mode.
-  if (mIsContentChild || IsSameProcess()) {
-    return PVRManagerParent::SendGamepadUpdate(aGamepadEvent);
-  } else {
-    return true;
-  }
-}
-
-} // namespace gfx
-} // namespace mozilla
diff --git a/gfx/vr/ipc/VRManagerParent.h b/gfx/vr/ipc/VRManagerParent.h
deleted file mode 100644
index d4611c187b..0000000000
--- a/gfx/vr/ipc/VRManagerParent.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- * vim: sw=2 ts=8 et :
- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef MOZILLA_GFX_VR_VRMANAGERPARENT_H
-#define MOZILLA_GFX_VR_VRMANAGERPARENT_H
-
-#include "mozilla/layers/CompositableTransactionParent.h"
-#include "mozilla/layers/CompositorThread.h" // for CompositorThreadHolder
-#include "mozilla/gfx/PVRManagerParent.h" // for PVRManagerParent
-#include "mozilla/gfx/PVRLayerParent.h"   // for PVRLayerParent
-#include "mozilla/ipc/ProtocolUtils.h"    // for IToplevelProtocol
-#include "mozilla/TimeStamp.h"            // for TimeStamp
-#include "gfxVR.h"                        // for VRFieldOfView
-
-namespace mozilla {
-using namespace layers;
-namespace gfx {
-
-class VRManager;
-
-class VRManagerParent final : public PVRManagerParent
-                            , public HostIPCAllocator
-                            , public ShmemAllocator
-{
-public:
-  explicit VRManagerParent(ProcessId aChildProcessId, bool aIsContentChild);
-
-  static VRManagerParent* CreateSameProcess();
-  static bool CreateForGPUProcess(Endpoint<PVRManagerParent>&& aEndpoint);
-  static bool CreateForContent(Endpoint<PVRManagerParent>&& aEndpoint);
-
-  virtual base::ProcessId GetChildProcessId() override;
-
-  // ShmemAllocator
-
-  virtual ShmemAllocator* AsShmemAllocator() override { return this; }
-
-  virtual bool AllocShmem(size_t aSize,
-    ipc::SharedMemory::SharedMemoryType aType,
-    ipc::Shmem* aShmem) override;
-
-  virtual bool AllocUnsafeShmem(size_t aSize,
-    ipc::SharedMemory::SharedMemoryType aType,
-    ipc::Shmem* aShmem) override;
-
-  virtual void DeallocShmem(ipc::Shmem& aShmem) override;
-
-  virtual bool IsSameProcess() const override;
-  bool HaveEventListener();
-
-  virtual void NotifyNotUsed(PTextureParent* aTexture, uint64_t aTransactionId) override;
-  virtual void SendAsyncMessage(const InfallibleTArray<AsyncParentMessageData>& aMessage) override;
-  bool SendGamepadUpdate(const GamepadChangeEvent& aGamepadEvent);
-
-protected:
-  ~VRManagerParent();
-
-  virtual PTextureParent* AllocPTextureParent(const SurfaceDescriptor& aSharedData,
-                                              const LayersBackend& aLayersBackend,
-                                              const TextureFlags& aFlags,
-                                              const uint64_t& aSerial) override;
-  virtual bool DeallocPTextureParent(PTextureParent* actor) override;
-
-  virtual PVRLayerParent* AllocPVRLayerParent(const uint32_t& aDisplayID,
-                                              const float& aLeftEyeX,
-                                              const float& aLeftEyeY,
-                                              const float& aLeftEyeWidth,
-                                              const float& aLeftEyeHeight,
-                                              const float& aRightEyeX,
-                                              const float& aRightEyeY,
-                                              const float& aRightEyeWidth,
-                                              const float& aRightEyeHeight) override;
-  virtual bool DeallocPVRLayerParent(PVRLayerParent* actor) override;
-
-  virtual void ActorDestroy(ActorDestroyReason why) override;
-  void OnChannelConnected(int32_t pid) override;
-
-  virtual bool RecvRefreshDisplays() override;
-  virtual bool RecvGetDisplays(nsTArray<VRDisplayInfo> *aDisplays) override;
-  virtual bool RecvResetSensor(const uint32_t& aDisplayID) override;
-  virtual bool RecvGetSensorState(const uint32_t& aDisplayID, VRHMDSensorState* aState) override;
-  virtual bool RecvGetImmediateSensorState(const uint32_t& aDisplayID, VRHMDSensorState* aState) override;
-  virtual bool RecvSetHaveEventListener(const bool& aHaveEventListener) override;
-  virtual bool RecvControllerListenerAdded() override;
-  virtual bool RecvControllerListenerRemoved() override;
-  virtual bool RecvGetControllers(nsTArray<VRControllerInfo> *aControllers) override;
-
-private:
-  void RegisterWithManager();
-  void UnregisterFromManager();
-
-  void Bind(Endpoint<PVRManagerParent>&& aEndpoint);
-
-  static void RegisterVRManagerInCompositorThread(VRManagerParent* aVRManager);
-
-  void DeferredDestroy();
-
-  // This keeps us alive until ActorDestroy(), at which point we do a
-  // deferred destruction of ourselves.
-  RefPtr<VRManagerParent> mSelfRef;
-
-  // Keep the compositor thread alive, until we have destroyed ourselves.
-  RefPtr<layers::CompositorThreadHolder> mCompositorThreadHolder;
-
-  // Keep the VRManager alive, until we have destroyed ourselves.
-  RefPtr<VRManager> mVRManagerHolder;
-  bool mHaveEventListener;
-  bool mIsContentChild;
-};
-
-} // namespace mozilla
-} // namespace gfx
-
-#endif // MOZILLA_GFX_VR_VRMANAGERPARENT_H
diff --git a/gfx/vr/ipc/VRMessageUtils.h b/gfx/vr/ipc/VRMessageUtils.h
deleted file mode 100644
index c066047dba..0000000000
--- a/gfx/vr/ipc/VRMessageUtils.h
+++ /dev/null
@@ -1,193 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set sw=2 ts=8 et tw=80 : */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_gfx_vr_VRMessageUtils_h
-#define mozilla_gfx_vr_VRMessageUtils_h
-
-#include "ipc/IPCMessageUtils.h"
-#include "mozilla/GfxMessageUtils.h"
-#include "VRManager.h"
-
-#include "gfxVR.h"
-
-namespace IPC {
-
-template<>
-struct ParamTraits<mozilla::gfx::VRDeviceType> :
-  public ContiguousEnumSerializer<mozilla::gfx::VRDeviceType,
-                                  mozilla::gfx::VRDeviceType(0),
-                                  mozilla::gfx::VRDeviceType(mozilla::gfx::VRDeviceType::NumVRDeviceTypes)> {};
-
-template<>
-struct ParamTraits<mozilla::gfx::VRDisplayCapabilityFlags> :
-  public BitFlagsEnumSerializer<mozilla::gfx::VRDisplayCapabilityFlags,
-                                mozilla::gfx::VRDisplayCapabilityFlags::Cap_All> {};
-
-template <>
-struct ParamTraits<mozilla::gfx::VRDisplayInfo>
-{
-  typedef mozilla::gfx::VRDisplayInfo paramType;
-
-  static void Write(Message* aMsg, const paramType& aParam)
-  {
-    WriteParam(aMsg, aParam.mType);
-    WriteParam(aMsg, aParam.mDisplayID);
-    WriteParam(aMsg, aParam.mDisplayName);
-    WriteParam(aMsg, aParam.mCapabilityFlags);
-    WriteParam(aMsg, aParam.mEyeResolution);
-    WriteParam(aMsg, aParam.mIsConnected);
-    WriteParam(aMsg, aParam.mIsPresenting);
-    WriteParam(aMsg, aParam.mStageSize);
-    WriteParam(aMsg, aParam.mSittingToStandingTransform);
-    for (int i = 0; i < mozilla::gfx::VRDisplayInfo::NumEyes; i++) {
-      WriteParam(aMsg, aParam.mEyeFOV[i]);
-      WriteParam(aMsg, aParam.mEyeTranslation[i]);
-    }
-  }
-
-  static bool Read(const Message* aMsg, PickleIterator* aIter, paramType* aResult)
-  {
-    if (!ReadParam(aMsg, aIter, &(aResult->mType)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mDisplayID)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mDisplayName)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mCapabilityFlags)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mEyeResolution)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mIsConnected)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mIsPresenting)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mStageSize)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mSittingToStandingTransform))) {
-      return false;
-    }
-    for (int i = 0; i < mozilla::gfx::VRDisplayInfo::NumEyes; i++) {
-      if (!ReadParam(aMsg, aIter, &(aResult->mEyeFOV[i])) ||
-          !ReadParam(aMsg, aIter, &(aResult->mEyeTranslation[i]))) {
-        return false;
-      }
-    }
-
-    return true;
-  }
-};
-
-template <>
-struct ParamTraits<mozilla::gfx::VRHMDSensorState>
-{
-  typedef mozilla::gfx::VRHMDSensorState paramType;
-
-  static void Write(Message* aMsg, const paramType& aParam)
-  {
-    WriteParam(aMsg, aParam.timestamp);
-    WriteParam(aMsg, aParam.inputFrameID);
-    WriteParam(aMsg, aParam.flags);
-    WriteParam(aMsg, aParam.orientation[0]);
-    WriteParam(aMsg, aParam.orientation[1]);
-    WriteParam(aMsg, aParam.orientation[2]);
-    WriteParam(aMsg, aParam.orientation[3]);
-    WriteParam(aMsg, aParam.position[0]);
-    WriteParam(aMsg, aParam.position[1]);
-    WriteParam(aMsg, aParam.position[2]);
-    WriteParam(aMsg, aParam.angularVelocity[0]);
-    WriteParam(aMsg, aParam.angularVelocity[1]);
-    WriteParam(aMsg, aParam.angularVelocity[2]);
-    WriteParam(aMsg, aParam.angularAcceleration[0]);
-    WriteParam(aMsg, aParam.angularAcceleration[1]);
-    WriteParam(aMsg, aParam.angularAcceleration[2]);
-    WriteParam(aMsg, aParam.linearVelocity[0]);
-    WriteParam(aMsg, aParam.linearVelocity[1]);
-    WriteParam(aMsg, aParam.linearVelocity[2]);
-    WriteParam(aMsg, aParam.linearAcceleration[0]);
-    WriteParam(aMsg, aParam.linearAcceleration[1]);
-    WriteParam(aMsg, aParam.linearAcceleration[2]);
-  }
-
-  static bool Read(const Message* aMsg, PickleIterator* aIter, paramType* aResult)
-  {
-    if (!ReadParam(aMsg, aIter, &(aResult->timestamp)) ||
-        !ReadParam(aMsg, aIter, &(aResult->inputFrameID)) ||
-        !ReadParam(aMsg, aIter, &(aResult->flags)) ||
-        !ReadParam(aMsg, aIter, &(aResult->orientation[0])) ||
-        !ReadParam(aMsg, aIter, &(aResult->orientation[1])) ||
-        !ReadParam(aMsg, aIter, &(aResult->orientation[2])) ||
-        !ReadParam(aMsg, aIter, &(aResult->orientation[3])) ||
-        !ReadParam(aMsg, aIter, &(aResult->position[0])) ||
-        !ReadParam(aMsg, aIter, &(aResult->position[1])) ||
-        !ReadParam(aMsg, aIter, &(aResult->position[2])) ||
-        !ReadParam(aMsg, aIter, &(aResult->angularVelocity[0])) ||
-        !ReadParam(aMsg, aIter, &(aResult->angularVelocity[1])) ||
-        !ReadParam(aMsg, aIter, &(aResult->angularVelocity[2])) ||
-        !ReadParam(aMsg, aIter, &(aResult->angularAcceleration[0])) ||
-        !ReadParam(aMsg, aIter, &(aResult->angularAcceleration[1])) ||
-        !ReadParam(aMsg, aIter, &(aResult->angularAcceleration[2])) ||
-        !ReadParam(aMsg, aIter, &(aResult->linearVelocity[0])) ||
-        !ReadParam(aMsg, aIter, &(aResult->linearVelocity[1])) ||
-        !ReadParam(aMsg, aIter, &(aResult->linearVelocity[2])) ||
-        !ReadParam(aMsg, aIter, &(aResult->linearAcceleration[0])) ||
-        !ReadParam(aMsg, aIter, &(aResult->linearAcceleration[1])) ||
-        !ReadParam(aMsg, aIter, &(aResult->linearAcceleration[2]))) {
-      return false;
-    }
-    return true;
-  }
-};
-
-template <>
-struct ParamTraits<mozilla::gfx::VRFieldOfView>
-{
-  typedef mozilla::gfx::VRFieldOfView paramType;
-
-  static void Write(Message* aMsg, const paramType& aParam)
-  {
-    WriteParam(aMsg, aParam.upDegrees);
-    WriteParam(aMsg, aParam.rightDegrees);
-    WriteParam(aMsg, aParam.downDegrees);
-    WriteParam(aMsg, aParam.leftDegrees);
-  }
-
-  static bool Read(const Message* aMsg, PickleIterator* aIter, paramType* aResult)
-  {
-    if (!ReadParam(aMsg, aIter, &(aResult->upDegrees)) ||
-        !ReadParam(aMsg, aIter, &(aResult->rightDegrees)) ||
-        !ReadParam(aMsg, aIter, &(aResult->downDegrees)) ||
-        !ReadParam(aMsg, aIter, &(aResult->leftDegrees))) {
-      return false;
-    }
-
-    return true;
-  }
-};
-
-template <>
-struct ParamTraits<mozilla::gfx::VRControllerInfo>
-{
-  typedef mozilla::gfx::VRControllerInfo paramType;
-
-  static void Write(Message* aMsg, const paramType& aParam)
-  {
-    WriteParam(aMsg, aParam.mType);
-    WriteParam(aMsg, aParam.mControllerID);
-    WriteParam(aMsg, aParam.mControllerName);
-    WriteParam(aMsg, aParam.mMappingType);
-    WriteParam(aMsg, aParam.mNumButtons);
-    WriteParam(aMsg, aParam.mNumAxes);
-  }
-
-  static bool Read(const Message* aMsg, PickleIterator* aIter, paramType* aResult)
-  {
-    if (!ReadParam(aMsg, aIter, &(aResult->mType)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mControllerID)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mControllerName)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mMappingType)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mNumButtons)) ||
-        !ReadParam(aMsg, aIter, &(aResult->mNumAxes))) {
-      return false;
-    }
-
-    return true;
-  }
-};
-} // namespace IPC
-
-#endif // mozilla_gfx_vr_VRMessageUtils_h
diff --git a/gfx/vr/moz.build b/gfx/vr/moz.build
deleted file mode 100644
index 5ab724d4a6..0000000000
--- a/gfx/vr/moz.build
+++ /dev/null
@@ -1,71 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-EXPORTS += [
-    'gfxVR.h',
-    'ipc/VRLayerChild.h',
-    'ipc/VRManagerChild.h',
-    'ipc/VRManagerParent.h',
-    'ipc/VRMessageUtils.h',
-    'VRDisplayClient.h',
-    'VRDisplayPresentation.h',
-    'VRManager.h',
-]
-
-LOCAL_INCLUDES += [
-    '/dom/base',
-    '/gfx/layers/d3d11',
-    '/gfx/thebes',
-]
-
-UNIFIED_SOURCES += [
-    'gfxVR.cpp',
-    'gfxVROpenVR.cpp',
-    'gfxVROSVR.cpp',
-    'ipc/VRLayerChild.cpp',
-    'ipc/VRLayerParent.cpp',
-    'ipc/VRManagerChild.cpp',
-    'ipc/VRManagerParent.cpp',
-    'VRDisplayClient.cpp',
-    'VRDisplayHost.cpp',
-    'VRDisplayPresentation.cpp',
-    'VRManager.cpp',
-]
-
-if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'windows':
-    SOURCES += [
-        'gfxVROculus.cpp',
-    ]
-
-IPDL_SOURCES = [
-    'ipc/PVRLayer.ipdl',
-    'ipc/PVRManager.ipdl',
-]
-
-# For building with the real SDK instead of our local hack
-#SOURCES += [
-#    'OVR_CAPI_Util.cpp',
-#    'OVR_CAPIShim.c',
-#    'OVR_StereoProjection.cpp',
-#]
-#
-#CXXFLAGS += ["-Ic:/proj/ovr/OculusSDK-0.6.0-beta/LibOVR/Include"]
-#CFLAGS += ["-Ic:/proj/ovr/OculusSDK-0.6.0-beta/LibOVR/Include"]
-
-CXXFLAGS += CONFIG['MOZ_CAIRO_CFLAGS']
-CXXFLAGS += CONFIG['TK_CFLAGS']
-CFLAGS += CONFIG['MOZ_CAIRO_CFLAGS']
-CFLAGS += CONFIG['TK_CFLAGS']
-
-include('/ipc/chromium/chromium-config.mozbuild')
-
-FINAL_LIBRARY = 'xul'
-
-# This is intended as a temporary hack to enable VS2015 builds.
-if CONFIG['_MSC_VER']:
-    # ovr_capi_dynamic.h '<unnamed-tag>': Alignment specifier is less than
-    # actual alignment (8), and will be ignored
-    CXXFLAGS += ['-wd4359']
diff --git a/gfx/vr/openvr/LICENSE b/gfx/vr/openvr/LICENSE
deleted file mode 100644
index ee83337d7f..0000000000
--- a/gfx/vr/openvr/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-Copyright (c) 2015, Valve Corporation
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation and/or
-other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its contributors
-may be used to endorse or promote products derived from this software without
-specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/gfx/vr/openvr/README b/gfx/vr/openvr/README
deleted file mode 100644
index 5e67e5a3a9..0000000000
--- a/gfx/vr/openvr/README
+++ /dev/null
@@ -1,2 +0,0 @@
-See https://github.com/ValveSoftware/openvr/
-
diff --git a/gfx/vr/openvr/openvr.h b/gfx/vr/openvr/openvr.h
deleted file mode 100644
index deb3142fd4..0000000000
--- a/gfx/vr/openvr/openvr.h
+++ /dev/null
@@ -1,3352 +0,0 @@
-#pragma once
-
-// openvr.h
-//========= Copyright Valve Corporation ============//
-// Dynamically generated file. Do not modify this file directly.
-
-#ifndef _OPENVR_API
-#define _OPENVR_API
-
-#include <stdint.h>
-
-
-
-// vrtypes.h
-#ifndef _INCLUDE_VRTYPES_H
-#define _INCLUDE_VRTYPES_H 
-
-namespace vr
-{
-
-#if defined(__linux__) || defined(__APPLE__) 
-	// The 32-bit version of gcc has the alignment requirement for uint64 and double set to
-	// 4 meaning that even with #pragma pack(8) these types will only be four-byte aligned.
-	// The 64-bit version of gcc has the alignment requirement for these types set to
-	// 8 meaning that unless we use #pragma pack(4) our structures will get bigger.
-	// The 64-bit structure packing has to match the 32-bit structure packing for each platform.
-	#pragma pack( push, 4 )
-#else
-	#pragma pack( push, 8 )
-#endif
-
-typedef void* glSharedTextureHandle_t;
-typedef int32_t glInt_t;
-typedef uint32_t glUInt_t;
-
-// right-handed system
-// +y is up
-// +x is to the right
-// -z is going away from you
-// Distance unit is  meters
-struct HmdMatrix34_t
-{
-	float m[3][4];
-};
-
-struct HmdMatrix44_t
-{
-	float m[4][4];
-};
-
-struct HmdVector3_t
-{
-	float v[3];
-};
-
-struct HmdVector4_t
-{
-	float v[4];
-};
-
-struct HmdVector3d_t
-{
-	double v[3];
-};
-
-struct HmdVector2_t
-{
-	float v[2];
-};
-
-struct HmdQuaternion_t
-{
-	double w, x, y, z;
-};
-
-struct HmdColor_t
-{
-	float r, g, b, a;
-};
-
-struct HmdQuad_t
-{
-	HmdVector3_t vCorners[ 4 ];
-};
-
-struct HmdRect2_t
-{
-	HmdVector2_t vTopLeft;
-	HmdVector2_t vBottomRight;
-};
-
-/** Used to return the post-distortion UVs for each color channel. 
-* UVs range from 0 to 1 with 0,0 in the upper left corner of the 
-* source render target. The 0,0 to 1,1 range covers a single eye. */
-struct DistortionCoordinates_t
-{
-	float rfRed[2];
-	float rfGreen[2];
-	float rfBlue[2];
-};
-
-enum EVREye
-{
-	Eye_Left = 0,
-	Eye_Right = 1
-};
-
-enum EGraphicsAPIConvention
-{
-	API_DirectX = 0, // Normalized Z goes from 0 at the viewer to 1 at the far clip plane
-	API_OpenGL = 1,  // Normalized Z goes from 1 at the viewer to -1 at the far clip plane
-};
-
-enum EColorSpace
-{
-	ColorSpace_Auto = 0,	// Assumes 'gamma' for 8-bit per component formats, otherwise 'linear'.  This mirrors the DXGI formats which have _SRGB variants.
-	ColorSpace_Gamma = 1,	// Texture data can be displayed directly on the display without any conversion (a.k.a. display native format).
-	ColorSpace_Linear = 2,	// Same as gamma but has been converted to a linear representation using DXGI's sRGB conversion algorithm.
-};
-
-struct Texture_t
-{
-	void* handle; // Native d3d texture pointer or GL texture id.
-	EGraphicsAPIConvention eType;
-	EColorSpace eColorSpace;
-};
-
-enum ETrackingResult
-{
-	TrackingResult_Uninitialized			= 1,
-
-	TrackingResult_Calibrating_InProgress	= 100,
-	TrackingResult_Calibrating_OutOfRange	= 101,
-
-	TrackingResult_Running_OK				= 200,
-	TrackingResult_Running_OutOfRange		= 201,
-};
-
-static const uint32_t k_unTrackingStringSize = 32;
-static const uint32_t k_unMaxDriverDebugResponseSize = 32768;
-
-/** Used to pass device IDs to API calls */
-typedef uint32_t TrackedDeviceIndex_t;
-static const uint32_t k_unTrackedDeviceIndex_Hmd = 0;
-static const uint32_t k_unMaxTrackedDeviceCount = 16;
-static const uint32_t k_unTrackedDeviceIndexOther = 0xFFFFFFFE;
-static const uint32_t k_unTrackedDeviceIndexInvalid = 0xFFFFFFFF;
-
-/** Describes what kind of object is being tracked at a given ID */
-enum ETrackedDeviceClass
-{
-	TrackedDeviceClass_Invalid = 0,				// the ID was not valid.
-	TrackedDeviceClass_HMD = 1,					// Head-Mounted Displays
-	TrackedDeviceClass_Controller = 2,			// Tracked controllers
-	TrackedDeviceClass_TrackingReference = 4,	// Camera and base stations that serve as tracking reference points
-
-	TrackedDeviceClass_Other = 1000,
-};
-
-
-/** Describes what specific role associated with a tracked device */
-enum ETrackedControllerRole
-{
-	TrackedControllerRole_Invalid = 0,					// Invalid value for controller type
-	TrackedControllerRole_LeftHand = 1,					// Tracked device associated with the left hand
-	TrackedControllerRole_RightHand = 2,				// Tracked device associated with the right hand
-};
-
-
-/** describes a single pose for a tracked object */
-struct TrackedDevicePose_t
-{
-	HmdMatrix34_t mDeviceToAbsoluteTracking;
-	HmdVector3_t vVelocity;				// velocity in tracker space in m/s
-	HmdVector3_t vAngularVelocity;		// angular velocity in radians/s (?)
-	ETrackingResult eTrackingResult;
-	bool bPoseIsValid;
-
-	// This indicates that there is a device connected for this spot in the pose array.
-	// It could go from true to false if the user unplugs the device.
-	bool bDeviceIsConnected;
-};
-
-/** Identifies which style of tracking origin the application wants to use
-* for the poses it is requesting */
-enum ETrackingUniverseOrigin
-{
-	TrackingUniverseSeated = 0,		// Poses are provided relative to the seated zero pose
-	TrackingUniverseStanding = 1,	// Poses are provided relative to the safe bounds configured by the user
-	TrackingUniverseRawAndUncalibrated = 2,	// Poses are provided in the coordinate system defined by the driver. You probably don't want this one.
-};
-
-
-/** Each entry in this enum represents a property that can be retrieved about a
-* tracked device. Many fields are only valid for one ETrackedDeviceClass. */
-enum ETrackedDeviceProperty
-{
-	// general properties that apply to all device classes
-	Prop_TrackingSystemName_String				= 1000,
-	Prop_ModelNumber_String						= 1001,
-	Prop_SerialNumber_String					= 1002,
-	Prop_RenderModelName_String					= 1003,
-	Prop_WillDriftInYaw_Bool					= 1004,
-	Prop_ManufacturerName_String				= 1005,
-	Prop_TrackingFirmwareVersion_String			= 1006,
-	Prop_HardwareRevision_String				= 1007,
-	Prop_AllWirelessDongleDescriptions_String	= 1008,
-	Prop_ConnectedWirelessDongle_String			= 1009,
-	Prop_DeviceIsWireless_Bool					= 1010,
-	Prop_DeviceIsCharging_Bool					= 1011,
-	Prop_DeviceBatteryPercentage_Float			= 1012, // 0 is empty, 1 is full
-	Prop_StatusDisplayTransform_Matrix34		= 1013,
-	Prop_Firmware_UpdateAvailable_Bool			= 1014,
-	Prop_Firmware_ManualUpdate_Bool				= 1015,
-	Prop_Firmware_ManualUpdateURL_String		= 1016,
-	Prop_HardwareRevision_Uint64				= 1017,
-	Prop_FirmwareVersion_Uint64					= 1018,
-	Prop_FPGAVersion_Uint64						= 1019,
-	Prop_VRCVersion_Uint64						= 1020,
-	Prop_RadioVersion_Uint64					= 1021,
-	Prop_DongleVersion_Uint64					= 1022,
-	Prop_BlockServerShutdown_Bool				= 1023,
-	Prop_CanUnifyCoordinateSystemWithHmd_Bool	= 1024,
-	Prop_ContainsProximitySensor_Bool			= 1025,
-	Prop_DeviceProvidesBatteryStatus_Bool		= 1026,
-	Prop_DeviceCanPowerOff_Bool					= 1027,
-	Prop_Firmware_ProgrammingTarget_String		= 1028,
-	Prop_DeviceClass_Int32						= 1029,
-	Prop_HasCamera_Bool							= 1030,
-	Prop_DriverVersion_String                   = 1031,
-	Prop_Firmware_ForceUpdateRequired_Bool      = 1032,
-
-	// Properties that are unique to TrackedDeviceClass_HMD
-	Prop_ReportsTimeSinceVSync_Bool				= 2000,
-	Prop_SecondsFromVsyncToPhotons_Float		= 2001,
-	Prop_DisplayFrequency_Float					= 2002,
-	Prop_UserIpdMeters_Float					= 2003,
-	Prop_CurrentUniverseId_Uint64				= 2004, 
-	Prop_PreviousUniverseId_Uint64				= 2005, 
-	Prop_DisplayFirmwareVersion_Uint64			= 2006,
-	Prop_IsOnDesktop_Bool						= 2007,
-	Prop_DisplayMCType_Int32					= 2008,
-	Prop_DisplayMCOffset_Float					= 2009,
-	Prop_DisplayMCScale_Float					= 2010,
-	Prop_EdidVendorID_Int32						= 2011,
-	Prop_DisplayMCImageLeft_String              = 2012,
-	Prop_DisplayMCImageRight_String             = 2013,
-	Prop_DisplayGCBlackClamp_Float				= 2014,
-	Prop_EdidProductID_Int32					= 2015,
-	Prop_CameraToHeadTransform_Matrix34			= 2016,
-	Prop_DisplayGCType_Int32					= 2017,
-	Prop_DisplayGCOffset_Float					= 2018,
-	Prop_DisplayGCScale_Float					= 2019,
-	Prop_DisplayGCPrescale_Float				= 2020,
-	Prop_DisplayGCImage_String					= 2021,
-	Prop_LensCenterLeftU_Float					= 2022,
-	Prop_LensCenterLeftV_Float					= 2023,
-	Prop_LensCenterRightU_Float					= 2024,
-	Prop_LensCenterRightV_Float					= 2025,
-	Prop_UserHeadToEyeDepthMeters_Float			= 2026,
-	Prop_CameraFirmwareVersion_Uint64			= 2027,
-	Prop_CameraFirmwareDescription_String		= 2028,
-	Prop_DisplayFPGAVersion_Uint64				= 2029,
-	Prop_DisplayBootloaderVersion_Uint64		= 2030,
-	Prop_DisplayHardwareVersion_Uint64			= 2031,
-	Prop_AudioFirmwareVersion_Uint64			= 2032,
-	Prop_CameraCompatibilityMode_Int32			= 2033,
-	Prop_ScreenshotHorizontalFieldOfViewDegrees_Float = 2034,
-	Prop_ScreenshotVerticalFieldOfViewDegrees_Float = 2035,
-	Prop_DisplaySuppressed_Bool					= 2036,
-
-	// Properties that are unique to TrackedDeviceClass_Controller
-	Prop_AttachedDeviceId_String				= 3000,
-	Prop_SupportedButtons_Uint64				= 3001,
-	Prop_Axis0Type_Int32						= 3002, // Return value is of type EVRControllerAxisType
-	Prop_Axis1Type_Int32						= 3003, // Return value is of type EVRControllerAxisType
-	Prop_Axis2Type_Int32						= 3004, // Return value is of type EVRControllerAxisType
-	Prop_Axis3Type_Int32						= 3005, // Return value is of type EVRControllerAxisType
-	Prop_Axis4Type_Int32						= 3006, // Return value is of type EVRControllerAxisType
-	Prop_ControllerRoleHint_Int32				= 3007, // Return value is of type ETrackedControllerRole
-
-	// Properties that are unique to TrackedDeviceClass_TrackingReference
-	Prop_FieldOfViewLeftDegrees_Float			= 4000,
-	Prop_FieldOfViewRightDegrees_Float			= 4001,
-	Prop_FieldOfViewTopDegrees_Float			= 4002,
-	Prop_FieldOfViewBottomDegrees_Float			= 4003,
-	Prop_TrackingRangeMinimumMeters_Float		= 4004,
-	Prop_TrackingRangeMaximumMeters_Float		= 4005,
-	Prop_ModeLabel_String						= 4006,
-
-	// Vendors are free to expose private debug data in this reserved region
-	Prop_VendorSpecific_Reserved_Start			= 10000,
-	Prop_VendorSpecific_Reserved_End			= 10999,
-};
-
-/** No string property will ever be longer than this length */
-static const uint32_t k_unMaxPropertyStringSize = 32 * 1024;
-
-/** Used to return errors that occur when reading properties. */
-enum ETrackedPropertyError
-{
-	TrackedProp_Success						= 0,
-	TrackedProp_WrongDataType				= 1,
-	TrackedProp_WrongDeviceClass			= 2,
-	TrackedProp_BufferTooSmall				= 3,
-	TrackedProp_UnknownProperty				= 4,
-	TrackedProp_InvalidDevice				= 5,
-	TrackedProp_CouldNotContactServer		= 6,
-	TrackedProp_ValueNotProvidedByDevice	= 7,
-	TrackedProp_StringExceedsMaximumLength	= 8,
-	TrackedProp_NotYetAvailable				= 9, // The property value isn't known yet, but is expected soon. Call again later.
-};
-
-/** Allows the application to control what part of the provided texture will be used in the
-* frame buffer. */
-struct VRTextureBounds_t
-{
-	float uMin, vMin;
-	float uMax, vMax;
-};
-
-
-/** Allows the application to control how scene textures are used by the compositor when calling Submit. */
-enum EVRSubmitFlags
-{
-	// Simple render path. App submits rendered left and right eye images with no lens distortion correction applied.
-	Submit_Default = 0x00,
-
-	// App submits final left and right eye images with lens distortion already applied (lens distortion makes the images appear
-	// barrel distorted with chromatic aberration correction applied). The app would have used the data returned by
-	// vr::IVRSystem::ComputeDistortion() to apply the correct distortion to the rendered images before calling Submit().
-	Submit_LensDistortionAlreadyApplied = 0x01,
-
-	// If the texture pointer passed in is actually a renderbuffer (e.g. for MSAA in OpenGL) then set this flag.
-	Submit_GlRenderBuffer = 0x02,
-};
-
-
-/** Status of the overall system or tracked objects */
-enum EVRState
-{
-	VRState_Undefined = -1,
-	VRState_Off = 0,
-	VRState_Searching = 1,
-	VRState_Searching_Alert = 2,
-	VRState_Ready = 3,
-	VRState_Ready_Alert = 4,
-	VRState_NotReady = 5,
-	VRState_Standby = 6,
-	VRState_Ready_Alert_Low = 7,
-};
-
-/** The types of events that could be posted (and what the parameters mean for each event type) */
-enum EVREventType
-{
-	VREvent_None = 0,
-
-	VREvent_TrackedDeviceActivated		= 100,
-	VREvent_TrackedDeviceDeactivated	= 101,
-	VREvent_TrackedDeviceUpdated		= 102,
-	VREvent_TrackedDeviceUserInteractionStarted		= 103,
-	VREvent_TrackedDeviceUserInteractionEnded	= 104,
-	VREvent_IpdChanged					= 105,
-	VREvent_EnterStandbyMode			= 106,
-	VREvent_LeaveStandbyMode			= 107,
-	VREvent_TrackedDeviceRoleChanged	= 108,
-	VREvent_WatchdogWakeUpRequested		= 109,
-
-	VREvent_ButtonPress					= 200, // data is controller
-	VREvent_ButtonUnpress				= 201, // data is controller
-	VREvent_ButtonTouch					= 202, // data is controller
-	VREvent_ButtonUntouch				= 203, // data is controller
-
-	VREvent_MouseMove					= 300, // data is mouse
-	VREvent_MouseButtonDown				= 301, // data is mouse
-	VREvent_MouseButtonUp				= 302, // data is mouse
-	VREvent_FocusEnter					= 303, // data is overlay
-	VREvent_FocusLeave					= 304, // data is overlay
-	VREvent_Scroll						= 305, // data is mouse
-	VREvent_TouchPadMove				= 306, // data is mouse
-	VREvent_OverlayFocusChanged			= 307, // data is overlay, global event
-
-	VREvent_InputFocusCaptured			= 400, // data is process DEPRECATED
-	VREvent_InputFocusReleased			= 401, // data is process DEPRECATED
-	VREvent_SceneFocusLost				= 402, // data is process
-	VREvent_SceneFocusGained			= 403, // data is process
-	VREvent_SceneApplicationChanged		= 404, // data is process - The App actually drawing the scene changed (usually to or from the compositor)
-	VREvent_SceneFocusChanged			= 405, // data is process - New app got access to draw the scene
-	VREvent_InputFocusChanged			= 406, // data is process
-	VREvent_SceneApplicationSecondaryRenderingStarted = 407, // data is process
-
-	VREvent_HideRenderModels			= 410, // Sent to the scene application to request hiding render models temporarily
-	VREvent_ShowRenderModels			= 411, // Sent to the scene application to request restoring render model visibility
-
-	VREvent_OverlayShown				= 500,
-	VREvent_OverlayHidden				= 501,
-	VREvent_DashboardActivated		= 502,
-	VREvent_DashboardDeactivated	= 503,
-	VREvent_DashboardThumbSelected	= 504, // Sent to the overlay manager - data is overlay
-	VREvent_DashboardRequested		= 505, // Sent to the overlay manager - data is overlay
-	VREvent_ResetDashboard			= 506, // Send to the overlay manager
-	VREvent_RenderToast				= 507, // Send to the dashboard to render a toast - data is the notification ID
-	VREvent_ImageLoaded				= 508, // Sent to overlays when a SetOverlayRaw or SetOverlayFromFile call finishes loading
-	VREvent_ShowKeyboard = 509, // Sent to keyboard renderer in the dashboard to invoke it
-	VREvent_HideKeyboard = 510, // Sent to keyboard renderer in the dashboard to hide it
-	VREvent_OverlayGamepadFocusGained		= 511, // Sent to an overlay when IVROverlay::SetFocusOverlay is called on it
-	VREvent_OverlayGamepadFocusLost = 512, // Send to an overlay when it previously had focus and IVROverlay::SetFocusOverlay is called on something else
-	VREvent_OverlaySharedTextureChanged = 513,
-	VREvent_DashboardGuideButtonDown = 514,
-	VREvent_DashboardGuideButtonUp = 515,
-	VREvent_ScreenshotTriggered	= 516, // Screenshot button combo was pressed, Dashboard should request a screenshot
-	VREvent_ImageFailed				= 517, // Sent to overlays when a SetOverlayRaw or SetOverlayfromFail fails to load
-
-	// Screenshot API
-	VREvent_RequestScreenshot = 520, // Sent by vrclient application to compositor to take a screenshot
-	VREvent_ScreenshotTaken = 521, // Sent by compositor to the application that the screenshot has been taken
-	VREvent_ScreenshotFailed = 522, // Sent by compositor to the application that the screenshot failed to be taken
-	VREvent_SubmitScreenshotToDashboard = 523, // Sent by compositor to the dashboard that a completed screenshot was submitted
-	VREvent_ScreenshotProgressToDashboard = 524, // Sent by compositor to the dashboard that a completed screenshot was submitted
-
-	VREvent_Notification_Shown				= 600,
-	VREvent_Notification_Hidden				= 601,
-	VREvent_Notification_BeginInteraction	= 602,
-	VREvent_Notification_Destroyed			= 603,
-
-	VREvent_Quit						= 700, // data is process
-	VREvent_ProcessQuit					= 701, // data is process
-	VREvent_QuitAborted_UserPrompt		= 702, // data is process
-	VREvent_QuitAcknowledged			= 703, // data is process
-	VREvent_DriverRequestedQuit			= 704, // The driver has requested that SteamVR shut down
-
-	VREvent_ChaperoneDataHasChanged		= 800,
-	VREvent_ChaperoneUniverseHasChanged	= 801,
-	VREvent_ChaperoneTempDataHasChanged = 802,
-	VREvent_ChaperoneSettingsHaveChanged = 803,
-	VREvent_SeatedZeroPoseReset			= 804,
-
-	VREvent_AudioSettingsHaveChanged	= 820,
-
-	VREvent_BackgroundSettingHasChanged	= 850,
-	VREvent_CameraSettingsHaveChanged	= 851,
-	VREvent_ReprojectionSettingHasChanged = 852,
-	VREvent_ModelSkinSettingsHaveChanged = 853,
-	VREvent_EnvironmentSettingsHaveChanged = 854,
-
-	VREvent_StatusUpdate				= 900,
-
-	VREvent_MCImageUpdated				= 1000,
-
-	VREvent_FirmwareUpdateStarted	= 1100,
-	VREvent_FirmwareUpdateFinished	= 1101,
-
-	VREvent_KeyboardClosed				= 1200,
-	VREvent_KeyboardCharInput			= 1201,
-	VREvent_KeyboardDone				= 1202, // Sent when DONE button clicked on keyboard
-
-	VREvent_ApplicationTransitionStarted	= 1300,
-	VREvent_ApplicationTransitionAborted	= 1301,
-	VREvent_ApplicationTransitionNewAppStarted = 1302,
-	VREvent_ApplicationListUpdated			= 1303,
-	VREvent_ApplicationMimeTypeLoad			= 1304,
-
-	VREvent_Compositor_MirrorWindowShown	= 1400,
-	VREvent_Compositor_MirrorWindowHidden	= 1401,
-	VREvent_Compositor_ChaperoneBoundsShown = 1410,
-	VREvent_Compositor_ChaperoneBoundsHidden = 1411,
-
-	VREvent_TrackedCamera_StartVideoStream  = 1500,
-	VREvent_TrackedCamera_StopVideoStream   = 1501,
-	VREvent_TrackedCamera_PauseVideoStream  = 1502,
-	VREvent_TrackedCamera_ResumeVideoStream = 1503,
-
-	VREvent_PerformanceTest_EnableCapture = 1600,
-	VREvent_PerformanceTest_DisableCapture = 1601,
-	VREvent_PerformanceTest_FidelityLevel = 1602,
-	
-	// Vendors are free to expose private events in this reserved region
-	VREvent_VendorSpecific_Reserved_Start = 10000,
-	VREvent_VendorSpecific_Reserved_End = 19999,
-};
-
-
-/** Level of Hmd activity */
-enum EDeviceActivityLevel
-{
-	k_EDeviceActivityLevel_Unknown = -1,
-	k_EDeviceActivityLevel_Idle = 0,
-	k_EDeviceActivityLevel_UserInteraction = 1,
-	k_EDeviceActivityLevel_UserInteraction_Timeout = 2,
-	k_EDeviceActivityLevel_Standby = 3,
-};
-
-
-/** VR controller button and axis IDs */
-enum EVRButtonId
-{
-	k_EButton_System			= 0,
-	k_EButton_ApplicationMenu	= 1,
-	k_EButton_Grip				= 2,
-	k_EButton_DPad_Left			= 3,
-	k_EButton_DPad_Up			= 4,
-	k_EButton_DPad_Right		= 5,
-	k_EButton_DPad_Down			= 6,
-	k_EButton_A					= 7,
-
-	k_EButton_Axis0				= 32,
-	k_EButton_Axis1				= 33,
-	k_EButton_Axis2				= 34,
-	k_EButton_Axis3				= 35,
-	k_EButton_Axis4				= 36,
-
-	// aliases for well known controllers
-	k_EButton_SteamVR_Touchpad	= k_EButton_Axis0,
-	k_EButton_SteamVR_Trigger	= k_EButton_Axis1,
-
-	k_EButton_Dashboard_Back	= k_EButton_Grip,
-
-	k_EButton_Max				= 64
-};
-
-inline uint64_t ButtonMaskFromId( EVRButtonId id ) { return 1ull << id; }
-
-/** used for controller button events */
-struct VREvent_Controller_t
-{
-	uint32_t button; // EVRButtonId enum
-};
-
-
-/** used for simulated mouse events in overlay space */
-enum EVRMouseButton
-{
-	VRMouseButton_Left					= 0x0001,
-	VRMouseButton_Right					= 0x0002,
-	VRMouseButton_Middle				= 0x0004,
-};
-
-
-/** used for simulated mouse events in overlay space */
-struct VREvent_Mouse_t
-{
-	float x, y; // co-ords are in GL space, bottom left of the texture is 0,0
-	uint32_t button; // EVRMouseButton enum
-};
-
-/** used for simulated mouse wheel scroll in overlay space */
-struct VREvent_Scroll_t
-{
-	float xdelta, ydelta; // movement in fraction of the pad traversed since last delta, 1.0 for a full swipe
-	uint32_t repeatCount;
-};
-
-/** when in mouse input mode you can receive data from the touchpad, these events are only sent if the users finger
-   is on the touchpad (or just released from it) 
-**/
-struct VREvent_TouchPadMove_t
-{
-	// true if the users finger is detected on the touch pad
-	bool bFingerDown;
-
-	// How long the finger has been down in seconds
-	float flSecondsFingerDown;
-
-	// These values indicate the starting finger position (so you can do some basic swipe stuff)
-	float fValueXFirst;
-	float fValueYFirst;
-
-	// This is the raw sampled coordinate without deadzoning
-	float fValueXRaw;
-	float fValueYRaw;
-};
-
-/** notification related events. Details will still change at this point */
-struct VREvent_Notification_t
-{
-	uint64_t ulUserValue;
-	uint32_t notificationId;
-};
-
-/** Used for events about processes */
-struct VREvent_Process_t
-{
-	uint32_t pid;
-	uint32_t oldPid;
-	bool bForced;
-};
-
-
-/** Used for a few events about overlays */
-struct VREvent_Overlay_t
-{
-	uint64_t overlayHandle;
-};
-
-
-/** Used for a few events about overlays */
-struct VREvent_Status_t
-{
-	uint32_t statusState; // EVRState enum
-};
-
-/** Used for keyboard events **/
-struct VREvent_Keyboard_t
-{
-	char cNewInput[8];	// Up to 11 bytes of new input
-	uint64_t uUserValue;	// Possible flags about the new input
-};
-
-struct VREvent_Ipd_t
-{
-	float ipdMeters;
-};
-
-struct VREvent_Chaperone_t
-{
-	uint64_t m_nPreviousUniverse;
-	uint64_t m_nCurrentUniverse;
-};
-
-/** Not actually used for any events */
-struct VREvent_Reserved_t
-{
-	uint64_t reserved0;
-	uint64_t reserved1;
-};
-
-struct VREvent_PerformanceTest_t
-{
-	uint32_t m_nFidelityLevel;
-};
-
-struct VREvent_SeatedZeroPoseReset_t
-{
-	bool bResetBySystemMenu;
-};
-
-struct VREvent_Screenshot_t
-{
-	uint32_t handle;
-	uint32_t type;
-};
-
-struct VREvent_ScreenshotProgress_t
-{
-	float progress;
-};
-
-struct VREvent_ApplicationLaunch_t
-{
-	uint32_t pid;
-	uint32_t unArgsHandle;
-};
-
-/** If you change this you must manually update openvr_interop.cs.py */
-typedef union
-{
-	VREvent_Reserved_t reserved;
-	VREvent_Controller_t controller;
-	VREvent_Mouse_t mouse;
-	VREvent_Scroll_t scroll;
-	VREvent_Process_t process;
-	VREvent_Notification_t notification;
-	VREvent_Overlay_t overlay;
-	VREvent_Status_t status;
-	VREvent_Keyboard_t keyboard;
-	VREvent_Ipd_t ipd;
-	VREvent_Chaperone_t chaperone;
-	VREvent_PerformanceTest_t performanceTest;
-	VREvent_TouchPadMove_t touchPadMove;
-	VREvent_SeatedZeroPoseReset_t seatedZeroPoseReset;
-	VREvent_Screenshot_t screenshot;
-	VREvent_ScreenshotProgress_t screenshotProgress;
-	VREvent_ApplicationLaunch_t applicationLaunch;
-} VREvent_Data_t;
-
-/** An event posted by the server to all running applications */
-struct VREvent_t
-{
-	uint32_t eventType; // EVREventType enum
-	TrackedDeviceIndex_t trackedDeviceIndex;
-	float eventAgeSeconds;
-	// event data must be the end of the struct as its size is variable
-	VREvent_Data_t data;
-};
-
-
-/** The mesh to draw into the stencil (or depth) buffer to perform 
-* early stencil (or depth) kills of pixels that will never appear on the HMD.
-* This mesh draws on all the pixels that will be hidden after distortion. 
-*
-* If the HMD does not provide a visible area mesh pVertexData will be
-* NULL and unTriangleCount will be 0. */
-struct HiddenAreaMesh_t
-{
-	const HmdVector2_t *pVertexData;
-	uint32_t unTriangleCount;
-};
-
-
-/** Identifies what kind of axis is on the controller at index n. Read this type 
-* with pVRSystem->Get( nControllerDeviceIndex, Prop_Axis0Type_Int32 + n );
-*/
-enum EVRControllerAxisType
-{
-	k_eControllerAxis_None = 0,
-	k_eControllerAxis_TrackPad = 1,
-	k_eControllerAxis_Joystick = 2,
-	k_eControllerAxis_Trigger = 3, // Analog trigger data is in the X axis
-};
-
-
-/** contains information about one axis on the controller */
-struct VRControllerAxis_t
-{
-	float x; // Ranges from -1.0 to 1.0 for joysticks and track pads. Ranges from 0.0 to 1.0 for triggers were 0 is fully released.
-	float y; // Ranges from -1.0 to 1.0 for joysticks and track pads. Is always 0.0 for triggers.
-};
-
-
-/** the number of axes in the controller state */
-static const uint32_t k_unControllerStateAxisCount = 5;
-
-
-/** Holds all the state of a controller at one moment in time. */
-struct VRControllerState001_t
-{
-	// If packet num matches that on your prior call, then the controller state hasn't been changed since 
-	// your last call and there is no need to process it
-	uint32_t unPacketNum;
-
-	// bit flags for each of the buttons. Use ButtonMaskFromId to turn an ID into a mask
-	uint64_t ulButtonPressed;
-	uint64_t ulButtonTouched;
-
-	// Axis data for the controller's analog inputs
-	VRControllerAxis_t rAxis[ k_unControllerStateAxisCount ];
-};
-
-
-typedef VRControllerState001_t VRControllerState_t;
-
-
-/** determines how to provide output to the application of various event processing functions. */
-enum EVRControllerEventOutputType
-{
-	ControllerEventOutput_OSEvents = 0,
-	ControllerEventOutput_VREvents = 1,
-};
-
-
-
-/** Collision Bounds Style */
-enum ECollisionBoundsStyle
-{
-	COLLISION_BOUNDS_STYLE_BEGINNER = 0,
-	COLLISION_BOUNDS_STYLE_INTERMEDIATE,
-	COLLISION_BOUNDS_STYLE_SQUARES,
-	COLLISION_BOUNDS_STYLE_ADVANCED,
-	COLLISION_BOUNDS_STYLE_NONE,
-
-	COLLISION_BOUNDS_STYLE_COUNT
-};
-
-/** Allows the application to customize how the overlay appears in the compositor */
-struct Compositor_OverlaySettings
-{
-	uint32_t size; // sizeof(Compositor_OverlaySettings)
-	bool curved, antialias;
-	float scale, distance, alpha;
-	float uOffset, vOffset, uScale, vScale;
-	float gridDivs, gridWidth, gridScale;
-	HmdMatrix44_t transform;
-};
-
-/** used to refer to a single VR overlay */
-typedef uint64_t VROverlayHandle_t;
-
-static const VROverlayHandle_t k_ulOverlayHandleInvalid = 0;
-
-/** Errors that can occur around VR overlays */
-enum EVROverlayError
-{
-	VROverlayError_None					= 0,
-
-	VROverlayError_UnknownOverlay		= 10,
-	VROverlayError_InvalidHandle		= 11,
-	VROverlayError_PermissionDenied		= 12,
-	VROverlayError_OverlayLimitExceeded = 13, // No more overlays could be created because the maximum number already exist
-	VROverlayError_WrongVisibilityType	= 14,
-	VROverlayError_KeyTooLong			= 15,
-	VROverlayError_NameTooLong			= 16,
-	VROverlayError_KeyInUse				= 17,
-	VROverlayError_WrongTransformType	= 18,
-	VROverlayError_InvalidTrackedDevice = 19,
-	VROverlayError_InvalidParameter		= 20,
-	VROverlayError_ThumbnailCantBeDestroyed = 21,
-	VROverlayError_ArrayTooSmall		= 22,
-	VROverlayError_RequestFailed		= 23,
-	VROverlayError_InvalidTexture		= 24,
-	VROverlayError_UnableToLoadFile		= 25,
-	VROVerlayError_KeyboardAlreadyInUse = 26,
-	VROverlayError_NoNeighbor			= 27,
-};
-
-/** enum values to pass in to VR_Init to identify whether the application will 
-* draw a 3D scene. */
-enum EVRApplicationType
-{
-	VRApplication_Other = 0,		// Some other kind of application that isn't covered by the other entries 
-	VRApplication_Scene	= 1,		// Application will submit 3D frames 
-	VRApplication_Overlay = 2,		// Application only interacts with overlays
-	VRApplication_Background = 3,	// Application should not start SteamVR if it's not already running, and should not
-									// keep it running if everything else quits.
-	VRApplication_Utility = 4,		// Init should not try to load any drivers. The application needs access to utility
-									// interfaces (like IVRSettings and IVRApplications) but not hardware.
-	VRApplication_VRMonitor = 5,	// Reserved for vrmonitor
-	VRApplication_SteamWatchdog = 6,// Reserved for Steam
-
-	VRApplication_Max
-};
-
-
-/** error codes for firmware */
-enum EVRFirmwareError
-{
-	VRFirmwareError_None = 0,
-	VRFirmwareError_Success = 1,
-	VRFirmwareError_Fail = 2,
-};
-
-
-/** error codes for notifications */
-enum EVRNotificationError
-{
-	VRNotificationError_OK = 0,
-	VRNotificationError_InvalidNotificationId = 100,
-	VRNotificationError_NotificationQueueFull = 101,
-	VRNotificationError_InvalidOverlayHandle = 102,
-	VRNotificationError_SystemWithUserValueAlreadyExists = 103,
-};
-
-
-/** error codes returned by Vr_Init */
-
-// Please add adequate error description to https://developer.valvesoftware.com/w/index.php?title=Category:SteamVRHelp
-enum EVRInitError
-{
-	VRInitError_None	= 0,
-	VRInitError_Unknown = 1,
-
-	VRInitError_Init_InstallationNotFound		= 100,
-	VRInitError_Init_InstallationCorrupt		= 101,
-	VRInitError_Init_VRClientDLLNotFound		= 102,
-	VRInitError_Init_FileNotFound				= 103,
-	VRInitError_Init_FactoryNotFound			= 104,
-	VRInitError_Init_InterfaceNotFound			= 105,
-	VRInitError_Init_InvalidInterface			= 106,
-	VRInitError_Init_UserConfigDirectoryInvalid = 107,
-	VRInitError_Init_HmdNotFound				= 108,
-	VRInitError_Init_NotInitialized				= 109,
-	VRInitError_Init_PathRegistryNotFound		= 110,
-	VRInitError_Init_NoConfigPath				= 111,
-	VRInitError_Init_NoLogPath					= 112,
-	VRInitError_Init_PathRegistryNotWritable	= 113,
-	VRInitError_Init_AppInfoInitFailed			= 114,
-	VRInitError_Init_Retry						= 115, // Used internally to cause retries to vrserver
-	VRInitError_Init_InitCanceledByUser			= 116, // The calling application should silently exit. The user canceled app startup
-	VRInitError_Init_AnotherAppLaunching		= 117, 
-	VRInitError_Init_SettingsInitFailed			= 118, 
-	VRInitError_Init_ShuttingDown				= 119,
-	VRInitError_Init_TooManyObjects				= 120,
-	VRInitError_Init_NoServerForBackgroundApp	= 121,
-	VRInitError_Init_NotSupportedWithCompositor	= 122,
-	VRInitError_Init_NotAvailableToUtilityApps	= 123,
-	VRInitError_Init_Internal				 	= 124,
-	VRInitError_Init_HmdDriverIdIsNone		 	= 125,
-	VRInitError_Init_HmdNotFoundPresenceFailed 	= 126,
-	VRInitError_Init_VRMonitorNotFound			= 127,
-	VRInitError_Init_VRMonitorStartupFailed		= 128,
-	VRInitError_Init_LowPowerWatchdogNotSupported = 129, 
-	VRInitError_Init_InvalidApplicationType		= 130,
-	VRInitError_Init_NotAvailableToWatchdogApps = 131,
-	VRInitError_Init_WatchdogDisabledInSettings = 132,
-
-	VRInitError_Driver_Failed				= 200,
-	VRInitError_Driver_Unknown				= 201,
-	VRInitError_Driver_HmdUnknown			= 202,
-	VRInitError_Driver_NotLoaded			= 203,
-	VRInitError_Driver_RuntimeOutOfDate		= 204,
-	VRInitError_Driver_HmdInUse				= 205,
-	VRInitError_Driver_NotCalibrated		= 206,
-	VRInitError_Driver_CalibrationInvalid	= 207,
-	VRInitError_Driver_HmdDisplayNotFound	= 208,
-	VRInitError_Driver_TrackedDeviceInterfaceUnknown = 209,
-	// VRInitError_Driver_HmdDisplayNotFoundAfterFix	 = 210, // not needed: here for historic reasons
-	VRInitError_Driver_HmdDriverIdOutOfBounds = 211,
-	VRInitError_Driver_HmdDisplayMirrored  = 212,
-
-	VRInitError_IPC_ServerInitFailed		= 300,
-	VRInitError_IPC_ConnectFailed			= 301,
-	VRInitError_IPC_SharedStateInitFailed	= 302,
-	VRInitError_IPC_CompositorInitFailed	= 303,
-	VRInitError_IPC_MutexInitFailed			= 304,
-	VRInitError_IPC_Failed					= 305,
-	VRInitError_IPC_CompositorConnectFailed	= 306,
-	VRInitError_IPC_CompositorInvalidConnectResponse = 307,
-	VRInitError_IPC_ConnectFailedAfterMultipleAttempts = 308,
-
-	VRInitError_Compositor_Failed					= 400,
-	VRInitError_Compositor_D3D11HardwareRequired	= 401,
-	VRInitError_Compositor_FirmwareRequiresUpdate	= 402,
-	VRInitError_Compositor_OverlayInitFailed		= 403,
-	VRInitError_Compositor_ScreenshotsInitFailed	= 404,
-
-	VRInitError_VendorSpecific_UnableToConnectToOculusRuntime = 1000,
-
-	VRInitError_VendorSpecific_HmdFound_CantOpenDevice 				= 1101,
-	VRInitError_VendorSpecific_HmdFound_UnableToRequestConfigStart	= 1102,
-	VRInitError_VendorSpecific_HmdFound_NoStoredConfig 				= 1103,
-	VRInitError_VendorSpecific_HmdFound_ConfigTooBig 				= 1104,
-	VRInitError_VendorSpecific_HmdFound_ConfigTooSmall 				= 1105,
-	VRInitError_VendorSpecific_HmdFound_UnableToInitZLib 			= 1106,
-	VRInitError_VendorSpecific_HmdFound_CantReadFirmwareVersion 	= 1107,
-	VRInitError_VendorSpecific_HmdFound_UnableToSendUserDataStart	= 1108,
-	VRInitError_VendorSpecific_HmdFound_UnableToGetUserDataStart	= 1109,
-	VRInitError_VendorSpecific_HmdFound_UnableToGetUserDataNext		= 1110,
-	VRInitError_VendorSpecific_HmdFound_UserDataAddressRange		= 1111,
-	VRInitError_VendorSpecific_HmdFound_UserDataError				= 1112,
-	VRInitError_VendorSpecific_HmdFound_ConfigFailedSanityCheck		= 1113,
-
-	VRInitError_Steam_SteamInstallationNotFound = 2000,
-};
-
-enum EVRScreenshotType
-{
-	VRScreenshotType_None = 0,
-	VRScreenshotType_Mono = 1, // left eye only
-	VRScreenshotType_Stereo = 2,
-	VRScreenshotType_Cubemap = 3,
-	VRScreenshotType_MonoPanorama = 4,
-	VRScreenshotType_StereoPanorama = 5
-};
-
-enum EVRScreenshotPropertyFilenames
-{
-	VRScreenshotPropertyFilenames_Preview = 0,
-	VRScreenshotPropertyFilenames_VR = 1,
-};
-
-enum EVRTrackedCameraError
-{
-	VRTrackedCameraError_None                       = 0,
-	VRTrackedCameraError_OperationFailed            = 100,
-	VRTrackedCameraError_InvalidHandle              = 101,	
-	VRTrackedCameraError_InvalidFrameHeaderVersion  = 102,
-	VRTrackedCameraError_OutOfHandles               = 103,
-	VRTrackedCameraError_IPCFailure                 = 104,
-	VRTrackedCameraError_NotSupportedForThisDevice  = 105,
-	VRTrackedCameraError_SharedMemoryFailure        = 106,
-	VRTrackedCameraError_FrameBufferingFailure      = 107,
-	VRTrackedCameraError_StreamSetupFailure         = 108,
-	VRTrackedCameraError_InvalidGLTextureId         = 109,
-	VRTrackedCameraError_InvalidSharedTextureHandle = 110,
-	VRTrackedCameraError_FailedToGetGLTextureId     = 111,
-	VRTrackedCameraError_SharedTextureFailure       = 112,
-	VRTrackedCameraError_NoFrameAvailable           = 113,
-	VRTrackedCameraError_InvalidArgument            = 114,
-	VRTrackedCameraError_InvalidFrameBufferSize     = 115,
-};
-
-enum EVRTrackedCameraFrameType
-{
-	VRTrackedCameraFrameType_Distorted = 0,			// This is the camera video frame size in pixels, still distorted.
-	VRTrackedCameraFrameType_Undistorted,			// In pixels, an undistorted inscribed rectangle region without invalid regions. This size is subject to changes shortly.
-	VRTrackedCameraFrameType_MaximumUndistorted,	// In pixels, maximum undistorted with invalid regions. Non zero alpha component identifies valid regions.
-	MAX_CAMERA_FRAME_TYPES
-};
-
-typedef uint64_t TrackedCameraHandle_t;
-#define INVALID_TRACKED_CAMERA_HANDLE	((vr::TrackedCameraHandle_t)0)
-
-struct CameraVideoStreamFrameHeader_t
-{
-	EVRTrackedCameraFrameType eFrameType;
-
-	uint32_t nWidth;
-	uint32_t nHeight;
-	uint32_t nBytesPerPixel;
-
-	uint32_t nFrameSequence;
-
-	TrackedDevicePose_t standingTrackedDevicePose;
-};
-
-// Screenshot types
-typedef uint32_t ScreenshotHandle_t;
-
-static const uint32_t k_unScreenshotHandleInvalid = 0;
-
-#pragma pack( pop )
-
-// figure out how to import from the VR API dll
-#if defined(_WIN32)
-
-#ifdef VR_API_EXPORT
-#define VR_INTERFACE extern "C" __declspec( dllexport )
-#else
-#define VR_INTERFACE extern "C" __declspec( dllimport )
-#endif
-
-#elif defined(__GNUC__) || defined(COMPILER_GCC) || defined(__APPLE__)
-
-#ifdef VR_API_EXPORT
-#define VR_INTERFACE extern "C" __attribute__((visibility("default")))
-#else
-#define VR_INTERFACE extern "C" 
-#endif
-
-#else
-#error "Unsupported Platform."
-#endif
-
-
-#if defined( _WIN32 )
-#define VR_CALLTYPE __cdecl
-#else
-#define VR_CALLTYPE 
-#endif
-
-} // namespace vr
-
-#endif // _INCLUDE_VRTYPES_H
-
-
-// vrannotation.h
-#ifdef API_GEN
-# define VR_CLANG_ATTR(ATTR) __attribute__((annotate( ATTR )))
-#else
-# define VR_CLANG_ATTR(ATTR)
-#endif
-
-#define VR_METHOD_DESC(DESC) VR_CLANG_ATTR( "desc:" #DESC ";" )
-#define VR_IGNOREATTR() VR_CLANG_ATTR( "ignore" )
-#define VR_OUT_STRUCT() VR_CLANG_ATTR( "out_struct: ;" )
-#define VR_OUT_STRING() VR_CLANG_ATTR( "out_string: ;" )
-#define VR_OUT_ARRAY_CALL(COUNTER,FUNCTION,PARAMS) VR_CLANG_ATTR( "out_array_call:" #COUNTER "," #FUNCTION "," #PARAMS ";" )
-#define VR_OUT_ARRAY_COUNT(COUNTER) VR_CLANG_ATTR( "out_array_count:" #COUNTER ";" )
-#define VR_ARRAY_COUNT(COUNTER) VR_CLANG_ATTR( "array_count:" #COUNTER ";" )
-#define VR_ARRAY_COUNT_D(COUNTER, DESC) VR_CLANG_ATTR( "array_count:" #COUNTER ";desc:" #DESC )
-#define VR_BUFFER_COUNT(COUNTER) VR_CLANG_ATTR( "buffer_count:" #COUNTER ";" )
-#define VR_OUT_BUFFER_COUNT(COUNTER) VR_CLANG_ATTR( "out_buffer_count:" #COUNTER ";" )
-#define VR_OUT_STRING_COUNT(COUNTER) VR_CLANG_ATTR( "out_string_count:" #COUNTER ";" )
-
-// ivrsystem.h
-namespace vr
-{
-
-class IVRSystem
-{
-public:
-
-
-	// ------------------------------------
-	// Display Methods
-	// ------------------------------------
-
-	/** Suggested size for the intermediate render target that the distortion pulls from. */
-	virtual void GetRecommendedRenderTargetSize( uint32_t *pnWidth, uint32_t *pnHeight ) = 0;
-
-	/** The projection matrix for the specified eye */
-	virtual HmdMatrix44_t GetProjectionMatrix( EVREye eEye, float fNearZ, float fFarZ, EGraphicsAPIConvention eProjType ) = 0;
-
-	/** The components necessary to build your own projection matrix in case your
-	* application is doing something fancy like infinite Z */
-	virtual void GetProjectionRaw( EVREye eEye, float *pfLeft, float *pfRight, float *pfTop, float *pfBottom ) = 0;
-
-	/** Returns the result of the distortion function for the specified eye and input UVs. UVs go from 0,0 in 
-	* the upper left of that eye's viewport and 1,1 in the lower right of that eye's viewport. */
-	virtual DistortionCoordinates_t ComputeDistortion( EVREye eEye, float fU, float fV ) = 0;
-
-	/** Returns the transform from eye space to the head space. Eye space is the per-eye flavor of head
-	* space that provides stereo disparity. Instead of Model * View * Projection the sequence is Model * View * Eye^-1 * Projection. 
-	* Normally View and Eye^-1 will be multiplied together and treated as View in your application. 
-	*/
-	virtual HmdMatrix34_t GetEyeToHeadTransform( EVREye eEye ) = 0;
-
-	/** Returns the number of elapsed seconds since the last recorded vsync event. This 
-	*	will come from a vsync timer event in the timer if possible or from the application-reported
-	*   time if that is not available. If no vsync times are available the function will 
-	*   return zero for vsync time and frame counter and return false from the method. */
-	virtual bool GetTimeSinceLastVsync( float *pfSecondsSinceLastVsync, uint64_t *pulFrameCounter ) = 0;
-
-	/** [D3D9 Only]
-	* Returns the adapter index that the user should pass into CreateDevice to set up D3D9 in such
-	* a way that it can go full screen exclusive on the HMD. Returns -1 if there was an error.
-	*/
-	virtual int32_t GetD3D9AdapterIndex() = 0;
-
-	/** [D3D10/11 Only]
-	* Returns the adapter index and output index that the user should pass into EnumAdapters and EnumOutputs 
-	* to create the device and swap chain in DX10 and DX11. If an error occurs both indices will be set to -1.
-	*/
-	virtual void GetDXGIOutputInfo( int32_t *pnAdapterIndex ) = 0;
-
-	// ------------------------------------
-	// Display Mode methods
-	// ------------------------------------
-
-	/** Use to determine if the headset display is part of the desktop (i.e. extended) or hidden (i.e. direct mode). */
-	virtual bool IsDisplayOnDesktop() = 0;
-
-	/** Set the display visibility (true = extended, false = direct mode).  Return value of true indicates that the change was successful. */
-	virtual bool SetDisplayVisibility( bool bIsVisibleOnDesktop ) = 0;
-
-	// ------------------------------------
-	// Tracking Methods
-	// ------------------------------------
-
-	/** The pose that the tracker thinks that the HMD will be in at the specified number of seconds into the 
-	* future. Pass 0 to get the state at the instant the method is called. Most of the time the application should
-	* calculate the time until the photons will be emitted from the display and pass that time into the method.
-	*
-	* This is roughly analogous to the inverse of the view matrix in most applications, though 
-	* many games will need to do some additional rotation or translation on top of the rotation
-	* and translation provided by the head pose.
-	*
-	* For devices where bPoseIsValid is true the application can use the pose to position the device
-	* in question. The provided array can be any size up to k_unMaxTrackedDeviceCount. 
-	*
-	* Seated experiences should call this method with TrackingUniverseSeated and receive poses relative
-	* to the seated zero pose. Standing experiences should call this method with TrackingUniverseStanding 
-	* and receive poses relative to the Chaperone Play Area. TrackingUniverseRawAndUncalibrated should 
-	* probably not be used unless the application is the Chaperone calibration tool itself, but will provide
-	* poses relative to the hardware-specific coordinate system in the driver.
-	*/
-	virtual void GetDeviceToAbsoluteTrackingPose( ETrackingUniverseOrigin eOrigin, float fPredictedSecondsToPhotonsFromNow, VR_ARRAY_COUNT(unTrackedDevicePoseArrayCount) TrackedDevicePose_t *pTrackedDevicePoseArray, uint32_t unTrackedDevicePoseArrayCount ) = 0;
-
-	/** Sets the zero pose for the seated tracker coordinate system to the current position and yaw of the HMD. After 
-	* ResetSeatedZeroPose all GetDeviceToAbsoluteTrackingPose calls that pass TrackingUniverseSeated as the origin 
-	* will be relative to this new zero pose. The new zero coordinate system will not change the fact that the Y axis 
-	* is up in the real world, so the next pose returned from GetDeviceToAbsoluteTrackingPose after a call to 
-	* ResetSeatedZeroPose may not be exactly an identity matrix.
-	*
-	* NOTE: This function overrides the user's previously saved seated zero pose and should only be called as the result of a user action. 
-	* Users are also able to set their seated zero pose via the OpenVR Dashboard.
-	**/
-	virtual void ResetSeatedZeroPose() = 0;
-
-	/** Returns the transform from the seated zero pose to the standing absolute tracking system. This allows 
-	* applications to represent the seated origin to used or transform object positions from one coordinate
-	* system to the other. 
-	*
-	* The seated origin may or may not be inside the Play Area or Collision Bounds returned by IVRChaperone. Its position 
-	* depends on what the user has set from the Dashboard settings and previous calls to ResetSeatedZeroPose. */
-	virtual HmdMatrix34_t GetSeatedZeroPoseToStandingAbsoluteTrackingPose() = 0;
-
-	/** Returns the transform from the tracking origin to the standing absolute tracking system. This allows
-	* applications to convert from raw tracking space to the calibrated standing coordinate system. */
-	virtual HmdMatrix34_t GetRawZeroPoseToStandingAbsoluteTrackingPose() = 0;
-
-	/** Get a sorted array of device indices of a given class of tracked devices (e.g. controllers).  Devices are sorted right to left
-	* relative to the specified tracked device (default: hmd -- pass in -1 for absolute tracking space).  Returns the number of devices
-	* in the list, or the size of the array needed if not large enough. */
-	virtual uint32_t GetSortedTrackedDeviceIndicesOfClass( ETrackedDeviceClass eTrackedDeviceClass, VR_ARRAY_COUNT(unTrackedDeviceIndexArrayCount) vr::TrackedDeviceIndex_t *punTrackedDeviceIndexArray, uint32_t unTrackedDeviceIndexArrayCount, vr::TrackedDeviceIndex_t unRelativeToTrackedDeviceIndex = k_unTrackedDeviceIndex_Hmd ) = 0;
-
-	/** Returns the level of activity on the device. */
-	virtual EDeviceActivityLevel GetTrackedDeviceActivityLevel( vr::TrackedDeviceIndex_t unDeviceId ) = 0;
-
-	/** Convenience utility to apply the specified transform to the specified pose.
-	*   This properly transforms all pose components, including velocity and angular velocity
-	*/
-	virtual void ApplyTransform( TrackedDevicePose_t *pOutputPose, const TrackedDevicePose_t *pTrackedDevicePose, const HmdMatrix34_t *pTransform ) = 0;
-
-	/** Returns the device index associated with a specific role, for example the left hand or the right hand. */
-	virtual vr::TrackedDeviceIndex_t GetTrackedDeviceIndexForControllerRole( vr::ETrackedControllerRole unDeviceType ) = 0;
-
-	/** Returns the controller type associated with a device index. */
-	virtual vr::ETrackedControllerRole GetControllerRoleForTrackedDeviceIndex( vr::TrackedDeviceIndex_t unDeviceIndex ) = 0;
-
-	// ------------------------------------
-	// Property methods
-	// ------------------------------------
-
-	/** Returns the device class of a tracked device. If there has not been a device connected in this slot
-	* since the application started this function will return TrackedDevice_Invalid. For previous detected
-	* devices the function will return the previously observed device class. 
-	*
-	* To determine which devices exist on the system, just loop from 0 to k_unMaxTrackedDeviceCount and check
-	* the device class. Every device with something other than TrackedDevice_Invalid is associated with an 
-	* actual tracked device. */
-	virtual ETrackedDeviceClass GetTrackedDeviceClass( vr::TrackedDeviceIndex_t unDeviceIndex ) = 0;
-
-	/** Returns true if there is a device connected in this slot. */
-	virtual bool IsTrackedDeviceConnected( vr::TrackedDeviceIndex_t unDeviceIndex ) = 0;
-
-	/** Returns a bool property. If the device index is not valid or the property is not a bool type this function will return false. */
-	virtual bool GetBoolTrackedDeviceProperty( vr::TrackedDeviceIndex_t unDeviceIndex, ETrackedDeviceProperty prop, ETrackedPropertyError *pError = 0L ) = 0;
-
-	/** Returns a float property. If the device index is not valid or the property is not a float type this function will return 0. */
-	virtual float GetFloatTrackedDeviceProperty( vr::TrackedDeviceIndex_t unDeviceIndex, ETrackedDeviceProperty prop, ETrackedPropertyError *pError = 0L ) = 0;
-
-	/** Returns an int property. If the device index is not valid or the property is not a int type this function will return 0. */
-	virtual int32_t GetInt32TrackedDeviceProperty( vr::TrackedDeviceIndex_t unDeviceIndex, ETrackedDeviceProperty prop, ETrackedPropertyError *pError = 0L ) = 0;
-
-	/** Returns a uint64 property. If the device index is not valid or the property is not a uint64 type this function will return 0. */
-	virtual uint64_t GetUint64TrackedDeviceProperty( vr::TrackedDeviceIndex_t unDeviceIndex, ETrackedDeviceProperty prop, ETrackedPropertyError *pError = 0L ) = 0;
-
-	/** Returns a matrix property. If the device index is not valid or the property is not a matrix type, this function will return identity. */
-	virtual HmdMatrix34_t GetMatrix34TrackedDeviceProperty( vr::TrackedDeviceIndex_t unDeviceIndex, ETrackedDeviceProperty prop, ETrackedPropertyError *pError = 0L ) = 0;
-
-	/** Returns a string property. If the device index is not valid or the property is not a string type this function will 
-	* return 0. Otherwise it returns the length of the number of bytes necessary to hold this string including the trailing
-	* null. Strings will generally fit in buffers of k_unTrackingStringSize characters. */
-	virtual uint32_t GetStringTrackedDeviceProperty( vr::TrackedDeviceIndex_t unDeviceIndex, ETrackedDeviceProperty prop, VR_OUT_STRING() char *pchValue, uint32_t unBufferSize, ETrackedPropertyError *pError = 0L ) = 0;
-
-	/** returns a string that corresponds with the specified property error. The string will be the name 
-	* of the error enum value for all valid error codes */
-	virtual const char *GetPropErrorNameFromEnum( ETrackedPropertyError error ) = 0;
-
-	// ------------------------------------
-	// Event methods
-	// ------------------------------------
-
-	/** Returns true and fills the event with the next event on the queue if there is one. If there are no events
-	* this method returns false. uncbVREvent should be the size in bytes of the VREvent_t struct */
-	virtual bool PollNextEvent( VREvent_t *pEvent, uint32_t uncbVREvent ) = 0;
-
-	/** Returns true and fills the event with the next event on the queue if there is one. If there are no events
-	* this method returns false. Fills in the pose of the associated tracked device in the provided pose struct. 
-	* This pose will always be older than the call to this function and should not be used to render the device. 
-	uncbVREvent should be the size in bytes of the VREvent_t struct */
-	virtual bool PollNextEventWithPose( ETrackingUniverseOrigin eOrigin, VREvent_t *pEvent, uint32_t uncbVREvent, vr::TrackedDevicePose_t *pTrackedDevicePose ) = 0;
-
-	/** returns the name of an EVREvent enum value */
-	virtual const char *GetEventTypeNameFromEnum( EVREventType eType ) = 0;
-
-	// ------------------------------------
-	// Rendering helper methods
-	// ------------------------------------
-
-	/** Returns the stencil mesh information for the current HMD. If this HMD does not have a stencil mesh the vertex data and count will be
-	* NULL and 0 respectively. This mesh is meant to be rendered into the stencil buffer (or into the depth buffer setting nearz) before rendering
-	* each eye's view. The pixels covered by this mesh will never be seen by the user after the lens distortion is applied and based on visibility to the panels.
-	* This will improve perf by letting the GPU early-reject pixels the user will never see before running the pixel shader.
-	* NOTE: Render this mesh with backface culling disabled since the winding order of the vertices can be different per-HMD or per-eye.
-	*/
-	virtual HiddenAreaMesh_t GetHiddenAreaMesh( EVREye eEye ) = 0;
-
-
-	// ------------------------------------
-	// Controller methods
-	// ------------------------------------
-
-	/** Fills the supplied struct with the current state of the controller. Returns false if the controller index
-	* is invalid. */
-	virtual bool GetControllerState( vr::TrackedDeviceIndex_t unControllerDeviceIndex, vr::VRControllerState_t *pControllerState ) = 0;
-
-	/** fills the supplied struct with the current state of the controller and the provided pose with the pose of 
-	* the controller when the controller state was updated most recently. Use this form if you need a precise controller
-	* pose as input to your application when the user presses or releases a button. */
-	virtual bool GetControllerStateWithPose( ETrackingUniverseOrigin eOrigin, vr::TrackedDeviceIndex_t unControllerDeviceIndex, vr::VRControllerState_t *pControllerState, TrackedDevicePose_t *pTrackedDevicePose ) = 0;
-
-	/** Trigger a single haptic pulse on a controller. After this call the application may not trigger another haptic pulse on this controller
-	* and axis combination for 5ms. */
-	virtual void TriggerHapticPulse( vr::TrackedDeviceIndex_t unControllerDeviceIndex, uint32_t unAxisId, unsigned short usDurationMicroSec ) = 0;
-
-	/** returns the name of an EVRButtonId enum value */
-	virtual const char *GetButtonIdNameFromEnum( EVRButtonId eButtonId ) = 0;
-
-	/** returns the name of an EVRControllerAxisType enum value */
-	virtual const char *GetControllerAxisTypeNameFromEnum( EVRControllerAxisType eAxisType ) = 0;
-
-	/** Tells OpenVR that this process wants exclusive access to controller button states and button events. Other apps will be notified that 
-	* they have lost input focus with a VREvent_InputFocusCaptured event. Returns false if input focus could not be captured for
-	* some reason. */
-	virtual bool CaptureInputFocus() = 0;
-
-	/** Tells OpenVR that this process no longer wants exclusive access to button states and button events. Other apps will be notified 
-	* that input focus has been released with a VREvent_InputFocusReleased event. */
-	virtual void ReleaseInputFocus() = 0;
-
-	/** Returns true if input focus is captured by another process. */
-	virtual bool IsInputFocusCapturedByAnotherProcess() = 0;
-
-	// ------------------------------------
-	// Debug Methods
-	// ------------------------------------
-
-	/** Sends a request to the driver for the specified device and returns the response. The maximum response size is 32k,
-	* but this method can be called with a smaller buffer. If the response exceeds the size of the buffer, it is truncated. 
-	* The size of the response including its terminating null is returned. */
-	virtual uint32_t DriverDebugRequest( vr::TrackedDeviceIndex_t unDeviceIndex, const char *pchRequest, char *pchResponseBuffer, uint32_t unResponseBufferSize ) = 0;
-
-
-	// ------------------------------------
-	// Firmware methods
-	// ------------------------------------
-	
-	/** Performs the actual firmware update if applicable. 
-	 * The following events will be sent, if VRFirmwareError_None was returned: VREvent_FirmwareUpdateStarted, VREvent_FirmwareUpdateFinished 
-	 * Use the properties Prop_Firmware_UpdateAvailable_Bool, Prop_Firmware_ManualUpdate_Bool, and Prop_Firmware_ManualUpdateURL_String
-	 * to figure our whether a firmware update is available, and to figure out whether its a manual update 
-	 * Prop_Firmware_ManualUpdateURL_String should point to an URL describing the manual update process */
-	virtual vr::EVRFirmwareError PerformFirmwareUpdate( vr::TrackedDeviceIndex_t unDeviceIndex ) = 0;
-
-
-	// ------------------------------------
-	// Application life cycle methods
-	// ------------------------------------
-
-	/** Call this to acknowledge to the system that VREvent_Quit has been received and that the process is exiting.
-	* This extends the timeout until the process is killed. */
-	virtual void AcknowledgeQuit_Exiting() = 0;
-
-	/** Call this to tell the system that the user is being prompted to save data. This
-	* halts the timeout and dismisses the dashboard (if it was up). Applications should be sure to actually 
-	* prompt the user to save and then exit afterward, otherwise the user will be left in a confusing state. */
-	virtual void AcknowledgeQuit_UserPrompt() = 0;
-
-};
-
-static const char * const IVRSystem_Version = "IVRSystem_012";
-
-}
-
-
-// ivrapplications.h
-namespace vr
-{
-
-	/** Used for all errors reported by the IVRApplications interface */
-	enum EVRApplicationError
-	{
-		VRApplicationError_None = 0,
-
-		VRApplicationError_AppKeyAlreadyExists = 100,	// Only one application can use any given key
-		VRApplicationError_NoManifest = 101,			// the running application does not have a manifest
-		VRApplicationError_NoApplication = 102,			// No application is running
-		VRApplicationError_InvalidIndex = 103,
-		VRApplicationError_UnknownApplication = 104,	// the application could not be found
-		VRApplicationError_IPCFailed = 105,				// An IPC failure caused the request to fail
-		VRApplicationError_ApplicationAlreadyRunning = 106, 
-		VRApplicationError_InvalidManifest = 107,
-		VRApplicationError_InvalidApplication = 108,
-		VRApplicationError_LaunchFailed = 109,			// the process didn't start
-		VRApplicationError_ApplicationAlreadyStarting = 110, // the system was already starting the same application
-		VRApplicationError_LaunchInProgress = 111,		// The system was already starting a different application
-		VRApplicationError_OldApplicationQuitting = 112, 
-		VRApplicationError_TransitionAborted = 113,
-		VRApplicationError_IsTemplate = 114, // error when you try to call LaunchApplication() on a template type app (use LaunchTemplateApplication)
-
-		VRApplicationError_BufferTooSmall = 200,		// The provided buffer was too small to fit the requested data
-		VRApplicationError_PropertyNotSet = 201,		// The requested property was not set
-		VRApplicationError_UnknownProperty = 202,
-		VRApplicationError_InvalidParameter = 203,
-	};
-
-	/** The maximum length of an application key */
-	static const uint32_t k_unMaxApplicationKeyLength = 128;
-
-	/** these are the properties available on applications. */
-	enum EVRApplicationProperty
-	{
-		VRApplicationProperty_Name_String				= 0,
-
-		VRApplicationProperty_LaunchType_String			= 11,
-		VRApplicationProperty_WorkingDirectory_String	= 12,
-		VRApplicationProperty_BinaryPath_String			= 13,
-		VRApplicationProperty_Arguments_String			= 14,
-		VRApplicationProperty_URL_String				= 15,
-
-		VRApplicationProperty_Description_String		= 50,
-		VRApplicationProperty_NewsURL_String			= 51,
-		VRApplicationProperty_ImagePath_String			= 52,
-		VRApplicationProperty_Source_String				= 53,
-
-		VRApplicationProperty_IsDashboardOverlay_Bool	= 60,
-		VRApplicationProperty_IsTemplate_Bool			= 61,
-		VRApplicationProperty_IsInstanced_Bool			= 62,
-
-		VRApplicationProperty_LastLaunchTime_Uint64		= 70,
-	};
-
-	/** These are states the scene application startup process will go through. */
-	enum EVRApplicationTransitionState
-	{
-		VRApplicationTransition_None = 0,
-
-		VRApplicationTransition_OldAppQuitSent = 10,
-		VRApplicationTransition_WaitingForExternalLaunch = 11,
-		
-		VRApplicationTransition_NewAppLaunched = 20,
-	};
-
-	struct AppOverrideKeys_t
-	{
-		const char *pchKey;
-		const char *pchValue;
-	};
-
-	class IVRApplications
-	{
-	public:
-
-		// ---------------  Application management  --------------- //
-
-		/** Adds an application manifest to the list to load when building the list of installed applications. 
-		* Temporary manifests are not automatically loaded */
-		virtual EVRApplicationError AddApplicationManifest( const char *pchApplicationManifestFullPath, bool bTemporary = false ) = 0;
-
-		/** Removes an application manifest from the list to load when building the list of installed applications. */
-		virtual EVRApplicationError RemoveApplicationManifest( const char *pchApplicationManifestFullPath ) = 0;
-
-		/** Returns true if an application is installed */
-		virtual bool IsApplicationInstalled( const char *pchAppKey ) = 0;
-
-		/** Returns the number of applications available in the list */
-		virtual uint32_t GetApplicationCount() = 0;
-
-		/** Returns the key of the specified application. The index is at least 0 and is less than the return 
-		* value of GetApplicationCount(). The buffer should be at least k_unMaxApplicationKeyLength in order to 
-		* fit the key. */
-		virtual EVRApplicationError GetApplicationKeyByIndex( uint32_t unApplicationIndex, char *pchAppKeyBuffer, uint32_t unAppKeyBufferLen ) = 0;
-
-		/** Returns the key of the application for the specified Process Id. The buffer should be at least 
-		* k_unMaxApplicationKeyLength in order to fit the key. */
-		virtual EVRApplicationError GetApplicationKeyByProcessId( uint32_t unProcessId, char *pchAppKeyBuffer, uint32_t unAppKeyBufferLen ) = 0;
-
-		/** Launches the application. The existing scene application will exit and then the new application will start.
-		* This call is not valid for dashboard overlay applications. */
-		virtual EVRApplicationError LaunchApplication( const char *pchAppKey ) = 0;
-
-		/** Launches an instance of an application of type template, with its app key being pchNewAppKey (which must be unique) and optionally override sections
-		* from the manifest file via AppOverrideKeys_t
-		*/
-		virtual EVRApplicationError LaunchTemplateApplication( const char *pchTemplateAppKey, const char *pchNewAppKey, VR_ARRAY_COUNT( unKeys ) const AppOverrideKeys_t *pKeys, uint32_t unKeys ) = 0;
-
-		/** launches the application currently associated with this mime type and passes it the option args, typically the filename or object name of the item being launched */
-		virtual vr::EVRApplicationError LaunchApplicationFromMimeType( const char *pchMimeType, const char *pchArgs ) = 0;
-
-		/** Launches the dashboard overlay application if it is not already running. This call is only valid for 
-		* dashboard overlay applications. */
-		virtual EVRApplicationError LaunchDashboardOverlay( const char *pchAppKey ) = 0;
-
-		/** Cancel a pending launch for an application */
-		virtual bool CancelApplicationLaunch( const char *pchAppKey ) = 0;
-
-		/** Identifies a running application. OpenVR can't always tell which process started in response
-		* to a URL. This function allows a URL handler (or the process itself) to identify the app key 
-		* for the now running application. Passing a process ID of 0 identifies the calling process. 
-		* The application must be one that's known to the system via a call to AddApplicationManifest. */
-		virtual EVRApplicationError IdentifyApplication( uint32_t unProcessId, const char *pchAppKey ) = 0;
-
-		/** Returns the process ID for an application. Return 0 if the application was not found or is not running. */
-		virtual uint32_t GetApplicationProcessId( const char *pchAppKey ) = 0;
-
-		/** Returns a string for an applications error */
-		virtual const char *GetApplicationsErrorNameFromEnum( EVRApplicationError error ) = 0;
-
-		// ---------------  Application properties  --------------- //
-
-		/** Returns a value for an application property. The required buffer size to fit this value will be returned. */
-		virtual uint32_t GetApplicationPropertyString( const char *pchAppKey, EVRApplicationProperty eProperty, char *pchPropertyValueBuffer, uint32_t unPropertyValueBufferLen, EVRApplicationError *peError = nullptr ) = 0;
-
-		/** Returns a bool value for an application property. Returns false in all error cases. */
-		virtual bool GetApplicationPropertyBool( const char *pchAppKey, EVRApplicationProperty eProperty, EVRApplicationError *peError = nullptr ) = 0;
-
-		/** Returns a uint64 value for an application property. Returns 0 in all error cases. */
-		virtual uint64_t GetApplicationPropertyUint64( const char *pchAppKey, EVRApplicationProperty eProperty, EVRApplicationError *peError = nullptr ) = 0;
-
-		/** Sets the application auto-launch flag. This is only valid for applications which return true for VRApplicationProperty_IsDashboardOverlay_Bool. */
-		virtual EVRApplicationError SetApplicationAutoLaunch( const char *pchAppKey, bool bAutoLaunch ) = 0;
-
-		/** Gets the application auto-launch flag. This is only valid for applications which return true for VRApplicationProperty_IsDashboardOverlay_Bool. */
-		virtual bool GetApplicationAutoLaunch( const char *pchAppKey ) = 0;
-
-		/** Adds this mime-type to the list of supported mime types for this application*/
-		virtual EVRApplicationError SetDefaultApplicationForMimeType( const char *pchAppKey, const char *pchMimeType ) = 0;
-
-		/** return the app key that will open this mime type */
-		virtual bool GetDefaultApplicationForMimeType( const char *pchMimeType, char *pchAppKeyBuffer, uint32_t unAppKeyBufferLen ) = 0;
-
-		/** Get the list of supported mime types for this application, comma-delimited */
-		virtual bool GetApplicationSupportedMimeTypes( const char *pchAppKey, char *pchMimeTypesBuffer, uint32_t unMimeTypesBuffer ) = 0;
-
-		/** Get the list of app-keys that support this mime type, comma-delimited, the return value is number of bytes you need to return the full string */
-		virtual uint32_t GetApplicationsThatSupportMimeType( const char *pchMimeType, char *pchAppKeysThatSupportBuffer, uint32_t unAppKeysThatSupportBuffer ) = 0;
-
-		/** Get the args list from an app launch that had the process already running, you call this when you get a VREvent_ApplicationMimeTypeLoad */
-		virtual uint32_t GetApplicationLaunchArguments( uint32_t unHandle, char *pchArgs, uint32_t unArgs ) = 0;
-
-		// ---------------  Transition methods --------------- //
-
-		/** Returns the app key for the application that is starting up */
-		virtual EVRApplicationError GetStartingApplication( char *pchAppKeyBuffer, uint32_t unAppKeyBufferLen ) = 0;
-
-		/** Returns the application transition state */
-		virtual EVRApplicationTransitionState GetTransitionState() = 0;
-
-		/** Returns errors that would prevent the specified application from launching immediately. Calling this function will
-		* cause the current scene application to quit, so only call it when you are actually about to launch something else.
-		* What the caller should do about these failures depends on the failure:
-		*   VRApplicationError_OldApplicationQuitting - An existing application has been told to quit. Wait for a VREvent_ProcessQuit
-		*                                               and try again.
-		*   VRApplicationError_ApplicationAlreadyStarting - This application is already starting. This is a permanent failure.
-		*   VRApplicationError_LaunchInProgress	      - A different application is already starting. This is a permanent failure.
-		*   VRApplicationError_None                   - Go ahead and launch. Everything is clear.
-		*/
-		virtual EVRApplicationError PerformApplicationPrelaunchCheck( const char *pchAppKey ) = 0;
-
-		/** Returns a string for an application transition state */
-		virtual const char *GetApplicationsTransitionStateNameFromEnum( EVRApplicationTransitionState state ) = 0;
-
-		/** Returns true if the outgoing scene app has requested a save prompt before exiting */
-		virtual bool IsQuitUserPromptRequested() = 0;
-
-		/** Starts a subprocess within the calling application. This
-		* suppresses all application transition UI and automatically identifies the new executable 
-		* as part of the same application. On success the calling process should exit immediately. 
-		* If working directory is NULL or "" the directory portion of the binary path will be 
-		* the working directory. */
-		virtual EVRApplicationError LaunchInternalProcess( const char *pchBinaryPath, const char *pchArguments, const char *pchWorkingDirectory ) = 0;
-	};
-
-	static const char * const IVRApplications_Version = "IVRApplications_006";
-
-} // namespace vr
-
-// ivrsettings.h
-namespace vr
-{
-	enum EVRSettingsError
-	{
-		VRSettingsError_None = 0,
-		VRSettingsError_IPCFailed = 1,
-		VRSettingsError_WriteFailed = 2,
-		VRSettingsError_ReadFailed = 3,
-	};
-
-	// The maximum length of a settings key
-	static const uint32_t k_unMaxSettingsKeyLength = 128;
-
-	class IVRSettings
-	{
-	public:
-		virtual const char *GetSettingsErrorNameFromEnum( EVRSettingsError eError ) = 0;
-
-		// Returns true if file sync occurred (force or settings dirty)
-		virtual bool Sync( bool bForce = false, EVRSettingsError *peError = nullptr ) = 0;
-
-		virtual bool GetBool( const char *pchSection, const char *pchSettingsKey, bool bDefaultValue, EVRSettingsError *peError = nullptr ) = 0;
-		virtual void SetBool( const char *pchSection, const char *pchSettingsKey, bool bValue, EVRSettingsError *peError = nullptr ) = 0;
-		virtual int32_t GetInt32( const char *pchSection, const char *pchSettingsKey, int32_t nDefaultValue, EVRSettingsError *peError = nullptr ) = 0;
-		virtual void SetInt32( const char *pchSection, const char *pchSettingsKey, int32_t nValue, EVRSettingsError *peError = nullptr ) = 0;
-		virtual float GetFloat( const char *pchSection, const char *pchSettingsKey, float flDefaultValue, EVRSettingsError *peError = nullptr ) = 0;
-		virtual void SetFloat( const char *pchSection, const char *pchSettingsKey, float flValue, EVRSettingsError *peError = nullptr ) = 0;
-		virtual void GetString( const char *pchSection, const char *pchSettingsKey, VR_OUT_STRING() char *pchValue, uint32_t unValueLen, const char *pchDefaultValue, EVRSettingsError *peError = nullptr ) = 0;
-		virtual void SetString( const char *pchSection, const char *pchSettingsKey, const char *pchValue, EVRSettingsError *peError = nullptr ) = 0;
-		
-		virtual void RemoveSection( const char *pchSection, EVRSettingsError *peError = nullptr ) = 0;
-		virtual void RemoveKeyInSection( const char *pchSection, const char *pchSettingsKey, EVRSettingsError *peError = nullptr ) = 0;
-	};
-
-	//-----------------------------------------------------------------------------
-	static const char * const IVRSettings_Version = "IVRSettings_001";
-
-	//-----------------------------------------------------------------------------
-	// steamvr keys
-
-	static const char * const k_pch_SteamVR_Section = "steamvr";
-	static const char * const k_pch_SteamVR_RequireHmd_String = "requireHmd";
-	static const char * const k_pch_SteamVR_ForcedDriverKey_String = "forcedDriver";
-	static const char * const k_pch_SteamVR_ForcedHmdKey_String = "forcedHmd";
-	static const char * const k_pch_SteamVR_DisplayDebug_Bool = "displayDebug";
-	static const char * const k_pch_SteamVR_DebugProcessPipe_String = "debugProcessPipe";
-	static const char * const k_pch_SteamVR_EnableDistortion_Bool = "enableDistortion";
-	static const char * const k_pch_SteamVR_DisplayDebugX_Int32 = "displayDebugX";
-	static const char * const k_pch_SteamVR_DisplayDebugY_Int32 = "displayDebugY";
-	static const char * const k_pch_SteamVR_SendSystemButtonToAllApps_Bool= "sendSystemButtonToAllApps";
-	static const char * const k_pch_SteamVR_LogLevel_Int32 = "loglevel";
-	static const char * const k_pch_SteamVR_IPD_Float = "ipd";
-	static const char * const k_pch_SteamVR_Background_String = "background";
-	static const char * const k_pch_SteamVR_BackgroundCameraHeight_Float = "backgroundCameraHeight";
-	static const char * const k_pch_SteamVR_BackgroundDomeRadius_Float = "backgroundDomeRadius";
-	static const char * const k_pch_SteamVR_Environment_String = "environment";
-	static const char * const k_pch_SteamVR_GridColor_String = "gridColor";
-	static const char * const k_pch_SteamVR_PlayAreaColor_String = "playAreaColor";
-	static const char * const k_pch_SteamVR_ShowStage_Bool = "showStage";
-	static const char * const k_pch_SteamVR_ActivateMultipleDrivers_Bool = "activateMultipleDrivers";
-	static const char * const k_pch_SteamVR_PowerOffOnExit_Bool = "powerOffOnExit";
-	static const char * const k_pch_SteamVR_StandbyAppRunningTimeout_Float = "standbyAppRunningTimeout";
-	static const char * const k_pch_SteamVR_StandbyNoAppTimeout_Float = "standbyNoAppTimeout";
-	static const char * const k_pch_SteamVR_DirectMode_Bool = "directMode";
-	static const char * const k_pch_SteamVR_DirectModeEdidVid_Int32 = "directModeEdidVid";
-	static const char * const k_pch_SteamVR_DirectModeEdidPid_Int32 = "directModeEdidPid";
-	static const char * const k_pch_SteamVR_UsingSpeakers_Bool = "usingSpeakers";
-	static const char * const k_pch_SteamVR_SpeakersForwardYawOffsetDegrees_Float = "speakersForwardYawOffsetDegrees";
-	static const char * const k_pch_SteamVR_BaseStationPowerManagement_Bool = "basestationPowerManagement";
-	static const char * const k_pch_SteamVR_NeverKillProcesses_Bool = "neverKillProcesses";
-	static const char * const k_pch_SteamVR_RenderTargetMultiplier_Float = "renderTargetMultiplier";
-	static const char * const k_pch_SteamVR_AllowReprojection_Bool = "allowReprojection";
-	static const char * const k_pch_SteamVR_ForceReprojection_Bool = "forceReprojection";
-	static const char * const k_pch_SteamVR_ForceFadeOnBadTracking_Bool = "forceFadeOnBadTracking";
-	static const char * const k_pch_SteamVR_DefaultMirrorView_Int32 = "defaultMirrorView";
-	static const char * const k_pch_SteamVR_ShowMirrorView_Bool = "showMirrorView";
-	static const char * const k_pch_SteamVR_StartMonitorFromAppLaunch = "startMonitorFromAppLaunch";
-	static const char * const k_pch_SteamVR_AutoLaunchSteamVROnButtonPress = "autoLaunchSteamVROnButtonPress";
-	static const char * const k_pch_SteamVR_UseGenericGraphcisDevice_Bool = "useGenericGraphicsDevice";
-
-
-	//-----------------------------------------------------------------------------
-	// lighthouse keys
-
-	static const char * const k_pch_Lighthouse_Section = "driver_lighthouse";
-	static const char * const k_pch_Lighthouse_DisableIMU_Bool = "disableimu";
-	static const char * const k_pch_Lighthouse_UseDisambiguation_String = "usedisambiguation";
-	static const char * const k_pch_Lighthouse_DisambiguationDebug_Int32 = "disambiguationdebug";
-
-	static const char * const k_pch_Lighthouse_PrimaryBasestation_Int32 = "primarybasestation";
-	static const char * const k_pch_Lighthouse_LighthouseName_String = "lighthousename";
-	static const char * const k_pch_Lighthouse_MaxIncidenceAngleDegrees_Float = "maxincidenceangledegrees";
-	static const char * const k_pch_Lighthouse_UseLighthouseDirect_Bool = "uselighthousedirect";
-	static const char * const k_pch_Lighthouse_DBHistory_Bool = "dbhistory";
-
-	//-----------------------------------------------------------------------------
-	// null keys
-
-	static const char * const k_pch_Null_Section = "driver_null";
-	static const char * const k_pch_Null_EnableNullDriver_Bool = "enable";
-	static const char * const k_pch_Null_SerialNumber_String = "serialNumber";
-	static const char * const k_pch_Null_ModelNumber_String = "modelNumber";
-	static const char * const k_pch_Null_WindowX_Int32 = "windowX";
-	static const char * const k_pch_Null_WindowY_Int32 = "windowY";
-	static const char * const k_pch_Null_WindowWidth_Int32 = "windowWidth";
-	static const char * const k_pch_Null_WindowHeight_Int32 = "windowHeight";
-	static const char * const k_pch_Null_RenderWidth_Int32 = "renderWidth";
-	static const char * const k_pch_Null_RenderHeight_Int32 = "renderHeight";
-	static const char * const k_pch_Null_SecondsFromVsyncToPhotons_Float = "secondsFromVsyncToPhotons";
-	static const char * const k_pch_Null_DisplayFrequency_Float = "displayFrequency";
-
-	//-----------------------------------------------------------------------------
-	// user interface keys
-	static const char * const k_pch_UserInterface_Section = "userinterface";
-	static const char * const k_pch_UserInterface_StatusAlwaysOnTop_Bool = "StatusAlwaysOnTop";
-	static const char * const k_pch_UserInterface_Screenshots_Bool = "screenshots";
-	static const char * const k_pch_UserInterface_ScreenshotType_Int = "screenshotType";
-
-	//-----------------------------------------------------------------------------
-	// notification keys
-	static const char * const k_pch_Notifications_Section = "notifications";
-	static const char * const k_pch_Notifications_DoNotDisturb_Bool = "DoNotDisturb";
-
-	//-----------------------------------------------------------------------------
-	// keyboard keys
-	static const char * const k_pch_Keyboard_Section = "keyboard";
-	static const char * const k_pch_Keyboard_TutorialCompletions = "TutorialCompletions";
-	static const char * const k_pch_Keyboard_ScaleX = "ScaleX";
-	static const char * const k_pch_Keyboard_ScaleY = "ScaleY";
-	static const char * const k_pch_Keyboard_OffsetLeftX = "OffsetLeftX";
-	static const char * const k_pch_Keyboard_OffsetRightX = "OffsetRightX";
-	static const char * const k_pch_Keyboard_OffsetY = "OffsetY";
-	static const char * const k_pch_Keyboard_Smoothing = "Smoothing";
-
-	//-----------------------------------------------------------------------------
-	// perf keys
-	static const char * const k_pch_Perf_Section = "perfcheck";
-	static const char * const k_pch_Perf_HeuristicActive_Bool = "heuristicActive";
-	static const char * const k_pch_Perf_NotifyInHMD_Bool = "warnInHMD";
-	static const char * const k_pch_Perf_NotifyOnlyOnce_Bool = "warnOnlyOnce";
-	static const char * const k_pch_Perf_AllowTimingStore_Bool = "allowTimingStore";
-	static const char * const k_pch_Perf_SaveTimingsOnExit_Bool = "saveTimingsOnExit";
-	static const char * const k_pch_Perf_TestData_Float = "perfTestData";
-
-	//-----------------------------------------------------------------------------
-	// collision bounds keys
-	static const char * const k_pch_CollisionBounds_Section = "collisionBounds";
-	static const char * const k_pch_CollisionBounds_Style_Int32 = "CollisionBoundsStyle";
-	static const char * const k_pch_CollisionBounds_GroundPerimeterOn_Bool = "CollisionBoundsGroundPerimeterOn";
-	static const char * const k_pch_CollisionBounds_CenterMarkerOn_Bool = "CollisionBoundsCenterMarkerOn";
-	static const char * const k_pch_CollisionBounds_PlaySpaceOn_Bool = "CollisionBoundsPlaySpaceOn";
-	static const char * const k_pch_CollisionBounds_FadeDistance_Float = "CollisionBoundsFadeDistance";
-	static const char * const k_pch_CollisionBounds_ColorGammaR_Int32 = "CollisionBoundsColorGammaR";
-	static const char * const k_pch_CollisionBounds_ColorGammaG_Int32 = "CollisionBoundsColorGammaG";
-	static const char * const k_pch_CollisionBounds_ColorGammaB_Int32 = "CollisionBoundsColorGammaB";
-	static const char * const k_pch_CollisionBounds_ColorGammaA_Int32 = "CollisionBoundsColorGammaA";
-
-	//-----------------------------------------------------------------------------
-	// camera keys
-	static const char * const k_pch_Camera_Section = "camera";
-	static const char * const k_pch_Camera_EnableCamera_Bool = "enableCamera";
-	static const char * const k_pch_Camera_EnableCameraInDashboard_Bool = "enableCameraInDashboard";
-	static const char * const k_pch_Camera_EnableCameraForCollisionBounds_Bool = "enableCameraForCollisionBounds";
-	static const char * const k_pch_Camera_EnableCameraForRoomView_Bool = "enableCameraForRoomView";
-	static const char * const k_pch_Camera_BoundsColorGammaR_Int32 = "cameraBoundsColorGammaR";
-	static const char * const k_pch_Camera_BoundsColorGammaG_Int32 = "cameraBoundsColorGammaG";
-	static const char * const k_pch_Camera_BoundsColorGammaB_Int32 = "cameraBoundsColorGammaB";
-	static const char * const k_pch_Camera_BoundsColorGammaA_Int32 = "cameraBoundsColorGammaA";
-
-	//-----------------------------------------------------------------------------
-	// audio keys
-	static const char * const k_pch_audio_Section = "audio";
-	static const char * const k_pch_audio_OnPlaybackDevice_String = "onPlaybackDevice";
-	static const char * const k_pch_audio_OnRecordDevice_String = "onRecordDevice";
-	static const char * const k_pch_audio_OnPlaybackMirrorDevice_String = "onPlaybackMirrorDevice";
-	static const char * const k_pch_audio_OffPlaybackDevice_String = "offPlaybackDevice";
-	static const char * const k_pch_audio_OffRecordDevice_String = "offRecordDevice";
-	static const char * const k_pch_audio_VIVEHDMIGain = "viveHDMIGain";
-
-	//-----------------------------------------------------------------------------
-	// model skin keys
-	static const char * const k_pch_modelskin_Section = "modelskins";
-
-} // namespace vr
-
-// ivrchaperone.h
-namespace vr
-{
-
-#if defined(__linux__) || defined(__APPLE__) 
-	// The 32-bit version of gcc has the alignment requirement for uint64 and double set to
-	// 4 meaning that even with #pragma pack(8) these types will only be four-byte aligned.
-	// The 64-bit version of gcc has the alignment requirement for these types set to
-	// 8 meaning that unless we use #pragma pack(4) our structures will get bigger.
-	// The 64-bit structure packing has to match the 32-bit structure packing for each platform.
-	#pragma pack( push, 4 )
-#else
-	#pragma pack( push, 8 )
-#endif
-
-enum ChaperoneCalibrationState
-{
-	// OK!
-	ChaperoneCalibrationState_OK = 1,									// Chaperone is fully calibrated and working correctly
-
-	// Warnings
-	ChaperoneCalibrationState_Warning = 100,
-	ChaperoneCalibrationState_Warning_BaseStationMayHaveMoved = 101,	// A base station thinks that it might have moved
-	ChaperoneCalibrationState_Warning_BaseStationRemoved = 102,			// There are less base stations than when calibrated
-	ChaperoneCalibrationState_Warning_SeatedBoundsInvalid = 103,		// Seated bounds haven't been calibrated for the current tracking center
-
-	// Errors
-	ChaperoneCalibrationState_Error = 200,								// The UniverseID is invalid
-	ChaperoneCalibrationState_Error_BaseStationUninitalized = 201,		// Tracking center hasn't be calibrated for at least one of the base stations
-	ChaperoneCalibrationState_Error_BaseStationConflict = 202,			// Tracking center is calibrated, but base stations disagree on the tracking space
-	ChaperoneCalibrationState_Error_PlayAreaInvalid = 203,				// Play Area hasn't been calibrated for the current tracking center
-	ChaperoneCalibrationState_Error_CollisionBoundsInvalid = 204,		// Collision Bounds haven't been calibrated for the current tracking center
-};
-
-
-/** HIGH LEVEL TRACKING SPACE ASSUMPTIONS:
-* 0,0,0 is the preferred standing area center.
-* 0Y is the floor height.
-* -Z is the preferred forward facing direction. */
-class IVRChaperone
-{
-public:
-
-	/** Get the current state of Chaperone calibration. This state can change at any time during a session due to physical base station changes. **/
-	virtual ChaperoneCalibrationState GetCalibrationState() = 0;
-
-	/** Returns the width and depth of the Play Area (formerly named Soft Bounds) in X and Z. 
-	* Tracking space center (0,0,0) is the center of the Play Area. **/
-	virtual bool GetPlayAreaSize( float *pSizeX, float *pSizeZ ) = 0;
-
-	/** Returns the 4 corner positions of the Play Area (formerly named Soft Bounds).
-	* Corners are in counter-clockwise order.
-	* Standing center (0,0,0) is the center of the Play Area.
-	* It's a rectangle.
-	* 2 sides are parallel to the X axis and 2 sides are parallel to the Z axis.
-	* Height of every corner is 0Y (on the floor). **/
-	virtual bool GetPlayAreaRect( HmdQuad_t *rect ) = 0;
-
-	/** Reload Chaperone data from the .vrchap file on disk. */
-	virtual void ReloadInfo( void ) = 0;
-
-	/** Optionally give the chaperone system a hit about the color and brightness in the scene **/
-	virtual void SetSceneColor( HmdColor_t color ) = 0;
-
-	/** Get the current chaperone bounds draw color and brightness **/
-	virtual void GetBoundsColor( HmdColor_t *pOutputColorArray, int nNumOutputColors, float flCollisionBoundsFadeDistance, HmdColor_t *pOutputCameraColor ) = 0;
-
-	/** Determine whether the bounds are showing right now **/
-	virtual bool AreBoundsVisible() = 0;
-
-	/** Force the bounds to show, mostly for utilities **/
-	virtual void ForceBoundsVisible( bool bForce ) = 0;
-};
-
-static const char * const IVRChaperone_Version = "IVRChaperone_003";
-
-#pragma pack( pop )
-
-}
-
-// ivrchaperonesetup.h
-namespace vr
-{
-
-enum EChaperoneConfigFile
-{
-	EChaperoneConfigFile_Live = 1,		// The live chaperone config, used by most applications and games
-	EChaperoneConfigFile_Temp = 2,		// The temporary chaperone config, used to live-preview collision bounds in room setup
-};
-
-enum EChaperoneImportFlags
-{
-	EChaperoneImport_BoundsOnly = 0x0001,
-};
-
-/** Manages the working copy of the chaperone info. By default this will be the same as the 
-* live copy. Any changes made with this interface will stay in the working copy until 
-* CommitWorkingCopy() is called, at which point the working copy and the live copy will be 
-* the same again. */
-class IVRChaperoneSetup
-{
-public:
-
-	/** Saves the current working copy to disk */
-	virtual bool CommitWorkingCopy( EChaperoneConfigFile configFile ) = 0;
-
-	/** Reverts the working copy to match the live chaperone calibration.
-	* To modify existing data this MUST be do WHILE getting a non-error ChaperoneCalibrationStatus.
-	* Only after this should you do gets and sets on the existing data. */
-	virtual void RevertWorkingCopy() = 0;
-
-	/** Returns the width and depth of the Play Area (formerly named Soft Bounds) in X and Z from the working copy.
-	* Tracking space center (0,0,0) is the center of the Play Area. */
-	virtual bool GetWorkingPlayAreaSize( float *pSizeX, float *pSizeZ ) = 0;
-
-	/** Returns the 4 corner positions of the Play Area (formerly named Soft Bounds) from the working copy.
-	* Corners are in clockwise order.
-	* Tracking space center (0,0,0) is the center of the Play Area.
-	* It's a rectangle.
-	* 2 sides are parallel to the X axis and 2 sides are parallel to the Z axis.
-	* Height of every corner is 0Y (on the floor). **/
-	virtual bool GetWorkingPlayAreaRect( HmdQuad_t *rect ) = 0;
-
-	/** Returns the number of Quads if the buffer points to null. Otherwise it returns Quads 
-	* into the buffer up to the max specified from the working copy. */
-	virtual bool GetWorkingCollisionBoundsInfo( VR_OUT_ARRAY_COUNT(punQuadsCount) HmdQuad_t *pQuadsBuffer, uint32_t* punQuadsCount ) = 0;
-
-	/** Returns the number of Quads if the buffer points to null. Otherwise it returns Quads 
-	* into the buffer up to the max specified. */
-	virtual bool GetLiveCollisionBoundsInfo( VR_OUT_ARRAY_COUNT(punQuadsCount) HmdQuad_t *pQuadsBuffer, uint32_t* punQuadsCount ) = 0;
-
-	/** Returns the preferred seated position from the working copy. */
-	virtual bool GetWorkingSeatedZeroPoseToRawTrackingPose( HmdMatrix34_t *pmatSeatedZeroPoseToRawTrackingPose ) = 0;
-
-	/** Returns the standing origin from the working copy. */
-	virtual bool GetWorkingStandingZeroPoseToRawTrackingPose( HmdMatrix34_t *pmatStandingZeroPoseToRawTrackingPose ) = 0;
-
-	/** Sets the Play Area in the working copy. */
-	virtual void SetWorkingPlayAreaSize( float sizeX, float sizeZ ) = 0;
-
-	/** Sets the Collision Bounds in the working copy. */
-	virtual void SetWorkingCollisionBoundsInfo( VR_ARRAY_COUNT(unQuadsCount) HmdQuad_t *pQuadsBuffer, uint32_t unQuadsCount ) = 0;
-
-	/** Sets the preferred seated position in the working copy. */
-	virtual void SetWorkingSeatedZeroPoseToRawTrackingPose( const HmdMatrix34_t *pMatSeatedZeroPoseToRawTrackingPose ) = 0;
-
-	/** Sets the preferred standing position in the working copy. */
-	virtual void SetWorkingStandingZeroPoseToRawTrackingPose( const HmdMatrix34_t *pMatStandingZeroPoseToRawTrackingPose ) = 0;
-
-	/** Tear everything down and reload it from the file on disk */
-	virtual void ReloadFromDisk( EChaperoneConfigFile configFile ) = 0;
-
-	/** Returns the preferred seated position. */
-	virtual bool GetLiveSeatedZeroPoseToRawTrackingPose( HmdMatrix34_t *pmatSeatedZeroPoseToRawTrackingPose ) = 0;
-
-	virtual void SetWorkingCollisionBoundsTagsInfo( VR_ARRAY_COUNT(unTagCount) uint8_t *pTagsBuffer, uint32_t unTagCount ) = 0;
-	virtual bool GetLiveCollisionBoundsTagsInfo( VR_OUT_ARRAY_COUNT(punTagCount) uint8_t *pTagsBuffer, uint32_t *punTagCount ) = 0;
-
-	virtual bool SetWorkingPhysicalBoundsInfo( VR_ARRAY_COUNT(unQuadsCount) HmdQuad_t *pQuadsBuffer, uint32_t unQuadsCount ) = 0;
-	virtual bool GetLivePhysicalBoundsInfo( VR_OUT_ARRAY_COUNT(punQuadsCount) HmdQuad_t *pQuadsBuffer, uint32_t* punQuadsCount ) = 0;
-
-	virtual bool ExportLiveToBuffer( VR_OUT_STRING() char *pBuffer, uint32_t *pnBufferLength ) = 0;
-	virtual bool ImportFromBufferToWorking( const char *pBuffer, uint32_t nImportFlags ) = 0;
-};
-
-static const char * const IVRChaperoneSetup_Version = "IVRChaperoneSetup_005";
-
-
-}
-
-// ivrcompositor.h
-namespace vr
-{
-
-#if defined(__linux__) || defined(__APPLE__) 
-	// The 32-bit version of gcc has the alignment requirement for uint64 and double set to
-	// 4 meaning that even with #pragma pack(8) these types will only be four-byte aligned.
-	// The 64-bit version of gcc has the alignment requirement for these types set to
-	// 8 meaning that unless we use #pragma pack(4) our structures will get bigger.
-	// The 64-bit structure packing has to match the 32-bit structure packing for each platform.
-	#pragma pack( push, 4 )
-#else
-	#pragma pack( push, 8 )
-#endif
-
-/** Errors that can occur with the VR compositor */
-enum EVRCompositorError
-{
-	VRCompositorError_None						= 0,
-	VRCompositorError_RequestFailed				= 1,
-	VRCompositorError_IncompatibleVersion		= 100,
-	VRCompositorError_DoNotHaveFocus			= 101,
-	VRCompositorError_InvalidTexture			= 102,
-	VRCompositorError_IsNotSceneApplication		= 103,
-	VRCompositorError_TextureIsOnWrongDevice	= 104,
-	VRCompositorError_TextureUsesUnsupportedFormat = 105,
-	VRCompositorError_SharedTexturesNotSupported = 106,
-	VRCompositorError_IndexOutOfRange			= 107,
-};
-
-const uint32_t VRCompositor_ReprojectionReason_Cpu = 0x01;
-const uint32_t VRCompositor_ReprojectionReason_Gpu = 0x02;
-
-/** Provides a single frame's timing information to the app */
-struct Compositor_FrameTiming
-{
-	uint32_t m_nSize; // Set to sizeof( Compositor_FrameTiming )
-	uint32_t m_nFrameIndex;
-	uint32_t m_nNumFramePresents; // number of times this frame was presented
-	uint32_t m_nNumDroppedFrames; // number of additional times previous frame was scanned out
-	uint32_t m_nReprojectionFlags;
-
-	/** Absolute time reference for comparing frames.  This aligns with the vsync that running start is relative to. */
-	double m_flSystemTimeInSeconds;
-
-	/** These times may include work from other processes due to OS scheduling.
-	* The fewer packets of work these are broken up into, the less likely this will happen.
-	* GPU work can be broken up by calling Flush.  This can sometimes be useful to get the GPU started
-	* processing that work earlier in the frame. */
-	float m_flPreSubmitGpuMs; // time spent rendering the scene (gpu work submitted between WaitGetPoses and second Submit)
-	float m_flPostSubmitGpuMs; // additional time spent rendering by application (e.g. companion window)
-	float m_flTotalRenderGpuMs; // time between work submitted immediately after present (ideally vsync) until the end of compositor submitted work
-	float m_flCompositorRenderGpuMs; // time spend performing distortion correction, rendering chaperone, overlays, etc.
-	float m_flCompositorRenderCpuMs; // time spent on cpu submitting the above work for this frame
-	float m_flCompositorIdleCpuMs; // time spent waiting for running start (application could have used this much more time)
-
-	/** Miscellaneous measured intervals. */
-	float m_flClientFrameIntervalMs; // time between calls to WaitGetPoses
-	float m_flPresentCallCpuMs; // time blocked on call to present (usually 0.0, but can go long)
-	float m_flWaitForPresentCpuMs; // time spent spin-waiting for frame index to change (not near-zero indicates wait object failure)
-	float m_flSubmitFrameMs; // time spent in IVRCompositor::Submit (not near-zero indicates driver issue)
-
-	/** The following are all relative to this frame's SystemTimeInSeconds */
-	float m_flWaitGetPosesCalledMs;
-	float m_flNewPosesReadyMs;
-	float m_flNewFrameReadyMs; // second call to IVRCompositor::Submit
-	float m_flCompositorUpdateStartMs;
-	float m_flCompositorUpdateEndMs;
-	float m_flCompositorRenderStartMs;
-
-	vr::TrackedDevicePose_t m_HmdPose; // pose used by app to render this frame
-};
-
-/** Cumulative stats for current application.  These are not cleared until a new app connects,
-* but they do stop accumulating once the associated app disconnects. */
-struct Compositor_CumulativeStats
-{
-	uint32_t m_nPid; // Process id associated with these stats (may no longer be running).
-	uint32_t m_nNumFramePresents; // total number of times we called present (includes reprojected frames)
-	uint32_t m_nNumDroppedFrames; // total number of times an old frame was re-scanned out (without reprojection)
-	uint32_t m_nNumReprojectedFrames; // total number of times a frame was scanned out a second time (with reprojection)
-
-	/** Values recorded at startup before application has fully faded in the first time. */
-	uint32_t m_nNumFramePresentsOnStartup;
-	uint32_t m_nNumDroppedFramesOnStartup;
-	uint32_t m_nNumReprojectedFramesOnStartup;
-
-	/** Applications may explicitly fade to the compositor.  This is usually to handle level transitions, and loading often causes
-	* system wide hitches.  The following stats are collected during this period.  Does not include values recorded during startup. */
-	uint32_t m_nNumLoading;
-	uint32_t m_nNumFramePresentsLoading;
-	uint32_t m_nNumDroppedFramesLoading;
-	uint32_t m_nNumReprojectedFramesLoading;
-
-	/** If we don't get a new frame from the app in less than 2.5 frames, then we assume the app has hung and start
-	* fading back to the compositor.  The following stats are a result of this, and are a subset of those recorded above.
-	* Does not include values recorded during start up or loading. */
-	uint32_t m_nNumTimedOut;
-	uint32_t m_nNumFramePresentsTimedOut;
-	uint32_t m_nNumDroppedFramesTimedOut;
-	uint32_t m_nNumReprojectedFramesTimedOut;
-};
-
-#pragma pack( pop )
-
-/** Allows the application to interact with the compositor */
-class IVRCompositor
-{
-public:
-	/** Sets tracking space returned by WaitGetPoses */
-	virtual void SetTrackingSpace( ETrackingUniverseOrigin eOrigin ) = 0;
-
-	/** Gets current tracking space returned by WaitGetPoses */
-	virtual ETrackingUniverseOrigin GetTrackingSpace() = 0;
-
-	/** Returns pose(s) to use to render scene (and optionally poses predicted two frames out for gameplay). */
-	virtual EVRCompositorError WaitGetPoses( VR_ARRAY_COUNT(unRenderPoseArrayCount) TrackedDevicePose_t* pRenderPoseArray, uint32_t unRenderPoseArrayCount,
-		VR_ARRAY_COUNT(unGamePoseArrayCount) TrackedDevicePose_t* pGamePoseArray, uint32_t unGamePoseArrayCount ) = 0;
-
-	/** Get the last set of poses returned by WaitGetPoses. */
-	virtual EVRCompositorError GetLastPoses( VR_ARRAY_COUNT( unRenderPoseArrayCount ) TrackedDevicePose_t* pRenderPoseArray, uint32_t unRenderPoseArrayCount,
-		VR_ARRAY_COUNT( unGamePoseArrayCount ) TrackedDevicePose_t* pGamePoseArray, uint32_t unGamePoseArrayCount ) = 0;
-
-	/** Interface for accessing last set of poses returned by WaitGetPoses one at a time.
-	* Returns VRCompositorError_IndexOutOfRange if unDeviceIndex not less than k_unMaxTrackedDeviceCount otherwise VRCompositorError_None.
-	* It is okay to pass NULL for either pose if you only want one of the values. */
-	virtual EVRCompositorError GetLastPoseForTrackedDeviceIndex( TrackedDeviceIndex_t unDeviceIndex, TrackedDevicePose_t *pOutputPose, TrackedDevicePose_t *pOutputGamePose ) = 0;
-
-	/** Updated scene texture to display. If pBounds is NULL the entire texture will be used.  If called from an OpenGL app, consider adding a glFlush after
-	* Submitting both frames to signal the driver to start processing, otherwise it may wait until the command buffer fills up, causing the app to miss frames.
-	*
-	* OpenGL dirty state:
-	*	glBindTexture
-	*/
-	virtual EVRCompositorError Submit( EVREye eEye, const Texture_t *pTexture, const VRTextureBounds_t* pBounds = 0, EVRSubmitFlags nSubmitFlags = Submit_Default ) = 0;
-
-	/** Clears the frame that was sent with the last call to Submit. This will cause the 
-	* compositor to show the grid until Submit is called again. */
-	virtual void ClearLastSubmittedFrame() = 0;
-
-	/** Call immediately after presenting your app's window (i.e. companion window) to unblock the compositor.
-	* This is an optional call, which only needs to be used if you can't instead call WaitGetPoses immediately after Present.
-	* For example, if your engine's render and game loop are not on separate threads, or blocking the render thread until 3ms before the next vsync would
-	* introduce a deadlock of some sort.  This function tells the compositor that you have finished all rendering after having Submitted buffers for both
-	* eyes, and it is free to start its rendering work.  This should only be called from the same thread you are rendering on. */
-	virtual void PostPresentHandoff() = 0;
-
-	/** Returns true if timing data is filled it.  Sets oldest timing info if nFramesAgo is larger than the stored history.
-	* Be sure to set timing.size = sizeof(Compositor_FrameTiming) on struct passed in before calling this function. */
-	virtual bool GetFrameTiming( Compositor_FrameTiming *pTiming, uint32_t unFramesAgo = 0 ) = 0;
-
-	/** Returns the time in seconds left in the current (as identified by FrameTiming's frameIndex) frame.
-	* Due to "running start", this value may roll over to the next frame before ever reaching 0.0. */
-	virtual float GetFrameTimeRemaining() = 0;
-
-	/** Fills out stats accumulated for the last connected application.  Pass in sizeof( Compositor_CumulativeStats ) as second parameter. */
-	virtual void GetCumulativeStats( Compositor_CumulativeStats *pStats, uint32_t nStatsSizeInBytes ) = 0;
-
-	/** Fades the view on the HMD to the specified color. The fade will take fSeconds, and the color values are between
-	* 0.0 and 1.0. This color is faded on top of the scene based on the alpha parameter. Removing the fade color instantly 
-	* would be FadeToColor( 0.0, 0.0, 0.0, 0.0, 0.0 ).  Values are in un-premultiplied alpha space. */
-	virtual void FadeToColor( float fSeconds, float fRed, float fGreen, float fBlue, float fAlpha, bool bBackground = false ) = 0;
-
-	/** Fading the Grid in or out in fSeconds */
-	virtual void FadeGrid( float fSeconds, bool bFadeIn ) = 0;
-
-	/** Override the skybox used in the compositor (e.g. for during level loads when the app can't feed scene images fast enough)
-	* Order is Front, Back, Left, Right, Top, Bottom.  If only a single texture is passed, it is assumed in lat-long format.
-	* If two are passed, it is assumed a lat-long stereo pair. */
-	virtual EVRCompositorError SetSkyboxOverride( VR_ARRAY_COUNT( unTextureCount ) const Texture_t *pTextures, uint32_t unTextureCount ) = 0;
-
-	/** Resets compositor skybox back to defaults. */
-	virtual void ClearSkyboxOverride() = 0;
-
-	/** Brings the compositor window to the front. This is useful for covering any other window that may be on the HMD
-	* and is obscuring the compositor window. */
-	virtual void CompositorBringToFront() = 0;
-
-	/** Pushes the compositor window to the back. This is useful for allowing other applications to draw directly to the HMD. */
-	virtual void CompositorGoToBack() = 0;
-
-	/** Tells the compositor process to clean up and exit. You do not need to call this function at shutdown. Under normal 
-	* circumstances the compositor will manage its own life cycle based on what applications are running. */
-	virtual void CompositorQuit() = 0;
-	
-	/** Return whether the compositor is fullscreen */
-	virtual bool IsFullscreen() = 0;
-
-	/** Returns the process ID of the process that is currently rendering the scene */
-	virtual uint32_t GetCurrentSceneFocusProcess() = 0;
-
-	/** Returns the process ID of the process that rendered the last frame (or 0 if the compositor itself rendered the frame.)
-	* Returns 0 when fading out from an app and the app's process Id when fading into an app. */
-	virtual uint32_t GetLastFrameRenderer() = 0;
-
-	/** Returns true if the current process has the scene focus */
-	virtual bool CanRenderScene() = 0;
-
-	/** Creates a window on the primary monitor to display what is being shown in the headset. */
-	virtual void ShowMirrorWindow() = 0;
-
-	/** Closes the mirror window. */
-	virtual void HideMirrorWindow() = 0;
-
-	/** Returns true if the mirror window is shown. */
-	virtual bool IsMirrorWindowVisible() = 0;
-
-	/** Writes all images that the compositor knows about (including overlays) to a 'screenshots' folder in the SteamVR runtime root. */
-	virtual void CompositorDumpImages() = 0;
-
-	/** Let an app know it should be rendering with low resources. */
-	virtual bool ShouldAppRenderWithLowResources() = 0;
-
-	/** Override interleaved reprojection logic to force on. */
-	virtual void ForceInterleavedReprojectionOn( bool bOverride ) = 0;
-
-	/** Force reconnecting to the compositor process. */
-	virtual void ForceReconnectProcess() = 0;
-
-	/** Temporarily suspends rendering (useful for finer control over scene transitions). */
-	virtual void SuspendRendering( bool bSuspend ) = 0;
-
-	/** Opens a shared D3D11 texture with the undistorted composited image for each eye. */
-	virtual vr::EVRCompositorError GetMirrorTextureD3D11( vr::EVREye eEye, void *pD3D11DeviceOrResource, void **ppD3D11ShaderResourceView ) = 0;
-
-	/** Access to mirror textures from OpenGL. */
-	virtual vr::EVRCompositorError GetMirrorTextureGL( vr::EVREye eEye, vr::glUInt_t *pglTextureId, vr::glSharedTextureHandle_t *pglSharedTextureHandle ) = 0;
-	virtual bool ReleaseSharedGLTexture( vr::glUInt_t glTextureId, vr::glSharedTextureHandle_t glSharedTextureHandle ) = 0;
-	virtual void LockGLSharedTextureForAccess( vr::glSharedTextureHandle_t glSharedTextureHandle ) = 0;
-	virtual void UnlockGLSharedTextureForAccess( vr::glSharedTextureHandle_t glSharedTextureHandle ) = 0;
-};
-
-static const char * const IVRCompositor_Version = "IVRCompositor_016";
-
-} // namespace vr
-
-
-
-// ivrnotifications.h
-namespace vr
-{
-
-#if defined(__linux__) || defined(__APPLE__) 
-	// The 32-bit version of gcc has the alignment requirement for uint64 and double set to
-	// 4 meaning that even with #pragma pack(8) these types will only be four-byte aligned.
-	// The 64-bit version of gcc has the alignment requirement for these types set to
-	// 8 meaning that unless we use #pragma pack(4) our structures will get bigger.
-	// The 64-bit structure packing has to match the 32-bit structure packing for each platform.
-	#pragma pack( push, 4 )
-#else
-	#pragma pack( push, 8 )
-#endif
-
-// Used for passing graphic data
-struct NotificationBitmap_t
-{
-	NotificationBitmap_t()
-		: m_pImageData( nullptr )
-		, m_nWidth( 0 )
-		, m_nHeight( 0 )
-		, m_nBytesPerPixel( 0 )
-	{
-	};
-
-	void *m_pImageData;
-	int32_t m_nWidth;
-	int32_t m_nHeight;
-	int32_t m_nBytesPerPixel;
-};
-
-
-/** Be aware that the notification type is used as 'priority' to pick the next notification */
-enum EVRNotificationType
-{
-	/** Transient notifications are automatically hidden after a period of time set by the user. 
-	* They are used for things like information and chat messages that do not require user interaction. */
-	EVRNotificationType_Transient = 0,
-
-	/** Persistent notifications are shown to the user until they are hidden by calling RemoveNotification().
-	* They are used for things like phone calls and alarms that require user interaction. */
-	EVRNotificationType_Persistent = 1,
-
-	/** System notifications are shown no matter what. It is expected, that the ulUserValue is used as ID.
-	 * If there is already a system notification in the queue with that ID it is not accepted into the queue
-	 * to prevent spamming with system notification */
-	EVRNotificationType_Transient_SystemWithUserValue = 2,
-};
-
-enum EVRNotificationStyle
-{
-	/** Creates a notification with minimal external styling. */
-	EVRNotificationStyle_None = 0,
-
-	/** Used for notifications about overlay-level status. In Steam this is used for events like downloads completing. */
-	EVRNotificationStyle_Application = 100,
-
-	/** Used for notifications about contacts that are unknown or not available. In Steam this is used for friend invitations and offline friends. */
-	EVRNotificationStyle_Contact_Disabled = 200,
-
-	/** Used for notifications about contacts that are available but inactive. In Steam this is used for friends that are online but not playing a game. */
-	EVRNotificationStyle_Contact_Enabled = 201,
-
-	/** Used for notifications about contacts that are available and active. In Steam this is used for friends that are online and currently running a game. */
-	EVRNotificationStyle_Contact_Active = 202,
-};
-
-static const uint32_t k_unNotificationTextMaxSize = 256;
-
-typedef uint32_t VRNotificationId;
-
-
-
-#pragma pack( pop )
-
-/** Allows notification sources to interact with the VR system
-	This current interface is not yet implemented. Do not use yet. */
-class IVRNotifications
-{
-public:
-	/** Create a notification and enqueue it to be shown to the user.
-	* An overlay handle is required to create a notification, as otherwise it would be impossible for a user to act on it.
-	* To create a two-line notification, use a line break ('\n') to split the text into two lines.
-	* The pImage argument may be NULL, in which case the specified overlay's icon will be used instead. */
-	virtual EVRNotificationError CreateNotification( VROverlayHandle_t ulOverlayHandle, uint64_t ulUserValue, EVRNotificationType type, const char *pchText, EVRNotificationStyle style, const NotificationBitmap_t *pImage, /* out */ VRNotificationId *pNotificationId ) = 0;
-
-	/** Destroy a notification, hiding it first if it currently shown to the user. */
-	virtual EVRNotificationError RemoveNotification( VRNotificationId notificationId ) = 0;
-
-};
-
-static const char * const IVRNotifications_Version = "IVRNotifications_002";
-
-} // namespace vr
-
-
-
-// ivroverlay.h
-namespace vr
-{
-
-	/** The maximum length of an overlay key in bytes, counting the terminating null character. */
-	static const uint32_t k_unVROverlayMaxKeyLength = 128;
-
-	/** The maximum length of an overlay name in bytes, counting the terminating null character. */
-	static const uint32_t k_unVROverlayMaxNameLength = 128;
-
-	/** The maximum number of overlays that can exist in the system at one time. */
-	static const uint32_t k_unMaxOverlayCount = 64;
-
-	/** Types of input supported by VR Overlays */
-	enum VROverlayInputMethod
-	{
-		VROverlayInputMethod_None		= 0, // No input events will be generated automatically for this overlay
-		VROverlayInputMethod_Mouse		= 1, // Tracked controllers will get mouse events automatically
-	};
-
-	/** Allows the caller to figure out which overlay transform getter to call. */
-	enum VROverlayTransformType
-	{
-		VROverlayTransform_Absolute					= 0,
-		VROverlayTransform_TrackedDeviceRelative	= 1,
-		VROverlayTransform_SystemOverlay			= 2,
-		VROverlayTransform_TrackedComponent 		= 3,
-	};
-
-	/** Overlay control settings */
-	enum VROverlayFlags
-	{
-		VROverlayFlags_None			= 0,
-
-		// The following only take effect when rendered using the high quality render path (see SetHighQualityOverlay).
-		VROverlayFlags_Curved		= 1,
-		VROverlayFlags_RGSS4X		= 2,
-
-		// Set this flag on a dashboard overlay to prevent a tab from showing up for that overlay
-		VROverlayFlags_NoDashboardTab = 3,
-
-		// Set this flag on a dashboard that is able to deal with gamepad focus events
-		VROverlayFlags_AcceptsGamepadEvents = 4,
-
-		// Indicates that the overlay should dim/brighten to show gamepad focus
-		VROverlayFlags_ShowGamepadFocus = 5,
-
-		// When in VROverlayInputMethod_Mouse you can optionally enable sending VRScroll_t 
-		VROverlayFlags_SendVRScrollEvents = 6,
-		VROverlayFlags_SendVRTouchpadEvents = 7,
-
-		// If set this will render a vertical scroll wheel on the primary controller, 
-		//  only needed if not using VROverlayFlags_SendVRScrollEvents but you still want to represent a scroll wheel
-		VROverlayFlags_ShowTouchPadScrollWheel = 8,
-
-		// If this is set ownership and render access to the overlay are transferred 
-		// to the new scene process on a call to IVRApplications::LaunchInternalProcess
-		VROverlayFlags_TransferOwnershipToInternalProcess = 9,
-
-		// If set, renders 50% of the texture in each eye, side by side
-		VROverlayFlags_SideBySide_Parallel = 10, // Texture is left/right
-		VROverlayFlags_SideBySide_Crossed = 11, // Texture is crossed and right/left
-
-		VROverlayFlags_Panorama = 12, // Texture is a panorama
-		VROverlayFlags_StereoPanorama = 13, // Texture is a stereo panorama
-
-		// If this is set on an overlay owned by the scene application that overlay
-		// will be sorted with the "Other" overlays on top of all other scene overlays
-		VROverlayFlags_SortWithNonSceneOverlays = 14,
-	};
-
-	struct VROverlayIntersectionParams_t
-	{
-		HmdVector3_t vSource;
-		HmdVector3_t vDirection;
-		ETrackingUniverseOrigin eOrigin;
-	};
-
-	struct VROverlayIntersectionResults_t
-	{
-		HmdVector3_t vPoint;
-		HmdVector3_t vNormal;
-		HmdVector2_t vUVs;
-		float fDistance;
-	};
-
-	// Input modes for the Big Picture gamepad text entry
-	enum EGamepadTextInputMode
-	{
-		k_EGamepadTextInputModeNormal = 0,
-		k_EGamepadTextInputModePassword = 1,
-		k_EGamepadTextInputModeSubmit = 2,
-	};
-
-	// Controls number of allowed lines for the Big Picture gamepad text entry
-	enum EGamepadTextInputLineMode
-	{
-		k_EGamepadTextInputLineModeSingleLine = 0,
-		k_EGamepadTextInputLineModeMultipleLines = 1
-	};
-
-	/** Directions for changing focus between overlays with the gamepad */
-	enum EOverlayDirection
-	{
-		OverlayDirection_Up = 0,
-		OverlayDirection_Down = 1,
-		OverlayDirection_Left = 2,
-		OverlayDirection_Right = 3,
-		
-		OverlayDirection_Count = 4,
-	};
-
-	class IVROverlay
-	{
-	public:
-
-		// ---------------------------------------------
-		// Overlay management methods
-		// ---------------------------------------------
-
-		/** Finds an existing overlay with the specified key. */
-		virtual EVROverlayError FindOverlay( const char *pchOverlayKey, VROverlayHandle_t * pOverlayHandle ) = 0;
-
-		/** Creates a new named overlay. All overlays start hidden and with default settings. */
-		virtual EVROverlayError CreateOverlay( const char *pchOverlayKey, const char *pchOverlayFriendlyName, VROverlayHandle_t * pOverlayHandle ) = 0;
-
-		/** Destroys the specified overlay. When an application calls VR_Shutdown all overlays created by that app are
-		* automatically destroyed. */
-		virtual EVROverlayError DestroyOverlay( VROverlayHandle_t ulOverlayHandle ) = 0;
-
-		/** Specify which overlay to use the high quality render path.  This overlay will be composited in during the distortion pass which
-		* results in it drawing on top of everything else, but also at a higher quality as it samples the source texture directly rather than
-		* rasterizing into each eye's render texture first.  Because if this, only one of these is supported at any given time.  It is most useful
-		* for overlays that are expected to take up most of the user's view (e.g. streaming video).
-		* This mode does not support mouse input to your overlay. */
-		virtual EVROverlayError SetHighQualityOverlay( VROverlayHandle_t ulOverlayHandle ) = 0;
-
-		/** Returns the overlay handle of the current overlay being rendered using the single high quality overlay render path.
-		* Otherwise it will return k_ulOverlayHandleInvalid. */
-		virtual vr::VROverlayHandle_t GetHighQualityOverlay() = 0;
-
-		/** Fills the provided buffer with the string key of the overlay. Returns the size of buffer required to store the key, including
-		* the terminating null character. k_unVROverlayMaxKeyLength will be enough bytes to fit the string. */
-		virtual uint32_t GetOverlayKey( VROverlayHandle_t ulOverlayHandle, VR_OUT_STRING() char *pchValue, uint32_t unBufferSize, EVROverlayError *pError = 0L ) = 0;
-
-		/** Fills the provided buffer with the friendly name of the overlay. Returns the size of buffer required to store the key, including
-		* the terminating null character. k_unVROverlayMaxNameLength will be enough bytes to fit the string. */
-		virtual uint32_t GetOverlayName( VROverlayHandle_t ulOverlayHandle, VR_OUT_STRING() char *pchValue, uint32_t unBufferSize, EVROverlayError *pError = 0L ) = 0;
-
-		/** Gets the raw image data from an overlay. Overlay image data is always returned as RGBA data, 4 bytes per pixel. If the buffer is not large enough, width and height 
-		* will be set and VROverlayError_ArrayTooSmall is returned. */
-		virtual EVROverlayError GetOverlayImageData( VROverlayHandle_t ulOverlayHandle, void *pvBuffer, uint32_t unBufferSize, uint32_t *punWidth, uint32_t *punHeight ) = 0;
-
-		/** returns a string that corresponds with the specified overlay error. The string will be the name 
-		* of the error enum value for all valid error codes */
-		virtual const char *GetOverlayErrorNameFromEnum( EVROverlayError error ) = 0;
-
-
-		// ---------------------------------------------
-		// Overlay rendering methods
-		// ---------------------------------------------
-
-		/** Sets the pid that is allowed to render to this overlay (the creator pid is always allow to render),
-		*	by default this is the pid of the process that made the overlay */
-		virtual EVROverlayError SetOverlayRenderingPid( VROverlayHandle_t ulOverlayHandle, uint32_t unPID ) = 0;
-
-		/** Gets the pid that is allowed to render to this overlay */
-		virtual uint32_t GetOverlayRenderingPid( VROverlayHandle_t ulOverlayHandle ) = 0;
-
-		/** Specify flag setting for a given overlay */
-		virtual EVROverlayError SetOverlayFlag( VROverlayHandle_t ulOverlayHandle, VROverlayFlags eOverlayFlag, bool bEnabled ) = 0;
-
-		/** Sets flag setting for a given overlay */
-		virtual EVROverlayError GetOverlayFlag( VROverlayHandle_t ulOverlayHandle, VROverlayFlags eOverlayFlag, bool *pbEnabled ) = 0;
-
-		/** Sets the color tint of the overlay quad. Use 0.0 to 1.0 per channel. */
-		virtual EVROverlayError SetOverlayColor( VROverlayHandle_t ulOverlayHandle, float fRed, float fGreen, float fBlue ) = 0;
-
-		/** Gets the color tint of the overlay quad. */
-		virtual EVROverlayError GetOverlayColor( VROverlayHandle_t ulOverlayHandle, float *pfRed, float *pfGreen, float *pfBlue ) = 0;
-
-		/** Sets the alpha of the overlay quad. Use 1.0 for 100 percent opacity to 0.0 for 0 percent opacity. */
-		virtual EVROverlayError SetOverlayAlpha( VROverlayHandle_t ulOverlayHandle, float fAlpha ) = 0;
-
-		/** Gets the alpha of the overlay quad. By default overlays are rendering at 100 percent alpha (1.0). */
-		virtual EVROverlayError GetOverlayAlpha( VROverlayHandle_t ulOverlayHandle, float *pfAlpha ) = 0;
-
-		/** Sets the aspect ratio of the texels in the overlay. 1.0 means the texels are square. 2.0 means the texels
-		* are twice as wide as they are tall. Defaults to 1.0. */
-		virtual EVROverlayError SetOverlayTexelAspect( VROverlayHandle_t ulOverlayHandle, float fTexelAspect ) = 0;
-
-		/** Gets the aspect ratio of the texels in the overlay. Defaults to 1.0 */
-		virtual EVROverlayError GetOverlayTexelAspect( VROverlayHandle_t ulOverlayHandle, float *pfTexelAspect ) = 0;
-
-		/** Sets the rendering sort order for the overlay. Overlays are rendered this order:
-		*      Overlays owned by the scene application
-		*      Overlays owned by some other application
-		*
-		*	Within a category overlays are rendered lowest sort order to highest sort order. Overlays with the same 
-		*	sort order are rendered back to front base on distance from the HMD.
-		*
-		*	Sort order defaults to 0. */
-		virtual EVROverlayError SetOverlaySortOrder( VROverlayHandle_t ulOverlayHandle, uint32_t unSortOrder ) = 0;
-
-		/** Gets the sort order of the overlay. See SetOverlaySortOrder for how this works. */
-		virtual EVROverlayError GetOverlaySortOrder( VROverlayHandle_t ulOverlayHandle, uint32_t *punSortOrder ) = 0;
-
-		/** Sets the width of the overlay quad in meters. By default overlays are rendered on a quad that is 1 meter across */
-		virtual EVROverlayError SetOverlayWidthInMeters( VROverlayHandle_t ulOverlayHandle, float fWidthInMeters ) = 0;
-
-		/** Returns the width of the overlay quad in meters. By default overlays are rendered on a quad that is 1 meter across */
-		virtual EVROverlayError GetOverlayWidthInMeters( VROverlayHandle_t ulOverlayHandle, float *pfWidthInMeters ) = 0;
-
-		/** For high-quality curved overlays only, sets the distance range in meters from the overlay used to automatically curve
-		* the surface around the viewer.  Min is distance is when the surface will be most curved.  Max is when least curved. */
-		virtual EVROverlayError SetOverlayAutoCurveDistanceRangeInMeters( VROverlayHandle_t ulOverlayHandle, float fMinDistanceInMeters, float fMaxDistanceInMeters ) = 0;
-
-		/** For high-quality curved overlays only, gets the distance range in meters from the overlay used to automatically curve
-		* the surface around the viewer.  Min is distance is when the surface will be most curved.  Max is when least curved. */
-		virtual EVROverlayError GetOverlayAutoCurveDistanceRangeInMeters( VROverlayHandle_t ulOverlayHandle, float *pfMinDistanceInMeters, float *pfMaxDistanceInMeters ) = 0;
-
-		/** Sets the colorspace the overlay texture's data is in.  Defaults to 'auto'.
-		* If the texture needs to be resolved, you should call SetOverlayTexture with the appropriate colorspace instead. */
-		virtual EVROverlayError SetOverlayTextureColorSpace( VROverlayHandle_t ulOverlayHandle, EColorSpace eTextureColorSpace ) = 0;
-
-		/** Gets the overlay's current colorspace setting. */
-		virtual EVROverlayError GetOverlayTextureColorSpace( VROverlayHandle_t ulOverlayHandle, EColorSpace *peTextureColorSpace ) = 0;
-
-		/** Sets the part of the texture to use for the overlay. UV Min is the upper left corner and UV Max is the lower right corner. */
-		virtual EVROverlayError SetOverlayTextureBounds( VROverlayHandle_t ulOverlayHandle, const VRTextureBounds_t *pOverlayTextureBounds ) = 0;
-
-		/** Gets the part of the texture to use for the overlay. UV Min is the upper left corner and UV Max is the lower right corner. */
-		virtual EVROverlayError GetOverlayTextureBounds( VROverlayHandle_t ulOverlayHandle, VRTextureBounds_t *pOverlayTextureBounds ) = 0;
-
-		/** Returns the transform type of this overlay. */
-		virtual EVROverlayError GetOverlayTransformType( VROverlayHandle_t ulOverlayHandle, VROverlayTransformType *peTransformType ) = 0;
-
-		/** Sets the transform to absolute tracking origin. */
-		virtual EVROverlayError SetOverlayTransformAbsolute( VROverlayHandle_t ulOverlayHandle, ETrackingUniverseOrigin eTrackingOrigin, const HmdMatrix34_t *pmatTrackingOriginToOverlayTransform ) = 0;
-
-		/** Gets the transform if it is absolute. Returns an error if the transform is some other type. */
-		virtual EVROverlayError GetOverlayTransformAbsolute( VROverlayHandle_t ulOverlayHandle, ETrackingUniverseOrigin *peTrackingOrigin, HmdMatrix34_t *pmatTrackingOriginToOverlayTransform ) = 0;
-
-		/** Sets the transform to relative to the transform of the specified tracked device. */
-		virtual EVROverlayError SetOverlayTransformTrackedDeviceRelative( VROverlayHandle_t ulOverlayHandle, TrackedDeviceIndex_t unTrackedDevice, const HmdMatrix34_t *pmatTrackedDeviceToOverlayTransform ) = 0;
-
-		/** Gets the transform if it is relative to a tracked device. Returns an error if the transform is some other type. */
-		virtual EVROverlayError GetOverlayTransformTrackedDeviceRelative( VROverlayHandle_t ulOverlayHandle, TrackedDeviceIndex_t *punTrackedDevice, HmdMatrix34_t *pmatTrackedDeviceToOverlayTransform ) = 0;
-
-		/** Sets the transform to draw the overlay on a rendermodel component mesh instead of a quad. This will only draw when the system is
-		* drawing the device. Overlays with this transform type cannot receive mouse events. */
-		virtual EVROverlayError SetOverlayTransformTrackedDeviceComponent( VROverlayHandle_t ulOverlayHandle, TrackedDeviceIndex_t unDeviceIndex, const char *pchComponentName ) = 0;
-
-		/** Gets the transform information when the overlay is rendering on a component. */
-		virtual EVROverlayError GetOverlayTransformTrackedDeviceComponent( VROverlayHandle_t ulOverlayHandle, TrackedDeviceIndex_t *punDeviceIndex, char *pchComponentName, uint32_t unComponentNameSize ) = 0;
-
-		/** Shows the VR overlay.  For dashboard overlays, only the Dashboard Manager is allowed to call this. */
-		virtual EVROverlayError ShowOverlay( VROverlayHandle_t ulOverlayHandle ) = 0;
-
-		/** Hides the VR overlay.  For dashboard overlays, only the Dashboard Manager is allowed to call this. */
-		virtual EVROverlayError HideOverlay( VROverlayHandle_t ulOverlayHandle ) = 0;
-
-		/** Returns true if the overlay is visible. */
-		virtual bool IsOverlayVisible( VROverlayHandle_t ulOverlayHandle ) = 0;
-
-		/** Get the transform in 3d space associated with a specific 2d point in the overlay's coordinate space (where 0,0 is the lower left). -Z points out of the overlay */
-		virtual EVROverlayError GetTransformForOverlayCoordinates( VROverlayHandle_t ulOverlayHandle, ETrackingUniverseOrigin eTrackingOrigin, HmdVector2_t coordinatesInOverlay, HmdMatrix34_t *pmatTransform ) = 0;
-
-		// ---------------------------------------------
-		// Overlay input methods
-		// ---------------------------------------------
-
-		/** Returns true and fills the event with the next event on the overlay's event queue, if there is one. 
-		* If there are no events this method returns false. uncbVREvent should be the size in bytes of the VREvent_t struct */
-		virtual bool PollNextOverlayEvent( VROverlayHandle_t ulOverlayHandle, VREvent_t *pEvent, uint32_t uncbVREvent ) = 0;
-
-		/** Returns the current input settings for the specified overlay. */
-		virtual EVROverlayError GetOverlayInputMethod( VROverlayHandle_t ulOverlayHandle, VROverlayInputMethod *peInputMethod ) = 0;
-
-		/** Sets the input settings for the specified overlay. */
-		virtual EVROverlayError SetOverlayInputMethod( VROverlayHandle_t ulOverlayHandle, VROverlayInputMethod eInputMethod ) = 0;
-
-		/** Gets the mouse scaling factor that is used for mouse events. The actual texture may be a different size, but this is
-		* typically the size of the underlying UI in pixels. */
-		virtual EVROverlayError GetOverlayMouseScale( VROverlayHandle_t ulOverlayHandle, HmdVector2_t *pvecMouseScale ) = 0;
-
-		/** Sets the mouse scaling factor that is used for mouse events. The actual texture may be a different size, but this is
-		* typically the size of the underlying UI in pixels (not in world space). */
-		virtual EVROverlayError SetOverlayMouseScale( VROverlayHandle_t ulOverlayHandle, const HmdVector2_t *pvecMouseScale ) = 0;
-
-		/** Computes the overlay-space pixel coordinates of where the ray intersects the overlay with the
-		* specified settings. Returns false if there is no intersection. */
-		virtual bool ComputeOverlayIntersection( VROverlayHandle_t ulOverlayHandle, const VROverlayIntersectionParams_t *pParams, VROverlayIntersectionResults_t *pResults ) = 0;
-
-		/** Processes mouse input from the specified controller as though it were a mouse pointed at a compositor overlay with the
-		* specified settings. The controller is treated like a laser pointer on the -z axis. The point where the laser pointer would
-		* intersect with the overlay is the mouse position, the trigger is left mouse, and the track pad is right mouse. 
-		*
-		* Return true if the controller is pointed at the overlay and an event was generated. */
-		virtual bool HandleControllerOverlayInteractionAsMouse( VROverlayHandle_t ulOverlayHandle, TrackedDeviceIndex_t unControllerDeviceIndex ) = 0;
-
-		/** Returns true if the specified overlay is the hover target. An overlay is the hover target when it is the last overlay "moused over" 
-		* by the virtual mouse pointer */
-		virtual bool IsHoverTargetOverlay( VROverlayHandle_t ulOverlayHandle ) = 0;
-
-		/** Returns the current Gamepad focus overlay */
-		virtual vr::VROverlayHandle_t GetGamepadFocusOverlay() = 0;
-
-		/** Sets the current Gamepad focus overlay */
-		virtual EVROverlayError SetGamepadFocusOverlay( VROverlayHandle_t ulNewFocusOverlay ) = 0;
-
-		/** Sets an overlay's neighbor. This will also set the neighbor of the "to" overlay
-		* to point back to the "from" overlay. If an overlay's neighbor is set to invalid both
-		* ends will be cleared */
-		virtual EVROverlayError SetOverlayNeighbor( EOverlayDirection eDirection, VROverlayHandle_t ulFrom, VROverlayHandle_t ulTo ) = 0;
-
-		/** Changes the Gamepad focus from one overlay to one of its neighbors. Returns VROverlayError_NoNeighbor if there is no
-		* neighbor in that direction */
-		virtual EVROverlayError MoveGamepadFocusToNeighbor( EOverlayDirection eDirection, VROverlayHandle_t ulFrom ) = 0;
-
-		// ---------------------------------------------
-		// Overlay texture methods
-		// ---------------------------------------------
-
-		/** Texture to draw for the overlay. This function can only be called by the overlay's creator or renderer process (see SetOverlayRenderingPid) .
-		*
-		* OpenGL dirty state:
-		*	glBindTexture
-		*/
-		virtual EVROverlayError SetOverlayTexture( VROverlayHandle_t ulOverlayHandle, const Texture_t *pTexture ) = 0;
-
-		/** Use this to tell the overlay system to release the texture set for this overlay. */
-		virtual EVROverlayError ClearOverlayTexture( VROverlayHandle_t ulOverlayHandle ) = 0;
-
-		/** Separate interface for providing the data as a stream of bytes, but there is an upper bound on data 
-		* that can be sent. This function can only be called by the overlay's renderer process. */
-		virtual EVROverlayError SetOverlayRaw( VROverlayHandle_t ulOverlayHandle, void *pvBuffer, uint32_t unWidth, uint32_t unHeight, uint32_t unDepth ) = 0;
-
-		/** Separate interface for providing the image through a filename: can be png or jpg, and should not be bigger than 1920x1080.
-		* This function can only be called by the overlay's renderer process */
-		virtual EVROverlayError SetOverlayFromFile( VROverlayHandle_t ulOverlayHandle, const char *pchFilePath ) = 0;
-
-		/** Get the native texture handle/device for an overlay you have created.
-		* On windows this handle will be a ID3D11ShaderResourceView with a ID3D11Texture2D bound.
-		*
-		* The texture will always be sized to match the backing texture you supplied in SetOverlayTexture above.
-		*
-		* You MUST call ReleaseNativeOverlayHandle() with pNativeTextureHandle once you are done with this texture.
-		*
-		* pNativeTextureHandle is an OUTPUT, it will be a pointer to a ID3D11ShaderResourceView *.
-		* pNativeTextureRef is an INPUT and should be a ID3D11Resource *. The device used by pNativeTextureRef will be used to bind pNativeTextureHandle.
-		*/
-		virtual EVROverlayError GetOverlayTexture( VROverlayHandle_t ulOverlayHandle, void **pNativeTextureHandle, void *pNativeTextureRef, uint32_t *pWidth, uint32_t *pHeight, uint32_t *pNativeFormat, EGraphicsAPIConvention *pAPI, EColorSpace *pColorSpace ) = 0;
-
-		/** Release the pNativeTextureHandle provided from the GetOverlayTexture call, this allows the system to free the underlying GPU resources for this object,
-		* so only do it once you stop rendering this texture.
-		*/
-		virtual EVROverlayError ReleaseNativeOverlayHandle( VROverlayHandle_t ulOverlayHandle, void *pNativeTextureHandle ) = 0;
-
-		/** Get the size of the overlay texture */
-		virtual EVROverlayError GetOverlayTextureSize( VROverlayHandle_t ulOverlayHandle, uint32_t *pWidth, uint32_t *pHeight ) = 0;
-
-		// ----------------------------------------------
-		// Dashboard Overlay Methods
-		// ----------------------------------------------
-
-		/** Creates a dashboard overlay and returns its handle */
-		virtual EVROverlayError CreateDashboardOverlay( const char *pchOverlayKey, const char *pchOverlayFriendlyName, VROverlayHandle_t * pMainHandle, VROverlayHandle_t *pThumbnailHandle ) = 0;
-
-		/** Returns true if the dashboard is visible */
-		virtual bool IsDashboardVisible() = 0;
-
-		/** returns true if the dashboard is visible and the specified overlay is the active system Overlay */
-		virtual bool IsActiveDashboardOverlay( VROverlayHandle_t ulOverlayHandle ) = 0;
-
-		/** Sets the dashboard overlay to only appear when the specified process ID has scene focus */
-		virtual EVROverlayError SetDashboardOverlaySceneProcess( VROverlayHandle_t ulOverlayHandle, uint32_t unProcessId ) = 0;
-
-		/** Gets the process ID that this dashboard overlay requires to have scene focus */
-		virtual EVROverlayError GetDashboardOverlaySceneProcess( VROverlayHandle_t ulOverlayHandle, uint32_t *punProcessId ) = 0;
-
-		/** Shows the dashboard. */
-		virtual void ShowDashboard( const char *pchOverlayToShow ) = 0;
-
-		/** Returns the tracked device that has the laser pointer in the dashboard */
-		virtual vr::TrackedDeviceIndex_t GetPrimaryDashboardDevice() = 0;
-
-		// ---------------------------------------------
-		// Keyboard methods
-		// ---------------------------------------------
-		
-		/** Show the virtual keyboard to accept input **/
-		virtual EVROverlayError ShowKeyboard( EGamepadTextInputMode eInputMode, EGamepadTextInputLineMode eLineInputMode, const char *pchDescription, uint32_t unCharMax, const char *pchExistingText, bool bUseMinimalMode, uint64_t uUserValue ) = 0;
-
-		virtual EVROverlayError ShowKeyboardForOverlay( VROverlayHandle_t ulOverlayHandle, EGamepadTextInputMode eInputMode, EGamepadTextInputLineMode eLineInputMode, const char *pchDescription, uint32_t unCharMax, const char *pchExistingText, bool bUseMinimalMode, uint64_t uUserValue ) = 0;
-
-		/** Get the text that was entered into the text input **/
-		virtual uint32_t GetKeyboardText( VR_OUT_STRING() char *pchText, uint32_t cchText ) = 0;
-
-		/** Hide the virtual keyboard **/
-		virtual void HideKeyboard() = 0;
-
-		/** Set the position of the keyboard in world space **/
-		virtual void SetKeyboardTransformAbsolute( ETrackingUniverseOrigin eTrackingOrigin, const HmdMatrix34_t *pmatTrackingOriginToKeyboardTransform ) = 0;
-
-		/** Set the position of the keyboard in overlay space by telling it to avoid a rectangle in the overlay. Rectangle coords have (0,0) in the bottom left **/
-		virtual void SetKeyboardPositionForOverlay( VROverlayHandle_t ulOverlayHandle, HmdRect2_t avoidRect ) = 0;
-
-	};
-
-	static const char * const IVROverlay_Version = "IVROverlay_013";
-
-} // namespace vr
-
-// ivrrendermodels.h
-namespace vr
-{
-
-static const char * const k_pch_Controller_Component_GDC2015 = "gdc2015";   // Canonical coordinate system of the gdc 2015 wired controller, provided for backwards compatibility
-static const char * const k_pch_Controller_Component_Base = "base";         // For controllers with an unambiguous 'base'.
-static const char * const k_pch_Controller_Component_Tip = "tip";           // For controllers with an unambiguous 'tip' (used for 'laser-pointing')
-static const char * const k_pch_Controller_Component_HandGrip = "handgrip"; // Neutral, ambidextrous hand-pose when holding controller. On plane between neutrally posed index finger and thumb
-static const char * const k_pch_Controller_Component_Status = "status";		// 1:1 aspect ratio status area, with canonical [0,1] uv mapping
-
-#if defined(__linux__) || defined(__APPLE__) 
-// The 32-bit version of gcc has the alignment requirement for uint64 and double set to
-// 4 meaning that even with #pragma pack(8) these types will only be four-byte aligned.
-// The 64-bit version of gcc has the alignment requirement for these types set to
-// 8 meaning that unless we use #pragma pack(4) our structures will get bigger.
-// The 64-bit structure packing has to match the 32-bit structure packing for each platform.
-#pragma pack( push, 4 )
-#else
-#pragma pack( push, 8 )
-#endif
-
-/** Errors that can occur with the VR compositor */
-enum EVRRenderModelError
-{
-	VRRenderModelError_None = 0,
-	VRRenderModelError_Loading = 100,
-	VRRenderModelError_NotSupported = 200,
-	VRRenderModelError_InvalidArg = 300,
-	VRRenderModelError_InvalidModel = 301,
-	VRRenderModelError_NoShapes = 302,
-	VRRenderModelError_MultipleShapes = 303,
-	VRRenderModelError_TooManyVertices = 304,
-	VRRenderModelError_MultipleTextures = 305,
-	VRRenderModelError_BufferTooSmall = 306,
-	VRRenderModelError_NotEnoughNormals = 307,
-	VRRenderModelError_NotEnoughTexCoords = 308,
-
-	VRRenderModelError_InvalidTexture = 400,
-};
-
-typedef uint32_t VRComponentProperties;
-
-enum EVRComponentProperty
-{
-	VRComponentProperty_IsStatic = (1 << 0),
-	VRComponentProperty_IsVisible = (1 << 1),
-	VRComponentProperty_IsTouched = (1 << 2),
-	VRComponentProperty_IsPressed = (1 << 3),
-	VRComponentProperty_IsScrolled = (1 << 4),
-};
-
-/** Describes state information about a render-model component, including transforms and other dynamic properties */
-struct RenderModel_ComponentState_t
-{
-	HmdMatrix34_t mTrackingToComponentRenderModel;  // Transform required when drawing the component render model
-	HmdMatrix34_t mTrackingToComponentLocal;        // Transform available for attaching to a local component coordinate system (-Z out from surface )
-	VRComponentProperties uProperties;
-};
-
-/** A single vertex in a render model */
-struct RenderModel_Vertex_t
-{
-	HmdVector3_t vPosition;		// position in meters in device space
-	HmdVector3_t vNormal;
-	float rfTextureCoord[2];
-};
-
-/** A texture map for use on a render model */
-struct RenderModel_TextureMap_t
-{
-	uint16_t unWidth, unHeight; // width and height of the texture map in pixels
-	const uint8_t *rubTextureMapData;	// Map texture data. All textures are RGBA with 8 bits per channel per pixel. Data size is width * height * 4ub
-};
-
-/**  Session unique texture identifier. Rendermodels which share the same texture will have the same id.
-IDs <0 denote the texture is not present */
-
-typedef int32_t TextureID_t;
-
-const TextureID_t INVALID_TEXTURE_ID = -1;
-
-struct RenderModel_t
-{
-	const RenderModel_Vertex_t *rVertexData;	// Vertex data for the mesh
-	uint32_t unVertexCount;						// Number of vertices in the vertex data
-	const uint16_t *rIndexData;					// Indices into the vertex data for each triangle
-	uint32_t unTriangleCount;					// Number of triangles in the mesh. Index count is 3 * TriangleCount
-	TextureID_t diffuseTextureId;				// Session unique texture identifier. Rendermodels which share the same texture will have the same id. <0 == texture not present
-};
-
-struct RenderModel_ControllerMode_State_t
-{
-	bool bScrollWheelVisible; // is this controller currently set to be in a scroll wheel mode
-};
-
-#pragma pack( pop )
-
-class IVRRenderModels
-{
-public:
-
-	/** Loads and returns a render model for use in the application. pchRenderModelName should be a render model name
-	* from the Prop_RenderModelName_String property or an absolute path name to a render model on disk. 
-	*
-	* The resulting render model is valid until VR_Shutdown() is called or until FreeRenderModel() is called. When the 
-	* application is finished with the render model it should call FreeRenderModel() to free the memory associated
-	* with the model.
-	*
-	* The method returns VRRenderModelError_Loading while the render model is still being loaded.
-	* The method returns VRRenderModelError_None once loaded successfully, otherwise will return an error. */
-	virtual EVRRenderModelError LoadRenderModel_Async( const char *pchRenderModelName, RenderModel_t **ppRenderModel ) = 0;
-
-	/** Frees a previously returned render model
-	*   It is safe to call this on a null ptr. */
-	virtual void FreeRenderModel( RenderModel_t *pRenderModel ) = 0;
-
-	/** Loads and returns a texture for use in the application. */
-	virtual EVRRenderModelError LoadTexture_Async( TextureID_t textureId, RenderModel_TextureMap_t **ppTexture ) = 0;
-
-	/** Frees a previously returned texture
-	*   It is safe to call this on a null ptr. */
-	virtual void FreeTexture( RenderModel_TextureMap_t *pTexture ) = 0;
-
-	/** Creates a D3D11 texture and loads data into it. */
-	virtual EVRRenderModelError LoadTextureD3D11_Async( TextureID_t textureId, void *pD3D11Device, void **ppD3D11Texture2D ) = 0;
-
-	/** Helper function to copy the bits into an existing texture. */
-	virtual EVRRenderModelError LoadIntoTextureD3D11_Async( TextureID_t textureId, void *pDstTexture ) = 0;
-
-	/** Use this to free textures created with LoadTextureD3D11_Async instead of calling Release on them. */
-	virtual void FreeTextureD3D11( void *pD3D11Texture2D ) = 0;
-
-	/** Use this to get the names of available render models.  Index does not correlate to a tracked device index, but
-	* is only used for iterating over all available render models.  If the index is out of range, this function will return 0.
-	* Otherwise, it will return the size of the buffer required for the name. */
-	virtual uint32_t GetRenderModelName( uint32_t unRenderModelIndex, VR_OUT_STRING() char *pchRenderModelName, uint32_t unRenderModelNameLen ) = 0;
-
-	/** Returns the number of available render models. */
-	virtual uint32_t GetRenderModelCount() = 0;
-
-
-	/** Returns the number of components of the specified render model.
-	*  Components are useful when client application wish to draw, label, or otherwise interact with components of tracked objects.
-	*  Examples controller components:
-	*   renderable things such as triggers, buttons
-	*   non-renderable things which include coordinate systems such as 'tip', 'base', a neutral controller agnostic hand-pose
-	*   If all controller components are enumerated and rendered, it will be equivalent to drawing the traditional render model
-	*   Returns 0 if components not supported, >0 otherwise */
-	virtual uint32_t GetComponentCount( const char *pchRenderModelName ) = 0;
-
-	/** Use this to get the names of available components.  Index does not correlate to a tracked device index, but
-	* is only used for iterating over all available components.  If the index is out of range, this function will return 0.
-	* Otherwise, it will return the size of the buffer required for the name. */
-	virtual uint32_t GetComponentName( const char *pchRenderModelName, uint32_t unComponentIndex, VR_OUT_STRING( ) char *pchComponentName, uint32_t unComponentNameLen ) = 0;
-
-	/** Get the button mask for all buttons associated with this component
-	*   If no buttons (or axes) are associated with this component, return 0
-	*   Note: multiple components may be associated with the same button. Ex: two grip buttons on a single controller.
-	*   Note: A single component may be associated with multiple buttons. Ex: A trackpad which also provides "D-pad" functionality */
-	virtual uint64_t GetComponentButtonMask( const char *pchRenderModelName, const char *pchComponentName ) = 0;
-
-	/** Use this to get the render model name for the specified rendermode/component combination, to be passed to LoadRenderModel.
-	* If the component name is out of range, this function will return 0.
-	* Otherwise, it will return the size of the buffer required for the name. */
-	virtual uint32_t GetComponentRenderModelName( const char *pchRenderModelName, const char *pchComponentName, VR_OUT_STRING( ) char *pchComponentRenderModelName, uint32_t unComponentRenderModelNameLen ) = 0;
-
-	/** Use this to query information about the component, as a function of the controller state.
-	*
-	* For dynamic controller components (ex: trigger) values will reflect component motions
-	* For static components this will return a consistent value independent of the VRControllerState_t
-	*
-	* If the pchRenderModelName or pchComponentName is invalid, this will return false (and transforms will be set to identity).
-	* Otherwise, return true
-	* Note: For dynamic objects, visibility may be dynamic. (I.e., true/false will be returned based on controller state and controller mode state ) */
-	virtual bool GetComponentState( const char *pchRenderModelName, const char *pchComponentName, const vr::VRControllerState_t *pControllerState, const RenderModel_ControllerMode_State_t *pState, RenderModel_ComponentState_t *pComponentState ) = 0;
-
-	/** Returns true if the render model has a component with the specified name */
-	virtual bool RenderModelHasComponent( const char *pchRenderModelName, const char *pchComponentName ) = 0;
-
-	/** Returns the URL of the thumbnail image for this rendermodel */
-	virtual uint32_t GetRenderModelThumbnailURL( const char *pchRenderModelName, VR_OUT_STRING() char *pchThumbnailURL, uint32_t unThumbnailURLLen, vr::EVRRenderModelError *peError ) = 0;
-
-	/** Provides a render model path that will load the unskinned model if the model name provided has been replace by the user. If the model
-	* hasn't been replaced the path value will still be a valid path to load the model. Pass this to LoadRenderModel_Async, etc. to load the
-	* model. */
-	virtual uint32_t GetRenderModelOriginalPath( const char *pchRenderModelName, VR_OUT_STRING() char *pchOriginalPath, uint32_t unOriginalPathLen, vr::EVRRenderModelError *peError ) = 0;
-
-	/** Returns a string for a render model error */
-	virtual const char *GetRenderModelErrorNameFromEnum( vr::EVRRenderModelError error ) = 0;
-};
-
-static const char * const IVRRenderModels_Version = "IVRRenderModels_005";
-
-}
-
-
-// ivrextendeddisplay.h
-namespace vr
-{
-
-	/** NOTE: Use of this interface is not recommended in production applications. It will not work for displays which use
-	* direct-to-display mode. Creating our own window is also incompatible with the VR compositor and is not available when the compositor is running. */
-	class IVRExtendedDisplay
-	{
-	public:
-
-		/** Size and position that the window needs to be on the VR display. */
-		virtual void GetWindowBounds( int32_t *pnX, int32_t *pnY, uint32_t *pnWidth, uint32_t *pnHeight ) = 0;
-
-		/** Gets the viewport in the frame buffer to draw the output of the distortion into */
-		virtual void GetEyeOutputViewport( EVREye eEye, uint32_t *pnX, uint32_t *pnY, uint32_t *pnWidth, uint32_t *pnHeight ) = 0;
-
-		/** [D3D10/11 Only]
-		* Returns the adapter index and output index that the user should pass into EnumAdapters and EnumOutputs
-		* to create the device and swap chain in DX10 and DX11. If an error occurs both indices will be set to -1.
-		*/
-		virtual void GetDXGIOutputInfo( int32_t *pnAdapterIndex, int32_t *pnAdapterOutputIndex ) = 0;
-
-	};
-
-	static const char * const IVRExtendedDisplay_Version = "IVRExtendedDisplay_001";
-
-}
-
-
-// ivrtrackedcamera.h
-namespace vr
-{
-
-class IVRTrackedCamera
-{
-public:
-	/** Returns a string for an error */
-	virtual const char *GetCameraErrorNameFromEnum( vr::EVRTrackedCameraError eCameraError ) = 0;
-
-	/** For convenience, same as tracked property request Prop_HasCamera_Bool */
-	virtual vr::EVRTrackedCameraError HasCamera( vr::TrackedDeviceIndex_t nDeviceIndex, bool *pHasCamera ) = 0;
-
-	/** Gets size of the image frame. */
-	virtual vr::EVRTrackedCameraError GetCameraFrameSize( vr::TrackedDeviceIndex_t nDeviceIndex, vr::EVRTrackedCameraFrameType eFrameType, uint32_t *pnWidth, uint32_t *pnHeight, uint32_t *pnFrameBufferSize ) = 0;
-
-	virtual vr::EVRTrackedCameraError GetCameraIntrinisics( vr::TrackedDeviceIndex_t nDeviceIndex, vr::EVRTrackedCameraFrameType eFrameType, vr::HmdVector2_t *pFocalLength, vr::HmdVector2_t *pCenter ) = 0;
-
-	virtual vr::EVRTrackedCameraError GetCameraProjection( vr::TrackedDeviceIndex_t nDeviceIndex, vr::EVRTrackedCameraFrameType eFrameType, float flZNear, float flZFar, vr::HmdMatrix44_t *pProjection ) = 0;
-
-	/** Acquiring streaming service permits video streaming for the caller. Releasing hints the system that video services do not need to be maintained for this client.
-	* If the camera has not already been activated, a one time spin up may incur some auto exposure as well as initial streaming frame delays.
-	* The camera should be considered a global resource accessible for shared consumption but not exclusive to any caller.
-	* The camera may go inactive due to lack of active consumers or headset idleness. */
-	virtual vr::EVRTrackedCameraError AcquireVideoStreamingService( vr::TrackedDeviceIndex_t nDeviceIndex, vr::TrackedCameraHandle_t *pHandle ) = 0;
-	virtual vr::EVRTrackedCameraError ReleaseVideoStreamingService( vr::TrackedCameraHandle_t hTrackedCamera ) = 0;
-
-	/** Copies the image frame into a caller's provided buffer. The image data is currently provided as RGBA data, 4 bytes per pixel.
-	* A caller can provide null for the framebuffer or frameheader if not desired. Requesting the frame header first, followed by the frame buffer allows
-	* the caller to determine if the frame as advanced per the frame header sequence. 
-	* If there is no frame available yet, due to initial camera spinup or re-activation, the error will be VRTrackedCameraError_NoFrameAvailable.
-	* Ideally a caller should be polling at ~16ms intervals */
-	virtual vr::EVRTrackedCameraError GetVideoStreamFrameBuffer( vr::TrackedCameraHandle_t hTrackedCamera, vr::EVRTrackedCameraFrameType eFrameType, void *pFrameBuffer, uint32_t nFrameBufferSize, vr::CameraVideoStreamFrameHeader_t *pFrameHeader, uint32_t nFrameHeaderSize ) = 0;
-
-	/** Gets size of the image frame. */
-	virtual vr::EVRTrackedCameraError GetVideoStreamTextureSize( vr::TrackedDeviceIndex_t nDeviceIndex, vr::EVRTrackedCameraFrameType eFrameType, vr::VRTextureBounds_t *pTextureBounds, uint32_t *pnWidth, uint32_t *pnHeight ) = 0; 
-
-	/** Access a shared D3D11 texture for the specified tracked camera stream */
-	virtual vr::EVRTrackedCameraError GetVideoStreamTextureD3D11( vr::TrackedCameraHandle_t hTrackedCamera, vr::EVRTrackedCameraFrameType eFrameType, void *pD3D11DeviceOrResource, void **ppD3D11ShaderResourceView, vr::CameraVideoStreamFrameHeader_t *pFrameHeader, uint32_t nFrameHeaderSize ) = 0;
-
-	/** Access a shared GL texture for the specified tracked camera stream */
-	virtual vr::EVRTrackedCameraError GetVideoStreamTextureGL( vr::TrackedCameraHandle_t hTrackedCamera, vr::EVRTrackedCameraFrameType eFrameType, vr::glUInt_t *pglTextureId, vr::CameraVideoStreamFrameHeader_t *pFrameHeader, uint32_t nFrameHeaderSize ) = 0;
-	virtual vr::EVRTrackedCameraError ReleaseVideoStreamTextureGL( vr::TrackedCameraHandle_t hTrackedCamera, vr::glUInt_t glTextureId ) = 0;
-};
-
-static const char * const IVRTrackedCamera_Version = "IVRTrackedCamera_003";
-
-} // namespace vr
-
-
-// ivrscreenshots.h
-namespace vr
-{
-
-/** Errors that can occur with the VR compositor */
-enum EVRScreenshotError
-{
-	VRScreenshotError_None							= 0,
-	VRScreenshotError_RequestFailed					= 1,
-	VRScreenshotError_IncompatibleVersion			= 100,
-	VRScreenshotError_NotFound						= 101,
-	VRScreenshotError_BufferTooSmall				= 102,
-	VRScreenshotError_ScreenshotAlreadyInProgress	= 108,
-};
-
-/** Allows the application to generate screenshots */
-class IVRScreenshots
-{
-public:
-	/** Request a screenshot of the requested type.
-	 *  A request of the VRScreenshotType_Stereo type will always
-	 *  work. Other types will depend on the underlying application
-	 *  support.
-	 *  The first file name is for the preview image and should be a
-	 *  regular screenshot (ideally from the left eye). The second
-	 *  is the VR screenshot in the correct format. They should be
-	 *  in the same aspect ratio.  Formats per type:
-	 *  VRScreenshotType_Mono: the VR filename is ignored (can be
-	 *  nullptr), this is a normal flat single shot.
-	 *  VRScreenshotType_Stereo:  The VR image should be a
-	 *  side-by-side with the left eye image on the left.
-	 *  VRScreenshotType_Cubemap: The VR image should be six square
-	 *  images composited horizontally.
-	 *  VRScreenshotType_StereoPanorama: above/below with left eye
-	 *  panorama being the above image.  Image is typically square
-	 *  with the panorama being 2x horizontal.
-	 *  
-	 *  Note that the VR dashboard will call this function when
-	 *  the user presses the screenshot binding (currently System
-	 *  Button + Trigger).  If Steam is running, the destination
-	 *  file names will be in %TEMP% and will be copied into
-	 *  Steam's screenshot library for the running application
-	 *  once SubmitScreenshot() is called.
-	 *  If Steam is not running, the paths will be in the user's
-	 *  documents folder under Documents\SteamVR\Screenshots.
-	 *  Other VR applications can call this to initate a
-	 *  screenshot outside of user control.
-	 *  The destination file names do not need an extension,
-	 *  will be replaced with the correct one for the format
-	 *  which is currently .png. */
-	virtual vr::EVRScreenshotError RequestScreenshot( vr::ScreenshotHandle_t *pOutScreenshotHandle, vr::EVRScreenshotType type, const char *pchPreviewFilename, const char *pchVRFilename ) = 0;
-
-	/** Called by the running VR application to indicate that it
-	 *  wishes to be in charge of screenshots.  If the
-	 *  application does not call this, the Compositor will only
-	 *  support VRScreenshotType_Stereo screenshots that will be
-	 *  captured without notification to the running app.
-	 *  Once hooked your application will receive a
-	 *  VREvent_RequestScreenshot event when the user presses the
-	 *  buttons to take a screenshot. */
-	virtual vr::EVRScreenshotError HookScreenshot( VR_ARRAY_COUNT( numTypes ) const vr::EVRScreenshotType *pSupportedTypes, int numTypes ) = 0;
-
-	/** When your application receives a
-	 *  VREvent_RequestScreenshot event, call these functions to get
-	 *  the details of the screenshot request. */
-	virtual vr::EVRScreenshotType GetScreenshotPropertyType( vr::ScreenshotHandle_t screenshotHandle, vr::EVRScreenshotError *pError ) = 0;
-
-	/** Get the filename for the preview or vr image (see
-	 *  vr::EScreenshotPropertyFilenames).  The return value is
-	 *  the size of the string.   */
- 	virtual uint32_t GetScreenshotPropertyFilename( vr::ScreenshotHandle_t screenshotHandle, vr::EVRScreenshotPropertyFilenames filenameType, VR_OUT_STRING() char *pchFilename, uint32_t cchFilename, vr::EVRScreenshotError *pError ) = 0;
-
-	/** Call this if the application is taking the screen shot
-	 *  will take more than a few ms processing. This will result
-	 *  in an overlay being presented that shows a completion
-	 *  bar. */
-	virtual vr::EVRScreenshotError UpdateScreenshotProgress( vr::ScreenshotHandle_t screenshotHandle, float flProgress ) = 0;
-
-	/** Tells the compositor to take an internal screenshot of
-	 *  type VRScreenshotType_Stereo. It will take the current
-	 *  submitted scene textures of the running application and
-	 *  write them into the preview image and a side-by-side file
-	 *  for the VR image.
-	 *  This is similiar to request screenshot, but doesn't ever
-	 *  talk to the application, just takes the shot and submits. */
-	virtual vr::EVRScreenshotError TakeStereoScreenshot( vr::ScreenshotHandle_t *pOutScreenshotHandle, const char *pchPreviewFilename, const char *pchVRFilename ) = 0;
-
-	/** Submit the completed screenshot.  If Steam is running
-	 *  this will call into the Steam client and upload the
-	 *  screenshot to the screenshots section of the library for
-	 *  the running application.  If Steam is not running, this
-	 *  function will display a notification to the user that the
-	 *  screenshot was taken. The paths should be full paths with
-	 *  extensions.
-	 *  File paths should be absolute including
-	 *  exntensions.
-	 *  screenshotHandle can be k_unScreenshotHandleInvalid if this
-	 *  was a new shot taking by the app to be saved and not
-	 *  initiated by a user (achievement earned or something) */
-	virtual vr::EVRScreenshotError SubmitScreenshot( vr::ScreenshotHandle_t screenshotHandle, vr::EVRScreenshotType type, const char *pchSourcePreviewFilename, const char *pchSourceVRFilename ) = 0;
-};
-
-static const char * const IVRScreenshots_Version = "IVRScreenshots_001";
-
-} // namespace vr
-
-
-
-// ivrresources.h
-namespace vr
-{
-
-class IVRResources
-{
-public:
-
-	// ------------------------------------
-	// Shared Resource Methods
-	// ------------------------------------
-
-	/** Loads the specified resource into the provided buffer if large enough.
-	* Returns the size in bytes of the buffer required to hold the specified resource. */
-	virtual uint32_t LoadSharedResource( const char *pchResourceName, char *pchBuffer, uint32_t unBufferLen ) = 0;
-
-	/** Provides the full path to the specified resource. Resource names can include named directories for
-	* drivers and other things, and this resolves all of those and returns the actual physical path. 
-	* pchResourceTypeDirectory is the subdirectory of resources to look in. */
-	virtual uint32_t GetResourceFullPath( const char *pchResourceName, const char *pchResourceTypeDirectory, char *pchPathBuffer, uint32_t unBufferLen ) = 0;
-};
-
-static const char * const IVRResources_Version = "IVRResources_001";
-
-
-}// End
-
-#endif // _OPENVR_API
-
-
-namespace vr
-{
-	/** Finds the active installation of the VR API and initializes it. The provided path must be absolute
-	* or relative to the current working directory. These are the local install versions of the equivalent
-	* functions in steamvr.h and will work without a local Steam install.
-	*
-	* This path is to the "root" of the VR API install. That's the directory with
-	* the "drivers" directory and a platform (i.e. "win32") directory in it, not the directory with the DLL itself.
-	*/
-	inline IVRSystem *VR_Init( EVRInitError *peError, EVRApplicationType eApplicationType );
-
-	/** unloads vrclient.dll. Any interface pointers from the interface are
-	* invalid after this point */
-	inline void VR_Shutdown();
-
-	/** Returns true if there is an HMD attached. This check is as lightweight as possible and
-	* can be called outside of VR_Init/VR_Shutdown. It should be used when an application wants
-	* to know if initializing VR is a possibility but isn't ready to take that step yet.
-	*/
-	VR_INTERFACE bool VR_CALLTYPE VR_IsHmdPresent();
-
-	/** Returns true if the OpenVR runtime is installed. */
-	VR_INTERFACE bool VR_CALLTYPE VR_IsRuntimeInstalled();
-
-	/** Returns where the OpenVR runtime is installed. */
-	VR_INTERFACE const char *VR_CALLTYPE VR_RuntimePath();
-
-	/** Returns the name of the enum value for an EVRInitError. This function may be called outside of VR_Init()/VR_Shutdown(). */
-	VR_INTERFACE const char *VR_CALLTYPE VR_GetVRInitErrorAsSymbol( EVRInitError error );
-
-	/** Returns an english string for an EVRInitError. Applications should call VR_GetVRInitErrorAsSymbol instead and
-	* use that as a key to look up their own localized error message. This function may be called outside of VR_Init()/VR_Shutdown(). */
-	VR_INTERFACE const char *VR_CALLTYPE VR_GetVRInitErrorAsEnglishDescription( EVRInitError error );
-
-	/** Returns the interface of the specified version. This method must be called after VR_Init. The
-	* pointer returned is valid until VR_Shutdown is called.
-	*/
-	VR_INTERFACE void *VR_CALLTYPE VR_GetGenericInterface( const char *pchInterfaceVersion, EVRInitError *peError );
-
-	/** Returns whether the interface of the specified version exists.
-	*/
-	VR_INTERFACE bool VR_CALLTYPE VR_IsInterfaceVersionValid( const char *pchInterfaceVersion );
-
-	/** Returns a token that represents whether the VR interface handles need to be reloaded */
-	VR_INTERFACE uint32_t VR_CALLTYPE VR_GetInitToken();
-
-	// These typedefs allow old enum names from SDK 0.9.11 to be used in applications.
-	// They will go away in the future.
-	typedef EVRInitError HmdError;
-	typedef EVREye Hmd_Eye;
-	typedef EGraphicsAPIConvention GraphicsAPIConvention;
-	typedef EColorSpace ColorSpace;
-	typedef ETrackingResult HmdTrackingResult;
-	typedef ETrackedDeviceClass TrackedDeviceClass;
-	typedef ETrackingUniverseOrigin TrackingUniverseOrigin;
-	typedef ETrackedDeviceProperty TrackedDeviceProperty;
-	typedef ETrackedPropertyError TrackedPropertyError;
-	typedef EVRSubmitFlags VRSubmitFlags_t;
-	typedef EVRState VRState_t;
-	typedef ECollisionBoundsStyle CollisionBoundsStyle_t;
-	typedef EVROverlayError VROverlayError;
-	typedef EVRFirmwareError VRFirmwareError;
-	typedef EVRCompositorError VRCompositorError;
-	typedef EVRScreenshotError VRScreenshotsError;
-
-	inline uint32_t &VRToken()
-	{
-		static uint32_t token;
-		return token;
-	}
-
-	class COpenVRContext
-	{
-	public:
-		COpenVRContext() { Clear(); }
-		void Clear();
-
-		inline void CheckClear()
-		{
-			if ( VRToken() != VR_GetInitToken() )
-			{
-				Clear();
-				VRToken() = VR_GetInitToken();
-			}
-		}
-
-		IVRSystem *VRSystem()
-		{
-			CheckClear();
-			if ( m_pVRSystem == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRSystem = ( IVRSystem * )VR_GetGenericInterface( IVRSystem_Version, &eError );
-			}
-			return m_pVRSystem;
-		}
-		IVRChaperone *VRChaperone()
-		{
-			CheckClear();
-			if ( m_pVRChaperone == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRChaperone = ( IVRChaperone * )VR_GetGenericInterface( IVRChaperone_Version, &eError );
-			}
-			return m_pVRChaperone;
-		}
-
-		IVRChaperoneSetup *VRChaperoneSetup()
-		{
-			CheckClear();
-			if ( m_pVRChaperoneSetup == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRChaperoneSetup = ( IVRChaperoneSetup * )VR_GetGenericInterface( IVRChaperoneSetup_Version, &eError );
-			}
-			return m_pVRChaperoneSetup;
-		}
-
-		IVRCompositor *VRCompositor()
-		{
-			CheckClear();
-			if ( m_pVRCompositor == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRCompositor = ( IVRCompositor * )VR_GetGenericInterface( IVRCompositor_Version, &eError );
-			}
-			return m_pVRCompositor;
-		}
-
-		IVROverlay *VROverlay()
-		{
-			CheckClear();
-			if ( m_pVROverlay == nullptr )
-			{
-				EVRInitError eError;
-				m_pVROverlay = ( IVROverlay * )VR_GetGenericInterface( IVROverlay_Version, &eError );
-			}
-			return m_pVROverlay;
-		}
-
-		IVRResources *VRResources()
-		{
-			CheckClear();
-			if ( m_pVRResources == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRResources = (IVRResources *)VR_GetGenericInterface( IVRResources_Version, &eError );
-			}
-			return m_pVRResources;
-		}
-
-		IVRScreenshots *VRScreenshots()
-		{
-			CheckClear();
-			if ( m_pVRScreenshots == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRScreenshots = ( IVRScreenshots * )VR_GetGenericInterface( IVRScreenshots_Version, &eError );
-			}
-			return m_pVRScreenshots;
-		}
-
-		IVRRenderModels *VRRenderModels()
-		{
-			CheckClear();
-			if ( m_pVRRenderModels == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRRenderModels = ( IVRRenderModels * )VR_GetGenericInterface( IVRRenderModels_Version, &eError );
-			}
-			return m_pVRRenderModels;
-		}
-
-		IVRExtendedDisplay *VRExtendedDisplay()
-		{
-			CheckClear();
-			if ( m_pVRExtendedDisplay == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRExtendedDisplay = ( IVRExtendedDisplay * )VR_GetGenericInterface( IVRExtendedDisplay_Version, &eError );
-			}
-			return m_pVRExtendedDisplay;
-		}
-
-		IVRSettings *VRSettings()
-		{
-			CheckClear();
-			if ( m_pVRSettings == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRSettings = ( IVRSettings * )VR_GetGenericInterface( IVRSettings_Version, &eError );
-			}
-			return m_pVRSettings;
-		}
-
-		IVRApplications *VRApplications()
-		{
-			CheckClear();
-			if ( m_pVRApplications == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRApplications = ( IVRApplications * )VR_GetGenericInterface( IVRApplications_Version, &eError );
-			}
-			return m_pVRApplications;
-		}
-
-		IVRTrackedCamera *VRTrackedCamera()
-		{
-			CheckClear();
-			if ( m_pVRTrackedCamera == nullptr )
-			{
-				EVRInitError eError;
-				m_pVRTrackedCamera = ( IVRTrackedCamera * )VR_GetGenericInterface( IVRTrackedCamera_Version, &eError );
-			}
-			return m_pVRTrackedCamera;
-		}
-
-	private:
-		IVRSystem			*m_pVRSystem;
-		IVRChaperone		*m_pVRChaperone;
-		IVRChaperoneSetup	*m_pVRChaperoneSetup;
-		IVRCompositor		*m_pVRCompositor;
-		IVROverlay			*m_pVROverlay;
-		IVRResources		*m_pVRResources;
-		IVRRenderModels		*m_pVRRenderModels;
-		IVRExtendedDisplay	*m_pVRExtendedDisplay;
-		IVRSettings			*m_pVRSettings;
-		IVRApplications		*m_pVRApplications;
-		IVRTrackedCamera	*m_pVRTrackedCamera;
-		IVRScreenshots		*m_pVRScreenshots;
-	};
-
-	inline COpenVRContext &OpenVRInternal_ModuleContext()
-	{
-		static void *ctx[ sizeof( COpenVRContext ) / sizeof( void * ) ];
-		return *( COpenVRContext * )ctx; // bypass zero-init constructor
-	}
-
-	inline IVRSystem *VR_CALLTYPE VRSystem() { return OpenVRInternal_ModuleContext().VRSystem(); }
-	inline IVRChaperone *VR_CALLTYPE VRChaperone() { return OpenVRInternal_ModuleContext().VRChaperone(); }
-	inline IVRChaperoneSetup *VR_CALLTYPE VRChaperoneSetup() { return OpenVRInternal_ModuleContext().VRChaperoneSetup(); }
-	inline IVRCompositor *VR_CALLTYPE VRCompositor() { return OpenVRInternal_ModuleContext().VRCompositor(); }
-	inline IVROverlay *VR_CALLTYPE VROverlay() { return OpenVRInternal_ModuleContext().VROverlay(); }
-	inline IVRScreenshots *VR_CALLTYPE VRScreenshots() { return OpenVRInternal_ModuleContext().VRScreenshots(); }
-	inline IVRRenderModels *VR_CALLTYPE VRRenderModels() { return OpenVRInternal_ModuleContext().VRRenderModels(); }
-	inline IVRApplications *VR_CALLTYPE VRApplications() { return OpenVRInternal_ModuleContext().VRApplications(); }
-	inline IVRSettings *VR_CALLTYPE VRSettings() { return OpenVRInternal_ModuleContext().VRSettings(); }
-	inline IVRResources *VR_CALLTYPE VRResources() { return OpenVRInternal_ModuleContext().VRResources(); }
-	inline IVRExtendedDisplay *VR_CALLTYPE VRExtendedDisplay() { return OpenVRInternal_ModuleContext().VRExtendedDisplay(); }
-	inline IVRTrackedCamera *VR_CALLTYPE VRTrackedCamera() { return OpenVRInternal_ModuleContext().VRTrackedCamera(); }
-
-	inline void COpenVRContext::Clear()
-	{
-		m_pVRSystem = nullptr;
-		m_pVRChaperone = nullptr;
-		m_pVRChaperoneSetup = nullptr;
-		m_pVRCompositor = nullptr;
-		m_pVROverlay = nullptr;
-		m_pVRRenderModels = nullptr;
-		m_pVRExtendedDisplay = nullptr;
-		m_pVRSettings = nullptr;
-		m_pVRApplications = nullptr;
-		m_pVRTrackedCamera = nullptr;
-		m_pVRResources = nullptr;
-		m_pVRScreenshots = nullptr;
-	}
-
-	VR_INTERFACE uint32_t VR_CALLTYPE VR_InitInternal( EVRInitError *peError, EVRApplicationType eApplicationType );
-	VR_INTERFACE void VR_CALLTYPE VR_ShutdownInternal();
-
-	/** Finds the active installation of vrclient.dll and initializes it */
-	inline IVRSystem *VR_Init( EVRInitError *peError, EVRApplicationType eApplicationType )
-	{
-		IVRSystem *pVRSystem = nullptr;
-
-		EVRInitError eError;
-		VRToken() = VR_InitInternal( &eError, eApplicationType );
-		COpenVRContext &ctx = OpenVRInternal_ModuleContext();
-		ctx.Clear();
-
-		if ( eError == VRInitError_None )
-		{
-			if ( VR_IsInterfaceVersionValid( IVRSystem_Version ) )
-			{
-				pVRSystem = VRSystem();
-			}
-			else
-			{
-				VR_ShutdownInternal();
-				eError = VRInitError_Init_InterfaceNotFound;
-			}
-		}
-
-		if ( peError )
-			*peError = eError;
-		return pVRSystem;
-	}
-
-	/** unloads vrclient.dll. Any interface pointers from the interface are
-	* invalid after this point */
-	inline void VR_Shutdown()
-	{
-		VR_ShutdownInternal();
-	}
-}
diff --git a/gfx/vr/osvr/ClientKit/ClientKitC.h b/gfx/vr/osvr/ClientKit/ClientKitC.h
deleted file mode 100644
index 8309e890d3..0000000000
--- a/gfx/vr/osvr/ClientKit/ClientKitC.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_ClientKitC_h_GUID_8D7DF104_892D_4CB5_2302_7C6BB5BC985C
-#define INCLUDED_ClientKitC_h_GUID_8D7DF104_892D_4CB5_2302_7C6BB5BC985C
-
-#include <osvr/ClientKit/ContextC.h>
-#include <osvr/ClientKit/InterfaceC.h>
-#include <osvr/ClientKit/InterfaceCallbackC.h>
-#include <osvr/ClientKit/SystemCallbackC.h>
-
-#endif
diff --git a/gfx/vr/osvr/ClientKit/ContextC.h b/gfx/vr/osvr/ClientKit/ContextC.h
deleted file mode 100644
index e07e1b4a77..0000000000
--- a/gfx/vr/osvr/ClientKit/ContextC.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @todo Apply annotation macros
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_ContextC_h_GUID_3790F330_2425_4486_4C9F_20C300D7DED3
-#define INCLUDED_ContextC_h_GUID_3790F330_2425_4486_4C9F_20C300D7DED3
-
-/* Internal Includes */
-#include <osvr/ClientKit/Export.h>
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/ReturnCodesC.h>
-#include <osvr/Util/AnnotationMacrosC.h>
-#include <osvr/Util/StdInt.h>
-#include <osvr/Util/ClientOpaqueTypesC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup ClientKit
-    @{
-*/
-
-/** @brief Initialize the library.
-
-    @param applicationIdentifier A null terminated string identifying your
-   application. Reverse DNS format strongly suggested.
-    @param flags initialization options (reserved) - pass 0 for now.
-
-    @returns Client context - will be needed for subsequent calls
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ClientContext osvrClientInit(
-    const char applicationIdentifier[], uint32_t flags OSVR_CPP_ONLY(= 0));
-
-/** @brief Updates the state of the context - call regularly in your mainloop.
-
-    @param ctx Client context
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrClientUpdate(OSVR_ClientContext ctx);
-
-/** @brief Checks to see if the client context is fully started up and connected
-    properly to a server.
-
-    If this reports that the client context is not OK, there may not be a server
-    running, or you may just have to call osvrClientUpdate() a few times to
-    permit startup to finish. The return value of this call will not change from
-    failure to success without calling osvrClientUpdate().
-
-    @param ctx Client context
-
-    @return OSVR_RETURN_FAILURE if not yet fully connected/initialized, or if
-    some other error (null context) occurs.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientCheckStatus(OSVR_ClientContext ctx);
-
-/** @brief Shutdown the library.
-    @param ctx Client context
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientShutdown(OSVR_ClientContext ctx);
-
-/** @} */
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/ClientKit/DisplayC.h b/gfx/vr/osvr/ClientKit/DisplayC.h
deleted file mode 100644
index 75155e6b30..0000000000
--- a/gfx/vr/osvr/ClientKit/DisplayC.h
+++ /dev/null
@@ -1,506 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2015
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2015 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//        http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_DisplayC_h_GUID_8658EDC9_32A2_49A2_5F5C_10F67852AE74
-#define INCLUDED_DisplayC_h_GUID_8658EDC9_32A2_49A2_5F5C_10F67852AE74
-
-/* Internal Includes */
-#include <osvr/ClientKit/Export.h>
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/ReturnCodesC.h>
-#include <osvr/Util/ClientOpaqueTypesC.h>
-#include <osvr/Util/RenderingTypesC.h>
-#include <osvr/Util/MatrixConventionsC.h>
-#include <osvr/Util/Pose3C.h>
-#include <osvr/Util/BoolC.h>
-#include <osvr/Util/RadialDistortionParametersC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-/** @addtogroup ClientKit
-    @{
-    @name Display API
-    @{
-*/
-
-/** @brief Opaque type of a display configuration. */
-typedef struct OSVR_DisplayConfigObject *OSVR_DisplayConfig;
-
-/** @brief Allocates a display configuration object populated with data from the
-    OSVR system.
-
-    Before this call will succeed, your application will need to be correctly
-   and fully connected to an OSVR server. You may consider putting this call in
-   a loop alternating with osvrClientUpdate() until this call succeeds.
-
-    Data provided by a display configuration object:
-
-    - The logical display topology (number and relationship of viewers, eyes,
-        and surfaces), which remains constant throughout the life of the
-        configuration object. (A method of notification of change here is TBD).
-    - Pose data for viewers (not required for rendering) and pose/view data for
-        eyes (used for rendering) which is based on tracker data: if used, these
-        should be queried every frame.
-    - Projection matrix data for surfaces, which while in current practice may
-        be relatively unchanging, we are not guaranteeing them to be constant:
-        these should be queried every frame.
-    - Video-input-relative viewport size/location for a surface: would like this
-        to be variable, but probably not feasible. If you have input, please
-        comment on the dev mailing list.
-    - Per-surface distortion strategy priorities/availabilities: constant. Note
-        the following, though...
-    - Per-surface distortion strategy parameters: variable, request each frame.
-        (Could make constant with a notification if needed?)
-
-    Important note: While most of this data is immediately available if you are
-   successful in getting a display config object, the pose-based data (viewer
-   pose, eye pose, eye view matrix) needs tracker state, so at least one (and in
-   practice, typically more) osvrClientUpdate() must be performed before a new
-   tracker report is available to populate that state. See
-   osvrClientCheckDisplayStartup() to query if all startup data is available.
-
-    @todo Decide if relative viewport should be constant in a display config,
-   and update docs accordingly.
-
-    @todo Decide if distortion params should be constant in a display config,
-   and update docs accordingly.
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed or some other
-    error occurred, in which case the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetDisplay(OSVR_ClientContext ctx, OSVR_DisplayConfig *disp);
-
-/** @brief Frees a display configuration object. The corresponding context must
-    still be open.
-
-    If you fail to call this, it will be automatically called as part of
-    clean-up when the corresponding context is closed.
-
-    @return OSVR_RETURN_FAILURE if a null config was passed, or if the given
-    display object was already freed.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientFreeDisplay(OSVR_DisplayConfig disp);
-
-/** @brief Checks to see if a display is fully configured and ready, including
-    having received its first pose update.
-
-    Once this first succeeds, it will continue to succeed for the lifetime of
-    the display config object, so it is not necessary to keep calling once you
-    get a successful result.
-
-    @return OSVR_RETURN_FAILURE if a null config was passed, or if the given
-    display config object was otherwise not ready for full use.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientCheckDisplayStartup(OSVR_DisplayConfig disp);
-
-/** @brief A display config can have one or more display inputs to pass pixels
-    over (HDMI/DVI connections, etc): retrieve the number of display inputs in
-   the current configuration.
-
-    @param disp Display config object.
-    @param[out] numDisplayInputs Number of display inputs in the logical display
-    topology, **constant** throughout the active, valid lifetime of a display
-    config object.
-
-    @sa OSVR_DisplayInputCount
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in
-   which case the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrClientGetNumDisplayInputs(
-    OSVR_DisplayConfig disp, OSVR_DisplayInputCount *numDisplayInputs);
-
-/** @brief Retrieve the pixel dimensions of a given display input for a display
-   config
-
-    @param disp Display config object.
-    @param displayInputIndex The zero-based index of the display input.
-    @param[out] width Width (in pixels) of the display input.
-    @param[out] height Height (in pixels) of the display input.
-
-    The out parameters are **constant** throughout the active, valid lifetime of
-    a display config object.
-
-    @sa OSVR_DisplayDimension
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in
-   which case the output arguments are unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrClientGetDisplayDimensions(
-    OSVR_DisplayConfig disp, OSVR_DisplayInputCount displayInputIndex,
-    OSVR_DisplayDimension *width, OSVR_DisplayDimension *height);
-
-/** @brief A display config can have one (or theoretically more) viewers:
-    retrieve the viewer count.
-
-    @param disp Display config object.
-    @param[out] viewers Number of viewers in the logical display topology,
-    **constant** throughout the active, valid lifetime of a display config
-    object.
-
-    @sa OSVR_ViewerCount
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which case
-   the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetNumViewers(OSVR_DisplayConfig disp, OSVR_ViewerCount *viewers);
-
-/** @brief Get the pose of a viewer in a display config.
-
-    Note that there may not necessarily be any surfaces rendered from this pose
-    (it's the unused "center" eye in a stereo configuration, for instance) so
-    only use this if it makes integration into your engine or existing
-    applications (not originally designed for stereo) easier.
-
-    Will only succeed if osvrClientCheckDisplayStartup() succeeds.
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed or no pose was
-    yet available, in which case the pose argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrClientGetViewerPose(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_Pose3 *pose);
-
-/** @brief Each viewer in a display config can have one or more "eyes" which
-    have a substantially similar pose: get the count.
-
-    @param disp Display config object.
-    @param viewer Viewer ID
-    @param[out] eyes Number of eyes for this viewer in the logical display
-   topology, **constant** throughout the active, valid lifetime of a display
-   config object
-
-    @sa OSVR_EyeCount
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which case
-    the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrClientGetNumEyesForViewer(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount *eyes);
-
-/** @brief Get the "viewpoint" for the given eye of a viewer in a display
-   config.
-
-    Will only succeed if osvrClientCheckDisplayStartup() succeeds.
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param[out] pose Room-space pose (not relative to pose of the viewer)
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed or no pose was
-    yet available, in which case the pose argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetViewerEyePose(OSVR_DisplayConfig disp, OSVR_ViewerCount viewer,
-                           OSVR_EyeCount eye, OSVR_Pose3 *pose);
-
-/** @brief Get the view matrix (inverse of pose) for the given eye of a
-    viewer in a display config - matrix of **doubles**.
-
-    Will only succeed if osvrClientCheckDisplayStartup() succeeds.
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param flags Bitwise OR of matrix convention flags (see @ref MatrixFlags)
-    @param[out] mat Pass a double[::OSVR_MATRIX_SIZE] to get the transformation
-    matrix from room space to eye space (not relative to pose of the viewer)
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed or no pose was
-    yet available, in which case the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrClientGetViewerEyeViewMatrixd(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_MatrixConventions flags, double *mat);
-
-/** @brief Get the view matrix (inverse of pose) for the given eye of a
-    viewer in a display config - matrix of **floats**.
-
-    Will only succeed if osvrClientCheckDisplayStartup() succeeds.
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param flags Bitwise OR of matrix convention flags (see @ref MatrixFlags)
-    @param[out] mat Pass a float[::OSVR_MATRIX_SIZE] to get the transformation
-    matrix from room space to eye space (not relative to pose of the viewer)
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed or no pose was
-    yet available, in which case the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrClientGetViewerEyeViewMatrixf(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_MatrixConventions flags, float *mat);
-
-/** @brief Each eye of each viewer in a display config has one or more surfaces
-    (aka "screens") on which content should be rendered.
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param[out] surfaces Number of surfaces (numbered [0, surfaces - 1]) for the
-    given viewer and eye. **Constant** throughout the active, valid lifetime of
-    a display config object.
-
-    @sa OSVR_SurfaceCount
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which case
-    the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrClientGetNumSurfacesForViewerEye(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_SurfaceCount *surfaces);
-
-/** @brief Get the dimensions/location of the viewport **within the display
-    input** for a surface seen by an eye of a viewer in a display config. (This
-    does not include other video inputs that may be on a single virtual desktop,
-    etc. or explicitly account for display configurations that use multiple
-    video inputs. It does not necessarily indicate that a viewport in the sense
-    of glViewport must be created with these parameters, though the parameter
-    order matches for convenience.)
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param surface Surface ID
-    @param[out] left Output: Distance in pixels from the left of the video input
-    to the left of the viewport.
-    @param[out] bottom Output: Distance in pixels from the bottom of the video
-    input to the bottom of the viewport.
-    @param[out] width Output: Width of viewport in pixels.
-    @param[out] height Output: Height of viewport in pixels.
-
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which case
-    the output arguments are unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetRelativeViewportForViewerEyeSurface(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_SurfaceCount surface, OSVR_ViewportDimension *left,
-    OSVR_ViewportDimension *bottom, OSVR_ViewportDimension *width,
-    OSVR_ViewportDimension *height);
-
-/** @brief Get the index of the display input for a surface seen by an eye of a
-   viewer in a display config.
-
-    This is the OSVR-assigned display input: it may not (and in practice,
-    usually will not) match any platform-specific display indices. This function
-    exists to associate surfaces with video inputs as enumerated by
-    osvrClientGetNumDisplayInputs().
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param surface Surface ID
-    @param[out] displayInput Zero-based index of the display input pixels for
-    this surface are tranmitted over.
-
-    This association is **constant** throughout the active, valid lifetime of a
-    display config object.
-
-    @sa osvrClientGetNumDisplayInputs(),
-    osvrClientGetRelativeViewportForViewerEyeSurface()
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which
-    case the output argument is unmodified.
- */
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetViewerEyeSurfaceDisplayInputIndex(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_SurfaceCount surface, OSVR_DisplayInputCount *displayInput);
-
-/** @brief Get the projection matrix for a surface seen by an eye of a viewer
-    in a display config. (double version)
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param surface Surface ID
-    @param near Distance from viewpoint to near clipping plane - must be
-    positive.
-    @param far Distance from viewpoint to far clipping plane - must be positive
-    and not equal to near, typically greater than near.
-    @param flags Bitwise OR of matrix convention flags (see @ref MatrixFlags)
-    @param[out] matrix Output projection matrix: supply an array of 16
-    (::OSVR_MATRIX_SIZE) doubles.
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which case
-    the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetViewerEyeSurfaceProjectionMatrixd(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_SurfaceCount surface, double near, double far,
-    OSVR_MatrixConventions flags, double *matrix);
-
-/** @brief Get the projection matrix for a surface seen by an eye of a viewer
-    in a display config. (float version)
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param surface Surface ID
-    @param near Distance to near clipping plane - must be nonzero, typically
-    positive.
-    @param far Distance to far clipping plane - must be nonzero, typically
-    positive and greater than near.
-    @param flags Bitwise OR of matrix convention flags (see @ref MatrixFlags)
-    @param[out] matrix Output projection matrix: supply an array of 16
-    (::OSVR_MATRIX_SIZE) floats.
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which case
-    the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetViewerEyeSurfaceProjectionMatrixf(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_SurfaceCount surface, float near, float far,
-    OSVR_MatrixConventions flags, float *matrix);
-
-/** @brief Get the clipping planes (positions at unit distance) for a surface
-   seen by an eye of a viewer
-    in a display config.
-
-    This is only for use in integrations that cannot accept a fully-formulated
-    projection matrix as returned by
-    osvrClientGetViewerEyeSurfaceProjectionMatrixf() or
-    osvrClientGetViewerEyeSurfaceProjectionMatrixd(), and may not necessarily
-    provide the same optimizations.
-
-    As all the planes are given at unit (1) distance, before passing these
-   planes to a consuming function in your application/engine, you will typically
-   divide them by your near clipping plane distance.
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param surface Surface ID
-    @param[out] left Distance to left clipping plane
-    @param[out] right Distance to right clipping plane
-    @param[out] bottom Distance to bottom clipping plane
-    @param[out] top Distance to top clipping plane
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which case
-    the output arguments are unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetViewerEyeSurfaceProjectionClippingPlanes(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_SurfaceCount surface, double *left, double *right, double *bottom,
-    double *top);
-
-/** @brief Determines if a surface seen by an eye of a viewer in a display
-    config requests some distortion to be performed.
-
-    This simply reports true or false, and does not specify which kind of
-    distortion implementations have been parameterized for this display. For
-    each distortion implementation your application supports, you'll want to
-    call the corresponding priority function to find out if it is available.
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param surface Surface ID
-    @param[out] distortionRequested Output parameter: whether distortion is
-    requested. **Constant** throughout the active, valid lifetime of a display
-    config object.
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which case
-    the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientDoesViewerEyeSurfaceWantDistortion(OSVR_DisplayConfig disp,
-                                             OSVR_ViewerCount viewer,
-                                             OSVR_EyeCount eye,
-                                             OSVR_SurfaceCount surface,
-                                             OSVR_CBool *distortionRequested);
-
-/** @brief Returns the priority/availability of radial distortion parameters for
-    a surface seen by an eye of a viewer in a display config.
-
-    If osvrClientDoesViewerEyeSurfaceWantDistortion() reports false, then the
-    display does not request distortion of any sort, and thus neither this nor
-    any other distortion strategy priority function will report an "available"
-    priority.
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param surface Surface ID
-    @param[out] priority Output: the priority level. Negative values
-    (canonically OSVR_DISTORTION_PRIORITY_UNAVAILABLE) indicate this technique
-    not available, higher values indicate higher preference for the given
-    technique based on the device's description. **Constant** throughout the
-    active, valid lifetime of a display config object.
-
-    @return OSVR_RETURN_FAILURE if invalid parameters were passed, in which case
-    the output argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetViewerEyeSurfaceRadialDistortionPriority(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_SurfaceCount surface, OSVR_DistortionPriority *priority);
-
-/** @brief Returns the radial distortion parameters, if known/requested, for a
-    surface seen by an eye of a viewer in a display config.
-
-    Will only succeed if osvrClientGetViewerEyeSurfaceRadialDistortionPriority()
-    reports a non-negative priority.
-
-    @param disp Display config object
-    @param viewer Viewer ID
-    @param eye Eye ID
-    @param surface Surface ID
-    @param[out] params Output: the parameters for radial distortion
-
-    @return OSVR_RETURN_FAILURE if this surface does not have these parameters
-    described, or if invalid parameters were passed, in which case the output
-    argument is unmodified.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetViewerEyeSurfaceRadialDistortion(
-    OSVR_DisplayConfig disp, OSVR_ViewerCount viewer, OSVR_EyeCount eye,
-    OSVR_SurfaceCount surface, OSVR_RadialDistortionParameters *params);
-
-/** @}
-    @}
-*/
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/ClientKit/Export.h b/gfx/vr/osvr/ClientKit/Export.h
deleted file mode 100644
index 94d5f44f4e..0000000000
--- a/gfx/vr/osvr/ClientKit/Export.h
+++ /dev/null
@@ -1,138 +0,0 @@
-/** @file
-    @brief Automatically-generated export header - do not edit!
-
-    @date 2016
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-// Copyright 2016 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef OSVR_CLIENTKIT_EXPORT_H
-#define OSVR_CLIENTKIT_EXPORT_H
-
-#ifdef OSVR_CLIENTKIT_STATIC_DEFINE
-#  define OSVR_CLIENTKIT_EXPORT
-#  define OSVR_CLIENTKIT_NO_EXPORT
-#endif
-
-/* Per-compiler advance preventative definition */
-#if defined(__BORLANDC__) || defined(__CODEGEARC__) || defined(__HP_aCC) ||    \
-    defined(__PGI) || defined(__WATCOMC__)
-/* Compilers that don't support deprecated, according to CMake. */
-#  ifndef OSVR_CLIENTKIT_DEPRECATED
-#    define OSVR_CLIENTKIT_DEPRECATED
-#  endif
-#endif
-
-/* Check for attribute support */
-#if defined(__INTEL_COMPILER)
-/* Checking before GNUC because Intel implements GNU extensions,
- * so it chooses to define __GNUC__ as well. */
-#  if __INTEL_COMPILER >= 1200
-/* Intel compiler 12.0 or newer can handle these attributes per CMake */
-#    define OSVR_CLIENTKIT_EXPORT_HEADER_SUPPORTS_ATTRIBUTES
-#  endif
-
-#elif defined(__GNUC__)
-#  if (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 2))
-/* GCC 4.2+ */
-#    define OSVR_CLIENTKIT_EXPORT_HEADER_SUPPORTS_ATTRIBUTES
-#  endif
-#endif
-
-/* Per-platform defines */
-#if defined(_MSC_VER)
-/* MSVC on Windows */
-
-#ifndef OSVR_CLIENTKIT_EXPORT
-#  ifdef osvrClientKit_EXPORTS
-      /* We are building this library */
-#    define OSVR_CLIENTKIT_EXPORT __declspec(dllexport)
-#  else
-      /* We are using this library */
-#    define OSVR_CLIENTKIT_EXPORT __declspec(dllimport)
-#  endif
-#endif
-
-#ifndef OSVR_CLIENTKIT_DEPRECATED
-#  define OSVR_CLIENTKIT_DEPRECATED __declspec(deprecated)
-#endif
-
-#elif defined(_WIN32) && defined(__GNUC__)
-/* GCC-compatible on Windows */
-
-#ifndef OSVR_CLIENTKIT_EXPORT
-#  ifdef osvrClientKit_EXPORTS
-      /* We are building this library */
-#    define OSVR_CLIENTKIT_EXPORT __attribute__((dllexport))
-#  else
-      /* We are using this library */
-#    define OSVR_CLIENTKIT_EXPORT __attribute__((dllimport))
-#  endif
-#endif
-
-#ifndef OSVR_CLIENTKIT_DEPRECATED
-#  define OSVR_CLIENTKIT_DEPRECATED __attribute__((__deprecated__))
-#endif
-
-#elif defined(OSVR_CLIENTKIT_EXPORT_HEADER_SUPPORTS_ATTRIBUTES) ||         \
-    (defined(__APPLE__) && defined(__MACH__))
-/* GCC4.2+ compatible (assuming something *nix-like) and Mac OS X */
-/* (The first macro is defined at the top of the file, if applicable) */
-/* see https://gcc.gnu.org/wiki/Visibility */
-
-#ifndef OSVR_CLIENTKIT_EXPORT
-  /* We are building/using this library */
-#  define OSVR_CLIENTKIT_EXPORT __attribute__((visibility("default")))
-#endif
-
-#ifndef OSVR_CLIENTKIT_NO_EXPORT
-#  define OSVR_CLIENTKIT_NO_EXPORT __attribute__((visibility("hidden")))
-#endif
-
-#ifndef OSVR_CLIENTKIT_DEPRECATED
-#  define OSVR_CLIENTKIT_DEPRECATED __attribute__((__deprecated__))
-#endif
-
-#endif
-/* End of platform ifdefs */
-
-/* fallback def */
-#ifndef OSVR_CLIENTKIT_EXPORT
-#  define OSVR_CLIENTKIT_EXPORT
-#endif
-
-/* fallback def */
-#ifndef OSVR_CLIENTKIT_NO_EXPORT
-#  define OSVR_CLIENTKIT_NO_EXPORT
-#endif
-
-/* fallback def */
-#ifndef OSVR_CLIENTKIT_DEPRECATED_EXPORT
-#  define OSVR_CLIENTKIT_DEPRECATED_EXPORT OSVR_CLIENTKIT_EXPORT OSVR_CLIENTKIT_DEPRECATED
-#endif
-
-/* fallback def */
-#ifndef OSVR_CLIENTKIT_DEPRECATED_NO_EXPORT
-#  define OSVR_CLIENTKIT_DEPRECATED_NO_EXPORT OSVR_CLIENTKIT_NO_EXPORT OSVR_CLIENTKIT_DEPRECATED
-#endif
-
-/* Clean up after ourselves */
-#undef OSVR_CLIENTKIT_EXPORT_HEADER_SUPPORTS_ATTRIBUTES
-
-#endif
diff --git a/gfx/vr/osvr/ClientKit/InterfaceC.h b/gfx/vr/osvr/ClientKit/InterfaceC.h
deleted file mode 100644
index 728350536d..0000000000
--- a/gfx/vr/osvr/ClientKit/InterfaceC.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_InterfaceC_h_GUID_D90BBAA6_AD62_499D_C023_2F6ED8987C17
-#define INCLUDED_InterfaceC_h_GUID_D90BBAA6_AD62_499D_C023_2F6ED8987C17
-
-/* Internal Includes */
-#include <osvr/ClientKit/Export.h>
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/ReturnCodesC.h>
-#include <osvr/Util/AnnotationMacrosC.h>
-#include <osvr/Util/ClientOpaqueTypesC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-/** @addtogroup ClientKit
-@{
-*/
-
-/** @brief Get the interface associated with the given path.
-    @param ctx Client context
-    @param path A resource path (null-terminated string)
-    @param[out] iface The interface object. May be freed when no longer needed,
-   otherwise it will be freed when the context is closed.
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientGetInterface(OSVR_ClientContext ctx, const char path[],
-                       OSVR_ClientInterface *iface);
-
-/** @brief Free an interface object before context closure.
-
-    @param ctx Client context
-    @param iface The interface object
-
-    @returns OSVR_RETURN_SUCCESS unless a null context or interface was passed
-   or the given interface was not found in the context (i.e. had already been
-   freed)
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientFreeInterface(OSVR_ClientContext ctx, OSVR_ClientInterface iface);
-
-/** @} */
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/ClientKit/InterfaceCallbackC.h b/gfx/vr/osvr/ClientKit/InterfaceCallbackC.h
deleted file mode 100644
index dde1cef977..0000000000
--- a/gfx/vr/osvr/ClientKit/InterfaceCallbackC.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_InterfaceCallbacksC_h_GUID_8F16E6CB_F998_4ABC_5B6B_4FC1E4B71BC9
-#define INCLUDED_InterfaceCallbacksC_h_GUID_8F16E6CB_F998_4ABC_5B6B_4FC1E4B71BC9
-
-/* Internal Includes */
-#include <osvr/ClientKit/Export.h>
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/ReturnCodesC.h>
-#include <osvr/Util/AnnotationMacrosC.h>
-#include <osvr/Util/ClientOpaqueTypesC.h>
-#include <osvr/Util/ClientCallbackTypesC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-#define OSVR_INTERFACE_CALLBACK_METHOD(TYPE)                                   \
-    /** @brief Register a callback for TYPE reports on an interface */         \
-    OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrRegister##TYPE##Callback(        \
-        OSVR_ClientInterface iface, OSVR_##TYPE##Callback cb, void *userdata);
-
-OSVR_INTERFACE_CALLBACK_METHOD(Pose)
-OSVR_INTERFACE_CALLBACK_METHOD(Position)
-OSVR_INTERFACE_CALLBACK_METHOD(Orientation)
-OSVR_INTERFACE_CALLBACK_METHOD(Velocity)
-OSVR_INTERFACE_CALLBACK_METHOD(LinearVelocity)
-OSVR_INTERFACE_CALLBACK_METHOD(AngularVelocity)
-OSVR_INTERFACE_CALLBACK_METHOD(Acceleration)
-OSVR_INTERFACE_CALLBACK_METHOD(LinearAcceleration)
-OSVR_INTERFACE_CALLBACK_METHOD(AngularAcceleration)
-OSVR_INTERFACE_CALLBACK_METHOD(Button)
-OSVR_INTERFACE_CALLBACK_METHOD(Analog)
-OSVR_INTERFACE_CALLBACK_METHOD(Imaging)
-OSVR_INTERFACE_CALLBACK_METHOD(Location2D)
-OSVR_INTERFACE_CALLBACK_METHOD(Direction)
-OSVR_INTERFACE_CALLBACK_METHOD(EyeTracker2D)
-OSVR_INTERFACE_CALLBACK_METHOD(EyeTracker3D)
-OSVR_INTERFACE_CALLBACK_METHOD(EyeTrackerBlink)
-OSVR_INTERFACE_CALLBACK_METHOD(NaviVelocity)
-OSVR_INTERFACE_CALLBACK_METHOD(NaviPosition)
-
-#undef OSVR_INTERFACE_CALLBACK_METHOD
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/ClientKit/InterfaceStateC.h b/gfx/vr/osvr/ClientKit/InterfaceStateC.h
deleted file mode 100644
index edf9f085cb..0000000000
--- a/gfx/vr/osvr/ClientKit/InterfaceStateC.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_InterfaceStateC_h_GUID_8F85D178_74B9_4AA9_4E9E_243089411408
-#define INCLUDED_InterfaceStateC_h_GUID_8F85D178_74B9_4AA9_4E9E_243089411408
-
-/* Internal Includes */
-#include <osvr/ClientKit/Export.h>
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/ReturnCodesC.h>
-#include <osvr/Util/AnnotationMacrosC.h>
-#include <osvr/Util/ClientOpaqueTypesC.h>
-#include <osvr/Util/ClientReportTypesC.h>
-#include <osvr/Util/TimeValueC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-#define OSVR_CALLBACK_METHODS(TYPE)                                            \
-    /** @brief Get TYPE state from an interface, returning failure if none     \
-     * exists */                                                               \
-    OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode osvrGet##TYPE##State(                \
-        OSVR_ClientInterface iface, struct OSVR_TimeValue *timestamp,          \
-        OSVR_##TYPE##State *state);
-
-OSVR_CALLBACK_METHODS(Pose)
-OSVR_CALLBACK_METHODS(Position)
-OSVR_CALLBACK_METHODS(Orientation)
-OSVR_CALLBACK_METHODS(Velocity)
-OSVR_CALLBACK_METHODS(LinearVelocity)
-OSVR_CALLBACK_METHODS(AngularVelocity)
-OSVR_CALLBACK_METHODS(Acceleration)
-OSVR_CALLBACK_METHODS(LinearAcceleration)
-OSVR_CALLBACK_METHODS(AngularAcceleration)
-OSVR_CALLBACK_METHODS(Button)
-OSVR_CALLBACK_METHODS(Analog)
-OSVR_CALLBACK_METHODS(Location2D)
-OSVR_CALLBACK_METHODS(Direction)
-OSVR_CALLBACK_METHODS(EyeTracker2D)
-OSVR_CALLBACK_METHODS(EyeTracker3D)
-OSVR_CALLBACK_METHODS(EyeTrackerBlink)
-OSVR_CALLBACK_METHODS(NaviVelocity)
-OSVR_CALLBACK_METHODS(NaviPosition)
-
-#undef OSVR_CALLBACK_METHODS
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/ClientKit/SystemCallbackC.h b/gfx/vr/osvr/ClientKit/SystemCallbackC.h
deleted file mode 100644
index 2476d5f21c..0000000000
--- a/gfx/vr/osvr/ClientKit/SystemCallbackC.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_SystemCallbackC_h_GUID_543F3F04_343E_4389_08A0_DEA988EC23F7
-#define INCLUDED_SystemCallbackC_h_GUID_543F3F04_343E_4389_08A0_DEA988EC23F7
-
-/* Internal Includes */
-#include <osvr/ClientKit/Export.h>
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/ReturnCodesC.h>
-#include <osvr/Util/AnnotationMacrosC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/ClientKit/TransformsC.h b/gfx/vr/osvr/ClientKit/TransformsC.h
deleted file mode 100644
index 183497dfd8..0000000000
--- a/gfx/vr/osvr/ClientKit/TransformsC.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/** @file
-    @brief Header controlling the OSVR transformation hierarchy
-
-    Must be c-safe!
-
-    @date 2015
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2015 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//        http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_TransformsC_h_GUID_5B5B7438_42D4_4095_E48A_90E2CC13498E
-#define INCLUDED_TransformsC_h_GUID_5B5B7438_42D4_4095_E48A_90E2CC13498E
-
-/* Internal Includes */
-#include <osvr/ClientKit/Export.h>
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/ReturnCodesC.h>
-#include <osvr/Util/ClientOpaqueTypesC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup ClientKit
-    @{
-*/
-
-/** @brief Updates the internal "room to world" transformation (applied to all
-    tracker data for this client context instance) based on the user's head
-    orientation, so that the direction the user is facing becomes -Z to your
-    application. Only rotates about the Y axis (yaw).
-
-    Note that this method internally calls osvrClientUpdate() to get a head pose
-    so your callbacks may be called during its execution!
-
-    @param ctx Client context
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientSetRoomRotationUsingHead(OSVR_ClientContext ctx);
-
-/** @brief Clears/resets the internal "room to world" transformation back to an
-   identity transformation - that is, clears the effect of any other
-   manipulation of the room to world transform.
-
-    @param ctx Client context
-*/
-OSVR_CLIENTKIT_EXPORT OSVR_ReturnCode
-osvrClientClearRoomToWorldTransform(OSVR_ClientContext ctx);
-
-/** @} */
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/APIBaseC.h b/gfx/vr/osvr/Util/APIBaseC.h
deleted file mode 100644
index 4abe385503..0000000000
--- a/gfx/vr/osvr/Util/APIBaseC.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/** @file
-    @brief Header providing basic C macros for defining API headers.
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_APIBaseC_h_GUID_C5A2E769_2ADC_429E_D250_DF0883E6E5DB
-#define INCLUDED_APIBaseC_h_GUID_C5A2E769_2ADC_429E_D250_DF0883E6E5DB
-
-#ifdef __cplusplus
-#define OSVR_C_ONLY(X)
-#define OSVR_CPP_ONLY(X) X
-#define OSVR_EXTERN_C_BEGIN extern "C" {
-#define OSVR_EXTERN_C_END }
-#define OSVR_INLINE inline
-#else
-#define OSVR_C_ONLY(X) X
-#define OSVR_CPP_ONLY(X)
-#define OSVR_EXTERN_C_BEGIN
-#define OSVR_EXTERN_C_END
-#ifdef _MSC_VER
-#define OSVR_INLINE static __inline
-#else
-#define OSVR_INLINE static inline
-#endif
-#endif
-
-#endif
diff --git a/gfx/vr/osvr/Util/AnnotationMacrosC.h b/gfx/vr/osvr/Util/AnnotationMacrosC.h
deleted file mode 100644
index e086608c13..0000000000
--- a/gfx/vr/osvr/Util/AnnotationMacrosC.h
+++ /dev/null
@@ -1,232 +0,0 @@
-/** @file
-    @brief Header containing macros for source-level annotation.
-
-    In theory, supporting MSVC SAL, as well as compatible GCC and
-    Clang attributes. In practice, expanded as time allows and requires.
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_AnnotationMacrosC_h_GUID_48538D9B_35E3_4E9A_D2B0_D83D51DD5900
-#define INCLUDED_AnnotationMacrosC_h_GUID_48538D9B_35E3_4E9A_D2B0_D83D51DD5900
-
-#ifndef OSVR_DISABLE_ANALYSIS
-
-#if defined(_MSC_VER) && (_MSC_VER >= 1700)
-/* Visual C++ (2012 and newer) */
-/* Using SAL attribute format:
- * http://msdn.microsoft.com/en-us/library/ms182032(v=vs.120).aspx */
-
-#include <sal.h>
-
-#define OSVR_IN _In_
-#define OSVR_IN_PTR _In_
-#define OSVR_IN_OPT _In_opt_
-#define OSVR_IN_STRZ _In_z_
-#define OSVR_IN_READS(NUM_ELEMENTS) _In_reads_(NUM_ELEMENTS)
-
-#define OSVR_OUT _Out_
-#define OSVR_OUT_PTR _Outptr_
-#define OSVR_OUT_OPT _Out_opt_
-
-#define OSVR_INOUT _Inout_
-#define OSVR_INOUT_PTR _Inout_
-
-#define OSVR_RETURN_WARN_UNUSED _Must_inspect_result_
-#define OSVR_RETURN_SUCCESS_CONDITION(X) _Return_type_success_(X)
-
-/* end of msvc section */
-#elif defined(__GNUC__) && (__GNUC__ >= 4)
-/* section for GCC and GCC-alikes */
-
-#if defined(__clang__)
-/* clang-specific section */
-#endif
-
-#define OSVR_FUNC_NONNULL(X) __attribute__((__nonnull__ X))
-#define OSVR_RETURN_WARN_UNUSED __attribute__((warn_unused_result))
-
-/* end of gcc section and compiler detection */
-#endif
-
-/* end of ndef disable analysis */
-#endif
-
-/* Fallback declarations */
-/**
-@defgroup annotation_macros Static analysis annotation macros
-@brief Wrappers for Microsoft's SAL annotations and others
-@ingroup Util
-
-Use of these is optional, but recommended particularly for C APIs,
-as well as any methods handling a buffer with a length.
-@{
-*/
-/** @name Parameter annotations
-
-    These indicate the role and valid values for parameters to functions.
-
-    At most one of these should be placed before a parameter's type name in the
-   function parameter list, in both the declaration and definition. (They must
-   match!)
-   @{
-*/
-/** @def OSVR_IN
-    @brief Indicates a required function parameter that serves only as input.
-*/
-#ifndef OSVR_IN
-#define OSVR_IN
-#endif
-
-/** @def OSVR_IN_PTR
-    @brief Indicates a required pointer (non-null) function parameter that
-    serves only as input.
-*/
-#ifndef OSVR_IN_PTR
-#define OSVR_IN_PTR
-#endif
-
-/** @def OSVR_IN_OPT
-    @brief Indicates a function parameter (pointer) that serves only as input,
-   but is optional and might be NULL.
-*/
-#ifndef OSVR_IN_OPT
-#define OSVR_IN_OPT
-#endif
-
-/** @def OSVR_IN_STRZ
-    @brief Indicates a null-terminated string function parameter that serves
-   only as input.
-*/
-#ifndef OSVR_IN_STRZ
-#define OSVR_IN_STRZ
-#endif
-
-/** @def OSVR_IN_READS(NUM_ELEMENTS)
-    @brief Indicates a buffer containing input with the specified number of
-   elements.
-
-    The specified number of elements is typically the name of another parameter.
-*/
-#ifndef OSVR_IN_READS
-#define OSVR_IN_READS(NUM_ELEMENTS)
-#endif
-
-/** @def OSVR_OUT
-    @brief Indicates a required function parameter that serves only as output.
-    In C code, since this usually means "pointer", you probably want
-   OSVR_OUT_PTR instead.
-*/
-#ifndef OSVR_OUT
-#define OSVR_OUT
-#endif
-
-/** @def OSVR_OUT_PTR
-    @brief Indicates a required pointer (non-null) function parameter that
-    serves only as output.
-*/
-#ifndef OSVR_OUT_PTR
-#define OSVR_OUT_PTR
-#endif
-
-/** @def OSVR_OUT_OPT
-    @brief Indicates a function parameter (pointer) that serves only as output,
-   but is optional and might be NULL
-*/
-#ifndef OSVR_OUT_OPT
-#define OSVR_OUT_OPT
-#endif
-
-/** @def OSVR_INOUT
-    @brief Indicates a required function parameter that is both read and written
-   to.
-
-    In C code, since this usually means "pointer", you probably want
-   OSVR_INOUT_PTR instead.
-*/
-#ifndef OSVR_INOUT
-#define OSVR_INOUT
-#endif
-
-/** @def OSVR_INOUT_PTR
-    @brief Indicates a required pointer (non-null) function parameter that is
-    both read and written to.
-*/
-#ifndef OSVR_INOUT_PTR
-#define OSVR_INOUT_PTR
-#endif
-
-/* End of parameter annotations. */
-/** @} */
-
-/** @name Function annotations
-
-    These indicate particular relevant aspects about a function. Some
-    duplicate the effective meaning of parameter annotations: applying both
-    allows the fullest extent of static analysis tools to analyze the code,
-    and in some compilers, generate warnings.
-
-   @{
-*/
-/** @def OSVR_FUNC_NONNULL(X)
-    @brief Indicates the parameter(s) that must be non-null.
-
-    @param X A parenthesized list of parameters by number (1-based index)
-
-    Should be placed after a function declaration (but before the
-   semicolon). Repeating in the definition is not needed.
-*/
-#ifndef OSVR_FUNC_NONNULL
-#define OSVR_FUNC_NONNULL(X)
-#endif
-
-/** @def OSVR_RETURN_WARN_UNUSED
-    @brief Indicates the function has a return value that must be used (either a
-   security problem or an obvious bug if not).
-
-    Should be placed before the return value (and virtual keyword, if
-   applicable) in both declaration and definition.
-*/
-#ifndef OSVR_RETURN_WARN_UNUSED
-#define OSVR_RETURN_WARN_UNUSED
-#endif
-/* End of function annotations. */
-/** @} */
-
-/** @def OSVR_RETURN_SUCCESS_CONDITION
-    @brief Applied to a typedef, indicates the condition for `return` under
-   which a function returning it should be considered to have succeeded (thus
-   holding certain specifications).
-
-    Should be placed before the typename in a typedef, with the parameter
-   including the keyword `return` to substitute for the return value.
-*/
-#ifndef OSVR_RETURN_SUCCESS_CONDITION
-#define OSVR_RETURN_SUCCESS_CONDITION(X)
-#endif
-
-/* End of annotation group. */
-/** @} */
-#endif
diff --git a/gfx/vr/osvr/Util/BoolC.h b/gfx/vr/osvr/Util/BoolC.h
deleted file mode 100644
index b50ec7cfd7..0000000000
--- a/gfx/vr/osvr/Util/BoolC.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/** @file
-    @brief Header providing a C-safe "bool" type, because we can't depend on
-   Visual Studio providing proper C99 support in external-facing APIs.
-
-    Must be c-safe!
-
-    @date 2015
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2015 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_BoolC_h_GUID_4F97BE90_2758_4BA5_B0FC_0CA92DEBA210
-#define INCLUDED_BoolC_h_GUID_4F97BE90_2758_4BA5_B0FC_0CA92DEBA210
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/StdInt.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-/** @addtogroup Util
-@{
-*/
-
-/** @brief A pre-C99-safe bool type. Canonical values for true and false are
- * provided. Interpretation of other values is not defined. */
-typedef uint8_t OSVR_CBool;
-/** @brief Canonical "true" value for OSVR_CBool */
-#define OSVR_TRUE (1)
-/** @brief Canonical "false" value for OSVR_CBool */
-#define OSVR_FALSE (0)
-
-/** @} */
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/ChannelCountC.h b/gfx/vr/osvr/Util/ChannelCountC.h
deleted file mode 100644
index dc49b3b171..0000000000
--- a/gfx/vr/osvr/Util/ChannelCountC.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2015
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2015 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_ChannelCountC_h_GUID_CF7E5EE7_28B0_4B99_E823_DD701904B5D1
-#define INCLUDED_ChannelCountC_h_GUID_CF7E5EE7_28B0_4B99_E823_DD701904B5D1
-
-/* Internal Includes */
-#include <osvr/Util/StdInt.h>
-#include <osvr/Util/APIBaseC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup PluginKit
-@{
-*/
-
-/** @brief The integer type specifying a number of channels/sensors or a
-channel/sensor index.
-*/
-typedef uint32_t OSVR_ChannelCount;
-
-/** @} */
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/ClientCallbackTypesC.h b/gfx/vr/osvr/Util/ClientCallbackTypesC.h
deleted file mode 100644
index ae17381dc8..0000000000
--- a/gfx/vr/osvr/Util/ClientCallbackTypesC.h
+++ /dev/null
@@ -1,140 +0,0 @@
-/** @file

-    @brief Header

-

-    Must be c-safe!

-

-    GENERATED - do not edit by hand!

-

-    @date 2014

-

-    @author

-    Sensics, Inc.

-    <http://sensics.com/osvr>

-*/

-

-/*

-// Copyright 2014 Sensics, Inc.

-//

-// Licensed under the Apache License, Version 2.0 (the "License");

-// you may not use this file except in compliance with the License.

-// You may obtain a copy of the License at

-//

-//     http://www.apache.org/licenses/LICENSE-2.0

-//

-// Unless required by applicable law or agreed to in writing, software

-// distributed under the License is distributed on an "AS IS" BASIS,

-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

-// See the License for the specific language governing permissions and

-// limitations under the License.

-*/

-

-#ifndef INCLUDED_ClientCallbackTypesC_h_GUID_4D43A675_C8A4_4BBF_516F_59E6C785E4EF

-#define INCLUDED_ClientCallbackTypesC_h_GUID_4D43A675_C8A4_4BBF_516F_59E6C785E4EF

-

-/* Internal Includes */

-#include <osvr/Util/ClientReportTypesC.h>

-#include <osvr/Util/ImagingReportTypesC.h>

-#include <osvr/Util/ReturnCodesC.h>

-#include <osvr/Util/TimeValueC.h>

-

-/* Library/third-party includes */

-/* none */

-

-/* Standard includes */

-/* none */

-

-OSVR_EXTERN_C_BEGIN

-

-/** @addtogroup ClientKit

-    @{

-*/

-

-/** @name Report callback types

-    @{

-*/

-

-/* generated file - do not edit! */

-/** @brief C function type for a Pose callback */

-typedef void (*OSVR_PoseCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_PoseReport *report);

-/** @brief C function type for a Position callback */

-typedef void (*OSVR_PositionCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_PositionReport *report);

-/** @brief C function type for a Orientation callback */

-typedef void (*OSVR_OrientationCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_OrientationReport *report);

-/** @brief C function type for a Velocity callback */

-typedef void (*OSVR_VelocityCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_VelocityReport *report);

-/** @brief C function type for a LinearVelocity callback */

-typedef void (*OSVR_LinearVelocityCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_LinearVelocityReport *report);

-/** @brief C function type for a AngularVelocity callback */

-typedef void (*OSVR_AngularVelocityCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_AngularVelocityReport *report);

-/** @brief C function type for a Acceleration callback */

-typedef void (*OSVR_AccelerationCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_AccelerationReport *report);

-/** @brief C function type for a LinearAcceleration callback */

-typedef void (*OSVR_LinearAccelerationCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_LinearAccelerationReport *report);

-/** @brief C function type for a AngularAcceleration callback */

-typedef void (*OSVR_AngularAccelerationCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_AngularAccelerationReport *report);

-/** @brief C function type for a Button callback */

-typedef void (*OSVR_ButtonCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_ButtonReport *report);

-/** @brief C function type for a Analog callback */

-typedef void (*OSVR_AnalogCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_AnalogReport *report);

-/** @brief C function type for a Imaging callback */

-typedef void (*OSVR_ImagingCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_ImagingReport *report);

-/** @brief C function type for a Location2D callback */

-typedef void (*OSVR_Location2DCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_Location2DReport *report);

-/** @brief C function type for a Direction callback */

-typedef void (*OSVR_DirectionCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_DirectionReport *report);

-/** @brief C function type for a EyeTracker2D callback */

-typedef void (*OSVR_EyeTracker2DCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_EyeTracker2DReport *report);

-/** @brief C function type for a EyeTracker3D callback */

-typedef void (*OSVR_EyeTracker3DCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_EyeTracker3DReport *report);

-/** @brief C function type for a EyeTrackerBlink callback */

-typedef void (*OSVR_EyeTrackerBlinkCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_EyeTrackerBlinkReport *report);

-/** @brief C function type for a NaviVelocity callback */

-typedef void (*OSVR_NaviVelocityCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_NaviVelocityReport *report);

-/** @brief C function type for a NaviPosition callback */

-typedef void (*OSVR_NaviPositionCallback)(void *userdata,

-                                     const struct OSVR_TimeValue *timestamp,

-                                     const struct OSVR_NaviPositionReport *report);

-

-/** @} */

-

-/** @} */

-

-OSVR_EXTERN_C_END

-

-#endif

diff --git a/gfx/vr/osvr/Util/ClientOpaqueTypesC.h b/gfx/vr/osvr/Util/ClientOpaqueTypesC.h
deleted file mode 100644
index 64eba6d61e..0000000000
--- a/gfx/vr/osvr/Util/ClientOpaqueTypesC.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/** @file
-    @brief Header declaring opaque types used by @ref Client and @ref ClientKit
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_ClientOpaqueTypesC_h_GUID_24B79ED2_5751_4BA2_1690_BBD250EBC0C1
-#define INCLUDED_ClientOpaqueTypesC_h_GUID_24B79ED2_5751_4BA2_1690_BBD250EBC0C1
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup ClientKit
-    @{
-*/
-/** @brief Opaque handle that should be retained by your application. You need
-    only and exactly one.
-
-    Created by osvrClientInit() at application start.
-
-    You are required to clean up this handle with osvrClientShutdown().
-*/
-typedef struct OSVR_ClientContextObject *OSVR_ClientContext;
-
-/** @brief Opaque handle to an interface used for registering callbacks and
-   getting status.
-
-    You are not required to clean up this handle (it will be automatically
-   cleaned up when the context is), but you can if you are no longer using it,
-   using osvrClientFreeInterface() to inform the context that you no longer need
-   this interface.
-*/
-typedef struct OSVR_ClientInterfaceObject *OSVR_ClientInterface;
-
-/** @} */
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/ClientReportTypesC.h b/gfx/vr/osvr/Util/ClientReportTypesC.h
deleted file mode 100644
index 85fa5a5a1f..0000000000
--- a/gfx/vr/osvr/Util/ClientReportTypesC.h
+++ /dev/null
@@ -1,348 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_ClientReportTypesC_h_GUID_E79DAB07_78B7_4795_1EB9_CA6EEB274AEE
-#define INCLUDED_ClientReportTypesC_h_GUID_E79DAB07_78B7_4795_1EB9_CA6EEB274AEE
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/Pose3C.h>
-#include <osvr/Util/StdInt.h>
-
-#include <osvr/Util/Vec2C.h>
-#include <osvr/Util/Vec3C.h>
-#include <osvr/Util/ChannelCountC.h>
-#include <osvr/Util/BoolC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup ClientKit
-    @{
-*/
-
-/** @name State types
-@{
-*/
-/** @brief Type of position state */
-typedef OSVR_Vec3 OSVR_PositionState;
-
-/** @brief Type of orientation state */
-typedef OSVR_Quaternion OSVR_OrientationState;
-
-/** @brief Type of pose state */
-typedef OSVR_Pose3 OSVR_PoseState;
-
-/** @brief Type of linear velocity state */
-typedef OSVR_Vec3 OSVR_LinearVelocityState;
-
-/** @brief The quaternion represents the incremental rotation taking place over
-    a period of dt seconds. Use of dt (which does not necessarily
-    have to be 1, as other velocity/acceleration representations imply) and an
-    incremental quaternion allows device reports to be scaled to avoid aliasing
-*/
-typedef struct OSVR_IncrementalQuaternion {
-    OSVR_Quaternion incrementalRotation;
-    double dt;
-} OSVR_IncrementalQuaternion;
-
-/** @brief Type of angular velocity state: an incremental quaternion, providing
-    the incremental rotation taking place due to velocity over a period of dt
-    seconds.
-*/
-typedef OSVR_IncrementalQuaternion OSVR_AngularVelocityState;
-
-/** @brief Struct for combined velocity state */
-typedef struct OSVR_VelocityState {
-    OSVR_LinearVelocityState linearVelocity;
-    /** @brief Whether the data source reports valid data for
-        #OSVR_VelocityState::linearVelocity */
-    OSVR_CBool linearVelocityValid;
-
-    OSVR_AngularVelocityState angularVelocity;
-    /** @brief Whether the data source reports valid data for
-    #OSVR_VelocityState::angularVelocity */
-    OSVR_CBool angularVelocityValid;
-} OSVR_VelocityState;
-
-/** @brief Type of linear acceleration state */
-typedef OSVR_Vec3 OSVR_LinearAccelerationState;
-
-/** @brief Type of angular acceleration state
-*/
-typedef OSVR_IncrementalQuaternion OSVR_AngularAccelerationState;
-
-/** @brief Struct for combined acceleration state */
-typedef struct OSVR_AccelerationState {
-    OSVR_LinearAccelerationState linearAcceleration;
-    /** @brief Whether the data source reports valid data for
-    #OSVR_AccelerationState::linearAcceleration */
-    OSVR_CBool linearAccelerationValid;
-
-    OSVR_AngularAccelerationState angularAcceleration;
-    /** @brief Whether the data source reports valid data for
-    #OSVR_AccelerationState::angularAcceleration */
-    OSVR_CBool angularAccelerationValid;
-} OSVR_AccelerationState;
-
-/** @brief Type of button state */
-typedef uint8_t OSVR_ButtonState;
-
-/** @brief OSVR_ButtonState value indicating "button down" */
-#define OSVR_BUTTON_PRESSED (1)
-
-/** @brief OSVR_ButtonState value indicating "button up" */
-#define OSVR_BUTTON_NOT_PRESSED (0)
-
-/** @brief Type of analog channel state */
-typedef double OSVR_AnalogState;
-
-/** @} */
-
-/** @name Report types
-    @{
-*/
-/** @brief Report type for a position callback on a tracker interface */
-typedef struct OSVR_PositionReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The position vector */
-    OSVR_PositionState xyz;
-} OSVR_PositionReport;
-
-/** @brief Report type for an orientation callback on a tracker interface */
-typedef struct OSVR_OrientationReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The rotation unit quaternion */
-    OSVR_OrientationState rotation;
-} OSVR_OrientationReport;
-
-/** @brief Report type for a pose (position and orientation) callback on a
-    tracker interface
-*/
-typedef struct OSVR_PoseReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The pose structure, containing a position vector and a rotation
-        quaternion
-    */
-    OSVR_PoseState pose;
-} OSVR_PoseReport;
-
-/** @brief Report type for a velocity (linear and angular) callback on a
-    tracker interface
-*/
-typedef struct OSVR_VelocityReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The data state - note that not all fields are neccesarily valid,
-        use the `Valid` members to check the status of the other fields.
-    */
-    OSVR_VelocityState state;
-} OSVR_VelocityReport;
-
-/** @brief Report type for a linear velocity callback on a tracker interface
-*/
-typedef struct OSVR_LinearVelocityReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The state itself */
-    OSVR_LinearVelocityState state;
-} OSVR_LinearVelocityReport;
-
-/** @brief Report type for an angular velocity callback on a tracker interface
-*/
-typedef struct OSVR_AngularVelocityReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The state itself */
-    OSVR_AngularVelocityState state;
-} OSVR_AngularVelocityReport;
-
-/** @brief Report type for an acceleration (linear and angular) callback on a
-    tracker interface
-*/
-typedef struct OSVR_AccelerationReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The data state - note that not all fields are neccesarily valid,
-        use the `Valid` members to check the status of the other fields.
-    */
-    OSVR_AccelerationState state;
-} OSVR_AccelerationReport;
-
-/** @brief Report type for a linear acceleration callback on a tracker interface
-*/
-typedef struct OSVR_LinearAccelerationReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The state itself */
-    OSVR_LinearAccelerationState state;
-} OSVR_LinearAccelerationReport;
-
-/** @brief Report type for an angular acceleration callback on a tracker
-    interface
-*/
-typedef struct OSVR_AngularAccelerationReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The state itself */
-    OSVR_AngularAccelerationState state;
-} OSVR_AngularAccelerationReport;
-
-/** @brief Report type for a callback on a button interface */
-typedef struct OSVR_ButtonReport {
-    /** @brief Identifies the sensor that the report comes from */
-    int32_t sensor;
-    /** @brief The button state: 1 is pressed, 0 is not pressed. */
-    OSVR_ButtonState state;
-} OSVR_ButtonReport;
-
-/** @brief Report type for a callback on an analog interface */
-typedef struct OSVR_AnalogReport {
-    /** @brief Identifies the sensor/channel that the report comes from */
-    int32_t sensor;
-    /** @brief The analog state. */
-    OSVR_AnalogState state;
-} OSVR_AnalogReport;
-
-/** @brief Type of location within a 2D region/surface, in normalized
-    coordinates (in range [0, 1] in standard OSVR coordinate system)
-*/
-typedef OSVR_Vec2 OSVR_Location2DState;
-
-/** @brief Report type for 2D location */
-typedef struct OSVR_Location2DReport {
-    OSVR_ChannelCount sensor;
-    OSVR_Location2DState location;
-} OSVR_Location2DReport;
-
-/** @brief Type of unit directional vector in 3D with no particular origin */
-typedef OSVR_Vec3 OSVR_DirectionState;
-
-/** @brief Report type for 3D Direction vector */
-typedef struct OSVR_DirectionReport {
-    OSVR_ChannelCount sensor;
-    OSVR_DirectionState direction;
-} OSVR_DirectionReport;
-
-/** @brief Type of eye gaze direction in 3D which contains 3D vector (position)
-    containing gaze base point of the user's respective eye in 3D device
-    coordinates.
-*/
-typedef OSVR_PositionState OSVR_EyeGazeBasePoint3DState;
-
-/** @brief Type of eye gaze position in 2D which contains users's gaze/point of
-    regard in normalized display coordinates (in range [0, 1] in standard OSVR
-    coordinate system)
-*/
-typedef OSVR_Location2DState OSVR_EyeGazePosition2DState;
-
-// typedef OSVR_DirectionState OSVR_EyeGazeBasePoint3DState;
-
-/** @brief Type of 3D vector (direction vector) containing the normalized gaze
-    direction of user's respective eye */
-typedef OSVR_DirectionState OSVR_EyeGazeDirectionState;
-
-/** @brief State for 3D gaze report */
-typedef struct OSVR_EyeTracker3DState {
-    OSVR_CBool directionValid;
-    OSVR_DirectionState direction;
-    OSVR_CBool basePointValid;
-    OSVR_PositionState basePoint;
-} OSVR_EyeTracker3DState;
-
-/** @brief Report type for 3D gaze report */
-typedef struct OSVR_EyeTracker3DReport {
-    OSVR_ChannelCount sensor;
-    OSVR_EyeTracker3DState state;
-} OSVR_EyeTracker3DReport;
-
-/** @brief State for 2D location report */
-typedef OSVR_Location2DState OSVR_EyeTracker2DState;
-
-/** @brief Report type for 2D location report */
-typedef struct OSVR_EyeTracker2DReport {
-    OSVR_ChannelCount sensor;
-    OSVR_EyeTracker2DState state;
-} OSVR_EyeTracker2DReport;
-
-/** @brief State for a blink event */
-typedef OSVR_ButtonState OSVR_EyeTrackerBlinkState;
-
-/** @brief OSVR_EyeTrackerBlinkState value indicating an eyes blink had occurred
- */
-#define OSVR_EYE_BLINK (1)
-
-/** @brief OSVR_EyeTrackerBlinkState value indicating eyes are not blinking */
-#define OSVR_EYE_NO_BLINK (0)
-
-/** @brief Report type for a blink event */
-typedef struct OSVR_EyeTrackerBlinkReport {
-    OSVR_ChannelCount sensor;
-    OSVR_EyeTrackerBlinkState state;
-} OSVR_EyeTrackerBlinkReport;
-
-/** @brief Report type for an Imaging callback (forward declaration) */
-struct OSVR_ImagingReport;
-
-/** @brief Type of Navigation Velocity state */
-typedef OSVR_Vec2 OSVR_NaviVelocityState;
-
-/** @brief Type of Navigation Position state */
-typedef OSVR_Vec2 OSVR_NaviPositionState;
-
-/** @brief Report type for an navigation velocity callback on a tracker
- * interface */
-typedef struct OSVR_NaviVelocityReport {
-    OSVR_ChannelCount sensor;
-    /** @brief The 2D vector in world coordinate system, in meters/second */
-    OSVR_NaviVelocityState state;
-} OSVR_NaviVelocityReport;
-
-/** @brief Report type for an navigation position callback on a tracker
- * interface */
-typedef struct OSVR_NaviPositionReport {
-    OSVR_ChannelCount sensor;
-    /** @brief The 2D vector in world coordinate system, in meters, relative to
-     * starting position */
-    OSVR_NaviPositionState state;
-} OSVR_NaviPositionReport;
-
-/** @} */
-
-/** @} */
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/Export.h b/gfx/vr/osvr/Util/Export.h
deleted file mode 100644
index f3e26b89f1..0000000000
--- a/gfx/vr/osvr/Util/Export.h
+++ /dev/null
@@ -1,138 +0,0 @@
-/** @file
-    @brief Automatically-generated export header - do not edit!
-
-    @date 2016
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-// Copyright 2016 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef OSVR_UTIL_EXPORT_H
-#define OSVR_UTIL_EXPORT_H
-
-#ifdef OSVR_UTIL_STATIC_DEFINE
-#  define OSVR_UTIL_EXPORT
-#  define OSVR_UTIL_NO_EXPORT
-#endif
-
-/* Per-compiler advance preventative definition */
-#if defined(__BORLANDC__) || defined(__CODEGEARC__) || defined(__HP_aCC) ||    \
-    defined(__PGI) || defined(__WATCOMC__)
-/* Compilers that don't support deprecated, according to CMake. */
-#  ifndef OSVR_UTIL_DEPRECATED
-#    define OSVR_UTIL_DEPRECATED
-#  endif
-#endif
-
-/* Check for attribute support */
-#if defined(__INTEL_COMPILER)
-/* Checking before GNUC because Intel implements GNU extensions,
- * so it chooses to define __GNUC__ as well. */
-#  if __INTEL_COMPILER >= 1200
-/* Intel compiler 12.0 or newer can handle these attributes per CMake */
-#    define OSVR_UTIL_EXPORT_HEADER_SUPPORTS_ATTRIBUTES
-#  endif
-
-#elif defined(__GNUC__)
-#  if (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 2))
-/* GCC 4.2+ */
-#    define OSVR_UTIL_EXPORT_HEADER_SUPPORTS_ATTRIBUTES
-#  endif
-#endif
-
-/* Per-platform defines */
-#if defined(_MSC_VER)
-/* MSVC on Windows */
-
-#ifndef OSVR_UTIL_EXPORT
-#  ifdef osvrUtil_EXPORTS
-      /* We are building this library */
-#    define OSVR_UTIL_EXPORT __declspec(dllexport)
-#  else
-      /* We are using this library */
-#    define OSVR_UTIL_EXPORT __declspec(dllimport)
-#  endif
-#endif
-
-#ifndef OSVR_UTIL_DEPRECATED
-#  define OSVR_UTIL_DEPRECATED __declspec(deprecated)
-#endif
-
-#elif defined(_WIN32) && defined(__GNUC__)
-/* GCC-compatible on Windows */
-
-#ifndef OSVR_UTIL_EXPORT
-#  ifdef osvrUtil_EXPORTS
-      /* We are building this library */
-#    define OSVR_UTIL_EXPORT __attribute__((dllexport))
-#  else
-      /* We are using this library */
-#    define OSVR_UTIL_EXPORT __attribute__((dllimport))
-#  endif
-#endif
-
-#ifndef OSVR_UTIL_DEPRECATED
-#  define OSVR_UTIL_DEPRECATED __attribute__((__deprecated__))
-#endif
-
-#elif defined(OSVR_UTIL_EXPORT_HEADER_SUPPORTS_ATTRIBUTES) ||         \
-    (defined(__APPLE__) && defined(__MACH__))
-/* GCC4.2+ compatible (assuming something *nix-like) and Mac OS X */
-/* (The first macro is defined at the top of the file, if applicable) */
-/* see https://gcc.gnu.org/wiki/Visibility */
-
-#ifndef OSVR_UTIL_EXPORT
-  /* We are building/using this library */
-#  define OSVR_UTIL_EXPORT __attribute__((visibility("default")))
-#endif
-
-#ifndef OSVR_UTIL_NO_EXPORT
-#  define OSVR_UTIL_NO_EXPORT __attribute__((visibility("hidden")))
-#endif
-
-#ifndef OSVR_UTIL_DEPRECATED
-#  define OSVR_UTIL_DEPRECATED __attribute__((__deprecated__))
-#endif
-
-#endif
-/* End of platform ifdefs */
-
-/* fallback def */
-#ifndef OSVR_UTIL_EXPORT
-#  define OSVR_UTIL_EXPORT
-#endif
-
-/* fallback def */
-#ifndef OSVR_UTIL_NO_EXPORT
-#  define OSVR_UTIL_NO_EXPORT
-#endif
-
-/* fallback def */
-#ifndef OSVR_UTIL_DEPRECATED_EXPORT
-#  define OSVR_UTIL_DEPRECATED_EXPORT OSVR_UTIL_EXPORT OSVR_UTIL_DEPRECATED
-#endif
-
-/* fallback def */
-#ifndef OSVR_UTIL_DEPRECATED_NO_EXPORT
-#  define OSVR_UTIL_DEPRECATED_NO_EXPORT OSVR_UTIL_NO_EXPORT OSVR_UTIL_DEPRECATED
-#endif
-
-/* Clean up after ourselves */
-#undef OSVR_UTIL_EXPORT_HEADER_SUPPORTS_ATTRIBUTES
-
-#endif
diff --git a/gfx/vr/osvr/Util/ImagingReportTypesC.h b/gfx/vr/osvr/Util/ImagingReportTypesC.h
deleted file mode 100644
index 1ce8b60d69..0000000000
--- a/gfx/vr/osvr/Util/ImagingReportTypesC.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2015
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2015 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_ImagingReportTypesC_h_GUID_746A7BF8_B92D_4585_CA72_DC5391DEDF24
-#define INCLUDED_ImagingReportTypesC_h_GUID_746A7BF8_B92D_4585_CA72_DC5391DEDF24
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/StdInt.h>
-#include <osvr/Util/ChannelCountC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup ClientKit
-    @{
-*/
-typedef uint32_t OSVR_ImageDimension;
-typedef uint8_t OSVR_ImageChannels;
-typedef uint8_t OSVR_ImageDepth;
-
-/** @brief Type for raw buffer access to image data */
-typedef unsigned char OSVR_ImageBufferElement;
-
-typedef enum OSVR_ImagingValueType {
-    OSVR_IVT_UNSIGNED_INT = 0,
-    OSVR_IVT_SIGNED_INT = 1,
-    OSVR_IVT_FLOATING_POINT = 2
-} OSVR_ImagingValueType;
-
-typedef struct OSVR_ImagingMetadata {
-    /** @brief height in pixels */
-    OSVR_ImageDimension height;
-    /** @brief width in pixels */
-    OSVR_ImageDimension width;
-    /** @brief number of channels of data for each pixel */
-    OSVR_ImageChannels channels;
-    /** @brief the depth (size) in bytes of each channel - valid values are 1,
-     * 2, 4, and 8 */
-    OSVR_ImageDepth depth;
-    /** @brief Whether values are unsigned ints, signed ints, or floating point
-     */
-    OSVR_ImagingValueType type;
-
-} OSVR_ImagingMetadata;
-
-typedef struct OSVR_ImagingState {
-    OSVR_ImagingMetadata metadata;
-    OSVR_ImageBufferElement *data;
-} OSVR_ImagingState;
-
-typedef struct OSVR_ImagingReport {
-    OSVR_ChannelCount sensor;
-    OSVR_ImagingState state;
-} OSVR_ImagingReport;
-
-/** @} */
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/MatrixConventionsC.h b/gfx/vr/osvr/Util/MatrixConventionsC.h
deleted file mode 100644
index b1f2c27975..0000000000
--- a/gfx/vr/osvr/Util/MatrixConventionsC.h
+++ /dev/null
@@ -1,190 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2015
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2015 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//        http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_MatrixConventionsC_h_GUID_6FC7A4C6_E6C5_4A96_1C28_C3D21B909681
-#define INCLUDED_MatrixConventionsC_h_GUID_6FC7A4C6_E6C5_4A96_1C28_C3D21B909681
-
-/* Internal Includes */
-#include <osvr/Util/Export.h>
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/StdInt.h>
-#include <osvr/Util/Pose3C.h>
-#include <osvr/Util/ReturnCodesC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @defgroup MatrixConvention Matrix conventions and bit flags
-    @ingroup UtilMath
-*/
-
-/** @brief Type for passing matrix convention flags.
-    @ingroup MatrixConvention
-*/
-typedef uint16_t OSVR_MatrixConventions;
-
-#ifndef OSVR_DOXYGEN_EXTERNAL
-/** @brief Bitmasks for testing matrix conventions.
-    @ingroup MatrixConvention
-*/
-typedef enum OSVR_MatrixMasks {
-    OSVR_MATRIX_MASK_ROWMAJOR = 0x1,
-    OSVR_MATRIX_MASK_ROWVECTORS = 0x2,
-    OSVR_MATRIX_MASK_LHINPUT = 0x4,
-    OSVR_MATRIX_MASK_UNSIGNEDZ = 0x8
-} OSVR_MatrixMasks;
-#endif
-
-/** @defgroup MatrixFlags Matrix flags
-    @ingroup MatrixConvention
-
-    Bit flags for specifying matrix options. Only one option may be specified
-   per enum, with all the specified options combined with bitwise-or `|`.
-
-    Most methods that take matrix flags only obey ::OSVR_MatrixOrderingFlags and
-   ::OSVR_MatrixVectorFlags - the flags that affect memory order. The remaining
-   flags are for use with projection matrix generation API methods.
-
-    @{
-*/
-/** @brief Flag bit controlling output memory order */
-typedef enum OSVR_MatrixOrderingFlags {
-    /** @brief Column-major memory order (default) */
-    OSVR_MATRIX_COLMAJOR = 0x0,
-    /** @brief Row-major memory order */
-    OSVR_MATRIX_ROWMAJOR = OSVR_MATRIX_MASK_ROWMAJOR
-} OSVR_MatrixOrderingFlags;
-
-/** @brief Flag bit controlling expected input to matrices.
-    (Related to ::OSVR_MatrixOrderingFlags - setting one to non-default results
-    in an output change, but setting both to non-default results in effectively
-    no change in the output. If this blows your mind, just ignore this aside and
-    carry on.)
-*/
-typedef enum OSVR_MatrixVectorFlags {
-    /** @brief Matrix transforms column vectors (default) */
-    OSVR_MATRIX_COLVECTORS = 0x0,
-    /** @brief Matrix transforms row vectors */
-    OSVR_MATRIX_ROWVECTORS = OSVR_MATRIX_MASK_ROWVECTORS
-} OSVR_MatrixVectorFlags;
-
-/** @brief Flag bit to indicate coordinate system input to projection matrix */
-typedef enum OSVR_ProjectionMatrixInputFlags {
-    /** @brief Matrix takes vectors from a right-handed coordinate system
-       (default) */
-    OSVR_MATRIX_RHINPUT = 0x0,
-    /** @brief Matrix takes vectors from a left-handed coordinate system */
-    OSVR_MATRIX_LHINPUT = OSVR_MATRIX_MASK_LHINPUT
-
-} OSVR_ProjectionMatrixInputFlags;
-
-/** @brief Flag bit to indicate the desired post-projection Z value convention
- */
-typedef enum OSVR_ProjectionMatrixZFlags {
-    /** @brief Matrix maps the near and far planes to signed Z values (in the
-        range [-1, 1])  (default)*/
-    OSVR_MATRIX_SIGNEDZ = 0x0,
-    /** @brief Matrix maps the near and far planes to unsigned Z values (in the
-        range [0, 1]) */
-    OSVR_MATRIX_UNSIGNEDZ = OSVR_MATRIX_MASK_UNSIGNEDZ
-} OSVR_ProjectionMatrixZFlags;
-/** @} */ /* end of matrix flags group */
-
-enum {
-    /** @brief Constant for the number of elements in the matrices we use - 4x4.
-        @ingroup MatrixConvention
-    */
-    OSVR_MATRIX_SIZE = 16
-};
-
-/** @addtogroup UtilMath
-    @{
-*/
-/** @brief Set a matrix of doubles based on a Pose3.
-    @param pose The Pose3 to convert
-    @param flags Memory ordering flag - see @ref MatrixFlags
-    @param[out] mat an array of 16 doubles
-*/
-OSVR_UTIL_EXPORT OSVR_ReturnCode osvrPose3ToMatrixd(
-    OSVR_Pose3 const *pose, OSVR_MatrixConventions flags, double *mat);
-
-/** @brief Set a matrix of floats based on a Pose3.
-    @param pose The Pose3 to convert
-    @param flags Memory ordering flag - see @ref MatrixFlags
-    @param[out] mat an array of 16 floats
-*/
-OSVR_UTIL_EXPORT OSVR_ReturnCode osvrPose3ToMatrixf(
-    OSVR_Pose3 const *pose, OSVR_MatrixConventions flags, float *mat);
-/** @} */
-
-OSVR_EXTERN_C_END
-
-#ifdef __cplusplus
-/** @brief Set a matrix based on a Pose3. (C++-only overload - detecting scalar
- * type) */
-inline OSVR_ReturnCode osvrPose3ToMatrix(OSVR_Pose3 const *pose,
-                                         OSVR_MatrixConventions flags,
-                                         double *mat) {
-    return osvrPose3ToMatrixd(pose, flags, mat);
-}
-
-/** @brief Set a matrix based on a Pose3. (C++-only overload - detecting scalar
- * type) */
-inline OSVR_ReturnCode osvrPose3ToMatrix(OSVR_Pose3 const *pose,
-                                         OSVR_MatrixConventions flags,
-                                         float *mat) {
-    return osvrPose3ToMatrixf(pose, flags, mat);
-}
-
-/** @brief Set a matrix based on a Pose3. (C++-only overload - detects scalar
- * and takes array rather than pointer) */
-template <typename Scalar>
-inline OSVR_ReturnCode osvrPose3ToMatrix(OSVR_Pose3 const *pose,
-                                         OSVR_MatrixConventions flags,
-                                         Scalar mat[OSVR_MATRIX_SIZE]) {
-    return osvrPose3ToMatrix(pose, flags, &(mat[0]));
-}
-/** @brief Set a matrix based on a Pose3. (C++-only overload - detects scalar,
- * takes array, takes pose by reference) */
-template <typename Scalar>
-inline OSVR_ReturnCode osvrPose3ToMatrix(OSVR_Pose3 const &pose,
-                                         OSVR_MatrixConventions flags,
-                                         Scalar mat[OSVR_MATRIX_SIZE]) {
-    return osvrPose3ToMatrix(&pose, flags, &(mat[0]));
-}
-
-#endif
-
-/** @} */
-
-#endif
diff --git a/gfx/vr/osvr/Util/PlatformConfig.h b/gfx/vr/osvr/Util/PlatformConfig.h
deleted file mode 100644
index 8342e4f8f8..0000000000
--- a/gfx/vr/osvr/Util/PlatformConfig.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/** @file

-    @brief Auto-configured header

-

-    If this filename ends in `.h`, don't edit it: your edits will

-    be lost next time this file is regenerated!

-

-    Must be c-safe!

-

-    @date 2014

-

-    @author

-    Sensics, Inc.

-    <http://sensics.com/osvr>

-*/

-

-/*

-// Copyright 2014 Sensics, Inc.

-//

-// Licensed under the Apache License, Version 2.0 (the "License");

-// you may not use this file except in compliance with the License.

-// You may obtain a copy of the License at

-//

-//     http://www.apache.org/licenses/LICENSE-2.0

-//

-// Unless required by applicable law or agreed to in writing, software

-// distributed under the License is distributed on an "AS IS" BASIS,

-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

-// See the License for the specific language governing permissions and

-// limitations under the License.

-*/

-

-#ifndef INCLUDED_PlatformConfig_h_GUID_0D10E644_8114_4294_A839_699F39E1F0E0

-#define INCLUDED_PlatformConfig_h_GUID_0D10E644_8114_4294_A839_699F39E1F0E0

-

-/** @def OSVR_HAVE_STRUCT_TIMEVAL_IN_WINSOCK2_H

-    @brief Does the system have struct timeval in <winsock2.h>?

-*/

-#define OSVR_HAVE_STRUCT_TIMEVAL_IN_WINSOCK2_H

-

-/** @def OSVR_HAVE_STRUCT_TIMEVAL_IN_SYS_TIME_H

-    @brief Does the system have struct timeval in <sys/time.h>?

-*/

-

-/*

-    MinGW and similar environments have both winsock and sys/time.h, so

-    we hide this define for disambiguation at the top level.

-*/

-#ifndef OSVR_HAVE_STRUCT_TIMEVAL_IN_WINSOCK2_H

-/* #undef OSVR_HAVE_STRUCT_TIMEVAL_IN_SYS_TIME_H */

-#endif

-

-#if defined(OSVR_HAVE_STRUCT_TIMEVAL_IN_SYS_TIME_H) ||                         \

-    defined(OSVR_HAVE_STRUCT_TIMEVAL_IN_WINSOCK2_H)

-#define OSVR_HAVE_STRUCT_TIMEVAL

-#endif

-

-/**

- * Platform-specific variables.

- *

- * Prefer testing for specific compiler or platform features instead of relying

- * on these variables.

- *

- */

-//@{

-/* #undef OSVR_AIX */

-/* #undef OSVR_ANDROID */

-/* #undef OSVR_BSDOS */

-/* #undef OSVR_FREEBSD */

-/* #undef OSVR_HPUX */

-/* #undef OSVR_IRIX */

-/* #undef OSVR_LINUX */

-/* #undef OSVR_KFREEBSD */

-/* #undef OSVR_NETBSD */

-/* #undef OSVR_OPENBSD */

-/* #undef OSVR_OFS1 */

-/* #undef OSVR_SCO_SV */

-/* #undef OSVR_UNIXWARE */

-/* #undef OSVR_XENIX */

-/* #undef OSVR_SUNOS */

-/* #undef OSVR_TRU64 */

-/* #undef OSVR_ULTRIX */

-/* #undef OSVR_CYGWIN */

-/* #undef OSVR_MACOSX */

-#define OSVR_WINDOWS

-//@}

-

-#endif

-

diff --git a/gfx/vr/osvr/Util/Pose3C.h b/gfx/vr/osvr/Util/Pose3C.h
deleted file mode 100644
index 173428cfcb..0000000000
--- a/gfx/vr/osvr/Util/Pose3C.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_Pose3C_h_GUID_066CFCE2_229C_4194_5D2B_2602CCD5C439
-#define INCLUDED_Pose3C_h_GUID_066CFCE2_229C_4194_5D2B_2602CCD5C439
-
-/* Internal Includes */
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/Vec3C.h>
-#include <osvr/Util/QuaternionC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup UtilMath
-    @{
-*/
-
-/** @brief A structure defining a 3D (6DOF) rigid body pose: translation and
-    rotation.
-*/
-typedef struct OSVR_Pose3 {
-    /** @brief Position vector */
-    OSVR_Vec3 translation;
-    /** @brief Orientation as a unit quaternion */
-    OSVR_Quaternion rotation;
-} OSVR_Pose3;
-
-/** @brief Set a pose to identity */
-OSVR_INLINE void osvrPose3SetIdentity(OSVR_Pose3 *pose) {
-    osvrQuatSetIdentity(&(pose->rotation));
-    osvrVec3Zero(&(pose->translation));
-}
-/** @} */
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/QuaternionC.h b/gfx/vr/osvr/Util/QuaternionC.h
deleted file mode 100644
index 8056c89a0a..0000000000
--- a/gfx/vr/osvr/Util/QuaternionC.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_QuaternionC_h_GUID_1470A5FE_8209_41A6_C19E_46077FDF9C66
-#define INCLUDED_QuaternionC_h_GUID_1470A5FE_8209_41A6_C19E_46077FDF9C66
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup UtilMath
-    @{
-*/
-/** @brief A structure defining a quaternion, often a unit quaternion
- * representing 3D rotation.
-*/
-typedef struct OSVR_Quaternion {
-    /** @brief Internal data - direct access not recommended */
-    double data[4];
-} OSVR_Quaternion;
-
-#define OSVR_QUAT_MEMBER(COMPONENT, INDEX)                                     \
-    /** @brief Accessor for quaternion component COMPONENT */                  \
-    OSVR_INLINE double osvrQuatGet##COMPONENT(OSVR_Quaternion const *q) {      \
-        return q->data[INDEX];                                                 \
-    }                                                                          \
-    /** @brief Setter for quaternion component COMPONENT */                    \
-    OSVR_INLINE void osvrQuatSet##COMPONENT(OSVR_Quaternion *q, double val) {  \
-        q->data[INDEX] = val;                                                  \
-    }
-
-OSVR_QUAT_MEMBER(W, 0)
-OSVR_QUAT_MEMBER(X, 1)
-OSVR_QUAT_MEMBER(Y, 2)
-OSVR_QUAT_MEMBER(Z, 3)
-
-#undef OSVR_QUAT_MEMBER
-
-/** @brief Set a quaternion to the identity rotation */
-OSVR_INLINE void osvrQuatSetIdentity(OSVR_Quaternion *q) {
-    osvrQuatSetW(q, 1);
-    osvrQuatSetX(q, 0);
-    osvrQuatSetY(q, 0);
-    osvrQuatSetZ(q, 0);
-}
-
-/** @} */
-
-OSVR_EXTERN_C_END
-
-#ifdef __cplusplus
-template <typename StreamType>
-inline StreamType &operator<<(StreamType &os, OSVR_Quaternion const &quat) {
-    os << "(" << osvrQuatGetW(&quat) << ", (" << osvrQuatGetX(&quat) << ", "
-       << osvrQuatGetY(&quat) << ", " << osvrQuatGetZ(&quat) << "))";
-    return os;
-}
-#endif
-
-#endif
diff --git a/gfx/vr/osvr/Util/QuatlibInteropC.h b/gfx/vr/osvr/Util/QuatlibInteropC.h
deleted file mode 100644
index ef2a7fe12a..0000000000
--- a/gfx/vr/osvr/Util/QuatlibInteropC.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_QuatlibInteropC_h_GUID_85D92019_F0CC_419C_5F6D_F5A3134AA5D4
-#define INCLUDED_QuatlibInteropC_h_GUID_85D92019_F0CC_419C_5F6D_F5A3134AA5D4
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/Pose3C.h>
-
-/* Library/third-party includes */
-#include <quat.h>
-
-/* Standard includes */
-#include <string.h>
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup UtilMath
-    @{
-*/
-OSVR_INLINE void osvrQuatToQuatlib(q_type dest, OSVR_Quaternion const *src) {
-    dest[Q_W] = osvrQuatGetW(src);
-    dest[Q_X] = osvrQuatGetX(src);
-    dest[Q_Y] = osvrQuatGetY(src);
-    dest[Q_Z] = osvrQuatGetZ(src);
-}
-
-OSVR_INLINE void osvrQuatFromQuatlib(OSVR_Quaternion *dest, q_type const src) {
-    osvrQuatSetW(dest, src[Q_W]);
-    osvrQuatSetX(dest, src[Q_X]);
-    osvrQuatSetY(dest, src[Q_Y]);
-    osvrQuatSetZ(dest, src[Q_Z]);
-}
-
-OSVR_INLINE void osvrVec3ToQuatlib(q_vec_type dest, OSVR_Vec3 const *src) {
-    memcpy((void *)(dest), (void const *)(src->data), sizeof(double) * 3);
-}
-
-OSVR_INLINE void osvrVec3FromQuatlib(OSVR_Vec3 *dest, q_vec_type const src) {
-    memcpy((void *)(dest->data), (void const *)(src), sizeof(double) * 3);
-}
-
-OSVR_INLINE void osvrPose3ToQuatlib(q_xyz_quat_type *dest,
-                                    OSVR_Pose3 const *src) {
-    osvrVec3ToQuatlib(dest->xyz, &(src->translation));
-    osvrQuatToQuatlib(dest->quat, &(src->rotation));
-}
-
-OSVR_INLINE void osvrPose3FromQuatlib(OSVR_Pose3 *dest,
-                                      q_xyz_quat_type const *src) {
-    osvrVec3FromQuatlib(&(dest->translation), src->xyz);
-    osvrQuatFromQuatlib(&(dest->rotation), src->quat);
-}
-
-/** @} */
-
-OSVR_EXTERN_C_END
-#endif
diff --git a/gfx/vr/osvr/Util/RadialDistortionParametersC.h b/gfx/vr/osvr/Util/RadialDistortionParametersC.h
deleted file mode 100644
index ac85a680e9..0000000000
--- a/gfx/vr/osvr/Util/RadialDistortionParametersC.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2015
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2015 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//        http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_RadialDistortionParametersC_h_GUID_925BCEB1_BACA_4DA7_5133_FFF560C72EBD
-#define INCLUDED_RadialDistortionParametersC_h_GUID_925BCEB1_BACA_4DA7_5133_FFF560C72EBD
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/Vec2C.h>
-#include <osvr/Util/Vec3C.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup UtilMath
-@{
-*/
-
-/** @brief Parameters for a per-color-component radial distortion shader
-*/
-typedef struct OSVR_RadialDistortionParameters {
-    /** @brief Vector of K1 coefficients for the R, G, B channels*/
-    OSVR_Vec3 k1;
-    /** @brief Center of projection for the radial distortion, relative to the
-        bounds of this surface.
-        */
-    OSVR_Vec2 centerOfProjection;
-} OSVR_RadialDistortionParameters;
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/RenderingTypesC.h b/gfx/vr/osvr/Util/RenderingTypesC.h
deleted file mode 100644
index 51ec0cc09d..0000000000
--- a/gfx/vr/osvr/Util/RenderingTypesC.h
+++ /dev/null
@@ -1,134 +0,0 @@
-/** @file
-    @brief Header with integer types for Viewer, Eye, and Surface
-   counts/indices, as well as viewport information.
-
-    Must be c-safe!
-
-    @date 2015
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2015 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//        http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_RenderingTypesC_h_GUID_6689A6CA_76AC_48AC_A0D0_2902BC95AC35
-#define INCLUDED_RenderingTypesC_h_GUID_6689A6CA_76AC_48AC_A0D0_2902BC95AC35
-
-/* Internal Includes */
-#include <osvr/Util/StdInt.h>
-#include <osvr/Util/APIBaseC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup PluginKit
-@{
-*/
-
-/** @brief A count or index for a display input in a display config.
-*/
-typedef uint8_t OSVR_DisplayInputCount;
-
-/** @brief The integer type used in specification of size or location of a
-    display input, in pixels.
-*/
-typedef int32_t OSVR_DisplayDimension;
-
-/** @brief The integer type specifying a number of viewers in a system.
-
-    A "head" is a viewer (though not all viewers are necessarily heads).
-
-    The count is output from osvrClientGetNumViewers().
-
-    When used as an ID/index, it is zero-based, so values range from 0 to (count
-    - 1) inclusive.
-
-    The most frequent count is 1, though higher values are theoretically
-    possible. If you do not handle higher values, do still check and alert the
-    user if their system reports a higher number, as your application may not
-    behave as the user expects.
-*/
-typedef uint32_t OSVR_ViewerCount;
-
-/** @brief The integer type specifying the number of eyes (viewpoints) of a
-    viewer.
-
-    The count for a given viewer is output from osvrClientGetNumEyesForViewer().
-
-    When used as an ID/index, it is zero-based,so values range from 0 to (count
-    - 1) inclusive, for a given viewer.
-
-    Use as an ID/index is not meaningful except in conjunction with the ID of
-    the corresponding viewer. (that is, there is no overall "eye 0", but "viewer
-    0, eye 0" is meaningful.)
-
-    In practice, the most frequent counts are 1 (e.g. mono) and 2 (e.g. stereo),
-    and for example the latter results in eyes with ID 0 and 1 for the viewer.
-    There is no innate or consistent semantics/meaning ("left" or "right") to
-    indices guaranteed at this time, and applications should not try to infer
-    any.
-*/
-typedef uint8_t OSVR_EyeCount;
-
-/** @brief The integer type specifying the number of surfaces seen by a viewer's
-    eye.
-
-    The count for a given viewer and eye is output from
-    osvrClientGetNumSurfacesForViewerEye(). Note that the count is not
-    necessarily equal between eyes of a viewer.
-
-    When used as an ID/index, it is zero-based, so values range from 0 to (count
-    - 1) inclusive, for a given viewer and eye.
-
-    Use as an ID/index is not meaningful except in conjunction with the IDs of
-    the corresponding viewer and eye. (that is, there is no overall "surface 0",
-    but "viewer 0, eye 0, surface 0" is meaningful.)
-*/
-typedef uint32_t OSVR_SurfaceCount;
-
-/** @brief The integer type used in specification of size or location of a
-    viewport.
-*/
-typedef int32_t OSVR_ViewportDimension;
-
-/** @brief The integer type used to indicate relative priorities of a display
-    distortion strategy. Negative values are defined to mean that strategy is
-    unavailable.
-
-    @sa OSVR_DISTORTION_PRIORITY_UNAVAILABLE
-*/
-typedef int32_t OSVR_DistortionPriority;
-
-/** @brief The constant to return as an OSVR_DistortionPriority if a given
-    strategy is not available for a surface.
-
-    @sa OSVR_DistortionPriority
-*/
-#define OSVR_DISTORTION_PRIORITY_UNAVAILABLE (-1)
-
-/** @} */
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/ReturnCodesC.h b/gfx/vr/osvr/Util/ReturnCodesC.h
deleted file mode 100644
index 971798ea41..0000000000
--- a/gfx/vr/osvr/Util/ReturnCodesC.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/** @file
-    @brief Header declaring a type and values for simple C return codes.
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_ReturnCodesC_h_GUID_C81A2FDE_E5BB_4AAA_70A4_C616DD7C141A
-#define INCLUDED_ReturnCodesC_h_GUID_C81A2FDE_E5BB_4AAA_70A4_C616DD7C141A
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/AnnotationMacrosC.h>
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup PluginKit
-    @{
-*/
-/** @name Return Codes
-    @{
-*/
-/** @brief The "success" value for an OSVR_ReturnCode */
-#define OSVR_RETURN_SUCCESS (0)
-/** @brief The "failure" value for an OSVR_ReturnCode */
-#define OSVR_RETURN_FAILURE (1)
-/** @brief Return type from C API OSVR functions. */
-typedef OSVR_RETURN_SUCCESS_CONDITION(
-    return == OSVR_RETURN_SUCCESS) char OSVR_ReturnCode;
-/** @} */
-
-/** @} */ /* end of group */
-
-OSVR_EXTERN_C_END
-
-#endif
diff --git a/gfx/vr/osvr/Util/StdInt.h b/gfx/vr/osvr/Util/StdInt.h
deleted file mode 100644
index c9462b62c0..0000000000
--- a/gfx/vr/osvr/Util/StdInt.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/** @file
-    @brief Header wrapping the C99 standard `stdint` header.
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_StdInt_h_GUID_C1AAF35C_C704_4DB7_14AC_615730C4619B
-#define INCLUDED_StdInt_h_GUID_C1AAF35C_C704_4DB7_14AC_615730C4619B
-
-/* IWYU pragma: begin_exports */
-
-#if !defined(_MSC_VER) || (defined(_MSC_VER) && _MSC_VER >= 1600)
-#include <stdint.h>
-#else
-#include "MSStdIntC.h"
-#endif
-
-/* IWYU pragma: end_exports */
-
-#endif
diff --git a/gfx/vr/osvr/Util/TimeValueC.h b/gfx/vr/osvr/Util/TimeValueC.h
deleted file mode 100644
index 7dcead654a..0000000000
--- a/gfx/vr/osvr/Util/TimeValueC.h
+++ /dev/null
@@ -1,271 +0,0 @@
-/** @file
-    @brief Header defining a dependency-free, cross-platform substitute for
-   struct timeval
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_TimeValueC_h_GUID_A02C6917_124D_4CB3_E63E_07F2DA7144E9
-#define INCLUDED_TimeValueC_h_GUID_A02C6917_124D_4CB3_E63E_07F2DA7144E9
-
-/* Internal Includes */
-#include <osvr/Util/Export.h>
-#include <osvr/Util/APIBaseC.h>
-#include <osvr/Util/AnnotationMacrosC.h>
-#include <osvr/Util/PlatformConfig.h>
-#include <osvr/Util/StdInt.h>
-#include <osvr/Util/BoolC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @defgroup UtilTime Timestamp interaction
-    @ingroup Util
-
-    This provides a level of interoperability with struct timeval on systems
-    with that facility. It provides a neutral representation with sufficiently
-    large types.
-
-    For C++ code, use of std::chrono or boost::chrono instead is recommended.
-
-    Note that these time values may not necessarily correlate between processes
-   so should not be used to estimate or measure latency, etc.
-
-    @{
-*/
-
-/** @brief The signed integer type storing the seconds in a struct
-    OSVR_TimeValue */
-typedef int64_t OSVR_TimeValue_Seconds;
-/** @brief The signed integer type storing the microseconds in a struct
-    OSVR_TimeValue */
-typedef int32_t OSVR_TimeValue_Microseconds;
-
-/** @brief Standardized, portable parallel to struct timeval for representing
-   both absolute times and time intervals.
-
-   Where interpreted as an absolute time, its meaning is to be considered the
-   same as that of the POSIX struct timeval:
-   time since 00:00 Coordinated Universal Time (UTC), January 1, 1970.
-
-   For best results, please keep normalized. Output of all functions here
-   is normalized.
-   */
-typedef struct OSVR_TimeValue {
-    /** @brief Seconds portion of the time value. */
-    OSVR_TimeValue_Seconds seconds;
-    /** @brief Microseconds portion of the time value. */
-    OSVR_TimeValue_Microseconds microseconds;
-} OSVR_TimeValue;
-
-#ifdef OSVR_HAVE_STRUCT_TIMEVAL
-/** @brief Gets the current time in the TimeValue. Parallel to gettimeofday. */
-OSVR_UTIL_EXPORT void osvrTimeValueGetNow(OSVR_OUT OSVR_TimeValue *dest)
-    OSVR_FUNC_NONNULL((1));
-
-struct timeval; /* forward declaration */
-
-/** @brief Converts from a TimeValue struct to your system's struct timeval.
-
-    @param dest Pointer to an empty struct timeval for your platform.
-    @param src A pointer to an OSVR_TimeValue you'd like to convert from.
-
-    If either parameter is NULL, the function will return without doing
-   anything.
-*/
-OSVR_UTIL_EXPORT void
-osvrTimeValueToStructTimeval(OSVR_OUT struct timeval *dest,
-                             OSVR_IN_PTR const OSVR_TimeValue *src)
-    OSVR_FUNC_NONNULL((1, 2));
-
-/** @brief Converts from a TimeValue struct to your system's struct timeval.
-    @param dest An OSVR_TimeValue destination pointer.
-    @param src Pointer to a struct timeval you'd like to convert from.
-
-    The result is normalized.
-
-    If either parameter is NULL, the function will return without doing
-   anything.
-*/
-OSVR_UTIL_EXPORT void
-osvrStructTimevalToTimeValue(OSVR_OUT OSVR_TimeValue *dest,
-                             OSVR_IN_PTR const struct timeval *src)
-    OSVR_FUNC_NONNULL((1, 2));
-#endif
-
-/** @brief "Normalizes" a time value so that the absolute number of microseconds
-    is less than 1,000,000, and that the sign of both components is the same.
-
-    @param tv Address of a struct TimeValue to normalize in place.
-
-    If the given pointer is NULL, this function returns without doing anything.
-*/
-OSVR_UTIL_EXPORT void osvrTimeValueNormalize(OSVR_INOUT_PTR OSVR_TimeValue *tv)
-    OSVR_FUNC_NONNULL((1));
-
-/** @brief Sums two time values, replacing the first with the result.
-
-    @param tvA Destination and first source.
-    @param tvB second source
-
-    If a given pointer is NULL, this function returns without doing anything.
-
-    Both parameters are expected to be in normalized form.
-*/
-OSVR_UTIL_EXPORT void osvrTimeValueSum(OSVR_INOUT_PTR OSVR_TimeValue *tvA,
-                                       OSVR_IN_PTR const OSVR_TimeValue *tvB)
-    OSVR_FUNC_NONNULL((1, 2));
-
-/** @brief Computes the difference between two time values, replacing the first
-    with the result.
-
-    Effectively, `*tvA = *tvA - *tvB`
-
-    @param tvA Destination and first source.
-    @param tvB second source
-
-    If a given pointer is NULL, this function returns without doing anything.
-
-    Both parameters are expected to be in normalized form.
-*/
-OSVR_UTIL_EXPORT void
-osvrTimeValueDifference(OSVR_INOUT_PTR OSVR_TimeValue *tvA,
-                        OSVR_IN_PTR const OSVR_TimeValue *tvB)
-    OSVR_FUNC_NONNULL((1, 2));
-
-/** @brief  Compares two time values (assumed to be normalized), returning
-    the same values as strcmp
-
-    @return <0 if A is earlier than B, 0 if they are the same, and >0 if A
-    is later than B.
-*/
-OSVR_UTIL_EXPORT int osvrTimeValueCmp(OSVR_IN_PTR const OSVR_TimeValue *tvA,
-                                      OSVR_IN_PTR const OSVR_TimeValue *tvB)
-    OSVR_FUNC_NONNULL((1, 2));
-
-OSVR_EXTERN_C_END
-
-/** @brief Compute the difference between the two time values, returning the
-    duration as a double-precision floating-point number of seconds.
-
-    Effectively, `ret = *tvA - *tvB`
-
-    @param tvA first source.
-    @param tvB second source
-    @return Duration of timespan in seconds (floating-point)
-*/
-OSVR_INLINE double
-osvrTimeValueDurationSeconds(OSVR_IN_PTR const OSVR_TimeValue *tvA,
-                             OSVR_IN_PTR const OSVR_TimeValue *tvB) {
-    OSVR_TimeValue A = *tvA;
-    osvrTimeValueDifference(&A, tvB);
-    double dt = A.seconds + A.microseconds / 1000000.0;
-    return dt;
-}
-
-/** @brief True if A is later than B */
-OSVR_INLINE OSVR_CBool
-osvrTimeValueGreater(OSVR_IN_PTR const OSVR_TimeValue *tvA,
-                     OSVR_IN_PTR const OSVR_TimeValue *tvB) {
-    if (!tvA || !tvB) {
-        return OSVR_FALSE;
-    }
-    return ((tvA->seconds > tvB->seconds) ||
-            (tvA->seconds == tvB->seconds &&
-             tvA->microseconds > tvB->microseconds))
-               ? OSVR_TRUE
-               : OSVR_FALSE;
-}
-
-#ifdef __cplusplus
-
-#include <cmath>
-#include <cassert>
-
-/// Returns true if the time value is normalized. Typically used in assertions.
-inline bool osvrTimeValueIsNormalized(const OSVR_TimeValue &tv) {
-#ifdef __APPLE__
-    // apparently standard library used on mac only has floating-point abs?
-    return std::abs(double(tv.microseconds)) < 1000000 &&
-#else
-    return std::abs(tv.microseconds) < 1000000 &&
-#endif
-           ((tv.seconds > 0) == (tv.microseconds > 0));
-}
-
-/// True if A is later than B
-inline bool osvrTimeValueGreater(const OSVR_TimeValue &tvA,
-                                 const OSVR_TimeValue &tvB) {
-    assert(osvrTimeValueIsNormalized(tvA) &&
-           "First timevalue argument to comparison was not normalized!");
-    assert(osvrTimeValueIsNormalized(tvB) &&
-           "Second timevalue argument to comparison was not normalized!");
-    return (tvA.seconds > tvB.seconds) ||
-           (tvA.seconds == tvB.seconds && tvA.microseconds > tvB.microseconds);
-}
-
-/// Operator > overload for time values
-inline bool operator>(const OSVR_TimeValue &tvA, const OSVR_TimeValue &tvB) {
-    return osvrTimeValueGreater(tvA, tvB);
-}
-
-/// Operator < overload for time values
-inline bool operator<(const OSVR_TimeValue &tvA, const OSVR_TimeValue &tvB) {
-    // Change the order of arguments before forwarding.
-    return osvrTimeValueGreater(tvB, tvA);
-}
-
-/// Operator == overload for time values
-inline bool operator==(const OSVR_TimeValue &tvA, const OSVR_TimeValue &tvB) {
-    assert(
-        osvrTimeValueIsNormalized(tvA) &&
-        "First timevalue argument to equality comparison was not normalized!");
-    assert(
-        osvrTimeValueIsNormalized(tvB) &&
-        "Second timevalue argument to equality comparison was not normalized!");
-    return (tvA.seconds == tvB.seconds) &&
-           (tvA.microseconds == tvB.microseconds);
-}
-/// Operator == overload for time values
-inline bool operator!=(const OSVR_TimeValue &tvA, const OSVR_TimeValue &tvB) {
-    assert(osvrTimeValueIsNormalized(tvA) && "First timevalue argument to "
-                                             "inequality comparison was not "
-                                             "normalized!");
-    assert(osvrTimeValueIsNormalized(tvB) && "Second timevalue argument to "
-                                             "inequality comparison was not "
-                                             "normalized!");
-    return (tvA.seconds != tvB.seconds) ||
-           (tvA.microseconds != tvB.microseconds);
-}
-#endif
-
-/** @} */
-
-#endif
diff --git a/gfx/vr/osvr/Util/Vec2C.h b/gfx/vr/osvr/Util/Vec2C.h
deleted file mode 100644
index 0432a32e73..0000000000
--- a/gfx/vr/osvr/Util/Vec2C.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_Vec2C_h_GUID_F9715DE4_2649_4182_0F4C_D62121235D5F
-#define INCLUDED_Vec2C_h_GUID_F9715DE4_2649_4182_0F4C_D62121235D5F
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup UtilMath
-    @{
-*/
-/** @brief A structure defining a 2D vector, which represents position
-*/
-typedef struct OSVR_Vec2 {
-    /** @brief Internal array data. */
-    double data[2];
-} OSVR_Vec2;
-
-#define OSVR_VEC_MEMBER(COMPONENT, INDEX)                                      \
-    /** @brief Accessor for Vec2 component COMPONENT */                        \
-    OSVR_INLINE double osvrVec2Get##COMPONENT(OSVR_Vec2 const *v) {            \
-        return v->data[INDEX];                                                 \
-    }                                                                          \
-    /** @brief Setter for Vec2 component COMPONENT */                          \
-    OSVR_INLINE void osvrVec2Set##COMPONENT(OSVR_Vec2 *v, double val) {        \
-        v->data[INDEX] = val;                                                  \
-    }
-
-OSVR_VEC_MEMBER(X, 0)
-OSVR_VEC_MEMBER(Y, 1)
-
-#undef OSVR_VEC_MEMBER
-
-/** @brief Set a Vec2 to the zero vector */
-OSVR_INLINE void osvrVec2Zero(OSVR_Vec2 *v) {
-    osvrVec2SetX(v, 0);
-    osvrVec2SetY(v, 0);
-}
-
-/** @} */
-
-OSVR_EXTERN_C_END
-
-#ifdef __cplusplus
-template <typename StreamType>
-inline StreamType &operator<<(StreamType &os, OSVR_Vec2 const &vec) {
-    os << "(" << vec.data[0] << ", " << vec.data[1] << ")";
-    return os;
-}
-#endif
-
-#endif // INCLUDED_Vec2C_h_GUID_F9715DE4_2649_4182_0F4C_D62121235D5F
diff --git a/gfx/vr/osvr/Util/Vec3C.h b/gfx/vr/osvr/Util/Vec3C.h
deleted file mode 100644
index 6668611742..0000000000
--- a/gfx/vr/osvr/Util/Vec3C.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/** @file
-    @brief Header
-
-    Must be c-safe!
-
-    @date 2014
-
-    @author
-    Sensics, Inc.
-    <http://sensics.com/osvr>
-*/
-
-/*
-// Copyright 2014 Sensics, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-
-#ifndef INCLUDED_Vec3C_h_GUID_BF4E98ED_74CF_4785_DB61_109A00BA74DE
-#define INCLUDED_Vec3C_h_GUID_BF4E98ED_74CF_4785_DB61_109A00BA74DE
-
-/* Internal Includes */
-#include <osvr/Util/APIBaseC.h>
-
-/* Library/third-party includes */
-/* none */
-
-/* Standard includes */
-/* none */
-
-OSVR_EXTERN_C_BEGIN
-
-/** @addtogroup UtilMath
-    @{
-*/
-/** @brief A structure defining a 3D vector, often a position/translation.
-*/
-typedef struct OSVR_Vec3 {
-    /** @brief Internal array data. */
-    double data[3];
-} OSVR_Vec3;
-
-#define OSVR_VEC_MEMBER(COMPONENT, INDEX)                                      \
-    /** @brief Accessor for Vec3 component COMPONENT */                        \
-    OSVR_INLINE double osvrVec3Get##COMPONENT(OSVR_Vec3 const *v) {            \
-        return v->data[INDEX];                                                 \
-    }                                                                          \
-    /** @brief Setter for Vec3 component COMPONENT */                          \
-    OSVR_INLINE void osvrVec3Set##COMPONENT(OSVR_Vec3 *v, double val) {        \
-        v->data[INDEX] = val;                                                  \
-    }
-
-OSVR_VEC_MEMBER(X, 0)
-OSVR_VEC_MEMBER(Y, 1)
-OSVR_VEC_MEMBER(Z, 2)
-
-#undef OSVR_VEC_MEMBER
-
-/** @brief Set a Vec3 to the zero vector */
-OSVR_INLINE void osvrVec3Zero(OSVR_Vec3 *v) {
-    osvrVec3SetX(v, 0);
-    osvrVec3SetY(v, 0);
-    osvrVec3SetZ(v, 0);
-}
-
-/** @} */
-
-OSVR_EXTERN_C_END
-
-#ifdef __cplusplus
-template <typename StreamType>
-inline StreamType &operator<<(StreamType &os, OSVR_Vec3 const &vec) {
-    os << "(" << vec.data[0] << ", " << vec.data[1] << ", " << vec.data[2]
-       << ")";
-    return os;
-}
-#endif
-
-#endif
diff --git a/gfx/vr/ovr_capi_dynamic.h b/gfx/vr/ovr_capi_dynamic.h
deleted file mode 100644
index 41e313dcac..0000000000
--- a/gfx/vr/ovr_capi_dynamic.h
+++ /dev/null
@@ -1,676 +0,0 @@
-/* -*- Mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; tab-width: 40 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/* This file contains just the needed struct definitions for
- * interacting with the Oculus VR C API, without needing to #include
- * OVR_CAPI.h directly.  Note that it uses the same type names as the
- * CAPI, and cannot be #included at the same time as OVR_CAPI.h.  It
- * does not include the entire C API, just want's needed.
- */
-
-#ifdef OVR_CAPI_h
-#ifdef _MSC_VER
-#pragma message("ovr_capi_dyanmic.h: OVR_CAPI.h included before ovr_capi_dynamic.h, skipping this")
-#else
-#warning OVR_CAPI.h included before ovr_capi_dynamic.h, skipping this
-#endif
-#define mozilla_ovr_capi_dynamic_h_
-
-#else
-
-#ifndef mozilla_ovr_capi_dynamic_h_
-#define mozilla_ovr_capi_dynamic_h_
-
-#define OVR_CAPI_LIMITED_MOZILLA 1
-
-#ifdef HAVE_64BIT_BUILD
-#define OVR_PTR_SIZE 8
-#define OVR_ON64(x)     x
-#else
-#define OVR_PTR_SIZE 4
-#define OVR_ON64(x)     /**/
-#endif
-
-#if defined(_WIN32)
-#define OVR_PFN __cdecl
-#else
-#define OVR_PFN
-#endif
-
-#if !defined(OVR_ALIGNAS)
-#if defined(__GNUC__) || defined(__clang__)
-#define OVR_ALIGNAS(n) __attribute__((aligned(n)))
-#elif defined(_MSC_VER) || defined(__INTEL_COMPILER)
-#define OVR_ALIGNAS(n) __declspec(align(n))
-#elif defined(__CC_ARM)
-#define OVR_ALIGNAS(n) __align(n)
-#else
-#error Need to define OVR_ALIGNAS
-#endif
-#endif
-
-#if !defined(OVR_UNUSED_STRUCT_PAD)
-#define OVR_UNUSED_STRUCT_PAD(padName, size) char padName[size];
-#endif
-
-#ifdef __cplusplus 
-extern "C" {
-#endif
-
-typedef int32_t ovrResult;
-
-typedef enum {
-  ovrSuccess = 0,
-  ovrSuccess_NotVisible = 1000,
-  ovrSuccess_HMDFirmwareMismatch = 4100,
-  ovrSuccess_TrackerFirmwareMismatch = 4101,
-  ovrSuccess_ControllerFirmwareMismatch = 4104,
-} ovrSuccessType;
-
-typedef char ovrBool;
-typedef struct OVR_ALIGNAS(4) { int x, y; } ovrVector2i;
-typedef struct OVR_ALIGNAS(4) { int w, h; } ovrSizei;
-typedef struct OVR_ALIGNAS(4) { ovrVector2i Pos; ovrSizei Size; } ovrRecti;
-typedef struct OVR_ALIGNAS(4) { float x, y, z, w; } ovrQuatf;
-typedef struct OVR_ALIGNAS(4) { float x, y; } ovrVector2f;
-typedef struct OVR_ALIGNAS(4) { float x, y, z; } ovrVector3f;
-typedef struct OVR_ALIGNAS(4) { float M[4][4]; } ovrMatrix4f;
-
-typedef struct OVR_ALIGNAS(4) {
-  ovrQuatf Orientation;
-  ovrVector3f Position;
-} ovrPosef;
-
-typedef struct OVR_ALIGNAS(8) {
-  ovrPosef ThePose;
-  ovrVector3f AngularVelocity;
-  ovrVector3f LinearVelocity;
-  ovrVector3f AngularAcceleration;
-  ovrVector3f LinearAcceleration;
-  OVR_UNUSED_STRUCT_PAD(pad0, 4)
-  double      TimeInSeconds;
-} ovrPoseStatef;
-
-typedef struct {
-  float UpTan;
-  float DownTan;
-  float LeftTan;
-  float RightTan;
-} ovrFovPort;
-
-typedef enum {
-  ovrHmd_None      = 0,    
-  ovrHmd_DK1       = 3,
-  ovrHmd_DKHD      = 4,
-  ovrHmd_DK2       = 6,
-  ovrHmd_CB        = 8,
-  ovrHmd_Other     = 9,
-  ovrHmd_E3_2015   = 10,
-  ovrHmd_ES06      = 11,
-  ovrHmd_ES09      = 12,
-  ovrHmd_ES11      = 13,
-  ovrHmd_CV1       = 14,
-  ovrHmd_EnumSize = 0x7fffffff
-} ovrHmdType;
-
-typedef enum {
-  ovrHmdCap_DebugDevice       = 0x0010,
-  ovrHmdCap_EnumSize          = 0x7fffffff
-} ovrHmdCaps;
-
-typedef enum
-{
-  ovrTrackingCap_Orientation      = 0x0010,
-  ovrTrackingCap_MagYawCorrection = 0x0020,
-  ovrTrackingCap_Position         = 0x0040,
-  ovrTrackingCap_EnumSize         = 0x7fffffff
-} ovrTrackingCaps;
-
-typedef enum {
-  ovrEye_Left  = 0,
-  ovrEye_Right = 1,
-  ovrEye_Count = 2,
-  ovrEye_EnumSize = 0x7fffffff
-} ovrEyeType;
-
-typedef enum {
-  ovrTrackingOrigin_EyeLevel = 0,
-  ovrTrackingOrigin_FloorLevel = 1,
-  ovrTrackingOrigin_Count = 2,            ///< \internal Count of enumerated elements.
-  ovrTrackingOrigin_EnumSize = 0x7fffffff ///< \internal Force type int32_t.
-} ovrTrackingOrigin;
-
-typedef struct OVR_ALIGNAS(OVR_PTR_SIZE) {
-	char Reserved[8];
-} ovrGraphicsLuid;
-
-typedef struct OVR_ALIGNAS(OVR_PTR_SIZE) {
-  ovrHmdType  Type;
-  OVR_ON64(OVR_UNUSED_STRUCT_PAD(pad0, 4))
-  char ProductName[64];
-  char Manufacturer[64];
-  short VendorId;
-  short ProductId;
-  char SerialNumber[24];
-  short FirmwareMajor;
-  short FirmwareMinor;
-  unsigned int AvailableHmdCaps;
-  unsigned int DefaultHmdCaps;
-  unsigned int AvailableTrackingCaps;
-  unsigned int DefaultTrackingCaps;
-  ovrFovPort DefaultEyeFov[ovrEye_Count];
-  ovrFovPort MaxEyeFov[ovrEye_Count];
-  ovrSizei Resolution;
-  float DisplayRefreshRate;
-  OVR_ON64(OVR_UNUSED_STRUCT_PAD(pad1, 4))
-} ovrHmdDesc;
-
-typedef struct ovrHmdStruct* ovrSession;
-
-typedef enum {
-  ovrStatus_OrientationTracked    = 0x0001,
-  ovrStatus_PositionTracked       = 0x0002,
-  ovrStatus_EnumSize              = 0x7fffffff
-} ovrStatusBits;
-
-typedef struct OVR_ALIGNAS(OVR_PTR_SIZE) {
-  float FrustumHFovInRadians;
-  float FrustumVFovInRadians;
-  float FrustumNearZInMeters;
-  float FrustumFarZInMeters;
-} ovrTrackerDesc;
-
-typedef enum {
-  ovrTracker_Connected = 0x0020,
-  ovrTracker_PoseTracked = 0x0004
-} ovrTrackerFlags;
-
-typedef struct OVR_ALIGNAS(8) {
-  unsigned int TrackerFlags;
-  ovrPosef Pose;
-  ovrPosef LeveledPose;
-  OVR_UNUSED_STRUCT_PAD(pad0, 4)
-} ovrTrackerPose;
-
-typedef struct OVR_ALIGNAS(8) {
-  ovrPoseStatef HeadPose;
-  unsigned int StatusFlags;
-  ovrPoseStatef HandPoses[2];
-  unsigned int HandStatusFlags[2];
-  ovrPosef CalibratedOrigin;
-} ovrTrackingState;
-
-typedef struct OVR_ALIGNAS(4) {
-  ovrEyeType  Eye;
-  ovrFovPort  Fov;
-  ovrRecti    DistortedViewport;
-  ovrVector2f PixelsPerTanAngleAtCenter;
-  ovrVector3f HmdToEyeOffset;
-} ovrEyeRenderDesc;
-
-typedef struct OVR_ALIGNAS(4) {
-  float Projection22;
-  float Projection23;
-  float Projection32;
-} ovrTimewarpProjectionDesc;
-
-typedef struct OVR_ALIGNAS(4) {
-  ovrVector3f HmdToEyeViewOffset[ovrEye_Count];
-  float HmdSpaceToWorldScaleInMeters;
-} ovrViewScaleDesc;
-
-typedef enum {
-  ovrTexture_2D,
-  ovrTexture_2D_External,
-  ovrTexture_Cube,
-  ovrTexture_Count,
-  ovrTexture_EnumSize = 0x7fffffff
-} ovrTextureType;
-
-typedef enum {
-  ovrTextureBind_None,
-  ovrTextureBind_DX_RenderTarget = 0x0001,
-  ovrTextureBind_DX_UnorderedAccess = 0x0002,
-  ovrTextureBind_DX_DepthStencil = 0x0004,
-  ovrTextureBind_EnumSize = 0x7fffffff
-} ovrTextureBindFlags;
-
-typedef enum {
-  OVR_FORMAT_UNKNOWN,
-  OVR_FORMAT_B5G6R5_UNORM,
-  OVR_FORMAT_B5G5R5A1_UNORM,
-  OVR_FORMAT_B4G4R4A4_UNORM,
-  OVR_FORMAT_R8G8B8A8_UNORM,
-  OVR_FORMAT_R8G8B8A8_UNORM_SRGB,
-  OVR_FORMAT_B8G8R8A8_UNORM,
-  OVR_FORMAT_B8G8R8A8_UNORM_SRGB,
-  OVR_FORMAT_B8G8R8X8_UNORM,
-  OVR_FORMAT_B8G8R8X8_UNORM_SRGB,
-  OVR_FORMAT_R16G16B16A16_FLOAT,
-  OVR_FORMAT_D16_UNORM,
-  OVR_FORMAT_D24_UNORM_S8_UINT,
-  OVR_FORMAT_D32_FLOAT,
-  OVR_FORMAT_D32_FLOAT_S8X24_UINT,
-  OVR_FORMAT_ENUMSIZE = 0x7fffffff
-} ovrTextureFormat;
-
-typedef enum {
-  ovrTextureMisc_None,
-  ovrTextureMisc_DX_Typeless = 0x0001,
-  ovrTextureMisc_AllowGenerateMips = 0x0002,
-  ovrTextureMisc_EnumSize = 0x7fffffff
-} ovrTextureFlags;
-
-typedef struct {
-  ovrTextureType Type;
-  ovrTextureFormat Format;
-  int ArraySize;
-  int Width;
-  int Height;
-  int MipLevels;
-  int SampleCount;
-  ovrBool StaticImage;
-  unsigned int MiscFlags;
-  unsigned int BindFlags;
-} ovrTextureSwapChainDesc;
-
-typedef struct
-{
-  ovrTextureFormat Format;
-  int Width;
-  int Height;
-  unsigned int MiscFlags;
-} ovrMirrorTextureDesc;
-
-typedef void* ovrTextureSwapChain;
-typedef struct ovrMirrorTextureData* ovrMirrorTexture;
-
-
-
-typedef enum {
-  ovrButton_A = 0x00000001,
-  ovrButton_B = 0x00000002,
-  ovrButton_RThumb = 0x00000004,
-  ovrButton_RShoulder = 0x00000008,
-  ovrButton_RMask = ovrButton_A | ovrButton_B | ovrButton_RThumb | ovrButton_RShoulder,
-  ovrButton_X = 0x00000100,
-  ovrButton_Y = 0x00000200,
-  ovrButton_LThumb = 0x00000400,
-  ovrButton_LShoulder = 0x00000800,
-  ovrButton_LMask = ovrButton_X | ovrButton_Y | ovrButton_LThumb | ovrButton_LShoulder,
-  ovrButton_Up = 0x00010000,
-  ovrButton_Down = 0x00020000,
-  ovrButton_Left = 0x00040000,
-  ovrButton_Right = 0x00080000,
-  ovrButton_Enter = 0x00100000,
-  ovrButton_Back = 0x00200000,
-  ovrButton_VolUp = 0x00400000,
-  ovrButton_VolDown = 0x00800000,
-  ovrButton_Home = 0x01000000,
-  ovrButton_Private = ovrButton_VolUp | ovrButton_VolDown | ovrButton_Home,
-  ovrButton_EnumSize = 0x7fffffff
-} ovrButton;
-
-typedef enum {
-  ovrTouch_A = ovrButton_A,
-  ovrTouch_B = ovrButton_B,
-  ovrTouch_RThumb = ovrButton_RThumb,
-  ovrTouch_RIndexTrigger = 0x00000010,
-  ovrTouch_RButtonMask = ovrTouch_A | ovrTouch_B | ovrTouch_RThumb | ovrTouch_RIndexTrigger,
-  ovrTouch_X = ovrButton_X,
-  ovrTouch_Y = ovrButton_Y,
-  ovrTouch_LThumb = ovrButton_LThumb,
-  ovrTouch_LIndexTrigger = 0x00001000,
-  ovrTouch_LButtonMask = ovrTouch_X | ovrTouch_Y | ovrTouch_LThumb | ovrTouch_LIndexTrigger,
-  ovrTouch_RIndexPointing = 0x00000020,
-  ovrTouch_RThumbUp = 0x00000040,
-  ovrTouch_RPoseMask = ovrTouch_RIndexPointing | ovrTouch_RThumbUp,
-  ovrTouch_LIndexPointing = 0x00002000,
-  ovrTouch_LThumbUp = 0x00004000,
-  ovrTouch_LPoseMask = ovrTouch_LIndexPointing | ovrTouch_LThumbUp,
-  ovrTouch_EnumSize = 0x7fffffff
-} ovrTouch;
-
-typedef enum {
-  ovrControllerType_None = 0x00,
-  ovrControllerType_LTouch = 0x01,
-  ovrControllerType_RTouch = 0x02,
-  ovrControllerType_Touch = 0x03,
-  ovrControllerType_Remote = 0x04,
-  ovrControllerType_XBox = 0x10,
-  ovrControllerType_Active = 0xff,
-  ovrControllerType_EnumSize = 0x7fffffff
-} ovrControllerType;
-
-typedef enum {
-  ovrHand_Left = 0,
-  ovrHand_Right = 1,
-  ovrHand_Count = 2,
-  ovrHand_EnumSize = 0x7fffffff
-} ovrHandType;
-
-typedef struct {
-  double TimeInSeconds;
-  unsigned int Buttons;
-  unsigned int Touches;
-  float IndexTrigger[ovrHand_Count];
-  float HandTrigger[ovrHand_Count];
-  ovrVector2f Thumbstick[ovrHand_Count];
-  ovrControllerType ControllerType;
-} ovrInputState;
-
-typedef enum {
-  ovrInit_Debug          = 0x00000001,
-  ovrInit_RequestVersion = 0x00000004,
-  ovrinit_WritableBits   = 0x00ffffff,
-  ovrInit_EnumSize       = 0x7fffffff
-} ovrInitFlags;
-
-typedef enum {
-  ovrLogLevel_Debug = 0,
-  ovrLogLevel_Info  = 1,
-  ovrLogLevel_Error = 2,
-  ovrLogLevel_EnumSize = 0x7fffffff
-} ovrLogLevel;
-
-typedef void (OVR_PFN* ovrLogCallback)(uintptr_t userData, int level, const char* message);
-
-typedef struct OVR_ALIGNAS(8) {
-  uint32_t Flags;
-  uint32_t RequestedMinorVersion;
-  ovrLogCallback LogCallback;
-  uintptr_t UserData;
-  uint32_t ConnectionTimeoutMS;
-  OVR_ON64(OVR_UNUSED_STRUCT_PAD(pad0, 4))
-} ovrInitParams;
-
-typedef ovrResult(OVR_PFN* pfn_ovr_Initialize)(const ovrInitParams* params);
-typedef void (OVR_PFN* pfn_ovr_Shutdown)();
-
-typedef struct {
-  ovrResult Result;
-  char      ErrorString[512];
-} ovrErrorInfo;
-
-typedef void (OVR_PFN* pfn_ovr_GetLastErrorInfo)(ovrErrorInfo* errorInfo);
-typedef const char* (OVR_PFN* pfn_ovr_GetVersionString)();
-typedef int (OVR_PFN* pfn_ovr_TraceMessage)(int level, const char* message);
-typedef ovrHmdDesc (OVR_PFN* pfn_ovr_GetHmdDesc)(ovrSession session);
-typedef unsigned int (OVR_PFN* pfn_ovr_GetTrackerCount)(ovrSession session);
-typedef ovrTrackerDesc* (OVR_PFN* pfn_ovr_GetTrackerDesc)(ovrSession session, unsigned int trackerDescIndex);
-typedef ovrResult (OVR_PFN* pfn_ovr_Create)(ovrSession* pSession, ovrGraphicsLuid* pLuid);
-typedef void (OVR_PFN* pfn_ovr_Destroy)(ovrSession session);
-
-typedef struct {
-  ovrBool IsVisible;
-  ovrBool HmdPresent;
-  ovrBool HmdMounted;
-  ovrBool DisplayLost;
-  ovrBool ShouldQuit;
-  ovrBool ShouldRecenter;
-} ovrSessionStatus;
-
-typedef ovrResult (OVR_PFN* pfn_ovr_GetSessionStatus)(ovrSession session, ovrSessionStatus* sessionStatus);
-
-typedef ovrResult (OVR_PFN* pfn_ovr_SetTrackingOriginType)(ovrSession session, ovrTrackingOrigin origin);
-typedef ovrTrackingOrigin (OVR_PFN* pfn_ovr_GetTrackingOriginType)(ovrSession session);
-typedef ovrResult (OVR_PFN* pfn_ovr_RecenterTrackingOrigin)(ovrSession session);
-typedef void (OVR_PFN* pfn_ovr_ClearShouldRecenterFlag)(ovrSession session);
-typedef ovrTrackingState (OVR_PFN* pfn_ovr_GetTrackingState)(ovrSession session, double absTime, ovrBool latencyMarker);
-typedef ovrTrackerPose (OVR_PFN* pfn_ovr_GetTrackerPose)(ovrSession session, unsigned int trackerPoseIndex);
-typedef ovrResult (OVR_PFN* pfn_ovr_GetInputState)(ovrSession session, ovrControllerType controllerType, ovrInputState* inputState);
-typedef unsigned int (OVR_PFN* pfn_ovr_GetConnectedControllerTypes)(ovrSession session);
-typedef ovrResult (OVR_PFN* pfn_ovr_SetControllerVibration)(ovrSession session, ovrControllerType controllerType, float frequency, float amplitude);
-
-enum {
-  ovrMaxLayerCount = 16
-};
-
-typedef enum {
-  ovrLayerType_Disabled       = 0,
-  ovrLayerType_EyeFov         = 1,
-  ovrLayerType_Quad           = 3,
-  ovrLayerType_EyeMatrix      = 5,
-  ovrLayerType_EnumSize       = 0x7fffffff
-} ovrLayerType;
-
-typedef enum {
-  ovrLayerFlag_HighQuality               = 0x01,
-  ovrLayerFlag_TextureOriginAtBottomLeft = 0x02,
-  ovrLayerFlag_HeadLocked                = 0x04
-} ovrLayerFlags;
-
-typedef struct OVR_ALIGNAS(OVR_PTR_SIZE) {
-  ovrLayerType Type;
-  unsigned Flags;
-} ovrLayerHeader;
-
-typedef struct OVR_ALIGNAS(OVR_PTR_SIZE) {
-  ovrLayerHeader Header;
-  ovrTextureSwapChain ColorTexture[ovrEye_Count];
-  ovrRecti Viewport[ovrEye_Count];
-  ovrFovPort Fov[ovrEye_Count];
-  ovrPosef RenderPose[ovrEye_Count];
-  double SensorSampleTime;
-} ovrLayerEyeFov;
-
-typedef struct OVR_ALIGNAS(OVR_PTR_SIZE) {
-  ovrLayerHeader Header;
-  ovrTextureSwapChain ColorTexture[ovrEye_Count];
-  ovrRecti Viewport[ovrEye_Count];
-  ovrPosef RenderPose[ovrEye_Count];
-  ovrMatrix4f Matrix[ovrEye_Count];
-  double SensorSampleTime;
-} ovrLayerEyeMatrix;
-
-typedef struct OVR_ALIGNAS(OVR_PTR_SIZE) {
-  ovrLayerHeader Header;
-  ovrTextureSwapChain ColorTexture;
-  ovrRecti Viewport;
-  ovrPosef QuadPoseCenter;
-  ovrVector2f QuadSize;
-} ovrLayerQuad;
-
-typedef union {
-  ovrLayerHeader Header;
-  ovrLayerEyeFov EyeFov;
-  ovrLayerQuad Quad;
-} ovrLayer_Union;
-
-
-typedef ovrResult (OVR_PFN* pfn_ovr_GetTextureSwapChainLength)(ovrSession session, ovrTextureSwapChain chain, int* out_Length);
-typedef ovrResult (OVR_PFN* pfn_ovr_GetTextureSwapChainCurrentIndex)(ovrSession session, ovrTextureSwapChain chain, int* out_Index);
-typedef ovrResult (OVR_PFN* pfn_ovr_GetTextureSwapChainDesc)(ovrSession session, ovrTextureSwapChain chain, ovrTextureSwapChainDesc* out_Desc);
-typedef ovrResult (OVR_PFN* pfn_ovr_CommitTextureSwapChain)(ovrSession session, ovrTextureSwapChain chain);
-typedef void (OVR_PFN* pfn_ovr_DestroyTextureSwapChain)(ovrSession session, ovrTextureSwapChain chain);
-typedef void (OVR_PFN* pfn_ovr_DestroyMirrorTexture)(ovrSession session, ovrMirrorTexture mirrorTexture);
-typedef ovrSizei(OVR_PFN* pfn_ovr_GetFovTextureSize)(ovrSession session, ovrEyeType eye, ovrFovPort fov, float pixelsPerDisplayPixel);
-typedef ovrEyeRenderDesc(OVR_PFN* pfn_ovr_GetRenderDesc)(ovrSession session, ovrEyeType eyeType, ovrFovPort fov);
-typedef ovrResult(OVR_PFN* pfn_ovr_SubmitFrame)(ovrSession session, unsigned int frameIndex,
-	const ovrViewScaleDesc* viewScaleDesc,
-	ovrLayerHeader const * const * layerPtrList, unsigned int layerCount);
-typedef double (OVR_PFN* pfn_ovr_GetPredictedDisplayTime)(ovrSession session, long long frameIndex);
-typedef double (OVR_PFN* pfn_ovr_GetTimeInSeconds)();
-
-
-typedef enum {
-  ovrPerfHud_Off = 0,
-  ovrPerfHud_PerfSummary = 1,
-  ovrPerfHud_LatencyTiming = 2,
-  ovrPerfHud_AppRenderTiming = 3,
-  ovrPerfHud_CompRenderTiming = 4,
-  ovrPerfHud_VersionInfo = 5,
-  ovrPerfHud_Count = 6,
-  ovrPerfHud_EnumSize = 0x7fffffff
-} ovrPerfHudMode;
-
-typedef enum {
-  ovrLayerHud_Off = 0,
-  ovrLayerHud_Info = 1,
-  ovrLayerHud_EnumSize = 0x7fffffff
-} ovrLayerHudMode;
-
-typedef enum {
-  ovrDebugHudStereo_Off = 0,
-  ovrDebugHudStereo_Quad = 1,
-  ovrDebugHudStereo_QuadWithCrosshair = 2,
-  ovrDebugHudStereo_CrosshairAtInfinity = 3,
-  ovrDebugHudStereo_Count,
-  ovrDebugHudStereo_EnumSize = 0x7fffffff
-} ovrDebugHudStereoMode;
-
-typedef ovrBool(OVR_PFN* pfn_ovr_GetBool)(ovrSession session, const char* propertyName, ovrBool defaultVal);
-typedef ovrBool(OVR_PFN* pfn_ovr_SetBool)(ovrSession session, const char* propertyName, ovrBool value); 
-typedef int (OVR_PFN* pfn_ovr_GetInt)(ovrSession session, const char* propertyName, int defaultVal);
-typedef ovrBool (OVR_PFN* pfn_ovr_SetInt)(ovrSession session, const char* propertyName, int value);
-typedef float (OVR_PFN* pfn_ovr_GetFloat)(ovrSession session, const char* propertyName, float defaultVal);
-typedef ovrBool (OVR_PFN* pfn_ovr_SetFloat)(ovrSession session, const char* propertyName, float value);
-typedef unsigned int (OVR_PFN* pfn_ovr_GetFloatArray)(ovrSession session, const char* propertyName,
-  float values[], unsigned int valuesCapacity);
-typedef ovrBool (OVR_PFN* pfn_ovr_SetFloatArray)(ovrSession session, const char* propertyName,
-  const float values[], unsigned int valuesSize);
-typedef const char* (OVR_PFN* pfn_ovr_GetString)(ovrSession session, const char* propertyName,
-  const char* defaultVal);
-typedef ovrBool (OVR_PFN* pfn_ovr_SetString)(ovrSession session, const char* propertyName,
-  const char* value);
-
-
-
-typedef enum {
-  ovrError_MemoryAllocationFailure = -1000,
-  ovrError_SocketCreationFailure = -1001,
-  ovrError_InvalidSession = -1002,
-  ovrError_Timeout = -1003,
-  ovrError_NotInitialized = -1004,
-  ovrError_InvalidParameter = -1005,
-  ovrError_ServiceError = -1006,
-  ovrError_NoHmd = -1007,
-  ovrError_Unsupported = -1009,
-  ovrError_DeviceUnavailable = -1010,
-  ovrError_InvalidHeadsetOrientation = -1011,
-  ovrError_ClientSkippedDestroy = -1012,
-  ovrError_ClientSkippedShutdown = -1013,
-  ovrError_AudioReservedBegin = -2000,
-  ovrError_AudioDeviceNotFound = -2001,
-  ovrError_AudioComError = -2002,
-  ovrError_AudioReservedEnd = -2999,
-  ovrError_Initialize = -3000,
-  ovrError_LibLoad = -3001,
-  ovrError_LibVersion = -3002,
-  ovrError_ServiceConnection = -3003,
-  ovrError_ServiceVersion = -3004,
-  ovrError_IncompatibleOS = -3005,
-  ovrError_DisplayInit = -3006,
-  ovrError_ServerStart = -3007,
-  ovrError_Reinitialization = -3008,
-  ovrError_MismatchedAdapters = -3009,
-  ovrError_LeakingResources = -3010,
-  ovrError_ClientVersion = -3011,
-  ovrError_OutOfDateOS = -3012,
-  ovrError_OutOfDateGfxDriver = -3013,
-  ovrError_IncompatibleGPU = -3014,
-  ovrError_NoValidVRDisplaySystem = -3015,
-  ovrError_Obsolete = -3016,
-  ovrError_DisabledOrDefaultAdapter = -3017,
-  ovrError_HybridGraphicsNotSupported = -3018,
-  ovrError_DisplayManagerInit = -3019,
-  ovrError_TrackerDriverInit = -3020,
-  ovrError_InvalidBundleAdjustment = -4000,
-  ovrError_USBBandwidth = -4001,
-  ovrError_USBEnumeratedSpeed = -4002,
-  ovrError_ImageSensorCommError = -4003,
-  ovrError_GeneralTrackerFailure = -4004,
-  ovrError_ExcessiveFrameTruncation = -4005,
-  ovrError_ExcessiveFrameSkipping = -4006,
-  ovrError_SyncDisconnected = -4007,
-  ovrError_TrackerMemoryReadFailure = -4008,
-  ovrError_TrackerMemoryWriteFailure = -4009,
-  ovrError_TrackerFrameTimeout = -4010,
-  ovrError_TrackerTruncatedFrame = -4011,
-  ovrError_TrackerDriverFailure = -4012,
-  ovrError_TrackerNRFFailure = -4013,
-  ovrError_HardwareGone = -4014,
-  ovrError_NordicEnabledNoSync = -4015,
-  ovrError_NordicSyncNoFrames = -4016,
-  ovrError_CatastrophicFailure = -4017,
-  ovrError_HMDFirmwareMismatch = -4100,
-  ovrError_TrackerFirmwareMismatch = -4101,
-  ovrError_BootloaderDeviceDetected = -4102,
-  ovrError_TrackerCalibrationError = -4103,
-  ovrError_ControllerFirmwareMismatch = -4104,
-  ovrError_IMUTooManyLostSamples = -4200,
-  ovrError_IMURateError = -4201,
-  ovrError_FeatureReportFailure = -4202,
-  ovrError_Incomplete = -5000,
-  ovrError_Abandoned = -5001,
-  ovrError_DisplayLost = -6000,
-  ovrError_TextureSwapChainFull = -6001,
-  ovrError_TextureSwapChainInvalid = -6002,
-  ovrError_RuntimeException = -7000,
-  ovrError_MetricsUnknownApp = -90000,
-  ovrError_MetricsDuplicateApp = -90001,
-  ovrError_MetricsNoEvents = -90002,
-  ovrError_MetricsRuntime = -90003,
-  ovrError_MetricsFile = -90004,
-  ovrError_MetricsNoClientInfo = -90005,
-  ovrError_MetricsNoAppMetaData = -90006,
-  ovrError_MetricsNoApp = -90007,
-  ovrError_MetricsOafFailure = -90008,
-  ovrError_MetricsSessionAlreadyActive = -90009,
-  ovrError_MetricsSessionNotActive = -90010,
-} ovrErrorType;
-
-
-#ifdef XP_WIN
-
-struct IUnknown;
-
-typedef ovrResult (OVR_PFN* pfn_ovr_CreateTextureSwapChainDX)(ovrSession session,
-	IUnknown* d3dPtr,
-	const ovrTextureSwapChainDesc* desc,
-	ovrTextureSwapChain* out_TextureSwapChain);
-
-typedef ovrResult (OVR_PFN* pfn_ovr_GetTextureSwapChainBufferDX)(ovrSession session,
-	ovrTextureSwapChain chain,
-	int index,
-	IID iid,
-	void** out_Buffer);
-
-typedef ovrResult (OVR_PFN* pfn_ovr_CreateMirrorTextureDX)(ovrSession session,
-	IUnknown* d3dPtr,
-	const ovrMirrorTextureDesc* desc,
-	ovrMirrorTexture* out_MirrorTexture);
-
-typedef ovrResult (OVR_PFN* pfn_ovr_GetMirrorTextureBufferDX)(ovrSession session,
-	ovrMirrorTexture mirrorTexture,
-	IID iid,
-	void** out_Buffer);
-
-#endif
-
-
-typedef ovrResult (OVR_PFN* pfn_ovr_CreateTextureSwapChainGL)(ovrSession session,
-	const ovrTextureSwapChainDesc* desc,
-	ovrTextureSwapChain* out_TextureSwapChain);
-
-typedef ovrResult (OVR_PFN* pfn_ovr_GetTextureSwapChainBufferGL)(ovrSession session,
-	ovrTextureSwapChain chain,
-	int index,
-	unsigned int* out_TexId);
-
-typedef ovrResult (OVR_PFN* pfn_ovr_CreateMirrorTextureGL)(ovrSession session,
-	const ovrMirrorTextureDesc* desc,
-	ovrMirrorTexture* out_MirrorTexture);
-
-typedef ovrResult (OVR_PFN* pfn_ovr_GetMirrorTextureBufferGL)(ovrSession session,
-	ovrMirrorTexture mirrorTexture,
-	unsigned int* out_TexId);
-
-#ifdef __cplusplus 
-}
-#endif
-
-#endif /* mozilla_ovr_capi_dynamic_h_ */
-#endif /* OVR_CAPI_h */
diff --git a/image/AnimationParams.h b/image/AnimationParams.h
new file mode 100644
index 0000000000..dc403a4e8e
--- /dev/null
+++ b/image/AnimationParams.h
@@ -0,0 +1,47 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_image_AnimationParams_h
+#define mozilla_image_AnimationParams_h
+
+#include <stdint.h>
+#include "mozilla/gfx/Rect.h"
+#include "FrameTimeout.h"
+
+namespace mozilla {
+namespace image {
+
+enum class BlendMethod : int8_t {
+  // All color components of the frame, including alpha, overwrite the current
+  // contents of the frame's output buffer region.
+  SOURCE,
+
+  // The frame should be composited onto the output buffer based on its alpha,
+  // using a simple OVER operation.
+  OVER
+};
+
+enum class DisposalMethod : int8_t {
+  CLEAR_ALL = -1,  // Clear the whole image, revealing what's underneath.
+  NOT_SPECIFIED,   // Leave the frame and let the new frame draw on top.
+  KEEP,            // Leave the frame and let the new frame draw on top.
+  CLEAR,           // Clear the frame's area, revealing what's underneath.
+  RESTORE_PREVIOUS // Restore the previous (composited) frame.
+};
+
+struct AnimationParams
+{
+  gfx::IntRect mBlendRect;
+  FrameTimeout mTimeout;
+  uint32_t mFrameNum;
+  BlendMethod mBlendMethod;
+  DisposalMethod mDisposalMethod;
+};
+
+} // namespace image
+} // namespace mozilla
+
+#endif // mozilla_image_AnimationParams_h
diff --git a/image/Decoder.cpp b/image/Decoder.cpp
index f9b1034cfa..5ff8c72b56 100644
--- a/image/Decoder.cpp
+++ b/image/Decoder.cpp
@@ -278,14 +278,14 @@ Decoder::Telemetry() const
 }
 
 nsresult
-Decoder::AllocateFrame(uint32_t aFrameNum,
-                       const gfx::IntSize& aOutputSize,
+Decoder::AllocateFrame(const gfx::IntSize& aOutputSize,
                        const gfx::IntRect& aFrameRect,
                        gfx::SurfaceFormat aFormat,
-                       uint8_t aPaletteDepth)
+                       uint8_t aPaletteDepth,
+                       const Maybe<AnimationParams>& aAnimParams)
 {
-  mCurrentFrame = AllocateFrameInternal(aFrameNum, aOutputSize, aFrameRect,
-                                        aFormat, aPaletteDepth,
+  mCurrentFrame = AllocateFrameInternal(aOutputSize, aFrameRect, aFormat,
+                                        aPaletteDepth, aAnimParams,
                                         mCurrentFrame.get());
 
   if (mCurrentFrame) {
@@ -295,7 +295,7 @@ Decoder::AllocateFrame(uint32_t aFrameNum,
 
     // We should now be on |aFrameNum|. (Note that we're comparing the frame
     // number, which is zero-based, with the frame count, which is one-based.)
-    MOZ_ASSERT(aFrameNum + 1 == mFrameCount);
+    MOZ_ASSERT_IF(aAnimParams, aAnimParams->mFrameNum + 1 == mFrameCount);
 
     // If we're past the first frame, PostIsAnimated() should've been called.
     MOZ_ASSERT_IF(mFrameCount > 1, HasAnimation());
@@ -309,18 +309,19 @@ Decoder::AllocateFrame(uint32_t aFrameNum,
 }
 
 RawAccessFrameRef
-Decoder::AllocateFrameInternal(uint32_t aFrameNum,
-                               const gfx::IntSize& aOutputSize,
+Decoder::AllocateFrameInternal(const gfx::IntSize& aOutputSize,
                                const gfx::IntRect& aFrameRect,
                                SurfaceFormat aFormat,
                                uint8_t aPaletteDepth,
+                               const Maybe<AnimationParams>& aAnimParams,
                                imgFrame* aPreviousFrame)
 {
   if (HasError()) {
     return RawAccessFrameRef();
   }
 
-  if (aFrameNum != mFrameCount) {
+  uint32_t frameNum = aAnimParams ? aAnimParams->mFrameNum : 0;
+  if (frameNum != mFrameCount) {
     MOZ_ASSERT_UNREACHABLE("Allocating frames out of order");
     return RawAccessFrameRef();
   }
@@ -334,7 +335,8 @@ Decoder::AllocateFrameInternal(uint32_t aFrameNum,
   NotNull<RefPtr<imgFrame>> frame = WrapNotNull(new imgFrame());
   bool nonPremult = bool(mSurfaceFlags & SurfaceFlags::NO_PREMULTIPLY_ALPHA);
   if (NS_FAILED(frame->InitForDecoder(aOutputSize, aFrameRect, aFormat,
-                                      aPaletteDepth, nonPremult))) {
+                                      aPaletteDepth, nonPremult,
+                                      aAnimParams))) {
     NS_WARNING("imgFrame::Init should succeed");
     return RawAccessFrameRef();
   }
@@ -345,22 +347,22 @@ Decoder::AllocateFrameInternal(uint32_t aFrameNum,
     return RawAccessFrameRef();
   }
 
-  if (aFrameNum == 1) {
+  if (frameNum == 1) {
     MOZ_ASSERT(aPreviousFrame, "Must provide a previous frame when animated");
     aPreviousFrame->SetRawAccessOnly();
 
     // If we dispose of the first frame by clearing it, then the first frame's
     // refresh area is all of itself.
     // RESTORE_PREVIOUS is invalid (assumed to be DISPOSE_CLEAR).
-    AnimationData previousFrameData = aPreviousFrame->GetAnimationData();
-    if (previousFrameData.mDisposalMethod == DisposalMethod::CLEAR ||
-        previousFrameData.mDisposalMethod == DisposalMethod::CLEAR_ALL ||
-        previousFrameData.mDisposalMethod == DisposalMethod::RESTORE_PREVIOUS) {
-      mFirstFrameRefreshArea = previousFrameData.mRect;
+    DisposalMethod prevDisposal = aPreviousFrame->GetDisposalMethod();
+    if (prevDisposal == DisposalMethod::CLEAR ||
+        prevDisposal == DisposalMethod::CLEAR_ALL ||
+        prevDisposal == DisposalMethod::RESTORE_PREVIOUS) {
+      mFirstFrameRefreshArea = aPreviousFrame->GetRect();
     }
   }
 
-  if (aFrameNum > 0) {
+  if (frameNum > 0) {
     ref->SetRawAccessOnly();
 
     // Some GIFs are huge but only have a small area that they animate. We only
@@ -432,13 +434,7 @@ Decoder::PostIsAnimated(FrameTimeout aFirstFrameTimeout)
 }
 
 void
-Decoder::PostFrameStop(Opacity aFrameOpacity
-                         /* = Opacity::SOME_TRANSPARENCY */,
-                       DisposalMethod aDisposalMethod
-                         /* = DisposalMethod::KEEP */,
-                       FrameTimeout aTimeout /* = FrameTimeout::Forever() */,
-                       BlendMethod aBlendMethod /* = BlendMethod::OVER */,
-                       const Maybe<nsIntRect>& aBlendRect /* = Nothing() */)
+Decoder::PostFrameStop(Opacity aFrameOpacity)
 {
   // We should be mid-frame
   MOZ_ASSERT(!IsMetadataDecode(), "Stopping frame during metadata decode");
@@ -449,12 +445,11 @@ Decoder::PostFrameStop(Opacity aFrameOpacity
   mInFrame = false;
   mFinishedNewFrame = true;
 
-  mCurrentFrame->Finish(aFrameOpacity, aDisposalMethod, aTimeout,
-                        aBlendMethod, aBlendRect);
+  mCurrentFrame->Finish(aFrameOpacity);
 
   mProgress |= FLAG_FRAME_COMPLETE;
 
-  mLoopLength += aTimeout;
+  mLoopLength += mCurrentFrame->GetTimeout();
 
   // If we're not sending partial invalidations, then we send an invalidation
   // here when the first frame is complete.
diff --git a/image/Decoder.h b/image/Decoder.h
index 065a3c2135..ed0c196876 100644
--- a/image/Decoder.h
+++ b/image/Decoder.h
@@ -11,6 +11,7 @@
 #include "mozilla/Maybe.h"
 #include "mozilla/NotNull.h"
 #include "mozilla/RefPtr.h"
+#include "AnimationParams.h"
 #include "DecodePool.h"
 #include "DecoderFlags.h"
 #include "Downscaler.h"
@@ -28,6 +29,8 @@ namespace Telemetry {
 
 namespace image {
 
+class imgFrame;
+
 struct DecoderFinalStatus final
 {
   DecoderFinalStatus(bool aWasMetadataDecode,
@@ -443,11 +446,7 @@ protected:
   // Specify whether this frame is opaque as an optimization.
   // For animated images, specify the disposal, blend method and timeout for
   // this frame.
-  void PostFrameStop(Opacity aFrameOpacity = Opacity::SOME_TRANSPARENCY,
-                     DisposalMethod aDisposalMethod = DisposalMethod::KEEP,
-                     FrameTimeout aTimeout = FrameTimeout::Forever(),
-                     BlendMethod aBlendMethod = BlendMethod::OVER,
-                     const Maybe<nsIntRect>& aBlendRect = Nothing());
+  void PostFrameStop(Opacity aFrameOpacity = Opacity::SOME_TRANSPARENCY);
 
   /**
    * Called by the decoders when they have a region to invalidate. We may not
@@ -476,16 +475,13 @@ protected:
   /**
    * Allocates a new frame, making it our current frame if successful.
    *
-   * The @aFrameNum parameter only exists as a sanity check; it's illegal to
-   * create a new frame anywhere but immediately after the existing frames.
-   *
    * If a non-paletted frame is desired, pass 0 for aPaletteDepth.
    */
-  nsresult AllocateFrame(uint32_t aFrameNum,
-                         const gfx::IntSize& aOutputSize,
+  nsresult AllocateFrame(const gfx::IntSize& aOutputSize,
                          const gfx::IntRect& aFrameRect,
                          gfx::SurfaceFormat aFormat,
-                         uint8_t aPaletteDepth = 0);
+                         uint8_t aPaletteDepth = 0,
+                         const Maybe<AnimationParams>& aAnimParams = Nothing());
 
 private:
   /// Report that an error was encountered while decoding.
@@ -509,11 +505,11 @@ private:
     return mInFrame ? mFrameCount - 1 : mFrameCount;
   }
 
-  RawAccessFrameRef AllocateFrameInternal(uint32_t aFrameNum,
-                                          const gfx::IntSize& aOutputSize,
+  RawAccessFrameRef AllocateFrameInternal(const gfx::IntSize& aOutputSize,
                                           const gfx::IntRect& aFrameRect,
                                           gfx::SurfaceFormat aFormat,
                                           uint8_t aPaletteDepth,
+                                          const Maybe<AnimationParams>& aAnimParams,
                                           imgFrame* aPreviousFrame);
 
 protected:
diff --git a/image/DownscalingFilter.h b/image/DownscalingFilter.h
index 1485b85c20..936abdcd5d 100644
--- a/image/DownscalingFilter.h
+++ b/image/DownscalingFilter.h
@@ -74,7 +74,7 @@ public:
   Maybe<SurfaceInvalidRect> TakeInvalidRect() override { return Nothing(); }
 
   template <typename... Rest>
-  nsresult Configure(const DownscalingConfig& aConfig, Rest... aRest)
+  nsresult Configure(const DownscalingConfig& aConfig, const Rest&... aRest)
   {
     return NS_ERROR_FAILURE;
   }
@@ -115,7 +115,7 @@ public:
   }
 
   template <typename... Rest>
-  nsresult Configure(const DownscalingConfig& aConfig, Rest... aRest)
+  nsresult Configure(const DownscalingConfig& aConfig, const Rest&... aRest)
   {
     nsresult rv = mNext.Configure(aRest...);
     if (NS_FAILED(rv)) {
diff --git a/image/FrameTimeout.h b/image/FrameTimeout.h
new file mode 100644
index 0000000000..4070bba65b
--- /dev/null
+++ b/image/FrameTimeout.h
@@ -0,0 +1,119 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_image_FrameTimeout_h
+#define mozilla_image_FrameTimeout_h
+
+#include <stdint.h>
+#include "mozilla/Assertions.h"
+
+namespace mozilla {
+namespace image {
+
+/**
+ * FrameTimeout wraps a frame timeout value (measured in milliseconds) after
+ * first normalizing it. This normalization is necessary because some tools
+ * generate incorrect frame timeout values which we nevertheless have to
+ * support. For this reason, code that deals with frame timeouts should always
+ * use a FrameTimeout value rather than the raw value from the image header.
+ */
+struct FrameTimeout
+{
+  /**
+   * @return a FrameTimeout of zero. This should be used only for math
+   * involving FrameTimeout values. You can't obtain a zero FrameTimeout from
+   * FromRawMilliseconds().
+   */
+  static FrameTimeout Zero() { return FrameTimeout(0); }
+
+  /// @return an infinite FrameTimeout.
+  static FrameTimeout Forever() { return FrameTimeout(-1); }
+
+  /// @return a FrameTimeout obtained by normalizing a raw timeout value.
+  static FrameTimeout FromRawMilliseconds(int32_t aRawMilliseconds)
+  {
+    // Normalize all infinite timeouts to the same value.
+    if (aRawMilliseconds < 0) {
+      return FrameTimeout::Forever();
+    }
+
+    // Very small timeout values are problematic for two reasons: we don't want
+    // to burn energy redrawing animated images extremely fast, and broken tools
+    // generate these values when they actually want a "default" value, so such
+    // images won't play back right without normalization. For some context,
+    // see bug 890743, bug 125137, bug 139677, and bug 207059. The historical
+    // behavior of IE and Opera was:
+    //   IE 6/Win:
+    //     10 - 50ms is normalized to 100ms.
+    //     >50ms is used unnormalized.
+    //   Opera 7 final/Win:
+    //     10ms is normalized to 100ms.
+    //     >10ms is used unnormalized.
+    if (aRawMilliseconds >= 0 && aRawMilliseconds <= 10 ) {
+      return FrameTimeout(100);
+    }
+
+    // The provided timeout value is OK as-is.
+    return FrameTimeout(aRawMilliseconds);
+  }
+
+  bool operator==(const FrameTimeout& aOther) const
+  {
+    return mTimeout == aOther.mTimeout;
+  }
+
+  bool operator!=(const FrameTimeout& aOther) const { return !(*this == aOther); }
+
+  FrameTimeout operator+(const FrameTimeout& aOther)
+  {
+    if (*this == Forever() || aOther == Forever()) {
+      return Forever();
+    }
+
+    return FrameTimeout(mTimeout + aOther.mTimeout);
+  }
+
+  FrameTimeout& operator+=(const FrameTimeout& aOther)
+  {
+    *this = *this + aOther;
+    return *this;
+  }
+
+  /**
+   * @return this FrameTimeout's value in milliseconds. Illegal to call on a
+   * an infinite FrameTimeout value.
+   */
+  uint32_t AsMilliseconds() const
+  {
+    if (*this == Forever()) {
+      MOZ_ASSERT_UNREACHABLE("Calling AsMilliseconds() on an infinite FrameTimeout");
+      return 100;  // Fail to something sane.
+    }
+
+    return uint32_t(mTimeout);
+  }
+
+  /**
+   * @return this FrameTimeout value encoded so that non-negative values
+   * represent a timeout in milliseconds, and -1 represents an infinite
+   * timeout.
+   *
+   * XXX(seth): This is a backwards compatibility hack that should be removed.
+   */
+  int32_t AsEncodedValueDeprecated() const { return mTimeout; }
+
+private:
+  explicit FrameTimeout(int32_t aTimeout)
+    : mTimeout(aTimeout)
+  { }
+
+  int32_t mTimeout;
+};
+
+} // namespace image
+} // namespace mozilla
+
+#endif // mozilla_image_FrameTimeout_h
diff --git a/image/SurfaceFilters.h b/image/SurfaceFilters.h
index 1885661b97..70c8d4087d 100644
--- a/image/SurfaceFilters.h
+++ b/image/SurfaceFilters.h
@@ -70,7 +70,7 @@ public:
   { }
 
   template <typename... Rest>
-  nsresult Configure(const DeinterlacingConfig<PixelType>& aConfig, Rest... aRest)
+  nsresult Configure(const DeinterlacingConfig<PixelType>& aConfig, const Rest&... aRest)
   {
     nsresult rv = mNext.Configure(aRest...);
     if (NS_FAILED(rv)) {
@@ -360,7 +360,7 @@ public:
   { }
 
   template <typename... Rest>
-  nsresult Configure(const RemoveFrameRectConfig& aConfig, Rest... aRest)
+  nsresult Configure(const RemoveFrameRectConfig& aConfig, const Rest&... aRest)
   {
     nsresult rv = mNext.Configure(aRest...);
     if (NS_FAILED(rv)) {
@@ -590,7 +590,7 @@ public:
   { }
 
   template <typename... Rest>
-  nsresult Configure(const ADAM7InterpolatingConfig& aConfig, Rest... aRest)
+  nsresult Configure(const ADAM7InterpolatingConfig& aConfig, const Rest&... aRest)
   {
     nsresult rv = mNext.Configure(aRest...);
     if (NS_FAILED(rv)) {
diff --git a/image/SurfacePipe.cpp b/image/SurfacePipe.cpp
index 5c306144a0..8823151124 100644
--- a/image/SurfacePipe.cpp
+++ b/image/SurfacePipe.cpp
@@ -104,10 +104,11 @@ SurfaceSink::Configure(const SurfaceConfig& aConfig)
   // XXX(seth): Once every Decoder subclass uses SurfacePipe, we probably want
   // to allocate the frame directly here and get rid of Decoder::AllocateFrame
   // altogether.
-  nsresult rv = aConfig.mDecoder->AllocateFrame(aConfig.mFrameNum,
-                                                surfaceSize,
+  nsresult rv = aConfig.mDecoder->AllocateFrame(surfaceSize,
                                                 frameRect,
-                                                aConfig.mFormat);
+                                                aConfig.mFormat,
+                                                /* aPaletteDepth */ 0,
+                                                aConfig.mAnimParams);
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -154,11 +155,11 @@ PalettedSurfaceSink::Configure(const PalettedSurfaceConfig& aConfig)
   // XXX(seth): Once every Decoder subclass uses SurfacePipe, we probably want
   // to allocate the frame directly here and get rid of Decoder::AllocateFrame
   // altogether.
-  nsresult rv = aConfig.mDecoder->AllocateFrame(aConfig.mFrameNum,
-                                                aConfig.mOutputSize,
+  nsresult rv = aConfig.mDecoder->AllocateFrame(aConfig.mOutputSize,
                                                 aConfig.mFrameRect,
                                                 aConfig.mFormat,
-                                                aConfig.mPaletteDepth);
+                                                aConfig.mPaletteDepth,
+                                                aConfig.mAnimParams);
   if (NS_FAILED(rv)) {
     return rv;
   }
diff --git a/image/SurfacePipe.h b/image/SurfacePipe.h
index f046afa56c..61c8d30df8 100644
--- a/image/SurfacePipe.h
+++ b/image/SurfacePipe.h
@@ -34,6 +34,8 @@
 #include "mozilla/Variant.h"
 #include "mozilla/gfx/2D.h"
 
+#include "AnimationParams.h"
+
 namespace mozilla {
 namespace image {
 
@@ -722,10 +724,10 @@ struct SurfaceConfig
 {
   using Filter = SurfaceSink;
   Decoder* mDecoder;           /// Which Decoder to use to allocate the surface.
-  uint32_t mFrameNum;          /// Which frame of animation this surface is for.
   gfx::IntSize mOutputSize;    /// The size of the surface.
   gfx::SurfaceFormat mFormat;  /// The surface format (BGRA or BGRX).
   bool mFlipVertically;        /// If true, write the rows from bottom to top.
+  Maybe<AnimationParams> mAnimParams; /// Given for animated images.
 };
 
 /**
@@ -750,12 +752,12 @@ struct PalettedSurfaceConfig
 {
   using Filter = PalettedSurfaceSink;
   Decoder* mDecoder;           /// Which Decoder to use to allocate the surface.
-  uint32_t mFrameNum;          /// Which frame of animation this surface is for.
   gfx::IntSize mOutputSize;    /// The logical size of the surface.
   gfx::IntRect mFrameRect;     /// The surface subrect which contains data.
   gfx::SurfaceFormat mFormat;  /// The surface format (BGRA or BGRX).
   uint8_t mPaletteDepth;       /// The palette depth of this surface.
   bool mFlipVertically;        /// If true, write the rows from bottom to top.
+  Maybe<AnimationParams> mAnimParams; /// Given for animated images.
 };
 
 /**
diff --git a/image/SurfacePipeFactory.h b/image/SurfacePipeFactory.h
index ff53fec5c2..4571f2e136 100644
--- a/image/SurfacePipeFactory.h
+++ b/image/SurfacePipeFactory.h
@@ -70,8 +70,6 @@ public:
    *
    * @param aDecoder The decoder whose current frame the SurfacePipe will write
    *                 to.
-   * @param aFrameNum Which frame the SurfacePipe will write to. This will be 0
-   *                  for non-animated images.
    * @param aInputSize The original size of the image.
    * @param aOutputSize The size the SurfacePipe should output. Must be the same
    *                    as @aInputSize or smaller. If smaller, the image will be
@@ -79,6 +77,7 @@ public:
    * @param aFrameRect The portion of the image that actually contains data.
    * @param aFormat The surface format of the image; generally B8G8R8A8 or
    *                B8G8R8X8.
+   * @param aAnimParams Extra parameters used by animated images.
    * @param aFlags Flags enabling or disabling various functionality for the
    *               SurfacePipe; see the SurfacePipeFlags documentation for more
    *               information.
@@ -89,11 +88,11 @@ public:
    */
   static Maybe<SurfacePipe>
   CreateSurfacePipe(Decoder* aDecoder,
-                    uint32_t aFrameNum,
                     const nsIntSize& aInputSize,
                     const nsIntSize& aOutputSize,
                     const nsIntRect& aFrameRect,
                     gfx::SurfaceFormat aFormat,
+                    const Maybe<AnimationParams>& aAnimParams,
                     SurfacePipeFlags aFlags)
   {
     const bool deinterlace = bool(aFlags & SurfacePipeFlags::DEINTERLACE);
@@ -125,8 +124,8 @@ public:
     ADAM7InterpolatingConfig interpolatingConfig;
     RemoveFrameRectConfig removeFrameRectConfig { aFrameRect };
     DownscalingConfig downscalingConfig { aInputSize, aFormat };
-    SurfaceConfig surfaceConfig { aDecoder, aFrameNum, aOutputSize,
-                                  aFormat, flipVertically };
+    SurfaceConfig surfaceConfig { aDecoder, aOutputSize, aFormat,
+                                  flipVertically, aAnimParams };
 
     Maybe<SurfacePipe> pipe;
 
@@ -181,13 +180,12 @@ public:
    *
    * @param aDecoder The decoder whose current frame the SurfacePipe will write
    *                 to.
-   * @param aFrameNum Which frame the SurfacePipe will write to. This will be 0
-   *                  for non-animated images.
    * @param aInputSize The original size of the image.
    * @param aFrameRect The portion of the image that actually contains data.
    * @param aFormat The surface format of the image; generally B8G8R8A8 or
    *                B8G8R8X8.
    * @param aPaletteDepth The palette depth of the image.
+   * @param aAnimParams Extra parameters used by animated images.
    * @param aFlags Flags enabling or disabling various functionality for the
    *               SurfacePipe; see the SurfacePipeFlags documentation for more
    *               information.
@@ -198,11 +196,11 @@ public:
    */
   static Maybe<SurfacePipe>
   CreatePalettedSurfacePipe(Decoder* aDecoder,
-                            uint32_t aFrameNum,
                             const nsIntSize& aInputSize,
                             const nsIntRect& aFrameRect,
                             gfx::SurfaceFormat aFormat,
                             uint8_t aPaletteDepth,
+                            const Maybe<AnimationParams>& aAnimParams,
                             SurfacePipeFlags aFlags)
   {
     const bool deinterlace = bool(aFlags & SurfacePipeFlags::DEINTERLACE);
@@ -211,9 +209,9 @@ public:
 
     // Construct configurations for the SurfaceFilters.
     DeinterlacingConfig<uint8_t> deinterlacingConfig { progressiveDisplay };
-    PalettedSurfaceConfig palettedSurfaceConfig { aDecoder, aFrameNum, aInputSize,
-                                                  aFrameRect, aFormat, aPaletteDepth,
-                                                  flipVertically };
+    PalettedSurfaceConfig palettedSurfaceConfig { aDecoder, aInputSize, aFrameRect,
+                                                  aFormat, aPaletteDepth,
+                                                  flipVertically, aAnimParams };
 
     Maybe<SurfacePipe> pipe;
 
@@ -229,7 +227,7 @@ public:
 private:
   template <typename... Configs>
   static Maybe<SurfacePipe>
-  MakePipe(Configs... aConfigs)
+  MakePipe(const Configs&... aConfigs)
   {
     auto pipe = MakeUnique<typename detail::FilterPipeline<Configs...>::Type>();
     nsresult rv = pipe->Configure(aConfigs...);
diff --git a/image/decoders/nsBMPDecoder.cpp b/image/decoders/nsBMPDecoder.cpp
index 1f0449e4e6..42bb3486a8 100644
--- a/image/decoders/nsBMPDecoder.cpp
+++ b/image/decoders/nsBMPDecoder.cpp
@@ -674,8 +674,7 @@ nsBMPDecoder::ReadBitfields(const char* aData, size_t aLength)
   }
 
   MOZ_ASSERT(!mImageData, "Already have a buffer allocated?");
-  nsresult rv = AllocateFrame(/* aFrameNum = */ 0, OutputSize(),
-                              FullOutputFrame(),
+  nsresult rv = AllocateFrame(OutputSize(), FullOutputFrame(),
                               mMayHaveTransparency ? SurfaceFormat::B8G8R8A8
                                                    : SurfaceFormat::B8G8R8X8);
   if (NS_FAILED(rv)) {
diff --git a/image/decoders/nsGIFDecoder2.cpp b/image/decoders/nsGIFDecoder2.cpp
index 7955438e47..6f2be1fa18 100644
--- a/image/decoders/nsGIFDecoder2.cpp
+++ b/image/decoders/nsGIFDecoder2.cpp
@@ -187,6 +187,14 @@ nsGIFDecoder2::BeginImageFrame(const IntRect& aFrameRect,
   // Make sure there's no animation if we're downscaling.
   MOZ_ASSERT_IF(Size() != OutputSize(), !GetImageMetadata().HasAnimation());
 
+  AnimationParams animParams {
+    aFrameRect,
+    FrameTimeout::FromRawMilliseconds(mGIFStruct.delay_time),
+    uint32_t(mGIFStruct.images_decoded),
+    BlendMethod::OVER,
+    DisposalMethod(mGIFStruct.disposal_method)
+  };
+
   SurfacePipeFlags pipeFlags = aIsInterlaced
                              ? SurfacePipeFlags::DEINTERLACE
                              : SurfacePipeFlags();
@@ -198,17 +206,24 @@ nsGIFDecoder2::BeginImageFrame(const IntRect& aFrameRect,
 
     // The first frame is always decoded into an RGB surface.
     pipe =
-      SurfacePipeFactory::CreateSurfacePipe(this, mGIFStruct.images_decoded,
-                                            Size(), OutputSize(),
-                                            aFrameRect, format, pipeFlags);
+      SurfacePipeFactory::CreateSurfacePipe(this, Size(), OutputSize(),
+                                            aFrameRect, format,
+                                            Some(animParams), pipeFlags);
   } else {
     // This is an animation frame (and not the first). To minimize the memory
     // usage of animations, the image data is stored in paletted form.
+    //
+    // We should never use paletted surfaces with a draw target directly, so
+    // the only practical difference between B8G8R8A8 and B8G8R8X8 is the
+    // cleared pixel value if we get truncated. We want 0 in that case to
+    // ensure it is an acceptable value for the color map as was the case
+    // historically.
     MOZ_ASSERT(Size() == OutputSize());
     pipe =
-      SurfacePipeFactory::CreatePalettedSurfacePipe(this, mGIFStruct.images_decoded,
-                                                    Size(), aFrameRect, format,
-                                                    aDepth, pipeFlags);
+      SurfacePipeFactory::CreatePalettedSurfacePipe(this, Size(), aFrameRect,
+                                                    SurfaceFormat::B8G8R8A8,
+                                                    aDepth, Some(animParams),
+                                                    pipeFlags);
   }
 
   mCurrentFrameIndex = mGIFStruct.images_decoded;
@@ -249,9 +264,7 @@ nsGIFDecoder2::EndImageFrame()
   mGIFStruct.images_decoded++;
 
   // Tell the superclass we finished a frame
-  PostFrameStop(opacity,
-                DisposalMethod(mGIFStruct.disposal_method),
-                FrameTimeout::FromRawMilliseconds(mGIFStruct.delay_time));
+  PostFrameStop(opacity);
 
   // Reset the transparent pixel
   if (mOldColor) {
diff --git a/image/decoders/nsIconDecoder.cpp b/image/decoders/nsIconDecoder.cpp
index 9ca63f5adb..b186874c66 100644
--- a/image/decoders/nsIconDecoder.cpp
+++ b/image/decoders/nsIconDecoder.cpp
@@ -70,8 +70,9 @@ nsIconDecoder::ReadHeader(const char* aData)
 
   MOZ_ASSERT(!mImageData, "Already have a buffer allocated?");
   Maybe<SurfacePipe> pipe =
-    SurfacePipeFactory::CreateSurfacePipe(this, 0, Size(), OutputSize(),
+    SurfacePipeFactory::CreateSurfacePipe(this, Size(), OutputSize(),
                                           FullFrame(), SurfaceFormat::B8G8R8A8,
+                                          /* aAnimParams */ Nothing(),
                                           SurfacePipeFlags());
   if (!pipe) {
     return Transition::TerminateFailure();
diff --git a/image/decoders/nsJPEGDecoder.cpp b/image/decoders/nsJPEGDecoder.cpp
index e76ffcbaf8..7dac18e271 100644
--- a/image/decoders/nsJPEGDecoder.cpp
+++ b/image/decoders/nsJPEGDecoder.cpp
@@ -388,8 +388,8 @@ nsJPEGDecoder::ReadJPEGData(const char* aData, size_t aLength)
                            jpeg_has_multiple_scans(&mInfo);
 
     MOZ_ASSERT(!mImageData, "Already have a buffer allocated?");
-    nsresult rv = AllocateFrame(/* aFrameNum = */ 0, OutputSize(),
-                                FullOutputFrame(), SurfaceFormat::B8G8R8X8);
+    nsresult rv = AllocateFrame(OutputSize(), FullOutputFrame(),
+                                SurfaceFormat::B8G8R8X8);
     if (NS_FAILED(rv)) {
       mState = JPEG_ERROR;
       MOZ_LOG(sJPEGDecoderAccountingLog, LogLevel::Debug,
diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp
index 9596ae7d67..1f19c41bc4 100644
--- a/image/decoders/nsPNGDecoder.cpp
+++ b/image/decoders/nsPNGDecoder.cpp
@@ -208,6 +208,25 @@ nsPNGDecoder::CreateFrame(const FrameInfo& aFrameInfo)
   MOZ_ASSERT_IF(Size() != OutputSize(),
                 transparency != TransparencyType::eFrameRect);
 
+  Maybe<AnimationParams> animParams;
+#ifdef PNG_APNG_SUPPORTED
+  if (png_get_valid(mPNG, mInfo, PNG_INFO_acTL)) {
+    mAnimInfo = AnimFrameInfo(mPNG, mInfo);
+
+    if (mAnimInfo.mDispose == DisposalMethod::CLEAR) {
+      // We may have to display the background under this image during
+      // animation playback, so we regard it as transparent.
+      PostHasTransparency();
+    }
+
+    animParams.emplace(AnimationParams {
+      aFrameInfo.mFrameRect,
+      FrameTimeout::FromRawMilliseconds(mAnimInfo.mTimeout),
+      mNumFrames, mAnimInfo.mBlend, mAnimInfo.mDispose
+    });
+  }
+#endif
+
   // If this image is interlaced, we can display better quality intermediate
   // results to the user by post processing them with ADAM7InterpolatingFilter.
   SurfacePipeFlags pipeFlags = aFrameInfo.mIsInterlaced
@@ -220,9 +239,9 @@ nsPNGDecoder::CreateFrame(const FrameInfo& aFrameInfo)
   }
 
   Maybe<SurfacePipe> pipe =
-    SurfacePipeFactory::CreateSurfacePipe(this, mNumFrames, Size(),
-                                          OutputSize(), aFrameInfo.mFrameRect,
-                                          format, pipeFlags);
+    SurfacePipeFactory::CreateSurfacePipe(this, Size(), OutputSize(),
+                                          aFrameInfo.mFrameRect, format,
+                                          animParams, pipeFlags);
 
   if (!pipe) {
     mPipe = SurfacePipe();
@@ -239,18 +258,6 @@ nsPNGDecoder::CreateFrame(const FrameInfo& aFrameInfo)
           "image frame with %dx%d pixels for decoder %p",
           mFrameRect.width, mFrameRect.height, this));
 
-#ifdef PNG_APNG_SUPPORTED
-  if (png_get_valid(mPNG, mInfo, PNG_INFO_acTL)) {
-    mAnimInfo = AnimFrameInfo(mPNG, mInfo);
-
-    if (mAnimInfo.mDispose == DisposalMethod::CLEAR) {
-      // We may have to display the background under this image during
-      // animation playback, so we regard it as transparent.
-      PostHasTransparency();
-    }
-  }
-#endif
-
   return NS_OK;
 }
 
@@ -269,9 +276,7 @@ nsPNGDecoder::EndImageFrame()
     opacity = Opacity::FULLY_OPAQUE;
   }
 
-  PostFrameStop(opacity, mAnimInfo.mDispose,
-                FrameTimeout::FromRawMilliseconds(mAnimInfo.mTimeout),
-                mAnimInfo.mBlend, Some(mFrameRect));
+  PostFrameStop(opacity);
 }
 
 nsresult
diff --git a/image/decoders/nsWebPDecoder.cpp b/image/decoders/nsWebPDecoder.cpp
index 6ed2c3e9cd..4f3cc8b2ad 100644
--- a/image/decoders/nsWebPDecoder.cpp
+++ b/image/decoders/nsWebPDecoder.cpp
@@ -19,10 +19,6 @@ static LazyLogModule sWebPLog("WebPDecoder");
 
 nsWebPDecoder::nsWebPDecoder(RasterImage* aImage)
   : Decoder(aImage)
-  , mLexer(Transition::ToUnbuffered(State::FINISHED_WEBP_DATA,
-                                    State::WEBP_DATA,
-                                    SIZE_MAX),
-           Transition::TerminateSuccess())
   , mDecoder(nullptr)
   , mBlend(BlendMethod::OVER)
   , mDisposal(DisposalMethod::KEEP)
@@ -30,6 +26,13 @@ nsWebPDecoder::nsWebPDecoder(RasterImage* aImage)
   , mFormat(SurfaceFormat::B8G8R8X8)
   , mLastRow(0)
   , mCurrentFrame(0)
+  , mData(nullptr)
+  , mLength(0)
+  , mIteratorComplete(false)
+  , mNeedDemuxer(true)
+  , mGotColorProfile(false)
+  , mInProfile(nullptr)
+  , mTransform(nullptr)
 {
   MOZ_LOG(sWebPLog, LogLevel::Debug,
       ("[this=%p] nsWebPDecoder::nsWebPDecoder", this));
@@ -39,27 +42,157 @@ nsWebPDecoder::~nsWebPDecoder()
 {
   MOZ_LOG(sWebPLog, LogLevel::Debug,
       ("[this=%p] nsWebPDecoder::~nsWebPDecoder", this));
-  WebPIDelete(mDecoder);
+  if (mDecoder) {
+    WebPIDelete(mDecoder);
+    WebPFreeDecBuffer(&mBuffer);
+  }
+  if (mInProfile) {
+    // mTransform belongs to us only if mInProfile is non-null
+    if (mTransform) {
+      qcms_transform_release(mTransform);
+    }
+    qcms_profile_release(mInProfile);
+  }
+}
+
+LexerResult
+nsWebPDecoder::ReadData()
+{
+  MOZ_ASSERT(mData);
+  MOZ_ASSERT(mLength > 0);
+
+  WebPDemuxer* demuxer = nullptr;
+  bool complete = mIteratorComplete;
+
+  if (mNeedDemuxer) {
+    WebPDemuxState state;
+    WebPData fragment;
+    fragment.bytes = mData;
+    fragment.size = mLength;
+
+    demuxer = WebPDemuxPartial(&fragment, &state);
+    if (state == WEBP_DEMUX_PARSE_ERROR) {
+      MOZ_LOG(sWebPLog, LogLevel::Error,
+          ("[this=%p] nsWebPDecoder::ReadData -- demux parse error\n", this));
+      WebPDemuxDelete(demuxer);
+      return LexerResult(TerminalState::FAILURE);
+    }
+
+    if (state == WEBP_DEMUX_PARSING_HEADER) {
+      WebPDemuxDelete(demuxer);
+      return LexerResult(Yield::NEED_MORE_DATA);
+    }
+
+    if (!demuxer) {
+      MOZ_LOG(sWebPLog, LogLevel::Error,
+          ("[this=%p] nsWebPDecoder::ReadData -- no demuxer\n", this));
+      return LexerResult(TerminalState::FAILURE);
+    }
+
+    complete = complete || state == WEBP_DEMUX_DONE;
+  }
+
+  LexerResult rv(TerminalState::FAILURE);
+  if (!HasSize()) {
+    rv = ReadHeader(demuxer, complete);
+  } else {
+    rv = ReadPayload(demuxer, complete);
+  }
+
+  WebPDemuxDelete(demuxer);
+  return rv;
 }
 
 LexerResult
 nsWebPDecoder::DoDecode(SourceBufferIterator& aIterator, IResumable* aOnResume)
 {
+  while (true) {
+    SourceBufferIterator::State state = SourceBufferIterator::COMPLETE;
+    if (!mIteratorComplete) {
+      state = aIterator.AdvanceOrScheduleResume(SIZE_MAX, aOnResume);
+
+      // We need to remember since we can't advance a complete iterator.
+      mIteratorComplete = state == SourceBufferIterator::COMPLETE;
+    }
+
+    if (state == SourceBufferIterator::WAITING) {
+      return LexerResult(Yield::NEED_MORE_DATA);
+    }
+
+    LexerResult rv = UpdateBuffer(aIterator, state);
+    if (rv.is<Yield>() && rv.as<Yield>() == Yield::NEED_MORE_DATA) {
+      // We need to check the iterator to see if more is available before
+      // giving up unless we are already complete.
+      if (mIteratorComplete) {
+        MOZ_LOG(sWebPLog, LogLevel::Error,
+            ("[this=%p] nsWebPDecoder::DoDecode -- read all data, "
+             "but needs more\n", this));
+        return LexerResult(TerminalState::FAILURE);
+      }
+      continue;
+    }
+
+    return rv;
+  }
+}
+
+LexerResult
+nsWebPDecoder::UpdateBuffer(SourceBufferIterator& aIterator,
+                            SourceBufferIterator::State aState)
+{
   MOZ_ASSERT(!HasError(), "Shouldn't call DoDecode after error!");
 
-  return mLexer.Lex(aIterator, aOnResume,
-                    [=](State aState, const char* aData, size_t aLength) {
-    switch (aState) {
-      case State::WEBP_DATA:
-        if (!HasSize()) {
-          return ReadHeader(aData, aLength);
-        }
-        return ReadPayload(aData, aLength);
-      case State::FINISHED_WEBP_DATA:
-        return FinishedData();
+  switch (aState) {
+    case SourceBufferIterator::READY:
+      if (!mData) {
+        // For as long as we hold onto an iterator, we know the data pointers
+        // to the chunks cannot change underneath us, so save the pointer to
+        // the first block.
+        MOZ_ASSERT(mLength == 0);
+        mData = reinterpret_cast<const uint8_t*>(aIterator.Data());
+      }
+      mLength += aIterator.Length();
+      return ReadData();
+    case SourceBufferIterator::COMPLETE:
+      return ReadData();
+    default:
+      MOZ_LOG(sWebPLog, LogLevel::Error,
+          ("[this=%p] nsWebPDecoder::DoDecode -- bad state\n", this));
+      return LexerResult(TerminalState::FAILURE);
+  }
+
+  // We need to buffer. If we have no data buffered, we need to get everything
+  // from the first chunk of the source buffer before appending the new data.
+  if (mBufferedData.empty()) {
+    MOZ_ASSERT(mData);
+    MOZ_ASSERT(mLength > 0);
+
+    if (!mBufferedData.append(mData, mLength)) {
+      MOZ_LOG(sWebPLog, LogLevel::Error,
+          ("[this=%p] nsWebPDecoder::DoDecode -- oom, initialize %zu\n",
+           this, mLength));
+      return LexerResult(TerminalState::FAILURE);
     }
-    MOZ_CRASH("Unknown State");
-  });
+
+    MOZ_LOG(sWebPLog, LogLevel::Debug,
+        ("[this=%p] nsWebPDecoder::DoDecode -- buffered %zu bytes\n",
+         this, mLength));
+  }
+
+  // Append the incremental data from the iterator.
+  if (!mBufferedData.append(aIterator.Data(), aIterator.Length())) {
+    MOZ_LOG(sWebPLog, LogLevel::Error,
+        ("[this=%p] nsWebPDecoder::DoDecode -- oom, append %zu on %zu\n",
+         this, aIterator.Length(), mBufferedData.length()));
+    return LexerResult(TerminalState::FAILURE);
+  }
+
+  MOZ_LOG(sWebPLog, LogLevel::Debug,
+      ("[this=%p] nsWebPDecoder::DoDecode -- buffered %zu -> %zu bytes\n",
+       this, aIterator.Length(), mBufferedData.length()));
+  mData = mBufferedData.begin();
+  mLength = mBufferedData.length();
+  return ReadData();
 }
 
 nsresult
@@ -69,13 +202,22 @@ nsWebPDecoder::CreateFrame(const nsIntRect& aFrameRect)
   MOZ_ASSERT(!mDecoder);
 
   MOZ_LOG(sWebPLog, LogLevel::Debug,
-      ("[this=%p] nsWebPDecoder::CreateFrame -- frame %u, %d x %d\n",
-       this, mCurrentFrame, aFrameRect.width, aFrameRect.height));
+      ("[this=%p] nsWebPDecoder::CreateFrame -- frame %u, (%d, %d) %d x %d\n",
+       this, mCurrentFrame, aFrameRect.x, aFrameRect.y,
+       aFrameRect.width, aFrameRect.height));
+
+  if (aFrameRect.width <= 0 || aFrameRect.height <= 0) {
+    MOZ_LOG(sWebPLog, LogLevel::Error,
+        ("[this=%p] nsWebPDecoder::CreateFrame -- bad frame rect\n",
+         this));
+    return NS_ERROR_FAILURE;
+  }
 
   // If this is our first frame in an animation and it doesn't cover the
   // full frame, then we are transparent even if there is no alpha
   if (mCurrentFrame == 0 && !aFrameRect.IsEqualEdges(FullFrame())) {
     MOZ_ASSERT(HasAnimation());
+    mFormat = SurfaceFormat::B8G8R8A8;
     PostHasTransparency();
   }
 
@@ -90,16 +232,22 @@ nsWebPDecoder::CreateFrame(const nsIntRect& aFrameRect)
     return NS_ERROR_FAILURE;
   }
 
+  SurfacePipeFlags pipeFlags = SurfacePipeFlags();
+
+  AnimationParams animParams {
+    aFrameRect, mTimeout, mCurrentFrame, mBlend, mDisposal
+  };
+
   Maybe<SurfacePipe> pipe = SurfacePipeFactory::CreateSurfacePipe(this,
-      mCurrentFrame, Size(), OutputSize(), aFrameRect,
-      mFormat, SurfacePipeFlags());
+      Size(), OutputSize(), aFrameRect, mFormat, Some(animParams), pipeFlags);
   if (!pipe) {
     MOZ_LOG(sWebPLog, LogLevel::Error,
         ("[this=%p] nsWebPDecoder::CreateFrame -- no pipe\n", this));
     return NS_ERROR_FAILURE;
   }
 
-  mPipe = Move(*pipe);
+  mFrameRect = aFrameRect;
+  mPipe = std::move(*pipe);
   return NS_OK;
 }
 
@@ -118,154 +266,149 @@ nsWebPDecoder::EndFrame()
        this, mCurrentFrame, (int)opacity, (int)mDisposal,
        mTimeout.AsEncodedValueDeprecated(), (int)mBlend));
 
-  PostFrameStop(opacity, mDisposal, mTimeout, mBlend);
-  WebPFreeDecBuffer(&mBuffer);
+  PostFrameStop(opacity);
   WebPIDelete(mDecoder);
+  WebPFreeDecBuffer(&mBuffer);
   mDecoder = nullptr;
   mLastRow = 0;
   ++mCurrentFrame;
 }
 
-nsresult
-nsWebPDecoder::GetDataBuffer(const uint8_t*& aData, size_t& aLength)
+void
+nsWebPDecoder::ApplyColorProfile(const char* aProfile, size_t aLength)
 {
-  if (!mData.empty() && mData.begin() != aData) {
-    if (!mData.append(aData, aLength)) {
-      MOZ_LOG(sWebPLog, LogLevel::Error,
-          ("[this=%p] nsWebPDecoder::GetDataBuffer -- oom, append %zu on %zu\n",
-           this, aLength, mData.length()));
-      return NS_ERROR_OUT_OF_MEMORY;
-    }
-    aData = mData.begin();
-    aLength = mData.length();
+  MOZ_ASSERT(!mGotColorProfile);
+  mGotColorProfile = true;
+
+  if (GetSurfaceFlags() & SurfaceFlags::NO_COLORSPACE_CONVERSION) {
+    return;
   }
-  return NS_OK;
-}
 
-nsresult
-nsWebPDecoder::SaveDataBuffer(const uint8_t* aData, size_t aLength)
-{
-  if (mData.empty() && !mData.append(aData, aLength)) {
+  auto mode = gfxPlatform::GetCMSMode();
+  if (mode == eCMSMode_Off || (mode == eCMSMode_TaggedOnly && !aProfile)) {
+    return;
+  }
+
+  if (!aProfile || !gfxPlatform::GetCMSOutputProfile()) {
+    MOZ_LOG(sWebPLog, LogLevel::Debug,
+      ("[this=%p] nsWebPDecoder::ApplyColorProfile -- not tagged or no output "
+       "profile , use sRGB transform\n", this));
+    mTransform = gfxPlatform::GetCMSRGBATransform();
+    return;
+  }
+
+  mInProfile = qcms_profile_from_memory(aProfile, aLength);
+  if (!mInProfile) {
     MOZ_LOG(sWebPLog, LogLevel::Error,
-        ("[this=%p] nsWebPDecoder::SaveDataBuffer -- oom, append %zu on %zu\n",
-         this, aLength, mData.length()));
-    return NS_ERROR_OUT_OF_MEMORY;
+      ("[this=%p] nsWebPDecoder::ApplyColorProfile -- bad color profile\n",
+       this));
+    return;
   }
-  return NS_OK;
+
+  // Calculate rendering intent.
+  int intent = gfxPlatform::GetRenderingIntent();
+  if (intent == -1) {
+    intent = qcms_profile_get_rendering_intent(mInProfile);
+  }
+
+  // Create the color management transform.
+  mTransform = qcms_transform_create(mInProfile,
+                                     QCMS_DATA_RGBA_8,
+                                     gfxPlatform::GetCMSOutputProfile(),
+                                     QCMS_DATA_RGBA_8,
+                                     (qcms_intent)intent);
+  MOZ_LOG(sWebPLog, LogLevel::Debug,
+    ("[this=%p] nsWebPDecoder::ApplyColorProfile -- use tagged "
+     "transform\n", this));
 }
 
-LexerTransition<nsWebPDecoder::State>
-nsWebPDecoder::ReadHeader(const char* aData, size_t aLength)
+LexerResult
+nsWebPDecoder::ReadHeader(WebPDemuxer* aDemuxer,
+                          bool aIsComplete)
 {
+  MOZ_ASSERT(aDemuxer);
+
   MOZ_LOG(sWebPLog, LogLevel::Debug,
-      ("[this=%p] nsWebPDecoder::ReadHeader -- %zu bytes\n", this, aLength));
-
-  // XXX(aosmond): In an ideal world, we could request the lexer to do this
-  // buffering for us (and in turn the underlying SourceBuffer). That way we
-  // could avoid extra copies during the decode and just do
-  // SourceBuffer::Compact on each iteration. For a typical WebP image we
-  // can hope that we will get the full header in the first packet, but
-  // for animated images we will end up buffering the whole stream if it
-  // not already fully received and contiguous.
-  auto data = (const uint8_t*)aData;
-  size_t length = aLength;
-  if (NS_FAILED(GetDataBuffer(data, length))) {
-    return Transition::TerminateFailure();
-  }
+      ("[this=%p] nsWebPDecoder::ReadHeader -- %zu bytes\n", this, mLength));
 
-  WebPBitstreamFeatures features;
-  VP8StatusCode status = WebPGetFeatures(data, length, &features);
-  switch (status) {
-    case VP8_STATUS_OK:
-      break;
-    case VP8_STATUS_NOT_ENOUGH_DATA:
-      if (NS_FAILED(SaveDataBuffer(data, length))) {
-        return Transition::TerminateFailure();
+  uint32_t flags = WebPDemuxGetI(aDemuxer, WEBP_FF_FORMAT_FLAGS);
+
+  if (!IsMetadataDecode() && !mGotColorProfile) {
+    if (flags & WebPFeatureFlags::ICCP_FLAG) {
+      WebPChunkIterator iter;
+      if (!WebPDemuxGetChunk(aDemuxer, "ICCP", 1, &iter)) {
+        return aIsComplete ? LexerResult(TerminalState::FAILURE)
+                           : LexerResult(Yield::NEED_MORE_DATA);
       }
-      return Transition::ContinueUnbuffered(State::WEBP_DATA);
-    default:
-      MOZ_LOG(sWebPLog, LogLevel::Error,
-          ("[this=%p] nsWebPDecoder::ReadHeader -- parse error %d\n",
-           this, status));
-      return Transition::TerminateFailure();
+
+      ApplyColorProfile(reinterpret_cast<const char*>(iter.chunk.bytes),
+                        iter.chunk.size);
+      WebPDemuxReleaseChunkIterator(&iter);
+    } else {
+      ApplyColorProfile(nullptr, 0);
+    }
   }
 
-  if (features.has_animation) {
+  if (flags & WebPFeatureFlags::ANIMATION_FLAG) {
     // A metadata decode expects to get the correct first frame timeout which
     // sadly is not provided by the normal WebP header parsing.
-    WebPDemuxState state;
-    WebPData fragment;
-    fragment.bytes = data;
-    fragment.size = length;
-    WebPDemuxer* demuxer = WebPDemuxPartial(&fragment, &state);
-    if (!demuxer || state == WEBP_DEMUX_PARSE_ERROR) {
-      MOZ_LOG(sWebPLog, LogLevel::Error,
-          ("[this=%p] nsWebPDecoder::ReadHeader -- demux parse error\n", this));
-      WebPDemuxDelete(demuxer);
-      return Transition::TerminateFailure();
-    }
-
     WebPIterator iter;
-    if (!WebPDemuxGetFrame(demuxer, 1, &iter)) {
-      WebPDemuxDelete(demuxer);
-      if (state == WEBP_DEMUX_DONE) {
-        MOZ_LOG(sWebPLog, LogLevel::Error,
-            ("[this=%p] nsWebPDecoder::ReadHeader -- demux parse error\n",
-             this));
-        return Transition::TerminateFailure();
-      }
-      if (NS_FAILED(SaveDataBuffer(data, length))) {
-        return Transition::TerminateFailure();
-      }
-      return Transition::ContinueUnbuffered(State::WEBP_DATA);
+    if (!WebPDemuxGetFrame(aDemuxer, 1, &iter)) {
+      return aIsComplete ? LexerResult(TerminalState::FAILURE)
+                         : LexerResult(Yield::NEED_MORE_DATA);
     }
 
     PostIsAnimated(FrameTimeout::FromRawMilliseconds(iter.duration));
     WebPDemuxReleaseIterator(&iter);
-    WebPDemuxDelete(demuxer);
+  } else {
+    // Single frames don't need a demuxer to be created.
+    mNeedDemuxer = false;
   }
 
-  MOZ_LOG(sWebPLog, LogLevel::Debug,
-      ("[this=%p] nsWebPDecoder::ReadHeader -- %d x %d, alpha %d, "
-       "animation %d, format %d, metadata decode %d, first frame decode %d\n",
-       this, features.width, features.height, features.has_alpha,
-       features.has_animation, features.format, IsMetadataDecode(),
-       IsFirstFrameDecode()));
-
-  PostSize(features.width, features.height);
-  if (features.has_alpha) {
+  uint32_t width = WebPDemuxGetI(aDemuxer, WEBP_FF_CANVAS_WIDTH);
+  uint32_t height = WebPDemuxGetI(aDemuxer, WEBP_FF_CANVAS_HEIGHT);
+  if (width > INT32_MAX || height > INT32_MAX) {
+    return LexerResult(TerminalState::FAILURE);
+  }
+
+  PostSize(width, height);
+
+  bool alpha = flags & WebPFeatureFlags::ALPHA_FLAG;
+  if (alpha) {
     mFormat = SurfaceFormat::B8G8R8A8;
     PostHasTransparency();
   }
 
+  MOZ_LOG(sWebPLog, LogLevel::Debug,
+      ("[this=%p] nsWebPDecoder::ReadHeader -- %u x %u, alpha %d, "
+       "animation %d, metadata decode %d, first frame decode %d\n",
+       this, width, height, alpha, HasAnimation(),
+       IsMetadataDecode(), IsFirstFrameDecode()));
+
   if (IsMetadataDecode()) {
-    return Transition::TerminateSuccess();
+    return LexerResult(TerminalState::SUCCESS);
   }
 
-  auto transition = ReadPayload((const char*)data, length);
-  if (!features.has_animation) {
-    mData.clearAndFree();
-  }
-  return transition;
+  return ReadPayload(aDemuxer, aIsComplete);
 }
 
-LexerTransition<nsWebPDecoder::State>
-nsWebPDecoder::ReadPayload(const char* aData, size_t aLength)
+LexerResult
+nsWebPDecoder::ReadPayload(WebPDemuxer* aDemuxer,
+                           bool aIsComplete)
 {
-  auto data = (const uint8_t*)aData;
   if (!HasAnimation()) {
-    auto rv = ReadSingle(data, aLength, true, FullFrame());
-    if (rv.NextStateIsTerminal() &&
-        rv.NextStateAsTerminal() == TerminalState::SUCCESS) {
+    auto rv = ReadSingle(mData, mLength, FullFrame());
+    if (rv.is<TerminalState>() &&
+        rv.as<TerminalState>() == TerminalState::SUCCESS) {
       PostDecodeDone();
     }
     return rv;
   }
-  return ReadMultiple(data, aLength);
+  return ReadMultiple(aDemuxer, aIsComplete);
 }
 
-LexerTransition<nsWebPDecoder::State>
-nsWebPDecoder::ReadSingle(const uint8_t* aData, size_t aLength, bool aAppend, const IntRect& aFrameRect)
+LexerResult
+nsWebPDecoder::ReadSingle(const uint8_t* aData, size_t aLength, const IntRect& aFrameRect)
 {
   MOZ_ASSERT(!IsMetadataDecode());
   MOZ_ASSERT(aData);
@@ -275,125 +418,120 @@ nsWebPDecoder::ReadSingle(const uint8_t* aData, size_t aLength, bool aAppend, co
       ("[this=%p] nsWebPDecoder::ReadSingle -- %zu bytes\n", this, aLength));
 
   if (!mDecoder && NS_FAILED(CreateFrame(aFrameRect))) {
-    return Transition::TerminateFailure();
+    return LexerResult(TerminalState::FAILURE);
   }
 
-  // XXX(aosmond): The demux API can be used for single images according to the
-  // documentation. If WebPIAppend is not any more efficient in its buffering
-  // than what we do for animated images, we should just combine the use cases.
   bool complete;
-  VP8StatusCode status;
-  if (aAppend) {
-    status = WebPIAppend(mDecoder, aData, aLength);
-  } else {
-    status = WebPIUpdate(mDecoder, aData, aLength);
-  }
-  switch (status) {
-    case VP8_STATUS_OK:
-      complete = true;
-      break;
-    case VP8_STATUS_SUSPENDED:
-      complete = false;
-      break;
-    default:
-      MOZ_LOG(sWebPLog, LogLevel::Error,
-          ("[this=%p] nsWebPDecoder::ReadSingle -- append error %d\n",
-           this, status));
-      return Transition::TerminateFailure();
-  }
+  do {
+    VP8StatusCode status = WebPIUpdate(mDecoder, aData, aLength);
+    switch (status) {
+      case VP8_STATUS_OK:
+        complete = true;
+        break;
+      case VP8_STATUS_SUSPENDED:
+        complete = false;
+        break;
+      default:
+        MOZ_LOG(sWebPLog, LogLevel::Error,
+            ("[this=%p] nsWebPDecoder::ReadSingle -- append error %d\n",
+             this, status));
+        return LexerResult(TerminalState::FAILURE);
+    }
 
-  int lastRow = -1;
-  int width = 0;
-  int height = 0;
-  int stride = 0;
-  const uint8_t* rowStart = WebPIDecGetRGB(mDecoder, &lastRow, &width, &height, &stride);
-  if (!rowStart || lastRow == -1) {
-    return Transition::ContinueUnbuffered(State::WEBP_DATA);
-  }
+    int lastRow = -1;
+    int width = 0;
+    int height = 0;
+    int stride = 0;
+    uint8_t* rowStart = WebPIDecGetRGB(mDecoder, &lastRow, &width, &height, &stride);
 
-  if (width <= 0 || height <= 0 || stride <= 0) {
-    MOZ_LOG(sWebPLog, LogLevel::Error,
-        ("[this=%p] nsWebPDecoder::ReadSingle -- bad (w,h,s) = (%d, %d, %d)\n",
-         this, width, height, stride));
-    return Transition::TerminateFailure();
-  }
+    MOZ_LOG(sWebPLog, LogLevel::Debug,
+        ("[this=%p] nsWebPDecoder::ReadSingle -- complete %d, read %d rows, "
+         "has %d rows available\n", this, complete, mLastRow, lastRow));
 
-  for (int row = mLastRow; row < lastRow; row++) {
-    const uint8_t* src = rowStart + row * stride;
-    auto result = mPipe.WritePixelsToRow<uint32_t>([&]() -> NextPixel<uint32_t> {
-      MOZ_ASSERT(mFormat == SurfaceFormat::B8G8R8A8 || src[3] == 0xFF);
-      const uint32_t pixel = gfxPackedPixel(src[3], src[0], src[1], src[2]);
-      src += 4;
-      return AsVariant(pixel);
-    });
-    MOZ_ASSERT(result != WriteState::FAILURE);
-    MOZ_ASSERT_IF(result == WriteState::FINISHED, complete && row == lastRow - 1);
-
-    if (result == WriteState::FAILURE) {
+    if (!rowStart || lastRow == -1 || lastRow == mLastRow) {
+      return LexerResult(Yield::NEED_MORE_DATA);
+    }
+
+    if (width != mFrameRect.width || height != mFrameRect.height ||
+        stride < mFrameRect.width * 4 ||
+        lastRow > mFrameRect.height) {
       MOZ_LOG(sWebPLog, LogLevel::Error,
-          ("[this=%p] nsWebPDecoder::ReadSingle -- write pixels error\n",
-           this));
-      return Transition::TerminateFailure();
+          ("[this=%p] nsWebPDecoder::ReadSingle -- bad (w,h,s) = (%d, %d, %d)\n",
+           this, width, height, stride));
+      return LexerResult(TerminalState::FAILURE);
     }
-  }
 
-  if (mLastRow != lastRow) {
-    mLastRow = lastRow;
+    const bool noPremultiply =
+      bool(GetSurfaceFlags() & SurfaceFlags::NO_PREMULTIPLY_ALPHA);
+
+    for (int row = mLastRow; row < lastRow; row++) {
+      uint8_t* src = rowStart + row * stride;
+      if (mTransform) {
+        qcms_transform_data(mTransform, src, src, width);
+      }
 
-    Maybe<SurfaceInvalidRect> invalidRect = mPipe.TakeInvalidRect();
-    if (invalidRect) {
-      PostInvalidation(invalidRect->mInputSpaceRect,
-          Some(invalidRect->mOutputSpaceRect));
+      WriteState result;
+      if (noPremultiply) {
+        result = mPipe.WritePixelsToRow<uint32_t>([&]() -> NextPixel<uint32_t> {
+          MOZ_ASSERT(mFormat == SurfaceFormat::B8G8R8A8 || src[3] == 0xFF);
+          const uint32_t pixel =
+            gfxPackedPixelNoPreMultiply(src[3], src[0], src[1], src[2]);
+          src += 4;
+          return AsVariant(pixel);
+        });
+      } else {
+        result = mPipe.WritePixelsToRow<uint32_t>([&]() -> NextPixel<uint32_t> {
+          MOZ_ASSERT(mFormat == SurfaceFormat::B8G8R8A8 || src[3] == 0xFF);
+          const uint32_t pixel = gfxPackedPixel(src[3], src[0], src[1], src[2]);
+          src += 4;
+          return AsVariant(pixel);
+        });
+      }
+
+      Maybe<SurfaceInvalidRect> invalidRect = mPipe.TakeInvalidRect();
+      if (invalidRect) {
+        PostInvalidation(invalidRect->mInputSpaceRect,
+            Some(invalidRect->mOutputSpaceRect));
+      }
+
+      if (result == WriteState::FAILURE) {
+        MOZ_LOG(sWebPLog, LogLevel::Error,
+            ("[this=%p] nsWebPDecoder::ReadSingle -- write pixels error\n",
+             this));
+        return LexerResult(TerminalState::FAILURE);
+      }
+
+      if (result == WriteState::FINISHED) {
+        MOZ_ASSERT(row == lastRow - 1, "There was more data to read?");
+        complete = true;
+        break;
+      }
     }
-  }
+
+    mLastRow = lastRow;
+  } while (!complete);
 
   if (!complete) {
-    return Transition::ContinueUnbuffered(State::WEBP_DATA);
+    return LexerResult(Yield::NEED_MORE_DATA);
   }
 
   EndFrame();
-  return Transition::TerminateSuccess();
+  return LexerResult(TerminalState::SUCCESS);
 }
 
-LexerTransition<nsWebPDecoder::State>
-nsWebPDecoder::ReadMultiple(const uint8_t* aData, size_t aLength)
+LexerResult
+nsWebPDecoder::ReadMultiple(WebPDemuxer* aDemuxer, bool aIsComplete)
 {
   MOZ_ASSERT(!IsMetadataDecode());
-  MOZ_ASSERT(aData);
+  MOZ_ASSERT(aDemuxer);
 
   MOZ_LOG(sWebPLog, LogLevel::Debug,
-      ("[this=%p] nsWebPDecoder::ReadMultiple -- %zu bytes\n", this, aLength));
-
-  auto data = aData;
-  size_t length = aLength;
-  if (NS_FAILED(GetDataBuffer(data, length))) {
-    return Transition::TerminateFailure();
-  }
+      ("[this=%p] nsWebPDecoder::ReadMultiple\n", this));
 
-  WebPDemuxState state;
-  WebPData fragment;
-  fragment.bytes = data;
-  fragment.size = length;
-  WebPDemuxer* demuxer = WebPDemuxPartial(&fragment, &state);
-  if (!demuxer) {
-    MOZ_LOG(sWebPLog, LogLevel::Error,
-        ("[this=%p] nsWebPDecoder::ReadMultiple -- create demuxer error\n",
-         this));
-    return Transition::TerminateFailure();
-  }
-
-  if (state == WEBP_DEMUX_PARSE_ERROR) {
-    MOZ_LOG(sWebPLog, LogLevel::Error,
-        ("[this=%p] nsWebPDecoder::ReadMultiple -- demuxer parse error\n",
-         this));
-    WebPDemuxDelete(demuxer);
-    return Transition::TerminateFailure();
-  }
-
-  bool complete = false;
+  bool complete = aIsComplete;
   WebPIterator iter;
-  auto rv = Transition::ContinueUnbuffered(State::WEBP_DATA);
-  if (WebPDemuxGetFrame(demuxer, mCurrentFrame + 1, &iter)) {
+  auto rv = LexerResult(Yield::NEED_MORE_DATA);
+  if (WebPDemuxGetFrame(aDemuxer, mCurrentFrame + 1, &iter)) {
     switch (iter.blend_method) {
       case WEBP_MUX_BLEND:
         mBlend = BlendMethod::OVER;
@@ -418,51 +556,34 @@ nsWebPDecoder::ReadMultiple(const uint8_t* aData, size_t aLength)
         break;
     }
 
-    mFormat = iter.has_alpha ? SurfaceFormat::B8G8R8A8 : SurfaceFormat::B8G8R8X8;
+    mFormat = iter.has_alpha || mCurrentFrame > 0 ? SurfaceFormat::B8G8R8A8
+                                                  : SurfaceFormat::B8G8R8X8;
     mTimeout = FrameTimeout::FromRawMilliseconds(iter.duration);
     nsIntRect frameRect(iter.x_offset, iter.y_offset, iter.width, iter.height);
 
-    rv = ReadSingle(iter.fragment.bytes, iter.fragment.size, false, frameRect);
-    complete = state == WEBP_DEMUX_DONE && !WebPDemuxNextFrame(&iter);
+    rv = ReadSingle(iter.fragment.bytes, iter.fragment.size, frameRect);
+    complete = complete && !WebPDemuxNextFrame(&iter);
     WebPDemuxReleaseIterator(&iter);
   }
 
-  if (rv.NextStateIsTerminal()) {
-    if (rv.NextStateAsTerminal() == TerminalState::SUCCESS) {
-      // If we extracted one frame, and it is not the last, we need to yield to
-      // the lexer to allow the upper layers to acknowledge the frame.
-      if (!complete && !IsFirstFrameDecode()) {
-        // The resume point is determined by whether or not we had to buffer.
-        // If we have yet to buffer, we want to resume at the same point,
-        // otherwise our internal buffer has everything we need and we want
-        // to resume having consumed all of the current fragment.
-        rv = Transition::ContinueUnbufferedAfterYield(State::WEBP_DATA,
-                 mData.empty() ? 0 : aLength);
-      } else {
-        uint32_t loopCount = WebPDemuxGetI(demuxer, WEBP_FF_LOOP_COUNT);
-
-        MOZ_LOG(sWebPLog, LogLevel::Debug,
-          ("[this=%p] nsWebPDecoder::ReadMultiple -- loop count %u\n",
-           this, loopCount));
-        PostDecodeDone(loopCount - 1);
-      }
+  if (rv.is<TerminalState>() &&
+      rv.as<TerminalState>() == TerminalState::SUCCESS) {
+    // If we extracted one frame, and it is not the last, we need to yield to
+    // the lexer to allow the upper layers to acknowledge the frame.
+    if (!complete && !IsFirstFrameDecode()) {
+      rv = LexerResult(Yield::OUTPUT_AVAILABLE);
+    } else {
+      uint32_t loopCount = WebPDemuxGetI(aDemuxer, WEBP_FF_LOOP_COUNT);
+
+      MOZ_LOG(sWebPLog, LogLevel::Debug,
+        ("[this=%p] nsWebPDecoder::ReadMultiple -- loop count %u\n",
+         this, loopCount));
+      PostDecodeDone(loopCount - 1);
     }
-  } else if (NS_FAILED(SaveDataBuffer(data, length))) {
-    rv = Transition::TerminateFailure();
   }
 
-  WebPDemuxDelete(demuxer);
   return rv;
 }
 
-LexerTransition<nsWebPDecoder::State>
-nsWebPDecoder::FinishedData()
-{
-  // Since we set up an unbuffered read for SIZE_MAX bytes, if we actually read
-  // all that data something is really wrong.
-  MOZ_ASSERT_UNREACHABLE("Read the entire address space?");
-  return Transition::TerminateFailure();
-}
-
 } // namespace image
 } // namespace mozilla
diff --git a/image/decoders/nsWebPDecoder.h b/image/decoders/nsWebPDecoder.h
index 5b3951cfc9..cdd2849f30 100644
--- a/image/decoders/nsWebPDecoder.h
+++ b/image/decoders/nsWebPDecoder.h
@@ -16,7 +16,7 @@ namespace mozilla {
 namespace image {
 class RasterImage;
 
-class nsWebPDecoder : public Decoder
+class nsWebPDecoder final : public Decoder
 {
 public:
   virtual ~nsWebPDecoder();
@@ -31,34 +31,28 @@ private:
   // Decoders should only be instantiated via DecoderFactory.
   explicit nsWebPDecoder(RasterImage* aImage);
 
-  enum class State
-  {
-    WEBP_DATA,
-    FINISHED_WEBP_DATA
-  };
+  void ApplyColorProfile(const char* aProfile, size_t aLength);
 
-  LexerTransition<State> ReadHeader(const char* aData, size_t aLength);
-  LexerTransition<State> ReadPayload(const char* aData, size_t aLength);
-  LexerTransition<State> FinishedData();
+  LexerResult UpdateBuffer(SourceBufferIterator& aIterator,
+                           SourceBufferIterator::State aState);
+  LexerResult ReadData();
+  LexerResult ReadHeader(WebPDemuxer* aDemuxer, bool aIsComplete);
+  LexerResult ReadPayload(WebPDemuxer* aDemuxer, bool aIsComplete);
 
   nsresult CreateFrame(const nsIntRect& aFrameRect);
   void EndFrame();
 
-  nsresult GetDataBuffer(const uint8_t*& aData, size_t& aLength);
-  nsresult SaveDataBuffer(const uint8_t* aData, size_t aLength);
+  LexerResult ReadSingle(const uint8_t* aData, size_t aLength,
+                         const IntRect& aFrameRect);
 
-  LexerTransition<State> ReadSingle(const uint8_t* aData, size_t aLength,
-                                    bool aAppend, const IntRect& aFrameRect);
-
-  LexerTransition<State> ReadMultiple(const uint8_t* aData, size_t aLength);
-
-  StreamingLexer<State> mLexer;
+  LexerResult ReadMultiple(WebPDemuxer* aDemuxer, bool aIsComplete);
 
   /// The SurfacePipe used to write to the output surface.
   SurfacePipe mPipe;
 
-  /// The buffer used to accumulate data until the complete WebP header is received.
-  Vector<uint8_t> mData;
+  /// The buffer used to accumulate data until the complete WebP header is
+  /// received, if and only if the iterator is discontiguous.
+  Vector<uint8_t> mBufferedData;
 
   /// The libwebp output buffer descriptor pointing to the decoded data.
   WebPDecBuffer mBuffer;
@@ -78,11 +72,35 @@ private:
   /// Surface format for the current frame.
   gfx::SurfaceFormat mFormat;
 
+  /// Frame rect for the current frame.
+  IntRect mFrameRect;
+
   /// The last row of decoded pixels written to mPipe.
   int mLastRow;
 
   /// Number of decoded frames.
   uint32_t mCurrentFrame;
+
+  /// Pointer to the start of the contiguous encoded image data.
+  const uint8_t* mData;
+
+  /// Length of data pointed to by mData.
+  size_t mLength;
+
+  /// True if the iterator has reached its end.
+  bool mIteratorComplete;
+
+  /// True if this decoding pass requires a WebPDemuxer.
+  bool mNeedDemuxer;
+
+  /// True if we have setup the color profile for the image.
+  bool mGotColorProfile;
+
+  /// Color management profile from the ICCP chunk in the image.
+  qcms_profile* mInProfile;
+
+  /// Color management transform to apply to image data.
+  qcms_transform* mTransform;
 };
 
 } // namespace image
diff --git a/image/encoders/png/nsPNGEncoder.cpp b/image/encoders/png/nsPNGEncoder.cpp
index 66294146df..abe6f35b42 100644
--- a/image/encoders/png/nsPNGEncoder.cpp
+++ b/image/encoders/png/nsPNGEncoder.cpp
@@ -9,6 +9,7 @@
 #include "nsStreamUtils.h"
 #include "nsString.h"
 #include "prprf.h"
+#include "mozilla/CheckedInt.h"
 
 using namespace mozilla;
 
@@ -703,30 +704,55 @@ nsPNGEncoder::WriteCallback(png_structp png, png_bytep data,
     return;
   }
 
-  if (that->mImageBufferUsed + size > that->mImageBufferSize) {
+  CheckedUint32 sizeNeeded = CheckedUint32(that->mImageBufferUsed) + size;
+  if (!sizeNeeded.isValid()) {
+    // Take the lock to ensure that nobody is trying to read from the buffer
+    // we are destroying
+    ReentrantMonitorAutoEnter autoEnter(that->mReentrantMonitor);
+
+    that->NullOutImageBuffer();
+    return;
+  }
+
+  if (sizeNeeded.value() > that->mImageBufferSize) {
     // When we're reallocing the buffer we need to take the lock to ensure
     // that nobody is trying to read from the buffer we are destroying
     ReentrantMonitorAutoEnter autoEnter(that->mReentrantMonitor);
 
-    // expand buffer, just double each time
-    that->mImageBufferSize *= 2;
-    uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
-                                        that->mImageBufferSize);
-    if (!newBuf) {
-      // can't resize, just zero (this will keep us from writing more)
-      free(that->mImageBuffer);
-      that->mImageBuffer = nullptr;
-      that->mImageBufferSize = 0;
-      that->mImageBufferUsed = 0;
-      return;
+    while (sizeNeeded.value() > that->mImageBufferSize) {
+      // expand buffer, just double each time
+      CheckedUint32 bufferSize = CheckedUint32(that->mImageBufferSize) * 2;
+      if (!bufferSize.isValid()) {
+        that->NullOutImageBuffer();
+        return;
+      }
+      that->mImageBufferSize *= 2;
+      uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
+                                          that->mImageBufferSize);
+      if (!newBuf) {
+        // can't resize, just zero (this will keep us from writing more)
+        that->NullOutImageBuffer();
+        return;
+      }
+      that->mImageBuffer = newBuf;
     }
-    that->mImageBuffer = newBuf;
   }
+
   memcpy(&that->mImageBuffer[that->mImageBufferUsed], data, size);
   that->mImageBufferUsed += size;
   that->NotifyListener();
 }
 
+void nsPNGEncoder::NullOutImageBuffer()
+{
+  mReentrantMonitor.AssertCurrentThreadIn();
+
+  free(mImageBuffer);
+  mImageBuffer = nullptr;
+  mImageBufferSize = 0;
+  mImageBufferUsed = 0;
+}
+
 void
 nsPNGEncoder::NotifyListener()
 {
diff --git a/image/encoders/png/nsPNGEncoder.h b/image/encoders/png/nsPNGEncoder.h
index 95e7d5c195..8c2239c119 100644
--- a/image/encoders/png/nsPNGEncoder.h
+++ b/image/encoders/png/nsPNGEncoder.h
@@ -54,6 +54,7 @@ protected:
   static void WarningCallback(png_structp png_ptr, png_const_charp warning_msg);
   static void ErrorCallback(png_structp png_ptr, png_const_charp error_msg);
   static void WriteCallback(png_structp png, png_bytep data, png_size_t size);
+  void NullOutImageBuffer();
   void NotifyListener();
 
   png_struct* mPNG;
diff --git a/image/imgFrame.cpp b/image/imgFrame.cpp
index 5da2ccec5d..c9f44181d6 100644
--- a/image/imgFrame.cpp
+++ b/image/imgFrame.cpp
@@ -161,13 +161,13 @@ imgFrame::imgFrame()
   : mMonitor("imgFrame")
   , mDecoded(0, 0, 0, 0)
   , mLockCount(0)
+  , mAborted(false)
+  , mFinished(false)
+  , mOptimizable(false)
   , mTimeout(FrameTimeout::FromRawMilliseconds(100))
   , mDisposalMethod(DisposalMethod::NOT_SPECIFIED)
   , mBlendMethod(BlendMethod::OVER)
   , mHasNoAlpha(false)
-  , mAborted(false)
-  , mFinished(false)
-  , mOptimizable(false)
   , mPalettedImageData(nullptr)
   , mPaletteDepth(0)
   , mNonPremult(false)
@@ -192,7 +192,8 @@ imgFrame::InitForDecoder(const nsIntSize& aImageSize,
                          const nsIntRect& aRect,
                          SurfaceFormat aFormat,
                          uint8_t aPaletteDepth /* = 0 */,
-                         bool aNonPremult /* = false */)
+                         bool aNonPremult /* = false */,
+                         const Maybe<AnimationParams>& aAnimParams /* = Nothing() */)
 {
   // Assert for properties that should be verified by decoders,
   // warn for properties related to bad content.
@@ -205,6 +206,15 @@ imgFrame::InitForDecoder(const nsIntSize& aImageSize,
   mImageSize = aImageSize;
   mFrameRect = aRect;
 
+  if (aAnimParams) {
+    mBlendRect = aAnimParams->mBlendRect;
+    mTimeout = aAnimParams->mTimeout;
+    mBlendMethod = aAnimParams->mBlendMethod;
+    mDisposalMethod = aAnimParams->mDisposalMethod;
+  } else {
+    mBlendRect = aRect;
+  }
+
   // We only allow a non-trivial frame rect (i.e., a frame rect that doesn't
   // cover the entire image) for paletted animation frames. We never draw those
   // frames directly; we just use FrameAnimator to composite them and produce a
@@ -607,12 +617,7 @@ imgFrame::ImageUpdatedInternal(const nsIntRect& aUpdateRect)
 }
 
 void
-imgFrame::Finish(Opacity aFrameOpacity /* = Opacity::SOME_TRANSPARENCY */,
-                 DisposalMethod aDisposalMethod /* = DisposalMethod::KEEP */,
-                 FrameTimeout aTimeout
-                   /* = FrameTimeout::FromRawMilliseconds(0) */,
-                 BlendMethod aBlendMethod /* = BlendMethod::OVER */,
-                 const Maybe<IntRect>& aBlendRect /* = Nothing() */)
+imgFrame::Finish(Opacity aFrameOpacity /* = Opacity::SOME_TRANSPARENCY */)
 {
   MonitorAutoLock lock(mMonitor);
   MOZ_ASSERT(mLockCount > 0, "Image data should be locked");
@@ -621,10 +626,6 @@ imgFrame::Finish(Opacity aFrameOpacity /* = Opacity::SOME_TRANSPARENCY */,
     mHasNoAlpha = true;
   }
 
-  mDisposalMethod = aDisposalMethod;
-  mTimeout = aTimeout;
-  mBlendMethod = aBlendMethod;
-  mBlendRect = aBlendRect;
   ImageUpdatedInternal(GetRect());
   mFinished = true;
 
@@ -844,7 +845,7 @@ imgFrame::GetAnimationData() const
   bool hasAlpha = mFormat == SurfaceFormat::B8G8R8A8;
 
   return AnimationData(data, PaletteDataLength(), mTimeout, GetRect(),
-                       mBlendMethod, mBlendRect, mDisposalMethod, hasAlpha);
+                       mBlendMethod, Some(mBlendRect), mDisposalMethod, hasAlpha);
 }
 
 void
diff --git a/image/imgFrame.h b/image/imgFrame.h
index e864aca7f7..928f6ad865 100644
--- a/image/imgFrame.h
+++ b/image/imgFrame.h
@@ -12,6 +12,7 @@
 #include "mozilla/Monitor.h"
 #include "mozilla/Move.h"
 #include "mozilla/VolatileBuffer.h"
+#include "AnimationParams.h"
 #include "gfxDrawable.h"
 #include "imgIContainer.h"
 #include "MainThreadUtils.h"
@@ -23,130 +24,12 @@ class ImageRegion;
 class DrawableFrameRef;
 class RawAccessFrameRef;
 
-enum class BlendMethod : int8_t {
-  // All color components of the frame, including alpha, overwrite the current
-  // contents of the frame's output buffer region.
-  SOURCE,
-
-  // The frame should be composited onto the output buffer based on its alpha,
-  // using a simple OVER operation.
-  OVER
-};
-
-enum class DisposalMethod : int8_t {
-  CLEAR_ALL = -1,  // Clear the whole image, revealing what's underneath.
-  NOT_SPECIFIED,   // Leave the frame and let the new frame draw on top.
-  KEEP,            // Leave the frame and let the new frame draw on top.
-  CLEAR,           // Clear the frame's area, revealing what's underneath.
-  RESTORE_PREVIOUS // Restore the previous (composited) frame.
-};
-
 enum class Opacity : uint8_t {
   FULLY_OPAQUE,
   SOME_TRANSPARENCY
 };
 
 /**
- * FrameTimeout wraps a frame timeout value (measured in milliseconds) after
- * first normalizing it. This normalization is necessary because some tools
- * generate incorrect frame timeout values which we nevertheless have to
- * support. For this reason, code that deals with frame timeouts should always
- * use a FrameTimeout value rather than the raw value from the image header.
- */
-struct FrameTimeout
-{
-  /**
-   * @return a FrameTimeout of zero. This should be used only for math
-   * involving FrameTimeout values. You can't obtain a zero FrameTimeout from
-   * FromRawMilliseconds().
-   */
-  static FrameTimeout Zero() { return FrameTimeout(0); }
-
-  /// @return an infinite FrameTimeout.
-  static FrameTimeout Forever() { return FrameTimeout(-1); }
-
-  /// @return a FrameTimeout obtained by normalizing a raw timeout value.
-  static FrameTimeout FromRawMilliseconds(int32_t aRawMilliseconds)
-  {
-    // Normalize all infinite timeouts to the same value.
-    if (aRawMilliseconds < 0) {
-      return FrameTimeout::Forever();
-    }
-
-    // Very small timeout values are problematic for two reasons: we don't want
-    // to burn energy redrawing animated images extremely fast, and broken tools
-    // generate these values when they actually want a "default" value, so such
-    // images won't play back right without normalization. For some context,
-    // see bug 890743, bug 125137, bug 139677, and bug 207059. The historical
-    // behavior of IE and Opera was:
-    //   IE 6/Win:
-    //     10 - 50ms is normalized to 100ms.
-    //     >50ms is used unnormalized.
-    //   Opera 7 final/Win:
-    //     10ms is normalized to 100ms.
-    //     >10ms is used unnormalized.
-    if (aRawMilliseconds >= 0 && aRawMilliseconds <= 10 ) {
-      return FrameTimeout(100);
-    }
-
-    // The provided timeout value is OK as-is.
-    return FrameTimeout(aRawMilliseconds);
-  }
-
-  bool operator==(const FrameTimeout& aOther) const
-  {
-    return mTimeout == aOther.mTimeout;
-  }
-
-  bool operator!=(const FrameTimeout& aOther) const { return !(*this == aOther); }
-
-  FrameTimeout operator+(const FrameTimeout& aOther)
-  {
-    if (*this == Forever() || aOther == Forever()) {
-      return Forever();
-    }
-
-    return FrameTimeout(mTimeout + aOther.mTimeout);
-  }
-
-  FrameTimeout& operator+=(const FrameTimeout& aOther)
-  {
-    *this = *this + aOther;
-    return *this;
-  }
-
-  /**
-   * @return this FrameTimeout's value in milliseconds. Illegal to call on a
-   * an infinite FrameTimeout value.
-   */
-  uint32_t AsMilliseconds() const
-  {
-    if (*this == Forever()) {
-      MOZ_ASSERT_UNREACHABLE("Calling AsMilliseconds() on an infinite FrameTimeout");
-      return 100;  // Fail to something sane.
-    }
-
-    return uint32_t(mTimeout);
-  }
-
-  /**
-   * @return this FrameTimeout value encoded so that non-negative values
-   * represent a timeout in milliseconds, and -1 represents an infinite
-   * timeout.
-   *
-   * XXX(seth): This is a backwards compatibility hack that should be removed.
-   */
-  int32_t AsEncodedValueDeprecated() const { return mTimeout; }
-
-private:
-  explicit FrameTimeout(int32_t aTimeout)
-    : mTimeout(aTimeout)
-  { }
-
-  int32_t mTimeout;
-};
-
-/**
  * AnimationData contains all of the information necessary for using an imgFrame
  * as part of an animation.
  *
@@ -210,14 +93,19 @@ public:
                           const nsIntRect& aRect,
                           SurfaceFormat aFormat,
                           uint8_t aPaletteDepth = 0,
-                          bool aNonPremult = false);
+                          bool aNonPremult = false,
+                          const Maybe<AnimationParams>& aAnimParams = Nothing());
 
   nsresult InitForDecoder(const nsIntSize& aSize,
                           SurfaceFormat aFormat,
                           uint8_t aPaletteDepth = 0)
   {
-    return InitForDecoder(aSize, nsIntRect(0, 0, aSize.width, aSize.height),
-                          aFormat, aPaletteDepth);
+    nsIntRect frameRect(0, 0, aSize.width, aSize.height);
+    AnimationParams animParams { frameRect, FrameTimeout::Forever(),
+                                 /* aFrameNum */ 1, BlendMethod::OVER,
+                                 DisposalMethod::NOT_SPECIFIED };
+    return InitForDecoder(aSize, frameRect,
+                          aFormat, aPaletteDepth, false, Some(animParams));
   }
 
 
@@ -268,22 +156,8 @@ public:
    * RawAccessFrameRef pointing to an imgFrame.
    *
    * @param aFrameOpacity    Whether this imgFrame is opaque.
-   * @param aDisposalMethod  For animation frames, how this imgFrame is cleared
-   *                         from the compositing frame before the next frame is
-   *                         displayed.
-   * @param aTimeout         For animation frames, the timeout before the next
-   *                         frame is displayed.
-   * @param aBlendMethod     For animation frames, a blending method to be used
-   *                         when compositing this frame.
-   * @param aBlendRect       For animation frames, if present, the subrect in
-   *                         which @aBlendMethod applies. Outside of this
-   *                         subrect, BlendMethod::OVER is always used.
    */
-  void Finish(Opacity aFrameOpacity = Opacity::SOME_TRANSPARENCY,
-              DisposalMethod aDisposalMethod = DisposalMethod::KEEP,
-              FrameTimeout aTimeout = FrameTimeout::FromRawMilliseconds(0),
-              BlendMethod aBlendMethod = BlendMethod::OVER,
-              const Maybe<IntRect>& aBlendRect = Nothing());
+  void Finish(Opacity aFrameOpacity = Opacity::SOME_TRANSPARENCY);
 
   /**
    * Mark this imgFrame as aborted. This informs the imgFrame that if it isn't
@@ -322,9 +196,15 @@ public:
    */
   uint32_t GetBytesPerPixel() const { return GetIsPaletted() ? 1 : 4; }
 
-  IntSize GetImageSize() const { return mImageSize; }
-  IntRect GetRect() const { return mFrameRect; }
+  const IntSize& GetImageSize() const { return mImageSize; }
+  const IntRect& GetRect() const { return mFrameRect; }
   IntSize GetSize() const { return mFrameRect.Size(); }
+  const IntRect& GetBlendRect() const { return mBlendRect; }
+  IntRect GetBoundedBlendRect() const { return mBlendRect.Intersect(mFrameRect); }
+  FrameTimeout GetTimeout() const { return mTimeout; }
+  BlendMethod GetBlendMethod() const { return mBlendMethod; }
+  DisposalMethod GetDisposalMethod() const { return mDisposalMethod; }
+  bool FormatHasAlpha() const { return mFormat == SurfaceFormat::B8G8R8A8; }
   void GetImageData(uint8_t** aData, uint32_t* length) const;
   uint8_t* GetImageData() const;
 
@@ -406,14 +286,6 @@ private: // data
   //! Number of RawAccessFrameRefs currently alive for this imgFrame.
   int32_t mLockCount;
 
-  //! The timeout for this frame.
-  FrameTimeout mTimeout;
-
-  DisposalMethod mDisposalMethod;
-  BlendMethod    mBlendMethod;
-  Maybe<IntRect> mBlendRect;
-  SurfaceFormat  mFormat;
-
   bool mHasNoAlpha;
   bool mAborted;
   bool mFinished;
@@ -426,6 +298,14 @@ private: // data
 
   IntSize      mImageSize;
   IntRect      mFrameRect;
+  IntRect      mBlendRect;
+
+  //! The timeout for this frame.
+  FrameTimeout mTimeout;
+
+  DisposalMethod mDisposalMethod;
+  BlendMethod    mBlendMethod;
+  SurfaceFormat  mFormat;
 
   // The palette and image data for images that are paletted, since Cairo
   // doesn't support these images.
diff --git a/image/test/gtest/Common.h b/image/test/gtest/Common.h
index 79bed9fc1b..0c288cddcb 100644
--- a/image/test/gtest/Common.h
+++ b/image/test/gtest/Common.h
@@ -245,7 +245,7 @@ already_AddRefed<Decoder> CreateTrivialDecoder();
  * @param aConfigs The configuration for the pipeline.
  */
 template <typename Func, typename... Configs>
-void WithFilterPipeline(Decoder* aDecoder, Func aFunc, Configs... aConfigs)
+void WithFilterPipeline(Decoder* aDecoder, Func aFunc, const Configs&... aConfigs)
 {
   auto pipe = MakeUnique<typename detail::FilterPipeline<Configs...>::Type>();
   nsresult rv = pipe->Configure(aConfigs...);
@@ -268,7 +268,7 @@ void WithFilterPipeline(Decoder* aDecoder, Func aFunc, Configs... aConfigs)
  * @param aConfigs The configuration for the pipeline.
  */
 template <typename... Configs>
-void AssertConfiguringPipelineFails(Decoder* aDecoder, Configs... aConfigs)
+void AssertConfiguringPipelineFails(Decoder* aDecoder, const Configs&... aConfigs)
 {
   auto pipe = MakeUnique<typename detail::FilterPipeline<Configs...>::Type>();
   nsresult rv = pipe->Configure(aConfigs...);
diff --git a/image/test/gtest/TestADAM7InterpolatingFilter.cpp b/image/test/gtest/TestADAM7InterpolatingFilter.cpp
index d9dab43465..d11224251e 100644
--- a/image/test/gtest/TestADAM7InterpolatingFilter.cpp
+++ b/image/test/gtest/TestADAM7InterpolatingFilter.cpp
@@ -33,7 +33,7 @@ WithADAM7InterpolatingFilter(const IntSize& aSize, Func aFunc)
 
   WithFilterPipeline(decoder, Forward<Func>(aFunc),
                      ADAM7InterpolatingConfig { },
-                     SurfaceConfig { decoder, 0, aSize,
+                     SurfaceConfig { decoder, aSize,
                                      SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -45,7 +45,7 @@ AssertConfiguringADAM7InterpolatingFilterFails(const IntSize& aSize)
 
   AssertConfiguringPipelineFails(decoder,
                                  ADAM7InterpolatingConfig { },
-                                 SurfaceConfig { decoder, 0, aSize,
+                                 SurfaceConfig { decoder, aSize,
                                                  SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -664,7 +664,7 @@ TEST(ImageADAM7InterpolatingFilter, ConfiguringPalettedADAM7InterpolatingFilterF
   // should fail.
   AssertConfiguringPipelineFails(decoder,
                                  ADAM7InterpolatingConfig { },
-                                 PalettedSurfaceConfig { decoder, 0, IntSize(100, 100),
+                                 PalettedSurfaceConfig { decoder, IntSize(100, 100),
                                                          IntRect(0, 0, 50, 50),
                                                          SurfaceFormat::B8G8R8A8, 8,
                                                          false });
diff --git a/image/test/gtest/TestDeinterlacingFilter.cpp b/image/test/gtest/TestDeinterlacingFilter.cpp
index 30cad79935..82637bbf71 100644
--- a/image/test/gtest/TestDeinterlacingFilter.cpp
+++ b/image/test/gtest/TestDeinterlacingFilter.cpp
@@ -28,7 +28,7 @@ WithDeinterlacingFilter(const IntSize& aSize,
 
   WithFilterPipeline(decoder, Forward<Func>(aFunc),
                      DeinterlacingConfig<uint32_t> { aProgressiveDisplay },
-                     SurfaceConfig { decoder, 0, aSize,
+                     SurfaceConfig { decoder, aSize,
                                      SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -41,7 +41,7 @@ WithPalettedDeinterlacingFilter(const IntSize& aSize,
 
   WithFilterPipeline(decoder, Forward<Func>(aFunc),
                      DeinterlacingConfig<uint8_t> { /* mProgressiveDisplay = */ true },
-                     PalettedSurfaceConfig { decoder, 0, aSize,
+                     PalettedSurfaceConfig { decoder, aSize,
                                              IntRect(0, 0, 100, 100),
                                              SurfaceFormat::B8G8R8A8, 8,
                                              false });
@@ -55,7 +55,7 @@ AssertConfiguringDeinterlacingFilterFails(const IntSize& aSize)
 
   AssertConfiguringPipelineFails(decoder,
                                  DeinterlacingConfig<uint32_t> { /* mProgressiveDisplay = */ true},
-                                 SurfaceConfig { decoder, 0, aSize,
+                                 SurfaceConfig { decoder, aSize,
                                                  SurfaceFormat::B8G8R8A8, false });
 }
 
diff --git a/image/test/gtest/TestDownscalingFilter.cpp b/image/test/gtest/TestDownscalingFilter.cpp
index 596becab0b..d7aa0ead2a 100644
--- a/image/test/gtest/TestDownscalingFilter.cpp
+++ b/image/test/gtest/TestDownscalingFilter.cpp
@@ -29,7 +29,7 @@ WithDownscalingFilter(const IntSize& aInputSize,
   WithFilterPipeline(decoder, Forward<Func>(aFunc),
                      DownscalingConfig { aInputSize,
                                          SurfaceFormat::B8G8R8A8 },
-                     SurfaceConfig { decoder, 0, aOutputSize,
+                     SurfaceConfig { decoder, aOutputSize,
                                      SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -43,7 +43,7 @@ AssertConfiguringDownscalingFilterFails(const IntSize& aInputSize,
   AssertConfiguringPipelineFails(decoder,
                                  DownscalingConfig { aInputSize,
                                                      SurfaceFormat::B8G8R8A8 },
-                                 SurfaceConfig { decoder, 0, aOutputSize,
+                                 SurfaceConfig { decoder, aOutputSize,
                                                  SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -224,7 +224,7 @@ TEST(ImageDownscalingFilter, ConfiguringPalettedDownscaleFails)
   AssertConfiguringPipelineFails(decoder,
                                  DownscalingConfig { IntSize(100, 100),
                                                      SurfaceFormat::B8G8R8A8 },
-                                 PalettedSurfaceConfig { decoder, 0, IntSize(20, 20),
+                                 PalettedSurfaceConfig { decoder, IntSize(20, 20),
                                                          IntRect(0, 0, 20, 20),
                                                          SurfaceFormat::B8G8R8A8, 8,
                                                          false });
diff --git a/image/test/gtest/TestDownscalingFilterNoSkia.cpp b/image/test/gtest/TestDownscalingFilterNoSkia.cpp
index c62ca018da..80928a8809 100644
--- a/image/test/gtest/TestDownscalingFilterNoSkia.cpp
+++ b/image/test/gtest/TestDownscalingFilterNoSkia.cpp
@@ -52,6 +52,6 @@ TEST(ImageDownscalingFilter, NoSkia)
   AssertConfiguringPipelineFails(decoder,
                                  DownscalingConfig { IntSize(100, 100),
                                                      SurfaceFormat::B8G8R8A8 },
-                                 SurfaceConfig { decoder, 0, IntSize(50, 50),
+                                 SurfaceConfig { decoder, IntSize(50, 50),
                                                  SurfaceFormat::B8G8R8A8, false });
 }
diff --git a/image/test/gtest/TestRemoveFrameRectFilter.cpp b/image/test/gtest/TestRemoveFrameRectFilter.cpp
index e1def590e5..ad1f944fc4 100644
--- a/image/test/gtest/TestRemoveFrameRectFilter.cpp
+++ b/image/test/gtest/TestRemoveFrameRectFilter.cpp
@@ -28,7 +28,7 @@ WithRemoveFrameRectFilter(const IntSize& aSize,
 
   WithFilterPipeline(decoder, Forward<Func>(aFunc),
                      RemoveFrameRectConfig { aFrameRect },
-                     SurfaceConfig { decoder, 0, aSize,
+                     SurfaceConfig { decoder, aSize,
                                      SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -41,7 +41,7 @@ AssertConfiguringRemoveFrameRectFilterFails(const IntSize& aSize,
 
   AssertConfiguringPipelineFails(decoder,
                                  RemoveFrameRectConfig { aFrameRect },
-                                 SurfaceConfig { decoder, 0, aSize,
+                                 SurfaceConfig { decoder, aSize,
                                                  SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -320,7 +320,7 @@ TEST(ImageRemoveFrameRectFilter, ConfiguringPalettedRemoveFrameRectFails)
   // should fail.
   AssertConfiguringPipelineFails(decoder,
                                  RemoveFrameRectConfig { IntRect(0, 0, 50, 50) },
-                                 PalettedSurfaceConfig { decoder, 0, IntSize(100, 100),
+                                 PalettedSurfaceConfig { decoder, IntSize(100, 100),
                                                          IntRect(0, 0, 50, 50),
                                                          SurfaceFormat::B8G8R8A8, 8,
                                                          false });
diff --git a/image/test/gtest/TestSurfacePipeIntegration.cpp b/image/test/gtest/TestSurfacePipeIntegration.cpp
index 5e8c19fc2b..27138a3ee6 100644
--- a/image/test/gtest/TestSurfacePipeIntegration.cpp
+++ b/image/test/gtest/TestSurfacePipeIntegration.cpp
@@ -149,7 +149,7 @@ TEST_F(ImageSurfacePipeIntegration, SurfacePipe)
 
   auto sink = MakeUnique<SurfaceSink>();
   nsresult rv =
-    sink->Configure(SurfaceConfig { decoder, 0, IntSize(100, 100),
+    sink->Configure(SurfaceConfig { decoder, IntSize(100, 100),
                                     SurfaceFormat::B8G8R8A8, false });
   ASSERT_TRUE(NS_SUCCEEDED(rv));
 
@@ -227,7 +227,7 @@ TEST_F(ImageSurfacePipeIntegration, PalettedSurfacePipe)
 
   auto sink = MakeUnique<PalettedSurfaceSink>();
   nsresult rv =
-    sink->Configure(PalettedSurfaceConfig { decoder, 0, IntSize(100, 100),
+    sink->Configure(PalettedSurfaceConfig { decoder, IntSize(100, 100),
                                             IntRect(0, 0, 100, 100),
                                             SurfaceFormat::B8G8R8A8,
                                             8, false });
@@ -313,7 +313,7 @@ TEST_F(ImageSurfacePipeIntegration, DeinterlaceDownscaleWritePixels)
                      DeinterlacingConfig<uint32_t> { /* mProgressiveDisplay = */ true },
                      DownscalingConfig { IntSize(100, 100),
                                          SurfaceFormat::B8G8R8A8 },
-                     SurfaceConfig { decoder, 0, IntSize(25, 25),
+                     SurfaceConfig { decoder, IntSize(25, 25),
                                      SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -369,7 +369,7 @@ TEST_F(ImageSurfacePipeIntegration, RemoveFrameRectBottomRightDownscaleWritePixe
                      RemoveFrameRectConfig { IntRect(50, 50, 100, 100) },
                      DownscalingConfig { IntSize(100, 100),
                                          SurfaceFormat::B8G8R8A8 },
-                     SurfaceConfig { decoder, 0, IntSize(20, 20),
+                     SurfaceConfig { decoder, IntSize(20, 20),
                                      SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -403,7 +403,7 @@ TEST_F(ImageSurfacePipeIntegration, RemoveFrameRectTopLeftDownscaleWritePixels)
                      RemoveFrameRectConfig { IntRect(-50, -50, 100, 100) },
                      DownscalingConfig { IntSize(100, 100),
                                          SurfaceFormat::B8G8R8A8 },
-                     SurfaceConfig { decoder, 0, IntSize(20, 20),
+                     SurfaceConfig { decoder, IntSize(20, 20),
                                      SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -427,7 +427,7 @@ TEST_F(ImageSurfacePipeIntegration, DeinterlaceRemoveFrameRectWritePixels)
   WithFilterPipeline(decoder, test,
                      DeinterlacingConfig<uint32_t> { /* mProgressiveDisplay = */ true },
                      RemoveFrameRectConfig { IntRect(50, 50, 100, 100) },
-                     SurfaceConfig { decoder, 0, IntSize(100, 100),
+                     SurfaceConfig { decoder, IntSize(100, 100),
                                      SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -450,7 +450,7 @@ TEST_F(ImageSurfacePipeIntegration, DeinterlaceRemoveFrameRectDownscaleWritePixe
                      RemoveFrameRectConfig { IntRect(50, 50, 100, 100) },
                      DownscalingConfig { IntSize(100, 100),
                                          SurfaceFormat::B8G8R8A8 },
-                     SurfaceConfig { decoder, 0, IntSize(20, 20),
+                     SurfaceConfig { decoder, IntSize(20, 20),
                                      SurfaceFormat::B8G8R8A8, false });
 }
 
@@ -465,7 +465,7 @@ TEST_F(ImageSurfacePipeIntegration, ConfiguringPalettedRemoveFrameRectDownscaleF
                                  RemoveFrameRectConfig { IntRect(0, 0, 50, 50) },
                                  DownscalingConfig { IntSize(100, 100),
                                                      SurfaceFormat::B8G8R8A8 },
-                                 PalettedSurfaceConfig { decoder, 0, IntSize(100, 100),
+                                 PalettedSurfaceConfig { decoder, IntSize(100, 100),
                                                          IntRect(0, 0, 50, 50),
                                                          SurfaceFormat::B8G8R8A8, 8,
                                                          false });
@@ -482,7 +482,7 @@ TEST_F(ImageSurfacePipeIntegration, ConfiguringPalettedDeinterlaceDownscaleFails
                                  DeinterlacingConfig<uint8_t> { /* mProgressiveDisplay = */ true},
                                  DownscalingConfig { IntSize(100, 100),
                                                      SurfaceFormat::B8G8R8A8 },
-                                 PalettedSurfaceConfig { decoder, 0, IntSize(100, 100),
+                                 PalettedSurfaceConfig { decoder, IntSize(100, 100),
                                                          IntRect(0, 0, 20, 20),
                                                          SurfaceFormat::B8G8R8A8, 8,
                                                          false });
@@ -503,6 +503,6 @@ TEST_F(ImageSurfacePipeIntegration, ConfiguringHugeDeinterlacingBufferFails)
                                  DeinterlacingConfig<uint32_t> { /* mProgressiveDisplay = */ true},
                                  DownscalingConfig { IntSize(60000, 60000),
                                                      SurfaceFormat::B8G8R8A8 },
-                                 SurfaceConfig { decoder, 0, IntSize(600, 600),
+                                 SurfaceConfig { decoder, IntSize(600, 600),
                                                  SurfaceFormat::B8G8R8A8, false });
 }
diff --git a/image/test/gtest/TestSurfaceSink.cpp b/image/test/gtest/TestSurfaceSink.cpp
index ccf9be3ec0..3a1c74d12e 100644
--- a/image/test/gtest/TestSurfaceSink.cpp
+++ b/image/test/gtest/TestSurfaceSink.cpp
@@ -32,7 +32,7 @@ WithSurfaceSink(Func aFunc)
   const bool flipVertically = Orientation == Orient::FLIP_VERTICALLY;
 
   WithFilterPipeline(decoder, Forward<Func>(aFunc),
-                     SurfaceConfig { decoder, 0, IntSize(100, 100),
+                     SurfaceConfig { decoder, IntSize(100, 100),
                                      SurfaceFormat::B8G8R8A8, flipVertically });
 }
 
@@ -43,7 +43,7 @@ WithPalettedSurfaceSink(const IntRect& aFrameRect, Func aFunc)
   ASSERT_TRUE(decoder != nullptr);
 
   WithFilterPipeline(decoder, Forward<Func>(aFunc),
-                     PalettedSurfaceConfig { decoder, 0, IntSize(100, 100),
+                     PalettedSurfaceConfig { decoder, IntSize(100, 100),
                                              aFrameRect, SurfaceFormat::B8G8R8A8,
                                              8, false });
 }
diff --git a/ipc/glue/BackgroundUtils.cpp b/ipc/glue/BackgroundUtils.cpp
index 44f988efda..6f7501f703 100644
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@@ -295,7 +295,8 @@ LoadInfoToLoadInfoArgs(nsILoadInfo *aLoadInfo,
       aLoadInfo->CorsUnsafeHeaders(),
       aLoadInfo->GetForcePreflight(),
       aLoadInfo->GetIsPreflight(),
-      aLoadInfo->GetLoadTriggeredFromExternal()
+      aLoadInfo->GetLoadTriggeredFromExternal(),
+      aLoadInfo->GetIsFromProcessingFrameAttributes()
       );
 
   return NS_OK;
@@ -347,7 +348,7 @@ LoadInfoArgsToLoadInfo(const OptionalLoadInfoArgs& aOptionalLoadInfoArgs,
     redirectChain.AppendElement(redirectedPrincipal.forget());
   }
 
-  nsCOMPtr<nsILoadInfo> loadInfo =
+  RefPtr<mozilla::LoadInfo> loadInfo =
     new mozilla::LoadInfo(loadingPrincipal,
                           triggeringPrincipal,
                           principalToInherit,
@@ -375,8 +376,12 @@ LoadInfoArgsToLoadInfo(const OptionalLoadInfoArgs& aOptionalLoadInfoArgs,
                           loadInfoArgs.loadTriggeredFromExternal()
                           );
 
-   loadInfo.forget(outLoadInfo);
-   return NS_OK;
+  if (loadInfoArgs.isFromProcessingFrameAttributes()) {
+    loadInfo->SetIsFromProcessingFrameAttributes();
+  }
+
+  loadInfo.forget(outLoadInfo);
+  return NS_OK;
 }
 
 } // namespace ipc
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
index 2c9ffb607d..b163d5818b 100644
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -2306,7 +2306,7 @@ jit::RemoveUnmarkedBlocks(MIRGenerator* mir, MIRGraph& graph, uint32_t numMarked
         // bailout.
         for (PostorderIterator it(graph.poBegin()); it != graph.poEnd();) {
             MBasicBlock* block = *it++;
-            if (!block->isMarked())
+            if (block->isMarked())
                 continue;
 
             FlagAllOperandsAsHavingRemovedUses(mir, block);
diff --git a/js/src/jit/RangeAnalysis.cpp b/js/src/jit/RangeAnalysis.cpp
index 95484c2494..d64f9b8ca4 100644
--- a/js/src/jit/RangeAnalysis.cpp
+++ b/js/src/jit/RangeAnalysis.cpp
@@ -2167,7 +2167,7 @@ RangeAnalysis::analyzeLoopPhi(MBasicBlock* header, LoopIterationBound* loopBound
     if (initial->block()->isMarked())
         return;
 
-    SimpleLinearSum modified = ExtractLinearSum(phi->getLoopBackedgeOperand());
+    SimpleLinearSum modified = ExtractLinearSum(phi->getLoopBackedgeOperand(), MathSpace::Infinite);
 
     if (modified.term != phi || modified.constant == 0)
         return;
diff --git a/js/src/jsfun.h b/js/src/jsfun.h
index 7da831aa2b..1c7da57ecd 100644
--- a/js/src/jsfun.h
+++ b/js/src/jsfun.h
@@ -460,6 +460,19 @@ class JSFunction : public js::NativeObject
         return nonLazyScript();
     }
 
+    // If this is a scripted function, returns its canonical function (the
+    // original function allocated by the frontend). Note that lazy self-hosted
+    // builtins don't have a lazy script so in that case we also return nullptr.
+    JSFunction* maybeCanonicalFunction() const {
+        if (hasScript()) {
+            return nonLazyScript()->functionNonDelazifying();
+        }
+        if (isInterpretedLazy() && !isSelfHostedBuiltin()) {
+            return lazyScript()->functionNonDelazifying();
+        }
+        return nullptr;
+    }
+
     // The state of a JSFunction whose script errored out during bytecode
     // compilation. Such JSFunctions are only reachable via GC iteration and
     // not from script.
diff --git a/js/src/vm/ObjectGroup.cpp b/js/src/vm/ObjectGroup.cpp
index d6a8fcaa46..1fbf8976b6 100644
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@@ -496,12 +496,7 @@ ObjectGroup::defaultNewGroup(ExclusiveContext* cx, const Class* clasp,
 
             // Canonicalize new functions to use the original one associated with its script.
             JSFunction* fun = &associated->as<JSFunction>();
-            if (fun->hasScript())
-                associated = fun->nonLazyScript()->functionNonDelazifying();
-            else if (fun->isInterpretedLazy() && !fun->isSelfHostedBuiltin())
-                associated = fun->lazyScript()->functionNonDelazifying();
-            else
-                associated = nullptr;
+            associated = associated->as<JSFunction>().maybeCanonicalFunction();
 
             // If we have previously cleared the 'new' script information for this
             // function, don't try to construct another one.
diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
index c86345d9c9..4775a2dea2 100644
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3603,6 +3603,10 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
     MOZ_ASSERT(!group->newScript());
     MOZ_ASSERT(!group->maybeUnboxedLayout());
 
+    // rollbackPartiallyInitializedObjects expects function_ to be
+    // canonicalized.
+    MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
+
     if (group->unknownProperties())
         return true;
 
@@ -3958,8 +3962,15 @@ TypeNewScript::rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* g
                 oomUnsafe.crash("rollbackPartiallyInitializedObjects");
         }
 
-        if (!iter.isConstructing() || !iter.matchCallee(cx, function))
+        if (!iter.isConstructing()) {
+            continue;
+        }
+
+        MOZ_ASSERT(iter.calleeTemplate()->maybeCanonicalFunction());
+
+        if (iter.calleeTemplate()->maybeCanonicalFunction() != function) {
             continue;
+        }
 
         // Derived class constructors initialize their this-binding later and
         // we shouldn't run the definite properties analysis on them.
diff --git a/layout/base/nsCSSFrameConstructor.cpp b/layout/base/nsCSSFrameConstructor.cpp
index c633745414..07a5b80e77 100644
--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
@@ -7021,8 +7021,11 @@ nsCSSFrameConstructor::MaybeConstructLazily(Operation aOperation,
                                             nsIContent* aContainer,
                                             nsIContent* aChild)
 {
+  // XXXmats no lazy frames for display:contents direct descendants yet
+  // (Mozilla bug 979782).
   if (mPresShell->GetPresContext()->IsChrome() || !aContainer ||
-      aContainer->IsInNativeAnonymousSubtree() || aContainer->IsXULElement()) {
+      aContainer->IsInNativeAnonymousSubtree() || aContainer->IsXULElement() ||
+      GetDisplayContentsStyleFor(aContainer)) {
     return false;
   }
 
@@ -7056,6 +7059,10 @@ nsCSSFrameConstructor::MaybeConstructLazily(Operation aOperation,
   // ignore anonymous children (eg framesets) make this complicated. So we set
   // these two booleans if we encounter these situations and unset them if we
   // hit a node with a leaf frame.
+  //
+  // Also, it's fine if one of the nodes without primary frame is a display:
+  // contents node except if it's the direct ancestor of the children we're
+  // recreating frames for.
   bool noPrimaryFrame = false;
   bool needsFrameBitSet = false;
 #endif
@@ -7065,17 +7072,14 @@ nsCSSFrameConstructor::MaybeConstructLazily(Operation aOperation,
     if (content->GetPrimaryFrame() && content->GetPrimaryFrame()->IsLeaf()) {
       noPrimaryFrame = needsFrameBitSet = false;
     }
-    if (!noPrimaryFrame && !content->GetPrimaryFrame()) {
+    if (!noPrimaryFrame && !content->GetPrimaryFrame() &&
+        !GetDisplayContentsStyleFor(content)) {
       noPrimaryFrame = true;
     }
     if (!needsFrameBitSet && content->HasFlag(NODE_NEEDS_FRAME)) {
       needsFrameBitSet = true;
     }
 #endif
-    // XXXmats no lazy frames for display:contents descendants yet (bug 979782).
-    if (GetDisplayContentsStyleFor(content)) {
-      return false;
-    }
     content->SetFlags(NODE_DESCENDANTS_NEED_FRAMES);
     content = content->GetFlattenedTreeParent();
   }
diff --git a/layout/build/nsLayoutStatics.cpp b/layout/build/nsLayoutStatics.cpp
index 0306626c42..0f4560afea 100644
--- a/layout/build/nsLayoutStatics.cpp
+++ b/layout/build/nsLayoutStatics.cpp
@@ -92,10 +92,6 @@
 #include "nsSynthVoiceRegistry.h"
 #endif
 
-#ifdef MOZ_ANDROID_OMX
-#include "AndroidMediaPluginHost.h"
-#endif
-
 #include "CubebUtils.h"
 #include "Latency.h"
 #include "WebAudioUtils.h"
@@ -381,11 +377,6 @@ nsLayoutStatics::Shutdown()
   nsAutoCopyListener::Shutdown();
   FrameLayerBuilder::Shutdown();
 
-
-#ifdef MOZ_ANDROID_OMX
-  AndroidMediaPluginHost::Shutdown();
-#endif
-
   CubebUtils::ShutdownLibrary();
   AsyncLatencyLogger::ShutdownLogger();
   WebAudioUtils::Shutdown();
diff --git a/layout/forms/nsComboboxControlFrame.cpp b/layout/forms/nsComboboxControlFrame.cpp
index f69198cc78..5a94389395 100644
--- a/layout/forms/nsComboboxControlFrame.cpp
+++ b/layout/forms/nsComboboxControlFrame.cpp
@@ -1040,6 +1040,9 @@ nsComboboxControlFrame::HandleRedisplayTextEvent()
   mRedisplayTextEvent.Forget();
 
   ActuallyDisplayText(true);
+  if (!weakThis.IsAlive())
+    return;
+
   // XXXbz This should perhaps be eResize.  Check.
   PresContext()->PresShell()->FrameNeedsReflow(mDisplayFrame,
                                                nsIPresShell::eStyleChange,
diff --git a/layout/reftests/css-display/display-contents-dyn-insert-text-ref.html b/layout/reftests/css-display/display-contents-dyn-insert-text-ref.html
new file mode 100644
index 0000000000..a212e025eb
--- /dev/null
+++ b/layout/reftests/css-display/display-contents-dyn-insert-text-ref.html
@@ -0,0 +1,7 @@
+<!doctype html>
+<meta charset="utf-8">
+<link rel="author" title="Emilio Cobos Álvarez" href="mailto:emilio@crisal.io">
+<title>CSS Test reference - Bug 1338678</title>
+<div style="display: contents">
+  <div id="element">PASS</div>
+</div>
diff --git a/layout/reftests/css-display/display-contents-dyn-insert-text.html b/layout/reftests/css-display/display-contents-dyn-insert-text.html
new file mode 100644
index 0000000000..f3b0c0c951
--- /dev/null
+++ b/layout/reftests/css-display/display-contents-dyn-insert-text.html
@@ -0,0 +1,16 @@
+<!doctype html>
+<meta charset="utf-8">
+<link rel="author" title="Markus Stange" href="mailto:mstange@themasta.com">
+<link rel="help" href="https://drafts.csswg.org/css-display/#box-generation">
+<title>Bug 1338678 - display:contents makes textContent disappear</title>
+<div style="display: contents">
+  <div id="element"></div>
+</div>
+<script>
+window.onload = function() {
+  document.body.offsetTop;
+  var element = document.getElementById('element');
+  element.textContent = "FAIL";
+  element.textContent = "PASS";
+}
+</script>
diff --git a/layout/reftests/css-display/reftest.list b/layout/reftests/css-display/reftest.list
index d310422bb3..00f46a80b5 100644
--- a/layout/reftests/css-display/reftest.list
+++ b/layout/reftests/css-display/reftest.list
@@ -24,5 +24,6 @@ skip pref(layout.css.display-contents.enabled,true) == display-contents-xbl-4.xu
 asserts(0-1) fuzzy-if(Android,8,3216) pref(layout.css.display-contents.enabled,true) == display-contents-fieldset.html display-contents-fieldset-ref.html # bug 1089223
 asserts(1) pref(layout.css.display-contents.enabled,true) == display-contents-xbl-5.xul display-contents-xbl-3-ref.xul # bug 1089223
 pref(layout.css.display-contents.enabled,true) == display-contents-list-item-child.html display-contents-list-item-child-ref.html
+pref(layout.css.display-contents.enabled,true) == display-contents-dyn-insert-text.html display-contents-dyn-insert-text-ref.html
 pref(layout.css.display-contents.enabled,true) == display-contents-writing-mode-1.html display-contents-writing-mode-1-ref.html
 pref(layout.css.display-contents.enabled,true) == display-contents-writing-mode-2.html display-contents-writing-mode-2-ref.html
diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index b361cf0c25..33e5fe56d0 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -1549,6 +1549,9 @@ protected:
 
   // All data from successfully parsed properties are placed into |mData|.
   nsCSSExpandedDataBlock mData;
+  
+  // Value to make sure our resolved variable results stay within sane limits.
+  const int32_t MAX_CSS_VAR_LENGTH = 10240;
 
 public:
   // Used from nsCSSParser constructors and destructors
@@ -2802,6 +2805,12 @@ CSSParserImpl::ResolveValueWithVariableReferencesRec(
               // Invalid variable with no fallback.
               return false;
             }
+            // Make sure we are still using sane sizes for value and
+            // variableValue, and abort if OOB.
+            if (value.Length() > MAX_CSS_VAR_LENGTH ||
+                variableValue.Length() > MAX_CSS_VAR_LENGTH) {
+              return false;
+            }
             // Valid variable with no fallback.
             AppendTokens(value, valueFirstToken, valueLastToken,
                          varFirstToken, varLastToken, variableValue);
diff --git a/media/ffvpx/config_unix32.h b/media/ffvpx/config_unix32.h
index ae49d80752..1722059633 100644
--- a/media/ffvpx/config_unix32.h
+++ b/media/ffvpx/config_unix32.h
@@ -213,6 +213,9 @@
 #define HAVE_ES2_GL_H 0
 #define HAVE_GSM_H 0
 #define HAVE_IO_H 0
+#ifdef HAVE_LINUX_PERF_EVENT_H
+#undef HAVE_LINUX_PERF_EVENT_H
+#endif
 #define HAVE_LINUX_PERF_EVENT_H 0
 #define HAVE_MACHINE_IOCTL_BT848_H 0
 #define HAVE_MACHINE_IOCTL_METEOR_H 0
diff --git a/media/ffvpx/config_unix64.h b/media/ffvpx/config_unix64.h
index 1c5c4cb4cc..338b6692fe 100644
--- a/media/ffvpx/config_unix64.h
+++ b/media/ffvpx/config_unix64.h
@@ -213,6 +213,9 @@
 #define HAVE_ES2_GL_H 0
 #define HAVE_GSM_H 0
 #define HAVE_IO_H 0
+#ifdef HAVE_LINUX_PERF_EVENT_H
+#undef HAVE_LINUX_PERF_EVENT_H
+#endif
 #define HAVE_LINUX_PERF_EVENT_H 0
 #define HAVE_MACHINE_IOCTL_BT848_H 0
 #define HAVE_MACHINE_IOCTL_METEOR_H 0
diff --git a/media/libstagefright/frameworks/av/include/media/stagefright/MediaDefs.h b/media/libstagefright/frameworks/av/include/media/stagefright/MediaDefs.h
index 7ac6db8d5c..b8aad681dd 100644
--- a/media/libstagefright/frameworks/av/include/media/stagefright/MediaDefs.h
+++ b/media/libstagefright/frameworks/av/include/media/stagefright/MediaDefs.h
@@ -25,6 +25,7 @@ extern const char *MEDIA_MIMETYPE_IMAGE_JPEG;
 extern const char *MEDIA_MIMETYPE_VIDEO_VP6;
 extern const char *MEDIA_MIMETYPE_VIDEO_VP8;
 extern const char *MEDIA_MIMETYPE_VIDEO_VP9;
+extern const char *MEDIA_MIMETYPE_VIDEO_AV1;
 extern const char *MEDIA_MIMETYPE_VIDEO_AVC;
 extern const char *MEDIA_MIMETYPE_VIDEO_MPEG4;
 extern const char *MEDIA_MIMETYPE_VIDEO_H263;
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
index 5667f04d87..786e804878 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -269,6 +269,10 @@ static const char *FourCC2MIME(uint32_t fourcc) {
         case FOURCC('V', 'P', '6', 'F'):
             return MEDIA_MIMETYPE_VIDEO_VP6;
 
+        case FOURCC('a', 'v', '0', '1'):
+        case FOURCC('.', 'a', 'v', '1'):
+            return MEDIA_MIMETYPE_VIDEO_AV1;
+
         default:
             ALOGE("Unknown MIME type %08x", fourcc);
             return NULL;
@@ -1346,6 +1350,8 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
         case FOURCC('a', 'v', 'c', '1'):
         case FOURCC('a', 'v', 'c', '3'):
         case FOURCC('V', 'P', '6', 'F'):
+        case FOURCC('a', 'v', '0', '1'):
+        case FOURCC('.', 'a', 'v', '1'):
         {
             mHasVideo = true;
 
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MediaDefs.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MediaDefs.cpp
index a1b520b109..a7c6e75fcc 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MediaDefs.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MediaDefs.cpp
@@ -23,6 +23,7 @@ const char *MEDIA_MIMETYPE_IMAGE_JPEG = "image/jpeg";
 const char *MEDIA_MIMETYPE_VIDEO_VP6 = "video/x-vnd.on2.vp6";
 const char *MEDIA_MIMETYPE_VIDEO_VP8 = "video/x-vnd.on2.vp8";
 const char *MEDIA_MIMETYPE_VIDEO_VP9 = "video/x-vnd.on2.vp9";
+const char *MEDIA_MIMETYPE_VIDEO_AV1 = "video/av1";
 const char *MEDIA_MIMETYPE_VIDEO_AVC = "video/avc";
 const char *MEDIA_MIMETYPE_VIDEO_MPEG4 = "video/mp4v-es";
 const char *MEDIA_MIMETYPE_VIDEO_H263 = "video/3gpp";
diff --git a/media/libstagefright/gtest/TestMP4Rust.cpp b/media/libstagefright/gtest/TestMP4Rust.cpp
deleted file mode 100644
index a338b53860..0000000000
--- a/media/libstagefright/gtest/TestMP4Rust.cpp
+++ /dev/null
@@ -1,142 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "gtest/gtest.h"
-#include "mp4parse.h"
-
-#include <stdint.h>
-#include <stdio.h>
-#include <string.h>
-#include <algorithm>
-#include <vector>
-
-static intptr_t
-error_reader(uint8_t* buffer, uintptr_t size, void* userdata)
-{
-  return -1;
-}
-
-struct read_vector {
-  explicit read_vector(FILE* file, size_t length);
-  explicit read_vector(size_t length);
-
-  size_t location;
-  std::vector<uint8_t> buffer;
-};
-
-read_vector::read_vector(FILE* file, size_t length)
- : location(0)
-{
-  buffer.resize(length);
-  size_t read = fread(buffer.data(), sizeof(decltype(buffer)::value_type),
-      buffer.size(), file);
-  buffer.resize(read);
-}
-
-read_vector::read_vector(size_t length)
-  : location(0)
-{
-  buffer.resize(length, 0);
-}
-
-static intptr_t
-vector_reader(uint8_t* buffer, uintptr_t size, void* userdata)
-{
-  if (!buffer || !userdata) {
-    return -1;
-  }
-
-  auto source = reinterpret_cast<read_vector*>(userdata);
-  if (source->location > source->buffer.size()) {
-    return -1;
-  }
-  uintptr_t available = source->buffer.size() - source->location;
-  uintptr_t length = std::min(available, size);
-  memcpy(buffer, source->buffer.data() + source->location, length);
-  source->location += length;
-  return length;
-}
-
-TEST(rust, MP4MetadataEmpty)
-{
-  mp4parse_error rv;
-  mp4parse_io io;
-
-  // Shouldn't be able to read with no context.
-  rv = mp4parse_read(nullptr);
-  EXPECT_EQ(rv, MP4PARSE_ERROR_BADARG);
-
-  // Shouldn't be able to wrap an mp4parse_io with null members.
-  io = { nullptr, nullptr };
-  mp4parse_parser* context = mp4parse_new(&io);
-  EXPECT_EQ(context, nullptr);
-
-  io = { nullptr, &io };
-  context = mp4parse_new(&io);
-  EXPECT_EQ(context, nullptr);
-
-  // FIXME: this should probably be accepted.
-  io = { error_reader, nullptr };
-  context = mp4parse_new(&io);
-  EXPECT_EQ(context, nullptr);
-
-  // Read method errors should propagate.
-  io = { error_reader, &io };
-  context = mp4parse_new(&io);
-  ASSERT_NE(context, nullptr);
-  rv = mp4parse_read(context);
-  EXPECT_EQ(rv, MP4PARSE_ERROR_IO);
-  mp4parse_free(context);
-
-  // Short buffers should fail.
-  read_vector buf(0);
-  io = { vector_reader, &buf };
-  context = mp4parse_new(&io);
-  ASSERT_NE(context, nullptr);
-  rv = mp4parse_read(context);
-  EXPECT_EQ(rv, MP4PARSE_ERROR_INVALID);
-  mp4parse_free(context);
-
-  buf.buffer.reserve(4097);
-  context = mp4parse_new(&io);
-  ASSERT_NE(context, nullptr);
-  rv = mp4parse_read(context);
-  EXPECT_EQ(rv, MP4PARSE_ERROR_INVALID);
-  mp4parse_free(context);
-
-  // Empty buffers should fail.
-  buf.buffer.resize(4097, 0);
-  context = mp4parse_new(&io);
-  rv = mp4parse_read(context);
-  EXPECT_EQ(rv, MP4PARSE_ERROR_UNSUPPORTED);
-  mp4parse_free(context);
-}
-
-TEST(rust, MP4Metadata)
-{
-  FILE* f = fopen("street.mp4", "rb");
-  ASSERT_TRUE(f != nullptr);
-  // Read just the moov header to work around the parser
-  // treating mid-box eof as an error.
-  //read_vector reader = read_vector(f, 1061);
-  struct stat s;
-  ASSERT_EQ(0, fstat(fileno(f), &s));
-  read_vector reader = read_vector(f, s.st_size);
-  fclose(f);
-
-  mp4parse_io io = { vector_reader, &reader };
-  mp4parse_parser* context = mp4parse_new(&io);
-  ASSERT_NE(nullptr, context);
-
-  mp4parse_error rv = mp4parse_read(context);
-  EXPECT_EQ(MP4PARSE_OK, rv);
-
-  uint32_t tracks = 0;
-  rv = mp4parse_get_track_count(context, &tracks);
-  EXPECT_EQ(MP4PARSE_OK, rv);
-  EXPECT_EQ(2U, tracks);
-
-  mp4parse_free(context);
-}
diff --git a/media/omx-plugin/OmxPlugin.cpp b/media/omx-plugin/OmxPlugin.cpp
deleted file mode 100644
index ce132b8e25..0000000000
--- a/media/omx-plugin/OmxPlugin.cpp
+++ /dev/null
@@ -1,1078 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <stagefright/ColorConverter.h>
-#include <stagefright/DataSource.h>
-#include <stagefright/MediaExtractor.h>
-#include <stagefright/MetaData.h>
-#include <stagefright/OMXCodec.h>
-#include <media/stagefright/MediaErrors.h>
-#include <stagefright/OMXClient.h>
-#include <algorithm>
-
-#include "mozilla/Assertions.h"
-#include "mozilla/Types.h"
-#include "MPAPI.h"
-
-#include "android/log.h"
-
-#define MAX_DECODER_NAME_LEN 256
-#define AVC_MIME_TYPE "video/avc"
-
-#define DEFAULT_STAGEFRIGHT_FLAGS OMXCodec::kClientNeedsFramebuffer
-
-#undef LOG
-#define LOG(args...)  __android_log_print(ANDROID_LOG_INFO, "OmxPlugin" , ## args)
-
-#include <I420ColorConverter.h>
-
-using namespace MPAPI;
-
-#if !defined(MOZ_STAGEFRIGHT_OFF_T)
-#define MOZ_STAGEFRIGHT_OFF_T off64_t
-#endif
-
-using namespace android;
-
-namespace OmxPlugin {
-
-const int OMX_QCOM_COLOR_FormatYVU420PackedSemiPlanar32m4ka = 0x7FA30C01;
-const int OMX_QCOM_COLOR_FormatYVU420SemiPlanar = 0x7FA30C00;
-const int OMX_TI_COLOR_FormatYUV420PackedSemiPlanar = 0x7F000100;
-
-class OmxDecoder {
-  PluginHost *mPluginHost;
-  Decoder *mDecoder;
-  sp<MediaSource> mVideoTrack;
-  sp<MediaSource> mVideoSource;
-  sp<MediaSource> mAudioTrack;
-  sp<MediaSource> mAudioSource;
-  int32_t mVideoWidth;
-  int32_t mVideoHeight;
-  int32_t mVideoColorFormat;
-  int32_t mVideoStride;
-  int32_t mVideoSliceHeight;
-  int32_t mVideoCropLeft;
-  int32_t mVideoCropTop;
-  int32_t mVideoCropRight;
-  int32_t mVideoCropBottom;
-  int32_t mVideoRotation;
-  int32_t mAudioChannels;
-  int32_t mAudioSampleRate;
-  int64_t mDurationUs;
-  MediaBuffer *mVideoBuffer;
-  VideoFrame mVideoFrame;
-  MediaBuffer *mAudioBuffer;
-  AudioFrame mAudioFrame;
-  ColorConverter *mColorConverter;
-
-  // 'true' if a read from the audio stream was done while reading the metadata
-  bool mAudioMetadataRead;
-
-  void ReleaseVideoBuffer();
-  void ReleaseAudioBuffer();
-
-  void ToVideoFrame_YUV420Planar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_CbYCrY(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_YUV420SemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_YVU420SemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_YUV420PackedSemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  void ToVideoFrame_YVU420PackedSemiPlanar32m4ka(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame);
-  bool ToVideoFrame_RGB565(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback);
-  bool ToVideoFrame_ColorConverter(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback);
-  bool ToVideoFrame_I420ColorConverter(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback);
-  bool ToVideoFrame(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback);
-  bool ToAudioFrame(AudioFrame *aFrame, int64_t aTimeUs, void *aData, size_t aDataOffset, size_t aSize,
-                    int32_t aAudioChannels, int32_t aAudioSampleRate);
-public:
-  OmxDecoder(PluginHost *aPluginHost, Decoder *aDecoder);
-  ~OmxDecoder();
-
-  bool Init();
-  bool SetVideoFormat();
-  bool SetAudioFormat();
-
-  void GetDuration(int64_t *durationUs) {
-    *durationUs = mDurationUs;
-  }
-
-  void GetVideoParameters(int32_t *width, int32_t *height) {
-    *width = mVideoWidth;
-    *height = mVideoHeight;
-  }
-
-  void GetAudioParameters(int32_t *numChannels, int32_t *sampleRate) {
-    *numChannels = mAudioChannels;
-    *sampleRate = mAudioSampleRate;
-  }
-
-  bool HasVideo() {
-    return mVideoSource != nullptr;
-  }
-
-  bool HasAudio() {
-    return mAudioSource != nullptr;
-  }
-
-  bool ReadVideo(VideoFrame *aFrame, int64_t aSeekTimeUs, BufferCallback *aBufferCallback);
-  bool ReadAudio(AudioFrame *aFrame, int64_t aSeekTimeUs);
-};
-
-static class OmxClientInstance {
-public:
-  OmxClientInstance()
-    : mClient(new OMXClient())
-    , mStatus(mClient->connect())
-  {
-  }
-
-  status_t IsValid()
-  {
-    return mStatus == OK;
-  }
-
-  OMXClient *get()
-  {
-    return mClient;
-  }
-
-  ~OmxClientInstance()
-  {
-    if (mStatus == OK) {
-      mClient->disconnect();
-    }
-    delete mClient;
-  }
-
-private:
-  OMXClient *mClient;
-  status_t mStatus;
-} sClientInstance;
-
-OmxDecoder::OmxDecoder(PluginHost *aPluginHost, Decoder *aDecoder) :
-  mPluginHost(aPluginHost),
-  mDecoder(aDecoder),
-  mVideoWidth(0),
-  mVideoHeight(0),
-  mVideoColorFormat(0),
-  mVideoStride(0),
-  mVideoSliceHeight(0),
-  mVideoCropLeft(0),
-  mVideoCropTop(0),
-  mVideoCropRight(0),
-  mVideoCropBottom(0),
-  mVideoRotation(0),
-  mAudioChannels(-1),
-  mAudioSampleRate(-1),
-  mDurationUs(-1),
-  mVideoBuffer(nullptr),
-  mAudioBuffer(nullptr),
-  mColorConverter(nullptr),
-  mAudioMetadataRead(false)
-{
-}
-
-OmxDecoder::~OmxDecoder()
-{
-  ReleaseVideoBuffer();
-  ReleaseAudioBuffer();
-
-  if (mVideoSource.get()) {
-    mVideoSource->stop();
-  }
-
-  if (mAudioSource.get()) {
-    mAudioSource->stop();
-  }
-
-  if (mColorConverter) {
-    delete mColorConverter;
-  }
-}
-
-class AutoStopMediaSource {
-  sp<MediaSource> mMediaSource;
-public:
-  AutoStopMediaSource(sp<MediaSource> aMediaSource) : mMediaSource(aMediaSource) {
-  }
-
-  ~AutoStopMediaSource() {
-    mMediaSource->stop();
-  }
-};
-
-static uint32_t
-GetDefaultStagefrightFlags(PluginHost *aPluginHost)
-{
-  uint32_t flags = DEFAULT_STAGEFRIGHT_FLAGS;
-
-  char hardware[256] = "";
-  aPluginHost->GetSystemInfoString("hardware", hardware, sizeof(hardware));
-
-  if (!strcmp("qcom", hardware) ||
-      !strncmp("mt", hardware, 2)) {
-    // Qualcomm's OMXCodec implementation interprets this flag to mean that we
-    // only want a thumbnail and therefore only need one frame. After the first
-    // frame it returns EOS.
-    // Some MediaTek chipsets have also been found to do the same.
-    // All other OMXCodec implementations seen so far interpret this flag
-    // sanely; some do not return full framebuffers unless this flag is passed.
-    flags &= ~OMXCodec::kClientNeedsFramebuffer;
-  }
-
-  LOG("Hardware %s; using default flags %#x\n", hardware, flags);
-
-  return flags;
-}
-
-static uint32_t GetVideoCreationFlags(PluginHost* aPluginHost)
-{
-  // Check whether the user has set a pref to override our default OMXCodec
-  // CreationFlags flags. This is useful for A/B testing hardware and software
-  // decoders for performance and bugs. The interesting flag values are:
-  //  0 = Let Stagefright choose hardware or software decoding (default)
-  //  8 = Force software decoding
-  // 16 = Force hardware decoding
-  int32_t flags = 0;
-  aPluginHost->GetIntPref("media.stagefright.omxcodec.flags", &flags);
-  if (flags != 0) {
-    LOG("media.stagefright.omxcodec.flags=%d", flags);
-    if ((flags & OMXCodec::kHardwareCodecsOnly) != 0) {
-      LOG("FORCE HARDWARE DECODING");
-    } else if ((flags & OMXCodec::kSoftwareCodecsOnly) != 0) {
-      LOG("FORCE SOFTWARE DECODING");
-    }
-  }
-
-  flags |= GetDefaultStagefrightFlags(aPluginHost);
-
-  return static_cast<uint32_t>(flags);
-}
-
-enum ColorFormatSupport {
-  ColorFormatNotSupported = 0,
-  ColorFormatSupportOK,
-  ColorFormatSupportPreferred,
-};
-
-static ColorFormatSupport
-IsColorFormatSupported(OMX_COLOR_FORMATTYPE aColorFormat)
-{
-  switch (static_cast<int>(aColorFormat)) {
-    case OMX_COLOR_FormatCbYCrY:
-    case OMX_COLOR_FormatYUV420Planar:
-    case OMX_COLOR_FormatYUV420SemiPlanar:
-    case OMX_QCOM_COLOR_FormatYVU420PackedSemiPlanar32m4ka:
-    case OMX_QCOM_COLOR_FormatYVU420SemiPlanar:
-    case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar:
-      LOG("Colour format %#x supported natively.", aColorFormat);
-      // Prefer natively supported colour formats over formats that need another
-      // slow software conversion.
-      return ColorFormatSupportPreferred;
-    default:
-      break;
-  }
-
-  // These formats are okay if we can't find a better one; Android provides a
-  // software conversion to a sane colour format.
-  if (ColorConverter(aColorFormat, OMX_COLOR_Format16bitRGB565).isValid()) {
-    LOG("Colour format %#x supported by Android ColorConverter.", aColorFormat);
-    return ColorFormatSupportOK;
-  }
-
-  I420ColorConverter yuvConverter;
-
-  if (yuvConverter.isLoaded() &&
-      yuvConverter.getDecoderOutputFormat() == aColorFormat) {
-    LOG("Colour format %#x supported by Android I420ColorConverter.", aColorFormat);
-    return ColorFormatSupportOK;
-  }
-
-  return ColorFormatNotSupported;
-}
-
-#if defined(MOZ_ANDROID_KK)
-/**
- * Look for a decoder that supports a colour format that we support.
- */
-static bool
-FindPreferredDecoderAndColorFormat(const sp<IOMX>& aOmx,
-                                   char *aDecoderName,
-                                   size_t aDecoderLen,
-                                   OMX_COLOR_FORMATTYPE *aColorFormat)
-{
-  Vector<CodecCapabilities> codecs;
-
-  // Get all AVC decoder/colour format pairs that this device supports.
-  QueryCodecs(aOmx, AVC_MIME_TYPE, true /* queryDecoders */, &codecs);
-
-  // We assume that faster (hardware accelerated) decoders come first in the
-  // list, so we choose the first decoder with a colour format we can use.
-  for (uint32_t i = 0; i < codecs.size(); i++) {
-    const CodecCapabilities &caps = codecs[i];
-    const Vector<OMX_U32> &colors = caps.mColorFormats;
-
-    bool found = false;
-    for (uint32_t j = 0; j < colors.size(); j++) {
-      OMX_COLOR_FORMATTYPE color = (OMX_COLOR_FORMATTYPE)colors[j];
-
-      LOG("Decoder %s can output colour format %#x.\n",
-          caps.mComponentName.string(), color);
-
-      ColorFormatSupport supported = IsColorFormatSupported(color);
-
-      if (supported) {
-        strncpy(aDecoderName, caps.mComponentName.string(), aDecoderLen);
-        *aColorFormat = color;
-        found = true;
-      }
-
-      if (supported == ColorFormatSupportPreferred) {
-        // The colour format is natively supported -- that's as good as we're
-        // going to get.
-        break;
-      }
-    }
-
-    if (found) {
-      return true;
-    }
-  }
-
-  return false;
-}
-#endif
-
-static sp<MediaSource> CreateVideoSource(PluginHost* aPluginHost,
-                                         const sp<IOMX>& aOmx,
-                                         const sp<MediaSource>& aVideoTrack)
-{
-  uint32_t flags = GetVideoCreationFlags(aPluginHost);
-
-  char decoderName[MAX_DECODER_NAME_LEN] = "";
-  sp<MetaData> videoFormat = aVideoTrack->getFormat();
-
-#if defined(MOZ_ANDROID_KK)
-  OMX_COLOR_FORMATTYPE colorFormat = (OMX_COLOR_FORMATTYPE)0;
-  if (FindPreferredDecoderAndColorFormat(aOmx,
-                                         decoderName, sizeof(decoderName),
-                                         &colorFormat)) {
-    // We found a colour format that we can handle. Tell OMXCodec to use it in
-    // case it isn't the default.
-    videoFormat->setInt32(kKeyColorFormat, colorFormat);
-
-    LOG("Found compatible decoder %s with colour format %#x.\n",
-        decoderName, colorFormat);
-  }
-#endif
-
-  if (flags == DEFAULT_STAGEFRIGHT_FLAGS) {
-    // Let Stagefright choose hardware or software decoder.
-    sp<MediaSource> videoSource = OMXCodec::Create(aOmx, videoFormat,
-                                                   false, aVideoTrack,
-                                                   decoderName[0] ? decoderName : nullptr,
-                                                   flags);
-    if (videoSource == nullptr)
-      return nullptr;
-
-    // Now that OMXCodec has parsed the video's AVCDecoderConfigurationRecord,
-    // check whether we know how to decode this video.
-    int32_t videoColorFormat;
-    if (videoSource->getFormat()->findInt32(kKeyColorFormat, &videoColorFormat)) {
-
-      if (IsColorFormatSupported((OMX_COLOR_FORMATTYPE)videoColorFormat)) {
-        return videoSource;
-      }
-
-      // We need to implement a ToVideoFrame_*() color conversion
-      // function for this video color format.
-      LOG("Unknown video color format: %#x", videoColorFormat);
-    } else {
-      LOG("Video color format not found");
-    }
-
-    // Throw away the videoSource and try again with new flags.
-    LOG("Falling back to software decoder");
-    videoSource.clear();
-    flags = DEFAULT_STAGEFRIGHT_FLAGS | OMXCodec::kSoftwareCodecsOnly;
-  }
-
-  MOZ_ASSERT(flags != DEFAULT_STAGEFRIGHT_FLAGS);
-  return OMXCodec::Create(aOmx, aVideoTrack->getFormat(), false, aVideoTrack,
-                          nullptr, flags);
-}
-
-bool OmxDecoder::Init()
-{
-#if defined(MOZ_WIDGET_ANDROID)
-  // OMXClient::connect() always returns OK and aborts fatally if
-  // it can't connect. We may need to implement the connect functionality
-  // ourselves if this proves to be an issue.
-  if (!sClientInstance.IsValid()) {
-    LOG("OMXClient failed to connect");
-    return false;
-  }
-#endif
-
-  //register sniffers, if they are not registered in this process.
-  DataSource::RegisterDefaultSniffers();
-
-  sp<DataSource> dataSource =
-    DataSource::CreateFromURI(static_cast<char*>(mDecoder->mResource));
-  if (!dataSource.get() || dataSource->initCheck()) {
-    return false;
-  }
-
-  sp<MediaExtractor> extractor = MediaExtractor::Create(dataSource);
-  if (extractor == nullptr) {
-    return false;
-  }
-
-  ssize_t audioTrackIndex = -1;
-  ssize_t videoTrackIndex = -1;
-  const char *audioMime = nullptr;
-  const char *videoMime = nullptr;
-
-  for (size_t i = 0; i < extractor->countTracks(); ++i) {
-    sp<MetaData> meta = extractor->getTrackMetaData(i);
-
-    const char *mime;
-    if (!meta->findCString(kKeyMIMEType, &mime)) {
-      continue;
-    }
-
-    if (videoTrackIndex == -1 && !strncasecmp(mime, "video/", 6)) {
-      videoTrackIndex = i;
-      videoMime = mime;
-    } else if (audioTrackIndex == -1 && !strncasecmp(mime, "audio/", 6)) {
-      audioTrackIndex = i;
-      audioMime = mime;
-    }
-  }
-
-  if (videoTrackIndex == -1 && audioTrackIndex == -1) {
-    return false;
-  }
-
-  int64_t totalDurationUs = 0;
-
-  sp<IOMX> omx = sClientInstance.get()->interface();
-
-  sp<MediaSource> videoTrack;
-  sp<MediaSource> videoSource;
-  if (videoTrackIndex != -1 && (videoTrack = extractor->getTrack(videoTrackIndex)) != nullptr) {
-    videoSource = CreateVideoSource(mPluginHost, omx, videoTrack);
-    if (videoSource == nullptr) {
-      LOG("OMXCodec failed to initialize video decoder for \"%s\"", videoMime);
-      return false;
-    }
-    status_t status = videoSource->start();
-    if (status != OK) {
-      LOG("videoSource->start() failed with status %#x", status);
-      return false;
-    }
-    int64_t durationUs;
-    if (videoTrack->getFormat()->findInt64(kKeyDuration, &durationUs)) {
-      if (durationUs < 0)
-        LOG("video duration %lld should be nonnegative", durationUs);
-      if (durationUs > totalDurationUs)
-        totalDurationUs = durationUs;
-    }
-  }
-
-  sp<MediaSource> audioTrack;
-  sp<MediaSource> audioSource;
-  if (audioTrackIndex != -1 && (audioTrack = extractor->getTrack(audioTrackIndex)) != nullptr)
-  {
-    if (!strcasecmp(audioMime, "audio/raw")) {
-      audioSource = audioTrack;
-    } else {
-      audioSource = OMXCodec::Create(omx,
-                                     audioTrack->getFormat(),
-                                     false, // decoder
-                                     audioTrack);
-    }
-
-    if (audioSource == nullptr) {
-      LOG("OMXCodec failed to initialize audio decoder for \"%s\"", audioMime);
-      return false;
-    }
-
-    status_t status = audioSource->start();
-    if (status != OK) {
-      LOG("audioSource->start() failed with status %#x", status);
-      return false;
-    }
-
-    int64_t durationUs;
-    if (audioTrack->getFormat()->findInt64(kKeyDuration, &durationUs)) {
-      if (durationUs < 0)
-        LOG("audio duration %lld should be nonnegative", durationUs);
-      if (durationUs > totalDurationUs)
-        totalDurationUs = durationUs;
-    }
-  }
-
-  // set decoder state
-  mVideoTrack = videoTrack;
-  mVideoSource = videoSource;
-  mAudioTrack = audioTrack;
-  mAudioSource = audioSource;
-  mDurationUs = totalDurationUs;
-
-  if (mVideoSource.get() && !SetVideoFormat())
-    return false;
-
-  // To reliably get the channel and sample rate data we need to read from the
-  // audio source until we get a INFO_FORMAT_CHANGE status
-  if (mAudioSource.get()) {
-    if (mAudioSource->read(&mAudioBuffer) != INFO_FORMAT_CHANGED) {
-      sp<MetaData> meta = mAudioSource->getFormat();
-      if (!meta->findInt32(kKeyChannelCount, &mAudioChannels) ||
-          !meta->findInt32(kKeySampleRate, &mAudioSampleRate)) {
-        return false;
-      }
-      mAudioMetadataRead = true;
-
-      if (mAudioChannels < 0) {
-        LOG("audio channel count %d must be nonnegative", mAudioChannels);
-        return false;
-      }
-
-      if (mAudioSampleRate < 0) {
-        LOG("audio sample rate %d must be nonnegative", mAudioSampleRate);
-        return false;
-      }
-    }
-    else if (!SetAudioFormat()) {
-        return false;
-    }
-  }
-  return true;
-}
-
-bool OmxDecoder::SetVideoFormat() {
-  sp<MetaData> format = mVideoSource->getFormat();
-
-  // Stagefright's kKeyWidth and kKeyHeight are what MPAPI calls stride and
-  // slice height. Stagefright only seems to use its kKeyStride and
-  // kKeySliceHeight to initialize camera video formats.
-
-#if defined(DEBUG)
-  int32_t unexpected;
-  if (format->findInt32(kKeyStride, &unexpected))
-    LOG("Expected kKeyWidth, but found kKeyStride %d", unexpected);
-  if (format->findInt32(kKeySliceHeight, &unexpected))
-    LOG("Expected kKeyHeight, but found kKeySliceHeight %d", unexpected);
-#endif // DEBUG
-
-  const char *componentName;
-
-  if (!format->findInt32(kKeyWidth, &mVideoStride) ||
-      !format->findInt32(kKeyHeight, &mVideoSliceHeight) ||
-      !format->findCString(kKeyDecoderComponent, &componentName) ||
-      !format->findInt32(kKeyColorFormat, &mVideoColorFormat) ) {
-    return false;
-  }
-
-  if (mVideoStride <= 0) {
-    LOG("stride %d must be positive", mVideoStride);
-    return false;
-  }
-
-  if (mVideoSliceHeight <= 0) {
-    LOG("slice height %d must be positive", mVideoSliceHeight);
-    return false;
-  }
-
-  // Gingerbread does not support the kKeyCropRect key
-  if (!format->findRect(kKeyCropRect, &mVideoCropLeft, &mVideoCropTop,
-                                      &mVideoCropRight, &mVideoCropBottom)) {
-    mVideoCropLeft = 0;
-    mVideoCropTop = 0;
-    mVideoCropRight = mVideoStride - 1;
-    mVideoCropBottom = mVideoSliceHeight - 1;
-    LOG("crop rect not available, assuming no cropping");
-  }
-
-  if (mVideoCropLeft < 0 || mVideoCropLeft >= mVideoCropRight || mVideoCropRight >= mVideoStride ||
-      mVideoCropTop < 0 || mVideoCropTop >= mVideoCropBottom || mVideoCropBottom >= mVideoSliceHeight) {
-    LOG("invalid crop rect %d,%d-%d,%d", mVideoCropLeft, mVideoCropTop, mVideoCropRight, mVideoCropBottom);
-    return false;
-  }
-
-  mVideoWidth = mVideoCropRight - mVideoCropLeft + 1;
-  mVideoHeight = mVideoCropBottom - mVideoCropTop + 1;
-  MOZ_ASSERT(mVideoWidth > 0 && mVideoWidth <= mVideoStride);
-  MOZ_ASSERT(mVideoHeight > 0 && mVideoHeight <= mVideoSliceHeight);
-
-  if (!format->findInt32(kKeyRotation, &mVideoRotation)) {
-    mVideoRotation = 0;
-    LOG("rotation not available, assuming 0");
-  }
-
-  if (mVideoRotation != 0 && mVideoRotation != 90 &&
-      mVideoRotation != 180 && mVideoRotation != 270) {
-    LOG("invalid rotation %d, assuming 0", mVideoRotation);
-  }
-
-  LOG("width: %d height: %d component: %s format: %#x stride: %d sliceHeight: %d rotation: %d crop: %d,%d-%d,%d",
-      mVideoWidth, mVideoHeight, componentName, mVideoColorFormat,
-      mVideoStride, mVideoSliceHeight, mVideoRotation,
-      mVideoCropLeft, mVideoCropTop, mVideoCropRight, mVideoCropBottom);
-
-  return true;
-}
-
-bool OmxDecoder::SetAudioFormat() {
-  // If the format changed, update our cached info.
-  if (!mAudioSource->getFormat()->findInt32(kKeyChannelCount, &mAudioChannels) ||
-      !mAudioSource->getFormat()->findInt32(kKeySampleRate, &mAudioSampleRate)) {
-    return false;
-  }
-
-  LOG("channelCount: %d sampleRate: %d", mAudioChannels, mAudioSampleRate);
-
-  if (mAudioChannels < 0) {
-    LOG("audio channel count %d must be nonnegative", mAudioChannels);
-    return false;
-  }
-
-  if (mAudioSampleRate < 0) {
-    LOG("audio sample rate %d must be nonnegative", mAudioSampleRate);
-    return false;
-  }
-
-  return true;
-}
-
-void OmxDecoder::ReleaseVideoBuffer() {
-  if (mVideoBuffer) {
-    mVideoBuffer->release();
-    mVideoBuffer = nullptr;
-  }
-}
-
-void OmxDecoder::ReleaseAudioBuffer() {
-  if (mAudioBuffer) {
-    mAudioBuffer->release();
-    mAudioBuffer = nullptr;
-  }
-}
-
-void OmxDecoder::ToVideoFrame_YUV420Planar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  void *y = aData;
-  void *u = static_cast<uint8_t *>(y) + mVideoStride * mVideoSliceHeight;
-  void *v = static_cast<uint8_t *>(u) + mVideoStride/2 * mVideoSliceHeight/2;
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, mVideoStride, mVideoSliceHeight, mVideoRotation,
-              y, mVideoStride, mVideoWidth, mVideoHeight, 0, 0,
-              u, mVideoStride/2, mVideoWidth/2, mVideoHeight/2, 0, 0,
-              v, mVideoStride/2, mVideoWidth/2, mVideoHeight/2, 0, 0);
-}
-
-void OmxDecoder::ToVideoFrame_CbYCrY(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, mVideoStride, mVideoSliceHeight, mVideoRotation,
-              aData, mVideoStride, mVideoWidth, mVideoHeight, 1, 1,
-              aData, mVideoStride, mVideoWidth/2, mVideoHeight/2, 0, 3,
-              aData, mVideoStride, mVideoWidth/2, mVideoHeight/2, 2, 3);
-}
-
-void OmxDecoder::ToVideoFrame_YUV420SemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  int32_t videoStride = mVideoStride;
-  int32_t videoSliceHeight = mVideoSliceHeight;
-
-  // OMX.SEC.avcdec rounds mVideoStride and mVideoSliceHeight up to the nearest
-  // multiple of 16 but the data itself is too small to fit. What we do is check
-  // to see if the video size patches the raw width and height. If so we can
-  // use those figures instead.
-
-  if (static_cast<int>(aSize) == mVideoWidth * mVideoHeight * 3 / 2) {
-    videoStride = mVideoWidth;
-    videoSliceHeight = mVideoHeight;
-  }
-
-  void *y = aData;
-  void *uv = static_cast<uint8_t *>(y) + (videoStride * videoSliceHeight);
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, videoStride, videoSliceHeight, mVideoRotation,
-              y, videoStride, mVideoWidth, mVideoHeight, 0, 0,
-              uv, videoStride, mVideoWidth/2, mVideoHeight/2, 0, 1,
-              uv, videoStride, mVideoWidth/2, mVideoHeight/2, 1, 1);
-}
-
-void OmxDecoder::ToVideoFrame_YVU420SemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  ToVideoFrame_YUV420SemiPlanar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-  aFrame->Cb.mOffset = 1;
-  aFrame->Cr.mOffset = 0;
-}
-
-void OmxDecoder::ToVideoFrame_YUV420PackedSemiPlanar(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  void *y = aData;
-  void *uv = static_cast<uint8_t *>(y) + mVideoStride * (mVideoSliceHeight - mVideoCropTop/2);
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, mVideoStride, mVideoSliceHeight, mVideoRotation,
-              y, mVideoStride, mVideoWidth, mVideoHeight, 0, 0,
-              uv, mVideoStride, mVideoWidth/2, mVideoHeight/2, 0, 1,
-              uv, mVideoStride, mVideoWidth/2, mVideoHeight/2, 1, 1);
-}
-
-void OmxDecoder::ToVideoFrame_YVU420PackedSemiPlanar32m4ka(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame) {
-  size_t roundedSliceHeight = (mVideoSliceHeight + 31) & ~31;
-  size_t roundedStride = (mVideoStride + 31) & ~31;
-  void *y = aData;
-  void *uv = static_cast<uint8_t *>(y) + (roundedStride * roundedSliceHeight);
-  aFrame->Set(aTimeUs, aKeyFrame,
-              aData, aSize, mVideoStride, mVideoSliceHeight, mVideoRotation,
-              y, mVideoStride, mVideoWidth, mVideoHeight, 0, 0,
-              uv, mVideoStride, mVideoWidth/2, mVideoHeight/2, 1, 1,
-              uv, mVideoStride, mVideoWidth/2, mVideoHeight/2, 0, 1);
-}
-
-bool OmxDecoder::ToVideoFrame_RGB565(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback) {
-  void *buffer = (*aBufferCallback)(mVideoWidth, mVideoHeight, MPAPI::RGB565);
-
-  if (!buffer) {
-    return false;
-  }
-
-  aFrame->mTimeUs = aTimeUs;
-
-  memcpy(buffer, aData, mVideoWidth * mVideoHeight * 2);
-
-  aFrame->mSize = mVideoWidth * mVideoHeight * 2;
-
-  return true;
-}
-
-bool OmxDecoder::ToVideoFrame_ColorConverter(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback) {
-  if (!mColorConverter) {
-    mColorConverter = new ColorConverter((OMX_COLOR_FORMATTYPE)mVideoColorFormat,
-                                         OMX_COLOR_Format16bitRGB565);
-  }
-
-  if (!mColorConverter->isValid()) {
-    return false;
-  }
-
-  aFrame->mTimeUs = aTimeUs;
-
-  void *buffer = (*aBufferCallback)(mVideoWidth, mVideoHeight, MPAPI::RGB565);
-
-  if (!buffer) {
-    return false;
-  }
-
-  aFrame->mSize = mVideoWidth * mVideoHeight * 2;
-
-  mColorConverter->convert(aData, mVideoStride, mVideoSliceHeight,
-                           mVideoCropLeft, mVideoCropTop,
-                           mVideoCropLeft + mVideoWidth - 1,
-                           mVideoCropTop + mVideoHeight - 1,
-                           buffer, mVideoWidth, mVideoHeight,
-                           0, 0, mVideoWidth - 1, mVideoHeight - 1);
-
-  return true;
-}
-
-bool OmxDecoder::ToVideoFrame_I420ColorConverter(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback)
-{
-  I420ColorConverter yuvConverter;
-
-  if (!yuvConverter.isLoaded()) {
-    return false;
-  }
-
-  if (yuvConverter.getDecoderOutputFormat() != mVideoColorFormat) {
-    return false;
-  }
-
-  void *buffer = (*aBufferCallback)(mVideoWidth, mVideoHeight, MPAPI::I420);
-
-  ARect crop = { mVideoCropLeft, mVideoCropTop, mVideoCropRight, mVideoCropBottom };
-  int result = yuvConverter.convertDecoderOutputToI420(aData,
-                                                       mVideoWidth,
-                                                       mVideoHeight,
-                                                       crop,
-                                                       buffer);
-
-  // result is 0 on success, -1 otherwise.
-  if (result == OK) {
-    aFrame->mTimeUs = aTimeUs;
-    aFrame->mSize = mVideoWidth * mVideoHeight * 3 / 2;
-  }
-
-  return result == OK;
-}
-
-bool OmxDecoder::ToVideoFrame(VideoFrame *aFrame, int64_t aTimeUs, void *aData, size_t aSize, bool aKeyFrame, BufferCallback *aBufferCallback) {
-  switch (mVideoColorFormat) {
-  case OMX_COLOR_FormatYUV420Planar: // e.g. Asus Transformer, Stagefright's software decoder
-    ToVideoFrame_YUV420Planar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_COLOR_FormatCbYCrY: // e.g. Droid 1
-    ToVideoFrame_CbYCrY(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_COLOR_FormatYUV420SemiPlanar: // e.g. Galaxy S III
-    ToVideoFrame_YUV420SemiPlanar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_QCOM_COLOR_FormatYVU420SemiPlanar: // e.g. Nexus One
-    ToVideoFrame_YVU420SemiPlanar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_QCOM_COLOR_FormatYVU420PackedSemiPlanar32m4ka: // e.g. Otoro
-    ToVideoFrame_YVU420PackedSemiPlanar32m4ka(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_TI_COLOR_FormatYUV420PackedSemiPlanar: // e.g. Galaxy Nexus
-    ToVideoFrame_YUV420PackedSemiPlanar(aFrame, aTimeUs, aData, aSize, aKeyFrame);
-    break;
-  case OMX_COLOR_Format16bitRGB565:
-    return ToVideoFrame_RGB565(aFrame, aTimeUs, aData, aSize, aKeyFrame, aBufferCallback);
-    break;
-  default:
-    if (!ToVideoFrame_ColorConverter(aFrame, aTimeUs, aData, aSize, aKeyFrame, aBufferCallback) &&
-        !ToVideoFrame_I420ColorConverter(aFrame, aTimeUs, aData, aSize, aKeyFrame, aBufferCallback)) {
-      LOG("Unknown video color format: %#x", mVideoColorFormat);
-      return false;
-    }
-  }
-  return true;
-}
-
-bool OmxDecoder::ToAudioFrame(AudioFrame *aFrame, int64_t aTimeUs, void *aData, size_t aDataOffset, size_t aSize, int32_t aAudioChannels, int32_t aAudioSampleRate)
-{
-  aFrame->Set(aTimeUs, reinterpret_cast<char *>(aData) + aDataOffset, aSize, aAudioChannels, aAudioSampleRate);
-  return true;
-}
-
-class ReadOptions : public MediaSource::ReadOptions
-{
-  // HTC have their own version of ReadOptions with extra fields. If we don't
-  // have this here, HTCOMXCodec will corrupt our stack.
-  uint32_t sadface[16];
-};
-
-bool OmxDecoder::ReadVideo(VideoFrame *aFrame, int64_t aSeekTimeUs,
-                           BufferCallback *aBufferCallback)
-{
-  MOZ_ASSERT(aSeekTimeUs >= -1);
-
-  if (!mVideoSource.get())
-    return false;
-
-  ReleaseVideoBuffer();
-
-  status_t err;
-
-  if (aSeekTimeUs != -1) {
-    ReadOptions options;
-    options.setSeekTo(aSeekTimeUs);
-    err = mVideoSource->read(&mVideoBuffer, &options);
-  } else {
-    err = mVideoSource->read(&mVideoBuffer);
-  }
-
-  aFrame->mSize = 0;
-
-  if (err == OK && mVideoBuffer->range_length() > 0) {
-    int64_t timeUs;
-    int32_t keyFrame;
-
-    if (!mVideoBuffer->meta_data()->findInt64(kKeyTime, &timeUs) ) {
-      LOG("no frame time");
-      return false;
-    }
-
-    if (timeUs < 0) {
-      LOG("frame time %lld must be nonnegative", timeUs);
-      return false;
-    }
-
-    if (!mVideoBuffer->meta_data()->findInt32(kKeyIsSyncFrame, &keyFrame)) {
-       keyFrame = 0;
-    }
-
-    char *data = reinterpret_cast<char *>(mVideoBuffer->data()) + mVideoBuffer->range_offset();
-    size_t length = mVideoBuffer->range_length();
-
-    if (!ToVideoFrame(aFrame, timeUs, data, length, keyFrame, aBufferCallback)) {
-      return false;
-    }
-  }
-  else if (err == INFO_FORMAT_CHANGED) {
-    // If the format changed, update our cached info.
-    LOG("mVideoSource INFO_FORMAT_CHANGED");
-    if (!SetVideoFormat())
-      return false;
-    else
-      return ReadVideo(aFrame, aSeekTimeUs, aBufferCallback);
-  }
-  else if (err == ERROR_END_OF_STREAM) {
-    LOG("mVideoSource END_OF_STREAM");
-  }
-  else if (err != OK) {
-    LOG("mVideoSource ERROR %#x", err);
-  }
-
-  return err == OK;
-}
-
-bool OmxDecoder::ReadAudio(AudioFrame *aFrame, int64_t aSeekTimeUs)
-{
-  MOZ_ASSERT(aSeekTimeUs >= -1);
-
-  status_t err;
-  if (mAudioMetadataRead && aSeekTimeUs == -1) {
-    // Use the data read into the buffer during metadata time
-    err = OK;
-  }
-  else {
-    ReleaseAudioBuffer();
-    if (aSeekTimeUs != -1) {
-      ReadOptions options;
-      options.setSeekTo(aSeekTimeUs);
-      err = mAudioSource->read(&mAudioBuffer, &options);
-    } else {
-      err = mAudioSource->read(&mAudioBuffer);
-    }
-  }
-  mAudioMetadataRead = false;
-
-  aSeekTimeUs = -1;
-
-  if (err == OK && mAudioBuffer->range_length() != 0) {
-    int64_t timeUs;
-    if (!mAudioBuffer->meta_data()->findInt64(kKeyTime, &timeUs)) {
-      LOG("no frame time");
-      return false;
-    }
-
-    if (timeUs < 0) {
-      LOG("frame time %lld must be nonnegative", timeUs);
-      return false;
-    }
-
-    return ToAudioFrame(aFrame, timeUs,
-                        mAudioBuffer->data(),
-                        mAudioBuffer->range_offset(),
-                        mAudioBuffer->range_length(),
-                        mAudioChannels, mAudioSampleRate);
-  }
-  else if (err == INFO_FORMAT_CHANGED) {
-    // If the format changed, update our cached info.
-    LOG("mAudioSource INFO_FORMAT_CHANGED");
-    if (!SetAudioFormat())
-      return false;
-    else
-      return ReadAudio(aFrame, aSeekTimeUs);
-  }
-  else if (err == ERROR_END_OF_STREAM) {
-    LOG("mAudioSource END_OF_STREAM");
-  }
-  else if (err != OK) {
-    LOG("mAudioSource ERROR %#x", err);
-  }
-
-  return err == OK;
-}
-
-static OmxDecoder *cast(Decoder *decoder) {
-  return reinterpret_cast<OmxDecoder *>(decoder->mPrivate);
-}
-
-static void GetDuration(Decoder *aDecoder, int64_t *durationUs) {
-  cast(aDecoder)->GetDuration(durationUs);
-}
-
-static void GetVideoParameters(Decoder *aDecoder, int32_t *width, int32_t *height) {
-  cast(aDecoder)->GetVideoParameters(width, height);
-}
-
-static void GetAudioParameters(Decoder *aDecoder, int32_t *numChannels, int32_t *sampleRate) {
-  cast(aDecoder)->GetAudioParameters(numChannels, sampleRate);
-}
-
-static bool HasVideo(Decoder *aDecoder) {
-  return cast(aDecoder)->HasVideo();
-}
-
-static bool HasAudio(Decoder *aDecoder) {
-  return cast(aDecoder)->HasAudio();
-}
-
-static bool ReadVideo(Decoder *aDecoder, VideoFrame *aFrame, int64_t aSeekTimeUs, BufferCallback *aBufferCallback)
-{
-  return cast(aDecoder)->ReadVideo(aFrame, aSeekTimeUs, aBufferCallback);
-}
-
-static bool ReadAudio(Decoder *aDecoder, AudioFrame *aFrame, int64_t aSeekTimeUs)
-{
-  return cast(aDecoder)->ReadAudio(aFrame, aSeekTimeUs);
-}
-
-static void DestroyDecoder(Decoder *aDecoder)
-{
-  if (aDecoder->mPrivate)
-    delete reinterpret_cast<OmxDecoder *>(aDecoder->mPrivate);
-}
-
-static bool Match(const char *aMimeChars, size_t aMimeLen, const char *aNeedle)
-{
-  return !strncmp(aMimeChars, aNeedle, aMimeLen);
-}
-
-static const char* const gCodecs[] = {
-  "avc1.42E01E",  // H.264 Constrained Baseline Profile Level 3.0
-  "avc1.42001E",  // H.264 Baseline Profile Level 3.0
-  "avc1.42001F",  // H.264 Baseline Profile Level 3.1
-  "avc1.4D401E",  // H.264 Main Profile Level 3.0
-  "avc1.4D401F",  // H.264 Main Profile Level 3.1
-  "mp4a.40.2",    // AAC-LC
-  nullptr
-};
-
-static bool CanDecode(const char *aMimeChars, size_t aMimeLen, const char* const**aCodecs)
-{
-  if (!Match(aMimeChars, aMimeLen, "video/mp4") &&
-      !Match(aMimeChars, aMimeLen, "audio/mp4") &&
-      !Match(aMimeChars, aMimeLen, "audio/mpeg") &&
-      !Match(aMimeChars, aMimeLen, "application/octet-stream")) { // file urls
-    return false;
-  }
-  *aCodecs = gCodecs;
-
-  return true;
-}
-
-static bool CreateDecoder(PluginHost *aPluginHost, Decoder *aDecoder, const char *aMimeChars, size_t aMimeLen)
-{
-  OmxDecoder *omx = new OmxDecoder(aPluginHost, aDecoder);
-  if (!omx || !omx->Init()) {
-    if (omx)
-      delete omx;
-    return false;
-  }
-
-  aDecoder->mPrivate = omx;
-  aDecoder->GetDuration = GetDuration;
-  aDecoder->GetVideoParameters = GetVideoParameters;
-  aDecoder->GetAudioParameters = GetAudioParameters;
-  aDecoder->HasVideo = HasVideo;
-  aDecoder->HasAudio = HasAudio;
-  aDecoder->ReadVideo = ReadVideo;
-  aDecoder->ReadAudio = ReadAudio;
-  aDecoder->DestroyDecoder = DestroyDecoder;
-
-  return true;
-}
-
-} // namespace OmxPlugin
-
-// Export the manifest so MPAPI can find our entry points.
-Manifest MOZ_EXPORT MPAPI_MANIFEST = {
-  OmxPlugin::CanDecode,
-  OmxPlugin::CreateDecoder
-};
diff --git a/media/omx-plugin/include/ics/I420ColorConverter.h b/media/omx-plugin/include/ics/I420ColorConverter.h
deleted file mode 100644
index 8d48e44b4d..0000000000
--- a/media/omx-plugin/include/ics/I420ColorConverter.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef I420_COLOR_CONVERTER_H
-#define I420_COLOR_CONVERTER_H
-
-#include <II420ColorConverter.h>
-
-// This is a wrapper around the I420 color converter functions in
-// II420ColorConverter, which is loaded from a shared library.
-class I420ColorConverter: public II420ColorConverter {
-public:
-    I420ColorConverter();
-    ~I420ColorConverter();
-
-    // Returns true if the converter functions are successfully loaded.
-    bool isLoaded();
-private:
-    void* mHandle;
-};
-
-#endif /* I420_COLOR_CONVERTER_H */
diff --git a/media/omx-plugin/include/ics/II420ColorConverter.h b/media/omx-plugin/include/ics/II420ColorConverter.h
deleted file mode 100644
index 0e3fe8285d..0000000000
--- a/media/omx-plugin/include/ics/II420ColorConverter.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef II420_COLOR_CONVERTER_H
-
-#define II420_COLOR_CONVERTER_H
-
-#include <stdint.h>
-#include <android/rect.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct II420ColorConverter {
-
-    /*
-     * getDecoderOutputFormat
-     * Returns the color format (OMX_COLOR_FORMATTYPE) of the decoder output.
-     * If it is I420 (OMX_COLOR_FormatYUV420Planar), no conversion is needed,
-     * and convertDecoderOutputToI420() can be a no-op.
-     */
-    int (*getDecoderOutputFormat)();
-
-    /*
-     * convertDecoderOutputToI420
-     * @Desc     Converts from the decoder output format to I420 format.
-     * @note     Caller (e.g. VideoEditor) owns the buffers
-     * @param    decoderBits   (IN) Pointer to the buffer contains decoder output
-     * @param    decoderWidth  (IN) Buffer width, as reported by the decoder
-     *                              metadata (kKeyWidth)
-     * @param    decoderHeight (IN) Buffer height, as reported by the decoder
-     *                              metadata (kKeyHeight)
-     * @param    decoderRect   (IN) The rectangle of the actual frame, as
-     *                              reported by decoder metadata (kKeyCropRect)
-     * @param    dstBits      (OUT) Pointer to the output I420 buffer
-     * @return   -1 Any error
-     * @return   0  No Error
-     */
-    int (*convertDecoderOutputToI420)(
-        void* decoderBits, int decoderWidth, int decoderHeight,
-        ARect decoderRect, void* dstBits);
-
-    /*
-     * getEncoderIntputFormat
-     * Returns the color format (OMX_COLOR_FORMATTYPE) of the encoder input.
-     * If it is I420 (OMX_COLOR_FormatYUV420Planar), no conversion is needed,
-     * and convertI420ToEncoderInput() and getEncoderInputBufferInfo() can
-     * be no-ops.
-     */
-    int (*getEncoderInputFormat)();
-
-    /* convertI420ToEncoderInput
-     * @Desc     This function converts from I420 to the encoder input format
-     * @note     Caller (e.g. VideoEditor) owns the buffers
-     * @param    srcBits       (IN) Pointer to the input I420 buffer
-     * @param    srcWidth      (IN) Width of the I420 frame
-     * @param    srcHeight     (IN) Height of the I420 frame
-     * @param    encoderWidth  (IN) Encoder buffer width, as calculated by
-     *                              getEncoderBufferInfo()
-     * @param    encoderHeight (IN) Encoder buffer height, as calculated by
-     *                              getEncoderBufferInfo()
-     * @param    encoderRect   (IN) Rect coordinates of the actual frame inside
-     *                              the encoder buffer, as calculated by
-     *                              getEncoderBufferInfo().
-     * @param    encoderBits  (OUT) Pointer to the output buffer. The size of
-     *                              this buffer is calculated by
-     *                              getEncoderBufferInfo()
-     * @return   -1 Any error
-     * @return   0  No Error
-     */
-    int (*convertI420ToEncoderInput)(
-        void* srcBits, int srcWidth, int srcHeight,
-        int encoderWidth, int encoderHeight, ARect encoderRect,
-        void* encoderBits);
-
-    /* getEncoderInputBufferInfo
-     * @Desc     This function returns metadata for the encoder input buffer
-     *           based on the actual I420 frame width and height.
-     * @note     This API should be be used to obtain the necessary information
-     *           before calling convertI420ToEncoderInput().
-     *           VideoEditor knows only the width and height of the I420 buffer,
-     *           but it also needs know the width, height, and size of the
-     *           encoder input buffer. The encoder input buffer width and height
-     *           are used to set the metadata for the encoder.
-     * @param    srcWidth      (IN) Width of the I420 frame
-     * @param    srcHeight     (IN) Height of the I420 frame
-     * @param    encoderWidth  (OUT) Encoder buffer width needed
-     * @param    encoderHeight (OUT) Encoder buffer height needed
-     * @param    encoderRect   (OUT) Rect coordinates of the actual frame inside
-     *                               the encoder buffer
-     * @param    encoderBufferSize  (OUT) The size of the buffer that need to be
-     *                              allocated by the caller before invoking
-     *                              convertI420ToEncoderInput().
-     * @return   -1 Any error
-     * @return   0  No Error
-     */
-    int (*getEncoderInputBufferInfo)(
-        int srcWidth, int srcHeight,
-        int* encoderWidth, int* encoderHeight,
-        ARect* encoderRect, int* encoderBufferSize);
-
-} II420ColorConverter;
-
-/* The only function that the shared library needs to expose: It fills the
-   function pointers in II420ColorConverter */
-void getI420ColorConverter(II420ColorConverter *converter);
-
-#if defined(__cplusplus)
-}
-#endif
-
-#endif  // II420_COLOR_CONVERTER_H
-
diff --git a/media/omx-plugin/include/ics/README_MOZILLA b/media/omx-plugin/include/ics/README_MOZILLA
deleted file mode 100644
index be389e6d64..0000000000
--- a/media/omx-plugin/include/ics/README_MOZILLA
+++ /dev/null
@@ -1,4 +0,0 @@
-The source from this directory was copied from the Android OS source.
-Patches have been applied on top of the original source.
-
-The git branch used from AOSP was android-4.0.4_r2.1.
diff --git a/media/omx-plugin/include/ics/android/native_window.h b/media/omx-plugin/include/ics/android/native_window.h
deleted file mode 100644
index 2f4f2d33be..0000000000
--- a/media/omx-plugin/include/ics/android/native_window.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_NATIVE_WINDOW_H
-#define ANDROID_NATIVE_WINDOW_H
-
-#include <android/rect.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Pixel formats that a window can use.
- */
-enum {
-    WINDOW_FORMAT_RGBA_8888          = 1,
-    WINDOW_FORMAT_RGBX_8888          = 2,
-    WINDOW_FORMAT_RGB_565            = 4,
-};
-
-struct ANativeWindow;
-typedef struct ANativeWindow ANativeWindow;
-
-typedef struct ANativeWindow_Buffer {
-    // The number of pixels that are show horizontally.
-    int32_t width;
-
-    // The number of pixels that are shown vertically.
-    int32_t height;
-
-    // The number of *pixels* that a line in the buffer takes in
-    // memory.  This may be >= width.
-    int32_t stride;
-
-    // The format of the buffer.  One of WINDOW_FORMAT_*
-    int32_t format;
-
-    // The actual bits.
-    void* bits;
-    
-    // Do not touch.
-    uint32_t reserved[6];
-} ANativeWindow_Buffer;
-
-/**
- * Acquire a reference on the given ANativeWindow object.  This prevents the object
- * from being deleted until the reference is removed.
- */
-void ANativeWindow_acquire(ANativeWindow* window);
-
-/**
- * Remove a reference that was previously acquired with ANativeWindow_acquire().
- */
-void ANativeWindow_release(ANativeWindow* window);
-
-/*
- * Return the current width in pixels of the window surface.  Returns a
- * negative value on error.
- */
-int32_t ANativeWindow_getWidth(ANativeWindow* window);
-
-/*
- * Return the current height in pixels of the window surface.  Returns a
- * negative value on error.
- */
-int32_t ANativeWindow_getHeight(ANativeWindow* window);
-
-/*
- * Return the current pixel format of the window surface.  Returns a
- * negative value on error.
- */
-int32_t ANativeWindow_getFormat(ANativeWindow* window);
-
-/*
- * Change the format and size of the window buffers.
- *
- * The width and height control the number of pixels in the buffers, not the
- * dimensions of the window on screen.  If these are different than the
- * window's physical size, then it buffer will be scaled to match that size
- * when compositing it to the screen.
- *
- * For all of these parameters, if 0 is supplied then the window's base
- * value will come back in force.
- *
- * width and height must be either both zero or both non-zero.
- *
- */
-int32_t ANativeWindow_setBuffersGeometry(ANativeWindow* window,
-        int32_t width, int32_t height, int32_t format);
-
-/**
- * Lock the window's next drawing surface for writing.
- * inOutDirtyBounds is used as an in/out parameter, upon entering the
- * function, it contains the dirty region, that is, the region the caller
- * intends to redraw. When the function returns, inOutDirtyBounds is updated
- * with the actual area the caller needs to redraw -- this region is often
- * extended by ANativeWindow_lock.
- */
-int32_t ANativeWindow_lock(ANativeWindow* window, ANativeWindow_Buffer* outBuffer,
-        ARect* inOutDirtyBounds);
-
-/**
- * Unlock the window's drawing surface after previously locking it,
- * posting the new buffer to the display.
- */
-int32_t ANativeWindow_unlockAndPost(ANativeWindow* window);
-
-#ifdef __cplusplus
-};
-#endif
-
-#endif // ANDROID_NATIVE_WINDOW_H
diff --git a/media/omx-plugin/include/ics/android/rect.h b/media/omx-plugin/include/ics/android/rect.h
deleted file mode 100644
index 64d487dc25..0000000000
--- a/media/omx-plugin/include/ics/android/rect.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-
-#ifndef ANDROID_RECT_H
-#define ANDROID_RECT_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct ARect {
-#ifdef __cplusplus
-    typedef int32_t value_type;
-#endif
-    int32_t left;
-    int32_t top;
-    int32_t right;
-    int32_t bottom;
-} ARect;
-
-#ifdef __cplusplus
-};
-#endif
-
-#endif // ANDROID_RECT_H
diff --git a/media/omx-plugin/include/ics/binder/Binder.h b/media/omx-plugin/include/ics/binder/Binder.h
deleted file mode 100644
index ba3ac4b990..0000000000
--- a/media/omx-plugin/include/ics/binder/Binder.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_BINDER_H
-#define ANDROID_BINDER_H
-
-#include <binder/IBinder.h>
-
-// ---------------------------------------------------------------------------
-namespace android {
-
-class BBinder : public IBinder
-{
-public:
-                        BBinder();
-
-    virtual const String16& getInterfaceDescriptor() const;
-    virtual bool        isBinderAlive() const;
-    virtual status_t    pingBinder();
-    virtual status_t    dump(int fd, const Vector<String16>& args);
-
-    virtual status_t    transact(   uint32_t code,
-                                    const Parcel& data,
-                                    Parcel* reply,
-                                    uint32_t flags = 0);
-
-    virtual status_t    linkToDeath(const sp<DeathRecipient>& recipient,
-                                    void* cookie = NULL,
-                                    uint32_t flags = 0);
-
-    virtual status_t    unlinkToDeath(  const wp<DeathRecipient>& recipient,
-                                        void* cookie = NULL,
-                                        uint32_t flags = 0,
-                                        wp<DeathRecipient>* outRecipient = NULL);
-
-    virtual void        attachObject(   const void* objectID,
-                                        void* object,
-                                        void* cleanupCookie,
-                                        object_cleanup_func func);
-    virtual void*       findObject(const void* objectID) const;
-    virtual void        detachObject(const void* objectID);
-
-    virtual BBinder*    localBinder();
-
-protected:
-    virtual             ~BBinder();
-
-    virtual status_t    onTransact( uint32_t code,
-                                    const Parcel& data,
-                                    Parcel* reply,
-                                    uint32_t flags = 0);
-
-private:
-                        BBinder(const BBinder& o);
-            BBinder&    operator=(const BBinder& o);
-
-    class Extras;
-
-            Extras*     mExtras;
-            void*       mReserved0;
-};
-
-// ---------------------------------------------------------------------------
-
-class BpRefBase : public virtual RefBase
-{
-protected:
-                            BpRefBase(const sp<IBinder>& o);
-    virtual                 ~BpRefBase();
-    virtual void            onFirstRef();
-    virtual void            onLastStrongRef(const void* id);
-    virtual bool            onIncStrongAttempted(uint32_t flags, const void* id);
-
-    inline  IBinder*        remote()                { return mRemote; }
-    inline  IBinder*        remote() const          { return mRemote; }
-
-private:
-                            BpRefBase(const BpRefBase& o);
-    BpRefBase&              operator=(const BpRefBase& o);
-
-    IBinder* const          mRemote;
-    RefBase::weakref_type*  mRefs;
-    volatile int32_t        mState;
-};
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_BINDER_H
diff --git a/media/omx-plugin/include/ics/binder/IBinder.h b/media/omx-plugin/include/ics/binder/IBinder.h
deleted file mode 100644
index 81b56c2b2b..0000000000
--- a/media/omx-plugin/include/ics/binder/IBinder.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_IBINDER_H
-#define ANDROID_IBINDER_H
-
-#include <utils/Errors.h>
-#include <utils/RefBase.h>
-#include <utils/String16.h>
-#include <utils/Vector.h>
-
-
-#define B_PACK_CHARS(c1, c2, c3, c4) \
-    ((((c1)<<24)) | (((c2)<<16)) | (((c3)<<8)) | (c4))
-
-// ---------------------------------------------------------------------------
-namespace android {
-
-class BBinder;
-class BpBinder;
-class IInterface;
-class Parcel;
-
-/**
- * Base class and low-level protocol for a remotable object.
- * You can derive from this class to create an object for which other
- * processes can hold references to it.  Communication between processes
- * (method calls, property get and set) is down through a low-level
- * protocol implemented on top of the transact() API.
- */
-class IBinder : public virtual RefBase
-{
-public:
-    enum {
-        FIRST_CALL_TRANSACTION  = 0x00000001,
-        LAST_CALL_TRANSACTION   = 0x00ffffff,
-
-        PING_TRANSACTION        = B_PACK_CHARS('_','P','N','G'),
-        DUMP_TRANSACTION        = B_PACK_CHARS('_','D','M','P'),
-        INTERFACE_TRANSACTION   = B_PACK_CHARS('_', 'N', 'T', 'F'),
-
-        // Corresponds to TF_ONE_WAY -- an asynchronous call.
-        FLAG_ONEWAY             = 0x00000001
-    };
-
-                          IBinder();
-
-    /**
-     * Check if this IBinder implements the interface named by
-     * @a descriptor.  If it does, the base pointer to it is returned,
-     * which you can safely static_cast<> to the concrete C++ interface.
-     */
-    virtual sp<IInterface>  queryLocalInterface(const String16& descriptor);
-
-    /**
-     * Return the canonical name of the interface provided by this IBinder
-     * object.
-     */
-    virtual const String16& getInterfaceDescriptor() const = 0;
-
-    virtual bool            isBinderAlive() const = 0;
-    virtual status_t        pingBinder() = 0;
-    virtual status_t        dump(int fd, const Vector<String16>& args) = 0;
-
-    virtual status_t        transact(   uint32_t code,
-                                        const Parcel& data,
-                                        Parcel* reply,
-                                        uint32_t flags = 0) = 0;
-
-    /**
-     * This method allows you to add data that is transported through
-     * IPC along with your IBinder pointer.  When implementing a Binder
-     * object, override it to write your desired data in to @a outData.
-     * You can then call getConstantData() on your IBinder to retrieve
-     * that data, from any process.  You MUST return the number of bytes
-     * written in to the parcel (including padding).
-     */
-    class DeathRecipient : public virtual RefBase
-    {
-    public:
-        virtual void binderDied(const wp<IBinder>& who) = 0;
-    };
-
-    /**
-     * Register the @a recipient for a notification if this binder
-     * goes away.  If this binder object unexpectedly goes away
-     * (typically because its hosting process has been killed),
-     * then DeathRecipient::binderDied() will be called with a reference
-     * to this.
-     *
-     * The @a cookie is optional -- if non-NULL, it should be a
-     * memory address that you own (that is, you know it is unique).
-     *
-     * @note You will only receive death notifications for remote binders,
-     * as local binders by definition can't die without you dying as well.
-     * Trying to use this function on a local binder will result in an
-     * INVALID_OPERATION code being returned and nothing happening.
-     *
-     * @note This link always holds a weak reference to its recipient.
-     *
-     * @note You will only receive a weak reference to the dead
-     * binder.  You should not try to promote this to a strong reference.
-     * (Nor should you need to, as there is nothing useful you can
-     * directly do with it now that it has passed on.)
-     */
-    virtual status_t        linkToDeath(const sp<DeathRecipient>& recipient,
-                                        void* cookie = NULL,
-                                        uint32_t flags = 0) = 0;
-
-    /**
-     * Remove a previously registered death notification.
-     * The @a recipient will no longer be called if this object
-     * dies.  The @a cookie is optional.  If non-NULL, you can
-     * supply a NULL @a recipient, and the recipient previously
-     * added with that cookie will be unlinked.
-     */
-    virtual status_t        unlinkToDeath(  const wp<DeathRecipient>& recipient,
-                                            void* cookie = NULL,
-                                            uint32_t flags = 0,
-                                            wp<DeathRecipient>* outRecipient = NULL) = 0;
-
-    virtual bool            checkSubclass(const void* subclassID) const;
-
-    typedef void (*object_cleanup_func)(const void* id, void* obj, void* cleanupCookie);
-
-    virtual void            attachObject(   const void* objectID,
-                                            void* object,
-                                            void* cleanupCookie,
-                                            object_cleanup_func func) = 0;
-    virtual void*           findObject(const void* objectID) const = 0;
-    virtual void            detachObject(const void* objectID) = 0;
-
-    virtual BBinder*        localBinder();
-    virtual BpBinder*       remoteBinder();
-
-protected:
-    virtual          ~IBinder();
-
-private:
-};
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_IBINDER_H
diff --git a/media/omx-plugin/include/ics/binder/IInterface.h b/media/omx-plugin/include/ics/binder/IInterface.h
deleted file mode 100644
index 5f9f69c042..0000000000
--- a/media/omx-plugin/include/ics/binder/IInterface.h
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-#ifndef ANDROID_IINTERFACE_H
-#define ANDROID_IINTERFACE_H
-
-#include <binder/Binder.h>
-
-namespace android {
-
-// ----------------------------------------------------------------------
-
-class IInterface : public virtual RefBase
-{
-public:
-            IInterface();
-            sp<IBinder>         asBinder();
-            sp<const IBinder>   asBinder() const;
-            
-protected:
-    virtual                     ~IInterface();
-    virtual IBinder*            onAsBinder() = 0;
-};
-
-// ----------------------------------------------------------------------
-
-template<typename INTERFACE>
-inline sp<INTERFACE> interface_cast(const sp<IBinder>& obj)
-{
-    return INTERFACE::asInterface(obj);
-}
-
-// ----------------------------------------------------------------------
-
-template<typename INTERFACE>
-class BnInterface : public INTERFACE, public BBinder
-{
-public:
-    virtual sp<IInterface>      queryLocalInterface(const String16& _descriptor);
-    virtual const String16&     getInterfaceDescriptor() const;
-
-protected:
-    virtual IBinder*            onAsBinder();
-};
-
-// ----------------------------------------------------------------------
-
-template<typename INTERFACE>
-class BpInterface : public INTERFACE, public BpRefBase
-{
-public:
-                                BpInterface(const sp<IBinder>& remote);
-
-protected:
-    virtual IBinder*            onAsBinder();
-};
-
-// ----------------------------------------------------------------------
-
-#define DECLARE_META_INTERFACE(INTERFACE)                               \
-    static const android::String16 descriptor;                          \
-    static android::sp<I##INTERFACE> asInterface(                       \
-            const android::sp<android::IBinder>& obj);                  \
-    virtual const android::String16& getInterfaceDescriptor() const;    \
-    I##INTERFACE();                                                     \
-    virtual ~I##INTERFACE();                                            \
-
-
-#define IMPLEMENT_META_INTERFACE(INTERFACE, NAME)                       \
-    const android::String16 I##INTERFACE::descriptor(NAME);             \
-    const android::String16&                                            \
-            I##INTERFACE::getInterfaceDescriptor() const {              \
-        return I##INTERFACE::descriptor;                                \
-    }                                                                   \
-    android::sp<I##INTERFACE> I##INTERFACE::asInterface(                \
-            const android::sp<android::IBinder>& obj)                   \
-    {                                                                   \
-        android::sp<I##INTERFACE> intr;                                 \
-        if (obj != NULL) {                                              \
-            intr = static_cast<I##INTERFACE*>(                          \
-                obj->queryLocalInterface(                               \
-                        I##INTERFACE::descriptor).get());               \
-            if (intr == NULL) {                                         \
-                intr = new Bp##INTERFACE(obj);                          \
-            }                                                           \
-        }                                                               \
-        return intr;                                                    \
-    }                                                                   \
-    I##INTERFACE::I##INTERFACE() { }                                    \
-    I##INTERFACE::~I##INTERFACE() { }                                   \
-
-
-#define CHECK_INTERFACE(interface, data, reply)                         \
-    if (!data.checkInterface(this)) { return PERMISSION_DENIED; }       \
-
-
-// ----------------------------------------------------------------------
-// No user-serviceable parts after this...
-
-template<typename INTERFACE>
-inline sp<IInterface> BnInterface<INTERFACE>::queryLocalInterface(
-        const String16& _descriptor)
-{
-    if (_descriptor == INTERFACE::descriptor) return this;
-    return NULL;
-}
-
-template<typename INTERFACE>
-inline const String16& BnInterface<INTERFACE>::getInterfaceDescriptor() const
-{
-    return INTERFACE::getInterfaceDescriptor();
-}
-
-template<typename INTERFACE>
-IBinder* BnInterface<INTERFACE>::onAsBinder()
-{
-    return this;
-}
-
-template<typename INTERFACE>
-inline BpInterface<INTERFACE>::BpInterface(const sp<IBinder>& remote)
-    : BpRefBase(remote)
-{
-}
-
-template<typename INTERFACE>
-inline IBinder* BpInterface<INTERFACE>::onAsBinder()
-{
-    return remote();
-}
-    
-// ----------------------------------------------------------------------
-
-}; // namespace android
-
-#endif // ANDROID_IINTERFACE_H
diff --git a/media/omx-plugin/include/ics/cutils/atomic.h b/media/omx-plugin/include/ics/cutils/atomic.h
deleted file mode 100644
index ae42eb8a0d..0000000000
--- a/media/omx-plugin/include/ics/cutils/atomic.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_CUTILS_ATOMIC_H
-#define ANDROID_CUTILS_ATOMIC_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * A handful of basic atomic operations.  The appropriate pthread
- * functions should be used instead of these whenever possible.
- *
- * The "acquire" and "release" terms can be defined intuitively in terms
- * of the placement of memory barriers in a simple lock implementation:
- *   - wait until compare-and-swap(lock-is-free --> lock-is-held) succeeds
- *   - barrier
- *   - [do work]
- *   - barrier
- *   - store(lock-is-free)
- * In very crude terms, the initial (acquire) barrier prevents any of the
- * "work" from happening before the lock is held, and the later (release)
- * barrier ensures that all of the work happens before the lock is released.
- * (Think of cached writes, cache read-ahead, and instruction reordering
- * around the CAS and store instructions.)
- *
- * The barriers must apply to both the compiler and the CPU.  Note it is
- * legal for instructions that occur before an "acquire" barrier to be
- * moved down below it, and for instructions that occur after a "release"
- * barrier to be moved up above it.
- *
- * The ARM-driven implementation we use here is short on subtlety,
- * and actually requests a full barrier from the compiler and the CPU.
- * The only difference between acquire and release is in whether they
- * are issued before or after the atomic operation with which they
- * are associated.  To ease the transition to C/C++ atomic intrinsics,
- * you should not rely on this, and instead assume that only the minimal
- * acquire/release protection is provided.
- *
- * NOTE: all int32_t* values are expected to be aligned on 32-bit boundaries.
- * If they are not, atomicity is not guaranteed.
- */
-
-/*
- * Basic arithmetic and bitwise operations.  These all provide a
- * barrier with "release" ordering, and return the previous value.
- *
- * These have the same characteristics (e.g. what happens on overflow)
- * as the equivalent non-atomic C operations.
- */
-int32_t android_atomic_inc(volatile int32_t* addr);
-int32_t android_atomic_dec(volatile int32_t* addr);
-int32_t android_atomic_add(int32_t value, volatile int32_t* addr);
-int32_t android_atomic_and(int32_t value, volatile int32_t* addr);
-int32_t android_atomic_or(int32_t value, volatile int32_t* addr);
-
-/*
- * Perform an atomic load with "acquire" or "release" ordering.
- *
- * This is only necessary if you need the memory barrier.  A 32-bit read
- * from a 32-bit aligned address is atomic on all supported platforms.
- */
-int32_t android_atomic_acquire_load(volatile const int32_t* addr);
-int32_t android_atomic_release_load(volatile const int32_t* addr);
-
-/*
- * Perform an atomic store with "acquire" or "release" ordering.
- *
- * This is only necessary if you need the memory barrier.  A 32-bit write
- * to a 32-bit aligned address is atomic on all supported platforms.
- */
-void android_atomic_acquire_store(int32_t value, volatile int32_t* addr);
-void android_atomic_release_store(int32_t value, volatile int32_t* addr);
-
-/*
- * Compare-and-set operation with "acquire" or "release" ordering.
- *
- * This returns zero if the new value was successfully stored, which will
- * only happen when *addr == oldvalue.
- *
- * (The return value is inverted from implementations on other platforms,
- * but matches the ARM ldrex/strex result.)
- *
- * Implementations that use the release CAS in a loop may be less efficient
- * than possible, because we re-issue the memory barrier on each iteration.
- */
-int android_atomic_acquire_cas(int32_t oldvalue, int32_t newvalue,
-        volatile int32_t* addr);
-int android_atomic_release_cas(int32_t oldvalue, int32_t newvalue,
-        volatile int32_t* addr);
-
-/*
- * Aliases for code using an older version of this header.  These are now
- * deprecated and should not be used.  The definitions will be removed
- * in a future release.
- */
-#define android_atomic_write android_atomic_release_store
-#define android_atomic_cmpxchg android_atomic_release_cas
-
-#ifdef __cplusplus
-} // extern "C"
-#endif
-
-#endif // ANDROID_CUTILS_ATOMIC_H
diff --git a/media/omx-plugin/include/ics/cutils/log.h b/media/omx-plugin/include/ics/cutils/log.h
deleted file mode 100644
index 42d738296c..0000000000
--- a/media/omx-plugin/include/ics/cutils/log.h
+++ /dev/null
@@ -1,482 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// C/C++ logging functions.  See the logging documentation for API details.
-//
-// We'd like these to be available from C code (in case we import some from
-// somewhere), so this has a C interface.
-//
-// The output will be correct when the log file is shared between multiple
-// threads and/or multiple processes so long as the operating system
-// supports O_APPEND.  These calls have mutex-protected data structures
-// and so are NOT reentrant.  Do not use LOG in a signal handler.
-//
-#ifndef _LIBS_CUTILS_LOG_H
-#define _LIBS_CUTILS_LOG_H
-
-#include <stdio.h>
-#include <time.h>
-#include <sys/types.h>
-#include <unistd.h>
-#ifdef HAVE_PTHREADS
-#include <pthread.h>
-#endif
-#include <stdarg.h>
-
-#include <cutils/uio.h>
-#include <cutils/logd.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Normally we strip LOGV (VERBOSE messages) from release builds.
- * You can modify this (for example with "#define LOG_NDEBUG 0"
- * at the top of your source file) to change that behavior.
- */
-#ifndef LOG_NDEBUG
-#ifdef NDEBUG
-#define LOG_NDEBUG 1
-#else
-#define LOG_NDEBUG 0
-#endif
-#endif
-
-/*
- * This is the local tag used for the following simplified
- * logging macros.  You can change this preprocessor definition
- * before using the other macros to change the tag.
- */
-#ifndef LOG_TAG
-#define LOG_TAG NULL
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Simplified macro to send a verbose log message using the current LOG_TAG.
- */
-#ifndef LOGV
-#if LOG_NDEBUG
-#define LOGV(...)   ((void)0)
-#else
-#define LOGV(...) ((void)LOG(LOG_VERBOSE, LOG_TAG, __VA_ARGS__))
-#endif
-#endif
-
-#define CONDITION(cond)     (__builtin_expect((cond)!=0, 0))
-
-#ifndef LOGV_IF
-#if LOG_NDEBUG
-#define LOGV_IF(cond, ...)   ((void)0)
-#else
-#define LOGV_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_VERBOSE, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-#endif
-
-/*
- * Simplified macro to send a debug log message using the current LOG_TAG.
- */
-#ifndef LOGD
-#define LOGD(...) ((void)LOG(LOG_DEBUG, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef LOGD_IF
-#define LOGD_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_DEBUG, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send an info log message using the current LOG_TAG.
- */
-#ifndef LOGI
-#define LOGI(...) ((void)LOG(LOG_INFO, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef LOGI_IF
-#define LOGI_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_INFO, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send a warning log message using the current LOG_TAG.
- */
-#ifndef LOGW
-#define LOGW(...) ((void)LOG(LOG_WARN, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef LOGW_IF
-#define LOGW_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_WARN, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send an error log message using the current LOG_TAG.
- */
-#ifndef LOGE
-#define LOGE(...) ((void)LOG(LOG_ERROR, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef LOGE_IF
-#define LOGE_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)LOG(LOG_ERROR, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * verbose priority.
- */
-#ifndef IF_LOGV
-#if LOG_NDEBUG
-#define IF_LOGV() if (false)
-#else
-#define IF_LOGV() IF_LOG(LOG_VERBOSE, LOG_TAG)
-#endif
-#endif
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * debug priority.
- */
-#ifndef IF_LOGD
-#define IF_LOGD() IF_LOG(LOG_DEBUG, LOG_TAG)
-#endif
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * info priority.
- */
-#ifndef IF_LOGI
-#define IF_LOGI() IF_LOG(LOG_INFO, LOG_TAG)
-#endif
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * warn priority.
- */
-#ifndef IF_LOGW
-#define IF_LOGW() IF_LOG(LOG_WARN, LOG_TAG)
-#endif
-
-/*
- * Conditional based on whether the current LOG_TAG is enabled at
- * error priority.
- */
-#ifndef IF_LOGE
-#define IF_LOGE() IF_LOG(LOG_ERROR, LOG_TAG)
-#endif
-
-
-// ---------------------------------------------------------------------
-
-/*
- * Simplified macro to send a verbose system log message using the current LOG_TAG.
- */
-#ifndef SLOGV
-#if LOG_NDEBUG
-#define SLOGV(...)   ((void)0)
-#else
-#define SLOGV(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_VERBOSE, LOG_TAG, __VA_ARGS__))
-#endif
-#endif
-
-#define CONDITION(cond)     (__builtin_expect((cond)!=0, 0))
-
-#ifndef SLOGV_IF
-#if LOG_NDEBUG
-#define SLOGV_IF(cond, ...)   ((void)0)
-#else
-#define SLOGV_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_VERBOSE, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-#endif
-
-/*
- * Simplified macro to send a debug system log message using the current LOG_TAG.
- */
-#ifndef SLOGD
-#define SLOGD(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef SLOGD_IF
-#define SLOGD_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send an info system log message using the current LOG_TAG.
- */
-#ifndef SLOGI
-#define SLOGI(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef SLOGI_IF
-#define SLOGI_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send a warning system log message using the current LOG_TAG.
- */
-#ifndef SLOGW
-#define SLOGW(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_WARN, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef SLOGW_IF
-#define SLOGW_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_WARN, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-/*
- * Simplified macro to send an error system log message using the current LOG_TAG.
- */
-#ifndef SLOGE
-#define SLOGE(...) ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__))
-#endif
-
-#ifndef SLOGE_IF
-#define SLOGE_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)__android_log_buf_print(LOG_ID_SYSTEM, ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-    
-
-// ---------------------------------------------------------------------
-
-/*
- * Log a fatal error.  If the given condition fails, this stops program
- * execution like a normal assertion, but also generating the given message.
- * It is NOT stripped from release builds.  Note that the condition test
- * is -inverted- from the normal assert() semantics.
- */
-#ifndef LOG_ALWAYS_FATAL_IF
-#define LOG_ALWAYS_FATAL_IF(cond, ...) \
-    ( (CONDITION(cond)) \
-    ? ((void)android_printAssert(#cond, LOG_TAG, ## __VA_ARGS__)) \
-    : (void)0 )
-#endif
-
-#ifndef LOG_ALWAYS_FATAL
-#define LOG_ALWAYS_FATAL(...) \
-    ( ((void)android_printAssert(NULL, LOG_TAG, ## __VA_ARGS__)) )
-#endif
-
-/*
- * Versions of LOG_ALWAYS_FATAL_IF and LOG_ALWAYS_FATAL that
- * are stripped out of release builds.
- */
-#if LOG_NDEBUG
-
-#ifndef LOG_FATAL_IF
-#define LOG_FATAL_IF(cond, ...) ((void)0)
-#endif
-#ifndef LOG_FATAL
-#define LOG_FATAL(...) ((void)0)
-#endif
-
-#else
-
-#ifndef LOG_FATAL_IF
-#define LOG_FATAL_IF(cond, ...) LOG_ALWAYS_FATAL_IF(cond, ## __VA_ARGS__)
-#endif
-#ifndef LOG_FATAL
-#define LOG_FATAL(...) LOG_ALWAYS_FATAL(__VA_ARGS__)
-#endif
-
-#endif
-
-/*
- * Assertion that generates a log message when the assertion fails.
- * Stripped out of release builds.  Uses the current LOG_TAG.
- */
-#ifndef LOG_ASSERT
-#define LOG_ASSERT(cond, ...) LOG_FATAL_IF(!(cond), ## __VA_ARGS__)
-//#define LOG_ASSERT(cond) LOG_FATAL_IF(!(cond), "Assertion failed: " #cond)
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Basic log message macro.
- *
- * Example:
- *  LOG(LOG_WARN, NULL, "Failed with error %d", errno);
- *
- * The second argument may be NULL or "" to indicate the "global" tag.
- */
-#ifndef LOG
-#define LOG(priority, tag, ...) \
-    LOG_PRI(ANDROID_##priority, tag, __VA_ARGS__)
-#endif
-
-/*
- * Log macro that allows you to specify a number for the priority.
- */
-#ifndef LOG_PRI
-#define LOG_PRI(priority, tag, ...) \
-    android_printLog(priority, tag, __VA_ARGS__)
-#endif
-
-/*
- * Log macro that allows you to pass in a varargs ("args" is a va_list).
- */
-#ifndef LOG_PRI_VA
-#define LOG_PRI_VA(priority, tag, fmt, args) \
-    android_vprintLog(priority, NULL, tag, fmt, args)
-#endif
-
-/*
- * Conditional given a desired logging priority and tag.
- */
-#ifndef IF_LOG
-#define IF_LOG(priority, tag) \
-    if (android_testLog(ANDROID_##priority, tag))
-#endif
-
-// ---------------------------------------------------------------------
-
-/*
- * Event logging.
- */
-
-/*
- * Event log entry types.  These must match up with the declarations in
- * java/android/android/util/EventLog.java.
- */
-typedef enum {
-    EVENT_TYPE_INT      = 0,
-    EVENT_TYPE_LONG     = 1,
-    EVENT_TYPE_STRING   = 2,
-    EVENT_TYPE_LIST     = 3,
-} AndroidEventLogType;
-
-
-#ifndef LOG_EVENT_INT
-#define LOG_EVENT_INT(_tag, _value) {                                       \
-        int intBuf = _value;                                                \
-        (void) android_btWriteLog(_tag, EVENT_TYPE_INT, &intBuf,            \
-            sizeof(intBuf));                                                \
-    }
-#endif
-#ifndef LOG_EVENT_LONG
-#define LOG_EVENT_LONG(_tag, _value) {                                      \
-        long long longBuf = _value;                                         \
-        (void) android_btWriteLog(_tag, EVENT_TYPE_LONG, &longBuf,          \
-            sizeof(longBuf));                                               \
-    }
-#endif
-#ifndef LOG_EVENT_STRING
-#define LOG_EVENT_STRING(_tag, _value)                                      \
-    ((void) 0)  /* not implemented -- must combine len with string */
-#endif
-/* TODO: something for LIST */
-
-/*
- * ===========================================================================
- *
- * The stuff in the rest of this file should not be used directly.
- */
-
-#define android_printLog(prio, tag, fmt...) \
-    __android_log_print(prio, tag, fmt)
-
-#define android_vprintLog(prio, cond, tag, fmt...) \
-    __android_log_vprint(prio, tag, fmt)
-
-/* XXX Macros to work around syntax errors in places where format string
- * arg is not passed to LOG_ASSERT, LOG_ALWAYS_FATAL or LOG_ALWAYS_FATAL_IF
- * (happens only in debug builds).
- */
-
-/* Returns 2nd arg.  Used to substitute default value if caller's vararg list
- * is empty.
- */
-#define __android_second(dummy, second, ...)     second
-
-/* If passed multiple args, returns ',' followed by all but 1st arg, otherwise
- * returns nothing.
- */
-#define __android_rest(first, ...)               , ## __VA_ARGS__
-
-#define android_printAssert(cond, tag, fmt...) \
-    __android_log_assert(cond, tag, \
-        __android_second(0, ## fmt, NULL) __android_rest(fmt))
-
-#define android_writeLog(prio, tag, text) \
-    __android_log_write(prio, tag, text)
-
-#define android_bWriteLog(tag, payload, len) \
-    __android_log_bwrite(tag, payload, len)
-#define android_btWriteLog(tag, type, payload, len) \
-    __android_log_btwrite(tag, type, payload, len)
-
-// TODO: remove these prototypes and their users
-#define android_testLog(prio, tag) (1)
-#define android_writevLog(vec,num) do{}while(0)
-#define android_write1Log(str,len) do{}while (0)
-#define android_setMinPriority(tag, prio) do{}while(0)
-//#define android_logToCallback(func) do{}while(0)
-#define android_logToFile(tag, file) (0)
-#define android_logToFd(tag, fd) (0)
-
-typedef enum {
-    LOG_ID_MAIN = 0,
-    LOG_ID_RADIO = 1,
-    LOG_ID_EVENTS = 2,
-    LOG_ID_SYSTEM = 3,
-
-    LOG_ID_MAX
-} log_id_t;
-
-/*
- * Send a simple string to the log.
- */
-int __android_log_buf_write(int bufID, int prio, const char *tag, const char *text);
-int __android_log_buf_print(int bufID, int prio, const char *tag, const char *fmt, ...);
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // _LIBS_CUTILS_LOG_H
diff --git a/media/omx-plugin/include/ics/cutils/logd.h b/media/omx-plugin/include/ics/cutils/logd.h
deleted file mode 100644
index 8737639cc2..0000000000
--- a/media/omx-plugin/include/ics/cutils/logd.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef _ANDROID_CUTILS_LOGD_H
-#define _ANDROID_CUTILS_LOGD_H
-
-/* the stable/frozen log-related definitions have been
- * moved to this header, which is exposed by the NDK
- */
-#include <android/log.h>
-
-/* the rest is only used internally by the system */
-#include <time.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <stdint.h>
-#include <sys/types.h>
-#ifdef HAVE_PTHREADS
-#include <pthread.h>
-#endif
-#include <cutils/uio.h>
-#include <stdarg.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-int __android_log_bwrite(int32_t tag, const void *payload, size_t len);
-int __android_log_btwrite(int32_t tag, char type, const void *payload,
-    size_t len);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _LOGD_H */
diff --git a/media/omx-plugin/include/ics/cutils/native_handle.h b/media/omx-plugin/include/ics/cutils/native_handle.h
deleted file mode 100644
index 268c5d3f51..0000000000
--- a/media/omx-plugin/include/ics/cutils/native_handle.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef NATIVE_HANDLE_H_
-#define NATIVE_HANDLE_H_
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct native_handle
-{
-    int version;        /* sizeof(native_handle_t) */
-    int numFds;         /* number of file-descriptors at &data[0] */
-    int numInts;        /* number of ints at &data[numFds] */
-    int data[0];        /* numFds + numInts ints */
-} native_handle_t;
-
-/*
- * native_handle_close
- * 
- * closes the file descriptors contained in this native_handle_t
- * 
- * return 0 on success, or a negative error code on failure
- * 
- */
-int native_handle_close(const native_handle_t* h);
-
-
-/*
- * native_handle_create
- * 
- * creates a native_handle_t and initializes it. must be destroyed with
- * native_handle_delete().
- * 
- */
-native_handle_t* native_handle_create(int numFds, int numInts);
-
-/*
- * native_handle_delete
- * 
- * frees a native_handle_t allocated with native_handle_create().
- * This ONLY frees the memory allocated for the native_handle_t, but doesn't
- * close the file descriptors; which can be achieved with native_handle_close().
- * 
- * return 0 on success, or a negative error code on failure
- * 
- */
-int native_handle_delete(native_handle_t* h);
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* NATIVE_HANDLE_H_ */
diff --git a/media/omx-plugin/include/ics/cutils/uio.h b/media/omx-plugin/include/ics/cutils/uio.h
deleted file mode 100644
index 01a74d26f3..0000000000
--- a/media/omx-plugin/include/ics/cutils/uio.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// implementation of sys/uio.h for platforms that don't have it (Win32)
-//
-#ifndef _LIBS_CUTILS_UIO_H
-#define _LIBS_CUTILS_UIO_H
-
-#ifdef HAVE_SYS_UIO_H
-#include <sys/uio.h>
-#else
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <stddef.h>
-
-struct iovec {
-    const void*  iov_base;
-    size_t       iov_len;
-};
-
-extern int  readv( int  fd, struct iovec*  vecs, int  count );
-extern int  writev( int  fd, const struct iovec*  vecs, int  count );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* !HAVE_SYS_UIO_H */
-
-#endif /* _LIBS_UTILS_UIO_H */
-
diff --git a/media/omx-plugin/include/ics/drm/DrmManagerClient.h b/media/omx-plugin/include/ics/drm/DrmManagerClient.h
deleted file mode 100644
index b8fe46d08e..0000000000
--- a/media/omx-plugin/include/ics/drm/DrmManagerClient.h
+++ /dev/null
@@ -1,377 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef __DRM_MANAGER_CLIENT_H__
-#define __DRM_MANAGER_CLIENT_H__
-
-#include <utils/threads.h>
-#include <binder/IInterface.h>
-#include "drm_framework_common.h"
-
-namespace android {
-
-class DrmInfo;
-class DrmRights;
-class DrmMetadata;
-class DrmInfoEvent;
-class DrmInfoStatus;
-class DrmInfoRequest;
-class DrmSupportInfo;
-class DrmConstraints;
-class DrmConvertedStatus;
-class DrmManagerClientImpl;
-
-/**
- * The Native application will instantiate this class and access DRM Framework
- * services through this class.
- *
- */
-class DrmManagerClient {
-public:
-    DrmManagerClient();
-
-    virtual ~DrmManagerClient();
-
-public:
-    class OnInfoListener: virtual public RefBase {
-
-    public:
-        virtual ~OnInfoListener() {}
-
-    public:
-        virtual void onInfo(const DrmInfoEvent& event) = 0;
-    };
-
-/**
- * APIs which will be used by native modules (e.g. StageFright)
- *
- */
-public:
-    /**
-     * Open the decrypt session to decrypt the given protected content
-     *
-     * @param[in] fd File descriptor of the protected content to be decrypted
-     * @param[in] offset Start position of the content
-     * @param[in] length The length of the protected content
-     * @return
-     *     Handle for the decryption session
-     */
-    sp<DecryptHandle> openDecryptSession(int fd, off64_t offset, off64_t length);
-
-    /**
-     * Open the decrypt session to decrypt the given protected content
-     *
-     * @param[in] uri Path of the protected content to be decrypted
-     * @return
-     *     Handle for the decryption session
-     */
-    sp<DecryptHandle> openDecryptSession(const char* uri);
-
-    /**
-     * Close the decrypt session for the given handle
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t closeDecryptSession(sp<DecryptHandle> &decryptHandle);
-
-    /**
-     * Consumes the rights for a content.
-     * If the reserve parameter is true the rights is reserved until the same
-     * application calls this api again with the reserve parameter set to false.
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] action Action to perform. (Action::DEFAULT, Action::PLAY, etc)
-     * @param[in] reserve True if the rights should be reserved.
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure.
-     *     In case license has been expired, DRM_ERROR_LICENSE_EXPIRED will be returned.
-     */
-    status_t consumeRights(sp<DecryptHandle> &decryptHandle, int action, bool reserve);
-
-    /**
-     * Informs the DRM engine about the playback actions performed on the DRM files.
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] playbackStatus Playback action (Playback::START, Playback::STOP, Playback::PAUSE)
-     * @param[in] position Position in the file (in milliseconds) where the start occurs.
-     *                     Only valid together with Playback::START.
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t setPlaybackStatus(
-            sp<DecryptHandle> &decryptHandle, int playbackStatus, int64_t position);
-
-    /**
-     * Initialize decryption for the given unit of the protected content
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] decryptUnitId ID which specifies decryption unit, such as track ID
-     * @param[in] headerInfo Information for initializing decryption of this decrypUnit
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t initializeDecryptUnit(
-            sp<DecryptHandle> &decryptHandle, int decryptUnitId, const DrmBuffer* headerInfo);
-
-    /**
-     * Decrypt the protected content buffers for the given unit
-     * This method will be called any number of times, based on number of
-     * encrypted streams received from application.
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] decryptUnitId ID which specifies decryption unit, such as track ID
-     * @param[in] encBuffer Encrypted data block
-     * @param[out] decBuffer Decrypted data block
-     * @param[in] IV Optional buffer
-     * @return status_t
-     *     Returns the error code for this API
-     *     DRM_NO_ERROR for success, and one of DRM_ERROR_UNKNOWN, DRM_ERROR_LICENSE_EXPIRED
-     *     DRM_ERROR_SESSION_NOT_OPENED, DRM_ERROR_DECRYPT_UNIT_NOT_INITIALIZED,
-     *     DRM_ERROR_DECRYPT for failure.
-     */
-    status_t decrypt(
-            sp<DecryptHandle> &decryptHandle, int decryptUnitId,
-            const DrmBuffer* encBuffer, DrmBuffer** decBuffer, DrmBuffer* IV = NULL);
-
-    /**
-     * Finalize decryption for the given unit of the protected content
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[in] decryptUnitId ID which specifies decryption unit, such as track ID
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t finalizeDecryptUnit(
-            sp<DecryptHandle> &decryptHandle, int decryptUnitId);
-
-    /**
-     * Reads the specified number of bytes from an open DRM file.
-     *
-     * @param[in] decryptHandle Handle for the decryption session
-     * @param[out] buffer Reference to the buffer that should receive the read data.
-     * @param[in] numBytes Number of bytes to read.
-     * @param[in] offset Offset with which to update the file position.
-     *
-     * @return Number of bytes read. Returns -1 for Failure.
-     */
-    ssize_t pread(sp<DecryptHandle> &decryptHandle,
-            void* buffer, ssize_t numBytes, off64_t offset);
-
-    /**
-     * Validates whether an action on the DRM content is allowed or not.
-     *
-     * @param[in] path Path of the protected content
-     * @param[in] action Action to validate. (Action::DEFAULT, Action::PLAY, etc)
-     * @param[in] description Detailed description of the action
-     * @return true if the action is allowed.
-     */
-    bool validateAction(const String8& path, int action, const ActionDescription& description);
-
-/**
- * APIs which are just the underlying implementation for the Java API
- *
- */
-public:
-    /**
-     * Register a callback to be invoked when the caller required to
-     * receive necessary information
-     *
-     * @param[in] infoListener Listener
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t setOnInfoListener(const sp<DrmManagerClient::OnInfoListener>& infoListener);
-
-    /**
-     * Get constraint information associated with input content
-     *
-     * @param[in] path Path of the protected content
-     * @param[in] action Actions defined such as,
-     *             Action::DEFAULT, Action::PLAY, etc
-     * @return DrmConstraints
-     *     key-value pairs of constraint are embedded in it
-     * @note
-     *     In case of error, return NULL
-     */
-    DrmConstraints* getConstraints(const String8* path, const int action);
-
-    /**
-     * Get metadata information associated with input content
-     *
-     * @param[in] path Path of the protected content
-     * @return DrmMetadata
-     *         key-value pairs of metadata
-     * @note
-     *     In case of error, return NULL
-     */
-    DrmMetadata* getMetadata(const String8* path);
-
-    /**
-     * Check whether the given mimetype or path can be handled
-     *
-     * @param[in] path Path of the content needs to be handled
-     * @param[in] mimetype Mimetype of the content needs to be handled
-     * @return
-     *     True if DrmManager can handle given path or mime type.
-     */
-    bool canHandle(const String8& path, const String8& mimeType);
-
-    /**
-     * Executes given drm information based on its type
-     *
-     * @param[in] drmInfo Information needs to be processed
-     * @return DrmInfoStatus
-     *     instance as a result of processing given input
-     */
-    DrmInfoStatus* processDrmInfo(const DrmInfo* drmInfo);
-
-    /**
-     * Retrieves necessary information for registration, unregistration or rights
-     * acquisition information.
-     *
-     * @param[in] drmInfoRequest Request information to retrieve drmInfo
-     * @return DrmInfo
-     *     instance as a result of processing given input
-     */
-    DrmInfo* acquireDrmInfo(const DrmInfoRequest* drmInfoRequest);
-
-    /**
-     * Save DRM rights to specified rights path
-     * and make association with content path
-     *
-     * @param[in] drmRights DrmRights to be saved
-     * @param[in] rightsPath File path where rights to be saved
-     * @param[in] contentPath File path where content was saved
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t saveRights(
-        const DrmRights& drmRights, const String8& rightsPath, const String8& contentPath);
-
-    /**
-     * Retrieves the mime type embedded inside the original content
-     *
-     * @param[in] path the path of the protected content
-     * @return String8
-     *     Returns mime-type of the original content, such as "video/mpeg"
-     */
-    String8 getOriginalMimeType(const String8& path);
-
-    /**
-     * Retrieves the type of the protected object (content, rights, etc..)
-     * by using specified path or mimetype. At least one parameter should be non null
-     * to retrieve DRM object type
-     *
-     * @param[in] path Path of the content or null.
-     * @param[in] mimeType Mime type of the content or null.
-     * @return type of the DRM content,
-     *     such as DrmObjectType::CONTENT, DrmObjectType::RIGHTS_OBJECT
-     */
-    int getDrmObjectType(const String8& path, const String8& mimeType);
-
-    /**
-     * Check whether the given content has valid rights or not
-     *
-     * @param[in] path Path of the protected content
-     * @param[in] action Action to perform
-     * @return the status of the rights for the protected content,
-     *     such as RightsStatus::RIGHTS_VALID, RightsStatus::RIGHTS_EXPIRED, etc.
-     */
-    int checkRightsStatus(const String8& path, int action);
-
-    /**
-     * Removes the rights associated with the given protected content
-     *
-     * @param[in] path Path of the protected content
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t removeRights(const String8& path);
-
-    /**
-     * Removes all the rights information of each plug-in associated with
-     * DRM framework. Will be used in master reset
-     *
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t removeAllRights();
-
-    /**
-     * This API is for Forward Lock DRM.
-     * Each time the application tries to download a new DRM file
-     * which needs to be converted, then the application has to
-     * begin with calling this API.
-     *
-     * @param[in] convertId Handle for the convert session
-     * @param[in] mimeType Description/MIME type of the input data packet
-     * @return Return handle for the convert session
-     */
-    int openConvertSession(const String8& mimeType);
-
-    /**
-     * Passes the input data which need to be converted. The resultant
-     * converted data and the status is returned in the DrmConvertedInfo
-     * object. This method will be called each time there are new block
-     * of data received by the application.
-     *
-     * @param[in] convertId Handle for the convert session
-     * @param[in] inputData Input Data which need to be converted
-     * @return Return object contains the status of the data conversion,
-     *     the output converted data and offset. In this case the
-     *     application will ignore the offset information.
-     */
-    DrmConvertedStatus* convertData(int convertId, const DrmBuffer* inputData);
-
-    /**
-     * When there is no more data which need to be converted or when an
-     * error occurs that time the application has to inform the Drm agent
-     * via this API. Upon successful conversion of the complete data,
-     * the agent will inform that where the header and body signature
-     * should be added. This signature appending is needed to integrity
-     * protect the converted file.
-     *
-     * @param[in] convertId Handle for the convert session
-     * @return Return object contains the status of the data conversion,
-     *     the header and body signature data. It also informs
-     *     the application on which offset these signature data
-     *     should be appended.
-     */
-    DrmConvertedStatus* closeConvertSession(int convertId);
-
-    /**
-     * Retrieves all DrmSupportInfo instance that native DRM framework can handle.
-     * This interface is meant to be used by JNI layer
-     *
-     * @param[out] length Number of elements in drmSupportInfoArray
-     * @param[out] drmSupportInfoArray Array contains all DrmSupportInfo
-     *     that native DRM framework can handle
-     * @return status_t
-     *     Returns DRM_NO_ERROR for success, DRM_ERROR_UNKNOWN for failure
-     */
-    status_t getAllSupportInfo(int* length, DrmSupportInfo** drmSupportInfoArray);
-
-private:
-    int mUniqueId;
-    sp<DrmManagerClientImpl> mDrmManagerClientImpl;
-};
-
-};
-
-#endif /* __DRM_MANAGER_CLIENT_H__ */
-
diff --git a/media/omx-plugin/include/ics/drm/drm_framework_common.h b/media/omx-plugin/include/ics/drm/drm_framework_common.h
deleted file mode 100644
index 2632cbd29e..0000000000
--- a/media/omx-plugin/include/ics/drm/drm_framework_common.h
+++ /dev/null
@@ -1,336 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef __DRM_FRAMEWORK_COMMON_H__
-#define __DRM_FRAMEWORK_COMMON_H__
-
-#include <utils/Vector.h>
-#include <utils/KeyedVector.h>
-#include <utils/RefBase.h>
-#include <utils/String8.h>
-#include <utils/Errors.h>
-
-#define INVALID_VALUE -1
-
-namespace android {
-
-/**
- * Error code for DRM Frameowrk
- */
-enum {
-    // The following constant values should be in sync with
-    // media/stagefright/MediaErrors.h
-    ERROR_BASE = -2000,
-
-    DRM_ERROR_UNKNOWN                       = ERROR_BASE,
-    DRM_ERROR_NO_LICENSE                    = ERROR_BASE - 1,
-    DRM_ERROR_LICENSE_EXPIRED               = ERROR_BASE - 2,
-    DRM_ERROR_SESSION_NOT_OPENED            = ERROR_BASE - 3,
-    DRM_ERROR_DECRYPT_UNIT_NOT_INITIALIZED  = ERROR_BASE - 4,
-    DRM_ERROR_DECRYPT                       = ERROR_BASE - 5,
-    DRM_ERROR_CANNOT_HANDLE                 = ERROR_BASE - 6,
-    DRM_ERROR_TAMPER_DETECTED               = ERROR_BASE - 7,
-
-    DRM_NO_ERROR                            = NO_ERROR
-};
-
-/**
- * copy control settings used in DecryptHandle::copyControlVector
- */
-enum DrmCopyControl {
-    DRM_COPY_CONTROL_BASE = 1000,
-    // the key used to set the value for HDCP
-    // if the associated value is 1, then HDCP is required
-    // otherwise, HDCP is not required
-    DRM_COPY_CONTROL_HDCP = DRM_COPY_CONTROL_BASE
-};
-
-/**
- * Defines DRM Buffer
- */
-class DrmBuffer {
-public:
-    char* data;
-    int length;
-
-    DrmBuffer() :
-        data(NULL),
-        length(0) {
-    }
-
-    DrmBuffer(char* dataBytes, int dataLength) :
-        data(dataBytes),
-        length(dataLength) {
-    }
-
-};
-
-/**
- * Defines detailed description of the action
- */
-class ActionDescription {
-public:
-    ActionDescription(int _outputType, int _configuration) :
-        outputType(_outputType),
-        configuration(_configuration) {
-    }
-
-public:
-    int outputType;   /* BLUETOOTH , HDMI*/
-    int configuration; /* RESOLUTION_720_480 , RECORDABLE etc.*/
-};
-
-/**
- * Defines constants related to DRM types
- */
-class DrmObjectType {
-private:
-    DrmObjectType();
-
-public:
-    /**
-     * Field specifies the unknown type
-     */
-    static const int UNKNOWN = 0x00;
-    /**
-     * Field specifies the protected content type
-     */
-    static const int CONTENT = 0x01;
-    /**
-     * Field specifies the rights information
-     */
-    static const int RIGHTS_OBJECT = 0x02;
-    /**
-     * Field specifies the trigger information
-     */
-    static const int TRIGGER_OBJECT = 0x03;
-};
-
-/**
- * Defines constants related to play back
- */
-class Playback {
-private:
-    Playback();
-
-public:
-    /**
-     * Constant field signifies playback start
-     */
-    static const int START = 0x00;
-    /**
-     * Constant field signifies playback stop
-     */
-    static const int STOP = 0x01;
-    /**
-     * Constant field signifies playback paused
-     */
-    static const int PAUSE = 0x02;
-    /**
-     * Constant field signifies playback resumed
-     */
-    static const int RESUME = 0x03;
-};
-
-/**
- * Defines actions that can be performed on protected content
- */
-class Action {
-private:
-    Action();
-
-public:
-    /**
-     * Constant field signifies that the default action
-     */
-    static const int DEFAULT = 0x00;
-    /**
-     * Constant field signifies that the content can be played
-     */
-    static const int PLAY = 0x01;
-    /**
-     * Constant field signifies that the content can be set as ring tone
-     */
-    static const int RINGTONE = 0x02;
-    /**
-     * Constant field signifies that the content can be transfered
-     */
-    static const int TRANSFER = 0x03;
-    /**
-     * Constant field signifies that the content can be set as output
-     */
-    static const int OUTPUT = 0x04;
-    /**
-     * Constant field signifies that preview is allowed
-     */
-    static const int PREVIEW = 0x05;
-    /**
-     * Constant field signifies that the content can be executed
-     */
-    static const int EXECUTE = 0x06;
-    /**
-     * Constant field signifies that the content can displayed
-     */
-    static const int DISPLAY = 0x07;
-};
-
-/**
- * Defines constants related to status of the rights
- */
-class RightsStatus {
-private:
-    RightsStatus();
-
-public:
-    /**
-     * Constant field signifies that the rights are valid
-     */
-    static const int RIGHTS_VALID = 0x00;
-    /**
-     * Constant field signifies that the rights are invalid
-     */
-    static const int RIGHTS_INVALID = 0x01;
-    /**
-     * Constant field signifies that the rights are expired for the content
-     */
-    static const int RIGHTS_EXPIRED = 0x02;
-    /**
-     * Constant field signifies that the rights are not acquired for the content
-     */
-    static const int RIGHTS_NOT_ACQUIRED = 0x03;
-};
-
-/**
- * Defines API set for decryption
- */
-class DecryptApiType {
-private:
-    DecryptApiType();
-
-public:
-    /**
-     * Decrypt API set for non encrypted content
-     */
-    static const int NON_ENCRYPTED = 0x00;
-    /**
-     * Decrypt API set for ES based DRM
-     */
-    static const int ELEMENTARY_STREAM_BASED = 0x01;
-    /**
-     * POSIX based Decrypt API set for container based DRM
-     */
-    static const int CONTAINER_BASED = 0x02;
-    /**
-     * Decrypt API for Widevine streams
-     */
-    static const int WV_BASED = 0x3;
-};
-
-/**
- * Defines decryption information
- */
-class DecryptInfo {
-public:
-    /**
-     * size of memory to be allocated to get the decrypted content.
-     */
-    int decryptBufferLength;
-    /**
-     * reserved for future purpose
-     */
-};
-
-/**
- * Defines decryption handle
- */
-class DecryptHandle : public RefBase {
-public:
-    /**
-     * Decryption session Handle
-     */
-    int decryptId;
-    /**
-     * Mimetype of the content to be used to select the media extractor
-     * For e.g., "video/mpeg" or "audio/mp3"
-     */
-    String8 mimeType;
-    /**
-     * Defines which decryption pattern should be used to decrypt the given content
-     * DrmFramework provides two different set of decryption APIs.
-     *   1. Decrypt APIs for elementary stream based DRM
-     *      (file format is not encrypted but ES is encrypted)
-     *         e.g., Marlin DRM (MP4 file format), WM-DRM (asf file format)
-     *
-     *         DecryptApiType::ELEMENTARY_STREAM_BASED
-     *             Decryption API set for ES based DRM
-     *                 initializeDecryptUnit(), decrypt(), and finalizeDecryptUnit()
-     *   2. Decrypt APIs for container based DRM (file format itself is encrypted)
-     *         e.g., OMA DRM (dcf file format)
-     *
-     *         DecryptApiType::CONTAINER_BASED
-     *             POSIX based Decryption API set for container based DRM
-     *                 pread()
-     */
-    int decryptApiType;
-    /**
-     * Defines the status of the rights like
-     *     RIGHTS_VALID, RIGHTS_INVALID, RIGHTS_EXPIRED or RIGHTS_NOT_ACQUIRED
-     */
-    int status;
-    /**
-     * Information required to decrypt content
-     * e.g. size of memory to be allocated to get the decrypted content.
-     */
-    DecryptInfo* decryptInfo;
-    /**
-     * Defines a vector for the copy control settings sent from the DRM plugin
-     * to the player
-     */
-    KeyedVector<DrmCopyControl, int> copyControlVector;
-
-    /**
-     * Defines a vector for any extra data the DRM plugin wants to send
-     * to the native code
-     */
-    KeyedVector<String8, String8> extendedData;
-
-public:
-    DecryptHandle():
-            decryptId(INVALID_VALUE),
-            mimeType(""),
-            decryptApiType(INVALID_VALUE),
-            status(INVALID_VALUE),
-            decryptInfo(NULL) {
-
-    }
-
-    ~DecryptHandle() {
-        delete decryptInfo; decryptInfo = NULL;
-    }
-
-    bool operator<(const DecryptHandle& handle) const {
-        return (decryptId < handle.decryptId);
-    }
-
-    bool operator==(const DecryptHandle& handle) const {
-        return (decryptId == handle.decryptId);
-    }
-};
-
-};
-
-#endif /* __DRM_FRAMEWORK_COMMON_H__ */
-
diff --git a/media/omx-plugin/include/ics/hardware/fb.h b/media/omx-plugin/include/ics/hardware/fb.h
deleted file mode 100644
index ba2f286d07..0000000000
--- a/media/omx-plugin/include/ics/hardware/fb.h
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-
-#ifndef ANDROID_FB_INTERFACE_H
-#define ANDROID_FB_INTERFACE_H
-
-#include <stdint.h>
-#include <sys/cdefs.h>
-#include <sys/types.h>
-
-#include <cutils/native_handle.h>
-
-#include <hardware/hardware.h>
-
-__BEGIN_DECLS
-
-#define GRALLOC_HARDWARE_FB0 "fb0"
-
-/*****************************************************************************/
-
-
-/*****************************************************************************/
-
-typedef struct framebuffer_device_t {
-    struct hw_device_t common;
-
-    /* flags describing some attributes of the framebuffer */
-    const uint32_t  flags;
-
-    /* dimensions of the framebuffer in pixels */
-    const uint32_t  width;
-    const uint32_t  height;
-
-    /* frambuffer stride in pixels */
-    const int       stride;
-
-    /* framebuffer pixel format */
-    const int       format;
-
-    /* resolution of the framebuffer's display panel in pixel per inch*/
-    const float     xdpi;
-    const float     ydpi;
-
-    /* framebuffer's display panel refresh rate in frames per second */
-    const float     fps;
-
-    /* min swap interval supported by this framebuffer */
-    const int       minSwapInterval;
-
-    /* max swap interval supported by this framebuffer */
-    const int       maxSwapInterval;
-
-    int reserved[8];
-
-    /*
-     * requests a specific swap-interval (same definition than EGL)
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int (*setSwapInterval)(struct framebuffer_device_t* window,
-            int interval);
-
-    /*
-     * This hook is OPTIONAL.
-     *
-     * It is non NULL If the framebuffer driver supports "update-on-demand"
-     * and the given rectangle is the area of the screen that gets
-     * updated during (*post)().
-     *
-     * This is useful on devices that are able to DMA only a portion of
-     * the screen to the display panel, upon demand -- as opposed to
-     * constantly refreshing the panel 60 times per second, for instance.
-     *
-     * Only the area defined by this rectangle is guaranteed to be valid, that
-     * is, the driver is not allowed to post anything outside of this
-     * rectangle.
-     *
-     * The rectangle evaluated during (*post)() and specifies which area
-     * of the buffer passed in (*post)() shall to be posted.
-     *
-     * return -EINVAL if width or height <=0, or if left or top < 0
-     */
-    int (*setUpdateRect)(struct framebuffer_device_t* window,
-            int left, int top, int width, int height);
-
-    /*
-     * Post <buffer> to the display (display it on the screen)
-     * The buffer must have been allocated with the
-     *   GRALLOC_USAGE_HW_FB usage flag.
-     * buffer must be the same width and height as the display and must NOT
-     * be locked.
-     *
-     * The buffer is shown during the next VSYNC.
-     *
-     * If the same buffer is posted again (possibly after some other buffer),
-     * post() will block until the the first post is completed.
-     *
-     * Internally, post() is expected to lock the buffer so that a
-     * subsequent call to gralloc_module_t::(*lock)() with USAGE_RENDER or
-     * USAGE_*_WRITE will block until it is safe; that is typically once this
-     * buffer is shown and another buffer has been posted.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int (*post)(struct framebuffer_device_t* dev, buffer_handle_t buffer);
-
-
-    /*
-     * The (*compositionComplete)() method must be called after the
-     * compositor has finished issuing GL commands for client buffers.
-     */
-
-    int (*compositionComplete)(struct framebuffer_device_t* dev);
-
-    /*
-     * This hook is OPTIONAL.
-     *
-     * If non NULL it will be caused by SurfaceFlinger on dumpsys
-     */
-    void (*dump)(struct framebuffer_device_t* dev, char *buff, int buff_len);
-
-    /*
-     * (*enableScreen)() is used to either blank (enable=0) or
-     * unblank (enable=1) the screen this framebuffer is attached to.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int (*enableScreen)(struct framebuffer_device_t* dev, int enable);
-
-    void* reserved_proc[6];
-
-} framebuffer_device_t;
-
-
-/** convenience API for opening and closing a supported device */
-
-static inline int framebuffer_open(const struct hw_module_t* module,
-        struct framebuffer_device_t** device) {
-    return module->methods->open(module,
-            GRALLOC_HARDWARE_FB0, (struct hw_device_t**)device);
-}
-
-static inline int framebuffer_close(struct framebuffer_device_t* device) {
-    return device->common.close(&device->common);
-}
-
-
-__END_DECLS
-
-#endif  // ANDROID_FB_INTERFACE_H
diff --git a/media/omx-plugin/include/ics/hardware/gralloc.h b/media/omx-plugin/include/ics/hardware/gralloc.h
deleted file mode 100644
index f8beb5efb2..0000000000
--- a/media/omx-plugin/include/ics/hardware/gralloc.h
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-
-#ifndef ANDROID_GRALLOC_INTERFACE_H
-#define ANDROID_GRALLOC_INTERFACE_H
-
-#include <system/window.h>
-#include <hardware/hardware.h>
-
-#include <stdint.h>
-#include <sys/cdefs.h>
-#include <sys/types.h>
-
-#include <cutils/native_handle.h>
-
-#include <hardware/hardware.h>
-#include <hardware/fb.h>
-
-__BEGIN_DECLS
-
-#define GRALLOC_API_VERSION 1
-
-/**
- * The id of this module
- */
-#define GRALLOC_HARDWARE_MODULE_ID "gralloc"
-
-/**
- * Name of the graphics device to open
- */
-
-#define GRALLOC_HARDWARE_GPU0 "gpu0"
-
-enum {
-    /* buffer is never read in software */
-    GRALLOC_USAGE_SW_READ_NEVER         = 0x00000000,
-    /* buffer is rarely read in software */
-    GRALLOC_USAGE_SW_READ_RARELY        = 0x00000002,
-    /* buffer is often read in software */
-    GRALLOC_USAGE_SW_READ_OFTEN         = 0x00000003,
-    /* mask for the software read values */
-    GRALLOC_USAGE_SW_READ_MASK          = 0x0000000F,
-    
-    /* buffer is never written in software */
-    GRALLOC_USAGE_SW_WRITE_NEVER        = 0x00000000,
-    /* buffer is never written in software */
-    GRALLOC_USAGE_SW_WRITE_RARELY       = 0x00000020,
-    /* buffer is never written in software */
-    GRALLOC_USAGE_SW_WRITE_OFTEN        = 0x00000030,
-    /* mask for the software write values */
-    GRALLOC_USAGE_SW_WRITE_MASK         = 0x000000F0,
-
-    /* buffer will be used as an OpenGL ES texture */
-    GRALLOC_USAGE_HW_TEXTURE            = 0x00000100,
-    /* buffer will be used as an OpenGL ES render target */
-    GRALLOC_USAGE_HW_RENDER             = 0x00000200,
-    /* buffer will be used by the 2D hardware blitter */
-    GRALLOC_USAGE_HW_2D                 = 0x00000400,
-    /* buffer will be used by the HWComposer HAL module */
-    GRALLOC_USAGE_HW_COMPOSER           = 0x00000800,
-    /* buffer will be used with the framebuffer device */
-    GRALLOC_USAGE_HW_FB                 = 0x00001000,
-    /* buffer will be used with the HW video encoder */
-    GRALLOC_USAGE_HW_VIDEO_ENCODER      = 0x00010000,
-    /* mask for the software usage bit-mask */
-    GRALLOC_USAGE_HW_MASK               = 0x00011F00,
-
-    /* buffer should be displayed full-screen on an external display when
-     * possible
-     */
-    GRALLOC_USAGE_EXTERNAL_DISP         = 0x00002000,
-
-    /* Must have a hardware-protected path to external display sink for
-     * this buffer.  If a hardware-protected path is not available, then
-     * either don't composite only this buffer (preferred) to the
-     * external sink, or (less desirable) do not route the entire
-     * composition to the external sink.
-     */
-    GRALLOC_USAGE_PROTECTED             = 0x00004000,
-
-    /* implementation-specific private usage flags */
-    GRALLOC_USAGE_PRIVATE_0             = 0x10000000,
-    GRALLOC_USAGE_PRIVATE_1             = 0x20000000,
-    GRALLOC_USAGE_PRIVATE_2             = 0x40000000,
-    GRALLOC_USAGE_PRIVATE_3             = 0x80000000,
-    GRALLOC_USAGE_PRIVATE_MASK          = 0xF0000000,
-};
-
-/*****************************************************************************/
-
-/**
- * Every hardware module must have a data structure named HAL_MODULE_INFO_SYM
- * and the fields of this data structure must begin with hw_module_t
- * followed by module specific information.
- */
-typedef struct gralloc_module_t {
-    struct hw_module_t common;
-    
-    /*
-     * (*registerBuffer)() must be called before a buffer_handle_t that has not
-     * been created with (*alloc_device_t::alloc)() can be used.
-     * 
-     * This is intended to be used with buffer_handle_t's that have been
-     * received in this process through IPC.
-     * 
-     * This function checks that the handle is indeed a valid one and prepares
-     * it for use with (*lock)() and (*unlock)().
-     * 
-     * It is not necessary to call (*registerBuffer)() on a handle created 
-     * with (*alloc_device_t::alloc)().
-     * 
-     * returns an error if this buffer_handle_t is not valid.
-     */
-    int (*registerBuffer)(struct gralloc_module_t const* module,
-            buffer_handle_t handle);
-
-    /*
-     * (*unregisterBuffer)() is called once this handle is no longer needed in
-     * this process. After this call, it is an error to call (*lock)(),
-     * (*unlock)(), or (*registerBuffer)().
-     * 
-     * This function doesn't close or free the handle itself; this is done
-     * by other means, usually through libcutils's native_handle_close() and
-     * native_handle_free(). 
-     * 
-     * It is an error to call (*unregisterBuffer)() on a buffer that wasn't
-     * explicitly registered first.
-     */
-    int (*unregisterBuffer)(struct gralloc_module_t const* module,
-            buffer_handle_t handle);
-    
-    /*
-     * The (*lock)() method is called before a buffer is accessed for the 
-     * specified usage. This call may block, for instance if the h/w needs
-     * to finish rendering or if CPU caches need to be synchronized.
-     * 
-     * The caller promises to modify only pixels in the area specified 
-     * by (l,t,w,h).
-     * 
-     * The content of the buffer outside of the specified area is NOT modified
-     * by this call.
-     *
-     * If usage specifies GRALLOC_USAGE_SW_*, vaddr is filled with the address
-     * of the buffer in virtual memory.
-     *
-     * THREADING CONSIDERATIONS:
-     *
-     * It is legal for several different threads to lock a buffer from 
-     * read access, none of the threads are blocked.
-     * 
-     * However, locking a buffer simultaneously for write or read/write is
-     * undefined, but:
-     * - shall not result in termination of the process
-     * - shall not block the caller
-     * It is acceptable to return an error or to leave the buffer's content
-     * into an indeterminate state.
-     *
-     * If the buffer was created with a usage mask incompatible with the
-     * requested usage flags here, -EINVAL is returned. 
-     * 
-     */
-    
-    int (*lock)(struct gralloc_module_t const* module,
-            buffer_handle_t handle, int usage,
-            int l, int t, int w, int h,
-            void** vaddr);
-
-    
-    /*
-     * The (*unlock)() method must be called after all changes to the buffer
-     * are completed.
-     */
-    
-    int (*unlock)(struct gralloc_module_t const* module,
-            buffer_handle_t handle);
-
-
-    /* reserved for future use */
-    int (*perform)(struct gralloc_module_t const* module,
-            int operation, ... );
-
-    /* reserved for future use */
-    void* reserved_proc[7];
-} gralloc_module_t;
-
-/*****************************************************************************/
-
-/**
- * Every device data structure must begin with hw_device_t
- * followed by module specific public methods and attributes.
- */
-
-typedef struct alloc_device_t {
-    struct hw_device_t common;
-
-    /* 
-     * (*alloc)() Allocates a buffer in graphic memory with the requested
-     * parameters and returns a buffer_handle_t and the stride in pixels to
-     * allow the implementation to satisfy hardware constraints on the width
-     * of a pixmap (eg: it may have to be multiple of 8 pixels). 
-     * The CALLER TAKES OWNERSHIP of the buffer_handle_t.
-     * 
-     * Returns 0 on success or -errno on error.
-     */
-    
-    int (*alloc)(struct alloc_device_t* dev,
-            int w, int h, int format, int usage,
-            buffer_handle_t* handle, int* stride);
-
-    /*
-     * (*free)() Frees a previously allocated buffer. 
-     * Behavior is undefined if the buffer is still mapped in any process,
-     * but shall not result in termination of the program or security breaches
-     * (allowing a process to get access to another process' buffers).
-     * THIS FUNCTION TAKES OWNERSHIP of the buffer_handle_t which becomes
-     * invalid after the call. 
-     * 
-     * Returns 0 on success or -errno on error.
-     */
-    int (*free)(struct alloc_device_t* dev,
-            buffer_handle_t handle);
-
-    /* This hook is OPTIONAL.
-     *
-     * If non NULL it will be caused by SurfaceFlinger on dumpsys
-     */
-    void (*dump)(struct alloc_device_t *dev, char *buff, int buff_len);
-
-    void* reserved_proc[7];
-} alloc_device_t;
-
-
-/** convenience API for opening and closing a supported device */
-
-static inline int gralloc_open(const struct hw_module_t* module, 
-        struct alloc_device_t** device) {
-    return module->methods->open(module, 
-            GRALLOC_HARDWARE_GPU0, (struct hw_device_t**)device);
-}
-
-static inline int gralloc_close(struct alloc_device_t* device) {
-    return device->common.close(&device->common);
-}
-
-__END_DECLS
-
-#endif  // ANDROID_ALLOC_INTERFACE_H
diff --git a/media/omx-plugin/include/ics/hardware/hardware.h b/media/omx-plugin/include/ics/hardware/hardware.h
deleted file mode 100644
index 7774b2b645..0000000000
--- a/media/omx-plugin/include/ics/hardware/hardware.h
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_INCLUDE_HARDWARE_HARDWARE_H
-#define ANDROID_INCLUDE_HARDWARE_HARDWARE_H
-
-#include <stdint.h>
-#include <sys/cdefs.h>
-
-#include <cutils/native_handle.h>
-#include <system/graphics.h>
-
-__BEGIN_DECLS
-
-/*
- * Value for the hw_module_t.tag field
- */
-
-#define MAKE_TAG_CONSTANT(A,B,C,D) (((A) << 24) | ((B) << 16) | ((C) << 8) | (D))
-
-#define HARDWARE_MODULE_TAG MAKE_TAG_CONSTANT('H', 'W', 'M', 'T')
-#define HARDWARE_DEVICE_TAG MAKE_TAG_CONSTANT('H', 'W', 'D', 'T')
-
-struct hw_module_t;
-struct hw_module_methods_t;
-struct hw_device_t;
-
-/**
- * Every hardware module must have a data structure named HAL_MODULE_INFO_SYM
- * and the fields of this data structure must begin with hw_module_t
- * followed by module specific information.
- */
-typedef struct hw_module_t {
-    /** tag must be initialized to HARDWARE_MODULE_TAG */
-    uint32_t tag;
-
-    /** major version number for the module */
-    uint16_t version_major;
-
-    /** minor version number of the module */
-    uint16_t version_minor;
-
-    /** Identifier of module */
-    const char *id;
-
-    /** Name of this module */
-    const char *name;
-
-    /** Author/owner/implementor of the module */
-    const char *author;
-
-    /** Modules methods */
-    struct hw_module_methods_t* methods;
-
-    /** module's dso */
-    void* dso;
-
-    /** padding to 128 bytes, reserved for future use */
-    uint32_t reserved[32-7];
-
-} hw_module_t;
-
-typedef struct hw_module_methods_t {
-    /** Open a specific device */
-    int (*open)(const struct hw_module_t* module, const char* id,
-            struct hw_device_t** device);
-
-} hw_module_methods_t;
-
-/**
- * Every device data structure must begin with hw_device_t
- * followed by module specific public methods and attributes.
- */
-typedef struct hw_device_t {
-    /** tag must be initialized to HARDWARE_DEVICE_TAG */
-    uint32_t tag;
-
-    /** version number for hw_device_t */
-    uint32_t version;
-
-    /** reference to the module this device belongs to */
-    struct hw_module_t* module;
-
-    /** padding reserved for future use */
-    uint32_t reserved[12];
-
-    /** Close this device */
-    int (*close)(struct hw_device_t* device);
-
-} hw_device_t;
-
-/**
- * Name of the hal_module_info
- */
-#define HAL_MODULE_INFO_SYM         HMI
-
-/**
- * Name of the hal_module_info as a string
- */
-#define HAL_MODULE_INFO_SYM_AS_STR  "HMI"
-
-/**
- * Get the module info associated with a module by id.
- *
- * @return: 0 == success, <0 == error and *module == NULL
- */
-int hw_get_module(const char *id, const struct hw_module_t **module);
-
-/**
- * Get the module info associated with a module instance by class 'class_id'
- * and instance 'inst'.
- *
- * Some modules types necessitate multiple instances. For example audio supports
- * multiple concurrent interfaces and thus 'audio' is the module class
- * and 'primary' or 'a2dp' are module interfaces. This implies that the files
- * providing these modules would be named audio.primary.<variant>.so and
- * audio.a2dp.<variant>.so
- *
- * @return: 0 == success, <0 == error and *module == NULL
- */
-int hw_get_module_by_class(const char *class_id, const char *inst,
-                           const struct hw_module_t **module);
-
-__END_DECLS
-
-#endif  /* ANDROID_INCLUDE_HARDWARE_HARDWARE_H */
diff --git a/media/omx-plugin/include/ics/media/IOMX.h b/media/omx-plugin/include/ics/media/IOMX.h
deleted file mode 100644
index c4cc947a89..0000000000
--- a/media/omx-plugin/include/ics/media/IOMX.h
+++ /dev/null
@@ -1,197 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_IOMX_H_
-
-#define ANDROID_IOMX_H_
-
-#include <binder/IInterface.h>
-#include <ui/GraphicBuffer.h>
-#include <utils/List.h>
-#include <utils/String8.h>
-
-#include <OMX_Core.h>
-#include <OMX_Video.h>
-
-#include "jni.h"
-
-namespace android {
-
-class IMemory;
-class IOMXObserver;
-class IOMXRenderer;
-class Surface;
-
-class IOMX : public IInterface {
-public:
-    DECLARE_META_INTERFACE(OMX);
-
-    typedef void *buffer_id;
-    typedef void *node_id;
-
-    // Given the calling process' pid, returns true iff
-    // the implementation of the OMX interface lives in the same
-    // process.
-    virtual bool livesLocally(pid_t pid) = 0;
-
-    struct ComponentInfo {
-        String8 mName;
-        List<String8> mRoles;
-    };
-    virtual status_t listNodes(List<ComponentInfo> *list) = 0;
-
-    virtual status_t allocateNode(
-            const char *name, const sp<IOMXObserver> &observer,
-            node_id *node) = 0;
-
-    virtual status_t freeNode(node_id node) = 0;
-
-    virtual status_t sendCommand(
-            node_id node, OMX_COMMANDTYPE cmd, OMX_S32 param) = 0;
-
-    virtual status_t getParameter(
-            node_id node, OMX_INDEXTYPE index,
-            void *params, size_t size) = 0;
-
-    virtual status_t setParameter(
-            node_id node, OMX_INDEXTYPE index,
-            const void *params, size_t size) = 0;
-
-    virtual status_t getConfig(
-            node_id node, OMX_INDEXTYPE index,
-            void *params, size_t size) = 0;
-
-    virtual status_t setConfig(
-            node_id node, OMX_INDEXTYPE index,
-            const void *params, size_t size) = 0;
-
-    virtual status_t getState(
-            node_id node, OMX_STATETYPE* state) = 0;
-
-    virtual status_t storeMetaDataInBuffers(
-            node_id node, OMX_U32 port_index, OMX_BOOL enable) = 0;
-
-    virtual status_t enableGraphicBuffers(
-            node_id node, OMX_U32 port_index, OMX_BOOL enable) = 0;
-
-    virtual status_t getGraphicBufferUsage(
-            node_id node, OMX_U32 port_index, OMX_U32* usage) = 0;
-
-    virtual status_t useBuffer(
-            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
-            buffer_id *buffer) = 0;
-
-    virtual status_t useGraphicBuffer(
-            node_id node, OMX_U32 port_index,
-            const sp<GraphicBuffer> &graphicBuffer, buffer_id *buffer) = 0;
-
-    // This API clearly only makes sense if the caller lives in the
-    // same process as the callee, i.e. is the media_server, as the
-    // returned "buffer_data" pointer is just that, a pointer into local
-    // address space.
-    virtual status_t allocateBuffer(
-            node_id node, OMX_U32 port_index, size_t size,
-            buffer_id *buffer, void **buffer_data) = 0;
-
-    virtual status_t allocateBufferWithBackup(
-            node_id node, OMX_U32 port_index, const sp<IMemory> &params,
-            buffer_id *buffer) = 0;
-
-    virtual status_t freeBuffer(
-            node_id node, OMX_U32 port_index, buffer_id buffer) = 0;
-
-    virtual status_t fillBuffer(node_id node, buffer_id buffer) = 0;
-
-    virtual status_t emptyBuffer(
-            node_id node,
-            buffer_id buffer,
-            OMX_U32 range_offset, OMX_U32 range_length,
-            OMX_U32 flags, OMX_TICKS timestamp) = 0;
-
-    virtual status_t getExtensionIndex(
-            node_id node,
-            const char *parameter_name,
-            OMX_INDEXTYPE *index) = 0;
-};
-
-struct omx_message {
-    enum {
-        EVENT,
-        EMPTY_BUFFER_DONE,
-        FILL_BUFFER_DONE,
-
-    } type;
-
-    IOMX::node_id node;
-
-    union {
-        // if type == EVENT
-        struct {
-            OMX_EVENTTYPE event;
-            OMX_U32 data1;
-            OMX_U32 data2;
-        } event_data;
-
-        // if type == EMPTY_BUFFER_DONE
-        struct {
-            IOMX::buffer_id buffer;
-        } buffer_data;
-
-        // if type == FILL_BUFFER_DONE
-        struct {
-            IOMX::buffer_id buffer;
-            OMX_U32 range_offset;
-            OMX_U32 range_length;
-            OMX_U32 flags;
-            OMX_TICKS timestamp;
-            OMX_PTR platform_private;
-            OMX_PTR data_ptr;
-        } extended_buffer_data;
-
-    } u;
-};
-
-class IOMXObserver : public IInterface {
-public:
-    DECLARE_META_INTERFACE(OMXObserver);
-
-    virtual void onMessage(const omx_message &msg) = 0;
-};
-
-////////////////////////////////////////////////////////////////////////////////
-
-class BnOMX : public BnInterface<IOMX> {
-public:
-    virtual status_t onTransact(
-            uint32_t code, const Parcel &data, Parcel *reply,
-            uint32_t flags = 0);
-};
-
-class BnOMXObserver : public BnInterface<IOMXObserver> {
-public:
-    virtual status_t onTransact(
-            uint32_t code, const Parcel &data, Parcel *reply,
-            uint32_t flags = 0);
-};
-
-struct CodecProfileLevel {
-    OMX_U32 mProfile;
-    OMX_U32 mLevel;
-};
-
-}  // namespace android
-
-#endif  // ANDROID_IOMX_H_
diff --git a/media/omx-plugin/include/ics/media/stagefright/MediaBuffer.h b/media/omx-plugin/include/ics/media/stagefright/MediaBuffer.h
deleted file mode 100644
index 3d79596f3f..0000000000
--- a/media/omx-plugin/include/ics/media/stagefright/MediaBuffer.h
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MEDIA_BUFFER_H_
-
-#define MEDIA_BUFFER_H_
-
-#include <pthread.h>
-
-#include <utils/Errors.h>
-#include <utils/RefBase.h>
-
-namespace android {
-
-struct ABuffer;
-class GraphicBuffer;
-class MediaBuffer;
-class MediaBufferObserver;
-class MetaData;
-
-class MediaBufferObserver {
-public:
-    MediaBufferObserver() {}
-    virtual ~MediaBufferObserver() {}
-
-    virtual void signalBufferReturned(MediaBuffer *buffer) = 0;
-
-private:
-    MediaBufferObserver(const MediaBufferObserver &);
-    MediaBufferObserver &operator=(const MediaBufferObserver &);
-};
-
-class MediaBuffer {
-public:
-    // The underlying data remains the responsibility of the caller!
-    MediaBuffer(void *data, size_t size);
-
-    MediaBuffer(size_t size);
-
-    MediaBuffer(const sp<GraphicBuffer>& graphicBuffer);
-
-    MediaBuffer(const sp<ABuffer> &buffer);
-
-    // Decrements the reference count and returns the buffer to its
-    // associated MediaBufferGroup if the reference count drops to 0.
-    void release();
-
-    // Increments the reference count.
-    void add_ref();
-
-    void *data() const;
-    size_t size() const;
-
-    size_t range_offset() const;
-    size_t range_length() const;
-
-    void set_range(size_t offset, size_t length);
-
-    sp<GraphicBuffer> graphicBuffer() const;
-
-    sp<MetaData> meta_data();
-
-    // Clears meta data and resets the range to the full extent.
-    void reset();
-
-    void setObserver(MediaBufferObserver *group);
-
-    // Returns a clone of this MediaBuffer increasing its reference count.
-    // The clone references the same data but has its own range and
-    // MetaData.
-    MediaBuffer *clone();
-
-    int refcount() const;
-
-protected:
-    virtual ~MediaBuffer();
-
-private:
-    friend class MediaBufferGroup;
-    friend class OMXDecoder;
-
-    // For use by OMXDecoder, reference count must be 1, drop reference
-    // count to 0 without signalling the observer.
-    void claim();
-
-    MediaBufferObserver *mObserver;
-    MediaBuffer *mNextBuffer;
-    int mRefCount;
-
-    void *mData;
-    size_t mSize, mRangeOffset, mRangeLength;
-    sp<GraphicBuffer> mGraphicBuffer;
-    sp<ABuffer> mBuffer;
-
-    bool mOwnsData;
-
-    sp<MetaData> mMetaData;
-
-    MediaBuffer *mOriginal;
-
-    void setNextBuffer(MediaBuffer *buffer);
-    MediaBuffer *nextBuffer();
-
-    MediaBuffer(const MediaBuffer &);
-    MediaBuffer &operator=(const MediaBuffer &);
-};
-
-}  // namespace android
-
-#endif  // MEDIA_BUFFER_H_
diff --git a/media/omx-plugin/include/ics/media/stagefright/MediaErrors.h b/media/omx-plugin/include/ics/media/stagefright/MediaErrors.h
deleted file mode 100644
index 21d00b8c53..0000000000
--- a/media/omx-plugin/include/ics/media/stagefright/MediaErrors.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MEDIA_ERRORS_H_
-
-#define MEDIA_ERRORS_H_
-
-#include <utils/Errors.h>
-
-namespace android {
-
-enum {
-    MEDIA_ERROR_BASE        = -1000,
-
-    ERROR_ALREADY_CONNECTED = MEDIA_ERROR_BASE,
-    ERROR_NOT_CONNECTED     = MEDIA_ERROR_BASE - 1,
-    ERROR_UNKNOWN_HOST      = MEDIA_ERROR_BASE - 2,
-    ERROR_CANNOT_CONNECT    = MEDIA_ERROR_BASE - 3,
-    ERROR_IO                = MEDIA_ERROR_BASE - 4,
-    ERROR_CONNECTION_LOST   = MEDIA_ERROR_BASE - 5,
-    ERROR_MALFORMED         = MEDIA_ERROR_BASE - 7,
-    ERROR_OUT_OF_RANGE      = MEDIA_ERROR_BASE - 8,
-    ERROR_BUFFER_TOO_SMALL  = MEDIA_ERROR_BASE - 9,
-    ERROR_UNSUPPORTED       = MEDIA_ERROR_BASE - 10,
-    ERROR_END_OF_STREAM     = MEDIA_ERROR_BASE - 11,
-
-    // Not technically an error.
-    INFO_FORMAT_CHANGED    = MEDIA_ERROR_BASE - 12,
-    INFO_DISCONTINUITY     = MEDIA_ERROR_BASE - 13,
-
-    // The following constant values should be in sync with
-    // drm/drm_framework_common.h
-    DRM_ERROR_BASE = -2000,
-
-    ERROR_DRM_UNKNOWN                       = DRM_ERROR_BASE,
-    ERROR_DRM_NO_LICENSE                    = DRM_ERROR_BASE - 1,
-    ERROR_DRM_LICENSE_EXPIRED               = DRM_ERROR_BASE - 2,
-    ERROR_DRM_SESSION_NOT_OPENED            = DRM_ERROR_BASE - 3,
-    ERROR_DRM_DECRYPT_UNIT_NOT_INITIALIZED  = DRM_ERROR_BASE - 4,
-    ERROR_DRM_DECRYPT                       = DRM_ERROR_BASE - 5,
-    ERROR_DRM_CANNOT_HANDLE                 = DRM_ERROR_BASE - 6,
-    ERROR_DRM_TAMPER_DETECTED               = DRM_ERROR_BASE - 7,
-
-    // Heartbeat Error Codes
-    HEARTBEAT_ERROR_BASE = -3000,
-
-    ERROR_HEARTBEAT_AUTHENTICATION_FAILURE                  = HEARTBEAT_ERROR_BASE,
-    ERROR_HEARTBEAT_NO_ACTIVE_PURCHASE_AGREEMENT            = HEARTBEAT_ERROR_BASE - 1,
-    ERROR_HEARTBEAT_CONCURRENT_PLAYBACK                     = HEARTBEAT_ERROR_BASE - 2,
-    ERROR_HEARTBEAT_UNUSUAL_ACTIVITY                        = HEARTBEAT_ERROR_BASE - 3,
-    ERROR_HEARTBEAT_STREAMING_UNAVAILABLE                   = HEARTBEAT_ERROR_BASE - 4,
-    ERROR_HEARTBEAT_CANNOT_ACTIVATE_RENTAL                  = HEARTBEAT_ERROR_BASE - 5,
-    ERROR_HEARTBEAT_TERMINATE_REQUESTED                     = HEARTBEAT_ERROR_BASE - 6,
-};
-
-}  // namespace android
-
-#endif  // MEDIA_ERRORS_H_
diff --git a/media/omx-plugin/include/ics/media/stagefright/MediaSource.h b/media/omx-plugin/include/ics/media/stagefright/MediaSource.h
deleted file mode 100644
index 3818e63ff4..0000000000
--- a/media/omx-plugin/include/ics/media/stagefright/MediaSource.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MEDIA_SOURCE_H_
-
-#define MEDIA_SOURCE_H_
-
-#include <sys/types.h>
-
-#include <media/stagefright/MediaErrors.h>
-#include <utils/RefBase.h>
-#include <utils/Vector.h>
-
-namespace android {
-
-class MediaBuffer;
-class MetaData;
-
-struct MediaSource : public virtual RefBase {
-    MediaSource();
-
-    // To be called before any other methods on this object, except
-    // getFormat().
-    virtual status_t start(MetaData *params = NULL) = 0;
-
-    // Any blocking read call returns immediately with a result of NO_INIT.
-    // It is an error to call any methods other than start after this call
-    // returns. Any buffers the object may be holding onto at the time of
-    // the stop() call are released.
-    // Also, it is imperative that any buffers output by this object and
-    // held onto by callers be released before a call to stop() !!!
-    virtual status_t stop() = 0;
-
-    // Returns the format of the data output by this media source.
-    virtual sp<MetaData> getFormat() = 0;
-
-    struct ReadOptions;
-
-    // Returns a new buffer of data. Call blocks until a
-    // buffer is available, an error is encountered of the end of the stream
-    // is reached.
-    // End of stream is signalled by a result of ERROR_END_OF_STREAM.
-    // A result of INFO_FORMAT_CHANGED indicates that the format of this
-    // MediaSource has changed mid-stream, the client can continue reading
-    // but should be prepared for buffers of the new configuration.
-    virtual status_t read(
-            MediaBuffer **buffer, const ReadOptions *options = NULL) = 0;
-
-    // Options that modify read() behaviour. The default is to
-    // a) not request a seek
-    // b) not be late, i.e. lateness_us = 0
-    struct ReadOptions {
-        enum SeekMode {
-            SEEK_PREVIOUS_SYNC,
-            SEEK_NEXT_SYNC,
-            SEEK_CLOSEST_SYNC,
-            SEEK_CLOSEST,
-        };
-
-        ReadOptions();
-
-        // Reset everything back to defaults.
-        void reset();
-
-        void setSeekTo(int64_t time_us, SeekMode mode = SEEK_CLOSEST_SYNC);
-        void clearSeekTo();
-        bool getSeekTo(int64_t *time_us, SeekMode *mode) const;
-
-        void setLateBy(int64_t lateness_us);
-        int64_t getLateBy() const;
-
-    private:
-        enum Options {
-            kSeekTo_Option      = 1,
-        };
-
-        uint32_t mOptions;
-        int64_t mSeekTimeUs;
-        SeekMode mSeekMode;
-        int64_t mLatenessUs;
-    };
-
-    // Causes this source to suspend pulling data from its upstream source
-    // until a subsequent read-with-seek. Currently only supported by
-    // OMXCodec.
-    virtual status_t pause() {
-        return ERROR_UNSUPPORTED;
-    }
-
-    // The consumer of this media source requests that the given buffers
-    // are to be returned exclusively in response to read calls.
-    // This will be called after a successful start() and before the
-    // first read() call.
-    // Callee assumes ownership of the buffers if no error is returned.
-    virtual status_t setBuffers(const Vector<MediaBuffer *> &buffers) {
-        return ERROR_UNSUPPORTED;
-    }
-
-protected:
-    virtual ~MediaSource();
-
-private:
-    MediaSource(const MediaSource &);
-    MediaSource &operator=(const MediaSource &);
-};
-
-}  // namespace android
-
-#endif  // MEDIA_SOURCE_H_
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Core.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Core.h
deleted file mode 100644
index 9fb0f6fdb7..0000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Core.h
+++ /dev/null
@@ -1,1448 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/*
- * Copyright (c) 2008 The Khronos Group Inc. 
- * 
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions: 
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software. 
- * 
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- *
- */
-
-/** OMX_Core.h - OpenMax IL version 1.1.2
- *  The OMX_Core header file contains the definitions used by both the
- *  application and the component to access common items.
- */
-
-#ifndef OMX_Core_h
-#define OMX_Core_h
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-
-/* Each OMX header shall include all required header files to allow the
- *  header to compile without errors.  The includes below are required
- *  for this header file to compile successfully 
- */
-
-#include <OMX_Index.h>
-
-
-/** The OMX_COMMANDTYPE enumeration is used to specify the action in the
- *  OMX_SendCommand macro.  
- *  @ingroup core
- */
-typedef enum OMX_COMMANDTYPE
-{
-    OMX_CommandStateSet,    /**< Change the component state */
-    OMX_CommandFlush,       /**< Flush the data queue(s) of a component */
-    OMX_CommandPortDisable, /**< Disable a port on a component. */
-    OMX_CommandPortEnable,  /**< Enable a port on a component. */
-    OMX_CommandMarkBuffer,  /**< Mark a component/buffer for observation */
-    OMX_CommandKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_CommandVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_CommandMax = 0X7FFFFFFF
-} OMX_COMMANDTYPE;
-
-
-
-/** The OMX_STATETYPE enumeration is used to indicate or change the component
- *  state.  This enumeration reflects the current state of the component when
- *  used with the OMX_GetState macro or becomes the parameter in a state change
- *  command when used with the OMX_SendCommand macro.
- *
- *  The component will be in the Loaded state after the component is initially
- *  loaded into memory.  In the Loaded state, the component is not allowed to
- *  allocate or hold resources other than to build it's internal parameter
- *  and configuration tables.  The application will send one or more
- *  SetParameters/GetParameters and SetConfig/GetConfig commands to the
- *  component and the component will record each of these parameter and
- *  configuration changes for use later.  When the application sends the
- *  Idle command, the component will acquire the resources needed for the
- *  specified configuration and will transition to the idle state if the
- *  allocation is successful.  If the component cannot successfully
- *  transition to the idle state for any reason, the state of the component
- *  shall be fully rolled back to the Loaded state (e.g. all allocated 
- *  resources shall be released).  When the component receives the command
- *  to go to the Executing state, it shall begin processing buffers by
- *  sending all input buffers it holds to the application.  While
- *  the component is in the Idle state, the application may also send the
- *  Pause command.  If the component receives the pause command while in the
- *  Idle state, the component shall send all input buffers it holds to the 
- *  application, but shall not begin processing buffers.  This will allow the
- *  application to prefill buffers.
- * 
- *  @ingroup comp
- */
-
-typedef enum OMX_STATETYPE
-{
-    OMX_StateInvalid,      /**< component has detected that it's internal data 
-                                structures are corrupted to the point that
-                                it cannot determine it's state properly */
-    OMX_StateLoaded,      /**< component has been loaded but has not completed
-                                initialization.  The OMX_SetParameter macro
-                                and the OMX_GetParameter macro are the only 
-                                valid macros allowed to be sent to the 
-                                component in this state. */
-    OMX_StateIdle,        /**< component initialization has been completed
-                                successfully and the component is ready to
-                                to start. */
-    OMX_StateExecuting,   /**< component has accepted the start command and
-                                is processing data (if data is available) */
-    OMX_StatePause,       /**< component has received pause command */
-    OMX_StateWaitForResources, /**< component is waiting for resources, either after 
-                                preemption or before it gets the resources requested.
-                                See specification for complete details. */
-    OMX_StateKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_StateVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_StateMax = 0X7FFFFFFF
-} OMX_STATETYPE;
-
-/** The OMX_ERRORTYPE enumeration defines the standard OMX Errors.  These 
- *  errors should cover most of the common failure cases.  However, 
- *  vendors are free to add additional error messages of their own as 
- *  long as they follow these rules:
- *  1.  Vendor error messages shall be in the range of 0x90000000 to
- *      0x9000FFFF.
- *  2.  Vendor error messages shall be defined in a header file provided
- *      with the component.  No error messages are allowed that are
- *      not defined.
- */
-typedef enum OMX_ERRORTYPE
-{
-  OMX_ErrorNone = 0,
-
-  /** There were insufficient resources to perform the requested operation */
-  OMX_ErrorInsufficientResources = (OMX_S32) 0x80001000,
-
-  /** There was an error, but the cause of the error could not be determined */
-  OMX_ErrorUndefined = (OMX_S32) 0x80001001,
-
-  /** The component name string was not valid */
-  OMX_ErrorInvalidComponentName = (OMX_S32) 0x80001002,
-
-  /** No component with the specified name string was found */
-  OMX_ErrorComponentNotFound = (OMX_S32) 0x80001003,
-
-  /** The component specified did not have a "OMX_ComponentInit" or
-      "OMX_ComponentDeInit entry point */
-  OMX_ErrorInvalidComponent = (OMX_S32) 0x80001004,
-
-  /** One or more parameters were not valid */
-  OMX_ErrorBadParameter = (OMX_S32) 0x80001005,
-
-  /** The requested function is not implemented */
-  OMX_ErrorNotImplemented = (OMX_S32) 0x80001006,
-
-  /** The buffer was emptied before the next buffer was ready */
-  OMX_ErrorUnderflow = (OMX_S32) 0x80001007,
-
-  /** The buffer was not available when it was needed */
-  OMX_ErrorOverflow = (OMX_S32) 0x80001008,
-
-  /** The hardware failed to respond as expected */
-  OMX_ErrorHardware = (OMX_S32) 0x80001009,
-
-  /** The component is in the state OMX_StateInvalid */
-  OMX_ErrorInvalidState = (OMX_S32) 0x8000100A,
-
-  /** Stream is found to be corrupt */
-  OMX_ErrorStreamCorrupt = (OMX_S32) 0x8000100B,
-
-  /** Ports being connected are not compatible */
-  OMX_ErrorPortsNotCompatible = (OMX_S32) 0x8000100C,
-
-  /** Resources allocated to an idle component have been
-      lost resulting in the component returning to the loaded state */
-  OMX_ErrorResourcesLost = (OMX_S32) 0x8000100D,
-
-  /** No more indicies can be enumerated */
-  OMX_ErrorNoMore = (OMX_S32) 0x8000100E,
-
-  /** The component detected a version mismatch */
-  OMX_ErrorVersionMismatch = (OMX_S32) 0x8000100F,
-
-  /** The component is not ready to return data at this time */
-  OMX_ErrorNotReady = (OMX_S32) 0x80001010,
-
-  /** There was a timeout that occurred */
-  OMX_ErrorTimeout = (OMX_S32) 0x80001011,
-
-  /** This error occurs when trying to transition into the state you are already in */
-  OMX_ErrorSameState = (OMX_S32) 0x80001012,
-
-  /** Resources allocated to an executing or paused component have been 
-      preempted, causing the component to return to the idle state */
-  OMX_ErrorResourcesPreempted = (OMX_S32) 0x80001013, 
-
-  /** A non-supplier port sends this error to the IL client (via the EventHandler callback) 
-      during the allocation of buffers (on a transition from the LOADED to the IDLE state or
-      on a port restart) when it deems that it has waited an unusually long time for the supplier 
-      to send it an allocated buffer via a UseBuffer call. */
-  OMX_ErrorPortUnresponsiveDuringAllocation = (OMX_S32) 0x80001014,
-
-  /** A non-supplier port sends this error to the IL client (via the EventHandler callback) 
-      during the deallocation of buffers (on a transition from the IDLE to LOADED state or 
-      on a port stop) when it deems that it has waited an unusually long time for the supplier 
-      to request the deallocation of a buffer header via a FreeBuffer call. */
-  OMX_ErrorPortUnresponsiveDuringDeallocation = (OMX_S32) 0x80001015,
-
-  /** A supplier port sends this error to the IL client (via the EventHandler callback) 
-      during the stopping of a port (either on a transition from the IDLE to LOADED 
-      state or a port stop) when it deems that it has waited an unusually long time for 
-      the non-supplier to return a buffer via an EmptyThisBuffer or FillThisBuffer call. */
-  OMX_ErrorPortUnresponsiveDuringStop = (OMX_S32) 0x80001016,
-
-  /** Attempting a state transtion that is not allowed */
-  OMX_ErrorIncorrectStateTransition = (OMX_S32) 0x80001017,
-
-  /* Attempting a command that is not allowed during the present state. */
-  OMX_ErrorIncorrectStateOperation = (OMX_S32) 0x80001018, 
-
-  /** The values encapsulated in the parameter or config structure are not supported. */
-  OMX_ErrorUnsupportedSetting = (OMX_S32) 0x80001019,
-
-  /** The parameter or config indicated by the given index is not supported. */
-  OMX_ErrorUnsupportedIndex = (OMX_S32) 0x8000101A,
-
-  /** The port index supplied is incorrect. */
-  OMX_ErrorBadPortIndex = (OMX_S32) 0x8000101B,
-
-  /** The port has lost one or more of its buffers and it thus unpopulated. */
-  OMX_ErrorPortUnpopulated = (OMX_S32) 0x8000101C,
-
-  /** Component suspended due to temporary loss of resources */
-  OMX_ErrorComponentSuspended = (OMX_S32) 0x8000101D,
-
-  /** Component suspended due to an inability to acquire dynamic resources */
-  OMX_ErrorDynamicResourcesUnavailable = (OMX_S32) 0x8000101E,
-
-  /** When the macroblock error reporting is enabled the component returns new error 
-  for every frame that has errors */
-  OMX_ErrorMbErrorsInFrame = (OMX_S32) 0x8000101F,
-
-  /** A component reports this error when it cannot parse or determine the format of an input stream. */
-  OMX_ErrorFormatNotDetected = (OMX_S32) 0x80001020, 
-
-  /** The content open operation failed. */
-  OMX_ErrorContentPipeOpenFailed = (OMX_S32) 0x80001021,
-
-  /** The content creation operation failed. */
-  OMX_ErrorContentPipeCreationFailed = (OMX_S32) 0x80001022,
-
-  /** Separate table information is being used */
-  OMX_ErrorSeperateTablesUsed = (OMX_S32) 0x80001023,
-
-  /** Tunneling is unsupported by the component*/
-  OMX_ErrorTunnelingUnsupported = (OMX_S32) 0x80001024,
-
-  OMX_ErrorKhronosExtensions = (OMX_S32)0x8F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-  OMX_ErrorVendorStartUnused = (OMX_S32)0x90000000, /**< Reserved region for introducing Vendor Extensions */
-  OMX_ErrorMax = 0x7FFFFFFF
-} OMX_ERRORTYPE;
-
-/** @ingroup core */
-typedef OMX_ERRORTYPE (* OMX_COMPONENTINITTYPE)(OMX_IN  OMX_HANDLETYPE hComponent);
-
-/** @ingroup core */
-typedef struct OMX_COMPONENTREGISTERTYPE
-{
-  const char          * pName;       /* Component name, 128 byte limit (including '\0') applies */
-  OMX_COMPONENTINITTYPE pInitialize; /* Component instance initialization function */
-} OMX_COMPONENTREGISTERTYPE;
-
-/** @ingroup core */
-extern OMX_COMPONENTREGISTERTYPE OMX_ComponentRegistered[];
-
-/** @ingroup rpm */
-typedef struct OMX_PRIORITYMGMTTYPE {
- OMX_U32 nSize;             /**< size of the structure in bytes */
- OMX_VERSIONTYPE nVersion;  /**< OMX specification version information */
- OMX_U32 nGroupPriority;            /**< Priority of the component group */
- OMX_U32 nGroupID;                  /**< ID of the component group */
-} OMX_PRIORITYMGMTTYPE;
-
-/* Component name and Role names are limited to 128 characters including the terminating '\0'. */
-#define OMX_MAX_STRINGNAME_SIZE 128
-
-/** @ingroup comp */
-typedef struct OMX_PARAM_COMPONENTROLETYPE {
-    OMX_U32 nSize;              /**< size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion;   /**< OMX specification version information */
-    OMX_U8 cRole[OMX_MAX_STRINGNAME_SIZE];  /**< name of standard component which defines component role */
-} OMX_PARAM_COMPONENTROLETYPE;
-
-/** End of Stream Buffer Flag: 
-  *
-  * A component sets EOS when it has no more data to emit on a particular 
-  * output port. Thus an output port shall set EOS on the last buffer it 
-  * emits. A component's determination of when an output port should 
-  * cease sending data is implemenation specific.
-  * @ingroup buf
-  */
-
-#define OMX_BUFFERFLAG_EOS 0x00000001 
-
-/** Start Time Buffer Flag: 
- *
- * The source of a stream (e.g. a demux component) sets the STARTTIME
- * flag on the buffer that contains the starting timestamp for the
- * stream. The starting timestamp corresponds to the first data that
- * should be displayed at startup or after a seek.
- * The first timestamp of the stream is not necessarily the start time.
- * For instance, in the case of a seek to a particular video frame, 
- * the target frame may be an interframe. Thus the first buffer of 
- * the stream will be the intra-frame preceding the target frame and
- * the starttime will occur with the target frame (with any other
- * required frames required to reconstruct the target intervening).
- *
- * The STARTTIME flag is directly associated with the buffer's 
- * timestamp ' thus its association to buffer data and its 
- * propagation is identical to the timestamp's.
- *
- * When a Sync Component client receives a buffer with the 
- * STARTTIME flag it shall perform a SetConfig on its sync port 
- * using OMX_ConfigTimeClientStartTime and passing the buffer's
- * timestamp.
- * 
- * @ingroup buf
- */
-
-#define OMX_BUFFERFLAG_STARTTIME 0x00000002
-
- 
-
-/** Decode Only Buffer Flag: 
- *
- * The source of a stream (e.g. a demux component) sets the DECODEONLY
- * flag on any buffer that should shall be decoded but should not be
- * displayed. This flag is used, for instance, when a source seeks to 
- * a target interframe that requires the decode of frames preceding the 
- * target to facilitate the target's reconstruction. In this case the 
- * source would emit the frames preceding the target downstream 
- * but mark them as decode only.
- *
- * The DECODEONLY is associated with buffer data and propagated in a 
- * manner identical to the buffer timestamp.
- *
- * A component that renders data should ignore all buffers with 
- * the DECODEONLY flag set.
- * 
- * @ingroup buf
- */
-
-#define OMX_BUFFERFLAG_DECODEONLY 0x00000004
-
-
-/* Data Corrupt Flag: This flag is set when the IL client believes the data in the associated buffer is corrupt 
- * @ingroup buf
- */
-
-#define OMX_BUFFERFLAG_DATACORRUPT 0x00000008
-
-/* End of Frame: The buffer contains exactly one end of frame and no data
- *  occurs after the end of frame. This flag is an optional hint. The absence
- *  of this flag does not imply the absence of an end of frame within the buffer. 
- * @ingroup buf
-*/
-#define OMX_BUFFERFLAG_ENDOFFRAME 0x00000010
-
-/* Sync Frame Flag: This flag is set when the buffer content contains a coded sync frame ' 
- *  a frame that has no dependency on any other frame information 
- *  @ingroup buf
- */
-#define OMX_BUFFERFLAG_SYNCFRAME 0x00000020
-
-/* Extra data present flag: there is extra data appended to the data stream
- * residing in the buffer 
- * @ingroup buf  
- */
-#define OMX_BUFFERFLAG_EXTRADATA 0x00000040
-
-/** Codec Config Buffer Flag: 
-* OMX_BUFFERFLAG_CODECCONFIG is an optional flag that is set by an
-* output port when all bytes in the buffer form part or all of a set of
-* codec specific configuration data.  Examples include SPS/PPS nal units
-* for OMX_VIDEO_CodingAVC or AudioSpecificConfig data for
-* OMX_AUDIO_CodingAAC.  Any component that for a given stream sets 
-* OMX_BUFFERFLAG_CODECCONFIG shall not mix codec configuration bytes
-* with frame data in the same buffer, and shall send all buffers
-* containing codec configuration bytes before any buffers containing
-* frame data that those configurations bytes describe.
-* If the stream format for a particular codec has a frame specific
-* header at the start of each frame, for example OMX_AUDIO_CodingMP3 or
-* OMX_AUDIO_CodingAAC in ADTS mode, then these shall be presented as
-* normal without setting OMX_BUFFERFLAG_CODECCONFIG.
- * @ingroup buf
- */
-#define OMX_BUFFERFLAG_CODECCONFIG 0x00000080
-
-
-
-/** @ingroup buf */
-typedef struct OMX_BUFFERHEADERTYPE
-{
-    OMX_U32 nSize;              /**< size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion;   /**< OMX specification version information */
-    OMX_U8* pBuffer;            /**< Pointer to actual block of memory 
-                                     that is acting as the buffer */
-    OMX_U32 nAllocLen;          /**< size of the buffer allocated, in bytes */
-    OMX_U32 nFilledLen;         /**< number of bytes currently in the 
-                                     buffer */
-    OMX_U32 nOffset;            /**< start offset of valid data in bytes from
-                                     the start of the buffer */
-    OMX_PTR pAppPrivate;        /**< pointer to any data the application
-                                     wants to associate with this buffer */
-    OMX_PTR pPlatformPrivate;   /**< pointer to any data the platform
-                                     wants to associate with this buffer */ 
-    OMX_PTR pInputPortPrivate;  /**< pointer to any data the input port
-                                     wants to associate with this buffer */
-    OMX_PTR pOutputPortPrivate; /**< pointer to any data the output port
-                                     wants to associate with this buffer */
-    OMX_HANDLETYPE hMarkTargetComponent; /**< The component that will generate a 
-                                              mark event upon processing this buffer. */
-    OMX_PTR pMarkData;          /**< Application specific data associated with 
-                                     the mark sent on a mark event to disambiguate 
-                                     this mark from others. */
-    OMX_U32 nTickCount;         /**< Optional entry that the component and
-                                     application can update with a tick count
-                                     when they access the component.  This
-                                     value should be in microseconds.  Since
-                                     this is a value relative to an arbitrary
-                                     starting point, this value cannot be used 
-                                     to determine absolute time.  This is an
-                                     optional entry and not all components
-                                     will update it.*/
- OMX_TICKS nTimeStamp;          /**< Timestamp corresponding to the sample 
-                                     starting at the first logical sample 
-                                     boundary in the buffer. Timestamps of 
-                                     successive samples within the buffer may
-                                     be inferred by adding the duration of the 
-                                     of the preceding buffer to the timestamp
-                                     of the preceding buffer.*/
-  OMX_U32     nFlags;           /**< buffer specific flags */
-  OMX_U32 nOutputPortIndex;     /**< The index of the output port (if any) using 
-                                     this buffer */
-  OMX_U32 nInputPortIndex;      /**< The index of the input port (if any) using
-                                     this buffer */
-} OMX_BUFFERHEADERTYPE;
-
-/** The OMX_EXTRADATATYPE enumeration is used to define the 
- * possible extra data payload types.
- * NB: this enum is binary backwards compatible with the previous
- * OMX_EXTRADATA_QUANT define.  This should be replaced with
- * OMX_ExtraDataQuantization.
- */
-typedef enum OMX_EXTRADATATYPE
-{
-   OMX_ExtraDataNone = 0,                       /**< Indicates that no more extra data sections follow */        
-   OMX_ExtraDataQuantization,                   /**< The data payload contains quantization data */
-   OMX_ExtraDataKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-   OMX_ExtraDataVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-   OMX_ExtraDataMax = 0x7FFFFFFF
-} OMX_EXTRADATATYPE;
-
-
-typedef struct OMX_OTHER_EXTRADATATYPE  {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;               
-    OMX_U32 nPortIndex;
-    OMX_EXTRADATATYPE eType;       /* Extra Data type */
-    OMX_U32 nDataSize;   /* Size of the supporting data to follow */
-    OMX_U8  data[1];     /* Supporting data hint  */
-} OMX_OTHER_EXTRADATATYPE;
-
-/** @ingroup comp */
-typedef struct OMX_PORT_PARAM_TYPE {
-    OMX_U32 nSize;              /**< size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion;   /**< OMX specification version information */
-    OMX_U32 nPorts;             /**< The number of ports for this component */
-    OMX_U32 nStartPortNumber;   /** first port number for this type of port */
-} OMX_PORT_PARAM_TYPE; 
-
-/** @ingroup comp */
-typedef enum OMX_EVENTTYPE
-{
-    OMX_EventCmdComplete,         /**< component has sucessfully completed a command */
-    OMX_EventError,               /**< component has detected an error condition */
-    OMX_EventMark,                /**< component has detected a buffer mark */
-    OMX_EventPortSettingsChanged, /**< component is reported a port settings change */
-    OMX_EventBufferFlag,          /**< component has detected an EOS */ 
-    OMX_EventResourcesAcquired,   /**< component has been granted resources and is
-                                       automatically starting the state change from
-                                       OMX_StateWaitForResources to OMX_StateIdle. */
-   OMX_EventComponentResumed,     /**< Component resumed due to reacquisition of resources */
-   OMX_EventDynamicResourcesAvailable, /**< Component has acquired previously unavailable dynamic resources */
-   OMX_EventPortFormatDetected,      /**< Component has detected a supported format. */
-   OMX_EventKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-   OMX_EventVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-   OMX_EventMax = 0x7FFFFFFF
-} OMX_EVENTTYPE;
-
-typedef struct OMX_CALLBACKTYPE
-{
-    /** The EventHandler method is used to notify the application when an
-        event of interest occurs.  Events are defined in the OMX_EVENTTYPE
-        enumeration.  Please see that enumeration for details of what will
-        be returned for each type of event. Callbacks should not return
-        an error to the component, so if an error occurs, the application 
-        shall handle it internally.  This is a blocking call.
-
-        The application should return from this call within 5 msec to avoid
-        blocking the component for an excessively long period of time.
-
-        @param hComponent
-            handle of the component to access.  This is the component
-            handle returned by the call to the GetHandle function.
-        @param pAppData
-            pointer to an application defined value that was provided in the 
-            pAppData parameter to the OMX_GetHandle method for the component.
-            This application defined value is provided so that the application 
-            can have a component specific context when receiving the callback.
-        @param eEvent
-            Event that the component wants to notify the application about.
-        @param nData1
-            nData will be the OMX_ERRORTYPE for an error event and will be 
-            an OMX_COMMANDTYPE for a command complete event and OMX_INDEXTYPE for a OMX_PortSettingsChanged event.
-         @param nData2
-            nData2 will hold further information related to the event. Can be OMX_STATETYPE for
-            a OMX_CommandStateSet command or port index for a OMX_PortSettingsChanged event.
-            Default value is 0 if not used. )
-        @param pEventData
-            Pointer to additional event-specific data (see spec for meaning).
-      */
-
-   OMX_ERRORTYPE (*EventHandler)(
-        OMX_IN OMX_HANDLETYPE hComponent,
-        OMX_IN OMX_PTR pAppData,
-        OMX_IN OMX_EVENTTYPE eEvent,
-        OMX_IN OMX_U32 nData1,
-        OMX_IN OMX_U32 nData2,
-        OMX_IN OMX_PTR pEventData);
-
-    /** The EmptyBufferDone method is used to return emptied buffers from an
-        input port back to the application for reuse.  This is a blocking call 
-        so the application should not attempt to refill the buffers during this
-        call, but should queue them and refill them in another thread.  There
-        is no error return, so the application shall handle any errors generated
-        internally.  
-        
-        The application should return from this call within 5 msec.
-        
-        @param hComponent
-            handle of the component to access.  This is the component
-            handle returned by the call to the GetHandle function.
-        @param pAppData
-            pointer to an application defined value that was provided in the 
-            pAppData parameter to the OMX_GetHandle method for the component.
-            This application defined value is provided so that the application 
-            can have a component specific context when receiving the callback.
-        @param pBuffer
-            pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-            or AllocateBuffer indicating the buffer that was emptied.
-        @ingroup buf
-     */
-    OMX_ERRORTYPE (*EmptyBufferDone)(
-        OMX_IN OMX_HANDLETYPE hComponent,
-        OMX_IN OMX_PTR pAppData,
-        OMX_IN OMX_BUFFERHEADERTYPE* pBuffer);
-
-    /** The FillBufferDone method is used to return filled buffers from an
-        output port back to the application for emptying and then reuse.  
-        This is a blocking call so the application should not attempt to 
-        empty the buffers during this call, but should queue the buffers 
-        and empty them in another thread.  There is no error return, so 
-        the application shall handle any errors generated internally.  The 
-        application shall also update the buffer header to indicate the
-        number of bytes placed into the buffer.  
-
-        The application should return from this call within 5 msec.
-        
-        @param hComponent
-            handle of the component to access.  This is the component
-            handle returned by the call to the GetHandle function.
-        @param pAppData
-            pointer to an application defined value that was provided in the 
-            pAppData parameter to the OMX_GetHandle method for the component.
-            This application defined value is provided so that the application 
-            can have a component specific context when receiving the callback.
-        @param pBuffer
-            pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-            or AllocateBuffer indicating the buffer that was filled.
-        @ingroup buf
-     */
-    OMX_ERRORTYPE (*FillBufferDone)(
-        OMX_OUT OMX_HANDLETYPE hComponent,
-        OMX_OUT OMX_PTR pAppData,
-        OMX_OUT OMX_BUFFERHEADERTYPE* pBuffer);
-
-} OMX_CALLBACKTYPE;
-
-/** The OMX_BUFFERSUPPLIERTYPE enumeration is used to dictate port supplier
-    preference when tunneling between two ports.
-    @ingroup tun buf
-*/
-typedef enum OMX_BUFFERSUPPLIERTYPE
-{
-    OMX_BufferSupplyUnspecified = 0x0, /**< port supplying the buffers is unspecified,
-                                              or don't care */
-    OMX_BufferSupplyInput,             /**< input port supplies the buffers */
-    OMX_BufferSupplyOutput,            /**< output port supplies the buffers */
-    OMX_BufferSupplyKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_BufferSupplyVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_BufferSupplyMax = 0x7FFFFFFF
-} OMX_BUFFERSUPPLIERTYPE;
-
-
-/** buffer supplier parameter 
- * @ingroup tun
- */
-typedef struct OMX_PARAM_BUFFERSUPPLIERTYPE {
-    OMX_U32 nSize; /**< size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion; /**< OMX specification version information */
-    OMX_U32 nPortIndex; /**< port that this structure applies to */
-    OMX_BUFFERSUPPLIERTYPE eBufferSupplier; /**< buffer supplier */
-} OMX_PARAM_BUFFERSUPPLIERTYPE;
-
-
-/**< indicates that buffers received by an input port of a tunnel 
-     may not modify the data in the buffers 
-     @ingroup tun
- */
-#define OMX_PORTTUNNELFLAG_READONLY 0x00000001 
-
-
-/** The OMX_TUNNELSETUPTYPE structure is used to pass data from an output
-    port to an input port as part the two ComponentTunnelRequest calls
-    resulting from a OMX_SetupTunnel call from the IL Client. 
-    @ingroup tun
- */   
-typedef struct OMX_TUNNELSETUPTYPE
-{
-    OMX_U32 nTunnelFlags;             /**< bit flags for tunneling */
-    OMX_BUFFERSUPPLIERTYPE eSupplier; /**< supplier preference */
-} OMX_TUNNELSETUPTYPE; 
-
-/* OMX Component headers is included to enable the core to use
-   macros for functions into the component for OMX release 1.0.  
-   Developers should not access any structures or data from within
-   the component header directly */
-/* TO BE REMOVED - #include <OMX_Component.h> */
-
-/** GetComponentVersion will return information about the component.  
-    This is a blocking call.  This macro will go directly from the
-    application to the component (via a core macro).  The
-    component will return from this call within 5 msec.
-    @param [in] hComponent
-        handle of component to execute the command
-    @param [out] pComponentName
-        pointer to an empty string of length 128 bytes.  The component 
-        will write its name into this string.  The name will be 
-        terminated by a single zero byte.  The name of a component will 
-        be 127 bytes or less to leave room for the trailing zero byte.  
-        An example of a valid component name is "OMX.ABC.ChannelMixer\0".
-    @param [out] pComponentVersion
-        pointer to an OMX Version structure that the component will fill 
-        in.  The component will fill in a value that indicates the 
-        component version.  NOTE: the component version is NOT the same 
-        as the OMX Specification version (found in all structures).  The 
-        component version is defined by the vendor of the component and 
-        its value is entirely up to the component vendor.
-    @param [out] pSpecVersion
-        pointer to an OMX Version structure that the component will fill 
-        in.  The SpecVersion is the version of the specification that the 
-        component was built against.  Please note that this value may or 
-        may not match the structure's version.  For example, if the 
-        component was built against the 2.0 specification, but the 
-        application (which creates the structure is built against the 
-        1.0 specification the versions would be different.
-    @param [out] pComponentUUID
-        pointer to the UUID of the component which will be filled in by 
-        the component.  The UUID is a unique identifier that is set at 
-        RUN time for the component and is unique to each instantion of 
-        the component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_GetComponentVersion(                            \
-        hComponent,                                         \
-        pComponentName,                                     \
-        pComponentVersion,                                  \
-        pSpecVersion,                                       \
-        pComponentUUID)                                     \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetComponentVersion(  \
-        hComponent,                                         \
-        pComponentName,                                     \
-        pComponentVersion,                                  \
-        pSpecVersion,                                       \
-        pComponentUUID)                 /* Macro End */
-
-
-/** Send a command to the component.  This call is a non-blocking call.
-    The component should check the parameters and then queue the command
-    to the component thread to be executed.  The component thread shall 
-    send the EventHandler() callback at the conclusion of the command. 
-    This macro will go directly from the application to the component (via
-    a core macro).  The component will return from this call within 5 msec.
-    
-    When the command is "OMX_CommandStateSet" the component will queue a
-    state transition to the new state idenfied in nParam.
-    
-    When the command is "OMX_CommandFlush", to flush a port's buffer queues,
-    the command will force the component to return all buffers NOT CURRENTLY 
-    BEING PROCESSED to the application, in the order in which the buffers 
-    were received.
-    
-    When the command is "OMX_CommandPortDisable" or 
-    "OMX_CommandPortEnable", the component's port (given by the value of
-    nParam) will be stopped or restarted. 
-    
-    When the command "OMX_CommandMarkBuffer" is used to mark a buffer, the
-    pCmdData will point to a OMX_MARKTYPE structure containing the component
-    handle of the component to examine the buffer chain for the mark.  nParam1
-    contains the index of the port on which the buffer mark is applied.
-
-    Specification text for more details. 
-    
-    @param [in] hComponent
-        handle of component to execute the command
-    @param [in] Cmd
-        Command for the component to execute
-    @param [in] nParam
-        Parameter for the command to be executed.  When Cmd has the value 
-        OMX_CommandStateSet, value is a member of OMX_STATETYPE.  When Cmd has 
-        the value OMX_CommandFlush, value of nParam indicates which port(s) 
-        to flush. -1 is used to flush all ports a single port index will 
-        only flush that port.  When Cmd has the value "OMX_CommandPortDisable"
-        or "OMX_CommandPortEnable", the component's port is given by 
-        the value of nParam.  When Cmd has the value "OMX_CommandMarkBuffer"
-        the components pot is given by the value of nParam.
-    @param [in] pCmdData
-        Parameter pointing to the OMX_MARKTYPE structure when Cmd has the value
-        "OMX_CommandMarkBuffer".     
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_SendCommand(                                    \
-         hComponent,                                        \
-         Cmd,                                               \
-         nParam,                                            \
-         pCmdData)                                          \
-     ((OMX_COMPONENTTYPE*)hComponent)->SendCommand(         \
-         hComponent,                                        \
-         Cmd,                                               \
-         nParam,                                            \
-         pCmdData)                          /* Macro End */
-
-
-/** The OMX_GetParameter macro will get one of the current parameter 
-    settings from the component.  This macro cannot only be invoked when 
-    the component is in the OMX_StateInvalid state.  The nParamIndex
-    parameter is used to indicate which structure is being requested from
-    the component.  The application shall allocate the correct structure 
-    and shall fill in the structure size and version information before 
-    invoking this macro.  When the parameter applies to a port, the
-    caller shall fill in the appropriate nPortIndex value indicating the
-    port on which the parameter applies. If the component has not had 
-    any settings changed, then the component should return a set of 
-    valid DEFAULT  parameters for the component.  This is a blocking 
-    call.  
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nParamIndex
-        Index of the structure to be filled.  This value is from the
-        OMX_INDEXTYPE enumeration.
-    @param [in,out] pComponentParameterStructure
-        Pointer to application allocated structure to be filled by the 
-        component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_GetParameter(                                   \
-        hComponent,                                         \
-        nParamIndex,                                        \
-        pComponentParameterStructure)                        \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetParameter(         \
-        hComponent,                                         \
-        nParamIndex,                                        \
-        pComponentParameterStructure)    /* Macro End */
-
-
-/** The OMX_SetParameter macro will send an initialization parameter
-    structure to a component.  Each structure shall be sent one at a time,
-    in a separate invocation of the macro.  This macro can only be
-    invoked when the component is in the OMX_StateLoaded state, or the
-    port is disabled (when the parameter applies to a port). The 
-    nParamIndex parameter is used to indicate which structure is being
-    passed to the component.  The application shall allocate the 
-    correct structure and shall fill in the structure size and version 
-    information (as well as the actual data) before invoking this macro.
-    The application is free to dispose of this structure after the call
-    as the component is required to copy any data it shall retain.  This 
-    is a blocking call.  
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nIndex
-        Index of the structure to be sent.  This value is from the
-        OMX_INDEXTYPE enumeration.
-    @param [in] pComponentParameterStructure
-        pointer to application allocated structure to be used for
-        initialization by the component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_SetParameter(                                   \
-        hComponent,                                         \
-        nParamIndex,                                        \
-        pComponentParameterStructure)                        \
-    ((OMX_COMPONENTTYPE*)hComponent)->SetParameter(         \
-        hComponent,                                         \
-        nParamIndex,                                        \
-        pComponentParameterStructure)    /* Macro End */
-
-
-/** The OMX_GetConfig macro will get one of the configuration structures 
-    from a component.  This macro can be invoked anytime after the 
-    component has been loaded.  The nParamIndex call parameter is used to 
-    indicate which structure is being requested from the component.  The 
-    application shall allocate the correct structure and shall fill in the 
-    structure size and version information before invoking this macro.  
-    If the component has not had this configuration parameter sent before, 
-    then the component should return a set of valid DEFAULT values for the 
-    component.  This is a blocking call.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nIndex
-        Index of the structure to be filled.  This value is from the
-        OMX_INDEXTYPE enumeration.
-    @param [in,out] pComponentConfigStructure
-        pointer to application allocated structure to be filled by the 
-        component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
-*/        
-#define OMX_GetConfig(                                      \
-        hComponent,                                         \
-        nConfigIndex,                                       \
-        pComponentConfigStructure)                           \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetConfig(            \
-        hComponent,                                         \
-        nConfigIndex,                                       \
-        pComponentConfigStructure)       /* Macro End */
-
-
-/** The OMX_SetConfig macro will send one of the configuration 
-    structures to a component.  Each structure shall be sent one at a time,
-    each in a separate invocation of the macro.  This macro can be invoked 
-    anytime after the component has been loaded.  The application shall 
-    allocate the correct structure and shall fill in the structure size 
-    and version information (as well as the actual data) before invoking 
-    this macro.  The application is free to dispose of this structure after 
-    the call as the component is required to copy any data it shall retain.  
-    This is a blocking call.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nConfigIndex
-        Index of the structure to be sent.  This value is from the
-        OMX_INDEXTYPE enumeration above.
-    @param [in] pComponentConfigStructure
-        pointer to application allocated structure to be used for
-        initialization by the component.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_SetConfig(                                      \
-        hComponent,                                         \
-        nConfigIndex,                                       \
-        pComponentConfigStructure)                           \
-    ((OMX_COMPONENTTYPE*)hComponent)->SetConfig(            \
-        hComponent,                                         \
-        nConfigIndex,                                       \
-        pComponentConfigStructure)       /* Macro End */
-
-
-/** The OMX_GetExtensionIndex macro will invoke a component to translate 
-    a vendor specific configuration or parameter string into an OMX 
-    structure index.  There is no requirement for the vendor to support 
-    this command for the indexes already found in the OMX_INDEXTYPE 
-    enumeration (this is done to save space in small components).  The 
-    component shall support all vendor supplied extension indexes not found
-    in the master OMX_INDEXTYPE enumeration.  This is a blocking call.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the GetHandle function.
-    @param [in] cParameterName
-        OMX_STRING that shall be less than 128 characters long including
-        the trailing null byte.  This is the string that will get 
-        translated by the component into a configuration index.
-    @param [out] pIndexType
-        a pointer to a OMX_INDEXTYPE to receive the index value.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_GetExtensionIndex(                              \
-        hComponent,                                         \
-        cParameterName,                                     \
-        pIndexType)                                         \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetExtensionIndex(    \
-        hComponent,                                         \
-        cParameterName,                                     \
-        pIndexType)                     /* Macro End */
-
-
-/** The OMX_GetState macro will invoke the component to get the current 
-    state of the component and place the state value into the location
-    pointed to by pState.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [out] pState
-        pointer to the location to receive the state.  The value returned
-        is one of the OMX_STATETYPE members 
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp
- */
-#define OMX_GetState(                                       \
-        hComponent,                                         \
-        pState)                                             \
-    ((OMX_COMPONENTTYPE*)hComponent)->GetState(             \
-        hComponent,                                         \
-        pState)                         /* Macro End */
-
-
-/** The OMX_UseBuffer macro will request that the component use
-    a buffer (and allocate its own buffer header) already allocated 
-    by another component, or by the IL Client. This is a blocking 
-    call.
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [out] ppBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure used to receive the 
-        pointer to the buffer header
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-
-#define OMX_UseBuffer(                                      \
-           hComponent,                                      \
-           ppBufferHdr,                                     \
-           nPortIndex,                                      \
-           pAppPrivate,                                     \
-           nSizeBytes,                                      \
-           pBuffer)                                         \
-    ((OMX_COMPONENTTYPE*)hComponent)->UseBuffer(            \
-           hComponent,                                      \
-           ppBufferHdr,                                     \
-           nPortIndex,                                      \
-           pAppPrivate,                                     \
-           nSizeBytes,                                      \
-           pBuffer)
-
-
-/** The OMX_AllocateBuffer macro will request that the component allocate 
-    a new buffer and buffer header.  The component will allocate the 
-    buffer and the buffer header and return a pointer to the buffer 
-    header.  This is a blocking call.
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [out] ppBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure used to receive 
-        the pointer to the buffer header
-    @param [in] nPortIndex
-        nPortIndex is used to select the port on the component the buffer will
-        be used with.  The port can be found by using the nPortIndex
-        value as an index into the Port Definition array of the component.
-    @param [in] pAppPrivate
-        pAppPrivate is used to initialize the pAppPrivate member of the 
-        buffer header structure.
-    @param [in] nSizeBytes
-        size of the buffer to allocate.  Used when bAllocateNew is true.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */    
-#define OMX_AllocateBuffer(                                 \
-        hComponent,                                         \
-        ppBuffer,                                           \
-        nPortIndex,                                         \
-        pAppPrivate,                                        \
-        nSizeBytes)                                         \
-    ((OMX_COMPONENTTYPE*)hComponent)->AllocateBuffer(       \
-        hComponent,                                         \
-        ppBuffer,                                           \
-        nPortIndex,                                         \
-        pAppPrivate,                                        \
-        nSizeBytes)                     /* Macro End */
-
-
-/** The OMX_FreeBuffer macro will release a buffer header from the component
-    which was allocated using either OMX_AllocateBuffer or OMX_UseBuffer. If  
-    the component allocated the buffer (see the OMX_UseBuffer macro) then 
-    the component shall free the buffer and buffer header. This is a 
-    blocking call. 
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] nPortIndex
-        nPortIndex is used to select the port on the component the buffer will
-        be used with.
-    @param [in] pBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-        or AllocateBuffer.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-#define OMX_FreeBuffer(                                     \
-        hComponent,                                         \
-        nPortIndex,                                         \
-        pBuffer)                                            \
-    ((OMX_COMPONENTTYPE*)hComponent)->FreeBuffer(           \
-        hComponent,                                         \
-        nPortIndex,                                         \
-        pBuffer)                        /* Macro End */
-
-
-/** The OMX_EmptyThisBuffer macro will send a buffer full of data to an 
-    input port of a component.  The buffer will be emptied by the component
-    and returned to the application via the EmptyBufferDone call back.
-    This is a non-blocking call in that the component will record the buffer
-    and return immediately and then empty the buffer, later, at the proper 
-    time.  As expected, this macro may be invoked only while the component 
-    is in the OMX_StateExecuting.  If nPortIndex does not specify an input
-    port, the component shall return an error.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] pBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-        or AllocateBuffer.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-#define OMX_EmptyThisBuffer(                                \
-        hComponent,                                         \
-        pBuffer)                                            \
-    ((OMX_COMPONENTTYPE*)hComponent)->EmptyThisBuffer(      \
-        hComponent,                                         \
-        pBuffer)                        /* Macro End */
-
-
-/** The OMX_FillThisBuffer macro will send an empty buffer to an 
-    output port of a component.  The buffer will be filled by the component
-    and returned to the application via the FillBufferDone call back.
-    This is a non-blocking call in that the component will record the buffer
-    and return immediately and then fill the buffer, later, at the proper 
-    time.  As expected, this macro may be invoked only while the component 
-    is in the OMX_ExecutingState.  If nPortIndex does not specify an output
-    port, the component shall return an error.  
-    
-    The component should return from this call within 5 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [in] pBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure allocated with UseBuffer
-        or AllocateBuffer.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-#define OMX_FillThisBuffer(                                 \
-        hComponent,                                         \
-        pBuffer)                                            \
-    ((OMX_COMPONENTTYPE*)hComponent)->FillThisBuffer(       \
-        hComponent,                                         \
-        pBuffer)                        /* Macro End */
-
-
-
-/** The OMX_UseEGLImage macro will request that the component use
-    a EGLImage provided by EGL (and allocate its own buffer header)
-    This is a blocking call.
-    
-    The component should return from this call within 20 msec.
-    
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the OMX_GetHandle function.
-    @param [out] ppBuffer
-        pointer to an OMX_BUFFERHEADERTYPE structure used to receive the 
-        pointer to the buffer header.  Note that the memory location used
-        for this buffer is NOT visible to the IL Client.
-    @param [in] nPortIndex
-        nPortIndex is used to select the port on the component the buffer will
-        be used with.  The port can be found by using the nPortIndex
-        value as an index into the Port Definition array of the component.
-    @param [in] pAppPrivate
-        pAppPrivate is used to initialize the pAppPrivate member of the 
-        buffer header structure.
-    @param [in] eglImage
-        eglImage contains the handle of the EGLImage to use as a buffer on the
-        specified port.  The component is expected to validate properties of 
-        the EGLImage against the configuration of the port to ensure the component
-        can use the EGLImage as a buffer.          
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup comp buf
- */
-#define OMX_UseEGLImage(                                    \
-           hComponent,                                      \
-           ppBufferHdr,                                     \
-           nPortIndex,                                      \
-           pAppPrivate,                                     \
-           eglImage)                                        \
-    ((OMX_COMPONENTTYPE*)hComponent)->UseEGLImage(          \
-           hComponent,                                      \
-           ppBufferHdr,                                     \
-           nPortIndex,                                      \
-           pAppPrivate,                                     \
-           eglImage)
-
-/** The OMX_Init method is used to initialize the OMX core.  It shall be the
-    first call made into OMX and it should only be executed one time without
-    an interviening OMX_Deinit call.  
-    
-    The core should return from this call within 20 msec.
-
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_Init(void);
-
-
-/** The OMX_Deinit method is used to deinitialize the OMX core.  It shall be 
-    the last call made into OMX. In the event that the core determines that 
-    thare are components loaded when this call is made, the core may return 
-    with an error rather than try to unload the components.
-        
-    The core should return from this call within 20 msec.
-    
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_Deinit(void);
-
-
-/** The OMX_ComponentNameEnum method will enumerate through all the names of
-    recognised valid components in the system. This function is provided
-    as a means to detect all the components in the system run-time. There is
-    no strict ordering to the enumeration order of component names, although
-    each name will only be enumerated once.  If the OMX core supports run-time
-    installation of new components, it is only requried to detect newly
-    installed components when the first call to enumerate component names
-    is made (i.e. when nIndex is 0x0).
-    
-    The core should return from this call in 20 msec.
-    
-    @param [out] cComponentName
-        pointer to a null terminated string with the component name.  The
-        names of the components are strings less than 127 bytes in length
-        plus the trailing null for a maximum size of 128 bytes.  An example 
-        of a valid component name is "OMX.TI.AUDIO.DSP.MIXER\0".  Names are 
-        assigned by the vendor, but shall start with "OMX." and then have 
-        the Vendor designation next.
-    @param [in] nNameLength
-        number of characters in the cComponentName string.  With all 
-        component name strings restricted to less than 128 characters 
-        (including the trailing null) it is recomended that the caller
-        provide a input string for the cComponentName of 128 characters.
-    @param [in] nIndex
-        number containing the enumeration index for the component. 
-        Multiple calls to OMX_ComponentNameEnum with increasing values
-        of nIndex will enumerate through the component names in the
-        system until OMX_ErrorNoMore is returned.  The value of nIndex
-        is 0 to (N-1), where N is the number of valid installed components
-        in the system.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  When the value of nIndex exceeds the number of 
-        components in the system minus 1, OMX_ErrorNoMore will be
-        returned. Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_ComponentNameEnum(
-    OMX_OUT OMX_STRING cComponentName,
-    OMX_IN  OMX_U32 nNameLength,
-    OMX_IN  OMX_U32 nIndex);
-
-
-/** The OMX_GetHandle method will locate the component specified by the
-    component name given, load that component into memory and then invoke
-    the component's methods to create an instance of the component.  
-    
-    The core should return from this call within 20 msec.
-    
-    @param [out] pHandle
-        pointer to an OMX_HANDLETYPE pointer to be filled in by this method.
-    @param [in] cComponentName
-        pointer to a null terminated string with the component name.  The
-        names of the components are strings less than 127 bytes in length
-        plus the trailing null for a maximum size of 128 bytes.  An example 
-        of a valid component name is "OMX.TI.AUDIO.DSP.MIXER\0".  Names are 
-        assigned by the vendor, but shall start with "OMX." and then have 
-        the Vendor designation next.
-    @param [in] pAppData
-        pointer to an application defined value that will be returned
-        during callbacks so that the application can identify the source
-        of the callback.
-    @param [in] pCallBacks
-        pointer to a OMX_CALLBACKTYPE structure that will be passed to the
-        component to initialize it with.  
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_GetHandle(
-    OMX_OUT OMX_HANDLETYPE* pHandle, 
-    OMX_IN  OMX_STRING cComponentName,
-    OMX_IN  OMX_PTR pAppData,
-    OMX_IN  OMX_CALLBACKTYPE* pCallBacks);
-
-
-/** The OMX_FreeHandle method will free a handle allocated by the OMX_GetHandle 
-    method.  If the component reference count goes to zero, the component will
-    be unloaded from memory.  
-    
-    The core should return from this call within 20 msec when the component is 
-    in the OMX_StateLoaded state.
-
-    @param [in] hComponent
-        Handle of the component to be accessed.  This is the component
-        handle returned by the call to the GetHandle function.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_FreeHandle(
-    OMX_IN  OMX_HANDLETYPE hComponent);
-
-
-
-/** The OMX_SetupTunnel method will handle the necessary calls to the components
-    to setup the specified tunnel the two components.  NOTE: This is
-    an actual method (not a #define macro).  This method will make calls into
-    the component ComponentTunnelRequest method to do the actual tunnel 
-    connection.  
-
-    The ComponentTunnelRequest method on both components will be called. 
-    This method shall not be called unless the component is in the 
-    OMX_StateLoaded state except when the ports used for the tunnel are
-    disabled. In this case, the component may be in the OMX_StateExecuting,
-    OMX_StatePause, or OMX_StateIdle states. 
-
-    The core should return from this call within 20 msec.
-    
-    @param [in] hOutput
-        Handle of the component to be accessed.  Also this is the handle
-        of the component whose port, specified in the nPortOutput parameter
-        will be used the source for the tunnel. This is the component handle
-        returned by the call to the OMX_GetHandle function.  There is a 
-        requirement that hOutput be the source for the data when
-        tunelling (i.e. nPortOutput is an output port).  If 0x0, the component
-        specified in hInput will have it's port specified in nPortInput
-        setup for communication with the application / IL client.
-    @param [in] nPortOutput
-        nPortOutput is used to select the source port on component to be
-        used in the tunnel. 
-    @param [in] hInput
-        This is the component to setup the tunnel with. This is the handle
-        of the component whose port, specified in the nPortInput parameter
-        will be used the destination for the tunnel. This is the component handle
-        returned by the call to the OMX_GetHandle function.  There is a 
-        requirement that hInput be the destination for the data when
-        tunelling (i.e. nPortInut is an input port).   If 0x0, the component
-        specified in hOutput will have it's port specified in nPortPOutput
-        setup for communication with the application / IL client.
-    @param [in] nPortInput
-        nPortInput is used to select the destination port on component to be
-        used in the tunnel.
-    @return OMX_ERRORTYPE
-        If the command successfully executes, the return code will be
-        OMX_ErrorNone.  Otherwise the appropriate OMX error will be returned.
-        When OMX_ErrorNotImplemented is returned, one or both components is 
-        a non-interop component and does not support tunneling.
-        
-        On failure, the ports of both components are setup for communication
-        with the application / IL Client.
-    @ingroup core tun
- */
-OMX_API OMX_ERRORTYPE OMX_APIENTRY OMX_SetupTunnel(
-    OMX_IN  OMX_HANDLETYPE hOutput,
-    OMX_IN  OMX_U32 nPortOutput,
-    OMX_IN  OMX_HANDLETYPE hInput,
-    OMX_IN  OMX_U32 nPortInput);
-    
-/** @ingroup cp */
-OMX_API OMX_ERRORTYPE   OMX_GetContentPipe(
-    OMX_OUT OMX_HANDLETYPE *hPipe,
-    OMX_IN OMX_STRING szURI);
-
-/** The OMX_GetComponentsOfRole method will return the number of components that support the given
-    role and (if the compNames field is non-NULL) the names of those components. The call will fail if 
-    an insufficiently sized array of names is supplied. To ensure the array is sufficiently sized the
-    client should:
-        * first call this function with the compNames field NULL to determine the number of component names
-        * second call this function with the compNames field pointing to an array of names allocated 
-          according to the number returned by the first call.
-
-    The core should return from this call within 5 msec.
-    
-    @param [in] role
-        This is generic standard component name consisting only of component class 
-        name and the type within that class (e.g. 'audio_decoder.aac').
-    @param [inout] pNumComps
-        This is used both as input and output. 
- 
-        If compNames is NULL, the input is ignored and the output specifies how many components support
-        the given role.
-     
-        If compNames is not NULL, on input it bounds the size of the input structure and 
-        on output, it specifies the number of components string names listed within the compNames parameter.
-    @param [inout] compNames
-        If NULL this field is ignored. If non-NULL this points to an array of 128-byte strings which accepts 
-        a list of the names of all physical components that implement the specified standard component name. 
-        Each name is NULL terminated. numComps indicates the number of names.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_GetComponentsOfRole ( 
-	OMX_IN      OMX_STRING role,
-    OMX_INOUT   OMX_U32 *pNumComps,
-    OMX_INOUT   OMX_U8  **compNames);
-
-/** The OMX_GetRolesOfComponent method will return the number of roles supported by the given
-    component and (if the roles field is non-NULL) the names of those roles. The call will fail if 
-    an insufficiently sized array of names is supplied. To ensure the array is sufficiently sized the
-    client should:
-        * first call this function with the roles field NULL to determine the number of role names
-        * second call this function with the roles field pointing to an array of names allocated 
-          according to the number returned by the first call.
-
-    The core should return from this call within 5 msec.
-
-    @param [in] compName
-        This is the name of the component being queried about.
-    @param [inout] pNumRoles
-        This is used both as input and output. 
- 
-        If roles is NULL, the input is ignored and the output specifies how many roles the component supports.
-     
-        If compNames is not NULL, on input it bounds the size of the input structure and 
-        on output, it specifies the number of roles string names listed within the roles parameter.
-    @param [out] roles
-        If NULL this field is ignored. If non-NULL this points to an array of 128-byte strings 
-        which accepts a list of the names of all standard components roles implemented on the 
-        specified component name. numComps indicates the number of names.
-    @ingroup core
- */
-OMX_API OMX_ERRORTYPE OMX_GetRolesOfComponent ( 
-	OMX_IN      OMX_STRING compName, 
-    OMX_INOUT   OMX_U32 *pNumRoles,
-    OMX_OUT     OMX_U8 **roles);
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
-
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_IVCommon.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_IVCommon.h
deleted file mode 100644
index 8bb4dede8f..0000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_IVCommon.h
+++ /dev/null
@@ -1,947 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/**
- * Copyright (c) 2008 The Khronos Group Inc.
- *
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions:
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- *
- */
-
-/**
- * @file OMX_IVCommon.h - OpenMax IL version 1.1.2
- *  The structures needed by Video and Image components to exchange
- *  parameters and configuration data with the components.
- */
-#ifndef OMX_IVCommon_h
-#define OMX_IVCommon_h
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-/**
- * Each OMX header must include all required header files to allow the header
- * to compile without errors.  The includes below are required for this header
- * file to compile successfully
- */
-
-#include <OMX_Core.h>
-
-/** @defgroup iv OpenMAX IL Imaging and Video Domain
- * Common structures for OpenMAX IL Imaging and Video domains
- * @{
- */
-
-
-/**
- * Enumeration defining possible uncompressed image/video formats.
- *
- * ENUMS:
- *  Unused                 : Placeholder value when format is N/A
- *  Monochrome             : black and white
- *  8bitRGB332             : Red 7:5, Green 4:2, Blue 1:0
- *  12bitRGB444            : Red 11:8, Green 7:4, Blue 3:0
- *  16bitARGB4444          : Alpha 15:12, Red 11:8, Green 7:4, Blue 3:0
- *  16bitARGB1555          : Alpha 15, Red 14:10, Green 9:5, Blue 4:0
- *  16bitRGB565            : Red 15:11, Green 10:5, Blue 4:0
- *  16bitBGR565            : Blue 15:11, Green 10:5, Red 4:0
- *  18bitRGB666            : Red 17:12, Green 11:6, Blue 5:0
- *  18bitARGB1665          : Alpha 17, Red 16:11, Green 10:5, Blue 4:0
- *  19bitARGB1666          : Alpha 18, Red 17:12, Green 11:6, Blue 5:0
- *  24bitRGB888            : Red 24:16, Green 15:8, Blue 7:0
- *  24bitBGR888            : Blue 24:16, Green 15:8, Red 7:0
- *  24bitARGB1887          : Alpha 23, Red 22:15, Green 14:7, Blue 6:0
- *  25bitARGB1888          : Alpha 24, Red 23:16, Green 15:8, Blue 7:0
- *  32bitBGRA8888          : Blue 31:24, Green 23:16, Red 15:8, Alpha 7:0
- *  32bitARGB8888          : Alpha 31:24, Red 23:16, Green 15:8, Blue 7:0
- *  YUV411Planar           : U,Y are subsampled by a factor of 4 horizontally
- *  YUV411PackedPlanar     : packed per payload in planar slices
- *  YUV420Planar           : Three arrays Y,U,V.
- *  YUV420PackedPlanar     : packed per payload in planar slices
- *  YUV420SemiPlanar       : Two arrays, one is all Y, the other is U and V
- *  YUV422Planar           : Three arrays Y,U,V.
- *  YUV422PackedPlanar     : packed per payload in planar slices
- *  YUV422SemiPlanar       : Two arrays, one is all Y, the other is U and V
- *  YCbYCr                 : Organized as 16bit YUYV (i.e. YCbYCr)
- *  YCrYCb                 : Organized as 16bit YVYU (i.e. YCrYCb)
- *  CbYCrY                 : Organized as 16bit UYVY (i.e. CbYCrY)
- *  CrYCbY                 : Organized as 16bit VYUY (i.e. CrYCbY)
- *  YUV444Interleaved      : Each pixel contains equal parts YUV
- *  RawBayer8bit           : SMIA camera output format
- *  RawBayer10bit          : SMIA camera output format
- *  RawBayer8bitcompressed : SMIA camera output format
- */
-typedef enum OMX_COLOR_FORMATTYPE {
-    OMX_COLOR_FormatUnused,
-    OMX_COLOR_FormatMonochrome,
-    OMX_COLOR_Format8bitRGB332,
-    OMX_COLOR_Format12bitRGB444,
-    OMX_COLOR_Format16bitARGB4444,
-    OMX_COLOR_Format16bitARGB1555,
-    OMX_COLOR_Format16bitRGB565,
-    OMX_COLOR_Format16bitBGR565,
-    OMX_COLOR_Format18bitRGB666,
-    OMX_COLOR_Format18bitARGB1665,
-    OMX_COLOR_Format19bitARGB1666,
-    OMX_COLOR_Format24bitRGB888,
-    OMX_COLOR_Format24bitBGR888,
-    OMX_COLOR_Format24bitARGB1887,
-    OMX_COLOR_Format25bitARGB1888,
-    OMX_COLOR_Format32bitBGRA8888,
-    OMX_COLOR_Format32bitARGB8888,
-    OMX_COLOR_FormatYUV411Planar,
-    OMX_COLOR_FormatYUV411PackedPlanar,
-    OMX_COLOR_FormatYUV420Planar,
-    OMX_COLOR_FormatYUV420PackedPlanar,
-    OMX_COLOR_FormatYUV420SemiPlanar,
-    OMX_COLOR_FormatYUV422Planar,
-    OMX_COLOR_FormatYUV422PackedPlanar,
-    OMX_COLOR_FormatYUV422SemiPlanar,
-    OMX_COLOR_FormatYCbYCr,
-    OMX_COLOR_FormatYCrYCb,
-    OMX_COLOR_FormatCbYCrY,
-    OMX_COLOR_FormatCrYCbY,
-    OMX_COLOR_FormatYUV444Interleaved,
-    OMX_COLOR_FormatRawBayer8bit,
-    OMX_COLOR_FormatRawBayer10bit,
-    OMX_COLOR_FormatRawBayer8bitcompressed,
-    OMX_COLOR_FormatL2,
-    OMX_COLOR_FormatL4,
-    OMX_COLOR_FormatL8,
-    OMX_COLOR_FormatL16,
-    OMX_COLOR_FormatL24,
-    OMX_COLOR_FormatL32,
-    OMX_COLOR_FormatYUV420PackedSemiPlanar,
-    OMX_COLOR_FormatYUV422PackedSemiPlanar,
-    OMX_COLOR_Format18BitBGR666,
-    OMX_COLOR_Format24BitARGB6666,
-    OMX_COLOR_Format24BitABGR6666,
-    OMX_COLOR_FormatKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_COLOR_FormatVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    /**<Reserved android opaque colorformat. Tells the encoder that
-     * the actual colorformat will be  relayed by the
-     * Gralloc Buffers.
-     * FIXME: In the process of reserving some enum values for
-     * Android-specific OMX IL colorformats. Change this enum to
-     * an acceptable range once that is done.
-     * */
-    OMX_COLOR_FormatAndroidOpaque = 0x7F000789,
-    OMX_TI_COLOR_FormatYUV420PackedSemiPlanar = 0x7F000100,
-    OMX_QCOM_COLOR_FormatYVU420SemiPlanar = 0x7FA30C00,
-    OMX_COLOR_FormatMax = 0x7FFFFFFF
-} OMX_COLOR_FORMATTYPE;
-
-
-/**
- * Defines the matrix for conversion from RGB to YUV or vice versa.
- * iColorMatrix should be initialized with the fixed point values
- * used in converting between formats.
- */
-typedef struct OMX_CONFIG_COLORCONVERSIONTYPE {
-    OMX_U32 nSize;              /**< Size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion;   /**< OMX specification version info */
-    OMX_U32 nPortIndex;         /**< Port that this struct applies to */
-    OMX_S32 xColorMatrix[3][3]; /**< Stored in signed Q16 format */
-    OMX_S32 xColorOffset[4];    /**< Stored in signed Q16 format */
-}OMX_CONFIG_COLORCONVERSIONTYPE;
-
-
-/**
- * Structure defining percent to scale each frame dimension.  For example:
- * To make the width 50% larger, use fWidth = 1.5 and to make the width
- * 1/2 the original size, use fWidth = 0.5
- */
-typedef struct OMX_CONFIG_SCALEFACTORTYPE {
-    OMX_U32 nSize;            /**< Size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion; /**< OMX specification version info */
-    OMX_U32 nPortIndex;       /**< Port that this struct applies to */
-    OMX_S32 xWidth;           /**< Fixed point value stored as Q16 */
-    OMX_S32 xHeight;          /**< Fixed point value stored as Q16 */
-}OMX_CONFIG_SCALEFACTORTYPE;
-
-
-/**
- * Enumeration of possible image filter types
- */
-typedef enum OMX_IMAGEFILTERTYPE {
-    OMX_ImageFilterNone,
-    OMX_ImageFilterNoise,
-    OMX_ImageFilterEmboss,
-    OMX_ImageFilterNegative,
-    OMX_ImageFilterSketch,
-    OMX_ImageFilterOilPaint,
-    OMX_ImageFilterHatch,
-    OMX_ImageFilterGpen,
-    OMX_ImageFilterAntialias,
-    OMX_ImageFilterDeRing,
-    OMX_ImageFilterSolarize,
-    OMX_ImageFilterKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_ImageFilterVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_ImageFilterMax = 0x7FFFFFFF
-} OMX_IMAGEFILTERTYPE;
-
-
-/**
- * Image filter configuration
- *
- * STRUCT MEMBERS:
- *  nSize        : Size of the structure in bytes
- *  nVersion     : OMX specification version information
- *  nPortIndex   : Port that this structure applies to
- *  eImageFilter : Image filter type enumeration
- */
-typedef struct OMX_CONFIG_IMAGEFILTERTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_IMAGEFILTERTYPE eImageFilter;
-} OMX_CONFIG_IMAGEFILTERTYPE;
-
-
-/**
- * Customized U and V for color enhancement
- *
- * STRUCT MEMBERS:
- *  nSize             : Size of the structure in bytes
- *  nVersion          : OMX specification version information
- *  nPortIndex        : Port that this structure applies to
- *  bColorEnhancement : Enable/disable color enhancement
- *  nCustomizedU      : Practical values: 16-240, range: 0-255, value set for
- *                      U component
- *  nCustomizedV      : Practical values: 16-240, range: 0-255, value set for
- *                      V component
- */
-typedef struct OMX_CONFIG_COLORENHANCEMENTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bColorEnhancement;
-    OMX_U8 nCustomizedU;
-    OMX_U8 nCustomizedV;
-} OMX_CONFIG_COLORENHANCEMENTTYPE;
-
-
-/**
- * Define color key and color key mask
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nARGBColor : 32bit Alpha, Red, Green, Blue Color
- *  nARGBMask  : 32bit Mask for Alpha, Red, Green, Blue channels
- */
-typedef struct OMX_CONFIG_COLORKEYTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nARGBColor;
-    OMX_U32 nARGBMask;
-} OMX_CONFIG_COLORKEYTYPE;
-
-
-/**
- * List of color blend types for pre/post processing
- *
- * ENUMS:
- *  None          : No color blending present
- *  AlphaConstant : Function is (alpha_constant * src) +
- *                  (1 - alpha_constant) * dst)
- *  AlphaPerPixel : Function is (alpha * src) + (1 - alpha) * dst)
- *  Alternate     : Function is alternating pixels from src and dst
- *  And           : Function is (src & dst)
- *  Or            : Function is (src | dst)
- *  Invert        : Function is ~src
- */
-typedef enum OMX_COLORBLENDTYPE {
-    OMX_ColorBlendNone,
-    OMX_ColorBlendAlphaConstant,
-    OMX_ColorBlendAlphaPerPixel,
-    OMX_ColorBlendAlternate,
-    OMX_ColorBlendAnd,
-    OMX_ColorBlendOr,
-    OMX_ColorBlendInvert,
-    OMX_ColorBlendKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_ColorBlendVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_ColorBlendMax = 0x7FFFFFFF
-} OMX_COLORBLENDTYPE;
-
-
-/**
- * Color blend configuration
- *
- * STRUCT MEMBERS:
- *  nSize             : Size of the structure in bytes
- *  nVersion          : OMX specification version information
- *  nPortIndex        : Port that this structure applies to
- *  nRGBAlphaConstant : Constant global alpha values when global alpha is used
- *  eColorBlend       : Color blend type enumeration
- */
-typedef struct OMX_CONFIG_COLORBLENDTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nRGBAlphaConstant;
-    OMX_COLORBLENDTYPE  eColorBlend;
-} OMX_CONFIG_COLORBLENDTYPE;
-
-
-/**
- * Hold frame dimension
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nWidth     : Frame width in pixels
- *  nHeight    : Frame height in pixels
- */
-typedef struct OMX_FRAMESIZETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nWidth;
-    OMX_U32 nHeight;
-} OMX_FRAMESIZETYPE;
-
-
-/**
- * Rotation configuration
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nRotation  : +/- integer rotation value
- */
-typedef struct OMX_CONFIG_ROTATIONTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nRotation;
-} OMX_CONFIG_ROTATIONTYPE;
-
-
-/**
- * Possible mirroring directions for pre/post processing
- *
- * ENUMS:
- *  None       : No mirroring
- *  Vertical   : Vertical mirroring, flip on X axis
- *  Horizontal : Horizontal mirroring, flip on Y axis
- *  Both       : Both vertical and horizontal mirroring
- */
-typedef enum OMX_MIRRORTYPE {
-    OMX_MirrorNone = 0,
-    OMX_MirrorVertical,
-    OMX_MirrorHorizontal,
-    OMX_MirrorBoth,
-    OMX_MirrorKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_MirrorVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_MirrorMax = 0x7FFFFFFF
-} OMX_MIRRORTYPE;
-
-
-/**
- * Mirroring configuration
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  eMirror    : Mirror type enumeration
- */
-typedef struct OMX_CONFIG_MIRRORTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_MIRRORTYPE  eMirror;
-} OMX_CONFIG_MIRRORTYPE;
-
-
-/**
- * Position information only
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nX         : X coordinate for the point
- *  nY         : Y coordinate for the point
- */
-typedef struct OMX_CONFIG_POINTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nX;
-    OMX_S32 nY;
-} OMX_CONFIG_POINTTYPE;
-
-
-/**
- * Frame size plus position
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nLeft      : X Coordinate of the top left corner of the rectangle
- *  nTop       : Y Coordinate of the top left corner of the rectangle
- *  nWidth     : Width of the rectangle
- *  nHeight    : Height of the rectangle
- */
-typedef struct OMX_CONFIG_RECTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nLeft;
-    OMX_S32 nTop;
-    OMX_U32 nWidth;
-    OMX_U32 nHeight;
-} OMX_CONFIG_RECTTYPE;
-
-
-/**
- * Deblocking state; it is required to be set up before starting the codec
- *
- * STRUCT MEMBERS:
- *  nSize       : Size of the structure in bytes
- *  nVersion    : OMX specification version information
- *  nPortIndex  : Port that this structure applies to
- *  bDeblocking : Enable/disable deblocking mode
- */
-typedef struct OMX_PARAM_DEBLOCKINGTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bDeblocking;
-} OMX_PARAM_DEBLOCKINGTYPE;
-
-
-/**
- * Stabilization state
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  bStab      : Enable/disable frame stabilization state
- */
-typedef struct OMX_CONFIG_FRAMESTABTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bStab;
-} OMX_CONFIG_FRAMESTABTYPE;
-
-
-/**
- * White Balance control type
- *
- * STRUCT MEMBERS:
- *  SunLight : Referenced in JSR-234
- *  Flash    : Optimal for device's integrated flash
- */
-typedef enum OMX_WHITEBALCONTROLTYPE {
-    OMX_WhiteBalControlOff = 0,
-    OMX_WhiteBalControlAuto,
-    OMX_WhiteBalControlSunLight,
-    OMX_WhiteBalControlCloudy,
-    OMX_WhiteBalControlShade,
-    OMX_WhiteBalControlTungsten,
-    OMX_WhiteBalControlFluorescent,
-    OMX_WhiteBalControlIncandescent,
-    OMX_WhiteBalControlFlash,
-    OMX_WhiteBalControlHorizon,
-    OMX_WhiteBalControlKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_WhiteBalControlVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_WhiteBalControlMax = 0x7FFFFFFF
-} OMX_WHITEBALCONTROLTYPE;
-
-
-/**
- * White Balance control configuration
- *
- * STRUCT MEMBERS:
- *  nSize            : Size of the structure in bytes
- *  nVersion         : OMX specification version information
- *  nPortIndex       : Port that this structure applies to
- *  eWhiteBalControl : White balance enumeration
- */
-typedef struct OMX_CONFIG_WHITEBALCONTROLTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_WHITEBALCONTROLTYPE eWhiteBalControl;
-} OMX_CONFIG_WHITEBALCONTROLTYPE;
-
-
-/**
- * Exposure control type
- */
-typedef enum OMX_EXPOSURECONTROLTYPE {
-    OMX_ExposureControlOff = 0,
-    OMX_ExposureControlAuto,
-    OMX_ExposureControlNight,
-    OMX_ExposureControlBackLight,
-    OMX_ExposureControlSpotLight,
-    OMX_ExposureControlSports,
-    OMX_ExposureControlSnow,
-    OMX_ExposureControlBeach,
-    OMX_ExposureControlLargeAperture,
-    OMX_ExposureControlSmallApperture,
-    OMX_ExposureControlKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_ExposureControlVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_ExposureControlMax = 0x7FFFFFFF
-} OMX_EXPOSURECONTROLTYPE;
-
-
-/**
- * White Balance control configuration
- *
- * STRUCT MEMBERS:
- *  nSize            : Size of the structure in bytes
- *  nVersion         : OMX specification version information
- *  nPortIndex       : Port that this structure applies to
- *  eExposureControl : Exposure control enumeration
- */
-typedef struct OMX_CONFIG_EXPOSURECONTROLTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_EXPOSURECONTROLTYPE eExposureControl;
-} OMX_CONFIG_EXPOSURECONTROLTYPE;
-
-
-/**
- * Defines sensor supported mode.
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nFrameRate : Single shot mode is indicated by a 0
- *  bOneShot   : Enable for single shot, disable for streaming
- *  sFrameSize : Framesize
- */
-typedef struct OMX_PARAM_SENSORMODETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nFrameRate;
-    OMX_BOOL bOneShot;
-    OMX_FRAMESIZETYPE sFrameSize;
-} OMX_PARAM_SENSORMODETYPE;
-
-
-/**
- * Defines contrast level
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nContrast  : Values allowed for contrast -100 to 100, zero means no change
- */
-typedef struct OMX_CONFIG_CONTRASTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nContrast;
-} OMX_CONFIG_CONTRASTTYPE;
-
-
-/**
- * Defines brightness level
- *
- * STRUCT MEMBERS:
- *  nSize       : Size of the structure in bytes
- *  nVersion    : OMX specification version information
- *  nPortIndex  : Port that this structure applies to
- *  nBrightness : 0-100%
- */
-typedef struct OMX_CONFIG_BRIGHTNESSTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nBrightness;
-} OMX_CONFIG_BRIGHTNESSTYPE;
-
-
-/**
- * Defines backlight level configuration for a video sink, e.g. LCD panel
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nBacklight : Values allowed for backlight 0-100%
- *  nTimeout   : Number of milliseconds before backlight automatically turns
- *               off.  A value of 0x0 disables backight timeout
- */
-typedef struct OMX_CONFIG_BACKLIGHTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nBacklight;
-    OMX_U32 nTimeout;
-} OMX_CONFIG_BACKLIGHTTYPE;
-
-
-/**
- * Defines setting for Gamma
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nGamma     : Values allowed for gamma -100 to 100, zero means no change
- */
-typedef struct OMX_CONFIG_GAMMATYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nGamma;
-} OMX_CONFIG_GAMMATYPE;
-
-
-/**
- * Define for setting saturation
- *
- * STRUCT MEMBERS:
- *  nSize       : Size of the structure in bytes
- *  nVersion    : OMX specification version information
- *  nPortIndex  : Port that this structure applies to
- *  nSaturation : Values allowed for saturation -100 to 100, zero means
- *                no change
- */
-typedef struct OMX_CONFIG_SATURATIONTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nSaturation;
-} OMX_CONFIG_SATURATIONTYPE;
-
-
-/**
- * Define for setting Lightness
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nLightness : Values allowed for lightness -100 to 100, zero means no
- *               change
- */
-typedef struct OMX_CONFIG_LIGHTNESSTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_S32 nLightness;
-} OMX_CONFIG_LIGHTNESSTYPE;
-
-
-/**
- * Plane blend configuration
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Index of input port associated with the plane.
- *  nDepth     : Depth of the plane in relation to the screen. Higher
- *               numbered depths are "behind" lower number depths.
- *               This number defaults to the Port Index number.
- *  nAlpha     : Transparency blending component for the entire plane.
- *               See blending modes for more detail.
- */
-typedef struct OMX_CONFIG_PLANEBLENDTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nDepth;
-    OMX_U32 nAlpha;
-} OMX_CONFIG_PLANEBLENDTYPE;
-
-
-/**
- * Define interlace type
- *
- * STRUCT MEMBERS:
- *  nSize                 : Size of the structure in bytes
- *  nVersion              : OMX specification version information
- *  nPortIndex            : Port that this structure applies to
- *  bEnable               : Enable control variable for this functionality
- *                          (see below)
- *  nInterleavePortIndex  : Index of input or output port associated with
- *                          the interleaved plane.
- *  pPlanarPortIndexes[4] : Index of input or output planar ports.
- */
-typedef struct OMX_PARAM_INTERLEAVETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bEnable;
-    OMX_U32 nInterleavePortIndex;
-} OMX_PARAM_INTERLEAVETYPE;
-
-
-/**
- * Defines the picture effect used for an input picture
- */
-typedef enum OMX_TRANSITIONEFFECTTYPE {
-    OMX_EffectNone,
-    OMX_EffectFadeFromBlack,
-    OMX_EffectFadeToBlack,
-    OMX_EffectUnspecifiedThroughConstantColor,
-    OMX_EffectDissolve,
-    OMX_EffectWipe,
-    OMX_EffectUnspecifiedMixOfTwoScenes,
-    OMX_EffectKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_EffectVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_EffectMax = 0x7FFFFFFF
-} OMX_TRANSITIONEFFECTTYPE;
-
-
-/**
- * Structure used to configure current transition effect
- *
- * STRUCT MEMBERS:
- * nSize      : Size of the structure in bytes
- * nVersion   : OMX specification version information
- * nPortIndex : Port that this structure applies to
- * eEffect    : Effect to enable
- */
-typedef struct OMX_CONFIG_TRANSITIONEFFECTTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_TRANSITIONEFFECTTYPE eEffect;
-} OMX_CONFIG_TRANSITIONEFFECTTYPE;
-
-
-/**
- * Defines possible data unit types for encoded video data. The data unit
- * types are used both for encoded video input for playback as well as
- * encoded video output from recording.
- */
-typedef enum OMX_DATAUNITTYPE {
-    OMX_DataUnitCodedPicture,
-    OMX_DataUnitVideoSegment,
-    OMX_DataUnitSeveralSegments,
-    OMX_DataUnitArbitraryStreamSection,
-    OMX_DataUnitKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_DataUnitVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_DataUnitMax = 0x7FFFFFFF
-} OMX_DATAUNITTYPE;
-
-
-/**
- * Defines possible encapsulation types for coded video data unit. The
- * encapsulation information is used both for encoded video input for
- * playback as well as encoded video output from recording.
- */
-typedef enum OMX_DATAUNITENCAPSULATIONTYPE {
-    OMX_DataEncapsulationElementaryStream,
-    OMX_DataEncapsulationGenericPayload,
-    OMX_DataEncapsulationRtpPayload,
-    OMX_DataEncapsulationKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_DataEncapsulationVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_DataEncapsulationMax = 0x7FFFFFFF
-} OMX_DATAUNITENCAPSULATIONTYPE;
-
-
-/**
- * Structure used to configure the type of being decoded/encoded
- */
-typedef struct OMX_PARAM_DATAUNITTYPE {
-    OMX_U32 nSize;            /**< Size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion; /**< OMX specification version information */
-    OMX_U32 nPortIndex;       /**< Port that this structure applies to */
-    OMX_DATAUNITTYPE eUnitType;
-    OMX_DATAUNITENCAPSULATIONTYPE eEncapsulationType;
-} OMX_PARAM_DATAUNITTYPE;
-
-
-/**
- * Defines dither types
- */
-typedef enum OMX_DITHERTYPE {
-    OMX_DitherNone,
-    OMX_DitherOrdered,
-    OMX_DitherErrorDiffusion,
-    OMX_DitherOther,
-    OMX_DitherKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_DitherVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_DitherMax = 0x7FFFFFFF
-} OMX_DITHERTYPE;
-
-
-/**
- * Structure used to configure current type of dithering
- */
-typedef struct OMX_CONFIG_DITHERTYPE {
-    OMX_U32 nSize;            /**< Size of the structure in bytes */
-    OMX_VERSIONTYPE nVersion; /**< OMX specification version information */
-    OMX_U32 nPortIndex;       /**< Port that this structure applies to */
-    OMX_DITHERTYPE eDither;   /**< Type of dithering to use */
-} OMX_CONFIG_DITHERTYPE;
-
-typedef struct OMX_CONFIG_CAPTUREMODETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;     /**< Port that this structure applies to */
-    OMX_BOOL bContinuous;   /**< If true then ignore frame rate and emit capture
-                             *   data as fast as possible (otherwise obey port's frame rate). */
-    OMX_BOOL bFrameLimited; /**< If true then terminate capture after the port emits the
-                             *   specified number of frames (otherwise the port does not
-                             *   terminate the capture until instructed to do so by the client).
-                             *   Even if set, the client may manually terminate the capture prior
-                             *   to reaching the limit. */
-    OMX_U32 nFrameLimit;      /**< Limit on number of frames emitted during a capture (only
-                               *   valid if bFrameLimited is set). */
-} OMX_CONFIG_CAPTUREMODETYPE;
-
-typedef enum OMX_METERINGTYPE {
-
-    OMX_MeteringModeAverage,     /**< Center-weighted average metering. */
-    OMX_MeteringModeSpot,  	      /**< Spot (partial) metering. */
-    OMX_MeteringModeMatrix,      /**< Matrix or evaluative metering. */
-
-    OMX_MeteringKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_MeteringVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_EVModeMax = 0x7fffffff
-} OMX_METERINGTYPE;
-
-typedef struct OMX_CONFIG_EXPOSUREVALUETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_METERINGTYPE eMetering;
-    OMX_S32 xEVCompensation;      /**< Fixed point value stored as Q16 */
-    OMX_U32 nApertureFNumber;     /**< e.g. nApertureFNumber = 2 implies "f/2" - Q16 format */
-    OMX_BOOL bAutoAperture;		/**< Whether aperture number is defined automatically */
-    OMX_U32 nShutterSpeedMsec;    /**< Shutterspeed in milliseconds */
-    OMX_BOOL bAutoShutterSpeed;	/**< Whether shutter speed is defined automatically */
-    OMX_U32 nSensitivity;         /**< e.g. nSensitivity = 100 implies "ISO 100" */
-    OMX_BOOL bAutoSensitivity;	/**< Whether sensitivity is defined automatically */
-} OMX_CONFIG_EXPOSUREVALUETYPE;
-
-/**
- * Focus region configuration
- *
- * STRUCT MEMBERS:
- *  nSize           : Size of the structure in bytes
- *  nVersion        : OMX specification version information
- *  nPortIndex      : Port that this structure applies to
- *  bCenter         : Use center region as focus region of interest
- *  bLeft           : Use left region as focus region of interest
- *  bRight          : Use right region as focus region of interest
- *  bTop            : Use top region as focus region of interest
- *  bBottom         : Use bottom region as focus region of interest
- *  bTopLeft        : Use top left region as focus region of interest
- *  bTopRight       : Use top right region as focus region of interest
- *  bBottomLeft     : Use bottom left region as focus region of interest
- *  bBottomRight    : Use bottom right region as focus region of interest
- */
-typedef struct OMX_CONFIG_FOCUSREGIONTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bCenter;
-    OMX_BOOL bLeft;
-    OMX_BOOL bRight;
-    OMX_BOOL bTop;
-    OMX_BOOL bBottom;
-    OMX_BOOL bTopLeft;
-    OMX_BOOL bTopRight;
-    OMX_BOOL bBottomLeft;
-    OMX_BOOL bBottomRight;
-} OMX_CONFIG_FOCUSREGIONTYPE;
-
-/**
- * Focus Status type
- */
-typedef enum OMX_FOCUSSTATUSTYPE {
-    OMX_FocusStatusOff = 0,
-    OMX_FocusStatusRequest,
-    OMX_FocusStatusReached,
-    OMX_FocusStatusUnableToReach,
-    OMX_FocusStatusLost,
-    OMX_FocusStatusKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */
-    OMX_FocusStatusVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_FocusStatusMax = 0x7FFFFFFF
-} OMX_FOCUSSTATUSTYPE;
-
-/**
- * Focus status configuration
- *
- * STRUCT MEMBERS:
- *  nSize               : Size of the structure in bytes
- *  nVersion            : OMX specification version information
- *  nPortIndex          : Port that this structure applies to
- *  eFocusStatus        : Specifies the focus status
- *  bCenterStatus       : Use center region as focus region of interest
- *  bLeftStatus         : Use left region as focus region of interest
- *  bRightStatus        : Use right region as focus region of interest
- *  bTopStatus          : Use top region as focus region of interest
- *  bBottomStatus       : Use bottom region as focus region of interest
- *  bTopLeftStatus      : Use top left region as focus region of interest
- *  bTopRightStatus     : Use top right region as focus region of interest
- *  bBottomLeftStatus   : Use bottom left region as focus region of interest
- *  bBottomRightStatus  : Use bottom right region as focus region of interest
- */
-typedef struct OMX_PARAM_FOCUSSTATUSTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_FOCUSSTATUSTYPE eFocusStatus;
-    OMX_BOOL bCenterStatus;
-    OMX_BOOL bLeftStatus;
-    OMX_BOOL bRightStatus;
-    OMX_BOOL bTopStatus;
-    OMX_BOOL bBottomStatus;
-    OMX_BOOL bTopLeftStatus;
-    OMX_BOOL bTopRightStatus;
-    OMX_BOOL bBottomLeftStatus;
-    OMX_BOOL bBottomRightStatus;
-} OMX_PARAM_FOCUSSTATUSTYPE;
-
-/** @} */
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Index.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Index.h
deleted file mode 100644
index c0b8d9296d..0000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Index.h
+++ /dev/null
@@ -1,275 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/*
- * Copyright (c) 2008 The Khronos Group Inc. 
- * 
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions: 
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software. 
- * 
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- *
- */
-
-/** @file OMX_Index.h - OpenMax IL version 1.1.2
- *  The OMX_Index header file contains the definitions for both applications
- *  and components .
- */
-
-
-#ifndef OMX_Index_h
-#define OMX_Index_h
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-
-/* Each OMX header must include all required header files to allow the
- *  header to compile without errors.  The includes below are required
- *  for this header file to compile successfully 
- */
-#include <OMX_Types.h>
-
-
-/** The OMX_INDEXTYPE enumeration is used to select a structure when either
- *  getting or setting parameters and/or configuration data.  Each entry in 
- *  this enumeration maps to an OMX specified structure.  When the 
- *  OMX_GetParameter, OMX_SetParameter, OMX_GetConfig or OMX_SetConfig methods
- *  are used, the second parameter will always be an entry from this enumeration
- *  and the third entry will be the structure shown in the comments for the entry.
- *  For example, if the application is initializing a cropping function, the 
- *  OMX_SetConfig command would have OMX_IndexConfigCommonInputCrop as the second parameter 
- *  and would send a pointer to an initialized OMX_RECTTYPE structure as the 
- *  third parameter.
- *  
- *  The enumeration entries named with the OMX_Config prefix are sent using
- *  the OMX_SetConfig command and the enumeration entries named with the
- *  OMX_PARAM_ prefix are sent using the OMX_SetParameter command.
- */
-typedef enum OMX_INDEXTYPE {
-
-    OMX_IndexComponentStartUnused = 0x01000000,
-    OMX_IndexParamPriorityMgmt,             /**< reference: OMX_PRIORITYMGMTTYPE */
-    OMX_IndexParamAudioInit,                /**< reference: OMX_PORT_PARAM_TYPE */
-    OMX_IndexParamImageInit,                /**< reference: OMX_PORT_PARAM_TYPE */
-    OMX_IndexParamVideoInit,                /**< reference: OMX_PORT_PARAM_TYPE */
-    OMX_IndexParamOtherInit,                /**< reference: OMX_PORT_PARAM_TYPE */
-    OMX_IndexParamNumAvailableStreams,      /**< reference: OMX_PARAM_U32TYPE */
-    OMX_IndexParamActiveStream,             /**< reference: OMX_PARAM_U32TYPE */
-    OMX_IndexParamSuspensionPolicy,         /**< reference: OMX_PARAM_SUSPENSIONPOLICYTYPE */
-    OMX_IndexParamComponentSuspended,       /**< reference: OMX_PARAM_SUSPENSIONTYPE */
-    OMX_IndexConfigCapturing,               /**< reference: OMX_CONFIG_BOOLEANTYPE */ 
-    OMX_IndexConfigCaptureMode,             /**< reference: OMX_CONFIG_CAPTUREMODETYPE */ 
-    OMX_IndexAutoPauseAfterCapture,         /**< reference: OMX_CONFIG_BOOLEANTYPE */ 
-    OMX_IndexParamContentURI,               /**< reference: OMX_PARAM_CONTENTURITYPE */
-    OMX_IndexParamCustomContentPipe,        /**< reference: OMX_PARAM_CONTENTPIPETYPE */ 
-    OMX_IndexParamDisableResourceConcealment, /**< reference: OMX_RESOURCECONCEALMENTTYPE */
-    OMX_IndexConfigMetadataItemCount,       /**< reference: OMX_CONFIG_METADATAITEMCOUNTTYPE */
-    OMX_IndexConfigContainerNodeCount,      /**< reference: OMX_CONFIG_CONTAINERNODECOUNTTYPE */
-    OMX_IndexConfigMetadataItem,            /**< reference: OMX_CONFIG_METADATAITEMTYPE */
-    OMX_IndexConfigCounterNodeID,           /**< reference: OMX_CONFIG_CONTAINERNODEIDTYPE */
-    OMX_IndexParamMetadataFilterType,       /**< reference: OMX_PARAM_METADATAFILTERTYPE */
-    OMX_IndexParamMetadataKeyFilter,        /**< reference: OMX_PARAM_METADATAFILTERTYPE */
-    OMX_IndexConfigPriorityMgmt,            /**< reference: OMX_PRIORITYMGMTTYPE */
-    OMX_IndexParamStandardComponentRole,    /**< reference: OMX_PARAM_COMPONENTROLETYPE */
-
-    OMX_IndexPortStartUnused = 0x02000000,
-    OMX_IndexParamPortDefinition,           /**< reference: OMX_PARAM_PORTDEFINITIONTYPE */
-    OMX_IndexParamCompBufferSupplier,       /**< reference: OMX_PARAM_BUFFERSUPPLIERTYPE */ 
-    OMX_IndexReservedStartUnused = 0x03000000,
-
-    /* Audio parameters and configurations */
-    OMX_IndexAudioStartUnused = 0x04000000,
-    OMX_IndexParamAudioPortFormat,          /**< reference: OMX_AUDIO_PARAM_PORTFORMATTYPE */
-    OMX_IndexParamAudioPcm,                 /**< reference: OMX_AUDIO_PARAM_PCMMODETYPE */
-    OMX_IndexParamAudioAac,                 /**< reference: OMX_AUDIO_PARAM_AACPROFILETYPE */
-    OMX_IndexParamAudioRa,                  /**< reference: OMX_AUDIO_PARAM_RATYPE */
-    OMX_IndexParamAudioMp3,                 /**< reference: OMX_AUDIO_PARAM_MP3TYPE */
-    OMX_IndexParamAudioAdpcm,               /**< reference: OMX_AUDIO_PARAM_ADPCMTYPE */
-    OMX_IndexParamAudioG723,                /**< reference: OMX_AUDIO_PARAM_G723TYPE */
-    OMX_IndexParamAudioG729,                /**< reference: OMX_AUDIO_PARAM_G729TYPE */
-    OMX_IndexParamAudioAmr,                 /**< reference: OMX_AUDIO_PARAM_AMRTYPE */
-    OMX_IndexParamAudioWma,                 /**< reference: OMX_AUDIO_PARAM_WMATYPE */
-    OMX_IndexParamAudioSbc,                 /**< reference: OMX_AUDIO_PARAM_SBCTYPE */
-    OMX_IndexParamAudioMidi,                /**< reference: OMX_AUDIO_PARAM_MIDITYPE */
-    OMX_IndexParamAudioGsm_FR,              /**< reference: OMX_AUDIO_PARAM_GSMFRTYPE */
-    OMX_IndexParamAudioMidiLoadUserSound,   /**< reference: OMX_AUDIO_PARAM_MIDILOADUSERSOUNDTYPE */
-    OMX_IndexParamAudioG726,                /**< reference: OMX_AUDIO_PARAM_G726TYPE */
-    OMX_IndexParamAudioGsm_EFR,             /**< reference: OMX_AUDIO_PARAM_GSMEFRTYPE */
-    OMX_IndexParamAudioGsm_HR,              /**< reference: OMX_AUDIO_PARAM_GSMHRTYPE */
-    OMX_IndexParamAudioPdc_FR,              /**< reference: OMX_AUDIO_PARAM_PDCFRTYPE */
-    OMX_IndexParamAudioPdc_EFR,             /**< reference: OMX_AUDIO_PARAM_PDCEFRTYPE */
-    OMX_IndexParamAudioPdc_HR,              /**< reference: OMX_AUDIO_PARAM_PDCHRTYPE */
-    OMX_IndexParamAudioTdma_FR,             /**< reference: OMX_AUDIO_PARAM_TDMAFRTYPE */
-    OMX_IndexParamAudioTdma_EFR,            /**< reference: OMX_AUDIO_PARAM_TDMAEFRTYPE */
-    OMX_IndexParamAudioQcelp8,              /**< reference: OMX_AUDIO_PARAM_QCELP8TYPE */
-    OMX_IndexParamAudioQcelp13,             /**< reference: OMX_AUDIO_PARAM_QCELP13TYPE */
-    OMX_IndexParamAudioEvrc,                /**< reference: OMX_AUDIO_PARAM_EVRCTYPE */
-    OMX_IndexParamAudioSmv,                 /**< reference: OMX_AUDIO_PARAM_SMVTYPE */
-    OMX_IndexParamAudioVorbis,              /**< reference: OMX_AUDIO_PARAM_VORBISTYPE */
-
-    OMX_IndexConfigAudioMidiImmediateEvent, /**< reference: OMX_AUDIO_CONFIG_MIDIIMMEDIATEEVENTTYPE */
-    OMX_IndexConfigAudioMidiControl,        /**< reference: OMX_AUDIO_CONFIG_MIDICONTROLTYPE */
-    OMX_IndexConfigAudioMidiSoundBankProgram, /**< reference: OMX_AUDIO_CONFIG_MIDISOUNDBANKPROGRAMTYPE */
-    OMX_IndexConfigAudioMidiStatus,         /**< reference: OMX_AUDIO_CONFIG_MIDISTATUSTYPE */
-    OMX_IndexConfigAudioMidiMetaEvent,      /**< reference: OMX_AUDIO_CONFIG_MIDIMETAEVENTTYPE */
-    OMX_IndexConfigAudioMidiMetaEventData,  /**< reference: OMX_AUDIO_CONFIG_MIDIMETAEVENTDATATYPE */
-    OMX_IndexConfigAudioVolume,             /**< reference: OMX_AUDIO_CONFIG_VOLUMETYPE */
-    OMX_IndexConfigAudioBalance,            /**< reference: OMX_AUDIO_CONFIG_BALANCETYPE */
-    OMX_IndexConfigAudioChannelMute,        /**< reference: OMX_AUDIO_CONFIG_CHANNELMUTETYPE */
-    OMX_IndexConfigAudioMute,               /**< reference: OMX_AUDIO_CONFIG_MUTETYPE */
-    OMX_IndexConfigAudioLoudness,           /**< reference: OMX_AUDIO_CONFIG_LOUDNESSTYPE */
-    OMX_IndexConfigAudioEchoCancelation,    /**< reference: OMX_AUDIO_CONFIG_ECHOCANCELATIONTYPE */
-    OMX_IndexConfigAudioNoiseReduction,     /**< reference: OMX_AUDIO_CONFIG_NOISEREDUCTIONTYPE */
-    OMX_IndexConfigAudioBass,               /**< reference: OMX_AUDIO_CONFIG_BASSTYPE */
-    OMX_IndexConfigAudioTreble,             /**< reference: OMX_AUDIO_CONFIG_TREBLETYPE */
-    OMX_IndexConfigAudioStereoWidening,     /**< reference: OMX_AUDIO_CONFIG_STEREOWIDENINGTYPE */
-    OMX_IndexConfigAudioChorus,             /**< reference: OMX_AUDIO_CONFIG_CHORUSTYPE */
-    OMX_IndexConfigAudioEqualizer,          /**< reference: OMX_AUDIO_CONFIG_EQUALIZERTYPE */
-    OMX_IndexConfigAudioReverberation,      /**< reference: OMX_AUDIO_CONFIG_REVERBERATIONTYPE */
-    OMX_IndexConfigAudioChannelVolume,      /**< reference: OMX_AUDIO_CONFIG_CHANNELVOLUMETYPE */
-
-    /* Image specific parameters and configurations */
-    OMX_IndexImageStartUnused = 0x05000000,
-    OMX_IndexParamImagePortFormat,          /**< reference: OMX_IMAGE_PARAM_PORTFORMATTYPE */
-    OMX_IndexParamFlashControl,             /**< reference: OMX_IMAGE_PARAM_FLASHCONTROLTYPE */
-    OMX_IndexConfigFocusControl,            /**< reference: OMX_IMAGE_CONFIG_FOCUSCONTROLTYPE */
-    OMX_IndexParamQFactor,                  /**< reference: OMX_IMAGE_PARAM_QFACTORTYPE */
-    OMX_IndexParamQuantizationTable,        /**< reference: OMX_IMAGE_PARAM_QUANTIZATIONTABLETYPE */
-    OMX_IndexParamHuffmanTable,             /**< reference: OMX_IMAGE_PARAM_HUFFMANTTABLETYPE */
-    OMX_IndexConfigFlashControl,            /**< reference: OMX_IMAGE_PARAM_FLASHCONTROLTYPE */
-
-    /* Video specific parameters and configurations */
-    OMX_IndexVideoStartUnused = 0x06000000,
-    OMX_IndexParamVideoPortFormat,          /**< reference: OMX_VIDEO_PARAM_PORTFORMATTYPE */
-    OMX_IndexParamVideoQuantization,        /**< reference: OMX_VIDEO_PARAM_QUANTIZATIONTYPE */
-    OMX_IndexParamVideoFastUpdate,          /**< reference: OMX_VIDEO_PARAM_VIDEOFASTUPDATETYPE */
-    OMX_IndexParamVideoBitrate,             /**< reference: OMX_VIDEO_PARAM_BITRATETYPE */
-    OMX_IndexParamVideoMotionVector,        /**< reference: OMX_VIDEO_PARAM_MOTIONVECTORTYPE */
-    OMX_IndexParamVideoIntraRefresh,        /**< reference: OMX_VIDEO_PARAM_INTRAREFRESHTYPE */
-    OMX_IndexParamVideoErrorCorrection,     /**< reference: OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE */
-    OMX_IndexParamVideoVBSMC,               /**< reference: OMX_VIDEO_PARAM_VBSMCTYPE */
-    OMX_IndexParamVideoMpeg2,               /**< reference: OMX_VIDEO_PARAM_MPEG2TYPE */
-    OMX_IndexParamVideoMpeg4,               /**< reference: OMX_VIDEO_PARAM_MPEG4TYPE */
-    OMX_IndexParamVideoWmv,                 /**< reference: OMX_VIDEO_PARAM_WMVTYPE */
-    OMX_IndexParamVideoRv,                  /**< reference: OMX_VIDEO_PARAM_RVTYPE */
-    OMX_IndexParamVideoAvc,                 /**< reference: OMX_VIDEO_PARAM_AVCTYPE */
-    OMX_IndexParamVideoH263,                /**< reference: OMX_VIDEO_PARAM_H263TYPE */
-    OMX_IndexParamVideoProfileLevelQuerySupported, /**< reference: OMX_VIDEO_PARAM_PROFILELEVELTYPE */
-    OMX_IndexParamVideoProfileLevelCurrent, /**< reference: OMX_VIDEO_PARAM_PROFILELEVELTYPE */
-    OMX_IndexConfigVideoBitrate,            /**< reference: OMX_VIDEO_CONFIG_BITRATETYPE */
-    OMX_IndexConfigVideoFramerate,          /**< reference: OMX_CONFIG_FRAMERATETYPE */
-    OMX_IndexConfigVideoIntraVOPRefresh,    /**< reference: OMX_CONFIG_INTRAREFRESHVOPTYPE */
-    OMX_IndexConfigVideoIntraMBRefresh,     /**< reference: OMX_CONFIG_MACROBLOCKERRORMAPTYPE */
-    OMX_IndexConfigVideoMBErrorReporting,   /**< reference: OMX_CONFIG_MBERRORREPORTINGTYPE */
-    OMX_IndexParamVideoMacroblocksPerFrame, /**< reference: OMX_PARAM_MACROBLOCKSTYPE */
-    OMX_IndexConfigVideoMacroBlockErrorMap, /**< reference: OMX_CONFIG_MACROBLOCKERRORMAPTYPE */
-    OMX_IndexParamVideoSliceFMO,            /**< reference: OMX_VIDEO_PARAM_AVCSLICEFMO */
-    OMX_IndexConfigVideoAVCIntraPeriod,     /**< reference: OMX_VIDEO_CONFIG_AVCINTRAPERIOD */
-    OMX_IndexConfigVideoNalSize,            /**< reference: OMX_VIDEO_CONFIG_NALSIZE */
-
-    /* Image & Video common Configurations */
-    OMX_IndexCommonStartUnused = 0x07000000,
-    OMX_IndexParamCommonDeblocking,         /**< reference: OMX_PARAM_DEBLOCKINGTYPE */
-    OMX_IndexParamCommonSensorMode,         /**< reference: OMX_PARAM_SENSORMODETYPE */
-    OMX_IndexParamCommonInterleave,         /**< reference: OMX_PARAM_INTERLEAVETYPE */
-    OMX_IndexConfigCommonColorFormatConversion, /**< reference: OMX_CONFIG_COLORCONVERSIONTYPE */
-    OMX_IndexConfigCommonScale,             /**< reference: OMX_CONFIG_SCALEFACTORTYPE */
-    OMX_IndexConfigCommonImageFilter,       /**< reference: OMX_CONFIG_IMAGEFILTERTYPE */
-    OMX_IndexConfigCommonColorEnhancement,  /**< reference: OMX_CONFIG_COLORENHANCEMENTTYPE */
-    OMX_IndexConfigCommonColorKey,          /**< reference: OMX_CONFIG_COLORKEYTYPE */
-    OMX_IndexConfigCommonColorBlend,        /**< reference: OMX_CONFIG_COLORBLENDTYPE */
-    OMX_IndexConfigCommonFrameStabilisation,/**< reference: OMX_CONFIG_FRAMESTABTYPE */
-    OMX_IndexConfigCommonRotate,            /**< reference: OMX_CONFIG_ROTATIONTYPE */
-    OMX_IndexConfigCommonMirror,            /**< reference: OMX_CONFIG_MIRRORTYPE */
-    OMX_IndexConfigCommonOutputPosition,    /**< reference: OMX_CONFIG_POINTTYPE */
-    OMX_IndexConfigCommonInputCrop,         /**< reference: OMX_CONFIG_RECTTYPE */
-    OMX_IndexConfigCommonOutputCrop,        /**< reference: OMX_CONFIG_RECTTYPE */
-    OMX_IndexConfigCommonDigitalZoom,       /**< reference: OMX_CONFIG_SCALEFACTORTYPE */
-    OMX_IndexConfigCommonOpticalZoom,       /**< reference: OMX_CONFIG_SCALEFACTORTYPE*/
-    OMX_IndexConfigCommonWhiteBalance,      /**< reference: OMX_CONFIG_WHITEBALCONTROLTYPE */
-    OMX_IndexConfigCommonExposure,          /**< reference: OMX_CONFIG_EXPOSURECONTROLTYPE */
-    OMX_IndexConfigCommonContrast,          /**< reference: OMX_CONFIG_CONTRASTTYPE */
-    OMX_IndexConfigCommonBrightness,        /**< reference: OMX_CONFIG_BRIGHTNESSTYPE */
-    OMX_IndexConfigCommonBacklight,         /**< reference: OMX_CONFIG_BACKLIGHTTYPE */
-    OMX_IndexConfigCommonGamma,             /**< reference: OMX_CONFIG_GAMMATYPE */
-    OMX_IndexConfigCommonSaturation,        /**< reference: OMX_CONFIG_SATURATIONTYPE */
-    OMX_IndexConfigCommonLightness,         /**< reference: OMX_CONFIG_LIGHTNESSTYPE */
-    OMX_IndexConfigCommonExclusionRect,     /**< reference: OMX_CONFIG_RECTTYPE */
-    OMX_IndexConfigCommonDithering,         /**< reference: OMX_CONFIG_DITHERTYPE */
-    OMX_IndexConfigCommonPlaneBlend,        /**< reference: OMX_CONFIG_PLANEBLENDTYPE */
-    OMX_IndexConfigCommonExposureValue,     /**< reference: OMX_CONFIG_EXPOSUREVALUETYPE */
-    OMX_IndexConfigCommonOutputSize,        /**< reference: OMX_FRAMESIZETYPE */
-    OMX_IndexParamCommonExtraQuantData,     /**< reference: OMX_OTHER_EXTRADATATYPE */
-    OMX_IndexConfigCommonFocusRegion,       /**< reference: OMX_CONFIG_FOCUSREGIONTYPE */
-    OMX_IndexConfigCommonFocusStatus,       /**< reference: OMX_PARAM_FOCUSSTATUSTYPE */
-    OMX_IndexConfigCommonTransitionEffect,  /**< reference: OMX_CONFIG_TRANSITIONEFFECTTYPE */
-
-    /* Reserved Configuration range */
-    OMX_IndexOtherStartUnused = 0x08000000,
-    OMX_IndexParamOtherPortFormat,          /**< reference: OMX_OTHER_PARAM_PORTFORMATTYPE */
-    OMX_IndexConfigOtherPower,              /**< reference: OMX_OTHER_CONFIG_POWERTYPE */
-    OMX_IndexConfigOtherStats,              /**< reference: OMX_OTHER_CONFIG_STATSTYPE */
-
-
-    /* Reserved Time range */
-    OMX_IndexTimeStartUnused = 0x09000000,
-    OMX_IndexConfigTimeScale,               /**< reference: OMX_TIME_CONFIG_SCALETYPE */
-    OMX_IndexConfigTimeClockState,          /**< reference: OMX_TIME_CONFIG_CLOCKSTATETYPE */
-    OMX_IndexConfigTimeActiveRefClock,      /**< reference: OMX_TIME_CONFIG_ACTIVEREFCLOCKTYPE */
-    OMX_IndexConfigTimeCurrentMediaTime,    /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE (read only) */
-    OMX_IndexConfigTimeCurrentWallTime,     /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE (read only) */
-    OMX_IndexConfigTimeCurrentAudioReference, /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE (write only) */
-    OMX_IndexConfigTimeCurrentVideoReference, /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE (write only) */
-    OMX_IndexConfigTimeMediaTimeRequest,    /**< reference: OMX_TIME_CONFIG_MEDIATIMEREQUESTTYPE (write only) */
-    OMX_IndexConfigTimeClientStartTime,     /**<reference:  OMX_TIME_CONFIG_TIMESTAMPTYPE (write only) */
-    OMX_IndexConfigTimePosition,            /**< reference: OMX_TIME_CONFIG_TIMESTAMPTYPE */
-    OMX_IndexConfigTimeSeekMode,            /**< reference: OMX_TIME_CONFIG_SEEKMODETYPE */
-
-
-    OMX_IndexKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    /* Vendor specific area */
-    OMX_IndexVendorStartUnused = 0x7F000000,
-    /* Vendor specific structures should be in the range of 0x7F000000 
-       to 0x7FFFFFFE.  This range is not broken out by vendor, so
-       private indexes are not guaranteed unique and therefore should
-       only be sent to the appropriate component. */
-
-    OMX_IndexMax = 0x7FFFFFFF
-
-} OMX_INDEXTYPE;
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Types.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Types.h
deleted file mode 100644
index 03fd4bcf50..0000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Types.h
+++ /dev/null
@@ -1,365 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/*
- * Copyright (c) 2008 The Khronos Group Inc. 
- * 
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions: 
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software. 
- * 
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- *
- */
-
-/** OMX_Types.h - OpenMax IL version 1.1.2
- *  The OMX_Types header file contains the primitive type definitions used by 
- *  the core, the application and the component.  This file may need to be
- *  modified to be used on systems that do not have "char" set to 8 bits, 
- *  "short" set to 16 bits and "long" set to 32 bits.
- */
-
-#ifndef OMX_Types_h
-#define OMX_Types_h
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-/** The OMX_API and OMX_APIENTRY are platform specific definitions used
- *  to declare OMX function prototypes.  They are modified to meet the
- *  requirements for a particular platform */
-#ifdef __SYMBIAN32__   
-#   ifdef __OMX_EXPORTS
-#       define OMX_API __declspec(dllexport)
-#   else
-#       ifdef _WIN32
-#           define OMX_API __declspec(dllexport) 
-#       else
-#           define OMX_API __declspec(dllimport)
-#       endif
-#   endif
-#else
-#   ifdef _WIN32
-#      ifdef __OMX_EXPORTS
-#          define OMX_API __declspec(dllexport)
-#      else
-//#          define OMX_API __declspec(dllimport)
-#define OMX_API
-#      endif
-#   else
-#      ifdef __OMX_EXPORTS
-#          define OMX_API
-#      else
-#          define OMX_API extern
-#      endif
-#   endif
-#endif
-
-#ifndef OMX_APIENTRY
-#define OMX_APIENTRY 
-#endif 
-
-/** OMX_IN is used to identify inputs to an OMX function.  This designation 
-    will also be used in the case of a pointer that points to a parameter 
-    that is used as an output. */
-#ifndef OMX_IN
-#define OMX_IN
-#endif
-
-/** OMX_OUT is used to identify outputs from an OMX function.  This 
-    designation will also be used in the case of a pointer that points 
-    to a parameter that is used as an input. */
-#ifndef OMX_OUT
-#define OMX_OUT
-#endif
-
-
-/** OMX_INOUT is used to identify parameters that may be either inputs or
-    outputs from an OMX function at the same time.  This designation will 
-    also be used in the case of a pointer that  points to a parameter that 
-    is used both as an input and an output. */
-#ifndef OMX_INOUT
-#define OMX_INOUT
-#endif
-
-/** OMX_ALL is used to as a wildcard to select all entities of the same type
- *  when specifying the index, or referring to a object by an index.  (i.e.
- *  use OMX_ALL to indicate all N channels). When used as a port index
- *  for a config or parameter this OMX_ALL denotes that the config or
- *  parameter applies to the entire component not just one port. */
-#define OMX_ALL 0xFFFFFFFF
-
-/** In the following we define groups that help building doxygen documentation */
-
-/** @defgroup core OpenMAX IL core
- * Functions and structure related to the OMX IL core
- */
- 
- /** @defgroup comp OpenMAX IL component
- * Functions and structure related to the OMX IL component
- */
- 
-/** @defgroup rpm Resource and Policy Management 
- * Structures for resource and policy management of components
- */
-
-/** @defgroup buf Buffer Management
- * Buffer handling functions and structures
- */
-  
-/** @defgroup tun Tunneling
- * @ingroup core comp
- * Structures and functions to manage tunnels among component ports
- */
- 
-/** @defgroup cp Content Pipes
- *  @ingroup core
- */
- 
- /** @defgroup metadata Metadata handling
-  * 
-  */ 
-
-/** OMX_U8 is an 8 bit unsigned quantity that is byte aligned */
-typedef unsigned char OMX_U8;
-
-/** OMX_S8 is an 8 bit signed quantity that is byte aligned */
-typedef signed char OMX_S8;
-
-/** OMX_U16 is a 16 bit unsigned quantity that is 16 bit word aligned */
-typedef unsigned short OMX_U16;
-
-/** OMX_S16 is a 16 bit signed quantity that is 16 bit word aligned */
-typedef signed short OMX_S16;
-
-/** OMX_U32 is a 32 bit unsigned quantity that is 32 bit word aligned */
-typedef unsigned long OMX_U32;
-
-/** OMX_S32 is a 32 bit signed quantity that is 32 bit word aligned */
-typedef signed long OMX_S32;
-
-
-/* Users with compilers that cannot accept the "long long" designation should
-   define the OMX_SKIP64BIT macro.  It should be noted that this may cause 
-   some components to fail to compile if the component was written to require
-   64 bit integral types.  However, these components would NOT compile anyway
-   since the compiler does not support the way the component was written.
-*/
-#ifndef OMX_SKIP64BIT
-#ifdef __SYMBIAN32__
-/** OMX_U64 is a 64 bit unsigned quantity that is 64 bit word aligned */
-typedef unsigned long long OMX_U64;
-
-/** OMX_S64 is a 64 bit signed quantity that is 64 bit word aligned */
-typedef signed long long OMX_S64;
-
-#elif defined(WIN32)
-
-/** OMX_U64 is a 64 bit unsigned quantity that is 64 bit word aligned */   
-typedef unsigned __int64  OMX_U64;
-
-/** OMX_S64 is a 64 bit signed quantity that is 64 bit word aligned */
-typedef signed   __int64  OMX_S64;
-
-#else /* WIN32 */
-
-/** OMX_U64 is a 64 bit unsigned quantity that is 64 bit word aligned */
-typedef unsigned long long OMX_U64;
-
-/** OMX_S64 is a 64 bit signed quantity that is 64 bit word aligned */
-typedef signed long long OMX_S64;
-
-#endif /* WIN32 */
-#endif
-
-
-/** The OMX_BOOL type is intended to be used to represent a true or a false 
-    value when passing parameters to and from the OMX core and components.  The
-    OMX_BOOL is a 32 bit quantity and is aligned on a 32 bit word boundary.
- */
-typedef enum OMX_BOOL {
-    OMX_FALSE = 0,
-    OMX_TRUE = !OMX_FALSE,
-    OMX_BOOL_MAX = 0x7FFFFFFF
-} OMX_BOOL; 
- 
-/** The OMX_PTR type is intended to be used to pass pointers between the OMX
-    applications and the OMX Core and components.  This is a 32 bit pointer and
-    is aligned on a 32 bit boundary.
- */
-typedef void* OMX_PTR;
-
-/** The OMX_STRING type is intended to be used to pass "C" type strings between
-    the application and the core and component.  The OMX_STRING type is a 32 
-    bit pointer to a zero terminated string.  The  pointer is word aligned and 
-    the string is byte aligned.  
- */
-typedef char* OMX_STRING;
-
-/** The OMX_BYTE type is intended to be used to pass arrays of bytes such as
-    buffers between the application and the component and core.  The OMX_BYTE 
-    type is a 32 bit pointer to a zero terminated string.  The  pointer is word
-    aligned and the string is byte aligned.
- */
-typedef unsigned char* OMX_BYTE;
-
-/** OMX_UUIDTYPE is a very long unique identifier to uniquely identify
-    at runtime.  This identifier should be generated by a component in a way
-    that guarantees that every instance of the identifier running on the system
-    is unique. */
-typedef unsigned char OMX_UUIDTYPE[128];
-
-/** The OMX_DIRTYPE enumeration is used to indicate if a port is an input or
-    an output port.  This enumeration is common across all component types.    
- */
-typedef enum OMX_DIRTYPE
-{
-    OMX_DirInput,              /**< Port is an input port */
-    OMX_DirOutput,             /**< Port is an output port */
-    OMX_DirMax = 0x7FFFFFFF
-} OMX_DIRTYPE;
-
-/** The OMX_ENDIANTYPE enumeration is used to indicate the bit ordering 
-    for numerical data (i.e. big endian, or little endian).    
- */
-typedef enum OMX_ENDIANTYPE
-{
-    OMX_EndianBig, /**< big endian */
-    OMX_EndianLittle, /**< little endian */
-    OMX_EndianMax = 0x7FFFFFFF
-} OMX_ENDIANTYPE;
-
-
-/** The OMX_NUMERICALDATATYPE enumeration is used to indicate if data 
-    is signed or unsigned
- */
-typedef enum OMX_NUMERICALDATATYPE
-{
-    OMX_NumericalDataSigned, /**< signed data */
-    OMX_NumericalDataUnsigned, /**< unsigned data */
-    OMX_NumercialDataMax = 0x7FFFFFFF
-} OMX_NUMERICALDATATYPE;
-
-
-/** Unsigned bounded value type */
-typedef struct OMX_BU32 {
-    OMX_U32 nValue; /**< actual value */
-    OMX_U32 nMin;   /**< minimum for value (i.e. nValue >= nMin) */
-    OMX_U32 nMax;   /**< maximum for value (i.e. nValue <= nMax) */
-} OMX_BU32;
-
-
-/** Signed bounded value type */
-typedef struct OMX_BS32 {
-    OMX_S32 nValue; /**< actual value */
-    OMX_S32 nMin;   /**< minimum for value (i.e. nValue >= nMin) */
-    OMX_S32 nMax;   /**< maximum for value (i.e. nValue <= nMax) */
-} OMX_BS32;
-
-
-/** Structure representing some time or duration in microseconds. This structure
-  *  must be interpreted as a signed 64 bit value. The quantity is signed to accommodate 
-  *  negative deltas and preroll scenarios. The quantity is represented in microseconds 
-  *  to accomodate high resolution timestamps (e.g. DVD presentation timestamps based
-  *  on a 90kHz clock) and to allow more accurate and synchronized delivery (e.g. 
-  *  individual audio samples delivered at 192 kHz). The quantity is 64 bit to 
-  *  accommodate a large dynamic range (signed 32 bit values would allow only for plus
-  *  or minus 35 minutes).
-  *
-  *  Implementations with limited precision may convert the signed 64 bit value to 
-  *  a signed 32 bit value internally but risk loss of precision.  
-  */
-#ifndef OMX_SKIP64BIT
-typedef OMX_S64 OMX_TICKS;
-#else
-typedef struct OMX_TICKS
-{
-    OMX_U32 nLowPart;    /** low bits of the signed 64 bit tick value */
-    OMX_U32 nHighPart;   /** high bits of the signed 64 bit tick value */
-} OMX_TICKS;
-#endif
-#define OMX_TICKS_PER_SECOND 1000000
-
-/** Define the public interface for the OMX Handle.  The core will not use
-    this value internally, but the application should only use this value.
- */
-typedef void* OMX_HANDLETYPE;
-
-typedef struct OMX_MARKTYPE
-{
-    OMX_HANDLETYPE hMarkTargetComponent;   /**< The component that will 
-                                                generate a mark event upon 
-                                                processing the mark. */
-    OMX_PTR pMarkData;   /**< Application specific data associated with 
-                              the mark sent on a mark event to disambiguate 
-                              this mark from others. */
-} OMX_MARKTYPE;
-
-
-/** OMX_NATIVE_DEVICETYPE is used to map a OMX video port to the
- *  platform & operating specific object used to reference the display 
- *  or can be used by a audio port for native audio rendering */
-typedef void* OMX_NATIVE_DEVICETYPE;
-
-/** OMX_NATIVE_WINDOWTYPE is used to map a OMX video port to the
- *  platform & operating specific object used to reference the window */
-typedef void* OMX_NATIVE_WINDOWTYPE;
-
-/** The OMX_VERSIONTYPE union is used to specify the version for
-    a structure or component.  For a component, the version is entirely
-    specified by the component vendor.  Components doing the same function
-    from different vendors may or may not have the same version.  For 
-    structures, the version shall be set by the entity that allocates the
-    structure.  For structures specified in the OMX 1.1 specification, the
-    value of the version shall be set to 1.1.0.0 in all cases.  Access to the
-    OMX_VERSIONTYPE can be by a single 32 bit access (e.g. by nVersion) or
-    by accessing one of the structure elements to, for example, check only
-    the Major revision.
- */
-typedef union OMX_VERSIONTYPE
-{
-    struct
-    {
-        OMX_U8 nVersionMajor;   /**< Major version accessor element */
-        OMX_U8 nVersionMinor;   /**< Minor version accessor element */
-        OMX_U8 nRevision;       /**< Revision version accessor element */
-        OMX_U8 nStep;           /**< Step version accessor element */
-    } s;
-    OMX_U32 nVersion;           /**< 32 bit value to make accessing the
-                                    version easily done in a single word
-                                    size copy/compare operation */
-} OMX_VERSIONTYPE;
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
diff --git a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Video.h b/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Video.h
deleted file mode 100644
index 4f8485d3fa..0000000000
--- a/media/omx-plugin/include/ics/media/stagefright/openmax/OMX_Video.h
+++ /dev/null
@@ -1,1078 +0,0 @@
-/* ------------------------------------------------------------------
- * Copyright (C) 1998-2009 PacketVideo
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
- * express or implied.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- * -------------------------------------------------------------------
- */
-/**
- * Copyright (c) 2008 The Khronos Group Inc. 
- * 
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject
- * to the following conditions: 
- * The above copyright notice and this permission notice shall be included
- * in all copies or substantial portions of the Software. 
- * 
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
- * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
- * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- *
- */
-
-/** 
- *  @file OMX_Video.h - OpenMax IL version 1.1.2
- *  The structures is needed by Video components to exchange parameters 
- *  and configuration data with OMX components.
- */
-#ifndef OMX_Video_h
-#define OMX_Video_h
-
-/** @defgroup video OpenMAX IL Video Domain
- * @ingroup iv
- * Structures for OpenMAX IL Video domain
- * @{
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-
-/**
- * Each OMX header must include all required header files to allow the
- * header to compile without errors.  The includes below are required
- * for this header file to compile successfully 
- */
-
-#include <OMX_IVCommon.h>
-
-
-/**
- * Enumeration used to define the possible video compression codings.  
- * NOTE:  This essentially refers to file extensions. If the coding is 
- *        being used to specify the ENCODE type, then additional work 
- *        must be done to configure the exact flavor of the compression 
- *        to be used.  For decode cases where the user application can 
- *        not differentiate between MPEG-4 and H.264 bit streams, it is 
- *        up to the codec to handle this.
- */
-typedef enum OMX_VIDEO_CODINGTYPE {
-    OMX_VIDEO_CodingUnused,     /**< Value when coding is N/A */
-    OMX_VIDEO_CodingAutoDetect, /**< Autodetection of coding type */
-    OMX_VIDEO_CodingMPEG2,      /**< AKA: H.262 */
-    OMX_VIDEO_CodingH263,       /**< H.263 */
-    OMX_VIDEO_CodingMPEG4,      /**< MPEG-4 */
-    OMX_VIDEO_CodingWMV,        /**< all versions of Windows Media Video */
-    OMX_VIDEO_CodingRV,         /**< all versions of Real Video */
-    OMX_VIDEO_CodingAVC,        /**< H.264/AVC */
-    OMX_VIDEO_CodingMJPEG,      /**< Motion JPEG */
-    OMX_VIDEO_CodingVPX,        /**< Google VPX, formerly known as On2 VP8 */
-    OMX_VIDEO_CodingKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_CodingVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_CodingMax = 0x7FFFFFFF
-} OMX_VIDEO_CODINGTYPE;
-
-
-/**
- * Data structure used to define a video path.  The number of Video paths for 
- * input and output will vary by type of the Video component.  
- * 
- *    Input (aka Source) : zero Inputs, one Output,
- *    Splitter           : one Input, 2 or more Outputs,
- *    Processing Element : one Input, one output,
- *    Mixer              : 2 or more inputs, one output,
- *    Output (aka Sink)  : one Input, zero outputs.
- * 
- * The PortDefinition structure is used to define all of the parameters 
- * necessary for the compliant component to setup an input or an output video 
- * path.  If additional vendor specific data is required, it should be 
- * transmitted to the component using the CustomCommand function.  Compliant 
- * components will prepopulate this structure with optimal values during the 
- * GetDefaultInitParams command.
- *
- * STRUCT MEMBERS:
- *  cMIMEType             : MIME type of data for the port
- *  pNativeRender         : Platform specific reference for a display if a 
- *                          sync, otherwise this field is 0
- *  nFrameWidth           : Width of frame to be used on channel if 
- *                          uncompressed format is used.  Use 0 for unknown,
- *                          don't care or variable
- *  nFrameHeight          : Height of frame to be used on channel if 
- *                          uncompressed format is used. Use 0 for unknown,
- *                          don't care or variable
- *  nStride               : Number of bytes per span of an image 
- *                          (i.e. indicates the number of bytes to get
- *                          from span N to span N+1, where negative stride
- *                          indicates the image is bottom up
- *  nSliceHeight          : Height used when encoding in slices
- *  nBitrate              : Bit rate of frame to be used on channel if 
- *                          compressed format is used. Use 0 for unknown, 
- *                          don't care or variable
- *  xFramerate            : Frame rate to be used on channel if uncompressed 
- *                          format is used. Use 0 for unknown, don't care or 
- *                          variable.  Units are Q16 frames per second.
- *  bFlagErrorConcealment : Turns on error concealment if it is supported by 
- *                          the OMX component
- *  eCompressionFormat    : Compression format used in this instance of the 
- *                          component. When OMX_VIDEO_CodingUnused is 
- *                          specified, eColorFormat is used
- *  eColorFormat : Decompressed format used by this component
- *  pNativeWindow : Platform specific reference for a window object if a 
- *                          display sink , otherwise this field is 0x0. 
- */
-typedef struct OMX_VIDEO_PORTDEFINITIONTYPE {
-    OMX_STRING cMIMEType;
-    OMX_NATIVE_DEVICETYPE pNativeRender;
-    OMX_U32 nFrameWidth;
-    OMX_U32 nFrameHeight;
-    OMX_S32 nStride;
-    OMX_U32 nSliceHeight;
-    OMX_U32 nBitrate;
-    OMX_U32 xFramerate;
-    OMX_BOOL bFlagErrorConcealment;
-    OMX_VIDEO_CODINGTYPE eCompressionFormat;
-    OMX_COLOR_FORMATTYPE eColorFormat;
-    OMX_NATIVE_WINDOWTYPE pNativeWindow;
-} OMX_VIDEO_PORTDEFINITIONTYPE;
-
-/**  
- * Port format parameter.  This structure is used to enumerate the various 
- * data input/output format supported by the port.
- * 
- * STRUCT MEMBERS:
- *  nSize              : Size of the structure in bytes
- *  nVersion           : OMX specification version information
- *  nPortIndex         : Indicates which port to set
- *  nIndex             : Indicates the enumeration index for the format from 
- *                       0x0 to N-1
- *  eCompressionFormat : Compression format used in this instance of the 
- *                       component. When OMX_VIDEO_CodingUnused is specified, 
- *                       eColorFormat is used 
- *  eColorFormat       : Decompressed format used by this component
- *  xFrameRate         : Indicates the video frame rate in Q16 format
- */
-typedef struct OMX_VIDEO_PARAM_PORTFORMATTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nIndex;
-    OMX_VIDEO_CODINGTYPE eCompressionFormat; 
-    OMX_COLOR_FORMATTYPE eColorFormat;
-    OMX_U32 xFramerate;
-} OMX_VIDEO_PARAM_PORTFORMATTYPE;
-
-
-/**
- * This is a structure for configuring video compression quantization 
- * parameter values.  Codecs may support different QP values for different
- * frame types.
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version info
- *  nPortIndex : Port that this structure applies to
- *  nQpI       : QP value to use for index frames
- *  nQpP       : QP value to use for P frames
- *  nQpB       : QP values to use for bidirectional frames 
- */
-typedef struct OMX_VIDEO_PARAM_QUANTIZATIONTYPE {
-    OMX_U32 nSize;            
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nQpI;
-    OMX_U32 nQpP;
-    OMX_U32 nQpB;
-} OMX_VIDEO_PARAM_QUANTIZATIONTYPE;
-
-
-/** 
- * Structure for configuration of video fast update parameters. 
- *  
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version info 
- *  nPortIndex : Port that this structure applies to
- *  bEnableVFU : Enable/Disable video fast update
- *  nFirstGOB  : Specifies the number of the first macroblock row
- *  nFirstMB   : specifies the first MB relative to the specified first GOB
- *  nNumMBs    : Specifies the number of MBs to be refreshed from nFirstGOB 
- *               and nFirstMB
- */
-typedef struct OMX_VIDEO_PARAM_VIDEOFASTUPDATETYPE {
-    OMX_U32 nSize;            
-    OMX_VERSIONTYPE nVersion; 
-    OMX_U32 nPortIndex;       
-    OMX_BOOL bEnableVFU;      
-    OMX_U32 nFirstGOB;                            
-    OMX_U32 nFirstMB;                            
-    OMX_U32 nNumMBs;                                  
-} OMX_VIDEO_PARAM_VIDEOFASTUPDATETYPE;
-
-
-/** 
- * Enumeration of possible bitrate control types 
- */
-typedef enum OMX_VIDEO_CONTROLRATETYPE {
-    OMX_Video_ControlRateDisable,
-    OMX_Video_ControlRateVariable,
-    OMX_Video_ControlRateConstant,
-    OMX_Video_ControlRateVariableSkipFrames,
-    OMX_Video_ControlRateConstantSkipFrames,
-    OMX_Video_ControlRateKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_Video_ControlRateVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_Video_ControlRateMax = 0x7FFFFFFF
-} OMX_VIDEO_CONTROLRATETYPE;
-
-
-/** 
- * Structure for configuring bitrate mode of a codec. 
- *
- * STRUCT MEMBERS:
- *  nSize          : Size of the struct in bytes
- *  nVersion       : OMX spec version info
- *  nPortIndex     : Port that this struct applies to
- *  eControlRate   : Control rate type enum
- *  nTargetBitrate : Target bitrate to encode with
- */
-typedef struct OMX_VIDEO_PARAM_BITRATETYPE {
-    OMX_U32 nSize;                          
-    OMX_VERSIONTYPE nVersion;               
-    OMX_U32 nPortIndex;                     
-    OMX_VIDEO_CONTROLRATETYPE eControlRate; 
-    OMX_U32 nTargetBitrate;                 
-} OMX_VIDEO_PARAM_BITRATETYPE;
-
-
-/** 
- * Enumeration of possible motion vector (MV) types 
- */
-typedef enum OMX_VIDEO_MOTIONVECTORTYPE {
-    OMX_Video_MotionVectorPixel,
-    OMX_Video_MotionVectorHalfPel,
-    OMX_Video_MotionVectorQuarterPel,
-    OMX_Video_MotionVectorEighthPel,
-    OMX_Video_MotionVectorKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_Video_MotionVectorVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_Video_MotionVectorMax = 0x7FFFFFFF
-} OMX_VIDEO_MOTIONVECTORTYPE;
-
-
-/**
- * Structure for configuring the number of motion vectors used as well
- * as their accuracy.
- * 
- * STRUCT MEMBERS:
- *  nSize            : Size of the struct in bytes
- *  nVersion         : OMX spec version info
- *  nPortIndex       : port that this structure applies to
- *  eAccuracy        : Enumerated MV accuracy
- *  bUnrestrictedMVs : Allow unrestricted MVs
- *  bFourMV          : Allow use of 4 MVs
- *  sXSearchRange    : Search range in horizontal direction for MVs
- *  sYSearchRange    : Search range in vertical direction for MVs
- */
-typedef struct OMX_VIDEO_PARAM_MOTIONVECTORTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_VIDEO_MOTIONVECTORTYPE eAccuracy;
-    OMX_BOOL bUnrestrictedMVs;
-    OMX_BOOL bFourMV;
-    OMX_S32 sXSearchRange;
-    OMX_S32 sYSearchRange;
-} OMX_VIDEO_PARAM_MOTIONVECTORTYPE;
-
-
-/** 
- * Enumeration of possible methods to use for Intra Refresh 
- */
-typedef enum OMX_VIDEO_INTRAREFRESHTYPE {
-    OMX_VIDEO_IntraRefreshCyclic,
-    OMX_VIDEO_IntraRefreshAdaptive,
-    OMX_VIDEO_IntraRefreshBoth,
-    OMX_VIDEO_IntraRefreshKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_IntraRefreshVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_IntraRefreshMax = 0x7FFFFFFF
-} OMX_VIDEO_INTRAREFRESHTYPE;
-
-
-/**
- * Structure for configuring intra refresh mode 
- * 
- * STRUCT MEMBERS:
- *  nSize        : Size of the structure in bytes
- *  nVersion     : OMX specification version information
- *  nPortIndex   : Port that this structure applies to
- *  eRefreshMode : Cyclic, Adaptive, or Both
- *  nAirMBs      : Number of intra macroblocks to refresh in a frame when 
- *                 AIR is enabled
- *  nAirRef      : Number of times a motion marked macroblock has to be  
- *                 intra coded
- *  nCirMBs      : Number of consecutive macroblocks to be coded as "intra"  
- *                 when CIR is enabled
- */
-typedef struct OMX_VIDEO_PARAM_INTRAREFRESHTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_VIDEO_INTRAREFRESHTYPE eRefreshMode;
-    OMX_U32 nAirMBs;
-    OMX_U32 nAirRef;
-    OMX_U32 nCirMBs;
-} OMX_VIDEO_PARAM_INTRAREFRESHTYPE;
-
-
-/**
- * Structure for enabling various error correction methods for video 
- * compression.
- *
- * STRUCT MEMBERS:
- *  nSize                   : Size of the structure in bytes
- *  nVersion                : OMX specification version information 
- *  nPortIndex              : Port that this structure applies to 
- *  bEnableHEC              : Enable/disable header extension codes (HEC)
- *  bEnableResync           : Enable/disable resynchronization markers
- *  nResynchMarkerSpacing   : Resynch markers interval (in bits) to be 
- *                            applied in the stream 
- *  bEnableDataPartitioning : Enable/disable data partitioning 
- *  bEnableRVLC             : Enable/disable reversible variable length 
- *                            coding
- */
-typedef struct OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bEnableHEC;
-    OMX_BOOL bEnableResync;
-    OMX_U32  nResynchMarkerSpacing;
-    OMX_BOOL bEnableDataPartitioning;
-    OMX_BOOL bEnableRVLC;
-} OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE;
-
-
-/** 
- * Configuration of variable block-size motion compensation (VBSMC) 
- * 
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information 
- *  nPortIndex : Port that this structure applies to
- *  b16x16     : Enable inter block search 16x16
- *  b16x8      : Enable inter block search 16x8
- *  b8x16      : Enable inter block search 8x16
- *  b8x8       : Enable inter block search 8x8
- *  b8x4       : Enable inter block search 8x4
- *  b4x8       : Enable inter block search 4x8
- *  b4x4       : Enable inter block search 4x4
- */
-typedef struct OMX_VIDEO_PARAM_VBSMCTYPE {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion; 
-    OMX_U32 nPortIndex;       
-    OMX_BOOL b16x16; 
-    OMX_BOOL b16x8; 
-    OMX_BOOL b8x16;
-    OMX_BOOL b8x8;
-    OMX_BOOL b8x4;
-    OMX_BOOL b4x8;
-    OMX_BOOL b4x4;
-} OMX_VIDEO_PARAM_VBSMCTYPE;
-
-
-/** 
- * H.263 profile types, each profile indicates support for various 
- * performance bounds and different annexes.
- *
- * ENUMS:
- *  Baseline           : Baseline Profile: H.263 (V1), no optional modes                                                    
- *  H320 Coding        : H.320 Coding Efficiency Backward Compatibility 
- *                       Profile: H.263+ (V2), includes annexes I, J, L.4
- *                       and T
- *  BackwardCompatible : Backward Compatibility Profile: H.263 (V1), 
- *                       includes annex F                                    
- *  ISWV2              : Interactive Streaming Wireless Profile: H.263+ 
- *                       (V2), includes annexes I, J, K and T                 
- *  ISWV3              : Interactive Streaming Wireless Profile: H.263++  
- *                       (V3), includes profile 3 and annexes V and W.6.3.8   
- *  HighCompression    : Conversational High Compression Profile: H.263++  
- *                       (V3), includes profiles 1 & 2 and annexes D and U   
- *  Internet           : Conversational Internet Profile: H.263++ (V3),  
- *                       includes profile 5 and annex K                       
- *  Interlace          : Conversational Interlace Profile: H.263++ (V3),  
- *                       includes profile 5 and annex W.6.3.11               
- *  HighLatency        : High Latency Profile: H.263++ (V3), includes  
- *                       profile 6 and annexes O.1 and P.5                       
- */
-typedef enum OMX_VIDEO_H263PROFILETYPE {
-    OMX_VIDEO_H263ProfileBaseline            = 0x01,        
-    OMX_VIDEO_H263ProfileH320Coding          = 0x02,          
-    OMX_VIDEO_H263ProfileBackwardCompatible  = 0x04,  
-    OMX_VIDEO_H263ProfileISWV2               = 0x08,               
-    OMX_VIDEO_H263ProfileISWV3               = 0x10,               
-    OMX_VIDEO_H263ProfileHighCompression     = 0x20,     
-    OMX_VIDEO_H263ProfileInternet            = 0x40,            
-    OMX_VIDEO_H263ProfileInterlace           = 0x80,           
-    OMX_VIDEO_H263ProfileHighLatency         = 0x100,         
-    OMX_VIDEO_H263ProfileKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_H263ProfileVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_H263ProfileMax                 = 0x7FFFFFFF  
-} OMX_VIDEO_H263PROFILETYPE;
-
-
-/** 
- * H.263 level types, each level indicates support for various frame sizes, 
- * bit rates, decoder frame rates.
- */
-typedef enum OMX_VIDEO_H263LEVELTYPE {
-    OMX_VIDEO_H263Level10  = 0x01,  
-    OMX_VIDEO_H263Level20  = 0x02,      
-    OMX_VIDEO_H263Level30  = 0x04,      
-    OMX_VIDEO_H263Level40  = 0x08,      
-    OMX_VIDEO_H263Level45  = 0x10,      
-    OMX_VIDEO_H263Level50  = 0x20,      
-    OMX_VIDEO_H263Level60  = 0x40,      
-    OMX_VIDEO_H263Level70  = 0x80, 
-    OMX_VIDEO_H263LevelKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_H263LevelVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_H263LevelMax = 0x7FFFFFFF  
-} OMX_VIDEO_H263LEVELTYPE;
-
-
-/** 
- * Specifies the picture type. These values should be OR'd to signal all 
- * pictures types which are allowed.
- *
- * ENUMS:
- *  Generic Picture Types:          I, P and B
- *  H.263 Specific Picture Types:   SI and SP
- *  H.264 Specific Picture Types:   EI and EP
- *  MPEG-4 Specific Picture Types:  S
- */
-typedef enum OMX_VIDEO_PICTURETYPE {
-    OMX_VIDEO_PictureTypeI   = 0x01,
-    OMX_VIDEO_PictureTypeP   = 0x02,
-    OMX_VIDEO_PictureTypeB   = 0x04,
-    OMX_VIDEO_PictureTypeSI  = 0x08,
-    OMX_VIDEO_PictureTypeSP  = 0x10,
-    OMX_VIDEO_PictureTypeEI  = 0x11,
-    OMX_VIDEO_PictureTypeEP  = 0x12,
-    OMX_VIDEO_PictureTypeS   = 0x14,
-    OMX_VIDEO_PictureTypeKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_PictureTypeVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_PictureTypeMax = 0x7FFFFFFF
-} OMX_VIDEO_PICTURETYPE;
-
-
-/** 
- * H.263 Params 
- *
- * STRUCT MEMBERS:
- *  nSize                    : Size of the structure in bytes
- *  nVersion                 : OMX specification version information 
- *  nPortIndex               : Port that this structure applies to
- *  nPFrames                 : Number of P frames between each I frame
- *  nBFrames                 : Number of B frames between each I frame
- *  eProfile                 : H.263 profile(s) to use
- *  eLevel                   : H.263 level(s) to use
- *  bPLUSPTYPEAllowed        : Indicating that it is allowed to use PLUSPTYPE 
- *                             (specified in the 1998 version of H.263) to 
- *                             indicate custom picture sizes or clock 
- *                             frequencies 
- *  nAllowedPictureTypes     : Specifies the picture types allowed in the 
- *                             bitstream
- *  bForceRoundingTypeToZero : value of the RTYPE bit (bit 6 of MPPTYPE) is 
- *                             not constrained. It is recommended to change 
- *                             the value of the RTYPE bit for each reference 
- *                             picture in error-free communication
- *  nPictureHeaderRepetition : Specifies the frequency of picture header 
- *                             repetition
- *  nGOBHeaderInterval       : Specifies the interval of non-empty GOB  
- *                             headers in units of GOBs
- */
-typedef struct OMX_VIDEO_PARAM_H263TYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nPFrames;
-    OMX_U32 nBFrames;
-    OMX_VIDEO_H263PROFILETYPE eProfile;
-	OMX_VIDEO_H263LEVELTYPE eLevel;
-    OMX_BOOL bPLUSPTYPEAllowed;
-    OMX_U32 nAllowedPictureTypes;
-    OMX_BOOL bForceRoundingTypeToZero;
-    OMX_U32 nPictureHeaderRepetition;
-    OMX_U32 nGOBHeaderInterval;
-} OMX_VIDEO_PARAM_H263TYPE;
-
-
-/** 
- * MPEG-2 profile types, each profile indicates support for various 
- * performance bounds and different annexes.
- */
-typedef enum OMX_VIDEO_MPEG2PROFILETYPE {
-    OMX_VIDEO_MPEG2ProfileSimple = 0,  /**< Simple Profile */
-    OMX_VIDEO_MPEG2ProfileMain,        /**< Main Profile */
-    OMX_VIDEO_MPEG2Profile422,         /**< 4:2:2 Profile */
-    OMX_VIDEO_MPEG2ProfileSNR,         /**< SNR Profile */
-    OMX_VIDEO_MPEG2ProfileSpatial,     /**< Spatial Profile */
-    OMX_VIDEO_MPEG2ProfileHigh,        /**< High Profile */
-    OMX_VIDEO_MPEG2ProfileKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_MPEG2ProfileVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_MPEG2ProfileMax = 0x7FFFFFFF  
-} OMX_VIDEO_MPEG2PROFILETYPE;
-
-
-/** 
- * MPEG-2 level types, each level indicates support for various frame 
- * sizes, bit rates, decoder frame rates.  No need 
- */
-typedef enum OMX_VIDEO_MPEG2LEVELTYPE {
-    OMX_VIDEO_MPEG2LevelLL = 0,  /**< Low Level */ 
-    OMX_VIDEO_MPEG2LevelML,      /**< Main Level */ 
-    OMX_VIDEO_MPEG2LevelH14,     /**< High 1440 */ 
-    OMX_VIDEO_MPEG2LevelHL,      /**< High Level */   
-    OMX_VIDEO_MPEG2LevelKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_MPEG2LevelVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_MPEG2LevelMax = 0x7FFFFFFF  
-} OMX_VIDEO_MPEG2LEVELTYPE;
-
-
-/** 
- * MPEG-2 params 
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nPFrames   : Number of P frames between each I frame
- *  nBFrames   : Number of B frames between each I frame
- *  eProfile   : MPEG-2 profile(s) to use
- *  eLevel     : MPEG-2 levels(s) to use
- */
-typedef struct OMX_VIDEO_PARAM_MPEG2TYPE {
-    OMX_U32 nSize;           
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;      
-    OMX_U32 nPFrames;        
-    OMX_U32 nBFrames;        
-    OMX_VIDEO_MPEG2PROFILETYPE eProfile;
-	OMX_VIDEO_MPEG2LEVELTYPE eLevel;   
-} OMX_VIDEO_PARAM_MPEG2TYPE;
-
-
-/** 
- * MPEG-4 profile types, each profile indicates support for various 
- * performance bounds and different annexes.
- * 
- * ENUMS:
- *  - Simple Profile, Levels 1-3
- *  - Simple Scalable Profile, Levels 1-2
- *  - Core Profile, Levels 1-2
- *  - Main Profile, Levels 2-4
- *  - N-bit Profile, Level 2
- *  - Scalable Texture Profile, Level 1
- *  - Simple Face Animation Profile, Levels 1-2
- *  - Simple Face and Body Animation (FBA) Profile, Levels 1-2
- *  - Basic Animated Texture Profile, Levels 1-2
- *  - Hybrid Profile, Levels 1-2
- *  - Advanced Real Time Simple Profiles, Levels 1-4
- *  - Core Scalable Profile, Levels 1-3
- *  - Advanced Coding Efficiency Profile, Levels 1-4
- *  - Advanced Core Profile, Levels 1-2
- *  - Advanced Scalable Texture, Levels 2-3
- */
-typedef enum OMX_VIDEO_MPEG4PROFILETYPE {
-    OMX_VIDEO_MPEG4ProfileSimple           = 0x01,        
-    OMX_VIDEO_MPEG4ProfileSimpleScalable   = 0x02,    
-    OMX_VIDEO_MPEG4ProfileCore             = 0x04,              
-    OMX_VIDEO_MPEG4ProfileMain             = 0x08,             
-    OMX_VIDEO_MPEG4ProfileNbit             = 0x10,              
-    OMX_VIDEO_MPEG4ProfileScalableTexture  = 0x20,   
-    OMX_VIDEO_MPEG4ProfileSimpleFace       = 0x40,        
-    OMX_VIDEO_MPEG4ProfileSimpleFBA        = 0x80,         
-    OMX_VIDEO_MPEG4ProfileBasicAnimated    = 0x100,     
-    OMX_VIDEO_MPEG4ProfileHybrid           = 0x200,            
-    OMX_VIDEO_MPEG4ProfileAdvancedRealTime = 0x400,  
-    OMX_VIDEO_MPEG4ProfileCoreScalable     = 0x800,      
-    OMX_VIDEO_MPEG4ProfileAdvancedCoding   = 0x1000,    
-    OMX_VIDEO_MPEG4ProfileAdvancedCore     = 0x2000,      
-    OMX_VIDEO_MPEG4ProfileAdvancedScalable = 0x4000,
-    OMX_VIDEO_MPEG4ProfileAdvancedSimple   = 0x8000,
-    OMX_VIDEO_MPEG4ProfileKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_MPEG4ProfileVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_MPEG4ProfileMax              = 0x7FFFFFFF  
-} OMX_VIDEO_MPEG4PROFILETYPE;
-
-
-/** 
- * MPEG-4 level types, each level indicates support for various frame 
- * sizes, bit rates, decoder frame rates.  No need 
- */
-typedef enum OMX_VIDEO_MPEG4LEVELTYPE {
-    OMX_VIDEO_MPEG4Level0  = 0x01,   /**< Level 0 */   
-    OMX_VIDEO_MPEG4Level0b = 0x02,   /**< Level 0b */   
-    OMX_VIDEO_MPEG4Level1  = 0x04,   /**< Level 1 */ 
-    OMX_VIDEO_MPEG4Level2  = 0x08,   /**< Level 2 */ 
-    OMX_VIDEO_MPEG4Level3  = 0x10,   /**< Level 3 */ 
-    OMX_VIDEO_MPEG4Level4  = 0x20,   /**< Level 4 */  
-    OMX_VIDEO_MPEG4Level4a = 0x40,   /**< Level 4a */  
-    OMX_VIDEO_MPEG4Level5  = 0x80,   /**< Level 5 */  
-    OMX_VIDEO_MPEG4LevelKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_MPEG4LevelVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_MPEG4LevelMax = 0x7FFFFFFF  
-} OMX_VIDEO_MPEG4LEVELTYPE;
-
-
-/** 
- * MPEG-4 configuration.  This structure handles configuration options
- * which are specific to MPEG4 algorithms
- *
- * STRUCT MEMBERS:
- *  nSize                : Size of the structure in bytes
- *  nVersion             : OMX specification version information
- *  nPortIndex           : Port that this structure applies to
- *  nSliceHeaderSpacing  : Number of macroblocks between slice header (H263+ 
- *                         Annex K). Put zero if not used
- *  bSVH                 : Enable Short Video Header mode
- *  bGov                 : Flag to enable GOV
- *  nPFrames             : Number of P frames between each I frame (also called 
- *                         GOV period)
- *  nBFrames             : Number of B frames between each I frame
- *  nIDCVLCThreshold     : Value of intra DC VLC threshold
- *  bACPred              : Flag to use ac prediction
- *  nMaxPacketSize       : Maximum size of packet in bytes.
- *  nTimeIncRes          : Used to pass VOP time increment resolution for MPEG4. 
- *                         Interpreted as described in MPEG4 standard.
- *  eProfile             : MPEG-4 profile(s) to use.
- *  eLevel               : MPEG-4 level(s) to use.
- *  nAllowedPictureTypes : Specifies the picture types allowed in the bitstream
- *  nHeaderExtension     : Specifies the number of consecutive video packet
- *                         headers within a VOP
- *  bReversibleVLC       : Specifies whether reversible variable length coding 
- *                         is in use
- */
-typedef struct OMX_VIDEO_PARAM_MPEG4TYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nSliceHeaderSpacing;
-    OMX_BOOL bSVH;
-    OMX_BOOL bGov;
-    OMX_U32 nPFrames;
-    OMX_U32 nBFrames;
-    OMX_U32 nIDCVLCThreshold;
-    OMX_BOOL bACPred;
-    OMX_U32 nMaxPacketSize;
-    OMX_U32 nTimeIncRes;
-    OMX_VIDEO_MPEG4PROFILETYPE eProfile;
-    OMX_VIDEO_MPEG4LEVELTYPE eLevel;
-    OMX_U32 nAllowedPictureTypes;
-    OMX_U32 nHeaderExtension;
-    OMX_BOOL bReversibleVLC;
-} OMX_VIDEO_PARAM_MPEG4TYPE;
-
-
-/** 
- * WMV Versions 
- */
-typedef enum OMX_VIDEO_WMVFORMATTYPE {
-    OMX_VIDEO_WMVFormatUnused = 0x01,   /**< Format unused or unknown */
-    OMX_VIDEO_WMVFormat7      = 0x02,   /**< Windows Media Video format 7 */
-    OMX_VIDEO_WMVFormat8      = 0x04,   /**< Windows Media Video format 8 */
-    OMX_VIDEO_WMVFormat9      = 0x08,   /**< Windows Media Video format 9 */
-    OMX_VIDEO_WMFFormatKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_WMFFormatVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_WMVFormatMax    = 0x7FFFFFFF
-} OMX_VIDEO_WMVFORMATTYPE;
-
-
-/** 
- * WMV Params 
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  eFormat    : Version of WMV stream / data
- */
-typedef struct OMX_VIDEO_PARAM_WMVTYPE {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_VIDEO_WMVFORMATTYPE eFormat;
-} OMX_VIDEO_PARAM_WMVTYPE;
-
-
-/** 
- * Real Video Version 
- */
-typedef enum OMX_VIDEO_RVFORMATTYPE {
-    OMX_VIDEO_RVFormatUnused = 0, /**< Format unused or unknown */
-    OMX_VIDEO_RVFormat8,          /**< Real Video format 8 */
-    OMX_VIDEO_RVFormat9,          /**< Real Video format 9 */
-    OMX_VIDEO_RVFormatG2,         /**< Real Video Format G2 */
-    OMX_VIDEO_RVFormatKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_RVFormatVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_RVFormatMax = 0x7FFFFFFF
-} OMX_VIDEO_RVFORMATTYPE;
-
-
-/** 
- * Real Video Params 
- *
- * STUCT MEMBERS:
- *  nSize              : Size of the structure in bytes
- *  nVersion           : OMX specification version information 
- *  nPortIndex         : Port that this structure applies to
- *  eFormat            : Version of RV stream / data
- *  nBitsPerPixel      : Bits per pixel coded in the frame
- *  nPaddedWidth       : Padded width in pixel of a video frame
- *  nPaddedHeight      : Padded Height in pixels of a video frame
- *  nFrameRate         : Rate of video in frames per second
- *  nBitstreamFlags    : Flags which internal information about the bitstream
- *  nBitstreamVersion  : Bitstream version
- *  nMaxEncodeFrameSize: Max encoded frame size
- *  bEnablePostFilter  : Turn on/off post filter
- *  bEnableTemporalInterpolation : Turn on/off temporal interpolation
- *  bEnableLatencyMode : When enabled, the decoder does not display a decoded 
- *                       frame until it has detected that no enhancement layer 
- *  					 frames or dependent B frames will be coming. This 
- *  					 detection usually occurs when a subsequent non-B 
- *  					 frame is encountered 
- */
-typedef struct OMX_VIDEO_PARAM_RVTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_VIDEO_RVFORMATTYPE eFormat;
-    OMX_U16 nBitsPerPixel;
-    OMX_U16 nPaddedWidth;
-    OMX_U16 nPaddedHeight;
-    OMX_U32 nFrameRate;
-    OMX_U32 nBitstreamFlags;
-    OMX_U32 nBitstreamVersion;
-    OMX_U32 nMaxEncodeFrameSize;
-    OMX_BOOL bEnablePostFilter;
-    OMX_BOOL bEnableTemporalInterpolation;
-    OMX_BOOL bEnableLatencyMode;
-} OMX_VIDEO_PARAM_RVTYPE;
-
-
-/** 
- * AVC profile types, each profile indicates support for various 
- * performance bounds and different annexes.
- */
-typedef enum OMX_VIDEO_AVCPROFILETYPE {
-    OMX_VIDEO_AVCProfileBaseline = 0x01,   /**< Baseline profile */
-    OMX_VIDEO_AVCProfileMain     = 0x02,   /**< Main profile */
-    OMX_VIDEO_AVCProfileExtended = 0x04,   /**< Extended profile */
-    OMX_VIDEO_AVCProfileHigh     = 0x08,   /**< High profile */
-    OMX_VIDEO_AVCProfileHigh10   = 0x10,   /**< High 10 profile */
-    OMX_VIDEO_AVCProfileHigh422  = 0x20,   /**< High 4:2:2 profile */
-    OMX_VIDEO_AVCProfileHigh444  = 0x40,   /**< High 4:4:4 profile */
-    OMX_VIDEO_AVCProfileKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_AVCProfileVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_AVCProfileMax      = 0x7FFFFFFF  
-} OMX_VIDEO_AVCPROFILETYPE;
-
-
-/** 
- * AVC level types, each level indicates support for various frame sizes, 
- * bit rates, decoder frame rates.  No need 
- */
-typedef enum OMX_VIDEO_AVCLEVELTYPE {
-    OMX_VIDEO_AVCLevel1   = 0x01,     /**< Level 1 */
-    OMX_VIDEO_AVCLevel1b  = 0x02,     /**< Level 1b */
-    OMX_VIDEO_AVCLevel11  = 0x04,     /**< Level 1.1 */
-    OMX_VIDEO_AVCLevel12  = 0x08,     /**< Level 1.2 */
-    OMX_VIDEO_AVCLevel13  = 0x10,     /**< Level 1.3 */
-    OMX_VIDEO_AVCLevel2   = 0x20,     /**< Level 2 */
-    OMX_VIDEO_AVCLevel21  = 0x40,     /**< Level 2.1 */
-    OMX_VIDEO_AVCLevel22  = 0x80,     /**< Level 2.2 */
-    OMX_VIDEO_AVCLevel3   = 0x100,    /**< Level 3 */
-    OMX_VIDEO_AVCLevel31  = 0x200,    /**< Level 3.1 */
-    OMX_VIDEO_AVCLevel32  = 0x400,    /**< Level 3.2 */
-    OMX_VIDEO_AVCLevel4   = 0x800,    /**< Level 4 */
-    OMX_VIDEO_AVCLevel41  = 0x1000,   /**< Level 4.1 */
-    OMX_VIDEO_AVCLevel42  = 0x2000,   /**< Level 4.2 */
-    OMX_VIDEO_AVCLevel5   = 0x4000,   /**< Level 5 */
-    OMX_VIDEO_AVCLevel51  = 0x8000,   /**< Level 5.1 */
-    OMX_VIDEO_AVCLevelKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_AVCLevelVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_AVCLevelMax = 0x7FFFFFFF  
-} OMX_VIDEO_AVCLEVELTYPE;
-
-
-/** 
- * AVC loop filter modes 
- *
- * OMX_VIDEO_AVCLoopFilterEnable               : Enable
- * OMX_VIDEO_AVCLoopFilterDisable              : Disable
- * OMX_VIDEO_AVCLoopFilterDisableSliceBoundary : Disabled on slice boundaries
- */
-typedef enum OMX_VIDEO_AVCLOOPFILTERTYPE {
-    OMX_VIDEO_AVCLoopFilterEnable = 0,
-    OMX_VIDEO_AVCLoopFilterDisable,
-    OMX_VIDEO_AVCLoopFilterDisableSliceBoundary,
-    OMX_VIDEO_AVCLoopFilterKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_AVCLoopFilterVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_AVCLoopFilterMax = 0x7FFFFFFF
-} OMX_VIDEO_AVCLOOPFILTERTYPE;
-
-
-/** 
- * AVC params 
- *
- * STRUCT MEMBERS:
- *  nSize                     : Size of the structure in bytes
- *  nVersion                  : OMX specification version information
- *  nPortIndex                : Port that this structure applies to
- *  nSliceHeaderSpacing       : Number of macroblocks between slice header, put  
- *                              zero if not used
- *  nPFrames                  : Number of P frames between each I frame
- *  nBFrames                  : Number of B frames between each I frame
- *  bUseHadamard              : Enable/disable Hadamard transform
- *  nRefFrames                : Max number of reference frames to use for inter
- *                              motion search (1-16)
- *  nRefIdxTrailing           : Pic param set ref frame index (index into ref
- *                              frame buffer of trailing frames list), B frame
- *                              support
- *  nRefIdxForward            : Pic param set ref frame index (index into ref
- *                              frame buffer of forward frames list), B frame
- *                              support
- *  bEnableUEP                : Enable/disable unequal error protection. This 
- *                              is only valid of data partitioning is enabled.
- *  bEnableFMO                : Enable/disable flexible macroblock ordering
- *  bEnableASO                : Enable/disable arbitrary slice ordering
- *  bEnableRS                 : Enable/disable sending of redundant slices
- *  eProfile                  : AVC profile(s) to use
- *  eLevel                    : AVC level(s) to use
- *  nAllowedPictureTypes      : Specifies the picture types allowed in the 
- *                              bitstream
- *  bFrameMBsOnly             : specifies that every coded picture of the 
- *                              coded video sequence is a coded frame 
- *                              containing only frame macroblocks
- *  bMBAFF                    : Enable/disable switching between frame and 
- *                              field macroblocks within a picture
- *  bEntropyCodingCABAC       : Entropy decoding method to be applied for the 
- *                              syntax elements for which two descriptors appear 
- *                              in the syntax tables
- *  bWeightedPPrediction      : Enable/disable weighted prediction shall not 
- *                              be applied to P and SP slices
- *  nWeightedBipredicitonMode : Default weighted prediction is applied to B 
- *                              slices 
- *  bconstIpred               : Enable/disable intra prediction
- *  bDirect8x8Inference       : Specifies the method used in the derivation 
- *                              process for luma motion vectors for B_Skip, 
- *                              B_Direct_16x16 and B_Direct_8x8 as specified 
- *                              in subclause 8.4.1.2 of the AVC spec 
- *  bDirectSpatialTemporal    : Flag indicating spatial or temporal direct
- *                              mode used in B slice coding (related to 
- *                              bDirect8x8Inference) . Spatial direct mode is 
- *                              more common and should be the default.
- *  nCabacInitIdx             : Index used to init CABAC contexts
- *  eLoopFilterMode           : Enable/disable loop filter
- */
-typedef struct OMX_VIDEO_PARAM_AVCTYPE {
-    OMX_U32 nSize;                 
-    OMX_VERSIONTYPE nVersion;      
-    OMX_U32 nPortIndex;            
-    OMX_U32 nSliceHeaderSpacing;  
-    OMX_U32 nPFrames;     
-    OMX_U32 nBFrames;     
-    OMX_BOOL bUseHadamard;
-    OMX_U32 nRefFrames;  
-	OMX_U32 nRefIdx10ActiveMinus1;
-	OMX_U32 nRefIdx11ActiveMinus1;
-    OMX_BOOL bEnableUEP;  
-    OMX_BOOL bEnableFMO;  
-    OMX_BOOL bEnableASO;  
-    OMX_BOOL bEnableRS;   
-    OMX_VIDEO_AVCPROFILETYPE eProfile;
-	OMX_VIDEO_AVCLEVELTYPE eLevel; 
-    OMX_U32 nAllowedPictureTypes;  
-	OMX_BOOL bFrameMBsOnly;        									
-    OMX_BOOL bMBAFF;               
-    OMX_BOOL bEntropyCodingCABAC;  
-    OMX_BOOL bWeightedPPrediction; 
-    OMX_U32 nWeightedBipredicitonMode; 
-    OMX_BOOL bconstIpred ;
-    OMX_BOOL bDirect8x8Inference;  
-	OMX_BOOL bDirectSpatialTemporal;
-	OMX_U32 nCabacInitIdc;
-	OMX_VIDEO_AVCLOOPFILTERTYPE eLoopFilterMode;
-} OMX_VIDEO_PARAM_AVCTYPE;
-
-typedef struct OMX_VIDEO_PARAM_PROFILELEVELTYPE {
-   OMX_U32 nSize;                 
-   OMX_VERSIONTYPE nVersion;      
-   OMX_U32 nPortIndex;            
-   OMX_U32 eProfile;      /**< type is OMX_VIDEO_AVCPROFILETYPE, OMX_VIDEO_H263PROFILETYPE, 
-                                 or OMX_VIDEO_MPEG4PROFILETYPE depending on context */
-   OMX_U32 eLevel;        /**< type is OMX_VIDEO_AVCLEVELTYPE, OMX_VIDEO_H263LEVELTYPE, 
-                                 or OMX_VIDEO_MPEG4PROFILETYPE depending on context */
-   OMX_U32 nProfileIndex; /**< Used to query for individual profile support information,
-                               This parameter is valid only for 
-                               OMX_IndexParamVideoProfileLevelQuerySupported index,
-                               For all other indices this parameter is to be ignored. */
-} OMX_VIDEO_PARAM_PROFILELEVELTYPE;
-
-/** 
- * Structure for dynamically configuring bitrate mode of a codec. 
- *
- * STRUCT MEMBERS:
- *  nSize          : Size of the struct in bytes
- *  nVersion       : OMX spec version info
- *  nPortIndex     : Port that this struct applies to
- *  nEncodeBitrate : Target average bitrate to be generated in bps
- */
-typedef struct OMX_VIDEO_CONFIG_BITRATETYPE {
-    OMX_U32 nSize;                          
-    OMX_VERSIONTYPE nVersion;               
-    OMX_U32 nPortIndex;                     
-    OMX_U32 nEncodeBitrate;                 
-} OMX_VIDEO_CONFIG_BITRATETYPE;
-
-/** 
- * Defines Encoder Frame Rate setting
- *
- * STRUCT MEMBERS:
- *  nSize            : Size of the structure in bytes
- *  nVersion         : OMX specification version information 
- *  nPortIndex       : Port that this structure applies to
- *  xEncodeFramerate : Encoding framerate represented in Q16 format
- */
-typedef struct OMX_CONFIG_FRAMERATETYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 xEncodeFramerate; /* Q16 format */
-} OMX_CONFIG_FRAMERATETYPE;
-
-typedef struct OMX_CONFIG_INTRAREFRESHVOPTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL IntraRefreshVOP;
-} OMX_CONFIG_INTRAREFRESHVOPTYPE;
-
-typedef struct OMX_CONFIG_MACROBLOCKERRORMAPTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nErrMapSize;           /* Size of the Error Map in bytes */
-    OMX_U8  ErrMap[1];             /* Error map hint */
-} OMX_CONFIG_MACROBLOCKERRORMAPTYPE;
-
-typedef struct OMX_CONFIG_MBERRORREPORTINGTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_BOOL bEnabled;
-} OMX_CONFIG_MBERRORREPORTINGTYPE;
-
-typedef struct OMX_PARAM_MACROBLOCKSTYPE {
-    OMX_U32 nSize;
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nMacroblocks;
-} OMX_PARAM_MACROBLOCKSTYPE;
-
-/** 
- * AVC Slice Mode modes 
- *
- * OMX_VIDEO_SLICEMODE_AVCDefault   : Normal frame encoding, one slice per frame
- * OMX_VIDEO_SLICEMODE_AVCMBSlice   : NAL mode, number of MBs per frame
- * OMX_VIDEO_SLICEMODE_AVCByteSlice : NAL mode, number of bytes per frame
- */
-typedef enum OMX_VIDEO_AVCSLICEMODETYPE {
-    OMX_VIDEO_SLICEMODE_AVCDefault = 0,
-    OMX_VIDEO_SLICEMODE_AVCMBSlice,
-    OMX_VIDEO_SLICEMODE_AVCByteSlice,
-    OMX_VIDEO_SLICEMODE_AVCKhronosExtensions = 0x6F000000, /**< Reserved region for introducing Khronos Standard Extensions */ 
-    OMX_VIDEO_SLICEMODE_AVCVendorStartUnused = 0x7F000000, /**< Reserved region for introducing Vendor Extensions */
-    OMX_VIDEO_SLICEMODE_AVCLevelMax = 0x7FFFFFFF
-} OMX_VIDEO_AVCSLICEMODETYPE;
-
-/** 
- * AVC FMO Slice Mode Params 
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nNumSliceGroups : Specifies the number of slice groups
- *  nSliceGroupMapType : Specifies the type of slice groups
- *  eSliceMode : Specifies the type of slice
- */
-typedef struct OMX_VIDEO_PARAM_AVCSLICEFMO {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U8 nNumSliceGroups;
-    OMX_U8 nSliceGroupMapType;
-    OMX_VIDEO_AVCSLICEMODETYPE eSliceMode;
-} OMX_VIDEO_PARAM_AVCSLICEFMO;
-
-/** 
- * AVC IDR Period Configs
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nIDRPeriod : Specifies periodicity of IDR frames
- *  nPFrames : Specifies internal of coding Intra frames
- */
-typedef struct OMX_VIDEO_CONFIG_AVCINTRAPERIOD {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nIDRPeriod;
-    OMX_U32 nPFrames;
-} OMX_VIDEO_CONFIG_AVCINTRAPERIOD;
-
-/** 
- * AVC NAL Size Configs
- *
- * STRUCT MEMBERS:
- *  nSize      : Size of the structure in bytes
- *  nVersion   : OMX specification version information
- *  nPortIndex : Port that this structure applies to
- *  nNaluBytes : Specifies the NAL unit size
- */
-typedef struct OMX_VIDEO_CONFIG_NALSIZE {
-    OMX_U32 nSize; 
-    OMX_VERSIONTYPE nVersion;
-    OMX_U32 nPortIndex;
-    OMX_U32 nNaluBytes;
-} OMX_VIDEO_CONFIG_NALSIZE;
-
-/** @} */
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif
-/* File EOF */
-
diff --git a/media/omx-plugin/include/ics/pixelflinger/format.h b/media/omx-plugin/include/ics/pixelflinger/format.h
deleted file mode 100644
index 82eeca4d72..0000000000
--- a/media/omx-plugin/include/ics/pixelflinger/format.h
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_PIXELFLINGER_FORMAT_H
-#define ANDROID_PIXELFLINGER_FORMAT_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-enum GGLPixelFormat {
-    // these constants need to match those
-    // in graphics/PixelFormat.java, ui/PixelFormat.h, BlitHardware.h
-    GGL_PIXEL_FORMAT_UNKNOWN    =   0,
-    GGL_PIXEL_FORMAT_NONE       =   0,
-
-    GGL_PIXEL_FORMAT_RGBA_8888   =   1,  // 4x8-bit ARGB
-    GGL_PIXEL_FORMAT_RGBX_8888   =   2,  // 3x8-bit RGB stored in 32-bit chunks
-    GGL_PIXEL_FORMAT_RGB_888     =   3,  // 3x8-bit RGB
-    GGL_PIXEL_FORMAT_RGB_565     =   4,  // 16-bit RGB
-    GGL_PIXEL_FORMAT_BGRA_8888   =   5,  // 4x8-bit BGRA
-    GGL_PIXEL_FORMAT_RGBA_5551   =   6,  // 16-bit RGBA
-    GGL_PIXEL_FORMAT_RGBA_4444   =   7,  // 16-bit RGBA
-
-    GGL_PIXEL_FORMAT_A_8         =   8,  // 8-bit A
-    GGL_PIXEL_FORMAT_L_8         =   9,  // 8-bit L (R=G=B = L)
-    GGL_PIXEL_FORMAT_LA_88       = 0xA,  // 16-bit LA
-    GGL_PIXEL_FORMAT_RGB_332     = 0xB,  // 8-bit RGB (non paletted)
-
-    // reserved range. don't use.
-    GGL_PIXEL_FORMAT_RESERVED_10 = 0x10,
-    GGL_PIXEL_FORMAT_RESERVED_11 = 0x11,
-    GGL_PIXEL_FORMAT_RESERVED_12 = 0x12,
-    GGL_PIXEL_FORMAT_RESERVED_13 = 0x13,
-    GGL_PIXEL_FORMAT_RESERVED_14 = 0x14,
-    GGL_PIXEL_FORMAT_RESERVED_15 = 0x15,
-    GGL_PIXEL_FORMAT_RESERVED_16 = 0x16,
-    GGL_PIXEL_FORMAT_RESERVED_17 = 0x17,
-
-    // reserved/special formats
-    GGL_PIXEL_FORMAT_Z_16       =  0x18,
-    GGL_PIXEL_FORMAT_S_8        =  0x19,
-    GGL_PIXEL_FORMAT_SZ_24      =  0x1A,
-    GGL_PIXEL_FORMAT_SZ_8       =  0x1B,
-
-    // reserved range. don't use.
-    GGL_PIXEL_FORMAT_RESERVED_20 = 0x20,
-    GGL_PIXEL_FORMAT_RESERVED_21 = 0x21,
-};
-
-enum GGLFormatComponents {
-	GGL_STENCIL_INDEX		= 0x1901,
-	GGL_DEPTH_COMPONENT		= 0x1902,
-	GGL_ALPHA				= 0x1906,
-	GGL_RGB					= 0x1907,
-	GGL_RGBA				= 0x1908,
-	GGL_LUMINANCE			= 0x1909,
-	GGL_LUMINANCE_ALPHA		= 0x190A,
-};
-
-enum GGLFormatComponentIndex {
-    GGL_INDEX_ALPHA   = 0,
-    GGL_INDEX_RED     = 1,
-    GGL_INDEX_GREEN   = 2,
-    GGL_INDEX_BLUE    = 3,
-    GGL_INDEX_STENCIL = 0,
-    GGL_INDEX_DEPTH   = 1,
-    GGL_INDEX_Y       = 0,
-    GGL_INDEX_CB      = 1,
-    GGL_INDEX_CR      = 2,
-};
-
-typedef struct {
-#ifdef __cplusplus
-    enum {
-        ALPHA   = GGL_INDEX_ALPHA,
-        RED     = GGL_INDEX_RED,
-        GREEN   = GGL_INDEX_GREEN,
-        BLUE    = GGL_INDEX_BLUE,
-        STENCIL = GGL_INDEX_STENCIL,
-        DEPTH   = GGL_INDEX_DEPTH,
-        LUMA    = GGL_INDEX_Y,
-        CHROMAB = GGL_INDEX_CB,
-        CHROMAR = GGL_INDEX_CR,
-    };
-    inline uint32_t mask(int i) const {
-            return ((1<<(c[i].h-c[i].l))-1)<<c[i].l;
-    }
-    inline uint32_t bits(int i) const {
-            return c[i].h - c[i].l;
-    }
-#endif
-	uint8_t     size;	// bytes per pixel
-    uint8_t     bitsPerPixel;
-    union {    
-        struct {
-            uint8_t     ah;		// alpha high bit position + 1
-            uint8_t     al;		// alpha low bit position
-            uint8_t     rh;		// red high bit position + 1
-            uint8_t     rl;		// red low bit position
-            uint8_t     gh;		// green high bit position + 1
-            uint8_t     gl;		// green low bit position
-            uint8_t     bh;		// blue high bit position + 1
-            uint8_t     bl;		// blue low bit position
-        };
-        struct {
-            uint8_t h;
-            uint8_t l;
-        } __attribute__((__packed__)) c[4];        
-    } __attribute__((__packed__));
-	uint16_t    components;	// GGLFormatComponents
-} GGLFormat;
-
-
-#ifdef __cplusplus
-extern "C" const GGLFormat* gglGetPixelFormatTable(size_t* numEntries = 0);
-#else
-const GGLFormat* gglGetPixelFormatTable(size_t* numEntries);
-#endif
-
-
-// ----------------------------------------------------------------------------
-
-#endif // ANDROID_PIXELFLINGER_FORMAT_H
diff --git a/media/omx-plugin/include/ics/pixelflinger/pixelflinger.h b/media/omx-plugin/include/ics/pixelflinger/pixelflinger.h
deleted file mode 100644
index 8a2b4421b3..0000000000
--- a/media/omx-plugin/include/ics/pixelflinger/pixelflinger.h
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_PIXELFLINGER_H
-#define ANDROID_PIXELFLINGER_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <pixelflinger/format.h>
-
-// GGL types
-
-typedef int8_t			GGLbyte;		// b
-typedef int16_t			GGLshort;		// s
-typedef int32_t			GGLint;			// i
-typedef ssize_t			GGLsizei;		// i
-typedef int32_t			GGLfixed;		// x
-typedef int32_t			GGLclampx;		// x
-typedef float			GGLfloat;		// f
-typedef float			GGLclampf;		// f
-typedef double			GGLdouble;		// d
-typedef double			GGLclampd;		// d
-typedef uint8_t			GGLubyte;		// ub
-typedef uint8_t			GGLboolean;		// ub
-typedef uint16_t		GGLushort;		// us
-typedef uint32_t		GGLuint;		// ui
-typedef unsigned int	GGLenum;		// ui
-typedef unsigned int	GGLbitfield;	// ui
-typedef void			GGLvoid;
-typedef int32_t         GGLfixed32;
-typedef	int32_t         GGLcolor;
-typedef int32_t         GGLcoord;
-
-// ----------------------------------------------------------------------------
-
-#define GGL_MAX_VIEWPORT_DIMS           4096
-#define GGL_MAX_TEXTURE_SIZE            4096
-#define GGL_MAX_ALIASED_POINT_SIZE      0x7FFFFFF
-#define GGL_MAX_SMOOTH_POINT_SIZE       2048
-#define GGL_MAX_SMOOTH_LINE_WIDTH       2048
-
-// ----------------------------------------------------------------------------
-
-// All these names are compatible with their OpenGL equivalents
-// some of them are listed only for completeness
-enum GGLNames {
-	GGL_FALSE						= 0,
-	GGL_TRUE						= 1,
-
-	// enable/disable
-    GGL_SCISSOR_TEST                = 0x0C11,
-	GGL_TEXTURE_2D					= 0x0DE1,
-	GGL_ALPHA_TEST					= 0x0BC0,
-	GGL_BLEND						= 0x0BE2,
-	GGL_COLOR_LOGIC_OP				= 0x0BF2,
-	GGL_DITHER						= 0x0BD0,
-	GGL_STENCIL_TEST				= 0x0B90,
-	GGL_DEPTH_TEST					= 0x0B71,
-    GGL_AA                          = 0x80000001,
-    GGL_W_LERP                      = 0x80000004,
-    GGL_POINT_SMOOTH_NICE           = 0x80000005,
-
-    // buffers, pixel drawing/reading
-    GGL_COLOR                       = 0x1800,
-    
-    // fog
-    GGL_FOG                         = 0x0B60,
-    
-	// shade model
-	GGL_FLAT						= 0x1D00,
-	GGL_SMOOTH						= 0x1D01,
-
-	// Texture parameter name
-	GGL_TEXTURE_MIN_FILTER			= 0x2801,
-	GGL_TEXTURE_MAG_FILTER			= 0x2800,
-	GGL_TEXTURE_WRAP_S				= 0x2802,
-	GGL_TEXTURE_WRAP_T				= 0x2803,
-	GGL_TEXTURE_WRAP_R				= 0x2804,
-
-	// Texture Filter	
-	GGL_NEAREST						= 0x2600,
-	GGL_LINEAR						= 0x2601,
-	GGL_NEAREST_MIPMAP_NEAREST		= 0x2700,
-	GGL_LINEAR_MIPMAP_NEAREST		= 0x2701,
-	GGL_NEAREST_MIPMAP_LINEAR		= 0x2702,
-	GGL_LINEAR_MIPMAP_LINEAR		= 0x2703,
-
-	// Texture Wrap Mode
-	GGL_CLAMP						= 0x2900,
-	GGL_REPEAT						= 0x2901,
-    GGL_CLAMP_TO_EDGE               = 0x812F,
-
-	// Texture Env Mode
-	GGL_REPLACE						= 0x1E01,
-	GGL_MODULATE					= 0x2100,
-	GGL_DECAL						= 0x2101,
-	GGL_ADD							= 0x0104,
-
-	// Texture Env Parameter
-	GGL_TEXTURE_ENV_MODE			= 0x2200,
-	GGL_TEXTURE_ENV_COLOR			= 0x2201,
-
-	// Texture Env Target
-	GGL_TEXTURE_ENV					= 0x2300,
-
-    // Texture coord generation
-    GGL_TEXTURE_GEN_MODE            = 0x2500,
-    GGL_S                           = 0x2000,
-    GGL_T                           = 0x2001,
-    GGL_R                           = 0x2002,
-    GGL_Q                           = 0x2003,
-    GGL_ONE_TO_ONE                  = 0x80000002,
-    GGL_AUTOMATIC                   = 0x80000003,
-
-    // AlphaFunction
-    GGL_NEVER                       = 0x0200,
-    GGL_LESS                        = 0x0201,
-    GGL_EQUAL                       = 0x0202,
-    GGL_LEQUAL                      = 0x0203,
-    GGL_GREATER                     = 0x0204,
-    GGL_NOTEQUAL                    = 0x0205,
-    GGL_GEQUAL                      = 0x0206,
-    GGL_ALWAYS                      = 0x0207,
-
-    // LogicOp
-    GGL_CLEAR                       = 0x1500,   // 0
-    GGL_AND                         = 0x1501,   // s & d
-    GGL_AND_REVERSE                 = 0x1502,   // s & ~d
-    GGL_COPY                        = 0x1503,   // s
-    GGL_AND_INVERTED                = 0x1504,   // ~s & d
-    GGL_NOOP                        = 0x1505,   // d
-    GGL_XOR                         = 0x1506,   // s ^ d
-    GGL_OR                          = 0x1507,   // s | d
-    GGL_NOR                         = 0x1508,   // ~(s | d)
-    GGL_EQUIV                       = 0x1509,   // ~(s ^ d)
-    GGL_INVERT                      = 0x150A,   // ~d
-    GGL_OR_REVERSE                  = 0x150B,   // s | ~d
-    GGL_COPY_INVERTED               = 0x150C,   // ~s 
-    GGL_OR_INVERTED                 = 0x150D,   // ~s | d
-    GGL_NAND                        = 0x150E,   // ~(s & d)
-    GGL_SET                         = 0x150F,   // 1
-
-	// blending equation & function
-	GGL_ZERO                        = 0,		// SD
-	GGL_ONE                         = 1,		// SD
-	GGL_SRC_COLOR                   = 0x0300,	//  D
-	GGL_ONE_MINUS_SRC_COLOR         = 0x0301,	//	D
-	GGL_SRC_ALPHA                   = 0x0302,	// SD
-	GGL_ONE_MINUS_SRC_ALPHA			= 0x0303,	// SD
-	GGL_DST_ALPHA					= 0x0304,	// SD
-	GGL_ONE_MINUS_DST_ALPHA			= 0x0305,	// SD
-	GGL_DST_COLOR					= 0x0306,	// S
-	GGL_ONE_MINUS_DST_COLOR			= 0x0307,	// S
-	GGL_SRC_ALPHA_SATURATE			= 0x0308,	// S
-    
-    // clear bits
-    GGL_DEPTH_BUFFER_BIT            = 0x00000100,
-    GGL_STENCIL_BUFFER_BIT          = 0x00000400,
-    GGL_COLOR_BUFFER_BIT            = 0x00004000,
-
-    // errors
-    GGL_NO_ERROR                    = 0,
-    GGL_INVALID_ENUM                = 0x0500,
-    GGL_INVALID_VALUE               = 0x0501,
-    GGL_INVALID_OPERATION           = 0x0502,
-    GGL_STACK_OVERFLOW              = 0x0503,
-    GGL_STACK_UNDERFLOW             = 0x0504,
-    GGL_OUT_OF_MEMORY               = 0x0505
-};
-
-// ----------------------------------------------------------------------------
-
-typedef struct {
-    GGLsizei    version;    // always set to sizeof(GGLSurface)
-    GGLuint     width;      // width in pixels
-    GGLuint     height;     // height in pixels
-    GGLint      stride;     // stride in pixels
-    GGLubyte*   data;       // pointer to the bits
-    GGLubyte    format;     // pixel format
-    GGLubyte    rfu[3];     // must be zero
-    // these values are dependent on the used format
-    union {
-        GGLint  compressedFormat;
-        GGLint  vstride;
-    };
-    void*       reserved;
-} GGLSurface;
-
-
-typedef struct {
-    // immediate rendering
-    void (*pointx)(void *con, const GGLcoord* v, GGLcoord r);
-    void (*linex)(void *con, 
-            const GGLcoord* v0, const GGLcoord* v1, GGLcoord width);
-    void (*recti)(void* c, GGLint l, GGLint t, GGLint r, GGLint b); 
-    void (*trianglex)(void* c,
-            GGLcoord const* v0, GGLcoord const* v1, GGLcoord const* v2);
-
-    // scissor
-    void (*scissor)(void* c, GGLint x, GGLint y, GGLsizei width, GGLsizei height);
-
-    // Set the textures and color buffers
-    void (*activeTexture)(void* c, GGLuint tmu);
-    void (*bindTexture)(void* c, const GGLSurface* surface);
-    void (*colorBuffer)(void* c, const GGLSurface* surface);
-    void (*readBuffer)(void* c, const GGLSurface* surface);
-    void (*depthBuffer)(void* c, const GGLSurface* surface);
-    void (*bindTextureLod)(void* c, GGLuint tmu, const GGLSurface* surface);
-
-    // enable/disable features
-    void (*enable)(void* c, GGLenum name);
-    void (*disable)(void* c, GGLenum name);
-    void (*enableDisable)(void* c, GGLenum name, GGLboolean en);
-
-    // specify the fragment's color
-    void (*shadeModel)(void* c, GGLenum mode);
-    void (*color4xv)(void* c, const GGLclampx* color);
-    // specify color iterators (16.16)
-    void (*colorGrad12xv)(void* c, const GGLcolor* grad);
-
-    // specify Z coordinate iterators (0.32)
-    void (*zGrad3xv)(void* c, const GGLfixed32* grad);
-
-    // specify W coordinate iterators (16.16)
-    void (*wGrad3xv)(void* c, const GGLfixed* grad);
-
-    // specify fog iterator & color (16.16)
-    void (*fogGrad3xv)(void* c, const GGLfixed* grad);
-    void (*fogColor3xv)(void* c, const GGLclampx* color);
-
-    // specify blending parameters
-    void (*blendFunc)(void* c, GGLenum src, GGLenum dst);
-    void (*blendFuncSeparate)(void* c,  GGLenum src, GGLenum dst,
-                                        GGLenum srcAlpha, GGLenum dstAplha);
-
-    // texture environnement (REPLACE / MODULATE / DECAL / BLEND)
-    void (*texEnvi)(void* c,    GGLenum target,
-                                GGLenum pname,
-                                GGLint param);
-
-    void (*texEnvxv)(void* c, GGLenum target,
-            GGLenum pname, const GGLfixed* params);
-
-    // texture parameters (Wrapping, filter)
-    void (*texParameteri)(void* c,  GGLenum target,
-                                    GGLenum pname,
-                                    GGLint param);
-
-    // texture iterators (16.16)
-    void (*texCoord2i)(void* c, GGLint s, GGLint t);
-    void (*texCoord2x)(void* c, GGLfixed s, GGLfixed t);
-    
-    // s, dsdx, dsdy, scale, t, dtdx, dtdy, tscale
-    // This api uses block floating-point for S and T texture coordinates.
-    // All values are given in 16.16, scaled by 'scale'. In other words,
-    // set scale to 0, for 16.16 values.
-    void (*texCoordGradScale8xv)(void* c, GGLint tmu, const int32_t* grad8);
-    
-    void (*texGeni)(void* c, GGLenum coord, GGLenum pname, GGLint param);
-
-    // masking
-    void (*colorMask)(void* c,  GGLboolean red,
-                                GGLboolean green,
-                                GGLboolean blue,
-                                GGLboolean alpha);
-
-    void (*depthMask)(void* c, GGLboolean flag);
-
-    void (*stencilMask)(void* c, GGLuint mask);
-
-    // alpha func
-    void (*alphaFuncx)(void* c, GGLenum func, GGLclampx ref);
-
-    // depth func
-    void (*depthFunc)(void* c, GGLenum func);
-
-    // logic op
-    void (*logicOp)(void* c, GGLenum opcode); 
-
-    // clear
-    void (*clear)(void* c, GGLbitfield mask);
-    void (*clearColorx)(void* c,
-            GGLclampx r, GGLclampx g, GGLclampx b, GGLclampx a);
-    void (*clearDepthx)(void* c, GGLclampx depth);
-    void (*clearStencil)(void* c, GGLint s);
-
-    // framebuffer operations
-    void (*copyPixels)(void* c, GGLint x, GGLint y,
-            GGLsizei width, GGLsizei height, GGLenum type);
-    void (*rasterPos2x)(void* c, GGLfixed x, GGLfixed y);
-    void (*rasterPos2i)(void* c, GGLint x, GGLint y);
-} GGLContext;
-
-// ----------------------------------------------------------------------------
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-// construct / destroy the context
-ssize_t gglInit(GGLContext** context);
-ssize_t gglUninit(GGLContext* context);
-
-GGLint gglBitBlit(
-        GGLContext* c,
-        int tmu,
-        GGLint crop[4],
-        GGLint where[4]);
-
-#ifdef __cplusplus
-};
-#endif
-
-// ----------------------------------------------------------------------------
-
-#endif // ANDROID_PIXELFLINGER_H
diff --git a/media/omx-plugin/include/ics/stagefright/ColorConverter.h b/media/omx-plugin/include/ics/stagefright/ColorConverter.h
deleted file mode 100644
index 85ba920683..0000000000
--- a/media/omx-plugin/include/ics/stagefright/ColorConverter.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef COLOR_CONVERTER_H_
-
-#define COLOR_CONVERTER_H_
-
-#include <sys/types.h>
-
-#include <stdint.h>
-#include <utils/Errors.h>
-
-#include <OMX_Video.h>
-
-namespace android {
-
-struct ColorConverter {
-    ColorConverter(OMX_COLOR_FORMATTYPE from, OMX_COLOR_FORMATTYPE to);
-    ~ColorConverter();
-
-    bool isValid() const;
-
-    status_t convert(
-            const void *srcBits,
-            size_t srcWidth, size_t srcHeight,
-            size_t srcCropLeft, size_t srcCropTop,
-            size_t srcCropRight, size_t srcCropBottom,
-            void *dstBits,
-            size_t dstWidth, size_t dstHeight,
-            size_t dstCropLeft, size_t dstCropTop,
-            size_t dstCropRight, size_t dstCropBottom);
-
-private:
-    struct BitmapParams {
-        BitmapParams(
-                void *bits,
-                size_t width, size_t height,
-                size_t cropLeft, size_t cropTop,
-                size_t cropRight, size_t cropBottom);
-
-        size_t cropWidth() const;
-        size_t cropHeight() const;
-
-        void *mBits;
-        size_t mWidth, mHeight;
-        size_t mCropLeft, mCropTop, mCropRight, mCropBottom;
-    };
-
-    OMX_COLOR_FORMATTYPE mSrcFormat, mDstFormat;
-    uint8_t *mClip;
-
-    uint8_t *initClip();
-
-    status_t convertCbYCrY(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    status_t convertYUV420Planar(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    status_t convertQCOMYUV420SemiPlanar(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    status_t convertYUV420SemiPlanar(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    status_t convertTIYUV420PackedSemiPlanar(
-            const BitmapParams &src, const BitmapParams &dst);
-
-    ColorConverter(const ColorConverter &);
-    ColorConverter &operator=(const ColorConverter &);
-};
-
-}  // namespace android
-
-#endif  // COLOR_CONVERTER_H_
diff --git a/media/omx-plugin/include/ics/stagefright/DataSource.h b/media/omx-plugin/include/ics/stagefright/DataSource.h
deleted file mode 100644
index 870d80571d..0000000000
--- a/media/omx-plugin/include/ics/stagefright/DataSource.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef DATA_SOURCE_H_
-
-#define DATA_SOURCE_H_
-
-#include <sys/types.h>
-
-#include <media/stagefright/MediaErrors.h>
-#include <utils/Errors.h>
-#include <utils/KeyedVector.h>
-#include <utils/List.h>
-#include <utils/RefBase.h>
-#include <utils/threads.h>
-#include <drm/DrmManagerClient.h>
-
-#if !defined(STAGEFRIGHT_EXPORT)
-#define STAGEFRIGHT_EXPORT
-#endif
-
-namespace android {
-
-struct AMessage;
-class String8;
-
-class STAGEFRIGHT_EXPORT DataSource : public RefBase {
-public:
-    enum Flags {
-        kWantsPrefetching      = 1,
-        kStreamedFromLocalHost = 2,
-        kIsCachingDataSource   = 4,
-        kIsHTTPBasedSource     = 8,
-    };
-
-    static sp<DataSource> CreateFromURI(
-            const char *uri,
-            const KeyedVector<String8, String8> *headers = NULL);
-
-    DataSource() {}
-
-    virtual status_t initCheck() const = 0;
-
-    virtual ssize_t readAt(off64_t offset, void *data, size_t size) = 0;
-
-    // Convenience methods:
-    bool getUInt16(off64_t offset, uint16_t *x);
-
-    // May return ERROR_UNSUPPORTED.
-    virtual status_t getSize(off64_t *size);
-
-    virtual uint32_t flags() {
-        return 0;
-    }
-
-    virtual status_t reconnectAtOffset(off64_t offset) {
-        return ERROR_UNSUPPORTED;
-    }
-
-    ////////////////////////////////////////////////////////////////////////////
-
-    bool sniff(String8 *mimeType, float *confidence, sp<AMessage> *meta);
-
-    // The sniffer can optionally fill in "meta" with an AMessage containing
-    // a dictionary of values that helps the corresponding extractor initialize
-    // its state without duplicating effort already exerted by the sniffer.
-    typedef bool (*SnifferFunc)(
-            const sp<DataSource> &source, String8 *mimeType,
-            float *confidence, sp<AMessage> *meta);
-
-    static void RegisterSniffer(SnifferFunc func);
-    static void RegisterDefaultSniffers();
-
-    // for DRM
-    virtual sp<DecryptHandle> DrmInitialization() {
-        return NULL;
-    }
-    virtual void getDrmInfo(sp<DecryptHandle> &handle, DrmManagerClient **client) {};
-
-    virtual String8 getUri() {
-        return String8();
-    }
-
-    virtual String8 getMIMEType() const;
-
-protected:
-    virtual ~DataSource() {}
-
-private:
-    static Mutex gSnifferMutex;
-    static List<SnifferFunc> gSniffers;
-
-    DataSource(const DataSource &);
-    DataSource &operator=(const DataSource &);
-};
-
-}  // namespace android
-
-#endif  // DATA_SOURCE_H_
diff --git a/media/omx-plugin/include/ics/stagefright/MediaExtractor.h b/media/omx-plugin/include/ics/stagefright/MediaExtractor.h
deleted file mode 100644
index 6d39131a9b..0000000000
--- a/media/omx-plugin/include/ics/stagefright/MediaExtractor.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MEDIA_EXTRACTOR_H_
-
-#define MEDIA_EXTRACTOR_H_
-
-#include <utils/RefBase.h>
-
-namespace android {
-
-class DataSource;
-struct MediaSource;
-class MetaData;
-
-class MediaExtractor : public RefBase {
-public:
-    static sp<MediaExtractor> Create(
-            const sp<DataSource> &source, const char *mime = NULL);
-
-    virtual size_t countTracks() = 0;
-    virtual sp<MediaSource> getTrack(size_t index) = 0;
-
-    enum GetTrackMetaDataFlags {
-        kIncludeExtensiveMetaData = 1
-    };
-    virtual sp<MetaData> getTrackMetaData(
-            size_t index, uint32_t flags = 0) = 0;
-
-    // Return container specific meta-data. The default implementation
-    // returns an empty metadata object.
-    virtual sp<MetaData> getMetaData();
-
-    enum Flags {
-        CAN_SEEK_BACKWARD  = 1,  // the "seek 10secs back button"
-        CAN_SEEK_FORWARD   = 2,  // the "seek 10secs forward button"
-        CAN_PAUSE          = 4,
-        CAN_SEEK           = 8,  // the "seek bar"
-    };
-
-    // If subclasses do _not_ override this, the default is
-    // CAN_SEEK_BACKWARD | CAN_SEEK_FORWARD | CAN_SEEK | CAN_PAUSE
-    virtual uint32_t flags() const;
-
-    // for DRM
-    virtual void setDrmFlag(bool flag) {
-        mIsDrm = flag;
-    };
-    virtual bool getDrmFlag() {
-        return mIsDrm;
-    }
-    virtual char* getDrmTrackInfo(size_t trackID, int *len) {
-        return NULL;
-    }
-
-protected:
-    MediaExtractor() {}
-    virtual ~MediaExtractor() {}
-
-private:
-    bool mIsDrm;
-
-    MediaExtractor(const MediaExtractor &);
-    MediaExtractor &operator=(const MediaExtractor &);
-};
-
-}  // namespace android
-
-#endif  // MEDIA_EXTRACTOR_H_
diff --git a/media/omx-plugin/include/ics/stagefright/MetaData.h b/media/omx-plugin/include/ics/stagefright/MetaData.h
deleted file mode 100644
index 4cdee1702f..0000000000
--- a/media/omx-plugin/include/ics/stagefright/MetaData.h
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef META_DATA_H_
-
-#define META_DATA_H_
-
-#include <sys/types.h>
-
-#include <stdint.h>
-
-#include <utils/RefBase.h>
-#include <utils/KeyedVector.h>
-
-namespace android {
-
-// The following keys map to int32_t data unless indicated otherwise.
-enum {
-    kKeyMIMEType          = 'mime',  // cstring
-    kKeyWidth             = 'widt',  // int32_t, image pixel
-    kKeyHeight            = 'heig',  // int32_t, image pixel
-    kKeyDisplayWidth      = 'dWid',  // int32_t, display/presentation
-    kKeyDisplayHeight     = 'dHgt',  // int32_t, display/presentation
-
-    // a rectangle, if absent assumed to be (0, 0, width - 1, height - 1)
-    kKeyCropRect          = 'crop',
-
-    kKeyRotation          = 'rotA',  // int32_t (angle in degrees)
-    kKeyIFramesInterval   = 'ifiv',  // int32_t
-    kKeyStride            = 'strd',  // int32_t
-    kKeySliceHeight       = 'slht',  // int32_t
-    kKeyChannelCount      = '#chn',  // int32_t
-    kKeySampleRate        = 'srte',  // int32_t (audio sampling rate Hz)
-    kKeyFrameRate         = 'frmR',  // int32_t (video frame rate fps)
-    kKeyBitRate           = 'brte',  // int32_t (bps)
-    kKeyESDS              = 'esds',  // raw data
-    kKeyAVCC              = 'avcc',  // raw data
-    kKeyD263              = 'd263',  // raw data
-    kKeyVorbisInfo        = 'vinf',  // raw data
-    kKeyVorbisBooks       = 'vboo',  // raw data
-    kKeyWantsNALFragments = 'NALf',
-    kKeyIsSyncFrame       = 'sync',  // int32_t (bool)
-    kKeyIsCodecConfig     = 'conf',  // int32_t (bool)
-    kKeyTime              = 'time',  // int64_t (usecs)
-    kKeyDecodingTime      = 'decT',  // int64_t (decoding timestamp in usecs)
-    kKeyNTPTime           = 'ntpT',  // uint64_t (ntp-timestamp)
-    kKeyTargetTime        = 'tarT',  // int64_t (usecs)
-    kKeyDriftTime         = 'dftT',  // int64_t (usecs)
-    kKeyAnchorTime        = 'ancT',  // int64_t (usecs)
-    kKeyDuration          = 'dura',  // int64_t (usecs)
-    kKeyColorFormat       = 'colf',
-    kKeyPlatformPrivate   = 'priv',  // pointer
-    kKeyDecoderComponent  = 'decC',  // cstring
-    kKeyBufferID          = 'bfID',
-    kKeyMaxInputSize      = 'inpS',
-    kKeyThumbnailTime     = 'thbT',  // int64_t (usecs)
-    kKeyTrackID           = 'trID',
-    kKeyIsDRM             = 'idrm',  // int32_t (bool)
-
-    kKeyAlbum             = 'albu',  // cstring
-    kKeyArtist            = 'arti',  // cstring
-    kKeyAlbumArtist       = 'aart',  // cstring
-    kKeyComposer          = 'comp',  // cstring
-    kKeyGenre             = 'genr',  // cstring
-    kKeyTitle             = 'titl',  // cstring
-    kKeyYear              = 'year',  // cstring
-    kKeyAlbumArt          = 'albA',  // compressed image data
-    kKeyAlbumArtMIME      = 'alAM',  // cstring
-    kKeyAuthor            = 'auth',  // cstring
-    kKeyCDTrackNumber     = 'cdtr',  // cstring
-    kKeyDiscNumber        = 'dnum',  // cstring
-    kKeyDate              = 'date',  // cstring
-    kKeyWriter            = 'writ',  // cstring
-    kKeyCompilation       = 'cpil',  // cstring
-    kKeyLocation          = 'loc ',  // cstring
-    kKeyTimeScale         = 'tmsl',  // int32_t
-
-    // video profile and level
-    kKeyVideoProfile      = 'vprf',  // int32_t
-    kKeyVideoLevel        = 'vlev',  // int32_t
-
-    // Set this key to enable authoring files in 64-bit offset
-    kKey64BitFileOffset   = 'fobt',  // int32_t (bool)
-    kKey2ByteNalLength    = '2NAL',  // int32_t (bool)
-
-    // Identify the file output format for authoring
-    // Please see <media/mediarecorder.h> for the supported
-    // file output formats.
-    kKeyFileType          = 'ftyp',  // int32_t
-
-    // Track authoring progress status
-    // kKeyTrackTimeStatus is used to track progress in elapsed time
-    kKeyTrackTimeStatus   = 'tktm',  // int64_t
-
-    kKeyNotRealTime       = 'ntrt',  // bool (int32_t)
-
-    // Ogg files can be tagged to be automatically looping...
-    kKeyAutoLoop          = 'autL',  // bool (int32_t)
-
-    kKeyValidSamples      = 'valD',  // int32_t
-
-    kKeyIsUnreadable      = 'unre',  // bool (int32_t)
-
-    // An indication that a video buffer has been rendered.
-    kKeyRendered          = 'rend',  // bool (int32_t)
-
-    // The language code for this media
-    kKeyMediaLanguage     = 'lang',  // cstring
-
-    // To store the timed text format data
-    kKeyTextFormatData    = 'text',  // raw data
-
-    kKeyRequiresSecureBuffers = 'secu',  // bool (int32_t)
-};
-
-enum {
-    kTypeESDS        = 'esds',
-    kTypeAVCC        = 'avcc',
-    kTypeD263        = 'd263',
-};
-
-class MetaData : public RefBase {
-public:
-    MetaData();
-    MetaData(const MetaData &from);
-
-    enum Type {
-        TYPE_NONE     = 'none',
-        TYPE_C_STRING = 'cstr',
-        TYPE_INT32    = 'in32',
-        TYPE_INT64    = 'in64',
-        TYPE_FLOAT    = 'floa',
-        TYPE_POINTER  = 'ptr ',
-        TYPE_RECT     = 'rect',
-    };
-
-    void clear();
-    bool remove(uint32_t key);
-
-    bool setCString(uint32_t key, const char *value);
-    bool setInt32(uint32_t key, int32_t value);
-    bool setInt64(uint32_t key, int64_t value);
-    bool setFloat(uint32_t key, float value);
-    bool setPointer(uint32_t key, void *value);
-
-    bool setRect(
-            uint32_t key,
-            int32_t left, int32_t top,
-            int32_t right, int32_t bottom);
-
-    bool findCString(uint32_t key, const char **value);
-    bool findInt32(uint32_t key, int32_t *value);
-    bool findInt64(uint32_t key, int64_t *value);
-    bool findFloat(uint32_t key, float *value);
-    bool findPointer(uint32_t key, void **value);
-
-    bool findRect(
-            uint32_t key,
-            int32_t *left, int32_t *top,
-            int32_t *right, int32_t *bottom);
-
-    bool setData(uint32_t key, uint32_t type, const void *data, size_t size);
-
-    bool findData(uint32_t key, uint32_t *type,
-                  const void **data, size_t *size) const;
-
-protected:
-    virtual ~MetaData();
-
-private:
-    struct typed_data {
-        typed_data();
-        ~typed_data();
-
-        typed_data(const MetaData::typed_data &);
-        typed_data &operator=(const MetaData::typed_data &);
-
-        void clear();
-        void setData(uint32_t type, const void *data, size_t size);
-        void getData(uint32_t *type, const void **data, size_t *size) const;
-
-    private:
-        uint32_t mType;
-        size_t mSize;
-
-        union {
-            void *ext_data;
-            float reservoir;
-        } u;
-
-        bool usesReservoir() const {
-            return mSize <= sizeof(u.reservoir);
-        }
-
-        void allocateStorage(size_t size);
-        void freeStorage();
-
-        void *storage() {
-            return usesReservoir() ? &u.reservoir : u.ext_data;
-        }
-
-        const void *storage() const {
-            return usesReservoir() ? &u.reservoir : u.ext_data;
-        }
-    };
-
-    struct Rect {
-        int32_t mLeft, mTop, mRight, mBottom;
-    };
-
-    KeyedVector<uint32_t, typed_data> mItems;
-
-    // MetaData &operator=(const MetaData &);
-};
-
-}  // namespace android
-
-#endif  // META_DATA_H_
diff --git a/media/omx-plugin/include/ics/stagefright/OMXClient.h b/media/omx-plugin/include/ics/stagefright/OMXClient.h
deleted file mode 100644
index 2f14d06e8c..0000000000
--- a/media/omx-plugin/include/ics/stagefright/OMXClient.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef OMX_CLIENT_H_
-
-#define OMX_CLIENT_H_
-
-#include <media/IOMX.h>
-
-namespace android {
-
-class OMXClient {
-public:
-    OMXClient();
-
-    status_t connect();
-    void disconnect();
-
-    sp<IOMX> interface() {
-        return mOMX;
-    }
-
-private:
-    sp<IOMX> mOMX;
-
-    OMXClient(const OMXClient &);
-    OMXClient &operator=(const OMXClient &);
-};
-
-}  // namespace android
-
-#endif  // OMX_CLIENT_H_
diff --git a/media/omx-plugin/include/ics/stagefright/OMXCodec.h b/media/omx-plugin/include/ics/stagefright/OMXCodec.h
deleted file mode 100644
index 84f8282f64..0000000000
--- a/media/omx-plugin/include/ics/stagefright/OMXCodec.h
+++ /dev/null
@@ -1,378 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef OMX_CODEC_H_
-
-#define OMX_CODEC_H_
-
-#include <android/native_window.h>
-#include <media/IOMX.h>
-#include <media/stagefright/MediaBuffer.h>
-#include <media/stagefright/MediaSource.h>
-#include <utils/threads.h>
-
-namespace android {
-
-class MemoryDealer;
-struct OMXCodecObserver;
-struct CodecProfileLevel;
-
-struct OMXCodec : public MediaSource,
-                  public MediaBufferObserver {
-    enum CreationFlags {
-        kPreferSoftwareCodecs    = 1,
-        kIgnoreCodecSpecificData = 2,
-
-        // The client wants to access the output buffer's video
-        // data for example for thumbnail extraction.
-        kClientNeedsFramebuffer  = 4,
-
-        // Request for software or hardware codecs. If request
-        // can not be fullfilled, Create() returns NULL.
-        kSoftwareCodecsOnly      = 8,
-        kHardwareCodecsOnly      = 16,
-
-        // Store meta data in video buffers
-        kStoreMetaDataInVideoBuffers = 32,
-
-        // Only submit one input buffer at one time.
-        kOnlySubmitOneInputBufferAtOneTime = 64,
-
-        // Enable GRALLOC_USAGE_PROTECTED for output buffers from native window
-        kEnableGrallocUsageProtected = 128,
-
-        // Secure decoding mode
-        kUseSecureInputBuffers = 256,
-    };
-    static sp<MediaSource> Create(
-            const sp<IOMX> &omx,
-            const sp<MetaData> &meta, bool createEncoder,
-            const sp<MediaSource> &source,
-            const char *matchComponentName = NULL,
-            uint32_t flags = 0,
-            const sp<ANativeWindow> &nativeWindow = NULL);
-
-    static void setComponentRole(
-            const sp<IOMX> &omx, IOMX::node_id node, bool isEncoder,
-            const char *mime);
-
-    virtual status_t start(MetaData *params = NULL);
-    virtual status_t stop();
-
-    virtual sp<MetaData> getFormat();
-
-    virtual status_t read(
-            MediaBuffer **buffer, const ReadOptions *options = NULL);
-
-    virtual status_t pause();
-
-    // from MediaBufferObserver
-    virtual void signalBufferReturned(MediaBuffer *buffer);
-
-    // for use by ACodec
-    static void findMatchingCodecs(
-            const char *mime,
-            bool createEncoder, const char *matchComponentName,
-            uint32_t flags,
-            Vector<String8> *matchingCodecs);
-
-protected:
-    virtual ~OMXCodec();
-
-private:
-
-    // Make sure mLock is accessible to OMXCodecObserver
-    friend class OMXCodecObserver;
-
-    // Call this with mLock hold
-    void on_message(const omx_message &msg);
-
-    enum State {
-        DEAD,
-        LOADED,
-        LOADED_TO_IDLE,
-        IDLE_TO_EXECUTING,
-        EXECUTING,
-        EXECUTING_TO_IDLE,
-        IDLE_TO_LOADED,
-        RECONFIGURING,
-        ERROR
-    };
-
-    enum {
-        kPortIndexInput  = 0,
-        kPortIndexOutput = 1
-    };
-
-    enum PortStatus {
-        ENABLED,
-        DISABLING,
-        DISABLED,
-        ENABLING,
-        SHUTTING_DOWN,
-    };
-
-    enum Quirks {
-        kNeedsFlushBeforeDisable              = 1,
-        kWantsNALFragments                    = 2,
-        kRequiresLoadedToIdleAfterAllocation  = 4,
-        kRequiresAllocateBufferOnInputPorts   = 8,
-        kRequiresFlushCompleteEmulation       = 16,
-        kRequiresAllocateBufferOnOutputPorts  = 32,
-        kRequiresFlushBeforeShutdown          = 64,
-        kDefersOutputBufferAllocation         = 128,
-        kDecoderLiesAboutNumberOfChannels     = 256,
-        kInputBufferSizesAreBogus             = 512,
-        kSupportsMultipleFramesPerInputBuffer = 1024,
-        kAvoidMemcopyInputRecordingFrames     = 2048,
-        kRequiresLargerEncoderOutputBuffer    = 4096,
-        kOutputBuffersAreUnreadable           = 8192,
-    };
-
-    enum BufferStatus {
-        OWNED_BY_US,
-        OWNED_BY_COMPONENT,
-        OWNED_BY_NATIVE_WINDOW,
-        OWNED_BY_CLIENT,
-    };
-
-    struct BufferInfo {
-        IOMX::buffer_id mBuffer;
-        BufferStatus mStatus;
-        sp<IMemory> mMem;
-        size_t mSize;
-        void *mData;
-        MediaBuffer *mMediaBuffer;
-    };
-
-    struct CodecSpecificData {
-        size_t mSize;
-        uint8_t mData[1];
-    };
-
-    sp<IOMX> mOMX;
-    bool mOMXLivesLocally;
-    IOMX::node_id mNode;
-    uint32_t mQuirks;
-
-    // Flags specified in the creation of the codec.
-    uint32_t mFlags;
-
-    bool mIsEncoder;
-    char *mMIME;
-    char *mComponentName;
-    sp<MetaData> mOutputFormat;
-    sp<MediaSource> mSource;
-    Vector<CodecSpecificData *> mCodecSpecificData;
-    size_t mCodecSpecificDataIndex;
-
-    sp<MemoryDealer> mDealer[2];
-
-    State mState;
-    Vector<BufferInfo> mPortBuffers[2];
-    PortStatus mPortStatus[2];
-    bool mInitialBufferSubmit;
-    bool mSignalledEOS;
-    status_t mFinalStatus;
-    bool mNoMoreOutputData;
-    bool mOutputPortSettingsHaveChanged;
-    int64_t mSeekTimeUs;
-    ReadOptions::SeekMode mSeekMode;
-    int64_t mTargetTimeUs;
-    bool mOutputPortSettingsChangedPending;
-
-    MediaBuffer *mLeftOverBuffer;
-
-    Mutex mLock;
-    Condition mAsyncCompletion;
-
-    bool mPaused;
-
-    sp<ANativeWindow> mNativeWindow;
-
-    // The index in each of the mPortBuffers arrays of the buffer that will be
-    // submitted to OMX next.  This only applies when using buffers from a
-    // native window.
-    size_t mNextNativeBufferIndex[2];
-
-    // A list of indices into mPortStatus[kPortIndexOutput] filled with data.
-    List<size_t> mFilledBuffers;
-    Condition mBufferFilled;
-
-    // Used to record the decoding time for an output picture from
-    // a video encoder.
-    List<int64_t> mDecodingTimeList;
-
-    OMXCodec(const sp<IOMX> &omx, IOMX::node_id node,
-             uint32_t quirks, uint32_t flags,
-             bool isEncoder, const char *mime, const char *componentName,
-             const sp<MediaSource> &source,
-             const sp<ANativeWindow> &nativeWindow);
-
-    void addCodecSpecificData(const void *data, size_t size);
-    void clearCodecSpecificData();
-
-    void setComponentRole();
-
-    void setAMRFormat(bool isWAMR, int32_t bitRate);
-    status_t setAACFormat(int32_t numChannels, int32_t sampleRate, int32_t bitRate);
-    void setG711Format(int32_t numChannels);
-
-    status_t setVideoPortFormatType(
-            OMX_U32 portIndex,
-            OMX_VIDEO_CODINGTYPE compressionFormat,
-            OMX_COLOR_FORMATTYPE colorFormat);
-
-    void setVideoInputFormat(
-            const char *mime, const sp<MetaData>& meta);
-
-    status_t setupBitRate(int32_t bitRate);
-    status_t setupErrorCorrectionParameters();
-    status_t setupH263EncoderParameters(const sp<MetaData>& meta);
-    status_t setupMPEG4EncoderParameters(const sp<MetaData>& meta);
-    status_t setupAVCEncoderParameters(const sp<MetaData>& meta);
-    status_t findTargetColorFormat(
-            const sp<MetaData>& meta, OMX_COLOR_FORMATTYPE *colorFormat);
-
-    status_t isColorFormatSupported(
-            OMX_COLOR_FORMATTYPE colorFormat, int portIndex);
-
-    // If profile/level is set in the meta data, its value in the meta
-    // data will be used; otherwise, the default value will be used.
-    status_t getVideoProfileLevel(const sp<MetaData>& meta,
-            const CodecProfileLevel& defaultProfileLevel,
-            CodecProfileLevel& profileLevel);
-
-    status_t setVideoOutputFormat(
-            const char *mime, OMX_U32 width, OMX_U32 height);
-
-    void setImageOutputFormat(
-            OMX_COLOR_FORMATTYPE format, OMX_U32 width, OMX_U32 height);
-
-    void setJPEGInputFormat(
-            OMX_U32 width, OMX_U32 height, OMX_U32 compressedSize);
-
-    void setMinBufferSize(OMX_U32 portIndex, OMX_U32 size);
-
-    void setRawAudioFormat(
-            OMX_U32 portIndex, int32_t sampleRate, int32_t numChannels);
-
-    status_t allocateBuffers();
-    status_t allocateBuffersOnPort(OMX_U32 portIndex);
-    status_t allocateOutputBuffersFromNativeWindow();
-
-    status_t queueBufferToNativeWindow(BufferInfo *info);
-    status_t cancelBufferToNativeWindow(BufferInfo *info);
-    BufferInfo* dequeueBufferFromNativeWindow();
-    status_t pushBlankBuffersToNativeWindow();
-
-    status_t freeBuffersOnPort(
-            OMX_U32 portIndex, bool onlyThoseWeOwn = false);
-
-    status_t freeBuffer(OMX_U32 portIndex, size_t bufIndex);
-
-    bool drainInputBuffer(IOMX::buffer_id buffer);
-    void fillOutputBuffer(IOMX::buffer_id buffer);
-    bool drainInputBuffer(BufferInfo *info);
-    void fillOutputBuffer(BufferInfo *info);
-
-    void drainInputBuffers();
-    void fillOutputBuffers();
-
-    bool drainAnyInputBuffer();
-    BufferInfo *findInputBufferByDataPointer(void *ptr);
-    BufferInfo *findEmptyInputBuffer();
-
-    // Returns true iff a flush was initiated and a completion event is
-    // upcoming, false otherwise (A flush was not necessary as we own all
-    // the buffers on that port).
-    // This method will ONLY ever return false for a component with quirk
-    // "kRequiresFlushCompleteEmulation".
-    bool flushPortAsync(OMX_U32 portIndex);
-
-    void disablePortAsync(OMX_U32 portIndex);
-    status_t enablePortAsync(OMX_U32 portIndex);
-
-    static size_t countBuffersWeOwn(const Vector<BufferInfo> &buffers);
-    static bool isIntermediateState(State state);
-
-    void onEvent(OMX_EVENTTYPE event, OMX_U32 data1, OMX_U32 data2);
-    void onCmdComplete(OMX_COMMANDTYPE cmd, OMX_U32 data);
-    void onStateChange(OMX_STATETYPE newState);
-    void onPortSettingsChanged(OMX_U32 portIndex);
-
-    void setState(State newState);
-
-    status_t init();
-    void initOutputFormat(const sp<MetaData> &inputFormat);
-    status_t initNativeWindow();
-
-    void initNativeWindowCrop();
-
-    void dumpPortStatus(OMX_U32 portIndex);
-
-    status_t configureCodec(const sp<MetaData> &meta);
-
-    static uint32_t getComponentQuirks(
-            const char *componentName, bool isEncoder);
-
-    void restorePatchedDataPointer(BufferInfo *info);
-
-    status_t applyRotation();
-    status_t waitForBufferFilled_l();
-
-    int64_t retrieveDecodingTimeUs(bool isCodecSpecific);
-
-    status_t parseAVCCodecSpecificData(
-            const void *data, size_t size,
-            unsigned *profile, unsigned *level);
-
-    OMXCodec(const OMXCodec &);
-    OMXCodec &operator=(const OMXCodec &);
-};
-
-struct CodecCapabilities {
-    String8 mComponentName;
-    Vector<CodecProfileLevel> mProfileLevels;
-    Vector<OMX_U32> mColorFormats;
-};
-
-// Return a vector of componentNames with supported profile/level pairs
-// supporting the given mime type, if queryDecoders==true, returns components
-// that decode content of the given type, otherwise returns components
-// that encode content of the given type.
-// profile and level indications only make sense for h.263, mpeg4 and avc
-// video.
-// If hwCodecOnly==true, only returns hardware-based components, software and
-// hardware otherwise.
-// The profile/level values correspond to
-// OMX_VIDEO_H263PROFILETYPE, OMX_VIDEO_MPEG4PROFILETYPE,
-// OMX_VIDEO_AVCPROFILETYPE, OMX_VIDEO_H263LEVELTYPE, OMX_VIDEO_MPEG4LEVELTYPE
-// and OMX_VIDEO_AVCLEVELTYPE respectively.
-
-status_t QueryCodecs(
-        const sp<IOMX> &omx,
-        const char *mimeType, bool queryDecoders, bool hwCodecOnly,
-        Vector<CodecCapabilities> *results);
-
-status_t QueryCodecs(
-        const sp<IOMX> &omx,
-        const char *mimeType, bool queryDecoders,
-        Vector<CodecCapabilities> *results);
-
-}  // namespace android
-
-#endif  // OMX_CODEC_H_
diff --git a/media/omx-plugin/include/ics/system/graphics.h b/media/omx-plugin/include/ics/system/graphics.h
deleted file mode 100644
index 729e92c788..0000000000
--- a/media/omx-plugin/include/ics/system/graphics.h
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SYSTEM_CORE_INCLUDE_ANDROID_GRAPHICS_H
-#define SYSTEM_CORE_INCLUDE_ANDROID_GRAPHICS_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * If the HAL needs to create service threads to handle graphics related
- * tasks, these threads need to run at HAL_PRIORITY_URGENT_DISPLAY priority
- * if they can block the main rendering thread in any way.
- *
- * the priority of the current thread can be set with:
- *
- *      #include <sys/resource.h>
- *      setpriority(PRIO_PROCESS, 0, HAL_PRIORITY_URGENT_DISPLAY);
- *
- */
-
-#define HAL_PRIORITY_URGENT_DISPLAY     (-8)
-
-/**
- * pixel format definitions
- */
-
-enum {
-    HAL_PIXEL_FORMAT_RGBA_8888          = 1,
-    HAL_PIXEL_FORMAT_RGBX_8888          = 2,
-    HAL_PIXEL_FORMAT_RGB_888            = 3,
-    HAL_PIXEL_FORMAT_RGB_565            = 4,
-    HAL_PIXEL_FORMAT_BGRA_8888          = 5,
-    HAL_PIXEL_FORMAT_RGBA_5551          = 6,
-    HAL_PIXEL_FORMAT_RGBA_4444          = 7,
-
-    /* 0x8 - 0xFF range unavailable */
-
-    /*
-     * 0x100 - 0x1FF
-     *
-     * This range is reserved for pixel formats that are specific to the HAL
-     * implementation.  Implementations can use any value in this range to
-     * communicate video pixel formats between their HAL modules.  These formats
-     * must not have an alpha channel.  Additionally, an EGLimage created from a
-     * gralloc buffer of one of these formats must be supported for use with the
-     * GL_OES_EGL_image_external OpenGL ES extension.
-     */
-
-    /*
-     * Android YUV format:
-     *
-     * This format is exposed outside of the HAL to software decoders and
-     * applications.  EGLImageKHR must support it in conjunction with the
-     * OES_EGL_image_external extension.
-     *
-     * YV12 is a 4:2:0 YCrCb planar format comprised of a WxH Y plane followed
-     * by (W/2) x (H/2) Cr and Cb planes.
-     *
-     * This format assumes
-     * - an even width
-     * - an even height
-     * - a horizontal stride multiple of 16 pixels
-     * - a vertical stride equal to the height
-     *
-     *   y_size = stride * height
-     *   c_size = ALIGN(stride/2, 16) * height/2
-     *   size = y_size + c_size * 2
-     *   cr_offset = y_size
-     *   cb_offset = y_size + c_size
-     *
-     */
-    HAL_PIXEL_FORMAT_YV12   = 0x32315659, // YCrCb 4:2:0 Planar
-
-
-
-    /* Legacy formats (deprecated), used by ImageFormat.java */
-    HAL_PIXEL_FORMAT_YCbCr_422_SP       = 0x10, // NV16
-    HAL_PIXEL_FORMAT_YCrCb_420_SP       = 0x11, // NV21
-    HAL_PIXEL_FORMAT_YCbCr_422_I        = 0x14, // YUY2
-};
-
-
-/**
- * Transformation definitions
- *
- * IMPORTANT NOTE:
- * HAL_TRANSFORM_ROT_90 is applied CLOCKWISE and AFTER HAL_TRANSFORM_FLIP_{H|V}.
- *
- */
-
-enum {
-    /* flip source image horizontally (around the vertical axis) */
-    HAL_TRANSFORM_FLIP_H    = 0x01,
-    /* flip source image vertically (around the horizontal axis)*/
-    HAL_TRANSFORM_FLIP_V    = 0x02,
-    /* rotate source image 90 degrees clockwise */
-    HAL_TRANSFORM_ROT_90    = 0x04,
-    /* rotate source image 180 degrees */
-    HAL_TRANSFORM_ROT_180   = 0x03,
-    /* rotate source image 270 degrees clockwise */
-    HAL_TRANSFORM_ROT_270   = 0x07,
-};
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* SYSTEM_CORE_INCLUDE_ANDROID_GRAPHICS_H */
diff --git a/media/omx-plugin/include/ics/system/window.h b/media/omx-plugin/include/ics/system/window.h
deleted file mode 100644
index 1cc4a0a18b..0000000000
--- a/media/omx-plugin/include/ics/system/window.h
+++ /dev/null
@@ -1,632 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SYSTEM_CORE_INCLUDE_ANDROID_WINDOW_H
-#define SYSTEM_CORE_INCLUDE_ANDROID_WINDOW_H
-
-#include <stdint.h>
-#include <sys/cdefs.h>
-#include <system/graphics.h>
-#include <cutils/native_handle.h>
-
-__BEGIN_DECLS
-
-/*****************************************************************************/
-
-#define ANDROID_NATIVE_MAKE_CONSTANT(a,b,c,d) \
-    (((unsigned)(a)<<24)|((unsigned)(b)<<16)|((unsigned)(c)<<8)|(unsigned)(d))
-
-#define ANDROID_NATIVE_WINDOW_MAGIC \
-    ANDROID_NATIVE_MAKE_CONSTANT('_','w','n','d')
-
-#define ANDROID_NATIVE_BUFFER_MAGIC \
-    ANDROID_NATIVE_MAKE_CONSTANT('_','b','f','r')
-
-// ---------------------------------------------------------------------------
-
-typedef const native_handle_t* buffer_handle_t;
-
-// ---------------------------------------------------------------------------
-
-typedef struct android_native_rect_t
-{
-    int32_t left;
-    int32_t top;
-    int32_t right;
-    int32_t bottom;
-} android_native_rect_t;
-
-// ---------------------------------------------------------------------------
-
-typedef struct android_native_base_t
-{
-    /* a magic value defined by the actual EGL native type */
-    int magic;
-
-    /* the sizeof() of the actual EGL native type */
-    int version;
-
-    void* reserved[4];
-
-    /* reference-counting interface */
-    void (*incRef)(struct android_native_base_t* base);
-    void (*decRef)(struct android_native_base_t* base);
-} android_native_base_t;
-
-typedef struct ANativeWindowBuffer
-{
-#ifdef __cplusplus
-    ANativeWindowBuffer() {
-        common.magic = ANDROID_NATIVE_BUFFER_MAGIC;
-        common.version = sizeof(ANativeWindowBuffer);
-        memset(common.reserved, 0, sizeof(common.reserved));
-    }
-
-    // Implement the methods that sp<ANativeWindowBuffer> expects so that it
-    // can be used to automatically refcount ANativeWindowBuffer's.
-    void incStrong(const void* id) const {
-        common.incRef(const_cast<android_native_base_t*>(&common));
-    }
-    void decStrong(const void* id) const {
-        common.decRef(const_cast<android_native_base_t*>(&common));
-    }
-#endif
-
-    struct android_native_base_t common;
-
-    int width;
-    int height;
-    int stride;
-    int format;
-    int usage;
-
-    void* reserved[2];
-
-    buffer_handle_t handle;
-
-    void* reserved_proc[8];
-} ANativeWindowBuffer_t;
-
-// Old typedef for backwards compatibility.
-typedef ANativeWindowBuffer_t android_native_buffer_t;
-
-// ---------------------------------------------------------------------------
-
-/* attributes queriable with query() */
-enum {
-    NATIVE_WINDOW_WIDTH     = 0,
-    NATIVE_WINDOW_HEIGHT    = 1,
-    NATIVE_WINDOW_FORMAT    = 2,
-
-    /* The minimum number of buffers that must remain un-dequeued after a buffer
-     * has been queued.  This value applies only if set_buffer_count was used to
-     * override the number of buffers and if a buffer has since been queued.
-     * Users of the set_buffer_count ANativeWindow method should query this
-     * value before calling set_buffer_count.  If it is necessary to have N
-     * buffers simultaneously dequeued as part of the steady-state operation,
-     * and this query returns M then N+M buffers should be requested via
-     * native_window_set_buffer_count.
-     *
-     * Note that this value does NOT apply until a single buffer has been
-     * queued.  In particular this means that it is possible to:
-     *
-     * 1. Query M = min undequeued buffers
-     * 2. Set the buffer count to N + M
-     * 3. Dequeue all N + M buffers
-     * 4. Cancel M buffers
-     * 5. Queue, dequeue, queue, dequeue, ad infinitum
-     */
-    NATIVE_WINDOW_MIN_UNDEQUEUED_BUFFERS = 3,
-
-    /* Check whether queueBuffer operations on the ANativeWindow send the buffer
-     * to the window compositor.  The query sets the returned 'value' argument
-     * to 1 if the ANativeWindow DOES send queued buffers directly to the window
-     * compositor and 0 if the buffers do not go directly to the window
-     * compositor.
-     *
-     * This can be used to determine whether protected buffer content should be
-     * sent to the ANativeWindow.  Note, however, that a result of 1 does NOT
-     * indicate that queued buffers will be protected from applications or users
-     * capturing their contents.  If that behavior is desired then some other
-     * mechanism (e.g. the GRALLOC_USAGE_PROTECTED flag) should be used in
-     * conjunction with this query.
-     */
-    NATIVE_WINDOW_QUEUES_TO_WINDOW_COMPOSER = 4,
-
-    /* Get the concrete type of a ANativeWindow.  See below for the list of
-     * possible return values.
-     *
-     * This query should not be used outside the Android framework and will
-     * likely be removed in the near future.
-     */
-    NATIVE_WINDOW_CONCRETE_TYPE = 5,
-
-
-    /*
-     * Default width and height of the ANativeWindow, these are the dimensions
-     * of the window irrespective of the NATIVE_WINDOW_SET_BUFFERS_DIMENSIONS
-     * call.
-     */
-    NATIVE_WINDOW_DEFAULT_WIDTH = 6,
-    NATIVE_WINDOW_DEFAULT_HEIGHT = 7,
-
-    /*
-     * transformation that will most-likely be applied to buffers. This is only
-     * a hint, the actual transformation applied might be different.
-     *
-     * INTENDED USE:
-     *
-     * The transform hint can be used by a producer, for instance the GLES
-     * driver, to pre-rotate the rendering such that the final transformation
-     * in the composer is identity. This can be very useful when used in
-     * conjunction with the h/w composer HAL, in situations where it
-     * cannot handle arbitrary rotations.
-     *
-     * 1. Before dequeuing a buffer, the GL driver (or any other ANW client)
-     *    queries the ANW for NATIVE_WINDOW_TRANSFORM_HINT.
-     *
-     * 2. The GL driver overrides the width and height of the ANW to
-     *    account for NATIVE_WINDOW_TRANSFORM_HINT. This is done by querying
-     *    NATIVE_WINDOW_DEFAULT_{WIDTH | HEIGHT}, swapping the dimensions
-     *    according to NATIVE_WINDOW_TRANSFORM_HINT and calling
-     *    native_window_set_buffers_dimensions().
-     *
-     * 3. The GL driver dequeues a buffer of the new pre-rotated size.
-     *
-     * 4. The GL driver renders to the buffer such that the image is
-     *    already transformed, that is applying NATIVE_WINDOW_TRANSFORM_HINT
-     *    to the rendering.
-     *
-     * 5. The GL driver calls native_window_set_transform to apply
-     *    inverse transformation to the buffer it just rendered.
-     *    In order to do this, the GL driver needs
-     *    to calculate the inverse of NATIVE_WINDOW_TRANSFORM_HINT, this is
-     *    done easily:
-     *
-     *        int hintTransform, inverseTransform;
-     *        query(..., NATIVE_WINDOW_TRANSFORM_HINT, &hintTransform);
-     *        inverseTransform = hintTransform;
-     *        if (hintTransform & HAL_TRANSFORM_ROT_90)
-     *            inverseTransform ^= HAL_TRANSFORM_ROT_180;
-     *
-     *
-     * 6. The GL driver queues the pre-transformed buffer.
-     *
-     * 7. The composer combines the buffer transform with the display
-     *    transform.  If the buffer transform happens to cancel out the
-     *    display transform then no rotation is needed.
-     *
-     */
-    NATIVE_WINDOW_TRANSFORM_HINT = 8,
-};
-
-/* valid operations for the (*perform)() hook */
-enum {
-    NATIVE_WINDOW_SET_USAGE                 =  0,
-    NATIVE_WINDOW_CONNECT                   =  1,   /* deprecated */
-    NATIVE_WINDOW_DISCONNECT                =  2,   /* deprecated */
-    NATIVE_WINDOW_SET_CROP                  =  3,
-    NATIVE_WINDOW_SET_BUFFER_COUNT          =  4,
-    NATIVE_WINDOW_SET_BUFFERS_GEOMETRY      =  5,   /* deprecated */
-    NATIVE_WINDOW_SET_BUFFERS_TRANSFORM     =  6,
-    NATIVE_WINDOW_SET_BUFFERS_TIMESTAMP     =  7,
-    NATIVE_WINDOW_SET_BUFFERS_DIMENSIONS    =  8,
-    NATIVE_WINDOW_SET_BUFFERS_FORMAT        =  9,
-    NATIVE_WINDOW_SET_SCALING_MODE          = 10,
-    NATIVE_WINDOW_LOCK                      = 11,   /* private */
-    NATIVE_WINDOW_UNLOCK_AND_POST           = 12,   /* private */
-    NATIVE_WINDOW_API_CONNECT               = 13,   /* private */
-    NATIVE_WINDOW_API_DISCONNECT            = 14,   /* private */
-};
-
-/* parameter for NATIVE_WINDOW_[API_][DIS]CONNECT */
-enum {
-    /* Buffers will be queued by EGL via eglSwapBuffers after being filled using
-     * OpenGL ES.
-     */
-    NATIVE_WINDOW_API_EGL = 1,
-
-    /* Buffers will be queued after being filled using the CPU
-     */
-    NATIVE_WINDOW_API_CPU = 2,
-
-    /* Buffers will be queued by Stagefright after being filled by a video
-     * decoder.  The video decoder can either be a software or hardware decoder.
-     */
-    NATIVE_WINDOW_API_MEDIA = 3,
-
-    /* Buffers will be queued by the the camera HAL.
-     */
-    NATIVE_WINDOW_API_CAMERA = 4,
-};
-
-/* parameter for NATIVE_WINDOW_SET_BUFFERS_TRANSFORM */
-enum {
-    /* flip source image horizontally */
-    NATIVE_WINDOW_TRANSFORM_FLIP_H = HAL_TRANSFORM_FLIP_H ,
-    /* flip source image vertically */
-    NATIVE_WINDOW_TRANSFORM_FLIP_V = HAL_TRANSFORM_FLIP_V,
-    /* rotate source image 90 degrees clock-wise */
-    NATIVE_WINDOW_TRANSFORM_ROT_90 = HAL_TRANSFORM_ROT_90,
-    /* rotate source image 180 degrees */
-    NATIVE_WINDOW_TRANSFORM_ROT_180 = HAL_TRANSFORM_ROT_180,
-    /* rotate source image 270 degrees clock-wise */
-    NATIVE_WINDOW_TRANSFORM_ROT_270 = HAL_TRANSFORM_ROT_270,
-};
-
-/* parameter for NATIVE_WINDOW_SET_SCALING_MODE */
-enum {
-    /* the window content is not updated (frozen) until a buffer of
-     * the window size is received (enqueued)
-     */
-    NATIVE_WINDOW_SCALING_MODE_FREEZE           = 0,
-    /* the buffer is scaled in both dimensions to match the window size */
-    NATIVE_WINDOW_SCALING_MODE_SCALE_TO_WINDOW  = 1,
-};
-
-/* values returned by the NATIVE_WINDOW_CONCRETE_TYPE query */
-enum {
-    NATIVE_WINDOW_FRAMEBUFFER               = 0, /* FramebufferNativeWindow */
-    NATIVE_WINDOW_SURFACE                   = 1, /* Surface */
-    NATIVE_WINDOW_SURFACE_TEXTURE_CLIENT    = 2, /* SurfaceTextureClient */
-};
-
-/* parameter for NATIVE_WINDOW_SET_BUFFERS_TIMESTAMP
- *
- * Special timestamp value to indicate that timestamps should be auto-generated
- * by the native window when queueBuffer is called.  This is equal to INT64_MIN,
- * defined directly to avoid problems with C99/C++ inclusion of stdint.h.
- */
-static const int64_t NATIVE_WINDOW_TIMESTAMP_AUTO = (-9223372036854775807LL-1);
-
-struct ANativeWindow
-{
-#ifdef __cplusplus
-    ANativeWindow()
-        : flags(0), minSwapInterval(0), maxSwapInterval(0), xdpi(0), ydpi(0)
-    {
-        common.magic = ANDROID_NATIVE_WINDOW_MAGIC;
-        common.version = sizeof(ANativeWindow);
-        memset(common.reserved, 0, sizeof(common.reserved));
-    }
-
-    /* Implement the methods that sp<ANativeWindow> expects so that it
-       can be used to automatically refcount ANativeWindow's. */
-    void incStrong(const void* id) const {
-        common.incRef(const_cast<android_native_base_t*>(&common));
-    }
-    void decStrong(const void* id) const {
-        common.decRef(const_cast<android_native_base_t*>(&common));
-    }
-#endif
-
-    struct android_native_base_t common;
-
-    /* flags describing some attributes of this surface or its updater */
-    const uint32_t flags;
-
-    /* min swap interval supported by this updated */
-    const int   minSwapInterval;
-
-    /* max swap interval supported by this updated */
-    const int   maxSwapInterval;
-
-    /* horizontal and vertical resolution in DPI */
-    const float xdpi;
-    const float ydpi;
-
-    /* Some storage reserved for the OEM's driver. */
-    intptr_t    oem[4];
-
-    /*
-     * Set the swap interval for this surface.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*setSwapInterval)(struct ANativeWindow* window,
-                int interval);
-
-    /*
-     * Hook called by EGL to acquire a buffer. After this call, the buffer
-     * is not locked, so its content cannot be modified. This call may block if
-     * no buffers are available.
-     *
-     * The window holds a reference to the buffer between dequeueBuffer and
-     * either queueBuffer or cancelBuffer, so clients only need their own
-     * reference if they might use the buffer after queueing or canceling it.
-     * Holding a reference to a buffer after queueing or canceling it is only
-     * allowed if a specific buffer count has been set.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*dequeueBuffer)(struct ANativeWindow* window,
-                struct ANativeWindowBuffer** buffer);
-
-    /*
-     * hook called by EGL to lock a buffer. This MUST be called before modifying
-     * the content of a buffer. The buffer must have been acquired with
-     * dequeueBuffer first.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*lockBuffer)(struct ANativeWindow* window,
-                struct ANativeWindowBuffer* buffer);
-    /*
-     * Hook called by EGL when modifications to the render buffer are done.
-     * This unlocks and post the buffer.
-     *
-     * The window holds a reference to the buffer between dequeueBuffer and
-     * either queueBuffer or cancelBuffer, so clients only need their own
-     * reference if they might use the buffer after queueing or canceling it.
-     * Holding a reference to a buffer after queueing or canceling it is only
-     * allowed if a specific buffer count has been set.
-     *
-     * Buffers MUST be queued in the same order than they were dequeued.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*queueBuffer)(struct ANativeWindow* window,
-                struct ANativeWindowBuffer* buffer);
-
-    /*
-     * hook used to retrieve information about the native window.
-     *
-     * Returns 0 on success or -errno on error.
-     */
-    int     (*query)(const struct ANativeWindow* window,
-                int what, int* value);
-
-    /*
-     * hook used to perform various operations on the surface.
-     * (*perform)() is a generic mechanism to add functionality to
-     * ANativeWindow while keeping backward binary compatibility.
-     *
-     * DO NOT CALL THIS HOOK DIRECTLY.  Instead, use the helper functions
-     * defined below.
-     *
-     *  (*perform)() returns -ENOENT if the 'what' parameter is not supported
-     *  by the surface's implementation.
-     *
-     * The valid operations are:
-     *     NATIVE_WINDOW_SET_USAGE
-     *     NATIVE_WINDOW_CONNECT               (deprecated)
-     *     NATIVE_WINDOW_DISCONNECT            (deprecated)
-     *     NATIVE_WINDOW_SET_CROP
-     *     NATIVE_WINDOW_SET_BUFFER_COUNT
-     *     NATIVE_WINDOW_SET_BUFFERS_GEOMETRY  (deprecated)
-     *     NATIVE_WINDOW_SET_BUFFERS_TRANSFORM
-     *     NATIVE_WINDOW_SET_BUFFERS_TIMESTAMP
-     *     NATIVE_WINDOW_SET_BUFFERS_DIMENSIONS
-     *     NATIVE_WINDOW_SET_BUFFERS_FORMAT
-     *     NATIVE_WINDOW_SET_SCALING_MODE
-     *     NATIVE_WINDOW_LOCK                   (private)
-     *     NATIVE_WINDOW_UNLOCK_AND_POST        (private)
-     *     NATIVE_WINDOW_API_CONNECT            (private)
-     *     NATIVE_WINDOW_API_DISCONNECT         (private)
-     *
-     */
-
-    int     (*perform)(struct ANativeWindow* window,
-                int operation, ... );
-
-    /*
-     * Hook used to cancel a buffer that has been dequeued.
-     * No synchronization is performed between dequeue() and cancel(), so
-     * either external synchronization is needed, or these functions must be
-     * called from the same thread.
-     *
-     * The window holds a reference to the buffer between dequeueBuffer and
-     * either queueBuffer or cancelBuffer, so clients only need their own
-     * reference if they might use the buffer after queueing or canceling it.
-     * Holding a reference to a buffer after queueing or canceling it is only
-     * allowed if a specific buffer count has been set.
-     */
-    int     (*cancelBuffer)(struct ANativeWindow* window,
-                struct ANativeWindowBuffer* buffer);
-
-
-    void* reserved_proc[2];
-};
-
- /* Backwards compatibility: use ANativeWindow (struct ANativeWindow in C).
-  * android_native_window_t is deprecated.
-  */
-typedef struct ANativeWindow ANativeWindow;
-typedef struct ANativeWindow android_native_window_t;
-
-/*
- *  native_window_set_usage(..., usage)
- *  Sets the intended usage flags for the next buffers
- *  acquired with (*lockBuffer)() and on.
- *  By default (if this function is never called), a usage of
- *      GRALLOC_USAGE_HW_RENDER | GRALLOC_USAGE_HW_TEXTURE
- *  is assumed.
- *  Calling this function will usually cause following buffers to be
- *  reallocated.
- */
-
-static inline int native_window_set_usage(
-        struct ANativeWindow* window, int usage)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_USAGE, usage);
-}
-
-/* deprecated. Always returns 0. Don't call. */
-static inline int native_window_connect(
-        struct ANativeWindow* window, int api) {
-    return 0;
-}
-
-/* deprecated. Always returns 0. Don't call. */
-static inline int native_window_disconnect(
-        struct ANativeWindow* window, int api) {
-    return 0;
-}
-
-/*
- * native_window_set_crop(..., crop)
- * Sets which region of the next queued buffers needs to be considered.
- * A buffer's crop region is scaled to match the surface's size.
- *
- * The specified crop region applies to all buffers queued after it is called.
- *
- * if 'crop' is NULL, subsequently queued buffers won't be cropped.
- *
- * An error is returned if for instance the crop region is invalid,
- * out of the buffer's bound or if the window is invalid.
- */
-static inline int native_window_set_crop(
-        struct ANativeWindow* window,
-        android_native_rect_t const * crop)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_CROP, crop);
-}
-
-/*
- * native_window_set_buffer_count(..., count)
- * Sets the number of buffers associated with this native window.
- */
-static inline int native_window_set_buffer_count(
-        struct ANativeWindow* window,
-        size_t bufferCount)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFER_COUNT, bufferCount);
-}
-
-/*
- * native_window_set_buffers_geometry(..., int w, int h, int format)
- * All buffers dequeued after this call will have the dimensions and format
- * specified.  A successful call to this function has the same effect as calling
- * native_window_set_buffers_size and native_window_set_buffers_format.
- *
- * XXX: This function is deprecated.  The native_window_set_buffers_dimensions
- * and native_window_set_buffers_format functions should be used instead.
- */
-static inline int native_window_set_buffers_geometry(
-        struct ANativeWindow* window,
-        int w, int h, int format)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_GEOMETRY,
-            w, h, format);
-}
-
-/*
- * native_window_set_buffers_dimensions(..., int w, int h)
- * All buffers dequeued after this call will have the dimensions specified.
- * In particular, all buffers will have a fixed-size, independent form the
- * native-window size. They will be scaled according to the scaling mode
- * (see native_window_set_scaling_mode) upon window composition.
- *
- * If w and h are 0, the normal behavior is restored. That is, dequeued buffers
- * following this call will be sized to match the window's size.
- *
- * Calling this function will reset the window crop to a NULL value, which
- * disables cropping of the buffers.
- */
-static inline int native_window_set_buffers_dimensions(
-        struct ANativeWindow* window,
-        int w, int h)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_DIMENSIONS,
-            w, h);
-}
-
-/*
- * native_window_set_buffers_format(..., int format)
- * All buffers dequeued after this call will have the format specified.
- *
- * If the specified format is 0, the default buffer format will be used.
- */
-static inline int native_window_set_buffers_format(
-        struct ANativeWindow* window,
-        int format)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_FORMAT, format);
-}
-
-/*
- * native_window_set_buffers_transform(..., int transform)
- * All buffers queued after this call will be displayed transformed according
- * to the transform parameter specified.
- */
-static inline int native_window_set_buffers_transform(
-        struct ANativeWindow* window,
-        int transform)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_TRANSFORM,
-            transform);
-}
-
-/*
- * native_window_set_buffers_timestamp(..., int64_t timestamp)
- * All buffers queued after this call will be associated with the timestamp
- * parameter specified. If the timestamp is set to NATIVE_WINDOW_TIMESTAMP_AUTO
- * (the default), timestamps will be generated automatically when queueBuffer is
- * called. The timestamp is measured in nanoseconds, and is normally monotonically
- * increasing. The timestamp should be unaffected by time-of-day adjustments,
- * and for a camera should be strictly monotonic but for a media player may be
- * reset when the position is set.
- */
-static inline int native_window_set_buffers_timestamp(
-        struct ANativeWindow* window,
-        int64_t timestamp)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_BUFFERS_TIMESTAMP,
-            timestamp);
-}
-
-/*
- * native_window_set_scaling_mode(..., int mode)
- * All buffers queued after this call will be associated with the scaling mode
- * specified.
- */
-static inline int native_window_set_scaling_mode(
-        struct ANativeWindow* window,
-        int mode)
-{
-    return window->perform(window, NATIVE_WINDOW_SET_SCALING_MODE,
-            mode);
-}
-
-
-/*
- * native_window_api_connect(..., int api)
- * connects an API to this window. only one API can be connected at a time.
- * Returns -EINVAL if for some reason the window cannot be connected, which
- * can happen if it's connected to some other API.
- */
-static inline int native_window_api_connect(
-        struct ANativeWindow* window, int api)
-{
-    return window->perform(window, NATIVE_WINDOW_API_CONNECT, api);
-}
-
-/*
- * native_window_api_disconnect(..., int api)
- * disconnect the API from this window.
- * An error is returned if for instance the window wasn't connected in the
- * first place.
- */
-static inline int native_window_api_disconnect(
-        struct ANativeWindow* window, int api)
-{
-    return window->perform(window, NATIVE_WINDOW_API_DISCONNECT, api);
-}
-
-
-__END_DECLS
-
-#endif /* SYSTEM_CORE_INCLUDE_ANDROID_WINDOW_H */
diff --git a/media/omx-plugin/include/ics/ui/GraphicBuffer.h b/media/omx-plugin/include/ics/ui/GraphicBuffer.h
deleted file mode 100644
index 6ab01f4c98..0000000000
--- a/media/omx-plugin/include/ics/ui/GraphicBuffer.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_GRAPHIC_BUFFER_H
-#define ANDROID_GRAPHIC_BUFFER_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <ui/android_native_buffer.h>
-#include <ui/PixelFormat.h>
-#include <ui/Rect.h>
-#include <utils/Flattenable.h>
-#include <pixelflinger/pixelflinger.h>
-
-struct ANativeWindowBuffer;
-
-namespace android {
-
-class GraphicBufferMapper;
-
-// ===========================================================================
-// GraphicBuffer
-// ===========================================================================
-
-class GraphicBuffer
-    : public EGLNativeBase<
-        ANativeWindowBuffer,
-        GraphicBuffer, 
-        LightRefBase<GraphicBuffer> >, public Flattenable
-{
-public:
-
-    enum {
-        USAGE_SW_READ_NEVER     = GRALLOC_USAGE_SW_READ_NEVER,
-        USAGE_SW_READ_RARELY    = GRALLOC_USAGE_SW_READ_RARELY,
-        USAGE_SW_READ_OFTEN     = GRALLOC_USAGE_SW_READ_OFTEN,
-        USAGE_SW_READ_MASK      = GRALLOC_USAGE_SW_READ_MASK,
-        
-        USAGE_SW_WRITE_NEVER    = GRALLOC_USAGE_SW_WRITE_NEVER,
-        USAGE_SW_WRITE_RARELY   = GRALLOC_USAGE_SW_WRITE_RARELY,
-        USAGE_SW_WRITE_OFTEN    = GRALLOC_USAGE_SW_WRITE_OFTEN,
-        USAGE_SW_WRITE_MASK     = GRALLOC_USAGE_SW_WRITE_MASK,
-
-        USAGE_SOFTWARE_MASK     = USAGE_SW_READ_MASK|USAGE_SW_WRITE_MASK,
-
-        USAGE_PROTECTED         = GRALLOC_USAGE_PROTECTED,
-
-        USAGE_HW_TEXTURE        = GRALLOC_USAGE_HW_TEXTURE,
-        USAGE_HW_RENDER         = GRALLOC_USAGE_HW_RENDER,
-        USAGE_HW_2D             = GRALLOC_USAGE_HW_2D,
-        USAGE_HW_COMPOSER       = GRALLOC_USAGE_HW_COMPOSER,
-        USAGE_HW_VIDEO_ENCODER  = GRALLOC_USAGE_HW_VIDEO_ENCODER,
-        USAGE_HW_MASK           = GRALLOC_USAGE_HW_MASK
-    };
-
-    GraphicBuffer();
-
-    // creates w * h buffer
-    GraphicBuffer(uint32_t w, uint32_t h, PixelFormat format, uint32_t usage);
-
-    // create a buffer from an existing handle
-    GraphicBuffer(uint32_t w, uint32_t h, PixelFormat format, uint32_t usage,
-            uint32_t stride, native_handle_t* handle, bool keepOwnership);
-
-    // create a buffer from an existing ANativeWindowBuffer
-    GraphicBuffer(ANativeWindowBuffer* buffer, bool keepOwnership);
-
-    // return status
-    status_t initCheck() const;
-
-    uint32_t getWidth() const           { return width; }
-    uint32_t getHeight() const          { return height; }
-    uint32_t getStride() const          { return stride; }
-    uint32_t getUsage() const           { return usage; }
-    PixelFormat getPixelFormat() const  { return format; }
-    Rect getBounds() const              { return Rect(width, height); }
-    
-    status_t reallocate(uint32_t w, uint32_t h, PixelFormat f, uint32_t usage);
-
-    status_t lock(uint32_t usage, void** vaddr);
-    status_t lock(uint32_t usage, const Rect& rect, void** vaddr);
-    status_t lock(GGLSurface* surface, uint32_t usage);
-    status_t unlock();
-
-    ANativeWindowBuffer* getNativeBuffer() const;
-    
-    void setIndex(int index);
-    int getIndex() const;
-
-    // for debugging
-    static void dumpAllocationsToSystemLog();
-
-private:
-    virtual ~GraphicBuffer();
-
-    enum {
-        ownNone   = 0,
-        ownHandle = 1,
-        ownData   = 2,
-    };
-
-    inline const GraphicBufferMapper& getBufferMapper() const {
-        return mBufferMapper;
-    }
-    inline GraphicBufferMapper& getBufferMapper() {
-        return mBufferMapper;
-    }
-    uint8_t mOwner;
-
-private:
-    friend class Surface;
-    friend class BpSurface;
-    friend class BnSurface;
-    friend class SurfaceTextureClient;
-    friend class LightRefBase<GraphicBuffer>;
-    GraphicBuffer(const GraphicBuffer& rhs);
-    GraphicBuffer& operator = (const GraphicBuffer& rhs);
-    const GraphicBuffer& operator = (const GraphicBuffer& rhs) const;
-
-    status_t initSize(uint32_t w, uint32_t h, PixelFormat format, 
-            uint32_t usage);
-
-    void free_handle();
-
-    // Flattenable interface
-    size_t getFlattenedSize() const;
-    size_t getFdCount() const;
-    status_t flatten(void* buffer, size_t size,
-            int fds[], size_t count) const;
-    status_t unflatten(void const* buffer, size_t size,
-            int fds[], size_t count);
-
-
-    GraphicBufferMapper& mBufferMapper;
-    ssize_t mInitCheck;
-    int mIndex;
-
-    // If we're wrapping another buffer then this reference will make sure it
-    // doesn't get freed.
-    sp<ANativeWindowBuffer> mWrappedBuffer;
-};
-
-}; // namespace android
-
-#endif // ANDROID_GRAPHIC_BUFFER_H
diff --git a/media/omx-plugin/include/ics/ui/PixelFormat.h b/media/omx-plugin/include/ics/ui/PixelFormat.h
deleted file mode 100644
index 848c5a1149..0000000000
--- a/media/omx-plugin/include/ics/ui/PixelFormat.h
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-
-// Pixel formats used across the system.
-// These formats might not all be supported by all renderers, for instance
-// skia or SurfaceFlinger are not required to support all of these formats
-// (either as source or destination)
-
-// XXX: we should consolidate these formats and skia's
-
-#ifndef UI_PIXELFORMAT_H
-#define UI_PIXELFORMAT_H
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <utils/Errors.h>
-#include <pixelflinger/format.h>
-#include <hardware/hardware.h>
-
-namespace android {
-
-enum {
-    //
-    // these constants need to match those
-    // in graphics/PixelFormat.java & pixelflinger/format.h
-    //
-    PIXEL_FORMAT_UNKNOWN    =   0,
-    PIXEL_FORMAT_NONE       =   0,
-
-    // logical pixel formats used by the SurfaceFlinger -----------------------
-    PIXEL_FORMAT_CUSTOM         = -4,
-        // Custom pixel-format described by a PixelFormatInfo structure
-
-    PIXEL_FORMAT_TRANSLUCENT    = -3,
-        // System chooses a format that supports translucency (many alpha bits)
-
-    PIXEL_FORMAT_TRANSPARENT    = -2,
-        // System chooses a format that supports transparency
-        // (at least 1 alpha bit)
-
-    PIXEL_FORMAT_OPAQUE         = -1,
-        // System chooses an opaque format (no alpha bits required)
-
-    // real pixel formats supported for rendering -----------------------------
-
-    PIXEL_FORMAT_RGBA_8888   = HAL_PIXEL_FORMAT_RGBA_8888,  // 4x8-bit RGBA
-    PIXEL_FORMAT_RGBX_8888   = HAL_PIXEL_FORMAT_RGBX_8888,  // 4x8-bit RGB0
-    PIXEL_FORMAT_RGB_888     = HAL_PIXEL_FORMAT_RGB_888,    // 3x8-bit RGB
-    PIXEL_FORMAT_RGB_565     = HAL_PIXEL_FORMAT_RGB_565,    // 16-bit RGB
-    PIXEL_FORMAT_BGRA_8888   = HAL_PIXEL_FORMAT_BGRA_8888,  // 4x8-bit BGRA
-    PIXEL_FORMAT_RGBA_5551   = HAL_PIXEL_FORMAT_RGBA_5551,  // 16-bit ARGB
-    PIXEL_FORMAT_RGBA_4444   = HAL_PIXEL_FORMAT_RGBA_4444,  // 16-bit ARGB
-    PIXEL_FORMAT_A_8         = GGL_PIXEL_FORMAT_A_8,        // 8-bit A
-    PIXEL_FORMAT_L_8         = GGL_PIXEL_FORMAT_L_8,        // 8-bit L (R=G=B=L)
-    PIXEL_FORMAT_LA_88       = GGL_PIXEL_FORMAT_LA_88,      // 16-bit LA
-    PIXEL_FORMAT_RGB_332     = GGL_PIXEL_FORMAT_RGB_332,    // 8-bit RGB
-
-    // New formats can be added if they're also defined in
-    // pixelflinger/format.h
-};
-
-typedef int32_t PixelFormat;
-
-struct PixelFormatInfo
-{
-    enum {
-        INDEX_ALPHA   = 0,
-        INDEX_RED     = 1,
-        INDEX_GREEN   = 2,
-        INDEX_BLUE    = 3
-    };
-
-    enum { // components
-        ALPHA               = 1,
-        RGB                 = 2,
-        RGBA                = 3,
-        LUMINANCE           = 4,
-        LUMINANCE_ALPHA     = 5,
-        OTHER               = 0xFF
-    };
-
-    struct szinfo {
-        uint8_t h;
-        uint8_t l;
-    };
-
-    inline PixelFormatInfo() : version(sizeof(PixelFormatInfo)) { }
-    size_t getScanlineSize(unsigned int width) const;
-    size_t getSize(size_t ci) const {
-        return (ci <= 3) ? (cinfo[ci].h - cinfo[ci].l) : 0;
-    }
-    size_t      version;
-    PixelFormat format;
-    size_t      bytesPerPixel;
-    size_t      bitsPerPixel;
-    union {
-        szinfo      cinfo[4];
-        struct {
-            uint8_t     h_alpha;
-            uint8_t     l_alpha;
-            uint8_t     h_red;
-            uint8_t     l_red;
-            uint8_t     h_green;
-            uint8_t     l_green;
-            uint8_t     h_blue;
-            uint8_t     l_blue;
-        };
-    };
-    uint8_t     components;
-    uint8_t     reserved0[3];
-    uint32_t    reserved1;
-};
-
-// Consider caching the results of these functions are they're not
-// guaranteed to be fast.
-ssize_t     bytesPerPixel(PixelFormat format);
-ssize_t     bitsPerPixel(PixelFormat format);
-status_t    getPixelFormatInfo(PixelFormat format, PixelFormatInfo* info);
-
-}; // namespace android
-
-#endif // UI_PIXELFORMAT_H
diff --git a/media/omx-plugin/include/ics/ui/Point.h b/media/omx-plugin/include/ics/ui/Point.h
deleted file mode 100644
index 1653120a6d..0000000000
--- a/media/omx-plugin/include/ics/ui/Point.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2006 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_UI_POINT
-#define ANDROID_UI_POINT
-
-#include <utils/TypeHelpers.h>
-
-namespace android {
-
-class Point
-{
-public:
-    int x;
-    int y;
-
-    // we don't provide copy-ctor and operator= on purpose
-    // because we want the compiler generated versions
-
-    // Default constructor doesn't initialize the Point
-    inline Point() {
-    }
-    inline Point(int x, int y) : x(x), y(y) {
-    }
-
-    inline bool operator == (const Point& rhs) const {
-        return (x == rhs.x) && (y == rhs.y);
-    }
-    inline bool operator != (const Point& rhs) const {
-        return !operator == (rhs);
-    }
-
-    inline bool isOrigin() const {
-        return !(x|y);
-    }
-
-    // operator < defines an order which allows to use points in sorted
-    // vectors.
-    bool operator < (const Point& rhs) const {
-        return y<rhs.y || (y==rhs.y && x<rhs.x);
-    }
-
-    inline Point& operator - () {
-        x = -x;
-        y = -y;
-        return *this;
-    }
-    
-    inline Point& operator += (const Point& rhs) {
-        x += rhs.x;
-        y += rhs.y;
-        return *this;
-    }
-    inline Point& operator -= (const Point& rhs) {
-        x -= rhs.x;
-        y -= rhs.y;
-        return *this;
-    }
-    
-    const Point operator + (const Point& rhs) const {
-        const Point result(x+rhs.x, y+rhs.y);
-        return result;
-    }
-    const Point operator - (const Point& rhs) const {
-        const Point result(x-rhs.x, y-rhs.y);
-        return result;
-    }    
-};
-
-ANDROID_BASIC_TYPES_TRAITS(Point)
-
-}; // namespace android
-
-#endif // ANDROID_UI_POINT
diff --git a/media/omx-plugin/include/ics/ui/Rect.h b/media/omx-plugin/include/ics/ui/Rect.h
deleted file mode 100644
index 9e98bc5620..0000000000
--- a/media/omx-plugin/include/ics/ui/Rect.h
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright (C) 2006 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_UI_RECT
-#define ANDROID_UI_RECT
-
-#include <utils/TypeHelpers.h>
-#include <ui/Point.h>
-
-#include <android/rect.h>
-
-namespace android {
-
-class Rect : public ARect
-{
-public:
-    typedef ARect::value_type value_type;
-
-    // we don't provide copy-ctor and operator= on purpose
-    // because we want the compiler generated versions
-
-    inline Rect() {
-    }
-    inline Rect(int32_t w, int32_t h) {
-        left = top = 0; right = w; bottom = h;
-    }
-    inline Rect(int32_t l, int32_t t, int32_t r, int32_t b) {
-        left = l; top = t; right = r; bottom = b;
-    }
-    inline Rect(const Point& lt, const Point& rb) {
-        left = lt.x; top = lt.y; right = rb.x; bottom = rb.y;
-    }
-
-    void makeInvalid();
-
-    inline void clear() {
-        left = top = right = bottom = 0;
-    }
-
-    // a valid rectangle has a non negative width and height
-    inline bool isValid() const {
-        return (width()>=0) && (height()>=0);
-    }
-
-    // an empty rect has a zero width or height, or is invalid
-    inline bool isEmpty() const {
-        return (width()<=0) || (height()<=0);
-    }
-
-    inline void set(const Rect& rhs) {
-        operator = (rhs);
-    }
-
-    // rectangle's width
-    inline int32_t width() const {
-        return right-left;
-    }
-    
-    // rectangle's height
-    inline int32_t height() const {
-        return bottom-top;
-    }
-
-    void setLeftTop(const Point& lt) {
-        left = lt.x;
-        top  = lt.y;
-    }
-
-    void setRightBottom(const Point& rb) {
-        right = rb.x;
-        bottom  = rb.y;
-    }
-    
-    // the following 4 functions return the 4 corners of the rect as Point
-    Point leftTop() const {
-        return Point(left, top);
-    }
-    Point rightBottom() const {
-        return Point(right, bottom);
-    }
-    Point rightTop() const {
-        return Point(right, top);
-    }
-    Point leftBottom() const {
-        return Point(left, bottom);
-    }
-
-    // comparisons
-    inline bool operator == (const Rect& rhs) const {
-        return (left == rhs.left) && (top == rhs.top) &&
-               (right == rhs.right) && (bottom == rhs.bottom);
-    }
-
-    inline bool operator != (const Rect& rhs) const {
-        return !operator == (rhs);
-    }
-
-    // operator < defines an order which allows to use rectangles in sorted
-    // vectors.
-    bool operator < (const Rect& rhs) const;
-
-    Rect& offsetToOrigin() {
-        right -= left;
-        bottom -= top;
-        left = top = 0;
-        return *this;
-    }
-    Rect& offsetTo(const Point& p) {
-        return offsetTo(p.x, p.y);
-    }
-    Rect& offsetBy(const Point& dp) {
-        return offsetBy(dp.x, dp.y);
-    }
-    Rect& operator += (const Point& rhs) {
-        return offsetBy(rhs.x, rhs.y);
-    }
-    Rect& operator -= (const Point& rhs) {
-        return offsetBy(-rhs.x, -rhs.y);
-    }
-    const Rect operator + (const Point& rhs) const;
-    const Rect operator - (const Point& rhs) const;
-
-    void translate(int32_t dx, int32_t dy) { // legacy, don't use.
-        offsetBy(dx, dy);
-    }
- 
-    Rect&   offsetTo(int32_t x, int32_t y);
-    Rect&   offsetBy(int32_t x, int32_t y);
-    bool    intersect(const Rect& with, Rect* result) const;
-};
-
-ANDROID_BASIC_TYPES_TRAITS(Rect)
-
-}; // namespace android
-
-#endif // ANDROID_UI_RECT
diff --git a/media/omx-plugin/include/ics/ui/android_native_buffer.h b/media/omx-plugin/include/ics/ui/android_native_buffer.h
deleted file mode 100644
index b6e1db4600..0000000000
--- a/media/omx-plugin/include/ics/ui/android_native_buffer.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_ANDROID_NATIVES_PRIV_H
-#define ANDROID_ANDROID_NATIVES_PRIV_H
-
-#include <ui/egl/android_natives.h>
-
-#endif /* ANDROID_ANDROID_NATIVES_PRIV_H */
diff --git a/media/omx-plugin/include/ics/ui/egl/android_natives.h b/media/omx-plugin/include/ics/ui/egl/android_natives.h
deleted file mode 100644
index 9ac50a5a39..0000000000
--- a/media/omx-plugin/include/ics/ui/egl/android_natives.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2009 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_ANDROID_NATIVES_H
-#define ANDROID_ANDROID_NATIVES_H
-
-#include <sys/types.h>
-#include <string.h>
-
-#include <hardware/gralloc.h>
-#include <system/window.h>
-// FIXME: remove this header, it's for legacy use.  native_window is pulled from frameworks/base/native/include/android/
-#include <android/native_window.h>
-// ---------------------------------------------------------------------------
-
-/* FIXME: this is legacy for pixmaps */
-typedef struct egl_native_pixmap_t
-{
-    int32_t     version;    /* must be 32 */
-    int32_t     width;
-    int32_t     height;
-    int32_t     stride;
-    uint8_t*    data;
-    uint8_t     format;
-    uint8_t     rfu[3];
-    union {
-        uint32_t    compressedFormat;
-        int32_t     vstride;
-    };
-    int32_t     reserved;
-} egl_native_pixmap_t;
-
-/*****************************************************************************/
-
-#ifdef __cplusplus
-
-#include <utils/RefBase.h>
-
-namespace android {
-
-/*
- * This helper class turns an EGL android_native_xxx type into a C++
- * reference-counted object; with proper type conversions.
- */
-template <typename NATIVE_TYPE, typename TYPE, typename REF>
-class EGLNativeBase : public NATIVE_TYPE, public REF
-{
-public:
-    // Disambiguate between the incStrong in REF and NATIVE_TYPE
-    void incStrong(const void* id) const {
-        REF::incStrong(id);
-    }
-    void decStrong(const void* id) const {
-        REF::decStrong(id);
-    }
-
-protected:
-    typedef EGLNativeBase<NATIVE_TYPE, TYPE, REF> BASE;
-    EGLNativeBase() : NATIVE_TYPE(), REF() {
-        NATIVE_TYPE::common.incRef = incRef;
-        NATIVE_TYPE::common.decRef = decRef;
-    }
-    static inline TYPE* getSelf(NATIVE_TYPE* self) {
-        return static_cast<TYPE*>(self);
-    }
-    static inline TYPE const* getSelf(NATIVE_TYPE const* self) {
-        return static_cast<TYPE const *>(self);
-    }
-    static inline TYPE* getSelf(android_native_base_t* base) {
-        return getSelf(reinterpret_cast<NATIVE_TYPE*>(base));
-    }
-    static inline TYPE const * getSelf(android_native_base_t const* base) {
-        return getSelf(reinterpret_cast<NATIVE_TYPE const*>(base));
-    }
-    static void incRef(android_native_base_t* base) {
-        EGLNativeBase* self = getSelf(base);
-        self->incStrong(self);
-    }
-    static void decRef(android_native_base_t* base) {
-        EGLNativeBase* self = getSelf(base);
-        self->decStrong(self);
-    }
-};
-
-} // namespace android
-#endif // __cplusplus
-
-/*****************************************************************************/
-
-#endif /* ANDROID_ANDROID_NATIVES_H */
diff --git a/media/omx-plugin/include/ics/utils/Errors.h b/media/omx-plugin/include/ics/utils/Errors.h
deleted file mode 100644
index 0b75b1926c..0000000000
--- a/media/omx-plugin/include/ics/utils/Errors.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_ERRORS_H
-#define ANDROID_ERRORS_H
-
-#include <sys/types.h>
-#include <errno.h>
-
-namespace android {
-
-// use this type to return error codes
-#ifdef HAVE_MS_C_RUNTIME
-typedef int         status_t;
-#else
-typedef int32_t     status_t;
-#endif
-
-/* the MS C runtime lacks a few error codes */
-
-/*
- * Error codes. 
- * All error codes are negative values.
- */
-
-// Win32 #defines NO_ERROR as well.  It has the same value, so there's no
-// real conflict, though it's a bit awkward.
-#ifdef _WIN32
-# undef NO_ERROR
-#endif
- 
-enum {
-    OK                = 0,    // Everything's swell.
-    NO_ERROR          = 0,    // No errors.
-    
-    UNKNOWN_ERROR       = 0x80000000,
-
-    NO_MEMORY           = -ENOMEM,
-    INVALID_OPERATION   = -ENOSYS,
-    BAD_VALUE           = -EINVAL,
-    BAD_TYPE            = 0x80000001,
-    NAME_NOT_FOUND      = -ENOENT,
-    PERMISSION_DENIED   = -EPERM,
-    NO_INIT             = -ENODEV,
-    ALREADY_EXISTS      = -EEXIST,
-    DEAD_OBJECT         = -EPIPE,
-    FAILED_TRANSACTION  = 0x80000002,
-    JPARKS_BROKE_IT     = -EPIPE,
-#if !defined(HAVE_MS_C_RUNTIME)
-    BAD_INDEX           = -EOVERFLOW,
-    NOT_ENOUGH_DATA     = -ENODATA,
-    WOULD_BLOCK         = -EWOULDBLOCK, 
-    TIMED_OUT           = -ETIMEDOUT,
-    UNKNOWN_TRANSACTION = -EBADMSG,
-#else    
-    BAD_INDEX           = -E2BIG,
-    NOT_ENOUGH_DATA     = 0x80000003,
-    WOULD_BLOCK         = 0x80000004,
-    TIMED_OUT           = 0x80000005,
-    UNKNOWN_TRANSACTION = 0x80000006,
-#endif    
-    FDS_NOT_ALLOWED     = 0x80000007,
-};
-
-// Restore define; enumeration is in "android" namespace, so the value defined
-// there won't work for Win32 code in a different namespace.
-#ifdef _WIN32
-# define NO_ERROR 0L
-#endif
-
-}; // namespace android
-    
-// ---------------------------------------------------------------------------
-    
-#endif // ANDROID_ERRORS_H
diff --git a/media/omx-plugin/include/ics/utils/Flattenable.h b/media/omx-plugin/include/ics/utils/Flattenable.h
deleted file mode 100644
index 852be3b6a3..0000000000
--- a/media/omx-plugin/include/ics/utils/Flattenable.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2010 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_UTILS_FLATTENABLE_H
-#define ANDROID_UTILS_FLATTENABLE_H
-
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <utils/Errors.h>
-
-namespace android {
-
-class Flattenable
-{
-public:
-    // size in bytes of the flattened object
-    virtual size_t getFlattenedSize() const = 0;
-
-    // number of file descriptors to flatten
-    virtual size_t getFdCount() const = 0;
-
-    // flattens the object into buffer.
-    // size should be at least of getFlattenedSize()
-    // file descriptors are written in the fds[] array but ownership is
-    // not transfered (ie: they must be dupped by the caller of
-    // flatten() if needed).
-    virtual status_t flatten(void* buffer, size_t size,
-            int fds[], size_t count) const = 0;
-
-    // unflattens the object from buffer.
-    // size should be equal to the value of getFlattenedSize() when the
-    // object was flattened.
-    // unflattened file descriptors are found in the fds[] array and
-    // don't need to be dupped(). ie: the caller of unflatten doesn't
-    // keep ownership. If a fd is not retained by unflatten() it must be
-    // explicitly closed.
-    virtual status_t unflatten(void const* buffer, size_t size,
-            int fds[], size_t count) = 0;
-
-protected:
-    virtual ~Flattenable() = 0;
-
-};
-
-}; // namespace android
-
-
-#endif /* ANDROID_UTILS_FLATTENABLE_H */
diff --git a/media/omx-plugin/include/ics/utils/KeyedVector.h b/media/omx-plugin/include/ics/utils/KeyedVector.h
deleted file mode 100644
index 6bcdea4ff1..0000000000
--- a/media/omx-plugin/include/ics/utils/KeyedVector.h
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_KEYED_VECTOR_H
-#define ANDROID_KEYED_VECTOR_H
-
-#include <assert.h>
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <utils/SortedVector.h>
-#include <utils/TypeHelpers.h>
-#include <utils/Errors.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-template <typename KEY, typename VALUE>
-class KeyedVector
-{
-public:
-    typedef KEY    key_type;
-    typedef VALUE  value_type;
-
-    inline                  KeyedVector();
-
-    /*
-     * empty the vector
-     */
-
-    inline  void            clear()                     { mVector.clear(); }
-
-    /*! 
-     * vector stats
-     */
-
-    //! returns number of items in the vector
-    inline  size_t          size() const                { return mVector.size(); }
-    //! returns wether or not the vector is empty
-    inline  bool            isEmpty() const             { return mVector.isEmpty(); }
-    //! returns how many items can be stored without reallocating the backing store
-    inline  size_t          capacity() const            { return mVector.capacity(); }
-    //! setst the capacity. capacity can never be reduced less than size()
-    inline ssize_t          setCapacity(size_t size)    { return mVector.setCapacity(size); }
-    
-    /*! 
-     * accessors
-     */
-            const VALUE&    valueFor(const KEY& key) const;
-            const VALUE&    valueAt(size_t index) const;
-            const KEY&      keyAt(size_t index) const;
-            ssize_t         indexOfKey(const KEY& key) const;
-
-    /*!
-     * modifing the array
-     */
-
-            VALUE&          editValueFor(const KEY& key);
-            VALUE&          editValueAt(size_t index);
-
-            /*! 
-             * add/insert/replace items
-             */
-             
-            ssize_t         add(const KEY& key, const VALUE& item);
-            ssize_t         replaceValueFor(const KEY& key, const VALUE& item);
-            ssize_t         replaceValueAt(size_t index, const VALUE& item);
-
-    /*!
-     * remove items
-     */
-
-            ssize_t         removeItem(const KEY& key);
-            ssize_t         removeItemsAt(size_t index, size_t count = 1);
-            
-private:
-            SortedVector< key_value_pair_t<KEY, VALUE> >    mVector;
-};
-
-// ---------------------------------------------------------------------------
-
-/**
- * Variation of KeyedVector that holds a default value to return when
- * valueFor() is called with a key that doesn't exist.
- */
-template <typename KEY, typename VALUE>
-class DefaultKeyedVector : public KeyedVector<KEY, VALUE>
-{
-public:
-    inline                  DefaultKeyedVector(const VALUE& defValue = VALUE());
-            const VALUE&    valueFor(const KEY& key) const;
-
-private:
-            VALUE                                           mDefault;
-};
-
-// ---------------------------------------------------------------------------
-
-template<typename KEY, typename VALUE> inline
-KeyedVector<KEY,VALUE>::KeyedVector()
-{
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::indexOfKey(const KEY& key) const {
-    return mVector.indexOf( key_value_pair_t<KEY,VALUE>(key) );
-}
-
-template<typename KEY, typename VALUE> inline
-const VALUE& KeyedVector<KEY,VALUE>::valueFor(const KEY& key) const {
-    ssize_t i = indexOfKey(key);
-    assert(i>=0);
-    return mVector.itemAt(i).value;
-}
-
-template<typename KEY, typename VALUE> inline
-const VALUE& KeyedVector<KEY,VALUE>::valueAt(size_t index) const {
-    return mVector.itemAt(index).value;
-}
-
-template<typename KEY, typename VALUE> inline
-const KEY& KeyedVector<KEY,VALUE>::keyAt(size_t index) const {
-    return mVector.itemAt(index).key;
-}
-
-template<typename KEY, typename VALUE> inline
-VALUE& KeyedVector<KEY,VALUE>::editValueFor(const KEY& key) {
-    ssize_t i = indexOfKey(key);
-    assert(i>=0);
-    return mVector.editItemAt(i).value;
-}
-
-template<typename KEY, typename VALUE> inline
-VALUE& KeyedVector<KEY,VALUE>::editValueAt(size_t index) {
-    return mVector.editItemAt(index).value;
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::add(const KEY& key, const VALUE& value) {
-    return mVector.add( key_value_pair_t<KEY,VALUE>(key, value) );
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::replaceValueFor(const KEY& key, const VALUE& value) {
-    key_value_pair_t<KEY,VALUE> pair(key, value);
-    mVector.remove(pair);
-    return mVector.add(pair);
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::replaceValueAt(size_t index, const VALUE& item) {
-    if (index<size()) {
-        mVector.editItemAt(index).value = item;
-        return index;
-    }
-    return BAD_INDEX;
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY,VALUE>::removeItem(const KEY& key) {
-    return mVector.remove(key_value_pair_t<KEY,VALUE>(key));
-}
-
-template<typename KEY, typename VALUE> inline
-ssize_t KeyedVector<KEY, VALUE>::removeItemsAt(size_t index, size_t count) {
-    return mVector.removeItemsAt(index, count);
-}
-
-// ---------------------------------------------------------------------------
-
-template<typename KEY, typename VALUE> inline
-DefaultKeyedVector<KEY,VALUE>::DefaultKeyedVector(const VALUE& defValue)
-    : mDefault(defValue)
-{
-}
-
-template<typename KEY, typename VALUE> inline
-const VALUE& DefaultKeyedVector<KEY,VALUE>::valueFor(const KEY& key) const {
-    ssize_t i = indexOfKey(key);
-    return i >= 0 ? KeyedVector<KEY,VALUE>::valueAt(i) : mDefault;
-}
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_KEYED_VECTOR_H
diff --git a/media/omx-plugin/include/ics/utils/List.h b/media/omx-plugin/include/ics/utils/List.h
deleted file mode 100644
index 403cd7f1e5..0000000000
--- a/media/omx-plugin/include/ics/utils/List.h
+++ /dev/null
@@ -1,332 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// Templated list class.  Normally we'd use STL, but we don't have that.
-// This class mimics STL's interfaces.
-//
-// Objects are copied into the list with the '=' operator or with copy-
-// construction, so if the compiler's auto-generated versions won't work for
-// you, define your own.
-//
-// The only class you want to use from here is "List".
-//
-#ifndef _LIBS_UTILS_LIST_H
-#define _LIBS_UTILS_LIST_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-namespace android {
-
-/*
- * Doubly-linked list.  Instantiate with "List<MyClass> myList".
- *
- * Objects added to the list are copied using the assignment operator,
- * so this must be defined.
- */
-template<typename T> 
-class List 
-{
-protected:
-    /*
-     * One element in the list.
-     */
-    class _Node {
-    public:
-        explicit _Node(const T& val) : mVal(val) {}
-        ~_Node() {}
-        inline T& getRef() { return mVal; }
-        inline const T& getRef() const { return mVal; }
-        inline _Node* getPrev() const { return mpPrev; }
-        inline _Node* getNext() const { return mpNext; }
-        inline void setVal(const T& val) { mVal = val; }
-        inline void setPrev(_Node* ptr) { mpPrev = ptr; }
-        inline void setNext(_Node* ptr) { mpNext = ptr; }
-    private:
-        friend class List;
-        friend class _ListIterator;
-        T           mVal;
-        _Node*      mpPrev;
-        _Node*      mpNext;
-    };
-
-    /*
-     * Iterator for walking through the list.
-     */
-    
-    template <typename TYPE>
-    struct CONST_ITERATOR {
-        typedef _Node const * NodePtr;
-        typedef const TYPE Type;
-    };
-    
-    template <typename TYPE>
-    struct NON_CONST_ITERATOR {
-        typedef _Node* NodePtr;
-        typedef TYPE Type;
-    };
-    
-    template<
-        typename U,
-        template <class> class Constness
-    > 
-    class _ListIterator {
-        typedef _ListIterator<U, Constness>     _Iter;
-        typedef typename Constness<U>::NodePtr  _NodePtr;
-        typedef typename Constness<U>::Type     _Type;
-
-        explicit _ListIterator(_NodePtr ptr) : mpNode(ptr) {}
-
-    public:
-        _ListIterator() {}
-        _ListIterator(const _Iter& rhs) : mpNode(rhs.mpNode) {}
-        ~_ListIterator() {}
-        
-        // this will handle conversions from iterator to const_iterator
-        // (and also all convertible iterators)
-        // Here, in this implementation, the iterators can be converted
-        // if the nodes can be converted
-        template<typename V> explicit 
-        _ListIterator(const V& rhs) : mpNode(rhs.mpNode) {}
-        
-
-        /*
-         * Dereference operator.  Used to get at the juicy insides.
-         */
-        _Type& operator*() const { return mpNode->getRef(); }
-        _Type* operator->() const { return &(mpNode->getRef()); }
-
-        /*
-         * Iterator comparison.
-         */
-        inline bool operator==(const _Iter& right) const { 
-            return mpNode == right.mpNode; }
-        
-        inline bool operator!=(const _Iter& right) const { 
-            return mpNode != right.mpNode; }
-
-        /*
-         * handle comparisons between iterator and const_iterator
-         */
-        template<typename OTHER>
-        inline bool operator==(const OTHER& right) const { 
-            return mpNode == right.mpNode; }
-        
-        template<typename OTHER>
-        inline bool operator!=(const OTHER& right) const { 
-            return mpNode != right.mpNode; }
-
-        /*
-         * Incr/decr, used to move through the list.
-         */
-        inline _Iter& operator++() {     // pre-increment
-            mpNode = mpNode->getNext();
-            return *this;
-        }
-        const _Iter operator++(int) {    // post-increment
-            _Iter tmp(*this);
-            mpNode = mpNode->getNext();
-            return tmp;
-        }
-        inline _Iter& operator--() {     // pre-increment
-            mpNode = mpNode->getPrev();
-            return *this;
-        }
-        const _Iter operator--(int) {   // post-increment
-            _Iter tmp(*this);
-            mpNode = mpNode->getPrev();
-            return tmp;
-        }
-
-        inline _NodePtr getNode() const { return mpNode; }
-
-        _NodePtr mpNode;    /* should be private, but older gcc fails */
-    private:
-        friend class List;
-    };
-
-public:
-    List() {
-        prep();
-    }
-    List(const List<T>& src) {      // copy-constructor
-        prep();
-        insert(begin(), src.begin(), src.end());
-    }
-    virtual ~List() {
-        clear();
-        delete[] (unsigned char*) mpMiddle;
-    }
-
-    typedef _ListIterator<T, NON_CONST_ITERATOR> iterator;
-    typedef _ListIterator<T, CONST_ITERATOR> const_iterator;
-
-    List<T>& operator=(const List<T>& right);
-
-    /* returns true if the list is empty */
-    inline bool empty() const { return mpMiddle->getNext() == mpMiddle; }
-
-    /* return #of elements in list */
-    size_t size() const {
-        return size_t(distance(begin(), end()));
-    }
-
-    /*
-     * Return the first element or one past the last element.  The
-     * _Node* we're returning is converted to an "iterator" by a
-     * constructor in _ListIterator.
-     */
-    inline iterator begin() { 
-        return iterator(mpMiddle->getNext()); 
-    }
-    inline const_iterator begin() const { 
-        return const_iterator(const_cast<_Node const*>(mpMiddle->getNext())); 
-    }
-    inline iterator end() { 
-        return iterator(mpMiddle); 
-    }
-    inline const_iterator end() const { 
-        return const_iterator(const_cast<_Node const*>(mpMiddle)); 
-    }
-
-    /* add the object to the head or tail of the list */
-    void push_front(const T& val) { insert(begin(), val); }
-    void push_back(const T& val) { insert(end(), val); }
-
-    /* insert before the current node; returns iterator at new node */
-    iterator insert(iterator posn, const T& val) 
-    {
-        _Node* newNode = new _Node(val);        // alloc & copy-construct
-        newNode->setNext(posn.getNode());
-        newNode->setPrev(posn.getNode()->getPrev());
-        posn.getNode()->getPrev()->setNext(newNode);
-        posn.getNode()->setPrev(newNode);
-        return iterator(newNode);
-    }
-
-    /* insert a range of elements before the current node */
-    void insert(iterator posn, const_iterator first, const_iterator last) {
-        for ( ; first != last; ++first)
-            insert(posn, *first);
-    }
-
-    /* remove one entry; returns iterator at next node */
-    iterator erase(iterator posn) {
-        _Node* pNext = posn.getNode()->getNext();
-        _Node* pPrev = posn.getNode()->getPrev();
-        pPrev->setNext(pNext);
-        pNext->setPrev(pPrev);
-        delete posn.getNode();
-        return iterator(pNext);
-    }
-
-    /* remove a range of elements */
-    iterator erase(iterator first, iterator last) {
-        while (first != last)
-            erase(first++);     // don't erase than incr later!
-        return iterator(last);
-    }
-
-    /* remove all contents of the list */
-    void clear() {
-        _Node* pCurrent = mpMiddle->getNext();
-        _Node* pNext;
-
-        while (pCurrent != mpMiddle) {
-            pNext = pCurrent->getNext();
-            delete pCurrent;
-            pCurrent = pNext;
-        }
-        mpMiddle->setPrev(mpMiddle);
-        mpMiddle->setNext(mpMiddle);
-    }
-
-    /*
-     * Measure the distance between two iterators.  On exist, "first"
-     * will be equal to "last".  The iterators must refer to the same
-     * list.
-     *
-     * FIXME: This is actually a generic iterator function. It should be a 
-     * template function at the top-level with specializations for things like
-     * vector<>, which can just do pointer math). Here we limit it to
-     * _ListIterator of the same type but different constness.
-     */
-    template<
-        typename U,
-        template <class> class CL,
-        template <class> class CR
-    > 
-    ptrdiff_t distance(
-            _ListIterator<U, CL> first, _ListIterator<U, CR> last) const 
-    {
-        ptrdiff_t count = 0;
-        while (first != last) {
-            ++first;
-            ++count;
-        }
-        return count;
-    }
-
-private:
-    /*
-     * I want a _Node but don't need it to hold valid data.  More
-     * to the point, I don't want T's constructor to fire, since it
-     * might have side-effects or require arguments.  So, we do this
-     * slightly uncouth storage alloc.
-     */
-    void prep() {
-        mpMiddle = (_Node*) new unsigned char[sizeof(_Node)];
-        mpMiddle->setPrev(mpMiddle);
-        mpMiddle->setNext(mpMiddle);
-    }
-
-    /*
-     * This node plays the role of "pointer to head" and "pointer to tail".
-     * It sits in the middle of a circular list of nodes.  The iterator
-     * runs around the circle until it encounters this one.
-     */
-    _Node*      mpMiddle;
-};
-
-/*
- * Assignment operator.
- *
- * The simplest way to do this would be to clear out the target list and
- * fill it with the source.  However, we can speed things along by
- * re-using existing elements.
- */
-template<class T>
-List<T>& List<T>::operator=(const List<T>& right)
-{
-    if (this == &right)
-        return *this;       // self-assignment
-    iterator firstDst = begin();
-    iterator lastDst = end();
-    const_iterator firstSrc = right.begin();
-    const_iterator lastSrc = right.end();
-    while (firstSrc != lastSrc && firstDst != lastDst)
-        *firstDst++ = *firstSrc++;
-    if (firstSrc == lastSrc)        // ran out of elements in source?
-        erase(firstDst, lastDst);   // yes, erase any extras
-    else
-        insert(lastDst, firstSrc, lastSrc);     // copy remaining over
-    return *this;
-}
-
-}; // namespace android
-
-#endif // _LIBS_UTILS_LIST_H
diff --git a/media/omx-plugin/include/ics/utils/Log.h b/media/omx-plugin/include/ics/utils/Log.h
deleted file mode 100644
index 3c6cc8bdcb..0000000000
--- a/media/omx-plugin/include/ics/utils/Log.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// C/C++ logging functions.  See the logging documentation for API details.
-//
-// We'd like these to be available from C code (in case we import some from
-// somewhere), so this has a C interface.
-//
-// The output will be correct when the log file is shared between multiple
-// threads and/or multiple processes so long as the operating system
-// supports O_APPEND.  These calls have mutex-protected data structures
-// and so are NOT reentrant.  Do not use LOG in a signal handler.
-//
-#ifndef _LIBS_UTILS_LOG_H
-#define _LIBS_UTILS_LOG_H
-
-#include <cutils/log.h>
-
-#endif // _LIBS_UTILS_LOG_H
diff --git a/media/omx-plugin/include/ics/utils/RefBase.h b/media/omx-plugin/include/ics/utils/RefBase.h
deleted file mode 100644
index c7a9b78959..0000000000
--- a/media/omx-plugin/include/ics/utils/RefBase.h
+++ /dev/null
@@ -1,528 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_REF_BASE_H
-#define ANDROID_REF_BASE_H
-
-#include <cutils/atomic.h>
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <utils/StrongPointer.h>
-
-// ---------------------------------------------------------------------------
-namespace android {
-
-class TextOutput;
-TextOutput& printWeakPointer(TextOutput& to, const void* val);
-
-// ---------------------------------------------------------------------------
-
-#define COMPARE_WEAK(_op_)                                      \
-inline bool operator _op_ (const sp<T>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-inline bool operator _op_ (const T* o) const {                  \
-    return m_ptr _op_ o;                                        \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const sp<U>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const U* o) const {                  \
-    return m_ptr _op_ o;                                        \
-}
-
-// ---------------------------------------------------------------------------
-class ReferenceMover;
-class ReferenceConverterBase {
-public:
-    virtual size_t getReferenceTypeSize() const = 0;
-    virtual void* getReferenceBase(void const*) const = 0;
-    inline virtual ~ReferenceConverterBase() { }
-};
-
-// ---------------------------------------------------------------------------
-
-class RefBase
-{
-public:
-            void            incStrong(const void* id) const;
-            void            decStrong(const void* id) const;
-    
-            void            forceIncStrong(const void* id) const;
-
-            //! DEBUGGING ONLY: Get current strong ref count.
-            int32_t         getStrongCount() const;
-
-    class weakref_type
-    {
-    public:
-        RefBase*            refBase() const;
-        
-        void                incWeak(const void* id);
-        void                decWeak(const void* id);
-        
-        // acquires a strong reference if there is already one.
-        bool                attemptIncStrong(const void* id);
-        
-        // acquires a weak reference if there is already one.
-        // This is not always safe. see ProcessState.cpp and BpBinder.cpp
-        // for proper use.
-        bool                attemptIncWeak(const void* id);
-
-        //! DEBUGGING ONLY: Get current weak ref count.
-        int32_t             getWeakCount() const;
-
-        //! DEBUGGING ONLY: Print references held on object.
-        void                printRefs() const;
-
-        //! DEBUGGING ONLY: Enable tracking for this object.
-        // enable -- enable/disable tracking
-        // retain -- when tracking is enable, if true, then we save a stack trace
-        //           for each reference and dereference; when retain == false, we
-        //           match up references and dereferences and keep only the 
-        //           outstanding ones.
-        
-        void                trackMe(bool enable, bool retain);
-    };
-    
-            weakref_type*   createWeak(const void* id) const;
-            
-            weakref_type*   getWeakRefs() const;
-
-            //! DEBUGGING ONLY: Print references held on object.
-    inline  void            printRefs() const { getWeakRefs()->printRefs(); }
-
-            //! DEBUGGING ONLY: Enable tracking of object.
-    inline  void            trackMe(bool enable, bool retain)
-    { 
-        getWeakRefs()->trackMe(enable, retain); 
-    }
-
-    typedef RefBase basetype;
-
-protected:
-                            RefBase();
-    virtual                 ~RefBase();
-
-    //! Flags for extendObjectLifetime()
-    enum {
-        OBJECT_LIFETIME_STRONG  = 0x0000,
-        OBJECT_LIFETIME_WEAK    = 0x0001,
-        OBJECT_LIFETIME_MASK    = 0x0001
-    };
-    
-            void            extendObjectLifetime(int32_t mode);
-            
-    //! Flags for onIncStrongAttempted()
-    enum {
-        FIRST_INC_STRONG = 0x0001
-    };
-    
-    virtual void            onFirstRef();
-    virtual void            onLastStrongRef(const void* id);
-    virtual bool            onIncStrongAttempted(uint32_t flags, const void* id);
-    virtual void            onLastWeakRef(const void* id);
-
-private:
-    friend class ReferenceMover;
-    static void moveReferences(void* d, void const* s, size_t n,
-            const ReferenceConverterBase& caster);
-
-private:
-    friend class weakref_type;
-    class weakref_impl;
-    
-                            RefBase(const RefBase& o);
-            RefBase&        operator=(const RefBase& o);
-
-        weakref_impl* const mRefs;
-};
-
-// ---------------------------------------------------------------------------
-
-template <class T>
-class LightRefBase
-{
-public:
-    inline LightRefBase() : mCount(0) { }
-    inline void incStrong(const void* id) const {
-        android_atomic_inc(&mCount);
-    }
-    inline void decStrong(const void* id) const {
-        if (android_atomic_dec(&mCount) == 1) {
-            delete static_cast<const T*>(this);
-        }
-    }
-    //! DEBUGGING ONLY: Get current strong ref count.
-    inline int32_t getStrongCount() const {
-        return mCount;
-    }
-
-    typedef LightRefBase<T> basetype;
-
-protected:
-    inline ~LightRefBase() { }
-
-private:
-    friend class ReferenceMover;
-    inline static void moveReferences(void* d, void const* s, size_t n,
-            const ReferenceConverterBase& caster) { }
-
-private:
-    mutable volatile int32_t mCount;
-};
-
-// ---------------------------------------------------------------------------
-
-template <typename T>
-class wp
-{
-public:
-    typedef typename RefBase::weakref_type weakref_type;
-    
-    inline wp() : m_ptr(0) { }
-
-    wp(T* other);
-    wp(const wp<T>& other);
-    wp(const sp<T>& other);
-    template<typename U> wp(U* other);
-    template<typename U> wp(const sp<U>& other);
-    template<typename U> wp(const wp<U>& other);
-
-    ~wp();
-    
-    // Assignment
-
-    wp& operator = (T* other);
-    wp& operator = (const wp<T>& other);
-    wp& operator = (const sp<T>& other);
-    
-    template<typename U> wp& operator = (U* other);
-    template<typename U> wp& operator = (const wp<U>& other);
-    template<typename U> wp& operator = (const sp<U>& other);
-    
-    void set_object_and_refs(T* other, weakref_type* refs);
-
-    // promotion to sp
-    
-    sp<T> promote() const;
-
-    // Reset
-    
-    void clear();
-
-    // Accessors
-    
-    inline  weakref_type* get_refs() const { return m_refs; }
-    
-    inline  T* unsafe_get() const { return m_ptr; }
-
-    // Operators
-
-    COMPARE_WEAK(==)
-    COMPARE_WEAK(!=)
-    COMPARE_WEAK(>)
-    COMPARE_WEAK(<)
-    COMPARE_WEAK(<=)
-    COMPARE_WEAK(>=)
-
-    inline bool operator == (const wp<T>& o) const {
-        return (m_ptr == o.m_ptr) && (m_refs == o.m_refs);
-    }
-    template<typename U>
-    inline bool operator == (const wp<U>& o) const {
-        return m_ptr == o.m_ptr;
-    }
-
-    inline bool operator > (const wp<T>& o) const {
-        return (m_ptr == o.m_ptr) ? (m_refs > o.m_refs) : (m_ptr > o.m_ptr);
-    }
-    template<typename U>
-    inline bool operator > (const wp<U>& o) const {
-        return (m_ptr == o.m_ptr) ? (m_refs > o.m_refs) : (m_ptr > o.m_ptr);
-    }
-
-    inline bool operator < (const wp<T>& o) const {
-        return (m_ptr == o.m_ptr) ? (m_refs < o.m_refs) : (m_ptr < o.m_ptr);
-    }
-    template<typename U>
-    inline bool operator < (const wp<U>& o) const {
-        return (m_ptr == o.m_ptr) ? (m_refs < o.m_refs) : (m_ptr < o.m_ptr);
-    }
-                         inline bool operator != (const wp<T>& o) const { return m_refs != o.m_refs; }
-    template<typename U> inline bool operator != (const wp<U>& o) const { return !operator == (o); }
-                         inline bool operator <= (const wp<T>& o) const { return !operator > (o); }
-    template<typename U> inline bool operator <= (const wp<U>& o) const { return !operator > (o); }
-                         inline bool operator >= (const wp<T>& o) const { return !operator < (o); }
-    template<typename U> inline bool operator >= (const wp<U>& o) const { return !operator < (o); }
-
-private:
-    template<typename Y> friend class sp;
-    template<typename Y> friend class wp;
-
-    T*              m_ptr;
-    weakref_type*   m_refs;
-};
-
-template <typename T>
-TextOutput& operator<<(TextOutput& to, const wp<T>& val);
-
-#undef COMPARE_WEAK
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts below here.
-
-template<typename T>
-wp<T>::wp(T* other)
-    : m_ptr(other)
-{
-    if (other) m_refs = other->createWeak(this);
-}
-
-template<typename T>
-wp<T>::wp(const wp<T>& other)
-    : m_ptr(other.m_ptr), m_refs(other.m_refs)
-{
-    if (m_ptr) m_refs->incWeak(this);
-}
-
-template<typename T>
-wp<T>::wp(const sp<T>& other)
-    : m_ptr(other.m_ptr)
-{
-    if (m_ptr) {
-        m_refs = m_ptr->createWeak(this);
-    }
-}
-
-template<typename T> template<typename U>
-wp<T>::wp(U* other)
-    : m_ptr(other)
-{
-    if (other) m_refs = other->createWeak(this);
-}
-
-template<typename T> template<typename U>
-wp<T>::wp(const wp<U>& other)
-    : m_ptr(other.m_ptr)
-{
-    if (m_ptr) {
-        m_refs = other.m_refs;
-        m_refs->incWeak(this);
-    }
-}
-
-template<typename T> template<typename U>
-wp<T>::wp(const sp<U>& other)
-    : m_ptr(other.m_ptr)
-{
-    if (m_ptr) {
-        m_refs = m_ptr->createWeak(this);
-    }
-}
-
-template<typename T>
-wp<T>::~wp()
-{
-    if (m_ptr) m_refs->decWeak(this);
-}
-
-template<typename T>
-wp<T>& wp<T>::operator = (T* other)
-{
-    weakref_type* newRefs =
-        other ? other->createWeak(this) : 0;
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = other;
-    m_refs = newRefs;
-    return *this;
-}
-
-template<typename T>
-wp<T>& wp<T>::operator = (const wp<T>& other)
-{
-    weakref_type* otherRefs(other.m_refs);
-    T* otherPtr(other.m_ptr);
-    if (otherPtr) otherRefs->incWeak(this);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = otherPtr;
-    m_refs = otherRefs;
-    return *this;
-}
-
-template<typename T>
-wp<T>& wp<T>::operator = (const sp<T>& other)
-{
-    weakref_type* newRefs =
-        other != NULL ? other->createWeak(this) : 0;
-    T* otherPtr(other.m_ptr);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = otherPtr;
-    m_refs = newRefs;
-    return *this;
-}
-
-template<typename T> template<typename U>
-wp<T>& wp<T>::operator = (U* other)
-{
-    weakref_type* newRefs =
-        other ? other->createWeak(this) : 0;
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = other;
-    m_refs = newRefs;
-    return *this;
-}
-
-template<typename T> template<typename U>
-wp<T>& wp<T>::operator = (const wp<U>& other)
-{
-    weakref_type* otherRefs(other.m_refs);
-    U* otherPtr(other.m_ptr);
-    if (otherPtr) otherRefs->incWeak(this);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = otherPtr;
-    m_refs = otherRefs;
-    return *this;
-}
-
-template<typename T> template<typename U>
-wp<T>& wp<T>::operator = (const sp<U>& other)
-{
-    weakref_type* newRefs =
-        other != NULL ? other->createWeak(this) : 0;
-    U* otherPtr(other.m_ptr);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = otherPtr;
-    m_refs = newRefs;
-    return *this;
-}
-
-template<typename T>
-void wp<T>::set_object_and_refs(T* other, weakref_type* refs)
-{
-    if (other) refs->incWeak(this);
-    if (m_ptr) m_refs->decWeak(this);
-    m_ptr = other;
-    m_refs = refs;
-}
-
-template<typename T>
-sp<T> wp<T>::promote() const
-{
-    sp<T> result;
-    if (m_ptr && m_refs->attemptIncStrong(&result)) {
-        result.set_pointer(m_ptr);
-    }
-    return result;
-}
-
-template<typename T>
-void wp<T>::clear()
-{
-    if (m_ptr) {
-        m_refs->decWeak(this);
-        m_ptr = 0;
-    }
-}
-
-template <typename T>
-inline TextOutput& operator<<(TextOutput& to, const wp<T>& val)
-{
-    return printWeakPointer(to, val.unsafe_get());
-}
-
-// ---------------------------------------------------------------------------
-
-// this class just serves as a namespace so TYPE::moveReferences can stay
-// private.
-
-class ReferenceMover {
-    // StrongReferenceCast and WeakReferenceCast do the impedance matching
-    // between the generic (void*) implementation in Refbase and the strongly typed
-    // template specializations below.
-
-    template <typename TYPE>
-    struct StrongReferenceCast : public ReferenceConverterBase {
-        virtual size_t getReferenceTypeSize() const { return sizeof( sp<TYPE> ); }
-        virtual void* getReferenceBase(void const* p) const {
-            sp<TYPE> const* sptr(reinterpret_cast<sp<TYPE> const*>(p));
-            return static_cast<typename TYPE::basetype *>(sptr->get());
-        }
-    };
-
-    template <typename TYPE>
-    struct WeakReferenceCast : public ReferenceConverterBase {
-        virtual size_t getReferenceTypeSize() const { return sizeof( wp<TYPE> ); }
-        virtual void* getReferenceBase(void const* p) const {
-            wp<TYPE> const* sptr(reinterpret_cast<wp<TYPE> const*>(p));
-            return static_cast<typename TYPE::basetype *>(sptr->unsafe_get());
-        }
-    };
-
-public:
-    template<typename TYPE> static inline
-    void move_references(sp<TYPE>* d, sp<TYPE> const* s, size_t n) {
-        memmove(d, s, n*sizeof(sp<TYPE>));
-        StrongReferenceCast<TYPE> caster;
-        TYPE::moveReferences(d, s, n, caster);
-    }
-    template<typename TYPE> static inline
-    void move_references(wp<TYPE>* d, wp<TYPE> const* s, size_t n) {
-        memmove(d, s, n*sizeof(wp<TYPE>));
-        WeakReferenceCast<TYPE> caster;
-        TYPE::moveReferences(d, s, n, caster);
-    }
-};
-
-// specialization for moving sp<> and wp<> types.
-// these are used by the [Sorted|Keyed]Vector<> implementations
-// sp<> and wp<> need to be handled specially, because they do not
-// have trivial copy operation in the general case (see RefBase.cpp
-// when DEBUG ops are enabled), but can be implemented very
-// efficiently in most cases.
-
-template<typename TYPE> inline
-void move_forward_type(sp<TYPE>* d, sp<TYPE> const* s, size_t n) {
-    ReferenceMover::move_references(d, s, n);
-}
-
-template<typename TYPE> inline
-void move_backward_type(sp<TYPE>* d, sp<TYPE> const* s, size_t n) {
-    ReferenceMover::move_references(d, s, n);
-}
-
-template<typename TYPE> inline
-void move_forward_type(wp<TYPE>* d, wp<TYPE> const* s, size_t n) {
-    ReferenceMover::move_references(d, s, n);
-}
-
-template<typename TYPE> inline
-void move_backward_type(wp<TYPE>* d, wp<TYPE> const* s, size_t n) {
-    ReferenceMover::move_references(d, s, n);
-}
-
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_REF_BASE_H
diff --git a/media/omx-plugin/include/ics/utils/SharedBuffer.h b/media/omx-plugin/include/ics/utils/SharedBuffer.h
deleted file mode 100644
index 24508b0f76..0000000000
--- a/media/omx-plugin/include/ics/utils/SharedBuffer.h
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_SHARED_BUFFER_H
-#define ANDROID_SHARED_BUFFER_H
-
-#include <stdint.h>
-#include <sys/types.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-class SharedBuffer
-{
-public:
-
-    /* flags to use with release() */
-    enum {
-        eKeepStorage = 0x00000001
-    };
-
-    /*! allocate a buffer of size 'size' and acquire() it.
-     *  call release() to free it.
-     */
-    static          SharedBuffer*           alloc(size_t size);
-    
-    /*! free the memory associated with the SharedBuffer.
-     * Fails if there are any users associated with this SharedBuffer.
-     * In other words, the buffer must have been release by all its
-     * users.
-     */
-    static          ssize_t                 dealloc(const SharedBuffer* released);
-    
-    //! get the SharedBuffer from the data pointer
-    static  inline  const SharedBuffer*     sharedBuffer(const void* data);
-
-    //! access the data for read
-    inline          const void*             data() const;
-    
-    //! access the data for read/write
-    inline          void*                   data();
-
-    //! get size of the buffer
-    inline          size_t                  size() const;
- 
-    //! get back a SharedBuffer object from its data
-    static  inline  SharedBuffer*           bufferFromData(void* data);
-    
-    //! get back a SharedBuffer object from its data
-    static  inline  const SharedBuffer*     bufferFromData(const void* data);
-
-    //! get the size of a SharedBuffer object from its data
-    static  inline  size_t                  sizeFromData(const void* data);
-    
-    //! edit the buffer (get a writtable, or non-const, version of it)
-                    SharedBuffer*           edit() const;
-
-    //! edit the buffer, resizing if needed
-                    SharedBuffer*           editResize(size_t size) const;
-
-    //! like edit() but fails if a copy is required
-                    SharedBuffer*           attemptEdit() const;
-    
-    //! resize and edit the buffer, loose it's content.
-                    SharedBuffer*           reset(size_t size) const;
-
-    //! acquire/release a reference on this buffer
-                    void                    acquire() const;
-                    
-    /*! release a reference on this buffer, with the option of not
-     * freeing the memory associated with it if it was the last reference
-     * returns the previous reference count
-     */     
-                    int32_t                 release(uint32_t flags = 0) const;
-    
-    //! returns wether or not we're the only owner
-    inline          bool                    onlyOwner() const;
-    
-
-private:
-        inline SharedBuffer() { }
-        inline ~SharedBuffer() { }
-        inline SharedBuffer(const SharedBuffer&);
- 
-        // 16 bytes. must be sized to preserve correct alingment.
-        mutable int32_t        mRefs;
-                size_t         mSize;
-                uint32_t       mReserved[2];
-};
-
-// ---------------------------------------------------------------------------
-
-const SharedBuffer* SharedBuffer::sharedBuffer(const void* data) {
-    return data ? reinterpret_cast<const SharedBuffer *>(data)-1 : 0;
-}
-
-const void* SharedBuffer::data() const {
-    return this + 1;
-}
-
-void* SharedBuffer::data() {
-    return this + 1;
-}
-
-size_t SharedBuffer::size() const {
-    return mSize;
-}
-
-SharedBuffer* SharedBuffer::bufferFromData(void* data)
-{
-    return ((SharedBuffer*)data)-1;
-}
-    
-const SharedBuffer* SharedBuffer::bufferFromData(const void* data)
-{
-    return ((const SharedBuffer*)data)-1;
-}
-
-size_t SharedBuffer::sizeFromData(const void* data)
-{
-    return (((const SharedBuffer*)data)-1)->mSize;
-}
-
-bool SharedBuffer::onlyOwner() const {
-    return (mRefs == 1);
-}
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_VECTOR_H
diff --git a/media/omx-plugin/include/ics/utils/SortedVector.h b/media/omx-plugin/include/ics/utils/SortedVector.h
deleted file mode 100644
index 0e98aeb05f..0000000000
--- a/media/omx-plugin/include/ics/utils/SortedVector.h
+++ /dev/null
@@ -1,283 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_SORTED_VECTOR_H
-#define ANDROID_SORTED_VECTOR_H
-
-#include <assert.h>
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <utils/Vector.h>
-#include <utils/VectorImpl.h>
-#include <utils/TypeHelpers.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-template <class TYPE>
-class SortedVector : private SortedVectorImpl
-{
-    friend class Vector<TYPE>;
-
-public:
-            typedef TYPE    value_type;
-    
-    /*! 
-     * Constructors and destructors
-     */
-    
-                            SortedVector();
-                            SortedVector(const SortedVector<TYPE>& rhs);
-    virtual                 ~SortedVector();
-
-    /*! copy operator */
-    const SortedVector<TYPE>&   operator = (const SortedVector<TYPE>& rhs) const;    
-    SortedVector<TYPE>&         operator = (const SortedVector<TYPE>& rhs);    
-
-    /*
-     * empty the vector
-     */
-
-    inline  void            clear()             { VectorImpl::clear(); }
-
-    /*! 
-     * vector stats
-     */
-
-    //! returns number of items in the vector
-    inline  size_t          size() const                { return VectorImpl::size(); }
-    //! returns wether or not the vector is empty
-    inline  bool            isEmpty() const             { return VectorImpl::isEmpty(); }
-    //! returns how many items can be stored without reallocating the backing store
-    inline  size_t          capacity() const            { return VectorImpl::capacity(); }
-    //! setst the capacity. capacity can never be reduced less than size()
-    inline  ssize_t         setCapacity(size_t size)    { return VectorImpl::setCapacity(size); }
-
-    /*! 
-     * C-style array access
-     */
-     
-    //! read-only C-style access 
-    inline  const TYPE*     array() const;
-
-    //! read-write C-style access. BE VERY CAREFUL when modifying the array
-    //! you ust keep it sorted! You usually don't use this function.
-            TYPE*           editArray();
-
-            //! finds the index of an item
-            ssize_t         indexOf(const TYPE& item) const;
-            
-            //! finds where this item should be inserted
-            size_t          orderOf(const TYPE& item) const;
-            
-    
-    /*! 
-     * accessors
-     */
-
-    //! read-only access to an item at a given index
-    inline  const TYPE&     operator [] (size_t index) const;
-    //! alternate name for operator []
-    inline  const TYPE&     itemAt(size_t index) const;
-    //! stack-usage of the vector. returns the top of the stack (last element)
-            const TYPE&     top() const;
-    //! same as operator [], but allows to access the vector backward (from the end) with a negative index
-            const TYPE&     mirrorItemAt(ssize_t index) const;
-
-    /*!
-     * modifing the array
-     */
-
-            //! add an item in the right place (and replace the one that is there)
-            ssize_t         add(const TYPE& item);
-            
-            //! editItemAt() MUST NOT change the order of this item
-            TYPE&           editItemAt(size_t index) {
-                return *( static_cast<TYPE *>(VectorImpl::editItemLocation(index)) );
-            }
-
-            //! merges a vector into this one
-            ssize_t         merge(const Vector<TYPE>& vector);
-            ssize_t         merge(const SortedVector<TYPE>& vector);
-            
-            //! removes an item
-            ssize_t         remove(const TYPE&);
-
-    //! remove several items
-    inline  ssize_t         removeItemsAt(size_t index, size_t count = 1);
-    //! remove one item
-    inline  ssize_t         removeAt(size_t index)  { return removeItemsAt(index); }
-            
-protected:
-    virtual void    do_construct(void* storage, size_t num) const;
-    virtual void    do_destroy(void* storage, size_t num) const;
-    virtual void    do_copy(void* dest, const void* from, size_t num) const;
-    virtual void    do_splat(void* dest, const void* item, size_t num) const;
-    virtual void    do_move_forward(void* dest, const void* from, size_t num) const;
-    virtual void    do_move_backward(void* dest, const void* from, size_t num) const;
-    virtual int     do_compare(const void* lhs, const void* rhs) const;
-};
-
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts from here...
-// ---------------------------------------------------------------------------
-
-template<class TYPE> inline
-SortedVector<TYPE>::SortedVector()
-    : SortedVectorImpl(sizeof(TYPE),
-                ((traits<TYPE>::has_trivial_ctor   ? HAS_TRIVIAL_CTOR   : 0)
-                |(traits<TYPE>::has_trivial_dtor   ? HAS_TRIVIAL_DTOR   : 0)
-                |(traits<TYPE>::has_trivial_copy   ? HAS_TRIVIAL_COPY   : 0))
-                )
-{
-}
-
-template<class TYPE> inline
-SortedVector<TYPE>::SortedVector(const SortedVector<TYPE>& rhs)
-    : SortedVectorImpl(rhs) {
-}
-
-template<class TYPE> inline
-SortedVector<TYPE>::~SortedVector() {
-    finish_vector();
-}
-
-template<class TYPE> inline
-SortedVector<TYPE>& SortedVector<TYPE>::operator = (const SortedVector<TYPE>& rhs) {
-    SortedVectorImpl::operator = (rhs);
-    return *this; 
-}
-
-template<class TYPE> inline
-const SortedVector<TYPE>& SortedVector<TYPE>::operator = (const SortedVector<TYPE>& rhs) const {
-    SortedVectorImpl::operator = (rhs);
-    return *this; 
-}
-
-template<class TYPE> inline
-const TYPE* SortedVector<TYPE>::array() const {
-    return static_cast<const TYPE *>(arrayImpl());
-}
-
-template<class TYPE> inline
-TYPE* SortedVector<TYPE>::editArray() {
-    return static_cast<TYPE *>(editArrayImpl());
-}
-
-
-template<class TYPE> inline
-const TYPE& SortedVector<TYPE>::operator[](size_t index) const {
-    assert( index<size() );
-    return *(array() + index);
-}
-
-template<class TYPE> inline
-const TYPE& SortedVector<TYPE>::itemAt(size_t index) const {
-    return operator[](index);
-}
-
-template<class TYPE> inline
-const TYPE& SortedVector<TYPE>::mirrorItemAt(ssize_t index) const {
-    assert( (index>0 ? index : -index)<size() );
-    return *(array() + ((index<0) ? (size()-index) : index));
-}
-
-template<class TYPE> inline
-const TYPE& SortedVector<TYPE>::top() const {
-    return *(array() + size() - 1);
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::add(const TYPE& item) {
-    return SortedVectorImpl::add(&item);
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::indexOf(const TYPE& item) const {
-    return SortedVectorImpl::indexOf(&item);
-}
-
-template<class TYPE> inline
-size_t SortedVector<TYPE>::orderOf(const TYPE& item) const {
-    return SortedVectorImpl::orderOf(&item);
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::merge(const Vector<TYPE>& vector) {
-    return SortedVectorImpl::merge(reinterpret_cast<const VectorImpl&>(vector));
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::merge(const SortedVector<TYPE>& vector) {
-    return SortedVectorImpl::merge(reinterpret_cast<const SortedVectorImpl&>(vector));
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::remove(const TYPE& item) {
-    return SortedVectorImpl::remove(&item);
-}
-
-template<class TYPE> inline
-ssize_t SortedVector<TYPE>::removeItemsAt(size_t index, size_t count) {
-    return VectorImpl::removeItemsAt(index, count);
-}
-
-// ---------------------------------------------------------------------------
-
-template<class TYPE>
-void SortedVector<TYPE>::do_construct(void* storage, size_t num) const {
-    construct_type( reinterpret_cast<TYPE*>(storage), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_destroy(void* storage, size_t num) const {
-    destroy_type( reinterpret_cast<TYPE*>(storage), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_copy(void* dest, const void* from, size_t num) const {
-    copy_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_splat(void* dest, const void* item, size_t num) const {
-    splat_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(item), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_move_forward(void* dest, const void* from, size_t num) const {
-    move_forward_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-void SortedVector<TYPE>::do_move_backward(void* dest, const void* from, size_t num) const {
-    move_backward_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-int SortedVector<TYPE>::do_compare(const void* lhs, const void* rhs) const {
-    return compare_type( *reinterpret_cast<const TYPE*>(lhs), *reinterpret_cast<const TYPE*>(rhs) );
-}
-
-}; // namespace android
-
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_SORTED_VECTOR_H
diff --git a/media/omx-plugin/include/ics/utils/String16.h b/media/omx-plugin/include/ics/utils/String16.h
deleted file mode 100644
index 360f407c36..0000000000
--- a/media/omx-plugin/include/ics/utils/String16.h
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_STRING16_H
-#define ANDROID_STRING16_H
-
-#include <utils/Errors.h>
-#include <utils/SharedBuffer.h>
-#include <utils/Unicode.h>
-
-// ---------------------------------------------------------------------------
-
-extern "C" {
-
-}
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-// ---------------------------------------------------------------------------
-
-class String8;
-class TextOutput;
-
-//! This is a string holding UTF-16 characters.
-class String16
-{
-public:
-                                String16();
-                                String16(const String16& o);
-                                String16(const String16& o,
-                                         size_t len,
-                                         size_t begin=0);
-    explicit                    String16(const char16_t* o);
-    explicit                    String16(const char16_t* o, size_t len);
-    explicit                    String16(const String8& o);
-    explicit                    String16(const char* o);
-    explicit                    String16(const char* o, size_t len);
-
-                                ~String16();
-    
-    inline  const char16_t*     string() const;
-    inline  size_t              size() const;
-    
-    inline  const SharedBuffer* sharedBuffer() const;
-    
-            void                setTo(const String16& other);
-            status_t            setTo(const char16_t* other);
-            status_t            setTo(const char16_t* other, size_t len);
-            status_t            setTo(const String16& other,
-                                      size_t len,
-                                      size_t begin=0);
-    
-            status_t            append(const String16& other);
-            status_t            append(const char16_t* other, size_t len);
-            
-    inline  String16&           operator=(const String16& other);
-    
-    inline  String16&           operator+=(const String16& other);
-    inline  String16            operator+(const String16& other) const;
-
-            status_t            insert(size_t pos, const char16_t* chrs);
-            status_t            insert(size_t pos,
-                                       const char16_t* chrs, size_t len);
-
-            ssize_t             findFirst(char16_t c) const;
-            ssize_t             findLast(char16_t c) const;
-
-            bool                startsWith(const String16& prefix) const;
-            bool                startsWith(const char16_t* prefix) const;
-            
-            status_t            makeLower();
-
-            status_t            replaceAll(char16_t replaceThis,
-                                           char16_t withThis);
-
-            status_t            remove(size_t len, size_t begin=0);
-
-    inline  int                 compare(const String16& other) const;
-
-    inline  bool                operator<(const String16& other) const;
-    inline  bool                operator<=(const String16& other) const;
-    inline  bool                operator==(const String16& other) const;
-    inline  bool                operator!=(const String16& other) const;
-    inline  bool                operator>=(const String16& other) const;
-    inline  bool                operator>(const String16& other) const;
-    
-    inline  bool                operator<(const char16_t* other) const;
-    inline  bool                operator<=(const char16_t* other) const;
-    inline  bool                operator==(const char16_t* other) const;
-    inline  bool                operator!=(const char16_t* other) const;
-    inline  bool                operator>=(const char16_t* other) const;
-    inline  bool                operator>(const char16_t* other) const;
-    
-    inline                      operator const char16_t*() const;
-    
-private:
-            const char16_t*     mString;
-};
-
-TextOutput& operator<<(TextOutput& to, const String16& val);
-
-// ---------------------------------------------------------------------------
-// No user servicable parts below.
-
-inline int compare_type(const String16& lhs, const String16& rhs)
-{
-    return lhs.compare(rhs);
-}
-
-inline int strictly_order_type(const String16& lhs, const String16& rhs)
-{
-    return compare_type(lhs, rhs) < 0;
-}
-
-inline const char16_t* String16::string() const
-{
-    return mString;
-}
-
-inline size_t String16::size() const
-{
-    return SharedBuffer::sizeFromData(mString)/sizeof(char16_t)-1;
-}
-
-inline const SharedBuffer* String16::sharedBuffer() const
-{
-    return SharedBuffer::bufferFromData(mString);
-}
-
-inline String16& String16::operator=(const String16& other)
-{
-    setTo(other);
-    return *this;
-}
-
-inline String16& String16::operator+=(const String16& other)
-{
-    append(other);
-    return *this;
-}
-
-inline String16 String16::operator+(const String16& other) const
-{
-    String16 tmp(*this);
-    tmp += other;
-    return tmp;
-}
-
-inline int String16::compare(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size());
-}
-
-inline bool String16::operator<(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) < 0;
-}
-
-inline bool String16::operator<=(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) <= 0;
-}
-
-inline bool String16::operator==(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) == 0;
-}
-
-inline bool String16::operator!=(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) != 0;
-}
-
-inline bool String16::operator>=(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) >= 0;
-}
-
-inline bool String16::operator>(const String16& other) const
-{
-    return strzcmp16(mString, size(), other.mString, other.size()) > 0;
-}
-
-inline bool String16::operator<(const char16_t* other) const
-{
-    return strcmp16(mString, other) < 0;
-}
-
-inline bool String16::operator<=(const char16_t* other) const
-{
-    return strcmp16(mString, other) <= 0;
-}
-
-inline bool String16::operator==(const char16_t* other) const
-{
-    return strcmp16(mString, other) == 0;
-}
-
-inline bool String16::operator!=(const char16_t* other) const
-{
-    return strcmp16(mString, other) != 0;
-}
-
-inline bool String16::operator>=(const char16_t* other) const
-{
-    return strcmp16(mString, other) >= 0;
-}
-
-inline bool String16::operator>(const char16_t* other) const
-{
-    return strcmp16(mString, other) > 0;
-}
-
-inline String16::operator const char16_t*() const
-{
-    return mString;
-}
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_STRING16_H
diff --git a/media/omx-plugin/include/ics/utils/String8.h b/media/omx-plugin/include/ics/utils/String8.h
deleted file mode 100644
index 4163697d2d..0000000000
--- a/media/omx-plugin/include/ics/utils/String8.h
+++ /dev/null
@@ -1,383 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_STRING8_H
-#define ANDROID_STRING8_H
-
-#include <utils/Errors.h>
-#include <utils/SharedBuffer.h>
-#include <utils/Unicode.h>
-
-#include <string.h> // for strcmp
-#include <stdarg.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-class String16;
-class TextOutput;
-
-//! This is a string holding UTF-8 characters. Does not allow the value more
-// than 0x10FFFF, which is not valid unicode codepoint.
-class String8
-{
-public:
-                                String8();
-                                String8(const String8& o);
-    explicit                    String8(const char* o);
-    explicit                    String8(const char* o, size_t numChars);
-    
-    explicit                    String8(const String16& o);
-    explicit                    String8(const char16_t* o);
-    explicit                    String8(const char16_t* o, size_t numChars);
-    explicit                    String8(const char32_t* o);
-    explicit                    String8(const char32_t* o, size_t numChars);
-                                ~String8();
-
-    static inline const String8 empty();
-
-    static String8              format(const char* fmt, ...) __attribute__((format (printf, 1, 2)));
-    static String8              formatV(const char* fmt, va_list args);
-
-    inline  const char*         string() const;
-    inline  size_t              size() const;
-    inline  size_t              length() const;
-    inline  size_t              bytes() const;
-    inline  bool                isEmpty() const;
-    
-    inline  const SharedBuffer* sharedBuffer() const;
-    
-            void                clear();
-
-            void                setTo(const String8& other);
-            status_t            setTo(const char* other);
-            status_t            setTo(const char* other, size_t numChars);
-            status_t            setTo(const char16_t* other, size_t numChars);
-            status_t            setTo(const char32_t* other,
-                                      size_t length);
-
-            status_t            append(const String8& other);
-            status_t            append(const char* other);
-            status_t            append(const char* other, size_t numChars);
-
-            status_t            appendFormat(const char* fmt, ...)
-                    __attribute__((format (printf, 2, 3)));
-            status_t            appendFormatV(const char* fmt, va_list args);
-
-            // Note that this function takes O(N) time to calculate the value.
-            // No cache value is stored.
-            size_t              getUtf32Length() const;
-            int32_t             getUtf32At(size_t index,
-                                           size_t *next_index) const;
-            void                getUtf32(char32_t* dst) const;
-
-    inline  String8&            operator=(const String8& other);
-    inline  String8&            operator=(const char* other);
-    
-    inline  String8&            operator+=(const String8& other);
-    inline  String8             operator+(const String8& other) const;
-    
-    inline  String8&            operator+=(const char* other);
-    inline  String8             operator+(const char* other) const;
-
-    inline  int                 compare(const String8& other) const;
-
-    inline  bool                operator<(const String8& other) const;
-    inline  bool                operator<=(const String8& other) const;
-    inline  bool                operator==(const String8& other) const;
-    inline  bool                operator!=(const String8& other) const;
-    inline  bool                operator>=(const String8& other) const;
-    inline  bool                operator>(const String8& other) const;
-    
-    inline  bool                operator<(const char* other) const;
-    inline  bool                operator<=(const char* other) const;
-    inline  bool                operator==(const char* other) const;
-    inline  bool                operator!=(const char* other) const;
-    inline  bool                operator>=(const char* other) const;
-    inline  bool                operator>(const char* other) const;
-    
-    inline                      operator const char*() const;
-    
-            char*               lockBuffer(size_t size);
-            void                unlockBuffer();
-            status_t            unlockBuffer(size_t size);
-            
-            // return the index of the first byte of other in this at or after
-            // start, or -1 if not found
-            ssize_t             find(const char* other, size_t start = 0) const;
-
-            void                toLower();
-            void                toLower(size_t start, size_t numChars);
-            void                toUpper();
-            void                toUpper(size_t start, size_t numChars);
-
-    /*
-     * These methods operate on the string as if it were a path name.
-     */
-
-    /*
-     * Set the filename field to a specific value.
-     *
-     * Normalizes the filename, removing a trailing '/' if present.
-     */
-    void setPathName(const char* name);
-    void setPathName(const char* name, size_t numChars);
-
-    /*
-     * Get just the filename component.
-     *
-     * "/tmp/foo/bar.c" --> "bar.c"
-     */
-    String8 getPathLeaf(void) const;
-
-    /*
-     * Remove the last (file name) component, leaving just the directory
-     * name.
-     *
-     * "/tmp/foo/bar.c" --> "/tmp/foo"
-     * "/tmp" --> "" // ????? shouldn't this be "/" ???? XXX
-     * "bar.c" --> ""
-     */
-    String8 getPathDir(void) const;
-
-    /*
-     * Retrieve the front (root dir) component.  Optionally also return the
-     * remaining components.
-     *
-     * "/tmp/foo/bar.c" --> "tmp" (remain = "foo/bar.c")
-     * "/tmp" --> "tmp" (remain = "")
-     * "bar.c" --> "bar.c" (remain = "")
-     */
-    String8 walkPath(String8* outRemains = NULL) const;
-
-    /*
-     * Return the filename extension.  This is the last '.' and any number
-     * of characters that follow it.  The '.' is included in case we
-     * decide to expand our definition of what constitutes an extension.
-     *
-     * "/tmp/foo/bar.c" --> ".c"
-     * "/tmp" --> ""
-     * "/tmp/foo.bar/baz" --> ""
-     * "foo.jpeg" --> ".jpeg"
-     * "foo." --> ""
-     */
-    String8 getPathExtension(void) const;
-
-    /*
-     * Return the path without the extension.  Rules for what constitutes
-     * an extension are described in the comment for getPathExtension().
-     *
-     * "/tmp/foo/bar.c" --> "/tmp/foo/bar"
-     */
-    String8 getBasePath(void) const;
-
-    /*
-     * Add a component to the pathname.  We guarantee that there is
-     * exactly one path separator between the old path and the new.
-     * If there is no existing name, we just copy the new name in.
-     *
-     * If leaf is a fully qualified path (i.e. starts with '/', it
-     * replaces whatever was there before.
-     */
-    String8& appendPath(const char* leaf);
-    String8& appendPath(const String8& leaf)  { return appendPath(leaf.string()); }
-
-    /*
-     * Like appendPath(), but does not affect this string.  Returns a new one instead.
-     */
-    String8 appendPathCopy(const char* leaf) const
-                                             { String8 p(*this); p.appendPath(leaf); return p; }
-    String8 appendPathCopy(const String8& leaf) const { return appendPathCopy(leaf.string()); }
-
-    /*
-     * Converts all separators in this string to /, the default path separator.
-     *
-     * If the default OS separator is backslash, this converts all
-     * backslashes to slashes, in-place. Otherwise it does nothing.
-     * Returns self.
-     */
-    String8& convertToResPath();
-
-private:
-            status_t            real_append(const char* other, size_t numChars);
-            char*               find_extension(void) const;
-
-            const char* mString;
-};
-
-TextOutput& operator<<(TextOutput& to, const String16& val);
-
-// ---------------------------------------------------------------------------
-// No user servicable parts below.
-
-inline int compare_type(const String8& lhs, const String8& rhs)
-{
-    return lhs.compare(rhs);
-}
-
-inline int strictly_order_type(const String8& lhs, const String8& rhs)
-{
-    return compare_type(lhs, rhs) < 0;
-}
-
-inline const String8 String8::empty() {
-    return String8();
-}
-
-inline const char* String8::string() const
-{
-    return mString;
-}
-
-inline size_t String8::length() const
-{
-    return SharedBuffer::sizeFromData(mString)-1;
-}
-
-inline size_t String8::size() const
-{
-    return length();
-}
-
-inline bool String8::isEmpty() const
-{
-    return length() == 0;
-}
-
-inline size_t String8::bytes() const
-{
-    return SharedBuffer::sizeFromData(mString)-1;
-}
-
-inline const SharedBuffer* String8::sharedBuffer() const
-{
-    return SharedBuffer::bufferFromData(mString);
-}
-
-inline String8& String8::operator=(const String8& other)
-{
-    setTo(other);
-    return *this;
-}
-
-inline String8& String8::operator=(const char* other)
-{
-    setTo(other);
-    return *this;
-}
-
-inline String8& String8::operator+=(const String8& other)
-{
-    append(other);
-    return *this;
-}
-
-inline String8 String8::operator+(const String8& other) const
-{
-    String8 tmp(*this);
-    tmp += other;
-    return tmp;
-}
-
-inline String8& String8::operator+=(const char* other)
-{
-    append(other);
-    return *this;
-}
-
-inline String8 String8::operator+(const char* other) const
-{
-    String8 tmp(*this);
-    tmp += other;
-    return tmp;
-}
-
-inline int String8::compare(const String8& other) const
-{
-    return strcmp(mString, other.mString);
-}
-
-inline bool String8::operator<(const String8& other) const
-{
-    return strcmp(mString, other.mString) < 0;
-}
-
-inline bool String8::operator<=(const String8& other) const
-{
-    return strcmp(mString, other.mString) <= 0;
-}
-
-inline bool String8::operator==(const String8& other) const
-{
-    return strcmp(mString, other.mString) == 0;
-}
-
-inline bool String8::operator!=(const String8& other) const
-{
-    return strcmp(mString, other.mString) != 0;
-}
-
-inline bool String8::operator>=(const String8& other) const
-{
-    return strcmp(mString, other.mString) >= 0;
-}
-
-inline bool String8::operator>(const String8& other) const
-{
-    return strcmp(mString, other.mString) > 0;
-}
-
-inline bool String8::operator<(const char* other) const
-{
-    return strcmp(mString, other) < 0;
-}
-
-inline bool String8::operator<=(const char* other) const
-{
-    return strcmp(mString, other) <= 0;
-}
-
-inline bool String8::operator==(const char* other) const
-{
-    return strcmp(mString, other) == 0;
-}
-
-inline bool String8::operator!=(const char* other) const
-{
-    return strcmp(mString, other) != 0;
-}
-
-inline bool String8::operator>=(const char* other) const
-{
-    return strcmp(mString, other) >= 0;
-}
-
-inline bool String8::operator>(const char* other) const
-{
-    return strcmp(mString, other) > 0;
-}
-
-inline String8::operator const char*() const
-{
-    return mString;
-}
-
-}  // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_STRING8_H
diff --git a/media/omx-plugin/include/ics/utils/StrongPointer.h b/media/omx-plugin/include/ics/utils/StrongPointer.h
deleted file mode 100644
index 49fa3a8d6f..0000000000
--- a/media/omx-plugin/include/ics/utils/StrongPointer.h
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_STRONG_POINTER_H
-#define ANDROID_STRONG_POINTER_H
-
-#include <cutils/atomic.h>
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <stdlib.h>
-
-// ---------------------------------------------------------------------------
-namespace android {
-
-class TextOutput;
-TextOutput& printStrongPointer(TextOutput& to, const void* val);
-
-template<typename T> class wp;
-
-// ---------------------------------------------------------------------------
-
-#define COMPARE(_op_)                                           \
-inline bool operator _op_ (const sp<T>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-inline bool operator _op_ (const T* o) const {                  \
-    return m_ptr _op_ o;                                        \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const sp<U>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const U* o) const {                  \
-    return m_ptr _op_ o;                                        \
-}                                                               \
-inline bool operator _op_ (const wp<T>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}                                                               \
-template<typename U>                                            \
-inline bool operator _op_ (const wp<U>& o) const {              \
-    return m_ptr _op_ o.m_ptr;                                  \
-}
-
-// ---------------------------------------------------------------------------
-
-template <typename T>
-class sp
-{
-public:
-    inline sp() : m_ptr(0) { }
-
-    sp(T* other);
-    sp(const sp<T>& other);
-    template<typename U> sp(U* other);
-    template<typename U> sp(const sp<U>& other);
-
-    ~sp();
-
-    // Assignment
-
-    sp& operator = (T* other);
-    sp& operator = (const sp<T>& other);
-
-    template<typename U> sp& operator = (const sp<U>& other);
-    template<typename U> sp& operator = (U* other);
-
-    //! Special optimization for use by ProcessState (and nobody else).
-    void force_set(T* other);
-
-    // Reset
-
-    void clear();
-
-    // Accessors
-
-    inline  T&      operator* () const  { return *m_ptr; }
-    inline  T*      operator-> () const { return m_ptr;  }
-    inline  T*      get() const         { return m_ptr; }
-
-    // Operators
-
-    COMPARE(==)
-    COMPARE(!=)
-    COMPARE(>)
-    COMPARE(<)
-    COMPARE(<=)
-    COMPARE(>=)
-
-private:    
-    template<typename Y> friend class sp;
-    template<typename Y> friend class wp;
-    void set_pointer(T* ptr);
-    T* m_ptr;
-};
-
-#undef COMPARE
-
-template <typename T>
-TextOutput& operator<<(TextOutput& to, const sp<T>& val);
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts below here.
-
-template<typename T>
-sp<T>::sp(T* other)
-: m_ptr(other)
-  {
-    if (other) other->incStrong(this);
-  }
-
-template<typename T>
-sp<T>::sp(const sp<T>& other)
-: m_ptr(other.m_ptr)
-  {
-    if (m_ptr) m_ptr->incStrong(this);
-  }
-
-template<typename T> template<typename U>
-sp<T>::sp(U* other) : m_ptr(other)
-{
-    if (other) ((T*)other)->incStrong(this);
-}
-
-template<typename T> template<typename U>
-sp<T>::sp(const sp<U>& other)
-: m_ptr(other.m_ptr)
-  {
-    if (m_ptr) m_ptr->incStrong(this);
-  }
-
-template<typename T>
-sp<T>::~sp()
-{
-    if (m_ptr) m_ptr->decStrong(this);
-}
-
-template<typename T>
-sp<T>& sp<T>::operator = (const sp<T>& other) {
-    T* otherPtr(other.m_ptr);
-    if (otherPtr) otherPtr->incStrong(this);
-    if (m_ptr) m_ptr->decStrong(this);
-    m_ptr = otherPtr;
-    return *this;
-}
-
-template<typename T>
-sp<T>& sp<T>::operator = (T* other)
-{
-    if (other) other->incStrong(this);
-    if (m_ptr) m_ptr->decStrong(this);
-    m_ptr = other;
-    return *this;
-}
-
-template<typename T> template<typename U>
-sp<T>& sp<T>::operator = (const sp<U>& other)
-{
-    T* otherPtr(other.m_ptr);
-    if (otherPtr) otherPtr->incStrong(this);
-    if (m_ptr) m_ptr->decStrong(this);
-    m_ptr = otherPtr;
-    return *this;
-}
-
-template<typename T> template<typename U>
-sp<T>& sp<T>::operator = (U* other)
-{
-    if (other) ((T*)other)->incStrong(this);
-    if (m_ptr) m_ptr->decStrong(this);
-    m_ptr = other;
-    return *this;
-}
-
-template<typename T>    
-void sp<T>::force_set(T* other)
-{
-    other->forceIncStrong(this);
-    m_ptr = other;
-}
-
-template<typename T>
-void sp<T>::clear()
-{
-    if (m_ptr) {
-        m_ptr->decStrong(this);
-        m_ptr = 0;
-    }
-}
-
-template<typename T>
-void sp<T>::set_pointer(T* ptr) {
-    m_ptr = ptr;
-}
-
-template <typename T>
-inline TextOutput& operator<<(TextOutput& to, const sp<T>& val)
-{
-    return printStrongPointer(to, val.get());
-}
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_STRONG_POINTER_H
diff --git a/media/omx-plugin/include/ics/utils/Timers.h b/media/omx-plugin/include/ics/utils/Timers.h
deleted file mode 100644
index 8b4d322873..0000000000
--- a/media/omx-plugin/include/ics/utils/Timers.h
+++ /dev/null
@@ -1,144 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// Timer functions.
-//
-#ifndef _LIBS_UTILS_TIMERS_H
-#define _LIBS_UTILS_TIMERS_H
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <sys/time.h>
-
-// ------------------------------------------------------------------
-// C API
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef int64_t nsecs_t;       // nano-seconds
-
-static inline nsecs_t seconds_to_nanoseconds(nsecs_t secs)
-{
-    return secs*1000000000;
-}
-
-static inline nsecs_t milliseconds_to_nanoseconds(nsecs_t secs)
-{
-    return secs*1000000;
-}
-
-static inline nsecs_t microseconds_to_nanoseconds(nsecs_t secs)
-{
-    return secs*1000;
-}
-
-static inline nsecs_t nanoseconds_to_seconds(nsecs_t secs)
-{
-    return secs/1000000000;
-}
-
-static inline nsecs_t nanoseconds_to_milliseconds(nsecs_t secs)
-{
-    return secs/1000000;
-}
-
-static inline nsecs_t nanoseconds_to_microseconds(nsecs_t secs)
-{
-    return secs/1000;
-}
-
-static inline nsecs_t s2ns(nsecs_t v)  {return seconds_to_nanoseconds(v);}
-static inline nsecs_t ms2ns(nsecs_t v) {return milliseconds_to_nanoseconds(v);}
-static inline nsecs_t us2ns(nsecs_t v) {return microseconds_to_nanoseconds(v);}
-static inline nsecs_t ns2s(nsecs_t v)  {return nanoseconds_to_seconds(v);}
-static inline nsecs_t ns2ms(nsecs_t v) {return nanoseconds_to_milliseconds(v);}
-static inline nsecs_t ns2us(nsecs_t v) {return nanoseconds_to_microseconds(v);}
-
-static inline nsecs_t seconds(nsecs_t v)      { return s2ns(v); }
-static inline nsecs_t milliseconds(nsecs_t v) { return ms2ns(v); }
-static inline nsecs_t microseconds(nsecs_t v) { return us2ns(v); }
-
-enum {
-    SYSTEM_TIME_REALTIME = 0,  // system-wide realtime clock
-    SYSTEM_TIME_MONOTONIC = 1, // monotonic time since unspecified starting point
-    SYSTEM_TIME_PROCESS = 2,   // high-resolution per-process clock
-    SYSTEM_TIME_THREAD = 3     // high-resolution per-thread clock
-};
-    
-// return the system-time according to the specified clock
-#ifdef __cplusplus
-nsecs_t systemTime(int clock = SYSTEM_TIME_MONOTONIC);
-#else
-nsecs_t systemTime(int clock);
-#endif // def __cplusplus
-
-/**
- * Returns the number of milliseconds to wait between the reference time and the timeout time.
- * If the timeout is in the past relative to the reference time, returns 0.
- * If the timeout is more than INT_MAX milliseconds in the future relative to the reference time,
- * such as when timeoutTime == LLONG_MAX, returns -1 to indicate an infinite timeout delay.
- * Otherwise, returns the difference between the reference time and timeout time
- * rounded up to the next millisecond.
- */
-int toMillisecondTimeoutDelay(nsecs_t referenceTime, nsecs_t timeoutTime);
-
-#ifdef __cplusplus
-} // extern "C"
-#endif
-
-// ------------------------------------------------------------------
-// C++ API
-
-#ifdef __cplusplus
-
-namespace android {
-/*
- * Time the duration of something.
- *
- * Includes some timeval manipulation functions.
- */
-class DurationTimer {
-public:
-    DurationTimer() {}
-    ~DurationTimer() {}
-
-    // Start the timer.
-    void start();
-    // Stop the timer.
-    void stop();
-    // Get the duration in microseconds.
-    long long durationUsecs() const;
-
-    // Subtract two timevals.  Returns the difference (ptv1-ptv2) in
-    // microseconds.
-    static long long subtractTimevals(const struct timeval* ptv1,
-        const struct timeval* ptv2);
-
-    // Add the specified amount of time to the timeval.
-    static void addToTimeval(struct timeval* ptv, long usec);
-
-private:
-    struct timeval  mStartWhen;
-    struct timeval  mStopWhen;
-};
-
-}; // android
-#endif // def __cplusplus
-
-#endif // _LIBS_UTILS_TIMERS_H
diff --git a/media/omx-plugin/include/ics/utils/TypeHelpers.h b/media/omx-plugin/include/ics/utils/TypeHelpers.h
deleted file mode 100644
index d0dc33a7e0..0000000000
--- a/media/omx-plugin/include/ics/utils/TypeHelpers.h
+++ /dev/null
@@ -1,246 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_TYPE_HELPERS_H
-#define ANDROID_TYPE_HELPERS_H
-
-#include <new>
-#include <stdint.h>
-#include <string.h>
-#include <sys/types.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-/*
- * Types traits
- */
-
-template <typename T> struct trait_trivial_ctor { enum { value = false }; };
-template <typename T> struct trait_trivial_dtor { enum { value = false }; };
-template <typename T> struct trait_trivial_copy { enum { value = false }; };
-template <typename T> struct trait_trivial_move { enum { value = false }; };
-template <typename T> struct trait_pointer      { enum { value = false }; };    
-template <typename T> struct trait_pointer<T*>  { enum { value = true }; };
-
-template <typename TYPE>
-struct traits {
-    enum {
-        // whether this type is a pointer
-        is_pointer          = trait_pointer<TYPE>::value,
-        // whether this type's constructor is a no-op
-        has_trivial_ctor    = is_pointer || trait_trivial_ctor<TYPE>::value,
-        // whether this type's destructor is a no-op
-        has_trivial_dtor    = is_pointer || trait_trivial_dtor<TYPE>::value,
-        // whether this type type can be copy-constructed with memcpy
-        has_trivial_copy    = is_pointer || trait_trivial_copy<TYPE>::value,
-        // whether this type can be moved with memmove
-        has_trivial_move    = is_pointer || trait_trivial_move<TYPE>::value
-    };
-};
-
-template <typename T, typename U>
-struct aggregate_traits {
-    enum {
-        is_pointer          = false,
-        has_trivial_ctor    = 
-            traits<T>::has_trivial_ctor && traits<U>::has_trivial_ctor,
-        has_trivial_dtor    = 
-            traits<T>::has_trivial_dtor && traits<U>::has_trivial_dtor,
-        has_trivial_copy    = 
-            traits<T>::has_trivial_copy && traits<U>::has_trivial_copy,
-        has_trivial_move    = 
-            traits<T>::has_trivial_move && traits<U>::has_trivial_move
-    };
-};
-
-#define ANDROID_BASIC_TYPES_TRAITS( T )                                     \
-    template<> struct trait_trivial_ctor< T >   { enum { value = true }; }; \
-    template<> struct trait_trivial_dtor< T >   { enum { value = true }; }; \
-    template<> struct trait_trivial_copy< T >   { enum { value = true }; }; \
-    template<> struct trait_trivial_move< T >   { enum { value = true }; };
-
-// ---------------------------------------------------------------------------
-
-/*
- * basic types traits
- */
-
-ANDROID_BASIC_TYPES_TRAITS( void )
-ANDROID_BASIC_TYPES_TRAITS( bool )
-ANDROID_BASIC_TYPES_TRAITS( char )
-ANDROID_BASIC_TYPES_TRAITS( unsigned char )
-ANDROID_BASIC_TYPES_TRAITS( short )
-ANDROID_BASIC_TYPES_TRAITS( unsigned short )
-ANDROID_BASIC_TYPES_TRAITS( int )
-ANDROID_BASIC_TYPES_TRAITS( unsigned int )
-ANDROID_BASIC_TYPES_TRAITS( long )
-ANDROID_BASIC_TYPES_TRAITS( unsigned long )
-ANDROID_BASIC_TYPES_TRAITS( long long )
-ANDROID_BASIC_TYPES_TRAITS( unsigned long long )
-ANDROID_BASIC_TYPES_TRAITS( float )
-ANDROID_BASIC_TYPES_TRAITS( double )
-
-// ---------------------------------------------------------------------------
-
-
-/*
- * compare and order types
- */
-
-template<typename TYPE> inline
-int strictly_order_type(const TYPE& lhs, const TYPE& rhs) {
-    return (lhs < rhs) ? 1 : 0;
-}
-
-template<typename TYPE> inline
-int compare_type(const TYPE& lhs, const TYPE& rhs) {
-    return strictly_order_type(rhs, lhs) - strictly_order_type(lhs, rhs);
-}
-
-/*
- * create, destroy, copy and move types...
- */
-
-template<typename TYPE> inline
-void construct_type(TYPE* p, size_t n) {
-    if (!traits<TYPE>::has_trivial_ctor) {
-        while (n--) {
-            new(p++) TYPE;
-        }
-    }
-}
-
-template<typename TYPE> inline
-void destroy_type(TYPE* p, size_t n) {
-    if (!traits<TYPE>::has_trivial_dtor) {
-        while (n--) {
-            p->~TYPE();
-            p++;
-        }
-    }
-}
-
-template<typename TYPE> inline
-void copy_type(TYPE* d, const TYPE* s, size_t n) {
-    if (!traits<TYPE>::has_trivial_copy) {
-        while (n--) {
-            new(d) TYPE(*s);
-            d++, s++;
-        }
-    } else {
-        memcpy(d,s,n*sizeof(TYPE));
-    }
-}
-
-template<typename TYPE> inline
-void splat_type(TYPE* where, const TYPE* what, size_t n) {
-    if (!traits<TYPE>::has_trivial_copy) {
-        while (n--) {
-            new(where) TYPE(*what);
-            where++;
-        }
-    } else {
-        while (n--) {
-            *where++ = *what;
-        }
-    }
-}
-
-template<typename TYPE> inline
-void move_forward_type(TYPE* d, const TYPE* s, size_t n = 1) {
-    if ((traits<TYPE>::has_trivial_dtor && traits<TYPE>::has_trivial_copy) 
-            || traits<TYPE>::has_trivial_move) 
-    {
-        memmove(d,s,n*sizeof(TYPE));
-    } else {
-        d += n;
-        s += n;
-        while (n--) {
-            --d, --s;
-            if (!traits<TYPE>::has_trivial_copy) {
-                new(d) TYPE(*s);
-            } else {
-                *d = *s;   
-            }
-            if (!traits<TYPE>::has_trivial_dtor) {
-                s->~TYPE();
-            }
-        }
-    }
-}
-
-template<typename TYPE> inline
-void move_backward_type(TYPE* d, const TYPE* s, size_t n = 1) {
-    if ((traits<TYPE>::has_trivial_dtor && traits<TYPE>::has_trivial_copy) 
-            || traits<TYPE>::has_trivial_move) 
-    {
-        memmove(d,s,n*sizeof(TYPE));
-    } else {
-        while (n--) {
-            if (!traits<TYPE>::has_trivial_copy) {
-                new(d) TYPE(*s);
-            } else {
-                *d = *s;   
-            }
-            if (!traits<TYPE>::has_trivial_dtor) {
-                s->~TYPE();
-            }
-            d++, s++;
-        }
-    }
-}
-
-// ---------------------------------------------------------------------------
-
-/*
- * a key/value pair
- */
-
-template <typename KEY, typename VALUE>
-struct key_value_pair_t {
-    KEY     key;
-    VALUE   value;
-    key_value_pair_t() { }
-    key_value_pair_t(const key_value_pair_t& o) : key(o.key), value(o.value) { }
-    key_value_pair_t(const KEY& k, const VALUE& v) : key(k), value(v)  { }
-    key_value_pair_t(const KEY& k) : key(k) { }
-    inline bool operator < (const key_value_pair_t& o) const {
-        return strictly_order_type(key, o.key);
-    }
-};
-
-template <typename K, typename V>
-struct trait_trivial_ctor< key_value_pair_t<K, V> >
-{ enum { value = aggregate_traits<K,V>::has_trivial_ctor }; };
-template <typename K, typename V>
-struct trait_trivial_dtor< key_value_pair_t<K, V> >
-{ enum { value = aggregate_traits<K,V>::has_trivial_dtor }; };
-template <typename K, typename V>
-struct trait_trivial_copy< key_value_pair_t<K, V> >
-{ enum { value = aggregate_traits<K,V>::has_trivial_copy }; };
-template <typename K, typename V>
-struct trait_trivial_move< key_value_pair_t<K, V> >
-{ enum { value = aggregate_traits<K,V>::has_trivial_move }; };
-
-// ---------------------------------------------------------------------------
-
-}; // namespace android
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_TYPE_HELPERS_H
diff --git a/media/omx-plugin/include/ics/utils/Unicode.h b/media/omx-plugin/include/ics/utils/Unicode.h
deleted file mode 100644
index 90a82763b7..0000000000
--- a/media/omx-plugin/include/ics/utils/Unicode.h
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_UNICODE_H
-#define ANDROID_UNICODE_H
-
-#include <sys/types.h>
-#include <stdint.h>
-
-extern "C" {
-
-#if !defined(__cplusplus) || __cplusplus == 199711L // C or C++98
-typedef uint32_t char32_t;
-typedef uint16_t char16_t;
-#endif
-
-// Standard string functions on char16_t strings.
-int strcmp16(const char16_t *, const char16_t *);
-int strncmp16(const char16_t *s1, const char16_t *s2, size_t n);
-size_t strlen16(const char16_t *);
-size_t strnlen16(const char16_t *, size_t);
-char16_t *strcpy16(char16_t *, const char16_t *);
-char16_t *strncpy16(char16_t *, const char16_t *, size_t);
-
-// Version of comparison that supports embedded nulls.
-// This is different than strncmp() because we don't stop
-// at a nul character and consider the strings to be different
-// if the lengths are different (thus we need to supply the
-// lengths of both strings).  This can also be used when
-// your string is not nul-terminated as it will have the
-// equivalent result as strcmp16 (unlike strncmp16).
-int strzcmp16(const char16_t *s1, size_t n1, const char16_t *s2, size_t n2);
-
-// Version of strzcmp16 for comparing strings in different endianness.
-int strzcmp16_h_n(const char16_t *s1H, size_t n1, const char16_t *s2N, size_t n2);
-
-// Standard string functions on char32_t strings.
-size_t strlen32(const char32_t *);
-size_t strnlen32(const char32_t *, size_t);
-
-/**
- * Measure the length of a UTF-32 string in UTF-8. If the string is invalid
- * such as containing a surrogate character, -1 will be returned.
- */
-ssize_t utf32_to_utf8_length(const char32_t *src, size_t src_len);
-
-/**
- * Stores a UTF-8 string converted from "src" in "dst", if "dst_length" is not
- * large enough to store the string, the part of the "src" string is stored
- * into "dst" as much as possible. See the examples for more detail.
- * Returns the size actually used for storing the string.
- * dst" is not null-terminated when dst_len is fully used (like strncpy).
- *
- * Example 1
- * "src" == \u3042\u3044 (\xE3\x81\x82\xE3\x81\x84)
- * "src_len" == 2
- * "dst_len" >= 7
- * ->
- * Returned value == 6
- * "dst" becomes \xE3\x81\x82\xE3\x81\x84\0
- * (note that "dst" is null-terminated)
- *
- * Example 2
- * "src" == \u3042\u3044 (\xE3\x81\x82\xE3\x81\x84)
- * "src_len" == 2
- * "dst_len" == 5
- * ->
- * Returned value == 3
- * "dst" becomes \xE3\x81\x82\0
- * (note that "dst" is null-terminated, but \u3044 is not stored in "dst"
- * since "dst" does not have enough size to store the character)
- *
- * Example 3
- * "src" == \u3042\u3044 (\xE3\x81\x82\xE3\x81\x84)
- * "src_len" == 2
- * "dst_len" == 6
- * ->
- * Returned value == 6
- * "dst" becomes \xE3\x81\x82\xE3\x81\x84
- * (note that "dst" is NOT null-terminated, like strncpy)
- */
-void utf32_to_utf8(const char32_t* src, size_t src_len, char* dst);
-
-/**
- * Returns the unicode value at "index".
- * Returns -1 when the index is invalid (equals to or more than "src_len").
- * If returned value is positive, it is able to be converted to char32_t, which
- * is unsigned. Then, if "next_index" is not NULL, the next index to be used is
- * stored in "next_index". "next_index" can be NULL.
- */
-int32_t utf32_from_utf8_at(const char *src, size_t src_len, size_t index, size_t *next_index);
-
-
-/**
- * Returns the UTF-8 length of UTF-16 string "src".
- */
-ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len);
-
-/**
- * Converts a UTF-16 string to UTF-8. The destination buffer must be large
- * enough to fit the UTF-16 as measured by utf16_to_utf8_length with an added
- * NULL terminator.
- */
-void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst);
-
-/**
- * Returns the length of "src" when "src" is valid UTF-8 string.
- * Returns 0 if src is NULL or 0-length string. Returns -1 when the source
- * is an invalid string.
- *
- * This function should be used to determine whether "src" is valid UTF-8
- * characters with valid unicode codepoints. "src" must be null-terminated.
- *
- * If you are going to use other utf8_to_... functions defined in this header
- * with string which may not be valid UTF-8 with valid codepoint (form 0 to
- * 0x10FFFF), you should use this function before calling others, since the
- * other functions do not check whether the string is valid UTF-8 or not.
- *
- * If you do not care whether "src" is valid UTF-8 or not, you should use
- * strlen() as usual, which should be much faster.
- */
-ssize_t utf8_length(const char *src);
-
-/**
- * Measure the length of a UTF-32 string.
- */
-size_t utf8_to_utf32_length(const char *src, size_t src_len);
-
-/**
- * Stores a UTF-32 string converted from "src" in "dst". "dst" must be large
- * enough to store the entire converted string as measured by
- * utf8_to_utf32_length plus space for a NULL terminator.
- */
-void utf8_to_utf32(const char* src, size_t src_len, char32_t* dst);
-
-/**
- * Returns the UTF-16 length of UTF-8 string "src".
- */
-ssize_t utf8_to_utf16_length(const uint8_t* src, size_t srcLen);
-
-/**
- * Convert UTF-8 to UTF-16 including surrogate pairs.
- * Returns a pointer to the end of the string (where a null terminator might go
- * if you wanted to add one).
- */
-char16_t* utf8_to_utf16_no_null_terminator(const uint8_t* src, size_t srcLen, char16_t* dst);
-
-/**
- * Convert UTF-8 to UTF-16 including surrogate pairs. The destination buffer
- * must be large enough to hold the result as measured by utf8_to_utf16_length
- * plus an added NULL terminator.
- */
-void utf8_to_utf16(const uint8_t* src, size_t srcLen, char16_t* dst);
-
-}
-
-#endif
diff --git a/media/omx-plugin/include/ics/utils/Vector.h b/media/omx-plugin/include/ics/utils/Vector.h
deleted file mode 100644
index e30071d16d..0000000000
--- a/media/omx-plugin/include/ics/utils/Vector.h
+++ /dev/null
@@ -1,424 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_VECTOR_H
-#define ANDROID_VECTOR_H
-
-#include <new>
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <cutils/log.h>
-
-#include <utils/VectorImpl.h>
-#include <utils/TypeHelpers.h>
-
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-template <typename TYPE>
-class SortedVector;
-
-/*!
- * The main templated vector class ensuring type safety
- * while making use of VectorImpl.
- * This is the class users want to use.
- */
-
-template <class TYPE>
-class Vector : private VectorImpl
-{
-public:
-            typedef TYPE    value_type;
-
-    /*!
-     * Constructors and destructors
-     */
-
-                            Vector();
-                            Vector(const Vector<TYPE>& rhs);
-    explicit                Vector(const SortedVector<TYPE>& rhs);
-    virtual                 ~Vector();
-
-    /*! copy operator */
-            const Vector<TYPE>&     operator = (const Vector<TYPE>& rhs) const;
-            Vector<TYPE>&           operator = (const Vector<TYPE>& rhs);
-
-            const Vector<TYPE>&     operator = (const SortedVector<TYPE>& rhs) const;
-            Vector<TYPE>&           operator = (const SortedVector<TYPE>& rhs);
-
-            /*
-     * empty the vector
-     */
-
-    inline  void            clear()             { VectorImpl::clear(); }
-
-    /*!
-     * vector stats
-     */
-
-    //! returns number of items in the vector
-    inline  size_t          size() const                { return VectorImpl::size(); }
-    //! returns whether or not the vector is empty
-    inline  bool            isEmpty() const             { return VectorImpl::isEmpty(); }
-    //! returns how many items can be stored without reallocating the backing store
-    inline  size_t          capacity() const            { return VectorImpl::capacity(); }
-    //! sets the capacity. capacity can never be reduced less than size()
-    inline  ssize_t         setCapacity(size_t size)    { return VectorImpl::setCapacity(size); }
-
-    /*!
-     * set the size of the vector. items are appended with the default
-     * constructor, or removed from the end as needed.
-     */
-    inline  ssize_t         resize(size_t size)         { return VectorImpl::resize(size); }
-
-    /*!
-     * C-style array access
-     */
-
-    //! read-only C-style access
-    inline  const TYPE*     array() const;
-    //! read-write C-style access
-            TYPE*           editArray();
-
-    /*!
-     * accessors
-     */
-
-    //! read-only access to an item at a given index
-    inline  const TYPE&     operator [] (size_t index) const;
-    //! alternate name for operator []
-    inline  const TYPE&     itemAt(size_t index) const;
-    //! stack-usage of the vector. returns the top of the stack (last element)
-            const TYPE&     top() const;
-
-    /*!
-     * modifying the array
-     */
-
-    //! copy-on write support, grants write access to an item
-            TYPE&           editItemAt(size_t index);
-    //! grants right access to the top of the stack (last element)
-            TYPE&           editTop();
-
-            /*!
-             * append/insert another vector
-             */
-
-    //! insert another vector at a given index
-            ssize_t         insertVectorAt(const Vector<TYPE>& vector, size_t index);
-
-    //! append another vector at the end of this one
-            ssize_t         appendVector(const Vector<TYPE>& vector);
-
-
-    //! insert an array at a given index
-            ssize_t         insertArrayAt(const TYPE* array, size_t index, size_t length);
-
-    //! append an array at the end of this vector
-            ssize_t         appendArray(const TYPE* array, size_t length);
-
-            /*!
-             * add/insert/replace items
-             */
-
-    //! insert one or several items initialized with their default constructor
-    inline  ssize_t         insertAt(size_t index, size_t numItems = 1);
-    //! insert one or several items initialized from a prototype item
-            ssize_t         insertAt(const TYPE& prototype_item, size_t index, size_t numItems = 1);
-    //! pop the top of the stack (removes the last element). No-op if the stack's empty
-    inline  void            pop();
-    //! pushes an item initialized with its default constructor
-    inline  void            push();
-    //! pushes an item on the top of the stack
-            void            push(const TYPE& item);
-    //! same as push() but returns the index the item was added at (or an error)
-    inline  ssize_t         add();
-    //! same as push() but returns the index the item was added at (or an error)
-            ssize_t         add(const TYPE& item);
-    //! replace an item with a new one initialized with its default constructor
-    inline  ssize_t         replaceAt(size_t index);
-    //! replace an item with a new one
-            ssize_t         replaceAt(const TYPE& item, size_t index);
-
-    /*!
-     * remove items
-     */
-
-    //! remove several items
-    inline  ssize_t         removeItemsAt(size_t index, size_t count = 1);
-    //! remove one item
-    inline  ssize_t         removeAt(size_t index)  { return removeItemsAt(index); }
-
-    /*!
-     * sort (stable) the array
-     */
-
-     typedef int (*compar_t)(const TYPE* lhs, const TYPE* rhs);
-     typedef int (*compar_r_t)(const TYPE* lhs, const TYPE* rhs, void* state);
-
-     inline status_t        sort(compar_t cmp);
-     inline status_t        sort(compar_r_t cmp, void* state);
-
-     // for debugging only
-     inline size_t getItemSize() const { return itemSize(); }
-
-
-     /*
-      * these inlines add some level of compatibility with STL. eventually
-      * we should probably turn things around.
-      */
-     typedef TYPE* iterator;
-     typedef TYPE const* const_iterator;
-
-     inline iterator begin() { return editArray(); }
-     inline iterator end()   { return editArray() + size(); }
-     inline const_iterator begin() const { return array(); }
-     inline const_iterator end() const   { return array() + size(); }
-     inline void reserve(size_t n) { setCapacity(n); }
-     inline bool empty() const{ return isEmpty(); }
-     inline void push_back(const TYPE& item)  { insertAt(item, size(), 1); }
-     inline void push_front(const TYPE& item) { insertAt(item, 0, 1); }
-     inline iterator erase(iterator pos) {
-         ssize_t index = removeItemsAt(pos-array());
-         return begin() + index;
-     }
-
-protected:
-    virtual void    do_construct(void* storage, size_t num) const;
-    virtual void    do_destroy(void* storage, size_t num) const;
-    virtual void    do_copy(void* dest, const void* from, size_t num) const;
-    virtual void    do_splat(void* dest, const void* item, size_t num) const;
-    virtual void    do_move_forward(void* dest, const void* from, size_t num) const;
-    virtual void    do_move_backward(void* dest, const void* from, size_t num) const;
-};
-
-// Vector<T> can be trivially moved using memcpy() because moving does not
-// require any change to the underlying SharedBuffer contents or reference count.
-template<typename T> struct trait_trivial_move<Vector<T> > { enum { value = true }; };
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts from here...
-// ---------------------------------------------------------------------------
-
-template<class TYPE> inline
-Vector<TYPE>::Vector()
-    : VectorImpl(sizeof(TYPE),
-                ((traits<TYPE>::has_trivial_ctor   ? HAS_TRIVIAL_CTOR   : 0)
-                |(traits<TYPE>::has_trivial_dtor   ? HAS_TRIVIAL_DTOR   : 0)
-                |(traits<TYPE>::has_trivial_copy   ? HAS_TRIVIAL_COPY   : 0))
-                )
-{
-}
-
-template<class TYPE> inline
-Vector<TYPE>::Vector(const Vector<TYPE>& rhs)
-    : VectorImpl(rhs) {
-}
-
-template<class TYPE> inline
-Vector<TYPE>::Vector(const SortedVector<TYPE>& rhs)
-    : VectorImpl(static_cast<const VectorImpl&>(rhs)) {
-}
-
-template<class TYPE> inline
-Vector<TYPE>::~Vector() {
-    finish_vector();
-}
-
-template<class TYPE> inline
-Vector<TYPE>& Vector<TYPE>::operator = (const Vector<TYPE>& rhs) {
-    VectorImpl::operator = (rhs);
-    return *this;
-}
-
-template<class TYPE> inline
-const Vector<TYPE>& Vector<TYPE>::operator = (const Vector<TYPE>& rhs) const {
-    VectorImpl::operator = (static_cast<const VectorImpl&>(rhs));
-    return *this;
-}
-
-template<class TYPE> inline
-Vector<TYPE>& Vector<TYPE>::operator = (const SortedVector<TYPE>& rhs) {
-    VectorImpl::operator = (static_cast<const VectorImpl&>(rhs));
-    return *this;
-}
-
-template<class TYPE> inline
-const Vector<TYPE>& Vector<TYPE>::operator = (const SortedVector<TYPE>& rhs) const {
-    VectorImpl::operator = (rhs);
-    return *this;
-}
-
-template<class TYPE> inline
-const TYPE* Vector<TYPE>::array() const {
-    return static_cast<const TYPE *>(arrayImpl());
-}
-
-template<class TYPE> inline
-TYPE* Vector<TYPE>::editArray() {
-    return static_cast<TYPE *>(editArrayImpl());
-}
-
-
-template<class TYPE> inline
-const TYPE& Vector<TYPE>::operator[](size_t index) const {
-    LOG_FATAL_IF(index>=size(),
-            "%s: index=%u out of range (%u)", __PRETTY_FUNCTION__,
-            int(index), int(size()));
-    return *(array() + index);
-}
-
-template<class TYPE> inline
-const TYPE& Vector<TYPE>::itemAt(size_t index) const {
-    return operator[](index);
-}
-
-template<class TYPE> inline
-const TYPE& Vector<TYPE>::top() const {
-    return *(array() + size() - 1);
-}
-
-template<class TYPE> inline
-TYPE& Vector<TYPE>::editItemAt(size_t index) {
-    return *( static_cast<TYPE *>(editItemLocation(index)) );
-}
-
-template<class TYPE> inline
-TYPE& Vector<TYPE>::editTop() {
-    return *( static_cast<TYPE *>(editItemLocation(size()-1)) );
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::insertVectorAt(const Vector<TYPE>& vector, size_t index) {
-    return VectorImpl::insertVectorAt(reinterpret_cast<const VectorImpl&>(vector), index);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::appendVector(const Vector<TYPE>& vector) {
-    return VectorImpl::appendVector(reinterpret_cast<const VectorImpl&>(vector));
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::insertArrayAt(const TYPE* array, size_t index, size_t length) {
-    return VectorImpl::insertArrayAt(array, index, length);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::appendArray(const TYPE* array, size_t length) {
-    return VectorImpl::appendArray(array, length);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::insertAt(const TYPE& item, size_t index, size_t numItems) {
-    return VectorImpl::insertAt(&item, index, numItems);
-}
-
-template<class TYPE> inline
-void Vector<TYPE>::push(const TYPE& item) {
-    return VectorImpl::push(&item);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::add(const TYPE& item) {
-    return VectorImpl::add(&item);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::replaceAt(const TYPE& item, size_t index) {
-    return VectorImpl::replaceAt(&item, index);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::insertAt(size_t index, size_t numItems) {
-    return VectorImpl::insertAt(index, numItems);
-}
-
-template<class TYPE> inline
-void Vector<TYPE>::pop() {
-    VectorImpl::pop();
-}
-
-template<class TYPE> inline
-void Vector<TYPE>::push() {
-    VectorImpl::push();
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::add() {
-    return VectorImpl::add();
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::replaceAt(size_t index) {
-    return VectorImpl::replaceAt(index);
-}
-
-template<class TYPE> inline
-ssize_t Vector<TYPE>::removeItemsAt(size_t index, size_t count) {
-    return VectorImpl::removeItemsAt(index, count);
-}
-
-template<class TYPE> inline
-status_t Vector<TYPE>::sort(Vector<TYPE>::compar_t cmp) {
-    return VectorImpl::sort((VectorImpl::compar_t)cmp);
-}
-
-template<class TYPE> inline
-status_t Vector<TYPE>::sort(Vector<TYPE>::compar_r_t cmp, void* state) {
-    return VectorImpl::sort((VectorImpl::compar_r_t)cmp, state);
-}
-
-// ---------------------------------------------------------------------------
-
-template<class TYPE>
-void Vector<TYPE>::do_construct(void* storage, size_t num) const {
-    construct_type( reinterpret_cast<TYPE*>(storage), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_destroy(void* storage, size_t num) const {
-    destroy_type( reinterpret_cast<TYPE*>(storage), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_copy(void* dest, const void* from, size_t num) const {
-    copy_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_splat(void* dest, const void* item, size_t num) const {
-    splat_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(item), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_move_forward(void* dest, const void* from, size_t num) const {
-    move_forward_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-template<class TYPE>
-void Vector<TYPE>::do_move_backward(void* dest, const void* from, size_t num) const {
-    move_backward_type( reinterpret_cast<TYPE*>(dest), reinterpret_cast<const TYPE*>(from), num );
-}
-
-}; // namespace android
-
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_VECTOR_H
-
diff --git a/media/omx-plugin/include/ics/utils/VectorImpl.h b/media/omx-plugin/include/ics/utils/VectorImpl.h
deleted file mode 100644
index 720b2546c4..0000000000
--- a/media/omx-plugin/include/ics/utils/VectorImpl.h
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * Copyright (C) 2005 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_VECTOR_IMPL_H
-#define ANDROID_VECTOR_IMPL_H
-
-#include <assert.h>
-#include <stdint.h>
-#include <sys/types.h>
-#include <utils/Errors.h>
-
-// ---------------------------------------------------------------------------
-// No user serviceable parts in here...
-// ---------------------------------------------------------------------------
-
-namespace android {
-
-/*!
- * Implementation of the guts of the vector<> class
- * this ensures backward binary compatibility and
- * reduces code size.
- * For performance reasons, we expose mStorage and mCount
- * so these fields are set in stone.
- *
- */
-
-class VectorImpl
-{
-public:
-    enum { // flags passed to the ctor
-        HAS_TRIVIAL_CTOR    = 0x00000001,
-        HAS_TRIVIAL_DTOR    = 0x00000002,
-        HAS_TRIVIAL_COPY    = 0x00000004,
-    };
-
-                            VectorImpl(size_t itemSize, uint32_t flags);
-                            VectorImpl(const VectorImpl& rhs);
-    virtual                 ~VectorImpl();
-
-    /*! must be called from subclasses destructor */
-            void            finish_vector();
-
-            VectorImpl&     operator = (const VectorImpl& rhs);
-
-    /*! C-style array access */
-    inline  const void*     arrayImpl() const       { return mStorage; }
-            void*           editArrayImpl();
-
-    /*! vector stats */
-    inline  size_t          size() const        { return mCount; }
-    inline  bool            isEmpty() const     { return mCount == 0; }
-            size_t          capacity() const;
-            ssize_t         setCapacity(size_t size);
-            ssize_t         resize(size_t size);
-
-            /*! append/insert another vector or array */
-            ssize_t         insertVectorAt(const VectorImpl& vector, size_t index);
-            ssize_t         appendVector(const VectorImpl& vector);
-            ssize_t         insertArrayAt(const void* array, size_t index, size_t length);
-            ssize_t         appendArray(const void* array, size_t length);
-
-            /*! add/insert/replace items */
-            ssize_t         insertAt(size_t where, size_t numItems = 1);
-            ssize_t         insertAt(const void* item, size_t where, size_t numItems = 1);
-            void            pop();
-            void            push();
-            void            push(const void* item);
-            ssize_t         add();
-            ssize_t         add(const void* item);
-            ssize_t         replaceAt(size_t index);
-            ssize_t         replaceAt(const void* item, size_t index);
-
-            /*! remove items */
-            ssize_t         removeItemsAt(size_t index, size_t count = 1);
-            void            clear();
-
-            const void*     itemLocation(size_t index) const;
-            void*           editItemLocation(size_t index);
-
-            typedef int (*compar_t)(const void* lhs, const void* rhs);
-            typedef int (*compar_r_t)(const void* lhs, const void* rhs, void* state);
-            status_t        sort(compar_t cmp);
-            status_t        sort(compar_r_t cmp, void* state);
-
-protected:
-            size_t          itemSize() const;
-            void            release_storage();
-
-    virtual void            do_construct(void* storage, size_t num) const = 0;
-    virtual void            do_destroy(void* storage, size_t num) const = 0;
-    virtual void            do_copy(void* dest, const void* from, size_t num) const = 0;
-    virtual void            do_splat(void* dest, const void* item, size_t num) const = 0;
-    virtual void            do_move_forward(void* dest, const void* from, size_t num) const = 0;
-    virtual void            do_move_backward(void* dest, const void* from, size_t num) const = 0;
-
-private:
-        void* _grow(size_t where, size_t amount);
-        void  _shrink(size_t where, size_t amount);
-
-        inline void _do_construct(void* storage, size_t num) const;
-        inline void _do_destroy(void* storage, size_t num) const;
-        inline void _do_copy(void* dest, const void* from, size_t num) const;
-        inline void _do_splat(void* dest, const void* item, size_t num) const;
-        inline void _do_move_forward(void* dest, const void* from, size_t num) const;
-        inline void _do_move_backward(void* dest, const void* from, size_t num) const;
-
-            // These 2 fields are exposed in the inlines below,
-            // so they're set in stone.
-            void *      mStorage;   // base address of the vector
-            size_t      mCount;     // number of items
-
-    const   uint32_t    mFlags;
-    const   size_t      mItemSize;
-};
-
-
-
-class SortedVectorImpl : public VectorImpl
-{
-public:
-                            SortedVectorImpl(size_t itemSize, uint32_t flags);
-                            SortedVectorImpl(const VectorImpl& rhs);
-    virtual                 ~SortedVectorImpl();
-
-    SortedVectorImpl&     operator = (const SortedVectorImpl& rhs);
-
-    //! finds the index of an item
-            ssize_t         indexOf(const void* item) const;
-
-    //! finds where this item should be inserted
-            size_t          orderOf(const void* item) const;
-
-    //! add an item in the right place (or replaces it if there is one)
-            ssize_t         add(const void* item);
-
-    //! merges a vector into this one
-            ssize_t         merge(const VectorImpl& vector);
-            ssize_t         merge(const SortedVectorImpl& vector);
-
-    //! removes an item
-            ssize_t         remove(const void* item);
-
-protected:
-    virtual int             do_compare(const void* lhs, const void* rhs) const = 0;
-
-private:
-            ssize_t         _indexOrderOf(const void* item, size_t* order = 0) const;
-
-            // these are made private, because they can't be used on a SortedVector
-            // (they don't have an implementation either)
-            ssize_t         add();
-            void            pop();
-            void            push();
-            void            push(const void* item);
-            ssize_t         insertVectorAt(const VectorImpl& vector, size_t index);
-            ssize_t         appendVector(const VectorImpl& vector);
-            ssize_t         insertArrayAt(const void* array, size_t index, size_t length);
-            ssize_t         appendArray(const void* array, size_t length);
-            ssize_t         insertAt(size_t where, size_t numItems = 1);
-            ssize_t         insertAt(const void* item, size_t where, size_t numItems = 1);
-            ssize_t         replaceAt(size_t index);
-            ssize_t         replaceAt(const void* item, size_t index);
-};
-
-}; // namespace android
-
-
-// ---------------------------------------------------------------------------
-
-#endif // ANDROID_VECTOR_IMPL_H
-
diff --git a/media/omx-plugin/include/ics/utils/threads.h b/media/omx-plugin/include/ics/utils/threads.h
deleted file mode 100644
index ab3e8cdb63..0000000000
--- a/media/omx-plugin/include/ics/utils/threads.h
+++ /dev/null
@@ -1,564 +0,0 @@
-/*
- * Copyright (C) 2007 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef _LIBS_UTILS_THREADS_H
-#define _LIBS_UTILS_THREADS_H
-
-#include <stdint.h>
-#include <sys/types.h>
-#include <time.h>
-#include <system/graphics.h>
-
-#if defined(HAVE_PTHREADS)
-# include <pthread.h>
-#endif
-
-// ------------------------------------------------------------------
-// C API
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef void* android_thread_id_t;
-
-typedef int (*android_thread_func_t)(void*);
-
-enum {
-    /*
-     * ***********************************************
-     * ** Keep in sync with android.os.Process.java **
-     * ***********************************************
-     * 
-     * This maps directly to the "nice" priorities we use in Android.
-     * A thread priority should be chosen inverse-proportionally to
-     * the amount of work the thread is expected to do. The more work
-     * a thread will do, the less favorable priority it should get so that 
-     * it doesn't starve the system. Threads not behaving properly might
-     * be "punished" by the kernel.
-     * Use the levels below when appropriate. Intermediate values are
-     * acceptable, preferably use the {MORE|LESS}_FAVORABLE constants below.
-     */
-    ANDROID_PRIORITY_LOWEST         =  19,
-
-    /* use for background tasks */
-    ANDROID_PRIORITY_BACKGROUND     =  10,
-    
-    /* most threads run at normal priority */
-    ANDROID_PRIORITY_NORMAL         =   0,
-    
-    /* threads currently running a UI that the user is interacting with */
-    ANDROID_PRIORITY_FOREGROUND     =  -2,
-
-    /* the main UI thread has a slightly more favorable priority */
-    ANDROID_PRIORITY_DISPLAY        =  -4,
-    
-    /* ui service treads might want to run at a urgent display (uncommon) */
-    ANDROID_PRIORITY_URGENT_DISPLAY =  HAL_PRIORITY_URGENT_DISPLAY,
-    
-    /* all normal audio threads */
-    ANDROID_PRIORITY_AUDIO          = -16,
-    
-    /* service audio threads (uncommon) */
-    ANDROID_PRIORITY_URGENT_AUDIO   = -19,
-
-    /* should never be used in practice. regular process might not 
-     * be allowed to use this level */
-    ANDROID_PRIORITY_HIGHEST        = -20,
-
-    ANDROID_PRIORITY_DEFAULT        = ANDROID_PRIORITY_NORMAL,
-    ANDROID_PRIORITY_MORE_FAVORABLE = -1,
-    ANDROID_PRIORITY_LESS_FAVORABLE = +1,
-};
-
-enum {
-    ANDROID_TGROUP_DEFAULT          = 0,
-    ANDROID_TGROUP_BG_NONINTERACT   = 1,
-    ANDROID_TGROUP_FG_BOOST         = 2,
-    ANDROID_TGROUP_MAX              = ANDROID_TGROUP_FG_BOOST,
-};
-
-// Create and run a new thread.
-extern int androidCreateThread(android_thread_func_t, void *);
-
-// Create thread with lots of parameters
-extern int androidCreateThreadEtc(android_thread_func_t entryFunction,
-                                  void *userData,
-                                  const char* threadName,
-                                  int32_t threadPriority,
-                                  size_t threadStackSize,
-                                  android_thread_id_t *threadId);
-
-// Get some sort of unique identifier for the current thread.
-extern android_thread_id_t androidGetThreadId();
-
-// Low-level thread creation -- never creates threads that can
-// interact with the Java VM.
-extern int androidCreateRawThreadEtc(android_thread_func_t entryFunction,
-                                     void *userData,
-                                     const char* threadName,
-                                     int32_t threadPriority,
-                                     size_t threadStackSize,
-                                     android_thread_id_t *threadId);
-
-// Used by the Java Runtime to control how threads are created, so that
-// they can be proper and lovely Java threads.
-typedef int (*android_create_thread_fn)(android_thread_func_t entryFunction,
-                                        void *userData,
-                                        const char* threadName,
-                                        int32_t threadPriority,
-                                        size_t threadStackSize,
-                                        android_thread_id_t *threadId);
-
-extern void androidSetCreateThreadFunc(android_create_thread_fn func);
-
-// ------------------------------------------------------------------
-// Extra functions working with raw pids.
-
-// Get pid for the current thread.
-extern pid_t androidGetTid();
-
-// Change the scheduling group of a particular thread.  The group
-// should be one of the ANDROID_TGROUP constants.  Returns BAD_VALUE if
-// grp is out of range, else another non-zero value with errno set if
-// the operation failed.  Thread ID zero means current thread.
-extern int androidSetThreadSchedulingGroup(pid_t tid, int grp);
-
-// Change the priority AND scheduling group of a particular thread.  The priority
-// should be one of the ANDROID_PRIORITY constants.  Returns INVALID_OPERATION
-// if the priority set failed, else another value if just the group set failed;
-// in either case errno is set.  Thread ID zero means current thread.
-extern int androidSetThreadPriority(pid_t tid, int prio);
-
-// Get the current priority of a particular thread. Returns one of the
-// ANDROID_PRIORITY constants or a negative result in case of error.
-extern int androidGetThreadPriority(pid_t tid);
-
-// Get the current scheduling group of a particular thread. Normally returns
-// one of the ANDROID_TGROUP constants other than ANDROID_TGROUP_DEFAULT.
-// Returns ANDROID_TGROUP_DEFAULT if no pthread support (e.g. on host) or if
-// scheduling groups are disabled.  Returns INVALID_OPERATION if unexpected error.
-// Thread ID zero means current thread.
-extern int androidGetThreadSchedulingGroup(pid_t tid);
-
-#ifdef __cplusplus
-}
-#endif
-
-// ------------------------------------------------------------------
-// C++ API
-
-#ifdef __cplusplus
-
-#include <utils/Errors.h>
-#include <utils/RefBase.h>
-#include <utils/Timers.h>
-
-namespace android {
-
-typedef android_thread_id_t thread_id_t;
-
-typedef android_thread_func_t thread_func_t;
-
-enum {
-    PRIORITY_LOWEST         = ANDROID_PRIORITY_LOWEST,
-    PRIORITY_BACKGROUND     = ANDROID_PRIORITY_BACKGROUND,
-    PRIORITY_NORMAL         = ANDROID_PRIORITY_NORMAL,
-    PRIORITY_FOREGROUND     = ANDROID_PRIORITY_FOREGROUND,
-    PRIORITY_DISPLAY        = ANDROID_PRIORITY_DISPLAY,
-    PRIORITY_URGENT_DISPLAY = ANDROID_PRIORITY_URGENT_DISPLAY,
-    PRIORITY_AUDIO          = ANDROID_PRIORITY_AUDIO,
-    PRIORITY_URGENT_AUDIO   = ANDROID_PRIORITY_URGENT_AUDIO,
-    PRIORITY_HIGHEST        = ANDROID_PRIORITY_HIGHEST,
-    PRIORITY_DEFAULT        = ANDROID_PRIORITY_DEFAULT,
-    PRIORITY_MORE_FAVORABLE = ANDROID_PRIORITY_MORE_FAVORABLE,
-    PRIORITY_LESS_FAVORABLE = ANDROID_PRIORITY_LESS_FAVORABLE,
-};
-
-// Create and run a new thread.
-inline bool createThread(thread_func_t f, void *a) {
-    return androidCreateThread(f, a) ? true : false;
-}
-
-// Create thread with lots of parameters
-inline bool createThreadEtc(thread_func_t entryFunction,
-                            void *userData,
-                            const char* threadName = "android:unnamed_thread",
-                            int32_t threadPriority = PRIORITY_DEFAULT,
-                            size_t threadStackSize = 0,
-                            thread_id_t *threadId = 0)
-{
-    return androidCreateThreadEtc(entryFunction, userData, threadName,
-        threadPriority, threadStackSize, threadId) ? true : false;
-}
-
-// Get some sort of unique identifier for the current thread.
-inline thread_id_t getThreadId() {
-    return androidGetThreadId();
-}
-
-/*****************************************************************************/
-
-/*
- * Simple mutex class.  The implementation is system-dependent.
- *
- * The mutex must be unlocked by the thread that locked it.  They are not
- * recursive, i.e. the same thread can't lock it multiple times.
- */
-class Mutex {
-public:
-    enum {
-        PRIVATE = 0,
-        SHARED = 1
-    };
-    
-                Mutex();
-                Mutex(const char* name);
-                Mutex(int type, const char* name = NULL);
-                ~Mutex();
-
-    // lock or unlock the mutex
-    status_t    lock();
-    void        unlock();
-
-    // lock if possible; returns 0 on success, error otherwise
-    status_t    tryLock();
-
-    // Manages the mutex automatically. It'll be locked when Autolock is
-    // constructed and released when Autolock goes out of scope.
-    class Autolock {
-    public:
-        inline Autolock(Mutex& mutex) : mLock(mutex)  { mLock.lock(); }
-        inline Autolock(Mutex* mutex) : mLock(*mutex) { mLock.lock(); }
-        inline ~Autolock() { mLock.unlock(); }
-    private:
-        Mutex& mLock;
-    };
-
-private:
-    friend class Condition;
-    
-    // A mutex cannot be copied
-                Mutex(const Mutex&);
-    Mutex&      operator = (const Mutex&);
-    
-#if defined(HAVE_PTHREADS)
-    pthread_mutex_t mMutex;
-#else
-    void    _init();
-    void*   mState;
-#endif
-};
-
-#if defined(HAVE_PTHREADS)
-
-inline Mutex::Mutex() {
-    pthread_mutex_init(&mMutex, NULL);
-}
-inline Mutex::Mutex(const char* name) {
-    pthread_mutex_init(&mMutex, NULL);
-}
-inline Mutex::Mutex(int type, const char* name) {
-    if (type == SHARED) {
-        pthread_mutexattr_t attr;
-        pthread_mutexattr_init(&attr);
-        pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
-        pthread_mutex_init(&mMutex, &attr);
-        pthread_mutexattr_destroy(&attr);
-    } else {
-        pthread_mutex_init(&mMutex, NULL);
-    }
-}
-inline Mutex::~Mutex() {
-    pthread_mutex_destroy(&mMutex);
-}
-inline status_t Mutex::lock() {
-    return -pthread_mutex_lock(&mMutex);
-}
-inline void Mutex::unlock() {
-    pthread_mutex_unlock(&mMutex);
-}
-inline status_t Mutex::tryLock() {
-    return -pthread_mutex_trylock(&mMutex);
-}
-
-#endif // HAVE_PTHREADS
-
-/*
- * Automatic mutex.  Declare one of these at the top of a function.
- * When the function returns, it will go out of scope, and release the
- * mutex.
- */
- 
-typedef Mutex::Autolock AutoMutex;
-
-/*****************************************************************************/
-
-#if defined(HAVE_PTHREADS)
-
-/*
- * Simple mutex class.  The implementation is system-dependent.
- *
- * The mutex must be unlocked by the thread that locked it.  They are not
- * recursive, i.e. the same thread can't lock it multiple times.
- */
-class RWLock {
-public:
-    enum {
-        PRIVATE = 0,
-        SHARED = 1
-    };
-
-                RWLock();
-                RWLock(const char* name);
-                RWLock(int type, const char* name = NULL);
-                ~RWLock();
-
-    status_t    readLock();
-    status_t    tryReadLock();
-    status_t    writeLock();
-    status_t    tryWriteLock();
-    void        unlock();
-
-    class AutoRLock {
-    public:
-        inline AutoRLock(RWLock& rwlock) : mLock(rwlock)  { mLock.readLock(); }
-        inline ~AutoRLock() { mLock.unlock(); }
-    private:
-        RWLock& mLock;
-    };
-
-    class AutoWLock {
-    public:
-        inline AutoWLock(RWLock& rwlock) : mLock(rwlock)  { mLock.writeLock(); }
-        inline ~AutoWLock() { mLock.unlock(); }
-    private:
-        RWLock& mLock;
-    };
-
-private:
-    // A RWLock cannot be copied
-                RWLock(const RWLock&);
-   RWLock&      operator = (const RWLock&);
-
-   pthread_rwlock_t mRWLock;
-};
-
-inline RWLock::RWLock() {
-    pthread_rwlock_init(&mRWLock, NULL);
-}
-inline RWLock::RWLock(const char* name) {
-    pthread_rwlock_init(&mRWLock, NULL);
-}
-inline RWLock::RWLock(int type, const char* name) {
-    if (type == SHARED) {
-        pthread_rwlockattr_t attr;
-        pthread_rwlockattr_init(&attr);
-        pthread_rwlockattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
-        pthread_rwlock_init(&mRWLock, &attr);
-        pthread_rwlockattr_destroy(&attr);
-    } else {
-        pthread_rwlock_init(&mRWLock, NULL);
-    }
-}
-inline RWLock::~RWLock() {
-    pthread_rwlock_destroy(&mRWLock);
-}
-inline status_t RWLock::readLock() {
-    return -pthread_rwlock_rdlock(&mRWLock);
-}
-inline status_t RWLock::tryReadLock() {
-    return -pthread_rwlock_tryrdlock(&mRWLock);
-}
-inline status_t RWLock::writeLock() {
-    return -pthread_rwlock_wrlock(&mRWLock);
-}
-inline status_t RWLock::tryWriteLock() {
-    return -pthread_rwlock_trywrlock(&mRWLock);
-}
-inline void RWLock::unlock() {
-    pthread_rwlock_unlock(&mRWLock);
-}
-
-#endif // HAVE_PTHREADS
-
-/*****************************************************************************/
-
-/*
- * Condition variable class.  The implementation is system-dependent.
- *
- * Condition variables are paired up with mutexes.  Lock the mutex,
- * call wait(), then either re-wait() if things aren't quite what you want,
- * or unlock the mutex and continue.  All threads calling wait() must
- * use the same mutex for a given Condition.
- */
-class Condition {
-public:
-    enum {
-        PRIVATE = 0,
-        SHARED = 1
-    };
-
-    Condition();
-    Condition(int type);
-    ~Condition();
-    // Wait on the condition variable.  Lock the mutex before calling.
-    status_t wait(Mutex& mutex);
-    // same with relative timeout
-    status_t waitRelative(Mutex& mutex, nsecs_t reltime);
-    // Signal the condition variable, allowing one thread to continue.
-    void signal();
-    // Signal the condition variable, allowing all threads to continue.
-    void broadcast();
-
-private:
-#if defined(HAVE_PTHREADS)
-    pthread_cond_t mCond;
-#else
-    void*   mState;
-#endif
-};
-
-#if defined(HAVE_PTHREADS)
-
-inline Condition::Condition() {
-    pthread_cond_init(&mCond, NULL);
-}
-inline Condition::Condition(int type) {
-    if (type == SHARED) {
-        pthread_condattr_t attr;
-        pthread_condattr_init(&attr);
-        pthread_condattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
-        pthread_cond_init(&mCond, &attr);
-        pthread_condattr_destroy(&attr);
-    } else {
-        pthread_cond_init(&mCond, NULL);
-    }
-}
-inline Condition::~Condition() {
-    pthread_cond_destroy(&mCond);
-}
-inline status_t Condition::wait(Mutex& mutex) {
-    return -pthread_cond_wait(&mCond, &mutex.mMutex);
-}
-inline status_t Condition::waitRelative(Mutex& mutex, nsecs_t reltime) {
-#if defined(HAVE_PTHREAD_COND_TIMEDWAIT_RELATIVE)
-    struct timespec ts;
-    ts.tv_sec  = reltime/1000000000;
-    ts.tv_nsec = reltime%1000000000;
-    return -pthread_cond_timedwait_relative_np(&mCond, &mutex.mMutex, &ts);
-#else // HAVE_PTHREAD_COND_TIMEDWAIT_RELATIVE
-    struct timespec ts;
-#if defined(HAVE_POSIX_CLOCKS)
-    clock_gettime(CLOCK_REALTIME, &ts);
-#else // HAVE_POSIX_CLOCKS
-    // we don't support the clocks here.
-    struct timeval t;
-    gettimeofday(&t, NULL);
-    ts.tv_sec = t.tv_sec;
-    ts.tv_nsec= t.tv_usec*1000;
-#endif // HAVE_POSIX_CLOCKS
-    ts.tv_sec += reltime/1000000000;
-    ts.tv_nsec+= reltime%1000000000;
-    if (ts.tv_nsec >= 1000000000) {
-        ts.tv_nsec -= 1000000000;
-        ts.tv_sec  += 1;
-    }
-    return -pthread_cond_timedwait(&mCond, &mutex.mMutex, &ts);
-#endif // HAVE_PTHREAD_COND_TIMEDWAIT_RELATIVE
-}
-inline void Condition::signal() {
-    pthread_cond_signal(&mCond);
-}
-inline void Condition::broadcast() {
-    pthread_cond_broadcast(&mCond);
-}
-
-#endif // HAVE_PTHREADS
-
-/*****************************************************************************/
-
-/*
- * This is our spiffy thread object!
- */
-
-class Thread : virtual public RefBase
-{
-public:
-    // Create a Thread object, but doesn't create or start the associated
-    // thread. See the run() method.
-                        Thread(bool canCallJava = true);
-    virtual             ~Thread();
-
-    // Start the thread in threadLoop() which needs to be implemented.
-    virtual status_t    run(    const char* name = 0,
-                                int32_t priority = PRIORITY_DEFAULT,
-                                size_t stack = 0);
-    
-    // Ask this object's thread to exit. This function is asynchronous, when the
-    // function returns the thread might still be running. Of course, this
-    // function can be called from a different thread.
-    virtual void        requestExit();
-
-    // Good place to do one-time initializations
-    virtual status_t    readyToRun();
-    
-    // Call requestExit() and wait until this object's thread exits.
-    // BE VERY CAREFUL of deadlocks. In particular, it would be silly to call
-    // this function from this object's thread. Will return WOULD_BLOCK in
-    // that case.
-            status_t    requestExitAndWait();
-
-    // Wait until this object's thread exits. Returns immediately if not yet running.
-    // Do not call from this object's thread; will return WOULD_BLOCK in that case.
-            status_t    join();
-
-protected:
-    // exitPending() returns true if requestExit() has been called.
-            bool        exitPending() const;
-    
-private:
-    // Derived class must implement threadLoop(). The thread starts its life
-    // here. There are two ways of using the Thread object:
-    // 1) loop: if threadLoop() returns true, it will be called again if
-    //          requestExit() wasn't called.
-    // 2) once: if threadLoop() returns false, the thread will exit upon return.
-    virtual bool        threadLoop() = 0;
-
-private:
-    Thread& operator=(const Thread&);
-    static  int             _threadLoop(void* user);
-    const   bool            mCanCallJava;
-    // always hold mLock when reading or writing
-            thread_id_t     mThread;
-    mutable Mutex           mLock;
-            Condition       mThreadExitedCondition;
-            status_t        mStatus;
-    // note that all accesses of mExitPending and mRunning need to hold mLock
-    volatile bool           mExitPending;
-    volatile bool           mRunning;
-            sp<Thread>      mHoldSelf;
-#if HAVE_ANDROID_OS
-            int             mTid;
-#endif
-};
-
-
-}; // namespace android
-
-#endif  // __cplusplus
-
-#endif // _LIBS_UTILS_THREADS_H
diff --git a/media/omx-plugin/kk/OmxPluginKitKat.cpp b/media/omx-plugin/kk/OmxPluginKitKat.cpp
deleted file mode 100644
index d33552c158..0000000000
--- a/media/omx-plugin/kk/OmxPluginKitKat.cpp
+++ /dev/null
@@ -1,8 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#define MOZ_STAGEFRIGHT_OFF_T off64_t
-#define MOZ_ANDROID_KK
-#include "../OmxPlugin.cpp"
diff --git a/media/omx-plugin/kk/moz.build b/media/omx-plugin/kk/moz.build
deleted file mode 100644
index b2d2d942dd..0000000000
--- a/media/omx-plugin/kk/moz.build
+++ /dev/null
@@ -1,32 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOURCES += [
-    'OmxPluginKitKat.cpp',
-]
-
-SharedLibrary('omxpluginkk')
-
-LOCAL_INCLUDES += [
-    '../include/ics',
-    '../include/ics/media/stagefright/openmax',
-]
-
-USE_LIBS += [
-    '/media/omx-plugin/lib/ics/libstagefright/stagefright',
-    '/media/omx-plugin/lib/ics/libutils/utils',
-    'videoeditorplayer',
-]
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
-
-# Suppress warnings in third-party code.
-CXXFLAGS += [
-    '-Wno-multichar',
-    '-Wno-shadow',
-]
diff --git a/media/omx-plugin/lib/ics/libstagefright/libstagefright.cpp b/media/omx-plugin/lib/ics/libstagefright/libstagefright.cpp
deleted file mode 100644
index a998c4a569..0000000000
--- a/media/omx-plugin/lib/ics/libstagefright/libstagefright.cpp
+++ /dev/null
@@ -1,193 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Types.h"
-#define STAGEFRIGHT_EXPORT __attribute__ ((visibility ("default")))
-#include "stagefright/ColorConverter.h"
-#include "stagefright/DataSource.h"
-#include "media/stagefright/MediaBuffer.h"
-#include "stagefright/MediaExtractor.h"
-#include "media/stagefright/MediaSource.h"
-#include "stagefright/MetaData.h"
-#include "media/stagefright/openmax/OMX_Types.h"
-#include "media/stagefright/openmax/OMX_Index.h"
-#include "media/stagefright/openmax/OMX_IVCommon.h"
-#include "media/stagefright/openmax/OMX_Video.h"
-#include "media/stagefright/openmax/OMX_Core.h"
-#include "stagefright/OMXCodec.h"
-#include "stagefright/OMXClient.h"
-
-namespace android {
-MOZ_EXPORT void
-MediaBuffer::release()
-{
-}
-
-MOZ_EXPORT size_t
-MediaBuffer::range_offset() const
-{
-  return 0;
-}
-
-MOZ_EXPORT size_t
-MediaBuffer::range_length() const
-{
-  return 0;
-}
-
-MOZ_EXPORT sp<MetaData>
-MediaBuffer::meta_data()
-{
-  return 0;
-}
-
-MOZ_EXPORT void*
-MediaBuffer::data() const
-{
-  return 0;
-}
-
-MOZ_EXPORT size_t
-MediaBuffer::size() const
-{
-  return 0;
-}
-
-MOZ_EXPORT bool
-MetaData::findInt32(uint32_t key, int32_t *value)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::setInt32(uint32_t, int32_t)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::findInt64(uint32_t key, int64_t *value)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::findPointer(uint32_t key, void **value)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::findCString(uint32_t key, const char **value)
-{
-  return false;
-}
-
-MOZ_EXPORT bool
-MetaData::findRect(unsigned int key, int *cropLeft, int *cropTop,
-                   int *cropRight, int *cropBottom)
-{
-  abort();
-}
-
-MOZ_EXPORT MediaSource::ReadOptions::ReadOptions()
-{
-}
-
-MOZ_EXPORT void
-MediaSource::ReadOptions::setSeekTo(int64_t time_us, SeekMode mode)
-{
-}
-
-MOZ_EXPORT sp<DataSource> DataSource::CreateFromURI(
-          const char *uri,
-          const KeyedVector<String8, String8> *headers) {
-  return 0;
-}
-
-MOZ_EXPORT bool
-DataSource::getUInt16(off64_t offset, uint16_t *x)
-{
-  return false;
-}
-
-MOZ_EXPORT status_t
-DataSource::getSize(off64_t *size)
-{
-  return 0;
-}
-
-MOZ_EXPORT String8
-DataSource::getMIMEType() const
-{
-  return String8();
-}
-
-MOZ_EXPORT void
-DataSource::RegisterDefaultSniffers()
-{
-}
-
-MOZ_EXPORT sp<MediaExtractor>
-MediaExtractor::Create(const sp<DataSource> &source, const char *mime)
-{
-  return 0;
-}
-
-MOZ_EXPORT sp<MediaSource>
-OMXCodec::Create(
-            const sp<IOMX> &omx,
-            const sp<MetaData> &meta, bool createEncoder,
-            const sp<MediaSource> &source,
-            const char *matchComponentName,
-            uint32_t flags,
-            const sp<ANativeWindow> &nativeWindow)
-{
-  return 0;
-}
-
-MOZ_EXPORT OMXClient::OMXClient()
-{
-}
-
-MOZ_EXPORT status_t OMXClient::connect()
-{
-  return OK;
-}
-
-MOZ_EXPORT void OMXClient::disconnect()
-{
-}
-
-MOZ_EXPORT
-ColorConverter::ColorConverter(OMX_COLOR_FORMATTYPE, OMX_COLOR_FORMATTYPE) { }
-
-MOZ_EXPORT
-ColorConverter::~ColorConverter() { }
-
-MOZ_EXPORT bool
-ColorConverter::isValid() const { return false; }
-
-MOZ_EXPORT status_t
-ColorConverter::convert(const void *srcBits,
-                        size_t srcWidth, size_t srcHeight,
-                        size_t srcCropLeft, size_t srcCropTop,
-                        size_t srcCropRight, size_t srcCropBottom,
-                        void *dstBits,
-                        size_t dstWidth, size_t dstHeight,
-                        size_t dstCropLeft, size_t dstCropTop,
-                        size_t dstCropRight, size_t dstCropBottom)
-{
-  return 0;
-}
-
-MOZ_EXPORT status_t QueryCodecs(const sp<IOMX> &omx,
-                                const char *mimeType, bool queryDecoders,
-                                Vector<CodecCapabilities> *results)
-{
-  return 0;
-}
-
-}
diff --git a/media/omx-plugin/lib/ics/libstagefright/moz.build b/media/omx-plugin/lib/ics/libstagefright/moz.build
deleted file mode 100644
index b156d151e2..0000000000
--- a/media/omx-plugin/lib/ics/libstagefright/moz.build
+++ /dev/null
@@ -1,32 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-DIST_INSTALL = False
-
-SOURCES += [
-    'libstagefright.cpp',
-]
-# Some codec-related code uses multi-character constants; allow this.
-# XXX: could instead use the FOURCC macro to define these constants.
-if CONFIG['GNU_CC'] or CONFIG['CLANG_CL']:
-    SOURCES['libstagefright.cpp'].flags += ['-Wno-error=multichar']
-
-SharedLibrary('stagefright')
-
-LOCAL_INCLUDES += [
-    '/media/omx-plugin/include/ics',
-    '/media/omx-plugin/include/ics/media/stagefright/openmax',
-]
-
-USE_LIBS += [
-    '/media/omx-plugin/lib/ics/libutils/utils',
-]
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
-
-if CONFIG['GNU_CXX']:
-    CXXFLAGS += ['-Wno-shadow']
diff --git a/media/omx-plugin/lib/ics/libutils/libutils.cpp b/media/omx-plugin/lib/ics/libutils/libutils.cpp
deleted file mode 100644
index 67f5a540a8..0000000000
--- a/media/omx-plugin/lib/ics/libutils/libutils.cpp
+++ /dev/null
@@ -1,84 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Types.h"
-#include "utils/RefBase.h"
-#include "utils/String16.h"
-#include "utils/String8.h"
-#include "utils/Vector.h"
-
-namespace android {
-MOZ_EXPORT RefBase::RefBase() : mRefs(0)
-{
-}
-
-MOZ_EXPORT RefBase::~RefBase()
-{
-}
-
-MOZ_EXPORT void RefBase::incStrong(const void *id) const
-{
-}
-
-MOZ_EXPORT void RefBase::decStrong(const void *id) const
-{
-}
-
-MOZ_EXPORT void RefBase::onFirstRef()
-{
-}
-
-MOZ_EXPORT void RefBase::onLastStrongRef(const void* id)
-{
-}
-
-MOZ_EXPORT bool RefBase::onIncStrongAttempted(uint32_t flags, const void* id)
-{
-  return false;
-}
-
-MOZ_EXPORT void RefBase::onLastWeakRef(void const* id)
-{
-}
-
-MOZ_EXPORT String16::String16(char const*)
-{
-}
-
-MOZ_EXPORT String16::~String16()
-{
-}
-
-MOZ_EXPORT String8::String8()
-{
-}
-
-MOZ_EXPORT String8::String8(const String8 &)
-{
-}
-
-MOZ_EXPORT String8::~String8()
-{
-}
-
-MOZ_EXPORT VectorImpl::VectorImpl(size_t, uint32_t)
-  : mFlags(0), mItemSize(0)
-{
-}
-
-MOZ_EXPORT VectorImpl::VectorImpl(const VectorImpl &)
-  : mFlags(0), mItemSize(0)
-{
-}
-
-MOZ_EXPORT VectorImpl::~VectorImpl()
-{
-}
-
-MOZ_EXPORT void VectorImpl::finish_vector()
-{
-}
-
-}
diff --git a/media/omx-plugin/lib/ics/libutils/moz.build b/media/omx-plugin/lib/ics/libutils/moz.build
deleted file mode 100644
index 7fa617fb38..0000000000
--- a/media/omx-plugin/lib/ics/libutils/moz.build
+++ /dev/null
@@ -1,24 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-DIST_INSTALL = False
-
-SOURCES += [
-    'libutils.cpp',
-]
-
-SharedLibrary('utils')
-
-LOCAL_INCLUDES += [
-    '/media/omx-plugin/include/ics',
-    '/media/omx-plugin/include/ics/media/stagefright/openmax',
-]
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
-
-if CONFIG['GNU_CXX']:
-    CXXFLAGS += ['-Wno-shadow']
diff --git a/media/omx-plugin/lib/ics/libvideoeditorplayer/libvideoeditorplayer.cpp b/media/omx-plugin/lib/ics/libvideoeditorplayer/libvideoeditorplayer.cpp
deleted file mode 100644
index 2c491aeb9e..0000000000
--- a/media/omx-plugin/lib/ics/libvideoeditorplayer/libvideoeditorplayer.cpp
+++ /dev/null
@@ -1,23 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim:set ts=2 sw=2 sts=2 et cindent: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "mozilla/Types.h"
-#include "I420ColorConverter.h"
-
-MOZ_EXPORT
-I420ColorConverter::I420ColorConverter()
-{
-}
-
-MOZ_EXPORT
-I420ColorConverter::~I420ColorConverter()
-{
-}
-
-MOZ_EXPORT bool
-I420ColorConverter::isLoaded()
-{
-  return false;
-}
diff --git a/media/omx-plugin/lib/ics/libvideoeditorplayer/moz.build b/media/omx-plugin/lib/ics/libvideoeditorplayer/moz.build
deleted file mode 100644
index f05f0f3c90..0000000000
--- a/media/omx-plugin/lib/ics/libvideoeditorplayer/moz.build
+++ /dev/null
@@ -1,20 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-DIST_INSTALL = False
-
-SOURCES += [
-    'libvideoeditorplayer.cpp',
-]
-
-SharedLibrary('videoeditorplayer')
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
-
-LOCAL_INCLUDES += [
-    '/media/omx-plugin/include/ics',
-]
diff --git a/media/omx-plugin/moz.build b/media/omx-plugin/moz.build
deleted file mode 100644
index 004a8bdba0..0000000000
--- a/media/omx-plugin/moz.build
+++ /dev/null
@@ -1,43 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# Copyright 2013 Mozilla Foundation and Mozilla contributors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-SOURCES += [
-    'OmxPlugin.cpp',
-]
-
-SharedLibrary('omxplugin')
-
-LOCAL_INCLUDES += [
-    'include/ics',
-    'include/ics/media/stagefright/openmax',
-]
-
-if CONFIG['GNU_CXX']:
-    # Stagefright header files define many multichar constants.
-    CXXFLAGS += [
-        '-Wno-multichar',
-        '-Wno-shadow',
-    ]
-
-USE_LIBS += [
-    '/media/omx-plugin/lib/ics/libstagefright/stagefright',
-    '/media/omx-plugin/lib/ics/libutils/utils',
-    'videoeditorplayer',
-]
-
-# Don't use STL wrappers; this isn't Gecko code
-DISABLE_STL_WRAPPING = True
-NO_VISIBILITY_FLAGS = True
diff --git a/modules/libmar/sign/mar_sign.c b/modules/libmar/sign/mar_sign.c
index 84319651db..182f387d92 100644
--- a/modules/libmar/sign/mar_sign.c
+++ b/modules/libmar/sign/mar_sign.c
@@ -534,6 +534,7 @@ extract_signature(const char *src, uint32_t sigIndex, const char * dest)
   for (i = 0; i <= sigIndex; i++) {
     /* Avoid leaking while skipping signatures */
     free(extractedSignature);
+    extractedSignature = NULL;
 
     /* skip past the signature algorithm ID */
     if (fseeko(fpSrc, sizeof(uint32_t), SEEK_CUR)) {
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 378745ea4c..a841bde553 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -23,7 +23,7 @@ pref("keyword.enabled", false);
 pref("general.useragent.locale", "chrome://global/locale/intl.properties");
 pref("general.useragent.compatMode.gecko", false);
 pref("general.useragent.compatMode.firefox", false);
-pref("general.useragent.compatMode.version", "52.9");
+pref("general.useragent.compatMode.version", "60.9");
 pref("general.useragent.appVersionIsBuildID", false);
 
 // This pref exists only for testing purposes. In order to disable all
@@ -362,9 +362,6 @@ pref("media.play-stand-alone", true);
 pref("media.hardware-video-decoding.enabled", true);
 pref("media.hardware-video-decoding.force-enabled", false);
 
-#ifdef MOZ_DIRECTSHOW
-pref("media.directshow.enabled", true);
-#endif
 #ifdef MOZ_FMP4
 pref("media.mp4.enabled", true);
 // Specifies whether the PDMFactory can create a test decoder that
@@ -4898,30 +4895,6 @@ pref("dom.browserElement.maxScreenshotDelayMS", 2000);
 // Whether we should show the placeholder when the element is focused but empty.
 pref("dom.placeholder.show_on_focus", true);
 
-// VR is disabled by default in release and enabled for nightly and aurora
-#ifdef RELEASE_OR_BETA
-pref("dom.vr.enabled", false);
-#else
-pref("dom.vr.enabled", true);
-#endif
-pref("dom.vr.oculus.enabled", true);
-// OSVR device
-pref("dom.vr.osvr.enabled", false);
-// OpenVR device
-pref("dom.vr.openvr.enabled", false);
-// Pose prediction reduces latency effects by returning future predicted HMD
-// poses to callers of the WebVR API.  This currently only has an effect for
-// Oculus Rift on SDK 0.8 or greater.  It is disabled by default for now due to
-// frame uniformity issues with e10s.
-pref("dom.vr.poseprediction.enabled", false);
-// path to openvr DLL
-pref("gfx.vr.openvr-runtime", "");
-// path to OSVR DLLs
-pref("gfx.vr.osvr.utilLibPath", "");
-pref("gfx.vr.osvr.commonLibPath", "");
-pref("gfx.vr.osvr.clientLibPath", "");
-pref("gfx.vr.osvr.clientKitLibPath", "");
-
 // MMS UA Profile settings
 pref("wap.UAProf.url", "");
 pref("wap.UAProf.tagname", "x-wap-profile");
@@ -5269,7 +5242,7 @@ pref("browser.search.official", true);
 //pref("media.gmp-manager.url.override", "");
 
 // Update service URL for GMP install/updates:
-pref("media.gmp-manager.url", "https://aus5.mozilla.org/update/3/GMP/55.0/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml");
+pref("media.gmp-manager.url", "https://aus5.mozilla.org/update/3/GMP/60.0/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml");
 
 // When |media.gmp-manager.cert.requireBuiltIn| is true or not specified the
 // final certificate and all certificates the connection is redirected to before
diff --git a/netwerk/base/LoadInfo.cpp b/netwerk/base/LoadInfo.cpp
index ebe9d47031..d57f644dfe 100644
--- a/netwerk/base/LoadInfo.cpp
+++ b/netwerk/base/LoadInfo.cpp
@@ -67,6 +67,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
   , mForcePreflight(false)
   , mIsPreflight(false)
   , mLoadTriggeredFromExternal(false)
+  , mIsFromProcessingFrameAttributes(false)
 {
   MOZ_ASSERT(mLoadingPrincipal);
   MOZ_ASSERT(mTriggeringPrincipal);
@@ -241,6 +242,7 @@ LoadInfo::LoadInfo(nsPIDOMWindowOuter* aOuterWindow,
   , mForcePreflight(false)
   , mIsPreflight(false)
   , mLoadTriggeredFromExternal(false)
+  , mIsFromProcessingFrameAttributes(false)
 {
   // Top-level loads are never third-party
   // Grab the information we can out of the window.
@@ -304,6 +306,7 @@ LoadInfo::LoadInfo(const LoadInfo& rhs)
   , mForcePreflight(rhs.mForcePreflight)
   , mIsPreflight(rhs.mIsPreflight)
   , mLoadTriggeredFromExternal(rhs.mLoadTriggeredFromExternal)
+  , mIsFromProcessingFrameAttributes(rhs.mIsFromProcessingFrameAttributes)
 {
 }
 
@@ -355,6 +358,7 @@ LoadInfo::LoadInfo(nsIPrincipal* aLoadingPrincipal,
   , mForcePreflight(aForcePreflight)
   , mIsPreflight(aIsPreflight)
   , mLoadTriggeredFromExternal(aLoadTriggeredFromExternal)
+  , mIsFromProcessingFrameAttributes(false)
 {
   // Only top level TYPE_DOCUMENT loads can have a null loadingPrincipal
   MOZ_ASSERT(mLoadingPrincipal || aContentPolicyType == nsIContentPolicy::TYPE_DOCUMENT);
@@ -970,5 +974,19 @@ LoadInfo::GetIsTopLevelLoad(bool *aResult)
   return NS_OK;
 }
 
+void
+LoadInfo::SetIsFromProcessingFrameAttributes()
+{
+  mIsFromProcessingFrameAttributes = true;
+}
+
+NS_IMETHODIMP
+LoadInfo::GetIsFromProcessingFrameAttributes(bool *aIsFromProcessingFrameAttributes)
+{
+  MOZ_ASSERT(aIsFromProcessingFrameAttributes);
+  *aIsFromProcessingFrameAttributes = mIsFromProcessingFrameAttributes;
+  return NS_OK;
+}
+
 } // namespace net
 } // namespace mozilla
diff --git a/netwerk/base/LoadInfo.h b/netwerk/base/LoadInfo.h
index 2b1e8c9e8e..a4ec25a9d3 100644
--- a/netwerk/base/LoadInfo.h
+++ b/netwerk/base/LoadInfo.h
@@ -81,6 +81,7 @@ public:
 
   void SetIsPreflight();
   void SetUpgradeInsecureRequests();
+  void SetIsFromProcessingFrameAttributes();
 
 private:
   // private constructor that is only allowed to be called from within
@@ -157,6 +158,11 @@ private:
   bool                             mForcePreflight;
   bool                             mIsPreflight;
   bool                             mLoadTriggeredFromExternal;
+
+  // Is true if this load was triggered by processing the attributes of the
+  // browsing context container.
+  // See nsILoadInfo.isFromProcessingFrameAttributes
+  bool                             mIsFromProcessingFrameAttributes;
 };
 
 } // namespace net
diff --git a/netwerk/base/nsILoadInfo.idl b/netwerk/base/nsILoadInfo.idl
index bc609c3177..fc1aadd932 100644
--- a/netwerk/base/nsILoadInfo.idl
+++ b/netwerk/base/nsILoadInfo.idl
@@ -740,4 +740,11 @@ interface nsILoadInfo : nsISupports
    * Note that the load for a sub-frame's document will return false here.
    */
   [infallible] readonly attribute boolean isTopLevelLoad;
+
+  /**
+   * This attribute will be true if this is a load triggered by
+   * https://html.spec.whatwg.org/multipage/iframe-embed-object.html#process-the-iframe-attributes
+   * or https://html.spec.whatwg.org/multipage/obsolete.html#process-the-frame-attributes
+   */
+  [infallible] readonly attribute boolean isFromProcessingFrameAttributes;
 };
diff --git a/netwerk/ipc/NeckoChannelParams.ipdlh b/netwerk/ipc/NeckoChannelParams.ipdlh
index 2633ef608e..2896f427d1 100644
--- a/netwerk/ipc/NeckoChannelParams.ipdlh
+++ b/netwerk/ipc/NeckoChannelParams.ipdlh
@@ -56,6 +56,7 @@ struct LoadInfoArgs
   bool                  forcePreflight;
   bool                  isPreflight;
   bool                  loadTriggeredFromExternal;
+  bool                  isFromProcessingFrameAttributes;
 };
 
 /**
diff --git a/netwerk/protocol/http/HttpBaseChannel.cpp b/netwerk/protocol/http/HttpBaseChannel.cpp
index 03123ceb08..21b661c2bc 100644
--- a/netwerk/protocol/http/HttpBaseChannel.cpp
+++ b/netwerk/protocol/http/HttpBaseChannel.cpp
@@ -3676,14 +3676,17 @@ HttpBaseChannel::GetPerformance()
     return nullptr;
   }
 
-  // We only add to the document's performance object if it has the same
-  // principal as the one triggering the load. This is to prevent navigations
-  // triggered _by_ the iframe from showing up in the parent document's
-  // performance entries if they have different origins.
   if (!mLoadInfo->TriggeringPrincipal()->Equals(loadingDocument->NodePrincipal())) {
     return nullptr;
   }
 
+  if (mLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_SUBDOCUMENT &&
+      !mLoadInfo->GetIsFromProcessingFrameAttributes()) {
+    // We only report loads caused by processing the attributes of the
+    // browsing context container.
+    return nullptr;
+  }
+
   nsCOMPtr<nsPIDOMWindowInner> innerWindow = loadingDocument->GetInnerWindow();
   if (!innerWindow) {
     return nullptr;
diff --git a/netwerk/protocol/http/nsHttpPipeline.cpp b/netwerk/protocol/http/nsHttpPipeline.cpp
index 293de8e39c..4f5777244f 100644
--- a/netwerk/protocol/http/nsHttpPipeline.cpp
+++ b/netwerk/protocol/http/nsHttpPipeline.cpp
@@ -291,6 +291,11 @@ nsHttpPipeline::PushBack(const char *data, uint32_t length)
     MOZ_ASSERT(PR_GetCurrentThread() == gSocketThread);
     MOZ_ASSERT(mPushBackLen == 0, "push back buffer already has data!");
 
+    // Some bad behaving proxies may yank the connection out from under us.
+    // Check if we still have a connection to work with.
+    if (!mConnection)
+      return NS_ERROR_FAILURE;
+
     // If we have no chance for a pipeline (e.g. due to an Upgrade)
     // then push this data down to original connection
     if (!mConnection->IsPersistent())
diff --git a/nsprpub/TAG-INFO b/nsprpub/TAG-INFO
deleted file mode 100644
index ed713edea7..0000000000
--- a/nsprpub/TAG-INFO
+++ /dev/null
@@ -1 +0,0 @@
-NSPR_4_19_RTM
diff --git a/nsprpub/configure b/nsprpub/configure
index 619d193ae8..ce2543ed76 100755
--- a/nsprpub/configure
+++ b/nsprpub/configure
@@ -2488,7 +2488,7 @@ test -n "$target_alias" &&
   program_prefix=${target_alias}-
 
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=19
+MOD_MINOR_VERSION=20
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
diff --git a/nsprpub/configure.in b/nsprpub/configure.in
index ea0ae7f8ea..cbd22b42e8 100644
--- a/nsprpub/configure.in
+++ b/nsprpub/configure.in
@@ -15,7 +15,7 @@ dnl ========================================================
 dnl = Defaults
 dnl ========================================================
 MOD_MAJOR_VERSION=4
-MOD_MINOR_VERSION=19
+MOD_MINOR_VERSION=20
 MOD_PATCH_VERSION=0
 NSPR_MODNAME=nspr20
 _HAVE_PTHREADS=
@@ -2106,6 +2106,10 @@ tools are selected during the Xcode/Developer Tools installation.])
 	    AC_DEFINE(_AMD64_)
 	    USE_64=1
 	    ;;
+    aarch64)
+	    AC_DEFINE(_ARM64_)
+	    USE_64=1
+	    ;;
     ia64)
 	    AC_DEFINE(_IA64_)
 	    USE_64=1
diff --git a/nsprpub/lib/ds/plarena.h b/nsprpub/lib/ds/plarena.h
index 5336a0e4d4..0ca00c0ac1 100644
--- a/nsprpub/lib/ds/plarena.h
+++ b/nsprpub/lib/ds/plarena.h
@@ -95,13 +95,24 @@ struct PLArenaPool {
 
 #if defined(PL_SANITIZE_ADDRESS)
 
+#if defined(_MSC_VER)
+/* We can't use dllimport due to DLL linkage mismatch with
+ * sanitizer/asan_interface.h.
+ */
+#define PL_ASAN_VISIBILITY(type_) type_
+#else
+#define PL_ASAN_VISIBILITY(type_) PR_IMPORT(type_)
+#endif
+
 /* These definitions are usually provided through the
  * sanitizer/asan_interface.h header installed by ASan.
  * See https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning
  */
 
-PR_IMPORT(void) __asan_poison_memory_region(void const volatile *addr, size_t size);
-PR_IMPORT(void) __asan_unpoison_memory_region(void const volatile *addr, size_t size);
+PL_ASAN_VISIBILITY(void) __asan_poison_memory_region(
+    void const volatile *addr, size_t size);
+PL_ASAN_VISIBILITY(void) __asan_unpoison_memory_region(
+    void const volatile *addr, size_t size);
 
 #define PL_MAKE_MEM_NOACCESS(addr, size) \
     __asan_poison_memory_region((addr), (size))
diff --git a/nsprpub/pr/include/md/_linux.cfg b/nsprpub/pr/include/md/_linux.cfg
index b4c0ed427b..afc407c47a 100644
--- a/nsprpub/pr/include/md/_linux.cfg
+++ b/nsprpub/pr/include/md/_linux.cfg
@@ -1020,6 +1020,98 @@
 #define PR_BYTES_PER_WORD_LOG2   2
 #define PR_BYTES_PER_DWORD_LOG2  3
 
+#elif defined(__riscv) && (__riscv_xlen == 32)
+
+#undef  IS_BIG_ENDIAN
+#define IS_LITTLE_ENDIAN 1
+#undef  IS_64
+
+#define PR_BYTES_PER_BYTE   1
+#define PR_BYTES_PER_SHORT  2
+#define PR_BYTES_PER_INT    4
+#define PR_BYTES_PER_INT64  8
+#define PR_BYTES_PER_LONG   4
+#define PR_BYTES_PER_FLOAT  4
+#define PR_BYTES_PER_DOUBLE 8
+#define PR_BYTES_PER_WORD   4
+#define PR_BYTES_PER_DWORD  8
+
+#define PR_BITS_PER_BYTE    8
+#define PR_BITS_PER_SHORT   16
+#define PR_BITS_PER_INT     32
+#define PR_BITS_PER_INT64   64
+#define PR_BITS_PER_LONG    32
+#define PR_BITS_PER_FLOAT   32
+#define PR_BITS_PER_DOUBLE  64
+#define PR_BITS_PER_WORD    32
+
+#define PR_BITS_PER_BYTE_LOG2   3
+#define PR_BITS_PER_SHORT_LOG2  4
+#define PR_BITS_PER_INT_LOG2    5
+#define PR_BITS_PER_INT64_LOG2  6
+#define PR_BITS_PER_LONG_LOG2   5
+#define PR_BITS_PER_FLOAT_LOG2  5
+#define PR_BITS_PER_DOUBLE_LOG2 6
+#define PR_BITS_PER_WORD_LOG2   5
+
+#define PR_ALIGN_OF_SHORT   2
+#define PR_ALIGN_OF_INT     4
+#define PR_ALIGN_OF_LONG    4
+#define PR_ALIGN_OF_INT64   8
+#define PR_ALIGN_OF_FLOAT   4
+#define PR_ALIGN_OF_DOUBLE  8
+#define PR_ALIGN_OF_POINTER 4
+#define PR_ALIGN_OF_WORD    4
+
+#define PR_BYTES_PER_WORD_LOG2  2
+#define PR_BYTES_PER_DWORD_LOG2 3
+
+#elif defined(__riscv) && (__riscv_xlen == 64)
+
+#undef  IS_BIG_ENDIAN
+#define IS_LITTLE_ENDIAN 1
+#define IS_64
+
+#define PR_BYTES_PER_BYTE   1
+#define PR_BYTES_PER_SHORT  2
+#define PR_BYTES_PER_INT    4
+#define PR_BYTES_PER_INT64  8
+#define PR_BYTES_PER_LONG   8
+#define PR_BYTES_PER_FLOAT  4
+#define PR_BYTES_PER_DOUBLE 8
+#define PR_BYTES_PER_WORD   8
+#define PR_BYTES_PER_DWORD  8
+
+#define PR_BITS_PER_BYTE    8
+#define PR_BITS_PER_SHORT   16
+#define PR_BITS_PER_INT     32
+#define PR_BITS_PER_INT64   64
+#define PR_BITS_PER_LONG    64
+#define PR_BITS_PER_FLOAT   32
+#define PR_BITS_PER_DOUBLE  64
+#define PR_BITS_PER_WORD    64
+
+#define PR_BITS_PER_BYTE_LOG2   3
+#define PR_BITS_PER_SHORT_LOG2  4
+#define PR_BITS_PER_INT_LOG2    5
+#define PR_BITS_PER_INT64_LOG2  6
+#define PR_BITS_PER_LONG_LOG2   6
+#define PR_BITS_PER_FLOAT_LOG2  5
+#define PR_BITS_PER_DOUBLE_LOG2 6
+#define PR_BITS_PER_WORD_LOG2   6
+
+#define PR_ALIGN_OF_SHORT   2
+#define PR_ALIGN_OF_INT     4
+#define PR_ALIGN_OF_LONG    8
+#define PR_ALIGN_OF_INT64   8
+#define PR_ALIGN_OF_FLOAT   4
+#define PR_ALIGN_OF_DOUBLE  8
+#define PR_ALIGN_OF_POINTER 8
+#define PR_ALIGN_OF_WORD    8
+
+#define PR_BYTES_PER_WORD_LOG2  3
+#define PR_BYTES_PER_DWORD_LOG2 3
+
 #else
 
 #error "Unknown CPU architecture"
diff --git a/nsprpub/pr/include/md/_linux.h b/nsprpub/pr/include/md/_linux.h
index b4b298b71c..2370ab8313 100644
--- a/nsprpub/pr/include/md/_linux.h
+++ b/nsprpub/pr/include/md/_linux.h
@@ -57,6 +57,10 @@
 #define _PR_SI_ARCHITECTURE "m32r"
 #elif defined(__or1k__)
 #define _PR_SI_ARCHITECTURE "or1k"
+#elif defined(__riscv) && (__riscv_xlen == 32)
+#define _PR_SI_ARCHITECTURE "riscv32"
+#elif defined(__riscv) && (__riscv_xlen == 64)
+#define _PR_SI_ARCHITECTURE "riscv64"
 #else
 #error "Unknown CPU architecture"
 #endif
diff --git a/nsprpub/pr/include/md/_win95.cfg b/nsprpub/pr/include/md/_win95.cfg
index 1e693cc68c..7c379fce70 100644
--- a/nsprpub/pr/include/md/_win95.cfg
+++ b/nsprpub/pr/include/md/_win95.cfg
@@ -214,6 +214,55 @@
 #define PR_BYTES_PER_WORD_LOG2  2
 #define PR_BYTES_PER_DWORD_LOG2 3
 
+#elif defined(_M_ARM64) || defined(_ARM64_)
+
+#define IS_LITTLE_ENDIAN 1
+#undef  IS_BIG_ENDIAN
+#define IS_64
+
+#define PR_BYTES_PER_BYTE   1
+#define PR_BYTES_PER_SHORT  2
+#define PR_BYTES_PER_INT    4
+#define PR_BYTES_PER_INT64  8
+#define PR_BYTES_PER_LONG   4
+#define PR_BYTES_PER_FLOAT  4
+#define PR_BYTES_PER_WORD	8
+#define PR_BYTES_PER_DWORD	8
+#define PR_BYTES_PER_DOUBLE 8
+
+#define PR_BITS_PER_BYTE    8
+#define PR_BITS_PER_SHORT   16
+#define PR_BITS_PER_INT     32
+#define PR_BITS_PER_INT64   64
+#define PR_BITS_PER_LONG    32
+#define PR_BITS_PER_FLOAT   32
+#define PR_BITS_PER_WORD	64
+#define PR_BITS_PER_DWORD	64
+#define PR_BITS_PER_DOUBLE  64
+
+#define PR_BITS_PER_BYTE_LOG2   3
+#define PR_BITS_PER_SHORT_LOG2  4
+#define PR_BITS_PER_INT_LOG2    5
+#define PR_BITS_PER_INT64_LOG2  6
+#define PR_BITS_PER_LONG_LOG2   5
+#define PR_BITS_PER_FLOAT_LOG2  5
+#define PR_BITS_PER_WORD_LOG2	6
+#define PR_BITS_PER_DWORD_LOG2	6
+#define PR_BITS_PER_DOUBLE_LOG2 6
+
+#define PR_ALIGN_OF_SHORT   2
+#define PR_ALIGN_OF_INT     4
+#define PR_ALIGN_OF_LONG    4
+#define PR_ALIGN_OF_INT64   8
+#define PR_ALIGN_OF_FLOAT   4
+#define PR_ALIGN_OF_WORD	8
+#define PR_ALIGN_OF_DWORD	8
+#define PR_ALIGN_OF_DOUBLE  8
+#define PR_ALIGN_OF_POINTER 8
+
+#define PR_BYTES_PER_WORD_LOG2	3
+#define PR_BYTES_PER_DWORD_LOG2	3
+
 #else /* defined(_M_IX86) || defined(_X86_) */
 
 #error unknown processor architecture
diff --git a/nsprpub/pr/include/md/_win95.h b/nsprpub/pr/include/md/_win95.h
index 04f811d37d..24e537bb74 100644
--- a/nsprpub/pr/include/md/_win95.h
+++ b/nsprpub/pr/include/md/_win95.h
@@ -26,6 +26,8 @@
 #define _PR_SI_ARCHITECTURE   "ia64"
 #elif defined(_M_ARM) || defined(_ARM_)
 #define _PR_SI_ARCHITECTURE   "arm"
+#elif defined(_M_ARM64)
+#define _PR_SI_ARCHITECTURE   "aarch64"
 #else
 #error unknown processor architecture
 #endif
diff --git a/nsprpub/pr/include/prinit.h b/nsprpub/pr/include/prinit.h
index ab3aba2082..5f6b4e3de9 100644
--- a/nsprpub/pr/include/prinit.h
+++ b/nsprpub/pr/include/prinit.h
@@ -31,9 +31,9 @@ PR_BEGIN_EXTERN_C
 ** The format of the version string is
 **     "<major version>.<minor version>[.<patch level>] [<Beta>]"
 */
-#define PR_VERSION  "4.19"
+#define PR_VERSION  "4.20"
 #define PR_VMAJOR   4
-#define PR_VMINOR   19
+#define PR_VMINOR   20
 #define PR_VPATCH   0
 #define PR_BETA     PR_FALSE
 
diff --git a/nsprpub/pr/src/misc/prnetdb.c b/nsprpub/pr/src/misc/prnetdb.c
index affebf6ac3..c482e8e4a6 100644
--- a/nsprpub/pr/src/misc/prnetdb.c
+++ b/nsprpub/pr/src/misc/prnetdb.c
@@ -7,6 +7,10 @@
 
 #include <string.h>
 
+#if defined(LINUX)
+#include <sys/un.h>
+#endif
+
 /*
  * On Unix, the error code for gethostbyname() and gethostbyaddr()
  * is returned in the global variable h_errno, instead of the usual
@@ -1366,7 +1370,17 @@ PRUintn _PR_NetAddrSize(const PRNetAddr* addr)
 #endif
 #if defined(XP_UNIX) || defined(XP_OS2)
     else if (AF_UNIX == addr->raw.family)
-        addrsize = sizeof(addr->local);
+    {
+#if defined(LINUX)
+        if (addr->local.path[0] == 0)
+            /* abstract socket address is supported on Linux only */
+            addrsize = strnlen(addr->local.path + 1,
+                               sizeof(addr->local.path)) +
+                       offsetof(struct sockaddr_un, sun_path) + 1;
+        else
+#endif
+            addrsize = sizeof(addr->local);
+    }
 #endif
     else addrsize = 0;
 
diff --git a/nsprpub/pr/src/pthreads/ptio.c b/nsprpub/pr/src/pthreads/ptio.c
index f6aa567418..1549a905fb 100644
--- a/nsprpub/pr/src/pthreads/ptio.c
+++ b/nsprpub/pr/src/pthreads/ptio.c
@@ -1750,7 +1750,12 @@ static PRStatus pt_Bind(PRFileDesc *fd, const PRNetAddr *addr)
     if (addr->raw.family == AF_UNIX)
     {
         /* Disallow relative pathnames */
-        if (addr->local.path[0] != '/')
+        if (addr->local.path[0] != '/'
+#if defined(LINUX)
+            /* Linux has abstract socket address support */
+            && addr->local.path[0] != 0
+#endif
+            )
         {
             PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
             return PR_FAILURE;
diff --git a/nsprpub/pr/src/pthreads/ptsynch.c b/nsprpub/pr/src/pthreads/ptsynch.c
index a93b74795e..126bed6704 100644
--- a/nsprpub/pr/src/pthreads/ptsynch.c
+++ b/nsprpub/pr/src/pthreads/ptsynch.c
@@ -911,7 +911,8 @@ PR_IMPLEMENT(PRStatus) PR_DeleteSemaphore(const char *name)
  * From the semctl(2) man page in glibc 2.0
  */
 #if (defined(__GNU_LIBRARY__) && !defined(_SEM_SEMUN_UNDEFINED)) \
-    || defined(FREEBSD) || defined(OPENBSD) || defined(BSDI) \
+    || (defined(FREEBSD) && __FreeBSD_version < 1200059) \
+    || defined(OPENBSD) || defined(BSDI) \
     || defined(DARWIN) || defined(SYMBIAN)
 /* union semun is defined by including <sys/sem.h> */
 #else
diff --git a/nsprpub/pr/tests/Makefile.in b/nsprpub/pr/tests/Makefile.in
index 79a67f09cb..f1cfba9ccf 100644
--- a/nsprpub/pr/tests/Makefile.in
+++ b/nsprpub/pr/tests/Makefile.in
@@ -18,6 +18,7 @@ include $(topsrcdir)/config/config.mk
 DIRS = dll
 
 CSRCS =             \
+	abstract.c		\
 	accept.c		\
 	acceptread.c	\
 	acceptreademu.c	\
diff --git a/nsprpub/pr/tests/abstract.c b/nsprpub/pr/tests/abstract.c
new file mode 100644
index 0000000000..6be5610c04
--- /dev/null
+++ b/nsprpub/pr/tests/abstract.c
@@ -0,0 +1,157 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+
+#if defined(LINUX)
+
+#include <string.h>
+#include "nspr.h"
+
+static const char abstractSocketName[] = "\0testsocket";
+
+static void
+ClientThread(void* aArg)
+{
+  PRFileDesc* socket;
+  PRNetAddr addr;
+  PRUint8 buf[1024];
+  PRInt32 len;
+  PRInt32 total;
+
+  addr.local.family = PR_AF_LOCAL;
+  memcpy(addr.local.path, abstractSocketName, sizeof(abstractSocketName));
+
+  socket = PR_OpenTCPSocket(addr.raw.family);
+  if (!socket) {
+    fprintf(stderr, "PR_OpenTCPSokcet failed\n");
+    exit(1);
+  }
+
+  if (PR_Connect(socket, &addr, PR_INTERVAL_NO_TIMEOUT) == PR_FAILURE) {
+    fprintf(stderr, "PR_Connect failed\n");
+    exit(1);
+  }
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Recv(socket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Recv failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Send(socket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Send failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  if (PR_Close(socket) == PR_FAILURE) {
+    fprintf(stderr, "PR_Close failed\n");
+    exit(1);
+  }
+}
+
+int
+main()
+{
+  PRFileDesc* socket;
+  PRFileDesc* acceptSocket;
+  PRThread* thread;
+  PRNetAddr addr;
+  PRUint8 buf[1024];
+  PRInt32 len;
+  PRInt32 total;
+
+  addr.local.family = PR_AF_LOCAL;
+  memcpy(addr.local.path, abstractSocketName, sizeof(abstractSocketName));
+
+  socket = PR_OpenTCPSocket(addr.raw.family);
+  if (!socket) {
+    fprintf(stderr, "PR_OpenTCPSocket failed\n");
+    exit(1);
+  }
+  if (PR_Bind(socket, &addr) == PR_FAILURE) {
+    fprintf(stderr, "PR_Bind failed\n");
+    exit(1);
+  }
+
+  if (PR_Listen(socket, 5) == PR_FAILURE) {
+    fprintf(stderr, "PR_Listen failed\n");
+    exit(1);
+  }
+
+  thread = PR_CreateThread(PR_USER_THREAD, ClientThread, 0, PR_PRIORITY_NORMAL,
+                           PR_GLOBAL_THREAD, PR_JOINABLE_THREAD, 0);
+  if (!thread) {
+    fprintf(stderr, "PR_CreateThread failed");
+    exit(1);
+  }
+
+  acceptSocket  = PR_Accept(socket, NULL, PR_INTERVAL_NO_TIMEOUT);
+  if (!acceptSocket) {
+    fprintf(stderr, "PR_Accept failed\n");
+    exit(1);
+  }
+
+  memset(buf, 'A', sizeof(buf));
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Send(acceptSocket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Send failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  total = 0;
+  while (total < sizeof(buf)) {
+    len = PR_Recv(acceptSocket, buf + total, sizeof(buf) - total, 0,
+                  PR_INTERVAL_NO_TIMEOUT);
+    if (len < 1) {
+      fprintf(stderr, "PR_Recv failed\n");
+      exit(1);
+    }
+    total += len;
+  }
+
+  if (PR_Close(acceptSocket) == PR_FAILURE) {
+    fprintf(stderr, "PR_Close failed\n");
+    exit(1);
+  }
+
+  if (PR_JoinThread(thread) == PR_FAILURE) {
+    fprintf(stderr, "PR_JoinThread failed\n");
+    exit(1);
+  }
+
+  if (PR_Close(socket) == PR_FAILURE) {
+    fprintf(stderr, "PR_Close failed\n");
+    exit(1);
+  }
+  printf("PASS\n");
+  return 0;
+}
+
+#else
+int
+main()
+{
+  prinf("PASS\n");
+  return 0;
+}
+#endif
diff --git a/nsprpub/pr/tests/runtests.pl b/nsprpub/pr/tests/runtests.pl
index 5dbc649bfe..f1ab7647e4 100755
--- a/nsprpub/pr/tests/runtests.pl
+++ b/nsprpub/pr/tests/runtests.pl
@@ -241,6 +241,7 @@ $prog = shift;  # Program to test
 
 # MAIN ---------------
 @progs = (
+"abstract",
 "accept",
 "acceptread",
 "acceptreademu",
diff --git a/nsprpub/pr/tests/runtests.sh b/nsprpub/pr/tests/runtests.sh
index 760f03292b..d021287b82 100755
--- a/nsprpub/pr/tests/runtests.sh
+++ b/nsprpub/pr/tests/runtests.sh
@@ -71,6 +71,7 @@ LOGFILE=${NSPR_TEST_LOGFILE:-$NULL_DEVICE}
 #
 
 TESTS="
+abstract
 accept
 acceptread
 acceptreademu
diff --git a/nsprpub/pr/tests/vercheck.c b/nsprpub/pr/tests/vercheck.c
index 43b0abc4b6..5e6588f9d8 100644
--- a/nsprpub/pr/tests/vercheck.c
+++ b/nsprpub/pr/tests/vercheck.c
@@ -40,7 +40,7 @@ static char *compatible_version[] = {
     "4.10", "4.10.1", "4.10.2", "4.10.3", "4.10.4",
     "4.10.5", "4.10.6", "4.10.7", "4.10.8", "4.10.9",
     "4.10.10", "4.11", "4.12", "4.13", "4.14", "4.15",
-    "4.16", "4.17", "4.18",
+    "4.16", "4.17", "4.18", "4.19",
     PR_VERSION
 };
 
@@ -56,8 +56,8 @@ static char *incompatible_version[] = {
     "3.0", "3.0.1",
     "3.1", "3.1.1", "3.1.2", "3.1.3",
     "3.5", "3.5.1",
-    "4.19.1",
-    "4.20", "4.20.1",
+    "4.20.1",
+    "4.21", "4.21.1",
     "10.0", "11.1", "12.14.20"
 };
 
diff --git a/old-configure.in b/old-configure.in
index d0b17835c6..ba3b75ef3a 100644
--- a/old-configure.in
+++ b/old-configure.in
@@ -48,7 +48,7 @@ dnl ========================================================
 MOZJPEG=62
 MOZPNG=10625
 NSPR_VERSION=4
-NSPR_MINVER=4.19
+NSPR_MINVER=4.20
 NSS_VERSION=3
 
 dnl Set the minimum version of toolkit libs used by mozilla
@@ -2044,7 +2044,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.38, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.41, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -z "$MOZ_SYSTEM_NSS"; then
@@ -2204,7 +2204,6 @@ MOZ_VORBIS=
 MOZ_TREMOR=
 MOZ_SAMPLE_TYPE_FLOAT32=
 MOZ_SAMPLE_TYPE_S16=
-MOZ_DIRECTSHOW=
 MOZ_WEBRTC=
 MOZ_PEERCONNECTION=
 MOZ_SRTP=
@@ -2212,8 +2211,6 @@ MOZ_WEBRTC_SIGNALING=
 MOZ_WEBRTC_ASSERT_ALWAYS=1
 MOZ_WEBRTC_HARDWARE_AEC_NS=
 MOZ_SCTP=
-MOZ_ANDROID_OMX=
-MOZ_OMX_PLUGIN=
 MOZ_VPX_ERROR_CONCEALMENT=
 VPX_USE_YASM=
 VPX_ASFLAGS=
@@ -2222,6 +2219,7 @@ VPX_X86_ASM=
 VPX_ARM_ASM=
 LIBJPEG_TURBO_AS=
 LIBJPEG_TURBO_ASFLAGS=
+MOZ_GAMEPAD=
 MOZ_PREF_EXTENSIONS=1
 MOZ_REFLOW_PERF=
 MOZ_SAFE_BROWSING=
@@ -2233,6 +2231,7 @@ MOZ_URL_CLASSIFIER=
 MOZ_XUL=1
 MOZ_ZIPWRITER=1
 MOZ_NO_SMART_CARDS=
+MOZ_NECKO_WIFI=1
 NECKO_COOKIES=1
 MOZ_USE_NATIVE_POPUP_WINDOWS=
 MOZ_EXCLUDE_HYPHENATION_DICTIONARIES=
@@ -2892,23 +2891,6 @@ fi
 fi # COMPILE_ENVIRONMENT
 
 dnl ========================================================
-dnl = DirectShow support
-dnl ========================================================
-if test "$OS_ARCH" = "WINNT"; then
-    dnl Enable DirectShow support by default.
-    MOZ_DIRECTSHOW=1
-fi
-
-MOZ_ARG_DISABLE_BOOL(directshow,
-[  --disable-directshow  Disable support for DirectShow],
-    MOZ_DIRECTSHOW=,
-    MOZ_DIRECTSHOW=1)
-
-if test -n "$MOZ_DIRECTSHOW"; then
-    AC_DEFINE(MOZ_DIRECTSHOW)
-fi;
-
-dnl ========================================================
 dnl = EME support
 dnl ========================================================
 
@@ -2939,45 +2921,6 @@ if test -n "$MOZ_EME"; then
 fi
 
 dnl ========================================================
-dnl = Enable media plugin support
-dnl ========================================================
-if test "$OS_TARGET" = "Android"; then
-  dnl Enable support on android by default
-  MOZ_ANDROID_OMX=1
-fi
-
-MOZ_ARG_ENABLE_BOOL(android-omx,
-[  --enable-android-omx  Enable support for Android OMX media backend],
-    MOZ_ANDROID_OMX=1,
-    MOZ_ANDROID_OMX=)
-
-if test -n "$MOZ_ANDROID_OMX"; then
-  AC_DEFINE(MOZ_ANDROID_OMX)
-fi
-
-dnl ========================================================
-dnl = Enable building OMX media plugin (B2G or Android)
-dnl ========================================================
-if test "$OS_TARGET" = "Android"; then
-  dnl Enable support on android by default
-  MOZ_OMX_PLUGIN=1
-fi
-
-MOZ_ARG_ENABLE_BOOL(omx-plugin,
-[  --enable-omx-plugin      Enable building OMX plugin (B2G)],
-    MOZ_OMX_PLUGIN=1,
-    MOZ_OMX_PLUGIN=)
-
-if test -n "$MOZ_OMX_PLUGIN"; then
-    if test "$OS_TARGET" = "Android"; then
-        dnl Only allow building OMX plugin on Android
-        AC_DEFINE(MOZ_OMX_PLUGIN)
-    else
-        dnl fail if we're not building on Android
-        AC_MSG_ERROR([OMX media plugin can only be built on Android])
-    fi
-fi
-
 dnl system libvpx Support
 dnl ========================================================
 MOZ_ARG_WITH_BOOL(system-libvpx,
@@ -3345,13 +3288,12 @@ fi # COMPILE_ENVIRONMENT
 dnl ========================================================
 dnl Gamepad support
 dnl ========================================================
-MOZ_GAMEPAD=1
 MOZ_GAMEPAD_BACKEND=stub
 
-MOZ_ARG_DISABLE_BOOL(gamepad,
-[  --disable-gamepad   Disable gamepad support],
-    MOZ_GAMEPAD=,
-    MOZ_GAMEPAD=1)
+MOZ_ARG_ENABLE_BOOL(gamepad,
+[  --enable-gamepad   Enable gamepad support],
+    MOZ_GAMEPAD=1,
+    MOZ_GAMEPAD=)
 
 if test "$MOZ_GAMEPAD"; then
     case "$OS_TARGET" in
@@ -3694,10 +3636,10 @@ if test "$MOZ_IOS"; then
   MOZ_UPDATER=
 fi
 
-MOZ_ARG_DISABLE_BOOL(updater,
-[  --disable-updater       Disable building of updater],
-    MOZ_UPDATER=,
-    MOZ_UPDATER=1 )
+MOZ_ARG_ENABLE_BOOL(updater,
+[  --enable-updater       Enable building of internal updater],
+    MOZ_UPDATER=1,
+    MOZ_UPDATER= )
 
 if test -n "$MOZ_UPDATER"; then
     AC_DEFINE(MOZ_UPDATER)
@@ -4998,27 +4940,29 @@ dnl
 dnl option to disable necko's wifi scanner
 dnl
 
-case "$OS_TARGET" in
-  Android)
-    ;;
-  Darwin)
-    if test -z "$MOZ_IOS"; then
-      NECKO_WIFI=1
-    fi
-    ;;
-  DragonFly|FreeBSD|WINNT)
-    NECKO_WIFI=1
-    ;;
-  Linux)
-    NECKO_WIFI=1
-    NECKO_WIFI_DBUS=1
-    ;;
-esac
-
 MOZ_ARG_DISABLE_BOOL(necko-wifi,
 [  --disable-necko-wifi    Disable necko wifi scanner],
-    NECKO_WIFI=,
-    NECKO_WIFI=1)
+    MOZ_NECKO_WIFI=,
+    MOZ_NECKO_WIFI=1)
+
+if test "$MOZ_NECKO_WIFI"; then
+  case "$OS_TARGET" in
+    Android)
+      ;;
+    Darwin)
+      if test -z "$MOZ_IOS"; then
+        NECKO_WIFI=1
+      fi
+      ;;
+    DragonFly|FreeBSD|WINNT)
+      NECKO_WIFI=1
+      ;;
+    Linux)
+      NECKO_WIFI=1
+      NECKO_WIFI_DBUS=1
+      ;;
+  esac
+fi
 
 if test "$NECKO_WIFI"; then
   if test -z "$MOZ_ENABLE_DBUS" -a -n "$NECKO_WIFI_DBUS"; then
@@ -5481,9 +5425,6 @@ AC_SUBST(MOZ_TREMOR)
 AC_SUBST(MOZ_FFVPX)
 AC_SUBST_LIST(FFVPX_ASFLAGS)
 AC_SUBST(MOZ_EME)
-AC_SUBST(MOZ_DIRECTSHOW)
-AC_SUBST(MOZ_ANDROID_OMX)
-AC_SUBST(MOZ_OMX_PLUGIN)
 AC_SUBST(MOZ_VPX_ERROR_CONCEALMENT)
 AC_SUBST(VPX_USE_YASM)
 AC_SUBST_LIST(VPX_ASFLAGS)
diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
index daabca5911..b8f1b0eb7f 100644
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -40,9 +40,6 @@ using namespace mozilla::psm;
 
 extern LazyLogModule gPIPNSSLog;
 
-static void AccumulateCipherSuite(Telemetry::ID probe,
-                                  const SSLChannelInfo& channelInfo);
-
 namespace {
 
 // Bits in bit mask for SSL_REASONS_FOR_NOT_FALSE_STARTING telemetry probe
@@ -1106,68 +1103,6 @@ AccumulateECCCurve(Telemetry::ID probe, uint32_t bits)
                      : 0; // Unknown
 }
 
-static void
-AccumulateCipherSuite(Telemetry::ID probe, const SSLChannelInfo& channelInfo)
-{
-  uint32_t value;
-  switch (channelInfo.cipherSuite) {
-    // ECDHE key exchange
-    case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: value = 1; break;
-    case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: value = 2; break;
-    case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: value = 3; break;
-    case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: value = 4; break;
-    case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: value = 5; break;
-    case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: value = 6; break;
-    case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: value = 7; break;
-    case TLS_ECDHE_RSA_WITH_RC4_128_SHA: value = 8; break;
-    case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: value = 9; break;
-    case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: value = 10; break;
-    case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: value = 11; break;
-    case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: value = 12; break;
-    case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: value = 13; break;
-    case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: value = 14; break;
-    // DHE key exchange
-    case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: value = 21; break;
-    case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: value = 22; break;
-    case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: value = 23; break;
-    case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: value = 24; break;
-    case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: value = 25; break;
-    case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: value = 26; break;
-    case TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: value = 27; break;
-    case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: value = 28; break;
-    case TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: value = 29; break;
-    case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: value = 30; break;
-    // ECDH key exchange
-    case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: value = 41; break;
-    case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: value = 42; break;
-    case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: value = 43; break;
-    case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: value = 44; break;
-    case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: value = 45; break;
-    case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: value = 46; break;
-    case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: value = 47; break;
-    case TLS_ECDH_RSA_WITH_RC4_128_SHA: value = 48; break;
-    // RSA key exchange
-    case TLS_RSA_WITH_AES_128_CBC_SHA: value = 61; break;
-    case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: value = 62; break;
-    case TLS_RSA_WITH_AES_256_CBC_SHA: value = 63; break;
-    case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: value = 64; break;
-    case SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: value = 65; break;
-    case TLS_RSA_WITH_3DES_EDE_CBC_SHA: value = 66; break;
-    case TLS_RSA_WITH_SEED_CBC_SHA: value = 67; break;
-    case TLS_RSA_WITH_RC4_128_SHA: value = 68; break;
-    case TLS_RSA_WITH_RC4_128_MD5: value = 69; break;
-    // TLS 1.3 PSK resumption
-    case TLS_AES_128_GCM_SHA256: value = 70; break;
-    case TLS_CHACHA20_POLY1305_SHA256: value = 71; break;
-    case TLS_AES_256_GCM_SHA384: value = 72; break;
-    // unknown
-    default:
-      value = 0;
-      break;
-  }
-  MOZ_ASSERT(value != 0);
-}
-
 // In the case of session resumption, the AuthCertificate hook has been bypassed
 // (because we've previously successfully connected to our peer). That being the
 // case, we unfortunately don't know if the peer's server certificate verified
@@ -1285,10 +1220,6 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
     // 1=tls1, 2=tls1.1, 3=tls1.2
     unsigned int versionEnum = channelInfo.protocolVersion & 0xFF;
     MOZ_ASSERT(versionEnum > 0);
-    AccumulateCipherSuite(
-      infoObject->IsFullHandshake() ? Telemetry::SSL_CIPHER_SUITE_FULL
-                                    : Telemetry::SSL_CIPHER_SUITE_RESUMED,
-      channelInfo);
 
     SSLCipherSuiteInfo cipherInfo;
     rv = SSL_GetCipherSuiteInfo(channelInfo.cipherSuite, &cipherInfo,
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 4fc8c142ef..f580f2bcb6 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1309,8 +1309,8 @@ typedef struct {
   bool weak;
 } CipherPref;
 
-// Update the switch statement in AccumulateCipherSuite in nsNSSCallbacks.cpp
-// when you add/remove cipher suites here.
+// List of available cipher suites and their prefs
+// Format: "pref", cipherSuite, defaultEnabled, [isWeak = false]
 static const CipherPref sCipherPrefs[] = {
  { "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256",
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, true },
diff --git a/security/manager/ssl/nsSTSPreloadList.errors b/security/manager/ssl/nsSTSPreloadList.errors
index 1b7c90eded..92e7ea00f9 100644
--- a/security/manager/ssl/nsSTSPreloadList.errors
+++ b/security/manager/ssl/nsSTSPreloadList.errors
@@ -1,7 +1,7 @@
 0-1.party: could not connect to host
 0.me.uk: did not receive HSTS header
 00001.am: max-age too low: 129600
-0005.com: could not connect to host
+0005.com: did not receive HSTS header
 0005aa.com: could not connect to host
 0005pay.com: did not receive HSTS header
 00100010.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -13,10 +13,10 @@
 00180018.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 00190019.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 00220022.net: could not connect to host
-00330033.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+00330033.net: could not connect to host
 00440044.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 00550055.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-00660066.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+00660066.net: could not connect to host
 007-preisvergleich.de: could not connect to host
 00770077.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 00778899.com: did not receive HSTS header
@@ -38,8 +38,9 @@
 0222.mg: did not receive HSTS header
 0222aa.com: could not connect to host
 023838.com: could not connect to host
+023sec.com: could not connect to host
 028718.com: did not receive HSTS header
-029978.com: could not connect to host
+029978.com: did not receive HSTS header
 029inno.com: could not connect to host
 02dl.net: could not connect to host
 02smh.com: could not connect to host
@@ -51,7 +52,7 @@
 04sun.com: could not connect to host
 050508.com: could not connect to host
 055268.com: did not receive HSTS header
-066318.com: could not connect to host
+066318.com: did not receive HSTS header
 066538.com: did not receive HSTS header
 066718.com: did not receive HSTS header
 066928.com: could not connect to host
@@ -64,7 +65,6 @@
 078860.com: did not receive HSTS header
 078890.com: did not receive HSTS header
 081638.com: did not receive HSTS header
-083962.com: could not connect to host
 086628.com: did not receive HSTS header
 0c.eu: did not receive HSTS header
 0cdn.ga: could not connect to host
@@ -73,7 +73,6 @@
 0fl.com: did not receive HSTS header
 0g.org.uk: could not connect to host
 0i0.nl: could not connect to host
-0iz.net: could not connect to host
 0o0.ooo: could not connect to host
 0p.no: did not receive HSTS header
 0vi.org: could not connect to host
@@ -90,23 +89,29 @@
 0x90.fi: could not connect to host
 0x90.in: could not connect to host
 0xa.in: could not connect to host
+0xaa55.me: could not connect to host
 0xb612.org: could not connect to host
 0xcafec0.de: did not receive HSTS header
 0xf00.ch: could not connect to host
 1.0.0.1: max-age too low: 0
 1000hats.com: did not receive HSTS header
+1000serien.com: could not connect to host
 1001.best: could not connect to host
-1001firms.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+1001carats.fr: could not connect to host
 100onrainkajino.com: could not connect to host
+100rembourse.be: did not receive HSTS header
 1017scribes.com: could not connect to host
 1018hosting.nl: did not receive HSTS header
 1022996493.rsc.cdn77.org: could not connect to host
+10414.org: could not connect to host
+1066.io: could not connect to host
 1091.jp: could not connect to host
 10gbit.ovh: could not connect to host
 10seos.com: did not receive HSTS header
 10tacle.io: could not connect to host
 10v2.com: did not receive HSTS header
 10x.ooo: could not connect to host
+10xiuxiu.com: did not receive HSTS header
 1100.so: could not connect to host
 110110110.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 1116pay.com: did not receive HSTS header
@@ -115,10 +120,12 @@
 118118118.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 11bt.cc: did not receive HSTS header
 11recruitment.com.au: did not receive HSTS header
-11scc.com: did not receive HSTS header
+11scc.com: could not connect to host
 120dayweightloss.com: could not connect to host
 123110.com: could not connect to host
+123djdrop.com: did not receive HSTS header
 123movies.fyi: did not receive HSTS header
+123pay.ir: did not receive HSTS header
 123share.org: did not receive HSTS header
 123termpapers.com: could not connect to host
 123test.com: did not receive HSTS header
@@ -128,6 +135,7 @@
 123test.nl: did not receive HSTS header
 126ium.moe: could not connect to host
 127011-networks.ch: could not connect to host
+1288366.com: could not connect to host
 12vpn.org: could not connect to host
 12vpnchina.com: could not connect to host
 130978.com: did not receive HSTS header
@@ -135,6 +143,7 @@
 135vv.com: could not connect to host
 13826145000.com: could not connect to host
 1391kj.com: did not receive HSTS header
+1395kj.com: did not receive HSTS header
 1396.cc: could not connect to host
 1396.net: did not receive HSTS header
 1481481.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -146,7 +155,7 @@
 1481485.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 1481485.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 1481486.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-1481486.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+1481486.net: could not connect to host
 1536.cf: could not connect to host
 16164f.com: could not connect to host
 163pwd.com: could not connect to host
@@ -156,27 +165,28 @@
 168bo9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 168bo9.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 168esb.com: could not connect to host
+16book.org: could not connect to host
 16deza.com: did not receive HSTS header
 16packets.com: could not connect to host
-173vpn.cn: did not receive HSTS header
+173vpn.cn: could not connect to host
 173vpns.com: could not connect to host
 173vpnv.com: could not connect to host
 174.net.nz: did not receive HSTS header
 174343.com: could not connect to host
-1750studios.com: could not connect to host
 17hats.com: did not receive HSTS header
 188522.com: did not receive HSTS header
 18888msc.com: could not connect to host
 1888zr.com: could not connect to host
 188betwarriors.co.uk: could not connect to host
-188da.com: could not connect to host
 188trafalgar.ca: did not receive HSTS header
 189dv.com: could not connect to host
 1912x.com: could not connect to host
-19216811.online: could not connect to host
+19216811.online: did not receive HSTS header
 1921958389.rsc.cdn77.org: could not connect to host
 195gm.com: could not connect to host
 1a-jva.de: could not connect to host
+1a-vermessung.at: did not receive HSTS header
+1a-werkstattgeraete.de: did not receive HSTS header
 1aim.com: did not receive HSTS header
 1atic.com: could not connect to host
 1b1.pl: could not connect to host
@@ -184,6 +194,7 @@
 1cover.com: could not connect to host
 1day1ac.red: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 1er-secours.ch: could not connect to host
+1europlan.nl: could not connect to host
 1gsoft.com: could not connect to host
 1item.co.il: did not receive HSTS header
 1k8b.com: could not connect to host
@@ -193,31 +204,31 @@
 1q365a.com: could not connect to host
 1s.tn: could not connect to host
 1salland.nl: could not connect to host
-1st4abounce.co.uk: did not receive HSTS header
+1st4abounce.co.uk: could not connect to host
 1stcapital.com.sg: did not receive HSTS header
 1ststop.co.uk: did not receive HSTS header
 1three1.net: did not receive HSTS header
 1upinternet.com: could not connect to host
 1xcess.com: did not receive HSTS header
-1years.cc: could not connect to host
+1years.cc: did not receive HSTS header
 2-cpu.de: could not connect to host
 200fcw.com: could not connect to host
 2018.wales: could not connect to host
-20188088.com: did not receive HSTS header
 2048-spiel.de: could not connect to host
 2048game.co.uk: could not connect to host
 206rc.net: max-age too low: 2592000
-208.es: could not connect to host
+208.es: did not receive HSTS header
+20denier.com: could not connect to host
 20hs.cn: did not receive HSTS header
 20zq.com: could not connect to host
 21.co.uk: did not receive HSTS header
 21lg.co: could not connect to host
 21stnc.com: could not connect to host
 22bt.cc: did not receive HSTS header
-22scc.com: did not receive HSTS header
+22digital.agency: could not connect to host
+22scc.com: could not connect to host
 2333.press: could not connect to host
 247a.co.uk: could not connect to host
-247exchange.com: could not connect to host
 247quickbooks.com: did not receive HSTS header
 2488.ch: did not receive HSTS header
 249cq.com: could not connect to host
@@ -230,6 +241,7 @@
 256k.me: could not connect to host
 258da.com: did not receive HSTS header
 25daysof.io: could not connect to host
+263.info: could not connect to host
 27728522.com: could not connect to host
 2859cc.com: could not connect to host
 286.com: did not receive HSTS header
@@ -238,21 +250,22 @@
 298da.com: did not receive HSTS header
 2acbi-asso.fr: did not receive HSTS header
 2b3b.com: could not connect to host
-2bad2c0.de: could not connect to host
+2bad2c0.de: did not receive HSTS header
 2bitout.com: could not connect to host
 2bizi.ru: could not connect to host
 2bouncy.com: did not receive HSTS header
 2brokegirls.org: could not connect to host
 2carpros.com: did not receive HSTS header
-2fl.me: could not connect to host
+2fl.me: did not receive HSTS header
 2intermediate.co.uk: did not receive HSTS header
+2mir.com: could not connect to host
 2or3.tk: could not connect to host
 2smart4food.com: could not connect to host
 2ss.jp: did not receive HSTS header
 300651.ru: did not receive HSTS header
 300mbmovie24.com: could not connect to host
 300mbmovies4u.cc: could not connect to host
-301.website: could not connect to host
+301.website: did not receive HSTS header
 302.nyc: could not connect to host
 30yearmortgagerates.net: could not connect to host
 3133780x.com: did not receive HSTS header
@@ -261,9 +274,10 @@
 31tv.ru: did not receive HSTS header
 32ph.com: could not connect to host
 330.net: could not connect to host
+33836.com: could not connect to host
 338da.com: could not connect to host
 33drugstore.com: could not connect to host
-33scc.com: did not receive HSTS header
+33scc.com: could not connect to host
 341.mg: could not connect to host
 34oztonic.eu: did not receive HSTS header
 3555500.com: did not receive HSTS header
@@ -278,9 +292,9 @@
 3778xl.com: could not connect to host
 3839.ca: could not connect to host
 38888msc.com: could not connect to host
-388da.com: could not connect to host
-38blog.com: could not connect to host
+38blog.com: did not receive HSTS header
 38sihu.com: could not connect to host
+398.info: could not connect to host
 3candy.com: could not connect to host
 3chit.cf: could not connect to host
 3click-loan.com: could not connect to host
@@ -290,13 +304,14 @@
 3dm.audio: could not connect to host
 3dproteinimaging.com: did not receive HSTS header
 3fl.com: did not receive HSTS header
+3hl0.net: could not connect to host
+3ik.us: could not connect to host
 3mbo.de: did not receive HSTS header
 3sreporting.com: did not receive HSTS header
 3vlnaeet.cz: could not connect to host
 3wecommerce.com.br: could not connect to host
 3weekdietworks.com: did not receive HSTS header
 3xx.link: could not connect to host
-40-grad.de: max-age too low: 2628000
 4036aa.com: did not receive HSTS header
 4036bb.com: did not receive HSTS header
 4036cc.com: did not receive HSTS header
@@ -307,23 +322,23 @@
 404forest.com: did not receive HSTS header
 41844.de: could not connect to host
 420dongstorm.com: could not connect to host
-4237.com: max-age too low: 86400
-42day.info: could not connect to host
+4237.com: could not connect to host
 42entrepreneurs.fr: did not receive HSTS header
 42ms.org: could not connect to host
 42t.ru: could not connect to host
-439050.com: could not connect to host
-439191.com: did not receive HSTS header
+439191.com: could not connect to host
 440hz-radio.de: did not receive HSTS header
 440hz.radio: did not receive HSTS header
 4455software.com: did not receive HSTS header
 448da.com: did not receive HSTS header
 44957.com: could not connect to host
-44scc.com: did not receive HSTS header
-44sec.com: could not connect to host
+44scc.com: could not connect to host
 4500.co.il: did not receive HSTS header
+4553vip.com: could not connect to host
 4679.space: did not receive HSTS header
+4736666.com: could not connect to host
 478933.com: could not connect to host
+47essays.com: could not connect to host
 47tech.com: could not connect to host
 4997777.com: could not connect to host
 4azino777.ru: did not receive HSTS header
@@ -331,11 +346,13 @@
 4bike.eu: did not receive HSTS header
 4cclothing.com: could not connect to host
 4d2.xyz: could not connect to host
+4decor.org: max-age too low: 0
 4hvac.com: did not receive HSTS header
 4loc.us: could not connect to host
 4miners.net: could not connect to host
 4mybaby.ch: did not receive HSTS header
 4ourty2.org: could not connect to host
+4sics.se: could not connect to host
 4sqsu.eu: could not connect to host
 4w-performers.link: could not connect to host
 4web-hosting.com: could not connect to host
@@ -346,54 +363,66 @@
 500fcw.com: could not connect to host
 50ma.xyz: could not connect to host
 50millionablaze.org: could not connect to host
+50plusnet.nl: could not connect to host
 513vpn.net: could not connect to host
 517vpn.cn: could not connect to host
 518maicai.com: could not connect to host
+51aifuli.com: could not connect to host
 5214889.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 5214889.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 52b9.com: could not connect to host
 52b9.net: could not connect to host
+52hentai.ml: could not connect to host
 52kb.net: could not connect to host
 52kb1.com: could not connect to host
 52neptune.com: did not receive HSTS header
 5310899.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 5310899.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-5364.com: could not connect to host
 540.co: did not receive HSTS header
 5432.cc: did not receive HSTS header
 54bf.com: could not connect to host
-555fl.com: max-age too low: 129600
 555xl.com: could not connect to host
+558da.com: could not connect to host
 55bt.cc: did not receive HSTS header
-55scc.com: did not receive HSTS header
+55scc.com: could not connect to host
 56877.com: could not connect to host
 56ct.com: could not connect to host
 57aromas.com: did not receive HSTS header
+57he.com: could not connect to host
+593380.com: could not connect to host
+598380.com: could not connect to host
 598598598.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+5986fc.com: could not connect to host
 5chat.it: could not connect to host
 5ece.de: could not connect to host
 5piecesofadvice.com: could not connect to host
-5w5.la: did not receive HSTS header
+5starbouncycastlehire.co.uk: could not connect to host
+5w5.la: could not connect to host
 605508.cc: could not connect to host
 605508.com: could not connect to host
 60ych.net: did not receive HSTS header
 6120.eu: did not receive HSTS header
+626380.com: could not connect to host
 62755.com: did not receive HSTS header
 645ds.cn: did not receive HSTS header
 645ds.com: did not receive HSTS header
 64616e.xyz: could not connect to host
 64970.com: did not receive HSTS header
 64bitgaming.de: could not connect to host
+64bitservers.net: could not connect to host
+65d88.com: could not connect to host
 660011.com: did not receive HSTS header
+6616fc.com: could not connect to host
 66205.net: did not receive HSTS header
+6677.us: could not connect to host
 668da.com: did not receive HSTS header
+66bwf.com: could not connect to host
 67899876.com: did not receive HSTS header
 688da.com: could not connect to host
 692b8c32.de: could not connect to host
 69mentor.com: could not connect to host
 69square.com: could not connect to host
-6ird.com: did not receive HSTS header
-6w6.la: did not receive HSTS header
+6w6.la: could not connect to host
 6z3.net: could not connect to host
 7045.com: could not connect to host
 7183.org: could not connect to host
@@ -403,7 +432,7 @@
 72ty.com: could not connect to host
 72ty.net: could not connect to host
 73223.com: did not receive HSTS header
-7570.com: could not connect to host
+7570.com: did not receive HSTS header
 771122.tv: did not receive HSTS header
 7717a.com: did not receive HSTS header
 772244.net: did not receive HSTS header
@@ -413,17 +442,18 @@
 778da.com: did not receive HSTS header
 77book.cn: could not connect to host
 788da.com: did not receive HSTS header
-789zr.com: max-age too low: 86400
+789zr.com: could not connect to host
 7f-wgg.cf: could not connect to host
+7kovrikov.ru: did not receive HSTS header
 7links.com.br: did not receive HSTS header
 7nw.eu: could not connect to host
 7thheavenrestaurant.com: could not connect to host
 8.net.co: could not connect to host
 80036.com: could not connect to host
 8003pay.com: could not connect to host
-808.lv: could not connect to host
+808.lv: did not receive HSTS header
 808phone.net: could not connect to host
-81818app.com: could not connect to host
+818bwf.com: could not connect to host
 81uc.com: could not connect to host
 8206688.com: did not receive HSTS header
 826468.com: could not connect to host
@@ -434,15 +464,22 @@
 8522cn.com: did not receive HSTS header
 8522top.com: could not connect to host
 8560.be: could not connect to host
+8649955.com: could not connect to host
+8649966.com: could not connect to host
+8649977.com: could not connect to host
+8688fc.com: could not connect to host
 8722.com: did not receive HSTS header
 87577.com: could not connect to host
-88.to: could not connect to host
+88.to: did not receive HSTS header
+8876205.com: did not receive HSTS header
 8887999.com: could not connect to host
 8888av.co: could not connect to host
 8888esb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 888azino.com: did not receive HSTS header
+888bwf.com: could not connect to host
 888lu.co: could not connect to host
-888msc.vip: did not receive HSTS header
+888msc.vip: could not connect to host
+88bwf.com: did not receive HSTS header
 88d.com: could not connect to host
 88laohu.cc: could not connect to host
 88laohu.com: could not connect to host
@@ -466,25 +503,27 @@
 8ballbombom.uk: could not connect to host
 8da2017.com: did not receive HSTS header
 8da2018.com: could not connect to host
-8dabet.com: could not connect to host
 8mpay.com: did not receive HSTS header
+8pecxstudios.com: could not connect to host
+8shequapp.com: could not connect to host
+8svn.com: did not receive HSTS header
 8t88.biz: could not connect to host
-8ung.online: could not connect to host
 8xx.bet: could not connect to host
 8xx.io: could not connect to host
 8xx888.com: could not connect to host
+8xxxxxxx.com: could not connect to host
 90smthng.com: could not connect to host
 91-freedom.com: could not connect to host
 9118b.com: could not connect to host
 911911.pw: could not connect to host
-915ers.com: did not receive HSTS header
+915ers.com: could not connect to host
+918yy.com: could not connect to host
 919945.com: did not receive HSTS header
 91dh.cc: could not connect to host
-91lt.info: could not connect to host
+91lt.info: did not receive HSTS header
 922.be: could not connect to host
 92bmh.com: did not receive HSTS header
-9454.com: max-age too low: 86400
-94cs.cn: did not receive HSTS header
+9454.com: could not connect to host
 9500years.com: max-age too low: 0
 95778.com: could not connect to host
 960news.ca: could not connect to host
@@ -498,53 +537,59 @@
 987987.com: did not receive HSTS header
 9906753.net: did not receive HSTS header
 99511.fi: did not receive HSTS header
+99599.net: could not connect to host
 99buffets.com: could not connect to host
 9bingo.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 9iwan.net: did not receive HSTS header
 9jadirect.com: could not connect to host
+9jaxtreme.com.ng: did not receive HSTS header
 9point6.com: could not connect to host
 9ss6.com: could not connect to host
+9tolife.be: did not receive HSTS header
 9vies.ca: could not connect to host
 9won.kr: could not connect to host
-a-intel.com: could not connect to host
+a-intel.com: did not receive HSTS header
 a-ix.net: could not connect to host
 a-plus.space: could not connect to host
 a-rickroll-n.pw: could not connect to host
 a-shafaat.ir: did not receive HSTS header
+a-starbouncycastles.co.uk: could not connect to host
 a-theme.com: could not connect to host
 a1-autopartsglasgow.com: could not connect to host
 a1798.com: could not connect to host
 a200k.xyz: did not receive HSTS header
-a2a.net: could not connect to host
 a2c-co.net: could not connect to host
 a2it.gr: max-age too low: 0
+a3.pm: did not receive HSTS header
 a3workshop.swiss: could not connect to host
+a7m2.me: could not connect to host
+a8q.org: could not connect to host
 a9c.co: could not connect to host
+aa-tour.ru: could not connect to host
 aa43d.cn: could not connect to host
 aa6688.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 aa7733.com: could not connect to host
 aaeblog.com: did not receive HSTS header
 aaeblog.net: did not receive HSTS header
 aaeblog.org: did not receive HSTS header
+aanbieders.ga: could not connect to host
 aaoo.net: could not connect to host
 aapp.space: could not connect to host
 aardvarksolutions.co.za: did not receive HSTS header
 aariefhaafiz.com: could not connect to host
 aaron-gustafson.com: did not receive HSTS header
-aaronmcguire.me: did not receive HSTS header
+aaronmcguire.me: could not connect to host
 aarvinproperties.com: could not connect to host
 ab-bauservice-berlin.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 abacus-events.co.uk: did not receive HSTS header
-abacustech.net: did not receive HSTS header
-abacustech.org: did not receive HSTS header
 abareplace.com: did not receive HSTS header
 abasky.net: could not connect to host
 abcdentalcare.com: did not receive HSTS header
 abcdobebe.com: did not receive HSTS header
-abchelp.net: did not receive HSTS header
+abchelp.net: could not connect to host
+abdullah.pw: could not connect to host
 abearofsoap.com: could not connect to host
 abecodes.net: could not connect to host
-abeontech.com: could not connect to host
 aberdeenalmeras.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 abi-fvs.de: could not connect to host
 abigailstark.com: could not connect to host
@@ -560,24 +605,21 @@ abou.to: could not connect to host
 about.ge: did not receive HSTS header
 aboutassistedliving.org: did not receive HSTS header
 aboutmyip.info: did not receive HSTS header
-aboutmyproperty.ca: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 aboutyou-deals.de: could not connect to host
 abraxan.pro: could not connect to host
 absimple.ca: did not receive HSTS header
 absinthium.ch: could not connect to host
 absolutewaterproofingsolutions.com: did not receive HSTS header
 abstractbarista.com: could not connect to host
-abstractbarista.net: could not connect to host
 abt.de: did not receive HSTS header
 abtom.de: did not receive HSTS header
 abury.fr: did not receive HSTS header
 abury.me: did not receive HSTS header
 abyssgaming.eu: could not connect to host
-ac-epmservices.com: could not connect to host
 ac.milan.it: did not receive HSTS header
 acabadosboston.com: could not connect to host
 academialowcost.com.br: did not receive HSTS header
-academicenterprise.org: could not connect to host
+academicenterprise.org: did not receive HSTS header
 academy4.net: did not receive HSTS header
 acadianapatios.com: did not receive HSTS header
 acai51.net: could not connect to host
@@ -598,16 +640,18 @@ accwing.com: could not connect to host
 aceadvisory.biz: did not receive HSTS header
 acelpb.com: could not connect to host
 acemypaper.com: could not connect to host
+acevik.de: could not connect to host
 acg.mn: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 acg.sb: could not connect to host
+acg18.us: max-age too low: 0
 acgaudio.com: could not connect to host
-acgmoon.org: did not receive HSTS header
 acgpiano.club: could not connect to host
 acheirj.com.br: could not connect to host
-acheritage.co.uk: did not receive HSTS header
+acheritage.co.uk: could not connect to host
 achmadfamily.com: could not connect to host
 achow101.com: did not receive HSTS header
 achterhoekseveiligheidsbeurs.nl: could not connect to host
+acidbin.co: could not connect to host
 acisonline.net: did not receive HSTS header
 acksoft.fr: did not receive HSTS header
 acksoftdemo.fr: did not receive HSTS header
@@ -618,37 +662,42 @@ acr.im: could not connect to host
 acraft.org: could not connect to host
 acrepairdrippingsprings.com: could not connect to host
 acritelli.com: did not receive HSTS header
+across.ml: could not connect to host
 acrossgw.com: could not connect to host
 acsihostingsolutions.com: did not receive HSTS header
 acslimited.co.uk: did not receive HSTS header
+actc81.fr: could not connect to host
 actilove.ch: could not connect to host
 actiontowingroundrock.com: could not connect to host
 activateplay.com: did not receive HSTS header
 active-escape.com: did not receive HSTS header
 activeclearweb.com: could not connect to host
 activeweb.top: could not connect to host
+activeworld.net: max-age too low: 2592000
 activistasconstructivos.org: did not receive HSTS header
 activiti.alfresco.com: did not receive HSTS header
 actu-film.com: max-age too low: 0
 actu-medias.com: could not connect to host
 actualite-videos.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+acupofsalt.tv: could not connect to host
 acuve.jp: could not connect to host
-acyume.com: did not receive HSTS header
 ad-disruptio.fr: could not connect to host
 ad13.in: could not connect to host
 ada.is: max-age too low: 2592000
 adajwells.me: could not connect to host
-adambryant.ca: could not connect to host
 adamcoffee.net: could not connect to host
 adamdixon.co.uk: could not connect to host
+adamjoycegames.co.uk: could not connect to host
 adamricheimer.com: could not connect to host
 adamsfoundationrepair.com: did not receive HSTS header
+adamwilcox.org: did not receive HSTS header
 adamwk.com: did not receive HSTS header
 adastra.re: could not connect to host
 adblock.ovh: could not connect to host
 adboos.com: could not connect to host
 addaxpetroleum.com: could not connect to host
 addcrazy.com: did not receive HSTS header
+addiko.net: could not connect to host
 addvocate.com: could not connect to host
 adec-emsa.ae: could not connect to host
 adelaides.com: did not receive HSTS header
@@ -669,8 +718,6 @@ admin-forms.co.uk: did not receive HSTS header
 admin-numerique.com: did not receive HSTS header
 admin.google.com: did not receive HSTS header (error ignored - included regardless)
 adminwerk.com: did not receive HSTS header
-adminwerk.net: did not receive HSTS header
-admiral.dp.ua: did not receive HSTS header
 admitcard.co.in: could not connect to host
 admsel.ec: could not connect to host
 adoal.net: did not receive HSTS header
@@ -679,6 +726,7 @@ adonairelogios.com.br: could not connect to host
 adoniscabaret.co.uk: could not connect to host
 adopteunsiteflash.com: could not connect to host
 adora-illustrations.fr: did not receive HSTS header
+adorade.ro: could not connect to host
 adprospb.com: did not receive HSTS header
 adquisitio.de: could not connect to host
 adquisitio.in: could not connect to host
@@ -701,15 +749,18 @@ advancedplasticsurgerycenter.com: did not receive HSTS header
 advancedseotool.it: did not receive HSTS header
 advancedstudio.ro: could not connect to host
 advancedwriters.com: could not connect to host
-advantagemechanicalinc.com: could not connect to host
+advantagemechanicalinc.com: did not receive HSTS header
+advelty.cz: could not connect to host
 adventistdeploy.org: could not connect to host
 adventures.is: did not receive HSTS header
 adver.top: could not connect to host
 advertisemant.com: could not connect to host
+advicepro.org.uk: did not receive HSTS header
 adviespuntklokkenluiders.nl: could not connect to host
 adzie.xyz: could not connect to host
 adzuna.co.uk: did not receive HSTS header
 aegialis.com: did not receive HSTS header
+aelisya.ch: could not connect to host
 aelurus.com: could not connect to host
 aemoria.com: could not connect to host
 aeon.wiki: could not connect to host
@@ -726,67 +777,68 @@ aevpn.net: could not connect to host
 aevpn.org: could not connect to host
 aeyoun.com: did not receive HSTS header
 af-fotografie.net: did not receive HSTS header
+af-internet.nl: did not receive HSTS header
 afdkompakt.de: max-age too low: 86400
 afeefzarapackages.com: did not receive HSTS header
 affily.io: could not connect to host
 affinity.vc: did not receive HSTS header
+affloc.com: could not connect to host
 affordablebouncycastle.co.uk: did not receive HSTS header
 affordablepapers.com: could not connect to host
 aficotroceni.ro: did not receive HSTS header
 afiru.net: could not connect to host
 aflamtorrent.com: could not connect to host
-afmchandler.com: did not receive HSTS header
+afmchandler.com: could not connect to host
 afp548.tk: could not connect to host
-after.im: did not receive HSTS header
+africatravel.de: did not receive HSTS header
+after.im: could not connect to host
+afterskool.eu: could not connect to host
 afterstack.net: could not connect to host
-afvallendoeje.nu: did not receive HSTS header
+afvallendoeje.nu: could not connect to host
 afyou.co.kr: could not connect to host
+afzco.asia: did not receive HSTS header
 agalaxyfarfaraway.co.uk: could not connect to host
 agatheetraphael.fr: could not connect to host
-agbremen.de: did not receive HSTS header
+agbremen.de: could not connect to host
 agdalieso.com.ba: could not connect to host
 agelesscitizen.com: could not connect to host
 agelesscitizens.com: could not connect to host
 agenbettingasia.com: did not receive HSTS header
+agenceactiv.immo: did not receive HSTS header
+agenceklic.com: did not receive HSTS header
 agenciagriff.com: did not receive HSTS header
 agencymanager.be: could not connect to host
 agentseeker.ca: could not connect to host
 agevio.com: could not connect to host
 agiairini.cz: could not connect to host
 agilebits.net: could not connect to host
-agileecommerce.com.br: could not connect to host
 agingstop.net: could not connect to host
-agonswim.com: could not connect to host
+agonswim.com: did not receive HSTS header
 agoravm.tk: could not connect to host
 agowa.eu: did not receive HSTS header
 agowa338.de: did not receive HSTS header
-agracan.com: could not connect to host
 agrafix.design: did not receive HSTS header
-agrarking.com: could not connect to host
 agrias.com.br: did not receive HSTS header
 agrikulturchic.com: could not connect to host
 agrimap.com: did not receive HSTS header
 agro-id.gov.ua: did not receive HSTS header
 agro.rip: did not receive HSTS header
 agroglass.com.br: did not receive HSTS header
-agroyard.com.ua: could not connect to host
 agtv.com.br: did not receive HSTS header
 ahabingo.com: did not receive HSTS header
 ahelos.tk: could not connect to host
 ahiru3.com: did not receive HSTS header
-ahkubiak.ovh: could not connect to host
 aholic.co: did not receive HSTS header
-ahoynetwork.com: could not connect to host
+ahoynetwork.com: did not receive HSTS header
 ahri.ovh: could not connect to host
 ahsin.online: could not connect to host
 ahwah.net: could not connect to host
-ahwatukeefoothillsmontessori.com: did not receive HSTS header
+ahwatukeefoothillsmontessori.com: could not connect to host
 ai1989.com: could not connect to host
 aibaoyou.com: could not connect to host
 aibsoftware.mx: could not connect to host
-aicial.com: could not connect to host
+aicial.com: did not receive HSTS header
 aicial.com.au: could not connect to host
-aid-web.ch: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 aidanwoods.com: did not receive HSTS header
 aide-admin.com: did not receive HSTS header
 aide-valais.ch: could not connect to host
@@ -794,9 +846,9 @@ aidikofflaw.com: did not receive HSTS header
 aiesecarad.ro: could not connect to host
 aifreeze.ru: could not connect to host
 aify.eu: could not connect to host
+aiheisi.com: did not receive HSTS header
 aikenorganics.com: could not connect to host
 aim-consultants.com: did not receive HSTS header
-aimerworld.com: did not receive HSTS header
 aimrom.org: could not connect to host
 ainrb.com: could not connect to host
 aioboot.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -808,10 +860,9 @@ airconsalberton.co.za: did not receive HSTS header
 airconsboksburg.co.za: did not receive HSTS header
 airconsfourways.co.za: did not receive HSTS header
 airconsmidrand.co.za: did not receive HSTS header
+airconssandton.co.za: did not receive HSTS header
 airedaleterrier.com.br: could not connect to host
 airfax.io: could not connect to host
-airhorn.de: did not receive HSTS header
-airicy.com: did not receive HSTS header
 airlea.com: could not connect to host
 airlinecheckins.com: did not receive HSTS header
 airlinesettlement.com: did not receive HSTS header
@@ -822,15 +873,19 @@ airsick.guide: did not receive HSTS header
 airtimefranchise.com: did not receive HSTS header
 aishnair.com: could not connect to host
 aisle3.space: could not connect to host
+aisr.nl: did not receive HSTS header
 aiticon.de: did not receive HSTS header
 aivene.com: could not connect to host
 aiw-thkoeln.online: could not connect to host
 aixxe.net: did not receive HSTS header
+aizxxs.com: could not connect to host
+aizxxs.net: could not connect to host
 ajetaci.cz: could not connect to host
 ajibot.com: could not connect to host
 ajmahal.com: could not connect to host
 ajouin.com: could not connect to host
 ajw-group.com: did not receive HSTS header
+ak-webit.de: could not connect to host
 aka.my: did not receive HSTS header
 akboy.pw: could not connect to host
 akclinics.org: did not receive HSTS header
@@ -841,20 +896,22 @@ akhilindurti.com: could not connect to host
 akhras.at: did not receive HSTS header
 akiba-server.info: could not connect to host
 akihiro.xyz: could not connect to host
+akita-boutique.com: could not connect to host
 akita-stream.com: could not connect to host
 akkadia.cc: could not connect to host
-akkeylab.com: could not connect to host
 akoch.net: could not connect to host
 akombakom.net: could not connect to host
 akracing.se: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+akritikos.info: could not connect to host
 akselimedia.fi: could not connect to host
 akstudentsfirst.org: could not connect to host
 aktan.com.br: could not connect to host
-aktivist.in: could not connect to host
+aktivist.in: did not receive HSTS header
+aktuelle-uhrzeit.at: did not receive HSTS header
 akul.co.in: could not connect to host
 al-f.net: could not connect to host
 al-shami.net: could not connect to host
-alanhuang.name: did not receive HSTS header
+al3366.tech: could not connect to host
 alanlee.net: could not connect to host
 alanrickmanflipstable.com: did not receive HSTS header
 alanya.law: did not receive HSTS header
@@ -867,13 +924,13 @@ alauda-home.de: could not connect to host
 alaundeil.xyz: could not connect to host
 albanien.guide: could not connect to host
 alberguecimballa.es: could not connect to host
-albertbogdanowicz.pl: could not connect to host
 albertify.xyz: could not connect to host
 albertonplumber24-7.co.za: did not receive HSTS header
 albertopimienta.com: did not receive HSTS header
+albuic.tk: could not connect to host
 alcantarafleuriste.com: did not receive HSTS header
 alcatelonetouch.us: could not connect to host
-alcatraz.online: could not connect to host
+alcatraz.online: did not receive HSTS header
 alcazaar.com: could not connect to host
 alchemia.co.il: did not receive HSTS header
 alcorao.org: could not connect to host
@@ -885,16 +942,15 @@ aledg.cl: could not connect to host
 alenan.org: could not connect to host
 aleph.land: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 alertaenlinea.gov: did not receive HSTS header
-alessandro.pw: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-alessandroonline.com.br: did not receive HSTS header
+alessandro.pw: could not connect to host
 alessandroz.ddns.net: could not connect to host
 alessandroz.pro: could not connect to host
 alethearose.com: did not receive HSTS header
 alexandernorth.ch: could not connect to host
 alexandre.sh: did not receive HSTS header
+alexdaulby.com: did not receive HSTS header
 alexdodge.ca: did not receive HSTS header
 alexfisherhealth.com.au: did not receive HSTS header
-alexgebhard.com: could not connect to host
 alexhaydock.co.uk: did not receive HSTS header
 alexischaussy.xyz: could not connect to host
 alexismeza.com: could not connect to host
@@ -906,19 +962,24 @@ alexkidd.de: did not receive HSTS header
 alexmak.net: did not receive HSTS header
 alexmol.tk: could not connect to host
 alexperry.io: could not connect to host
+alexsinnott.me: could not connect to host
 alfa24.pro: could not connect to host
+alfaperfumes.com.br: could not connect to host
 alfaponny.se: could not connect to host
 alfirous.com: could not connect to host
 alfredxing.com: did not receive HSTS header
 algarmatic-automatismos.pt: could not connect to host
 algebraaec.com: did not receive HSTS header
+algercounty.gov: could not connect to host
 alghaib.com: could not connect to host
-alibababee.com: did not receive HSTS header
+alibababee.com: could not connect to host
+alibip.de: could not connect to host
 alicialab.org: could not connect to host
 alien.bz: did not receive HSTS header
 alilialili.ga: could not connect to host
 alinemaciel.adm.br: could not connect to host
 alinode.com: could not connect to host
+alis-test.tk: could not connect to host
 alistairholland.me: did not receive HSTS header
 alistairpialek.com: max-age too low: 86400
 alisync.com: could not connect to host
@@ -928,7 +989,7 @@ aljammaz.holdings: could not connect to host
 aljmz.com: did not receive HSTS header
 alkami.com: max-age too low: 0
 alkamitech.com: max-age too low: 0
-alkel.info: could not connect to host
+alkel.info: did not receive HSTS header
 all-subtitles.com: could not connect to host
 all.tf: could not connect to host
 all4os.com: did not receive HSTS header
@@ -936,17 +997,22 @@ allaboutbelgaum.com: did not receive HSTS header
 alldaymonitoring.com: could not connect to host
 alldm.ru: could not connect to host
 allegro-inc.com: did not receive HSTS header
+allemobieleproviders.nl: could not connect to host
+allenosgood.com: could not connect to host
 allerbestefreunde.de: did not receive HSTS header
+allfreelancers.su: did not receive HSTS header
 allgrass.es: did not receive HSTS header
 allgrass.net: did not receive HSTS header
 allhard.org: could not connect to host
 alliance-compacts.com: did not receive HSTS header
 allinnote.com: could not connect to host
-allinonecyprus.com: did not receive HSTS header
+allinone-ranking150.com: did not receive HSTS header
+allinonecyprus.com: could not connect to host
 allkindzabeats.com: did not receive HSTS header
 allladyboys.com: could not connect to host
 allmbw.com: could not connect to host
 allmystery.de: did not receive HSTS header
+allo-symo.fr: did not receive HSTS header
 allods-zone.ru: did not receive HSTS header
 alloffice.com.ua: did not receive HSTS header
 alloinformatique.net: could not connect to host
@@ -957,12 +1023,12 @@ allrealty.co.za: could not connect to host
 allscammers.exposed: could not connect to host
 allseasons-cleaning.co.uk: could not connect to host
 allsortscastles.co.uk: could not connect to host
+allstarautokiaparts.com: could not connect to host
 allstarswithus.com: could not connect to host
 allstorebrasil.com.br: could not connect to host
 alltheducks.com: max-age too low: 43200
 allthingsblogging.com: could not connect to host
 allthingsfpl.com: could not connect to host
-alltubedownload.net: could not connect to host
 almagalla.com: could not connect to host
 almatinki.com: could not connect to host
 aloalabs.com: did not receive HSTS header
@@ -971,8 +1037,10 @@ alorenzi.eu: did not receive HSTS header
 alp.net.cn: could not connect to host
 alparque.com: did not receive HSTS header
 alpe-d-or.dyn-o-saur.com: could not connect to host
+alpencam.com: could not connect to host
 alpha.irccloud.com: could not connect to host
 alphabit-secure.com: could not connect to host
+alphabrock.cn: could not connect to host
 alphabuild.io: could not connect to host
 alphagamers.net: did not receive HSTS header
 alphahunks.com: could not connect to host
@@ -987,14 +1055,15 @@ altailife.ru: did not receive HSTS header
 altamarea.se: could not connect to host
 altbinaries.com: could not connect to host
 alteqnia.com: could not connect to host
-altercpa.ru: did not receive HSTS header
+altercpa.ru: max-age too low: 0
 altered.network: could not connect to host
 altfire.ca: could not connect to host
 altiacaselight.com: could not connect to host
 altitudemoversdenver.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-altoneum.com: did not receive HSTS header
+altoneum.com: could not connect to host
 altporn.xyz: could not connect to host
 altruistgroup.net: max-age too low: 300
+alttrackr.com: could not connect to host
 aluminium-scaffolding.co.uk: could not connect to host
 alunjam.es: did not receive HSTS header
 alunonaescola.com.br: did not receive HSTS header
@@ -1007,8 +1076,12 @@ am8888.top: could not connect to host
 amaderelectronics.com: max-age too low: 2592000
 amadilo.de: could not connect to host
 amadoraslindas.com: could not connect to host
+amaforro.com: could not connect to host
 amaforums.org: did not receive HSTS header
+amalficoastchauffeur.com: could not connect to host
+amalfirock.it: could not connect to host
 amandaonishi.com: could not connect to host
+amandaworldstudies.com: could not connect to host
 amaranthus.com.ph: could not connect to host
 amateri.com: could not connect to host
 amatzen.dk: did not receive HSTS header
@@ -1031,6 +1104,7 @@ americansforcommunitydevelopment.org: did not receive HSTS header
 americansportsinstitute.org: did not receive HSTS header
 americanworkwear.nl: did not receive HSTS header
 ameschristian.net: did not receive HSTS header
+amesplash.co.uk: did not receive HSTS header
 amethystcards.co.uk: could not connect to host
 ameza.co.uk: could not connect to host
 ameza.com.mx: could not connect to host
@@ -1049,7 +1123,7 @@ amin.one: could not connect to host
 amisharingstuff.com: could not connect to host
 amishsecurity.com: could not connect to host
 amitse.com: did not receive HSTS header
-amitube.com: did not receive HSTS header
+amitube.com: could not connect to host
 amleeds.co.uk: did not receive HSTS header
 amlvfs.net: could not connect to host
 ammoulianiapartments.com: did not receive HSTS header
@@ -1069,14 +1143,13 @@ anacruz.es: did not receive HSTS header
 anadoluefessk.org: did not receive HSTS header
 anadoluefessporkulubu.org: could not connect to host
 anagra.ms: could not connect to host
-anaiscoachpersonal.es: could not connect to host
 anaisypirueta.es: did not receive HSTS header
+anajianu.ro: max-age too low: 2592000
 anakros.me: could not connect to host
 analangelsteen.com: could not connect to host
 analpantyhose.org: could not connect to host
 analteengirls.net: could not connect to host
 analytic-s.ml: could not connect to host
-analytics-shop.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 analyticsinmotion.net: could not connect to host
 analyzemyfriends.com: could not connect to host
 anastasiafond.com: did not receive HSTS header
@@ -1085,10 +1158,10 @@ anchorgrounds.com: did not receive HSTS header
 anchorinmarinainc.com: did not receive HSTS header
 ancient-gates.de: could not connect to host
 ancientkarma.com: could not connect to host
-ancientnorth.com: did not receive HSTS header
 andbraiz.com: did not receive HSTS header
-andere-gedanken.net: max-age too low: 10
+andere-gedanken.net: did not receive HSTS header
 anderslind.dk: could not connect to host
+andiscyber.space: could not connect to host
 andreagobetti.com: did not receive HSTS header
 andreas-kluge.eu: could not connect to host
 andreasanti.net: did not receive HSTS header
@@ -1098,25 +1171,25 @@ andreasfritz-fotografie.de: could not connect to host
 andreaskluge.eu: could not connect to host
 andreasr.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 andreastoneman.com: could not connect to host
+andrefaber.nl: did not receive HSTS header
 andrei-coman.com: did not receive HSTS header
 andreigec.net: did not receive HSTS header
-andrejbenz.com: could not connect to host
+andrejstefanovski.com: did not receive HSTS header
 andrepicard.de: could not connect to host
 andrerose.ca: did not receive HSTS header
-andrespaz.com: could not connect to host
 andrewbroekman.com: could not connect to host
 andrewdavidwong.com: did not receive HSTS header
 andrewdaws.co: could not connect to host
 andrewdaws.info: could not connect to host
 andrewdaws.me: could not connect to host
 andrewdaws.tv: could not connect to host
-andrewhowden.com: did not receive HSTS header
 andrewmichaud.beer: could not connect to host
 andrewrdaws.com: could not connect to host
 andrewregan.me: could not connect to host
 andrewtebert.com: did not receive HSTS header
 andrewthelott.net: could not connect to host
 andrewvoce.com: did not receive HSTS header
+andrewx.net: could not connect to host
 andrewyg.net: could not connect to host
 andreypopp.com: could not connect to host
 android: could not connect to host
@@ -1130,6 +1203,7 @@ andycloud.dynu.net: could not connect to host
 andycraftz.eu: did not receive HSTS header
 andymartin.cc: could not connect to host
 andymelichar.com: max-age too low: 0
+andys-place.co.uk: could not connect to host
 andyuk.org: could not connect to host
 anecuni-club.com: could not connect to host
 anecuni-rec.com: could not connect to host
@@ -1137,6 +1211,7 @@ anendlesssupply.co.uk: did not receive HSTS header
 anfenglish.com: did not receive HSTS header
 anfsanchezo.co: could not connect to host
 anfsanchezo.me: could not connect to host
+ange-de-bonheur444.com: could not connect to host
 angelic47.com: could not connect to host
 angeloroberto.ch: did not receive HSTS header
 angeloventuri.com: did not receive HSTS header
@@ -1144,7 +1219,6 @@ angervillelorcher.fr: did not receive HSTS header
 anghami.com: did not receive HSTS header
 anglertanke.de: could not connect to host
 anglictinatabor.cz: could not connect to host
-angrut.com: could not connect to host
 angry-monk.com: could not connect to host
 angrydragonproductions.com: could not connect to host
 angrylab.com: did not receive HSTS header
@@ -1154,10 +1228,11 @@ aniaimichal.eu: could not connect to host
 anim.ee: could not connect to host
 animalnet.de: max-age too low: 7776000
 animalstropic.com: could not connect to host
-animatelluris.nl: max-age too low: 300
+animatelluris.nl: max-age too low: 2628000
 anime1.top: could not connect to host
 anime1video.tk: could not connect to host
 animeday.ml: could not connect to host
+animes-portal.info: did not receive HSTS header
 animesfusion.com.br: could not connect to host
 animurecs.com: could not connect to host
 aniplus.cf: could not connect to host
@@ -1167,23 +1242,25 @@ anisekai.com: max-age too low: 2592000
 anita-mukorom.hu: did not receive HSTS header
 anitklib.ml: could not connect to host
 anitube-nocookie.ch: could not connect to host
-anivar.net: did not receive HSTS header
+anivar.net: could not connect to host
 ankakaak.com: could not connect to host
 ankaraprofesyonelnakliyat.com: did not receive HSTS header
-ankaraprofesyonelnakliyat.com.tr: did not receive HSTS header
+ankaraprofesyonelnakliyat.com.tr: could not connect to host
+ankenbrand.me: did not receive HSTS header
 ankitha.in: max-age too low: 0
 ankya9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 anlp.top: could not connect to host
 annabellaw.com: did not receive HSTS header
 annahmeschluss.de: did not receive HSTS header
-annangela.moe: did not receive HSTS header
 annarbor.group: did not receive HSTS header
 annetaan.fi: could not connect to host
 annevankesteren.com: could not connect to host
 annevankesteren.org: could not connect to host
 annicascakes.nl: could not connect to host
+annotate.software: could not connect to host
 annrusnak.com: did not receive HSTS header
 annsbouncycastles.com: could not connect to host
+anohana.org: could not connect to host
 anomaly.ws: did not receive HSTS header
 anonboards.com: could not connect to host
 anonrea.ch: could not connect to host
@@ -1198,6 +1275,7 @@ ansermfg.com: max-age too low: 0
 ansgar.tk: could not connect to host
 anshuman-chatterjee.com: did not receive HSTS header
 anshumanbiswas.com: could not connect to host
+ansibeast.net: did not receive HSTS header
 answers-online.ru: could not connect to host
 ant.land: could not connect to host
 antecim.fr: could not connect to host
@@ -1209,11 +1287,10 @@ anthonyavon.com: could not connect to host
 anthonyloop.com: did not receive HSTS header
 anthro.id: did not receive HSTS header
 antifraud.net.ru: could not connect to host
-antimatiere.space: could not connect to host
+antimatiere.space: did not receive HSTS header
 antimine.kr: could not connect to host
 antipa.ch: could not connect to host
 antirayapmalang.com: did not receive HSTS header
-antocom.com: could not connect to host
 antoine-roux.fr: did not receive HSTS header
 antoinebetas.be: max-age too low: 0
 antoined.fr: did not receive HSTS header
@@ -1224,10 +1301,12 @@ antoniorequena.com.ve: could not connect to host
 antons.io: did not receive HSTS header
 antraxx.ee: could not connect to host
 antscript.com: did not receive HSTS header
-anttitenhunen.com: could not connect to host
 anunayk.com: could not connect to host
-anycoin.me: could not connect to host
+anycoin.me: did not receive HSTS header
 anyfood.fi: could not connect to host
+anypool.fr: did not receive HSTS header
+anypool.net: did not receive HSTS header
+anyprime.net: could not connect to host
 anytonetech.com: did not receive HSTS header
 anyways.at: could not connect to host
 aobogo.com: could not connect to host
@@ -1246,29 +1325,34 @@ apaginastore.com.br: could not connect to host
 apeasternpower.com: could not connect to host
 aperim.com: max-age too low: 43200
 aperture-laboratories.science: did not receive HSTS header
+apexitsolutions.ca: could not connect to host
 api.mega.co.nz: could not connect to host
 apibot.de: could not connect to host
 apience.com: did not receive HSTS header
+apila.care: could not connect to host
 apila.us: could not connect to host
+apiled.io: could not connect to host
 apis.blue: could not connect to host
 apis.google.com: did not receive HSTS header (error ignored - included regardless)
 apis.world: could not connect to host
 apivia.fr: did not receive HSTS header
 apkdv.com: did not receive HSTS header
+apkmod.id: did not receive HSTS header
 apkoyunlar.club: could not connect to host
 apkriver.com: did not receive HSTS header
 apl2bits.net: did not receive HSTS header
-apm.com.tw: did not receive HSTS header
 apmg-certified.com: did not receive HSTS header
 apmg-cyber.com: did not receive HSTS header
 apmpproject.org: did not receive HSTS header
 apnakliyat.com: did not receive HSTS header
-apolloyl.com: could not connect to host
+apo-deutschland.biz: could not connect to host
+apolloyl.com: did not receive HSTS header
 apollyon.work: could not connect to host
 aponkral.site: could not connect to host
 aponkralsunucu.com: could not connect to host
 aponow.de: did not receive HSTS header
-apotheek-nl.org: max-age too low: 3600
+apostilasaprovacao.com: could not connect to host
+apotheek-nl.org: did not receive HSTS header
 app: could not connect to host
 app-arena.com: did not receive HSTS header
 app.manilla.com: could not connect to host
@@ -1277,13 +1361,15 @@ appart.ninja: could not connect to host
 appcoins.io: did not receive HSTS header
 appdb.cc: did not receive HSTS header
 appdrinks.com: could not connect to host
+appel-aide.ch: could not connect to host
 appeldorn.me: did not receive HSTS header
 appengine.google.com: did not receive HSTS header (error ignored - included regardless)
+appformacpc.com: did not receive HSTS header
 appimlab.it: could not connect to host
 apple-watch-zubehoer.de: could not connect to host
 apple.ax: could not connect to host
 applejacks-bouncy-castles.co.uk: could not connect to host
-applewatch.co.nz: could not connect to host
+applewatch.co.nz: did not receive HSTS header
 applez.xyz: could not connect to host
 appliancerepairlosangeles.com: did not receive HSTS header
 applic8.com: did not receive HSTS header
@@ -1291,7 +1377,6 @@ apply55gx.com: could not connect to host
 appointed.at: did not receive HSTS header
 appraisal-comps.com: could not connect to host
 appreciationkards.com: did not receive HSTS header
-apprenticeships.gov: did not receive HSTS header
 approlys.fr: did not receive HSTS header
 apps-for-fishing.com: could not connect to host
 apps4all.sytes.net: could not connect to host
@@ -1301,13 +1386,13 @@ appson.co.uk: did not receive HSTS header
 apptoutou.com: could not connect to host
 appuro.com: did not receive HSTS header
 appxcrypto.com: did not receive HSTS header
-aproposcomputing.com: could not connect to host
+aprefix.com: could not connect to host
 aprpullmanportermuseum.org: did not receive HSTS header
-aprr.org: could not connect to host
 aptitude9.com: could not connect to host
 aqilacademy.com.au: could not connect to host
 aqqrate.com: could not connect to host
 aquariumaccessories.shop: could not connect to host
+aquaron.com: did not receive HSTS header
 aquilaguild.com: could not connect to host
 aquilalab.com: could not connect to host
 aquireceitas.com: did not receive HSTS header
@@ -1332,12 +1417,13 @@ arctica.io: did not receive HSTS header
 ardao.me: could not connect to host
 ardorlabs.se: did not receive HSTS header
 area3.org: could not connect to host
+area536.com: did not receive HSTS header
 areallyneatwebsite.com: could not connect to host
 arent.kz: did not receive HSTS header
 arenzanaphotography.com: could not connect to host
-areqgaming.com: could not connect to host
-arewedubstepyet.com: did not receive HSTS header
+arewedubstepyet.com: could not connect to host
 areyouever.me: could not connect to host
+argama-nature.com: did not receive HSTS header
 argennon.xyz: could not connect to host
 argh.io: could not connect to host
 arguggi.co.uk: could not connect to host
@@ -1345,6 +1431,7 @@ ariaartgallery.com: did not receive HSTS header
 ariacreations.net: did not receive HSTS header
 arifburhan.online: could not connect to host
 arifp.me: could not connect to host
+arimarie.com: could not connect to host
 arinflatablefun.co.uk: could not connect to host
 arislight.com: could not connect to host
 aristilabs.com: did not receive HSTS header
@@ -1352,12 +1439,12 @@ aristocratps.com: did not receive HSTS header
 arithxu.com: did not receive HSTS header
 arizer.com: did not receive HSTS header
 arka.gq: did not receive HSTS header
+arkbyte.com: did not receive HSTS header
 arknodejs.com: could not connect to host
 arlen.io: could not connect to host
 arlen.se: could not connect to host
 arlet.click: could not connect to host
 arlingtonwine.net: could not connect to host
-arm-host.com: did not receive HSTS header
 arm.gov: could not connect to host
 armazemdaminiatura.com.br: could not connect to host
 armeni-jewellery.gr: did not receive HSTS header
@@ -1387,16 +1474,15 @@ arrowgrove.com: could not connect to host
 ars-design.net: could not connect to host
 arsenal.ru: could not connect to host
 arsk1.com: could not connect to host
-art2web.net: could not connect to host
 artansoft.com: could not connect to host
 artaronquieres.com: did not receive HSTS header
 artartefatos.com.br: could not connect to host
 artbytik.ru: did not receive HSTS header
+arteequipamientos.com.uy: did not receive HSTS header
 artegusto.ru: did not receive HSTS header
 artemicroway.com.br: could not connect to host
 arteseideias.com.pt: did not receive HSTS header
 artesupra.com: did not receive HSTS header
-arthan.me: could not connect to host
 arti-group.ml: max-age too low: 2592000
 articaexports.com: could not connect to host
 artifex21.com: did not receive HSTS header
@@ -1408,14 +1494,16 @@ artisense.de: could not connect to host
 artisphere.ch: did not receive HSTS header
 artisticedgegranite.net: could not connect to host
 artistnetwork.nl: did not receive HSTS header
+artmaxi.eu: could not connect to host
 artnims.com: could not connect to host
 arto.bg: did not receive HSTS header
 artofeyes.nl: could not connect to host
 artsinthevalley.net.au: did not receive HSTS header
 artstopinc.com: did not receive HSTS header
+arturkohut.com: could not connect to host
 artyland.ru: could not connect to host
 arvamus.eu: could not connect to host
-arxell.com: did not receive HSTS header
+arw.me: did not receive HSTS header
 arzaroth.com: did not receive HSTS header
 as.se: could not connect to host
 as9178.net: could not connect to host
@@ -1425,62 +1513,66 @@ asana.studio: did not receive HSTS header
 asasuou.pw: could not connect to host
 asc16.com: could not connect to host
 aschaefer.net: could not connect to host
-ascii.moe: could not connect to host
 asdpress.cn: could not connect to host
+aseith.com: could not connect to host
+aseko.gr: did not receive HSTS header
 asepms.com: max-age too low: 7776000
-asge-handel.de: did not receive HSTS header
+ashd1.goip.de: could not connect to host
+ashd2.goip.de: could not connect to host
+ashd3.goip.de: could not connect to host
 ashlane-cottages.com: could not connect to host
 ashleakunowski.com: could not connect to host
 ashleyadum.com: could not connect to host
 ashleyfoley.photography: could not connect to host
+ashleymadison.com: could not connect to host
 ashleymedway.com: could not connect to host
 asian-archi.com.tw: did not receive HSTS header
 asianbet77.co: did not receive HSTS header
 asianbet77.net: did not receive HSTS header
-asiesvenezuela.com: could not connect to host
 asisee.co.il: could not connect to host
-asisee.photography: could not connect to host
-ask.pe: could not connect to host
 askfit.cz: did not receive HSTS header
 askmagicconch.com: could not connect to host
+aslinfinity.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 asm-x.com: could not connect to host
 asmik-armenie.com: did not receive HSTS header
 asmm.cc: did not receive HSTS header
 asmui.ga: could not connect to host
 asmui.ml: did not receive HSTS header
 asoftwareco.com: did not receive HSTS header
-aspargesgaarden.no: could not connect to host
 asphaltfruehling.de: could not connect to host
+aspisdata.com: did not receive HSTS header
 asral7.com: could not connect to host
-asryflorist.com: could not connect to host
-ass.org.au: could not connect to host
+asryflorist.com: did not receive HSTS header
+ass.org.au: did not receive HSTS header
 assadrivesloirecher.com: did not receive HSTS header
 assdecoeur.org: could not connect to host
 assekuranzjobs.de: could not connect to host
 asset-alive.com: did not receive HSTS header
 asset-alive.net: could not connect to host
+assetict.com: max-age too low: 0
 assetsupervision.com: could not connect to host
-assindia.nl: could not connect to host
+assindia.nl: did not receive HSTS header
 assistance-personnes-agees.ch: could not connect to host
 assistcart.com: could not connect to host
 assurancesmons.be: did not receive HSTS header
 astaninki.com: could not connect to host
+astenretail.com: could not connect to host
 asthon.cn: could not connect to host
 astraalivankila.net: could not connect to host
 astral.gq: did not receive HSTS header
-astral.org.pl: could not connect to host
 astrath.net: could not connect to host
 astrea-voetbal-groningen.nl: could not connect to host
 astrolpost.com: could not connect to host
 astromelody.com: did not receive HSTS header
 astronomie-fulda.de: did not receive HSTS header
-astrosnail.pt.eu.org: could not connect to host
 astutr.co: could not connect to host
 asuhe.cc: could not connect to host
 asuhe.win: did not receive HSTS header
 asuhe.xyz: could not connect to host
-async.be: max-age too low: 0
+async.be: could not connect to host
+at-one.ca: did not receive HSTS header
 at1.co: could not connect to host
+ataber.pw: could not connect to host
 atacadooptico.com.br: could not connect to host
 atavio.at: could not connect to host
 atavio.ch: could not connect to host
@@ -1489,6 +1581,7 @@ atbeckett.com: did not receive HSTS header
 atcreform.gov: did not receive HSTS header
 atelier-rk.com: did not receive HSTS header
 atelier-viennois-cannes.fr: could not connect to host
+atelierhupsakee.nl: did not receive HSTS header
 ateliernihongo.ch: did not receive HSTS header
 ateliersantgervasi.com: did not receive HSTS header
 atg.soy: could not connect to host
@@ -1496,27 +1589,27 @@ athaliasoft.com: could not connect to host
 athenelive.com: could not connect to host
 athensbusinessresources.us: could not connect to host
 atheoryofchange.com: could not connect to host
+atherosense.ga: could not connect to host
 athi.pl: did not receive HSTS header
 athul.xyz: could not connect to host
 atk.me: could not connect to host
 atkdesign.pt: did not receive HSTS header
-atlantaspringroll.com: could not connect to host
-atlantichomes.com.au: could not connect to host
+atlantahairsurgeon.com: did not receive HSTS header
 atlas-5.site: could not connect to host
 atlas-staging.ml: could not connect to host
 atlas.co: did not receive HSTS header
 atlassian.net: did not receive HSTS header
-atlayo.com: did not receive HSTS header
 atlex.nl: did not receive HSTS header
 atlseccon.com: did not receive HSTS header
 atmocdn.com: could not connect to host
 atomic.menu: could not connect to host
+atomic.red: could not connect to host
 atomik.pro: did not receive HSTS header
 atop.io: could not connect to host
 atracaosexshop.com.br: could not connect to host
 atrevillot.com: could not connect to host
+attelage.net: did not receive HSTS header
 attic118.com: could not connect to host
-attilagyorffy.com: could not connect to host
 attimidesigns.com: did not receive HSTS header
 attogproductions.com: did not receive HSTS header
 au-pair24.de: did not receive HSTS header
@@ -1524,6 +1617,7 @@ au.search.yahoo.com: max-age too low: 172800
 au2pb.net: could not connect to host
 aubiosales.com: could not connect to host
 aucubin.moe: could not connect to host
+audiobookstudio.com: could not connect to host
 audioonly.stream: could not connect to host
 audiovisualdevices.com.au: did not receive HSTS header
 audividi.shop: did not receive HSTS header
@@ -1532,10 +1626,11 @@ aufprise.de: did not receive HSTS header
 augaware.org: did not receive HSTS header
 augenblicke-blog.de: could not connect to host
 augias.org: could not connect to host
-augix.net: could not connect to host
 augrandinquisiteur.com: did not receive HSTS header
 aujapan.ru: could not connect to host
+aulaschrank.gq: could not connect to host
 auntieme.com: did not receive HSTS header
+auntmia.com: could not connect to host
 aur.rocks: did not receive HSTS header
 aurainfosec.com: did not receive HSTS header
 aurainfosec.com.au: did not receive HSTS header
@@ -1561,6 +1656,7 @@ australianfreebets.com.au: did not receive HSTS header
 auth.mail.ru: did not receive HSTS header
 authenitech.com: did not receive HSTS header
 authentication.io: could not connect to host
+authinfo-bestellen.de: could not connect to host
 authint.com: could not connect to host
 author24.ru: did not receive HSTS header
 authoritynutrition.com: did not receive HSTS header
@@ -1576,16 +1672,17 @@ autodeploy.it: could not connect to host
 autoecolebudget.ch: did not receive HSTS header
 autoecoledumontblanc.com: could not connect to host
 autoeet.cz: did not receive HSTS header
+autohaus-snater.de: did not receive HSTS header
 autojuhos.sk: could not connect to host
+autokovrik-diskont.ru: did not receive HSTS header
 automobiles5.com: could not connect to host
 autos-retro-plaisir.com: did not receive HSTS header
-autosearch.me: did not receive HSTS header
+autosearch.me: could not connect to host
 autosiero.nl: did not receive HSTS header
 autostock.me: could not connect to host
 autostop-occasions.be: could not connect to host
 autotsum.com: could not connect to host
 autoxy.it: did not receive HSTS header
-autozane.com: could not connect to host
 autumnwindsagility.com: could not connect to host
 auverbox.ovh: could not connect to host
 auvious.com: did not receive HSTS header
@@ -1595,23 +1692,26 @@ av.de: did not receive HSTS header
 av01.tv: could not connect to host
 av163.cc: could not connect to host
 avadatravel.com: did not receive HSTS header
+avalon-studios.de: could not connect to host
+avalyuan.com: could not connect to host
 avantmfg.com: did not receive HSTS header
 avaq.fr: did not receive HSTS header
 avastantivirus.ro: did not receive HSTS header
 avdelivers.com: did not receive HSTS header
 avdh.top: could not connect to host
 avec-ou-sans-ordonnance.fr: could not connect to host
-aveling-adventure.co.uk: could not connect to host
+aveling-adventure.co.uk: did not receive HSTS header
 avg.club: did not receive HSTS header
 avi9526.pp.ua: could not connect to host
 aviacao.pt: did not receive HSTS header
 avidcruiser.com: did not receive HSTS header
 aviodeals.com: could not connect to host
-avitres.com: did not receive HSTS header
+avitres.com: could not connect to host
 avmemo.com: could not connect to host
 avmo.pw: could not connect to host
 avmoo.com: could not connect to host
 avonlearningcampus.com: could not connect to host
+avotoma.com: could not connect to host
 avso.pw: could not connect to host
 avspot.net: could not connect to host
 avus-automobile.com: did not receive HSTS header
@@ -1620,6 +1720,7 @@ awan.tech: could not connect to host
 awanderlustadventure.com: did not receive HSTS header
 awccanadianpharmacy.com: could not connect to host
 awei.pub: could not connect to host
+awen.me: did not receive HSTS header
 awf0.xyz: could not connect to host
 awg-mode.de: did not receive HSTS header
 awin.la: did not receive HSTS header
@@ -1635,8 +1736,9 @@ axem.co.jp: did not receive HSTS header
 axeny.com: did not receive HSTS header
 axg.io: did not receive HSTS header
 axialsports.com: did not receive HSTS header
+axis-stralis.co.uk: could not connect to host
 axiumacademy.com: did not receive HSTS header
-axka.com: could not connect to host
+axka.com: did not receive HSTS header
 axolsoft.com: max-age too low: 10540800
 axtudo.com: did not receive HSTS header
 axtux.tk: could not connect to host
@@ -1650,19 +1752,19 @@ ayor.jp: could not connect to host
 ayor.tech: could not connect to host
 ayuru.info: could not connect to host
 az-vinyl-boden.de: could not connect to host
-azabani.com: did not receive HSTS header
 azamra.com: did not receive HSTS header
 azia.info: could not connect to host
-azino777.ru: could not connect to host
 azirevpn.com: did not receive HSTS header
 azlo.com: did not receive HSTS header
 azprep.us: could not connect to host
 azun.pl: did not receive HSTS header
 azuxul.fr: could not connect to host
+azzag.co.uk: did not receive HSTS header
 b-entropy.com: could not connect to host
 b-pi.duckdns.org: could not connect to host
 b-rickroll-e.pw: could not connect to host
 b-space.de: could not connect to host
+b-ticket.ch: could not connect to host
 b0618.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b0618.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b0868.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -1680,6 +1782,7 @@ b2b-nestle.com.br: could not connect to host
 b2bpromoteit.com: did not receive HSTS header
 b3orion.com: could not connect to host
 b422edu.com: could not connect to host
+b4r7.de: did not receive HSTS header
 b5189.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b5189.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b5289.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -1691,7 +1794,7 @@ b8591.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_
 b8591.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b8979.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b8979.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-b8a.me: could not connect to host
+b8a.me: did not receive HSTS header
 b9018.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b9018.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b9108.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -1703,7 +1806,7 @@ b9112.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_
 b911gt.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b911gt.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b9168.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-b91688.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+b91688.com: could not connect to host
 b91688.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b91688.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b91688.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -1781,8 +1884,9 @@ b9king.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 b9winner.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 b9winner.com: could not connect to host
 b9winner.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+baas-becking.biology.utah.edu: could not connect to host
+babarkata.com: could not connect to host
 babelfisch.eu: could not connect to host
-babsbibs.com: could not connect to host
 babursahvizeofisi.com: could not connect to host
 baby-click.de: could not connect to host
 babybee.ie: could not connect to host
@@ -1797,15 +1901,12 @@ bacchanallia.com: could not connect to host
 bacgrouppublishing.com: could not connect to host
 bacimg.com: did not receive HSTS header
 back-bone.nl: did not receive HSTS header
-backeby.eu: could not connect to host
 backenmachtgluecklich.de: max-age too low: 2592000
-backgroundchecks.online: did not receive HSTS header
 backgroundz.net: could not connect to host
 backintomotionphysiotherapy.com: did not receive HSTS header
 backlogapp.io: could not connect to host
 backpacken.org: could not connect to host
 backscattering.de: did not receive HSTS header
-backupsinop.com.br: did not receive HSTS header
 backyardbbqbash.com: did not receive HSTS header
 baconate.com: did not receive HSTS header
 bad.show: could not connect to host
@@ -1815,17 +1916,18 @@ badcronjob.com: could not connect to host
 badenhard.eu: could not connect to host
 badgirlsbible.com: could not connect to host
 badkamergigant.com: could not connect to host
-badlink.org: could not connect to host
 baff.lu: could not connect to host
-baffinlee.com: could not connect to host
+baffinlee.com: did not receive HSTS header
 bagiobella.com: max-age too low: 0
+baglu.com: could not connect to host
+bagstage.de: did not receive HSTS header
 baiduaccount.com: could not connect to host
 baildonhottubs.co.uk: could not connect to host
 bair.io: could not connect to host
 bairdzhang.com: could not connect to host
 baito-j.jp: did not receive HSTS header
 baixoutudo.com: did not receive HSTS header
-bajic.ch: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+bajajfinserv.in: did not receive HSTS header
 bakabt.info: could not connect to host
 bakanin.ru: could not connect to host
 bakaweb.fr: could not connect to host
@@ -1840,6 +1942,7 @@ balenciaspa.com: did not receive HSTS header
 balihai.com: did not receive HSTS header
 balilingo.ooo: could not connect to host
 ballbusting-cbt.com: could not connect to host
+balle.dk: could not connect to host
 ballitolocksmith.com: could not connect to host
 balloonphp.com: could not connect to host
 balnearionaturaspa.com: did not receive HSTS header
@@ -1858,15 +1961,15 @@ bandar303.cc: did not receive HSTS header
 bandar303.id: did not receive HSTS header
 bandar303.win: did not receive HSTS header
 bandarifamily.com: could not connect to host
-bandb.xyz: could not connect to host
-bandrcrafts.com: did not receive HSTS header
+bandb.xyz: did not receive HSTS header
+bandrcrafts.com: could not connect to host
 banduhn.com: did not receive HSTS header
 bangzafran.com: could not connect to host
 bank: could not connect to host
 bankcircle.co.in: could not connect to host
+bankersonline.com: could not connect to host
 bankitt.network: could not connect to host
 bankmilhas.com.br: did not receive HSTS header
-banknet.gov: did not receive HSTS header
 bankofrealty.review: could not connect to host
 banksaround.com: did not receive HSTS header
 bannisbierblog.de: could not connect to host
@@ -1876,18 +1979,18 @@ banri.me: could not connect to host
 banxehoi.com: did not receive HSTS header
 bao-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 bao-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-baodan666.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+baodan666.com: could not connect to host
 baosuckhoedoisong.net: could not connect to host
 baptistboard.com: did not receive HSTS header
 baptiste-destombes.fr: did not receive HSTS header
 baraxolka.ru: could not connect to host
+barbaros.info: could not connect to host
 barcouniforms.com: did not receive HSTS header
-bardiel.de: max-age too low: 0
-barely.sexy: could not connect to host
+barely.sexy: did not receive HSTS header
+barf-alarm.de: did not receive HSTS header
 bargainmovingcompany.com: did not receive HSTS header
 bariller.fr: did not receive HSTS header
 baris-sagdic.com: could not connect to host
-barisi.me: could not connect to host
 barnrats.com: could not connect to host
 baropkamp.be: did not receive HSTS header
 barprive.com: could not connect to host
@@ -1898,7 +2001,7 @@ barrett.ag: did not receive HSTS header
 barrut.me: did not receive HSTS header
 barshout.co.uk: could not connect to host
 barss.io: could not connect to host
-bartbania.com: did not receive HSTS header
+bartel.ws: could not connect to host
 bartelldrugs.com: did not receive HSTS header
 barunisystems.com: could not connect to host
 bascht.com: did not receive HSTS header
@@ -1921,6 +2024,7 @@ bat909.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 bat9vip.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 bat9vip.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 batfoundry.com: could not connect to host
+batipresta.ch: did not receive HSTS header
 batonger.com: could not connect to host
 batten.eu.org: could not connect to host
 batteryservice.ru: did not receive HSTS header
@@ -1930,6 +2034,7 @@ baudairenergyservices.com: did not receive HSTS header
 bauen-mit-ziegel.de: max-age too low: 604800
 baum.ga: did not receive HSTS header
 baumstark.ca: could not connect to host
+bautied.de: did not receive HSTS header
 bayinstruments.com: could not connect to host
 bayrisch-fuer-anfaenger.de: did not receive HSTS header
 baysse.eu: did not receive HSTS header
@@ -1937,7 +2042,7 @@ bazarstupava.sk: could not connect to host
 bazisszoftver.hu: could not connect to host
 bb-shiokaze.jp: did not receive HSTS header
 bbb1991.me: could not connect to host
-bbdos.ru: could not connect to host
+bbdos.ru: did not receive HSTS header
 bbj.io: did not receive HSTS header
 bbkanews.com: did not receive HSTS header
 bblovess.cn: could not connect to host
@@ -1968,35 +2073,40 @@ bcnet.com.hk: could not connect to host
 bcnet.hk: could not connect to host
 bcodeur.com: did not receive HSTS header
 bcradio.org: could not connect to host
+bcs.adv.br: did not receive HSTS header
 bcsytv.com: could not connect to host
+bcvps.com: did not receive HSTS header
 bcweightlifting.ca: could not connect to host
-bdata.cl: did not receive HSTS header
+bdata.cl: could not connect to host
 bddemir.com: could not connect to host
 bde-epitech.fr: could not connect to host
 bdenzer.com: did not receive HSTS header
 bdenzer.xyz: could not connect to host
+bdikaros-network.net: could not connect to host
 bdsmxxxpics.com: could not connect to host
 be9418.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-be9418.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+be9418.info: could not connect to host
 be9418.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-be9418.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+be9418.org: could not connect to host
 be9458.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 be9458.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 be9458.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 be9458.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 be958.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-be958.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+be958.info: could not connect to host
 be958.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-be958.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+be958.org: could not connect to host
 be9966.com: could not connect to host
 beach-inspector.com: did not receive HSTS header
+beachfutbolclub.com: did not receive HSTS header
 beachi.es: could not connect to host
+beacinsight.com: could not connect to host
 beaglewatch.com: could not connect to host
 beagreenbean.co.uk: could not connect to host
 beamitapp.com: could not connect to host
 beanbot.party: could not connect to host
 beanworks.ca: did not receive HSTS header
-bearden.io: did not receive HSTS header
+bearden.io: could not connect to host
 beardydave.com: did not receive HSTS header
 beasel.biz: could not connect to host
 beastlog.tk: could not connect to host
@@ -2007,10 +2117,12 @@ bebeefy.uk: could not connect to host
 bebesurdoue.com: could not connect to host
 beccajoshwedding.com: could not connect to host
 becklove.cn: could not connect to host
+beckon.com: did not receive HSTS header
 becoast.fr: did not receive HSTS header
 becubed.co: could not connect to host
 bedabox.com: did not receive HSTS header
 bedeta.de: could not connect to host
+bedlingtonterrier.com.br: could not connect to host
 bedouille.com: could not connect to host
 bedreid.dk: did not receive HSTS header
 bedrijvenadministratie.nl: could not connect to host
@@ -2025,25 +2137,29 @@ befundup.com: could not connect to host
 begcykel.com: did not receive HSTS header
 begoodny.co.il: max-age too low: 7889238
 behere.be: could not connect to host
+beholdthehurricane.com: could not connect to host
 beier.io: could not connect to host
 beikeil.de: did not receive HSTS header
 beingmad.org: did not receive HSTS header
 belairsewvac.com: could not connect to host
+belastingdienst-in-beeld.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 belcompany.nl: could not connect to host
 belewpictures.com: could not connect to host
 belgien.guide: could not connect to host
 belize-firmengruendung.com: could not connect to host
 bellavistaoutdoor.com: could not connect to host
 belliash.eu.org: did not receive HSTS header
-belltower.io: did not receive HSTS header
+belltower.io: could not connect to host
 belmontprom.com: could not connect to host
 belpbleibtbelp.ch: could not connect to host
+belua.com: did not receive HSTS header
 belwederczykow.eu: could not connect to host
+belyvly.com: did not receive HSTS header
 bemvindoaolar.com.br: could not connect to host
 bemyvictim.com: max-age too low: 2678400
-benchcast.com: could not connect to host
-bencorby.com: could not connect to host
+benchcast.com: did not receive HSTS header
 bendechrai.com: did not receive HSTS header
+bendingtheending.com: did not receive HSTS header
 benedikt-tuchen.de: could not connect to host
 benediktdichgans.de: did not receive HSTS header
 beneffy.com: did not receive HSTS header
@@ -2056,9 +2172,12 @@ benhchuyenkhoa.net: could not connect to host
 benjakesjohnson.com: could not connect to host
 benjamin-horvath.com: could not connect to host
 benjamin-suess.de: could not connect to host
+benjamindietrich.com: could not connect to host
 benjaminesims.com: did not receive HSTS header
+benjaminjurke.net: did not receive HSTS header
 benk.press: could not connect to host
-benny003.de: could not connect to host
+benmorecentre.co.uk: did not receive HSTS header
+benny003.de: did not receive HSTS header
 benohead.com: did not receive HSTS header
 bentphotos.se: could not connect to host
 benwattie.com: did not receive HSTS header
@@ -2069,7 +2188,7 @@ bep.gov: did not receive HSTS header
 bep362.vn: could not connect to host
 beraru.tk: could not connect to host
 beraten-entwickeln-steuern.de: could not connect to host
-berdu.id: did not receive HSTS header
+berdaguermontes.eu: could not connect to host
 berduri.com: did not receive HSTS header
 beretech.fr: could not connect to host
 berger.work: could not connect to host
@@ -2077,18 +2196,18 @@ bergfex.at: did not receive HSTS header
 bergland-seefeld.at: did not receive HSTS header
 berhampore-gateway.tk: could not connect to host
 berlatih.com: did not receive HSTS header
+berliancom.com: did not receive HSTS header
 berlin-kohlefrei.de: could not connect to host
 berlinleaks.com: could not connect to host
 bermytraq.bm: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 bernexskiclub.ch: did not receive HSTS header
 bernieware.de: could not connect to host
-berr.yt: could not connect to host
-berry.cat: could not connect to host
 berrymark.be: did not receive HSTS header
 berseb.se: could not connect to host
 berthelier.me: could not connect to host
 berz.one: could not connect to host
 besb66.club: could not connect to host
+besb66.com: did not receive HSTS header
 besb66.me: could not connect to host
 besb66.ninja: could not connect to host
 besb66.rocks: could not connect to host
@@ -2106,7 +2225,7 @@ bestbestbitcoin.com: could not connect to host
 bestbonuses.co.uk: did not receive HSTS header
 bestellipticalmachinereview.info: could not connect to host
 bestesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-bestesb.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+bestesb.net: could not connect to host
 bestfitnesswatchreview.info: could not connect to host
 besthost.cz: did not receive HSTS header
 besthotsales.com: could not connect to host
@@ -2117,7 +2236,6 @@ bestof1001.de: could not connect to host
 bestorangeseo.com: could not connect to host
 bestpaintings.nl: did not receive HSTS header
 bestparking.xyz: could not connect to host
-bestpig.fr: could not connect to host
 bestwarezone.com: could not connect to host
 bet-99.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 bet-99.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -2129,12 +2247,11 @@ bet990.com: could not connect to host
 bet9bet9.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 betaclean.fr: did not receive HSTS header
 betafive.net: could not connect to host
-betakah.net: could not connect to host
+betakah.net: did not receive HSTS header
 betamint.org: did not receive HSTS header
 betcafearena.ro: could not connect to host
 betformular.com: could not connect to host
 betgo9.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-bethanyduke.com: could not connect to host
 bethditto.com: did not receive HSTS header
 betkoo.com: could not connect to host
 betnet.fr: could not connect to host
@@ -2144,9 +2261,8 @@ bets.de: did not receive HSTS header
 betshoot.com: could not connect to host
 betsonlinefree.com.au: could not connect to host
 betterlifemakers.com: max-age too low: 200
-bettflaschen.ch: did not receive HSTS header
 bettween.com: did not receive HSTS header
-between.be: could not connect to host
+between.be: did not receive HSTS header
 betwin9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 betwin9.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 betz.ro: could not connect to host
@@ -2160,6 +2276,7 @@ bexit-security.nl: could not connect to host
 bexithosting.nl: could not connect to host
 bey.io: could not connect to host
 beylikduzum.com: could not connect to host
+beylikduzuvaillant.com: could not connect to host
 beyond-edge.com: could not connect to host
 beyuna.co.uk: did not receive HSTS header
 beyuna.eu: did not receive HSTS header
@@ -2169,27 +2286,29 @@ bezoomnyville.com: could not connect to host
 bezorg.ninja: could not connect to host
 bezprawnik.pl: did not receive HSTS header
 bf.am: max-age too low: 0
-bf7088.com: did not receive HSTS header
-bf7877.com: did not receive HSTS header
 bfd.vodka: did not receive HSTS header
 bfear.com: could not connect to host
 bfelob.gov: could not connect to host
 bffm.biz: could not connect to host
 bfrailwayclub.cf: could not connect to host
+bg-sexologia.com: could not connect to host
 bg16.de: could not connect to host
 bgcparkstad.nl: did not receive HSTS header
 bgdaddy.com: did not receive HSTS header
 bgenlisted.com: could not connect to host
 bgfashion.net: could not connect to host
 bgneuesheim.de: did not receive HSTS header
+bgp.ee: could not connect to host
 bhatia.at: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 bhosted.nl: did not receive HSTS header
+biancolievito.it: did not receive HSTS header
 bianinapiccanovias.com: could not connect to host
 biaoqingfuhao.net: did not receive HSTS header
 biaoqingfuhao.org: did not receive HSTS header
 biapinheiro.com.br: max-age too low: 5184000
 biblerhymes.com: did not receive HSTS header
 bibliafeminina.com.br: could not connect to host
+biblio.wiki: could not connect to host
 bichines.es: did not receive HSTS header
 bichonfrise.com.br: could not connect to host
 bichonmaltes.com.br: could not connect to host
@@ -2203,7 +2322,7 @@ bienenblog.cc: could not connect to host
 bier.jp: did not receive HSTS header
 bierbringer.at: could not connect to host
 bierochs.org: could not connect to host
-biftin.net: could not connect to host
+biewen.me: did not receive HSTS header
 big-black.de: did not receive HSTS header
 bigbbqbrush.bid: could not connect to host
 bigbounceentertainment.co.uk: could not connect to host
@@ -2216,18 +2335,20 @@ biglagoonrentals.com: did not receive HSTS header
 bigshinylock.minazo.net: could not connect to host
 bigshort.org: could not connect to host
 biguixhe.net: could not connect to host
-bijoux.com.br: could not connect to host
 bijouxbrasil.com.br: did not receive HSTS header
 bijouxdegriffe.com.br: could not connect to host
 bijugeral.com.br: could not connect to host
+bijuteriicualint.ro: could not connect to host
 bikelifetvkidsquads.co.uk: could not connect to host
 bikermusic.net: could not connect to host
+bikeshopitalia.com: could not connect to host
 bilanligne.com: did not receive HSTS header
 bildermachr.de: could not connect to host
+biletru.net: could not connect to host
 biletua.de: could not connect to host
-biletyplus.com: could not connect to host
 biletyplus.ru: did not receive HSTS header
-bill-nye-the.science: did not receive HSTS header
+bilibili.red: could not connect to host
+bill-nye-the.science: could not connect to host
 billdestler.com: did not receive HSTS header
 billigssl.dk: did not receive HSTS header
 billkiss.com: could not connect to host
@@ -2250,7 +2371,9 @@ bingo9.net: could not connect to host
 bingofriends.com: could not connect to host
 bingostars.com: did not receive HSTS header
 binimo.com: could not connect to host
-biocrafting.net: did not receive HSTS header
+binkanhada.biz: could not connect to host
+binsp.net: could not connect to host
+bintelligence.nl: did not receive HSTS header
 bioespuna.eu: did not receive HSTS header
 biofam.ru: did not receive HSTS header
 biomax-mep.com.br: did not receive HSTS header
@@ -2261,18 +2384,21 @@ biospeak.solutions: could not connect to host
 biou.me: could not connect to host
 biovalue.eu: could not connect to host
 bip.gov.sa: could not connect to host
+birchbarkfurniture.ch: could not connect to host
 birdandbranchnyc.com: max-age too low: 43200
 birkengarten.ch: could not connect to host
 birkman.com: did not receive HSTS header
 biscuits-rec.com: could not connect to host
 biscuits-shop.com: could not connect to host
-bismarck.moe: did not receive HSTS header
+bismarck.moe: could not connect to host
 bisterfeldt.com: did not receive HSTS header
+bistrodeminas.com: could not connect to host
 biswas.me: could not connect to host
 bit.voyage: did not receive HSTS header
 bitace.com: did not receive HSTS header
 bitbit.org: did not receive HSTS header
-bitbr.net: could not connect to host
+bitbr.net: did not receive HSTS header
+bitcalt.ga: could not connect to host
 bitcantor.com: did not receive HSTS header
 bitchan.it: could not connect to host
 bitclubfun.com: did not receive HSTS header
@@ -2280,15 +2406,16 @@ bitcoin-casino-no-deposit-bonus.com: max-age too low: 0
 bitcoin-class.com: could not connect to host
 bitcoin-daijin.com: could not connect to host
 bitcoin.com: did not receive HSTS header
+bitcoinclashic.ninja: could not connect to host
 bitcoinec.info: could not connect to host
 bitcoinfo.jp: did not receive HSTS header
 bitcoinhk.org: did not receive HSTS header
 bitcoinjpn.com: could not connect to host
 bitcoinprivacy.net: did not receive HSTS header
+bitcoinwalletscript.tk: could not connect to host
 bitcoinworld.me: could not connect to host
 bitconcepts.co.uk: could not connect to host
 bitedge.com: did not receive HSTS header
-bitenose.com: could not connect to host
 bitenose.net: could not connect to host
 bitenose.org: could not connect to host
 biteoftech.com: did not receive HSTS header
@@ -2296,7 +2423,6 @@ bitf.ly: could not connect to host
 bitfactory.ws: could not connect to host
 bitfarm-archiv.com: did not receive HSTS header
 bitfarm-archiv.de: did not receive HSTS header
-bithap.com: could not connect to host
 bitheus.com: could not connect to host
 bithosting.io: did not receive HSTS header
 bitk.co: did not receive HSTS header
@@ -2312,7 +2438,6 @@ bitmex.com: did not receive HSTS header
 bitmexin.com: could not connect to host
 bitmon.net: could not connect to host
 bitnet.io: did not receive HSTS header
-bitok.com: did not receive HSTS header
 bitplay.space: could not connect to host
 bitpod.de: could not connect to host
 bitrage.de: could not connect to host
@@ -2328,20 +2453,25 @@ bitvigor.com: could not connect to host
 bitwrought.net: could not connect to host
 bityes.org: could not connect to host
 bivsi.com: could not connect to host
+biyori.moe: did not receive HSTS header
 bizcms.com: could not connect to host
 bizedge.co.nz: did not receive HSTS header
 bizon.sk: did not receive HSTS header
-bizpare.com: did not receive HSTS header
+bizpare.com: max-age too low: 2592000
 bizzartech.com: did not receive HSTS header
+bizzi.tv: could not connect to host
 bizzybeebouncers.co.uk: could not connect to host
 bjgongyi.com: did not receive HSTS header
 bjl5689.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 bjl5689.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+bjolanta.pl: could not connect to host
 bjrn.io: could not connect to host
 bjtxl.cn: could not connect to host
 bk-wife.com: could not connect to host
 bkb-skandal.ch: could not connect to host
 bkhayes.com: did not receive HSTS header
+bl00.se: could not connect to host
+blaauwgeers.travel: could not connect to host
 black-armada.com: could not connect to host
 black-armada.com.pl: could not connect to host
 black-armada.pl: could not connect to host
@@ -2349,21 +2479,24 @@ black-gay-porn.biz: could not connect to host
 black-octopus.ru: could not connect to host
 blackapron.com.br: could not connect to host
 blackberrycentral.com: could not connect to host
+blackberryforums.be: did not receive HSTS header
 blackburn.link: could not connect to host
 blackdesertsp.com: could not connect to host
 blackdiam.net: did not receive HSTS header
+blackdragoninc.org: could not connect to host
+blackhell.xyz: could not connect to host
 blacklane.com: did not receive HSTS header
 blackly.uk: max-age too low: 0
 blackmagic.sk: could not connect to host
 blackmirror.com.au: did not receive HSTS header
-blackpayment.ru: could not connect to host
 blackphantom.de: could not connect to host
+blackroot.eu: max-age too low: 10368000
 blackscreen.me: could not connect to host
-blackscytheconsulting.com: could not connect to host
 blackunicorn.wtf: could not connect to host
 bladesmith.io: did not receive HSTS header
 blakerandall.xyz: did not receive HSTS header
 blantik.net: could not connect to host
+blantr.com: could not connect to host
 blarg.co: could not connect to host
 blauwwit.be: did not receive HSTS header
 blazeit.io: could not connect to host
@@ -2375,7 +2508,6 @@ blessedearth.com.au: max-age too low: 7889238
 blessnet.jp: did not receive HSTS header
 bleutecmedia.com: did not receive HSTS header
 blha303.com.au: could not connect to host
-bliesekow.net: could not connect to host
 bliker.ga: could not connect to host
 blindaryproduction.tk: could not connect to host
 blindsexdate.nl: did not receive HSTS header
@@ -2385,6 +2517,8 @@ bling999.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERR
 bling999.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 blinkenlight.co.uk: could not connect to host
 blinkenlight.com.au: could not connect to host
+blitzvendor.com: could not connect to host
+blizz.news: max-age too low: 0
 blmiller.com: did not receive HSTS header
 blocksatz-medien.de: could not connect to host
 blockshopauto.com: could not connect to host
@@ -2394,6 +2528,8 @@ blog.cyveillance.com: did not receive HSTS header
 blog.gparent.org: could not connect to host
 blog.torproject.org: max-age too low: 1000
 blogabout.ru: could not connect to host
+blogcuaviet.com: could not connect to host
+blogdeyugioh.com: could not connect to host
 blogdieconomia.it: did not receive HSTS header
 blogdimoda.com: did not receive HSTS header
 blogdimotori.it: did not receive HSTS header
@@ -2412,15 +2548,19 @@ bls-fiduciaire.be: did not receive HSTS header
 bltc.co: could not connect to host
 blubbablasen.de: could not connect to host
 blucas.org: did not receive HSTS header
+bludnykoren.ml: could not connect to host
 blue17.co.uk: did not receive HSTS header
+bluebahari.gq: could not connect to host
 bluebill.net: did not receive HSTS header
-bluecon.eu: did not receive HSTS header
+bluecardlottery.eu: could not connect to host
+bluecon.eu: could not connect to host
 bluefinger.nl: did not receive HSTS header
 blueglobalmedia.com: could not connect to host
 bluehawk.cloud: could not connect to host
 bluehelixmusic.com: could not connect to host
 blueliv.com: did not receive HSTS header
 bluemoonroleplaying.com: could not connect to host
+bluemosh.com: could not connect to host
 bluepearl.tk: could not connect to host
 bluepoint.foundation: could not connect to host
 bluepoint.institute: could not connect to host
@@ -2447,6 +2587,8 @@ bm-i.ch: could not connect to host
 bm-trading.nl: did not receive HSTS header
 bmet.de: did not receive HSTS header
 bmoattachments.org: did not receive HSTS header
+bmone.net: could not connect to host
+bn4t.me: did not receive HSTS header
 bnb-buddy.nl: could not connect to host
 bnboy.cn: could not connect to host
 bngsecure.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -2464,7 +2606,9 @@ bo9king.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERRO
 board-buy.ru: could not connect to host
 bobaobei.org: could not connect to host
 bobep.ru: could not connect to host
+bobiji.com: could not connect to host
 boboates.com: did not receive HSTS header
+bodixite.com: could not connect to host
 bodo-wolff.de: could not connect to host
 bodrumfarm.com: could not connect to host
 bodyblog.nl: did not receive HSTS header
@@ -2481,6 +2625,7 @@ boilesen.com: did not receive HSTS header
 bokeyy.com: could not connect to host
 bolainfoasia.com: did not receive HSTS header
 bolivarfm.com.ve: could not connect to host
+bollywood.uno: did not receive HSTS header
 boltdata.io: could not connect to host
 boltn.uk: did not receive HSTS header
 bolwerk.com.br: did not receive HSTS header
@@ -2489,22 +2634,24 @@ bombsquad.studio: could not connect to host
 bonamihome.ro: could not connect to host
 bonapp.restaurant: could not connect to host
 bondagefetishstore.com: could not connect to host
-bondtofte.dk: did not receive HSTS header
 boneko.de: did not receive HSTS header
-bonesserver.com: could not connect to host
-bonigo.de: did not receive HSTS header
+bonigo.de: could not connect to host
+bonita.com.br: could not connect to host
 bonitabrazilian.co.nz: did not receive HSTS header
+bonniekitchen.com: could not connect to host
 bonnin.fr: did not receive HSTS header
 bonobo.cz: could not connect to host
 bonop.com: did not receive HSTS header
+bonsi.net: could not connect to host
 bonta.one: could not connect to host
 bonus-flexi.com: did not receive HSTS header
 boobox.xyz: could not connect to host
-book-of-ra.de: did not receive HSTS header
+book-of-ra.de: could not connect to host
 bookcelerator.com: did not receive HSTS header
 booked.holiday: could not connect to host
+bookingdeluxesp.com: did not receive HSTS header
 bookingentertainment.com: did not receive HSTS header
-bookmakersfreebets.com.au: could not connect to host
+bookmakersfreebets.com.au: did not receive HSTS header
 bookofraonlinecasinos.com: could not connect to host
 bookourdjs.com: could not connect to host
 bookreport.ga: could not connect to host
@@ -2513,10 +2660,12 @@ bookwitty.social: could not connect to host
 boomerang.com: did not receive HSTS header
 boomsaki.com: did not receive HSTS header
 boomsakis.com: did not receive HSTS header
+boonehenry.co.uk: did not receive HSTS header
 boosterlearnpro.com: did not receive HSTS header
 boostgame.win: could not connect to host
 boote.wien: could not connect to host
 booter.es: could not connect to host
+booter.pw: did not receive HSTS header
 booth.in.th: could not connect to host
 bootikexpress.fr: did not receive HSTS header
 boozinyan.com: could not connect to host
@@ -2525,6 +2674,7 @@ borchers-media.de: could not connect to host
 borchers.ninja: did not receive HSTS header
 borderlinegroup.com: could not connect to host
 borgmestervangen.xyz: could not connect to host
+borgodigatteraia.it: could not connect to host
 boringsecurity.net: could not connect to host
 boris.one: could not connect to host
 borisavstankovic.rs: could not connect to host
@@ -2532,6 +2682,7 @@ borisbesemer.com: could not connect to host
 born-to-learn.com: could not connect to host
 borrelioz.com: did not receive HSTS header
 borscheid-wenig.com: did not receive HSTS header
+borzoi.com.br: could not connect to host
 boschee.net: could not connect to host
 bosworthdental.co.uk: did not receive HSTS header
 botlab.ch: could not connect to host
@@ -2539,10 +2690,11 @@ botmanager.pl: could not connect to host
 botox.bz: did not receive HSTS header
 bots.cat: could not connect to host
 botserver.de: could not connect to host
+botstack.host: could not connect to host
 boueki.jp: did not receive HSTS header
 boueki.org: did not receive HSTS header
 bouk.co: could not connect to host
-bounce-r-us.co.uk: did not receive HSTS header
+bounceaboutsussex.co.uk: did not receive HSTS header
 bouncebeyondcastles.co.uk: did not receive HSTS header
 bounceboxspc.com: did not receive HSTS header
 bouncecoffee.com: did not receive HSTS header
@@ -2555,10 +2707,14 @@ bouncingbuzzybees.co.uk: could not connect to host
 bouncycastleandparty.co.uk: could not connect to host
 bouncycastlehiremedway.com: did not receive HSTS header
 bouncycastles.me: could not connect to host
+bouncycastlesperth.net: could not connect to host
+bouncyhouses.co.uk: did not receive HSTS header
 bouncymadness.com: did not receive HSTS header
+bountiful.gov: could not connect to host
+bourgdepabos.com: did not receive HSTS header
 bouwbedrijfpurmerend.nl: did not receive HSTS header
 bowlsheet.com: did not receive HSTS header
-bownty.pt: max-age too low: 0
+bownty.pt: could not connect to host
 boxcryptor.com: did not receive HSTS header
 boxdevigneron.fr: could not connect to host
 boxing-austria.eu: did not receive HSTS header
@@ -2575,6 +2731,7 @@ bp-wahl.at: did not receive HSTS header
 bpadvisors.eu: could not connect to host
 bqcp.net: could not connect to host
 bqtoolbox.com: could not connect to host
+bracoitaliano.com.br: could not connect to host
 braemer-it-consulting.de: could not connect to host
 bragasoft.com.br: did not receive HSTS header
 bragaweb.com.br: could not connect to host
@@ -2588,22 +2745,23 @@ braintm.com: could not connect to host
 braintreebouncycastles.com: could not connect to host
 braintreegateway.com: did not receive HSTS header
 braintreepayments.com: did not receive HSTS header
-brainvation.de: did not receive HSTS header
-brakstad.org: could not connect to host
+bramburek.net: could not connect to host
 bran.cc: could not connect to host
 bran.soy: could not connect to host
 branchzero.com: did not receive HSTS header
 brand-foo.com: did not receive HSTS header
 brand-foo.jp: did not receive HSTS header
 brand-foo.net: did not receive HSTS header
+brandbuilderwebsites.com: could not connect to host
 brandnewdays.nl: could not connect to host
-brando753.xyz: could not connect to host
 brandon.so: could not connect to host
 brandonlui.ml: could not connect to host
 brandons.site: could not connect to host
 brandontaylor-black.com: could not connect to host
 brandred.net: could not connect to host
 brandspray.com: could not connect to host
+brandtrapselfie.nl: could not connect to host
+brandweeruitgeest.nl: could not connect to host
 brasilien.guide: could not connect to host
 brasilmorar.com: did not receive HSTS header
 bravz.de: could not connect to host
@@ -2611,17 +2769,20 @@ brb.city: did not receive HSTS header
 breatheav.com: did not receive HSTS header
 breatheproduction.com: did not receive HSTS header
 breeswish.org: did not receive HSTS header
+bregnedalsystems.dk: did not receive HSTS header
 bremensaki.com: max-age too low: 2592000
 brenden.net.au: could not connect to host
 bress.cloud: could not connect to host
-brettcornwall.com: did not receive HSTS header
 brettpemberton.xyz: did not receive HSTS header
 bretz-hufer.de: did not receive HSTS header
 brfvh24.se: could not connect to host
+briangarcia.ga: could not connect to host
+brianmwaters.net: did not receive HSTS header
 brianpcurran.com: did not receive HSTS header
 brickoo.com: could not connect to host
 brickwerks.io: could not connect to host
 brickyardbuffalo.com: did not receive HSTS header
+brideandgroomdirect.ie: did not receive HSTS header
 bridgeout.com: could not connect to host
 bridholm.se: could not connect to host
 brightfuturemadebyme.com: could not connect to host
@@ -2644,8 +2805,10 @@ brivadois.ovh: did not receive HSTS header
 brix.ninja: did not receive HSTS header
 brks.xyz: could not connect to host
 brmascots.com: could not connect to host
+brn.by: could not connect to host
 broerweb.nl: could not connect to host
 broken-oak.com: could not connect to host
+brokenjoysticks.net: did not receive HSTS header
 brookechase.com: did not receive HSTS header
 brookframework.org: could not connect to host
 brossman.it: could not connect to host
@@ -2653,16 +2816,15 @@ brouwerijkoelit.nl: could not connect to host
 brownlawoffice.us: did not receive HSTS header
 browserid.org: could not connect to host
 brplusdigital.com: could not connect to host
-brrd.io: could not connect to host
+bruckner.li: could not connect to host
 brunix.net: did not receive HSTS header
 brunoonline.co.uk: could not connect to host
+brunoramos.org: could not connect to host
 bryancastillo.site: could not connect to host
-bryankaplan.com: could not connect to host
 bryanshearer.accountant: did not receive HSTS header
 bryn.xyz: could not connect to host
 brynnan.nl: could not connect to host
-brztec.com: did not receive HSTS header
-bs.sb: could not connect to host
+brztec.com: could not connect to host
 bsagan.fr: did not receive HSTS header
 bsalyzer.com: could not connect to host
 bsc01.dyndns.org: could not connect to host
@@ -2674,28 +2836,30 @@ bsklabels.com: did not receive HSTS header
 bsktweetup.info: could not connect to host
 bsohoekvanholland.nl: could not connect to host
 bsuess.de: could not connect to host
-bt78.cn: did not receive HSTS header
+bsuru.xyz: could not connect to host
+bt78.cn: could not connect to host
 bt85.cn: could not connect to host
 bt9.cc: did not receive HSTS header
 bt96.cn: did not receive HSTS header
 bt995.com: did not receive HSTS header
 btaoke.com: could not connect to host
 btc-e.com: could not connect to host
+btc2secure.com: could not connect to host
 btcdlc.com: could not connect to host
 btcgo.nl: did not receive HSTS header
 btcp.space: could not connect to host
 btcpot.ltd: could not connect to host
+btku.org: could not connect to host
 btrb.ml: could not connect to host
 btserv.de: did not receive HSTS header
-btth.live: could not connect to host
+btth.xyz: could not connect to host
+bturboo.com: could not connect to host
 btxiaobai.com: did not receive HSTS header
 bubba.cc: could not connect to host
 buben.tech: did not receive HSTS header
-bubulazi.com: did not receive HSTS header
-bubulazy.com: did not receive HSTS header
 buchheld.at: could not connect to host
 buchverlag-scholz.de: did not receive HSTS header
-buck.com: could not connect to host
+buck.com: did not receive HSTS header
 bucket.tk: could not connect to host
 buckmulligans.com: did not receive HSTS header
 budaev-shop.ru: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -2703,6 +2867,7 @@ buddhistische-weisheiten.org: could not connect to host
 budgetenergievriendenvoordeel.nl: could not connect to host
 budgetthostels.nl: did not receive HSTS header
 budskap.eu: could not connect to host
+buehnenbande.ch: max-age too low: 2592000
 buenosairesestetica.com.ar: could not connect to host
 buenotour.ru: did not receive HSTS header
 buergerdialog.net: could not connect to host
@@ -2710,23 +2875,24 @@ buergerhaushalt.com: did not receive HSTS header
 buffalodrinkinggame.beer: did not receive HSTS header
 bugtrack.co.uk: did not receive HSTS header
 bugtrack.io: could not connect to host
-bugwie.com: did not receive HSTS header
 buhler.pro: did not receive HSTS header
 buiko.com: did not receive HSTS header
 build.chromium.org: did not receive HSTS header (error ignored - included regardless)
 buildci.asia: could not connect to host
 buildify.co.za: could not connect to host
+building-cost-estimators.com: did not receive HSTS header
 buildingclouds.at: could not connect to host
 buildingclouds.ch: could not connect to host
 buildingclouds.es: could not connect to host
 buildingclouds.eu: could not connect to host
 buildingclouds.fr: could not connect to host
 buildsaver.co.za: did not receive HSTS header
-builmaker.com: did not receive HSTS header
+builmaker.com: could not connect to host
 built.by: did not receive HSTS header
 buka.jp: could not connect to host
 bukai.men: did not receive HSTS header
 bukatv.cz: could not connect to host
+bulbgenie.com: could not connect to host
 buldogueingles.com.br: could not connect to host
 bulgarien.guide: could not connect to host
 bulkbuy.tech: could not connect to host
@@ -2767,6 +2933,7 @@ bush41.org: did not receive HSTS header
 bushcraftfriends.com: could not connect to host
 business.lookout.com: could not connect to host
 business.medbank.com.mt: did not receive HSTS header
+businessadviceperth.com.au: did not receive HSTS header
 businessamongus.com: could not connect to host
 businessetmarketing.com: could not connect to host
 businessfurs.info: could not connect to host
@@ -2775,6 +2942,7 @@ businessmodeler.se: could not connect to host
 bustabit.com: could not connect to host
 bustimes.org.uk: did not receive HSTS header
 busybee360.com: could not connect to host
+busyon.cloud: could not connect to host
 butchersworkshop.com: did not receive HSTS header
 butian518.com: did not receive HSTS header
 butt.repair: could not connect to host
@@ -2784,34 +2952,35 @@ butterfieldstraining.com: could not connect to host
 buttermilk.cf: could not connect to host
 buturyu.org: did not receive HSTS header
 buvinghausen.com: max-age too low: 86400
-buy-thing.com: did not receive HSTS header
+buy-thing.com: could not connect to host
 buyaccessible.gov: did not receive HSTS header
 buybaby.eu: could not connect to host
-buybike.shop: did not receive HSTS header
-buycarpet.shop: did not receive HSTS header
-buycook.shop: max-age too low: 2592000
 buydesired.com: did not receive HSTS header
 buyessay.org: could not connect to host
 buyessays.net: could not connect to host
 buyessayscheap.com: could not connect to host
 buyfox.de: could not connect to host
 buyharpoon.com: could not connect to host
-buyhealth.shop: did not receive HSTS header
 buyingsellingflorida.com: could not connect to host
-buyjewel.shop: did not receive HSTS header
 buynowdepot.com: did not receive HSTS header
-buyplussize.shop: did not receive HSTS header
-buyprofessional.shop: max-age too low: 2592000
 buyshoe.org: could not connect to host
-buywine.shop: did not receive HSTS header
 buywood.shop: could not connect to host
-buzzconcert.com: did not receive HSTS header
+buzzconcert.com: could not connect to host
+buzzconf.io: could not connect to host
 buzzdeck.com: did not receive HSTS header
 buzztelco.com.au: could not connect to host
 bvexplained.co.uk: could not connect to host
+bvgg.eu: did not receive HSTS header
 bvionline.eu: did not receive HSTS header
+bvv-europe.eu: could not connect to host
 bw81.xyz: could not connect to host
 bwear4all.de: could not connect to host
+bwf11.com: could not connect to host
+bwf55.com: could not connect to host
+bwf6.com: could not connect to host
+bwf66.com: could not connect to host
+bwf77.com: could not connect to host
+bwf99.com: could not connect to host
 bwin86.com: did not receive HSTS header
 bwin8601.com: did not receive HSTS header
 bwin8602.com: did not receive HSTS header
@@ -2819,14 +2988,17 @@ bwin8603.com: did not receive HSTS header
 bwin8604.com: did not receive HSTS header
 bwin8605.com: did not receive HSTS header
 bwin8606.com: did not receive HSTS header
+bwwb.nu: did not receive HSTS header
 bx-web.com: did not receive HSTS header
+by.cx: did not receive HSTS header
 by1896.com: could not connect to host
-by1898.com: could not connect to host
+by1898.com: did not receive HSTS header
 by1899.com: could not connect to host
 by4cqb.cn: could not connect to host
 by77.com: could not connect to host
 by777.com: did not receive HSTS header
 bydisk.com: could not connect to host
+byhe.me: could not connect to host
 byji.com: could not connect to host
 bypass.kr: could not connect to host
 bypassed.bid: could not connect to host
@@ -2848,14 +3020,12 @@ bypassed.today: could not connect to host
 bypassed.works: could not connect to host
 bypassed.world: could not connect to host
 bypro.xyz: could not connect to host
-byronkg.us: could not connect to host
 byronprivaterehab.com.au: did not receive HSTS header
 byronr.com: did not receive HSTS header
 byronwade.com: did not receive HSTS header
 byte.chat: did not receive HSTS header
 byte.wtf: did not receive HSTS header
 bytelog.org: did not receive HSTS header
-bytepen.com: could not connect to host
 bytesatwork.eu: could not connect to host
 byteshift.ca: could not connect to host
 bytesofcode.de: could not connect to host
@@ -2863,6 +3033,7 @@ bytesund.biz: could not connect to host
 byteturtle.eu: did not receive HSTS header
 byurudraw.pics: could not connect to host
 bywin9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+bzhub.bid: could not connect to host
 c-rickroll-v.pw: could not connect to host
 c0rn3j.com: could not connect to host
 c12discountonline.com: did not receive HSTS header
@@ -2877,29 +3048,33 @@ c3bbs.com: could not connect to host
 c3hv.cn: could not connect to host
 c3ie.com: did not receive HSTS header
 c4.hk: could not connect to host
-c5h8no4na.net: could not connect to host
+ca-terminal-multiservices.fr: did not receive HSTS header
+cablehighspeed.net: could not connect to host
 cabsites.com: could not connect to host
 cabusar.fr: could not connect to host
 cachethome.com: could not connect to host
 cachethq.io: did not receive HSTS header
 caconnect.org: could not connect to host
+cacr.pw: could not connect to host
 cadao.me: did not receive HSTS header
 cadburymovies.in.net: did not receive HSTS header
 cadcreations.co.ke: could not connect to host
 cadenadg.gr: did not receive HSTS header
+cadra.nl: could not connect to host
+cadusilva.com: could not connect to host
 caerostris.com: could not connect to host
 caesreon.com: could not connect to host
-cafe-murr.de: did not receive HSTS header
+cafe-murr.de: could not connect to host
 cafe-scientifique.org.ec: could not connect to host
+cafe-service.ru: could not connect to host
 cafechesscourt.com: could not connect to host
 cafefresco.pe: did not receive HSTS header
 cafesg.net: did not receive HSTS header
-caibi.io: could not connect to host
+caijunyi.net: did not receive HSTS header
 caim.cz: did not receive HSTS header
 caipai.fm: could not connect to host
 cairnterrier.com.br: could not connect to host
 cais.de: did not receive HSTS header
-caizx.com: did not receive HSTS header
 cajapopcorn.com: max-age too low: 0
 cake.care: could not connect to host
 cal.goip.de: could not connect to host
@@ -2908,8 +3083,10 @@ calculatoaresecondhand.xyz: could not connect to host
 caldecotevillagehall.co.uk: could not connect to host
 calebmorris.com: max-age too low: 60
 calgaryconstructionjobs.com: did not receive HSTS header
+calidoinvierno.com: could not connect to host
 callabs.net: could not connect to host
 callanbryant.co.uk: did not receive HSTS header
+callawayracing.se: could not connect to host
 calleveryday.com: could not connect to host
 callision.com: did not receive HSTS header
 callmereda.com: could not connect to host
@@ -2922,14 +3099,18 @@ calvin.me: did not receive HSTS header
 calypso-tour.net: could not connect to host
 calypsogames.net: could not connect to host
 camaya.net: did not receive HSTS header
+cambridge-security.com: could not connect to host
 cambridgeanalytica.net: could not connect to host
 cambridgeanalytica.org: did not receive HSTS header
 camisadotorcedor.com.br: could not connect to host
 camjackson.net: did not receive HSTS header
+camjobs.net: did not receive HSTS header
 cammarkets.com: could not connect to host
-campaignelves.com: did not receive HSTS header
+campaignelves.com: could not connect to host
 campbellsoftware.co.uk: could not connect to host
+campbrainybunch.com: did not receive HSTS header
 campeoesdofutebol.com.br: did not receive HSTS header
+campeonatoalemao.com.br: could not connect to host
 campfire.co.il: did not receive HSTS header
 campfourpaws.com: did not receive HSTS header
 campingcarlovers.com: could not connect to host
@@ -2948,13 +3129,15 @@ candygirl.shop: could not connect to host
 candykidsentertainment.co.uk: did not receive HSTS header
 candylion.rocks: could not connect to host
 canerkorkmaz.com: could not connect to host
+canfield.gov: did not receive HSTS header
+canglong.net: could not connect to host
 canifis.net: did not receive HSTS header
 cannarobotics.com: could not connect to host
+canterberry.cc: did not receive HSTS header
 canterbury.ws: could not connect to host
-canva-dev.com: could not connect to host
 canyons.media: did not receive HSTS header
-canyonshoa.com: did not receive HSTS header
 caodecristachines.com.br: could not connect to host
+caodesantohumberto.com.br: could not connect to host
 caoyu.info: did not receive HSTS header
 capacent.is: did not receive HSTS header
 capacitacionyautoempleo.com: did not receive HSTS header
@@ -2973,6 +3156,7 @@ car-navi.ph: did not receive HSTS header
 car-rental24.com: did not receive HSTS header
 carano-service.de: did not receive HSTS header
 caraudio69.cz: did not receive HSTS header
+carbonmonoxidelawyer.net: could not connect to host
 card-cashing.com: max-age too low: 0
 card-toka.jp: could not connect to host
 cardloan-manual.net: could not connect to host
@@ -2987,8 +3171,6 @@ carey.bio: did not receive HSTS header
 carey.li: did not receive HSTS header
 carif-idf.net: could not connect to host
 carif-idf.org: could not connect to host
-carlandfaith.com: could not connect to host
-carlgo11.com: did not receive HSTS header
 carlolly.co.uk: could not connect to host
 carlosalves.info: could not connect to host
 carloshmm.com: could not connect to host
@@ -2998,9 +3180,10 @@ carlsbouncycastlesandhottubs.co.uk: did not receive HSTS header
 carlscatering.com: did not receive HSTS header
 caroli.biz: could not connect to host
 caroli.info: could not connect to host
-carpliyz.com: did not receive HSTS header
+carpliyz.com: could not connect to host
 carrando.de: could not connect to host
-carredejardin.com: could not connect to host
+carredejardin.com: did not receive HSTS header
+carrentalsathens.com: max-age too low: 0
 carroarmato0.be: did not receive HSTS header
 carsforbackpackers.com: could not connect to host
 carsten.pw: did not receive HSTS header
@@ -3018,61 +3201,69 @@ casefall.com: could not connect to host
 cash-pos.com: did not receive HSTS header
 cashfortulsahouses.com: could not connect to host
 cashless.fr: did not receive HSTS header
+cashlink.io: did not receive HSTS header
 cashmyphone.ch: could not connect to host
 cashsector.ga: could not connect to host
-casino-cash-flow.su: could not connect to host
-casino-cashflow.ru: could not connect to host
 casinocashflow.ru: could not connect to host
 casinolegal.pt: did not receive HSTS header
 casinolistings.com: could not connect to host
 casinoluck.com: could not connect to host
 casinoreal.com: could not connect to host
 casinostest.com: could not connect to host
-casionova.org: did not receive HSTS header
+casionova.org: could not connect to host
 casioshop.eu: did not receive HSTS header
 casjay.com: did not receive HSTS header
 casovi.cf: could not connect to host
 castagnonavocats.com: did not receive HSTS header
 castlejackpot.com: did not receive HSTS header
+castleswa.com.au: could not connect to host
+cat-blum.com: could not connect to host
 cata.ga: could not connect to host
-catalin.pw: could not connect to host
+catalin.pw: did not receive HSTS header
 catarsisvr.com: could not connect to host
 catcontent.cloud: could not connect to host
 caterkids.com: did not receive HSTS header
-catgirl.me: could not connect to host
+catgirl.me: did not receive HSTS header
 catgirl.pics: could not connect to host
 catharisme.org: could not connect to host
 catherineidylle.com: max-age too low: 0
 catherinesarasin.com: did not receive HSTS header
+cathosting.org: could not connect to host
 catinmay.com: did not receive HSTS header
 catnapstudios.com: could not connect to host
 catnmeow.com: could not connect to host
+catprog.org: did not receive HSTS header
 catsmagic.pp.ua: could not connect to host
 causae-fincas.es: did not receive HSTS header
 causae.es: did not receive HSTS header
 cavaleria.ro: did not receive HSTS header
 cavalierkingcharlesspaniel.com.br: could not connect to host
+cave-reynard.ch: could not connect to host
 caveclan.org: did not receive HSTS header
 cavedevs.de: could not connect to host
 cavedroid.xyz: could not connect to host
 cavern.tv: did not receive HSTS header
 cayafashion.de: did not receive HSTS header
+cayounglab.co.jp: did not receive HSTS header
 cbamo.org: did not receive HSTS header
+cbdev.de: could not connect to host
 cbi-epa.gov: could not connect to host
 cc2729.com: did not receive HSTS header
 ccayearbook.com: could not connect to host
 ccblog.de: did not receive HSTS header
+ccgn.co: could not connect to host
 ccja.ro: did not receive HSTS header
 ccl-sti.ch: did not receive HSTS header
 ccretreatandfarm.com: did not receive HSTS header
 cctech.ph: could not connect to host
 cctld.com: could not connect to host
+ccu.io: could not connect to host
 ccv.eu: did not receive HSTS header
 cd0.us: could not connect to host
 cdcpartners.gov: could not connect to host
 cdeck.net: could not connect to host
 cdkeyworld.de: did not receive HSTS header
-cdlcenter.com: could not connect to host
+cdlcenter.com: did not receive HSTS header
 cdmhp.org.nz: could not connect to host
 cdmon.tech: could not connect to host
 cdn.sx.cn: could not connect to host
@@ -3082,6 +3273,7 @@ cdnk39.com: could not connect to host
 cdreporting.co.uk: did not receive HSTS header
 cdt.org: did not receive HSTS header
 ce-agentur.de: did not receive HSTS header
+ceagriproducts.com: did not receive HSTS header
 cecilwalker.com.au: did not receive HSTS header
 cee.io: could not connect to host
 cefak.org.br: did not receive HSTS header
@@ -3096,14 +3288,17 @@ celigo.com: did not receive HSTS header
 celina-reads.de: could not connect to host
 cellartracker.com: could not connect to host
 cellsites.nz: could not connect to host
+celtadigital.com: did not receive HSTS header
 cem.pw: did not receive HSTS header
 cencalvia.org: could not connect to host
 centennialrewards.com: did not receive HSTS header
 centerforpolicy.org: could not connect to host
+centerpoint.ovh: did not receive HSTS header
+centillien.com: did not receive HSTS header
 centos.pub: could not connect to host
 central4.me: could not connect to host
 centralcountiesservices.org: did not receive HSTS header
-centralfor.me: did not receive HSTS header
+centralfor.me: could not connect to host
 centrallead.net: could not connect to host
 centralvacsunlimited.net: did not receive HSTS header
 centralvoice.org: could not connect to host
@@ -3112,9 +3307,9 @@ centrepoint-community.com: could not connect to host
 centricbeats.com: did not receive HSTS header
 centrolavoro.org: did not receive HSTS header
 centsforchange.net: could not connect to host
-century-group.com: could not connect to host
+century-group.com: max-age too low: 2592000
 ceoimon.com: did not receive HSTS header
-ceoptique.com: could not connect to host
+ceoptique.com: did not receive HSTS header
 cercevelet.com: did not receive HSTS header
 ceres1.space: did not receive HSTS header
 ceresia.ch: could not connect to host
@@ -3132,26 +3327,29 @@ certly.io: could not connect to host
 certmgr.org: could not connect to host
 ceruleanmainbeach.com.au: did not receive HSTS header
 cesal.net: could not connect to host
+cesantias.co: could not connect to host
 cesidianroot.eu: could not connect to host
 cespri.com.pe: did not receive HSTS header
 ceta.one: did not receive HSTS header
 cevrimici.com: could not connect to host
-cf-tm.net: could not connect to host
 cf11.de: did not receive HSTS header
+cfa.gov: did not receive HSTS header
+cfan.space: could not connect to host
 cfcnexus.org: could not connect to host
 cfcproperties.com: did not receive HSTS header
 cfetengineering.com: could not connect to host
 cfneia.org: did not receive HSTS header
 cfoitplaybook.com: could not connect to host
-cfsh.tk: could not connect to host
 cganx.org: could not connect to host
 cgerstner.eu: did not receive HSTS header
 cgsshelper.tk: could not connect to host
 cgtx.us: could not connect to host
 chabaojia.com: did not receive HSTS header
 chadklass.com: could not connect to host
+chadtaljaardt.com: could not connect to host
 chahub.com: could not connect to host
 chainmonitor.com: could not connect to host
+chaip.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 chairinstitute.com: did not receive HSTS header
 chaldeen.pro: did not receive HSTS header
 challengeskins.com: could not connect to host
@@ -3166,24 +3364,23 @@ chandlerredding.com: could not connect to host
 changelab.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 changetip.com: did not receive HSTS header
 channelcards.com: did not receive HSTS header
-channellife.asia: could not connect to host
+channellife.asia: did not receive HSTS header
 channellife.co.nz: did not receive HSTS header
 channellife.com.au: did not receive HSTS header
-channyc.com: did not receive HSTS header
+channyc.com: could not connect to host
 chaos.fail: could not connect to host
 chaoscastles.co.uk: did not receive HSTS header
-chaospott.de: did not receive HSTS header
-chaoswars.ddns.net: could not connect to host
 chaoswebs.net: did not receive HSTS header
+chaotichive.com: could not connect to host
+chaoticlaw.com: did not receive HSTS header
 chaouby.com: could not connect to host
+chapelaria.tf: could not connect to host
 charakato.com: could not connect to host
-charge.co: could not connect to host
 chargejuice.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 charityclear.com: could not connect to host
 charitystreet.co.uk: could not connect to host
 charl.eu: could not connect to host
 charlesjay.com: could not connect to host
-charlestonfacialplastic.com: did not receive HSTS header
 charlestonsecuritysystems.net: did not receive HSTS header
 charliemcneive.com: could not connect to host
 charlimarie.com: did not receive HSTS header
@@ -3191,6 +3388,7 @@ charlipopkids.com.au: did not receive HSTS header
 charnleyhouse.co.uk: did not receive HSTS header
 charonsecurity.com: could not connect to host
 charp.eu: could not connect to host
+charr.xyz: could not connect to host
 chartstoffarm.de: did not receive HSTS header
 chasafilli.ch: could not connect to host
 chaseganey.com: did not receive HSTS header
@@ -3200,6 +3398,8 @@ chasse-et-plaisir.com: did not receive HSTS header
 chat-porc.eu: did not receive HSTS header
 chatbot.me: did not receive HSTS header
 chatbot.one: could not connect to host
+chatbotclic.com: could not connect to host
+chatbotclick.com: could not connect to host
 chatbots.email: could not connect to host
 chateau-belvoir.com: could not connect to host
 chateauconstellation.ch: did not receive HSTS header
@@ -3209,11 +3409,12 @@ chatup.cf: could not connect to host
 chatxp.com: could not connect to host
 chaulootz.com: did not receive HSTS header
 chaverde.org: could not connect to host
+chaz6.com: did not receive HSTS header
+chazgie.se: did not receive HSTS header
 chcemvediet.sk: max-age too low: 1555200
 chdgaming.xyz: could not connect to host
 cheah.xyz: could not connect to host
 cheapdns.org: could not connect to host
-cheapssl.com.tr: did not receive HSTS header
 cheapwritinghelp.com: could not connect to host
 cheapwritingservice.com: could not connect to host
 cheazey.net: did not receive HSTS header
@@ -3223,34 +3424,37 @@ checkhost.org: could not connect to host
 checkmateshoes.com: did not receive HSTS header
 checkmatewebsolutions.com: max-age too low: 0
 checkout.google.com: could not connect to host (error ignored - included regardless)
-checkyourmath.com: could not connect to host
 checkyourmeds.com: did not receive HSTS header
 cheekylittlerascals.co.uk: did not receive HSTS header
 cheerflow.com: could not connect to host
 cheesefusion.com: could not connect to host
+cheesehosting.net: did not receive HSTS header
 cheesetart.my: could not connect to host
 cheesypicsbooths.co.uk: could not connect to host
 cheetah85.de: could not connect to host
 chefgalles.com.br: could not connect to host
 chejianer.cn: could not connect to host
+chelema.xyz: could not connect to host
 chellame.com: could not connect to host
 chellame.fr: could not connect to host
 chelseafs.co.uk: did not receive HSTS header
 chemicalguys-ruhrpott.de: could not connect to host
 chenfengyi.com: could not connect to host
-chengtongled.com: did not receive HSTS header
+chengtongled.com: could not connect to host
 chensir.net: could not connect to host
 chepaofen.com: did not receive HSTS header
 cherekerry.com: could not connect to host
+cherrett.digital: did not receive HSTS header
 cherrydropscandycarts.co.uk: could not connect to host
 cherylsoleway.com: did not receive HSTS header
 chessreporter.nl: did not receive HSTS header
 chesterbrass.uk: did not receive HSTS header
+chez-janine.de: could not connect to host
+chhy.at: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 chiamata-aiuto.ch: could not connect to host
 chiaramail.com: could not connect to host
 chib.chat: could not connect to host
-chicagolug.org: could not connect to host
-chicorycom.net: could not connect to host
+chicorycom.net: did not receive HSTS header
 chihiro.xyz: could not connect to host
 chijiokeindustries.co.uk: could not connect to host
 chikan-beacon.net: could not connect to host
@@ -3258,7 +3462,7 @@ chikatomo-ryugaku.com: did not receive HSTS header
 chikory.com: could not connect to host
 childcaresolutionscny.org: did not receive HSTS header
 childrendeservebetter.org: could not connect to host
-chilli943.info: could not connect to host
+chilli943.info: did not receive HSTS header
 chimparoo.ca: did not receive HSTS header
 china-dhl.org: could not connect to host
 china-line.org: could not connect to host
@@ -3266,6 +3470,7 @@ chinacdn.org: could not connect to host
 chinawhale.com: could not connect to host
 chinternet.xyz: could not connect to host
 chiphell.com: did not receive HSTS header
+chiralsoftware.com: could not connect to host
 chirgui.eu: could not connect to host
 chloca.jp: did not receive HSTS header
 chloe.re: did not receive HSTS header
@@ -3274,19 +3479,21 @@ chloehorler.com: could not connect to host
 chlouis.net: could not connect to host
 chm.vn: did not receive HSTS header
 chocolat-suisse.ch: could not connect to host
+chocolate13tilias.com.br: did not receive HSTS header
 chodobien.com: could not connect to host
 chodocu.com: did not receive HSTS header
 choe.fi: could not connect to host
 choiralberta.ca: did not receive HSTS header
+choisirmonerp.com: did not receive HSTS header
 chollima.pro: could not connect to host
 chontalpa.pw: could not connect to host
+choootto.club: did not receive HSTS header
 chopperforums.com: could not connect to host
 chordso.com: did not receive HSTS header
 chorkley.me: could not connect to host
 chorleiterverband.de: did not receive HSTS header
 choruscrowd.com: could not connect to host
 chotu.net: could not connect to host
-chr0me.sh: could not connect to host
 chris-web.info: could not connect to host
 chrisandsarahinasia.com: could not connect to host
 chrisbrakebill.com: did not receive HSTS header
@@ -3296,10 +3503,10 @@ chrisfaber.com: could not connect to host
 chrisfinazzo.com: did not receive HSTS header
 chriskirchner.de: did not receive HSTS header
 chriskyrouac.com: could not connect to host
-chrisopperwall.com: did not receive HSTS header
-chrisself.xyz: max-age too low: 0
-christerwaren.fi: could not connect to host
+chrisopperwall.com: could not connect to host
+chrisself.xyz: could not connect to host
 christiaandruif.nl: could not connect to host
+christian-krug.website: did not receive HSTS header
 christianbro.gq: could not connect to host
 christianhoffmann.info: could not connect to host
 christianhospitaltank.org: did not receive HSTS header
@@ -3314,9 +3521,10 @@ christophheich.me: did not receive HSTS header
 christophkreileder.com: could not connect to host
 chrisupjohn.com: could not connect to host
 chrisupjohn.xyz: could not connect to host
+chrisvannooten.tk: could not connect to host
 chrisvicmall.com: did not receive HSTS header
 chromaryu.net: could not connect to host
-chromaxa.com: could not connect to host
+chromaxa.com: did not receive HSTS header
 chrome: could not connect to host
 chrome-devtools-frontend.appspot.com: did not receive HSTS header (error ignored - included regardless)
 chrome.google.com: did not receive HSTS header (error ignored - included regardless)
@@ -3324,22 +3532,19 @@ chronic101.xyz: could not connect to host
 chronogram.me: did not receive HSTS header
 chronoproject.com: did not receive HSTS header
 chrst.ph: could not connect to host
-chs.us: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+chs.us: max-age too low: 0
 chsh.moe: could not connect to host
-chua.cf: could not connect to host
+chua.cf: did not receive HSTS header
 chua.family: did not receive HSTS header
-chuckame.fr: did not receive HSTS header
+chuckame.fr: could not connect to host
 chulado.com: did not receive HSTS header
 chundelac.com: could not connect to host
+churchlinkpro.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 churchux.co: could not connect to host
-churchwebcanada.ca: did not receive HSTS header
-churchwebsupport.com: did not receive HSTS header
 churrasqueirafacil.com.br: could not connect to host
 chxdf.net: could not connect to host
-ci-labo.com.tw: max-age too low: 7889238
-ci-suite.com: could not connect to host
 cianmawhinney.xyz: could not connect to host
-cidadedopoker.com.br: could not connect to host
+cidadedopoker.com.br: did not receive HSTS header
 ciderclub.com: could not connect to host
 cidr.ml: could not connect to host
 cienbeaute-lidl.fr: could not connect to host
@@ -3347,20 +3552,23 @@ cigarblogs.net: could not connect to host
 cigarterminal.com: could not connect to host
 cigi.site: could not connect to host
 ciicutini.ro: did not receive HSTS header
+ciiex.co: could not connect to host
 cim2b.de: could not connect to host
 cimalando.eu: could not connect to host
 cinartelorgu.com: did not receive HSTS header
+cinay.pw: could not connect to host
 cindey.io: could not connect to host
 cinefilia.tk: could not connect to host
-cinelite.club: did not receive HSTS header
+cinelite.club: could not connect to host
 cinema5.ru: did not receive HSTS header
 cinemaclub.co: could not connect to host
 ciner.is: could not connect to host
 cinerama.com.br: did not receive HSTS header
+cintactimber.com: did not receive HSTS header
 cintdirect.com: could not connect to host
 cioconference.co.nz: could not connect to host
 cipher.co.th: did not receive HSTS header
-cipher.land: could not connect to host
+cipher.land: did not receive HSTS header
 cipherli.st: did not receive HSTS header
 ciplanutrition.com: could not connect to host
 cipriano.nl: did not receive HSTS header
@@ -3368,18 +3576,21 @@ cira.email: could not connect to host
 circ-logic.com: did not receive HSTS header
 circlebox.rocks: could not connect to host
 cirfi.com: could not connect to host
+cirope.com: could not connect to host
 cirrohost.com: did not receive HSTS header
+cirugiasplasticas.com.mx: did not receive HSTS header
+cirujanooral.com: could not connect to host
 ciscohomeanalytics.com: could not connect to host
 ciscommerce.net: could not connect to host
 citationgurus.com: could not connect to host
 citiagent.cz: could not connect to host
-citizen-cam.de: did not receive HSTS header
 citra-emu.org: did not receive HSTS header
-citroner.blog: could not connect to host
+citroner.blog: did not receive HSTS header
 citybusexpress.com: did not receive HSTS header
 cityofeastpointemi.gov: could not connect to host
 cityoflaurel.org: did not receive HSTS header
-cityofwadley-ga.gov: could not connect to host
+cityoftitansmmo.com: could not connect to host
+cityofwadley-ga.gov: did not receive HSTS header
 citywalkr.com: could not connect to host
 ciuciucadou.ro: could not connect to host
 cium.ru: could not connect to host
@@ -3390,10 +3601,12 @@ cjessett.com: max-age too low: 0
 cjtkfan.club: could not connect to host
 ckcameron.net: could not connect to host
 ckp.io: could not connect to host
+clacetandil.com.ar: could not connect to host
 clad.cf: could not connect to host
 claibornecountytn.gov: could not connect to host
 claimit.ml: could not connect to host
 clan-ww.com: did not receive HSTS header
+clanthor.com: did not receive HSTS header
 clapping-rhymes.com: could not connect to host
 clara-baumert.de: could not connect to host
 claralabs.com: did not receive HSTS header
@@ -3401,13 +3614,14 @@ claretandbanter.uk: did not receive HSTS header
 clarity-c2ced.appspot.com: did not receive HSTS header
 claritysrv.com: did not receive HSTS header
 clarksgaragedoorrepair.com: did not receive HSTS header
+clash-movies.de: max-age too low: 172800
 clashersrepublic.com: could not connect to host
 classicday.nl: could not connect to host
+classics.io: did not receive HSTS header
 classicsandexotics.com: could not connect to host
 classicshop.ua: did not receive HSTS header
 classicspublishing.com: could not connect to host
 classifiedssa.co.za: could not connect to host
-claster.it: did not receive HSTS header
 claudearpel.fr: did not receive HSTS header
 claudio4.com: did not receive HSTS header
 claytoncondon.com: could not connect to host
@@ -3422,12 +3636,11 @@ clearc.tk: could not connect to host
 clearchatsandbox.com: could not connect to host
 clearsky.me: did not receive HSTS header
 clearviewwealthprojector.com.au: could not connect to host
-clementfevrier.fr: could not connect to host
 clemovementlaw.com: could not connect to host
 clerkendweller.uk: could not connect to host
 clevelandokla.com: could not connect to host
-cleververmarkten.com: did not receive HSTS header
-cleververmarkten.de: did not receive HSTS header
+cleververmarkten.com: could not connect to host
+cleververmarkten.de: could not connect to host
 clic-music.com: could not connect to host
 click-2-order.co.uk: did not receive HSTS header
 click2order.co.uk: did not receive HSTS header
@@ -3444,53 +3657,63 @@ clicnbio.com: could not connect to host
 cliftons.com: did not receive HSTS header
 climaencusco.com: could not connect to host
 clinia.ca: did not receive HSTS header
+clinicadelogopedia.net: did not receive HSTS header
 clinicaferrusbratos.com: did not receive HSTS header
 clinicasilos.com: did not receive HSTS header
 cliniko.com: did not receive HSTS header
 clintonbloodworth.com: could not connect to host
 clintonbloodworth.io: could not connect to host
+clintonplasticsurgery.com: did not receive HSTS header
 clintwilson.technology: max-age too low: 2592000
 clip.ovh: did not receive HSTS header
 clipped4u.com: could not connect to host
 clnet.com.au: did not receive HSTS header
 cloghercastles.co.uk: did not receive HSTS header
+clojurescript.ru: could not connect to host
 clorik.com: could not connect to host
 closient.com: did not receive HSTS header
 closingholding.com: could not connect to host
+cloturea.fr: could not connect to host
 cloud-crowd.com.au: did not receive HSTS header
 cloud-project.com: could not connect to host
 cloud.wtf: could not connect to host
 cloud2go.de: did not receive HSTS header
 cloud58.org: did not receive HSTS header
+cloudalice.com: could not connect to host
+cloudalice.net: could not connect to host
 cloudapi.vc: could not connect to host
 cloudbased.info: did not receive HSTS header
 cloudbasedsite.com: did not receive HSTS header
 cloudberlin.goip.de: could not connect to host
 cloudbleed.info: could not connect to host
-cloudcert.org: did not receive HSTS header
+cloudbreaker.de: could not connect to host
+cloudconsulting.net.za: did not receive HSTS header
+cloudconsulting.org.za: did not receive HSTS header
+cloudconsulting.web.za: did not receive HSTS header
 cloudcy.net: could not connect to host
 clouddesktop.co.nz: could not connect to host
-cloudfren.com: did not receive HSTS header
+cloudfren.com: could not connect to host
 cloudimag.es: could not connect to host
 cloudimproved.com: could not connect to host
 cloudimprovedtest.com: could not connect to host
-cloudlink.club: could not connect to host
-cloudmigrator365.com: could not connect to host
+cloudlink.club: did not receive HSTS header
+cloudmigrator365.com: did not receive HSTS header
 cloudns.com.au: could not connect to host
 cloudopt.net: did not receive HSTS header
 cloudpagesforwork.com: did not receive HSTS header
 cloudpebble.net: did not receive HSTS header
 cloudpengu.in: could not connect to host
 clouds.webcam: could not connect to host
+cloudsocial.io: could not connect to host
 cloudspotterapp.com: did not receive HSTS header
 cloudstoragemaus.com: could not connect to host
 cloudstorm.me: could not connect to host
 cloudstrike.co: could not connect to host
-cloudteam.de: did not receive HSTS header
+cloudteam.de: could not connect to host
 cloudwalk.io: did not receive HSTS header
 cloudwarez.xyz: could not connect to host
 clounix.online: could not connect to host
-clovissantos.com: did not receive HSTS header
+clovissantos.com: could not connect to host
 clowde.in: could not connect to host
 clownaroundbouncycastles.co.uk: did not receive HSTS header
 clownish.co.il: could not connect to host
@@ -3498,28 +3721,29 @@ clsimplex.com: did not receive HSTS header
 clubcall.com: did not receive HSTS header
 clubdeslecteurs.net: could not connect to host
 clubmix.co.kr: could not connect to host
-cluefulca.com: could not connect to host
-cluefulca.net: could not connect to host
-cluefulca.org: could not connect to host
+clubscannan.ie: did not receive HSTS header
+clueful.ca: max-age too low: 0
 cluj.apartments: could not connect to host
+clush.pw: did not receive HSTS header
 cluster.id: could not connect to host
 clvrwebdesign.com: did not receive HSTS header
 clvs7.com: did not receive HSTS header
 clycat.ru: could not connect to host
 clywedogmaths.co.uk: could not connect to host
 cm3.pw: could not connect to host
+cmahy.be: could not connect to host
 cmangos.net: did not receive HSTS header
 cmc-versand.de: did not receive HSTS header
 cmcc.network: could not connect to host
 cmci.dk: did not receive HSTS header
 cmdtelecom.net.br: did not receive HSTS header
-cmitao.com: could not connect to host
 cmpr.es: could not connect to host
 cmrss.com: could not connect to host
 cmsbattle.com: could not connect to host
 cmscafe.ru: did not receive HSTS header
 cmskh.co.uk: could not connect to host
 cmso-cal.com: could not connect to host
+cmusical.es: could not connect to host
 cmweller.com: could not connect to host
 cnam.net: did not receive HSTS header
 cnaprograms.online: could not connect to host
@@ -3528,20 +3752,21 @@ cncmachinemetal.com: did not receive HSTS header
 cncn.us: did not receive HSTS header
 cnetw.xyz: could not connect to host
 cnitdog.com: could not connect to host
-cnlau.com: did not receive HSTS header
+cnlau.com: could not connect to host
 cnlic.com: could not connect to host
 cnrd.me: did not receive HSTS header
 cnsyear.com: did not receive HSTS header
 cnwage.com: could not connect to host
 cnwarn.com: could not connect to host
-co-driversphoto.se: could not connect to host
+co-driversphoto.se: did not receive HSTS header
 co-yutaka.com: could not connect to host
+co2eco.cn: did not receive HSTS header
+coa.one: could not connect to host
 coach-sportif.paris: did not receive HSTS header
 coachingconsultancy.com: did not receive HSTS header
 cobaltlp.com: could not connect to host
 cobcode.com: could not connect to host
 cobrax.net: could not connect to host
-cocaine-import.agency: could not connect to host
 coccinellaskitchen.com: could not connect to host
 coccinellaskitchen.de: could not connect to host
 coccinellaskitchen.it: could not connect to host
@@ -3553,21 +3778,23 @@ cocktailfuture.fr: could not connect to host
 coco-cool.fr: could not connect to host
 cocodemy.com: did not receive HSTS header
 cocolovesdaddy.com: could not connect to host
+cocyou.ooo: could not connect to host
 codabix.net: could not connect to host
 code-35.com: could not connect to host
 code-digsite.com: could not connect to host
 code-judge.tk: could not connect to host
 code.google.com: did not receive HSTS header (error ignored - included regardless)
 codealkemy.co: could not connect to host
+codebreaking.org: did not receive HSTS header
 codeco.pw: could not connect to host
 codecontrollers.de: could not connect to host
 codeforce.io: could not connect to host
-codeforhakodate.org: could not connect to host
+codeforhakodate.org: did not receive HSTS header
 codejunkie.de: could not connect to host
 codelayer.ca: could not connect to host
 codelitmus.com: did not receive HSTS header
 codeloop.pw: could not connect to host
-codelove.de: did not receive HSTS header
+codelove.de: could not connect to host
 codemonkeyrawks.net: did not receive HSTS header
 codemperium.com: could not connect to host
 codenlife.xyz: could not connect to host
@@ -3575,27 +3802,37 @@ codeofhonor.tech: could not connect to host
 codeplay.org: could not connect to host
 codepoet.de: did not receive HSTS header
 codeproxy.ddns.net: could not connect to host
-codepx.com: did not receive HSTS header
+codepx.com: could not connect to host
 codercy.com: could not connect to host
 coderhangout.com: could not connect to host
-codersbistro.com: did not receive HSTS header
+codersatlas.co: could not connect to host
+codersatlas.com: could not connect to host
+codersatlas.xyz: could not connect to host
+codersbistro.com: could not connect to host
+codestep.io: could not connect to host
 codewiththepros.org: could not connect to host
 codewiz.xyz: could not connect to host
+codimaker.com: did not receive HSTS header
+codymoniz.com: could not connect to host
 coecrafters.com: could not connect to host
 coffeedino.com: did not receive HSTS header
 coffeeetc.co.uk: could not connect to host
 coffeestrategies.com: max-age too low: 5184000
-cogniflex.com: did not receive HSTS header
+coffeetocode.me: did not receive HSTS header
+cogniflex.com: could not connect to host
 cognixia.com: did not receive HSTS header
 cogumelosmagicos.org: could not connect to host
-cohesive.io: did not receive HSTS header
+cohesive.io: could not connect to host
 coin-exchange.cz: could not connect to host
+coincoele.com.br: could not connect to host
 coindam.com: could not connect to host
+coindatabase.net: could not connect to host
 coinessa.com: could not connect to host
 coinjar-sandbox.com: could not connect to host
 colarelli.ch: could not connect to host
 coldaddy.com: could not connect to host
-coldlostsick.net: could not connect to host
+coldawn.com: could not connect to host
+coldlostsick.net: did not receive HSTS header
 coldwatericecream.com: did not receive HSTS header
 colearnr.com: could not connect to host
 colincampbell.me: could not connect to host
@@ -3614,11 +3851,11 @@ collins.press: could not connect to host
 collinsartworks.com: did not receive HSTS header
 collision.fyi: could not connect to host
 colmexpro.com: did not receive HSTS header
+colo-tech.com: could not connect to host
 colognegaming.net: could not connect to host
-cololi.moe: max-age too low: 2592000
 coloradocomputernetworking.net: could not connect to host
 colorcentertoner.com.br: did not receive HSTS header
-coloringnotebook.com: could not connect to host
+coloringnotebook.com: did not receive HSTS header
 colorlib.com: did not receive HSTS header
 colorunhas.com.br: did not receive HSTS header
 com-news.io: could not connect to host
@@ -3626,14 +3863,10 @@ com.cc: could not connect to host
 combatshield.cz: did not receive HSTS header
 comchezmeme.com: could not connect to host
 comdotgame.com: could not connect to host
-comefollowme2016.com: did not receive HSTS header
 comeoncolleen.com: did not receive HSTS header
 comercialtrading.eu: could not connect to host
 cometbot.cf: could not connect to host
 cometrueunlimited.com: could not connect to host
-comevius.com: could not connect to host
-comevius.org: could not connect to host
-comevius.xyz: could not connect to host
 comfortdom.ua: did not receive HSTS header
 comfortticket.de: did not receive HSTS header
 comfy.cafe: could not connect to host
@@ -3650,13 +3883,14 @@ commerciallocker.com: could not connect to host
 commercialplanet.eu: could not connect to host
 commune-preuilly.fr: did not receive HSTS header
 community-cupboard.org: did not receive HSTS header
+communityflow.info: could not connect to host
 comocurarlashemorroides.org: did not receive HSTS header
 comocurarlashemorroidesya.com: did not receive HSTS header
-comodo.nl: could not connect to host
 comorecuperaratumujerpdf.com: could not connect to host
 comotalk.com: could not connect to host
 compalytics.com: could not connect to host
 comparamejor.com: did not receive HSTS header
+compareandrecycle.com: did not receive HSTS header
 comparejewelleryprices.co.uk: could not connect to host
 comparetravelinsurance.com.au: did not receive HSTS header
 compassionate-biology.com: could not connect to host
@@ -3665,6 +3899,7 @@ compiledworks.com: could not connect to host
 completesportperformance.com: did not receive HSTS header
 completionist.audio: could not connect to host
 complex-organization.com: could not connect to host
+complexsystems.fail: did not receive HSTS header
 complt.xyz: could not connect to host
 complymd.com: did not receive HSTS header
 compredietlight.com.br: did not receive HSTS header
@@ -3673,26 +3908,32 @@ comprehensiveihc.com: could not connect to host
 compromised.com: could not connect to host
 compros.me: could not connect to host
 compsmag.com: did not receive HSTS header
-comptrollerofthecurrency.gov: did not receive HSTS header
+compucastell.ch: could not connect to host
 compucorner.com.mx: could not connect to host
 compusolve.nl: could not connect to host
+computeracademy.co.za: could not connect to host
+computercraft.net: could not connect to host
 computertal.de: could not connect to host
 comssa.org.au: did not receive HSTS header
+comw.cc: could not connect to host
 comyuno.com: did not receive HSTS header
 concentrade.de: did not receive HSTS header
 conceptatelier.de: could not connect to host
 conception.sk: could not connect to host
 concerts-metal.ch: did not receive HSTS header
 conclave.global: could not connect to host
+conclinica.com.br: did not receive HSTS header
 concord-group.co.jp: did not receive HSTS header
 conectalmeria.com: did not receive HSTS header
 confidential.network: could not connect to host
 confirm365.com: could not connect to host
 conflux.tw: did not receive HSTS header
 conformal.com: could not connect to host
+conformist.jp: could not connect to host
+confucio.cl: could not connect to host
 confuddledpenguin.com: did not receive HSTS header
 cong5.net: max-age too low: 0
-congz.me: could not connect to host
+congz.me: did not receive HSTS header
 conkret.ch: could not connect to host
 conkret.co.uk: could not connect to host
 conkret.eu: could not connect to host
@@ -3702,11 +3943,12 @@ connaitre-les-astres.com: did not receive HSTS header
 connect.ua: could not connect to host
 connected-verhuurservice.nl: did not receive HSTS header
 connectfss.com: could not connect to host
-connectingconcepts.com: did not receive HSTS header
+connectingconcepts.com: could not connect to host
 conniesacademy.com: could not connect to host
-conpins.nl: could not connect to host
+conocimientosdigitales.com: could not connect to host
 conrad.am: could not connect to host
 consciousandglamorous.com: could not connect to host
+consciousbrand.co: did not receive HSTS header
 consciousbrand.org.au: could not connect to host
 consciousbranding.org.au: could not connect to host
 consciousbrands.net.au: could not connect to host
@@ -3725,13 +3967,17 @@ contaimo.com: did not receive HSTS header
 container-lion.com: did not receive HSTS header
 containerstatistics.com: could not connect to host
 contarkos.xyz: could not connect to host
+content-design.de: did not receive HSTS header
+contentdesign.de: did not receive HSTS header
 contents.ga: did not receive HSTS header
 continuation.io: could not connect to host
 continuumgaming.com: could not connect to host
+contractdigital.co.uk: did not receive HSTS header
 contraout.com: could not connect to host
 controlcenter.gigahost.dk: did not receive HSTS header
 contxt-agentur.de: did not receive HSTS header
 convergemagazine.com: did not receive HSTS header
+convert.zone: could not connect to host
 converter.ml: could not connect to host
 convertimg.com: could not connect to host
 convoitises.com: did not receive HSTS header
@@ -3745,17 +3991,22 @@ coole-meister.de: could not connect to host
 cooljs.me: could not connect to host
 coolkidsbouncycastles.co.uk: did not receive HSTS header
 coolrc.me: did not receive HSTS header
+cooltang.ooo: did not receive HSTS header
+coolviewthermostat.com: did not receive HSTS header
 coolvox.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 coonelnel.net: did not receive HSTS header
+cooperativehandmade.com: did not receive HSTS header
+cooperativehandmade.pe: did not receive HSTS header
 cooxa.com: could not connect to host
+copperhead.co: did not receive HSTS header
 copshop.com.br: could not connect to host
 coptic-treasures.com: max-age too low: 2592000
 copycaught.com: could not connect to host
 copytrack.com: did not receive HSTS header
 cor-ser.es: could not connect to host
 coralproject.net: did not receive HSTS header
-coralrosado.com.br: did not receive HSTS header
-coramcdaniel.com: did not receive HSTS header
+coralrosado.com.br: could not connect to host
+coramcdaniel.com: could not connect to host
 corbinhesse.com: did not receive HSTS header
 corderoscleaning.com: did not receive HSTS header
 cordial-restaurant.com: did not receive HSTS header
@@ -3766,6 +4017,7 @@ coreinfrastructure.org: did not receive HSTS header
 corenetworking.de: could not connect to host
 coresos.com: could not connect to host
 corex.io: could not connect to host
+corgi.party: could not connect to host
 corgicloud.com: could not connect to host
 corinnanese.de: could not connect to host
 coriver.me: did not receive HSTS header
@@ -3775,7 +4027,6 @@ cormilu.com.br: did not receive HSTS header
 cornishcamels.com: did not receive HSTS header
 cornmachine.com: did not receive HSTS header
 coroasdefloresonline.com.br: could not connect to host
-coropiacere.org: could not connect to host
 corozanu.ro: did not receive HSTS header
 corpoatletico.com.br: could not connect to host
 corporateencryption.com: could not connect to host
@@ -3786,30 +4037,36 @@ correiodovale.com.br: did not receive HSTS header
 corruption-mc.net: could not connect to host
 corruption-rsps.net: could not connect to host
 corruption-server.net: could not connect to host
+cosmeticosdelivery.com.br: could not connect to host
 cosmeticosnet.com.br: did not receive HSTS header
 cosmiatria.pe: could not connect to host
-cosmic-os.org: could not connect to host
+cosmic-os.org: did not receive HSTS header
 cosmoluziluminacion.com: did not receive HSTS header
 cosmoss-departure.com: could not connect to host
+cosni.co: could not connect to host
+costa-rica-reisen.ch: did not receive HSTS header
+costcofinance.com: did not receive HSTS header
 costow.club: did not receive HSTS header
 cotonea.de: did not receive HSTS header
 cougarsland.com: did not receive HSTS header
 coughlan.de: did not receive HSTS header
 counselling.network: could not connect to host
+counsellingtime.co.uk: could not connect to host
 count.sh: could not connect to host
 countryoutlaws.ca: did not receive HSTS header
 coup-dun-soir.ch: could not connect to host
 couponcodeq.com: could not connect to host
 couragewhispers.ca: could not connect to host
-coursables.com: did not receive HSTS header
 coursdeprogrammation.com: could not connect to host
 course.pp.ua: did not receive HSTS header
 course.rs: could not connect to host
 coursella.com: did not receive HSTS header
 courses.nl: could not connect to host
 courseworkbank.info: could not connect to host
+covaci.pro: did not receive HSTS header
 cove.sh: could not connect to host
 covenantbank.net: could not connect to host
+covenantmatrix.com: did not receive HSTS header
 coverdat.com: could not connect to host
 coverduck.ru: could not connect to host
 coworkingmanifesto.com: did not receive HSTS header
@@ -3817,6 +4074,7 @@ cozitop.com.br: could not connect to host
 cozmaadrian.ro: could not connect to host
 cozy.io: did not receive HSTS header
 cozycloud.cc: did not receive HSTS header
+cpahunt.com: did not receive HSTS header
 cpaneltips.com: could not connect to host
 cpbanq.com: could not connect to host
 cpuvinf.eu.org: could not connect to host
@@ -3824,7 +4082,6 @@ cqchome.com: did not receive HSTS header
 cracking.org: did not receive HSTS header
 crackingking.com: could not connect to host
 crackpfer.de: could not connect to host
-crackslut.eu: could not connect to host
 craftbeerbarn.co.uk: could not connect to host
 craftedge.xyz: could not connect to host
 craftination.net: could not connect to host
@@ -3833,6 +4090,7 @@ craftmine.cz: could not connect to host
 craftngo.hu: could not connect to host
 craftwmcp.xyz: could not connect to host
 craftydev.design: could not connect to host
+craigary.net: could not connect to host
 cranems.com.ua: could not connect to host
 cranesafe.com: max-age too low: 7889238
 cranioschule.com: did not receive HSTS header
@@ -3853,14 +4111,15 @@ creaescola.com: did not receive HSTS header
 creamybuild.com: could not connect to host
 create-ls.jp: could not connect to host
 create-test-publish.co.uk: could not connect to host
-createcos.com: could not connect to host
+create-together.nl: did not receive HSTS header
+creations-edita.com: could not connect to host
 creativeapple.ltd: did not receive HSTS header
 creativeartifice.com: did not receive HSTS header
 creativecommons.cl: did not receive HSTS header
 creativecommonscatpictures.com: could not connect to host
-creativefolks.co.uk: did not receive HSTS header
 creativephysics.ml: could not connect to host
 creativeplayuk.com: did not receive HSTS header
+creativlabor.ch: did not receive HSTS header
 creato.top: could not connect to host
 creators.co: could not connect to host
 crecips.com: could not connect to host
@@ -3868,15 +4127,22 @@ crecket.me: could not connect to host
 credia.jp: did not receive HSTS header
 creditclear.com.au: did not receive HSTS header
 creditreporttips.net: did not receive HSTS header
+creepycraft.nl: could not connect to host
 crendontech.com: did not receive HSTS header
 creorin.com: did not receive HSTS header
 crestoncottage.com: could not connect to host
+creusalp.ch: did not receive HSTS header
 crewplanner.eu: did not receive HSTS header
-crge.eu: max-age too low: 0
+crge.eu: could not connect to host
+criadorespet.com.br: could not connect to host
+crickey.eu: could not connect to host
 crimewatch.net.za: could not connect to host
+crimson.no: did not receive HSTS header
 crip-usk.ba: could not connect to host
 crisissurvivalspecialists.com: could not connect to host
+cristiandeluxe.com: did not receive HSTS header
 cristianhares.com: could not connect to host
+critcola.com: could not connect to host
 criticalaim.com: could not connect to host
 crizk.com: could not connect to host
 crl-autos.com: could not connect to host
@@ -3886,24 +4152,24 @@ crockett.io: did not receive HSTS header
 croco.vision: did not receive HSTS header
 croeder.net: could not connect to host
 croisieres.discount: did not receive HSTS header
-cromefire.myds.me: could not connect to host
 cromosomax.com: could not connect to host
-cronoscentral.be: did not receive HSTS header
+cronberg.ch: could not connect to host
 croods-mt2.fr: did not receive HSTS header
 croome.no-ip.org: could not connect to host
 crop-alert.com: could not connect to host
+croquette.net: did not receive HSTS header
 crosbug.com: did not receive HSTS header (error ignored - included regardless)
 crosspeakoms.com: did not receive HSTS header
 crosssec.com: did not receive HSTS header
 crow.tw: could not connect to host
 crowdcurity.com: did not receive HSTS header
 crowdjuris.com: could not connect to host
-crowdwis.com: did not receive HSTS header
+crowdwis.com: could not connect to host
 crownbouncycastlehire.co.uk: did not receive HSTS header
 crownruler.com: did not receive HSTS header
 crox.co: could not connect to host
 crrev.com: did not receive HSTS header (error ignored - included regardless)
-crt2014-2024review.gov: could not connect to host
+crt.sh: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 crtvmgmt.com: could not connect to host
 crudysql.com: could not connect to host
 crufad.org: did not receive HSTS header
@@ -3912,20 +4178,20 @@ crushroom.com: max-age too low: 43200
 cruzadobalcazarabogados.com: could not connect to host
 cruzeiropedia.org: did not receive HSTS header
 cruzr.xyz: could not connect to host
-crypalert.com: could not connect to host
+crypalert.com: did not receive HSTS header
 crypt.guru: did not receive HSTS header
 cryptify.eu: could not connect to host
 crypto-navi.org: did not receive HSTS header
-crypto.tube: did not receive HSTS header
+crypto.tube: max-age too low: 2592000
 cryptobells.com: did not receive HSTS header
 cryptobin.org: could not connect to host
 cryptocaseproject.com: could not connect to host
 cryptodash.net: could not connect to host
 cryptodyno.ninja: could not connect to host
-cryptoisnotacrime.org: could not connect to host
 cryptojar.io: could not connect to host
 cryptolab.pro: could not connect to host
-cryptolab.tk: did not receive HSTS header
+cryptolab.tk: could not connect to host
+cryptonom.org: could not connect to host
 cryptoparty.dk: could not connect to host
 cryptopartyatx.org: could not connect to host
 cryptopartynewcastle.org: could not connect to host
@@ -3933,12 +4199,13 @@ cryptopro.shop: could not connect to host
 cryptopush.com: did not receive HSTS header
 crysadm.com: could not connect to host
 crystalclassics.co.uk: did not receive HSTS header
+crystallizedcouture.com: did not receive HSTS header
 crystalmate.eu: did not receive HSTS header
 cs-colorscreed-betongulve.dk: could not connect to host
 cs-ubladego.pl: could not connect to host
-csacongress.org: max-age too low: 2592000
 csapak.com: did not receive HSTS header
 csawctf.poly.edu: could not connect to host
+csbgtribalta.com: did not receive HSTS header
 cscau.com: did not receive HSTS header
 csehnyelv.hu: could not connect to host
 cselzer.com: did not receive HSTS header
@@ -3969,16 +4236,16 @@ cswarzone.com: [Exception... "Component returned failure code: 0x80004005 (NS_ER
 ct-status.org: could not connect to host
 ct-watches.dk: did not receive HSTS header
 cthomas.work: could not connect to host
-ctrl.blog: did not receive HSTS header
+cthulhuden.com: could not connect to host
 ctyi.me: could not connect to host
-cuanhua3s.com: did not receive HSTS header
-cubecart.net: did not receive HSTS header
+cuanhua3s.com: could not connect to host
+cubecart.net: could not connect to host
 cubecraftstore.com: could not connect to host
 cubecraftstore.net: could not connect to host
 cubela.tech: could not connect to host
 cubeserver.eu: could not connect to host
 cubewano.com: could not connect to host
-cubix.host: did not receive HSTS header
+cubix.host: could not connect to host
 cucc.date: could not connect to host
 cuecamania.com.br: could not connect to host
 cujanovic.com: did not receive HSTS header
@@ -3986,7 +4253,6 @@ cujba.com: could not connect to host
 culinae.nl: could not connect to host
 cultureelbeleggen.nl: did not receive HSTS header
 cultureroll.com: could not connect to host
-cumparama.com: did not receive HSTS header
 cumshots-video.ru: could not connect to host
 cunha.be: could not connect to host
 cuni-cuni-club.com: did not receive HSTS header
@@ -3997,6 +4263,7 @@ cuongthach.com: did not receive HSTS header
 cuonic.com: could not connect to host
 cupcake.io: did not receive HSTS header
 cupcake.is: did not receive HSTS header
+cupi.co: could not connect to host
 cupidosshop.com: could not connect to host
 cupofarchitects.net: could not connect to host
 curacao-license.com: could not connect to host
@@ -4011,7 +4278,7 @@ cursosgratuitos.com.br: did not receive HSTS header
 curveweb.co.uk: did not receive HSTS header
 cusfit.com: did not receive HSTS header
 custe.rs: could not connect to host
-custerweb.com: could not connect to host
+custerweb.com: did not receive HSTS header
 customadesign.com: did not receive HSTS header
 customd.com: did not receive HSTS header
 customfilmworks.com: could not connect to host
@@ -4021,19 +4288,20 @@ customromlist.com: could not connect to host
 customshort.link: could not connect to host
 customwritings.com: could not connect to host
 cutelariafiveladeouro.com.br: did not receive HSTS header
+cutephil.com: could not connect to host
+cutimbo.com: could not connect to host
 cutorrent.com: could not connect to host
 cuvva.insure: did not receive HSTS header
 cuxpool.club: could not connect to host
 cvjm-memmingen.de: did not receive HSTS header
+cvninja.pl: did not receive HSTS header
 cvps.top: did not receive HSTS header
 cvsoftub.com: did not receive HSTS header
 cvtparking.co.uk: did not receive HSTS header
-cvv.cn: could not connect to host
 cw-bw.de: could not connect to host
 cwage.com: could not connect to host
-cwbw.network: did not receive HSTS header
+cwbw.network: could not connect to host
 cwilson.ga: could not connect to host
-cwinfo.fi: could not connect to host
 cy.technology: did not receive HSTS header
 cyanogenmod.xxx: could not connect to host
 cybbh.space: could not connect to host
@@ -4042,20 +4310,18 @@ cyber-konzept.de: did not receive HSTS header
 cyber-perikarp.eu: could not connect to host
 cyber.cafe: could not connect to host
 cybercecurity.com: did not receive HSTS header
-cybercloud.cc: did not receive HSTS header
 cybercymru.co.uk: did not receive HSTS header
-cyberdyne-industries.net: could not connect to host
+cyberdyne-industries.net: did not receive HSTS header
 cyberfrancais.ro: did not receive HSTS header
 cyberlab.team: did not receive HSTS header
 cyberpeace.nl: could not connect to host
+cyberphaze.com: did not receive HSTS header
 cyberprey.com: did not receive HSTS header
 cyberpunk.ca: could not connect to host
-cybersantri.com: could not connect to host
 cyberserver.org: could not connect to host
 cybershambles.com: could not connect to host
 cybersmart.co.uk: did not receive HSTS header
 cyberspace.today: could not connect to host
-cybertorsk.org: could not connect to host
 cyclehackluxembourgcity.lu: could not connect to host
 cyclingjunkies.com: could not connect to host
 cydia-search.io: could not connect to host
@@ -4064,61 +4330,67 @@ cygu.ch: did not receive HSTS header
 cymtech.net: could not connect to host
 cynoshair.com: could not connect to host
 cyoda.com: did not receive HSTS header
-cypherpunk.at: could not connect to host
-cypherpunk.com: could not connect to host
+cypad.cn: did not receive HSTS header
+cype.dedyn.io: could not connect to host
 cypherpunk.ws: could not connect to host
 cyphertite.com: could not connect to host
-cypressinheritancesaga.com: could not connect to host
 cytadel.fr: did not receive HSTS header
+cyyzaid.cn: max-age too low: 0
 czaw.org: did not receive HSTS header
+czechamlp.com: could not connect to host
 czirnich.org: did not receive HSTS header
 czlx.co: could not connect to host
 d-academia.com: did not receive HSTS header
+d-garnier-delaunay.fr: did not receive HSTS header
 d-macindustries.com: did not receive HSTS header
 d-rickroll-e.pw: could not connect to host
-d-toys.com.ua: could not connect to host
 d.rip: max-age too low: 900
 d00r.de: did not receive HSTS header
 d0xq.net: could not connect to host
 d1ves.io: did not receive HSTS header
 d3njjcbhbojbot.cloudfront.net: did not receive HSTS header
 d3x.pw: could not connect to host
-d4rkdeagle.tk: could not connect to host
+d88688.com: could not connect to host
+d88871.com: could not connect to host
 d8studio.net: could not connect to host
+da-ist-kunst.de: could not connect to host
 da.hn: could not connect to host
 da8.cc: could not connect to host
 dabblegoat.com: could not connect to host
 dabbot.org: did not receive HSTS header
 dad256.tk: could not connect to host
 dadtheimpaler.com: could not connect to host
-daemonslayer.net: could not connect to host
+daemon.xin: could not connect to host
+daemonslayer.net: did not receive HSTS header
 dah5.com: did not receive HSTS header
 dahl-pind.dk: did not receive HSTS header
-dahlberg.cologne: could not connect to host
 dai-rin.co.jp: could not connect to host
 dailybunda.com: did not receive HSTS header
 dailystormerpodcasts.com: could not connect to host
 dailytopix.com: could not connect to host
 daimadi.com: could not connect to host
-daisuki.pw: did not receive HSTS header
+daisuki.pw: could not connect to host
 daiwai.de: did not receive HSTS header
 dakerealestate.com: did not receive HSTS header
 dakl-shop.de: did not receive HSTS header
 dakotasilencer.com: did not receive HSTS header
 dakrib.net: could not connect to host
 daku.gdn: could not connect to host
-dalek.co.nz: did not receive HSTS header
+dalepresencia.com: did not receive HSTS header
 dalfiume.it: did not receive HSTS header
 dalingk.co: could not connect to host
+dallas.gov: could not connect to host
 daltonedwards.me: could not connect to host
 dam74.com.ar: could not connect to host
-damianuv-blog.cz: did not receive HSTS header
-damicris.ro: could not connect to host
+damedrogy.cz: could not connect to host
+damianuv-blog.cz: could not connect to host
+damienpontifex.com: did not receive HSTS header
 damjanovic.work: could not connect to host
 dan.org.nz: could not connect to host
 danbarrett.com.au: could not connect to host
 dancebuzz.co.uk: did not receive HSTS header
 dancerdates.net: did not receive HSTS header
+dancingshiva.at: could not connect to host
 dandymrsb.com: could not connect to host
 dango.in: could not connect to host
 daniel-du.com: could not connect to host
@@ -4130,7 +4402,10 @@ danielcowie.me: could not connect to host
 danieldk.eu: did not receive HSTS header
 danielgraziano.ca: could not connect to host
 danieliancu.com: could not connect to host
+danieljireh.com: did not receive HSTS header
 danielkratz.com: max-age too low: 172800
+danielnaaman.net: could not connect to host
+danielnaaman.org: could not connect to host
 danielt.co.uk: did not receive HSTS header
 danielverlaan.nl: could not connect to host
 danielworthy.com: did not receive HSTS header
@@ -4142,18 +4417,17 @@ dankredues.com: could not connect to host
 danmark.guide: did not receive HSTS header
 dannycrichton.com: did not receive HSTS header
 danova.de: did not receive HSTS header
+danoz.net: could not connect to host
 danrl.de: could not connect to host
 danskringsporta.be: did not receive HSTS header
 danwillenberg.com: did not receive HSTS header
 daolerp.xyz: could not connect to host
-dapim.co.il: did not receive HSTS header
 dargasia.is: could not connect to host
 darinjohnson.ca: did not receive HSTS header
 dario.im: did not receive HSTS header
 dark-x.cf: could not connect to host
 darkanzali.pl: max-age too low: 0
 darkdestiny.ch: could not connect to host
-darkfire.ch: could not connect to host
 darkfriday.ddns.net: could not connect to host
 darkhole.cn: did not receive HSTS header
 darkishgreen.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -4176,26 +4450,27 @@ dash-board.jp: did not receive HSTS header
 dash.rocks: did not receive HSTS header
 dashboard.yt: could not connect to host
 dashburst.com: did not receive HSTS header
+dashlane.com: did not receive HSTS header
 dashnimorad.com: did not receive HSTS header
 data-abundance.com: could not connect to host
 data-detox.com: could not connect to host
 data.haus: could not connect to host
 data.qld.gov.au: did not receive HSTS header
+data.world: did not receive HSTS header
 databeam.de: could not connect to host
 datacave.is: could not connect to host
 datacenternews.asia: did not receive HSTS header
 datacenternews.co.nz: did not receive HSTS header
 datacentrenews.eu: did not receive HSTS header
+datacool.tk: could not connect to host
 datacubed.com: did not receive HSTS header
-datafd.com: could not connect to host
-datafd.net: could not connect to host
 datahoarder.download: could not connect to host
 datahoarderschool.club: did not receive HSTS header
 dataisme.com: did not receive HSTS header
 datajapan.co.jp: did not receive HSTS header
 datamatic.ru: could not connect to host
-datapun.ch: did not receive HSTS header
 dataretention.solutions: could not connect to host
+datascomemorativas.com.br: could not connect to host
 datasharesystem.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 datasnitch.co.uk: could not connect to host
 datatekniikka.com: could not connect to host
@@ -4206,10 +4481,10 @@ datenreiter.cf: could not connect to host
 datenreiter.gq: could not connect to host
 datenreiter.ml: could not connect to host
 datenreiter.tk: could not connect to host
-datenschutzhelden.org: could not connect to host
+datenschutzhelden.org: max-age too low: 172800
 datine.com.br: could not connect to host
 datorb.com: could not connect to host
-datortipsen.se: did not receive HSTS header
+datortipsen.se: could not connect to host
 datsound.ru: did not receive HSTS header
 datsumou-q.com: did not receive HSTS header
 daverandom.com: could not connect to host
@@ -4237,7 +4512,6 @@ days.one: could not connect to host
 daytonaseaside.com: did not receive HSTS header
 db-sanity.com: could not connect to host
 db.gy: could not connect to host
-dbcom.ru: could not connect to host
 dbjc.duckdns.org: could not connect to host
 dblx.io: could not connect to host
 dbox.ga: could not connect to host
@@ -4249,19 +4523,19 @@ dcc.moe: could not connect to host
 dccode.gov: could not connect to host
 dccoffeeproducts.com: did not receive HSTS header
 dccraft.net: could not connect to host
-dcl.re: could not connect to host
+dcl.re: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 dctxf.com: did not receive HSTS header
 dcuofriends.net: could not connect to host
-dcw.io: did not receive HSTS header
 dd.art.pl: could not connect to host
-ddatsh.com: did not receive HSTS header
 dden.website: could not connect to host
 dden.xyz: could not connect to host
+ddholdingservices.com: did not receive HSTS header
 ddmeportal.com: could not connect to host
 ddns-anbieter.de: could not connect to host
 ddocu.me: could not connect to host
 ddos-mitigation.co.uk: could not connect to host
 ddos-mitigation.info: could not connect to host
+de-osopanda.com: could not connect to host
 de-servers.de: could not connect to host
 deadmann.com: could not connect to host
 deadsoul.net: could not connect to host
@@ -4269,9 +4543,11 @@ deai-life.biz: could not connect to host
 debank.tv: did not receive HSTS header
 debatch.se: could not connect to host
 debian-vhost.de: could not connect to host
+debigare.com: did not receive HSTS header
 debiton.dk: could not connect to host
 debitoutil.com: did not receive HSTS header
 debitpaie.com: did not receive HSTS header
+debkleinteam.com: did not receive HSTS header
 deborahmarinelli.eu: could not connect to host
 debtkit.co.uk: did not receive HSTS header
 debtprotectionreporting.com: did not receive HSTS header
@@ -4290,10 +4566,15 @@ decorincasa.com.br: could not connect to host
 decorland.com.ua: could not connect to host
 decormiernissanparts.com: could not connect to host
 decoyrouting.com: could not connect to host
+decstasy.de: did not receive HSTS header
+dede.ml: could not connect to host
 dedeo.tk: could not connect to host
 dedicatutiempo.es: could not connect to host
 dedietrich-asia.com: did not receive HSTS header
+deeonix.eu: could not connect to host
+deep.club: could not connect to host
 deep.social: did not receive HSTS header
+deepaero.com: could not connect to host
 deepcovelabs.net: could not connect to host
 deepcreampie.com: could not connect to host
 deepearth.uk: could not connect to host
@@ -4301,8 +4582,6 @@ deeprecce.com: could not connect to host
 deeprecce.link: could not connect to host
 deeprecce.tech: could not connect to host
 deeps.cat: could not connect to host
-deeps.me: could not connect to host
-deepsouthsounds.com: did not receive HSTS header
 deepvalley.tech: could not connect to host
 deepvision.com.ua: did not receive HSTS header
 deer.team: could not connect to host
@@ -4321,18 +4600,23 @@ defimetier.org: could not connect to host
 defimetiers.com: could not connect to host
 defimetiers.fr: could not connect to host
 degroetenvanrosaline.nl: could not connect to host
+dehydrated.de: did not receive HSTS header
 deight.co: could not connect to host
 deight.in: could not connect to host
+dejan.media: could not connect to host
 dekasan.ru: could not connect to host
+dekoh-shouyu.com: did not receive HSTS header
 delandalucia.com: did not receive HSTS header
 delayrefunds.co.uk: could not connect to host
-delcopa.gov: could not connect to host
+delcopa.gov: did not receive HSTS header
 delf.co.jp: did not receive HSTS header
 deliberatedigital.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+delitto.top: could not connect to host
 deliver.moe: did not receive HSTS header
 deliverance.co.uk: could not connect to host
 deloittequant.com: could not connect to host
 deltaconcepts.de: could not connect to host
+deltasmart.ch: did not receive HSTS header
 delvj.org: could not connect to host
 demandware.com: did not receive HSTS header
 demarche-expresse.com: did not receive HSTS header
@@ -4344,7 +4628,10 @@ democracy.io: did not receive HSTS header
 democraticdifference.com: could not connect to host
 demomanca.com: did not receive HSTS header
 demotops.com: could not connect to host
+demuzere.eu: could not connect to host
+dengchangdong.com: did not receive HSTS header
 denh.am: did not receive HSTS header
+denimio.com: did not receive HSTS header
 denisjean.fr: could not connect to host
 dennispotter.eu: did not receive HSTS header
 densmirnov.com: max-age too low: 7776000
@@ -4353,12 +4640,12 @@ dentaldomain.org: did not receive HSTS header
 dentaldomain.ph: did not receive HSTS header
 denvercybersecurity.com: did not receive HSTS header
 denverphilharmonic.org: did not receive HSTS header
-denverprophit.us: could not connect to host
+denverprophit.us: did not receive HSTS header
 depaco.com: did not receive HSTS header
 deped.blog: could not connect to host
 depedshs.com: could not connect to host
 depedtayo.com: did not receive HSTS header
-depedtayo.ph: could not connect to host
+depedtayo.ph: did not receive HSTS header
 depijl-mz.nl: did not receive HSTS header
 depixion.agency: could not connect to host
 depo.space: could not connect to host
@@ -4366,45 +4653,45 @@ deprobe.pro: could not connect to host
 dequehablamos.es: could not connect to host
 derbyshiredotnet.co.uk: did not receive HSTS header
 derchris.me: could not connect to host
-derekseaman.com: did not receive HSTS header
-derekseaman.studio: did not receive HSTS header
 derevtsov.com: did not receive HSTS header
 derivativeshub.pro: could not connect to host
 derive.cc: could not connect to host
 dermacarecomplex.com: could not connect to host
 derpumpkinfuhrer.com: could not connect to host
-derrickemery.com: could not connect to host
+derrickemery.com: did not receive HSTS header
 derwaldschrat.net: did not receive HSTS header
 derwolfe.net: did not receive HSTS header
 desiccantpackets.com: did not receive HSTS header
 design-fu.com: did not receive HSTS header
 designandmore.it: did not receive HSTS header
 designanyware.com.br: could not connect to host
-designgears.com: did not receive HSTS header
+designgears.com: could not connect to host
 designgraphic.fr: did not receive HSTS header
 designsbykerrialee.co.uk: could not connect to host
 designthinking.or.jp: did not receive HSTS header
+desormiers.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+despachomartinyasociados.com: could not connect to host
 despora.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 despotika.de: could not connect to host
 desserteagleselvenar.tk: could not connect to host
 destinationbijoux.fr: could not connect to host
 destinopiriapolis.com: did not receive HSTS header
 destom.be: could not connect to host
+desuperheroes.co: could not connect to host
 desveja.com.br: could not connect to host
-detalhecomercio.com.br: could not connect to host
-detalyedesigngroup.com: could not connect to host
 detechnologiecooperatie.nl: did not receive HSTS header
 detecte-fuite.ch: could not connect to host
 detecte.ch: could not connect to host
 detectefuite.ch: could not connect to host
 detector.exposed: could not connect to host
-detest.org: did not receive HSTS header
+detest.org: could not connect to host
 dethikiemtra.com: did not receive HSTS header
 detroitrocs.org: did not receive HSTS header
 detteflies.com: max-age too low: 7889238
+detuprovincia.cl: did not receive HSTS header
 detutorial.com: max-age too low: 36000
-deusu.de: did not receive HSTS header
-deusu.org: did not receive HSTS header
+deusu.de: could not connect to host
+deusu.org: could not connect to host
 deux.solutions: could not connect to host
 deuxsol.co: could not connect to host
 deuxsol.com: could not connect to host
@@ -4413,43 +4700,46 @@ deuxvia.com: could not connect to host
 dev: could not connect to host
 dev-aegon.azurewebsites.net: did not receive HSTS header
 dev-bluep.pantheonsite.io: did not receive HSTS header
-dev-talk.eu: did not receive HSTS header
+dev-talk.eu: could not connect to host
 dev-talk.net: could not connect to host
 devafterdark.com: could not connect to host
 devdesco.com: could not connect to host
 devdom.io: max-age too low: 172800
 devdoodle.net: could not connect to host
+develop.cool: could not connect to host
 develop.fitness: could not connect to host
 developersclub.website: could not connect to host
 devenney.io: did not receive HSTS header
 devh.de: could not connect to host
-deviltracks.net: could not connect to host
+devh.net: could not connect to host
+deviltracks.net: did not receive HSTS header
+deviltraxxx.de: could not connect to host
 devin-balimuhac.de: did not receive HSTS header
 devincrow.me: could not connect to host
 devinpacker.com: could not connect to host
 devisonline.ch: could not connect to host
 devistravaux.org: did not receive HSTS header
-devjack.de: could not connect to host
-devlux.ch: did not receive HSTS header
+devjack.de: did not receive HSTS header
 devmsg.com: could not connect to host
 devnsec.com: could not connect to host
 devnull.team: could not connect to host
-devopps.me: did not receive HSTS header
+devolution.ws: could not connect to host
+devopps.me: could not connect to host
 devops.moe: could not connect to host
 devopsconnected.com: could not connect to host
-devpgsv.com: could not connect to host
+devpgsv.com: did not receive HSTS header
 devtestfan1.gov: could not connect to host
 devtub.com: could not connect to host
 devuan.org: did not receive HSTS header
 dewebwerf.nl: did not receive HSTS header
 dewin.io: could not connect to host
-dfekt.no: could not connect to host
-dfektlan.no: could not connect to host
+dexonsoftware.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 dfixit.com: could not connect to host
 dfrance.com.br: did not receive HSTS header
 dfviana.com.br: max-age too low: 2592000
 dgby.org: did not receive HSTS header
 dggwp.de: did not receive HSTS header
+dgx.io: could not connect to host
 dharamkot.com: could not connect to host
 dharma.ai: did not receive HSTS header
 dhl-smart.ch: could not connect to host
@@ -4463,6 +4753,7 @@ diabolic.chat: could not connect to host
 diagnocentro.cl: could not connect to host
 diagnosia.com: did not receive HSTS header
 diagonale-deco.fr: did not receive HSTS header
+diagrammingoutloud.co.uk: did not receive HSTS header
 dialectic-og.com: could not connect to host
 diamondcare.com.br: did not receive HSTS header
 diamondpkg.org: could not connect to host
@@ -4478,31 +4769,34 @@ dichgans-besserer.de: did not receive HSTS header
 dichvudangkygiayphep.com: could not connect to host
 dicio.com.br: did not receive HSTS header
 dick.red: could not connect to host
-dickord.club: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 didierlaumen.be: did not receive HSTS header
 die-besten-weisheiten.de: could not connect to host
 die-gruenen-teufel.de: could not connect to host
 dieb.photo: could not connect to host
 diejanssens.net: did not receive HSTS header
-diemogebhardt.com: did not receive HSTS header
-dierabenmutti.de: max-age too low: 7776000
+diemogebhardt.com: could not connect to host
 dierencompleet.nl: did not receive HSTS header
 dierenkruiden.nl: did not receive HSTS header
 dieser.me: could not connect to host
 dietagespresse.com: did not receive HSTS header
+dietergreven.de: did not receive HSTS header
 diewebstube.de: could not connect to host
 diezel.com: could not connect to host
 diferenca.com: did not receive HSTS header
+diff2html.xyz: did not receive HSTS header
 diggable.co: max-age too low: 2592000
 digihyp.ch: did not receive HSTS header
 digikol.net: could not connect to host
+digimomedia.co.uk: did not receive HSTS header
 diginota.com: did not receive HSTS header
+digired.ro: could not connect to host
 digired.xyz: could not connect to host
-digital1world.com: did not receive HSTS header
+digital1world.com: could not connect to host
 digitalbank.kz: could not connect to host
-digitalcloud.ovh: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+digitalcash.cf: could not connect to host
+digitalcloud.ovh: could not connect to host
 digitalcuko.com: did not receive HSTS header
-digitaldaddy.net: did not receive HSTS header
+digitaldaddy.net: could not connect to host
 digitalero.rip: did not receive HSTS header
 digitalewelten.de: could not connect to host
 digitalexhale.com: did not receive HSTS header
@@ -4515,8 +4809,7 @@ digitalnonplus.com: could not connect to host
 digitalquery.com: did not receive HSTS header
 digitalriver.tk: did not receive HSTS header
 digitalrxcloud.com: could not connect to host
-digitalunite.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-digitalwasteland.net: could not connect to host
+digitalwasteland.net: did not receive HSTS header
 digiworks.se: did not receive HSTS header
 diguass.us: could not connect to host
 dijks.com: could not connect to host
@@ -4528,20 +4821,22 @@ dim.lighting: could not connect to host
 dimensionen.de: did not receive HSTS header
 dimes.com.tr: did not receive HSTS header
 dimitrisotiropoulosbooks.com: max-age too low: 7889238
-dimseklubben.dk: could not connect to host
 din-tools.com: did not receive HSTS header
 dinamoelektrik.com: could not connect to host
 dingcc.com: could not connect to host
 dingcc.org: could not connect to host
 dingcc.xyz: could not connect to host
+dinge.xyz: did not receive HSTS header
 dingelbob-schuhcreme.gq: could not connect to host
 dingss.com: could not connect to host
 dinkum.online: could not connect to host
+dinotopia.org.uk: did not receive HSTS header
 dinotv.at: could not connect to host
 dintillat.fr: could not connect to host
 dinube.com: did not receive HSTS header
 dionysus.se: could not connect to host
 dipconsultants.com: could not connect to host
+direct2uk.com: max-age too low: 2592000
 directhskincream.com: could not connect to host
 directinsure.in: did not receive HSTS header
 directme.ga: could not connect to host
@@ -4551,7 +4846,7 @@ directtwosolutions.org: could not connect to host
 directwatertanks.co.uk: did not receive HSTS header
 direnv.net: did not receive HSTS header
 direwolfsoftware.ca: could not connect to host
-dirkwolf.de: could not connect to host
+dirips.com: did not receive HSTS header
 dirtycat.ru: could not connect to host
 disadattamentolavorativo.it: could not connect to host
 discipul.nl: did not receive HSTS header
@@ -4562,21 +4857,23 @@ discountmania.eu: did not receive HSTS header
 discountmetaux.fr: did not receive HSTS header
 discover-mercure.com: could not connect to host
 discoveringdocker.com: could not connect to host
-discoverrsv.com: did not receive HSTS header
+discoverrsv.com: could not connect to host
+discoverucluelet.com: did not receive HSTS header
 discoverwellness.center: could not connect to host
 discovery.lookout.com: did not receive HSTS header
 discoveryballoon.org: could not connect to host
-disking.co.uk: did not receive HSTS header
 dislocated.de: did not receive HSTS header
 disorderboutique.com: did not receive HSTS header
 disruptivelabs.net: could not connect to host
 disruptivelabs.org: could not connect to host
 dissieux.com: did not receive HSTS header
 dissimulo.me: could not connect to host
+distiduffer.org: could not connect to host
 distinctivephotography.com.au: could not connect to host
 distinguishedwindows.co.uk: did not receive HSTS header
 distractionco.de: did not receive HSTS header
 distrilogservices.com: could not connect to host
+distro.re: did not receive HSTS header
 ditch.ch: could not connect to host
 ditrutoancau.vn: could not connect to host
 dittvertshus.no: could not connect to host
@@ -4596,7 +4893,9 @@ dj4et.de: could not connect to host
 djieno.com: could not connect to host
 djsk.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 djul.net: could not connect to host
+djursland-psykologen.dk: did not receive HSTS header
 djxmmx.net: did not receive HSTS header
+djz4music.com: did not receive HSTS header
 dkn.go.id: did not receive HSTS header
 dkniss.de: could not connect to host
 dl.google.com: did not receive HSTS header (error ignored - included regardless)
@@ -4611,6 +4910,7 @@ dmcastles.com: did not receive HSTS header
 dmcglobaltravel.com.mx: did not receive HSTS header
 dmcibulldog.com: did not receive HSTS header
 dmdre.com: did not receive HSTS header
+dmeevalumate.com: did not receive HSTS header
 dmenergy.ru: did not receive HSTS header
 dmfd.net: could not connect to host
 dmix.ca: could not connect to host
@@ -4618,15 +4918,18 @@ dmlogic.com: could not connect to host
 dmtry.me: did not receive HSTS header
 dmwall.cn: could not connect to host
 dmz.ninja: could not connect to host
+dndesign.be: did not receive HSTS header
 dnfc.rocks: could not connect to host
 dnmaze.com: could not connect to host
 dns-manager.info: did not receive HSTS header
 dns.google.com: did not receive HSTS header (error ignored - included regardless)
 dnsbird.net: could not connect to host
 dnsbird.org: could not connect to host
-dnscrypt.org: max-age too low: 0
+dnscrypt.nl: could not connect to host
+dnscrypt.org: did not receive HSTS header
 dnsknowledge.com: did not receive HSTS header
 dnsql.io: could not connect to host
+dnzz123.com: did not receive HSTS header
 do-do.tk: could not connect to host
 do-it.cz: could not connect to host
 doak.io: did not receive HSTS header
@@ -4641,23 +4944,28 @@ doclot.io: could not connect to host
 docplexus.in: did not receive HSTS header
 docplexus.org: did not receive HSTS header
 docset.io: could not connect to host
+docsoc.org.uk: could not connect to host
 docufiel.com: could not connect to host
 doculus.io: could not connect to host
 documentations-sociales.com: could not connect to host
+docupet.com: did not receive HSTS header
 docxtemplater.com: did not receive HSTS header
 doesmycodehavebugs.today: could not connect to host
 doeswindowssuckforeveryoneorjustme.com: could not connect to host
-dogbox.se: could not connect to host
+dog-blum.com: could not connect to host
+dogbox.se: did not receive HSTS header
 dogcratereview.info: could not connect to host
+doge.town: could not connect to host
 dogespeed.ga: could not connect to host
 dogfi.sh: could not connect to host
 doggieholic.net: could not connect to host
 dognlife.com: could not connect to host
-dogoodbehappyllc.com: did not receive HSTS header
+dogoodbehappyllc.com: could not connect to host
 dogprograms.net: could not connect to host
 dohosting.ru: could not connect to host
 dojifish.space: could not connect to host
 dojin.nagoya: could not connect to host
+dokan-e.com: did not receive HSTS header
 dokan.online: did not receive HSTS header
 doked.io: could not connect to host
 dokspot.cf: could not connect to host
@@ -4670,26 +4978,30 @@ dolphin-cloud.com: could not connect to host
 dolphin-hosting.com: could not connect to host
 dolphincorp.co.uk: could not connect to host
 dolphinswithlasers.com: could not connect to host
-dolt.xyz: could not connect to host
+dolt.xyz: did not receive HSTS header
 domaine-aigoual-cevennes.com: did not receive HSTS header
 domainelaremejeanne.com: did not receive HSTS header
 domaris.de: did not receive HSTS header
+domasazu.pl: did not receive HSTS header
 domen-reg.ru: could not connect to host
 domengrad.ru: did not receive HSTS header
 domenicocatelli.com: did not receive HSTS header
 domfee.com: could not connect to host
+domian.cz: could not connect to host
 dominikanskarepubliken.guide: could not connect to host
 dominioanimal.com: could not connect to host
+dominioanimal.com.br: could not connect to host
 dominique-mueller.de: could not connect to host
+domwkwiatach.pl: did not receive HSTS header
 domytermpaper.com: could not connect to host
 don.yokohama: could not connect to host
-donateway.com: did not receive HSTS header
 dong8.top: could not connect to host
 dongjingre.net: could not connect to host
 donhoward.org: did not receive HSTS header
 donlydental.ca: did not receive HSTS header
 donmez.uk: could not connect to host
 donmez.ws: could not connect to host
+donna-bellini-business-fotografie-muenchen.de: did not receive HSTS header
 donotspampls.me: could not connect to host
 donotspellitgav.in: did not receive HSTS header
 donpaginasweb.com: did not receive HSTS header
@@ -4697,6 +5009,7 @@ donsbach-edv.de: did not receive HSTS header
 donthedragonwilson.com: could not connect to host
 donttrustrobots.nl: could not connect to host
 donzelot.co.uk: did not receive HSTS header
+donzool.es: could not connect to host
 doobydude.us: could not connect to host
 doodledraw.ninja: could not connect to host
 doodlefinder.de: max-age too low: 600000
@@ -4705,14 +5018,15 @@ doomleika.com: did not receive HSTS header
 doooonoooob.com: could not connect to host
 doopdidoop.com: did not receive HSTS header
 door.cards: could not connect to host
+dopfer-fenstertechnik.de: did not receive HSTS header
 dopost.it: could not connect to host
+doppenpost.nl: could not connect to host
 doriginal.es: did not receive HSTS header
 dorkfarm.com: did not receive HSTS header
 dormebebe.com.br: could not connect to host
 dosipe.com: could not connect to host
 doska.kz: could not connect to host
 dostavkakurierom.ru: could not connect to host
-dot.ro: did not receive HSTS header
 dotadata.me: could not connect to host
 dotb.dn.ua: did not receive HSTS header
 dotbrick.co.th: could not connect to host
@@ -4722,6 +5036,7 @@ dotspaperie.com: could not connect to host
 doublethink.online: could not connect to host
 doubleyummy.uk: did not receive HSTS header
 dougferris.id.au: could not connect to host
+douglas-ma.gov: did not receive HSTS header
 douglasstafford.com: did not receive HSTS header
 doujin-domain.cz: could not connect to host
 doujin.nagoya: could not connect to host
@@ -4729,19 +5044,17 @@ doulasofgreaterkansascity.org: max-age too low: 300
 dovecotadmin.org: could not connect to host
 doveholesband.co.uk: did not receive HSTS header
 dovetailnow.com: could not connect to host
+dovro.de: could not connect to host
 dowc.org: did not receive HSTS header
 download.jitsi.org: did not receive HSTS header
 downsouthweddings.com.au: did not receive HSTS header
 doxcelerate.com: could not connect to host
 doyoulyft.com: could not connect to host
 dpangerl.de: did not receive HSTS header
-dps.srl: did not receive HSTS header
 dpsart.it: did not receive HSTS header
 dr-knirr.de: could not connect to host
-dr2dr.ca: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 drabben.be: did not receive HSTS header
 drabbin.com: could not connect to host
-dragfiles.com: could not connect to host
 draghive.club: did not receive HSTS header
 draghive.net: could not connect to host
 draghive.photos: did not receive HSTS header
@@ -4752,22 +5065,29 @@ dragons-of-highlands.cz: did not receive HSTS header
 dragonsmoke.cloud: could not connect to host
 dragonstower.net: could not connect to host
 dragonteam.ninja: could not connect to host
+drahcro.uk: could not connect to host
 drainagebuizen.nl: did not receive HSTS header
 drakefortreasurer.sexy: could not connect to host
 drakensberg-tourism.com: did not receive HSTS header
 drakfot.se: could not connect to host
 dralexjimenez.com: did not receive HSTS header
 drastosasports.com.br: could not connect to host
-drawvesly.ovh: did not receive HSTS header
+drawvesly.ovh: could not connect to host
 drbarnabus.com: could not connect to host
+drbethanybarnes.com: could not connect to host
+drdavidgilpin.com: did not receive HSTS header
 drdevil.ru: could not connect to host
+drdim.ru: could not connect to host
 dreadbyte.com: could not connect to host
 dreadd.org: could not connect to host
 dreamaholic.club: could not connect to host
 dreamcatcherblog.de: could not connect to host
+dreamersgiftshopec.com: could not connect to host
 dreaming.solutions: could not connect to host
 dreamlighteyeserum.com: could not connect to host
 dreamsforabetterworld.com.au: did not receive HSTS header
+dreamtechie.com: did not receive HSTS header
+dreatho.com: did not receive HSTS header
 dreax.win: could not connect to host
 dredgepress.com: did not receive HSTS header
 dreischneidiger.de: could not connect to host
@@ -4776,6 +5096,7 @@ drewgle.net: could not connect to host
 drhopeson.com: did not receive HSTS header
 drillnation.com.au: could not connect to host
 drinknaturespower.com: could not connect to host
+drinkplanet.eu: could not connect to host
 drinkvabeer.com: could not connect to host
 dripdoctors.com: did not receive HSTS header
 drishti.guru: could not connect to host
@@ -4783,8 +5104,6 @@ drive.xyz: could not connect to host
 drivercopilot.com: did not receive HSTS header
 drivewithstatetransit.com.au: did not receive HSTS header
 driving-lessons.co.uk: could not connect to host
-drixn.cn: could not connect to host
-drixn.com: could not connect to host
 drixn.info: could not connect to host
 drixn.net: could not connect to host
 drlazarina.net: did not receive HSTS header
@@ -4793,6 +5112,8 @@ drogoz.moe: could not connect to host
 droidboss.com: did not receive HSTS header
 droithxn.com: could not connect to host
 droncentrum.pl: could not connect to host
+dronebotworkshop.com: did not receive HSTS header
+dronexpertos.com: could not connect to host
 droomhuis-in-brielle-kopen.nl: could not connect to host
 droomhuis-in-de-friese-meren-kopen.nl: could not connect to host
 droomhuis-in-delfzijl-kopen.nl: could not connect to host
@@ -4808,7 +5129,9 @@ droomhuisindestadverkopen.nl: could not connect to host
 droomhuisophetplattelandverkopen.nl: could not connect to host
 dropcam.com: did not receive HSTS header
 drostschocolates.com: did not receive HSTS header
-drpure.pw: did not receive HSTS header
+drpure.pw: could not connect to host
+drpure.top: did not receive HSTS header
+drrodina.com: did not receive HSTS header
 drtroyhendrickson.com: could not connect to host
 drtti.io: could not connect to host
 drturner.com.au: did not receive HSTS header
@@ -4819,32 +5142,38 @@ drump-truck.com: did not receive HSTS header
 drupal123.com: could not connect to host
 druznek.rocks: could not connect to host
 druznek.xyz: could not connect to host
+drvr.xyz: could not connect to host
 drybasement.com: did not receive HSTS header
 drybasementkansas.com: did not receive HSTS header
 drycreekapiary.com: could not connect to host
 ds-christiansen.de: could not connect to host
 dshiv.io: could not connect to host
-dsouzamusic.com: could not connect to host
+dsne.com.mx: could not connect to host
+dsouzamusic.com: did not receive HSTS header
 dsuinnovation.com: could not connect to host
-dsyunmall.com: did not receive HSTS header
+dsyunmall.com: could not connect to host
+dtechstore.com.br: did not receive HSTS header
 dtub.co: could not connect to host
 dualias.xyz: could not connect to host
 duan.li: could not connect to host
 dubaosheng.com: could not connect to host
 dubik.su: did not receive HSTS header
-duckyubuntu.tk: could not connect to host
+duchyoffeann.com: could not connect to host
+ducius.net: could not connect to host
+duckasylum.com: did not receive HSTS header
 ducohosting.com: did not receive HSTS header
 dudesunderwear.com.br: could not connect to host
 duelsow.eu: could not connect to host
 duelysthub.com: could not connect to host
-duerls.de: could not connect to host
+duerls.de: did not receive HSTS header
 dugnet.tech: could not connect to host
 dujsq.com: could not connect to host
 dujsq.top: could not connect to host
-dukec.me: did not receive HSTS header
+dukec.me: could not connect to host
 dukefox.com: could not connect to host
 duks.com.br: did not receive HSTS header
 dullsir.com: did not receive HSTS header
+dum.moe: could not connect to host
 dumbdemo.com: could not connect to host
 dunamiscommunity.com: could not connect to host
 dunashoes.com: could not connect to host
@@ -4854,12 +5183,13 @@ dung-massage.fr: did not receive HSTS header
 duo.money: could not connect to host
 duocircle.com: did not receive HSTS header
 duole30.com: could not connect to host
+duonganhtuan.com: could not connect to host
 duongpho.com: did not receive HSTS header
+duploclique.pt: did not receive HSTS header
 durangoenergyllc.com: could not connect to host
-durchblick-shop.de: could not connect to host
-durexwinkel.nl: could not connect to host
 dushu.cat: could not connect to host
 duskopy.top: could not connect to host
+dustycloth.com: could not connect to host
 dutchessuganda.com: did not receive HSTS header
 dutchrank.com: did not receive HSTS header
 dutyfreeonboard.com: did not receive HSTS header
@@ -4869,10 +5199,9 @@ dvotx.org: did not receive HSTS header
 dwellstudio.com: did not receive HSTS header
 dwhd.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 dwnld.me: could not connect to host
+dxm.no-ip.biz: could not connect to host
 dycem-ns.com: did not receive HSTS header
-dycoa.com: could not connect to host
 dycontrol.de: could not connect to host
-dylancl.cf: could not connect to host
 dylanscott.com.au: did not receive HSTS header
 dynamic-innovations.net: could not connect to host
 dynamic-networks.be: could not connect to host
@@ -4883,13 +5212,14 @@ dyz.pw: could not connect to host
 dziekonski.com: could not connect to host
 dzimejl.sk: did not receive HSTS header
 dzlibs.io: could not connect to host
-dzndk.com: could not connect to host
 dzndk.net: could not connect to host
 dzndk.org: could not connect to host
 dzytdl.com: did not receive HSTS header
+e-apack.com.br: could not connect to host
 e-aut.net: could not connect to host
 e-baraxolka.ru: could not connect to host
 e-deca2.org: did not receive HSTS header
+e-gemeinde.at: could not connect to host
 e-isfa.eu: did not receive HSTS header
 e-mak.eu: could not connect to host
 e-migration.ch: could not connect to host
@@ -4898,6 +5228,7 @@ e-planetelec.fr: did not receive HSTS header
 e-pokupki.eu: did not receive HSTS header
 e-rickroll-r.pw: could not connect to host
 e-sa.com: did not receive HSTS header
+e-tune-mt.net: could not connect to host
 e-vau.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 e-vo-linka.cz: did not receive HSTS header
 e-wishlist.net: could not connect to host
@@ -4926,6 +5257,8 @@ earlybirdsnacks.com: could not connect to host
 earth-people.org: could not connect to host
 earthrise16.com: could not connect to host
 easew.com: could not connect to host
+easez.net: could not connect to host
+eason-yang.com: could not connect to host
 east-line.su: could not connect to host
 eastcoastbubbleandbounce.co.uk: could not connect to host
 eastcoastinflatables.co.uk: did not receive HSTS header
@@ -4935,10 +5268,9 @@ eastmontgroup.com: did not receive HSTS header
 eastpeoria-il.gov: could not connect to host
 easy-factures.fr: could not connect to host
 easychiller.org: could not connect to host
+easycontentplan.com: could not connect to host
 easykonto.de: could not connect to host
-easykraamzorg.nl: did not receive HSTS header
 easyplane.it: did not receive HSTS header
-easypv.ch: could not connect to host
 easyreal.ru: could not connect to host
 easyschools.org: did not receive HSTS header
 easysimplecrm.com: could not connect to host
@@ -4959,9 +5291,11 @@ ebolsa.com.br: did not receive HSTS header
 ebolsas.com.br: did not receive HSTS header
 ebooksgratuits.org: could not connect to host
 ebop.ch: could not connect to host
-ebp2p.com: did not receive HSTS header
+ebp2p.com: could not connect to host
 ebraph.com: could not connect to host
+ebrnd.de: could not connect to host
 ebrowz.com: could not connect to host
+ec-baran.de: could not connect to host
 ecake.in: could not connect to host
 ecc-kaufbeuren.de: could not connect to host
 eccux.com: could not connect to host
@@ -4969,22 +5303,29 @@ ecelembrou.ovh: could not connect to host
 ecfs.link: could not connect to host
 ecg.fr: could not connect to host
 echipstore.com: did not receive HSTS header
-echo.cc: could not connect to host
 echoactive.com: max-age too low: 7776000
-echomanchester.net: could not connect to host
+echomanchester.net: did not receive HSTS header
+ecir.pro: could not connect to host
 eckro.com: could not connect to host
+eco-wiki.com: could not connect to host
+ecobrain.be: max-age too low: 0
 ecole-en-danger.fr: could not connect to host
 ecole-iaf.fr: could not connect to host
 ecole-maternelle-saint-joseph.be: could not connect to host
 ecolesrec.ch: did not receive HSTS header
 ecology-21.ru: did not receive HSTS header
 ecomlane.com: could not connect to host
+ecommercestore.net.br: could not connect to host
 ecomparemo.com: did not receive HSTS header
+ecompen.co.za: could not connect to host
 econativa.pt: could not connect to host
 economy.st: did not receive HSTS header
 economycarrentalscyprus.com: could not connect to host
 ecorus.eu: did not receive HSTS header
+ecos.srl: did not receive HSTS header
+ecoskif.ru: could not connect to host
 ecosoftconsult.com: could not connect to host
+ecosystemmanager.azurewebsites.net: did not receive HSTS header
 ecotruck-pooling.com: did not receive HSTS header
 ecrimex.net: did not receive HSTS header
 ectora.com: could not connect to host
@@ -4994,6 +5335,7 @@ edcphenix.tk: could not connect to host
 eddmixpanel.com: could not connect to host
 edelblack.ch: could not connect to host
 edelsteincosmetic.com: did not receive HSTS header
+eden-institut-carita-valdisere.com: did not receive HSTS header
 eden-mobility.co.uk: did not receive HSTS header
 eden-noel.at: could not connect to host
 edenaya.com: could not connect to host
@@ -5004,12 +5346,11 @@ edgecustomersportal.com: could not connect to host
 edgereinvent.com: did not receive HSTS header
 edh.email: did not receive HSTS header
 edhrealtor.com: did not receive HSTS header
-edilservizi.it: did not receive HSTS header
-edilservizivco.it: did not receive HSTS header
 edisonchee.com: did not receive HSTS header
 edissecurity.sk: did not receive HSTS header
-edition-pommern.com: did not receive HSTS header
+edition-pommern.com: max-age too low: 86400
 editoraacademiacrista.com.br: could not connect to host
+editoraimaculada.com.br: did not receive HSTS header
 edix.ru: could not connect to host
 edk.com.tr: did not receive HSTS header
 edpubs.gov: could not connect to host
@@ -5023,11 +5364,12 @@ educatoys.com.br: could not connect to host
 educatweb.de: did not receive HSTS header
 educnum.fr: did not receive HSTS header
 educourse.ga: could not connect to host
-eduif.nl: could not connect to host
+eduif.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 eduvance.in: did not receive HSTS header
 ee-terminals.com: could not connect to host
 eeb98.com: could not connect to host
 eeetrust.org: could not connect to host
+eemcevn.com: could not connect to host
 eenekorea.com: could not connect to host
 eengezinswoning-in-alphen-aan-den-rijn-kopen.nl: could not connect to host
 eengezinswoning-in-de-friese-meren-kopen.nl: could not connect to host
@@ -5046,33 +5388,31 @@ eenhoorn.ga: could not connect to host
 eeqj.com: did not receive HSTS header
 eesistumine2017.ee: could not connect to host
 eez.ee: could not connect to host
-ef-georgia.org: could not connect to host
 effectiveosgi.com: could not connect to host
 effectivepapers.com: could not connect to host
 efficienthealth.com: could not connect to host
+effizienta.ch: did not receive HSTS header
 eftcorp.biz: did not receive HSTS header
-egbert.net: could not connect to host
 egfl.org.uk: did not receive HSTS header
 egge.com: max-age too low: 0
 egit.co: could not connect to host
-eglek.com: did not receive HSTS header
-ego-world.org: did not receive HSTS header
+ego-world.org: could not connect to host
 egupova.ru: did not receive HSTS header
 ehealthcounselor.com: could not connect to host
 ehipaadev.com: could not connect to host
 ehito.ovh: could not connect to host
+ehr.gov: could not connect to host
 ehrenamt-skpfcw.de: could not connect to host
 ehrlichesbier.de: could not connect to host
+ehsellert.com: did not receive HSTS header
 ehuber.info: could not connect to host
 eicfood.com: could not connect to host
 eidolonhost.com: did not receive HSTS header
-eifelindex.de: did not receive HSTS header
 eiga-movie.com: max-age too low: 0
 eigenbubi.de: could not connect to host
 eightyfour.ca: could not connect to host
 eigo.work: did not receive HSTS header
 eimanavicius.lt: did not receive HSTS header
-einar.io: max-age too low: 86400
 einfachmaldiefressehalten.de: could not connect to host
 einhorn.space: could not connect to host
 einmonolog.de: could not connect to host
@@ -5082,9 +5422,10 @@ einsitapis.com: could not connect to host
 ejgconsultancy.co.uk: did not receive HSTS header
 ejuicelab.co.uk: did not receive HSTS header
 ejusu.com: could not connect to host
-ek.network: could not connect to host
+ek.network: did not receive HSTS header
 ekbanden.nl: could not connect to host
 ekobudisantoso.net: could not connect to host
+ekodevices.com: could not connect to host
 ekong366.com: could not connect to host
 eksik.com: could not connect to host
 el-soul.com: did not receive HSTS header
@@ -5093,22 +5434,24 @@ elan-organics.com: did not receive HSTS header
 elanguest.pl: could not connect to host
 elanguest.ro: could not connect to host
 elanguest.ru: could not connect to host
-elarvee.xyz: could not connect to host
 elaxy-online.de: could not connect to host
 elbaal.gov: did not receive HSTS header
 elblein.de: did not receive HSTS header
+elblogdegoyo.mx: max-age too low: 2592000
 elbohlyart.com: did not receive HSTS header
 eldietista.es: could not connect to host
-eldisagjapi.com: could not connect to host
 eldisagjapi.de: could not connect to host
 elearningpilot.com: did not receive HSTS header
+eleaut.com.br: did not receive HSTS header
 electicofficial.com: did not receive HSTS header
 electricalcontrolpanels.co.uk: could not connect to host
 electricant.com: did not receive HSTS header
 electricant.nl: did not receive HSTS header
 electriccitysf.com: could not connect to host
 electrician-umhlanga.co.za: did not receive HSTS header
+electrician-umhlangaridge.co.za: did not receive HSTS header
 electricianforum.co.uk: did not receive HSTS header
+electricianlalucia.co.za: did not receive HSTS header
 electricianumhlangarocks.co.za: did not receive HSTS header
 electricoperaduo.com: did not receive HSTS header
 electromc.com: could not connect to host
@@ -5124,14 +5467,16 @@ elenagherta.ga: could not connect to host
 elenoon.ir: max-age too low: 1
 elenorsmadness.org: could not connect to host
 eleonorengland.com: did not receive HSTS header
-elestanteliterario.com: did not receive HSTS header
-eletesstilus.hu: could not connect to host
+elestanteliterario.com: max-age too low: 43200
 elevateandprosper.com: could not connect to host
+elevator.ee: could not connect to host
+elexel.ru: could not connect to host
 elgacien.de: could not connect to host
 elguillatun.cl: did not receive HSTS header
 elhall.pro: did not receive HSTS header
 elhall.ru: did not receive HSTS header
 eliasojala.me: did not receive HSTS header
+elielaloum.com: could not connect to host
 elimdengelen.com: did not receive HSTS header
 eline168.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 eliott.be: could not connect to host
@@ -5141,8 +5486,10 @@ elite-box.org: did not receive HSTS header
 elite-porno.ru: could not connect to host
 elitecovering.fr: did not receive HSTS header
 elitefishtank.com: could not connect to host
-elitesensual.com.br: could not connect to host
+elitehosting.de: did not receive HSTS header
+elitesensual.com.br: did not receive HSTS header
 elizeugomes.com.br: did not receive HSTS header
+ell-net.tokyo: could not connect to host
 ellen-skye.de: max-age too low: 604800
 elliff.net: did not receive HSTS header
 elliotgluck.com: did not receive HSTS header
@@ -5153,6 +5500,9 @@ elnutricionista.es: could not connect to host
 elo.fyi: could not connect to host
 elohna.ch: did not receive HSTS header
 elonbase.com: could not connect to host
+elonm.ru: could not connect to host
+elosuite.com: could not connect to host
+eloxt.com: could not connect to host
 elpay.kz: did not receive HSTS header
 elpo.xyz: could not connect to host
 elsamakhin.com: could not connect to host
@@ -5167,9 +5517,12 @@ elyisus.info: did not receive HSTS header
 elytronsecurity.com: did not receive HSTS header
 email.lookout.com: could not connect to host
 email2rss.net: could not connect to host
+emailalaperformance.fr: could not connect to host
 emailcontrol.nl: did not receive HSTS header
+emailing.alsace: could not connect to host
 emanatepixels.com: could not connect to host
 emanga.su: did not receive HSTS header
+emasex.es: could not connect to host
 emavok.eu: could not connect to host
 embellir-aroma.com: could not connect to host
 embellir-kyujin.com: could not connect to host
@@ -5182,6 +5535,7 @@ emergencymedicinefoundations.com: did not receive HSTS header
 emergentvisiontec.com: did not receive HSTS header
 emesolutions.net: did not receive HSTS header
 emiele.com.br: could not connect to host
+emiliendevos.be: could not connect to host
 emilyhorsman.com: could not connect to host
 emilyshepherd.me: did not receive HSTS header
 eminhuseynov.com: could not connect to host
@@ -5189,6 +5543,7 @@ eminovic.me: could not connect to host
 emjainteractive.com: did not receive HSTS header
 emjimadhu.com: could not connect to host
 emma-o.com: could not connect to host
+emma.ca: did not receive HSTS header
 emmable.com: could not connect to host
 emmaliddell.com: did not receive HSTS header
 emmanuelle-et-julien.ch: could not connect to host
@@ -5209,22 +5564,23 @@ empty-r.com: could not connect to host
 emptypath.com: did not receive HSTS header
 emupedia.net: did not receive HSTS header
 emyself.info: could not connect to host
-emyself.org: did not receive HSTS header
+emyself.org: could not connect to host
 en4u.org: could not connect to host
 enaia.fr: did not receive HSTS header
+enaim.de: max-age too low: 0
 encadrer-mon-enfant.com: did not receive HSTS header
 encode.space: could not connect to host
 encode.uk.com: did not receive HSTS header
 encoder.pw: could not connect to host
-encoderx.uk: could not connect to host
-encontrebarato.com.br: did not receive HSTS header
+encontrebarato.com.br: could not connect to host
 encrypted.google.com: did not receive HSTS header (error ignored - included regardless)
 encryptedaudience.com: could not connect to host
 encryptio.com: could not connect to host
 end.pp.ua: could not connect to host
 endangeredwatch.com: could not connect to host
+ende-x.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 endlessdark.net: max-age too low: 600
-endlesshorizon.net: could not connect to host
+endlesshorizon.net: max-age too low: 0
 endlesstone.com: did not receive HSTS header
 endofinternet.goip.de: could not connect to host
 endofnet.org: could not connect to host
@@ -5237,11 +5593,14 @@ enecoshop.nl: did not receive HSTS header
 enefan.jp: could not connect to host
 enelacto.com: did not receive HSTS header
 energethik-tulln.at: did not receive HSTS header
+energisammenslutningen.dk: could not connect to host
+energyradio.mk: max-age too low: 0
 enersaveapp.org: could not connect to host
 enersec.co.uk: could not connect to host
 enfoqueseguro.com: did not receive HSTS header
 engineowning.com: did not receive HSTS header
 enginx.cn: could not connect to host
+enginx.net: could not connect to host
 englerts.de: did not receive HSTS header
 englishclub.com: did not receive HSTS header
 englishdirectory.de: could not connect to host
@@ -5252,15 +5611,14 @@ enjen.net: did not receive HSTS header
 enjoymayfield.com: max-age too low: 0
 enjoystudio.ro: did not receive HSTS header
 enlatte.com: could not connect to host
-enlazaresbueno.cl: did not receive HSTS header
+enlazaresbueno.cl: could not connect to host
+enlighten10x.ga: could not connect to host
 enlightened.si: did not receive HSTS header
 enoou.com: could not connect to host
 enpalmademallorca.info: could not connect to host
 ensemble-vos-idees.fr: could not connect to host
 enskat.de: could not connect to host
 enskatson-sippe.de: could not connect to host
-ensured.com: could not connect to host
-ensured.nl: could not connect to host
 entaurus.com: could not connect to host
 enteente.club: could not connect to host
 enteente.com: could not connect to host
@@ -5270,6 +5628,7 @@ enterdev.co: did not receive HSTS header
 enterprisecarclub.co.uk: could not connect to host
 enterprisechannel.asia: did not receive HSTS header
 enterprivacy.com: did not receive HSTS header
+entersynapse.com: could not connect to host
 entheorie.net: did not receive HSTS header
 entourneebeetle.com: could not connect to host
 entrepreneur.or.id: could not connect to host
@@ -5282,21 +5641,23 @@ environment.ai: could not connect to host
 envoutement-desenvoutement.com: did not receive HSTS header
 envoyglobal.com: did not receive HSTS header
 envoyworld.com: did not receive HSTS header
-envygeeks.com: could not connect to host
+envygeeks.com: did not receive HSTS header
 envygeeks.io: did not receive HSTS header
 eol34.com: could not connect to host
 eoldb.org: could not connect to host
 eolme.ml: could not connect to host
 eonet.cc: did not receive HSTS header
 eos-classic.io: could not connect to host
+eosol.services: could not connect to host
 eosol.zone: could not connect to host
 epanurse.com: could not connect to host
 epave.paris: could not connect to host
 epaygateway.net: could not connect to host
 ephe.be: could not connect to host
 ephry.com: could not connect to host
+epicbouncycastlehirenorwich.co.uk: could not connect to host
 epicmc.games: could not connect to host
-epitesz.co: did not receive HSTS header
+epicpages.com: could not connect to host
 eposcloud.net: could not connect to host
 eposmidlands.co.uk: could not connect to host
 eposnewport.co.uk: did not receive HSTS header
@@ -5308,13 +5669,15 @@ epossussex.co.uk: could not connect to host
 eposwales.co.uk: could not connect to host
 epoxate.com: could not connect to host
 eprofitacademy.com: did not receive HSTS header
-epulsar.ru: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+epsorting.cz: did not receive HSTS header
+epulsar.ru: did not receive HSTS header
 epvin.com: could not connect to host
 eq8.net.au: could not connect to host
 eqib.nl: did not receive HSTS header
+eqibank.com: could not connect to host
 eqim.me: could not connect to host
 eqorg.com: could not connect to host
-equallyy.com: could not connect to host
+equallyy.com: did not receive HSTS header
 equalparts.eu: could not connect to host
 equate.net.au: did not receive HSTS header
 equatetechnologies.com.au: did not receive HSTS header
@@ -5329,13 +5692,14 @@ erad.fr: could not connect to host
 erawanarifnugroho.com: did not receive HSTS header
 erclab.kr: could not connect to host
 erecciontotalal100.com: could not connect to host
+erectiepillenwinkel.nl: could not connect to host
 erepublik-deutschland.de: did not receive HSTS header
 eressea.xyz: could not connect to host
 ericbond.net: could not connect to host
 erichalv.com: could not connect to host
 ericloud.tk: could not connect to host
 ericorporation.com: did not receive HSTS header
-ericyl.com: did not receive HSTS header
+eridanus.uk: could not connect to host
 eriel.com.br: could not connect to host
 erikwagner.de: did not receive HSTS header
 erinlin.com: did not receive HSTS header
@@ -5344,6 +5708,7 @@ ernaehrungsberatung-rapperswil.ch: did not receive HSTS header
 ernaehrungsberatung-zurich.ch: could not connect to host
 ernesto.at: could not connect to host
 eroimatome.com: could not connect to host
+eroma.com.au: did not receive HSTS header
 eromixx.com: could not connect to host
 eromon.net: could not connect to host
 erotalia.es: could not connect to host
@@ -5355,14 +5720,14 @@ erpiv.com: could not connect to host
 errolz.com: did not receive HSTS header
 errors.zenpayroll.com: could not connect to host
 erspro.net: could not connect to host
-ervaarjapan.nl: did not receive HSTS header
+eruvalerts.com: did not receive HSTS header
 erwinvanlonden.net: did not receive HSTS header
 es888.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 es8888.net: could not connect to host
 es888999.com: could not connect to host
 es999.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 es9999.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-esafar.cz: did not receive HSTS header
+esaborit.ddns.net: could not connect to host
 esb-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 esb-top.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 esb-top.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -5427,7 +5792,7 @@ esb777.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 esb777.us: could not connect to host
 esb886.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 esb888.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-esb8886.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+esb8886.com: could not connect to host
 esb9527.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 esb9588.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 esb9588.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -5473,12 +5838,13 @@ esbm4.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_
 esbm5.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 esbuilders.co.nz: did not receive HSTS header
 escalate.eu: could not connect to host
+escape2rooms.fr: did not receive HSTS header
 escapees.com: did not receive HSTS header
 escolaengenharia.com.br: did not receive HSTS header
 escort-byuro.net: could not connect to host
 escort-fashion.com: could not connect to host
 escortdisplay.com: could not connect to host
-escortshotsexy.com: could not connect to host
+escortshotsexy.com: did not receive HSTS header
 escotour.com: did not receive HSTS header
 escueladewordpress.com: did not receive HSTS header
 esec.rs: did not receive HSTS header
@@ -5487,6 +5853,7 @@ esh.ink: could not connect to host
 eshepperd.com: did not receive HSTS header
 eshobe.com: did not receive HSTS header
 eshtapay.com: could not connect to host
+esipublications.com: did not receive HSTS header
 esko.bar: could not connect to host
 esln.org: did not receive HSTS header
 esmoney.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -5513,6 +5880,7 @@ essayscam.org: could not connect to host
 essayshark.com: could not connect to host
 essaywebsite.com: did not receive HSTS header
 essenceofvitalitydetox.com: could not connect to host
+essencesdeprana.org: did not receive HSTS header
 essential12.com: could not connect to host
 essentialoilsimports.com: could not connect to host
 essentiel-physique.com: could not connect to host
@@ -5521,8 +5889,7 @@ esseriumani.com: could not connect to host
 essexghosthunters.co.uk: did not receive HSTS header
 essplusmed.org: could not connect to host
 estaciona.guru: could not connect to host
-estaleiro.org: could not connect to host
-estan.cn: could not connect to host
+estan.cn: did not receive HSTS header
 estebanborges.com: did not receive HSTS header
 estespr.com: did not receive HSTS header
 estetistarimini.it: did not receive HSTS header
@@ -5533,11 +5900,12 @@ estudio21pattern.com: could not connect to host
 estudioamazonico.com: could not connect to host
 et-buchholz.de: could not connect to host
 et180.com: could not connect to host
+etalent.net: did not receive HSTS header
 etangs-magazine.com: could not connect to host
 etaoinwu.tk: could not connect to host
 etdonline.co.uk: did not receive HSTS header
 eteapparel.com: did not receive HSTS header
-etenendrinken.nu: could not connect to host
+etenendrinken.nu: did not receive HSTS header
 eternalsymbols.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 eternitylove.us: could not connect to host
 eth9.net: could not connect to host
@@ -5546,8 +5914,10 @@ ethanfaust.com: did not receive HSTS header
 ethanlew.is: could not connect to host
 ethantskinner.com: did not receive HSTS header
 ether.school: could not connect to host
+etherderbies.com: could not connect to host
 etheria-software.tk: did not receive HSTS header
-ethicalexploiting.com: did not receive HSTS header
+etherpad.fr: did not receive HSTS header
+ethicalexploiting.com: could not connect to host
 ethicall.org.uk: did not receive HSTS header
 ethicaltek.com: could not connect to host
 ethil-faer.fr: could not connect to host
@@ -5565,8 +5935,9 @@ ettebiz.com: max-age too low: 0
 etula.ga: did not receive HSTS header
 etula.me: could not connect to host
 etys.no: did not receive HSTS header
+etzi.myds.me: did not receive HSTS header
 euanbaines.com: did not receive HSTS header
-eucl3d.com: did not receive HSTS header
+eucl3d.com: could not connect to host
 euclideanpostulates.xyz: could not connect to host
 eucollegetours.com: could not connect to host
 euexia.fr: could not connect to host
@@ -5581,11 +5952,12 @@ eupho.me: could not connect to host
 eupresidency2018.com: could not connect to host
 euren.se: could not connect to host
 eurocamping.se: could not connect to host
+eurocomcompany.cz: could not connect to host
+euroconthr.ro: could not connect to host
 euroescortguide.com: could not connect to host
 europapier.at: did not receive HSTS header
 europapier.ba: did not receive HSTS header
 europapier.bg: did not receive HSTS header
-europapier.com: did not receive HSTS header
 europapier.cz: did not receive HSTS header
 europapier.hr: did not receive HSTS header
 europapier.rs: did not receive HSTS header
@@ -5598,6 +5970,7 @@ eurospecautowerks.com: did not receive HSTS header
 eurostrategy.vn.ua: could not connect to host
 euvo.tk: could not connect to host
 evades.io: did not receive HSTS header
+evadifranco.com: did not receive HSTS header
 evanhandgraaf.nl: did not receive HSTS header
 evankurniawan.com: did not receive HSTS header
 evanreev.es: could not connect to host
@@ -5608,14 +5981,12 @@ evdenevenakliyatankara.pw: could not connect to host
 evecalm.com: did not receive HSTS header
 evedanjailbreak.com: could not connect to host
 evegalaxy.net: could not connect to host
-evemodx.com: did not receive HSTS header
 evenstar-gaming.com: could not connect to host
 event64.ru: did not receive HSTS header
 eventmake.es: could not connect to host
 eventplace.me: did not receive HSTS header
 events12.com: did not receive HSTS header
 eventsafrica.net: did not receive HSTS header
-everitoken.io: did not receive HSTS header
 everyarti.st: could not connect to host
 everybooks.com: could not connect to host
 everydaytherich.com: max-age too low: 7776000
@@ -5623,12 +5994,14 @@ everygayporn.xyz: could not connect to host
 everylab.org: could not connect to host
 everymove.org: could not connect to host
 everything.place: could not connect to host
+everythingstech.com: could not connect to host
 everytruckjob.com: did not receive HSTS header
 eveseat.net: could not connect to host
 eveshaiwu.com: could not connect to host
 evi.be: did not receive HSTS header
+evilarmy.com: did not receive HSTS header
 evilbeasts.ru: could not connect to host
-evileden.com: could not connect to host
+evilcult.me: did not receive HSTS header
 evilnerd.de: did not receive HSTS header
 evilness.nl: could not connect to host
 evilsay.com: could not connect to host
@@ -5636,9 +6009,11 @@ evilvolcanolairs.com: did not receive HSTS header
 evin.ml: could not connect to host
 evio.com: did not receive HSTS header
 evites.me: could not connect to host
+evokepk.com: could not connect to host
 evoludis.net: did not receive HSTS header
 evolutionexpeditions.com: did not receive HSTS header
 evomon.com: could not connect to host
+evonews.com: did not receive HSTS header
 evossd.tk: could not connect to host
 evowl.com: could not connect to host
 ewallet-optimizer.com: did not receive HSTS header
@@ -5646,23 +6021,25 @@ ewex.org: could not connect to host
 eworksmedia.com: could not connect to host
 ewuchuan.com: could not connect to host
 exampleessays.com: could not connect to host
+examplesu.com: could not connect to host
 excelgum.ca: did not receive HSTS header
 exceptionalbits.com: could not connect to host
 exceptionalservices.us: could not connect to host
 exchangecoordinator.com: could not connect to host
 exchangeworks.co: did not receive HSTS header
+exclusivedesignz.com: could not connect to host
 exebouncycastles.co.uk: did not receive HSTS header
 exembit.com: did not receive HSTS header
-exfiles.cz: did not receive HSTS header
+exfiles.cz: could not connect to host
 exgaywatch.com: could not connect to host
 exgravitus.com: could not connect to host
+exhaledayspa.com.au: did not receive HSTS header
 exno.co: could not connect to host
-exo.do: max-age too low: 0
+exnovin.co: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 exocen.com: could not connect to host
+exoplatform.com: did not receive HSTS header
 exoticads.com: could not connect to host
 exousiakaidunamis.xyz: could not connect to host
-expancio.com: max-age too low: 0
-expanddigital.media: did not receive HSTS header
 expatads.com: could not connect to host
 expatriate.pl: did not receive HSTS header
 expecting.com.br: could not connect to host
@@ -5670,37 +6047,36 @@ experticon.com: did not receive HSTS header
 expertmile.com: did not receive HSTS header
 experts-en-gestion.fr: did not receive HSTS header
 explodingcamera.com: did not receive HSTS header
-exploit-db.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+exploration.ga: did not receive HSTS header
 expo-designers.com: did not receive HSTS header
-expokohler.com: could not connect to host
+expokohler.com: did not receive HSTS header
 expoort.com.br: could not connect to host
 exporo.de: did not receive HSTS header
 expoundite.net: did not receive HSTS header
 expowerhps.com: did not receive HSTS header
 expressfinance.co.za: did not receive HSTS header
-extendwings.com: could not connect to host
 exteriorservices.io: could not connect to host
 extramoney.cash: could not connect to host
 extrathemeshowcase.net: could not connect to host
 extratorrent.cool: did not receive HSTS header
-extratorrent.fyi: max-age too low: 0
-extratorrent.red: max-age too low: 0
+extratorrent.fyi: could not connect to host
+extratorrent.red: could not connect to host
 extratorrent.world: could not connect to host
 extratorrentlive.xyz: could not connect to host
 extratorrents.tech: could not connect to host
-extreemhost.nl: did not receive HSTS header
 extremenetworking.net: could not connect to host
 extremeservicesandrestoration.com: could not connect to host
 exy.pw: could not connect to host
-eyasc.nl: did not receive HSTS header
+eyasc.nl: could not connect to host
 eyedarts.com: did not receive HSTS header
 eyeglassuniverse.com: did not receive HSTS header
 eyenote.gov: did not receive HSTS header
-eyes-of-universe.eu: did not receive HSTS header
+eyes-of-universe.eu: could not connect to host
 eyesoccer-didikh.rhcloud.com: could not connect to host
 eyesonly.cc: did not receive HSTS header
 eytosh.net: could not connect to host
 ez.fi: could not connect to host
+ezequiel-garzon.net: could not connect to host
 ezgamble.com: did not receive HSTS header
 ezimoeko.net: could not connect to host
 ezmod.org: could not connect to host
@@ -5721,14 +6097,14 @@ faber.io: could not connect to host
 faberusa.com: did not receive HSTS header
 fabhub.io: could not connect to host
 fabian-kluge.de: could not connect to host
+fabian-koeppen.de: did not receive HSTS header
 fabianasantiago.com: could not connect to host
 fabianfischer.de: did not receive HSTS header
-fabianmunoz.com: could not connect to host
+fabianmunoz.com: did not receive HSTS header
 fabienbaker.com: could not connect to host
-fabled.com: did not receive HSTS header
+fabled.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 fabriko.fr: did not receive HSTS header
 fabriziorocca.com: could not connect to host
-fabrysociety.org: could not connect to host
 fabulouslyyouthfulskin.com: could not connect to host
 fabulouslyyouthfulskineyeserum.com: could not connect to host
 facebattle.com: could not connect to host
@@ -5740,9 +6116,12 @@ facesnf.com: could not connect to host
 fachschaft-informatik.de: did not receive HSTS header
 facilitrak.com: could not connect to host
 factorable.net: did not receive HSTS header
+factoringsolutions.co.uk: did not receive HSTS header
 factorygw.com: did not receive HSTS header
 factorypartsdirect.com: could not connect to host
+factureenlinea.com: could not connect to host
 fadednet.com: could not connect to host
+fadeev.legal: did not receive HSTS header
 fadilus.com: did not receive HSTS header
 fads-center.online: could not connect to host
 faeriecakes.be: could not connect to host
@@ -5759,6 +6138,7 @@ faizan.net: did not receive HSTS header
 faizan.xyz: did not receive HSTS header
 fakeletters.org: could not connect to host
 faktura.pl: did not receive HSTS header
+falaland.com: did not receive HSTS header
 falcibiosystems.org: did not receive HSTS header
 falconwiz.com: did not receive HSTS header
 falkp.no: did not receive HSTS header
@@ -5774,12 +6154,12 @@ famep.gov: could not connect to host
 famer.me: could not connect to host
 fameuxhosting.co.uk: could not connect to host
 familie-sander.rocks: max-age too low: 600
-familie-sprink.de: could not connect to host
+familie-sprink.de: did not receive HSTS header
 familie-zimmermann.at: could not connect to host
+familiegrottendieck.de: max-age too low: 7776000
 familletouret.fr: did not receive HSTS header
-famio.cn: did not receive HSTS header
-fanflow.com: did not receive HSTS header
-fanhouwan.com: did not receive HSTS header
+famio.cn: could not connect to host
+fanflow.com: could not connect to host
 fansmade.art: could not connect to host
 fant.dk: did not receive HSTS header
 fantasticgardenersmelbourne.com.au: did not receive HSTS header
@@ -5793,7 +6173,6 @@ faraonplay5.com: could not connect to host
 faraonplay7.com: could not connect to host
 faraonplay8.com: could not connect to host
 faraslot8.net: could not connect to host
-farces.com: could not connect to host
 faretravel.co.uk: could not connect to host
 farkas.bz: did not receive HSTS header
 farm24.co.uk: could not connect to host
@@ -5801,6 +6180,9 @@ farmacia.pt: did not receive HSTS header
 farmaciaformula.com.br: could not connect to host
 farmaciamedicom.com.br: could not connect to host
 farmmaximizer.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+farrel-f.id: could not connect to host
+farsil.eu: could not connect to host
+fascia.fit: could not connect to host
 fashion.net: did not receive HSTS header
 fashioncare.cz: did not receive HSTS header
 fashiondays.bg: max-age too low: 0
@@ -5812,16 +6194,15 @@ fasset.jp: could not connect to host
 fastaim.de: could not connect to host
 fastbackmbg.be: could not connect to host
 fastbackmbm.be: could not connect to host
-fastcomcorp.com: did not receive HSTS header
 fastcomcorp.net: did not receive HSTS header
 fastconfirm.com: could not connect to host
+fastcp.top: could not connect to host
 fastograph.com: could not connect to host
 fastopen.ml: could not connect to host
 fastwebsites.com.br: did not receive HSTS header
 fastworx.com: did not receive HSTS header
 fatdoge.cn: did not receive HSTS header
 fatgeekflix.net: could not connect to host
-fatherhood.gov: did not receive HSTS header
 fatlossguide.xyz: could not connect to host
 fator25.com.br: could not connect to host
 fatox.de: could not connect to host
@@ -5829,7 +6210,7 @@ fattorino.it: did not receive HSTS header
 fatwin.pw: could not connect to host
 fatzebra.com.au: max-age too low: 0
 favorit.club: did not receive HSTS header
-fawkex.me: could not connect to host
+fawkex.me: did not receive HSTS header
 faxreader.net: could not connect to host
 fayolle.info: did not receive HSTS header
 fbf.gov: did not receive HSTS header
@@ -5843,12 +6224,14 @@ fdj.im: could not connect to host
 fdm.ro: did not receive HSTS header
 fdt.name: did not receive HSTS header
 feard.space: could not connect to host
-fed51.com: could not connect to host
+fecik.sk: did not receive HSTS header
+fed51.com: did not receive HSTS header
 fedbizopps.gov: could not connect to host
 fedemo.top: did not receive HSTS header
 federalregister.gov: did not receive HSTS header
 fedn.it: could not connect to host
 fedo.moe: could not connect to host
+fee-hosting.com: max-age too low: 0
 feedstringer.com: could not connect to host
 feedthebot.com: did not receive HSTS header
 feegg.com.br: could not connect to host
@@ -5856,11 +6239,12 @@ feeriedesign-event.com: could not connect to host
 fefore.com: did not receive HSTS header
 fegans.org.uk: did not receive HSTS header
 feirlane.org: could not connect to host
-feisbed.com: could not connect to host
 feist.io: could not connect to host
 feitobrasilcosmeticos.com.br: did not receive HSTS header
+fejes.house: could not connect to host
 felger-times.fr: could not connect to host
 felgitscher.xyz: max-age too low: 2592000
+felisslovakia.sk: did not receive HSTS header
 feliwyn.fr: did not receive HSTS header
 felixhefner.de: did not receive HSTS header
 felixqu.com: did not receive HSTS header
@@ -5888,17 +6272,18 @@ festember.com: did not receive HSTS header
 festival.house: did not receive HSTS header
 festivalxdentro.com: did not receive HSTS header
 festrip.com: could not connect to host
-fetch.co.uk: did not receive HSTS header
+fetch.co.uk: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 fetclips.se: could not connect to host
 fetlife.com: could not connect to host
 fettbrot.tk: did not receive HSTS header
 feudaltactics.com: could not connect to host
 feuerwehr-dachaufsetzer.de: could not connect to host
-fexmen.com: did not receive HSTS header
+fexmen.com: could not connect to host
 ff-bg.xyz: could not connect to host
-ffh.me: could not connect to host
+ffbans.org: did not receive HSTS header
 ffl123.com: did not receive HSTS header
 fgequipamentos.com.br: did not receive HSTS header
+fhg90.com: did not receive HSTS header
 fhsseniormens.club: could not connect to host
 fi-sanki.co.jp: could not connect to host
 fibrasynormasdecolombia.com: did not receive HSTS header
@@ -5910,16 +6295,17 @@ fideleslaici.com: did not receive HSTS header
 fieldclockapp.com: did not receive HSTS header
 fieldtalk.co.uk: could not connect to host
 fiendishmasterplan.com: did not receive HSTS header
-fierman.eu: could not connect to host
-fierman.net: could not connect to host
-fierman.us: could not connect to host
+fierman.eu: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+fierman.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+fierman.us: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 fiftyshadesofluca.ml: could not connect to host
 fig.co: did not receive HSTS header
 fig.ms: could not connect to host
 fightr.co: could not connect to host
 figura.cz: did not receive HSTS header
 figura.im: did not receive HSTS header
-figuurzagers.nl: could not connect to host
+figuurzagers.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+fiissh.tech: did not receive HSTS header
 fiksel.info: could not connect to host
 fikt.space: could not connect to host
 filamentia.nl: could not connect to host
@@ -5934,6 +6320,7 @@ filey.co.uk: did not receive HSTS header
 filhomes.ph: could not connect to host
 fillitupchallenge.eu: did not receive HSTS header
 fillmysuitca.se: did not receive HSTS header
+film-storyboards.com: did not receive HSTS header
 film.photography: did not receive HSTS header
 film.photos: did not receive HSTS header
 filmatiporno.xxx: could not connect to host
@@ -5954,7 +6341,8 @@ findmybottleshop.com.au: could not connect to host
 findthere.net: could not connect to host
 findtutorsnearme.com: did not receive HSTS header
 findyour.diet: could not connect to host
-finer04.pw: did not receive HSTS header
+fine-services.paris: could not connect to host
+finer04.pw: could not connect to host
 finewineonline.com: could not connect to host
 fingent.com: did not receive HSTS header
 fingerscrossed.style: could not connect to host
@@ -5984,7 +6372,9 @@ firstchoicepool.com: did not receive HSTS header
 firstdogonthemoon.com.au: did not receive HSTS header
 firstforex.co.uk: did not receive HSTS header
 firstlook.org: did not receive HSTS header
+fischer-its.com: could not connect to host
 fiscoeconti.it: did not receive HSTS header
+fishfinders.info: did not receive HSTS header
 fiskestang.com: did not receive HSTS header
 fit4medien.de: did not receive HSTS header
 fitbylo.com: could not connect to host
@@ -5993,18 +6383,18 @@ fitfitup.com: did not receive HSTS header
 fitiapp.com: could not connect to host
 fitnesswerk.de: could not connect to host
 fitqbe.com: did not receive HSTS header
-fitseven.ru: did not receive HSTS header
 fitshop.com.br: could not connect to host
 fitsw.com: did not receive HSTS header
 fiuxy.org: could not connect to host
 five.vn: did not receive HSTS header
+fiveboosts.xyz: could not connect to host
 fivestarsitters.com: did not receive HSTS header
 fivestepfunnels.com: could not connect to host
 fivezerocreative.com: did not receive HSTS header
 fiws.net: did not receive HSTS header
 fix-the-timeline.com: could not connect to host
 fix-the-timeline.org: could not connect to host
-fixate.ru: max-age too low: 3153600
+fixate.ru: could not connect to host
 fixeaide.com: did not receive HSTS header
 fixeaider.com: did not receive HSTS header
 fixico-staging.nl: could not connect to host
@@ -6045,43 +6435,52 @@ flc111.com: did not receive HSTS header
 flc999.com: max-age too low: 129600
 fleamarketgoods.com: did not receive HSTS header
 flemingtonaudiparts.com: could not connect to host
+flesters.com.br: did not receive HSTS header
 fleurette.me: could not connect to host
 fleursdesoleil.fr: did not receive HSTS header
 flexdrukker.nl: could not connect to host
 flexinvesting.fi: could not connect to host
+flextribly.xyz: could not connect to host
 fliexer.com: could not connect to host
 flightschoolusa.com: did not receive HSTS header
 flikmsg.co: could not connect to host
 fling.dating: could not connect to host
 flipagram.com: did not receive HSTS header
-flipbell.com: did not receive HSTS header
+flipbell.com: could not connect to host
 flipkey.com: did not receive HSTS header
 flirchi.com: did not receive HSTS header
-flirtycourts.com: did not receive HSTS header
+flirtycourts.com: could not connect to host
+flixhaven.net: did not receive HSTS header
 flixtor.net: could not connect to host
 flkrpxl.com: max-age too low: 86400
 flood.io: did not receive HSTS header
 floorball-haunwoehr.de: did not receive HSTS header
 flopy.club: could not connect to host
 florafiora.com.br: did not receive HSTS header
-florian-lillpopp.de: max-age too low: 10
+florian-lillpopp.de: did not receive HSTS header
 florian-schlachter.de: did not receive HSTS header
-florianlillpopp.de: max-age too low: 10
+florian2833z.de: could not connect to host
+florianlillpopp.de: did not receive HSTS header
 floridaderi.ru: did not receive HSTS header
 floridaescapes.co.uk: did not receive HSTS header
 florinapp.com: could not connect to host
 florispoort.nl: did not receive HSTS header
 floro.me: did not receive HSTS header
+floseed.fr: could not connect to host
 flosserver.de: could not connect to host
 floth.at: could not connect to host
 flouartistique.ch: could not connect to host
 flow.pe: could not connect to host
+flowcount.xyz: could not connect to host
 flowerandplant.org: did not receive HSTS header
 flowersandclouds.com: could not connect to host
 floweslawncare.com: could not connect to host
 flowlo.me: could not connect to host
 flox.io: could not connect to host
 floydm.com: did not receive HSTS header
+flucky.xyz: could not connect to host
+flucto.com: did not receive HSTS header
+flue-ducting.co.uk: did not receive HSTS header
 flugplatz-edvc.de: could not connect to host
 flugsportvereinigungcelle.de: did not receive HSTS header
 flugstadplasticsurgery.com: did not receive HSTS header
@@ -6095,24 +6494,24 @@ flybunnyfly.dk: did not receive HSTS header
 flygpost.com: did not receive HSTS header
 flyingdoggy.net: could not connect to host
 flyingspaghettimonsterdonationsfund.nl: could not connect to host
-flyingyoung.top: did not receive HSTS header
-flyp.me: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+flyingyoung.top: could not connect to host
 flyspace.ga: did not receive HSTS header
 flyspace.ml: did not receive HSTS header
 flyss.net: could not connect to host
+flyssh.net: could not connect to host
 fm83.nl: could not connect to host
 fm992.com: could not connect to host
 fmapplication.com: could not connect to host
 fmi.gov: did not receive HSTS header
 fmovies.fyi: did not receive HSTS header
-fmovies.life: could not connect to host
+fmovies.life: did not receive HSTS header
 fnfpt.co.uk: could not connect to host
 fniephaus.com: did not receive HSTS header
 fnncat.com: did not receive HSTS header
 fnvsecurity.com: could not connect to host
 fobc-usa.org: did not receive HSTS header
 focalforest.com: could not connect to host
-foerster-kunststoff.de: could not connect to host
+foerster-kunststoff.de: did not receive HSTS header
 fognini-depablo.eu: could not connect to host
 fohome.ca: could not connect to host
 fokan.ch: did not receive HSTS header
@@ -6127,8 +6526,9 @@ fonetiq.io: could not connect to host
 fontawesome.com: did not receive HSTS header
 foo: could not connect to host
 food4health.guide: could not connect to host
-foodacademy.capetown: could not connect to host
+foodacademy.capetown: max-age too low: 43200
 foodbuddy.ch: could not connect to host
+foodcowgirls.com: could not connect to host
 foodiebox.no: did not receive HSTS header
 foodies.my: did not receive HSTS header
 foodievenues.com: could not connect to host
@@ -6152,6 +6552,7 @@ foreveralone.io: could not connect to host
 foreveryoung.pt: did not receive HSTS header
 forex-dan.com: did not receive HSTS header
 forex-plus.com: did not receive HSTS header
+forexsignals7.com: could not connect to host
 forgix.com: could not connect to host
 forglemmigej.net: could not connect to host
 forlagetmarx.dk: did not receive HSTS header
@@ -6160,7 +6561,9 @@ formaliteo.com: did not receive HSTS header
 formasdemaquillarse.com: did not receive HSTS header
 formazioneopen.it: could not connect to host
 formersessalaries.com: did not receive HSTS header
+formkiq.com: could not connect to host
 formula.cf: could not connect to host
+forpc.us: did not receive HSTS header
 forplanetsake.com: could not connect to host
 forplayers.pl: could not connect to host
 forquilhinhanoticias.com.br: did not receive HSTS header
@@ -6179,8 +6582,9 @@ fossewayflowers.co.uk: could not connect to host
 fossewayflowers.com: could not connect to host
 fossewaygardencentre.co.uk: did not receive HSTS header
 fossgruppen.se: did not receive HSTS header
-fossguard.com: could not connect to host
+fossguard.com: did not receive HSTS header
 fotiu.com: could not connect to host
+foto-pro.by: did not receive HSTS header
 fotoallerlei.com: did not receive HSTS header
 fotocerita.net: could not connect to host
 fotogiraffe.ru: did not receive HSTS header
@@ -6192,6 +6596,7 @@ fourwheelpartloanssimple.com: did not receive HSTS header
 foxdev.io: could not connect to host
 foxelbox.com: did not receive HSTS header
 foxes.no: could not connect to host
+foxhound.com.br: could not connect to host
 foxley-farm.co.uk: did not receive HSTS header
 foxley-seeds.co.uk: did not receive HSTS header
 foxleyseeds.co.uk: could not connect to host
@@ -6208,7 +6613,6 @@ fragnic.com: did not receive HSTS header
 fralef.me: did not receive HSTS header
 francesca-and-lucas.com: did not receive HSTS header
 francevpn.xyz: could not connect to host
-franckgirard.net: could not connect to host
 francois-vidit.com: did not receive HSTS header
 frangor.info: did not receive HSTS header
 frankedier.com: did not receive HSTS header
@@ -6225,61 +6629,68 @@ frasys.cloud: max-age too low: 2592000
 frasys.io: could not connect to host
 fraudempire.com: could not connect to host
 freakyamazing.com: could not connect to host
-freakyaweso.me: max-age too low: 86400
-freakyawesome.band: could not connect to host
-freakyawesome.blog: could not connect to host
-freakyawesome.ca: could not connect to host
-freakyawesome.club: could not connect to host
-freakyawesome.co: could not connect to host
-freakyawesome.co.uk: could not connect to host
-freakyawesome.com: could not connect to host
-freakyawesome.company: could not connect to host
-freakyawesome.email: could not connect to host
-freakyawesome.events: could not connect to host
-freakyawesome.fashion: could not connect to host
-freakyawesome.fitness: could not connect to host
-freakyawesome.fm: could not connect to host
-freakyawesome.fun: could not connect to host
-freakyawesome.fyi: could not connect to host
-freakyawesome.games: could not connect to host
-freakyawesome.guide: could not connect to host
-freakyawesome.guru: could not connect to host
-freakyawesome.in: could not connect to host
-freakyawesome.info: could not connect to host
-freakyawesome.io: could not connect to host
-freakyawesome.life: could not connect to host
-freakyawesome.live: could not connect to host
-freakyawesome.marketing: could not connect to host
-freakyawesome.me: could not connect to host
-freakyawesome.media: could not connect to host
-freakyawesome.net: could not connect to host
-freakyawesome.network: could not connect to host
-freakyawesome.news: could not connect to host
-freakyawesome.online: could not connect to host
-freakyawesome.org: could not connect to host
-freakyawesome.photography: could not connect to host
-freakyawesome.photos: could not connect to host
-freakyawesome.press: could not connect to host
-freakyawesome.recipes: could not connect to host
-freakyawesome.rentals: could not connect to host
-freakyawesome.reviews: could not connect to host
-freakyawesome.services: could not connect to host
-freakyawesome.shop: could not connect to host
-freakyawesome.site: could not connect to host
-freakyawesome.social: could not connect to host
-freakyawesome.software: could not connect to host
+freakyaweso.me: did not receive HSTS header
+freakyawesome.blog: max-age too low: 86400
+freakyawesome.club: did not receive HSTS header
+freakyawesome.co: did not receive HSTS header
+freakyawesome.com: did not receive HSTS header
+freakyawesome.company: did not receive HSTS header
+freakyawesome.dance: did not receive HSTS header
+freakyawesome.design: could not connect to host
+freakyawesome.education: did not receive HSTS header
+freakyawesome.email: did not receive HSTS header
+freakyawesome.events: did not receive HSTS header
+freakyawesome.fashion: did not receive HSTS header
+freakyawesome.fitness: did not receive HSTS header
+freakyawesome.fm: did not receive HSTS header
+freakyawesome.fun: did not receive HSTS header
+freakyawesome.fyi: did not receive HSTS header
+freakyawesome.games: did not receive HSTS header
+freakyawesome.guide: did not receive HSTS header
+freakyawesome.guru: did not receive HSTS header
+freakyawesome.info: did not receive HSTS header
+freakyawesome.io: did not receive HSTS header
+freakyawesome.lgbt: did not receive HSTS header
+freakyawesome.life: did not receive HSTS header
+freakyawesome.live: did not receive HSTS header
+freakyawesome.management: did not receive HSTS header
+freakyawesome.marketing: did not receive HSTS header
+freakyawesome.me: did not receive HSTS header
+freakyawesome.media: did not receive HSTS header
+freakyawesome.network: did not receive HSTS header
+freakyawesome.news: did not receive HSTS header
+freakyawesome.online: did not receive HSTS header
+freakyawesome.photography: did not receive HSTS header
+freakyawesome.photos: did not receive HSTS header
+freakyawesome.press: did not receive HSTS header
+freakyawesome.recipes: did not receive HSTS header
+freakyawesome.rentals: did not receive HSTS header
+freakyawesome.reviews: did not receive HSTS header
+freakyawesome.science: did not receive HSTS header
+freakyawesome.services: did not receive HSTS header
+freakyawesome.shop: did not receive HSTS header
+freakyawesome.site: did not receive HSTS header
+freakyawesome.social: did not receive HSTS header
+freakyawesome.software: did not receive HSTS header
 freakyawesome.solutions: could not connect to host
-freakyawesome.store: could not connect to host
-freakyawesome.team: could not connect to host
-freakyawesome.tips: could not connect to host
-freakyawesome.today: could not connect to host
-freakyawesome.tours: could not connect to host
-freakyawesome.tv: could not connect to host
-freakyawesome.video: could not connect to host
-freakyawesome.website: could not connect to host
-freakyawesome.work: could not connect to host
+freakyawesome.space: did not receive HSTS header
+freakyawesome.store: did not receive HSTS header
+freakyawesome.support: did not receive HSTS header
+freakyawesome.team: did not receive HSTS header
+freakyawesome.tech: did not receive HSTS header
+freakyawesome.technology: did not receive HSTS header
+freakyawesome.tips: did not receive HSTS header
+freakyawesome.today: did not receive HSTS header
+freakyawesome.tours: did not receive HSTS header
+freakyawesome.training: did not receive HSTS header
+freakyawesome.tv: did not receive HSTS header
+freakyawesome.video: did not receive HSTS header
+freakyawesome.website: did not receive HSTS header
+freakyawesome.work: did not receive HSTS header
 freakyawesome.world: could not connect to host
-freakyawesome.xyz: could not connect to host
+freakyawesome.wtf: did not receive HSTS header
+freakyawesome.xyz: did not receive HSTS header
+freakyawesome.yoga: could not connect to host
 freakyawesomeblog.com: could not connect to host
 freakyawesomeio.com: could not connect to host
 freakyawesomemedia.com: could not connect to host
@@ -6291,54 +6702,63 @@ freakyawesometeam.com: could not connect to host
 freakyawesometheme.com: could not connect to host
 freakyawesomethemes.com: could not connect to host
 freakyawesomewp.com: could not connect to host
+frebi.org: could not connect to host
+frebib.co.uk: could not connect to host
+frebib.com: could not connect to host
+frebib.me: could not connect to host
+frebib.net: could not connect to host
 freddythechick.uk: could not connect to host
-fredericcote.com: did not receive HSTS header
+fredericcote.com: could not connect to host
+frederickalcantara.com: could not connect to host
 fredliang.cn: could not connect to host
+fredriksslekt.se: did not receive HSTS header
+free-your-pc.com: could not connect to host
 free8.xyz: could not connect to host
 freeasinlliure.org: did not receive HSTS header
-freeassangenow.org: did not receive HSTS header
 freeben666.fr: could not connect to host
+freebies.id: could not connect to host
 freeblog.me: could not connect to host
 freebookmakerbets.com.au: did not receive HSTS header
-freebus.org: could not connect to host
+freecookies.nl: did not receive HSTS header
 freedomrealtyoftexas.com: did not receive HSTS header
 freedomvote.nl: could not connect to host
 freeexampapers.com: could not connect to host
 freeflow.tv: could not connect to host
 freehao123.cn: could not connect to host
 freejidi.com: could not connect to host
-freekdevries.nl: did not receive HSTS header
+freelancecollab.com: could not connect to host
 freelanced.co.za: could not connect to host
+freelanceshipping.com: did not receive HSTS header
 freelandinnovation.com: did not receive HSTS header
 freelansir.com: could not connect to host
 freemanning.de: could not connect to host
 freematthale.net: did not receive HSTS header
+freepoints.us: could not connect to host
 freeslots.guru: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 freesoftwaredriver.com: could not connect to host
 freesounding.com: did not receive HSTS header
 freesounding.ru: did not receive HSTS header
-freesourcestl.org: did not receive HSTS header
-freesquare.net: did not receive HSTS header
 freethought.org.au: could not connect to host
 freeutopia.org: did not receive HSTS header
+freevps.us: did not receive HSTS header
+freitasul.com.br: could not connect to host
+freitasul.io: could not connect to host
 frenzel.dk: could not connect to host
 freqlabs.com: did not receive HSTS header
 freshfind.xyz: could not connect to host
-freshlymind.com: did not receive HSTS header
+freshkiss.com.au: did not receive HSTS header
+freshmaza.com: could not connect to host
 freshmaza.io: did not receive HSTS header
 frettboard.com: did not receive HSTS header
 frezbo.com: could not connect to host
 frforms.com: did not receive HSTS header
-frickelboxx.de: could not connect to host
 frickenate.com: could not connect to host
 fridaperfumaria.com.br: could not connect to host
 friedhelm-wolf.de: could not connect to host
 friendica.ch: could not connect to host
 friendlyfiregameshow.com: could not connect to host
-friendship-quotes.co.uk: could not connect to host
 friller.com.au: did not receive HSTS header
 frimons.com: max-age too low: 7889238
-fringeintravel.com: did not receive HSTS header
 fritteli.ch: did not receive HSTS header
 frodriguez.xyz: could not connect to host
 froehlich.it: did not receive HSTS header
@@ -6346,27 +6766,30 @@ froggstack.de: could not connect to host
 frolov.net: could not connect to host
 fromix.de: could not connect to host
 fromlemaytoz.com: could not connect to host
+fromthesoutherncross.com: could not connect to host
 front-end.dog: could not connect to host
+frontierdiscount.com: did not receive HSTS header
 frontisme.nl: did not receive HSTS header
 frontline.cloud: did not receive HSTS header
 frontline6.com: did not receive HSTS header
 frontmin.com: did not receive HSTS header
 frost-ci.xyz: could not connect to host
-frostbytes.net: did not receive HSTS header
+frostbytes.net: could not connect to host
 frosty-gaming.xyz: could not connect to host
 frp-roleplay.de: could not connect to host
 frprn.com: could not connect to host
 frprn.xxx: could not connect to host
 frsis2017.com: could not connect to host
 frugal-millennial.com: did not receive HSTS header
-fruitscale.com: could not connect to host
 fruitusers.com: could not connect to host
 frumious.fyi: could not connect to host
 frusky.net: could not connect to host
+fs-fitness.eu: could not connect to host
 fs-gamenet.de: did not receive HSTS header
 fsf.moe: could not connect to host
 fsfi.is: could not connect to host
 fsinf.at: did not receive HSTS header
+fsj4u.ch: did not receive HSTS header
 fspphoto.com: could not connect to host
 fsradio.eu: did not receive HSTS header
 fsrs.gov: could not connect to host
@@ -6380,16 +6803,21 @@ ftgho.com: could not connect to host
 ftpi.ml: could not connect to host
 fu-li88.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 fu-li88.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+fu639.top: did not receive HSTS header
 fuchsy.com: could not connect to host
 fuckbilibili.com: could not connect to host
 fuckcf.cf: could not connect to host
 fuckgfw233.org: could not connect to host
+fuckobr.com: could not connect to host
+fuckobr.net: could not connect to host
+fuckobr.org: could not connect to host
 fuckobr.ru: could not connect to host
+fuckobr.su: could not connect to host
 fudanshi.org: could not connect to host
 fuelministry.com: did not receive HSTS header
+fugamo.de: did not receive HSTS header
 fugle.de: could not connect to host
 fuitedeau.ch: could not connect to host
-fujianshipbuilding.com: could not connect to host
 fujiorganics.com: did not receive HSTS header
 fukuko.biz: could not connect to host
 fukuko.xyz: could not connect to host
@@ -6405,11 +6833,13 @@ fumiware.com: could not connect to host
 fun25.tk: could not connect to host
 fun9.cc: could not connect to host
 fun99.cc: could not connect to host
-funarena.com.ua: did not receive HSTS header
+funarena.com.ua: could not connect to host
 fundacionfranciscofiasco.org: could not connect to host
 fundacionhijosdelsol.org: could not connect to host
 fundayltd.com: could not connect to host
 funderburg.me: did not receive HSTS header
+fundingempire.com: could not connect to host
+funerariahogardecristo.cl: did not receive HSTS header
 fungame.eu: did not receive HSTS header
 funi4u.com: could not connect to host
 funideas.org: could not connect to host
@@ -6423,25 +6853,26 @@ funtastic-event-hire.co.uk: did not receive HSTS header
 funtastic.ie: could not connect to host
 funtimebourne.co.uk: did not receive HSTS header
 fuorifuocogenova.it: could not connect to host
+furaje-iasi.com: could not connect to host
+furcity.me: could not connect to host
 furi.ga: could not connect to host
 furiffic.com: did not receive HSTS header
+furikake.xyz: could not connect to host
 furnation.com: could not connect to host
-furnishedproperty.com.au: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 furnitureconcept.co.uk: could not connect to host
 furry.agency: could not connect to host
 furry.be: did not receive HSTS header
 furry.zone: did not receive HSTS header
-fursuitbutts.com: could not connect to host
 furtherfood.com: did not receive HSTS header
 furtivelook.com: did not receive HSTS header
 fusedrops.com: did not receive HSTS header
 fusionmate.com: could not connect to host
-fussell.io: could not connect to host
 futa.agency: could not connect to host
 futbol11.com: did not receive HSTS header
-futbolvivo.tv: did not receive HSTS header
+futbolvivo.tv: could not connect to host
 futos.de: could not connect to host
 futurefire.de: could not connect to host
+futurefundapp.com: could not connect to host
 futuresonline.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 futurestarsusa.org: did not receive HSTS header
 futuretechnologi.es: could not connect to host
@@ -6456,15 +6887,16 @@ fws.gov: did not receive HSTS header
 fwww7.com: could not connect to host
 fxgame.online: could not connect to host
 fxpig-ib.com: could not connect to host
-fxtalk.cn: could not connect to host
 fxwebstudio.com.au: max-age too low: 0
+fydjbsd.cn: could not connect to host
 fyodorpi.com: did not receive HSTS header
 fyol.pw: could not connect to host
 fysiohaenraets.nl: did not receive HSTS header
 fzn.io: did not receive HSTS header
 fzslm.me: did not receive HSTS header
 g-i-s.vn: did not receive HSTS header
-g-marketing.ro: did not receive HSTS header
+g-marketing.ro: could not connect to host
+g-o.pl: did not receive HSTS header
 g-rickroll-o.pw: could not connect to host
 g01.in.ua: could not connect to host
 g1jeu.com: could not connect to host
@@ -6474,41 +6906,46 @@ g2a.co: did not receive HSTS header
 g2g.com: did not receive HSTS header
 g4w.co: could not connect to host (error ignored - included regardless)
 g5led.nl: could not connect to host
+g6666g.tk: could not connect to host
 g77.ca: could not connect to host
 gaanbaksho.com.au: did not receive HSTS header
 gaasuper6.com: could not connect to host
 gabber.scot: could not connect to host
 gabethebabetv.com: could not connect to host
 gabi.com.es: could not connect to host
-gabi.soy: could not connect to host
+gabi.soy: did not receive HSTS header
 gabi.uno: could not connect to host
 gablaxian.com: max-age too low: 2592000
 gabriele-kluge.de: could not connect to host
+gabrielsimonet.ch: could not connect to host
 gaelleetarnaud.com: did not receive HSTS header
 gafachi.com: could not connect to host
+gagne-enterprises.com: did not receive HSTS header
 gaichanh.com: did not receive HSTS header
-gailfellowsphotography.com: could not connect to host
 gainesvillegoneaustin.org: did not receive HSTS header
 gaiserik.com: did not receive HSTS header
 gaite.me: did not receive HSTS header
 gajas18.com: could not connect to host
-gakkainavi.net: could not connect to host
+gakkainavi-epsilon.jp: could not connect to host
 gakkainavi4.com: could not connect to host
+gala.kiev.ua: could not connect to host
 galardi.org: could not connect to host
 galena.io: could not connect to host
 galenskap.eu: could not connect to host
 galeriadobimba.com.br: could not connect to host
+galeriart.xyz: could not connect to host
 galerieautodirect.com: did not receive HSTS header
 galgoafegao.com.br: could not connect to host
 galgoingles.com.br: could not connect to host
 galgopersa.com.br: could not connect to host
 gali.review: did not receive HSTS header
 galileomtz.com: did not receive HSTS header
+gallerify.eu: could not connect to host
 gallery44.org: did not receive HSTS header
 galoisvpn.xyz: could not connect to host
 gam3rs.de: could not connect to host
+gamajo.com: did not receive HSTS header
 gambitcloud.net: could not connect to host
-game-files.net: did not receive HSTS header
 game-gentle.com: could not connect to host
 game.yt: could not connect to host
 game88city.com: could not connect to host
@@ -6542,8 +6979,11 @@ gametium.es: could not connect to host
 gamhealth.net: could not connect to host
 gamingmedia.eu: did not receive HSTS header
 gamingreinvented.com: did not receive HSTS header
+gamismodelbaru.com: did not receive HSTS header
+gamismu.com: did not receive HSTS header
 gamoice.com: did not receive HSTS header
 gampenhof.de: could not connect to host
+gan.wtf: could not connect to host
 gangnam-club.com: could not connect to host
 gangnam-karaoke.com: did not receive HSTS header
 ganhonet.com.br: did not receive HSTS header
@@ -6551,6 +6991,7 @@ ganyouxuan.com: could not connect to host
 ganzgraph.de: did not receive HSTS header
 gaon.network: could not connect to host
 gaptek.id: did not receive HSTS header
+gar-nich.net: could not connect to host
 garage-abri-chalet.fr: did not receive HSTS header
 garage-door.pro: could not connect to host
 garageon.net: did not receive HSTS header
@@ -6561,8 +7002,6 @@ garciniacambogiareviewed.co: did not receive HSTS header
 garden-life.org: could not connect to host
 garden.trade: could not connect to host
 gardencarezone.com: did not receive HSTS header
-garethkirk.com: could not connect to host
-garethkirkreviews.com: could not connect to host
 garfieldairlines.net: did not receive HSTS header
 garten-bau.ch: did not receive HSTS header
 garten-diy.de: could not connect to host
@@ -6570,6 +7009,7 @@ gartenhauszentrum.de: [Exception... "Component returned failure code: 0x80004005
 gasbarkenora.com: could not connect to host
 gasnews.net: could not connect to host
 gasser-daniel.ch: did not receive HSTS header
+gassouthkenticoqa.azurewebsites.net: could not connect to host
 gastauftritt.net: did not receive HSTS header
 gastritisolucion.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 gatapro.net: could not connect to host
@@ -6580,12 +7020,13 @@ gatilagata.com.br: could not connect to host
 gatomix.net: could not connect to host
 gatorsa.es: could not connect to host
 gaussorgues.me: could not connect to host
-gautham.pro: could not connect to host
+gautham.pro: did not receive HSTS header
 gavick.com: did not receive HSTS header
 gay-jays.com: could not connect to host
 gay-sissies.com: could not connect to host
-gaya-sa.org: did not receive HSTS header
-gaycc.cc: did not receive HSTS header
+gaya-sa.org: could not connect to host
+gayauthors.org: could not connect to host
+gayforgenji.com: could not connect to host
 gaygeeks.de: could not connect to host
 gayjays.com: could not connect to host
 gaysfisting.com: could not connect to host
@@ -6601,19 +7042,23 @@ gchp.ie: did not receive HSTS header
 gcodetools.com: could not connect to host
 gdegem.org: did not receive HSTS header
 gdevpenze.ru: could not connect to host
-gdprhallofshame.com: could not connect to host
+gdprhallofshame.com: did not receive HSTS header
 gdutnic.com: could not connect to host
 gdz-otvety.com: could not connect to host
+gdz.tv: could not connect to host
 gear-acquisition-syndrome.community: could not connect to host
 gearseo.com.br: did not receive HSTS header
 geaskb.nl: could not connect to host
+geass.xyz: could not connect to host
 geblitzt.de: did not receive HSTS header
 gedankenbude.info: could not connect to host
 gedankenworks.com: could not connect to host
+geek.ch: could not connect to host
+geek1.de: did not receive HSTS header
 geekbaba.com: could not connect to host
 geekcast.co.uk: could not connect to host
 geekchimp.com: could not connect to host
-geekdt.com: did not receive HSTS header
+geekdt.com: could not connect to host
 geekmind.org: max-age too low: 172800
 geeks.berlin: could not connect to host
 geeks.lgbt: could not connect to host
@@ -6625,15 +7070,18 @@ geemo.top: could not connect to host
 gehrke.nrw: could not connect to host
 geigr.de: could not connect to host
 geiser.io: did not receive HSTS header
+gekosoft.eu: could not connect to host
 geldteveel.eu: could not connect to host
 geli-graphics.com: did not receive HSTS header
 gemeinfreie-lieder.de: did not receive HSTS header
 gemsoftheworld.org: could not connect to host
 gemuplay.com: could not connect to host
+genbright.com: could not connect to host
 genemesservwparts.com: could not connect to host
+general-insurance.tk: could not connect to host
 generalpants.com.au: did not receive HSTS header
 generationnext.pl: could not connect to host
-genesischangelog.com: could not connect to host
+genesischangelog.com: did not receive HSTS header
 geneve.guide: could not connect to host
 genia-life.de: could not connect to host
 genie-seiner-generation.de: did not receive HSTS header
@@ -6644,28 +7092,32 @@ genshiken.org: could not connect to host
 gensokyo.chat: could not connect to host
 genuu.com: did not receive HSTS header
 genuxation.com: could not connect to host
-genxbeats.com: did not receive HSTS header
+genuxtsg.com: did not receive HSTS header
+genxbeats.com: could not connect to host
+genxnotes.com: could not connect to host
 genyaa.com: could not connect to host
 genyhitch.com: did not receive HSTS header
 geocommunicator.gov: could not connect to host
 geoffanderinmyers.com: did not receive HSTS header
 geoffdev.com: could not connect to host
 geoffmyers.com: did not receive HSTS header
-geoffreyrichard.com: could not connect to host
+geoffreyrichard.com: did not receive HSTS header
 geopals.net: did not receive HSTS header
-georgeperez.me: did not receive HSTS header
+georgehalachev.com: did not receive HSTS header
+georgeperez.me: could not connect to host
 georgesonarthurs.com.au: did not receive HSTS header
+gepe.ch: did not receive HSTS header
 gereja.ga: max-age too low: 1209600
 gerencianet.com.br: did not receive HSTS header
 gereon.ch: could not connect to host
 geri.be: could not connect to host
+germancraft.net: could not connect to host
 germansoldiers.net: could not connect to host
 gers-authentique.com: could not connect to host
 gerum.dynv6.net: did not receive HSTS header
 geschenkly.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 geschmackspiloten.de: did not receive HSTS header
 gesiwista.net: did not receive HSTS header
-gestorehotel.com: did not receive HSTS header
 gesunde-smoothies.de: did not receive HSTS header
 gesundes-im-napf.de: did not receive HSTS header
 get-asterisk.ru: could not connect to host
@@ -6679,6 +7131,7 @@ getcarina.com: could not connect to host
 getcleartouch.com: did not receive HSTS header
 getcolor.com: did not receive HSTS header
 getdigitized.net: could not connect to host
+geteduroam.no: could not connect to host
 getenergized2018.kpn: could not connect to host
 getfestify.com: did not receive HSTS header
 getfilterlive.org: could not connect to host
@@ -6697,6 +7150,7 @@ getgeek.se: did not receive HSTS header
 getinternet.de: did not receive HSTS header
 getkai.co.nz: did not receive HSTS header
 getlantern.org: did not receive HSTS header
+getleanflorida.gov: could not connect to host
 getlifti.com: could not connect to host
 getlittleapps.com: could not connect to host
 getlolaccount.com: did not receive HSTS header
@@ -6718,6 +7172,7 @@ getsubs.net: could not connect to host
 getwarden.net: could not connect to host
 getwashdaddy.com: could not connect to host
 getweloop.io: did not receive HSTS header
+getyou.onl: could not connect to host
 getyourphix.tk: could not connect to host
 gevaulug.fr: could not connect to host
 gfbouncycastles.co.uk: did not receive HSTS header
@@ -6726,7 +7181,7 @@ gflclan.ru: could not connect to host
 gfm.tech: could not connect to host
 gfoss.gr: could not connect to host
 gfw.moe: could not connect to host
-gfwno.win: did not receive HSTS header
+gfwno.win: could not connect to host
 gfwsb.ml: could not connect to host
 gglks.com: could not connect to host
 ggobbo.com: could not connect to host
@@ -6734,7 +7189,7 @@ ggrks-asano.com: could not connect to host
 ggss.cf: could not connect to host
 ggss.ml: could not connect to host
 gh16.com.ar: could not connect to host
-ghcif.de: did not receive HSTS header
+ghcif.de: could not connect to host
 gheorghe-sarcov.ga: could not connect to host
 gheorghesarcov.ga: could not connect to host
 gheorghesarcov.tk: could not connect to host
@@ -6746,13 +7201,16 @@ ghowell.io: could not connect to host
 gianlucapartengo.photography: did not receive HSTS header
 giant-powerfit.co.uk: did not receive HSTS header
 gibraltar-firma.com: did not receive HSTS header
+gibraltar.at: could not connect to host
+gicl.dk: could not connect to host
 giddyaunt.net: could not connect to host
 gidea.nu: could not connect to host
 giduv.com: did not receive HSTS header
-giegler.software: did not receive HSTS header
+giegler.software: could not connect to host
 giftbg.org: did not receive HSTS header
+giftedconsortium.com: could not connect to host
 giftgofers.com: max-age too low: 2592000
-giftservices.nl: did not receive HSTS header
+giftservices.nl: could not connect to host
 gifzilla.net: could not connect to host
 gigacloud.org: could not connect to host
 gigawattz.com: did not receive HSTS header
@@ -6763,12 +7221,15 @@ gilescountytn.gov: did not receive HSTS header
 gilgaz.com: did not receive HSTS header
 gillet-cros.fr: could not connect to host
 gilly.berlin: did not receive HSTS header
+gilpinmanagement.com: did not receive HSTS header
+gilpinrealty.com: did not receive HSTS header
 gilroywestwood.org: did not receive HSTS header
 gincher.net: did not receive HSTS header
 gingali.de: did not receive HSTS header
 ginie.de: did not receive HSTS header
 ginijony.com: did not receive HSTS header
 ginkel.com: did not receive HSTS header
+ginnegappen.nl: could not connect to host
 gintenreiter-photography.com: did not receive HSTS header
 giochistem.it: could not connect to host
 giogadesign.com: did not receive HSTS header
@@ -6776,26 +7237,31 @@ gip-carif-idf.net: could not connect to host
 gip-carif-idf.org: could not connect to host
 gipsamsfashion.com: could not connect to host
 gipsic.com: did not receive HSTS header
+giraffeinflatables.co.uk: did not receive HSTS header
 girlsgonesporty.com: could not connect to host
 girlsnet.work: could not connect to host
-girsa.org: could not connect to host
 gis3m.org: did not receive HSTS header
 gisac.org: did not receive HSTS header
 gistfy.com: could not connect to host
 git-stuff.tk: could not connect to host
+git.ac.cn: could not connect to host
 git.co: could not connect to host
 gitar.io: could not connect to host
 github.party: did not receive HSTS header
 givemyanswer.com: could not connect to host
 giverang.biz: could not connect to host
 giverang.com: could not connect to host
+givip.eu: could not connect to host
 gix.net.pl: could not connect to host
 gixtools.co.uk: could not connect to host
 gixtools.uk: could not connect to host
 gizmo.ovh: could not connect to host
 gizzo.sk: could not connect to host
+gkimanyar.org: did not receive HSTS header
 glabiatoren-kst.de: could not connect to host
 gladystudio.com: did not receive HSTS header
+glahcks.com: could not connect to host
+glaspe.com: could not connect to host
 glass.google.com: did not receive HSTS header (error ignored - included regardless)
 glasslikes.com: did not receive HSTS header
 glbg.eu: did not receive HSTS header
@@ -6804,12 +7270,13 @@ glenavy.tk: could not connect to host
 glencambria.com: could not connect to host
 glencoveny.gov: could not connect to host
 glentakahashi.com: could not connect to host
-glicerina.online: did not receive HSTS header
+glicerina.online: could not connect to host
 glittersjabloon.nl: did not receive HSTS header
 glitzmirror.com: could not connect to host
 glnpo.gov: could not connect to host
+global.hr: could not connect to host
 globalado.com: could not connect to host
-globalbridge-japan.com: could not connect to host
+globalbridge-japan.com: did not receive HSTS header
 globalelite.black: did not receive HSTS header
 globalexpert.co.nz: could not connect to host
 globalgivingtime.com: could not connect to host
@@ -6818,10 +7285,9 @@ globalinstitutefortraining.org.au: did not receive HSTS header
 globalittech.com: could not connect to host
 globalmoneyapp.com: could not connect to host
 globalmusic.ga: could not connect to host
-globalnewsdaily.cf: could not connect to host
+globalnewsdaily.cf: did not receive HSTS header
 globalnomadvintage.com: could not connect to host
 globalperspectivescanada.com: could not connect to host
-globalresistancecorporation.com: could not connect to host
 globalsites.nl: did not receive HSTS header
 globaltennis.ca: could not connect to host
 globalvisions-events.ch: could not connect to host
@@ -6840,11 +7306,10 @@ gmantra.org: max-age too low: 7776000
 gmanukyan.com: could not connect to host
 gmat.ovh: could not connect to host
 gmoes.at: did not receive HSTS header
-gmplab.com: could not connect to host
+gmplab.com: did not receive HSTS header
 gnaptracker.tk: could not connect to host
 gnom.me: could not connect to host
 gnosticjade.net: did not receive HSTS header
-gnwp.eu: could not connect to host
 gnylf.com: could not connect to host
 go.ax: did not receive HSTS header
 go2sh.de: did not receive HSTS header
@@ -6855,7 +7320,6 @@ goaltree.ch: did not receive HSTS header
 goapunks.net: did not receive HSTS header
 goat.chat: did not receive HSTS header
 goat.xyz: could not connect to host
-goatbot.xyz: could not connect to host
 goben.ch: could not connect to host
 goblins.net: did not receive HSTS header
 goblinsatwork.com: could not connect to host
@@ -6866,7 +7330,9 @@ godbo9.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_
 godbo9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 godbo9.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 godesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+godofnea.com: could not connect to host
 godrealms.com: could not connect to host
+godruoyi.com: did not receive HSTS header
 goedeke.ml: could not connect to host
 goerner.me: did not receive HSTS header
 goesta-hallenbau.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -6875,7 +7341,7 @@ gogenenglish.com: could not connect to host
 gogetssl.com: did not receive HSTS header
 goggs.eu: could not connect to host
 gogold-g.com: could not connect to host
-goguel.org: could not connect to host
+goguel.org: did not receive HSTS header
 goiaspropaganda.com.br: could not connect to host
 gold24.in: could not connect to host
 goldclubcasino.com: could not connect to host
@@ -6895,7 +7361,8 @@ gong8.win: could not connect to host
 gonkar.com: did not receive HSTS header
 gonzalesca.gov: did not receive HSTS header
 gonzalosanchez.mx: did not receive HSTS header
-goodeats.nyc: did not receive HSTS header
+gooddomainna.me: could not connect to host
+goodeats.nyc: could not connect to host
 goodfeels.net: could not connect to host
 goodfurday.ca: could not connect to host
 goodmengroup.de: did not receive HSTS header
@@ -6915,9 +7382,6 @@ goozz.nl: did not receive HSTS header
 gopay.cz: did not receive HSTS header
 gopokego.cz: could not connect to host
 goranrango.ch: could not connect to host
-gordonobrecht.com: did not receive HSTS header
-gorf.chat: could not connect to host
-gorf.club: could not connect to host
 gorgiaxx.com: could not connect to host
 gorilla-gym.site: could not connect to host
 gorillow.com: could not connect to host
@@ -6926,21 +7390,18 @@ gosharewood.com: did not receive HSTS header
 goshop.cz: did not receive HSTS header
 goshow.tv: could not connect to host
 gostream.asia: could not connect to host
-gosuland.org: did not receive HSTS header
-got-tty.de: did not receive HSTS header
 gotgenes.com: could not connect to host
 goto.google.com: did not receive HSTS header (error ignored - included regardless)
 gotobrno.cz: did not receive HSTS header
 gotocloud.ru: could not connect to host
 gotowned.org: could not connect to host
 gotspot.com: could not connect to host
-gottfridsberg.org: could not connect to host
 gottfriedfeyen.com: did not receive HSTS header
 goubi.me: did not receive HSTS header
 goujianwen.com: did not receive HSTS header
 goukon.ru: could not connect to host
 gourmettia.com: did not receive HSTS header
-gouthro-goteborg.se: could not connect to host
+gouthro-goteborg.se: did not receive HSTS header
 gouv.ovh: did not receive HSTS header
 gov.ax: could not connect to host
 goverage.org: could not connect to host
@@ -6951,10 +7412,13 @@ gozadentro.com: could not connect to host
 gozel.com.tr: did not receive HSTS header
 gpalabs.com: could not connect to host
 gparent.org: did not receive HSTS header
+gpfclan.de: could not connect to host
 gpga.cf: could not connect to host
 gplintegratedit.com: could not connect to host
 gpo.gov: did not receive HSTS header
 gps.com.br: could not connect to host
+gpsarena.ro: could not connect to host
+gpsfix.cz: could not connect to host
 gpstuner.com: did not receive HSTS header
 graavaapi.elasticbeanstalk.com: could not connect to host
 grabi.ga: could not connect to host
@@ -6962,19 +7426,18 @@ gracechurchpc.net: could not connect to host
 graceful-project.eu: did not receive HSTS header
 gracesofgrief.com: could not connect to host
 grachtenpandverkopen.nl: could not connect to host
-grademymac.com: did not receive HSTS header
-grademypc.com: did not receive HSTS header
+grademymac.com: could not connect to host
+grademypc.com: could not connect to host
 gradenotify.com: could not connect to host
 grads360.org: could not connect to host
 gradsm-ci.net: could not connect to host
 grafitec.ru: did not receive HSTS header
-grafmurr.de: could not connect to host
 graftworld.pw: could not connect to host
 grahamofthewheels.com: did not receive HSTS header
 grana.com: did not receive HSTS header
 grandchamproofing.com: did not receive HSTS header
 grandlinecsk.ru: did not receive HSTS header
-grandmascookieblog.com: did not receive HSTS header
+grandmascookieblog.com: could not connect to host
 grandmasfridge.org: did not receive HSTS header
 grandwailea.com: did not receive HSTS header
 granian.pro: could not connect to host
@@ -6982,10 +7445,12 @@ grantedby.me: max-age too low: 0
 granth.io: could not connect to host
 graph.no: did not receive HSTS header
 graphified.nl: did not receive HSTS header
+graphire.io: could not connect to host
 graphite.org.uk: could not connect to host
 graphsearchengine.com: could not connect to host
 gratis-app.com: did not receive HSTS header
 gratisonlinesex.com: could not connect to host
+gravitation.pro: could not connect to host
 gravito.nl: did not receive HSTS header
 gravity-net.de: could not connect to host
 graycell.net: could not connect to host
@@ -6997,15 +7462,24 @@ greatfire.kr: could not connect to host
 greatideahub.com: did not receive HSTS header
 greatlengthshairextensionssalon.com: did not receive HSTS header
 greatnet.de: did not receive HSTS header
-greatsong.net: did not receive HSTS header
+greatsong.net: max-age too low: 2592000
+greedbutt.com: max-age too low: 2592000
+green-light.cf: could not connect to host
+green-light.ga: could not connect to host
+green-light.gq: could not connect to host
+green-light.ml: could not connect to host
+greenbaysecuritysolutions.com: did not receive HSTS header
 greencardtalent.com: could not connect to host
 greenconn.ca: could not connect to host
+greendroid.de: did not receive HSTS header
 greenenergysolution.uk: did not receive HSTS header
 greenesting.ch: could not connect to host
 greenesting.com: could not connect to host
+greenglam.biz: did not receive HSTS header
+greengoblindev.com: could not connect to host
 greengov.gov: could not connect to host
 greenhillantiques.co.uk: did not receive HSTS header
-greenitpark.net: could not connect to host
+greenitpark.net: did not receive HSTS header
 greensolid.biz: could not connect to host
 greenville.ag: did not receive HSTS header
 greenvines.com.tw: did not receive HSTS header
@@ -7013,7 +7487,6 @@ greenvpn.ltd: could not connect to host
 greenvpn.pro: did not receive HSTS header
 greggsfoundation.org.uk: could not connect to host
 gregmartyn.com: could not connect to host
-gregmarziomedia.co.za: did not receive HSTS header
 gregmilton.org: could not connect to host
 gregorytlee.me: could not connect to host
 grekland.guide: could not connect to host
@@ -7025,12 +7498,12 @@ grettogeek.com: did not receive HSTS header
 greuel.online: could not connect to host
 greve.xyz: could not connect to host
 grevesgarten.de: could not connect to host
-greyhash.se: could not connect to host
 greyline.se: could not connect to host
 grian-bam.at: did not receive HSTS header
 gribani.com: could not connect to host
 grid2osm.org: could not connect to host
 gridle.io: did not receive HSTS header
+griecopelino.com: did not receive HSTS header
 grifomarchetti.com: did not receive HSTS header
 grigalanzsoftware.com: could not connect to host
 grillinfools.com: did not receive HSTS header
@@ -7039,9 +7512,8 @@ gripopgriep.net: could not connect to host
 gritte.net: could not connect to host
 griyo.online: could not connect to host
 groben-itsolutions.de: could not connect to host
-groenders.nl: could not connect to host
+groenders.nl: did not receive HSTS header
 groenewoud.run: could not connect to host
-groenteclub.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 groentefruitzeep.com: could not connect to host
 groentefruitzeep.nl: could not connect to host
 groetzner.net: did not receive HSTS header
@@ -7049,6 +7521,7 @@ groseb.net: did not receive HSTS header
 grossell.ru: could not connect to host
 grossmann.gr: could not connect to host
 grossmisconduct.news: could not connect to host
+grouchysysadmin.com: could not connect to host
 groupe-cassous.com: did not receive HSTS header
 groups.google.com: did not receive HSTS header (error ignored - included regardless)
 grow-shop.ee: could not connect to host
@@ -7057,7 +7530,6 @@ grow-shop.lv: could not connect to host
 growingmetrics.com: could not connect to host
 grozip.com: did not receive HSTS header
 gruelang.org: could not connect to host
-gruenderwoche-dresden.de: did not receive HSTS header
 grumples.biz: did not receive HSTS header
 grunex.com: did not receive HSTS header
 grupopgn.com.br: could not connect to host
@@ -7070,12 +7542,16 @@ gs-net.at: could not connect to host
 gsm-map.com: could not connect to host
 gsmkungen.com: could not connect to host
 gsnort.com: did not receive HSTS header
+gtalife.net: did not receive HSTS header
 gtamodshop.org: could not connect to host
 gtanda.tk: could not connect to host
+gtdgo.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 gtech.work: did not receive HSTS header
 gtldna.com: could not connect to host
 gtraxapp.com: could not connect to host
+gts-dp.de: did not receive HSTS header
 gts-schulsoftware.de: did not receive HSTS header
+gtts.space: did not receive HSTS header
 guarajubaimoveis.com.br: did not receive HSTS header
 guava.studio: did not receive HSTS header
 gudangpangan.id: could not connect to host
@@ -7083,6 +7559,7 @@ gudrun.ml: could not connect to host
 guelphhydropool.com: could not connect to host
 guendra.dedyn.io: could not connect to host
 guentherhouse.com: did not receive HSTS header
+gufen.ga: could not connect to host
 guffrits.com: could not connect to host
 gugaltika-ipb.org: could not connect to host
 guge.gq: could not connect to host
@@ -7104,18 +7581,20 @@ gulenet.com: could not connect to host
 gulfcoast-sandbox.com: could not connect to host
 gulitsky.me: could not connect to host
 gulleyperformancecenter.com: did not receive HSTS header
+gulshankumar.net: did not receive HSTS header
 gumannp.de: did not receive HSTS header
+gumballs.com: did not receive HSTS header
 gummibande.noip.me: could not connect to host
 gunhunter.com: could not connect to host
 guniram.com: did not receive HSTS header
 gunnarhafdal.com: did not receive HSTS header
-gunnaro.com: could not connect to host
+gunnaro.com: did not receive HSTS header
 guntbert.net: could not connect to host
 guoqiang.info: did not receive HSTS header
-guphi.net: did not receive HSTS header
 gurochan.ch: could not connect to host
 gurom.lv: could not connect to host
 gurubetng.com: did not receive HSTS header
+gurugardener.co.nz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 gurusupe.com: could not connect to host
 gus.moe: could not connect to host
 guso.gq: could not connect to host
@@ -7124,8 +7603,6 @@ guso.site: could not connect to host
 guso.tech: could not connect to host
 gussi.is: did not receive HSTS header
 guthabenkarten-billiger.de: could not connect to host
-guts.me: did not receive HSTS header
-guts.moe: did not receive HSTS header
 guvernalternativa.ro: could not connect to host
 guyot-tech.com: did not receive HSTS header
 gvchannel.xyz: could not connect to host
@@ -7136,6 +7613,7 @@ gvt2.com: could not connect to host (error ignored - included regardless)
 gvt3.com: could not connect to host (error ignored - included regardless)
 gw2oracle.com: could not connect to host
 gw2reload.eu: could not connect to host
+gwa-verwaltung.de: did not receive HSTS header
 gwijaya.com: could not connect to host
 gwtest.us: could not connect to host
 gxgx.org: could not connect to host
@@ -7159,22 +7637,27 @@ h3x.jp: could not connect to host
 haarkliniek.com: did not receive HSTS header
 habbixed.tk: could not connect to host
 habbo.life: could not connect to host
+habbos.es: could not connect to host
 habbotalk.nl: could not connect to host
 habeo.si: could not connect to host
 hablemosdetecnologia.com.ve: could not connect to host
+habtium.com: could not connect to host
 hac30.com: could not connect to host
+hack.club: could not connect to host
 hack.cz: could not connect to host
 hack.li: could not connect to host
-hackattack.com: did not receive HSTS header
 hackbubble.me: could not connect to host
+hacker.club: could not connect to host
 hacker.deals: could not connect to host
 hacker8.cn: could not connect to host
 hackercat.ninja: max-age too low: 2592000
-hackerchai.com: could not connect to host
 hackerco.com: did not receive HSTS header
 hackerforever.com: did not receive HSTS header
+hackerlite.xyz: max-age too low: 0
 hackerone-ext-adroll.com: could not connect to host
+hackerpoints.com: did not receive HSTS header
 hackerspace-ntnu.no: did not receive HSTS header
+hackerstxt.org: could not connect to host
 hackest.org: did not receive HSTS header
 hackingsafe.com: could not connect to host
 hackit.im: could not connect to host
@@ -7184,6 +7667,8 @@ hacksnack.io: could not connect to host
 hackyourfaceoff.com: could not connect to host
 hackzogtum-coburg.de: did not receive HSTS header
 hadaf.pro: could not connect to host
+hadret.com: did not receive HSTS header
+hadret.sh: could not connect to host
 hadzic.co: could not connect to host
 haeckdesign.com: did not receive HSTS header
 haeckl.eu: did not receive HSTS header
@@ -7192,6 +7677,7 @@ haemmerle.net: [Exception... "Component returned failure code: 0x80004005 (NS_ER
 haf.gr: could not connect to host
 hafoda.com: did not receive HSTS header
 hahayidu.org: could not connect to host
+haidihai.ro: did not receive HSTS header
 hail2u.net: did not receive HSTS header
 hainoni.com: did not receive HSTS header
 hairlossstop.net: could not connect to host
@@ -7209,14 +7695,17 @@ hal-9th.space: could not connect to host
 halcyonsbastion.com: could not connect to host
 half-logic.eu.org: could not connect to host
 halfwaythere.eu: could not connect to host
+halledesprix.fr: did not receive HSTS header
+halloweenthings.website: could not connect to host
 halo.red: could not connect to host
-halta.info: could not connect to host
+halta.info: did not receive HSTS header
 halyul.cc: did not receive HSTS header
 halyul.com: did not receive HSTS header
 haman.nl: could not connect to host
 hamish.ca: did not receive HSTS header
 hamking.tk: could not connect to host
 hammamsayad.com: could not connect to host
+hammer-corp.com: did not receive HSTS header
 hamon.cc: did not receive HSTS header
 hamu.blue: could not connect to host
 hancatemc.com: did not receive HSTS header
@@ -7229,7 +7718,10 @@ handmadegobelin.com: did not receive HSTS header
 handmadeshoes.pe: did not receive HSTS header
 handmadetutorials.ro: could not connect to host
 handsandall.com: did not receive HSTS header
+handyglas.com: could not connect to host
+handynummer.online: did not receive HSTS header
 hanfu.la: could not connect to host
+hang333.moe: could not connect to host
 hang333.pw: could not connect to host
 hangar18-modelismo.com.br: could not connect to host
 hanimalis.fr: could not connect to host
@@ -7250,7 +7742,6 @@ haobo6666.com: could not connect to host
 haobo7777.com: could not connect to host
 haomwei.com: could not connect to host
 haoyugao.com: could not connect to host
-hapijs.cn: could not connect to host
 hapissl.com: could not connect to host
 hapivm.com: could not connect to host
 happist.com: did not receive HSTS header
@@ -7261,7 +7752,8 @@ happyheartsabode.com: did not receive HSTS header
 happytiger.eu: could not connect to host
 hapsfordmill.co.uk: could not connect to host
 hapvm.com: could not connect to host
-haqaza.com.br: could not connect to host
+haqaza.com.br: did not receive HSTS header
+harald-pfeiffer.de: could not connect to host
 harambe.site: could not connect to host
 harbourweb.net: did not receive HSTS header
 hardline.xyz: could not connect to host
@@ -7299,8 +7791,9 @@ hatcherlawgroupnm.com: did not receive HSTS header
 hatethe.uk: could not connect to host
 hatoko.net: could not connect to host
 haufschild.de: could not connect to host
+hauntedfishtank.com: did not receive HSTS header
 haurumcraft.net: could not connect to host
-hausarzt-stader-str.de: could not connect to host
+hausarzt-stader-str.de: did not receive HSTS header
 hauswarteam.com: could not connect to host
 hav.com: could not connect to host
 haveeruexaminer.com: could not connect to host
@@ -7309,13 +7802,13 @@ haven.cloud: did not receive HSTS header
 havenmoon.com: could not connect to host
 havenswift-hosting.co.uk: did not receive HSTS header
 hawk-la.com: could not connect to host
-hawkofgeorgia.com: could not connect to host
 hawthornharpist.com: could not connect to host
 haxoff.com: did not receive HSTS header
 haxon.me: could not connect to host
 haxx.hu: did not receive HSTS header
 haydenhill.us: could not connect to host
 hayleishop.fr: did not receive HSTS header
+hayzepvp.us: did not receive HSTS header
 hazcod.com: could not connect to host
 haze-productions.com: could not connect to host
 haze.network: did not receive HSTS header
@@ -7338,18 +7831,18 @@ hbvip06.com: could not connect to host
 hbvip07.com: could not connect to host
 hbvip08.com: could not connect to host
 hcfhomelottery.ca: did not receive HSTS header
-hcie.pl: did not receive HSTS header
 hcoe.fi: did not receive HSTS header
 hcr.io: did not receive HSTS header
 hcs-company.com: did not receive HSTS header
-hcs-company.nl: did not receive HSTS header
+hcs-company.nl: could not connect to host
 hcstr.com: did not receive HSTS header
-hd1tj.org: did not receive HSTS header
 hda.me: did not receive HSTS header
 hdm.io: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 hdrboundless.com: could not connect to host
+hdritalyphotos.com: did not receive HSTS header
 hdserver.info: did not receive HSTS header
 hdsmigrationtool.com: could not connect to host
+hdtwinks.com: could not connect to host
 hduin.xyz: could not connect to host
 hdwallpapers.net: could not connect to host
 hdy.nz: could not connect to host
@@ -7357,23 +7850,24 @@ head-shop.lt: could not connect to host
 head-shop.lv: could not connect to host
 headmates.xyz: could not connect to host
 health-match.com.au: could not connect to host
+health.gov: could not connect to host
 healthcare6.com: did not receive HSTS header
+healthfinder.gov: could not connect to host
 healthjoy.com: did not receive HSTS header
 healthlabs.com: did not receive HSTS header
 healthmatchapp.com: could not connect to host
 healthyandnaturalliving.com: could not connect to host
 healthycod.in: could not connect to host
-healtious.com: did not receive HSTS header
+healtious.com: could not connect to host
 hearingshofar.com: could not connect to host
 heart.ge: could not connect to host
 heartlandrentals.com: did not receive HSTS header
-heartsucker.com: could not connect to host
 hearty.cf: did not receive HSTS header
 hearty.ink: could not connect to host
 hearty.space: could not connect to host
 hearty.tech: could not connect to host
+hearty.us: could not connect to host
 heartyapp.com: could not connect to host
-heartyapp.tw: could not connect to host
 heartyme.net: could not connect to host
 heathmanners.com: could not connect to host
 heavenlyseals.com: could not connect to host
@@ -7381,28 +7875,30 @@ heavenlysmokenc.com: could not connect to host
 heavystresser.com: could not connect to host
 heayao.com: could not connect to host
 hebaus.com: could not connect to host
+heberut.gov: did not receive HSTS header
 hebriff.com: could not connect to host
+hechamano.es: did not receive HSTS header
 hectorj.net: could not connect to host
 hedweb.com: could not connect to host
 heeler.blue: could not connect to host
 heeler.red: could not connect to host
 heidilein.info: did not receive HSTS header
 heimnetze.org: could not connect to host
-heisenberg.co: could not connect to host
+hejahanif.se: could not connect to host
 hejsupport.se: could not connect to host
 hekeki.com: could not connect to host
-helber-it-services.de: could not connect to host
-hele.cz: did not receive HSTS header
+hele.cz: could not connect to host
+helencrump.co.uk: did not receive HSTS header
 helgakristoffer.com: could not connect to host
 helgakristoffer.wedding: could not connect to host
 helicaldash.com: could not connect to host
 helixflight.com: did not receive HSTS header
 hellenicaward.com: did not receive HSTS header
+hellerup.net: could not connect to host
 hello-nestor.com: did not receive HSTS header
 helloanselm.com: did not receive HSTS header
 hellofilters.com: could not connect to host
 hellomouse.cf: did not receive HSTS header
-hellomouse.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 hellomouse.tk: could not connect to host
 hellotandem.com: could not connect to host
 hellothought.net: could not connect to host
@@ -7420,12 +7916,12 @@ helpium.de: did not receive HSTS header
 helpmebuild.com: did not receive HSTS header
 helppresta.com: did not receive HSTS header
 helpverif.com: did not receive HSTS header
-helpwithmybank.gov: did not receive HSTS header
 helsingfors.guide: could not connect to host
 helup.com: did not receive HSTS header
 hemlockhillscabinrentals.com: did not receive HSTS header
 hencagon.com: could not connect to host
 hendersonrealestatepros.com: did not receive HSTS header
+hendyisaac.com: did not receive HSTS header
 henhenlu.com: could not connect to host
 henkbrink.com: did not receive HSTS header
 henningkerstan.org: did not receive HSTS header
@@ -7436,13 +7932,17 @@ hentaimaster.net: could not connect to host
 hentaiz.net: could not connect to host
 hepteract.us: could not connect to host
 heptner24.de: could not connect to host
+heracles-hotel.eu: did not receive HSTS header
+herbal-id.com: did not receive HSTS header
 herbandpat.org: could not connect to host
 herbertmouwen.nl: could not connect to host
 here.ml: could not connect to host
-here4funpartysolutions.ie: did not receive HSTS header
+here4funpartysolutions.ie: could not connect to host
 heribe-maruo.com: did not receive HSTS header
 heritagedentistry.ca: did not receive HSTS header
+hermann.in: could not connect to host
 hermes-servizi.it: could not connect to host
+hermes.cat: could not connect to host
 heroin.org.uk: could not connect to host
 herpaderp.net: could not connect to host
 herr-webdesign.de: could not connect to host
@@ -7451,14 +7951,17 @@ herrenfahrt.com: did not receive HSTS header
 herrtxbias.org: could not connect to host
 hetmeisjeachterpauw.nl: could not connect to host
 hetmer.com: did not receive HSTS header
-hetmer.cz: did not receive HSTS header
-hetmer.net: could not connect to host
+hetmer.net: did not receive HSTS header
+hetzflix.stream: did not receive HSTS header
 heutger.net: did not receive HSTS header
+heverhagen.rocks: did not receive HSTS header
+hex.bz: could not connect to host
 hex2013.com: did not receive HSTS header
 hexacon.io: could not connect to host
 hexadecimal.tech: could not connect to host
-hexe.net: did not receive HSTS header
+hexe.net: could not connect to host
 hexhu.com: could not connect to host
+hexieshe.com: could not connect to host
 hexobind.com: could not connect to host
 heyfringe.com: could not connect to host
 heyguevara.com: did not receive HSTS header
@@ -7469,11 +7972,10 @@ hfcbank.com.gh: did not receive HSTS header
 hfi.me: did not receive HSTS header
 hflsdev.org: could not connect to host
 hfu.io: could not connect to host
-hg525.com: max-age too low: 86400
+hg525.com: could not connect to host
 hg71839.com: could not connect to host
 hg881.com: could not connect to host
 hgfa.fi: could not connect to host
-hgvnet.de: could not connect to host
 hi808.net: did not receive HSTS header
 hialatv.com: could not connect to host
 hibilog.com: could not connect to host
@@ -7490,8 +7992,10 @@ hig.gov: could not connect to host
 highgrove.org.uk: could not connect to host
 highland-webcams.com: could not connect to host
 highlandparkcog.org: did not receive HSTS header
+highlatitudestravel.com: did not receive HSTS header
 highperformancehvac.com: did not receive HSTS header
 highseer.com: did not receive HSTS header
+highspeedinternetservices.ca: did not receive HSTS header
 highsurf-miyazaki.com: could not connect to host
 hightechgadgets.net: could not connect to host
 hightimes.com: could not connect to host
@@ -7500,11 +8004,12 @@ highvelocitydesign.com: could not connect to host
 higp.de: did not receive HSTS header
 hiisukun.com: could not connect to host
 hiitcentre.com: did not receive HSTS header
+hijoan.com: did not receive HSTS header
 hik-cloud.com: did not receive HSTS header
 hikagestudios.com: did not receive HSTS header
 hikariempire.com: could not connect to host
 hilaolu.com: could not connect to host
-hilaolu.studio: did not receive HSTS header
+hilaolu.studio: max-age too low: 0
 hilariousbeer.com.mx: could not connect to host
 hilinemerchandising.com: did not receive HSTS header
 hill.selfip.net: could not connect to host
@@ -7518,26 +8023,25 @@ hinkel-sohn.de: did not receive HSTS header
 hinrich.de: did not receive HSTS header
 hintergedanken.com: could not connect to host
 hintermeier-rae.at: did not receive HSTS header
-hiojbk.com: could not connect to host
+hiojbk.com: did not receive HSTS header
 hipercultura.com: did not receive HSTS header
 hiphopconvention.nl: could not connect to host
 hipi.jp: could not connect to host
-hipnos.net: did not receive HSTS header
 hipnoseinstitute.org: did not receive HSTS header
-hiraku.me: did not receive HSTS header
+hiqfleet.co.uk: did not receive HSTS header
+hiraku.me: could not connect to host
 hirefitness.co.uk: did not receive HSTS header
 hireprofs.com: could not connect to host
 hiresuccessstaffing.com: did not receive HSTS header
 hiretech.com: did not receive HSTS header
 hirevets.gov: did not receive HSTS header
 hirokilog.com: could not connect to host
+hirte-digital.de: did not receive HSTS header
 hisingenrunt.se: did not receive HSTS header
-hisnet.de: could not connect to host
 histoire-theatre.com: did not receive HSTS header
 history.pe: could not connect to host
 hitchunion.org: could not connect to host
 hitoy.org: could not connect to host
-hitrek.ml: could not connect to host
 hittipps.com: could not connect to host
 hivatal-info.hu: could not connect to host
 hj2999.com: did not receive HSTS header
@@ -7553,7 +8057,8 @@ hm1ch.com: could not connect to host
 hm1ch.ovh: could not connect to host
 hmksq.ae: max-age too low: 7776000
 hmm.nyc: could not connect to host
-hoast.xyz: could not connect to host
+hnwebi.com: did not receive HSTS header
+hoast.xyz: did not receive HSTS header
 hobaugh.social: could not connect to host
 hobby-gamerz-community.de: did not receive HSTS header
 hocassian.cn: did not receive HSTS header
@@ -7567,10 +8072,13 @@ hoerbuecher-und-hoerspiele.de: could not connect to host
 hoffens.se: could not connect to host
 hofiprojekt.cz: did not receive HSTS header
 hogar123.es: could not connect to host
-hogepad.com: could not connect to host
+hohm.in: could not connect to host
 hoiku-map.tokyo: could not connect to host
 hoiku-navi.com: did not receive HSTS header
 hokepon.com: did not receive HSTS header
+hokify.at: did not receive HSTS header
+hokify.ch: did not receive HSTS header
+hokify.de: did not receive HSTS header
 holgerlehner.com: could not connect to host
 holidayincotswolds.co.uk: could not connect to host
 holifestival-freyung.de: could not connect to host
@@ -7578,7 +8086,7 @@ holisticdrbright.com: max-age too low: 300
 hollandguns.com: did not receive HSTS header
 hollerau.de: could not connect to host
 holowaty.me: could not connect to host
-holy-hi.com: did not receive HSTS header
+holstphoto.com: max-age too low: 2592000
 holymoly.lu: could not connect to host
 holymolycasinos.com: did not receive HSTS header
 homa.website: could not connect to host
@@ -7586,8 +8094,9 @@ homads.com: did not receive HSTS header
 home-cloud.online: could not connect to host
 home-coaching.be: did not receive HSTS header
 home-craft.de: could not connect to host
+home-insurance-quotes.tk: could not connect to host
 home-v.ind.in: could not connect to host
-home-work-jobs.com: did not receive HSTS header
+home-work-jobs.com: could not connect to host
 homeandyarddetailing.com: could not connect to host
 homecarpetcleaning.co.uk: could not connect to host
 homeclouding.de: could not connect to host
@@ -7596,12 +8105,11 @@ homedna.com: did not receive HSTS header
 homeexx.com: did not receive HSTS header
 homehunting.pt: did not receive HSTS header
 homeoesp.org: did not receive HSTS header
-homeownersassociationmanagementla.com: did not receive HSTS header
+homeownersassociationmanagementla.com: could not connect to host
 homeremodelingcontractorsca.com: did not receive HSTS header
 homesandal.com: did not receive HSTS header
 homeseller.co.uk: could not connect to host
-homesfordinner.ca: could not connect to host
-homestay.id: did not receive HSTS header
+homesfordinner.ca: did not receive HSTS header
 homeyantra.com: did not receive HSTS header
 homezhi.com.tw: could not connect to host
 homoglyph.net: could not connect to host
@@ -7619,15 +8127,12 @@ hoodiecrow.com: could not connect to host
 hoodoo.io: could not connect to host
 hoodoo.tech: could not connect to host
 hookandloom.com: did not receive HSTS header
-hookbin.com: could not connect to host
 hoopsacademyusa.com: could not connect to host
 hopesb.org: did not receive HSTS header
 hopewellproperties.co.uk: did not receive HSTS header
 hopglass.eu: could not connect to host
 hopglass.net: could not connect to host
-hopzone.net: could not connect to host
 horace.li: did not receive HSTS header
-horackova.info: could not connect to host
 horisonttimedia.fi: did not receive HSTS header
 horizonmoto.fr: did not receive HSTS header
 horkel.cf: could not connect to host
@@ -7641,7 +8146,8 @@ horvathtom.com: could not connect to host
 horvatnyelvkonyv.hu: could not connect to host
 host.black: could not connect to host
 hostam.link: could not connect to host
-hosted-oswa.org: could not connect to host
+hostcoz.com: did not receive HSTS header
+hosted-oswa.org: did not receive HSTS header
 hostedbgp.net: did not receive HSTS header
 hostedtalkgadget.google.com: did not receive HSTS header (error ignored - included regardless)
 hostelite.com: did not receive HSTS header
@@ -7651,6 +8157,7 @@ hostinaus.com.au: did not receive HSTS header
 hostingfirst.nl: could not connect to host
 hostingfj.com: could not connect to host
 hostisan.com: could not connect to host
+hostserv.org: could not connect to host
 hosyaku.gr.jp: did not receive HSTS header
 hot-spa.ch: did not receive HSTS header
 hotartup.com: could not connect to host
@@ -7659,24 +8166,27 @@ hotchoc.io: could not connect to host
 hotel-huberhof.at: did not receive HSTS header
 hotel-tongruben.de: max-age too low: 0
 hotelaustria-wien.at: did not receive HSTS header
+hotello.io: could not connect to host
 hotelmadhuwanvihar.com: could not connect to host
 hotelvictoriaoax-mailing.com: could not connect to host
 hotelvillahermosa-mailing.com: could not connect to host
 hotelvue.nl: could not connect to host
 hotesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-hotesb.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+hotesb.net: could not connect to host
 hotjuice.com: could not connect to host
 hotornot.com: could not connect to host
 hotpoint-training.com: did not receive HSTS header
 hottestwebcamgirls.org: could not connect to host
 houkago-step.com: did not receive HSTS header
 houseinvestor.com: could not connect to host
-housemaadiah.org: did not receive HSTS header
+housemaadiah.org: could not connect to host
+housetalk.ru: did not receive HSTS header
 housingstudents.org.uk: could not connect to host
 how2fsbo.com: could not connect to host
 howardwatts.co.uk: did not receive HSTS header
 howfargames.com: could not connect to host
 howrandom.org: could not connect to host
+howsmytls.com: could not connect to host
 howtocuremysciatica.com: could not connect to host
 howtofreelance.com: did not receive HSTS header
 howtoinstall.co: did not receive HSTS header
@@ -7684,33 +8194,39 @@ hozinga.de: could not connect to host
 hpctecnologias.com: did not receive HSTS header
 hpeditor.tk: could not connect to host
 hpepub.asia: could not connect to host
+hpepub.com: could not connect to host
 hpepub.org: did not receive HSTS header
+hpnow.com.br: could not connect to host
 hppub.info: could not connect to host
 hppub.org: could not connect to host
 hppub.site: could not connect to host
 hqhost.net: did not receive HSTS header
 hqq.tv: could not connect to host
-hqy.moe: did not receive HSTS header
 hr-intranet.com: could not connect to host
 hr-tech.store: could not connect to host
 hr98.tk: could not connect to host
+hr98.xyz: could not connect to host
 hrackydomino.cz: did not receive HSTS header
 hrfhomelottery.com: did not receive HSTS header
-hrk.io: did not receive HSTS header
-hrobert.hu: could not connect to host
+hrjfeedstock.com: did not receive HSTS header
+hrk.io: could not connect to host
 hrtech.store: could not connect to host
 hrtraining.com.au: did not receive HSTS header
 hru.gov: could not connect to host
 hschen.top: could not connect to host
 hserver.top: could not connect to host
+hsex.tv: did not receive HSTS header
 hsir.me: could not connect to host
+hsn.com: could not connect to host
 hsts-preload-test.xyz: could not connect to host
 hsts.com.br: could not connect to host
 hsts.date: could not connect to host
 hstspreload.me: could not connect to host
+hsulei.com: could not connect to host
 hszhyy120.com: could not connect to host
 htlball.at: could not connect to host
 html-lab.tk: could not connect to host
+htp2.top: could not connect to host
 http418.xyz: could not connect to host
 httphacker.com: could not connect to host
 https.ps: could not connect to host
@@ -7721,15 +8237,14 @@ hua-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 hua-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 hua-li88.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 hua-li88.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-huang.nu: could not connect to host
+huang-haitao.com: could not connect to host
 huangguancq.com: could not connect to host
-huangh.com: could not connect to host
 huangting.me: did not receive HSTS header
 huangzenghao.com: could not connect to host
 huarongdao.com: did not receive HSTS header
 huaxueba.com: could not connect to host
 hubert.systems: did not receive HSTS header
-hubertmoszka.pl: max-age too low: 0
+hubertmoszka.pl: could not connect to host
 hubrecht.at: could not connect to host
 hubrick.com: could not connect to host
 hudhaifahgoga.co.za: could not connect to host
@@ -7737,7 +8252,6 @@ hudingyuan.cn: could not connect to host
 hugocollignon.fr: could not connect to host
 hui-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 hui-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-huihui.moe: did not receive HSTS header
 huiser.nl: could not connect to host
 hukaloh.com: could not connect to host
 hukkatavara.com: could not connect to host
@@ -7747,16 +8261,19 @@ humankode.com: did not receive HSTS header
 humblebee.es: could not connect to host
 humblefinances.com: could not connect to host
 humeurs.net: could not connect to host
+humorce.com: did not receive HSTS header
 humortuga.pt: did not receive HSTS header
 hump.dk: could not connect to host
 humpi.at: could not connect to host
 humpteedumptee.in: did not receive HSTS header
+huniverse.co: could not connect to host
 hunqz.com: could not connect to host
-hunter-read.com: could not connect to host
+hunterjohnson.io: could not connect to host
 huodongweb.com: could not connect to host
 huoduan.com: did not receive HSTS header
 huongquynh.com: could not connect to host
 hup.blue: could not connect to host
+hurleyhomestead.com: could not connect to host
 hurricanelabs.com: did not receive HSTS header
 huskybutt.dog: could not connect to host
 huskyduvercors.com: did not receive HSTS header
@@ -7765,7 +8282,9 @@ hustle.life: did not receive HSTS header
 huwjones.me: could not connect to host
 huzu.com: did not receive HSTS header
 huzurmetal.net: could not connect to host
+hveradistributions.com: could not connect to host
 hwcine.com: could not connect to host
+hwinfo.com: did not receive HSTS header
 hwpkasse.de: max-age too low: 2592000
 hyakumachi.com: did not receive HSTS header
 hyatt.com: did not receive HSTS header
@@ -7779,7 +8298,7 @@ hydra.zone: could not connect to host
 hydrabit.nl: did not receive HSTS header
 hydrante.ch: could not connect to host
 hydrocloud.net: could not connect to host
-hydrodipcenter.nl: did not receive HSTS header
+hydrodipcenter.nl: could not connect to host
 hydronium.cf: could not connect to host
 hydronium.ga: could not connect to host
 hydronium.me: could not connect to host
@@ -7799,9 +8318,9 @@ hypnoresults.com.au: did not receive HSTS header
 hypnos.hu: did not receive HSTS header
 hypotheques24.ch: could not connect to host
 hysg.me: could not connect to host
+hytzongxuan.com: did not receive HSTS header
 hyvive.com: could not connect to host
 hzh.pub: did not receive HSTS header
-i--b.com: did not receive HSTS header
 i-jp.net: could not connect to host
 i-partners.sk: could not connect to host
 i-rickroll-n.pw: could not connect to host
@@ -7810,10 +8329,14 @@ i10z.com: could not connect to host
 i28s.com: did not receive HSTS header
 i496.eu: could not connect to host
 i4m1k0su.com: could not connect to host
+i95.me: did not receive HSTS header
 i9multiequipamentos.com.br: did not receive HSTS header
 ia1000.com: could not connect to host
 iadttaveras.com: could not connect to host
 iain.tech: did not receive HSTS header
+iamlbk.com: could not connect to host
+iamlizu.com: did not receive HSTS header
+iamlzh.com: did not receive HSTS header
 iamokay.nl: did not receive HSTS header
 iamreubin.co.uk: did not receive HSTS header
 iamsoareyou.se: could not connect to host
@@ -7824,9 +8347,9 @@ iapws.com: did not receive HSTS header
 iban.is: could not connect to host
 ibarf.nl: did not receive HSTS header
 ibase.com: did not receive HSTS header
-ibeep.com: could not connect to host
 ibenchu.com: did not receive HSTS header
 ibestreview.com: did not receive HSTS header
+ibiu.xyz: did not receive HSTS header
 ibizatopcharter.com: did not receive HSTS header
 ibna.online: could not connect to host
 ibnuwebhost.com: could not connect to host
@@ -7840,7 +8363,9 @@ ibsafrica.co.za: could not connect to host
 ibsglobal.co.za: could not connect to host
 icabanken.se: did not receive HSTS header
 icaforsakring.se: did not receive HSTS header
+icake.life: did not receive HSTS header
 icasnetwork.com: did not receive HSTS header
+icbemp.gov: could not connect to host
 ice.yt: could not connect to host
 icebat.dyndns.org: could not connect to host
 icebound.cc: did not receive HSTS header
@@ -7851,16 +8376,17 @@ icepink.com.br: could not connect to host
 icewoman.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 icfl.com.br: could not connect to host
 ich-find-den-g.net: could not connect to host
-ich-hab-die-schnauze-voll-von-der-suche-nach-ner-kurzen-domain.de: could not connect to host
 ich-mach-druck.eu: did not receive HSTS header
+ichasco.com: did not receive HSTS header
 ichnichtskaufmann.de: could not connect to host
 ichoosebtec.com: did not receive HSTS header
 ichronos.net: did not receive HSTS header
 icity.ly: did not receive HSTS header
 ickerseashop.com: could not connect to host
 icloud.net: could not connect to host
+icmshoptrend.com: did not receive HSTS header
 icnsoft.ga: did not receive HSTS header
-icnsoft.me: did not receive HSTS header
+icnsoft.me: could not connect to host
 icnsoft.org: could not connect to host
 icntorrent.download: could not connect to host
 ico500.com: did not receive HSTS header
@@ -7873,7 +8399,7 @@ icusignature.com: could not connect to host
 icys2017.com: did not receive HSTS header
 id-co.in: could not connect to host
 id-conf.com: did not receive HSTS header
-idafauziyah.com: could not connect to host
+idblab.tk: could not connect to host
 idc.yn.cn: could not connect to host
 idcrane.com: could not connect to host
 iddconnect.com: could not connect to host
@@ -7894,16 +8420,17 @@ identity-hash.online: could not connect to host
 identitylabs.uk: could not connect to host
 identitysandbox.gov: could not connect to host
 idgsupply.com: did not receive HSTS header
-idid.tk: could not connect to host
 idinby.dk: did not receive HSTS header
-idiopolis.org: could not connect to host
+idiopolis.org: did not receive HSTS header
 idisplay.es: could not connect to host
 idlekernel.com: could not connect to host
 idol-bikes.ru: could not connect to host
 idontexist.me: could not connect to host
 idsafe.co.za: could not connect to host
 idsoccer.com: did not receive HSTS header
+idvl.de: could not connect to host
 iec.pe: could not connect to host
+iemas.azurewebsites.net: did not receive HSTS header
 iemb.cf: could not connect to host
 ierna.com: did not receive HSTS header
 ies.id.lv: could not connect to host
@@ -7918,20 +8445,24 @@ ifastuniversity.com: did not receive HSTS header
 ifcfg.me: could not connect to host
 ifconfig.co: did not receive HSTS header
 ifleurs.com: could not connect to host
+ifly.pw: could not connect to host
 ifreetion.cn: did not receive HSTS header
+ifroheweihnachten.net: did not receive HSTS header
 ifx.ee: could not connect to host
 ifxnet.com: could not connect to host
 ifxor.com: could not connect to host
 igamingforums.com: could not connect to host
 igaryhe.io: did not receive HSTS header
 igd.chat: could not connect to host
-igforums.com: could not connect to host
-igi.codes: did not receive HSTS header
+igforums.com: did not receive HSTS header
+igi.codes: could not connect to host
 igiftcards.nl: did not receive HSTS header
 ignatisd.gr: did not receive HSTS header
 igule.net: could not connect to host
 iha6.com: could not connect to host
+ihatethissh.it: could not connect to host
 ihc.im: did not receive HSTS header
+ihcr.top: did not receive HSTS header
 ihls.xyz: did not receive HSTS header
 ihongzu.com: could not connect to host
 ihrlotto.de: could not connect to host
@@ -7945,24 +8476,26 @@ iilin.com: did not receive HSTS header
 iispeed.com: did not receive HSTS header
 ijn-dd.nl: could not connect to host
 ijoda.com: could not connect to host
-ike.io: could not connect to host
+ijr.com: did not receive HSTS header
+ike.io: did not receive HSTS header
 ikenmeyer.com: could not connect to host
 ikenmeyer.eu: could not connect to host
 ikocik.sk: could not connect to host
 ikon.name: could not connect to host
 ikudo.top: could not connect to host
+ikuuuu.com: could not connect to host
 ikwilguidobellen.nl: could not connect to host
 ikzoekeengoedkopeauto.nl: could not connect to host
 ikzoekjeugdhulp.nl: did not receive HSTS header
+ilazycat.com: could not connect to host
 ilbuongiorno.it: did not receive HSTS header
 ildomani.it: did not receive HSTS header
 ileat.com: could not connect to host
-ilemonrain.com: could not connect to host
 ilgi.work: could not connect to host
 ilii.me: could not connect to host
 ilikerainbows.co: did not receive HSTS header
 ilikerainbows.co.uk: could not connect to host
-ilikfreshweedstores.com: did not receive HSTS header
+ilikfreshweedstores.com: could not connect to host
 ilmconpm.de: could not connect to host
 iloilofit.org: did not receive HSTS header
 ilona.graphics: did not receive HSTS header
@@ -7973,10 +8506,12 @@ imadalin.ro: could not connect to host
 image.tf: could not connect to host
 imagecurl.com: could not connect to host
 imagecurl.org: could not connect to host
+imagenesdedibujosalapizfacilesdehacer.com: could not connect to host
 imaginarymakings.me: could not connect to host
 imakepoems.net: could not connect to host
-imanhearts.com: did not receive HSTS header
+imanhearts.com: max-age too low: 0
 imanudin.net: did not receive HSTS header
+imaple.org: could not connect to host
 imbrian.org: could not connect to host
 imed.com.pt: did not receive HSTS header
 imed.pt: did not receive HSTS header
@@ -7988,13 +8523,13 @@ imguoguo.com: could not connect to host
 imim.pw: could not connect to host
 imjiangtao.com: did not receive HSTS header
 imlinan.cn: could not connect to host
+imlinan.com: could not connect to host
 imlinan.info: could not connect to host
 imlinan.net: could not connect to host
 imlonghao.com: did not receive HSTS header
 immanuel60.hu: did not receive HSTS header
 immaternity.com: could not connect to host
-immersionwealth.com: could not connect to host
-immo-vk.de: did not receive HSTS header
+immersivewebportal.com: could not connect to host
 immobiliarecapitani.com: did not receive HSTS header
 immobilien-wallat.de: could not connect to host
 immoprotect.ca: did not receive HSTS header
@@ -8021,16 +8556,18 @@ imoner.com: could not connect to host
 imoner.ga: could not connect to host
 imoni-blog.net: could not connect to host
 imoto.me: could not connect to host
+imperdin.com: could not connect to host
 imperdintechnologies.com: could not connect to host
 imperialonlinestore.com: did not receive HSTS header
 imperialwebsolutions.com: did not receive HSTS header
 imprenta-es.com: did not receive HSTS header
 improvingwp.com: could not connect to host
 impulse-clan.de: could not connect to host
-imrejonk.nl: could not connect to host
 imu.li: did not receive HSTS header
 imusic.dk: did not receive HSTS header
-imy.life: could not connect to host
+imy.life: did not receive HSTS header
+imydl.com: could not connect to host
+imyjy.cn: could not connect to host
 inandeyes.com: did not receive HSTS header
 inb4.us: could not connect to host
 inbox.li: did not receive HSTS header
@@ -8039,30 +8576,33 @@ incendiary-arts.com: could not connect to host
 inceptionradionetwork.com: could not connect to host
 incestporn.tv: could not connect to host
 inchomatic.com: did not receive HSTS header
-incompliance.de: did not receive HSTS header
 increasetestosteronelevels.org: could not connect to host
 inderagamono.net: could not connect to host
 indesit-training.com: did not receive HSTS header
 indexyz.me: could not connect to host
-indianaantlersupply.com: could not connect to host
 indiawise.co.uk: could not connect to host
 indiecert.net: did not receive HSTS header
 indieethos.com: did not receive HSTS header
-indiemods.com: could not connect to host
+indiemods.com: did not receive HSTS header
 indien.guide: could not connect to host
 indilens.com: did not receive HSTS header
 indiraactive.com: could not connect to host
 indiroyunu.com: did not receive HSTS header
 indochina.io: could not connect to host
+indogerman.de: did not receive HSTS header
+indogermantrade.de: could not connect to host
+indoorplantsexpert.com: could not connect to host
 indoorskiassen.nl: did not receive HSTS header
 indostar303.com: did not receive HSTS header
 indredouglas.me: could not connect to host
+indusfastremit.com: could not connect to host
 industreiler.com: could not connect to host
 industreiler.com.br: could not connect to host
 industriasrenova.com: could not connect to host
-industrybazar.com: max-age too low: 2592000
+industrybazar.com: did not receive HSTS header
 ineed.com.mt: could not connect to host
 inetpub.cn: could not connect to host
+inevitavelbrasil.com.br: could not connect to host
 inexlog.fr: could not connect to host
 inexpensivecomputers.net: could not connect to host
 infcof.com: did not receive HSTS header
@@ -8076,6 +8616,7 @@ infinitusgaming.eu: could not connect to host
 infinity-freedom.com: could not connect to host
 infinity-freedom.de: could not connect to host
 infinity-lifestyle.de: could not connect to host
+infinity.to: could not connect to host
 inflate-a-bubbles.co.uk: did not receive HSTS header
 inflation.ml: could not connect to host
 influxus.com: could not connect to host
@@ -8083,17 +8624,19 @@ info-bay.com: could not connect to host
 info-sys.tk: could not connect to host
 infoamin.com: did not receive HSTS header
 infocoin.es: did not receive HSTS header
-infoduv.fr: did not receive HSTS header
+infopagina.es: could not connect to host
 inforichjapan.com: did not receive HSTS header
 inforisposte.com: did not receive HSTS header
 informaticapremium.com: did not receive HSTS header
 informatik.zone: could not connect to host
 infos-generation.com: did not receive HSTS header
 infosec.rip: could not connect to host
+infosimmo.com: did not receive HSTS header
 infosoph.org: could not connect to host
 infotics.es: did not receive HSTS header
 infovae-idf.com: could not connect to host
 infoworm.org: could not connect to host
+infr.red: did not receive HSTS header
 infradio.am: could not connect to host
 infranix.eu: max-age too low: 7360000
 infruction.com: could not connect to host
@@ -8106,6 +8649,7 @@ ingesol.fr: did not receive HSTS header
 ingresscode.cn: did not receive HSTS header
 inhelix.com: could not connect to host
 inhive.group: did not receive HSTS header
+iniiter.com: could not connect to host
 injapan.nl: could not connect to host
 injertoshorticolas.com: did not receive HSTS header
 injigo.com: did not receive HSTS header
@@ -8136,11 +8680,11 @@ innoventure.de: could not connect to host
 inondation.ch: could not connect to host
 inorder.website: could not connect to host
 inovatec.com: did not receive HSTS header
-inox.io: did not receive HSTS header
+inox.io: could not connect to host
 inoxio.com: did not receive HSTS header
 inoxio.de: did not receive HSTS header
 inplacers.ru: did not receive HSTS header
-inquisitive.io: did not receive HSTS header
+inquisitive.io: could not connect to host
 insane-bullets.com: could not connect to host
 insane.zone: could not connect to host
 inschrijfformulier.com: could not connect to host
@@ -8148,7 +8692,6 @@ inscript.pl: did not receive HSTS header
 insideofgaming.de: could not connect to host
 insite-feedback.com: could not connect to host
 insouciant.org: could not connect to host
-inspirationalquotesuk.co.uk: could not connect to host
 inspirationconcepts.nl: did not receive HSTS header
 inspire-av.com: did not receive HSTS header
 inspiroinc.com: could not connect to host
@@ -8168,6 +8711,7 @@ insurance: could not connect to host
 insurethebox.tk: could not connect to host
 int-ext-design.fr: could not connect to host
 int-ma.in: did not receive HSTS header
+integraelchen.de: could not connect to host
 integrationinc.com: did not receive HSTS header
 integraxor.com.tw: did not receive HSTS header
 integrityingovernmentidaho.com: could not connect to host
@@ -8177,9 +8721,12 @@ intelbet.es: did not receive HSTS header
 intelbet.ro: did not receive HSTS header
 intelhost.net: max-age too low: 0
 intelldynamics.com: could not connect to host
-intelliance.eu: could not connect to host
+intelliance.eu: did not receive HSTS header
+interabbit.com: could not connect to host
 interboursegeneva.ch: did not receive HSTS header
 interchanges.io: max-age too low: 0
+intercom.com: did not receive HSTS header
+intercom.io: did not receive HSTS header
 interference.io: did not receive HSTS header
 interfloraservices.co.uk: could not connect to host
 intergenx.co.uk: could not connect to host
@@ -8191,12 +8738,13 @@ interim-cto.de: could not connect to host
 interiorcheapo.com: could not connect to host
 interiortradingco.com.au: could not connect to host
 interleucina.org: did not receive HSTS header
-interlocal.co.uk: could not connect to host
+interlocal.co.uk: did not receive HSTS header
 interlun.com: could not connect to host
 intermezzo-emmerich.de: did not receive HSTS header
 intermezzo-emmerich.nl: did not receive HSTS header
 internacao.com: did not receive HSTS header
 internaldh.com: could not connect to host
+internationalschoolnewyork.com: could not connect to host
 internaut.co.za: did not receive HSTS header
 internetbugbounty.org: did not receive HSTS header
 internetcasinos.de: could not connect to host
@@ -8216,11 +8764,14 @@ intim-uslugi-kazan.net: could not connect to host
 intimateperrierjouet.com: could not connect to host
 intimici.com.br: could not connect to host
 intimtoy.com.ua: could not connect to host
+intracom.com: did not receive HSTS header
 intranetsec.fr: could not connect to host
-intreaba.xyz: max-age too low: 2592000
+intreaba.xyz: could not connect to host
+intrigue3d.com: could not connect to host
+introverted.ninja: did not receive HSTS header
 introvertedtravel.space: max-age too low: 0
-intrp.net: did not receive HSTS header
 invenio.software: could not connect to host
+inventoryexpress.xyz: could not connect to host
 inverselink.com: could not connect to host
 investcountry.com: could not connect to host
 investingdiary.cn: could not connect to host
@@ -8231,15 +8782,18 @@ invictusmc.uk: could not connect to host
 invinsec.cloud: did not receive HSTS header
 invinsec.com: max-age too low: 86400
 invis.net: could not connect to host
+invitation-factory.tk: could not connect to host
 invite24.pro: could not connect to host
 invuelto.com: did not receive HSTS header
+iodev.nl: could not connect to host
 iodice.org: did not receive HSTS header
 iodu.re: could not connect to host
+ioerror.us: did not receive HSTS header
 ioiart.eu: could not connect to host
 iolife.dk: could not connect to host
 ionas-law.ro: did not receive HSTS header
 ionc.ca: could not connect to host
-ionote.me: did not receive HSTS header
+ionote.me: could not connect to host
 iop.intuit.com: max-age too low: 86400
 iora.fr: could not connect to host
 iostips.ru: could not connect to host
@@ -8248,13 +8802,16 @@ iotsms.io: could not connect to host
 ip-life.net: did not receive HSTS header
 ip.or.at: could not connect to host
 ip6.im: did not receive HSTS header
+ipadportfolioapp.com: did not receive HSTS header
+ipawind.com: did not receive HSTS header
 ipbill.org.uk: could not connect to host
 ipcfg.me: could not connect to host
 ipfp.pl: did not receive HSTS header
 iphonechina.net: could not connect to host
+iphoneportfolioapp.com: did not receive HSTS header
 ipid.me: could not connect to host
+iplabs.de: did not receive HSTS header
 iplife.cn: could not connect to host
-iplog.info: could not connect to host
 ipmimagazine.com: did not receive HSTS header
 ipmotion.ca: could not connect to host
 ipnetworking.net: could not connect to host
@@ -8268,31 +8825,35 @@ iprice.vn: did not receive HSTS header
 ipricethailand.com: did not receive HSTS header
 iprody.com: could not connect to host
 ipsilon-project.org: did not receive HSTS header
+ipstoragesolutions.com: did not receive HSTS header
 iptel.ro: could not connect to host
+iptvmakedonija.mk: did not receive HSTS header
 ipuservicedesign.com: could not connect to host
 ipv6.watch: did not receive HSTS header
 ipv6cloud.club: could not connect to host
 ipv6demo.de: could not connect to host
 ipv6only.network: could not connect to host
+ipv8.net: could not connect to host
 ipvsec.nl: could not connect to host
 iqcn.co: could not connect to host
 iqualtech.com: max-age too low: 7889238
 ir-saitama.com: could not connect to host
+iran-geo.com: could not connect to host
 iran-poll.org: max-age too low: 0
-irandp.net: did not receive HSTS header
+irandp.net: could not connect to host
 iranianlawschool.com: could not connect to host
 iraqidinar.org: did not receive HSTS header
 irasandi.com: could not connect to host
 irazimina.ru: did not receive HSTS header
 irccloud.com: did not receive HSTS header
+ircmett.de: did not receive HSTS header
 iready.ro: could not connect to host
 irelandesign.com: could not connect to host
-irinkeby.nu: could not connect to host
+irinkeby.nu: did not receive HSTS header
 irische-segenswuensche.info: could not connect to host
 irisdina.de: could not connect to host
-irishmusic.nu: could not connect to host
+irishmusic.nu: did not receive HSTS header
 irland.guide: could not connect to host
-irmag.ru: did not receive HSTS header
 irmtrudjurke.de: did not receive HSTS header
 irodorinet.com: max-age too low: 0
 iron-guard.net: did not receive HSTS header
@@ -8306,16 +8867,21 @@ irun-telecom.co.uk: could not connect to host
 irvinepa.org: max-age too low: 10540800
 is-a-furry.org: did not receive HSTS header
 isaackabel.cf: could not connect to host
-isastylish.com: could not connect to host
+isaackabel.ga: could not connect to host
+isaackabel.gq: could not connect to host
+isaackabel.ml: could not connect to host
+isaackabel.tk: could not connect to host
 ischool.co.jp: did not receive HSTS header
+isdecolaop.nl: could not connect to host
 isdf.me: could not connect to host
 isdown.cz: could not connect to host
 isef-eg.com: did not receive HSTS header
 iserv.fr: did not receive HSTS header
+isfff.com: could not connect to host
 isfriday.com: could not connect to host
 ishadowsocks.ltd: could not connect to host
+ishet.al: max-age too low: 0
 ishillaryclintoninprisonyet.com: could not connect to host
-ishome.org: could not connect to host
 isidom.fr: did not receive HSTS header
 isipulsa.web.id: did not receive HSTS header
 isisfighters.info: could not connect to host
@@ -8325,12 +8891,13 @@ iskai.net: did not receive HSTS header
 iskkk.com: could not connect to host
 iskkk.net: could not connect to host
 islandinthenet.com: did not receive HSTS header
+islandlakeil.gov: could not connect to host
 islandoilsupply.com: max-age too low: 300
 islandpumpandtank.com: did not receive HSTS header
-islandzero.net: did not receive HSTS header
+islandzero.net: could not connect to host
 islazia.fr: did not receive HSTS header
-islief.com: could not connect to host
 isntall.us: did not receive HSTS header
+isocom.eu: did not receive HSTS header
 isoface33.fr: did not receive HSTS header
 isogen5.com: could not connect to host
 isogram.nl: did not receive HSTS header
@@ -8347,7 +8914,6 @@ istgame.com: did not receive HSTS header
 isthefieldcontrolsystemdown.com: could not connect to host
 istherrienstillcoach.com: could not connect to host
 isv.online: did not receive HSTS header
-isyu.xyz: could not connect to host
 iszy.me: could not connect to host
 it-cave.com: could not connect to host
 it-enthusiasts.tech: could not connect to host
@@ -8355,6 +8921,7 @@ it-go.net: did not receive HSTS header
 it-labor.info: did not receive HSTS header
 it-schwerin.de: could not connect to host
 itad.top: could not connect to host
+itblog.pp.ua: did not receive HSTS header
 itbrief.co.nz: did not receive HSTS header
 itbrief.com.au: did not receive HSTS header
 itchimes.com: did not receive HSTS header
@@ -8362,14 +8929,14 @@ itchybrainscentral.com: could not connect to host
 itds-consulting.com: could not connect to host
 itds-consulting.cz: could not connect to host
 itds-consulting.eu: could not connect to host
-itechgeek.com: max-age too low: 0
+itechgeek.com: did not receive HSTS header
 items.lv: did not receive HSTS header
 itemton.com: could not connect to host
+iterasoft.de: did not receive HSTS header
 itfaq.nl: did not receive HSTS header
-itfensi.net: max-age too low: 6307200
+itfensi.net: could not connect to host
 itforcc.com: did not receive HSTS header
 ithakama.com: could not connect to host
-itilo.de: did not receive HSTS header
 itinsight.hu: did not receive HSTS header
 itiomassagem.com.br: did not receive HSTS header
 itisjustnot.cricket: could not connect to host
@@ -8385,6 +8952,7 @@ itrack.in.th: did not receive HSTS header
 itriskltd.com: did not receive HSTS header
 its-schindler.de: could not connect to host
 its-v.de: could not connect to host
+its4living.com: could not connect to host
 itsadog.co.uk: did not receive HSTS header
 itsagadget.com: did not receive HSTS header
 itsamurai.ru: max-age too low: 2592000
@@ -8394,17 +8962,20 @@ itsg-faq.de: could not connect to host
 itshka.rv.ua: max-age too low: 604800
 itshost.ru: could not connect to host
 itsmejohn.org: could not connect to host
+itspartytimesweetinflations.com: could not connect to host
 itsupport-luzern.ch: could not connect to host
 ittop-gabon.com: could not connect to host
 itu2015.de: could not connect to host
 ius.io: did not receive HSTS header
 iuscommunity.org: did not receive HSTS header
+ivanilla.org: could not connect to host
 ivanpolchenko.com: could not connect to host
 ivi-co.com: max-age too low: 0
 ivi-fertility.com: max-age too low: 0
 ivi.es: max-age too low: 0
 ivk.website: could not connect to host
 ivklombard.ru: did not receive HSTS header
+ivoryonsunset.com: could not connect to host
 ivxv.ee: could not connect to host
 ivyshop.com.br: could not connect to host
 iwannarefill.com: could not connect to host
@@ -8418,9 +8989,14 @@ ixec2.tk: could not connect to host
 ixh.me: did not receive HSTS header
 ixio.cz: could not connect to host
 izdiwho.com: could not connect to host
+izevg.ru: could not connect to host
+izhaojie.com: could not connect to host
 izolight.ch: could not connect to host
 izonemart.com: did not receive HSTS header
 izoox.com: did not receive HSTS header
+izxxs.com: could not connect to host
+izxxs.net: could not connect to host
+izxzw.net: could not connect to host
 izzzorgconcerten.nl: could not connect to host
 j-eck.nl: did not receive HSTS header
 j-lsolutions.com: could not connect to host
@@ -8429,36 +9005,40 @@ j0ng.xyz: could not connect to host
 j15t98j.co.uk: did not receive HSTS header
 j2ee.cz: could not connect to host
 j8y.de: did not receive HSTS header
-ja-publications.agency: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+ja-publications.agency: did not receive HSTS header
 ja-publications.com: did not receive HSTS header
 jaan.su: could not connect to host
 jaaxypro.com: could not connect to host
-jability.ovh: did not receive HSTS header
+jability.ovh: could not connect to host
 jackalworks.com: could not connect to host
-jackdoan.com: could not connect to host
+jackdoan.com: did not receive HSTS header
 jackfahnestock.com: could not connect to host
 jackops.com: could not connect to host
 jackrusselterrier.com.br: could not connect to host
 jackyyf.com: could not connect to host
-jacobparry.ca: max-age too low: 0
+jaco.by: could not connect to host
+jacobparry.ca: did not receive HSTS header
 jadara.info: could not connect to host
 jaepinformatica.com: did not receive HSTS header
 jagido.de: did not receive HSTS header
 jahliveradio.com: did not receive HSTS header
 jaimechanaga.com: could not connect to host
 jaion.ml: could not connect to host
+jaion.tech: could not connect to host
 jak-na-les.cz: could not connect to host
 jakenbake.com: could not connect to host
+jakeslab.tech: could not connect to host
 jakewalker.xyz: did not receive HSTS header
 jakincode.army: could not connect to host
 jaksel.id: could not connect to host
 jaksi.io: did not receive HSTS header
+jakubarbet.eu: could not connect to host
 jamanji.com.ng: could not connect to host
-jamaware.org: did not receive HSTS header
+jamaware.org: could not connect to host
 jamberry.com.mx: could not connect to host
 james-parker.com: did not receive HSTS header
 james.je: could not connect to host
-jamesandanneke.com: did not receive HSTS header
+jamesandanneke.com: could not connect to host
 jamesbradach.com: did not receive HSTS header
 jamesburton.london: could not connect to host
 jamesbywater.co.uk: could not connect to host
@@ -8480,7 +9060,6 @@ jamesmaurer.com: did not receive HSTS header
 jamesrains.com: could not connect to host
 jameswarp.com: could not connect to host
 jami.am: max-age too low: 0
-jamie-read-photography.com: could not connect to host
 jamourtney.com: could not connect to host
 jamyeprice.com: did not receive HSTS header
 jan-cermak.cz: did not receive HSTS header
@@ -8497,16 +9076,17 @@ janmachynka.cz: could not connect to host
 janmg.com: could not connect to host
 janosh.com: did not receive HSTS header
 janssen.fm: could not connect to host
+janssenwigman.nl: did not receive HSTS header
 janus-engineering.de: did not receive HSTS header
 janverlaan.nl: did not receive HSTS header
 jap-nope.de: did not receive HSTS header
 japan4you.org: did not receive HSTS header
-japanbaths.com: could not connect to host
-japaneseemoticons.org: did not receive HSTS header
+japanbaths.com: did not receive HSTS header
+japaneseemoticons.org: could not connect to host
 japanesenames.biz: did not receive HSTS header
-japangids.nl: could not connect to host
+japangids.nl: max-age too low: 86400
 japansm.com: could not connect to host
-japanwide.net: could not connect to host
+japanwide.net: did not receive HSTS header
 japaripark.com: could not connect to host
 jape.today: could not connect to host
 japlex.com: could not connect to host
@@ -8514,20 +9094,23 @@ jaqen.ch: could not connect to host
 jardins-utopie.net: could not connect to host
 jaredbates.net: did not receive HSTS header
 jaredfraser.com: could not connect to host
-jarivisual.com: did not receive HSTS header
+jarivisual.com: could not connect to host
 jarl.ninja: could not connect to host
 jarnail.ca: could not connect to host
+jaroslavc.eu: could not connect to host
 jaroslavtrsek.cz: did not receive HSTS header
 jarrodcastaing.com: did not receive HSTS header
 jarrodcastaing.com.au: did not receive HSTS header
-jarsater.com: did not receive HSTS header
+jarsater.com: could not connect to host
 jartza.org: could not connect to host
+jasl.works: could not connect to host
 jasmineconseil.com: did not receive HSTS header
 jasoncosper.com: did not receive HSTS header
 jasonian-photo.com: could not connect to host
 jasonradin.com: did not receive HSTS header
 jasonrobinson.me: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 jasonroe.me: did not receive HSTS header
+jasonsansone.com: could not connect to host
 jasonwindholz.com: could not connect to host
 jastoria.pl: did not receive HSTS header
 jastrow.me: did not receive HSTS header
@@ -8535,18 +9118,19 @@ jateng.press: could not connect to host
 jav-collective.com: could not connect to host
 java-board.com: could not connect to host
 javachip.win: could not connect to host
-javan.ga: could not connect to host
+javan.ga: did not receive HSTS header
 javascriptlab.fr: could not connect to host
 javelinsms.com: could not connect to host
 javfree.me: could not connect to host
 javiermixdjs.com: did not receive HSTS header
+javik.net: did not receive HSTS header
 javilacat.info: could not connect to host
 jawn.ca: could not connect to host
 jawnelodzkie.org.pl: could not connect to host
 jaxageto.de: did not receive HSTS header
 jayblock.com: did not receive HSTS header
 jayharris.ca: could not connect to host
-jaylen.com.ar: did not receive HSTS header
+jaylen.com.ar: could not connect to host
 jayna.design: did not receive HSTS header
 jayschulman.com: did not receive HSTS header
 jayscoaching.com: could not connect to host
@@ -8574,22 +9158,27 @@ jcyz.cf: could not connect to host
 jdav-leipzig.de: could not connect to host
 jdcdirectsales.com.ph: could not connect to host
 jdfk.net: could not connect to host
-jdgonzalez95.com: did not receive HSTS header
+jdgonzalez95.com: could not connect to host
 jdh8.org: did not receive HSTS header
-jdsf.tk: did not receive HSTS header
+jdsf.tk: could not connect to host
 jean-remy.ch: could not connect to host
 jebengotai.com: did not receive HSTS header
-jecho.cn: could not connect to host
+jedayoshi.me: could not connect to host
+jedayoshi.tk: could not connect to host
 jeepmafia.com: did not receive HSTS header
-jeff.forsale: could not connect to host
-jeff.is: did not receive HSTS header
+jeff.forsale: did not receive HSTS header
+jeff.is: could not connect to host
 jeff393.com: could not connect to host
+jeffanderson.me: did not receive HSTS header
 jeffersonregan.org: could not connect to host
 jeffhuxley.com: could not connect to host
+jeffmcneill.com: did not receive HSTS header
 jeffreymagee.com: did not receive HSTS header
 jeil-makes.co.kr: could not connect to host
+jelewa.de: did not receive HSTS header
 jellow.nl: did not receive HSTS header
 jemoticons.com: did not receive HSTS header
+jena.space: could not connect to host
 jenjoit.de: could not connect to host
 jennedebleser.com: did not receive HSTS header
 jenniferchan.id.au: could not connect to host
@@ -8599,28 +9188,29 @@ jens-prangenberg.de: did not receive HSTS header
 jens.hk: could not connect to host
 jensenbanden.no: could not connect to host
 jenssen.org: did not receive HSTS header
-jeremyc.ca: could not connect to host
+jeparamedia.com: did not receive HSTS header
 jeremye77.com: did not receive HSTS header
 jeremymade.com: did not receive HSTS header
 jeremywagner.me: did not receive HSTS header
 jermann.biz: did not receive HSTS header
 jeroenensanne.wedding: could not connect to host
+jeroensangers.com: could not connect to host
 jeroenvanderwal.nl: did not receive HSTS header
 jeroldirvin.com: did not receive HSTS header
 jerrypau.ca: could not connect to host
 jesorsenville.com: did not receive HSTS header
-jessevictors.com: could not connect to host
 jessicah.org: could not connect to host
 jesuisformidable.nl: could not connect to host
 jesuslucas.com: did not receive HSTS header
 jet-code.com: did not receive HSTS header
+jetapi.org: could not connect to host
 jetbrains.pw: could not connect to host
-jetflex.de: did not receive HSTS header
 jetlagphotography.com: could not connect to host
 jetmirshatri.com: did not receive HSTS header
 jeton.com: did not receive HSTS header
 jetsetcharge.com: could not connect to host
 jetsetpay.com: could not connect to host
+jettlarue.com: could not connect to host
 jettravel.com.mt: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 jettshome.org: could not connect to host
 jetzt-elektromobil.de: could not connect to host
@@ -8630,7 +9220,6 @@ jewellerymarvels.com: did not receive HSTS header
 jez.nl: could not connect to host
 jfmel.com: did not receive HSTS header
 jfnllc.com: could not connect to host
-jfr.im: did not receive HSTS header
 jfx.space: did not receive HSTS header
 jh-media.eu: could not connect to host
 jhburton.co.uk: could not connect to host
@@ -8640,20 +9229,25 @@ jhejderup.me: could not connect to host
 jhermsmeier.de: could not connect to host
 jhw-profiles.de: did not receive HSTS header
 jia1hao.com: could not connect to host
+jiacl.com: could not connect to host
 jiaidu.com: could not connect to host
 jiangzequn.com: could not connect to host
+jiangzm.com: could not connect to host
 jianjiantv.com: could not connect to host
 jiaqiang.vip: could not connect to host
+jiazhao.ga: could not connect to host
 jichi.me: could not connect to host
 jie.dance: could not connect to host
 jief.me: could not connect to host
 jigsawdevelopments.com: could not connect to host
 jiid.ga: could not connect to host
-jikken.de: could not connect to host
+jikegu.com: could not connect to host
+jikken.de: did not receive HSTS header
 jimas.eu: did not receive HSTS header
 jimenacocina.com: did not receive HSTS header
 jimgao.tk: did not receive HSTS header
 jimmehcai.com: could not connect to host
+jimmycn.com: could not connect to host
 jimmynelson.com: did not receive HSTS header
 jinancy.fr: could not connect to host
 jing-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -8669,38 +9263,38 @@ jitlab.org: could not connect to host
 jitsi.org: did not receive HSTS header
 jiveiaktivno.bg: did not receive HSTS header
 jiyue.com: did not receive HSTS header
-jiyuu-ni.com: could not connect to host
-jiyuu-ni.net: could not connect to host
 jjf.org.au: did not receive HSTS header
 jka.io: did not receive HSTS header
 jkb.pics: could not connect to host
 jkbuster.com: could not connect to host
-jkinteriorspa.com: could not connect to host
+jkest.cc: could not connect to host
 jkng.eu: could not connect to host
 jko.works: could not connect to host
 jkuvw.xyz: could not connect to host
+jkyuan.tk: could not connect to host
 jldp.org: did not receive HSTS header
 jlhmedia.com: did not receive HSTS header
+jlot.org: did not receive HSTS header
 jm06.com: did not receive HSTS header
 jm22.com: could not connect to host
 jmb.lc: could not connect to host
 jmotion.co.uk: did not receive HSTS header
 jmpmotorsport.co.uk: did not receive HSTS header
 jmvbmx.ch: could not connect to host
+jmvdigital.com: did not receive HSTS header
 jn1.me: did not receive HSTS header
 jncde.de: did not receive HSTS header
 jncie.de: did not receive HSTS header
 jncie.eu: did not receive HSTS header
 jncip.de: did not receive HSTS header
 joakimalgroy.com: could not connect to host
-joaquimgoliveira.pt: could not connect to host
 jobers.ch: did not receive HSTS header
 jobers.pt: did not receive HSTS header
 jobflyapp.com: could not connect to host
-joblab.com.ua: did not receive HSTS header
 jobmedic.com: could not connect to host
+jobmob.co.il: did not receive HSTS header
 jobshq.com: did not receive HSTS header
-jobss.co.uk: did not receive HSTS header
+jobss.co.uk: could not connect to host
 jobtestprep.de: max-age too low: 0
 jobtestprep.dk: max-age too low: 0
 jobtestprep.fr: max-age too low: 0
@@ -8708,6 +9302,7 @@ jobtestprep.it: did not receive HSTS header
 jobtestprep.nl: max-age too low: 0
 jobtestprep.se: max-age too low: 0
 jodel.ninja: could not connect to host
+jodyshop.com: did not receive HSTS header
 joe-pagan.com: did not receive HSTS header
 joearodriguez.com: could not connect to host
 joecod.es: could not connect to host
@@ -8715,18 +9310,19 @@ joefixit.co.uk: could not connect to host
 joelgonewild.com: did not receive HSTS header
 joerg-wellpott.de: did not receive HSTS header
 joetyson.io: could not connect to host
+joeyfelix.com: could not connect to host
+joeyvilaro.com: could not connect to host
 johand.io: could not connect to host
 johannaojanen.com: could not connect to host
 johannes-bugenhagen.de: did not receive HSTS header
-johannes-sprink.de: could not connect to host
+johannes-sprink.de: did not receive HSTS header
 johnbrownphotography.ch: did not receive HSTS header
 johncardell.com: did not receive HSTS header
 johners.me: could not connect to host
 johngaltgroup.com: did not receive HSTS header
-johnhgaunt.com: did not receive HSTS header
+johngo.tk: did not receive HSTS header
 johnmorganpartnership.co.uk: did not receive HSTS header
 johnrom.com: could not connect to host
-johnsiu.com: did not receive HSTS header
 johntomasowa.com: could not connect to host
 johnverkerk.com: could not connect to host
 joinamericacorps.gov: could not connect to host
@@ -8736,15 +9332,19 @@ jonarcher.info: did not receive HSTS header
 jonas-keidel.de: did not receive HSTS header
 jonasgroth.se: did not receive HSTS header
 jonathan.ir: could not connect to host
+jonathancarter.org: could not connect to host
 jonathandowning.uk: did not receive HSTS header
 jonathanmassacand.ch: could not connect to host
 jonathanreyes.com: did not receive HSTS header
 jonathansanchez.pro: could not connect to host
+jonathanselea.se: did not receive HSTS header
 jonesopolis.xyz: could not connect to host
+jonferwerda.net: could not connect to host
 jonfor.net: could not connect to host
 jongha.me: could not connect to host
 jonn.me: could not connect to host
 jonnichols.info: could not connect to host
+jons.org: could not connect to host
 jonsno.ws: could not connect to host
 joostbovee.nl: did not receive HSTS header
 jooto.com: did not receive HSTS header
@@ -8763,6 +9363,7 @@ josahrens.me: could not connect to host
 jose.eti.br: did not receive HSTS header
 joseaveleira.es: did not receive HSTS header
 josecage.com: could not connect to host
+josegerber.ch: did not receive HSTS header
 josericaurte.com: could not connect to host
 joshi.su: could not connect to host
 joshplant.co.uk: could not connect to host
@@ -8771,9 +9372,10 @@ joto.de: did not receive HSTS header
 jotpics.com: could not connect to host
 jottit.com: could not connect to host
 jouetspetitechanson.com: could not connect to host
-journalof.tech: could not connect to host
+journalof.tech: max-age too low: 86400
 joworld.net: could not connect to host
 joyceclerkx.com: could not connect to host
+joyceseamone.com: did not receive HSTS header
 joyjohnston.ca: did not receive HSTS header
 joyqi.com: did not receive HSTS header
 jpaglier.com: could not connect to host
@@ -8785,31 +9387,39 @@ jproxx.com: did not receive HSTS header
 jptun.com: could not connect to host
 jrgold.me: could not connect to host
 jrmd.io: could not connect to host
-jrvar.com: did not receive HSTS header
+jrvar.com: could not connect to host
+js3311.com: could not connect to host
 js88.sg: could not connect to host
+js93029.com: could not connect to host
 jsanders.us: did not receive HSTS header
 jsbentertainment.nl: could not connect to host
 jsbevents.nl: could not connect to host
 jsblights.nl: could not connect to host
 jsc7776.com: could not connect to host
 jsdelivr.net: could not connect to host
+jsevilleja.org: could not connect to host
 jsg-technologies.de: did not receive HSTS header
 jsjyhzy.cc: could not connect to host
 jslidong.top: did not receive HSTS header
 json-viewer.com: did not receive HSTS header
 jstelecom.com.br: did not receive HSTS header
-jsuse.xyz: did not receive HSTS header
+jsuse.xyz: could not connect to host
 jsvr.tk: could not connect to host
 jsxc.ch: could not connect to host
-ju1ro.de: did not receive HSTS header
+jtcat.com: could not connect to host
+jtcjewelry.com: could not connect to host
+ju1ro.de: could not connect to host
 jualautoclave.com: did not receive HSTS header
 jualssh.com: could not connect to host
 juandesouza.com: did not receive HSTS header
 juanhub.com: did not receive HSTS header
+jubee.nl: did not receive HSTS header
 juchheim-methode.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+jucktehkeinen.de: did not receive HSTS header
 juiced.gs: did not receive HSTS header
 juka.pp.ua: could not connect to host
 julegoerke.de: did not receive HSTS header
+julenlanda.com: could not connect to host
 juliamweber.de: could not connect to host
 julian-kipka.de: did not receive HSTS header
 julian-witusch.de: could not connect to host
@@ -8829,19 +9439,22 @@ jumping-duck.com: could not connect to host
 jumpman-iphone-design.de: could not connect to host
 junaos.com: did not receive HSTS header
 junaos.xyz: did not receive HSTS header
+junctioncitywisconsin.gov: could not connect to host
 jundimax.com.br: could not connect to host
 junge-selbsthilfe.info: could not connect to host
 jungleculture.co.za: did not receive HSTS header
 junglegoat.xyz: did not receive HSTS header
+junias-fenske.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 juniwalk.cz: could not connect to host
 junjung.me: could not connect to host
+junoaroma.com: could not connect to host
 junqtion.com: could not connect to host
-jupp0r.de: did not receive HSTS header
+jupp0r.de: could not connect to host
 juridiqueo.com: did not receive HSTS header
+juristas.com.br: did not receive HSTS header
 juristeo.com: did not receive HSTS header
 jurke.com: did not receive HSTS header
 jurko.cz: could not connect to host
-jurriaan.ninja: could not connect to host
 just-english.online: did not receive HSTS header
 just-pools.co.za: could not connect to host
 just2trade.com: did not receive HSTS header
@@ -8849,37 +9462,42 @@ justbelieverecovery.com: did not receive HSTS header
 justiceforfathers.com: did not receive HSTS header
 justiceo.org: did not receive HSTS header
 justinellingwood.com: could not connect to host
+justinharrison.ca: could not connect to host
 justinlemay.com: could not connect to host
 justinrudio.com: did not receive HSTS header
 justlikethat.hosting: did not receive HSTS header
 justmy.website: did not receive HSTS header
 justnaw.co.uk: could not connect to host
-justonce.net: could not connect to host
 justudin.com: did not receive HSTS header
 justwood.cz: did not receive HSTS header
 justzz.xyz: could not connect to host
 jutella.de: did not receive HSTS header
 juul.xyz: could not connect to host
-juventusclublugano.ch: could not connect to host
+juventusclublugano.ch: did not receive HSTS header
 juventusmania1897.com: could not connect to host
 juwairen.cn: could not connect to host
 juzgalo.com: did not receive HSTS header
+jva-wuerzburg.de: could not connect to host
 jvn.com: did not receive HSTS header
 jvoice.net: did not receive HSTS header
+jwallet.cc: did not receive HSTS header
 jwilsson.me: could not connect to host
 jwolt-lx.com: could not connect to host
-jxir.de: could not connect to host
 jysperm.me: did not receive HSTS header
+jzachpearson.com: max-age too low: 0
+jzcapital.co: could not connect to host
 jznet.org: could not connect to host
 k-dev.de: could not connect to host
 k-rickroll-g.pw: could not connect to host
 k-wallet.com: could not connect to host
 k1cp.com: could not connect to host
-k33k00.com: did not receive HSTS header
-k38.cc: max-age too low: 3600
+k3508.com: could not connect to host
+k38.cc: could not connect to host
 ka-clan.com: could not connect to host
 kaanduman.com: could not connect to host
 kaasbijwijn.nl: did not receive HSTS header
+kaashosting.nl: did not receive HSTS header
+kabarlinux.id: could not connect to host
 kabinapp.com: did not receive HSTS header
 kabuabc.com: could not connect to host
 kackscharf.de: could not connect to host
@@ -8887,7 +9505,7 @@ kadioglumakina.com.tr: did not receive HSTS header
 kadmec.com: did not receive HSTS header
 kaela.design: could not connect to host
 kahopoon.net: could not connect to host
-kai.cool: did not receive HSTS header
+kai.cool: could not connect to host
 kaibol.com: could not connect to host
 kaika-facilitymanagement.de: could not connect to host
 kaika-hms.de: did not receive HSTS header
@@ -8900,8 +9518,9 @@ kajlovo.cz: could not connect to host
 kakaomilchkuh.de: did not receive HSTS header
 kaketalk.com: did not receive HSTS header
 kakoo-media.nl: could not connect to host
-kakoo.nl: could not connect to host
+kakoo.nl: did not receive HSTS header
 kakoomedia.nl: could not connect to host
+kakuto.me: could not connect to host
 kalami.nl: could not connect to host
 kaleidomarketing.com: did not receive HSTS header
 kaleidoskop-freiburg.de: did not receive HSTS header
@@ -8914,41 +9533,44 @@ kambodja.guide: could not connect to host
 kamcvicit.sk: could not connect to host
 kamikano.com: could not connect to host
 kamitech.ch: could not connect to host
+kampunginggris-ue.com: could not connect to host
 kanada.guide: could not connect to host
-kanagawachuo-hospital.jp: did not receive HSTS header
+kanagawachuo-hospital.jp: could not connect to host
 kanar.nl: could not connect to host
 kancolle.me: could not connect to host
+kandalife.com: could not connect to host
 kandec.co.jp: did not receive HSTS header
 kaneisdi.com: did not receive HSTS header
 kaneo-gmbh.de: did not receive HSTS header
 kanganer.com: could not connect to host
 kangzaber.com: could not connect to host
 kaniklani.co.za: did not receive HSTS header
-kanmitao.com: could not connect to host
+kanmitao.com: did not receive HSTS header
 kanotijd.nl: could not connect to host
 kanr.in: could not connect to host
 kanscooking.org: could not connect to host
 kantorad.io: could not connect to host
 kantv1.com: could not connect to host
-kanzakiranko.jp: could not connect to host
 kanzlei-wirtschaftsrecht.berlin: max-age too low: 600000
 kanzshop.com: could not connect to host
 kaohub.com: could not connect to host
 kaomojis.net: did not receive HSTS header
+kaotik4266.com: could not connect to host
 kapiorr.duckdns.org: could not connect to host
 kaplatz.is: could not connect to host
-kapo.info: could not connect to host
+kaplatzis.com: could not connect to host
+kapo.info: did not receive HSTS header
 kappit.dk: could not connect to host
 kapucini.si: max-age too low: 0
 kaputt.com: could not connect to host
 kapverde.guide: could not connect to host
-karaface.com: could not connect to host
 karamna.com: could not connect to host
 karanastic.com: did not receive HSTS header
 karanlyons.com: could not connect to host
 karaoketonight.com: could not connect to host
 karatekit.co.uk: could not connect to host
 karatorian.org: could not connect to host
+karenledger.ca: did not receive HSTS header
 karjala-ski.ru: could not connect to host
 karlis-kavacis.id.lv: did not receive HSTS header
 karloskontana.tk: could not connect to host
@@ -8957,23 +9579,25 @@ karpanhellas.com: could not connect to host
 kars.ooo: could not connect to host
 karting34.com: did not receive HSTS header
 karuneshjohri.com: could not connect to host
+kasadara.com: did not receive HSTS header
 kashdash.ca: could not connect to host
 kashis.com.au: max-age too low: 0
-kat.al: max-age too low: 0
+kat.al: could not connect to host
 katalogakci.cz: did not receive HSTS header
+katalogbutikker.dk: could not connect to host
 kathrinbaumannphotography.com: did not receive HSTS header
 kati0.com: could not connect to host
 katiaetdavid.fr: could not connect to host
 katja-nikolic-design.de: could not connect to host
 katoju.co.jp: could not connect to host
 katproxy.al: could not connect to host
-katproxy.online: could not connect to host
+katproxy.online: did not receive HSTS header
 katproxy.site: could not connect to host
 katproxy.tech: could not connect to host
 katproxy.top: could not connect to host
 katrinjanke.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-kattenfun.be: did not receive HSTS header
-kattenfun.nl: did not receive HSTS header
+kattenfun.be: could not connect to host
+kattenfun.nl: could not connect to host
 katthewaffle.fr: could not connect to host
 katzen.me: could not connect to host
 katzspeech.com: did not receive HSTS header
@@ -8982,8 +9606,10 @@ kauperwood.ovh: could not connect to host
 kauplusprofesional.com: did not receive HSTS header
 kausch.at: could not connect to host
 kausta.me: could not connect to host
+kaverti.com: did not receive HSTS header
 kavik.no: could not connect to host
 kavinvin.me: could not connect to host
+kawaii.io: could not connect to host
 kawaiiku.com: could not connect to host
 kawaiiku.de: could not connect to host
 kaydan.io: could not connect to host
@@ -8994,7 +9620,6 @@ kaysis.gov.tr: did not receive HSTS header
 kazamasion.com: could not connect to host
 kazanasolutions.de: could not connect to host
 kazenojiyu.fr: did not receive HSTS header
-kb3.net: did not receive HSTS header
 kbfl.org: could not connect to host
 kcluster.io: could not connect to host
 kcptun.com: could not connect to host
@@ -9003,11 +9628,13 @@ kdata.it: did not receive HSTS header
 kdbx.online: could not connect to host
 kdm-online.de: did not receive HSTS header
 kearney.io: could not connect to host
+keditor.biz: could not connect to host
 keechain.io: could not connect to host
 keeley.gq: could not connect to host
 keeley.ml: could not connect to host
 keeleysam.me: could not connect to host
-keepaa.com: could not connect to host
+keematdekho.com: could not connect to host
+keepaa.com: did not receive HSTS header
 keepassa.co: could not connect to host
 keepclean.me: could not connect to host
 keepcoalintheground.org: could not connect to host
@@ -9015,15 +9642,16 @@ keepflow.io: could not connect to host
 keepmanager.org: could not connect to host
 keeprubyweird.com: did not receive HSTS header
 kefaloniatoday.com: did not receive HSTS header
-keifel.de: could not connect to host
 keihin-chaplin.jp: did not receive HSTS header
 kein-fidget-spinner-werden.de: could not connect to host
 kejibot.com: could not connect to host
 kekehouse.net: could not connect to host
 kellyandantony.com: could not connect to host
 kelm.me: could not connect to host
+kelmarsafety.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kelp.agency: did not receive HSTS header
 ken-electric.com.br: could not connect to host
+kenbillionsyuan.tk: could not connect to host
 kenc.dk: max-age too low: 2592000
 kenchristensen.dk: max-age too low: 2592000
 kenderbeton-magyarorszag.hu: did not receive HSTS header
@@ -9033,33 +9661,33 @@ kenderhazmagyarorszag.hu: did not receive HSTS header
 kenkoelectric.com: did not receive HSTS header
 kenman.dk: max-age too low: 2592000
 kennedy.ie: could not connect to host
-kennynet.co.uk: could not connect to host
+kensparkesphotography.com: did not receive HSTS header
 kentacademiestrust.org.uk: did not receive HSTS header
 kepler-seminar.de: did not receive HSTS header
-keralit.nl: did not receive HSTS header
 kerangalam.com: did not receive HSTS header
+kerem.xyz: could not connect to host
 kerksanders.nl: could not connect to host
 kermadec.blog: could not connect to host
-kermadec.com: did not receive HSTS header
-kermadec.net: did not receive HSTS header
 kernelmode.io: did not receive HSTS header
 kernl.us: did not receive HSTS header
+kersmexico.com: could not connect to host
 keshausconsulting.com: could not connect to host
 keskeces.com: did not receive HSTS header
 kessel-runners.com: could not connect to host
 kesteren.com: could not connect to host
 kevindekoninck.com: could not connect to host
-kevinfoley.cc: could not connect to host
-kevinfoley.org: could not connect to host
+kevinheslinphoto.com: did not receive HSTS header
 kevinmoreland.com: could not connect to host
 kevinroebert.de: did not receive HSTS header
 kevlar.pw: did not receive HSTS header
 kewego.co.uk: could not connect to host
 keymaster.lookout.com: did not receive HSTS header
+keypersonins.com: did not receive HSTS header
 keyserver.sexy: could not connect to host
 kfbrussels.be: could not connect to host
+kfm.ink: did not receive HSTS header
 kg-rating.com: could not connect to host
-kgb.us: could not connect to host
+kgb.us: did not receive HSTS header
 kgregorczyk.pl: could not connect to host
 kgxtech.com: max-age too low: 2592000
 khaganat.net: did not receive HSTS header
@@ -9068,34 +9696,39 @@ khosla.uk: could not connect to host
 ki-on.net: did not receive HSTS header
 kiaka.co: could not connect to host
 kialo.com: did not receive HSTS header
-kiapps.ovh: could not connect to host
 kickass-proxies.org: could not connect to host
 kickass.al: could not connect to host
 kickasstorrents.gq: could not connect to host
 kickerplaza.nl: did not receive HSTS header
 kid-dachau.de: max-age too low: 600000
 kidbacker.com: could not connect to host
+kiddies.academy: did not receive HSTS header
+kiddieschristianacademy.co.za: did not receive HSTS header
 kidkat.cn: could not connect to host
 kidswallstickers.com.au: could not connect to host
+kiedys.net: could not connect to host
 kiel-media.de: did not receive HSTS header
 kielderweather.org.uk: did not receive HSTS header
 kielwi.gov: could not connect to host
 kienlen.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+kieran.ie: could not connect to host
+kieranjones.uk: could not connect to host
 kieranweightman.me: could not connect to host
 kiesuwcursus.nl: did not receive HSTS header
 kievradio.com: could not connect to host
+kikimilyatacado.com.br: could not connect to host
 kikuzuki.org: could not connect to host
 kiladera.be: did not receive HSTS header
-kilerd.me: did not receive HSTS header
+kilerd.me: could not connect to host
 kill-paff.com: did not receive HSTS header
-kimana.pe: could not connect to host
+kimana.pe: did not receive HSTS header
 kimberg.co.uk: did not receive HSTS header
 kimberlybeautysoapcompany.com: did not receive HSTS header
+kimo.se: did not receive HSTS header
 kimpost.org: could not connect to host
 kimscrazeecastles.co.uk: did not receive HSTS header
 kina.guide: could not connect to host
 kinderbuecher-kostenlos.de: did not receive HSTS header
-kinderjugendfreizeitverein.de: did not receive HSTS header
 kinderly.co.uk: did not receive HSTS header
 kinderopvangengeltjes.nl: did not receive HSTS header
 kinderopvangzevenbergen.nl: did not receive HSTS header
@@ -9114,27 +9747,31 @@ kinkdr.com: could not connect to host
 kinmunity.com: did not receive HSTS header
 kinnettmemorial.org: did not receive HSTS header
 kinnon.enterprises: could not connect to host
-kinomoto.me: could not connect to host
 kinow.com: did not receive HSTS header
 kinsmenhomelottery.com: did not receive HSTS header
 kintoandar.com: max-age too low: 0
-kintrip.com: did not receive HSTS header
+kintrip.com: could not connect to host
 kintzingerfilm.de: did not receive HSTS header
 kionetworks.com: did not receive HSTS header
 kipin.fr: did not receive HSTS header
 kipira.com: could not connect to host
+kipriakipita.gr: could not connect to host
 kiraboshi.xyz: could not connect to host
+kirainmoe.com: did not receive HSTS header
 kirara.eu: could not connect to host
-kircp.com: could not connect to host
+kirillpokrovsky.de: could not connect to host
 kirito.kr: did not receive HSTS header
 kirkforsenate.com: could not connect to host
 kirkpatrickdavis.com: could not connect to host
+kis-toitoidixi.de: could not connect to host
 kisa.io: could not connect to host
 kiss-register.org: could not connect to host
 kissart.net: could not connect to host
 kissesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-kissesb.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+kissesb.net: could not connect to host
 kisskiss.ch: could not connect to host
+kissoft.ro: could not connect to host
+kisstube.tv: could not connect to host
 kisstyle.ru: did not receive HSTS header
 kisun.co.jp: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kita.id: did not receive HSTS header
@@ -9143,6 +9780,8 @@ kitakemon.com: could not connect to host
 kitashop.com.br: could not connect to host
 kitatec.com.br: could not connect to host
 kitchenaccessories.pro: did not receive HSTS header
+kitchenalley.ca: max-age too low: 86400
+kitchenalley.com: max-age too low: 86400
 kitchenchaos.de: could not connect to host
 kitegarage.eu: did not receive HSTS header
 kiteschoolamsterdam.nl: could not connect to host
@@ -9151,18 +9790,24 @@ kitk.at: could not connect to host
 kitsostech.com: could not connect to host
 kitsta.com: could not connect to host
 kiwi.global: could not connect to host
+kiwico.com: max-age too low: 0
 kiwiirc.com: max-age too low: 5256000
 kiwipayment.com: could not connect to host
 kiwipayments.com: could not connect to host
 kiwiplace.com: could not connect to host
+kix.moe: did not receive HSTS header
 kiyo.space: could not connect to host
 kizil.net: could not connect to host
 kj1391.com: did not receive HSTS header
+kj1396.net: did not receive HSTS header
+kj1397.com: did not receive HSTS header
 kjaermaxi.me: did not receive HSTS header
-kjellvn.net: could not connect to host
 kjg-bachrain.de: could not connect to host
+kjg-ummeln.de: did not receive HSTS header
 kjoglum.me: could not connect to host
+kkomputer.net: did not receive HSTS header
 kkull.tv: could not connect to host
+kkws.co: could not connect to host
 klantenadvies.nl: did not receive HSTS header
 klas.or.id: did not receive HSTS header
 klatschreime.de: did not receive HSTS header
@@ -9171,30 +9816,34 @@ klauwd.com: could not connect to host
 klaxn.org: could not connect to host
 klean-ritekc.com: did not receive HSTS header
 kleberstoff.xyz: could not connect to host
+kleding.website: did not receive HSTS header
 kleertjesvoordelig.nl: could not connect to host
 kleidertauschpartys.de: could not connect to host
 kleinerarchitekturfuehrer.de: could not connect to host
 kleinholding.com: could not connect to host
 kleinserienproduktion.com: could not connect to host
 klempnershop.eu: did not receive HSTS header
-kleppe.co: could not connect to host
 kletterkater.com: did not receive HSTS header
 klicktojob.de: could not connect to host
 klingeletest.de: could not connect to host
 klingsundet.no: did not receive HSTS header
+klinkerstreet.com.ua: did not receive HSTS header
 kliqsd.com: could not connect to host
 kloentrup.de: max-age too low: 604800
+klotz-labs.com: max-age too low: 7889238
 klunkergarten.org: could not connect to host
+klustekeningen.nl: did not receive HSTS header
 km-net.pl: did not receive HSTS header
 kmdev.me: did not receive HSTS header
 knapen.io: max-age too low: 604800
 knccloud.com: could not connect to host
+kneipi.de: did not receive HSTS header
 kngk-azs.ru: could not connect to host
+kniga.market: could not connect to host
 knigadel.com: did not receive HSTS header
 knightsbridgegroup.org: could not connect to host
 knightsweep.com: could not connect to host
 kniwweler.com: could not connect to host
-knnet.ch: could not connect to host
 knowdebt.org: did not receive HSTS header
 knowledgehook.com: did not receive HSTS header
 knowledgesnap.com: could not connect to host
@@ -9202,11 +9851,15 @@ knowledgesnapsites.com: could not connect to host
 knownsec.cf: could not connect to host
 knuckles.tk: could not connect to host
 kobieta.guru: could not connect to host
+koboldcraft.ch: could not connect to host
 koddsson.com: did not receive HSTS header
 kodexplorer.ml: could not connect to host
 kodiaklabs.org: could not connect to host
 kodokushi.fr: could not connect to host
+koehn.com: could not connect to host
+koelbli.ch: could not connect to host
 koen.io: max-age too low: 86400
+koenen-bau.de: did not receive HSTS header
 koenvdheuvel.me: could not connect to host
 koerper-wie-seele.de: did not receive HSTS header
 koerperimpuls.ch: did not receive HSTS header
@@ -9217,18 +9870,23 @@ koirala.net: could not connect to host
 kokenmetaanbiedingen.nl: could not connect to host
 kokoiroworks.com: could not connect to host
 kola-entertainments.de: did not receive HSTS header
+kolania.com: could not connect to host
+kolaykaydet.com: could not connect to host
 kolbeck.tk: could not connect to host
 kollawat.me: could not connect to host
 kolozsvaricsuhe.hu: did not receive HSTS header
+kombidorango.com.br: did not receive HSTS header
 komikito.com: could not connect to host
 kompetenzwerft.de: did not receive HSTS header
 konata.us: could not connect to host
 kongbaofang.com: could not connect to host
 konicaprinterdriver.com: could not connect to host
 konings.it: could not connect to host
+konkai.store: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 konkurs.ba: could not connect to host
 kontakthuman.hu: did not receive HSTS header
 kontaxis.network: could not connect to host
+kontrolapovinnosti.cz: did not receive HSTS header
 konventseliten.se: could not connect to host
 koop-bremen.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 koopjesnel.nl: could not connect to host
@@ -9236,14 +9894,17 @@ koordinate.net: could not connect to host
 kopio.jp: did not receive HSTS header
 koppelvlak.net: could not connect to host
 kopular.com: could not connect to host
+koretech.nl: could not connect to host
 kori.ml: did not receive HSTS header
 koriyoukai.net: did not receive HSTS header
 kornersafe.com: did not receive HSTS header
 korni22.org: could not connect to host
-korsanparti.org: could not connect to host
+korsanparti.org: did not receive HSTS header
 kostuumstore.nl: could not connect to host
 kostya.net: did not receive HSTS header
 kotakoo.id: could not connect to host
+kotausaha.com: could not connect to host
+kotelezobiztositas.eu: did not receive HSTS header
 kotomei.moe: could not connect to host
 kotonehoko.net: could not connect to host
 kotorimusic.ga: could not connect to host
@@ -9252,23 +9913,23 @@ kottur.is: could not connect to host
 koukni.cz: did not receive HSTS header
 kourpe.online: could not connect to host
 kousaku.jp: could not connect to host
+kovnsk.net: could not connect to host
+kovuthehusky.com: did not receive HSTS header
 kozmik.co: could not connect to host
 kpdyer.com: did not receive HSTS header
 kpebetka.net: did not receive HSTS header
+kpmgpublications.ie: did not receive HSTS header
 kpn-dnssec.com: could not connect to host
 kprog.net: did not receive HSTS header
 kpvpn.com: could not connect to host
-kradalby.no: could not connect to host
 kraigwalker.com: could not connect to host
 kraiwan.com: did not receive HSTS header
-krampus-fischamend.at: could not connect to host
 krasavchik.by: could not connect to host
 krasota.ru: did not receive HSTS header
 krausen.ca: could not connect to host
-krausoft.hu: could not connect to host
+krausoft.hu: did not receive HSTS header
 kravelindo-adventure.com: could not connect to host
 kraynik.com: could not connect to host
-krayx.com: could not connect to host
 krc.link: could not connect to host
 kream.io: did not receive HSTS header
 kreavis.com: did not receive HSTS header
@@ -9276,7 +9937,7 @@ kreb.io: could not connect to host
 kredietpaspoort.nl: could not connect to host
 kredite.sale: could not connect to host
 kredite24.de: did not receive HSTS header
-kreditkarte-fuer-backpacker.de: did not receive HSTS header
+kreditkarte-fuer-backpacker.de: could not connect to host
 krestanskydarek.cz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kreza.de: could not connect to host
 kriegskindernothilfe.de: could not connect to host
@@ -9284,12 +9945,12 @@ kriegt.es: did not receive HSTS header
 krist.club: did not receive HSTS header
 kristjanrang.eu: did not receive HSTS header
 kristofferkoch.com: could not connect to host
-krizek.cc: did not receive HSTS header
+krizek.cc: could not connect to host
 krizevackapajdasija.hr: could not connect to host
 krmela.com: did not receive HSTS header
 kroetenfuchs.de: could not connect to host
 krokodent.de: did not receive HSTS header
-kromonos.net: could not connect to host
+kronaw.it: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kronych.cz: could not connect to host
 kroodle.nl: did not receive HSTS header
 krouzkyliduska.cz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -9297,10 +9958,10 @@ kruegerrand-wert.de: did not receive HSTS header
 krunut.com: did not receive HSTS header
 kryha.io: did not receive HSTS header
 krypteia.org: could not connect to host
-kryptomech.com: could not connect to host
-ks88.com: could not connect to host
+kryptomodkingz.com: could not connect to host
 ksfh-mail.de: could not connect to host
 ksk-agentur.de: did not receive HSTS header
+kspg.tv: could not connect to host
 kstan.me: could not connect to host
 kswcosmetics.com: could not connect to host
 kswriter.com: could not connect to host
@@ -9310,33 +9971,37 @@ kuba.guide: could not connect to host
 kubiwa.net: could not connect to host
 kubusadvocaten.nl: could not connect to host
 kuchenschock.de: did not receive HSTS header
-kucheryavenkovn.ru: did not receive HSTS header
+kucheryavenkovn.ru: could not connect to host
 kucom.it: did not receive HSTS header
-kuechenplan.online: could not connect to host
+kuechenplan.online: did not receive HSTS header
 kueulangtahunanak.net: could not connect to host
 kuko-crews.org: could not connect to host
 kultmobil.se: did not receive HSTS header
 kum.com: could not connect to host
 kummerlaender.eu: did not receive HSTS header
-kundenerreichen.com: did not receive HSTS header
-kundenerreichen.de: did not receive HSTS header
+kundenerreichen.com: could not connect to host
+kundenerreichen.de: could not connect to host
 kundo.se: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+kunstfehler.at: did not receive HSTS header
 kunstschule-krabax.de: did not receive HSTS header
 kuops.com: did not receive HSTS header
 kupdokuchyne.cz: could not connect to host
 kupelne-ptacek.sk: did not receive HSTS header
 kuppingercole.com: did not receive HSTS header
 kura.io: could not connect to host
+kurashino-mall.com: could not connect to host
 kurehun.org: could not connect to host
 kuro346.moe: could not connect to host
 kuroisalva.xyz: did not receive HSTS header
+kurrende.nrw: could not connect to host
+kurrietv.nl: did not receive HSTS header
 kursprogramisty.pl: could not connect to host
 kurtmclester.com: could not connect to host
 kurumi.io: did not receive HSTS header
 kurz.pw: could not connect to host
 kurzonline.com.br: could not connect to host
 kuwago.io: could not connect to host
-kuzdrowiu24.pl: did not receive HSTS header
+kuzdrowiu24.pl: could not connect to host
 kvt.berlin: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 kwidz.fr: did not receive HSTS header
 kwikmed.eu: could not connect to host
@@ -9345,21 +10010,22 @@ kwipi.com: did not receive HSTS header
 kwmr.me: did not receive HSTS header
 kwok.tv: could not connect to host
 kwondratsch.com: could not connect to host
-kxind.cn: could not connect to host
-kyanite.co: could not connect to host
+kxind.cn: did not receive HSTS header
+kyanite.co: max-age too low: 7889238
 kyberna.xyz: could not connect to host
 kykoonn.net: did not receive HSTS header
 kylapps.com: did not receive HSTS header
 kyle.place: could not connect to host
 kylebaldw.in: did not receive HSTS header
 kylerwood.com: could not connect to host
+kylescastles.co.uk: did not receive HSTS header
 kyliehunt.com: did not receive HSTS header
 kylling.io: could not connect to host
 kymo.org: did not receive HSTS header
 kynaston.org.uk: could not connect to host
 kyochon.fr: could not connect to host
 kyonagashima.com: did not receive HSTS header
-kyoto-k9.com: did not receive HSTS header
+kyoto-sake.net: could not connect to host
 kyouko.nl: could not connect to host
 kyujin-office.net: could not connect to host
 kzjnet.com: could not connect to host
@@ -9369,7 +10035,7 @@ l18.io: could not connect to host
 l3j.net: could not connect to host
 la-flora-negra.de: could not connect to host
 la-grande-jaugue.fr: did not receive HSTS header
-la-retraite-info.com: did not receive HSTS header
+la-retraite-info.com: could not connect to host
 la-serendipite.fr: did not receive HSTS header
 labaia.info: could not connect to host
 laballoons.com: max-age too low: 7889238
@@ -9396,6 +10062,7 @@ lacentral.com: did not receive HSTS header
 lacledeslan.ninja: could not connect to host
 lacuevadechauvet.com: did not receive HSTS header
 ladadate.com: could not connect to host
+ladenzeile.de: did not receive HSTS header
 ladybugjam.com: could not connect to host
 ladylikeit.com: could not connect to host
 ladylucks.co.uk: could not connect to host
@@ -9404,11 +10071,13 @@ laemen.nl: could not connect to host
 laf.in.net: could not connect to host
 lafamillemusique.fr: did not receive HSTS header
 lafeemam.fr: could not connect to host
+lafka.org: could not connect to host
 laforetenchantee.ch: could not connect to host
+lafosseobservatoire.be: did not receive HSTS header
 lafr4nc3.xyz: could not connect to host
+lag-gbr.gq: could not connect to host
 lagalerievirtuelle.fr: did not receive HSTS header
 lagier.xyz: could not connect to host
-laglab.org: could not connect to host
 lagodny.eu: could not connect to host
 lagoza.name: could not connect to host
 laharilais.fr: did not receive HSTS header
@@ -9422,20 +10091,23 @@ lakewoodcomputerservices.com: could not connect to host
 lalajj.com: could not connect to host
 laltroweb.it: did not receive HSTS header
 lamafioso.com: could not connect to host
+lamaisondelatransformationculturelle.com: did not receive HSTS header
 lamaland.ru: did not receive HSTS header
+lamanwebinfo.com: did not receive HSTS header
 lambda-complex.org: could not connect to host
 lambdafive.co.uk: could not connect to host
+lamiaposta.email: did not receive HSTS header
 lamomebijou.paris: did not receive HSTS header
 lampl.info: could not connect to host
 lamtv.com.mx: could not connect to host
 lan2k.org: max-age too low: 86400
 lanauzedesigns.com: did not receive HSTS header
 lanboll.com: could not connect to host
-lanbyte.se: did not receive HSTS header
+lanbyte.se: could not connect to host
 lancehoteis.com: did not receive HSTS header
 lancehoteis.com.br: did not receive HSTS header
+lancork.net: could not connect to host
 land-links.org: did not receive HSTS header
-landbetweenthelakes.us: did not receive HSTS header
 landell.ml: could not connect to host
 landgoedverkopen.nl: could not connect to host
 landhuisverkopen.nl: could not connect to host
@@ -9445,29 +10117,32 @@ langenbach.rocks: could not connect to host
 langendorf-ernaehrung-training.de: could not connect to host
 langendries.eu: did not receive HSTS header
 langhun.me: could not connect to host
+lanhhuyet510.tk: could not connect to host
 laniakean.com: did not receive HSTS header
+lannainnovation.com: did not receive HSTS header
 lanonfire.com: could not connect to host
 lansinoh.co.uk: did not receive HSTS header
 lanzainc.xyz: could not connect to host
 laobox.fr: could not connect to host
-laohei.org: could not connect to host
+laohei.org: did not receive HSTS header
 laospage.com: did not receive HSTS header
 lapakus.com: could not connect to host
 laperfumista.es: could not connect to host
-lapetition.be: could not connect to host
 laplaceduvillage.net: could not connect to host
 laquack.com: could not connect to host
 lared.ovh: did not receive HSTS header
 laredsemanario.com: could not connect to host
-larky.top: could not connect to host
 larsgujord.no: did not receive HSTS header
 larsmerke.de: did not receive HSTS header
 lasepiataca.com: did not receive HSTS header
 lasercloud.ml: could not connect to host
+laserfuchs.de: did not receive HSTS header
 lashstuff.com: did not receive HSTS header
 lasnaves.com: did not receive HSTS header
+lassesworld.com: could not connect to host
+lassesworld.se: could not connect to host
 lasst-uns-beten.de: could not connect to host
-lastharo.com: could not connect to host
+latabaccheria.net: could not connect to host
 latable-bowling-vire.fr: did not receive HSTS header
 latabledebry.be: could not connect to host
 latamarissiere.eu: could not connect to host
@@ -9479,18 +10154,22 @@ lathamlabs.com: could not connect to host
 lathamlabs.net: could not connect to host
 lathamlabs.org: could not connect to host
 lathen-wahn.de: did not receive HSTS header
+latiendadelbebefeliz.com: did not receive HSTS header
+latinphone.com: could not connect to host
 latinred.com: did not receive HSTS header
 latitude42technology.com: did not receive HSTS header
 latour-managedcare.ch: could not connect to host
+latterdaybride.com: max-age too low: 7889238
 latus.xyz: could not connect to host
 laufcampus.com: did not receive HSTS header
+laufers.pl: did not receive HSTS header
 laufseminare-laufreisen.com: did not receive HSTS header
 lauftrainer-ausbildung.com: did not receive HSTS header
 laurel4th.org: did not receive HSTS header
 laurelspaandlash.com: did not receive HSTS header
 laureltv.org: did not receive HSTS header
 laurent-e-levy.com: did not receive HSTS header
-lausitzer-widerstand.de: could not connect to host
+lausitzer-widerstand.de: did not receive HSTS header
 lavapot.com: did not receive HSTS header
 laventainnhotel-mailing.com: could not connect to host
 lavine.ch: did not receive HSTS header
@@ -9506,27 +10185,30 @@ laymans911.info: could not connect to host
 lazapateriahandmade.pe: did not receive HSTS header
 lazerus.net: could not connect to host
 lazulu.com: could not connect to host
+lazurit.com: did not receive HSTS header
 lazytux.de: did not receive HSTS header
 lbarrios.es: could not connect to host
 lbrlh.tk: could not connect to host
 lbrli.tk: could not connect to host
 lbrls.tk: could not connect to host
 lbrt.xyz: could not connect to host
+lbsi-nordwest.de: did not receive HSTS header
+lcbizsolutions.com: could not connect to host
 lclarkpdx.com: could not connect to host
 lcti.biz: could not connect to host
+lcy.cat: could not connect to host
+lcybox.com: did not receive HSTS header
 ldarby.me.uk: could not connect to host
 ldcraft.pw: could not connect to host
 leadbook.ru: max-age too low: 604800
-leadership9.com: could not connect to host
-leadgenie.me: could not connect to host
-leadinfo.com: did not receive HSTS header
 leadstart.org: did not receive HSTS header
 leakedminecraft.net: could not connect to host
-leakreporter.net: could not connect to host
+leakreporter.net: did not receive HSTS header
 leaks.directory: could not connect to host
 leanclub.org: could not connect to host
 leaodarodesia.com.br: could not connect to host
 leardev.de: did not receive HSTS header
+learn-smart.uk: did not receive HSTS header
 learnedhacker.com: could not connect to host
 learnedovo.com: did not receive HSTS header
 learnfrenchfluently.com: could not connect to host
@@ -9537,6 +10219,7 @@ lebosse.me: could not connect to host
 lebrun.org: could not connect to host
 lecourtier.fr: did not receive HSTS header
 led-tl-wereld.nl: did not receive HSTS header
+led.xyz: could not connect to host
 leddruckalarm.de: did not receive HSTS header
 ledgerscope.net: could not connect to host
 ledhouse.sk: did not receive HSTS header
@@ -9554,7 +10237,6 @@ leen.io: could not connect to host
 leerkotte.eu: could not connect to host
 leetsaber.com: did not receive HSTS header
 legal.farm: could not connect to host
-legalcontrol.info: could not connect to host
 legaleus.co.uk: could not connect to host
 legalisepeacebloom.com: could not connect to host
 legalrobot-uat.com: could not connect to host
@@ -9564,7 +10246,9 @@ legarage.org: did not receive HSTS header
 legatofmrc.fr: could not connect to host
 legavenue.com.br: did not receive HSTS header
 legendary.camera: did not receive HSTS header
+legendarycamera.com: did not receive HSTS header
 legitaxi.com: did not receive HSTS header
+legumefederation.org: did not receive HSTS header
 legymnase.eu: did not receive HSTS header
 lehtinen.xyz: could not connect to host
 leigh.life: did not receive HSTS header
@@ -9574,19 +10258,22 @@ leinir.dk: did not receive HSTS header
 leition.com: did not receive HSTS header
 leitionusercontent.com: did not receive HSTS header
 leitner.com.au: did not receive HSTS header
+leiyun.me: could not connect to host
 lelehei.com: could not connect to host
 lellyboi.ml: could not connect to host
 lelongbank.com: did not receive HSTS header
 lelubre.info: did not receive HSTS header
 lemon.co: could not connect to host
+lemonthy.ca: could not connect to host
 lemp.io: did not receive HSTS header
 lenders.direct: could not connect to host
+lenguajedeprogramacion.com: did not receive HSTS header
 lengyelnyelvoktatas.hu: could not connect to host
 lengyelul.hu: could not connect to host
 lenkunz.me: could not connect to host
 lenn1.de: did not receive HSTS header
 lennarth.com: could not connect to host
-lennartheinrich.de: did not receive HSTS header
+lennartheinrich.de: could not connect to host
 lennier.info: could not connect to host
 lennyfaces.net: did not receive HSTS header
 lenovogaming.com: could not connect to host
@@ -9594,15 +10281,16 @@ lentri.com: did not receive HSTS header
 lenzw.de: did not receive HSTS header
 leob.in: could not connect to host
 leochedibracchio.com: did not receive HSTS header
+leodaniels.com: did not receive HSTS header
 leon-jaekel.com: could not connect to host
 leonardcamacho.me: could not connect to host
+leonauto.de: could not connect to host
 leonhooijer.nl: could not connect to host
-leonmahler.consulting: did not receive HSTS header
 leopold.email: could not connect to host
 leopotamgroup.com: could not connect to host
-leovanna.co.uk: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 lepiquillo.fr: did not receive HSTS header
 lepont.pl: could not connect to host
+leprado.com: could not connect to host
 lerasenglish.com: max-age too low: 0
 lerlivros.online: could not connect to host
 lerner.moscow: did not receive HSTS header
@@ -9611,21 +10299,23 @@ les-voitures-electriques.com: max-age too low: 2592000
 lesbiansslaves.com: could not connect to host
 lesbofight.com: could not connect to host
 lescomptoirsdepierrot.com: could not connect to host
+lesconteursavis.org: could not connect to host
+lescourtiersbordelais.com: did not receive HSTS header
 lesdouceursdeliyana.com: could not connect to host
 lesecuadors.com: did not receive HSTS header
 lesformations.net: could not connect to host
 lesh.eu: could not connect to host
 lesharris.com: could not connect to host
-lesjardinsdubanchet.fr: could not connect to host
+leshervelines.com: could not connect to host
 lesliekearney.com: did not receive HSTS header
 lesperlesdunet.fr: could not connect to host
 lesquatredauphins.fr: did not receive HSTS header
-lesquerda.cat: did not receive HSTS header
 lessing.consulting: did not receive HSTS header
 letempsdunefleur.be: could not connect to host
 leter.io: did not receive HSTS header
 lethbridgecoffee.com: did not receive HSTS header
 letitfly.me: could not connect to host
+letraba.com: could not connect to host
 letras.mus.br: did not receive HSTS header
 letreview.ph: could not connect to host
 letsgetintouch.com: could not connect to host
@@ -9641,15 +10331,17 @@ levelum.com: did not receive HSTS header
 levelupwear.com: max-age too low: 7889238
 leveredge.net: could not connect to host
 levert.ch: could not connect to host
+lewdgamer.com: could not connect to host
 lewisjuggins.co.uk: did not receive HSTS header
 lewisseals.com: could not connect to host
 lexiphanic.co.uk: did not receive HSTS header
 lexpartsofac.com: could not connect to host
+lexxyn.nl: did not receive HSTS header
 lez-cuties.com: could not connect to host
 lezdomsm.com: could not connect to host
 lfaz.org: could not connect to host
 lg21.co: could not connect to host
-lgbtqventures.com: did not receive HSTS header
+lgbtqventures.com: max-age too low: 86400
 lgbtventures.com: did not receive HSTS header
 lgiswa.com.au: did not receive HSTS header
 lgrs.com.au: did not receive HSTS header
@@ -9677,7 +10369,6 @@ lianyexiuchang.in: could not connect to host
 liaoshuma.com: could not connect to host
 liaozheqi.cn: could not connect to host
 liaronce.win: could not connect to host
-liautard.fr: could not connect to host
 libanco.com: could not connect to host
 libdeer.so: could not connect to host
 libertas-tech.com: could not connect to host
@@ -9687,7 +10378,6 @@ libfte.org: did not receive HSTS header
 librairie-asie.com: did not receive HSTS header
 library.linode.com: did not receive HSTS header
 librechan.net: could not connect to host
-librends.org: could not connect to host
 libricks.fr: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 librisulibri.it: did not receive HSTS header
 licence-registry.com: could not connect to host
@@ -9700,6 +10390,7 @@ lidl-selection.at: did not receive HSTS header
 liduan.com: could not connect to host
 liebach.me: did not receive HSTS header
 liebestarot.at: did not receive HSTS header
+lieblingsholz.de: could not connect to host
 lied8.eu: could not connect to host
 liehuojun.com: could not connect to host
 lietaer.eu: did not receive HSTS header
@@ -9708,13 +10399,13 @@ lifecoach.tw: did not receive HSTS header
 lifecoachproviders.com: could not connect to host
 lifeguard.aecom.com: did not receive HSTS header
 lifeinitsownway.com: could not connect to host
-lifeinsurances.pro: did not receive HSTS header
+lifeinsurances.pro: could not connect to host
 lifeinsurances24.com: did not receive HSTS header
 lifemarque.co.uk: did not receive HSTS header
 lifenexto.com: could not connect to host
 lifeng.us: could not connect to host
-lifequotes-uk.co.uk: could not connect to host
 lifeskillsdirect.com: did not receive HSTS header
+lifestyle7788.com: could not connect to host
 lifestyler.me: could not connect to host
 lifetimemoneymachine.com: did not receive HSTS header
 lifeventure.co.uk: did not receive HSTS header
@@ -9732,32 +10423,33 @@ lignemalin.com: could not connect to host
 lignemax.com: did not receive HSTS header
 lignenet.com: did not receive HSTS header
 lijero.co: could not connect to host
+likc.me: did not receive HSTS header
 like.lgbt: could not connect to host
-likenewhearing.com.au: could not connect to host
 likenosis.com: could not connect to host
 lila.pink: did not receive HSTS header
 lilapmedia.com: did not receive HSTS header
 lilismartinis.com: could not connect to host
-lillpopp.eu: max-age too low: 10
+lillpopp.eu: did not receive HSTS header
 lilpwny.com: could not connect to host
 lilycms.com: could not connect to host
 lilygreen.co.za: did not receive HSTS header
 limalama.eu: max-age too low: 1
-limeres.com: could not connect to host
+limeburst.net: did not receive HSTS header
 limeyeti.com: could not connect to host
 limiteddata.co.uk: could not connect to host
-limitget.com: did not receive HSTS header
+limitget.com: could not connect to host
+limn.me: could not connect to host
 limodo-shop.de: did not receive HSTS header
 limpens.net: did not receive HSTS header
 limpido.it: could not connect to host
 limunana.com: could not connect to host
+lincolncountytn.gov: could not connect to host
 lincsbouncycastlehire.co.uk: did not receive HSTS header
 lindberg.io: did not receive HSTS header
-linden.me: did not receive HSTS header
-lindnerhof.info: did not receive HSTS header
+lindnerhof.info: could not connect to host
 lineauniformes.com.br: could not connect to host
-linernotekids.com: did not receive HSTS header
-linext.cn: could not connect to host
+linernotekids.com: could not connect to host
+linext.cn: did not receive HSTS header
 lingerie.net.br: did not receive HSTS header
 lingerielovers.com.br: did not receive HSTS header
 lingerieonline.com.br: could not connect to host
@@ -9769,18 +10461,19 @@ linhaoyi.com: could not connect to host
 link.ba: could not connect to host
 linkage.ph: did not receive HSTS header
 linkages.org: could not connect to host
+linkonaut.net: could not connect to host
 linksanitizer.com: could not connect to host
 linksextremist.at: could not connect to host
-linkthisstatus.ml: could not connect to host
+linkybos.com: did not receive HSTS header
 linley.de: could not connect to host
 linmi.cc: did not receive HSTS header
 linno.me: could not connect to host
 linorman1997.me: could not connect to host
 linostassi.net: could not connect to host
-linpx.com: could not connect to host
 linux-admin-california.com: could not connect to host
 linux-mint.cz: could not connect to host
 linux.army: could not connect to host
+linux.im: did not receive HSTS header
 linux.sb: could not connect to host
 linuxandstuff.de: could not connect to host
 linuxcode.net: could not connect to host
@@ -9793,6 +10486,7 @@ linuxmint.cz: could not connect to host
 linuxmonitoring.net: could not connect to host
 linvx.org: did not receive HSTS header
 linxmind.eu: could not connect to host
+lionhosting.nl: could not connect to host
 lipo.lol: could not connect to host
 liquid.solutions: did not receive HSTS header
 liquidcomm.net: could not connect to host
@@ -9807,6 +10501,7 @@ lisowski-photography.com: could not connect to host
 lissabon.guide: could not connect to host
 listafirmelor.com: could not connect to host
 listage.ovh: did not receive HSTS header
+listal.com: could not connect to host
 lists.mayfirst.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 litcc.com: could not connect to host
 litcomphonors.com: could not connect to host
@@ -9817,10 +10512,10 @@ littledisney.ro: did not receive HSTS header
 littlefreelibrary.org: did not receive HSTS header
 littlelife.co.uk: did not receive HSTS header
 littleservice.cn: could not connect to host
-littleskin.cn: did not receive HSTS header
 liud.im: could not connect to host
 liujunyang.com: did not receive HSTS header
 liukang.tech: could not connect to host
+liushuyu.tk: did not receive HSTS header
 liv3ly.com: did not receive HSTS header
 livechatlady.info: did not receive HSTS header
 livedemo.io: could not connect to host
@@ -9830,19 +10525,23 @@ liverewrite.com: could not connect to host
 livesearch-fukuoka.com: did not receive HSTS header
 liviababynet.com.br: could not connect to host
 livinghealthywithchocolate.com: did not receive HSTS header
+livrariacoad.com.br: could not connect to host
 livrariahugodesaovitor.com.br: could not connect to host
+livroseuniformes.com.br: could not connect to host
 lixiang.one: could not connect to host
 lixiaojiang.ga: could not connect to host
 lixingcong.com: could not connect to host
-liyinjia.com: could not connect to host
+liyinjia.com: did not receive HSTS header
 lizzythepooch.com: did not receive HSTS header
-lkiserver.com: could not connect to host
-llamasweet.tech: could not connect to host
+ljason.cn: could not connect to host
+lkiserver.com: max-age too low: 43200
 lll.st: could not connect to host
 llvm.us: could not connect to host
+lmerza.com: did not receive HSTS header
 lmrcouncil.gov: could not connect to host
 ln.io: could not connect to host
 lnbeauty.ru: max-age too low: 0
+lnmp.me: could not connect to host
 lnoldan.com: could not connect to host
 loacg.com: did not receive HSTS header
 loadingdeck.com: did not receive HSTS header
@@ -9851,19 +10550,21 @@ loadtraining.com: did not receive HSTS header
 loafbox.com: could not connect to host
 loafhead.me: could not connect to host
 loanmatch.sg: could not connect to host
+loansharkpro.com: could not connect to host
 loansonline.today: could not connect to host
 loanstreet.be: could not connect to host
 lobin21.com: could not connect to host
 lobosdomain.ddns.net: could not connect to host
+lobosdomain.hopto.org: could not connect to host
 lobosdomain.no-ip.info: could not connect to host
 lobste.rs: did not receive HSTS header
 locais.org: could not connect to host
 localblitz.com: did not receive HSTS header
 localchum.com: could not connect to host
-localdata.us: did not receive HSTS header
+localdata.us: could not connect to host
 localdrive.me: could not connect to host
+localhorst.xyz: could not connect to host
 localnetwork.nz: could not connect to host
-location-fichier-email.com: could not connect to host
 locationvoitureautriche.com: could not connect to host
 locationvoiturecorse.net: could not connect to host
 locationvoiturefinlande.com: could not connect to host
@@ -9873,9 +10574,10 @@ locationvoiturenorvege.com: could not connect to host
 locationvoiturepaysbas.com: could not connect to host
 locationvoituresuede.com: could not connect to host
 locchat.com: could not connect to host
+locker.email: could not connect to host
 locker3.com: could not connect to host
+lockify.com: could not connect to host
 locksmith-durbannorth.co.za: could not connect to host
-locksmithdearborn.com: did not receive HSTS header
 locksmithhillcrest.co.za: could not connect to host
 locksmithrandburg24-7.co.za: could not connect to host
 locksmithsbluff.com: could not connect to host
@@ -9899,7 +10601,7 @@ logicsale.com: did not receive HSTS header
 logicsale.de: did not receive HSTS header
 logicsale.fr: did not receive HSTS header
 logicsale.it: did not receive HSTS header
-logimagine.com: could not connect to host
+logimagine.com: did not receive HSTS header
 login.corp.google.com: max-age too low: 7776000 (error ignored - included regardless)
 login.persona.org: could not connect to host
 logingate.hu: could not connect to host
@@ -9907,7 +10609,7 @@ loginseite.com: could not connect to host
 logistify.com.mx: did not receive HSTS header
 lognot.net: could not connect to host
 logymedia.com: could not connect to host
-lohl1kohl.de: could not connect to host
+lohl1kohl.de: did not receive HSTS header
 loisircreatif.net: did not receive HSTS header
 lojadocristaozinho.com.br: could not connect to host
 lojadoprazer.com.br: could not connect to host
@@ -9915,22 +10617,26 @@ lojahunamarcenaria.com.br: could not connect to host
 lojamulticapmais.com.br: did not receive HSTS header
 lojashowdecozinha.com.br: could not connect to host
 lojasviavento.com.br: could not connect to host
+lojatema.com.br: could not connect to host
 lojavalcapelli.com.br: could not connect to host
-lolhax.org: could not connect to host
+lojavirtualfct.com.br: did not receive HSTS header
 loli.bz: could not connect to host
 loli.com: could not connect to host
-loli.vip: did not receive HSTS header
+loli.vip: could not connect to host
 lolicon.info: could not connect to host
 lolicore.ch: could not connect to host
 lolidunno.com: could not connect to host
 lolis.stream: could not connect to host
 lollaconcept.com.br: could not connect to host
-lonasdigital.com: did not receive HSTS header
+lonasdigital.com: could not connect to host
 lonbali.com: did not receive HSTS header
 londoncalling.co: did not receive HSTS header
 londonlanguageexchange.com: could not connect to host
 londonseedcentre.co.uk: could not connect to host
 lonerwolf.com: did not receive HSTS header
+long139.com: could not connect to host
+long18.cc: could not connect to host
+long688.com: could not connect to host
 longboarding-ulm.de: could not connect to host
 longma.pw: could not connect to host
 longtaitouwang.com: did not receive HSTS header
@@ -9940,9 +10646,11 @@ looktothestars.org: did not receive HSTS header
 lookupclose.com: did not receive HSTS header
 looneymooney.com: could not connect to host
 loongsg.xyz: could not connect to host
+loony.info: could not connect to host
+loopower.com: could not connect to host
 loperetti.ch: could not connect to host
 loqyu.co: could not connect to host
-lordgun.com: could not connect to host
+lordgun.com: did not receive HSTS header
 lordjevington.co.uk: did not receive HSTS header
 losebellyfat.pro: could not connect to host
 losrascadoresparagatos.com: did not receive HSTS header
@@ -9959,11 +10667,11 @@ lothuytinhsi.com: could not connect to host
 lotos-ag.ch: did not receive HSTS header
 lotsencafe.de: did not receive HSTS header
 lottosonline.com: did not receive HSTS header
-lotuscloud.de: did not receive HSTS header
+lotuscloud.de: could not connect to host
 lotuscloud.org: could not connect to host
 louduniverse.net: did not receive HSTS header
 louiewatch.com: could not connect to host
-louisvillevmug.info: could not connect to host
+louisvillevmug.info: did not receive HSTS header
 love-schna.jp: could not connect to host
 love4taylor.eu.org: could not connect to host
 loveable.de: could not connect to host
@@ -9971,7 +10679,7 @@ loveamber.me: could not connect to host
 loveandloyalty.se: could not connect to host
 lovebo9.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 lovebo9.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-lovelens.ch: could not connect to host
+lovelens.ch: max-age too low: 0
 lovelifelovelive.com: could not connect to host
 lovelive-anime.tk: could not connect to host
 lovelive-anime.tokyo: could not connect to host
@@ -9980,10 +10688,12 @@ lovelyblogacademy.com: did not receive HSTS header
 lovelychalets-peisey.com: did not receive HSTS header
 lovelycorral.com: did not receive HSTS header
 lovelyfriends.org: did not receive HSTS header
+lovelytimes.net: could not connect to host
 lovemen.cc: did not receive HSTS header
 lovemysafetynet.com: did not receive HSTS header
 loveread-ec.appspot.com: did not receive HSTS header
 loveto.at: could not connect to host
+lovetravel360.com: could not connect to host
 lovingpenguin.com: did not receive HSTS header
 lowhangingfruitgrabber.com: could not connect to host
 lowt.us: could not connect to host
@@ -9993,43 +10703,55 @@ loxis.be: did not receive HSTS header
 loyaltech.ch: could not connect to host
 lpacademy.com.br: could not connect to host
 lpak.nl: could not connect to host
+lpcom.de: max-age too low: 172800
 lpgram.ga: could not connect to host
 lpm-uk.com: did not receive HSTS header
+lqs.me: could not connect to host
 lrhsclubs.com: could not connect to host
 lrhstsa.com: could not connect to host
 ls-a.org: did not receive HSTS header
 ls-reallife.de: did not receive HSTS header
 ls-rp.es: did not receive HSTS header
-lsky.cn: did not receive HSTS header
+lshiy.com: did not receive HSTS header
+lsky.cn: could not connect to host
 lsp-sports.de: did not receive HSTS header
 lstma.com: could not connect to host
 lsvih.com: did not receive HSTS header
 lswim.com: did not receive HSTS header
 lsws.de: could not connect to host
-lsys.ac: could not connect to host
+lsy.cn: did not receive HSTS header
 lszj.com: could not connect to host
 ltba.org: could not connect to host
 ltbytes.com: could not connect to host
 ltechnologygroup.com: could not connect to host
 ltransferts.com: could not connect to host
 ltu.social: could not connect to host
-luan.ma: did not receive HSTS header
+lubomirkazakov.com: did not receive HSTS header
 lubot.net: could not connect to host
+lucakrebs.de: could not connect to host
 lucas-garte.com: did not receive HSTS header
 lucascantor.com: did not receive HSTS header
+lucascobb.com: did not receive HSTS header
 lucascodes.com: could not connect to host
-lucassoler.com.ar: could not connect to host
 lucaterzini.com: could not connect to host
+lucianoalbanes.com: did not receive HSTS header
 lucidlogs.com: could not connect to host
 luckydog.pw: could not connect to host
 luckystarfishing.com: did not receive HSTS header
 luclu7.pw: could not connect to host
-ludwig.click: did not receive HSTS header
+ludwig.click: could not connect to host
 lufthansaexperts.com: max-age too low: 2592000
 luganskservers.net: could not connect to host
+luginbuehl.eu: could not connect to host
 luis-checa.com: could not connect to host
+luisgf.es: did not receive HSTS header
 luisv.me: could not connect to host
+luizkowalski.net: could not connect to host
 luk.photo: could not connect to host
+lukas-schauer.de: did not receive HSTS header
+lukas.im: did not receive HSTS header
+lukas2511.de: did not receive HSTS header
+lukasschauer.de: did not receive HSTS header
 lukasunger.cz: could not connect to host
 lukasunger.net: could not connect to host
 lukaszdolan.com: did not receive HSTS header
@@ -10043,15 +10765,14 @@ luma.pink: could not connect to host
 lumd.me: could not connect to host
 lumer.tech: could not connect to host
 lumi.do: did not receive HSTS header
-luminancy.com: did not receive HSTS header
+luminancy.com: could not connect to host
 lunapatch.com: max-age too low: 7889238
 lunarift.com: could not connect to host
 lunarrift.net: could not connect to host
-lunarsoft.net: did not receive HSTS header
 luneta.nearbuysystems.com: could not connect to host
 lunight.ml: could not connect to host
+lunix.io: did not receive HSTS header
 luno.io: could not connect to host
-luody.info: could not connect to host
 luoe.ml: could not connect to host
 luolikong.vip: did not receive HSTS header
 luom.net: could not connect to host
@@ -10060,32 +10781,36 @@ luoxingyu.ml: could not connect to host
 luripump.se: could not connect to host
 lusis.fr: did not receive HSTS header
 lusis.net: could not connect to host
+lustige-zitate.com: did not receive HSTS header
 lustrumxi.nl: could not connect to host
-luteijn.biz: did not receive HSTS header
 luther.fi: could not connect to host
+luvplay.co.uk: could not connect to host
 luxe-it.co.uk: could not connect to host
 luxinmo.com: did not receive HSTS header
 luxofit.de: did not receive HSTS header
 luxonetwork.com: could not connect to host
 luxus-russen.de: could not connect to host
 luzeshomologadas.com.br: could not connect to host
+lv5.top: could not connect to host
 lwhate.com: could not connect to host
 lycly.me: could not connect to host
 lycly.top: could not connect to host
 lydia-und-simon.de: could not connect to host
 lydiagorstein.com: did not receive HSTS header
+lyfbits.com: could not connect to host
 lylares.com: did not receive HSTS header
 lynkos.com: did not receive HSTS header
 lyonelkaufmann.ch: did not receive HSTS header
+lyoness.digital: could not connect to host
 lyonl.com: could not connect to host
 lyscnd.com: could not connect to host
 lysergion.com: could not connect to host
 lyuba.fr: could not connect to host
-lyuly.com: did not receive HSTS header
 lz.sb: could not connect to host
 lzahq.tech: did not receive HSTS header
 lzkill.com: did not receive HSTS header
 lzqii.cn: could not connect to host
+lzzr.me: could not connect to host
 m-ali.xyz: did not receive HSTS header
 m-edmondson.co.uk: did not receive HSTS header
 m-generator.com: could not connect to host
@@ -10097,13 +10822,13 @@ m0wef.uk: could not connect to host
 m2tc.fr: could not connect to host
 m3-gmbh.de: did not receive HSTS header
 m4570.xyz: could not connect to host
-m4g.ru: could not connect to host
 m82labs.com: did not receive HSTS header
 ma-musique.fr: could not connect to host
+ma-plancha.ch: did not receive HSTS header
 maarten.nyc: could not connect to host
 maartenprovo.be: did not receive HSTS header
 maartenterpstra.xyz: could not connect to host
-mac-torrents.me: did not receive HSTS header
+mac-torrents.me: could not connect to host
 mac-world.pl: did not receive HSTS header
 macandtonic.com: could not connect to host
 macbolo.com: could not connect to host
@@ -10111,24 +10836,28 @@ macchaberrycream.com: could not connect to host
 macchedil.com: did not receive HSTS header
 macdj.tk: could not connect to host
 macedopesca.com.br: did not receive HSTS header
-macgeneral.de: did not receive HSTS header
 mach1club.com: did not receive HSTS header
 machbach.net: could not connect to host
+machijun.net: did not receive HSTS header
 machinelearningjavascript.com: could not connect to host
+maciespartyhire.co.uk: did not receive HSTS header
 mack.space: could not connect to host
+mackey7.net: did not receive HSTS header
 macleodnc.com: did not receive HSTS header
 macsandcheesedreams.com: could not connect to host
+macstore.pe: did not receive HSTS header
 macustar.eu: did not receive HSTS header
-madandpissedoff.com: could not connect to host
+madbicicletas.com: could not connect to host
 madcatdesign.de: did not receive HSTS header
 maddin.ga: could not connect to host
+made-to-usb.com: did not receive HSTS header
 madebyfalcon.co.uk: did not receive HSTS header
 madebymagnitude.com: did not receive HSTS header
 madeglobal.com: did not receive HSTS header
 madeinorder.com: could not connect to host
 madeintucson.org: could not connect to host
 mademoiselle-emma.be: could not connect to host
-mademoiselle-emma.fr: could not connect to host
+mademoiselle-emma.fr: did not receive HSTS header
 maderasbrown.com: could not connect to host
 maderwin.com: did not receive HSTS header
 madesoftware.com.br: could not connect to host
@@ -10136,15 +10865,15 @@ madnetwork.org: could not connect to host
 madokami.net: could not connect to host
 madpeople.net: max-age too low: 2592000
 madrants.net: could not connect to host
-madweb.design: did not receive HSTS header
 maerzpa.de: did not receive HSTS header
 mafamane.com: could not connect to host
+maff.scot: could not connect to host
 mafiareturns.com: max-age too low: 2592000
 magazinedabeleza.net: could not connect to host
 magebankin.com: did not receive HSTS header
 magenx.com: did not receive HSTS header
 magia360.com: did not receive HSTS header
-magicball.co: could not connect to host
+magickmoments.co.uk: did not receive HSTS header
 magieamour.com: did not receive HSTS header
 magieblanche.fr: did not receive HSTS header
 magnacumlaude.co: could not connect to host
@@ -10160,19 +10889,25 @@ mail-settings.google.com: did not receive HSTS header (error ignored - included
 mail.google.com: did not receive HSTS header (error ignored - included regardless)
 mail4geek.com: did not receive HSTS header
 mailchuck.com: could not connect to host
-maildragon.com: could not connect to host
+maildragon.com: did not receive HSTS header
 mailgarant.nl: could not connect to host
 mailhost.it: could not connect to host
-mailing-femprendedores.com: did not receive HSTS header
+mailing-femprendedores.com: could not connect to host
 mailing-jbgg.com: could not connect to host
-maillink.store: did not receive HSTS header
+maillink.store: could not connect to host
 mailon.ga: could not connect to host
 mailpenny.com: could not connect to host
 main-street-seo.com: did not receive HSTS header
 main-unit.com: could not connect to host
+mainston.com: could not connect to host
 maintainerheaven.ch: could not connect to host
 maisalto.ind.br: could not connect to host
+maitrechaton.fr: did not receive HSTS header
 maitriser-son-stress.com: could not connect to host
+majesticcolorado.com: did not receive HSTS header
+majkl.me: could not connect to host
+majkl.xyz: could not connect to host
+majkl578.cz: could not connect to host
 majncloud.tk: could not connect to host
 make-pizza.info: could not connect to host
 makedonien.guide: could not connect to host
@@ -10180,7 +10915,7 @@ makeit-so.de: could not connect to host
 makeitdynamic.com: could not connect to host
 makemejob.com: could not connect to host
 makemyvape.co.uk: max-age too low: 7889238
-makerstuff.net: did not receive HSTS header
+makerstuff.net: could not connect to host
 makeshiftco.de: could not connect to host
 makeuplove.nl: could not connect to host
 makeyourlaws.org: did not receive HSTS header
@@ -10198,6 +10933,7 @@ maljaars-media.nl: could not connect to host
 malkaso.com.ua: could not connect to host
 malmstroms-co.se: could not connect to host
 malone.link: could not connect to host
+malte-kiefer.de: did not receive HSTS header
 maltes.website: could not connect to host
 malvy.kiev.ua: could not connect to host
 malwareverse.us: did not receive HSTS header
@@ -10218,7 +10954,7 @@ manaboutahor.se: could not connect to host
 manage.zenpayroll.com: did not receive HSTS header
 manage4all.com: could not connect to host
 manageall.de: could not connect to host
-managed-varnish.de: did not receive HSTS header
+managed-varnish.de: could not connect to host
 manageforall.com: could not connect to host
 manageforall.de: could not connect to host
 management-ethics.com: did not receive HSTS header
@@ -10249,8 +10985,11 @@ manshop24.com: could not connect to host
 mansion-note.com: did not receive HSTS header
 mansiontech.cn: did not receive HSTS header
 manududu.com.br: could not connect to host
+manuel7espejo.com: did not receive HSTS header
 manuelrueger.de: could not connect to host
+manuscript.com: did not receive HSTS header
 manutrol.com.br: did not receive HSTS header
+maomao.blog: could not connect to host
 maomaobt.com: did not receive HSTS header
 maomaofuli.vip: could not connect to host
 maosi.xin: could not connect to host
@@ -10259,17 +10998,17 @@ maplenorth.co: could not connect to host
 mapresidentielle.fr: did not receive HSTS header
 mapservices.nl: did not receive HSTS header
 maquillage-permanent-tatoo.com: did not receive HSTS header
+maquininhamercadopoint.com.br: could not connect to host
 maranatha.pl: did not receive HSTS header
-marbinvest.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-marcaixala.me: could not connect to host
-marcaudefroy.com: could not connect to host
+marbinvest.com: did not receive HSTS header
+marcaudefroy.com: did not receive HSTS header
 marcberman.co: did not receive HSTS header
 marcbuehlmann.com: did not receive HSTS header
 marcelmarnitz.com: could not connect to host
 marcelparra.com: could not connect to host
 marchagen.nl: did not receive HSTS header
 marche-nordic-jorat.ch: could not connect to host
-marco-kretz.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+marco-kretz.de: did not receive HSTS header
 marco01809.net: could not connect to host
 marcoececilia.it: did not receive HSTS header
 marcofinke.de: could not connect to host
@@ -10278,22 +11017,25 @@ marcontrol.com: did not receive HSTS header
 marcosteixeira.tk: could not connect to host
 marcschlagenhauf.de: could not connect to host
 marcus-scheffler.com: did not receive HSTS header
-marcush.de: could not connect to host
-marcusserver.synology.me: did not receive HSTS header
+marcush.de: did not receive HSTS header
+marcusserver.synology.me: could not connect to host
 mardelcupon.com: could not connect to host
 mare92.cz: could not connect to host
 mareklecian.cz: did not receive HSTS header
 margan.ch: could not connect to host
 margaretrosefashions.co.uk: could not connect to host
+margo.ml: could not connect to host
+mariacorzo.com: could not connect to host
 mariacristinadoces.com.br: did not receive HSTS header
 mariannematthew.com: could not connect to host
 marianwehlus.de: did not receive HSTS header
 mariaolesen.dk: could not connect to host
 marie-curie.fr: could not connect to host
-marie-elisabeth.dk: did not receive HSTS header
 marie-en-provence.com: could not connect to host
 marie.club: could not connect to host
 marienschule-sundern.de: did not receive HSTS header
+marinecadastre.gov: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+marioabela.com: did not receive HSTS header
 mariusschulte.de: did not receive HSTS header
 marix.ro: could not connect to host
 mark-a-hydrant.com: did not receive HSTS header
@@ -10305,16 +11047,17 @@ marketgot.com: did not receive HSTS header
 marketing-advertising.eu: could not connect to host
 marketingdesignu.cz: could not connect to host
 marketingromania.ro: did not receive HSTS header
-marketio.co: could not connect to host
+marketio.co: did not receive HSTS header
+marketlinks.org: did not receive HSTS header
 markllego.com: could not connect to host
 marko-fenster24.de: did not receive HSTS header
 markorszulak.com: did not receive HSTS header
 markow.io: max-age too low: 7776000
 markrego.com: could not connect to host
-markrobin.de: did not receive HSTS header
 marksill.com: could not connect to host
 marktboten.de: did not receive HSTS header
 markusabraham.com: did not receive HSTS header
+markusgran.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 markusueberallassetmanagement.de: could not connect to host
 markusueberallconsulting.de: could not connect to host
 markusweimar.de: did not receive HSTS header
@@ -10336,6 +11079,7 @@ martin-mattel.com: could not connect to host
 martinec.co.uk: could not connect to host
 martinestyle.com: could not connect to host
 martineve.com: did not receive HSTS header
+martingansler.de: did not receive HSTS header
 martinkup.cz: did not receive HSTS header
 martinp.no: could not connect to host
 martinrogalla.com: did not receive HSTS header
@@ -10355,19 +11099,21 @@ masjidtawheed.net: did not receive HSTS header
 maskice.hr: did not receive HSTS header
 maskinkultur.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 maskt.pw: could not connect to host
+maslife365.com: could not connect to host
 massagelimaperu.com: did not receive HSTS header
 massivum.de: did not receive HSTS header
 massot.eu: did not receive HSTS header
 mastd.fr: could not connect to host
 mastd.onl: could not connect to host
-mastepinnelaand.nl: did not receive HSTS header
-masteragenasia.com: could not connect to host
+masteragenasia.com: did not receive HSTS header
 masteragenasia.net: did not receive HSTS header
 masterapi.ninja: did not receive HSTS header
 masterhaus.bg: did not receive HSTS header
 masteringtheterminal.com: did not receive HSTS header
+mastersquirrel.xyz: did not receive HSTS header
 mastersthesiswriting.com: could not connect to host
 mastichor.info: could not connect to host
+mastiffingles.com.br: could not connect to host
 mastimtibetano.com: could not connect to host
 masto.io: could not connect to host
 mastod.life: could not connect to host
@@ -10380,18 +11126,27 @@ mastodon.fun: could not connect to host
 mastodon.my: could not connect to host
 mastodon.org.uk: did not receive HSTS header
 mastodon.pl: did not receive HSTS header
-mastodones.club: could not connect to host
+mastodones.club: did not receive HSTS header
 masty.nl: could not connect to host
 masumreza.tk: could not connect to host
 mat99.dk: could not connect to host
 matarrosabierzo.com: could not connect to host
+matchneedle.com: did not receive HSTS header
 mateusmeyer.com.br: could not connect to host
 mateuszpilszek.pl: could not connect to host
+mathematris.com: could not connect to host
 mathers.ovh: did not receive HSTS header
+matheusmacedo.ddns.net: could not connect to host
 mathias.re: did not receive HSTS header
+mathieui.net: could not connect to host
 mathijskingma.nl: could not connect to host
+mathsource.ga: could not connect to host
+mathsweek.nz: could not connect to host
+mathsweek.org.nz: could not connect to host
+mathsweek.school.nz: could not connect to host
 matillat.ovh: did not receive HSTS header
-matlabjo.ir: could not connect to host
+matlabjo.ir: did not receive HSTS header
+matmessages.com: did not receive HSTS header
 matomeplus.co: could not connect to host
 matrict.com: could not connect to host
 matrip.de: could not connect to host
@@ -10412,9 +11167,7 @@ mattia98.org: did not receive HSTS header
 mattisam.com: did not receive HSTS header
 mattressinsider.com: max-age too low: 3153600
 mattwb65.com: did not receive HSTS header
-mattwservices.co.uk: max-age too low: 2592000
 matty.digital: did not receive HSTS header
-matze.co: did not receive HSTS header
 matze.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 maultrom.ml: could not connect to host
 maupiknik.com: did not receive HSTS header
@@ -10424,25 +11177,29 @@ mausi.co: did not receive HSTS header
 mavisang.cf: could not connect to host
 mawe.red: could not connect to host
 max-mad.com: could not connect to host
+maxbachmann.de: did not receive HSTS header
+maxdev72.freeboxos.fr: could not connect to host
 maxfox.me: could not connect to host
 maxhorvath.com: could not connect to host
 maxibanki.ovh: could not connect to host
 maxicore.co.za: could not connect to host
 maxima.at: did not receive HSTS header
 maximelouet.me: did not receive HSTS header
-maximov.space: could not connect to host
+maximov.space: did not receive HSTS header
 maxkeller.io: did not receive HSTS header
 maxmachine.ind.br: could not connect to host
-maxr1998.de: could not connect to host
 maxserver.com: did not receive HSTS header
 maya-ro.com: could not connect to host
 maya.mg: could not connect to host
 maybeul.com: could not connect to host
-maydex.info: could not connect to host
 maynardnetworks.com: could not connect to host
+mayoimobiliare.ro: did not receive HSTS header
 mayoristassexshop.com: did not receive HSTS header
+mazternet.ru: could not connect to host
 mazyun.com: did not receive HSTS header
 mazz-tech.com: could not connect to host
+mb300sd.com: could not connect to host
+mb300sd.net: could not connect to host
 mbconsultancy.nu: did not receive HSTS header
 mbdrogenbos-usedcars.be: could not connect to host
 mbwemmel-usedcars.be: could not connect to host
@@ -10458,6 +11215,7 @@ mcdonalds.ru: did not receive HSTS header
 mcga.media: could not connect to host
 mcgavocknissanwichitaparts.com: could not connect to host
 mchan.us: did not receive HSTS header
+mchopkins.net: could not connect to host
 mcideas.tk: could not connect to host
 mcjackk77.com: could not connect to host
 mckinley1.com: could not connect to host
@@ -10465,7 +11223,6 @@ mckinleytk.com: could not connect to host
 mcl.gg: did not receive HSTS header
 mclab.su: max-age too low: 2592000
 mclist.it: could not connect to host
-mclyr.com: could not connect to host
 mcnoobs.pro: could not connect to host
 mcooperlaw.com: did not receive HSTS header
 mcqyy.com: could not connect to host
@@ -10476,8 +11233,10 @@ mctherealm.net: could not connect to host
 mcuexchange.com: did not receive HSTS header
 mcuong.tk: could not connect to host
 md-student.com: did not receive HSTS header
+mdbouncycastlehirelondon.co.uk: did not receive HSTS header
+mdcloudpracticesolutions.com: could not connect to host
 mdfnet.se: did not receive HSTS header
-mdscomp.net: did not receive HSTS header
+mdscomp.net: could not connect to host
 mdwftw.com: could not connect to host
 me-dc.com: could not connect to host
 meadowviewfarms.org: could not connect to host
@@ -10492,13 +11251,16 @@ mecenat-cassous.com: did not receive HSTS header
 mechok.ru: could not connect to host
 medallia.io: could not connect to host
 meddatix.com: could not connect to host
+medi-link.co.il: did not receive HSTS header
 media-access.online: did not receive HSTS header
 media-courses.com: could not connect to host
-mediacru.sh: max-age too low: 0
+mediabm.jp: did not receive HSTS header
+mediacru.sh: could not connect to host
 mediadandy.com: could not connect to host
 mediafinancelab.org: could not connect to host
 mediamag.am: max-age too low: 0
-mediastorm.us: did not receive HSTS header
+mediarocks.de: did not receive HSTS header
+mediastorm.us: could not connect to host
 mediawikicn.org: could not connect to host
 medicinskavranje.edu.rs: could not connect to host
 medienservice-fritz.de: did not receive HSTS header
@@ -10511,22 +11273,26 @@ mediumraw.org: did not receive HSTS header
 mediweed.tk: could not connect to host
 medm-test.com: could not connect to host
 medpot.net: did not receive HSTS header
-medsindex.com: max-age too low: 2592000
+medsindex.com: did not receive HSTS header
 medstreaming.com: did not receive HSTS header
 medtankers.management: did not receive HSTS header
 medy-me.com: could not connect to host
 medzinenews.com: did not receive HSTS header
 meedoenzaanstad.nl: did not receive HSTS header
 meetfinch.com: could not connect to host
+mega-aukcion.ru: could not connect to host
 megadrol.com: could not connect to host
 megaflix.nl: could not connect to host
 megakiste.de: could not connect to host
 megam.host: could not connect to host
-megashur.se: did not receive HSTS header
+megamarkey.de: did not receive HSTS header
+megashur.se: could not connect to host
 megasystem.cl: could not connect to host
 meghudson.com: could not connect to host
 meifrench.com: could not connect to host
+meilleur.xyz: did not receive HSTS header
 meincloudspeicher.de: could not connect to host
+meine-plancha.ch: did not receive HSTS header
 meine-reise-gut-versichert.de: did not receive HSTS header
 meinebo.it: could not connect to host
 meisterritter.de: did not receive HSTS header
@@ -10540,6 +11306,7 @@ melf.nl: could not connect to host
 melhoresdominios.net: could not connect to host
 melhorproduto.com.br: could not connect to host
 melikoff.es: could not connect to host
+melitopol.co.ua: did not receive HSTS header
 melodic.com.au: could not connect to host
 melody-lyrics.com: could not connect to host
 melonstudios.net: could not connect to host
@@ -10550,6 +11317,7 @@ melvinlow.com: did not receive HSTS header
 memberpress.com: did not receive HSTS header
 members.mayfirst.org: did not receive HSTS header
 membersonline.org: did not receive HSTS header
+memberstweets.com: could not connect to host
 memdoc.org: could not connect to host
 memeblast.ninja: could not connect to host
 memepasmal.org: could not connect to host
@@ -10562,7 +11330,8 @@ memorytrace.space: could not connect to host
 menaraannonces.com: could not connect to host
 menchez.me: could not connect to host
 menhera.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-menotag.com: did not receive HSTS header
+menntagatt.is: did not receive HSTS header
+menotag.com: could not connect to host
 mensachterdepatient.nl: max-age too low: 2592000
 mensmaximus.de: did not receive HSTS header
 mentalhealth.gov: did not receive HSTS header
@@ -10571,20 +11340,19 @@ mentesemprendedoras.net: could not connect to host
 menthix.net: could not connect to host
 menu.fyi: could not connect to host
 menudrivetest.com: could not connect to host
-menuel.me: did not receive HSTS header
 menuiserie-berard.com: did not receive HSTS header
 menzaijia.com: could not connect to host
+menzel-motors.com: did not receive HSTS header
 meo.de: could not connect to host
 meow.cloud: could not connect to host
 meozcraft.com: could not connect to host
-mercamaris.es: did not receive HSTS header
+meraseo.com: could not connect to host
 mercanix.co.uk: could not connect to host
 merccorp.de: max-age too low: 0
 mercedes-benz-usedcars.be: could not connect to host
 mercury-studio.com: did not receive HSTS header
 mereckas.com: could not connect to host
 meredithkm.info: did not receive HSTS header
-merenita.eu: did not receive HSTS header
 mergozzo.com: did not receive HSTS header
 merimatka.fi: could not connect to host
 meritz.rocks: could not connect to host
@@ -10602,11 +11370,8 @@ metadistribution.com: did not receive HSTS header
 metagrader.com: could not connect to host
 metalsculpture.co.uk: max-age too low: 0
 metanic.org: did not receive HSTS header
-metaregistrar.com: max-age too low: 0
 metasyntactic.xyz: could not connect to host
-metebalci.com: did not receive HSTS header
-meteosky.net: could not connect to host
-meter.md: could not connect to host
+meteosky.net: did not receive HSTS header
 metikam.pl: did not receive HSTS header
 metin2blog.de: did not receive HSTS header
 metin2sepeti.com: could not connect to host
@@ -10615,17 +11380,20 @@ metrans-spedition.de: could not connect to host
 metricaid.com: did not receive HSTS header
 metrix-money-ptc.com: could not connect to host
 metrix.design: could not connect to host
+metropolisil.gov: did not receive HSTS header
 metzgerei-birkenhof.de: could not connect to host
 meu-smartphone.com: did not receive HSTS header
 meucosmetico.com.br: could not connect to host
 meuemail.pro: could not connect to host
 meupedido.online: did not receive HSTS header
 meusigno.com: could not connect to host
+mevanshop.com: could not connect to host
 mexbt.com: could not connect to host
 mexicanbusinessweb.mx: did not receive HSTS header
-mexicansbook.ru: did not receive HSTS header
+mexicansbook.ru: could not connect to host
 mexior.nl: could not connect to host
 meyeraviation.com: could not connect to host
+mfacko.cz: did not receive HSTS header
 mfcatalin.com: could not connect to host
 mfedderke.com: could not connect to host
 mfgod.com: did not receive HSTS header
@@ -10634,8 +11402,9 @@ mfpccprod.com: could not connect to host
 mfrsgb45.org: did not receive HSTS header
 mft.global: could not connect to host
 mfxer.com: could not connect to host
-mgcraft.net: did not receive HSTS header
-mgdigital.fr: did not receive HSTS header
+mfz.mk: did not receive HSTS header
+mgcraft.net: could not connect to host
+mgdigital.fr: could not connect to host
 mgiay.com: did not receive HSTS header
 mgoessel.de: did not receive HSTS header
 mh-bloemen.co.jp: could not connect to host
@@ -10643,6 +11412,7 @@ mhdsyarif.com: did not receive HSTS header
 mhealthdemocamp.com: could not connect to host
 mhertel.com: did not receive HSTS header
 mhict.nl: could not connect to host
+mhjuma.com: could not connect to host
 mht-travel.com: could not connect to host
 mhx.pw: could not connect to host
 mia.ac: could not connect to host
@@ -10652,24 +11422,25 @@ mianfei-vpn.com: could not connect to host
 miboulot.com: could not connect to host
 micaiahparker.com: could not connect to host
 micasamgmt.com: did not receive HSTS header
+michaelcullen.name: could not connect to host
 michaeldemuth.com: could not connect to host
 michaelfitzpatrickruth.com: did not receive HSTS header
 michaelizquierdo.com: max-age too low: 0
-michaelklos.nl: could not connect to host
+michaelklos.nl: did not receive HSTS header
 michaelmorpurgo.com: did not receive HSTS header
-michaeln.net: could not connect to host
+michaeln.net: did not receive HSTS header
 michaels-homepage-service.de: could not connect to host
 michaelscrivo.com: did not receive HSTS header
-michaelsulzer.com: could not connect to host
-michaelsulzer.eu: could not connect to host
+michaelsulzer.com: did not receive HSTS header
+michaelsulzer.eu: did not receive HSTS header
 michaelwaite.org: could not connect to host
 michal-kral.cz: could not connect to host
 michalborka.cz: could not connect to host
 michalkral.tk: could not connect to host
+michalp.pl: did not receive HSTS header
 michalvasicek.cz: did not receive HSTS header
 michasfahrschule.com: could not connect to host
 michel.pt: did not receive HSTS header
-michele.ml: could not connect to host
 michelledonelan.co.uk: did not receive HSTS header
 michiganmetalartwork.com: max-age too low: 7889238
 mico.world: could not connect to host
@@ -10681,10 +11452,13 @@ microdesic.com: could not connect to host
 microme.ga: could not connect to host
 micropple.net: could not connect to host
 microtalk.org: could not connect to host
+middletowndelcopa.gov: could not connect to host
 midirs.org: did not receive HSTS header
+midlgx.com: max-age too low: 0
 midonet.org: did not receive HSTS header
 midriversmotorsllc.com: did not receive HSTS header
 midterm.us: could not connect to host
+midweststructuralrepair.com: could not connect to host
 midwestwomenworkers.org: could not connect to host
 miegl.cz: could not connect to host
 miemie.jp: could not connect to host
@@ -10700,11 +11474,11 @@ miguelgfierro.com: did not receive HSTS header
 miguksaram.com: could not connect to host
 mijn-email.org: could not connect to host
 mijndiad.nl: did not receive HSTS header
+mijnetickets.nl: did not receive HSTS header
 mijnkredietpaspoort.nl: could not connect to host
 mijnsite.ovh: could not connect to host
 mika.cat: could not connect to host
 mikadesign.se: did not receive HSTS header
-mikaela.info: max-age too low: 0
 mikaelemilsson.net: did not receive HSTS header
 mikeburns.com: could not connect to host
 mikedugan.org: did not receive HSTS header
@@ -10712,14 +11486,17 @@ mikeg.de: did not receive HSTS header
 mikek.work: did not receive HSTS header
 mikeology.org: could not connect to host
 mikepair.net: could not connect to host
-mikes.tk: could not connect to host
+mikes.tk: did not receive HSTS header
 mikeybot.com: could not connect to host
 mikii.club: could not connect to host
 mikk.cz: could not connect to host
 mikori.sk: did not receive HSTS header
 mikro-inwestycje.co.uk: did not receive HSTS header
 miku.be: could not connect to host
+miku.cloud: could not connect to host
 miku.hatsune.my: did not receive HSTS header
+miku.party: could not connect to host
+mikumiku.stream: could not connect to host
 mikusinec.com: could not connect to host
 milahendri.com: did not receive HSTS header
 milang.xyz: could not connect to host
@@ -10731,25 +11508,74 @@ militarycarlot.com: did not receive HSTS header
 militaryconsumer.gov: did not receive HSTS header
 milkingit.net: could not connect to host
 millibitcoin.jp: could not connect to host
+million5.com: did not receive HSTS header
+million6.com: did not receive HSTS header
+million8.com: did not receive HSTS header
 millionairessecrets.com: could not connect to host
-millions25.com: could not connect to host
-millions26.com: could not connect to host
-millions27.com: could not connect to host
+millions11.com: did not receive HSTS header
+millions13.com: did not receive HSTS header
+millions14.com: did not receive HSTS header
+millions15.com: did not receive HSTS header
+millions16.com: did not receive HSTS header
+millions17.com: did not receive HSTS header
+millions19.com: did not receive HSTS header
+millions20.com: did not receive HSTS header
+millions22.com: did not receive HSTS header
+millions25.com: did not receive HSTS header
+millions26.com: did not receive HSTS header
+millions27.com: did not receive HSTS header
+millions28.com: did not receive HSTS header
+millions29.com: did not receive HSTS header
+millions31.com: did not receive HSTS header
+millions33.com: did not receive HSTS header
+millions35.com: did not receive HSTS header
+millions36.com: did not receive HSTS header
+millions37.com: did not receive HSTS header
+millions38.com: did not receive HSTS header
+millions39.com: could not connect to host
+millions40.com: could not connect to host
+millions41.com: could not connect to host
+millions42.com: could not connect to host
+millions43.com: could not connect to host
+millions5.com: did not receive HSTS header
+millions50.com: did not receive HSTS header
+millions55.com: did not receive HSTS header
+millions56.com: did not receive HSTS header
+millions58.com: did not receive HSTS header
+millions59.com: did not receive HSTS header
+millions6.com: did not receive HSTS header
+millions61.com: did not receive HSTS header
+millions62.com: did not receive HSTS header
+millions63.com: did not receive HSTS header
+millions66.com: did not receive HSTS header
+millions7.com: did not receive HSTS header
+millions70.com: did not receive HSTS header
+millions71.com: did not receive HSTS header
+millions72.com: did not receive HSTS header
+millions80.com: did not receive HSTS header
+millions81.com: did not receive HSTS header
+millions82.com: did not receive HSTS header
+millions88.com: did not receive HSTS header
+millions9.com: did not receive HSTS header
+millions99.com: did not receive HSTS header
 millstep.de: did not receive HSTS header
 milonga.tips: could not connect to host
 mim.properties: could not connect to host
 mimbeim.com: did not receive HSTS header
 mimm.gov: did not receive HSTS header
+mimobile.website: could not connect to host
 mimoderoupa.pt: could not connect to host
 min.kiwi: could not connect to host
 minacssas.com: could not connect to host
 minantavla.se: could not connect to host
+mind-moves.es: could not connect to host
 mind.sh: did not receive HSTS header
 mindbodycontinuum.com: could not connect to host
+mindbodytherapymn.com: did not receive HSTS header
 mindcell.no: could not connect to host
 mindcraft.ga: could not connect to host
 mindwork.space: could not connect to host
-mine.world: could not connect to host
+mine.world: did not receive HSTS header
 minecraft-forum.cf: could not connect to host
 minecraft-forum.ga: could not connect to host
 minecraft-forum.gq: could not connect to host
@@ -10763,10 +11589,11 @@ minecraftforums.gq: could not connect to host
 minecraftforums.ml: could not connect to host
 minecraftserverz.com: could not connect to host
 minecraftvoter.com: could not connect to host
-minecrell.net: max-age too low: 172800
+minei.me: did not receive HSTS header
 mineover.es: could not connect to host
 minetude.com: could not connect to host
 mingkyaa.com: could not connect to host
+mingming.info: did not receive HSTS header
 mingo.nl: max-age too low: 2592000
 mingy.ddns.net: could not connect to host
 mingyueli.com: could not connect to host
@@ -10776,17 +11603,18 @@ minikneet.nl: did not receive HSTS header
 minimaliston.com: could not connect to host
 minimoo.se: could not connect to host
 minipainting.net: could not connect to host
-minis-hip.de: max-age too low: 172800
 miniskipper.at: did not receive HSTS header
+miniwallaby.com: could not connect to host
 minkondom.nu: could not connect to host
 minnesotadata.com: could not connect to host
-minor.news: could not connect to host
+minor.news: did not receive HSTS header
 minora.io: could not connect to host
 minoris.se: did not receive HSTS header
-minorshadows.net: did not receive HSTS header
 mintea-noua.ro: could not connect to host
+minu.link: could not connect to host
 mipiaci.co.nz: did not receive HSTS header
 mipiaci.com.au: did not receive HSTS header
+mipla.ch: could not connect to host
 miragrow.com: could not connect to host
 mireillewendling.com.br: could not connect to host
 mirgleich.dnshome.de: could not connect to host
@@ -10799,16 +11627,16 @@ miruc.co: did not receive HSTS header
 mirucon.com: did not receive HSTS header
 misconfigured.io: could not connect to host
 miscreant.me: could not connect to host
-misericordiasegrate.org: did not receive HSTS header
+misericordiasegrate.org: could not connect to host
 misgluteosperfectos.com: did not receive HSTS header
 misiondelosangeles-mailing.com: could not connect to host
 misiru.jp: could not connect to host
 missrain.tw: could not connect to host
 missycosmeticos.com.br: could not connect to host
 mist.ink: could not connect to host
+mister-cooks.fr: did not receive HSTS header
 mister.hosting: did not receive HSTS header
 misterl.net: did not receive HSTS header
-misuzu.moe: could not connect to host
 mitarbeiter-pc.de: did not receive HSTS header
 mitchellrenouf.ca: could not connect to host
 mitior.net: could not connect to host
@@ -10824,8 +11652,8 @@ miyako-kyoto.jp: could not connect to host
 miyoshi-kikaku.co.jp: could not connect to host
 mizd.at: could not connect to host
 mizi.name: could not connect to host
+mizumax.me: could not connect to host
 mjcaffarattilaw.com: did not receive HSTS header
-mjec.net: could not connect to host
 mjhsc.nl: did not receive HSTS header
 mk-dizajn.com: could not connect to host
 mkacg.com: could not connect to host
@@ -10833,13 +11661,13 @@ mkakh.xyz: could not connect to host
 mkfs.be: could not connect to host
 mkfs.fr: could not connect to host
 mkg-palais-hanau.de: did not receive HSTS header
-mkie.cf: could not connect to host
 mkp-deutschland.de: did not receive HSTS header
 mkplay.io: could not connect to host
-mkuznets.com: could not connect to host
 mkw.st: could not connect to host
 mlcambiental.com.br: did not receive HSTS header
 mlcdn.co: could not connect to host
+mlfaw.com: could not connect to host
+mlii.net: could not connect to host
 mlm-worldwide.de: did not receive HSTS header
 mlpchan.net: could not connect to host
 mlpepilepsy.org: could not connect to host
@@ -10847,6 +11675,7 @@ mlpvc-rr.ml: did not receive HSTS header
 mlrslateroofing.com.au: did not receive HSTS header
 mlsrv.de: could not connect to host
 mm-wife.com: could not connect to host
+mm13.at: could not connect to host
 mmaps.ddns.net: could not connect to host
 mmarnitz.de: could not connect to host
 mmcc.pe: did not receive HSTS header
@@ -10854,7 +11683,8 @@ mmgazhomeloans.com: did not receive HSTS header
 mmilog.hu: could not connect to host
 mmmm.com: could not connect to host
 mmstick.tk: could not connect to host
-mnd.sc: could not connect to host
+mna7e.com: did not receive HSTS header
+mncr.nl: could not connect to host
 mnec.io: could not connect to host
 mneeb.de: could not connect to host
 mnemotiv.com: could not connect to host
@@ -10865,8 +11695,8 @@ mo3.club: could not connect to host
 moar.so: did not receive HSTS header
 moas.design: did not receive HSTS header
 moas.photos: did not receive HSTS header
-mobag.ru: did not receive HSTS header
 mobaircon.com: did not receive HSTS header
+mobi4.tk: could not connect to host
 mobile-gesundheit.org: could not connect to host
 mobile.eti.br: could not connect to host
 mobilebay.top: could not connect to host
@@ -10890,7 +11720,7 @@ mockmyapp.com: could not connect to host
 mocloud.eu: could not connect to host
 mocloud.win: could not connect to host
 mocsuite.club: could not connect to host
-mocurio.com: could not connect to host
+mocurio.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 modalrakyat.com: could not connect to host
 modalrakyat.id: did not receive HSTS header
 modaperuimport.com: could not connect to host
@@ -10909,20 +11739,21 @@ moderntld.net: could not connect to host
 mododo.de: could not connect to host
 modx.by: max-age too low: 31536
 modx.io: could not connect to host
-modydev.club: could not connect to host
+modydev.club: did not receive HSTS header
 moe.pe: could not connect to host
 moe.wtf: could not connect to host
 moe4sale.in: did not receive HSTS header
+moeali.com: could not connect to host
 moebel-nagel.de: did not receive HSTS header
-moebel-vergleichen.com: did not receive HSTS header
 moefi.xyz: could not connect to host
 moegirl.org: did not receive HSTS header
+moeli.org: could not connect to host
 moellers.it: could not connect to host
 moeloli.pw: did not receive HSTS header
 moelord.org: could not connect to host
 moen.io: did not receive HSTS header
 moevenpick-cafe.com: did not receive HSTS header
-moeyun.net: could not connect to host
+moeyun.net: max-age too low: 86400
 mogry.net: did not receive HSTS header
 mohio.co.nz: did not receive HSTS header
 moho.kr: could not connect to host
@@ -10931,12 +11762,14 @@ moitur.com: did not receive HSTS header
 mojapraca.sk: did not receive HSTS header
 mojefilmy.xyz: could not connect to host
 mojizuri.jp: max-age too low: 86400
+mojnet.eu: could not connect to host
+mojnet.net: could not connect to host
 mokadev.com: did not receive HSTS header
 mokken-fabriek.nl: did not receive HSTS header
-molokai.org: could not connect to host
 mols.me: could not connect to host
 momento.co.id: did not receive HSTS header
 momfulfilled.com: could not connect to host
+momjoyas.com: did not receive HSTS header
 mommel.com: could not connect to host
 mommelonline.de: could not connect to host
 momoka.moe: could not connect to host
@@ -10948,6 +11781,7 @@ monarca.systems: could not connect to host
 monasterialis.eu: could not connect to host
 monautoneuve.fr: did not receive HSTS header
 mondar.io: could not connect to host
+mondedesnovels.com: did not receive HSTS header
 mondopoint.com: did not receive HSTS header
 mondwandler.de: could not connect to host
 moneoci.com.br: could not connect to host
@@ -10963,7 +11797,8 @@ monitaure.io: could not connect to host
 monitman.solutions: could not connect to host
 monitorchain.com: did not receive HSTS header
 monitori.ng: could not connect to host
-monkieteel.nl: max-age too low: 2592000
+monkeydust.net: max-age too low: 0
+monkieteel.nl: did not receive HSTS header
 monochrometoys.com: could not connect to host
 monodukuri.cafe: could not connect to host
 monodzukuri.cafe: could not connect to host
@@ -10974,16 +11809,17 @@ montanana.com: did not receive HSTS header
 montand.com: did not receive HSTS header
 monteurzimmerfrei.de: could not connect to host
 montonicms.com: could not connect to host
-moo.pet: could not connect to host
+moo.pet: did not receive HSTS header
 moobo.xyz: did not receive HSTS header
 moodifiers.com: could not connect to host
 moon.lc: could not connect to host
 moonagic.io: could not connect to host
 moonless.net: could not connect to host
+moonlightcapital.ml: could not connect to host
 moonloupe.com: could not connect to host
 moonrhythm.info: could not connect to host
-moonrhythm.io: did not receive HSTS header
 moonysbouncycastles.co.uk: could not connect to host
+mooretownrancheria-nsn.gov: could not connect to host
 moosemanstudios.com: could not connect to host
 moov.is: could not connect to host
 moparcraft.com: could not connect to host
@@ -10994,7 +11830,7 @@ moparscape.org: did not receive HSTS header
 mopsuite.club: could not connect to host
 mor.cloud: could not connect to host
 mor.gl: could not connect to host
-mordrum.com: could not connect to host
+moreapp.co.uk: could not connect to host
 morenci.ch: could not connect to host
 morepopcorn.co.nz: did not receive HSTS header
 moreserviceleads.com: did not receive HSTS header
@@ -11003,6 +11839,7 @@ morethanadream.lv: could not connect to host
 morfitronik.pl: could not connect to host
 morganestes.com: max-age too low: 0
 morganino.eu: could not connect to host
+morhys.com: could not connect to host
 morningcalculation.com: could not connect to host
 morninglory.com: did not receive HSTS header
 mornings.com: did not receive HSTS header
@@ -11015,13 +11852,14 @@ morz.org: max-age too low: 0
 mosaique-lachenaie.fr: could not connect to host
 moskva.guide: did not receive HSTS header
 moso.io: did not receive HSTS header
+mostlikelyto.fail: did not receive HSTS header
 mostlyharmless.at: could not connect to host
 mostlyinfinite.com: did not receive HSTS header
 mostwuat.com: could not connect to host
 motherbase.io: could not connect to host
 motherboard.services: could not connect to host
 motionfreight.com: could not connect to host
-motionpicturesolutions.com: did not receive HSTS header
+motionpicturesolutions.com: could not connect to host
 motocyklovedily.cz: did not receive HSTS header
 motomorgen.com: could not connect to host
 motorbiketourhanoi.com: could not connect to host
@@ -11030,31 +11868,35 @@ motornomaslo.bg: did not receive HSTS header
 motoroilinfo.com: did not receive HSTS header
 motorsportdiesel.com: did not receive HSTS header
 motovio.de: did not receive HSTS header
-motransportinfo.com: did not receive HSTS header
 mottvd.com: could not connect to host
 moube.fr: could not connect to host
 moucloud.cn: did not receive HSTS header
 moudicat.com: max-age too low: 6307200
 moula.com.au: did not receive HSTS header
 moumaobuchiyu.com: could not connect to host
+mounp.me: max-age too low: 2592000
 mountainadventureseminars.com: did not receive HSTS header
 mountainmusicpromotions.com: did not receive HSTS header
-movabletype.net: max-age too low: 3600
+mountairymd.gov: could not connect to host
+mousemessages.com: did not receive HSTS header
+movabletype.net: did not receive HSTS header
 moveek.com: did not receive HSTS header
-moveltix.net: could not connect to host
+moveisfit.com.br: could not connect to host
 movepin.com: could not connect to host
-movie4k.fyi: max-age too low: 0
+movie4k.fyi: could not connect to host
 movie4k.life: could not connect to host
 movie4kto.site: could not connect to host
 moviedollars.com: could not connect to host
 movienang.com: max-age too low: 0
+movienized.de: did not receive HSTS header
 moviesabout.net: could not connect to host
+moviespur.info: did not receive HSTS header
 moving-pixtures.de: could not connect to host
 movingoklahoma.org: could not connect to host
 movio.ga: could not connect to host
 mowalls.net: could not connect to host
 moy-gorod.od.ua: did not receive HSTS header
-moysovet.info: did not receive HSTS header
+moyoo.net: did not receive HSTS header
 moyu.host: did not receive HSTS header
 mozart-game.cz: could not connect to host
 mozartgame.cz: could not connect to host
@@ -11067,23 +11909,30 @@ mp3donusturucu.net: did not receive HSTS header
 mp3gratuiti.com: could not connect to host
 mp3juices.is: could not connect to host
 mpe.org: did not receive HSTS header
+mpg.ovh: could not connect to host
+mphoto.at: did not receive HSTS header
 mpi-sa.fr: did not receive HSTS header
+mpintaamalabanna.it: could not connect to host
 mpkossen.com: did not receive HSTS header
 mpn.poker: did not receive HSTS header
+mpodraza.pl: could not connect to host
 mpreserver.com: could not connect to host
 mpserver12.org: could not connect to host
 mpu-giessen.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+mpy.ovh: could not connect to host
 mqas.net: could not connect to host
 mr-coffee.net: could not connect to host
 mr-hosting.com: could not connect to host
+mr-labo.jp: could not connect to host
+mr3.io: could not connect to host
 mrafrohead.com: could not connect to host
 mrawe.com: could not connect to host
+mrazek.biz: did not receive HSTS header
 mrburtbox.com: could not connect to host
 mrdani.net: could not connect to host
 mrdleisure.co.uk: did not receive HSTS header
 mredsanders.net: did not receive HSTS header
 mrettich.org: did not receive HSTS header
-mrhc.ru: could not connect to host
 mrizzio.com: could not connect to host
 mrksk.com: could not connect to host
 mrleonardo.com: did not receive HSTS header
@@ -11093,10 +11942,12 @@ mrnh.tk: could not connect to host
 mrnonz.com: max-age too low: 0
 mrparker.pw: did not receive HSTS header
 mrpopat.in: did not receive HSTS header
-mrpropop.com: max-age too low: 0
+mrpropop.com: did not receive HSTS header
 mruganiepodspacja.pl: could not connect to host
+ms-alternativ.de: did not receive HSTS header
 msc-seereisen.net: could not connect to host
 msgallery.tk: could not connect to host
+msopopop.cn: max-age too low: 5184000
 msp66.de: could not connect to host
 mstd.tokyo: did not receive HSTS header
 mstdn-tech.jp: could not connect to host
@@ -11107,8 +11958,8 @@ mszaki.com: did not receive HSTS header
 mt.me.uk: could not connect to host
 mtamaki.com: could not connect to host
 mtau.com: max-age too low: 2592000
-mtb.wtf: could not connect to host
-mtcgf.com: did not receive HSTS header
+mtcgf.com: could not connect to host
+mtcq.jp: could not connect to host
 mtd.ovh: could not connect to host
 mtdn.jp: could not connect to host
 mtfgnettoyage.fr: could not connect to host
@@ -11116,16 +11967,19 @@ mtg-esport.de: did not receive HSTS header
 mtirc.co: could not connect to host
 mtn.cc: could not connect to host
 mtr.md: could not connect to host
-mtravelers.net: could not connect to host
 mu3on.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+muahahahaha.co.uk: could not connect to host
 muchohentai.com: could not connect to host
-muffet.pw: could not connect to host
+mudgezero.one: could not connect to host
+muenzubi.de: did not receive HSTS header
+muffet.pw: did not receive HSTS header
 muga.space: could not connect to host
 muj-svet.cz: could not connect to host
 mujadin.se: did not receive HSTS header
 mulenvo.com: did not receive HSTS header
 mulheres18.com: could not connect to host
 mullen.net.au: did not receive HSTS header
+multiplexcy.com: could not connect to host
 multiterm.org: could not connect to host
 multivpn.cn.com: could not connect to host
 multivpn.com.de: could not connect to host
@@ -11133,11 +11987,12 @@ multivpn.com.ua: could not connect to host
 multivpn.fr: could not connect to host
 multiworldsoftware.com: did not receive HSTS header
 multizone.games: could not connect to host
-mumei.space: did not receive HSTS header
+mumei.space: could not connect to host
 mundoadulto.com.br: did not receive HSTS header
 mundoalpha.com.br: did not receive HSTS header
+mundodoscarbonos.com.br: could not connect to host
 munecoscabezones.com: did not receive HSTS header
-munich-rage.de: could not connect to host
+munich-rage.de: did not receive HSTS header
 munkiepus.com: did not receive HSTS header
 munpanel.com: could not connect to host
 munrabi.com: could not connect to host
@@ -11146,6 +12001,7 @@ munzee.com: did not receive HSTS header
 muonium.ch: could not connect to host
 murdercube.com: could not connect to host
 murfy.kiwi: could not connect to host
+murgi.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 muriburi.land: could not connect to host
 muriburiland.com: could not connect to host
 murodese.org: could not connect to host
@@ -11166,24 +12022,30 @@ musicaconleali.it: did not receive HSTS header
 musiccitycats.com: did not receive HSTS header
 musikkfondene.no: did not receive HSTS header
 musikzug-bookholzberg.de: did not receive HSTS header
+musique2nuit.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 muslimbanter.co.za: could not connect to host
+mustafa.space: could not connect to host
 mustika.cf: did not receive HSTS header
 mutamatic.com: could not connect to host
 mutuelle-obligatoire-pme.fr: did not receive HSTS header
+muusika.fun: could not connect to host
 muzgra.in: did not receive HSTS header
 muzi.cz: could not connect to host
 muzykaprzeszladoplay.pl: could not connect to host
 mvanmarketing.nl: did not receive HSTS header
 mvnet.com.br: did not receive HSTS header
 mvsecurity.nl: could not connect to host
-mwalz.com: could not connect to host
 mwohlfarth.de: did not receive HSTS header
 mxawei.cn: could not connect to host
 mxlife.org: could not connect to host
+mxp.tw: did not receive HSTS header
 my-demo.co: could not connect to host
-my-dick.ru: could not connect to host
+my-dick.ru: did not receive HSTS header
 my-owncloud.com: could not connect to host
 my-pawnshop.com.ua: could not connect to host
+my-plancha.ch: did not receive HSTS header
+my-static-demo-808795.c.cdn77.org: could not connect to host
+my-static-live-808795.c.cdn77.org: could not connect to host
 my-voice.nl: could not connect to host
 my.alfresco.com: did not receive HSTS header
 my.swedbank.se: did not receive HSTS header
@@ -11193,7 +12055,7 @@ myandroidtools.cc: could not connect to host
 myandroidtools.pro: could not connect to host
 myappliancerepairhouston.com: did not receive HSTS header
 myartsway.com: did not receive HSTS header
-mybboard.pl: could not connect to host
+mybboard.pl: did not receive HSTS header
 mybudget.xyz: could not connect to host
 mybuilderinlondon.co.uk: did not receive HSTS header
 mybusiness.cm: did not receive HSTS header
@@ -11203,7 +12065,7 @@ mycollab.net: could not connect to host
 mycolorado.gov: could not connect to host
 mycontrolmonitor.com: could not connect to host
 mycoted.com: did not receive HSTS header
-mycuco.it: did not receive HSTS header
+mycreativeartsconsulting.com: could not connect to host
 myday.eu.com: did not receive HSTS header
 mydeos.com: could not connect to host
 mydigipass.com: did not receive HSTS header
@@ -11211,6 +12073,9 @@ mydmdi.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 mydnaresults.com: could not connect to host
 mydnatest.com: did not receive HSTS header
 mydriversedge.com: did not receive HSTS header
+mydrone.services: could not connect to host
+myeasybooking.de: could not connect to host
+myeml.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 myepass.bg: could not connect to host
 myepass.de: could not connect to host
 myessaygeek.com: could not connect to host
@@ -11225,12 +12090,12 @@ mygooder.com: did not receive HSTS header
 mygov.scot: did not receive HSTS header
 mygpsite.com: did not receive HSTS header
 mygreatjob.eu: could not connect to host
+mygreenrecipes.com: could not connect to host
 myhair.asia: did not receive HSTS header
 myhloli.com: did not receive HSTS header
 myicare.org: did not receive HSTS header
 myiocc.org: did not receive HSTS header
 myip.tech: max-age too low: 2592000
-myjumpsuit.de: did not receive HSTS header
 mykolab.com: did not receive HSTS header
 mykreuzfahrt.de: could not connect to host
 mylene-chandelier.me: did not receive HSTS header
@@ -11250,9 +12115,12 @@ mynigma.org: did not receive HSTS header
 myon.info: did not receive HSTS header
 myonlinedating.club: could not connect to host
 myownconference.de: did not receive HSTS header
+myownconference.es: did not receive HSTS header
 myownconference.fr: did not receive HSTS header
 myownconference.lt: did not receive HSTS header
 myownconference.lv: did not receive HSTS header
+myownconference.pt: did not receive HSTS header
+myownwebinar.com: could not connect to host
 mypagella.com: could not connect to host
 mypagella.eu: could not connect to host
 mypagella.it: could not connect to host
@@ -11271,26 +12139,27 @@ myrig.ru: did not receive HSTS header
 myrsa.in: did not receive HSTS header
 myruststats.com: could not connect to host
 mysa.is: could not connect to host
-mysber.ru: did not receive HSTS header
 mysecretrewards.com: could not connect to host
+myseo.ga: could not connect to host
+myserv.one: could not connect to host
 mysongbird.xyz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 myspa.asia: did not receive HSTS header
+mystatus24.com: did not receive HSTS header
 mystery-science-theater-3000.de: did not receive HSTS header
 mysteryblog.de: did not receive HSTS header
-mysterysear.ch: could not connect to host
 mystown.org: could not connect to host
 mystudy.me: could not connect to host
+mysupboard.de: could not connect to host
 mytc.fr: could not connect to host
 mythlogic.com: did not receive HSTS header
 mythslegendscollection.com: did not receive HSTS header
 mytravelblog.de: could not connect to host
+mytweeps.com: did not receive HSTS header
 mywallets.io: could not connect to host
 myweb360.de: did not receive HSTS header
 mywebinar.io: could not connect to host
-mywebpanel.nl: did not receive HSTS header
 myxbox.gr: max-age too low: 0
 myzone.com: max-age too low: 0
-mziulu.me: could not connect to host
 mzlog.win: could not connect to host
 mzorn.photography: could not connect to host
 n-rickroll-e.pw: could not connect to host
@@ -11303,13 +12172,15 @@ n2x.in: could not connect to host
 n3twork.net: could not connect to host
 n4l.pw: could not connect to host
 n64chan.me: did not receive HSTS header
-n7.education: did not receive HSTS header
-na.hn: did not receive HSTS header
+na.hn: could not connect to host
 naano.org: could not connect to host
 nabru.co.uk: did not receive HSTS header
 nabu-bad-nauheim.de: did not receive HSTS header
 nabytko.cz: could not connect to host
+nacktwanderfreunde.de: did not receive HSTS header
+nadaquenosepas.com: could not connect to host
 nadia.pt: could not connect to host
+nagajanroshiya.info: did not receive HSTS header
 nagaragem.com.br: did not receive HSTS header
 nagios.by: did not receive HSTS header
 nagoya-kyuyo.com: could not connect to host
@@ -11317,8 +12188,8 @@ naiaspa.fr: did not receive HSTS header
 naiharngym.com: did not receive HSTS header
 nailedithomebuilders.com: max-age too low: 300
 nais.me: did not receive HSTS header
-najedlo.sk: could not connect to host
 nakamastreamingcommunity.com: could not connect to host
+nakanishi-paint.com: could not connect to host
 nakhonidc.com: could not connect to host
 nakitbonus2.com: could not connect to host
 nakliyatsirketi.biz: could not connect to host
@@ -11335,15 +12206,16 @@ nameme.xyz: could not connect to host
 nametaken-cloud.duckdns.org: could not connect to host
 namethatbone.com: could not connect to host
 namethatporn.com: could not connect to host
-nami.exchange: could not connect to host
+nami.exchange: did not receive HSTS header
 namikawatetsuji.jp: could not connect to host
-namorico.me: max-age too low: 0
+namorico.me: did not receive HSTS header
 namuwikiusercontent.com: could not connect to host
 nan.ci: did not receive HSTS header
 nan.zone: could not connect to host
 nanami.moe: could not connect to host
 nanderson.me: could not connect to host
 nanfangstone.com: could not connect to host
+nani.io: did not receive HSTS header
 naniki.co.uk: could not connect to host
 nanogeneinc.com: could not connect to host
 nanokamo.com: did not receive HSTS header
@@ -11354,29 +12226,30 @@ naoar.com: could not connect to host
 naphex.rocks: could not connect to host
 napisynapomniky.cz: did not receive HSTS header
 narach.com: did not receive HSTS header
+narazaka.net: could not connect to host
 nargele.eu: did not receive HSTS header
 narko.space: could not connect to host
 narodniki.com: did not receive HSTS header
 narviz.com: did not receive HSTS header
 nasarawanewsonline.com: could not connect to host
+naseco.se: did not receive HSTS header
 nasme.tk: could not connect to host
 nasmocopati.com: did not receive HSTS header
 nasralmabrooka.com: did not receive HSTS header
+nassi.me: could not connect to host
 nastysclaw.com: could not connect to host
 natalia-fadeeva.ru: could not connect to host
 natalia.io: did not receive HSTS header
 natalieandjoshua.com: could not connect to host
 natalt.org: did not receive HSTS header
 natalydanilova.com: max-age too low: 300
-natanaelys.com: could not connect to host
 nataniel-perissier.fr: could not connect to host
+natatorium.org: did not receive HSTS header
 nate.sh: could not connect to host
+natecraun.net: did not receive HSTS header
 natenom.com: max-age too low: 7200
 natenom.de: max-age too low: 7200
 natenom.name: max-age too low: 7200
-nathanmfarrugia.com: did not receive HSTS header
-nationalbank.gov: did not receive HSTS header
-nationalbanknet.gov: did not receive HSTS header
 nationalmall.gov: could not connect to host
 nationwidevehiclecontracts.co.uk: did not receive HSTS header
 natropie.pl: could not connect to host
@@ -11384,61 +12257,65 @@ natur-udvar.hu: could not connect to host
 natural-progesterone.net: could not connect to host
 naturalcommission.com: could not connect to host
 naturblogg.no: did not receive HSTS header
+nature-shots.net: did not receive HSTS header
 naturecoaster.com: did not receive HSTS header
 natuterra.com.br: could not connect to host
 natuurbehangnederland.nl: could not connect to host
 nauck.org: did not receive HSTS header
 naudles.me: could not connect to host
-naughty.audio: could not connect to host
 nav.jobs: could not connect to host
 naval.tf: could not connect to host
-navegos.net: did not receive HSTS header
+navegos.net: could not connect to host
+navenlle.com: could not connect to host
 naviaddress.io: did not receive HSTS header
 naviteq.eu: could not connect to host
 navitime.me: did not receive HSTS header
 navjobs.com: could not connect to host
+navstivime.cz: did not receive HSTS header
 nawroth.info: could not connect to host
-nax.io: did not receive HSTS header
-nay.moe: did not receive HSTS header
+nax.io: could not connect to host
+nay.moe: could not connect to host
+nazigol.com: did not receive HSTS header
 nba2kqq.com: could not connect to host
 nba669.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 nba686.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-nbb.io: could not connect to host
+nbb.io: did not receive HSTS header
 nbg-ha.de: could not connect to host
 nbis.gov: could not connect to host
 nbl.org.tw: could not connect to host
-nbrown.us: could not connect to host
+nbp.com.pk: did not receive HSTS header
 nbtparse.org: could not connect to host
 nc2c.com: could not connect to host
+ncaq.net: did not receive HSTS header
 ncc60205.info: could not connect to host
 ncdesigns-studio.com: could not connect to host
 nchristo.com: did not receive HSTS header
-ncloud.freeddns.org: could not connect to host
 nclvle.co.uk: did not receive HSTS header
 ncpc.gov: could not connect to host
 ncpw.gov: did not receive HSTS header
 ncrmnt.org: did not receive HSTS header
 nct.org.uk: did not receive HSTS header
+ndatc.com: did not receive HSTS header
 ndmath.club: could not connect to host
 ndtblog.com: could not connect to host
 ndtmarket.place: could not connect to host
 ne1home.dyndns.org: did not receive HSTS header
 neap.io: could not connect to host
 near.st: did not receive HSTS header
+nearbi.com.mx: could not connect to host
 nearbiwa.com: did not receive HSTS header
 nearon.nl: could not connect to host
 neavision.de: did not receive HSTS header
-nebula.exchange: did not receive HSTS header
 nebulousenhanced.com: could not connect to host
 necesitodinero.org: could not connect to host
 necio.ca: could not connect to host
 nedcf.org.uk: could not connect to host
 nediyor.com: did not receive HSTS header
 nedwave.com: did not receive HSTS header
-nedzad.me: max-age too low: 0
+nedys.top: did not receive HSTS header
 needle.net.nz: could not connect to host
 needle.nz: could not connect to host
-neels.ch: did not receive HSTS header
+neels.ch: could not connect to host
 neer.io: could not connect to host
 neet-investor.biz: could not connect to host
 neftaly.com: did not receive HSTS header
@@ -11447,25 +12324,36 @@ negativecurvature.net: could not connect to host
 negativzinsen.info: did not receive HSTS header
 negraelinda.com: did not receive HSTS header
 neilgreen.net: did not receive HSTS header
+neio.uk: could not connect to host
 nejnamc.org: did not receive HSTS header
 neko-life.com: did not receive HSTS header
 neko.li: could not connect to host
-neko.ml: could not connect to host
 nekoku.io: could not connect to host
 nekox.ml: could not connect to host
+nella-project.org: could not connect to host
+nella.io: could not connect to host
+nellacms.com: could not connect to host
+nellacms.org: could not connect to host
+nellafw.org: could not connect to host
 nellen.it: did not receive HSTS header
 nemanja.top: did not receive HSTS header
+nemecl.eu: could not connect to host
 nemno.de: could not connect to host
 nemovement.org: could not connect to host
 neoani.me: did not receive HSTS header
 neocoding.com: did not receive HSTS header
 neocyd.com: could not connect to host
 neodrive.ch: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+neoeliteconsulting.com: could not connect to host
 neofelhz.space: could not connect to host
 neojames.me: could not connect to host
+neokobe.city: could not connect to host
+neolink.dk: could not connect to host
 neonisi.com: could not connect to host
 neonnuke.tech: did not receive HSTS header
 neosolution.ca: did not receive HSTS header
+neotist.com: did not receive HSTS header
+neowa.tk: could not connect to host
 nephos.xyz: could not connect to host
 nercp.org.uk: did not receive HSTS header
 nerd42.de: could not connect to host
@@ -11475,8 +12363,8 @@ nerfroute.com: could not connect to host
 neris.io: could not connect to host
 neriumhcp.com: did not receive HSTS header
 nesantuoka.lt: could not connect to host
-nesbase.com: could not connect to host
 nestedquotes.ca: could not connect to host
+nesterov.pw: could not connect to host
 nestone.ru: could not connect to host
 net-navi.cc: did not receive HSTS header
 net-rencontre.com: did not receive HSTS header
@@ -11487,24 +12375,25 @@ net4it.de: did not receive HSTS header
 netba.net: could not connect to host
 netbox.cc: could not connect to host
 netbrief.ml: could not connect to host
-netde.jp: could not connect to host
+netde.jp: did not receive HSTS header
 netdego.jp: could not connect to host
+netducks.space: could not connect to host
 netfs.pl: did not receive HSTS header
 netguide.co.nz: did not receive HSTS header
 netherwind.eu: did not receive HSTS header
 netlilo.com: could not connect to host
 netloanusa.com: could not connect to host
-netlocal.ru: could not connect to host
 netmagik.com: did not receive HSTS header
-netprofile.com.au: did not receive HSTS header
+netprofile.com.au: could not connect to host
 netresourcedesign.com: could not connect to host
 netsafeid.biz: did not receive HSTS header
 netscaler.expert: could not connect to host
 netsight.org: could not connect to host
 netsparkercloud.com: did not receive HSTS header
 netsystems.pro: could not connect to host
-nettacompany.com.tr: did not receive HSTS header
 nettefoundation.com: could not connect to host
+nettopower.dk: did not receive HSTS header
+nettoyage.email: could not connect to host
 nettplusultra-rhone.fr: did not receive HSTS header
 networkmon.net: could not connect to host
 networx-online.de: could not connect to host
@@ -11515,8 +12404,11 @@ netzvieh.de: could not connect to host
 netzzwerg4u.de: could not connect to host
 neuch.info: did not receive HSTS header
 neueonlinecasino2016.com: could not connect to host
+neuhaus-city.de: could not connect to host
 neuralgic.net: could not connect to host
 neuro-plus-100.com: could not connect to host
+neurogroove.info: did not receive HSTS header
+neuronasdigitales.com: did not receive HSTS header
 neuronfactor.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 neutralvehicle.com: did not receive HSTS header
 nevadafiber.net: could not connect to host
@@ -11524,6 +12416,7 @@ never-afk.de: did not receive HSTS header
 neveta.com: could not connect to host
 new: could not connect to host
 newantiagingcreams.com: could not connect to host
+newbasemedia.us: did not receive HSTS header
 newbieboss.com: did not receive HSTS header
 newbownerton.xyz: could not connect to host
 newchance.store: could not connect to host
@@ -11537,11 +12430,13 @@ newhdmovies.io: could not connect to host
 newline.online: did not receive HSTS header
 newlooknow.com: did not receive HSTS header
 newparadigmventures.net: did not receive HSTS header
-newpathintegratedtherapy.com: did not receive HSTS header
+newpathintegratedtherapy.com: could not connect to host
 newpoke.net: could not connect to host
 newportpropertygroup.com: could not connect to host
+news47ell.com: did not receive HSTS header
 news4c.com: did not receive HSTS header
-newsaboutgames.de: could not connect to host
+newsa2.com: could not connect to host
+newsaboutgames.de: did not receive HSTS header
 newserumforskin.com: could not connect to host
 newsquantified.com: max-age too low: 0
 newstarnootropics.com: could not connect to host
@@ -11550,25 +12445,26 @@ newtonhaus.com: could not connect to host
 newtonwarp.com: could not connect to host
 nexgeneration-solutions.com: could not connect to host
 nexlab.org: did not receive HSTS header
+nexril.net: max-age too low: 7776000
 next-taxi.ru: could not connect to host
 next47.com: did not receive HSTS header
-nextcloud.li: could not connect to host
+nextcloud.nerdpol.ovh: could not connect to host
 nextcloud.org: could not connect to host
-nextend.net: could not connect to host
+nextend.net: did not receive HSTS header
 nextend.org: did not receive HSTS header
 nexth.de: could not connect to host
 nexth.net: did not receive HSTS header
 nexth.us: could not connect to host
 nexthop.co.jp: could not connect to host
 nexthop.co.th: did not receive HSTS header
+nexthop.jp: could not connect to host
 nextlevel-it.co.uk: could not connect to host
 nextpages.de: could not connect to host
 nextproject.us: could not connect to host
 nextshutter.com: did not receive HSTS header
 nexusbyte.de: could not connect to host
-nexuscorporation.in: did not receive HSTS header
+nexuscorporation.in: could not connect to host
 nfhome.be: did not receive HSTS header
-nfls.io: did not receive HSTS header
 nfluence.org: could not connect to host
 nfo.so: could not connect to host
 nfrost.me: could not connect to host
@@ -11578,10 +12474,12 @@ ngiemboon.net: could not connect to host
 ngine.ch: did not receive HSTS header
 nginxnudes.com: could not connect to host
 nginxyii.tk: could not connect to host
+ngla.gov: could not connect to host
 nglr.org: could not connect to host
 ngocuong.net: could not connect to host
 ngt-service.ru: could not connect to host
 ngtoys.com.br: did not receive HSTS header
+nhccnews.org: could not connect to host
 nhliberty.org: did not receive HSTS header
 nhsuites.com: did not receive HSTS header
 nhus.de: max-age too low: 172800
@@ -11600,11 +12498,11 @@ nicolasdutour.com: did not receive HSTS header
 nicolasklotz.de: did not receive HSTS header
 nicoleoquendo.com: max-age too low: 2592000
 niconiconi.xyz: could not connect to host
-nicoobook.com: did not receive HSTS header
-nicoobook.net: did not receive HSTS header
 nicorevin.ru: could not connect to host
 nidux.com: did not receive HSTS header
+niduxcomercial.com: could not connect to host
 niedersetz.de: could not connect to host
+niedrigsterpreis.de: did not receive HSTS header
 nien.chat: could not connect to host
 nien.com.tw: could not connect to host
 nienfun.com: could not connect to host
@@ -11612,35 +12510,32 @@ nieuwsoverijssel.nl: did not receive HSTS header
 niffler.software: could not connect to host
 nifpnet.nl: could not connect to host
 nifume.com: could not connect to host
-niggo.eu: could not connect to host
 nightsnack.cf: could not connect to host
 nightwinds.tk: could not connect to host
+nigt.cf: did not receive HSTS header
 niho.jp: did not receive HSTS header
 nikcub.com: did not receive HSTS header
 niki.ai: did not receive HSTS header
 nikksno.io: could not connect to host
 niklas.host: could not connect to host
-niklasanderson.com: could not connect to host
+niklasanderson.com: did not receive HSTS header
 niklaslindblad.se: did not receive HSTS header
 nikobradshaw.com: could not connect to host
 nikolaichik.photo: did not receive HSTS header
 nikolasbradshaw.com: could not connect to host
+nikz.in: did not receive HSTS header
 nilianwo.com: could not connect to host
 niloxy.com: did not receive HSTS header
-nimidam.com: could not connect to host
 ninchisho-online.com: did not receive HSTS header
 ninebytes.xyz: could not connect to host
 ning.so: did not receive HSTS header
 ninhs.org: could not connect to host
-ninjan.co: did not receive HSTS header
 ninjaspiders.com: could not connect to host
 ninofink.com: could not connect to host
 ninreiei.jp: could not connect to host
-ninverse.com: did not receive HSTS header
 niouininon.eu: could not connect to host
 nippler.org: could not connect to host
 nippombashi.net: did not receive HSTS header
-nippon.fr: could not connect to host
 nipponcareers.com: could not connect to host
 nirada.info: could not connect to host
 nirjharstudio.com: did not receive HSTS header
@@ -11653,17 +12548,19 @@ nishisbma.com: could not connect to host
 nitaonline.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 niva.synology.me: could not connect to host
 niveldron.com: could not connect to host
+nivi.ca: could not connect to host
 nixien.fr: could not connect to host
 nixmag.net: could not connect to host
 nixne.st: could not connect to host
+njujb.com: max-age too low: 5184000
 nkadvertising.online: could not connect to host
 nkautoservice.nl: did not receive HSTS header
 nkb.in.th: could not connect to host
-nlegall.fr: did not receive HSTS header
 nll.fi: could not connect to host
 nlrb.gov: did not receive HSTS header
 nmadda.com: did not receive HSTS header
-nmctest.net: could not connect to host
+nmctest.net: did not receive HSTS header
+nmd.so: did not receive HSTS header
 nmgb.ga: could not connect to host
 nmgb.ml: could not connect to host
 nmsnj.com: did not receive HSTS header
@@ -11675,23 +12572,24 @@ no17sifangjie.cc: could not connect to host
 noc.wang: could not connect to host
 nocallaghan.com: could not connect to host
 noclegi-online.pl: did not receive HSTS header
+nocmd.com: did not receive HSTS header
 noctinus.tk: could not connect to host
+nodalr.com: did not receive HSTS header
 node-core-app.com: could not connect to host
 nodebrewery.com: could not connect to host
 nodechate.xyz: could not connect to host
 nodecompat.com: did not receive HSTS header
 nodefiles.com: could not connect to host
 nodefoo.com: could not connect to host
-nodelab-it.de: did not receive HSTS header
+nodelab-it.de: could not connect to host
 nodepanel.net: did not receive HSTS header
 nodepositcasinouk.com: did not receive HSTS header
 nodeselect.com: could not connect to host
-nodespin.com: did not receive HSTS header
 nodesturut.cl: did not receive HSTS header
 nodetemple.com: could not connect to host
 nodi.at: did not receive HSTS header
 nodum.io: did not receive HSTS header
-noegoph.com: did not receive HSTS header
+noegoph.com: could not connect to host
 noelblog.ga: could not connect to host
 noelssanssoucipensacola.com: did not receive HSTS header
 noesberts-weidmoos.de: did not receive HSTS header
@@ -11704,11 +12602,9 @@ nolberg.net: did not receive HSTS header
 nolimits.net.nz: could not connect to host
 nolimitsbook.de: did not receive HSTS header
 nolte.work: could not connect to host
-nomagic.software: could not connect to host
 nomoondev.azurewebsites.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 nomorebytes.de: could not connect to host
 nonemu.ninja: could not connect to host
-noobunbox.net: did not receive HSTS header
 noodlecrave.com: did not receive HSTS header
 noodlesandwich.com: did not receive HSTS header
 noodleyum.com: did not receive HSTS header
@@ -11719,11 +12615,12 @@ nopex.no: could not connect to host
 nopol.de: could not connect to host
 norandom.com: could not connect to host
 norb.at: could not connect to host
-norden.eu.org: could not connect to host
 nordic-survival.de: did not receive HSTS header
 nordiccasinocommunity.com: did not receive HSTS header
+nordicess.dk: could not connect to host
 nordlicht.photography: did not receive HSTS header
 noref.tk: could not connect to host
+noreply.mx: could not connect to host
 norge.guide: could not connect to host
 normalady.com: could not connect to host
 normanschwaneberg.de: did not receive HSTS header
@@ -11736,8 +12633,9 @@ northwest-events.co.uk: could not connect to host
 northwoodsfish.com: could not connect to host
 nosbenevolesontdutalent.com: could not connect to host
 nosecretshop.com: could not connect to host
+nosfermiers.com: could not connect to host
 nosproduitsdequalite.fr: did not receive HSTS header
-nossasenhoradaconceicao.com.br: did not receive HSTS header
+nossasenhoradaconceicao.com.br: could not connect to host
 nostraspace.com: could not connect to host
 nosx.tk: could not connect to host
 not-a.link: could not connect to host
@@ -11760,15 +12658,16 @@ noticia.do: did not receive HSTS header
 notificami.com: could not connect to host
 notjustbitchy.com: could not connect to host
 notonprem.com: could not connect to host
+notrecourrier.net: did not receive HSTS header
 nottheonion.net: did not receive HSTS header
 nottori.com: could not connect to host
-nottres.com: did not receive HSTS header
 notypiesni.sk: did not receive HSTS header
 nou.si: did not receive HSTS header
 nouma.fr: did not receive HSTS header
 nouvelle-vague-saint-cast.fr: did not receive HSTS header
 nova-elearning.com: could not connect to host
 nova.com.hk: did not receive HSTS header
+novacal.ga: could not connect to host
 novaco.in: max-age too low: 3600
 novacraft.me: could not connect to host
 novaopcaofestas.com.br: could not connect to host
@@ -11777,6 +12676,7 @@ novatrucking.de: could not connect to host
 novavoidhowl.com: did not receive HSTS header
 novelabs.de: could not connect to host
 novelabs.eu: could not connect to host
+novelrealm.com: did not receive HSTS header
 novelshouse.com: could not connect to host
 novfishing.ru: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 novinhabucetuda.com: could not connect to host
@@ -11787,17 +12687,19 @@ nowprotein.com: did not receive HSTS header
 nowremindme.com: could not connect to host
 noxi.ga: could not connect to host
 nozoe.jp: could not connect to host
-npm.li: could not connect to host
-npol.de: did not receive HSTS header
-npool.org: could not connect to host
+npm.li: did not receive HSTS header
+npol.de: could not connect to host
+npool.org: did not receive HSTS header
 nq7.pl: could not connect to host
 nqesh.com: could not connect to host
+nqeshreviewer.com: could not connect to host
 nrc-gateway.gov: could not connect to host
 nrechn.de: could not connect to host
 nrizzio.me: could not connect to host
 nrnjn.xyz: did not receive HSTS header
-nrvn.cc: did not receive HSTS header
 nrvnastudios.com: could not connect to host
+nsa.ovh: could not connect to host
+nsa.wtf: could not connect to host
 nsbfalconacademy.org: could not connect to host
 nsdev.cn: could not connect to host
 nsellier.fr: did not receive HSTS header
@@ -11808,14 +12710,21 @@ nstyleintl.ca: did not receive HSTS header
 nsure.us: could not connect to host
 nsweb.solutions: could not connect to host
 ntbs.pro: could not connect to host
+nth.sh: did not receive HSTS header
 ntse.xyz: could not connect to host
 nu-pogodi.net: could not connect to host
 nu3.at: did not receive HSTS header
 nu3.ch: did not receive HSTS header
 nu3.co.uk: could not connect to host
+nu3.com: did not receive HSTS header
 nu3.de: did not receive HSTS header
+nu3.dk: did not receive HSTS header
+nu3.fi: did not receive HSTS header
 nu3.fr: did not receive HSTS header
+nu3.no: did not receive HSTS header
+nu3.se: did not receive HSTS header
 nube.ninja: did not receive HSTS header
+nubella.com.au: did not receive HSTS header
 nubeslayer.com: could not connect to host
 nuclear-crimes.com: did not receive HSTS header
 nuclearcrimes.com: did not receive HSTS header
@@ -11836,15 +12745,17 @@ nullpoint.at: did not receive HSTS header
 nullpro.com: could not connect to host
 numericacu.com: did not receive HSTS header
 numero-di-telefono.it: could not connect to host
+numis.tech: could not connect to host
 numista.com: did not receive HSTS header
 numm.fr: did not receive HSTS header
 nuovamoda.al: could not connect to host
-nup.pw: max-age too low: 0
+nup.pw: did not receive HSTS header
 nupef.org.br: did not receive HSTS header
 nurserybook.co: did not receive HSTS header
 nurture.be: did not receive HSTS header
 nusatrip-api.com: did not receive HSTS header
 nusku.biz: did not receive HSTS header
+nutricaovegana.com: did not receive HSTS header
 nutricuerpo.com: did not receive HSTS header
 nutrieduca.com: could not connect to host
 nutrienti.eu: did not receive HSTS header
@@ -11853,15 +12764,18 @@ nutritionculture.com: could not connect to host
 nutsandboltsmedia.com: did not receive HSTS header
 nuttyveg.com: did not receive HSTS header
 nuwaterglobal.com: did not receive HSTS header
+nvcogct.gov: could not connect to host
 nvlop.xyz: did not receive HSTS header
 nwa.xyz: could not connect to host
 nweb.co.nz: could not connect to host
 nwork.media: did not receive HSTS header
 nxt.sh: did not receive HSTS header
+nyanco.space: could not connect to host
 nyanpasu.tv: could not connect to host
 nyatane.com: could not connect to host
 nyazeeland.guide: could not connect to host
 nycroth.com: could not connect to host
+nydnxs.com: did not receive HSTS header
 nyesider.org: could not connect to host
 nyffo.com: did not receive HSTS header
 nylonfeetporn.com: could not connect to host
@@ -11874,10 +12788,13 @@ nystudio107.com: did not receive HSTS header
 nyuusannkinn.com: did not receive HSTS header
 nz.search.yahoo.com: max-age too low: 172800
 nzbs.io: could not connect to host
+nzdmo.govt.nz: did not receive HSTS header
 nzmk.cz: could not connect to host
 nzquakes.maori.nz: did not receive HSTS header
+o-loska.cz: did not receive HSTS header
 o-rickroll-y.pw: could not connect to host
 o0o.one: did not receive HSTS header
+oakesfam.net: did not receive HSTS header
 oaksbloom.com: could not connect to host
 oasis-conference.org.nz: could not connect to host
 oasis.mobi: did not receive HSTS header
@@ -11886,28 +12803,31 @@ oben.pl: did not receive HSTS header
 oberam.de: could not connect to host
 oberhof.co: could not connect to host
 oberhofjuice.com: could not connect to host
+oberoi.de: did not receive HSTS header
+obioncountytn.gov: could not connect to host
 objectif-leger.com: did not receive HSTS header
 oblikdom.pro: did not receive HSTS header
 oblikdom.ru: did not receive HSTS header
 oblondata.io: did not receive HSTS header
 obrienlab.com: did not receive HSTS header
+obscur.us: could not connect to host
 obscuredfiles.com: could not connect to host
 observatory.se: could not connect to host
 obsydian.org: could not connect to host
 oc-minecraft.com: could not connect to host
 ocad.com.au: did not receive HSTS header
 ocapic.com: could not connect to host
-occ.gov: did not receive HSTS header
 occasion-impro.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 occupymedia.org: could not connect to host
 ochaken.cf: could not connect to host
+ocloudhost.com: could not connect to host
 ocmeulebeke.be: did not receive HSTS header
 ocrami.us: did not receive HSTS header
 octanio.com: could not connect to host
 octo.im: could not connect to host
 octocat.ninja: could not connect to host
 octod.tk: could not connect to host
-octohost.net: did not receive HSTS header
+octohost.net: could not connect to host
 oddmouse.com: could not connect to host
 odin.xxx: could not connect to host
 odinkapital.no: did not receive HSTS header
@@ -11919,7 +12839,7 @@ odysseyconservationtrust.com: did not receive HSTS header
 oe8.bet: could not connect to host
 ofcourselanguages.com: could not connect to host
 ofcss.com: did not receive HSTS header
-ofer.site: did not receive HSTS header
+ofer.site: could not connect to host
 off-the-clock.us: could not connect to host
 offenedialoge.de: max-age too low: 2592000
 offersgame.com: could not connect to host
@@ -11928,6 +12848,7 @@ offgames.pro: could not connect to host
 office-ruru.com: could not connect to host
 officeclub.com.mx: did not receive HSTS header
 officeprint.co.th: could not connect to host
+officium.tech: could not connect to host
 offshore-firma.org: could not connect to host
 offshore-unternehmen.com: could not connect to host
 offshorefirma-gruenden.com: could not connect to host
@@ -11937,28 +12858,31 @@ ofo2.com: could not connect to host
 oganek.ie: could not connect to host
 oganime.com: could not connect to host
 oggw.us: could not connect to host
-ogkw.de: did not receive HSTS header
+ogis.gov: could not connect to host
 ogogoshop.com: could not connect to host
 ogrodywstudniach.pl: did not receive HSTS header
 ohayosoro.me: could not connect to host
 ohhdeertrade.com: did not receive HSTS header
 ohm2013.org: did not receive HSTS header
 ohma.ga: did not receive HSTS header
-ohnemusik.com: max-age too low: 0
+ohnemusik.com: did not receive HSTS header
 ohohrazi.com: did not receive HSTS header
 ohreally.de: could not connect to host
 ohsocool.org: did not receive HSTS header
+oiaio.cn: could not connect to host
 oiepoie.nl: could not connect to host
+oilfieldinjury.attorney: could not connect to host
 oinky.ddns.net: could not connect to host
 oishioffice.com: did not receive HSTS header
+ojanaho.com: did not receive HSTS header
 ojbk.eu: could not connect to host
 ojeremy.com: did not receive HSTS header
 ojls.co: could not connect to host
 okad-center.de: did not receive HSTS header
 okad.de: did not receive HSTS header
 okad.eu: did not receive HSTS header
-okane.love: could not connect to host
-okashi.me: could not connect to host
+okaidi.es: could not connect to host
+okane.love: did not receive HSTS header
 okaz.de: did not receive HSTS header
 oklahomamoversassociation.org: could not connect to host
 oklahomanotepro.com: could not connect to host
@@ -11968,16 +12892,20 @@ okutama.in.th: could not connect to host
 olafnorge.de: did not receive HSTS header
 olcso-vps-szerver.hu: could not connect to host
 oldandyounglesbians.us: could not connect to host
+oldbrookinflatables.co.uk: did not receive HSTS header
+oldenglishsheepdog.com.br: could not connect to host
 oldschool-criminal.com: did not receive HSTS header
 oldtimer-trifft-flugplatz.de: did not receive HSTS header
-olifant.fr: did not receive HSTS header
-oliverdunk.com: did not receive HSTS header
+olightstore.com: did not receive HSTS header
+oliode.tk: could not connect to host
 olivlabs.com: could not connect to host
 ollehbizev.co.kr: could not connect to host
+ollieowlsblog.com: could not connect to host
 ols.io: did not receive HSTS header
 olswangtrainees.com: could not connect to host
 olympe-transport.fr: did not receive HSTS header
 omacostudio.com: could not connect to host
+omar.yt: did not receive HSTS header
 omarsuniagamusic.ga: did not receive HSTS header
 omeuanimal.com: did not receive HSTS header
 omgaanmetidealen.com: could not connect to host
@@ -11987,32 +12915,36 @@ omise.co: did not receive HSTS header
 ommahpost.com: did not receive HSTS header
 omnigon.network: could not connect to host
 omnilab.tech: could not connect to host
+omnisafira.com: did not receive HSTS header
 omniti.com: max-age too low: 1
 omorashi.org: could not connect to host
 omquote.gq: could not connect to host
-omskit.ru: did not receive HSTS header
+omskit.ru: could not connect to host
 omyogarishikesh.com: did not receive HSTS header
 on-te.ch: did not receive HSTS header
-onahonavi.com: could not connect to host
+ondrejhoralek.cz: did not receive HSTS header
 one-pe.com: did not receive HSTS header
 onearth.one: did not receive HSTS header
 oneb4nk.com: could not connect to host
 onecycling.my: could not connect to host
 onecycling.world: could not connect to host
 onefour.co: could not connect to host
+onegoodthingbyjillee.com: did not receive HSTS header
 onehourloan.com: could not connect to host
 onehourloan.sg: did not receive HSTS header
 oneiros.cc: could not connect to host
 onelawsuit.com: could not connect to host
+oneminute.io: did not receive HSTS header
 oneminutefilm.tv: did not receive HSTS header
 onemusou.com: could not connect to host
 onepathnetwork.com: max-age too low: 7776000
 onepluscamps.com: did not receive HSTS header
+onepointsafeband.ca: could not connect to host
+onepointsafeband.com: could not connect to host
 onepopstore.com: could not connect to host
 onespiritinc.com: did not receive HSTS header
 onet.space: could not connect to host
 onetly.com: could not connect to host
-onetwentyseven001.com: did not receive HSTS header
 onewebdev.info: could not connect to host
 oneworldbank.com: did not receive HSTS header
 onewpst.com: could not connect to host
@@ -12022,7 +12954,10 @@ onionbot.ga: could not connect to host
 onioncloud.org: could not connect to host
 onionplay.live: could not connect to host
 onionsburg.com: could not connect to host
+onkfaktor.de: could not connect to host
 online-casino.eu: did not receive HSTS header
+online-horoskop.ch: did not receive HSTS header
+online-results.dk: did not receive HSTS header
 online-scene.com: did not receive HSTS header
 online-wetten.de: could not connect to host
 onlinebiller.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -12032,16 +12967,18 @@ onlinecompliance.org: did not receive HSTS header
 onlinecorners.com: did not receive HSTS header
 onlinedemo.hu: could not connect to host
 onlinedeposit.us: could not connect to host
+onlineinfographic.com: could not connect to host
 onlinekasino.de: did not receive HSTS header
 onlinepollsph.com: could not connect to host
 onlineporno.tv: could not connect to host
 onlineschadestaat.nl: did not receive HSTS header
-onlinespielothek.com: did not receive HSTS header
+onlinespielothek.com: could not connect to host
+onlineweblearning.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 onlinewetten.de: could not connect to host
 only-roses.co.uk: did not receive HSTS header
 only-roses.com: max-age too low: 2592000
 onlyesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-onlyesb.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+onlyesb.net: could not connect to host
 onlyshopstation.com: did not receive HSTS header
 onlyzero.net: could not connect to host
 onmuvo.com: could not connect to host
@@ -12049,8 +12986,10 @@ onmyoji.biz: could not connect to host
 onnee.ch: could not connect to host
 onnext.cc: did not receive HSTS header
 ononpay.com: did not receive HSTS header
+onoranze-funebri.biz: could not connect to host
 onovlena.dn.ua: could not connect to host
 onpatient.com: did not receive HSTS header
+onpermit.net: could not connect to host
 onsennuie.fr: could not connect to host
 onsite4u.de: could not connect to host
 onsitemassageco.com: did not receive HSTS header
@@ -12073,14 +13012,17 @@ oopsmycase.com: could not connect to host
 oopsorup.com: could not connect to host
 oosoo.org: could not connect to host
 oost.io: could not connect to host
+opadaily.com: could not connect to host
 opatut.de: did not receive HSTS header
 opcaobolsas.com.br: could not connect to host
+open-desk.org: could not connect to host
 open-future.be: did not receive HSTS header
 open-mx.de: could not connect to host
 open-to-repair.fr: max-age too low: 86400
 openacademies.com: could not connect to host
 openas.org: did not receive HSTS header
 openbankproject.com: did not receive HSTS header
+openbsd.id: could not connect to host
 openclub24.ru: could not connect to host
 openconcept.no: did not receive HSTS header
 openconnect.com.au: could not connect to host
@@ -12091,6 +13033,7 @@ openiocdb.com: could not connect to host
 openmetals.com: could not connect to host
 openmind-shop.de: did not receive HSTS header
 openmirrors.cf: could not connect to host
+openpresentes.com.br: could not connect to host
 openpriv.pw: could not connect to host
 openprovider.nl: did not receive HSTS header
 openrainbow.org: could not connect to host
@@ -12101,7 +13044,7 @@ opensourcehouse.net: could not connect to host
 openspace.xxx: did not receive HSTS header
 opensrd.com: could not connect to host
 openssf.org: did not receive HSTS header
-opentexon.com: did not receive HSTS header
+opentexon.com: could not connect to host
 openxmpp.com: could not connect to host
 operad.fr: could not connect to host
 opiates.net: did not receive HSTS header
@@ -12119,17 +13062,30 @@ opsafewinter.net: could not connect to host
 opsbears.com: did not receive HSTS header
 opsnotepad.com: could not connect to host
 opstacks.com: could not connect to host
+opteamax.eu: did not receive HSTS header
 optenhoefel.de: could not connect to host
 optiekzien.nl: did not receive HSTS header
 optimal-e.com: did not receive HSTS header
+optimised.cloud: could not connect to host
+optimised.io: could not connect to host
+optimisedlabs.info: could not connect to host
+optimisedlabs.net: could not connect to host
+optimisedlabs.uk: could not connect to host
 optimista.soy: could not connect to host
 optimize-jpg.com: could not connect to host
+optimizedlabs.co.uk: could not connect to host
+optimizedlabs.info: could not connect to host
+optimizedlabs.net: could not connect to host
+optimizedlabs.uk: could not connect to host
+optisure.de: did not receive HSTS header
 optometriepunt.nl: did not receive HSTS header
 optumrxhealthstore.com: could not connect to host
 opunch.org: did not receive HSTS header
+opure.ml: could not connect to host
+opure.ru: could not connect to host
 oracaodocredo.com.br: could not connect to host
 orangekey.tk: could not connect to host
-oranges.tokyo: could not connect to host
+oranges.tokyo: did not receive HSTS header
 oranic.com: did not receive HSTS header
 orbiosales.com: could not connect to host
 orbitcom.de: did not receive HSTS header
@@ -12149,29 +13105,36 @@ orfeo-engineering.ch: could not connect to host
 organic-superfood.net: could not connect to host
 organicae.com: did not receive HSTS header
 oricejoc.com: could not connect to host
+orientravelmacas.com: did not receive HSTS header
 originalmockups.com: did not receive HSTS header
 originalsport.com.br: could not connect to host
 orioncustompcs.com: could not connect to host
 orionfcu.com: did not receive HSTS header
 orionrebellion.com: did not receive HSTS header
 orleika.ml: could not connect to host
+orovillelaw.com: could not connect to host
 oroweatorganic.com: could not connect to host
+orro.ro: did not receive HSTS header
 ortho-graz.at: max-age too low: 86400
 orthodoxy.lt: did not receive HSTS header
 ortodonciaian.com: did not receive HSTS header
-orui.com.br: could not connect to host
+orui.com.br: did not receive HSTS header
+orum.in: max-age too low: 0
+orz.uno: did not receive HSTS header
 osaiyuwu.com: could not connect to host
+osaka-onakura.com: did not receive HSTS header
+oscamp.eu: could not connect to host
 oscarmashauri.com: did not receive HSTS header
 oscillation-services.fr: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+oscloud.com: could not connect to host
 oscloud.com.ua: could not connect to host
 oscreen.me: could not connect to host
 oscreen.org: could not connect to host
-oscsdp.cz: did not receive HSTS header
+oscsdp.cz: could not connect to host
 osdls.gov: did not receive HSTS header
-osereso.tn: could not connect to host
 osha-kimi.com: did not receive HSTS header
 oshanko.de: could not connect to host
-oshinagaki.jp: could not connect to host
+oshinagaki.jp: did not receive HSTS header
 oslfoundation.org: did not receive HSTS header
 osmestres.com: did not receive HSTS header
 osp.cx: could not connect to host
@@ -12181,46 +13144,53 @@ ossbinaries.com: could not connect to host
 osteammate.com: could not connect to host
 ostendorf.com: did not receive HSTS header
 osticketawesome.com: did not receive HSTS header
-ostrov8.com: could not connect to host
 oswaldmattgroup.com: did not receive HSTS header
 otako.pl: did not receive HSTS header
+otakucloud.net: did not receive HSTS header
 otakuworld.de: could not connect to host
-otakuyun.com: did not receive HSTS header
 otchecker.com: could not connect to host
 othercode.nl: could not connect to host
 otherkinforum.com: could not connect to host
-othermedia.cc: could not connect to host
-otherstuff.nl: could not connect to host
-otichi.com: did not receive HSTS header
+othermedia.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+otherstuff.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+otichi.com: could not connect to host
 otinane.eu: could not connect to host
 otmns.net: could not connect to host
 otmo7.com: could not connect to host
+otoblok.com: did not receive HSTS header
 otokonna.com: could not connect to host
 otrsdemo.hu: did not receive HSTS header
-ottoproject.io: max-age too low: 900
+otsu.beer: could not connect to host
 ottospora.nl: could not connect to host
+ouimoove.com: could not connect to host
+ouowo.gq: could not connect to host
 ourbank.com: max-age too low: 2592000
 ourchoice2016.com: could not connect to host
+ouruglyfood.com: could not connect to host
 outdooradventures.pro: could not connect to host
 outdoorproducts.com: max-age too low: 7889238
 outreachbuddy.com: could not connect to host
 outsider.im: could not connect to host
 outurnate.com: did not receive HSTS header
 ouvirmusica.com.br: did not receive HSTS header
+ovabag.com: did not receive HSTS header
 ovenapp.io: did not receive HSTS header
 over25tips.com: did not receive HSTS header
+overceny.cz: did not receive HSTS header
 override.io: could not connect to host
 overrustle.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 oversight.io: could not connect to host
 overstappen.nl: did not receive HSTS header
 overture.london: did not receive HSTS header
-ovpn.to: could not connect to host
+overwall.org: could not connect to host
 ovuscloud.de: could not connect to host
 ovwane.com: could not connect to host
 owall.ml: did not receive HSTS header
 owennelson.me: max-age too low: 2592000
 owensmith.website: could not connect to host
+owl-hakkei.com: did not receive HSTS header
 owlscrap.ru: could not connect to host
+ownc.at: could not connect to host
 owncloud.help: could not connect to host
 owngeek.com: could not connect to host
 ownmovies.fr: could not connect to host
@@ -12246,29 +13216,12 @@ p2av.com: could not connect to host
 p3.marketing: did not receive HSTS header
 p3in.com: could not connect to host
 p3ter.fr: did not receive HSTS header
-p8r.de: did not receive HSTS header
+p8r.de: could not connect to host
 paavolastudio.com: did not receive HSTS header
-pablo.im: did not receive HSTS header
-pablo.scot: did not receive HSTS header
-pablo.sh: did not receive HSTS header
-pabloarteaga.co.uk: did not receive HSTS header
-pabloarteaga.com: did not receive HSTS header
-pabloarteaga.com.es: did not receive HSTS header
-pabloarteaga.es: did not receive HSTS header
-pabloarteaga.eu: did not receive HSTS header
-pabloarteaga.info: did not receive HSTS header
-pabloarteaga.me: did not receive HSTS header
-pabloarteaga.name: did not receive HSTS header
-pabloarteaga.net: did not receive HSTS header
-pabloarteaga.nom.es: did not receive HSTS header
-pabloarteaga.org: did not receive HSTS header
-pabloarteaga.science: did not receive HSTS header
-pabloarteaga.tech: did not receive HSTS header
-pabloarteaga.uk: did not receive HSTS header
-pabloarteaga.xyz: did not receive HSTS header
 pablocamino.tk: could not connect to host
 pablorey-art.com: did not receive HSTS header
 pachaiyappas.org: did not receive HSTS header
+pacificpalisadeselectrician.com: could not connect to host
 packair.com: did not receive HSTS header
 packer.io: did not receive HSTS header
 packetapp.ru: could not connect to host
@@ -12284,6 +13237,7 @@ pader-deko.de: [Exception... "Component returned failure code: 0x80004005 (NS_ER
 paestbin.com: could not connect to host
 page: could not connect to host
 pagedesignshop.com: did not receive HSTS header
+pageperform.com: did not receive HSTS header
 pagerate.io: could not connect to host
 pages-tocaven.com: could not connect to host
 pagetoimage.com: could not connect to host
@@ -12295,13 +13249,15 @@ paino.cloud: could not connect to host
 painosso.org: could not connect to host
 paintingat.com: could not connect to host
 paio2-rec.com: could not connect to host
-paio2.com: did not receive HSTS header
+paio2.com: could not connect to host
 paisaone.com: could not connect to host
 paizinhovirgula.com: did not receive HSTS header
 pajonzeck.de: could not connect to host
 paket.io: could not connect to host
 paket.ml: did not receive HSTS header
 paketkreditsuzuki.com: could not connect to host
+pakeystonescholars.gov: could not connect to host
+pakowanie-polska.pl: could not connect to host
 paku.me: could not connect to host
 palationtrade.com: could not connect to host
 palawan.jp: could not connect to host
@@ -12310,7 +13266,7 @@ paleolowcarb.de: did not receive HSTS header
 paleosquawk.com: could not connect to host
 pallet.io: could not connect to host
 palmer.im: could not connect to host
-pammbook.com: did not receive HSTS header
+pammbook.com: could not connect to host
 pamplona.tv: could not connect to host
 pan.tips: could not connect to host
 panaceallc.net: could not connect to host
@@ -12327,8 +13283,10 @@ panjee.com: did not receive HSTS header
 panjee.fr: did not receive HSTS header
 panlex.org: did not receive HSTS header
 panni.me: could not connect to host
+panoma.de: did not receive HSTS header
 panoranordic.net: could not connect to host
 panos.io: did not receive HSTS header
+panoti.com: could not connect to host
 pansu.space: could not connect to host
 pantsu.cat: did not receive HSTS header
 paolo565.org: did not receive HSTS header
@@ -12348,19 +13306,20 @@ papotage.net: could not connect to host
 papygeek.com: could not connect to host
 parabhairavayoga.com: did not receive HSTS header
 paradiesgirls.ch: could not connect to host
+paradigi.com.br: did not receive HSTS header
 paradise-engineers.com: could not connect to host
 paragon.edu: could not connect to host
 parakranov.ru: did not receive HSTS header
-paranormalweirdo.com: could not connect to host
-paranoxer.hu: could not connect to host
 parav.xyz: did not receive HSTS header
 pardnoy.com: could not connect to host
 parent5446.us: could not connect to host
 parentmail.co.uk: did not receive HSTS header
-parfum-baza.ru: did not receive HSTS header
+parfum-baza.ru: could not connect to host
+pariga.co.uk: could not connect to host
 paris-cyber.fr: did not receive HSTS header
 parisdimanche.com: did not receive HSTS header
 parishome.jp: could not connect to host
+parisprovincedemenagements.fr: did not receive HSTS header
 parisvox.info: did not receive HSTS header
 parithy.net: could not connect to host
 parkhillsbaptist.church: did not receive HSTS header
@@ -12372,17 +13331,14 @@ parkwithark.com: could not connect to host
 parodybit.net: did not receive HSTS header
 parpaing-paillette.net: could not connect to host
 parquet-lascazes.fr: did not receive HSTS header
-partage.ovh: did not receive HSTS header
-parteaga.com: did not receive HSTS header
-parteaga.net: did not receive HSTS header
-parthkolekar.me: could not connect to host
+partage.ovh: could not connect to host
 participatorybudgeting.de: did not receive HSTS header
 participatorybudgeting.info: did not receive HSTS header
 particonpsplus.it: could not connect to host
 partirkyoto.jp: did not receive HSTS header
-partiwatch.com: could not connect to host
+partiwatch.com: max-age too low: 2592000
 partnerbeam.com: could not connect to host
-partnercardservices.com: did not receive HSTS header
+partnersfcu.org: did not receive HSTS header
 partnerwerk.de: did not receive HSTS header
 partyhaus.ovh: could not connect to host
 partyhireformby.co.uk: did not receive HSTS header
@@ -12394,7 +13350,10 @@ partyvan.moe: could not connect to host
 partyvan.nl: could not connect to host
 partyvan.se: could not connect to host
 pascalchristen.ch: did not receive HSTS header
-pasportaservo.org: could not connect to host
+pascalspoerri.ch: could not connect to host
+pasportaservo.org: did not receive HSTS header
+passendonderwijs.nl: did not receive HSTS header
+passionebenessere.com: did not receive HSTS header
 passpilot.co.uk: did not receive HSTS header
 passwd.io: did not receive HSTS header
 password.codes: could not connect to host
@@ -12409,36 +13368,43 @@ pastenib.com: could not connect to host
 paster.li: did not receive HSTS header
 pasteros.io: could not connect to host
 pastie.se: could not connect to host
+pastorbelgagroenendael.com.br: could not connect to host
 pastorcanadense.com.br: could not connect to host
+pastormaremanoabruzes.com.br: could not connect to host
+pastorsuico.com.br: could not connect to host
 pataua.kiwi: did not receive HSTS header
 paternitydnatest.com: could not connect to host
 patfs.com: did not receive HSTS header
 pathwaytofaith.com: could not connect to host
 patientinsight.net: could not connect to host
+patouille-et-gribouille.fr: did not receive HSTS header
 patriaco.net: did not receive HSTS header
 patric-lenhart.de: could not connect to host
 patrick.dark.name: could not connect to host
 patrickbusch.net: could not connect to host
+patrickmcnamara.xyz: did not receive HSTS header
 patrickneuro.de: could not connect to host
 patrickquinn.ca: did not receive HSTS header
 patrickschneider.me: could not connect to host
-patt.us: did not receive HSTS header
+patt.us: could not connect to host
 patterson.mp: could not connect to host
 paul-kerebel.pro: could not connect to host
 paul-schmidt.de: max-age too low: 0
 paulbunyanmls.com: did not receive HSTS header
+paulewen.ca: could not connect to host
+paulpetersen.dk: did not receive HSTS header
 paulproell.at: did not receive HSTS header
 paulrudge.codes: could not connect to host
-paulshir.com: could not connect to host
-paulshir.is: could not connect to host
 paulyang.cn: did not receive HSTS header
 paveljanda.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 pavelkahouseforcisco.com: did not receive HSTS header
+pavelstriz.cz: could not connect to host
 pawsru.org: could not connect to host
 paxdei.com.br: could not connect to host
 paxwinkel.nl: could not connect to host
 pay.gigahost.dk: did not receive HSTS header
 pay.ubuntu.com: could not connect to host
+pay8522.com: could not connect to host
 payclixpayments.com: did not receive HSTS header
 payfreez.com: could not connect to host
 paykings.com: did not receive HSTS header
@@ -12451,11 +13417,14 @@ payroll.ch: could not connect to host
 paytwopay.com: could not connect to host
 payzwin.com: did not receive HSTS header
 pb-design.ch: could not connect to host
+pb.ax: could not connect to host
 pbapp.net: did not receive HSTS header
 pbbr.com: did not receive HSTS header
 pbcknd.ml: could not connect to host
 pbcomp.com.au: did not receive HSTS header
 pbprint.ru: could not connect to host
+pbqs.site: could not connect to host
+pbreen.co.uk: could not connect to host
 pbscreens.com: could not connect to host
 pbytes.com: could not connect to host
 pc-nf.de: did not receive HSTS header
@@ -12465,7 +13434,7 @@ pcbricole.fr: could not connect to host
 pcfun.net: did not receive HSTS header
 pchax.net: could not connect to host
 pchospital.cc: could not connect to host
-pcmedia.co.nz: did not receive HSTS header
+pcmedia.co.nz: max-age too low: 7889238
 pcvirusclear.com: could not connect to host
 pdamsidoarjo.co.id: could not connect to host
 pdevio.com: could not connect to host
@@ -12496,7 +13465,7 @@ penablog.com: did not receive HSTS header
 pengisatelier.net: could not connect to host
 pengui.uk: could not connect to host
 penguinclientsystem.com: did not receive HSTS header
-pengumuman.id: did not receive HSTS header
+pengumuman.id: could not connect to host
 pennyapp.io: did not receive HSTS header
 pennylane.me.uk: did not receive HSTS header
 pensanisso.com: did not receive HSTS header
@@ -12505,7 +13474,7 @@ pension-veldzigt.nl: did not receive HSTS header
 pension-waldesruh.de: did not receive HSTS header
 pensiunealido.ro: could not connect to host
 pentagram.me: max-age too low: 2592000
-pentano.net: could not connect to host
+pentano.net: did not receive HSTS header
 people-mozilla.org: could not connect to host
 peoplerange.com: did not receive HSTS header
 peoplesbankal.com: did not receive HSTS header
@@ -12513,7 +13482,7 @@ peperiot.com: did not receive HSTS header
 pepper.dog: could not connect to host
 pepperhead.com: did not receive HSTS header
 pepperworldhotshop.de: did not receive HSTS header
-pepsicoemployeepreferencesurvey.com: did not receive HSTS header
+pepsicoemployeepreferencesurvey.com: could not connect to host
 per-pedes.at: did not receive HSTS header
 perdel.cn: could not connect to host
 pereuda.com: could not connect to host
@@ -12529,7 +13498,13 @@ performous.org: did not receive HSTS header
 perfumista.vn: did not receive HSTS header
 periodismoactual.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 periscopeliveweb.com: could not connect to host
-perlwork.nl: could not connect to host
+perlwork.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+perm-jur.ch: could not connect to host
+perm-juridique.ch: could not connect to host
+permanence-juridique.com: could not connect to host
+permanencejuridique-ge.ch: could not connect to host
+permanencejuridique.com: could not connect to host
+permiscoderoute.fr: did not receive HSTS header
 pernatie.ru: could not connect to host
 peromsik.com: did not receive HSTS header
 perplex.nl: did not receive HSTS header
@@ -12537,6 +13512,7 @@ perrone.co: could not connect to host
 perroud.pro: did not receive HSTS header
 persjrp.ca: could not connect to host
 persoform.ch: could not connect to host
+personal-injury-attorney.co: could not connect to host
 personalcommunicationsecurity.com: could not connect to host
 personaldatabasen.no: could not connect to host
 personalinjurylist.com: could not connect to host
@@ -12562,32 +13538,37 @@ pethelpers.org: did not receive HSTS header
 pethub.com: did not receive HSTS header
 petit.site: could not connect to host
 petlife.od.ua: could not connect to host
-petplum.com: could not connect to host
+petplum.com: did not receive HSTS header
 petrkrapek.cz: did not receive HSTS header
+petrotranz.com: did not receive HSTS header
 petrovsky.pro: could not connect to host
+petruzz.net: did not receive HSTS header
 petsittersservices.com: could not connect to host
 pettsy.com: did not receive HSTS header
 peuf.shop: could not connect to host
 peuterspeelzaalhoekvanholland.nl: could not connect to host
+pewat.com: could not connect to host
 pewboards.com: could not connect to host
 pexieapp.com: did not receive HSTS header
 peykezamin.ir: did not receive HSTS header
 peyote.org: could not connect to host
 peytonfarrar.com: could not connect to host
+pf.dk: did not receive HSTS header
 pferdeeinstreu-kaufen.com: did not receive HSTS header
 pfgshop.com.br: could not connect to host
 pflegedienst-gratia.de: max-age too low: 300
+pfo.io: could not connect to host
 pfolta.net: could not connect to host
 pgcpbc.com: could not connect to host
 pgmsource.com: could not connect to host
 pgpm.io: could not connect to host
-pgregg.com: did not receive HSTS header
 pgtb.be: could not connect to host
 phalconist.com: could not connect to host
+phantasie.cc: could not connect to host
+pharmaboard.org: did not receive HSTS header
 pharmgkb.org: could not connect to host
-pharynx.nl: could not connect to host
+phaux.uno: could not connect to host
 phcmembers.com: did not receive HSTS header
-phcnetworks.net: did not receive HSTS header
 phdsupply.com: could not connect to host
 phdwuda.com: could not connect to host
 phenomeno-porto.com: did not receive HSTS header
@@ -12596,38 +13577,47 @@ phenomenoporto.com: did not receive HSTS header
 phenomenoporto.nl: did not receive HSTS header
 philadelphiacandies.com: did not receive HSTS header
 philadelphiadancefoundation.org: could not connect to host
+philipkohn.com: did not receive HSTS header
 philipmordue.co.uk: could not connect to host
 philippa.cool: could not connect to host
+philippinedroneassociation.org: did not receive HSTS header
 phillippi.me: could not connect to host
 phillmoore.com: did not receive HSTS header
 phillprice.com: did not receive HSTS header
 philonas.net: did not receive HSTS header
 philpropertygroup.com: could not connect to host
 phippsreporting.com: did not receive HSTS header
+phishing.rs: did not receive HSTS header
 phoebe.co.nz: did not receive HSTS header
 phoenicis.com.ua: did not receive HSTS header
+phoenics.de: did not receive HSTS header
 phoenix.dj: did not receive HSTS header
-phoenixlogan.com: could not connect to host
 phonenumberinfo.co.uk: could not connect to host
 phongmay24h.com: could not connect to host
-phood.be: could not connect to host
-photo.org.il: could not connect to host
+phood.be: did not receive HSTS header
+photek.fm: could not connect to host
 photoblogverona.com: could not connect to host
 photoboothpartyhire.co.uk: did not receive HSTS header
 photographyforchange.com: could not connect to host
 photographyforchange.org: could not connect to host
+photon.sh: could not connect to host
 photops.fr: could not connect to host
 photosoftware.nl: could not connect to host
+photosquare.com.tw: did not receive HSTS header
 phototag.org: did not receive HSTS header
 php-bach.org: could not connect to host
 phpdistribution.com: did not receive HSTS header
 phperformances.fr: did not receive HSTS header
 phpfashion.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+phpkari.cz: could not connect to host
 phr34kz.pw: did not receive HSTS header
+phra.gs: could not connect to host
 phrasing.me: could not connect to host
+phrive.space: could not connect to host
 phryneas.de: did not receive HSTS header
 phumin.in.th: did not receive HSTS header
 phuong.faith: could not connect to host
+physicpezeshki.com: did not receive HSTS header
 pi-eng.fr: did not receive HSTS header
 pianetaottica.eu: could not connect to host
 pianetaottica.info: could not connect to host
@@ -12638,14 +13628,14 @@ piasto.com.cy: could not connect to host
 piatanoua.md: did not receive HSTS header
 picallo.es: could not connect to host
 picardiascr.com: could not connect to host
-pickersurvey.org: could not connect to host
 pickr.co: could not connect to host
 picone.com.au: could not connect to host
 picotronic.biz: could not connect to host
-picsandtours.com: could not connect to host
+picotronic.de: did not receive HSTS header
+picsandtours.com: did not receive HSTS header
 picscare.co.uk: did not receive HSTS header
 picshare.nz: could not connect to host
-pidatacenters.com: did not receive HSTS header
+pidatacenters.com: could not connect to host
 pidomex.com: did not receive HSTS header
 piedfeed.com: did not receive HSTS header
 pieinsurance.com: did not receive HSTS header
@@ -12654,13 +13644,16 @@ pieperhome.de: did not receive HSTS header
 pierrejeansuau.fr: could not connect to host
 pieterjangeeroms.me: could not connect to host
 piggott.me.uk: did not receive HSTS header
+pigritia.de: could not connect to host
 piils.fr: did not receive HSTS header
 pikalongwar.com: did not receive HSTS header
+pikeitservices.com.au: did not receive HSTS header
 pikmy.com: could not connect to host
 pilgermaske.org: did not receive HSTS header
 piligrimname.com: could not connect to host
 pillowandpepper.com: did not receive HSTS header
 pilotcrowd.nl: did not receive HSTS header
+pimg136.com: could not connect to host
 pimpmymac.ru: did not receive HSTS header
 pimpmypaper.com: could not connect to host
 pims.global: did not receive HSTS header
@@ -12675,14 +13668,14 @@ pinkfis.ch: did not receive HSTS header
 pinkhq.com: did not receive HSTS header
 pinkinked.com: could not connect to host
 pinoylinux.org: did not receive HSTS header
-pinpointengineer.co.uk: could not connect to host
+pinscher.com.br: could not connect to host
 pintoselectrician.co.za: did not receive HSTS header
 pioche.ovh: did not receive HSTS header
 pippen.io: could not connect to host
 pips.rocks: could not connect to host
 pir9.com: did not receive HSTS header
 piranil.com: did not receive HSTS header
-pirata.ga: did not receive HSTS header
+pirata.ga: could not connect to host
 pirateahoy.eu: could not connect to host
 piratebay.ml: could not connect to host
 piratebit.tech: could not connect to host
@@ -12692,12 +13685,12 @@ piratelist.online: could not connect to host
 piratenlogin.de: could not connect to host
 piratepay.io: could not connect to host
 piratepay.ir: could not connect to host
-pirateproxy.pe: max-age too low: 0
+pirateproxy.pe: could not connect to host
 pirateproxy.sx: did not receive HSTS header
 pirateproxy.vip: could not connect to host
 pirati.cz: max-age too low: 604800
 piratte.net: did not receive HSTS header
-pirganj24.com: could not connect to host
+pirganj24.com: did not receive HSTS header
 pirlitu.com: did not receive HSTS header
 pisexy.me: did not receive HSTS header
 pisidia.de: could not connect to host
@@ -12718,34 +13711,38 @@ pixelpoint.io: did not receive HSTS header
 pixelrain.info: could not connect to host
 pixi.chat: could not connect to host
 pixi.me: did not receive HSTS header
+pixiv.rip: could not connect to host
+pixivimg.me: could not connect to host
 pizala.de: could not connect to host
+pizzacook.ch: did not receive HSTS header
 pizzadoc.ch: could not connect to host
-pj00100.com: could not connect to host
+pizzafunny.com.br: could not connect to host
+pizzamc.eu: could not connect to host
+pj00100.com: did not receive HSTS header
 pj00200.com: did not receive HSTS header
 pj00300.com: did not receive HSTS header
 pj00400.com: did not receive HSTS header
 pj00600.com: did not receive HSTS header
 pj00700.com: did not receive HSTS header
 pj00800.com: did not receive HSTS header
-pj009.com: did not receive HSTS header
+pj009.com: could not connect to host
 pj00900.com: did not receive HSTS header
 pj02.com: did not receive HSTS header
 pj83.duckdns.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 pj881988.com: could not connect to host
 pjbet.mg: could not connect to host
+pjili.com: did not receive HSTS header
 pjsec.tk: could not connect to host
 pkautodesign.com: did not receive HSTS header
-pkbjateng.or.id: could not connect to host
 pko.ch: did not receive HSTS header
 pkschat.com: could not connect to host
-pksps.com: could not connect to host
 plaasprodukte.com: could not connect to host
+placassinal.com.br: did not receive HSTS header
 placefade.com: could not connect to host
 placehold.co: did not receive HSTS header
 placollection.org: could not connect to host
 plaettliaktion.ch: did not receive HSTS header
 plagiarismcheck.org: max-age too low: 604800
-plaintech.net.au: could not connect to host
 plaintray.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 plakbak.nl: could not connect to host
 planbox.info: could not connect to host
@@ -12757,23 +13754,26 @@ planformation.com: did not receive HSTS header
 planktonholland.com: did not receive HSTS header
 planpharmacy.com: could not connect to host
 plant.ml: could not connect to host
-plantroon.com: did not receive HSTS header
+plantroon.com: could not connect to host
 plass.hamburg: could not connect to host
 plasti-pac.ch: did not receive HSTS header
-plasticsurgeryservices.com: did not receive HSTS header
+plasticsurgeryartist.com: max-age too low: 300
+plastiflex.it: could not connect to host
 plasvilledescartaveis.com.br: could not connect to host
 platform.lookout.com: could not connect to host
 platinumpeek.com: did not receive HSTS header
 platomania.eu: did not receive HSTS header
+plattner.club: could not connect to host
 play: could not connect to host
 play.google.com: did not receive HSTS header (error ignored - included regardless)
 playdreamcraft.com.br: did not receive HSTS header
 playerhunter.com: did not receive HSTS header
 playflick.com: could not connect to host
+playhappywheelsunblocked.com: could not connect to host
 playkh.com: did not receive HSTS header
 playkinder.com: did not receive HSTS header
 playmaker.io: did not receive HSTS header
-playmaza.live: did not receive HSTS header
+playmaza.live: could not connect to host
 playmfe.com: could not connect to host
 playsoundevents.be: could not connect to host
 playsource.co: could not connect to host
@@ -12783,13 +13783,14 @@ please-deny.me: could not connect to host
 pleaseuseansnisupportedbrowser.ml: could not connect to host
 pleasure.forsale: could not connect to host
 plen.io: could not connect to host
+plexi.dyndns.tv: could not connect to host
 plexpy13.ddns.net: could not connect to host
+plextv.de: did not receive HSTS header
 plexusmd.com: did not receive HSTS header
 plfgr.eu.org: could not connect to host
 plhdb.org: did not receive HSTS header
 plinc.co: could not connect to host
 plirt.ru: could not connect to host
-ploader.ru: max-age too low: 604800
 plogable.co: could not connect to host
 plomberierenga.com: max-age too low: 2592000
 plombirator.kz: did not receive HSTS header
@@ -12800,14 +13801,17 @@ plugboard.xyz: could not connect to host
 pluggedhead.com: did not receive HSTS header
 plumbingboksburg.co.za: did not receive HSTS header
 plumbingman.com.au: did not receive HSTS header
-plumplat.com: did not receive HSTS header
-plus-digital.net: did not receive HSTS header
+plumnet.ch: could not connect to host
+plus-digital.net: could not connect to host
 plus-u.com.au: did not receive HSTS header
 plus.sandbox.google.com: did not receive HSTS header (error ignored - included regardless)
+plus1s.site: could not connect to host
 plus1s.tk: could not connect to host
 plushev.com: did not receive HSTS header
 plussizereviews.com: could not connect to host
+plustech.id: did not receive HSTS header
 plut.org: did not receive HSTS header
+pluth.org: did not receive HSTS header
 plymouthglassgallery.com: did not receive HSTS header
 plymouthsoftplay.co.uk: could not connect to host
 pm13-media.cz: could not connect to host
@@ -12819,10 +13823,14 @@ pmemanager.fr: did not receive HSTS header
 pmessage.ch: could not connect to host
 pmheart.site: could not connect to host
 pmnts.io: could not connect to host
+pmponline.de: did not receive HSTS header
+pneumonline.be: did not receive HSTS header
 pneusgppremium.com.br: did not receive HSTS header
 pnukee.com: did not receive HSTS header
 po.gl: could not connect to host
+poc17.com: could not connect to host
 pocakdrops.com: did not receive HSTS header
+pocakking.tk: could not connect to host
 pocket-lint.com: did not receive HSTS header
 pocketfullofapps.com: did not receive HSTS header
 pocketmemories.net: could not connect to host
@@ -12842,18 +13850,19 @@ pointiswunderland.de: did not receive HSTS header
 pointpro.de: did not receive HSTS header
 points4unitedway.com: could not connect to host
 pointworksacademy.com: could not connect to host
+pokalsocial.de: could not connect to host
 pokeduel.me: did not receive HSTS header
 pokomichi.com: did not receive HSTS header
 pol-expo.ru: could not connect to host
 pol.in.th: could not connect to host
 polandb2b.directory: could not connect to host
-polar-baer.com: could not connect to host
 polarityschule.com: did not receive HSTS header
-pole.net.nz: did not receive HSTS header
+pole.net.nz: could not connect to host
 poleartschool.com: could not connect to host
 polen.guide: could not connect to host
 policeiwitness.sg: could not connect to host
 polimat.org: could not connect to host
+polish-translations.com: could not connect to host
 polish.directory: could not connect to host
 polit-it.pro: could not connect to host
 politeiaudesa.org: max-age too low: 2592000
@@ -12861,18 +13870,19 @@ politically-incorrect.xyz: could not connect to host
 politiewervingshop.nl: did not receive HSTS header
 politologos.org: could not connect to host
 pollpodium.nl: could not connect to host
+poloniex.co.za: did not receive HSTS header
 polsport.live: did not receive HSTS header
 polycoise.com: could not connect to host
 polycrypt.us: could not connect to host
+polyfill.io: did not receive HSTS header
+polymorph.rs: could not connect to host
 polypho.nyc: could not connect to host
 polysage.org: did not receive HSTS header
 polytechecosystem.vc: could not connect to host
 pomardaserra.com: could not connect to host
-pomfe.co: could not connect to host
 pompefunebrilariviera.it: could not connect to host
 pompompoes.com: could not connect to host
 pondof.fish: could not connect to host
-poneytelecom.org: could not connect to host
 ponteencima.com: could not connect to host
 ponteus.com: could not connect to host
 pontodogame.com.br: could not connect to host
@@ -12880,6 +13890,7 @@ pontokay.com.br: could not connect to host
 pontualcomp.com: could not connect to host
 pony.today: could not connect to host
 ponythread.com: did not receive HSTS header
+ponzi.life: could not connect to host
 poolinstallers.co.za: could not connect to host
 poolsandstuff.com: did not receive HSTS header
 poon.tech: could not connect to host
@@ -12892,10 +13903,12 @@ popkins.ml: did not receive HSTS header
 popkins.tk: could not connect to host
 popupsoftplay.com: could not connect to host
 poris.web.id: could not connect to host
+pormat.cl: did not receive HSTS header
 porn77.info: could not connect to host
 pornalpha.com: could not connect to host
 pornbay.org: could not connect to host
 pornblog.org: could not connect to host
+porncandi.com: could not connect to host
 pornimg.net: could not connect to host
 pornless.biz: could not connect to host
 pornmax.net: could not connect to host
@@ -12909,6 +13922,7 @@ pornstars.me: did not receive HSTS header
 pornteddy.com: could not connect to host
 pornultra.net: could not connect to host
 porschen.fr: could not connect to host
+port.im: did not receive HSTS header
 port.social: could not connect to host
 portalcarapicuiba.com: did not receive HSTS header
 portale-randkowe.pl: did not receive HSTS header
@@ -12920,12 +13934,11 @@ portalplatform.net: could not connect to host
 portaluniversalista.org: did not receive HSTS header
 portalveneza.com.br: did not receive HSTS header
 portalzine.de: did not receive HSTS header
-portefeuillesignalen.nl: did not receive HSTS header
+portefeuillesignalen.nl: could not connect to host
 portraitsystem.biz: did not receive HSTS header
 poshpak.com: max-age too low: 86400
 positivesobrietyinstitute.com: did not receive HSTS header
-post.we.bs: did not receive HSTS header
-post4me.at: could not connect to host
+posoiu.net: could not connect to host
 postback.io: did not receive HSTS header
 postcardpayment.com: could not connect to host
 postcodegarant.nl: could not connect to host
@@ -12937,6 +13950,7 @@ potatron.tech: could not connect to host
 potbar.com: could not connect to host
 potbox.com: could not connect to host
 potenzmittelblog.info: could not connect to host
+potenzprobleme-info.net: did not receive HSTS header
 potlytics.com: could not connect to host
 potomania.cz: could not connect to host
 potpourrifestival.de: did not receive HSTS header
@@ -12950,8 +13964,9 @@ pourout.org: did not receive HSTS header
 poussinooz.fr: could not connect to host
 povitria.net: could not connect to host
 powaclub.com: max-age too low: 86400
+power-coonies.de: could not connect to host
 power-l.ch: did not receive HSTS header
-power-of-interest.com: did not receive HSTS header
+power-of-interest.com: could not connect to host
 power99press.com: could not connect to host
 powerb.ch: did not receive HSTS header
 powerdent.net.br: could not connect to host
@@ -12960,6 +13975,7 @@ poweroff.win: could not connect to host
 powerplannerapp.com: could not connect to host
 powersergunited.com: could not connect to host
 powersergunited.org: could not connect to host
+powersergusercontent.com: could not connect to host
 powershellmagic.com: could not connect to host
 powershift.ne.jp: did not receive HSTS header
 powertothebuilder.com: could not connect to host
@@ -12972,17 +13988,18 @@ pozzitiv.ro: could not connect to host
 pozzo-balbi.com: did not receive HSTS header
 ppembed.com: did not receive HSTS header
 ppoou.co.uk: could not connect to host
-ppoozl.com: could not connect to host
 pppo.gov: could not connect to host
 ppr-truby.ru: could not connect to host
 ppsvcs2.com: did not receive HSTS header
 ppuu.org: did not receive HSTS header
 ppy3.com: did not receive HSTS header
 practodev.com: could not connect to host
+prajwalkoirala.com: could not connect to host
 pratinav.xyz: could not connect to host
 prattpokemon.com: could not connect to host
 praxis-research.info: could not connect to host
 prazeresdavida.com.br: could not connect to host
+prazynka.pl: did not receive HSTS header
 precedecaritas.com.br: could not connect to host
 precisionaeroimaging.com: did not receive HSTS header
 prediksisydney.com: could not connect to host
@@ -12991,9 +14008,8 @@ preezzie.com: could not connect to host
 prefis.com: did not receive HSTS header
 prefontaine.name: could not connect to host
 prego-shop.de: could not connect to host
+pregono.com: did not receive HSTS header
 preio.cn: could not connect to host
-preisser-it.de: did not receive HSTS header
-preisser.it: did not receive HSTS header
 prekladysanca.cz: could not connect to host
 prelist.org: did not receive HSTS header
 premaritalsex.info: could not connect to host
@@ -13004,11 +14020,12 @@ prepandgo-euro.com: could not connect to host
 preposted.com: could not connect to host
 preppertactics.com: did not receive HSTS header
 preprodfan.gov: could not connect to host
+presbee.com: could not connect to host
 prescriptionrex.com: did not receive HSTS header
 presentesdegrife.com.br: could not connect to host
 presidentials2016.com: could not connect to host
 press-anime-nenkan.com: did not receive HSTS header
-press-presse.ca: did not receive HSTS header
+press-presse.ca: max-age too low: 2592000
 pressakey.de: did not receive HSTS header
 pressenews.net: could not connect to host
 pressfreedomfoundation.org: did not receive HSTS header
@@ -13018,7 +14035,6 @@ prestonapp.com: could not connect to host
 prettygrouse.com: did not receive HSTS header
 prettyphotoart.de: did not receive HSTS header
 prettytunesapp.com: could not connect to host
-pretwolk.nl: could not connect to host
 pretzlaff.info: did not receive HSTS header
 preworkout.me: could not connect to host
 prgslab.net: could not connect to host
@@ -13030,13 +14046,13 @@ prilock.com: did not receive HSTS header
 primecaplending.com: could not connect to host
 primewho.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 primordialsnooze.com: could not connect to host
-primotiles.co.uk: did not receive HSTS header
-prinbanat.ngo: could not connect to host
-princeagency.com: could not connect to host
+primotiles.co.uk: could not connect to host
+primotilesandbathrooms.co.uk: max-age too low: 2592000
+prinbanat.ngo: did not receive HSTS header
+princeagency.com: did not receive HSTS header
 princessbackpack.de: could not connect to host
 princessmargaretlotto.com: did not receive HSTS header
-principalsexam.com: could not connect to host
-principalstest.ph: could not connect to host
+principalship.net: could not connect to host
 prinesdoma.at: did not receive HSTS header
 printerest.io: could not connect to host
 printersonline.be: did not receive HSTS header
@@ -13048,9 +14064,9 @@ pristineevents.co.uk: did not receive HSTS header
 pritchett.xyz: could not connect to host
 privacylabs.io: did not receive HSTS header
 privacymanatee.com: could not connect to host
-privacynow.eu: did not receive HSTS header
 privacyrup.net: could not connect to host
 privategiant.com: could not connect to host
+privatepokertour.com: could not connect to host
 privatstunden.express: could not connect to host
 privcloud.cc: could not connect to host
 privcloud.org: could not connect to host
@@ -13060,25 +14076,30 @@ privytime.com: could not connect to host
 prmte.com: did not receive HSTS header
 prnt.li: did not receive HSTS header
 pro-esb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-pro-esb.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+pro-esb.net: could not connect to host
 pro-image.de: did not receive HSTS header
 pro-zone.com: could not connect to host
 proact-it.co.uk: could not connect to host
 proactive.run: could not connect to host
 procens.us: could not connect to host
+proclubs.news: did not receive HSTS header
 procode.gq: could not connect to host
 procrastinatingengineer.co.uk: could not connect to host
+prodottogiusto.com: could not connect to host
 prodpad.com: did not receive HSTS header
 produccioneskm.cl: did not receive HSTS header
 productgap.com: did not receive HSTS header
 productived.net: did not receive HSTS header
 producto8.com: did not receive HSTS header
+productoinnovador.com: did not receive HSTS header
+produkttest-online.com: did not receive HSTS header
 proesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-proesb.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+proesb.net: could not connect to host
 profi-durchgangsmelder.de: did not receive HSTS header
 profinetz.de: could not connect to host
 profivps.com: could not connect to host
 profloorstl.com: did not receive HSTS header
+proformer.io: could not connect to host
 profpay.com: could not connect to host
 profundr.com: could not connect to host
 profusion.io: could not connect to host
@@ -13089,11 +14110,12 @@ programmingstudent.com: could not connect to host
 progress-technologies.com: could not connect to host
 progressivecfo.co.nz: could not connect to host
 prohostonline.fi: could not connect to host
+proimpact.it: did not receive HSTS header
 proitconsulting.com.au: could not connect to host
 proj.org.cn: could not connect to host
 project-rune.tech: could not connect to host
 project-sparks.eu: did not receive HSTS header
-project-splash.com: max-age too low: 0
+project-splash.com: could not connect to host
 project-stats.com: could not connect to host
 projectascension.io: could not connect to host
 projectasterk.com: could not connect to host
@@ -13101,16 +14123,15 @@ projectcastle.tech: did not receive HSTS header
 projectdp.net: could not connect to host
 projectherogames.xyz: could not connect to host
 projectl1b1t1na.tk: could not connect to host
-projectmercury.space: could not connect to host
+projectmercury.space: did not receive HSTS header
 projectte.ch: could not connect to host
 projectvault.ovh: did not receive HSTS header
 projectx.top: could not connect to host
 projekt-umbriel.de: could not connect to host
 projektik.cz: did not receive HSTS header
-projektzentrisch.de: could not connect to host
 projetoresecia.com: could not connect to host
 prok.pw: did not receive HSTS header
-prokop.ovh: could not connect to host
+prokop.ovh: did not receive HSTS header
 promarketer.net: did not receive HSTS header
 promecon-gmbh.de: did not receive HSTS header
 promedicalapplications.com: did not receive HSTS header
@@ -13122,24 +14143,26 @@ pronostic-king.fr: could not connect to host
 prontocleaners.co.uk: could not connect to host
 prontolight.com: did not receive HSTS header
 prontomovers.co.uk: could not connect to host
+proobec.cz: did not receive HSTS header
 propactrading.com: could not connect to host
 propagandism.org: did not receive HSTS header
+propepper.net: did not receive HSTS header
 propershave.com: could not connect to host
+prophiler.de: did not receive HSTS header
 proplan.co.il: did not receive HSTS header
 propmag.co: could not connect to host
 prosenseit.com: did not receive HSTS header
+prosharp.com.au: could not connect to host
 proslimdiets.com: could not connect to host
 prosocialmachines.com: could not connect to host
-prosoft.sk: did not receive HSTS header
 prosperident.com: did not receive HSTS header
 prostohobby.ru: could not connect to host
 prostoporno.net: could not connect to host
+prostoporno.sexy: could not connect to host
 proteapower.co.za: could not connect to host
 protecciondelconsumidor.gov: did not receive HSTS header
 proteinnuts.cz: could not connect to host
-proteinnuts.sk: could not connect to host
 protonmail.ch: did not receive HSTS header
-protoyou.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 provisionaldriving.com: did not receive HSTS header
 provisionircd.tk: did not receive HSTS header
 provitacare.com: did not receive HSTS header
@@ -13149,7 +14172,7 @@ proxbox.net: did not receive HSTS header
 proxi.cf: could not connect to host
 proximato.com: could not connect to host
 proxybay.al: could not connect to host
-proxybay.club: max-age too low: 0
+proxybay.club: did not receive HSTS header
 proxybay.info: did not receive HSTS header
 proxybay.top: could not connect to host
 proxydesk.eu: could not connect to host
@@ -13160,13 +14183,14 @@ proxyportal.net: could not connect to host
 proxyportal.org: did not receive HSTS header
 proxyrox.com: could not connect to host
 proxyweb.us: did not receive HSTS header
+proyecto13.com: did not receive HSTS header
 proymaganadera.com: did not receive HSTS header
+prpr.cloud: could not connect to host
 prpsss.com: could not connect to host
 prstatic.com: could not connect to host
 pruikshop.nl: could not connect to host
 prxio.date: could not connect to host
 prxio.site: could not connect to host
-prytkov.com: could not connect to host
 ps-qa.com: could not connect to host
 ps-x.ru: could not connect to host
 pscleaningsolutions.co.uk: could not connect to host
@@ -13183,13 +14207,14 @@ pstrozniak.com: could not connect to host
 pstudio.me: max-age too low: 0
 psw.academy: could not connect to host
 psw.consulting: could not connect to host
-psychiatrie-betreuung.ch: did not receive HSTS header
+psxtr.com: could not connect to host
+psychiatrie-betreuung.ch: could not connect to host
+psychologie-hofner.at: could not connect to host
 psynapse.net.au: could not connect to host
 ptn.moscow: could not connect to host
 ptonet.com: could not connect to host
 ptrujillo.com: did not receive HSTS header
 pub-online.ro: could not connect to host
-pubi.me: could not connect to host
 pubkey.is: could not connect to host
 publications.qld.gov.au: did not receive HSTS header
 publicidadnovagrass.com.mx: could not connect to host
@@ -13203,8 +14228,10 @@ puetter.eu: could not connect to host
 pugilares.com.pl: could not connect to host
 pugliese.fr: could not connect to host
 puhe.se: could not connect to host
-puikheid.nl: could not connect to host
+puhka.me: could not connect to host
+puikheid.nl: did not receive HSTS header
 puiterwijk.org: could not connect to host
+puli.com.br: could not connect to host
 pulledporkheaven.com: could not connect to host
 pulsar.guru: did not receive HSTS header
 pulsedursley.co.uk: did not receive HSTS header
@@ -13212,22 +14239,22 @@ pult.co: could not connect to host
 pumpgames.net: could not connect to host
 punchkickinteractive.com: did not receive HSTS header
 punchr-kamikazee.rhcloud.com: could not connect to host
-punchunique.com: did not receive HSTS header
 punkdns.top: could not connect to host
 puppydns.com: did not receive HSTS header
 purahealthyliving.com: did not receive HSTS header
 purbd.com: did not receive HSTS header
 pureessentialoil.biz: max-age too low: 300
 pureholisticliving.me: could not connect to host
+purelunch.co.uk: could not connect to host
 purewebmasters.com: could not connect to host
 purikore.com: could not connect to host
 purplehippie.in: did not receive HSTS header
+purplez.pw: did not receive HSTS header
 purpoz.com.br: could not connect to host
 purpspc.com: could not connect to host
-purrfectcams.com: did not receive HSTS header
-purrfectswingers.com: did not receive HSTS header
 push.world: did not receive HSTS header
 pushapp.org: did not receive HSTS header
+pushphp.com: could not connect to host
 pushstar.com: max-age too low: 0
 puzz.gg: could not connect to host
 pvagner.tk: did not receive HSTS header
@@ -13235,8 +14262,9 @@ pwd.ovh: could not connect to host
 pwfrance.com: could not connect to host
 pwi.agency: did not receive HSTS header
 pwm.jp: could not connect to host
-pwnsdx.pw: could not connect to host
+pwnsdx.pw: did not receive HSTS header
 pwntr.com: could not connect to host
+pwt.pw: could not connect to host
 pxio.de: did not receive HSTS header
 pyjiaoyi.cf: could not connect to host
 pyol.org: could not connect to host
@@ -13255,13 +14283,11 @@ q2.si: did not receive HSTS header
 q8mp3.me: did not receive HSTS header
 qadmium.tk: could not connect to host
 qamrulhaque.com: could not connect to host
-qaz.cloud: did not receive HSTS header
+qapital.com: did not receive HSTS header
 qazcloud.com: could not connect to host
-qbeing.info: could not connect to host
 qbik.de: did not receive HSTS header
 qbin.io: did not receive HSTS header
 qbnt.ca: could not connect to host
-qbus.pl: could not connect to host
 qccqld.org.au: did not receive HSTS header
 qe2homelottery.com: did not receive HSTS header
 qensio.com: did not receive HSTS header
@@ -13279,6 +14305,7 @@ qirinus.com: did not receive HSTS header
 qiuxian.ddns.net: could not connect to host
 qixxit.de: did not receive HSTS header
 qkka.org: did not receive HSTS header
+qkzy.net: did not receive HSTS header
 qldconservation.org: could not connect to host
 qnatek.org: could not connect to host
 qonqa.de: did not receive HSTS header
@@ -13288,7 +14315,6 @@ qoqo.us: did not receive HSTS header
 qorm.co.uk: could not connect to host
 qqj.net: could not connect to host
 qqq.gg: could not connect to host
-qqrss.com: could not connect to host
 qqvips.com: could not connect to host
 qqvrsmart.cn: could not connect to host
 qrara.net: did not receive HSTS header
@@ -13297,18 +14323,18 @@ qrforex.com: did not receive HSTS header
 qrlending.com: could not connect to host
 qrlfinancial.com: could not connect to host
 qswoo.org: could not connect to host
-qto.com: could not connect to host
-qto.net: could not connect to host
+qtap.me: could not connect to host
 qto.org: could not connect to host
-quaedam.org: could not connect to host
+quaedam.org: did not receive HSTS header
 quail.solutions: could not connect to host
 quakerlens.com: did not receive HSTS header
 quality1.com.br: did not receive HSTS header
 qualityology.com: did not receive HSTS header
 quanglepro.com: could not connect to host
 quangngaimedia.com: did not receive HSTS header
-quanjinlong.cn: could not connect to host
+quanjinlong.cn: did not receive HSTS header
 quantacloud.ch: could not connect to host
+quantaloupe.tech: could not connect to host
 quantenteranik.eu: could not connect to host
 quantor.dk: did not receive HSTS header
 quantum-cloud.xyz: could not connect to host
@@ -13317,19 +14343,21 @@ quantum-lviv.pp.ua: could not connect to host
 quantumcore.cn: could not connect to host
 quantumcourse.org: did not receive HSTS header
 quanwuji.com: could not connect to host
-quanyin.eu.org: could not connect to host
+quanyin.eu.org: did not receive HSTS header
 quarryhillrentals.com: did not receive HSTS header
 quarus.net: could not connect to host
 quebecmailbox.com: could not connect to host
 queenbrownie.com.br: could not connect to host
 queenshaflo.com: could not connect to host
+queercinema.ch: could not connect to host
 quelmandataire.fr: did not receive HSTS header
-querkommentar.de: could not connect to host
+querkommentar.de: did not receive HSTS header
 queroreceitasoberana.com.br: did not receive HSTS header
 queryplayground.com: could not connect to host
 questionable.host: could not connect to host
 questions-admin.com: did not receive HSTS header
 questionyu.com: did not receive HSTS header
+questoj.cn: did not receive HSTS header
 questsandrewards.com: could not connect to host
 quic.fr: did not receive HSTS header
 quickandroid.tools: could not connect to host
@@ -13337,6 +14365,7 @@ quickpayservice.com: could not connect to host
 quietus.gq: could not connect to host
 quikrmovies.to: could not connect to host
 quikstorhawaii.com: max-age too low: 300
+quilmo.com: could not connect to host
 quimsertek.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 quizionic.com: could not connect to host
 quizl.io: did not receive HSTS header
@@ -13344,17 +14373,19 @@ quizmemes.org: could not connect to host
 quotehex.com: could not connect to host
 quotemaster.co.za: could not connect to host
 quranserver.net: could not connect to host
-qwallet.ca: did not receive HSTS header
+qwallet.ca: could not connect to host
 qwaser.fr: could not connect to host
 qweepi.de: could not connect to host
 qwertyatom100.me: could not connect to host
 qwilink.me: did not receive HSTS header
 qybot.cc: did not receive HSTS header
-r-ay.club: did not receive HSTS header
+r-ay.club: could not connect to host
 r-core.org: could not connect to host
 r-core.ru: could not connect to host
 r-cut.fr: could not connect to host
 r-rickroll-u.pw: could not connect to host
+r0t.co: could not connect to host
+r0uzic.net: did not receive HSTS header
 r10n.com: did not receive HSTS header
 r15.me: did not receive HSTS header
 r18.moe: could not connect to host
@@ -13362,16 +14393,26 @@ raajheshkannaa.com: could not connect to host
 rabbitvcactus.eu: did not receive HSTS header
 rabota-x.ru: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 racasdecachorro.org: could not connect to host
+racdek.net: max-age too low: 2628000
+racdek.nl: max-age too low: 2628000
+rachaelrussell.com: did not receive HSTS header
 rackblue.com: could not connect to host
 racktear.com: did not receive HSTS header
 raconteur.net: did not receive HSTS header
 rad-route.de: could not connect to host
-raddavarden.nu: could not connect to host
+rada-group.eu: could not connect to host
+radarnext.com: could not connect to host
+raddavarden.nu: did not receive HSTS header
 radicaleducation.net: could not connect to host
+radioactivenetwork.xyz: could not connect to host
 radioafibra.com.br: could not connect to host
-radiocomsaocarlos.com.br: could not connect to host
+radionicabg.com: could not connect to host
+radior9.it: could not connect to host
+radom-pack.pl: could not connect to host
 radtke.bayern: did not receive HSTS header
 rafaelcz.de: could not connect to host
+raft.pub: could not connect to host
+raghavdua.in: could not connect to host
 ragingserenity.com: did not receive HSTS header
 ragnaroktop.com.br: could not connect to host
 rahadiana.com: could not connect to host
@@ -13380,17 +14421,12 @@ rai-co.net: did not receive HSTS header
 raiblockscommunity.net: could not connect to host
 raidstone.com: could not connect to host
 raidstone.rocks: could not connect to host
-raiffeisen-kosovo.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 railjob.cn: could not connect to host
 railyardurgentcare.com: did not receive HSTS header
 rainbin.com: could not connect to host
 rainbowbarracuda.com: could not connect to host
-raipet.no-ip.biz: could not connect to host
-raisecorp.com: could not connect to host
 raitza.de: could not connect to host
 rakugaki.cn: could not connect to host
-ralfs-zusizone.de: could not connect to host
-ramarka.de: could not connect to host
 ramatola.uk: could not connect to host
 rambii.de: could not connect to host
 ramblingrf.tech: could not connect to host
@@ -13409,19 +14445,24 @@ rannseier.org: did not receive HSTS header
 ranos.org: could not connect to host
 rantanda.com: could not connect to host
 rany.duckdns.org: could not connect to host
-rany.io: could not connect to host
+rany.io: did not receive HSTS header
 rany.pw: could not connect to host
+ranyeh.co: could not connect to host
+rapdogg.com: could not connect to host
+raphaelmoura.ddns.net: could not connect to host
 rapidemobile.com: did not receive HSTS header
 rapidflow.io: could not connect to host
 rapido.nu: could not connect to host
 rapidresearch.me: could not connect to host
 rapidthunder.io: could not connect to host
-rasing.me: could not connect to host
+rasebo.ro: could not connect to host
+rasing.me: max-age too low: 43200
 raspass.me: did not receive HSTS header
 raspberry.us: could not connect to host
 raspberryultradrops.com: did not receive HSTS header
+raspitec.ddns.net: could not connect to host
 rastreador.com.es: did not receive HSTS header
-rastreie.net: did not receive HSTS header
+rastreie.net: could not connect to host
 ratajczak.fr: could not connect to host
 rate-esport.de: could not connect to host
 rathorian.fr: could not connect to host
@@ -13429,39 +14470,46 @@ rationem.nl: did not receive HSTS header
 ratuseks.com: could not connect to host
 ratuseks.net: could not connect to host
 ratuseks.us: could not connect to host
+rauchenwald.net: could not connect to host
 raucris.ro: could not connect to host
 raulfraile.net: could not connect to host
-rautermods.net: could not connect to host
+rautermods.net: did not receive HSTS header
 ravage.fm: did not receive HSTS header
 raven.lipetsk.ru: could not connect to host
 ravengergaming.ga: could not connect to host
 ravengergaming.net: could not connect to host
 ravenx.me: could not connect to host
+raviparekh.co.uk: could not connect to host
 ravse.dk: could not connect to host
 raw-diets.com: could not connect to host
 rawet.se: could not connect to host
 rawoil.com: could not connect to host
 rawr.sexy: could not connect to host
 rawstorieslondon.com: could not connect to host
+rayanitco.com: did not receive HSTS header
 raycarruthersphotography.co.uk: could not connect to host
 raydan.space: could not connect to host
 raydobe.me: could not connect to host
+raymondelooff.nl: did not receive HSTS header
 raytron.org: could not connect to host
 raywin168.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 raywin168.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 raywin88.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-razberry.kr: could not connect to host
 razlaw.name: did not receive HSTS header
 razzolini.com.br: could not connect to host
 rb-china.net: could not connect to host
+rbcservicehub-uat.azurewebsites.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 rbhighinc.org: could not connect to host
+rbmafrica.co.za: could not connect to host
 rbose.org: could not connect to host
 rbqcloud.com: could not connect to host
 rbti.me: could not connect to host
 rbtvshitstorm.is: did not receive HSTS header
+rburchell.com: did not receive HSTS header
 rbxcatalog.com: could not connect to host
 rc4.io: could not connect to host
 rc7.ch: could not connect to host
+rca.ink: could not connect to host
 rcafox.com: could not connect to host
 rcoliveira.com: could not connect to host
 rcorporation.be: did not receive HSTS header
@@ -13472,11 +14520,13 @@ rcx.io: could not connect to host
 rdfz.tech: could not connect to host
 rdns.im: did not receive HSTS header
 rdplumbingsolutions.com.au: did not receive HSTS header
+rdxsattamatka.mobi: could not connect to host
 rdyrda.fr: could not connect to host
 re-customer.net: could not connect to host
 re-wilding.com: could not connect to host
 reachr.com: could not connect to host
 reactdatepicker.com: did not receive HSTS header
+reactions.ai: could not connect to host
 reactor92.com: could not connect to host
 reader.ga: could not connect to host
 readify.com.au: did not receive HSTS header
@@ -13508,19 +14558,21 @@ reaper.rip: could not connect to host
 reardenporn.com: could not connect to host
 rebekaesgabor.online: could not connect to host
 rebootmc.com: could not connect to host
+rebtoor.com: could not connect to host
 receitas-de-bolos.pt: could not connect to host
 receitasdebacalhau.pt: could not connect to host
-recetasdecocinaideal.com: did not receive HSTS header
+receptionsbook.com: could not connect to host
 recetasfacilesdehacer.com: did not receive HSTS header
 rechat.com: did not receive HSTS header
 rechenwerk.net: could not connect to host
 recht-freundlich.de: did not receive HSTS header
 rechtenliteratuurleiden.nl: could not connect to host
-recompiled.org: max-age too low: 7776000
+reclamebureau-ultrax.nl: did not receive HSTS header
 recreation.gov: did not receive HSTS header
 recruitsecuritytraining.co.uk: could not connect to host
 recruitsecuritytraining.com: could not connect to host
 rectoraudiparts.com: could not connect to host
+red-trigger.net: did not receive HSTS header
 redair.es: could not connect to host
 redar.xyz: could not connect to host
 redburn.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -13529,11 +14581,15 @@ reddiseals.com: [Exception... "Component returned failure code: 0x80004005 (NS_E
 reddit.com: did not receive HSTS header
 rede.ca: did not receive HSTS header
 redeemingbeautyminerals.com: max-age too low: 0
+redespaulista.com: did not receive HSTS header
+redheeler.com.br: could not connect to host
 redhorsemountainranch.com: did not receive HSTS header
 redicabo.de: could not connect to host
+redigest.it: max-age too low: 0
 redirectman.com: could not connect to host
 redizoo.com: did not receive HSTS header
 redlatam.org: did not receive HSTS header
+redletter.link: could not connect to host
 redmbk.com: did not receive HSTS header
 redneck-gaming.de: did not receive HSTS header
 redner.cc: did not receive HSTS header
@@ -13544,6 +14600,7 @@ redperegrine.com: did not receive HSTS header
 redporno.cz: could not connect to host
 redports.org: could not connect to host
 redra.ws: did not receive HSTS header
+redsquirrelcampsite.co.uk: max-age too low: 5184000
 redstarsurf.com: did not receive HSTS header
 reducerin.ro: did not receive HSTS header
 redy.host: did not receive HSTS header
@@ -13572,10 +14629,10 @@ regionalcoalition.org: did not receive HSTS header
 regionale.org: did not receive HSTS header
 register.gov.uk: did not receive HSTS header
 registertovoteflorida.gov: did not receive HSTS header
-registryplus.nl: did not receive HSTS header
 regoul.com: did not receive HSTS header
 regsec.com: could not connect to host
 rehabthailand.nl: could not connect to host
+reher.pro: could not connect to host
 rei.codes: did not receive HSTS header
 reic.me: could not connect to host
 reidascuecas.com.br: could not connect to host
@@ -13585,8 +14642,9 @@ reinaertvandecruys.com: could not connect to host
 reinaertvandecruys.me: could not connect to host
 reineberthe.ch: could not connect to host
 reinoldus.ddns.net: could not connect to host
+reisenbauer.ee: could not connect to host
 reismil.ch: could not connect to host
-reisyukaku.org: could not connect to host
+reisyukaku.org: did not receive HSTS header
 reithguard-it.de: did not receive HSTS header
 rejo.in: could not connect to host
 rejushiiplotter.ru: could not connect to host
@@ -13602,7 +14660,7 @@ rem.pe: did not receive HSTS header
 rema.site: did not receive HSTS header
 remain.london: could not connect to host
 remedica.fr: could not connect to host
-remedioskaseros.com: did not receive HSTS header
+remedioscaserosparalacistitis.com: did not receive HSTS header
 remedium.de: could not connect to host
 remedyrehab.com: did not receive HSTS header
 rememberthis.co.za: could not connect to host
@@ -13612,21 +14670,27 @@ remonttitekniikka.fi: could not connect to host
 remotestance.com: did not receive HSTS header
 rencaijia.com: did not receive HSTS header
 rencontres-erotiques.com: did not receive HSTS header
-reneclemens.nl: max-age too low: 300
+rene-guitton.fr: did not receive HSTS header
+reneclemens.nl: max-age too low: 2628000
+renedekoeijer.nl: max-age too low: 2628000
 rengarenkblog.com: could not connect to host
 renideo.fr: could not connect to host
 renkhosting.com: could not connect to host
 renlong.org: did not receive HSTS header
 rennfire.org: could not connect to host
 renrenss.com: could not connect to host
-rent-a-c.io: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+renscreations.com: could not connect to host
 rentacarcluj.xyz: did not receive HSTS header
 rentalmed.com.br: did not receive HSTS header
+rentasweb.gob.ar: did not receive HSTS header
 rentbrowser.com: could not connect to host
 rentbrowsertrain.me: could not connect to host
 rentcarassist.com: could not connect to host
 renteater.com: could not connect to host
 rentex.com: did not receive HSTS header
+reo.gov: could not connect to host
+reorz.com: could not connect to host
+reparo.pe: did not receive HSTS header
 repex.co.il: could not connect to host
 replaceits.me: could not connect to host
 replacemychina.com: could not connect to host
@@ -13643,14 +14707,15 @@ reporturi.io: did not receive HSTS header
 reporturl.com: did not receive HSTS header
 reporturl.io: did not receive HSTS header
 reposaarenkuva.fi: could not connect to host
-reprolife.co.uk: did not receive HSTS header
+reprolife.co.uk: could not connect to host
 reptilauksjonen.no: could not connect to host
 republicmo.gov: could not connect to host
 repustate.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 reqognize.com: could not connect to host
+reqrut.net: could not connect to host
 request-trent.com: could not connect to host
-res-rheingau.de: did not receive HSTS header
-res42.com: could not connect to host
+res-rheingau.de: could not connect to host
+res42.com: did not receive HSTS header
 resc.la: could not connect to host
 research.md: could not connect to host
 reseponline.info: did not receive HSTS header
@@ -13667,13 +14732,18 @@ restaurantemiperu.com: did not receive HSTS header
 restaurantesimonetti.com.br: could not connect to host
 restaurantmangal.ch: could not connect to host
 restchart.com: did not receive HSTS header
+rester-a-domicile.ch: could not connect to host
+rester-autonome-chez-soi.ch: could not connect to host
 restioson.me: could not connect to host
-restopro.nyc: did not receive HSTS header
+restopro.nyc: could not connect to host
 restoreresearchstudy.com: could not connect to host
 resultsdate.news: could not connect to host
+retcor.net: could not connect to host
+retetop95.it: did not receive HSTS header
 reth.ch: could not connect to host
 retireyourpassword.org: did not receive HSTS header
 retogroup.com: could not connect to host
+retronet.nl: could not connect to host
 retropage.co: did not receive HSTS header
 retrowave.eu: could not connect to host
 rets.org.br: did not receive HSTS header
@@ -13685,7 +14755,8 @@ revealdata.com: did not receive HSTS header
 revelaciones.tv: could not connect to host
 revello.org: did not receive HSTS header
 reverie.pw: could not connect to host
-review.info: did not receive HSTS header
+reverse.design: could not connect to host
+review.info: could not connect to host
 reviewbestseller.com: did not receive HSTS header
 reviewjust.com: did not receive HSTS header
 reviewspedia.org: did not receive HSTS header
@@ -13699,57 +14770,61 @@ reykjavik.guide: could not connect to host
 rezun.cloud: did not receive HSTS header
 rf.tn: could not connect to host
 rfeif.org: could not connect to host
+rfxanalyst.com: could not connect to host
 rgservers.com: did not receive HSTS header
 rhapsodhy.hu: could not connect to host
 rhdigital.pro: could not connect to host
+rheinturm.nrw: could not connect to host
 rhering.de: could not connect to host
 rhetthenckel.com: max-age too low: 0
-rhiskiapril.com: did not receive HSTS header
+rheuma-online.de: could not connect to host
+rhiskiapril.com: could not connect to host
+rhnet.at: could not connect to host
 rhodes.ml: could not connect to host
 rhodesianridgeback.com.br: could not connect to host
 rhodosdreef.nl: could not connect to host
-riaucybersolution.net: did not receive HSTS header
 ribopierre.fr: could not connect to host
 riceglue.com: could not connect to host
-richamorindonesia.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+richamorindonesia.com: did not receive HSTS header
 richardb.me: could not connect to host
 richardcrosby.co.uk: did not receive HSTS header
-richardhicks.us: could not connect to host
 richeza.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 richie.link: did not receive HSTS header
 richiemail.net: could not connect to host
 richmondsunlight.com: did not receive HSTS header
 richmtdriver.com: could not connect to host
+richonrails.com: did not receive HSTS header
 richsiciliano.com: did not receive HSTS header
 richterphilipp.com: could not connect to host
 rickmartensen.nl: did not receive HSTS header
 ricknox.com: did not receive HSTS header
 ricky.capital: did not receive HSTS header
 rid-wan.com: could not connect to host
+ride-up.com: did not receive HSTS header
 rideaudiscount.com: did not receive HSTS header
 rideforwade.com: could not connect to host
 rideforwade.net: could not connect to host
 rideforwade.org: could not connect to host
 rideworks.com: could not connect to host
 ridingoklahoma.com: could not connect to host
-ridwan.co: could not connect to host
 rienasemettre.fr: did not receive HSTS header
 riesenmagnete.de: could not connect to host
 riester.pl: did not receive HSTS header
-rievo.net: did not receive HSTS header
 right-to-love.name: did not receive HSTS header
 right2.org: could not connect to host
+rightcapital.com: did not receive HSTS header
 righteousendeavour.com: could not connect to host
 righttoknow.ie: did not receive HSTS header
 rijndael.xyz: could not connect to host
 rijnmondeg.nl: did not receive HSTS header
 rika.me: could not connect to host
+rimediogiusto.com: could not connect to host
 rincon-nsn.gov: could not connect to host
 ring0.xyz: did not receive HSTS header
 ringh.am: could not connect to host
 rinj.se: did not receive HSTS header
 rionewyork.com.br: could not connect to host
-ripa.io: did not receive HSTS header
+ripa.io: could not connect to host
 ripple.com: did not receive HSTS header
 rippleunion.com: could not connect to host
 risi-china.com: could not connect to host
@@ -13757,7 +14832,7 @@ risingsun.red: could not connect to host
 riskmgt.com.au: could not connect to host
 rissato.com.br: could not connect to host
 ristorantefattoamano.eu: could not connect to host
-rithm.ch: could not connect to host
+rithm.ch: did not receive HSTS header
 rittis.ru: did not receive HSTS header
 rivagecare.it: did not receive HSTS header
 rivercruiseadvisor.com: did not receive HSTS header
@@ -13777,73 +14852,83 @@ rme.li: did not receive HSTS header
 rmit.me: could not connect to host
 rmk.si: could not connect to host
 rmsides.com: did not receive HSTS header
-rmstudio.tw: could not connect to host
+rn29.me: could not connect to host
+rnbjunk.com: did not receive HSTS header
 roadfeast.com: could not connect to host
 roan24.pl: did not receive HSTS header
+roave.com: could not connect to host
 rob.uk.com: did not receive HSTS header
 robertabittle.com: could not connect to host
+robertg.me: did not receive HSTS header
+robertglastra.com: could not connect to host
 roberto-webhosting.nl: could not connect to host
 robertocasares.no-ip.biz: could not connect to host
 robi-net.it: could not connect to host
-robinvdmarkt.nl: could not connect to host
+robin-novotny.com: could not connect to host
+robinadr.com: did not receive HSTS header
 robomonkey.org: could not connect to host
+robtatemusic.com: could not connect to host
 robteix.com: did not receive HSTS header
-robtex.com: did not receive HSTS header
 robtex.net: did not receive HSTS header
 robtex.org: did not receive HSTS header
 robust.ga: could not connect to host
 roc.net.au: could not connect to host
 rochman.id: did not receive HSTS header
-rocket-wars.de: did not receive HSTS header
+rockcellar.ch: could not connect to host
+rocketgnomes.com: could not connect to host
 rocketnet.ml: could not connect to host
 rockeyscrivo.com: did not receive HSTS header
 rocksberg.net: could not connect to host
 rockz.io: did not receive HSTS header
 rodarion.pl: could not connect to host
 rodehutskors.net: could not connect to host
-rodinneodpoledne2018.cz: did not receive HSTS header
 rodney.id.au: did not receive HSTS header
 rodneybrooksjr.com: did not receive HSTS header
 rodosto.com: did not receive HSTS header
-rody-design.com: could not connect to host
 roelbazuin.com: did not receive HSTS header
 roelf.org: did not receive HSTS header
+roeljoyas.com: did not receive HSTS header
 roeper.party: could not connect to host
 roesemann.email: could not connect to host
 roffe.nu: did not receive HSTS header
+roflcopter.fr: did not receive HSTS header
 rofrank.space: could not connect to host
 rogeiro.net: could not connect to host
-roger101.com: could not connect to host
+roger101.com: did not receive HSTS header
 rogerdat.ovh: could not connect to host
-roguefortgame.com: could not connect to host
+roguesignal.net: could not connect to host
 rohanbassett.com: could not connect to host
 rohankrishnadev.in: could not connect to host
 rohlik.cz: did not receive HSTS header
 roiscroll.com: did not receive HSTS header
 roketix.co.uk: did not receive HSTS header
+roksolana.be: could not connect to host
 rolandkolodziej.com: max-age too low: 86400
 rolandslate.com: did not receive HSTS header
 rolemaster.net: could not connect to host
 rolroer.co.za: could not connect to host
 romaimperator.com: did not receive HSTS header
+romainmuller.xyz: did not receive HSTS header
 romans-place.me.uk: could not connect to host
-romantic-quotes.co.uk: could not connect to host
+romantic-quotes.co.uk: did not receive HSTS header
 romanticschemermovie.com: could not connect to host
 romeoferraris.com: did not receive HSTS header
 romleg.cf: could not connect to host
 roms.fun: could not connect to host
 romulusapp.com: could not connect to host
 ron2k.za.net: could not connect to host
+ronanrbr.com: did not receive HSTS header
 rondoniatec.com.br: did not receive HSTS header
 rondreis-planner.nl: could not connect to host
 ronghexx.com: could not connect to host
 ronvandordt.info: did not receive HSTS header
 ronwo.de: max-age too low: 1
+ronzertnert.xyz: could not connect to host
 roo.ie: did not receive HSTS header
 rool.me: did not receive HSTS header
 roolevoi.ru: could not connect to host
 room-checkin24.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-roosteroriginals.com: could not connect to host
+roomongo.com: did not receive HSTS header
 roosterpgplus.nl: did not receive HSTS header
 rootbsd.at: could not connect to host
 rootforum.org: did not receive HSTS header
@@ -13853,14 +14938,16 @@ rootwpn.com: could not connect to host
 rop.io: did not receive HSTS header
 roquecenter.org: did not receive HSTS header
 roromendut.online: could not connect to host
-rorymcdaniel.com: did not receive HSTS header
+rorymcdaniel.com: could not connect to host
+roseofyork.com: did not receive HSTS header
 rosetiger.life: could not connect to host
-rosevillefacialplasticsurgery.com: did not receive HSTS header
 rosewoodranch.com: did not receive HSTS header
+roshiya.co.in: could not connect to host
 rosi-royal.com: could not connect to host
 rospa100.com: did not receive HSTS header
 rossclark.com: did not receive HSTS header
 rossen.be: did not receive HSTS header
+rossfrancis.co.uk: did not receive HSTS header
 rossiworld.com: did not receive HSTS header
 rosslug.org.uk: could not connect to host
 rotex1840.de: did not receive HSTS header
@@ -13875,11 +14962,50 @@ rous.se: could not connect to host
 rouvray.org: could not connect to host
 royal-forest.org: max-age too low: 0
 royal-mangal.ch: could not connect to host
+royal806.com: did not receive HSTS header
+royal810.com: could not connect to host
+royal811.com: could not connect to host
+royal816.com: could not connect to host
+royal817.com: could not connect to host
+royal830.com: could not connect to host
+royal833.com: did not receive HSTS header
+royal851.com: could not connect to host
+royal852.com: did not receive HSTS header
+royal855.com: could not connect to host
+royal856.com: did not receive HSTS header
+royal857.com: did not receive HSTS header
+royal859.com: did not receive HSTS header
+royal86.com: did not receive HSTS header
+royal861.com: did not receive HSTS header
+royal865.com: did not receive HSTS header
+royal869.com: did not receive HSTS header
+royal872.com: could not connect to host
+royal873.com: did not receive HSTS header
+royal875.com: did not receive HSTS header
 royal876.com: could not connect to host
+royal877.com: could not connect to host
+royal879.com: could not connect to host
+royal88.tech: did not receive HSTS header
+royal881.com: could not connect to host
+royal882.com: could not connect to host
+royal883.com: could not connect to host
+royal885.com: did not receive HSTS header
+royal886.com: did not receive HSTS header
+royal887.com: did not receive HSTS header
+royal888888.com: did not receive HSTS header
+royal889.com: did not receive HSTS header
+royal890.com: could not connect to host
+royal891.com: could not connect to host
+royal892.com: could not connect to host
+royal893.com: could not connect to host
+royal894.com: could not connect to host
+royal895.com: could not connect to host
+royal896.com: did not receive HSTS header
+royal899.com: did not receive HSTS header
 royalhop.co: could not connect to host
-royalpub.net: did not receive HSTS header
 royalsignaturecruise.com: could not connect to host
 royaltube.net: could not connect to host
+royalyule.com: did not receive HSTS header
 roychan.org: max-age too low: 0
 royzez.com: could not connect to host
 rozalisbengal.ro: could not connect to host
@@ -13888,7 +15014,8 @@ rpasafrica.com: could not connect to host
 rr.in.th: could not connect to host
 rring.me: could not connect to host
 rritv.com: could not connect to host
-rrke.cc: did not receive HSTS header
+rrke.cc: could not connect to host
+rro.rs: could not connect to host
 rrom.me: did not receive HSTS header
 rs-devdemo.host: could not connect to host
 rsajeey.info: could not connect to host
@@ -13897,13 +15024,17 @@ rsf.io: could not connect to host
 rsi.im: could not connect to host
 rskuipers.com: did not receive HSTS header
 rsldb.com: could not connect to host
+rsm-intern.de: could not connect to host
 rsmaps.org: could not connect to host
 rsmmail.com: did not receive HSTS header
 rsships.com: could not connect to host
 rstraining.co.uk: did not receive HSTS header
 rstsecuritygroup.co.uk: could not connect to host
 rtc.fun: could not connect to host
+rtd.uk.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+rtfpessoa.xyz: did not receive HSTS header
 rtho.me: did not receive HSTS header
+rttss.com: could not connect to host
 rtvi.com: did not receive HSTS header
 ru-music.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 ruarua.ml: could not connect to host
@@ -13911,13 +15042,13 @@ rubbereggs.ca: could not connect to host
 rubbix.net: could not connect to host
 rubecodeberg.com: could not connect to host
 rubendv.be: did not receive HSTS header
-rubens.cloud: did not receive HSTS header
 rubenschulz.nl: did not receive HSTS header
 rubi-ka.net: max-age too low: 0
 ruborr.se: did not receive HSTS header
+rubyquincunx.com: could not connect to host
+rubyquincunx.org: could not connect to host
 rubysecurity.org: did not receive HSTS header
 rubyshop.nl: could not connect to host
-rudelune.fr: could not connect to host
 rudeotter.com: did not receive HSTS header
 ruderverein-gelsenkirchen.de: did not receive HSTS header
 rue-de-la-vieille.fr: did not receive HSTS header
@@ -13925,43 +15056,46 @@ ruflay.ru: could not connect to host
 rugirlfriend.com: could not connect to host
 rugs.ca: did not receive HSTS header
 rugstorene.co.uk: did not receive HSTS header
-ruhr3.de: could not connect to host
+ruhr3.de: did not receive HSTS header
 ruig.jp: could not connect to host
+ruigomes.me: did not receive HSTS header
 ruitershoponline.nl: did not receive HSTS header
 ruja.dk: did not receive HSTS header
 rukhaiyar.com: could not connect to host
 rullzer.com: did not receive HSTS header
 rummel-platz.de: could not connect to host
 rumoterra.com.br: could not connect to host
-run-forrest.run: could not connect to host
 runawebinar.nl: could not connect to host
 runcarina.com: could not connect to host
 rundumcolumn.xyz: could not connect to host
-runefake.com: could not connect to host
+runementors.com: could not connect to host
 runhardt.eu: did not receive HSTS header
 runtl.com: did not receive HSTS header
 runtondev.com: did not receive HSTS header
 ruobiyi.com: could not connect to host
 ruqu.nl: could not connect to host
 rusadmin.biz: did not receive HSTS header
-rushball.net: could not connect to host
 rusl.me: could not connect to host
+rusl.net: did not receive HSTS header
 russmarshall.com: could not connect to host
 rustbyexample.com: did not receive HSTS header
 rustfanatic.com: did not receive HSTS header
 rustralasia.net: max-age too low: 0
-rusxakep.com: could not connect to host
 ruurdboomsma.nl: could not connect to host
 ruxit.com: did not receive HSTS header
 rva.gov: could not connect to host
+rvender.cz: did not receive HSTS header
 rvg.zone: could not connect to host
+rvoigt.eu: could not connect to host
 rvolve.net: could not connect to host
 rw-solutions.tech: could not connect to host
 rwanderlust.com: did not receive HSTS header
-rxbn.de: could not connect to host
+rwgamernl.ml: could not connect to host
+rxgroup.io: could not connect to host
 rxprep.com: did not receive HSTS header
 rxt.social: could not connect to host
 rxv.cc: could not connect to host
+ryancarter.co.uk: did not receive HSTS header
 ryanroberts.co.uk: could not connect to host
 ryanteck.uk: did not receive HSTS header
 rybox.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -13969,35 +15103,44 @@ ryejuice.sytes.net: could not connect to host
 rylin.net: did not receive HSTS header
 rylore.com: could not connect to host
 ryssland.guide: could not connect to host
+ryyule.com: did not receive HSTS header
+ryzex.de: could not connect to host
 rzegroup.com: did not receive HSTS header
 s-d-v.ch: could not connect to host
+s-mdb.com: max-age too low: 7776000
 s-on.li: could not connect to host
 s-rickroll-p.pw: could not connect to host
 s.how: could not connect to host
 s0923.com: could not connect to host
-s0laris.co.uk: could not connect to host
 s1mplescripts.de: could not connect to host
 s1ris.org: did not receive HSTS header
 s3cases.com: did not receive HSTS header
+s3gfault.com: could not connect to host
 s3n.se: could not connect to host
-s4media.org: did not receive HSTS header
 saabwa.org: could not connect to host
 sabatek.pl: did not receive HSTS header
+sabrinajoiasprontaentrega.com.br: could not connect to host
+sabtunes.com: did not receive HSTS header
 sac-shop.com: did not receive HSTS header
+saccounty.gov: could not connect to host
+sacharidovejednotky.eu: could not connect to host
 sachk.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+sackers.com: did not receive HSTS header
 saco-ceso.com: could not connect to host
 sadiejanehair.com: could not connect to host
+sadmansh.com: could not connect to host
 sadsu.com: did not receive HSTS header
 saenforcement.agency: could not connect to host
 safari-afrique.com: did not receive HSTS header
 safe.space: could not connect to host
-safedevice.net: did not receive HSTS header
+safedevice.net: could not connect to host
 safelist.eu: did not receive HSTS header
 safemovescheme.co.uk: could not connect to host
 safemt.gov: could not connect to host
 safepay.io: could not connect to host
 saferedirect.link: could not connect to host
 saferedirectlink.com: could not connect to host
+saferpost.com: could not connect to host
 safesecret.info: did not receive HSTS header
 safewings-nh.nl: could not connect to host
 safing.me: could not connect to host
@@ -14006,23 +15149,23 @@ sagarhandicraft.com: could not connect to host
 sagemontchurch.org: did not receive HSTS header
 sageth.com: could not connect to host
 sah3.net: could not connect to host
+saigonstar.de: could not connect to host
 sail-nyc.com: did not receive HSTS header
 saint-astier-triathlon.com: did not receive HSTS header
+saintefoy-tarentaise.com: did not receive HSTS header
 saintjohnlutheran.church: did not receive HSTS header
 saintmichelqud.com: did not receive HSTS header
-saintw.com: could not connect to host
 sairai.bid: could not connect to host
 saiyasu-search.com: did not receive HSTS header
 sakaserver.com: did not receive HSTS header
 sakib.ninja: did not receive HSTS header
 sakurabuff.com: could not connect to host
 salaervergleich.com: did not receive HSTS header
-sale.sh: could not connect to host
+sale.sh: did not receive HSTS header
 saleaks.org: could not connect to host
 salearnership.co.za: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 saleslift.pl: could not connect to host
-salishseawhalewatching.ca: could not connect to host
-salixcode.com: could not connect to host
+salishseawhalewatching.ca: did not receive HSTS header
 sallysubs.com: could not connect to host
 salmo23.com.br: could not connect to host
 salon-claudia.ch: could not connect to host
@@ -14032,20 +15175,23 @@ salserototal.com: could not connect to host
 saltedskies.com: could not connect to host
 saltra.online: could not connect to host
 saltro.nl: did not receive HSTS header
+saludsexualmasculina.org: did not receive HSTS header
 salvaalocombia.com: could not connect to host
 salverainha.org: could not connect to host
 salzamt.tk: could not connect to host
+samanacafe.com: could not connect to host
 samanthahumphreysstudio.com: did not receive HSTS header
+samanthasicecream.com: could not connect to host
 samaritan.tech: could not connect to host
 samaritansnet.org: did not receive HSTS header
-samel.de: could not connect to host
 sametovymesic.cz: could not connect to host
 samin.tk: could not connect to host
+samip.fi: did not receive HSTS header
 saml2.com: could not connect to host
 samlamac.com: could not connect to host
 samm.com.au: did not receive HSTS header
 sammenlignakasser.dk: did not receive HSTS header
-sammyjohnson.com: could not connect to host
+sammyslimos.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 samp.im: could not connect to host
 sampcup.com: could not connect to host
 sampoznay.ru: could not connect to host
@@ -14054,15 +15200,17 @@ samsen.club: could not connect to host
 samsonova.de: could not connect to host
 samsungxoa.com: could not connect to host
 samvanderkris.com: could not connect to host
-sanael.net: could not connect to host
+samvanderkris.xyz: did not receive HSTS header
+samyerkes.com: did not receive HSTS header
+san-mian-ka.ml: did not receive HSTS header
 sanalbayrak.com: could not connect to host
 sanandreasstories.com: did not receive HSTS header
 sanasalud.org: could not connect to host
 sanatfilan.com: did not receive HSTS header
-sanatorionosti.com.ar: could not connect to host
 sanatrans.com: could not connect to host
 sanchez.adv.br: could not connect to host
 sanderknape.com: did not receive HSTS header
+sandtonvipcompanions.com: did not receive HSTS header
 sandviks.com: did not receive HSTS header
 sanguoxiu.com: could not connect to host
 sanhei.ch: did not receive HSTS header
@@ -14083,7 +15231,6 @@ santmark.org: could not connect to host
 santodomingocg.org: did not receive HSTS header
 santorinibbs.com: did not receive HSTS header
 santouri.be: could not connect to host
-saol.eu: could not connect to host
 saotn.org: did not receive HSTS header
 sapereaude.com.pl: did not receive HSTS header
 sapphireblue.me: could not connect to host
@@ -14095,7 +15242,7 @@ sarahdoyley.com: could not connect to host
 sarahlouisesearle.com: could not connect to host
 sarahsweetlife.com: could not connect to host
 sarahsweger.com: could not connect to host
-sarakas.com: could not connect to host
+sarakas.com: did not receive HSTS header
 sarangsemutbandung.com: could not connect to host
 sarindia.com: could not connect to host
 sarindia.de: could not connect to host
@@ -14105,13 +15252,13 @@ sarkarischeme.in: could not connect to host
 sarkisozleri.us: could not connect to host
 sarndipity.com: could not connect to host
 saruwebshop.co.za: could not connect to host
-sasanika.org: did not receive HSTS header
+sasrobotics.xyz: could not connect to host
 sat.rent: did not receive HSTS header
 satanichia.moe: could not connect to host
 sativatunja.com: could not connect to host
 satmep.com: did not receive HSTS header
 satoshicrypt.com: did not receive HSTS header
-satragreen.com: did not receive HSTS header
+satragreen.com: could not connect to host
 satrent.com: did not receive HSTS header
 satrent.se: did not receive HSTS header
 satriyowibowo.my.id: could not connect to host
@@ -14141,17 +15288,17 @@ savingbytes.com: did not receive HSTS header
 savinggoliath.com: could not connect to host
 savvysuit.com: did not receive HSTS header
 saxol-group.com: could not connect to host
-saxotex.de: did not receive HSTS header
 say-hanabi.com: could not connect to host
 sayhanabi.com: could not connect to host
 sazima.ru: did not receive HSTS header
 sbm.cloud: could not connect to host
 sbobetfun.com: did not receive HSTS header
 sbox-archives.com: could not connect to host
+sbsrv.ml: could not connect to host
 sby.de: did not receive HSTS header
 sc4le.com: could not connect to host
-scaffoldhirefourways.co.za: did not receive HSTS header
-scaffoldhirerandburg.co.za: did not receive HSTS header
+scaarus.com: could not connect to host
+scaffoldhireeastrand.co.za: did not receive HSTS header
 scaffoldhiresandton.co.za: did not receive HSTS header
 scala.click: did not receive HSTS header
 scannabi.com: could not connect to host
@@ -14161,10 +15308,13 @@ schaafenstrasse.koeln: could not connect to host
 schachburg.de: did not receive HSTS header
 schadegarant.net: could not connect to host
 schalkoortbv.nl: did not receive HSTS header
+schaper-sport.com: did not receive HSTS header
+schatmeester.be: did not receive HSTS header
 schau-rein.co.at: did not receive HSTS header
 schauer.so: could not connect to host
 schd.io: did not receive HSTS header
 schermreparatierotterdam.nl: did not receive HSTS header
+schil.li: could not connect to host
 schippers-it.nl: did not receive HSTS header
 schlabbi.com: did not receive HSTS header
 schmelzle.io: could not connect to host
@@ -14173,9 +15323,10 @@ schmitt.ovh: could not connect to host
 schmitt.ws: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 schmitz.link: could not connect to host
 schneider-electric.tg: did not receive HSTS header
-schnell-abnehmen.tips: did not receive HSTS header
+schnell-abnehmen.tips: could not connect to host
 schnell-gold.com: could not connect to host
 scholl.io: could not connect to host
+schollbox.de: could not connect to host
 school.in.th: could not connect to host
 schooli.io: could not connect to host
 schooltrends.co.uk: did not receive HSTS header
@@ -14187,17 +15338,16 @@ schreiber-netzwerk.eu: did not receive HSTS header
 schreibnacht.de: did not receive HSTS header
 schreinerei-wortmann.de: did not receive HSTS header
 schrikdraad.net: did not receive HSTS header
-schritt4fit.de: did not receive HSTS header
 schrodinger.io: could not connect to host
 schroepfglas-versand.de: did not receive HSTS header
 schroettle.com: did not receive HSTS header
 schulterglatzen-altenwalde.de: could not connect to host
 schur-it.de: could not connect to host
 schwarzkopfforyou.de: did not receive HSTS header
-schwarzwaldcon.de: could not connect to host
+schwarzwaldcon.de: did not receive HSTS header
 schwedenhaus.ag: did not receive HSTS header
 schweiz.guide: could not connect to host
-schweizerbolzonello.net: did not receive HSTS header
+schweizerbolzonello.net: could not connect to host
 schwerkraftlabor.de: did not receive HSTS header
 schwetz.net: could not connect to host
 sci-internet.tk: could not connect to host
@@ -14207,7 +15357,9 @@ science-anatomie.com: did not receive HSTS header
 scienceathome.org: did not receive HSTS header
 sciencemonster.co.uk: could not connect to host
 scionasset.com: did not receive HSTS header
+sciototownship-oh.gov: did not receive HSTS header
 scivillage.com: did not receive HSTS header
+sckc.stream: could not connect to host
 sclgroup.cc: did not receive HSTS header
 scm-2017.org: could not connect to host
 scooshonline.co.uk: did not receive HSTS header
@@ -14215,6 +15367,7 @@ scopea.fr: max-age too low: 0
 score-savers.com: max-age too low: 10540800
 scores4schools.com: could not connect to host
 scorobudem.ru: could not connect to host
+scorocode.ru: did not receive HSTS header
 scotbirchfield.com: did not receive HSTS header
 scottainslie.me.uk: could not connect to host
 scottdial.com: did not receive HSTS header
@@ -14222,27 +15375,36 @@ scottferguson.com.au: did not receive HSTS header
 scotthel.me: did not receive HSTS header
 scotthelme.com: did not receive HSTS header
 scottnicol.co.uk: could not connect to host
+scottstorey.co.uk: did not receive HSTS header
+scottynordstrom.org: could not connect to host
 scourt.info: max-age too low: 0
 scourt.org.ua: could not connect to host
 scoutdb.ch: did not receive HSTS header
+scpartyentertainment.co.uk: did not receive HSTS header
 scrambl.is: could not connect to host
-scramble.io: did not receive HSTS header
+scramble.io: could not connect to host
 scrambler.in: could not connect to host
 scrapings.net: could not connect to host
-screencaster.io: did not receive HSTS header
+screencaster.io: could not connect to host
 screenresolution.space: could not connect to host
 screensaversplanet.com: did not receive HSTS header
-scribbleserver.com: could not connect to host
+scribbleserver.com: did not receive HSTS header
 scribe.systems: could not connect to host
 scrion.com: could not connect to host
 script.google.com: did not receive HSTS header (error ignored - included regardless)
 scriptenforcer.net: could not connect to host
 scripthost.org: could not connect to host
-scriptict.nl: could not connect to host
+scriptict.nl: did not receive HSTS header
 scriptjunkie.us: could not connect to host
 scrollstory.com: did not receive HSTS header
 scruffymen.com: could not connect to host
 scrumplex.net: did not receive HSTS header
+sctm.at: could not connect to host
+scuters.club: could not connect to host
+scw.com: did not receive HSTS header
+scw.nz: could not connect to host
+scwilliams.co.uk: could not connect to host
+scwilliams.uk: could not connect to host
 sdhmanagementgroup.com: could not connect to host
 sdia.ru: could not connect to host
 sdl-corporatesite-staging.azurewebsites.net: did not receive HSTS header
@@ -14260,25 +15422,26 @@ seansyardservice.com: did not receive HSTS header
 searchgov.gov.il: did not receive HSTS header
 searchshops.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 searx.pw: could not connect to host
+seatshare.co.uk: did not receive HSTS header
+seattleprivacy.org: could not connect to host
+seavancouver.com: did not receive HSTS header
 sebastian-bair.de: could not connect to host
 sebastian-lutsch.de: could not connect to host
 sebastian-schmidt.me: did not receive HSTS header
 sebastianhampl.de: could not connect to host
 sebastianpedersen.com: did not receive HSTS header
 sebastiensenechal.com: did not receive HSTS header
+sebi.cf: could not connect to host
 sebster.com: did not receive HSTS header
-sec44.com: could not connect to host
-sec44.net: could not connect to host
-sec44.org: could not connect to host
 sec4share.me: did not receive HSTS header
 secandtech.com: could not connect to host
 secanje.nl: did not receive HSTS header
-secboom.com: could not connect to host
+secboom.com: did not receive HSTS header
 seccomp.ru: did not receive HSTS header
 seceye.cn: could not connect to host
-secitem.at: did not receive HSTS header
+secitem.at: could not connect to host
 secitem.de: could not connect to host
-secitem.eu: did not receive HSTS header
+secitem.eu: could not connect to host
 secnet.ga: could not connect to host
 secondary-survivor.com: could not connect to host
 secondary-survivor.help: could not connect to host
@@ -14288,11 +15451,13 @@ secondarysurvivorportal.com: could not connect to host
 secondarysurvivorportal.help: could not connect to host
 secondbike.co.uk: did not receive HSTS header
 secondbyte.nl: could not connect to host
-secondpay.nl: could not connect to host
+secondpay.nl: did not receive HSTS header
 secondspace.ca: could not connect to host
+secpoc.online: could not connect to host
 secretnation.net: did not receive HSTS header
 secretofanah.com: could not connect to host
 secretpanties.com: could not connect to host
+secretum.tech: did not receive HSTS header
 sectest.ml: could not connect to host
 sectia22.ro: could not connect to host
 secur3.us: did not receive HSTS header
@@ -14308,23 +15473,24 @@ secureideas.com: did not receive HSTS header
 secureindia.co: could not connect to host
 secureradio.net: could not connect to host
 securesuisse.ch: could not connect to host
+securetronic.ch: could not connect to host
 securita.eu: did not receive HSTS header
 security-carpet.com: could not connect to host
 security-thoughts.org: could not connect to host
 security.google.com: did not receive HSTS header (error ignored - included regardless)
-security.love: could not connect to host
 security.xn--q9jyb4c: could not connect to host
 securityarena.com: could not connect to host
 securitybrief.asia: did not receive HSTS header
 securitybrief.co.nz: did not receive HSTS header
 securitybrief.com.au: did not receive HSTS header
 securitybrief.eu: did not receive HSTS header
-securitybsides.pl: could not connect to host
+securitybsides.pl: did not receive HSTS header
+securitycamerasaustin.net: did not receive HSTS header
+securitycamerasjohnsoncity.com: could not connect to host
 securityglance.com: could not connect to host
 securityinet.biz: did not receive HSTS header
 securityinet.net: did not receive HSTS header
 securityinet.org.il: could not connect to host
-securitymap.wiki: could not connect to host
 securitysoapbox.com: could not connect to host
 securitytalk.pl: could not connect to host
 securitytestfan.gov: could not connect to host
@@ -14344,9 +15510,10 @@ seefunk.net: did not receive HSTS header
 seehimnaked.com: could not connect to host
 seehimnude.com: could not connect to host
 seehisnudes.com: could not connect to host
+seekthe.net: did not receive HSTS header
 seele.ca: could not connect to host
 seemeasaperson.com: did not receive HSTS header
-seen.life: could not connect to host
+seen.life: did not receive HSTS header
 sehenderson.com: did not receive HSTS header
 seida.at: could not connect to host
 seiko-dojo.com: could not connect to host
@@ -14358,20 +15525,24 @@ selecadm.name: could not connect to host
 selectary.com: could not connect to host
 selectcertifiedautos.com: did not receive HSTS header
 selectruckscalltrackingreports.com: could not connect to host
+selent.me: could not connect to host
 seleondar.ru: did not receive HSTS header
 selfdefenserx.com: did not receive HSTS header
 selfhosters.com: could not connect to host
 selfie-france.fr: could not connect to host
 selfserverx.com: could not connect to host
 selitysvideot.fi: did not receive HSTS header
-selldorado.com: could not connect to host
-sellercritic.com: did not receive HSTS header
+sellercritic.com: could not connect to host
 sellocdn.com: could not connect to host
 sellservs.co.za: could not connect to host
-semantheme.fr: did not receive HSTS header
+seltendoof.de: could not connect to host
+semantheme.fr: could not connect to host
 semen3325.xyz: could not connect to host
 semenkovich.com: did not receive HSTS header
 sementes.gratis: could not connect to host
+semianalog.com: could not connect to host
+semirben.de: max-age too low: 172800
+semmlers.com: did not receive HSTS header
 semps-servers.de: could not connect to host
 sendash.com: did not receive HSTS header
 sendmeback.de: did not receive HSTS header
@@ -14382,24 +15553,31 @@ senseye.io: did not receive HSTS header
 sensiblemn.org: could not connect to host
 sensibus.com: did not receive HSTS header
 sensoft-int.com: could not connect to host
+sensoft-int.net: could not connect to host
 sensualism.com: could not connect to host
 seo-lagniappe.com: did not receive HSTS header
 seoarchive.org: could not connect to host
 seobot.com.au: could not connect to host
+seoenmexico.com.mx: did not receive HSTS header
 seohochschule.de: could not connect to host
+seoium.com: did not receive HSTS header
 seokay.com: did not receive HSTS header
 seolaba.io: could not connect to host
+seolib.org: could not connect to host
 seomarketingdeals.com: did not receive HSTS header
 seomen.biz: could not connect to host
 seomobo.com: could not connect to host
 seosanantonioinc.com: did not receive HSTS header
 seoscribe.net: could not connect to host
+seosec.xyz: could not connect to host
 seotronix.net: did not receive HSTS header
 seowarp.net: did not receive HSTS header
-sep23.ru: could not connect to host
+sep23.ru: did not receive HSTS header
 sepakbola.win: could not connect to host
 sephr.com: did not receive HSTS header
 sepie.gob.es: did not receive HSTS header
+seproco.com: could not connect to host
+septakkordeon.de: could not connect to host
 seq.tf: did not receive HSTS header
 sequatchiecountytn.gov: could not connect to host
 serafin.tech: could not connect to host
@@ -14407,15 +15585,16 @@ serathius.ovh: could not connect to host
 serbien.guide: could not connect to host
 serenitycreams.com: did not receive HSTS header
 serfdom.io: did not receive HSTS header
+sergeemond.ca: could not connect to host
 sergivb01.me: did not receive HSTS header
 serized.pw: could not connect to host
 serkaneles.com: did not receive HSTS header
+servdiscount.com: did not receive HSTS header
 servecrypt.com: could not connect to host
 servecrypt.net: could not connect to host
 servecrypt.ru: could not connect to host
 server-bg.net: could not connect to host
 server.pk: did not receive HSTS header
-serverangels.co.uk: did not receive HSTS header
 servercode.ca: did not receive HSTS header
 serverdensity.io: did not receive HSTS header
 servergno.me: did not receive HSTS header
@@ -14427,13 +15606,13 @@ servicevie.com: did not receive HSTS header
 servpanel.de: did not receive HSTS header
 servu.de: did not receive HSTS header
 servx.ru: did not receive HSTS header
-serwusik.pl: did not receive HSTS header
 seryo.moe: could not connect to host
 seryo.net: could not connect to host
 seryovpn.com: could not connect to host
 sesha.co.za: could not connect to host
 sethoedjo.com: could not connect to host
 setkit.net: could not connect to host
+setterirlandes.com.br: could not connect to host
 setuid.de: could not connect to host
 sevenet.pl: did not receive HSTS header
 sevenhearts.online: could not connect to host
@@ -14444,20 +15623,21 @@ sexgarage.de: could not connect to host
 sexocomgravidas.com: could not connect to host
 sexoyrelax.com: could not connect to host
 sexpay.net: could not connect to host
-sexplicit.co.uk: did not receive HSTS header
 sexshopfacil.com.br: could not connect to host
 sexshopnet.com.br: could not connect to host
 sexshopsgay.com: did not receive HSTS header
 sexwork.net: could not connect to host
 sexymassageoil.com: could not connect to host
 seyahatsagliksigortalari.com: could not connect to host
-seydaozcan.com: did not receive HSTS header
 seyr.it: could not connect to host
 sfashion.si: did not receive HSTS header
 sfaturiit.ro: could not connect to host
+sfcomercio.com.br: could not connect to host
 sfhobbies.com.br: could not connect to host
 sfsltd.com: did not receive HSTS header
 sgovaard.nl: did not receive HSTS header
+sgroup-hitoduma.com: did not receive HSTS header
+sgroup-rec.com: did not receive HSTS header
 sgthotshot.com: could not connect to host
 sgtsnookums.net: could not connect to host
 sh11.pp.ua: did not receive HSTS header
@@ -14491,15 +15671,17 @@ shag-shag.ru: could not connect to host
 shagi29.ru: did not receive HSTS header
 shahbeat.com: could not connect to host
 shaitan.eu: could not connect to host
-shakebox.de: could not connect to host
 shandonsg.co.uk: could not connect to host
 shanekoster.net: did not receive HSTS header
-shanesage.com: did not receive HSTS header
+shanesage.com: could not connect to host
+shanewadleigh.com: did not receive HSTS header
 shang-yu.cn: could not connect to host
+shangzhen.site: could not connect to host
 shanxiapark.com: could not connect to host
-shanyhs.com: did not receive HSTS header
+shanyhs.com: could not connect to host
 shapesedinburgh.co.uk: did not receive HSTS header
 shardsoft.com: could not connect to host
+sharecc.co: could not connect to host
 shareeri.com: could not connect to host
 shareimg.xyz: could not connect to host
 sharemessage.net: could not connect to host
@@ -14514,9 +15696,8 @@ shariahlawcenter.org: could not connect to host
 sharialawcenter.com: could not connect to host
 sharialawcenter.org: could not connect to host
 sharingcode.com: did not receive HSTS header
+sharkie.org.za: did not receive HSTS header
 sharpe-practice.co.uk: could not connect to host
-sharperedge.pw: could not connect to host
-sharperedgecomputers.com: could not connect to host
 shasso.com: did not receive HSTS header
 shatorin.com: did not receive HSTS header
 shauncrowley.co.uk: could not connect to host
@@ -14527,9 +15708,12 @@ shawnh.net: could not connect to host
 shawnstarrcustomhomes.com: did not receive HSTS header
 shawnwilson.info: could not connect to host
 shazbots.org: could not connect to host
+shellday.cc: could not connect to host
+shellot.com: could not connect to host
 shellsec.pw: did not receive HSTS header
-shemissed.me: did not receive HSTS header
 shena.co.uk: could not connect to host
+shengrenyu.com: could not connect to host
+shens.ai: could not connect to host
 shentengtu.idv.tw: could not connect to host
 shep.co.il: did not receive HSTS header
 sheratan.web.id: could not connect to host
@@ -14542,12 +15726,14 @@ sheying.tm: could not connect to host
 shiatsu-institut.ch: could not connect to host
 shibainu.com.br: could not connect to host
 shibe.club: could not connect to host
+shieldofachilles.in: could not connect to host
 shift.ooo: did not receive HSTS header
 shiftins.com: could not connect to host
 shiftnrg.org: did not receive HSTS header
 shiftplanning.com: did not receive HSTS header
 shiinko.com: could not connect to host
 shikinobi.com: did not receive HSTS header
+shin-inc.jp: did not receive HSTS header
 shindorei.fr: could not connect to host
 shinebijoux.com.br: could not connect to host
 shinju.moe: could not connect to host
@@ -14559,23 +15745,28 @@ shipping24h.com: could not connect to host
 shippingbo.com: did not receive HSTS header
 shiroki-k.net: could not connect to host
 shirosaki.org: could not connect to host
+shishamania.de: could not connect to host
 shishkin.link: did not receive HSTS header
 shitfest.info: did not receive HSTS header
 shitposting.life: could not connect to host
 shk.im: could not connect to host
 shlemenkov.by: could not connect to host
 shm-forum.org.uk: could not connect to host
-sho-tanaka.jp: did not receive HSTS header
+shmibbles.me: could not connect to host
+shmunky.co.uk: did not receive HSTS header
+sho-tanaka.jp: could not connect to host
 shocksrv.com: did not receive HSTS header
 shoemuse.com: did not receive HSTS header
 shooshosha.com: could not connect to host
 shootpooloklahoma.com: could not connect to host
-shop.fr: max-age too low: 0
+shop.fr: did not receive HSTS header
 shopdopastor.com.br: could not connect to host
 shopherbal.co.za: could not connect to host
+shophisway.com: could not connect to host
 shopods.com: did not receive HSTS header
 shopontarget.com: did not receive HSTS header
 shoppeno5.com: did not receive HSTS header
+shoppia.se: did not receive HSTS header
 shoppingreview.org: did not receive HSTS header
 shoprose.ru: could not connect to host
 shoprsc.com: could not connect to host
@@ -14590,8 +15781,11 @@ showdepiscinas.com.br: did not receive HSTS header
 shower.im: did not receive HSTS header
 showkeeper.tv: did not receive HSTS header
 showroom.de: did not receive HSTS header
+showroom113.ru: could not connect to host
+shoxmusic.net: max-age too low: 2592000
 shred.ch: could not connect to host
 shredoptics.ch: could not connect to host
+shreyansh26.me: could not connect to host
 shtorku.com: could not connect to host
 shu-kin.net: did not receive HSTS header
 shukatsu-note.com: could not connect to host
@@ -14604,39 +15798,44 @@ shybynature.com: did not receive HSTS header
 shymeck.pw: could not connect to host
 shypp.it: could not connect to host
 shyrydan.es: could not connect to host
+si.to: could not connect to host
 siamega.com: could not connect to host
 siammedia.co: could not connect to host
 siamojo.com: could not connect to host
 sianimacion.com: could not connect to host
 siao-mei.com: did not receive HSTS header
-siberkulupler.com: could not connect to host
 sichere-kartenakzeptanz.de: could not connect to host
 siciliadigitale.pro: could not connect to host
+sickfile.com: could not connect to host
 sicklepod.com: could not connect to host
+siconnect.us: did not receive HSTS header
 sictame-tigf.org: did not receive HSTS header
 sideropolisnoticias.com.br: did not receive HSTS header
+sidpod.ru: could not connect to host
+siduga.com: could not connect to host
 siebens.net: could not connect to host
 sieh.es: did not receive HSTS header
 sieulog.com: could not connect to host
 sifls.com: could not connect to host
 sifreuret.com: could not connect to host
+signaltransmitter.de: did not receive HSTS header
+signdesk.com: did not receive HSTS header
 signere.com: could not connect to host
 signere.no: did not receive HSTS header
 signoracle.com: could not connect to host
-signosquecombinam.com.br: could not connect to host
+signosquecombinam.com.br: did not receive HSTS header
 signsdance.uk: could not connect to host
 sigsegv.run: did not receive HSTS header
 sihaizixun.net: could not connect to host
 siikarantacamping.fi: did not receive HSTS header
-sijimi.cn: could not connect to host
+sijimi.cn: did not receive HSTS header
 sijmenschoon.nl: did not receive HSTS header
 sikatehtaat.fi: could not connect to host
 siku.pro: could not connect to host
 silentcircle.com: did not receive HSTS header
 silentcircle.org: could not connect to host
-silentexplosion.de: could not connect to host
 silentlink.io: could not connect to host
-silentmode.com: max-age too low: 0
+silentmode.com: max-age too low: 7889238
 silicagelpackets.ca: did not receive HSTS header
 silke-hunde.de: did not receive HSTS header
 silqueskineyeserum.com: could not connect to host
@@ -14645,8 +15844,11 @@ silver-drachenkrieger.de: did not receive HSTS header
 silverartcollector.com: did not receive HSTS header
 silverback.is: did not receive HSTS header
 silvergoldbull.ba: could not connect to host
-silvergoldbull.lt: could not connect to host
+silvergoldbull.bg: could not connect to host
+silvergoldbull.kg: could not connect to host
+silvergoldbull.ky: could not connect to host
 silvergoldbull.md: could not connect to host
+silvergoldbull.ml: could not connect to host
 silvergoldbull.ph: could not connect to host
 silverhome.ninja: could not connect to host
 silverpvp.com: could not connect to host
@@ -14654,9 +15856,7 @@ silverstartup.sk: could not connect to host
 silviamacallister.com: did not receive HSTS header
 silvistefi.com: could not connect to host
 sim-sim.appspot.com: did not receive HSTS header
-sim4seed.org: could not connect to host
 simbast.com: could not connect to host
-simbihaiti.com: max-age too low: 7889238
 simbol.id: could not connect to host
 simbolo.co.uk: could not connect to host
 simccorp.com: could not connect to host
@@ -14675,10 +15875,12 @@ simonkjellberg.se: did not receive HSTS header
 simonsaxon.com: did not receive HSTS header
 simonschmitt.ch: could not connect to host
 simonsmh.cc: did not receive HSTS header
+simotrescu.ro: could not connect to host
 simpan.id: could not connect to host
 simpeo.fr: did not receive HSTS header
 simpeo.org: did not receive HSTS header
 simpleai.net: max-age too low: 600
+simpleclassiclife.com: could not connect to host
 simplefraud.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 simplelearner.com: could not connect to host
 simplepractice.com: did not receive HSTS header
@@ -14687,20 +15889,24 @@ simplesamlphp.org: did not receive HSTS header
 simplexsupport.com: did not receive HSTS header
 simplixos.org: could not connect to host
 simplyenak.com: did not receive HSTS header
+simplyrara.com: did not receive HSTS header
 sims4hub.ga: could not connect to host
 simtin-net.de: could not connect to host
 simumiehet.com: could not connect to host
 simyo.nl: did not receive HSTS header
 sin30.net: could not connect to host
 sincai666.com: could not connect to host
+sinceschool.com: could not connect to host
 sinclairmoving.com: did not receive HSTS header
 sincron.org: could not connect to host
+sinefili.com: could not connect to host
 sinful.pw: could not connect to host
 singee.site: could not connect to host
-singerwang.com: could not connect to host
+singerwang.com: did not receive HSTS header
 singles-berlin.de: could not connect to host
 singul4rity.com: could not connect to host
 sinkip.com: could not connect to host
+sinn.io: could not connect to host
 sinneserweiterung.de: could not connect to host
 sinon.org: did not receive HSTS header
 sinoscandinavia.se: could not connect to host
@@ -14709,13 +15915,14 @@ sinsojb.me: could not connect to host
 sintesysglobal.com: did not receive HSTS header
 sinusbot.online: did not receive HSTS header
 sion.moe: did not receive HSTS header
+sipc.org: did not receive HSTS header
 sipsik.net: did not receive HSTS header
 siqi.wang: could not connect to host
-sirburton.com: did not receive HSTS header
+sirburton.com: could not connect to host
 siriad.com: could not connect to host
 sirius-lee.net: could not connect to host
 siro.gq: did not receive HSTS header
-siroop.ch: max-age too low: 86400
+siroop.ch: did not receive HSTS header
 sisgopro.com: could not connect to host
 sistemasespecializados.com: did not receive HSTS header
 sistemlash.com: did not receive HSTS header
@@ -14730,28 +15937,32 @@ sitennisclub.com: did not receive HSTS header
 siterip.org: could not connect to host
 sites.google.com: did not receive HSTS header (error ignored - included regardless)
 sitesforward.com: did not receive HSTS header
-sitesource101.com: could not connect to host
+sitesource101.com: did not receive HSTS header
 sitesten.com: did not receive HSTS header
+sitesuccessful.com: did not receive HSTS header
+sitsy.ru: did not receive HSTS header
 sittinginoblivion.com: did not receive HSTS header
 sizingservers.be: did not receive HSTS header
-sizzle.co.uk: did not receive HSTS header
+sizzle.co.uk: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 sja-se-training.com: could not connect to host
+sjatsh.com: could not connect to host
 sjdtaxi.com: did not receive HSTS header
 sjhyl11.com: could not connect to host
 sjsc.fr: did not receive HSTS header
 sjsmith.id.au: did not receive HSTS header
+sjv4u.ch: did not receive HSTS header
 sjzebs.com: did not receive HSTS header
 sjzget.com: did not receive HSTS header
 sjzybs.com: did not receive HSTS header
 skandiabanken.no: did not receive HSTS header
 skaraborgsassistans.com: did not receive HSTS header
 skarox.com: could not connect to host
+skarox.ee: could not connect to host
 skarox.eu: could not connect to host
 skarox.net: could not connect to host
 skarox.ru: could not connect to host
 skates.guru: did not receive HSTS header
 skday.com: did not receive HSTS header
-sketchywebsite.net: did not receive HSTS header
 ski-insurance.com.au: did not receive HSTS header
 skidstresser.com: could not connect to host
 skiinstructor.services: did not receive HSTS header
@@ -14770,33 +15981,37 @@ skoda-clever-lead.de: could not connect to host
 skoda-im-dialog.de: could not connect to host
 skoda-nurdiebesten.de: did not receive HSTS header
 skoda-service-team-cup.de: did not receive HSTS header
+skolnieks.lv: could not connect to host
 skomski.org: did not receive HSTS header
-skotty.io: did not receive HSTS header
+skoolergraph.azurewebsites.net: did not receive HSTS header
 skpdev.net: could not connect to host
 skrimix.tk: could not connect to host
 skrivande.co: could not connect to host
 skullhouse.nyc: could not connect to host
 sky-aroma.com: could not connect to host
+sky-universe.net: did not receive HSTS header
 skyasker.cn: could not connect to host
 skyasker.com: could not connect to host
 skybloom.com: could not connect to host
+skybloom.io: could not connect to host
 skybound.link: did not receive HSTS header
 skyflix.me: could not connect to host
 skyline.link: could not connect to host
 skyline.tw: did not receive HSTS header
 skylocker.net: could not connect to host
-skylocker.nl: could not connect to host
+skylocker.nl: did not receive HSTS header
 skyoy.com: did not receive HSTS header
 skypeassets.com: could not connect to host
 skypoker.com: could not connect to host
 skyris.co: could not connect to host
 skyrunners.ch: could not connect to host
-skytec.host: did not receive HSTS header
+skytec.host: could not connect to host
 skyvault.io: could not connect to host
 skyveo.ml: did not receive HSTS header
 skyway.capital: did not receive HSTS header
 skyworldserver.ddns.net: could not connect to host
-sl1pkn07.wtf: max-age too low: 2592000
+sl0.us: did not receive HSTS header
+sl1pkn07.wtf: could not connect to host
 slaps.be: could not connect to host
 slash-dev.de: did not receive HSTS header
 slash64.co.uk: could not connect to host
@@ -14806,6 +16021,8 @@ slashand.co: could not connect to host
 slashbits.no: did not receive HSTS header
 slashdesign.it: did not receive HSTS header
 slashem.me: did not receive HSTS header
+slatemc.fun: could not connect to host
+slatko.io: could not connect to host
 slattery.co: did not receive HSTS header
 slauber.de: did not receive HSTS header
 sld08.com: did not receive HSTS header
@@ -14815,6 +16032,7 @@ sleepstar.com.mt: did not receive HSTS header
 sliceone.com: could not connect to host
 slicketl.com: did not receive HSTS header
 slicss.com: could not connect to host
+slides.zone: could not connect to host
 slightfuture.click: could not connect to host
 slightfuture.com: did not receive HSTS header
 slimk1nd.nl: could not connect to host
@@ -14822,6 +16040,7 @@ slimmerbouwen.be: did not receive HSTS header
 slingo.com: did not receive HSTS header
 slix.io: could not connect to host
 sln.cloud: could not connect to host
+slo-net.net: could not connect to host
 slope.haus: could not connect to host
 slotboss.co.uk: did not receive HSTS header
 slovakiana.sk: did not receive HSTS header
@@ -14830,11 +16049,13 @@ slovoice.org: could not connect to host
 slowfood.es: did not receive HSTS header
 slowsociety.org: could not connect to host
 slse.ca: max-age too low: 0
-sluplift.com: did not receive HSTS header
+sluplift.com: could not connect to host
 slycurity.de: could not connect to host
 slytech.ch: could not connect to host
 smallcdn.rocks: could not connect to host
 smallchat.nl: could not connect to host
+smallcloudsolutions.co.za: could not connect to host
+smallpath.me: could not connect to host
 smallplanet.ch: did not receive HSTS header
 smallshopit.com: did not receive HSTS header
 smart-mirror.de: did not receive HSTS header
@@ -14845,27 +16066,26 @@ smartboleta.com: did not receive HSTS header
 smartbuyelectric.com: could not connect to host
 smartcoin.com.br: could not connect to host
 smarterskies.gov: did not receive HSTS header
+smartest-trading.com: could not connect to host
 smarthomedna.com: did not receive HSTS header
 smartietop.com: could not connect to host
 smartit.pro: did not receive HSTS header
 smartlend.se: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+smartmompicks.com: did not receive HSTS header
 smartofficesandsmarthomes.com: did not receive HSTS header
 smartofficeusa.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 smartphone.continental.com: could not connect to host
 smartrade.tech: did not receive HSTS header
 smartrak.co.nz: did not receive HSTS header
-smartshoppers.es: did not receive HSTS header
-smartwank.com: could not connect to host
 smartwritingservice.com: could not connect to host
 smcbox.com: did not receive HSTS header
 smdev.fr: could not connect to host
 smet.us: could not connect to host
-smexpt.com: did not receive HSTS header
 smi-a.me: could not connect to host
 smileawei.com: could not connect to host
 smimea.com: did not receive HSTS header
 smirkingwhorefromhighgarden.pro: could not connect to host
-smithchow.com: could not connect to host
+smith.is: could not connect to host
 smittix.co.uk: did not receive HSTS header
 smkn1lengkong.sch.id: did not receive HSTS header
 smksi2.com: could not connect to host
@@ -14884,11 +16104,13 @@ smspodmena.ru: could not connect to host
 smtp.bz: did not receive HSTS header
 smtpdev.com: could not connect to host
 smuhelper.cn: could not connect to host
-smusg.com: could not connect to host
+smusg.com: did not receive HSTS header
+smutba.se: did not receive HSTS header
 snafarms.com: did not receive HSTS header
 snailing.org: could not connect to host
 snake.dog: could not connect to host
 snakehosting.dk: did not receive HSTS header
+snapappts.com: could not connect to host
 snapworks.net: did not receive HSTS header
 snarf.in: could not connect to host
 sneaker.date: could not connect to host
@@ -14901,20 +16123,20 @@ snic.website: could not connect to host
 sniderman.pro: could not connect to host
 sniderman.xyz: could not connect to host
 snip.host: could not connect to host
-snippet.host: could not connect to host
 snod.land: did not receive HSTS header
-snoot.club: did not receive HSTS header
 snoozedds.com: max-age too low: 600
 snoqualmiefiber.org: could not connect to host
+snoringhq.com: did not receive HSTS header
 snovey.com: could not connect to host
 snow-online.de: could not connect to host
 snowdy.eu: could not connect to host
 snowdy.link: could not connect to host
-snowyluma.com: could not connect to host
+snrat.com: did not receive HSTS header
 so-healthy.co.uk: did not receive HSTS header
 sobabox.ru: could not connect to host
 sobinski.pl: did not receive HSTS header
 soboleva-pr.com.ua: could not connect to host
+soc.net: could not connect to host
 socal-babes.com: could not connect to host
 soccergif.com: could not connect to host
 soci.ml: could not connect to host
@@ -14922,7 +16144,7 @@ social-journey.com: could not connect to host
 socialbillboard.com: could not connect to host
 socialcs.xyz: could not connect to host
 socialdj.de: did not receive HSTS header
-socialfacecook.com: could not connect to host
+socialfacecook.com: did not receive HSTS header
 socialgrowing.cl: did not receive HSTS header
 socialhead.io: could not connect to host
 socialhub.com: did not receive HSTS header
@@ -14934,10 +16156,13 @@ socialworkout.org: could not connect to host
 socialworkout.tv: could not connect to host
 socketize.com: did not receive HSTS header
 sockeye.cc: could not connect to host
+socoastal.com: could not connect to host
 socomponents.co.uk: could not connect to host
 sodacore.com: could not connect to host
-soe-server.com: could not connect to host
+sodamakerclub.com: did not receive HSTS header
+sodiao.cc: could not connect to host
 softballsavings.com: did not receive HSTS header
+softbebe.com: did not receive HSTS header
 softclean.pt: did not receive HSTS header
 softplaynation.co.uk: did not receive HSTS header
 sogeek.me: could not connect to host
@@ -14952,7 +16177,8 @@ soldbygold.net: did not receive HSTS header
 solentes.com.br: could not connect to host
 solidfuelappliancespares.co.uk: did not receive HSTS header
 solidimage.com.br: could not connect to host
-solidus.systems: did not receive HSTS header
+solidtuesday.com: could not connect to host
+solidus.systems: could not connect to host
 solidwebnetworks.co.uk: did not receive HSTS header
 solinter.com.br: did not receive HSTS header
 solisrey.es: could not connect to host
@@ -14960,12 +16186,13 @@ soljem.com: did not receive HSTS header
 soll-i.ch: did not receive HSTS header
 solosmusic.xyz: could not connect to host
 solsystems.ru: did not receive HSTS header
-solus-project.com: could not connect to host
+solus-project.com: did not receive HSTS header
 solutive.fi: did not receive HSTS header
 solymar.co: could not connect to host
 some.rip: max-age too low: 6307200
 somebodycares.org: did not receive HSTS header
 somepills.com: did not receive HSTS header
+somersetscr.nhs.uk: could not connect to host
 someshit.xyz: could not connect to host
 something-else.cf: could not connect to host
 somethingnew.xyz: could not connect to host
@@ -14973,18 +16200,22 @@ somethingsimilar.com: [Exception... "Component returned failure code: 0x80004005
 somewherein.jp: did not receive HSTS header
 sonafe.info: could not connect to host
 sonerezh.bzh: did not receive HSTS header
+songluck.com: could not connect to host
 sonialive.com: did not receive HSTS header
 sonic.network: did not receive HSTS header
 sonicrainboom.rocks: could not connect to host
 sonix.dk: could not connect to host
 sonja-daniels.com: could not connect to host
 sonja-kowa.de: could not connect to host
+sonoecoracao.com.br: could not connect to host
 sonyforum.no: did not receive HSTS header
 soobi.org: did not receive HSTS header
-soondy.com: did not receive HSTS header
+soodwatthanaphon.net: did not receive HSTS header
+soondy.com: could not connect to host
+soothemobilemassage.com.au: did not receive HSTS header
 soply.com: could not connect to host
 soporte.cc: could not connect to host
-sorenam.com: could not connect to host
+sorenam.com: did not receive HSTS header
 sorensen-online.com: could not connect to host
 sorex.photo: did not receive HSTS header
 sorinmuntean.ro: did not receive HSTS header
@@ -14994,30 +16225,33 @@ soruly.moe: did not receive HSTS header
 sos.de: did not receive HSTS header
 sosaka.ml: could not connect to host
 sosecu.red: could not connect to host
+sosesh.shop: could not connect to host
 sosiolog.com: did not receive HSTS header
 sosko.in.rs: could not connect to host
+sotavasara.net: did not receive HSTS header
 sotiran.com: did not receive HSTS header
 sotor.de: did not receive HSTS header
 soucorneteiro.com.br: could not connect to host
 soulcraft.bz: could not connect to host
-soulema.com: could not connect to host
+soulema.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 soulfulglamour.uk: could not connect to host
 soulsteer.com: could not connect to host
-soundbytemedia.com: did not receive HSTS header
 soundedj.com.br: could not connect to host
 soundforsound.co.uk: did not receive HSTS header
 soundgasm.net: could not connect to host
 soundsecurity.io: could not connect to host
+souqtajmeel.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 sourcecode.love: could not connect to host
 sourcelair.com: did not receive HSTS header
+sourcely.net: could not connect to host
 sourcitec.com: did not receive HSTS header
-sous-surveillance.net: could not connect to host
 southcoastkitesurf.co.uk: did not receive HSTS header
 southcoastswords.com: did not receive HSTS header
 southernjamusa.com: did not receive HSTS header
 southernlights.xyz: could not connect to host
 southgale.condos: could not connect to host
 southside-crew.club: could not connect to host
+southwindsor-ct.gov: could not connect to host
 southworcestershiregpservices.co.uk: could not connect to host
 soutien-naissance.com: could not connect to host
 souvik.me: did not receive HSTS header
@@ -15038,6 +16272,7 @@ spacountryexplorer.org.au: did not receive HSTS header
 spaggel.nl: did not receive HSTS header
 spam.lol: could not connect to host
 spamloco.net: did not receive HSTS header
+spamwc.de: did not receive HSTS header
 spangehlassociates.com: did not receive HSTS header
 spanien.guide: could not connect to host
 sparelib.com: max-age too low: 3650
@@ -15045,7 +16280,7 @@ spark.team: could not connect to host
 sparkbase.cn: could not connect to host
 sparklingsparklers.com: did not receive HSTS header
 sparkresearch.net: could not connect to host
-sparkreviewcenter.com: could not connect to host
+sparkreviewcenter.com: did not receive HSTS header
 sparkwood.org: could not connect to host
 sparmedo.de: did not receive HSTS header
 sparsa.army: could not connect to host
@@ -15054,10 +16289,12 @@ spartantheatre.org: could not connect to host
 spauted.com: could not connect to host
 spawn.cz: could not connect to host
 spcx.eu: could not connect to host
+spd-pulheim-mitte.de: did not receive HSTS header
 spdysync.com: could not connect to host
 specialedesigns.com: could not connect to host
 specialistnow.com.au: did not receive HSTS header
 spectreattack.com: did not receive HSTS header
+spectrosoftware.de: could not connect to host
 speculor.net: could not connect to host
 spedplus.com.br: did not receive HSTS header
 speed-mailer.com: could not connect to host
@@ -15076,10 +16313,10 @@ sphinx.network: could not connect to host
 spicydog.tk: could not connect to host
 spicywombat.com: could not connect to host
 spiegels.nl: did not receive HSTS header
+spiel-teppich.de: could not connect to host
 spielcasinos.com: did not receive HSTS header
 spikeykc.me: could not connect to host
 spillersfamily.net: could not connect to host
-spillmaker.no: did not receive HSTS header
 spilsbury.io: could not connect to host
 spineandscoliosis.com: did not receive HSTS header
 spinner.dnshome.de: could not connect to host
@@ -15093,7 +16330,8 @@ spitefultowel.com: did not receive HSTS header
 spitfireuav.com: could not connect to host
 spititout.it: could not connect to host
 split.is: could not connect to host
-splunk.zone: could not connect to host
+splunk.zone: did not receive HSTS header
+spoketwist.com: did not receive HSTS header
 spokonline.com: could not connect to host
 spon.cz: did not receive HSTS header
 sponsorowani.pl: did not receive HSTS header
@@ -15101,7 +16339,6 @@ sponsortobias.com: could not connect to host
 spontex.org: did not receive HSTS header
 spookyinternet.com: could not connect to host
 sporara.com: did not receive HSTS header
-sport-socken.net: did not receive HSTS header
 sport247.bet: max-age too low: 2592000
 sportchirp-internal.azurewebsites.net: did not receive HSTS header
 sportflash.info: did not receive HSTS header
@@ -15115,11 +16352,12 @@ spot-events.com: could not connect to host
 spotifyripper.tk: could not connect to host
 spotlightsrule.com: could not connect to host
 spotlightsrule.ddns.net: could not connect to host
+spotteredu.com: did not receive HSTS header
 spr.id.au: could not connect to host
 spreadsheets.google.com: did not receive HSTS header (error ignored - included regardless)
 spresso.me: did not receive HSTS header
-spricknet.de: could not connect to host
 sprigings.com: did not receive HSTS header
+springreizen.nl: did not receive HSTS header
 springsoffthegrid.com: could not connect to host
 sprint.ml: did not receive HSTS header
 sprk.fitness: did not receive HSTS header
@@ -15137,6 +16375,7 @@ sqshq.de: did not receive HSTS header
 squaddraft.com: did not receive HSTS header
 squadlinx.com: did not receive HSTS header
 square.gs: could not connect to host
+squarelab.it: could not connect to host
 squareonebgc.com.ph: could not connect to host
 squatldf.org: could not connect to host
 squids.space: could not connect to host
@@ -15146,6 +16385,7 @@ sr-cs.net: did not receive HSTS header
 srcc.fr: could not connect to host
 sreeharis.tk: could not connect to host
 srevilak.net: did not receive HSTS header
+srichan.net: could not connect to host
 sritest.io: could not connect to host
 srmaximo.com: could not connect to host
 srna.sk: did not receive HSTS header
@@ -15159,23 +16399,21 @@ ssc8689.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERRO
 ssc8689.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 ssco.xyz: did not receive HSTS header
 ssconn.com: could not connect to host
-ssh.nu: could not connect to host
+ssh.nu: did not receive HSTS header
 sshool.at: could not connect to host
 ssl.panoramio.com: could not connect to host
 ssl.rip: could not connect to host
 sslzilla.de: did not receive HSTS header
 ssn1.ru: did not receive HSTS header
-sspanda.com: did not receive HSTS header
+sspanda.com: could not connect to host
 ssrvpn.tech: could not connect to host
 sss3s.com: could not connect to host
-sstewartgallus.com: could not connect to host
 ssworld.ga: could not connect to host
 staack.com: could not connect to host
 stabletoken.com: could not connect to host
 staceyhankeinc.com: did not receive HSTS header
 stackfiles.io: could not connect to host
 stackhub.cc: could not connect to host
-stacktile.io: could not connect to host
 stadionmanager.com: could not connect to host
 stadjerspasonline.nl: could not connect to host
 stadtgartenla.com: could not connect to host
@@ -15193,13 +16431,14 @@ stamboomvanderwal.nl: did not receive HSTS header
 stanandjerre.org: could not connect to host
 standardssuck.org: did not receive HSTS header
 standingmist.com: did not receive HSTS header
-standoutbooks.com: did not receive HSTS header
+standoutbooks.com: max-age too low: 0
 standuppaddlesports.com.au: did not receive HSTS header
+stang.moe: did not receive HSTS header
 stannahtrapliften.nl: did not receive HSTS header
 star-citizen.wiki: did not receive HSTS header
 star-killer.net: could not connect to host
-star-stuff.de: did not receive HSTS header
-star.do: could not connect to host
+star-stuff.de: could not connect to host
+star.do: did not receive HSTS header
 starandshield.com: did not receive HSTS header
 starapple.nl: did not receive HSTS header
 starcafe.me: could not connect to host
@@ -15208,6 +16447,7 @@ stardust-entertainments.co.uk: did not receive HSTS header
 starease.net: could not connect to host
 starfeeling.net: could not connect to host
 stargatepartners.com: did not receive HSTS header
+starinvestors.in: could not connect to host
 starklane.com: max-age too low: 300
 starlightentertainmentdevon.co.uk: did not receive HSTS header
 starmusic.ga: could not connect to host
@@ -15215,6 +16455,7 @@ starplatinum.jp: could not connect to host
 starquake.nl: could not connect to host
 starsbattle.net: could not connect to host
 starteesforsale.co.za: did not receive HSTS header
+startsamenvitaal.nu: did not receive HSTS header
 startup.melbourne: could not connect to host
 startuplevel.com: could not connect to host
 startuponcloud.com: max-age too low: 2678400
@@ -15222,7 +16463,6 @@ startuppeople.co.uk: could not connect to host
 startupum.ru: could not connect to host
 starwatches.eu: could not connect to host
 stash.ai: did not receive HSTS header
-stassi.ch: did not receive HSTS header
 state-of-body-and-mind.com: could not connect to host
 state-sponsored-actors.net: could not connect to host
 statementinsertsforless.com: did not receive HSTS header
@@ -15249,6 +16489,8 @@ stcomex.com: did not receive HSTS header
 stdev.org: could not connect to host
 steamhours.com: could not connect to host
 steampunkrobot.com: did not receive HSTS header
+steborio.pw: could not connect to host
+steckel.cc: could not connect to host
 steelbea.ms: could not connect to host
 steelrhino.co: could not connect to host
 steem.io: did not receive HSTS header
@@ -15256,6 +16498,7 @@ steenackers.be: did not receive HSTS header
 stefanweiser.de: did not receive HSTS header
 steffi-in-australien.com: could not connect to host
 stellarvale.net: could not connect to host
+stellen.ch: did not receive HSTS header
 stem.is: did not receive HSTS header
 stepbystep3d.com: did not receive HSTS header
 steph-autoecole.ch: did not receive HSTS header
@@ -15263,16 +16506,20 @@ steph3n.me: could not connect to host
 stephanierxo.com: did not receive HSTS header
 stephanos.me: could not connect to host
 stephenandburns.com: did not receive HSTS header
+stephenjvoiceovers.com: did not receive HSTS header
 stephensolis.net: could not connect to host
 stephensolisrey.es: could not connect to host
 steplogictalent.com: could not connect to host
 sterjoski.com: did not receive HSTS header
 stesti.cz: could not connect to host
+steuerkanzlei-und-wirtschaftsberater-manke.de: could not connect to host
+steve.kiwi: could not connect to host
 stevechekblain.win: could not connect to host
 stevengoodpaster.com: could not connect to host
 stevenkwan.me: could not connect to host
 stevensheffey.me: could not connect to host
 stevensononthe.net: did not receive HSTS header
+steventruesdell.com: could not connect to host
 stewartremodelingadvantage.com: could not connect to host
 stewonet.nl: did not receive HSTS header
 stge.uk: could not connect to host
@@ -15280,6 +16527,7 @@ sticklerjs.org: could not connect to host
 stickmy.cn: could not connect to host
 stickswag.cf: could not connect to host
 stickswag.eu: could not connect to host
+stiens.de: did not receive HSTS header
 stiffordacademy.org.uk: could not connect to host
 stig.io: did not receive HSTS header
 stiger.me: could not connect to host
@@ -15288,11 +16536,12 @@ stijnbelmans.be: max-age too low: 604800
 stikkie.me: could not connect to host
 stilettomoda.com.br: could not connect to host
 stillblackhat.id: could not connect to host
+stillnessproject.com: did not receive HSTS header
 stillyarts.com: did not receive HSTS header
 stinkytrashhound.com: could not connect to host
 stirlingpoon.net: could not connect to host
 stirlingpoon.xyz: could not connect to host
-stitthappens.com: did not receive HSTS header
+stitthappens.com: could not connect to host
 stjohnmiami.org: did not receive HSTS header
 stjohnsc.com: could not connect to host
 stkbn.com: could not connect to host
@@ -15310,14 +16559,15 @@ stoffelen.nl: did not receive HSTS header
 stoianlawfirm.com: could not connect to host
 stoick.me: could not connect to host
 stoinov.com: could not connect to host
+stolbart.com: could not connect to host
 stole-my.bike: could not connect to host
 stole-my.tv: could not connect to host
 stolkschepen.nl: did not receive HSTS header
 stomadental.com: did not receive HSTS header
 stonecutterscommunity.com: could not connect to host
+stonefusion.org.uk: could not connect to host
 stonemain.eu: could not connect to host
 stonemanbrasil.com.br: could not connect to host
-stonewuu.com: could not connect to host
 stopakwardhandshakes.org: could not connect to host
 stopbreakupnow.org: could not connect to host
 stopwoodfin.org: could not connect to host
@@ -15328,7 +16578,8 @@ store10.de: could not connect to host
 storecove.com: did not receive HSTS header
 storeden.com: did not receive HSTS header
 storefrontify.com: could not connect to host
-storiesofhealth.org: did not receive HSTS header
+storeprijs.nl: did not receive HSTS header
+storiesofhealth.org: could not connect to host
 stormhub.org: could not connect to host
 stormwatcher.org: could not connect to host
 stormyyd.com: max-age too low: 0
@@ -15336,14 +16587,23 @@ storytea.top: did not receive HSTS header
 stpatricksguild.com: did not receive HSTS header
 stqry.com: did not receive HSTS header
 str0.at: did not receive HSTS header
+straightedgebarbers.ca: did not receive HSTS header
 strangeplace.net: did not receive HSTS header
 strangescout.me: could not connect to host
 strasweb.fr: did not receive HSTS header
+stratuscloud.co.za: did not receive HSTS header
+stratuscloudconsulting.cn: did not receive HSTS header
+stratuscloudconsulting.co.uk: did not receive HSTS header
+stratuscloudconsulting.co.za: did not receive HSTS header
+stratuscloudconsulting.com: did not receive HSTS header
+stratuscloudconsulting.in: did not receive HSTS header
+stratuscloudconsulting.info: did not receive HSTS header
+stratuscloudconsulting.net: did not receive HSTS header
+stratuscloudconsulting.org: did not receive HSTS header
 strbt.de: could not connect to host
 strchr.com: did not receive HSTS header
 stream-ing.xyz: could not connect to host
 stream.pub: could not connect to host
-streamblur.net: could not connect to host
 streamdesk.ca: did not receive HSTS header
 streamer.tips: did not receive HSTS header
 streamingeverywhere.com: could not connect to host
@@ -15357,8 +16617,9 @@ strehl.tk: could not connect to host
 strelitzia02.com: could not connect to host
 stressfreehousehold.com: could not connect to host
 stretchpc.com: could not connect to host
+strictlynormal.com: could not connect to host
 strictlysudo.com: could not connect to host
-strife.tk: could not connect to host
+strife.tk: did not receive HSTS header
 strila.me: could not connect to host
 striptizer.tk: could not connect to host
 strming.com: could not connect to host
@@ -15373,14 +16634,16 @@ student.andover.edu: could not connect to host
 studentrdh.com: did not receive HSTS header
 studentresearcher.org: did not receive HSTS header
 studentskydenik.cz: could not connect to host
-studenttravel.cz: did not receive HSTS header
+studenttravel.cz: could not connect to host
 studer.su: could not connect to host
+studiemeter.nl: did not receive HSTS header
+studiereader.nl: did not receive HSTS header
 studinf.xyz: could not connect to host
-studio-panic.com: did not receive HSTS header
+studio-panic.com: could not connect to host
+studio-webdigi.com: did not receive HSTS header
 studiocn.cn: could not connect to host
 studiodoprazer.com.br: could not connect to host
 studiozelden.com: did not receive HSTS header
-studisys.net: could not connect to host
 studlan.no: could not connect to host
 studport.rv.ua: max-age too low: 604800
 studyabroadstation.com: could not connect to host
@@ -15390,6 +16653,7 @@ studyhub.cf: did not receive HSTS header
 studying-neet.com: could not connect to host
 studytale.com: could not connect to host
 stuff-fibre.co.nz: did not receive HSTS header
+stuffiwouldbuy.com: did not receive HSTS header
 stugb.de: did not receive HSTS header
 stumeta2018.de: could not connect to host
 stupidstatetricks.com: could not connect to host
@@ -15397,15 +16661,18 @@ sturbi.de: did not receive HSTS header
 sturbock.me: did not receive HSTS header
 sturdio.com.br: could not connect to host
 sturge.co.uk: did not receive HSTS header
+stutsmancounty.gov: could not connect to host
+stuttgart-gablenberg.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+stuudium.cloud: could not connect to host
 stuudium.life: could not connect to host
+stylaq.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 stylenda.com: could not connect to host
 stylle.me: could not connect to host
-stytt.com: did not receive HSTS header
+stytt.com: could not connect to host
 suaraangin.com: could not connect to host
 suareforma.com: could not connect to host
 suave.io: did not receive HSTS header
 subbing.work: could not connect to host
-subdimension.org: could not connect to host
 subeesu.com: could not connect to host
 subhacker.net: could not connect to host
 subjektzentrisch.de: could not connect to host
@@ -15413,31 +16680,35 @@ sublevel.net: did not receive HSTS header
 subrain.com: did not receive HSTS header
 subrosa.io: could not connect to host
 subsys.no: did not receive HSTS header
+subterfuge.io: did not receive HSTS header
 subtitle.rip: could not connect to host
 subwayz.de: did not receive HSTS header
 subzerolosangeles.com: did not receive HSTS header
-subzerotech.co.uk: could not connect to host
 successwithflora.com: could not connect to host
 succubus.network: could not connect to host
 succubus.xxx: could not connect to host
-suche.org: could not connect to host
 suchprogrammer.net: did not receive HSTS header
 sudo.im: could not connect to host
 sudosu.fr: could not connect to host
 suempresa.cloud: could not connect to host
-suffts.de: could not connect to host
+suffts.de: did not receive HSTS header
 sugarcitycon.com: could not connect to host
 sugarsweetorsour.com: did not receive HSTS header
 sugartownfarm.com: could not connect to host
 suian.or.jp: max-age too low: 86400
 suite73.org: could not connect to host
+suited21.com: did not receive HSTS header
 suitocracy.com: could not connect to host
+summa-prefis.com: did not receive HSTS header
 summer.ga: could not connect to host
+summermc.cc: could not connect to host
 summitbankofkc.com: did not receive HSTS header
 summitmasters.net: did not receive HSTS header
+sumoatm.com: did not receive HSTS header
 sumoscout.de: did not receive HSTS header
+sun-leo.co.jp: did not receive HSTS header
 sun-wellness-online.com.vn: did not receive HSTS header
-sun.re: could not connect to host
+sun.re: did not receive HSTS header
 suncountrymarine.com: did not receive HSTS header
 sundaycooks.com: max-age too low: 2592000
 suneilpatel.com: could not connect to host
@@ -15446,7 +16717,7 @@ sunfireshop.com.br: could not connect to host
 sunlandsg.vn: did not receive HSTS header
 sunnyfruit.ru: could not connect to host
 sunriseafricarelief.com: did not receive HSTS header
-sunset.im: did not receive HSTS header
+sunset.im: could not connect to host
 sunshinepress.org: could not connect to host
 sunxchina.com: could not connect to host
 sunyanzi.tk: could not connect to host
@@ -15470,9 +16741,7 @@ superiorfloridavacation.com: could not connect to host
 superklima.ro: did not receive HSTS header
 superlandnetwork.de: could not connect to host
 superlentes.com.br: could not connect to host
-supermarx.nl: could not connect to host
 supernovabrasil.com.br: did not receive HSTS header
-supernt.lt: could not connect to host
 superpase.com: could not connect to host
 supersahnetorten.de: could not connect to host
 supersalescontest.nl: did not receive HSTS header
@@ -15481,25 +16750,28 @@ supersecurefancydomain.com: could not connect to host
 supertramp-dafonseca.com: did not receive HSTS header
 superuser.fi: could not connect to host
 superwally.org: could not connect to host
+superway.es: did not receive HSTS header
 supes.io: did not receive HSTS header
 supperclub.es: could not connect to host
 support4server.de: could not connect to host
 supportfan.gov: could not connect to host
 suprlink.net: could not connect to host
-supweb.ovh: did not receive HSTS header
+supweb.ovh: could not connect to host
+surasak.io: could not connect to host
 surasak.xyz: could not connect to host
 suraya.online: could not connect to host
+surdam.casa: could not connect to host
 surfeasy.com: did not receive HSTS header
 surfone-leucate.com: did not receive HSTS header
 surgiclinic.gr: did not receive HSTS header
 surkatty.org: did not receive HSTS header
-surveyinstrumentsales.com: max-age too low: 84600
+suruifu.tk: could not connect to host
 survivalistplanet.com: could not connect to host
 survivebox.fr: did not receive HSTS header
+susanvelez.com: did not receive HSTS header
 susastudentenjobs.de: could not connect to host
 susconam.org: could not connect to host
 suseasky.com: did not receive HSTS header
-sushi.roma.it: did not receive HSTS header
 sushifrick.de: could not connect to host
 sushiwereld.be: did not receive HSTS header
 susoccm.org: did not receive HSTS header
@@ -15517,7 +16789,8 @@ svarovani.tk: could not connect to host
 svatba-frantovi.cz: could not connect to host
 sve-hosting.nl: could not connect to host
 svenbacia.me: could not connect to host
-svenskacasino.com: did not receive HSTS header
+svendubbeld.nl: did not receive HSTS header
+svenskacasino.com: could not connect to host
 svenskaservern.se: could not connect to host
 svetdrzaku.cz: did not receive HSTS header
 svetjakonadlani.cz: did not receive HSTS header
@@ -15527,11 +16800,11 @@ svj-stochovska.cz: could not connect to host
 svjvn.cz: could not connect to host
 swacp.com: could not connect to host
 swaggerdile.com: could not connect to host
-swagsocial.net: could not connect to host
 swaleacademiestrust.org.uk: max-age too low: 2592000
 swallsoft.co.uk: could not connect to host
 swallsoft.com: could not connect to host
 swanseapartyhire.co.uk: could not connect to host
+swarlys-server.de: could not connect to host
 swarmation.com: did not receive HSTS header
 sway.com: did not receive HSTS header
 swdatlantico.pt: could not connect to host
@@ -15539,6 +16812,7 @@ sweep.cards: did not receive HSTS header
 sweetlegs.jp: could not connect to host
 sweetstreats.ca: could not connect to host
 sweetvanilla.jp: could not connect to host
+swehack.org: could not connect to host
 swfloshatraining.com: could not connect to host
 swift-devedge.de: could not connect to host
 swiftconf.com: did not receive HSTS header
@@ -15546,9 +16820,12 @@ swiftcrypto.com: could not connect to host
 swiftpk.net: could not connect to host
 swiggy.com: did not receive HSTS header
 swimming.ca: did not receive HSTS header
+swimmingpoolaccidentattorney.net: could not connect to host
 swingular.com: could not connect to host
+swisscannabis.club: could not connect to host
 swissentreprises.ch: could not connect to host
 swissfreshaircan.com: could not connect to host
+swisstechtalks.ch: did not receive HSTS header
 swisstranslate.ch: did not receive HSTS header
 swisstranslate.fr: did not receive HSTS header
 swisswebhelp.ch: could not connect to host
@@ -15561,28 +16838,32 @@ sx3.no: could not connect to host
 sxbk.pw: could not connect to host
 syam.cc: could not connect to host
 syamuwatching.xyz: could not connect to host
-sychov.pro: could not connect to host
 sydgrabber.tk: could not connect to host
+syhost.at: did not receive HSTS header
+syhost.ch: did not receive HSTS header
+syhost.de: did not receive HSTS header
 sykl.us: could not connect to host
 sylvaincombe.net: could not connect to host
+sylvan.me: could not connect to host
+sylvangarden.net: could not connect to host
 sylvangarden.org: could not connect to host
 sylvanorder.com: did not receive HSTS header
-symetria.io: max-age too low: 2592000
 synackr.com: could not connect to host
 synapticconsulting.co.uk: could not connect to host
 syncaddict.net: could not connect to host
 syncappate.com: could not connect to host
 syncclinicalstudy.com: could not connect to host
 syncer.jp: did not receive HSTS header
-synchtu.be: could not connect to host
 syncmylife.net: could not connect to host
 syncserve.net: did not receive HSTS header
-syneic.com: could not connect to host
+syneic.com: did not receive HSTS header
 synergisticsoccer.com: could not connect to host
 syno.gq: could not connect to host
 syntaxoff.com: could not connect to host
 syntheticmotoroil.org: did not receive HSTS header
 syobon.org: could not connect to host
+syoier.com: could not connect to host
+syracuseut.gov: could not connect to host
 syrocon.ch: could not connect to host
 sys.tf: could not connect to host
 sysadmins.ro: could not connect to host
@@ -15597,9 +16878,11 @@ systea.net: could not connect to host
 system-online.cz: did not receive HSTS header
 systemd.me: could not connect to host
 sytk.me: could not connect to host
+syunpay.cn: did not receive HSTS header
 syy.hk: did not receive HSTS header
 szagun.net: did not receive HSTS header
 szaszm.tk: could not connect to host
+szczot3k.pl: did not receive HSTS header
 szerbnyelvkonyv.hu: could not connect to host
 szlovaknyelv.hu: could not connect to host
 szlovennyelv.hu: could not connect to host
@@ -15610,6 +16893,8 @@ t-ken.xyz: could not connect to host
 t-point.eu: did not receive HSTS header
 t-tz.com: could not connect to host
 t0dd.eu: could not connect to host
+t2000headphones.com: could not connect to host
+t2000laserpointers.com: could not connect to host
 t3rror.net: could not connect to host
 t4c-rebirth.com: could not connect to host
 t4x.org: could not connect to host
@@ -15622,6 +16907,7 @@ tabitatsu.jp: did not receive HSTS header
 tabla-periodica.com: could not connect to host
 tachyonapp.com: could not connect to host
 tacoma-games.com: did not receive HSTS header
+tacostea.net: could not connect to host
 tacotown.tk: could not connect to host
 tadata.me: could not connect to host
 tadcastercircuit.org.uk: did not receive HSTS header
@@ -15658,19 +16944,21 @@ talklifestyle.nl: could not connect to host
 talktwincities.com: could not connect to host
 tallr.se: could not connect to host
 tallshoe.com: could not connect to host
+talroo.com: could not connect to host
 talsi.eu: could not connect to host
-tam7t.com: could not connect to host
-tamersunion.org: did not receive HSTS header
+tam7t.com: did not receive HSTS header
 tamex.xyz: could not connect to host
-tamriel-rebuilt.org: could not connect to host
 tandarts-haarlem.nl: did not receive HSTS header
 tandblekningidag.com: could not connect to host
+tandilmap.com.ar: did not receive HSTS header
 tangerine.ga: could not connect to host
 tangibilizing.com: could not connect to host
 tangiblesecurity.com: did not receive HSTS header
+tango-cats.de: could not connect to host
 tangsisi.com: could not connect to host
 tangyue.date: could not connect to host
 tangzhao.net: could not connect to host
+tanhit.com: could not connect to host
 taniesianie.pl: did not receive HSTS header
 tankfreunde.de: did not receive HSTS header
 tante-bugil.net: could not connect to host
@@ -15684,18 +16972,20 @@ tapestries.tk: could not connect to host
 tapfinder.ca: could not connect to host
 tapka.cz: did not receive HSTS header
 tappublisher.com: did not receive HSTS header
+taqun.club: could not connect to host
 tarantul.org.ua: could not connect to host
 taravancil.com: did not receive HSTS header
 tarek.link: could not connect to host
 targaryen.house: could not connect to host
-tarhauskielto.fi: could not connect to host
+tarhauskielto.fi: did not receive HSTS header
+tarots-et-oracles.com: did not receive HSTS header
 tarsashaz-biztositas.hu: did not receive HSTS header
 tartaros.fi: could not connect to host
-taskstats.com: could not connect to host
+taskstats.com: did not receive HSTS header
 tasmansecurity.com: could not connect to host
 tassup.com: could not connect to host
 tasta.ro: could not connect to host
-tasticfilm.com: did not receive HSTS header
+tasticfilm.com: could not connect to host
 tastyyy.co: could not connect to host
 tasyacherry-anal.com: could not connect to host
 tatilbus.com: could not connect to host
@@ -15703,9 +16993,11 @@ tatilmix.com: could not connect to host
 tatort-fanpage.de: could not connect to host
 tatt.io: could not connect to host
 tauchkater.de: could not connect to host
+tauschen.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tavoittaja.fi: did not receive HSTS header
 tavopica.lt: did not receive HSTS header
 taxbench.com: could not connect to host
+taxi-24std.de: did not receive HSTS header
 taxiindenbosch.nl: did not receive HSTS header
 taxmadras.com: could not connect to host
 taxsnaps.co.nz: did not receive HSTS header
@@ -15719,8 +17011,10 @@ tbrss.com: did not receive HSTS header
 tbtech.cz: did not receive HSTS header
 tbys.us: could not connect to host
 tc-bonito.de: did not receive HSTS header
+tcacademy.co.uk: could not connect to host
 tcao.info: could not connect to host
 tcby45.xyz: could not connect to host
+tchaka.top: could not connect to host
 tcl.ath.cx: did not receive HSTS header
 tcp.expert: did not receive HSTS header
 tcptun.com: could not connect to host
@@ -15737,9 +17031,11 @@ tdsbhack.ga: could not connect to host
 tdsbhack.gq: could not connect to host
 tdsbhack.ml: could not connect to host
 tdsbhack.tk: could not connect to host
-teacherph.net: could not connect to host
+teacherph.net: did not receive HSTS header
 teachforcanada.ca: did not receive HSTS header
 tealdrones.com: did not receive HSTS header
+team-bbd.com: could not connect to host
+team-pancake.eu: could not connect to host
 team-teasers.com: could not connect to host
 team2fou.cf: did not receive HSTS header
 teamassists.com: did not receive HSTS header
@@ -15751,10 +17047,11 @@ teamnetsol.com: did not receive HSTS header
 teampoint.cz: could not connect to host
 teams.microsoft.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 teamsocial.co: did not receive HSTS header
+teamtravel.co: could not connect to host
 teamx-gaming.de: could not connect to host
 teamzeus.cz: could not connect to host
 teaparty.id: could not connect to host
-tearoy.faith: could not connect to host
+tearoy.faith: did not receive HSTS header
 teasenetwork.com: could not connect to host
 tebieer.com: could not connect to host
 tech-blog.fr: did not receive HSTS header
@@ -15763,7 +17060,10 @@ tech55i.com: could not connect to host
 techandtux.de: could not connect to host
 techask.it: could not connect to host
 techassist.io: did not receive HSTS header
-techcavern.ml: did not receive HSTS header
+techbelife.com: could not connect to host
+techbrawl.org: could not connect to host
+techcavern.ml: could not connect to host
+techcentric.com: did not receive HSTS header
 techday.co.nz: did not receive HSTS header
 techday.com: did not receive HSTS header
 techday.com.au: did not receive HSTS header
@@ -15779,15 +17079,13 @@ techmasters.andover.edu: could not connect to host
 techmatehq.com: could not connect to host
 technicalforensic.com: could not connect to host
 technicalpenguins.com: did not receive HSTS header
-technicalsystemsprocessing.com: did not receive HSTS header
-techniclab.net: could not connect to host
-techniclab.org: could not connect to host
-techniclab.ru: could not connect to host
-technikrom.org: did not receive HSTS header
+technifocal.com: could not connect to host
 technogroup.cz: did not receive HSTS header
+technologyand.me: did not receive HSTS header
 technosavvyport.com: did not receive HSTS header
 technosuport.com: did not receive HSTS header
 technoswag.ca: could not connect to host
+technotonic.co.uk: could not connect to host
 technotonic.com.au: did not receive HSTS header
 techpointed.com: could not connect to host
 techpro.net.br: did not receive HSTS header
@@ -15798,24 +17096,25 @@ techtrackerpro.com: could not connect to host
 techtraveller.com.au: did not receive HSTS header
 techtuts.info: could not connect to host
 techunit.org: could not connect to host
+techvalue.gr: did not receive HSTS header
+techwords.io: could not connect to host
 tecit.ch: could not connect to host
-tecnidev.com: could not connect to host
 tecnimotos.com: did not receive HSTS header
-tecnogaming.com: did not receive HSTS header
 tecnologino.com: could not connect to host
-tecture.de: did not receive HSTS header
-tedovo.com: could not connect to host
+tecture.de: could not connect to host
+tedovo.com: did not receive HSTS header
 tedxkmitl.com: could not connect to host
 tee-idf.net: could not connect to host
-teedb.de: could not connect to host
 teehaus-shila.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 teenerotic.net: could not connect to host
 teeplelaw.com: did not receive HSTS header
-teesypeesy.com: did not receive HSTS header
+teesypeesy.com: max-age too low: 2592000
 tefl.io: did not receive HSTS header
 tegelsensanitaironline.nl: did not receive HSTS header
+tehcrayz.com: could not connect to host
 tehotuotanto.net: did not receive HSTS header
 tehplace.club: could not connect to host
+tehrankey.ir: did not receive HSTS header
 tekiro.com: did not receive HSTS header
 teknogeek.id: could not connect to host
 teknologi.or.id: max-age too low: 36000
@@ -15823,8 +17122,11 @@ teknotes.co.uk: could not connect to host
 tekshrek.com: did not receive HSTS header
 teksuperior.com: could not connect to host
 tektoria.de: did not receive HSTS header
+tektuts.com: could not connect to host
 tel-dithmarschen.de: did not receive HSTS header
+tele-alarme.ch: could not connect to host
 tele-assistance.ch: could not connect to host
+telealarmevalais.ch: could not connect to host
 teleallarme.ch: could not connect to host
 telecharger-itunes.com: could not connect to host
 telecharger-open-office.com: could not connect to host
@@ -15832,18 +17134,16 @@ telecharger-winrar.com: could not connect to host
 telefisk.org: did not receive HSTS header
 telefonnummer.online: could not connect to host
 telefonogratuito.com: did not receive HSTS header
-telefonsinyalguclendirici.com: did not receive HSTS header
+telefonsinyalguclendirici.com: could not connect to host
 telefoonnummerinfo.nl: could not connect to host
 telekollektiv.org: could not connect to host
+telepons.com: could not connect to host
 telescam.com: could not connect to host
-teleshop.be: could not connect to host
-teletechnology.in: did not receive HSTS header
+teleshop.be: did not receive HSTS header
 teletra.ru: could not connect to host
 telfordwhitehouse.co.uk: did not receive HSTS header
-tellingua.com: could not connect to host
 teltonica.com: did not receive HSTS header
 telugu4u.net: could not connect to host
-temasa.net: did not receive HSTS header
 temehu.com: did not receive HSTS header
 tempcraft.net: could not connect to host
 tempflix.com: could not connect to host
@@ -15852,25 +17152,29 @@ tempodecolheita.com.br: could not connect to host
 tempus-aquilae.de: could not connect to host
 ten-cafe.com: could not connect to host
 tendertool.nl: could not connect to host
-tendoryu-aikido.org: did not receive HSTS header
 tenerife-villas.com: max-age too low: 2592000
 tengu.cloud: could not connect to host
 tenispopular.com: could not connect to host
 tenma.pro: could not connect to host
 tenni.xyz: could not connect to host
+tennisadmin.com: could not connect to host
 tennisapp.org: could not connect to host
 tennispensacola.com: could not connect to host
 tensei-slime.com: did not receive HSTS header
 tensionup.com: could not connect to host
 tent.io: could not connect to host
+tentabrowser.com: could not connect to host
 tentins.com: could not connect to host
 teodio.cl: did not receive HSTS header
 teos.online: could not connect to host
 teoskanta.fi: could not connect to host
 teranga.ch: did not receive HSTS header
 tercerapuertoaysen.cl: could not connect to host
+termax.me: could not connect to host
+terminalvelocity.co.nz: could not connect to host
 terra-x.net: could not connect to host
 terra.by: did not receive HSTS header
+terrace.co.jp: did not receive HSTS header
 terrax.berlin: could not connect to host
 terrax.info: did not receive HSTS header
 terrax.net: could not connect to host
@@ -15883,7 +17187,7 @@ test02.dk: did not receive HSTS header
 testadren.com: could not connect to host
 testadron.com: could not connect to host
 testandroid.xyz: could not connect to host
-testbawks.com: could not connect to host
+testbawks.com: did not receive HSTS header
 testbirds.cz: could not connect to host
 testbirds.sk: could not connect to host
 testdomain.ovh: could not connect to host
@@ -15892,12 +17196,12 @@ testnode.xyz: could not connect to host
 testosterone-complex.com: could not connect to host
 testovaci.ml: could not connect to host
 testpornsite.com: could not connect to host
-tetrafinancial-commercial-business-equipment-financing.com: did not receive HSTS header
-tetrafinancial-energy-mining-equipment-financing.com: did not receive HSTS header
-tetrafinancial-healthcare-medical-equipment-financing.com: did not receive HSTS header
-tetrafinancial-manufacturing-industrial-equipment-financing.com: did not receive HSTS header
-tetrafinancial-news.com: did not receive HSTS header
-tetrafinancial-technology-equipment-software-financing.com: did not receive HSTS header
+tetrafinancial-commercial-business-equipment-financing.com: could not connect to host
+tetrafinancial-energy-mining-equipment-financing.com: could not connect to host
+tetrafinancial-healthcare-medical-equipment-financing.com: could not connect to host
+tetrafinancial-manufacturing-industrial-equipment-financing.com: could not connect to host
+tetrafinancial-news.com: could not connect to host
+tetrafinancial-technology-equipment-software-financing.com: could not connect to host
 tetramax.eu: did not receive HSTS header
 tetsai.com: could not connect to host
 teufelsystem.de: could not connect to host
@@ -15908,6 +17212,7 @@ textracer.dk: could not connect to host
 tezcam.tk: could not connect to host
 tf-network.de: did not receive HSTS header
 tf2stadium.com: did not receive HSTS header
+tf7879.com: could not connect to host
 tfcoms-sp-tracker-client.azurewebsites.net: could not connect to host
 tffans.com: could not connect to host
 tfl.lu: did not receive HSTS header
@@ -15915,10 +17220,9 @@ tgbyte.com: did not receive HSTS header
 tgod.co: could not connect to host
 tgr.re: could not connect to host
 th-bl.de: did not receive HSTS header
-th3nd.com: could not connect to host
+th3nd.com: did not receive HSTS header
 thackert.myfirewall.org: could not connect to host
 thagki9.com: did not receive HSTS header
-thai.land: could not connect to host
 thaianthro.com: max-age too low: 0
 thaigirls.xyz: could not connect to host
 thaihostcool.com: did not receive HSTS header
@@ -15927,22 +17231,24 @@ thalmann.fr: did not receive HSTS header
 thalskarth.com: did not receive HSTS header
 thatgudstuff.com: could not connect to host
 thatpodcast.io: did not receive HSTS header
-thatvizsla.life: could not connect to host
+thatvizsla.life: did not receive HSTS header
 the-construct.com: could not connect to host
 the-delta.net.eu.org: could not connect to host
 the-digitale.com: did not receive HSTS header
 the-earth-yui.net: could not connect to host
 the-finance-blog.com: could not connect to host
 the-gist.io: could not connect to host
-the-paddies.de: could not connect to host
+the-paddies.de: did not receive HSTS header
 the-sky-of-valkyries.com: could not connect to host
 the.ie: max-age too low: 0
 the420vape.org: could not connect to host
 theamateurs.net: did not receive HSTS header
-theamp.com: could not connect to host
+theamp.com: did not receive HSTS header
+thearcheryguide.com: did not receive HSTS header
 theater.cf: could not connect to host
 theavenuegallery.com: did not receive HSTS header
 thebakingclass.com: max-age too low: 60
+thebarneystyle.com: did not receive HSTS header
 thebasementguys.com: could not connect to host
 thebeautifulmusic.net: did not receive HSTS header
 thebeginningisnye.com: could not connect to host
@@ -15966,15 +17272,15 @@ thecodeninja.net: did not receive HSTS header
 thecoffeehouse.xyz: could not connect to host
 thecoffeepod.co.uk: did not receive HSTS header
 thecozycastle.com: did not receive HSTS header
+thecrochetcottage.net: could not connect to host
 thecskr.in: did not receive HSTS header
 thecsw.com: did not receive HSTS header
-thecuriousdev.com: did not receive HSTS header
+thecuriouscat.net: could not connect to host
 thedailyupvote.com: could not connect to host
 thedarkartsandcrafts.com: could not connect to host
-thedebug.life: did not receive HSTS header
 thedevilwearswibra.nl: did not receive HSTS header
-thedom.site: could not connect to host
-thedominatorsclan.com: did not receive HSTS header
+thediaryofadam.com: did not receive HSTS header
+thedominatorsclan.com: could not connect to host
 thedrinks.co: did not receive HSTS header
 thedrop.pw: did not receive HSTS header
 thedrunkencabbage.com: could not connect to host
@@ -15986,9 +17292,10 @@ theepankar.com: could not connect to host
 theescapistswiki.com: could not connect to host
 theevergreen.me: could not connect to host
 theexpatriate.de: could not connect to host
-theeyeopener.com: did not receive HSTS header
 thefarbeyond.com: could not connect to host
 thefasterweb.com: did not receive HSTS header
+thefilmcolor.com: max-age too low: 0
+theflyingbear.net: could not connect to host
 thefootballanalyst.com: did not receive HSTS header
 thefox.co: did not receive HSTS header
 thefox.com.fr: could not connect to host
@@ -16005,14 +17312,18 @@ thegreens.us: could not connect to host
 thegreenvpn.com: could not connect to host
 thegym.org: did not receive HSTS header
 thehiddenbay.cc: could not connect to host
-thehiddenbay.eu: max-age too low: 0
-thehiddenbay.me: max-age too low: 0
+thehiddenbay.eu: could not connect to host
+thehiddenbay.fi: did not receive HSTS header
+thehiddenbay.info: did not receive HSTS header
+thehiddenbay.me: could not connect to host
 thehiddenbay.net: could not connect to host
+thehiddenbay.ws: did not receive HSTS header
 thehighersideclothing.com: did not receive HSTS header
 thehistory.me: could not connect to host
 thehoopsarchive.com: could not connect to host
 theimagesalon.com: max-age too low: 43200
 theinvisibletrailer.com: could not connect to host
+thej0lt.com: did not receive HSTS header
 thejobauction.com: did not receive HSTS header
 thejserver.de: could not connect to host
 thekrewserver.com: did not receive HSTS header
@@ -16032,6 +17343,7 @@ themerchandiser.net: [Exception... "Component returned failure code: 0x80004005
 themesurgeons.net: could not connect to host
 themicrocapital.com: could not connect to host
 themoderate.xyz: could not connect to host
+thenarcissisticlife.com: did not receive HSTS header
 thenextstep.events: could not connect to host
 thenichecast.com: could not connect to host
 thenorthschool.org.uk: did not receive HSTS header
@@ -16039,35 +17351,38 @@ thenrdhrd.nl: could not connect to host
 theodorejones.info: could not connect to host
 theojones.name: could not connect to host
 theokonst.tk: did not receive HSTS header
-theosblog.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+theosblog.de: did not receive HSTS header
 theosophie-afrique.org: could not connect to host
 theoverfly.co: could not connect to host
 thepartywarehouse.co.uk: did not receive HSTS header
 thepcweb.tk: could not connect to host
+thepiabo.ovh: did not receive HSTS header
 thepiratebay.al: could not connect to host
 thepiratebay.poker: could not connect to host
 thepiratebay.tech: could not connect to host
 theposhfudgecompany.co.uk: could not connect to host
+thepostoffice.ro: did not receive HSTS header
 theprincegame.com: could not connect to host
 theprivacysolution.com: could not connect to host
+thepurem.com: could not connect to host
+thepythianseed.com: did not receive HSTS header
 thequillmagazine.org: could not connect to host
 therewill.be: could not connect to host
-therise.ca: could not connect to host
+therise.ca: max-age too low: 300
 thermique.ch: could not connect to host
 theroamingnotary.com: did not receive HSTS header
-therockawaysny.com: did not receive HSTS header
+therockawaysny.com: could not connect to host
 thesassynut.com: did not receive HSTS header
 thesearchnerds.co.uk: did not receive HSTS header
 thesecurityteam.net: could not connect to host
 thesehighsandlows.com: could not connect to host
 theserver201.tk: could not connect to host
+theserviceyouneed.com: did not receive HSTS header
 theshadestore.com: max-age too low: 10368000
 thesled.net: could not connect to host
-thesnellvilledentist.com: did not receive HSTS header
 thesplit.is: could not connect to host
 thestack.xyz: could not connect to host
 thestagchorleywood.co.uk: did not receive HSTS header
-thesteins.org: could not connect to host
 thestonegroup.de: did not receive HSTS header
 thestoritplace.com: max-age too low: 0
 thestral.pro: could not connect to host
@@ -16076,28 +17391,29 @@ thetapirsmouth.com: could not connect to host
 thethirdroad.com: did not receive HSTS header
 thetradinghall.com: could not connect to host
 thetruthhurvitz.com: could not connect to host
+theunitedstates.io: did not receive HSTS header
 theurbanyoga.com: did not receive HSTS header
 theuucc.org: did not receive HSTS header
 thevintagenews.com: did not receive HSTS header
 thevoid.one: could not connect to host
 thewallset.com: could not connect to host
 thewaxhouse.shop: did not receive HSTS header
-thewayofthedojo.com: did not receive HSTS header
+thewebdexter.com: could not connect to host
 thewebfellas.com: did not receive HSTS header
 thewego.com: could not connect to host
 theweilai.com: could not connect to host
 thewhiterabbit.space: could not connect to host
 thewindow.com: could not connect to host
 theworkingeye.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+thewp.pro: max-age too low: 0
 theyachtteam.com: could not connect to host
-thezero.org: could not connect to host
 thezonders.com: did not receive HSTS header
 thgros.fr: could not connect to host
+thibaultwalle.com: could not connect to host
 thibautcharles.net: did not receive HSTS header
 thienteakee.com: did not receive HSTS header
 thierfreund.de: did not receive HSTS header
-thijsbekke.nl: could not connect to host
-thingies.site: could not connect to host
+thierryhayoz.ch: could not connect to host
 thinkcash.nl: could not connect to host
 thinkcoding.de: could not connect to host
 thinkcoding.org: could not connect to host
@@ -16126,12 +17442,11 @@ thomasnet.fr: could not connect to host
 thomasscholz.com: max-age too low: 2592000
 thomasschweizer.net: could not connect to host
 thomasvt.xyz: max-age too low: 2592000
-thomspooren.nl: could not connect to host
 thorbis.com: could not connect to host
 thorbiswebsitedesign.com: could not connect to host
 thorgames.nl: did not receive HSTS header
 thorncreek.net: did not receive HSTS header
-thot.space: could not connect to host
+thot.space: did not receive HSTS header
 thoughtlessleaders.online: could not connect to host
 threatcentral.io: could not connect to host
 threebrothersbrewing.com: could not connect to host
@@ -16142,8 +17457,8 @@ throughthelookingglasslens.co.uk: could not connect to host
 thrx.net: did not receive HSTS header
 thumbtack.com: did not receive HSTS header
 thundercampaign.com: could not connect to host
-thuviensoft.com: could not connect to host
 thuviensoft.net: could not connect to host
+thynx.io: could not connect to host
 thyrex.fr: could not connect to host
 ti-js.com: could not connect to host
 ti.blog.br: did not receive HSTS header
@@ -16155,6 +17470,7 @@ tianxing.pro: did not receive HSTS header
 tianxingvpn.pro: could not connect to host
 tibbitshall.ca: could not connect to host
 tibovanheule.site: could not connect to host
+ticketmates.com.au: did not receive HSTS header
 ticketoplichting.nl: did not receive HSTS header
 tickopa.co.uk: could not connect to host
 tickreport.com: did not receive HSTS header
@@ -16163,13 +17479,12 @@ tictactux.de: could not connect to host
 tidmore.us: could not connect to host
 tie-online.org: could not connect to host
 tiendafetichista.com: could not connect to host
+tiendavertigo.com: did not receive HSTS header
 tiendschuurstraat.nl: could not connect to host
 tiensnet.com: could not connect to host
 tierarztpraxis-illerwinkel.de: did not receive HSTS header
 tiernanx.com: could not connect to host
-tierraprohibida.net: did not receive HSTS header
 tierrarp.com: could not connect to host
-tiffanytravels.com: did not receive HSTS header
 tiggi.pw: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tightlineproductions.com: did not receive HSTS header
 tigit.co.nz: could not connect to host
@@ -16181,7 +17496,7 @@ tilkah.com.au: could not connect to host
 tillcraft.com: could not connect to host
 timbeilby.com: could not connect to host
 timbuktutimber.com: did not receive HSTS header
-timcamara.com: could not connect to host
+timcamara.com: did not receive HSTS header
 timchanhxe.com: did not receive HSTS header
 timdebruijn.nl: did not receive HSTS header
 time-river.xyz: could not connect to host
@@ -16198,15 +17513,15 @@ timestamp.io: did not receive HSTS header
 timestamp.uk: could not connect to host
 timetab.org: could not connect to host
 timhieubenh.net: could not connect to host
+timhieuthuoc.com: could not connect to host
 timhjalpen.se: could not connect to host
 timklefisch.de: did not receive HSTS header
 timmy.im: could not connect to host
 timmy.ws: could not connect to host
-timotrans.de: did not receive HSTS header
-timotrans.eu: did not receive HSTS header
-timowi.de: could not connect to host
+timotrans.de: could not connect to host
+timotrans.eu: could not connect to host
 timowi.net: could not connect to host
-timroes.de: could not connect to host
+timroes.de: did not receive HSTS header
 timschubert.net: max-age too low: 172800
 timvandekamp.nl: did not receive HSTS header
 timwhite.io: did not receive HSTS header
@@ -16214,8 +17529,8 @@ timwittenberg.com: could not connect to host
 tinchbear.xyz: could not connect to host
 tindewen.net: could not connect to host
 tink.network: could not connect to host
-tinkerers-trunk.co.za: did not receive HSTS header
-tioat.net: could not connect to host
+tinkerboard.org: could not connect to host
+tinkerers-trunk.co.za: could not connect to host
 tipiakers.club: could not connect to host
 tipps-fuer-den-haushalt.de: could not connect to host
 tippspiel.cc: could not connect to host
@@ -16230,6 +17545,7 @@ titanleaf.com: could not connect to host
 titanpointe.org: did not receive HSTS header
 tittarpuls.se: could not connect to host
 titties.ml: could not connect to host
+tivido.nl: could not connect to host
 tjandpals.com: could not connect to host
 tjc.wiki: could not connect to host
 tjeckien.guide: could not connect to host
@@ -16237,16 +17553,15 @@ tjs.me: could not connect to host
 tju.me: could not connect to host
 tkappertjedemetamorfose.nl: could not connect to host
 tkarstens.de: did not receive HSTS header
+tkeycoin.com: did not receive HSTS header
 tkhw.tk: could not connect to host
-tkirch.de: could not connect to host
-tkjg.fi: could not connect to host
-tkn.tokyo: could not connect to host
 tkonstantopoulos.tk: could not connect to host
 tkts.cl: could not connect to host
 tlcdn.net: could not connect to host
 tlo.hosting: could not connect to host
 tlo.link: could not connect to host
 tlo.network: could not connect to host
+tls.builders: could not connect to host
 tls.li: could not connect to host
 tlsbv.nl: did not receive HSTS header
 tlshost.net: could not connect to host
@@ -16254,22 +17569,25 @@ tm-solutions.eu: could not connect to host
 tm.id.au: did not receive HSTS header
 tmaward.net: could not connect to host
 tmconnects.com: could not connect to host
-tmdc.ddns.net: could not connect to host
 tmhlive.com: could not connect to host
 tmhr.moe: could not connect to host
+tmi.news: did not receive HSTS header
 tmin.cf: could not connect to host
 tmitchell.io: could not connect to host
 tmprod.com: did not receive HSTS header
-tmtradingmorocco.ma: could not connect to host
+tmtradingmorocco.ma: did not receive HSTS header
 tnb-plattform.de: could not connect to host
 tncnanet.com.br: could not connect to host
 tno.io: could not connect to host
+tnwioa.gov: could not connect to host
 to2mbn.org: could not connect to host
+toabsentfamily.com: did not receive HSTS header
 tobaby.com.br: could not connect to host
 tobacco.gov: could not connect to host
 tobaccore.eu: could not connect to host
 tobaccore.sk: could not connect to host
-tobedo.net: could not connect to host
+tobi-server.goip.de: could not connect to host
+tobi-videos.goip.de: could not connect to host
 tobias-bielefeld.de: did not receive HSTS header
 tobiasbergius.se: could not connect to host
 tobiasmathes.com: could not connect to host
@@ -16279,6 +17597,7 @@ tobiassachs.cf: could not connect to host
 tobiassachs.tk: could not connect to host
 tobis-webservice.de: did not receive HSTS header
 tobyx.is: could not connect to host
+toddmissiontx.gov: did not receive HSTS header
 todesschaf.org: could not connect to host
 todo.is: could not connect to host
 todobazar.es: could not connect to host
@@ -16294,8 +17613,10 @@ tohokufd.com: could not connect to host
 tojeto.eu: did not receive HSTS header
 toka.sg: could not connect to host
 tokage.me: could not connect to host
+tokbijouxs.com.br: did not receive HSTS header
 tokenloan.com: could not connect to host
-tokfun.com: could not connect to host
+tokintu.com: could not connect to host
+tokky.eu: could not connect to host
 tokobungaasryflorist.com: did not receive HSTS header
 tokobungadijambi.com: did not receive HSTS header
 tokobungadilampung.com: could not connect to host
@@ -16305,17 +17626,19 @@ tokoone.com: did not receive HSTS header
 tokotamz.net: could not connect to host
 tokotimbangandigitalmurah.web.id: did not receive HSTS header
 tokoyo.biz: could not connect to host
+toldositajuba.com: could not connect to host
 tollmanz.com: did not receive HSTS header
 tollsjekk.no: could not connect to host
 tolud.com: could not connect to host
 tom-maxwell.com: did not receive HSTS header
 tom.run: did not receive HSTS header
 tomandshirley.com: could not connect to host
+tomaspialek.cz: did not receive HSTS header
+tomaz.eu: could not connect to host
 tomberek.info: did not receive HSTS header
 tomcort.com: could not connect to host
 tomdudfield.com: did not receive HSTS header
 tomeara.net: could not connect to host
-tomershemesh.me: could not connect to host
 tomevans.io: did not receive HSTS header
 tomharling.co.uk: could not connect to host
 tomiler.com: could not connect to host
@@ -16323,21 +17646,22 @@ tomlankhorst.nl: did not receive HSTS header
 tomli.me: could not connect to host
 tommounsey.com: did not receive HSTS header
 tommsy.com: did not receive HSTS header
-tommy-bordas.fr: did not receive HSTS header
 tommyads.com: could not connect to host
 tommyweber.de: did not receive HSTS header
-tomoyaf.com: did not receive HSTS header
+tomoyaf.com: could not connect to host
 tomphill.co.uk: could not connect to host
+tomudding.com: did not receive HSTS header
 tomy.icu: could not connect to host
 tonburi.jp: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tongmu.me: could not connect to host
 tonguetechnology.com: could not connect to host
+toni-dis.ch: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 toniharant.de: could not connect to host
 toomanypillows.com: could not connect to host
+toomy.ddns.net: could not connect to host
 top-esb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 top-stage.net: could not connect to host
 top10mountainbikes.info: could not connect to host
-top9.fr: could not connect to host
 topanlage.de: could not connect to host
 topbargains.com.au: did not receive HSTS header
 topbestsellerproduct.com: did not receive HSTS header
@@ -16346,7 +17670,6 @@ topdeskdev.net: could not connect to host
 topdetoxcleanse.com: could not connect to host
 topdevbox.net: could not connect to host
 topesb.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-topkek.ml: could not connect to host
 topmarine.se: did not receive HSTS header
 topnewstoday.org: could not connect to host
 topnotchendings.com: could not connect to host
@@ -16357,6 +17680,7 @@ topservercccam.com: did not receive HSTS header
 topshelfguild.com: could not connect to host
 toptenthebest.com: did not receive HSTS header
 toptranslation.com: did not receive HSTS header
+topvertimai.lt: could not connect to host
 topwin.la: could not connect to host
 topyx.com: did not receive HSTS header
 tor2web.org: could not connect to host
@@ -16367,16 +17691,21 @@ toretfaction.net: could not connect to host
 torlock.download: could not connect to host
 torproject.org.uk: could not connect to host
 torproject.ovh: could not connect to host
-torrentdownloads.bid: max-age too low: 0
+torrentdownloads.bid: did not receive HSTS header
+torrentfunk.com: could not connect to host
 torrentgamesps2.info: could not connect to host
 torrenttop100.net: could not connect to host
 torrentz.website: could not connect to host
 torrentz2.eu: did not receive HSTS header
+tortocan.com: could not connect to host
 tortugalife.de: could not connect to host
 torv.rocks: did not receive HSTS header
+tosainu.com.br: could not connect to host
 tosecure.link: could not connect to host
 toshnix.com: could not connect to host
 toshub.com: could not connect to host
+totalbeauty.co.uk: could not connect to host
+totaldragonshop.com.br: could not connect to host
 totalle.com.br: could not connect to host
 totallynotaserver.com: could not connect to host
 totalsystemcare.com: could not connect to host
@@ -16385,7 +17714,7 @@ totalworkout.fitness: did not receive HSTS header
 totch.de: could not connect to host
 totem-eshop.cz: could not connect to host
 totoro.pub: could not connect to host
-totot.net: did not receive HSTS header
+totot.net: could not connect to host
 toucedo.de: could not connect to host
 touch-up-net.com: could not connect to host
 touchbasemail.com: did not receive HSTS header
@@ -16393,33 +17722,35 @@ touchinformatica.com: did not receive HSTS header
 touchpointidg.us: could not connect to host
 touchscreen-handy.de: did not receive HSTS header
 touchstonefms.co.uk: did not receive HSTS header
-touchtable.nl: did not receive HSTS header
 tougetu.com: could not connect to host
 touhou.cc: did not receive HSTS header
 touray-enterprise.ch: could not connect to host
+tourispo.com: could not connect to host
 tourpeer.com: did not receive HSTS header
 toursandtransfers.it: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tousproducteurs.fr: did not receive HSTS header
+tovp.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 towaway.ru: could not connect to host
+townofruthnc.gov: could not connect to host
 tox.im: did not receive HSTS header
 toxicboot.com: could not connect to host
 toxicip.com: could not connect to host
-toxme.se: did not receive HSTS header
+toxme.se: could not connect to host
 toymania.de: could not connect to host
 toyotamotala.se: could not connect to host
 tpbcdn.com: could not connect to host
-tpblist.xyz: max-age too low: 0
+tpblist.xyz: could not connect to host
 tpbunblocked.org: could not connect to host
 tpe-edu.com: could not connect to host
-tpms4u.at: did not receive HSTS header
+tpms4u.at: could not connect to host
 tppdebate.org: did not receive HSTS header
 trabajarenperu.com: did not receive HSTS header
 tracalada.cl: did not receive HSTS header
 tracetracker.com: did not receive HSTS header
 tracewind.top: could not connect to host
-track.plus: could not connect to host
 trackdays4fun.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 tracker-gps.ch: could not connect to host
+trackfeed.tokyo: could not connect to host
 trackmeet.io: did not receive HSTS header
 tracktivity.com.au: did not receive HSTS header
 trade-smart.ru: could not connect to host
@@ -16434,10 +17765,11 @@ tradingrooms.com: did not receive HSTS header
 traditional-knowledge.tk: did not receive HSTS header
 traeningsprojekt.dk: did not receive HSTS header
 trafficquality.org: could not connect to host
-traffictigers.com: could not connect to host
+traffictigers.com: did not receive HSTS header
 traforet.win: could not connect to host
 train-track.co.uk: did not receive HSTS header
 traindb.nl: did not receive HSTS header
+trainhorns.us: did not receive HSTS header
 training4girls.ru: could not connect to host
 traininglist.org: could not connect to host
 trainingproviderresults.gov: could not connect to host
@@ -16454,11 +17786,13 @@ transcendmotor.sg: could not connect to host
 transcricentro.pt: could not connect to host
 transcriptionwave.com: did not receive HSTS header
 transdirect.com.au: did not receive HSTS header
+transferio.nl: did not receive HSTS header
 transformify.org: did not receive HSTS header
 transgendernetwerk.nl: did not receive HSTS header
 transl8.eu: did not receive HSTS header
 translate.googleapis.com: did not receive HSTS header (error ignored - included regardless)
 translateblender.ru: could not connect to host
+translatoruk.co.uk: did not receive HSTS header
 transmithe.net: could not connect to host
 transportal.sk: did not receive HSTS header
 transsexualpantyhose.com: could not connect to host
@@ -16466,25 +17800,30 @@ tratamentoparacelulite.biz: could not connect to host
 trauertexte.info: could not connect to host
 traumhuetten.de: did not receive HSTS header
 travality.ru: could not connect to host
-travel-dealz.de: did not receive HSTS header
 travel-kuban.ru: did not receive HSTS header
+travel-to-nature.ch: did not receive HSTS header
+travel.co.za: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 travel1x1.com: did not receive HSTS header
 traveling-thailand.info: could not connect to host
 travelinsightswriter.com: could not connect to host
 travelling.expert: could not connect to host
+travellsell.com: did not receive HSTS header
 travelmyth.ie: did not receive HSTS header
 travelpricecheck.com: max-age too low: 0
+travisfranck.com: could not connect to host
 travotion.com: could not connect to host
 trazosdearte.com: did not receive HSTS header
 treasuredinheritanceministry.com: did not receive HSTS header
 treatment.org: could not connect to host
 treatprostatewithhifu.com: could not connect to host
+treebaglia.xyz: could not connect to host
 treeby.net: could not connect to host
 treehousebydesign.com: did not receive HSTS header
 treeremovaljohannesburg.co.za: could not connect to host
 treino.blog.br: could not connect to host
 treker.us: could not connect to host
 trell.co.in: did not receive HSTS header
+tremlor.com: max-age too low: 300
 tremolosoftware.com: did not receive HSTS header
 tremoureux.fr: could not connect to host
 trendberry.ru: could not connect to host
@@ -16492,28 +17831,33 @@ trendingpulse.com: could not connect to host
 trendisland.de: did not receive HSTS header
 trendydips.com: could not connect to host
 trentmaydew.com: could not connect to host
+tretkowski.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 trewe.eu: could not connect to host
 triadwars.com: did not receive HSTS header
 triageo.com.au: could not connect to host
 trialmock.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 trianon.xyz: could not connect to host
-tributh.cf: could not connect to host
-tributh.net: could not connect to host
 trickedguys.com: could not connect to host
 tricks.clothing: did not receive HSTS header
 triddi.com: could not connect to host
+tridentflood.com: could not connect to host
 tridimage.com: did not receive HSTS header
 trigular.de: could not connect to host
 trileg.net: could not connect to host
+trimarchimanuele.it: did not receive HSTS header
 trinity.fr.eu.org: could not connect to host
 trinityaffirmations.com: max-age too low: 0
 trinitycore.org: max-age too low: 2592000
 trinitytechdev.com: did not receive HSTS header
+trink-und-partyspiele.de: could not connect to host
 tripcombi.com: did not receive HSTS header
 tripdelta.com: did not receive HSTS header
 tripinsider.club: did not receive HSTS header
+triple-mmm.de: max-age too low: 0
+tripout.tech: did not receive HSTS header
 trisportas.lt: did not receive HSTS header
 tristanfarkas.one: could not connect to host
+triticeaetoolbox.org: did not receive HSTS header
 trixati.org.ua: did not receive HSTS header
 trixies-wish.nz: could not connect to host
 trixy.com.br: could not connect to host
@@ -16521,12 +17865,14 @@ trizone.com.au: did not receive HSTS header
 troisdorf-gestalten.de: did not receive HSTS header
 trollme.me: could not connect to host
 trollscave.xyz: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-trondelan.no: could not connect to host
+trondelan.no: did not receive HSTS header
 tronflix.com: did not receive HSTS header
 troo.ly: could not connect to host
 trouter.io: could not connect to host
 trouver-son-chemin.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+troykelly.com: did not receive HSTS header
 trpg.wiki: could not connect to host
+truckgpsreviews.com: did not receive HSTS header
 true.ink: did not receive HSTS header
 truebred-labradors.com: did not receive HSTS header
 trueessayhelp.co.uk: did not receive HSTS header
@@ -16536,18 +17882,21 @@ trumeet.top: did not receive HSTS header
 trunkjunk.co: could not connect to host
 trush.in: could not connect to host
 trustedinnovators.com: could not connect to host
+trustednewssites.com: could not connect to host
 trusteecar.com: did not receive HSTS header
 trustmeimfancy.com: could not connect to host
 trustocean.com: did not receive HSTS header
-try2services.cm: did not receive HSTS header
 trybind.com: could not connect to host
 tryfabulousdiet.com: could not connect to host
 tryfm.net: did not receive HSTS header
 trynowrinkleseyeserum.com: could not connect to host
 tryoneday.co: did not receive HSTS header
 tryti.me: could not connect to host
+ts-publishers.com: could not connect to host
 ts2.se: could not connect to host
+ts3-dns.com: could not connect to host
 ts3-dns.me: could not connect to host
+ts3-dns.net: could not connect to host
 ts3.consulting: could not connect to host
 tsaro.io: could not connect to host
 tscqmalawi.info: did not receive HSTS header
@@ -16564,18 +17913,17 @@ tsumegumi.net: could not connect to host
 tsumi.moe: could not connect to host
 tsura.org: could not connect to host
 tsurezurematome.ga: could not connect to host
-tt.dog: could not connect to host
 ttackmedical.com.br: could not connect to host
-ttrade.ga: could not connect to host
 tts.co.nz: did not receive HSTS header
 ttspttsp.com: could not connect to host
 tty.space: could not connect to host
 ttz.im: could not connect to host
 tuamoronline.com: could not connect to host
+tuang-tuang.com: could not connect to host
 tubbutec.de: did not receive HSTS header
 tubeju.com: could not connect to host
-tubetoon.com: did not receive HSTS header
-tubetooncartoons.com: did not receive HSTS header
+tubetoon.com: could not connect to host
+tubetooncartoons.com: could not connect to host
 tubex.ga: could not connect to host
 tucidi.net: could not connect to host
 tucker.wales: could not connect to host
@@ -16586,21 +17934,24 @@ tufilo.com: could not connect to host
 tugers.com: did not receive HSTS header
 tulenceria.es: could not connect to host
 tulsameetingroom.com: could not connect to host
+tumagiri.net: did not receive HSTS header
+tumutanzi.com: did not receive HSTS header
 tunca.it: did not receive HSTS header
 tunebitfm.de: could not connect to host
 tungstenroyce.com: did not receive HSTS header
 tunity.be: did not receive HSTS header
+tuou.xyz: could not connect to host
 tupizm.com: could not connect to host
 turismo.cl: could not connect to host
 turkiet.guide: could not connect to host
-turkrock.com: did not receive HSTS header
 turn-sticks.com: could not connect to host
 turnik-67.ru: could not connect to host
 turniker.ru: could not connect to host
 turnsticks.com: could not connect to host
+turtle.ai: did not receive HSTS header
 turtlementors.com: could not connect to host
 turtles.ga: could not connect to host
-tusb.ml: did not receive HSTS header
+tusb.ml: could not connect to host
 tussengelegenwoningverkopen.nl: could not connect to host
 tuthowto.com: could not connect to host
 tutiendaroja.com: did not receive HSTS header
@@ -16609,12 +17960,14 @@ tutorio.ga: could not connect to host
 tutu.ro: could not connect to host
 tuturulianda.com: did not receive HSTS header
 tuvalie.com: did not receive HSTS header
+tuxflow.de: could not connect to host
 tuxhound.org: could not connect to host
 tuxrtfm.com: could not connect to host
 tv.search.yahoo.com: could not connect to host
 tvc.red: could not connect to host
 tverdohleb.com: could not connect to host
 tvoru.com.ua: did not receive HSTS header
+tvqc.com: did not receive HSTS header
 tvs-virtual.cz: did not receive HSTS header
 tvtubeflix.com: did not receive HSTS header
 tvz-materijali.com: could not connect to host
@@ -16651,9 +18004,9 @@ twinkseason.xyz: could not connect to host
 twiri.net: could not connect to host
 twist.party: could not connect to host
 twistapp.com: did not receive HSTS header
-twistdevelopment.co.uk: could not connect to host
 twittelzie.nl: could not connect to host
 twitter.ax: could not connect to host
+twocornertiming.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 twogo.com: did not receive HSTS header
 twojfaktum.pl: could not connect to host
 twolanedesign.com: did not receive HSTS header
@@ -16661,6 +18014,8 @@ twolinepassbrewing.com: could not connect to host
 twolivelife.com: could not connect to host
 twoo.com: could not connect to host
 twotube.ie: could not connect to host
+twun.io: could not connect to host
+twuni.org: did not receive HSTS header
 tx041cap.org: could not connect to host
 txbi.de: could not connect to host
 txclimbers.com: could not connect to host
@@ -16668,13 +18023,12 @@ txcp01.com: could not connect to host
 txcp02.com: could not connect to host
 txf.pw: could not connect to host
 ty2u.com: did not receive HSTS header
-tycjt.vip: did not receive HSTS header
+tycjt.vip: could not connect to host
 tykoon.com: could not connect to host
+tyl.io: did not receive HSTS header
 tyler.coach: could not connect to host
 tylercoach.com: could not connect to host
-tylerharcourt.ca: max-age too low: 86400
-tylerharcourt.com: could not connect to host
-tylerharcourt.org: did not receive HSTS header
+tylerharcourt.net: could not connect to host
 tylerharcourt.xyz: could not connect to host
 tylerjharcourt.com: could not connect to host
 tylian.net: max-age too low: 0
@@ -16683,11 +18037,10 @@ type1joe.net: could not connect to host
 type1joe.org: could not connect to host
 typehub.net: could not connect to host
 typeofweb.com: did not receive HSTS header
-typeonejoe.com: could not connect to host
 typeonejoe.net: could not connect to host
 typeonejoe.org: could not connect to host
 typingrevolution.com: did not receive HSTS header
-tyreis.com: did not receive HSTS header
+tyreis.com: could not connect to host
 tyrelius.com: could not connect to host
 tyroproducts.eu: did not receive HSTS header
 tyskland.guide: could not connect to host
@@ -16695,8 +18048,9 @@ tz56789.com: did not receive HSTS header
 tzappa.net: could not connect to host
 tzwe.com: could not connect to host
 u-master.net: did not receive HSTS header
-u-tokyo.club: could not connect to host
+u-metals.com: did not receive HSTS header
 u175.com: could not connect to host
+uaci.edu.mx: could not connect to host
 uadp.pw: could not connect to host
 uahs.org.uk: did not receive HSTS header
 ubalert.com: could not connect to host
@@ -16704,35 +18058,66 @@ uber.com.au: did not receive HSTS header
 ubercalculator.com: did not receive HSTS header
 uberfunction.com: did not receive HSTS header
 ubertt.org: could not connect to host
-ubicloud.de: could not connect to host
+ubicloud.de: did not receive HSTS header
 ubicv.com: could not connect to host
 ublox.com: did not receive HSTS header
 ubtce.com: could not connect to host
+ubun.net: could not connect to host
 ubuntuhot.com: did not receive HSTS header
 uc.ac.id: did not receive HSTS header
 uchiha.ml: could not connect to host
 uclanmasterplan.co.uk: did not receive HSTS header
-uclf.de: could not connect to host
 udbhav.me: could not connect to host
-uefeng.com: did not receive HSTS header
 uega.net: did not receive HSTS header
+uel-thompson-okanagan.ca: could not connect to host
 uerdingen.info: did not receive HSTS header
 uesociedadlimitada.com: could not connect to host
 ueu.me: could not connect to host
-uevan.com: did not receive HSTS header
 ufgaming.com: did not receive HSTS header
 uflixit.com: did not receive HSTS header
 ufo.moe: could not connect to host
 ufotable.uk: could not connect to host
 ugcdn.com: could not connect to host
-uggedal.com: could not connect to host
 ugisgutless.com: could not connect to host
 ugo.ninja: could not connect to host
 ugosadventures.com: could not connect to host
+uhappy11.com: did not receive HSTS header
+uhappy21.com: did not receive HSTS header
+uhappy23.com: did not receive HSTS header
+uhappy24.com: did not receive HSTS header
+uhappy25.com: did not receive HSTS header
+uhappy26.com: did not receive HSTS header
+uhappy27.com: did not receive HSTS header
+uhappy28.com: did not receive HSTS header
+uhappy29.com: did not receive HSTS header
+uhappy3.com: did not receive HSTS header
+uhappy31.com: did not receive HSTS header
+uhappy33.com: did not receive HSTS header
+uhappy55.com: did not receive HSTS header
+uhappy56.com: did not receive HSTS header
+uhappy58.com: did not receive HSTS header
+uhappy59.com: did not receive HSTS header
+uhappy60.com: did not receive HSTS header
+uhappy61.com: did not receive HSTS header
+uhappy62.com: did not receive HSTS header
+uhappy66.com: did not receive HSTS header
+uhappy67.com: did not receive HSTS header
+uhappy71.com: did not receive HSTS header
+uhappy73.com: could not connect to host
+uhappy74.com: could not connect to host
+uhappy75.com: could not connect to host
+uhappy76.com: could not connect to host
+uhappy77.com: did not receive HSTS header
+uhappy78.com: could not connect to host
+uhappy8.com: did not receive HSTS header
+uhappy86.com: did not receive HSTS header
+uhappy9.com: did not receive HSTS header
+uhappy99.com: did not receive HSTS header
 uhasseltctf.ga: could not connect to host
-uhm.io: could not connect to host
+uhasseltodin.be: did not receive HSTS header
+uhm.io: did not receive HSTS header
+uhssl.com: did not receive HSTS header
 uhuru-market.com: did not receive HSTS header
-uicchy.com: could not connect to host
 uitslagensoftware.nl: did not receive HSTS header
 ukas.com: could not connect to host
 ukdropshipment.co.uk: did not receive HSTS header
@@ -16752,6 +18137,7 @@ ultimate-memoryplus.com: could not connect to host
 ultimate-neuroplus.com: could not connect to host
 ultramax.biz: could not connect to host
 ultraporn.biz: could not connect to host
+ultrasite.tk: could not connect to host
 ultrasteam.net: could not connect to host
 ultros.io: did not receive HSTS header
 umaimise.info: did not receive HSTS header
@@ -16760,8 +18146,10 @@ umbriel.fr: did not receive HSTS header
 umgardi.ca: could not connect to host
 umidev.com: could not connect to host
 umie.cc: did not receive HSTS header
+umkmjogja.com: did not receive HSTS header
 ump45.moe: could not connect to host
-umsolugar.com.br: did not receive HSTS header
+umsolugar.com.br: could not connect to host
+umwandeln-online.de: could not connect to host
 unapolegetic.co: did not receive HSTS header
 unart.info: could not connect to host
 unbanthe.net: could not connect to host
@@ -16780,7 +18168,7 @@ unblocked.win: could not connect to host
 unblocked.works: could not connect to host
 unblocked.world: could not connect to host
 unblockedall.site: could not connect to host
-unblockedbay.info: max-age too low: 0
+unblockedbay.info: could not connect to host
 unblockerproxy.site: did not receive HSTS header
 unblockerproxy.top: did not receive HSTS header
 unblockmy.party: could not connect to host
@@ -16795,10 +18183,11 @@ undecidable.de: could not connect to host
 under30stravelinsurance.com.au: did not receive HSTS header
 undercovercondoms.com: could not connect to host
 underkin.com: could not connect to host
-underwearoffer.com: did not receive HSTS header
+undone.me: could not connect to host
 unefuite.ch: could not connect to host
 unfiltered.nyc: could not connect to host
 unfuddle.cn: could not connect to host
+ungeek.eu: did not receive HSTS header
 ungern.guide: could not connect to host
 unhu.fr: could not connect to host
 uni-games.com: could not connect to host
@@ -16818,7 +18207,7 @@ uniformespousoalegre.com.br: did not receive HSTS header
 unikitty-on-tour.com: could not connect to host
 unikrn.com: could not connect to host
 uninet.cf: could not connect to host
-uniojeda.ml: did not receive HSTS header
+uniojeda.ml: could not connect to host
 unionstationapp.com: could not connect to host
 unirenter.ru: did not receive HSTS header
 unison.com: did not receive HSTS header
@@ -16826,66 +18215,71 @@ unisyssecurity.com: did not receive HSTS header
 unitedcyberdevelopment.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 unitlabs.net: could not connect to host
 unitrade-425.co.za: did not receive HSTS header
+univerpack.net: could not connect to host
 university4industry.com: did not receive HSTS header
 universogay.com: could not connect to host
 univstore.win: could not connect to host
 univz.com: could not connect to host
-unix.se: did not receive HSTS header
+unixapp.ml: could not connect to host
+unixfox.eu: could not connect to host
 unixtime.pro: could not connect to host
 unknownbreakup.com: max-age too low: 2592000
 unknownphenomena.net: could not connect to host
+unleash.pw: could not connect to host
 unlogis.ch: could not connect to host
-unmanaged.space: could not connect to host
-uno.fi: did not receive HSTS header
+unmanaged.space: did not receive HSTS header
 unplugg3r.dk: could not connect to host
+unpossible.xyz: could not connect to host
 unravel.ie: could not connect to host
 unripple.com: could not connect to host
 unruh.fr: did not receive HSTS header
-uns.vn: could not connect to host
 unschoolrules.com: did not receive HSTS header
 unstockd.org: could not connect to host
 unsupervised.ca: did not receive HSTS header
 unsystem.net: could not connect to host
 unterkunft.guru: did not receive HSTS header
-unterschicht.tv: could not connect to host
 untoldstory.eu: did not receive HSTS header
 unveiledgnosis.com: did not receive HSTS header
 unwiredbrain.com: could not connect to host
 unwomen.is: did not receive HSTS header
-unyq.me: did not receive HSTS header
+unworthy.ml: could not connect to host
+unyq.me: could not connect to host
 uonstaffhub.com: could not connect to host
 uow.ninja: could not connect to host
 up1.ca: could not connect to host
 upaknship.com: did not receive HSTS header
 upandclear.org: max-age too low: 0
-upay.ru: could not connect to host
 upboard.jp: could not connect to host
+updatehub.io: did not receive HSTS header
 upldr.pw: could not connect to host
 uploadbro.com: could not connect to host
 upmchealthsecurity.us: could not connect to host
 uporoops.com: could not connect to host
+upr-info.org: did not receive HSTS header
 uprotect.it: could not connect to host
 upstats.eu: could not connect to host
 uptakedigital.com.au: max-age too low: 2592000
 uptic.net: did not receive HSTS header
 uptogood.org: could not connect to host
 upupming.site: did not receive HSTS header
+upwardtraining.co.uk: could not connect to host
 ur-lauber.de: did not receive HSTS header
 urban-garden.lt: could not connect to host
 urban-garden.lv: could not connect to host
+urban-karuizawa.co.jp: max-age too low: 0
+urbanfi.sh: did not receive HSTS header
 urbanmic.com: could not connect to host
-urbanstylestaging.com: did not receive HSTS header
-urbansurvival.com: did not receive HSTS header
+urbanstylestaging.com: could not connect to host
 urbpic.com: could not connect to host
 urcentral.org: could not connect to host
-url.cab: could not connect to host
+urgences-valais.ch: could not connect to host
+url.cab: did not receive HSTS header
 urlachershop.com.br: did not receive HSTS header
-urlakite.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 urlchomp.com: did not receive HSTS header
 urology.wiki: did not receive HSTS header
 urphp.com: did not receive HSTS header
 us-immigration.com: did not receive HSTS header
-usaab.org: did not receive HSTS header
+usaab.org: could not connect to host
 usafuelservice.com: did not receive HSTS header
 usatomotori.com: did not receive HSTS header
 usbirthcertificate.com: could not connect to host
@@ -16893,23 +18287,26 @@ usbtypeccompliant.com: could not connect to host
 uscitizenship.info: did not receive HSTS header
 uscntalk.com: could not connect to host
 uscp8.com: could not connect to host
-uscurrency.gov: did not receive HSTS header
 use.ci: could not connect to host
 used-in.jp: could not connect to host
 usedesk.ru: did not receive HSTS header
 usedoor.jp: did not receive HSTS header
+usedu.us: could not connect to host
 useevlo.com.br: could not connect to host
 user-new.com: did not receive HSTS header
 usercare.com: could not connect to host
 useresponse.com: did not receive HSTS header
 userify.com: did not receive HSTS header
+uskaria.com: could not connect to host
 uslab.io: could not connect to host
 usleep.net: could not connect to host
 usparklodging.com: did not receive HSTS header
 usportsgo.com: could not connect to host
 usr.nz: did not receive HSTS header
 usuluddin.ga: did not receive HSTS header
+utahfireinfo.gov: did not receive HSTS header
 utdscanner.com: did not receive HSTS header
+utdsgda.com: could not connect to host
 uteam.it: could not connect to host
 utilio.nl: max-age too low: 2592000
 utilitronium-shockwave.com: could not connect to host
@@ -16926,8 +18323,10 @@ uttnetgroup.fr: could not connect to host
 utube.tw: could not connect to host
 utumno.ch: could not connect to host
 utvbloggen.se: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+uuid.cf: could not connect to host
 uvarov.pw: could not connect to host
 uvolejniku.cz: did not receive HSTS header
+uwekoetter.com: did not receive HSTS header
 uwesander.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 uwfreelanceopticien.nl: could not connect to host
 uwimonacs.org.jm: did not receive HSTS header
@@ -16947,25 +18346,22 @@ v2.pw: did not receive HSTS header
 v2ex.us: could not connect to host
 v4veedu.com: could not connect to host
 v5wz.com: did not receive HSTS header
-v5xp.com: could not connect to host
+v5xp.com: did not receive HSTS header
 v7.cl: could not connect to host
 v789xl.com: did not receive HSTS header
-va.gov: did not receive HSTS header
 vaaddress.co: could not connect to host
-vaalmarketplace.co.za: could not connect to host
+vaalmarketplace.co.za: did not receive HSTS header
 vacationality.com: could not connect to host
 vacationfund.co: could not connect to host
 vacationscostarica.com: did not receive HSTS header
 vackerbetong.se: could not connect to host
-vaclavambroz.cz: could not connect to host
+vaclavambroz.cz: did not receive HSTS header
 vaclavambroz.eu: could not connect to host
 vacuumreviewcenter.com: did not receive HSTS header
 vaddder.com: could not connect to host
-vadennissanofhinesvilleparts.com: could not connect to host
+vadennissanofhinesvilleparts.com: did not receive HSTS header
 vadik.me: could not connect to host
 vadodesign.nl: did not receive HSTS header
-vagaerg.com: did not receive HSTS header
-vagaerg.net: did not receive HSTS header
 vaibhavchatarkar.com: could not connect to host
 val-sec.com: could not connect to host
 valaeris.de: did not receive HSTS header
@@ -16974,16 +18370,20 @@ valecnatechnika.cz: could not connect to host
 valenhub.com: could not connect to host
 valenhub.es: could not connect to host
 valenscaelum.com: could not connect to host
+valentin-ochs.de: could not connect to host
 valesdev.com: max-age too low: 0
 valethound.com: could not connect to host
 valhallacostarica.com: could not connect to host
 valhallamovement.com: did not receive HSTS header
 valitron.se: did not receive HSTS header
+valkor.pro: could not connect to host
 valkyrja.xyz: could not connect to host
 valleyridgepta.org: could not connect to host
+valleyshop.ca: could not connect to host
 vallis.net: could not connect to host
 valmagus.com: could not connect to host
 valopv.be: could not connect to host
+valshamar.is: could not connect to host
 vamoaeturismo.com.br: could not connect to host
 vamosfalardesaude.pt: could not connect to host
 vampirism.eu: could not connect to host
@@ -16994,14 +18394,17 @@ vanderstraeten.dynv6.net: could not connect to host
 vanessabalibridal.com: could not connect to host
 vanestack.com: could not connect to host
 vanetv.com: could not connect to host
-vangeluwedeberlaere.be: did not receive HSTS header
+vangeluwedeberlaere.be: could not connect to host
 vanhaos.com: could not connect to host
 vanitas.xyz: could not connect to host
 vanitynailworkz.com: could not connect to host
 vanlaanen.com: did not receive HSTS header
+vanohaker.ru: could not connect to host
 vansieleghem.com: could not connect to host
 vantaio.com: did not receive HSTS header
+vapecom-shop.com: could not connect to host
 vapecraftinc.com: did not receive HSTS header
+vapehour.com: could not connect to host
 vapemania.eu: could not connect to host
 vapeshopsupply.com: max-age too low: 7889238
 vaporpunk.space: did not receive HSTS header
@@ -17020,28 +18423,29 @@ vavai.net: did not receive HSTS header
 vavouchers.com: could not connect to host
 vawltstorage.com: did not receive HSTS header
 vayaport.com: could not connect to host
+vb-oa.co.uk: did not receive HSTS header
 vbest.net: could not connect to host
-vbhelp.org: did not receive HSTS header
+vbestreviews.com: did not receive HSTS header
+vbhelp.org: could not connect to host
 vbulletin-russia.com: could not connect to host
 vbulletinrussia.com: could not connect to host
 vcdn.xyz: could not connect to host
 vcdove.com: could not connect to host
-vcelin-na-doliku.cz: could not connect to host
 vconcept.ch: could not connect to host
 vconcept.me: could not connect to host
 vcr.re: could not connect to host
-vdanker.net: could not connect to host
 vdhco.be: did not receive HSTS header
 vdownloader.com: could not connect to host
 vdrpro.com: could not connect to host
 veblen.com: did not receive HSTS header
 vechkasov.ru: could not connect to host
 vectro.me: could not connect to host
-vedatkamer.com: could not connect to host
+vedatkamer.com: did not receive HSTS header
 vega-motor.com.ua: did not receive HSTS header
 vega-rumia.com.pl: max-age too low: 2592000
 vega.dyndns.info: could not connect to host
 vegalayer.com: could not connect to host
+vegalengd.com: did not receive HSTS header
 vegane-proteine.com: could not connect to host
 vegangaymer.blog: could not connect to host
 veganosonline.com: could not connect to host
@@ -17051,6 +18455,7 @@ veggiesbourg.fr: did not receive HSTS header
 vegis.ro: did not receive HSTS header
 veglog.com: could not connect to host
 vehent.org: did not receive HSTS header
+vehicletransportservices.co: did not receive HSTS header
 vehicleuplift.co.uk: did not receive HSTS header
 vekenz.com: could not connect to host
 velasense.com: could not connect to host
@@ -17067,11 +18472,15 @@ venmos.com: could not connect to host
 venninvestorplatform.com: did not receive HSTS header
 venoom.eu: did not receive HSTS header
 vensl.org: could not connect to host
+venturedisplay.co.uk: did not receive HSTS header
 venturepro.com: did not receive HSTS header
+venusbymariatash.com: could not connect to host
 venzocrm.com: did not receive HSTS header
-ver-ooginoog.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-veraandsteve.date: could not connect to host
+ver-ooginoog.nl: max-age too low: 2592000
+veraandsteve.date: did not receive HSTS header
 verdeandco.co.uk: could not connect to host
+vergeaccessories.com: could not connect to host
+vergessen.cn: could not connect to host
 verifiedinvesting.com: could not connect to host
 verifikatorindonesia.com: could not connect to host
 veriomed.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -17080,11 +18489,12 @@ verliefde-jongens.nl: could not connect to host
 vermogeninkaart.nl: could not connect to host
 vermontcareergateway.org: could not connect to host
 vernonfishandgame.ca: did not receive HSTS header
+vernonhouseofhope.com: did not receive HSTS header
 versbeton.nl: max-age too low: 864000
 versfin.net: could not connect to host
 versia.ru: did not receive HSTS header
-versolslapeyre.fr: did not receive HSTS header
 veryhax.de: could not connect to host
+veryimportantusers.com: could not connect to host
 veryyounglesbians.com: could not connect to host
 ves.vn.ua: could not connect to host
 vestacp.top: could not connect to host
@@ -17093,36 +18503,54 @@ veterinaire-cazeres-foucault.fr: could not connect to host
 vethouse.com.ua: did not receive HSTS header
 vetmgmt.com: could not connect to host
 veto.fish: could not connect to host
-vforvendetta.science: could not connect to host
+vforvendetta.science: did not receive HSTS header
 vfree.org: could not connect to host
 vgatest.nl: could not connect to host
 vglimg.com: could not connect to host
 vhost.co.id: could not connect to host
 viabemestar.com.br: could not connect to host
 viadeux.com: did not receive HSTS header
+viagraonlinebestellen.org: max-age too low: 3600
 vialibido.com.br: could not connect to host
 viato.fr: could not connect to host
 vibrashop.com.br: did not receive HSTS header
 vicenage.com: could not connect to host
 viceversa.xyz: did not receive HSTS header
+vicianovi.cz: did not receive HSTS header
+viciousflora.com: could not connect to host
 viciousviscosity.xyz: could not connect to host
+vickshomes.com: could not connect to host
 victorenxovais.com.br: could not connect to host
+victoreriksson.ch: could not connect to host
+victoreriksson.co: could not connect to host
+victoreriksson.com: could not connect to host
+victoreriksson.eu: could not connect to host
+victoreriksson.info: could not connect to host
+victoreriksson.me: could not connect to host
+victoreriksson.net: could not connect to host
+victoreriksson.nu: could not connect to host
+victoreriksson.org: could not connect to host
+victoreriksson.se: could not connect to host
+victoreriksson.us: could not connect to host
 victoriapemberton.com: did not receive HSTS header
 victoriaville.ca: did not receive HSTS header
+victornilsson.pw: did not receive HSTS header
 vid.me: did not receive HSTS header
 vidb.me: could not connect to host
 vidbuchanan.co.uk: did not receive HSTS header
+vidcloud.xyz: did not receive HSTS header
 viddiaz.com: did not receive HSTS header
 videnskabsklubben.dk: did not receive HSTS header
+videobola.win: could not connect to host
 videoload.co: could not connect to host
 videomuz.com: could not connect to host
-videorullen.se: could not connect to host
+videorullen.se: did not receive HSTS header
 videosxgays.com: could not connect to host
 videotogel.net: could not connect to host
 videoueberwachung-set.de: did not receive HSTS header
 vider.ga: could not connect to host
 vidid.net: did not receive HSTS header
-vidiproject.com: did not receive HSTS header
+vidiproject.com: could not connect to host
 viditut.com: could not connect to host
 vidkovaomara.si: could not connect to host
 vidlyoficial.com: could not connect to host
@@ -17132,19 +18560,18 @@ viennan.net: did not receive HSTS header
 vietnam-lifer.com: could not connect to host
 vietnamchevrolet.net: did not receive HSTS header
 vietnamphotographytours.com: did not receive HSTS header
-vieux.pro: could not connect to host
 viewsea.com: max-age too low: 0
+viga.me: could not connect to host
 vigilo.cf: could not connect to host
 vigilo.ga: could not connect to host
-vigo-krankenversicherung.de: could not connect to host
 viikko.eu: could not connect to host
 vijos.org: did not receive HSTS header
 vikasbabyworld.de: could not connect to host
+vikodek.com: did not receive HSTS header
 viktor-machnik.de: could not connect to host
 viktorsvantesson.net: did not receive HSTS header
 vilabiamodas.com.br: could not connect to host
 viladochurrasco.com.br: could not connect to host
-vilaydin.com: did not receive HSTS header
 vilight.com.br: could not connect to host
 villa-anna-cilento.de: could not connect to host
 villa-bellarte.de: did not receive HSTS header
@@ -17171,16 +18598,20 @@ vinesauce.info: could not connect to host
 vinetalk.net: could not connect to host
 vinicius.sl: could not connect to host
 viniferawineclub.com: did not receive HSTS header
+vinigas.com: did not receive HSTS header
 vinihk.com: did not receive HSTS header
+vinnie.gq: could not connect to host
 vinogradovka.com: did not receive HSTS header
+vintock.com: could not connect to host
 vio.no: did not receive HSTS header
 violenceinterrupted.org: did not receive HSTS header
 violet-letter.delivery: could not connect to host
-violetraven.co.uk: could not connect to host
+violetraven.co.uk: did not receive HSTS header
 viosey.com: could not connect to host
 vioye.com: could not connect to host
-vip-9649.com: could not connect to host
-vip9649.com: could not connect to host
+vip-9649.com: did not receive HSTS header
+vip4553.com: could not connect to host
+vip9649.com: did not receive HSTS header
 viperdns.com: could not connect to host
 vipesball.cc: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 vipesball.info: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -17193,12 +18624,14 @@ vipnettikasinoklubi.com: did not receive HSTS header
 viral8.jp: could not connect to host
 viralboombox.xyz: could not connect to host
 virginiacrimeanalysisnetwork.org: did not receive HSTS header
+virial.de: did not receive HSTS header
 viris.si: max-age too low: 536000
 virtualhealth.com: did not receive HSTS header
 virtualstrongbox.ca: did not receive HSTS header
 visa-shinsei.com: did not receive HSTS header
 visanhigia.com: could not connect to host
 viserproject.com: did not receive HSTS header
+visioflux-premium.com: did not receive HSTS header
 vision-painting.com: did not receive HSTS header
 visiondigitalsog.com: could not connect to host
 visiongamestudios.com: could not connect to host
@@ -17216,14 +18649,17 @@ vitagenda.nl: could not connect to host
 vital-tel.co.uk: did not receive HSTS header
 vitalamin.at: could not connect to host
 vitalamin.ch: could not connect to host
+vitalamin.com: could not connect to host
+vitalamin.de: did not receive HSTS header
 vitalita.cz: did not receive HSTS header
 vitalorange.com: did not receive HSTS header
 vitalthings.de: could not connect to host
 vitamaxxi.com.br: could not connect to host
-vitapingu.de: could not connect to host
+vitamineproteine.com: did not receive HSTS header
 vitta.me: did not receive HSTS header
 vitzro.kr: could not connect to host
 viva-french.com: did not receive HSTS header
+vivamusic.es: did not receive HSTS header
 vivasports.com.br: could not connect to host
 viveconsalud.club: could not connect to host
 vivocloud.com: could not connect to host
@@ -17237,12 +18673,14 @@ vladimiroff.org: did not receive HSTS header
 vldkn.net: could not connect to host
 vleij.family: could not connect to host
 vlogge.com: did not receive HSTS header
-vlsk.eu: could not connect to host
+vlsk.eu: did not receive HSTS header
 vlzbazar.ru: could not connect to host
+vmem.jp: did not receive HSTS header
 vmrdev.com: could not connect to host
 vmstan.com: did not receive HSTS header
 vndb.org: could not connect to host
 vocab.guru: could not connect to host
+vocalik.com: could not connect to host
 vocalsynth.space: could not connect to host
 voceinveste.com: did not receive HSTS header
 vodpay.com: could not connect to host
@@ -17264,6 +18702,7 @@ voipkb.com: did not receive HSTS header
 voiro.club: could not connect to host
 voirodaisuki.club: could not connect to host
 vokalsystem.com: did not receive HSTS header
+vokurka.net: did not receive HSTS header
 volatimer.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 volbyzive.cz: did not receive HSTS header
 volcain.io: could not connect to host
@@ -17283,20 +18722,20 @@ vonavy-cukor.sk: could not connect to host
 vonavycukor.sk: could not connect to host
 vonedelmann.de: did not receive HSTS header
 vongerlach.at: did not receive HSTS header
-vonterra.us: did not receive HSTS header
 vooreenveiligthuis.nl: did not receive HSTS header
 voorjou.com: did not receive HSTS header
 vorangerie.com: could not connect to host
 vorderklier.de: could not connect to host
 vorkbaard.nl: did not receive HSTS header
+vorte.ga: could not connect to host
 vortexhobbies.com: did not receive HSTS header
 vosjesweb.nl: could not connect to host
 votercircle.com: did not receive HSTS header
 voterstartingpoint.uk: did not receive HSTS header
 votewa.gov: could not connect to host
+votre-site-internet.ch: could not connect to host
 votresiteweb.ch: could not connect to host
 vow.vn: could not connect to host
-vowsy.club: did not receive HSTS header
 vox.vg: did not receive HSTS header
 vozami.com: could not connect to host
 vpip.net: could not connect to host
@@ -17307,6 +18746,7 @@ vpnhot.com: could not connect to host
 vpnzoom.com: did not receive HSTS header
 vps-szerver-berles.hu: could not connect to host
 vpsmojo.com: could not connect to host
+vpsvz.cloud: could not connect to host
 vqporn.com: could not connect to host
 vranjske.co.rs: could not connect to host
 vratny.space: could not connect to host
@@ -17332,15 +18772,17 @@ vsamsonov.com: could not connect to host
 vsc-don-stocksport.de: did not receive HSTS header
 vtuber-schedule.info: could not connect to host
 vucdn.com: could not connect to host
+vulndetect.org: did not receive HSTS header
 vulnerabilities.io: could not connect to host
 vuosaarenmontessoritalo.fi: did not receive HSTS header
 vvl.me: did not receive HSTS header
-vvzero.cf: could not connect to host
 vw-touranclub.cz: could not connect to host
 vwoforangeparts.com: could not connect to host
 vwt-event.nl: could not connect to host
+vww-8522.com: could not connect to host
 vxapps.com: could not connect to host
 vxml.club: could not connect to host
+vxst.org: max-age too low: 2592000
 vxz.me: could not connect to host
 vykup-car.ru: could not connect to host
 vynedmusic.com: could not connect to host
@@ -17351,11 +18793,13 @@ vyvygen.com: did not receive HSTS header
 vyzner.cz: could not connect to host
 vzk.io: could not connect to host
 w10club.com: could not connect to host
+w1221.com: could not connect to host
 w2gshop.com.br: could not connect to host
 w4a.fr: could not connect to host
 w4b.in: could not connect to host
 w4xzr.top: could not connect to host
 w4xzr.xyz: could not connect to host
+w84.it: could not connect to host
 w9rld.com: did not receive HSTS header
 wabifoggynuts.com: could not connect to host
 wachter.biz: could not connect to host
@@ -17367,6 +18811,7 @@ wafairhaven.com.au: did not receive HSTS header
 wafni.com: could not connect to host
 wai-in.com: could not connect to host
 wai-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+waidu.de: did not receive HSTS header
 wail.net: could not connect to host
 wait.moe: could not connect to host
 waixingrenfuli7.vip: could not connect to host
@@ -17378,12 +18823,14 @@ waka88.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 wakapp.de: could not connect to host
 wakened.net: did not receive HSTS header
 waldkinder-ilmenau.de: did not receive HSTS header
+waligorska.pl: could not connect to host
 walkeryoung.ca: could not connect to host
 walkingforhealth.org.uk: did not receive HSTS header
 wallabag.it: did not receive HSTS header
 wallabag.org: did not receive HSTS header
 wallacequinn.co.uk: did not receive HSTS header
 wallet.google.com: did not receive HSTS header (error ignored - included regardless)
+wallingford.cc: could not connect to host
 wallsblog.dk: could not connect to host
 walnutgaming.co.uk: could not connect to host
 walterlynnmosley.com: did not receive HSTS header
@@ -17395,15 +18842,17 @@ wanda79.com: could not connect to host
 wanda96.com: could not connect to host
 wanda97.com: could not connect to host
 wanda98.com: could not connect to host
-wandercue.com: did not receive HSTS header
+wandercue.com: could not connect to host
 wangjiatun.com.tw: could not connect to host
+wangjun.me: did not receive HSTS header
 wangkezun.com: could not connect to host
+wangler-internet.de: did not receive HSTS header
+wangqiliang.org: could not connect to host
 wangqiliang.xn--fiqs8s: could not connect to host
 wangql.cn: could not connect to host
 wanquanojbk.com: did not receive HSTS header
 wantshow.com.br: did not receive HSTS header
-wanvi.net: did not receive HSTS header
-wanybug.cn: could not connect to host
+wanybug.cn: did not receive HSTS header
 wapgu.cc: could not connect to host
 wapjt.cn: could not connect to host
 wapking.live: could not connect to host
@@ -17411,15 +18860,17 @@ wapt.fr: did not receive HSTS header
 warandpeace.xyz: could not connect to host
 warcraftjournal.org: could not connect to host
 wardsegers.be: did not receive HSTS header
-warehost.de: could not connect to host
+warehost.de: did not receive HSTS header
 warekon.com: could not connect to host
 warekon.dk: could not connect to host
-warenmedia.com: could not connect to host
 warezaddict.com: could not connect to host
 warhistoryonline.com: did not receive HSTS header
 warlions.info: could not connect to host
 warmestwishes.ca: could not connect to host
 warnings.xyz: could not connect to host
+warp-radio.com: could not connect to host
+warp-radio.net: could not connect to host
+warp-radio.tv: could not connect to host
 warped.com: did not receive HSTS header
 warren.sh: could not connect to host
 warrencreative.com: did not receive HSTS header
@@ -17427,31 +18878,35 @@ warsentech.com: did not receive HSTS header
 warumsuchen.at: did not receive HSTS header
 wasatchconstables.com: did not receive HSTS header
 wasatchcrest.com: did not receive HSTS header
-wasserburg.dk: did not receive HSTS header
+washandfun.com: did not receive HSTS header
 wassim.is: did not receive HSTS header
 watashi.bid: could not connect to host
 watchium.com: did not receive HSTS header
-watchtv-online.pw: max-age too low: 0
+watchtv-online.pw: could not connect to host
 watchweasel.com: could not connect to host
+waterfedpole.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 waterforlife.net.au: did not receive HSTS header
 waterpoint.com.br: could not connect to host
 watersportmarkt.net: did not receive HSTS header
+watertrails.io: could not connect to host
 watsonhall.uk: could not connect to host
 wattechweb.com: did not receive HSTS header
+wave-ola.es: did not receive HSTS header
 wavefloatrooms.com: did not receive HSTS header
 wavefrontsystemstech.com: could not connect to host
 wavesoftime.com: could not connect to host
 waxlrs.com: could not connect to host
+wayfairertravel.com: did not receive HSTS header
 waylaydesign.com: did not receive HSTS header
 waylee.net: did not receive HSTS header
 wbit.co.il: did not receive HSTS header
 wbut.ml: could not connect to host
+wd627.com: could not connect to host
+wd976.com: could not connect to host
 wdesk.com: did not receive HSTS header
-wdmg.com.ua: max-age too low: 604800
 wdrl.info: did not receive HSTS header
 wdt.io: could not connect to host
 we.serveftp.net: could not connect to host
-wealthcentral.com.au: did not receive HSTS header
 wealthformyhealth.com: did not receive HSTS header
 wear2work.nl: could not connect to host
 wearedisneyland.com: did not receive HSTS header
@@ -17462,13 +18917,15 @@ weaverhairextensions.nl: could not connect to host
 web-adminy.co.uk: could not connect to host
 web-advisor.co.uk: could not connect to host
 web-demarche.com: could not connect to host
+web-dl.cc: did not receive HSTS header
 web-industry.fr: could not connect to host
 web-insider.net: did not receive HSTS header
+web-thinker.ru: could not connect to host
 web-vision.de: did not receive HSTS header
 web4all.fr: did not receive HSTS header
 web4pro.fr: could not connect to host
 webandwords.com.au: could not connect to host
-webanker.sh: could not connect to host
+webanker.sh: did not receive HSTS header
 webapky.cz: could not connect to host
 webapps.directory: could not connect to host
 webart-factory.de: could not connect to host
@@ -17477,23 +18934,27 @@ webauthority.co.uk: did not receive HSTS header
 webbuzz.com.au: did not receive HSTS header
 webbx.se: did not receive HSTS header
 webchat.domains: did not receive HSTS header
-webcreation.rocks: did not receive HSTS header
+webcreation.rocks: could not connect to host
+webdeflect.com: did not receive HSTS header
 webdesign-kronberg.de: did not receive HSTS header
 webdesignssussex.co.uk: could not connect to host
 webdev-quiz.de: did not receive HSTS header
 webdev.mobi: could not connect to host
+webdollarvpn.io: could not connect to host
 webdosh.com: did not receive HSTS header
 webeconomia.it: did not receive HSTS header
 webelement.sk: did not receive HSTS header
 weberjulia.com: could not connect to host
+webfox.com.br: did not receive HSTS header
 webfronten.dk: did not receive HSTS header
 webgaff.com: could not connect to host
 webgap.me: did not receive HSTS header
-webgreat.de: max-age too low: 3600
+webgreat.de: did not receive HSTS header
 webhackspro.com: could not connect to host
 webhelyesarcu.hu: did not receive HSTS header
 webhosting4.net: did not receive HSTS header
 webhostingpros.ml: could not connect to host
+webhostingshop.ca: could not connect to host
 webless.com: could not connect to host
 weblogic.pl: did not receive HSTS header
 webm.to: could not connect to host
@@ -17512,19 +18973,20 @@ webneuch.swiss: did not receive HSTS header
 webninja.work: could not connect to host
 webnoob.net: could not connect to host
 webnosql.com: could not connect to host
-webperformance.ru: could not connect to host
+webogram.org: could not connect to host
+webperformance.ru: did not receive HSTS header
 webproshosting.tk: could not connect to host
+webproxy.pw: could not connect to host
 webpublica.pt: could not connect to host
 webreslist.com: did not receive HSTS header
 websandbox.uk: could not connect to host
 websectools.com: could not connect to host
 webseo.de: did not receive HSTS header
-websiteadvice.com.au: did not receive HSTS header
 websitedesign.bg: did not receive HSTS header
+websiterent.ca: could not connect to host
 websitesabq.com: did not receive HSTS header
 webspotter.nl: could not connect to host
 webstationservice.fr: could not connect to host
-webstellung.com: did not receive HSTS header
 webstory.xyz: could not connect to host
 webswitch.io: did not receive HSTS header
 webtar.info: could not connect to host
@@ -17533,27 +18995,29 @@ webtechgadgetry.com: could not connect to host
 webtek.nu: could not connect to host
 webthings.com.br: could not connect to host
 webtiles.co.uk: could not connect to host
-webtobesocial.de: could not connect to host
-webukhost.com: could not connect to host
 webuni.hu: did not receive HSTS header
 webveloper.com: did not receive HSTS header
 webwolf.co.za: could not connect to host
 webwork.pw: did not receive HSTS header
 webypass.xyz: could not connect to host
+webz.one: could not connect to host
 webzanem.com: could not connect to host
 wecanfindit.co.za: could not connect to host
 wecanvisit.com: could not connect to host
 wedding-m.jp: did not receive HSTS header
-weddingalbumsdesign.com: did not receive HSTS header
+weddingalbumsdesign.com: max-age too low: 2592000
 weddingenvelopes.co.uk: did not receive HSTS header
+weddingfantasy.ru: could not connect to host
 weddingibiza.nl: could not connect to host
-wedotrains.club: did not receive HSTS header
+wedotrains.club: could not connect to host
 weebsr.us: could not connect to host
 weed.ren: could not connect to host
 weedcircles.com: did not receive HSTS header
 weedlandia.org: could not connect to host
 weekly.fyi: could not connect to host
 wegenaer.nl: could not connect to host
+wegethitched.co.uk: could not connect to host
+weggeweest.nl: could not connect to host
 wegner.no: could not connect to host
 weicn.org: did not receive HSTS header
 weightreviews.com: could not connect to host
@@ -17562,12 +19026,13 @@ weiler.xyz: could not connect to host
 weimaraner.com.br: could not connect to host
 weinhandel-preissler.de: could not connect to host
 weirdserver.com: could not connect to host
-weiyuz.com: max-age too low: 6585555
+weixiaojun.org: did not receive HSTS header
 weizenke.im: could not connect to host
 wejumall.com: could not connect to host
 wekibe.de: could not connect to host
-welby.cat: could not connect to host
+welby.cat: did not receive HSTS header
 welches-kinderfahrrad.de: could not connect to host
+welcomehelp.de: could not connect to host
 welkers.org: could not connect to host
 wellastore.ru: could not connect to host
 wellcomp.com.br: did not receive HSTS header
@@ -17582,16 +19047,18 @@ welovejobs.com: did not receive HSTS header
 welovemail.com: could not connect to host
 welpo.me: could not connect to host
 welpy.com: could not connect to host
+welsh.com.br: could not connect to host
 weltentreff.com: could not connect to host
 weltmeisterschaft.net: could not connect to host
-weme.eu: could not connect to host
+weme.eu: did not receive HSTS header
 wen-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 wen-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 wenchieh.com: could not connect to host
 wendalyncheng.com: did not receive HSTS header
-wener.me: could not connect to host
+wendu.me: could not connect to host
 wengebowuguan.com: could not connect to host
 wenode.net: did not receive HSTS header
+wenta-computerservice.net: could not connect to host
 wentu.ml: could not connect to host
 wenz.io: did not receive HSTS header
 wer.sh: could not connect to host
@@ -17603,8 +19070,6 @@ werkenbijkfc.nl: did not receive HSTS header
 werkplaatsoost.nl: did not receive HSTS header
 werkruimtebottendaal.nl: could not connect to host
 werkz.io: could not connect to host
-werner-schaeffer.de: did not receive HSTS header
-wernerschaeffer.de: did not receive HSTS header
 wes-dev.com: did not receive HSTS header
 wesayyesprogram.com: could not connect to host
 wesleyharris.ca: did not receive HSTS header
@@ -17613,6 +19078,7 @@ westcoastaggregate.com: could not connect to host
 westendzone.com: could not connect to host
 westerhoud.nl: did not receive HSTS header
 westhighlandwhiteterrier.com.br: could not connect to host
+westlaketire.pt: did not receive HSTS header
 westlinwinds.com: could not connect to host
 westsussexconnecttosupport.org: could not connect to host
 westtulsa.com: could not connect to host
@@ -17626,14 +19092,14 @@ wetthost.com: could not connect to host
 wetttipps.com: could not connect to host
 wetttipps.de: could not connect to host
 wevahoo.com: could not connect to host
-wevg.org: did not receive HSTS header
 wevolver.com: did not receive HSTS header
 wewillgo.com: could not connect to host
 wewillgo.org: did not receive HSTS header
 wewlad.me: could not connect to host
 weyland.tech: did not receive HSTS header
-wezl.net: did not receive HSTS header
+weynaphotography.com: did not receive HSTS header
 wf-training-master.appspot.com: did not receive HSTS header (error ignored - included regardless)
+wfl.ro: did not receive HSTS header
 wftda.com: did not receive HSTS header
 wg-tools.de: could not connect to host
 whanau.org: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
@@ -17651,24 +19117,25 @@ whereismyorigin.cf: could not connect to host
 wherephoto.com: did not receive HSTS header
 wheresben.today: could not connect to host
 whilsttraveling.com: could not connect to host
+whimtrip.fr: could not connect to host
 whisker.network: could not connect to host
-whiskyglazen.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-whisperinghoperanch.org: did not receive HSTS header
 whistler-transfers.com: did not receive HSTS header
 whitehat.id: could not connect to host
 whiterabbit.org: did not receive HSTS header
 whiterabbitcakery.com: could not connect to host
 whiteready.it: did not receive HSTS header
 whiteroom.agency: did not receive HSTS header
+whiterose.goip.de: could not connect to host
 whitestagforge.com: did not receive HSTS header
+whoasome.com: could not connect to host
 whoclicks.net: could not connect to host
-whoisamitsingh.com: did not receive HSTS header
+whoisamitsingh.com: could not connect to host
 whoisapi.online: could not connect to host
 whoiscuter.ml: could not connect to host
 whoiscutest.ml: could not connect to host
 wholebites.com: max-age too low: 7889238
 wholelotofbounce.co.uk: did not receive HSTS header
-wholikes.us: could not connect to host
+wholikes.us: did not receive HSTS header
 whoneedstobeprimaried.today: could not connect to host
 whoownsmyavailability.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 whoshotya.de: did not receive HSTS header
@@ -17701,16 +19168,18 @@ willcipriano.com: could not connect to host
 willeminfo.ch: did not receive HSTS header
 willemsjort.be: did not receive HSTS header
 william.gg: did not receive HSTS header
-william.si: did not receive HSTS header
+william.si: could not connect to host
 williamboundsltd.com: could not connect to host
 williamsapiens.com: could not connect to host
 williamsflintlocks.com: did not receive HSTS header
 williamtm.design: could not connect to host
-willkommen-fuerstenberg.de: could not connect to host
+willkommen-fuerstenberg.de: did not receive HSTS header
 willosagiede.com: did not receive HSTS header
 wilsonovi.com: could not connect to host
+wilsonvilleoregon.gov: could not connect to host
 winaes.com: did not receive HSTS header
 winclient.cn: could not connect to host
+wind.moe: could not connect to host
 windholz.us: could not connect to host
 windows10insider.com: did not receive HSTS header
 windowsforum.com: did not receive HSTS header
@@ -17720,20 +19189,19 @@ windrunner.se: could not connect to host
 winds.cf: could not connect to host
 windwoodmedia.com: could not connect to host
 windwoodweb.com: could not connect to host
-wine-importer.ru: did not receive HSTS header
+wine-importer.ru: could not connect to host
 winebid.com: could not connect to host
 winecodeavocado.com: could not connect to host
 wineonthewall.com: max-age too low: 300
 wineworksonline.com: could not connect to host
 winfield.me.uk: did not receive HSTS header
-winfieldchen.me: did not receive HSTS header
 winged.io: did not receive HSTS header
 wingos.net: could not connect to host
 wingumd.net: could not connect to host
 winnersports.co: could not connect to host
 winpack.cf: could not connect to host
 winpack.eu.org: could not connect to host
-winportal.cz: did not receive HSTS header
+winportal.cz: could not connect to host
 winsec.nl: could not connect to host
 winshiplending.com: could not connect to host
 winsufi.biz: could not connect to host
@@ -17742,13 +19210,13 @@ wipc.net: did not receive HSTS header
 wipply.com: could not connect to host
 wirbatz.org: did not receive HSTS header
 wirc.gr: could not connect to host
-wiredcut.com: did not receive HSTS header
-wireframesoftware.com: could not connect to host
+wiredcut.com: could not connect to host
 wireless-emergency-stop.com: did not receive HSTS header
 wirelesswatch.com.au: could not connect to host
-wiretrip.io: did not receive HSTS header
+wiretrip.io: could not connect to host
 wirkaufendeinau.to: could not connect to host
 wisak.eu: could not connect to host
+wisal.org: did not receive HSTS header
 wisdomize.me: could not connect to host
 wiseflat.com: did not receive HSTS header
 wiseloan.com: did not receive HSTS header
@@ -17759,7 +19227,7 @@ witae.com: could not connect to host
 withgoogle.com: did not receive HSTS header (error ignored - included regardless)
 withlocals.com: did not receive HSTS header
 withmy.beer: could not connect to host
-withoutacrystalball.com: did not receive HSTS header
+withoutacrystalball.com: could not connect to host
 withustrading.com: did not receive HSTS header
 withyoutube.com: did not receive HSTS header (error ignored - included regardless)
 wittcher.com: could not connect to host
@@ -17767,6 +19235,7 @@ wittepapaver.nl: did not receive HSTS header
 witting.co: could not connect to host
 wittydonut.com: could not connect to host
 witzemaschine.com: max-age too low: 0
+wixguide.co: did not receive HSTS header
 wizardmeow.xin: could not connect to host
 wizardspire.com: did not receive HSTS header
 wizznab.tk: could not connect to host
@@ -17776,7 +19245,9 @@ wlzhiyin.cn: could not connect to host
 wmawri.com: did not receive HSTS header
 wmcuk.net: did not receive HSTS header
 wmfinanz.com: could not connect to host
+wmnrj.com: did not receive HSTS header
 wmoda.com.br: could not connect to host
+wmustore.com: did not receive HSTS header
 wnmed.com.au: did not receive HSTS header
 wnmm.nl: could not connect to host
 wnnc.co.uk: could not connect to host
@@ -17785,21 +19256,23 @@ wobblylang.org: could not connect to host
 wochenentwicklung.com: did not receive HSTS header
 wochennummern.de: could not connect to host
 wod-stavby.cz: could not connect to host
+wodboss.com: could not connect to host
 wodice.com: could not connect to host
 wohnungsbau-ludwigsburg.de: did not receive HSTS header
 woi.vision: could not connect to host
 woima.fi: max-age too low: 604800
-wokeai.net: could not connect to host
+wokeai.net: did not receive HSTS header
 woktoss.com: could not connect to host
 wolfemg.com: could not connect to host
 wolfenland.net: did not receive HSTS header
 wolfesden.com: could not connect to host
-wolfgang-kloke.de: could not connect to host
 wolfram.io: could not connect to host
 wolkenspeicher.org: could not connect to host
 wollekorb.de: could not connect to host
+womb.city: could not connect to host
 womf.org: did not receive HSTS header
 womosale.de: could not connect to host
+wonabo.com: could not connect to host
 wonderbooks.club: could not connect to host
 wonderfall.xyz: could not connect to host
 wonderhost.info: could not connect to host
@@ -17807,9 +19280,10 @@ wondershift.biz: did not receive HSTS header
 wondy.com: could not connect to host
 woodlandschurch.net: max-age too low: 43200
 woodmafia.com.au: could not connect to host
-woodworkertip.com: did not receive HSTS header
-woomai.net: did not receive HSTS header
+woodworkertip.com: could not connect to host
+woomai.net: could not connect to host
 woomu.me: could not connect to host
+wooplagaming.com: could not connect to host
 woording.com: could not connect to host
 wootton95.com: could not connect to host
 wooviet.com: could not connect to host
@@ -17823,26 +19297,32 @@ wordsofamaster.com: could not connect to host
 work-and-jockel.de: did not receive HSTS header
 workemy.com: could not connect to host
 workfone.io: could not connect to host
+workingmachine.info: could not connect to host
 workissime.com: did not receive HSTS header
 workpermit.com.vn: could not connect to host
+workplaces.online: did not receive HSTS header
 worksofwyoming.org: did not receive HSTS header
 workwithgo.com: could not connect to host
 world-education-association.org: could not connect to host
 worldchess.london: could not connect to host
+worldcrafts.org: did not receive HSTS header
 worldfree4.org: did not receive HSTS header
 worldlist.org: could not connect to host
+worldofterra.net: could not connect to host
 worldpovertysolutions.org: did not receive HSTS header
-worldrecipes.eu: did not receive HSTS header
 worldsbeststory.com: did not receive HSTS header
 worldwhisperer.net: could not connect to host
+wormdisk.net: could not connect to host
 wormholevpn.net: could not connect to host
 worshapp.com: did not receive HSTS header
-woshiluo.site: could not connect to host
+woti.dedyn.io: could not connect to host
+wow-foederation.de: could not connect to host
 wow-travel.eu: could not connect to host
 wow202y5.com: did not receive HSTS header
 wowapi.org: could not connect to host
 wowhelp.it: could not connect to host
 wowinvasion.com: did not receive HSTS header
+wp-bullet.com: did not receive HSTS header
 wp-fastsearch.de: could not connect to host
 wp-rescue.com.au: could not connect to host
 wp-stack.pro: could not connect to host
@@ -17851,6 +19331,9 @@ wpblog.com.tw: could not connect to host
 wpcarer.pro: could not connect to host
 wpcheck.io: could not connect to host
 wpcontrol.se: could not connect to host
+wpdesigner.ir: did not receive HSTS header
+wpdublin.com: could not connect to host
+wpexplainer.com: did not receive HSTS header
 wpfast.net: could not connect to host
 wpfortify.com: could not connect to host
 wpg-inc.com: did not receive HSTS header
@@ -17881,9 +19364,7 @@ writing-expert.com: could not connect to host
 wrldevelopment.com: did not receive HSTS header
 wroffle.com: did not receive HSTS header
 wrwg.ca: could not connect to host
-ws-meca.com: did not receive HSTS header
 wsb-immo.at: could not connect to host
-wscbiolo.id: could not connect to host
 wsdcap.com: could not connect to host
 wsor.group: did not receive HSTS header
 wss.com.ve: could not connect to host
@@ -17895,18 +19376,26 @@ wubify.com: did not receive HSTS header
 wubocong.com: did not receive HSTS header
 wubthecaptain.eu: could not connect to host
 wuchipc.com: could not connect to host
+wufu.org: did not receive HSTS header
 wufupay.com: could not connect to host
 wuhengmin.com: could not connect to host
 wulpi.it: did not receive HSTS header
 wumai.cloud: could not connect to host
+wumbo.cf: could not connect to host
+wumbo.ga: could not connect to host
+wumbo.gq: could not connect to host
 wumbo.kiwi: could not connect to host
+wumbo.ml: could not connect to host
+wumbo.tk: could not connect to host
 wundtherapie-schulung.de: could not connect to host
 wurzelzwerg.net: could not connect to host
 wusx.club: could not connect to host
 wutianxian.com: could not connect to host
 wvr-law.de: did not receive HSTS header
+wvv-8522.com: could not connect to host
+wvw-8522.com: could not connect to host
 wvw698.com: max-age too low: 2592000
-wwjd.dynu.net: could not connect to host
+wwbsb.xyz: could not connect to host
 wwv-8522.com: could not connect to host
 www-001133.com: could not connect to host
 www-0385.com: could not connect to host
@@ -17915,29 +19404,19 @@ www-1117.com: could not connect to host
 www-38978.com: could not connect to host
 www-39988.com: did not receive HSTS header
 www-507.net: could not connect to host
-www-62755.com: did not receive HSTS header
+www-62755.com: could not connect to host
 www-66136.com: did not receive HSTS header
 www-746.com: could not connect to host
-www-7570.com: could not connect to host
+www-7570.com: did not receive HSTS header
 www-771122.com: did not receive HSTS header
 www-8003.com: did not receive HSTS header
 www-88599.com: did not receive HSTS header
 www-8887999.com: could not connect to host
-www-9649.com: could not connect to host
+www-9649.com: did not receive HSTS header
 www-9995.com: could not connect to host
 www-djbet.com: could not connect to host
 www-jinshavip.com: could not connect to host
-www.amazon.ca: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.co.jp: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.co.uk: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.com.au: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.com.br: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.com.mx: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.fr: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.it: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-www.amazon.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
+www-pj009.com: could not connect to host
 www.captaintrain.com: did not receive HSTS header
 www.cueup.com: could not connect to host
 www.cyveillance.com: did not receive HSTS header
@@ -17947,7 +19426,7 @@ www.gmail.com: did not receive HSTS header (error ignored - included regardless)
 www.googlemail.com: did not receive HSTS header (error ignored - included regardless)
 www.gpo.gov: did not receive HSTS header
 www.greplin.com: could not connect to host
-www.icann.org: did not receive HSTS header
+www.intercom.io: did not receive HSTS header
 www.jitsi.org: did not receive HSTS header
 www.ledgerscope.net: could not connect to host
 www.logentries.com: did not receive HSTS header
@@ -17967,18 +19446,18 @@ wwww.me.uk: did not receive HSTS header
 wxrlab.com: could not connect to host
 wxukang.cn: could not connect to host
 wxyz.buzz: could not connect to host
-wxzm.sx: could not connect to host
 wy6.org: did not receive HSTS header
 wybmabiity.com: could not connect to host
 wygluszanie.eu: could not connect to host
-wylog.ph: did not receive HSTS header
 wyu.cc: could not connect to host
 wyzphoto.nl: did not receive HSTS header
 wyzwaniemilosci.com: could not connect to host
+wzfetish.com.br: could not connect to host
+wzrd.in: did not receive HSTS header
 x-pertservice.com: did not receive HSTS header
 x-power-detox.com: could not connect to host
 x-ripped-hd.com: could not connect to host
-x1be.win: could not connect to host
+x1be.win: did not receive HSTS header
 x23.eu: did not receive HSTS header
 x2c0.net: did not receive HSTS header
 x2w.io: could not connect to host
@@ -17993,17 +19472,16 @@ xat.re: did not receive HSTS header
 xavier.is: could not connect to host
 xavierbarroso.com: did not receive HSTS header
 xbc.nz: could not connect to host
+xbertschy.com: did not receive HSTS header
 xbind.io: could not connect to host
 xchangeinfo.com: could not connect to host
 xchating.com: could not connect to host
+xcler8.com: could not connect to host
 xcompany.one: could not connect to host
 xcoop.me: did not receive HSTS header
 xd.fi: did not receive HSTS header
 xd.gov: did not receive HSTS header
 xdd.io: could not connect to host
-xdty.org: could not connect to host
-xecure.zone: could not connect to host
-xecureit.com: could not connect to host
 xehoivn.vn: could not connect to host
 xellos.ga: could not connect to host
 xellos.ml: could not connect to host
@@ -18011,7 +19489,7 @@ xenesisziarovky.sk: could not connect to host
 xenosphere.tk: could not connect to host
 xeonlab.com: could not connect to host
 xeonlab.de: could not connect to host
-xett.com: could not connect to host
+xett.com: did not receive HSTS header
 xfive.de: could not connect to host
 xfrag-networks.com: did not receive HSTS header
 xg3n1us.de: did not receive HSTS header
@@ -18020,13 +19498,15 @@ xhadius.de: could not connect to host
 xia100.xyz: could not connect to host
 xiangqiushi.com: did not receive HSTS header
 xianguocy.com: could not connect to host
+xiaobude.cn: did not receive HSTS header
 xiaody.me: could not connect to host
+xiaofengsky.com: did not receive HSTS header
 xiaolan.me: could not connect to host
 xiaolvmu.com: could not connect to host
 xiaolvmu.me: could not connect to host
 xiaoxiao.im: could not connect to host
 xiaxuejin.cn: could not connect to host
-xiazhanjian.com: could not connect to host
+xiazhanjian.com: did not receive HSTS header
 xice.cf: could not connect to host
 xilegames.com: could not connect to host
 ximage.me: could not connect to host
@@ -18034,23 +19514,27 @@ ximens.me: could not connect to host
 xin-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 xin-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 xinbiji.cn: could not connect to host
+xinbo270.com: could not connect to host
 xinex.cz: did not receive HSTS header
 xing-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 xing.ml: could not connect to host
 xinghuokeji.xin: could not connect to host
 xingiahanvisa.net: did not receive HSTS header
 xinnixwebshop.be: did not receive HSTS header
+xinplay.net: max-age too low: 0
+xinsane.com: could not connect to host
 xiqi.us: did not receive HSTS header
 xirion.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 xisa.it: could not connect to host
 xivpn.com: could not connect to host
 xiyu.it: did not receive HSTS header
 xiyu.moe: did not receive HSTS header
-xjoi.net: did not receive HSTS header
-xlaff.com: could not connect to host
-xlboo.com: could not connect to host
+xj8876.com: max-age too low: 2592000
+xlaff.com: did not receive HSTS header
+xlboo.com: did not receive HSTS header
 xlfblog.com: did not receive HSTS header
 xlinar.com: could not connect to host
+xlui.me: did not receive HSTS header
 xmerak.com: did not receive HSTS header
 xmiui.com: could not connect to host
 xmonk.org: did not receive HSTS header
@@ -18078,6 +19562,7 @@ xn--80ablh1c.online: could not connect to host
 xn--80ac0aqlt.xn--p1ai: could not connect to host
 xn--80aocgsfei.xn--p1ai: could not connect to host
 xn--88j2fy28hbxmnnf9zlw5buzd.com: did not receive HSTS header
+xn--8dry00a7se89ay98epsgxxq.com: did not receive HSTS header
 xn--8mr166hf6s.xn--fiqs8s: could not connect to host
 xn--98jm6m.jp: could not connect to host
 xn--9pr52k0p5a.com: did not receive HSTS header
@@ -18087,12 +19572,14 @@ xn--cckvb1cwa0c5br5e2d2711k.net: could not connect to host
 xn--datenrettung-mnchen-jbc.com: did not receive HSTS header
 xn--dckya4a0bya6x.com: could not connect to host
 xn--dckya4a0bya6x.jp: could not connect to host
+xn--die-zahnrzte-ncb.de: did not receive HSTS header
 xn--dk8haaa.ws: could not connect to host
-xn--dmontaa-9za.com: did not receive HSTS header
 xn--e--0g4aiy1b8rmfg3o.jp: could not connect to host
 xn--e--4h4axau6ld4lna0g.com: could not connect to host
 xn--e--ig4a4c3f6bvc5et632i.com: could not connect to host
 xn--e--k83a5h244w54gttk.xyz: could not connect to host
+xn--eckle6c0exa0b0modc7054g7h8ajw6f.com: did not receive HSTS header
+xn--ehq13kgw4e.ml: could not connect to host
 xn--ekr87w7se89ay98ezcs.biz: did not receive HSTS header
 xn--gfrrli-yxa.ch: could not connect to host
 xn--gmq92k.nagoya: could not connect to host
@@ -18102,6 +19589,7 @@ xn--hwt895j.xn--kpry57d: could not connect to host
 xn--internetlnen-1cb.com: could not connect to host
 xn--jp-6l5cs1yf3ivjsglphyv.net: could not connect to host
 xn--jywq5uqwqxhd2onsij.jp: did not receive HSTS header
+xn--keditr-0xa.biz: could not connect to host
 xn--l8j9d2b.jp: could not connect to host
 xn--lgb3a8bcpn.cf: could not connect to host
 xn--lgb3a8bcpn.ga: could not connect to host
@@ -18119,11 +19607,13 @@ xn--milchaufschumer-test-lzb.de: could not connect to host
 xn--n8jubz39q0g0afpa985c.com: could not connect to host
 xn--neb-tma3u8u.xyz: could not connect to host
 xn--o77hka.ga: could not connect to host
+xn--oiqt18e8e2a.eu.org: could not connect to host
 xn--p8jskj.jp: could not connect to host
 xn--pck4e3a2ex597b4ml.xyz: did not receive HSTS header
 xn--pckqk6xk43lunk.net: could not connect to host
 xn--qckqc0nxbyc4cdb4527err7c.biz: did not receive HSTS header
 xn--qckyd1cu698a35zarib.xyz: could not connect to host
+xn--qfun83b.ga: could not connect to host
 xn--r77hya.ga: could not connect to host
 xn--rt-cja.eu: could not connect to host
 xn--sdkwa9azd389v01ya.com: could not connect to host
@@ -18131,6 +19621,7 @@ xn--srenpind-54a.dk: could not connect to host
 xn--t8j2a3042d.xyz: could not connect to host
 xn--tda.ml: could not connect to host
 xn--thorme-6uaf.ca: could not connect to host
+xn--trdler-xxa.xyz: could not connect to host
 xn--u9jy16ncfao19mo8i.nagoya: could not connect to host
 xn--uist1idrju3i.jp: did not receive HSTS header
 xn--uort9oqoaj00bv04d.biz: did not receive HSTS header
@@ -18139,8 +19630,8 @@ xn--vck8crc010pu14e.biz: could not connect to host
 xn--vck8crc655y34ioha.net: could not connect to host
 xn--vck8crcu789ajtaj92eura.xyz: could not connect to host
 xn--w22a.jp: could not connect to host
-xn--werner-schffer-fib.de: did not receive HSTS header
-xn--wmq.jp: could not connect to host
+xn--werner-schffer-fib.de: could not connect to host
+xn--wmq.jp: did not receive HSTS header
 xn--xdtx3pfzbiw3ar8e7yedqrhui.com: could not connect to host
 xn--xz1a.jp: could not connect to host
 xn--y8j2eb5631a4qf5n0h.com: could not connect to host
@@ -18150,12 +19641,13 @@ xn--ykrp42k.com: could not connect to host
 xn--yoamomisuasbcn-ynb.com: could not connect to host
 xn--zck9a4b352yuua.jp: did not receive HSTS header
 xng.io: did not receive HSTS header
-xnu.kr: could not connect to host
+xnode.org: could not connect to host
 xobox.me: could not connect to host
 xoda.pw: could not connect to host
 xoffy.com: did not receive HSTS header
 xom.party: could not connect to host
 xombra.com: could not connect to host
+xoonth.net: could not connect to host
 xor-a.net: could not connect to host
 xotika.tv: could not connect to host
 xpbytes.com: did not receive HSTS header
@@ -18165,10 +19657,13 @@ xpi.fr: could not connect to host
 xpj.bet: did not receive HSTS header
 xpj.sx: could not connect to host
 xpjcunkuan.com: could not connect to host
+xplore-dna.net: could not connect to host
 xpressprint.com.br: max-age too low: 90
+xps2pdf.co.uk: could not connect to host
+xps2pdf.info: could not connect to host
 xpwn.cz: did not receive HSTS header
+xq55.com: did not receive HSTS header
 xqin.net: could not connect to host
-xrippedhd.com: could not connect to host
 xroot.org: did not receive HSTS header
 xrp.pw: could not connect to host
 xscancun.com: could not connect to host
@@ -18179,7 +19674,7 @@ xt.om: did not receive HSTS header
 xtenz.xyz: could not connect to host
 xtom.email: could not connect to host
 xtom.io: could not connect to host
-xtream-hosting.com: could not connect to host
+xtream-hosting.com: did not receive HSTS header
 xtream-hosting.de: could not connect to host
 xtream-hosting.eu: could not connect to host
 xtreamhosting.eu: could not connect to host
@@ -18198,14 +19693,9 @@ xxx3dbdsm.com: could not connect to host
 xxxladyboysporn.com: could not connect to host
 xxxred.net: could not connect to host
 xy1919.com: could not connect to host
-xy6161.com: could not connect to host
-xy6262.com: could not connect to host
-xy6363.com: could not connect to host
-xy7171.com: could not connect to host
-xy7272.com: could not connect to host
-xy7373.com: could not connect to host
 xyndrac.net: max-age too low: 2592000
 xynex.us: could not connect to host
+xyngular-health.com: did not receive HSTS header
 xynta.ch: could not connect to host
 xyyp.mn: could not connect to host
 xzoneadventure.com: did not receive HSTS header
@@ -18229,21 +19719,27 @@ yao-in.com: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR
 yao-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 yaoidreams.com: could not connect to host
 yaporn.tv: could not connect to host
-yarchives.jp: max-age too low: 0
+yarchives.jp: could not connect to host
 yard-fu.com: could not connect to host
 yardbird.us: could not connect to host
 yarnhookup.com: did not receive HSTS header
+yarogneva.ru: could not connect to host
 yasinaydin.net: did not receive HSTS header
 yasutomonodokoiko.com: did not receive HSTS header
 yaucy.win: could not connect to host
 yawen.tw: did not receive HSTS header
+yawnbox.com: did not receive HSTS header
+yayart.club: could not connect to host
+yazaral.com: did not receive HSTS header
 ybscareers.co.uk: did not receive HSTS header
+ybt520.com: did not receive HSTS header
 ycaaz.com: did not receive HSTS header
 ycc.wtf: could not connect to host
 ycm2.wtf: could not connect to host
 ydy.jp: could not connect to host
 yello.website: could not connect to host
 yellowcar.website: could not connect to host
+yellowfly.co.uk: did not receive HSTS header
 yemalu.com: could not connect to host
 yemekbaz.az: could not connect to host
 yennhi.co: could not connect to host
@@ -18255,20 +19751,22 @@ yenniferallulli.nl: could not connect to host
 yepbitcoin.com: could not connect to host
 yesdevnull.net: did not receive HSTS header
 yesfone.com.br: could not connect to host
+yeshu.org: could not connect to host
+yesiammaisey.me: could not connect to host
 yestees.com: did not receive HSTS header
 yetcore.io: could not connect to host
 yetishirt.com: could not connect to host
 yffengshi.ml: could not connect to host
 ygcdyf.com: did not receive HSTS header
 yggdar.ga: could not connect to host
-yh35.net: max-age too low: 86400
+yh35.net: could not connect to host
 yhori.xyz: could not connect to host
 yhwj.top: could not connect to host
 yibaoweilong.top: could not connect to host
 yibin0831.com: could not connect to host
+yicknam.my: could not connect to host
 yiffy.tips: did not receive HSTS header
 yiffy.zone: did not receive HSTS header
-yigujin.cn: could not connect to host
 yikzu.cn: could not connect to host
 yin.roma.it: did not receive HSTS header
 yin8888.tv: did not receive HSTS header
@@ -18276,18 +19774,23 @@ ying299.com: could not connect to host
 ying299.net: could not connect to host
 yinga.ga: did not receive HSTS header
 yingsuo.ltd: could not connect to host
-yingyj.com: could not connect to host
+yingyj.com: did not receive HSTS header
 yinhe12.net: did not receive HSTS header
 yipingguo.com: could not connect to host
 yippie.nl: could not connect to host
 yizhu.com: could not connect to host
+yjsw.sh.cn: could not connect to host
 ylilauta.org: could not connect to host
 ylk.io: could not connect to host
+ylwz.cc: did not receive HSTS header
 ynode.co: did not receive HSTS header
 ynsn.nl: could not connect to host
 yntongji.com: could not connect to host
+ynxfh.cn: did not receive HSTS header
 yob.vn: could not connect to host
+yobai28.com: did not receive HSTS header
 yobst.tk: could not connect to host
+yocchan1513.net: did not receive HSTS header
 yoga-prive.de: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 yoga.is-an-engineer.com: could not connect to host
 yogatrainingrishikesh.com: could not connect to host
@@ -18302,17 +19805,19 @@ yoloprod.fr: could not connect to host
 yoloseo.com: could not connect to host
 yomena.in: could not connect to host
 yomepre.com: could not connect to host
-yongbin.org: did not receive HSTS header
 yopers.com: did not receive HSTS header
 yorkshireterrier.com.br: could not connect to host
-yorname.ml: did not receive HSTS header
 yoru.me: could not connect to host
+yosheenetwork.fr: could not connect to host
+yotilab.com: could not connect to host
 yotilabs.com: could not connect to host
-youcaitian.com: did not receive HSTS header
+youcaitian.com: could not connect to host
 youcancraft.de: could not connect to host
 youcontrol.ru: could not connect to host
 youdowell.com: did not receive HSTS header
 youfencun.com: did not receive HSTS header
+youftp.tk: could not connect to host
+yougot.pw: could not connect to host
 youjizz.bz: could not connect to host
 youlend.com: did not receive HSTS header
 youlog.net: could not connect to host
@@ -18322,11 +19827,13 @@ youngandunited.nl: did not receive HSTS header
 younl.net: could not connect to host
 youon.tokyo: did not receive HSTS header
 yourbapp.ch: could not connect to host
+yourfriendlytech.com: could not connect to host
+yourgadget.ro: could not connect to host
 yourgame.co.il: did not receive HSTS header
-yourhair.net: could not connect to host
+yourhair.net: max-age too low: 0
 youri.me: could not connect to host
 yourlovesong.com.mx: could not connect to host
-yourname.xyz: did not receive HSTS header
+yourname.xyz: could not connect to host
 yoursbookstore.jp: max-age too low: 0
 yoursecondphone.co: could not connect to host
 yourself.today: could not connect to host
@@ -18343,7 +19850,7 @@ youyoulemon.com: could not connect to host
 ypcs.fi: did not receive HSTS header
 ypiresia.fr: could not connect to host
 yryz.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
-ysicing.net: could not connect to host
+yspeo.biz: did not receive HSTS header
 yspeo.com: max-age too low: 2592000
 ysx.me.uk: did not receive HSTS header
 ytb.zone: did not receive HSTS header
@@ -18355,8 +19862,10 @@ ytpak.com: could not connect to host
 ytvwld.de: did not receive HSTS header
 yu7.jp: did not receive HSTS header
 yuanbenlian.com: did not receive HSTS header
+yuanjiazhao.tk: could not connect to host
 yudan.com.br: could not connect to host
 yude.ml: could not connect to host
+yue2.net: could not connect to host
 yuema.net.cn: could not connect to host
 yufan.me: did not receive HSTS header
 yugege.cf: could not connect to host
@@ -18393,9 +19902,12 @@ yux.fr: could not connect to host
 yux.io: did not receive HSTS header
 yuxingxin.com: did not receive HSTS header
 yuzu.tk: did not receive HSTS header
+yvetteerasmus.com: max-age too low: 0
 ywei.org: could not connect to host
 ywyz.tech: could not connect to host
-yya.bid: could not connect to host
+yxs.me: could not connect to host
+yxt521.com: did not receive HSTS header
+yya.bid: did not receive HSTS header
 yya.men: could not connect to host
 yyrss.com: could not connect to host
 z-coder.com: could not connect to host
@@ -18406,6 +19918,7 @@ z33.co: could not connect to host
 z3liff.com: could not connect to host
 z3liff.net: could not connect to host
 zaalleatherwear.nl: did not receive HSTS header
+zabavno.mk: did not receive HSTS header
 zacharopoulos.me: could not connect to host
 zachbolinger.com: could not connect to host
 zachpeters.org: did not receive HSTS header
@@ -18420,6 +19933,7 @@ zaidanfood.com: did not receive HSTS header
 zaidanfood.eu: did not receive HSTS header
 zaidanlebensmittelhandel.de: did not receive HSTS header
 zalan.do: could not connect to host
+zalohovaniburian.cz: could not connect to host
 zamis.net: did not receive HSTS header
 zamorano.edu: could not connect to host
 zamos.ru: max-age too low: 0
@@ -18429,32 +19943,36 @@ zaoext.com: could not connect to host
 zaoshanghao-dajia.rhcloud.com: could not connect to host
 zap.yt: could not connect to host
 zapatoshechoamano.pe: did not receive HSTS header
-zaptan.info: did not receive HSTS header
-zaptan.net: did not receive HSTS header
-zaptan.org: did not receive HSTS header
-zaptan.us: did not receive HSTS header
+zappos.com: did not receive HSTS header
+zaptan.net: could not connect to host
+zaptan.org: could not connect to host
+zaptan.us: could not connect to host
 zargaripour.com: did not receive HSTS header
 zarooba.com: could not connect to host
 zavca.com: did not receive HSTS header
 zbasenem.pl: did not receive HSTS header
 zbchen.com: could not connect to host
 zberger.com: could not connect to host
+zbetcheck.in: could not connect to host
 zbigniewgalucki.eu: did not receive HSTS header
 zbp.at: did not receive HSTS header
-zby.io: could not connect to host
+zdravesteny.cz: could not connect to host
 zdravotnickasluzba.eu: could not connect to host
-zdrowiepaleo.pl: did not receive HSTS header
+zdrowiepaleo.pl: could not connect to host
 zdx.ch: max-age too low: 0
+zeal-and.jp: could not connect to host
 zeb.fun: could not connect to host
-zebibyte.cn: could not connect to host
+zebibyte.cn: did not receive HSTS header
 zebrababy.cn: could not connect to host
 zebry.nl: did not receive HSTS header
 zecrypto.com: could not connect to host
 zeedroom.be: did not receive HSTS header
+zeelynk.com: could not connect to host
 zefiris.org: did not receive HSTS header
 zefu.ca: could not connect to host
 zehdenick-bleibt-bunt.de: could not connect to host
 zehntner.ch: max-age too low: 3600
+zeitoununiversity.org: could not connect to host
 zeitzer-turngala.de: could not connect to host
 zelfmoord.ga: could not connect to host
 zelfstandigemakelaars.net: could not connect to host
@@ -18463,17 +19981,18 @@ zeloz.xyz: could not connect to host
 zenfusion.fr: could not connect to host
 zenhaiku.com: could not connect to host
 zenics.co.uk: did not receive HSTS header
+zenmate.com.tr: could not connect to host
 zeno-system.com: did not receive HSTS header
 zenpayroll.com: did not receive HSTS header
+zenram.com: did not receive HSTS header
 zentience.dk: did not receive HSTS header
 zentience.net: did not receive HSTS header
 zentience.org: did not receive HSTS header
 zentiweb.nl: did not receive HSTS header
 zentraler-kreditausschuss.de: did not receive HSTS header
 zentralwolke.de: did not receive HSTS header
-zenvite.com: could not connect to host
 zenwears.com: could not connect to host
-zenycosta.com: could not connect to host
+zeparadox.com: did not receive HSTS header
 zepect.com: did not receive HSTS header
 zera.com.au: could not connect to host
 zerekin.net: max-age too low: 86400
@@ -18486,6 +20005,7 @@ zeroling.com: could not connect to host
 zeroml.ml: could not connect to host
 zerosource.net: could not connect to host
 zerowastesonoma.gov: could not connect to host
+zertif.info: could not connect to host
 zerudi.com: did not receive HSTS header
 zetadisseny.es: did not receive HSTS header
 zeto365.pl: did not receive HSTS header
@@ -18506,14 +20026,15 @@ zhaojin97.cn: could not connect to host
 zhendingresources.com: did not receive HSTS header
 zhengouwu.com: could not connect to host
 zhenmeish.com: could not connect to host
+zhenyan.org: could not connect to host
 zhh.in: could not connect to host
+zhih.me: could not connect to host
 zhihua-lai.com: did not receive HSTS header
 zhiin.net: could not connect to host
 zhikin.com: could not connect to host
 zhimajk.com: could not connect to host
 zhiwei.me: did not receive HSTS header
 zhoujiashu.com: could not connect to host
-zhuji.com: could not connect to host
 zhuji.com.cn: could not connect to host
 zhuji5.com: could not connect to host
 zhujicaihong.com: could not connect to host
@@ -18521,28 +20042,33 @@ zhuweiyou.com: did not receive HSTS header
 zi0r.com: did not receive HSTS header
 zian.online: could not connect to host
 zicklam.com: could not connect to host
+ziegler-family.com: could not connect to host
 zigcore.com.br: could not connect to host
-zii.bz: could not connect to host
 zikirakhirzaman.com: could not connect to host
 zinc-x.com: did not receive HSTS header
 zinenapse.info: could not connect to host
 zippy-download.com: could not connect to host
 zippy-download.de: could not connect to host
+ziptie.com: max-age too low: 0
 zirtue.io: could not connect to host
 zitrone44.de: did not receive HSTS header
-zivagold.com: did not receive HSTS header
 zivy-ruzenec.cz: could not connect to host
 zixo.sk: could not connect to host
 ziyuanabc.xyz: could not connect to host
-ziz.exchange: could not connect to host
+ziz.exchange: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 zizoo.com: did not receive HSTS header
 zju.tv: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 zjubtv.com: could not connect to host
+zjuqsc.com: could not connect to host
 zjutv.com: could not connect to host
+zjyifa.cn: could not connect to host
 zkillboard.com: did not receive HSTS header
 zking.ga: could not connect to host
-zlc1994.com: could not connect to host
+zl0iu.com: could not connect to host
+zl8862.com: could not connect to host
+zlc1994.com: did not receive HSTS header
 zlcp.com: could not connect to host
+zmala.com: did not receive HSTS header
 zmsastro.co.za: could not connect to host
 zmscable.com: did not receive HSTS header
 zmy.im: could not connect to host
@@ -18555,9 +20081,9 @@ zohar.link: could not connect to host
 zohar.shop: could not connect to host
 zoi.jp: could not connect to host
 zokster.net: could not connect to host
+zolokar.xyz: could not connect to host
 zolotoy-standart.com.ua: did not receive HSTS header
 zombiesecured.com: could not connect to host
-zomiac.pp.ua: could not connect to host
 zonadebolsa.es: did not receive HSTS header
 zone403.net: could not connect to host
 zoneminder.com: did not receive HSTS header
@@ -18567,9 +20093,9 @@ zoo.city: could not connect to host
 zoo24.de: did not receive HSTS header
 zoofaeth.de: did not receive HSTS header
 zoofit.com.au: did not receive HSTS header
-zoological-gardens.eu: could not connect to host
 zoomingin.net: max-age too low: 5184000
 zoommailing.com: did not receive HSTS header
+zoomseoservices.com: max-age too low: 2592000
 zoorigin.com: did not receive HSTS header
 zooxdata.com: could not connect to host
 zorki.nl: did not receive HSTS header
@@ -18580,9 +20106,7 @@ zpy.fun: could not connect to host
 zq789.com: could not connect to host
 zqhong.com: could not connect to host
 zqjs.tk: could not connect to host
-zqwqz.com: could not connect to host
-zrhdwz.cn: could not connect to host
-zrkr.de: could not connect to host
+zqstudio.top: could not connect to host
 zrn.in: did not receive HSTS header
 ztan.tk: could not connect to host
 ztcaoll222.cn: could not connect to host
@@ -18590,13 +20114,12 @@ ztytian.com: could not connect to host
 zuan-in.com: could not connect to host
 zuan-in.net: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 zubora.co: could not connect to host
-zubro.net: could not connect to host
 zuckerfloh.de: did not receive HSTS header
 zudomc.me: could not connect to host
 zuehlcke.de: could not connect to host
 zukix.com: could not connect to host
 zulu7.com: did not receive HSTS header
-zunda.cafe: did not receive HSTS header
+zunda.cafe: could not connect to host
 zunftmarke.de: did not receive HSTS header
 zurickrelogios.com.br: did not receive HSTS header
 zutsu-raku.com: did not receive HSTS header
@@ -18604,15 +20127,16 @@ zuviel.space: could not connect to host
 zvejonys.lt: did not receive HSTS header
 zvncloud.com: did not receive HSTS header
 zvz.im: could not connect to host
+zwalcz-cellulit.com: did not receive HSTS header
 zwembadheeten.nl: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 zx1168.com: could not connect to host
 zx2268.com: could not connect to host
 zxavier.com: did not receive HSTS header
-zxc.science: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISiteSecurityService.processHeader]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: /home/trava90/REPO/UXP/security/manager/tools/getHSTSPreloadList.js :: processStsHeader :: line 131"  data: no]
 zxity.co.uk: could not connect to host
 zxity.ltd: could not connect to host
 zxity.uk: could not connect to host
 zyf.pw: could not connect to host
+zyger.co.za: did not receive HSTS header
 zymbit.com: did not receive HSTS header
 zync.ca: did not receive HSTS header
 zypgr.com: could not connect to host
diff --git a/security/manager/ssl/nsSTSPreloadList.inc b/security/manager/ssl/nsSTSPreloadList.inc
index 66c7922fae..75d35a7774 100644
--- a/security/manager/ssl/nsSTSPreloadList.inc
+++ b/security/manager/ssl/nsSTSPreloadList.inc
@@ -8,7 +8,7 @@
 /*****************************************************************************/
 
 #include <stdint.h>
-const PRTime gPreloadListExpirationTime = INT64_C(1551523663318000);
+const PRTime gPreloadListExpirationTime = INT64_C(1555803903526000);
 
 class nsSTSPreload
 {
@@ -41,13 +41,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "022610.com", true },
   { "02327.net", true },
   { "02375.net", true },
-  { "023sec.com", true },
   { "02607.com", true },
   { "026122.com", true },
   { "02638.net", true },
   { "03170317.com", true },
   { "0391315.com", true },
   { "046569.com", true },
+  { "04911701.cn", true },
   { "050.ca", true },
   { "050media.nl", true },
   { "0511315.net", true },
@@ -83,6 +83,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "083912.com", true },
   { "083957.com", true },
   { "083960.com", true },
+  { "083962.com", true },
   { "083965.com", true },
   { "083967.com", true },
   { "08detaxe.fr", true },
@@ -93,7 +94,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "0c3.de", true },
   { "0day.agency", true },
   { "0des.com", true },
+  { "0ii0.cf", true },
   { "0ik.de", true },
+  { "0iz.net", true },
   { "0knowledge.de", false },
   { "0o0.edu.pl", true },
   { "0paste.com", true },
@@ -113,7 +116,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "0x7d.com", true },
   { "0x7fffffff.net", true },
   { "0x90.io", true },
-  { "0xaa55.me", true },
   { "0xabe.io", true },
   { "0xacab.org", true },
   { "0xda.de", true },
@@ -127,8 +129,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "100-downloads.com", true },
   { "10000v.ru", true },
   { "1000minds.com", true },
-  { "1000serien.com", true },
-  { "1001carats.fr", true },
+  { "1001firms.com", true },
   { "1001kartini.com", true },
   { "1001kerstpakketten.com", false },
   { "1001mv.com", true },
@@ -139,7 +140,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "100lat.pl", true },
   { "100mani.it", true },
   { "100pounds.co.uk", true },
-  { "100rembourse.be", true },
   { "101.qa", true },
   { "1011100.com", true },
   { "101sauna.kz", true },
@@ -152,14 +152,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "10439.net", true },
   { "10453.net", true },
   { "10495.net", true },
-  { "1066.io", true },
   { "10774.net", true },
   { "10840.net", true },
   { "10gb.io", true },
   { "10hz.de", true },
   { "10og.de", true },
   { "10ppm.com", true },
-  { "10xiuxiu.com", true },
   { "112app.nl", true },
   { "112hz.com", true },
   { "114514ss.com", true },
@@ -179,10 +177,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "123bearing.com", true },
   { "123bearing.eu", true },
   { "123comparer.fr", true },
-  { "123djdrop.com", true },
   { "123midterm.com", true },
+  { "123nutricion.es", true },
   { "123opstalverzekeringen.nl", true },
-  { "123pay.ir", false },
   { "123plons.nl", true },
   { "123roulement.be", true },
   { "123roulement.com", true },
@@ -190,7 +187,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "124133.com", true },
   { "124633.com", true },
   { "125m125.de", true },
-  { "1288366.com", true },
   { "1288fc.com", true },
   { "12photos.eu", true },
   { "12thmanrising.com", true },
@@ -199,7 +195,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "130.ua", true },
   { "132kv.ch", true },
   { "1359826938.rsc.cdn77.org", true },
-  { "1395kj.com", true },
   { "13th-dover.uk", true },
   { "143533.com", true },
   { "143633.com", true },
@@ -220,20 +215,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "15-10.com", true },
   { "1511774230.rsc.cdn77.org", true },
   { "152433.com", true },
+  { "1527web.com", true },
   { "154233.com", true },
   { "154633.com", true },
   { "154933.com", true },
   { "156433.com", true },
   { "1590284872.rsc.cdn77.org", true },
+  { "159cp.com", true },
   { "1600esplanade.com", true },
   { "160887.com", true },
+  { "162jonesrd.ca", true },
   { "1644091933.rsc.cdn77.org", true },
   { "1661237.com", true },
-  { "16book.org", true },
+  { "1750studios.com", false },
   { "1768calc.com.au", true },
   { "1811559.com", true },
   { "1844329061.rsc.cdn77.org", true },
   { "1876996.com", true },
+  { "188da.com", true },
   { "188dv.com", true },
   { "1895media.com", true },
   { "189fc.com", true },
@@ -242,6 +241,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "18f.gov", true },
   { "18f.gsa.gov", false },
   { "1911trust.com", true },
+  { "192.io", true },
   { "192168ll.repair", true },
   { "192433.com", true },
   { "1972969867.rsc.cdn77.org", true },
@@ -249,14 +249,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "19area.cn", true },
   { "19hundert84.de", true },
   { "1a-diamantscheiben.de", true },
-  { "1a-vermessung.at", true },
-  { "1a-werkstattgeraete.de", true },
   { "1ab-machinery.com", true },
   { "1c-power.ru", true },
   { "1cover.co.nz", true },
   { "1cover.com.au", true },
+  { "1cswd.com", true },
   { "1e9.nl", true },
-  { "1europlan.nl", true },
   { "1f123.net", true },
   { "1fach-digital.de", true },
   { "1hourproofreading.com", true },
@@ -293,34 +291,40 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "1stforfun.co.uk", true },
   { "1stpeninsulabouncers.co.uk", true },
   { "1volcano.ru", true },
+  { "1way.faith", true },
   { "1whw.co.uk", true },
   { "1wirelog.de", true },
   { "1wl.uk", true },
   { "2.wtf", true },
   { "200.network", true },
+  { "2001y.me", true },
   { "2012.ovh", true },
+  { "20188088.com", true },
   { "20at.com", true },
-  { "20denier.com", true },
   { "215dy.net", true },
   { "21sthammersmith.org.uk", true },
   { "21stnc.us", true },
   { "21x9.org", true },
+  { "222001.com", true },
   { "2222yh.com", true },
-  { "22digital.agency", true },
+  { "22vetter.st", true },
   { "230beats.com", true },
   { "23333.link", true },
   { "2333666.xyz", true },
   { "2333blog.com", true },
-  { "233abc.com", true },
+  { "233abc.com", false },
   { "233blog.com", true },
   { "233boy.com", true },
   { "233bwg.com", true },
   { "233hugo.com", true },
+  { "233now.com", true },
   { "233ss.net", true },
   { "233vps.com", true },
+  { "233yes.com", true },
   { "24-7.jp", true },
   { "245meadowvistaway.com", true },
   { "246060.ru", true },
+  { "247exchange.com", true },
   { "247healthshop.com", true },
   { "247medplan.com", true },
   { "2495dentalimplants.com", true },
@@ -330,6 +334,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "24hourlocksmithbaltimore.com", true },
   { "24hourlocksmithdallastx.com", true },
   { "24hourlocksmithdetroit.com", true },
+  { "24hourlocksmithshouston.com", true },
   { "24hoursanantoniolocksmiths.com", true },
   { "24hourscienceprojects.com", true },
   { "24ip.com", true },
@@ -342,7 +347,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "2600edinburgh.org", true },
   { "2600hq.com", true },
   { "260887.com", true },
-  { "263.info", true },
   { "2718282.net", true },
   { "28-industries.com", true },
   { "281180.de", true },
@@ -370,6 +374,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "2chan.jp", true },
   { "2cv-fahrer.de", true },
   { "2fm.ie", true },
+  { "2fm.radio", true },
   { "2fraud.pro", true },
   { "2g1s.net", true },
   { "2gen.com", true },
@@ -381,7 +386,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "2li.ch", true },
   { "2manydots.nl", true },
   { "2mb.solutions", true },
-  { "2mir.com", true },
   { "2nains.ch", true },
   { "2nerds1bit.com", true },
   { "2nics.net", true },
@@ -390,6 +394,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "2rsc.com", true },
   { "2rsc.net", true },
   { "2stv.net", true },
+  { "2tuu.com", true },
   { "2ulcceria.nl", true },
   { "2wheel.com", true },
   { "2y.fi", true },
@@ -439,7 +444,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "33445222.com", true },
   { "33445333.com", true },
   { "33445444.com", true },
-  { "33836.com", true },
+  { "33jiasu.com", true },
   { "340422.com", true },
   { "340622.com", true },
   { "340922.com", true },
@@ -507,6 +512,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "375422.com", true },
   { "379700.com", true },
   { "380422.com", true },
+  { "388da.com", true },
   { "390422.com", true },
   { "392422.com", true },
   { "393335.ml", true },
@@ -519,7 +525,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "394622.com", true },
   { "394922.com", true },
   { "396422.com", true },
-  { "398.info", true },
   { "39sihu.com", false },
   { "3aandl.com", true },
   { "3ags.de", true },
@@ -533,7 +538,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "3countiescastlehire.co.uk", true },
   { "3cs.ch", true },
   { "3d-fotoservice.de", true },
+  { "3dcollective.es", true },
+  { "3de5.nl", true },
   { "3deeplearner.com", true },
+  { "3dgep.com", true },
   { "3djuegos.com", true },
   { "3dmedium.de", true },
   { "3dmusiclab.nl", true },
@@ -542,12 +550,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "3drenaline.com", true },
   { "3haeuserprojekt.org", true },
   { "3haueserprojekt.org", true },
-  { "3hl0.net", true },
-  { "3ik.us", true },
   { "3james.com", true },
   { "3logic.ru", true },
   { "3lot.ru", true },
   { "3n5b.com", true },
+  { "3niu168.com", true },
+  { "3niu178.com", true },
+  { "3niu6.com", true },
+  { "3niu66.com", true },
+  { "3niu666.com", true },
+  { "3niu8.com", true },
+  { "3niu88.com", true },
+  { "3niu8888.com", true },
+  { "3niuurl.com", true },
   { "3os.ooo", true },
   { "3phase.pw", true },
   { "3plusdesign.gr", true },
@@ -589,6 +604,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "41studio.com", true },
   { "41where.com", true },
   { "420java.com", true },
+  { "42ch.com", true },
+  { "42day.info", true },
+  { "439050.com", true },
   { "440887.com", true },
   { "441jj.com", false },
   { "442887.com", true },
@@ -596,21 +614,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "4444yh.com", true },
   { "444887.com", true },
   { "445887.com", true },
+  { "44sec.com", true },
   { "451.ooo", true },
   { "4553s.com", true },
-  { "4553vip.com", true },
   { "4706666.com", true },
   { "4716666.com", true },
   { "4726666.com", true },
-  { "4736666.com", true },
   { "4756666.com", true },
   { "4786666.com", true },
-  { "47essays.com", true },
   { "491mhz.net", true },
   { "49889.com", true },
   { "49dollaridahoregisteredagent.com", true },
   { "4c-haircare.com", true },
-  { "4decor.org", true },
   { "4everproxy.com", true },
   { "4eyes.ch", true },
   { "4fit.ro", true },
@@ -620,11 +635,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "4garage.com.br", true },
   { "4host.ch", true },
   { "4kprojektory.cz", true },
+  { "4lock.com.br", true },
   { "4mm.org", true },
   { "4plebs.moe", true },
   { "4project.co.il", true },
   { "4share.tv", true },
-  { "4sics.se", true },
   { "4th-ave-studio.com", true },
   { "4thdc.com", true },
   { "4u.services", true },
@@ -672,7 +687,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "508088.com", true },
   { "50lakeshore.com", true },
   { "50north.de", true },
-  { "50plusnet.nl", true },
   { "514122.com", true },
   { "514522.com", true },
   { "514622.com", true },
@@ -682,13 +696,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "51877.net", true },
   { "519422.com", true },
   { "51acg.eu.org", true },
-  { "51aifuli.com", true },
   { "51tiaojiu.com", true },
+  { "5219.ml", true },
   { "524022.com", true },
   { "524622.com", true },
   { "524922.com", true },
   { "525.info", true },
-  { "52hentai.ml", true },
+  { "52hentai.us", true },
   { "52kb365.com", true },
   { "52ncp.net", true },
   { "52sykb.com", true },
@@ -696,6 +710,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "534122.com", true },
   { "534622.com", true },
   { "534922.com", true },
+  { "5364.com", true },
   { "536422.com", true },
   { "5364b.com", true },
   { "5364c.com", true },
@@ -715,23 +730,26 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "5555yh.com", true },
   { "55639.com", true },
   { "55797.com", true },
-  { "558da.com", true },
+  { "566380.com", true },
+  { "575380.com", true },
   { "576422.com", true },
+  { "578380.com", true },
   { "579422.com", true },
-  { "57he.com", true },
   { "57wilkie.net", true },
   { "583422.com", true },
+  { "585380.com", true },
   { "585422.com", true },
   { "586422.com", true },
   { "588da.com", true },
+  { "591380.com", true },
   { "591422.com", true },
+  { "592380.com", true },
   { "592422.com", true },
   { "5930593.com", true },
   { "594022.com", true },
   { "594622.com", true },
   { "595422.com", true },
   { "596422.com", true },
-  { "5986fc.com", true },
   { "5997891.com", true },
   { "5apps.com", true },
   { "5c1fd0f31022cbc40af9f785847baaf9.space", true },
@@ -743,7 +761,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "5gb.space", true },
   { "5kraceforals.com", true },
   { "5percentperweek.com", true },
-  { "5starbouncycastlehire.co.uk", true },
   { "5thchichesterscouts.org.uk", true },
   { "5y.fi", true },
   { "602422.com", true },
@@ -759,6 +776,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "614322.com", true },
   { "614922.com", true },
   { "61730123.com", true },
+  { "618media.com", true },
   { "621422.com", true },
   { "624022.com", true },
   { "624122.com", true },
@@ -809,7 +827,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "649622.com", true },
   { "649722.com", true },
   { "649822.com", true },
-  { "64bitservers.net", false },
   { "651422.com", true },
   { "652422.com", true },
   { "6541166.com", true },
@@ -827,9 +844,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "6548877.com", true },
   { "656088.com", true },
   { "659422.com", true },
-  { "65d88.com", true },
   { "66136.com", true },
-  { "6616fc.com", true },
   { "6633445.com", true },
   { "6652566.com", true },
   { "6660111.ru", true },
@@ -837,15 +852,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "666668722.com", true },
   { "6666yh.com", true },
   { "666omg.com", true },
-  { "6677.us", true },
   { "66b.com", true },
-  { "66bwf.com", true },
   { "670422.com", true },
   { "671422.com", true },
   { "672422.com", true },
   { "673422.com", true },
   { "676422.com", true },
   { "679422.com", true },
+  { "680226.com", true },
   { "680422.com", true },
   { "68277.me", true },
   { "686848.com", true },
@@ -858,10 +872,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "694922.com", true },
   { "6969.us", true },
   { "698da.com", true },
+  { "69928.com", true },
   { "6997896.com", true },
   { "69butterfly.com", true },
   { "69fps.gg", true },
   { "69wasted.net", true },
+  { "6ird.com", true },
   { "6lo.zgora.pl", true },
   { "6pm.com", true },
   { "6t-montjoye.org", true },
@@ -889,13 +905,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "736433.com", true },
   { "738433.com", true },
   { "739433.com", true },
-  { "73info.com", false },
+  { "73info.com", true },
   { "740833.com", true },
   { "741833.com", true },
   { "742833.com", true },
   { "743833.com", true },
   { "74th.jp", true },
   { "755k3.com", true },
+  { "758global.com", true },
   { "762.ch", true },
   { "7733445.com", true },
   { "7777yh.com", true },
@@ -905,14 +922,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "7885765.com", true },
   { "7891553.com", true },
   { "7891997.com", true },
+  { "79ch.com", true },
   { "7careconnect.com", true },
   { "7delights.com", true },
   { "7delights.in", true },
   { "7geese.com", true },
   { "7graus.pt", true },
   { "7kicks.com", true },
-  { "7kovrikov.ru", true },
   { "7proxies.com", true },
+  { "7qly.com", true },
   { "7sons.de", true },
   { "7thcircledesigns.com", true },
   { "7trade8.com", true },
@@ -922,10 +940,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "809422.com", true },
   { "80993.net", true },
   { "814022.com", true },
+  { "81818app.com", true },
   { "8189196.com", true },
-  { "818bwf.com", true },
   { "818da.com", true },
   { "8349822.com", true },
+  { "850226.com", true },
   { "8522.com", true },
   { "8522club.com", true },
   { "8522hk.com", true },
@@ -934,10 +953,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "8522usa.com", true },
   { "86286286.com", true },
   { "86499.com", true },
-  { "8649955.com", true },
-  { "8649966.com", true },
-  { "8649977.com", true },
-  { "8688fc.com", true },
   { "86metro.ru", true },
   { "8722.am", true },
   { "8722am.com", true },
@@ -946,6 +961,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "8722ph.com", true },
   { "8722tw.com", true },
   { "8722usa.com", true },
+  { "88-line.com", true },
+  { "88-line.net", true },
+  { "881-line.com", true },
+  { "881-line.net", true },
   { "8818k3.com", true },
   { "8833445.com", true },
   { "88522am.com", true },
@@ -954,7 +973,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "8876008.com", true },
   { "8876009.com", true },
   { "8876138.com", true },
-  { "8876205.com", true },
   { "8876278.com", true },
   { "8876289.com", true },
   { "8876290.com", true },
@@ -1028,26 +1046,34 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "8889893.com", true },
   { "8889903.com", true },
   { "8889910.com", true },
-  { "888bwf.com", true },
   { "888funcity.com", true },
   { "888funcity.net", true },
-  { "88bwf.com", true },
+  { "88yule11.com", true },
+  { "88yule112.com", true },
+  { "88yule113.com", true },
+  { "88yule12.com", true },
+  { "88yule13.com", true },
+  { "88yule15.com", true },
+  { "88yule16.com", true },
+  { "88yule6.com", true },
+  { "88yule7.com", true },
+  { "88yule9.com", true },
   { "8ack.de", true },
   { "8ackprotect.com", true },
   { "8da188.com", true },
   { "8da222.com", true },
   { "8da88.com", true },
   { "8da999.com", true },
+  { "8dabet.com", true },
   { "8hrs.net", true },
   { "8maerz.at", true },
-  { "8pecxstudios.com", true },
-  { "8shequapp.com", true },
-  { "8svn.com", true },
   { "8t8.eu", true },
   { "8tech.com.hk", true },
   { "8thportsmouth.org.uk", true },
   { "8tuffbeers.com", true },
+  { "8ung.online", true },
   { "8xxbet.net", true },
+  { "8y.network", true },
   { "9-11commission.gov", true },
   { "903422.com", true },
   { "905422.com", true },
@@ -1060,7 +1086,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "914122.com", true },
   { "918116.com", true },
   { "918gd.com", true },
-  { "918yy.com", true },
   { "919422.com", true },
   { "91966.com", true },
   { "91tianmi.com", false },
@@ -1081,6 +1106,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "949122.com", true },
   { "949622.com", true },
   { "949722.com", true },
+  { "94cs.cn", false },
   { "9679693.com", true },
   { "9681909.com", true },
   { "972422.com", true },
@@ -1099,19 +1125,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "9918883.com", true },
   { "9933445.com", true },
   { "99599.fi", true },
-  { "99599.net", true },
   { "9994553.com", true },
   { "9998722.com", true },
   { "99998522.com", true },
   { "99999822.com", true },
   { "999998722.com", true },
   { "99rst.org", true },
+  { "99wxt.com", true },
   { "9farm.com", true },
   { "9fvip.net", true },
   { "9jajuice.com", true },
   { "9pkfz.com", true },
   { "9riddles.com", true },
-  { "9tolife.be", true },
   { "9uelle.jp", true },
   { "9vx.org", true },
   { "9y.at", true },
@@ -1124,7 +1149,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "a-little-linux-box.at", true },
   { "a-msystems.com", true },
   { "a-oben.org", true },
-  { "a-starbouncycastles.co.uk", true },
+  { "a-players.team", true },
   { "a-wife.net", true },
   { "a-ztransmission.com", true },
   { "a0print.nl", true },
@@ -1133,19 +1158,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "a1moldsolutions.com", true },
   { "a1scuba.com", true },
   { "a1scubastore.com", true },
+  { "a2a.me", true },
+  { "a2a.net", true },
   { "a2nutrition.com.au", true },
-  { "a3.pm", true },
+  { "a2os.club", true },
   { "a4sound.com", true },
   { "a632079.me", true },
-  { "a7m2.me", true },
-  { "a8q.org", true },
-  { "aa-tour.ru", true },
+  { "a7la-chat.com", true },
   { "aa1718.net", true },
   { "aaapl.com", true },
   { "aabanet.com.br", true },
   { "aaben-bank.dk", true },
   { "aabenbank.dk", true },
   { "aacfree.com", true },
+  { "aacs-design.com", true },
+  { "aadw.de", true },
   { "aaex.cloud", true },
   { "aagetransport.no", true },
   { "aalalbayt.com", true },
@@ -1153,16 +1180,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aalstmotors-usedcars.be", true },
   { "aaltocapital.com", true },
   { "aamwa.com", true },
-  { "aanbieders.ga", true },
   { "aandeautobody.com", true },
   { "aandkevents.co.uk", true },
   { "aanmpc.com", true },
   { "aaomidi.com", true },
+  { "aapar.nl", true },
   { "aapas.org.ar", true },
+  { "aarklendoia.com", true },
   { "aarkue.eu", true },
   { "aaron.cm", true },
   { "aaron.xin", true },
-  { "aaronburt.co.uk", true },
+  { "aaronburt.co.uk", false },
   { "aaronhorler.com", true },
   { "aaronhorler.com.au", true },
   { "aaronkimmig.de", true },
@@ -1174,6 +1202,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aavienna.com", true },
   { "abaapplianceservice.com", true },
   { "abaaustin.com", true },
+  { "ababyco.com.hr", true },
   { "abacusbouncycastle.co.uk", true },
   { "abacustech.co.jp", true },
   { "abandonedmines.gov", true },
@@ -1187,6 +1216,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "abbruch-star.de", true },
   { "abc-rz.de", true },
   { "abc.li", true },
+  { "abc8081.net", true },
   { "abcbouncycastlessurrey.co.uk", true },
   { "abcbouncyfactory.co.uk", true },
   { "abcdef.be", true },
@@ -1196,13 +1226,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "abcstudio.com.au", true },
   { "abdel.me", true },
   { "abdelsater.net", true },
-  { "abdullah.pw", true },
   { "abdulwahaab.ca", true },
   { "abe-elektro.de", true },
   { "abe-medical.jp", true },
   { "abeestrada.com", false },
   { "abeilles-idapi.fr", true },
   { "abenteuer-ahnenforschung.de", true },
+  { "abeontech.com", true },
   { "aberdeencastles.co.uk", true },
   { "aberdeenjudo.co.uk", true },
   { "abeus.com", true },
@@ -1218,6 +1248,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "abilma.com", true },
   { "abilymp06.net", true },
   { "abimelec.com", true },
+  { "abinferis.com", true },
   { "abinyah.com", true },
   { "abitidalavoro.roma.it", true },
   { "abitur97ag.de", true },
@@ -1260,6 +1291,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aboutict.nl", true },
   { "aboutlegal.nl", true },
   { "aboutmedia.nl", true },
+  { "aboutmyproperty.ca", true },
   { "aboutspice.com", true },
   { "aboutyou.at", true },
   { "aboutyou.be", true },
@@ -1275,6 +1307,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "abristolgeek.co.uk", true },
   { "abseits.org", true },
   { "absolem.cc", true },
+  { "absolutcruceros.com", true },
   { "absoluteautobody.com", true },
   { "absolutedouble.co.uk", true },
   { "absolutehaitian.com", true },
@@ -1282,12 +1315,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "absolutelyinflatables.co.uk", true },
   { "absoluterush.net", true },
   { "absolutewebdesigns.com", true },
+  { "absolutviajes.com", true },
+  { "abstractbarista.net", true },
   { "abstraction21.com", true },
   { "absturztau.be", true },
   { "absturztaube.ch", true },
   { "absynthe-inquisition.fr", true },
   { "abthorpe.org", true },
+  { "abublog.com", true },
   { "abulanov.com", true },
+  { "abundanteconomy.com", true },
   { "abundent.com", true },
   { "abuse.fi", true },
   { "abuse.io", true },
@@ -1295,9 +1332,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "abvlbasketviganello.ch", true },
   { "abyssproject.net", true },
   { "ac-admin.pl", true },
+  { "ac-epmservices.com", true },
   { "ac-town.com", true },
   { "ac0g.dyndns.org", true },
   { "aca-creative.co.uk", true },
+  { "academiadebomberosonline.com", true },
   { "academicexperts.us", true },
   { "academichealthscience.net", true },
   { "academie-de-police.ch", true },
@@ -1328,8 +1367,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "accoladescreens.com.au", true },
   { "accord-application.com", true },
   { "accordiondoor.com", true },
+  { "account.bbc.com", true },
   { "accounts.firefox.com", true },
   { "accounts.google.com", true },
+  { "accpl.co", true },
   { "accpodcast.com", true },
   { "accredit.ly", true },
   { "accudraftpaintbooths.com", true },
@@ -1353,10 +1394,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "acerentalandsales.com", true },
   { "acerislaw.com", true },
   { "acessoeducacao.com", true },
-  { "acevik.de", true },
   { "acfo.org", true },
   { "acg.social", true },
-  { "acg18.us", false },
+  { "acgmoon.com", true },
+  { "acgmoon.org", true },
   { "acgtalktw.com", true },
   { "achalay.org", true },
   { "acheconcursos.com.br", true },
@@ -1370,7 +1411,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "achtzig20.de", true },
   { "achwo.de", true },
   { "acid.ninja", true },
-  { "acidbin.co", true },
   { "aciety.com", true },
   { "aciksite.com", true },
   { "ackermann.ch", true },
@@ -1394,6 +1434,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "acousticalsolutions.com", true },
   { "acoustics.network", true },
   { "acoustics.tech", true },
+  { "acousticsoundrecords.com", true },
   { "acoustique-tardy.com", true },
   { "acpcoils.com", true },
   { "acperu.ch", true },
@@ -1407,7 +1448,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "acriticismlab.org", true },
   { "acrolife.cz", true },
   { "acroso.me", true },
-  { "across.ml", true },
   { "acrosstheblvd.com", true },
   { "acroyoga-nuernberg.de", true },
   { "acrylbilder-acrylmalerei.de", true },
@@ -1419,10 +1459,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "acsemb.org", true },
   { "acsports.ca", true },
   { "actc.org.uk", true },
-  { "actc81.fr", true },
   { "actgruppe.de", true },
+  { "actheater.com", true },
   { "actiefgeld.nl", true },
   { "actioncleaningnd.com", true },
+  { "actionfinancialservices.net", true },
   { "actionlabs.net", true },
   { "actionmadagascar.ch", true },
   { "actionsack.com", true },
@@ -1435,7 +1476,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "activeexcavator.com", true },
   { "activehire.co.uk", true },
   { "activeleisure.ie", true },
-  { "activeworld.net", false },
   { "activiteithardenberg.nl", true },
   { "activitesaintnicaise.org", true },
   { "activityeventhire.co.uk", true },
@@ -1445,19 +1485,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "actorsroom.com", true },
   { "actserv.co.ke", true },
   { "actualadmins.com", true },
+  { "actualidadblog.com", true },
   { "actualidadecommerce.com", true },
   { "actualidadgadget.com", true },
   { "actualidadiphone.com", true },
   { "actualidadkd.com", true },
+  { "actualidadliteratura.com", true },
   { "actualidadmotor.com", true },
+  { "actualidadviajes.com", true },
+  { "actuatemedia.com", true },
   { "acuica.co.uk", false },
   { "acul.me", true },
-  { "acupofsalt.tv", true },
   { "acus.gov", true },
   { "acwcerts.co.uk", true },
   { "acwi.gov", true },
   { "acy.com", true },
   { "acyfxasia.com", true },
+  { "acyume.com", true },
   { "ad-notam.asia", true },
   { "ad-notam.ch", true },
   { "ad-notam.co.uk", true },
@@ -1468,17 +1512,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ad-notam.pt", true },
   { "ad-notam.us", true },
   { "ada.gov", true },
+  { "adaera.com", true },
   { "adalis.org", true },
   { "adam-ant.co.uk", true },
   { "adam-kostecki.de", true },
   { "adam-wilson.me", true },
+  { "adam.lgbt", true },
   { "adamas-magicus.ru", true },
   { "adambalogh.net", true },
+  { "adambryant.ca", false },
   { "adambyers.com", true },
   { "adamek.online", true },
   { "adamfontenot.com", true },
   { "adamh.us", true },
-  { "adamjoycegames.co.uk", true },
   { "adamkaminski.com", true },
   { "adamkostecki.de", true },
   { "adamoutler.com", true },
@@ -1487,14 +1533,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adamsbouncycastles.co.uk", true },
   { "adamstas.com", true },
   { "adamwallington.co.uk", true },
-  { "adamwilcox.org", true },
   { "adamyuan.xyz", true },
+  { "adappt.co.uk", true },
+  { "adapptlabs.com", true },
   { "adapt-elektronik.com", true },
   { "adapt.de", true },
   { "adaptablesecurity.org", true },
   { "adapti.de", true },
   { "adaptivemechanics.edu.au", true },
   { "adarshthapa.in", true },
+  { "adativos.com.br", true },
   { "adawolfa.cz", true },
   { "adayinthelifeof.nl", true },
   { "adblockextreme.com", true },
@@ -1505,14 +1553,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "addicional.com", true },
   { "addictionresource.com", true },
   { "addictively.com", true },
-  { "addiko.net", true },
   { "addisoncrump.info", true },
   { "addnine.com", true },
   { "addon.watch", true },
   { "addones.net", true },
   { "addtoany.com", true },
   { "adduono.com", true },
+  { "addvalue-renovations.co.uk", true },
+  { "addydari.us", true },
   { "adelebeals.com", true },
+  { "adelianz.com", true },
   { "adelightfulglow.com", true },
   { "adeline.mobi", true },
   { "adentalsolution.com", true },
@@ -1525,6 +1575,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adhd-inattentive.com", true },
   { "adhesivelaundry.co.uk", true },
   { "adhoc.is", true },
+  { "adiehard.party", true },
   { "adimaja.com", true },
   { "adinariversloveschool.com", true },
   { "adingenierie.fr", true },
@@ -1536,6 +1587,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adlerosn.com", true },
   { "adlerosn.com.br", true },
   { "adlershop.ch", true },
+  { "adlignum.se", true },
   { "adm-sarov.ru", true },
   { "adme.co.il", true },
   { "admin-serv.net", true },
@@ -1544,21 +1596,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "admin.google.com", true },
   { "admin.stg.fedoraproject.org", true },
   { "adminforge.de", true },
+  { "administrator.de", true },
   { "administratorserwera.pl", true },
   { "adminlinux.pl", true },
   { "admino.cz", true },
   { "admins.tech", true },
+  { "adminwerk.net", true },
   { "adminwiki.fr", true },
   { "admirable.one", true },
+  { "admirable.pro", true },
   { "admody.com", true },
   { "admongo.gov", true },
   { "adnanoktar.com", true },
   { "adnanotoyedekparca.com", true },
+  { "adnolesh.com", true },
   { "adnot.am", true },
   { "adnseguros.es", true },
+  { "adonizer.science", true },
   { "adonnante.com", true },
   { "adoptionlink.co.uk", true },
-  { "adorade.ro", true },
   { "adorai.tk", true },
   { "adorecricket.com", true },
   { "adorewe.com", true },
@@ -1572,6 +1628,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adr.gov", true },
   { "adra.com", true },
   { "adrafinil.wiki", true },
+  { "adresults.com", true },
+  { "adresults.nl", true },
   { "adrianbechtold.de", true },
   { "adriancitu.com", true },
   { "adriancostin.ro", true },
@@ -1592,6 +1650,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "advanced-scribes.com", true },
   { "advanced.info", true },
   { "advanceddieselspokane.com", true },
+  { "advanceddisposables.co.uk", true },
   { "advancedoneroofing.com", true },
   { "advancedprotectionkey.com", true },
   { "advancedprotectionsecuritykey.com", true },
@@ -1602,13 +1661,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "advancyte.com", true },
   { "advantagehomeexteriors.com", true },
   { "advara.com", true },
-  { "advelty.cz", true },
   { "advenacs.com.au", true },
   { "advenapay.com", true },
   { "adventaholdings.com", true },
   { "advento.bg", true },
   { "adventure-inn.com", true },
   { "adventureally.com", true },
+  { "adventuredrives.com", true },
   { "adventureforest.co.nz", true },
   { "adventureforest.de", false },
   { "adventureforest.nz", true },
@@ -1616,8 +1675,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adventurenow.nl", true },
   { "adventures.de", true },
   { "adventureswithlillie.ca", true },
+  { "adventurousway.com", true },
   { "advertis.biz", true },
-  { "advicepro.org.uk", true },
   { "advocate-europe.eu", true },
   { "advocaten-avocats.be", true },
   { "advocatenalkmaar.org", true },
@@ -1647,8 +1706,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "adzuna.ru", true },
   { "adzuna.sg", true },
   { "ae-construction.co.uk", true },
+  { "ae-dir.com", true },
+  { "ae-dir.org", true },
   { "aebian.org", true },
   { "aecexpert.fr", true },
+  { "aedollon.com", true },
   { "aefcleaning.com", true },
   { "aegee-utrecht.nl", true },
   { "aegisalarm.co.uk", true },
@@ -1659,7 +1721,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aegrel.ee", true },
   { "aehe.us", true },
   { "aei.co.uk", true },
-  { "aelisya.ch", true },
   { "aeon.co", true },
   { "aep-digital.com", true },
   { "aeradesign.com", true },
@@ -1689,13 +1750,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aextron.com", true },
   { "aextron.de", true },
   { "aextron.org", true },
-  { "af-internet.nl", true },
   { "afavre.io", true },
   { "afb24.de", true },
   { "afbeelding.im", true },
   { "afbeeldinguploaden.nl", true },
+  { "afcmrs.org", true },
   { "afcompany.it", true },
   { "afcurgentcarelyndhurst.com", true },
+  { "affarsnatverk.nu", true },
   { "affichagepub3.com", true },
   { "affiliatefeatures.com", true },
   { "affiliateroyale.com", true },
@@ -1705,7 +1767,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "affissioni.roma.it", true },
   { "affittacamere.roma.it", true },
   { "affittialmare.it", true },
-  { "affloc.com", true },
+  { "affittisalento.it", true },
   { "affordableazdivorce.com", true },
   { "affordableblindsexpress.com", true },
   { "affordableenergyadvocates.com", true },
@@ -1717,6 +1779,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "affping.com", true },
   { "affvps.net", true },
   { "afghan.dating", true },
+  { "afgn.com.ua", true },
   { "afi-business-consulting.com", true },
   { "aficionados.com.br", true },
   { "afinadoronline.com.br", true },
@@ -1732,18 +1795,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "africanexponent.com", true },
   { "africanimpact.com", true },
   { "africantourer.com", true },
-  { "africatravel.de", true },
   { "afrikarl.de", true },
   { "afrodigital.uk", true },
   { "afs-asso.org", true },
+  { "afscheidsportret.nl", true },
   { "aftab-alam.de", true },
   { "after.digital", true },
+  { "afterdwi.info", true },
   { "afterhate.fr", true },
-  { "afterskool.eu", true },
   { "afuh.de", true },
   { "afva.net", true },
   { "afwd.international", true },
-  { "afzco.asia", true },
   { "ag-websolutions.de", true },
   { "ag8-game.com", true },
   { "agalliasis.ch", true },
@@ -1754,7 +1816,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "agechecker.net", true },
   { "ageg.ca", true },
   { "agemfis.com", true },
-  { "agenceklic.com", true },
   { "agencewebstreet.com", true },
   { "agenciadeempregosdourados.com.br", true },
   { "agenciafiscal.pe", true },
@@ -1762,6 +1823,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "agenda-loto.net", false },
   { "agenda21senden.de", true },
   { "agendatelefonica.com.br", true },
+  { "agendazilei.com", true },
   { "agent-grow.com", true },
   { "agent6.com.au", true },
   { "agentprocessing.com", true },
@@ -1775,6 +1837,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "agic.io", true },
   { "agilebits.com", true },
   { "agilecraft.com", true },
+  { "agileecommerce.com.br", true },
   { "agileui.com", true },
   { "agiley.se", true },
   { "agilizing.us", true },
@@ -1805,7 +1868,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "agouralighting.com", true },
   { "agouraoutdoorlighting.com", true },
   { "agr.asia", true },
+  { "agracan.com", true },
   { "agrajag.nl", true },
+  { "agrarking.com", true },
   { "agrarking.de", true },
   { "agrarshop4u.de", true },
   { "agrekov.ru", true },
@@ -1819,6 +1884,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "agro-forestry.net", true },
   { "agroline.by", true },
   { "agroxxi.ru", false },
+  { "agroyard.com.ua", true },
   { "agsb.ch", true },
   { "agscinemas.com", true },
   { "agscinemasapp.com", true },
@@ -1827,8 +1893,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "agy.cl", true },
   { "ahawkesrealtors.com", true },
   { "ahd.com", false },
+  { "ahegao.ca", true },
   { "aheng.me", true },
   { "ahero4all.org", true },
+  { "ahkubiak.ovh", true },
   { "ahlaejaba.com", true },
   { "ahlz.sk", true },
   { "ahmad.works", true },
@@ -1848,15 +1916,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ai.gov", true },
   { "ai.je", true },
   { "aia.de", true },
+  { "aiasesoriainmobiliaria.com", true },
   { "aibenzi.com", true },
   { "aibiying.com", true },
   { "aicial.co.uk", true },
+  { "aid-web.ch", true },
   { "aidanapple.com", true },
   { "aidanmitchell.co.uk", true },
   { "aidanmitchell.uk", true },
   { "aidanmontare.net", true },
+  { "aidanpr.com", true },
+  { "aidanpr.net", true },
   { "aiden.link", true },
   { "aidhan.net", true },
+  { "aidi-ahmi.com", true },
   { "aids.gov", true },
   { "aie.de", true },
   { "aiforsocialmedia.com", true },
@@ -1866,6 +1939,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aignermunich.com", true },
   { "aignermunich.de", true },
   { "aignermunich.jp", true },
+  { "aiho.stream", true },
   { "aiicy.org", true },
   { "aiida.se", true },
   { "aijsk.com", true },
@@ -1881,6 +1955,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ailitonia.xyz", true },
   { "aimax.com", true },
   { "aimeeandalec.com", true },
+  { "aimerworld.com", false },
   { "aimgroup.co.tz", true },
   { "aimi-salon.com", true },
   { "aimotive.com", true },
@@ -1892,6 +1967,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aipbarcelona.com", true },
   { "air-craftglass.com", true },
   { "air-shots.ch", true },
+  { "air-techniques.fr", true },
   { "air-we-go.co.uk", true },
   { "airbnb.ae", true },
   { "airbnb.at", true },
@@ -1966,7 +2042,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "airbossofamerica.com", true },
   { "airclass.com", true },
   { "aircomms.com", true },
-  { "airconssandton.co.za", true },
   { "airductclean.com", false },
   { "airductcleaning-fresno.com", true },
   { "airductcleaninggrandprairie.com", true },
@@ -1976,7 +2051,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "airetvie.com", true },
   { "airhart.me", true },
   { "airhelp.com", true },
+  { "airhorn.de", true },
   { "airi-tabei.com", true },
+  { "airicy.com", true },
   { "airikai.com", true },
   { "airlibre-parachutisme.com", true },
   { "airmail.cc", true },
@@ -1994,6 +2071,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "airtoolaccessoryo.com", true },
   { "airvpn.org", true },
   { "airvuz.com", true },
+  { "airware.com", true },
   { "airwaystorage.net", true },
   { "airweb.top", true },
   { "airwegobouncycastles.co.uk", true },
@@ -2002,7 +2080,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ais.fashion", true },
   { "aisance-co.com", true },
   { "aisi316l.net", true },
-  { "aisr.nl", true },
   { "aistockcharts.com", true },
   { "aistrope.com", true },
   { "ait.com.ar", true },
@@ -2012,8 +2089,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aivd.lol", true },
   { "aiwdirect.com", true },
   { "aixvox.com", false },
-  { "aizxxs.com", true },
-  { "aizxxs.net", true },
   { "ajapaik.ee", true },
   { "ajarope.com", true },
   { "ajaxed.net", true },
@@ -2029,7 +2104,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ajnasz.hu", true },
   { "ajsb85.com", true },
   { "ak-varazdin.hr", true },
-  { "ak-webit.de", true },
   { "aka.ms", true },
   { "akachanikuji.com", true },
   { "akademeia.moe", true },
@@ -2047,10 +2121,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "akihito.com", true },
   { "akijo.de", true },
   { "akilli-devre.com", true },
-  { "akita-boutique.com", true },
   { "akiym.com", true },
   { "akj.io", true },
   { "akkbouncycastles.co.uk", true },
+  { "akkeylab.com", true },
   { "akostecki.de", true },
   { "akovana.com", true },
   { "akoww.de", false },
@@ -2059,12 +2133,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "akpwebdesign.com", true },
   { "akr.io", true },
   { "akr.services", true },
-  { "akritikos.info", true },
   { "akronet.cz", false },
   { "akropol.cz", false },
   { "akropolis-ravensburg.de", true },
   { "aksehir.bel.tr", true },
-  { "akselinurmio.fi", false },
+  { "akselinurmio.fi", true },
+  { "akshay.in.eu.org", true },
   { "akshi.in", true },
   { "aktin.cz", true },
   { "aktin.sk", true },
@@ -2073,13 +2147,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aktiv-naturheilmittel.de", true },
   { "aktivace.eu", true },
   { "aktivierungscenter.de", true },
-  { "aktuelle-uhrzeit.at", true },
   { "akuislam.com", true },
   { "akukas.com", true },
   { "akustik.tech", true },
   { "akutun.cl", true },
   { "akvorrat.at", true },
-  { "al3366.tech", true },
+  { "akyildiz.net", true },
   { "al3xpro.com", true },
   { "alab.space", true },
   { "alabamadebtrelief.org", true },
@@ -2098,6 +2171,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alamgir.works", true },
   { "alanberger.me.uk", true },
   { "alanhua.ng", true },
+  { "alanhuang.name", true },
   { "alaninkenya.org", true },
   { "alaricfavier.eu", false },
   { "alarmcomplete.co.uk", true },
@@ -2113,13 +2187,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "albbounce.co.uk", true },
   { "albersdruck.de", true },
   { "albertathome.org", true },
+  { "albertbogdanowicz.pl", true },
   { "albertcuyp-markt.amsterdam", true },
   { "albertinum-goettingen.de", true },
   { "albinma.com", true },
   { "albion2.org", true },
   { "alboweb.nl", true },
   { "albrocar.com", true },
-  { "albuic.tk", true },
   { "alca31.com", true },
   { "alchimic.ch", true },
   { "alcnutrition.com", true },
@@ -2132,6 +2206,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aldomedia.com", true },
   { "aldorr.net", false },
   { "aldous-huxley.com", true },
+  { "alecel.de", true },
   { "alecpap.com", true },
   { "alecpapierniak.com", true },
   { "alecrust.com", true },
@@ -2145,6 +2220,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alerts.sg", true },
   { "alertwire.com", true },
   { "alesia-formation.fr", true },
+  { "alessandroonline.com.br", true },
   { "aletm.it", true },
   { "alex-ross.co.uk", true },
   { "alex97000.de", true },
@@ -2156,19 +2232,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alexanderzinn.com", true },
   { "alexandra-schulze.de", true },
   { "alexandrastorm.com", true },
-  { "alexandrastylist.com", true },
+  { "alexandrastylist.com", false },
   { "alexandre-blond.fr", true },
   { "alexandros.io", true },
   { "alexbaker.org", true },
   { "alexberts.ch", true },
+  { "alexbogovich.com", true },
   { "alexbresnahan.com", true },
   { "alexcoman.com", true },
   { "alexdaniel.org", true },
-  { "alexdaulby.com", true },
   { "alexei.su", false },
   { "alexey-shamara.ru", true },
   { "alexeykopytko.com", true },
+  { "alexfabian.myftp.org", true },
   { "alexgaynor.net", true },
+  { "alexgebhard.com", true },
   { "alexhd.de", true },
   { "alexio.ml", true },
   { "alexisabarca.com", true },
@@ -2186,7 +2264,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alexschroeder.ch", true },
   { "alexsergeyev.com", true },
   { "alexsexton.com", true },
-  { "alexsinnott.me", true },
   { "alextaffe.com", true },
   { "alexthayne.co.uk", true },
   { "alextjam.es", true },
@@ -2194,10 +2271,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alexvdveen.nl", true },
   { "alexvetter.de", true },
   { "alexwardweb.com", true },
+  { "alexwilliams.tech", true },
   { "alexyang.me", true },
   { "alfa-tech.su", true },
-  { "alfaperfumes.com.br", true },
+  { "alfred-figge.de", true },
   { "alftrain.com", true },
+  { "algbee.com", true },
   { "algeriepart.com", true },
   { "alghanimcatering.com", true },
   { "algoaware.eu", true },
@@ -2211,7 +2290,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aliaswp.com", true },
   { "alibangash.com", true },
   { "alibiloungelv.com", true },
-  { "alibip.de", true },
   { "alice-noutore.com", true },
   { "alice.tw", true },
   { "alicemaywebdesign.com.au", true },
@@ -2222,6 +2300,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alienflight.com", true },
   { "alienslab.net", true },
   { "alienstat.com", true },
+  { "alienvision.com.br", true },
   { "alignrs.com", true },
   { "aliim.gdn", true },
   { "alijammusic.com", true },
@@ -2229,7 +2308,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alinasmusicstudio.com", true },
   { "alinbu.net", true },
   { "aliorange.com", true },
-  { "alis-test.tk", true },
   { "alisonisrealestate.com", true },
   { "alisonlitchfield.com", true },
   { "alistairstowing.com", true },
@@ -2239,6 +2317,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aljaspod.hu", true },
   { "aljaspod.net", true },
   { "aljweb.com", true },
+  { "alkacoin.net", true },
   { "all-connect.net", false },
   { "all-fashion-schools.com", true },
   { "all-markup-news.com", true },
@@ -2268,17 +2347,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alldewall.de", true },
   { "alldigitalsolutions.com", true },
   { "alle.bg", true },
-  { "allemobieleproviders.nl", true },
   { "allemoz.com", true },
   { "allemoz.fr", true },
-  { "allenosgood.com", true },
   { "allenscaravans.co.uk", true },
   { "allensun.org", true },
   { "allesisonline.nl", true },
   { "alleskomtgoed.org", true },
   { "allesrocknroll.de", true },
   { "allforyou.at", true },
-  { "allfreelancers.su", false },
+  { "allfundsconnect.com", true },
   { "allgaragefloors.com", true },
   { "allgreenturf.com.au", true },
   { "alliance-psychiatry.com", true },
@@ -2288,7 +2365,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alligatorge.de", true },
   { "allinagency.com", true },
   { "allincoin.shop", true },
-  { "allinone-ranking150.com", true },
   { "allis.studio", true },
   { "allius.de", true },
   { "alljamin.com", true },
@@ -2296,7 +2372,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "allmend-ru.de", true },
   { "allns.fr", true },
   { "allo-credit.ch", true },
-  { "allo-symo.fr", true },
   { "allofthestops.com", true },
   { "allontanamentovolatili.it", true },
   { "allontanamentovolatili.milano.it", true },
@@ -2311,7 +2386,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "allsearch.io", true },
   { "allshousedesigns.com", true },
   { "allstakesupply.com.au", true },
-  { "allstarautokiaparts.com", true },
   { "allstarcashforcars.com", true },
   { "allstarpartyinflatables.co.uk", true },
   { "allstarquilts.com", true },
@@ -2324,12 +2398,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "allthings.me", true },
   { "allthingssquared.com", true },
   { "allthingswild.co.uk", true },
+  { "alltubedownload.net", true },
+  { "allurebikerental.com", true },
   { "allurescarves.com", true },
   { "alluvion.studio", true },
   { "allvips.ru", true },
   { "allweatherlandscaping.net", true },
   { "almaatlantica.com", true },
-  { "almavios.com", true },
+  { "almavios.com", false },
+  { "almayadeen.education", true },
   { "almorafestival.com", true },
   { "almut-zielonka.de", true },
   { "aloesoluciones.com.ar", true },
@@ -2337,7 +2414,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alonetone.com", true },
   { "alp.od.ua", true },
   { "alpca.org", true },
-  { "alpencam.com", true },
   { "alpencams.com", true },
   { "alpengreis.ch", true },
   { "alpenjuice.com", true },
@@ -2350,7 +2426,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alphaantileak.net", true },
   { "alphabetsigns.com", true },
   { "alphabouncycastles.co.uk", true },
-  { "alphabrock.cn", true },
   { "alphachat.net", true },
   { "alphadote.com", true },
   { "alphaetomega3d.fr", true },
@@ -2359,6 +2434,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alphagateanddoor.com", true },
   { "alphainflatablehire.com", true },
   { "alphaman.ooo", true },
+  { "alphanodes.com", true },
   { "alphapengu.in", true },
   { "alpharotary.com", true },
   { "alphasall.com", false },
@@ -2378,7 +2454,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alpiniste.fr", true },
   { "alqassam.net", true },
   { "alquiaga.com", true },
+  { "alquiladoramexico.com", true },
   { "alrait.com", true },
+  { "alre-outillage.fr", true },
   { "alroniks.com", true },
   { "als-japan.com", true },
   { "alstertouch.com", true },
@@ -2386,22 +2464,28 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "alstroemeria.org", true },
   { "alt-three.com", true },
   { "alt.org", true },
-  { "altapina.com", true },
+  { "altair.fi", true },
+  { "altapina.com", false },
   { "altaplana.be", true },
   { "altedirect.com", true },
   { "alter-news.fr", true },
   { "alterbaum.net", true },
   { "alternador.com.br", true },
   { "alternative.bike", true },
+  { "alternative.hosting", true },
   { "alternativebit.fr", true },
   { "alternativedev.ca", true },
+  { "alternativeinternet.ca", true },
   { "alternativet.party", true },
+  { "alternativetomeds.com", true },
   { "alterspalter.de", true },
   { "altes-sportamt.de", true },
   { "altesses.eu", true },
   { "altestore.com", true },
+  { "altisdev.com", true },
   { "altkremsmuensterer.at", true },
   { "altmaestrat.es", true },
+  { "altmann-systems.de", true },
   { "altoa.cz", true },
   { "altonblom.com", true },
   { "altopartners.com", true },
@@ -2409,10 +2493,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "altphotos.com", true },
   { "alts.li", true },
   { "altstipendiaten.de", true },
-  { "alttrackr.com", true },
   { "altunbas.info", true },
   { "alumni-kusa.jp", true },
   { "alupferd.de", true },
+  { "aluro.info", true },
   { "aluroof.eu", true },
   { "alvcs.com", true },
   { "alviano.com", true },
@@ -2438,19 +2522,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "am3.se", true },
   { "ama.ne.jp", true },
   { "amadvice.com", true },
-  { "amaforro.com", true },
   { "amagdic.com", true },
   { "amagical.net", false },
   { "amaiz.com", true },
   { "amalfi5stars.com", true },
-  { "amalficoastchauffeur.com", true },
   { "amalfilapiazzetta.it", true },
   { "amalfipositanoboatrental.com", true },
-  { "amalfirock.it", true },
   { "amalfitabula.it", true },
+  { "amaliagamis.com", true },
+  { "amanatrustbooks.org.uk", true },
   { "amandadamsphotography.com", true },
   { "amandasage.ca", true },
   { "amani-kinderdorf.de", true },
+  { "amardham.org", true },
   { "amaresq.com", true },
   { "amartinz.at", true },
   { "amateurchef.co.uk", true },
@@ -2464,6 +2548,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "amazili-communication.com", true },
   { "amazing-castles.co.uk", true },
   { "amazinginflatables.co.uk", true },
+  { "amazingraymond.com", true },
+  { "amazingraymond.com.au", true },
   { "amb.tf", true },
   { "amberalert.gov", true },
   { "amberglowleisure.co.uk", true },
@@ -2522,8 +2608,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aminafrance.com", true },
   { "amineptine.com", true },
   { "aminorth.com", true },
+  { "aminullrouted.com", true },
   { "amionvpn.com", true },
-  { "amirautos.com", true },
+  { "amirautos.com", false },
   { "amirmahdy.com", true },
   { "amisderodin.fr", true },
   { "amitabhsirkiclasses.org.in", true },
@@ -2544,6 +2631,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ampersandnbspsemicolon.com", true },
   { "amphetamines.org", true },
   { "amphibo.ly", true },
+  { "ampleroads.com", true },
+  { "ampol-agd.pl", true },
   { "ampproject.com", true },
   { "ampproject.org", true },
   { "amrcaustin.com", true },
@@ -2558,15 +2647,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "amyrussellhair.com", true },
   { "amyyeung.com", true },
   { "amzn.rocks", true },
+  { "an-alles-gedacht.de", true },
   { "anabolic.co", true },
   { "anacreon.de", true },
   { "anadiyogacentre.com", true },
   { "anaethelion.fr", true },
-  { "anajianu.ro", true },
+  { "anaiscoachpersonal.es", true },
   { "analbleachingguide.com", true },
   { "analgesia.net", true },
   { "analisilaica.it", true },
   { "analogist.net", true },
+  { "analytics-shop.com", true },
   { "analyticsinmotion.com", true },
   { "analyticum.at", true },
   { "analyticum.com", true },
@@ -2583,11 +2674,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anassiriphotography.com", false },
   { "anastasia-shamara.ru", true },
   { "anaveragehuman.eu.org", true },
+  { "ance.lv", true },
   { "ancestramil.fr", true },
   { "anchev.net", true },
   { "anchorit.gov", true },
   { "anchovy.nz", false },
+  { "anciens.org", true },
   { "ancientcraft.eu", true },
+  { "ancientnorth.com", true },
   { "ancientnorth.nl", true },
   { "ancolies-andre.com", true },
   { "anconaswine.com", true },
@@ -2598,11 +2692,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "andarpersassi.it", true },
   { "andel.info", false },
   { "anders.hamburg", true },
-  { "anderskp.dk", true },
+  { "anderskp.dk", false },
   { "andersonshatch.com", true },
   { "andiplusben.com", true },
   { "andisadhdspot.com", true },
-  { "andiscyber.space", true },
   { "anditi.com", true },
   { "andoms.fi", true },
   { "andre-ballensiefen.de", true },
@@ -2625,18 +2718,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "andreasmuelhaupt.de", true },
   { "andreasolsson.se", true },
   { "andree.cloud", true },
-  { "andrefaber.nl", true },
   { "andrehansen.de", true },
   { "andrei-nakov.org", true },
-  { "andrejstefanovski.com", true },
+  { "andrejbenz.com", true },
   { "andrelauzier.com", true },
   { "andreoliveira.io", true },
+  { "andrespaz.com", true },
   { "andreundnina.de", true },
   { "andrew.fi", true },
   { "andrew.london", true },
   { "andrewbdesign.com", true },
   { "andrewdaws.io", true },
   { "andrewensley.com", true },
+  { "andrewhowden.com", true },
   { "andrewimeson.com", true },
   { "andrewin.ru", true },
   { "andrewmichaud.com", true },
@@ -2647,7 +2741,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "andrewryno.com", true },
   { "andrewsun.com", true },
   { "andrewtchin.com", true },
-  { "andrewx.net", true },
   { "andrezadnik.com", true },
   { "andro2id.com", true },
   { "andro4all.com", true },
@@ -2665,7 +2758,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "androticsdirect.com", true },
   { "andruvision.cz", true },
   { "andsat.org", true },
-  { "andschwa.com", true },
+  { "andschwa.com", false },
   { "andso.cn", true },
   { "anduril.de", true },
   { "anduril.eu", true },
@@ -2673,7 +2766,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "andyc.cc", true },
   { "andycrockett.io", true },
   { "andymoore.info", true },
-  { "andys-place.co.uk", true },
   { "andysroom.dynu.net", true },
   { "andyt.eu", true },
   { "andzia.art.pl", true },
@@ -2683,12 +2775,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anedot.xyz", true },
   { "aneebahmed.com", true },
   { "anegabawa.com", true },
-  { "aneslix.com", true },
+  { "aneslix.com", false },
   { "anetaben.nl", true },
   { "anextraordinaryday.net", true },
-  { "ange-de-bonheur444.com", true },
   { "angehardy.com", true },
   { "angel-body.com", true },
+  { "angelcojuelo.com", true },
   { "angelesydemonios.es", true },
   { "angelicare.co.uk", true },
   { "angelinahair.com", true },
@@ -2706,6 +2798,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "angrapa.ru", true },
   { "angristan.fr", true },
   { "angristan.xyz", true },
+  { "angrut.com", true },
   { "angry.im", true },
   { "angrysnarl.com", true },
   { "angryteeth.net", true },
@@ -2713,6 +2806,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "angusmak.com", true },
   { "anhaffen.lu", true },
   { "ani-man.de", true },
+  { "anicam.fr", true },
   { "aniforprez.net", true },
   { "animacurse.moe", true },
   { "animaemundi.be", true },
@@ -2742,13 +2836,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anitube.ch", true },
   { "aniwhen.com", true },
   { "anjoola.com", true },
+  { "ankane.org", true },
   { "ankarakart.com.tr", true },
   { "ankaraprofesyonelwebtasarim.com", true },
   { "ankaraseo.name.tr", true },
   { "ankarauzmanlarnakliyat.com", true },
   { "ankarayilmaznakliyat.com", true },
   { "ankarayucelnakliyat.com", true },
-  { "ankenbrand.me", true },
   { "ankitpati.in", true },
   { "ankiuser.net", true },
   { "ankiweb.net", true },
@@ -2759,13 +2853,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anleitung-zum-schreiben.de", true },
   { "anleitung-zum-schweissen.de", true },
   { "anleitung-zum-toepfern.de", true },
+  { "anlovegeek.net", true },
   { "anna.info", true },
   { "annaenemma.nl", true },
   { "annafiore.com.br", true },
+  { "annangela.moe", true },
   { "annarokina.com", true },
   { "annasvapor.se", true },
   { "annawagner.pl", true },
   { "annedaniels.co.uk", true },
+  { "anneeden.de", true },
   { "annejan.com", true },
   { "anneliesonline.nl", true },
   { "annema.biz", true },
@@ -2776,12 +2873,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anniversary-cruise.com", true },
   { "annmariewaltsphotography.com", true },
   { "annonasoftware.com", true },
-  { "annotate.software", true },
   { "annoyingasfuk.com", true },
   { "annuaire-jcb.com", true },
   { "annuaire-photographe.fr", false },
   { "annunciationbvmchurch.org", true },
-  { "anohana.org", true },
   { "anojan.com", true },
   { "anon-next.de", true },
   { "anoncom.net", true },
@@ -2791,6 +2886,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anons.fr", true },
   { "anonym-surfen.de", true },
   { "anonyme-spieler.at", true },
+  { "anopan.tk", true },
   { "anorak.tech", true },
   { "another.ch", true },
   { "anotherchef.com", true },
@@ -2807,7 +2903,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ansgar-sonntag.de", true },
   { "ansgarsonntag.de", true },
   { "anshar.eu", true },
-  { "ansibeast.net", true },
   { "ansichtssache.at", true },
   { "ansogning-sg.dk", true },
   { "anstaskforce.gov", true },
@@ -2819,14 +2914,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "antaresmedia.com.py", true },
   { "antarespc.com", true },
   { "antcas.com", true },
+  { "antennista.bari.it", true },
   { "antennista.catania.it", true },
   { "antennista.milano.it", true },
   { "antennista.pavia.it", true },
   { "antennista.roma.it", true },
   { "antennista.tv", true },
+  { "antennistaroma.it", true },
   { "antennisti.milano.it", true },
   { "antennisti.roma.it", true },
   { "anteprima.info", true },
+  { "antfie.com", true },
   { "anthedesign.fr", true },
   { "anthisis.tv", true },
   { "anthony.codes", true },
@@ -2837,6 +2935,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anthropoid.ca", true },
   { "anti-bible.com", true },
   { "anti-radar.org", true },
+  { "antiaz.com", true },
   { "antibioticshome.com", true },
   { "anticopyright.com", true },
   { "antiekboerderijgraafland.nl", true },
@@ -2844,6 +2943,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "antik-trodelmarkt.de", true },
   { "antikvariat.ru", true },
   { "antikvarius.ro", true },
+  { "antilaserpriority.com", true },
   { "antiled.by", true },
   { "antimine.me", true },
   { "antipolygraph.org", true },
@@ -2852,6 +2952,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "antispeciesism.com", true },
   { "antispeciesist.com", true },
   { "antivirusprotection.reviews", true },
+  { "antocom.com", true },
   { "antoga.eu", true },
   { "antoinedeschenes.com", true },
   { "antoinemary.com", true },
@@ -2860,9 +2961,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "antonin.one", true },
   { "antonio-gartenbau.de", true },
   { "antonjuulnaber.dk", true },
+  { "antonuotila.fi", true },
   { "antota.lt", true },
   { "antragsgruen.de", true },
+  { "antroposboutique.it", true },
   { "antroposofica.com.br", true },
+  { "anttitenhunen.com", true },
   { "antvklik.com", true },
   { "antyblokada.pl", true },
   { "anulowano.pl", true },
@@ -2875,9 +2979,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "anynode.net", true },
   { "anyon.com", true },
   { "anypeer.net", true },
-  { "anypool.fr", true },
-  { "anypool.net", true },
-  { "anyprime.net", true },
   { "anyquestions.govt.nz", true },
   { "anystack.xyz", true },
   { "anzeiger.ag", true },
@@ -2886,6 +2987,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aoa.gov", true },
   { "aoadatacommunity.us", true },
   { "aoaprograms.net", true },
+  { "aoeuaoeu.com", true },
   { "aofusa.net", true },
   { "aoil.gr", true },
   { "aoku3d.com", true },
@@ -2908,6 +3010,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apartment-natik.fr", true },
   { "apartmentkroatien.at", true },
   { "apartmentregister.com.au", true },
+  { "apasaja.tech", true },
+  { "apbank.ch", true },
   { "apbox.de", true },
   { "apcemporium.co.uk", true },
   { "apcube.com", true },
@@ -2917,7 +3021,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apertis.org", true },
   { "aperturesciencelabs.de", true },
   { "apervita.net", true },
-  { "apexitsolutions.ca", true },
   { "apfelcholest.de", true },
   { "apgw.jp", true },
   { "aphelionentertainment.com", true },
@@ -2937,8 +3040,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apiary.store", true },
   { "apiary.supplies", true },
   { "apiary.supply", true },
-  { "apila.care", true },
-  { "apiled.io", true },
+  { "apimon.de", true },
   { "apination.com", true },
   { "apio.systems", true },
   { "apis.google.com", true },
@@ -2946,15 +3048,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apisyouwonthate.com", true },
   { "apk.li", true },
   { "apk4fun.com", true },
-  { "apkmod.id", true },
   { "aplikaceproandroid.cz", true },
   { "aplpackaging.co.uk", true },
   { "aplu.fr", true },
   { "aplus-usa.net", true },
+  { "aplusdownload.com", true },
   { "apluswaterservices.com", true },
+  { "apm.com.tw", true },
   { "apn-dz.org", true },
   { "apn-einstellungen.de", true },
-  { "apo-deutschland.biz", true },
   { "apobot.de", true },
   { "apogeephoto.com", true },
   { "apoil.org", true },
@@ -2964,7 +3066,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aposke.com", true },
   { "aposke.net", true },
   { "aposke.org", true },
-  { "apostilasaprovacao.com", true },
   { "apotheke-ch.org", true },
   { "apothes.is", true },
   { "app-at.work", true },
@@ -2981,12 +3082,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "appartementmarsum.nl", true },
   { "appchive.net", true },
   { "appearance-plm.de", true },
-  { "appel-aide.ch", true },
   { "appelaprojets.fr", true },
   { "appelboomdefilm.nl", true },
   { "appengine.google.com", true },
   { "apperio.com", true },
-  { "appformacpc.com", true },
   { "appgeek.com.br", true },
   { "appharbor.com", true },
   { "appify.org", true },
@@ -3007,8 +3106,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apponline.com", true },
   { "apprank.in", true },
   { "apprenticeship.gov", true },
+  { "apprenticeships.gov", true },
   { "approbo.com", true },
   { "approvedtreecare.com", true },
+  { "apps-perso.com", true },
   { "apps.co", true },
   { "apps.facebook.com", false },
   { "apps.fedoraproject.org", true },
@@ -3016,6 +3117,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "apps4inter.net", true },
   { "appscloudplus.com", true },
   { "appseccalifornia.org", false },
+  { "appsforlondon.com", true },
   { "appshuttle.com", true },
   { "appt.ch", true },
   { "apptomics.com", true },
@@ -3024,11 +3126,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "appveyor.com", true },
   { "appzoojoo.be", true },
   { "apratimsaha.com", true },
-  { "aprefix.com", true },
   { "apretatuercas.es", true },
   { "aprikaner.de", true },
   { "aprogend.com.br", true },
+  { "aproposcomputing.com", true },
   { "aprovpn.com", true },
+  { "aprr.org", true },
   { "aprsdroid.org", true },
   { "aprz.de", true },
   { "apsa.paris", true },
@@ -3043,6 +3146,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aquabar.co.il", true },
   { "aquabio.ch", true },
   { "aquadonis.ch", true },
+  { "aquagarden.com.pl", true },
   { "aquahomo.com", true },
   { "aquainfo.net", true },
   { "aqualife.com.gr", true },
@@ -3050,7 +3154,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aqualysis.nl", true },
   { "aquapoint.kiev.ua", true },
   { "aquarium-supplement.net", true },
-  { "aquaron.com", true },
   { "aquaselect.eu", true },
   { "aquatechnologygroup.com", true },
   { "aquaundine.net", true },
@@ -3086,9 +3189,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arbitrary.ch", true },
   { "arboworks.com", true },
   { "arbu.eu", false },
+  { "arcaea.net", true },
   { "arcaik.net", true },
   { "arcbouncycastles.co.uk", true },
   { "arcenergy.co.uk", true },
+  { "archaeoadventures.com", true },
   { "archimedicx.com", true },
   { "archined.nl", true },
   { "architectryan.com", true },
@@ -3096,6 +3201,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "architectureandgovernance.com", true },
   { "archivero.es", true },
   { "archivesdelavieordinaire.ch", true },
+  { "archivosstl.com", true },
   { "archlinux.de", true },
   { "archlinux.org", true },
   { "arclandholdings.com.au", true },
@@ -3108,7 +3214,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ardor.noip.me", true },
   { "ardtrade.ru", true },
   { "area4pro.com", true },
-  { "area536.com", true },
   { "areaclienti.net", true },
   { "areafiftylan.nl", true },
   { "areatrend.com", true },
@@ -3120,11 +3225,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arenlor.com", true },
   { "arenlor.info", true },
   { "arenns.com", true },
+  { "areqgaming.com", true },
   { "ares-trading.de", true },
   { "arethsu.se", true },
   { "arfad.ch", true },
   { "arg.zone", true },
-  { "argama-nature.com", false },
   { "arganaderm.ch", true },
   { "argb.de", true },
   { "argekultur.at", true },
@@ -3142,7 +3247,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arijitdg.net", true },
   { "arikar.eu", true },
   { "arima.co.ke", true },
-  { "arimarie.com", true },
   { "arinde.ee", true },
   { "arise19.com", true },
   { "arisevendor.net", true },
@@ -3159,13 +3263,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arkacrao.org", true },
   { "arkadiyt.com", true },
   { "arkaic.dyndns.org", true },
-  { "arkbyte.com", true },
   { "arkulagunak.com", false },
   { "arlatools.com", true },
   { "arlen.tv", true },
   { "arlenarmageddon.com", true },
   { "arletalibrary.com", true },
   { "arlingtonelectric.com", true },
+  { "arm-host.com", true },
   { "armadaquadrat.com", true },
   { "armandsdiscount.com", true },
   { "armanozak.com", true },
@@ -3186,6 +3290,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "armstrongsengineering.com", true },
   { "army24.cz", true },
   { "armyprodej.cz", true },
+  { "arnakdanielian.com", true },
   { "arnaudb.net", true },
   { "arnaudfeld.de", true },
   { "arne.codes", true },
@@ -3203,6 +3308,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arnsmedia.nl", true },
   { "arod.tk", true },
   { "arogov.com", true },
+  { "arogyadhamhealth.com", true },
   { "arokha.com", true },
   { "aromacos.ch", true },
   { "aromatlas.com", true },
@@ -3210,16 +3316,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aroonchande.com", true },
   { "aros.pl", true },
   { "arose.io", true },
+  { "around-cms.de", true },
   { "arox.eu", true },
   { "arpamip.org", true },
   { "arpnet.co.jp", true },
   { "arqueo-ecuatoriana.ec", true },
   { "arquitetura.pt", true },
   { "arrakis.se", true },
+  { "arraudi.be", true },
   { "arrazane.com.br", true },
   { "arresttracker.com", true },
   { "arrive.by", true },
   { "arrmaforum.com", true },
+  { "arroba.digital", true },
   { "arrow-analytics.nl", true },
   { "arrow-api.nl", true },
   { "arrowfastener.com", true },
@@ -3227,10 +3336,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arrowheadflats.com", true },
   { "arrowwebprojects.nl", true },
   { "arschkrebs.org", true },
-  { "arsplus.ru", true },
+  { "arsplus.ru", false },
   { "arswb.men", true },
   { "art-auction.jp", true },
   { "art-et-culture.ch", true },
+  { "art-pix.com", true },
+  { "art-pix.de", true },
+  { "art-pix.net", true },
+  { "art2web.net", true },
   { "artboja.com", true },
   { "artdeco-photo.com", true },
   { "arte-soft.co", true },
@@ -3241,10 +3354,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arteaga.tech", true },
   { "arteaga.uk", true },
   { "arteaga.xyz", true },
+  { "artebel.com.br", true },
   { "artecat.ch", true },
   { "artedellavetrina.it", true },
   { "artedona.com", true },
-  { "arteequipamientos.com.uy", true },
   { "artefakt.es", true },
   { "artefeita.com.br", true },
   { "arteinstudio.it", true },
@@ -3256,15 +3369,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "artfabrics.com", true },
   { "artforum.sk", true },
   { "artfullyelegant.com", true },
+  { "arthan.me", true },
   { "arthermitage.org", true },
   { "arthur.cn", true },
   { "arthurlaw.ca", true },
+  { "articu.no", true },
   { "artificial.army", true },
   { "artificialgrassandlandscaping.com", true },
   { "artik.cloud", true },
   { "artimpact.ch", true },
   { "artioml.net", true },
   { "artionet.ch", true },
+  { "artis-game.net", true },
   { "artisan-cheminees-poeles-design.fr", true },
   { "artisans-libres.com", true },
   { "artisansoftaste.com", true },
@@ -3278,8 +3394,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "artlogo.sk", true },
   { "artmanager.dk", true },
   { "artmarketingnews.com", true },
-  { "artmaxi.eu", true },
   { "artmoney.com", true },
+  { "artofcode.co.uk", true },
   { "artofmonitoring.com", false },
   { "artofwhere.com", true },
   { "artratio.net", true },
@@ -3288,7 +3404,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arts.gov", true },
   { "artschmidtoptical.com", true },
   { "artspac.es", true },
-  { "arturkohut.com", true },
+  { "arturopinto.com.mx", true },
   { "arturrossa.de", true },
   { "arturszalak.com", true },
   { "artweby.cz", true },
@@ -3301,7 +3417,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "arvindhariharan.com", true },
   { "arvindhariharan.me", true },
   { "arvutiladu.ee", true },
-  { "arw.me", true },
+  { "arxell.com", true },
+  { "aryalaroca.de", true },
   { "aryan-nation.com", true },
   { "aryasenna.net", true },
   { "arzid.com", true },
@@ -3311,6 +3428,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "as44222.net", true },
   { "asadatec.de", true },
   { "asadzulfahri.com", true },
+  { "asafaweb.com", true },
   { "asafilm.co", true },
   { "asandu.eu", true },
   { "asanger.biz", true },
@@ -3322,22 +3440,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ascension.run", true },
   { "ascensori.biz", true },
   { "ascgathering.com", true },
+  { "ascii.moe", true },
   { "asciitable.tips", true },
   { "asciiwwdc.com", true },
   { "asd.gov.au", true },
   { "asdyx.de", true },
   { "asec01.net", true },
   { "asegem.es", true },
-  { "aseith.com", true },
-  { "aseko.gr", true },
   { "asenno.com", true },
   { "aserver.co", true },
   { "asexualitat.cat", true },
   { "asgapps.co.za", true },
-  { "ashd1.goip.de", true },
-  { "ashd2.goip.de", true },
-  { "ashd3.goip.de", true },
+  { "asge-handel.de", true },
+  { "ashastalent.com", true },
+  { "ashkan-rechtsanwalt-arbeitsrecht-paderborn.de", true },
   { "ashleyedisonuk.com", true },
+  { "ashleythouret.com", true },
   { "ashlocklawgroup.com", true },
   { "ashmportfolio.com", true },
   { "ashutoshmishra.org", true },
@@ -3351,10 +3469,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "asianshops.net", true },
   { "asianspa.co.uk", true },
   { "asiba.com.au", true },
+  { "asiesvenezuela.com", true },
   { "asiinc-tex.com", true },
   { "asile-colis.fr", true },
   { "asinetasima.com", true },
+  { "asirviablog.com", true },
+  { "asisee.photography", true },
   { "ask.fi", true },
+  { "ask.pe", true },
   { "ask1.org", true },
   { "askcaisse.com", true },
   { "askcascade.com", true },
@@ -3365,11 +3487,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "askvg.com", true },
   { "askwhy.cz", true },
   { "askwhy.eu", true },
-  { "aslinfinity.com", true },
   { "asmbsurvey.com", true },
   { "asmdz.com", true },
   { "asmood.net", true },
   { "asoul.tw", true },
+  { "aspargesgaarden.no", true },
   { "aspatrimoine.com", true },
   { "aspcl.ch", true },
   { "aspectcontext.com", true },
@@ -3380,7 +3502,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aspiradorasbaratas.net", true },
   { "aspirateur-anti-pollution.fr", true },
   { "aspires.co.jp", true },
-  { "aspisdata.com", true },
+  { "asprion.org", true },
   { "asproni.it", true },
   { "asr.cloud", true },
   { "asr.li", true },
@@ -3392,7 +3514,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "assempsaibiza.com", true },
   { "assertion.de", true },
   { "assessoriati.com.br", true },
-  { "assetict.com", true },
   { "assetvault.co.za", true },
   { "assguidesporrentruy.ch", true },
   { "assign-it.co.uk", true },
@@ -3411,10 +3532,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "astec-informatica.com", true },
   { "astengox.com", true },
   { "astenotarili.online", true },
-  { "astenretail.com", true },
   { "astral-imperium.uk", true },
+  { "astral.org.pl", true },
   { "astrology42.com", true },
   { "astroscopy.ch", true },
+  { "astrosnail.pt.eu.org", true },
   { "astrovandalistas.cc", true },
   { "astural.org", true },
   { "astutikhonda.com", true },
@@ -3422,18 +3544,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "asucrews.com", true },
   { "asuka.io", true },
   { "asun.co", true },
+  { "asurbernardo.com", true },
   { "asurepay.cc", false },
   { "asustreiber.de", true },
   { "asvsa.ch", true },
   { "asws.nl", true },
   { "asystent-dzierzawy.pl", true },
-  { "at-one.ca", true },
   { "at.search.yahoo.com", false },
-  { "ataber.pw", true },
+  { "at7s.me", true },
   { "atac.no", true },
   { "atacadocervejeiro.com.br", true },
   { "atacadodesandalias.com.br", true },
+  { "atallo.com", true },
+  { "atallo.es", true },
   { "ataton.ch", true },
+  { "atc.cuneo.it", true },
   { "atc.io", true },
   { "atchleyjazz.com", true },
   { "atchleyjazz.org", true },
@@ -3453,24 +3578,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "atelierdesflammesnoires.fr", true },
   { "atelierfantazie.sk", true },
   { "atelierhsn.com", true },
-  { "atelierhupsakee.nl", true },
   { "ateliernaruby.cz", true },
   { "ateliers-veronese-nantes.fr", true },
   { "atelierssud.ch", true },
   { "atelierssud.swiss", true },
   { "atencionbimbo.com", false },
   { "atendimentodelta.com.br", true },
+  { "aterskapa-data.se", true },
   { "atgoetschel.ch", true },
   { "atgroup.gr", true },
   { "atgseed.co.uk", true },
   { "atgseed.uk", true },
   { "ath0.org", false },
   { "atheist-refugees.com", true },
+  { "atheistfrontier.com", true },
   { "athena-bartholdi.com", true },
   { "athena-garage.co.uk", true },
   { "athenadynamics.com", true },
   { "athenaneuro.com", true },
-  { "atherosense.ga", true },
   { "athlin.de", true },
   { "atigerseye.com", true },
   { "atimbertownservices.com", true },
@@ -3484,13 +3609,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "atitude.com", true },
   { "ativapsicologia.com.br", true },
   { "atl-paas.net", true },
-  { "atlantahairsurgeon.com", true },
   { "atlantareroof.com", true },
+  { "atlantaspringroll.com", true },
+  { "atlantichomes.com.au", true },
   { "atlanticpediatricortho.com", true },
   { "atlantis-kh.noip.me", true },
   { "atlantischild.hu", true },
   { "atlantishq.de", true },
   { "atlantiswaterproofing.com", true },
+  { "atlas-heritage.com", true },
   { "atlasbrown.com", true },
   { "atlaschiropractic.org", true },
   { "atlascultural.com", true },
@@ -3498,6 +3625,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "atlasone.us", true },
   { "atlassian.io", true },
   { "atlassignsandplaques.com", true },
+  { "atlayo.com", false },
   { "atletika.hu", true },
   { "atmschambly.com", true },
   { "atnis.com", true },
@@ -3508,7 +3636,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "atom86.net", true },
   { "atombase.org", true },
   { "atomic-bounce.com", true },
-  { "atomic.red", true },
   { "atomicbounce.co.uk", true },
   { "atomism.com", true },
   { "atorcidabrasileira.com.br", true },
@@ -3518,12 +3645,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "atraverscugy.ch", true },
   { "atrinik.org", true },
   { "atsoftware.de", true },
+  { "atspeeds.com", true },
   { "attac.us", true },
   { "atte.fi", true },
-  { "attelage.net", true },
   { "attendantdesign.com", true },
   { "attendu.cz", true },
   { "attention.horse", true },
+  { "attilagyorffy.com", true },
   { "attilavandervelde.nl", true },
   { "attinderdhillon.com", true },
   { "attitudes-bureaux.fr", true },
@@ -3557,7 +3685,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "audiense.com", false },
   { "audio-detector.com", true },
   { "audiobookboo.com", true },
-  { "audiobookstudio.com", true },
   { "audiolibri.org", true },
   { "audiolot.com", true },
   { "audion.cc", true },
@@ -3574,11 +3701,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "auditos.com", true },
   { "audits.io", true },
   { "auditsquare.com", true },
+  { "audreyhossepian.fr", true },
   { "audreyjudson.com", true },
+  { "auenhof-agrar.de", true },
   { "auerbach-verlag.de", true },
   { "auf-feindgebiet.de", true },
   { "augen-seite.de", true },
   { "augiero.it", true },
+  { "augix.net", true },
   { "augmentable.de", false },
   { "augmented-portal.com", true },
   { "august-don.site", true },
@@ -3587,7 +3717,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "augustiner-kantorei-erfurt.de", true },
   { "augustiner-kantorei.de", true },
   { "aukaraoke.su", true },
-  { "aulaschrank.gq", true },
   { "aulo.in", false },
   { "aumilieudumonde.gf", true },
   { "aunali1.com", true },
@@ -3600,6 +3729,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "auri.ga", true },
   { "auricblue.com", true },
   { "auriko-games.de", true },
+  { "aurnik.com", true },
   { "aurora-multimedia.co.uk", true },
   { "auroraassociationofrealtors.com", true },
   { "aurosa.cz", true },
@@ -3609,6 +3739,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "aus-ryugaku.info", true },
   { "ausmwoid.de", true },
   { "auspicacious.org", true },
+  { "ausrecord.com", true },
   { "aussiefunadvisor.com", true },
   { "aussiegreenmarks.com.au", true },
   { "aussieservicedown.com", true },
@@ -3623,8 +3754,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "austintxlocksmiths.com", true },
   { "austinuniversityhouse.com", true },
   { "australian.dating", true },
+  { "australianairbrushedtattoos.com.au", true },
   { "australianarmedforces.org", true },
+  { "australianattractions.com.au", true },
   { "australianimmigrationadvisors.com.au", true },
+  { "australiantemporarytattoos.com", true },
+  { "australiantemporarytattoos.com.au", true },
   { "australien-tipps.info", true },
   { "austromorph.space", true },
   { "auszeit-lanzarote.com", true },
@@ -3632,7 +3767,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "auszeit.bio", true },
   { "auth.adult", true },
   { "authenticwoodcraft.com", true },
-  { "authinfo-bestellen.de", true },
   { "authinity.com", true },
   { "authland.com", false },
   { "author24.biz", true },
@@ -3648,6 +3782,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "autoauctionsohio.com", true },
   { "autoauctionsvirginia.com", true },
   { "autobahnco.com", true },
+  { "autobarn.co.nz", true },
   { "autobedrijfgarant.nl", true },
   { "autobelle.it", true },
   { "autobourcier.com", true },
@@ -3664,9 +3799,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "autodidacticstudios.org", true },
   { "autoentrepreneurinfo.com", true },
   { "autoepc.ro", true },
-  { "autohaus-snater.de", true },
+  { "autoeshop.eu", true },
   { "autoinsurancehavasu.com", true },
-  { "autokovrik-diskont.ru", true },
+  { "autokeyreplacementsanantonio.com", true },
   { "autoledky.sk", true },
   { "automaan.nl", true },
   { "automacity.com", true },
@@ -3676,6 +3811,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "automotivegroup-usedcars.be", true },
   { "automotivemechanic.org", true },
   { "automoto-tom.net", true },
+  { "automy.de", true },
   { "autonewssite.com", true },
   { "autoosijek.com", true },
   { "autopapo.com.br", true },
@@ -3686,6 +3822,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "autoprogconsortium.ga", true },
   { "autoproshouston.com", true },
   { "autorando.com", true },
+  { "autorijschoolrichardschut.nl", true },
+  { "autos-mertens.com", true },
   { "autoschadeschreuder.nl", true },
   { "autoscuola.roma.it", true },
   { "autosecurityfinance.com", true },
@@ -3701,8 +3839,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "autoteplo.org", true },
   { "autoterminus-used.be", true },
   { "autoto.hr", true },
+  { "autotransportquoteservices.com", true },
   { "autoverzekeringafsluiten.com", true },
   { "autowerkstatt-puchheim.de", true },
+  { "autozane.com", true },
   { "autres-talents.fr", true },
   { "autshir.com", true },
   { "auux.com", true },
@@ -3718,11 +3858,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "avaaz.org", true },
   { "avabouncehire.co.uk", true },
   { "avacariu.me", true },
+  { "avaemr-development-environment.ca", true },
+  { "avaeon.com", true },
   { "availablecastles.com", true },
   { "avalon-island.ru", true },
   { "avalon-rpg.com", true },
-  { "avalon-studios.de", true },
-  { "avalyuan.com", true },
   { "avanet.ch", true },
   { "avanet.com", true },
   { "avanovum.de", true },
@@ -3748,6 +3888,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "avia-krasnoyarsk.ru", true },
   { "avia-ufa.ru", true },
   { "aviapoisk.kz", true },
+  { "aviationstrategies.aero", true },
   { "aviationstrategy.aero", true },
   { "avid.blue", true },
   { "avidmode-dev.com", true },
@@ -3757,11 +3898,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "avietech.com", true },
   { "aviv.nyc", true },
   { "avlhostel.com", true },
+  { "avmrc.nl", true },
   { "avnet.ws", true },
   { "avocadooo.stream", true },
   { "avocatbeziau.com", true },
   { "avocode.com", true },
-  { "avotoma.com", true },
+  { "avonture.be", true },
   { "avova.de", true },
   { "avpres.net", true },
   { "avptp.org", true },
@@ -3769,8 +3911,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "avs-building-services.co.uk", true },
   { "avsox.com", true },
   { "avticket.ru", false },
+  { "avtobania.pro", true },
   { "avtoforex.ru", true },
   { "avtogara-isperih.com", true },
+  { "avtomarket.ru", true },
+  { "avtoveles.by", true },
   { "avtovokzaly.ru", true },
   { "avv.li", true },
   { "avvaterra.ch", true },
@@ -3781,12 +3926,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "awaremi-tai.com", true },
   { "awaresec.com", true },
   { "awaresec.no", true },
+  { "awarify.io", true },
+  { "awarify.me", true },
   { "awaro.net", true },
   { "awbouncycastlehire.com", true },
   { "awecademy.org", true },
-  { "awen.me", true },
+  { "awesome-coconut-software.fr", true },
   { "awesomebouncycastles.co.uk", true },
   { "awesomesit.es", true },
+  { "awic.ca", true },
   { "awk.tw", true },
   { "awksolutions.com", true },
   { "awningcanopyus.com", true },
@@ -3807,16 +3955,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "axiomer.me", true },
   { "axiomer.net", true },
   { "axiomer.org", true },
-  { "axis-stralis.co.uk", true },
   { "axisfleetmanagement.co.uk", true },
   { "axolotlfarm.org", false },
+  { "axon-toumpa.gr", true },
   { "axonholdingse.eu", true },
+  { "axre.de", true },
   { "axrec.de", true },
   { "ay-net.jp", true },
   { "ayahya.me", true },
   { "ayanomimi.com", true },
   { "aycomba.de", true },
   { "ayesh.me", true },
+  { "ayj.solutions", true },
   { "aykutcevik.com", true },
   { "aylak.com", true },
   { "aylesburycastlehire.co.uk", true },
@@ -3829,16 +3979,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ayurveda-mantry.com", true },
   { "az-moga.bg", true },
   { "az.search.yahoo.com", false },
+  { "azabani.com", true },
   { "azadliq.info", true },
+  { "azane.ga", true },
+  { "azarus.ch", true },
   { "azazy.net", false },
   { "azgfd.com", true },
   { "aziende.com.ar", true },
   { "azimut.fr", true },
+  { "azino777.ru", true },
   { "azizfirat.com", true },
-  { "azizvicdan.com", true },
+  { "azizvicdan.com", false },
   { "azlk-team.ru", true },
+  { "azmusica.biz", true },
+  { "azmusica.com", true },
   { "azort.com", true },
   { "azrazalea.net", true },
+  { "azsgeniedev.azurewebsites.net", true },
   { "azso.pro", true },
   { "azsupport.com", true },
   { "aztraslochi.it", true },
@@ -3846,10 +4003,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "azu-l.com", true },
   { "azu-l.jp", true },
   { "azuki.cloud", true },
+  { "azukie.com", true },
   { "azurecrimson.com", true },
   { "azuriasky.com", true },
   { "azuriasky.net", true },
-  { "azzag.co.uk", true },
   { "azzorti.com", true },
   { "azzurrapelletterie.it", true },
   { "b-b-law.com", true },
@@ -3860,7 +4017,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "b-landia.net", true },
   { "b-root-force.de", true },
   { "b-services.net", true },
-  { "b-ticket.ch", true },
   { "b0k.org", true },
   { "b0rk.com", true },
   { "b1788.net", false },
@@ -3871,18 +4027,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "b303.me", true },
   { "b4bouncycastles.co.uk", true },
   { "b4ckbone.de", true },
-  { "b4r7.de", true },
   { "b4z.eu", true },
   { "b64.club", true },
   { "b72.com", true },
   { "b72.net", true },
   { "baalsworld.de", true },
-  { "baas-becking.biology.utah.edu", true },
   { "baazee.de", true },
   { "babacasino.net", true },
   { "babai.ru", true },
-  { "babarkata.com", true },
   { "babeleo.com", true },
+  { "bablodel.biz", true },
+  { "bablodel.com", true },
+  { "babsbibs.com", true },
   { "baby-bath-tub.com", true },
   { "baby-digne.com", true },
   { "baby-fotografie-muenchen.de", true },
@@ -3897,6 +4053,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bachata.info", true },
   { "baches-piscines.com", true },
   { "baciu.ch", true },
+  { "backeby.eu", true },
+  { "backgroundchecks.online", true },
   { "backmountaingas.com", true },
   { "backpacker.dating", true },
   { "backschues.com", true },
@@ -3906,17 +4064,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "backsideverbier.ch", true },
   { "backterris.com", true },
   { "backtest.org", true },
+  { "backup-kurumsal.com", true },
   { "backupcloud.ru", true },
+  { "backupsinop.com.br", true },
   { "bacon-monitoring.org", true },
   { "baconismagic.ca", true },
   { "bacontreeconsulting.com", true },
   { "bacoux.com", true },
   { "bacsituvansuckhoe.com", true },
   { "bacula.jp", true },
+  { "bad-wurzach.de", true },
   { "bad.horse", true },
   { "bad.pet", true },
   { "badam.co", true },
+  { "badanka.com", true },
   { "badanteinfamiglia.it", true },
+  { "badaparda.com", true },
   { "badblock.fr", true },
   { "badboyzclub.de", true },
   { "badf00d.de", true },
@@ -3925,6 +4088,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "badges.stg.fedoraproject.org", true },
   { "badgesenpatches.nl", true },
   { "badhusky.com", true },
+  { "badlink.org", true },
   { "badmania.fr", true },
   { "badmintonbible.com", true },
   { "badoo.com", true },
@@ -3945,10 +4109,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bageluncle.com", true },
   { "baggy.me.uk", true },
   { "bagheera.me.uk", true },
-  { "baglu.com", true },
   { "bagsofbounce.co.uk", true },
   { "bagspecialist.nl", true },
-  { "bagstage.de", true },
   { "bah.im", false },
   { "bahaiprayers.io", true },
   { "bahnbonus-praemienwelt.de", true },
@@ -3966,10 +4128,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bailonga.com", true },
   { "baitulongbaycruises.com", true },
   { "baiyangliu.com", true },
-  { "bajajfinserv.in", true },
+  { "bajic.ch", true },
   { "baka-gamer.net", true },
   { "baka.network", true },
   { "baka.org.cn", true },
+  { "baka.red", true },
   { "bakaproxy.moe", true },
   { "bakermen.com", true },
   { "bakersafari.co", true },
@@ -3987,9 +4150,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "balancenaturalhealthclinic.ca", true },
   { "balboa.io", true },
   { "balcaonet.com.br", true },
+  { "balcarek.pl", true },
   { "balconnr.com", true },
   { "balconsverdun.com", true },
   { "baldur.cc", true },
+  { "baldwin.com.au", true },
   { "balia.de", true },
   { "balicekzdravi.cz", true },
   { "balidesignshop.com.br", true },
@@ -4014,6 +4179,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "balmofgilead.org.uk", true },
   { "balslev.io", true },
   { "balticer.de", true },
+  { "balticmed.pl", true },
   { "balticnetworks.com", true },
   { "bamahammer.com", true },
   { "bambooforest.nl", true },
@@ -4040,6 +4206,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bangorfederal.com", false },
   { "bangridho.com", true },
   { "bangumi.co", true },
+  { "bangyu.wang", true },
   { "banham.co.uk", true },
   { "banham.com", true },
   { "banjostringiz.com", true },
@@ -4048,14 +4215,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bankcardoffer.com", true },
   { "bankee.us", true },
   { "bankerbuch.de", true },
-  { "bankersonline.com", true },
   { "banketbesteld.nl", true },
   { "bankfreeoffers.com", true },
   { "bankgradesecurity.com", true },
   { "bankin.com", true },
   { "bankinter.pt", true },
   { "bankio.se", true },
+  { "banknet.gov", true },
   { "bankofdenton.com", true },
+  { "bankpolicies.com", true },
   { "banksiaparkcottages.com.au", true },
   { "bankstownapartments.com.au", true },
   { "bankvanbreda.be", true },
@@ -4063,6 +4231,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bannermarquees.ie", true },
   { "bannsecurity.com", true },
   { "banquevanbreda.be", true },
+  { "bantaihost.com", true },
   { "banter.city", true },
   { "baobeiglass.com", true },
   { "baofengtech.com", true },
@@ -4071,12 +4240,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bar-harcourt.com", true },
   { "barabrume.fr", true },
   { "barans2239.com", true },
+  { "baravalle.com", true },
   { "barbarabowersrealty.com", true },
   { "barbarafabbri.com", true },
   { "barbarafeldman.com", true },
   { "barbarians.com", false },
-  { "barbaros.info", true },
   { "barbate.fr", true },
+  { "barberlegalcounsel.com", true },
   { "barbershop-harmony.org", true },
   { "barbershop-lasvillas.com", true },
   { "barbiere.it", true },
@@ -4091,15 +4261,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bardiharborow.com", true },
   { "bardiharborow.tk", true },
   { "baresquare.com", true },
-  { "barf-alarm.de", true },
   { "baripedia.org", true },
   { "bariseau-mottrie.be", true },
+  { "barisi.me", true },
   { "bariskaragoz.nl", true },
   { "baristador.com", true },
   { "barkerjr.xyz", true },
+  { "barlex.pl", true },
   { "barlotta.net", true },
   { "barnabycolby.io", true },
   { "barnel.com", true },
+  { "barnfotografistockholm.se", true },
   { "barpodsosnami.pl", true },
   { "barracuda.com.tr", true },
   { "barrera.io", true },
@@ -4113,7 +4285,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "barslecht.nl", true },
   { "bart-f.com", true },
   { "barta.me", true },
-  { "bartel.ws", true },
+  { "bartbania.com", true },
   { "bartelt.name", true },
   { "barter4crypto.com", true },
   { "barthonia-showroom.de", true },
@@ -4162,7 +4334,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "batch.com", true },
   { "bati-alu.fr", true },
   { "batiburrillo.net", true },
-  { "batipresta.ch", true },
   { "batistareisfloresonline.com.br", true },
   { "batlab.ch", true },
   { "batolis.com", true },
@@ -4181,9 +4352,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bausep.de", true },
   { "baustils.com", true },
   { "bauthier-occasions.be", true },
-  { "bautied.de", true },
   { "bauunternehmen-herr.de", true },
   { "bauwens.cloud", true },
+  { "bavartec.de", true },
   { "bayareaenergyevents.com", true },
   { "baychimo.com", true },
   { "bayden.com", true },
@@ -4196,8 +4367,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bayerstefan.eu", true },
   { "bayherbalist.com", true },
   { "bayilelakiku.com", true },
+  { "baykatre.com", true },
   { "bayly.eu", true },
   { "baymard.com", true },
+  { "bayportbotswana.com", true },
+  { "bayportfinance.com", true },
+  { "bayportghana.com", true },
+  { "bayporttanzania.com", true },
+  { "bayportuganda.com", true },
+  { "bayportzambia.com", true },
   { "baytalebaa.com", true },
   { "baywatch.io", true },
   { "bayz.de", true },
@@ -4248,15 +4426,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bcmhire.co.uk", true },
   { "bcpc-ccgpfcheminots.com", true },
   { "bcrook.com", true },
-  { "bcs.adv.br", true },
   { "bcswampcabins.com", true },
-  { "bcvps.com", true },
-  { "bcyw56.live", true },
+  { "bcyw56.live", false },
   { "bd2positivo.com", true },
   { "bda-boulevarddesairs.com", true },
   { "bdbxml.net", true },
   { "bdd.fi", true },
-  { "bdikaros-network.net", true },
   { "bdpachicago.tech", true },
   { "bdvg.org", true },
   { "be-a-password.ninja", true },
@@ -4268,8 +4443,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "be2cloud.de", true },
   { "beacham.online", true },
   { "beachcitycastles.com", true },
-  { "beachfutbolclub.com", true },
-  { "beacinsight.com", true },
   { "beadare.com", true },
   { "beadare.nl", true },
   { "beaglesecurity.com", true },
@@ -4280,18 +4453,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "beanilla.com", true },
   { "beanjuice.me", true },
   { "beans-one.com", false },
+  { "bearcms.com", true },
   { "bearcosports.com.br", true },
   { "bearded.sexy", true },
   { "beardic.cn", true },
   { "bearingworks.com", true },
+  { "bearlakelife.com", true },
   { "beastiejob.com", true },
   { "beastowner.li", true },
   { "beatfeld.de", true },
   { "beatnikbreaks.com", true },
   { "beatrizaebischer.ch", true },
+  { "beaumelcosmetiques.fr", true },
   { "beaute-eternelle.ch", true },
   { "beauty-hippie-schmuck.de", true },
   { "beauty-italy.ru", true },
+  { "beauty-yan-enterprise.com", true },
   { "beauty24.de", true },
   { "beautybear.dk", true },
   { "beautyby.tv", true },
@@ -4307,7 +4484,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bebout.pw", true },
   { "beckenhamcastles.co.uk", true },
   { "beckerantiques.com", true },
-  { "beckon.com", true },
   { "becs.ch", true },
   { "becydog.cz", true },
   { "bedamedia.com", true },
@@ -4316,9 +4492,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bedandbreakfasthoekvanholland.com", true },
   { "bedels.nl", true },
   { "bedfordnissanparts.com", true },
-  { "bedlingtonterrier.com.br", true },
   { "bednar.co", true },
   { "bedrijfsfotoreportages.nl", true },
+  { "bedrijfshulpverleningfriesland.nl", true },
   { "bedrijfsportaal.nl", true },
   { "bedrocklinux.org", true },
   { "bedste10.dk", true },
@@ -4370,6 +4546,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "befoodsafe.gov", true },
   { "beforeyoueatoc.com", true },
   { "beframed.ch", true },
+  { "befreewifi.info", true },
   { "befundonline.de", true },
   { "begabungsfoerderung.info", true },
   { "begbie.com", true },
@@ -4378,10 +4555,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "beginwp.top", true },
   { "behamepresrdce.sk", true },
   { "behamzdarma.cz", true },
+  { "behead.de", true },
   { "behindthethrills.com", true },
   { "behna24hodin.cz", true },
   { "behoerden-online-dienste.de", true },
-  { "beholdthehurricane.com", true },
   { "behoreal.cz", true },
   { "bei18.com", true },
   { "beichtgenerator.de", true },
@@ -4390,6 +4567,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "beimchristoph.de", true },
   { "beinad.com", true },
   { "beinad.ru", true },
+  { "beisance.com", true },
   { "bejarano.io", true },
   { "belacapa.com.br", true },
   { "belanglos.de", true },
@@ -4401,13 +4579,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "belarto.it", true },
   { "belarto.nl", true },
   { "belarto.pl", true },
-  { "belastingdienst-in-beeld.nl", false },
   { "belastingmiddeling.nl", true },
   { "belavis.com", true },
+  { "beleggingspanden-financiering.nl", true },
   { "belegit.org", true },
+  { "belezashopping.com.br", true },
   { "belfastbounce.co.uk", true },
   { "belfastlocks.com", true },
   { "belfasttechservices.co.uk", true },
+  { "belfor-probleme.de", true },
   { "belge.rs", true },
   { "belgers.com", true },
   { "belhopro.be", true },
@@ -4417,6 +4597,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "believersweb.org", true },
   { "bell.id.au", true },
   { "bella.network", true },
+  { "bellaklein.de", true },
   { "bellamodeling.com", true },
   { "bellinghamdetailandglass.com", true },
   { "belloy.ch", true },
@@ -4428,10 +4609,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "belmontgoessolar.org", true },
   { "belouga.org", true },
   { "belt.black", true },
-  { "belua.com", true },
   { "belvoirbouncycastles.co.uk", true },
   { "bely-mishka.by", true },
-  { "belyvly.com", true },
   { "bemcorp.de", true },
   { "bemindly.com", true },
   { "bemsoft.pl", true },
@@ -4441,6 +4620,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ben.ninja", true },
   { "ben2.co.il", true },
   { "benabrams.it", true },
+  { "benandsarah.life", true },
   { "benary.org", true },
   { "benbozsa.ca", true },
   { "benburwell.com", true },
@@ -4449,9 +4629,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "benchling.com", true },
   { "benchmarkmonument.com", true },
   { "benchstoolo.com", true },
+  { "bencorby.com", true },
   { "bendemaree.com", true },
   { "bendigoland.com.au", true },
-  { "bendingtheending.com", true },
   { "bendix.co", true },
   { "bendyworks.com", true },
   { "beneathvt.com", true },
@@ -4459,6 +4639,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "benepiscinas.com.br", true },
   { "beneri.se", true },
   { "benevita.bio", true },
+  { "benewpro.com", true },
   { "bengalurugifts.com", true },
   { "bengisureklam.com", true },
   { "benhaney.com", true },
@@ -4466,11 +4647,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "benhavenarchives.org", true },
   { "benjamin-hering.com", true },
   { "benjamin.pe", true },
+  { "benjaminbedard.com", true },
   { "benjaminblack.net", true },
-  { "benjamindietrich.com", true },
   { "benjamindietrich.de", true },
   { "benjaminjurke.com", true },
-  { "benjaminjurke.net", true },
   { "benjaminkopelke.com", true },
   { "benjaminpiquet.fr", true },
   { "benjamins.com", true },
@@ -4479,7 +4659,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "benleemd.com", true },
   { "benmatthews.com.au", true },
   { "benmillett.us", false },
-  { "benmorecentre.co.uk", true },
   { "bennettsbouncycastlehire.co.uk", true },
   { "bennettshire.co.uk", true },
   { "benni1.eu", true },
@@ -4494,6 +4673,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "benscobie.com", true },
   { "benshoof.org", true },
   { "bensinflatables.co.uk", true },
+  { "bensokol.com", true },
   { "bentertain.de", true },
   { "bentley.blog", true },
   { "bentley.link", true },
@@ -4503,11 +4683,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "benz-hikaku.com", true },
   { "benzi.io", true },
   { "beoordelingen.be", true },
+  { "bepenak.com", true },
   { "bephoenix.org.uk", true },
+  { "bepsvpt.me", true },
   { "bequiia.com", true },
   { "beranovi.com", true },
   { "berasavocate.com", true },
-  { "berdaguermontes.eu", false },
+  { "berdu.id", true },
   { "bergenhave.nl", true },
   { "berger-chiro.com", true },
   { "bergevoet-fa.nl", true },
@@ -4534,8 +4716,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bergstoneware.com", true },
   { "berichtsheft-vorlage.de", true },
   { "berikod.ru", true },
-  { "berinhard.pl", true },
-  { "berliancom.com", true },
+  { "beringsoegaard.dk", true },
   { "berlin-flirt.de", true },
   { "berlin.dating", true },
   { "bermeitinger.eu", true },
@@ -4546,6 +4727,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bernardez-photo.com", true },
   { "bernardfischer.fr", true },
   { "bernardgo.com", true },
+  { "bernardo.fm", true },
   { "bernat.ch", true },
   { "bernat.im", true },
   { "bernd-leitner-fotodesign.com", true },
@@ -4557,9 +4739,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bernhardluginbuehl.ch", true },
   { "bernhardluginbuehl.com", true },
   { "berodes.be", true },
+  { "berr.yt", true },
   { "berra.se", true },
   { "berruezoabogados.com", true },
   { "berrus.com", true },
+  { "berry.cat", true },
   { "berrypay.com", true },
   { "bersierservices.ch", true },
   { "bersotavocats.fr", true },
@@ -4573,7 +4757,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bertsmithvwparts.com", true },
   { "beryl.net", true },
   { "besb.io", true },
-  { "besb66.com", true },
   { "beschriftung-metz.de", true },
   { "bescover.com", true },
   { "beserberg.tk", true },
@@ -4601,6 +4784,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "best-music-colleges.com", true },
   { "best-nursing-colleges.com", true },
   { "best-pharmacy-schools.com", true },
+  { "best-tickets.co.uk", true },
   { "best-trucking-schools.com", true },
   { "best-wallpaper.net", true },
   { "best10websitebuilders.com", true },
@@ -4615,7 +4799,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bestbridal.top", true },
   { "bestbyte.com.br", true },
   { "bestcellular.com", false },
-  { "bestdating.today", true },
+  { "bestdating.today", false },
+  { "bestdoc.com.br", true },
+  { "bestdownloadscenter.com", true },
   { "bestelectricnd.com", true },
   { "bestemailmarketingsoftware.org", true },
   { "bestessaycheap.com", true },
@@ -4623,9 +4809,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bestfriendsequality.org", true },
   { "bestgiftever.ca", true },
   { "bestgifts4you.com", true },
+  { "besti.it", true },
   { "bestinductioncooktop.us", true },
   { "bestinshowing.com", true },
-  { "bestinver.es", true },
+  { "bestinver.es", false },
   { "bestjumptrampolines.be", true },
   { "bestkenmoredentists.com", true },
   { "bestlashesandbrows.com", true },
@@ -4636,12 +4823,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bestpal.eu", true },
   { "bestpartyhire.com", true },
   { "bestperfumebrands.com", true },
+  { "bestpig.fr", true },
   { "bestplumbing.com", true },
+  { "bestpractice.domains", true },
   { "bestschools.io", true },
   { "bestschools.top", true },
   { "bestseries.tv", true },
   { "bestshoesmix.com", true },
   { "bestwebsite.gallery", true },
+  { "bet.eu", true },
+  { "betaal.my", true },
   { "betacavi.com", true },
   { "betacloud.io", true },
   { "betaclouds.net", true },
@@ -4650,11 +4841,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "betaworx.de", true },
   { "betaworx.eu", true },
   { "betecnet.de", true },
+  { "bethanyduke.com", true },
   { "bethpage.net", true },
+  { "betleakbot.com", true },
   { "betobaccofree.gov", true },
   { "betonbit.com", true },
+  { "betonmarkets.info", true },
   { "betpamm.com", true },
-  { "betrallyarabia.com", true },
+  { "betrallyarabia.com", false },
   { "bets.gg", true },
   { "betseybuckheit.com", true },
   { "betsharpangles.com", true },
@@ -4679,6 +4873,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bettertime.jetzt", true },
   { "betterweb.fr", true },
   { "betterworldinternational.org", true },
+  { "bettflaschen.ch", true },
   { "bettingbusiness.ru", true },
   { "bettingsider.dk", true },
   { "bettolinokitchen.com", true },
@@ -4702,7 +4897,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bexit.nl", true },
   { "bexleycastles.co.uk", true },
   { "beybiz.com", true },
-  { "beylikduzuvaillant.com", true },
+  { "beyerautomation.com", true },
   { "beyond-infinity.org", false },
   { "beyond-rational.com", true },
   { "beyondalderaan.net", true },
@@ -4717,17 +4912,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bezemkast.nl", true },
   { "bezpecnostsiti.cf", true },
   { "bezr.co.uk", true },
+  { "bezzia.com", true },
+  { "bf7088.com", true },
+  { "bf7877.com", true },
   { "bfam.tv", true },
   { "bfem.gov", true },
   { "bfgcdn.com", true },
   { "bfi.wien", false },
   { "bflix.tv", true },
   { "bforb.sk", true },
+  { "bfp-mail.de", true },
   { "bfpg.org", true },
   { "bft-media.com", true },
   { "bftbradio.com", true },
   { "bfw-online.de", true },
-  { "bg-sexologia.com", true },
   { "bgbhsf.top", true },
   { "bgeo.io", true },
   { "bgfoto.info", true },
@@ -4748,17 +4946,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bhost.net", true },
   { "bhtelecom.ba", true },
   { "bhuntr.com", true },
+  { "bhxch.moe", true },
   { "bi.search.yahoo.com", false },
   { "biaggeo.com", true },
-  { "biancolievito.it", true },
   { "biano-ai.com", true },
   { "biasmath.es", true },
   { "biathloncup.ru", true },
+  { "bibica.net", true },
   { "bible-maroc.com", true },
   { "bible.ru", true },
   { "bibleonline.ru", true },
+  { "biblethoughts.blog", true },
   { "bibliaon.com", true },
-  { "biblio.wiki", true },
   { "biblioblog.fr", true },
   { "bibliomarkt.ch", true },
   { "biblionaut.net", true },
@@ -4768,11 +4967,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bibuch.com", true },
   { "bicecontracting.com", true },
   { "bicha.net", true },
+  { "bicifanaticos.com", true },
   { "bicranial.io", true },
   { "bicycle-events.com", true },
   { "bicycleframeiz.com", true },
   { "biddl.com", true },
   { "biddle.co", true },
+  { "bidman.cz", true },
+  { "bidman.eu", true },
   { "bidu.com.br", true },
   { "bie.edu", false },
   { "biegal.ski", true },
@@ -4790,8 +4992,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bieser.ch", true },
   { "biester.pro", true },
   { "bieumau.net", true },
-  { "biewen.me", true },
   { "bifrost.cz", true },
+  { "biftin.net", true },
   { "big-andy.co.uk", true },
   { "big-bounce.co.uk", true },
   { "big-fluglaerm-hamburg.de", true },
@@ -4800,6 +5002,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bigbouncebouncycastles.co.uk", true },
   { "bigbouncetheory.co.uk", true },
   { "bigbounceuk.com", true },
+  { "bigbrotherawards.nl", true },
   { "bigcakes.dk", true },
   { "bigclassaction.com", true },
   { "bigdinosaur.org", true },
@@ -4810,14 +5013,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bignumworks.com", true },
   { "bigorbitgallery.org", true },
   { "bigserp.com", true },
+  { "bigshopper.com", true },
+  { "bigshopper.nl", true },
   { "bigsisterchannel.com", true },
   { "bigskylifestylerealestate.com", true },
   { "bigskymontanalandforsale.com", true },
   { "bigwiseguide.com", true },
   { "bihub.io", true },
   { "biilo.com", true },
+  { "bijancompany.com", true },
+  { "bijoux.com.br", true },
   { "bijouxcherie.com", true },
-  { "bijuteriicualint.ro", true },
+  { "biju-neko.jp", true },
   { "bike-discount.de", true },
   { "bike-kurse.ch", true },
   { "bike-shack.com", true },
@@ -4825,7 +5032,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bikehistory.org", true },
   { "biker.dating", true },
   { "bikerebel.com", true },
-  { "bikeshopitalia.com", true },
   { "bikiniatoll.com", true },
   { "bikiniseli.com", true },
   { "bikkelbroeders.com", false },
@@ -4837,12 +5043,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bildiri.ci", true },
   { "bildkomponist.de", true },
   { "bildschirmflackern.de", true },
-  { "biletru.net", true },
   { "biletyplus.by", true },
+  { "biletyplus.com", true },
   { "biletyplus.ua", true },
   { "bilgo.com", true },
   { "bilibili.link", true },
-  { "bilibili.red", true },
   { "bilimoe.com", true },
   { "bilke.org", true },
   { "billaud.eu.org", true },
@@ -4859,6 +5064,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "billogram.com", true },
   { "billpro.com", false },
   { "billrhodesbakery.com", true },
+  { "billsqualityautocare.com", true },
   { "billy.pictures", true },
   { "billyoh.com", true },
   { "billysbouncycastlehire.co.uk", true },
@@ -4891,10 +5097,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bing.com", true },
   { "bingobank.org", true },
   { "binhex.net", true },
-  { "binkanhada.biz", true },
   { "binkconsulting.be", true },
   { "binnenmeer.de", true },
-  { "binsp.net", true },
+  { "bintangsyurga.com", true },
+  { "bintelligence.info", true },
   { "binti.com", true },
   { "bintooshoots.com", true },
   { "bio-disinfestazione.it", true },
@@ -4903,6 +5109,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bioatelier.it", true },
   { "biobuttons.ch", true },
   { "biocheminee.com", true },
+  { "biocrafting.net", false },
   { "biodiagnostiki.clinic", true },
   { "biodieseldata.com", true },
   { "biodots.at", true },
@@ -4921,11 +5128,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bioharmony.ca", true },
   { "biointelligence-explosion.com", true },
   { "bioknowme.com", true },
+  { "bioleev.sklep.pl", true },
   { "bioligo.ch", true },
   { "biologis.ch", true },
   { "biology-colleges.com", true },
+  { "biomag.it", true },
   { "biomasscore.com", true },
+  { "biomed-hospital.ch", true },
+  { "biomed.ch", true },
   { "biometrics.es", true },
+  { "biomin.co.uk", true },
   { "biomodra.cz", true },
   { "biopsychiatry.com", true },
   { "bioresonanz-ibiza.com", true },
@@ -4934,10 +5146,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bioshine.com.sg", true },
   { "biosignalanalytics.com", true },
   { "biosphere.cc", true },
+  { "biospw.com", true },
   { "biotechware.com", true },
+  { "biotin.ch", true },
   { "bipyo.com", true },
   { "birbaumer.li", true },
-  { "birchbarkfurniture.ch", true },
   { "birchbarkfurniture.com", true },
   { "birchbarkfurniture.fr", true },
   { "birdbrowser.com", true },
@@ -4961,6 +5174,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "biscoint.io", true },
   { "biscuitcute.com.br", true },
   { "biser-borisov.eu", true },
+  { "bishopscourt-hawarden.co.uk", true },
   { "bismarck-tb.de", true },
   { "biso.ga", true },
   { "bison.co", true },
@@ -4968,7 +5182,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bissalama.org", true },
   { "bisschopssteeg.nl", true },
   { "bistrocean.com", true },
-  { "bistrodeminas.com", true },
+  { "bistroservice.de", true },
   { "bistrotdelagare.fr", true },
   { "bit-cloud.de", true },
   { "bit-rapid.com", true },
@@ -4985,7 +5199,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bitbucket.org", true },
   { "bitburner.de", true },
   { "bitcalt.eu.org", true },
-  { "bitcalt.ga", true },
   { "bitchigo.com", true },
   { "bitcoin-india.net", true },
   { "bitcoin-india.org", true },
@@ -4998,16 +5211,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bitcoin.org", true },
   { "bitcoin.us", true },
   { "bitcoinbitcoin.com", true },
-  { "bitcoinclashic.ninja", true },
   { "bitcoincore.org", true },
+  { "bitcoinfees.net", true },
   { "bitcoinindia.com", true },
   { "bitcoinkarlsruhe.de", true },
   { "bitcoinrealestate.com.au", true },
   { "bitcointhefts.com", true },
-  { "bitcoinwalletscript.tk", true },
   { "bitcoinx.gr", true },
   { "bitcoinx.ro", true },
   { "bitcork.io", true },
+  { "bitcqr.io", true },
+  { "bitenose.com", true },
   { "bitex.la", true },
   { "bitfasching.de", false },
   { "bitfehler.net", true },
@@ -5017,6 +5231,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bitfuse.net", true },
   { "bitgo.com", true },
   { "bitgrapes.com", true },
+  { "bithap.com", true },
   { "bithir.co.uk", true },
   { "bititrain.com", true },
   { "bitlish.com", true },
@@ -5032,42 +5247,49 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bitmidi.com", true },
   { "bitminter.com", true },
   { "bitmoe.com", true },
+  { "bitok.com", true },
   { "bitpoll.de", true },
   { "bitpoll.org", true },
   { "bitpumpe.net", true },
   { "bitref.com", true },
   { "bitrush.nl", true },
+  { "bits-hr.de", true },
   { "bitsafe.com.my", true },
   { "bitsburg.ru", true },
+  { "bitski.com", true },
   { "bitskins.co", true },
   { "bitskrieg.net", true },
+  { "bitso.com", true },
   { "bitsoffreedom.nl", true },
   { "bitstep.ca", true },
   { "bitstorm.nl", true },
   { "bitstorm.org", true },
   { "bitsum.com", true },
+  { "bitsy.com", true },
   { "bitsync.nl", true },
   { "bitten.pw", true },
   { "bittersweetcandybowl.com", true },
   { "bittylicious.com", true },
   { "bitvest.io", true },
+  { "bitwarden.com", true },
   { "bitwolk.nl", true },
   { "bitxel.com.co", true },
+  { "biupay.com.br", true },
   { "biurokarier.edu.pl", true },
   { "bixservice.com", true },
-  { "biyori.moe", true },
   { "biyou-homme.com", true },
   { "biz4x.com", true },
   { "bizbudding.com", true },
   { "bizcash.co.za", true },
   { "bizeau.ch", true },
+  { "biznesonline.info", true },
   { "bizniskatalog.mk", true },
   { "biznpro.ru", true },
   { "bizstarter.cz", true },
   { "biztera.com", true },
   { "biztok.eu", true },
   { "biztouch.work", true },
-  { "bizzi.tv", true },
+  { "bizzdesign.com", true },
   { "bjarnerest.de", true },
   { "bjmgeek.science", true },
   { "bjmun.cn", true },
@@ -5080,7 +5302,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bkkposn.com", true },
   { "bklaindia.com", true },
   { "bkositspartytime.co.uk", true },
-  { "bl00.se", true },
   { "bl4ckb0x.biz", true },
   { "bl4ckb0x.com", true },
   { "bl4ckb0x.de", true },
@@ -5089,7 +5310,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bl4ckb0x.net", true },
   { "bl4ckb0x.org", true },
   { "blaauwgeers.pro", true },
-  { "blaauwgeers.travel", true },
   { "blabber.im", true },
   { "blablacar.co.uk", true },
   { "blablacar.com", true },
@@ -5118,14 +5338,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blackandpony.de", true },
   { "blackbag.nl", true },
   { "blackbase.de", true },
-  { "blackberryforums.be", true },
+  { "blackbird-whitebird.com", true },
   { "blackcat.ca", true },
   { "blackcatinformatics.ca", true },
   { "blackcatinformatics.com", true },
   { "blackcicada.com", true },
   { "blackdotbrewery.com", true },
   { "blackdown.de", true },
-  { "blackdragoninc.org", true },
   { "blackedbyte.com", true },
   { "blackevent.be", true },
   { "blackfire.io", true },
@@ -5133,7 +5352,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blackgate.org", true },
   { "blackhat.dk", true },
   { "blackhelicopters.net", true },
-  { "blackhell.xyz", true },
   { "blackhillsinfosec.com", true },
   { "blackilli.de", true },
   { "blackislegroup.com", true },
@@ -5146,21 +5364,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blacknova.io", true },
   { "blackonion.com", true },
   { "blackpapermoon.de", true },
+  { "blackpayment.ru", true },
   { "blackphoenix.de", true },
   { "blackpi.dedyn.io", true },
   { "blackroadphotography.de", true },
-  { "blackroot.eu", true },
+  { "blackscytheconsulting.com", true },
   { "blackseals.net", true },
+  { "blacktown.eu", true },
   { "blackyau.cc", true },
   { "blackys-chamber.de", true },
   { "blaise.io", true },
   { "blakecoin.org", true },
   { "blakekhan.com", true },
+  { "blakezone.com", true },
   { "blameomar.com", true },
   { "blancodent.com", true },
   { "blankersfamily.com", true },
   { "blanket.technology", true },
-  { "blantr.com", true },
   { "blasorchester-runkel.de", true },
   { "blastentertainment.com.au", true },
   { "blastersklan.com", true },
@@ -5182,6 +5402,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blendle.com", true },
   { "blendle.nl", true },
   { "blendr.com", true },
+  { "blendstudios.com", true },
   { "blenheimears.com", true },
   { "blenneros.net", false },
   { "blessedguy.com", true },
@@ -5190,6 +5411,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blichmann.eu", true },
   { "blidz.com", true },
   { "blieque.co.uk", true },
+  { "bliesekow.net", true },
   { "blikk.no", true },
   { "blikund.swedbank.se", true },
   { "blinder.com.co", true },
@@ -5209,9 +5431,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blizhost.com", true },
   { "blizhost.com.br", true },
   { "blizora.com", true },
-  { "blizz.news", true },
   { "blkbx.eu", true },
   { "blm.gov", true },
+  { "blo-melchiorshausen.de", true },
   { "blobfolio.com", true },
   { "block-this.com", true },
   { "block65.com", true },
@@ -5238,9 +5460,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blogarts.net", true },
   { "blogbooker.com", true },
   { "blogconcours.net", true },
-  { "blogcuaviet.com", true },
   { "blogdelosjuguetes.com", true },
-  { "blogdeyugioh.com", true },
   { "blogexpert.ca", true },
   { "bloggermumofthreeboys.com", true },
   { "blogging-life.com", true },
@@ -5258,8 +5478,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blok56.nl", true },
   { "blokmy.com", true },
   { "blood4pets.tk", true },
+  { "bloodhunt.pl", true },
   { "bloodsports.org", true },
+  { "bloody.pw", true },
   { "bloom-avenue.com", true },
+  { "bloom.sh", true },
   { "bltc.co.uk", true },
   { "bltc.com", true },
   { "bltc.net", true },
@@ -5267,13 +5490,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bltc.org.uk", true },
   { "bltdirect.com", true },
   { "blubberladen.de", true },
-  { "bludnykoren.ml", true },
   { "blue-gmbh-erfahrungen.de", true },
   { "blue-gmbh.de", true },
   { "blue-leaf81.net", true },
   { "blue42.net", true },
   { "blueblou.com", true },
-  { "bluecardlottery.eu", true },
   { "bluecards.eu", true },
   { "bluechilli.com", true },
   { "bluecon.ninja", true },
@@ -5288,10 +5509,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bluekrypt.com", true },
   { "blueliquiddesigns.com.au", true },
   { "bluemeda.web.id", true },
-  { "bluemosh.com", true },
   { "bluemtnrentalmanagement.ca", true },
   { "bluenote9.com", true },
   { "blueoakart.com", true },
+  { "blueoceantech.us", true },
   { "blueperil.de", true },
   { "bluepoint.one", true },
   { "bluepostbox.de", true },
@@ -5299,6 +5520,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "blues-and-pictures.com", true },
   { "blueskycoverage.com", true },
   { "bluestardiabetes.com", true },
+  { "bluesuncamping.com", true },
   { "bluesunhotels.com", true },
   { "bluetexservice.com", true },
   { "bluewavewebdesign.com", true },
@@ -5324,13 +5546,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bm-immo.ch", true },
   { "bmhglobal.com.au", true },
   { "bminton.is-a-geek.net", true },
-  { "bmone.net", true },
+  { "bmk-kramsach.at", true },
   { "bmriv.com", true },
   { "bmros.com.ar", true },
   { "bmw-motorradclub-seefeld.de", true },
   { "bmwcolors.com", true },
   { "bn1digital.co.uk", true },
-  { "bn4t.me", true },
   { "bnbsinflatablehire.co.uk", true },
   { "bngs.pl", true },
   { "bnin.org", true },
@@ -5338,6 +5559,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bnstree.com", true },
   { "bnty.net", true },
   { "bnzblowermotors.com", true },
+  { "bo4tracker.com", true },
   { "boardgamegeeks.de", true },
   { "boards.ie", true },
   { "boat-engines.eu", true },
@@ -5349,7 +5571,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bobaobei.net", true },
   { "bobazar.com", true },
   { "bobcopeland.com", true },
-  { "bobiji.com", false },
   { "bobkidbob.com", true },
   { "bobkoetsier.nl", true },
   { "bobnbouncedublin.ie", true },
@@ -5363,7 +5584,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bocreation.fr", true },
   { "bodhi.fedoraproject.org", true },
   { "bodis.nl", true },
-  { "bodixite.com", true },
   { "bodsch.com", true },
   { "bodybuildingworld.com", true },
   { "bodyconshop.com", true },
@@ -5399,7 +5619,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "boldt-metallbau.de", true },
   { "bolektro.de", true },
   { "bolgarnyelv.hu", true },
-  { "bollywood.uno", true },
   { "bologna-disinfestazioni.it", true },
   { "bolovegna.it", true },
   { "bolt.cm", false },
@@ -5407,6 +5626,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bolte.org", true },
   { "bomb.codes", true },
   { "bombe-lacrymogene.fr", true },
+  { "bomhard.de", true },
   { "bonaccorso.eu", true },
   { "bonami.cz", true },
   { "bonami.hu", true },
@@ -5421,12 +5641,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bondlink.com", true },
   { "bondoer.fr", true },
   { "bondskampeerder.nl", true },
+  { "bondtofte.dk", true },
   { "bonebunny.de", true },
+  { "bonesserver.com", true },
   { "bonfi.net", true },
   { "bongo.cat", true },
   { "bonibuty.com", true },
   { "bonifacius.be", true },
-  { "bonita.com.br", true },
   { "bonito.pl", true },
   { "bonnant-associes.ch", true },
   { "bonnant-partners.ch", true },
@@ -5443,9 +5664,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bonqoeur.ca", true },
   { "bonrecipe.com", true },
   { "bonsaimedia.nl", true },
-  { "bonsi.net", true },
   { "bonux.co", true },
-  { "boodaah.com", false },
   { "boodmo.com", true },
   { "boogaerdtmakelaars.nl", true },
   { "boogiebouncecastles.co.uk", true },
@@ -5453,7 +5672,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "booker.ly", true },
   { "bookingapp.be", true },
   { "bookingapp.nl", true },
-  { "bookingdeluxesp.com", true },
   { "bookingready.com", true },
   { "bookingslog.com", true },
   { "bookingworldspeakers.com", true },
@@ -5461,14 +5679,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bookmein.in", true },
   { "booksearch.jp", true },
   { "booksinthefridge.at", true },
+  { "booksouthafrica.travel", true },
   { "booktracker-org.appspot.com", true },
   { "bool.be", true },
   { "boombv.com", true },
   { "boomersurf.com", true },
   { "boomshelf.com", true },
   { "boomshelf.org", true },
+  { "boomvm.pw", true },
   { "boonbox.com", true },
-  { "boonehenry.co.uk", true },
   { "booox.biz", true },
   { "booox.cc", true },
   { "booox.info", true },
@@ -5482,7 +5701,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "boosinflatablegames.co.uk", true },
   { "boost.fyi", true },
   { "boost.ink", true },
-  { "booter.pw", true },
   { "bootjp.me", false },
   { "bopiweb.com", true },
   { "bopp.org", true },
@@ -5504,7 +5722,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "borowski.pw", true },
   { "borrelpartybus.nl", true },
   { "borysek.net", true },
-  { "borzoi.com.br", true },
   { "bosabosa.org", true },
   { "boscoyacht.ch", true },
   { "boskeopolis-stories.com", true },
@@ -5517,11 +5734,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "botezdepoveste.ro", true },
   { "botguard.net", true },
   { "bothellwaygarage.net", true },
+  { "botoes-primor.pt", true },
   { "botsindiscord.me", true },
-  { "botstack.host", true },
   { "bottaerisposta.net", true },
   { "bottineauneighborhood.org", true },
   { "bottke.berlin", true },
+  { "bottledstories.de", true },
+  { "bou.cloud", true },
   { "bou.lt", true },
   { "bouah.net", true },
   { "bouchard-mathieux.com", true },
@@ -5537,6 +5756,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bounce-abouts.com", true },
   { "bounce-n-go.co.uk", true },
   { "bounce-on.co.uk", true },
+  { "bounce-r-us.co.uk", true },
   { "bounce-xtreme.co.uk", true },
   { "bounce4fun.co.uk", true },
   { "bounce4fun.ie", true },
@@ -5545,7 +5765,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bouncea-bout.com", true },
   { "bounceaboutandplay.co.uk", true },
   { "bounceaboutnewark.co.uk", true },
-  { "bounceaboutsussex.co.uk", true },
   { "bouncealotcastlehire.co.uk", true },
   { "bouncealotnorthwest.co.uk", true },
   { "bounceandwobble.co.uk", true },
@@ -5618,14 +5837,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bouncycastlesinleeds.co.uk", true },
   { "bouncycastlesisleofwight.co.uk", true },
   { "bouncycastlesmonaghan.com", true },
-  { "bouncycastlesperth.net", true },
   { "bouncycastlessheerness.co.uk", true },
   { "bouncydays.co.uk", true },
   { "bouncyfeet.co.uk", true },
   { "bouncygiggles.com.au", true },
   { "bouncyhigher.co.uk", true },
   { "bouncyhousecastlehire.co.uk", true },
-  { "bouncyhouses.co.uk", true },
   { "bouncykingdom.co.uk", true },
   { "bouncykings.co.uk", true },
   { "bouncykingsnortheast.co.uk", true },
@@ -5639,7 +5856,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bountyfactory.io", true },
   { "bourasse.fr", true },
   { "bourdon.fr.eu.org", true },
-  { "bourgdepabos.com", true },
   { "bourhis.info", true },
   { "bournefun.co.uk", true },
   { "bourqu.in", true },
@@ -5687,9 +5903,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "br3in.nl", false },
   { "br7.ru", true },
   { "braams.nl", true },
+  { "braathe.no", true },
   { "bracho.xyz", true },
+  { "brachotelborak.com", true },
   { "brackets-salad.com", true },
-  { "bracoitaliano.com.br", true },
   { "bradbrockmeyer.com", true },
   { "bradfergusonrealestate.com", true },
   { "bradfordhottubhire.co.uk", true },
@@ -5714,16 +5931,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brainserve.swiss", true },
   { "brainsik.net", true },
   { "brainster.co", true },
+  { "brainvation.de", true },
   { "brainvoyagermusic.com", true },
   { "brainwav.es", true },
   { "brainwork.space", true },
   { "brakemanpro.com", true },
   { "brakpanplumber24-7.co.za", true },
+  { "brakstad.org", true },
   { "bralnik.com", true },
   { "brambogaerts.nl", true },
-  { "bramburek.net", true },
   { "bramhallsamusements.com", true },
   { "brammingfys.dk", true },
+  { "bramsikkens.be", true },
   { "bramstaps.nl", true },
   { "bramvanaken.be", true },
   { "bramygrozy.pl", true },
@@ -5732,19 +5951,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "branchtrack.com", true },
   { "brandand.co.uk", true },
   { "brandbil.dk", true },
-  { "brandbuilderwebsites.com", true },
   { "brandcodeconsulting.com", true },
   { "brandcodestyle.com", true },
   { "brandingclic.com", true },
+  { "brando753.xyz", true },
   { "brandongomez.me", true },
   { "brandonhubbard.com", true },
   { "brandonwalker.me", true },
   { "brandrocket.dk", true },
   { "brandstead.com", true },
-  { "brandtrapselfie.nl", true },
   { "brandweerfraneker.nl", true },
   { "brandweertrainingen.nl", true },
-  { "brandweeruitgeest.nl", true },
   { "brank.as", true },
   { "branw.xyz", true },
   { "brasal.ma", true },
@@ -5771,10 +5988,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bravebaby.com.au", true },
   { "bravehearts.org.au", true },
   { "braviskindenjeugd.nl", true },
-  { "bravisziekenhuis.nl", true },
+  { "bravisziekenhuis.nl", false },
   { "brazenfol.io", true },
   { "brazilian.dating", true },
   { "brazillens.com", true },
+  { "brazoriabar.org", true },
   { "brck.nl", true },
   { "brd.ro", true },
   { "breadandlife.org", true },
@@ -5798,10 +6016,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "breeyn.com", true },
   { "brefy.com", true },
   { "brege.org", true },
-  { "bregnedalsystems.dk", true },
   { "breitband.bz.it", true },
   { "breitbild-beamer.de", true },
   { "brejoc.com", true },
+  { "brelahotelberulia.com", true },
   { "bremen-restaurants.de", true },
   { "bremerfriedensforum.de", true },
   { "brendanbatliner.com", true },
@@ -5811,6 +6029,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bressier.fr", true },
   { "bretcarmichael.com", true },
   { "brettabel.com", true },
+  { "brettcornwall.com", true },
   { "brettelliff.com", true },
   { "brettlawyer.com", true },
   { "brettw.xyz", true },
@@ -5818,15 +6037,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brevboxar.se", true },
   { "brewsouth.com", true },
   { "brewtrackr.com", true },
+  { "breznet.com", true },
   { "brgins.com", true },
+  { "brian-gordon.name", true },
   { "brianalaway.com", true },
   { "brianalawayconsulting.com", true },
   { "briandwells.com", true },
   { "brianfoshee.com", true },
-  { "briangarcia.ga", true },
   { "brianjohnson.co.za", true },
   { "brianlanders.us", true },
-  { "brianmwaters.net", true },
   { "brianroadifer.com", true },
   { "briansmith.org", true },
   { "briantkatch.com", true },
@@ -5839,7 +6058,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bricolajeux.ch", true },
   { "brid.gy", false },
   { "bridalshoes.com", true },
-  { "brideandgroomdirect.ie", true },
   { "bridgedirectoutreach.com", true },
   { "bridgeglobalmarketing.com", true },
   { "bridgehomeloans.com", true },
@@ -5847,10 +6065,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bridgevest.com", true },
   { "bridgingdirectory.com", true },
   { "bridltaceng.com", true },
+  { "bridzius.lt", true },
   { "brie.tech", true },
   { "briefassistant.com", true },
   { "briefhansa.de", true },
   { "briefvorlagen-papierformat.de", true },
+  { "brier.me", true },
   { "briffoud.fr", true },
   { "briggsleroux.com", true },
   { "brighouse-leisure.co.uk", true },
@@ -5867,6 +6087,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brilliantproductions.co.nz", true },
   { "brimspark.systems", true },
   { "brio-shop.ch", true },
+  { "brioukraine.store", true },
   { "brisbanelogistics.com.au", true },
   { "bristebein.com", true },
   { "bristolandwestonsuperbounce.com", true },
@@ -5882,10 +6103,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "britneyclause.com", true },
   { "brittanyferriesnewsroom.com", true },
   { "britton-photography.com", true },
+  { "brk.st", true },
   { "brmsalescommunity.com", true },
-  { "brn.by", true },
   { "brnojebozi.cz", true },
   { "bro.hk", true },
+  { "broadbandnd.com", true },
   { "broadleft.org", true },
   { "broadsheet.com.au", true },
   { "brockmeyer.net", true },
@@ -5896,7 +6118,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "broersma.com", true },
   { "broeselei.at", true },
   { "brokenhands.io", true },
-  { "brokenjoysticks.net", true },
   { "brokervalues.com", true },
   { "brompton-cocktail.com", true },
   { "bronetb2b.com.br", true },
@@ -5918,14 +6139,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "browntowncountryclub.com", true },
   { "browsemycity.com", true },
   { "browserleaks.com", true },
+  { "brrd.io", true },
   { "brring.com", true },
   { "brrr.fr", true },
   { "bru6.de", true },
+  { "brubankv1-staging.azurewebsites.net", true },
   { "brucekovner.com", true },
   { "brucemartin.net", true },
   { "brucemobile.de", false },
   { "bruck.me", true },
-  { "bruckner.li", true },
+  { "brudkista.nu", true },
+  { "brudkista.se", true },
+  { "brudkistan.nu", true },
+  { "brudkistan.se", true },
+  { "brueser-gmbh.de", true },
   { "bruna-cdn.nl", true },
   { "brunick.de", false },
   { "brunn.email", true },
@@ -5933,10 +6160,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brunohenc.from.hr", true },
   { "brunoproduit.ch", true },
   { "brunoramos.com", true },
-  { "brunoramos.org", true },
   { "brunosouza.org", true },
   { "brush.ninja", true },
+  { "brutus2.ga", true },
   { "bruun.co", true },
+  { "bry.do", true },
+  { "bryankaplan.com", true },
   { "bryanquigley.com", true },
   { "bryansmith.net", true },
   { "bryansmith.tech", true },
@@ -5946,9 +6175,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "brzy-svoji.cz", true },
   { "bs-network.net", true },
   { "bs-security.com", true },
+  { "bs.sb", true },
   { "bs.to", true },
   { "bs12v.ru", true },
   { "bsa157.org", true },
+  { "bsapack564.org", true },
   { "bsatroop794.org", true },
   { "bsc-rietz.at", true },
   { "bscc.support", true },
@@ -5973,18 +6204,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bsquared.org", true },
   { "bst.gg", true },
   { "bstoked.net", true },
-  { "bsuru.xyz", true },
   { "bsw-solution.de", true },
   { "bt123.xyz", true },
   { "bta.lv", false },
-  { "btc2secure.com", true },
   { "btcarmory.com", true },
   { "btcbolsa.com", true },
   { "btcontract.com", true },
   { "btcpop.co", true },
   { "btcycle.org", true },
+  { "btine.tk", true },
   { "btio.pw", true },
-  { "btku.org", true },
   { "btmstore.com.br", true },
   { "btnissanparts.com", true },
   { "btorrent.xyz", true },
@@ -5992,22 +6221,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "btsoft.eu", true },
   { "btsow.com", true },
   { "bttc.co.uk", true },
+  { "btth.live", true },
   { "btth.pl", true },
   { "btth.tv", true },
-  { "btth.xyz", true },
   { "bttorj45.com", true },
-  { "bturboo.com", true },
+  { "buayacorp.com", true },
   { "bubblegumblog.com", true },
   { "bubblespetspa.com", true },
   { "bubblin.io", true },
   { "bubblinghottubs.co.uk", true },
   { "bubblybouncers.co.uk", true },
   { "bubhub.io", true },
+  { "bubulazi.com", false },
+  { "bubulazy.com", false },
   { "bucek.cz", true },
   { "buch-angucken.de", true },
   { "buchhandlungkilgus.de", true },
   { "buchwegweiser.com", true },
   { "buckelewrealtygroup.com", true },
+  { "bucketlist.co.ke", true },
   { "buckypaper.com", true },
   { "buddhismus.net", true },
   { "buddie5.com", true },
@@ -6024,10 +6256,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "budgiesballoons.com", true },
   { "budntod.com", true },
   { "budolfs.de", true },
-  { "buehnenbande.ch", false },
   { "bueltge.de", true },
   { "buena-vista.cz", true },
   { "buena.me", true },
+  { "bueny.com", true },
+  { "bueny.net", true },
   { "bueroplus.de", true },
   { "bueroschwarz.design", true },
   { "bueroshop24.de", true },
@@ -6041,13 +6274,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bugginslab.co.uk", true },
   { "bugs.chromium.org", true },
   { "bugsmashed.com", true },
+  { "bugwie.com", true },
   { "bugzil.la", true },
   { "bugzilla.mozilla.org", true },
   { "build.chromium.org", true },
   { "buildbox.io", true },
   { "buildbytes.com", true },
+  { "buildfaith.ca", true },
   { "buildhoscaletraingi.com", true },
-  { "building-cost-estimators.com", true },
   { "buildingclouds.de", true },
   { "buildingcostestimators.co.uk", true },
   { "builditsolutions.net", true },
@@ -6059,14 +6293,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "builtory.my", true },
   { "builtvisible.com", true },
   { "builtwith.com", true },
+  { "buissonchardin.fr", true },
   { "bukkenfan.jp", true },
   { "bul3seas.eu", true },
   { "bulario.com", true },
   { "bulario.net", true },
   { "bulbcompare.com", true },
-  { "bulbgenie.com", true },
+  { "bulgarianwine.com", true },
   { "bulkcandystore.com", true },
   { "bulkingtime.com", true },
+  { "bulkowespacerkowo.nl", true },
   { "bulktrade.de", true },
   { "bulktshirtsjohannesburg.co.za", true },
   { "bulkwholesalesweets.co.uk", true },
@@ -6074,6 +6310,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bulldog-hosting.de", true },
   { "bulledair-savons.ch", true },
   { "bullettags.com", true },
+  { "bullpendaily.com", true },
   { "bullshitmail.nl", true },
   { "bullterrier.nu", true },
   { "bulwarkhost.com", true },
@@ -6086,6 +6323,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bunkyo-life.com", true },
   { "bunny-rabbits.com", true },
   { "bunnycarenotes.com", true },
+  { "bunnydiamond.de", true },
   { "bunnyvishal.com", true },
   { "bunzy.ca", true },
   { "bupropion.com", true },
@@ -6127,7 +6365,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "busindre.com", true },
   { "business-garden.com", true },
   { "business.facebook.com", false },
-  { "businessadviceperth.com.au", true },
   { "businesscentermarin.ch", true },
   { "businessesdirectory.eu", true },
   { "businessfactors.de", true },
@@ -6145,10 +6382,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bustimes.org", true },
   { "bustup-tips.com", true },
   { "busuttil.org.uk", true },
-  { "busyon.cloud", true },
   { "butarque.es", true },
   { "buthowdoyoubuygroceries.com", true },
+  { "butikpris.se", true },
   { "butikvip.ru", true },
+  { "butlerfm.dk", true },
   { "butteramotors.com", true },
   { "buttonline.ch", true },
   { "buttonrun.com", true },
@@ -6157,51 +6395,49 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "buurtpreventiefraneker.nl", true },
   { "buxum-communication.ch", true },
   { "buy-out.jp", true },
+  { "buybike.shop", true },
+  { "buycarpet.shop", true },
   { "buycbd.store", true },
+  { "buycook.shop", true },
   { "buydissertations.com", true },
   { "buyebook.xyz", true },
   { "buyerdocs.com", true },
+  { "buyhealth.shop", true },
   { "buyinginvestmentproperty.com", true },
+  { "buyjewel.shop", true },
   { "buymindhack.com", true },
   { "buypapercheap.net", true },
+  { "buyplussize.shop", true },
+  { "buyprofessional.shop", true },
   { "buyritefairview.com", true },
   { "buysellinvestproperties.com", true },
   { "buyseo.store", true },
+  { "buysuisse.shop", true },
   { "buytermpaper.com", true },
   { "buytheway.co.za", true },
+  { "buywine.shop", true },
   { "buzz.tools", true },
-  { "buzzconf.io", true },
   { "buzzcontent.com", true },
   { "buzzprint.it", true },
   { "bvalle.com", true },
-  { "bvgg.eu", true },
   { "bvl.aero", true },
-  { "bvv-europe.eu", true },
   { "bw.codes", true },
   { "bwcscorecard.org", true },
   { "bwe-seminare.de", true },
-  { "bwf11.com", true },
-  { "bwf55.com", true },
-  { "bwf6.com", true },
-  { "bwf66.com", true },
-  { "bwf77.com", true },
-  { "bwf99.com", true },
   { "bwfc.nl", true },
   { "bwh1.net", false },
   { "bwilkinson.co.uk", true },
   { "bwl-earth.club", true },
   { "bws16.de", true },
   { "bwserhoscaletrainaz.com", true },
-  { "bwwb.nu", true },
   { "bx-n.de", true },
   { "bxdev.me", true },
   { "bxp40.at", true },
-  { "by.cx", true },
   { "byange.pro", true },
   { "byatte.com", true },
+  { "bye-bye.us", true },
   { "byeskille.no", true },
   { "bygningsregistrering.dk", true },
-  { "byhe.me", true },
   { "byiu.info", false },
   { "byken.cn", true },
   { "bymark.co", true },
@@ -6213,6 +6449,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "byr.moe", true },
   { "byrko.cz", true },
   { "byrko.sk", true },
+  { "byronkg.us", true },
   { "byrtz.de", true },
   { "bytanchan.com", true },
   { "byte-time.com", true },
@@ -6220,6 +6457,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bytearts.net", false },
   { "bytebucket.org", true },
   { "bytecode.no", true },
+  { "bytecrafter.com", true },
+  { "bytecrafter.net", true },
   { "bytejail.com", true },
   { "bytema.cz", true },
   { "bytema.eu", true },
@@ -6228,6 +6467,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bytemix.cloud", true },
   { "byteowls.com", false },
   { "bytepark.de", true },
+  { "bytepen.com", true },
   { "bytes.co", true },
   { "bytes.fyi", true },
   { "bytesatwork.de", true },
@@ -6240,9 +6480,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "bythisverse.com", true },
   { "bytrain.net", true },
   { "byvshie.com", true },
-  { "bzhub.bid", true },
   { "bziaks.xyz", true },
-  { "bzsparks.com", true },
+  { "bzsparks.com", false },
   { "bztech.com.br", true },
   { "bztraveler.com", true },
   { "bztraveler.net", true },
@@ -6258,14 +6497,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "c0rporation.com", true },
   { "c2design.it", true },
   { "c2o-library.net", true },
+  { "c3sign.de", true },
   { "c3vo.de", true },
   { "c3w.at", true },
   { "c3wien.at", true },
+  { "c3woc.de", true },
   { "c4539.com", true },
   { "c4k3.net", true },
+  { "c5h8no4na.net", true },
   { "c7dn.com", true },
   { "ca-key.de", true },
-  { "ca-terminal-multiservices.fr", true },
   { "ca.gparent.org", true },
   { "ca.search.yahoo.com", false },
   { "ca5.de", true },
@@ -6278,7 +6519,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cabineritten.nl", true },
   { "cabinet-bedin.com", true },
   { "cabinetfurnituree.com", true },
-  { "cablehighspeed.net", true },
   { "cablemod.com", true },
   { "cablesandkits.com", true },
   { "cabotfinancial.co.uk", true },
@@ -6288,9 +6528,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cacaumidade.com.br", true },
   { "caceis.bank", true },
   { "cachacacha.com", true },
+  { "cachedview.nl", true },
   { "cachetagalong.com", true },
   { "cachetur.no", true },
   { "cackette.com", true },
+  { "cacn.pw", true },
   { "cad-noerdlingen.de", true },
   { "cadacoon.com", true },
   { "cadafamilia.de", true },
@@ -6301,12 +6543,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cadooz.com", true },
   { "cadorama.fr", true },
   { "cadoth.net", true },
-  { "cadra.nl", false },
   { "cadre.com", true },
   { "cadsys.net", true },
-  { "cadusilva.com", true },
   { "caesarkabalan.com", true },
-  { "cafe-service.ru", false },
   { "cafedupont.be", true },
   { "cafedupont.co.uk", true },
   { "cafedupont.de", true },
@@ -6316,15 +6555,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cafeobscura.nl", true },
   { "caferagazzi.de", true },
   { "cafericoy.com", true },
+  { "cafeterasbaratas.net", true },
   { "caffeinatedcode.com", true },
-  { "cagalogluyayinevi.com", true },
+  { "cafled.org", true },
+  { "cagalogluyayinevi.com", false },
+  { "caglarcakici.com", true },
+  { "caibi.io", true },
   { "cainhosting.com", false },
   { "caitcs.com", true },
   { "caiwenjian.xyz", true },
+  { "caizx.com", false },
   { "caja-pdf.es", true },
   { "cajio.ru", true },
   { "cajunuk.co.uk", true },
   { "cake-time.co.uk", true },
+  { "cakearific.com", true },
   { "cakestart.net", true },
   { "caketoindia.com", true },
   { "cakingandbaking.com", true },
@@ -6362,15 +6607,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "calendarsnow.com", true },
   { "calendly.com", true },
   { "calenfil.com", true },
+  { "calentadores-solares-sunshine.com", true },
   { "caletka.cz", true },
   { "calgoty.com", true },
   { "calibreapp.com", true },
   { "calibso.net", true },
   { "caliderumba.com", true },
-  { "calidoinvierno.com", true },
   { "calixte-concept.fr", true },
+  { "calkinsmusic.com", true },
   { "call.me", true },
-  { "callawayracing.se", false },
+  { "callanan.nl", true },
+  { "callantonia.com", true },
   { "callear.org", true },
   { "callhub.io", true },
   { "callidus-vulpes.de", true },
@@ -6379,6 +6626,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "callumsilcock.com", true },
   { "callumsilcock.me", true },
   { "calluna.nl", true },
+  { "calminteractive.fr", true },
   { "calmtech.com", true },
   { "calotte-academy.com", true },
   { "calrotaract.org", true },
@@ -6386,6 +6634,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "calvinallen.net", false },
   { "calyxengineers.com", true },
   { "calyxinstitute.org", false },
+  { "camara360grados.com", true },
   { "camaradivisas.com", true },
   { "camaras.uno", true },
   { "camarilloelectric.com", true },
@@ -6399,7 +6648,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cambier.org", true },
   { "cambiowatch.ch", true },
   { "cambodian.dating", true },
-  { "cambridge-security.com", true },
+  { "cambreaconsulting.com", true },
+  { "cambridge-examen.nl", true },
   { "cambridgebouncers.co.uk", true },
   { "cambridgesecuritygroup.org", true },
   { "camcapital.com", true },
@@ -6411,7 +6661,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cameraviva.com.br", true },
   { "camerweb.es", true },
   { "camilomodzz.net", true },
-  { "camjobs.net", true },
   { "camolist.com", true },
   { "camomile.desi", true },
   { "camp-pleinsoleil.ch", true },
@@ -6423,10 +6672,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "campaignwiki.org", true },
   { "campamentos.info", true },
   { "campbellapplianceheatingandair.com", true },
-  { "campbrainybunch.com", true },
   { "campcambodia.org", true },
   { "campcanada.org", true },
-  { "campeonatoalemao.com.br", true },
   { "camperdays.de", true },
   { "camperlist.com", true },
   { "campermanaustralia.com", true },
@@ -6440,7 +6687,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "campula.cz", true },
   { "campus-discounts.com", true },
   { "campus-finance.com", true },
-  { "campusdrugprevention.gov", true },
+  { "campusdrugprevention.gov", false },
   { "campuswire.com", true },
   { "campvana.com", true },
   { "campwabashi.org", true },
@@ -6453,15 +6700,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "canadasmotorcycle.ca", true },
   { "canadian-nurse.com", true },
   { "canadian.dating", true },
+  { "canadianatheists.ca", true },
+  { "canadianatheists.com", true },
   { "canadianchristianity.com", false },
   { "canadianoutdoorequipment.com", true },
   { "canadiantouristboard.com", true },
   { "canal-onanismo.org", true },
   { "canalsidehouse.be", true },
   { "canalsidehouse.com", true },
+  { "canariculturacolor.com", true },
   { "canarymod.net", true },
   { "cancerdata.nhs.uk", true },
   { "candaceplayforth.com", true },
+  { "candelec.com", true },
   { "candeo-books.nl", true },
   { "candex.com", true },
   { "candguchocolat.com", true },
@@ -6474,7 +6725,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cangelloplasticsurgery.com", true },
   { "cangku.in", true },
   { "cangku.moe", false },
-  { "canglong.net", true },
   { "canhazip.com", true },
   { "canicaprice.com", true },
   { "canihavesome.coffee", true },
@@ -6488,20 +6738,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cannoli.london", true },
   { "cannyfoxx.me", true },
   { "canoonic.se", true },
+  { "canopycleaningmelbourne.com.au", true },
   { "cant.at", true },
   { "cantatio.ch", true },
-  { "canterberry.cc", true },
   { "canterburybouncycastlehire.co.uk", true },
+  { "cantonroadjewelry.com", true },
   { "cantrack.com", true },
+  { "canva-dev.com", true },
   { "canva.com", true },
   { "canx.org", true },
+  { "canyonshoa.com", true },
   { "canyoupwn.me", true },
   { "cao.gov", true },
   { "cao.la", true },
-  { "caodesantohumberto.com.br", true },
   { "caoshan60.com", true },
   { "capachitos.cl", true },
   { "capacityproject.org", true },
+  { "capebretonpiper.com", true },
   { "capekeen.com", true },
   { "capellidipremoli.com", true },
   { "caphane.com", true },
@@ -6526,9 +6779,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "capstansecurity.co.uk", true },
   { "capstansecurity.com", true },
   { "capstoneinsights.com", true },
+  { "capsule.org", true },
   { "capsulesubs.fr", true },
   { "captain-dandelion.com", true },
   { "captainark.net", true },
+  { "captainsfarm.in", true },
   { "captainsinn.com", true },
   { "captivationtheory.com", true },
   { "capturapp.com", false },
@@ -6553,7 +6808,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "carbon12.software", true },
   { "carboneselectricosnettosl.info", false },
   { "carbonmade.com", false },
-  { "carbonmonoxidelawyer.net", true },
   { "carbono.uy", true },
   { "carbontv.com", true },
   { "carburetorcycleoi.com", true },
@@ -6581,6 +6835,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cardxl.nl", true },
   { "care4all.com", true },
   { "careeapp.com", true },
+  { "career.support", true },
   { "careeroptionscoach.com", true },
   { "careerpower.co.in", true },
   { "careers.plus", true },
@@ -6606,9 +6861,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cariocacooking.com", true },
   { "carisenda.com", true },
   { "carkeysanantonio.com", true },
+  { "carlandfaith.com", true },
+  { "carlgo11.com", true },
   { "carlife-at.jp", true },
   { "carlili.fr", true },
   { "carlingfordapartments.com.au", true },
+  { "carlinmack.com", true },
   { "carlmjohnson.net", true },
   { "carlo.mx", false },
   { "carlobiagi.de", true },
@@ -6616,12 +6874,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "carlocksmithbaltimore.com", true },
   { "carlocksmithellicottcity.com", true },
   { "carlocksmithfallbrook.com", true },
+  { "carlocksmithkey.com", true },
   { "carlocksmithlewisville.com", true },
   { "carlocksmithmesquite.com", true },
   { "carlocksmithtucson.com", true },
   { "carlosfelic.io", true },
   { "carlosjeurissen.com", true },
   { "carlot-j.com", true },
+  { "carmelrise.co.uk", true },
   { "carnaticalifornia.com", true },
   { "carnet-du-voyageur.com", true },
   { "carnildo.com", true },
@@ -6640,7 +6900,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "carpetcleaningtomball.com", true },
   { "carrando.com", true },
   { "carre-lutz.com", true },
-  { "carrentalsathens.com", true },
   { "carriedin.com", true },
   { "carrierplatform.com", true },
   { "carringtonrealtygroup.com", true },
@@ -6648,7 +6907,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "carroceriascarluis.com", true },
   { "carrollservicecompany.com", true },
   { "carrosserie-dubois.com", true },
+  { "carrouselcompany.fr", true },
+  { "cars4salecy.com", true },
   { "carseatchecks.ca", true },
+  { "carshippingcarriers.com", true },
   { "carson-aviation-adventures.com", true },
   { "carson-matthews.co.uk", true },
   { "carsoug.com", true },
@@ -6671,7 +6933,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cartertonscouts.org.nz", true },
   { "cartesentreprises-unicef.fr", true },
   { "carthedral.com", true },
-  { "cartierplan.ga", true },
+  { "cartierplan.ga", false },
   { "carto.la", true },
   { "cartongesso.roma.it", true },
   { "cartooncastles.ie", true },
@@ -6698,6 +6960,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "casadasportasejanelas.com", true },
   { "casadoarbitro.com.br", true },
   { "casadowifi.com.br", true },
+  { "casaessencias.com.br", true },
+  { "casalborgo.it", true },
   { "casalindamex.com", true },
   { "casalunchbreak.de", true },
   { "casamariposaspi.com", true },
@@ -6713,17 +6977,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "case-vacanza-salento.com", true },
   { "casecoverkeygi.com", true },
   { "casecurity.org", true },
+  { "caseof.tk", true },
   { "caseplus-daem.de", true },
   { "caseycapitalpartners.com", true },
   { "cash-4x4.com", true },
   { "cashati.com", true },
   { "cashbook.co.tz", true },
   { "cashbot.cz", true },
+  { "cashfazz.com", true },
   { "cashlink.de", true },
-  { "cashlink.io", true },
   { "cashlogic.ch", true },
   { "cashmaxtexas.com", true },
   { "cashplk.com", true },
+  { "casino-cash-flow.su", true },
+  { "casino-cashflow.ru", true },
   { "casino-online.info", true },
   { "casino-trio.com", true },
   { "casinobonuscodes.online", true },
@@ -6731,8 +6998,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "casinomucho.org", true },
   { "casinomucho.se", true },
   { "casinoonlinesicuri.com", true },
+  { "casinorewards.info", true },
   { "casinovergleich.com", true },
   { "casio-caisses-enregistreuses.fr", true },
+  { "casirus.com", true },
   { "casjay.cloud", true },
   { "casjay.info", true },
   { "casjay.us", true },
@@ -6755,10 +7024,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "castles4kidz.com", true },
   { "castles4rascalsiow.co.uk", true },
   { "castlesrus-kent.com", true },
-  { "castleswa.com.au", true },
   { "casualdesignsfurniture.com", true },
   { "casusgrillcaribbean.com", true },
-  { "cat-blum.com", true },
   { "cat-box.de", true },
   { "cat.net", true },
   { "cat73.org", true },
@@ -6776,6 +7043,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "catchfotografie.nl", true },
   { "catchhimandkeephim.com", true },
   { "catchief.com", true },
+  { "catcoxx.de", true },
   { "catdecor.ru", true },
   { "catenacondos.com", true },
   { "catering-xanadu.cz", true },
@@ -6788,7 +7056,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "catherinescastles.co.uk", true },
   { "catholics.dating", true },
   { "cathosa.nl", true },
-  { "cathosting.org", true },
   { "cathy.guru", true },
   { "cathy.website", true },
   { "cathyfitzpatrick.com", true },
@@ -6801,7 +7068,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "catl.st", true },
   { "catmoose.ca", true },
   { "catnet.dk", false },
-  { "catprog.org", true },
   { "cattivo.nl", false },
   { "catuniverse.org", true },
   { "catveteran.com", true },
@@ -6811,12 +7077,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "caulong-ao.net", true },
   { "cav.ac", true },
   { "cavac.at", true },
-  { "cave-reynard.ch", true },
   { "cavevinsdefrance.fr", true },
   { "cavzodiaco.com.br", true },
   { "caxalt.com", true },
   { "caylercapital.com", true },
-  { "cayounglab.co.jp", true },
   { "cazaviajes.es", true },
   { "cazes.info", true },
   { "cb-crochet.com", true },
@@ -6825,8 +7089,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cbcf.info", true },
   { "cbd.casa", true },
   { "cbd.supply", true },
-  { "cbdev.de", true },
+  { "cbdcontact.pl", true },
   { "cbdmarket.space", true },
+  { "cbdoilcures.co", true },
   { "cbecrft.net", true },
   { "cbhq.net", true },
   { "cbin168.com", true },
@@ -6837,9 +7102,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cbw.sh", true },
   { "cc-brantomois.fr", true },
   { "ccac.gov", true },
+  { "ccattestprep.com", true },
   { "ccavenue.com", true },
+  { "ccc-ch.ch", true },
   { "cccwien.at", true },
-  { "ccgn.co", true },
   { "ccgx.de", true },
   { "ccoooss.com", true },
   { "ccprwebsite.org", true },
@@ -6848,7 +7114,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ccsys.com", true },
   { "cctvcanada.net", true },
   { "cctvview.info", true },
-  { "ccu.io", true },
   { "ccu.plus", true },
   { "ccv-deutschland.de", true },
   { "ccv.ch", true },
@@ -6867,6 +7132,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cdda.ch", true },
   { "cdepot.eu", true },
   { "cdkeykopen.com", true },
+  { "cdmlb.net", true },
   { "cdn.ampproject.org", true },
   { "cdn6.de", true },
   { "cdncompanies.com", true },
@@ -6878,8 +7144,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cdshining.com", true },
   { "cdu-wilgersdorf.de", true },
   { "cduckett.net", true },
+  { "cdvl.org", true },
   { "ce-pimkie.fr", true },
-  { "ceagriproducts.com", true },
+  { "ceanimalhealth.com", true },
   { "cebz.org", true },
   { "cecame.ch", true },
   { "ceciliacolombara.com", true },
@@ -6893,6 +7160,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ceebee.com", true },
   { "cejhon.cz", false },
   { "celcomhomefibre.com.my", true },
+  { "cele.bi", true },
   { "celebmasta.com", true },
   { "celebrityhealthcritic.com", true },
   { "celebrityscope.net", true },
@@ -6904,7 +7172,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "celltesequ.com", true },
   { "celluliteorangeskin.com", true },
   { "celluliteremovaldiet.com", true },
-  { "celtadigital.com", true },
   { "celti.ie.eu.org", true },
   { "celti.name", true },
   { "celuliteonline.com", true },
@@ -6922,13 +7189,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "centennialradon.com", true },
   { "centennialseptic.com", true },
   { "centerpereezd.ru", false },
-  { "centerpoint.ovh", true },
-  { "centillien.com", false },
   { "centio.bg", true },
   { "centos.tips", true },
   { "centralbank.ae", true },
   { "centralebigmat.eu", true },
   { "centralegedimat.eu", true },
+  { "centrallotus.com", true },
   { "centralmarket.com", true },
   { "centralmissourifoundationrepair.com", true },
   { "centralpoint.be", false },
@@ -6968,8 +7234,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cermak.photos", true },
   { "cernakova.eu", true },
   { "cerpus-course.com", true },
+  { "cerrajeriaamericadelquindio.com", true },
   { "cert.govt.nz", true },
   { "cert.or.id", true },
+  { "certaintelligence.com", true },
   { "certcenter.ch", true },
   { "certcenter.co.uk", true },
   { "certcenter.com", true },
@@ -6981,6 +7249,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "certificatedetails.com", true },
   { "certificatespending.com", true },
   { "certificatetools.com", true },
+  { "certifiedfieldassociate.com", true },
   { "certifiednurses.org", true },
   { "certmonitor.com.au", true },
   { "certmonitor.net", true },
@@ -6988,7 +7257,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "certspotter.com", true },
   { "certspotter.org", true },
   { "cervejista.com", true },
-  { "cesantias.co", true },
+  { "ces-ltd.co.uk", true },
   { "cesboard.com", true },
   { "cesdb.com", true },
   { "cesipagano.com", true },
@@ -7004,8 +7273,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cevo.com.hr", true },
   { "ceyizlikelisleri.com", true },
   { "cf-ide.de", true },
-  { "cfa.gov", true },
-  { "cfan.space", true },
+  { "cf-tm.net", true },
   { "cfda.gov", true },
   { "cfdcre5.org", true },
   { "cfh.com", true },
@@ -7013,6 +7281,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cfno.org", true },
   { "cfo.gov", true },
   { "cfpa-formation.fr", true },
+  { "cfsh.tk", true },
   { "cftc.gov", true },
   { "cftcarouge.com", true },
   { "cfttt.com", true },
@@ -7028,12 +7297,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cgbassurances.ch", true },
   { "cgbilling.com", true },
   { "cgcookiemarkets.com", true },
+  { "cgminc.net", true },
   { "cgnparts.com", true },
   { "cgpe.com", true },
   { "cgsmart.com", true },
   { "cgurtner.ch", true },
   { "ch-laborit.fr", true },
   { "ch-sc.de", true },
+  { "ch.bzh", true },
   { "ch.search.yahoo.com", false },
   { "ch47f.com", true },
   { "chabaudparfum.com", true },
@@ -7041,11 +7312,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chabik.com", true },
   { "chad.ch", true },
   { "chadstoneapartments.com.au", true },
-  { "chadtaljaardt.com", true },
   { "chaffeyconstruction.com", true },
   { "chaifeng.com", true },
   { "chainedunion.info", true },
-  { "chaip.org", true },
   { "chaisystems.net", true },
   { "chaletdemontagne.org", true },
   { "chaletmanager.com", true },
@@ -7064,8 +7333,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "champions.co", true },
   { "championsofpowerfulliving.com", true },
   { "championweb.co.nz", true },
+  { "championweb.com", true },
   { "championweb.com.au", true },
+  { "championweb.com.sg", true },
   { "championweb.nz", true },
+  { "championweb.sg", true },
   { "champonthis.de", true },
   { "champserver.net", false },
   { "chancekorte.com", true },
@@ -7088,16 +7360,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chaosdorf.de", true },
   { "chaosfield.at", true },
   { "chaoslab.org", true },
+  { "chaospott.de", true },
   { "chaosriftgames.com", true },
-  { "chaotichive.com", true },
-  { "chaoticlaw.com", true },
-  { "chapelaria.tf", true },
+  { "chaoswars.ddns.net", true },
   { "chapelfordbouncers.co.uk", true },
   { "chapiteauxduleman.fr", true },
   { "chaplain.co", true },
   { "charbonnel.eu", true },
   { "charcoal-se.org", true },
   { "charcoalvenice.com", true },
+  { "charge.co", false },
   { "chargedmonkey.com", true },
   { "chargify.com", true },
   { "charisma.ai", true },
@@ -7110,6 +7382,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "charlespitonltd.com", true },
   { "charlesrogers.co.uk", true },
   { "charlesstover.com", true },
+  { "charlestonfacialplastic.com", true },
   { "charliedillon.com", true },
   { "charliegarrod.com", true },
   { "charliehr.com", true },
@@ -7124,31 +7397,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "charmanterelefant.at", true },
   { "charmingsaul.com", true },
   { "charmyadesara.com", true },
-  { "charr.xyz", true },
-  { "chars.ga", true },
+  { "chars.ga", false },
   { "charta-digitale-vernetzung.de", true },
   { "charteroak.org", true },
   { "chartkick.com", true },
   { "chartpen.com", true },
   { "chartsy.de", true },
   { "chartwellestate.com", true },
-  { "charuru.moe", true },
+  { "charuru.moe", false },
   { "chascrazycreations.com", true },
   { "chaseandzoey.de", true },
   { "chasetrails.co.uk", true },
+  { "chat-house-adell.com", true },
   { "chat-libera.org", true },
   { "chat-senza-registrazione.net", true },
   { "chat.cz", true },
   { "chat2.cf", true },
   { "chat40.net", true },
   { "chatbelgie.eu", true },
-  { "chatbotclic.com", true },
-  { "chatbotclick.com", true },
   { "chatbots.systems", true },
   { "chatear.social", true },
   { "chateau-de-lisle.fr", true },
   { "chateaudestrainchamps.com", true },
   { "chatfacile.org", true },
+  { "chatforskning.no", true },
   { "chatgrape.com", true },
   { "chatint.com", true },
   { "chatitaly.org", true },
@@ -7172,10 +7444,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chaurocks.com", true },
   { "chaussenot.net", true },
   { "chavetaro.com", true },
-  { "chaz6.com", true },
   { "chazalet.fr", true },
   { "chazay.net", false },
-  { "chazgie.se", true },
   { "chbk.co", true },
   { "chbs.me", true },
   { "chch.it", true },
@@ -7200,9 +7470,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cheapgeekts.com", false },
   { "cheapgoa.com", true },
   { "cheapiesystems.com", true },
+  { "cheapssl.com.tr", true },
   { "cheapticket.in", true },
+  { "cheatengine.pro", true },
   { "check.torproject.org", false },
   { "checkecert.nl", true },
+  { "checkjelinkje.nl", true },
   { "checkmyessay.com", true },
   { "checkmyessays.com", true },
   { "checkmyip.com", true },
@@ -7214,6 +7487,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "checkspf.net", true },
   { "checktype.com", true },
   { "checkui.com", true },
+  { "checkyourmath.com", true },
   { "checkyourprivilege.org", true },
   { "checkyourreps.org", true },
   { "checos.co.uk", true },
@@ -7222,14 +7496,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cheekymonkeysinflatables.co.uk", true },
   { "cheela.org", true },
   { "cheeseemergency.co.uk", true },
-  { "cheesehosting.net", true },
   { "cheetahwerx.com", true },
   { "cheez.systems", true },
   { "cheezflix.uk", true },
   { "chefwear.com", true },
   { "chehalemgroup.com", true },
   { "cheladmin.ru", true },
-  { "chelema.xyz", true },
   { "cheltenhambounce.co.uk", true },
   { "cheltenhambouncycastles.co.uk", true },
   { "cheltik.ru", true },
@@ -7250,8 +7522,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cheolguso.com", true },
   { "cherevoiture.com", true },
   { "cherie-belle.com", true },
-  { "cherrett.digital", true },
   { "cherry-green.ch", true },
+  { "cherrybread.net", true },
   { "cherryonit.com", true },
   { "cherrywoodtech.com", true },
   { "chertseybouncycastles.co.uk", true },
@@ -7259,25 +7531,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chess.com", true },
   { "chessboardao.com", true },
   { "chesscoders.com", true },
+  { "chesskid.com", true },
   { "chesspoint.ch", true },
-  { "chesterlestreetasc.co.uk", true },
+  { "chesterlestreetasc.co.uk", false },
   { "chestnut.cf", true },
+  { "chetwood.se", true },
   { "chevy37.com", true },
   { "chevymotor-occasions.be", true },
   { "chewey.de", true },
   { "chewey.org", true },
   { "chewingucand.com", true },
-  { "chez-janine.de", true },
   { "chez-oim.org", true },
   { "chez.moe", true },
   { "chfr.search.yahoo.com", false },
   { "chhory.com", true },
-  { "chhy.at", true },
   { "chiaraiuola.com", false },
   { "chiaseeds24.com", true },
   { "chiboard.co", true },
   { "chibr.eu", true },
   { "chic-leather.com", true },
+  { "chicagoemergencyclosings.com", true },
+  { "chicagolug.org", true },
   { "chicagostudentactivists.org", true },
   { "chicisimo.com", true },
   { "chicolawfirm.com", true },
@@ -7314,11 +7588,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chint.ai", true },
   { "chinwag.im", true },
   { "chinwag.org", true },
-  { "chipcore.com", true },
+  { "chipcore.com", false },
   { "chipglobe.com", true },
   { "chippy.ch", false },
   { "chips-scheduler.de", true },
-  { "chiralsoftware.com", true },
+  { "chipset.no", true },
   { "chireiden.net", true },
   { "chiro-neuchatel.ch", true },
   { "chiropractic.gr", true },
@@ -7344,28 +7618,33 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chocgu.com", true },
   { "chocodecor.com.br", true },
   { "chocolah.com.au", false },
-  { "chocolate13tilias.com.br", true },
+  { "chocolat.work", true },
   { "chocolatesandhealth.com", true },
   { "chocolatier-tristan.ch", true },
+  { "chocolytech.info", true },
   { "chocotough.nl", true },
   { "choiceautoloan.com", true },
-  { "choisirmonerp.com", true },
   { "chokladfantasi.net", true },
+  { "chomp.life", true },
   { "chon.io", true },
   { "chonghe.org", true },
   { "chook.as", true },
-  { "choootto.club", true },
+  { "choootto.net", true },
   { "choosemypc.net", true },
+  { "chopperdesign.com", true },
   { "chorkley.co.uk", true },
   { "chorkley.com", true },
   { "chorkley.uk", true },
   { "chorpinkpoemps.de", true },
   { "chosenplaintext.org", true },
+  { "chotlo.com", true },
   { "chourishi-shigoto.com", true },
   { "chovancova.sk", true },
   { "chowii.com", true },
   { "choyri.com", true },
+  { "chr0me.sh", true },
   { "chris-edwards.net", true },
+  { "chrisahrweileryoga.com", true },
   { "chrisaitch.com", true },
   { "chrisb.me", true },
   { "chrisb.xyz", true },
@@ -7391,14 +7670,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "christchurchbouncycastles.co.uk", true },
   { "christec.net", true },
   { "christensenplace.us", true },
+  { "christerwaren.fi", true },
   { "christiaanconover.com", true },
+  { "christian-fischer.pictures", true },
+  { "christian-folini.ch", true },
   { "christian-gredig.de", true },
   { "christian-host.com", true },
-  { "christian-krug.website", true },
   { "christian-liebel.com", true },
   { "christian-stadelmann.de", true },
   { "christianbargon.de", false },
   { "christiancleva.com", true },
+  { "christiancoleman.info", true },
   { "christianfaq.org", true },
   { "christianforums.com", true },
   { "christiangehring.org", true },
@@ -7410,7 +7692,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "christianpeltier.com", true },
   { "christianpilgrimage.com.au", true },
   { "christians.dating", true },
-  { "christianscholz.de", true },
+  { "christianscholz.de", false },
   { "christiehawkes.com", true },
   { "christiesantiques.com", true },
   { "christmascard.be", true },
@@ -7418,6 +7700,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "christoph-conrads.name", true },
   { "christophbartschat.com", true },
   { "christopher-simon.de", true },
+  { "christopher.sh", true },
   { "christopherandcharlotte.uk", true },
   { "christopherburg.com", true },
   { "christopherkennelly.com", true },
@@ -7446,6 +7729,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chrpaul.de", true },
   { "chrstn.eu", true },
   { "chrysanthos.net", true },
+  { "chrystajewelry.com", true },
   { "chshouyu.com", true },
   { "chsterz.de", true },
   { "chuchote-moi.fr", true },
@@ -7456,15 +7740,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "chunk.science", true },
   { "chupadelfrasco.com", true },
   { "chuppa.com.au", true },
-  { "churchlinkpro.com", true },
   { "churchofsaintrocco.org", true },
   { "churchofscb.org", true },
   { "churchthemes.com", true },
+  { "churchwebcanada.ca", true },
+  { "churchwebsupport.com", true },
   { "churningtracker.com", true },
+  { "chybeck.net", true },
   { "chyen.cc", true },
   { "chytraauta.cz", true },
   { "chziyue.com", true },
   { "ci-fo.org", true },
+  { "ci-suite.com", true },
   { "ci5.me", true },
   { "ciancode.com", true },
   { "ciania.pl", true },
@@ -7472,26 +7759,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ciansc.com", true },
   { "ciaracode.com", true },
   { "ciat.no", false },
+  { "cibercactus.com", true },
+  { "cica.es", true },
   { "cidbot.com", true },
   { "cidersus.com.ec", true },
   { "cie-theatre-montfaucon.ch", true },
+  { "ciel.pro", true },
   { "cielbleu.org", true },
   { "cielly.com", true },
+  { "cierreperimetral.com", true },
   { "cifop-numerique.fr", true },
   { "ciftlikesintisi.com", true },
   { "cig-dem.com", true },
   { "cigar-cartel.com", true },
-  { "ciiex.co", true },
   { "cilloc.be", true },
   { "cima-idf.fr", true },
+  { "cimbalino.org", true },
   { "cimballa.com", true },
   { "cimfax.com", true },
   { "cinafilm.com", true },
-  { "cinay.pw", true },
   { "cindydudley.com", true },
   { "cine-music.de", true },
   { "cine.to", true },
   { "cinefilzonen.se", true },
+  { "cinefun.net", true },
   { "cinemarxism.com", true },
   { "cinemasetfree.com", true },
   { "cinemysticism.com", true },
@@ -7501,7 +7792,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cinq-elements.fr", true },
   { "cinq-elements.net", true },
   { "cinsects.de", true },
-  { "cintactimber.com", true },
   { "cinteo.com", true },
   { "cio-ciso-interchange.org", true },
   { "cio-cisointerchange.org", true },
@@ -7521,19 +7811,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cipria.no", true },
   { "cipy.com", true },
   { "cir.is", true },
+  { "circady.com", true },
   { "circara.com", true },
   { "circle-people.com", true },
   { "circu.ml", true },
   { "circulatedigital.com", true },
   { "circule.cc", true },
   { "ciri.com.co", true },
-  { "cirope.com", true },
   { "cirrus0.de", true },
-  { "cirugiasplasticas.com.mx", true },
-  { "cirujanooral.com", true },
   { "cirurgicagervasio.com.br", true },
   { "cirurgicalucena.com.br", true },
   { "cirurgicasalutar.com.br", true },
+  { "cirurgicavirtual.com.br", true },
+  { "cisa.gov", true },
   { "ciscodude.net", false },
   { "cisoaid.com", true },
   { "cisofy.com", true },
@@ -7542,10 +7832,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cisum-cycling.com", true },
   { "cisy.me", true },
   { "citcuit.in", true },
+  { "citfin.cz", true },
   { "cities.cl", true },
   { "citimarinestore.com", true },
+  { "citizen-cam.de", true },
   { "citizensbankal.com", true },
   { "citizenscience.gov", false },
+  { "citizenscience.org", true },
   { "citizenslasvegas.com", true },
   { "citizensleague.org", true },
   { "citizenspact.eu", true },
@@ -7557,15 +7850,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "city-walks.info", true },
   { "citya.com", true },
   { "citybeat.de", true },
+  { "citycreek.studio", true },
+  { "cityextra.com.au", true },
+  { "cityfloorsupply.com", true },
   { "citylights.eu", true },
   { "citymoobel.ee", true },
   { "cityoftitans.com", true },
-  { "cityoftitansmmo.com", true },
   { "citysportapp.com", true },
   { "cityworksonline.com", true },
   { "ciubotaru.tk", true },
   { "ciurcasdan.eu", true },
   { "civicforum.pl", true },
+  { "civilbikes.com", true },
   { "civilg20.org", true },
   { "civillines.nl", true },
   { "civiltoday.com", true },
@@ -7594,27 +7890,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cktennis.com", true },
   { "cl.search.yahoo.com", false },
   { "cl0ud.space", true },
-  { "clacetandil.com.ar", true },
   { "claimconnect.com", true },
   { "claimconnect.us", true },
   { "claimjeidee.be", true },
   { "claimnote.com", true },
   { "clairegold.com", true },
   { "clairescastles.co.uk", true },
+  { "clamofon.com", true },
   { "clanebouncycastles.com", true },
   { "clangwarnings.com", true },
   { "clanrose.org.uk", true },
-  { "clanthor.com", true },
   { "clanwarz.com", true },
   { "clarkeaward.com", true },
   { "clarkwinkelmann.com", true },
   { "clase3.tk", true },
-  { "clash-movies.de", true },
   { "clash.lol", true },
   { "class.com.au", true },
   { "classdojo.com", true },
   { "classicalpilates.ca", true },
-  { "classics.io", true },
   { "classictheatrecumbria.co.uk", true },
   { "classpoint.cz", true },
   { "classroom.google.com", true },
@@ -7622,6 +7915,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "classroomcountdown.co.nz", true },
   { "classteaching.com.au", true },
   { "classyvaper.de", true },
+  { "claster.it", true },
   { "claude-leveille.com", true },
   { "claude.tech", true },
   { "claudia-urio.com", true },
@@ -7630,6 +7924,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "clawe.de", true },
   { "clawhammer.dk", true },
   { "clayandcottonkirkwood.com", true },
+  { "claygregory.com", true },
   { "clayprints.com", true },
   { "claytonstowing.com.au", true },
   { "clazzrooms.com", true },
@@ -7649,12 +7944,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "clearblueday.co.uk", true },
   { "clearbookscdn.uk", true },
   { "clearbreezesecuritydoors.com.au", true },
+  { "clearer.cloud", true },
   { "clearip.com", true },
   { "clearkonjac.com", true },
   { "clearsettle-admin.com", true },
   { "clearvoice.com", true },
   { "clemenscompanies.com", true },
   { "clement-beaufils.fr", true },
+  { "clementfevrier.fr", true },
   { "cles-asso.fr", true },
   { "cles.jp", true },
   { "clevergod.net", true },
@@ -7669,6 +7966,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "click4web.com", true },
   { "clickclock.cc", true },
   { "clickenergy.com.au", true },
+  { "clickingmad.com", true },
   { "clickphish.com", true },
   { "clicksaveandprint.com", true },
   { "clien.net", true },
@@ -7681,8 +7979,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "climatestew.com", true },
   { "clindoeilmontagne.com", true },
   { "clingout.com", true },
-  { "clinicadam.com", false },
-  { "clinicadelogopedia.net", true },
+  { "clinicadam.com", true },
   { "clinicalrehabilitation.info", true },
   { "clinicaltrials.gov", true },
   { "clinicasmedicas.com.br", true },
@@ -7690,7 +7987,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cliniquecomplementaire.com", true },
   { "cliniquevethuy.be", true },
   { "clintonlibrary.gov", true },
-  { "clintonplasticsurgery.com", true },
   { "clipclip.com", true },
   { "clippings.com", true },
   { "clive.io", true },
@@ -7702,7 +7998,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "clockcaster.com", true },
   { "clockworksms.com", true },
   { "clod-hacking.com", true },
-  { "clojurescript.ru", true },
   { "cloppenburg-autmobil.com", true },
   { "cloppenburg-automobil.com", true },
   { "clorophilla.net", true },
@@ -7710,8 +8005,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "closelinksecurity.co.uk", true },
   { "closelinksecurity.com", true },
   { "closetemail.com", true },
-  { "cloturea.fr", true },
-  { "cloud-surfer.net", true },
+  { "cloud-surfer.net", false },
   { "cloud.bugatti", true },
   { "cloud.fail", true },
   { "cloud.google.com", true },
@@ -7720,16 +8014,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cloud9bouncycastlehire.com", true },
   { "cloudapps.digital", true },
   { "cloudbolin.es", true },
-  { "cloudbreaker.de", true },
   { "cloudbrothers.info", true },
   { "cloudcactuar.com", false },
   { "cloudcaprice.net", true },
+  { "cloudcert.org", true },
   { "cloudchart.site", true },
   { "cloudcite.net", true },
   { "cloudcloudcloud.cloud", true },
-  { "cloudconsulting.net.za", true },
-  { "cloudconsulting.org.za", true },
-  { "cloudconsulting.web.za", true },
   { "cloudcrux.net", true },
   { "cloudey.net", true },
   { "cloudfiles.at", true },
@@ -7740,6 +8031,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cloudily.com", true },
   { "cloudkeep.nl", true },
   { "cloudkit.pro", false },
+  { "cloudland.club", true },
   { "cloudlessdreams.com", true },
   { "cloudlight.biz", true },
   { "cloudnote.cc", true },
@@ -7752,7 +8044,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cloudservice.io", true },
   { "cloudservices.nz", true },
   { "cloudsign.jp", true },
-  { "cloudsocial.io", true },
   { "cloudspace-analytics.com", true },
   { "cloudspeedy.net", true },
   { "cloudspire.net", true },
@@ -7760,6 +8051,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cloudtropia.de", true },
   { "cloudtskr.com", true },
   { "cloudup.com", true },
+  { "cloudwellmarketing.com", true },
   { "clouz.de", true },
   { "cloveros.ga", true },
   { "clownindeklas.nl", true },
@@ -7787,15 +8079,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "clubempleos.com", true },
   { "clubeohara.com", true },
   { "clubfamily.de", true },
-  { "clubgalaxy.futbol", true },
+  { "clubgalaxy.futbol", false },
   { "clubiconkenosha.com", true },
   { "clubmate.rocks", true },
   { "clubmini.jp", true },
   { "clubnoetig-ink2g.de", true },
   { "clubon.space", true },
-  { "clubscannan.ie", true },
-  { "clueful.ca", true },
-  { "clush.pw", true },
   { "cluster.biz.tr", true },
   { "clusteranalyse.net", true },
   { "clusterfuck.nz", true },
@@ -7804,7 +8093,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cm.center", true },
   { "cmacacias.ch", true },
   { "cmadeangelis.it", true },
-  { "cmahy.be", true },
+  { "cmc.pt", true },
+  { "cmcelectrical.com", true },
   { "cmcressy.ch", true },
   { "cmdline.org", true },
   { "cme-colleg.de", true },
@@ -7813,6 +8103,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cmftech.com", true },
   { "cmgacheatcontrol.com", true },
   { "cmillrehab.com", true },
+  { "cmitao.com", true },
   { "cmlachapelle.ch", true },
   { "cmlancy.ch", true },
   { "cmlignon.ch", true },
@@ -7824,7 +8115,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cms-weble.jp", true },
   { "cmskeyholding.co.uk", true },
   { "cmskeyholding.com", true },
-  { "cmusical.es", true },
+  { "cmv.gr", true },
   { "cmylife.nl", true },
   { "cn.search.yahoo.com", false },
   { "cn8522.com", true },
@@ -7839,14 +8130,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cncrans.ch", true },
   { "cnet-hosting.com", true },
   { "cni-certing.it", true },
+  { "cnnet.in", true },
   { "cnre.eu", true },
   { "cnvt.fr", true },
   { "co-factor.ro", true },
   { "co-founder-stuttgart.de", true },
   { "co.search.yahoo.com", false },
-  { "co2eco.cn", true },
   { "co50.com", true },
-  { "coa.one", true },
   { "coachezmoi.ch", true },
   { "coachfederation.ro", true },
   { "coaching-impulse.ch", true },
@@ -7858,10 +8148,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "coathangastrangler.com", true },
   { "coathangerstrangla.com", true },
   { "coathangerstrangler.com", true },
-  { "coatl-industries.com", true },
+  { "coatl-industries.com", false },
+  { "coatsandcocktails.org", true },
   { "cobalt.io", true },
   { "cobaltgp.com", true },
+  { "cobaltis.co.uk", true },
   { "cobracastles.co.uk", true },
+  { "cocaine-import.agency", true },
   { "cocaine.ninja", true },
   { "cocalc.com", true },
   { "cocareonline.com", true },
@@ -7877,7 +8170,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cocoscastles.co.uk", true },
   { "cocquyt-usedcars.be", true },
   { "cocubes.com", true },
-  { "cocyou.ooo", true },
   { "coda.io", true },
   { "coda.moe", true },
   { "coda.today", true },
@@ -7886,6 +8178,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "codabix.de", true },
   { "code-golf.io", true },
   { "code-poets.co.uk", true },
+  { "code-vikings.de", true },
   { "code-well.com", true },
   { "code.facebook.com", false },
   { "code.fm", true },
@@ -7901,6 +8194,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "codeferm.com", true },
   { "codefordus.de", true },
   { "codefordus.nrw", true },
+  { "codehz.one", true },
   { "codein.ca", true },
   { "codeine.co.uk", true },
   { "codeit.guru", true },
@@ -7918,12 +8212,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "codereview.appspot.com", false },
   { "codereview.chromium.org", false },
   { "coderme.com", true },
+  { "codersbase.org", true },
   { "coderware.co.uk", true },
   { "codes.pk", true },
   { "codesplain.in", true },
   { "codesport.io", true },
   { "codespromo.be", true },
-  { "codestep.io", true },
   { "codestudies.net", true },
   { "codesyncro.com", true },
   { "codetheworld.com", true },
@@ -7942,7 +8236,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "codigo-bonus-bet.es", true },
   { "codigodelbonusbet365.com", true },
   { "codigosddd.com.br", true },
-  { "codimaker.com", true },
   { "coding-minds.com", true },
   { "coding.lv", true },
   { "coding.net", true },
@@ -7952,7 +8245,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "codingrobots.com", true },
   { "codxg.org", true },
   { "codyevanscomputer.com", true },
-  { "codymoniz.com", true },
   { "codyqx4.com", true },
   { "codyscafesb.com", true },
   { "coens.me.uk", true },
@@ -7961,7 +8253,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "coffee-mamenoki.jp", true },
   { "coffeeandteabrothers.com", true },
   { "coffeetime.fun", true },
-  { "coffeetocode.me", true },
   { "cogala.eu", true },
   { "cogent.cc", true },
   { "cogilog.com", true },
@@ -7982,10 +8273,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "coinbit.trade", true },
   { "coincealed.com", true },
   { "coinchat.im", true },
-  { "coincoele.com.br", true },
   { "coincoin.eu.org", true },
   { "coincolors.co", true },
-  { "coindatabase.net", true },
   { "coindeal.com", true },
   { "coinf.it", true },
   { "coinflux.com", true },
@@ -8005,7 +8294,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "colaborativa.tv", true },
   { "colapsys.net", true },
   { "colasjourdain.fr", true },
-  { "coldawn.com", false },
+  { "coldcardwallet.com", true },
   { "coldfff.com", false },
   { "coldhak.ca", true },
   { "coldstreamcreekfarm.com", true },
@@ -8048,7 +8337,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "collinelhossari.com", true },
   { "collinklippel.com", true },
   { "collinmbarrett.com", true },
-  { "colo-tech.com", true },
+  { "cololi.moe", true },
   { "colombian.dating", true },
   { "coloppe.com", true },
   { "coloraid.net", true },
@@ -8057,6 +8346,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "colorcodedlyrics.com", true },
   { "colorectalcompounding.com", true },
   { "colorfuldots.com", true },
+  { "colorguni.com", true },
   { "colorhexa.com", true },
   { "coloristcafe.com", true },
   { "colorsbycarin.com", true },
@@ -8064,6 +8354,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "colotimes.com", true },
   { "colourfulcastles.co.uk", true },
   { "colpacpackaging.com", true },
+  { "colpatriaws.azurewebsites.net", true },
   { "colson-occasions.be", true },
   { "coltellisurvival.com", true },
   { "coltonrb.com", true },
@@ -8071,6 +8362,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "colyakootees.com", true },
   { "com-in.de", true },
   { "comalia.com", true },
+  { "comame.xyz", true },
   { "comandofilmes.club", true },
   { "comarkinstruments.net", true },
   { "combatircelulitis.com", true },
@@ -8082,18 +8374,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "comcol.nl", true },
   { "comdurav.com", true },
   { "comeals.com", true },
+  { "comefollowme2016.com", true },
   { "comeoishii.com", true },
   { "comercialtpv.com", true },
   { "comerford.net", true },
   { "comestoarra.com", true },
   { "cometcache.com", true },
   { "cometonovascotia.ca", true },
+  { "comevius.com", true },
+  { "comevius.org", true },
+  { "comevius.xyz", true },
   { "comff.net", true },
   { "comfintouch.com", true },
   { "comflores.com.br", true },
   { "comfortmastersinsulation.com", true },
+  { "comfun.net", true },
   { "comhack.com", true },
   { "comicspornos.com", true },
+  { "comicspornow.com", true },
   { "comicspornoxxx.com", true },
   { "comicwiki.dk", true },
   { "comidasperuanas.net", true },
@@ -8114,17 +8412,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "commonspace.la", true },
   { "communityblog.fedoraproject.org", true },
   { "communitycodeofconduct.com", true },
-  { "communityflow.info", true },
   { "communitymanagertorrejon.com", true },
   { "communote.net", true },
   { "como-se-escribe.com", true },
   { "comocurarlagastritis24.online", true },
   { "comocurarlagastritistratamientonatural.com", true },
   { "comodesinflamarlashemorroides.org", true },
+  { "comodo.nl", true },
   { "comodormirmasrapido.com", true },
   { "comodosslstore.com", true },
   { "comoeliminarlaspapulasperladasenelglande.com", true },
   { "comogene.com", true },
+  { "comohacerblog.net", true },
   { "comohacerelamoraunhombrenet.com", true },
   { "comohacerpara.com", true },
   { "comoimportar.net", true },
@@ -8141,7 +8440,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "compagniemartin.com", true },
   { "comparatif-moto.fr", true },
   { "compareandrecycle.co.uk", true },
-  { "compareandrecycle.com", false },
   { "compareinsurance.com.au", true },
   { "comparesoft.com", true },
   { "comparexcloudcenter.com", true },
@@ -8154,13 +8452,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "comphare.nl", true },
   { "compibus.fr", true },
   { "compilenix.org", true },
+  { "compleetondernemen.nl", true },
   { "completefloorcoverings.com", true },
   { "completesecurityessex.co.uk", true },
   { "completesecurityessex.com", true },
   { "completionist.me", true },
   { "complexart.ro", true },
   { "complexorganizations.com", true },
-  { "complexsystems.fail", true },
   { "compliance-management.ch", true },
   { "compliance-systeme.de", true },
   { "compliancedictionary.com", true },
@@ -8168,33 +8466,36 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "compostatebien.com.ar", true },
   { "compoundingrxusa.com", true },
   { "compraneta.com", false },
+  { "compraporinternet.online", true },
+  { "comprarimpresoras-3d.com", true },
   { "comprasoffie.com.br", true },
   { "compreautomacao.com.br", true },
   { "compree.com", true },
   { "compservice.in.ua", true },
+  { "comptrollerofthecurrency.gov", true },
   { "comptu.com", true },
   { "compubench.com", true },
-  { "compucastell.ch", true },
   { "compucorner.mx", true },
   { "compunetwor.com", true },
   { "compuplast.cz", true },
   { "computehealth.com", true },
   { "computer-acquisti.com", true },
+  { "computer-menschen.de", true },
   { "computer-science-schools.com", true },
-  { "computeracademy.co.za", true },
   { "computerassistance.co.uk", true },
   { "computerbas.nl", true },
   { "computerbase.de", true },
   { "computercamaccgi.com", true },
-  { "computercraft.net", true },
   { "computeremergency.com.au", false },
+  { "computerfreunde-barmbek.de", true },
   { "computerhilfe-feucht.de", true },
   { "computernetwerkwestland.nl", true },
   { "computerslotopschool.nl", true },
   { "computersystems.guru", false },
+  { "computop.com", true },
+  { "comtily.com", true },
   { "comunidadmontepinar.es", true },
   { "comvos.de", true },
-  { "comw.cc", true },
   { "conalcorp.com", true },
   { "conatus.ai", true },
   { "conaudisa.com", false },
@@ -8204,7 +8505,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "concertsenboite.fr", true },
   { "concertsto.com", true },
   { "conciliumnotaire.ca", true },
-  { "conclinica.com.br", true },
   { "concordsoftwareleasing.com", true },
   { "concretelevelingsystems.com", true },
   { "concreterepairatlanta.com", true },
@@ -8229,12 +8529,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "conejovalleylighting.com", true },
   { "conejovalleyoutdoorlighting.com", true },
   { "conexiontransporte.com", true },
+  { "conference.dnsfor.me", true },
   { "confiancefoundation.org", true },
   { "config.schokokeks.org", false },
   { "confiwall.de", true },
   { "conformax.com.br", true },
-  { "conformist.jp", true },
-  { "confucio.cl", true },
   { "congineer.com", true },
   { "congobunkering.com", true },
   { "conju.cat", true },
@@ -8261,16 +8560,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "connorsmith.co", true },
   { "connyduck.at", true },
   { "conociendosalama.com", true },
-  { "conocimientosdigitales.com", true },
+  { "conorboyd.info", true },
   { "conory.com", true },
   { "conpath.net", true },
+  { "conpins.nl", true },
   { "conrad-kostecki.de", true },
   { "conradkostecki.de", true },
   { "conradsautotransmissionrepair.com", true },
   { "conrail.blue", true },
   { "consagracionamariasantisima.org", true },
-  { "consciousbrand.co", true },
   { "consciouschoices.net", true },
+  { "consciousnesschange.com", true },
   { "consec-systems.de", true },
   { "consegnafioridomicilio.net", true },
   { "consejosdenutricion.com", true },
@@ -8298,6 +8598,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "constructive.men", true },
   { "consul.io", true },
   { "consulenza.pro", true },
+  { "consultanta-in-afaceri.ro", true },
   { "consultation.biz.tr", true },
   { "consultimator.com", true },
   { "consultimedia.de", true },
@@ -8313,16 +8614,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "contaquanto.com.br", true },
   { "contemplativeeducation.org", true },
   { "content-api-dev.azurewebsites.net", false },
-  { "content-design.de", true },
   { "contentcoms.co.uk", true },
-  { "contentdesign.de", true },
   { "contentpass.net", true },
   { "contessa32experience.com", true },
   { "contextplatform.com", true },
   { "conti-profitlink.co.uk", true },
   { "continuum.memorial", true },
   { "contrabass.net", true },
-  { "contractdigital.co.uk", true },
   { "contractormountain.com", true },
   { "contractwriters.com", true },
   { "contraspin.co.nz", true },
@@ -8341,7 +8639,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "conversiones.com", true },
   { "conversionsciences.com", true },
   { "convert.im", true },
-  { "convert.zone", true },
   { "converticacommerce.com", false },
   { "convexset.org", true },
   { "convocatoriafundacionpepsicomexico.org", false },
@@ -8375,19 +8672,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "coolerssr.space", true },
   { "coolgifs.de", true },
   { "coolprylar.se", true },
-  { "coolviewthermostat.com", true },
   { "coolwallet.io", true },
   { "coonawarrawines.com.au", true },
   { "coopens.com", true },
-  { "cooperativehandmade.com", true },
-  { "cooperativehandmade.pe", true },
   { "coor.fun", true },
   { "coore.jp", true },
   { "coorpacademy.com", true },
   { "copdfoundation.org", true },
   { "copinstant.com", true },
   { "copperandtileroofing.com", true },
-  { "copperhead.co", true },
   { "copperheados.com", true },
   { "coppermein.co.za", true },
   { "copplaw.com", true },
@@ -8423,7 +8716,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "coresolutions.ca", true },
   { "coreum.ca", true },
   { "coreyjmahler.com", true },
-  { "corgi.party", true },
   { "coribi.com", true },
   { "corinastefan.ro", true },
   { "corintech.net", true },
@@ -8441,11 +8733,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "corona-academy.com", true },
   { "corona-renderer.cloud", true },
   { "corona-renderer.com", true },
+  { "coropiacere.org", true },
   { "corourbano.es", true },
   { "corpfin.net", true },
   { "corpio.nl", true },
   { "corpkitnw.com", true },
   { "corpoflow.nl", true },
+  { "corporacioninternacionallideres.org", true },
   { "corporateclash.net", true },
   { "corporatecomputingsolutions.com", true },
   { "corporateinfluencers.com", true },
@@ -8458,10 +8752,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "corpuschristisouthriver.org", true },
   { "corpusslayer.com", true },
   { "corrbee.com", true },
+  { "correct.cf", true },
+  { "correcthorse.cf", true },
   { "correctiv.org", true },
   { "corrick.io", true },
   { "corrupted.io", true },
   { "corsa-b.uk", true },
+  { "corscanplus.com", true },
   { "corsectra.com", true },
   { "corsihaccpsicurezzalavoro.it", true },
   { "cortexitrecruitment.com", true },
@@ -8472,7 +8769,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "corvus.eu.org", true },
   { "coryadum.com", true },
   { "corytyburski.com", true },
-  { "corzntin.fr", false },
   { "cosasque.com", true },
   { "cosciamoos.com", true },
   { "cosirex.com", true },
@@ -8482,19 +8778,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cosmeticappraisal.com", true },
   { "cosmeticasimple.com", true },
   { "cosmeticos-naturales.com", true },
-  { "cosmeticosdelivery.com.br", true },
   { "cosmicnavigator.com", true },
+  { "cosmintataru.ro", true },
   { "cosmodacollection.com", true },
   { "cosmofunnel.com", true },
   { "cosmundi.de", true },
-  { "cosni.co", true },
   { "cosplayer.com", true },
   { "cospol.ch", true },
-  { "costa-rica-reisen.ch", true },
   { "costa-rica-reisen.de", true },
   { "costablanca.villas", true },
   { "costablancavoorjou.com", true },
-  { "costcofinance.com", true },
   { "costcoinsider.com", true },
   { "costellofc.co.uk", true },
   { "costinstefan.eu", true },
@@ -8506,7 +8799,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cotta.dk", true },
   { "cotwe-ge.ch", true },
   { "cougar.dating", true },
-  { "counsellingtime.co.uk", true },
   { "counsellingtime.com", true },
   { "counstellor.com", true },
   { "counter-team.ch", true },
@@ -8517,6 +8809,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "countersolutions.co.uk", true },
   { "countetime.com", true },
   { "countingto.one", true },
+  { "country-creativ.de", true },
   { "countryattire.com", true },
   { "countrybrewer.com.au", true },
   { "countryfrog.uk", true },
@@ -8524,18 +8817,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "countybankdel.com", true },
   { "countyjailinmatesearch.com", true },
   { "coupe-bordure.com", true },
+  { "couplay.org", true },
   { "couponcodesme.com", true },
   { "cour4g3.me", true },
   { "couragefound.org", true },
+  { "coursables.com", true },
   { "coursera.org", true },
   { "courtlistener.com", true },
   { "couscous.recipes", true },
   { "cousincouples.com", false },
   { "coussinsky.net", true },
   { "couvreur-hinault.fr", true },
-  { "covaci.pro", true },
   { "covbounce.co.uk", true },
-  { "covenantmatrix.com", true },
   { "covenantoftheriver.org", true },
   { "covermytrip.com.au", true },
   { "covershousing.nl", true },
@@ -8547,18 +8840,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cowboyim.com", true },
   { "coweo.cz", true },
   { "cowo.group", true },
+  { "coworking-luzern.ch", true },
   { "coxcapitalmanagement.com", true },
   { "coxxs.me", true },
   { "coxxs.moe", true },
   { "cozo.me", true },
   { "cozyeggdesigns.com", true },
   { "cp-st-martin.be", true },
-  { "cpahunt.com", false },
+  { "cpap.com", true },
   { "cpasperdu.com", true },
   { "cpbapremiocaduceo.com.ar", true },
   { "cpcheats.co", true },
   { "cpd-education.co.uk", true },
   { "cpe-colleg.de", true },
+  { "cpgarmor.com", true },
   { "cphpvb.net", true },
   { "cplala.com", true },
   { "cplus.me", true },
@@ -8569,6 +8864,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cprheartcenter.com", true },
   { "cprnearme.com", true },
   { "cpsc.gov", true },
+  { "cpsq.fr", true },
   { "cptoon.com", true },
   { "cpu.biz.tr", true },
   { "cpvmatch.eu", true },
@@ -8582,14 +8878,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "craazzyman21.at", true },
   { "crackcat.de", true },
   { "cracker.in.th", true },
+  { "crackers4cheese.com", true },
   { "crackle.io", true },
   { "crackorsquad.in", true },
+  { "crackslut.eu", true },
   { "crackstation.net", true },
   { "cradlepointecm.com", true },
   { "craft-verlag.de", true },
   { "craftandbuild.de", true },
   { "craftcommerce.com", true },
-  { "craftinghand.com", true },
+  { "craftinghand.com", false },
   { "craftinginredlipstick.com", true },
   { "craftist.de", true },
   { "craftsmandruggets.com", true },
@@ -8597,7 +8895,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "craftyguy.net", true },
   { "craftyphotons.net", true },
   { "crag.com.tw", true },
-  { "craigary.net", true },
   { "craigbates.co.uk", true },
   { "craigfrancis.co.uk", true },
   { "craigleclaireteam.com", true },
@@ -8619,6 +8916,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crazy-bulks.com", true },
   { "crazy-cat.net", true },
   { "crazy-coders.com", true },
+  { "crazybulk.co.uk", true },
+  { "crazybulk.com", true },
+  { "crazybulk.de", true },
+  { "crazybulk.fr", true },
   { "crazycastles.ie", true },
   { "crazydomains.ae", true },
   { "crazydomains.co.nz", true },
@@ -8639,12 +8940,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crealogix-online.com", true },
   { "creamcastles.co.uk", true },
   { "creared.edu.co", true },
-  { "create-together.nl", true },
+  { "createcos.com", true },
   { "createme.com.pl", true },
   { "createursdefilms.com", true },
   { "creatieven.com", true },
   { "creation-contemporaine.com", true },
-  { "creations-edita.com", true },
   { "creative-wave.fr", true },
   { "creativebites.de", true },
   { "creativecaptiv.es", true },
@@ -8652,17 +8952,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "creativecommons.org", true },
   { "creativeconceptsvernon.com", true },
   { "creativedigital.co.nz", true },
+  { "creativefolks.co.uk", true },
   { "creativefreedom.ca", true },
   { "creativeglassgifts.com.au", true },
+  { "creativeground.com.au", true },
+  { "creativeimagery.com.au", true },
   { "creativeink.de", true },
   { "creativekkids.com", true },
   { "creativelaw.eu", true },
   { "creativeliquid.com", true },
+  { "creativerezults.com", true },
   { "creativesprite.com", true },
   { "creativesurvey.com", true },
   { "creativeweb.biz", true },
   { "creativewolf.net", true },
-  { "creativlabor.ch", true },
+  { "creativosonline.org", true },
   { "creatixx-network.de", false },
   { "creators-design.com", true },
   { "creators.direct", true },
@@ -8673,15 +8977,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crediteo.pl", true },
   { "creditkarma.com", true },
   { "creditos-rapidos.com", true },
+  { "creditozen.es", true },
+  { "creditozen.mx", true },
   { "creditproautos.com", false },
   { "creditscoretalk.com", true },
   { "creditta.com", true },
   { "credittoken.io", true },
   { "creeks-coworking.com", true },
   { "creep.im", true },
-  { "creepycraft.nl", true },
   { "creepypastas.com", true },
   { "creepypastas.net", true },
+  { "creer-une-boutique-en-ligne.com", true },
   { "creerunsitepro.com", true },
   { "crefelder.com", true },
   { "crem.in", false },
@@ -8694,13 +9000,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cretdupuy.com", true },
   { "creteangle.com", true },
   { "cretica.no", true },
-  { "creusalp.ch", true },
   { "crew505.org", true },
   { "crgalvin.com", true },
   { "crgm.net", true },
-  { "criadorespet.com.br", true },
   { "cribcore.com", true },
-  { "crickey.eu", true },
   { "criena.com", true },
   { "criena.net", true },
   { "crimefreeliving.com", true },
@@ -8708,9 +9011,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crimevictims.gov", true },
   { "criminal-attorney.ru", true },
   { "criminal.enterprises", true },
-  { "crimson.no", true },
   { "crinesdanzantes.be", true },
   { "criptolog.com", true },
+  { "criscitos.it", true },
   { "crisisactual.com", true },
   { "crisisnextdoor.gov", true },
   { "crisp.chat", true },
@@ -8721,8 +9024,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crispinusphotography.com", true },
   { "cristarta.com", true },
   { "cristau.org", true },
-  { "cristiandeluxe.com", false },
-  { "critcola.com", true },
   { "critical.today", false },
   { "criticalsurveys.co.uk", true },
   { "crizin.io", true },
@@ -8731,13 +9032,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crochetnerd.com", true },
   { "croisedanslemetro.com", true },
   { "croixblanche-haguenau.fr", true },
-  { "cronberg.ch", true },
+  { "cromefire.myds.me", true },
   { "croncron.io", true },
   { "cronix.cc", true },
   { "cronologie.de", true },
   { "cronometer.com", true },
+  { "cronoscentral.be", true },
   { "cropdiagnosis.com", true },
-  { "croquette.net", true },
   { "crosbug.com", true },
   { "crose.co.uk", true },
   { "cross-led-sign.com", true },
@@ -8760,6 +9061,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crowdliminal.com", true },
   { "crowdsim3d.com", true },
   { "crowdsupply.com", true },
+  { "crownaffairs.ch", true },
   { "crowncastles.co.uk", true },
   { "crownchessclub.com", true },
   { "crownmarqueehire.co.uk", true },
@@ -8771,7 +9073,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crsmsodry.cz", true },
   { "crstat.ru", true },
   { "crt.cloud", true },
-  { "crt.sh", true },
+  { "crt2014-2024review.gov", true },
+  { "cruisemoab.com", true },
   { "crumbcontrol.com", true },
   { "crunchrapps.com", true },
   { "crunchy.rocks", true },
@@ -8779,6 +9082,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "crute.me", true },
   { "crvv.me", true },
   { "cry.nu", false },
+  { "cryogenix.net", true },
   { "cryoit.com", true },
   { "cryothanasia.com", true },
   { "cryp.no", true },
@@ -8800,6 +9104,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cryptography.ch", true },
   { "cryptography.io", true },
   { "cryptoguidemap.com", true },
+  { "cryptoisnotacrime.org", true },
   { "cryptojacks.io", true },
   { "cryptojourney.com", true },
   { "cryptolinc.com", true },
@@ -8807,7 +9112,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cryptolosophy.io", true },
   { "cryptolosophy.org", true },
   { "cryptomaniaks.com", true },
-  { "cryptonom.org", true },
   { "cryptonym.com", true },
   { "cryptoparty.at", true },
   { "cryptoparty.tv", true },
@@ -8820,16 +9124,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cryptract.co", true },
   { "crys.cloud", true },
   { "crys.hu", true },
+  { "crystal-zone.com", true },
   { "crystalapp.ca", true },
   { "crystalchandelierservices.com", true },
   { "crystalgrid.net", true },
-  { "crystallizedcouture.com", true },
   { "crystaloscillat.com", true },
+  { "crystalzoneshop.com", true },
   { "crystone.me", true },
   { "cryz.ru", true },
   { "cs2016.ch", true },
   { "csabg.org", true },
-  { "csbgtribalta.com", true },
+  { "csacongress.org", true },
   { "csbs.fr", true },
   { "csbuilder.io", true },
   { "csca.me", true },
@@ -8838,9 +9143,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "csfcloud.com", true },
   { "csfd.cz", true },
   { "csfm.com", true },
+  { "csgo.design", true },
   { "csgo.su", false },
   { "csgoswap.com", true },
   { "csharpmarc.net", true },
+  { "cshub.nl", true },
   { "csi.lk", true },
   { "csinterstargeneve.ch", true },
   { "cskentertainment.co.uk", true },
@@ -8855,10 +9162,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "css.net", true },
   { "cssai.eu", true },
   { "cssaunion.com", true },
+  { "cstanley.net", true },
   { "cstb.ch", true },
   { "cstp-marketing.com", true },
   { "cstrong.nl", true },
   { "csu.st", true },
+  { "csust.ac.cn", true },
   { "csuw.net", true },
   { "csvalpha.nl", true },
   { "ct.search.yahoo.com", false },
@@ -8866,7 +9175,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ctcom-peru.com", true },
   { "ctcue.com", true },
   { "ctf.link", true },
-  { "cthulhuden.com", true },
   { "ctj.im", true },
   { "ctkwwri.org", true },
   { "ctl.email", true },
@@ -8875,19 +9183,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ctnguyen.net", true },
   { "ctns.de", true },
   { "ctoforhire.com.au", true },
-  { "ctomp.io", true },
+  { "ctomp.io", false },
   { "ctoresms.com", true },
   { "ctpe.net", true },
+  { "ctr.id", true },
+  { "ctrl.blog", true },
   { "ctrld.me", true },
   { "cu247secure.ie", true },
   { "cub-bouncingcastles.co.uk", true },
   { "cube-cloud.com", true },
+  { "cube.builders", true },
   { "cube.de", true },
   { "cubebot.io", true },
   { "cubebuilders.net", true },
   { "cubecart-demo.co.uk", true },
   { "cubecart-hosting.co.uk", true },
   { "cubecraft.net", true },
+  { "cubecraftcdn.com", true },
   { "cubekrowd.net", true },
   { "cubetech.co.jp", true },
   { "cubia.de", true },
@@ -8913,17 +9225,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cultivo.bio", true },
   { "cultofd50.org", true },
   { "cultofperf.org.uk", true },
+  { "cultura10.com", true },
   { "culture-school.top", true },
   { "culturedcode.com", true },
   { "culturerain.com", true },
   { "culturesouthwest.org.uk", true },
   { "cumberlandrivertales.com", true },
+  { "cumparama.com", true },
   { "cumplegenial.com", true },
   { "cuoc.org.uk", true },
   { "cup.al", true },
   { "cupcakesandcrinoline.com", true },
   { "cupcao.gov", true },
-  { "cupi.co", true },
   { "cupom.net", true },
   { "cuppycakes.fi", true },
   { "cur.by", true },
@@ -8962,6 +9275,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "curveprotect.org", true },
   { "curvesandwords.com", true },
   { "curvissa.co.uk", true },
+  { "curvylove.de", true },
   { "custodyxchange.com", true },
   { "custombikes.cl", true },
   { "customdissertation.com", true },
@@ -8972,8 +9286,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "customizeyoursink.com", true },
   { "customwritingservice.com", true },
   { "customwritten.com", true },
-  { "cutephil.com", true },
-  { "cutimbo.com", true },
   { "cutimbo.ovh", true },
   { "cutner.co", true },
   { "cuvva.co", true },
@@ -8998,14 +9310,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cvl.ch", true },
   { "cvlibrary.co.uk", true },
   { "cvmu.jp", true },
-  { "cvninja.pl", true },
   { "cvr.dk", true },
   { "cvursache.com", true },
+  { "cvv.cn", true },
   { "cw.center", true },
   { "cwagner.me", true },
   { "cwarren.org", true },
   { "cwbrtrust.ca", true },
   { "cwgaming.co.uk", true },
+  { "cwinfo.fi", true },
   { "cwmart.in", true },
   { "cwrau.com", true },
   { "cwrau.de", true },
@@ -9022,6 +9335,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cyber.je", true },
   { "cyberatlantis.com", true },
   { "cybercareers.gov", true },
+  { "cybercloud.cc", true },
   { "cybercocoon.com", true },
   { "cybercrew.cc", true },
   { "cybercrime-forschung.de", true },
@@ -9029,22 +9343,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cyberdos.de", false },
   { "cyberduck.io", true },
   { "cyberexplained.info", true },
+  { "cybergates.org", true },
   { "cybergrx.com", true },
   { "cyberguerrilla.info", true },
   { "cyberguerrilla.org", true },
+  { "cyberhipsters.nl", true },
   { "cyberianhusky.com", true },
   { "cyberkov.com", true },
   { "cyberlab.kiev.ua", false },
+  { "cyberlegal.co", true },
   { "cyberlightapp.com", true },
   { "cybermeldpunt.nl", true },
   { "cyberogism.com", true },
   { "cyberoptic.de", true },
-  { "cyberphaze.com", true },
   { "cyberpioneer.net", false },
   { "cyberpubonline.com", true },
   { "cyberregister.nl", true },
   { "cyberregister.org", true },
   { "cybersafesolutions.com", true },
+  { "cybersantri.com", true },
   { "cyberscan.io", true },
   { "cybersecurity.nz", true },
   { "cybersecurity.run", true },
@@ -9057,6 +9374,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cyberspect.com", true },
   { "cyberspect.io", true },
   { "cyberstatus.de", true },
+  { "cybertorsk.org", true },
   { "cybertu.be", true },
   { "cyberwars.dk", true },
   { "cyberwire.nl", true },
@@ -9080,11 +9398,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cygnius.net", true },
   { "cyhour.com", true },
   { "cykelbanor.se", true },
+  { "cyl6.com", true },
   { "cylindehea.com", true },
   { "cylindricity.com", true },
   { "cyon.ch", true },
-  { "cypad.cn", true },
-  { "cype.dedyn.io", true },
   { "cyph.audio", true },
   { "cyph.com", true },
   { "cyph.healthcare", true },
@@ -9093,21 +9410,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "cyph.me", true },
   { "cyph.video", true },
   { "cyph.ws", true },
+  { "cypherpunk.at", true },
+  { "cypherpunk.com", true },
   { "cypherpunk.observer", true },
+  { "cypressinheritancesaga.com", true },
   { "cypresslegacy.com", true },
   { "cyprus-company-service.com", true },
   { "cyrating.com", true },
   { "cysec.biz", true },
+  { "cysmo.de", true },
   { "cyson.tech", true },
   { "cytech.com.tr", true },
   { "cytegic-update-packages.com", true },
+  { "cytotecforsale.com", true },
   { "cyumus.com", true },
-  { "cyyzaid.cn", false },
   { "czakey.net", true },
   { "czbix.com", true },
   { "czbtm.com", true },
   { "czc.cz", true },
-  { "czechamlp.com", true },
   { "czechcrystals.co.uk", true },
   { "czechvirus.cz", true },
   { "czerno.com", true },
@@ -9121,6 +9441,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "d-parts.de", true },
   { "d-parts24.de", true },
   { "d-quantum.com", true },
+  { "d-toys.com.ua", true },
   { "d-training.de", true },
   { "d.nf", true },
   { "d.nr", true },
@@ -9128,21 +9449,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "d0g.cc", true },
   { "d0m41n.name", true },
   { "d0xq.com", true },
+  { "d2.gg", true },
   { "d2ph.com", true },
   { "d2s.uk", true },
   { "d3lab.net", true },
   { "d3xt3r01.tk", true },
   { "d3xx3r.de", true },
   { "d42.no", true },
+  { "d4done.com", true },
+  { "d4rkdeagle.tk", true },
   { "d4wson.com", true },
   { "d4x.de", true },
   { "d66.nl", true },
   { "d6c5yfulmsbv6.cloudfront.net", true },
   { "d8.io", true },
-  { "d88688.com", true },
-  { "d88871.com", true },
   { "d88988.com", true },
-  { "da-ist-kunst.de", true },
   { "da42foripad.com", true },
   { "daallexx.eu", true },
   { "dabasstacija.lv", true },
@@ -9162,7 +9483,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dadrian.io", true },
   { "daduke.org", true },
   { "daemen.org", true },
-  { "daemon.xin", true },
   { "daemwool.ch", true },
   { "daevel.fr", true },
   { "dafnik.me", true },
@@ -9172,6 +9492,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dag-konsult.com", true },
   { "dagensannonser.se", true },
   { "dagmar2018.cz", true },
+  { "dahlberg.cologne", true },
   { "dai.top", true },
   { "daigakujuken-plus.com", true },
   { "daikoz.com", true },
@@ -9182,6 +9503,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dailyhealthguard.com", true },
   { "dailykos.com", true },
   { "dailyrover.com", true },
+  { "dailyroverr.com", true },
   { "dailyxenang.com", true },
   { "daintymeal.com", true },
   { "dairyshrine.org", true },
@@ -9199,7 +9521,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dalaran.city", true },
   { "dalb.in", true },
   { "dale-electric.com", true },
-  { "dalepresencia.com", true },
+  { "dalek.co.nz", true },
   { "dalfsennet.nl", true },
   { "dalingk.com", true },
   { "dallaslu.com", true },
@@ -9208,12 +9530,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dalmatiersheusden.be", true },
   { "damaged.org", true },
   { "damasexpress.com", true },
-  { "damedrogy.cz", true },
+  { "damejidlo.cz", true },
+  { "dameocio.com", true },
   { "damghaem.ir", true },
+  { "damicris.ro", true },
   { "damienoreilly.org", true },
-  { "damienpontifex.com", false },
   { "daminiphysio.ca", true },
   { "damip.net", true },
+  { "damirsystems.com", true },
   { "dammekens.be", true },
   { "damngoodpepper.com", false },
   { "damongant.de", true },
@@ -9230,9 +9554,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dance-colleges.com", true },
   { "danchen.org", true },
   { "dancingcubs.co.uk", true },
-  { "dancingshiva.at", true },
   { "dandenongroadapartments.com.au", true },
   { "daneandthepain.com", true },
+  { "dangmai.tk", true },
   { "dangr.zone", true },
   { "danhalliday.com", true },
   { "danholloway.online", true },
@@ -9247,23 +9571,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "danielehniss.de", true },
   { "danielepestilli.com", true },
   { "danielgorr.de", true },
+  { "danielgray.email", true },
   { "danielheal.net", true },
   { "danielhinterlechner.eu", true },
   { "danielhochleitner.de", true },
   { "danieljamesscott.org", true },
-  { "danieljireh.com", true },
   { "danieljstevens.com", true },
   { "danielkoster.nl", true },
   { "daniellockyer.com", true },
-  { "danielmarquard.com", false },
   { "danielmartin.de", true },
   { "danielmoch.com", true },
   { "danielmorell.com", true },
   { "danielmostertman.com", true },
   { "danielmostertman.nl", true },
+  { "danieln.tech", true },
   { "danielnaaman.com", true },
-  { "danielnaaman.net", true },
-  { "danielnaaman.org", true },
+  { "danielparker.com.au", true },
   { "danielpeukert.cz", true },
   { "danielran.com", true },
   { "danielrozenberg.com", true },
@@ -9290,6 +9613,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "danminkevitch.com", true },
   { "danna-salary.com", true },
   { "dannhanks.com", true },
+  { "dannicholas.net", true },
   { "danny-tittel.de", true },
   { "danny.fm", true },
   { "dannycairns.com", true },
@@ -9297,7 +9621,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dannystevens.co.uk", true },
   { "danonsecurity.com", true },
   { "danotage.tv", true },
-  { "danoz.net", true },
   { "danpiel.net", true },
   { "dansa.com.co", true },
   { "dansage.co", true },
@@ -9321,6 +9644,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dao.spb.su", true },
   { "daoro.net", true },
   { "daphne.informatik.uni-freiburg.de", true },
+  { "dapim.co.il", true },
   { "daplie.com", true },
   { "dapps.earth", true },
   { "dappworld.com", true },
@@ -9349,7 +9673,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "darkengine.net", true },
   { "darkerlystormy.com", true },
   { "darkerstormy.com", true },
+  { "darkestproductions.net", true },
   { "darkeststar.org", true },
+  { "darkfire.ch", true },
   { "darklaunch.com", true },
   { "darknessflickers.com", true },
   { "darknetlive.com", true },
@@ -9365,6 +9691,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "darkwater.info", true },
   { "darkwebnews.com", true },
   { "darkx.me", true },
+  { "darmgesundheit.ch", true },
   { "darom.jp", true },
   { "darookee.net", false },
   { "daropia.org", true },
@@ -9377,13 +9704,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "darwinkel.net", true },
   { "darwinsearch.org", true },
   { "daryl.moe", true },
+  { "darylcrouse.com", true },
   { "darylcumbo.net", true },
   { "das-forum24.de", true },
   { "das-mediale-haus.de", true },
   { "das-sommercamp.de", true },
   { "dasgeestig.nl", true },
   { "dashboard.run", true },
-  { "dashlane.com", true },
+  { "dashcloud.co", true },
   { "dashnearby.com", true },
   { "dashwebconsulting.com", true },
   { "dasignsource.com", true },
@@ -9394,35 +9722,41 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "data-wing.ga", true },
   { "data.gov", true },
   { "data.govt.nz", true },
-  { "data.world", true },
   { "data3w.nl", true },
   { "databionix.com", true },
   { "databutlr.com", true },
   { "databutlr.net", true },
   { "datacalle.com", true },
   { "datacandy.com", true },
-  { "datacool.tk", true },
   { "datadit.hu", true },
   { "datadyne.technology", true },
+  { "datafd.com", true },
+  { "datafd.net", true },
   { "dataformers.at", true },
   { "datagrail.io", true },
   { "dataguidance.com", true },
   { "dataharvest.at", true },
+  { "datahive360.com", true },
+  { "datahjalp.nu", true },
   { "datahoarder.xyz", true },
   { "datajobs.ai", true },
   { "datakick.org", true },
   { "datalife.gr", true },
   { "datalysis.ch", true },
+  { "dataprivacysolution.com", true },
   { "dataprotectionadvisors.com", true },
+  { "datapun.ch", true },
   { "datapure.net", true },
   { "dataregister.info", true },
   { "datascience.cafe", true },
   { "datascience.ch", true },
-  { "datascomemorativas.com.br", true },
   { "dataskydd.net", true },
   { "dataspace.pl", true },
+  { "datasupport-stockholm.se", true },
+  { "datasupport.one", true },
   { "dataswamp.org", true },
   { "datatekniikka.fi", false },
+  { "datatekniker.nu", true },
   { "datateknologsektionen.se", false },
   { "datatree.nl", true },
   { "datatruckers.com", true },
@@ -9443,6 +9777,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "datewon.net", false },
   { "datingticino.ch", true },
   { "datmancrm.com", true },
+  { "dator-test.se", true },
+  { "datorhjalp-stockholm.se", true },
+  { "datorhjalptaby.se", true },
+  { "datorservice-stockholm.se", true },
   { "datovyaudit.cz", true },
   { "datumou-osusume.com", true },
   { "datumou-recipe.com", true },
@@ -9456,6 +9794,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "daveoc64.co.uk", true },
   { "davepage.me.uk", true },
   { "davepearce.com", true },
+  { "davepermen.net", true },
   { "davescomputertips.com", true },
   { "davesharpe.com", true },
   { "davesinclair.com.au", true },
@@ -9463,6 +9802,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "davevelopment.net", true },
   { "davewardle.com", true },
   { "david-corry.com", true },
+  { "david-hinschberger.me", true },
   { "david-jeffery.co.uk", true },
   { "david-pearce.com", true },
   { "david-reess.de", true },
@@ -9515,16 +9855,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dawson-floridavilla.co.uk", true },
   { "day-peak.com", true },
   { "daycontactlens.com", true },
+  { "daydream.team", true },
   { "daylight-dream.ee", true },
   { "daylightpirates.org", true },
-  { "dayman.net", false },
+  { "dayman.net", true },
   { "daymprove.life", true },
   { "dayofdays.be", true },
   { "daysoftheyear.com", true },
   { "db-works.nl", true },
+  { "db.ci", true },
   { "dbapress.org", true },
   { "dbaron.org", true },
   { "dbas.cz", true },
+  { "dbcom.ru", true },
   { "dbdc.us", true },
   { "dbentertainment.co.uk", true },
   { "dbgamestudio.com", true },
@@ -9533,6 +9876,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dbldub.net", true },
   { "dbmiller.org", true },
   { "dbmteam.com", true },
+  { "dbmxpca.com", true },
   { "dborcard.com", true },
   { "dbpkg.com", true },
   { "dbq.com", true },
@@ -9557,14 +9901,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dchest.org", true },
   { "dckd.nl", true },
   { "dclaisse.fr", true },
+  { "dcmediahosting.com", true },
   { "dcmt.co", true },
   { "dcpower.eu", true },
   { "dcrdev.com", true },
+  { "dcw.io", true },
+  { "ddatsh.com", true },
   { "ddays2008.org", true },
   { "ddel.de", true },
   { "dden.ca", true },
   { "ddepot.us", true },
-  { "ddholdingservices.com", true },
   { "ddhosted.com", true },
   { "ddns-test.de", true },
   { "ddnsweb.com", true },
@@ -9582,7 +9928,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "de.search.yahoo.com", false },
   { "deadbeef.ninja", true },
   { "deadc0de.re", true },
-  { "deadinsi.de", true },
+  { "deadinsi.de", false },
   { "deaf.dating", true },
   { "deaf.eu.org", true },
   { "dealapp.nl", true },
@@ -9624,8 +9970,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "debarrasnanterre.com", true },
   { "debbyefurd.com", true },
   { "debie-usedcars.be", true },
-  { "debigare.com", true },
-  { "debkleinteam.com", true },
+  { "debora-singkreis.de", true },
   { "debron-ot.nl", true },
   { "debrusoft.ch", true },
   { "debt.com", true },
@@ -9635,12 +9980,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "decaffeinated.io", true },
   { "decalquai.ch", true },
   { "decay24.de", true },
+  { "decfun.com", true },
   { "dechat.nl", true },
   { "decher.de", true },
   { "decidetreatment.org", true },
   { "decis.fr", true },
   { "decisivetactics.com", true },
   { "deckbuilderamerica.com", true },
+  { "declivitas.com", true },
   { "decoating.pl", true },
   { "decock-usedcars.be", true },
   { "decodeanddestroy.com", true },
@@ -9655,9 +10002,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "decorestilo.com.br", true },
   { "decosoftware.com", true },
   { "decrousaz-ceramique.ch", true },
+  { "decrypto.net", true },
   { "decs.es", true },
-  { "decstasy.de", true },
-  { "dede.ml", true },
   { "dedelta.net", true },
   { "dedg3.com", true },
   { "dedge.org", true },
@@ -9672,8 +10018,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deejayevents.ro", true },
   { "deelmijnreis.nl", true },
   { "deep-chess.com", true },
-  { "deep.club", true },
-  { "deepaero.com", true },
   { "deeparamaraj.com", true },
   { "deepbluecrafting.co.uk", true },
   { "deepblueemail.com", true },
@@ -9682,7 +10026,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deephill.com", true },
   { "deepinsight.io", true },
   { "deeployr.io", true },
+  { "deeps.me", true },
   { "deepserve.info", true },
+  { "deepsouthsounds.com", true },
   { "deepspace.dedyn.io", true },
   { "deepwealth.institute", true },
   { "deepz.pt", true },
@@ -9696,6 +10042,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "defendinnovation.org", true },
   { "defendtheweb.co.uk", true },
   { "defero.io", true },
+  { "define-atheism.com", true },
+  { "define-atheist.com", true },
+  { "defineatheism.com", true },
+  { "defineatheist.com", true },
   { "deflect.ca", true },
   { "deflumeri.com", true },
   { "deflumeriker.com", true },
@@ -9704,6 +10054,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "defont.nl", true },
   { "defrax.com", true },
   { "defrax.de", true },
+  { "defreitas.no", true },
   { "deftek.com", true },
   { "deftig-und-fein.de", true },
   { "deftnerd.com", true },
@@ -9719,23 +10070,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "degracetechnologie.com", true },
   { "degressif.com", true },
   { "dehopre.com", true },
-  { "dehydrated.de", true },
   { "deidee.nl", true },
   { "deinballon.de", true },
   { "deinewebsite.de", true },
   { "deinfoto.ch", true },
   { "deinserverhost.de", true },
   { "deitti.net", true },
-  { "dejan.media", true },
   { "dejandayoff.com", true },
   { "dejure.org", true },
   { "dejw.cz", true },
+  { "dekasegi-kansai.com", true },
   { "dekasiba.com", true },
   { "dekeurslagers.nl", true },
   { "dekka.cz", true },
   { "dekkercreativedesign.nl", true },
   { "dekko.io", true },
-  { "dekoh-shouyu.com", true },
   { "dekonix.ru", true },
   { "dekulk.nl", true },
   { "delahrzolder.nl", true },
@@ -9752,7 +10101,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deliciousmedia.net", true },
   { "delicioustable.com", true },
   { "delid.cz", true },
-  { "delitto.top", true },
   { "delivery.co.at", true },
   { "deliveryiquique.cl", true },
   { "dellipaoli.com", true },
@@ -9766,10 +10114,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deltaacademy.org", true },
   { "deltadata.ch", true },
   { "deltafinanceiro.com.br", true },
+  { "deltanio.nl", true },
   { "deltaonlineguards.com", true },
   { "deltaservers.com.br", true },
   { "deltasigmachi.org", true },
-  { "deltasmart.ch", true },
   { "deltava.org", true },
   { "demarle.ch", true },
   { "dementiapraecox.de", true },
@@ -9792,22 +10140,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dempsters.ca", false },
   { "demuzere.be", true },
   { "demuzere.com", true },
-  { "demuzere.eu", true },
   { "demuzere.net", true },
   { "demuzere.org", true },
   { "denabot.pw", true },
   { "denaehula.com", true },
   { "denardbrewing.com", true },
   { "denbkh.ru", true },
-  { "dengchangdong.com", true },
   { "dengode.eu", true },
-  { "denimio.com", true },
   { "denimtoday.com", true },
   { "denis-martinez.photos", true },
   { "denisewakeman.com", true },
   { "denistruffaut.fr", false },
   { "deniszczuk.pl", true },
   { "denizdesign.co.uk", true },
+  { "denkubator.de", true },
   { "dennisang.com", true },
   { "dennisdoes.net", false },
   { "denniskoot.nl", true },
@@ -9818,17 +10164,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dent.uy", true },
   { "dental-colleges.com", true },
   { "dentallaborgeraeteservice.de", true },
+  { "dentechnica.co.uk", true },
   { "dentfix.ro", false },
   { "dentistesdarveauetrioux.com", true },
   { "dentistglasgow.com", true },
   { "dentrassi.de", true },
   { "dentystabirmingham.co.uk", true },
+  { "denvergospelhall.org", true },
   { "denwauranailab.com", true },
+  { "deonlinespecialist.nl", true },
   { "deontology.com", true },
   { "depaddestoeltjes.be", true },
   { "depannage-traceur.fr", true },
   { "deparis.me", true },
+  { "depeces.com", true },
   { "depechemode-live.com", true },
+  { "depedncr.com", true },
+  { "depedtalks.com", true },
   { "depicus.com", true },
   { "depone.net", true },
   { "depot-leipzig.de", true },
@@ -9850,6 +10202,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "derattizzazioni.org", true },
   { "derbuntering.de", true },
   { "derbybouncycastles.com", true },
+  { "derbyware.com", true },
   { "derdewereldrommelmarkt.nl", true },
   { "derechosdigitales.org", true },
   { "dereddingsklos.nl", true },
@@ -9857,8 +10210,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "derehamcastles.co.uk", true },
   { "derekheld.com", true },
   { "derekkent.com", true },
+  { "derekseaman.com", true },
+  { "derekseaman.studio", true },
   { "dergeilstestammderwelt.de", true },
   { "derhil.de", true },
+  { "derivedata.com", true },
   { "derk-jan.com", true },
   { "derkuki.de", true },
   { "derma-expert.eu", true },
@@ -9870,6 +10226,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dermscc.com", true },
   { "deroo.org", true },
   { "derp.army", true },
+  { "derp.chat", true },
   { "derre.fr", true },
   { "derreichesack.com", true },
   { "dersix.com", true },
@@ -9880,6 +10237,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "desarrollowp.com", true },
   { "descartes-finance.com", true },
   { "desec.io", true },
+  { "desertmedaesthetics.com", true },
   { "desertsounds.org", true },
   { "desgenst.ch", true },
   { "design-in-bad.eu", true },
@@ -9904,8 +10262,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "deskvip.com", true },
   { "desmaakvanplanten.be", true },
   { "desmo.gg", true },
-  { "desormiers.com", true },
-  { "despachomartinyasociados.com", true },
   { "despertadoronline.com.es", true },
   { "desplats.com.ar", true },
   { "dessinemoilademocratie.ch", true },
@@ -9919,9 +10275,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "desu.ne.jp", true },
   { "desuchan.eu", true },
   { "desuchan.org", true },
-  { "desuperheroes.co", true },
   { "det-te.ch", true },
+  { "detalhecomercio.com.br", true },
   { "detalika.ru", true },
+  { "detalyedesigngroup.com", true },
   { "detecmon.com", true },
   { "detectify.com", false },
   { "detectivedesk.com.au", true },
@@ -9932,16 +10289,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "detoxic.vn", true },
   { "detoxsinutritie.ro", true },
   { "detroit-english.de", true },
-  { "detroitstylepizza.com", true },
+  { "detroitstylepizza.com", false },
   { "detroitzoo.org", true },
   { "detski.center", true },
   { "detskysad.com", true },
   { "detuinmuze.nl", true },
-  { "detuprovincia.cl", true },
   { "detype.nl", true },
   { "deuchnord.fr", true },
   { "deude.de", true },
   { "deukie.nl", true },
+  { "deumavan.ch", true },
   { "deurenfabriek.nl", true },
   { "deutsch-vietnamesisch-dolmetscher.com", true },
   { "deutsche-seniorenbetreuung.de", true },
@@ -9955,18 +10312,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dev-brandywineglobal.com", true },
   { "dev-gutools.co.uk", true },
   { "dev-pulse-mtn.pantheonsite.io", true },
+  { "dev-sev-web.pantheonsite.io", true },
   { "dev-tek.de", true },
   { "devagency.fr", true },
   { "devalps.eu", true },
   { "devb.nl", true },
-  { "devcast.io", false },
   { "devcf.com", true },
   { "devct.cz", false },
   { "devcu.com", true },
   { "devcu.net", true },
   { "devel.cz", true },
-  { "develerik.com", false },
-  { "develop.cool", true },
   { "developer.android.com", true },
   { "developer.mydigipass.com", false },
   { "developerdan.com", true },
@@ -9980,33 +10335,31 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "developyourelement.com", true },
   { "develux.com", true },
   { "develux.net", true },
-  { "devh.net", true },
   { "deviant.email", true },
   { "devillers-occasions.be", true },
   { "devilshakerz.com", true },
-  { "deviltraxxx.de", true },
   { "devinfo.net", false },
   { "devirc.net", true },
   { "deviser.wang", true },
   { "devisnow.fr", true },
   { "devkid.net", true },
-  { "devkit.cc", false },
   { "devklog.net", true },
   { "devlamvzw.org", false },
   { "devlatron.net", true },
   { "devlogr.com", true },
   { "devnull.zone", true },
-  { "devolution.ws", true },
   { "devonsawatzky.ca", true },
   { "devopers.com.br", true },
   { "devops-survey.com", true },
   { "devpsy.info", true },
   { "devragu.com", true },
   { "devrandom.net", true },
+  { "devries.one", true },
   { "devsjournal.com", true },
   { "devsrvr.ru", true },
   { "devstaff.gr", true },
   { "devstroke.io", true },
+  { "devswag.io", true },
   { "devtty.org", true },
   { "devyn.ca", false },
   { "devzero.io", true },
@@ -10017,6 +10370,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dex.top", true },
   { "dexalo.de", true },
   { "dexigner.com", true },
+  { "dexonrest.azurewebsites.net", true },
   { "deyute.com", true },
   { "dez-online.de", true },
   { "dezeregio.nl", true },
@@ -10026,6 +10380,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dezshop24.de", true },
   { "df1paw.de", true },
   { "dfctaiwan.org", true },
+  { "dfekt.no", true },
+  { "dfektlan.no", true },
   { "dfl.mn", true },
   { "dflcares.com", true },
   { "dfmn.berlin", true },
@@ -10039,11 +10395,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dgportals.co.uk", true },
   { "dgpot.com", true },
   { "dgt-portal.de", true },
-  { "dgx.io", true },
   { "dharveydev.com", true },
   { "dhautefeuille.eu", true },
   { "dhauwer.nl", true },
   { "dhaynes.xyz", true },
+  { "dhbr.org", true },
   { "dhconcept.ch", true },
   { "dheart.net", true },
   { "dhhs.gov", true },
@@ -10054,11 +10410,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "di2pra.com", true },
   { "di2pra.fr", true },
   { "dia-de.com", true },
+  { "dia.com.br", true },
   { "diablovalleytech.com", true },
   { "diadorafitness.es", true },
   { "diadorafitness.it", true },
   { "diagnostix.org", true },
-  { "diagrammingoutloud.co.uk", true },
   { "dialapicnic.co.za", true },
   { "dialoegue.com", true },
   { "diamante.ro", true },
@@ -10073,12 +10429,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dianurse.com", true },
   { "diare-na-miru.cz", true },
   { "diario-egipto.com", true },
+  { "diaroma.it", true },
+  { "diarynote.jp", true },
   { "diasdasemana.com", true },
   { "diasp.org", true },
   { "diatrofi-ygeia.gr", true },
+  { "diba.org.cn", true },
   { "dibiphp.com", true },
   { "diccionarioabierto.com", true },
   { "diccionariodedudas.com", true },
+  { "diccionarqui.com", true },
   { "dice.tokyo", true },
   { "dicelab.co.uk", true },
   { "dicesites.com", true },
@@ -10091,6 +10451,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dicionariofinanceiro.com", true },
   { "dicionariopopular.com", true },
   { "dickieslife.com", true },
+  { "dickord.club", true },
   { "dickpics.ru", true },
   { "dicksakowicz.com", true },
   { "dicoding.com", true },
@@ -10113,6 +10474,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "die-seide.de", true },
   { "die-sinlosen.de", true },
   { "die-speisekammer-reutlingen.de", true },
+  { "diebestengutscheine.de", true },
   { "diedrich.co", true },
   { "diedrich.me", true },
   { "dieecpd.org", true },
@@ -10128,6 +10490,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dienchaninstitute.com", true },
   { "dienstplan.cc", true },
   { "dienstplan.one", true },
+  { "dierabenmutti.de", true },
   { "dierenartsdeconinck.be", true },
   { "dieselanimals.lt", true },
   { "dieselgalleri.com", true },
@@ -10143,16 +10506,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dietlin.com", true },
   { "dietrich.cx", true },
   { "dieumfrage.com", true },
-  { "diff2html.xyz", true },
   { "different.cz", false },
   { "differenta.ro", false },
   { "diffnow.com", true },
   { "difoosion.com", true },
+  { "difusordeambientes.com.br", true },
   { "digcit.org", true },
   { "digdata.de", true },
   { "dighans.com", true },
   { "digiarc.net", true },
   { "digibild.ch", true },
+  { "digibones.be", true },
   { "digibull.email", true },
   { "digibull.link", true },
   { "digicert-support.com", true },
@@ -10163,10 +10527,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "digilicious.com", true },
   { "digimagical.com", true },
   { "digimedia.cd", false },
-  { "digimomedia.co.uk", true },
   { "digioccumss.ddns.net", true },
   { "digipitch.com", true },
-  { "digired.ro", true },
   { "digital-compounds.com", true },
   { "digital-eastside.de", true },
   { "digital-liberal.ch", true },
@@ -10177,7 +10539,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "digital2web.com", false },
   { "digitalarchitecture.com", true },
   { "digitalbitbox.com", true },
-  { "digitalcash.cf", true },
   { "digitalcitizen.life", true },
   { "digitalcitizen.ro", true },
   { "digitalcraftmarketing.co.uk", true },
@@ -10203,12 +10564,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "digitalhabitat.io", true },
   { "digitalliteracy.gov", true },
   { "digitalmarketingindallas.com", true },
+  { "digitalposition.com", true },
   { "digitalrights.center", true },
   { "digitalrights.fund", true },
+  { "digitalroar.com", true },
   { "digitalskillswap.com", true },
   { "digitalsurge.io", true },
   { "digitaltcertifikat.dk", true },
   { "digitaltechnologies.ltd.uk", true },
+  { "digitalunite.de", true },
   { "digitkon.com", true },
   { "digitreads.com", true },
   { "digminecraft.com", true },
@@ -10242,18 +10606,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dimmersthousandoaks.com", true },
   { "dimmerswestlakevillage.com", true },
   { "dimonb.com", true },
+  { "dimseklubben.dk", true },
   { "din-hkd.jp", true },
   { "dineachook.com.au", true },
   { "dinepont.fr", true },
   { "dinerroboticurology.com", true },
   { "dingcc.me", true },
-  { "dinge.xyz", true },
   { "dingsbums.shop", true },
   { "dinheirolucrar.com", true },
   { "dinkommunikasjon.no", true },
   { "dinmtb.dk", true },
   { "dinocarrozzeria.com", true },
-  { "dinotopia.org.uk", true },
   { "dinstec.cl", true },
   { "dintrafic.net", true },
   { "diodeled.com", true },
@@ -10263,13 +10626,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dipalma.me", true },
   { "dipdaq.com", true },
   { "dipling.de", true },
+  { "diplomatiq.org", true },
   { "diplona.de", true },
   { "dipulse.it", true },
   { "dir2epub.com", true },
   { "dir2epub.org", true },
   { "dirba.io", true },
   { "direct-sel.com", true },
-  { "direct2uk.com", false },
   { "direct365.es", true },
   { "directebanking.com", true },
   { "directelectricalltd.co.uk", true },
@@ -10279,12 +10642,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "directreal.sk", true },
   { "directspa.fr", true },
   { "direktvermarktung-schmitzberger.at", true },
-  { "dirips.com", true },
   { "dirk-scheele.de", true },
-  { "dirk-weise.de", false },
+  { "dirk-weise.de", true },
   { "dirkdoering.de", true },
   { "dirkjonker.nl", true },
   { "dirko.net", true },
+  { "dirkwolf.de", true },
   { "dirtcraft.ca", true },
   { "dirtygeek.ovh", true },
   { "dirtyincest.com", true },
@@ -10294,6 +10657,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "disanteimpianti.com", true },
   { "disavow.tools", true },
   { "disc.uz", true },
+  { "discarica.bari.it", true },
   { "discarica.bologna.it", true },
   { "discarica.it", true },
   { "discarica.roma.it", true },
@@ -10308,13 +10672,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "discordapp.com", true },
   { "discordghost.space", true },
   { "discordia.me", true },
+  { "discordservers.com", true },
   { "discotek.club", true },
   { "discount24.de", true },
   { "discountlumberspokane.com", true },
   { "discountplush.com", true },
   { "discover-shaken.com", true },
   { "discoverthreejs.com", true },
-  { "discoverucluelet.com", true },
   { "discoveryaima.com", true },
   { "discoveryottawa.ca", true },
   { "discoveryrom.org", true },
@@ -10336,11 +10700,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "disinfestazioni.bari.it", true },
   { "disinfestazioni.bergamo.it", true },
   { "disinfestazioni.catania.it", true },
+  { "disinfestazioni.co", true },
   { "disinfestazioni.firenze.it", true },
   { "disinfestazioni.genova.it", true },
   { "disinfestazioni.gorizia.it", true },
   { "disinfestazioni.info", true },
   { "disinfestazioni.milano.it", true },
+  { "disinfestazioni.napoli.it", true },
   { "disinfestazioni.net", true },
   { "disinfestazioni.padova.it", true },
   { "disinfestazioni.rimini.it", true },
@@ -10355,6 +10721,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "disk.do", true },
   { "diskbit.com", true },
   { "diskbit.nl", true },
+  { "disking.co.uk", true },
   { "dismail.de", true },
   { "dispatchitsolutions.com", true },
   { "dispatchitsolutions.io", true },
@@ -10364,27 +10731,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dissertationhelp.com", true },
   { "dissidence.ovh", true },
   { "dissident.host", true },
+  { "dist-it.com", true },
   { "dist.torproject.org", false },
   { "disti.com", true },
-  { "distiduffer.org", true },
   { "distillery.com", true },
   { "distinguishedprisoner.com", true },
   { "distribuidoracristal.com.br", true },
   { "distribuidoraplus.com", true },
   { "distribuidorveterinario.es", true },
-  { "distro.re", true },
+  { "distro.fr", true },
   { "ditelbat.com", true },
   { "diti.me", true },
   { "ditisabc.nl", true },
+  { "div.im", true },
   { "diva.nl", true },
   { "divari.nl", true },
   { "divcoder.com", true },
   { "dive-japan.com", true },
   { "divedowntown.com", true },
   { "divegearexpress.com", true },
+  { "divegearexpress.net", true },
   { "diveidc.com", true },
   { "diveplan.org", true },
   { "divergenz.org", true },
+  { "diversifiedproduct.com", true },
   { "diversityflags.com", true },
   { "diversityflags.com.au", true },
   { "diversityflags.nz", true },
@@ -10423,14 +10793,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "djeung.org", true },
   { "djipanov.com", true },
   { "djleon.net", true },
+  { "djlinux.cz", true },
   { "djlive.pl", true },
   { "djlnetworks.co.uk", true },
+  { "djroynomden.nl", true },
   { "djsbouncycastlehire.com", true },
   { "djt-vom-chausseehaus.de", true },
-  { "djursland-psykologen.dk", true },
   { "djvintagevinyl.nl", true },
   { "djwaynepryke.com", true },
-  { "djz4music.com", false },
   { "dk-kromeriz.cz", true },
   { "dk.com", true },
   { "dk.search.yahoo.com", false },
@@ -10438,6 +10808,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dkds.us", true },
   { "dko-steiermark.ml", true },
   { "dkstage.com", true },
+  { "dkwedding.gr", true },
   { "dl.google.com", true },
   { "dlabouncycastlehire.co.uk", true },
   { "dlaspania.pl", true },
@@ -10458,12 +10829,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dm.mylookout.com", false },
   { "dm4productions.com", true },
   { "dm7ds.de", true },
+  { "dmaglobal.com", true },
   { "dmailshop.ro", true },
   { "dmarc.dk", true },
   { "dmatrix.xyz", true },
   { "dmd.lv", true },
   { "dmdd.org.uk", true },
-  { "dmeevalumate.com", true },
   { "dmess.ru", true },
   { "dmi.es", true },
   { "dmitry.sh", true },
@@ -10480,7 +10851,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dnacloud.pl", true },
   { "dnakids.co.uk", true },
   { "dnc.org.nz", true },
-  { "dndesign.be", true },
   { "dndtools.net", true },
   { "dne.lu", true },
   { "dnlr.tech", true },
@@ -10490,29 +10860,31 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dns-swiss.ch", true },
   { "dns.google.com", true },
   { "dns8.online", true },
+  { "dnsaio.com", true },
   { "dnscrawler.com", true },
   { "dnscrypt.info", true },
-  { "dnscrypt.nl", true },
   { "dnscurve.io", true },
   { "dnshallinta.fi", true },
   { "dnsinfo.ml", true },
   { "dnsipv6.srv.br", true },
+  { "dnskeep.com", true },
+  { "dnskeeper.com", true },
   { "dnsman.se", true },
   { "dnspod.ml", true },
   { "dnstwister.report", true },
-  { "dnzz123.com", true },
   { "do-prod.com", true },
   { "do.gd", true },
   { "do.search.yahoo.com", false },
   { "do13.net", true },
   { "do67.de", true },
   { "do67.net", true },
+  { "doanhnhanplus.vn", true },
   { "dobraprace.cz", true },
   { "dobrev.family", true },
   { "dobrisan.ro", true },
   { "dobsnet.net", true },
   { "doc.python.org", true },
-  { "doc.to", true },
+  { "doc.to", false },
   { "doc8643.com", true },
   { "docabo.ch", true },
   { "docbox.ch", true },
@@ -10525,11 +10897,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "docline.gov", true },
   { "docloh.de", true },
   { "docloudu.info", true },
+  { "docplexus.com", true },
   { "docs.google.com", false },
   { "docs.python.org", true },
   { "docs.re", true },
   { "docs.tw", true },
-  { "docsoc.org.uk", true },
+  { "doctabaila.com", true },
   { "doctafit.com", true },
   { "doctor-locks.co.uk", true },
   { "doctor.dating", true },
@@ -10539,21 +10912,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "doctorwho.cz", true },
   { "docubox.info", true },
   { "docucopies.com", true },
+  { "docudanang.com.vn", true },
   { "documaniatv.com", true },
-  { "docupet.com", true },
   { "docusearch.com", true },
+  { "dodds.cc", true },
+  { "dodomu.ddns.net", true },
   { "dodopri.com", true },
   { "doenjoylife.com", true },
   { "does.one", true },
   { "doesburg-comp.nl", true },
   { "dofuspvp.com", true },
   { "dofux.org", true },
-  { "dog-blum.com", true },
   { "dogadayiz.net", true },
   { "dogan.ch", false },
   { "dogcontrol.ca", true },
   { "doge.me", true },
-  { "doge.town", true },
   { "dogear.ch", true },
   { "dogft.com", true },
   { "doggedbyirs.com", true },
@@ -10567,7 +10940,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "doihavetoputonpants.com", true },
   { "doitauto.de", true },
   { "dojozendebourges.fr", true },
-  { "dokan-e.com", false },
   { "dokelio-idf.fr", true },
   { "doki.space", true },
   { "dokipy.no", true },
@@ -10575,6 +10947,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dokuboard.com", true },
   { "dokuraum.de", true },
   { "dolci-delizie.de", true },
+  { "dolciterapie.com", true },
   { "doleta.gov", true },
   { "doli.se", true },
   { "dolice.net", true },
@@ -10591,6 +10964,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "domain001.info", true },
   { "domainedemiolan.ch", true },
   { "domainexpress.de", false },
+  { "domainhacks.io", true },
   { "domainkauf.de", true },
   { "domainoo.com", true },
   { "domains.autos", true },
@@ -10606,23 +10980,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "domakidis.com", true },
   { "domaxpoker.com", true },
   { "domeconseil.fr", true },
-  { "domein-direct.nl", true },
+  { "domein-direct.nl", false },
   { "domenic.me", true },
   { "domenicam.com", true },
   { "domesticcleaners.co.uk", true },
   { "domhaase.me", true },
-  { "domian.cz", true },
   { "dominationgame.co.uk", true },
   { "dominicself.co.uk", true },
   { "dominik-schlueter.de", true },
   { "dominikaner-vechta.de", true },
   { "dominikkulaga.pl", true },
-  { "dominioanimal.com.br", true },
   { "dominionregistries.domains", true },
   { "dominique-haas.fr", true },
   { "dominoknihy.cz", true },
   { "dominomatrix.com", true },
   { "domix.fun", true },
+  { "domizx.de", true },
   { "dommascate.com.br", true },
   { "domob.eu", true },
   { "domodeco.fr", true },
@@ -10633,7 +11006,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "domster.com", true },
   { "domus-global.com", true },
   { "domus-global.cz", true },
-  { "domwkwiatach.pl", true },
   { "domyassignments.com", true },
   { "domycasestudy.com", true },
   { "domycoursework.com", true },
@@ -10652,12 +11024,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "donabeneko.jp", true },
   { "donaldm.co.uk", true },
   { "donateaday.net", true },
+  { "donateway.com", true },
+  { "donboscogroep.nl", true },
   { "donfelino.tk", false },
   { "dongxuwang.com", true },
+  { "donjusto.nl", true },
   { "donkennedyandsons.com", true },
   { "donkeytrekkingkefalonia.com", true },
   { "donmaldeamores.com", true },
-  { "donna-bellini-business-fotografie-muenchen.de", true },
   { "donna-bellini-fotografie-berlin.de", true },
   { "donna-bellini-fotografie-erfurt.de", true },
   { "donna-bellini-fotografie-frankfurt.de", true },
@@ -10672,6 +11046,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "donnaandscottmcelweerealestate.com", true },
   { "donnacha.blog", true },
   { "donnachie.net", true },
+  { "donnajeanbooks.com", true },
   { "donner-reuschel.de", true },
   { "donnons.org", false },
   { "donnoval.ru", false },
@@ -10682,12 +11057,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "donpomodoro.com.co", true },
   { "dont.re", true },
   { "dont.watch", true },
+  { "dontbeevil.com", true },
   { "dontbubble.me", true },
   { "dontcageus.org", true },
   { "dontpayfull.com", true },
   { "donttrust.me", true },
   { "donutcompany.co.jp", true },
-  { "donzool.es", true },
   { "dooby.fr", true },
   { "dooleylabs.com", true },
   { "dooleytackaberry.com", true },
@@ -10701,9 +11076,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "doorflow.com", true },
   { "doorhandlese.com", true },
   { "doorshingekit.com", true },
+  { "doorswest.net", true },
   { "dopesoft.de", true },
-  { "dopfer-fenstertechnik.de", true },
-  { "doppenpost.nl", true },
+  { "dopetrue.com", true },
+  { "dophys.top", true },
   { "dopply.com", true },
   { "dopravni-modely.cz", true },
   { "dopsi.ch", true },
@@ -10747,6 +11123,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dosvientosoutdoorlighting.com", true },
   { "doswap.com", true },
   { "dosyauzantisi.com", true },
+  { "dot.ro", true },
   { "dot42.no", true },
   { "dota2huds.com", true },
   { "dotacni-parazit.cz", true },
@@ -10782,11 +11159,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dougley.com", true },
   { "dougsautobody.com", true },
   { "doujinshi.info", true },
+  { "doujinspot.com", true },
   { "dounats.com", true },
   { "douzer.de", true },
   { "douzer.industries", true },
   { "dovenzorgmalawi.nl", true },
-  { "dovro.de", true },
   { "dowell.media", true },
   { "dowellconsulting.com", true },
   { "dowhatmakegood.de", true },
@@ -10794,12 +11171,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "downloadaja.com", true },
   { "downloadgamemods.com", true },
   { "downloadgram.com", true },
+  { "downloadhindimovie.com", true },
+  { "downloadhindimovie.net", true },
+  { "downloadhindimovies.net", true },
   { "downloads.zdnet.com", true },
   { "downloadsoftwaregratisan.com", true },
   { "downrightcute.com", true },
   { "downtimerobot.com", true },
   { "downtimerobot.nl", true },
+  { "downtownautospecialists.com", true },
   { "downtownvernon.com", true },
+  { "dox-box.eu", true },
   { "doyoucheck.com", false },
   { "doyouedc.com", true },
   { "doyoutax.com", true },
@@ -10808,6 +11190,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dozecloud.com", true },
   { "dp.cx", true },
   { "dpd.com.pl", true },
+  { "dpecuador.com", true },
   { "dperson.net", true },
   { "dpfsolutionsfl.com", true },
   { "dpg.no", true },
@@ -10816,6 +11199,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dpm-ident.de", true },
   { "dprb.biz", true },
   { "dprd-wonogirikab.go.id", false },
+  { "dps.srl", true },
   { "dpsg-roden.de", true },
   { "dpwsweeps.co.uk", true },
   { "dr-becarelli-philippe.chirurgiens-dentistes.fr", true },
@@ -10832,6 +11216,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dr-schuessler.de", true },
   { "dr-stoetter.de", true },
   { "dr-www.de", true },
+  { "dr2dr.ca", true },
+  { "draadloze-noodstop.nl", true },
   { "drabadir.com", true },
   { "drabim.org", true },
   { "drach.xyz", true },
@@ -10842,6 +11228,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "draftguru.com.au", true },
   { "drafton.com", true },
   { "drageeparadise.fr", true },
+  { "dragfiles.com", true },
   { "draghetti.it", true },
   { "draghive.asia", true },
   { "draghive.ca", true },
@@ -10852,6 +11239,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "draghive.tv", true },
   { "dragon-chem.eu", true },
   { "dragon-hearts.co.uk", true },
+  { "dragon.nu", true },
   { "dragoncave.me", true },
   { "dragonclean.gr", true },
   { "dragonfly.co.uk", true },
@@ -10868,14 +11256,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dragonsunited.org", true },
   { "dragonwolfpackaquaria.com", true },
   { "dragonwork.me", true },
-  { "drahcro.uk", true },
+  { "drainagedirect.com", true },
+  { "draintechnorthwest.net", true },
   { "drakecommercial.com", true },
   { "drakeluce.com", true },
   { "drakenson.de", true },
+  { "draliabadi.com", true },
   { "dramaticpeople.com", true },
   { "dramyalderman.com", true },
   { "dranderle.com", true },
-  { "dranek.com", true },
   { "dras.hu", true },
   { "draugr.de", true },
   { "draw.uy", true },
@@ -10883,19 +11272,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drawingcode.net", true },
   { "drawtwo.gg", true },
   { "drawxp.com", true },
-  { "drbethanybarnes.com", true },
   { "drbriones.com", true },
   { "drcarolynquist.com", true },
   { "drchrislivingston.com", true },
   { "drchristinehatfield.ca", true },
   { "drchristophepanthier.com", true },
-  { "drdavidgilpin.com", true },
-  { "drdim.ru", true },
   { "drdipilla.com", true },
   { "dreamcreator108.com", true },
   { "dreamday-with-dreamcar.de", true },
   { "dreamdivers.com", true },
-  { "dreamersgiftshopec.com", true },
   { "dreamhack.com", true },
   { "dreamhostremixer.com", true },
   { "dreamithost.com.au", true },
@@ -10908,11 +11293,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dreammaker-nw.com", true },
   { "dreammakerremodelil.com", true },
   { "dreammakerutah.com", true },
-  { "dreamof.net", true },
+  { "dreamof.net", false },
   { "dreamonkey.com", true },
   { "dreamrae.net", true },
-  { "dreamtechie.com", true },
-  { "dreatho.com", true },
+  { "dreamstream.mobi", true },
+  { "dreamstream.network", true },
+  { "dreamstream.nl", true },
+  { "dreamstream.tv", true },
+  { "dreamstream.video", true },
+  { "dreemurr.com", true },
   { "drei01.com", true },
   { "drei01.de", true },
   { "dreid.org", true },
@@ -10929,7 +11318,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dressify.co", true },
   { "dressify.in", true },
   { "drevanbeale.com", true },
-  { "drevo-door.cz", true },
+  { "drevo-door.cz", false },
   { "drew.beer", true },
   { "drew.red", true },
   { "drewapianostudio.com", true },
@@ -10943,8 +11332,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drgn.no", true },
   { "drhathazi.hu", true },
   { "drheibel.com", true },
+  { "drhoseyni.com", true },
   { "driesjtuver.nl", true },
+  { "driessoftsec.tk", true },
   { "driftdude.nl", true },
+  { "driftingruby.com", true },
   { "drighes.com", true },
   { "drillingsupply.info", true },
   { "drillingsupplystore.com", true },
@@ -10952,7 +11344,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drillshackresort.com", true },
   { "drinkcontrolapp.com", true },
   { "drinkgas-jihlava.cz", true },
-  { "drinkplanet.eu", true },
   { "drive.google.com", false },
   { "driven2shine.eu", true },
   { "drivenes.net", true },
@@ -10965,6 +11356,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drivingtestpro.com", true },
   { "drivinhors.com", true },
   { "drivya.com", true },
+  { "drixn.cn", true },
+  { "drixn.com", true },
   { "drizz.com.br", false },
   { "drjacquesmalan.com", true },
   { "drjenafernandez.com", true },
@@ -10981,8 +11374,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drmcdaniel.com", true },
   { "drms.us", true },
   { "drmtransit.com", true },
+  { "drmyco.net", true },
   { "drnow.ru", true },
   { "drogueriaelbarco.com", true },
+  { "droidandy.com", true },
   { "droidapp.nl", true },
   { "droidgyan.com", true },
   { "droidhere.com", true },
@@ -10990,9 +11385,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "droidwave.com", true },
   { "droidwiki.de", true },
   { "drone-it.net", true },
-  { "dronebotworkshop.com", true },
+  { "dronebl.org", true },
   { "dronepit.dk", true },
-  { "dronexpertos.com", true },
   { "droni.cz", true },
   { "dronnet.com", false },
   { "dronografia.es", true },
@@ -11010,7 +11404,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drpetervoigt.ddns.net", true },
   { "drpetervoigt.de", true },
   { "drpico.com.au", true },
-  { "drrodina.com", true },
   { "drrr.chat", true },
   { "drrr.wiki", true },
   { "drsajjadian.com", true },
@@ -11019,6 +11412,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drschruefer.de", true },
   { "drsturgeonfreitas.com", true },
   { "drtimmarch.com", true },
+  { "drtimothybradley.com", true },
   { "druckerei-huesgen.de", true },
   { "drugs.com", true },
   { "drumbe.at", true },
@@ -11029,9 +11423,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drupalspb.org", true },
   { "drusantia.net", true },
   { "drusillas.co.uk", true },
-  { "druwe.net", true },
+  { "druwe.net", false },
   { "druznek.me", true },
-  { "drvr.xyz", true },
   { "drwang.group", true },
   { "drweissbrot.net", true },
   { "drwxr.org", true },
@@ -11042,6 +11435,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "drydrydry.com", true },
   { "dryerventcleaningarlington.com", true },
   { "dryerventcleaningcarrollton.com", true },
+  { "dryjersey.com", true },
   { "drywallresponse.gov", true },
   { "ds67.de", true },
   { "dsancomics.com", true },
@@ -11059,21 +11453,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dshield.org", true },
   { "dsm5.com", true },
   { "dsmjs.com", true },
-  { "dsne.com.mx", true },
+  { "dsmstainlessproducts.co.uk", true },
   { "dso-imaging.co.uk", true },
   { "dso-izlake.si", true },
   { "dsol.hu", true },
-  { "dsrw.org", true },
   { "dssale.com", true },
   { "dstamou.de", true },
+  { "dstat.cc", true },
   { "dsteiner.at", true },
   { "dstvinstallalberton.co.za", true },
+  { "dstvinstalledenvale.co.za", true },
+  { "dstvinstallfourways.co.za", true },
+  { "dstvinstallkemptonpark.co.za", true },
   { "dstvinstallrandburg.co.za", true },
+  { "dstvsandton.co.za", true },
+  { "dstvsouthafrica.com", true },
   { "dt27.org", true },
   { "dtbouncycastles.co.uk", true },
   { "dtdsh.com", true },
   { "dte.co.uk", true },
-  { "dtechstore.com.br", true },
   { "dtg-fonds.com", true },
   { "dtg-fonds.de", true },
   { "dtg-fonds.net", true },
@@ -11099,13 +11497,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dubtrack.fm", true },
   { "ducalendars.com", true },
   { "duch.cloud", true },
-  { "duchyoffeann.com", true },
-  { "duckasylum.com", false },
   { "duckbase.com", true },
+  { "duckblade.com", true },
   { "duckduck.horse", true },
   { "duckduckstart.com", true },
   { "duckeight.win", true },
   { "duckinc.net", true },
+  { "duckyubuntu.tk", true },
   { "duct.me", true },
   { "due-diligence-security.com", true },
   { "duerlund-falkenberg.dk", true },
@@ -11153,15 +11551,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dunmanelectric.com", true },
   { "duobus.nl", true },
   { "duoluodeyu.com", true },
-  { "duonganhtuan.com", true },
   { "duoquadragintien.fr", true },
   { "dupisces.com.tw", true },
   { "dupree.co", true },
   { "dupree.pe", true },
   { "durand.tf", true },
+  { "duranthon.eu", true },
   { "durbanlocksmiths.co.za", true },
+  { "durchblick-shop.de", true },
   { "durdle.com", true },
   { "dureuil.info", true },
+  { "durexwinkel.nl", true },
   { "durfteparticiperen.nl", true },
   { "duria.de", true },
   { "duriaux-dentiste.ch", true },
@@ -11171,7 +11571,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dusnan.com", true },
   { "dustplanet.de", true },
   { "dustri.org", true },
-  { "dustycloth.com", true },
   { "dustygroove.com", true },
   { "dustyspokesbnb.ca", true },
   { "dutch.desi", true },
@@ -11197,13 +11596,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dwgf.xyz", true },
   { "dwi-sued.de", true },
   { "dwienzek.de", true },
+  { "dworekhetmanski.pl", true },
   { "dworzak.ch", true },
   { "dwscdv3.com", true },
   { "dwtm.ch", true },
   { "dwworld.co.uk", true },
+  { "dx-revision.com", true },
   { "dxgl.info", true },
   { "dxgl.org", true },
-  { "dxm.no-ip.biz", true },
   { "dybuster.at", true },
   { "dybuster.ch", true },
   { "dybuster.com", true },
@@ -11211,10 +11611,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dybuster.es", true },
   { "dybuster.it", true },
   { "dybuster.se", true },
+  { "dycoa.com", true },
   { "dyeager.org", true },
   { "dyktig.as", true },
   { "dyktig.no", true },
   { "dylanboudro.com", true },
+  { "dylancl.cf", true },
   { "dylankatz.com", true },
   { "dylanknoll.ca", true },
   { "dylanspcrepairs.com", true },
@@ -11245,6 +11647,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dynamo.city", true },
   { "dynapptic.com", true },
   { "dynastic.co", true },
+  { "dynastyarena.com", true },
+  { "dynastybullpen.com", true },
+  { "dynastycalculator.com", true },
+  { "dynastycentral.com", true },
+  { "dynastychalkboard.com", true },
+  { "dynastyclubhouse.com", true },
+  { "dynastycrate.com", true },
+  { "dynastyduel.com", true },
+  { "dynastyfan.com", true },
+  { "dynastygoal.com", true },
+  { "dynastylocker.com", true },
+  { "dynastyredline.com", true },
+  { "dynastyredzone.com", true },
   { "dynn.be", true },
   { "dynorphin.com", true },
   { "dynorphins.com", true },
@@ -11255,18 +11670,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "dyscalculia-blog.com", true },
   { "dysthymia.com", true },
   { "dyyn.de", true },
+  { "dzar.nsupdate.info", true },
   { "dzeina.ch", true },
   { "dzet.de", true },
   { "dziary.com", true },
   { "dziurdzia.pl", true },
   { "dzivniekubriviba.lv", true },
+  { "dzndk.com", true },
   { "dznn.nl", true },
   { "dzomo.org", true },
+  { "dzsi.bi", true },
   { "dzsibi.com", true },
   { "dzsula.hu", true },
   { "dzyabchenko.com", true },
   { "dzyszla.pl", true },
-  { "e-apack.com.br", true },
   { "e-bikesdirect.co.uk", true },
   { "e-biografias.net", true },
   { "e-borneoshop.com", true },
@@ -11276,6 +11693,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "e-enterprise.gov", false },
   { "e-hon.link", true },
   { "e-id.ee", true },
+  { "e-imzo.uz", true },
   { "e-kontakti.fi", true },
   { "e-lambre.com", true },
   { "e-learningbs.com", true },
@@ -11294,7 +11712,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "e-tonery.cz", true },
   { "e-traceur-france.fr", true },
   { "e-tresor.at", true },
-  { "e-tune-mt.net", true },
   { "e-typ.eu", true },
   { "e-verify.gov", false },
   { "e-worksmedia.com", true },
@@ -11335,13 +11752,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "earticleblog.com", true },
   { "earvinkayonga.com", false },
   { "easelforart.com", true },
-  { "easez.net", true },
   { "eashwar.com", true },
-  { "eason-yang.com", true },
   { "eastarm.net", true },
   { "eastblue.org", true },
   { "easterncapebirding.co.za", true },
   { "eastlothianbouncycastles.co.uk", true },
+  { "eastman.space", true },
   { "eastmanbusinessinstitute.com", true },
   { "eastnorschool.co.uk", true },
   { "eastplan.co.kr", true },
@@ -11352,10 +11768,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "easyadsnbanners.tk", false },
   { "easycoding.org", true },
   { "easyconstat.com", true },
-  { "easycontentplan.com", true },
   { "easycosmetic.ch", true },
   { "easycup.com", false },
-  { "easydumpsterrental.com", false },
+  { "easydumpsterrental.com", true },
   { "easyeigo.com", true },
   { "easyfiles.ch", true },
   { "easyhaul.com", true },
@@ -11364,6 +11779,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "easyoutdoor.nl", true },
   { "easypay.bg", true },
   { "easyproperty.com", true },
+  { "easypv.ch", true },
   { "easyqr.codes", true },
   { "easyroad.fr", true },
   { "easyslide.be", true },
@@ -11377,6 +11793,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eatmebudapest.hu", true },
   { "eaton-works.com", true },
   { "eatry.io", true },
+  { "eats.soy", true },
   { "eatsleeprepeat.net", true },
   { "eatson.com", true },
   { "eatz-and-treatz.com", true },
@@ -11411,8 +11828,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eboutic.ch", true },
   { "eboyer.com", true },
   { "ebpglobal.com", false },
-  { "ebrnd.de", true },
-  { "ec-baran.de", true },
   { "ec-current.com", true },
   { "ec.mine.nu", true },
   { "eca.edu.au", true },
@@ -11426,24 +11841,31 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ecco-verde.com", false },
   { "ecdn.cz", true },
   { "ecfnorte.com.br", true },
+  { "ecfunstalls.com", true },
   { "echatta.net", true },
   { "echatta.org", true },
+  { "echi.pw", true },
   { "echidna-rocktools.eu", true },
   { "echo-security.co", true },
+  { "echo.cc", true },
   { "echoanalytics.com", true },
   { "echobridgepartners.com", true },
   { "echodio.com", true },
   { "echofoxtrot.co", true },
+  { "echoit.net", true },
+  { "echoit.net.au", true },
+  { "echoit.services", true },
   { "echopaper.com", true },
+  { "echorecovery.org", true },
   { "echosim.io", true },
   { "echosixmonkey.com", true },
   { "echosystem.fr", true },
   { "echoteam.gq", true },
   { "echoteen.com", true },
   { "echoworld.ch", true },
+  { "echternach-immobilien.de", true },
   { "echtes-hutzelbrot.de", true },
   { "echtgeld-casinos.de", true },
-  { "ecir.pro", true },
   { "ecir.ru", true },
   { "ecirtam.net", true },
   { "eckel.co", true },
@@ -11452,13 +11874,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ecliptic.cc", true },
   { "ecnetworker.com", true },
   { "eco-derattizzazione.it", true },
-  { "eco-wiki.com", true },
   { "eco-work.it", true },
   { "eco2u.ru", true },
   { "ecobee.com", false },
   { "ecobergerie.fr", true },
   { "ecobin.nl", true },
-  { "ecobrain.be", true },
   { "ecoccinelles.ch", true },
   { "ecoccinelles.com", true },
   { "ecococon.fr", true },
@@ -11477,9 +11897,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ecoledusabbat.org", true },
   { "ecolemathurincordier.com", true },
   { "ecombustibil.ro", true },
-  { "ecommercestore.net.br", true },
-  { "ecompen.co.za", true },
   { "ecomycie.com", true },
+  { "economiafinanzas.com", true },
   { "economias.pt", true },
   { "economic-sanctions.com", true },
   { "economicinclusion.gov", true },
@@ -11490,17 +11909,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "econverter.cloud", true },
   { "ecorp.cc", true },
   { "ecos-ev.de", true },
-  { "ecos.srl", true },
   { "ecoshare.info", true },
-  { "ecoskif.ru", true },
+  { "ecosm.com.au", true },
   { "ecosound.ch", true },
   { "ecostruxureit.com", true },
   { "ecosystem.atlassian.net", true },
+  { "ecosystemmanager-uat1.azurewebsites.net", true },
+  { "ecotaxi2airport.com", true },
   { "ecoterramedia.com", true },
   { "ecotur.org", true },
   { "ecovision.com.br", true },
   { "ecpannualmeeting.com", true },
   { "ecrandouble.ch", true },
+  { "ecuinformacion.com", true },
   { "ecupcafe.com", false },
   { "ecuteam.com", true },
   { "ecxforum.com", true },
@@ -11515,11 +11936,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eddyn.net", true },
   { "edeca.net", true },
   { "edehsa.com", true },
+  { "edeka-jbl-treueaktion.de", true },
+  { "eden-eu.com", true },
   { "eden.co.uk", true },
   { "edenming.info", true },
   { "edesseglabor.hu", true },
   { "edfinancial.com", true },
-  { "edge-cloud.net", true },
+  { "edge-cloud.net", false },
+  { "edgedynasty.com", true },
+  { "edgefantasy.com", true },
   { "edgeservices.co.uk", true },
   { "edgetalk.net", true },
   { "edgevelder.com", true },
@@ -11531,12 +11956,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "edicct.com", true },
   { "edilane.com", true },
   { "edilane.de", true },
+  { "edilservizi.it", true },
+  { "edilservizivco.it", true },
   { "edinburghsportsandoutdoorlearning.com", true },
   { "edincmovie.com", true },
   { "ediscomp.sk", true },
   { "edisonlee55.com", true },
   { "edisonluiz.com", true },
   { "edisonnissanparts.com", true },
+  { "edit.co.uk", true },
   { "edit.yahoo.com", false },
   { "edited.de", true },
   { "edition-bambou.com", true },
@@ -11553,6 +11981,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "edragneainpuscarie.ro", true },
   { "edsby.com", true },
   { "edservicing.com", true },
+  { "edshogg.co.uk", true },
   { "edsm.net", true },
   { "edstep.com", true },
   { "edtech-hub.com", true },
@@ -11561,8 +11990,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "edu6.cloud", true },
   { "eduard-dopler.de", true },
   { "edubras.com.br", true },
+  { "educatek.es", true },
   { "educationevolving.org", true },
   { "educationfutures.com", true },
+  { "educationmalaysia.co.uk", true },
   { "educationunlimited.com", true },
   { "educator-one.com", true },
   { "eductf.org", true },
@@ -11582,11 +12013,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "edvgarbe.de", true },
   { "edvmesstec.de", true },
   { "edwar.do", true },
+  { "edwarddekker.nl", true },
   { "edwards.me.uk", true },
   { "edwardsnowden.com", true },
   { "edwardspeyer.com", true },
   { "edwardwall.me", true },
   { "edwellbrook.com", true },
+  { "edwinmattiacci.com", true },
   { "edwinyrkuniversity.de", true },
   { "edxg.de", false },
   { "edxn.de", true },
@@ -11596,7 +12029,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eellak.gr", true },
   { "eelsden.net", true },
   { "eelzak.nl", true },
-  { "eemcevn.com", true },
   { "eentweevijf.be", true },
   { "eer.io", true },
   { "eerlijktransport.nl", true },
@@ -11604,6 +12036,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eery.de", true },
   { "eesti.xyz", true },
   { "eewna.org", true },
+  { "ef-georgia.org", true },
   { "ef.gy", true },
   { "efa-football.com", true },
   { "efaas.nl", true },
@@ -11619,7 +12052,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "effero.net", true },
   { "effex.ru", true },
   { "effinfun.com", true },
-  { "effizienta.ch", true },
   { "efflam.net", true },
   { "effortlesshr.com", true },
   { "efg-darmstadt.de", false },
@@ -11645,13 +12077,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eganassociates.com.au", true },
   { "egarden.it", true },
   { "egb.at", false },
+  { "egbert.net", true },
   { "egeozcan.com", true },
   { "egg-ortho.ch", true },
   { "eggblast.com", true },
   { "eggert.org", false },
   { "eggplant.today", true },
   { "egiftcards.be", true },
+  { "eglek.com", true },
   { "egles.eu", true },
+  { "eglisedenantes.fr", true },
   { "ego4u.com", true },
   { "ego4u.de", true },
   { "egoroof.ru", true },
@@ -11667,6 +12102,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ehandel.com", true },
   { "ehazi.hu", true },
   { "ehbssl.com", true },
+  { "ehcommerce.com", true },
   { "eheliche-disziplin.schule", true },
   { "ehertz.uk", true },
   { "ehipaa.com", true },
@@ -11676,10 +12112,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ehne.de", true },
   { "ehomusicgear.com", true },
   { "ehrenburg.info", true },
+  { "ehseller.com", true },
   { "ehub.cz", true },
   { "ehub.hu", true },
   { "ehub.pl", true },
   { "ehub.sk", true },
+  { "eiao.me", true },
   { "eichel.eu", true },
   { "eichler.work", true },
   { "eichornenterprises.com", true },
@@ -11689,12 +12127,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eickhofcolumbaria.com", true },
   { "eidolons.org", true },
   { "eifel.website", true },
+  { "eifelindex.de", true },
   { "eigenpul.se", true },
   { "eigenpulse.com", true },
   { "eighty-aid.com", true },
   { "eigpropertyauctions.co.uk", true },
   { "eihaikyo.com", true },
   { "eika.as", true },
+  { "eikounoayumi.jp", true },
+  { "eilandprojectkeukens.nl", true },
   { "eilhan.com", true },
   { "eimacs.com", true },
   { "einaros.is", true },
@@ -11709,6 +12150,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "einsteincapital.ca", true },
   { "eintageinzug.de", true },
   { "eintragsservice24.de", true },
+  { "eioperator.com", true },
   { "eipione.com", true },
   { "eirastudios.co.uk", false },
   { "eirb.fr", true },
@@ -11723,16 +12165,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ejkmuseum.nl", true },
   { "ejknet.nl", true },
   { "ejkwebdesign.nl", true },
-  { "ek-networks.de", true },
+  { "ek-networks.de", false },
   { "ekaigotenshoku.com", true },
   { "ekati.ru", true },
+  { "ekawaiishop.com", true },
   { "ekb-avia.ru", true },
   { "ekd.de", true },
   { "ekedc.com", true },
   { "ekedp.com", true },
   { "eklepka.com", true },
   { "eklitzke.org", true },
-  { "ekodevices.com", true },
   { "ekokontakt.cz", true },
   { "ekonbenefits.com", true },
   { "ekostecki.de", true },
@@ -11742,7 +12184,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eksisozluk.com", true },
   { "ekuatorial.com", true },
   { "ekyu.moe", true },
+  { "ekz-crosstour.ch", true },
   { "ekzarta.ru", true },
+  { "ekzcrosstour.ch", true },
   { "el-cell.com", true },
   { "el-hossari.com", true },
   { "el-news.de", true },
@@ -11751,9 +12195,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elainerock.com", true },
   { "elaon.de", true },
   { "elars.de", true },
+  { "elarvee.xyz", true },
   { "elb500ttl.nl", true },
   { "elbetech.net", true },
-  { "elblogdegoyo.mx", true },
   { "elcambiador.es", true },
   { "elcontadorsac.com", true },
   { "eldapoint.co.uk", true },
@@ -11764,9 +12208,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eldertons.co.uk", true },
   { "eldevo.com", true },
   { "eldinhadzic.com", true },
+  { "eldisagjapi.com", true },
   { "eldrid.ge", true },
   { "eldritchfiction.net", true },
-  { "eleaut.com.br", true },
   { "electionsbycounty.com", true },
   { "electionsdatabase.com", true },
   { "electmikewaters.com", true },
@@ -11806,7 +12250,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "electricgatemotorskemptonpark.co.za", true },
   { "electricgatemotorsroodepoort.co.za", true },
   { "electrichiddenhills.com", true },
-  { "electrician-umhlangaridge.co.za", true },
   { "electricianagoura.com", true },
   { "electricianagourahills.com", true },
   { "electriciancalabasas.com", true },
@@ -11816,7 +12259,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "electricianhiddenhills.com", true },
   { "electriciankemptonpark24-7.co.za", true },
   { "electricianlakesherwood.com", true },
-  { "electricianlalucia.co.za", true },
   { "electricianmalibu.com", true },
   { "electricianmoorpark.com", true },
   { "electriciannewburypark.com", true },
@@ -11835,6 +12277,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "electricsimivalley.com", true },
   { "electricthousandoaks.com", true },
   { "electricwestlakevillage.com", true },
+  { "electro-pak.com.pk", true },
   { "electroinkoophardenberg.nl", true },
   { "electronic-ignition-system.com", true },
   { "electronicafacil.net", true },
@@ -11870,6 +12313,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elektrometz.de", true },
   { "elektronickakancelar.cz", true },
   { "elektronische-post.org", true },
+  { "elektropartner.nu", true },
   { "elektropost.org", true },
   { "elektrotechnik-heisel.de", true },
   { "elektrotechnik-kaetzel.de", true },
@@ -11886,14 +12330,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elephpant.cz", true },
   { "elepover.com", true },
   { "elerizoentintado.es", true },
+  { "eletesstilus.hu", true },
   { "eletor.com", true },
   { "eletor.pl", true },
+  { "elettricista-roma.it", true },
   { "elettricista-roma.org", true },
   { "eleusis-zur-verschwiegenheit.de", true },
-  { "elevator.ee", true },
   { "elevatoraptitudetest.com", true },
-  { "elexel.ru", true },
   { "elexprimidor.com", true },
+  { "elexwong.com", true },
   { "elfe.de", true },
   { "elfnon.com", true },
   { "elfring.eu", true },
@@ -11911,7 +12356,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eliaskordelakos.com", true },
   { "elibom.com", true },
   { "elie.net", true },
-  { "elielaloum.com", true },
   { "elifesciences.org", true },
   { "eligibilis.com", true },
   { "eligible.com", true },
@@ -11931,7 +12375,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elite12.de", true },
   { "elitebouncingfun.com", true },
   { "elitegameservers.net", true },
-  { "elitehosting.de", false },
   { "elitenutritionoficial.com", true },
   { "elixi.re", true },
   { "elixir.bzh", true },
@@ -11941,7 +12384,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elizabethrominski.com", true },
   { "eljef.me", true },
   { "elkoy.org", true },
-  { "ell-net.tokyo", true },
   { "ella-kwikmed.com", false },
   { "ellak.gr", true },
   { "ellegaard.dk", true },
@@ -11961,13 +12403,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elodieclerc.ch", true },
   { "elohellp.com", false },
   { "elonaspitze.de", true },
-  { "elonm.ru", true },
   { "elosrah.com", true },
-  { "elosuite.com", true },
-  { "eloxt.com", true },
   { "elpado.de", true },
   { "elpo.net", true },
   { "elpoderdelespiritu.org", true },
+  { "elradix.be", true },
   { "elrinconderovica.com", true },
   { "elsagradocoran.org", true },
   { "elshou.com", true },
@@ -11985,7 +12425,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elucron.com", true },
   { "eluhome.de", true },
   { "eluvio.com", true },
-  { "elvcino.com", true },
+  { "elvcino.com", false },
   { "elvidence.com.au", true },
   { "elviraszabo.com", true },
   { "elvispresley.net", true },
@@ -11999,20 +12439,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "elysiumware.com", true },
   { "em-biotek.cz", true },
   { "emaging-productions.fr", true },
-  { "emailalaperformance.fr", true },
+  { "emaging.fr", true },
   { "emailconfiguration.com", true },
   { "emailfuermich.de", true },
   { "emailhunter.co", true },
-  { "emailing.alsace", true },
+  { "emailmeform.com", true },
   { "emailprivacytester.com", true },
   { "emailtools.io", true },
   { "emaily.eu", true },
+  { "emanol.co.uk", true },
   { "emanuel.photography", true },
   { "emanuela-gabriela.co.uk", true },
   { "emanuelduss.ch", true },
   { "emanueleanastasio.com", true },
   { "emanuelemazzotta.com", true },
   { "emarketingmatters.com", true },
+  { "emasex.com", true },
   { "embassycargo.eu", true },
   { "emberlife.com", true },
   { "embox.net", true },
@@ -12039,7 +12481,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "emil-reimann.com", true },
   { "emil.click", true },
   { "emilecourriel.com", true },
-  { "emiliendevos.be", true },
+  { "emilio.media", true },
   { "emilong.com", true },
   { "emilreimann.de", true },
   { "emils-1910.de", true },
@@ -12056,7 +12498,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "emkanrecords.com", true },
   { "emkei.cz", true },
   { "emkrivoy.com", true },
-  { "emma.ca", true },
   { "emmababy420.com", true },
   { "emmagraystore.com", true },
   { "emobilityforum.org", true },
@@ -12071,6 +12512,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "emperor-penguins.com", true },
   { "empese.com", true },
   { "empherino.net", true },
+  { "empire-univ.com", true },
   { "emploi-collectivites.fr", true },
   { "employeeexpress.gov", true },
   { "employer.gov", true },
@@ -12083,7 +12525,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "emporioviverbem.com.br", false },
   { "empower.net", true },
   { "empowerdb.com", true },
+  { "emprechtinger.com", true },
   { "emprego.pt", true },
+  { "emprunterlivre.ci", true },
   { "empyrean-advisors.com", true },
   { "emresaglam.com", true },
   { "emtradingacademy.com", true },
@@ -12097,7 +12541,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "en-maktoob.search.yahoo.com", false },
   { "en4rab.co.uk", true },
   { "enaah.de", true },
-  { "enaim.de", true },
   { "enalean.com", true },
   { "enamae.net", true },
   { "enbecom.net", true },
@@ -12105,7 +12548,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "encircleapp.com", true },
   { "encnet.de", true },
   { "encode.host", true },
-  { "encore.io", true },
+  { "encoderx.uk", true },
+  { "encore.io", false },
   { "encouragemarketing.com", true },
   { "encredible.de", false },
   { "encredible.org", false },
@@ -12118,7 +12562,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "encryptmysite.net", true },
   { "encuentraprecios.es", true },
   { "encycarpedia.com", true },
-  { "ende-x.com", true },
+  { "encyclopedia-titanica.org", true },
   { "endeal.nl", true },
   { "ender.co.at", true },
   { "enderbycamping.com", true },
@@ -12126,6 +12570,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "endingthedocumentgame.gov", true },
   { "endlessdiy.ca", true },
   { "endlessvideo.com", true },
+  { "endofodo.goip.de", true },
   { "endoftenancycleaninglondon.co.uk", true },
   { "endoftennancycleaning.co.uk", true },
   { "endpointsystems.com", true },
@@ -12134,7 +12579,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "enemiesoflight.de", true },
   { "energie-sante.ch", true },
   { "energiekeurplus.nl", true },
-  { "energisammenslutningen.dk", true },
   { "energy-drink-magazin.de", true },
   { "energy-in-balance.eu", true },
   { "energy-infra.nl", true },
@@ -12163,7 +12607,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "engiedev.net", true },
   { "enginepit.com", true },
   { "enginsight.com", true },
-  { "enginx.net", true },
+  { "engl-systems.de", true },
   { "englishbulgaria.net", true },
   { "englishcast.com.br", true },
   { "englishforums.com", true },
@@ -12175,14 +12619,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "enijew.com", true },
   { "enitso.de", true },
   { "enixgaming.com", true },
+  { "enjin.io", true },
   { "enjincoin.io", true },
   { "enjinwallet.io", true },
+  { "enjinx.cn", true },
   { "enjinx.io", true },
   { "enjoy-drive.com", true },
   { "enjoy-israel.ru", true },
   { "enjoyphoneblog.it", true },
   { "enlight.no", true },
-  { "enlighten10x.ga", true },
   { "enlightenedhr.com", true },
   { "enlightenment.org", true },
   { "enlnf.link", true },
@@ -12197,6 +12642,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "enotecastore.it", true },
   { "enpasenerji.com.tr", true },
   { "enquos.com", true },
+  { "enrich.email", true },
   { "enriquepiraces.com", true },
   { "enrollapp.com", true },
   { "ensage.io", true },
@@ -12205,6 +12651,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ensembling.com", true },
   { "ensley.tech", true },
   { "ensons.de", true },
+  { "ensured.com", true },
+  { "ensured.nl", true },
   { "ensurtec.com", true },
   { "ent-london.com", true },
   { "entabe.jp", true },
@@ -12213,7 +12661,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "entercenter.ru", true },
   { "enterprisey.enterprises", true },
   { "entersoftsecurity.com", true },
-  { "entersynapse.com", false },
   { "entheogens.com", true },
   { "enthusiaformazione.com", true },
   { "entradaweb.cl", true },
@@ -12224,6 +12671,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "entrusted.io", true },
   { "entryboss.cc", true },
   { "entrypoint.sh", true },
+  { "entwickler.land", true },
   { "enuchi.jp", true },
   { "envant.co.uk", true },
   { "enveloppenopmaat.nl", true },
@@ -12243,7 +12691,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eopugetsound.org", false },
   { "eosol.de", true },
   { "eosol.net", true },
-  { "eosol.services", true },
   { "epa.com.es", true },
   { "epassafe.com", true },
   { "epay.bg", true },
@@ -12253,7 +12700,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "epi.one", true },
   { "epic-vistas.com", true },
   { "epic-vistas.de", true },
-  { "epicbouncycastlehirenorwich.co.uk", true },
   { "epicbouncycastles.co.uk", true },
   { "epicdowney.com", true },
   { "epicenter.work", true },
@@ -12262,7 +12708,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "epichouse.net", false },
   { "epicinflatables.co.uk", true },
   { "epickitty.co.uk", true },
-  { "epicpages.com", true },
   { "epicsecure.de", true },
   { "epicsoft.de", false },
   { "epicvistas.com", true },
@@ -12276,6 +12721,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "episkevh-plaketas.gr", true },
   { "epistas.com", true },
   { "epistas.de", true },
+  { "epitesz.co", true },
   { "epiteugma.com", true },
   { "epizentrum.work", true },
   { "epizentrum.works", true },
@@ -12305,12 +12751,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eppelpress.lu", true },
   { "epreskripce.cz", true },
   { "epsilon.dk", true },
-  { "epsorting.cz", true },
   { "epspolymer.com", true },
   { "epublibre.org", true },
   { "epyonsuniverse.net", true },
   { "eq-serve.com", true },
   { "equalcloud.com", true },
+  { "equallove.me", true },
   { "equeim.ru", true },
   { "equidam.com", true },
   { "equinecoaching.ca", true },
@@ -12323,12 +12769,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "er-mgmt.com", true },
   { "er.tl", true },
   { "er1s.xyz", true },
+  { "erasmo.info", true },
   { "erasmusplusrooms.com", true },
   { "erate.fi", true },
   { "erath.fr", true },
   { "erdethamburgeronsdag.no", true },
   { "ereader.uno", true },
-  { "erectiepillenwinkel.nl", true },
   { "erethon.com", true },
   { "erf-neuilly.com", true },
   { "ergo-open.de", true },
@@ -12351,9 +12797,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ericoc.com", true },
   { "erics.site", true },
   { "ericschwartzlive.com", true },
+  { "ericspeidel.de", true },
   { "ericvaughn-flam.com", true },
   { "ericwie.se", true },
-  { "eridanus.uk", true },
+  { "ericyl.com", true },
   { "erigrid.eu", true },
   { "eriix.org", true },
   { "erikheemskerk.nl", true },
@@ -12370,7 +12817,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "erkaelderbarenaaben.dk", true },
   { "ernest.ly", true },
   { "ero.ink", true },
-  { "eroma.com.au", true },
   { "eron.info", true },
   { "eroskines.com", true },
   { "erp-band.ru", true },
@@ -12400,6 +12846,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "erudicia.se", true },
   { "erudicia.uk", true },
   { "erudikum.cz", true },
+  { "ervaarjapan.nl", true },
   { "erverydown.ml", true },
   { "erwanlepape.com", true },
   { "erwin.saarland", true },
@@ -12409,7 +12856,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "erythroxylum-coca.com", true },
   { "es-geenen.de", true },
   { "es.search.yahoo.com", false },
-  { "esaborit.ddns.net", true },
+  { "esafar.cz", false },
   { "esagente.com", true },
   { "esailinggear.com", true },
   { "esalesdata.com", true },
@@ -12419,7 +12866,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "esc.chat", true },
   { "esc.gov", true },
   { "escael.org", true },
-  { "escape2rooms.fr", true },
   { "escapeplaza.de", true },
   { "escapetalk.nl", true },
   { "escargotbistro.com", true },
@@ -12438,11 +12884,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "esg-abi2001.de", true },
   { "esgen.org", true },
   { "esgr.in", true },
+  { "eshigami.com", true },
   { "eshop-prices.com", true },
   { "eshspotatoes.com", true },
   { "esibun.net", true },
   { "esigmbh.de", true },
-  { "esipublications.com", true },
   { "esite.ch", true },
   { "eskdale.net", true },
   { "eskriett.com", true },
@@ -12452,6 +12898,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "esolcourses.com", true },
   { "esolitos.com", true },
   { "esono.de", true },
+  { "esote.net", true },
   { "esoterikerforum.de", true },
   { "espace-caen.fr", true },
   { "espace-gestion.fr", true },
@@ -12460,15 +12907,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "espacetemps.ch", true },
   { "espacetheosophie.fr", true },
   { "espacio-cultural.com", true },
+  { "espacioantiguo.com", true },
   { "espanol.search.yahoo.com", false },
   { "espanolseguros.com", true },
   { "espanova.com", true },
   { "espci.fr", true },
   { "especificosba.com.ar", true },
+  { "espehus.dk", true },
   { "espenandersen.no", true },
   { "espgg.org", true },
   { "esphigmenou.gr", true },
   { "espigol.org", true },
+  { "espiritugay.com", true },
   { "esport-battlefield.com", true },
   { "esports-network.de", true },
   { "espower.com.sg", true },
@@ -12484,24 +12934,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "essaychecker.com", true },
   { "essaydirectory.com", true },
   { "essayforsale.net", true },
+  { "essayjob.com", true },
   { "essaynews.com", true },
   { "essaypro.net", true },
   { "essaytalk.com", true },
   { "essaywriting.biz", true },
   { "essca.fr", true },
   { "essenalablog.de", true },
-  { "essencesdeprana.org", true },
+  { "essenciasparis.com.br", true },
   { "essex.cc", true },
   { "essite.net", true },
   { "esslm.sk", true },
   { "essoduke.org", true },
   { "essteebee.ch", true },
   { "establo.pro", true },
+  { "estada.ch", true },
   { "estafallando.es", true },
   { "estafallando.mx", true },
+  { "estaleiro.org", true },
   { "estate360.co.tz", true },
   { "estateczech-eu.ru", true },
-  { "estcequejailaflemme.fr", true },
+  { "estcequejailaflemme.fr", false },
   { "estcequonmetenprodaujourdhui.info", true },
   { "esteam.se", true },
   { "estedafah.com", true },
@@ -12514,8 +12967,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "estoic.net", true },
   { "estoniantrade.ee", true },
   { "estonoentraenelexamen.com", true },
+  { "estoppels.com", true },
   { "estudiarparaser.com", true },
   { "estudiserradal.com", true },
+  { "estufitas.com", true },
+  { "esu.zone", true },
   { "esurety.net", true },
   { "esuretynew.azurewebsites.net", true },
   { "esw00.com", true },
@@ -12528,7 +12984,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eta.cz", true },
   { "etaes.eu", true },
   { "etajerka-spb.ru", true },
-  { "etalent.net", true },
   { "etaoinwu.win", true },
   { "etasigmaphi.org", true },
   { "etath.com", true },
@@ -12537,6 +12992,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "etccooperative.org", true },
   { "etch.co", true },
   { "etd-glasfaser.de", true },
+  { "etda.or.th", true },
   { "etech-solution.com", true },
   { "etech-solution.net", true },
   { "etech-solutions.com", true },
@@ -12549,20 +13005,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "etfacta.com", true },
   { "eth-faucet.net", true },
   { "eth0.nl", true },
+  { "etha.nz", true },
   { "ethack.org", true },
   { "ethaligan.fr", true },
   { "ethan.pm", true },
+  { "ethanjones.me", true },
   { "ethercalc.com", true },
   { "ethercalc.org", true },
-  { "etherderbies.com", true },
-  { "ethergeist.de", true },
-  { "etherpad.fr", true },
+  { "ethergeist.de", false },
+  { "etherium.org", true },
   { "etherpad.nl", true },
+  { "ethers.news", true },
   { "ethicaldata.co.uk", true },
   { "ethicalpolitics.org", true },
   { "ethicsburg.gov", true },
   { "ethika.com", true },
   { "ethiopian.dating", true },
+  { "ethiopiannews247.com", true },
   { "ethitter.com", true },
   { "ethosinfo.com", true },
   { "etienne.cc", true },
@@ -12574,14 +13033,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "etrecosmeticderm.com", true },
   { "etresmant.es", true },
   { "etrker.com", true },
+  { "etrolleybizstore.com", true },
   { "etskinner.com", true },
   { "etskinner.net", true },
+  { "etssquare.com", true },
   { "etudesbibliques.fr", true },
   { "etudesbibliques.net", true },
   { "etudesbibliques.org", true },
+  { "eturist.si", true },
   { "etv.cx", true },
   { "etyd.org", true },
-  { "etzi.myds.me", true },
   { "eu-darlehen-finanzierung.de", true },
   { "eu-datenbank.de", true },
   { "eu-gamers.com", true },
@@ -12614,17 +13075,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eureka.archi", true },
   { "eurekaarchi.com", true },
   { "eurekaarchitecture.com", true },
+  { "eurheilu.com", true },
   { "euro-servers.de", true },
   { "euroalter.com", true },
   { "eurocars2000.es", true },
   { "eurocenterobuda.hu", true },
-  { "eurocomcompany.cz", true },
-  { "euroconthr.ro", true },
   { "eurodentaire.com", true },
   { "euroflora.com", true },
   { "euroflora.mobi", true },
   { "eurofrank.eu", true },
   { "eurolocarno.es", true },
+  { "europapier.com", true },
   { "europapier.hu", true },
   { "europapier.net", true },
   { "europapier.sk", true },
@@ -12648,14 +13109,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eurousa.us", true },
   { "eurovision.ie", true },
   { "euteamo.cn", true },
+  { "euterpiaradio.ch", true },
   { "eutotal.com", true },
   { "eutram.com", true },
+  { "euwid-energie.de", true },
   { "euwid.de", true },
   { "ev-zertifikate.de", true },
   { "eva-select.com", true },
   { "eva.cz", true },
   { "evaartinger.de", true },
-  { "evadifranco.com", true },
   { "evafojtova.cz", true },
   { "evailoil.ee", true },
   { "evailoil.eu", true },
@@ -12666,6 +13128,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evanfiddes.com", true },
   { "evangelicalmagazine.com", true },
   { "evangelosm.com", true },
+  { "evansdesignstudio.com", true },
   { "evantageglobal.com", true },
   { "evanwang0.com", true },
   { "evapp.org", true },
@@ -12674,11 +13137,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evavolfova.cz", true },
   { "eve.ac", true },
   { "eve0s.com", true },
+  { "eveadmin.azurewebsites.net", true },
   { "evelienzorgt.nl", true },
   { "evelyndayman.com", true },
   { "evemarketer.com", true },
+  { "evemodx.com", true },
   { "evenementenhoekvanholland.nl", true },
   { "evenstargames.com", true },
+  { "event-blick.de", true },
   { "event4fun.no", true },
   { "eventaro.com", true },
   { "eventide.space", true },
@@ -12696,6 +13162,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evergladesrestoration.gov", true },
   { "evergreenmichigan.com", true },
   { "everhome.de", true },
+  { "everitoken.io", true },
   { "everling.lu", true },
   { "everlong.org", true },
   { "evermarkstudios.com", true },
@@ -12712,7 +13179,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "everygayporn.com", false },
   { "everything-everywhere.com", true },
   { "everythingaccess.com", true },
-  { "everythingstech.com", true },
   { "everythinq.com", true },
   { "everytrycounts.gov", false },
   { "everywhere.cloud", true },
@@ -12724,9 +13190,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evidenceusa.com.br", true },
   { "evidencija.ba", true },
   { "evidentiasoftware.com", true },
-  { "evilarmy.com", true },
   { "evilbunnyfufu.com", true },
-  { "evilcult.me", true },
+  { "evileden.com", true },
   { "evilized.de", true },
   { "evilmartians.com", true },
   { "evilsite.cf", true },
@@ -12737,14 +13202,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evodation.org", true },
   { "evodia-spirits.de", true },
   { "evok.com.co", false },
-  { "evokepk.com", true },
   { "evolutioninflatables.co.uk", true },
   { "evolutionlending.co.uk", true },
   { "evolutionpets.com", true },
   { "evolutionsmedicalspa.com", true },
   { "evolvetechnologies.co.uk", true },
   { "evolvingthoughts.net", true },
-  { "evonews.com", true },
   { "evony.eu", true },
   { "evosyn.com", true },
   { "evotec.pl", true },
@@ -12753,16 +13216,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "evrial.com", true },
   { "evrica.me", true },
   { "evromandie.ch", true },
+  { "evrotrust.com", true },
   { "evstatus.com", true },
   { "evtasima.name.tr", true },
   { "evtripping.com", true },
+  { "evtscan.io", true },
   { "ewaipiotr.pl", true },
   { "ewanm89.co.uk", true },
   { "ewanm89.com", true },
   { "ewanm89.uk", true },
   { "ewe2.ninja", true },
+  { "ewhitehat.com", true },
   { "ewie.name", true },
   { "ewizmo.com", true },
+  { "ewok.io", true },
   { "ewout.io", true },
   { "ewsfeed.com", true },
   { "ewtl.es", true },
@@ -12776,14 +13243,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "examedge.com", true },
   { "example.sc", true },
   { "example.wf", true },
-  { "examplesu.com", true },
   { "examsmate.in", true },
   { "exaplac.com", true },
   { "exarpy.com", true },
   { "exatmiseis.net", false },
   { "exceed.global", true },
   { "exceedagency.com", true },
+  { "excel-utbildning.nu", true },
   { "excelhot.com", true },
+  { "excelkurs.one", true },
+  { "excella.me", true },
   { "exceltechdubai.com", true },
   { "exceltechoman.com", true },
   { "exceltobarcode.com", true },
@@ -12794,7 +13263,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "exchaser.com", true },
   { "exclusivebouncycastles.co.uk", true },
   { "exclusivecarcare.co.uk", true },
-  { "exclusivedesignz.com", true },
   { "exdamo.de", false },
   { "exe-boss.tech", true },
   { "execution.biz.tr", true },
@@ -12807,22 +13275,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "exeria.de", true },
   { "exexcarriers.com", true },
   { "exgen.io", true },
-  { "exhaledayspa.com.au", true },
   { "exhalespa.com", true },
   { "exhibityour.com", true },
   { "exiahost.com", true },
   { "exit9wineandliquor.com", true },
   { "exitooutdoor.com", true },
+  { "exmart.ng", true },
   { "exmoe.com", true },
-  { "exnovin.co", true },
   { "exon.io", true },
-  { "exoplatform.com", true },
   { "exordiumconcepts.com", true },
   { "exoscale.ch", true },
   { "exoscale.com", true },
   { "exoten-spezialist.de", true },
   { "exousiakaidunamis.pw", true },
   { "exp.de", true },
+  { "expancio.com", false },
+  { "expanddigital.media", true },
   { "expandeco.com", true },
   { "expatmortgage.uk", true },
   { "expe.voyage", true },
@@ -12841,6 +13309,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "expiscor.solutions", true },
   { "explodie.org", true },
   { "exploflex.com.br", true },
+  { "exploit-db.com", true },
   { "exploit.cz", true },
   { "exploit.party", true },
   { "exploit.ph", true },
@@ -12875,6 +13344,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "exside.com", true },
   { "exsora.com", true },
   { "extasic.com", true },
+  { "extendwings.com", true },
   { "extensia.it", true },
   { "extensibility.biz.tr", true },
   { "extensiblewebmanifesto.org", true },
@@ -12902,6 +13372,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "extradivers-worldwide.com", true },
   { "extranetpuc.com.br", true },
   { "extrapagetab.com", true },
+  { "extreemhost.nl", true },
   { "extreme-gaming.de", true },
   { "extreme-gaming.us", true },
   { "extreme-players.com", true },
@@ -12911,6 +13382,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "exxo.tk", true },
   { "exyplis.com", true },
   { "eydesignguidelines.com", true },
+  { "eye-encounters.com", true },
   { "eyeandfire.com", true },
   { "eyecandy.gr", true },
   { "eyeglasses.com", false },
@@ -12923,14 +13395,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "eynio.com", true },
   { "eyona.com", true },
   { "eyps.net", true },
+  { "eyrelles-tissus.com", true },
   { "eyyit.com", false },
   { "eyyubyilmaz.com", true },
   { "ez3d.eu", true },
   { "ezakazivanje.rs", true },
   { "ezdog.press", true },
-  { "ezequiel-garzon.net", true },
+  { "ezesec.com", true },
   { "ezgif.com", true },
   { "ezhik-din.ru", true },
+  { "ezpzdelivery.com", true },
   { "eztvtorrent.com", true },
   { "ezwritingservice.com", true },
   { "ezzhole.net", true },
@@ -12952,14 +13426,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "f5.hk", true },
   { "f5nu.com", true },
   { "f5w.de", true },
+  { "f88-line.com", true },
+  { "f88-line.net", true },
+  { "f88line.com", true },
+  { "f88line.net", true },
+  { "f88yule1.com", true },
+  { "f88yule5.com", true },
+  { "f88yule6.com", true },
+  { "f88yule7.com", true },
+  { "f88yule8.com", true },
   { "fa-works.com", true },
   { "fabbro-roma.org", true },
+  { "fabbro.roma.it", true },
   { "faber.org.ru", true },
   { "fabian-fingerle.de", true },
   { "fabian-klose.com", true },
   { "fabian-klose.de", true },
   { "fabian-klose.net", true },
-  { "fabian-koeppen.de", true },
   { "fabianackle.ch", true },
   { "fabianbeiner.com", false },
   { "fabianbeiner.de", false },
@@ -12974,6 +13457,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fabriceleroux.com", true },
   { "fabriziocavaliere.it", true },
   { "fabriziorocca.it", true },
+  { "fabrysociety.org", true },
   { "fabse.net", true },
   { "facanabota.com", true },
   { "facanabota.com.br", true },
@@ -13007,7 +13491,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "factbytefactbox.com", true },
   { "factcool.com", true },
   { "factor.cc", false },
-  { "factureenlinea.com", true },
   { "factuur.pro", true },
   { "factuursturen.be", true },
   { "factuursturen.nl", true },
@@ -13020,6 +13503,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "faelix.net", true },
   { "faerb.it", true },
   { "faerie-art.com", true },
+  { "faeservice.eu", true },
+  { "fafarishoptrading.com", true },
   { "fahnamporn.com", true },
   { "fahnen-fanwelt.de", true },
   { "fahrenwal.de", true },
@@ -13058,13 +13543,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fakturi.com", true },
   { "fakturoid.cz", true },
   { "falaeapp.org", true },
-  { "falaland.com", true },
   { "falaowang.com", true },
   { "falbros.com", true },
+  { "falce.in", true },
+  { "falcema.com", true },
   { "falcona.io", true },
   { "falconfrag.com", true },
   { "falconvintners.com", true },
-  { "falcoz.co", true },
+  { "falcoz.co", false },
   { "faldoria.de", true },
   { "falegname-roma.it", true },
   { "falkhusemann.de", true },
@@ -13086,13 +13572,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fameus.fr", true },
   { "famfi.co", true },
   { "familiaperez.net", true },
+  { "familie-keil.de", true },
   { "familie-kruithof.nl", true },
   { "familie-kupschke.de", true },
   { "familie-leu.ch", true },
+  { "familie-mischak.de", true },
   { "familie-monka.de", true },
   { "familie-poeppinghaus.de", true },
   { "familie-remke.de", true },
-  { "familiegrottendieck.de", true },
   { "familieholme.de", true },
   { "familiekiekjes.nl", true },
   { "familjenfrodlund.se", true },
@@ -13110,6 +13597,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fan.gov", true },
   { "fanactu.com", true },
   { "fanatical.com", true },
+  { "fanatik.io", true },
   { "fanboi.ch", true },
   { "fancy-bridge.com", true },
   { "fancy.org.uk", true },
@@ -13119,6 +13607,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fandomservices.com", true },
   { "fanfareunion.ch", true },
   { "fangs.ink", true },
+  { "fanhouwan.com", true },
   { "fanjoe.be", true },
   { "fansided.com", true },
   { "fantasiapainter.com", true },
@@ -13128,8 +13617,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fantastici.de", true },
   { "fantasticservices.com", true },
   { "fantasticservicesgroup.com.au", true },
+  { "fantasy-judo.com", true },
   { "fantasycastles.co.uk", true },
+  { "fantasycdn.com", true },
+  { "fantasydrop.com", true },
   { "fantasyescortsbirmingham.co.uk", true },
+  { "fantasymina.de", true },
   { "fantasypartyhire.com.au", true },
   { "fantasyspectrum.com", true },
   { "fantopia.club", true },
@@ -13139,12 +13632,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fanyue123.tk", true },
   { "fanz.pro", true },
   { "fanzlive.com", true },
+  { "fapplepie.com", true },
   { "faq.ie", true },
   { "fara.gov", true },
   { "faradji.nu", true },
   { "faradome.ws", true },
   { "faraslot8.com", true },
   { "farcecrew.de", true },
+  { "farces.com", false },
   { "farfallapets.com.br", true },
   { "farfetchos.com", true },
   { "fargtorget.se", true },
@@ -13152,6 +13647,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "farhood.org", true },
   { "farid.is", true },
   { "farmacia-discreto.com", true },
+  { "farmaciadejaime.es", true },
   { "farmacialaboratorio.it", true },
   { "farmer.dating", true },
   { "farmers.gov", false },
@@ -13160,15 +13656,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "faroes.net", true },
   { "faroes.org", true },
   { "farrel-f.cf", true },
-  { "farrel-f.id", true },
   { "farrel-f.tk", true },
   { "farrelf.blog", true },
-  { "farsil.eu", true },
   { "fart.wtf", true },
   { "farthing.xyz", true },
   { "farwat.ru", true },
   { "faschingmd.com", true },
-  { "fascia.fit", true },
   { "fashion-stoff.de", true },
   { "fashion24.de", true },
   { "fashion4ever.pl", true },
@@ -13196,10 +13689,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fassaden-selleng.de", true },
   { "fassadenverkleidung24.de", true },
   { "fassi-sport.it", true },
+  { "fast-host.net", true },
+  { "fast-pro.co.jp", true },
   { "fastblit.com", true },
   { "fastcash.com.br", true },
+  { "fastcomcorp.com", true },
   { "fastcommerce.org", true },
-  { "fastcp.top", true },
   { "fastest-hosting.co.uk", true },
   { "fastforwardsociety.nl", true },
   { "fastforwardthemes.com", true },
@@ -13210,10 +13705,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fastrevision.com", true },
   { "fastvistorias.com.br", true },
   { "faszienrollen-info.de", false },
+  { "fatalerrorcoded.eu", true },
   { "fateandirony.com", true },
   { "fatecdevday.com.br", true },
   { "fatedata.com", true },
   { "fateitalia.it", true },
+  { "fatherhood.gov", true },
   { "fathers4equalrights.org", true },
   { "fatidique.com", true },
   { "fatimamoldes.com.br", true },
@@ -13228,7 +13725,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fawong.com", true },
   { "faxite.com", true },
   { "faxvorlagen-druckvorlagen.de", true },
-  { "fayntic.com", true },
   { "fb.me", true },
   { "fbcdn.net", true },
   { "fbcopy.com", true },
@@ -13275,7 +13771,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "featherweightlabs.com", true },
   { "featuredmen.com", false },
   { "feb.gov", true },
-  { "fecik.sk", true },
   { "fedcenter.gov", true },
   { "federaljobs.gov", true },
   { "federalreserve.gov", true },
@@ -13293,7 +13788,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fedshirevets.gov", true },
   { "fedux.com.ar", true },
   { "fedvan.com", true },
-  { "fee-hosting.com", true },
   { "feedbin.com", false },
   { "feedfall.com", true },
   { "feedhq.org", true },
@@ -13301,6 +13795,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "feedough.com", true },
   { "feedthefuture.gov", true },
   { "feeeei.com", true },
+  { "feek.fit", true },
   { "feel-events.com", true },
   { "feel.aero", true },
   { "feelgood-workouts.de", true },
@@ -13321,19 +13816,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "feigling.net", false },
   { "feildel.fr", true },
   { "feilen.de", true },
+  { "feisbed.com", true },
   { "feisim.com", true },
   { "feisim.org", true },
   { "feistyduck.com", true },
   { "feizhujianzhi.com", true },
-  { "fejes.house", true },
   { "feld.design", true },
   { "feld.saarland", true },
   { "feldhousen.com", true },
+  { "feldmann-stachelscheid.de", true },
   { "felett.es", true },
   { "feli.games", true },
   { "felicifia.org", true },
   { "felinepc.com", true },
-  { "felisslovakia.sk", true },
   { "felistirnavia.sk", true },
   { "felixaufreisen.de", true },
   { "felixbarta.de", true },
@@ -13348,6 +13843,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "femastudios.com", true },
   { "femiluna.com", true },
   { "feminina.pt", true },
+  { "feminism.lgbt", true },
   { "femradio.es", true },
   { "femtomind.com", true },
   { "fence-stlouis.com", true },
@@ -13366,6 +13862,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ferienhaus-polchow-ruegen.de", false },
   { "ferienhausprovence.ch", true },
   { "ferienwohnung-hafeninsel-stralsund.de", true },
+  { "ferienwohnung-wiesengrund.eu", true },
   { "feriespotter.dk", true },
   { "ferm-rotterdam.nl", true },
   { "fermabel.com.br", true },
@@ -13379,6 +13876,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ferret.zone", true },
   { "ferreteriaxerez.com", true },
   { "ferrolatino.ch", true },
+  { "ferrone.ru", true },
   { "ferrousmoon.com", true },
   { "ferry.tw", true },
   { "ferticare.pt", true },
@@ -13400,6 +13898,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "feuerwehr-oberkotzau.de", true },
   { "feuerwehr-offenbach-bieber.de", false },
   { "feuerwehr-vechta.de", true },
+  { "feuerwehrbadwurzach.de", true },
   { "feuerwerksmanufaktur.de", true },
   { "feuetgloire.com", true },
   { "fewo-hafeninsel-stralsund.de", true },
@@ -13410,14 +13909,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ff-bad-hoehenstadt.de", true },
   { "ff-getzersdorf.at", true },
   { "ff-obersunzing-niedersunzing.de", true },
-  { "ff14-mstdn.xyz", true },
+  { "ff14-mstdn.xyz", false },
   { "ffb.gov", false },
-  { "ffbans.org", true },
+  { "ffbsee.net", true },
+  { "ffh.me", true },
   { "ffiec.gov", true },
   { "ffis.me", true },
   { "ffkoenigsberg.de", true },
   { "ffmradio.de", true },
   { "ffprofile.com", true },
+  { "ffrev.de", true },
   { "ffsociety.nl", true },
   { "ffta.eu", true },
   { "ffw-zeven.de", true },
@@ -13429,7 +13930,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fhdhelp.de", false },
   { "fhdhilft.de", false },
   { "fhfaoig.gov", true },
-  { "fhg90.com", true },
   { "fhmkh.cn", true },
   { "fi.google.com", true },
   { "fi.search.yahoo.com", false },
@@ -13439,10 +13939,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fiasgo.com", true },
   { "fiasgo.dk", true },
   { "fiasgo.i.ng", true },
+  { "fibabanka.com.tr", true },
   { "fibo-forex.org", true },
   { "fibra.click", true },
   { "fibretv.co.nz", true },
   { "fibretv.tv", true },
+  { "fibromuebles.com", true },
   { "fichier-pdf.fr", true },
   { "fickweiler.nl", true },
   { "ficlab.com", true },
@@ -13454,10 +13956,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fidelis-it.net", true },
   { "fidhouriet.ch", true },
   { "fiduciaire-ratio.ch", true },
-  { "fieldwork-paysage.com", true },
+  { "fieldwork-paysage.com", false },
   { "fierlafijn.net", true },
   { "fierscleaning.nl", true },
   { "fiery.me", true },
+  { "fiestagenial.com", true },
   { "fifautstore.com", true },
   { "fifei.de", true },
   { "fifichachnil.paris", true },
@@ -13469,16 +13972,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fight215.com", true },
   { "fight215.org", true },
   { "figinstitute.org", true },
+  { "figliasons.com", true },
   { "figshare.com", true },
   { "figurasdelinguagem.com.br", true },
   { "figure.nz", true },
   { "fiilr.com", true },
-  { "fiissh.tech", true },
   { "fiix.io", true },
   { "fijnefeestdageneneengelukkignieuwjaar.nl", true },
   { "fijnewoensdag.nl", true },
   { "fiken.no", true },
   { "fikst.com", true },
+  { "fil-tec-rixen.com", true },
   { "fil.fi", true },
   { "filanthropystar.org", true },
   { "file-cloud.eu", true },
@@ -13504,13 +14008,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "filleritemsindia.com", true },
   { "fillo.sk", true },
   { "film-colleges.com", true },
-  { "film-storyboards.com", true },
   { "film-storyboards.fr", true },
   { "film-tutorial.com", true },
   { "filme-onlines.com", true },
   { "filmers.net", true },
   { "filmesonline.online", true },
   { "filmitis.com", true },
+  { "filmovizija.mk", true },
   { "filmreviewonline.com", true },
   { "filmserver.de", true },
   { "filmsite-studio.com", true },
@@ -13520,6 +14024,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "filterlists.com", true },
   { "filtr.me", true },
   { "fimsquad.com", true },
+  { "finagosolo.com", true },
   { "final-expense-quotes.com", true },
   { "finalprice.net", true },
   { "finalrewind.org", true },
@@ -13547,12 +14052,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "findstorenearme.co.uk", true },
   { "findstorenearme.us", true },
   { "findthatnude.com", true },
+  { "findyourtrainer.com", true },
   { "findyourvoice.ca", true },
-  { "fine-services.paris", true },
-  { "finecocoin.io", true },
+  { "finecocoin.io", false },
+  { "finecraft.cc", true },
   { "finefriends.nl", true },
   { "finelovedolls.com", true },
   { "finenet.com.tw", true },
+  { "finesoon.net", true },
   { "finevegashomes.com", true },
   { "finfev.de", true },
   { "finflix.net", true },
@@ -13571,6 +14078,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fintry.ca", true },
   { "finvantage.com", true },
   { "finwe.info", true },
+  { "finzy.com", true },
+  { "fionafuchs.de", true },
   { "fionamcbride.com", true },
   { "fioristionline.it", true },
   { "fioristionline.net", true },
@@ -13604,6 +14113,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "firevap.org", true },
   { "firewallconsultants.com", true },
   { "fireworksshowvr.com", true },
+  { "firexfly.com", true },
   { "firma-cerny.cz", true },
   { "firma-offshore.com", true },
   { "firmament.space", true },
@@ -13625,7 +14135,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "firstinnovationltd.com", true },
   { "firstmall.de", true },
   { "firstq.xyz", true },
-  { "fischer-its.com", false },
   { "fischer-kundendienst.de", true },
   { "fischers.cc", true },
   { "fischers.it", true },
@@ -13639,10 +14148,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fishermansbendcorporation.com.au", true },
   { "fishermansbendtownhouses.com.au", true },
   { "fishexport.eu", true },
-  { "fishfinders.info", true },
   { "fishgen.no", true },
   { "fishserver.net", true },
   { "fishtacos.blog", true },
+  { "fisinfomanagerdr.com", true },
+  { "fisiobox.eu", true },
+  { "fiskalnepretor.pl", true },
   { "fistu.la", true },
   { "fit-4u.ch", true },
   { "fit-mit-nina.com", true },
@@ -13654,12 +14165,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fitmeat.at", true },
   { "fitness-challenge.co.uk", true },
   { "fitness.gov", true },
+  { "fitseven.ru", true },
   { "fittelo.cz", true },
   { "fitzsim.org", true },
   { "fiuxy.bz", true },
   { "fiuxy.co", true },
   { "fiuxy.me", true },
-  { "fiveboosts.xyz", true },
   { "fivethirtyeight.com", true },
   { "fixatom.com", true },
   { "fixed.supply", true },
@@ -13674,11 +14185,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fiziktedavi.name.tr", true },
   { "fizyoterapi.name.tr", true },
   { "fizz.buzz", false },
+  { "fj.je", true },
   { "fj.search.yahoo.com", false },
   { "fj.simple.com", false },
+  { "fjdekermadec.com", true },
   { "fjharcu.com", true },
   { "fjordboge.dk", true },
   { "fjugstad.com", true },
+  { "fjzone.org", true },
   { "fkcdn.de", true },
   { "fkfev.de", true },
   { "fktpm.ru", true },
@@ -13713,6 +14227,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "flavr.be", true },
   { "flawlesscowboy.xyz", true },
   { "fleep.io", true },
+  { "fleesty.dynv6.net", true },
   { "fleetcor.at", true },
   { "fleetcor.ch", true },
   { "fleetcor.cz", true },
@@ -13743,9 +14258,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "flexport.com", true },
   { "flexstart.me", true },
   { "flextrack.dk", true },
-  { "flextribly.xyz", true },
   { "fliacuello.com.ar", true },
   { "flickcritter.com", true },
+  { "flieger-funk-runde.de", true },
   { "fliesen-waldschmidt.de", true },
   { "flight.school", true },
   { "flightdeckfriend.com", true },
@@ -13764,10 +14279,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "flipneus.net", true },
   { "fliptable.org", true },
   { "flirt-norden.de", true },
-  { "flirtee.net", false },
+  { "flirtee.net", true },
   { "flirtfaces.de", true },
   { "flirtos.de", true },
-  { "flixhaven.net", true },
   { "flixports.com", true },
   { "flmortgagebank.com", true },
   { "floatationlocations.com", true },
@@ -13776,6 +14290,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "flocktofedora.org", true },
   { "floersheimer-openair.de", true },
   { "floffi.media", true },
+  { "floify.com", true },
   { "floj.tech", true },
   { "flokinet.is", true },
   { "floless.co.uk", true },
@@ -13796,7 +14311,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "floresvilleedc.org", true },
   { "florian-bachelet.fr", true },
   { "florian-thie.de", true },
-  { "florian2833z.de", true },
   { "floriankarmen.com", true },
   { "floriankeller.de", true },
   { "florianmitrea.uk", true },
@@ -13813,20 +14327,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "florisvdk.net", true },
   { "floriswesterman.nl", true },
   { "flosch.at", false },
-  { "floseed.fr", true },
   { "floskelwolke.de", true },
+  { "flourishtogether.com", true },
   { "flow.su", true },
   { "flowair24.ru", true },
   { "flowcom.de", true },
-  { "flowcount.xyz", true },
   { "flowersbylegacy.com", true },
   { "flowinvoice.com", true },
   { "flowreader.com", true },
   { "flra.gov", true },
-  { "flucky.xyz", true },
-  { "flucto.com", true },
-  { "flue-ducting.co.uk", true },
   { "fluffycloud.de", true },
+  { "fluggesellschaft.de", true },
   { "fluhrers.de", true },
   { "fluidmeterusa.com", true },
   { "fluids.ac.uk", true },
@@ -13856,9 +14367,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "flyingrub.me", true },
   { "flymns.fr", true },
   { "flynn.io", true },
+  { "flyp.me", true },
+  { "flypenge.dk", true },
   { "flyserver.co.il", true },
   { "flyshe.co.uk", true },
-  { "flyssh.net", true },
   { "flyswoop.com", true },
   { "flyt.online", true },
   { "flytoadventures.com", true },
@@ -13877,6 +14389,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fnkr.net", true },
   { "fnof.ch", true },
   { "fnordserver.eu", true },
+  { "fnpro.eu", true },
   { "fnzc.co.nz", true },
   { "foairbus.fr", true },
   { "foairbussas.fr", true },
@@ -13886,6 +14399,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "focuspointtechnologies.com", true },
   { "foej-aktiv.de", true },
   { "foej.net", true },
+  { "foerster.gmbh", true },
   { "fogpublishingph.com", true },
   { "fogway.net", true },
   { "foia.gov", true },
@@ -13930,8 +14444,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foo.hamburg", true },
   { "foodattitude.ch", true },
   { "foodblogger.club", true },
-  { "foodcowgirls.com", true },
   { "foodev.de", true },
+  { "foodloader.net", true },
   { "foodsafety.gov", true },
   { "foodsafetyjobs.gov", true },
   { "foodsouvenirs.it", true },
@@ -13943,6 +14457,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fooster.io", true },
   { "foot.fr", true },
   { "footagecrate.com", true },
+  { "football.de", true },
   { "footballforum.de", true },
   { "footloose.co.uk", true },
   { "for.care", true },
@@ -13972,13 +14487,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "forex.ee", true },
   { "forexchef.de", true },
   { "forexee.com", true },
-  { "forexsignals7.com", true },
   { "forextickler.com", true },
   { "forextimes.ru", false },
   { "forfunssake.co.uk", true },
   { "forge-goerger.eu", true },
   { "forgotten-legends.org", true },
   { "form3w.nl", true },
+  { "formacionyestudios.com", true },
   { "forman.store", true },
   { "formapi.io", true },
   { "format-paysage.ch", true },
@@ -13987,7 +14502,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "formationseeker.com", true },
   { "formbetter.com", true },
   { "formini.dz", true },
-  { "formkiq.com", true },
   { "formsbyair.com", true },
   { "formula-ot.ru", true },
   { "formulacionquimica.com", true },
@@ -13997,10 +14511,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foro.io", false },
   { "forodeespanol.com", true },
   { "forodieta.com", true },
+  { "forokd.com", true },
   { "forologikidilosi.com.gr", true },
   { "forourselves.com", true },
-  { "forpc.us", true },
   { "forrestheller.com", true },
+  { "forro.berlin", true },
   { "forro.info", true },
   { "forsakringsarkivet.se", true },
   { "forschbach-janssen.de", true },
@@ -14043,7 +14558,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foto-leistenschneider.de", true },
   { "foto-leitner.com", true },
   { "foto-leitner.de", true },
-  { "foto-pro.by", true },
   { "foto-robitsch.at", true },
   { "foto-roma.ru", true },
   { "foto.by", true },
@@ -14052,6 +14566,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fotoflits.net", true },
   { "fotografechristha.nl", true },
   { "fotografiadellalucerossa.com", true },
+  { "fotografiamakro.pl", true },
   { "fotohome.dk", true },
   { "fotokomorkomania.pl", true },
   { "fotoleitner.com", true },
@@ -14076,11 +14591,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foutrelis.com", true },
   { "fowlervwparts.com", true },
   { "fowlsmurf.net", true },
-  { "fox.my", true },
+  { "fox.my", false },
   { "foxbnc.co.uk", true },
   { "foxdev.co", true },
   { "foxesare.sexy", true },
-  { "foxhound.com.br", true },
   { "foxing.club", true },
   { "foxo.blue", true },
   { "foxontheinter.net", true },
@@ -14088,6 +14602,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "foxquill.com", true },
   { "foxstreetcomms.co.za", true },
   { "fpaci.org", true },
+  { "fpasca.com", true },
   { "fpc.gov", false },
   { "fpersona.com", true },
   { "fpgradosuperior.com", true },
@@ -14103,6 +14618,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fracreazioni.it", true },
   { "fraesentest.de", true },
   { "fragmentspuren.de", true },
+  { "fragrances.bg", true },
   { "fragstore.net", true },
   { "fraho.eu", true },
   { "framapiaf.org", true },
@@ -14118,6 +14634,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "franchini.engineer", true },
   { "francis.tokyo", true },
   { "francisli.net", false },
+  { "franckgirard.net", true },
   { "franckyz.com", true },
   { "francois-gaillard.fr", true },
   { "francois-occasions.be", true },
@@ -14142,6 +14659,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "frankl.in", true },
   { "frankmorrow.com", true },
   { "frankopol-sklep.pl", true },
+  { "frankpalomeque.com", true },
   { "franksiler.com", true },
   { "frankslaughterinsurance.com", true },
   { "frankwei.xyz", true },
@@ -14173,34 +14691,38 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "frdl.ch", true },
   { "freaksites.dk", true },
   { "freaksports.com.au", true },
-  { "frebi.org", true },
-  { "frebib.co.uk", true },
-  { "frebib.com", true },
-  { "frebib.me", true },
-  { "frebib.net", true },
+  { "freakyawesome.agency", true },
+  { "freakyawesome.art", true },
+  { "freakyawesome.band", true },
+  { "freakyawesome.business", true },
+  { "freakyawesome.ca", true },
+  { "freakyawesome.co.uk", true },
+  { "freakyawesome.in", true },
+  { "freakyawesome.net", true },
+  { "freakyawesome.org", true },
   { "freddieonfire.tk", false },
   { "freddyfazbearspizzeria.com", true },
   { "freddysfuncastles.co.uk", true },
-  { "frederickalcantara.com", true },
   { "frederik-braun.com", false },
   { "frederikvig.com", true },
   { "fredloya.com", true },
-  { "fredriksslekt.se", true },
+  { "fredriksslaktforskning.se", true },
   { "fredtec.ru", true },
   { "fredvoyage.fr", true },
-  { "free-your-pc.com", true },
+  { "free-ss.site", true },
   { "free.ac.cn", true },
   { "free.com.tw", true },
+  { "freeassangenow.org", true },
   { "freeasyshop.com", true },
   { "freebarrettbrown.org", true },
   { "freebcard.com", true },
   { "freebetoffers.co.uk", true },
-  { "freebies.id", true },
   { "freebookmakersbetsandbonuses.com.au", true },
   { "freeboson.org", true },
+  { "freebus.org", true },
   { "freecam2cam.site", true },
   { "freecloud.at", true },
-  { "freecookies.nl", true },
+  { "freecycleusa.com", true },
   { "freedev.cz", true },
   { "freedom.nl", true },
   { "freedom.press", true },
@@ -14219,18 +14741,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freeinoutboard.com", true },
   { "freejasongoudlock.org", true },
   { "freejeremy.net", true },
+  { "freekdevries.nl", true },
+  { "freeks.com.br", true },
   { "freela.ch", true },
   { "freelance.boutique", true },
   { "freelance.guide", true },
   { "freelance.nl", true },
-  { "freelancecollab.com", true },
   { "freelanceessaywriters.com", true },
   { "freelancehunt.com", true },
-  { "freelanceshipping.com", true },
+  { "freelancejobs.org.uk", true },
   { "freelauri.com", true },
   { "freelifer.jp", true },
   { "freelo.cz", true },
   { "freelysurf.cf", true },
+  { "freemania.eu", true },
+  { "freemania.nl", true },
   { "freemanlogistics.com", true },
   { "freemans.com", true },
   { "freemomhugs.org", true },
@@ -14239,7 +14764,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freenetproject.org", true },
   { "freeonplate.com", true },
   { "freepnglogos.com", true },
-  { "freepoints.us", true },
   { "freepublicprofile.com", true },
   { "freergform.org", true },
   { "freeshell.de", true },
@@ -14250,12 +14774,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freesoft-board.to", true },
   { "freesoftlab.com", true },
   { "freesolitaire.win", true },
+  { "freesourcestl.org", true },
+  { "freesquare.net", true },
   { "freessl.tech", true },
   { "freesslcertificate.me", true },
   { "freethetv.ie", true },
   { "freetsa.org", true },
-  { "freevps.us", false },
   { "freeweibo.com", true },
+  { "freewoodfactory.com", true },
   { "freeyourmusic.com", true },
   { "freezion.com", true },
   { "frei.social", true },
@@ -14271,8 +14797,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freifunk-remscheid.de", true },
   { "freimeldungen.de", true },
   { "freims.cc", true },
-  { "freitasul.com.br", true },
-  { "freitasul.io", true },
   { "freiwurst.net", true },
   { "freizeitbad-riff.de", true },
   { "freizeitplaza.de", true },
@@ -14288,9 +14812,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freshdns.nl", true },
   { "freshempire.gov", true },
   { "freshislandfish.com", true },
-  { "freshkiss.com.au", true },
-  { "freshmaza.com", true },
+  { "freshlymind.com", true },
   { "freshmaza.net", true },
+  { "freshpounds.com", true },
   { "fretscha.com", true },
   { "frettirnar.is", true },
   { "fretworksec.com", true },
@@ -14299,6 +14823,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "freundinnen-urlaub.de", true },
   { "friarsonbase.com", true },
   { "fribourgviking.net", true },
+  { "frickelboxx.de", true },
   { "frickelmeister.de", true },
   { "fridayfoucoud.ma", true },
   { "fridolinka.cz", true },
@@ -14312,6 +14837,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "friends-of-naz.com", true },
   { "friends-socialgroup.org", true },
   { "friends24.cz", true },
+  { "friendship-quotes.co.uk", true },
   { "friendshipismagicsquad.com", true },
   { "friendsofgfwpc.org", true },
   { "frieslandrail.nl", true },
@@ -14321,6 +14847,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "frigi.ch", true },
   { "frigolit.net", true },
   { "frillip.com", true },
+  { "fringeintravel.com", true },
   { "frinkiac.com", true },
   { "frino.de", true },
   { "frippz.se", true },
@@ -14328,6 +14855,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fritzrepair.com", true },
   { "frizo.com", true },
   { "frly.de", true },
+  { "frnco.uk", true },
   { "frob.nl", true },
   { "froehliche-hessen.de", true },
   { "frogatto.com", true },
@@ -14338,11 +14866,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "frolova.org", true },
   { "from-the-net.com", true },
   { "fromscratch.rocks", true },
-  { "fromthesoutherncross.com", true },
   { "fronteers.nl", false },
   { "frontier-ad.co.jp", true },
   { "frontier.bet", true },
-  { "frontierdiscount.com", true },
   { "frontiers.nl", true },
   { "frontlinemessenger.com", true },
   { "fropky.com", true },
@@ -14367,11 +14893,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "frugalmechanic.com", true },
   { "frugro.be", true },
   { "fruition.co.jp", true },
+  { "fruitscale.com", true },
   { "frusky.de", true },
   { "fruttini.de", true },
   { "frydrychit.cz", true },
   { "fs-community.nl", true },
-  { "fs-fitness.eu", true },
   { "fs-g.org", true },
   { "fs-maistadt.de", true },
   { "fs257.com", true },
@@ -14387,12 +14913,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fsdress.com", true },
   { "fsfxpackages.com", true },
   { "fsg.one", true },
-  { "fsj4u.ch", true },
   { "fsk.fo", true },
   { "fsky.info", true },
   { "fsm2016.org", true },
   { "fsps.ch", true },
   { "fsstyle.com", true },
+  { "fsty.uk", true },
   { "fsvt.ch", true },
   { "ft.com", false },
   { "ftc.gov", false },
@@ -14404,17 +14930,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ftptest.net", true },
   { "ftrsecure.com", true },
   { "ftv.re", true },
-  { "fu639.top", true },
   { "fu898.top", true },
   { "fuantaishenhaimuli.net", true },
   { "fuck-your-false-positive.de", true },
   { "fuckav.ru", true },
   { "fuckcie.com", true },
   { "fucklife.ch", true },
-  { "fuckobr.com", true },
-  { "fuckobr.net", true },
-  { "fuckobr.org", true },
-  { "fuckobr.su", true },
   { "fuckonthefirst.date", true },
   { "fuckup.dk", true },
   { "fuckyoupaypal.me", true },
@@ -14422,11 +14943,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fuelfirebrand.com", true },
   { "fuelingyourdreams.com", true },
   { "fuerstenfelder-immobilien.de", true },
-  { "fugamo.de", true },
   { "fuglede.dk", true },
   { "fuite.ch", true },
   { "fuites.ch", true },
+  { "fujianshipbuilding.com", true },
   { "fujiwaraqol.com", true },
+  { "fujiwarashinzo.com", true },
   { "fukakukeiba.com", true },
   { "fukikaeru.com", true },
   { "fukuiedu.com", true },
@@ -14441,6 +14963,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fullbundle.com", true },
   { "fullereno.com", true },
   { "fullerlife.org.uk", true },
+  { "fullfilez.com", true },
   { "fullhost.com", true },
   { "fullhub.ru", true },
   { "fullmatch.net", true },
@@ -14452,9 +14975,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fun-bounce.co.uk", true },
   { "fun-tasia.co.uk", true },
   { "fun4kidzbouncycastles.co.uk", true },
+  { "fun4tomorrow.com", true },
   { "fun4ubouncycastles.co.uk", true },
   { "fun888city.com", true },
   { "fun888city.net", true },
+  { "fun88city.com", true },
   { "funadvisor.ca", true },
   { "funadvisorfrance.com", true },
   { "funandbounce.com", true },
@@ -14466,10 +14991,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fundays.nl", true },
   { "fundchan.com", true },
   { "fundeego.com", true },
-  { "fundingempire.com", true },
   { "fundort.ch", true },
   { "funds.ddns.net", true },
-  { "funerariahogardecristo.cl", true },
   { "funfactorleeds.co.uk", true },
   { "funfair.io", true },
   { "funfoodco.co.uk", true },
@@ -14494,11 +15017,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "funtimeentertainment.co.uk", true },
   { "funtimesbouncycastles.co.uk", true },
   { "fur.red", true },
-  { "furaje-iasi.com", true },
-  { "furcity.me", true },
+  { "furcdn.net", true },
+  { "furgetmeknot.org", true },
   { "furgo.love", true },
   { "furigana.info", true },
-  { "furikake.xyz", true },
   { "furkancaliskan.com", true },
   { "furkot.com", true },
   { "furkot.de", true },
@@ -14509,30 +15031,36 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "furlan.co", true },
   { "furlog.it", true },
   { "furnfurs.com", true },
+  { "furnishedproperty.com.au", true },
   { "furry.cat", true },
   { "furry.dk", true },
   { "furrybot.me", true },
   { "furrytech.network", true },
-  { "furrytf.club", true },
+  { "furrytf.club", false },
   { "furryyiff.site", true },
+  { "fursuitbutts.com", true },
   { "fusa-miyamoto.jp", true },
   { "fuselight.nl", true },
   { "fuseos.net", true },
   { "fushee.com", true },
   { "fusiongaming.de", true },
   { "fussball-xxl.de", true },
+  { "fussell.io", true },
+  { "fuszara.eu", true },
+  { "futa.moe", true },
   { "futaba-works.com", true },
   { "futagro.com", true },
   { "futbomb.com", true },
   { "futcre.com", true },
   { "futrou.com", true },
   { "future-moves.com", true },
+  { "futureaudiographics.com", true },
   { "futurefund.com", true },
-  { "futurefundapp.com", true },
   { "futuregrowthva.com", true },
   { "futurehack.io", true },
   { "futurenda.com", true },
   { "futureoceans.org", true },
+  { "futuressm.com", true },
   { "futuretimes.io", true },
   { "futurezone.at", true },
   { "futurope.com", true },
@@ -14559,6 +15087,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fxopen.ru", true },
   { "fxp.co.il", true },
   { "fxseo.com.au", true },
+  { "fxtalk.cn", true },
   { "fxthai.com", true },
   { "fxtrade-lab.com", true },
   { "fxweb.co", true },
@@ -14569,6 +15098,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fyksen.me", true },
   { "fyn.nl", true },
   { "fyol.xyz", false },
+  { "fyreek.me", true },
   { "fyretrine.com", true },
   { "fysesbjerg.dk", true },
   { "fysio123.nl", true },
@@ -14584,9 +15114,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "fzx750.ru", true },
   { "g-ds.de", true },
   { "g-m-w.eu", true },
-  { "g-o.pl", true },
   { "g-p-design.com", true },
   { "g-rom.net", true },
+  { "g.co", true },
   { "g0881.com", true },
   { "g0man.com", true },
   { "g1.ie", true },
@@ -14600,7 +15130,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "g3rv4.com", true },
   { "g4w.co", true },
   { "g5.gov", true },
-  { "g6666g.tk", true },
   { "g8energysolutions.co.uk", true },
   { "gaaz.fr", true },
   { "gabe565.com", true },
@@ -14608,8 +15137,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gabecook.com", true },
   { "gabemack.com", true },
   { "gabinetpsychoterapii.krakow.pl", true },
+  { "gabiocs.com", true },
   { "gabriel.to", true },
-  { "gabrielsimonet.ch", true },
+  { "gabriele.tips", true },
   { "gabrielsteens.nl", true },
   { "gachimuchi.ru", true },
   { "gachiyase.com", true },
@@ -14626,7 +15156,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gaflooring.com", true },
   { "gafunds.com", true },
   { "gagliarducci.it", true },
-  { "gagne-enterprises.com", true },
   { "gagne.tk", true },
   { "gagnerplusdargent.info", true },
   { "gagniard.org", true },
@@ -14634,27 +15163,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gagygnole.ch", true },
   { "gaiavanderzeyp.com", true },
   { "gaichon.com", true },
+  { "gailfellowsphotography.com", true },
   { "gaines-sodiamex.fr", true },
   { "gaio-automobiles.fr", true },
   { "gaireg.de", true },
   { "gaitandmobility.com", true },
   { "gaitrehabilitation.com", true },
   { "gaitresearch.com", true },
-  { "gakkainavi-epsilon.jp", true },
   { "gakkainavi-epsilon.net", true },
   { "gakkainavi.jp", true },
+  { "gakkainavi.net", true },
   { "gakkainavi4.jp", true },
   { "gakkainavi4.net", true },
   { "gaku-architect.com", true },
-  { "gala.kiev.ua", false },
   { "galabau-maurmann.de", true },
   { "galacg.me", true },
   { "galactic-crew.org", true },
   { "galak.ch", true },
   { "galanight.cz", true },
+  { "galaxy.edu.pe", true },
+  { "galaxymimi.com", true },
   { "galecia.com", true },
   { "galeria42.com", true },
-  { "galeriart.xyz", true },
+  { "galerialottus.com.br", true },
+  { "galeriarr.pl", true },
   { "galeries.photo", true },
   { "galilahiskye.com", true },
   { "galileanhome.org", true },
@@ -14662,7 +15194,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "galinas-blog.de", true },
   { "galinos.gr", true },
   { "galle.cz", true },
-  { "gallerify.eu", true },
   { "galletasgabi.com.mx", false },
   { "galleyfoods.com", true },
   { "gallicrooster.com", true },
@@ -14670,7 +15201,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gallifreypermaculture.com.au", true },
   { "gallun-shop.com", true },
   { "galpaoap.com.br", true },
-  { "gamajo.com", true },
   { "gamberorosso.menu", true },
   { "gambetti.fr", true },
   { "gambit.pro", true },
@@ -14680,6 +15210,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gambitprint.com", true },
   { "gamblerhealing.com", true },
   { "gamblersgaming.eu", true },
+  { "game-files.net", false },
+  { "game-topic.ru", true },
   { "game4less.com", true },
   { "game7.de", true },
   { "game88city.net", true },
@@ -14729,11 +15261,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gamingzoneservers.com", true },
   { "gamisalya.com", true },
   { "gamishou.fr", true },
-  { "gamismodelbaru.com", true },
-  { "gamismu.com", true },
+  { "gamismodernshop.com", true },
+  { "gamismurahonline.com", true },
   { "gamivo.com", true },
   { "gamoloco.com", true },
-  { "gan.wtf", true },
   { "ganado.org", true },
   { "ganaenergia.com", true },
   { "ganasoku.net", true },
@@ -14753,9 +15284,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gapdirect.com", true },
   { "gapfa.org", true },
   { "gaphag.ddns.net", true },
-  { "gar-nich.net", false },
   { "garage-leone.com", true },
   { "garage-meynard.com", true },
+  { "garagedejan.ch", true },
   { "garageenginuity.com", true },
   { "garagegoossens.be", true },
   { "garagemhermetica.org", true },
@@ -14769,11 +15300,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "garderobche.eu", true },
   { "gardikagigih.com", true },
   { "gardinte.com", true },
+  { "gardis.ua", true },
   { "garedtech.com", false },
   { "garethbowker.com", true },
+  { "garethkirk.com", true },
+  { "garethkirkreviews.com", true },
   { "garethrhugh.es", true },
   { "garforthgolfclub.co.uk", true },
   { "gargazon.net", true },
+  { "garnuchbau.de", true },
   { "garron.net", true },
   { "garrowmediallc.com", true },
   { "gartenbaur.de", true },
@@ -14802,10 +15337,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gaussianwaves.com", true },
   { "gauthier.dk", true },
   { "gautvedt.no", true },
+  { "gavin.sh", true },
   { "gavins.stream", true },
   { "gavinsblog.com", true },
   { "gawrimanecuta.com", true },
-  { "gayforgenji.com", true },
+  { "gaycc.cc", true },
+  { "gayhotti.es", true },
   { "gaymerconnect.net", true },
   { "gaymerx.com", true },
   { "gaymerx.net", true },
@@ -14820,6 +15357,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gbcsummercamps.com", true },
   { "gbl.selfip.net", true },
   { "gboys.net", true },
+  { "gbs-uk.com", true },
   { "gc-mc.de", true },
   { "gc.gy", true },
   { "gc.ru.net", true },
@@ -14837,17 +15375,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gdhzcgs.com", true },
   { "gdiary.net", true },
   { "gdngs.de", true },
+  { "gdoce.es", true },
   { "gdpr-pohotovost.cz", true },
   { "gdv.me", true },
   { "gdz-spishy.com", true },
-  { "gdz.tv", true },
   { "ge3k.net", false },
   { "gear4you.shop", true },
   { "gearallnews.com", true },
+  { "gearboxhero.com", true },
   { "gearev.net", true },
   { "gearfinder.nl", true },
   { "gearset.com", true },
-  { "geass.xyz", true },
   { "geba-online.de", true },
   { "gebn.co.uk", true },
   { "gebn.uk", true },
@@ -14859,11 +15397,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "geckler-ee.de", true },
   { "geder.at", true },
   { "gedlingcastlehire.co.uk", true },
+  { "gedlingtherapy.co.uk", true },
   { "gee.is", true },
   { "geecrat.com", true },
   { "geek-hub.de", true },
-  { "geek.ch", true },
-  { "geek1.de", true },
   { "geekabit.nl", true },
   { "geekandi.com", true },
   { "geekariom.com", true },
@@ -14898,6 +15435,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "geigenbauer.in", false },
   { "geiser-family.ch", true },
   { "geisser-elektronikdata.de", true },
+  { "geitenijs.com", true },
   { "gelb-computer.de", true },
   { "geld-im-blick.de", true },
   { "geld24.nl", true },
@@ -14907,8 +15445,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gelis.ch", true },
   { "gelodosul.com.br", true },
   { "gelog-software.de", false },
+  { "gelonghui.com", true },
   { "geloofindemocratie.nl", false },
   { "geluidsstudio.com", true },
+  { "geluk.io", true },
   { "gem-indonesia.net", false },
   { "gem-info.fr", true },
   { "gemeentemolenwaard.nl", true },
@@ -14916,7 +15456,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gemgroups.in", true },
   { "gemini.com", true },
   { "gemquery.com", true },
-  { "genbright.com", true },
   { "genchev.io", true },
   { "gencmedya.com", true },
   { "genderidentiteit.nl", true },
@@ -14933,7 +15472,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "general-anaesthesia.com", true },
   { "general-anaesthetics.com", true },
   { "general-anesthesia.com", true },
-  { "general-insurance.tk", true },
   { "generali-worldwide.com", true },
   { "generalinsuranceservices.com", true },
   { "generationgoat.com", true },
@@ -14946,6 +15484,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "genesysmi.com", true },
   { "genetargetsolutions.com.au", true },
   { "genetidyne.com", true },
+  { "genevachauffeur.com", true },
   { "geneve-naturisme.ch", true },
   { "genevoise-entretien.ch", true },
   { "genfaerd.dk", true },
@@ -14955,7 +15494,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "geniuszone.biz", true },
   { "genocidediary.org", true },
   { "genodeftest.de", true },
-  { "genome.gov", false },
+  { "genome.gov", true },
   { "genomequestlive.com", true },
   { "genosse-einhorn.de", true },
   { "genoveve.de", true },
@@ -14971,17 +15510,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gentoo-blog.de", true },
   { "gentooblog.de", true },
   { "genusshotel-riegersburg.at", true },
-  { "genuxtsg.com", true },
-  { "genxnotes.com", true },
+  { "geocar.com", true },
   { "geocompass.at", true },
   { "geofox.org", true },
   { "geography-schools.com", true },
+  { "geoinstinct.com", true },
   { "geoip.fedoraproject.org", true },
   { "geoip.stg.fedoraproject.org", true },
   { "geojs.io", true },
   { "geology-schools.com", true },
   { "geometra.roma.it", true },
   { "geomex.be", true },
+  { "geomonkeys.com", true },
   { "geoponika.gr", true },
   { "geoport.al", true },
   { "georadar-algerie.com", true },
@@ -14989,7 +15529,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "george-orwell.com", true },
   { "georgebrighton.co.uk", true },
   { "georgecolgrove.com", true },
-  { "georgehalachev.com", true },
+  { "georgedesign.ch", true },
   { "georgemaschke.com", true },
   { "georgemaschke.net", true },
   { "georgepancescu.ro", true },
@@ -14998,6 +15538,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "georgiaautoglass.net", true },
   { "georgiaglassrepair.com", true },
   { "georgiastuartyoga.co.uk", true },
+  { "georgiatransport.com", true },
   { "georgiaurologist.com", true },
   { "georgioskontaxis.com", true },
   { "georgioskontaxis.net", true },
@@ -15007,7 +15548,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "geoscope.ch", true },
   { "geosphereservices.com", true },
   { "geotab.com", true },
-  { "gepe.ch", true },
   { "gepgroup.gr", true },
   { "gepps.de", true },
   { "geraintwhite.co.uk", true },
@@ -15019,7 +15559,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gerbyte.co.uk", true },
   { "gerbyte.com", true },
   { "gerbyte.uk", true },
-  { "germancraft.net", true },
   { "germandarknes.net", true },
   { "germanssky.de", true },
   { "germanticz.de", true },
@@ -15033,9 +15572,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "geschwinder.net", true },
   { "gesica.cloud", true },
   { "gessettirotti.it", true },
+  { "gestorehotel.com", true },
   { "gestormensajeria.com", true },
   { "gesundheitmassage.com", true },
   { "gesundheitswelt24.de", true },
+  { "gesundheitszentrum-am-reischberg.de", true },
   { "get-erp.ru", true },
   { "get-it-live.com", true },
   { "get-it-live.de", true },
@@ -15049,6 +15590,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "getbooks.co.il", true },
   { "getbox.me", true },
   { "getbreadcrumbs.com", true },
+  { "getbrowink.com", true },
   { "getbutterfly.com", true },
   { "getcloak.com", false },
   { "getcolq.com", true },
@@ -15056,7 +15598,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "getdash.io", true },
   { "getdeveloper.de", true },
   { "geteckeld.nl", true },
-  { "geteduroam.no", true },
   { "getenv.io", true },
   { "geterp.ru", true },
   { "getfedora.org", true },
@@ -15076,12 +15617,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "getmango.com", true },
   { "getmdl.io", true },
   { "getmerch.eu", true },
+  { "getmovil.com", true },
   { "getnib.com", true },
   { "getnikola.com", true },
   { "getoutofdebt.org", true },
   { "getpagespeed.com", true },
   { "getpanelapp.com", true },
-  { "getpei.com", false },
+  { "getpei.com", true },
   { "getprivacy.de", true },
   { "getprivacy.net", true },
   { "getpublii.com", true },
@@ -15092,12 +15634,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "getsensibill.com", true },
   { "getsetbounce.co.uk", true },
   { "getsilknow.com", true },
-  { "getsmartaboutdrugs.gov", true },
+  { "getsmartaboutdrugs.gov", false },
   { "getsport.mobi", true },
   { "getswadeshi.com", true },
   { "getteamninja.com", true },
   { "getthefriendsyouwant.com", true },
   { "getticker.com", true },
+  { "gettodoing.com", true },
   { "gettopquality.com", true },
   { "getts.ro", true },
   { "getupandbounce.co.uk", true },
@@ -15105,7 +15648,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "getwemap.com", true },
   { "getwisdom.io", true },
   { "getyeflask.com", true },
-  { "getyou.onl", false },
   { "getyourlifestraight.com", true },
   { "gevelreinigingtiel.nl", true },
   { "geyduschek.be", true },
@@ -15138,6 +15680,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ggx.us", true },
   { "gha.st", true },
   { "ghaglund.se", true },
+  { "ghettonetflix.de", true },
+  { "ghfip.com.au", true },
   { "ghini.com", true },
   { "ghislainphu.fr", true },
   { "ghostblog.info", false },
@@ -15161,24 +15705,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "giardinaggio.napoli.it", true },
   { "giardiniere.bologna.it", true },
   { "giardiniere.milano.it", true },
-  { "gibraltar.at", true },
   { "gichigamigames.com", true },
-  { "gicl.dk", true },
   { "giebel.it", true },
   { "gierds.de", true },
   { "giethoorn.com", true },
   { "gietvloergarant.nl", false },
   { "giftcard.net", true },
-  { "giftedconsortium.com", true },
+  { "giftcardgranny.com", true },
   { "giftking.nl", false },
   { "giftmaniabrilhos.com.br", true },
   { "gifts.best", true },
   { "gifts365.co.uk", true },
+  { "giftya.com", true },
   { "gifudodo.com", true },
   { "gig-raiffeisen.de", true },
   { "giga.nl", true },
   { "gigabitz.pw", true },
   { "gigacog.com", true },
+  { "gigantar.com", true },
   { "gigantism.com", true },
   { "gigawa.lt", true },
   { "giggletotz.co.uk", true },
@@ -15191,6 +15735,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gigseekr.com", true },
   { "gigtroll.eu", true },
   { "gijsbertus.com", true },
+  { "gijswesterman.nl", true },
   { "gikovatelojavirtual.com.br", true },
   { "gilangcp.com", true },
   { "gileadpac.com", true },
@@ -15204,18 +15749,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gilmoreid.com.au", true },
   { "gilmourluna.com", true },
   { "gilnet.be", true },
-  { "gilpinmanagement.com", true },
-  { "gilpinrealty.com", true },
   { "gimme.money", true },
   { "gina-architektur.design", true },
   { "ginabaum.com", true },
+  { "ginacat.de", true },
   { "gingersutton.com", true },
   { "ginionusedcars.be", true },
   { "ginja.co.th", true },
-  { "ginnegappen.nl", true },
   { "ginniemae.gov", true },
   { "gino-gelati.de", true },
   { "ginza-luce.net", true },
+  { "ginza-viola.com", true },
   { "ginzadelunch.jp", true },
   { "ginzaj.com", true },
   { "giochi-online.ws", true },
@@ -15223,7 +15767,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gioielleriamolena.com", true },
   { "gippert-klein.de", true },
   { "giraffeduck.com", true },
-  { "giraffeinflatables.co.uk", true },
   { "giraffenland.de", true },
   { "giraffes.org", true },
   { "giri.co", true },
@@ -15231,6 +15774,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "girlsforum.com", true },
   { "girlsgenerationgoods.com", true },
   { "girlz.jp", true },
+  { "girsa.org", true },
   { "girvas.ru", true },
   { "gisch.tk", true },
   { "gisgov.be", true },
@@ -15239,7 +15783,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gisher.video", true },
   { "gishiko.net", true },
   { "gistr.io", true },
-  { "git.ac.cn", true },
   { "git.market", true },
   { "git.sb", true },
   { "git.tt", true },
@@ -15266,36 +15809,34 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "given2.com", true },
   { "givesunlight.com", true },
   { "givingnexus.org", false },
-  { "givip.eu", true },
   { "gixtools.com", true },
   { "gixtools.net", true },
   { "gj-bochum.de", true },
   { "gjcampbell.co.uk", true },
   { "gjengset.com", true },
   { "gjspunk.de", false },
-  { "gkimanyar.org", true },
   { "gkoenig-innenausbau.de", true },
   { "gkralik.eu", true },
   { "gl.search.yahoo.com", false },
-  { "gla-hyperloop.com", true },
+  { "gla-hyperloop.com", false },
   { "glaciernursery.com", true },
   { "gladiatorboost.com", true },
   { "gladwellentertainments.co.uk", true },
-  { "glahcks.com", true },
   { "glamguru.co.il", true },
   { "glamguru.world", true },
   { "glamour4you.de", true },
   { "glamourdaze.com", true },
+  { "glamouria.com.br", true },
   { "glasdon.com", true },
   { "glasen-hardt.de", true },
   { "glasfaser-im-hanseviertel.de", true },
   { "glasgestaltung.biz", true },
   { "glasner.photo", true },
-  { "glaspe.com", true },
   { "glass.google.com", true },
   { "glasschmuck-millefiori.de", true },
   { "glassexpertswa.com", true },
   { "glassrainbowtrust.org.je", true },
+  { "glassrom.pw", true },
   { "glasweld.com", true },
   { "glavsudexpertiza.ru", true },
   { "glazedmag.fr", true },
@@ -15318,7 +15859,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "global-lights.ma", true },
   { "global-office.com", true },
   { "global-village.koeln", true },
-  { "global.hr", true },
   { "globalcanineregistry.com", true },
   { "globalchokepoints.org", true },
   { "globalcomix.com", true },
@@ -15332,13 +15872,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "globalonetechnology.com", true },
   { "globalprojetores.com.br", true },
   { "globalresearchcouncil.org", true },
+  { "globalresistancecorporation.com", true },
   { "globalventil.com", true },
   { "globcoin.io", true },
   { "globelink-group.com", true },
   { "glocalworks.jp", true },
   { "glofox.com", true },
+  { "glolighting.co.za", true },
   { "gloneta.com", false },
   { "gloning.name", true },
+  { "glont.net", true },
+  { "gloria.tv", true },
   { "glosiko.com", true },
   { "glossopnorthendafc.co.uk", true },
   { "glotech.co.uk", true },
@@ -15364,6 +15908,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gmccar.it", true },
   { "gmcd.co", true },
   { "gmdu.net", true },
+  { "gme.one", true },
   { "gmind.ovh", true },
   { "gmod.de", true },
   { "gmpark.dk", true },
@@ -15394,6 +15939,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gnucashtoqif.us", true },
   { "gnunet.org", true },
   { "gnuplus.me", true },
+  { "gnwp.eu", true },
   { "go-dutch.eu", true },
   { "go-embedded.de", true },
   { "go-propiedades.cl", true },
@@ -15408,6 +15954,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "goanalyse.co.uk", true },
   { "goand.run", true },
   { "goarmy.eu", true },
+  { "goatbot.xyz", true },
   { "goatcloud.com", true },
   { "gobarrelroll.com", true },
   { "gobouncy.co.uk", true },
@@ -15420,14 +15967,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "godaxen.tv", true },
   { "godclan.hu", true },
   { "godesigner.ru", true },
-  { "godofnea.com", true },
   { "godrive.ga", true },
-  { "godruoyi.com", true },
   { "godsofhell.com", true },
   { "godsofhell.de", true },
   { "goededoelkerstkaarten.nl", true },
+  { "goedkoopstecartridges.nl", true },
+  { "goedkopecartridgeskopen.nl", true },
   { "goedkopelaptopshardenberg.nl", true },
   { "goedkopeonesies.nl", true },
+  { "goedkopetonerkopen.nl", true },
   { "goedverzekerd.net", true },
   { "goemail.me", true },
   { "goerlitz-zgorzelec.org", true },
@@ -15466,13 +16014,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "goldendawnapersonalaffair.com", true },
   { "goldenhillsoftware.com", true },
   { "goldenhost.ca", true },
+  { "goldenmonrepos.com", true },
   { "goldenplate.com.sg", true },
   { "goldenruleemail.com", true },
   { "goldfmromania.ro", true },
   { "goldmark.com.au", true },
   { "goldpreisfinder.at", true },
   { "goldsecurity.com", true },
+  { "goldsilver.org.ua", true },
   { "goldstein.tel", true },
+  { "goldytechspecialists.com", true },
   { "golf18network.com", true },
   { "golf18staging.com", true },
   { "golfhausmallorca.com", true },
@@ -15481,8 +16032,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "golfscape.com", true },
   { "golighthouse.com", true },
   { "golik.net.pl", false },
+  { "golser-schuh.at", true },
   { "golser.info", true },
   { "gomasy.jp", true },
+  { "gomel.chat", true },
   { "gomelchat.com", true },
   { "gomena.io", true },
   { "gommista.roma.it", true },
@@ -15495,31 +16048,39 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gooby.co", false },
   { "good-tips.pro", true },
   { "gooday.life", true },
-  { "gooddomainna.me", true },
-  { "goodenough.nz", false },
+  { "goodenough.nz", true },
   { "goodhealthtv.com", true },
   { "goodquote.gq", true },
+  { "goodryb.top", true },
   { "goodshepherdmv.com", true },
   { "goodth.ink", true },
   { "google", true },
   { "google-analytics.com", true },
   { "googleandroid.cz", true },
+  { "googlehosts.org", true },
   { "googlemail.com", false },
   { "googleplex.com", true },
   { "googlesource.com", true },
   { "goombi.fr", true },
   { "goonersworld.co.uk", true },
+  { "goontopia.com", true },
   { "goooo.info", true },
   { "gootlijsten.nl", true },
   { "goover.de", true },
   { "goow.in", true },
   { "goozp.com", true },
   { "gopher.tk", true },
+  { "gophoto.it", true },
+  { "goplex.com.au", true },
   { "goproallaccess.com", true },
   { "goproinspectiongroup.com", true },
   { "goquiq.com", true },
+  { "gordeijnsbouw.nl", true },
+  { "gordonobrecht.com", true },
   { "gordonscouts.com.au", true },
   { "gorealya.com", true },
+  { "gorf.chat", true },
+  { "gorf.club", true },
   { "gorgias.me", true },
   { "gorky.media", true },
   { "gorn.ch", true },
@@ -15529,12 +16090,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gosforthdentalsurgery.co.uk", true },
   { "goshawkdb.io", true },
   { "goshin-group.co.jp", true },
+  { "gosolockpicks.com", true },
   { "gospelfollower.com", true },
   { "gospelofmark.ch", true },
   { "gospelvestcination.de", true },
   { "gostaffer.com", true },
   { "gostest.org", false },
   { "gosu.pro", true },
+  { "gosuland.org", true },
+  { "got-tty.de", true },
   { "goteborgsklassikern.se", true },
   { "gotech.com.eg", false },
   { "gothamlimo.com", true },
@@ -15549,6 +16113,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gotoxy.at", true },
   { "gotrail.fr", true },
   { "gottcode.org", false },
+  { "gottfridsberg.org", true },
   { "goudenharynck.be", true },
   { "gouforit.com", true },
   { "gouldcooksey.com", true },
@@ -15556,6 +16121,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "goup.com.tr", true },
   { "gouptime.ml", true },
   { "gourmetfestival.de", true },
+  { "gourmetspalencia.com", true },
   { "gov.tc", true },
   { "governmentjobs.gov", true },
   { "governorhub.com", true },
@@ -15564,20 +16130,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "govtjobs.blog", true },
   { "govtrack.us", true },
   { "govype.com", true },
+  { "gowancommunications.com", true },
   { "gowe.wang", false },
   { "gowildrodeo.co.uk", true },
   { "gowithflo.de", true },
   { "gozenhost.com", true },
   { "gpcsolutions.fr", true },
-  { "gpdimaranathasiantar.org", true },
-  { "gpfclan.de", true },
+  { "gpdimaranathasiantar.org", false },
   { "gpgscoins.com", true },
   { "gplans.us", true },
   { "gpm.ltd", true },
   { "gprs.uk.com", true },
-  { "gpsarena.ro", true },
   { "gpscamera.nl", true },
-  { "gpsfix.cz", true },
   { "gpsolarpanels.com", true },
   { "gpsvideocanada.com", true },
   { "gpureport.cz", true },
@@ -15606,9 +16170,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "grafcaps.com", true },
   { "graffen.dk", true },
   { "grafmag.pl", true },
+  { "grafmurr.de", true },
   { "grafoteka.pl", true },
   { "graft.community", true },
   { "graft.observer", true },
+  { "grahambaker.ca", true },
   { "grahamcarruthers.co.za", true },
   { "grahamcluley.com", true },
   { "grailians.com", true },
@@ -15648,11 +16214,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "graonatural.com.br", true },
   { "grapee.jp", true },
   { "grapeintentions.com", true },
+  { "grapevine.is", true },
   { "graphcommons.com", true },
   { "graphene.software", true },
   { "graphic-schools.com", true },
   { "graphic-shot.com", true },
-  { "graphire.io", true },
   { "grapholio.net", true },
   { "grasmark.com", true },
   { "grassenberg.de", true },
@@ -15668,7 +16234,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "graumeier.de", true },
   { "gravilink.com", true },
   { "gravitascreative.net", true },
-  { "gravitation.pro", false },
   { "gravitechthai.com", true },
   { "gravity-inc.net", true },
   { "gravityformspdfextended.com", true },
@@ -15681,12 +16246,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "grayowlworks.com", true },
   { "grayscale.co", true },
   { "grayson.sh", true },
+  { "graz2020.com", true },
   { "grazieitalian.com", true },
   { "grc.com", false },
   { "greatagain.gov", true },
   { "greatestwebsiteonearth.com", true },
   { "greatfire.org", true },
   { "greathairtransplants.com", true },
+  { "greathosts.biz", true },
   { "greatislandarts.ca", true },
   { "greatlakeside.de", true },
   { "greatlifeinsurancegroup.com", true },
@@ -15694,24 +16261,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "greboid.co.uk", true },
   { "greboid.com", true },
   { "greditsoft.com", true },
-  { "greedbutt.com", true },
   { "greek.dating", true },
   { "greeklish.gr", true },
+  { "greekmusic.academy", true },
   { "green-attitude.be", true },
   { "green-care.nl", true },
-  { "green-light.cf", true },
   { "green-light.co.nz", true },
-  { "green-light.ga", true },
-  { "green-light.gq", true },
-  { "green-light.ml", true },
   { "greenaddress.it", true },
   { "greenapproach.ca", true },
-  { "greenbaysecuritysolutions.com", true },
   { "greencircleplantnursery.com.au", true },
   { "greencircleplantnursery.net.au", true },
   { "greener.pl", true },
-  { "greenglam.biz", true },
-  { "greengoblindev.com", true },
   { "greenhats.de", true },
   { "greenliquidsystem.com", true },
   { "greenliv.pl", true },
@@ -15720,6 +16280,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "greenoutdoor.dk", false },
   { "greenpanda.de", true },
   { "greenpartyofnewmilford.org", true },
+  { "greenpaws.ee", true },
   { "greenpeace-magazin.de", true },
   { "greenpeace.berlin", true },
   { "greenroach.ru", true },
@@ -15735,6 +16296,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gregbrimble.com", true },
   { "greger.me", true },
   { "gregmarziomedia-dev.com", true },
+  { "gregmarziomedia.co.za", true },
   { "gregmarziomedia.com", true },
   { "gregmilton.com", true },
   { "gregmote.com", true },
@@ -15761,15 +16323,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "grexx.nl", true },
   { "grey.house", true },
   { "greybeards.ca", true },
+  { "greyhash.se", true },
   { "greymattertechs.com", true },
   { "greysky.me", true },
   { "greyskymedia.com", true },
   { "greysolutions.it", true },
   { "greywizard.com", true },
+  { "greywolf.cz", true },
   { "grh.am", true },
   { "griassdi-reseller.de", true },
+  { "gricargo.com", true },
+  { "gridsmartercities.com", true },
   { "griechische-pfoetchen.de", true },
-  { "griecopelino.com", true },
+  { "griefheart.com", true },
   { "grieg-gaarden.no", true },
   { "grieg.com", true },
   { "grieg.net", true },
@@ -15796,6 +16362,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "groenaquasolutions.nl", true },
   { "groenewoud.me", true },
   { "groentebesteld.nl", true },
+  { "groenteclub.nl", true },
   { "groepjam-usedcars.be", true },
   { "grog.pw", true },
   { "grokker.com", true },
@@ -15804,6 +16371,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gronau-it-cloud-computing.de", true },
   { "grondius.com", true },
   { "groomershop.ru", true },
+  { "groomscroft.co.uk", true },
+  { "groomscroft.com", true },
   { "grootinadvies.nl", true },
   { "groovydisk.com", true },
   { "groovygoldfish.org", true },
@@ -15815,7 +16384,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "groth.xyz", true },
   { "grothoff.org", true },
   { "grottenthaler.eu", true },
-  { "grouchysysadmin.com", true },
   { "groundlevelup.com", true },
   { "group4layers.net", true },
   { "groupe-neurologique-nord.lu", true },
@@ -15824,6 +16392,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "grouphomes.com.au", false },
   { "groupme.com", true },
   { "groups.google.com", true },
+  { "grove-archiv.de", true },
   { "growingallthings.co.uk", true },
   { "growit.events", true },
   { "growy.ch", true },
@@ -15833,6 +16402,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gruble.de", true },
   { "gruebebraeu.ch", true },
   { "gruenderlehrstuhl.de", true },
+  { "gruenderwoche-dresden.de", true },
   { "gruene-im-rvr.de", true },
   { "gruene-wattenscheid.de", true },
   { "gruenes-wp.de", true },
@@ -15840,6 +16410,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gruenstreifen-ev.de", true },
   { "grumpy.fr", true },
   { "grumpygamers.com", true },
+  { "grundlage.com.ua", true },
   { "grunwaldzki.center", true },
   { "grunwasser.fr", true },
   { "grupomakben.com", true },
@@ -15849,6 +16420,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gruselgrotte.com", true },
   { "grusenmeyer.be", true },
   { "grusig-geil.ch", true },
+  { "gruver.de", true },
   { "gruwa.net", true },
   { "gs93.de", true },
   { "gsaj114.net", true },
@@ -15866,22 +16438,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gt-network.de", true },
   { "gta-arabs.com", true },
   { "gtaforum.nl", true },
-  { "gtalife.net", true },
   { "gtchipsi.org", true },
   { "gtcprojects.com", true },
-  { "gtdgo.com", true },
   { "gtlaun.ch", true },
   { "gtlfsonlinepay.com", true },
   { "gtmasterclub.it", false },
   { "gtmetrix.com", true },
+  { "gtoepfer.de", true },
   { "gtopala.com", true },
   { "gtopala.net", true },
   { "gtour.info", false },
   { "gtravers-basketmaker.co.uk", true },
-  { "gts-dp.de", true },
-  { "gtts.space", true },
   { "gtxbbs.com", true },
+  { "gtxmail.de", true },
   { "guajars.cl", true },
+  { "guannan.net.cn", true },
   { "guanyembadalona.org", true },
   { "guanzhong.ca", true },
   { "guardian360.nl", true },
@@ -15891,6 +16462,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gubagoo.com", true },
   { "gubagoo.io", true },
   { "gudini.net", true },
+  { "gudrunfit.dk", true },
   { "guegan.de", true },
   { "guelo.ch", true },
   { "guenthereder.at", true },
@@ -15901,17 +16473,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "guevener.de", true },
   { "gueze-ardeche.fr", true },
   { "gueze-sas.fr", true },
-  { "gufen.ga", true },
   { "guffr.it", true },
   { "guge.ch", true },
   { "gugert.net", true },
   { "guhei.net", true },
   { "guhenry3.tk", true },
   { "guiacidade.com.br", true },
+  { "guiaswow.com", true },
   { "guichet-entreprises.fr", true },
   { "guichet-qualifications.fr", true },
   { "guid2steamid.com", true },
   { "guid2steamid.pw", true },
+  { "guida.org", true },
   { "guide-peche-cantal.com", true },
   { "guidebook.co.tz", true },
   { "guidedselling.net", true },
@@ -15933,33 +16506,38 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gulchuk.com", true },
   { "gulenbase.no", true },
   { "gulfstream.ru", true },
-  { "gulshankumar.net", true },
-  { "gumballs.com", true },
   { "gume4you.com", true },
+  { "gumeyamall.jp", true },
   { "gumi.ca", true },
   { "gunauc.net", true },
   { "gunceloyunhileleri.com", true },
+  { "gunn.ee", true },
   { "gunsofshadowvalley.com", true },
   { "gunwatch.co.uk", true },
   { "gunworld.com.au", true },
   { "guochang.xyz", true },
   { "guodong.net", true },
   { "guoke.com", true },
+  { "guolaw.ca", true },
   { "guoliang.me", true },
   { "guozeyu.com", true },
   { "gupfen.ch", true },
+  { "guphi.net", false },
   { "gurkan.in", true },
   { "gurmel.ru", true },
   { "gurpusmaximus.com", true },
   { "guru-naradi.cz", true },
   { "gurucomi.com", true },
   { "gurueffect.com", true },
-  { "gurugardener.co.nz", true },
+  { "gururi.com", true },
   { "gus.host", true },
   { "gustaff.de", true },
   { "gustiaux.com", true },
   { "gustom.io", true },
   { "gut8er.com.de", true },
+  { "gutools.co.uk", true },
+  { "guts.me", true },
+  { "guts.moe", true },
   { "gutschein-spezialist.de", true },
   { "gutscheingeiz.de", true },
   { "gutuia.blue", true },
@@ -15969,18 +16547,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gv-neumann.de", true },
   { "gv-salto.nl", true },
   { "gvatas.in", true },
+  { "gvc-it.tk", true },
   { "gveh.de", true },
   { "gvi-timing.ch", true },
   { "gviedu.com", true },
   { "gvitiming.ch", true },
   { "gvobgyn.ca", true },
+  { "gvoetbaldagenalcides.nl", true },
   { "gvt2.com", true },
   { "gvt3.com", true },
   { "gvwgroup.com", true },
   { "gw2efficiency.com", true },
   { "gw2treasures.com", true },
   { "gw2zone.net", true },
-  { "gwa-verwaltung.de", true },
   { "gwerder.net", true },
   { "gwhois.org", true },
   { "gwrtech.com", true },
@@ -15989,6 +16568,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "gyara.moe", true },
   { "gyas.nl", true },
   { "gymagine.ch", true },
+  { "gymbunny.de", true },
   { "gymhero.me", true },
   { "gymjp.com", true },
   { "gymkirchenfeld.ch", true },
@@ -16033,11 +16613,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haazen.xyz", true },
   { "habarisoft.com", true },
   { "habbig.cc", true },
-  { "habbos.es", true },
   { "haberer.me", true },
   { "habitat-domotique.fr", true },
   { "habr.com", true },
-  { "habtium.com", true },
   { "habtium.es", true },
   { "habview.net", true },
   { "hacc.top", true },
@@ -16047,25 +16625,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hacertest.com", true },
   { "hacettepeteknokent.com.tr", true },
   { "hachre.de", false },
-  { "hack.club", true },
   { "hackademix.net", true },
   { "hackanders.com", true },
+  { "hackattack.com", true },
   { "hackbarth.guru", true },
   { "hackbeil.name", true },
   { "hackcraft.net", true },
   { "hackdown.me", true },
   { "hackenkunjeleren.nl", true },
   { "hackenturet.dk", true },
-  { "hacker.club", true },
   { "hacker.holiday", true },
   { "hacker.im", true },
   { "hacker.one", true },
   { "hacker.parts", true },
   { "hacker1.com", true },
   { "hacker101.com", true },
+  { "hackerchai.com", true },
   { "hackereyes.com", true },
   { "hackergateway.com", true },
-  { "hackerlite.xyz", true },
   { "hackernet.se", true },
   { "hackerone-ext-content.com", true },
   { "hackerone-user-content.com", true },
@@ -16073,9 +16650,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hackerone.com", true },
   { "hackerone.net", true },
   { "hackerone.org", true },
-  { "hackerpoints.com", true },
   { "hackerschat.net", true },
-  { "hackerstxt.org", true },
   { "hackettrecipes.com", true },
   { "hackgins.com", true },
   { "hackingand.coffee", false },
@@ -16092,9 +16667,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hadaly.fr", true },
   { "hadleighswimmingclub.co.uk", true },
   { "hadouk.in", true },
-  { "hadret.com", true },
-  { "hadret.sh", true },
   { "hadrons.org", true },
+  { "hady.fr", true },
   { "haefligermedia.ch", true },
   { "haemka.de", true },
   { "haens.li", true },
@@ -16104,12 +16678,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hafniatimes.com", true },
   { "haggeluring.su", true },
   { "hagiati.gr", true },
+  { "hagier.pl", true },
   { "hagueaustralia.com.au", true },
   { "haha-raku.com", true },
   { "hahay.es", true },
   { "haiboxu.com", true },
-  { "haidihai.ro", true },
   { "hailer.com", true },
+  { "hailstorm.nl", true },
   { "haim.bio", true },
   { "haimablog.ooo", true },
   { "hairbeautyartists.it", true },
@@ -16119,6 +16694,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hairtonic-lab.com", true },
   { "haixihui.cn", true },
   { "hajekdavid.cz", true },
+  { "hajekj.cz", true },
   { "hajekj.net", true },
   { "hajnzic.at", true },
   { "hak5.org", true },
@@ -16145,23 +16721,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "halliday.work", true },
   { "halligladen.de", true },
   { "hallmarkestates.ca", true },
-  { "halloweenthings.website", true },
   { "hallucinogen.com", true },
   { "hallucinogens.org", true },
   { "hallumlaw.com", true },
   { "halo.fr", true },
+  { "halocredit.pl", true },
   { "halongbaybackpackertour.com", true },
   { "haloobaloo.com", true },
   { "haloria.com", true },
   { "haltegame.com", true },
   { "hamacho-kyudo.com", true },
   { "hamali.bg", true },
+  { "hamburg40grad.de", true },
   { "hamburgerbesteld.nl", true },
   { "hamcocc.com", true },
   { "hamcram.io", true },
   { "hamiltonlinen.com", true },
   { "hamiltonmedical.nl", true },
-  { "hammer-corp.com", true },
   { "hammer-schnaps.com", true },
   { "hammer-sms.com", true },
   { "hampl.tv", true },
@@ -16169,6 +16745,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hamsters-uk.org", true },
   { "hana.ondemand.com", true },
   { "hanakaraku.com", true },
+  { "hanakatova.com", true },
   { "hanashi.eu", true },
   { "hanbing.it", true },
   { "handbrake.fr", true },
@@ -16180,14 +16757,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "handmade-workshop.de", true },
   { "handmadehechoamano.com", true },
   { "handy-center.net", true },
-  { "handyglas.com", true },
   { "handymanlondonplease.co.uk", true },
-  { "handynummer.online", true },
   { "handysex.live", true },
   { "handyticket.de", true },
   { "hanfox.co.uk", false },
   { "hanfverband-erfurt.de", true },
-  { "hang333.moe", true },
   { "hangar.hosting", true },
   { "hangcapnach.com", true },
   { "hangouts.google.com", true },
@@ -16196,11 +16770,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hanksacservice.com", true },
   { "hannah.link", true },
   { "hannahi.com", true },
+  { "hannasecret.de", true },
   { "hannoluteijn.nl", true },
   { "hannover.de", true },
   { "hanoibuffet.com", true },
   { "hanpenblog.com", true },
   { "hansahome.ddns.net", true },
+  { "hansashop.eu", true },
   { "hansbijster.nl", true },
   { "hanschventures.com", true },
   { "hansen-kronshagen.de", true },
@@ -16215,6 +16791,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hanyibo.com", true },
   { "hanzubon.jp", true },
   { "hao-zhang.com", true },
+  { "haocq3.com", true },
   { "haogoodair.ca", true },
   { "haoqi.men", true },
   { "haorenka.cc", true },
@@ -16222,13 +16799,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haozhang.org", true },
   { "haozhexie.com", true },
   { "haozi.me", true },
+  { "haozijing.com", true },
   { "hapheemraadssingel.nl", true },
+  { "hapijs.cn", true },
   { "happndin.com", true },
   { "happy-baby.info", true },
   { "happy-end-shukatsu.com", true },
   { "happyagain.de", true },
   { "happyagain.se", true },
   { "happyandrelaxeddogs.eu", true },
+  { "happybeerdaytome.com", true },
   { "happybirthdaywisher.com", true },
   { "happybounce.co.uk", true },
   { "happycarb.de", true },
@@ -16246,7 +16826,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haptemic.com", true },
   { "haraj.com.sa", true },
   { "harald-d.dyndns.org", true },
-  { "harald-pfeiffer.de", true },
   { "harapecorita.com", true },
   { "harbor-light.net", true },
   { "hardeman.nu", true },
@@ -16290,6 +16869,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hartlieb.me", true },
   { "hartzer.com", true },
   { "harukakikuchi.com", true },
+  { "harukawa.moe", true },
   { "haruue.moe", true },
   { "harvarddharma.org", true },
   { "harvestapp.com", true },
@@ -16304,6 +16884,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hash-archive.org", true },
   { "hash.army", true },
   { "hash.works", true },
+  { "hashcashconsultants.com", true },
   { "hashcat.net", true },
   { "hashemian.com", true },
   { "hashes.org", true },
@@ -16318,6 +16899,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hashnode.com", true },
   { "hashru.nl", true },
   { "hashworks.net", true },
+  { "hashxp.org", true },
   { "hasilocke.de", true },
   { "haskovec.com", true },
   { "hasselbach-dellwig.de", true },
@@ -16325,7 +16907,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hatpakha.com", true },
   { "hatul.info", true },
   { "haucke.xyz", true },
-  { "hauntedfishtank.com", false },
   { "hauntedhouserecords.co.uk", true },
   { "haus-garten-test.de", true },
   { "haus-henne.de", true },
@@ -16343,7 +16924,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "havasuhomepage.com", true },
   { "havasuinsurance.com", true },
   { "havasutacohacienda.com", true },
+  { "have.jp", true },
   { "haveabounce.co.uk", true },
+  { "haveacry.com", true },
   { "haveforeningen-enghaven.dk", true },
   { "havefunbiking.com", true },
   { "haveibeenpwned.com", true },
@@ -16355,12 +16938,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haverstack.com", true },
   { "havetherelationshipyouwant.com", true },
   { "hawaar.com", true },
+  { "hawaiianchoice.com", true },
   { "hawaya.com", true },
   { "hawkeyeinsight.com", true },
   { "hawkinsonkiaparts.com", true },
+  { "hawkofgeorgia.com", true },
   { "hawkon.dk", true },
   { "hawksguild.com", true },
   { "hawksracing.de", true },
+  { "hax.to", true },
   { "haxdroid.com", true },
   { "haxo.nl", false },
   { "hayai.space", true },
@@ -16370,8 +16956,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "haydentomas.com", true },
   { "hayfordoleary.com", true },
   { "haynes-davis.com", true },
-  { "hayvid.com", false },
-  { "hayzepvp.us", true },
+  { "hayvid.com", true },
   { "haz.cat", true },
   { "haze.productions", true },
   { "hazeover.com", true },
@@ -16384,13 +16969,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hbpowell.com", true },
   { "hcaz.io", true },
   { "hcbj.io", true },
+  { "hcie.pl", false },
+  { "hcscrusaders.com", true },
   { "hd-gaming.com", true },
   { "hd-offensive.at", false },
   { "hd-only.org", true },
   { "hd-outillage.com", true },
+  { "hd1tj.org", true },
   { "hdc.cz", true },
   { "hdcamvids.com", true },
   { "hdcenter.cc", true },
+  { "hddrecovery.net.au", true },
   { "hdeaves.uk", true },
   { "hdf.world", true },
   { "hdfgroup.org", true },
@@ -16398,7 +16987,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hdhoang.space", true },
   { "hdkandsons.com", true },
   { "hdnastudio.com", true },
-  { "hdritalyphotos.com", true },
   { "hdrsource.com", true },
   { "hdrtranscon.com", true },
   { "hds-lan.de", true },
@@ -16412,9 +17000,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "headshotharp.de", true },
   { "healey.io", true },
   { "health-and-beauty-news.net", true },
-  { "health-booster.com", true },
+  { "health-booster.com", false },
   { "health-plan-news.com", true },
-  { "health.gov", true },
   { "health.graphics", true },
   { "healthand-beautynews.net", true },
   { "healthandskinbeauty.com", true },
@@ -16424,7 +17011,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "healtheals.com", true },
   { "healtheffectsofasbestos.com", true },
   { "healthery.com", true },
-  { "healthfinder.gov", true },
   { "healthfoam.com", true },
   { "healthgames.co.uk", true },
   { "healthiercompany.com", true },
@@ -16441,13 +17027,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "healthyteame.com", true },
   { "heap.zone", true },
   { "heapkeeper.org", true },
+  { "hearinghelpexpress.com", true },
   { "hearmeraw.uk", true },
-  { "heart.taxi", false },
   { "heartbeat24.de", true },
   { "heartgames.pl", true },
   { "heartlandbiomed.com", true },
   { "heartmdinstitute.com", true },
   { "heartsintrueharmony.com", true },
+  { "heartsucker.com", false },
   { "hearttruth.gov", true },
   { "heartview.com.br", true },
   { "heartwoodart.com", true },
@@ -16460,7 +17047,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hearty.org.tw", true },
   { "hearty.taipei", true },
   { "hearty.tw", true },
-  { "hearty.us", true },
+  { "heartyapp.tw", true },
   { "heartycraft.com", true },
   { "heatershop.co.uk", true },
   { "heatingandairconditioningdallastx.com", true },
@@ -16468,13 +17055,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "heavensattic.co.uk", true },
   { "heavensinferno.net", true },
   { "heavyequipments.org", true },
+  { "hebamme-cranio.ch", true },
   { "hebergeurssd.com", true },
   { "hebikhiv.nl", true },
   { "hebingying.cn", true },
   { "hebocon.nl", true },
   { "hec-espace-entreprise.ch", true },
   { "hec.global", true },
-  { "hechamano.es", true },
   { "heckelektro.de", true },
   { "heckerundknopp.de", true },
   { "heckticmedia.com", true },
@@ -16515,23 +17102,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "heinzelmann.co", true },
   { "heiraten-gardasee.de", true },
   { "heiraten-venedig.de", true },
+  { "heisenberg.co", true },
   { "heissluft-fritteuse.com", true },
   { "heistheguy.com", true },
   { "heitland-it.de", true },
   { "heiwa-valve.co.jp", true },
-  { "hejahanif.se", true },
   { "hejianpeng.cn", true },
   { "heka.ai", true },
+  { "helber-it-services.de", true },
   { "helden-spielen.de", true },
   { "heldenhalde.de", true },
+  { "heldtech.services", true },
   { "heldundsexgott.de", true },
   { "heleendebruyne.be", true },
   { "helenaknowledge.com", true },
-  { "helencrump.co.uk", true },
   { "helenekurtz.com", true },
   { "helenelefauconnier.com", true },
   { "helenkellersimulator.org", true },
   { "helfordriversc.co.uk", true },
+  { "helgaschultz.de", true },
   { "helichat.de", true },
   { "helikon.ro", true },
   { "helioanodyne.eu", true },
@@ -16540,10 +17129,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "heliosvoting.org", true },
   { "helix.am", true },
   { "hellenicagora.co.uk", true },
+  { "hellerarko.de", true },
   { "hellersgas.com", true },
   { "helles-koepfchen.de", true },
   { "helloacm.com", true },
   { "hellobrian.me", true },
+  { "hellomouse.net", true },
   { "helloworldhost.com", false },
   { "hellsgamers.pw", true },
   { "hellsh.com", true },
@@ -16554,18 +17145,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "helpmij.cf", true },
   { "helpscoutdocs.com", true },
   { "helpstarloja.com.br", true },
+  { "helpwithmybank.gov", true },
   { "helsinki.dating", true },
   { "helvella.de", true },
   { "hematoonkologia.pl", true },
   { "hemdal.se", true },
   { "hemnet.se", true },
+  { "hems.si", true },
+  { "hemtest.com", true },
   { "hen.ne.ke", true },
   { "henchman.io", true },
   { "hendersonvalleyautomotive.co.nz", true },
   { "hendric.us", false },
   { "hendrik.li", true },
   { "hendrinortier.nl", true },
-  { "hendyisaac.com", true },
   { "hengelsportdeal.com", true },
   { "hengstumone.com", true },
   { "henkboelman.com", true },
@@ -16577,6 +17170,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hennadesigns.org", true },
   { "hennecke-forstbetrieb.de", true },
   { "henneke.me", true },
+  { "hennies.org", true },
   { "henningkerstan.de", true },
   { "hennymerkel.com", true },
   { "henok.eu", true },
@@ -16594,8 +17188,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "heppler.net", true },
   { "heptafrogs.de", true },
   { "her25.com", false },
-  { "heracles-hotel.eu", true },
-  { "herbal-id.com", true },
   { "herberichfamily.com", true },
   { "herbert.io", true },
   { "herbhuang.com", true },
@@ -16610,19 +17202,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "heritagebaptistchurch.com.ph", true },
   { "herkam.pl", true },
   { "hermanbrouwer.nl", true },
-  { "hermann.in", true },
   { "hermes-net.de", true },
-  { "hermes.cat", true },
   { "herminghaus24.de", true },
   { "herndl.org", true },
   { "herni-kupony.cz", true },
   { "hernn.com", true },
   { "herocentral.de", true },
+  { "heroco.xyz", true },
   { "herofil.es", true },
   { "herohirehq.co.uk", true },
   { "heroiclove.com", true },
   { "heroicpixel.com", true },
   { "heroku.com", true },
+  { "heromuster.com", true },
   { "herpes-no.com", true },
   { "herranzramia.com", false },
   { "herrderzeit.de", true },
@@ -16634,12 +17226,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "herrtxbias.net", false },
   { "hertsbouncycastles.com", true },
   { "hertz.bj", true },
+  { "hervespanneut.com", true },
   { "herzbotschaft.de", true },
   { "herzfuersoziales.at", true },
   { "herzig.cc", true },
   { "herzogglass.com", true },
   { "hesaplama.net", true },
   { "hessen-liebe.de", true },
+  { "hesslag.com", true },
   { "hestervanderheijden.nl", true },
   { "hestia-systeme.be", true },
   { "hestia-systeme.com", true },
@@ -16649,12 +17243,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hetene.nl", true },
   { "hethely.ch", true },
   { "hetluisterbos.be", true },
-  { "hetzflix.stream", true },
+  { "hetmer.cz", true },
   { "heute-kaufen.de", true },
   { "heute.training", true },
-  { "heverhagen.rocks", true },
   { "hevertonfreitas.com.br", true },
-  { "hex.bz", true },
   { "hex.nl", true },
   { "hexagon-e.com", true },
   { "hexapt.com", true },
@@ -16664,7 +17256,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hexiaohu.cn", true },
   { "hexicurity.com", true },
   { "hexid.me", true },
-  { "hexieshe.com", true },
   { "hexo.io", false },
   { "hexony.com", true },
   { "hexr.org", true },
@@ -16679,6 +17270,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hg.gg", true },
   { "hg.python.org", true },
   { "hgbet.com", true },
+  { "hgvnet.de", true },
   { "hgw168.com", true },
   { "hh-medic.com", true },
   { "hh-wolke.dedyn.io", true },
@@ -16708,20 +17300,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hieu.com.au", true },
   { "higgsboson.tk", true },
   { "higgstools.org", true },
+  { "highair.net", true },
   { "higherpress.org", true },
-  { "highlatitudestravel.com", true },
   { "highlegshop.com", true },
   { "highlevelwoodlands.com", true },
   { "highlightsfootball.com", true },
   { "highlnk.com", true },
   { "highspeed-arnsberg.de", true },
   { "highspeedinternet.my", true },
-  { "highspeedinternetservices.ca", true },
   { "hightechbasementsystems.com", true },
   { "highwaytohoell.de", true },
   { "higilopocht.li", true },
   { "hijackpost.com", true },
-  { "hijoan.com", true },
   { "hikarukujo.com", true },
   { "hike.pics", true },
   { "hikerone.com", true },
@@ -16745,20 +17335,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "himecorazon.com", true },
   { "himekomi.com", true },
   { "himens.com", true },
+  { "himiku.com", true },
   { "hin10.com", true },
   { "hinata-hidetoshi.com", true },
+  { "hindi-movie.org", true },
+  { "hindimoviedownload.net", true },
+  { "hindimovieonline.net", true },
   { "hintergrundbewegung.de", true },
   { "hinterhofbu.de", true },
   { "hinterposemuckel.de", true },
   { "hiparish.org", true },
   { "hiphop.ren", true },
+  { "hipnos.net", true },
   { "hippies.com.br", true },
   { "hippo.ge", true },
   { "hippomovers.com", true },
   { "hippopotamuses.org", true },
   { "hips.com", true },
   { "hipstercat.fr", true },
-  { "hiqfleet.co.uk", true },
   { "hiqfranchise.co.uk", true },
   { "hiqhub.co.uk", false },
   { "hiqonline.co.uk", true },
@@ -16773,20 +17367,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hiring-process.com", true },
   { "hiromuogawa.com", true },
   { "hirotaka.org", true },
-  { "hirte-digital.de", true },
   { "hirtzfr.eu", true },
   { "hirzaconsult.ro", true },
   { "hisbrucker.net", true },
   { "hisgifts.com.au", true },
   { "hisingensck.se", true },
+  { "hisnet.de", true },
   { "hispanic.dating", true },
   { "histocamp.de", true },
   { "histoire-cite.ch", true },
   { "historia-arte.com", true },
   { "history-schools.com", true },
   { "history.google.com", false },
+  { "history.gov", true },
   { "hitandhealth.nl", true },
   { "hiteco.com", true },
+  { "hiteshbrahmbhatt.com", true },
   { "hititgunesi-tr.com", true },
   { "hitmanstat.us", true },
   { "hitn.at", true },
@@ -16795,6 +17391,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hitokoto-mania.com", true },
   { "hitokoto.cn", true },
   { "hitomecha.com", true },
+  { "hitrek.ml", true },
   { "hitter-lauzon.com", true },
   { "hitter.family", true },
   { "hitterfamily.com", true },
@@ -16811,6 +17408,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hj-mosaiques.be", true },
   { "hj.rs", true },
   { "hj3455.com", true },
+  { "hj99vip.com", true },
   { "hjartasmarta.se", true },
   { "hjkbm.cn", true },
   { "hjort.land", true },
@@ -16818,10 +17416,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hjphoto.co.uk", true },
   { "hjtky.cn", true },
   { "hjw-kunstwerk.de", true },
+  { "hjyl9898.com", true },
   { "hk.search.yahoo.com", false },
   { "hkbsurgery.com", true },
   { "hkdobrev.com", true },
   { "hkr.at", true },
+  { "hks-projekt.at", true },
   { "hks.pw", true },
   { "hktkl.com", true },
   { "hkustmbajp.com", true },
@@ -16838,6 +17438,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hlsmandarincentre.com", true },
   { "hlucas.de", true },
   { "hm773.net", true },
+  { "hm773.org", true },
   { "hmcdj.cn", true },
   { "hmhotelec.com", false },
   { "hmoegirl.com", true },
@@ -16847,13 +17448,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hnfertilizermachine.com", true },
   { "hnn.net.br", true },
   { "hnonline.sk", true },
-  { "hnwebi.com", true },
+  { "hnrk.io", true },
   { "hnyp.hu", true },
   { "hoaas.no", true },
   { "hoahau.org", true },
   { "hoarding.me", true },
   { "hobby-drechselei.de", true },
   { "hobbyspeed.com", true },
+  { "hochdorf-tennis.de", true },
   { "hochhaus.us", true },
   { "hochoukikikiraku.com", true },
   { "hochyi.com", true },
@@ -16872,28 +17474,29 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hoeren.club", true },
   { "hoesnelwasik.nl", true },
   { "hoeveiligismijn.nl", true },
-  { "hoevenstein.nl", true },
+  { "hoevenstein.nl", false },
   { "hoewler.ch", true },
   { "hoezzi.nl", true },
   { "hof-mulin.ch", true },
   { "hofapp.de", true },
   { "hofauer.de", true },
   { "hoflerlawfirm.com", true },
+  { "hogarthdavieslloyd.com", true },
+  { "hoge.se", true },
+  { "hogepad.com", true },
   { "hogl.dk", true },
   { "hogrebe.de", true },
   { "hogwarts.io", true },
   { "hohenleimbach.de", true },
-  { "hohm.in", true },
   { "hoikuen-now.top", true },
   { "hoiquanadida.com", true },
   { "hoish.in", true },
   { "hoken-wakaru.jp", true },
   { "hokieprivacy.org", true },
-  { "hokify.at", true },
-  { "hokify.ch", true },
-  { "hokify.de", true },
   { "hokioisecurity.com", true },
   { "holad.de", true },
+  { "holadinero.es", true },
+  { "holadinero.mx", true },
   { "holboxwhalesharktours.com", true },
   { "holebedeljek.hu", true },
   { "holidaysportugal.eu", true },
@@ -16912,9 +17515,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "holo.ovh", true },
   { "holodeck.us", true },
   { "holofono.com", true },
+  { "holofox.ru", true },
   { "holoxplor.space", true },
-  { "holstphoto.com", true },
   { "holvonix.com", true },
+  { "holy-hi.com", false },
   { "holycrossphl.org", true },
   { "holycrossverobeach.org", true },
   { "holydragoon.jp", true },
@@ -16929,6 +17533,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "holytransaction.com", true },
   { "holywhite.com", true },
   { "holz.nu", true },
+  { "holzed.com", true },
   { "holzheizer-forum.de", true },
   { "holzheizerforum.de", true },
   { "holzschutz-holzbearbeitung.de", true },
@@ -16937,8 +17542,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "holzundgarten.de", true },
   { "holzvergaser-forum.de", true },
   { "homatism.com", true },
+  { "hombresconestilo.com", true },
   { "home-handymen.co.uk", true },
-  { "home-insurance-quotes.tk", true },
   { "homeautomated.com", true },
   { "homebasedsalons.com.au", true },
   { "homebodyalberta.com", true },
@@ -16963,6 +17568,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "homes-in-stockton.com", true },
   { "homeseller.com", true },
   { "homeserver-kp.de", true },
+  { "homestay.id", true },
   { "homesteadandprepper.com", true },
   { "homesteadfarm.org", true },
   { "homewatt.co.uk", true },
@@ -16970,6 +17576,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hommeatoutfaire.be", true },
   { "homophoni.com", true },
   { "hompus.nl", false },
+  { "homunyan.com", true },
   { "homyremedies.com", true },
   { "hon-matsuba.co.jp", true },
   { "honda-centrum.cz", true },
@@ -16990,6 +17597,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hoodtrader.com", true },
   { "hoofddorp-centraal.nl", true },
   { "hookany.com", true },
+  { "hookbin.com", true },
   { "hoooc.com", true },
   { "hooowl.com", true },
   { "hoop.la", true },
@@ -16997,20 +17605,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hooplessinseattle.com", true },
   { "hooray.beer", true },
   { "hoorr.com", true },
+  { "hoosa.de", true },
   { "hootworld.net", false },
   { "hoovism.com", true },
   { "hoowhen.cn", true },
   { "hopconseils.ch", true },
   { "hopconseils.com", true },
   { "hope-line-earth.jp", true },
+  { "hopemeet.info", true },
+  { "hopemeet.me", true },
   { "hopesanddreams.org.uk", true },
   { "hopla.sg", true },
   { "hoplongtech.com", true },
   { "hoponmedia.de", true },
   { "hopps.me", true },
   { "hoppyx.com", true },
+  { "hopzone.net", true },
   { "hor.website", true },
   { "horaceli.com", true },
+  { "horackova.info", true },
   { "horairetrain.fr", true },
   { "hord.ca", true },
   { "horecaapparatuurkobezuijen.nl", true },
@@ -17043,7 +17656,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hospitality-colleges.com", true },
   { "hostadvice.com", true },
   { "hostarea51.com", true },
-  { "hostcoz.com", true },
   { "hosteasy.nl", false },
   { "hostedcomments.com", true },
   { "hostedtalkgadget.google.com", true },
@@ -17058,20 +17670,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hostinglogin.net", true },
   { "hostingphp.ch", true },
   { "hostingpunt.be", true },
+  { "hostingsams.com", true },
   { "hostingsolutions.cz", true },
   { "hostix.de", true },
   { "hostma.ma", true },
   { "hostmark.pl", true },
-  { "hostme.co.il", false },
+  { "hostme.co.il", true },
   { "hostmijnpagina.nl", true },
   { "hostmodern.com.au", true },
   { "hosts.cf", true },
-  { "hostserv.org", true },
   { "hostworkz.com", true },
   { "hotcandlestick.com", true },
   { "hotchillibox.com", true },
   { "hotcoin.io", true },
   { "hotdoc.com.au", true },
+  { "hotel-alan.hr", true },
   { "hotel-kontorhaus-stralsund.de", true },
   { "hotel-kontorhaus.de", true },
   { "hotel-kronjuwel.de", true },
@@ -17080,11 +17693,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hotel-rosner.at", true },
   { "hotelamgarnmarkt.at", false },
   { "hotelarevalo.com", true },
+  { "hotelbonacabol.com", true },
+  { "hotelbretagne.dk", true },
   { "hotelcoliber.pl", true },
+  { "hotelelaphusabrac.com", true },
+  { "hoteles4you.com", true },
   { "hotelflow.com.br", true },
   { "hotelident.de", true },
-  { "hotello.io", true },
+  { "hotelkaj.hr", true },
   { "hotelmap.com", true },
+  { "hotelmarinaadria.com", true },
+  { "hotelneptundalmatien.com", true },
   { "hotelpostaorvieto.it", true },
   { "hotelromacuernavaca.com.mx", true },
   { "hotels-insolites.com", true },
@@ -17093,6 +17712,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hotelsinbuxton.com", true },
   { "hotelsinformer.com", true },
   { "hotelsinncoventry.com", true },
+  { "hotelsolinebrela.com", true },
   { "hotelvalena.com", true },
   { "hotelvillaluisa.de", true },
   { "hothbricks.com", true },
@@ -17112,12 +17732,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "house-sparrow.com", true },
   { "houseboydesigns.com", true },
   { "housekeeperlondon.co.uk", true },
+  { "houselocal.co.uk", true },
   { "houseofherbs.gr", true },
   { "houseofhouston.com", true },
   { "houseofyee.com", true },
   { "houser.lu", true },
   { "housese.at", true },
-  { "housetalk.ru", true },
   { "houstonapartmentinsiders.com", true },
   { "houstonauthorizedrepair.com", true },
   { "houstoncreditlaw.com", true },
@@ -17130,19 +17750,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "howbehealthy.com", true },
   { "howbigismybuilding.com", true },
   { "howellaccounts.co.uk", true },
+  { "howesky.com", true },
   { "howgoodwasmysex.com", true },
   { "howieisawesome.com", true },
   { "howlongtobeatsteam.com", true },
   { "howmanymilesfrom.com", true },
   { "howsecureismypassword.net", true },
   { "howsmyssl.com", true },
-  { "howsmytls.com", true },
   { "howsyourhealth.org", true },
   { "howtocommunicate.com.au", true },
   { "howtogeek.com", true },
   { "howtogeekpro.com", true },
   { "howtogosolar.org", true },
   { "howtolaser.com", true },
+  { "howtomovetheneedle.com", true },
   { "howtoteachviolin.com", true },
   { "howtotech.de", true },
   { "hozana.si", false },
@@ -17151,15 +17772,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hpac-portal.com", true },
   { "hpage.com", true },
   { "hpbn.co", true },
-  { "hpepub.com", true },
   { "hpisavageforum.com", true },
   { "hpkp-faq.de", true },
-  { "hpnow.com.br", true },
+  { "hps.digital", true },
   { "hps.hu", true },
+  { "hpsdigital.hu", true },
+  { "hqhh.org", true },
   { "hquest.pro.br", true },
   { "hqwebhosting.tk", false },
+  { "hqy.moe", true },
   { "hr-tech.shop", true },
-  { "hr98.xyz", true },
   { "hrabogados.com", true },
   { "hraesvelg.net", true },
   { "hranicka.cz", true },
@@ -17168,8 +17790,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hrdns.de", false },
   { "href.one", true },
   { "hreflang.info", true },
-  { "hrjfeedstock.com", true },
   { "hrjfeedstock.org", true },
+  { "hrltech.com.br", true },
+  { "hro.to", true },
+  { "hrobert.hu", true },
   { "hroling.nl", true },
   { "hroschyk.cz", true },
   { "hrsa.gov", true },
@@ -17182,22 +17806,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hs-umformtechnik.de", true },
   { "hsappstatic.net", true },
   { "hscorp.de", true },
-  { "hsex.tv", true },
   { "hsivonen.com", true },
   { "hsivonen.fi", true },
   { "hsivonen.iki.fi", true },
   { "hsmr.cc", true },
-  { "hsn.com", true },
   { "hsr.gov", false },
   { "hsts.eu", true },
   { "hsts.me", true },
+  { "hsts.ovh", true },
   { "hstsfail.appspot.com", true },
   { "hstspreload.appspot.com", true },
   { "hstspreload.com", true },
   { "hstspreload.de", true },
   { "hstspreload.org", true },
-  { "hsulei.com", true },
   { "hszemi.de", true },
+  { "ht.mk", true },
   { "htaccessbook.com", true },
   { "htaps.com", true },
   { "hte.ovh", true },
@@ -17210,7 +17833,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "htmlyse.com", true },
   { "htmue.net", true },
   { "htmue.org", true },
-  { "htp2.top", true },
   { "htsure.ma", true },
   { "http2.eu", true },
   { "http2.pro", true },
@@ -17237,7 +17859,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hu8hu8.com", true },
   { "huagati.com", true },
   { "huahinpropertylisting.com", true },
-  { "huang-haitao.com", true },
+  { "hualao.co", true },
+  { "huang.nu", true },
+  { "huangh.com", true },
+  { "huangjia71.com", true },
+  { "huangjia72.com", true },
+  { "huangjia73.com", true },
+  { "huangjia74.com", true },
+  { "huangjia75.com", true },
+  { "huangjia76.com", true },
+  { "huangjia77.com", true },
+  { "huangjia78.com", true },
+  { "huangjia79.com", true },
+  { "huangjia99.com", true },
   { "huangjiaint.com", true },
   { "huangjingjing.com", true },
   { "huangliangbo.com", true },
@@ -17247,6 +17881,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hub.org.ua", true },
   { "hub385.com", true },
   { "hubapi.com", true },
+  { "hubchain.com", true },
+  { "hubchain.com.br", true },
+  { "hubchain.fr", true },
+  { "hubchain.io", true },
+  { "hubchain.org", true },
   { "huber-informatik.de", true },
   { "hubok.net", true },
   { "hubspot.com", true },
@@ -17272,6 +17911,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "huguesditciles.com", true },
   { "huh.gdn", true },
   { "huh.today", true },
+  { "huihui.moe", true },
   { "huininga.com", true },
   { "huininga.nl", true },
   { "huininga.org", true },
@@ -17327,7 +17967,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "humexe.com", true },
   { "hummy.tv", true },
   { "humorcaliente.com", true },
-  { "humorce.com", false },
   { "humpchies.com", true },
   { "humpen.se", true },
   { "humppakone.com", true },
@@ -17335,12 +17974,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hundeformel.de", true },
   { "hundesport-psvhalle.de", true },
   { "hundeverwaltung.de", true },
+  { "hundhausen.de", true },
   { "hundter.com", true },
   { "hunger.im", true },
-  { "huniverse.co", true },
   { "hunstoncanoeclub.co.uk", true },
+  { "hunter-read.com", true },
   { "hunter.io", true },
-  { "hunterjohnson.io", true },
   { "hunterkehoe.com", true },
   { "huntexpired.com", true },
   { "huntingdonbouncers.co.uk", true },
@@ -17353,7 +17992,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hupp.se", true },
   { "hurd.is", true },
   { "huren.nl", true },
-  { "hurleyhomestead.com", true },
   { "huroji.com", true },
   { "hurtigtinternet.dk", true },
   { "husakbau.at", true },
@@ -17374,7 +18012,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "huynhviet.com", true },
   { "huyvu.nl", true },
   { "hvdbox.de", true },
-  { "hveradistributions.com", true },
   { "hverdagogkink.no", true },
   { "hvh.no", true },
   { "hvmk.nl", true },
@@ -17382,12 +18019,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hvtuananh.com", true },
   { "hwaddress.com", true },
   { "hwag-pb.de", true },
-  { "hwinfo.com", true },
   { "hwlibre.com", true },
   { "hx53.de", true },
   { "hxp.io", true },
   { "hxsf.me", true },
   { "hxying.com", true },
+  { "hy1.com", true },
   { "hybridworx.com", true },
   { "hybridworx.de", true },
   { "hybridworx.eu", true },
@@ -17410,7 +18047,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hylemorphica.org", true },
   { "hynek.me", true },
   { "hyparia.fr", true },
+  { "hyparia.org", true },
   { "hype.ru", true },
+  { "hypeitems.pl", true },
   { "hypemgmt.com", true },
   { "hyper-text.org", true },
   { "hyperactive.am", true },
@@ -17429,12 +18068,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "hypotheekbond.nl", true },
   { "hypothes.is", true },
   { "hypothyroidmom.com", true },
+  { "hyr.mn", true },
   { "hysh.jp", true },
-  { "hytzongxuan.com", true },
   { "hyundai.no", true },
   { "hyvanilmankampaamo.fi", true },
+  { "hyvanolonterapia.fi", true },
   { "hyvinvointineuvoja.fi", true },
   { "hztgzz.com", true },
+  { "i--b.com", true },
+  { "i-0v0.in", true },
   { "i-aloks.ru", true },
   { "i-geld.de", true },
   { "i-hakul.net", true },
@@ -17452,11 +18094,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "i1314.gdn", true },
   { "i1place.com", true },
   { "i2b.ro", true },
+  { "i2gether.org.uk", true },
   { "i5y.co.uk", true },
   { "i5y.org", true },
   { "i66.me", true },
   { "i879.com", true },
-  { "i95.me", false },
+  { "i9s.in", true },
+  { "ia.cafe", true },
   { "ia.net", true },
   { "iaco.li", true },
   { "iacono.com.br", false },
@@ -17479,12 +18123,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iamhansen.xyz", true },
   { "iaminashittymood.today", true },
   { "iamjoshellis.com", true },
-  { "iamlbk.com", true },
-  { "iamlizu.com", true },
-  { "iamlzh.com", true },
   { "iamtheib.me", true },
   { "iamtonyarthur.com", true },
-  { "iamusingtheinter.net", true },
+  { "iamusingtheinter.net", false },
   { "iamwoodbeard.com", true },
   { "ianbrault.com", true },
   { "iandouglasscott.com", true },
@@ -17507,6 +18148,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ibauruapan.com.mx", true },
   { "ibcmed.org", true },
   { "ibe.de", true },
+  { "ibeep.com", true },
   { "iberiaversicherungen.com", true },
   { "ibericaderedes.es", true },
   { "ibexcore.com", true },
@@ -17515,30 +18157,31 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ibiz.mk", true },
   { "iblackfriday.ro", true },
   { "ibodyiq.com", true },
+  { "ibps-recruitment.in", true },
   { "ibrainmedicine.org", true },
   { "ibrom.eu", true },
   { "ibstyle.tk", true },
   { "ibuki.run", true },
+  { "ibutikk.no", true },
   { "ibwc.gov", true },
   { "ibykos.com", true },
   { "ic-lighting.com.au", true },
   { "ic-spares.com", true },
   { "ic3.gov", true },
   { "icafecash.com", true },
-  { "icake.life", true },
   { "icanhasht.ml", true },
   { "icarlos.net", true },
   { "icasture.top", true },
-  { "icbemp.gov", true },
   { "iccpublisher.com", true },
   { "ice.xyz", true },
   { "iceberg.academy", true },
   { "icebook.co.uk", true },
   { "icecars.net", true },
+  { "icecontrol.ro", true },
   { "icedream.tech", true },
   { "icetiger.eu", true },
+  { "ich-hab-die-schnauze-voll-von-der-suche-nach-ner-kurzen-domain.de", true },
   { "ich-tanke.de", true },
-  { "ichasco.com", true },
   { "ichbinein.org", true },
   { "ichbinkeinreh.de", true },
   { "ichmachdas.net", true },
@@ -17547,7 +18190,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "icloudlogin.com", true },
   { "icmhd.ch", true },
   { "icmp2018.org", true },
-  { "icmshoptrend.com", true },
+  { "icnsoft.cf", true },
+  { "icnsoft.ml", true },
   { "icobench.com", true },
   { "icodeconnect.com", true },
   { "icoh.it", true },
@@ -17560,6 +18204,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "icsfinomornasco.it", true },
   { "ict-concept.nl", false },
   { "ict-crew.nl", true },
+  { "ict-helpteam.nl", true },
   { "ict-radar.com", true },
   { "ict-radar.nl", true },
   { "ictcareer.ch", true },
@@ -17576,17 +18221,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "id0-rsa.pub", true },
   { "id7.fr", true },
   { "idaeus.eu", true },
+  { "idafauziyah.com", true },
   { "idahoansforliberty.net", true },
   { "idarv.com", true },
   { "idaspis.com", true },
   { "idatha.de", true },
-  { "idblab.tk", true },
   { "idc-business.be", true },
   { "idconsult.nl", true },
   { "idealimplant.com", true },
   { "idealinflatablehire.co.uk", true },
   { "idealninajemce.cz", false },
-  { "idealsegurancaeletronica.com.br", true },
+  { "idealsegurancaeletronica.com.br", false },
   { "idealtruss.com", true },
   { "idealtruss.com.tw", true },
   { "idealwhite.space", true },
@@ -17595,7 +18240,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ideashop.com", true },
   { "ideaweb.de", true },
   { "idenamaislami.com", true },
-  { "idensys.nl", false },
+  { "idensys.nl", true },
   { "ident-clinic.be", true },
   { "identassist.com", true },
   { "identifyme.net", true },
@@ -17612,6 +18257,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "idgard.de", false },
   { "idgateway.co.uk", true },
   { "idhosts.co.id", true },
+  { "idid.tk", true },
   { "idiotentruppe.de", true },
   { "idisposable.co.uk", true },
   { "idlethoughtsandramblings.com", true },
@@ -17621,11 +18267,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "idoc24.com", true },
   { "idodiandina.com", true },
   { "idolf.dk", true },
-  { "idolish7.fun", true },
+  { "idolish7.fun", false },
   { "idolknow.com", true },
   { "idolshop.dk", true },
   { "idolshop.me", true },
   { "idontplaydarts.com", true },
+  { "idoparadoxon.hu", true },
   { "idranktoomuch.coffee", true },
   { "idratherbequilting.com", true },
   { "idraulico-roma.it", true },
@@ -17633,11 +18280,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "idraulico.roma.it", true },
   { "idrinktoomuch.coffee", true },
   { "idrissi.eu", true },
+  { "idrottsnaprapaten.se", true },
   { "idrycleaningi.com", true },
   { "idtheft.gov", true },
   { "idubaj.cz", true },
   { "idunno.org", true },
-  { "idvl.de", true },
   { "idxforza.com", true },
   { "ie.search.yahoo.com", false },
   { "iea-annex61.org", true },
@@ -17646,11 +18293,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ieeesb.nl", true },
   { "ieeesbe.nl", true },
   { "ieeespmb.org", true },
-  { "ieji.de", false },
-  { "iemas.azurewebsites.net", true },
+  { "ieffalot.me", true },
+  { "ieji.de", true },
   { "iemb.tk", true },
   { "ienakanote.com", false },
   { "ies-italia.it", true },
+  { "iesonline.co.in", true },
   { "ieval.ro", true },
   { "iewar.com", true },
   { "ifangpei.cn", true },
@@ -17666,7 +18314,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ifightsurveillance.org", true },
   { "ifixe.ch", true },
   { "iflare.de", true },
-  { "ifly.pw", true },
   { "ifort.fr", true },
   { "ifosep.fr", true },
   { "ifoss.me", true },
@@ -17710,11 +18357,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ih8sn0w.com", true },
   { "ihacklabs.com", true },
   { "ihakkitekin.com", true },
-  { "ihatethissh.it", true },
-  { "ihcr.top", true },
+  { "ihcprofile.com", true },
+  { "iheartmary.org", true },
   { "ihkk.net", true },
   { "ihls.stream", true },
   { "ihls.world", true },
+  { "ihmphila.org", true },
   { "ihoey.com", true },
   { "ihollaback.org", true },
   { "ihopeit.works", true },
@@ -17722,15 +18370,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ihotel.io", false },
   { "ihrhost.com", true },
   { "ihtdenisjaccard.com", true },
+  { "ihuan.me", true },
   { "ii74.com", true },
   { "iiit.pl", true },
   { "iimarckus.org", true },
-  { "iiong.com", false },
+  { "iiong.com", true },
   { "iirii.com", true },
   { "iix.se", true },
   { "ijm.io", true },
   { "ijohan.nl", true },
-  { "ijr.com", true },
+  { "ijsbaanwitten.nl", true },
   { "ijsblokjesvormen.nl", true },
   { "ijsclubtilburg.nl", true },
   { "ijsclubwanneperveen.nl", true },
@@ -17751,13 +18400,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ikk.me", true },
   { "ikkatsu-satei.jp", true },
   { "ikkbb.de", true },
+  { "ikke-coach.nl", true },
   { "ikkev.de", true },
   { "ikkoku.de", true },
   { "iklive.org", false },
-  { "ikraenglish.com", true },
+  { "ikraenglish.com", false },
+  { "iktisatbank.com", true },
   { "ikulist.me", true },
   { "ikumi.us", true },
-  { "ikuuuu.com", true },
   { "ikvts.de", true },
   { "ikwilthepiratebay.org", true },
   { "ikxkx.com", true },
@@ -17769,11 +18419,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ilamparas.com.ve", true },
   { "ilamparas.mx", true },
   { "ilard.fr", true },
-  { "ilazycat.com", true },
   { "ile-kalorii.pl", true },
   { "ile-sapporo.jp", true },
   { "ileci.de", true },
   { "ilektronika-farmakeia-online.gr", true },
+  { "ilemonrain.com", true },
+  { "ilformichiere.com", true },
   { "ilhan.name", true },
   { "ilhansubasi.com", true },
   { "iliastsi.net", true },
@@ -17781,7 +18432,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iligang.com", true },
   { "iligang.link", true },
   { "iligang.xin", true },
+  { "ilkeakyildiz.com", true },
   { "illambias.ch", true },
+  { "illative.net", true },
   { "illegalpornography.com", true },
   { "illegalpornography.me", true },
   { "illerzell.de", true },
@@ -17793,6 +18446,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "illsley.org", true },
   { "illumed.net", true },
   { "illuminationis.com", true },
+  { "illuminatisofficial.org", true },
   { "illusionephemere.com", true },
   { "illusionunlimited.com", true },
   { "illustrate.biz", true },
@@ -17809,6 +18463,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ilrg.com", true },
   { "iltec-prom.ru", true },
   { "iltec.ru", true },
+  { "iltuogiardino.org", true },
   { "ilweb.es", true },
   { "ilya.pp.ua", true },
   { "im-c-shop.com", true },
@@ -17824,7 +18479,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "imagebin.ca", true },
   { "imagefu.com", true },
   { "imageination.co", true },
-  { "imagenesdedibujosalapizfacilesdehacer.com", true },
   { "imagerive.ch", true },
   { "imagescostumes.com", true },
   { "imaginair.es", true },
@@ -17838,7 +18492,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "imanesdeviaje.com", true },
   { "imanolbarba.net", true },
   { "imap2imap.de", true },
-  { "imaple.org", true },
   { "imarkethost.co.uk", true },
   { "imask.ml", true },
   { "imawhale.com", true },
@@ -17852,7 +18505,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "imedikament.de", true },
   { "imeds.pl", true },
   { "imefuniversitario.org", true },
-  { "imeid.de", true },
+  { "imeid.de", false },
   { "imex-dtp.com", true },
   { "imforza.com", true },
   { "img.mg", true },
@@ -17873,18 +18526,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "imjustcreative.com", true },
   { "imkerei-freilinger.de", false },
   { "imkerverein-moenchswald.de", true },
-  { "imlinan.com", true },
+  { "immarypoppinsyall.tk", true },
   { "immaterium.de", true },
   { "immatix.xyz", true },
+  { "immersa.co.uk", true },
   { "immersion-pictures.com", true },
-  { "immersivewebportal.com", true },
+  { "immersionwealth.com", true },
   { "immigrantdad.com", true },
   { "immigrationdirect.com.au", true },
-  { "immo-agentur.com", true },
+  { "immo-agentur.com", false },
   { "immo-passion.net", true },
+  { "immo-vk.de", true },
   { "immobilien-badlippspringe.de", true },
   { "immobilien-in-istanbul.de", true },
   { "immobilien-zirm.de", true },
+  { "immobiliengutachter-holland.de", true },
   { "immobilier-nice.fr", true },
   { "immobilier92.net", true },
   { "immobiza.com", false },
@@ -17901,7 +18557,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "impas.se", true },
   { "impelup.com", true },
   { "impendulo.org", true },
-  { "imperdin.com", true },
+  { "impera.at", true },
   { "imperial-legrand.com", true },
   { "imperialmiami.com", true },
   { "imperiodigital.online", true },
@@ -17932,15 +18588,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "impyus.com", true },
   { "imququ.com", true },
   { "imreh.net", true },
+  { "imrejonk.nl", true },
   { "imrunner.com", true },
   { "imrunner.ru", true },
   { "ims-sargans.ch", true },
   { "imscompany.com", true },
+  { "imtikai.ml", true },
   { "imwalking.de", true },
   { "imwnk.cn", true },
-  { "imydl.com", true },
   { "imydl.tech", true },
-  { "imyjy.cn", true },
   { "imyrs.cn", true },
   { "imyunya.com", true },
   { "imyvm.com", true },
@@ -17955,11 +18611,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "inanyevent.london", true },
   { "inares.org", true },
   { "inbitcoin.it", true },
-  { "inbounder.io", true },
+  { "inbounder.io", false },
   { "inbox-group.com", true },
   { "inbox.google.com", true },
   { "inbulgaria.info", true },
   { "incarna.co", true },
+  { "incco.ir", true },
   { "incert.cn", true },
   { "incertint.com", true },
   { "inchcape-fleet-autobid.co.uk", true },
@@ -17971,8 +18628,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "includesubdomains2.preloaded.test", true },
   { "incoherent.ch", true },
   { "incommon.io", true },
+  { "incompliance.de", true },
   { "inconcerts.de", true },
   { "incontrixsingle.net", true },
+  { "incore.nl", true },
   { "incowrimo.org", true },
   { "incparadise.net", true },
   { "incubos.org", true },
@@ -17986,9 +18645,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "index-mp3.com", true },
   { "indiaflowermall.com", true },
   { "indian-elephant.com", true },
+  { "indianaantlersupply.com", true },
   { "indianaberry.com", true },
   { "indianafoundationpros.com", true },
+  { "indianamoldrepairpros.com", true },
   { "indianapolislocksmithinc.com", true },
+  { "indianawaterdamagerepairpros.com", true },
   { "indiatrademarkwatch.com", true },
   { "indiayogastudio.net", true },
   { "indicateurs-flash.fr", true },
@@ -18000,16 +18662,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "indigoinflatables.com", true },
   { "indigosakura.com", true },
   { "indigotreeservice.com", true },
+  { "indika.pe", true },
+  { "indio.co.jp", true },
   { "inditip.com", true },
-  { "indogerman.de", false },
   { "indogermanstartup.com", true },
-  { "indogermantrade.de", true },
   { "indoorcomfortteam.com", true },
-  { "indoorplantsexpert.com", true },
   { "indovinabank.com.vn", true },
   { "indusap.com", true },
   { "indusfastremit-us.com", true },
-  { "indusfastremit.com", true },
   { "indust.me", true },
   { "industriafranchini.com", true },
   { "industrialstarter.com", true },
@@ -18020,15 +18680,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ineed.coffee", false },
   { "inertianetworks.com", true },
   { "inesfinc.es", true },
+  { "inessoftsec.be", true },
   { "inesta.nl", true },
   { "inet.se", true },
+  { "inethost.eu", true },
   { "inetserver.eu", true },
   { "inetsoftware.de", true },
-  { "inevitavelbrasil.com.br", true },
   { "inf-fusion.ca", true },
   { "inference.biz.tr", true },
   { "infermiere.roma.it", true },
   { "inff.info", true },
+  { "inffin-portal.de", true },
+  { "inffin-tec.de", true },
   { "inficom.org", true },
   { "infinite.hosting", true },
   { "infinitegroup.info", true },
@@ -18037,7 +18700,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "infinitiofaugustaparts.com", true },
   { "infinitioflynnwoodparts.com", true },
   { "infinitomaisum.com", true },
-  { "infinity.to", true },
   { "infinitybas.com", true },
   { "infinitybc.se", true },
   { "infinityengine.org", true },
@@ -18059,39 +18721,41 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "info-screen.me", true },
   { "info-screw.com", true },
   { "infobae.com", true },
+  { "infobrain.net", true },
   { "infocity-tech.fr", true },
   { "infocommsociety.com", true },
   { "infocon.org", true },
   { "infocusvr.net", true },
+  { "infoduv.fr", true },
   { "infogram.com", true },
   { "infogrfx.com", true },
   { "infomegastore.com", true },
   { "infomir.eu", true },
   { "infomisto.com", true },
-  { "infopagina.es", true },
   { "infopier.sg", true },
   { "infopulsa.com", true },
   { "infopuntzorg.nl", true },
   { "infor-allaitement.be", true },
+  { "inforaga.com", true },
   { "informaciondeciclismo.com", true },
   { "informatiebeveiliging.nl", true },
   { "informatik-handwerk.de", true },
   { "informationrx.org", true },
+  { "informations-echafaudages.com", true },
   { "informhealth.com", true },
   { "informnapalm.org", true },
   { "infosec-handbook.eu", true },
   { "infosec.exchange", false },
   { "infosec.pizza", true },
   { "infosec.wiki", true },
+  { "infosectalks.com", true },
   { "infosenior.ch", true },
-  { "infosimmo.com", true },
   { "infotainworld.com", true },
-  { "infotolium.com", true },
+  { "infotolium.com", false },
   { "infotrac.net", true },
   { "infotune.nl", true },
   { "infovision-france.com", true },
   { "infoweb.ee", true },
-  { "infr.red", true },
   { "infra.land", true },
   { "infra.press", true },
   { "infrabeep.com", true },
@@ -18110,8 +18774,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "infranium.net", true },
   { "infranium.org", true },
   { "infranotes.com", true },
+  { "infranoto.com", true },
   { "infranox.com", true },
   { "infrapass.com", true },
+  { "infrapeer.com", true },
   { "infrapilot.com", true },
   { "infraping.com", true },
   { "infrapirtis.lt", true },
@@ -18138,12 +18804,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "inglebycakes.co.uk", true },
   { "inglesnarede.com.br", true },
   { "ingo-schlueter.de", true },
+  { "ingolonde.pw", true },
   { "ingoschlueter.de", true },
   { "ingredientdaddy.ro", true },
   { "inhaltsangabe.de", true },
   { "inheritestate.com", true },
   { "inhouseents.co.uk", true },
-  { "iniiter.com", true },
   { "inima.org", true },
   { "inios.fr", true },
   { "inishbofin.ie", true },
@@ -18174,6 +18840,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "innersafe.com", true },
   { "inno.ch", true },
   { "innocenceseekers.net", true },
+  { "innogen.fr", true },
   { "innohb.com", true },
   { "innolabfribourg.ch", true },
   { "innoloop.com", true },
@@ -18181,11 +18848,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "innot.net", true },
   { "innotas.com", true },
   { "innoteil.com", true },
+  { "innotel.com.au", true },
   { "innovaptor.at", true },
   { "innovaptor.com", true },
   { "innovate-indonesia.com", true },
   { "innovation-workshop.ro", true },
   { "innovation.gov", false },
+  { "innover.se", true },
   { "innovum.cz", false },
   { "innsalzachsingles.de", true },
   { "innwan.com", true },
@@ -18194,6 +18863,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "inovat.ma", true },
   { "inovatecsystems.com", true },
   { "inpas.co.uk", true },
+  { "inputmag.com", true },
   { "inquant.de", true },
   { "ins-kreativ.de", true },
   { "ins.to", true },
@@ -18201,6 +18871,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "insblauehinein.nl", true },
   { "inscomers.net", true },
   { "inscripcionessena.com", true },
+  { "insecret.co.ua", true },
+  { "insecret.com.ua", true },
+  { "insecret.trade", true },
   { "insecure.org.je", true },
   { "insertcoins.net", true },
   { "insgesamt.net", true },
@@ -18219,9 +18892,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "insignificant.space", true },
   { "insinuator.net", true },
   { "insistel.com", true },
+  { "insofttransfer.com", true },
   { "insolent.ch", true },
   { "insolved.com", true },
   { "insping.com", true },
+  { "inspirationalquotesuk.co.uk", true },
   { "inspired-creations.co.za", true },
   { "inspired-lua.org", true },
   { "inspiredrealtyinc.com", true },
@@ -18237,6 +18912,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "instant-thinking.de", true },
   { "instant.io", true },
   { "instantkhabar.com", true },
+  { "instantluxe.cn", true },
+  { "instantluxe.co.uk", true },
+  { "instantluxe.com", true },
+  { "instantluxe.de", true },
+  { "instantluxe.it", true },
+  { "instantphotocamera.com", true },
+  { "instantphotoprinter.com", true },
   { "instava.cz", true },
   { "instead.com.au", true },
   { "insteagle.com", true },
@@ -18247,29 +18929,33 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "instinctiveads.com", true },
   { "institut-confucius-montpellier.org", true },
   { "institutmaupertuis.hopto.org", true },
+  { "institutogiuseppe.com", true },
+  { "institutogiuseppe.com.ar", true },
   { "institutolancaster.com", true },
   { "instrumart.ru", false },
   { "insult.es", true },
   { "insurance321.com", true },
   { "insureon.com", true },
   { "insurgentsmustdie.com", true },
+  { "int64software.com", true },
   { "intae.it", true },
   { "intafe.co.jp", true },
   { "intal.info", true },
   { "intarweb.ca", true },
   { "intasky.cz", true },
   { "intasky.sk", true },
-  { "integraelchen.de", true },
   { "integralblue.com", true },
   { "integralkk.com", true },
   { "integratedintegrations.xyz", true },
   { "integratedmedicalonline.com", true },
   { "integrateur-web-paris.com", true },
   { "integrity.gov", true },
+  { "integrityfortcollins.com", true },
   { "integrityokc.com", true },
   { "integrityoklahoma.com", true },
   { "integrogroup.com", true },
   { "integromat.com", true },
+  { "integroof.com", true },
   { "intelhost.cl", true },
   { "intelhost.com", true },
   { "intelhost.com.ar", true },
@@ -18280,33 +18966,37 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "intellar.com", true },
   { "intellectdynamics.com", true },
   { "intelligence-explosion.com", true },
+  { "intelligenetics.com", true },
   { "intellinetixvibration.com", true },
+  { "intellitonic.com", true },
   { "intelly.nl", true },
   { "intelly365.nl", true },
   { "intencje.pl", true },
   { "intensifyrsvp.com.au", true },
   { "inter-corporate.com", true },
   { "inter-culinarium.com", true },
+  { "interabbit.co", true },
   { "interaffairs.com", true },
   { "interaktiva.fi", true },
   { "interasistmen.se", true },
   { "interchangedesign.com", true },
-  { "intercom.com", true },
-  { "intercom.io", true },
   { "interessiert-uns.net", true },
   { "interfesse.net", true },
   { "interflores.com.br", true },
   { "interfug.de", true },
   { "intergozd.si", true },
+  { "interguard.net", true },
   { "interiery-waters.cz", true },
   { "interimages.fr", true },
   { "interior-design-colleges.com", true },
   { "interiordesignsconcept.com", true },
   { "interiorprofesional.com.ar", true },
   { "interisaudit.com", true },
+  { "interlijn.nl", true },
   { "interlingvo.biz", true },
   { "intermax.nl", true },
   { "intermedinet.nl", true },
+  { "intern.tax", true },
   { "internalkmc.com", true },
   { "internaluse.net", true },
   { "international-arbitration-attorney.com", true },
@@ -18314,7 +19004,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "international-nash-day.com", true },
   { "internationalfashionjobs.com", true },
   { "internationalschool.it", true },
-  { "internationalschoolnewyork.com", true },
   { "internationaltalento.it", true },
   { "internect.co.za", true },
   { "internet-aukcion.info", true },
@@ -18329,6 +19018,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "internethealthreport.org", true },
   { "internethering.de", true },
   { "internetinhetbuitengebied.nl", true },
+  { "internetmedia.si", true },
   { "internetmuseum.se", true },
   { "internetofdon.gs", true },
   { "internetoffensive.fail", true },
@@ -18357,14 +19047,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "inton.biz", true },
   { "intoparking.com", false },
   { "intpforum.com", true },
-  { "intracom.com", true },
+  { "intr0.com", true },
   { "intradayseasonals.com", true },
   { "intramanager.dk", true },
   { "intranetsec-regionra.fr", true },
   { "intraobes.com", true },
   { "intrasoft.com.au", true },
   { "intraxia.com", true },
-  { "introverted.ninja", true },
+  { "intrp.net", true },
   { "intune.life", true },
   { "intvonline.com", true },
   { "intxt.net", true },
@@ -18379,7 +19069,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "inventaire.ch", true },
   { "inventionsteps.com.au", true },
   { "inventix.nl", true },
-  { "inventoryexpress.xyz", true },
   { "inventoryimages.co.uk", true },
   { "inventoryimages.com", true },
   { "inventtatte.com", true },
@@ -18406,15 +19095,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "invisionita.com", true },
   { "invisiverse.com", true },
   { "invitacionesytarjetas.gratis", true },
-  { "invitation-factory.tk", true },
+  { "invitemember.com", true },
   { "invitescene.com", true },
   { "invitethemhome.com", true },
   { "invkao.com", true },
   { "invoiced.com", true },
   { "invoicefinance.com", true },
   { "invoicefinance.nl", true },
+  { "invoicehippo.nl", true },
   { "invuite.com", true },
+  { "inwao.com", true },
   { "inwestcorp.se", true },
+  { "inxtravel.com.br", true },
   { "inzdr.com", true },
   { "inzelabs.com", true },
   { "inzestfreunde.de", true },
@@ -18423,9 +19115,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iocheck.com", false },
   { "iochen.com", true },
   { "iocurrents.com", true },
-  { "iodev.nl", true },
   { "iodine.com", true },
-  { "ioerror.us", true },
   { "iofort.com", true },
   { "iojo.net", true },
   { "ioliver.co.uk", true },
@@ -18434,6 +19124,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iomstamps.com", true },
   { "ionlabs.kr", true },
   { "ionovia.de", true },
+  { "ionspin.com", true },
   { "ionx.co.uk", true },
   { "ioover.net", true },
   { "iosartstudios.gr", true },
@@ -18454,12 +19145,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ip6.li", false },
   { "ipad.li", true },
   { "ipadkaitori.jp", true },
-  { "ipadportfolioapp.com", true },
   { "ipal.im", true },
   { "ipal.name", true },
   { "ipal.pl", true },
   { "ipal.tel", true },
-  { "ipawind.com", true },
   { "ipcareers.net", true },
   { "ipconsulting.se", true },
   { "ipemcomodoro.com.ar", true },
@@ -18468,15 +19157,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ipfs.ink", true },
   { "ipfs.io", true },
   { "iphonekaitori.tokyo", true },
-  { "iphoneportfolioapp.com", true },
   { "iphoneunlock.nu", true },
   { "iphonote.com", true },
   { "ipintel.io", true },
-  { "iplabs.de", true },
   { "iplantom.com", true },
   { "iplayradio.net", false },
   { "ipleak.net", true },
   { "ipledgeonline.org", false },
+  { "iplog.info", false },
   { "ipmonitoring.hu", true },
   { "ipo-times.jp", true },
   { "ipokabu.net", true },
@@ -18484,12 +19172,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ipop.gr", true },
   { "iposm.net", true },
   { "ipplans.com", true },
+  { "iprcenter.gov", true },
   { "ipresent.com", true },
   { "iprim.ru", true },
   { "iproducemusic.com", true },
   { "ipsec.pl", true },
   { "ipssl.li", true },
-  { "ipstoragesolutions.com", true },
   { "ipstream.it", true },
   { "ipswitch.com.tw", true },
   { "iptvzoom.xyz", true },
@@ -18504,18 +19192,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ipv6.jetzt", true },
   { "ipv6vpn.net", true },
   { "ipv6wallofshame.com", true },
-  { "ipv8.net", true },
   { "iqboxy.com", true },
   { "iqsmn.org", true },
   { "ir1s.com", true },
   { "iramellor.com", true },
-  { "iran-geo.com", true },
   { "iranian.lgbt", true },
   { "iranianholiday.com", true },
   { "iranjeunesse.com", true },
   { "irayo.net", true },
   { "irc-results.com", true },
-  { "ircmett.de", true },
   { "irdvb.com", true },
   { "ireef.tv", true },
   { "iren.ch", true },
@@ -18524,14 +19209,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "irfan.id", true },
   { "irgendeine.cloud", true },
   { "irgit.pl", true },
+  { "irgwebsites.com", true },
   { "iridiumbrowser.de", true },
   { "iridiumflare.de", true },
   { "iriomote.com", true },
   { "iris-design.info", true },
   { "iris-insa.com", true },
+  { "irisdesideratum.com", true },
   { "irish.dating", true },
+  { "irish.radio", true },
+  { "irishradioplayer.radio", true },
   { "irisjieun.com", true },
+  { "irkfap.com", true },
   { "irland-firma.com", true },
+  { "irmag.ru", true },
   { "irmgard-woelfle.de", true },
   { "irmgardkoch.com", true },
   { "iro-iro.xyz", true },
@@ -18547,11 +19238,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iruca.co", true },
   { "is-going-to-rickroll.me", true },
   { "is-sw.net", true },
+  { "isaac.world", true },
   { "isaacdgoodman.com", true },
-  { "isaackabel.ga", true },
-  { "isaackabel.gq", true },
-  { "isaackabel.ml", true },
-  { "isaackabel.tk", true },
   { "isaackhor.com", true },
   { "isaacman.tech", true },
   { "isaacmorneau.com", true },
@@ -18567,28 +19255,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "isamiok.com", true },
   { "isara.com", true },
   { "isarklinikum.de", true },
+  { "isastylish.com", true },
   { "isavings.com", true },
   { "isayoga.de", true },
+  { "isbaseballstillon.com", true },
   { "isbc-telecom.ru", true },
   { "isbengrumpy.com", true },
   { "isc2chapter-cny.org", true },
   { "iscert.org", true },
-  { "isdecolaop.nl", true },
   { "isdn.jp", true },
   { "isecrets.se", true },
   { "iservicio.mx", true },
   { "iseulde.com", true },
-  { "isfff.com", true },
+  { "isg-tech.com", true },
   { "isgp-studies.com", true },
   { "ishamf.com", true },
   { "ishangirdhar.com", true },
-  { "ishet.al", true },
   { "ishiharaken.com", true },
+  { "ishome.org", true },
   { "ishtarfreya.com", true },
   { "isil.fi", true },
   { "isimonbrown.co.uk", true },
   { "isincheck.com", true },
   { "isinolsun.com", true },
+  { "isiso.com.tr", true },
   { "isistomie.com", true },
   { "isitchristmas.com", true },
   { "isitcoffeetime.com", true },
@@ -18606,6 +19296,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "islavolcan.cl", true },
   { "isletech.net", true },
   { "isliada.org", true },
+  { "islief.com", true },
   { "islykaithecutest.cf", true },
   { "islykaithecutest.ml", true },
   { "ismailkarsli.com", true },
@@ -18615,11 +19306,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ismywebsitepenalized.com", true },
   { "isn.cz", true },
   { "iso27032.com", true },
-  { "isocom.eu", true },
   { "isognattori.com", true },
   { "isolta.com", true },
   { "isolta.de", true },
   { "isolta.ee", true },
+  { "isolta.fi", true },
   { "isolta.lv", true },
   { "isolta.se", true },
   { "isondo.com", true },
@@ -18668,9 +19359,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "isuzupartscenter.com", true },
   { "isvbscriptdead.com", true },
   { "isvsecwatch.org", true },
+  { "isyu.xyz", true },
   { "isz-berlin.de", true },
   { "isz.no", true },
   { "it-academy.sk", true },
+  { "it-boss.ro", true },
   { "it-faul.de", true },
   { "it-fernau.com", true },
   { "it-jobbank.dk", true },
@@ -18684,8 +19377,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "it-service24.com", true },
   { "it-shamans.de", true },
   { "it-shamans.eu", true },
+  { "it-stack.de", true },
+  { "it-support-nu.se", true },
+  { "it-support-stockholm.se", true },
+  { "it-support.one", true },
+  { "it-supportistockholm.se", true },
+  { "it-supportnu.se", true },
   { "it-sysoft.com", true },
+  { "it-tekniker.nu", true },
   { "it-ti.me", true },
+  { "it-uws.com", true },
   { "it-world.eu", true },
   { "it.search.yahoo.com", false },
   { "it1b.com", true },
@@ -18704,7 +19405,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "itamservices.nl", true },
   { "itap.gov", true },
   { "itb-online.co.uk", true },
-  { "itblog.pp.ua", true },
+  { "itbox.cl", true },
   { "itchy.nl", true },
   { "itcko.sk", true },
   { "itdashboard.gov", true },
@@ -18715,7 +19416,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iteke.tk", true },
   { "iteli.eu", true },
   { "iterader.com", true },
-  { "iterasoft.de", true },
   { "iterror.co", true },
   { "itesign.de", true },
   { "itfh.eu", true },
@@ -18725,19 +19425,26 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ithakama.cz", true },
   { "ithenrik.com", true },
   { "ithinc.net", true },
+  { "ithink.cf", true },
+  { "ithjalpforetag.se", true },
   { "itikon.com", true },
+  { "itilo.de", true },
+  { "itinthebubble.com", true },
   { "itis.gov", true },
   { "itis4u.ch", true },
   { "itjob.ma", true },
   { "itkaufmann.at", true },
+  { "itkonsultstockholm.se", true },
   { "itlitera.com", true },
   { "itludens.com", true },
+  { "itm-c.de", true },
   { "itmindscape.com", true },
   { "itn.co.uk", true },
   { "itneeds.tech", true },
   { "itnota.com", true },
   { "itochan.jp", true },
   { "itooky.com", true },
+  { "itouriria.com", true },
   { "itpro.ua", true },
   { "itraveille.fr", true },
   { "itreallyaddsup.com", true },
@@ -18746,11 +19453,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "itruth.tk", true },
   { "its-future.com", true },
   { "its-gutachten.de", true },
-  { "its4living.com", true },
   { "itsabouncything.com", true },
   { "itsanicedoor.co.uk", true },
   { "itsasaja.com", true },
   { "itsaw.de", true },
+  { "itsayardlife.com", true },
   { "itsblue.de", true },
   { "itsdcdn.com", true },
   { "itsecblog.de", true },
@@ -18763,7 +19470,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "itsnotquitethehilton.com", true },
   { "itsok.de", true },
   { "itspartytimeonline.co.uk", true },
-  { "itspartytimesweetinflations.com", true },
   { "itspecialista.eu", true },
   { "itspersonaltraining.nl", true },
   { "itsryan.com", true },
@@ -18771,6 +19477,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "itstatic.tech", true },
   { "itsuitsyou.co.za", true },
   { "itsundef.in", true },
+  { "itsupportnacka.se", true },
   { "itsv.at", true },
   { "itswincer.com", true },
   { "itzap.com.au", true },
@@ -18781,7 +19488,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ivanbenito.com", true },
   { "ivanboi.com", true },
   { "ivancacic.com", false },
-  { "ivanilla.org", true },
   { "ivanmeade.com", true },
   { "ivaoru.org", true },
   { "ivfausland.de", true },
@@ -18797,21 +19503,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ivinet.cl", true },
   { "ivitalia.it", true },
   { "ivo.co.za", true },
+  { "ivopetkov.com", true },
   { "ivor.io", true },
   { "ivor.is", true },
   { "ivorvanhese.com", true },
   { "ivorvanhese.nl", true },
-  { "ivoryonsunset.com", true },
   { "ivpn.net", true },
   { "ivre.rocks", true },
   { "ivsign.net", true },
   { "ivusn.cz", true },
   { "ivvl.ru", true },
   { "ivy-league-colleges.com", true },
+  { "ivy.show", true },
   { "iwader.co.uk", true },
   { "iwalton.com", true },
   { "iwantexchange.com", true },
+  { "iwantpayments.com", true },
   { "iwanttoliveinabunker.com", true },
+  { "iwanttrack.com", true },
+  { "iwascoding.com", true },
+  { "iwatchcops.com", true },
+  { "iwatchcops.org", true },
   { "iwch.tk", true },
   { "iwebolutions.com", true },
   { "iwell.de", true },
@@ -18835,14 +19547,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "iyuanbao.net", true },
   { "iz8mbw.net", true },
   { "izaakbeekman.com", true },
-  { "izevg.ru", true },
-  { "izhaojie.com", true },
   { "izodiacsigns.com", true },
   { "izuba.info", true },
   { "izumi.tv", true },
-  { "izxxs.com", true },
-  { "izxxs.net", true },
-  { "izxzw.net", true },
   { "izzys.casa", true },
   { "j-elliott.co.uk", true },
   { "j-navi.com", true },
@@ -18888,7 +19595,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jacksorrell.com", true },
   { "jacksutton.info", true },
   { "jackyliao123.tk", true },
-  { "jaco.by", true },
   { "jacobamunch.com", true },
   { "jacobdevans.com", true },
   { "jacobhaug.com", false },
@@ -18912,9 +19618,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jahner.xyz", true },
   { "jahofmann.de", false },
   { "jailbreakingisnotacrime.org", true },
-  { "jaion.tech", true },
+  { "jaion.xyz", true },
   { "jaispirit.com", false },
   { "jaitnetworking.com", false },
+  { "jajsemjachym.cz", true },
   { "jakarta.dating", true },
   { "jakdelatseo.cz", true },
   { "jake.eu.org", true },
@@ -18924,7 +19631,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jakecurtis.de", true },
   { "jakereynolds.co", true },
   { "jakerullman.com", true },
-  { "jakeslab.tech", true },
   { "jaketremper.com", true },
   { "jakewestrip.com", true },
   { "jakob-server.tk", true },
@@ -18934,7 +19640,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jakpremyslet.cz", true },
   { "jaksch.biz", true },
   { "jakub-boucek.cz", true },
-  { "jakubarbet.eu", true },
   { "jakubboucek.cz", true },
   { "jakubklimek.com", true },
   { "jakubtopic.cz", true },
@@ -18973,6 +19678,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jamessmith.me.uk", true },
   { "jamesturnerstickley.com", true },
   { "jamhost.org", true },
+  { "jamie-read-photography.com", true },
   { "jamie.ie", true },
   { "jamielarter.ca", true },
   { "jamielinux.com", true },
@@ -18981,6 +19687,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jamiepeters.nl", true },
   { "jamieweb.net", true },
   { "jamieweb.org", true },
+  { "jamiewebb.net", true },
   { "jamjestsimon.pl", true },
   { "jammucake.com", true },
   { "jammysplodgers.co.uk", true },
@@ -18990,6 +19697,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jan-and-maaret.de", true },
   { "jan-bucher.ch", true },
   { "jan-hill.com", true },
+  { "jan-reiss.de", true },
   { "jan-rieger.de", true },
   { "jan-roenspies.de", true },
   { "jan-von.de", true },
@@ -18998,6 +19706,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "janbrodda.de", true },
   { "jandev.de", true },
   { "janduchene.ch", true },
+  { "jane.com", true },
   { "janehamelgardendesign.co.uk", true },
   { "janelauhomes.com", true },
   { "janhuelsmann.com", true },
@@ -19006,6 +19715,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "janik.xyz", false },
   { "janikrabe.com", true },
   { "janjoris.nl", true },
+  { "jankamp.com", true },
+  { "janker.me", true },
   { "jankoepsel.com", true },
   { "jann.is", true },
   { "jannekekaasjager.nl", true },
@@ -19014,7 +19725,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "janoberst.com", true },
   { "janokacer.sk", true },
   { "janschaumann.de", true },
-  { "janssenwigman.nl", true },
+  { "jansen-schilders.nl", true },
   { "janterpstra.eu", true },
   { "jantinaboelens.nl", true },
   { "janvari.com", true },
@@ -19025,28 +19736,29 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "japanphilosophy.com", false },
   { "japanwatches.xyz", true },
   { "japon-japan.com", true },
+  { "jar.io", true },
   { "jardin-exotique-rennes.fr", true },
   { "jardinderline.ch", true },
   { "jardineriaon.com", true },
   { "jardiniersduminotaure.fr", true },
   { "jaredeberle.org", false },
   { "jaredfernandez.com", true },
+  { "jario.com.br", true },
   { "jarniashop.se", true },
   { "jaroku.com", true },
   { "jarondl.net", true },
-  { "jaroslavc.eu", true },
   { "jarrettgraham.com", true },
   { "jarroba.com", true },
   { "jas-team.net", true },
   { "jashvaidya.com", true },
-  { "jasl.works", true },
   { "jasmijnwagenaar.nl", true },
   { "jasminefields.net", true },
   { "jason.re", true },
+  { "jasonadam.de", true },
   { "jasonamorrow.com", true },
   { "jasongerber.ch", true },
   { "jasonmili.online", true },
-  { "jasonsansone.com", true },
+  { "jasonsplecoscichlids.com", true },
   { "jasper.link", true },
   { "jasperhammink.com", true },
   { "jasperhuttenmedia.com", true },
@@ -19056,7 +19768,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "javamilk.com", true },
   { "javierburgos.net", true },
   { "javierlorente.es", true },
-  { "javik.net", true },
   { "jaxfstk.com", true },
   { "jaxxnet.co.uk", true },
   { "jaxxnet.org", true },
@@ -19064,6 +19775,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jayf.de", true },
   { "jayfreestone.com", true },
   { "jaymecd.rocks", true },
+  { "jaypandit.me", true },
   { "jayrl.com", true },
   { "jaysaw.me", true },
   { "jaytx.com", true },
@@ -19092,6 +19804,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jci.cc", true },
   { "jclynne.com", true },
   { "jcra.net", true },
+  { "jcsesecuneta.com", true },
   { "jctf.team", true },
   { "jcwodan.nl", true },
   { "jd-group.co.uk", true },
@@ -19122,9 +19835,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jeannelucienne.fr", true },
   { "jeanneret-combustibles.ch", true },
   { "jec-dekrone.be", true },
+  { "jecho.cn", true },
   { "jeda.ch", true },
-  { "jedayoshi.me", true },
-  { "jedayoshi.tk", true },
   { "jedepannetonordi.fr", true },
   { "jedidiah.eu", false },
   { "jedipedia.net", true },
@@ -19132,15 +19844,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jedmud.com", true },
   { "jedwarddurrett.com", true },
   { "jeec.ist", true },
+  { "jeemain.org", true },
   { "jeepeg.com", true },
-  { "jeffanderson.me", true },
+  { "jeeran.com", true },
+  { "jeeranservices.com", true },
   { "jeffcasavant.com", false },
   { "jeffcloninger.net", true },
   { "jeffersonregan.co.uk", true },
   { "jeffersonregan.com", true },
   { "jeffersonregan.net", true },
   { "jeffhaferman.com", true },
-  { "jeffmcneill.com", true },
   { "jeffreyhaferman.com", true },
   { "jeffrhinelander.com", true },
   { "jeffri.me", true },
@@ -19148,6 +19861,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jefftickle.com", true },
   { "jeffwebb.com", true },
   { "jefrydco.id", true },
+  { "jefsweden.eu", true },
   { "jehovahsays.net", true },
   { "jej.cz", true },
   { "jej.sk", true },
@@ -19155,10 +19869,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jekkt.com", false },
   { "jelena-adeli.com", true },
   { "jelenkovic.rs", true },
-  { "jelewa.de", true },
   { "jell.ie", true },
   { "jelle.pro", true },
-  { "jelleglebbeek.com", true },
   { "jelleluteijn.com", true },
   { "jelleluteijn.eu", true },
   { "jelleluteijn.net", true },
@@ -19175,7 +19887,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jemangeducheval.com", true },
   { "jembatankarir.com", true },
   { "jemefaisdesamis.com", true },
-  { "jena.space", true },
   { "jennierobinson.com", true },
   { "jenniferengerwingaantrouwen.nl", true },
   { "jennifermason.eu", true },
@@ -19184,13 +19895,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jenolson.net", true },
   { "jenprace.cz", true },
   { "jensrex.dk", true },
-  { "jeparamedia.com", true },
   { "jepertinger-itconsulting.de", true },
   { "jeproteste.info", true },
   { "jeremiahbenes.com", true },
   { "jeremy-chen.org", true },
   { "jeremy.hu", true },
   { "jeremybentham.com", true },
+  { "jeremybloomfield.co.uk", true },
+  { "jeremyc.ca", false },
   { "jeremycantu.com", true },
   { "jeremycrews.com", true },
   { "jeremynally.com", true },
@@ -19200,7 +19912,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jericamacmillan.com", true },
   { "jering.tech", true },
   { "jeroendeneef.com", true },
-  { "jeroensangers.com", true },
   { "jerret.de", true },
   { "jerryweb.org", true },
   { "jerryyu.ca", true },
@@ -19213,26 +19924,28 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jesseerbach.com", true },
   { "jessekaufman.com", true },
   { "jessesjumpingcastles.co.uk", true },
+  { "jessevictors.com", true },
   { "jessgranger.com", false },
   { "jessicabenedictus.nl", false },
   { "jessicahrehor.com", true },
   { "jesters-court.net", true },
   { "jesuisadmin.fr", true },
   { "jet-stream.fr", true },
-  { "jetapi.org", true },
   { "jetbbs.com", true },
+  { "jetflex.de", true },
   { "jetkittens.co.uk", true },
   { "jetsetboyz.net", true },
   { "jetsieswerda.nl", true },
-  { "jettlarue.com", true },
   { "jetwhiz.com", true },
   { "jeuxetcodes.fr", true },
   { "jeweet.net", true },
   { "jewishboyscouts.com", true },
+  { "jewishquotations.com", true },
   { "jexler.net", true },
   { "jf-fotos.de", true },
   { "jfbst.net", true },
   { "jfmhero.me", true },
+  { "jfr.im", true },
   { "jfreitag.de", true },
   { "jfsa.jp", true },
   { "jgid.de", true },
@@ -19248,19 +19961,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jhf.io", true },
   { "jhill.de", true },
   { "jhollandtranslations.com", true },
+  { "jhservicos.net.br", true },
   { "jhuang.me", true },
   { "jhwestover.com", true },
-  { "jiacl.com", true },
   { "jiahao.codes", true },
-  { "jiangzm.com", false },
+  { "jiangxu.site", true },
   { "jianji.de", true },
+  { "jianny.me", true },
   { "jianshu.com", true },
   { "jianyuan.pro", true },
-  { "jiazhao.ga", true },
+  { "jiatingtrading.com", true },
   { "jicaivvip.com", true },
   { "jichi.io", true },
   { "jichi000.win", true },
-  { "jikegu.com", true },
+  { "jieyang2016.com", true },
   { "jimbiproducts.com", true },
   { "jimbraaten.com", true },
   { "jimbutlerkiaparts.com", true },
@@ -19269,7 +19983,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jimfranke.nl", true },
   { "jimizhou.xyz", true },
   { "jimmycai.com", false },
-  { "jimmycn.com", false },
   { "jimmyroura.ch", true },
   { "jimshaver.net", true },
   { "jimslop.nl", true },
@@ -19284,13 +19997,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jinshuju.net", true },
   { "jintaiyang123.org", true },
   { "jiogo.com", true },
+  { "jiosongs.biz", true },
   { "jirav.com", true },
   { "jiripudil.cz", true },
   { "jirosworld.com", true },
   { "jisai.net.cn", true },
   { "jisha.site", true },
   { "jixun.moe", true },
+  { "jiyue.moe", true },
   { "jiyusu.com", true },
+  { "jiyuu-ni.com", true },
+  { "jiyuu-ni.net", true },
   { "jjhampton.com", true },
   { "jjj.blog", true },
   { "jjjconnection.com", true },
@@ -19302,10 +20019,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jjvanoorschot.nl", true },
   { "jk-entertainment.biz", true },
   { "jkchocolate.com", true },
-  { "jkest.cc", true },
+  { "jki.io", true },
+  { "jkinteriorspa.com", true },
   { "jkirsche.com", true },
   { "jkrippen.com", true },
-  { "jkyuan.tk", true },
   { "jl-dns.eu", true },
   { "jl-dns.nl", true },
   { "jl-exchange.nl", true },
@@ -19313,7 +20030,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jlink.nl", true },
   { "jlkhosting.com", true },
   { "jloh.codes", true },
-  { "jlot.org", true },
   { "jlpn.eu", true },
   { "jlpn.nl", true },
   { "jlponsetto.com", true },
@@ -19323,6 +20039,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jmalarcon.es", true },
   { "jmarciniak.it", true },
   { "jmatt.org", true },
+  { "jmbeautystudio.se", true },
   { "jmbelloteau.com", true },
   { "jmcashngold.com.au", true },
   { "jmcataffo.com", true },
@@ -19338,7 +20055,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jmpb.hu", true },
   { "jmsolodesigns.com", true },
   { "jmssg.jp", true },
-  { "jmvdigital.com", true },
   { "jnjdj.com", true },
   { "jnm-art.com", true },
   { "jnordell.com", true },
@@ -19347,6 +20063,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "joanofarcmtcarmel.org", true },
   { "joaoaugusto.net", true },
   { "joaosampaio.com.br", true },
+  { "joaquimgoliveira.pt", true },
   { "job-ofertas.info", true },
   { "job-offer.de", true },
   { "job.biz.tr", true },
@@ -19361,10 +20078,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jobcorpsy2y.com", true },
   { "jobify.in", true },
   { "jobindex.dk", true },
+  { "joblab.com.ua", true },
   { "joblife.co.za", true },
   { "jobmi.com", true },
   { "jobmiplayground.com", true },
-  { "jobmob.co.il", true },
   { "jobs-in-tech.com", true },
   { "jobs.at", true },
   { "jobs.ch", true },
@@ -19379,10 +20096,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jockbusuttil.com", true },
   { "jockbusuttil.uk", true },
   { "jodaniels.photography", true },
+  { "jodbush.com", true },
   { "jodlajodla.si", true },
   { "joduska.me", true },
   { "jodyboucher.com", false },
-  { "jodyshop.com", true },
   { "joe262.com", true },
   { "joedavison.me", true },
   { "joedinardo.com", true },
@@ -19402,6 +20119,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "joelmarkhamphotography.com.au", true },
   { "joelmunch.com", true },
   { "joelnichols.uk", true },
+  { "joelotu.com", true },
   { "joemotherfuckingjohnson.com", true },
   { "joepitt.co.uk", false },
   { "joergschneider.com", true },
@@ -19412,12 +20130,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "joestead.codes", true },
   { "joetsutj.com", true },
   { "joetyson.me", true },
-  { "joeyfelix.com", true },
   { "joeygitalian.com", true },
   { "joeyhoer.com", true },
   { "joeysmith.com", true },
   { "joeyvanvenrooij.nl", true },
-  { "joeyvilaro.com", true },
   { "jogi-server.de", true },
   { "jogorama.com.br", false },
   { "jogwitz.de", true },
@@ -19442,8 +20158,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "johndball.com", true },
   { "johnfulgenzi.com", true },
   { "johngallias.com", true },
-  { "johngo.tk", false },
   { "johnguant.com", true },
+  { "johnhgaunt.com", true },
   { "johnkastler.net", true },
   { "johnmcc.net", true },
   { "johnmcintosh.pro", true },
@@ -19457,6 +20173,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "johnrockefeller.net", true },
   { "johnsanchez.io", true },
   { "johnsegovia.com", true },
+  { "johnsiu.com", true },
   { "johnsonho.net", true },
   { "johnvanhese.nl", true },
   { "johnyytb.be", true },
@@ -19468,6 +20185,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jokedalderup.nl", true },
   { "joker.menu", true },
   { "jokerice.co.uk", true },
+  { "jokesbykids.com", true },
   { "jokewignand.nl", true },
   { "joliettech.com", true },
   { "jollausers.de", true },
@@ -19479,6 +20197,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jomofojo.co", true },
   { "jomofojo.com", true },
   { "jonahperez.com", true },
+  { "jonale.net", true },
   { "jonandnoraswedding.com", true },
   { "jonas-thelemann.de", true },
   { "jonas-wenk.de", false },
@@ -19486,22 +20205,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jonasled.de", true },
   { "jonaswitmer.ch", true },
   { "jonathan-apps.com", true },
-  { "jonathancarter.org", true },
   { "jonathandupree.com", true },
   { "jonathanha.as", true },
   { "jonathanj.nl", true },
   { "jonathanlara.com", true },
   { "jonathanschle.de", true },
-  { "jonathanselea.se", true },
+  { "jonathanscott.me", true },
   { "jonblankenship.com", true },
   { "jondarby.com", true },
   { "jondevin.com", true },
   { "jondowdle.com", true },
   { "jonespayne.com", false },
-  { "jonferwerda.net", true },
   { "jong030.nl", true },
   { "jongbloed.nl", true },
   { "jongcs.com", true },
+  { "jongpay.com", true },
   { "jonilar.com", true },
   { "jonincharacter.com", true },
   { "jonirrings.com", true },
@@ -19514,7 +20232,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jonola.com", true },
   { "jonpads.com", true },
   { "jonpavelich.com", true },
-  { "jons.org", true },
   { "jonscaife.com", true },
   { "jooksms.com", true },
   { "jooksuratas.ee", true },
@@ -19534,6 +20251,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jordanscorporatelaw.com", true },
   { "jordanstrustcompany.com", true },
   { "jordhy.com", true },
+  { "jorexenterprise.com", true },
   { "jorgerosales.org", true },
   { "jorisdalderup.nl", true },
   { "jornalalerta.com.br", true },
@@ -19545,11 +20263,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "josef-lotz.de", true },
   { "josefjanosec.com", true },
   { "josefottosson.se", true },
-  { "josegerber.ch", true },
   { "joseitoda.org", true },
   { "josemikkola.fi", true },
   { "josepbel.com", true },
   { "josephbleroy.com", true },
+  { "josephgeorge.com.au", true },
   { "josephre.es", false },
   { "josephsniderman.com", true },
   { "josephsniderman.net", true },
@@ -19579,18 +20297,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jouwpaardenbak.nl", true },
   { "jovani.com", false },
   { "jovic.hamburg", true },
-  { "joyceseamone.com", true },
   { "joyful.house", true },
   { "joyfulexpressions.gallery", true },
   { "joynadvisors.com", true },
   { "joyofcookingandbaking.com", true },
   { "joysinventingblog.com", true },
+  { "jpbe-network.de", true },
+  { "jpbe.de", true },
   { "jpdeharenne.be", true },
   { "jpeg.io", true },
   { "jphandjob.com", true },
   { "jplesbian.com", true },
   { "jpmelos.com", true },
   { "jpmelos.com.br", true },
+  { "jpmguitarshop.com.br", true },
   { "jpod.cc", true },
   { "jpralves.net", true },
   { "jps-selection.co.uk", true },
@@ -19605,23 +20325,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jr5proxdoug.xyz", true },
   { "jrabasco.me", true },
   { "jrc9.ca", true },
+  { "jrchaseify.xyz", true },
   { "jreb.nl", true },
   { "jreinert.com", true },
   { "jrflorian.com", true },
+  { "jrlopezoficial.com", true },
   { "jross.me", true },
   { "jrtapsell.co.uk", true },
   { "jrxpress.com", true },
   { "js-web.eu", true },
-  { "js3311.com", true },
   { "js8855.com", true },
-  { "js93029.com", true },
   { "jschoi.org", true },
   { "jschumacher.info", true },
   { "jsd-cog.org", true },
   { "jsdelivr.com", true },
   { "jselby.net", true },
   { "jsent.co.uk", true },
-  { "jsevilleja.org", true },
   { "jskier.com", false },
   { "jskoelliken.ch", true },
   { "jsmetallerie.fr", true },
@@ -19630,8 +20349,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jsonsinc.com", true },
   { "jsteward.moe", true },
   { "jstore.ch", true },
-  { "jtcat.com", true },
-  { "jtcjewelry.com", true },
   { "jtconsultancy.sg", true },
   { "jthackery.com", false },
   { "jtl-software.com", true },
@@ -19642,16 +20359,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ju.io", true },
   { "juan23.edu.uy", true },
   { "juanfrancisco.tech", true },
+  { "juanjovega.com", true },
   { "juanmaguitar.com", true },
   { "juanmazzetti.com", true },
   { "juanxt.ddns.net", true },
-  { "jubee.nl", true },
   { "jubileum.online", true },
   { "jubileumfotograaf.nl", true },
   { "jucca-nautica.si", true },
   { "juch.cc", true },
   { "juchit.at", true },
-  { "jucktehkeinen.de", true },
   { "judc-ge.ch", true },
   { "judge2020.com", true },
   { "judge2020.me", true },
@@ -19661,6 +20377,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "juef.space", true },
   { "juegosycodigos.es", true },
   { "juegosycodigos.mx", true },
+  { "juegosyolimpicos.com", true },
   { "juelda.com", true },
   { "juergen-elbert.de", true },
   { "juergen-roehrig.de", true },
@@ -19678,7 +20395,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "juku-info.top", true },
   { "juku-wing.jp", true },
   { "jule-spil.dk", true },
-  { "julenlanda.com", false },
   { "julian-uphoff.de", true },
   { "julian-weigle.de", true },
   { "juliangonggrijp.com", true },
@@ -19728,6 +20444,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jumpinmonkeys.co.uk", true },
   { "jumpintogreenerpastures.com", true },
   { "jumpnplay.co.uk", true },
+  { "jundongwu.com", true },
   { "junespina.com", true },
   { "junethack.net", true },
   { "jungaa.fr", true },
@@ -19737,23 +20454,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "junglejackscastles.co.uk", true },
   { "junglememories.co.uk", true },
   { "junglist.org", true },
-  { "jungundwild-design.de", true },
+  { "jungundwild-design.de", false },
   { "juni.io", true },
-  { "junias-fenske.de", true },
   { "juniperroots.ca", true },
   { "junjhome.com", true },
   { "junjun-web.net", true },
   { "junkdrome.org", true },
   { "juno.co.uk", true },
-  { "junoaroma.com", true },
   { "junodownload.com", true },
   { "jura-reiseschutz.de", true },
   { "jurassicbarkharrogate.co.uk", true },
   { "jurassicgolf.nl", true },
   { "juridoc.com.br", true },
   { "jurijbuga.de", true },
-  { "jurisprudent.by", true },
-  { "juristas.com.br", true },
+  { "jurriaan.ninja", true },
   { "just-a-clanpage.de", true },
   { "just-vet-and-drive.fr", true },
   { "justanothercompany.name", true },
@@ -19768,16 +20482,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "justgalak.org", true },
   { "justice.gov", true },
   { "justice4assange.com", true },
-  { "justin-tech.com", false },
-  { "justinharrison.ca", true },
+  { "justin-tech.com", true },
   { "justinho.com", true },
+  { "justinmuturifoundation.org", true },
+  { "justinribeiro.com", true },
   { "justinstandring.com", true },
   { "justmensgloves.com", true },
+  { "justonce.net", true },
   { "justpaste.it", true },
   { "justsmart.io", true },
   { "justsome.info", true },
   { "justtalk.site", true },
-  { "justthinktwice.gov", true },
+  { "justthinktwice.gov", false },
   { "justupdate.me", true },
   { "justyy.com", true },
   { "juszkiewicz.com.pl", true },
@@ -19787,7 +20503,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "juusujanar.eu", true },
   { "juvenex.co", true },
   { "juwelierstoopman.nl", true },
-  { "jva-wuerzburg.de", true },
   { "jvandenbroeck.com", true },
   { "jvanerp.nl", true },
   { "jvbouncycastlehire.co.uk", true },
@@ -19796,7 +20511,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jvphotoboothhire.co.uk", true },
   { "jvsticker.com", true },
   { "jvwdev.nl", true },
-  { "jwallet.cc", true },
   { "jwatt.org", true },
   { "jwe.nl", true },
   { "jwilsson.com", true },
@@ -19804,17 +20518,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "jwmmarketing.com", true },
   { "jwnotifier.org", true },
   { "jwod.gov", true },
+  { "jwplay.ml", true },
   { "jwschuepfheim.ch", true },
   { "jwsoft.nl", true },
+  { "jxir.de", true },
   { "jxltom.com", true },
   { "jxm.in", true },
   { "jydemarked.dk", true },
   { "jyggen.com", true },
   { "jym.fit", true },
   { "jyoti-fairworks.org", true },
-  { "jzachpearson.com", true },
   { "jzbk.org", true },
-  { "jzcapital.co", true },
   { "k-bone.com", true },
   { "k-homes.net", true },
   { "k-netz.de", true },
@@ -19824,9 +20538,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "k-scr.me", true },
   { "k-system.de", true },
   { "k-tube.com", true },
+  { "k1024.org", true },
   { "k258059.net", true },
   { "k2mts.org", true },
-  { "k3508.com", true },
+  { "k33k00.com", false },
   { "k3nny.fr", true },
   { "k4law.com", true },
   { "k4r.ru", true },
@@ -19839,16 +20554,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kaangenc.me", true },
   { "kaany.io", true },
   { "kaasbesteld.nl", true },
-  { "kaashosting.nl", true },
   { "kaatha-kamrater.se", true },
   { "kab-s.de", true },
   { "kabaca.design", true },
-  { "kabarlinux.id", true },
   { "kabashop.com.br", true },
   { "kabat-fans.cz", true },
   { "kabeltv.co.nz", true },
   { "kabeuchi.com", true },
   { "kaboom.pw", true },
+  { "kabos.art", true },
   { "kabu-abc.com", true },
   { "kabulpress.org", true },
   { "kabus.org", true },
@@ -19882,7 +20596,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kakie-gobocha.jp", true },
   { "kakie-kolesa.ru", true },
   { "kakolightingmuseum.or.jp", true },
-  { "kakuto.me", true },
   { "kalakarclub.com", true },
   { "kalamos-psychiatrie.be", true },
   { "kalastus.com", true },
@@ -19902,10 +20615,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kaltenbrunner.it", true },
   { "kalterersee.ch", true },
   { "kalwestelectric.com", true },
+  { "kalyanmatka.guru", true },
   { "kam-serwis.pl", true },
+  { "kamata-shinkyu-seikotsu.jp", true },
+  { "kameari-za.space", true },
   { "kamikaichimaru.com", false },
   { "kamikatse.net", true },
+  { "kamilki.me", true },
   { "kaminbau-laub.de", true },
+  { "kamisato-ent.com", true },
   { "kamixa.se", true },
   { "kamppailusali.fi", true },
   { "kamranmirhazar.com", true },
@@ -19917,7 +20635,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kanag.pl", true },
   { "kanal-schaefer.de", true },
   { "kanal-tv-haensch.de", true },
-  { "kandalife.com", true },
   { "kandianshang.com", true },
   { "kanecastles.com", true },
   { "kanehusky.com", true },
@@ -19945,15 +20662,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kantorosobisty.pl", true },
   { "kanuvu.de", true },
   { "kany.me", false },
+  { "kanzakiranko.jp", false },
   { "kanzashi.com", true },
   { "kanzlei-gaengler.de", true },
   { "kanzlei-myca.de", true },
   { "kanzlei-oehler.com", true },
   { "kanzlei-sixt.de", true },
-  { "kaotik4266.com", true },
   { "kap-genial.de", true },
+  { "kap.pe", true },
   { "kapgy-moto.com", true },
-  { "kappenstein.org", true },
+  { "kappenstein.org", false },
   { "kapseli.net", true },
   { "kaptadata.com", true },
   { "kaptamedia.com", true },
@@ -19962,6 +20680,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "karabas.com", true },
   { "karabijnhaken.nl", false },
   { "karachi.dating", true },
+  { "karaface.com", true },
   { "karalane.com", true },
   { "karamomo.net", true },
   { "karanjthakkar.com", true },
@@ -19969,7 +20688,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "karateka.org", true },
   { "karateka.ru", true },
   { "kardize24.pl", true },
-  { "karenledger.ca", true },
+  { "kardolocksmith.com", true },
   { "karewan.ovh", true },
   { "kargl.net", true },
   { "karguine.in", true },
@@ -19990,6 +20709,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "karmaspa.se", true },
   { "karn.nu", true },
   { "karneid.info", true },
+  { "karoverwaltung.de", true },
   { "karsofsystems.com", true },
   { "karsten-voigt.de", true },
   { "karta-paliwowa.pl", true },
@@ -20001,7 +20721,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kartonmodellbau.org", true },
   { "karula.org", true },
   { "karupp-did.net", true },
-  { "kasadara.com", true },
   { "kasei.im", true },
   { "kashinavi.com", true },
   { "kashmirobserver.net", true },
@@ -20015,7 +20734,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kat.marketing", true },
   { "katagena.com", true },
   { "katalogbajugamismu.com", true },
-  { "katalogbutikker.dk", true },
+  { "katarsisuib.no", true },
   { "katata-kango.ac.jp", true },
   { "katcleaning.com.au", true },
   { "katedra.de", true },
@@ -20031,6 +20750,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "katieskandy.co.uk", true },
   { "katieskastles.co.uk", true },
   { "katja-und-ronny.de", true },
+  { "katjavoneysmondt.de", true },
   { "katka.info", true },
   { "katnunn.co.uk", true },
   { "kato-yane.com", true },
@@ -20045,15 +20765,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kau-boys.de", true },
   { "kaufberatung.community", true },
   { "kaufmanbankruptcylaw.com", true },
-  { "kaverti.com", true },
   { "kavovary-kava.cz", true },
-  { "kawaii.io", true },
   { "kawaiii.link", true },
   { "kaweus.de", true },
   { "kay.la", true },
   { "kayakabovegroundswimmingpools.com", true },
   { "kayscs.com", true },
   { "kazakov.lt", true },
+  { "kazancci.com", true },
   { "kazand.lt", true },
   { "kazandaemon.ru", true },
   { "kazek.com.pl", true },
@@ -20063,6 +20782,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kazumi.ooo", true },
   { "kazumi.ro", true },
   { "kazy111.info", true },
+  { "kb3.net", true },
   { "kb88.com", true },
   { "kba-online.de", true },
   { "kbb-ev.de", true },
@@ -20087,6 +20807,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kdfans.com", true },
   { "kdw.cloud", true },
   { "kdyby.org", true },
+  { "ke.fo", true },
   { "ke7tlf.us", true },
   { "keakon.net", true },
   { "keane.space", true },
@@ -20100,11 +20821,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kedarastudios.com", true },
   { "kedibizworx.com", true },
   { "kediri.win", true },
-  { "keditor.biz", true },
   { "kedv.es", true },
   { "keeleysam.com", true },
   { "keelove.net", true },
-  { "keematdekho.com", true },
   { "keengamer.com", true },
   { "keepa.com", true },
   { "keeperapp.com", true },
@@ -20112,11 +20831,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "keepersecurity.com", true },
   { "keepingtheplot.co.uk", true },
   { "keepiteasy.eu", true },
+  { "keepsight.org.au", true },
   { "keevitaja.com", true },
   { "keeweb.info", true },
   { "keezin.ga", true },
   { "keganthorrez.com", true },
   { "kehlenbach.net", true },
+  { "keifel.de", true },
   { "kein-design.de", true },
   { "keinanung.nl", true },
   { "keinefilterblase.de", true },
@@ -20140,8 +20861,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kellygrenard.com", true },
   { "kellyskastles.co.uk", true },
   { "kellyssportsbarandgrill.com", true },
-  { "kelmarsafety.com", true },
-  { "kelvinfichter.com", true },
+  { "kelsa.io", true },
+  { "kelvinfichter.com", false },
   { "kemmerer-net.de", true },
   { "kempkens.io", true },
   { "kempo-sissach.ch", true },
@@ -20150,7 +20871,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kemptown.net", true },
   { "ken.fm", true },
   { "kenalsworld.com", true },
-  { "kenbillionsyuan.tk", true },
   { "kenbonny.net", true },
   { "kengilmour.com", true },
   { "kenguntokku.jp", true },
@@ -20161,6 +20881,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kennethlim.me", true },
   { "kenneths.org", true },
   { "kenny-peck.com", true },
+  { "kennynet.co.uk", true },
   { "keno.im", true },
   { "kenokallinger.at", true },
   { "kenoschwalb.com", false },
@@ -20168,7 +20889,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kens.pics", true },
   { "kensbouncycastles.co.uk", true },
   { "kenscustomfloors.com", true },
-  { "kensparkesphotography.com", true },
   { "kentec.net", true },
   { "kenterlis.gr", true },
   { "kenvix.com", true },
@@ -20177,16 +20897,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "keops-spine.fr", true },
   { "keops-spine.us", true },
   { "kepkonyvtar.hu", true },
+  { "keponews.com", true },
+  { "keralit.nl", true },
   { "kerebro.com", true },
-  { "kerem.xyz", true },
   { "kerforhome.com", true },
   { "kerijacoby.com", true },
+  { "kermadec.com", true },
+  { "kermadec.fr", true },
+  { "kermadec.net", true },
   { "kernel-error.de", true },
   { "kernelpanics.nl", true },
+  { "kernelprogrammer.com", true },
   { "kerrfrequencycombs.org", true },
   { "kerrnel.com", true },
   { "kersbergen.nl", true },
-  { "kersmexico.com", true },
   { "kerstkaart.nl", true },
   { "kersvers.agency", true },
   { "kerus.net", true },
@@ -20204,12 +20928,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ketty-voyance.com", true },
   { "keutel.net", true },
   { "kevin-darmor.eu", true },
+  { "kevin-ta.com", true },
   { "kevinapease.com", true },
   { "kevinbowers.me", true },
   { "kevinbusse.de", true },
   { "kevincox.ca", false },
+  { "kevinfoley.cc", true },
+  { "kevinfoley.org", true },
   { "kevingsky.com", true },
-  { "kevinheslinphoto.com", true },
   { "kevinhill.nl", true },
   { "kevinhq.com", true },
   { "kevinkla.es", true },
@@ -20236,9 +20962,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "keylaserinstitute.com", true },
   { "keylength.com", true },
   { "keymach.com", true },
-  { "keypersonins.com", true },
-  { "keys.fedoraproject.org", true },
   { "keys.jp", true },
+  { "keys247.co.uk", true },
   { "keystoneok.com", false },
   { "keysupport.org", true },
   { "keywebdesign.nl", true },
@@ -20246,12 +20971,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kfassessment.com", true },
   { "kffs.ru", true },
   { "kfirba.me", true },
-  { "kfm.ink", true },
   { "kforesund.se", true },
   { "kfv-kiel.de", false },
   { "kfz-hantschel.de", true },
+  { "kg7.pl", true },
   { "kgm-irm.be", true },
   { "kgnk.ru", true },
+  { "kgv-schlauroth.de", true },
   { "khaledgarbaya.net", false },
   { "khanovaskola.cz", true },
   { "khas.co.uk", true },
@@ -20271,6 +20997,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kiano.net", true },
   { "kiapartscenter.net", true },
   { "kiapartsdepartment.com", true },
+  { "kiapps.ovh", true },
   { "kibea.net", true },
   { "kibibit.net", true },
   { "kibriscicek.net", true },
@@ -20279,9 +21006,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kickedmycat.com", true },
   { "kickstart.com.pk", false },
   { "kicou.info", true },
-  { "kiddies.academy", true },
+  { "kidaptive.com", true },
   { "kiddieschristian.academy", true },
-  { "kiddieschristianacademy.co.za", true },
   { "kiddyboom.ua", true },
   { "kids-at-home.ch", true },
   { "kids-castles.com", true },
@@ -20299,19 +21025,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kidzpartiesllp.co.uk", true },
   { "kidzsmile.co.uk", true },
   { "kiebel.de", true },
-  { "kiedys.net", true },
   { "kiehls.pt", true },
   { "kiekin.org", true },
   { "kiekko.pro", true },
   { "kiel-kind.de", true },
-  { "kieran.ie", true },
-  { "kieranjones.uk", true },
   { "kiesuwkerstkaart.nl", true },
   { "kiffmarks.com", true },
   { "kigmbh.com", true },
+  { "kiisu.club", true },
   { "kikbb.com", true },
   { "kiki-voice.jp", true },
-  { "kikimilyatacado.com.br", true },
   { "kiku.pw", true },
   { "kilianvalkhof.com", true },
   { "killaraapartments.com.au", true },
@@ -20325,13 +21048,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kilogram.nl", true },
   { "kilometertje.nl", true },
   { "kimamass.com", true },
+  { "kimbal.co.uk", true },
   { "kimdumaine.com", true },
   { "kimiris.com", true },
   { "kimis.gr", true },
   { "kimisia.net", true },
   { "kimmel.com", true },
   { "kimmel.in", true },
-  { "kimo.se", true },
   { "kimono-rental-one.com", true },
   { "kimotodental.com", true },
   { "kimsufi-jordi.tk", true },
@@ -20341,7 +21064,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kinautas.com", true },
   { "kinderbasar-luhe.de", true },
   { "kinderchor-bayreuth.de", true },
+  { "kinderjugendfreizeitverein.de", true },
   { "kinderkleding.news", true },
+  { "kinderpneumologie.ch", true },
   { "kindertagespflege-rasselbande-halle.de", true },
   { "kinderzahn-bogenhausen.de", true },
   { "kindfotografie.nl", true },
@@ -20349,6 +21074,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kindlezs.com", true },
   { "kine-duthil.fr", true },
   { "kinepolis-studio.be", true },
+  { "kinerd.me", true },
+  { "kinesiomed-cryosauna.gr", true },
   { "kinetiq.com", true },
   { "king-of-the-castles.com", true },
   { "kingant.net", true },
@@ -20366,6 +21093,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kingsley.cc", true },
   { "kingstclinic.com", true },
   { "kingtecservices.com", true },
+  { "kingwoodtxlocksmith.com", true },
   { "kini24.ru", true },
   { "kinkcafe.net", true },
   { "kinkenonline.com", true },
@@ -20373,6 +21101,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kinniyaonlus.com", true },
   { "kinocheck.de", true },
   { "kinohled.cz", true },
+  { "kinomoto.me", true },
   { "kinomoto.ovh", false },
   { "kinos.nl", true },
   { "kinozal-tv.appspot.com", true },
@@ -20385,20 +21114,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kipa.at", true },
   { "kipiradio.com", true },
   { "kippenbart.gq", true },
-  { "kipriakipita.gr", true },
   { "kiragameforum.net", true },
-  { "kirainmoe.com", true },
   { "kiraku.co", true },
   { "kirbear.com", true },
   { "kirche-dortmund-ost.de", true },
   { "kirchen-im-web.de", false },
   { "kirchengemeinde-markt-erlbach.de", true },
+  { "kircp.com", true },
   { "kirei.se", true },
   { "kirig.ph", true },
   { "kirikira.moe", true },
   { "kirill.ws", true },
   { "kirillaristov.com", true },
-  { "kirillpokrovsky.de", true },
   { "kirinas.com", true },
   { "kirinuki.jp", true },
   { "kirkforcongress.com", true },
@@ -20412,24 +21139,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kirstenbos.ca", true },
   { "kirstin-peters.de", true },
   { "kirwandigital.com", true },
-  { "kis-toitoidixi.de", true },
   { "kisallatorvos.hu", true },
   { "kisalt.im", true },
+  { "kisel.org", true },
   { "kisiselveri.com", true },
   { "kiskeedeesailing.com", true },
   { "kisma.de", true },
   { "kissflow.com", true },
   { "kissgyms.com", true },
   { "kissmycreative.com", true },
-  { "kissoft.ro", true },
-  { "kisstube.tv", true },
   { "kitabnamabayi.com", true },
+  { "kitacoffee.com", true },
   { "kitbag.com.au", true },
   { "kitchen-profi.by", true },
   { "kitchen-profi.com.ua", true },
   { "kitchen-profi.kz", true },
-  { "kitchenalley.ca", true },
-  { "kitchenalley.com", true },
   { "kitchenpunx.com", false },
   { "kiteadventure.nl", true },
   { "kiteschooledam.nl", true },
@@ -20444,22 +21168,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kittpress.com", true },
   { "kittyhacker101.tk", true },
   { "kivitelezesbiztositas.hu", true },
+  { "kiwi-bird.xyz", true },
   { "kiwi.com", true },
   { "kiwi.digital", true },
   { "kiwi.wiki", true },
-  { "kiwico.com", true },
-  { "kix.moe", false },
   { "kiyotatsu.com", true },
   { "kj-prince.com", true },
-  { "kj1396.net", true },
-  { "kj1397.com", true },
   { "kjaer.io", true },
   { "kjarni.cc", true },
   { "kjarrval.is", true },
   { "kjchernov.info", true },
   { "kjellner.com", true },
   { "kjelltitulaer.com", true },
-  { "kjg-ummeln.de", true },
+  { "kjellvn.net", true },
   { "kk-neudorf-duissern.de", false },
   { "kkaefer.com", true },
   { "kki.org", true },
@@ -20468,7 +21189,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kkren.me", true },
   { "kks-karlstadt.de", true },
   { "kksg.com", true },
-  { "kkws.co", true },
   { "kkyy.me", true },
   { "kkzxak47.com", true },
   { "kl-diaetist.dk", true },
@@ -20490,7 +21210,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kleaning.by", true },
   { "klebeband.eu", true },
   { "klebetape.de", true },
-  { "kleding.website", true },
   { "kledingrekken.nl", false },
   { "kleim.fr", true },
   { "kleinblogje.nl", false },
@@ -20506,6 +21225,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kleinreich.de", true },
   { "kleinsys.com", true },
   { "kleintransporte.net", true },
+  { "klemkow.net", true },
+  { "klemkow.org", true },
+  { "kleppe.co", true },
   { "kleteckova.cz", true },
   { "klicke-gemeinsames.de", true },
   { "klickstdu.com", true },
@@ -20517,9 +21239,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "klimchuk.by", true },
   { "klimchuk.com", true },
   { "klingenundmesser.com", true },
+  { "klinik-fuer-aesthetische-zahnheilkunde.de", true },
   { "klinikac.co.id", false },
   { "klinkenberg.ws", true },
-  { "klinkerstreet.com.ua", false },
   { "klm-huisjes.nl", true },
   { "klmhouses.com", true },
   { "klocker-ausserlechner.com", true },
@@ -20527,7 +21249,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kloia.com", true },
   { "klose.family", true },
   { "klosko.net", true },
-  { "klotz-labs.com", true },
   { "kloudboy.com", true },
   { "kls-agency.com.ua", false },
   { "klseet.com", true },
@@ -20535,8 +21256,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "klubxanadu.cz", true },
   { "kluck.me", true },
   { "klugemedia.de", true },
-  { "klustekeningen.nl", true },
   { "klustermedia.com", true },
+  { "klusweb-merenwijk.nl", true },
   { "klva.cz", true },
   { "klzwzhi.com", true },
   { "kmashworth.co.uk", true },
@@ -20550,6 +21271,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "knarcraft.net", true },
   { "kncg.pw", true },
   { "kndkv.com", true },
+  { "kndrd.io", true },
   { "kneblinghausen.de", true },
   { "knechtology.com", true },
   { "knegten-agilis.com", true },
@@ -20559,23 +21281,26 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kngk-transavto.ru", true },
   { "kngk.org", true },
   { "kngkng.com", true },
-  { "kniga.market", false },
   { "knight-industries.org", true },
   { "knightsblog.de", true },
   { "knightsbridge.net", true },
   { "knightsbridgewine.com", true },
+  { "knihovnajablonne.cz", true },
   { "knip.ch", true },
   { "knispel-online.de", true },
   { "knitfarious.com", true },
   { "knmv.nl", true },
+  { "knnet.ch", true },
   { "knockendarroch.co.uk", true },
   { "knop.info", true },
   { "knot-store.com", true },
   { "knowarth.com", true },
   { "knowledgeforce.com", true },
   { "knowlevillagecc.co.uk", true },
+  { "knowyourday.ai", true },
   { "knthost.com", true },
   { "knurps.de", true },
+  { "knuthildebrandt.de", false },
   { "knutur.is", true },
   { "knygos.lt", true },
   { "ko-sys.com", true },
@@ -20585,7 +21310,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kobejet.com", true },
   { "kobezda.net", true },
   { "kobofarm.com", true },
-  { "koboldcraft.ch", true },
   { "kobolya.hu", true },
   { "kocherev.org", true },
   { "kochereva.com", true },
@@ -20601,10 +21325,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "koe.hn", true },
   { "koebbes.de", true },
   { "koecollege.com", true },
-  { "koehn.com", true },
-  { "koelbli.ch", true },
   { "koelnmafia.de", true },
-  { "koenen-bau.de", true },
   { "koenigsbrunner-tafel.de", true },
   { "koenleemans.nl", true },
   { "koenrouwhorst.nl", true },
@@ -20639,16 +21360,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kokobaba.com", true },
   { "kokona.ch", true },
   { "kokumoto.com", true },
-  { "kolania.com", true },
   { "kolania.de", true },
   { "kolania.net", true },
-  { "kolaykaydet.com", true },
   { "kolbeinsson.se", true },
   { "kolcsey.eu", true },
   { "koldanews.com", true },
   { "kolin.org", true },
   { "kolizaskrap.bg", true },
   { "kolja-engelmann.de", true },
+  { "koljakrekow.de", true },
   { "kolkataflowermall.com", true },
   { "kollect.ie", true },
   { "kollega.it", true },
@@ -20659,8 +21379,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kolpingsfamilie-vechta-maria-frieden.de", true },
   { "koluke.co", true },
   { "koluke.com", true },
+  { "komall.net", true },
   { "komandakovalchuk.com", false },
-  { "kombidorango.com.br", true },
   { "komelin.com", true },
   { "komenamanda.de", true },
   { "komicloud.com", true },
@@ -20681,11 +21401,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kondi.net", true },
   { "kondou-butsudan.com", true },
   { "kongar.org", true },
+  { "kongsecuritydata.com", true },
   { "koniecfica.sk", true },
   { "konijntjes.nl", true },
   { "koningskwartiertje.nl", true },
   { "koninkrijk.net", true },
-  { "konkai.store", true },
   { "konklone.com", true },
   { "konoe.studio", true },
   { "konosuke.jp", true },
@@ -20696,7 +21416,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kontaxis.org", true },
   { "kontorhaus-schlachte.de", true },
   { "kontorhaus-stralsund.de", true },
-  { "kontrolapovinnosti.cz", true },
   { "konventa.net", true },
   { "konyalian.com", true },
   { "konzertheld.de", true },
@@ -20718,9 +21437,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "koptev.ru", true },
   { "kopteva.ru", true },
   { "korben.info", true },
+  { "korea-dpr.org", true },
   { "korea.dating", true },
   { "koreaboo.com", true },
-  { "koretech.nl", true },
   { "korinar.com", true },
   { "kornrunner.net", true },
   { "korobi.io", true },
@@ -20733,8 +21452,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kortgebyr.dk", true },
   { "kortic.com", true },
   { "koryfi.com", true },
+  { "kos4all.com", true },
   { "kosaki.moe", true },
   { "koscielniak-nieruchomosci.pl", true },
+  { "kosherjava.com", true },
   { "kosho.org", true },
   { "kosonaudioteca.com", true },
   { "kost-magazin.de", true },
@@ -20743,8 +21464,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kostecki.org", true },
   { "kostecki.tel", true },
   { "kostya.ws", true },
-  { "kotausaha.com", true },
-  { "kotelezobiztositas.eu", true },
+  { "kosuzu.moe", true },
   { "kother.org", true },
   { "kotilinkki.fi", true },
   { "kotitesti.fi", true },
@@ -20763,9 +21483,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kovaldo.ru", true },
   { "kovals.sk", true },
   { "kovehitus.ee", true },
-  { "kovnsk.net", true },
   { "kovspace.com", true },
-  { "kovuthehusky.com", true },
   { "kowalmik.tk", true },
   { "kowalstwo.com.pl", true },
   { "kowarschick.de", true },
@@ -20778,14 +21496,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kpinvest.eu", true },
   { "kplasticsurgery.com", true },
   { "kplnet.net", true },
-  { "kpmgpublications.ie", true },
   { "kpop.re", true },
-  { "kpopsource.com", false },
+  { "kpopsource.com", true },
   { "kpumuk.info", true },
   { "kpx1.de", true },
   { "kr.search.yahoo.com", false },
   { "kr0n.dk", true },
   { "krachtinverbinding.nl", true },
+  { "kradalby.no", true },
   { "kraft.blog", true },
   { "kraft.im", true },
   { "kraftfleisch.de", true },
@@ -20800,12 +21518,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kralovstvimap.cz", true },
   { "kram.nz", true },
   { "krambeutel.de", true },
+  { "kramer-edelstahl.de", true },
+  { "krampus-fischamend.at", true },
   { "kramsj.uk", true },
   { "krang.org.uk", true },
   { "krankenpflege-haushaltshilfe.de", true },
+  { "kranz.space", true },
   { "krasnodar-avia.ru", true },
   { "krasovsky.me", true },
   { "krautomat.com", true },
+  { "krayx.com", true },
   { "krazyboi.com", true },
   { "krazykastles.co.uk", true },
   { "krazykoolkastles.com", true },
@@ -20817,6 +21539,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kredit-abzocke.com", true },
   { "kredita.dk", true },
   { "kreditkacs.cz", true },
+  { "kredytzen.pl", true },
   { "kreen.org", true },
   { "krehl.io", true },
   { "kremalicious.com", true },
@@ -20837,17 +21560,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "krislamoureux.com", true },
   { "krismurray.co.uk", true },
   { "krisstarkey.co.uk", true },
+  { "kristall-energie.at", true },
   { "kristenpaigejohnson.com", true },
   { "kristiehill.com", true },
   { "kristikala.nl", true },
   { "kristinbailey.com", false },
   { "kristofba.ch", true },
   { "kristofdv.be", true },
+  { "kritikos.io", true },
   { "krizevci.info", true },
   { "krmeni.cz", false },
   { "krokedil.se", true },
   { "kromamoveis.com.br", true },
-  { "kronaw.it", true },
+  { "kromonos.net", true },
   { "krony.de", true },
   { "kroon.email", true },
   { "kropkait.pl", true },
@@ -20861,6 +21586,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "krukhmer.com", true },
   { "krumberconsulting.com", true },
   { "krupa.net.pl", false },
+  { "kruselegal.com.au", true },
   { "krusesec.com", true },
   { "krutka.cz", true },
   { "kruu.de", true },
@@ -20872,29 +21598,32 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "krypsys.com", true },
   { "krypt.com", true },
   { "kryptera.se", true },
-  { "kryptomodkingz.com", true },
+  { "kryptomech.com", true },
   { "krytykawszystkiego.com", true },
   { "krytykawszystkiego.pl", true },
   { "kryx.de", true },
   { "ks-watch.de", true },
+  { "ks88.com", true },
   { "kschv-rdeck.de", true },
   { "kselenia.ee", true },
   { "ksero.center", true },
   { "ksero.wroclaw.pl", true },
   { "ksham.net", true },
   { "kshlm.in", true },
-  { "kspg.tv", true },
+  { "ksmmmo.org.tr", true },
   { "kssk.de", true },
   { "ksukelife.com", true },
   { "kt-zoe.com", true },
   { "ktbnetbank.com", true },
   { "kthnxbai.xyz", true },
+  { "ktm-troxler.de", true },
   { "kts-thueringen.de", true },
   { "ktsee.eu.org", true },
   { "ktsofas.gr", true },
   { "ktw.lv", true },
   { "ku-7.club", true },
   { "ku.io", false },
+  { "kuaimen.bid", true },
   { "kuaitiyu.org", true },
   { "kualiti.net", true },
   { "kualo.co.uk", true },
@@ -20940,9 +21669,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kungerkueken.de", true },
   { "kunra.de", true },
   { "kunstdrucke-textildruck.de", true },
-  { "kunstfehler.at", true },
   { "kunstundunrat.de", true },
   { "kuoruan.com", true },
+  { "kupaa.ink", true },
   { "kupferstichshop.com", true },
   { "kupid.com", true },
   { "kupiec.eu.org", true },
@@ -20951,15 +21680,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kuponrazzi.com", true },
   { "kuponydoher.cz", true },
   { "kupschke.net", true },
-  { "kurashino-mall.com", true },
+  { "kurniadwin.to", true },
   { "kuro.link", true },
   { "kurofuku.me", true },
   { "kuroha.co.uk", true },
   { "kuroinu.jp", true },
   { "kurona.ga", true },
   { "kuronekogaro.com", true },
-  { "kurrende.nrw", false },
-  { "kurrietv.nl", true },
   { "kurschies.de", true },
   { "kurserne.dk", true },
   { "kurswahl-online.de", true },
@@ -20982,6 +21709,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kvalitnitesneni.cz", true },
   { "kvantel.no", true },
   { "kvcc.com.au", true },
+  { "kvestmaster.ru", true },
   { "kvetinymilt.cz", true },
   { "kvhile.com", true },
   { "kvilt.dk", true },
@@ -20999,7 +21727,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kx197.com", true },
   { "kxah35.com", true },
   { "kxline.com", true },
-  { "kxnrl.com", false },
+  { "kxnrl.com", true },
   { "kxway.com", true },
   { "kybi.sk", true },
   { "kydara.com", true },
@@ -21007,14 +21735,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kylegutschow.com", true },
   { "kylejohnson.io", true },
   { "kylelaker.com", true },
-  { "kylescastles.co.uk", true },
   { "kylinj.com", false },
   { "kynastonwedding.co.uk", true },
   { "kyobostory-events.com", true },
   { "kyoko.org", true },
   { "kyosaku.org", true },
+  { "kyoto-k9.com", false },
   { "kyoto-mic.com", true },
-  { "kyoto-sake.net", true },
   { "kyoto-tomikawa.jp", true },
   { "kyoto-tomoshibi.jp", true },
   { "kyprexxo.com", true },
@@ -21025,9 +21752,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "kz.search.yahoo.com", false },
   { "kzar.co.uk", true },
   { "kzsdabas.hu", true },
+  { "l-atelier-c.com", true },
   { "l-lab.org", true },
   { "l0re.com", true },
+  { "l17r.eu", true },
   { "l2guru.ru", true },
+  { "l3.ee", true },
   { "l33te.net", true },
   { "l4n-clan.de", true },
   { "l7plumbing.com.au", true },
@@ -21048,8 +21778,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "laatikko.io", true },
   { "laatjeniethackmaken.nl", true },
   { "labande-annonce.fr", true },
+  { "labanochjonas.se", true },
+  { "labanskoller.se", true },
+  { "labanskollermark.se", true },
   { "labcenter.com", true },
   { "labcoat.jp", true },
+  { "labeled.vn", true },
   { "labms.com.au", true },
   { "labobooks.com", true },
   { "laboitebio-logique.ca", true },
@@ -21062,6 +21796,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "labrat.mobi", false },
   { "labspack.com", true },
   { "labtest.ltd", true },
+  { "lacaey.se", true },
   { "lacantine.xyz", true },
   { "lacaserita.org", true },
   { "lacaveducinquantenaire.com", true },
@@ -21087,11 +21822,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lacyc3.eu", true },
   { "ladbroke.net", true },
   { "ladenzeile.at", true },
-  { "ladenzeile.de", true },
+  { "ladislavbrezovnik.com", true },
   { "ladraiglaan.com", true },
   { "lady-2.jp", true },
   { "ladyanna.de", true },
   { "ladyofhopeparish.org", true },
+  { "laermschmiede.de", true },
   { "laeso.es", true },
   { "laextra.mx", true },
   { "lafayette-rushford.com", true },
@@ -21099,15 +21835,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lafema.de", true },
   { "lafillepolyvalente.ca", true },
   { "lafillepolyvalente.com", true },
-  { "lafka.org", true },
   { "lafkor.de", true },
   { "laflash.com", true },
-  { "lafosseobservatoire.be", true },
-  { "lag-gbr.gq", true },
   { "lagarderob.ru", false },
   { "lagazzettadigitale.it", true },
   { "lagerauftrag.info", true },
   { "lagit.in", true },
+  { "laglab.org", false },
   { "lagout.org", true },
   { "lagriffeduservice.fr", true },
   { "laguiadelvaron.com", true },
@@ -21117,6 +21851,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lahnau-akustik.de", true },
   { "lahora.com.ec", true },
   { "lai.is", true },
+  { "laibcoms.com", true },
   { "lain.at", true },
   { "lain.li", true },
   { "laindonleisure.co.uk", true },
@@ -21141,26 +21876,29 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lakeshowlife.com", true },
   { "lakewoodcityglass.com", true },
   { "lakhesis.net", true },
+  { "lakkt.de", true },
   { "lakonia.com.br", true },
   { "lalalab.com", true },
   { "lalaya.fr", true },
   { "laled.ch", true },
+  { "lalingua.ir", true },
   { "lalucioledigitale.com", true },
   { "lalunecreative.com", true },
   { "lalyre-corcelles.ch", true },
-  { "lamaisondelatransformationculturelle.com", true },
   { "lamakat.de", true },
-  { "lamanwebinfo.com", true },
   { "lamapoll.de", true },
   { "lamarieealhonneur.com", false },
   { "lambauer.com", true },
+  { "lambdaof.xyz", true },
   { "lambertshealthcare.co.uk", true },
   { "lamboo.be", true },
   { "lamclam.site", true },
+  { "lamconnect.com", true },
   { "lame1337.xyz", true },
-  { "lamiaposta.email", false },
+  { "lamed.se", true },
   { "lamikvah.org", true },
   { "laminine.info", true },
+  { "lammersmarketing.com", true },
   { "lamontre.ru", true },
   { "lamp.re", false },
   { "lamp24.se", true },
@@ -21174,6 +21912,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lampenwelt.ch", true },
   { "lampenwelt.de", true },
   { "lampposthomeschool.com", true },
+  { "lampsh.ml", true },
   { "lampy.pl", true },
   { "lamunyon.com", true },
   { "lan.biz.tr", true },
@@ -21183,14 +21922,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lancashirecca.org.uk", true },
   { "lancejames.com", true },
   { "lancelafontaine.com", true },
+  { "lancelhoff.com", true },
+  { "lancemanion.com", true },
   { "lanceyip.com", true },
-  { "lancork.net", true },
   { "lancyvbc.ch", true },
   { "land.nrw", false },
+  { "landbetweenthelakes.us", true },
   { "landchecker.com.au", true },
   { "landflair-magazin.de", true },
   { "landhaus-christmann.de", true },
+  { "landhaus-havelse.de", true },
   { "landinfo.no", true },
+  { "landingear.com", true },
   { "landlordy.com", true },
   { "landofelves.net", true },
   { "landrovermerriamparts.com", true },
@@ -21222,20 +21965,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "langkahteduh.com", true },
   { "langkawitrip.com", true },
   { "langotie.com.br", true },
+  { "langsam-dator.se", true },
   { "langstreckensaufen.de", true },
   { "languagecourse.net", true },
   { "languageterminal.com", true },
   { "langworth.com", true },
   { "langzijn.nl", true },
-  { "lanhhuyet510.tk", true },
   { "lanna.io", true },
-  { "lannainnovation.com", true },
   { "lanodan.eu", true },
   { "lanostrasalute.it", true },
   { "lanre.org", true },
   { "lanroamer.de", true },
   { "lansechensilu.com", true },
-  { "lanseyujie.com", false },
   { "lanternalauth.com", true },
   { "lanternhealth.org", true },
   { "lantian.pub", true },
@@ -21248,6 +21989,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "laozhu.me", true },
   { "laparoscopia.com.mx", true },
   { "lapassiondutrading.com", true },
+  { "lapetition.be", true },
   { "lapicena.eu", true },
   { "lapidge.net", true },
   { "lapix.com.co", true },
@@ -21258,6 +22000,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lapparente-aise.ch", true },
   { "lappari.com", true },
   { "lara.photography", true },
+  { "larabergmann.de", true },
   { "laracode.eu", true },
   { "laraeph.com", true },
   { "laraigneedusoir.com", true },
@@ -21272,7 +22015,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "largeviewer.com", true },
   { "lariposte.org", true },
   { "lariscus.eu", true },
+  { "larky.top", true },
   { "larondinedisinfestazione.com", true },
+  { "larotayogaming.com", true },
   { "larptreff.de", true },
   { "larraz.es", true },
   { "larryli.cn", true },
@@ -21291,13 +22036,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lasavonnerieducroisic.fr", true },
   { "lascana.co.uk", true },
   { "lasereyess.net", true },
-  { "laserfuchs.de", true },
   { "laserpc.net", true },
   { "laserplaza.de", true },
   { "laserplaza.net", true },
   { "lasertechsolutions.com", true },
   { "lask.in", true },
   { "laskas.pl", true },
+  { "lasowy.com", true },
   { "laspequenassemillas.com", true },
   { "lasrecetascocina.com", true },
   { "lasrecetasdeguada.com", true },
@@ -21306,9 +22051,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lasseleegaard.dk", true },
   { "lasseleegaard.net", true },
   { "lasseleegaard.org", true },
-  { "lassesworld.com", true },
-  { "lassesworld.se", true },
+  { "lastbutnotyeast.com", true },
   { "lastchancetraveler.com", true },
+  { "lastharo.com", true },
   { "lastpass.com", false },
   { "lastrada-minden.de", true },
   { "lastweekinaws.com", true },
@@ -21324,22 +22069,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lateralsecurity.com", true },
   { "latestbuy.com.au", true },
   { "latestdeals.co.uk", true },
-  { "latiendadelbebefeliz.com", true },
   { "latiendauno.com", true },
   { "latiendawapa.com", true },
+  { "latinmusicrecords.com", true },
   { "latino.dating", true },
-  { "latinphone.com", true },
   { "latintoy.com", true },
   { "latitudesign.com", true },
   { "latremebunda.com", true },
   { "latrine.cz", true },
-  { "latterdaybride.com", true },
   { "lattyware.co.uk", true },
   { "lattyware.com", true },
   { "laubacher.io", true },
   { "lauchundei.at", true },
   { "lauensteiner.de", false },
-  { "laufers.pl", true },
   { "laufpix.de", true },
   { "lauftreff-himmelgeist.de", true },
   { "laughinggrapepublishing.com", true },
@@ -21349,6 +22091,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "launchmylifend.com", true },
   { "launchpad-app2.com", true },
   { "launchpadder2.com", true },
+  { "laupv.online", true },
   { "lauraandwill.wedding", false },
   { "lauraenvoyage.fr", true },
   { "laurakashiwase.com", true },
@@ -21357,6 +22100,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "laurelblack.com", true },
   { "laurenceplouffe.com", true },
   { "laurenlobue.com", true },
+  { "laurensvanderblom.nl", true },
   { "lauriemilne.com", true },
   { "lauriuc.sk", true },
   { "lausannedentiste.ch", true },
@@ -21399,7 +22143,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "layoutsatzunddruck.de", true },
   { "lazistance.com", true },
   { "lazowik.pl", true },
-  { "lazurit.com", true },
   { "lazyboston.com", true },
   { "lazyclock.com", true },
   { "lazyframe.com", true },
@@ -21414,7 +22157,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lbmblaasmuziek.nl", true },
   { "lbphacker.pw", true },
   { "lbs-logics.com", true },
-  { "lbsi-nordwest.de", true },
   { "lbux.org", true },
   { "lc-cs.com", false },
   { "lc-promiss.de", true },
@@ -21422,15 +22164,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lca.gov", true },
   { "lcacommons.gov", true },
   { "lcars-sv.info", true },
-  { "lcbizsolutions.com", true },
   { "lce-events.com", true },
   { "lcgaj.com", true },
   { "lcht.ch", false },
   { "lcrmscp.gov", true },
-  { "lcy.cat", true },
-  { "lcy.im", true },
+  { "lcy.im", false },
   { "lcy.moe", true },
-  { "lcybox.com", true },
   { "ld-begunjscica.si", true },
   { "ldc.com.br", false },
   { "ldjb.jp", true },
@@ -21447,14 +22186,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "le-palantir.com", true },
   { "le-traiteur-parisien.fr", true },
   { "le0.me", true },
+  { "le0yn.ml", true },
   { "le130rb.com", true },
   { "le23.fr", true },
   { "le42mars.fr", true },
   { "leadbox.cz", true },
   { "leaderoftheresistance.com", false },
   { "leaderoftheresistance.net", false },
+  { "leadership9.com", true },
+  { "leadgenie.me", true },
+  { "leadinfo.com", true },
   { "leadingsalons.com", true },
+  { "leadplan.ru", true },
   { "leadquest.nl", true },
+  { "leaf-consulting.de", true },
   { "leafandseed.co.uk", true },
   { "leafans.tk", false },
   { "leafinote.com", true },
@@ -21465,7 +22210,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leanplando.com", true },
   { "leap-it.be", true },
   { "leapandjump.co.uk", true },
-  { "learn-smart.uk", true },
   { "learndev.info", true },
   { "learnflakes.net", true },
   { "learnforestry.com", true },
@@ -21473,6 +22217,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "learningis1.st", true },
   { "learninglaw.com", true },
   { "learningman.top", true },
+  { "learnlux.com", true },
   { "learnpianogreece.com", true },
   { "learnplayground.com", true },
   { "learntube.cz", true },
@@ -21493,6 +22238,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lebens-fluss.at", true },
   { "lebensraum-fitness-toenisvorst.de", true },
   { "lebensraum-im-garten.de", true },
+  { "lebensraum-kurse.ch", true },
   { "lebihan.pl", true },
   { "leblanc.io", true },
   { "lebourgeo.is", true },
@@ -21501,7 +22247,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lecoinchocolat.com", true },
   { "lectricecorrectrice.com", true },
   { "led-jihlava.cz", true },
-  { "led.xyz", true },
   { "ledecologie.com.br", true },
   { "ledeguisement.com", true },
   { "lederer-it.com", true },
@@ -21511,7 +22256,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lee-fuller.co.uk", true },
   { "leeaaronsrealestate.com", true },
   { "leebiblestudycentre.co.uk", true },
-  { "leech360.com", false },
   { "leeclemens.net", false },
   { "leedev.org", true },
   { "leekspin.ml", true },
@@ -21536,14 +22280,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "legacy.bank", true },
   { "legadental.com", true },
   { "legaillart.fr", true },
+  { "legalcontrol.info", true },
   { "legaldesk.com", true },
   { "legalinmotion.es", true },
   { "legalrobot.com", true },
-  { "legendarycamera.com", true },
   { "legendesdechine.ch", true },
   { "legendofkrystal.com", true },
   { "legends-game.ru", false },
   { "legible.es", true },
+  { "legilimens.de", true },
   { "legioniv.org", true },
   { "legiscontabilidade.com.br", true },
   { "legissa.ovh", true },
@@ -21552,10 +22297,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "legland.fr", true },
   { "legoutdesplantes.be", true },
   { "legrandvtc.fr", true },
-  { "legumefederation.org", true },
   { "legumeinfo.org", true },
   { "lehighmathcircle.org", true },
+  { "lehmitz-weinstuben.de", true },
   { "lehti-tarjous.net", true },
+  { "leibniz-gymnasium-altdorf.de", true },
   { "leibniz-remscheid.de", false },
   { "leideninternationalreview.com", true },
   { "leilautourdumon.de", true },
@@ -21565,7 +22311,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leipziger-triathlon.de", true },
   { "leisure-blog.com", true },
   { "leisure-supplies-show.co.uk", true },
-  { "leiyun.me", true },
   { "lejardindesmesanges.fr", true },
   { "lektier.cf", true },
   { "lel.ovh", true },
@@ -21576,19 +22321,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lemoine.at", true },
   { "lemondenumerique.com", true },
   { "lemondrops.xyz", true },
+  { "lemonlawnow.com", true },
   { "lemonop.com", true },
   { "lemonparty.co", true },
   { "lemonrockbiketours.com", true },
-  { "lemonthy.ca", true },
   { "lemonthy.com", true },
   { "lemouillour.fr", true },
   { "lemuslimpost.com", true },
   { "lenagroben.de", true },
   { "lenaneva.ru", true },
   { "lence.net", true },
+  { "lendahandmissionteams.org", true },
   { "lendingclub.com", true },
   { "lenget.com", true },
-  { "lenguajedeprogramacion.com", true },
   { "lengzzz.com", true },
   { "lenidh.de", true },
   { "leninalbertop.com.ve", true },
@@ -21603,7 +22348,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lenyip.me", true },
   { "lenyip.works", true },
   { "leoandpeto.com", true },
-  { "leodaniels.com", true },
   { "leodraxler.at", true },
   { "leola.cz", true },
   { "leola.sk", true },
@@ -21611,22 +22355,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leominstercu.com", false },
   { "leon-tech.com", true },
   { "leon.net", true },
-  { "leonauto.de", true },
   { "leonax.net", true },
   { "leonbuitendam.nl", true },
   { "leondenard.com", true },
   { "leonklingele.de", true },
+  { "leonmahler.consulting", true },
   { "leontiekoetter.de", true },
   { "leopoldina.net", true },
+  { "leovanna.co.uk", true },
   { "leowkahman.com", true },
   { "lep.gov", true },
   { "lepenetapeti.com", true },
   { "lepidum.jp", true },
   { "leponton-lorient.fr", true },
   { "leppis-it.de", true },
-  { "leprado.com", true },
   { "lepsos.com", true },
   { "lequerceagriturismo.com", true },
+  { "lequest.dk", true },
   { "lereporter.ma", true },
   { "leretour.ch", true },
   { "lerku.com", true },
@@ -21638,18 +22383,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lernplattform-akademie.de", true },
   { "lerp.me", true },
   { "les-ateliers-de-melineo.be", true },
+  { "les-inoxydables.com", true },
   { "les-pingouins.com", true },
   { "lesaffre.es", true },
   { "lesancheslibres.fr", true },
   { "lesarts.com", true },
   { "lesberger.ch", true },
-  { "lesconteursavis.org", true },
-  { "lescourtiersbordelais.com", true },
+  { "lesbrillantsdaristide.com", true },
   { "leseditionsbraquage.com", true },
   { "lesfilmsavivre.com", true },
   { "lesgoodnews.fr", true },
-  { "leshervelines.com", true },
   { "lesjardinsdemathieu.net", true },
+  { "lesjardinsdubanchet.fr", true },
   { "lesmamy.ch", true },
   { "lesmontagne.net", true },
   { "lesnet.co.uk", true },
@@ -21657,6 +22402,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lespecialiste-pradelexcellence.com", true },
   { "lesplatanes.ch", true },
   { "lespret.nl", true },
+  { "lesquerda.cat", false },
   { "lesscloud.com", true },
   { "lessets-graphiques.com", true },
   { "lessis.moe", true },
@@ -21664,8 +22410,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lesterrassesdusoleil.ch", true },
   { "lesyndicat.info", true },
   { "letemps.ch", true },
+  { "letertrefleuri.com", true },
   { "leto12.xyz", true },
-  { "letraba.com", true },
   { "letranif.net", true },
   { "lets-bounce.com", true },
   { "lets-go-acoustic.de", true },
@@ -21694,8 +22440,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leuthardtfamily.com", true },
   { "levans.fr", true },
   { "levanscatering.com", true },
+  { "level-10.de", true },
   { "levelaccordingly.com", true },
   { "levelcheat.com", true },
+  { "levelonetrainingandfitness.com", true },
   { "leveluplv.com", true },
   { "leveluprails.com", true },
   { "levendwater.org", true },
@@ -21703,6 +22451,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "leverj.io", true },
   { "levermann.eu", true },
   { "leviaan.nl", true },
+  { "leviathan-studio.com", true },
   { "levineteamestates.com", true },
   { "levinus.de", true },
   { "leviscop.com", true },
@@ -21719,7 +22468,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lexicography.online", true },
   { "lexpierce.social", true },
   { "lexway.pk", true },
-  { "lexxyn.nl", true },
   { "leymaritima.com", true },
   { "lezard-com.fr", true },
   { "lfashion.eu", true },
@@ -21738,12 +22486,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lhajn.cz", true },
   { "lhakustik.se", true },
   { "lhalbert.xyz", true },
-  { "lhamaths.online", true },
+  { "lhamaths.online", false },
   { "lhconsult.tk", false },
+  { "lhero.org", true },
   { "lhgavarain.com", true },
   { "lhost.su", true },
   { "li-ke.co.jp", true },
   { "li.search.yahoo.com", false },
+  { "lialion.de", true },
   { "liam-w.io", true },
   { "liamelliott.me", true },
   { "liamlin.me", true },
@@ -21753,10 +22503,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lianye4.cc", true },
   { "lianye5.cc", true },
   { "lianye6.cc", true },
+  { "liautard.fr", true },
   { "lib64.net", true },
   { "libbitcoin.org", true },
   { "libble.eu", true },
   { "liberapay.com", true },
+  { "liberation2020.com", true },
   { "liberdademg.com.br", true },
   { "libgame.com", true },
   { "libmpq.org", true },
@@ -21775,13 +22527,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "libreduca.com", true },
   { "librelamp.com", true },
   { "libremail.nl", true },
+  { "librends.org", true },
   { "libreoffice-from-collabora.com", true },
   { "libreofficefromcollabora.com", true },
   { "librervac.org", true },
+  { "librosdescargas.club", true },
   { "libscode.com", false },
   { "libskia.so", true },
   { "libsodium.org", true },
   { "libstock.si", true },
+  { "libzik.com", true },
   { "lichess.org", true },
   { "lichtmetzger.de", true },
   { "lichtspot.de", true },
@@ -21807,32 +22562,37 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lie.as", true },
   { "liebel.org", true },
   { "lieberwirth.biz", true },
-  { "lieblingsholz.de", true },
   { "liemen.net", true },
   { "lierrmm.space", true },
   { "lieuu.com", true },
   { "lifanov.com", true },
   { "life-emotions.pt", true },
+  { "life-like.com", true },
   { "lifeartstudios.net", true },
   { "lifebetweenlives.com.au", true },
   { "lifeboxhealthcare.co.uk", true },
   { "lifecism.com", true },
   { "lifeenrichmentnc.com", true },
+  { "lifefoto.de", true },
   { "lifegrip.com.au", true },
   { "lifeinhex.com", true },
   { "lifeinsurancepro.org", true },
+  { "lifeisabug.com", true },
   { "lifekiss.ru", true },
   { "lifelenz.com", true },
   { "lifematenutrition.com", true },
   { "lifemstyle.com", true },
   { "lifeqa.net", true },
+  { "lifequotes-uk.co.uk", true },
   { "lifereset.it", true },
   { "lifesafety.com.br", true },
-  { "lifestyle7788.com", true },
+  { "lifestylecent.com", true },
   { "lifestylefinancial.ca", true },
   { "lifetree.network", true },
+  { "lifeupgame.fr", true },
   { "lifi.digital", true },
   { "lifi.is", true },
+  { "lift-wise.com", true },
   { "liftie.info", true },
   { "ligadosgames.com", true },
   { "light-up.xyz", true },
@@ -21873,13 +22633,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lijncoaching.nl", true },
   { "lijstje.be", true },
   { "lijstje.nl", true },
-  { "likc.me", true },
   { "likeablehub.com", true },
   { "likeabox.de", true },
   { "likebee.gr", true },
   { "likegeeks.com", true },
   { "likehifi.de", true },
   { "likemovies.de", true },
+  { "likenewhearing.com.au", true },
   { "likere.com", true },
   { "likesforinsta.com", true },
   { "likui.me", true },
@@ -21887,6 +22647,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "liliang13.com", true },
   { "liljohnsanitary.net", true },
   { "lillepuu.com", true },
+  { "lilliangray.co.za", true },
   { "lily-bearing.com", true },
   { "lily-inn.com", true },
   { "lilyfarmfreshskincare.com", true },
@@ -21897,14 +22658,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "limawi.io", true },
   { "limberg.me", true },
   { "limbo.services", true },
-  { "limeburst.net", true },
   { "limelabs.de", true },
   { "limelabs.io", true },
+  { "limeres.com", true },
   { "limereslaw.com", true },
   { "limitededitioncomputers.com", true },
   { "limitededitionsolutions.com", true },
   { "limitxyz.com", true },
-  { "limn.me", true },
   { "limoairporttoronto.net", true },
   { "limousineservicezurich.com", true },
   { "limpid.nl", true },
@@ -21921,6 +22681,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lindalap.fi", true },
   { "lindaolsson.com", true },
   { "lindemann.space", true },
+  { "linden.me", true },
   { "lindeskar.se", true },
   { "lindholmen.club", true },
   { "lindnerhof-taktik.de", true },
@@ -21930,6 +22691,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lindsaygorski.com", true },
   { "lindskogen.se", true },
   { "lindy.co", false },
+  { "line-wise.com", true },
   { "line.biz", true },
   { "line.co.nz", true },
   { "lineageos.org", true },
@@ -21944,6 +22706,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "linguatrip.com", false },
   { "lingvo-svoboda.ru", true },
   { "linherest.tk", true },
+  { "linhua.org", true },
   { "link-sanitizer.com", true },
   { "link2serve.com", true },
   { "linkat4.cz", true },
@@ -21954,15 +22717,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "linklocker.co", true },
   { "linkmaker.co.uk", true },
   { "linkmauve.fr", true },
-  { "linkonaut.net", true },
+  { "linkopia.com", true },
+  { "linkstream.live", true },
   { "linkthis.me", true },
   { "linkthis.ml", true },
+  { "linkthisstatus.ml", true },
   { "linktio.com", true },
   { "linky.tk", true },
-  { "linkybos.com", true },
   { "linkycat.com", true },
   { "linode.com", false },
   { "linost.com", true },
+  { "linpx.com", true },
   { "linqhost.nl", true },
   { "linss.com", true },
   { "lintellift.com", true },
@@ -21975,7 +22740,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "linux.cn", true },
   { "linux.conf.au", true },
   { "linux.fi", true },
-  { "linux.im", true },
   { "linux.pizza", true },
   { "linux3.org", true },
   { "linuxadictos.com", true },
@@ -21995,7 +22759,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "linx.net", true },
   { "linzgau.de", true },
   { "linzyjx.com", true },
-  { "lionhosting.nl", true },
   { "lionlyrics.com", true },
   { "lionsdeal.com", true },
   { "lipartydepot.com", true },
@@ -22029,10 +22792,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lists.stg.fedoraproject.org", true },
   { "litchidova.nl", true },
   { "litebit.eu", true },
+  { "litebitanalytics.eu", true },
   { "litebits.com", true },
   { "litemind.com", true },
   { "literarymachin.es", true },
   { "literature-schools.com", true },
+  { "literaturpreis-bad-wurzach.de", true },
   { "litfin.name", true },
   { "lithan.com", true },
   { "lithesalar.se", true },
@@ -22043,6 +22808,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "littleboutiqueshop.co.uk", true },
   { "littleboutiqueshop.com", true },
   { "littleboutiqueshop.uk", true },
+  { "littledev.nl", true },
   { "littlefairy.no", true },
   { "littlefamilyadventure.com", true },
   { "littlegreece.ae", true },
@@ -22052,9 +22818,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "littlepincha.fr", true },
   { "littleprincessandmascotparties.co.uk", true },
   { "littleqiu.net", true },
+  { "littleredpenguin.com", true },
   { "littleredsbakeshop.com", true },
   { "littlericket.me", false },
   { "littlescallywagsplay.co.uk", true },
+  { "littleskin.cn", true },
   { "littleswitch.co.jp", true },
   { "littlewatcher.com", true },
   { "litvideoserver.de", true },
@@ -22065,8 +22833,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "liufengyu.cn", true },
   { "liul.in", true },
   { "liupeicheng.top", true },
-  { "liushuyu.tk", true },
   { "liv3d.stream", true },
+  { "livaniaccesorios.com", true },
   { "live4k.media", false },
   { "livebandphotos.com", true },
   { "livebetterwith.com", true },
@@ -22079,6 +22847,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "livedesign24.de", true },
   { "liveflightapp.com", true },
   { "liveforspeed.se", true },
+  { "livehomecams.co.uk", true },
   { "livekaarten.be", true },
   { "livekaarten.nl", true },
   { "livekarten.at", true },
@@ -22105,7 +22874,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "livi.co.uk", true },
   { "livi.fr", true },
   { "living-space.co.nz", true },
+  { "living.digital", true },
+  { "living.video", true },
   { "living24.de", true },
+  { "livingafrugallife.com", true },
   { "livingforreal.com", true },
   { "livinginhimalone.com", true },
   { "livingkingsinc.net", true },
@@ -22114,26 +22886,29 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "livnev.me", true },
   { "livnev.xyz", true },
   { "livolett.de", true },
-  { "livrariacoad.com.br", true },
   { "livres-et-stickers.com", true },
-  { "livroseuniformes.com.br", true },
+  { "lixiaoyu.live", true },
   { "lixtick.com", true },
   { "liyang.pro", false },
   { "liyin.date", true },
   { "liyunbin.com", true },
   { "liz.ee", true },
   { "lizardsystems.com", true },
+  { "lizheng.de", true },
   { "lizhi.io", true },
   { "lizhi123.net", true },
   { "lizmooredestinationweddings.com", true },
   { "lizzaran.io", true },
-  { "ljason.cn", true },
+  { "lizzwood.com", true },
   { "ljc.ro", true },
   { "ljs.io", true },
+  { "ljskool.com", true },
+  { "ljusdalsnaprapatklinik.se", true },
   { "lk-hardware.cz", true },
   { "lknw.de", true },
   { "lkp111138.me", true },
   { "llamacuba.com", true },
+  { "llamasweet.tech", true },
   { "llemoz.com", true },
   { "ller.xyz", true },
   { "llm-guide.com", true },
@@ -22141,14 +22916,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lloyd-day.me", true },
   { "llslb.com", false },
   { "lm-pumpen.de", false },
+  { "lmbyrne.co.uk", true },
+  { "lmbyrne.com", true },
   { "lmcm.io", true },
   { "lmddgtfy.net", true },
-  { "lmerza.com", true },
   { "lmintlcx.com", true },
+  { "lmmi.nl", true },
   { "lmmtfy.io", true },
   { "lmsptfy.com", true },
   { "lmtls.me", true },
   { "lmtm.eu", true },
+  { "lmtravis.com", true },
   { "lng-17.org", true },
   { "lnhequipmentltd.com", true },
   { "lntu.org", true },
@@ -22162,10 +22940,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "loandolphin.com.au", true },
   { "loanreadycredit.com", true },
   { "loanstreet.nl", true },
+  { "lob-assets-staging.com", true },
+  { "lob-assets.com", true },
   { "lob-staging.com", true },
   { "lob.com", true },
   { "lobivia.de", true },
-  { "lobosdomain.hopto.org", true },
   { "lobsangstudio.com", true },
   { "lobstr.co", true },
   { "local360.net", true },
@@ -22174,13 +22953,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "localblock.co.za", true },
   { "localbouncycastle.com", true },
   { "localdecor.com.br", true },
+  { "localea.com", true },
   { "localethereum.com", true },
   { "localhorst.duckdns.org", true },
-  { "localhorst.xyz", true },
   { "localhost.ee", true },
   { "localprideart.com", true },
+  { "localsource.eu", true },
   { "localspot.pl", true },
   { "locapos.com", true },
+  { "location-fichier-email.com", true },
   { "locationvoitureallemagne.com", true },
   { "locationvoitureangleterre.com", true },
   { "locationvoitureaustralie.com", true },
@@ -22190,9 +22971,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "locationvoitureportugal.com", true },
   { "locatorplus.gov", true },
   { "locauxrama.fr", true },
-  { "locker.email", true },
   { "locker.plus", true },
-  { "lockify.com", true },
+  { "locklock.com.br", true },
+  { "locklockbrasil.com.br", true },
+  { "locknlock.com.br", true },
+  { "locknlockbrasil.com.br", true },
   { "lockpick.nl", true },
   { "lockpicks.se", true },
   { "lockr.io", true },
@@ -22200,9 +22983,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "locksmithbalchsprings.com", true },
   { "locksmithballito.com", true },
   { "locksmithbluff.co.za", true },
+  { "locksmithdearborn.com", true },
   { "locksmithedmonds.com", true },
+  { "locksmithfriendswoodtexas.com", true },
   { "locksmithgarland-tx.com", true },
   { "locksmithgrapevinetx.com", true },
+  { "locksmithhumbletx.com", true },
   { "locksmithindurban.co.za", true },
   { "locksmithlivoniami.com", true },
   { "locksmithmadisonheights.com", true },
@@ -22289,18 +23075,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lojaprimemed.com.br", true },
   { "lojaprojetoagua.com.br", true },
   { "lojasceletro.com.br", true },
-  { "lojatema.com.br", true },
   { "lojaterrazul.com.br", true },
   { "lojavirtualfc.com.br", true },
-  { "lojavirtualfct.com.br", true },
   { "lojavisamed.com.br", true },
   { "lojix.com", true },
   { "lojj.pt", true },
   { "lok.space", true },
   { "lokaal.org", true },
+  { "loker.id", true },
   { "loket.nl", true },
   { "lolcorp.pl", true },
   { "lolcow.farm", true },
+  { "lolhax.org", true },
+  { "loli.ee", true },
   { "loli.net", true },
   { "loli.pet", true },
   { "loli.ski", true },
@@ -22311,6 +23098,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lolico.moe", true },
   { "lolicon.eu", true },
   { "lolkot.ru", true },
+  { "lolly.cc", true },
   { "lolnames.gg", true },
   { "lolpatrol.de", true },
   { "lolpatrol.wtf", true },
@@ -22330,9 +23118,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lonesomecosmonaut.com", true },
   { "lonestarlandandcommercial.com", true },
   { "long-journey.com", true },
-  { "long139.com", true },
-  { "long18.cc", true },
-  { "long688.com", true },
+  { "longboat.io", true },
   { "longhaircareforum.com", true },
   { "longhorn-imports.com", true },
   { "longhorn.id.au", true },
@@ -22360,14 +23146,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lookyman.net", true },
   { "lookzook.com", true },
   { "loom.no", true },
-  { "loony.info", true },
-  { "loopower.com", true },
   { "loopstart.org", true },
   { "looseleafsecurity.com", true },
   { "loothole.com", true },
   { "loovto.net", true },
   { "loposchokk.com", true },
   { "loqu8.com", true },
+  { "loquo.com", true },
   { "lord.sh", true },
   { "lordofthebrick.com", true },
   { "lore.azurewebsites.net", true },
@@ -22407,6 +23192,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "loungecafe.org", true },
   { "loungepapillon.com", true },
   { "love4taylor.me", true },
+  { "loveai.org", true },
   { "loveandadoreboutique.com", true },
   { "lovebigisland.com", true },
   { "lovecrystal.co.uk", true },
@@ -22415,8 +23201,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lovelens.li", false },
   { "lovelivewiki.com", true },
   { "lovelovenavi.jp", true },
-  { "lovelytimes.net", true },
   { "lovemanagementaccounts.co.uk", true },
+  { "lovemiku.info", true },
   { "lovemomiji.com", true },
   { "lovenwishes.com", true },
   { "loveph.one", true },
@@ -22424,7 +23210,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "loverepublic.ru", true },
   { "lovesmagical.com", true },
   { "lovesupremefestival.com", true },
-  { "lovetravel360.com", true },
   { "lovevape.co", true },
   { "loveyounastya.com", true },
   { "loveysa.ch", true },
@@ -22445,47 +23230,46 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "loyaltyondemand.club", true },
   { "loyaltyondemand.eu", true },
   { "lp-support.nl", true },
-  { "lpcom.de", true },
   { "lprcommunity.co.za", true },
   { "lpt-nebreziny.eu", true },
-  { "lqs.me", true },
   { "lra-cloud.de", true },
   { "lrdo.net", true },
+  { "lriese.ch", true },
   { "lrssystems.com", true },
   { "ls-alarm.de", true },
   { "lsal.me", true },
   { "lsc-dillingen.de", true },
   { "lsc.gov", true },
-  { "lshiy.com", true },
   { "lsmpx.com", true },
   { "lsquo.com", true },
   { "lsscreens.de", true },
+  { "lsys.ac", true },
   { "lt.search.yahoo.com", false },
   { "ltaake.com", true },
   { "ltecode.com", true },
   { "ltib.com.au", true },
   { "ltls.org", true },
   { "ltn-tom-morel.fr", true },
+  { "lty.space", true },
   { "lu.search.yahoo.com", false },
+  { "luan.ma", true },
   { "luav.org", true },
   { "lubar.me", true },
   { "lubbockyounglawyers.org", true },
   { "lublin.toys", true },
-  { "lubomirkazakov.com", true },
   { "luc-oberson.ch", true },
   { "luca-steeb.com", true },
   { "luca.swiss", true },
   { "lucacastelnuovo.nl", false },
   { "lucafontana.net", true },
   { "lucafrancesca.me", true },
-  { "lucakrebs.de", true },
   { "lucasantarella.com", true },
   { "lucasbergen.ca", true },
-  { "lucascobb.com", true },
   { "lucasem.com", true },
   { "lucasgaland.com", true },
   { "lucasgymnastics.com", true },
   { "lucaslarson.net", true },
+  { "lucassoler.com.ar", false },
   { "luce.life", true },
   { "luchscheider.de", false },
   { "lucid-light.de", true },
@@ -22520,28 +23304,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "luftreiniger.biz", true },
   { "lufu.io", true },
   { "lugbb.org", true },
+  { "lugimax.com", true },
   { "luginbuehl.be", true },
-  { "luginbuehl.eu", true },
   { "lugui.in", true },
   { "lui.pink", true },
   { "luiscapelo.info", true },
-  { "luisgf.es", true },
   { "luismaier.de", true },
   { "luisyr.com", true },
-  { "luizkowalski.net", true },
   { "luk.earth", true },
   { "lukas-gorr.de", true },
   { "lukas-meixner.com", true },
   { "lukas-oppermann.de", true },
-  { "lukas-schauer.de", true },
-  { "lukas.im", true },
-  { "lukas2511.de", true },
   { "lukasberan.com", true },
   { "lukasberan.cz", true },
   { "lukasfunk.com", true },
   { "lukasoppermann.com", true },
   { "lukasoppermann.de", true },
-  { "lukasschauer.de", true },
   { "lukasschick.de", false },
   { "lukaszorn.de", true },
   { "lukaszwojcik.net", true },
@@ -22556,6 +23334,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lukesutton.info", true },
   { "lukmanulhakim.id", true },
   { "lukull-pizza.de", true },
+  { "luloboutique.com", true },
+  { "lumbercartel.ca", true },
   { "lumen.sh", true },
   { "lumi.pw", true },
   { "lumiere.com", true },
@@ -22565,39 +23345,47 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lumminary.com", true },
   { "lunafag.ru", true },
   { "lunakit.org", true },
+  { "lunalove.de", true },
   { "lunanova.moe", true },
   { "lunapps.com", true },
   { "lunar6.ch", true },
+  { "lunarichter.de", true },
   { "lunarlog.com", true },
   { "lunarshark.com", true },
+  { "lunarsoft.net", true },
   { "lunartail.nl", true },
   { "lunasqu.ee", true },
   { "lunastrail.com", true },
+  { "lunazacharias.com", true },
   { "lunchbunch.me", true },
   { "lune-indigo.ch", true },
   { "lungta.pro", true },
   { "lunidea.ch", true },
   { "lunidea.com", true },
   { "lunis.net", true },
-  { "lunix.io", true },
   { "lunorian.is", true },
+  { "luodaoyi.com", true },
+  { "luody.info", true },
   { "luoe.me", true },
   { "luoh.cc", true },
   { "luoh.me", true },
   { "luohua.im", true },
   { "luongvu.com", true },
+  { "luoshifeng.com", true },
   { "luowu.cc", true },
+  { "lupa.cz", true },
   { "lupecode.com", true },
   { "lupinencyclopedia.com", true },
   { "lupinenorthamerica.com", true },
   { "luqsus.pl", true },
   { "lusitom.com", true },
   { "luso-livros.net", true },
+  { "lusoft.cz", true },
   { "lusteniny.cz", true },
-  { "lustige-zitate.com", true },
   { "lustin.fr", true },
   { "lustrum.ch", true },
   { "lusynth.com", true },
+  { "luteijn.biz", true },
   { "luteijn.cloud", true },
   { "luteijn.email", true },
   { "luteijn.pro", true },
@@ -22605,12 +23393,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lutoma.org", true },
   { "luukdebruincv.nl", true },
   { "luukklene.nl", true },
+  { "luukuton.fi", true },
   { "luuppi.fi", true },
   { "luvare.com", true },
   { "luvbridal.com.au", true },
-  { "luvplay.co.uk", true },
   { "luxcraft.eng.br", true },
   { "luxescreenprotector.nl", false },
+  { "luxfosdecoenterprise.com", true },
   { "luxsci.com", true },
   { "luxurynsight.net", true },
   { "luxurytimepieces.net", true },
@@ -22624,7 +23413,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "luzfaltex.com", true },
   { "lv.search.yahoo.com", false },
   { "lv0.it", true },
-  { "lv5.top", true },
+  { "lvftw.com", true },
+  { "lvguitars.com", true },
   { "lvmoo.com", true },
   { "lvrsystems.com", true },
   { "lw-addons.net", true },
@@ -22636,7 +23426,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lycee-saintjoseph-mesnieres.fr", true },
   { "lychankiet.name.vn", false },
   { "lydudlejning.net", true },
-  { "lyfbits.com", true },
   { "lyftrideestimate.com", true },
   { "lykai.ca", true },
   { "lymia.moe", true },
@@ -22652,16 +23441,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "lynxpro.nl", true },
   { "lyon-interactive.com", true },
   { "lyon-synergie.com", true },
-  { "lyoness.digital", true },
   { "lyrical-nonsense.com", true },
   { "lyricfm.ie", true },
   { "lys.ch", true },
+  { "lysdeau.be", true },
   { "lyst.co.uk", true },
   { "lyukaacom.ru", true },
+  { "lyuly.com", true },
   { "lyx.dk", true },
+  { "lzcreation.com", true },
   { "lzh.one", true },
   { "lzwc.nl", true },
-  { "lzzr.me", true },
   { "m-22.com", true },
   { "m-chemical.com.hk", true },
   { "m-gh.info", true },
@@ -22680,9 +23470,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "m2epro.com", true },
   { "m2il.co", true },
   { "m2os.com", true },
+  { "m4g.ru", true },
   { "m4rcus.de", true },
   { "ma-eir.nl", true },
-  { "ma-plancha.ch", true },
   { "ma2t.com", true },
   { "maartenderaedemaeker.be", true },
   { "maartenvandekamp.nl", true },
@@ -22693,12 +23483,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mabankonline.com", true },
   { "mabulledu.net", true },
   { "mac-i-tea.ch", true },
+  { "mac-service-stockholm.se", true },
+  { "mac-servicen.se", true },
+  { "mac-support.nu", true },
+  { "mac-support.se", true },
   { "mac.biz.tr", true },
   { "mac1.net", true },
   { "macaw.nl", true },
   { "macaws.org", true },
+  { "macbook.es", true },
   { "maceinturecuir.com", true },
   { "maces-net.de", true },
+  { "macgeneral.de", true },
   { "macgenius.com", true },
   { "mach-politik.ch", true },
   { "macha.cloud", true },
@@ -22709,11 +23505,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "macht-elektro.de", true },
   { "machtweb.de", true },
   { "machu-picchu.nl", true },
-  { "maciespartyhire.co.uk", true },
   { "macil.tech", true },
   { "macinyasha.net", true },
   { "macker.io", true },
-  { "mackey7.net", true },
   { "mackeysack.com", true },
   { "mackiehouse.ca", true },
   { "macksproductions.in", true },
@@ -22728,12 +23522,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "macosxfilerecovery.com", true },
   { "macoun.de", true },
   { "macros.co.jp", true },
-  { "macstore.pe", true },
+  { "macsupportnacka.se", true },
+  { "macsupportstockholm.se", true },
   { "mactools.com.co", true },
   { "mad.ninja", true },
   { "madae.nl", true },
+  { "madandpissedoff.com", true },
   { "madars.org", false },
-  { "madbicicletas.com", true },
   { "madbin.com", true },
   { "madbouncycastles.co.uk", true },
   { "maddi.biz", true },
@@ -22742,7 +23537,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maddistonpsa.co.uk", true },
   { "maddreefer.com", true },
   { "made-in-earth.co.jp", true },
-  { "made-to-usb.com", true },
   { "madebydusk.com", true },
   { "madebyshore.com", true },
   { "madeinchezmoi.net", true },
@@ -22756,10 +23550,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "madisonent-facialplasticsurgery.com", true },
   { "madisonsquarerealestate.com", true },
   { "madmar.ee", true },
+  { "madmax-store.gr", true },
   { "madoka.nu", true },
   { "madokami.pw", true },
   { "madreacqua.org", true },
   { "madrecha.com", true },
+  { "madreshoy.com", true },
   { "madridartcollection.com", true },
   { "madscientistwebdesign.com", true },
   { "madtec.de", true },
@@ -22773,7 +23569,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maeplasticsurgery.com", true },
   { "maestrano.com", true },
   { "maff.co.uk", true },
-  { "maff.scot", false },
   { "mafia.network", true },
   { "mafiaforum.de", true },
   { "mafiapenguin.club", true },
@@ -22792,6 +23587,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "magentaize.net", true },
   { "magentapinkinteriors.co.uk", true },
   { "magentoeesti.eu", true },
+  { "magepro.fr", true },
   { "magewell.nl", true },
   { "maggie.com", true },
   { "magi-cake.com", true },
@@ -22801,10 +23597,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "magical.rocks", true },
   { "magicalcircuslv.com", true },
   { "magicalshuttle.fr", true },
+  { "magicamulet.me", true },
+  { "magicball.co", true },
   { "magicbroccoli.de", true },
   { "magiccards.info", true },
   { "magicdaysomagh.co.uk", true },
-  { "magickmoments.co.uk", true },
+  { "magicdlp.com", true },
   { "magiclen.org", true },
   { "magicspaceninjapirates.de", true },
   { "magictable.com", true },
@@ -22817,15 +23615,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "magnetpass.uk", true },
   { "magnets.jp", true },
   { "magnettracker.com", true },
+  { "magnificatwellnesscenter.com", true },
   { "magnificentdata.com", true },
   { "magnoliadoulas.com", true },
   { "magnoliastrong.com", true },
   { "magnunbaterias.com.br", true },
+  { "magodaoferta.com.br", true },
   { "magonote-nk.com", true },
   { "magravsitalia.com", true },
   { "magu.kz", true },
   { "maguire.email", true },
   { "magwin.co.uk", true },
+  { "mah-nig.ga", true },
   { "mahai.me", true },
   { "mahatmayoga.org", true },
   { "mahefa.co.uk", true },
@@ -22858,12 +23659,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maillady-susume.com", true },
   { "mailmag.net", false },
   { "mailnara.co.kr", true },
+  { "mailtelligent.com", true },
   { "mailto.space", true },
   { "mailum.org", false },
   { "mainechiro.com", true },
   { "mainframeserver.space", true },
   { "mainlined.org", true },
-  { "mainston.com", true },
   { "maintenance-traceur-hp.fr", true },
   { "mainzelmaennchen.net", true },
   { "maioresemelhores.com", true },
@@ -22874,21 +23675,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maispa.com", true },
   { "maisretorno.com", true },
   { "maisvitaminas.com.br", true },
+  { "maitemerino.net", true },
   { "maitheme.com", true },
-  { "maitrechaton.fr", true },
   { "maitrise-orthopedique.com", true },
   { "majahoidja.ee", true },
   { "majaweb.cz", true },
-  { "majemedia.com", true },
+  { "majemedia.com", false },
   { "majesnix.org", true },
-  { "majesticcolorado.com", true },
   { "majid.info", true },
   { "majkassab.com", true },
   { "majkassab.net", true },
   { "majkassab.org", true },
-  { "majkl.me", true },
-  { "majkl.xyz", true },
-  { "majkl578.cz", true },
   { "majkyto.cz", true },
   { "majlovesreg.one", true },
   { "majolka.com", true },
@@ -22899,6 +23696,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "makeaboldmove.com", true },
   { "makechanges.com.au", true },
   { "makedin.net", true },
+  { "makedonija.net.mk", true },
   { "makem-bounce.co.uk", true },
   { "makenaiyo-fx.com", true },
   { "makera.ga", true },
@@ -22909,6 +23707,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "makinen.ru", true },
   { "makkusu.photo", true },
   { "makkyon.com", true },
+  { "makos.jp", true },
   { "makowitz.cz", true },
   { "maktoob.search.yahoo.com", false },
   { "maku.edu.tr", true },
@@ -22948,7 +23747,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "malscan.com", true },
   { "malscan.org", true },
   { "malta-firma.com", true },
-  { "malte-kiefer.de", true },
   { "malufs.com.br", true },
   { "malware.watch", true },
   { "malwareinvestigator.gov", true },
@@ -22987,6 +23785,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "manager-efficacement.com", true },
   { "manager.linode.com", false },
   { "managewp.org", true },
+  { "manaonetrading.com", true },
+  { "manatees.com.au", true },
   { "manatees.net", true },
   { "manavgabhawala.com", true },
   { "manawill.jp", true },
@@ -23041,14 +23841,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "manualscollection.com", true },
   { "manuel-herrmann.de", true },
   { "manuel-schefczyk.de", true },
-  { "manuel7espejo.com", true },
   { "manuelahidalgo.org", true },
   { "manueldopheide.com", true },
   { "manueli.de", true },
   { "manuelpinto.in", false },
   { "manufacturing.gov", true },
+  { "manufacturinginmexico.org", true },
   { "manufacturingusa.com", true },
-  { "manuscript.com", true },
   { "manuscriptlink.com", true },
   { "manutd.org.np", true },
   { "manuth.life", true },
@@ -23058,7 +23857,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "manylots.ru", true },
   { "manyue.org", true },
   { "maoi.re", true },
-  { "maomao.blog", true },
   { "maomihz.com", true },
   { "maone.net", true },
   { "maorseo.com", true },
@@ -23069,22 +23867,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "map4jena.de", true },
   { "mapasmundi.com.br", true },
   { "mapblender.com", true },
+  { "mapchange.org", true },
   { "mapeo.io", true },
   { "maplanetebeaute.fr", true },
+  { "maplegate.info", true },
   { "maplehome.tk", true },
   { "mapletime.com", true },
   { "maps.net", true },
   { "mapstack.org", true },
   { "maquettage.com", true },
   { "maquinariaspesadas.org", true },
-  { "maquininhamercadopoint.com.br", true },
+  { "maquinasdecoserplus.com", true },
   { "mar-eco.no", true },
   { "marabumadrid.com", false },
+  { "marabunta.io", true },
   { "marakovits.net", true },
   { "marble.com", true },
   { "marbogardenlidkoping.se", true },
+  { "marbree.eu", true },
   { "marc-hammer.de", true },
   { "marc-schlagenhauf.de", true },
+  { "marcaixala.me", true },
   { "marcbeije.com", true },
   { "marcberndtgen.de", true },
   { "marcceleiro.cat", true },
@@ -23119,6 +23922,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marcoherten.com", true },
   { "marcoklomp.nl", true },
   { "marcoslater.com", true },
+  { "marcusds.ca", true },
   { "marcuskoh.com", true },
   { "marcusstafford.com", true },
   { "marechal-company.com", true },
@@ -23126,22 +23930,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marek.su", true },
   { "marelijah.org", true },
   { "margagriesser.de", true },
+  { "margays.de", true },
   { "margecommunication.com", true },
   { "margo-co.ch", true },
-  { "margo.ml", true },
   { "margotlondon.co.uk", true },
   { "margots.biz", true },
   { "margots.life", true },
   { "margots.tech", true },
   { "marguerite-maison.fr", true },
-  { "mariacorzo.com", true },
   { "mariage-photo.ch", true },
+  { "mariaheidemann.nl", true },
   { "marianatherapy.com", true },
   { "marianelaisashi.com", true },
   { "marianhoenscheid.de", true },
   { "mariannenan.nl", true },
   { "mariannethijssen.nl", true },
   { "mariapietropola.com", true },
+  { "mariatash.com", true },
+  { "marie-elisabeth.dk", false },
   { "mariehane.com", true },
   { "mariemiramont.fr", true },
   { "mariereichl.cz", true },
@@ -23156,13 +23962,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marinazarza.es", true },
   { "marinbusinesscenter.ch", true },
   { "marine.gov", true },
-  { "marinecadastre.gov", true },
   { "marinekaplama.com", true },
   { "marinela.com.mx", false },
   { "marinelausa.com", false },
   { "marines-shop.com", true },
   { "mario.party", false },
-  { "marioabela.com", true },
   { "mariogeckler.de", true },
   { "mariposah.ch", true },
   { "marisamorby.com", false },
@@ -23194,12 +23998,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marketingbrandingnews.net", true },
   { "marketingco.nl", true },
   { "marketingconverts.com", true },
+  { "marketingeinnovacion.com", true },
   { "marketingforfood.com", true },
   { "marketinggenerators.nl", true },
   { "marketingtrendnews.com", true },
   { "marketingvirtuales.com", true },
   { "marketizare.ro", true },
-  { "marketlinks.org", true },
   { "marketnsight.com", true },
   { "markfordelegate.com", true },
   { "markhaehnel.de", true },
@@ -23218,6 +24022,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "markridgwell.co.uk", true },
   { "markridgwell.com", true },
   { "markridgwellcom.appspot.com", true },
+  { "markrobin.de", true },
   { "markscastles.co.uk", true },
   { "marksm.it", true },
   { "marksmanhomes.com", true },
@@ -23228,6 +24033,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "markt-heiligenstadt.de", false },
   { "marktcontact.com", true },
   { "marktissink.nl", true },
+  { "marktplaatshelper.nl", true },
   { "markup-ua.com", true },
   { "markus-blog.de", true },
   { "markus-dev.com", true },
@@ -23236,7 +24042,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "markus-ullmann.de", true },
   { "markus.design", true },
   { "markusehrlicher.de", true },
-  { "markusgran.de", true },
   { "markuskeppeler.de", true },
   { "markuskeppeler.no-ip.biz", true },
   { "marl.fr", true },
@@ -23265,6 +24070,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marshyplay.live", true },
   { "marsikelektro.cz", true },
   { "martasibaja.com", true },
+  { "martel-innovate.com", true },
   { "martelange.ovh", true },
   { "marten-buer.de", true },
   { "martensmxservice.nl", true },
@@ -23282,7 +24088,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "martindimitrov.cz", true },
   { "martine.nu", true },
   { "martineweitweg.de", true },
-  { "martingansler.de", true },
+  { "martinfranc.eu", true },
   { "martinkus.eu", true },
   { "martinmuc.de", true },
   { "martinreed.net", true },
@@ -23302,6 +24108,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "marycliffpress.com", true },
   { "maryeclark.com", true },
   { "maryeileen90.party", true },
+  { "maryhaze.net", true },
   { "maryjaneroach.com", true },
   { "maryjruggles.com", true },
   { "marykatrinaphotography.com", true },
@@ -23319,7 +24126,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "masiniunelte.store.ro", true },
   { "masiul.is", true },
   { "maskim.fr", true },
-  { "maslife365.com", true },
   { "maslin.io", true },
   { "masrur.org", true },
   { "massaboutique.com", true },
@@ -23338,9 +24144,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "massotherapeutique.com", true },
   { "massvow.com", true },
   { "masta.ch", true },
+  { "mastafu.info", true },
   { "mastah.fr", true },
   { "mastd.me", false },
   { "mastellone.us", true },
+  { "mastepinnelaand.nl", true },
   { "master-net.org", true },
   { "mastercardpac.com", true },
   { "masterdemolitioninc.com", true },
@@ -23351,9 +24159,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "masterpc.co.uk", true },
   { "masterplc.com", true },
   { "masters.black", true },
-  { "mastersquirrel.xyz", true },
   { "masterstuff.de", true },
-  { "mastiffingles.com.br", true },
   { "mastodon.at", true },
   { "mastodon.host", true },
   { "mastodon.rocks", true },
@@ -23367,7 +24173,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "matcha-iga.jp", true },
   { "matchatea24.com", true },
   { "matchboxdesigngroup.com", true },
-  { "matchneedle.com", true },
   { "matdogs.com", true },
   { "matejgroma.com", true },
   { "matel.org", true },
@@ -23384,7 +24189,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "math.hamburg", true },
   { "mathalexservice.info", true },
   { "mathematik.rocks", false },
-  { "mathematris.com", true },
   { "mathembedded.com", true },
   { "matheo-schefczyk.de", true },
   { "mathfinder.org", true },
@@ -23394,25 +24198,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mathiasgarbe.de", true },
   { "mathiaswagner.org", true },
   { "mathieuguimond.com", true },
-  { "mathieui.net", true },
   { "mathis.com.tr", true },
   { "maths.network", true },
-  { "mathsource.ga", true },
   { "mathspace.co", true },
-  { "mathsweek.nz", true },
-  { "mathsweek.org.nz", true },
-  { "mathsweek.school.nz", true },
   { "mathys.io", true },
+  { "matijakolaric.com", true },
   { "matildajaneclothing.com", true },
   { "matjaz.it", true },
   { "matlss.com", true },
-  { "matmessages.com", true },
   { "matok.me.uk", true },
   { "matome-surume.com", true },
   { "matomeathena.com", true },
   { "matoutepetiteboutique.com", true },
   { "matratzentester.com", true },
   { "matridiana.com", true },
+  { "matrieux.dk", true },
   { "matrimoni.uk", true },
   { "matriterie-sdv.ro", true },
   { "matrixim.cc", true },
@@ -23421,6 +24221,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "matsu-semi.com", true },
   { "matsu-walk.com", true },
   { "matt-brooks.com", true },
+  { "matt-royal.com.cy", true },
   { "matt-royal.gr", true },
   { "matt.re", true },
   { "mattandyana.com", true },
@@ -23434,16 +24235,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mattcorp.com", true },
   { "mattdbarton.com", true },
   { "matteomarescotti.it", true },
+  { "mattessons.co.uk", true },
   { "mattferderer.com", true },
   { "mattfin.ch", true },
   { "mattforster.ca", true },
   { "matthecat.com", true },
-  { "matthewchapman.co.uk", true },
+  { "matthewchapman.co.uk", false },
   { "matthewfells.com", true },
   { "matthewgallagher.co.uk", true },
   { "matthewgrow.com", true },
   { "matthewj.ca", true },
   { "matthewkenny.co.uk", true },
+  { "matthewljiang.com", true },
   { "matthewohare.com", true },
   { "matthewsetter.com", true },
   { "matthey.nl", true },
@@ -23462,10 +24265,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mattmccutchen.net", true },
   { "mattmcshane.com", true },
   { "mattonline.me", true },
+  { "mattprojects.com", true },
+  { "mattwservices.co.uk", true },
   { "matviet.vn", true },
   { "matway.com", true },
   { "matway.net", true },
+  { "matze.co", true },
   { "mauerwerkstag.info", true },
+  { "mauiticketsforless.com", true },
   { "mauldincookfence.com", true },
   { "mauran.me", true },
   { "maurice-walker.com", false },
@@ -23490,12 +24297,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "max-went.pl", true },
   { "max.gov", true },
   { "maxb.fm", true },
-  { "maxbachmann.de", true },
   { "maxbeenen.de", true },
   { "maxbruckner.de", true },
   { "maxbruckner.org", true },
   { "maxchan.info", true },
-  { "maxdev72.freeboxos.fr", true },
   { "maxh.me.uk", true },
   { "maxhamon.ovh", true },
   { "maxhoechtl.at", true },
@@ -23511,11 +24316,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "maxipcalls.com", true },
   { "maxisito.it", true },
   { "maxkaul.de", true },
+  { "maxlaumeister.com", true },
   { "maxmatthe.ws", true },
   { "maxmilton.com", true },
   { "maxmind.com", true },
+  { "maxmobiles.ru", true },
   { "maxp.info", true },
   { "maxpl0it.com", true },
+  { "maxr1998.de", true },
   { "maxrandolph.com", true },
   { "maxtruxa.com", true },
   { "maxundlara.at", true },
@@ -23526,24 +24334,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "may24.tw", true },
   { "mayaimplant.com", true },
   { "mayavi.co.in", true },
+  { "maydex.info", true },
   { "mayerbrownllz.com", true },
-  { "mayoimobiliare.ro", true },
   { "mayomarquees.com", true },
   { "mayopartyhire.com", true },
   { "maypolevilla.co.uk", true },
-  { "mayrhofer.eu.org", true },
+  { "mayrhofer.eu.org", false },
   { "mazda-mps.de", true },
   { "mazda-thermote.com", true },
   { "mazda626.net", true },
+  { "mazdaofgermantown.com", true },
   { "maze.design", false },
   { "maze.fr", true },
   { "mazenjobs.com", true },
-  { "mazternet.ru", true },
   { "mazurlabs.tk", true },
   { "mazzotta.me", true },
   { "mb-is.info", true },
-  { "mb300sd.com", true },
-  { "mb300sd.net", true },
   { "mbaasy.com", true },
   { "mbaestlein.de", true },
   { "mbainflatables.co.uk", true },
@@ -23578,7 +24384,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mccoolesredlioninn.com", true },
   { "mccordsvillelocksmith.com", true },
   { "mccrackon.com", true },
-  { "mcculloughjchris.com", false },
+  { "mcculloughjchris.com", true },
   { "mcdermottautomotive.com", true },
   { "mcdona1d.me", true },
   { "mcdonalds.be", true },
@@ -23595,9 +24401,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mcgarderen.nl", true },
   { "mcgovernance.com", true },
   { "mchel.net", true },
-  { "mchopkins.net", true },
   { "mchristopher.com", true },
+  { "mchuiji.com", true },
   { "mcinterface.de", true },
+  { "mcit.gov.ws", true },
   { "mcivor.me", true },
   { "mckenry.net", false },
   { "mckernan.in", true },
@@ -23605,6 +24412,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mcl.de", false },
   { "mclinflatables.co.uk", true },
   { "mclmotors.co.uk", true },
+  { "mclyr.com", true },
   { "mcmillansedationdentistry.com", false },
   { "mcmillanskiclub.com.au", true },
   { "mcneill.io", true },
@@ -23628,8 +24436,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "md5file.com", true },
   { "md5hashing.net", true },
   { "mdazo.net", true },
-  { "mdbouncycastlehirelondon.co.uk", true },
-  { "mdcloudpracticesolutions.com", true },
   { "mdcloudps.com", true },
   { "mdek.at", true },
   { "mdewendt.de", true },
@@ -23658,6 +24464,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "meadowfenfarm.com", true },
   { "mealgoo.com", true },
   { "meamod.com", false },
+  { "meangirl.club", true },
   { "meany.xyz", true },
   { "meap.xyz", true },
   { "measureyourpenis.today", true },
@@ -23668,6 +24475,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mecaniquemondor.com", true },
   { "mechanics-schools.com", true },
   { "mechanus.io", true },
+  { "mechaspartans6648.com", true },
   { "mechmk1.me", true },
   { "med-colleges.com", true },
   { "med-otzyv.ru", true },
@@ -23678,11 +24486,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "meddelare.com", true },
   { "meddigital.com", false },
   { "mede-handover.azurewebsites.net", true },
+  { "medecine-esthetique-du-calaisis.fr", true },
   { "medeinos.lt", true },
   { "medellinapartamentos.com", true },
   { "medexpress.co.uk", true },
   { "medhy.fr", true },
-  { "medi-link.co.il", true },
   { "medi.com.br", true },
   { "media-credit.eu", true },
   { "media-instance.ru", true },
@@ -23693,7 +24501,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mediaarea.net", true },
   { "mediabackoffice.co.jp", true },
   { "mediablaster.com", true },
-  { "mediabm.jp", true },
+  { "mediabogen.net", true },
   { "mediaburst.co.uk", true },
   { "mediadex.be", true },
   { "mediaexpert.fr", true },
@@ -23707,9 +24515,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "medialab.nrw", true },
   { "mediamarkt.pl", true },
   { "mediapart.fr", true },
+  { "mediapath.gr", true },
   { "mediarithmics.com", true },
   { "mediarithmics.io", true },
-  { "mediarocks.de", true },
   { "mediaselection.eu", true },
   { "mediathekview.de", true },
   { "mediationculturelleclp.ch", true },
@@ -23729,12 +24537,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "medicareinfo.org", true },
   { "medicinesfast.com", false },
   { "medicinia.com.br", true },
+  { "medicm.jp", true },
   { "medicocompetente.it", true },
   { "medicoresponde.com.br", true },
   { "medienweite.de", true },
   { "medifi.com", true },
   { "medigap-quote.net", true },
   { "medik8.com.cy", true },
+  { "medikalakademi.com.tr", true },
   { "medikuma.com", true },
   { "medino.com", true },
   { "medinside.ch", true },
@@ -23786,7 +24596,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "meeusen-usedcars.be", true },
   { "meeztertom.nl", true },
   { "meg-a-bounce.co.uk", true },
-  { "mega-aukcion.ru", true },
   { "mega-byte.nl", true },
   { "mega-feeling.de", true },
   { "mega.co.nz", true },
@@ -23795,12 +24604,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "megabounce.co.uk", true },
   { "megabounceni.co.uk", true },
   { "megabouncingcastles.com", true },
+  { "megafilmesplay.net", true },
   { "megaflowers.ru", true },
   { "megagifs.de", true },
   { "megainflatables.co.uk", true },
   { "megakoncert90.cz", true },
-  { "megamarkey.de", true },
   { "megamisja.pl", true },
+  { "megamp3.eu", true },
   { "meganandmarc.us", true },
   { "meganreel.com", false },
   { "megapixel.cz", true },
@@ -23811,6 +24621,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "megasslstore.com", true },
   { "megauction.tk", true },
   { "megaxchange.com", true },
+  { "meggidesign.com", true },
   { "mego.cloud", true },
   { "megumico.net", true },
   { "megustariasaber.com", true },
@@ -23824,28 +24635,35 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mehr-schulferien.de", true },
   { "mehrleben.at", true },
   { "mehrwert.de", true },
+  { "meia.ir", true },
   { "meierhofer.net", true },
   { "meikan.moe", true },
   { "meillard-auto-ecole.ch", true },
   { "meilleur.info", true },
+  { "meimeistartup.com", true },
   { "mein-kuechenhelfer.de", true },
   { "mein-muehlhausen.bayern", true },
   { "mein-webportal.de", true },
   { "meinbetriebsrat24.de", true },
   { "meincenter-meinemeinung.de", true },
   { "meincoach.at", true },
+  { "meine-cloud-online.de", true },
   { "meine-email-im.net", true },
   { "meine-finanzanalyse.de", true },
   { "meine-immofinanzierung.de", true },
-  { "meine-plancha.ch", true },
   { "meinezwangsversteigerung.de", true },
   { "meinstartinsleben.com", true },
   { "meinstartinsleben.de", true },
   { "meintragebaby.de", true },
   { "meinv.asia", true },
+  { "meiodomato.com.br", true },
   { "meiqia.cn", true },
   { "meiqia.com", true },
+  { "meisterlabs.com", true },
+  { "meistertask.com", true },
   { "meitan.gz.cn", true },
+  { "meizitang.es", true },
+  { "mekatro.tech", true },
   { "mekatrotekno.com", true },
   { "mekesh.com", true },
   { "mekesh.net", true },
@@ -23867,7 +24685,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "melissaadkins.com", true },
   { "melissaauclaire.com", true },
   { "melissameuwszen.nl", true },
-  { "melitopol.co.ua", true },
+  { "mellitus.org", true },
   { "melnessgroup.com", true },
   { "melnikov.ch", true },
   { "melodicprogressivehouse.com", true },
@@ -23905,7 +24723,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "menielias.com", true },
   { "menkyo-blog.com", true },
   { "mennace.com", true },
-  { "menntagatt.is", true },
   { "menole.com", true },
   { "menole.de", true },
   { "menole.net", true },
@@ -23914,6 +24731,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mensagensaniversario.com.br", true },
   { "mensagensdeconforto.com.br", true },
   { "mensagensperfeitas.com.br", true },
+  { "mensarena.gr", true },
   { "mensch-peter.me", true },
   { "mentalhealthmn.org", true },
   { "mentaltraining-fuer-musiker.ch", true },
@@ -23921,24 +24739,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mentorithm.com", true },
   { "mentz.info", true },
   { "menudieta.com", true },
+  { "menuel.me", true },
   { "menuonlineordering.com", true },
-  { "menzel-motors.com", true },
   { "menzietti.it", true },
   { "mephedrone.org", true },
   { "meps.net", true },
   { "mer.gd", true },
   { "merakilp.com", true },
   { "meransuedtirol.com", true },
-  { "meraseo.com", true },
   { "mercadobitcoin.com.br", true },
   { "mercadobitcoin.net", true },
   { "mercadoleal.com.br", true },
   { "mercadopago.com", true },
+  { "mercamaris.es", true },
   { "mercari.com", true },
   { "mercedes-benz.io", true },
   { "mercedes-ig.de", true },
   { "mercedespartscenter.com", true },
   { "merchant-automotive.com", true },
+  { "merchcity.com", true },
   { "mercier-auto.com", true },
   { "mercier-cars.co.uk", true },
   { "mercredifiction.io", true },
@@ -23948,6 +24767,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "meremobil.dk", true },
   { "merenbach.com", true },
   { "merenita.com", true },
+  { "merenita.eu", true },
   { "merenita.net", true },
   { "merenita.nl", true },
   { "meric-graphisme.info", true },
@@ -23972,6 +24792,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mesappros.com", true },
   { "mescaline.com", true },
   { "mescaline.org", true },
+  { "mesec.cz", true },
   { "mesh.gov", true },
   { "meshok.info", true },
   { "mesicka.com", true },
@@ -24005,9 +24826,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "metasquare.nyc", true },
   { "metasysteminfo.com", true },
   { "metaurl.io", true },
+  { "metavetted.com", true },
   { "metaword.com", true },
   { "metaword.net", true },
   { "metaword.org", true },
+  { "metebalci.com", false },
   { "meteenonline.nl", true },
   { "meteo-parc.com", true },
   { "meteo-r.ovh", true },
@@ -24024,6 +24847,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "meteorologiaenred.com", true },
   { "meteosherbrooke.com", true },
   { "meteosmit.it", true },
+  { "meter.md", true },
   { "meterhost.com", true },
   { "methamphetamine.co.uk", true },
   { "methylone.com", true },
@@ -24036,6 +24860,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "metrolush.com", true },
   { "metron-eging.com", true },
   { "metron-networks.com", true },
+  { "metron-online.com", true },
   { "metronaut.de", true },
   { "metropop.ch", true },
   { "metsasta.com", true },
@@ -24052,13 +24877,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mexicom.org", true },
   { "meyash.co", true },
   { "mf-fischer.de", true },
-  { "mfacko.cz", true },
   { "mfen.de", true },
   { "mfgusa.com", true },
   { "mfits.co.uk", true },
   { "mflodin.se", true },
   { "mfxbe.de", true },
-  { "mfz.mk", true },
+  { "mfxxx.cn", true },
   { "mgi.gov", true },
   { "mgknet.com", true },
   { "mglink.be", true },
@@ -24074,13 +24898,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mheistermann.de", true },
   { "mhermans.nl", true },
   { "mhi.web.id", true },
-  { "mhjuma.com", true },
   { "mhmfoundationrepair.com", true },
   { "mi-beratung.de", true },
   { "mi-so-ji.com", true },
   { "mi80.com", true },
   { "miadennees.com", true },
   { "miagexport.com", true },
+  { "mialquilerdecoches.com", true },
   { "miaonagemi.com", true },
   { "miaoubox.com", true },
   { "miaowo.org", true },
@@ -24098,7 +24922,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "michaelasawyer.com", true },
   { "michaelband.co", true },
   { "michaelband.com", true },
-  { "michaelcullen.name", true },
   { "michaeleichorn.com", true },
   { "michaelhrehor.com", true },
   { "michaeliscorp.com", true },
@@ -24122,12 +24945,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "michal-s.net", true },
   { "michal-spacek.com", true },
   { "michal-spacek.cz", true },
+  { "michaldudek.it", true },
+  { "michalpodraza.pl", true },
   { "michalspacek.com", true },
   { "michalspacek.cz", true },
   { "michalwiglasz.cz", true },
   { "michaonline.de", true },
   { "michel-wein.de", true },
+  { "michele.ml", true },
   { "michellavat.com", true },
+  { "michelskovbo.dk", true },
   { "michiganstateuniversityonline.com", true },
   { "michiganunionoptout.com", true },
   { "michmexguides.com.mx", true },
@@ -24135,39 +24962,46 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mickelvaessen.com", true },
   { "micomi.co", true },
   { "miconcinemas.com", true },
+  { "micopal.com", true },
   { "micr.io", true },
   { "micr0lab.org", true },
   { "microbiote-insectes-vecteurs.group", true },
   { "microco.sm", true },
   { "microcomploja.com.br", true },
   { "microdots.de", true },
+  { "microfonejts.com.br", true },
   { "microlinks.org", true },
   { "microlog.org", true },
   { "micromata.de", true },
+  { "micromind.io", true },
+  { "microneedlingstudio.se", true },
   { "microsoftaffiliates.azurewebsites.net", true },
   { "microvb.com", true },
+  { "microwesen.de", true },
   { "microzubr.com", true },
   { "midair.io", true },
   { "midasjewellery.com.au", true },
+  { "midcarolinaregionalairport.com", true },
+  { "midcarolinaregionalairport.org", true },
   { "midgawash.com", true },
   { "midislandrealty.com", true },
+  { "midistop.org", true },
   { "midkam.ca", true },
   { "midlandgate.de", true },
   { "midlandleisuresales.co.uk", true },
   { "midlandroofingri.com", true },
   { "midlandsfundays.co.uk", true },
   { "midlandsphotobooths.co.uk", true },
-  { "midlgx.com", true },
   { "midnight-visions.de", true },
   { "midnightmango.co.uk", true },
   { "midnightmango.de", true },
   { "midnightmechanism.com", true },
   { "midrandplumber24-7.co.za", true },
+  { "midress.club", true },
   { "midstatebasement.com", true },
   { "midtowndentistry.com", true },
   { "midwestbloggers.org", true },
   { "midwestplus.com", true },
-  { "midweststructuralrepair.com", true },
   { "miegl.com", true },
   { "miembarcacion.com", true },
   { "miemus.eu", true },
@@ -24181,6 +25015,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "miguel.pw", true },
   { "migueldemoura.com", true },
   { "migueldominguez.ch", true },
+  { "miguelgaton.es", true },
   { "miguelmartinez.ch", true },
   { "miguelmenendez.pro", true },
   { "miguelmoura.com", true },
@@ -24190,7 +25025,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mijcorijneveld.nl", true },
   { "mijn-financien.be", true },
   { "mijnavg.eu", true },
-  { "mijnetickets.nl", false },
   { "mijnetz.nl", true },
   { "mijnkerstkaarten.be", true },
   { "mijnkinderkleding.com", true },
@@ -24221,6 +25055,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mikevesch.com", true },
   { "mikewest.org", true },
   { "mikewillia.ms", true },
+  { "mikewrites.online", true },
   { "mikewritesstuff.com", true },
   { "mikeybailey.org", true },
   { "mikhirev.ru", true },
@@ -24236,23 +25071,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mikonmaa.fi", true },
   { "mikropixel.de", true },
   { "mikroskeem.eu", true },
-  { "miku.cloud", true },
-  { "miku.party", true },
   { "mikumaycry.com", true },
-  { "mikumiku.stream", true },
   { "mikupic.com", true },
   { "mikywow.eu", true },
   { "mil-spec.ch", true },
   { "mil0.com", true },
+  { "milakirschner.de", true },
   { "milania.de", true },
   { "milanpala.cz", false },
   { "milanstephan.de", true },
   { "milcahsmusings.com", true },
+  { "milchbuchstabe.de", true },
   { "mileme.com", true },
   { "milenaria.es", true },
   { "milesapart.dating", true },
   { "milhoazul.com.br", true },
   { "milionshop.sk", true },
+  { "milkameglepetes.hu", true },
   { "milkandcookies.ca", true },
   { "milkingit.co.uk", true },
   { "milktea.info", true },
@@ -24261,76 +25096,34 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "milldyke.nl", true },
   { "millefleurs.eu", true },
   { "millennium-thisiswhoweare.net", true },
+  { "millenniumstem.org", true },
   { "millenniumweb.com", false },
   { "millersminibarns.com", true },
   { "millettable.com", true },
   { "millhousenchurch.com", true },
-  { "million5.com", true },
-  { "million6.com", true },
-  { "million8.com", true },
   { "millionairegames.com", true },
   { "millions1.com", true },
-  { "millions11.com", true },
-  { "millions13.com", true },
-  { "millions14.com", true },
-  { "millions15.com", true },
-  { "millions16.com", true },
-  { "millions17.com", true },
-  { "millions19.com", true },
-  { "millions20.com", true },
-  { "millions22.com", true },
-  { "millions28.com", true },
-  { "millions29.com", true },
-  { "millions31.com", true },
   { "millions32.com", true },
-  { "millions33.com", true },
-  { "millions35.com", true },
-  { "millions36.com", true },
-  { "millions37.com", true },
-  { "millions38.com", true },
-  { "millions39.com", true },
-  { "millions40.com", true },
-  { "millions41.com", true },
-  { "millions42.com", true },
-  { "millions43.com", true },
-  { "millions5.com", true },
-  { "millions50.com", true },
   { "millions51.com", true },
   { "millions52.com", true },
   { "millions53.com", true },
-  { "millions55.com", true },
-  { "millions56.com", true },
   { "millions57.com", true },
-  { "millions58.com", true },
-  { "millions59.com", true },
-  { "millions6.com", true },
   { "millions60.com", true },
-  { "millions61.com", true },
-  { "millions62.com", true },
-  { "millions63.com", true },
-  { "millions66.com", true },
-  { "millions7.com", true },
-  { "millions70.com", true },
-  { "millions71.com", true },
-  { "millions72.com", true },
   { "millions77.com", true },
   { "millions8.com", true },
-  { "millions80.com", true },
-  { "millions81.com", true },
-  { "millions82.com", true },
-  { "millions88.com", true },
-  { "millions9.com", true },
-  { "millions99.com", true },
   { "millistream.com", true },
+  { "milnes.org", true },
   { "milsonhypnotherapyservices.com", true },
   { "mim.am", true },
   { "mimemo.io", true },
   { "mimemoriadepez.com", true },
   { "mimeo.digital", true },
   { "mimithedog.com", true },
-  { "mimobile.website", true },
+  { "mimmog.it", true },
   { "mimocad.io", true },
   { "mimovrste.com", true },
+  { "mimusic.cf", true },
+  { "min-datorsupport.se", true },
   { "min-sky.no", true },
   { "minakov.pro", true },
   { "minakova.pro", true },
@@ -24339,12 +25132,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "minaprine.com", true },
   { "mind-box.ch", true },
   { "mind-hochschul-netzwerk.de", true },
-  { "mind-moves.es", true },
-  { "mindbodytherapymn.com", true },
+  { "mindatasupport.nu", true },
+  { "mindatasupport.se", true },
+  { "mindatorsupport.se", true },
   { "mindcoding.ro", true },
   { "mindercasso.nl", true },
   { "mindfactory.de", true },
   { "mindleaking.org", true },
+  { "mindmeister.com", true },
   { "mindoktor.se", false },
   { "mindorbs.com", true },
   { "mindox.com.br", true },
@@ -24357,12 +25152,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "minecraft-server.eu", true },
   { "minecraftforum.de", true },
   { "minecraftforum.ovh", true },
-  { "minecraftjson.com", true },
+  { "minecraftjson.com", false },
   { "minecraftstal.com", true },
   { "minehattan.de", true },
   { "minehub.de", true },
-  { "minei.me", true },
   { "minenash.com", true },
+  { "minepack.net", true },
   { "minepay.net", true },
   { "minepic.org", true },
   { "minepod.fr", true },
@@ -24374,7 +25169,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "minf3-games.de", true },
   { "minfin.gov.ua", true },
   { "mingky.net", true },
-  { "mingming.info", true },
   { "mingram.net", true },
   { "mingtreerealty.com", true },
   { "mingwah.ch", true },
@@ -24393,28 +25187,28 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "minimbah.com.au", true },
   { "minimvc.com", true },
   { "miningtronics.com", true },
+  { "minisoft4u.ir", true },
   { "ministeriumfuerinternet.de", true },
   { "minitruckin.net", true },
   { "minitrucktalk.com", true },
-  { "miniwallaby.com", true },
+  { "minivaro.de", true },
   { "minkymoon.jp", true },
   { "minnesotakinkyyouth.org", true },
   { "minnesotamathcorps.org", true },
   { "minnesotareadingcorps.org", true },
   { "minnit.chat", true },
   { "minobar.com", true },
+  { "minorshadows.net", true },
   { "minpingvin.dk", true },
   { "minschuns.ch", true },
   { "mintclass.com", true },
   { "mintosherbs.com", true },
   { "mintrak2.com", true },
   { "mintse.com", true },
-  { "minu.link", true },
   { "minube.co.cr", true },
   { "minutashop.ru", true },
   { "minux.info", true },
   { "mipapo.de", true },
-  { "mipla.ch", true },
   { "miproximopaso.org", true },
   { "mipueblohoy.com", true },
   { "mipymesenlinea.com", true },
@@ -24437,8 +25231,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mirshak.com", true },
   { "mirtes.cz", true },
   { "mirtouf.fr", true },
+  { "misakacloud.net", true },
   { "misakiya.co.jp", true },
   { "misanci.cz", true },
+  { "mischak.net", true },
   { "misclick.nl", true },
   { "mishkovskyi.net", true },
   { "misinstrumentos.com", true },
@@ -24465,12 +25261,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "missualready.com", true },
   { "missyou.link", true },
   { "mistacms.com", true },
-  { "mister-cooks.fr", true },
   { "mister-matthew.de", true },
   { "mistreaded.com", true },
   { "mistybox.com", true },
   { "misupport.dk", true },
   { "misura.re", true },
+  { "misuzu.moe", true },
+  { "misxvenelantro.com", true },
   { "mit-dem-rad-zur-arbeit.de", true },
   { "mit-dem-rad-zur-uni.de", true },
   { "mit-uns.org", true },
@@ -24494,6 +25291,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mitsukabose.com", true },
   { "mittagonggardencentre.com.au", true },
   { "mittagonghomestead.com.au", true },
+  { "mittbolan.se", true },
   { "mittelunsachlich.de", true },
   { "mittenofficesystems.com", true },
   { "mitylite.com", true },
@@ -24510,6 +25308,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mivzaklive.co.il", true },
   { "miweb.cr", false },
   { "mixinglight.com", true },
+  { "mixmister.com", true },
   { "mixnshake.com", true },
   { "mixposure.com", true },
   { "mixrepairs.co.uk", true },
@@ -24524,11 +25323,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mizu.coffee", true },
   { "mizucoffee.net", true },
   { "mizuho-trade.net", true },
-  { "mizumax.me", true },
+  { "mizuhobank.co.id", true },
   { "mj420.com", true },
   { "mjacobson.net", true },
   { "mjanja.ch", true },
   { "mjasm.org", true },
+  { "mjec.net", true },
   { "mjlaurindo.pt", true },
   { "mjmedia.co.za", true },
   { "mjmnagy.info", true },
@@ -24548,6 +25348,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mkg-scherer.de", true },
   { "mkg-wiebelskirchen.de", true },
   { "mkhsoft.eu", true },
+  { "mkie.cf", true },
   { "mkimage.com", true },
   { "mkjl.ml", true },
   { "mkk.de", true },
@@ -24561,18 +25362,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mkset.ru", true },
   { "mktdigital.info", true },
   { "mktemp.org", true },
+  { "mkuznets.com", true },
   { "mlarte.com", true },
   { "mlcnfriends.com", true },
   { "mlemay.com", true },
-  { "mlfaw.com", true },
-  { "mlii.net", true },
   { "mlmjam.com", true },
   { "mlp.ee", true },
   { "mlpvector.club", true },
   { "mlundberg.se", true },
   { "mlvbphotography.com", true },
   { "mlytics.com", true },
-  { "mm13.at", true },
   { "mm404.com", true },
   { "mma-acareporting.com", true },
   { "mmalisz.com", true },
@@ -24586,11 +25385,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mms.is", true },
   { "mmt.my", true },
   { "mmucha.de", true },
-  { "mna7e.com", true },
   { "mncloud.de", true },
-  { "mncr.nl", true },
+  { "mnd.sc", true },
   { "mne.moe", true },
   { "mnedc.org", true },
+  { "mneerup.dk", true },
   { "mnemonic.ninja", true },
   { "mnguyen.io", true },
   { "mnitro.com", true },
@@ -24605,8 +25404,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mo.nl", true },
   { "mo2021.de", true },
   { "moa.moe", true },
+  { "moabpapier.de", true },
+  { "moabygg.se", true },
+  { "moahmo.com", true },
+  { "mobag.ru", false },
   { "mobal.com", true },
-  { "mobi4.tk", true },
+  { "mobi2go.com", true },
   { "mobidea.com", true },
   { "mobifinans.ru", true },
   { "mobil-bei-uns.de", true },
@@ -24641,6 +25444,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moc.ac", true },
   { "mocarps.hk", true },
   { "mochanstore.com", true },
+  { "mochiyuki.net", true },
   { "mockerel.com", true },
   { "mococo.co.uk", true },
   { "modaexecutiva.com.br", true },
@@ -24648,6 +25452,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "modafinil.wiki", true },
   { "modafo.com", true },
   { "modalogi.com", true },
+  { "modav.org", true },
   { "modcasts.video", true },
   { "modding-forum.com", true },
   { "modding-welt.com", true },
@@ -24673,28 +25478,32 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "modistry.com", true },
   { "modistryusercontent.com", true },
   { "modmountain.com", true },
+  { "modnitsa.info", true },
   { "modosaude.com.br", true },
   { "modul21.com", true },
   { "modul21.eu", true },
   { "module.market", true },
   { "modulex-gmbh.de", true },
   { "moe-max.jp", true },
-  { "moeali.com", true },
+  { "moebel-vergleichen.com", true },
   { "moechel.com", true },
   { "moeclue.com", true },
   { "moefactory.com", true },
   { "moehrke.cc", true },
   { "moekes.amsterdam", true },
   { "moeking.me", true },
-  { "moeli.org", true },
   { "moellers.systems", true },
+  { "moenew.top", true },
   { "moeqing.net", true },
   { "moetrack.com", true },
   { "moeyoo.net", true },
+  { "mofidmed.com", true },
   { "mofohome.dyndns.org", true },
+  { "mogooin.com", true },
   { "moha-swiss.com", true },
   { "mohanmekap.com", true },
   { "mohela.com", true },
+  { "mohr-maschinenservice.de", true },
   { "moin.jp", true },
   { "moipourtoit.ch", true },
   { "moipourtoit.com", true },
@@ -24707,12 +25516,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mojefedora.cz", true },
   { "mojilitygroup.com", true },
   { "mojizuri.com", true },
-  { "mojnet.eu", true },
-  { "mojnet.net", true },
   { "mojoco.co.za", true },
   { "mojzis.com", true },
   { "mojzis.cz", true },
   { "mojzisova.com", true },
+  { "mok.pw", true },
   { "mokeedev.review", true },
   { "mokhtarmial.com", false },
   { "mokote.com", true },
@@ -24721,6 +25529,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "molecularbiosystems.org", true },
   { "molinero.xyz", true },
   { "mollaretsmeningitis.org", true },
+  { "mollie.com", true },
+  { "molokai.org", true },
   { "molti.hu", true },
   { "molun.net", false },
   { "molunerfinn.com", true },
@@ -24729,7 +25539,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "momentum.photos", true },
   { "momentumdash.com", true },
   { "momirfarooq.com", true },
-  { "momjoyas.com", true },
   { "momo0v0.club", true },
   { "momozeit.de", true },
   { "momstableonline.com", true },
@@ -24748,7 +25557,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "monarchcleanersnc.com", true },
   { "monbudget.org", true },
   { "moncoach.ch", true },
-  { "mondedesnovels.com", true },
   { "mondedie.fr", true },
   { "mondial-movers.nl", true },
   { "mondo-it.ch", true },
@@ -24770,16 +25578,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "monix.io", true },
   { "monkay.de", true },
   { "monkeybusiness.agency", true },
-  { "monkeydust.net", true },
   { "monkeyhill.us", true },
   { "monkeytek.ca", true },
   { "monkieteel.com", true },
   { "monlabs.com", true },
   { "monloyer.quebec", true },
   { "monnyonle.hu", true },
-  { "mono.cafe", false },
+  { "mono.cafe", true },
   { "mono0x.net", true },
   { "monobank.no", true },
+  { "monobunt.at", true },
   { "monodukuri.com", true },
   { "monokoo.com", true },
   { "monolithapps.com", true },
@@ -24793,6 +25601,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "monpermisvoiture.com", true },
   { "monpetitforfait.com", true },
   { "monpetitmobile.com", true },
+  { "monsieurbureau.com", true },
   { "monsieursavon.ch", true },
   { "monstermashentertainments.co.uk", true },
   { "monsterx.cn", true },
@@ -24807,6 +25616,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "montemanik.com", true },
   { "montenero.pl", true },
   { "montessori.edu.vn", true },
+  { "montgomeryfirm.com", true },
   { "montgomerysoccer.net", true },
   { "montopolis.com", true },
   { "montpreveyres.ch", true },
@@ -24829,10 +25639,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moonchart.co.uk", true },
   { "moondrop.org", true },
   { "moonkin.eu", true },
-  { "moonlightcapital.ml", true },
   { "moonmelo.com", true },
   { "moonraptor.co.uk", true },
   { "moonraptor.com", true },
+  { "moonrhythm.io", true },
   { "moonshyne.org", true },
   { "moontaj.com", true },
   { "moonvpn.org", true },
@@ -24848,13 +25658,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moosmann-moehrle.de", true },
   { "moot-info.co.za", true },
   { "moovablestorage.com", true },
+  { "mop321.com", true },
   { "moparcraft.net", true },
   { "moparisthebest.com", true },
   { "moparisthebest.net", true },
   { "moparisthebest.org", true },
   { "moparscape.net", true },
   { "mopedreifen.de", false },
+  { "mopie.de", true },
   { "mople71.cz", true },
+  { "moplx.com", true },
   { "moppeleinhorn.de", true },
   { "moppy.org", true },
   { "morbatex.com", true },
@@ -24864,10 +25677,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "morbotron.com", true },
   { "morchino.ch", true },
   { "morchstore.com", true },
+  { "mordrum.com", true },
   { "more-hikkoshi.com", true },
   { "more-terrain.de", true },
   { "moreal.co", true },
-  { "moreapp.co.uk", true },
   { "moreniche.com", true },
   { "morepablo.com", true },
   { "morepay.cn", true },
@@ -24879,7 +25692,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "morgansjewelerspv.com", true },
   { "morgansleisure.co.uk", true },
   { "morgner.com", true },
-  { "morhys.com", true },
   { "moritz-baestlein.de", true },
   { "moritztremmel.de", true },
   { "moriz.de", true },
@@ -24909,7 +25721,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mosshi.be", true },
   { "mosstier.com", true },
   { "mostholynameofjesus.org", true },
-  { "mostlikelyto.fail", true },
   { "mostlyoverhead.com", true },
   { "motd.ch", true },
   { "motd.today", true },
@@ -24920,11 +25731,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "motekmedical.com", true },
   { "motekmedical.eu", true },
   { "motekmedical.nl", true },
+  { "motekrysen.com", true },
   { "moteksystems.com", true },
   { "motezazer.fr", true },
   { "mothereff.in", false },
   { "motifstudio.com.ua", true },
   { "motionless.nl", true },
+  { "motionvideos.uk", true },
   { "motiweb.fr", true },
   { "motocollection.pl", true },
   { "motohell.com", true },
@@ -24939,6 +25752,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "motostorie.blog", false },
   { "motovated.co.nz", true },
   { "motowilliams.com", true },
+  { "motransportinfo.com", true },
   { "motstats.co.uk", true },
   { "moulinaparoles.ca", true },
   { "mountain-rock.ru", true },
@@ -24947,11 +25761,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mountainroseherbs.com", true },
   { "mountainspringsrentals.ca", true },
   { "mountfarmer.de", true },
-  { "mousemessages.com", true },
+  { "mousepotato.uk", true },
   { "moutiezhaller.com", true },
   { "movacare.de", true },
   { "move.mil", true },
-  { "moveisfit.com.br", true },
+  { "moveltix.net", true },
   { "movember.com", false },
   { "movewellnesslab.com", true },
   { "movie-cross.net", true },
@@ -24962,10 +25776,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moviedeposit.com", true },
   { "moviefreeze.com", true },
   { "movieguys.org", true },
-  { "movienized.de", true },
   { "moviepilot.com", true },
   { "moviesetc.net", true },
-  { "moviespur.info", false },
   { "moviko.nz", true },
   { "movil.uno", true },
   { "moviltronix.com", true },
@@ -24977,7 +25789,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "moy.cat", true },
   { "moyer.pub", true },
   { "moylen.eu", true },
-  { "moyoo.net", true },
+  { "moysovet.info", false },
   { "mozartgroup.hu", true },
   { "mozektevidi.net", true },
   { "mozilla.cz", true },
@@ -24988,10 +25800,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mpcompliance.com", true },
   { "mpetroff.net", true },
   { "mpg-universal.com", true },
-  { "mpg.ovh", true },
   { "mpgaming.pro", true },
-  { "mphoto.at", true },
-  { "mpintaamalabanna.it", true },
+  { "mphwinkel.nl", true },
   { "mpkrachtig.nl", true },
   { "mpkshop.com.br", true },
   { "mplanetphl.fr", true },
@@ -24999,19 +25809,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mplicka.cz", true },
   { "mplusm.eu", true },
   { "mpnpokertour.com", true },
-  { "mpodraza.pl", true },
   { "mprsco.eu", true },
   { "mpsgarage.com.au", true },
   { "mpsoundcraft.com", true },
   { "mpu-vorbereitung.com", true },
-  { "mpy.ovh", true },
   { "mr-anderson.org", true },
   { "mr-designer-oman.com", true },
-  { "mr-labo.jp", true },
   { "mr-nachhilfe.de", true },
   { "mr-wolf.nl", false },
-  { "mr3.io", true },
-  { "mrazek.biz", true },
   { "mrbmafrica.com", true },
   { "mrbounce.com", true },
   { "mrbouncescrazycastles.co.uk", true },
@@ -25025,6 +25830,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mrevolution.eu", true },
   { "mrgasfires.co.uk", true },
   { "mrgiveaways.com", true },
+  { "mrhc.ru", true },
+  { "mrhookupsd.com", true },
   { "mrinalpurohit.in", true },
   { "mrjhnsn.com", true },
   { "mrjooz.com", true },
@@ -25046,7 +25853,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mrv.li", true },
   { "mrx.one", true },
   { "mrxn.net", true },
-  { "ms-alternativ.de", true },
   { "ms-ch.ch", true },
   { "ms-host.fr", true },
   { "msa-aesch.ch", true },
@@ -25064,7 +25870,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "msmails.de", true },
   { "msno.no", true },
   { "msnr.net", true },
-  { "msopopop.cn", true },
   { "mspsocial.net", true },
   { "msquadrat.de", true },
   { "msroot.de", true },
@@ -25082,13 +25887,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mt-bank.jp", true },
   { "mt.search.yahoo.com", false },
   { "mt2414.com", true },
+  { "mta.fail", true },
   { "mta.org.ua", true },
   { "mtane0412.com", true },
   { "mtasa.com", true },
   { "mtasa.hu", true },
   { "mtauburnassociates.com", true },
-  { "mtcq.jp", true },
+  { "mtb.wtf", true },
   { "mtd.org", true },
+  { "mteleport.net", true },
   { "mtg-tutor.de", true },
   { "mtgeni.us", true },
   { "mtgenius.com", true },
@@ -25103,6 +25910,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mtltransport.com", true },
   { "mtnz.co.za", true },
   { "mtouch.facebook.com", false },
+  { "mtravelers.net", true },
   { "mtrip.com", true },
   { "mtrock.ru", true },
   { "mts-energia.eu", true },
@@ -25110,7 +25918,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mtsolar.es", true },
   { "mu.search.yahoo.com", false },
   { "muabannhanh.com", false },
-  { "muahahahaha.co.uk", true },
   { "mubiflex.nl", true },
   { "muckingabout.eu", true },
   { "muckrack.com", true },
@@ -25119,14 +25926,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mud-status.de", true },
   { "mudbenesov.cz", true },
   { "mudcrab.us", false },
-  { "mudgezero.one", true },
   { "muehlemann.net", true },
   { "muel.io", true },
   { "muelhau.pt", true },
   { "muell-weg.de", true },
   { "muellapp.com", true },
   { "muenchberger.com", true },
-  { "muenzubi.de", true },
   { "mufibot.net", true },
   { "muguayuan.com", true },
   { "muh.io", true },
@@ -25141,6 +25946,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mulej.net", true },
   { "muling.lu", true },
   { "mullens-usedcars.be", true },
+  { "mullerimoveisrj.com.br", true },
   { "multi-vpn.biz", true },
   { "multibit.org", true },
   { "multibomasm.com.br", true },
@@ -25154,7 +25960,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "multimedia-pool.com", true },
   { "multiplayernow.com", true },
   { "multipleservers.com", true },
-  { "multiplexcy.com", true },
   { "multirep.ch", true },
   { "multiroom-streaming.de", true },
   { "multisite.ovh", true },
@@ -25171,11 +25976,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "munch.me", true },
   { "munchcorp.com", true },
   { "mundoarabe.com.br", true },
+  { "mundoconejos.com", true },
   { "mundodapoesia.com", true },
   { "mundodasmensagens.com", true },
+  { "mundogamers.top", true },
   { "mundokinderland.com.br", true },
   { "mundolarraz.es", true },
   { "mundomagicotv.com", true },
+  { "mundoperros.es", true },
+  { "mundotortugas.com", true },
   { "mundschenk.at", true },
   { "mundtec.com.br", true },
   { "munduch.cz", true },
@@ -25190,7 +25999,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "murashun.jp", true },
   { "muratore-roma.it", true },
   { "murfy.nz", true },
-  { "murgi.de", true },
   { "murmel.it", false },
   { "murof.com.br", true },
   { "murray.xyz", true },
@@ -25211,6 +26019,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "music-project.eu", true },
   { "music-world.pl", true },
   { "music.amazon.com", true },
+  { "musica.com", true },
   { "musicalive.nl", true },
   { "musicall.com", true },
   { "musicalschwarzenburg.ch", true },
@@ -25218,24 +26027,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "musicasbr.com.br", true },
   { "musicchris.de", true },
   { "musicdemons.com", true },
+  { "musicfromgod.com", true },
   { "musicgamegalaxy.de", true },
   { "musician.dating", true },
   { "musickhouseleveling.com", true },
   { "musicompare.com", true },
   { "musicschoolonline.com", true },
+  { "musicstudio.pro", true },
   { "musicwear.cz", true },
   { "musicworkout.de", true },
   { "musik-mentaltraining.ch", true },
+  { "musikholics.com", true },
   { "musikverein-elten.de", true },
   { "musikzentrale.net", true },
-  { "musique2nuit.com", true },
   { "musketonhaken.nl", false },
   { "muslim.singles", true },
   { "musmann.io", true },
   { "muspla.com", true },
   { "muspla.com.br", true },
   { "musselsblog.com", true },
-  { "mustafa.space", true },
   { "mustafaturhan.com", true },
   { "mustard.co.uk", true },
   { "mustardking.me", true },
@@ -25251,13 +26061,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "muthai.in.th", true },
   { "mutuals.cool", true },
   { "mutuelle.fr", true },
+  { "muunnin.net", true },
   { "muurlingoogzorg.nl", true },
-  { "muusika.fun", true },
   { "muusikoiden.net", true },
   { "muwatenraqamy.org", true },
   { "muz2u.ru", true },
   { "muzeumkomiksu.eu", true },
-  { "muzhijy.com", false },
+  { "muzhijy.com", true },
   { "muzikantine.nl", true },
   { "mv-schnuppertage.de", true },
   { "mv-wohnen.de", true },
@@ -25269,6 +26079,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mvp-stars.com", true },
   { "mw.search.yahoo.com", false },
   { "mwainc.org", true },
+  { "mwalz.com", true },
+  { "mwamitours.com", true },
   { "mware-staging.azurewebsites.net", true },
   { "mwavuli.co.ke", true },
   { "mwba.org", true },
@@ -25281,9 +26093,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mx.org.ua", true },
   { "mx.search.yahoo.com", false },
   { "mx5international.com", true },
+  { "mxdanggui.org", true },
   { "mxihan.xyz", true },
   { "mxn8.com", true },
-  { "mxp.tw", true },
   { "my-aftershave-store.co.uk", true },
   { "my-best-wishes.com", true },
   { "my-cdn.de", true },
@@ -25299,9 +26111,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "my-ip.work", true },
   { "my-new-bikini.de", true },
   { "my-nextcloud.at", true },
-  { "my-plancha.ch", true },
-  { "my-static-demo-808795.c.cdn77.org", true },
-  { "my-static-live-808795.c.cdn77.org", true },
   { "my-stuff-online.com", true },
   { "my.onlime.ch", false },
   { "my.usa.gov", false },
@@ -25334,11 +26143,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mybodylife.com", true },
   { "mybon.at", false },
   { "mybonfire.com", true },
+  { "myboothang.com", true },
   { "mybreastcancerjourney.com", true },
+  { "mybus.ro", true },
   { "mybusiness.wien", true },
   { "mycamda.com", true },
   { "mycard.moe", true },
   { "mycareersfuture.sg", true },
+  { "mycarwashers.com", true },
+  { "mycc.be", true },
   { "mycieokien.info", false },
   { "mycinema.pro", true },
   { "mycircleworks.com", true },
@@ -25352,15 +26165,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "myconnect.cn", true },
   { "myconsulting.ch", true },
   { "mycookrecetas.com", true },
+  { "mycoupons.com", true },
   { "mycr.eu", true },
-  { "mycreativeartsconsulting.com", true },
   { "mycreativenook.com", true },
   { "mycreditcardcenter.com", true },
   { "mycrypnet.io", true },
-  { "mycrypto.com", true },
+  { "mycrypto.com", false },
   { "mycrystalgrove.com", true },
+  { "mycuco.it", true },
   { "mycustomwriting.com", true },
   { "mydarkstar.net", true },
+  { "mydatadoneright.eu", true },
   { "mydaywebapp.com", true },
   { "mydebian.in.ua", true },
   { "mydentalplan.gr", true },
@@ -25374,15 +26189,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mydomaindesk.com", true },
   { "mydreamlifelab.com", true },
   { "mydreamshaadi.in", true },
-  { "mydrone.services", true },
   { "mydroneservices.ca", true },
   { "mydroneservices.com", true },
+  { "myduffyfamily.com", true },
   { "myeberspaecher.com", true },
   { "myeffect.today", true },
   { "myeisenbahn.de", true },
-  { "myeml.net", false },
   { "myetherwallet.com", true },
   { "myf.cloud", true },
+  { "myfae.eu", true },
   { "myfantasysportstalk.com", true },
   { "myfedloan.org", true },
   { "myfirenet.com", true },
@@ -25405,7 +26220,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mygoldennetwork.com", true },
   { "mygreatjobs.de", true },
   { "mygreatlakes.org", true },
-  { "mygreenrecipes.com", true },
   { "mygretchen.de", true },
   { "mygrotto.org", true },
   { "mygymer.ch", true },
@@ -25422,6 +26236,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "myipv4.de", true },
   { "myjudo.net", true },
   { "myjumparoo.co.uk", true },
+  { "myjumpsuit.de", true },
   { "myki.co", true },
   { "mykontool.de", true },
   { "mykumedir.com", true },
@@ -25432,6 +26247,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mylifeabundant.com", true },
   { "mylittlechat.ru", true },
   { "myliveupdates.com", true },
+  { "myloan.hk", true },
   { "mylookout.com", false },
   { "mylstrom.com", true },
   { "mylucknursinghome.com", true },
@@ -25452,6 +26268,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mymx.lu", true },
   { "myna.go.jp", true },
   { "mynameistavis.com", true },
+  { "myndcoin.com", true },
   { "mynetworkingbuddy.com", true },
   { "mynext.events", true },
   { "mynextmove.org", true },
@@ -25459,6 +26276,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mynook.info", false },
   { "mynortherngarden.com", true },
   { "myonline.hu", true },
+  { "myonline.store", true },
   { "myonlinevehicleinsurance.com", true },
   { "myoptumhealthcomplexmedical.com", true },
   { "myoptumhealthparentsteps.com", true },
@@ -25468,15 +26286,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "myownconference.cloud", true },
   { "myownconference.com", true },
   { "myownconference.com.ua", true },
-  { "myownconference.es", true },
   { "myownconference.pl", true },
-  { "myownconference.pt", true },
   { "myownconference.ru", true },
   { "myowndisk.com", true },
   { "myowndisk.net", true },
-  { "myownwebinar.com", true },
   { "mypaperdone.com", true },
+  { "mypartnernews.com", true },
   { "mypartybynoelia.es", true },
+  { "mypay.fr", true },
   { "mypayoffloan.com", true },
   { "mypcqq.cc", true },
   { "myperfecthome.ca", true },
@@ -25554,16 +26371,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "myriadof.com", true },
   { "myrig.com", true },
   { "myrig.net", true },
+  { "myrnabiondo.com.br", true },
   { "myrotvorets.center", true },
   { "myrotvorets.news", true },
   { "myrp.co", true },
+  { "mysber.ru", true },
   { "myschoolphoto.org", true },
   { "myseatime.com", true },
   { "mysecretcase.com", false },
   { "mysectools.org", true },
   { "myself5.de", true },
-  { "myseo.ga", true },
-  { "myserv.one", true },
   { "myservicearl.com", true },
   { "myseu.cn", true },
   { "mysexydate24.com", true },
@@ -25579,16 +26396,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "myspicer.com", true },
   { "mysqldump-secure.org", true },
   { "myssl.com", true },
-  { "mystatus24.com", false },
   { "mysteriouscode.io", true },
   { "mysterydata.com", true },
   { "mysterymind.ch", true },
+  { "mysterysear.ch", true },
   { "mystic-welten.de", true },
   { "mystickphysick.com", true },
   { "mysticplumes.com", true },
   { "mystorymonster.com", true },
   { "mystudycart.com", true },
-  { "mysupboard.de", true },
   { "myswissmailaddress.com", true },
   { "mytfg.de", true },
   { "mythemeshop.com", false },
@@ -25605,7 +26421,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mytty.net", true },
   { "mytuleap.com", false },
   { "mytun.com", true },
-  { "mytweeps.com", true },
   { "myulog.net", true },
   { "myunox.com", true },
   { "myupdatestar.com", true },
@@ -25621,6 +26436,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mywari.com", true },
   { "mywebmanager.co.uk", true },
   { "mywebpanel.eu", true },
+  { "mywebpanel.nl", true },
   { "myweddingaway.co.uk", true },
   { "myweddingreceptionideas.com", true },
   { "myworkinfo.com", false },
@@ -25633,6 +26449,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "mz-mz.net", true },
   { "mza.com", true },
   { "mzh.io", true },
+  { "mziulu.me", false },
   { "mzmtech.com", true },
   { "mznet.de", true },
   { "mzstatic.cc", true },
@@ -25648,20 +26465,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "n0paste.tk", false },
   { "n0psled.nl", true },
   { "n26.com", true },
+  { "n2diving.net", true },
   { "n2servers.com", true },
   { "n4v.eu", true },
   { "n5118.com", true },
   { "n6a.net", true },
+  { "n7.education", true },
   { "n8ch.net", true },
   { "n8mgt.com", true },
   { "n8nvi.com", true },
   { "n8solutions.net", true },
+  { "n8solutions.us", true },
   { "na-school.nl", true },
   { "naahgluck.de", true },
   { "naam.me", true },
   { "nabaleka.com", true },
   { "nabankco.com", true },
   { "nabidkamajetku.cz", true },
+  { "nabidkydnes.cz", true },
   { "nabytek-valmo.cz", true },
   { "nacfit.com", true },
   { "nachsendeauftrag.net", true },
@@ -25669,18 +26490,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nachtmuziek.info", true },
   { "nacin.com", true },
   { "nacktetatsachen.at", false },
-  { "nacktwanderfreunde.de", true },
   { "nacyklo.cz", true },
-  { "nadaquenosepas.com", true },
   { "nadejeproninu.cz", true },
   { "nadelholzkulturen.de", true },
   { "naders.com", true },
+  { "nadiafourcade-photographie.fr", true },
   { "nadine-chaudier.net", true },
   { "nadsandgams.com", true },
   { "nadyaolcer.fr", true },
   { "nafod.net", true },
   { "naga-semi.com", true },
-  { "nagajanroshiya.info", true },
   { "nagashi.ma", false },
   { "nagaya.biz", true },
   { "nagb.gov", true },
@@ -25691,6 +26510,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nah.nz", true },
   { "nah.re", true },
   { "nahura.com", true },
+  { "nai-job.jp", true },
   { "nailattitude.ch", true },
   { "nailchiodo.com", true },
   { "nailsalon-aztplus.com", true },
@@ -25702,15 +26522,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "najany.fr", true },
   { "najany.nl", true },
   { "najany.se", true },
+  { "najedlo.sk", true },
+  { "naji-astier.com", true },
   { "nakada4610.com", true },
   { "nakalabo.jp", true },
   { "nakama.tv", true },
   { "nakandya.com", true },
-  { "nakanishi-paint.com", true },
   { "nakayama.systems", true },
   { "nakedalarmclock.me", true },
   { "nakedtruthbeauty.com", true },
   { "nakene.com", true },
+  { "nakladki.su", true },
   { "nakliyat.name.tr", true },
   { "nakliyatsirketi.biz.tr", true },
   { "nako.no", true },
@@ -25741,12 +26563,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nandex.org", true },
   { "nange.cn", true },
   { "nange.co", true },
-  { "nani.io", true },
   { "nankiseamansclub.com", true },
   { "nannytax.ca", true },
+  { "nano.voting", true },
   { "nanofy.org", true },
   { "nanogi.ga", true },
+  { "nanogramme.fr", true },
+  { "nanollet.org", true },
   { "nanotechnologist.com", true },
+  { "nanotechnologysolutions.com.au", true },
   { "nanotechtorsion.com", true },
   { "nanovolt.nl", true },
   { "nanowallet.io", true },
@@ -25766,7 +26591,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "narakenkoland.net", true },
   { "naralogics.com", true },
   { "narardetval.se", true },
-  { "narazaka.net", true },
   { "narduin.xyz", true },
   { "narenderchopra.com", true },
   { "narfation.org", true },
@@ -25785,7 +26609,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nasbi.pl", true },
   { "nasbnation.com", false },
   { "nascio.org", true },
-  { "naseco.se", true },
   { "nashdistribution.com", true },
   { "nashikmatka.com", true },
   { "nashira.cz", true },
@@ -25793,14 +26616,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nashvillelidsurgery.com", true },
   { "nashzhou.me", true },
   { "nasrsolar.com", true },
-  { "nassi.me", true },
   { "nastoletni.pl", true },
   { "nataldigital.com", true },
   { "nataliedawnhanson.com", true },
+  { "natanaelys.com", false },
   { "natation-nsh.com", false },
-  { "natatorium.org", true },
   { "natchmatch.com", true },
-  { "natecraun.net", true },
   { "natgeofreshwater.com", true },
   { "nathaliebaron.ch", true },
   { "nathaliebaroncoaching.ch", true },
@@ -25810,8 +26631,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nathanaeldawe.com", true },
   { "nathancheek.com", false },
   { "nathankonopinski.com", true },
+  { "nathanmfarrugia.com", true },
   { "nathansmetana.com", true },
   { "nathumarket.com.br", true },
+  { "nation-contracting.com.hk", true },
+  { "nationalbank.gov", true },
+  { "nationalbanknet.gov", true },
   { "nationalcentereg.org", true },
   { "nationalcprfoundation.com", true },
   { "nationalcrimecheck.com.au", true },
@@ -25827,15 +26652,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nativs.ch", true },
   { "natlec.com", true },
   { "natsumihoshino.com", true },
+  { "natuerlichabnehmen.ch", true },
   { "natur.com", true },
   { "natura-sense.com", true },
+  { "naturalezafengshui.com", true },
   { "naturalfit.co.uk", true },
-  { "naturalhealthcures.net", true },
+  { "naturalhealthcures.net", false },
   { "naturalkitchen.co.uk", true },
   { "naturalspacesdomes.com", true },
   { "naturaum.de", true },
   { "nature-et-bio.fr", true },
-  { "nature-shots.net", true },
+  { "natureclaim.com", true },
   { "natureflo.net", true },
   { "naturesbest.co.uk", true },
   { "naturesorganichaven.com", true },
@@ -25845,13 +26672,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "naturline.com", true },
   { "naturtint.co.uk", true },
   { "natusvita.com.br", true },
+  { "natverkstekniker.se", true },
   { "naude.co", true },
+  { "naughty.audio", true },
+  { "naughtytoy.co.uk", true },
   { "nausicaahotel.it", true },
+  { "naut.ca", true },
   { "nautiljon.com", true },
   { "nautsch.de", true },
   { "navarralanparty.org", true },
   { "navdeep.ca", true },
-  { "navenlle.com", true },
   { "navienna.com", true },
   { "navient.com", true },
   { "navigate-it-services.de", false },
@@ -25861,8 +26691,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nayahe.ru", true },
   { "nayami64.xyz", true },
   { "nayanaas.com", true },
+  { "nayr.us", true },
   { "nazevfirmy.cz", true },
-  { "nazigol.com", true },
   { "nazukebanashi.com", true },
   { "nazuna.blue", true },
   { "nb.zone", true },
@@ -25924,34 +26754,35 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nbhorsetraining.com", true },
   { "nbib.gov", true },
   { "nbnnetwork.com", true },
-  { "nbp.com.pk", true },
   { "nbrain.de", true },
   { "nbrii.com", true },
   { "nbriresearch.com", true },
+  { "nbrown.us", true },
   { "nbur.co.uk", true },
   { "nc-beautypro.fr", true },
   { "nc-formation.fr", true },
   { "nc-network.io", true },
   { "nc99.co", true },
+  { "nca.ink", true },
   { "ncamarquee.co.uk", true },
   { "ncands.net", true },
-  { "ncaq.net", true },
   { "ncc-efm.com", true },
   { "ncc-efm.org", true },
   { "ncc-qualityandsafety.org", true },
   { "nccemail.net", true },
   { "ncdc.pt", true },
   { "ncea.net.au", true },
+  { "ncgt.se", true },
   { "nchangfong.com", true },
   { "nchponline.org", true },
   { "ncic.gg", true },
+  { "ncloud.freeddns.org", true },
   { "ncm-malerbetrieb.de", true },
   { "ncsc.gov.uk", true },
   { "ncsccs.com", true },
   { "ncstep.org", true },
   { "nctx.co.uk", true },
   { "ndarville.com", true },
-  { "ndatc.com", true },
   { "ndbt.com", true },
   { "ndcpolipak.com", true },
   { "ndeoffshore.com", true },
@@ -25963,10 +26794,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ndphp.org", true },
   { "ndpigskin.com", true },
   { "nds-helicopter.de", true },
+  { "ndum.ch", true },
   { "ndy.sex", true },
   { "ne-on.org", true },
   { "nea.gov", true },
-  { "nearbi.com.mx", true },
   { "nearby.in.th", true },
   { "neartothesky.com", true },
   { "neatous.cz", true },
@@ -25980,6 +26811,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nebra.io", true },
   { "nebracy.com", true },
   { "nebul.at", true },
+  { "nebula.exchange", true },
   { "nebulae.co", true },
   { "nebuluxcapital.com", true },
   { "necessaryandproportionate.net", true },
@@ -25988,10 +26820,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "necormansir.com", true },
   { "nectarleaf.com", true },
   { "nedcdata.org", true },
+  { "nederland.media", true },
+  { "nederlands-vastgoedfonds.nl", true },
   { "nedim-accueil.fr", true },
   { "nedlinin.com", true },
   { "nedraconsult.ru", true },
-  { "nedys.top", true },
   { "neecist.org", true },
   { "needemand.com", true },
   { "needstyle.ru", true },
@@ -26018,12 +26851,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "neillans.com", true },
   { "neilshealthymeals.com", true },
   { "neilwynne.com", true },
-  { "neio.uk", true },
   { "nejenpneu.cz", true },
   { "nejkasy.cz", true },
   { "nejlevnejsi-parapety.cz", true },
   { "neko-nyan-nuko.com", true },
   { "neko-nyan.org", true },
+  { "neko.ml", true },
   { "nekodex.net", true },
   { "nekolove.jp", true },
   { "nekomimi.pl", true },
@@ -26032,17 +26865,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nekowa.moe", true },
   { "nekusoul.de", true },
   { "nelhage.com", true },
-  { "nella-project.org", true },
-  { "nella.io", true },
-  { "nellacms.com", true },
-  { "nellacms.org", true },
-  { "nellafw.org", true },
   { "nemcd.com", true },
-  { "nemecl.eu", true },
   { "nemez.net", true },
   { "nemo.run", true },
   { "nemopan.com", true },
   { "nemopret.dk", true },
+  { "nemplex.com", true },
   { "nemplex.win", false },
   { "nems.no", true },
   { "nemumu.com", true },
@@ -26053,13 +26881,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "neobits.nl", true },
   { "neocities.org", true },
   { "neoclick.io", true },
+  { "neodigital.bg", true },
   { "neoedresources.org", true },
-  { "neoeliteconsulting.com", true },
   { "neohu.com", true },
   { "neojo.org", true },
-  { "neokobe.city", true },
   { "neolaudia.es", true },
-  { "neolink.dk", true },
   { "neonataleducationalresources.org", true },
   { "neonatalgoldenhours.org", true },
   { "neonknight.ch", true },
@@ -26068,15 +26894,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "neos.co.jp", true },
   { "neosdesignstudio.co.uk", true },
   { "neostralis.com", true },
-  { "neotist.com", true },
   { "neotiv.com", true },
-  { "neowa.tk", true },
   { "neowin.net", true },
   { "neowlan.net", true },
   { "neoxcrf.com", true },
   { "neoz.com.br", true },
   { "nepageeks.com", true },
   { "nepal-evolution.org", true },
+  { "nepezzano13.com", true },
   { "nephelion.org", true },
   { "nephy.jp", true },
   { "nepovolenainternetovahazardnihra.cz", true },
@@ -26084,6 +26909,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nepremicnine.click", true },
   { "nepremicnine.net", true },
   { "nepustil.net", false },
+  { "nerdca.st", true },
   { "nerdhouse.io", true },
   { "nerdmind.de", true },
   { "nerdoutstudios.tv", true },
@@ -26095,10 +26921,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nerot.eu", true },
   { "nerpa-club.ru", true },
   { "nerull7.info", true },
-  { "nerven.se", false },
+  { "nerven.se", true },
+  { "nesbase.com", true },
   { "nesolabs.com", true },
   { "nesolabs.de", true },
-  { "nesterov.pw", true },
   { "nestor.nu", true },
   { "neswec.org.uk", true },
   { "net-masters.pl", true },
@@ -26119,9 +26945,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "netbuzz.ru", true },
   { "netconnect.at", true },
   { "netcoolusers.org", true },
+  { "netd.at", true },
   { "netdex.co", true },
-  { "netducks.com", true },
-  { "netducks.space", true },
   { "netera.se", true },
   { "neteraser.de", true },
   { "netexem.com", true },
@@ -26137,8 +26962,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nethunter.top", true },
   { "netki.com", true },
   { "netlentes.com.br", true },
+  { "netlocal.ru", true },
   { "netmagicas.com.br", true },
   { "netmeister.org", true },
+  { "netnea.com", true },
   { "netnik.de", true },
   { "netnodes.net", true },
   { "netraising.com", false },
@@ -26155,6 +26982,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "netsparker.com.tr", true },
   { "netspeedia.net", true },
   { "netsphere.cz", true },
+  { "nettacompany.com.tr", true },
   { "nettamente.com", true },
   { "nette.org", true },
   { "nettegeschenke.de", true },
@@ -26162,8 +26990,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nettilamppu.fi", true },
   { "netto-service.ch", true },
   { "nettools.link", true },
-  { "nettopower.dk", true },
-  { "nettoyage.email", true },
   { "nettx.co.uk", true },
   { "netulo.com", true },
   { "netvizura.co.uk", true },
@@ -26190,20 +27016,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "netzwerkwerk.de", true },
   { "neuber.uno", true },
   { "neuflizeobc.net", true },
-  { "neuhaus-city.de", true },
   { "neurabyte.com", true },
   { "neurexcellence.com", true },
   { "neurobiology.com", true },
   { "neurochip.com", true },
   { "neurocny.cloud", true },
   { "neuroethics.com", true },
-  { "neurogroove.info", true },
   { "neurolab.no", true },
-  { "neuronasdigitales.com", true },
   { "neuropharmacology.com", true },
   { "neurostimtms.com", true },
   { "neurotransmitter.net", true },
   { "neurozentrum-zentralschweiz.ch", true },
+  { "neutein.com", true },
   { "neutralox.com", false },
   { "neuwal.com", true },
   { "neva.li", true },
@@ -26221,11 +27045,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "new-process.com", true },
   { "new-process.de", true },
   { "new-process.eu", true },
+  { "new-web-studio.com", true },
   { "new.travel.pl", true },
   { "newaccess.ch", true },
-  { "newbasemedia.us", true },
   { "newbietech.cn", false },
-  { "newborncryptocoin.com", false },
+  { "newborncryptocoin.com", true },
   { "newburybouncycastles.co.uk", true },
   { "newburyparkelectric.com", true },
   { "newburyparkelectrical.com", true },
@@ -26233,6 +27057,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "newburyparkexteriorlighting.com", true },
   { "newburyparklandscapelighting.com", true },
   { "newburyparkoutdoorlighting.com", true },
+  { "newcab.de", true },
   { "newcitygas.ca", true },
   { "newcityinfo.ch", true },
   { "newcitystudio.ch", true },
@@ -26258,8 +27083,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "newodesign.com", true },
   { "newposts.ru", true },
   { "newreleases.io", true },
-  { "news47ell.com", true },
-  { "newsa2.com", true },
+  { "newsgroups.io", true },
+  { "newsletteralerts.com", true },
   { "newsmotor.info", true },
   { "newspsychology.com", true },
   { "newstone-tech.com", true },
@@ -26269,8 +27094,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "newvehicle.com", true },
   { "nex.li", true },
   { "nex.sx", true },
+  { "nexd.com", true },
   { "nexicafiles.com", true },
-  { "nexril.net", true },
   { "next-web.ad.jp", true },
   { "next176.sk", true },
   { "next24.io", true },
@@ -26280,14 +27105,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nextcasino.com", true },
   { "nextcloud.co.za", true },
   { "nextcloud.com", true },
-  { "nextcloud.nerdpol.ovh", true },
+  { "nextcloud.li", true },
   { "nextclouddarwinkel.nl", true },
   { "nextevolution.co.uk", true },
   { "nextgen.sk", true },
   { "nextgencel.com", true },
   { "nextgenthemes.com", true },
   { "nextgreatmess.com", true },
-  { "nexthop.jp", true },
   { "nextiot.de", true },
   { "nextmbta.com", true },
   { "nextme.se", true },
@@ -26305,13 +27129,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "neyer-lorenz.de", true },
   { "nezrouge-est-vaudois.ch", true },
   { "nezrouge-geneve.ch", true },
+  { "nezvestice.cz", true },
   { "nf4.net", true },
   { "nf9q.com", true },
+  { "nfam.de", true },
   { "nfe-elektro.de", true },
   { "nfir.nl", true },
   { "nfl.dedyn.io", true },
   { "nfl.duckdns.org", true },
+  { "nflchan.org", true },
   { "nflmocks.com", true },
+  { "nfls.io", true },
   { "nflsic.org", true },
   { "nfpors.gov", true },
   { "nframe.io", true },
@@ -26321,14 +27149,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ngasembaru.com", true },
   { "ngc.gov", false },
   { "nghe.net", true },
+  { "ngi.eu", true },
   { "nginxconfig.com", true },
   { "nginxconfig.io", true },
   { "ngndn.jp", true },
   { "ngt.gr", true },
+  { "nguyenminhhung.com", true },
   { "ngvf.de", true },
   { "ngx.hk", true },
   { "ngxpkg.com", true },
-  { "nhccnews.org", true },
   { "nhchalton.com", true },
   { "nhdsilentheroes.org", true },
   { "nhgteam.hu", true },
@@ -26380,6 +27209,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "niclasreich.de", true },
   { "nicn.me", true },
   { "nico.st", true },
+  { "nicochinese.com", true },
   { "nicocourts.com", true },
   { "nicoknibbe.nl", true },
   { "nicoladixonrealestate.com", true },
@@ -26396,11 +27226,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nicolemathew.com", true },
   { "niconico.ooo", true },
   { "niconode.com", false },
+  { "nicoobook.com", true },
+  { "nicoobook.net", true },
   { "nicsezcheckfbi.gov", true },
   { "nicul.in", true },
   { "nidro.de", true },
   { "nidsuber.ch", true },
-  { "niduxcomercial.com", true },
   { "niederohmig.de", true },
   { "niehage.name", true },
   { "nielshoogenhout.be", true },
@@ -26422,6 +27253,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "niess.space", true },
   { "niesstar.com", true },
   { "nietzsche.com", true },
+  { "nieuwsberichten.eu", true },
   { "nieuwslagmaat.nl", true },
   { "nifc.gov", true },
   { "niftiestsoftware.com", true },
@@ -26429,6 +27261,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nigensha.co.jp", true },
   { "niggemeier.cc", true },
   { "nigger.racing", true },
+  { "niggo.eu", true },
   { "night2stay.cn", true },
   { "night2stay.com", true },
   { "night2stay.de", true },
@@ -26440,7 +27273,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nightmoose.org", true },
   { "nightsi.de", true },
   { "nightstand.io", true },
-  { "nigt.cf", true },
   { "nihon-no-sake.net", true },
   { "nihtek.in", true },
   { "nii2.org", true },
@@ -26457,19 +27289,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nikklassen.ca", true },
   { "niklas.pw", true },
   { "niklasbabel.com", true },
-  { "nikolasgrottendieck.com", true },
+  { "nikolainevalainen.fi", true },
   { "nikomo.fi", false },
   { "nikoninframe.co.uk", true },
   { "nikonlibrary.co.uk", true },
   { "nikonnps.co.uk", true },
   { "nikonpromotions.co.uk", true },
   { "nikonschool.co.uk", true },
-  { "nikz.in", true },
+  { "niktok.com", true },
   { "nil.gs", true },
   { "nil.mx", true },
   { "niles.xyz", true },
   { "nilrem.org", true },
   { "nimeshjm.com", true },
+  { "nimidam.com", true },
   { "nina-laaf.de", true },
   { "ninaforever.com", true },
   { "ninarinaldi.com.br", true },
@@ -26485,20 +27318,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ninfora.com", true },
   { "ninja-galerie.de", true },
   { "ninja-skillz.com", true },
+  { "ninjan.co", true },
   { "ninjaworld.co.uk", true },
   { "ninjio.com", true },
   { "ninov.de", true },
   { "nintendoforum.no", true },
   { "ninth.cat", true },
   { "ninthfloor.org", true },
+  { "ninverse.com", true },
   { "nipax.cz", true },
   { "nipe-systems.de", true },
   { "nipit.biz", true },
   { "nippon-oku.com", true },
+  { "nippon.fr", true },
   { "niqex.com", true },
   { "nirjonmela.com", true },
   { "nirjonmela.net", true },
   { "nirudo.me", true },
+  { "niscats.com", true },
   { "nissanofbismarckparts.com", true },
   { "nitifilter.com", true },
   { "nitix.games", true },
@@ -26511,7 +27348,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nitrous-networks.com", true },
   { "nitschinger.at", true },
   { "niu.moe", true },
-  { "nivi.ca", true },
   { "nix.black", true },
   { "nixonlibrary.gov", true },
   { "nixtest.net", true },
@@ -26523,7 +27359,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "njguardtraining.com", true },
   { "njilc.com", true },
   { "njpjanssen.nl", true },
-  { "njujb.com", true },
   { "nkapliev.org", true },
   { "nkforum.pl", true },
   { "nkinka.de", true },
@@ -26533,12 +27368,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nl3ehv.nl", true },
   { "nlap.ca", false },
   { "nlbewustgezond.nl", true },
+  { "nlegall.fr", true },
   { "nlfant.eu", true },
   { "nllboard.co.uk", true },
   { "nlleisure.co.uk", true },
   { "nlm.gov", true },
   { "nlt.by", false },
-  { "nmd.so", true },
   { "nmmlp.org", true },
   { "nmnd.de", true },
   { "nmontag.com", true },
@@ -26550,9 +27385,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "no-xice.com", true },
   { "no.search.yahoo.com", false },
   { "noagendahr.org", true },
+  { "noah-witt.com", true },
   { "noahjacobson.com", true },
   { "noahmodas.com.br", true },
   { "noahsaso.com", true },
+  { "noahwitt.me", true },
   { "nobitakun.com", true },
   { "nobledust.com", true },
   { "nobleparkapartments.com.au", true },
@@ -26560,20 +27397,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "noc.org", true },
   { "nocit.dk", true },
   { "nocks.com", true },
-  { "nocmd.com", true },
   { "nocs.cn", true },
-  { "nodalr.com", true },
   { "nodari.com.ar", true },
   { "nodariweb.com.ar", true },
+  { "nodecdn.net", true },
   { "nodecraft.com", true },
   { "nodejs.de", true },
   { "nodelia.com", true },
   { "nodesec.cc", true },
+  { "nodesonic.com", true },
+  { "nodespin.com", true },
   { "nodevops.com", true },
+  { "nodist.club", true },
   { "noeatnosleep.me", true },
   { "noedidacticos.com", true },
   { "noelclaremont.com", true },
   { "noellabo.jp", true },
+  { "noellimpag.me", true },
   { "noematic.space", true },
   { "noemax.com", true },
   { "noexec.org", true },
@@ -26602,18 +27442,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "noleggio-bagni-chimici.it", true },
   { "noma-film.com", true },
   { "nomadproject.io", true },
+  { "nomagic.software", true },
   { "nomenclator.org", true },
   { "nomesbiblicos.com", true },
   { "nomial.co.uk", true },
   { "nomifensine.com", true },
   { "nomsy.net", true },
-  { "nonabytes.xyz", true },
+  { "nonabytes.xyz", false },
   { "noname-ev.de", true },
   { "nonametheme.com", true },
   { "noncombatant.org", true },
   { "noob-box.net", true },
   { "noobow.me", true },
   { "noobswhatelse.net", true },
+  { "noobunbox.net", true },
   { "noodles.net.nz", true },
   { "noodplan.co.za", true },
   { "noodweer.be", true },
@@ -26621,7 +27463,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "noomist.com", true },
   { "noon-entertainments.com", true },
   { "noop.ch", true },
+  { "nooranevalainen.fi", true },
   { "noordsee.de", true },
+  { "noordwesthoekrit.nl", true },
   { "noorsolidarity.com", true },
   { "noortronic.com", true },
   { "nootronerd.com", true },
@@ -26631,8 +27475,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nopaynocure.com", true },
   { "norad.sytes.net", true },
   { "norbertschneider-music.com", true },
+  { "nord-restaurant-bar.de", true },
   { "nord-sud.be", true },
   { "nordakademie.de", true },
+  { "norden.eu.org", true },
   { "nordicirc.com", true },
   { "nordinfo.fi", true },
   { "nordlichter-brv.de", true },
@@ -26641,7 +27487,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nordseeblicke.de", true },
   { "nordwal.de", true },
   { "nordwaldzendo.de", true },
-  { "noreply.mx", true },
   { "norestfortheweekend.com", true },
   { "noret.com", true },
   { "norichanmama.com", true },
@@ -26661,6 +27506,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "northconsulting.fr", true },
   { "northcountykiaparts.com", true },
   { "northcreekresort.com", true },
+  { "northcreekresortblue.ca", true },
   { "northdakotahealthnetwork.com", true },
   { "northdevonbouncycastles.co.uk", true },
   { "northeastcdc.org", true },
@@ -26669,19 +27515,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "northerngate.net", true },
   { "northernhamsterclub.com", true },
   { "northernpage.com", true },
+  { "northernpowertrain.com", true },
   { "northernselfstorage.co.za", true },
   { "northfieldyarn.com", true },
   { "northokanaganbookkeeping.com", true },
   { "northpointoutdoors.com", true },
   { "northpole.dance", true },
+  { "northpost.is", true },
   { "northridgeelectrical.com", true },
   { "northumbriagames.co.uk", true },
   { "norys-escape.de", true },
   { "nos-medias.fr", true },
   { "nos-oignons.net", true },
   { "noscript.net", true },
+  { "noscura.nl", true },
   { "nosecrets.ch", true },
-  { "nosfermiers.com", true },
   { "noslite.nl", true },
   { "nospoint.cz", true },
   { "nosqlzoo.net", true },
@@ -26705,8 +27553,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "notcompletelycorrect.com", true },
   { "notepad.nz", true },
   { "noteskeeper.ru", true },
+  { "noticaballos.com", true },
   { "noticiasdehumor.com", true },
   { "notify.moe", true },
+  { "notigatos.es", true },
+  { "notilus.fr", true },
   { "notinglife.com", true },
   { "notjustvacs.com", true },
   { "notmybox.com", true },
@@ -26715,11 +27566,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "notofilia.com", true },
   { "notora.tech", true },
   { "notoriousdev.com", true },
-  { "notrecourrier.net", true },
+  { "nototema.com", true },
   { "notsafefor.work", true },
+  { "nottres.com", true },
   { "noudjalink.nl", true },
   { "noustique.com", true },
   { "nova-dess.ch", true },
+  { "nova-it.pl", true },
   { "nova-kultura.org", true },
   { "nova-wd.org.uk", true },
   { "nova.live", true },
@@ -26761,21 +27614,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "np.search.yahoo.com", false },
   { "npath.de", true },
   { "npcrcss.org", true },
+  { "nphrm.com", true },
   { "npmcdn.com", true },
   { "npregion.org", true },
   { "npsas.org", true },
   { "npw.net", true },
-  { "nqeshreviewer.com", true },
   { "nrd.li", true },
   { "nrdstd.io", true },
   { "nrev.ch", true },
   { "nrkn.fr", true },
   { "nrsweb.org", true },
+  { "nrvn.cc", false },
   { "ns-frontier.com", true },
   { "ns2servers.pw", true },
   { "nsa.lol", true },
-  { "nsa.ovh", true },
-  { "nsa.wtf", true },
   { "nsapwn.com", true },
   { "nsboston.org", true },
   { "nsboutique.com", true },
@@ -26799,25 +27651,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ntags.org", true },
   { "ntcoss.org.au", true },
   { "nte.email", true },
-  { "nth.sh", true },
   { "nti.de", true },
   { "ntia.gov", true },
+  { "ntlabs.org", true },
   { "ntotten.com", true },
   { "ntppool.org", false },
   { "ntsb.gov", true },
   { "ntwt.us", true },
   { "ntx360grad-fallakte.de", true },
   { "ntzwrk.org", true },
-  { "nu3.com", true },
-  { "nu3.dk", true },
-  { "nu3.fi", true },
-  { "nu3.no", true },
-  { "nu3.se", true },
   { "nu3tion.com", true },
   { "nu3tion.cz", true },
   { "nuacht.ie", true },
   { "nuamooreaindonesia.com", true },
-  { "nubella.com.au", true },
   { "nubu.at", true },
   { "nuclea.id", true },
   { "nuclea.site", true },
@@ -26828,6 +27674,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nuevaimagenpublicidad.es", true },
   { "nuffield.nl", true },
   { "nugdev.co", true },
+  { "nukleosome.com", true },
   { "null-life.com", true },
   { "nullday.de", true },
   { "nulle-part.org", true },
@@ -26847,7 +27694,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "numero1.ch", true },
   { "numerologist.com", true },
   { "numerossanos.com.ar", true },
-  { "numis.tech", true },
   { "numismed-seniorcare.de", true },
   { "numwave.nl", true },
   { "nunesgh.com", true },
@@ -26858,6 +27704,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nuovaelle.it", true },
   { "nuquery.com", true },
   { "nur.berlin", true },
+  { "nureg.club", true },
+  { "nureg.net", true },
+  { "nureg.xyz", true },
   { "nuriacamaras.com", true },
   { "nursejj.com", true },
   { "nurseone.ca", true },
@@ -26865,14 +27714,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nursingschool.network", true },
   { "nuryahan.com.br", true },
   { "nussadoclub.org", true },
+  { "nut.services", true },
   { "nutikell.com", true },
   { "nutleyeducationalfoundation.org", true },
   { "nutleyef.org", true },
   { "nutonic-sports.com", true },
   { "nutpanda.com", true },
   { "nutra-creations.com", true },
+  { "nutrafitsuplementos.com.br", true },
   { "nutri-spec.me", true },
-  { "nutricaovegana.com", true },
   { "nutriciametabolics-shop.de", true },
   { "nutridieta.com", true },
   { "nutripedia.gr", true },
@@ -26881,6 +27731,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nutrivisa.com.br", true },
   { "nuvechtdal.nl", true },
   { "nuvini.com", true },
+  { "nuvospineandsports.com", true },
   { "nuxer.fr", true },
   { "nv.gw", true },
   { "nve-qatar.com", true },
@@ -26894,6 +27745,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nwerc.party", true },
   { "nwgh.org", false },
   { "nwimports.com", true },
+  { "nwitt.us", true },
   { "nwk1.com", true },
   { "nwperformanceandoffroad.com", true },
   { "nwr-waffenbuch.de", true },
@@ -26909,14 +27761,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nyadora.moe", true },
   { "nyan.it", true },
   { "nyan.stream", true },
-  { "nyanco.space", true },
   { "nyansparkle.com", true },
   { "nyantec.com", true },
   { "nybiz.nyc", true },
   { "nycoyote.org", true },
   { "nydig.com", true },
-  { "nydnxs.com", true },
-  { "nyghtus.net", true },
+  { "nyghtus.net", false },
   { "nyhaoyuan.net", true },
   { "nyiad.edu", true },
   { "nyip.co.uk", true },
@@ -26928,15 +27778,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "nyoronfansubs.org", true },
   { "nyphox.ovh", true },
   { "nys-hk.com", false },
+  { "nysteak5.com", true },
   { "nytrafficticket.com", true },
   { "nyxi.eu", true },
   { "nyyu.tk", true },
   { "nzb.cat", false },
   { "nzbr.de", true },
-  { "nzdmo.govt.nz", true },
   { "nzstudy.ac.nz", true },
   { "nzws.me", true },
-  { "o-loska.cz", true },
   { "o-results.ch", true },
   { "o-sp.com", true },
   { "o2careers.co.uk", true },
@@ -26947,7 +27796,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "o8b.club", true },
   { "oaic.gov.au", true },
   { "oakandresin.co", true },
-  { "oakesfam.net", true },
   { "oakington.info", false },
   { "oaklands.co.za", true },
   { "oakparkelectrical.com", true },
@@ -26956,16 +27804,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oakparklighting.com", true },
   { "oakparkoutdoorlighting.com", true },
   { "oakslighting.co.uk", true },
+  { "oaktree-realtors.com", true },
   { "oanalista.com.br", true },
   { "oasisdabeleza.com.br", true },
   { "oasisim.net", false },
   { "oatmealdome.me", true },
+  { "oatycloud.spdns.de", true },
   { "oauth-dropins.appspot.com", false },
   { "obamalibrary.gov", true },
   { "obamawhitehouse.gov", true },
   { "oberhofdrinks.com", true },
   { "obermeiers.eu", true },
-  { "oberoi.de", true },
   { "obesidadlavega.com", true },
   { "obfuscate.xyz", true },
   { "obg-global.com", true },
@@ -26980,7 +27829,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "obono.at", true },
   { "obrienswine.ie", true },
   { "obs.group", true },
-  { "obscur.us", true },
   { "observer.name", true },
   { "obsessharness.com", true },
   { "obsidianirc.net", true },
@@ -26992,6 +27840,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oc-sa.ch", true },
   { "ocalaflwomenshealth.com", true },
   { "ocarupo.com", true },
+  { "occ.gov", true },
   { "occenterprises.org", true },
   { "occentus.net", true },
   { "occmon.net", true },
@@ -27016,7 +27865,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ocim.ch", true },
   { "ockendenhemming.co.uk", true },
   { "oclausen.com", true },
-  { "ocloudhost.com", true },
   { "ocni-ambulance-most.cz", true },
   { "ocolere.ch", true },
   { "ocotg.com", true },
@@ -27027,6 +27875,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "octal.es", true },
   { "octarineparrot.com", true },
   { "octav.name", false },
+  { "octobered.com", true },
   { "octocaptcha.com", true },
   { "octofox.de", true },
   { "octohedralpvp.tk", true },
@@ -27045,6 +27894,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oddsandevensbookkeeping.ca", true },
   { "oddtime.net", true },
   { "odensc.me", true },
+  { "odense3dprint.dk", true },
   { "odhosc.ca", true },
   { "odifi.com", true },
   { "odinseye.net", true },
@@ -27055,6 +27905,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "odvps.com", true },
   { "odysseyofthemind.eu", true },
   { "odzyskaniedomeny.pl", true },
+  { "oe-boston.com", true },
   { "oec-music.com", true },
   { "oeh.ac.at", true },
   { "oeko-bundesfreiwilligendienst-sh.de", true },
@@ -27067,10 +27918,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oemspace.nl", true },
   { "oemwolf.com", true },
   { "oenings.eu", true },
+  { "oessi.eu", true },
   { "of2m.fr", true },
   { "ofcampuslausanne.ch", true },
   { "ofda.gov", true },
   { "ofertasadsl.com", true },
+  { "ofertino.es", true },
+  { "ofertolino.fr", true },
   { "offandonagain.org", true },
   { "offbyinfinity.com", true },
   { "offenekommune.de", true },
@@ -27078,6 +27932,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "offertegiuste.com", true },
   { "offfbynight.be", true },
   { "offgames.io", true },
+  { "offgridauto.com", true },
   { "offgridhub.com", true },
   { "office-discount.at", true },
   { "office-discount.de", true },
@@ -27087,9 +27942,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "officeinteriors.co.nz", true },
   { "officemovepro.com", true },
   { "officiants.wedding", false },
-  { "officium.tech", true },
   { "offroadeq.com", true },
   { "offroadhoverboard.net", true },
+  { "offshoot.ie", true },
   { "offshoot.rentals", true },
   { "offshore.digital", true },
   { "offshoremarineparts.com", false },
@@ -27099,7 +27954,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oftamedic.com", true },
   { "oftn.org", true },
   { "oge.ch", true },
-  { "ogis.gov", true },
+  { "ogkw.de", true },
   { "oglen.ca", true },
   { "ogocare.com", true },
   { "oguya.ch", true },
@@ -27107,6 +27962,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oh14.de", true },
   { "ohadsoft.com", true },
   { "ohai.su", true },
+  { "ohartl.de", true },
   { "ohchouette.com", true },
   { "ohd.dk", true },
   { "oheila.com", true },
@@ -27120,21 +27976,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ohsohairy.co.uk", true },
   { "ohyooo.com", true },
   { "oi-wiki.org", true },
-  { "oiaio.cn", true },
-  { "oilfieldinjury.attorney", true },
+  { "oil-ecn.ru", true },
   { "oilpaintingsonly.com", true },
   { "oirealtor.com", true },
   { "oisd.nl", true },
   { "oita-homes.com", true },
   { "ojaioliveoil.com", true },
-  { "ojanaho.com", true },
   { "ojdip.net", true },
   { "ojomovies.com", true },
   { "ojp.gov", true },
-  { "okaidi.es", true },
   { "okaidi.fr", true },
   { "okakuro.org", true },
   { "okanaganrailtrail.ca", true },
+  { "okashi.me", true },
   { "okay.cf", true },
   { "okay.coffee", true },
   { "okburrito.com", true },
@@ -27164,10 +28018,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "olbat.net", true },
   { "olcayanar.com", true },
   { "olcbrookhaven.org", true },
-  { "oldbrookinflatables.co.uk", true },
   { "oldbrookmarqueehire.co.uk", true },
   { "oldchaphome.nl", true },
-  { "oldenglishsheepdog.com.br", true },
+  { "older-racer.com", true },
   { "oldita.ru", true },
   { "oldking.net", true },
   { "oldnews.news", true },
@@ -27178,6 +28031,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oldsticker.com", true },
   { "oldstmary.com", true },
   { "oldtimerreifen-moeller.de", true },
+  { "olecoin.io", true },
   { "olegon.ru", true },
   { "olegs.be", true },
   { "oleksii.name", true },
@@ -27189,18 +28043,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "olgui.net", true },
   { "olgun.eu", true },
   { "olhcparish.net", true },
-  { "olightstore.com", true },
+  { "olifant.fr", true },
   { "olightstore.ro", true },
-  { "oliode.tk", true },
   { "oliveoil.bot", true },
   { "oliveoilschool.org", true },
   { "oliveoiltest.com", true },
   { "oliveoiltimes.com", true },
   { "oliveraiedelabastideblanche.fr", true },
   { "oliverclausen.com", true },
+  { "oliverdunk.com", false },
   { "oliverfaircliff.com", true },
   { "olivernaraki.com", true },
   { "oliverniebuhr.de", true },
+  { "oliverschmid.space", true },
   { "oliverspringer.eu", true },
   { "oliverst.com", true },
   { "olivierberardphotographe.com", true },
@@ -27209,7 +28064,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oliviervaillancourt.com", true },
   { "olizeite.ch", true },
   { "ollie.io", true },
-  { "ollieowlsblog.com", true },
   { "ollies.cloud", true },
   { "ollies.cz", true },
   { "olliespage.com", true },
@@ -27221,16 +28075,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "olmc-nutley.org", true },
   { "olmcnewark.com", true },
   { "olmsted.io", true },
+  { "olomercy.com", true },
   { "olphseaside.org", true },
   { "olqoa.org", true },
+  { "olsh-hilltown.com", true },
+  { "olsonproperties.com", true },
   { "olygazoo.com", true },
   { "olymp-arts.world", true },
   { "olympeakgaming.tv", true },
   { "olympiads.ca", true },
   { "olympic-research.com", true },
+  { "om.yoga", true },
   { "om1.com", true },
   { "omanko.porn", true },
-  { "omar.yt", true },
   { "omarh.net", true },
   { "omdesign.cz", true },
   { "omegahosting.net", true },
@@ -27251,7 +28108,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "omniasl.com", true },
   { "omniatv.com", true },
   { "omnibot.tv", true },
-  { "omnisafira.com", true },
   { "omniscimus.net", false },
   { "omnisiens.se", true },
   { "omnisky.dk", true },
@@ -27264,8 +28120,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "omronwellness.com", true },
   { "omsdieppe.fr", true },
   { "on-tech.co.uk", true },
+  { "on.tax", true },
   { "ona.io", true },
   { "onaboat.se", true },
+  { "onahonavi.com", true },
   { "onarto.com", true },
   { "onazikgu.com", true },
   { "onbuzzer.com", false },
@@ -27278,7 +28136,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "onderwijstransparant.nl", true },
   { "ondevamosjantar.com", true },
   { "ondrej.org", true },
-  { "ondrejhoralek.cz", true },
+  { "ondrejbudin.cz", true },
   { "one---line.com", true },
   { "one-resource.com", true },
   { "one-s.co.jp", true },
@@ -27296,21 +28154,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "onedrive.live.com", false },
   { "onee3.org", true },
   { "onefour.ga", false },
-  { "onegoodthingbyjillee.com", true },
   { "oneheartbali.church", true },
   { "oneidentity.me", true },
   { "oneiroi.co.uk", true },
   { "onemid.net", true },
-  { "oneminute.io", false },
   { "onemoonmedia.de", true },
   { "oneononeonone.de", true },
   { "oneononeonone.tv", true },
   { "onepercentrentals.com", true },
-  { "onepointsafeband.ca", true },
-  { "onepointsafeband.com", true },
   { "onepointzero.com", true },
   { "oneprediction.com", true },
-  { "onesnzeroes.com", false },
+  { "onesnzeroes.com", true },
   { "onesports.cz", true },
   { "onestepfootcare.com", true },
   { "onestopcastles.co.uk", true },
@@ -27319,6 +28173,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "onetech.it", true },
   { "onetime.info", true },
   { "onetonline.org", true },
+  { "onetouchrevealplus.com", true },
+  { "onetwentyseven001.com", true },
   { "oneway.ga", true },
   { "onewaymail.com", true },
   { "oneweb.hu", true },
@@ -27330,22 +28186,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oni.nl", true },
   { "onice.ch", true },
   { "onionbot.me", true },
+  { "onionplay.net", true },
   { "onionplay.org", true },
   { "onionscan.org", true },
+  { "onionyst.com", true },
   { "oniria.ch", true },
   { "onix.eu.com", true },
   { "onixcco.com.br", true },
+  { "onkentessegertdij.hu", true },
   { "onlfait.ch", true },
+  { "online-backup.se", true },
   { "online-bouwmaterialen.nl", true },
   { "online-calculator.com", true },
   { "online-consulting-corp.com", true },
   { "online-consulting-corp.fr", true },
   { "online-eikaiwa-guide.com", true },
   { "online-health-insurance.com", true },
-  { "online-horoskop.ch", true },
   { "online-lernprogramme.de", true },
   { "online-pr.at", true },
-  { "online-results.dk", true },
   { "online-stopwatch.com", true },
   { "online-textil.com", true },
   { "online-textil.cz", true },
@@ -27360,11 +28218,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "onlinecollegeessay.com", true },
   { "onlinefashion.it", true },
   { "onlinehashfollow.com", true },
-  { "onlineinfographic.com", true },
   { "onlinekmc.com", true },
   { "onlinelegalmarketing.com", true },
   { "onlinelegalmedia.com", true },
   { "onlinelighting.com.au", true },
+  { "onlinemarketingmuscle.com", true },
   { "onlinemarketingtraining.co.uk", true },
   { "onlinepokerspelen.be", true },
   { "onlineporno.xyz", true },
@@ -27373,15 +28231,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "onlinestoreninjas.com", true },
   { "onlinetextil.cz", true },
   { "onlineth.com", false },
-  { "onlineweblearning.com", true },
   { "onlinexl.nl", true },
   { "onlylebanon.net", true },
   { "onmaps.de", true },
   { "onmarketbookbuilds.com", true },
   { "onnaguse.com", true },
-  { "onoranze-funebri.biz", true },
   { "onpay.io", true },
-  { "onpermit.net", true },
   { "onqproductions.com", true },
   { "onrr.gov", true },
   { "ons.ca", true },
@@ -27414,7 +28269,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oopsis.com", true },
   { "ooyo.be", true },
   { "op11.co.uk", false },
-  { "opadaily.com", true },
   { "opalesurfcasting.net", true },
   { "oparl.org", true },
   { "opcenter.de", true },
@@ -27422,7 +28276,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "open-banking-access.uk", true },
   { "open-bs.com", true },
   { "open-bs.ru", true },
-  { "open-desk.org", true },
   { "open-domotics.info", true },
   { "open-freax.fr", true },
   { "open-gaming.net", true },
@@ -27436,7 +28289,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "openbayes.com", true },
   { "openbeecloud.com", true },
   { "openblox.org", true },
-  { "openbsd.id", true },
   { "opencad.io", true },
   { "opencircuit.nl", true },
   { "openclima.com", true },
@@ -27452,6 +28304,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "openings.ninja", true },
   { "openintelligence.uk", true },
   { "openitforum.pl", true },
+  { "openjur.de", true },
   { "openkim.org", true },
   { "openkvk.nl", true },
   { "openmirrors.ml", true },
@@ -27459,7 +28312,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "opennippon.com", true },
   { "opennippon.ru", true },
   { "openpictures.ch", true },
-  { "openpresentes.com.br", true },
   { "openquery.com.au", true },
   { "openrainbow.com", true },
   { "openrainbow.net", true },
@@ -27472,6 +28324,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "openscreen.lu", true },
   { "opensource-cms.nl", true },
   { "opensource-training.de", true },
+  { "opensourcesurvey.org", true },
   { "openspa.webhop.info", true },
   { "openssl.org", true },
   { "openstem.com.au", true },
@@ -27500,13 +28353,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "opoleo.com", false },
   { "oportho.com.br", true },
   { "oposiciones.com.es", true },
+  { "oposicionesapolicialocal.es", true },
   { "oposicionescorreos.com.es", true },
+  { "oposicionescorreos.es", true },
+  { "oposicionescorreos.info", true },
+  { "oposicionesdejusticia.org", true },
   { "oposicionesertzaintza.com.es", true },
+  { "oposicionesycursos.com", true },
   { "oppada.com", true },
   { "oppaiti.me", true },
   { "oppejoud.ee", true },
   { "opportunis.me", true },
   { "opportunity.de", true },
+  { "oppositionsecurity.com", true },
   { "oppwa.com", true },
   { "opq.pw", true },
   { "oprbox.com", true },
@@ -27519,28 +28378,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "opticaltest.com", true },
   { "optik-trosdorff.de", true },
   { "optimalsetup.com", true },
-  { "optimised.cloud", true },
-  { "optimised.io", true },
   { "optimisedlabs.co.uk", true },
   { "optimisedlabs.com", true },
-  { "optimisedlabs.info", true },
-  { "optimisedlabs.net", true },
-  { "optimisedlabs.uk", true },
   { "optimist.bg", true },
-  { "optimizedlabs.co.uk", true },
-  { "optimizedlabs.info", true },
-  { "optimizedlabs.net", true },
-  { "optimizedlabs.uk", true },
   { "optimumwebdesigns.com", true },
   { "optimus.io", true },
   { "optimuscrime.net", true },
-  { "optisure.de", true },
   { "optm.us", true },
   { "optmos.at", true },
   { "optometryscotland.org.uk", true },
   { "optoutday.de", true },
-  { "opure.ml", true },
-  { "opure.ru", true },
   { "opus-codium.fr", true },
   { "oraculum.cz", true },
   { "orang-utans.com", true },
@@ -27552,6 +28399,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "orangenuts.in", true },
   { "orangetravel.eu", true },
   { "orangutan-appeal.org.uk", true },
+  { "oranjee.net", true },
+  { "orbital3.com", true },
   { "orbu.net", true },
   { "orca.pet", true },
   { "orcamoney.com", true },
@@ -27563,6 +28412,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "orderessay.net", true },
   { "ordernow.at", true },
   { "orderswift.com", true },
+  { "ordoro.com", true },
   { "ordr.mobi", true },
   { "oreshinya.xyz", true },
   { "oreskylaw.com", true },
@@ -27580,7 +28430,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "orians.eu", true },
   { "oribia.net", true },
   { "orientalart.nl", true },
-  { "orientravelmacas.com", true },
+  { "oriflameszepsegkozpont.hu", true },
   { "origami.to", true },
   { "origamika.com", true },
   { "original-christstollen.com", true },
@@ -27599,39 +28449,35 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oriongames.eu", true },
   { "orkestar-krizevci.hr", true },
   { "orkiv.com", true },
+  { "orlandobalbas.com", true },
   { "orlandoprojects.com", true },
   { "orleika.io", true },
   { "orlives.de", false },
   { "ormer.nl", true },
   { "orocojuco.com", true },
-  { "orovillelaw.com", true },
-  { "orro.ro", true },
   { "orrs.de", true },
   { "orthocop.cz", true },
   { "orthodontiste-geneve-docteur-rioux.com", true },
   { "orthograph.ch", true },
   { "orthotictransfers.com", true },
   { "ortlepp.eu", true },
-  { "orum.in", true },
+  { "oruggt.is", true },
   { "orwell1984.today", true },
   { "oryva.com", true },
-  { "orz.uno", true },
   { "os-chrome.ru", true },
   { "os-s.net", true },
   { "os-t.de", true },
   { "os24.cz", true },
   { "osacrypt.studio", true },
-  { "osaka-onakura.com", true },
   { "osakeannit.fi", true },
   { "osao.org", true },
   { "osbi.pl", true },
   { "osborn.io", true },
   { "osborneinn.com", true },
   { "osburn.com", true },
-  { "oscamp.eu", true },
   { "oscarvk.ch", true },
-  { "oscloud.com", true },
   { "osepideasthatwork.org", true },
+  { "osereso.tn", true },
   { "oses.mobi", true },
   { "oshayr.com", true },
   { "oshell.me", true },
@@ -27639,6 +28485,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "oshrc.gov", true },
   { "osielnava.com", true },
   { "osirisrp.online", true },
+  { "osirium.com", true },
   { "oskrba.net", true },
   { "oskuro.net", true },
   { "osla.org", true },
@@ -27651,12 +28498,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "osobliwydom.pl", true },
   { "osomjournal.org", true },
   { "ospf.sk", true },
+  { "osprecos.com.br", true },
+  { "osprecos.pt", true },
   { "ospree.me", true },
   { "ostan-collections.net", true },
   { "osterkraenzchen.de", true },
+  { "ostgotamusiken.se", true },
   { "osti.gov", true },
   { "ostimwebyazilim.com", true },
   { "ostr.io", true },
+  { "ostrov8.com", true },
   { "osusume-houhou.com", true },
   { "oswalds.co.uk", true },
   { "oswaldsmillaudio.com", true },
@@ -27668,13 +28519,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "otakubox.de", true },
   { "otakurepublic.com", true },
   { "otakurumi.de", true },
+  { "otakuyun.com", true },
   { "otellio.com", true },
   { "otellio.de", true },
   { "otellio.it", true },
   { "other98.com", true },
   { "oticasaopaulo.com.br", true },
   { "oticasvisao.net.br", true },
-  { "otoblok.com", true },
   { "otokiralama.name.tr", true },
   { "otorrino.pt", true },
   { "otoy.com", true },
@@ -27683,7 +28534,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "otr.ie", true },
   { "otrm.de", true },
   { "otsfreestyle.jp", true },
-  { "otsu.beer", true },
+  { "ottoproject.io", false },
   { "ottoversand.at", true },
   { "otus-magnum.com", true },
   { "otvaracie-hodiny.sk", true },
@@ -27692,10 +28543,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ouattara.ch", true },
   { "ouestsolutions.com", true },
   { "ouglor.com", true },
-  { "ouimoove.com", true },
   { "ouin.land", true },
   { "oulunjujutsu.com", true },
-  { "ouowo.gq", true },
   { "our-box.net", true },
   { "ourai.ws", true },
   { "ourcloud.at", true },
@@ -27707,7 +28556,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ourladyqueenofmartyrs.org", true },
   { "ourls.win", true },
   { "ourmaster.org", true },
-  { "ouruglyfood.com", true },
   { "ourwedding.xyz", true },
   { "ourworldindata.org", true },
   { "out-of-scope.de", true },
@@ -27734,10 +28582,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "outline.ski", true },
   { "outlines.xyz", true },
   { "outlookonthedesktop.com", true },
+  { "outplnr.fr", true },
   { "outpostinfo.com", true },
   { "outsideconnections.com", true },
   { "outsiders.paris", true },
-  { "ovabag.com", true },
   { "ovelhaostra.com", true },
   { "overalglas.nl", true },
   { "overamsteluitgevers.nl", true },
@@ -27753,29 +28601,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "overthecloud.it", true },
   { "overthinkingit.com", true },
   { "overtrolls.de", true },
-  { "overwall.org", true },
   { "overzicht.pro", true },
   { "overzicht.ws", true },
   { "oveweddings.com", true },
   { "ovirt.org", true },
   { "ovix.co", true },
   { "ovnrain.com", true },
+  { "ovpn.to", true },
   { "ovvy.net", false },
   { "owapi.net", true },
   { "owennelson.co.uk", true },
+  { "owensordinarymd.com", true },
   { "owid.cloud", true },
-  { "owl-hakkei.com", true },
   { "owl-square.com", true },
   { "owl-stat.ch", true },
   { "owl.net", true },
   { "owlandrabbitgallery.com", true },
   { "owlishmedia.com", true },
   { "own3d.ch", true },
-  { "ownc.at", true },
   { "owncloud.ch", true },
   { "ownmay.com", true },
   { "oxborrow.ca", true },
   { "oxelie.com", true },
+  { "oxia.me", true },
+  { "oxiame.eu", true },
   { "oxo.cloud", true },
   { "oxygin.net", true },
   { "oxytocin.org", true },
@@ -27811,6 +28660,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paas-inf.net", true },
   { "paass.net", true },
   { "paazmaya.fi", true },
+  { "pablo.im", true },
+  { "pablo.scot", true },
+  { "pablo.sh", true },
+  { "pabloarteaga.co.uk", true },
+  { "pabloarteaga.com", true },
+  { "pabloarteaga.com.es", true },
+  { "pabloarteaga.es", true },
+  { "pabloarteaga.eu", true },
+  { "pabloarteaga.info", true },
+  { "pabloarteaga.me", true },
+  { "pabloarteaga.name", true },
+  { "pabloarteaga.net", true },
+  { "pabloarteaga.nom.es", true },
+  { "pabloarteaga.org", true },
+  { "pabloarteaga.science", true },
+  { "pabloarteaga.tech", true },
+  { "pabloarteaga.uk", true },
+  { "pabloarteaga.xyz", true },
   { "pablofain.com", true },
   { "pabuzo.vn", true },
   { "pacaom.com", true },
@@ -27824,7 +28691,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pacificcashforcars.com.au", true },
   { "pacificpalisadeselectric.com", true },
   { "pacificpalisadeselectrical.com", true },
-  { "pacificpalisadeselectrician.com", true },
   { "pacificpalisadeslandscapelighting.com", true },
   { "pacificpalisadeslighting.com", true },
   { "pacifictilkin-occasions.be", true },
@@ -27832,6 +28698,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pack-haus.de", true },
   { "packagefactory.dk", true },
   { "packagingproject.management", true },
+  { "packagist.jp", true },
   { "packagist.org", false },
   { "packaware.com", true },
   { "packetdigital.com", true },
@@ -27854,6 +28721,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pagalworld.co", true },
   { "pagalworld.com", true },
   { "pagalworld.info", true },
+  { "pagalworld.io", true },
   { "pagalworld.la", true },
   { "pagalworld.me", true },
   { "pagalworld.org", true },
@@ -27863,10 +28731,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pagedesignpro.com", true },
   { "pagedesignweb.com", true },
   { "pagefulloflies.io", true },
-  { "pageperform.com", true },
   { "pagewizz.com", true },
   { "pagiamtzis.com", true },
   { "pagina.com.mx", true },
+  { "pagina394.com.br", true },
   { "paginaweb4u.com", true },
   { "pagure.io", true },
   { "pahae.de", true },
@@ -27878,9 +28746,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "painefamily.co.uk", true },
   { "painlessproperty.co.uk", true },
   { "paint-it.pink", true },
+  { "paintball-ljubljana.si", true },
   { "paintball-shop.sk", true },
   { "paintcolorsbysue.com", true },
   { "paintingindurban.co.za", true },
+  { "paintsealdirect.com", true },
   { "paipuman.jp", true },
   { "pajadam.me", true },
   { "pajuvuo.fi", true },
@@ -27888,9 +28758,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paketo.sk", true },
   { "paketwatch.de", false },
   { "pakho.xyz", true },
+  { "pakingas.lt", true },
   { "pakistani.dating", true },
   { "pakitow.fr", true },
   { "pakke.de", true },
+  { "pakroyalpress.com", true },
   { "paktolos.net", true },
   { "palabr.as", true },
   { "palapadev.com", true },
@@ -27901,6 +28773,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "palavatv.com", true },
   { "palazzo.link", true },
   { "palazzo.work", true },
+  { "paleoself.com", true },
   { "paleotraining.com", true },
   { "palestra.roma.it", true },
   { "palladium46.com", true },
@@ -27945,11 +28818,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "panj.ws", true },
   { "panjiva.com", true },
   { "panmetro.com", true },
-  { "panoma.de", true },
   { "panomizer.de", true },
   { "panopy.co", true },
   { "panopy.me", true },
-  { "panoti.com", false },
   { "panoxadrez.com.br", true },
   { "panpa.ca", true },
   { "panpsychism.com", true },
@@ -27964,6 +28835,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pants-off.xyz", true },
   { "panzer72.ru", true },
   { "panzerscreen.dk", true },
+  { "pao.ge", true },
   { "pap.la", false },
   { "papa-webzeit.de", true },
   { "papadopoulos.me", true },
@@ -27980,6 +28852,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paperlesssolutionsltd.com.ng", true },
   { "papertracker.net", true },
   { "paperturn.com", true },
+  { "paperworld.online", true },
   { "paperwritinghelp.net", true },
   { "papiermakerijdehoop.nl", true },
   { "papiermeteenverhaal.nl", true },
@@ -27989,9 +28862,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paprikas.fr", true },
   { "paraborsa.net", true },
   { "parachute70.com", true },
+  { "paracomer.es", true },
   { "paradais-sphynx.com", true },
   { "paradependentesquimicos.com.br", true },
-  { "paradigi.com.br", true },
   { "paradise-engineer.com", true },
   { "paradise-engineering.com", true },
   { "paradise-travel.net", true },
@@ -28003,18 +28876,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paranoidcrypto.com", true },
   { "paranoidmode.com", true },
   { "paranoidpenguin.net", true },
+  { "paranormalweirdo.com", true },
+  { "paranoxer.hu", true },
   { "parasitologyclub.org", true },
+  { "parasosto.fi", true },
   { "paratlan.hu", true },
   { "paratxt.org", true },
   { "parcelbroker.co.uk", false },
   { "parchcraftaustralia.com", true },
   { "parckwart.de", true },
   { "parcon.it", true },
+  { "parcoursup.fr", true },
   { "parentelement.com", true },
   { "parentheseardenne.be", true },
   { "parentinterview.com", true },
   { "parentsintouch.co.uk", true },
-  { "pariga.co.uk", true },
   { "paris-store.com", true },
   { "parisackerman.com", true },
   { "parisbloom.com", true },
@@ -28024,11 +28900,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "parisfranceparking.de", true },
   { "parisfranceparking.fr", true },
   { "parisfranceparking.nl", true },
-  { "parisprovincedemenagements.fr", true },
   { "parkeren.in", true },
   { "parkfans.net", true },
   { "parkhost.eu", true },
   { "parkinginparis.fr", true },
+  { "parkingparisnord.fr", true },
   { "parkingpoint.co.uk", true },
   { "parkrunstats.servehttp.com", true },
   { "parkviewmotorcompany.com", true },
@@ -28047,13 +28923,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "parsemail.org", true },
   { "parser.nu", true },
   { "parsonsfamilyhomes.com", true },
+  { "parteaga.com", true },
+  { "parteaga.net", true },
   { "partecipa.tn.it", true },
+  { "parthkolekar.me", true },
   { "partijhandel.website", true },
   { "partijtjevoordevrijheid.nl", false },
   { "partiono.com", true },
   { "partner.sh", true },
+  { "partnercardservices.com", true },
   { "partnermobil.de", true },
-  { "partnersfcu.org", true },
   { "partou.de", true },
   { "partridge.tech", true },
   { "parts4phone.com", true },
@@ -28094,14 +28973,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pascalmathis.com", true },
   { "pascalmathis.me", true },
   { "pascalmathis.net", true },
-  { "pascalspoerri.ch", false },
   { "pascualinmuebles.com", true },
   { "pasearch.nl", true },
   { "pashminacachemire.com", true },
   { "pass.org.my", true },
   { "passabook.com", true },
   { "passcod.name", true },
-  { "passendonderwijs.nl", true },
   { "passfilesafe.com", true },
   { "passfoto-deinfoto.ch", true },
   { "passieposse.nl", true },
@@ -28110,9 +28987,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "passionatehorsemanship.com", true },
   { "passionatelife.com.au", true },
   { "passionbyd.com", true },
-  { "passionebenessere.com", true },
   { "passionpictures.eu", true },
   { "passions-art.com", true },
+  { "passover-fun.com", true },
   { "passphrase.today", true },
   { "passport.yandex.by", true },
   { "passport.yandex.com", true },
@@ -28150,10 +29027,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pasternok.org", true },
   { "pasticcerialorenzetti.com", true },
   { "pastoral-verbund.de", true },
-  { "pastorbelgagroenendael.com.br", true },
   { "pastordocaucaso.com.br", true },
-  { "pastormaremanoabruzes.com.br", true },
-  { "pastorsuico.com.br", true },
   { "pasztor.at", true },
   { "patapwn.com", true },
   { "patatbesteld.nl", true },
@@ -28168,16 +29042,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pathwaystoresilience.org", true },
   { "patika-biztositas.hu", true },
   { "patikabiztositas.hu", true },
-  { "patouille-et-gribouille.fr", true },
+  { "patineteselectricosbaratos.net", true },
   { "patrick-othmer.de", true },
   { "patrick-robrecht.de", true },
+  { "patrick.my-gateway.de", true },
   { "patrick21.ch", true },
   { "patrickaudley.ca", true },
   { "patrickaudley.com", true },
   { "patrickbrosi.de", true },
   { "patrickhoefler.net", true },
   { "patricklynch.xyz", true },
-  { "patrickmcnamara.xyz", true },
   { "patrikgarten.de", true },
   { "patriksima.cz", true },
   { "patriksimek.cz", true },
@@ -28204,7 +29078,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paulcooper.me.uk", true },
   { "pauldev.co", true },
   { "paulerhof.com", true },
-  { "paulewen.ca", true },
   { "paulgerberrealtors.com", true },
   { "paulinewesterman.nl", true },
   { "paulmeier.com", false },
@@ -28212,11 +29085,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paulov.com", true },
   { "paulov.info", true },
   { "paulov.ru", true },
-  { "paulpetersen.dk", true },
   { "paulrobertlloyd.com", true },
   { "paulrotter.de", true },
   { "paulschreiber.com", true },
   { "paulscustomauto.com", true },
+  { "paulshir.com", true },
+  { "paulshir.is", true },
   { "paulsnar.lv", true },
   { "paulswartz.net", true },
   { "paulus-foto.pl", true },
@@ -28227,10 +29101,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pauly-stahlhandel.de", true },
   { "pauspam.net", true },
   { "pautadiaria.com", true },
+  { "pavamtio.cz", true },
   { "pavando.com", true },
   { "pavelfojt.cz", true },
   { "pavelrebrov.com", true },
-  { "pavelstriz.cz", true },
   { "pavio.org", true },
   { "paw.cloud", true },
   { "paw.pt", true },
@@ -28241,8 +29115,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pawsomebox.co.uk", true },
   { "pawsr.us", true },
   { "paxerahealth.com", true },
+  { "pay-online.in", true },
   { "pay.gov", true },
-  { "pay8522.com", true },
   { "paybook.co.tz", true },
   { "payboy.biz", true },
   { "payboy.rocks", true },
@@ -28268,20 +29142,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "paysbuy.net", true },
   { "paysera.com", true },
   { "payslipview.com", true },
-  { "payssaintgilles.fr", true },
+  { "payssaintgilles.fr", false },
   { "paystack.com", true },
   { "paytm.in", true },
   { "paytonmoledor.com", true },
   { "payupay.ru", true },
   { "payzang.com", true },
-  { "pb.ax", false },
   { "pback.se", true },
   { "pbosquet.com", true },
   { "pbourhis.me", true },
-  { "pbqs.site", true },
   { "pbr.so", true },
   { "pbraunschdash.com", true },
-  { "pbreen.co.uk", true },
   { "pbrumby.com", true },
   { "pbz.im", true },
   { "pc-rescue.me", false },
@@ -28320,6 +29191,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pdfresizer.com", true },
   { "pdfsearch.org", true },
   { "pdfsearches.com", true },
+  { "pdkrawczyk.com", true },
   { "pdox.net", true },
   { "pdragt.com", true },
   { "pdthings.net", true },
@@ -28329,6 +29201,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "peaceispossible.cc", true },
   { "peaceloveandlabor.com", true },
   { "peak-careers.com", true },
+  { "peakhomeloan.com", true },
   { "peaksloth.com", true },
   { "peanutbase.org", true },
   { "peanutproductionsnyc.com", true },
@@ -28347,6 +29220,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pedicurean.nl", true },
   { "pedicureduiven.nl", true },
   { "pedidamanosevilla.com", true },
+  { "pedidosfarma.com.br", true },
   { "pedikura-vitu.cz", true },
   { "pedimanie.cz", true },
   { "pedimoda.com.br", true },
@@ -28397,11 +29271,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pekoe.se", true },
   { "pelanucto.cz", true },
   { "pelican.ie", true },
+  { "peliculator.com", true },
+  { "pellet.pordenone.it", true },
   { "pelletizermill.com", true },
   { "pelletsprice.com", true },
   { "pelopogrund.com", true },
   { "pelopoplot.com", true },
   { "pelotonimports.com", true },
+  { "pemborongbangunan.id", true },
   { "pems.gov.au", true },
   { "penaugustin.com", true },
   { "pencepay.com", true },
@@ -28410,6 +29287,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "penetrationstest.se", true },
   { "penfold.fr", true },
   { "pengi.me", true },
+  { "penguinbits.net", true },
   { "penguindrum.moe", true },
   { "penguinprotocols.com", true },
   { "penispumpen.se", true },
@@ -28439,7 +29317,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pepeelektro.sk", true },
   { "pepemodelismo.com.br", true },
   { "peperstraat.online", true },
+  { "pepgrid.net", true },
   { "peplog.nl", true },
+  { "pepme.net", true },
+  { "pepstaff.net", true },
   { "pepwaterproofing.com", true },
   { "pequenosfavoritos.com.br", false },
   { "per-olsson.se", true },
@@ -28453,29 +29334,29 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "perd.re", true },
   { "perecraft.com", true },
   { "perezdecastro.org", true },
+  { "perfect-carstyle.de", true },
   { "perfect.in.th", true },
   { "perfectbalance.tech", true },
   { "perfectcloud.org", true },
+  { "perfectfocuseyecare.com", true },
+  { "perfectgift.com", true },
   { "perfectoparty.co.uk", true },
   { "perfectsnap.co.uk", true },
+  { "perfectstreaming.systems", true },
   { "perfektesgewicht.com", true },
   { "perfektesgewicht.de", true },
-  { "performancehealth.com", true },
+  { "perfmatters.io", true },
+  { "performancehealth.com", false },
   { "performing-art-schools.com", true },
   { "perfumeaz.com", true },
   { "perfumes.com.br", true },
+  { "periodic-drinking.com", true },
   { "periscope.tv", true },
   { "perishablepress.com", true },
   { "perm-avia.ru", true },
-  { "perm-jur.ch", true },
-  { "perm-juridique.ch", true },
   { "perm4.com", true },
   { "permajackofstlouis.com", true },
-  { "permanence-juridique.com", true },
-  { "permanencejuridique-ge.ch", true },
-  { "permanencejuridique.com", true },
   { "permeance108.com", true },
-  { "permiscoderoute.fr", true },
   { "permistheorique.be", true },
   { "permistheoriqueenligne.be", true },
   { "perniciousgames.com", true },
@@ -28484,8 +29365,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "perrau.lt", true },
   { "perroquet-passion.ch", true },
   { "persephone.gr", true },
+  { "persocloud.org", true },
   { "personal-genome.com", true },
-  { "personal-injury-attorney.co", true },
   { "personaltrainer-senti.de", true },
   { "perspectivum.com", true },
   { "perspektivwechsel-coaching.de", true },
@@ -28512,11 +29393,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "petelew.is", true },
   { "peter.org.ua", true },
   { "peterandjoelle.co.uk", true },
+  { "peterbarrett.ca", true },
   { "peterboers.info", true },
   { "peterborgapps.com", true },
   { "peterbruceharvey.com", true },
   { "peterdavehello.org", true },
   { "peterfiorella.com", true },
+  { "peterhons.com.au", true },
   { "peterhuetz.at", true },
   { "peterhuetz.com", true },
   { "peterjin.org", true },
@@ -28546,10 +29429,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "petroleum-schools.com", true },
   { "petroscand.eu", true },
   { "petrostathis.com", true },
-  { "petrotranz.com", true },
   { "petrpikora.com", true },
   { "petrucciresidential.com", true },
-  { "petruzz.net", true },
+  { "pets4life.com.au", true },
   { "petschnighof.at", true },
   { "pettitcoat.com", true },
   { "petwall.info", true },
@@ -28557,7 +29439,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pewnews.org", true },
   { "pex.digital", true },
   { "peyote.com", true },
-  { "pf.dk", true },
   { "pfa.or.jp", true },
   { "pfadfinder-aurich.de", true },
   { "pfadfinder-grossauheim.de", true },
@@ -28575,8 +29456,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pflanzen-shop.ch", true },
   { "pflanzenshop-emsland.de", true },
   { "pflegesalon-siebke.de", true },
+  { "pflug.email", true },
   { "pfmeasure.com", true },
-  { "pfo.io", true },
   { "pfotentour-berlin.de", true },
   { "pfrost.me", true },
   { "pfudor.tk", true },
@@ -28589,15 +29470,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pgp.guru", true },
   { "pgp.network", true },
   { "pgpmail.cc", true },
+  { "pgregg.com", true },
   { "ph-blog.de", true },
   { "ph.search.yahoo.com", false },
   { "ph3r3tz.net", true },
-  { "phantasie.cc", true },
   { "phantastikon.de", true },
   { "pharma-display.com", true },
   { "pharmaabsoluta.com.br", true },
   { "pharmaboard.de", true },
-  { "pharmaboard.org", true },
   { "pharmacie-fr.org", true },
   { "pharmacieplusfm.ch", true },
   { "pharmafoto.ch", true },
@@ -28609,28 +29489,33 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pharmica.uk", true },
   { "pharside.dyndns.org", true },
   { "pharynks.com", true },
+  { "pharynx.nl", true },
   { "phasersec.com", false },
   { "phasme-2016.com", true },
   { "phattea.tk", true },
-  { "phaux.uno", true },
   { "phcimages.com", true },
+  { "phcnetworks.net", true },
   { "phcorner.net", true },
   { "phdhub.it", true },
+  { "phellowseven.com", true },
   { "phelx.de", true },
+  { "phen-garcinia.info", true },
   { "phenixairsoft.com", true },
+  { "phenq.com", true },
   { "phget.com", true },
   { "phhtc.ir", true },
   { "phi-works.com", true },
   { "phialo.de", true },
   { "phil-dirt.com", true },
   { "phil-phillies.com", true },
+  { "phil.red", true },
   { "phil.tw", true },
   { "philadelphia.com.mx", true },
   { "phileas-psychiatrie.be", true },
   { "philia-sa.com", true },
   { "philipdb.com", true },
   { "philipdb.nl", true },
-  { "philipkohn.com", true },
+  { "philipkobelt.ch", true },
   { "philipp-trulson.de", true },
   { "philipp-winkler.de", true },
   { "philipp1994.de", true },
@@ -28640,11 +29525,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "philippebonnard.fr", true },
   { "philipperoose.be", true },
   { "philippheenen.de", true },
-  { "philippinedroneassociation.org", true },
   { "philippkeschl.at", true },
   { "philipssupportforum.com", true },
   { "philipzhan.tk", true },
   { "phillipgoldfarb.com", true },
+  { "phillipsdistribution.com", true },
   { "phillyinjurylawyer.com", true },
   { "philna.sh", true },
   { "philosoftware.com.br", true },
@@ -28659,12 +29544,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "philsturgeon.uk", true },
   { "philux.ch", true },
   { "phishing-studie.org", true },
-  { "phishing.rs", false },
   { "phishingusertraining.com", true },
   { "phligence.com", true },
   { "phocean.net", true },
-  { "phoenics.de", true },
+  { "phoenixlogan.com", true },
   { "phoenixurbanspaces.com", true },
+  { "pholder.com", true },
   { "phone-service-center.de", true },
   { "phonix-company.fr", true },
   { "phormance.com", true },
@@ -28672,39 +29557,38 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "phosagro.com", false },
   { "phosagro.ru", false },
   { "phosphene.io", true },
-  { "photek.fm", true },
   { "photistic.org", true },
   { "photo-livesearch.com", true },
   { "photo-paysage.com", true },
+  { "photo.org.il", true },
   { "photoancestry.com", true },
   { "photoartelle.com", true },
   { "photodeal.fr", true },
+  { "photofilmcamera.com", true },
   { "photographe-reims.com", true },
   { "photographersdaydream.com", true },
   { "photography-workshops.net", true },
-  { "photolium.net", true },
+  { "photolium.net", false },
   { "photomodelcasting.com", true },
-  { "photon.sh", true },
-  { "photosquare.com.tw", true },
   { "phototravel.uk", true },
   { "phototrio.com", true },
+  { "phoxden.net", true },
   { "phoxmeh.com", true },
   { "php-developer.org", true },
   { "php-tuning.de", true },
+  { "php.watch", true },
   { "phparcade.com", true },
   { "phpartners.org", true },
   { "phpbbchinese.com", true },
   { "phpdorset.co.uk", true },
   { "phpinfo.in.th", true },
-  { "phpkari.cz", true },
   { "phpliteadmin.org", true },
   { "phpmyadmin.net", true },
   { "phpower.com", true },
   { "phpprime.com", true },
   { "phpsecure.info", true },
+  { "phpstan.org", true },
   { "phpunit.de", true },
-  { "phra.gs", true },
-  { "phrive.space", true },
   { "phryanjr.com", false },
   { "phuket-idc.com", true },
   { "phuket-idc.de", true },
@@ -28712,10 +29596,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "phurl.de", true },
   { "phurl.io", true },
   { "phus.lu", true },
+  { "phyley.com", true },
   { "physicalism.com", true },
   { "physicalist.com", true },
   { "physicaltherapist.com", false },
-  { "physicpezeshki.com", true },
   { "physics-schools.com", true },
   { "physiotherapie-seiwald.de", true },
   { "physiovesenaz.ch", true },
@@ -28739,6 +29623,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "piccolo-parties.co.uk", true },
   { "pickabrain.fr", true },
   { "pickelhaubes.com", true },
+  { "pickersurvey.org", true },
   { "pickme.nl", false },
   { "pickmysoap.gr", true },
   { "pickormix.co.uk", true },
@@ -28747,7 +29632,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "picoauto.com", true },
   { "piconepress.com", true },
   { "picotech.com", true },
-  { "picotronic.de", true },
   { "picster.at", true },
   { "picsto.re", true },
   { "pictorial.com.sg", true },
@@ -28766,6 +29650,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pieland.eu", true },
   { "pieldenaranja.com", true },
   { "piem.org", true },
+  { "piepermail.nl", true },
   { "pieq.eu", true },
   { "pieq.eu.org", true },
   { "pier28.com", true },
@@ -28773,6 +29658,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "piercraft.com", true },
   { "pierre-denoblens.net", true },
   { "pierre-schmitz.com", true },
+  { "pierreblake.com", true },
   { "pierrefv.com", true },
   { "pierreprinetti.com", true },
   { "pierrickdeniel.fr", true },
@@ -28781,11 +29667,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pieterhordijk.com", true },
   { "pietermaene.be", false },
   { "pietz.uk", true },
-  { "pigritia.de", true },
   { "pigs.pictures", true },
   { "pijuice.com", true },
+  { "pijusmagnificus.com", true },
   { "pik.bzh", true },
-  { "pikeitservices.com.au", true },
   { "pikimusic.moe", true },
   { "pilani.ch", true },
   { "pilarguineagil.com", true },
@@ -28794,6 +29679,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pileofgarbage.net", true },
   { "piliszek.net", true },
   { "pill.id", true },
+  { "pillowfort.pub", true },
   { "pilot-colleges.com", true },
   { "pilot.co", true },
   { "pilotgrowth.com", true },
@@ -28825,16 +29711,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pinkwalk.co.nz", true },
   { "pinkyf.com", false },
   { "pinkylam.me", true },
+  { "pinnacle-tex.com", true },
   { "pinnacleallergy.net", true },
   { "pinnaclelife.co.nz", true },
   { "pinnaclelife.nz", true },
   { "pinnacles.com", true },
   { "pinner.io", true },
+  { "pinot.it", true },
   { "pinoydailytvshow.net", true },
   { "pinoyonlinetv.com", true },
   { "pinoytech.ph", true },
   { "pinpayments.com", true },
-  { "pinscher.com.br", true },
+  { "pinpointengineer.co.uk", true },
   { "pinskupakki.fi", true },
   { "pinterest.at", true },
   { "pinterest.co.uk", true },
@@ -28844,16 +29732,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pinterest.ie", true },
   { "pinterest.info", true },
   { "pinterest.jp", true },
+  { "pinterjann.is", true },
   { "pintosbeeremovals.co.za", true },
   { "pintosplumbing.co.za", true },
   { "pioneer-car.eu", true },
   { "pioneer-rus.ru", true },
   { "pipenny.net", true },
+  { "pipfrosch.com", true },
   { "pipocao.com", true },
   { "pirate.trade", true },
   { "piratebayproxy.tf", true },
   { "piraten-basel.ch", true },
   { "piraten-bv-nord.de", true },
+  { "pirateparty.org.uk", true },
   { "pirateproxy.cam", true },
   { "pirateproxy.cat", true },
   { "pirateproxy.cc", true },
@@ -28882,12 +29773,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pissblau.com", true },
   { "pissflaps.co.uk", true },
   { "pisupp.ly", true },
+  { "pitaiabank.com", true },
+  { "pitaiatrade.com", true },
   { "pitbullsecuritysolutions.ca", true },
   { "pitchpinecapital.com", true },
   { "pitchupp.com", true },
   { "pitfire.io", true },
   { "pitot-rs.org", true },
   { "pittmantraffic.co.uk", true },
+  { "piubip.com.br", true },
   { "pivniraj.com", true },
   { "pivotaltracker.com", true },
   { "pivotanimation.org", true },
@@ -28909,39 +29803,37 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pixelz.cc", true },
   { "pixiv.cat", true },
   { "pixiv.moe", true },
-  { "pixivimg.me", true },
   { "pixlfox.com", true },
   { "pixloc.fr", true },
   { "pizza-show.fr", true },
   { "pizzabesteld.nl", true },
   { "pizzabottle.com", false },
-  { "pizzacook.ch", true },
   { "pizzafest.ddns.net", true },
-  { "pizzafunny.com.br", true },
   { "pizzagigant.hu", true },
   { "pizzahut.ru", true },
   { "pizzalongaway.it", true },
-  { "pizzamc.eu", true },
   { "pizzeria-mehrhoog.de", true },
   { "pizzeriaamadeus.hr", true },
   { "pizzeriacolore.com", true },
   { "pj539999.com", true },
   { "pjentertainments.co.uk", true },
-  { "pjili.com", true },
   { "pjleisure.co.uk", true },
   { "pjo.no", true },
   { "pjuu.com", false },
   { "pk.search.yahoo.com", false },
   { "pkbjateng.com", true },
+  { "pkbjateng.or.id", true },
+  { "pkeus.de", true },
   { "pkgt.de", false },
   { "pkirwan.com", true },
   { "pkisolutions.com", true },
   { "pkov.cz", true },
   { "pkphotobooths.co.uk", true },
+  { "pkrank.com", true },
+  { "pksps.com", true },
   { "pl-cours.ch", true },
   { "pl.search.yahoo.com", false },
   { "placasonline.com.br", true },
-  { "placassinal.com.br", true },
   { "placebet.pro", true },
   { "placedaffiliate.com", true },
   { "placedapps.com", true },
@@ -28953,6 +29845,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "plainbulktshirts.co.za", true },
   { "plainjs.com", true },
   { "plainmark.com", true },
+  { "plaintech.net.au", true },
   { "plaisirdumouvement.com", true },
   { "plan-immobilier.fr", true },
   { "plan-it-events.de", true },
@@ -28989,6 +29882,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "plantastique.ch", true },
   { "plantastique.com", true },
   { "planteforum.no", true },
+  { "plantekno.com", true },
   { "plantes.ch", true },
   { "plantezcheznous.com", true },
   { "plantrustler.com", true },
@@ -28997,9 +29891,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "planview.com", true },
   { "plaque-funeraire.fr", true },
   { "plassmann.ws", true },
-  { "plasticsurgeryartist.com", true },
   { "plasticsurgerynola.com", true },
-  { "plastiflex.it", true },
+  { "plasticsurgeryservices.com", true },
   { "plastovelehatko.cz", true },
   { "plateformecandidature.com", true },
   { "platformadmin.com", true },
@@ -29008,7 +29901,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "platschi.net", true },
   { "platten-nach-mass.de", true },
   { "platterlauncher.com", true },
-  { "plattner.club", true },
   { "play-casino-japan.com", true },
   { "play-charades.com", true },
   { "play.cash", true },
@@ -29018,9 +29910,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "playcollect.net", true },
   { "playdaysparties.co.uk", true },
   { "playerdb.co", true },
+  { "players2gather.com", true },
   { "playerscout.net", true },
   { "playform.cloud", true },
-  { "playhappywheelsunblocked.com", true },
   { "playnation.io", true },
   { "playocean.net", true },
   { "playpirates.com", true },
@@ -29042,12 +29934,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pleier.it", false },
   { "pleine-conscience.ch", true },
   { "plenigo.com", true },
+  { "plentybetter.com", true },
+  { "plentybetter.org", true },
   { "plesse.pl", true },
   { "plexa.de", true },
   { "plexhome13.ddns.net", true },
-  { "plexi.dyndns.tv", true },
   { "plexmark.tk", true },
-  { "plextv.de", true },
+  { "plicca.com", true },
   { "pliosoft.com", true },
   { "plissee-experte.de", true },
   { "plitu.de", true },
@@ -29077,21 +29970,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "plumbingcentral.com.au", true },
   { "plumbingglenvista.co.za", true },
   { "plumlocosoft.com", true },
-  { "plumnet.ch", true },
   { "plumpie.net", false },
+  { "plumplat.com", true },
   { "plur.com.au", true },
   { "plural.cafe", true },
   { "plurr.me", true },
   { "plus-5.com", true },
   { "plus.google.com", false },
   { "plus.sandbox.google.com", true },
-  { "plus1s.site", true },
   { "pluscbdoil.com", true },
   { "pluslink.co.jp", true },
   { "plusstreamfeed.appspot.com", true },
-  { "plustech.id", true },
-  { "pluta.net", true },
-  { "pluth.org", true },
+  { "pluta.net", false },
   { "plutiedev.com", true },
   { "pluto.life", true },
   { "plutokorea.com", true },
@@ -29123,7 +30013,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pmnaish.co.uk", true },
   { "pmoreau.org", true },
   { "pmp-art.com", true },
-  { "pmponline.de", true },
   { "pmsacorp.com", true },
   { "pmsf.eu", true },
   { "pmsfdev.com", true },
@@ -29134,29 +30023,108 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pneu01.fr", true },
   { "pneu74.fr", true },
   { "pneuhaus-lemp.ch", true },
-  { "pneumonline.be", true },
   { "pnimmobilier.ch", true },
   { "pnmhomecheckup.com", true },
+  { "pnoec.org.do", true },
   { "pnona.cz", true },
   { "pnsc.is", true },
   { "pnut.io", false },
   { "po.net", true },
   { "poba.fr", true },
+  { "poc.xn--fiqs8s", true },
+  { "poc060.com", true },
+  { "poc080.com", true },
+  { "poc100.com", true },
+  { "poc109.com", true },
+  { "poc11.com", true },
+  { "poc116.com", true },
+  { "poc118.com", true },
+  { "poc119.com", true },
+  { "poc120.com", true },
+  { "poc128.com", true },
+  { "poc13.com", true },
+  { "poc15.com", true },
+  { "poc16.com", true },
+  { "poc18.com", true },
+  { "poc19.com", true },
+  { "poc21.com", true },
+  { "poc211.com", true },
+  { "poc22.com", true },
+  { "poc226.com", true },
+  { "poc228.com", true },
+  { "poc23.com", true },
+  { "poc25.com", true },
+  { "poc26.com", true },
+  { "poc261.com", true },
+  { "poc262.com", true },
+  { "poc27.com", true },
+  { "poc290.com", true },
+  { "poc298.com", true },
+  { "poc31.com", true },
+  { "poc32.com", true },
+  { "poc33.com", true },
+  { "poc35.com", true },
+  { "poc36.com", true },
+  { "poc37.com", true },
+  { "poc38.com", true },
+  { "poc51.com", true },
+  { "poc518.com", true },
+  { "poc52.com", true },
+  { "poc53.com", true },
+  { "poc55.com", true },
+  { "poc56.com", true },
+  { "poc568.com", true },
+  { "poc57.com", true },
+  { "poc58.com", true },
+  { "poc586.com", true },
+  { "poc588.com", true },
+  { "poc59.com", true },
+  { "poc601.com", true },
+  { "poc618.com", true },
+  { "poc63.com", true },
+  { "poc65.com", true },
+  { "poc66.com", true },
+  { "poc67.com", true },
+  { "poc68.com", true },
+  { "poc69.com", true },
+  { "poc699.com", true },
+  { "poc7.com", true },
+  { "poc718.com", true },
+  { "poc72.com", true },
+  { "poc75.com", true },
+  { "poc76.com", true },
+  { "poc77.com", true },
+  { "poc78.com", true },
+  { "poc79.com", true },
+  { "poc8.com", true },
+  { "poc816.com", true },
+  { "poc86.com", true },
   { "poc88.com", true },
-  { "pocakking.tk", true },
+  { "poc88.vip", true },
+  { "poc888.com", true },
+  { "poc89.com", true },
+  { "poc899.com", true },
+  { "poc916.com", true },
+  { "poc918.com", true },
+  { "poc98.com", true },
+  { "poc99.com", true },
   { "pocatellonissanparts.com", true },
   { "pochaneko.com", true },
   { "pocitacezababku.cz", true },
   { "pocketfruity.com", true },
   { "pocketinsure.com", true },
+  { "pocpok.com", true },
+  { "pocqipai.com", true },
   { "podemos.info", true },
   { "podia.com.gr", false },
+  { "podo-podo.com", true },
   { "podroof.com", true },
   { "podroof.com.au", true },
   { "podshrink.de", true },
   { "poe.digital", true },
   { "poed.net.au", true },
   { "poedgirl.com", true },
+  { "poemlife.com", true },
   { "poezja.com.pl", true },
   { "poezjagala.pl", true },
   { "poffenhouse.ddns.net", true },
@@ -29174,7 +30142,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "poiru.net", true },
   { "poitiers-ttacc-86.eu.org", true },
   { "pojer.me", true },
-  { "pokalsocial.de", true },
   { "pokazy-iluzji.pl", true },
   { "pokefarm.com", true },
   { "pokeinthe.io", true },
@@ -29185,8 +30152,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pokemori.jp", true },
   { "pokepon.center", true },
   { "pokl.cz", true },
+  { "pokrowcecardo.pl", true },
   { "polaire.org", true },
   { "polanda.com", true },
+  { "polar-baer.com", true },
   { "polar.uk.com", true },
   { "pole-emotion.ch", true },
   { "poleacademie.com", true },
@@ -29203,7 +30172,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "polis812.ru", true },
   { "polish-dictionary.com", true },
   { "polish-flag.com", true },
-  { "polish-translations.com", true },
   { "polish-translator.com", true },
   { "polish-translator.net", true },
   { "polish-translators.net", true },
@@ -29226,19 +30194,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "polleverywhere.com", true },
   { "pollingplace.uk", true },
   { "polly.spdns.org", true },
+  { "polomack.eu", true },
   { "poloniainfo.com", true },
-  { "poloniex.co.za", true },
   { "polska-robota.com.ua", true },
   { "polskiemalzenstwo.org", true },
   { "poly-fast.com", true },
   { "polycraftual.co.uk", true },
-  { "polyfill.io", true },
   { "polyfluoroltd.com", false },
   { "polygamer.net", true },
   { "polygraphi.ae", true },
   { "polymake.org", true },
   { "polymathematician.com", true },
-  { "polymorph.rs", true },
   { "polynomapp.com", true },
   { "polypane.rocks", true },
   { "polypet.com.sg", true },
@@ -29247,6 +30213,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "polytekniskforening.dk", true },
   { "pomar.club", false },
   { "pomelo-paradigm.com", true },
+  { "pomfe.co", true },
   { "pomfeed.fr", true },
   { "pommedepain.fr", true },
   { "pomockypredeti.sk", true },
@@ -29257,14 +30224,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "poncho-bedrucken.de", true },
   { "ponere.dz", true },
   { "poneypourtous.com", true },
+  { "poneytelecom.org", true },
   { "ponga.se", true },
+  { "ponio.xyz", true },
   { "pony-cl.co.jp", true },
   { "pony.tf", true },
   { "ponychan.net", true },
   { "ponycyclepals.co.uk", true },
   { "ponydesignclub.nl", true },
   { "ponyfoo.com", true },
-  { "ponzi.life", true },
   { "poodleassassin.com", true },
   { "poodlefan.net", true },
   { "pookl.com", true },
@@ -29287,6 +30255,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "popoway.cloud", true },
   { "popoway.me", true },
   { "poppetsphere.de", true },
+  { "poptimize.net", true },
   { "population-ethics.com", true },
   { "popvitrin.com", true },
   { "poquvi.net", true },
@@ -29294,8 +30263,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "porg.es", true },
   { "pork.org.uk", true },
   { "porkel.de", true },
+  { "pornagent.de", true },
   { "pornbay.eu", true },
-  { "porncandi.com", true },
   { "porndragon.net", true },
   { "pornfacefinder.com", false },
   { "pornflare.net", true },
@@ -29314,7 +30283,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "porny.xyz", true },
   { "porpcr.com", true },
   { "pors-sw.cz", true },
-  { "port.im", true },
   { "port443.hamburg", true },
   { "port443.se", true },
   { "port67.org", true },
@@ -29327,6 +30295,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "portalcentric.net", true },
   { "portalkla.com.br", true },
   { "portamiinpista.it", true },
+  { "portatiles-baratos.net", true },
   { "porte.roma.it", true },
   { "portercup.com", true },
   { "porterranchelectrical.com", true },
@@ -29355,11 +30324,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "positive.com.cy", true },
   { "positivenames.net", true },
   { "posobota.cz", true },
-  { "posoiu.net", true },
   { "post-darwinian.com", true },
   { "post-darwinism.com", true },
   { "post.com.ar", true },
   { "post.io", true },
+  { "post.we.bs", true },
+  { "post4me.at", true },
   { "postal.dk", true },
   { "postal3.es", true },
   { "postblue.info", true },
@@ -29385,7 +30355,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "potature.rimini.it", true },
   { "potature.roma.it", true },
   { "potentialproject.com", false },
-  { "potenzprobleme-info.net", true },
   { "poterepersonale.it", true },
   { "pothe.com", true },
   { "pothe.de", true },
@@ -29402,12 +30371,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pourlesenfants.info", true },
   { "pouwels-oss.nl", true },
   { "povareschka.ru", true },
+  { "povertymind.com", true },
   { "povesham.tk", true },
   { "pow-s.com", true },
   { "pow.jp", true },
   { "powdersnow.top", true },
   { "powelljones.co.uk", true },
-  { "power-coonies.de", true },
   { "power-fit.org", true },
   { "power-flowengineer.com", true },
   { "power-meter.cc", true },
@@ -29428,8 +30397,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "powersergdatasystems.com", true },
   { "powersergholdings.com", true },
   { "powersergthisisthetunnelfuckyouscott.com", true },
+  { "powersergthisisthewebsitefuckyouchris.com", true },
   { "powersergthisisthewebsitefuckyouscott.com", true },
-  { "powersergusercontent.com", true },
   { "powerwellness-korecki.de", true },
   { "pozemedicale.org", true },
   { "pozlife.net", true },
@@ -29442,6 +30411,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ppmathis.ch", true },
   { "ppmathis.com", true },
   { "ppmoon.com", true },
+  { "ppoozl.com", true },
   { "ppro.com", true },
   { "pptavmdata.org", true },
   { "ppy.la", true },
@@ -29461,17 +30431,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prado.it", true },
   { "praeparation-keppner.de", true },
   { "praerien-racing.com", true },
+  { "praetzlich-hamburg.de", true },
   { "prague-swim.cz", true },
   { "praguepsychology.com", true },
   { "praguepsychology.cz", true },
   { "pragueswim.cz", true },
   { "praha-9.eu", true },
-  { "prajwalkoirala.com", true },
   { "prakhar.uk", true },
   { "prakharprasad.com", true },
   { "praktijkdevecht.nl", true },
   { "praktijkpassepartout.nl", true },
   { "prashchar.uk", true },
+  { "prateep.io", true },
   { "pratopronto.org", true },
   { "pratorotoli.it", true },
   { "praxino.de", true },
@@ -29479,10 +30450,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "praxis-familienglueck.de", true },
   { "praxis-odermath.de", true },
   { "prayerrequest.com", true },
-  { "prazynka.pl", true },
   { "prc-newmedia.com", true },
   { "prc.gov", true },
+  { "pre-lean-consulting.de", true },
   { "precept.uk.com", true },
+  { "preciosde.es", true },
   { "preciouslife.fr", true },
   { "preciscx.com", true },
   { "preciseassemblies.com", true },
@@ -29492,12 +30464,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "precisionventures.com", true },
   { "precode.eu", true },
   { "predoiu.ro", true },
+  { "preferredreverse.com", true },
   { "prefix.eu", true },
-  { "pregono.com", true },
   { "pregunteleakaren.gov", true },
   { "preigu.de", true },
   { "preis-alarm.info", true },
   { "preis-alarm.org", true },
+  { "preisser-it.de", true },
+  { "preisser.it", true },
   { "preissler.co.uk", true },
   { "preload.link", true },
   { "preloaded-hsts.badssl.com", true },
@@ -29512,6 +30486,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prelved.pl", true },
   { "prelved.se", true },
   { "prematureacceleration.club", true },
+  { "preme.name", true },
   { "premierbouncycastles.co.uk", true },
   { "premieresloges.ca", false },
   { "premierevents.ie", true },
@@ -29523,11 +30498,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "premiumwebdesign.it", true },
   { "premtech.nl", true },
   { "prenatalgeboortekaartjes.nl", true },
+  { "prepadefi.fr", true },
   { "prepaid-cards.xyz", true },
   { "prepaid-voip.nl", true },
   { "prepaidkredietkaart.be", true },
   { "prepare-job-hunting.com", true },
-  { "presbee.com", true },
+  { "prepavesale.fr", true },
   { "presbvm.org", true },
   { "presbyterian-colleges.com", true },
   { "prescotonline.co.uk", true },
@@ -29556,12 +30532,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prestonbrant.com", true },
   { "pretachique.com.br", true },
   { "pretix.eu", true },
+  { "pretor.com.pl", true },
+  { "pretor.eu", true },
+  { "pretor.pl", true },
+  { "pretorcup.pl", true },
   { "pretrialservices.gov", true },
   { "pretty.hu", true },
   { "prettygirlcheats.com", true },
-  { "prettynode.com", true },
+  { "prettynode.com", false },
+  { "pretwolk.nl", true },
   { "pretzelx.com", true },
   { "prevenir.ch", true },
+  { "preventshare.com", true },
   { "preview-it-now.com", true },
   { "priceremoval.net", true },
   { "pricesniffer.co", true },
@@ -29572,16 +30554,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "primaconsulting.net", true },
   { "primalbase.com", true },
   { "primalinea.pro", true },
+  { "primalshop.dk", true },
+  { "primananda.com", true },
   { "primates.com", true },
   { "primeequityproperties.com", true },
   { "primoloyalty.com", true },
   { "primorus.lt", true },
-  { "primotilesandbathrooms.co.uk", false },
   { "princeofwhales.com", true },
   { "princesparktouch.com", true },
   { "princessefoulard.com", true },
-  { "principalship.net", true },
+  { "principalsexam.com", true },
   { "principalstest.com", true },
+  { "principalstest.ph", true },
   { "principalstest.review", true },
   { "principaltoolbox.com", true },
   { "principia-journal.de", true },
@@ -29590,7 +30574,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "princovi.cz", true },
   { "prinice.org", true },
   { "printeknologies.com", true },
+  { "printerinktoutlet.nl", true },
   { "printerleasing.be", true },
+  { "printertonerkopen.nl", true },
   { "printf.de", true },
   { "printfn.com", false },
   { "printler.com", true },
@@ -29621,6 +30607,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prismacloud.com", true },
   { "prismacloud.green", true },
   { "prismacloud.xyz", true },
+  { "prismapayments.com", true },
   { "pristal.eu", true },
   { "pristinegreenlandscaping.com", true },
   { "pritalk.com", true },
@@ -29633,6 +30620,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "privacychick.io", true },
   { "privacyforjournalists.org.au", true },
   { "privacyinternational.org", true },
+  { "privacynow.eu", true },
   { "privacyscore.org", true },
   { "privacyweek.at", true },
   { "privacyweek.de", true },
@@ -29645,7 +30633,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "privatecapsecurity.org", true },
   { "privateideas.de", true },
   { "privateimarketing.com", true },
-  { "privatepokertour.com", true },
   { "privatepropertymallorca.com", true },
   { "privatestatic.com", false },
   { "privatevoid.net", true },
@@ -29677,6 +30664,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "probely.com", true },
   { "probiv.biz", true },
   { "probiv.cc", true },
+  { "procar-rheinland.de", true },
   { "procarservices.com", true },
   { "procensus.com", true },
   { "procert.ch", true },
@@ -29684,7 +30672,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "procharter.com", true },
   { "procinorte.net", true },
   { "proclib.org", true },
-  { "proclubs.news", true },
+  { "procrastinatingengineer.uk", true },
   { "procrastinationland.com", true },
   { "procreditbank-kos.com", true },
   { "procreditbank.com.al", true },
@@ -29694,7 +30682,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prodietix.cz", true },
   { "prodigia.com", false },
   { "prodinger.com", true },
-  { "prodottogiusto.com", true },
   { "prodsim.ninja", true },
   { "producepromotions.com", true },
   { "producertools.io", true },
@@ -29703,10 +30690,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "productdesignsoftware.com.au", true },
   { "production.vn", true },
   { "productlondon.com", true },
-  { "productoinnovador.com", true },
   { "productpeo.pl", true },
   { "products4more.at", true },
-  { "produkttest-online.com", true },
   { "prodware.fr", true },
   { "prodware.nl", true },
   { "proeflokaalbakker.nl", true },
@@ -29748,20 +30733,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "progressnet.nl", true },
   { "progresswww.nl", true },
   { "prohrcloud.com", true },
-  { "proimpact.it", true },
   { "project.supply", true },
   { "project86fashion.com", true },
   { "projectarmy.net", false },
   { "projectblackbook.us", true },
-  { "projectborealisgitlab.site", false },
+  { "projectborealisgitlab.site", true },
   { "projectforge.org", true },
+  { "projectgrimoire.com", true },
   { "projectlinuseasttn.org", true },
   { "projectnom.com", true },
   { "projectsafechildhood.gov", true },
   { "projectsecretidentity.com", true },
   { "projectsecretidentity.org", true },
   { "projectunity.io", true },
+  { "projectxyz.eu", true },
   { "projektarbeit-projektplanung.de", true },
+  { "projektzentrisch.de", true },
   { "projest.ch", true },
   { "projet-fly.ch", true },
   { "prolan.pw", true },
@@ -29770,6 +30757,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "promedyczny.pl", true },
   { "prometheanfire.net", true },
   { "prometheanfire.org", true },
+  { "promiflash.de", true },
   { "promisesaplus.com", true },
   { "promo-brille.at", true },
   { "promo-brille.ch", true },
@@ -29790,13 +30778,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pronto-intervento.net", true },
   { "prontointerventoimmediato.it", true },
   { "prontossl.com", true },
-  { "proobec.cz", true },
   { "proofwiki.org", true },
   { "proos.nl", true },
   { "proovn.com", true },
   { "propagandablog.de", true },
   { "propagationtools.com", true },
-  { "propepper.net", true },
   { "properchels.com", true },
   { "propermatches.com", true },
   { "properticons.com", true },
@@ -29804,22 +30790,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "propertygroup.pl", true },
   { "propertyinside.id", true },
   { "propertyone.mk", true },
-  { "prophiler.de", true },
+  { "propertysales-almeria.com", true },
   { "propipesystem.com", true },
   { "proposalonline.com", true },
   { "propr.no", true },
   { "proprietairesmaisons.fr", true },
   { "propseller.com", true },
   { "proseandleprechauns.com", true },
-  { "prosharp.com.au", true },
   { "prospanek.cz", true },
+  { "prospecto.com.au", true },
+  { "prospecto.ee", true },
+  { "prospecto.hr", true },
+  { "prospecto.lt", true },
   { "prosperfit.com", true },
   { "prosperontheweb.com", true },
   { "prospo.co", true },
-  { "prostoporno.sexy", true },
+  { "prostoporno.vip", true },
   { "prostye-recepty.com", true },
   { "prosurveillancegear.com", true },
-  { "prot.ch", false },
+  { "prot.ch", true },
   { "protech.ge", true },
   { "protectedreport.com", true },
   { "protectem.de", true },
@@ -29828,6 +30817,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "protege.moi", true },
   { "protegetudescanso.com", true },
   { "protein-riegel-test.de", true },
+  { "proteinnuts.sk", false },
   { "protempore.fr", true },
   { "proteogenix-products.com", true },
   { "proteogenix.science", true },
@@ -29858,6 +30848,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prowise.com", true },
   { "prowise.me", true },
   { "proximityradio.fr", true },
+  { "proxybay.bet", true },
   { "proxybay.bz", true },
   { "proxybay.co", true },
   { "proxybay.eu.org", true },
@@ -29866,10 +30857,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "proxybay.tv", true },
   { "proxyportal.eu", true },
   { "proyectafengshui.com", true },
-  { "proyecto13.com", true },
   { "prpferrara.it", true },
   { "prplz.io", true },
-  { "prpr.cloud", true },
   { "prt.in.th", true },
   { "prtimes.com", true },
   { "prtpe.com", true },
@@ -29882,6 +30871,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "prynhawn.net", true },
   { "prynhawn.org", true },
   { "pryspry.com", true },
+  { "prytkov.com", true },
   { "przemas.pl", true },
   { "ps-provider.co.jp", true },
   { "ps-sale.ru", true },
@@ -29924,7 +30914,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "psw-consulting.de", true },
   { "psw-group.de", true },
   { "psw.net", true },
-  { "psxtr.com", true },
   { "psyao.ch", true },
   { "psychedelia.com", true },
   { "psychedelics.org", true },
@@ -29935,7 +30924,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "psycho.space", true },
   { "psychoactive.com", true },
   { "psychoco.net", false },
-  { "psychologie-hofner.at", true },
+  { "psychotechnique.be", true },
+  { "psychotechnique.ch", true },
+  { "psychotechniquetest.fr", true },
   { "psychotherapie-kp.de", true },
   { "psycolleges.com", true },
   { "psydix.org", true },
@@ -29964,6 +30955,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "puac.de", true },
   { "pubclub.com", true },
   { "pubean.com", true },
+  { "pubi.me", false },
   { "publanda.nl", true },
   { "public-g.de", true },
   { "public-projects.com", true },
@@ -29976,27 +30968,33 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "publicrea.com", true },
   { "publicsuffix.org", true },
   { "publiq.space", true },
-  { "pubmire.com", true },
+  { "pubmire.com", false },
   { "pubreview.com.au", true },
   { "pubreviews.com", true },
   { "pucchi.net", true },
   { "pucssa.org", true },
   { "puddis.de", true },
+  { "puestifiestas.mx", true },
+  { "puestosdeferia.mx", true },
   { "puggan.se", true },
   { "pugovka72.ru", true },
-  { "puhka.me", true },
   { "puissancemac.ch", true },
   { "pukfalkenberg.dk", true },
-  { "puli.com.br", true },
   { "pulizieuffici.milano.it", true },
   { "pulpproject.org", true },
+  { "pulsarsecurity.com", true },
   { "pulser.stream", true },
   { "pulsnitzer-lebkuchen-shop.de", true },
+  { "pulsnitzer-lebkuchen.de", true },
   { "pulsnitzer-lebkuchen.shop", true },
   { "pulsnitzer-pfefferkuchen-shop.de", true },
   { "pulsnitzer-pfefferkuchen.shop", true },
+  { "pumpandcash.com", true },
   { "pumperszene.com", true },
+  { "punchlinetheatre.co.uk", true },
+  { "punchunique.com", true },
   { "puneflowermall.com", true },
+  { "punematka.com", true },
   { "punikonta.de", true },
   { "punitsheth.com", true },
   { "punkapoule.fr", true },
@@ -30011,9 +31009,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pure-gmbh.com", true },
   { "purecabo.com", true },
   { "purefkh.xyz", true },
+  { "purefreefrom.co.uk", true },
   { "pureitsolutionsllp.com", true },
-  { "purelunch.co.uk", true },
   { "pureluxemedical.com", true },
+  { "purenvi.ca", true },
   { "purevapeofficial.com", true },
   { "purplebooth.co.uk", false },
   { "purplebricks.co.uk", true },
@@ -30030,21 +31029,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "purplestar.com", true },
   { "purplestar.mobi", true },
   { "purplewindows.net", true },
-  { "purplez.pw", true },
   { "purrfect-box.co.uk", true },
   { "purrfectboudoir.com", true },
+  { "purrfectcams.com", true },
   { "purrfectmembersclub.com", true },
+  { "purrfectswingers.com", true },
   { "pursuedtirol.com", true },
   { "puryearlaw.com", true },
   { "pusatinkubatorbayi.com", true },
   { "pushers.com.mx", true },
   { "pushoflove.com", true },
-  { "pushphp.com", true },
   { "pushrax.com", true },
   { "pusichatka.ddns.net", true },
+  { "pussr.com", true },
   { "put.moe", true },
   { "put.re", true },
   { "putatara.net", true },
+  { "putin.red", true },
   { "putman-it.nl", true },
   { "putney.io", true },
   { "putomani.rs", true },
@@ -30058,6 +31059,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "puzzle-welt.ch", true },
   { "puzzlepoint.ch", true },
   { "pv-paderborn-now.de", true },
+  { "pvamg.org", true },
   { "pvcvoordeel.nl", false },
   { "pvda.nl", true },
   { "pvmotorco.com", true },
@@ -30071,11 +31073,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "pwnedpass.tk", true },
   { "pwnies.dk", true },
   { "pwolk.com", true },
+  { "pxgamer.xyz", true },
   { "pxl-mailtracker.com", true },
   { "pxl.cl", true },
   { "pxx.io", true },
   { "py-amf.org", true },
   { "py.search.yahoo.com", false },
+  { "pycoder.org", true },
   { "pycrc.org", true },
   { "pycrypto.org", true },
   { "pycycle.info", true },
@@ -30111,10 +31115,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qaconstrucciones.com", true },
   { "qadmium.com", true },
   { "qambarraza.com", true },
-  { "qapital.com", true },
+  { "qani.me", true },
   { "qaq.sh", true },
+  { "qarea.com", true },
+  { "qaz.cloud", true },
+  { "qbeing.info", true },
   { "qbiju.com.br", true },
   { "qbiltrade.com", true },
+  { "qbus.pl", true },
   { "qc.immo", true },
   { "qc.search.yahoo.com", false },
   { "qccareerschool.com", true },
@@ -30129,6 +31137,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qctravelschool.com", true },
   { "qdabogados.com", true },
   { "qdon.space", false },
+  { "qe-lab.at", true },
   { "qedcon.org", false },
   { "qelectrotech.org", true },
   { "qetesh.de", true },
@@ -30147,14 +31156,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qingcao.org", true },
   { "qingpei.me", true },
   { "qionouu.cn", true },
+  { "qipl.org", true },
   { "qis.fr", true },
   { "qitarabutrans.com", true },
   { "qiu521119.host", true },
-  { "qiuri.org", true },
+  { "qiukong.com", true },
+  { "qiuri.org", false },
   { "qivonline.pt", true },
   { "qiwi.be", true },
   { "qixi.biz", true },
   { "qkmortgage.com", true },
+  { "qlcvea.com", true },
   { "qldconservation.org.au", true },
   { "qldformulaford.org", true },
   { "qledtech.com", false },
@@ -30167,9 +31179,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qonto.eu", true },
   { "qoor.io", true },
   { "qotw.net", true },
+  { "qpcna.org", true },
   { "qponverzum.hu", true },
   { "qq-navi.com", true },
   { "qq52o.me", true },
+  { "qqrss.com", true },
   { "qr-city.org", true },
   { "qr.cl", true },
   { "qrbird.com", true },
@@ -30181,6 +31195,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qtl.me", true },
   { "qtmsheep.com", true },
   { "qtn.net", true },
+  { "qto.com", true },
+  { "qto.net", true },
   { "qtpass.org", true },
   { "qtpower.co.uk", true },
   { "qtpower.net", true },
@@ -30188,6 +31204,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qtvr.com", true },
   { "qtxh.net", true },
   { "quackerswaterproofing.com", true },
+  { "quadra.srl", true },
   { "quaggan.co", true },
   { "quai10.org", false },
   { "qualite-ecole-et-formation.ch", true },
@@ -30200,7 +31217,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qualpay.biz", true },
   { "qualtrics.com", true },
   { "quant-labs.de", true },
-  { "quantaloupe.tech", true },
   { "quanterra.ch", true },
   { "quantolytic.de", true },
   { "quantoras.com", true },
@@ -30222,11 +31238,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "qubes-os.org", true },
   { "qubyte.codes", true },
   { "quchao.com", true },
+  { "queencomplex.net", true },
   { "queene.eu", true },
   { "queens.lgbt", true },
   { "queensrdapartments.com.au", true },
   { "queer.party", true },
-  { "queercinema.ch", true },
   { "queercoders.com", false },
   { "queextensiones.com", true },
   { "quehacerencusco.com", true },
@@ -30241,24 +31257,29 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "quentinchevre.ch", true },
   { "queo.com.co", true },
   { "quera.ir", true },
+  { "quermail.com", true },
   { "query-massage.com", true },
   { "question.com", true },
-  { "questoj.cn", true },
   { "questsocial.it", true },
   { "quevisiongrafica.com", true },
   { "quic.stream", true },
   { "quickboysvrouwen2.nl", true },
   { "quickinfosystem.com", true },
+  { "quickrelations.de", true },
+  { "quieroserbombero.org", true },
   { "quiet-waters.org", true },
   { "quietapple.org", true },
+  { "quietboy.net", true },
   { "quikchange.net", true },
   { "quikpay.com.au", true },
-  { "quilmo.com", true },
   { "quimatic.com.br", true },
   { "quinnlabs.com", true },
   { "quinoa24.com", true },
   { "quintessa.org", true },
   { "quintype.com", true },
+  { "quiq-api.com", true },
+  { "quiq-cdn.com", true },
+  { "quiq.us", true },
   { "quire.io", true },
   { "quisido.com", true },
   { "quitarlasmanchasde.com", true },
@@ -30294,8 +31315,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "r-ay.cn", true },
   { "r-rwebdesign.com", true },
   { "r-t-b.fr", true },
-  { "r0t.co", true },
-  { "r0uzic.net", true },
   { "r1a.eu", true },
   { "r1ch.net", true },
   { "r2d2pc.com", true },
@@ -30318,24 +31337,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "raah.co", true },
   { "rabbit.wales", false },
   { "rabbitfinance.com", true },
+  { "rabbitinternet.com", true },
   { "rabica.de", true },
   { "rabotaescort.com", true },
   { "rabynska.eu", true },
   { "raccoltarifiuti.com", true },
-  { "racdek.com", true },
-  { "racdek.net", true },
-  { "racdek.nl", true },
   { "racermaster.xyz", true },
   { "racesport.nl", false },
   { "raceviewcycles.com", true },
   { "raceviewequestrian.com", true },
-  { "rachaelrussell.com", true },
   { "rachelchen.me", true },
   { "racheldiensthuette.de", true },
   { "rachelmoorelaw.com", true },
   { "rachelreagan.com", true },
   { "rachelsbouncycastles.co.uk", true },
   { "rachida-dati.eu", true },
+  { "rachurch.net", true },
   { "racius.com", true },
   { "rackerlab.com", false },
   { "raclet.co.uk", true },
@@ -30343,10 +31360,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "racoo.net", true },
   { "racozo.com", true },
   { "racunovodstvo-prina.si", true },
-  { "rada-group.eu", true },
   { "radar.sx", true },
   { "radaravia.ru", true },
-  { "radarnext.com", true },
+  { "radarbanyumas.co.id", true },
   { "radartatska.se", true },
   { "radartek.com", true },
   { "radcube.hu", true },
@@ -30359,22 +31375,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "radio-pulsar.eu", true },
   { "radio-utopie.de", true },
   { "radio1.ie", true },
-  { "radioactivenetwork.xyz", true },
+  { "radiobox.net", true },
+  { "radiocommg.com.br", true },
+  { "radiocomsaocarlos.com.br", true },
   { "radiofmimagen.net", true },
   { "radioheteroglossia.com", true },
   { "radioilusion.es", true },
   { "radiom.fr", true },
   { "radiomodem.dk", true },
   { "radiomontebianco.it", true },
-  { "radionicabg.com", true },
   { "radiopolarniki.spb.ru", true },
-  { "radior9.it", true },
   { "radiormi.com", true },
   { "radiorsvp.com", false },
   { "radiosendungen.com", true },
   { "radis-adopt.com", true },
+  { "radiumone.io", true },
   { "radiumtree.com", true },
-  { "radom-pack.pl", true },
   { "radondetectionandcontrol.com", true },
   { "radreisetraumtreibstoff.de", true },
   { "radyabkhodro.net", true },
@@ -30386,18 +31402,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rafey.xyz", true },
   { "raffaellaosti.com", true },
   { "rafleatherdesign.com", true },
-  { "raft.pub", true },
   { "rafting-japan.com", true },
   { "ragasto.nl", true },
   { "rage-overload.ch", true },
   { "rage.rip", true },
   { "rage4.com", true },
-  { "raghavdua.in", true },
   { "rahulpnath.com", true },
   { "raidensnakesden.co.uk", true },
   { "raidensnakesden.com", true },
   { "raidensnakesden.net", true },
   { "raidstone.net", true },
+  { "raiffeisen-kosovo.com", true },
   { "rail-o-rama.nl", true },
   { "rail24.nl", true },
   { "rail360.nl", true },
@@ -30424,6 +31439,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rainstormsinjuly.co", true },
   { "rainville.me", true },
   { "rainway.io", true },
+  { "raipet.no-ip.biz", true },
+  { "raisecorp.com", true },
   { "raiseyourflag.com", true },
   { "raissarobles.com", true },
   { "raito.win", true },
@@ -30434,6 +31451,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "raku.bzh", true },
   { "rakugokai.net", true },
   { "ralf-huebscher.de", true },
+  { "ralfs-zusizone.de", true },
   { "ralimtek.com", false },
   { "rally-base.com", true },
   { "rally-base.cz", true },
@@ -30448,11 +31466,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "raltha.com", true },
   { "ram-it.nl", true },
   { "ram.nl", true },
+  { "ramarka.de", true },
   { "rambo.codes", true },
   { "rammstein-portugal.com", true },
-  { "ramrecha.com", true },
+  { "ramrecha.com", false },
   { "ramsor-gaming.de", true },
   { "randc.org", true },
+  { "randolf.ca", true },
   { "random-samplings.org", true },
   { "randomadversary.com", true },
   { "randombit.eu", false },
@@ -30461,6 +31481,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "randomkoalafacts.com", true },
   { "randomprecision.co.uk", true },
   { "randomquotesapp.com", true },
+  { "randomrepo.com", true },
+  { "randomserver.pw", true },
   { "ranfurlychambers.co.nz", true },
   { "rangde.org", true },
   { "rangercollege.edu", true },
@@ -30470,17 +31492,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ranktopay.com", true },
   { "ranson.com.au", true },
   { "rante.com", true },
-  { "ranyeh.co", true },
   { "ranyeh.com", true },
   { "ranzbak.nl", true },
   { "raoul-kieffer.net", true },
-  { "rapdogg.com", true },
   { "rapenroer.com", true },
   { "rapenroer.nl", true },
   { "raphael.li", true },
   { "raphaeladdile.com", true },
   { "raphaelcasazza.ch", true },
-  { "raphaelmoura.ddns.net", true },
   { "raphaelschmid.eu", true },
   { "raphrfg.com", true },
   { "rapidapp.io", true },
@@ -30497,9 +31516,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rascals-castles.co.uk", true },
   { "rascalscastles.co.uk", true },
   { "rascalscastlesdoncaster.co.uk", true },
-  { "rasebo.ro", true },
   { "raspii.tech", true },
-  { "raspitec.ddns.net", true },
   { "rasty.cz", true },
   { "ratd.net", true },
   { "ratebridge.com", true },
@@ -30511,19 +31528,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rationalism.com", true },
   { "rationalops.com", true },
   { "rattenkot.io", true },
-  { "rauchenwald.net", true },
   { "raulrivero.es", true },
   { "rault.io", true },
-  { "raum4224.de", true },
   { "rauros.net", true },
   { "rautelow.de", true },
+  { "ravada-vdi.com", true },
+  { "ravanalk.com", true },
   { "ravchat.com", true },
   { "raven.dog", true },
   { "ravenger.net", true },
   { "ravensbuch.de", true },
   { "ravhaaglanden.org", true },
   { "ravindran.me", true },
-  { "raviparekh.co.uk", true },
   { "ravis.org", true },
   { "ravkr.duckdns.org", true },
   { "rawdutch.nl", true },
@@ -30534,27 +31550,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ray-home.de", true },
   { "ray-works.de", true },
   { "rayan-it.ir", true },
-  { "rayanitco.com", true },
   { "rayiris.com", true },
   { "raykitchenware.com", true },
   { "raymcbride.com", true },
   { "raymd.de", true },
   { "raymii.org", true },
-  { "raymondelooff.nl", true },
   { "raystark.com", true },
   { "rayworks.de", true },
+  { "razberry.kr", true },
   { "razeen.me", true },
   { "razeencheng.com", true },
   { "raziskovalec-resnice.com", true },
   { "razvanburz.net", true },
-  { "rbcservicehub-uat.azurewebsites.net", true },
   { "rbensch.com", true },
   { "rbflote.lv", true },
   { "rbltracker.com", true },
-  { "rbmafrica.co.za", true },
+  { "rbmland.com", true },
   { "rbnet.xyz", true },
   { "rbran.com", true },
-  { "rburchell.com", true },
   { "rbx-talk.xyz", true },
   { "rc-offi.net", true },
   { "rc-rp.com", true },
@@ -30562,6 +31575,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rca.fr", true },
   { "rcd.cz", true },
   { "rcdocuments.com", true },
+  { "rcgoncalves.pt", true },
+  { "rchavez.site", true },
   { "rchrdsn.uk", true },
   { "rcifsgapinsurance.co.uk", true },
   { "rclsm.net", true },
@@ -30582,20 +31597,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rdmrotterdam.nl", true },
   { "rdmtaxservice.com", true },
   { "rdns.cc", true },
+  { "rdv-cni.fr", true },
   { "rdv-prefecture.com", true },
   { "rdwh.tech", true },
-  { "rdxsattamatka.mobi", true },
   { "re-curi.com", true },
   { "re-engines.com", true },
   { "reachhead.com", true },
+  { "reachonline.org", true },
   { "reachrss.com", true },
   { "reaconverter.com", true },
   { "react-db.com", true },
+  { "reactions.studio", true },
   { "reactivarte.es", true },
   { "reactive-press.com", true },
   { "reactpwa.com", true },
   { "read.sc", true },
   { "reades.co.uk", true },
+  { "reades.uk", true },
   { "readheadcopywriting.com", true },
   { "readingandmath.org", true },
   { "readingrats.de", true },
@@ -30603,6 +31621,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "readonly.de", true },
   { "readouble.com", false },
   { "reads.wang", true },
+  { "readybetwin.com", true },
+  { "readyrowan.com", true },
+  { "readyrowan.org", true },
   { "readysell.net", true },
   { "readytobattle.net", true },
   { "readytongue.com", true },
@@ -30616,6 +31637,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "realestatemarketingblog.org", true },
   { "realestateonehowell.com", true },
   { "realestateradioshow.com", true },
+  { "realfood.space", true },
   { "realfreedom.city", true },
   { "realhorsegirls.net", true },
   { "realhypnosistraining.com.au", true },
@@ -30646,6 +31668,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "reancos.report", true },
   { "reanimated.eu", true },
   { "reath.me", true },
+  { "reath.xyz", true },
   { "reaven.nl", true },
   { "rebane2001.com", true },
   { "rebeagle.com", true },
@@ -30656,16 +31679,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rebirthia.me", true },
   { "reboxetine.com", true },
   { "reboxonline.com", true },
-  { "rebtoor.com", true },
   { "recalls.gov", true },
   { "recantoshop.com", true },
   { "recantoshop.com.br", true },
   { "recapp.ch", true },
   { "recaptcha-demo.appspot.com", true },
+  { "recard.vn", true },
   { "receiliart.com", true },
   { "receptionpoint.com", true },
-  { "receptionsbook.com", true },
   { "recepty.eu", true },
+  { "recetasdecocinaideal.com", true },
   { "recetin.com", true },
   { "rechenknaecht.de", true },
   { "rechtsanwaeltin-vollmer.de", true },
@@ -30675,13 +31698,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "recipex.ru", true },
   { "recipeyak.com", true },
   { "reckontalk.com", true },
-  { "reclamebureau-ultrax.nl", true },
   { "reclametoolz.nl", true },
   { "reclusiam.net", true },
   { "recmon.hu", true },
   { "reco-studio.de", true },
   { "recolic.net", true },
   { "recommended.reviews", true },
+  { "recompiled.org", true },
   { "recon-networks.com", true },
   { "reconexion.life", true },
   { "recordeuropa.com", false },
@@ -30693,9 +31716,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "recuerdafilms.com", true },
   { "recuperodatiraidfastec.it", true },
   { "recurly.com", true },
+  { "recurrentmeningitis.org", true },
+  { "recursosdeautoayuda.com", true },
   { "recyclingpromotions.us", true },
   { "red-t-shirt.ru", true },
-  { "red-trigger.net", true },
   { "red2fred2.com", true },
   { "redable.hosting", true },
   { "redable.nl", true },
@@ -30729,14 +31753,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rede-t.com", true },
   { "redelectrical.co.uk", true },
   { "redessantaluzia.com.br", true },
+  { "redflare.com.au", true },
   { "redfox-infosec.de", true },
   { "redfoxmarketiing.com", true },
   { "redgatesoftware.co.uk", true },
   { "redgoose.ca", true },
   { "redhandedsecurity.com.au", true },
-  { "redheeler.com.br", true },
   { "redicals.com", true },
-  { "redigest.it", true },
   { "redir.me", true },
   { "redirect.fedoraproject.org", true },
   { "redirect.stg.fedoraproject.org", true },
@@ -30745,32 +31768,37 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rediverge.com", true },
   { "redivis.com", true },
   { "redleslie.com", true },
-  { "redletter.link", true },
   { "redlinelap.com", true },
   { "redlink.de", true },
   { "redmind.se", true },
+  { "redmondtea.com", true },
   { "redmore.me", true },
   { "redneragenturen.org", true },
   { "rednsx.org", true },
   { "redpact.com", true },
   { "redprice.by", true },
+  { "redscan.com", true },
+  { "redshell.pw", true },
   { "redshield.co", true },
   { "redshiftlabs.com.au", true },
   { "redshoeswalking.net", true },
   { "redsicom.com", true },
   { "redsquarelasvegas.com", true },
-  { "redsquirrelcampsite.co.uk", true },
   { "redstoner.com", true },
   { "redteam-pentesting.de", true },
   { "redwaterhost.com", true },
   { "redweek.com", true },
+  { "redwhey.com", true },
   { "redwoodpaddle.es", true },
   { "redwoodpaddle.pt", true },
+  { "redzonedaily.com", true },
   { "redzurl.com", false },
   { "reed-sensor.com", true },
   { "reedloden.com", true },
   { "reedyforkfarm.com", true },
   { "reegle.com", true },
+  { "reening.net", true },
+  { "reensshop.com", true },
   { "rees-carter.net", true },
   { "reesmichael1.com", true },
   { "reevaappliances.co.uk", true },
@@ -30783,6 +31811,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "reflectivity.io", true },
   { "reflectores.net", true },
   { "refletindosaude.com.br", true },
+  { "reflets.info", true },
   { "reflexions.co", true },
   { "reflexive-engineering.com", true },
   { "reflexive.xyz", true },
@@ -30802,6 +31831,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "reganclassics.com", true },
   { "reganparty.com", true },
   { "regar42.fr", false },
+  { "regasportshop.it", true },
   { "regeneo.cz", true },
   { "regenerapoint.it", true },
   { "regenerescence.com", true },
@@ -30825,6 +31855,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "registrarplus.net", true },
   { "registrarplus.nl", true },
   { "registryplus.net", true },
+  { "registryplus.nl", true },
   { "regmyr.se", true },
   { "regnix.net", true },
   { "regnr.info", true },
@@ -30832,15 +31863,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "regraph.de", true },
   { "regresionavidaspasadas.com", true },
   { "regularflolloping.com", true },
+  { "regularizaeudora.com.br", true },
   { "regulations.gov", true },
   { "reha-honpo.jp", true },
   { "rehabili-shigoto.com", true },
   { "rehabilitation.network", true },
   { "rehabmail.com", true },
   { "rehabphilippines.com", true },
+  { "rehabreviews.com", true },
   { "rehabthailand.com", true },
   { "rehabthailand.org", true },
-  { "reher.pro", true },
   { "rei.ki", true },
   { "reichardt-home.goip.de", true },
   { "reichel-steinmetz.de", true },
@@ -30867,10 +31899,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "reinouthoornweg.nl", true },
   { "reinventetoi.com", false },
   { "reisekosten-gorilla.com", true },
-  { "reisenbauer.ee", true },
   { "reiseversicherung-werner-hahn.de", true },
   { "reishunger.de", true },
   { "reisslittle.com", true },
+  { "reittherapie-tschoepke.de", true },
   { "rejahrehim.com", true },
   { "rejects.email", true },
   { "rejsehuskelisten.dk", true },
@@ -30903,7 +31935,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "remedionaturales.com", true },
   { "remedioparaherpes.com", true },
   { "remedios-caserospara.com", true },
-  { "remedioscaserosparalacistitis.com", true },
   { "remejeanne.com", true },
   { "rememberthemilk.com", false },
   { "remi-saurel.com", true },
@@ -30925,17 +31956,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "renaissanceplasticsurgery.net", true },
   { "renascentia.asia", true },
   { "renaultclubticino.ch", true },
+  { "rendall.tv", true },
   { "renderloop.com", true },
   { "rendre-service.ch", true },
   { "rene-schwarz.com", true },
   { "rene-stolp.de", true },
   { "renearends.nl", true },
   { "renedekoeijer.com", true },
-  { "renedekoeijer.nl", true },
   { "renee.today", true },
   { "reneleu.ch", true },
   { "renem.net", false },
-  { "renemayrhofer.com", true },
+  { "renemayrhofer.com", false },
   { "reneschmidt.de", true },
   { "renewablefreedom.org", true },
   { "renewablemaine.org", true },
@@ -30947,31 +31978,33 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "renkenlaw.com", true },
   { "renlen.nl", true },
   { "renov8sa.co.za", true },
+  { "renovablesverdes.com", true },
   { "renovum.es", true },
   { "renrenche.com", false },
   { "rens.nu", true },
-  { "renscreations.com", true },
+  { "rensa-datorn.se", true },
+  { "rent-a-c.io", true },
   { "rent-a-coder.de", true },
   { "rentacaramerica.com", true },
-  { "rentasweb.gob.ar", true },
+  { "rentandgo.it", true },
+  { "rentayventadecarpas.com", true },
   { "renthelper.us", true },
   { "rentinsingapore.com.sg", true },
   { "rentourhomeinprovence.com", true },
   { "renuo.ch", true },
   { "renxinge.cn", false },
-  { "reo.gov", true },
-  { "reorz.com", true },
   { "reox.at", false },
   { "repaik.com", true },
   { "repair.by", true },
   { "repaper.org", true },
-  { "reparo.pe", true },
   { "repaxan.com", true },
   { "repkord.com", true },
+  { "replace.ninja", true },
   { "replicaswiss.nl", true },
   { "repology.org", true },
   { "report-uri.com", true },
   { "report2psb.online", true },
+  { "reportband.gov", true },
   { "reporting.gov", true },
   { "reproduciblescience.org", true },
   { "reproductive-revolution.com", true },
@@ -30987,7 +32020,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "repugnant-conclusion.com", true },
   { "repugnantconclusion.com", true },
   { "reputationweaver.com", true },
-  { "reqrut.net", true },
   { "requestr.co.uk", true },
   { "res-kc.com", true },
   { "resama.eu", true },
@@ -31012,6 +32044,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "resolving.com", true },
   { "resoplus.ch", true },
   { "resort-islands.net", true },
+  { "resortafroditatucepi.com", true },
   { "resortohshima.com", true },
   { "resourceconnect.com", true },
   { "resourceguruapp.com", true },
@@ -31021,6 +32054,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "respectmyprivacy.net", true },
   { "respectmyprivacy.nl", true },
   { "respecttheflame.com", true },
+  { "respiranto.de", true },
   { "respon.jp", true },
   { "responer.com", true },
   { "responsepartner.com", true },
@@ -31029,13 +32063,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "responsivepaper.com", true },
   { "respostas.com.br", true },
   { "ressl.ch", true },
+  { "restaurant-de-notenkraker.be", true },
   { "restaurant-oregano.de", true },
   { "restaurant-rosengarten.at", true },
   { "restaurantguru.com", true },
   { "restaurantmaan.nl", true },
   { "restauranttester.at", true },
-  { "rester-a-domicile.ch", true },
-  { "rester-autonome-chez-soi.ch", true },
   { "restoran-radovce.me", true },
   { "restorethegulf.gov", true },
   { "restoruns.com", true },
@@ -31044,16 +32077,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "restrito.org", true },
   { "resultsatretail.com", true },
   { "resursedigitale.ro", true },
-  { "retcor.net", true },
   { "retefarmaciecostadamalfi.it", true },
   { "retetenoi.net", true },
-  { "retetop95.it", true },
+  { "reticket.me", true },
   { "reticon.de", true },
   { "retmig.dk", true },
   { "reto.ch", true },
   { "reto.com", true },
   { "reto.io", true },
   { "retokromer.ch", true },
+  { "retornaz.com", true },
+  { "retornaz.eu", true },
+  { "retornaz.fr", true },
   { "retractableawningssydney.com.au", true },
   { "retro.rocks", true },
   { "retro.sx", true },
@@ -31063,10 +32098,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "retrofitlab.com", true },
   { "retroity.net", true },
   { "retrojar.top", true },
-  { "retronet.nl", true },
+  { "retroride.cz", true },
   { "retroroundup.com", true },
   { "retrotracks.net", true },
   { "retrovideospiele.com", true },
+  { "returnonerror.com", true },
   { "returnpath.com", true },
   { "reucon.com", true },
   { "reulitz.de", true },
@@ -31080,7 +32116,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "revayd.net", true },
   { "revensoftware.com", true },
   { "reverencestudios.com", true },
-  { "reverse.design", true },
   { "reverseaustralia.com", true },
   { "reversecanada.com", true },
   { "reverseloansolutions.com", true },
@@ -31093,6 +32128,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "revision.co.zw", true },
   { "revisionnotes.xyz", true },
   { "revisit.date", true },
+  { "revista-programar.info", true },
   { "revivalinhisword.com", true },
   { "revivalprayerfellowship.com", true },
   { "revivingtheredeemed.org", true },
@@ -31112,7 +32148,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rezosup.org", true },
   { "rezultant.ru", true },
   { "rftoon.com", true },
-  { "rfxanalyst.com", true },
   { "rga.sh", true },
   { "rgavmf.ru", true },
   { "rgbinnovation.com", true },
@@ -31124,15 +32159,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rhees.nl", true },
   { "rhein-liebe.de", true },
   { "rheinneckarmetal.com", true },
-  { "rheinturm.nrw", true },
   { "rheocube.com", true },
   { "rhese.net", true },
   { "rhetorical.ml", true },
-  { "rheuma-online.de", true },
   { "rhevelo.com", true },
   { "rhinelander.ca", true },
+  { "rhinobase.net", true },
   { "rhinoceroses.org", true },
-  { "rhnet.at", true },
   { "rhodenmanorcattery.co.uk", true },
   { "rhodri.io", true },
   { "rhowell.io", true },
@@ -31143,10 +32176,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "riajenaka.com", true },
   { "riaki.net", true },
   { "rial.space", true },
+  { "riaucybersolution.net", false },
   { "ribs.com", true },
   { "ricardo.nu", true },
   { "ricardobalk.nl", true },
   { "ricardopq.com", true },
+  { "ricaribeiro.com.br", true },
   { "ricaud.me", true },
   { "riccardopiccioni.it", true },
   { "riccy.org", true },
@@ -31156,21 +32191,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "richardfeinbergdds.com", true },
   { "richardharpur.com", true },
   { "richardhering.de", true },
+  { "richardhicks.us", true },
   { "richardjgreen.net", true },
   { "richardlangworth.com", true },
   { "richardlevinmd.com", true },
   { "richardlugten.nl", true },
   { "richardramos.me", true },
   { "richardrblocker.net", true },
+  { "richardschut.nl", true },
   { "richardson.cam", true },
   { "richardson.engineering", true },
   { "richardson.pictures", true },
   { "richardson.software", true },
   { "richardson.systems", true },
+  { "richardson.tw", true },
   { "richardstonerealestate.com", true },
   { "richardwarrender.com", true },
+  { "richeyweb.com", true },
   { "richie.fi", true },
-  { "richonrails.com", true },
   { "ricketyspace.net", true },
   { "ricki-z.com", true },
   { "rickrongen.nl", true },
@@ -31185,15 +32223,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ricoydesign.com", true },
   { "ricozienke.de", true },
   { "riddims.co", true },
-  { "ride-up.com", true },
+  { "rideintaxi.com", true },
   { "rideways.com", true },
   { "rideyourdamn.bike", true },
   { "ridgelandchurch.org", true },
+  { "ridhaan.co", true },
   { "ridingboutique.de", true },
+  { "ridwan.co", false },
   { "riederle.com", true },
   { "riemer.ml", true },
   { "riesenweber.id.au", true },
   { "riesheating.com", true },
+  { "rievo.net", true },
   { "riffreporter.de", true },
   { "rifkivalkry.net", true },
   { "rift.pictures", true },
@@ -31202,7 +32243,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "righettod.eu", true },
   { "righini.ch", true },
   { "rightbrain.training", true },
-  { "rightcapital.com", true },
   { "rightmovecanada.com", true },
   { "rightnetworks.com", true },
   { "rightstuff.link", true },
@@ -31210,6 +32250,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rigolitch.fr", true },
   { "rigsalesaustralia.com", true },
   { "rijk-catering.nl", false },
+  { "rijschoolrichardschut.nl", true },
+  { "rijschoolsafetyfirst.nl", true },
   { "rijsinkunst.nl", false },
   { "rik.onl", true },
   { "riku.pw", true },
@@ -31217,7 +32259,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rileyevans.co.uk", true },
   { "rimax.vn", true },
   { "rimcountrymuseum.org", true },
-  { "rimediogiusto.com", true },
   { "rimeto.io", true },
   { "rimo.site", true },
   { "rimorrecherche.nl", true },
@@ -31228,12 +32269,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rio-weimar.de", true },
   { "rioshop.com.br", true },
   { "rioxmarketing.com", true },
+  { "rioxmarketing.pt", true },
   { "rip-sport.cz", true },
   { "ripaton.fr", true },
   { "ripcorddesign.com", true },
   { "ripcordsandbox.com", true },
   { "ripmixmake.org", true },
   { "riqy86.nl", true },
+  { "ris-bad-wurzach.de", true },
   { "ris.fi", true },
   { "risada.nl", true },
   { "risaphuketproperty.com", true },
@@ -31251,6 +32294,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ristoviitanen.fi", true },
   { "ristrutturazioneappartamento.roma.it", true },
   { "rit.space", false },
+  { "ritirocalcinacci.viterbo.it", true },
   { "rittau.biz", true },
   { "rittau.org", true },
   { "ritzlux.com.tw", true },
@@ -31258,7 +32302,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rivalsa.cn", true },
   { "rivastation.de", true },
   { "riverbanktearooms.co.uk", true },
-  { "riverbed.com", false },
   { "riverbendroofingnd.com", true },
   { "riverford.co.uk", true },
   { "rivermist.com.au", true },
@@ -31294,16 +32337,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rmcbs.de", true },
   { "rmeuropean.com", true },
   { "rmf.io", true },
+  { "rmi.com.ar", true },
   { "rmm-i.com", true },
   { "rmmanfredi.com", true },
   { "rmpsolution.de", true },
   { "rmrig.org", true },
+  { "rms-digicert.ne.jp", true },
   { "rms.sexy", true },
+  { "rmstudio.tw", true },
   { "rmsupply.nl", true },
-  { "rn29.me", true },
   { "rnag.ie", true },
   { "rnb-storenbau.ch", true },
-  { "rnbjunk.com", true },
   { "rngmeme.com", true },
   { "rnt.cl", true },
   { "ro.search.yahoo.com", false },
@@ -31311,21 +32355,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "roadguard.nl", false },
   { "roadtopgm.com", true },
   { "roams.es", true },
-  { "roave.com", true },
   { "rob006.net", true },
   { "robandjanine.com", true },
   { "robbertt.com", false },
   { "robbiecrash.me", true },
   { "robdavidson.network", true },
   { "robert-flynn.de", true },
+  { "robert-wiek-transporte.de", true },
   { "robertattfield.com", true },
   { "robertayamashita.com", true },
   { "robertayamashita.com.br", true },
   { "robertbln.com", true },
-  { "robertg.me", true },
-  { "robertglastra.com", true },
   { "roberthurlbut.com", true },
   { "robertkrueger.de", true },
+  { "robertlluberes.com", true },
   { "robertlysik.com", true },
   { "robertnemec.com", true },
   { "robertoentringer.com", true },
@@ -31337,16 +32380,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "robhorstmanshof.nl", true },
   { "robicue.com", true },
   { "robigalia.org", false },
-  { "robin-novotny.com", true },
   { "robin.co.kr", true },
   { "robin.info", true },
-  { "robinadr.com", true },
   { "robinevandenbos.nl", true },
   { "robinflikkema.nl", true },
+  { "robinfrancq.ml", true },
   { "robinhoodbingo.com", true },
   { "robinlinden.eu", true },
   { "robinsonstrategy.com", true },
   { "robinsonyu.com", true },
+  { "robinvdmarkt.nl", true },
   { "robinwill.de", true },
   { "robinwinslow.uk", true },
   { "robjager-fotografie.nl", true },
@@ -31367,7 +32410,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "robpol86.com", true },
   { "robspc.repair", true },
   { "robspeed.rocks", true },
-  { "robtatemusic.com", true },
+  { "robtex.com", true },
   { "robu.in", true },
   { "robud.info", true },
   { "robustac.com", true },
@@ -31377,10 +32420,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rockagogo.com", true },
   { "rockbankland.com.au", true },
   { "rockcanyonbank.com", true },
-  { "rockcellar.ch", true },
   { "rockenfuerlachenhelfen.de", true },
+  { "rocket-wars.de", true },
   { "rocketevents.com.au", true },
-  { "rocketgnomes.com", true },
   { "rocketr.net", true },
   { "rocketsandtutus.com", true },
   { "rockfax.com", true },
@@ -31398,25 +32440,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rodeobull.biz", true },
   { "rodeohire.com", true },
   { "rodeosales.co.uk", true },
+  { "rodest.net", true },
   { "rodevlaggen.nl", true },
   { "rodichi.net", true },
   { "rodinnebyvanie.eu", true },
+  { "rodinneodpoledne2018.cz", true },
   { "rodolfo.gs", true },
   { "rodomonte.org", true },
   { "rodrigocarvalho.blog.br", true },
+  { "rody-design.com", true },
+  { "rodykossen.com", true },
   { "rodzina-kupiec.eu.org", true },
   { "roeckx.be", true },
   { "roeitijd.nl", false },
   { "roeldevries.me", true },
   { "roeleveld.nl", true },
   { "roelhollander.eu", true },
-  { "roeljoyas.com", true },
   { "roelof.io", true },
   { "roelsworld.eu", true },
   { "roemhild.de", true },
   { "roerstaafjes.nl", true },
   { "rofl.com.ua", true },
-  { "roflcopter.fr", true },
   { "rogagym.com", true },
   { "rogerhub.com", true },
   { "rogerriendeau.ca", true },
@@ -31427,9 +32471,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rogoff.xyz", true },
   { "rogue-e.xyz", true },
   { "roguefinancial.com", true },
+  { "roguefortgame.com", true },
   { "roguenation.space", true },
   { "roguenetworks.me", true },
-  { "roguesignal.net", true },
   { "roguetechhub.org", true },
   { "rohedaten.de", true },
   { "rohitagr.com", true },
@@ -31438,7 +32482,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rokass.nl", true },
   { "rokki.ch", true },
   { "rokort.dk", true },
-  { "roksolana.be", true },
   { "rokudenashi.de", true },
   { "roland.io", true },
   { "rolandinsh.com", true },
@@ -31457,7 +32500,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "roma-servizi.it", true },
   { "romab.com", true },
   { "romain-arias.fr", true },
-  { "romainmuller.xyz", false },
   { "roman-pavlik.cz", true },
   { "romancloud.com", true },
   { "romande-entretien.ch", true },
@@ -31479,17 +32521,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rommelwood.de", true },
   { "romun.net", true },
   { "romy.tw", true },
-  { "ronanrbr.com", true },
   { "rondommen.nl", true },
   { "rondouin.fr", true },
   { "rondreis-amerika.be", true },
   { "rondreis-schotland.nl", true },
+  { "ronem.com.au", true },
   { "roninf.ch", true },
   { "roninitconsulting.com", true },
   { "ronniegane.kiwi", true },
   { "ronnylindner.de", true },
   { "ronomon.com", true },
-  { "ronzertnert.xyz", true },
   { "roodfruit.studio", true },
   { "roodhealth.co.uk", true },
   { "roof.ai", false },
@@ -31503,11 +32544,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "room2d.com", true },
   { "room3b.eu", true },
   { "roombase.nl", true },
+  { "roomguide.info", true },
   { "roomhub.jp", true },
-  { "roomongo.com", true },
+  { "roomsatevents.eu", true },
   { "rooneytours.nl", true },
   { "roopakv.com", true },
   { "roosabels.nl", false },
+  { "roosteroriginals.com", false },
   { "root-space.eu", true },
   { "root.bg", true },
   { "root.cz", true },
@@ -31519,6 +32562,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rootkea.me", true },
   { "rootlair.com", true },
   { "rootonline.de", true },
+  { "rootpigeon.com", true },
   { "roots-example-project.com", true },
   { "roots.io", true },
   { "rootsandrain.com", true },
@@ -31542,22 +32586,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rosemariefloydballet.com", true },
   { "rosenheimsingles.de", true },
   { "rosenkeller.org", true },
-  { "roseofyork.com", true },
   { "roseofyorkbooking.com", true },
   { "roseon.net", true },
   { "roseparkhouse.com", true },
   { "rosesciences.com", true },
+  { "rosevillefacialplasticsurgery.com", true },
   { "roshhashanahfun.com", true },
-  { "roshiya.co.in", true },
   { "roslynpad.net", true },
   { "rosnertexte.at", true },
   { "rosset.me", true },
   { "rosset.net", true },
-  { "rossfrancis.co.uk", true },
   { "rossmacphee.com", true },
   { "rostclub.ro", true },
   { "rostov-avia.ru", true },
+  { "rostros.eu", true },
   { "rot47.net", true },
+  { "rotapalor.com", true },
   { "rotek.at", true },
   { "roten.email", true },
   { "rothe.io", true },
@@ -31587,65 +32631,36 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "routetracker.co", true },
   { "rove3d.com", true },
   { "rowancasting.ie", true },
+  { "rowancounty911.com", true },
+  { "rowancounty911.org", true },
+  { "rowancountyairport.com", true },
+  { "rowancountync.gov", true },
   { "rowankaag.nl", true },
+  { "rowanpubliclibrary.com", true },
+  { "rowansheriff.com", true },
+  { "rowansheriff.org", true },
+  { "rowantransit.com", true },
+  { "rowantransit.org", true },
   { "rowlog.com", true },
   { "rows.io", true },
   { "roxiesbouncycastlehire.co.uk", true },
   { "roxtri.cz", true },
   { "royal-rangers.de", true },
-  { "royal806.com", true },
-  { "royal810.com", true },
-  { "royal811.com", true },
   { "royal812.com", true },
   { "royal813.com", true },
-  { "royal816.com", true },
-  { "royal817.com", true },
   { "royal818.com", true },
-  { "royal830.com", true },
-  { "royal833.com", true },
   { "royal850.com", true },
-  { "royal851.com", true },
-  { "royal852.com", true },
   { "royal853.com", true },
-  { "royal855.com", true },
-  { "royal856.com", true },
-  { "royal857.com", true },
-  { "royal859.com", true },
-  { "royal86.com", true },
-  { "royal861.com", true },
   { "royal862.com", true },
   { "royal863.com", true },
-  { "royal865.com", true },
   { "royal867.com", true },
   { "royal868.com", true },
-  { "royal869.com", true },
   { "royal871.com", true },
-  { "royal872.com", true },
-  { "royal873.com", true },
-  { "royal875.com", true },
-  { "royal877.com", true },
-  { "royal879.com", true },
   { "royal88.com", true },
-  { "royal88.tech", true },
-  { "royal881.com", true },
-  { "royal882.com", true },
-  { "royal883.com", true },
-  { "royal885.com", true },
-  { "royal886.com", true },
-  { "royal887.com", true },
-  { "royal888888.com", true },
-  { "royal889.com", true },
-  { "royal890.com", true },
-  { "royal891.com", true },
-  { "royal892.com", true },
-  { "royal893.com", true },
-  { "royal894.com", true },
-  { "royal895.com", true },
-  { "royal896.com", true },
   { "royal898.com", true },
-  { "royal899.com", true },
   { "royalacademy.org.uk", true },
   { "royalasianescorts.co.uk", true },
+  { "royalbeautyclinic.ir", true },
   { "royalbluewa3.cc", true },
   { "royalcitytaxi.ca", true },
   { "royalcitytaxi.com", true },
@@ -31653,16 +32668,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "royalmarinesassociation.org.uk", true },
   { "royalnissanparts.com", true },
   { "royalpalacenogent.fr", true },
+  { "royalpub.net", false },
   { "royalrangers.fi", true },
   { "royalty-market.com", true },
-  { "royalyule.com", true },
   { "royceandsteph.com", true },
   { "roycewilliams.net", true },
+  { "roygerritse.nl", true },
   { "rozalynne-dawn.ga", true },
+  { "rozar.eu", true },
   { "rozhodce.cz", true },
+  { "rpadonline.com", true },
   { "rpadovani.com", true },
   { "rpauto.ru", true },
   { "rpgcampaign.website", true },
+  { "rpgchan.cf", true },
   { "rpgmaker.es", true },
   { "rpherbig.com", true },
   { "rphl.net", true },
@@ -31675,9 +32694,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rraesthetics.com", true },
   { "rrdesignsuisse.com", true },
   { "rrg-partner.ch", true },
-  { "rro.rs", true },
   { "rrudnik.com", true },
   { "rrwolfe.com", true },
+  { "rs-maschinenverleih.de", true },
   { "rsanahuano.com", true },
   { "rsap.ca", true },
   { "rsauget.fr", true },
@@ -31685,12 +32704,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rsgcard.com", true },
   { "rsingermd.com", true },
   { "rsl.gd", true },
-  { "rsm-intern.de", true },
   { "rsm-liga.de", true },
-  { "rsmith.io", false },
+  { "rsmith.io", true },
   { "rsp-blogs.de", true },
   { "rsridentassist.com", true },
   { "rss.sh", false },
+  { "rssr.ddns.net", true },
   { "rssr.se", true },
   { "rsttraining.co.uk", true },
   { "rsync.eu", false },
@@ -31698,28 +32717,26 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rtate.ca", true },
   { "rtate.se", true },
   { "rtcx.net", true },
-  { "rtd.uk.com", true },
   { "rte.eu", true },
+  { "rte.radio", true },
   { "rte2fm.ie", true },
   { "rteaertel.ie", true },
   { "rtechservices.io", true },
   { "rteguide.ie", true },
   { "rteinternational.ie", true },
   { "rtejr.ie", true },
-  { "rtek.se", false },
+  { "rtek.se", true },
   { "rtenews.eu", true },
   { "rteone.ie", true },
   { "rteplayer.com", true },
   { "rtesport.eu", true },
   { "rteworld.com", true },
-  { "rtfpessoa.xyz", true },
-  { "rths.tk", true },
+  { "rths.tk", false },
   { "rthsoftware.cn", true },
   { "rthsoftware.net", true },
   { "rtrappman.com", true },
   { "rtrinflatables.co.uk", true },
   { "rtsr.ch", true },
-  { "rttss.com", true },
   { "rttvvip.com", true },
   { "rtwcourse.com", true },
   { "rtzoeller.com", true },
@@ -31735,12 +32752,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ruben.am", false },
   { "rubenbarbero.com", true },
   { "rubenkruisselbrink.nl", true },
+  { "rubens.cloud", true },
   { "rublacklist.net", true },
   { "ruby-auf-schienen.de", true },
   { "rubyist.today", true },
   { "rubymartin.com.au", true },
-  { "rubyquincunx.com", true },
-  { "rubyquincunx.org", true },
   { "rubytune.com", true },
   { "rucksack-rauf-und-weg.de", true },
   { "ruckzuck-privatpatient.de", true },
@@ -31748,6 +32764,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ruconsole.com", true },
   { "rud.is", true },
   { "rudd-o.com", true },
+  { "rudelune.fr", true },
   { "rudewiki.com", true },
   { "rudhaulidirectory.com", true },
   { "rudloff.pro", true },
@@ -31770,7 +32787,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ruhrmobil-e.de", true },
   { "ruhrnalist.de", true },
   { "ruht.ro", true },
-  { "ruigomes.me", true },
+  { "ruicore.cn", true },
   { "ruiming.me", true },
   { "ruin.one", true },
   { "ruiruigeblog.com", true },
@@ -31785,10 +32802,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rumplesinflatables.co.uk", true },
   { "rumtaste.com", true },
   { "rumtaste.de", true },
+  { "run-forrest.run", false },
   { "run-it-direct.co.uk", true },
   { "runagain.ch", true },
   { "runebet.com", true },
-  { "runementors.com", false },
+  { "runefake.com", true },
   { "runklesecurity.com", true },
   { "runnergrapher.com", true },
   { "runreport.fr", true },
@@ -31802,6 +32820,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ruralsuppliesdirect.co.uk", true },
   { "ruri.io", false },
   { "rusempire.ru", true },
+  { "rushball.net", true },
   { "rushiiworks.com", true },
   { "rushpoppershop.co.uk", true },
   { "rushter.com", true },
@@ -31810,7 +32829,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ruska-modra.cz", true },
   { "ruskamodra.cz", true },
   { "ruskod.net", true },
-  { "rusl.net", true },
   { "rusmolotok.ru", true },
   { "russellupevents.co.uk", true },
   { "russia.dating", true },
@@ -31822,38 +32840,37 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rustable.com", true },
   { "rustikalwallis.ch", true },
   { "rustyrambles.com", true },
+  { "rusxakep.com", true },
   { "rutgerschimmel.nl", true },
-  { "ruthmontenegro.com", true },
+  { "ruthmontenegro.com", false },
   { "rutiger.com", true },
   { "rutika.ru", true },
+  { "rutten.me", true },
   { "ruudkoot.nl", true },
   { "ruwhof.net", true },
   { "ruya.com", true },
   { "ruyatabirleri.com", true },
   { "rv-jpshop.com", true },
   { "rva-asbestgroep.nl", true },
-  { "rvender.cz", true },
   { "rvfu98.com", true },
   { "rvnoel.net", true },
-  { "rvoigt.eu", true },
   { "rvsa2bevestigingen.nl", true },
   { "rvsa4bevestigingen.nl", true },
   { "rvsbevestigingen.nl", true },
   { "rw.search.yahoo.com", false },
-  { "rwgamernl.ml", true },
   { "rwky.net", true },
+  { "rws-cc.com", true },
   { "rws-vertriebsportal.de", true },
   { "rwx.ovh", true },
   { "rx-contact.com", false },
+  { "rxbn.de", true },
   { "rxbusiness.com", true },
   { "rxcheck.com", true },
-  { "rxgroup.io", true },
   { "rxight.com", true },
   { "ryan-design.com", true },
   { "ryan-gehring.com", true },
   { "ryan-goldstein.com", true },
   { "ryanbritton.com", true },
-  { "ryancarter.co.uk", true },
   { "ryanhowell.io", false },
   { "ryankearney.com", false },
   { "ryanmcdonough.co.uk", false },
@@ -31862,13 +32879,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "rychlikoderi.cz", true },
   { "rydermais.tk", true },
   { "rynekpierwotny.pl", true },
+  { "rynkebo.dk", true },
   { "ryois.me", true },
   { "rys.pw", true },
   { "ryssl.com", true },
   { "ryu22e.org", true },
   { "ryuu.es", true },
-  { "ryyule.com", true },
-  { "ryzex.de", true },
   { "ryzhov.me", true },
   { "rzentarzewski.net", true },
   { "s-a.xyz", true },
@@ -31877,21 +32893,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "s-huset.dk", true },
   { "s-ip-media.de", true },
   { "s-mainte.com", true },
-  { "s-mdb.com", true },
   { "s-n-unso.com", true },
   { "s-pegasus.com", true },
   { "s-s-paint.com", true },
   { "s007.co", true },
+  { "s0laris.co.uk", true },
   { "s10y.eu", true },
   { "s13d.fr", true },
   { "s16e.no", true },
   { "s2member.com", true },
+  { "s2p.moe", true },
+  { "s2t.net", true },
   { "s3cur3.it", true },
-  { "s3gfault.com", true },
   { "s3robertomarini.it", true },
   { "s404.de", true },
   { "s44.eu", true },
   { "s4db.net", true },
+  { "s4media.org", true },
   { "s4q.me", true },
   { "s4tips.com", true },
   { "s4ur0n.com", true },
@@ -31904,23 +32922,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sa.net", true },
   { "saabpartsdistribution.com", true },
   { "saamhorigheidsfonds.nl", false },
+  { "saas.de", true },
   { "saastopankki.fi", true },
   { "saba-piserver.info", true },
   { "sabahattin-gucukoglu.com", true },
   { "sabe.cz", true },
   { "sabine-forschbach.de", true },
   { "sabineforschbach.de", true },
+  { "sablyrics.com", true },
   { "sabrinajoias.com.br", true },
-  { "sabrinajoiasprontaentrega.com.br", true },
-  { "sabtunes.com", true },
   { "sacaentradas.com", true },
   { "saccani.net", true },
-  { "sacharidovejednotky.eu", true },
-  { "sackers.com", true },
   { "sackmesser.ch", true },
   { "saclier.at", true },
   { "sacprincesse.com", true },
   { "sacred-knights.net", true },
+  { "sacredheart-cliftonheights.net", true },
   { "sacrome.com", true },
   { "sadbox.es", true },
   { "sadbox.org", true },
@@ -31929,11 +32946,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sadev.co.za", true },
   { "sadhana.cz", true },
   { "sadhawkict.org", true },
-  { "sadmansh.com", true },
+  { "sadiejewellery.co.uk", true },
   { "sadou.kyoto.jp", true },
   { "saechsischer-christstollen.shop", true },
   { "saengsook.com", true },
   { "saengsuk.com", true },
+  { "saf.earth", true },
   { "safar.sk", true },
   { "safaritenten.nl", true },
   { "safcstore.com", true },
@@ -31950,12 +32968,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "safeguardcommerce.com", true },
   { "safeguardhosting.ca", true },
   { "safeinfra.nl", true },
+  { "safeitup.se", true },
   { "safejourney.education", true },
   { "safematix.com", true },
   { "safeme.ga", true },
   { "safeocs.gov", true },
   { "safer-networking.org", true },
-  { "saferpost.com", true },
   { "saferproduct.gov", true },
   { "saferproducts.gov", true },
   { "safersurfing.eu", false },
@@ -31982,25 +33000,32 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sahkotyot.eu", true },
   { "said.id", true },
   { "said.my.id", true },
+  { "saidelbakkali.com", true },
   { "saidtezel.com", true },
   { "saier.me", true },
   { "saifoundation.in", true },
   { "saigonflowers.com", true },
-  { "saigonstar.de", true },
   { "saikarra.com", true },
   { "saikou.moe", true },
   { "saikouji.tokushima.jp", true },
   { "sailingonward.com", true },
   { "sailormoonevents.org", true },
   { "sailormoonlibrary.org", true },
+  { "sailwiz.com", true },
   { "saimoe.moe", true },
   { "saimoe.org", true },
   { "sainetworks.net", true },
   { "saint-bernard-gouesch.fr", true },
   { "saint-cyril.com", true },
   { "saintaardvarkthecarpeted.com", true },
+  { "saintanne.net", true },
   { "saintanthonyscorner.com", true },
+  { "sainteugenechurch.net", true },
+  { "sainteugeneschurch.com", true },
+  { "saintfrancescabrini.net", true },
+  { "saintfrancisdesales.net", true },
   { "sainth.de", true },
+  { "sainthedwig-saintmary.org", true },
   { "sainthelena-centersquare.net", true },
   { "sainthelenas.org", true },
   { "saintisidorecyo.com", true },
@@ -32009,12 +33034,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "saintjosephschurch.net", true },
   { "saintmarkchurch.net", true },
   { "saintmaryna.com", true },
+  { "saintmaryscathedral-trenton.org", true },
   { "saintpatrick-norristown.net", true },
   { "saintpeterchurch.net", true },
   { "saintphilipneri.org", true },
   { "saintpius.net", true },
   { "saintpolycarp.org", true },
   { "saintsrobotics.com", true },
+  { "saintw.com", true },
   { "saipariwar.com", true },
   { "saiputra.com", true },
   { "saitrance.com", true },
@@ -32022,6 +33049,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sajamstudija.info", true },
   { "sajdowski.de", true },
   { "sakaki.anime.my", false },
+  { "sakamichi.moe", true },
+  { "sakerhetskopiering.nu", true },
   { "sakostacloud.de", true },
   { "sakura-paris.org", true },
   { "sakura.zone", true },
@@ -32050,6 +33079,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "salesmachine.io", true },
   { "salexy.kz", true },
   { "salidaswap.com", true },
+  { "salixcode.com", true },
   { "salland1.nl", true },
   { "salle-quali.fr", true },
   { "sallydowns.name", true },
@@ -32059,6 +33089,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "salmonvision.com.tw", true },
   { "salmos91.com", true },
   { "salmotierra-salvatierra.com", true },
+  { "salon-hinata.biz", true },
   { "salon-minipli.de", true },
   { "salon.io", false },
   { "salon1.ee", true },
@@ -32073,7 +33104,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "saltstack.cz", true },
   { "salud.top", false },
   { "saludmas.site", true },
-  { "saludsexualmasculina.org", true },
   { "saludsis.mil.co", true },
   { "saludyvida.site", true },
   { "salutethefish.com", true },
@@ -32082,13 +33112,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "salva.re", true },
   { "salvagedfurnitureparlour.com", true },
   { "sam-football.fr", true },
-  { "samanacafe.com", true },
   { "samanthasgeckos.com", true },
-  { "samanthasicecream.com", true },
   { "samappleton.com", true },
   { "samara-avia.ru", true },
   { "samaritainsmeyrin.ch", true },
   { "samatva-yogalaya.com", true },
+  { "samba.com.co", true },
   { "samba.org", true },
   { "sambaa.com.br", true },
   { "sambaash.com", true },
@@ -32096,13 +33125,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "samdev.io", true },
   { "samegoal.com", true },
   { "samegoal.org", true },
+  { "samel.de", true },
   { "samenwerkingsportaal.nl", true },
   { "samenwerkingsportaal.tk", true },
   { "sameworks.com", true },
   { "samgrayson.me", true },
   { "samhuri.net", true },
   { "samifar.in", true },
-  { "samip.fi", true },
   { "samitechnic.com", true },
   { "samizdat.cz", true },
   { "samkelleher.com", true },
@@ -32110,10 +33139,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "samlaw.co.nz", true },
   { "samlivogarv.dk", true },
   { "sammamish--locksmith.com", true },
+  { "sammyjohnson.com", true },
   { "sammyservers.com", true },
   { "sammyservers.net", true },
-  { "sammyslimos.com", true },
-  { "samnya.cn", true },
+  { "samnya.cn", false },
+  { "samplefashion.nl", true },
+  { "samri.pt", true },
   { "samrobertson.co.uk", true },
   { "samshouseofspaghetti.net", true },
   { "samsungmobile.it", true },
@@ -32124,21 +33155,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "samuellaulhau.fr", true },
   { "samui-samui.de", false },
   { "samuirehabcenter.com", true },
-  { "samvanderkris.xyz", true },
   { "samwilberforce.com", true },
   { "samwrigley.co.uk", true },
   { "samwu.tw", true },
-  { "samyerkes.com", true },
-  { "san-mian-ka.ml", true },
   { "san.ac.th", true },
   { "sana-store.com", true },
   { "sana-store.cz", true },
   { "sana-store.sk", true },
+  { "sanael.net", true },
   { "sanantoniolocksmithinc.com", true },
   { "sanantoniolocksmithtx.com", true },
   { "sanasport.cz", true },
   { "sanasport.sk", true },
   { "sanatorii-sverdlovskoy-oblasti.ru", true },
+  { "sanatorionosti.com.ar", true },
   { "sanbornteam.com", true },
   { "sand-islets.de", true },
   { "sandalj.com", true },
@@ -32167,7 +33197,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sandtears.com", true },
   { "sandtonescorts.com", true },
   { "sandtonplumber24-7.co.za", true },
-  { "sandtonvipcompanions.com", true },
   { "sandyrobsonhypnotherapy.co.uk", true },
   { "sanemind.de", true },
   { "sanemind.eu", true },
@@ -32182,6 +33211,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sanitairwinkel.com", true },
   { "sanitairwinkel.nl", true },
   { "sanitrak.cz", true },
+  { "sanjotech.space", true },
   { "sannesfotklinikk.no", true },
   { "sanpham-balea.org", true },
   { "sanskritiyoga.com", true },
@@ -32196,6 +33226,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "santojuken.co.jp", true },
   { "santoshpandit.com", true },
   { "sanvitolocapobus.com", true },
+  { "saol.eu", true },
   { "saoneth.pl", true },
   { "saorsat.com", true },
   { "saorsat.ie", true },
@@ -32213,18 +33244,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sapphirepearl.com.sg", true },
   { "sapprendre.ch", true },
   { "saprima.de", true },
+  { "sarabara.com", true },
   { "sarahbeckettharpist.com", true },
   { "sarahboydrealty.com", true },
   { "sarahcorliss.com", true },
   { "sarahlicity.co.uk", true },
   { "sarahlicity.me.uk", true },
   { "sarahplusdrei.de", true },
+  { "sarahsecret.de", true },
   { "sarahvictor.co.uk", true },
   { "sarahwikeley.co.uk", true },
   { "saraleebread.com", false },
   { "sarariman.com", true },
   { "sarasotaroboticurology.com", true },
   { "sarasturdivant.com", true },
+  { "sardacompost.it", true },
   { "sardegnatirocini.it", true },
   { "sarink.eu", true },
   { "sarkisianbuilders.com", true },
@@ -32233,6 +33267,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sarpsb.org", true },
   { "sarumtechnologies.com", true },
   { "sas-snowboarding.sk", true },
+  { "sasanika.org", true },
   { "sascha.io", true },
   { "sascha.is", true },
   { "saschaeggenberger.ch", true },
@@ -32242,7 +33277,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sashascollections.com", true },
   { "sasioglu.co.uk", true },
   { "saskpension.com", true },
-  { "sasrobotics.xyz", true },
   { "sassandbelle.co.uk", true },
   { "sassandbelle.com", true },
   { "sassandbelletrade.co.uk", true },
@@ -32257,6 +33291,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "saterdalen.net", true },
   { "satimagingcorp.com", true },
   { "satinn.pl", true },
+  { "satisperfectacollections.com", true },
   { "satmd.de", true },
   { "satoshinumbers.com", true },
   { "sattamatkachart.in", true },
@@ -32273,6 +33308,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sauerbrey.eu", true },
   { "sauerland-schnittgruen.de", true },
   { "saulchristie.com", true },
+  { "saultdefencelaw.ca", true },
   { "saumon-de-france.com", true },
   { "saumon-france.com", true },
   { "saumondefrance.fr", true },
@@ -32291,8 +33327,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "saveora.com", true },
   { "savetheinternet.eu", true },
   { "saveya.com", true },
-  { "savic.com", true },
+  { "savic.com", false },
   { "saviezvousque.net", true },
+  { "savilleassessment.com", true },
   { "savingrecipe.com", true },
   { "savingsoftheyear.com", true },
   { "savingsomegreen.com", true },
@@ -32304,6 +33341,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "saxojoe.co.uk", true },
   { "saxojoe.de", true },
   { "saxoncreative.com", true },
+  { "saxotex.de", true },
   { "saxwereld.nl", true },
   { "sayori.pw", true },
   { "sayprepay.com", true },
@@ -32322,6 +33360,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sbanken.no", true },
   { "sber.us", true },
   { "sberbank.ch", true },
+  { "sberna-fotofast.cz", true },
   { "sbf888.com", true },
   { "sbiewald.de", true },
   { "sbir.gov", true },
@@ -32329,6 +33368,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sbit.com.br", true },
   { "sblum.de", true },
   { "sbo-dresden.de", true },
+  { "sbox-servers.com", true },
   { "sbr.red", true },
   { "sbrouwer.org", true },
   { "sbrownbourne.com", true },
@@ -32336,13 +33376,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sbsbaits.com", true },
   { "sbscyber.com", true },
   { "sbsnursery.co.uk", true },
-  { "sbsrv.ml", true },
   { "sbssoft.ru", true },
   { "sbytes.info", true },
+  { "sc-artworks.co.uk", true },
   { "sc5.jp", true },
-  { "scaarus.com", true },
   { "scaffalature.roma.it", true },
-  { "scaffoldhireeastrand.co.za", true },
+  { "scaffoldhirefourways.co.za", true },
+  { "scaffoldhirerandburg.co.za", true },
   { "scalacollege.nl", true },
   { "scalaire.com", true },
   { "scalaire.fr", true },
@@ -32358,8 +33398,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scanleasing.net", true },
   { "scanpay.dk", true },
   { "scarafaggio.it", true },
+  { "scarvespalace.com", true },
   { "scatsbouncingcastles.ie", true },
   { "scbdh.org", true },
+  { "scbreed.com", true },
   { "sceenfox.de", true },
   { "scelec.com.au", true },
   { "scenastu.pl", true },
@@ -32370,9 +33412,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scepticism.com", true },
   { "schadevergoedingen.eu", true },
   { "schaefer-reifen.de", true },
+  { "schaffensdrang.at", true },
   { "schamlosharmlos.de", true },
-  { "schaper-sport.com", true },
-  { "schatmeester.be", true },
   { "schatzibaers.de", true },
   { "schawe.me", true },
   { "schbebtv.fr", true },
@@ -32392,7 +33433,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scheuchenstuel.at", true },
   { "schgroup.com", true },
   { "schier.info", true },
-  { "schil.li", true },
   { "schildbach.de", true },
   { "schillers-friedberg.de", true },
   { "schimmel-test.info", true },
@@ -32416,6 +33456,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "schmid.tv", true },
   { "schmidthomes.com", true },
   { "schmidtplasticsurgery.com", true },
+  { "schmitt-etienne.fr", true },
   { "schmitt-max.com", true },
   { "schnapke.name", true },
   { "schneeketten-ratgeber.de", true },
@@ -32444,8 +33485,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scholarshipplatform.com", true },
   { "scholarshipsplatform.com", true },
   { "scholarstyle.com", true },
+  { "scholieren.com", true },
   { "scholierenvervoerzeeland.nl", true },
-  { "schollbox.de", false },
   { "scholledev.com", true },
   { "scholz-kallies.de", true },
   { "schont.org", true },
@@ -32470,6 +33511,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "schreibers.ca", true },
   { "schreinerei-jahreis.de", true },
   { "schrenkinzl.at", true },
+  { "schritt4fit.de", true },
   { "schrodingersscat.com", true },
   { "schrodingersscat.org", true },
   { "schroeder-immobilien-sundern.de", true },
@@ -32503,6 +33545,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "schwabenhaus-ka.de", true },
   { "schwalliers.com", true },
   { "schwanke.in", true },
+  { "schwano-dent.at", true },
   { "schwarz-gelbe-fuechse.de", true },
   { "schwarzegar.de", true },
   { "schwarzer.it", true },
@@ -32537,7 +33580,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scistarter.com", true },
   { "scitopia.me", true },
   { "scitopia.net", true },
-  { "sckc.stream", false },
   { "sclns.co", true },
   { "scohetal.de", true },
   { "scontogiusto.com", true },
@@ -32547,25 +33589,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scooterservis.com", true },
   { "scootfleet.com", true },
   { "scorerealtygroup.com", true },
-  { "scorocode.ru", true },
   { "scorp13.com", true },
+  { "scorpowines.com", true },
+  { "scottah.com", true },
   { "scottgalvin.com", true },
   { "scottgruber.me", true },
   { "scottgthomas.com", true },
   { "scotthelme.co.uk", true },
+  { "scottipc.com", true },
   { "scottishcu.org", true },
   { "scottishseniorsgolf.com", true },
   { "scottlanderkingman.com", true },
   { "scottseditaacting.com", true },
-  { "scottstorey.co.uk", true },
   { "scotttopperproductions.com", true },
-  { "scottynordstrom.org", false },
   { "scoutingridderkerk.nl", true },
   { "scoutingtungelroy.nl", true },
   { "scoutnet.de", true },
+  { "scouttrails.com", true },
   { "scp-trens.notaires.fr", true },
   { "scp500.com", true },
-  { "scpartyentertainment.co.uk", true },
   { "scpslgame.com", true },
   { "scra.gov", true },
   { "scrabble-solver.com", true },
@@ -32573,6 +33615,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scramget.com", true },
   { "scramsoft.com", true },
   { "scrap.tf", true },
+  { "scrapdealers.eu", true },
   { "scratchandscuffs.co.uk", true },
   { "scratchandscuffs.com", true },
   { "scratchandscuffs.uk", true },
@@ -32588,12 +33631,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "screenlight.tv", true },
   { "screenmachine.com", true },
   { "screenparadigm.com", true },
+  { "screenpublisher.com", true },
   { "scripo-bay.com", true },
   { "script.google.com", true },
   { "scripter.co", true },
   { "scriptgates.ru", true },
   { "scriptum.gr", true },
   { "scrisulfacebine.ro", true },
+  { "scrivito.com", true },
   { "scrod.me", true },
   { "scroll.in", true },
   { "scrtch.fr", true },
@@ -32606,24 +33651,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "scswam.com", true },
   { "sctiger.me", true },
   { "sctiger.ml", true },
-  { "sctm.at", true },
   { "sctrainingllc.com", true },
   { "scubadiving-phuket.com", true },
   { "scubaland.hu", true },
   { "scul.net", true },
   { "sculpture.support", true },
   { "scuolaguidalame.ch", true },
-  { "scuters.club", true },
-  { "scw.com", true },
-  { "scw.nz", true },
-  { "scwilliams.co.uk", true },
-  { "scwilliams.uk", true },
   { "sd.af", true },
   { "sdayman.com", true },
   { "sdcardrecovery.de", true },
   { "sdg-tracker.org", true },
   { "sdgllc.com", true },
   { "sdho.org", true },
+  { "sdis-trib.fr", true },
   { "sdns.fr", true },
   { "sdsi.us", true },
   { "sdsk.one", true },
@@ -32633,6 +33673,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sdvx.net", true },
   { "sdxcentral.com", true },
   { "se-booster.com", true },
+  { "se-live.org", true },
   { "se-theories.org", true },
   { "se.com", true },
   { "se.search.yahoo.com", false },
@@ -32646,7 +33687,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sealbaker.com", true },
   { "sealoffantasy.de", true },
   { "sealtitebasement.com", true },
+  { "seamester.com", true },
   { "seamless.no", true },
+  { "seamoo.se", true },
   { "sean-wright.com", true },
   { "seanholcroft.co.uk", true },
   { "seankilgarriff.com", true },
@@ -32671,22 +33714,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "searchcandy.nl", true },
   { "searchcandy.uk", true },
   { "searchdatalogy.com", true },
+  { "searchfox.org", true },
   { "seareytraining.com", true },
   { "searsucker.com", true },
   { "searx.ru", true },
   { "searx.xyz", true },
   { "seasidestudios.co.uk", true },
   { "season.moe", true },
+  { "seasons-vintage.com", true },
   { "seasons.nu", false },
   { "seatbeltpledge.com", true },
-  { "seatshare.co.uk", true },
   { "seattle-life.net", true },
   { "seattlefabrication.com", true },
   { "seattlemesh.net", true },
-  { "seattleprivacy.org", true },
   { "seattlewalkinbathtubs.com", true },
-  { "seavancouver.com", true },
   { "seb-mgl.de", true },
+  { "seb-net.com", true },
   { "sebald.com", true },
   { "sebald.org", true },
   { "sebascelis.com", true },
@@ -32702,8 +33745,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sebastiaperis.com", true },
   { "sebasveeke.nl", true },
   { "sebepoznani.eu", true },
-  { "sebi.cf", true },
   { "sebi.org", true },
+  { "sebjacobs.com", true },
   { "seby.io", true },
   { "sec-mails.de", true },
   { "sec-research.com", true },
@@ -32713,6 +33756,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sec.gov", true },
   { "sec.red", true },
   { "sec3ure.co.uk", true },
+  { "sec44.com", true },
+  { "sec44.net", true },
+  { "sec44.org", true },
   { "sec455.com", true },
   { "sec530.com", true },
   { "sec555.com", true },
@@ -32728,19 +33774,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "secondchancejobsforfelons.com", true },
   { "seconfig.sytes.net", true },
   { "secpatrol.de", true },
-  { "secpoc.online", true },
   { "secretar.is", true },
   { "secretary-schools.com", true },
+  { "secretpigeon.com", true },
   { "secretsanta.fr", true },
   { "secretsdujeu.com", true },
   { "secretserveronline.com", true },
-  { "secretum.tech", true },
   { "secteer.com", true },
   { "sectelligence.nl", true },
   { "sectio-aurea.org", true },
   { "section-31.org", true },
   { "section.io", true },
   { "section508.gov", true },
+  { "section77.de", true },
   { "sectionw2s.org", true },
   { "sector5.xyz", true },
   { "sectun.com", true },
@@ -32760,25 +33806,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "secureim.de", true },
   { "securejabber.me", true },
   { "securelect-inspection.com", true },
+  { "securemailbox.com", true },
+  { "securemessage.nl", true },
   { "secureobscure.com", true },
   { "secureonline.co", false },
   { "securethe.news", true },
   { "securetheorem.com", true },
-  { "securetronic.ch", true },
   { "securetrustbank.com", true },
   { "securi-tay.co.uk", true },
   { "securify.nl", true },
   { "securipy.com", true },
   { "securiscan.io", true },
+  { "securist.nl", true },
   { "security-24-7.com", true },
   { "security-brokers.com", true },
   { "security.gives", true },
   { "security.google.com", true },
+  { "security.love", true },
   { "security201.co.uk", true },
   { "security201.com", true },
-  { "securitycamerasaustin.net", true },
+  { "securityblues.co.uk", true },
   { "securitycamerascincinnati.com", true },
-  { "securitycamerasjohnsoncity.com", true },
   { "securityescrownews.com", true },
   { "securityfest.com", true },
   { "securitygladiators.com", true },
@@ -32788,6 +33836,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "securityindicators.com", true },
   { "securityinet.com", false },
   { "securitykey.co", true },
+  { "securitymap.wiki", true },
   { "securitypluspro.com", true },
   { "securityprimes.in", true },
   { "securitypuppy.com", true },
@@ -32802,23 +33851,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "securocloud.com", true },
   { "secutrans.com", true },
   { "secuvera.de", false },
+  { "secvault.io", true },
   { "secwall.me", true },
   { "secyourity.se", true },
   { "sedeusquiser.net", true },
   { "sedlakovalegal.com", true },
   { "sedmicka.sk", true },
+  { "sedomicilier.fr", true },
   { "sedussa.ro", true },
+  { "see.asso.fr", true },
   { "see.wtf", true },
   { "seeclop.ch", true },
   { "seedandleisure.co.uk", true },
+  { "seedcoworking.es", true },
   { "seedisclaimers.com", true },
   { "seednode.co", true },
   { "seedsofangelica.net", true },
   { "seekers.ch", true },
+  { "seekfirstthekingdom.ca", true },
   { "seeks.ru", true },
-  { "seekthe.net", true },
   { "seemeagain.com", true },
-  { "seesuite.com", true },
+  { "seesuite.com", false },
   { "seewhatididhere.com", true },
   { "seeworkdone.com", true },
   { "seezeitlodge-bostalsee.de", true },
@@ -32828,13 +33881,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "segaretro.org", true },
   { "segitz.de", true },
   { "segmetic.com", true },
+  { "segnidisegni.eu", true },
   { "segulink.com", true },
   { "seguridadconsumidor.gov", true },
+  { "seguridadysaludeneltrabajo.com.co", true },
   { "seguros-de-salud-y-vida.com", true },
   { "segurosbalboa.com.ec", false },
   { "segurosdecarroshialeah.org", true },
   { "segurosdevidamiami.org", true },
-  { "segurosocial.gov", true },
+  { "segurosocial.gov", false },
   { "seguroviagem.srv.br", false },
   { "sehnenweh.org", true },
   { "seibert.ninja", true },
@@ -32847,10 +33902,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "seitai-nabejun.jp", true },
   { "seitai-taiyou.com", true },
   { "seitenwaelzer.de", true },
+  { "sekikawa.biz", true },
   { "sekisonn.com", true },
   { "sekoya.org", true },
   { "selbys.net.au", true },
   { "selcusters.nl", true },
+  { "seldax.com", true },
   { "selea.se", true },
   { "selected-properties.com", true },
   { "selectel.com", false },
@@ -32858,7 +33915,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "selectorders.com", true },
   { "selectsplat.com", true },
   { "selegiline.com", true },
-  { "selent.me", true },
+  { "selekzo.com", true },
   { "self-evident.org", true },
   { "self-signed.com", true },
   { "self-xss.info", true },
@@ -32873,6 +33930,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "selfoutlet.com", true },
   { "selkiemckatrick.com", true },
   { "sellajoch.com", true },
+  { "selldorado.com", true },
   { "selldurango.com", true },
   { "sellguard.pl", true },
   { "sellme.biz", true },
@@ -32880,7 +33938,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sello.com", true },
   { "sellorbuy.uk", true },
   { "sellorbuy.us", true },
-  { "seltendoof.de", true },
+  { "seloc.org", true },
   { "semacode.com", true },
   { "semaf.at", true },
   { "semaflex.it", true },
@@ -32888,13 +33946,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "semaphore-studios.com", true },
   { "semdynamics.com", true },
   { "semenov.su", false },
-  { "semianalog.com", true },
   { "seminariruum.ee", true },
   { "semiocast.com", true },
-  { "semirben.de", true },
   { "semiread.com", true },
   { "semjonov.de", true },
-  { "semmlers.com", true },
   { "semox.de", true },
   { "semps-2fa.de", true },
   { "semps-threema.de", true },
@@ -32927,17 +33982,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "senobio.com", true },
   { "senorcontento.com", true },
   { "sens2lavie.com", true },
+  { "sensavi.ua", true },
+  { "sense.hamburg", true },
   { "sensebridge.com", true },
   { "sensebridge.net", true },
   { "sensepixel.com", true },
   { "senshudo.tv", true },
-  { "sensoft-int.net", true },
+  { "sensoft-int.org", true },
   { "sensound.ml", true },
   { "sentandsecure.com", true },
   { "sentic.info", true },
   { "sentidosdelatierra.org", true },
+  { "sentiments.io", true },
   { "sentinel.gov", true },
   { "sentinelproject.io", true },
+  { "sentirmebien.org", true },
   { "sentry.io", true },
   { "sentry.nu", true },
   { "senzaparole.de", true },
@@ -32953,29 +34012,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "seoankara.name.tr", true },
   { "seobutler.com", true },
   { "seocomposer.com", true },
-  { "seoenmexico.com.mx", true },
+  { "seodayo.com", true },
   { "seoexperte.berlin", true },
   { "seogeek.nl", true },
   { "seohackers.fr", true },
   { "seohouston.com", true },
   { "seoinc.com", true },
-  { "seoium.com", true },
   { "seojames.com", true },
-  { "seolib.org", true },
   { "seomarketing.bg", true },
   { "seon.me", true },
   { "seoprovider.nl", true },
   { "seoquake.com", true },
-  { "seosec.xyz", false },
   { "seosof.com", true },
-  { "seostepbysteplab.com", true },
+  { "seostepbysteplab.com", false },
   { "seoul.dating", true },
   { "seouniversity.org", true },
   { "seovision.se", true },
   { "sepalandseed.com", true },
   { "seppelec.com", true },
-  { "seproco.com", true },
-  { "septakkordeon.de", true },
   { "septentrionalist.org", true },
   { "septfinance.ch", true },
   { "septicrepairspecialists.com", true },
@@ -32991,10 +34045,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "serenaden.at", true },
   { "serendeputy.com", true },
   { "serf.io", true },
-  { "sergeemond.ca", true },
+  { "serge-design.ch", true },
   { "sergefonville.nl", true },
   { "sergeyreznikov.com", true },
   { "sergije-stanic.me", true },
+  { "sergiojimenezequestrian.com", true },
   { "sergiosantoro.it", true },
   { "sergiozygmunt.com", true },
   { "sergos.de", true },
@@ -33005,10 +34060,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "seriousclimbing.com", true },
   { "seriouss.am", true },
   { "sernate.com", true },
-  { "serotiuk.com", true },
+  { "serotiuk.com", false },
   { "serpenteq.com", true },
   { "serrano-chris.ch", true },
-  { "servdiscount.com", true },
+  { "seru.eu", true },
   { "serve-a.com.au", true },
   { "servea.com.au", true },
   { "serveatechnologies.com", true },
@@ -33020,8 +34075,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "server-essentials.com", false },
   { "server-eye.com", true },
   { "server-eye.de", true },
+  { "server92.tk", true },
   { "serveradium.com", true },
   { "serveradminz.com", true },
+  { "serverangels.co.uk", true },
   { "serverco.com", true },
   { "serverd.de", true },
   { "serverexpose.com", true },
@@ -33043,19 +34100,26 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "serviceboss.de", true },
   { "servicemembers.gov", true },
   { "servida.ch", true },
+  { "servidoresweb.online", true },
   { "serviettenhaus.de", true },
   { "servingbaby.com", true },
   { "servious.org", true },
   { "servitek.de", true },
   { "serviziourgente.it", true },
+  { "servo.org", true },
   { "servx.org", true },
   { "serw.org", true },
   { "serwis-wroclaw.pl", true },
+  { "serwusik.pl", true },
   { "seryox.com", true },
   { "sesam-biotech.com", true },
+  { "sesrdcem.cz", true },
+  { "session.bbc.co.uk", true },
+  { "session.bbc.com", true },
   { "sessionslogning.dk", true },
   { "sesslerimmo.ch", true },
   { "sestra.in", true },
+  { "setasgourmet.es", true },
   { "setenforce.one", true },
   { "setfix.de", true },
   { "sethcaplan.com", true },
@@ -33064,13 +34128,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "setphaserstostun.org", true },
   { "setsailanddive.com", true },
   { "settberg.de", true },
-  { "setterirlandes.com.br", true },
+  { "settimanadellascienza.it", true },
   { "settleapp.co", true },
   { "setuid.io", true },
   { "setuid0.kr", true },
   { "setyoursite.nl", true },
   { "seva.fashion", true },
   { "seven-purple.com", true },
+  { "seven-shadows.de", true },
   { "sevencooks.com", true },
   { "sevenhillsapartments.com.au", true },
   { "sevenicealimentos.com.br", true },
@@ -33079,6 +34144,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "severine-trousselard.com", true },
   { "severntrentinsuranceportal.com", true },
   { "sevinci.ch", true },
+  { "sevwebdesign.com", true },
   { "sewa.nu", true },
   { "sewafineseam.com", true },
   { "sewinginsight.com", true },
@@ -33087,13 +34153,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sexdocka.nu", true },
   { "sexflare.net", true },
   { "sexmobil.de", true },
+  { "sexplicit.co.uk", true },
   { "sexservice.io", true },
   { "sexy-store.nl", true },
+  { "seydaozcan.com", true },
   { "seyfarth.de", true },
   { "seyr.me", true },
   { "sfa.sk", true },
   { "sfaparish.org", true },
-  { "sfcomercio.com.br", true },
   { "sfdev.ovh", true },
   { "sfg-net.com", true },
   { "sfg-net.eu", true },
@@ -33113,8 +34180,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sgi.org", true },
   { "sgitc.de", true },
   { "sglibellen.de", true },
-  { "sgroup-hitoduma.com", true },
-  { "sgroup-rec.com", true },
+  { "sgrmreproduccionapp.azurewebsites.net", true },
   { "sgs-systems.de", true },
   { "sgs.camera", true },
   { "sgs.systems", true },
@@ -33127,6 +34193,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sh0rt.zone", true },
   { "sh0shin.org", true },
   { "shaadithailand.com", true },
+  { "shabiwangyou.com", true },
   { "shad.waw.pl", true },
   { "shadesofgrayadr.com", true },
   { "shadesofgraylaw.com", true },
@@ -33154,6 +34221,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shaicoleman.com", true },
   { "shainessim.com", true },
   { "shakan.ch", true },
+  { "shakebox.de", true },
   { "shaken-kyoto.jp", true },
   { "shaken110.com", true },
   { "shakepeers.org", false },
@@ -33172,8 +34240,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shan.si", true },
   { "shanahanstrategy.com", true },
   { "shanetully.com", true },
-  { "shanewadleigh.com", true },
-  { "shangzhen.site", true },
   { "shankangke.com", true },
   { "shannoneichorn.com", true },
   { "shansing.cn", true },
@@ -33193,10 +34259,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sharescope.co.uk", false },
   { "shareselecttools.com", true },
   { "sharevari.com", true },
+  { "sharing-kyoto.com", true },
   { "sharisharpe.com", true },
   { "shark.cat", true },
   { "shark5060.net", true },
-  { "sharkie.org.za", true },
+  { "sharkcut.se", true },
+  { "sharperedge.pw", true },
+  { "sharperedgecomputers.com", true },
   { "sharu.me", true },
   { "sharvey.ca", true },
   { "shattered-souls.de", true },
@@ -33225,22 +34294,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shehaal.com", true },
   { "shehata.com", true },
   { "sheilasdrivingschool.com", true },
+  { "shek.zone", true },
   { "shelfordsandstaplefordscouts.org.uk", true },
-  { "shellday.cc", true },
   { "shelleystoybox.com", true },
   { "shellfire.de", true },
   { "shellgame.io", true },
   { "shellj.me", true },
   { "shelljuggler.com", false },
-  { "shellot.com", true },
   { "shellshock.eu", true },
   { "shellvatore.us", true },
+  { "shemissed.me", true },
   { "shemsconseils.ma", true },
   { "shengbao.org", true },
   { "shenghaiautoparts.com", true },
   { "shenghaiautoparts.net", true },
-  { "shengrenyu.com", true },
-  { "shens.ai", true },
   { "shenyuqi.com", false },
   { "sherbers.de", true },
   { "sherrikehoetherapy.com", true },
@@ -33255,8 +34322,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shichibukai.net", true },
   { "shico.org", true },
   { "shieldcomputer.com", true },
+  { "shielder.it", true },
   { "shieldfe.com", true },
-  { "shieldofachilles.in", true },
   { "shift-record.com", true },
   { "shift-to.co.jp", true },
   { "shiftdevices.com", true },
@@ -33268,9 +34335,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shijing.me", true },
   { "shikimori.one", true },
   { "shikimori.org", true },
+  { "shimi.blog", true },
+  { "shimi.guru", true },
   { "shimi.net", true },
+  { "shimmy1996.com", true },
   { "shimo.im", true },
-  { "shin-inc.jp", true },
   { "shinghoi.com", true },
   { "shinglereplacementlv.com", true },
   { "shining.gifts", true },
@@ -33279,13 +34348,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shinonome-lab.eu.org", true },
   { "shinsyo.com", true },
   { "shintoism.com", true },
+  { "shinuytodaati.co.il", true },
   { "shinyuu.net", true },
   { "shipard.com", true },
   { "shipard.cz", true },
   { "shipcloud.io", true },
   { "shippercenter.info", true },
   { "shiqi.ca", true },
+  { "shiqi.lol", true },
   { "shiqi.one", true },
+  { "shiqi.se", true },
+  { "shiqi.tv", true },
   { "shiqisifu.cc", true },
   { "shirakaba-cc.com", true },
   { "shirao.jp", true },
@@ -33293,7 +34366,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shirtsdelivered.com", true },
   { "shirtsofholland.com", true },
   { "shiseki.top", true },
-  { "shishamania.de", true },
   { "shishkabobnc.com", true },
   { "shishkin.us", true },
   { "shishlik.net", true },
@@ -33308,8 +34380,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shivammathur.com", true },
   { "shivatattvayoga.com", true },
   { "shlmail.info", true },
-  { "shmibbles.me", true },
-  { "shmunky.co.uk", true },
   { "shobhanayogsadan.com", true },
   { "shock.ee", true },
   { "shockercityservices.com", true },
@@ -33317,8 +34387,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shoeracks.uk", true },
   { "shoestringeventing.co.uk", true },
   { "shokola.com", true },
+  { "sholtowu.com", true },
   { "shome.de", true },
   { "shooter.dog", true },
+  { "shootingstarmedium.com", true },
   { "shop-hellsheadbangers.com", true },
   { "shop-s.net", true },
   { "shop4d.com", true },
@@ -33342,14 +34414,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shopcoupons.my", true },
   { "shopcoupons.ph", true },
   { "shopcoupons.sg", true },
-  { "shophisway.com", true },
   { "shopific.co", true },
+  { "shopific.com", true },
   { "shopify.com", true },
   { "shopifycloud.com", true },
   { "shopkini.com", true },
   { "shoplandia.co", true },
   { "shopperexperts.com", true },
-  { "shoppia.se", true },
   { "shopping24.de", true },
   { "shoppr.dk", true },
   { "shopregional.com.br", true },
@@ -33375,18 +34446,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "showbits.net", true },
   { "showersnet.com", true },
   { "showf.om", true },
+  { "showfom.sb", true },
   { "showmax.com", true },
   { "showmethemoney.ru", true },
   { "showpassword.net", true },
   { "showroom.cam", true },
   { "showroom.co.uk", true },
   { "showroom.uk", true },
-  { "showroom113.ru", true },
   { "showsonar.com", true },
-  { "shoxmusic.net", false },
   { "shredriteservices.com", true },
-  { "shreyansh26.me", true },
   { "shrike.me", false },
+  { "shrimpcam.pw", true },
   { "shrinidhiclinic.in", true },
   { "shrinkhub.com", true },
   { "shrub.ca", true },
@@ -33395,8 +34465,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shtaketniki.ru", true },
   { "shteiman.net", true },
   { "shu-fu.net", true },
+  { "shuax.com", true },
   { "shuffleradio.nl", true },
   { "shugo.net", true },
+  { "shuhacksoc.co.uk", true },
   { "shukatsu-support.jp", true },
   { "shulan.moe", true },
   { "shuletime.ml", true },
@@ -33411,13 +34483,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "shwrm.ch", true },
   { "shyuka.me", true },
   { "si-benelux.nl", true },
-  { "si.to", true },
   { "si2b.fr", true },
   { "siaggiusta.com", true },
+  { "siamdevsqua.re", true },
+  { "siamdevsquare.com", true },
   { "siamsnus.com", true },
   { "sianbryn.co.uk", true },
   { "sianjhon.com", true },
+  { "siava.ru", true },
   { "siberas.de", true },
+  { "siberkulupler.com", true },
+  { "sibertakvim.com", true },
   { "sibfk.org", true },
   { "sibiutourguide.com", true },
   { "sibrenvasse.nl", true },
@@ -33426,9 +34502,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sicilianbalm.com", true },
   { "siciliapulizie.it", true },
   { "sicken.eu", true },
-  { "sickfile.com", true },
-  { "siconnect.us", true },
-  { "sicurled.com", true },
+  { "sicurezzalavoro24.com", true },
+  { "sicurled.com", false },
   { "sidelka-tver.ru", true },
   { "sidema.be", true },
   { "sidemount-forum.com", true },
@@ -33441,11 +34516,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sidnicio.us", true },
   { "sidonge.com", true },
   { "sidongkim.com", true },
-  { "sidpod.ru", true },
-  { "siduga.com", true },
   { "siegemund-frankfurt.de", true },
   { "siel.nl", true },
   { "sielsystems.nl", true },
+  { "siemencaes.tk", true },
   { "sientemendoza.com.ar", true },
   { "sierpinska.co", true },
   { "sierpinska.eu", true },
@@ -33466,13 +34540,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "signage.red", true },
   { "signal.org", true },
   { "signalmaps.co.uk", true },
-  { "signaltransmitter.de", true },
-  { "signdesk.com", true },
   { "significados.com", true },
   { "significados.com.br", true },
   { "significantbanter.com", true },
   { "signing-milter.org", true },
   { "signix.net", true },
+  { "signrightsigns.co.uk", true },
   { "signtul.com", false },
   { "sigsrv.net", true },
   { "sigterm.no", true },
@@ -33480,6 +34553,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sigurnost.online", true },
   { "siirtutkusu.com", true },
   { "sikayetvar.com", false },
+  { "sikecikcomel.com", true },
   { "sikevux.se", true },
   { "sikko.biz", true },
   { "siku-shop.ch", true },
@@ -33489,6 +34563,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "silent-clean.de", true },
   { "silent-yachts.com", true },
   { "silent.live", false },
+  { "silentexplosion.de", true },
   { "silentkernel.fr", false },
   { "silentundo.org", true },
   { "silerfamily.net", true },
@@ -33511,7 +34586,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "silverdragonart.com", true },
   { "silverfirsdental.com", true },
   { "silvergoldbull.be", true },
-  { "silvergoldbull.bg", true },
   { "silvergoldbull.bj", true },
   { "silvergoldbull.by", true },
   { "silvergoldbull.ca", true },
@@ -33552,15 +34626,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "silvergoldbull.in", true },
   { "silvergoldbull.is", true },
   { "silvergoldbull.it", true },
-  { "silvergoldbull.kg", true },
   { "silvergoldbull.kr", true },
-  { "silvergoldbull.ky", true },
   { "silvergoldbull.li", true },
   { "silvergoldbull.lk", true },
+  { "silvergoldbull.lt", true },
   { "silvergoldbull.lv", true },
   { "silvergoldbull.ma", true },
   { "silvergoldbull.mk", true },
-  { "silvergoldbull.ml", true },
   { "silvergoldbull.mw", true },
   { "silvergoldbull.my", true },
   { "silvergoldbull.nz", true },
@@ -33586,11 +34658,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "silverseen.com", true },
   { "silverswanrecruitment.com", true },
   { "silverwind.io", true },
+  { "silvesrom.ro", true },
   { "silvine.xyz", true },
   { "silvobeat.blog", true },
   { "silvobeat.com", true },
   { "sim-karten.net", true },
   { "sim-minaoshi.jp", true },
+  { "sim-usa.mobi", true },
+  { "sim4seed.org", true },
   { "simam.de", true },
   { "simark.ca", true },
   { "simbeton.nl", true },
@@ -33635,7 +34710,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "simphony.cz", true },
   { "simpip.com", true },
   { "simple.com", false },
-  { "simpleclassiclife.com", true },
   { "simplecmsdemo.com", true },
   { "simplecoding.click", true },
   { "simplecontacts.com", true },
@@ -33659,9 +34733,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "simplycloud.de", true },
   { "simplyfixit.co.uk", true },
   { "simplyhelen.de", true },
+  { "simplylifetips.com", false },
   { "simplylovejesus.com", true },
   { "simplymozzo.se", true },
-  { "simplyrara.com", true },
   { "simplyregister.net", true },
   { "simplystudio.com", true },
   { "simplytiles.com", true },
@@ -33674,10 +34748,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sin.swiss", true },
   { "sinaryuda.web.id", true },
   { "sinatrafamily.com", true },
-  { "sinceschool.com", true },
+  { "sincemydivorce.com", true },
   { "sinclairinat0r.com", true },
   { "sinde.ru", true },
-  { "sinefili.com", true },
   { "sinergy.ch", true },
   { "sinfonietta-meridiana.de", true },
   { "sinfulforums.net", true },
@@ -33689,7 +34762,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "singleuse.link", true },
   { "singlu10.org", false },
   { "sinktank.de", true },
-  { "sinn.io", true },
   { "sinnersprojects.ro", true },
   { "sinomod.com", true },
   { "sinonimos.com.br", true },
@@ -33701,9 +34773,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sintaxis.org", true },
   { "sinterama.biz", true },
   { "sinuelovirtual.com.br", true },
+  { "sinusitis-bronchitis.ch", true },
   { "sioeckes.hu", true },
   { "sion.info", true },
-  { "sipc.org", true },
   { "sipstix.co.za", true },
   { "siratalmustaqim.com", true },
   { "siraweb.org", true },
@@ -33733,6 +34805,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sit.ec", true },
   { "sitc.sk", true },
   { "site-helper.com", true },
+  { "siteage.net", true },
   { "sitebuilderreport.com", true },
   { "sitedrive.fi", true },
   { "sitefactory.com.br", true },
@@ -33741,34 +34814,32 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "siterencontre.me", true },
   { "sites.google.com", true },
   { "sitesko.de", true },
-  { "sitesuccessful.com", true },
   { "sitevandaag.nl", true },
   { "sitischu.com", true },
-  { "sitsy.ru", false },
+  { "sitiweb.nl", true },
   { "sivale.mx", true },
   { "sivyerge.com", true },
   { "siw64.com", true },
+  { "six-o-one.com", true },
   { "sixcorners.info", true },
   { "sixcorners.net", true },
   { "sixpackholubice.cz", true },
   { "sixtwentyten.com", true },
   { "sj-leisure.com", true },
   { "sjaakgilsingfashion.nl", true },
-  { "sjatsh.com", true },
   { "sjbwoodstock.org", true },
   { "sjd.is", true },
   { "sjdaws.com", true },
   { "sjis.me", true },
   { "sjleisure.co.uk", true },
   { "sjoorm.com", true },
-  { "sjv4u.ch", true },
   { "sk-net.cz", true },
   { "skala.io", true },
   { "skalarwelle.eu", true },
   { "skanvordoff.ru", true },
   { "skanword.info", true },
-  { "skarox.ee", true },
   { "skatclub-beratzhausen.de", true },
+  { "skateaustria.at", true },
   { "skatesins.ch", true },
   { "skatingchina.com", true },
   { "skatn.de", true },
@@ -33780,6 +34851,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "skepneklaw.com", true },
   { "skepticalsports.com", true },
   { "sketchmyroom.com", true },
+  { "sketchywebsite.net", true },
+  { "skgzberichtenbox.nl", true },
   { "skhaz.io", true },
   { "skhire.co.uk", true },
   { "skhoop.cz", true },
@@ -33822,19 +34895,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "skogskultur.fi", true },
   { "skol.bzh", true },
   { "skolagatt.is", true },
+  { "skolakrizik.cz", true },
   { "skolem.de", true },
   { "skoleniphp.cz", true },
   { "skommettiamo.it", true },
   { "skontakt.cz", true },
   { "skontorp-enterprise.no", true },
-  { "skoolergraph.azurewebsites.net", true },
+  { "skorepova.info", true },
   { "skortekaas.nl", false },
   { "skory.us", true },
   { "skou.dk", false },
+  { "skpk.de", true },
   { "skram.de", true },
   { "skryptersi.pl", true },
   { "sksdrivingschool.com.au", true },
   { "sktan.com", true },
+  { "skulblaka.ch", true },
   { "skuldwyrm.no", true },
   { "skutry-levne.cz", true },
   { "skutry.cz", true },
@@ -33843,14 +34919,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sky-coach.com", true },
   { "sky-coach.nl", true },
   { "sky-live.fr", true },
-  { "sky-universe.net", true },
   { "skyanchor.com", true },
-  { "skybloom.io", true },
   { "skycmd.net", true },
   { "skyderby.ru", true },
   { "skydragoness.com", true },
   { "skydrive.live.com", false },
+  { "skyeeverest.tk", true },
   { "skyem.co.uk", true },
+  { "skyfone.cz", true },
+  { "skyger.cz", true },
   { "skylgenet.nl", true },
   { "skylightcreative.com.au", true },
   { "skylinertech.com", true },
@@ -33867,11 +34944,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "skys-entertainment.com", true },
   { "skyscapecanopies.com", true },
   { "skysuite.nl", true },
+  { "skywalkers.cz", true },
   { "skyynet.de", true },
   { "skyzimba.com.br", true },
   { "sl-bildermacher.de", true },
   { "sl-informatique.ovh", true },
-  { "sl0.us", true },
   { "sl899.com", true },
   { "sl998.com", true },
   { "slab.com", false },
@@ -33888,7 +34965,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "slash32.co.uk", true },
   { "slashcrypto.org", true },
   { "slate.to", true },
-  { "slatemc.fun", true },
   { "slatop.org", false },
   { "slaughter.com", true },
   { "slaughterhouse.fr", true },
@@ -33909,7 +34985,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "slevomat.cz", true },
   { "slicklines.co.uk", true },
   { "slidebatch.com", true },
-  { "slides.zone", true },
   { "slik.ai", true },
   { "slim-slender.com", true },
   { "slimspots.com", true },
@@ -33919,7 +34994,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "slink.hr", true },
   { "slip-gaming.tk", true },
   { "slneighbors.org", true },
-  { "slo-net.net", true },
   { "slo-tech.com", true },
   { "sloancom.com", true },
   { "slonep.net", true },
@@ -33935,9 +35009,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "slowgames.xyz", true },
   { "slpower.com", true },
   { "slrd-isperih.com", true },
+  { "slt24.de", true },
   { "sluciaconstruccion.com", true },
-  { "sluimann.de", true },
+  { "sluimann.de", false },
   { "sluitkampzeist.nl", false },
+  { "slunecnice.cz", true },
   { "slusham.com", true },
   { "slvh.fr", true },
   { "slwilde.ca", true },
@@ -33952,20 +35028,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smackhappy.com", true },
   { "smadav.ml", true },
   { "smakassen.no", true },
-  { "smallcloudsolutions.co.za", true },
   { "smalldata.tech", true },
   { "smalldogbreeds.net", true },
   { "smalle-voet.de", true },
   { "smallhadroncollider.com", true },
-  { "smallpath.me", true },
   { "smalltalkconsulting.com", true },
   { "smaltimento-rifiuti.org", true },
   { "smaltimento.caserta.it", true },
+  { "smaltimento.milano.it", true },
   { "smaltimento.napoli.it", true },
   { "smaltimento.roma.it", true },
   { "smaltimentoamianto.frosinone.it", true },
   { "smaltimentoamianto.latina.it", true },
   { "smaltimentorifiuti.firenze.it", true },
+  { "smaltimentorifiuti.livorno.it", true },
+  { "smaltimentorifiuti.prato.it", true },
   { "smaltimentorifiuti.veneto.it", true },
   { "smares.de", true },
   { "smart-cp.jp", true },
@@ -33974,15 +35051,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smart-shapes.co.uk", true },
   { "smart-wohnen.net", true },
   { "smart.gov", true },
+  { "smart.vet", true },
   { "smartacademy.ge", true },
   { "smartairkey.com", true },
   { "smartandcom.ch", true },
-  { "smartandhappychild.ro", true },
+  { "smartandhappychild.ro", false },
   { "smartcheck.gov", true },
   { "smartcleaningcenter.nl", true },
   { "smartcpa.ca", true },
   { "smartedg.io", true },
-  { "smartest-trading.com", true },
   { "smartfit.cz", true },
   { "smartftp.com", true },
   { "smarthdd.com", true },
@@ -33996,19 +35073,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smartmarketingcoaching.com", true },
   { "smartmeal.ru", true },
   { "smartmessages.net", true },
-  { "smartmompicks.com", true },
   { "smartmomsmartideas.com", true },
   { "smartpass.government.ae", true },
   { "smartphonechecker.co.uk", true },
+  { "smartphones-baratos.com", true },
   { "smartpolicingplatform.com", true },
+  { "smartpti.net", true },
   { "smartrecruit.ro", true },
   { "smartservices.nl", true },
   { "smartshiftme.com", true },
   { "smartship.co.jp", true },
+  { "smartshoppers.es", true },
   { "smartsparrow.com", true },
   { "smartthursday.hu", true },
   { "smartvideo.io", true },
   { "smartviewing.com", true },
+  { "smartwank.com", true },
+  { "smartweb.ge", true },
   { "smartwelve.com", true },
   { "smartwoodczech.cz", true },
   { "smartwurk.nl", false },
@@ -34020,9 +35101,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sme-gmbh.net", true },
   { "smeetsengraas.com", true },
   { "smeso.it", true },
+  { "smexpt.com", true },
   { "smiatek.name", true },
   { "smileandpay.com", true },
   { "smiledirectsales.com", true },
+  { "smilenwa.com", true },
   { "smilessoftplay.co.uk", true },
   { "smileytechguy.com", true },
   { "smilingmiao.com", true },
@@ -34033,15 +35116,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smit.com.ua", true },
   { "smit.ee", true },
   { "smith.co", true },
-  { "smith.is", true },
   { "smithandcanova.co.uk", false },
+  { "smithchow.com", true },
   { "smithchung.eu", true },
   { "smithfieldbaptist.org", true },
+  { "smitug.pw", true },
   { "smkw.com", false },
   { "smm.im", true },
   { "smmlaba.io", true },
   { "smokeandmirrors.agency", true },
   { "smokefree.gov", true },
+  { "smokefreerowan.org", true },
   { "smokeus.dk", true },
   { "smol.cat", true },
   { "smoo.st", true },
@@ -34070,17 +35155,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "smsprivacy.org", true },
   { "smspujcka24.eu", true },
   { "smtp.in.th", true },
+  { "smtparish.org", true },
   { "smuncensored.com", true },
-  { "smutba.se", true },
   { "smutek.net", true },
   { "smvcm.com", true },
   { "smx.net.br", true },
+  { "sn0int.com", true },
+  { "snabbare-dator.se", true },
+  { "snabbit-support.nu", true },
+  { "snabbit-support.se", true },
   { "snackbesteld.nl", true },
   { "snafu.cz", true },
   { "snakafya.com", true },
   { "snap.com", true },
   { "snapappointments.com", true },
-  { "snapappts.com", true },
   { "snapchat.com", true },
   { "snapfinance.com", true },
   { "snapserv.ch", true },
@@ -34119,13 +35207,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "snight.co", true },
   { "snille.com", true },
   { "snip.run", true },
+  { "snippet.host", true },
   { "snippet.wiki", true },
   { "snl.no", true },
   { "sno-kingroofing-gutters.com", true },
   { "snoerendevelopment.nl", true },
   { "snohomishsepticservice.com", true },
+  { "snoot.club", true },
   { "snopyta.com", true },
-  { "snoringhq.com", true },
+  { "snortfroken.net", true },
   { "snote.io", true },
   { "snoupon.com", true },
   { "snow-online.com", true },
@@ -34137,14 +35227,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "snowdy.dk", true },
   { "snowhaze.ch", true },
   { "snowhaze.com", true },
+  { "snoworld.one", true },
   { "snowpak.com", true },
   { "snowpaws.de", true },
   { "snowplane.net", true },
   { "snowraven.de", true },
   { "snowy.land", true },
+  { "snowyluma.com", true },
   { "snowyluma.me", true },
   { "snperformance.gr", true },
-  { "snrat.com", true },
+  { "snroth.de", true },
   { "snrub.co", true },
   { "sntravel.co.uk", true },
   { "snuff.porn", true },
@@ -34163,7 +35255,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sobieray.dyndns.org", true },
   { "sobotkama.eu", true },
   { "sobreporcentagem.com", true },
-  { "soc.net", true },
   { "soccorso-stradale.org", true },
   { "sochi-sochno.ru", true },
   { "sociability.dk", true },
@@ -34191,17 +35282,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sociopathy.org", true },
   { "sockeye.io", true },
   { "sockscap64.com", true },
-  { "socoastal.com", true },
   { "sodadigital.com.au", true },
   { "sodafilm.de", true },
-  { "sodamakerclub.com", true },
   { "sodexam.pro", true },
   { "sodi.nl", true },
-  { "sodiao.cc", true },
   { "sodomojo.com", true },
+  { "soe-server.com", true },
   { "sofa-rockers.org", true },
   { "sofabedshop.de", true },
+  { "sofiadaoutza.gr", true },
   { "sofiavanmoorsel.com", true },
+  { "sofiesteinfeld.de", true },
   { "sofort.com", true },
   { "sofortimplantate-muenchen.de", true },
   { "sofortueberweisung.de", true },
@@ -34210,8 +35301,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "softanka.com", true },
   { "softart.club", true },
   { "softballrampage.com", true },
-  { "softbebe.com", true },
+  { "softblinds.co.uk", true },
   { "softcreatr.de", false },
+  { "softfay.com", true },
   { "softonic.com", true },
   { "softonic.com.br", true },
   { "softonic.jp", true },
@@ -34219,10 +35311,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "softplay4hire.co.uk", true },
   { "softprayog.in", true },
   { "softrobot.se", true },
+  { "softsecmatheodexelle.be", true },
   { "softtennis-zenei.com", true },
   { "softw.net", true },
   { "software.rocks", true },
   { "softwarebetrieb.de", true },
+  { "softwarebeveiligingtestdomein.be", true },
   { "softwaredesign.foundation", false },
   { "softwarehardenberg.nl", true },
   { "softwarevoortherapeuten.nl", true },
@@ -34271,7 +35365,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "solicafe.at", true },
   { "solidarita-kosovo.net", true },
   { "solidshield.com", true },
-  { "solidtuesday.com", true },
   { "solihullcarnival.co.uk", true },
   { "solihullinflatables.com", true },
   { "solihulllionsclub.org.uk", true },
@@ -34284,11 +35377,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "solomo.pt", true },
   { "solonotizie24.it", true },
   { "solos.im", true },
-  { "solsocog.de", true },
+  { "soloshu.co", true },
+  { "solsocog.de", false },
   { "soluphant.de", true },
   { "solutionhoisthire.com.au", true },
+  { "solutions-teknik.com", true },
   { "solvation.de", true },
   { "solve-it.se", true },
+  { "solve.co.uk", true },
   { "solved.tips", true },
   { "solvemethod.com", true },
   { "solvewebmedia.com", true },
@@ -34301,7 +35397,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "somanao.com", true },
   { "somcase.com.br", true },
   { "somecrazy.com", true },
-  { "somersetscr.nhs.uk", true },
   { "somersetwellbeing.nhs.uk", true },
   { "somethingsketchy.net", true },
   { "sommefeldt.com", true },
@@ -34316,7 +35411,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sonavankova.cz", true },
   { "sondergaard.de", true },
   { "sondersobk.dk", true },
-  { "songluck.com", true },
   { "songshuzuoxi.com", true },
   { "songsmp3.co", true },
   { "songsmp3.com", true },
@@ -34333,9 +35427,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sonic.studio", true },
   { "sonicdoe.com", true },
   { "sonixonline.com", true },
-  { "sonoecoracao.com.br", true },
   { "sonyunlock.nu", true },
-  { "soodwatthanaphon.net", true },
   { "soohealthy.nl", true },
   { "soomee.be", true },
   { "soomee1.be", true },
@@ -34343,7 +35435,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "soontm.net", true },
   { "soopure.nl", true },
   { "sooscreekdental.com", true },
-  { "soothemobilemassage.com.au", true },
   { "soph.jp", true },
   { "soph.us", true },
   { "sopher.io", true },
@@ -34368,25 +35459,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "soruly.com", true },
   { "sorz.org", true },
   { "sos-elettricista.it", true },
+  { "sos-fabbro.it", true },
   { "sos-falegname.it", true },
   { "sos-idraulico.it", true },
   { "sos-muratore.it", true },
-  { "sosesh.shop", true },
   { "sosoftplay.co.uk", true },
   { "sospromotions.com.au", true },
   { "sostacancun.com", true },
   { "sosteam.jp", true },
   { "sosteric.si", true },
+  { "sot.blue", true },
+  { "sot.red", true },
   { "sotadb.info", true },
   { "sotai.tk", true },
   { "sotar.us", true },
-  { "sotavasara.net", true },
   { "sotoasobi.net", true },
   { "sotthewes.nl", true },
   { "sou-co.jp", true },
   { "soubriquet.org", true },
   { "soufastnet.com.br", true },
   { "sougi-review.top", true },
+  { "souked.com", true },
   { "souki.cz", true },
   { "soukodou.jp", true },
   { "soul-source.co.uk", true },
@@ -34399,6 +35492,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "soumikghosh.com", true },
   { "soumya92.me", true },
   { "soundabout.nl", true },
+  { "soundbytemedia.com", true },
   { "soundeo.com", true },
   { "soundeo.net", true },
   { "soundhunter.xyz", false },
@@ -34407,18 +35501,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "soundscrate.com", true },
   { "soundtruckandautorepair.com", true },
   { "soupcafe.org", true },
-  { "souqtajmeel.com", true },
   { "sour.is", true },
   { "souravsaha.com", true },
   { "sourcebox.be", false },
   { "sourcecode.tw", true },
-  { "sourcely.net", true },
   { "sourceway.de", true },
   { "souris.ch", true },
+  { "sous-surveillance.net", false },
   { "southafrican.dating", true },
   { "southambouncycastle.co.uk", true },
   { "southamerican.dating", true },
   { "southbankregister.com.au", true },
+  { "southbendflooring.com", true },
   { "southcountyplumbing.com", true },
   { "southdakotahealthnetwork.com", true },
   { "southeastvalleyurology.com", true },
@@ -34454,6 +35548,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "space-it.de", true },
   { "space-y.cf", true },
   { "spacebaseapp.com", true },
+  { "spacebear.ee", true },
   { "spacedirectory.org", true },
   { "spacedots.net", true },
   { "spacehighway.ms", true },
@@ -34469,9 +35564,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spakurort.eu", true },
   { "spaldingwall.com", true },
   { "spamdrain.com", true },
-  { "spamwc.de", true },
   { "spanda.io", true },
   { "spanjeflydrive.nl", true },
+  { "spanner.works", true },
   { "spanyolul.hu", true },
   { "spar-ni.co.uk", true },
   { "sparanoid.com", true },
@@ -34487,6 +35582,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spartaconsulting.fi", true },
   { "spartacuslife.com", true },
   { "spartaermelo.nl", true },
+  { "sparxsolutions.be", true },
   { "spasicilia.it", true },
   { "spatzenwerkstatt.de", true },
   { "spaysy.com", true },
@@ -34494,19 +35590,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spaziopervoi.com.br", true },
   { "spazturtle.co.uk", true },
   { "spazzacamino.roma.it", true },
-  { "spd-pulheim-mitte.de", true },
+  { "spbet99.com", true },
   { "spdepartamentos.com.br", true },
   { "spdf.net", true },
   { "spdillini.com", true },
   { "speak-polish.com", true },
+  { "speakingdiligence.com", true },
   { "spearfishingmx.com", true },
   { "speargames.net", true },
   { "specdrones.us", true },
+  { "specialized-hosting.eu", true },
   { "specialproperties.com", true },
   { "specialtyalloys.ca", true },
   { "speciesism.com", true },
   { "spectroom.space", true },
-  { "spectrosoftware.de", true },
   { "spectrum.gov", true },
   { "spediscifiori.com", true },
   { "spedition-transport-umzug.de", true },
@@ -34521,6 +35618,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "speedsportofhull.co.uk", true },
   { "speedtailors.com", true },
   { "speedtest-russia.com", true },
+  { "speedwaybusinesspark.com", true },
   { "speeltoneel.nl", true },
   { "speerpunt.info", true },
   { "speets.ca", true },
@@ -34531,8 +35629,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spellcheckci.com", true },
   { "spellchecker.net", true },
   { "spenglerei-shop.de", true },
+  { "spenny.tf", true },
   { "sperandii.it", true },
   { "sperec.fr", true },
+  { "spero.solutions", true },
   { "sperrstun.de", true },
   { "spesys-services.fr", true },
   { "spha.info", true },
@@ -34547,14 +35647,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spidernet.tk", true },
   { "spideroak.com", true },
   { "spiders.org.ua", true },
-  { "spiel-teppich.de", true },
   { "spielezar.ch", true },
   { "spielland.ch", true },
   { "spiellawine.de", true },
+  { "spieltexte.de", true },
   { "spiet.nl", true },
   { "spiff.eu", true },
   { "spiga.ch", true },
   { "spikelands.com", true },
+  { "spilled.ink", true },
+  { "spillmaker.no", false },
   { "spilogkoder.dk", true },
   { "spinalien.net", false },
   { "spinalo.se", true },
@@ -34563,6 +35665,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spingenie.com", true },
   { "spins.fedoraproject.org", true },
   { "spinspin.wtf", true },
+  { "spira-group.eu", true },
+  { "spira.kiev.ua", true },
   { "spiralschneiderkaufen.de", true },
   { "spirella-shop.ch", true },
   { "spirit55555.dk", true },
@@ -34588,7 +35692,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spodelime.com", true },
   { "spokaneexteriors.com", true },
   { "spokanepolebuildings.com", true },
-  { "spoketwist.com", true },
   { "spoluck.ca", true },
   { "spolwind.de", true },
   { "spom.net", true },
@@ -34606,6 +35709,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sport-in-sundern.de", true },
   { "sport-potreby.cz", true },
   { "sport-potreby.sk", true },
+  { "sport-socken.net", true },
   { "sportabee.com", true },
   { "sportakrobatik.at", true },
   { "sportbetuwe.nl", true },
@@ -34628,8 +35732,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sportxt.ru", true },
   { "spot-lumiere-led.com", true },
   { "spotrebitelskecentrum.sk", true },
+  { "spotswoodvet.com", true },
   { "spottedpenguin.co.uk", true },
-  { "spotteredu.com", true },
   { "spotupload.com", true },
   { "sppin.fr", true },
   { "sprachfreudehoch3.de", true },
@@ -34640,21 +35744,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "spreadthenews.eu", true },
   { "spree.co.za", true },
   { "spreed.me", true },
+  { "spricknet.de", true },
   { "springerundpartner.de", true },
   { "springfieldbricks.com", true },
   { "springhillmaine.com", true },
-  { "springreizen.nl", true },
   { "sprinklermanohio.com", true },
   { "spritmonitor.de", true },
   { "spritsail.io", true },
+  { "spro.in", true },
   { "sproktz.com", true },
   { "spron.in", true },
+  { "sproutways.com", true },
   { "sprucecreekclubs.com", true },
   { "sprucecreekgcc.com", true },
   { "sps-lehrgang.de", true },
   { "spslawoffice.com", true },
   { "spsnewengland.org", true },
+  { "spt.re", true },
   { "sptk.org", true },
+  { "sptr.blog", true },
   { "spuffin.com", true },
   { "spufpowered.com", true },
   { "spunkt.fr", true },
@@ -34670,10 +35778,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sqlfeatures.com", true },
   { "sqr-training.com", true },
   { "sqroot.eu", true },
+  { "sqsd.xyz", true },
   { "square-gaming.org", true },
   { "square-src.de", false },
   { "square.com", false },
-  { "squarelab.it", true },
   { "squareup.com", false },
   { "squawk.cc", true },
   { "squeakql.online", true },
@@ -34725,6 +35833,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ssl.doctor", true },
   { "ssl.google-analytics.com", true },
   { "ssl.md", true },
+  { "ssl24.pl", true },
   { "ssl247.co.uk", true },
   { "ssl247.com.mx", true },
   { "ssl247.de", true },
@@ -34737,7 +35846,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ssldecoder.org", true },
   { "ssldev.net", true },
   { "sslmate.com", true },
-  { "sslok.com", true },
+  { "sslok.com", false },
   { "sslping.com", true },
   { "sslpoint.com", true },
   { "ssls.cz", true },
@@ -34751,6 +35860,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ssrfq.com", true },
   { "sssppp.gq", true },
   { "sstaging.com", true },
+  { "sstewartgallus.com", true },
   { "ssuc.net", true },
   { "ssuiteoffice.com", true },
   { "ssuitesoft.com", true },
@@ -34768,6 +35878,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stacklasvegas.com", true },
   { "stackpath.com", true },
   { "stackptr.com", true },
+  { "stacktile.io", false },
   { "stackunderflow.com", true },
   { "staddlestonesbowness.co.uk", true },
   { "stadm.com", true },
@@ -34776,6 +35887,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stadtbauwerk.at", false },
   { "stadtbuecherei-bad-wurzach.de", true },
   { "stadterneuerung-hwb.de", true },
+  { "stadtkapelle-oehringen.de", true },
   { "stadtpapa.de", true },
   { "stadtplan-ilmenau.de", true },
   { "staer.ro", true },
@@ -34789,12 +35901,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stageirites.org", true },
   { "stahlfors.com", true },
   { "stainedglass.net.au", true },
+  { "stainternational.com", true },
   { "stair.ch", true },
   { "stairfallgames.com", true },
   { "stairlin.com", true },
   { "staklim-malang.info", true },
   { "stako.jp", true },
   { "staktrace.com", true },
+  { "stal-rulon.ru", true },
   { "stalder.work", true },
   { "staljedevledder.nl", true },
   { "stalker-shop.com", true },
@@ -34819,6 +35933,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stanthonymaryclaret.org", true },
   { "staparishgm.org", true },
   { "star-clean.it", true },
+  { "star.watch", true },
   { "starcoachservices.ca", true },
   { "starcomproj.com", true },
   { "stardanceacademy.net", true },
@@ -34829,7 +35944,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stargatelrp.co.uk", true },
   { "stargazer.de", true },
   { "starina.ru", true },
-  { "starinvestors.in", true },
   { "starka.st", true },
   { "starkbim.com", true },
   { "starking.net.cn", true },
@@ -34838,24 +35952,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "starmtech.fr", true },
   { "starpeak.org", true },
   { "starphotoboothsni.co.uk", true },
+  { "starport.com.au", true },
   { "starsam80.net", true },
   { "starsguru.com", true },
   { "starsing.bid", true },
   { "starskim.cn", true },
   { "starstreak.net", false },
   { "startaninflatablebusiness.com", true },
+  { "startanull.ru", true },
   { "startergen.com", true },
   { "startlab.sk", true },
   { "startle.cloud", true },
+  { "startliste.info", true },
   { "startpage.com", true },
   { "startpage.info", true },
   { "startrek.in", true },
-  { "startsamenvitaal.nu", true },
   { "starttls-everywhere.org", true },
   { "starttraffic.com", true },
   { "starttraffic.uk", true },
   { "startupgenius.org", true },
   { "starwins.co.uk", true },
+  { "stassi.ch", false },
   { "stastka.ch", true },
   { "stat.ink", true },
   { "statebuildinggroup.com", true },
@@ -34897,6 +36014,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stcu.org", false },
   { "std-home-test.com", true },
   { "stderr.cc", true },
+  { "stdev.top", true },
   { "stdrc.cc", false },
   { "steakhaus-zumdorfbrunnen.de", true },
   { "steakovercooked.com", true },
@@ -34911,12 +36029,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "steamtrades.com", true },
   { "steamwhale.com", true },
   { "stebet.net", true },
-  { "steborio.pw", true },
-  { "steckel.cc", true },
   { "stedb.eu", true },
   { "stedbg.net", true },
   { "steef389.eu", true },
   { "steel-roses.de", true },
+  { "steelbeasts.org", true },
   { "steelephys.com.au", true },
   { "steelmounta.in", true },
   { "steemit.com", true },
@@ -34947,7 +36064,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stella-artis-ensemble.at", true },
   { "stellarguard.me", true },
   { "stellarium-gornergrat.ch", true },
-  { "stellen.ch", true },
+  { "stellarx.com", true },
   { "stelleninserate.de", true },
   { "stellenticket.de", true },
   { "stellmacher.name", true },
@@ -34966,8 +36083,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stephenhaunts.com", true },
   { "stephenhorler.com.au", true },
   { "stephenj.co.uk", true },
-  { "stephenjvoiceovers.com", true },
   { "stephenperreira.com", true },
+  { "stephenreescarter.com", true },
+  { "stephenreescarter.net", true },
   { "stephenschrauger.com", true },
   { "stephenschrauger.info", true },
   { "stephenschrauger.net", true },
@@ -34993,15 +36111,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sternenbund.info", true },
   { "sternplastic.com", true },
   { "sternsinus.com", true },
+  { "stetson.edu", true },
   { "stetspa.it", true },
   { "steuer-voss.de", true },
   { "steuerberater-essen-steele.com", true },
   { "steuerkanzlei-edel.de", true },
-  { "steuerkanzlei-und-wirtschaftsberater-manke.de", true },
   { "steuern-recht-wirtschaft.de", true },
   { "steuerseminare-graf.de", true },
   { "steuertipps-sonderausgaben.de", true },
-  { "steve.kiwi", true },
   { "steveborba.com", true },
   { "stevecostar.com", true },
   { "stevedesmond.ca", true },
@@ -35016,23 +36133,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stevenroddis.com", true },
   { "stevens.se", false },
   { "steventress.com", true },
-  { "steventruesdell.com", true },
   { "stevenwooding.com", true },
   { "stevenz.net", true },
   { "stevenz.science", true },
   { "stevenz.xyz", true },
   { "stevesdrivingschooltyneside.com", true },
   { "stewartswines.com", true },
-  { "stewpolley.com", true },
+  { "stewpolley.com", false },
   { "steyaert.be", false },
   { "stforex.com", false },
   { "stfrancisnaugatuck.org", true },
   { "stfw.info", true },
   { "stgabrielstowepa.org", true },
+  { "stgeorgecomfortinn.com", true },
   { "stgeorgegolfing.com", true },
   { "stgm.org", true },
   { "sthenryrc.org", true },
   { "stian.net", true },
+  { "stichtingdemuziekkamer.nl", true },
   { "stichtingliab.nl", true },
   { "stichtingscholierenvervoerzeeland.nl", true },
   { "stichtingsticky.nl", true },
@@ -35040,11 +36158,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stickandpoketattookit.com", true },
   { "stickeramoi.com", true },
   { "stickergiant.com", true },
-  { "stickertuningfetzt.de", false },
+  { "stickertuningfetzt.de", true },
   { "stickies.io", true },
   { "stickmanventures.com", true },
   { "stickstueb.de", true },
-  { "stiens.de", true },
   { "stift-kremsmuenster.at", true },
   { "stiftemaskinen.no", true },
   { "stigharder.com", true },
@@ -35054,7 +36171,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stikic.me", true },
   { "stilartmoebel.de", true },
   { "stilecop.com", true },
-  { "stillnessproject.com", true },
   { "stilmobil.se", true },
   { "stiltmedia.com", true },
   { "stimmgabel.lu", true },
@@ -35071,12 +36187,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stitchfiddle.com", true },
   { "stitchinprogress.com", true },
   { "stivesbouncycastlehire.co.uk", true },
+  { "stjameslititz.org", true },
   { "stjohnin.com", true },
   { "stjohnsottsville.org", true },
   { "stjoseph-stcatherine.org", true },
+  { "stjosephri.org", true },
+  { "stjosephsoswego.com", true },
   { "stjosephspringcity.com", true },
+  { "stjosephtheworker.net", true },
   { "stjscatholicchurch.org", true },
   { "stjustin.org", true },
+  { "stkevin-stbenedict.org", true },
   { "stln.ml", true },
   { "stlu.de", true },
   { "stlukenh.org", true },
@@ -35087,24 +36208,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stmarkseagirt.com", true },
   { "stmarthachurch.com", true },
   { "stmaryextra.uk", true },
+  { "stmarysnutley.org", true },
+  { "stmaryswestwarwick.org", true },
+  { "stmatthewri.org", true },
   { "stmattsparish.com", true },
   { "stmichaellvt.com", true },
   { "stmichaelunion.org", true },
-  { "stmkza.net", true },
   { "stmlearning.com", true },
   { "stmsolutions.pl", true },
   { "stneotsbouncycastlehire.co.uk", true },
+  { "stnevis.ru", true },
   { "stockpile.com", true },
   { "stockrow.com", true },
   { "stockstuck.com", true },
   { "stocktout.info", true },
   { "stocktrader.com", true },
+  { "stocp.org", true },
   { "stodieck.com", true },
   { "stoebermehl.at", true },
   { "stoffelnet.de", true },
   { "stogiesandmash.com", true },
   { "stokvistrading.nl", true },
-  { "stolbart.com", true },
   { "stolin.info", true },
   { "stolina.de", false },
   { "stolkpotplanten.nl", true },
@@ -35113,19 +36237,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stolpi.is", true },
   { "stomt.com", true },
   { "stoneagehealth.com.au", true },
+  { "stonechatjewellers.ie", true },
   { "stonedworms.de", true },
-  { "stonefusion.org.uk", true },
+  { "stoneedgeconcrete.com", true },
   { "stonehammerhead.org", true },
   { "stonehurstcap.com", true },
+  { "stonewuu.com", true },
   { "stony.com", true },
   { "stonystratford.org", true },
   { "stopbullying.gov", true },
   { "stopfraud.gov", false },
+  { "stopjunkmail.co.uk", true },
   { "stopthethyroidmadness.com", true },
   { "storageideas.uk", true },
   { "stordbatlag.no", true },
   { "storedsafe.com", true },
   { "storeit.co.uk", true },
+  { "storeprice.co.uk", true },
   { "storillo.com", true },
   { "storm-family.com", true },
   { "stormi.io", true },
@@ -35140,35 +36268,36 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stouter.nl", true },
   { "stoxford.com", true },
   { "stpatrickbayshore.org", true },
+  { "stpatrickkennettsquare.org", true },
+  { "stpatrickri.org", true },
+  { "stpatricks-pelham.com", true },
+  { "stpaulcatholicchurcheastnorriton.net", true },
+  { "str8hd.com", true },
   { "straatderzotten.nl", true },
   { "strafensau.de", true },
+  { "strafvollzugsgesetze.de", true },
   { "strahlende-augen.info", true },
-  { "straightedgebarbers.ca", true },
   { "strajnar.si", true },
   { "straka.name", true },
+  { "strandedinotter.space", true },
+  { "strandom.ru", true },
   { "strandschnuppern.de", true },
   { "strangelane.com", true },
   { "strangemusicinc.com", true },
   { "strangemusicinc.net", true },
+  { "strangeways.ca", true },
+  { "straphael-holyangels.com", true },
   { "strate.io", true },
   { "strategiccapital.com", true },
   { "strategiclivingblog.com", true },
   { "strategie-zone.de", true },
   { "strathewerd.de", true },
   { "stratmann-b.de", true },
-  { "stratuscloud.co.za", true },
-  { "stratuscloudconsulting.cn", true },
-  { "stratuscloudconsulting.co.uk", true },
-  { "stratuscloudconsulting.co.za", true },
-  { "stratuscloudconsulting.com", true },
-  { "stratuscloudconsulting.in", true },
-  { "stratuscloudconsulting.info", true },
-  { "stratuscloudconsulting.net", true },
-  { "stratuscloudconsulting.org", true },
   { "straubis.org", true },
   { "strauser.com", true },
   { "stravers.shoes", true },
   { "strawberry-laser.gr", true },
+  { "streamblur.net", true },
   { "streamchan.org", true },
   { "streamelements.com", true },
   { "streamkit.gg", true },
@@ -35177,6 +36306,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "street-smart-home.de", true },
   { "street-tek.com", true },
   { "streetdancecenter.com", true },
+  { "streetlightdata.com", true },
   { "streetmarket.ru", true },
   { "streets.mn", true },
   { "streetshirts.co.uk", true },
@@ -35191,7 +36321,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "striatadev.com", true },
   { "stricted.net", true },
   { "strictlyguitar.de", true },
-  { "strictlynormal.com", true },
   { "strijkshop.be", true },
   { "stringtoolbox.com", true },
   { "stringvox.com", true },
@@ -35202,6 +36331,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "strobeltobias.de", true },
   { "strobeto.de", true },
   { "strobotti.com", true },
+  { "stroccounioncity.org", true },
+  { "stroeder.com", true },
   { "stroeerdigital.de", true },
   { "stroginohelp.ru", true },
   { "strom.family", true },
@@ -35217,14 +36348,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "strosemausoleum.com", true },
   { "stroseoflima.com", true },
   { "strozik.de", true },
+  { "strrl.com", true },
   { "structurally.net", true },
   { "structure.systems", true },
   { "strugee.net", true },
   { "strutta.me", true },
   { "strydom.me.uk", true },
   { "stsolarenerji.com", true },
+  { "ststanislaus.com", true },
   { "ststanstrans.org", true },
   { "stt.wiki", true },
+  { "sttg.com.au", true },
   { "stthomasbrigantine.org", true },
   { "stuartbell.co.uk", true },
   { "stuarteggerton.com", true },
@@ -35241,20 +36375,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "student-eshop.sk", true },
   { "studentfinancecountdown.com", true },
   { "studentforums.biz", true },
+  { "studentklinikk.no", true },
   { "studentloans.gov", true },
   { "studentpop.com", true },
   { "studentrightsadvocate.org", true },
   { "studentse.fr", true },
   { "studenttenant.com", true },
   { "studiebegeleiding-haegeman.be", true },
-  { "studiemeter.nl", true },
   { "studienportal.eu", true },
   { "studienservice.de", true },
-  { "studiereader.nl", true },
   { "studio-637.com", true },
   { "studio-architetto.com", true },
+  { "studio-art.pro", true },
   { "studio-fotografico.ru", true },
-  { "studio-webdigi.com", true },
+  { "studio-happyvalley.com", true },
   { "studio44.fit", true },
   { "studioadevents.com", true },
   { "studioavvocato24.it", true },
@@ -35262,6 +36396,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "studiodentisticosanmarco.it", true },
   { "studiodewit.nl", true },
   { "studiogavioli.com", true },
+  { "studiogears.com", true },
   { "studiograou.com", true },
   { "studiohelder.fr", false },
   { "studiohomebase.amsterdam", true },
@@ -35276,10 +36411,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "studioscherp.nl", true },
   { "studiostawki.com", true },
   { "studiostudio.net", true },
+  { "studiosus-gruppenreisen.com", true },
+  { "studiosus.com", true },
   { "studiotheatrestains.fr", true },
   { "studiovaud.com", true },
   { "studipro-formation.fr", true },
   { "studipro-marketing.fr", true },
+  { "studisys.net", true },
   { "studium.cz", true },
   { "studyin.jp", true },
   { "studyspy.ac.nz", true },
@@ -35288,7 +36426,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stuetzredli.ch", true },
   { "stuffi.fr", true },
   { "stuffie.org", true },
-  { "stuffiwouldbuy.com", true },
   { "stuka-art.de", true },
   { "stulda.cz", false },
   { "stumeta.de", true },
@@ -35297,8 +36434,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stuntmen.xyz", true },
   { "stupendous.net", false },
   { "stutelage.com", true },
-  { "stuttgart-gablenberg.de", true },
-  { "stuudium.cloud", true },
   { "stuudium.com", true },
   { "stuudium.net", true },
   { "stuudium.org", true },
@@ -35309,6 +36444,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "stuvus.uni-stuttgart.de", true },
   { "stw-group.at", true },
   { "stygium.net", false },
+  { "stylebajumuslim.com", true },
   { "styleci.io", true },
   { "stylecollective.us", true },
   { "styles.pm", true },
@@ -35324,6 +36460,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "subastasdecarros.net", true },
   { "subculture.live", true },
   { "subdev.org", true },
+  { "subdimension.org", true },
   { "sublimebits.com", true },
   { "sublocale.com", true },
   { "submedia.tv", true },
@@ -35333,13 +36470,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "subrosr.com", true },
   { "subsistence.wiki", true },
   { "substitutealert.com", true },
-  { "subterfuge.io", true },
   { "suburban-landscape.net", true },
   { "suburbaninfinitioftroyparts.com", true },
   { "subversive-tech.com", true },
+  { "subzerotech.co.uk", true },
   { "succ.in", true },
   { "succesprojekter.dk", true },
   { "successdeliv.com", true },
+  { "suche.org", true },
   { "suchmaschinen-werkstatt.de", true },
   { "suckmyan.us", false },
   { "sucretown.net", true },
@@ -35367,7 +36505,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "suggea.com", true },
   { "suggestim.ch", true },
   { "suisui.stream", true },
-  { "suited21.com", true },
   { "suitesapp.com", true },
   { "sujal.com", true },
   { "sujatadev.in", true },
@@ -35384,13 +36521,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sullenholland.nl", true },
   { "suluvir.com", true },
   { "sumguy.com", true },
-  { "summa-prefis.com", true },
   { "summa.eu", false },
   { "summercampthailand.com", true },
   { "summershomes.com", true },
-  { "sumoatm.com", false },
   { "sumthing.com", true },
-  { "sun-leo.co.jp", true },
   { "sunboxstore.jp", true },
   { "sunbritetv.com", true },
   { "sunchasercats.com", true },
@@ -35403,11 +36537,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sunfox.cz", true },
   { "sunfulong.blog", true },
   { "sunfulong.me", true },
+  { "sungreen.info", true },
   { "sunjaydhama.com", true },
   { "sunjiutuo.com", true },
   { "sunlit.cloud", true },
   { "sunn.ie", true },
+  { "sunny.co.uk", true },
+  { "sunnylyx.com", true },
+  { "sunnysidechurchofchrist.org", true },
   { "sunoikisis.org", true },
+  { "sunred.info", true },
+  { "sunred.org", true },
   { "sunsetwx.com", true },
   { "sunshinesf.org", true },
   { "sunsmartresorts.com", true },
@@ -35439,12 +36579,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "superguide.com.au", true },
   { "superhappiness.com", true },
   { "superhome.com.au", true },
+  { "superidropulitrice.com", true },
   { "supermae.pt", true },
+  { "supermarx.nl", true },
   { "supermercadosdia.com.ar", true },
   { "supermercato24.it", true },
   { "supermil.ch", true },
   { "supern0va.net", true },
   { "supernaut.info", true },
+  { "supernt.lt", true },
   { "supersec.es", true },
   { "supersole.net", true },
   { "supersonnig-festival.de", true },
@@ -35457,7 +36600,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "supertechcrew.com", true },
   { "supertutorial.com.br", true },
   { "supervisionassist.com", true },
-  { "superway.es", true },
   { "supeuro.com", true },
   { "supioka.com", true },
   { "supmil.net", true },
@@ -35477,23 +36619,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "supriville.com.br", true },
   { "sur-v.com", true },
   { "surao.cz", true },
-  { "surasak.io", true },
   { "surasak.net", true },
   { "surasak.org", true },
-  { "surdam.casa", true },
   { "sure-it.de", true },
   { "surefit-oms.com", true },
   { "suretone.co.za", true },
   { "surfnetkids.com", true },
+  { "surfnetparents.com", true },
   { "surfocal.com", true },
   { "surgenet.nl", true },
   { "surgeongeneral.gov", true },
   { "surgicalassociateswny.com", true },
   { "suroil.com", true },
   { "surpreem.com", true },
+  { "surrealcoder.com", true },
   { "surreyheathyc.org.uk", true },
   { "suruifu.com", true },
-  { "suruifu.tk", true },
   { "survature.com", true },
   { "surveillance104.com", true },
   { "surveyhealthcare.com", true },
@@ -35503,9 +36644,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "susanbpilates.com", true },
   { "susann-kerk.de", true },
   { "susanna-komischke.de", true },
-  { "susanvelez.com", true },
   { "susc.org.uk", true },
   { "sush.us", true },
+  { "sushi.roma.it", true },
   { "sushibesteld.nl", true },
   { "sushikatze.de", true },
   { "susosudon.com", true },
@@ -35528,6 +36669,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sv-turm-hohenlimburg.de", true },
   { "sv.search.yahoo.com", false },
   { "svager.cz", true },
+  { "svak-gutachter.de", true },
   { "svallee.fr", false },
   { "svanstrom.com", true },
   { "svanstrom.org", true },
@@ -35540,7 +36682,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "svdb.co", false },
   { "svdreamcatcher.com", true },
   { "sveinerik.org", true },
-  { "svendubbeld.nl", true },
   { "sveneckelmann.de", true },
   { "svenjaundchristian.de", true },
   { "svenluijten.com", false },
@@ -35555,19 +36696,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "svm-it.eu", true },
   { "svobodnyblog.cz", true },
   { "svorcikova.cz", true },
+  { "svsb-live.azurewebsites.net", false },
   { "sw-servers.net", true },
   { "sw33tp34.com", true },
+  { "swagsocial.net", true },
   { "swankism.com", true },
   { "swansdoor.org", true },
   { "swap.gg", true },
   { "swapadoodle.com", true },
   { "swaptaxdata.com", true },
   { "swarfarm.com", true },
-  { "swarlys-server.de", true },
+  { "swarovski-lov.cz", true },
   { "swat4stats.com", true },
   { "swattransport.ae", true },
   { "sway-cdn.com", true },
   { "swd.agency", true },
+  { "swe77.com", true },
+  { "swe777.com", true },
   { "sweak.net", true },
   { "swedishhost.com", true },
   { "swedishhost.se", true },
@@ -35575,12 +36720,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sweepay.ch", true },
   { "sweet-as.co.uk", true },
   { "sweet-orr.com", true },
+  { "sweet-spatula.com", true },
   { "sweetair.com", true },
   { "sweetbridge.com", true },
   { "sweetgood.de", true },
   { "sweethomesnohomishrenovations.com", true },
   { "sweets-mimatsu.com", true },
-  { "swehack.org", true },
   { "sweharris.org", true },
   { "swerve-media-testbed-03.co.uk", true },
   { "swetrust.com", true },
@@ -35590,7 +36735,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "swiftqueue.com", true },
   { "swilly.org", true },
   { "swimbee.nl", true },
-  { "swimmingpoolaccidentattorney.net", true },
   { "swimready.net", true },
   { "swimwear365.co.uk", true },
   { "swineson.me", true },
@@ -35602,14 +36746,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "swiss-cyber-experts.ch", true },
   { "swiss-vanilla.ch", true },
   { "swiss-vanilla.com", true },
-  { "swisscannabis.club", true },
   { "swissdojo.ch", true },
   { "swisselement365.com", true },
   { "swissfreshaircan.ch", true },
   { "swissid.ch", true },
   { "swisslinux.org", true },
   { "swisstechassociation.ch", true },
-  { "swisstechtalks.ch", true },
   { "swissvanilla.ch", true },
   { "swissvanilla.com", true },
   { "switch-trader.com", true },
@@ -35618,6 +36760,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "switcheo.rocks", true },
   { "switzerland-family-office.com", true },
   { "swivells.com", true },
+  { "swkdevserver.tk", true },
+  { "swktestserver.tk", true },
   { "swn-nec.de", true },
   { "swordfeng.xyz", true },
   { "swqa.hu", true },
@@ -35630,8 +36774,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sy-anduril.de", true },
   { "sy24.ru", true },
   { "syajvo.if.ua", true },
+  { "syakonavi.com", true },
   { "syamutodon.xyz", true },
   { "sycamorememphis.org", true },
+  { "sychov.pro", true },
   { "sydney-sehen.com", true },
   { "sydney.dating", true },
   { "sydneyhelicopters.com.au", true },
@@ -35639,9 +36785,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "syenar.net", true },
   { "syezd.com.au", true },
   { "syha.org.uk", true },
-  { "syhost.at", true },
-  { "syhost.ch", true },
-  { "syhost.de", true },
   { "sykepleien.no", false },
   { "sylaps.com", true },
   { "syleam.in", true },
@@ -35650,8 +36793,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sylvaindurand.fr", true },
   { "sylvaindurand.org", true },
   { "sylvaloir.fr", true },
-  { "sylvan.me", true },
-  { "sylvangarden.net", true },
   { "sylve.ch", true },
   { "sym01.com", true },
   { "symb.ch", true },
@@ -35660,7 +36801,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "symbiose-immobilier.ch", true },
   { "symbiose.com", true },
   { "symbiosecom.ch", true },
+  { "symdevinc.com", true },
   { "symeda.de", true },
+  { "symetria.io", true },
   { "symfora-meander.nl", true },
   { "symlnk.de", true },
   { "symphonos.it", true },
@@ -35669,6 +36812,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "symptome-erklaert.de", true },
   { "synabi.com", true },
   { "synack.uk", true },
+  { "synackr.net", true },
   { "synaptickz.me", true },
   { "synatra.co", true },
   { "sync-it.no", true },
@@ -35678,6 +36822,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "synchrolarity.com", true },
   { "synchronicity.cz", true },
   { "synchronyse.com", true },
+  { "synchtu.be", false },
   { "syncrise.co.jp", true },
   { "syneart.com", true },
   { "synecek11.cz", true },
@@ -35692,7 +36837,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "syntheticgrassliving.com.au", true },
   { "syntheticurinereview.com", true },
   { "synthetik.com", true },
-  { "syoier.com", true },
   { "syplasticsurgery.com", true },
   { "syriatalk.biz", true },
   { "syriatalk.org", true },
@@ -35710,6 +36854,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "system.is", true },
   { "system12.pl", true },
   { "system365.eu", true },
+  { "system4travel.com", true },
   { "systemadmin.uk", true },
   { "systematic-momo.com", true },
   { "systematic-momo.dk", true },
@@ -35729,7 +36874,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "sysystems.cz", true },
   { "syt3.net", true },
   { "syukatsu-net.jp", true },
-  { "syunpay.cn", true },
   { "syy.im", true },
   { "syzygy-tables.info", true },
   { "sz-ideenlos.de", true },
@@ -35738,24 +36882,26 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "szaloneigly.com", true },
   { "szamitogepdepo.com", true },
   { "szaydon.me", false },
+  { "szc.me", true },
   { "szclsya.me", true },
-  { "szczot3k.pl", true },
   { "szechenyi2020.hu", true },
   { "szentistvanpt.sk", true },
+  { "szepsegbennedrejlik.hu", true },
   { "szerelem.love", true },
+  { "szeretekvajpolni.hu", true },
   { "szetowah.org.hk", true },
   { "szunia.com", true },
   { "szybkiebieganie.pl", true },
   { "szyndler.ch", true },
   { "szzsivf.com", true },
   { "t-hawk.com", true },
+  { "t-m.me", true },
   { "t-net.org.hu", true },
   { "t-shirts4less.nl", true },
   { "t-stonegroup.com", true },
   { "t.facebook.com", false },
+  { "t0ny.name", true },
   { "t12u.com", true },
-  { "t2000headphones.com", true },
-  { "t2000laserpointers.com", true },
   { "t23m-navi.jp", false },
   { "t2i.nl", true },
   { "t47.io", true },
@@ -35763,10 +36909,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "t4cc0.re", true },
   { "t5118.com", true },
   { "t7e.de", false },
+  { "t9i.in", true },
   { "ta-65.com", true },
   { "ta-sports.net", true },
   { "ta65.com", true },
   { "taabe.net", true },
+  { "taalcursusvolgen.nl", true },
   { "taartbesteld.nl", true },
   { "tabarnak.ga", true },
   { "tabernadovinho.com.br", true },
@@ -35779,6 +36927,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tablescraps.com", true },
   { "tablet.facebook.com", false },
   { "tabletd.com", true },
+  { "tabletsbaratasya.com", true },
   { "tablotv.com", false },
   { "taborsky.cz", true },
   { "tac-volley.com", true },
@@ -35786,11 +36935,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tacklinglife.com", true },
   { "tacklog.com", true },
   { "tacomafia.net", true },
-  { "tacostea.net", true },
   { "tacticalsquare.com", true },
   { "taddiestales.com", true },
   { "tadeo.ca", true },
   { "tadiranbatteries.de", true },
+  { "tadj-mahalat.com", true },
+  { "tadlab.cl", true },
   { "tadluedtke.com", true },
   { "tadtadya.com", true },
   { "tadu.de", true },
@@ -35804,12 +36954,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tagungsraum-usedom.de", true },
   { "tagungsraum-zinnowitz.de", true },
   { "tahavu.com", true },
+  { "taherian.me", true },
   { "tahosa.co", true },
   { "tahosalodge.org", true },
   { "tailpuff.net", false },
   { "tails.boum.org", true },
   { "taimane.com", true },
   { "taiphanmem.net", true },
+  { "taishokudaiko.com", true },
   { "taishon.nagoya", true },
   { "taitmacleod.com", true },
   { "taiwan.dating", true },
@@ -35853,10 +37005,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "talkwithyourbaby.org", true },
   { "tallcraft.com", true },
   { "talldude.net", true },
+  { "tallinnsec.ee", true },
+  { "tallinnsex.ee", true },
   { "talltreeskv.com.au", true },
   { "tallyfy.com", true },
   { "talon.rip", true },
-  { "talroo.com", true },
   { "talun.de", true },
   { "tam-moon.com", true },
   { "tam-safe.com", true },
@@ -35865,26 +37018,25 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tamasszabo.net", true },
   { "tambre.ee", true },
   { "tamchunho.com", true },
+  { "tamersunion.org", true },
   { "tamindir.com", true },
   { "tamirson.com", true },
   { "tammy.pro", true },
   { "tampabaybusinesslistings.com", true },
   { "tamposign.fr", true },
+  { "tamriel-rebuilt.org", true },
   { "tanacio.com", true },
   { "tanak3n.xyz", false },
   { "tancredi.nl", true },
   { "tandem-trade.ru", false },
   { "tandemexhibits.com", true },
   { "tandempartnerships.com", true },
-  { "tandilmap.com.ar", true },
   { "tandk.com.vn", true },
   { "tandzorg.link", true },
   { "tangel.me", true },
   { "tangemann.org", true },
-  { "tango-cats.de", true },
   { "tango-ouest.com", true },
   { "tangoalpha.co.uk", true },
-  { "tanhit.com", true },
   { "taniafitness.co.uk", true },
   { "taniafitness.com", true },
   { "tanie-uslugi-ksiegowe.pl", true },
@@ -35913,7 +37065,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "taprix.org", true },
   { "tapsnapp.co", true },
   { "taquilla.com", true },
-  { "taqun.club", true },
   { "tar-mag.com", true },
   { "taranis.re", true },
   { "tarasecurity.co.uk", true },
@@ -35926,12 +37077,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tariff.cc", true },
   { "tarik.io", true },
   { "tarmexico.com", true },
-  { "tarots-et-oracles.com", true },
+  { "taron.top", true },
+  { "tarot-cartas.com", true },
   { "tarsan.cz", true },
   { "tartaneagle.org.uk", true },
   { "tartanhamedshop.com.br", true },
   { "taruntarun.net", true },
   { "tas2580.net", false },
+  { "tasadordecoches.com", true },
+  { "tascuro.com", true },
   { "taskin.me", true },
   { "taskotron.fedoraproject.org", true },
   { "taskotron.stg.fedoraproject.org", true },
@@ -35956,13 +37110,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tattvaayoga.com", true },
   { "tatuantes.com", true },
   { "taunhanh.us", true },
-  { "tauschen.info", true },
+  { "taustyle.ru", true },
   { "tavolaquadrada.com.br", true },
   { "tavsys.net", true },
   { "tax-guard.com", true },
   { "taxaroo.com", true },
   { "taxaudit.com", true },
-  { "taxi-24std.de", false },
   { "taxi-chamonix.fr", true },
   { "taxi-collectif.ch", true },
   { "taxi-jihlava.cz", true },
@@ -35974,6 +37127,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "taxisafmatosinhos.pt", true },
   { "taxiscollectifs.ch", true },
   { "taxlab.co.nz", true },
+  { "taxo.fi", true },
   { "taxpackagesupport.com", true },
   { "taxsquirrel.com", true },
   { "taylorpearson.me", false },
@@ -35994,7 +37148,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tbuchloh.de", true },
   { "tc-st-leonard.ch", true },
   { "tc.nz", true },
-  { "tcacademy.co.uk", true },
+  { "tcade.co", true },
   { "tcb-a.org", true },
   { "tcb-b.org", true },
   { "tccmb.com", true },
@@ -36003,12 +37157,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tcf.org", true },
   { "tcgforum.pl", true },
   { "tcgrepublic.com", true },
-  { "tchaka.top", true },
   { "tchannels.tv", true },
   { "tchebb.me", true },
   { "tchebotarev.com", true },
   { "tchnics.de", true },
   { "tchoukball.ch", true },
+  { "tcit.fr", true },
   { "tcmwellnessclinic.com", true },
   { "tcnapplications.com", true },
   { "tcpweb.net", true },
@@ -36018,15 +37172,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tdchrom.com", true },
   { "tdfbfoundation.org", true },
   { "tdrcartuchos.com.br", true },
+  { "tdro.cf", true },
   { "tdrs.info", true },
   { "tdsf.io", true },
   { "tdsinflatables.co.uk", true },
   { "tdude.co", true },
   { "tea.codes", true },
+  { "tea.in.th", true },
   { "teabagdesign.co.uk", true },
+  { "teachbiz.net", true },
   { "teachercreatedmaterials.com", true },
   { "teacherph.com", true },
   { "teacherpowered.org", true },
+  { "teachertool.io", true },
   { "teachingcopyright.com", true },
   { "teachingcopyright.net", true },
   { "teachingcopyright.org", true },
@@ -36036,8 +37194,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teachwithouttears.com", true },
   { "teahut.net", true },
   { "team-azerty.com", true },
-  { "team-bbd.com", true },
-  { "team-pancake.eu", true },
   { "team.house", true },
   { "team3482.com", true },
   { "teambeam.at", true },
@@ -36056,9 +37212,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teampaddymurphy.ch", true },
   { "teampaddymurphy.ie", true },
   { "teamsimplythebest.com", true },
+  { "teamspeak-serverlist.xyz", true },
   { "teamtouring.net", true },
   { "teamtrack.uk", true },
-  { "teamtravel.co", true },
   { "teamup.com", true },
   { "teamup.rocks", true },
   { "teamupturn.com", true },
@@ -36077,6 +37233,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tech-clips.com", false },
   { "tech-director.ru", true },
   { "tech-essential.com", true },
+  { "tech-info.jp", true },
   { "tech-rat.com", true },
   { "tech-seminar.jp", true },
   { "tech-value.eu", true },
@@ -36087,10 +37244,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "techamigo.in", true },
   { "techarea.fr", true },
   { "techaulogy.com", true },
-  { "techbelife.com", true },
-  { "techbrawl.org", true },
   { "techbrown.com", true },
-  { "techcentric.com", false },
   { "techcracky.com", true },
   { "techcultivation.de", false },
   { "techcultivation.net", false },
@@ -36099,32 +37253,38 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "techdroid.eu", true },
   { "techendeavors.com", true },
   { "techformator.pl", true },
+  { "techforthepeople.org", true },
   { "techglover.com", true },
   { "techhappy.ca", true },
   { "techinet.pl", true },
   { "techinsurance.com", true },
   { "techjoe.co", true },
+  { "techmagus.icu", true },
   { "techmajesty.com", true },
   { "techmasters.io", true },
+  { "techmoviles.com", true },
   { "techmunchies.net", false },
   { "technic3000.com", true },
   { "technicabv.nl", true },
   { "technicalbrothers.cf", true },
   { "technicallyeasy.net", true },
-  { "technifocal.com", true },
+  { "technicalramblings.com", true },
+  { "technicalsystemsprocessing.com", true },
+  { "techniclab.net", true },
+  { "techniclab.org", true },
+  { "techniclab.ru", true },
   { "technik-boeckmann.de", true },
   { "technikblase.fm", true },
   { "technikman.de", true },
+  { "technikrom.org", true },
   { "technoinfogroup.it", true },
   { "technologie-innovation.fr", true },
-  { "technologyand.me", true },
   { "technologyhound.org", true },
   { "technologysi.com", true },
   { "technoparcepsilon.fr", true },
   { "technoscoots.com", true },
   { "technosorcery.net", true },
   { "technospeakco.com", true },
-  { "technotonic.co.uk", true },
   { "techold.ru", true },
   { "techorbiter.com", true },
   { "techosmarcelo.com.ar", true },
@@ -36140,20 +37300,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "techtalks.no", true },
   { "techtrader.ai", true },
   { "techtrader.io", true },
-  { "techvalue.gr", true },
   { "techview.link", true },
   { "techviewforum.com", true },
   { "techwayz.com", true },
   { "techwithcromulent.com", true },
-  { "techwords.io", true },
+  { "techzero.cn", true },
   { "teckids.org", true },
   { "tecma.com", true },
   { "tecmarkdig.com", true },
   { "tecne.ws", true },
   { "tecnicoelettrodomestici.roma.it", true },
+  { "tecnidev.com", true },
   { "tecnoarea.com.ar", true },
   { "tecnobrasilloja.com.br", true },
   { "tecnodritte.it", true },
+  { "tecnogaming.com", true },
   { "tecnogazzetta.it", true },
   { "tecnologiasurbanas.com", true },
   { "tecon.co.at", true },
@@ -36167,6 +37328,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tedsdivingsystem.com", true },
   { "tedxodense.com", true },
   { "teebeedee.org", false },
+  { "teedb.de", true },
   { "teemo.gg", true },
   { "teemperor.de", true },
   { "teemulintula.fi", true },
@@ -36175,28 +37337,27 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teensexgo.com", true },
   { "teeworlds-friends.de", true },
   { "tefek.cz", true },
+  { "teganlaw.ca", true },
+  { "teganlaw.com", true },
   { "tege-elektronik.hu", true },
-  { "tehcrayz.com", true },
   { "tehrabbitt.com", false },
-  { "tehrankey.ir", true },
   { "tehranperfume.com", true },
   { "teixobactin.com", true },
   { "tejarat98.com", true },
   { "teknemodus.com.au", true },
   { "teknik.io", true },
+  { "tekniksnack.se", true },
   { "tekniskakustik.se", true },
   { "tekno.de", true },
   { "teknoforums.com", true },
   { "teknolit.com", true },
   { "tekstschrijvers.net", true },
-  { "tektuts.com", true },
   { "tekuteku.jp", true },
   { "telamon.eu", true },
   { "telamon.fr", true },
-  { "tele-alarme.ch", true },
+  { "telco.at", true },
   { "tele-online.com", true },
   { "telealarme.ch", true },
-  { "telealarmevalais.ch", true },
   { "telecamera.pro", false },
   { "telecomwestland.nl", true },
   { "teledivi.com", true },
@@ -36209,16 +37370,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "telefoon.nl", true },
   { "telefoonabonnement.nl", true },
   { "telegenisys.com", true },
+  { "telegram.org", true },
   { "telegramdr.com", true },
   { "telehealthventures.com", false },
   { "telekothonbd.com", true },
   { "teleogistic.net", true },
   { "telepass.me", true },
   { "telephonedirectories.us", true },
-  { "telepons.com", true },
+  { "telesto.online", true },
+  { "teletechnology.in", false },
+  { "teletexto.com", true },
   { "telework.gov", true },
   { "tellcorpassessoria.com.br", true },
   { "telling.xyz", true },
+  { "tellingua.com", false },
+  { "tellthemachines.com", true },
   { "tellusaboutus.com", true },
   { "telly.site", true },
   { "tellygames.com", true },
@@ -36227,6 +37393,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "telos-analytics.com", true },
   { "teltru.com", true },
   { "tem.li", true },
+  { "temariopolicianacional.es", true },
+  { "temariosdeoposiciones.es", true },
+  { "temasa.net", true },
   { "tematicas.org", true },
   { "temdu.com", true },
   { "temizmama.com", true },
@@ -36246,10 +37415,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tenderplan.ru", true },
   { "tenderstem.co.uk", true },
   { "tendomag.com", true },
+  { "tendoryu-aikido.org", false },
   { "tenenz.com", true },
   { "tenisservis.eu", true },
+  { "tenkdigitalt.no", true },
   { "tenkofx.com", true },
-  { "tennisadmin.com", true },
   { "tennismindgame.com", true },
   { "tenno.tools", true },
   { "tenpo-iku.com", true },
@@ -36257,13 +37427,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tenseapp.pl", true },
   { "tenshoku-hanashi.com", true },
   { "tenta.com", true },
-  { "tentabrowser.com", true },
   { "tentations-voyages.com", false },
   { "tenthousandcoffees.com", true },
   { "tenthpin.com", false },
   { "tenyx.de", true },
   { "tenzer.dk", true },
   { "teoleonie.com", true },
+  { "tepautotuning.com", true },
   { "tepid.org", true },
   { "tepitus.de", true },
   { "teplofom.ru", true },
@@ -36277,14 +37447,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teriiphotography.com", true },
   { "teriyakisecret.com", true },
   { "terlindung.com", true },
-  { "termax.me", true },
-  { "terminalvelocity.co.nz", true },
   { "termino.eu", true },
   { "terminsrakning.se", true },
   { "termitemounds.org", true },
   { "termitinitus.org", true },
   { "termografiranje.si", true },
   { "termux.com", true },
+  { "terpotiz.net", true },
   { "terra.fitness", true },
   { "terrab.de", false },
   { "terracloud.de", false },
@@ -36297,6 +37466,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "terralimno.eu", true },
   { "terraluna.space", true },
   { "terranova-nutrition.dk", true },
+  { "terranova.fi", true },
   { "terrapay.com", true },
   { "terrastaffinggroup.com", false },
   { "terraweb.net", true },
@@ -36314,14 +37484,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teslamagician.com", true },
   { "tesoro.pr", true },
   { "tessai.ga", true },
+  { "tesseractinitiative.org", true },
+  { "test-sev-web.pantheonsite.io", true },
   { "test-textbooks.com", true },
   { "test.de", true },
   { "test.support", true },
   { "testeveonline.com", true },
   { "testgeomed.ro", true },
   { "testomato.com", true },
+  { "testoon.com", true },
   { "testosteronedetective.com", true },
   { "testsuite.org", true },
+  { "testsvigilantesdeseguridad.es", true },
   { "testuje.net", true },
   { "tetedelacourse.ch", true },
   { "teto.nu", true },
@@ -36362,8 +37536,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "teyssedre.ca", true },
   { "tf2b.com", true },
   { "tf2calculator.com", true },
-  { "tf7879.com", true },
+  { "tfb.az", true },
   { "tfg-bouncycastles.com", true },
+  { "tfk.fr", true },
   { "tfle.xyz", true },
   { "tflite.com", true },
   { "tfnapps.de", true },
@@ -36386,6 +37561,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thablubb.de", true },
   { "thaedal.net", true },
   { "thai.dating", true },
+  { "thai.land", true },
   { "thaicyberpoint.com", true },
   { "thaiforest.ch", true },
   { "thaihomecooking.com", true },
@@ -36400,7 +37576,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thalia.nu", true },
   { "thaliagetaway.com.au", true },
   { "thallinger.me", true },
+  { "thambaru.com", true },
   { "thamesfamilydentistry.com", true },
+  { "thamtubinhminh.com", true },
   { "thanabh.at", true },
   { "thanatoid.net", true },
   { "thanhthinhbui.com", true },
@@ -36409,6 +37587,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thatsme.io", true },
   { "thca.ca", true },
   { "thcpbees.co.uk", true },
+  { "the-arabs.com", true },
   { "the-bermanns.com", true },
   { "the-big-bang-theory.com", true },
   { "the-body-shop.hu", false },
@@ -36434,18 +37613,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theankhlife.com", true },
   { "theanticellulitediet.com", true },
   { "theaps.net", true },
-  { "thearcheryguide.com", true },
   { "theastrocoach.com", true },
   { "theatre-schools.com", true },
+  { "theazoorsociety.org", true },
   { "thebakers.com.br", true },
   { "thebakery2go.de", true },
   { "thebannerstore.com", true },
   { "thebarbdemariateam.com", true },
-  { "thebarneystyle.com", true },
   { "thebarrens.nu", true },
   { "thebasebk.org", true },
   { "thebcm.co.uk", true },
   { "thebeachessportsphysio.com", true },
+  { "thebeardedrapscallion.com", true },
   { "thebeginningviolinist.com", true },
   { "thebest.ch", true },
   { "thebestfun.co.uk", true },
@@ -36463,6 +37642,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theblackknightsings.com", true },
   { "theblondeabroad.com", true },
   { "theblueroofcottage.ca", true },
+  { "thebluub.com", true },
   { "theboatmancapital.com", true },
   { "thebodyprinciple.com", true },
   { "thebonerking.com", true },
@@ -36492,21 +37672,24 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thecrazytravel.com", true },
   { "thecrescentchildcarecenter.com", true },
   { "thecrew-exchange.com", true },
-  { "thecrochetcottage.net", true },
+  { "thecstick.com", true },
   { "thecuppacakery.co.uk", true },
-  { "thecuriouscat.net", true },
+  { "thecuriousdev.com", true },
   { "thecurvyfashionista.com", true },
   { "thecustomdroid.com", true },
+  { "theda.co.za", true },
   { "thedark1337.com", true },
+  { "thedebug.life", true },
   { "thederminstitute.com", true },
   { "thedhs.com", true },
   { "thediamondcenter.com", true },
-  { "thediaryofadam.com", true },
   { "thedisc.nl", true },
   { "thediscovine.com", true },
   { "thedocumentrefinery.com", true },
+  { "thedom.site", true },
   { "thedreamtravelgroup.co.uk", true },
   { "thedronechart.com", true },
+  { "thedroneely.com", true },
   { "thedutchmarketers.com", true },
   { "theebookkeepers.co.za", true },
   { "theeducationchannel.info", true },
@@ -36515,20 +37698,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theeighthbit.com", true },
   { "theel0ja.ovh", true },
   { "theemasphere.com", true },
+  { "theender.net", true },
+  { "theepiclounge.com", true },
+  { "theeverycompany.com", true },
+  { "theeyeopener.com", true },
   { "thefairieswantmedead.com", true },
   { "thefanimatrix.net", true },
   { "thefashionpolos.com", true },
   { "thefbstalker.com", true },
   { "thefengshuioffice.com", true },
   { "theferrarista.com", true },
-  { "thefilmcolor.com", true },
   { "thefilmphotography.com", true },
   { "theflowerbasketonline.com", true },
   { "theflowershopdeddington.com", true },
-  { "theflyingbear.net", true },
   { "thefnafarchive.org", true },
   { "theforkedspoon.com", true },
   { "thefourthmoira.com", true },
+  { "thefreemail.com", true },
   { "thefrk.pw", true },
   { "thefuckingtide.com", true },
   { "thefunfirm.co.uk", true },
@@ -36554,9 +37740,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thehairstandard.com", true },
   { "thehamiltoncoblog.com", true },
   { "thehaxbys.co.uk", true },
-  { "thehiddenbay.fi", true },
-  { "thehiddenbay.info", true },
-  { "thehiddenbay.ws", true },
   { "thehivedesign.org", true },
   { "thehobincompany.com", true },
   { "thehomeicreate.com", true },
@@ -36567,25 +37750,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thehotness.tech", true },
   { "thehouseofgod.org.nz", true },
   { "thehowtohome.com", true },
+  { "thehub.ai", true },
+  { "theideaskitchen.com.au", true },
   { "theidiotboard.com", true },
+  { "theig.co", true },
   { "theillustrationstudio.com.au", true },
   { "theimagefile.com", true },
   { "theimaginationagency.com", true },
+  { "theinboxpros.com", true },
   { "theinflatables-ni.co.uk", true },
   { "theinflatablesne.co.uk", true },
   { "theinitium.com", true },
   { "theintercept.com", true },
   { "theinternationalgeekconspiracy.eu", true },
+  { "theissue.com.au", true },
   { "theitsage.com", false },
-  { "thej0lt.com", true },
   { "thejacksoninstitute.com.au", true },
   { "thekev.in", true },
   { "thekeytobusiness.co.uk", true },
   { "thekindplate.ca", true },
-  { "thekingofhate.com", true },
+  { "thekingofhate.com", false },
   { "thekovnerfoundation.org", true },
   { "thelaimlife.com", true },
   { "thelanscape.com", true },
+  { "thelastbeach.top", true },
   { "thelastsurprise.com", true },
   { "thelatedcult.com", true },
   { "thelearningenterprise.co.uk", true },
@@ -36598,6 +37786,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thelonelyones.co.uk", true },
   { "thelonious.nl", true },
   { "themacoaching.nl", true },
+  { "themadlabengineer.co.uk", true },
   { "themallards.info", true },
   { "themarshallproject.org", true },
   { "themecraft.studio", true },
@@ -36619,8 +37808,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "themusecollaborative.org", true },
   { "themusicinnoise.net", true },
   { "thenanfang.com", true },
-  { "thenarcissisticlife.com", true },
   { "theneatgadgets.com", true },
+  { "thenerdic.com", true },
   { "thenexwork.com", true },
   { "thenib.com", true },
   { "theninenine.com", true },
@@ -36628,6 +37817,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thenovaclinic.com", true },
   { "thenowheremen.com", true },
   { "theo.me", true },
+  { "theobg.co", true },
   { "theobromos.fr", true },
   { "theoc.co", true },
   { "theocharis.org", true },
@@ -36654,7 +37844,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thepharm.co.nz", true },
   { "thephonecaseplace.com", true },
   { "thephp.cc", true },
-  { "thepiabo.ovh", true },
   { "thepieslicer.com", true },
   { "thepiratesociety.org", true },
   { "theplaidpoodle.com", true },
@@ -36663,16 +37852,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theplayspot.co.uk", true },
   { "theploughharborne.co.uk", true },
   { "thepoplarswines.com.au", true },
-  { "thepostoffice.ro", true },
   { "thepriorybandbsyresham.co.uk", true },
   { "theproductpoet.com", true },
   { "thepromisemusic.com", true },
-  { "thepurem.com", true },
-  { "thepythianseed.com", true },
   { "theragran.co.id", true },
   { "theralino.de", true },
   { "theramo.re", true },
-  { "therandombits.com", true },
+  { "therandombits.com", false },
   { "therapiemi.ch", true },
   { "therapynotes.com", true },
   { "therapyportal.com", true },
@@ -36709,7 +37895,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theseletarmall.com", true },
   { "theseoframework.com", true },
   { "theseosystem.com", true },
-  { "theserviceyouneed.com", true },
   { "thesession.org", false },
   { "thesharedbrain.ch", true },
   { "thesharedbrain.com", true },
@@ -36725,31 +37910,38 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theskingym.co.uk", true },
   { "thesmallbusinesswebsiteguy.com", true },
   { "thesmokingcuban.com", true },
+  { "thesnellvilledentist.com", true },
   { "thesocialmediacentral.com", true },
   { "thesplashlab.com", true },
   { "thesslstore.com", true },
   { "thestandingroomrestaurant.com", true },
   { "thestationatwillowgrove.com", true },
+  { "thesteins.org", false },
   { "thestoneage.de", true },
   { "thestory.ie", true },
   { "thestoryshack.com", true },
   { "thestrategyagency.com.au", true },
+  { "thestreamable.com", true },
   { "thestudyla.com", true },
   { "thestyle.city", true },
   { "thestyleforme.com", true },
   { "thesuppercircle.com", true },
   { "theswissbay.ch", true },
+  { "theteacherscorner.net", true },
   { "thetechnical.me", true },
   { "thetenscrolls.com", true },
   { "thethreepercent.marketing", true },
+  { "thetiedyelab.com", true },
   { "thetinylife.com", true },
   { "thetomharling.com", true },
+  { "thetorlock.com", true },
+  { "thetorrentfunk.com", true },
   { "thetotalemaildelivery.com", true },
+  { "thetravelczar.com", true },
   { "thetree.ro", true },
   { "thetrendspotter.net", true },
   { "thetuxkeeper.de", false },
   { "thetvtraveler.com", true },
-  { "theunitedstates.io", true },
   { "thevacweb.com", true },
   { "thevalentineconstitution.com", true },
   { "thevalueofarchitecture.com", true },
@@ -36758,11 +37950,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thevgg.com", false },
   { "thevisasofoz.com", true },
   { "thevoya.ga", true },
+  { "thevyra.com", true },
   { "thewagesroom.co.uk", true },
   { "thewarrencenter.org", true },
   { "thewaxhouse.academy", true },
   { "thewaxhouse.de", true },
-  { "thewebdexter.com", true },
+  { "thewayofthedojo.com", true },
   { "thewebflash.com", true },
   { "thewebsitedoctors.co.uk", true },
   { "thewebsitemarketingagency.com", true },
@@ -36771,11 +37964,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thewinstonatlyndhurst.com", true },
   { "thewoodkid.com.au", true },
   { "thewoolroom.com.au", true },
+  { "theworld.tk", true },
+  { "theworldbattle.com", true },
   { "theworldexchange.com", true },
   { "theworldexchange.net", true },
   { "theworldexchange.org", true },
   { "theworldsend.eu", true },
-  { "thewp.pro", true },
   { "thexfactorgames.com", true },
   { "thexme.de", true },
   { "theyakshack.co.uk", true },
@@ -36783,18 +37977,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "theyear199x.org", true },
   { "theyearinpictures.co.uk", true },
   { "theyosh.nl", true },
+  { "theyourbittorrent.com", true },
+  { "thezero.org", true },
   { "thezillersathenshotel.com", true },
   { "thiagohersan.com", true },
-  { "thibaultwalle.com", true },
   { "thiepcuoidep.com", true },
   { "thiepxinh.net", true },
   { "thierry-daellenbach.com", true },
   { "thierrybasset.ch", true },
-  { "thierryhayoz.ch", true },
+  { "thietbithoathiem.net", true },
+  { "thijmenmathijs.nl", true },
   { "thijsalders.nl", false },
+  { "thijsbekke.nl", true },
   { "thijsslop.nl", true },
   { "thijsvanderveen.net", true },
   { "thinegen.de", true },
+  { "thingies.site", true },
   { "thingsimplied.com", true },
   { "thingsof.org", true },
   { "think-asia.org", true },
@@ -36811,6 +38009,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thinkrealty.com", true },
   { "thinktux.net", true },
   { "thirdbearsolutions.com", true },
+  { "thirdgenphoto.co.uk", true },
   { "thiry-automobiles.net", true },
   { "this-server-will-be-the-death-of-me.com", true },
   { "thisbrownman.com", true },
@@ -36819,7 +38018,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thisdot.site", true },
   { "thisfreelife.gov", true },
   { "thisisgrey.com", true },
-  { "thisishugo.com", false },
+  { "thisishugo.com", true },
   { "thisisthefinalact.com", true },
   { "thisistheserver.com", true },
   { "thisiswhywemom.com", true },
@@ -36827,16 +38026,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thisoldearth.com", true },
   { "thisserver.dontexist.net", true },
   { "thistleandleaves.com", true },
+  { "thitruongsi.com", true },
   { "thm.vn", true },
   { "thole.org", true },
   { "thom4s.info", true },
   { "thomalaudan.de", true },
   { "thomas-bertran.com", true },
   { "thomas-fahle.de", true },
+  { "thomas-klubert.de", true },
   { "thomas-prior.com", true },
   { "thomas-sammut.com", true },
   { "thomas-schmittner.de", true },
   { "thomas-suchon.fr", true },
+  { "thomas.computer", true },
   { "thomas.love", false },
   { "thomasbeckers.be", true },
   { "thomasbreads.com", false },
@@ -36846,6 +38048,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thomaseyck.com", true },
   { "thomasfoster.co", true },
   { "thomashunter.name", false },
+  { "thomaskaviani.be", true },
   { "thomasmcfly.com", true },
   { "thomasmeester.nl", false },
   { "thomasmerritt.de", true },
@@ -36855,8 +38058,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thomasverhelst.be", true },
   { "thomasvochten.com", true },
   { "thomaswoo.com", true },
+  { "thomien.de", true },
   { "thompsonfamily.cloud", true },
   { "thomsonscleaning.co.uk", true },
+  { "thomspooren.nl", true },
   { "thomwiggers.nl", true },
   { "thor.edu", true },
   { "thor.re", true },
@@ -36883,6 +38088,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "threatworking.com", true },
   { "threecrownsllp.com", true },
   { "threedpro.me", true },
+  { "threefantasy.com", true },
   { "threefours.net", true },
   { "threelions.ch", true },
   { "threema.ch", true },
@@ -36898,6 +38104,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "throughtheglass.photo", true },
   { "throwaway.link", true },
   { "throwpass.com", true },
+  { "thrush.com", true },
   { "thues.eu", true },
   { "thuisverpleging-meerdael.be", true },
   { "thullbery.com", true },
@@ -36908,12 +38115,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "thunraz.com", true },
   { "thusoy.com", true },
   { "thuthuatios.com", true },
-  { "thuybich.com", true },
+  { "thuviensoft.com", true },
+  { "thuybich.com", false },
   { "thw-bernburg.de", true },
   { "thxandbye.de", true },
   { "thycotic.ru", true },
   { "thyngster.com", true },
-  { "thynx.io", true },
   { "thzone.net", true },
   { "ti-pla.net", true },
   { "ti-planet.org", true },
@@ -36930,7 +38137,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ticketassist.nl", true },
   { "ticketdriver.com", true },
   { "ticketluck.com", true },
-  { "ticketmates.com.au", true },
   { "ticketmaze.com", true },
   { "ticketpro.ca", false },
   { "ticketrunway.com", true },
@@ -36944,17 +38150,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ticketsvergleichen.de", true },
   { "tickit.ca", true },
   { "tid.jp", true },
+  { "tidy.chat", true },
   { "tidycustoms.net", true },
   { "tiekoetter.com", true },
-  { "tielectric.ch", true },
-  { "tiendavertigo.com", true },
+  { "tielectric.ch", false },
   { "tiens-ib.cz", true },
   { "tier-1-entrepreneur.com", true },
   { "tierarztpraxis-bogenhausen.de", true },
   { "tierarztpraxis-weinert.de", true },
+  { "tierraprohibida.net", true },
   { "ties.com", true },
   { "tiew.pl", true },
   { "tifan.net", true },
+  { "tiffanytravels.com", true },
   { "tiffnix.com", true },
   { "tigerchef.com", true },
   { "tigerdile.com", true },
@@ -36969,6 +38177,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tik.edu.ee", true },
   { "tik.help", true },
   { "tiki-god.co.uk", true },
+  { "tilde.institute", true },
   { "tildes.net", true },
   { "tildesnyder.com", true },
   { "tilesbay.com", true },
@@ -36990,6 +38199,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "timberkel.com", true },
   { "timbers.space", true },
   { "timbishopartist.com", true },
+  { "timbrado.com", true },
   { "timbrust.de", true },
   { "timco.cloud", true },
   { "timdeneau.com", true },
@@ -37001,15 +38211,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "time2choose.com", true },
   { "timeauction.hk", true },
   { "timebox.tk", true },
+  { "timebutler.de", true },
   { "timeglass.de", true },
   { "timeless-photostudio.com", true },
   { "timelessskincare.co.uk", true },
+  { "timelockstash.com", true },
   { "timetech.io", true },
   { "timetotrade.com", true },
   { "timewasters.nl", true },
   { "timewk.cn", true },
   { "timfiedler.net", true },
-  { "timhieuthuoc.com", true },
   { "timi-matik.hu", true },
   { "timing.com.br", true },
   { "timjk.de", true },
@@ -37019,6 +38230,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "timonengelke.de", true },
   { "timoso.de", true },
   { "timothybjacobs.com", true },
+  { "timowi.de", true },
   { "timoxbrow.com", true },
   { "timsayedmd.com", true },
   { "timtaubert.de", true },
@@ -37026,6 +38238,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "timtj.ca", true },
   { "timvivian.ca", true },
   { "timweb.ca", true },
+  { "timx.uk", true },
   { "timysewyn.be", true },
   { "tina-zander.de", true },
   { "tina.media", true },
@@ -37036,7 +38249,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tinfoleak.com", true },
   { "tinker.career", true },
   { "tinkerbeast.com", true },
-  { "tinkerboard.org", true },
   { "tinkererstrunk.co.za", true },
   { "tinkertry.com", true },
   { "tinlc.org", true },
@@ -37055,6 +38267,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tinytownsoftplay.co.uk", true },
   { "tinyvpn.net", true },
   { "tinyvpn.org", true },
+  { "tioat.net", true },
   { "tipaki.gr", true },
   { "tipbox.is", true },
   { "tipe.io", true },
@@ -37075,6 +38288,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tis.ph", true },
   { "tischlerei-klettke.de", true },
   { "tissot-mayenfisch.com", true },
+  { "tisvapo.it", true },
   { "tit-cdn.de", true },
   { "tit-dev.de", true },
   { "tit-dns.de", true },
@@ -37088,13 +38302,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "titelseite.ch", true },
   { "titiansgirlphotography.com", true },
   { "titouan.co", false },
-  { "tittelbach.at", false },
+  { "tittelbach.at", true },
   { "titusetcompagnies.net", true },
-  { "tivido.nl", true },
   { "tiwag.at", true },
   { "tixeconsulting.com", true },
   { "tixify.com", true },
   { "tjampoer.com", true },
+  { "tjcuk.co.uk", true },
   { "tjenestetorvet.dk", true },
   { "tjkcastles.uk", true },
   { "tjl.rocks", true },
@@ -37103,9 +38317,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tkacz.pro", true },
   { "tkanemoto.com", true },
   { "tkat.ch", true },
-  { "tkeycoin.com", true },
   { "tkgpm.com", true },
+  { "tkirch.de", true },
+  { "tkjg.fi", true },
   { "tkn.me", true },
+  { "tkn.tokyo", true },
   { "tkusano.jp", true },
   { "tkw01536.de", false },
   { "tl.gg", true },
@@ -37117,7 +38333,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tlo.xyz", true },
   { "tloxygen.com", true },
   { "tls-proxy.de", true },
-  { "tls.builders", true },
   { "tls.care", true },
   { "tls1914.org", true },
   { "tlsrobot.se", true },
@@ -37125,6 +38340,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tlumaczenie.com", true },
   { "tlyphed.net", true },
   { "tlys.de", true },
+  { "tm80plus.com", true },
   { "tmakiguchi.org", true },
   { "tmas.dk", true },
   { "tmberg.cf", true },
@@ -37136,10 +38352,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tmcpromotions.co.uk", true },
   { "tmcreationweb.com", true },
   { "tmdb.biz", true },
+  { "tmdc.ddns.net", true },
   { "tmf.ru", true },
   { "tmi-products.eu", true },
   { "tmi-produkter.se", true },
-  { "tmi.news", true },
   { "tmm.cx", true },
   { "tmonitoring.com", true },
   { "tmpraider.net", true },
@@ -37147,17 +38363,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tmsdiesel.com", true },
   { "tmtopup.com", true },
   { "tn0.club", true },
+  { "tnd.net.in", true },
   { "tndentalwellness.com", true },
   { "tnes.dk", true },
   { "tniad.mil.id", false },
   { "tnl.cloud", true },
   { "tntmobi.com", true },
   { "tny.link", true },
-  { "toabsentfamily.com", true },
   { "toad.ga", true },
   { "toast.al", false },
   { "tob-rulez.de", true },
   { "tobaccolocker.com", true },
+  { "tobedo.net", true },
   { "tober-cpag.de", true },
   { "tobi-mayer.de", true },
   { "tobias-bauer.de", true },
@@ -37178,6 +38395,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tobiassachs.de", true },
   { "tobiassattler.com", true },
   { "tobiaswiese.com", true },
+  { "tobiaswiese.eu", true },
+  { "tobiaswiese.org", true },
+  { "tobiaswiese.work", true },
   { "tobiemilford.com", true },
   { "tobis-rundfluege.de", true },
   { "tobischo.de", true },
@@ -37197,6 +38417,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "todapolitica.com", true },
   { "todaymeow.com", true },
   { "toddfry.com", true },
+  { "toddmath.com", true },
   { "todoereaders.com", true },
   { "todoescine.com", true },
   { "todoist.com", true },
@@ -37207,29 +38428,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "toeightycountries.com", true },
   { "toekomstperspectief.be", true },
   { "toerclub-ing-arnhem.nl", true },
+  { "toerschaatsenknsb.nl", true },
   { "toetsplatform.be", true },
   { "tofe.io", true },
+  { "tofliving.nl", true },
   { "tofu.cf", true },
   { "togech.jp", true },
   { "togetter.com", true },
   { "toheb.de", false },
   { "tohochofu-sportspark.com", true },
   { "tohokinemakan.tk", true },
+  { "toihoctiengtrung.com", true },
   { "tokaido-kun.jp", true },
   { "tokaido.com", true },
   { "tokainafb.net", true },
   { "tokainakurasi.net", true },
-  { "tokbijouxs.com.br", true },
   { "tokenmarket.net", true },
   { "tokens.net", true },
+  { "tokfun.com", true },
   { "tokic.hr", true },
   { "tokinoha.net", true },
-  { "tokintu.com", true },
   { "tokio.fi", true },
   { "tokka.com", true },
   { "tokke.dk", true },
   { "tokkee.org", true },
-  { "tokky.eu", true },
   { "tokototech.com", true },
   { "tokugai.com", true },
   { "tokumei.co", true },
@@ -37240,7 +38462,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tokyomakino.com", true },
   { "tokyovipper.com", true },
   { "tolboe.com", true },
-  { "toldositajuba.com", true },
   { "toleressea.fr", true },
   { "toles-sur-mesure.fr", true },
   { "tolle-wolke.de", true },
@@ -37259,17 +38480,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tomasjacik.cz", true },
   { "tomaskavalek.cz", false },
   { "tomaspatera.cz", true },
-  { "tomaspialek.cz", true },
   { "tomasvecera.cz", true },
   { "tomasz.com", true },
   { "tomatenaufdenaugen.de", true },
   { "tomatis-nantes.com", true },
   { "tomaw.net", true },
-  { "tomaz.eu", true },
   { "tombaker.me", true },
+  { "tombroker.org", true },
   { "tombrossman.com", true },
   { "tomd.ai", true },
   { "tomend.es", true },
+  { "tomershemesh.me", true },
   { "tomfisher.eu", true },
   { "tomharling.uk", true },
   { "tomharris.tech", true },
@@ -37285,6 +38506,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tomlowenthal.com", true },
   { "tomm.yt", true },
   { "tommic.eu", true },
+  { "tommy-bordas.fr", false },
   { "tomnatt.com", true },
   { "tomo.gr", false },
   { "tomosm.net", true },
@@ -37298,7 +38520,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tomspdblog.com", true },
   { "tomssl.com", true },
   { "tomticket.com", true },
-  { "tomudding.com", true },
   { "tomudding.nl", true },
   { "tomvote.com", true },
   { "tomwassenberg.com", true },
@@ -37328,12 +38549,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tonermonster.de", true },
   { "tonex.de", true },
   { "tonex.nl", true },
+  { "tonifarres.net", true },
   { "tonigallagherinteriors.com", true },
   { "tonkayagran.com", true },
   { "tonkayagran.ru", true },
   { "tonkinson.com", true },
   { "tonkinwilsonvillenissanparts.com", true },
   { "tonnycat.com", true },
+  { "tonnygaric.com", true },
   { "tono.us", true },
   { "tonsit.com", true },
   { "tonsit.org", true },
@@ -37347,14 +38570,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tonywebster.com", true },
   { "too.gy", true },
   { "toobug.net", true },
+  { "toolbox-bodensee.de", true },
   { "toolbox.ninja", false },
+  { "toolineo.de", true },
   { "toolkits.design", true },
   { "toolroomrecords.com", true },
   { "tools.pro", true },
   { "toolsense.io", true },
   { "toom.io", true },
-  { "toomy.ddns.net", true },
   { "toomy.pri.ee", true },
+  { "toon.style", true },
   { "toonpool.com", true },
   { "toonsburgh.com", true },
   { "toontown.team", true },
@@ -37369,7 +38594,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "top-obaly.cz", true },
   { "top-opakowania.pl", true },
   { "top-solar-info.de", true },
+  { "top4shop.de", true },
   { "top5hosting.co.uk", true },
+  { "top9.fr", true },
   { "topaxi.ch", true },
   { "topaxi.codes", true },
   { "topbigdeals.com", true },
@@ -37386,12 +38613,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "topeyelashenhancerserumreviews.com", true },
   { "topfivepercent.co.uk", true },
   { "topgshop.ru", true },
+  { "tophat.studio", true },
   { "topicdesk.com", true },
   { "topicit.net", true },
   { "topirishcasinos.com", true },
   { "topjobs.ch", true },
+  { "topkek.ml", true },
   { "toplist.cz", true },
   { "toplist.eu", true },
+  { "toplist.sk", true },
   { "topnotepad.com", true },
   { "topodin.com", true },
   { "toponlinecasinosites.co.uk", true },
@@ -37405,7 +38635,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "toptec.net.br", true },
   { "toptexture.com", true },
   { "toptheto.com", true },
-  { "topvertimai.lt", true },
+  { "topvision.se", true },
   { "topwindowcleaners.co.uk", true },
   { "topworktops.co.uk", true },
   { "toracon.org", true },
@@ -37413,8 +38643,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "torchantifa.org", true },
   { "toreni.us", true },
   { "toretame.jp", true },
+  { "torfbahn.de", true },
   { "torg-room.ru", true },
   { "torkware.com", true },
+  { "torlock.com", true },
+  { "torlock.host", true },
+  { "torlock.icu", true },
+  { "torlock.pw", true },
+  { "torlock2.com", true },
   { "tormakristof.eu", true },
   { "tormentedradio.com", false },
   { "torn1.se", true },
@@ -37423,40 +38659,45 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "torontoaccesscontrol.com", true },
   { "torontocorporatelimo.services", true },
   { "torontostarts.com", true },
+  { "toros.co", true },
+  { "toros2.com", true },
   { "torproject.org", false },
   { "torprojects.com", true },
   { "torquato.de", false },
   { "torrent.fedoraproject.org", true },
   { "torrent.is", true },
+  { "torrent.tm", true },
+  { "torrentfunk.host", true },
+  { "torrentfunk.icu", true },
+  { "torrentfunk.pw", true },
+  { "torrentfunk2.com", true },
   { "torrentpier.me", true },
   { "torrentz2.al", true },
   { "torresygutierrez.com", true },
   { "torretzalam.com", true },
   { "torservers.net", true },
+  { "torsquad.com", true },
   { "torsten-schmitz.net", true },
   { "torstensenf.de", true },
   { "torte.roma.it", true },
-  { "tortocan.com", true },
   { "tortoises-turtles.com", true },
   { "tortugan.com.br", true },
-  { "tosainu.com.br", true },
   { "tosamja.net", true },
   { "toscer.me", false },
   { "toschool.com.br", true },
   { "toshen.com", true },
   { "toshkov.com", true },
-  { "toskana-appartement.de", true },
+  { "toskana-appartement.de", false },
   { "tosolini.info", true },
   { "tosostav.cz", true },
   { "tosteberg.se", true },
   { "tostu.de", true },
   { "tot-radio.com", true },
-  { "totaku.ru", true },
-  { "totalbeauty.co.uk", true },
+  { "totaku.ru", false },
+  { "totalaccess.com.ua", true },
   { "totalbike.com.br", true },
   { "totalcarcheck.co.uk", true },
   { "totalchecklist.com", true },
-  { "totaldragonshop.com.br", true },
   { "totalemaildelivery.com", true },
   { "totalforcegym.com", true },
   { "totalhomecareinc.com", true },
@@ -37475,6 +38716,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "touchoflife.in", true },
   { "touchscreentills.com", true },
   { "touchstone.io", true },
+  { "touchsupport.com", true },
+  { "touchtable.nl", true },
   { "touchweb.fr", true },
   { "touchwoodtrees.com.au", true },
   { "touhou.ac.cn", true },
@@ -37485,7 +38728,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tourgest.net", true },
   { "tourify.me", true },
   { "tourismwithme.com", true },
-  { "tourispo.com", true },
   { "tournamentmgr.com", true },
   { "tournevis.ch", true },
   { "toursthatmatter.com", true },
@@ -37498,6 +38740,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "touslesdrivers.com", true },
   { "tout-art.ch", true },
   { "toutart.ch", true },
+  { "toutelathailande.fr", true },
   { "toutenmusic.fr", true },
   { "toutmonexam.fr", true },
   { "toutvendre.be", true },
@@ -37511,8 +38754,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "toutvendre.us", true },
   { "tovare.com", true },
   { "toverland-tickets.nl", true },
-  { "tovp.org", true },
   { "towandalibrary.org", true },
+  { "tower.land", true },
   { "townandcountryus.com", true },
   { "townhousedevelopments.com.au", true },
   { "townhouseregister.com.au", true },
@@ -37520,8 +38763,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "towsonroofers.com", true },
   { "towywebdesigns.uk", true },
   { "tox21.gov", false },
+  { "toycu.de", true },
   { "toymagazine.com.br", true },
   { "toyota-kinenkan.com", true },
+  { "toysale.by", false },
   { "toysperiod.com", true },
   { "tp-iryuubun.com", true },
   { "tp-kabushiki.com", true },
@@ -37553,10 +38798,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tracetracker.no", true },
   { "tracfinancialservices.com", true },
   { "tracinsurance.com", true },
+  { "track.plus", true },
   { "trackchair.com", true },
   { "trackdomains.com", true },
   { "trackersimulator.org", true },
   { "trackeye.dk", true },
+  { "tracking.best", true },
   { "trackingstream.com", true },
   { "trackrecordpro.co.uk", true },
   { "tracksa.com.ar", true },
@@ -37581,11 +38828,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "traditionskapperscollege.nl", true },
   { "traditionsvivantesenimages.ch", true },
   { "tradiz.org", false },
+  { "tradlost-natverk.se", true },
   { "trafarm.ro", true },
   { "trafas.nl", true },
   { "traffic.az", true },
+  { "trafficmanager.com", true },
   { "trafficmanager.ltd", true },
   { "trafficmanager.xxx", true },
+  { "trafficmgr.cn", true },
+  { "trafficmgr.net", true },
   { "trafficologyblueprint.com", true },
   { "trafficpixel.tk", true },
   { "traffixdevices.com", true },
@@ -37596,8 +38847,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trailforks.com", true },
   { "trainex.org", true },
   { "trainhornforums.com", true },
-  { "trainhorns.us", true },
   { "trainiac.com.au", true },
+  { "traininghamburg.de", true },
   { "trainline.at", true },
   { "trainline.cn", true },
   { "trainline.com.br", true },
@@ -37632,6 +38883,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trajano.net", true },
   { "trajectfoto.nl", true },
   { "trajectvideo.nl", true },
+  { "trakkr.tk", true },
+  { "tramclub-basel.ch", true },
   { "tran.pw", true },
   { "trance-heal.com", true },
   { "trance-heal.de", true },
@@ -37649,7 +38902,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "transcend.org", true },
   { "transcontrol.com.ua", true },
   { "transfer.pw", true },
-  { "transferio.nl", true },
   { "transfers.do", true },
   { "transfers.mx", true },
   { "transferserver.at", true },
@@ -37675,7 +38927,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "translate.fedoraproject.org", true },
   { "translate.googleapis.com", true },
   { "translate.stg.fedoraproject.org", true },
-  { "translatoruk.co.uk", true },
   { "transmarttouring.com", true },
   { "transmisjeonline.pl", true },
   { "transmitit.pl", true },
@@ -37699,35 +38950,36 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trattamenti.biz", true },
   { "trattamento-cotto.it", true },
   { "trauer-beileid.de", true },
+  { "traumwerker.com", true },
   { "traut.cloud", true },
   { "travador.com", true },
   { "travaux-toiture-idf.fr", true },
-  { "travel-to-nature.ch", true },
-  { "travel.co.za", true },
+  { "travel-dealz.de", true },
   { "travel365.it", true },
   { "travelarmenia.org", true },
   { "traveleets.com", true },
   { "travelemy.com", true },
+  { "travelfield.org", true },
   { "travelholicworld.com", true },
   { "travelinsurance.co.nz", true },
   { "travellers.dating", true },
   { "travellovers.fr", true },
-  { "travellsell.com", true },
   { "travelogue.jp", true },
   { "travelphoto.cc", true },
   { "travelrefund.com", true },
   { "travelshack.com", true },
+  { "traverse.com.ua", true },
   { "travi.org", true },
   { "travis.nl", true },
   { "travisf.net", true },
   { "travisforte.io", true },
-  { "travisfranck.com", true },
   { "travler.net", true },
   { "trbanka.com", true },
   { "trea98.org", true },
   { "treaslockbox.gov", true },
+  { "trebarov.cz", true },
+  { "trebek.club", true },
   { "tree0.xyz", true },
-  { "treebaglia.xyz", true },
   { "treehouseresort.nl", true },
   { "trees.chat", true },
   { "treeschat.com", true },
@@ -37742,18 +38994,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trek-planet.ru", true },
   { "trekfriend.com", true },
   { "trekkinglife.de", true },
-  { "tremlor.com", true },
   { "trendkraft.de", true },
   { "trendreportdeals.com", true },
   { "trendsettersre.com", true },
   { "trendus.no", true },
   { "trendykids.cz", true },
   { "trenta.io", true },
+  { "trenztec.ml", true },
   { "tresor.it", true },
   { "tresorit.com", true },
   { "tresorsecurity.com", true },
   { "tretail.net", true },
-  { "tretkowski.de", true },
   { "treussart.com", true },
   { "trevsanders.co.uk", true },
   { "trezy.me", true },
@@ -37767,6 +39018,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trialandsuccess.nl", true },
   { "trialcentralnet.com", true },
   { "trianglecastles.co.uk", true },
+  { "trianglelawngames.com", true },
   { "tribac.de", true },
   { "tribaldos.com", true },
   { "tribaljusticeandsafety.gov", true },
@@ -37774,34 +39026,34 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tribetrails.com", true },
   { "tribly.de", true },
   { "tribut.de", true },
+  { "tributh.cf", true },
   { "tributh.ga", true },
   { "tributh.gq", true },
   { "tributh.ml", true },
+  { "tributh.net", true },
   { "tributh.tk", true },
   { "tricefy4.com", true },
   { "triciaree.com", true },
   { "trident-online.de", true },
-  { "tridentflood.com", true },
   { "trietment.com", true },
   { "trigardon-rg.de", true },
   { "trik.es", false },
+  { "trilex.be", true },
+  { "trilithsolutions.com", true },
   { "trillian.im", true },
   { "trilliumvacationrentals.ca", true },
   { "triluxds.com", true },
   { "trim-a-slab.com", true },
   { "trim21.cn", true },
   { "trimage.org", true },
-  { "trimarchimanuele.it", true },
   { "trinary.ca", true },
   { "trineco.com", true },
   { "trineco.fi", true },
   { "tringavillasyala.com", true },
-  { "trink-und-partyspiele.de", true },
   { "trinnes.net", true },
   { "trio.online", true },
   { "triop.se", true },
   { "trior.net", true },
-  { "triple-mmm.de", true },
   { "triplekeys.net", true },
   { "tripolistars.com", true },
   { "tripp.xyz", true },
@@ -37809,7 +39061,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tripsinc.com", true },
   { "trisect.eu", true },
   { "trish-mcevoy.ru", true },
-  { "triticeaetoolbox.org", true },
   { "trix360.com", true },
   { "trixexpressweb.nl", true },
   { "triz.co.uk", true },
@@ -37824,6 +39075,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trollope-apollo.com", true },
   { "trommelwirbel.com", true },
   { "tronatic-studio.com", true },
+  { "tronmeo.com", true },
   { "troomcafe.com", true },
   { "troopaid.info", true },
   { "trophee-discount.com", true },
@@ -37836,7 +39088,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "troyfawkes.com", true },
   { "troyhunt.com", true },
   { "troyhuntsucks.com", true },
-  { "troykelly.com", true },
   { "trs.tn", true },
   { "trtltravel.com", true },
   { "trtruijens.com", true },
@@ -37845,12 +39096,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trucchibellezza.it", true },
   { "truckersmp.com", true },
   { "truckerswereld.nl", false },
-  { "truckgpsreviews.com", true },
   { "truckstop-magazin.de", false },
+  { "trucosdescargas.com", true },
   { "true-itk.de", true },
+  { "trueachievements.com", true },
   { "trueassignmenthelp.co.uk", true },
   { "trueblueessentials.com", true },
   { "trueduality.net", true },
+  { "truehempculture.com.au", true },
   { "trueinstincts.ca", true },
   { "truekey.com", true },
   { "truentumvet.it", true },
@@ -37862,6 +39115,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trueteaching.com", true },
   { "truetraveller.com", true },
   { "truetrophies.com", true },
+  { "trueweb.es", true },
   { "trufflemonkey.co.uk", true },
   { "truhlarstvi-fise.cz", true },
   { "trulance.com", true },
@@ -37876,7 +39130,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "trustcase.com", true },
   { "trustedbody.com", true },
   { "trustednetworks.nl", true },
-  { "trustednewssites.com", true },
   { "trustfield.ch", true },
   { "trustserv.de", true },
   { "truthmessages.pw", true },
@@ -37884,6 +39137,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "truyenfull.vn", true },
   { "trw-reseller.com", true },
   { "try2admin.pw", true },
+  { "try2services.cm", true },
   { "trybabyschoice.com", true },
   { "trybooking.com", true },
   { "tryfabulousskincream.com", true },
@@ -37899,15 +39153,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tryupdates.com", true },
   { "trywesayyes.com", true },
   { "trzepak.pl", true },
-  { "ts-publishers.com", true },
-  { "ts3-dns.com", true },
-  { "ts3-dns.net", false },
   { "ts3-legenda.tech", true },
   { "tsa-sucks.com", true },
   { "tsab.moe", true },
   { "tsai.com.de", true },
   { "tsatestprep.com", true },
   { "tschuermans.be", true },
+  { "tscinsurance.com", true },
   { "tsedryk.ca", true },
   { "tsgkc1.com", true },
   { "tsicons.com", true },
@@ -37938,6 +39190,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ttclub.fr", true },
   { "ttdsevaonline.com", true },
   { "ttll.de", true },
+  { "ttrade.ga", true },
   { "ttsoft.pl", true },
   { "ttsweb.org", true },
   { "ttt.tt", true },
@@ -37948,7 +39201,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ttyystudio.com", true },
   { "tu-immoprojekt.at", true },
   { "tu6.pm", true },
-  { "tuang-tuang.com", true },
   { "tuasaude.com", true },
   { "tubanten.nl", true },
   { "tube.tools", true },
@@ -37956,12 +39208,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tubepro.de", true },
   { "tubs4fun.co.uk", true },
   { "tubul.net", true },
+  { "tucepihotelalga.com", true },
   { "tucny.com", true },
   { "tucsonfcu.com", true },
   { "tucsonpcrepair.com", true },
   { "tucuxi.org", true },
   { "tudiennhakhoa.com", true },
   { "tudorproject.org", true },
+  { "tudulinna.ee", true },
   { "tuev-hessen.de", true },
   { "tufashionista.com", true },
   { "tuffclassified.com", true },
@@ -37972,11 +39226,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tuitle.com", true },
   { "tuja.hu", true },
   { "tulumplayarealestate.com", true },
-  { "tumagiri.net", true },
   { "tumblenfun.com", true },
   { "tumedico.es", true },
   { "tumelum.de", true },
-  { "tumutanzi.com", true },
   { "tunai.id", true },
   { "tunaut.com", true },
   { "tune-web.de", true },
@@ -37990,7 +39242,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tunnelwatch.com", true },
   { "tuntitili.fi", true },
   { "tuotteet.org", true },
-  { "tuou.xyz", true },
   { "tupa-germania.ru", true },
   { "tupeuxpastest.ch", true },
   { "tuppenceworth.ie", true },
@@ -37998,7 +39249,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "turdnagel.com", true },
   { "turf-experts.com", true },
   { "turigum.com", true },
+  { "turismodubrovnik.com", true },
   { "turkish.dating", true },
+  { "turkiyen.com", true },
+  { "turkrock.com", true },
   { "turl.pl", true },
   { "turnaroundforum.de", true },
   { "turncircles.com", true },
@@ -38007,7 +39261,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "turnonsocial.com", true },
   { "turpinpesage.fr", true },
   { "tursiae.org", true },
-  { "turtle.ai", false },
   { "turtleduckstudios.com", true },
   { "turtlepwr.com", true },
   { "turunculevye.com", true },
@@ -38029,11 +39282,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tuversionplus.com", true },
   { "tuwaner.com", true },
   { "tuxcloud.net", true },
-  { "tuxflow.de", false },
   { "tuxgeo.com", false },
   { "tuxie.com", true },
   { "tuxlife.net", true },
+  { "tuxone.ch", true },
   { "tuxpeliculas.com", true },
+  { "tuxpi.com", true },
   { "tuxplace.nl", true },
   { "tuxtimo.me", true },
   { "tuxz.net", true },
@@ -38041,6 +39295,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tuzaijidi.com", true },
   { "tv-programme.be", true },
   { "tv-programme.com", true },
+  { "tvbaratas.net", true },
   { "tvbeugels.nl", false },
   { "tvcal.net", true },
   { "tvcmarketing.com", true },
@@ -38048,9 +39303,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tverskaya-outlet.ru", true },
   { "tvhshop.be", true },
   { "tvipper.com", true },
+  { "tvlanguedoc.com", true },
   { "tvleaks.se", true },
   { "tvlplus.net", true },
-  { "tvqc.com", true },
   { "tvseries.info", true },
   { "tvsheerenhoek.nl", true },
   { "tvzr.com", true },
@@ -38060,6 +39315,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "twb.berlin", true },
   { "twd2.me", true },
   { "twd2.net", false },
+  { "twdreview.com", true },
+  { "tweak.group", true },
   { "tweakers.com.au", true },
   { "tweakers.net", true },
   { "tweaktown.com", true },
@@ -38073,6 +39330,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "twinkseason.com", true },
   { "twinztech.com", true },
   { "twisata.com", true },
+  { "twistdevelopment.co.uk", true },
   { "twisted-brains.org", true },
   { "twistedwave.com", true },
   { "twisto.cz", true },
@@ -38084,15 +39342,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "twitteroauth.com", true },
   { "twizzkidzinflatables.co.uk", true },
   { "twlan.org", true },
-  { "twocornertiming.com", true },
   { "twodadsgames.com", true },
   { "twofactorauth.org", true },
   { "twohuo.com", true },
   { "twopif.net", true },
   { "tworaz.net", true },
   { "twtimmy.com", true },
-  { "twun.io", true },
-  { "twuni.org", true },
+  { "twtremind.com", true },
   { "txcap.org", true },
   { "txdivorce.org", true },
   { "txi.su", true },
@@ -38105,17 +39361,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tycom.cz", true },
   { "tyil.nl", true },
   { "tyil.work", true },
-  { "tyl.io", true },
+  { "tykeplay.com", true },
   { "tyler.rs", true },
   { "tylerdavies.net", true },
   { "tylerfreedman.com", true },
-  { "tylerharcourt.net", true },
+  { "tylerharcourt.ca", true },
+  { "tylerharcourt.com", true },
+  { "tylerharcourt.org", true },
   { "tyleromeara.com", true },
   { "tylerschmidtke.com", true },
   { "typcn.com", true },
   { "typeblog.net", true },
   { "typecodes.com", true },
   { "typeof.pw", true },
+  { "typeonejoe.com", true },
   { "typeria.net", true },
   { "typewolf.com", true },
   { "typewritten.net", true },
@@ -38133,8 +39392,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "tyuo-keibi.co.jp", true },
   { "tzermias.gr", true },
   { "tzifas.com", true },
+  { "u-he.com", true },
   { "u-martfoods.com", true },
-  { "u-metals.com", true },
+  { "u-tokyo.club", true },
   { "u.nu", true },
   { "u0010.com", true },
   { "u0020.com", true },
@@ -38152,9 +39412,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "u4mh-dev-portal.azurewebsites.net", true },
   { "u5.re", true },
   { "u5b.de", false },
+  { "u5eu.com", true },
   { "u5r.nl", true },
   { "ua.search.yahoo.com", false },
-  { "uaci.edu.mx", true },
   { "uae-company-service.com", true },
   { "uangteman.com", true },
   { "uasmi.com", true },
@@ -38176,13 +39436,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ubis.group", true },
   { "ublaboo.org", true },
   { "uborcare.com", true },
-  { "ubun.net", true },
+  { "ubunlog.com", true },
   { "ubuntu18.com", true },
   { "ucac.nz", false },
   { "ucangiller.com", true },
+  { "ucasa.org.au", true },
   { "ucch.be", true },
   { "ucfirst.nl", true },
   { "uchargeapp.com", true },
+  { "uclf.de", true },
   { "uclip.club", true },
   { "ucppe.org", true },
   { "ucrdatatool.gov", true },
@@ -38193,81 +39455,53 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "udomain.net", true },
   { "udp.sh", false },
   { "udruga-point.hr", true },
+  { "udsocial.com", true },
   { "udvoukocek.eu", true },
   { "ueba1085.jp", true },
   { "ueberdosis.io", true },
   { "ueberwachungspaket.at", true },
   { "uedaviolin.com", true },
-  { "uel-thompson-okanagan.ca", true },
+  { "uefeng.com", true },
   { "ueni.com", true },
+  { "uevan.com", true },
   { "uex.im", true },
   { "ufanisi.mx", true },
   { "ufindme.at", true },
+  { "ufocentre.com", true },
   { "ufplanets.com", true },
   { "ugb-verlag.de", true },
+  { "uggedal.com", true },
   { "ugx-mods.com", true },
   { "uhappy1.com", true },
-  { "uhappy11.com", true },
   { "uhappy2.com", true },
-  { "uhappy21.com", true },
   { "uhappy22.com", true },
-  { "uhappy23.com", true },
-  { "uhappy24.com", true },
-  { "uhappy25.com", true },
-  { "uhappy26.com", true },
-  { "uhappy27.com", true },
-  { "uhappy28.com", true },
-  { "uhappy29.com", true },
-  { "uhappy3.com", true },
   { "uhappy30.com", true },
-  { "uhappy31.com", true },
-  { "uhappy33.com", true },
   { "uhappy50.com", true },
-  { "uhappy55.com", true },
-  { "uhappy56.com", true },
   { "uhappy57.com", true },
-  { "uhappy58.com", true },
-  { "uhappy59.com", true },
   { "uhappy6.com", true },
-  { "uhappy60.com", true },
-  { "uhappy61.com", true },
-  { "uhappy62.com", true },
-  { "uhappy66.com", true },
-  { "uhappy67.com", true },
   { "uhappy69.com", true },
   { "uhappy70.com", true },
-  { "uhappy71.com", true },
   { "uhappy72.com", true },
-  { "uhappy73.com", true },
-  { "uhappy74.com", true },
-  { "uhappy75.com", true },
-  { "uhappy76.com", true },
-  { "uhappy77.com", true },
-  { "uhappy78.com", true },
   { "uhappy79.com", true },
-  { "uhappy8.com", true },
   { "uhappy80.com", true },
   { "uhappy81.com", true },
   { "uhappy82.com", true },
   { "uhappy83.com", true },
   { "uhappy85.com", true },
-  { "uhappy86.com", true },
   { "uhappy88.com", true },
-  { "uhappy9.com", true },
   { "uhappy90.com", true },
-  { "uhappy99.com", true },
-  { "uhasseltodin.be", true },
   { "uhc.gg", true },
   { "uhlhosting.ch", true },
   { "uhrenlux.de", true },
-  { "uhssl.com", true },
   { "uhurl.net", true },
   { "ui8.net", true },
   { "uiberlay.cz", true },
+  { "uicchy.com", true },
   { "uiop.link", true },
   { "uiterwijk.org", true },
   { "uitgeverij-deviant.nl", true },
   { "ujob.com.cn", true },
+  { "ujvary.eu", true },
   { "uk.dating", true },
   { "uk.search.yahoo.com", false },
   { "ukbc.london", true },
@@ -38291,6 +39525,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ulabox.com", true },
   { "uldsh.de", true },
   { "ulen.me", true },
+  { "ulfberht.fi", true },
   { "ulgc.cz", true },
   { "uli-eckhardt.de", true },
   { "ulitroyo.com", true },
@@ -38304,18 +39539,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ultimateanu.com", true },
   { "ultimatemafia.net", true },
   { "ultraseopro.com", true },
-  { "ultrasite.tk", true },
   { "ultratech.software", true },
   { "ultratechlp.com", true },
   { "ultrautoparts.com.au", true },
   { "umanityracing.com", true },
+  { "umbertheprussianblue.com", true },
   { "umbrellaye.online", true },
   { "umbricht.li", true },
   { "umenlisam.com", true },
   { "umisonoda.com", true },
-  { "umkmjogja.com", true },
   { "umsapi.com", true },
-  { "umwandeln-online.de", true },
   { "un-framed.co.za", true },
   { "un-zero-un.fr", true },
   { "un.fo", true },
@@ -38350,24 +39583,26 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uncensoreddns.org", true },
   { "undeadbrains.de", true },
   { "undeductive.media", true },
-  { "undef.in", true },
+  { "undef.in", false },
   { "underbridgeleisure.co.uk", true },
   { "undercovercondoms.co.uk", true },
   { "underfloorheating-uk.co.uk", true },
   { "underlined.fr", true },
   { "undernet.uy", false },
   { "underskatten.tk", true },
+  { "underwearoffer.com", true },
   { "undo.co.il", true },
-  { "undone.me", true },
   { "unece-deta.eu", true },
   { "unedouleur.com", true },
   { "unefleur.be", true },
   { "unerosesurlalune.fr", true },
   { "unexpected.nu", true },
+  { "unfallrechtler.de", true },
+  { "unfc.nl", true },
   { "unfettered.net", false },
   { "unga.dk", true },
-  { "ungeek.eu", true },
-  { "ungeek.fr", false },
+  { "ungaeuropeer.se", true },
+  { "ungeek.fr", true },
   { "ungegamere.dk", true },
   { "unghie.com", true },
   { "unicef-karten.at", true },
@@ -38382,6 +39617,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "unicefkartkidlafirm.pl", true },
   { "unicefkepeslapok.hu", true },
   { "unicefvoscilnice.si", true },
+  { "unicioushop.com", true },
   { "unicolabo.jp", true },
   { "unicorn-systems.net", true },
   { "unicorn.melbourne", true },
@@ -38396,7 +39632,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uniekglas.nl", true },
   { "unifei.edu.br", true },
   { "uniform-agri.com", true },
+  { "unijob.com.br", true },
   { "unikoingold.com", true },
+  { "unikrn.space", true },
   { "unila.edu.br", true },
   { "unimbalr.com", true },
   { "unioils.la", true },
@@ -38425,7 +39663,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "unityconsciousnessbooks.com", true },
   { "univercite.ch", true },
   { "univeril.com", false },
-  { "univerpack.net", true },
   { "universal-happiness.com", true },
   { "universal.at", true },
   { "universalcarremote.com", true },
@@ -38433,15 +39670,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "universeinform.com", true },
   { "universidadvg.edu.mx", true },
   { "univitale.fr", true },
+  { "unix.se", true },
   { "unixadm.org", true },
-  { "unixapp.ml", true },
   { "unixattic.com", true },
   { "unixforum.org", true },
-  { "unixfox.eu", true },
   { "unixtime.date", true },
   { "unkrn.com", true },
   { "unlax.com", true },
-  { "unleash.pw", true },
   { "unli.xyz", true },
   { "unlocken.nl", true },
   { "unlocktalent.gov", true },
@@ -38449,15 +39684,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "unmonito.red", true },
   { "unn-edu.info", true },
   { "uno-pizza.ru", true },
+  { "uno.fi", true },
   { "unobrindes.com.br", true },
   { "unoccupyabq.org", true },
   { "unp.me", true },
   { "unpkg.com", true },
-  { "unpossible.xyz", true },
   { "unpr.dk", true },
   { "unquote.li", true },
   { "unrealircd.org", true },
   { "unrelated.net.au", true },
+  { "uns.vn", true },
   { "unsacsurledos.com", true },
   { "unsee.cc", true },
   { "unseen.is", true },
@@ -38467,23 +39703,28 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "unsourirealecole.fr", true },
   { "unstablewormhole.ltd", true },
   { "unstamps.org", true },
+  { "unstoppableunits.com", true },
   { "unsuspicious.click", true },
   { "unterfrankenclan.de", true },
   { "unterhaltungsbox.com", true },
   { "unternehmer-radio.de", true },
   { "unternehmerrat-hagen.de", true },
+  { "unterschicht.tv", true },
   { "untethereddog.com", true },
   { "unun.fi", true },
   { "unusualhatclub.com", true },
-  { "unworthy.ml", true },
   { "unx.dk", true },
   { "unxicdellum.cat", true },
+  { "uotomizu.com", true },
+  { "upakweship.com", true },
   { "upandrunningtutorials.com", true },
+  { "upay.ru", true },
   { "upbad.com", true },
   { "upbeatrobot.com", true },
   { "upbeatrobot.eu", true },
+  { "upcambio.com", true },
   { "upd.jp", true },
-  { "updatehub.io", true },
+  { "upengo.com", true },
   { "upgamerengine.com", true },
   { "upgamerengine.com.br", true },
   { "upgamerengine.net", true },
@@ -38501,9 +39742,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "upperbeaconsfield.org.au", true },
   { "upperroommission.ca", true },
   { "upplevelse.com", true },
-  { "upr-info.org", true },
   { "upr.com.ua", true },
   { "uprint.it", true },
+  { "uprospr.com", true },
   { "uprouteyou.com", true },
   { "upsettunnel.com", true },
   { "upsiteseo.com", true },
@@ -38519,7 +39760,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uptrex.co.uk", true },
   { "upturn.org", true },
   { "upundit.com", true },
-  { "upwardtraining.co.uk", true },
   { "upwork.com", true },
   { "upyourfinances.com", true },
   { "ur.nl", true },
@@ -38529,20 +39769,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "urbackups.com", true },
   { "urbalex.ch", true },
   { "urban-culture.fr", true },
-  { "urban-karuizawa.co.jp", true },
   { "urban.melbourne", true },
   { "urbancreators.dk", true },
   { "urbandance.club", true },
   { "urbanesecurity.com", true },
-  { "urbanfi.sh", true },
   { "urbanguerillas.de", true },
   { "urbanhotbed.eu", true },
   { "urbanietz-immobilien.de", true },
   { "urbanmelbourne.info", true },
   { "urbannewsservice.com", true },
   { "urbansparrow.in", true },
+  { "urbansurvival.com", true },
   { "urbanwaters.gov", false },
   { "urbanwildlifealliance.org", false },
+  { "urbanxdevelopment.com", true },
   { "urbexdk.nl", true },
   { "urbizoroofing.com", true },
   { "urcentral.com", true },
@@ -38550,19 +39790,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "urcentral.nl", true },
   { "ureka.org", true },
   { "urep.us", true },
-  { "urgences-valais.ch", true },
   { "urinedrugtesthq.com", true },
+  { "uriport.com", true },
+  { "uriports.com", true },
   { "uripura.de", true },
   { "urist1011.ru", true },
   { "url.fi", true },
   { "url.fm", true },
-  { "url.rw", true },
+  { "url.rw", false },
   { "url0.eu", true },
+  { "urlakite.com", true },
   { "urlaub-busreisen.de", true },
   { "urlaub-leitner.at", true },
+  { "urlgot.com", true },
   { "urlscan.io", true },
   { "urltell.com", true },
   { "urltodomain.com", true },
+  { "urnes.org", true },
   { "urown.net", true },
   { "ursa-minor-beta.org", true },
   { "ursae.co", true },
@@ -38587,16 +39831,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "usalearning.gov", true },
   { "usaseanconnect.gov", true },
   { "usastaffing.gov", true },
+  { "usb-lock-rp.com", true },
   { "usbcraft.com", true },
   { "usbevents.co.uk", true },
   { "usbr.gov", true },
   { "uscloud.nl", true },
+  { "uscurrency.gov", true },
   { "usd.de", true },
   { "usdoj.gov", true },
   { "usds.gov", true },
   { "use.be", true },
   { "usebean.com", true },
-  { "usedu.us", true },
+  { "usemusic.com.br", true },
   { "user-re.com", true },
   { "userra.gov", true },
   { "usetypo3.com", true },
@@ -38607,7 +39853,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "usimmigration.us", true },
   { "usipvd.ch", true },
   { "usitcolours.bg", true },
-  { "uskaria.com", true },
   { "usmint.gov", true },
   { "usninosnikrcni.eu", true },
   { "usnti.com", true },
@@ -38627,13 +39872,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "usweme.info", true },
   { "uswitch.com", true },
   { "ut-addicted.com", true },
-  { "utahfireinfo.gov", true },
+  { "utahblackplate.com", true },
+  { "utahblackplates.com", true },
+  { "utahcanyons.org", true },
   { "utahlocal.net", true },
   { "utahtravelcenter.com", true },
   { "utazas-nyaralas.info", true },
   { "utazine.com", true },
   { "utcast-mate.com", true },
-  { "utdsgda.com", true },
   { "utepils.de", true },
   { "utgifter.no", true },
   { "utilia.tools", true },
@@ -38654,7 +39900,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "utw.me", true },
   { "utwente.io", true },
   { "utzon.net", true },
-  { "uuid.cf", true },
   { "uuit.nl", true },
   { "uv.uy", true },
   { "uvenuse.cz", true },
@@ -38662,7 +39907,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uw1008.com", true },
   { "uw2333.com", true },
   { "uwac.co.uk", false },
-  { "uwekoetter.com", true },
+  { "uwat.cf", true },
   { "uwelilienthal.de", true },
   { "uwsoftware.be", true },
   { "uwvloereruit.nl", true },
@@ -38671,6 +39916,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "uxtechnologist.com", true },
   { "uy.search.yahoo.com", false },
   { "uz.search.yahoo.com", false },
+  { "uzayliyiz.biz", true },
   { "uzaymedya.com.tr", true },
   { "uziregister.nl", true },
   { "uzpirksana.lv", true },
@@ -38689,6 +39935,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "v2ray666.com", true },
   { "v4s.ro", true },
   { "va-reitartikel.com", true },
+  { "va.gov", true },
+  { "va1der.ca", true },
   { "vacationsbyvip.com", true },
   { "vaccines.gov", true },
   { "vacuumpump.co.id", true },
@@ -38697,6 +39945,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vaew.com", true },
   { "vagabond.fr", true },
   { "vagabondgal.com", true },
+  { "vagaerg.com", true },
+  { "vagaerg.net", true },
   { "vagmour.eu", true },
   { "vagpartsdb.com", true },
   { "vagrantbits.com", true },
@@ -38716,7 +39966,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "valek.net", true },
   { "valenciadevops.me", true },
   { "valentin-dederer.de", true },
-  { "valentin-ochs.de", true },
   { "valentin-sundermann.de", true },
   { "valentin.ml", true },
   { "valentinberclaz.com", true },
@@ -38735,31 +39984,34 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "valika.ee", true },
   { "valis.sx", true },
   { "valkohattu.fi", true },
-  { "valkor.pro", true },
   { "valkova.net", true },
   { "vallei-veluwe.nl", true },
   { "valleyautofair.com", true },
   { "valleyautoloan.com", true },
   { "valleycode.net", true },
   { "valleydalecottage.com.au", true },
-  { "valleyshop.ca", true },
   { "vallutaja.eu", true },
   { "valokuva-albumi.fi", true },
   { "valordolarblue.com.ar", true },
   { "valorem-tax.ch", true },
   { "valoremtax.ch", true },
   { "valoremtax.com", true },
+  { "valorin.net", true },
   { "valorizofficial.com", true },
-  { "valshamar.is", true },
   { "valsk.is", false },
   { "valskis.lt", true },
   { "valtlai.fi", true },
   { "valtoaho.com", true },
+  { "valtool.uk", true },
   { "valudo.st", true },
   { "valuechain.me", true },
+  { "valuemyhome.co.uk", true },
+  { "valuemyhome.uk", true },
   { "valueng.com", true },
   { "valueofblog.com", true },
   { "valueseed.net", true },
+  { "valuuttamuunnin.com", true },
+  { "vampire142.fr", true },
   { "vampyrium.net", false },
   { "van11y.net", true },
   { "vanagamsanthai.com", true },
@@ -38786,10 +40038,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vanhoudt-usedcars.be", true },
   { "vanhoutte.be", false },
   { "vanhove.biz", true },
+  { "vanlent.net", true },
   { "vanmalland.com", true },
   { "vannaos.com", true },
   { "vannaos.net", true },
-  { "vanohaker.ru", true },
   { "vanouwerkerk.net", true },
   { "vantagepointpreneed.com", true },
   { "vante.me", true },
@@ -38797,17 +40049,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vantru.is", true },
   { "vanvoro.us", false },
   { "vanwunnik.com", true },
-  { "vapecom-shop.com", true },
   { "vapecrunch.com", true },
-  { "vapehour.com", true },
   { "vapensiero.co.uk", true },
   { "vaperolles.ch", true },
   { "vapesense.co.uk", true },
   { "vapesupplies.com.au", true },
+  { "vapex.pl", true },
   { "vaphone.co", true },
   { "vapingdaily.com", true },
   { "vapor.cloud", false },
   { "vapordepot.jp", true },
+  { "varaeventos.com", true },
   { "varalwamp.com", true },
   { "varcare.jp", true },
   { "varden.info", true },
@@ -38841,6 +40093,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vaskulitis-info.de", true },
   { "vasp.group", true },
   { "vasports.com.au", true },
+  { "vastenotaris.nl", true },
   { "vasyharan.com", true },
   { "vat-eu.com", true },
   { "vat.direct", true },
@@ -38861,17 +40114,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vawomenshealth.com", true },
   { "vaygren.com", true },
   { "vazue.com", true },
-  { "vb-oa.co.uk", true },
   { "vb.media", true },
   { "vbazile.com", true },
   { "vbcdn.com", true },
-  { "vbestreviews.com", true },
   { "vbh2o.com", true },
   { "vbql.me", true },
   { "vbwinery.com", true },
   { "vc.gg", true },
   { "vcam.org", true },
   { "vccmurah.net", true },
+  { "vcelin-na-doliku.cz", true },
   { "vcf.gov", true },
   { "vcientertainment.com", false },
   { "vcmi.download", true },
@@ -38880,13 +40132,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vcsjones.codes", true },
   { "vcsjones.com", true },
   { "vcti.cloud", true },
+  { "vctor.net", true },
   { "vd42.net", true },
   { "vda.li", true },
+  { "vdanker.net", true },
   { "vdbongard.com", true },
   { "vdcomp.cz", false },
   { "vdemuzere.be", true },
   { "vdesc.com", true },
   { "vdisk24.de", true },
+  { "vdlp.nl", true },
   { "vdmeij.com", true },
   { "vdzwan.net", true },
   { "ve.search.yahoo.com", false },
@@ -38900,15 +40155,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vectorwish.com", true },
   { "vedma-praktik.com", true },
   { "veg-leiden.nl", true },
-  { "vegalengd.com", true },
   { "vegalitarian.org", true },
   { "veganforum.org", true },
   { "veganism.co.uk", true },
   { "veganism.com", true },
   { "veganmasterrace.com", true },
   { "vegasluxuryestates.com", true },
+  { "vegekoszyk.pl", true },
   { "vegepa.com", true },
   { "vegetariantokyo.net", true },
+  { "veggie-einhorn.de", true },
   { "veggie-treff.de", true },
   { "vegguide.org", true },
   { "veii.de", true },
@@ -38937,7 +40193,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ventriloservers.biz", true },
   { "venturavwparts.com", true },
   { "venturebanners.co.uk", true },
-  { "venturedisplay.co.uk", true },
   { "venturum.com", true },
   { "venturum.de", true },
   { "venturum.eu", true },
@@ -38951,6 +40206,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "verberne.nu", true },
   { "verbier-lechable.com", true },
   { "verbierfestival.com", true },
+  { "verboom.co.nz", true },
   { "verdict.gg", true },
   { "verduccies.com", true },
   { "verein-kiekin.de", true },
@@ -38959,11 +40215,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vereinscheck.de", true },
   { "verfassungsklage.at", true },
   { "verge.capital", true },
-  { "vergeaccessories.com", true },
   { "vergelijksimonly.nl", true },
-  { "vergessen.cn", true },
   { "verhovs.ky", false },
+  { "veri2.com", true },
   { "verifalia.com", true },
+  { "verificaprezzi.it", true },
   { "verifiedjoseph.com", true },
   { "verifiny.com", true },
   { "verifyos.com", true },
@@ -38975,6 +40231,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "veritasinvestmentwealth.com", true },
   { "verizonconnect.com", false },
   { "verizonguidelines.com", true },
+  { "verkeersschoolrichardschut.nl", true },
   { "verliebt-in-bw.de", true },
   { "verliebt-in-niedersachsen.de", true },
   { "vermeerdealers.com", true },
@@ -38985,7 +40242,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vernonchan.com", true },
   { "vernonfigureskatingclub.com", true },
   { "vernonfilmsociety.bc.ca", true },
-  { "vernonhouseofhope.com", true },
   { "vernonsecureselfstorage.ca", true },
   { "vernonspeedskatingclub.com", true },
   { "vernonwintercarnival.com", true },
@@ -38995,13 +40251,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "verry.org", true },
   { "vers.one", true },
   { "versagercloud.de", true },
+  { "versalhost.com", true },
+  { "versalhost.nl", true },
   { "versbesteld.nl", true },
+  { "verschurendegroot.nl", true },
+  { "verses.space", true },
   { "versicherungen-werner-hahn.de", true },
   { "versicherungskontor.net", true },
+  { "versolslapeyre.fr", true },
   { "verspai.de", true },
   { "verstraetenusedcars.be", true },
   { "vertebrates.com", true },
   { "verteilergetriebe.info", true },
+  { "verticrew.com", true },
   { "vertigo.name", false },
   { "vertner.net", true },
   { "vertrieb-strategie.de", true },
@@ -39010,7 +40272,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "verwayen.com", true },
   { "very-kids.fr", true },
   { "veryapt.com", true },
-  { "veryimportantusers.com", true },
   { "verymelon.de", true },
   { "verymetal.nl", true },
   { "verzekeringencambier.be", true },
@@ -39022,7 +40283,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vestd.com", true },
   { "vestingbar.nl", true },
   { "vestum.ru", true },
-  { "vetbits.com", true },
+  { "vet-planet.com", true },
+  { "vetbits.com", false },
+  { "vetergysurveys.com", true },
   { "veterinarian-hospital.com", true },
   { "veterinario.roma.it", true },
   { "veterinarioaltea.com", true },
@@ -39043,15 +40306,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vgropp.de", true },
   { "vh.net", true },
   { "vhrca.com", true },
+  { "vhs-bad-wurzach.de", true },
   { "vhummel.nl", true },
   { "vi.photo", true },
   { "via-shire-krug.ru", true },
+  { "via.blog.br", true },
+  { "viablog.com.br", true },
   { "viacdn.org", true },
   { "viafinance.cz", false },
   { "viaggio-in-cina.it", true },
-  { "viagraonlinebestellen.org", true },
   { "viagusto.pl", true },
   { "viajandoporelmundo.com.ar", true },
+  { "viajaramsterdam.com", true },
   { "viaje-a-china.com", true },
   { "vialorran.com", true },
   { "viaprinto.de", true },
@@ -39061,34 +40327,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vicentee.com", true },
   { "vichiya.com", true },
   { "vician.cz", true },
-  { "vicianovi.cz", true },
   { "vicicode.com", true },
-  { "viciousflora.com", true },
   { "vicjuwelen-annelore.be", true },
-  { "vickshomes.com", true },
   { "victora.com", true },
+  { "victorblomberg.se", true },
   { "victorcanera.com", true },
   { "victordiaz.me", true },
-  { "victoreriksson.ch", true },
-  { "victoreriksson.co", true },
-  { "victoreriksson.com", true },
-  { "victoreriksson.eu", true },
-  { "victoreriksson.info", true },
-  { "victoreriksson.me", true },
-  { "victoreriksson.net", true },
-  { "victoreriksson.nu", true },
-  { "victoreriksson.org", true },
-  { "victoreriksson.se", true },
-  { "victoreriksson.us", true },
   { "victorgbustamante.com", true },
   { "victorhawk.com", true },
   { "victoriaartist.ru", true },
   { "victoriastudio.ru", true },
   { "victorjacobs.com", true },
   { "victornet.de", true },
-  { "victornilsson.pw", true },
   { "victoroilpress.com", true },
+  { "victorricemill.com", true },
   { "victory.radio", true },
+  { "victoryalliance.us", true },
   { "victorzambrano.com", true },
   { "vicyu.com", true },
   { "vid-immobilien.de", true },
@@ -39097,14 +40351,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vidadu.com", true },
   { "vidarity.com", true },
   { "vidbooster.com", true },
-  { "vidcloud.xyz", true },
   { "vide-greniers.org", false },
-  { "videobola.win", true },
+  { "videobrochuresmarketing.com", true },
   { "videogamesartwork.com", true },
+  { "videojuegos.com", true },
   { "videokaufmann.at", true },
   { "videomail.io", true },
   { "videosdiversosdatv.com", true },
   { "videoseyredin.net", true },
+  { "videosparatodos.com", true },
   { "videospornogratis.pt", true },
   { "videosqr.com", true },
   { "videov.tk", true },
@@ -39126,15 +40381,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vietnamluxurytravelagency.com", true },
   { "vietnamphotoblog.com", true },
   { "vietnamwomenveterans.org", true },
+  { "vietplan.vn", true },
+  { "vieux.pro", true },
   { "viewbook.com", true },
   { "viewey.com", true },
   { "viewing.nyc", true },
   { "viewmyrecords.com", true },
-  { "viga.me", true },
   { "vigenebio.com", true },
   { "vigilantnow.com", true },
   { "vigliano.ovh", true },
   { "vignoblesdeletat.ch", true },
+  { "vigo-krankenversicherung.de", true },
   { "vigo-tarife.de", true },
   { "vigour.us", true },
   { "vigoxatelier.tech", true },
@@ -39150,11 +40407,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vikalpgupta.com", true },
   { "vikapaula.com", true },
   { "vikashkumar.me", true },
+  { "vikaviktoria.com", true },
   { "viking-style.ru", true },
   { "vikings.net", true },
-  { "vikodek.com", true },
+  { "viktorbarzin.me", true },
   { "viktorprevaric.eu", true },
   { "vila-eden.cz", true },
+  { "vilaydin.com", true },
   { "viljatori.fi", true },
   { "villa-eden.cz", true },
   { "villa-gockel.de", true },
@@ -39175,12 +40434,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "villesalonen.fi", true },
   { "villu.ga", true },
   { "viltsu.net", true },
+  { "vim.cx", true },
   { "vima.ch", true },
   { "vimeo.com", true },
   { "vinagro.sk", true },
   { "vinahost.vn", true },
   { "vinarstvimodryhrozen.cz", true },
   { "vincentcox.com", false },
+  { "vincentiliano.tk", true },
   { "vincentoshana.com", true },
   { "vincentpancol.com", true },
   { "vincentswordpress.nl", true },
@@ -39192,7 +40453,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vinilosdecorativos.net", true },
   { "vinistas.com", true },
   { "vinner.com.au", true },
-  { "vinnie.gq", true },
   { "vinnyandchristina.com", true },
   { "vinnyvidivici.com", true },
   { "vinokurov.tk", true },
@@ -39209,13 +40469,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vintagetrailerbuyers.com", true },
   { "vintazh.net", true },
   { "vinticom.ch", true },
-  { "vintock.com", true },
   { "vinyculture.com", true },
   { "vinzite.com", true },
+  { "violauotila.fi", true },
   { "violin4fun.nl", true },
   { "vionicbeach.com", true },
+  { "vionicshoes.co.uk", true },
   { "vionicshoes.com", true },
-  { "vip4553.com", true },
   { "vip8522.com", true },
   { "vipi.es", true },
   { "viptamin.eu", true },
@@ -39228,7 +40488,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "viralsouls.in", true },
   { "viralsv.com", true },
   { "virgopolymer.com", true },
-  { "virial.de", true },
   { "viridis-milites.cz", true },
   { "virtit.fr", true },
   { "virtual.hk", true },
@@ -39256,7 +40515,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vishwashantiyoga.com", true },
   { "visibox.nl", true },
   { "visikom.de", true },
-  { "visioflux-premium.com", true },
   { "visionarymedia.nl", true },
   { "visiondirectionaldrilling.com", true },
   { "visionexpress.com", true },
@@ -39285,15 +40543,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "visualmasters.nl", true },
   { "visudira.com", true },
   { "vitahook.pw", true },
-  { "vitalamin.com", true },
-  { "vitalamin.de", true },
+  { "vitalia.cz", true },
   { "vitalismaatjes.nl", true },
   { "vitalityscience.com", true },
+  { "vitalium-therme.de", true },
   { "vitalthrills.com", true },
   { "vitalware.com", true },
   { "vitalyzhukphoto.com", true },
-  { "vitamineproteine.com", true },
   { "vitaminler.com", true },
+  { "vitapingu.de", true },
   { "vitastic.nl", true },
   { "vitavie.nl", true },
   { "viteoscrm.ch", true },
@@ -39305,10 +40563,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vitra-vcare.co.uk", true },
   { "vitrado.de", true },
   { "vitsoft.by", true },
+  { "viva2000.com", true },
   { "vivaldi-fr.com", true },
   { "vivaldi.club", true },
   { "vivaldi.com", true },
-  { "vivamusic.es", true },
   { "vivanosports.com.br", false },
   { "vivatv.com.tw", true },
   { "vivendi.de", true },
@@ -39361,7 +40619,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vm-co.ch", true },
   { "vm0.eu", true },
   { "vmc.co.id", true },
-  { "vmem.jp", false },
   { "vmgirls.com", true },
   { "vmhydro.ru", false },
   { "vmis.nl", true },
@@ -39373,12 +40630,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vncg.org", true },
   { "vnd.cloud", true },
   { "vnfs-team.com", true },
+  { "vnpay.vn", true },
   { "vnpem.org", true },
   { "vnvisa.center", true },
   { "vnvisa.ru", true },
-  { "vocalik.com", true },
   { "vocaloid.my", true },
   { "vocalviews.com", true },
+  { "vocescruzadasbcs.mx", true },
   { "vochuys.nl", true },
   { "vocus.aero", true },
   { "vocustest.aero", true },
@@ -39402,7 +40660,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vojtechpavelka.cz", true },
   { "vokativy.cz", true },
   { "vokeapp.com", true },
-  { "vokurka.net", true },
   { "volcanconcretos.com", true },
   { "volcano-kazan.ru", true },
   { "volcano-spb.ru", true },
@@ -39419,6 +40676,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vollans.id.au", true },
   { "vollmondstollen.de", true },
   { "voloevents.com", true },
+  { "volqanic.com", true },
   { "volta.io", true },
   { "voltahurt.pl", true },
   { "volto.io", true },
@@ -39428,6 +40686,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vonborstelboerner.de", true },
   { "vonniehudson.com", true },
   { "vonski.pl", true },
+  { "vonterra.us", true },
   { "voodoochile.at", true },
   { "vop.li", true },
   { "vorlage-musterbriefe.de", true },
@@ -39437,7 +40696,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vorlif.org", true },
   { "vorm2.com", true },
   { "vorodevops.com", true },
-  { "vorte.ga", true },
   { "vos-fleurs.ch", true },
   { "vos-fleurs.com", true },
   { "vos-systems.com", true },
@@ -39448,6 +40706,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vosgym.jp", true },
   { "vosky.fr", true },
   { "vosn.de", true },
+  { "voss-klinik.com", true },
   { "vosselaer.com", true },
   { "vossenack.nrw", true },
   { "vosser.de", true },
@@ -39457,9 +40716,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "votocek.cz", true },
   { "votockova.cz", true },
   { "votoot.com", true },
-  { "votre-site-internet.ch", true },
   { "vouchinsurance.sg", true },
   { "vovladikavkaze.ru", true },
+  { "vowsy.club", true },
   { "voxfilmeonline.net", true },
   { "voxml.com", true },
   { "voxographe.com", false },
@@ -39476,14 +40735,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vpnpro.com", true },
   { "vpnservice.nl", true },
   { "vpntech.net", true },
+  { "vpsao.org", true },
   { "vpsboard.com", true },
   { "vpsdream.dk", true },
   { "vpsou.com", true },
   { "vpsport.ch", true },
-  { "vpsvz.cloud", true },
+  { "vpsproj.dynu.net", true },
   { "vpsvz.net", true },
   { "vrandopulo.ru", true },
   { "vrcholovka.cz", true },
+  { "vrcprofile.com", true },
   { "vreaulafacultate.ro", true },
   { "vreeman.com", true },
   { "vretmaskin.se", true },
@@ -39493,6 +40754,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vrijgezellenfeestzwolle.com", true },
   { "vrjetpackgame.com", true },
   { "vroedvrouwella.be", true },
+  { "vroyaltours.com", true },
   { "vrsystem.com.br", true },
   { "vrtak-cz.net", true },
   { "vscale.io", true },
@@ -39504,12 +40766,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vsestiralnie.com", true },
   { "vsestoki.com", true },
   { "vsl-defi.ch", true },
+  { "vsl.de", true },
   { "vssnederland.nl", true },
   { "vstehn.ru", true },
   { "vsund.de", true },
   { "vsx.ch", true },
   { "vtaxi.se", true },
   { "vtipe-vylez.cz", true },
+  { "vtt-hautsdefrance.fr", true },
   { "vtuber.art", true },
   { "vuakhuyenmai.vn", true },
   { "vubey.yt", true },
@@ -39517,12 +40781,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vuljespaarpot.nl", true },
   { "vullriede-multimedia.de", true },
   { "vulndetect.com", true },
-  { "vulndetect.org", true },
   { "vulnerability.ch", true },
   { "vulners.com", true },
   { "vulns.sexy", true },
   { "vulnscan.org", true },
   { "vulpine.club", true },
+  { "vulyk-medu.com.ua", true },
   { "vumetric.com", true },
   { "vuojolahti.com", true },
   { "vuojolahti.fi", true },
@@ -39535,16 +40799,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "vvdbronckhorst.nl", true },
   { "vvoip.org.uk", true },
   { "vvw-8522.com", true },
+  { "vvzero.cf", true },
   { "vvzero.com", true },
+  { "vvzero.me", true },
   { "vwbusje.com", true },
   { "vwfsrentacar.co.uk", true },
   { "vwhcare.com", true },
   { "vwittich.de", true },
   { "vwo.com", true },
   { "vwsoft.de", true },
-  { "vww-8522.com", true },
   { "vx.hn", true },
-  { "vxst.org", true },
   { "vxstream-sandbox.com", true },
   { "vybeministry.org", true },
   { "vyber-odhadce.cz", true },
@@ -39560,7 +40824,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "w-spotlight.appspot.com", true },
   { "w-w-auto.de", true },
   { "w.wiki", true },
-  { "w1221.com", true },
   { "w1n73r.de", true },
   { "w2n.me", true },
   { "w3ctag.org", true },
@@ -39571,11 +40834,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "w50.co.uk", true },
   { "w5gfe.org", true },
   { "w7k.de", true },
-  { "w84.it", true },
+  { "w889-line.com", true },
+  { "w889-line.net", true },
   { "w889889.com", true },
   { "w889889.net", true },
+  { "w88info.com", true },
+  { "w88info.win", true },
+  { "w88xinxi.com", true },
+  { "w8less.nl", true },
   { "w95.pw", true },
-  { "wa-stromerzeuger.de", true },
+  { "wa-stromerzeuger.de", false },
   { "wa.me", true },
   { "waaw.tv", true },
   { "wabatam.com", true },
@@ -39592,11 +40860,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wagyu-bader.de", true },
   { "wahhoi.net", true },
   { "wahidhasan.com", true },
+  { "wahlen-bad-wurzach.de", true },
   { "wahlman.org", true },
   { "wahrnehmungswelt.de", true },
   { "wahrnehmungswelten.de", true },
   { "waidfrau.de", true },
-  { "waidu.de", true },
   { "waifu-technologies.com", true },
   { "waifu-technologies.moe", true },
   { "waigel.org", true },
@@ -39613,10 +40881,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wakhanyeza.org", true },
   { "wakiminblog.com", true },
   { "wala-floor.de", true },
+  { "waldgourmet.de", true },
   { "waldvogel.family", true },
   { "walent.in", true },
   { "walentin.co", true },
-  { "waligorska.pl", true },
   { "walk.onl", true },
   { "walkera-fans.de", true },
   { "walkhighlandsandislands.com", true },
@@ -39632,12 +40900,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wallethub.com", false },
   { "walletnames.com", true },
   { "wallinger-online.at", true },
-  { "wallingford.cc", true },
   { "wallpapers.pub", true },
   { "wallpaperup.com", true },
   { "walls.de", true },
   { "walls.io", true },
+  { "wallsauce.com", true },
   { "walltime.info", true },
+  { "wallumai.com.au", true },
   { "wallysmasterblaster.com.au", true },
   { "walnutgaming.com", true },
   { "walnutis.net", true },
@@ -39664,12 +40933,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wangbangyu.gq", true },
   { "wangbangyu.ml", true },
   { "wangbangyu.tk", true },
-  { "wangjun.me", true },
+  { "wangejiba.com", true },
   { "wangqiliang.cn", true },
   { "wangqiliang.com", true },
-  { "wangqiliang.org", true },
   { "wangql.net", true },
   { "wangqr.tk", true },
+  { "wangriwu.com", true },
   { "wangtanzhang.com", true },
   { "wangwill.me", true },
   { "wangyubao.cn", true },
@@ -39677,28 +40946,31 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wangzuan168.cc", true },
   { "wanlieyan.com", true },
   { "wannaridecostarica.com", true },
+  { "wanvi.net", false },
   { "wanybug.cf", true },
   { "wanybug.com", true },
   { "wanybug.ga", true },
   { "wanybug.gq", true },
   { "wanybug.tk", true },
+  { "wanyingge.com", true },
   { "wanzenbug.xyz", true },
   { "waonui.io", true },
   { "wapa.gov", true },
+  { "wapazewddamcdocmanui6001.azurewebsites.net", true },
+  { "wapazewrdamcdocmanui6001.azurewebsites.net", true },
+  { "wapenon.com", true },
   { "wapking.co", true },
   { "wapoolandspa.com", true },
   { "wardow.com", true },
   { "warebouncycastles.co.uk", true },
   { "warekit.io", true },
   { "warenits.at", false },
+  { "warenmedia.com", true },
   { "wargameexclusive.com", true },
   { "warhaggis.com", true },
   { "warmservers.com", true },
   { "waroengkoe-shop.com", true },
   { "warofelements.de", true },
-  { "warp-radio.com", true },
-  { "warp-radio.net", true },
-  { "warp-radio.tv", true },
   { "warr.ath.cx", true },
   { "warringtonkidsbouncycastles.co.uk", true },
   { "warschild.org", true },
@@ -39709,13 +40981,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wasema.com", true },
   { "wasfestes.de", true },
   { "wasfuereintheater.com", true },
-  { "washandfun.com", true },
   { "washingtonregisteredagent.io", true },
   { "washingtonviews.com", true },
   { "wasi-net.de", true },
   { "wasielewski.com.de", true },
   { "wasil.org", true },
   { "waslh.com", true },
+  { "wasserburg.dk", true },
   { "wasserspucker.de", true },
   { "wassibauer.com", true },
   { "wastrel.ch", true },
@@ -39732,7 +41004,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "waterbrook.com.au", true },
   { "waterdogsmokedfish.com", true },
   { "waterdrop.tk", true },
-  { "waterfedpole.com", true },
   { "waterleeftinbeek.nl", true },
   { "watermonitor.gov", true },
   { "wateroutlook.com", true },
@@ -39740,14 +41011,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "waterschaplimburg.nl", true },
   { "waterside-residents.org.uk", true },
   { "waterslide-austria.at", true },
-  { "watertrails.io", true },
   { "waterworkscondos.com", true },
   { "watfordjc.uk", true },
   { "watoo.tech", true },
   { "watsonwork.me", true },
   { "watvindtnederland.com", true },
   { "waukeect.com", true },
-  { "wave-ola.es", true },
   { "wave.is", true },
   { "wave.red", true },
   { "wavengine.com", true },
@@ -39758,7 +41027,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "waxdramatic.com", true },
   { "waycraze.com", true },
   { "wayfair.de", true },
-  { "wayfairertravel.com", true },
+  { "waylandss.com", true },
+  { "waynefranklin.com", true },
   { "wayohoo.com", true },
   { "wayohoo.net", true },
   { "waytt.cf", true },
@@ -39782,11 +41052,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wcrca.org", true },
   { "wcsi.com", true },
   { "wcwcg.net", true },
-  { "wd627.com", true },
-  { "wd976.com", true },
   { "wdbflowersevents.co.uk", true },
   { "wdbgroup.co.uk", true },
   { "wdic.org", true },
+  { "wdmg.com.ua", true },
   { "wdodelta.nl", true },
   { "wdol.gov", true },
   { "wdt.cz", false },
@@ -39794,6 +41063,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "we-run-linux.de", true },
   { "we-use-linux.de", true },
   { "weacceptbitcoin.gr", true },
+  { "wealthcentral.com.au", true },
   { "wealthprojector.com", true },
   { "wealthprojector.com.au", true },
   { "wealthreport.com.au", true },
@@ -39809,9 +41079,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "weather-schools.com", true },
   { "weather.gov", true },
   { "weathermyway.rocks", true },
+  { "web-apps.tech", true },
   { "web-art.cz", true },
   { "web-design.co.il", true },
-  { "web-dl.cc", true },
   { "web-hotel.gr", true },
   { "web-jive.com", true },
   { "web-kouza.com", true },
@@ -39820,7 +41090,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "web-redacteuren.nl", true },
   { "web-siena.it", true },
   { "web-smart.com", true },
-  { "web-thinker.ru", true },
   { "web-wave.jp", true },
   { "web.bzh", true },
   { "web.cc", false },
@@ -39838,14 +41107,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webais.ru", true },
   { "webalert.cz", true },
   { "webambacht.nl", true },
-  { "webandmore.de", false },
+  { "webandmore.de", true },
   { "webappky.cz", true },
   { "webartex.ru", true },
   { "webbiz.co.uk", true },
   { "webbson.net", false },
   { "webcamtoy.com", true },
   { "webcasinos.com", true },
-  { "webcatchers.nl", true },
+  { "webcatchers.nl", false },
   { "webcatechism.com", false },
   { "webclimbers.ch", true },
   { "webcollect.org.uk", true },
@@ -39853,7 +41122,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webcookies.org", true },
   { "webcrm.com", true },
   { "webcurtaincall.com", true },
-  { "webdeflect.com", true },
   { "webdemaestrias.com", true },
   { "webdesign-st.de", true },
   { "webdesigneauclaire.com", true },
@@ -39865,7 +41133,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webdevops.io", true },
   { "webdevxp.com", true },
   { "webdl.org", true },
-  { "webdollarvpn.io", true },
   { "webduck.nl", false },
   { "webeast.eu", true },
   { "webeau.com", true },
@@ -39880,13 +41147,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webfilings-mirror-hrd.appspot.com", true },
   { "webfilings.appspot.com", true },
   { "webfixers.nl", true },
-  { "webfox.com.br", true },
   { "webgap.io", false },
   { "webgarten.ch", true },
   { "webgears.com", true },
   { "webharvest.gov", true },
   { "webhooks.stream", true },
-  { "webhostingshop.ca", true },
+  { "webhost.guide", true },
   { "webhostingzzp.nl", false },
   { "webhostplan.info", true },
   { "webies.ro", true },
@@ -39910,18 +41176,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webmetering.at", true },
   { "webministeriet.net", true },
   { "webmotelli.fi", true },
+  { "webmr.de", true },
   { "webnames.ca", true },
   { "webnetforce.net", true },
   { "webnexty.com", true },
-  { "webogram.org", false },
   { "webpinoytambayan.net", true },
   { "webpinoytv.info", true },
   { "webpostingmart.com", true },
   { "webpostingpro.com", true },
   { "webpostingreviews.com", true },
   { "webproject.rocks", true },
-  { "webproxy.pw", true },
   { "webpubsub.com", true },
+  { "webpulser.com", true },
   { "webqualitat.com.br", true },
   { "webrebels.org", false },
   { "webrentcars.com", true },
@@ -39934,11 +41200,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "websenat.de", true },
   { "websharks.org", true },
   { "website-engineering.co.za", true },
+  { "websiteadvice.com.au", true },
   { "websiteboost.nl", true },
   { "websiteforlease.ca", true },
   { "websiteout.ca", true },
   { "websiteout.net", true },
-  { "websiterent.ca", true },
   { "websites4business.ca", true },
   { "websitesdallas.com", true },
   { "websiteservice.pro", true },
@@ -39948,6 +41214,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webspiral.jp", true },
   { "webspire.tech", true },
   { "webstart.nl", true },
+  { "webstellung.com", true },
   { "webstijlen.nl", true },
   { "webstore.be", false },
   { "webstu.be", true },
@@ -39957,28 +41224,32 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "webtalis.nl", true },
   { "webtasarim.pw", true },
   { "webtheapp.com", true },
+  { "webtobesocial.de", true },
   { "webtorrent.io", true },
   { "webtrh.cz", true },
   { "webtropia.com", false },
+  { "webukhost.com", true },
   { "webutils.io", true },
   { "webvisum.de", true },
   { "webwednesday.nl", true },
+  { "webwelearn.com", true },
   { "webwinkelexploitatie.nl", true },
   { "webwinkelwestland.nl", true },
   { "webwit.nl", true },
   { "webworkshop.ltd", true },
   { "webxr.today", true },
   { "webyazilimankara.com", true },
-  { "webz.one", true },
   { "wechatify.com", true },
+  { "weck.alsace", true },
   { "wecleanbins.com", true },
   { "wecobble.com", true },
-  { "weddingfantasy.ru", true },
+  { "weddingdays.tv", true },
   { "weddingofficiantwilmington.com", true },
   { "weddingsbynoon.co.uk", true },
   { "weddywood.ru", false },
   { "wedg.uk", true },
   { "wedos.com", true },
+  { "weebl.me", true },
   { "weeblr.com", true },
   { "weeblrpress.com", true },
   { "weedlife.com", true },
@@ -40004,8 +41275,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wefinanceinc.com", true },
   { "wefitboilers.com", true },
   { "weforgood.org.tw", true },
-  { "wegethitched.co.uk", true },
-  { "weggeweest.nl", true },
   { "wegonnagetsued.org", true },
   { "wegotcookies.com", true },
   { "wegrzynek.org", true },
@@ -40032,13 +41301,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "weissman.agency", true },
   { "weiterbildung-vdz.de", true },
   { "weitergedacht.eu", true },
-  { "weixiaojun.org", true },
   { "weizenspr.eu", true },
   { "welcome-tahiti.com", true },
   { "welcome-werkstatt.com", true },
   { "welcome-werkstatt.de", true },
   { "welcome26.ch", true },
-  { "welcomehelp.de", true },
   { "welcomescuba.com", true },
   { "welcometoscottsdalehomes.com", true },
   { "weld.io", true },
@@ -40053,9 +41320,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wellness-bonbon.de", true },
   { "wellness-gutschein.de", true },
   { "wellnesscheck.net", true },
+  { "wellnessever.com", true },
   { "wellsolveit.com", false },
   { "welovecatsandkittens.com", true },
-  { "welsh.com.br", true },
+  { "welovemaira.com", true },
   { "welshccf.org.uk", true },
   { "welteneroberer.de", true },
   { "weltengilde.de", true },
@@ -40063,23 +41331,26 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "weltmeister.de", true },
   { "weltverschwoerung.de", true },
   { "welzijnkoggenland.nl", true },
-  { "wem.hr", true },
+  { "wem.hr", false },
   { "wemakebookkeepingeasy.com", true },
   { "wemakemenus.com", true },
   { "wemakeonlinereviews.com", true },
   { "wemovemountains.co.uk", true },
   { "wendigo.pl", true },
   { "wendlberger.net", true },
-  { "wendu.me", true },
+  { "wener.me", false },
+  { "wenge-murphy.com", true },
   { "wenger-shop.ch", true },
   { "wenjs.me", true },
   { "wensing-und-koenig.de", true },
+  { "wenta.de", true },
   { "wepay.com", false },
   { "wepay.in.th", true },
   { "wepay.vn", true },
   { "weplaynaked.dk", true },
   { "wer-kommt-her.de", true },
   { "werally.com", true },
+  { "werbe-markt.de", true },
   { "werbe-sonnenbrillen.de", true },
   { "werbeagentur.de", true },
   { "werbedesign-tauber.de", true },
@@ -40109,6 +41380,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "werktor.net", true },
   { "wermeester.com", true },
   { "werner-ema.de", true },
+  { "werner-schaeffer.de", true },
+  { "wernerschaeffer.de", true },
   { "werpo.com.ar", true },
   { "wertheimer-burgrock.de", true },
   { "wertpapiertreuhand.de", true },
@@ -40138,7 +41411,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "westernpadermatologist.com", true },
   { "westeros.hu", true },
   { "westhillselectrical.com", true },
-  { "westlaketire.pt", true },
   { "westlakevillageelectric.com", true },
   { "westlakevillageelectrical.com", true },
   { "westlakevillageelectrician.com", true },
@@ -40163,6 +41435,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wette.de", true },
   { "wetten.eu", true },
   { "wevenues.com", true },
+  { "wevg.org", true },
+  { "wew881.com", true },
+  { "wew882.com", true },
   { "wewin88.com", true },
   { "wewin88.net", true },
   { "wewitro.de", true },
@@ -40170,8 +41445,8 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wexfordbouncycastles.ie", true },
   { "wexilapp.com", true },
   { "weyland-yutani.org", true },
-  { "weynaphotography.com", true },
   { "wezartt.com", true },
+  { "wezl.net", true },
   { "wf-bigsky-master.appspot.com", true },
   { "wf-demo-eu.appspot.com", true },
   { "wf-demo-hrd.appspot.com", true },
@@ -40184,7 +41459,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wf-trial-hrd.appspot.com", true },
   { "wfh.ovh", true },
   { "wfh.se", true },
-  { "wfl.ro", true },
+  { "wforum.nl", true },
   { "wft-portfolio.nl", true },
   { "wg-steubenstrasse.de", true },
   { "wg3k.us", false },
@@ -40203,7 +41478,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "whatclinic.de", true },
   { "whatclinic.ie", true },
   { "whatclinic.ru", true },
+  { "whatdevotion.com", true },
   { "whateveraspidercan.com", true },
+  { "whatisapassword.com", true },
   { "whatismycountry.com", true },
   { "whatismyip.net", false },
   { "whatismyipaddress.ca", true },
@@ -40214,6 +41491,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "whatsmychaincert.com", true },
   { "whatsupgold.com.tw", true },
   { "whatsupoutdoor.com", true },
+  { "whatthefile.info", true },
   { "whatthingsweigh.com", true },
   { "whattominingrigrentals.com", true },
   { "whatusb.com", true },
@@ -40233,16 +41511,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "whexit.nl", true },
   { "whey-protein.ch", true },
   { "whiletrue.run", true },
-  { "whimtrip.fr", false },
   { "whing.org", true },
   { "whipnic.com", true },
   { "whirlpool-luboss.de", true },
   { "whirlpool.net.au", true },
   { "whisky-circle.info", true },
   { "whiskygentle.men", true },
+  { "whiskyglazen.nl", false },
   { "whiskynerd.ca", true },
   { "whisp.ly", false },
   { "whispeer.de", true },
+  { "whisperinghoperanch.org", true },
   { "whisperlab.org", true },
   { "whistleb.com", true },
   { "whistleblower.gov", true },
@@ -40268,7 +41547,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "whitelabelcashback.nl", true },
   { "whitelabeltickets.com", false },
   { "whitepharmacy.co.uk", true },
-  { "whiterose.goip.de", true },
   { "whiteshadowimperium.com", true },
   { "whitewebhosting.co.za", true },
   { "whitewebhosting.com", true },
@@ -40284,19 +41562,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "who-calledme.com", true },
   { "who.pm", true },
   { "whoami.io", true },
-  { "whoasome.com", true },
   { "whocalld.com", true },
   { "whocalled.us", true },
   { "whocybered.me", true },
-  { "whoimg.com", true },
+  { "whoimg.com", false },
   { "whoisdhh.com", true },
   { "whoisthenightking.com", true },
   { "whoiswp.com", true },
   { "wholesalecbd.com", true },
   { "wholesomeharvestbread.com", false },
+  { "whollyskincare.com", true },
   { "whonix.org", true },
   { "whosyourdaddy.ml", true },
   { "whoturgled.com", true },
+  { "whqqq.com", true },
   { "whqtravel.org", false },
   { "whs-music.org", true },
   { "whta.se", true },
@@ -40312,7 +41591,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "whyz1722.tk", true },
   { "wibbe.link", true },
   { "wiberg.nu", true },
+  { "wicharypawel.com", true },
   { "wichitafoundationpros.com", true },
+  { "wick-machinery.com", true },
+  { "wickelfischfrance.fr", true },
   { "wickrath.net", true },
   { "wideboxmacau.com", false },
   { "widegab.com", true },
@@ -40330,6 +41612,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wiek.net", true },
   { "wien52.at", true },
   { "wieneck-bauelemente.de", true },
+  { "wiener.hr", true },
   { "wienergyjobs.com", true },
   { "wieobensounten.de", true },
   { "wifi-hack.com", true },
@@ -40381,7 +41664,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wilcodeboer.me", true },
   { "wild-turtles.com", true },
   { "wildboaratvparts.com", true },
+  { "wildcatdiesel.com.au", true },
   { "wilddogdesign.co.uk", true },
+  { "wildercerron.com", true },
   { "wildewood.ca", true },
   { "wildlifeadaptationstrategy.gov", true },
   { "wildnisfamilie.net", true },
@@ -40405,6 +41690,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "williamfeely.info", true },
   { "williamjohngauthier.net", true },
   { "williamle.com", true },
+  { "williampuckering.com", true },
   { "williamscomposer.com", true },
   { "williamsonshore.com", true },
   { "williamsportmortgages.com", true },
@@ -40428,15 +41714,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wimbo.nl", true },
   { "wimpernforyou.de", true },
   { "win7stylebuilder.com", false },
+  { "win88-line.com", true },
+  { "win88-line.net", true },
   { "winbignow.click", true },
   { "winbuzzer.com", true },
   { "wincasinowin.click", true },
   { "winch-center.de", true },
-  { "wind.moe", true },
   { "winddan.nz", true },
   { "windelnkaufen24.de", true },
   { "windforme.com", true },
   { "windowcleaningexperts.net", true },
+  { "windows-support.nu", true },
+  { "windows-support.se", true },
   { "windowslatest.com", true },
   { "windowsnerd.com", true },
   { "windowsnoticias.com", true },
@@ -40449,6 +41738,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wine-tapa.com", true },
   { "wineparis.com", true },
   { "winepress.org", true },
+  { "winfieldchen.me", true },
   { "winghill.com", true },
   { "wingify.com", true },
   { "wingmin.net", true },
@@ -40478,6 +41768,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wir-bewegen.sh", true },
   { "wircon-int.net", true },
   { "wire.com", true },
+  { "wireframesoftware.com", true },
   { "wireheading.com", true },
   { "wireshark.org", true },
   { "wiretime.de", true },
@@ -40488,13 +41779,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wirsol.com", true },
   { "wis.no", true },
   { "wisak.me", true },
-  { "wisal.org", true },
   { "wischu.com", true },
   { "wisedog.eu", true },
   { "wishlist.net", true },
   { "wispapp.com", false },
   { "wisper.net.au", true },
   { "wispsuperfoods.com", true },
+  { "wiss.co.uk", true },
+  { "wissamnr.be", true },
   { "wisv.ch", true },
   { "wisweb.no", true },
   { "wit.ai", true },
@@ -40510,11 +41802,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wittu.fi", true },
   { "witway.nl", false },
   { "wivoc.nl", true },
-  { "wixguide.co", true },
   { "wiz.at", true },
   { "wiz.biz", true },
   { "wiz.farm", true },
   { "wizardbouncycastles.co.uk", true },
+  { "wizzair.com", true },
   { "wizzley.com", true },
   { "wizzr.nl", true },
   { "wj0666.com", true },
@@ -40545,17 +41837,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wmaccess.de", true },
   { "wmfusercontent.org", true },
   { "wmkowa.de", true },
-  { "wmustore.com", true },
   { "wnu.com", true },
   { "wo-ist-elvira.net", true },
   { "wo2forum.nl", true },
   { "woah.how", true },
   { "wobble.ninja", true },
   { "wobblywotnotz.co.uk", true },
-  { "wodboss.com", true },
+  { "woblex.cz", true },
   { "wodinaz.com", true },
   { "wodka-division.de", true },
   { "woelkchen.me", true },
+  { "wofflesoft.com", true },
   { "wofford-ecs.org", true },
   { "woffs.de", true },
   { "wogo.org", true },
@@ -40573,9 +41865,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wolfgang-kerschbaumer.at", true },
   { "wolfgang-kerschbaumer.com", true },
   { "wolfgang-kerschbaumer.net", true },
+  { "wolfgang-kloke.de", true },
   { "wolfgang-ziegler.com", true },
   { "wolfie.ovh", false },
   { "wolfsden.cz", true },
+  { "wolfshuegelturm.de", true },
   { "wolfvideoproductions.com", true },
   { "wolfwings.us", true },
   { "wolfy1339.com", false },
@@ -40586,15 +41880,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wollwerk.org", true },
   { "wolszon.me", true },
   { "woltlab-demo.com", true },
-  { "womb.city", true },
   { "wombatalla.com.au", true },
+  { "wombatnet.com", true },
   { "wombats.net", true },
+  { "wombere.org", true },
   { "womcom.nl", true },
   { "women-only.net", true },
   { "womensalespros.com", true },
   { "womenshairlossproject.com", true },
   { "womensmedassoc.com", true },
-  { "wonabo.com", true },
   { "wonder.com.mx", false },
   { "wonderbill.com", true },
   { "wonderbits.net", true },
@@ -40605,10 +41899,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wonderlandmovies.de", true },
   { "wondermags.com", true },
   { "wonghome.net", true },
+  { "wooc.org", true },
   { "wood-crafted.co.uk", true },
   { "wood-crafted.uk", true },
   { "woodbury.io", true },
-  { "woodcoin.org", false },
+  { "woodcoin.org", true },
+  { "woodenson.com", true },
   { "woodev.us", true },
   { "woodinvillesepticservice.net", true },
   { "woodlandhillselectrical.com", true },
@@ -40623,7 +41919,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "woohooyeah.nl", true },
   { "woonboulevardvolendam.nl", true },
   { "woontegelwinkel.nl", true },
-  { "wooplagaming.com", true },
   { "wootware.co.za", true },
   { "wopr.network", true },
   { "worca.de", true },
@@ -40650,10 +41945,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "workgrouptech.org", true },
   { "workingclassmedia.com", true },
   { "workinginsync.co.uk", true },
-  { "workingmachine.info", true },
+  { "worklizard.com", true },
   { "workmart.mx", true },
+  { "worknrby.com", true },
   { "workoptions.com", true },
-  { "workplaces.online", true },
   { "workraw.com", true },
   { "workray.com", true },
   { "works-ginan.jp", true },
@@ -40664,7 +41959,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "world-lolo.com", true },
   { "worldcareers.dk", true },
   { "worldcigars.com.br", true },
-  { "worldcrafts.org", true },
   { "worldcubeassociation.org", true },
   { "worldessays.com", true },
   { "worldeventscalendars.com", true },
@@ -40673,22 +41967,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "worldofarganoil.com", true },
   { "worldofbelia.de", true },
   { "worldofparties.co.uk", true },
-  { "worldofterra.net", true },
   { "worldofvnc.net", true },
   { "worldofwobble.co.uk", true },
   { "worldpeacetechnology.com", true },
+  { "worldrecipes.eu", true },
   { "worldsgreatestazuredemo.com", true },
   { "worldsinperil.it", true },
   { "worldsoccerclips.com", true },
   { "worldstone777.com", true },
   { "worldtalk.de", true },
   { "wormbytes.ca", true },
-  { "wormdisk.net", true },
   { "worst.horse", false },
   { "wort-suchen.de", true },
+  { "woshiluo.site", true },
   { "wot-tudasbazis.hu", true },
-  { "woti.dedyn.io", true },
   { "wotra-register.com", true },
+  { "wotsunduk.ru", true },
   { "woudenberg.nl", true },
   { "woudenbergsedrukkerij.nl", true },
   { "woufbox.com", true },
@@ -40696,7 +41990,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wouterslop.com", true },
   { "wouterslop.eu", true },
   { "wouterslop.nl", true },
-  { "wow-foederation.de", true },
   { "wow-screenshots.net", true },
   { "wowaffixes.info", true },
   { "wowbouncycastles.co.uk", true },
@@ -40706,7 +41999,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wowjs.uk", true },
   { "wownmedia.com", true },
   { "wozalapha.com", true },
-  { "wp-bullet.com", true },
   { "wp-master.org", true },
   { "wp-mix.com", true },
   { "wp-securehosting.com", true },
@@ -40721,9 +42013,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wpccu.org", true },
   { "wpcdn.bid", true },
   { "wpcharged.nz", true },
-  { "wpdesigner.ir", true },
   { "wpdirecto.com", true },
-  { "wpdublin.com", true },
   { "wpenhance.com", true },
   { "wpexplorer.com", true },
   { "wpformation.com", true },
@@ -40735,8 +42025,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wplistings.pro", true },
   { "wpmeetup-berlin.de", true },
   { "wpmu-tutorials.de", true },
+  { "wpno.com", true },
   { "wpoptimalizace.cz", true },
   { "wpostats.com", false },
+  { "wprodevs.com", true },
   { "wpscans.com", true },
   { "wpsec.nl", true },
   { "wpserp.com", true },
@@ -40747,6 +42039,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wpsono.com", true },
   { "wpthaiuser.com", true },
   { "wptomatic.de", true },
+  { "wptorium.com", true },
   { "wptotal.com", true },
   { "wpturnedup.com", true },
   { "wpvulndb.com", true },
@@ -40755,10 +42048,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wrara.org", true },
   { "wrathofgeek.com", true },
   { "wrc-results.com", true },
+  { "wrd48.net", true },
   { "wrdcfiles.ca", true },
   { "wrdx.io", true },
   { "wrenwrites.com", true },
   { "wrgms.com", true },
+  { "wrightselfstorageandremovals.com", true },
   { "wristreview.com", true },
   { "write-right.net", true },
   { "writeandedit-for-you.com", true },
@@ -40783,10 +42078,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wrp-timber-mouldings.co.uk", true },
   { "wrp.gov", true },
   { "wryoutube.com", true },
+  { "ws-meca.com", true },
   { "wsa.poznan.pl", true },
   { "wsadek.ovh", true },
   { "wsb.pl", true },
   { "wscales.com", false },
+  { "wscbiolo.id", true },
+  { "wscore.me", true },
   { "wsdcapital.com", true },
   { "wselektro.de", true },
   { "wsgvet.com", true },
@@ -40811,22 +42109,18 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wucke13.de", true },
   { "wuerfel.wf", true },
   { "wuerfelmail.de", true },
-  { "wufu.org", false },
   { "wug.jp", true },
   { "wug.news", true },
   { "wuifan.com", true },
   { "wuji.cz", true },
   { "wumai-p.cn", true },
-  { "wumbo.cf", true },
   { "wumbo.co.nz", true },
-  { "wumbo.ga", true },
-  { "wumbo.gq", true },
-  { "wumbo.ml", true },
-  { "wumbo.tk", true },
+  { "wunder.io", true },
   { "wunderkarten.de", true },
   { "wunderlist.com", true },
   { "wundernas.ch", true },
   { "wundi.net", true },
+  { "wunschpreisauto.de", true },
   { "wunschzettel.de", true },
   { "wuppertal-2018.de", false },
   { "wuppertaler-kurrende.com", false },
@@ -40835,17 +42129,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wuwuwu.me", true },
   { "wuxiaobai.win", true },
   { "wuxiaohen.com", true },
+  { "wuyang.ws", true },
   { "wuyue.photo", true },
   { "wv-n.de", true },
   { "wvg.myds.me", true },
-  { "wvv-8522.com", true },
-  { "wvw-8522.com", true },
   { "ww0512.com", true },
   { "ww2onlineshop.com", true },
-  { "wwbsb.xyz", true },
   { "wweforums.net", true },
   { "wweichen.com.cn", true },
   { "wwgc2011.se", true },
+  { "wwjd.dynu.net", true },
   { "wwv-8722.com", true },
   { "www-33445.com", true },
   { "www-49889.com", true },
@@ -40856,11 +42149,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "www-86499.com", true },
   { "www-8722.com", true },
   { "www-9822.com", true },
-  { "www-pj009.com", true },
   { "www.aclu.org", false },
   { "www.airbnb.com", true },
+  { "www.amazon.ca", true },
   { "www.amazon.cn", true },
+  { "www.amazon.co.jp", true },
+  { "www.amazon.co.uk", true },
+  { "www.amazon.com", true },
+  { "www.amazon.com.au", true },
+  { "www.amazon.com.br", true },
+  { "www.amazon.com.mx", true },
+  { "www.amazon.de", true },
   { "www.amazon.es", true },
+  { "www.amazon.fr", true },
+  { "www.amazon.it", true },
+  { "www.amazon.nl", true },
   { "www.apollo-auto.com", true },
   { "www.banking.co.at", false },
   { "www.braintreepayments.com", false },
@@ -40888,7 +42191,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "www.heliosnet.com", true },
   { "www.honeybadger.io", false },
   { "www.hyatt.com", false },
-  { "www.intercom.io", true },
+  { "www.icann.org", false },
   { "www.irccloud.com", false },
   { "www.lastpass.com", false },
   { "www.linode.com", false },
@@ -40919,6 +42222,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "www.wepay.com", false },
   { "www.wordpress.com", false },
   { "www.zdnet.com", true },
+  { "wx37.ac.cn", true },
   { "wxcafe.net", true },
   { "wxdisco.com", true },
   { "wxforums.com", true },
@@ -40926,13 +42230,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wxkxsw.com", true },
   { "wxlog.cn", true },
   { "wxster.com", true },
-  { "wyam.io", false },
+  { "wxzm.sx", true },
+  { "wyam.io", true },
   { "wybar.uk", true },
   { "wycrow.com", false },
   { "wyday.com", true },
   { "wygibanki.pl", true },
   { "wygodnie.pl", true },
   { "wyhpartnership.co.uk", true },
+  { "wylog.ph", true },
   { "wynterhill.co.uk", true },
   { "wyo.cam", true },
   { "wypemagazine.se", true },
@@ -40944,9 +42250,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "wyydsb.com", true },
   { "wyydsb.xin", true },
   { "wyysoft.tk", true },
-  { "wzfetish.com.br", true },
   { "wzfou.com", true },
-  { "wzrd.in", true },
   { "wzyboy.org", true },
   { "x-iweb.ru", true },
   { "x-lan.be", true },
@@ -40972,20 +42276,30 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xants.de", true },
   { "xatr0z.org", false },
   { "xawen.net", false },
+  { "xb6638.com", true },
+  { "xb6673.com", true },
+  { "xb851.com", true },
+  { "xb862.com", true },
+  { "xb913.com", true },
+  { "xb917.com", true },
+  { "xb925.com", true },
+  { "xb927.com", true },
+  { "xb965.com", true },
+  { "xb983.com", true },
   { "xbb.hk", true },
   { "xbb.li", true },
-  { "xbertschy.com", true },
   { "xblau.com", true },
   { "xboxdownloadthat.com", true },
   { "xboxlivegoldshop.nl", true },
   { "xboxonex.shop", true },
+  { "xbpay88.com", true },
   { "xbrl.online", true },
   { "xbrlsuccess.appspot.com", true },
   { "xbt.co", true },
   { "xbtce.com", true },
   { "xbtmusic.org", false },
+  { "xceedgaming.com", true },
   { "xcentricmold.com", true },
-  { "xcler8.com", true },
   { "xclirion-support.de", true },
   { "xcorpsolutions.com", true },
   { "xcvb.xyz", true },
@@ -40994,12 +42308,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xdawn.cn", true },
   { "xdeftor.com", true },
   { "xdos.io", true },
+  { "xdtag.com", true },
+  { "xdty.org", true },
+  { "xecure.zone", true },
+  { "xecureit.com", true },
   { "xeedbeam.me", true },
   { "xega.org", true },
   { "xehost.com", true },
   { "xeiropraktiki.gr", true },
   { "xelesante.jp", true },
   { "xendo.net", true },
+  { "xenolith.eu", true },
   { "xenomedia.nl", true },
   { "xenon.cloud", true },
   { "xenoncloud.net", true },
@@ -41026,6 +42345,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xhily.com", true },
   { "xhmikosr.io", true },
   { "xho.me", true },
+  { "xhotlips.date", true },
   { "xia.de", true },
   { "xiamenshipbuilding.com", true },
   { "xiamuzi.com", true },
@@ -41034,9 +42354,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xiangweiqing.co.uk", true },
   { "xiangwenquan.me", true },
   { "xianjianruishiyouyiyuan.com", true },
-  { "xiaobude.cn", true },
   { "xiaocg.xyz", true },
-  { "xiaofengsky.com", true },
   { "xiaoguo.net", false },
   { "xiaolanglang.net", true },
   { "xiaolong.link", true },
@@ -41046,6 +42364,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xiaoniaoyou.com", true },
   { "xiaoyu.net", true },
   { "xiaoyy.org", true },
+  { "xiashali.me", true },
   { "xichtsbuch.de", true },
   { "xicreative.net", true },
   { "xiecongan.org", true },
@@ -41055,18 +42374,22 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xiliant.com", false },
   { "xilkoi.net", true },
   { "xilou.org", true },
+  { "ximble.com", true },
   { "ximbo.net", true },
+  { "xinbo676.com", true },
+  { "xinboyule.com", true },
   { "xinj.com", true },
+  { "xinlandm.com", true },
   { "xinnixdeuren-shop.be", true },
-  { "xinplay.net", true },
+  { "xinu.xyz", true },
   { "xinuspeed.com", true },
   { "xinuspeedtest.com", true },
   { "xinuurl.com", true },
   { "xiongx.cn", true },
-  { "xj8876.com", true },
   { "xjd.vision", true },
   { "xjf6.com", true },
   { "xjjeeps.com", true },
+  { "xjoi.net", true },
   { "xjoin.de", true },
   { "xjpvictor.info", true },
   { "xkblog.xyz", true },
@@ -41075,13 +42398,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xkviz.net", true },
   { "xlan.be", true },
   { "xlange.com", true },
+  { "xldl.ml", true },
   { "xliang.co", true },
-  { "xlui.me", true },
   { "xluxes.jp", true },
   { "xmedius.ca", true },
   { "xmedius.com", false },
   { "xmedius.eu", true },
   { "xmenrevolution.com", true },
+  { "xmflyrk.com", true },
   { "xmine128.tk", true },
   { "xmlbeam.org", true },
   { "xmlogin288.com", true },
@@ -41095,34 +42419,44 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn----7sbfl2alf8a.xn--p1ai", true },
   { "xn----8hcdn2ankm1bfq.com", true },
   { "xn----8sbjfacqfqshbh7afyeg.xn--80asehdb", true },
+  { "xn----9sbkdigdao0de1a8g.com", true },
   { "xn----zmcaltpp1mdh16i.com", true },
   { "xn--0iv967ab7w.xn--rhqv96g", true },
   { "xn--0kq33cz5c8wmwrqqw1d.com", true },
   { "xn--158h.ml", true },
+  { "xn--15tx89ctvm.xn--6qq986b3xl", true },
+  { "xn--1yst51avkr.ga", true },
+  { "xn--1yst51avkr.xn--6qq986b3xl", true },
   { "xn--24-6kch4bfqee.xn--p1ai", true },
   { "xn--24-glcia8dc.xn--p1ai", true },
+  { "xn--2sxs9ol7o.com", true },
   { "xn--48jwg508p.net", true },
+  { "xn--4dbfsnr.xn--9dbq2a", true },
   { "xn--4kro7fswi.xn--6qq986b3xl", true },
   { "xn--4pv80kkz8auzf.jp", true },
   { "xn--57h.ml", true },
   { "xn--5dbkjqb0d.com", true },
   { "xn--5dbkjqb0d.net", true },
   { "xn--6o8h.cf", true },
+  { "xn--6qq52xuogcjfw8pwqp.ga", true },
+  { "xn--6qq62xsogfjfs8p1qp.ga", true },
   { "xn--6x6a.life", true },
   { "xn--79q87uvkclvgd56ahq5a.net", true },
   { "xn--7ca.co", true },
   { "xn--7xa.google.com", true },
   { "xn--80adb4aeode.xn--p1ai", true },
   { "xn--80adbevek3air0ee9b8d.com", true },
+  { "xn--80adbvdjzhptl1be6j.com", true },
   { "xn--80aejljbfwxn.xn--p1ai", true },
   { "xn--80anogxed.xn--p1ai", true },
   { "xn--80azelb.xn--p1ai", true },
   { "xn--8bi.gq", true },
-  { "xn--8dry00a7se89ay98epsgxxq.com", true },
   { "xn--90accgba6bldkcbb7a.xn--p1acf", true },
   { "xn--allgu-biker-o8a.de", true },
   { "xn--aviao-dra1a.pt", true },
+  { "xn--b3c4f.xn--o3cw4h", true },
   { "xn--baron-bonzenbru-elb.com", true },
+  { "xn--bckerei-trster-5hb11a.de", true },
   { "xn--ben-bank-8za.dk", true },
   { "xn--benbank-dxa.dk", true },
   { "xn--berwachungspaket-izb.at", true },
@@ -41132,19 +42466,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--cckdrt0kwb4g3cnh.com", true },
   { "xn--cctsgy36bnvprwpekc.com", true },
   { "xn--cfa.site", true },
+  { "xn--circul-gva.cc", true },
+  { "xn--circul-u3a.cc", true },
   { "xn--d1acj9c.xn--90ais", true },
   { "xn--dcko6fsa5b1a8gyicbc.biz", true },
   { "xn--dej-3oa.lv", true },
   { "xn--detrkl13b9sbv53j.com", true },
   { "xn--detrkl13b9sbv53j.org", true },
-  { "xn--die-zahnrzte-ncb.de", true },
   { "xn--dmonenjger-q5ag.net", true },
+  { "xn--dmontaa-9za.com", true },
   { "xn--dragni-g1a.de", true },
   { "xn--dtursfest-72a.dk", true },
   { "xn--e1aoahhqgn.xn--p1ai", true },
   { "xn--ecki0cd0bu9a4nsjb.com", true },
-  { "xn--eckle6c0exa0b0modc7054g7h8ajw6f.com", true },
-  { "xn--ehq13kgw4e.ml", true },
   { "xn--ehqw04eq6e.jp", true },
   { "xn--elsignificadodesoar-c4b.com", true },
   { "xn--erklderbarenben-slbh.dk", true },
@@ -41152,6 +42486,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--f9jh4f4b4993b66s.tokyo", true },
   { "xn--familie-pppinghaus-l3b.de", true },
   { "xn--feuerlscher-arten-4zb.de", true },
+  { "xn--fiestadefindeao-crb.com", true },
   { "xn--fiqwix98h.jp", true },
   { "xn--fischereiverein-mnsterhausen-i7c.de", true },
   { "xn--fp8h58f.ws", true },
@@ -41171,14 +42506,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--jp8hx8f.ws", true },
   { "xn--kckd0bd4a8tp27yee2e.com", true },
   { "xn--kda.tk", true },
-  { "xn--keditr-0xa.biz", true },
   { "xn--klmek-0sa.com", true },
   { "xn--knstler-n2a.tips", false },
   { "xn--krpto-lva.de", true },
   { "xn--ktha-kamrater-pfba.se", true },
+  { "xn--labanskllermark-ftb.se", true },
   { "xn--lckwg.net", true },
   { "xn--love-un4c7e0d4a.com", true },
   { "xn--lsaupp-iua.se", true },
+  { "xn--lskieradio-3gb44h.pl", true },
   { "xn--lsupp-mra.net", true },
   { "xn--manuela-stsser-psb.de", true },
   { "xn--martnvillalba-zib.com", true },
@@ -41189,7 +42525,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--mgbbh2a9fub.xn--ngbc5azd", false },
   { "xn--mgbmmp7eub.com", true },
   { "xn--mgbpkc7fz3awhe.com", true },
+  { "xn--mgbuq0c.net", true },
   { "xn--mllers-wxa.info", true },
+  { "xn--mntsamling-0cb.dk", true },
   { "xn--myrepubic-wub.net", true },
   { "xn--myrepublc-x5a.net", true },
   { "xn--n8j7dygrbu0c31a5861bq8qb.com", true },
@@ -41199,7 +42537,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--nrrdetval-v2ab.se", true },
   { "xn--o38h.tk", true },
   { "xn--obt757c.com", true },
-  { "xn--oiqt18e8e2a.eu.org", true },
   { "xn--p8j9a0d9c9a.xn--q9jyb4c", true },
   { "xn--pbt947am3ab71g.com", true },
   { "xn--pe-bka.ee", true },
@@ -41207,7 +42544,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--q9jb1h5dvcspke3218b9mn4p0c.com", true },
   { "xn--q9ji3c6d.xn--q9jyb4c", true },
   { "xn--qckss0j.tk", true },
-  { "xn--qfun83b.ga", true },
   { "xn--r8jzaf7977b09e.com", true },
   { "xn--rdiger-kuhlmann-zvb.de", true },
   { "xn--reisebro-herrsching-bbc.de", true },
@@ -41219,6 +42555,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--ruanmller-u9a.com", true },
   { "xn--s-1gaa.fi", true },
   { "xn--schlerzeitung-ideenlos-ulc.de", true },
+  { "xn--schpski-c1a.de", true },
   { "xn--schsischer-christstollen-qbc.shop", true },
   { "xn--seelenwchter-mcb.eu", true },
   { "xn--spenijmazania-yhc.pl", true },
@@ -41228,7 +42565,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--t8j4aa4nyhxa7duezbl49aqg5546e264d.net", true },
   { "xn--t8j4aa4nzg3a5euoxcwee.xyz", true },
   { "xn--tigreray-i1a.org", true },
-  { "xn--trdler-xxa.xyz", true },
   { "xn--u8jwd.ga", true },
   { "xn--u9j0ia6hb7347cg8wavz0avb0e.com", true },
   { "xn--u9jv84l7ea468b.com", true },
@@ -41236,10 +42572,12 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xn--v6q426ishax2a.xyz", true },
   { "xn--woistdermlleimer-rzb.de", true },
   { "xn--wq9h.ml", true },
+  { "xn--xft85up3jca.ga", true },
   { "xn--y-5ga.com", true },
   { "xn--y8j148r.xn--q9jyb4c", true },
-  { "xn--y8ja6lb.xn--q9jyb4c", true },
   { "xn--y8jarb5hca.jp", true },
+  { "xn--yrvp1ac68c.xn--6qq986b3xl", true },
+  { "xn--z1tq4ldt4b.com", true },
   { "xn--zettlmeil-n1a.de", true },
   { "xn--zr9h.cf", true },
   { "xn--zr9h.ga", true },
@@ -41249,32 +42587,31 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xnaas.info", true },
   { "xnet-x.net", true },
   { "xninja.xyz", true },
-  { "xnode.org", true },
   { "xntrik.wtf", true },
+  { "xnu.kr", true },
   { "xo.tc", true },
   { "xo7.ovh", true },
   { "xolphin.nl", true },
   { "xombitgames.com", true },
   { "xombitmusic.com", true },
-  { "xone.cz", true },
+  { "xone.cz", false },
   { "xonn.de", true },
-  { "xoonth.net", true },
   { "xp-ochrona.pl", true },
+  { "xp.nsupdate.info", true },
   { "xp2.de", true },
   { "xpd.se", true },
+  { "xperiacode.com", true },
   { "xperidia.com", true },
   { "xpletus.nl", true },
-  { "xplore-dna.net", true },
   { "xpoc.pro", true },
   { "xposedornot.com", true },
-  { "xps2pdf.co.uk", true },
-  { "xps2pdf.info", true },
-  { "xq55.com", false },
   { "xqk7.com", true },
   { "xr.cx", true },
   { "xr1s.me", true },
   { "xrg.cz", true },
+  { "xrippedhd.com", true },
   { "xrockx.de", true },
+  { "xrptoolkit.com", true },
   { "xrwracing-france.com", true },
   { "xs2a.no", true },
   { "xs74.com", true },
@@ -41315,6 +42652,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xunn.io", true },
   { "xuntier.ch", true },
   { "xuyh0120.win", true },
+  { "xvii.pl", true },
   { "xviimusic.com", true },
   { "xvt-blog.tk", true },
   { "xwalck.se", true },
@@ -41324,9 +42662,14 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "xxiz.com", true },
   { "xxxlbox.com", true },
   { "xxxsuper.net", true },
+  { "xy6161.com", true },
+  { "xy6262.com", true },
+  { "xy6363.com", true },
+  { "xy7171.com", true },
+  { "xy7272.com", true },
+  { "xy7373.com", true },
   { "xyenon.bid", true },
   { "xyfun.net", false },
-  { "xyngular-health.com", true },
   { "xywing.com", true },
   { "xyzulu.hosting", true },
   { "xza.fr", true },
@@ -41339,6 +42682,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yacobo.com", true },
   { "yado-furu.com", true },
   { "yafuoku.ru", true },
+  { "yageys.com", true },
   { "yagihiro.tech", true },
   { "yahan.tv", true },
   { "yaharu.ru", true },
@@ -41357,17 +42701,21 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yame2.com", true },
   { "yamilafeinart.de", true },
   { "yamm.io", true },
+  { "yan.lt", true },
   { "yanaduday.com", true },
   { "yanbao.xyz", true },
   { "yandere.moe", true },
+  { "yangcs.net", true },
   { "yangjingwen.cn", true },
   { "yangmaodang.org", true },
+  { "yangmi.blog", true },
   { "yanngraf.ch", true },
   { "yanngraf.com", true },
   { "yannic.world", true },
   { "yannick.cloud", true },
   { "yannik-buerkle.de", true },
   { "yannikbloscheck.com", true },
+  { "yannis.codes", true },
   { "yanovich.net", true },
   { "yanqiyu.info", true },
   { "yans.io", true },
@@ -41375,7 +42723,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yanuwa.com", true },
   { "yapbreak.fr", true },
   { "yarcom.ru", false },
-  { "yarogneva.ru", true },
   { "yarravilletownhouses.com.au", true },
   { "yaru.one", true },
   { "yassine-ayari.com", true },
@@ -41385,14 +42732,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yatsuenpoon.com", true },
   { "yaup.tk", true },
   { "yawen.me", true },
-  { "yawnbox.com", true },
   { "yaxim.org", true },
-  { "yayart.club", true },
-  { "yazaral.com", true },
   { "ybin.me", true },
   { "ybresson.com", true },
   { "ybsul.com", true },
-  { "ybt520.com", true },
   { "ybti.net", true },
   { "ybzhao.com", true },
   { "ych.art", true },
@@ -41403,11 +42746,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ycnrg.org", true },
   { "yd.io", true },
   { "yeapdata.com", true },
-  { "yecl.net", true },
+  { "yecl.net", false },
   { "yeesker.com", true },
   { "yell.ml", true },
   { "yellotalk.co", true },
-  { "yellowfly.co.uk", true },
   { "yellowpages.ee", true },
   { "yellowtaillasvegas.com", true },
   { "yellowtree.co.za", true },
@@ -41449,8 +42791,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yenpape.com", true },
   { "yep-pro.ch", true },
   { "yephy.com", true },
-  { "yeshu.org", true },
-  { "yesiammaisey.me", true },
   { "yeskx.com", true },
   { "yeswecan.co.bw", true },
   { "yeswehack.com", true },
@@ -41463,16 +42803,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yeyi.site", true },
   { "yfengs.moe", true },
   { "ygobbs.com", true },
+  { "ygrene.com", true },
+  { "ygreneworks.com", true },
   { "yh599.cc", true },
   { "yhaupenthal.org", true },
   { "yhb.io", true },
   { "yhe.me", true },
   { "yhenke.de", true },
   { "yhfou.com", true },
+  { "yhhh.org", true },
   { "yhndnzj.com", true },
   { "yhong.me", true },
   { "yhrd.org", true },
-  { "yicknam.my", true },
+  { "yigujin.cn", true },
   { "yiheng.moe", true },
   { "yii2.cc", true },
   { "yikeyong.com", true },
@@ -41481,11 +42824,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yingatech.com", true },
   { "yinglinda.love", true },
   { "yinlei.org", true },
+  { "yisin.net", true },
   { "yiyuanzhong.com", true },
   { "yiyueread.com", true },
   { "yiz96.com", true },
   { "yjsoft.me", true },
-  { "yjsw.sh.cn", true },
   { "ykhut.com", true },
   { "yksityisyydensuoja.fi", true },
   { "ylde.de", true },
@@ -41495,14 +42838,11 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ymoah.nl", true },
   { "ymtsonline.org", true },
   { "ynnovasport.be", true },
-  { "ynxfh.cn", true },
   { "yoa.st", true },
   { "yoast.com", true },
   { "yobai-grouprec.jp", true },
-  { "yobai28.com", true },
   { "yobbelwobbel.de", false },
   { "yobify.com", true },
-  { "yocchan1513.net", true },
   { "yoga-alliance-teacher-training.com", true },
   { "yoga-bad-toelz.de", true },
   { "yoga-in-aying.de", true },
@@ -41512,6 +42852,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yogabhawnamission.com", true },
   { "yogacentric.co.uk", true },
   { "yogahealsinc.org", true },
+  { "yogamea.school", true },
   { "yogananda-roma.org", true },
   { "yogaschoolrishikesh.com", true },
   { "yoibyoin.info", true },
@@ -41519,14 +42860,17 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yoitoko.city", true },
   { "yoitsu.moe", true },
   { "yokohama-legaloffice.jp", true },
+  { "yokone3-kutikomi.com", true },
   { "yolo.jetzt", true },
   { "yolobert.de", true },
   { "yoloboatrentals.com", true },
   { "yolops.net", true },
   { "yombo.net", true },
   { "yon.co.il", true },
+  { "yongbin.org", true },
   { "yoonas.com", true },
   { "yooooex.com", true },
+  { "yoplate.com", true },
   { "yoppoy.com", true },
   { "yopuedo.co", true },
   { "yoramvandevelde.net", true },
@@ -41534,15 +42878,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yorcool.nl", true },
   { "yorkshiredalesinflatables.co.uk", true },
   { "yorkshireinflatables.co.uk", true },
+  { "yorname.ml", false },
   { "yosbeda.com", true },
   { "yosemo.de", true },
-  { "yosheenetwork.fr", true },
   { "yoshibaworks.com", true },
   { "yoshitsugu.net", true },
   { "yosida-dental.com", true },
+  { "yosida95.com", true },
   { "yospos.org", true },
   { "yoticonnections.com", true },
-  { "yotilab.com", true },
   { "yotta-zetta.com", true },
   { "yotubaiotona.net", true },
   { "you.com.br", true },
@@ -41553,9 +42897,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "youcanmakeit.at", true },
   { "youcruit.com", true },
   { "youdungoofd.com", true },
-  { "youftp.tk", true },
   { "yougee.ml", true },
-  { "yougot.pw", true },
   { "youhacked.me", true },
   { "youhavewords.com", true },
   { "youhua.ru", true },
@@ -41575,19 +42917,23 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "youpark.no", true },
   { "youpickfarms.org", true },
   { "your-erotic-stories.com", true },
+  { "your-idc.tk", true },
   { "your-out.com", true },
   { "your-waterserver.com", true },
   { "youracnepro.com", true },
   { "youran.me", true },
+  { "yourbittorrent.com", true },
+  { "yourbittorrent.host", true },
+  { "yourbittorrent.icu", true },
+  { "yourbittorrent.pw", true },
+  { "yourbittorrent2.com", true },
   { "yourbonus.click", true },
   { "yourciso.com", true },
   { "yourcomputer.expert", true },
   { "yourcopywriter.it", true },
   { "yourforex.org", true },
-  { "yourfriendlytech.com", true },
   { "yourfuntrivia.com", true },
   { "yourfuturestrategy.com.au", true },
-  { "yourgadget.ro", true },
   { "yourgames.tv", true },
   { "yourlanguages.de", true },
   { "yourmemorykeeper.co.uk", true },
@@ -41595,6 +42941,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yourskin.nl", true },
   { "yourstake.org", true },
   { "yourticketbooking.com", true },
+  { "yourtrainer.com", true },
   { "yousei.ne.jp", true },
   { "yout.com", true },
   { "youth.gov", true },
@@ -41610,13 +42957,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "ypart.eu", true },
   { "ypid.de", true },
   { "yplanapp.com", true },
+  { "ypse.com.br", true },
   { "yqjf68.com", true },
   { "yr166166.com", true },
   { "yrjanheikki.com", true },
   { "ys-shop.biz", true },
+  { "ysicing.me", true },
+  { "ysicing.net", true },
   { "ysicorp.com", true },
   { "yslbeauty.com", true },
-  { "yspeo.biz", true },
   { "ysun.xyz", true },
   { "ytec.ca", true },
   { "ytpak.pk", true },
@@ -41628,7 +42977,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yuan.ga", true },
   { "yuanben.io", true },
   { "yuanjiazhao.com", true },
-  { "yuanjiazhao.tk", true },
   { "yubi.co", true },
   { "yubicloud.io", true },
   { "yubico.ae", true },
@@ -41684,10 +43032,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yubikeyservices.eu", true },
   { "yubiking.com", true },
   { "yue.la", true },
-  { "yue2.net", true },
+  { "yuexiangzs.com", true },
   { "yugasun.com", true },
   { "yuisyo.ml", true },
-  { "yukari.cafe", false },
+  { "yukari.cafe", true },
   { "yukari.cloud", true },
   { "yuki-nagato.com", true },
   { "yuki.xyz", true },
@@ -41721,12 +43069,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "yveshield.com", true },
   { "yveslegendre.fr", true },
   { "yvesx.com", true },
-  { "yvetteerasmus.com", true },
   { "yvonnehaeusser.de", true },
   { "yvonnethomet.ch", true },
   { "yvonnewilhelmi.com", true },
-  { "yxs.me", true },
-  { "yxt521.com", true },
   { "yya.me", true },
   { "yyc.city", true },
   { "yyyy.xyz", true },
@@ -41743,7 +43088,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "z99944x.xyz", true },
   { "za.search.yahoo.com", false },
   { "zaagbaak.nl", true },
-  { "zabavno.mk", true },
   { "zabbix.tips", true },
   { "zabszk.net", true },
   { "zabukovnik.net", true },
@@ -41765,15 +43109,19 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zaclys.com", false },
   { "zafirus.name", true },
   { "zaghyr.org", true },
+  { "zagluszaczgps.pl", true },
   { "zahe.me", true },
   { "zahnaerzte-bohne.de", true },
   { "zahnarzt-duempten.de", true },
   { "zahnarzt-hofer.de", true },
   { "zahnarzt-kramer.ch", true },
   { "zahnarzt-muenich.de", true },
+  { "zahnmedizinzentrum.com", true },
   { "zajazd.biz", true },
   { "zakariya.blog", true },
   { "zakcutner.uk", true },
+  { "zakelijketaalcursus.nl", true },
+  { "zakelijkgoedengelsleren.nl", true },
   { "zakladam.cz", true },
   { "zakmccrac.de", true },
   { "zakojifarm.jp", true },
@@ -41782,7 +43130,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zakspartiesandevents.com", true },
   { "zalamea.ph", true },
   { "zaloghaz.ro", true },
-  { "zalohovaniburian.cz", true },
+  { "zaltv.com", true },
   { "zalvus.com", true },
   { "zamalektoday.com", true },
   { "zamocosmeticos.com.br", true },
@@ -41792,10 +43140,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zanellidesigns.co.uk", true },
   { "zanthra.com", true },
   { "zanzabar.it", true },
+  { "zanzo.cz", true },
   { "zapier.com", true },
   { "zapmaster14.com", true },
   { "zappbuildapps.com", false },
-  { "zappos.com", true },
   { "zarabiaj.com", true },
   { "zaratan.fr", true },
   { "zargescases.co.uk", true },
@@ -41810,9 +43158,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zawo-electric.de", true },
   { "zayna.eu", true },
   { "zbanks.cn", true },
-  { "zbetcheck.in", true },
   { "zbrane-doplnky.cz", true },
   { "zbut.bg", true },
+  { "zby.io", true },
   { "zbyga.cz", true },
   { "zbyte.it", true },
   { "zcarot.com", true },
@@ -41821,17 +43169,16 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zcon.nl", true },
   { "zcore.org", true },
   { "zcr.ca", true },
+  { "zcryp.to", true },
   { "zdbl.de", true },
   { "zdenekspacek.cz", true },
   { "zdorovayasimya.com", true },
   { "zdrave-konzultace.cz", true },
   { "zdravekonzultace.cz", true },
-  { "zdravesteny.cz", true },
   { "zdravystul.cz", true },
   { "zdrojak.cz", true },
   { "zdymak.by", true },
   { "ze3kr.com", true },
-  { "zeal-and.jp", true },
   { "zeal-interior.com", true },
   { "zealworks.jp", true },
   { "zebbra.ro", true },
@@ -41840,15 +43187,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zeds-official.com", true },
   { "zeebrieshoekvanholland.nl", true },
   { "zeel.com", true },
-  { "zeelynk.com", true },
   { "zeestraten.nl", true },
   { "zeetoppers.nl", true },
   { "zeeuw.nl", true },
   { "zeguigui.com", true },
+  { "zehkae.net", true },
   { "zeibekiko-souvlaki.gr", true },
+  { "zeidlertechnik.de", true },
   { "zeilenmethans.nl", true },
   { "zeilles.nu", true },
-  { "zeitoununiversity.org", true },
   { "zeitpunkt-kulturmagazin.de", true },
   { "zekesnider.com", true },
   { "zekinteractive.com", true },
@@ -41865,15 +43212,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zenithmedia.ca", true },
   { "zenk-security.com", true },
   { "zenlogic.com", true },
-  { "zenmate.com.tr", true },
+  { "zenluxuryliving.com", true },
   { "zennzimie.be", true },
   { "zennzimie.com", true },
   { "zenofa.co.id", true },
-  { "zenram.com", true },
   { "zentask.io", true },
   { "zenti.cloud", true },
   { "zenvideocloud.com", true },
-  { "zeparadox.com", true },
+  { "zenvite.com", true },
+  { "zenycosta.com", true },
   { "zephyrbk.com", true },
   { "zephyrbookkeeping.com", true },
   { "zephyretcoraline.com", true },
@@ -41892,7 +43239,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zerosync.com", true },
   { "zerotoone.de", true },
   { "zerowastesavvy.com", true },
-  { "zertif.info", true },
   { "zertitude.com", true },
   { "zeryn.net", true },
   { "zespia.tw", false },
@@ -41915,16 +43261,20 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zhangge.net", true },
   { "zhanghao.me", true },
   { "zhangheda.cf", true },
+  { "zhangshuqiao.org", true },
   { "zhangsidan.com", true },
+  { "zhangwendao.com", true },
   { "zhangyuhao.com", true },
   { "zhangzifan.com", false },
+  { "zhaoeq.com", true },
   { "zhaofeng.li", true },
   { "zhaopage.com", true },
   { "zhaoxixiangban.cc", true },
   { "zhcexo.com", true },
+  { "zhdd.pl", true },
   { "zhen-chen.com", true },
   { "zhengjie.com", true },
-  { "zhenyan.org", true },
+  { "zhenic.ir", true },
   { "zhi.ci", true },
   { "zhiku8.com", true },
   { "zhima.io", true },
@@ -41932,13 +43282,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zhl123.com", true },
   { "zhome.info", true },
   { "zhongzicili.ws", true },
+  { "zhost.io", true },
+  { "zhouba.cz", true },
   { "zhoushuo.me", false },
   { "zhoutiancai.cn", true },
   { "zhovner.com", true },
   { "zhthings.com", true },
   { "zhuihoude.com", true },
+  { "zhuji.com", true },
   { "zi.is", true },
-  { "ziegler-family.com", true },
   { "ziegler-heizung-frankfurt.de", true },
   { "zielonakarta.com", true },
   { "ziemlich-zackig.de", true },
@@ -41948,6 +43300,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zigottos.fr", true },
   { "zigzagmart.com", true },
   { "zihao.me", false },
+  { "zii.bz", true },
   { "zijung.me", true },
   { "zikinf.com", true },
   { "ziktime.com", true },
@@ -41956,6 +43309,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zilore.com", true },
   { "zilsen.com", true },
   { "zima.io", true },
+  { "zimaoxy.com", true },
   { "zimiao.moe", true },
   { "zimmer-voss.de", true },
   { "zingarastore.com", true },
@@ -41969,14 +43323,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zionsvillelocksmiths.com", true },
   { "zip.ch", true },
   { "zipkey.de", true },
-  { "ziptie.com", true },
   { "zircode.com", true },
   { "zirka24.net", true },
   { "ziroh.be", true },
+  { "zirrka.de", true },
   { "zirtek.ie", true },
   { "zirtual.com", true },
   { "zitseng.com", true },
   { "zittingskalender.be", true },
+  { "zivagold.com", true },
   { "zivava.ge", true },
   { "zivmergers.com", true },
   { "zivver.be", true },
@@ -41988,17 +43343,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zivver.uk", true },
   { "zivyruzenec.cz", true },
   { "zixiao.wang", true },
-  { "zjuqsc.com", true },
+  { "zizcollections.com", true },
+  { "zjateaucafe.be", true },
   { "zjv.me", true },
-  { "zjyifa.cn", true },
   { "zk.com.co", true },
   { "zk.gd", true },
   { "zk9.nl", true },
   { "zkontrolujsiauto.cz", true },
   { "zkrypt.cc", true },
   { "zkzone.net", true },
-  { "zl0iu.com", true },
-  { "zl8862.com", true },
   { "zlatakus.cz", true },
   { "zlatosnadno.cz", true },
   { "zlaty-tyden.cz", true },
@@ -42006,7 +43359,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zlavomat.sk", true },
   { "zlima12.com", true },
   { "zlypi.com", true },
-  { "zmala.com", true },
   { "zmarta.de", true },
   { "zmarta.dk", true },
   { "zmarta.fi", true },
@@ -42018,11 +43370,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zmartagroup.no", true },
   { "zmartagroup.se", true },
   { "znation.nl", true },
+  { "znhglobalresources.com", true },
   { "zny.pw", true },
   { "zoarcampsite.uk", true },
   { "zobraz.cz", true },
   { "zobworks.com", true },
   { "zoccarato.ovh", true },
+  { "zochowskiplasticsurgery.com", true },
   { "zockenbiszumumfallen.de", true },
   { "zodgame.us", true },
   { "zodiacohouses.com", true },
@@ -42034,9 +43388,9 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zojadravai.com", true },
   { "zoki.art", true },
   { "zollihood.ch", true },
-  { "zolokar.xyz", true },
   { "zom.bi", true },
   { "zomerschoen.nl", true },
+  { "zomiac.pp.ua", true },
   { "zonadigital.co", true },
   { "zone-produkte.de", false },
   { "zone39.com", true },
@@ -42053,10 +43407,10 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zook.systems", true },
   { "zoola.io", true },
   { "zoolaboo.de", true },
+  { "zoological-gardens.eu", true },
   { "zoom.earth", true },
   { "zoomcar.pro", true },
   { "zoomek.com", true },
-  { "zoomseoservices.com", false },
   { "zooom.azurewebsites.net", true },
   { "zooom2.azurewebsites.net", true },
   { "zoop.ml", true },
@@ -42070,7 +43424,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zor.com", true },
   { "zorasvobodova.cz", true },
   { "zorgclustertool.nl", true },
-  { "zorig.ch", false },
+  { "zorig.ch", true },
   { "zorium.org", true },
   { "zorntt.fr", true },
   { "zotero.org", true },
@@ -42079,11 +43433,15 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zozo.com", true },
   { "zozzle.co.uk", true },
   { "zp25.ninja", true },
-  { "zqstudio.top", true },
+  { "zqwqz.com", true },
+  { "zr.is", true },
   { "zravypapir.cz", true },
+  { "zrhdwz.cn", true },
+  { "zrkr.de", true },
   { "zrniecka-pre-sny.sk", true },
   { "zrnieckapresny.sk", true },
-  { "zrt.io", true },
+  { "zrt.io", false },
+  { "zry-blog.top", true },
   { "zs-ohradni.cz", true },
   { "zs-reporyje.cz", true },
   { "zscales.com", false },
@@ -42091,10 +43449,13 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zskomenskeho.cz", true },
   { "zskomenskeho.eu", true },
   { "zsoltsandor.me", true },
+  { "zsq.im", true },
   { "zsrbcs.com", true },
   { "zten.org", true },
   { "ztjuh.tk", true },
   { "zubel.it", false },
+  { "zubr.net", true },
+  { "zubro.net", true },
   { "zuefle.net", true },
   { "zug-anwalt.de", true },
   { "zug.fr", true },
@@ -42121,7 +43482,6 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zuzumba.es", true },
   { "zvps.uk", true },
   { "zvxr.net", true },
-  { "zwalcz-cellulit.com", true },
   { "zwartendijkstalling.nl", true },
   { "zwb3.de", true },
   { "zwerimex.com", true },
@@ -42131,6 +43491,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zwy.ch", true },
   { "zx6rninja.de", true },
   { "zx7r.de", true },
+  { "zxc.science", false },
   { "zxe.com.br", true },
   { "zxtcode.com", true },
   { "zy.md", true },
@@ -42139,7 +43500,7 @@ static const nsSTSPreload kSTSPreloadList[] = {
   { "zyciedogorynogami.pl", true },
   { "zydronium.com", true },
   { "zydronium.nl", true },
-  { "zyger.co.za", true },
+  { "zygozoon.com", true },
   { "zylai.com", true },
   { "zymmm.com", true },
   { "zypern-firma.com", true },
diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
deleted file mode 100644
index a004fa449d..0000000000
--- a/security/nss/TAG-INFO
+++ /dev/null
@@ -1 +0,0 @@
-NSS_3_38_RTM
diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
index e69de29bb2..fa6e674121 100644
--- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
@@ -0,0 +1,18 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2203:1 has some indirect sub-type changes:
+    parameter 2 of type 'typedef SECOidTag' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        4 enumerator insertions:
+          '__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
+
+
+
diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
index efc7d6d677..971365c685 100644
--- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
@@ -1,4 +1,18 @@
 
-1 Added function:
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2217:1 has some indirect sub-type changes:
+    parameter 1 of type 'typedef SECOidTag' has sub-type changes:
+      underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+        type size hasn't changed
+        4 enumerator insertions:
+          '__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
+          '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
+          '__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
+
+        1 enumerator change:
+          '__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
+
+
 
-  'function SECStatus SECITEM_MakeItem(PLArenaPool*, SECItem*, unsigned char*, unsigned int)'    {SECITEM_MakeItem@@NSSUTIL_3.38}
diff --git a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
index e69de29bb2..f4870feec6 100644
--- a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
@@ -0,0 +1,48 @@
+
+1 function with some indirect sub-type change:
+
+  [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:363:1 has some indirect sub-type changes:
+    parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
+      in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
+        underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
+          type size hasn't changed
+          1 data member changes (2 filtered):
+           type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
+             underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
+               type size hasn't changed
+               1 data member changes (3 filtered):
+                type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed:
+                  in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1:
+                    underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:463:1 changed:
+                      type size hasn't changed
+                      1 data member changes (1 filtered):
+                       type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed:
+                         in pointed to type 'NSSCMSAttribute*':
+                           in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1:
+                             underlying type 'struct NSSCMSAttributeStr' at cmst.h:482:1 changed:
+                               type size hasn't changed
+                               1 data member change:
+                                type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed:
+                                  in pointed to type 'typedef SECOidData' at secoidt.h:16:1:
+                                    underlying type 'struct SECOidDataStr' at secoidt.h:513:1 changed:
+                                      type size hasn't changed
+                                      1 data member change:
+                                       type of 'SECOidTag SECOidDataStr::offset' changed:
+                                         underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+                                           type size hasn't changed
+                                           4 enumerator insertions:
+                                             '__anonymous_enum__::SEC_OID_X509_ANY_EXT_KEY_USAGE' value '357'
+                                             '__anonymous_enum__::SEC_OID_EXT_KEY_USAGE_IPSEC_IKE' value '358'
+                                             '__anonymous_enum__::SEC_OID_IPSEC_IKE_END' value '359'
+                                             '__anonymous_enum__::SEC_OID_IPSEC_IKE_INTERMEDIATE' value '360'
+
+                                           1 enumerator change:
+                                             '__anonymous_enum__::SEC_OID_TOTAL' from value '357' to '361' at secoidt.h:34:1
+
+
+
+
+
+
+
+
diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release
index c52061e7e2..13a0361e35 100644
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@@ -1 +1 @@
-NSS_3_37_BRANCH
+NSS_3_40_BRANCH
diff --git a/security/nss/automation/clang-format/Dockerfile b/security/nss/automation/clang-format/Dockerfile
index 163c9b8fa5..e74dac09fe 100644
--- a/security/nss/automation/clang-format/Dockerfile
+++ b/security/nss/automation/clang-format/Dockerfile
@@ -1,26 +1,35 @@
-FROM ubuntu:16.04
-MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
+# Minimal image with clang-format 3.9.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    clang-format-3.9 \
+    locales \
+    mercurial \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
+RUN update-alternatives --install /usr/bin/clang-format \
+    clang-format $(which clang-format-3.9) 10
 
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# Entrypoint.
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+USER $USER
+
+# Entrypoint - which only works if /home/worker/nss is mounted.
 ENTRYPOINT ["/home/worker/nss/automation/clang-format/run_clang_format.sh"]
diff --git a/security/nss/automation/clang-format/setup.sh b/security/nss/automation/clang-format/setup.sh
deleted file mode 100644
index beac9e9051..0000000000
--- a/security/nss/automation/clang-format/setup.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Install packages.
-apt_packages=()
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('xz-utils')
-apt_packages+=('mercurial')
-apt_packages+=('git')
-apt_packages+=('locales')
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# Download clang.
-curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -o clang.tar.xz
-curl -L https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -o clang.tar.xz.sig
-# Verify the signature.
-gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
-gpg --verify clang.tar.xz.sig
-# Install into /usr/local/.
-tar xJvf *.tar.xz -C /usr/local --strip-components=1
-
-# Cleanup.
-function cleanup() {
-  rm -f clang.tar.xz clang.tar.xz.sig
-}
-trap cleanup ERR EXIT
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-
-# We're done. Remove this script.
-rm $0
diff --git a/security/nss/automation/release/nspr-version.txt b/security/nss/automation/release/nspr-version.txt
index 701680d2c8..102def16d9 100644
--- a/security/nss/automation/release/nspr-version.txt
+++ b/security/nss/automation/release/nspr-version.txt
@@ -1,4 +1,4 @@
-4.19
+4.20
 
 # The first line of this file must contain the human readable NSPR
 # version number, which is the minimum required version of NSPR
diff --git a/security/nss/automation/taskcluster/docker-aarch64/Dockerfile b/security/nss/automation/taskcluster/docker-aarch64/Dockerfile
index 2d7ade3578..aca173cd00 100644
--- a/security/nss/automation/taskcluster/docker-aarch64/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-aarch64/Dockerfile
@@ -20,7 +20,6 @@ ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
 ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 ENV HOST localhost
diff --git a/security/nss/automation/taskcluster/docker-arm/Dockerfile b/security/nss/automation/taskcluster/docker-arm/Dockerfile
index 9a7e50201e..5b8cfca208 100644
--- a/security/nss/automation/taskcluster/docker-arm/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-arm/Dockerfile
@@ -17,7 +17,6 @@ ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
 ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
 ENV LANG en_US.UTF-8
 ENV LC_ALL en_US.UTF-8
 ENV HOST localhost
diff --git a/security/nss/automation/taskcluster/docker-builds/Dockerfile b/security/nss/automation/taskcluster/docker-builds/Dockerfile
new file mode 100644
index 0000000000..9f0bb2034e
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-builds/Dockerfile
@@ -0,0 +1,75 @@
+# Dockerfile for building extra builds.  This includes more tools than the
+# default image, so it's a fair bit bigger.  Only use this for builds where
+# the smaller docker image is missing something.  These builds will run on
+# the leaner configuration.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang-4.0 \
+    clang \
+    cmake \
+    curl \
+    g++-4.8-multilib \
+    g++-5-multilib \
+    g++-6-multilib \
+    g++-multilib \
+    git \
+    gyp \
+    libelf-dev \
+    libdw-dev \
+    libssl-dev \
+    libssl-dev:i386 \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    valgrind \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+# Latest version of abigail-tools
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends automake libtool libxml2-dev \
+ && git clone git://sourceware.org/git/libabigail.git /tmp/libabigail \
+ && cd /tmp/libabigail \
+ && autoreconf -fi \
+ && ./configure --prefix=/usr --disable-static --disable-apidoc --disable-manual \
+ && make && make install \
+ && rm -rf /tmp/libabigail \
+ && apt-get remove -y automake libtool libxml2-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/bin/checkout.sh b/security/nss/automation/taskcluster/docker-builds/bin/checkout.sh
index 9167f6bda6..9167f6bda6 100644
--- a/security/nss/automation/taskcluster/docker-clang-3.9/bin/checkout.sh
+++ b/security/nss/automation/taskcluster/docker-builds/bin/checkout.sh
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile b/security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile
deleted file mode 100644
index 473ce64ba3..0000000000
--- a/security/nss/automation/taskcluster/docker-clang-3.9/Dockerfile
+++ /dev/null
@@ -1,30 +0,0 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
-
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
-
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
-ENV SHELL /bin/bash
-ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
-ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
-ENV HOST localhost
-ENV DOMSUF localdomain
-
-# Set a default command for debugging.
-CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh b/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
deleted file mode 100644
index 3076667a6e..0000000000
--- a/security/nss/automation/taskcluster/docker-clang-3.9/setup.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need this to add keys for PPAs below.
-apt-get install -y --no-install-recommends apt-utils
-
-apt_packages=()
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('locales')
-apt_packages+=('xz-utils')
-
-# Latest Mercurial.
-apt_packages+=('mercurial')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# Download clang.
-curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
-curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
-# Verify the signature.
-gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
-gpg --verify *.tar.xz.sig
-# Install into /usr/local/.
-tar xJvf *.tar.xz -C /usr/local --strip-components=1
-# Cleanup.
-rm *.tar.xz*
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/docker-clang-format/Dockerfile b/security/nss/automation/taskcluster/docker-clang-format/Dockerfile
new file mode 100644
index 0000000000..c9f8b8b0e9
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-clang-format/Dockerfile
@@ -0,0 +1,38 @@
+# Minimal image with clang-format 3.9.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    clang-format-3.9 \
+    locales \
+    mercurial \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+RUN update-alternatives --install /usr/bin/clang-format \
+    clang-format $(which clang-format-3.9) 10
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh b/security/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh
new file mode 100644
index 0000000000..9167f6bda6
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1
diff --git a/security/nss/automation/taskcluster/docker-decision/Dockerfile b/security/nss/automation/taskcluster/docker-decision/Dockerfile
index 473ce64ba3..e0a31641e5 100644
--- a/security/nss/automation/taskcluster/docker-decision/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-decision/Dockerfile
@@ -1,30 +1,37 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+# Minimal image for running the decision task.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    locales \
+    mercurial \
+    nodejs \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-decision/setup.sh b/security/nss/automation/taskcluster/docker-decision/setup.sh
deleted file mode 100644
index 51938529c5..0000000000
--- a/security/nss/automation/taskcluster/docker-decision/setup.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need those to install newer packages below.
-apt-get install -y --no-install-recommends apt-utils curl ca-certificates locales
-
-# Latest Mercurial.
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# Install packages.
-apt-get -y update && apt-get install -y --no-install-recommends mercurial
-
-# Latest Node.JS.
-curl -sL https://deb.nodesource.com/setup_6.x | bash -
-apt-get install -y --no-install-recommends nodejs
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/docker-fuzz/Dockerfile b/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
index 254f166c86..24f9399468 100644
--- a/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-fuzz/Dockerfile
@@ -1,33 +1,59 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+# Dockerfile for running fuzzing tests.
+#
+# Note that when running this, you need to add `--cap-add SYS_PTRACE` to the
+# docker invocation or ASAN won't work.
+# On taskcluster use `features: ["allowPtrace"]`.
+# See https://github.com/google/sanitizers/issues/764#issuecomment-276700920
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang \
+    clang-tools \
+    curl \
+    g++-multilib \
+    git \
+    gyp \
+    libssl-dev \
+    libssl-dev:i386 \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    valgrind \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# LLVM 4.0
-ENV PATH "${PATH}:/home/worker/third_party/llvm-build/Release+Asserts/bin/"
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+# Change user.
+USER $USER
 
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-fuzz/setup.sh b/security/nss/automation/taskcluster/docker-fuzz/setup.sh
deleted file mode 100644
index fcb72346e9..0000000000
--- a/security/nss/automation/taskcluster/docker-fuzz/setup.sh
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need this to add keys for PPAs below.
-apt-get install -y --no-install-recommends apt-utils
-
-apt_packages=()
-apt_packages+=('build-essential')
-apt_packages+=('ca-certificates')
-apt_packages+=('curl')
-apt_packages+=('git')
-apt_packages+=('gyp')
-apt_packages+=('libssl-dev')
-apt_packages+=('libxml2-utils')
-apt_packages+=('locales')
-apt_packages+=('ninja-build')
-apt_packages+=('pkg-config')
-apt_packages+=('zlib1g-dev')
-
-# 32-bit builds
-apt_packages+=('gcc-multilib')
-apt_packages+=('g++-multilib')
-
-# Latest Mercurial.
-apt_packages+=('mercurial')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# 32-bit builds
-dpkg --add-architecture i386
-apt-get -y update
-apt-get install -y --no-install-recommends libssl-dev:i386
-
-# Install LLVM/clang-4.0.
-mkdir clang-tmp
-git clone -n --depth 1 https://chromium.googlesource.com/chromium/src/tools/clang clang-tmp/clang
-git -C clang-tmp/clang checkout HEAD scripts/update.py
-clang-tmp/clang/scripts/update.py
-rm -fr clang-tmp
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile b/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile
new file mode 100644
index 0000000000..f5fd3cfd52
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile
@@ -0,0 +1,73 @@
+# Dockerfile for running fuzzing tests on linux32.
+#
+# This is a temporary workaround for bugs in clang that make it incompatible
+# with Ubuntu 18.04 (see bug 1488148). This image can be removed once a new
+# release of LLVM includes the necessary fixes.
+
+FROM ubuntu:16.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    curl \
+    g++-multilib \
+    git \
+    gyp \
+    libssl-dev \
+    libssl-dev:i386 \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    software-properties-common \
+    valgrind \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+# Install clang and tools from the LLVM PPA.
+RUN curl -sf https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - \
+ && apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-6.0 main" \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+    clang-6.0 \
+    clang-tools-6.0 \
+    llvm-6.0-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+# Alias all the clang commands.
+RUN for i in $(dpkg -L clang-6.0 clang-tools-6.0 | grep '^/usr/bin/' | xargs -i basename {} -6.0); do \
+      update-alternatives --install "/usr/bin/$i" "$i" "/usr/bin/${i}-6.0" 10; \
+    done
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+# Change user.
+USER $USER
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-fuzz32/bin/checkout.sh b/security/nss/automation/taskcluster/docker-fuzz32/bin/checkout.sh
new file mode 100644
index 0000000000..9167f6bda6
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-fuzz32/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1
diff --git a/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile b/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile
index 3330c007fe..69538322a8 100644
--- a/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile
@@ -1,30 +1,39 @@
 FROM ubuntu:14.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    g++-4.4 \
+    gcc-4.4 \
+    locales \
+    make \
+    mercurial \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Change user.
-USER worker
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-gcc-4.4/setup.sh b/security/nss/automation/taskcluster/docker-gcc-4.4/setup.sh
deleted file mode 100644
index f6325d966c..0000000000
--- a/security/nss/automation/taskcluster/docker-gcc-4.4/setup.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-apt_packages=()
-apt_packages+=('ca-certificates')
-apt_packages+=('g++-4.4')
-apt_packages+=('gcc-4.4')
-apt_packages+=('locales')
-apt_packages+=('make')
-apt_packages+=('mercurial')
-apt_packages+=('zlib1g-dev')
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/docker-interop/Dockerfile b/security/nss/automation/taskcluster/docker-interop/Dockerfile
new file mode 100644
index 0000000000..fb4e15d931
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-interop/Dockerfile
@@ -0,0 +1,56 @@
+# Dockerfile for running interop tests.
+# This includes Rust, golang, and nodejs.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
+
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang \
+    cmake \
+    curl \
+    g++-multilib \
+    git \
+    golang \
+    gyp \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    npm \
+    pkg-config \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
+
+ENV SHELL /bin/bash
+ENV USER worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
+ENV LANG en_US.UTF-8
+ENV LC_ALL $LANG
+ENV HOST localhost
+ENV DOMSUF localdomain
+
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
+
+# Install Rust stable as $USER.
+RUN curl https://sh.rustup.rs -sSf | sh -s -- -y
+
+# Set a default command for debugging.
+CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker-interop/bin/checkout.sh b/security/nss/automation/taskcluster/docker-interop/bin/checkout.sh
new file mode 100644
index 0000000000..9167f6bda6
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-interop/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1
diff --git a/security/nss/automation/taskcluster/docker/Dockerfile b/security/nss/automation/taskcluster/docker/Dockerfile
index b3c2516baa..6df17c5e1d 100644
--- a/security/nss/automation/taskcluster/docker/Dockerfile
+++ b/security/nss/automation/taskcluster/docker/Dockerfile
@@ -1,30 +1,49 @@
-FROM ubuntu:16.04
-MAINTAINER Tim Taubert <ttaubert@mozilla.com>
+# Lean image for running the bulk of the NSS CI tests on taskcluster.
+FROM ubuntu:18.04
+LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
-WORKDIR /home/worker
+RUN dpkg --add-architecture i386
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    clang \
+    curl \
+    g++-multilib \
+    git \
+    gyp \
+    libxml2-utils \
+    lib32z1-dev \
+    linux-libc-dev:i386 \
+    llvm-dev \
+    locales \
+    mercurial \
+    ninja-build \
+    pkg-config \
+    zlib1g-dev \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get autoremove -y && apt-get clean -y
 
-# Add build and test scripts.
-ADD bin /home/worker/bin
-RUN chmod +x /home/worker/bin/*
-
-# Install dependencies.
-ADD setup.sh /tmp/setup.sh
-RUN bash /tmp/setup.sh
-
-# Env variables.
-ENV HOME /home/worker
 ENV SHELL /bin/bash
 ENV USER worker
-ENV LOGNAME worker
-ENV HOSTNAME taskcluster-worker
+ENV LOGNAME $USER
+ENV HOME /home/$USER
 ENV LANG en_US.UTF-8
-ENV LC_ALL en_US.UTF-8
+ENV LC_ALL $LANG
 ENV HOST localhost
 ENV DOMSUF localdomain
 
-# Rust + Go
-ENV PATH "${PATH}:/home/worker/.cargo/bin/:/usr/lib/go-1.6/bin"
+RUN locale-gen $LANG \
+ && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
+
+RUN useradd -d $HOME -s $SHELL -m $USER
+WORKDIR $HOME
+
+# Add build and test scripts.
+ADD bin $HOME/bin
+RUN chmod +x $HOME/bin/*
+
+USER $USER
 
 # Set a default command for debugging.
 CMD ["/bin/bash", "--login"]
diff --git a/security/nss/automation/taskcluster/docker/setup.sh b/security/nss/automation/taskcluster/docker/setup.sh
deleted file mode 100644
index 7b90b2e69c..0000000000
--- a/security/nss/automation/taskcluster/docker/setup.sh
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-# Update packages.
-export DEBIAN_FRONTEND=noninteractive
-apt-get -y update && apt-get -y upgrade
-
-# Need this to add keys for PPAs below.
-apt-get install -y --no-install-recommends apt-utils
-
-apt_packages=()
-apt_packages+=('build-essential')
-apt_packages+=('ca-certificates')
-apt_packages+=('clang-5.0')
-apt_packages+=('curl')
-apt_packages+=('npm')
-apt_packages+=('git')
-apt_packages+=('golang-1.6')
-apt_packages+=('libxml2-utils')
-apt_packages+=('locales')
-apt_packages+=('ninja-build')
-apt_packages+=('pkg-config')
-apt_packages+=('zlib1g-dev')
-
-# 32-bit builds
-apt_packages+=('lib32z1-dev')
-apt_packages+=('gcc-multilib')
-apt_packages+=('g++-multilib')
-
-# ct-verif and sanitizers
-apt_packages+=('valgrind')
-
-# Latest Mercurial.
-apt_packages+=('mercurial')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
-echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" > /etc/apt/sources.list.d/mercurial.list
-
-# gcc 4.8 and 6
-apt_packages+=('g++-6')
-apt_packages+=('g++-4.8')
-apt_packages+=('g++-6-multilib')
-apt_packages+=('g++-4.8-multilib')
-apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 60C317803A41BA51845E371A1E9377A2BA9EF27F
-echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu xenial main" > /etc/apt/sources.list.d/toolchain.list
-
-# Install packages.
-apt-get -y update
-apt-get install -y --no-install-recommends ${apt_packages[@]}
-
-# Latest version of abigail-tools
-apt-get install -y libxml2-dev autoconf libelf-dev libdw-dev libtool
-git clone git://sourceware.org/git/libabigail.git
-cd ./libabigail
-autoreconf -fi
-./configure --prefix=/usr --disable-static --disable-apidoc --disable-manual
-make
-make install
-cd ..
-apt-get remove -y libxml2-dev autoconf libtool
-rm -rf libabigail
-
-# Install latest Rust (stable).
-su worker -c "curl https://sh.rustup.rs -sSf | sh -s -- -y"
-
-locale-gen en_US.UTF-8
-dpkg-reconfigure locales
-
-# Cleanup.
-rm -rf ~/.ccache ~/.cache
-apt-get autoremove -y
-apt-get clean
-apt-get autoclean
-rm $0
diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js
index 5305325c52..1302602bcd 100644
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -10,9 +10,19 @@ const LINUX_IMAGE = {
   path: "automation/taskcluster/docker"
 };
 
-const LINUX_CLANG39_IMAGE = {
-  name: "linux-clang-3.9",
-  path: "automation/taskcluster/docker-clang-3.9"
+const LINUX_BUILDS_IMAGE = {
+  name: "linux-builds",
+  path: "automation/taskcluster/docker-builds"
+};
+
+const LINUX_INTEROP_IMAGE = {
+  name: "linux-interop",
+  path: "automation/taskcluster/docker-interop"
+};
+
+const CLANG_FORMAT_IMAGE = {
+  name: "clang-format",
+  path: "automation/taskcluster/docker-clang-format"
 };
 
 const LINUX_GCC44_IMAGE = {
@@ -25,6 +35,12 @@ const FUZZ_IMAGE = {
   path: "automation/taskcluster/docker-fuzz"
 };
 
+// Bug 1488148 - temporary image for fuzzing 32-bit builds.
+const FUZZ_IMAGE_32 = {
+  name: "fuzz32",
+  path: "automation/taskcluster/docker-fuzz32"
+};
+
 const HACL_GEN_IMAGE = {
   name: "hacl",
   path: "automation/taskcluster/docker-hacl"
@@ -59,7 +75,7 @@ queue.filter(task => {
     }
   }
 
-  if (task.tests == "bogo" || task.tests == "interop") {
+  if (task.tests == "bogo" || task.tests == "interop" || task.tests == "tlsfuzzer") {
     // No windows
     if (task.platform == "windows2012-64" ||
         task.platform == "windows2012-32") {
@@ -89,7 +105,9 @@ queue.filter(task => {
 
   if (task.group == "Test") {
     // Don't run test builds on old make platforms, and not for fips gyp.
-    if (task.collection == "make" || task.collection == "fips") {
+    // Disable on aarch64, see bug 1488331.
+    if (task.collection == "make" || task.collection == "fips"
+        || task.platform == "aarch64") {
       return false;
     }
   }
@@ -134,13 +152,13 @@ export default async function main() {
   await scheduleLinux("Linux 32 (opt)", {
     platform: "linux32",
     image: LINUX_IMAGE
-  }, "-m32 --opt");
+  }, "-t ia32 --opt");
 
   await scheduleLinux("Linux 32 (debug)", {
     platform: "linux32",
     collection: "debug",
     image: LINUX_IMAGE
-  }, "-m32");
+  }, "-t ia32");
 
   await scheduleLinux("Linux 64 (opt)", {
     platform: "linux64",
@@ -193,8 +211,8 @@ export default async function main() {
       UBSAN_OPTIONS: "print_stacktrace=1",
       NSS_DISABLE_ARENA_FREE_LIST: "1",
       NSS_DISABLE_UNLOAD: "1",
-      CC: "clang-5.0",
-      CCC: "clang++-5.0",
+      CC: "clang",
+      CCC: "clang++",
     },
     platform: "linux64",
     collection: "asan",
@@ -230,12 +248,12 @@ export default async function main() {
 
   await scheduleWindows("Windows 2012 32 (opt)", {
     platform: "windows2012-32",
-  }, "build_gyp.sh --opt -m32");
+  }, "build_gyp.sh --opt -t ia32");
 
   await scheduleWindows("Windows 2012 32 (debug)", {
     platform: "windows2012-32",
     collection: "debug"
-  }, "build_gyp.sh -m32");
+  }, "build_gyp.sh -t ia32");
 
   await scheduleFuzzing();
   await scheduleFuzzing32();
@@ -251,29 +269,29 @@ export default async function main() {
   };
 
   await scheduleLinux("Linux AArch64 (debug)",
-    merge({
+    merge(aarch64_base, {
       command: [
         "/bin/bash",
         "-c",
         "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh"
       ],
       collection: "debug",
-    }, aarch64_base)
+    })
   );
 
   await scheduleLinux("Linux AArch64 (opt)",
-    merge({
+    merge(aarch64_base, {
       command: [
         "/bin/bash",
         "-c",
         "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --opt"
       ],
       collection: "opt",
-    }, aarch64_base)
+    })
   );
 
   await scheduleLinux("Linux AArch64 (debug, make)",
-    merge({
+    merge(aarch64_base, {
       env: {USE_64: "1"},
       command: [
          "/bin/bash",
@@ -281,7 +299,7 @@ export default async function main() {
          "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh"
       ],
       collection: "make",
-    }, aarch64_base)
+    })
   );
 
   await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt");
@@ -303,7 +321,7 @@ async function scheduleMac(name, base, args = "") {
   });
 
   // Build base definition.
-  let build_base = merge({
+  let build_base = merge(mac_base, {
     command: [
       MAC_CHECKOUT_CMD,
       ["bash", "-c",
@@ -320,7 +338,7 @@ async function scheduleMac(name, base, args = "") {
     }],
     kind: "build",
     symbol: "B"
-  }, mac_base);
+  });
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(merge(build_base, {name}));
@@ -351,14 +369,18 @@ async function scheduleMac(name, base, args = "") {
 
 /*****************************************************************************/
 
-async function scheduleLinux(name, base, args = "") {
-  // Build base definition.
-  let build_base = merge({
+async function scheduleLinux(name, overrides, args = "") {
+  // Construct a base definition.  This takes |overrides| second because
+  // callers expect to be able to overwrite the |command| key.
+  let base = merge({
     command: [
       "/bin/bash",
       "-c",
       "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh " + args
     ],
+  }, overrides);
+  // The base for building.
+  let build_base = merge(base, {
     artifacts: {
       public: {
         expires: 24 * 7,
@@ -367,8 +389,8 @@ async function scheduleLinux(name, base, args = "") {
       }
     },
     kind: "build",
-    symbol: "B"
-  }, base);
+    symbol: "B",
+  });
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(merge(build_base, {name}));
@@ -434,14 +456,17 @@ async function scheduleLinux(name, base, args = "") {
   }));
 
   // Extra builds.
-  let extra_base = merge({group: "Builds"}, build_base);
+  let extra_base = merge(build_base, {
+    group: "Builds",
+    image: LINUX_BUILDS_IMAGE,
+  });
   queue.scheduleTask(merge(extra_base, {
-    name: `${name} w/ clang-5.0`,
+    name: `${name} w/ clang-4`,
     env: {
-      CC: "clang-5.0",
-      CCC: "clang++-5.0",
+      CC: "clang-4.0",
+      CCC: "clang++-4.0",
     },
-    symbol: "clang-5.0"
+    symbol: "clang-4"
   }));
 
   queue.scheduleTask(merge(extra_base, {
@@ -474,16 +499,26 @@ async function scheduleLinux(name, base, args = "") {
   }));
 
   queue.scheduleTask(merge(extra_base, {
-    name: `${name} w/ gcc-6.1`,
+    name: `${name} w/ gcc-5`,
+    env: {
+      CC: "gcc-5",
+      CCC: "g++-5"
+    },
+    symbol: "gcc-5"
+  }));
+
+  queue.scheduleTask(merge(extra_base, {
+    name: `${name} w/ gcc-6`,
     env: {
       CC: "gcc-6",
       CCC: "g++-6"
     },
-    symbol: "gcc-6.1"
+    symbol: "gcc-6"
   }));
 
   queue.scheduleTask(merge(extra_base, {
     name: `${name} w/ modular builds`,
+    image: LINUX_IMAGE,
     env: {NSS_BUILD_MODULAR: "1"},
     command: [
       "/bin/bash",
@@ -493,7 +528,7 @@ async function scheduleLinux(name, base, args = "") {
     symbol: "modular"
   }));
 
-  await scheduleTestBuilds(merge(base, {group: "Test"}), args);
+  await scheduleTestBuilds(name + " Test", merge(base, {group: "Test"}), args);
 
   return queue.submit();
 }
@@ -534,7 +569,7 @@ async function scheduleFuzzing() {
   };
 
   // Build base definition.
-  let build_base = merge({
+  let build_base = merge(base, {
     command: [
       "/bin/bash",
       "-c",
@@ -550,7 +585,7 @@ async function scheduleFuzzing() {
     },
     kind: "build",
     symbol: "B"
-  }, base);
+  });
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(merge(build_base, {
@@ -635,16 +670,16 @@ async function scheduleFuzzing32() {
     features: ["allowPtrace"],
     platform: "linux32",
     collection: "fuzz",
-    image: FUZZ_IMAGE
+    image: FUZZ_IMAGE_32
   };
 
   // Build base definition.
-  let build_base = merge({
+  let build_base = merge(base, {
     command: [
       "/bin/bash",
       "-c",
       "bin/checkout.sh && " +
-      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz -m32"
+      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz -t ia32"
     ],
     artifacts: {
       public: {
@@ -655,7 +690,7 @@ async function scheduleFuzzing32() {
     },
     kind: "build",
     symbol: "B"
-  }, base);
+  });
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(merge(build_base, {
@@ -671,7 +706,7 @@ async function scheduleFuzzing32() {
       "/bin/bash",
       "-c",
       "bin/checkout.sh && " +
-      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls -m32"
+      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls -t ia32"
     ],
   }));
 
@@ -728,9 +763,9 @@ async function scheduleFuzzing32() {
 
 /*****************************************************************************/
 
-async function scheduleTestBuilds(base, args = "") {
+async function scheduleTestBuilds(name, base, args = "") {
   // Build base definition.
-  let build = merge({
+  let build = merge(base, {
     command: [
       "/bin/bash",
       "-c",
@@ -746,8 +781,15 @@ async function scheduleTestBuilds(base, args = "") {
     },
     kind: "build",
     symbol: "B",
-    name: "Linux 64 (debug, test)"
-  }, base);
+    name: `${name} build`,
+  });
+
+  // On linux we have a specialized build image for building.
+  if (build.platform === "linux32" || build.platform === "linux64") {
+    build = merge(build, {
+      image: LINUX_BUILDS_IMAGE,
+    });
+  }
 
   // The task that builds NSPR+NSS.
   let task_build = queue.scheduleTask(build);
@@ -755,7 +797,7 @@ async function scheduleTestBuilds(base, args = "") {
   // Schedule tests.
   queue.scheduleTask(merge(base, {
     parent: task_build,
-    name: "mpi",
+    name: `${name} mpi tests`,
     command: [
       "/bin/bash",
       "-c",
@@ -773,7 +815,7 @@ async function scheduleTestBuilds(base, args = "") {
       "-c",
       "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
     ],
-    name: "Gtests",
+    name: `${name} gtests`,
     symbol: "Gtest",
     tests: "gtests",
     cycle: "standard",
@@ -790,12 +832,12 @@ async function scheduleWindows(name, base, build_script) {
   base = merge(base, {
     workerType: "nss-win2012r2",
     env: {
-      PATH: "c:\\mozilla-build\\python;c:\\mozilla-build\\msys\\local\\bin;" +
-            "c:\\mozilla-build\\7zip;c:\\mozilla-build\\info-zip;" +
-            "c:\\mozilla-build\\python\\Scripts;c:\\mozilla-build\\yasm;" +
-            "c:\\mozilla-build\\msys\\bin;c:\\Windows\\system32;" +
-            "c:\\mozilla-build\\upx391w;c:\\mozilla-build\\moztools-x64\\bin;" +
-            "c:\\mozilla-build\\wget",
+      PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" +
+	    "c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" +
+	    "c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" +
+	    "c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" +
+	    "c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" +
+	    "c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget",
       DOMSUF: "localdomain",
       HOST: "localhost",
     }
@@ -881,7 +923,7 @@ async function scheduleWindows(name, base, build_script) {
 /*****************************************************************************/
 
 function scheduleTests(task_build, task_cert, test_base) {
-  test_base = merge({kind: "test"}, test_base);
+  test_base = merge(test_base, {kind: "test"});
 
   // Schedule tests that do NOT need certificates.
   let no_cert_base = merge(test_base, {parent: task_build});
@@ -889,10 +931,21 @@ function scheduleTests(task_build, task_cert, test_base) {
     name: "Gtests", symbol: "Gtest", tests: "ssl_gtests gtests", cycle: "standard"
   }));
   queue.scheduleTask(merge(no_cert_base, {
-    name: "Bogo tests", symbol: "Bogo", tests: "bogo", cycle: "standard"
+    name: "Bogo tests",
+    symbol: "Bogo",
+    tests: "bogo",
+    cycle: "standard",
+    image: LINUX_INTEROP_IMAGE,
   }));
   queue.scheduleTask(merge(no_cert_base, {
-    name: "Interop tests", symbol: "Interop", tests: "interop", cycle: "standard"
+    name: "Interop tests",
+    symbol: "Interop",
+    tests: "interop",
+    cycle: "standard",
+    image: LINUX_INTEROP_IMAGE,
+  }));
+  queue.scheduleTask(merge(no_cert_base, {
+    name: "tlsfuzzer tests", symbol: "tlsfuzzer", tests: "tlsfuzzer", cycle: "standard"
   }));
   queue.scheduleTask(merge(no_cert_base, {
     name: "Chains tests", symbol: "Chains", tests: "chains"
@@ -928,6 +981,9 @@ function scheduleTests(task_build, task_cert, test_base) {
   queue.scheduleTask(merge(no_cert_base, {
     name: "SDR tests", symbol: "SDR", tests: "sdr"
   }));
+  queue.scheduleTask(merge(no_cert_base, {
+    name: "Policy tests", symbol: "Policy", tests: "policy"
+  }));
 
   // Schedule tests that need certificates.
   let cert_base = merge(test_base, {parent: task_cert});
@@ -971,11 +1027,11 @@ async function scheduleTools() {
     kind: "test"
   };
 
-  //ABI check task
+  // ABI check task
   queue.scheduleTask(merge(base, {
     symbol: "abi",
     name: "abi",
-    image: LINUX_IMAGE,
+    image: LINUX_BUILDS_IMAGE,
     command: [
       "/bin/bash",
       "-c",
@@ -984,9 +1040,9 @@ async function scheduleTools() {
   }));
 
   queue.scheduleTask(merge(base, {
-    symbol: "clang-format-3.9",
-    name: "clang-format-3.9",
-    image: LINUX_CLANG39_IMAGE,
+    symbol: "clang-format",
+    name: "clang-format",
+    image: CLANG_FORMAT_IMAGE,
     command: [
       "/bin/bash",
       "-c",
@@ -1049,7 +1105,7 @@ async function scheduleTools() {
     command: [
       "/bin/bash",
       "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --disable-tests --emit-llvm -m32"
+      "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --disable-tests --emit-llvm -t ia32"
     ]
   }));
 
diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js
index 214793bd5d..f1772a658c 100644
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -37,7 +37,7 @@ function parseOptions(opts) {
   let aliases = {"gtests": "gtest"};
   let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips",
                       "gtest", "interop", "lowhash", "merge", "sdr", "smime", "tools",
-                      "ssl", "mpi", "scert", "spki"];
+                      "ssl", "mpi", "scert", "spki", "policy", "tlsfuzzer"];
   let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => {
     return aliases[t] || t;
   }), allUnitTests);
diff --git a/security/nss/automation/taskcluster/scripts/build_image.sh b/security/nss/automation/taskcluster/scripts/build_image.sh
index b422214e71..b8715dbe94 100644
--- a/security/nss/automation/taskcluster/scripts/build_image.sh
+++ b/security/nss/automation/taskcluster/scripts/build_image.sh
@@ -13,12 +13,12 @@ raise_error() {
 test -n "$PROJECT" || raise_error "Project must be provided."
 test -n "$HASH" || raise_error "Context Hash must be provided."
 
-CONTEXT_PATH=/home/worker/nss/$CONTEXT_PATH
+CONTEXT_PATH="/home/worker/nss/$CONTEXT_PATH"
 
-test -d $CONTEXT_PATH || raise_error "Context Path $CONTEXT_PATH does not exist."
+test -d "$CONTEXT_PATH" || raise_error "Context Path $CONTEXT_PATH does not exist."
 test -f "$CONTEXT_PATH/Dockerfile" || raise_error "Dockerfile must be present in $CONTEXT_PATH."
 
-docker build -t $PROJECT:$HASH $CONTEXT_PATH
+docker build -t "$PROJECT:$HASH" "$CONTEXT_PATH"
 
 mkdir /artifacts
-docker save $PROJECT:$HASH > /artifacts/image.tar
+docker save "$PROJECT:$HASH" > /artifacts/image.tar
diff --git a/security/nss/automation/taskcluster/scripts/tools.sh b/security/nss/automation/taskcluster/scripts/tools.sh
index 534cb32ce6..63a6ee8de3 100644
--- a/security/nss/automation/taskcluster/scripts/tools.sh
+++ b/security/nss/automation/taskcluster/scripts/tools.sh
@@ -2,12 +2,11 @@
 
 set -v -e -x
 
+# Assert that we're not running as root.
 if [[ $(id -u) -eq 0 ]]; then
-    # Stupid Docker. It works without sometimes... But not always.
-    echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
-
-    # Drop privileges by re-running this script.
-    # Note: this mangles arguments, better to avoid running scripts as root.
+    # This exec is still needed until aarch64 images are updated (Bug 1488325).
+    # Remove when images are updated.  Until then, assert that things are good.
+    [[ $(uname -m) == aarch64 ]]
     exec su worker -c "$0 $*"
 fi
 
diff --git a/security/nss/automation/taskcluster/windows/build.sh b/security/nss/automation/taskcluster/windows/build.sh
index 46136153d0..eebb415353 100644
--- a/security/nss/automation/taskcluster/windows/build.sh
+++ b/security/nss/automation/taskcluster/windows/build.sh
@@ -2,12 +2,12 @@
 
 set -v -e -x
 
-# Set up the toolchain.
-if [ "$USE_64" = 1 ]; then
-  source $(dirname $0)/setup64.sh
+if [[ "$USE_64" == 1 ]]; then
+    m=x64
 else
-  source $(dirname $0)/setup32.sh
+    m=x86
 fi
+source "$(dirname "$0")/setup.sh"
 
 # Clone NSPR.
 hg_clone https://hg.mozilla.org/projects/nspr nspr default
diff --git a/security/nss/automation/taskcluster/windows/build_gyp.sh b/security/nss/automation/taskcluster/windows/build_gyp.sh
index cc829ca99a..c0f38f948f 100644
--- a/security/nss/automation/taskcluster/windows/build_gyp.sh
+++ b/security/nss/automation/taskcluster/windows/build_gyp.sh
@@ -2,33 +2,37 @@
 
 set -v -e -x
 
-# Set up the toolchain.
-if [[ "$@" == *"-m32"* ]]; then
-  source $(dirname $0)/setup32.sh
-else
-  source $(dirname $0)/setup64.sh
-fi
+# Parse for the -t option.
+m=x64
+for i in "$@"; do
+    case "$i" in
+        -t|--target) m= ;;
+        --target=*) m="${i#*=}" ;;
+        *) [[ -z "$m" ]] && m="$i" ;;
+    esac
+done
+[[ "$m" == "ia32" ]] && m=x86
+source "$(dirname "$0")/setup.sh"
 
 # Install GYP.
-cd gyp
+pushd gyp
 python -m virtualenv test-env
 test-env/Scripts/python setup.py install
 test-env/Scripts/python -m pip install --upgrade pip
 test-env/Scripts/pip install --upgrade setuptools
-cd ..
-
-export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
-export GYP_MSVS_VERSION="2015"
-export GYP="${PWD}/gyp/test-env/Scripts/gyp"
-
 # Fool GYP.
 touch "${VSPATH}/VC/vcvarsall.bat"
+export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
+export GYP_MSVS_VERSION=2015
+popd
+
+export PATH="${PATH}:${PWD}/ninja/bin:${PWD}/gyp/test-env/Scripts"
 
 # Clone NSPR.
 hg_clone https://hg.mozilla.org/projects/nspr nspr default
 
 # Build with gyp.
-GYP=${GYP} ./nss/build.sh -g -v "$@"
+./nss/build.sh -g -v "$@"
 
 # Package.
 7z a public/build/dist.7z dist
diff --git a/security/nss/automation/taskcluster/windows/setup.sh b/security/nss/automation/taskcluster/windows/setup.sh
index 36a040ba1c..93c0cdbd5a 100644
--- a/security/nss/automation/taskcluster/windows/setup.sh
+++ b/security/nss/automation/taskcluster/windows/setup.sh
@@ -2,13 +2,6 @@
 
 set -v -e -x
 
-export VSPATH="$(pwd)/vs2017_15.4.2"
-export NINJA_PATH="$(pwd)/ninja/bin"
-
-export WINDOWSSDKDIR="${VSPATH}/SDK"
-export VS90COMNTOOLS="${VSPATH}/VC"
-export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.15063.0/ucrt:${VSPATH}/SDK/Include/10.0.15063.0/shared:${VSPATH}/SDK/Include/10.0.15063.0/um"
-
 # Usage: hg_clone repo dir [revision=@]
 hg_clone() {
     repo=$1
@@ -22,5 +15,42 @@ hg_clone() {
     exit 1
 }
 
-hg_clone https://hg.mozilla.org/build/tools tools default
-tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://tooltool.mozilla-releng.net/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache
+hg_clone https://hg.mozilla.org/build/tools tools b8d7c263dfc3
+tools/scripts/tooltool/tooltool_wrapper.sh \
+    $(dirname $0)/releng.manifest https://tooltool.mozilla-releng.net/ \
+    non-existant-file.sh /c/mozilla-build/python/python.exe \
+    /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok \
+    -c /c/builds/tooltool_cache
+
+# This needs $m to be set.
+[[ -n "$m" ]]
+
+# Setup MSVC paths.
+export VSPATH="${PWD}/vs2017_15.4.2"
+UCRTVersion="10.0.15063.0"
+
+export WINDOWSSDKDIR="${VSPATH}/SDK"
+export VS90COMNTOOLS="${VSPATH}/VC"
+export WIN32_REDIST_DIR="${VSPATH}/VC/redist/${m}/Microsoft.VC141.CRT"
+export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/${m}"
+
+if [ "$m" == "x86" ]; then
+    PATH="${PATH}:${VSPATH}/VC/bin/Hostx64/x86"
+    PATH="${PATH}:${VSPATH}/VC/bin/Hostx64/x64"
+fi
+PATH="${PATH}:${VSPATH}/VC/bin/Host${m}/${m}"
+PATH="${PATH}:${WIN32_REDIST_DIR}"
+PATH="${PATH}:${WIN_UCRT_REDIST_DIR}"
+PATH="${PATH}:${VSPATH}/SDK/bin/${UCRTVersion}/x64"
+export PATH
+
+LIB="${LIB}:${VSPATH}/VC/lib/${m}"
+LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/ucrt/${m}"
+LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/um/${m}"
+export LIB
+
+INCLUDE="${INCLUDE}:${VSPATH}/VC/include"
+INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/ucrt"
+INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/shared"
+INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/um"
+export INCLUDE
diff --git a/security/nss/automation/taskcluster/windows/setup32.sh b/security/nss/automation/taskcluster/windows/setup32.sh
deleted file mode 100644
index 19bed284d1..0000000000
--- a/security/nss/automation/taskcluster/windows/setup32.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-source $(dirname $0)/setup.sh
-
-export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x86/Microsoft.VC141.CRT"
-export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x86"
-export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/Hostx64/x86:${VSPATH}/VC/bin/Hostx64/x64:${VSPATH}/VC/Hostx86/x86:${VSPATH}/SDK/bin/10.0.15063.0/x64:${VSPATH}/VC/redist/x86/Microsoft.VC141.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x86:${PATH}"
-export LIB="${VSPATH}/VC/lib/x86:${VSPATH}/SDK/lib/10.0.15063.0/ucrt/x86:${VSPATH}/SDK/lib/10.0.15063.0/um/x86"
diff --git a/security/nss/automation/taskcluster/windows/setup64.sh b/security/nss/automation/taskcluster/windows/setup64.sh
deleted file mode 100644
index d16cb0ec9d..0000000000
--- a/security/nss/automation/taskcluster/windows/setup64.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-set -v -e -x
-
-source $(dirname $0)/setup.sh
-
-export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC141.CRT"
-export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x64"
-export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/Hostx64/x64:${VSPATH}/VC/bin/Hostx86/x86:${VSPATH}/SDK/bin/10.0.15063.0/x64:${VSPATH}/VC/redist/x64/Microsoft.VC141.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
-export LIB="${VSPATH}/VC/lib/x64:${VSPATH}/SDK/lib/10.0.15063.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.15063.0/um/x64"
diff --git a/security/nss/build.sh b/security/nss/build.sh
index 338e14beb0..4c6d513cd4 100755
--- a/security/nss/build.sh
+++ b/security/nss/build.sh
@@ -50,75 +50,86 @@ fuzz=0
 fuzz_tls=0
 fuzz_oss=0
 no_local_nspr=0
-armhf=0
 
 gyp_params=(--depth="$cwd" --generator-output=".")
-nspr_params=()
 ninja_params=()
 
-# try to guess sensible defaults
-arch=$(python "$cwd"/coreconf/detect_host_arch.py)
-if [ "$arch" = "x64" -o "$arch" = "aarch64" ]; then
-    build_64=1
-elif [ "$arch" = "arm" ]; then
-    armhf=1
+# Assume that the target architecture is the same as the host by default.
+host_arch=$(python "$cwd"/coreconf/detect_host_arch.py)
+target_arch=$host_arch
+
+# Assume that MSVC is wanted if this is running on windows.
+platform=$(uname -s)
+if [ "${platform%-*}" = "MINGW32_NT" -o "${platform%-*}" = "MINGW64_NT" ]; then
+    msvc=1
 fi
 
-# parse command line arguments
+# Parse command line arguments.
 while [ $# -gt 0 ]; do
-    case $1 in
+    case "$1" in
         -c) clean=1 ;;
         -cc) clean_only=1 ;;
-        --gyp|-g) rebuild_gyp=1 ;;
-        --nspr) nspr_clean; rebuild_nspr=1 ;;
-        -j) ninja_params+=(-j "$2"); shift ;;
         -v) ninja_params+=(-v); verbose=1 ;;
-        --test) gyp_params+=(-Dtest_build=1) ;;
-        --clang) export CC=clang; export CCC=clang++; export CXX=clang++ ;;
-        --gcc) export CC=gcc; export CCC=g++; export CXX=g++ ;;
-        --fuzz) fuzz=1 ;;
-        --fuzz=oss) fuzz=1; fuzz_oss=1 ;;
-        --fuzz=tls) fuzz=1; fuzz_tls=1 ;;
+        -j) ninja_params+=(-j "$2"); shift ;;
+        --gyp|-g) rebuild_gyp=1 ;;
+        --opt|-o) opt_build=1 ;;
+        -m32|--m32) target_arch=ia32; echo 'Warning: use -t instead of -m32' 1>&2 ;;
+        -t|--target) target_arch="$2"; shift ;;
+        --target=*) target_arch="${1#*=}" ;;
+        --clang) export CC=clang; export CCC=clang++; export CXX=clang++; msvc=0 ;;
+        --gcc) export CC=gcc; export CCC=g++; export CXX=g++; msvc=0 ;;
+        --msvc) msvc=1 ;;
         --scan-build) enable_scanbuild  ;;
         --scan-build=?*) enable_scanbuild "${1#*=}" ;;
-        --opt|-o) opt_build=1 ;;
-        -m32|--m32) build_64=0 ;;
+        --disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
+        --pprof) gyp_params+=(-Duse_pprof=1) ;;
         --asan) enable_sanitizer asan ;;
         --msan) enable_sanitizer msan ;;
         --ubsan) enable_ubsan ;;
         --ubsan=?*) enable_ubsan "${1#*=}" ;;
+        --fuzz) fuzz=1 ;;
+        --fuzz=oss) fuzz=1; fuzz_oss=1 ;;
+        --fuzz=tls) fuzz=1; fuzz_tls=1 ;;
         --sancov) enable_sancov ;;
         --sancov=?*) enable_sancov "${1#*=}" ;;
-        --pprof) gyp_params+=(-Duse_pprof=1) ;;
-        --ct-verif) gyp_params+=(-Dct_verif=1) ;;
         --emit-llvm) gyp_params+=(-Demit_llvm=1 -Dsign_libs=0) ;;
-        --disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
         --no-zdefs) gyp_params+=(-Dno_zdefs=1) ;;
-        --system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
+        --test) gyp_params+=(-Dtest_build=1) ;;
+        --ct-verif) gyp_params+=(-Dct_verif=1) ;;
+        --nspr) nspr_clean; rebuild_nspr=1 ;;
         --with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
         --system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
-        --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
+        --system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
         --enable-fips) gyp_params+=(-Ddisable_fips=0) ;;
+        --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
+        --mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;;
         *) show_help; exit 2 ;;
     esac
     shift
 done
 
+# Set the target architecture and build type.
+gyp_params+=(-Dtarget_arch="$target_arch")
 if [ "$opt_build" = 1 ]; then
     target=Release
 else
     target=Debug
 fi
-if [ "$build_64" = 1 ]; then
-    nspr_params+=(--enable-64bit)
-elif [ ! "$armhf" = 1 ]; then
-    gyp_params+=(-Dtarget_arch=ia32)
-fi
+
+# Do special setup.
 if [ "$fuzz" = 1 ]; then
     source "$cwd"/coreconf/fuzz.sh
 fi
+nspr_set_flags $sanitizer_flags
+if [ ! -z "$sanitizer_flags" ]; then
+    gyp_params+=(-Dsanitizer_flags="$sanitizer_flags")
+fi
 
-# set paths
+if [ "$msvc" = 1 ]; then
+    source "$cwd"/coreconf/msvc.sh
+fi
+
+# Setup build paths.
 target_dir="$cwd"/out/$target
 mkdir -p "$target_dir"
 dist_dir="$cwd"/../dist
@@ -149,6 +160,7 @@ check_config()
     echo CC="$CC" >"$newconf"
     echo CCC="$CCC" >>"$newconf"
     echo CXX="$CXX" >>"$newconf"
+    echo target_arch="$target_arch" >>"$newconf"
     for i in "$@"; do echo $i; done | sort >>"$newconf"
 
     # Note: The following diff fails if $oldconf isn't there as well, which
@@ -159,6 +171,7 @@ check_config()
 gyp_config="$cwd"/out/gyp_config
 nspr_config="$cwd"/out/$target/nspr_config
 
+# Now check what needs to be rebuilt.
 # If we don't have a build directory make sure that we rebuild.
 if [ ! -d "$target_dir" ]; then
     rebuild_nspr=1
@@ -167,33 +180,28 @@ elif [ ! -d "$dist_dir"/$target ]; then
     rebuild_nspr=1
 fi
 
-# Update NSPR ${C,CXX,LD}FLAGS.
-nspr_set_flags $sanitizer_flags
-
-if check_config "$nspr_config" "${nspr_params[@]}" \
+if check_config "$nspr_config" \
                  nspr_cflags="$nspr_cflags" \
                  nspr_cxxflags="$nspr_cxxflags" \
                  nspr_ldflags="$nspr_ldflags"; then
     rebuild_nspr=1
 fi
 
-# Forward sanitizer flags.
-if [ ! -z "$sanitizer_flags" ]; then
-    gyp_params+=(-Dsanitizer_flags="$sanitizer_flags")
-fi
-
 if check_config "$gyp_config" "${gyp_params[@]}"; then
     rebuild_gyp=1
 fi
 
-# save the chosen target
+# Save the chosen target.
 mkdir -p "$dist_dir"
 echo $target > "$dist_dir"/latest
 
+# Build.
+# NSPR.
 if [[ "$rebuild_nspr" = 1 && "$no_local_nspr" = 0 ]]; then
-    nspr_build "${nspr_params[@]}"
+    nspr_build
     mv -f "$nspr_config".new "$nspr_config"
 fi
+# gyp.
 if [ "$rebuild_gyp" = 1 ]; then
     if ! hash ${GYP} 2> /dev/null; then
         echo "Please install gyp" 1>&2
@@ -211,11 +219,11 @@ if [ "$rebuild_gyp" = 1 ]; then
     mv -f "$gyp_config".new "$gyp_config"
 fi
 
-# Run ninja.
-if hash ninja 2>/dev/null; then
-    ninja=ninja
-elif hash ninja-build 2>/dev/null; then
+# ninja.
+if hash ninja-build 2>/dev/null; then
     ninja=ninja-build
+elif hash ninja 2>/dev/null; then
+    ninja=ninja
 else
     echo "Please install ninja" 1>&2
     exit 1
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index dbb93c9220..df02e44392 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -741,6 +741,9 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
         case 'V':
             usage = certificateUsageSSLServer;
             break;
+        case 'I':
+            usage = certificateUsageIPsec;
+            break;
         case 'S':
             usage = certificateUsageEmailSigner;
             break;
@@ -856,41 +859,59 @@ SECItemToHex(const SECItem *item, char *dst)
 }
 
 static const char *const keyTypeName[] = {
-    "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss"
+    "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss", "rsaOaep"
 };
 
 #define MAX_CKA_ID_BIN_LEN 20
 #define MAX_CKA_ID_STR_LEN 40
 
-/* print key number, key ID (in hex or ASCII), key label (nickname) */
-static SECStatus
-PrintKey(PRFileDesc *out, const char *nickName, int count,
-         SECKEYPrivateKey *key, void *pwarg)
+/* output human readable key ID in buffer, which should have at least
+ * MAX_CKA_ID_STR_LEN + 3 octets (quotations and a null terminator) */
+static void
+formatPrivateKeyID(SECKEYPrivateKey *privkey, char *buffer)
 {
     SECItem *ckaID;
-    char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
 
-    pwarg = NULL;
-    ckaID = PK11_GetLowLevelKeyIDForPrivateKey(key);
+    ckaID = PK11_GetLowLevelKeyIDForPrivateKey(privkey);
     if (!ckaID) {
-        strcpy(ckaIDbuf, "(no CKA_ID)");
+        strcpy(buffer, "(no CKA_ID)");
     } else if (ItemIsPrintableASCII(ckaID)) {
         int len = PR_MIN(MAX_CKA_ID_STR_LEN, ckaID->len);
-        ckaIDbuf[0] = '"';
-        memcpy(ckaIDbuf + 1, ckaID->data, len);
-        ckaIDbuf[1 + len] = '"';
-        ckaIDbuf[2 + len] = '\0';
+        buffer[0] = '"';
+        memcpy(buffer + 1, ckaID->data, len);
+        buffer[1 + len] = '"';
+        buffer[2 + len] = '\0';
     } else {
         /* print ckaid in hex */
         SECItem idItem = *ckaID;
         if (idItem.len > MAX_CKA_ID_BIN_LEN)
             idItem.len = MAX_CKA_ID_BIN_LEN;
-        SECItemToHex(&idItem, ckaIDbuf);
+        SECItemToHex(&idItem, buffer);
     }
+    SECITEM_ZfreeItem(ckaID, PR_TRUE);
+}
+
+/* print key number, key ID (in hex or ASCII), key label (nickname) */
+static SECStatus
+PrintKey(PRFileDesc *out, const char *nickName, int count,
+         SECKEYPrivateKey *key, void *pwarg)
+{
+    char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
+    CERTCertificate *cert;
+    KeyType keyType;
+
+    pwarg = NULL;
 
+    formatPrivateKeyID(key, ckaIDbuf);
+    cert = PK11_GetCertFromPrivateKey(key);
+    if (cert) {
+        keyType = CERT_GetCertKeyType(&cert->subjectPublicKeyInfo);
+        CERT_DestroyCertificate(cert);
+    } else {
+        keyType = key->keyType;
+    }
     PR_fprintf(out, "<%2d> %-8.8s %-42.42s %s\n", count,
-               keyTypeName[key->keyType], ckaIDbuf, nickName);
-    SECITEM_ZfreeItem(ckaID, PR_TRUE);
+               keyTypeName[keyType], ckaIDbuf, nickName);
 
     return SECSuccess;
 }
@@ -1002,7 +1023,7 @@ ListKeys(PK11SlotInfo *slot, const char *nickName, int index,
 }
 
 static SECStatus
-DeleteKey(char *nickname, secuPWData *pwdata)
+DeleteCertAndKey(char *nickname, secuPWData *pwdata)
 {
     SECStatus rv;
     CERTCertificate *cert;
@@ -1031,6 +1052,61 @@ DeleteKey(char *nickname, secuPWData *pwdata)
     return rv;
 }
 
+static SECKEYPrivateKey *
+findPrivateKeyByID(PK11SlotInfo *slot, const char *ckaID, secuPWData *pwarg)
+{
+    PORTCheapArenaPool arena;
+    SECItem ckaIDItem = { 0 };
+    SECKEYPrivateKey *privkey = NULL;
+    SECStatus rv;
+
+    if (PK11_NeedLogin(slot)) {
+        rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "could not authenticate to token %s.",
+                            PK11_GetTokenName(slot));
+            return NULL;
+        }
+    }
+
+    if (0 == PL_strncasecmp("0x", ckaID, 2)) {
+        ckaID += 2; /* skip leading "0x" */
+    }
+    PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
+    if (SECU_HexString2SECItem(&arena.arena, &ckaIDItem, ckaID)) {
+        privkey = PK11_FindKeyByKeyID(slot, &ckaIDItem, pwarg);
+    }
+    PORT_DestroyCheapArena(&arena);
+    return privkey;
+}
+
+static SECStatus
+DeleteKey(SECKEYPrivateKey *privkey, secuPWData *pwarg)
+{
+    SECStatus rv;
+    PK11SlotInfo *slot;
+
+    slot = PK11_GetSlotFromPrivateKey(privkey);
+    if (PK11_NeedLogin(slot)) {
+        rv = PK11_Authenticate(slot, PR_TRUE, pwarg);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "could not authenticate to token %s.",
+                            PK11_GetTokenName(slot));
+            return SECFailure;
+        }
+    }
+
+    rv = PK11_DeleteTokenPrivateKey(privkey, PR_TRUE);
+    if (rv != SECSuccess) {
+        char ckaIDbuf[MAX_CKA_ID_STR_LEN + 4];
+        formatPrivateKeyID(privkey, ckaIDbuf);
+        SECU_PrintError("problem deleting private key \"%s\"\n", ckaIDbuf);
+    }
+
+    PK11_FreeSlot(slot);
+    return rv;
+}
+
 /*
  *  L i s t M o d u l e s
  *
@@ -1100,7 +1176,9 @@ PrintSyntax()
         "\t\t [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
         progName);
-    FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
+    FPS "\t%s -F -n cert-name [-d certdir] [-P dbprefix]\n",
+        progName);
+    FPS "\t%s -F -k key-id [-d certdir] [-P dbprefix]\n",
         progName);
     FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
         "\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
@@ -1390,6 +1468,8 @@ luF(enum usage_level ul, const char *command)
         return;
     FPS "%-20s The nickname of the key to delete\n",
         "   -n cert-name");
+    FPS "%-20s The key id of the key to delete, obtained using -K\n",
+        "   -k key-id");
     FPS "%-20s Cert database directory (default is ~/.netscape)\n",
         "   -d certdir");
     FPS "%-20s Cert & Key database prefix\n",
@@ -1629,6 +1709,7 @@ luV(enum usage_level ul, const char *command)
     FPS "%-20s Specify certificate usage:\n", "   -u certusage");
     FPS "%-25s C \t SSL Client\n", "");
     FPS "%-25s V \t SSL Server\n", "");
+    FPS "%-25s I \t IPsec\n", "");
     FPS "%-25s L \t SSL CA\n", "");
     FPS "%-25s A \t Any CA\n", "");
     FPS "%-25s Y \t Verify CA\n", "");
@@ -2944,10 +3025,9 @@ certutil_main(int argc, char **argv, PRBool initialize)
         readOnly = !certutil.options[opt_RW].activated;
     }
 
-    /*  -A, -D, -F, -M, -S, -V, and all require -n  */
+    /*  -A, -D, -M, -S, -V, and all require -n  */
     if ((certutil.commands[cmd_AddCert].activated ||
          certutil.commands[cmd_DeleteCert].activated ||
-         certutil.commands[cmd_DeleteKey].activated ||
          certutil.commands[cmd_DumpChain].activated ||
          certutil.commands[cmd_ModifyCertTrust].activated ||
          certutil.commands[cmd_CreateAndAddCert].activated ||
@@ -3034,6 +3114,16 @@ certutil_main(int argc, char **argv, PRBool initialize)
         return 255;
     }
 
+    /* Delete needs a nickname or a key ID */
+    if (certutil.commands[cmd_DeleteKey].activated &&
+        !(certutil.options[opt_Nickname].activated || keysource)) {
+        PR_fprintf(PR_STDERR,
+                   "%s -%c: specify a nickname (-n) or\n"
+                   "   a key ID (-k).\n",
+                   commandToRun, progName);
+        return 255;
+    }
+
     /* Upgrade/Merge needs a source database and a upgrade id. */
     if (certutil.commands[cmd_UpgradeMerge].activated &&
         !(certutil.options[opt_SourceDir].activated &&
@@ -3396,7 +3486,19 @@ certutil_main(int argc, char **argv, PRBool initialize)
     }
     /*  Delete key (-F)  */
     if (certutil.commands[cmd_DeleteKey].activated) {
-        rv = DeleteKey(name, &pwdata);
+        if (certutil.options[opt_Nickname].activated) {
+            rv = DeleteCertAndKey(name, &pwdata);
+        } else {
+            privkey = findPrivateKeyByID(slot, keysource, &pwdata);
+            if (!privkey) {
+                SECU_PrintError(progName, "%s is not a key-id", keysource);
+                rv = SECFailure;
+            } else {
+                rv = DeleteKey(privkey, &pwdata);
+                /* already destroyed by PK11_DeleteTokenPrivateKey */
+                privkey = NULL;
+            }
+        }
         goto shutdown;
     }
     /*  Modify trust attribute for cert (-M)  */
@@ -3468,30 +3570,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
             if (keycert) {
                 privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata);
             } else {
-                PLArenaPool *arena = NULL;
-                SECItem keyidItem = { 0 };
-                char *keysourcePtr = keysource;
                 /* Interpret keysource as CKA_ID */
-                if (PK11_NeedLogin(slot)) {
-                    rv = PK11_Authenticate(slot, PR_TRUE, &pwdata);
-                    if (rv != SECSuccess) {
-                        SECU_PrintError(progName, "could not authenticate to token %s.",
-                                        PK11_GetTokenName(slot));
-                        return SECFailure;
-                    }
-                }
-                if (0 == PL_strncasecmp("0x", keysource, 2)) {
-                    keysourcePtr = keysource + 2; // skip leading "0x"
-                }
-                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-                if (!arena) {
-                    SECU_PrintError(progName, "unable to allocate arena");
-                    return SECFailure;
-                }
-                if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) {
-                    privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata);
-                }
-                PORT_FreeArena(arena, PR_FALSE);
+                privkey = findPrivateKeyByID(slot, keysource, &pwdata);
             }
 
             if (!privkey) {
diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c
index c5527fc932..be2e47a6c4 100644
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -232,10 +232,6 @@ ImportCRL(CERTCertDBHandle *certHandle, char *url, int type,
     SECItem crlDER;
     PK11SlotInfo *slot = NULL;
     int rv;
-#if defined(DEBUG_jp96085)
-    PRIntervalTime starttime, endtime, elapsed;
-    PRUint32 mins, secs, msecs;
-#endif
 
     crlDER.data = NULL;
 
@@ -256,19 +252,9 @@ ImportCRL(CERTCertDBHandle *certHandle, char *url, int type,
             goto loser;
     }
 
-#if defined(DEBUG_jp96085)
-    starttime = PR_IntervalNow();
-#endif
     crl = PK11_ImportCRL(slot, &crlDER, url, type,
                          NULL, importOptions, NULL, decodeOptions);
-#if defined(DEBUG_jp96085)
-    endtime = PR_IntervalNow();
-    elapsed = endtime - starttime;
-    mins = PR_IntervalToSeconds(elapsed) / 60;
-    secs = PR_IntervalToSeconds(elapsed) % 60;
-    msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
-    printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
-#endif
+
     if (!crl) {
         const char *errString;
 
diff --git a/security/nss/cmd/crmf-cgi/crmfcgi.c b/security/nss/cmd/crmf-cgi/crmfcgi.c
index 07b81f233a..9f6174383c 100644
--- a/security/nss/cmd/crmf-cgi/crmfcgi.c
+++ b/security/nss/cmd/crmf-cgi/crmfcgi.c
@@ -4,7 +4,7 @@
 
 #include "seccomon.h"
 #include "nss.h"
-#include "key.h"
+#include "keyhi.h"
 #include "cert.h"
 #include "pk11func.h"
 #include "secmod.h"
diff --git a/security/nss/cmd/crmftest/testcrmf.c b/security/nss/cmd/crmftest/testcrmf.c
index 1c1359b1bc..3fe5725bfe 100644
--- a/security/nss/cmd/crmftest/testcrmf.c
+++ b/security/nss/cmd/crmftest/testcrmf.c
@@ -66,7 +66,7 @@
 #include "crmf.h"
 #include "secerr.h"
 #include "pk11func.h"
-#include "key.h"
+#include "keyhi.h"
 #include "cmmf.h"
 #include "plgetopt.h"
 #include "secutil.h"
diff --git a/security/nss/cmd/dbck/dbrecover.c b/security/nss/cmd/dbck/dbrecover.c
index 74d21d85eb..5b7e0549d1 100644
--- a/security/nss/cmd/dbck/dbrecover.c
+++ b/security/nss/cmd/dbck/dbrecover.c
@@ -288,7 +288,8 @@ addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info,
 
     /*  If user chooses so, ignore expired certificates.  */
     allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
-                             (oldCert->keyUsage == certUsageSSLServerWithStepUp));
+                             (oldCert->keyUsage == certUsageSSLServerWithStepUp) ||
+                             (oldCert->keyUsage == certUsageIPsec));
     validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
     /*  If cert expired and user wants to delete it, ignore it. */
     if ((validity != secCertTimeValid) &&
diff --git a/security/nss/cmd/fipstest/fipstest.c b/security/nss/cmd/fipstest/fipstest.c
index 061f3dde09..5d00b3070c 100644
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -2335,6 +2335,34 @@ sha_get_hashType(int hashbits)
     return hashType;
 }
 
+HASH_HashType
+hash_string_to_hashType(const char *src)
+{
+    HASH_HashType shaAlg = HASH_AlgNULL;
+    if (strncmp(src, "SHA-1", 5) == 0) {
+        shaAlg = HASH_AlgSHA1;
+    } else if (strncmp(src, "SHA-224", 7) == 0) {
+        shaAlg = HASH_AlgSHA224;
+    } else if (strncmp(src, "SHA-256", 7) == 0) {
+        shaAlg = HASH_AlgSHA256;
+    } else if (strncmp(src, "SHA-384", 7) == 0) {
+        shaAlg = HASH_AlgSHA384;
+    } else if (strncmp(src, "SHA-512", 7) == 0) {
+        shaAlg = HASH_AlgSHA512;
+    } else if (strncmp(src, "SHA1", 4) == 0) {
+        shaAlg = HASH_AlgSHA1;
+    } else if (strncmp(src, "SHA224", 6) == 0) {
+        shaAlg = HASH_AlgSHA224;
+    } else if (strncmp(src, "SHA256", 6) == 0) {
+        shaAlg = HASH_AlgSHA256;
+    } else if (strncmp(src, "SHA384", 6) == 0) {
+        shaAlg = HASH_AlgSHA384;
+    } else if (strncmp(src, "SHA512", 6) == 0) {
+        shaAlg = HASH_AlgSHA512;
+    }
+    return shaAlg;
+}
+
 /*
  * Perform the ECDSA Key Pair Generation Test.
  *
@@ -2628,17 +2656,8 @@ ecdsa_siggen_test(char *reqfn)
             *dst = '\0';
             src++; /* skip the comma */
             /* set the SHA Algorithm */
-            if (strncmp(src, "SHA-1", 5) == 0) {
-                shaAlg = HASH_AlgSHA1;
-            } else if (strncmp(src, "SHA-224", 7) == 0) {
-                shaAlg = HASH_AlgSHA224;
-            } else if (strncmp(src, "SHA-256", 7) == 0) {
-                shaAlg = HASH_AlgSHA256;
-            } else if (strncmp(src, "SHA-384", 7) == 0) {
-                shaAlg = HASH_AlgSHA384;
-            } else if (strncmp(src, "SHA-512", 7) == 0) {
-                shaAlg = HASH_AlgSHA512;
-            } else {
+            shaAlg = hash_string_to_hashType(src);
+            if (shaAlg == HASH_AlgNULL) {
                 fprintf(ecdsaresp, "ERROR: Unable to find SHAAlg type");
                 goto loser;
             }
@@ -2798,17 +2817,8 @@ ecdsa_sigver_test(char *reqfn)
             *dst = '\0';
             src++; /* skip the comma */
             /* set the SHA Algorithm */
-            if (strncmp(src, "SHA-1", 5) == 0) {
-                shaAlg = HASH_AlgSHA1;
-            } else if (strncmp(src, "SHA-224", 7) == 0) {
-                shaAlg = HASH_AlgSHA224;
-            } else if (strncmp(src, "SHA-256", 7) == 0) {
-                shaAlg = HASH_AlgSHA256;
-            } else if (strncmp(src, "SHA-384", 7) == 0) {
-                shaAlg = HASH_AlgSHA384;
-            } else if (strncmp(src, "SHA-512", 7) == 0) {
-                shaAlg = HASH_AlgSHA512;
-            } else {
+            shaAlg = hash_string_to_hashType(src);
+            if (shaAlg == HASH_AlgNULL) {
                 fprintf(ecdsaresp, "ERROR: Unable to find SHAAlg type");
                 goto loser;
             }
@@ -2956,6 +2966,932 @@ loser:
     fclose(ecdsareq);
 }
 
+/*
+ * Perform the ECDH Functional Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+#define MAX_ECC_PARAMS 256
+void
+ecdh_functional(char *reqfn, PRBool response)
+{
+    char buf[256];  /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "Qx = <144 hex digits>\n".
+                         */
+    FILE *ecdhreq;  /* input stream from the REQUEST file */
+    FILE *ecdhresp; /* output stream to the RESPONSE file */
+    char curve[16]; /* "nistxddd" */
+    unsigned char hashBuf[HASH_LENGTH_MAX];
+    ECParams *ecparams[MAX_ECC_PARAMS] = { NULL };
+    ECPrivateKey *ecpriv = NULL;
+    ECParams *current_ecparams = NULL;
+    SECItem pubkey;
+    SECItem ZZ;
+    unsigned int i;
+    unsigned int len = 0;
+    unsigned int uit_len = 0;
+    int current_curve = -1;
+    HASH_HashType hash = HASH_AlgNULL; /* type of SHA Alg */
+
+    ecdhreq = fopen(reqfn, "r");
+    ecdhresp = stdout;
+    strcpy(curve, "nist");
+    pubkey.data = NULL;
+    while (fgets(buf, sizeof buf, ecdhreq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r') {
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        if (buf[0] == '[') {
+            /* [Ex] */
+            if (buf[1] == 'E' && buf[3] == ']') {
+                current_curve = buf[2] - 'A';
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            /* [Curve selected: x-nnn */
+            if (strncmp(buf, "[Curve ", 7) == 0) {
+                const char *src;
+                char *dst;
+                SECItem *encodedparams;
+
+                if ((current_curve < 0) || (current_curve > MAX_ECC_PARAMS)) {
+                    fprintf(stderr, "No curve type defined\n");
+                    goto loser;
+                }
+
+                src = &buf[1];
+                /* skip passed the colon */
+                while (*src && *src != ':')
+                    src++;
+                if (*src != ':') {
+                    fprintf(stderr,
+                            "No colon in curve selected statement\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                dst = &curve[4];
+                *dst++ = tolower(*src);
+                src += 2; /* skip the hyphen */
+                *dst++ = *src++;
+                *dst++ = *src++;
+                *dst++ = *src++;
+                *dst = '\0';
+                if (ecparams[current_curve] != NULL) {
+                    PORT_FreeArena(ecparams[current_curve]->arena, PR_FALSE);
+                    ecparams[current_curve] = NULL;
+                }
+                encodedparams = getECParams(curve);
+                if (encodedparams == NULL) {
+                    fprintf(stderr, "Unknown curve %s.", curve);
+                    goto loser;
+                }
+                if (EC_DecodeParams(encodedparams, &ecparams[current_curve]) != SECSuccess) {
+                    fprintf(stderr, "Curve %s not supported.\n", curve);
+                    goto loser;
+                }
+                SECITEM_FreeItem(encodedparams, PR_TRUE);
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            /* [Ex - SHAxxx] */
+            if (buf[1] == 'E' && buf[3] == ' ') {
+                const char *src;
+                current_curve = buf[2] - 'A';
+                if ((current_curve < 0) || (current_curve > 256)) {
+                    fprintf(stderr, "bad curve type defined (%c)\n", buf[2]);
+                    goto loser;
+                }
+                current_ecparams = ecparams[current_curve];
+                if (current_ecparams == NULL) {
+                    fprintf(stderr, "no curve defined for type %c defined\n",
+                            buf[2]);
+                    goto loser;
+                }
+                /* skip passed the colon */
+                src = &buf[1];
+                while (*src && *src != '-')
+                    src++;
+                if (*src != '-') {
+                    fprintf(stderr,
+                            "No data in curve selected statement\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                hash = hash_string_to_hashType(src);
+                if (hash == HASH_AlgNULL) {
+                    fprintf(ecdhresp, "ERROR: Unable to find SHAAlg type");
+                    goto loser;
+                }
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        /* COUNT = ... */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            fputs(buf, ecdhresp);
+            if (current_ecparams == NULL) {
+                fprintf(stderr, "no curve defined for type %c defined\n",
+                        buf[2]);
+                goto loser;
+            }
+            len = (current_ecparams->fieldID.size + 7) >> 3;
+            if (pubkey.data != NULL) {
+                PORT_Free(pubkey.data);
+                pubkey.data = NULL;
+            }
+            SECITEM_AllocItem(NULL, &pubkey, EC_GetPointSize(current_ecparams));
+            if (pubkey.data == NULL) {
+                goto loser;
+            }
+            pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED;
+            continue;
+        }
+        /* QeCAVSx = ... */
+        if (strncmp(buf, "QeCAVSx", 7) == 0) {
+            fputs(buf, ecdhresp);
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(&pubkey.data[1], len, &buf[i]);
+            continue;
+        }
+        /* QeCAVSy = ... */
+        if (strncmp(buf, "QeCAVSy", 7) == 0) {
+            fputs(buf, ecdhresp);
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(&pubkey.data[1 + len], len, &buf[i]);
+            if (current_ecparams == NULL) {
+                fprintf(stderr, "no curve defined\n");
+                goto loser;
+            }
+            /* validate CAVS public key */
+            if (EC_ValidatePublicKey(current_ecparams, &pubkey) != SECSuccess) {
+                fprintf(stderr, "BAD key detected\n");
+                goto loser;
+            }
+
+            /* generate ECC key pair */
+            if (EC_NewKey(current_ecparams, &ecpriv) != SECSuccess) {
+                fprintf(stderr, "Failed to generate new key\n");
+                goto loser;
+            }
+            /* validate UIT generated public key */
+            if (EC_ValidatePublicKey(current_ecparams, &ecpriv->publicValue) !=
+                SECSuccess) {
+                fprintf(stderr, "generate key did not validate\n");
+                goto loser;
+            }
+            /* output UIT public key */
+            uit_len = ecpriv->publicValue.len;
+            if (uit_len % 2 == 0) {
+                fprintf(stderr, "generate key had invalid public value len\n");
+                goto loser;
+            }
+            uit_len = (uit_len - 1) / 2;
+            if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+                fprintf(stderr, "generate key was compressed\n");
+                goto loser;
+            }
+            fputs("QeIUTx = ", ecdhresp);
+            to_hex_str(buf, &ecpriv->publicValue.data[1], uit_len);
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+            fputs("QeIUTy = ", ecdhresp);
+            to_hex_str(buf, &ecpriv->publicValue.data[1 + uit_len], uit_len);
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+            /* ECDH */
+            if (ECDH_Derive(&pubkey, current_ecparams, &ecpriv->privateValue,
+                            PR_FALSE, &ZZ) != SECSuccess) {
+                fprintf(stderr, "Derive failed\n");
+                goto loser;
+            }
+            /* output hash of ZZ */
+            if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) {
+                fprintf(stderr, "hash of derived key failed\n");
+                goto loser;
+            }
+            SECITEM_FreeItem(&ZZ, PR_FALSE);
+            fputs("HashZZ = ", ecdhresp);
+            to_hex_str(buf, hashBuf, fips_hashLen(hash));
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+            fputc('\n', ecdhresp);
+            PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
+            ecpriv = NULL;
+            continue;
+        }
+    }
+loser:
+    if (ecpriv != NULL) {
+        PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE);
+    }
+    for (i = 0; i < MAX_ECC_PARAMS; i++) {
+        if (ecparams[i] != NULL) {
+            PORT_FreeArena(ecparams[i]->arena, PR_FALSE);
+            ecparams[i] = NULL;
+        }
+    }
+    if (pubkey.data != NULL) {
+        PORT_Free(pubkey.data);
+    }
+    fclose(ecdhreq);
+}
+
+#define MATCH_OPENSSL 1
+/*
+ * Perform the ECDH Validity Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+ecdh_verify(char *reqfn, PRBool response)
+{
+    char buf[256];  /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "Qx = <144 hex digits>\n".
+                         */
+    FILE *ecdhreq;  /* input stream from the REQUEST file */
+    FILE *ecdhresp; /* output stream to the RESPONSE file */
+    char curve[16]; /* "nistxddd" */
+    unsigned char hashBuf[HASH_LENGTH_MAX];
+    unsigned char cavsHashBuf[HASH_LENGTH_MAX];
+    unsigned char private_data[MAX_ECKEY_LEN];
+    ECParams *ecparams[MAX_ECC_PARAMS] = { NULL };
+    ECParams *current_ecparams = NULL;
+    SECItem pubkey;
+    SECItem ZZ;
+    SECItem private_value;
+    unsigned int i;
+    unsigned int len = 0;
+    int current_curve = -1;
+    HASH_HashType hash = HASH_AlgNULL; /* type of SHA Alg */
+
+    ecdhreq = fopen(reqfn, "r");
+    ecdhresp = stdout;
+    strcpy(curve, "nist");
+    pubkey.data = NULL;
+    while (fgets(buf, sizeof buf, ecdhreq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r') {
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        if (buf[0] == '[') {
+            /* [Ex] */
+            if (buf[1] == 'E' && buf[3] == ']') {
+                current_curve = buf[2] - 'A';
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            /* [Curve selected: x-nnn */
+            if (strncmp(buf, "[Curve ", 7) == 0) {
+                const char *src;
+                char *dst;
+                SECItem *encodedparams;
+
+                if ((current_curve < 0) || (current_curve > MAX_ECC_PARAMS)) {
+                    fprintf(stderr, "No curve type defined\n");
+                    goto loser;
+                }
+
+                src = &buf[1];
+                /* skip passed the colon */
+                while (*src && *src != ':')
+                    src++;
+                if (*src != ':') {
+                    fprintf(stderr,
+                            "No colon in curve selected statement\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                dst = &curve[4];
+                *dst++ = tolower(*src);
+                src += 2; /* skip the hyphen */
+                *dst++ = *src++;
+                *dst++ = *src++;
+                *dst++ = *src++;
+                *dst = '\0';
+                if (ecparams[current_curve] != NULL) {
+                    PORT_FreeArena(ecparams[current_curve]->arena, PR_FALSE);
+                    ecparams[current_curve] = NULL;
+                }
+                encodedparams = getECParams(curve);
+                if (encodedparams == NULL) {
+                    fprintf(stderr, "Unknown curve %s.\n", curve);
+                    goto loser;
+                }
+                if (EC_DecodeParams(encodedparams, &ecparams[current_curve]) != SECSuccess) {
+                    fprintf(stderr, "Curve %s not supported.\n", curve);
+                    goto loser;
+                }
+                SECITEM_FreeItem(encodedparams, PR_TRUE);
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            /* [Ex - SHAxxx] */
+            if (buf[1] == 'E' && buf[3] == ' ') {
+                const char *src;
+                current_curve = buf[2] - 'A';
+                if ((current_curve < 0) || (current_curve > 256)) {
+                    fprintf(stderr, "bad curve type defined (%c)\n", buf[2]);
+                    goto loser;
+                }
+                current_ecparams = ecparams[current_curve];
+                if (current_ecparams == NULL) {
+                    fprintf(stderr, "no curve defined for type %c defined\n",
+                            buf[2]);
+                    goto loser;
+                }
+                /* skip passed the colon */
+                src = &buf[1];
+                while (*src && *src != '-')
+                    src++;
+                if (*src != '-') {
+                    fprintf(stderr,
+                            "No data in curve selected statement\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                hash = hash_string_to_hashType(src);
+                if (hash == HASH_AlgNULL) {
+                    fprintf(ecdhresp, "ERROR: Unable to find SHAAlg type");
+                    goto loser;
+                }
+                fputs(buf, ecdhresp);
+                continue;
+            }
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        /* COUNT = ... */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            fputs(buf, ecdhresp);
+            if (current_ecparams == NULL) {
+                fprintf(stderr, "no curve defined for type %c defined\n",
+                        buf[2]);
+                goto loser;
+            }
+            len = (current_ecparams->fieldID.size + 7) >> 3;
+            if (pubkey.data != NULL) {
+                PORT_Free(pubkey.data);
+                pubkey.data = NULL;
+            }
+            SECITEM_AllocItem(NULL, &pubkey, EC_GetPointSize(current_ecparams));
+            if (pubkey.data == NULL) {
+                goto loser;
+            }
+            pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED;
+            continue;
+        }
+        /* QeCAVSx = ... */
+        if (strncmp(buf, "QeCAVSx", 7) == 0) {
+            fputs(buf, ecdhresp);
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(&pubkey.data[1], len, &buf[i]);
+            continue;
+        }
+        /* QeCAVSy = ... */
+        if (strncmp(buf, "QeCAVSy", 7) == 0) {
+            fputs(buf, ecdhresp);
+            i = 7;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(&pubkey.data[1 + len], len, &buf[i]);
+            continue;
+        }
+        if (strncmp(buf, "deIUT", 5) == 0) {
+            fputs(buf, ecdhresp);
+            i = 5;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(private_data, len, &buf[i]);
+            private_value.data = private_data;
+            private_value.len = len;
+            continue;
+        }
+        if (strncmp(buf, "QeIUTx", 6) == 0) {
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        if (strncmp(buf, "QeIUTy", 6) == 0) {
+            fputs(buf, ecdhresp);
+            continue;
+        }
+        if (strncmp(buf, "CAVSHashZZ", 10) == 0) {
+            fputs(buf, ecdhresp);
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(cavsHashBuf, fips_hashLen(hash), &buf[i]);
+            if (current_ecparams == NULL) {
+                fprintf(stderr, "no curve defined for type defined\n");
+                goto loser;
+            }
+            /* validate CAVS public key */
+            if (EC_ValidatePublicKey(current_ecparams, &pubkey) != SECSuccess) {
+#ifdef MATCH_OPENSSL
+                fprintf(ecdhresp, "Result = F\n");
+#else
+                fprintf(ecdhresp, "Result = F # key didn't validate\n");
+#endif
+                continue;
+            }
+
+            /* ECDH */
+            if (ECDH_Derive(&pubkey, current_ecparams, &private_value,
+                            PR_FALSE, &ZZ) != SECSuccess) {
+                fprintf(stderr, "Derive failed\n");
+                goto loser;
+            }
+/* output  ZZ */
+#ifndef MATCH_OPENSSL
+            fputs("Z = ", ecdhresp);
+            to_hex_str(buf, ZZ.data, ZZ.len);
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+#endif
+
+            if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) {
+                fprintf(stderr, "hash of derived key failed\n");
+                goto loser;
+            }
+            SECITEM_FreeItem(&ZZ, PR_FALSE);
+#ifndef MATCH_NIST
+            fputs("IUTHashZZ = ", ecdhresp);
+            to_hex_str(buf, hashBuf, fips_hashLen(hash));
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
+#endif
+            if (memcmp(hashBuf, cavsHashBuf, fips_hashLen(hash)) != 0) {
+#ifdef MATCH_OPENSSL
+                fprintf(ecdhresp, "Result = F\n");
+#else
+                fprintf(ecdhresp, "Result = F # hash doesn't match\n");
+#endif
+            } else {
+                fprintf(ecdhresp, "Result = P\n");
+            }
+#ifndef MATCH_OPENSSL
+            fputc('\n', ecdhresp);
+#endif
+            continue;
+        }
+    }
+loser:
+    for (i = 0; i < MAX_ECC_PARAMS; i++) {
+        if (ecparams[i] != NULL) {
+            PORT_FreeArena(ecparams[i]->arena, PR_FALSE);
+            ecparams[i] = NULL;
+        }
+    }
+    if (pubkey.data != NULL) {
+        PORT_Free(pubkey.data);
+    }
+    fclose(ecdhreq);
+}
+
+/*
+ * Perform the DH Functional Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+#define MAX_ECC_PARAMS 256
+void
+dh_functional(char *reqfn, PRBool response)
+{
+    char buf[1024]; /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "YephCAVS = <512 hex digits>\n".
+                         */
+    FILE *dhreq;    /* input stream from the REQUEST file */
+    FILE *dhresp;   /* output stream to the RESPONSE file */
+    unsigned char hashBuf[HASH_LENGTH_MAX];
+    DSAPrivateKey *dsapriv = NULL;
+    PQGParams pqg = { 0 };
+    unsigned char pubkeydata[DSA_MAX_P_BITS / 8];
+    SECItem pubkey;
+    SECItem ZZ;
+    unsigned int i, j;
+    unsigned int pgySize;
+    HASH_HashType hash = HASH_AlgNULL; /* type of SHA Alg */
+
+    dhreq = fopen(reqfn, "r");
+    dhresp = stdout;
+    while (fgets(buf, sizeof buf, dhreq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r') {
+            fputs(buf, dhresp);
+            continue;
+        }
+        if (buf[0] == '[') {
+            /* [Fx - SHAxxx] */
+            if (buf[1] == 'F' && buf[3] == ' ') {
+                const char *src;
+                /* skip passed the colon */
+                src = &buf[1];
+                while (*src && *src != '-')
+                    src++;
+                if (*src != '-') {
+                    fprintf(stderr, "No hash specified\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                hash = hash_string_to_hashType(src);
+                if (hash == HASH_AlgNULL) {
+                    fprintf(dhresp, "ERROR: Unable to find SHAAlg type");
+                    goto loser;
+                }
+                /* clear the PQG parameters */
+                if (pqg.prime.data) { /* P */
+                    SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
+                }
+                if (pqg.subPrime.data) { /* Q */
+                    SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
+                }
+                if (pqg.base.data) { /* G */
+                    SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
+                }
+                pgySize = DSA_MAX_P_BITS / 8; /* change if more key sizes are supported in CAVS */
+                SECITEM_AllocItem(NULL, &pqg.prime, pgySize);
+                SECITEM_AllocItem(NULL, &pqg.base, pgySize);
+                pqg.prime.len = pqg.base.len = pgySize;
+
+                /* set q to the max allows */
+                SECITEM_AllocItem(NULL, &pqg.subPrime, DSA_MAX_Q_BITS / 8);
+                pqg.subPrime.len = DSA_MAX_Q_BITS / 8;
+                fputs(buf, dhresp);
+                continue;
+            }
+            fputs(buf, dhresp);
+            continue;
+        }
+        if (buf[0] == 'P') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.prime.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.prime.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.prime.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* Q = ... */
+        if (buf[0] == 'Q') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.subPrime.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.subPrime.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.subPrime.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* G = ... */
+        if (buf[0] == 'G') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.base.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.base.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.base.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* COUNT = ... */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* YephemCAVS = ... */
+        if (strncmp(buf, "YephemCAVS", 10) == 0) {
+            fputs(buf, dhresp);
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(pubkeydata, pqg.prime.len, &buf[i]);
+            pubkey.data = pubkeydata;
+            pubkey.len = pqg.prime.len;
+
+            /* generate FCC key pair, nist uses pqg rather then pg,
+             * so use DSA to generate the key */
+            if (DSA_NewKey(&pqg, &dsapriv) != SECSuccess) {
+                fprintf(stderr, "Failed to generate new key\n");
+                goto loser;
+            }
+            fputs("XephemIUT = ", dhresp);
+            to_hex_str(buf, dsapriv->privateValue.data, dsapriv->privateValue.len);
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+            fputs("YephemIUT = ", dhresp);
+            to_hex_str(buf, dsapriv->publicValue.data, dsapriv->publicValue.len);
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+            /* DH */
+            if (DH_Derive(&pubkey, &pqg.prime, &dsapriv->privateValue,
+                          &ZZ, pqg.prime.len) != SECSuccess) {
+                fprintf(stderr, "Derive failed\n");
+                goto loser;
+            }
+            /* output hash of ZZ */
+            if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) {
+                fprintf(stderr, "hash of derived key failed\n");
+                goto loser;
+            }
+            SECITEM_FreeItem(&ZZ, PR_FALSE);
+            fputs("HashZZ = ", dhresp);
+            to_hex_str(buf, hashBuf, fips_hashLen(hash));
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+            fputc('\n', dhresp);
+            PORT_FreeArena(dsapriv->params.arena, PR_TRUE);
+            dsapriv = NULL;
+            continue;
+        }
+    }
+loser:
+    if (dsapriv != NULL) {
+        PORT_FreeArena(dsapriv->params.arena, PR_TRUE);
+    }
+    fclose(dhreq);
+}
+
+#define MATCH_OPENSSL 1
+/*
+ * Perform the DH Validity Test.
+ *
+ * reqfn is the pathname of the REQUEST file.
+ *
+ * The output RESPONSE file is written to stdout.
+ */
+void
+dh_verify(char *reqfn, PRBool response)
+{
+    char buf[1024]; /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "YephCAVS = <512 hex digits>\n".
+                         */
+    FILE *dhreq;    /* input stream from the REQUEST file */
+    FILE *dhresp;   /* output stream to the RESPONSE file */
+    unsigned char hashBuf[HASH_LENGTH_MAX];
+    unsigned char cavsHashBuf[HASH_LENGTH_MAX];
+    PQGParams pqg = { 0 };
+    unsigned char pubkeydata[DSA_MAX_P_BITS / 8];
+    unsigned char privkeydata[DSA_MAX_P_BITS / 8];
+    SECItem pubkey;
+    SECItem privkey;
+    SECItem ZZ;
+    unsigned int i, j;
+    unsigned int pgySize;
+    HASH_HashType hash = HASH_AlgNULL; /* type of SHA Alg */
+
+    dhreq = fopen(reqfn, "r");
+    dhresp = stdout;
+    while (fgets(buf, sizeof buf, dhreq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n' || buf[0] == '\r') {
+            fputs(buf, dhresp);
+            continue;
+        }
+        if (buf[0] == '[') {
+            /* [Fx - SHAxxx] */
+            if (buf[1] == 'F' && buf[3] == ' ') {
+                const char *src;
+                /* skip passed the colon */
+                src = &buf[1];
+                while (*src && *src != '-')
+                    src++;
+                if (*src != '-') {
+                    fprintf(stderr, "No hash specified\n%s", buf);
+                    goto loser;
+                }
+                src++;
+                /* skip to the first non-space */
+                while (*src && *src == ' ')
+                    src++;
+                hash = hash_string_to_hashType(src);
+                if (hash == HASH_AlgNULL) {
+                    fprintf(dhresp, "ERROR: Unable to find SHAAlg type");
+                    goto loser;
+                }
+                /* clear the PQG parameters */
+                if (pqg.prime.data) { /* P */
+                    SECITEM_ZfreeItem(&pqg.prime, PR_FALSE);
+                }
+                if (pqg.subPrime.data) { /* Q */
+                    SECITEM_ZfreeItem(&pqg.subPrime, PR_FALSE);
+                }
+                if (pqg.base.data) { /* G */
+                    SECITEM_ZfreeItem(&pqg.base, PR_FALSE);
+                }
+                pgySize = DSA_MAX_P_BITS / 8; /* change if more key sizes are supported in CAVS */
+                SECITEM_AllocItem(NULL, &pqg.prime, pgySize);
+                SECITEM_AllocItem(NULL, &pqg.base, pgySize);
+                pqg.prime.len = pqg.base.len = pgySize;
+
+                /* set q to the max allows */
+                SECITEM_AllocItem(NULL, &pqg.subPrime, DSA_MAX_Q_BITS / 8);
+                pqg.subPrime.len = DSA_MAX_Q_BITS / 8;
+                fputs(buf, dhresp);
+                continue;
+            }
+            fputs(buf, dhresp);
+            continue;
+        }
+        if (buf[0] == 'P') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.prime.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.prime.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.prime.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* Q = ... */
+        if (buf[0] == 'Q') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.subPrime.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.subPrime.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.subPrime.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* G = ... */
+        if (buf[0] == 'G') {
+            i = 1;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < pqg.base.len; i += 2, j++) {
+                if (!isxdigit(buf[i])) {
+                    pqg.base.len = j;
+                    break;
+                }
+                hex_to_byteval(&buf[i], &pqg.base.data[j]);
+            }
+
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* COUNT = ... */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            fputs(buf, dhresp);
+            continue;
+        }
+
+        /* YephemCAVS = ... */
+        if (strncmp(buf, "YephemCAVS", 10) == 0) {
+            fputs(buf, dhresp);
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(pubkeydata, pqg.prime.len, &buf[i]);
+            pubkey.data = pubkeydata;
+            pubkey.len = pqg.prime.len;
+            continue;
+        }
+        /* XephemUIT = ... */
+        if (strncmp(buf, "XephemIUT", 9) == 0) {
+            fputs(buf, dhresp);
+            i = 9;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(privkeydata, pqg.subPrime.len, &buf[i]);
+            privkey.data = privkeydata;
+            privkey.len = pqg.subPrime.len;
+            continue;
+        }
+        /* YephemUIT = ... */
+        if (strncmp(buf, "YephemIUT", 9) == 0) {
+            fputs(buf, dhresp);
+            continue;
+        }
+        /* CAVSHashZZ = ... */
+        if (strncmp(buf, "CAVSHashZZ", 10) == 0) {
+            fputs(buf, dhresp);
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            from_hex_str(cavsHashBuf, fips_hashLen(hash), &buf[i]);
+            /* do the DH operation*/
+            if (DH_Derive(&pubkey, &pqg.prime, &privkey,
+                          &ZZ, pqg.prime.len) != SECSuccess) {
+                fprintf(stderr, "Derive failed\n");
+                goto loser;
+            }
+/* output  ZZ */
+#ifndef MATCH_OPENSSL
+            fputs("Z = ", dhresp);
+            to_hex_str(buf, ZZ.data, ZZ.len);
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+#endif
+            if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) {
+                fprintf(stderr, "hash of derived key failed\n");
+                goto loser;
+            }
+            SECITEM_FreeItem(&ZZ, PR_FALSE);
+#ifndef MATCH_NIST_
+            fputs("IUTHashZZ = ", dhresp);
+            to_hex_str(buf, hashBuf, fips_hashLen(hash));
+            fputs(buf, dhresp);
+            fputc('\n', dhresp);
+#endif
+            if (memcmp(hashBuf, cavsHashBuf, fips_hashLen(hash)) != 0) {
+                fprintf(dhresp, "Result = F\n");
+            } else {
+                fprintf(dhresp, "Result = P\n");
+            }
+#ifndef MATCH_OPENSSL
+            fputc('\n', dhresp);
+#endif
+            continue;
+        }
+    }
+loser:
+    fclose(dhreq);
+}
+
 PRBool
 isblankline(char *b)
 {
@@ -5342,17 +6278,8 @@ rsa_siggen_test(char *reqfn)
                 i++;
             }
             /* set the SHA Algorithm */
-            if (strncmp(&buf[i], "SHA1", 4) == 0) {
-                shaAlg = HASH_AlgSHA1;
-            } else if (strncmp(&buf[i], "SHA224", 6) == 0) {
-                shaAlg = HASH_AlgSHA224;
-            } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
-                shaAlg = HASH_AlgSHA256;
-            } else if (strncmp(&buf[i], "SHA384", 6) == 0) {
-                shaAlg = HASH_AlgSHA384;
-            } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
-                shaAlg = HASH_AlgSHA512;
-            } else {
+            shaAlg = hash_string_to_hashType(&buf[i]);
+            if (shaAlg == HASH_AlgNULL) {
                 fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
                 goto loser;
             }
@@ -5537,17 +6464,8 @@ rsa_sigver_test(char *reqfn)
                 i++;
             }
             /* set the SHA Algorithm */
-            if (strncmp(&buf[i], "SHA1", 4) == 0) {
-                shaAlg = HASH_AlgSHA1;
-            } else if (strncmp(&buf[i], "SHA224", 6) == 0) {
-                shaAlg = HASH_AlgSHA224;
-            } else if (strncmp(&buf[i], "SHA256", 6) == 0) {
-                shaAlg = HASH_AlgSHA256;
-            } else if (strncmp(&buf[i], "SHA384", 6) == 0) {
-                shaAlg = HASH_AlgSHA384;
-            } else if (strncmp(&buf[i], "SHA512", 6) == 0) {
-                shaAlg = HASH_AlgSHA512;
-            } else {
+            shaAlg = hash_string_to_hashType(&buf[i]);
+            if (shaAlg == HASH_AlgNULL) {
                 fprintf(rsaresp, "ERROR: Unable to find SHAAlg type");
                 goto loser;
             }
@@ -6108,6 +7026,34 @@ main(int argc, char **argv)
             ecdsa_sigver_test(argv[3]);
         }
         /*************/
+        /*   ECDH   */
+        /*************/
+    } else if (strcmp(argv[1], "ecdh") == 0) {
+        /* argv[2]={init|resp}-{func|verify} argv[3]=<test name>.req */
+        if (strcmp(argv[2], "init-func") == 0) {
+            ecdh_functional(argv[3], 0);
+        } else if (strcmp(argv[2], "resp-func") == 0) {
+            ecdh_functional(argv[3], 1);
+        } else if (strcmp(argv[2], "init-verify") == 0) {
+            ecdh_verify(argv[3], 0);
+        } else if (strcmp(argv[2], "resp-verify") == 0) {
+            ecdh_verify(argv[3], 1);
+        }
+        /*************/
+        /*   DH   */
+        /*************/
+    } else if (strcmp(argv[1], "dh") == 0) {
+        /* argv[2]={init|resp}-{func|verify} argv[3]=<test name>.req */
+        if (strcmp(argv[2], "init-func") == 0) {
+            dh_functional(argv[3], 0);
+        } else if (strcmp(argv[2], "resp-func") == 0) {
+            dh_functional(argv[3], 1);
+        } else if (strcmp(argv[2], "init-verify") == 0) {
+            dh_verify(argv[3], 0);
+        } else if (strcmp(argv[2], "resp-verify") == 0) {
+            dh_verify(argv[3], 1);
+        }
+        /*************/
         /*   RNG     */
         /*************/
     } else if (strcmp(argv[1], "rng") == 0) {
diff --git a/security/nss/cmd/fipstest/kas.sh b/security/nss/cmd/fipstest/kas.sh
new file mode 100644
index 0000000000..9aa5387a83
--- /dev/null
+++ b/security/nss/cmd/fipstest/kas.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+# 
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# A Bourne shell script for running the NIST DSA Validation System
+#
+# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
+# variables appropriately so that the fipstest command and the NSPR and NSS
+# shared libraries/DLLs are on the search path.  Then run this script in the
+# directory where the REQUEST (.req) files reside.  The script generates the
+# RESPONSE (.rsp) files in the same directory.
+BASEDIR=${1-.}
+TESTDIR=${BASEDIR}/KAS
+COMMAND=${2-run}
+REQDIR=${TESTDIR}/req
+RSPDIR=${TESTDIR}/resp
+
+
+#
+if [ ${COMMAND} = "verify" ]; then
+#
+# need verify for KAS tests
+
+# verify generated keys
+#    name=KeyPair
+#    echo ">>>>>  $name"
+#    fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify generated pqg values
+#    name=PQGGen
+#    echo ">>>>>  $name"
+#    fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify PQGVer with known answer
+#    sh ./validate1.sh ${TESTDIR} PQGVer.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
+# verify signatures
+#    name=SigGen
+#    echo ">>>>>  $name"
+#    fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
+# verify SigVer with known answer
+#    sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;'
+    exit 0
+fi
+
+request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh init-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest ecdh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh init-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
+request=KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
+response=`echo $request | sed -e "s/req/rsp/"`
+echo $request $response
+fipstest dh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
+
diff --git a/security/nss/cmd/fipstest/runtest.sh b/security/nss/cmd/fipstest/runtest.sh
index 5f8e66a081..fcb16348b7 100644
--- a/security/nss/cmd/fipstest/runtest.sh
+++ b/security/nss/cmd/fipstest/runtest.sh
@@ -6,7 +6,7 @@
 #
 TESTDIR=${1-.}
 COMMAND=${2-run}
-TESTS="aes aesgcm dsa ecdsa hmac tls rng rsa sha tdea"
+TESTS="aes aesgcm dsa ecdsa hmac kas tls rng rsa sha tdea"
 for i in $TESTS
 do
     echo "********************Running $i tests"
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index 6be2df432a..97c7f750a6 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -3799,7 +3799,7 @@ SECU_ParseSSLVersionRangeString(const char *input,
     return SECSuccess;
 }
 
-SSLNamedGroup
+static SSLNamedGroup
 groupNameToNamedGroup(char *name)
 {
     if (PL_strlen(name) == 4) {
@@ -3837,6 +3837,23 @@ groupNameToNamedGroup(char *name)
     return ssl_grp_none;
 }
 
+static SECStatus
+countItems(const char *arg, unsigned int *numItems)
+{
+    char *str = PORT_Strdup(arg);
+    if (!str) {
+        return SECFailure;
+    }
+    char *p = strtok(str, ",");
+    while (p) {
+        ++(*numItems);
+        p = strtok(NULL, ",");
+    }
+    PORT_Free(str);
+    str = NULL;
+    return SECSuccess;
+}
+
 SECStatus
 parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
                unsigned int *enabledGroupsCount)
@@ -3847,21 +3864,12 @@ parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
     unsigned int numValues = 0;
     unsigned int count = 0;
 
-    /* Count the number of groups. */
-    str = PORT_Strdup(arg);
-    if (!str) {
+    if (countItems(arg, &numValues) != SECSuccess) {
         return SECFailure;
     }
-    p = strtok(str, ",");
-    while (p) {
-        ++numValues;
-        p = strtok(NULL, ",");
-    }
-    PORT_Free(str);
-    str = NULL;
     groups = PORT_ZNewArray(SSLNamedGroup, numValues);
     if (!groups) {
-        goto done;
+        return SECFailure;
     }
 
     /* Get group names. */
@@ -3881,9 +3889,7 @@ parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
     }
 
 done:
-    if (str) {
-        PORT_Free(str);
-    }
+    PORT_Free(str);
     if (!count) {
         PORT_Free(groups);
         return SECFailure;
@@ -3893,3 +3899,83 @@ done:
     *enabledGroups = groups;
     return SECSuccess;
 }
+
+SSLSignatureScheme
+schemeNameToScheme(const char *name)
+{
+#define compareScheme(x)                                \
+    do {                                                \
+        if (!PORT_Strncmp(name, #x, PORT_Strlen(#x))) { \
+            return ssl_sig_##x;                         \
+        }                                               \
+    } while (0)
+
+    compareScheme(rsa_pkcs1_sha1);
+    compareScheme(rsa_pkcs1_sha256);
+    compareScheme(rsa_pkcs1_sha384);
+    compareScheme(rsa_pkcs1_sha512);
+    compareScheme(ecdsa_sha1);
+    compareScheme(ecdsa_secp256r1_sha256);
+    compareScheme(ecdsa_secp384r1_sha384);
+    compareScheme(ecdsa_secp521r1_sha512);
+    compareScheme(rsa_pss_rsae_sha256);
+    compareScheme(rsa_pss_rsae_sha384);
+    compareScheme(rsa_pss_rsae_sha512);
+    compareScheme(ed25519);
+    compareScheme(ed448);
+    compareScheme(rsa_pss_pss_sha256);
+    compareScheme(rsa_pss_pss_sha384);
+    compareScheme(rsa_pss_pss_sha512);
+    compareScheme(dsa_sha1);
+    compareScheme(dsa_sha256);
+    compareScheme(dsa_sha384);
+    compareScheme(dsa_sha512);
+
+#undef compareScheme
+
+    return ssl_sig_none;
+}
+
+SECStatus
+parseSigSchemeList(const char *arg, const SSLSignatureScheme **enabledSigSchemes,
+                   unsigned int *enabledSigSchemeCount)
+{
+    SSLSignatureScheme *schemes;
+    unsigned int numValues = 0;
+    unsigned int count = 0;
+
+    if (countItems(arg, &numValues) != SECSuccess) {
+        return SECFailure;
+    }
+    schemes = PORT_ZNewArray(SSLSignatureScheme, numValues);
+    if (!schemes) {
+        return SECFailure;
+    }
+
+    /* Get group names. */
+    char *str = PORT_Strdup(arg);
+    if (!str) {
+        goto done;
+    }
+    char *p = strtok(str, ",");
+    while (p) {
+        SSLSignatureScheme scheme = schemeNameToScheme(p);
+        if (scheme == ssl_sig_none) {
+            count = 0;
+            goto done;
+        }
+        schemes[count++] = scheme;
+        p = strtok(NULL, ",");
+    }
+
+done:
+    PORT_Free(str);
+    if (!count) {
+        PORT_Free(schemes);
+        return SECFailure;
+    }
+
+    *enabledSigSchemeCount = count;
+    *enabledSigSchemes = schemes;
+    return SECSuccess;
+}
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index fe07aca606..90d7639097 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -9,7 +9,7 @@
 #include "secport.h"
 #include "prerror.h"
 #include "base64.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secpkcs7.h"
 #include "secasn1.h"
 #include "secder.h"
@@ -406,7 +406,9 @@ SECU_ParseSSLVersionRangeString(const char *input,
 
 SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
                          unsigned int *enabledGroupsCount);
-SSLNamedGroup groupNameToNamedGroup(char *name);
+SECStatus parseSigSchemeList(const char *arg,
+                             const SSLSignatureScheme **enabledSigSchemes,
+                             unsigned int *enabledSigSchemeCount);
 
 /*
  *
diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn
index 567c6bb9d9..be53d3c4eb 100644
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -47,6 +47,7 @@ NSS_SRCDIRS = \
  listsuites \
  makepqg  \
  multinit \
+ nss-policy-check \
  ocspclnt  \
  ocspresp \
  oidcalc  \
diff --git a/security/nss/cmd/modutil/error.h b/security/nss/cmd/modutil/error.h
index d9f06592f8..33ed7bde7d 100644
--- a/security/nss/cmd/modutil/error.h
+++ b/security/nss/cmd/modutil/error.h
@@ -131,6 +131,7 @@ typedef enum {
     UNDEFAULT_SUCCESS_MSG,
     BROWSER_RUNNING_MSG,
     ABORTING_MSG,
+    P11_KIT_ENABLED_MSG,
 
     LAST_MSG /* must be last */
 } Message;
diff --git a/security/nss/cmd/modutil/modutil.c b/security/nss/cmd/modutil/modutil.c
index c1b44be536..f04ad3d925 100644
--- a/security/nss/cmd/modutil/modutil.c
+++ b/security/nss/cmd/modutil/modutil.c
@@ -138,7 +138,11 @@ char* msgStrings[] = {
     "\ncorruption of your security databases. If the browser is currently running,"
     "\nyou should exit browser before continuing this operation. Type "
     "\n'q <enter>' to abort, or <enter> to continue: ",
-    "\nAborting...\n"
+    "\nAborting...\n",
+    "\nWARNING: Manually adding a module while p11-kit is enabled could cause"
+    "\nduplicate module registration in your security database. It is suggested "
+    "\nto configure the module through p11-kit configuration file instead.\n"
+    "\nType 'q <enter>' to abort, or <enter> to continue: "
 };
 
 /* Increment i if doing so would have i still be less than j.  If you
@@ -856,6 +860,28 @@ main(int argc, char* argv[])
         goto loser;
     }
 
+    /* Warn if we are adding a module while p11-kit is enabled in the
+     * database. */
+    if ((command == ADD_COMMAND || command == RAW_ADD_COMMAND) &&
+        IsP11KitEnabled()) {
+        char* response;
+
+        PR_fprintf(PR_STDOUT, msgStrings[P11_KIT_ENABLED_MSG]);
+        if (!PR_fgets(stdinbuf, STDINBUF_SIZE, PR_STDIN)) {
+            PR_fprintf(PR_STDERR, errStrings[STDIN_READ_ERR]);
+            errcode = STDIN_READ_ERR;
+            goto loser;
+        }
+        if ((response = strtok(stdinbuf, " \r\n\t"))) {
+            if (!PL_strcasecmp(response, "q")) {
+                PR_fprintf(PR_STDOUT, msgStrings[ABORTING_MSG]);
+                errcode = SUCCESS;
+                goto loser;
+            }
+        }
+        PR_fprintf(PR_STDOUT, "\n");
+    }
+
     /* Execute the command */
     switch (command) {
         case ADD_COMMAND:
diff --git a/security/nss/cmd/modutil/modutil.h b/security/nss/cmd/modutil/modutil.h
index 04aa908c85..1981fec7bc 100644
--- a/security/nss/cmd/modutil/modutil.h
+++ b/security/nss/cmd/modutil/modutil.h
@@ -36,6 +36,7 @@ Error RawAddModule(char *dbmodulespec, char *modulespec);
 Error RawListModule(char *modulespec);
 Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
 Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
+PRBool IsP11KitEnabled(void);
 void out_of_memory(void);
 
 #endif /*MODUTIL_H*/
diff --git a/security/nss/cmd/modutil/pk11.c b/security/nss/cmd/modutil/pk11.c
index 1efc1895c4..6d17a33657 100644
--- a/security/nss/cmd/modutil/pk11.c
+++ b/security/nss/cmd/modutil/pk11.c
@@ -259,6 +259,55 @@ getStringFromFlags(unsigned long flags, const MaskString array[], int elements)
     return buf;
 }
 
+static PRBool
+IsP11KitProxyModule(SECMODModule *module)
+{
+    CK_INFO modinfo;
+    static const char p11KitManufacturerID[33] =
+        "PKCS#11 Kit                     ";
+    static const char p11KitLibraryDescription[33] =
+        "PKCS#11 Kit Proxy Module        ";
+
+    if (PK11_GetModInfo(module, &modinfo) == SECSuccess &&
+        PORT_Memcmp(modinfo.manufacturerID,
+                    p11KitManufacturerID,
+                    sizeof(modinfo.manufacturerID)) == 0 &&
+        PORT_Memcmp(modinfo.libraryDescription,
+                    p11KitLibraryDescription,
+                    sizeof(modinfo.libraryDescription)) == 0) {
+        return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+PRBool
+IsP11KitEnabled(void)
+{
+    SECMODListLock *lock;
+    SECMODModuleList *mlp;
+    PRBool found = PR_FALSE;
+
+    lock = SECMOD_GetDefaultModuleListLock();
+    if (!lock) {
+        PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]);
+        return found;
+    }
+
+    SECMOD_GetReadLock(lock);
+
+    mlp = SECMOD_GetDefaultModuleList();
+    for (; mlp != NULL; mlp = mlp->next) {
+        if (IsP11KitProxyModule(mlp->module)) {
+            found = PR_TRUE;
+            break;
+        }
+    }
+
+    SECMOD_ReleaseReadLock(lock);
+    return found;
+}
+
 /**********************************************************************
  *
  * A d d M o d u l e
diff --git a/security/nss/cmd/nss-policy-check/Makefile b/security/nss/cmd/nss-policy-check/Makefile
new file mode 100644
index 0000000000..6e1d4ecdfc
--- /dev/null
+++ b/security/nss/cmd/nss-policy-check/Makefile
@@ -0,0 +1,47 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/security/nss/cmd/nss-policy-check/manifest.mn b/security/nss/cmd/nss-policy-check/manifest.mn
new file mode 100644
index 0000000000..8fb9abf000
--- /dev/null
+++ b/security/nss/cmd/nss-policy-check/manifest.mn
@@ -0,0 +1,15 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH = ../..
+
+MODULE = nss
+
+CSRCS = nss-policy-check.c
+
+REQUIRES = seccmd
+
+PROGRAM = nss-policy-check
+
diff --git a/security/nss/cmd/nss-policy-check/nss-policy-check.c b/security/nss/cmd/nss-policy-check/nss-policy-check.c
new file mode 100644
index 0000000000..b83003874f
--- /dev/null
+++ b/security/nss/cmd/nss-policy-check/nss-policy-check.c
@@ -0,0 +1,206 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This program can be used to check the validity of a NSS crypto policy
+ * configuration file, specified using a config= line.
+ *
+ * Exit codes:
+ *  failure: 2
+ *  warning: 1
+ *  success: 0
+ */
+
+#include <limits.h>
+#include <errno.h>
+#include <stdio.h>
+#include "utilparst.h"
+#include "nss.h"
+#include "secport.h"
+#include "secutil.h"
+#include "secmod.h"
+#include "ssl.h"
+#include "prenv.h"
+
+const char *sWarn = "WARN";
+const char *sInfo = "INFO";
+
+void
+get_tls_info(SSLProtocolVariant protocolVariant, const char *display)
+{
+    SSLVersionRange vrange_supported, vrange_enabled;
+    unsigned num_enabled = 0;
+    PRBool failed = PR_FALSE;
+
+    /* We assume SSL v2 is inactive, and therefore SSL_VersionRangeGetDefault
+     * gives complete information. */
+    if ((SSL_VersionRangeGetSupported(protocolVariant, &vrange_supported) != SECSuccess) ||
+        (SSL_VersionRangeGetDefault(protocolVariant, &vrange_enabled) != SECSuccess) ||
+        !vrange_enabled.min ||
+        !vrange_enabled.max ||
+        vrange_enabled.max < vrange_supported.min ||
+        vrange_enabled.min > vrange_supported.max) {
+        failed = PR_TRUE;
+    } else {
+        if (vrange_enabled.min < vrange_supported.min) {
+            vrange_enabled.min = vrange_supported.min;
+        }
+        if (vrange_enabled.max > vrange_supported.max) {
+            vrange_enabled.max = vrange_supported.max;
+        }
+        if (vrange_enabled.min > vrange_enabled.max) {
+            failed = PR_TRUE;
+        }
+    }
+    if (failed) {
+        num_enabled = 0;
+    } else {
+        num_enabled = vrange_enabled.max - vrange_enabled.min + 1;
+    }
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s-VERSIONS: %u\n",
+            num_enabled ? sInfo : sWarn, display, num_enabled);
+    if (!num_enabled) {
+        PR_SetEnv("NSS_POLICY_WARN=1");
+    }
+}
+
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif
+
+int
+main(int argc, char **argv)
+{
+    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+    int i;
+    SECStatus rv;
+    SECMODModule *module = NULL;
+    char path[PATH_MAX];
+    const char *filename;
+    char moduleSpec[1024 + PATH_MAX];
+    unsigned num_enabled = 0;
+    int result = 0;
+    int fullPathLen;
+
+    if (argc != 2) {
+        fprintf(stderr, "Syntax: nss-policy-check <path-to-policy-file>\n");
+        result = 2;
+        goto loser_no_shutdown;
+    }
+
+    fullPathLen = strlen(argv[1]);
+
+    if (!fullPathLen || PR_Access(argv[1], PR_ACCESS_READ_OK) != PR_SUCCESS) {
+        fprintf(stderr, "Error: cannot read file %s\n", argv[1]);
+        result = 2;
+        goto loser_no_shutdown;
+    }
+
+    if (fullPathLen >= PATH_MAX) {
+        fprintf(stderr, "Error: filename parameter is too long\n");
+        result = 2;
+        goto loser_no_shutdown;
+    }
+
+    path[0] = 0;
+    filename = argv[1] + fullPathLen - 1;
+    while ((filename > argv[1]) && (*filename != NSSUTIL_PATH_SEPARATOR[0])) {
+        filename--;
+    }
+
+    if (filename == argv[1]) {
+        PORT_Strcpy(path, ".");
+    } else {
+        filename++; /* Go past the path separator. */
+        PORT_Strncat(path, argv[1], (filename - argv[1]));
+    }
+
+    PR_SetEnv("NSS_IGNORE_SYSTEM_POLICY=1");
+    rv = NSS_NoDB_Init(NULL);
+    if (rv != SECSuccess) {
+        fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(PR_GetError()));
+        result = 2;
+        goto loser_no_shutdown;
+    }
+
+    PR_SetEnv("NSS_POLICY_LOADED=0");
+    PR_SetEnv("NSS_POLICY_FAIL=0");
+    PR_SetEnv("NSS_POLICY_WARN=0");
+
+    sprintf(moduleSpec,
+            "name=\"Policy File\" "
+            "parameters=\"configdir='sql:%s' "
+            "secmod='%s' "
+            "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+            "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical,printPolicyFeedback\"",
+            path, filename);
+
+    module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
+    if (!module || !module->loaded || atoi(PR_GetEnvSecure("NSS_POLICY_LOADED")) != 1) {
+        fprintf(stderr, "Error: failed to load policy file\n");
+        result = 2;
+        goto loser;
+    }
+
+    rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+    if (rv != SECSuccess) {
+        fprintf(stderr, "enable SSL_SECURITY failed: %s\n", PORT_ErrorToString(PR_GetError()));
+        result = 2;
+        goto loser;
+    }
+
+    for (i = 0; i < SSL_NumImplementedCiphers; i++) {
+        PRUint16 suite = cipherSuites[i];
+        PRBool enabled;
+        SSLCipherSuiteInfo info;
+
+        rv = SSL_CipherPrefGetDefault(suite, &enabled);
+        if (rv != SECSuccess) {
+            fprintf(stderr,
+                    "SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n",
+                    suite, i, PORT_ErrorToString(PR_GetError()));
+            continue;
+        }
+        rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info));
+        if (rv != SECSuccess) {
+            fprintf(stderr,
+                    "SSL_GetCipherSuiteInfo didn't like value 0x%04x (i = %d): %s\n",
+                    suite, i, PORT_ErrorToString(PR_GetError()));
+            continue;
+        }
+        if (enabled) {
+            ++num_enabled;
+            fprintf(stderr, "NSS-POLICY-INFO: ciphersuite %s is enabled\n", info.cipherSuiteName);
+        }
+    }
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CIPHERSUITES: %u\n", num_enabled ? sInfo : sWarn, num_enabled);
+    if (!num_enabled) {
+        PR_SetEnv("NSS_POLICY_WARN=1");
+    }
+
+    get_tls_info(ssl_variant_stream, "TLS");
+    get_tls_info(ssl_variant_datagram, "DTLS");
+
+    if (atoi(PR_GetEnvSecure("NSS_POLICY_FAIL")) != 0) {
+        result = 2;
+    } else if (atoi(PR_GetEnvSecure("NSS_POLICY_WARN")) != 0) {
+        result = 1;
+    }
+
+loser:
+    if (module) {
+        SECMOD_DestroyModule(module);
+    }
+    rv = NSS_Shutdown();
+    if (rv != SECSuccess) {
+        fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(PR_GetError()));
+        result = 2;
+    }
+loser_no_shutdown:
+    if (result == 2) {
+        fprintf(stderr, "NSS-POLICY-FAIL\n");
+    } else if (result == 1) {
+        fprintf(stderr, "NSS-POLICY-WARN\n");
+    }
+    return result;
+}
diff --git a/security/nss/cmd/nss-policy-check/nss-policy-check.gyp b/security/nss/cmd/nss-policy-check/nss-policy-check.gyp
new file mode 100644
index 0000000000..877a5bc06e
--- /dev/null
+++ b/security/nss/cmd/nss-policy-check/nss-policy-check.gyp
@@ -0,0 +1,24 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../../cmd/platlibs.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'nss-policy-check',
+      'type': 'executable',
+      'sources': [
+        'nss-policy-check.c'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports'
+      ]
+    }
+  ],
+  'variables': {
+    'module': 'nss'
+  }
+}
\ No newline at end of file
diff --git a/security/nss/cmd/ocspclnt/ocspclnt.c b/security/nss/cmd/ocspclnt/ocspclnt.c
index 0927f8ef63..359dbc2172 100644
--- a/security/nss/cmd/ocspclnt/ocspclnt.c
+++ b/security/nss/cmd/ocspclnt/ocspclnt.c
@@ -134,6 +134,8 @@ long_usage(char *progname)
     PR_fprintf(pr_stderr,
                "%-17s s   SSL Server\n", "");
     PR_fprintf(pr_stderr,
+               "%-17s I   IPsec\n", "");
+    PR_fprintf(pr_stderr,
                "%-17s e   Email Recipient\n", "");
     PR_fprintf(pr_stderr,
                "%-17s E   Email Signer\n", "");
@@ -908,6 +910,9 @@ cert_usage_from_char(const char *cert_usage_str, SECCertUsage *cert_usage)
         case 's':
             *cert_usage = certUsageSSLServer;
             break;
+        case 'I':
+            *cert_usage = certUsageIPsec;
+            break;
         case 'e':
             *cert_usage = certUsageEmailRecipient;
             break;
diff --git a/security/nss/cmd/p7verify/p7verify.c b/security/nss/cmd/p7verify/p7verify.c
index ba38e1158b..5cbb4dcae9 100644
--- a/security/nss/cmd/p7verify/p7verify.c
+++ b/security/nss/cmd/p7verify/p7verify.c
@@ -117,6 +117,7 @@ Usage(char *progName)
     fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");
     fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
     fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
+    fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");
 
     exit(-1);
 }
diff --git a/security/nss/cmd/rsaperf/rsaperf.c b/security/nss/cmd/rsaperf/rsaperf.c
index 7762a465b8..292b40b0f1 100644
--- a/security/nss/cmd/rsaperf/rsaperf.c
+++ b/security/nss/cmd/rsaperf/rsaperf.c
@@ -21,8 +21,8 @@
 #define DEFAULT_THREADS 1
 #define DEFAULT_EXPONENT 0x10001
 
-extern NSSLOWKEYPrivateKey *getDefaultRSAPrivateKey(void);
-extern NSSLOWKEYPublicKey *getDefaultRSAPublicKey(void);
+extern NSSLOWKEYPrivateKey *getDefaultRSAPrivateKey(int);
+extern NSSLOWKEYPublicKey *getDefaultRSAPublicKey(int);
 
 secuPWData pwData = { PW_NONE, NULL };
 
@@ -580,9 +580,9 @@ main(int argc, char **argv)
             /* use a hardcoded key */
             printf("Using hardcoded %ld bits key.\n", keybits);
             if (doPub) {
-                pubKey = getDefaultRSAPublicKey();
+                pubKey = getDefaultRSAPublicKey(keybits);
             } else {
-                privKey = getDefaultRSAPrivateKey();
+                privKey = getDefaultRSAPrivateKey(keybits);
             }
         }
 
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index c372ec9b83..1784c9ee3a 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -165,9 +165,8 @@ PrintUsageHeader(const char *progName)
             "         [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
             "         [-V [min-version]:[max-version]] [-a sni_name]\n"
             "         [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
-            "         [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]"
-            " [-e ec_nickname]"
-            "\n"
+            "         [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n"
+            "         [-I groups] [-J signatureschemes] [-e ec_nickname]\n"
             "         -U [0|1] -H [0|1|2] -W [0|1]\n"
             "\n",
             progName);
@@ -179,7 +178,7 @@ PrintParameterUsage()
     fputs(
         "-V [min]:[max] restricts the set of enabled SSL/TLS protocol versions.\n"
         "   All versions are enabled by default.\n"
-        "   Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
+        "   Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2 tls1.3\n"
         "   Example: \"-V ssl3:\" enables SSL 3 and newer.\n"
         "-D means disable Nagle delays in TCP\n"
         "-R means disable detection of rollback from TLS to SSL3\n"
@@ -195,7 +194,6 @@ PrintParameterUsage()
         "-s means disable SSL socket locking for performance\n"
         "-u means enable Session Ticket extension for TLS.\n"
         "-v means verbose output\n"
-        "-z means enable compression.\n"
         "-L seconds means log statistics every 'seconds' seconds (default=30).\n"
         "-M maxProcs tells how many processes to run in a multi-process server\n"
         "-N means do NOT use the server session cache.  Incompatible with -M.\n"
@@ -228,6 +226,13 @@ PrintParameterUsage()
         "-I comma separated list of enabled groups for TLS key exchange.\n"
         "   The following values are valid:\n"
         "   P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n"
+        "-J comma separated list of enabled signature schemes in preference order.\n"
+        "   The following values are valid:\n"
+        "     rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
+        "     ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
+        "     ecdsa_secp521r1_sha512,\n"
+        "     rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
+        "     rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
         "-Z enable 0-RTT (for TLS 1.3; also use -u)\n",
         stderr);
 }
@@ -795,13 +800,14 @@ PRBool NoReuse = PR_FALSE;
 PRBool hasSidCache = PR_FALSE;
 PRBool disableLocking = PR_FALSE;
 PRBool enableSessionTickets = PR_FALSE;
-PRBool enableCompression = PR_FALSE;
 PRBool failedToNegotiateName = PR_FALSE;
 PRBool enableExtendedMasterSecret = PR_FALSE;
 PRBool zeroRTT = PR_FALSE;
 PRBool enableALPN = PR_FALSE;
 SSLNamedGroup *enabledGroups = NULL;
 unsigned int enabledGroupsCount = 0;
+const SSLSignatureScheme *enabledSigSchemes = NULL;
+unsigned int enabledSigSchemeCount = 0;
 
 static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX];
 static int virtServerNameIndex = 1;
@@ -1857,13 +1863,6 @@ server_main(
         }
     }
 
-    if (enableCompression) {
-        rv = SSL_OptionSet(model_sock, SSL_ENABLE_DEFLATE, PR_TRUE);
-        if (rv != SECSuccess) {
-            errExit("error enabling compression ");
-        }
-    }
-
     if (virtServerNameIndex > 1) {
         rv = SSL_SNISocketConfigHook(model_sock, mySSLSNISocketConfig,
                                      (void *)&virtServerNameArray);
@@ -1970,6 +1969,13 @@ server_main(
         }
     }
 
+    if (enabledSigSchemes) {
+        rv = SSL_SignatureSchemePrefSet(model_sock, enabledSigSchemes, enabledSigSchemeCount);
+        if (rv < 0) {
+            errExit("SSL_SignatureSchemePrefSet failed");
+        }
+    }
+
     /* This cipher is not on by default. The Acceptance test
      * would like it to be. Turn this cipher on.
      */
@@ -2214,9 +2220,10 @@ main(int argc, char **argv)
     /* please keep this list of options in ASCII collating sequence.
     ** numbers, then capital letters, then lower case, alphabetical.
     ** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed
-    **      in 3.28, please leave some time before resuing those. */
+    **      in 3.28, please leave some time before resuing those.
+    **      'z' was removed in 3.39. */
     optstate = PL_CreateOptState(argc, argv,
-                                 "2:A:C:DGH:I:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:yz");
+                                 "2:A:C:DGH:I:J:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:y");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         ++optionsFound;
         switch (optstate->option) {
@@ -2429,10 +2436,6 @@ main(int argc, char **argv)
                 debugCache = PR_TRUE;
                 break;
 
-            case 'z':
-                enableCompression = PR_TRUE;
-                break;
-
             case 'Z':
                 zeroRTT = PR_TRUE;
                 break;
@@ -2451,6 +2454,16 @@ main(int argc, char **argv)
                 }
                 break;
 
+            case 'J':
+                rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad signature scheme specified.\n");
+                    fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+                    exit(5);
+                }
+                break;
+
             default:
             case '?':
                 fprintf(stderr, "Unrecognized or bad option specified.\n");
diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c
index 7106521c12..9106d9955b 100644
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ b/security/nss/cmd/smimetools/cmsutil.c
@@ -115,6 +115,7 @@ Usage(void)
     fprintf(stderr, "%-25s  9 - certUsageProtectedObjectSigner\n", " ");
     fprintf(stderr, "%-25s 10 - certUsageStatusResponder\n", " ");
     fprintf(stderr, "%-25s 11 - certUsageAnyCA\n", " ");
+    fprintf(stderr, "%-25s 12 - certUsageIPsec\n", " ");
 
     exit(-1);
 }
diff --git a/security/nss/cmd/tests/nonspr10.c b/security/nss/cmd/tests/nonspr10.c
index 295484a1ca..fc700407a7 100644
--- a/security/nss/cmd/tests/nonspr10.c
+++ b/security/nss/cmd/tests/nonspr10.c
@@ -26,9 +26,7 @@
 #include "cryptoht.h"
 #include "ecl-exp.h"
 #include "hasht.h"
-#include "key.h"
 #include "keyhi.h"
-#include "keyt.h"
 #include "keythi.h"
 #include "nss.h"
 #include "nssb64.h"
diff --git a/security/nss/cmd/tstclnt/Makefile b/security/nss/cmd/tstclnt/Makefile
index a27a3ce97f..aae7b445cb 100644
--- a/security/nss/cmd/tstclnt/Makefile
+++ b/security/nss/cmd/tstclnt/Makefile
@@ -1,5 +1,5 @@
 #! gmake
-# 
+#
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 6f5a43146a..520eeff648 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -28,6 +28,7 @@
 #include "prio.h"
 #include "prnetdb.h"
 #include "nss.h"
+#include "nssb64.h"
 #include "ocsp.h"
 #include "ssl.h"
 #include "sslproto.h"
@@ -106,6 +107,45 @@ secuPWData pwdata = { PW_NONE, 0 };
 
 SSLNamedGroup *enabledGroups = NULL;
 unsigned int enabledGroupsCount = 0;
+const SSLSignatureScheme *enabledSigSchemes = NULL;
+unsigned int enabledSigSchemeCount = 0;
+
+const char *
+signatureSchemeName(SSLSignatureScheme scheme)
+{
+    switch (scheme) {
+#define strcase(x)    \
+    case ssl_sig_##x: \
+        return #x
+        strcase(none);
+        strcase(rsa_pkcs1_sha1);
+        strcase(rsa_pkcs1_sha256);
+        strcase(rsa_pkcs1_sha384);
+        strcase(rsa_pkcs1_sha512);
+        strcase(ecdsa_sha1);
+        strcase(ecdsa_secp256r1_sha256);
+        strcase(ecdsa_secp384r1_sha384);
+        strcase(ecdsa_secp521r1_sha512);
+        strcase(rsa_pss_rsae_sha256);
+        strcase(rsa_pss_rsae_sha384);
+        strcase(rsa_pss_rsae_sha512);
+        strcase(ed25519);
+        strcase(ed448);
+        strcase(rsa_pss_pss_sha256);
+        strcase(rsa_pss_pss_sha384);
+        strcase(rsa_pss_pss_sha512);
+        strcase(dsa_sha1);
+        strcase(dsa_sha256);
+        strcase(dsa_sha384);
+        strcase(dsa_sha512);
+#undef strcase
+        case ssl_sig_rsa_pkcs1_sha1md5:
+            return "RSA PKCS#1 SHA1+MD5";
+        default:
+            break;
+    }
+    return "Unknown Scheme";
+}
 
 void
 printSecurityInfo(PRFileDesc *fd)
@@ -132,11 +172,13 @@ printSecurityInfo(PRFileDesc *fd)
                     suite.macBits, suite.macAlgorithmName);
             FPRINTF(stderr,
                     "tstclnt: Server Auth: %d-bit %s, Key Exchange: %d-bit %s\n"
-                    "         Compression: %s, Extended Master Secret: %s\n",
+                    "         Compression: %s, Extended Master Secret: %s\n"
+                    "         Signature Scheme: %s\n",
                     channel.authKeyBits, suite.authAlgorithmName,
                     channel.keaKeyBits, suite.keaTypeName,
                     channel.compressionMethodName,
-                    channel.extendedMasterSecretUsed ? "Yes" : "No");
+                    channel.extendedMasterSecretUsed ? "Yes" : "No",
+                    signatureSchemeName(channel.signatureScheme));
         }
     }
     cert = SSL_RevealCert(fd);
@@ -178,11 +220,13 @@ PrintUsageHeader()
 {
     fprintf(stderr,
             "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
-            "[-D | -d certdir] [-C] [-b | -R root-module] \n"
-            "[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
-            "[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
-            "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n"
-            "[-A requestfile] [-L totalconnections] [-P {client,server}] [-Q]\n"
+            "  [-D | -d certdir] [-C] [-b | -R root-module] \n"
+            "  [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
+            "  [-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
+            "  [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n"
+            "  [-I groups] [-J signatureschemes]\n"
+            "  [-A requestfile] [-L totalconnections] [-P {client,server}]\n"
+            "  [-N encryptedSniKeys] [-Q]\n"
             "\n",
             progName);
 }
@@ -225,7 +269,6 @@ PrintParameterUsage()
     fprintf(stderr, "%-20s Timeout for server ping (default: no timeout).\n", "-t seconds");
     fprintf(stderr, "%-20s Renegotiate N times (resuming session if N>1).\n", "-r N");
     fprintf(stderr, "%-20s Enable the session ticket extension.\n", "-u");
-    fprintf(stderr, "%-20s Enable compression.\n", "-z");
     fprintf(stderr, "%-20s Enable false start.\n", "-g");
     fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
     fprintf(stderr, "%-20s Enable the signed_certificate_timestamp extension.\n", "-U");
@@ -255,9 +298,19 @@ PrintParameterUsage()
                     "%-20s The following values are valid:\n"
                     "%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
             "-I", "", "");
+    fprintf(stderr, "%-20s Comma separated list of signature schemes in preference order.\n"
+                    "%-20s The following values are valid:\n"
+                    "%-20s rsa_pkcs1_sha1, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,\n"
+                    "%-20s ecdsa_sha1, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,\n"
+                    "%-20s ecdsa_secp521r1_sha512,\n"
+                    "%-20s rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512,\n"
+                    "%-20s rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n"
+                    "%-20s dsa_sha1, dsa_sha256, dsa_sha384, dsa_sha512\n",
+            "-J", "", "", "", "", "", "", "");
     fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello");
     fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}");
     fprintf(stderr, "%-20s Exit after handshake\n", "-Q");
+    fprintf(stderr, "%-20s Encrypted SNI Keys\n", "-N");
 }
 
 static void
@@ -906,7 +959,6 @@ int multiplier = 0;
 SSLVersionRange enabledVersions;
 int disableLocking = 0;
 int enableSessionTickets = 0;
-int enableCompression = 0;
 int enableFalseStart = 0;
 int enableCertStatus = 0;
 int enableSignedCertTimestamps = 0;
@@ -936,6 +988,7 @@ PRBool stopAfterHandshake = PR_FALSE;
 PRBool requestToExit = PR_FALSE;
 char *versionString = NULL;
 PRBool handshakeComplete = PR_FALSE;
+char *encryptedSNIKeys = NULL;
 
 static int
 writeBytesToServer(PRFileDesc *s, const PRUint8 *buf, int nb)
@@ -1283,14 +1336,6 @@ run()
         goto done;
     }
 
-    /* enable compression. */
-    rv = SSL_OptionSet(s, SSL_ENABLE_DEFLATE, enableCompression);
-    if (rv != SECSuccess) {
-        SECU_PrintError(progName, "error enabling compression");
-        error = 1;
-        goto done;
-    }
-
     /* enable false start. */
     rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
     if (rv != SECSuccess) {
@@ -1374,6 +1419,35 @@ run()
         }
     }
 
+    if (enabledSigSchemes) {
+        rv = SSL_SignatureSchemePrefSet(s, enabledSigSchemes, enabledSigSchemeCount);
+        if (rv < 0) {
+            SECU_PrintError(progName, "SSL_SignatureSchemePrefSet failed");
+            error = 1;
+            goto done;
+        }
+    }
+
+    if (encryptedSNIKeys) {
+        SECItem esniKeysBin = { siBuffer, NULL, 0 };
+
+        if (!NSSBase64_DecodeBuffer(NULL, &esniKeysBin, encryptedSNIKeys,
+                                    strlen(encryptedSNIKeys))) {
+            SECU_PrintError(progName, "ESNIKeys record is invalid base64");
+            error = 1;
+            goto done;
+        }
+
+        rv = SSL_EnableESNI(s, esniKeysBin.data, esniKeysBin.len,
+                            "dummy.invalid");
+        SECITEM_FreeItem(&esniKeysBin, PR_FALSE);
+        if (rv < 0) {
+            SECU_PrintError(progName, "SSL_EnableESNI failed");
+            error = 1;
+            goto done;
+        }
+    }
+
     serverCertAuth.dbHandle = CERT_GetDefaultCertDB();
 
     SSL_AuthCertificateHook(s, ownAuthCertificate, &serverCertAuth);
@@ -1628,10 +1702,12 @@ main(int argc, char **argv)
         }
     }
 
-    /* XXX: 'B' was used in the past but removed in 3.28,
-     *      please leave some time before resuing it. */
+    /* Note: 'B' was used in the past but removed in 3.28
+     *       'z' was removed in 3.39
+     * Please leave some time before reusing these.
+     */
     optstate = PL_CreateOptState(argc, argv,
-                                 "46A:CDFGHI:KL:M:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
+                                 "46A:CDFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case '?':
@@ -1708,6 +1784,10 @@ main(int argc, char **argv)
                 };
                 break;
 
+            case 'N':
+                encryptedSNIKeys = PORT_Strdup(optstate->value);
+                break;
+
             case 'P':
                 useDTLS = PR_TRUE;
                 if (!strcmp(optstate->value, "server")) {
@@ -1850,10 +1930,6 @@ main(int argc, char **argv)
                 pwdata.data = PORT_Strdup(optstate->value);
                 break;
 
-            case 'z':
-                enableCompression = 1;
-                break;
-
             case 'I':
                 rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
                 if (rv != SECSuccess) {
@@ -1862,6 +1938,15 @@ main(int argc, char **argv)
                     Usage();
                 }
                 break;
+
+            case 'J':
+                rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad signature scheme specified.\n");
+                    Usage();
+                }
+                break;
         }
     }
     PL_DestroyOptState(optstate);
@@ -2051,6 +2136,7 @@ done:
     PORT_Free(pwdata.data);
     PORT_Free(host);
     PORT_Free(zeroRttData);
+    PORT_Free(encryptedSNIKeys);
 
     if (enabledGroups) {
         PORT_Free(enabledGroups);
diff --git a/security/nss/cmd/vfychain/vfychain.c b/security/nss/cmd/vfychain/vfychain.c
index d42274c129..c01cdd08ed 100644
--- a/security/nss/cmd/vfychain/vfychain.c
+++ b/security/nss/cmd/vfychain/vfychain.c
@@ -64,7 +64,8 @@ Usage(const char *progName)
             "\t-t\t\t Following cert is explicitly trusted (overrides db trust).\n"
             "\t-u usage \t 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,\n"
             "\t\t\t 4=Email signer, 5=Email recipient, 6=Object signer,\n"
-            "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA\n"
+            "\t\t\t 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA,\n"
+            "\t\t\t 12=IPsec\n"
             "\t-T\t\t Trust both explicit trust anchors (-t) and the database.\n"
             "\t\t\t (Default is to only trust certificates marked -t, if there are any,\n"
             "\t\t\t or to trust the database if there are certificates marked -t.)\n"
diff --git a/security/nss/cmd/vfyserv/vfyserv.h b/security/nss/cmd/vfyserv/vfyserv.h
index 00afc80494..5bcc51a50d 100644
--- a/security/nss/cmd/vfyserv/vfyserv.h
+++ b/security/nss/cmd/vfyserv/vfyserv.h
@@ -24,7 +24,7 @@
 #include "certt.h"
 #include "nss.h"
 #include "secder.h"
-#include "key.h"
+#include "keyhi.h"
 #include "sslproto.h"
 
 /* Custom header files */
diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
index 58137872ce..ba1b0c8c56 100644
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -108,8 +108,12 @@
     'emit_llvm%': 0,
     'nss_public_dist_dir%': '<(nss_dist_dir)/public',
     'nss_private_dist_dir%': '<(nss_dist_dir)/private',
+    # This is only needed when building with --mozpkix-only and might not work
+    # on all machines.
+    'nss_include_dir%': '/usr/include/nss',
     'only_dev_random%': 1,
     'disable_fips%': 1,
+    'mozpkix_only%': 0,
   },
   'target_defaults': {
     # Settings specific to targets should go here.
@@ -126,6 +130,11 @@
       '<(nss_dist_dir)/private/<(module)',
     ],
     'conditions': [
+      [ 'mozpkix_only==1 and OS=="linux"', {
+        'include_dirs': [
+          '<(nss_include_dir)',
+        ],
+      }],
       [ 'disable_fips==1', {
         'defines': [
           'NSS_FIPS_DISABLED',
diff --git a/security/nss/coreconf/config.mk b/security/nss/coreconf/config.mk
index b62f6cef42..60a08411e8 100644
--- a/security/nss/coreconf/config.mk
+++ b/security/nss/coreconf/config.mk
@@ -185,6 +185,10 @@ ifdef NSS_SEED_ONLY_DEV_URANDOM
 DEFINES += -DSEED_ONLY_DEV_URANDOM
 endif
 
+ifdef NSS_PKCS1_AllowMissingParameters
+DEFINES += -DNSS_PKCS1_AllowMissingParameters
+endif
+
 # Avoid building object leak test code for optimized library
 ifndef BUILD_OPT
 ifdef PKIX_OBJECT_LEAK_TEST
diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep
index 590d1bfaee..5182f75552 100644
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-
diff --git a/security/nss/coreconf/fuzz.sh b/security/nss/coreconf/fuzz.sh
index 67cb7f5949..c7b8844b63 100644
--- a/security/nss/coreconf/fuzz.sh
+++ b/security/nss/coreconf/fuzz.sh
@@ -5,8 +5,7 @@ set +e
 
 # Default to clang if CC is not set.
 if [ -z "$CC" ]; then
-    command -v clang &> /dev/null 2>&1
-    if [ $? != 0 ]; then
+    if ! command -v clang &> /dev/null 2>&1; then
         echo "Fuzzing requires clang!"
         exit 1
     fi
@@ -24,8 +23,8 @@ if [ "$fuzz_oss" = 1 ]; then
   gyp_params+=(-Dno_zdefs=1 -Dfuzz_oss=1)
 else
   enable_sanitizer asan
-  # Ubsan doesn't build on 32-bit at the moment. Disable it.
-  if [ "$build_64" = 1 ]; then
+  # Ubsan only builds on x64 for the moment.
+  if [ "$target_arch" = "x64" ]; then
     enable_ubsan
   fi
   enable_sancov
diff --git a/security/nss/coreconf/msvc.sh b/security/nss/coreconf/msvc.sh
new file mode 100644
index 0000000000..a592279c90
--- /dev/null
+++ b/security/nss/coreconf/msvc.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+# This configures the environment for running MSVC.  It uses vswhere, the
+# registry, and a little knowledge of how MSVC is laid out.
+
+if ! hash vswhere 2>/dev/null; then
+    echo "Can't find vswhere on the path, aborting" 1>&2
+    exit 1
+fi
+
+if ! hash reg 2>/dev/null; then
+    echo "Can't find reg on the path, aborting" 1>&2
+    exit 1
+fi
+
+# Turn a unix-y path into a windows one.
+fixpath() {
+    if hash cygpath 2>/dev/null; then
+        cygpath --unix "$1"
+    else # haxx
+        echo "$1" | sed -e 's,\\,/,g;s,^\(.\):,/\L\1,;s,/$,,'
+    fi
+}
+
+# Query the registry.  This takes $1 and tags that on the end of several
+# different paths, looking for a value called $2 at that location.
+# e.g.,
+#   regquery Microsoft\Microsoft SDKs\Windows\v10.0 ProductVersion
+# looks for a REG_SZ value called ProductVersion at
+#   HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows\v10.0
+#   HKLU\SOFTWARE\Wow6432Node\Microsoft\Microsoft SDKs\Windows\v10.0
+#   etc...
+regquery() {
+    search=("HKLM\\SOFTWARE\\Wow6432Node" \
+            "HKCU\\SOFTWARE\\Wow6432Node" \
+            "HKLM\\SOFTWARE" \
+            "HKCU\\SOFTWARE")
+    for i in "${search[@]}"; do
+        r=$(reg query "${i}\\${1}" -v "$2" | sed -e 's/ *'"$2"' *REG_SZ *//;t;d')
+        if [ -n "$r" ]; then
+            echo "$r"
+            return 0
+        fi
+    done
+    return 1
+}
+
+VSCOMPONENT=Microsoft.VisualStudio.Component.VC.Tools.x86.x64
+vsinstall=$(vswhere -latest -requires "$VSCOMPONENT" -property installationPath)
+
+# Attempt to setup paths if vswhere returns something and VSPATH isn't set.
+# Otherwise, assume that the env is setup.
+if [[ -n "$vsinstall" && -z "$VSPATH" ]]; then
+
+    case "$target_arch" in
+        ia32) m=x86 ;;
+        x64) m="$target_arch" ;;
+        *)
+            echo "No support for target '$target_arch' with MSVC." 1>&2
+            exit 1
+    esac
+
+    export VSPATH=$(fixpath "$vsinstall")
+    export WINDOWSSDKDIR="${VSPATH}/SDK"
+    export VCINSTALLDIR="${VSPATH}/VC"
+
+    CRTREG="Microsoft\\Microsoft SDKs\\Windows\\v10.0"
+    UniversalCRTSdkDir=$(regquery "$CRTREG" InstallationFolder)
+    UniversalCRTSdkDir=$(fixpath "$UniversalCRTSdkDir")
+    UCRTVersion=$(regquery "$CRTREG" ProductVersion)
+    UCRTVersion=$(cd "${UniversalCRTSdkDir}/include"; ls -d "${UCRTVersion}"* | tail -1)
+
+    VCVER=$(cat "${VCINSTALLDIR}/Auxiliary/Build/Microsoft.VCToolsVersion.default.txt")
+    REDISTVER=$(cat "${VCINSTALLDIR}/Auxiliary/Build/Microsoft.VCRedistVersion.default.txt")
+    export WIN32_REDIST_DIR="${VCINSTALLDIR}/Redist/MSVC/${REDISTVER}/${m}/Microsoft.VC141.CRT"
+    export WIN_UCRT_REDIST_DIR="${UniversalCRTSdkDir}/Redist/ucrt/DLLs/${m}"
+
+    if [ "$m" == "x86" ]; then
+        PATH="${PATH}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/bin/Hostx64/x64"
+        PATH="${PATH}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/bin/Hostx64/x86"
+    fi
+    PATH="${PATH}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/bin/Host${m}/${m}"
+    PATH="${PATH}:${UniversalCRTSdkDir}/bin/${UCRTVersion}/${m}"
+    PATH="${PATH}:${WIN32_REDIST_DIR}"
+    export PATH
+
+    INCLUDE="${VCINSTALLDIR}/Tools/MSVC/${VCVER}/ATLMFC/include"
+    INCLUDE="${INCLUDE}:${VCINSTALLDIR}/Tools/MSVC/${VCVER}/include"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/ucrt"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/shared"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/um"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/winrt"
+    INCLUDE="${INCLUDE}:${UniversalCRTSdkDir}/include/${UCRTVersion}/cppwinrt"
+    export INCLUDE
+
+    LIB="${VCINSTALLDIR}/lib/${m}"
+    LIB="${VCINSTALLDIR}/Tools/MSVC/${VCVER}/lib/${m}"
+    LIB="${LIB}:${UniversalCRTSdkDir}/lib/${UCRTVersion}/ucrt/${m}"
+    LIB="${LIB}:${UniversalCRTSdkDir}/lib/${UCRTVersion}/um/${m}"
+    export LIB
+
+    export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
+    export GYP_MSVS_VERSION=$(vswhere -latest -requires "$VSCOMPONENT" -property catalog_productLineVersion)
+else
+    echo Assuming env setup is already done.
+    echo VSPATH=$VSPATH
+fi
diff --git a/security/nss/coreconf/nspr.sh b/security/nss/coreconf/nspr.sh
index d11cd48ed7..325a188c39 100644
--- a/security/nss/coreconf/nspr.sh
+++ b/security/nss/coreconf/nspr.sh
@@ -32,6 +32,9 @@ nspr_build()
     if [ "$opt_build" = 1 ]; then
         extra_params+=(--disable-debug --enable-optimize)
     fi
+    if [ "$target_arch" = "x64" ]; then
+        extra_params+=(--enable-64bit)
+    fi
 
     echo "NSPR [1/3] configure ..."
     pushd "$nspr_dir" >/dev/null
diff --git a/security/nss/cpputil/databuffer.h b/security/nss/cpputil/databuffer.h
index 5ec0350986..e981a7c223 100644
--- a/security/nss/cpputil/databuffer.h
+++ b/security/nss/cpputil/databuffer.h
@@ -34,7 +34,7 @@ class DataBuffer {
 
   void Allocate(size_t l) {
     delete[] data_;
-    data_ = new uint8_t[l ? l : 1];  // Don't depend on new [0].
+    data_ = new uint8_t[l ? l : 1]();  // Don't depend on new [0].
     len_ = l;
   }
 
diff --git a/security/nss/cpputil/dummy_io.h b/security/nss/cpputil/dummy_io.h
index 797ac61133..e10ee1eee3 100644
--- a/security/nss/cpputil/dummy_io.h
+++ b/security/nss/cpputil/dummy_io.h
@@ -8,7 +8,7 @@
 #include "prerror.h"
 #include "prio.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 class DummyIOLayerMethods {
  public:
diff --git a/security/nss/cpputil/scoped_ptrs.h b/security/nss/cpputil/nss_scoped_ptrs.h
index 6ffef4dd3f..03979f2c58 100644
--- a/security/nss/cpputil/scoped_ptrs.h
+++ b/security/nss/cpputil/nss_scoped_ptrs.h
@@ -4,8 +4,8 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef scoped_ptrs_h__
-#define scoped_ptrs_h__
+#ifndef nss_scoped_ptrs_h__
+#define nss_scoped_ptrs_h__
 
 #include <memory>
 #include "cert.h"
@@ -13,7 +13,6 @@
 #include "p12.h"
 #include "pk11pub.h"
 #include "pkcs11uri.h"
-#include "sslexp.h"
 
 struct ScopedDelete {
   void operator()(CERTCertificate* cert) { CERT_DestroyCertificate(cert); }
@@ -29,6 +28,9 @@ struct ScopedDelete {
   void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
   void operator()(PRFileDesc* fd) { PR_Close(fd); }
   void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
+  void operator()(SECKEYEncryptedPrivateKeyInfo* e) {
+    SECKEY_DestroyEncryptedPrivateKeyInfo(e, true);
+  }
   void operator()(SECItem* item) { SECITEM_FreeItem(item, true); }
   void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); }
   void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); }
@@ -39,9 +41,6 @@ struct ScopedDelete {
   void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); }
   void operator()(PK11Context* context) { PK11_DestroyContext(context, true); }
   void operator()(PK11GenericObject* obj) { PK11_DestroyGenericObject(obj); }
-  void operator()(SSLResumptionTokenInfo* token) {
-    SSL_DestroyResumptionTokenInfo(token);
-  }
   void operator()(SEC_PKCS12DecoderContext* dcx) {
     SEC_PKCS12DecoderFinish(dcx);
   }
@@ -69,6 +68,7 @@ SCOPED(PK11SlotInfo);
 SCOPED(PK11SymKey);
 SCOPED(PRFileDesc);
 SCOPED(SECAlgorithmID);
+SCOPED(SECKEYEncryptedPrivateKeyInfo);
 SCOPED(SECItem);
 SCOPED(SECKEYPublicKey);
 SCOPED(SECKEYPrivateKey);
@@ -77,10 +77,9 @@ SCOPED(PK11URI);
 SCOPED(PLArenaPool);
 SCOPED(PK11Context);
 SCOPED(PK11GenericObject);
-SCOPED(SSLResumptionTokenInfo);
 SCOPED(SEC_PKCS12DecoderContext);
 SCOPED(CERTDistNames);
 
 #undef SCOPED
 
-#endif  // scoped_ptrs_h__
+#endif  // nss_scoped_ptrs_h__
diff --git a/security/nss/cpputil/scoped_ptrs_ssl.h b/security/nss/cpputil/scoped_ptrs_ssl.h
new file mode 100644
index 0000000000..7eeae8f8f8
--- /dev/null
+++ b/security/nss/cpputil/scoped_ptrs_ssl.h
@@ -0,0 +1,35 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef scoped_ptrs_ssl_h__
+#define scoped_ptrs_ssl_h__
+
+#include <memory>
+#include "sslexp.h"
+
+struct ScopedDeleteSSL {
+  void operator()(SSLResumptionTokenInfo* token) {
+    SSL_DestroyResumptionTokenInfo(token);
+  }
+};
+
+template <class T>
+struct ScopedMaybeDeleteSSL {
+  void operator()(T* ptr) {
+    if (ptr) {
+      ScopedDeleteSSL del;
+      del(ptr);
+    }
+  }
+};
+
+#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDeleteSSL<x> > Scoped##x
+
+SCOPED(SSLResumptionTokenInfo);
+
+#undef SCOPED
+
+#endif  // scoped_ptrs_ssl_h__
diff --git a/security/nss/cpputil/tls_parser.h b/security/nss/cpputil/tls_parser.h
index 56f562e073..cd9e28fc35 100644
--- a/security/nss/cpputil/tls_parser.h
+++ b/security/nss/cpputil/tls_parser.h
@@ -20,13 +20,6 @@
 
 namespace nss_test {
 
-const uint8_t kTlsChangeCipherSpecType = 20;
-const uint8_t kTlsAlertType = 21;
-const uint8_t kTlsHandshakeType = 22;
-const uint8_t kTlsApplicationDataType = 23;
-const uint8_t kTlsAltHandshakeType = 24;
-const uint8_t kTlsAckType = 25;
-
 const uint8_t kTlsHandshakeClientHello = 1;
 const uint8_t kTlsHandshakeServerHello = 2;
 const uint8_t kTlsHandshakeNewSessionTicket = 4;
@@ -48,6 +41,8 @@ const uint8_t kTlsAlertBadRecordMac = 20;
 const uint8_t kTlsAlertRecordOverflow = 22;
 const uint8_t kTlsAlertHandshakeFailure = 40;
 const uint8_t kTlsAlertBadCertificate = 42;
+const uint8_t kTlsAlertCertificateRevoked = 44;
+const uint8_t kTlsAlertCertificateExpired = 45;
 const uint8_t kTlsAlertIllegalParameter = 47;
 const uint8_t kTlsAlertDecodeError = 50;
 const uint8_t kTlsAlertDecryptError = 51;
@@ -60,7 +55,7 @@ const uint8_t kTlsAlertUnrecognizedName = 112;
 const uint8_t kTlsAlertNoApplicationProtocol = 120;
 
 const uint8_t kTlsFakeChangeCipherSpec[] = {
-    kTlsChangeCipherSpecType,  // Type
+    ssl_ct_change_cipher_spec,  // Type
     0xfe,
     0xff,  // Version
     0x00,
diff --git a/security/nss/doc/certutil.xml b/security/nss/doc/certutil.xml
index 4622c75e41..5c3b3501ab 100644
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -84,7 +84,7 @@
 
       <varlistentry>
         <term>-F</term>
-        <listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
+        <listitem><para>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
 <option>-d</option> argument.
 </para>
 <para>
@@ -258,7 +258,8 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their
 
       <varlistentry>
         <term>-h tokenname</term>
-        <listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para></listitem>
+        <listitem><para>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</para>
+	<para>The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512.</para></listitem>
       </varlistentry>
 
      <varlistentry>
@@ -292,7 +293,8 @@ Add one or multiple extensions that certutil cannot encode yet, by loading their
 
       <varlistentry>
         <term>-n nickname</term>
-        <listitem><para>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</para></listitem>
+        <listitem><para>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</para>
+	<para>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</para></listitem>
       </varlistentry>
 
       <varlistentry>
@@ -1017,9 +1019,11 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and
 
     slot: NSS User Private Key and Certificate Services                  
    token: NSS Certificate DB
+     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
     slot: NSS Internal Cryptographic Services                            
-   token: NSS Generic Crypto Services</programlisting>
+   token: NSS Generic Crypto Services
+     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203</programlisting>
 
 	<para><command>Adding Certificates to the Database</command></para>
 	<para>
diff --git a/security/nss/doc/html/certutil.html b/security/nss/doc/html/certutil.html
index 902d1309a4..bacb2a5f5a 100644
--- a/security/nss/doc/html/certutil.html
+++ b/security/nss/doc/html/certutil.html
@@ -1,8 +1,8 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm140440587239488"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
-    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the 
-<code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. 
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm46274732654912"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">--rename </span></dt><dd><p>Change the database nickname of a certificate.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the
+<code class="option">-d</code> argument.
 </p><p>
-When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using -D. Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. You can display the public key with the command certutil -K -h tokenname. </p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
+Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.</p></dd><dt><span class="term">-G </span></dt><dd><p>Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.</p></dd><dt><span class="term">-H </span></dt><dd><p>Display a list of the command options and arguments.</p></dd><dt><span class="term">-K </span></dt><dd><p>List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).</p></dd><dt><span class="term">-L </span></dt><dd><p>List all the certificates, or display information about a named certificate, in a certificate database.
 Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.</p></dd><dt><span class="term">-M </span></dt><dd><p>Modify a certificate's trust attributes using the values of the -t argument.</p></dd><dt><span class="term">-N</span></dt><dd><p>Create new certificate and key databases.</p></dd><dt><span class="term">-O </span></dt><dd><p>Print the certificate chain.</p></dd><dt><span class="term">-R</span></dt><dd><p>Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument.
 
 Use the -a argument to specify ASCII output.</p></dd><dt><span class="term">-S </span></dt><dd><p>Create an individual certificate and add it to a certificate database.</p></dd><dt><span class="term">-T </span></dt><dd><p>Reset the key database or token.</p></dd><dt><span class="term">-U </span></dt><dd><p>List all available modules or print a single named module.</p></dd><dt><span class="term">-V </span></dt><dd><p>Check the validity of a certificate and its attributes.</p></dd><dt><span class="term">-W </span></dt><dd><p>Change the password to a key database.</p></dd><dt><span class="term">--merge</span></dt><dd><p>Merge two databases into one.</p></dd><dt><span class="term">--upgrade-merge</span></dt><dd><p>Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (<code class="filename">cert8.db</code> and <code class="filename">key3.db</code>) into the newer SQLite databases (<code class="filename">cert9.db</code> and <code class="filename">key4.db</code>).</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Arguments modify a command option and are usually lower case, numbers, or symbols.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a</span></dt><dd><p>Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. 
@@ -14,13 +14,13 @@ If this option is not used, the validity check defaults to the current system ti
 Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
            </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>OID (example): 1.2.3.4</p></li><li class="listitem"><p>critical-flag: critical or not-critical</p></li><li class="listitem"><p>filename: full path to a file containing an encoded extension</p></li></ul></div></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate 
  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
- unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
+ unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p><p>The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p>
            The valid key type options are rsa, dsa, ec, or all. The default 
            value is rsa. Specifying the type of key can avoid mistakes caused by
            duplicate nicknames. Giving a key type generates a new key pair; 
            giving the ID of an existing key reuses that key pair (which is 
            required to renew certificates).
-          </p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</p><p>
+          </p></dd><dt><span class="term">-l </span></dt><dd><p>Display detailed information when validating a certificate with the -V option.</p></dd><dt><span class="term">-m serial-number</span></dt><dd><p>Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers </p></dd><dt><span class="term">-n nickname</span></dt><dd><p>Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.</p><p>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</p></dd><dt><span class="term">-o output-file</span></dt><dd><p>Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.</p></dd><dt><span class="term">-P dbPrefix</span></dt><dd><p>Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.</p></dd><dt><span class="term">-p phone</span></dt><dd><p>Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.</p></dd><dt><span class="term">-q pqgfile or curve-name</span></dt><dd><p>Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, <span class="command"><strong>certutil</strong></span> generates its own PQG value. PQG files are created with a separate DSA utility.</p><p>Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.</p><p>
            If a token is available that supports more curves, the foolowing curves are supported as well:
            sect163k1, nistk163, sect163r1, sect163r2,
            nistb163,  sect193r1, sect193r2, sect233k1, nistk233,
@@ -277,9 +277,11 @@ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and
 
     slot: NSS User Private Key and Certificate Services                  
    token: NSS Certificate DB
+     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
     slot: NSS Internal Cryptographic Services                            
-   token: NSS Generic Crypto Services</pre><p><span class="command"><strong>Adding Certificates to the Database</strong></span></p><p>
+   token: NSS Generic Crypto Services
+     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203</pre><p><span class="command"><strong>Adding Certificates to the Database</strong></span></p><p>
 		Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the <code class="option">-A</code> command option.
 	</p><pre class="programlisting">certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]</pre><p>
 		For example:
diff --git a/security/nss/doc/html/modutil.html b/security/nss/doc/html/modutil.html
index 5c53b0a621..b1adbf212a 100644
--- a/security/nss/doc/html/modutil.html
+++ b/security/nss/doc/html/modutil.html
@@ -1,4 +1,4 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233245929376"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code>  [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm45295675968160"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
     </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Security Module Database Tool, <span class="command"><strong>modutil</strong></span>, is a command-line utility for managing PKCS #11 module information both within <code class="filename">secmod.db</code> files and within hardware tokens. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><p>
 		Running <span class="command"><strong>modutil</strong></span> always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments.
 	</p><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-add modulename</span></dt><dd><p>Add the named PKCS #11 module to the database. Use this option with the <code class="option">-libfile</code>, <code class="option">-ciphers</code>, and <code class="option">-mechanisms</code> arguments.</p></dd><dt><span class="term">-changepw tokenname</span></dt><dd><p>Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the <code class="option">-pwfile</code> and <code class="option">-newpwfile</code> arguments. A <span class="emphasis"><em>password</em></span> is equivalent to a personal identification number (PIN).</p></dd><dt><span class="term">-chkfips</span></dt><dd><p>Verify whether the module is in the given FIPS mode. <span class="command"><strong>true</strong></span> means to verify that the module is in FIPS mode, while <span class="command"><strong>false</strong></span> means to verify that the module is not in FIPS mode.</p></dd><dt><span class="term">-create</span></dt><dd><p>Create new certificate, key, and module databases. Use the <code class="option">-dbdir</code> directory argument to specify a directory. If any of these databases already exist in a specified directory, <span class="command"><strong>modutil</strong></span> returns an error message.</p></dd><dt><span class="term">-default modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd><dt><span class="term">-delete modulename</span></dt><dd><p>Delete the named module. The default NSS PKCS #11 module cannot be deleted.</p></dd><dt><span class="term">-disable modulename</span></dt><dd><p>Disable all slots on the named module. Use the <code class="option">-slot</code> argument to disable a specific slot.</p><p>The internal NSS PKCS #11 module cannot be disabled.</p></dd><dt><span class="term">-enable modulename</span></dt><dd><p>Enable all slots on the named module. Use the <code class="option">-slot</code> argument to enable a specific slot.</p></dd><dt><span class="term">-fips [true | false]</span></dt><dd><p>Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.</p></dd><dt><span class="term">-force</span></dt><dd><p>Disable <span class="command"><strong>modutil</strong></span>'s interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.</p></dd><dt><span class="term">-jar JAR-file</span></dt><dd><p>Add a new PKCS #11 module to the database using the named JAR file. Use this command with the <code class="option">-installdir</code> and <code class="option">-tempdir</code> arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with <span class="command"><strong>modutil</strong></span>. </p></dd><dt><span class="term">-list [modulename]</span></dt><dd><p>Display basic information about the contents of the <code class="filename">secmod.db</code> file. Specifying a <span class="emphasis"><em>modulename</em></span> displays detailed information about a particular module and its slots and tokens.</p></dd><dt><span class="term">-rawadd</span></dt><dd><p>Add the module spec string to the <code class="filename">secmod.db</code> database.</p></dd><dt><span class="term">-rawlist</span></dt><dd><p>Display the module specs for a specified module or for all loadable modules.</p></dd><dt><span class="term">-undefault modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">MODULE</span></dt><dd><p>Give the security module to access.</p></dd><dt><span class="term">MODULESPEC</span></dt><dd><p>Give the security module spec to load into the security database.</p></dd><dt><span class="term">-ciphers cipher-enable-list</span></dt><dd><p>Enable specific ciphers in a module that is being added to the database. The <span class="emphasis"><em>cipher-enable-list</em></span> is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.</p></dd><dt><span class="term">-dbdir [sql:]directory</span></dt><dd><p>Specify the database directory in which to access or create security module database files.</p><p><span class="command"><strong>modutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">--dbprefix prefix</span></dt><dd><p>Specify the prefix used on the database files, such as <code class="filename">my_</code> for <code class="filename">my_cert8.db</code>. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-installdir root-installation-directory</span></dt><dd><p>Specify the root installation directory relative to which files will be installed by the <code class="option">-jar</code> option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.</p></dd><dt><span class="term">-libfile library-file</span></dt><dd><p>Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.</p></dd><dt><span class="term">-mechanisms mechanism-list</span></dt><dd><p>Specify the security mechanisms for which a particular module will be flagged as a default provider. The <span class="emphasis"><em>mechanism-list</em></span> is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.</p><p>The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.</p><p><span class="command"><strong>modutil</strong></span> supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).</p></dd><dt><span class="term">-newpwfile new-password-file</span></dt><dd><p>Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the <code class="option">-changepw</code> option.</p></dd><dt><span class="term">-nocertdb</span></dt><dd><p>Do not open the certificate or key databases. This has several effects:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>With the <code class="option">-create</code> command, only a module security file is created; certificate and key databases are not created.</p></li><li class="listitem"><p>With the <code class="option">-jar</code> command, signatures on the JAR file are not checked.</p></li><li class="listitem"><p>With the <code class="option">-changepw</code> command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.</p></li></ul></div></dd><dt><span class="term">-pwfile old-password-file</span></dt><dd><p>Specify a text file containing a token's existing password so that a password can be entered automatically when the <code class="option">-changepw</code> option is used to change passwords.</p></dd><dt><span class="term">-secmod secmodname</span></dt><dd><p>Give the name of the security module database (like <code class="filename">secmod.db</code>) to load.</p></dd><dt><span class="term">-slot slotname</span></dt><dd><p>Specify a particular slot to be enabled or disabled with the <code class="option">-enable</code> or <code class="option">-disable</code> options.</p></dd><dt><span class="term">-string CONFIG_STRING</span></dt><dd><p>Pass a configuration string for the module being added to the database.</p></dd><dt><span class="term">-tempdir temporary-directory</span></dt><dd><p>Give a directory location where temporary files are created during the installation by the <code class="option">-jar</code> option. If no temporary directory is specified, the current directory is used.</p></dd></dl></div></div><div class="refsection"><a name="usage-and-examples"></a><h2>Usage and Examples</h2><p><span class="command"><strong>Creating Database Files</strong></span></p><p>Before any operations can be performed, there must be a set of security databases available. <span class="command"><strong>modutil</strong></span> can be used to create these files. The only required argument is the database that where the databases will be located.</p><pre class="programlisting">modutil -create -dbdir [sql:]directory</pre><p><span class="command"><strong>Adding a Cryptographic Module</strong></span></p><p>Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through <span class="command"><strong>modutil</strong></span> directly or by running a JAR file and install script. For the most basic case, simply upload the library:</p><pre class="programlisting">modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] </pre><p>For example:
@@ -63,9 +63,11 @@ Listing of PKCS #11 Modules
 
          slot: NSS Internal Cryptographic Services                            
         token: NSS Generic Crypto Services
+	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
          slot: NSS User Private Key and Certificate Services                  
         token: NSS Certificate DB
+	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 -----------------------------------------------------------</pre><p>Passing a specific module name with the <code class="option">-list</code> returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:</p><pre class="programlisting"> modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
 
 -----------------------------------------------------------
diff --git a/security/nss/doc/html/pk12util.html b/security/nss/doc/html/pk12util.html
index 94dbf51e97..d773136c47 100644
--- a/security/nss/doc/html/pk12util.html
+++ b/security/nss/doc/html/pk12util.html
@@ -1,5 +1,5 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code>  [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm139975398059856"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
-    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS #12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS #12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS #12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the certiticate encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code>  [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm45659476549872"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a>
+    </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS #12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS #12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS #12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the certiticate encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len  keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len  certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p><p>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
           Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS #12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token).
     </p><p>
     pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
diff --git a/security/nss/doc/modutil.xml b/security/nss/doc/modutil.xml
index 142aa69dab..b757a8731d 100644
--- a/security/nss/doc/modutil.xml
+++ b/security/nss/doc/modutil.xml
@@ -322,9 +322,11 @@ Listing of PKCS #11 Modules
 
          slot: NSS Internal Cryptographic Services                            
         token: NSS Generic Crypto Services
+	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
          slot: NSS User Private Key and Certificate Services                  
         token: NSS Certificate DB
+	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 -----------------------------------------------------------</programlisting>
 	<para>Passing a specific module name with the <option>-list</option> returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:</para>
 <programlisting> modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
diff --git a/security/nss/doc/nroff/certutil.1 b/security/nss/doc/nroff/certutil.1
index 80a02fc276..b6a2e90b2c 100644
--- a/security/nss/doc/nroff/certutil.1
+++ b/security/nss/doc/nroff/certutil.1
@@ -2,12 +2,12 @@
 .\"     Title: CERTUTIL
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 27 October 2017
+.\"      Date:  5 October 2017
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -92,15 +92,11 @@ Add an email certificate to the certificate database\&.
 .PP
 \-F
 .RS 4
-Delete a private key from a key database\&. Specify the key to delete with the \-n argument\&. Specify the database from which to delete the key with the
+Delete a private key and the associated certificate from a database\&. Specify the key to delete with the \-n argument or the \-k argument\&. Specify the database from which to delete the key with the
 \fB\-d\fR
-argument\&. Use the
-\fB\-k\fR
-argument to specify explicitly whether to delete a DSA, RSA, or ECC key\&. If you don\*(Aqt use the
-\fB\-k\fR
-argument, the option looks for an RSA key matching the specified nickname\&.
+argument\&.
 .sp
-When you delete keys, be sure to also remove any certificates associated with those keys from the certificate database, by using \-D\&. Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&. You can display the public key with the command certutil \-K \-h tokenname\&.
+Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&.
 .RE
 .PP
 \-G
@@ -321,6 +317,8 @@ Set a key size to use when generating new public and private key pairs\&. The mi
 \-h tokenname
 .RS 4
 Specify the name of a token to use or act on\&. If not specified the default token is the internal database slot\&.
+.sp
+The name can also be a PKCS #11 URI\&. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB"\&. For details about the format, see RFC 7512\&.
 .RE
 .PP
 \-i input_file
@@ -348,6 +346,8 @@ Assign a unique serial number to a certificate being created\&. This operation s
 \-n nickname
 .RS 4
 Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate\&. Bracket the nickname string with quotation marks if it contains spaces\&.
+.sp
+The nickname can also be a PKCS #11 URI\&. For example, if you have a certificate named "my\-server\-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details about the format, see RFC 7512\&.
 .RE
 .PP
 \-o output\-file
@@ -1579,9 +1579,11 @@ $ certutil \-U \-d sql:/home/my/sharednssdb
 
     slot: NSS User Private Key and Certificate Services                  
    token: NSS Certificate DB
+     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
     slot: NSS Internal Cryptographic Services                            
    token: NSS Generic Crypto Services
+     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 .fi
 .if n \{\
 .RE
diff --git a/security/nss/doc/nroff/modutil.1 b/security/nss/doc/nroff/modutil.1
index 1ce9ab2cea..a2d7fe48b6 100644
--- a/security/nss/doc/nroff/modutil.1
+++ b/security/nss/doc/nroff/modutil.1
@@ -1,13 +1,13 @@
 '\" t
 .\"     Title: MODUTIL
 .\"    Author: [see the "Authors" section]
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date:  5 June 2014
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\"      Date:  5 October 2017
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "MODUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
+.TH "MODUTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -515,9 +515,11 @@ Listing of PKCS #11 Modules
 
          slot: NSS Internal Cryptographic Services                            
         token: NSS Generic Crypto Services
+	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 
          slot: NSS User Private Key and Certificate Services                  
         token: NSS Certificate DB
+	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
 .fi
 .if n \{\
diff --git a/security/nss/doc/nroff/pk12util.1 b/security/nss/doc/nroff/pk12util.1
index e0a8da833e..eae5d3616f 100644
--- a/security/nss/doc/nroff/pk12util.1
+++ b/security/nss/doc/nroff/pk12util.1
@@ -2,12 +2,12 @@
 .\"     Title: PK12UTIL
 .\"    Author: [see the "Authors" section]
 .\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\"      Date: 27 October 2017
+.\"      Date:  5 October 2017
 .\"    Manual: NSS Security Tools
 .\"    Source: nss-tools
 .\"  Language: English
 .\"
-.TH "PK12UTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
+.TH "PK12UTIL" "1" "5 October 2017" "nss-tools" "NSS Security Tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -113,6 +113,8 @@ Specify the desired length of the symmetric key to be used to encrypt the certif
 \-n certname
 .RS 4
 Specify the nickname of the cert and private key to export\&.
+.sp
+The nickname can also be a PKCS #11 URI\&. For example, if you have a certificate named "my\-server\-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details about the format, see RFC 7512\&.
 .RE
 .PP
 \-P prefix
diff --git a/security/nss/doc/pk12util.xml b/security/nss/doc/pk12util.xml
index c267949653..3f8eecf1b5 100644
--- a/security/nss/doc/pk12util.xml
+++ b/security/nss/doc/pk12util.xml
@@ -114,7 +114,8 @@
 
       <varlistentry>
         <term>-n certname</term>
-        <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem>
+        <listitem><para>Specify the nickname of the cert and private key to export.</para>
+	<para>The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.</para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/security/nss/exports.gyp b/security/nss/exports.gyp
index 907b5ac886..5cb44157fd 100644
--- a/security/nss/exports.gyp
+++ b/security/nss/exports.gyp
@@ -5,9 +5,82 @@
   'includes': [
     'coreconf/config.gypi'
   ],
+  'conditions': [
+    [ 'mozpkix_only==0', {
+      'targets': [
+        {
+          'target_name': 'nss_exports',
+          'type': 'none',
+          'direct_dependent_settings': {
+            'include_dirs': [
+              '<(nss_public_dist_dir)/nss',
+            ]
+          },
+          'dependencies': [
+            'cmd/lib/exports.gyp:cmd_lib_exports',
+            'lib/base/exports.gyp:lib_base_exports',
+            'lib/certdb/exports.gyp:lib_certdb_exports',
+            'lib/certhigh/exports.gyp:lib_certhigh_exports',
+            'lib/ckfw/builtins/exports.gyp:lib_ckfw_builtins_exports',
+            'lib/ckfw/exports.gyp:lib_ckfw_exports',
+            'lib/crmf/exports.gyp:lib_crmf_exports',
+            'lib/cryptohi/exports.gyp:lib_cryptohi_exports',
+            'lib/dev/exports.gyp:lib_dev_exports',
+            'lib/freebl/exports.gyp:lib_freebl_exports',
+            'lib/jar/exports.gyp:lib_jar_exports',
+            'lib/nss/exports.gyp:lib_nss_exports',
+            'lib/pk11wrap/exports.gyp:lib_pk11wrap_exports',
+            'lib/pkcs12/exports.gyp:lib_pkcs12_exports',
+            'lib/pkcs7/exports.gyp:lib_pkcs7_exports',
+            'lib/pki/exports.gyp:lib_pki_exports',
+            'lib/smime/exports.gyp:lib_smime_exports',
+            'lib/softoken/exports.gyp:lib_softoken_exports',
+            'lib/sqlite/exports.gyp:lib_sqlite_exports',
+            'lib/ssl/exports.gyp:lib_ssl_exports',
+            'lib/util/exports.gyp:lib_util_exports',
+            'lib/zlib/exports.gyp:lib_zlib_exports',
+          ],
+          'conditions': [
+            [ 'disable_libpkix==0', {
+              'dependencies': [
+                'lib/libpkix/include/exports.gyp:lib_libpkix_include_exports',
+                'lib/libpkix/pkix/certsel/exports.gyp:lib_libpkix_pkix_certsel_exports',
+                'lib/libpkix/pkix/checker/exports.gyp:lib_libpkix_pkix_checker_exports',
+                'lib/libpkix/pkix/crlsel/exports.gyp:lib_libpkix_pkix_crlsel_exports',
+                'lib/libpkix/pkix/params/exports.gyp:lib_libpkix_pkix_params_exports',
+                'lib/libpkix/pkix/results/exports.gyp:lib_libpkix_pkix_results_exports',
+                'lib/libpkix/pkix/store/exports.gyp:lib_libpkix_pkix_store_exports',
+                'lib/libpkix/pkix/top/exports.gyp:lib_libpkix_pkix_top_exports',
+                'lib/libpkix/pkix/util/exports.gyp:lib_libpkix_pkix_util_exports',
+                'lib/libpkix/pkix_pl_nss/module/exports.gyp:lib_libpkix_pkix_pl_nss_module_exports',
+                'lib/libpkix/pkix_pl_nss/pki/exports.gyp:lib_libpkix_pkix_pl_nss_pki_exports',
+                'lib/libpkix/pkix_pl_nss/system/exports.gyp:lib_libpkix_pkix_pl_nss_system_exports',
+              ],
+            }],
+          ],
+        },
+        {
+          'target_name': 'dbm_exports',
+          'type': 'none',
+          'conditions': [
+            ['disable_dbm==0', {
+              'direct_dependent_settings': {
+                'include_dirs': [
+                  '<(nss_public_dist_dir)/dbm'
+                ]
+              },
+              'dependencies': [
+                'lib/dbm/include/exports.gyp:lib_dbm_include_exports'
+              ],
+            }],
+          ],
+        }
+      ],
+    }],
+  ],
   'targets': [
     {
-      'target_name': 'nss_exports',
+      'target_name': 'nss_mozpkix_exports',
       'type': 'none',
       'direct_dependent_settings': {
         'include_dirs': [
@@ -15,63 +88,9 @@
         ]
       },
       'dependencies': [
-        'cmd/lib/exports.gyp:cmd_lib_exports',
-        'lib/base/exports.gyp:lib_base_exports',
-        'lib/certdb/exports.gyp:lib_certdb_exports',
-        'lib/certhigh/exports.gyp:lib_certhigh_exports',
-        'lib/ckfw/builtins/exports.gyp:lib_ckfw_builtins_exports',
-        'lib/ckfw/exports.gyp:lib_ckfw_exports',
-        'lib/crmf/exports.gyp:lib_crmf_exports',
-        'lib/cryptohi/exports.gyp:lib_cryptohi_exports',
-        'lib/dev/exports.gyp:lib_dev_exports',
-        'lib/freebl/exports.gyp:lib_freebl_exports',
-        'lib/jar/exports.gyp:lib_jar_exports',
-        'lib/nss/exports.gyp:lib_nss_exports',
-        'lib/pk11wrap/exports.gyp:lib_pk11wrap_exports',
-        'lib/pkcs12/exports.gyp:lib_pkcs12_exports',
-        'lib/pkcs7/exports.gyp:lib_pkcs7_exports',
-        'lib/pki/exports.gyp:lib_pki_exports',
-        'lib/smime/exports.gyp:lib_smime_exports',
-        'lib/softoken/exports.gyp:lib_softoken_exports',
-        'lib/sqlite/exports.gyp:lib_sqlite_exports',
-        'lib/ssl/exports.gyp:lib_ssl_exports',
-        'lib/util/exports.gyp:lib_util_exports',
-        'lib/zlib/exports.gyp:lib_zlib_exports'
-      ],
-      'conditions': [
-        [ 'disable_libpkix==0', {
-          'dependencies': [
-            'lib/libpkix/include/exports.gyp:lib_libpkix_include_exports',
-            'lib/libpkix/pkix/certsel/exports.gyp:lib_libpkix_pkix_certsel_exports',
-            'lib/libpkix/pkix/checker/exports.gyp:lib_libpkix_pkix_checker_exports',
-            'lib/libpkix/pkix/crlsel/exports.gyp:lib_libpkix_pkix_crlsel_exports',
-            'lib/libpkix/pkix/params/exports.gyp:lib_libpkix_pkix_params_exports',
-            'lib/libpkix/pkix/results/exports.gyp:lib_libpkix_pkix_results_exports',
-            'lib/libpkix/pkix/store/exports.gyp:lib_libpkix_pkix_store_exports',
-            'lib/libpkix/pkix/top/exports.gyp:lib_libpkix_pkix_top_exports',
-            'lib/libpkix/pkix/util/exports.gyp:lib_libpkix_pkix_util_exports',
-            'lib/libpkix/pkix_pl_nss/module/exports.gyp:lib_libpkix_pkix_pl_nss_module_exports',
-            'lib/libpkix/pkix_pl_nss/pki/exports.gyp:lib_libpkix_pkix_pl_nss_pki_exports',
-            'lib/libpkix/pkix_pl_nss/system/exports.gyp:lib_libpkix_pkix_pl_nss_system_exports',
-          ],
-        }],
+        'lib/mozpkix/exports.gyp:lib_mozpkix_exports',
+        'lib/mozpkix/exports.gyp:lib_mozpkix_test_exports',
       ],
     },
-    {
-      'target_name': 'dbm_exports',
-      'type': 'none',
-      'conditions': [
-        ['disable_dbm==0', {
-          'direct_dependent_settings': {
-            'include_dirs': [
-              '<(nss_public_dist_dir)/dbm'
-            ]
-          },
-          'dependencies': [
-            'lib/dbm/include/exports.gyp:lib_dbm_include_exports'
-          ],
-        }],
-      ],
-    }
-  ]
+  ],
 }
diff --git a/security/nss/fuzz/config/git-copy.sh b/security/nss/fuzz/config/git-copy.sh
index a9e817e2a6..fac8cbecf4 100644
--- a/security/nss/fuzz/config/git-copy.sh
+++ b/security/nss/fuzz/config/git-copy.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -ex
 
 if [ $# -lt 3 ]; then
   echo "Usage: $0 <repo> <branch> <directory>" 1>&2
@@ -28,7 +28,7 @@ fi
 
 rm -rf "$DIR"
 git init -q "$DIR"
-git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp
-git -C "$DIR" reset --hard git-copy-tmp
+git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT"
+git -C "$DIR" reset -q --hard FETCH_HEAD
 git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy
 rm -rf "$DIR"/.git
diff --git a/security/nss/fuzz/tls_server_certs.cc b/security/nss/fuzz/tls_server_certs.cc
index 705b6aab3d..20732a5e0a 100644
--- a/security/nss/fuzz/tls_server_certs.cc
+++ b/security/nss/fuzz/tls_server_certs.cc
@@ -8,7 +8,7 @@
 #include "ssl.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_server_certs.h"
 
 const uint8_t kP256ServerCert[] = {
diff --git a/security/nss/gtests/certdb_gtest/alg1485_unittest.cc b/security/nss/gtests/certdb_gtest/alg1485_unittest.cc
index ef67330927..8daa6660f6 100644
--- a/security/nss/gtests/certdb_gtest/alg1485_unittest.cc
+++ b/security/nss/gtests/certdb_gtest/alg1485_unittest.cc
@@ -9,7 +9,7 @@
 #include "gtest/gtest.h"
 
 #include "nss.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "prprf.h"
 
 namespace nss_test {
diff --git a/security/nss/gtests/cryptohi_gtest/cryptohi_unittest.cc b/security/nss/gtests/cryptohi_gtest/cryptohi_unittest.cc
index ab553ee012..d690a4fec3 100644
--- a/security/nss/gtests/cryptohi_gtest/cryptohi_unittest.cc
+++ b/security/nss/gtests/cryptohi_gtest/cryptohi_unittest.cc
@@ -8,7 +8,7 @@
 
 #include "gtest/gtest.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "cryptohi.h"
 #include "secitem.h"
 #include "secerr.h"
diff --git a/security/nss/gtests/der_gtest/der_private_key_import_unittest.cc b/security/nss/gtests/der_gtest/der_private_key_import_unittest.cc
index 836cc78765..88c2833170 100644
--- a/security/nss/gtests/der_gtest/der_private_key_import_unittest.cc
+++ b/security/nss/gtests/der_gtest/der_private_key_import_unittest.cc
@@ -11,7 +11,7 @@
 #include "secutil.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/der_gtest/p12_import_unittest.cc b/security/nss/gtests/der_gtest/p12_import_unittest.cc
index 6ffcda3482..31020231a0 100644
--- a/security/nss/gtests/der_gtest/p12_import_unittest.cc
+++ b/security/nss/gtests/der_gtest/p12_import_unittest.cc
@@ -8,7 +8,7 @@
 #include "p12.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/freebl_gtest/ecl_unittest.cc b/security/nss/gtests/freebl_gtest/ecl_unittest.cc
index fbad0246f9..36074be82b 100644
--- a/security/nss/gtests/freebl_gtest/ecl_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/ecl_unittest.cc
@@ -7,7 +7,7 @@
 #include <stdint.h>
 
 #include "blapi.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "secerr.h"
 
 namespace nss_test {
diff --git a/security/nss/gtests/freebl_gtest/mpi_unittest.cc b/security/nss/gtests/freebl_gtest/mpi_unittest.cc
index 4fed1a40e0..2ccb8c351a 100644
--- a/security/nss/gtests/freebl_gtest/mpi_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/mpi_unittest.cc
@@ -15,7 +15,7 @@
 #include "mpi.h"
 namespace nss_test {
 
-void gettime(struct timespec *tp) {
+void gettime(struct timespec* tp) {
 #ifdef __MACH__
   clock_serv_t cclock;
   mach_timespec_t mts;
@@ -69,6 +69,39 @@ class MPITest : public ::testing::Test {
     mp_clear(&b);
     mp_clear(&c);
   }
+
+  void dump(const std::string& prefix, const uint8_t* buf, size_t len) {
+    auto flags = std::cerr.flags();
+    std::cerr << prefix << ": [" << std::dec << len << "] ";
+    for (size_t i = 0; i < len; ++i) {
+      std::cerr << std::hex << std::setw(2) << std::setfill('0')
+                << static_cast<int>(buf[i]);
+    }
+    std::cerr << std::endl << std::resetiosflags(flags);
+  }
+
+  void TestToFixedOctets(const std::vector<uint8_t>& ref, size_t len) {
+    mp_int a;
+    ASSERT_EQ(MP_OKAY, mp_init(&a));
+    ASSERT_EQ(MP_OKAY, mp_read_unsigned_octets(&a, ref.data(), ref.size()));
+    uint8_t buf[len];
+    ASSERT_EQ(MP_OKAY, mp_to_fixlen_octets(&a, buf, len));
+    size_t compare;
+    if (len > ref.size()) {
+      for (size_t i = 0; i < len - ref.size(); ++i) {
+        ASSERT_EQ(0U, buf[i]) << "index " << i << " should be zero";
+      }
+      compare = ref.size();
+    } else {
+      compare = len;
+    }
+    dump("value", ref.data(), ref.size());
+    dump("output", buf, len);
+    ASSERT_EQ(0, memcmp(buf + len - compare, ref.data() + ref.size() - compare,
+                        compare))
+        << "comparing " << compare << " octets";
+    mp_clear(&a);
+  }
 };
 
 TEST_F(MPITest, MpiCmp01Test) { TestCmp("0", "1", -1); }
@@ -113,6 +146,47 @@ TEST_F(MPITest, MpiCmpUnalignedTest) {
 }
 #endif
 
+TEST_F(MPITest, MpiFixlenOctetsZero) {
+  std::vector<uint8_t> zero = {0};
+  TestToFixedOctets(zero, 1);
+  TestToFixedOctets(zero, 2);
+  TestToFixedOctets(zero, sizeof(mp_digit));
+  TestToFixedOctets(zero, sizeof(mp_digit) + 1);
+}
+
+TEST_F(MPITest, MpiFixlenOctetsVarlen) {
+  std::vector<uint8_t> packed;
+  for (size_t i = 0; i < sizeof(mp_digit) * 2; ++i) {
+    packed.push_back(0xa4);  // Any non-zero value will do.
+    TestToFixedOctets(packed, packed.size());
+    TestToFixedOctets(packed, packed.size() + 1);
+    TestToFixedOctets(packed, packed.size() + sizeof(mp_digit));
+  }
+}
+
+TEST_F(MPITest, MpiFixlenOctetsTooSmall) {
+  uint8_t buf[sizeof(mp_digit) * 3];
+  std::vector<uint8_t> ref;
+  for (size_t i = 0; i < sizeof(mp_digit) * 2; i++) {
+    ref.push_back(3);  // Any non-zero value will do.
+    dump("ref", ref.data(), ref.size());
+
+    mp_int a;
+    ASSERT_EQ(MP_OKAY, mp_init(&a));
+    ASSERT_EQ(MP_OKAY, mp_read_unsigned_octets(&a, ref.data(), ref.size()));
+#ifdef DEBUG
+    // ARGCHK maps to assert() in a debug build.
+    EXPECT_DEATH(mp_to_fixlen_octets(&a, buf, ref.size() - 1), "");
+#else
+    EXPECT_EQ(MP_BADARG, mp_to_fixlen_octets(&a, buf, ref.size() - 1));
+#endif
+    ASSERT_EQ(MP_OKAY, mp_to_fixlen_octets(&a, buf, ref.size()));
+    ASSERT_EQ(0, memcmp(buf, ref.data(), ref.size()));
+
+    mp_clear(&a);
+  }
+}
+
 // This test is slow. Disable it by default so we can run these tests on CI.
 class DISABLED_MPITest : public ::testing::Test {};
 
@@ -127,17 +201,17 @@ TEST_F(DISABLED_MPITest, MpiCmpConstTest) {
 
   mp_read_radix(
       &a,
-      const_cast<char *>(
+      const_cast<char*>(
           "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"),
       16);
   mp_read_radix(
       &b,
-      const_cast<char *>(
+      const_cast<char*>(
           "FF0FFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"),
       16);
   mp_read_radix(
       &c,
-      const_cast<char *>(
+      const_cast<char*>(
           "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550"),
       16);
 
diff --git a/security/nss/gtests/freebl_gtest/rsa_unittest.cc b/security/nss/gtests/freebl_gtest/rsa_unittest.cc
index 5c667a1d17..a1453168f9 100644
--- a/security/nss/gtests/freebl_gtest/rsa_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/rsa_unittest.cc
@@ -21,7 +21,7 @@ struct ScopedDelete {
 typedef std::unique_ptr<RSAPrivateKey, ScopedDelete<RSAPrivateKey>>
     ScopedRSAPrivateKey;
 
-class RSANewKeyTest : public ::testing::Test {
+class RSATest : public ::testing::Test {
  protected:
   RSAPrivateKey* CreateKeyWithExponent(int keySizeInBits,
                                        unsigned char publicExponent) {
@@ -34,24 +34,24 @@ class RSANewKeyTest : public ::testing::Test {
   }
 };
 
-TEST_F(RSANewKeyTest, expOneTest) {
+TEST_F(RSATest, expOneTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x01));
   ASSERT_TRUE(key == nullptr);
 }
-TEST_F(RSANewKeyTest, expTwoTest) {
+TEST_F(RSATest, expTwoTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x02));
   ASSERT_TRUE(key == nullptr);
 }
-TEST_F(RSANewKeyTest, expFourTest) {
+TEST_F(RSATest, expFourTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x04));
   ASSERT_TRUE(key == nullptr);
 }
-TEST_F(RSANewKeyTest, WrongKeysizeTest) {
+TEST_F(RSATest, WrongKeysizeTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2047, 0x03));
   ASSERT_TRUE(key == nullptr);
 }
 
-TEST_F(RSANewKeyTest, expThreeTest) {
+TEST_F(RSATest, expThreeTest) {
   ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x03));
 #ifdef NSS_FIPS_DISABLED
   ASSERT_TRUE(key != nullptr);
@@ -59,3 +59,39 @@ TEST_F(RSANewKeyTest, expThreeTest) {
   ASSERT_TRUE(key == nullptr);
 #endif
 }
+
+TEST_F(RSATest, DecryptBlockTestErrors) {
+  unsigned char pubExp[3] = {0x01, 0x00, 0x01};
+  SECItem exp = {siBuffer, pubExp, 3};
+  ScopedRSAPrivateKey key(RSA_NewKey(2048, &exp));
+  ASSERT_TRUE(key);
+  uint8_t out[10] = {0};
+  uint8_t in_small[100] = {0};
+  unsigned int outputLen = 0;
+  unsigned int maxOutputLen = sizeof(out);
+
+  // This should fail because input the same size as the modulus (256).
+  SECStatus rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen,
+                                  in_small, sizeof(in_small));
+  EXPECT_EQ(SECFailure, rv);
+
+  uint8_t in[256] = {0};
+  // This should fail because the padding checks will fail.
+  rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen, in,
+                        sizeof(in));
+  EXPECT_EQ(SECFailure, rv);
+  // outputLen should be maxOutputLen.
+  EXPECT_EQ(maxOutputLen, outputLen);
+
+  // This should fail because the padding checks will fail.
+  uint8_t out_long[260] = {0};
+  maxOutputLen = sizeof(out_long);
+  rv = RSA_DecryptBlock(key.get(), out_long, &outputLen, maxOutputLen, in,
+                        sizeof(in));
+  EXPECT_EQ(SECFailure, rv);
+  // outputLen should <= 256-11=245.
+  EXPECT_LE(outputLen, 245u);
+  // Everything over 256 must be 0 in the output.
+  uint8_t out_long_test[4] = {0};
+  EXPECT_EQ(0, memcmp(out_long_test, &out_long[256], 4));
+}
diff --git a/security/nss/gtests/google_test/VERSION b/security/nss/gtests/google_test/VERSION
new file mode 100644
index 0000000000..bcb751e25c
--- /dev/null
+++ b/security/nss/gtests/google_test/VERSION
@@ -0,0 +1,2 @@
+release-1.8.1
+2fe3bd994b3189899d93f1d5a881e725e046fdc2
diff --git a/security/nss/gtests/google_test/gtest/CMakeLists.txt b/security/nss/gtests/google_test/gtest/CMakeLists.txt
index bd78cfe675..9ee79408c2 100644
--- a/security/nss/gtests/google_test/gtest/CMakeLists.txt
+++ b/security/nss/gtests/google_test/gtest/CMakeLists.txt
@@ -5,10 +5,6 @@
 # ctest.  You can select which tests to run using 'ctest -R regex'.
 # For more options, run 'ctest --help'.
 
-# BUILD_SHARED_LIBS is a standard CMake variable, but we declare it here to
-# make it prominent in the GUI.
-option(BUILD_SHARED_LIBS "Build shared libraries (DLLs)." OFF)
-
 # When other libraries are using a shared version of runtime libraries,
 # Google Test also has to use one.
 option(
@@ -22,6 +18,11 @@ option(gtest_build_samples "Build gtest's sample programs." OFF)
 
 option(gtest_disable_pthreads "Disable uses of pthreads in gtest." OFF)
 
+option(
+  gtest_hide_internal_symbols
+  "Build gtest with internal symbols hidden in shared libraries."
+  OFF)
+
 # Defines pre_project_set_up_hermetic_build() and set_up_hermetic_build().
 include(cmake/hermetic_build.cmake OPTIONAL)
 
@@ -39,25 +40,75 @@ endif()
 # as ${gtest_SOURCE_DIR} and to the root binary directory as
 # ${gtest_BINARY_DIR}.
 # Language "C" is required for find_package(Threads).
-project(gtest CXX C)
-cmake_minimum_required(VERSION 2.6.2)
+if (CMAKE_VERSION VERSION_LESS 3.0)
+  project(gtest CXX C)
+else()
+  cmake_policy(SET CMP0048 NEW)
+  project(gtest VERSION ${GOOGLETEST_VERSION} LANGUAGES CXX C)
+endif()
+cmake_minimum_required(VERSION 2.6.4)
+
+if (POLICY CMP0063) # Visibility
+  cmake_policy(SET CMP0063 NEW)
+endif (POLICY CMP0063)
 
 if (COMMAND set_up_hermetic_build)
   set_up_hermetic_build()
 endif()
 
+# These commands only run if this is the main project
+if(CMAKE_PROJECT_NAME STREQUAL "gtest" OR CMAKE_PROJECT_NAME STREQUAL "googletest-distribution")
+
+  # BUILD_SHARED_LIBS is a standard CMake variable, but we declare it here to
+  # make it prominent in the GUI.
+  option(BUILD_SHARED_LIBS "Build shared libraries (DLLs)." OFF)
+
+else()
+
+  mark_as_advanced(
+    gtest_force_shared_crt
+    gtest_build_tests
+    gtest_build_samples
+    gtest_disable_pthreads
+    gtest_hide_internal_symbols)
+
+endif()
+
+
+if (gtest_hide_internal_symbols)
+  set(CMAKE_CXX_VISIBILITY_PRESET hidden)
+  set(CMAKE_VISIBILITY_INLINES_HIDDEN 1)
+endif()
+
 # Define helper functions and macros used by Google Test.
 include(cmake/internal_utils.cmake)
 
 config_compiler_and_linker()  # Defined in internal_utils.cmake.
 
-# Where Google Test's .h files can be found.
-include_directories(
-  ${gtest_SOURCE_DIR}/include
-  ${gtest_SOURCE_DIR})
+# Create the CMake package file descriptors.
+if (INSTALL_GTEST)
+  include(CMakePackageConfigHelpers)
+  set(cmake_package_name GTest)
+  set(targets_export_name ${cmake_package_name}Targets CACHE INTERNAL "")
+  set(generated_dir "${CMAKE_CURRENT_BINARY_DIR}/generated" CACHE INTERNAL "")
+  set(cmake_files_install_dir "${CMAKE_INSTALL_LIBDIR}/cmake/${cmake_package_name}")
+  set(version_file "${generated_dir}/${cmake_package_name}ConfigVersion.cmake")
+  write_basic_package_version_file(${version_file} COMPATIBILITY AnyNewerVersion)
+  install(EXPORT ${targets_export_name}
+    NAMESPACE ${cmake_package_name}::
+    DESTINATION ${cmake_files_install_dir})
+  set(config_file "${generated_dir}/${cmake_package_name}Config.cmake")
+  configure_package_config_file("${gtest_SOURCE_DIR}/cmake/Config.cmake.in"
+    "${config_file}" INSTALL_DESTINATION ${cmake_files_install_dir})
+  install(FILES ${version_file} ${config_file}
+    DESTINATION ${cmake_files_install_dir})
+endif()
 
-# Where Google Test's libraries can be found.
-link_directories(${gtest_BINARY_DIR}/src)
+# Where Google Test's .h files can be found.
+set(gtest_build_include_dirs
+  "${gtest_SOURCE_DIR}/include"
+  "${gtest_SOURCE_DIR}")
+include_directories(${gtest_build_include_dirs})
 
 # Summary of tuple support for Microsoft Visual Studio:
 # Compiler    version(MS)  version(cmake)  Support
@@ -65,6 +116,8 @@ link_directories(${gtest_BINARY_DIR}/src)
 # <= VS 2010  <= 10        <= 1600         Use Google Tests's own tuple.
 # VS 2012     11           1700            std::tr1::tuple + _VARIADIC_MAX=10
 # VS 2013     12           1800            std::tr1::tuple
+# VS 2015     14           1900            std::tuple
+# VS 2017     15           >= 1910         std::tuple
 if (MSVC AND MSVC_VERSION EQUAL 1700)
   add_definitions(/D _VARIADIC_MAX=10)
 endif()
@@ -79,7 +132,23 @@ endif()
 # aggressive about warnings.
 cxx_library(gtest "${cxx_strict}" src/gtest-all.cc)
 cxx_library(gtest_main "${cxx_strict}" src/gtest_main.cc)
-target_link_libraries(gtest_main gtest)
+# If the CMake version supports it, attach header directory information
+# to the targets for when we are part of a parent build (ie being pulled
+# in via add_subdirectory() rather than being a standalone build).
+if (DEFINED CMAKE_VERSION AND NOT "${CMAKE_VERSION}" VERSION_LESS "2.8.11")
+  target_include_directories(gtest SYSTEM INTERFACE
+    "$<BUILD_INTERFACE:${gtest_build_include_dirs}>"
+    "$<INSTALL_INTERFACE:$<INSTALL_PREFIX>/${CMAKE_INSTALL_INCLUDEDIR}>")
+  target_include_directories(gtest_main SYSTEM INTERFACE
+    "$<BUILD_INTERFACE:${gtest_build_include_dirs}>"
+    "$<INSTALL_INTERFACE:$<INSTALL_PREFIX>/${CMAKE_INSTALL_INCLUDEDIR}>")
+endif()
+target_link_libraries(gtest_main PUBLIC gtest)
+
+########################################################################
+#
+# Install rules
+install_project(gtest gtest_main)
 
 ########################################################################
 #
@@ -121,28 +190,28 @@ if (gtest_build_tests)
   ############################################################
   # C++ tests built with standard compiler flags.
 
-  cxx_test(gtest-death-test_test gtest_main)
+  cxx_test(googletest-death-test-test gtest_main)
   cxx_test(gtest_environment_test gtest)
-  cxx_test(gtest-filepath_test gtest_main)
-  cxx_test(gtest-linked_ptr_test gtest_main)
-  cxx_test(gtest-listener_test gtest_main)
+  cxx_test(googletest-filepath-test gtest_main)
+  cxx_test(googletest-linked-ptr-test gtest_main)
+  cxx_test(googletest-listener-test gtest_main)
   cxx_test(gtest_main_unittest gtest_main)
-  cxx_test(gtest-message_test gtest_main)
+  cxx_test(googletest-message-test gtest_main)
   cxx_test(gtest_no_test_unittest gtest)
-  cxx_test(gtest-options_test gtest_main)
-  cxx_test(gtest-param-test_test gtest
-    test/gtest-param-test2_test.cc)
-  cxx_test(gtest-port_test gtest_main)
+  cxx_test(googletest-options-test gtest_main)
+  cxx_test(googletest-param-test-test gtest
+    test/googletest-param-test2-test.cc)
+  cxx_test(googletest-port-test gtest_main)
   cxx_test(gtest_pred_impl_unittest gtest_main)
   cxx_test(gtest_premature_exit_test gtest
     test/gtest_premature_exit_test.cc)
-  cxx_test(gtest-printers_test gtest_main)
+  cxx_test(googletest-printers-test gtest_main)
   cxx_test(gtest_prod_test gtest_main
     test/production.cc)
   cxx_test(gtest_repeat_test gtest)
   cxx_test(gtest_sole_header_test gtest_main)
   cxx_test(gtest_stress_test gtest)
-  cxx_test(gtest-test-part_test gtest_main)
+  cxx_test(googletest-test-part-test gtest_main)
   cxx_test(gtest_throw_on_failure_ex_test gtest)
   cxx_test(gtest-typed-test_test gtest_main
     test/gtest-typed-test2_test.cc)
@@ -164,10 +233,10 @@ if (gtest_build_tests)
 
   cxx_test_with_flags(gtest-death-test_ex_nocatch_test
     "${cxx_exception} -DGTEST_ENABLE_CATCH_EXCEPTIONS_=0"
-    gtest test/gtest-death-test_ex_test.cc)
+    gtest test/googletest-death-test_ex_test.cc)
   cxx_test_with_flags(gtest-death-test_ex_catch_test
     "${cxx_exception} -DGTEST_ENABLE_CATCH_EXCEPTIONS_=1"
-    gtest test/gtest-death-test_ex_test.cc)
+    gtest test/googletest-death-test_ex_test.cc)
 
   cxx_test_with_flags(gtest_no_rtti_unittest "${cxx_no_rtti}"
     gtest_main_no_rtti test/gtest_unittest.cc)
@@ -188,73 +257,75 @@ if (gtest_build_tests)
     cxx_library(gtest_main_use_own_tuple "${cxx_use_own_tuple}"
       src/gtest-all.cc src/gtest_main.cc)
 
-    cxx_test_with_flags(gtest-tuple_test "${cxx_use_own_tuple}"
-      gtest_main_use_own_tuple test/gtest-tuple_test.cc)
+    cxx_test_with_flags(googletest-tuple-test "${cxx_use_own_tuple}"
+      gtest_main_use_own_tuple test/googletest-tuple-test.cc)
 
     cxx_test_with_flags(gtest_use_own_tuple_test "${cxx_use_own_tuple}"
       gtest_main_use_own_tuple
-      test/gtest-param-test_test.cc test/gtest-param-test2_test.cc)
+      test/googletest-param-test-test.cc test/googletest-param-test2-test.cc)
   endif()
 
   ############################################################
   # Python tests.
 
-  cxx_executable(gtest_break_on_failure_unittest_ test gtest)
-  py_test(gtest_break_on_failure_unittest)
+  cxx_executable(googletest-break-on-failure-unittest_ test gtest)
+  py_test(googletest-break-on-failure-unittest)
 
   # Visual Studio .NET 2003 does not support STL with exceptions disabled.
   if (NOT MSVC OR MSVC_VERSION GREATER 1310)  # 1310 is Visual Studio .NET 2003
     cxx_executable_with_flags(
-      gtest_catch_exceptions_no_ex_test_
+      googletest-catch-exceptions-no-ex-test_
       "${cxx_no_exception}"
       gtest_main_no_exception
-      test/gtest_catch_exceptions_test_.cc)
+      test/googletest-catch-exceptions-test_.cc)
   endif()
 
   cxx_executable_with_flags(
-    gtest_catch_exceptions_ex_test_
+    googletest-catch-exceptions-ex-test_
     "${cxx_exception}"
     gtest_main
-    test/gtest_catch_exceptions_test_.cc)
-  py_test(gtest_catch_exceptions_test)
+    test/googletest-catch-exceptions-test_.cc)
+  py_test(googletest-catch-exceptions-test)
 
-  cxx_executable(gtest_color_test_ test gtest)
-  py_test(gtest_color_test)
+  cxx_executable(googletest-color-test_ test gtest)
+  py_test(googletest-color-test)
 
-  cxx_executable(gtest_env_var_test_ test gtest)
-  py_test(gtest_env_var_test)
+  cxx_executable(googletest-env-var-test_ test gtest)
+  py_test(googletest-env-var-test)
 
-  cxx_executable(gtest_filter_unittest_ test gtest)
-  py_test(gtest_filter_unittest)
+  cxx_executable(googletest-filter-unittest_ test gtest)
+  py_test(googletest-filter-unittest)
 
   cxx_executable(gtest_help_test_ test gtest_main)
   py_test(gtest_help_test)
 
-  cxx_executable(gtest_list_tests_unittest_ test gtest)
-  py_test(gtest_list_tests_unittest)
+  cxx_executable(googletest-list-tests-unittest_ test gtest)
+  py_test(googletest-list-tests-unittest)
 
-  cxx_executable(gtest_output_test_ test gtest)
-  py_test(gtest_output_test)
+  cxx_executable(googletest-output-test_ test gtest)
+  py_test(googletest-output-test --no_stacktrace_support)
 
-  cxx_executable(gtest_shuffle_test_ test gtest)
-  py_test(gtest_shuffle_test)
+  cxx_executable(googletest-shuffle-test_ test gtest)
+  py_test(googletest-shuffle-test)
 
   # MSVC 7.1 does not support STL with exceptions disabled.
   if (NOT MSVC OR MSVC_VERSION GREATER 1310)
-    cxx_executable(gtest_throw_on_failure_test_ test gtest_no_exception)
-    set_target_properties(gtest_throw_on_failure_test_
+    cxx_executable(googletest-throw-on-failure-test_ test gtest_no_exception)
+    set_target_properties(googletest-throw-on-failure-test_
       PROPERTIES
       COMPILE_FLAGS "${cxx_no_exception}")
-    py_test(gtest_throw_on_failure_test)
+    py_test(googletest-throw-on-failure-test)
   endif()
 
-  cxx_executable(gtest_uninitialized_test_ test gtest)
-  py_test(gtest_uninitialized_test)
+  cxx_executable(googletest-uninitialized-test_ test gtest)
+  py_test(googletest-uninitialized-test)
 
   cxx_executable(gtest_xml_outfile1_test_ test gtest_main)
   cxx_executable(gtest_xml_outfile2_test_ test gtest_main)
   py_test(gtest_xml_outfiles_test)
+  py_test(googletest-json-outfiles-test)
 
   cxx_executable(gtest_xml_output_unittest_ test gtest)
-  py_test(gtest_xml_output_unittest)
+  py_test(gtest_xml_output_unittest --no_stacktrace_support)
+  py_test(googletest-json-output-unittest --no_stacktrace_support)
 endif()
diff --git a/security/nss/gtests/google_test/gtest/Makefile.am b/security/nss/gtests/google_test/gtest/Makefile.am
index 9c96b42572..b44c8416ba 100644
--- a/security/nss/gtests/google_test/gtest/Makefile.am
+++ b/security/nss/gtests/google_test/gtest/Makefile.am
@@ -34,6 +34,7 @@ EXTRA_DIST += $(GTEST_SRC)
 # Sample files that we don't compile.
 EXTRA_DIST += \
   samples/prime_tables.h \
+  samples/sample1_unittest.cc \
   samples/sample2_unittest.cc \
   samples/sample3_unittest.cc \
   samples/sample4_unittest.cc \
@@ -52,40 +53,40 @@ EXTRA_DIST += \
   test/gtest-listener_test.cc \
   test/gtest-message_test.cc \
   test/gtest-options_test.cc \
-  test/gtest-param-test2_test.cc \
-  test/gtest-param-test2_test.cc \
-  test/gtest-param-test_test.cc \
-  test/gtest-param-test_test.cc \
+  test/googletest-param-test2-test.cc \
+  test/googletest-param-test2-test.cc \
+  test/googletest-param-test-test.cc \
+  test/googletest-param-test-test.cc \
   test/gtest-param-test_test.h \
   test/gtest-port_test.cc \
   test/gtest_premature_exit_test.cc \
   test/gtest-printers_test.cc \
   test/gtest-test-part_test.cc \
-  test/gtest-tuple_test.cc \
+  test/googletest-tuple-test.cc \
   test/gtest-typed-test2_test.cc \
   test/gtest-typed-test_test.cc \
   test/gtest-typed-test_test.h \
   test/gtest-unittest-api_test.cc \
-  test/gtest_break_on_failure_unittest_.cc \
-  test/gtest_catch_exceptions_test_.cc \
-  test/gtest_color_test_.cc \
-  test/gtest_env_var_test_.cc \
+  test/googletest-break-on-failure-unittest_.cc \
+  test/googletest-catch-exceptions-test_.cc \
+  test/googletest-color-test_.cc \
+  test/googletest-env-var-test_.cc \
   test/gtest_environment_test.cc \
-  test/gtest_filter_unittest_.cc \
+  test/googletest-filter-unittest_.cc \
   test/gtest_help_test_.cc \
-  test/gtest_list_tests_unittest_.cc \
+  test/googletest-list-tests-unittest_.cc \
   test/gtest_main_unittest.cc \
   test/gtest_no_test_unittest.cc \
-  test/gtest_output_test_.cc \
+  test/googletest-output-test_.cc \
   test/gtest_pred_impl_unittest.cc \
   test/gtest_prod_test.cc \
   test/gtest_repeat_test.cc \
-  test/gtest_shuffle_test_.cc \
+  test/googletest-shuffle-test_.cc \
   test/gtest_sole_header_test.cc \
   test/gtest_stress_test.cc \
   test/gtest_throw_on_failure_ex_test.cc \
-  test/gtest_throw_on_failure_test_.cc \
-  test/gtest_uninitialized_test_.cc \
+  test/googletest-throw-on-failure-test_.cc \
+  test/googletest-uninitialized-test_.cc \
   test/gtest_unittest.cc \
   test/gtest_unittest.cc \
   test/gtest_xml_outfile1_test_.cc \
@@ -96,19 +97,19 @@ EXTRA_DIST += \
 
 # Python tests that we don't run.
 EXTRA_DIST += \
-  test/gtest_break_on_failure_unittest.py \
-  test/gtest_catch_exceptions_test.py \
-  test/gtest_color_test.py \
-  test/gtest_env_var_test.py \
-  test/gtest_filter_unittest.py \
+  test/googletest-break-on-failure-unittest.py \
+  test/googletest-catch-exceptions-test.py \
+  test/googletest-color-test.py \
+  test/googletest-env-var-test.py \
+  test/googletest-filter-unittest.py \
   test/gtest_help_test.py \
-  test/gtest_list_tests_unittest.py \
-  test/gtest_output_test.py \
-  test/gtest_output_test_golden_lin.txt \
-  test/gtest_shuffle_test.py \
+  test/googletest-list-tests-unittest.py \
+  test/googletest-output-test.py \
+  test/googletest-output-test_golden_lin.txt \
+  test/googletest-shuffle-test.py \
   test/gtest_test_utils.py \
-  test/gtest_throw_on_failure_test.py \
-  test/gtest_uninitialized_test.py \
+  test/googletest-throw-on-failure-test.py \
+  test/googletest-uninitialized-test.py \
   test/gtest_xml_outfiles_test.py \
   test/gtest_xml_output_unittest.py \
   test/gtest_xml_test_utils.py
@@ -120,16 +121,16 @@ EXTRA_DIST += \
 
 # MSVC project files
 EXTRA_DIST += \
-  msvc/gtest-md.sln \
-  msvc/gtest-md.vcproj \
-  msvc/gtest.sln \
-  msvc/gtest.vcproj \
-  msvc/gtest_main-md.vcproj \
-  msvc/gtest_main.vcproj \
-  msvc/gtest_prod_test-md.vcproj \
-  msvc/gtest_prod_test.vcproj \
-  msvc/gtest_unittest-md.vcproj \
-  msvc/gtest_unittest.vcproj
+  msvc/2010/gtest-md.sln \
+  msvc/2010/gtest-md.vcxproj \
+  msvc/2010/gtest.sln \
+  msvc/2010/gtest.vcxproj \
+  msvc/2010/gtest_main-md.vcxproj \
+  msvc/2010/gtest_main.vcxproj \
+  msvc/2010/gtest_prod_test-md.vcxproj \
+  msvc/2010/gtest_prod_test.vcxproj \
+  msvc/2010/gtest_unittest-md.vcxproj \
+  msvc/2010/gtest_unittest.vcxproj
 
 # xcode project files
 EXTRA_DIST += \
@@ -205,47 +206,79 @@ pkginclude_internal_HEADERS = \
   include/gtest/internal/gtest-param-util-generated.h \
   include/gtest/internal/gtest-param-util.h \
   include/gtest/internal/gtest-port.h \
+  include/gtest/internal/gtest-port-arch.h \
   include/gtest/internal/gtest-string.h \
   include/gtest/internal/gtest-tuple.h \
-  include/gtest/internal/gtest-type-util.h
+  include/gtest/internal/gtest-type-util.h \
+  include/gtest/internal/custom/gtest.h \
+  include/gtest/internal/custom/gtest-port.h \
+  include/gtest/internal/custom/gtest-printers.h
 
 lib_libgtest_main_la_SOURCES = src/gtest_main.cc
 lib_libgtest_main_la_LIBADD = lib/libgtest.la
 
-# Bulid rules for samples and tests. Automake's naming for some of
+# Build rules for samples and tests. Automake's naming for some of
 # these variables isn't terribly obvious, so this is a brief
 # reference:
 #
 # TESTS -- Programs run automatically by "make check"
 # check_PROGRAMS -- Programs built by "make check" but not necessarily run
 
-noinst_LTLIBRARIES = samples/libsamples.la
-
-samples_libsamples_la_SOURCES = \
-  samples/sample1.cc \
-  samples/sample1.h \
-  samples/sample2.cc \
-  samples/sample2.h \
-  samples/sample3-inl.h \
-  samples/sample4.cc \
-  samples/sample4.h
-
 TESTS=
 TESTS_ENVIRONMENT = GTEST_SOURCE_DIR="$(srcdir)/test" \
                     GTEST_BUILD_DIR="$(top_builddir)/test"
 check_PROGRAMS=
 
 # A simple sample on using gtest.
-TESTS += samples/sample1_unittest
-check_PROGRAMS += samples/sample1_unittest
-samples_sample1_unittest_SOURCES = samples/sample1_unittest.cc
+TESTS += samples/sample1_unittest \
+    samples/sample2_unittest \
+    samples/sample3_unittest \
+    samples/sample4_unittest \
+    samples/sample5_unittest \
+    samples/sample6_unittest \
+    samples/sample7_unittest \
+    samples/sample8_unittest \
+    samples/sample9_unittest \
+    samples/sample10_unittest
+check_PROGRAMS += samples/sample1_unittest \
+    samples/sample2_unittest \
+    samples/sample3_unittest \
+    samples/sample4_unittest \
+    samples/sample5_unittest \
+    samples/sample6_unittest \
+    samples/sample7_unittest \
+    samples/sample8_unittest \
+    samples/sample9_unittest \
+    samples/sample10_unittest
+
+samples_sample1_unittest_SOURCES = samples/sample1_unittest.cc samples/sample1.cc
 samples_sample1_unittest_LDADD = lib/libgtest_main.la \
-                                 lib/libgtest.la \
-                                 samples/libsamples.la
-
-# Another sample.  It also verifies that libgtest works.
-TESTS += samples/sample10_unittest
-check_PROGRAMS += samples/sample10_unittest
+                                 lib/libgtest.la
+samples_sample2_unittest_SOURCES = samples/sample2_unittest.cc samples/sample2.cc
+samples_sample2_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample3_unittest_SOURCES = samples/sample3_unittest.cc
+samples_sample3_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample4_unittest_SOURCES = samples/sample4_unittest.cc samples/sample4.cc
+samples_sample4_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample5_unittest_SOURCES = samples/sample5_unittest.cc samples/sample1.cc
+samples_sample5_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample6_unittest_SOURCES = samples/sample6_unittest.cc
+samples_sample6_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample7_unittest_SOURCES = samples/sample7_unittest.cc
+samples_sample7_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+samples_sample8_unittest_SOURCES = samples/sample8_unittest.cc
+samples_sample8_unittest_LDADD = lib/libgtest_main.la \
+                                 lib/libgtest.la
+
+# Also verify that libgtest works by itself.
+samples_sample9_unittest_SOURCES = samples/sample9_unittest.cc
+samples_sample9_unittest_LDADD = lib/libgtest.la
 samples_sample10_unittest_SOURCES = samples/sample10_unittest.cc
 samples_sample10_unittest_LDADD = lib/libgtest.la
 
diff --git a/security/nss/gtests/google_test/gtest/README b/security/nss/gtests/google_test/gtest/README
deleted file mode 100644
index 404bf3b83c..0000000000
--- a/security/nss/gtests/google_test/gtest/README
+++ /dev/null
@@ -1,435 +0,0 @@
-Google C++ Testing Framework
-============================
-
-http://code.google.com/p/googletest/
-
-Overview
---------
-
-Google's framework for writing C++ tests on a variety of platforms
-(Linux, Mac OS X, Windows, Windows CE, Symbian, etc).  Based on the
-xUnit architecture.  Supports automatic test discovery, a rich set of
-assertions, user-defined assertions, death tests, fatal and non-fatal
-failures, various options for running the tests, and XML test report
-generation.
-
-Please see the project page above for more information as well as the
-mailing list for questions, discussions, and development.  There is
-also an IRC channel on OFTC (irc.oftc.net) #gtest available.  Please
-join us!
-
-Requirements for End Users
---------------------------
-
-Google Test is designed to have fairly minimal requirements to build
-and use with your projects, but there are some.  Currently, we support
-Linux, Windows, Mac OS X, and Cygwin.  We will also make our best
-effort to support other platforms (e.g. Solaris, AIX, and z/OS).
-However, since core members of the Google Test project have no access
-to these platforms, Google Test may have outstanding issues there.  If
-you notice any problems on your platform, please notify
-googletestframework@googlegroups.com.  Patches for fixing them are
-even more welcome!
-
-### Linux Requirements ###
-
-These are the base requirements to build and use Google Test from a source
-package (as described below):
-  * GNU-compatible Make or gmake
-  * POSIX-standard shell
-  * POSIX(-2) Regular Expressions (regex.h)
-  * A C++98-standard-compliant compiler
-
-### Windows Requirements ###
-
-  * Microsoft Visual C++ 7.1 or newer
-
-### Cygwin Requirements ###
-
-  * Cygwin 1.5.25-14 or newer
-
-### Mac OS X Requirements ###
-
-  * Mac OS X 10.4 Tiger or newer
-  * Developer Tools Installed
-
-Also, you'll need CMake 2.6.4 or higher if you want to build the
-samples using the provided CMake script, regardless of the platform.
-
-Requirements for Contributors
------------------------------
-
-We welcome patches.  If you plan to contribute a patch, you need to
-build Google Test and its own tests from an SVN checkout (described
-below), which has further requirements:
-
-  * Python version 2.3 or newer (for running some of the tests and
-    re-generating certain source files from templates)
-  * CMake 2.6.4 or newer
-
-Getting the Source
-------------------
-
-There are two primary ways of getting Google Test's source code: you
-can download a stable source release in your preferred archive format,
-or directly check out the source from our Subversion (SVN) repository.
-The SVN checkout requires a few extra steps and some extra software
-packages on your system, but lets you track the latest development and
-make patches much more easily, so we highly encourage it.
-
-### Source Package ###
-
-Google Test is released in versioned source packages which can be
-downloaded from the download page [1].  Several different archive
-formats are provided, but the only difference is the tools used to
-manipulate them, and the size of the resulting file.  Download
-whichever you are most comfortable with.
-
-  [1] http://code.google.com/p/googletest/downloads/list
-
-Once the package is downloaded, expand it using whichever tools you
-prefer for that type.  This will result in a new directory with the
-name "gtest-X.Y.Z" which contains all of the source code.  Here are
-some examples on Linux:
-
-  tar -xvzf gtest-X.Y.Z.tar.gz
-  tar -xvjf gtest-X.Y.Z.tar.bz2
-  unzip gtest-X.Y.Z.zip
-
-### SVN Checkout ###
-
-To check out the main branch (also known as the "trunk") of Google
-Test, run the following Subversion command:
-
-  svn checkout http://googletest.googlecode.com/svn/trunk/ gtest-svn
-
-Setting up the Build
---------------------
-
-To build Google Test and your tests that use it, you need to tell your
-build system where to find its headers and source files.  The exact
-way to do it depends on which build system you use, and is usually
-straightforward.
-
-### Generic Build Instructions ###
-
-Suppose you put Google Test in directory ${GTEST_DIR}.  To build it,
-create a library build target (or a project as called by Visual Studio
-and Xcode) to compile
-
-  ${GTEST_DIR}/src/gtest-all.cc
-
-with ${GTEST_DIR}/include in the system header search path and ${GTEST_DIR}
-in the normal header search path.  Assuming a Linux-like system and gcc,
-something like the following will do:
-
-  g++ -isystem ${GTEST_DIR}/include -I${GTEST_DIR} \
-      -pthread -c ${GTEST_DIR}/src/gtest-all.cc
-  ar -rv libgtest.a gtest-all.o
-
-(We need -pthread as Google Test uses threads.)
-
-Next, you should compile your test source file with
-${GTEST_DIR}/include in the system header search path, and link it
-with gtest and any other necessary libraries:
-
-  g++ -isystem ${GTEST_DIR}/include -pthread path/to/your_test.cc libgtest.a \
-      -o your_test
-
-As an example, the make/ directory contains a Makefile that you can
-use to build Google Test on systems where GNU make is available
-(e.g. Linux, Mac OS X, and Cygwin).  It doesn't try to build Google
-Test's own tests.  Instead, it just builds the Google Test library and
-a sample test.  You can use it as a starting point for your own build
-script.
-
-If the default settings are correct for your environment, the
-following commands should succeed:
-
-  cd ${GTEST_DIR}/make
-  make
-  ./sample1_unittest
-
-If you see errors, try to tweak the contents of make/Makefile to make
-them go away.  There are instructions in make/Makefile on how to do
-it.
-
-### Using CMake ###
-
-Google Test comes with a CMake build script (CMakeLists.txt) that can
-be used on a wide range of platforms ("C" stands for cross-platform.).
-If you don't have CMake installed already, you can download it for
-free from http://www.cmake.org/.
-
-CMake works by generating native makefiles or build projects that can
-be used in the compiler environment of your choice.  The typical
-workflow starts with:
-
-  mkdir mybuild       # Create a directory to hold the build output.
-  cd mybuild
-  cmake ${GTEST_DIR}  # Generate native build scripts.
-
-If you want to build Google Test's samples, you should replace the
-last command with
-
-  cmake -Dgtest_build_samples=ON ${GTEST_DIR}
-
-If you are on a *nix system, you should now see a Makefile in the
-current directory.  Just type 'make' to build gtest.
-
-If you use Windows and have Visual Studio installed, a gtest.sln file
-and several .vcproj files will be created.  You can then build them
-using Visual Studio.
-
-On Mac OS X with Xcode installed, a .xcodeproj file will be generated.
-
-### Legacy Build Scripts ###
-
-Before settling on CMake, we have been providing hand-maintained build
-projects/scripts for Visual Studio, Xcode, and Autotools.  While we
-continue to provide them for convenience, they are not actively
-maintained any more.  We highly recommend that you follow the
-instructions in the previous two sections to integrate Google Test
-with your existing build system.
-
-If you still need to use the legacy build scripts, here's how:
-
-The msvc\ folder contains two solutions with Visual C++ projects.
-Open the gtest.sln or gtest-md.sln file using Visual Studio, and you
-are ready to build Google Test the same way you build any Visual
-Studio project.  Files that have names ending with -md use DLL
-versions of Microsoft runtime libraries (the /MD or the /MDd compiler
-option).  Files without that suffix use static versions of the runtime
-libraries (the /MT or the /MTd option).  Please note that one must use
-the same option to compile both gtest and the test code.  If you use
-Visual Studio 2005 or above, we recommend the -md version as /MD is
-the default for new projects in these versions of Visual Studio.
-
-On Mac OS X, open the gtest.xcodeproj in the xcode/ folder using
-Xcode.  Build the "gtest" target.  The universal binary framework will
-end up in your selected build directory (selected in the Xcode
-"Preferences..." -> "Building" pane and defaults to xcode/build).
-Alternatively, at the command line, enter:
-
-  xcodebuild
-
-This will build the "Release" configuration of gtest.framework in your
-default build location.  See the "xcodebuild" man page for more
-information about building different configurations and building in
-different locations.
-
-If you wish to use the Google Test Xcode project with Xcode 4.x and
-above, you need to either:
- * update the SDK configuration options in xcode/Config/General.xconfig.
-   Comment options SDKROOT, MACOS_DEPLOYMENT_TARGET, and GCC_VERSION. If
-   you choose this route you lose the ability to target earlier versions
-   of MacOS X.
- * Install an SDK for an earlier version. This doesn't appear to be
-   supported by Apple, but has been reported to work
-   (http://stackoverflow.com/questions/5378518).
-
-Tweaking Google Test
---------------------
-
-Google Test can be used in diverse environments.  The default
-configuration may not work (or may not work well) out of the box in
-some environments.  However, you can easily tweak Google Test by
-defining control macros on the compiler command line.  Generally,
-these macros are named like GTEST_XYZ and you define them to either 1
-or 0 to enable or disable a certain feature.
-
-We list the most frequently used macros below.  For a complete list,
-see file include/gtest/internal/gtest-port.h.
-
-### Choosing a TR1 Tuple Library ###
-
-Some Google Test features require the C++ Technical Report 1 (TR1)
-tuple library, which is not yet available with all compilers.  The
-good news is that Google Test implements a subset of TR1 tuple that's
-enough for its own need, and will automatically use this when the
-compiler doesn't provide TR1 tuple.
-
-Usually you don't need to care about which tuple library Google Test
-uses.  However, if your project already uses TR1 tuple, you need to
-tell Google Test to use the same TR1 tuple library the rest of your
-project uses, or the two tuple implementations will clash.  To do
-that, add
-
-  -DGTEST_USE_OWN_TR1_TUPLE=0
-
-to the compiler flags while compiling Google Test and your tests.  If
-you want to force Google Test to use its own tuple library, just add
-
-  -DGTEST_USE_OWN_TR1_TUPLE=1
-
-to the compiler flags instead.
-
-If you don't want Google Test to use tuple at all, add
-
-  -DGTEST_HAS_TR1_TUPLE=0
-
-and all features using tuple will be disabled.
-
-### Multi-threaded Tests ###
-
-Google Test is thread-safe where the pthread library is available.
-After #include "gtest/gtest.h", you can check the GTEST_IS_THREADSAFE
-macro to see whether this is the case (yes if the macro is #defined to
-1, no if it's undefined.).
-
-If Google Test doesn't correctly detect whether pthread is available
-in your environment, you can force it with
-
-  -DGTEST_HAS_PTHREAD=1
-
-or
-
-  -DGTEST_HAS_PTHREAD=0
-
-When Google Test uses pthread, you may need to add flags to your
-compiler and/or linker to select the pthread library, or you'll get
-link errors.  If you use the CMake script or the deprecated Autotools
-script, this is taken care of for you.  If you use your own build
-script, you'll need to read your compiler and linker's manual to
-figure out what flags to add.
-
-### As a Shared Library (DLL) ###
-
-Google Test is compact, so most users can build and link it as a
-static library for the simplicity.  You can choose to use Google Test
-as a shared library (known as a DLL on Windows) if you prefer.
-
-To compile *gtest* as a shared library, add
-
-  -DGTEST_CREATE_SHARED_LIBRARY=1
-
-to the compiler flags.  You'll also need to tell the linker to produce
-a shared library instead - consult your linker's manual for how to do
-it.
-
-To compile your *tests* that use the gtest shared library, add
-
-  -DGTEST_LINKED_AS_SHARED_LIBRARY=1
-
-to the compiler flags.
-
-Note: while the above steps aren't technically necessary today when
-using some compilers (e.g. GCC), they may become necessary in the
-future, if we decide to improve the speed of loading the library (see
-http://gcc.gnu.org/wiki/Visibility for details).  Therefore you are
-recommended to always add the above flags when using Google Test as a
-shared library.  Otherwise a future release of Google Test may break
-your build script.
-
-### Avoiding Macro Name Clashes ###
-
-In C++, macros don't obey namespaces.  Therefore two libraries that
-both define a macro of the same name will clash if you #include both
-definitions.  In case a Google Test macro clashes with another
-library, you can force Google Test to rename its macro to avoid the
-conflict.
-
-Specifically, if both Google Test and some other code define macro
-FOO, you can add
-
-  -DGTEST_DONT_DEFINE_FOO=1
-
-to the compiler flags to tell Google Test to change the macro's name
-from FOO to GTEST_FOO.  Currently FOO can be FAIL, SUCCEED, or TEST.
-For example, with -DGTEST_DONT_DEFINE_TEST=1, you'll need to write
-
-  GTEST_TEST(SomeTest, DoesThis) { ... }
-
-instead of
-
-  TEST(SomeTest, DoesThis) { ... }
-
-in order to define a test.
-
-Upgrating from an Earlier Version
----------------------------------
-
-We strive to keep Google Test releases backward compatible.
-Sometimes, though, we have to make some breaking changes for the
-users' long-term benefits.  This section describes what you'll need to
-do if you are upgrading from an earlier version of Google Test.
-
-### Upgrading from 1.3.0 or Earlier ###
-
-You may need to explicitly enable or disable Google Test's own TR1
-tuple library.  See the instructions in section "Choosing a TR1 Tuple
-Library".
-
-### Upgrading from 1.4.0 or Earlier ###
-
-The Autotools build script (configure + make) is no longer officially
-supportted.  You are encouraged to migrate to your own build system or
-use CMake.  If you still need to use Autotools, you can find
-instructions in the README file from Google Test 1.4.0.
-
-On platforms where the pthread library is available, Google Test uses
-it in order to be thread-safe.  See the "Multi-threaded Tests" section
-for what this means to your build script.
-
-If you use Microsoft Visual C++ 7.1 with exceptions disabled, Google
-Test will no longer compile.  This should affect very few people, as a
-large portion of STL (including <string>) doesn't compile in this mode
-anyway.  We decided to stop supporting it in order to greatly simplify
-Google Test's implementation.
-
-Developing Google Test
-----------------------
-
-This section discusses how to make your own changes to Google Test.
-
-### Testing Google Test Itself ###
-
-To make sure your changes work as intended and don't break existing
-functionality, you'll want to compile and run Google Test's own tests.
-For that you can use CMake:
-
-  mkdir mybuild
-  cd mybuild
-  cmake -Dgtest_build_tests=ON ${GTEST_DIR}
-
-Make sure you have Python installed, as some of Google Test's tests
-are written in Python.  If the cmake command complains about not being
-able to find Python ("Could NOT find PythonInterp (missing:
-PYTHON_EXECUTABLE)"), try telling it explicitly where your Python
-executable can be found:
-
-  cmake -DPYTHON_EXECUTABLE=path/to/python -Dgtest_build_tests=ON ${GTEST_DIR}
-
-Next, you can build Google Test and all of its own tests.  On *nix,
-this is usually done by 'make'.  To run the tests, do
-
-  make test
-
-All tests should pass.
-
-### Regenerating Source Files ###
-
-Some of Google Test's source files are generated from templates (not
-in the C++ sense) using a script.  A template file is named FOO.pump,
-where FOO is the name of the file it will generate.  For example, the
-file include/gtest/internal/gtest-type-util.h.pump is used to generate
-gtest-type-util.h in the same directory.
-
-Normally you don't need to worry about regenerating the source files,
-unless you need to modify them.  In that case, you should modify the
-corresponding .pump files instead and run the pump.py Python script to
-regenerate them.  You can find pump.py in the scripts/ directory.
-Read the Pump manual [2] for how to use it.
-
-  [2] http://code.google.com/p/googletest/wiki/PumpManual
-
-### Contributing a Patch ###
-
-We welcome patches.  Please read the Google Test developer's guide [3]
-for how you can contribute.  In particular, make sure you have signed
-the Contributor License Agreement, or we won't be able to accept the
-patch.
-
-  [3] http://code.google.com/p/googletest/wiki/GoogleTestDevGuide
-
-Happy testing!
diff --git a/security/nss/gtests/google_test/gtest/README.md b/security/nss/gtests/google_test/gtest/README.md
new file mode 100644
index 0000000000..e30fe80471
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/README.md
@@ -0,0 +1,341 @@
+### Generic Build Instructions
+
+#### Setup
+
+To build Google Test and your tests that use it, you need to tell your build
+system where to find its headers and source files. The exact way to do it
+depends on which build system you use, and is usually straightforward.
+
+#### Build
+
+Suppose you put Google Test in directory `${GTEST_DIR}`. To build it, create a
+library build target (or a project as called by Visual Studio and Xcode) to
+compile
+
+    ${GTEST_DIR}/src/gtest-all.cc
+
+with `${GTEST_DIR}/include` in the system header search path and `${GTEST_DIR}`
+in the normal header search path. Assuming a Linux-like system and gcc,
+something like the following will do:
+
+    g++ -isystem ${GTEST_DIR}/include -I${GTEST_DIR} \
+        -pthread -c ${GTEST_DIR}/src/gtest-all.cc
+    ar -rv libgtest.a gtest-all.o
+
+(We need `-pthread` as Google Test uses threads.)
+
+Next, you should compile your test source file with `${GTEST_DIR}/include` in
+the system header search path, and link it with gtest and any other necessary
+libraries:
+
+    g++ -isystem ${GTEST_DIR}/include -pthread path/to/your_test.cc libgtest.a \
+        -o your_test
+
+As an example, the make/ directory contains a Makefile that you can use to build
+Google Test on systems where GNU make is available (e.g. Linux, Mac OS X, and
+Cygwin). It doesn't try to build Google Test's own tests. Instead, it just
+builds the Google Test library and a sample test. You can use it as a starting
+point for your own build script.
+
+If the default settings are correct for your environment, the following commands
+should succeed:
+
+    cd ${GTEST_DIR}/make
+    make
+    ./sample1_unittest
+
+If you see errors, try to tweak the contents of `make/Makefile` to make them go
+away. There are instructions in `make/Makefile` on how to do it.
+
+### Using CMake
+
+Google Test comes with a CMake build script (
+[CMakeLists.txt](https://github.com/google/googletest/blob/master/CMakeLists.txt))
+that can be used on a wide range of platforms ("C" stands for cross-platform.).
+If you don't have CMake installed already, you can download it for free from
+<http://www.cmake.org/>.
+
+CMake works by generating native makefiles or build projects that can be used in
+the compiler environment of your choice. You can either build Google Test as a
+standalone project or it can be incorporated into an existing CMake build for
+another project.
+
+#### Standalone CMake Project
+
+When building Google Test as a standalone project, the typical workflow starts
+with:
+
+    mkdir mybuild       # Create a directory to hold the build output.
+    cd mybuild
+    cmake ${GTEST_DIR}  # Generate native build scripts.
+
+If you want to build Google Test's samples, you should replace the last command
+with
+
+    cmake -Dgtest_build_samples=ON ${GTEST_DIR}
+
+If you are on a \*nix system, you should now see a Makefile in the current
+directory. Just type 'make' to build gtest.
+
+If you use Windows and have Visual Studio installed, a `gtest.sln` file and
+several `.vcproj` files will be created. You can then build them using Visual
+Studio.
+
+On Mac OS X with Xcode installed, a `.xcodeproj` file will be generated.
+
+#### Incorporating Into An Existing CMake Project
+
+If you want to use gtest in a project which already uses CMake, then a more
+robust and flexible approach is to build gtest as part of that project directly.
+This is done by making the GoogleTest source code available to the main build
+and adding it using CMake's `add_subdirectory()` command. This has the
+significant advantage that the same compiler and linker settings are used
+between gtest and the rest of your project, so issues associated with using
+incompatible libraries (eg debug/release), etc. are avoided. This is
+particularly useful on Windows. Making GoogleTest's source code available to the
+main build can be done a few different ways:
+
+*   Download the GoogleTest source code manually and place it at a known
+    location. This is the least flexible approach and can make it more difficult
+    to use with continuous integration systems, etc.
+*   Embed the GoogleTest source code as a direct copy in the main project's
+    source tree. This is often the simplest approach, but is also the hardest to
+    keep up to date. Some organizations may not permit this method.
+*   Add GoogleTest as a git submodule or equivalent. This may not always be
+    possible or appropriate. Git submodules, for example, have their own set of
+    advantages and drawbacks.
+*   Use CMake to download GoogleTest as part of the build's configure step. This
+    is just a little more complex, but doesn't have the limitations of the other
+    methods.
+
+The last of the above methods is implemented with a small piece of CMake code in
+a separate file (e.g. `CMakeLists.txt.in`) which is copied to the build area and
+then invoked as a sub-build _during the CMake stage_. That directory is then
+pulled into the main build with `add_subdirectory()`. For example:
+
+New file `CMakeLists.txt.in`:
+
+    cmake_minimum_required(VERSION 2.8.2)
+
+    project(googletest-download NONE)
+
+    include(ExternalProject)
+    ExternalProject_Add(googletest
+      GIT_REPOSITORY    https://github.com/google/googletest.git
+      GIT_TAG           master
+      SOURCE_DIR        "${CMAKE_BINARY_DIR}/googletest-src"
+      BINARY_DIR        "${CMAKE_BINARY_DIR}/googletest-build"
+      CONFIGURE_COMMAND ""
+      BUILD_COMMAND     ""
+      INSTALL_COMMAND   ""
+      TEST_COMMAND      ""
+    )
+
+Existing build's `CMakeLists.txt`:
+
+    # Download and unpack googletest at configure time
+    configure_file(CMakeLists.txt.in googletest-download/CMakeLists.txt)
+    execute_process(COMMAND ${CMAKE_COMMAND} -G "${CMAKE_GENERATOR}" .
+      RESULT_VARIABLE result
+      WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/googletest-download )
+    if(result)
+      message(FATAL_ERROR "CMake step for googletest failed: ${result}")
+    endif()
+    execute_process(COMMAND ${CMAKE_COMMAND} --build .
+      RESULT_VARIABLE result
+      WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/googletest-download )
+    if(result)
+      message(FATAL_ERROR "Build step for googletest failed: ${result}")
+    endif()
+
+    # Prevent overriding the parent project's compiler/linker
+    # settings on Windows
+    set(gtest_force_shared_crt ON CACHE BOOL "" FORCE)
+
+    # Add googletest directly to our build. This defines
+    # the gtest and gtest_main targets.
+    add_subdirectory(${CMAKE_BINARY_DIR}/googletest-src
+                     ${CMAKE_BINARY_DIR}/googletest-build
+                     EXCLUDE_FROM_ALL)
+
+    # The gtest/gtest_main targets carry header search path
+    # dependencies automatically when using CMake 2.8.11 or
+    # later. Otherwise we have to add them here ourselves.
+    if (CMAKE_VERSION VERSION_LESS 2.8.11)
+      include_directories("${gtest_SOURCE_DIR}/include")
+    endif()
+
+    # Now simply link against gtest or gtest_main as needed. Eg
+    add_executable(example example.cpp)
+    target_link_libraries(example gtest_main)
+    add_test(NAME example_test COMMAND example)
+
+Note that this approach requires CMake 2.8.2 or later due to its use of the
+`ExternalProject_Add()` command. The above technique is discussed in more detail
+in [this separate article](http://crascit.com/2015/07/25/cmake-gtest/) which
+also contains a link to a fully generalized implementation of the technique.
+
+##### Visual Studio Dynamic vs Static Runtimes
+
+By default, new Visual Studio projects link the C runtimes dynamically but
+Google Test links them statically. This will generate an error that looks
+something like the following: gtest.lib(gtest-all.obj) : error LNK2038: mismatch
+detected for 'RuntimeLibrary': value 'MTd_StaticDebug' doesn't match value
+'MDd_DynamicDebug' in main.obj
+
+Google Test already has a CMake option for this: `gtest_force_shared_crt`
+
+Enabling this option will make gtest link the runtimes dynamically too, and
+match the project in which it is included.
+
+### Legacy Build Scripts
+
+Before settling on CMake, we have been providing hand-maintained build
+projects/scripts for Visual Studio, Xcode, and Autotools. While we continue to
+provide them for convenience, they are not actively maintained any more. We
+highly recommend that you follow the instructions in the above sections to
+integrate Google Test with your existing build system.
+
+If you still need to use the legacy build scripts, here's how:
+
+The msvc\ folder contains two solutions with Visual C++ projects. Open the
+`gtest.sln` or `gtest-md.sln` file using Visual Studio, and you are ready to
+build Google Test the same way you build any Visual Studio project. Files that
+have names ending with -md use DLL versions of Microsoft runtime libraries (the
+/MD or the /MDd compiler option). Files without that suffix use static versions
+of the runtime libraries (the /MT or the /MTd option). Please note that one must
+use the same option to compile both gtest and the test code. If you use Visual
+Studio 2005 or above, we recommend the -md version as /MD is the default for new
+projects in these versions of Visual Studio.
+
+On Mac OS X, open the `gtest.xcodeproj` in the `xcode/` folder using Xcode.
+Build the "gtest" target. The universal binary framework will end up in your
+selected build directory (selected in the Xcode "Preferences..." -> "Building"
+pane and defaults to xcode/build). Alternatively, at the command line, enter:
+
+    xcodebuild
+
+This will build the "Release" configuration of gtest.framework in your default
+build location. See the "xcodebuild" man page for more information about
+building different configurations and building in different locations.
+
+If you wish to use the Google Test Xcode project with Xcode 4.x and above, you
+need to either:
+
+*   update the SDK configuration options in xcode/Config/General.xconfig.
+    Comment options `SDKROOT`, `MACOS_DEPLOYMENT_TARGET`, and `GCC_VERSION`. If
+    you choose this route you lose the ability to target earlier versions of
+    MacOS X.
+*   Install an SDK for an earlier version. This doesn't appear to be supported
+    by Apple, but has been reported to work
+    (http://stackoverflow.com/questions/5378518).
+
+### Tweaking Google Test
+
+Google Test can be used in diverse environments. The default configuration may
+not work (or may not work well) out of the box in some environments. However,
+you can easily tweak Google Test by defining control macros on the compiler
+command line. Generally, these macros are named like `GTEST_XYZ` and you define
+them to either 1 or 0 to enable or disable a certain feature.
+
+We list the most frequently used macros below. For a complete list, see file
+[include/gtest/internal/gtest-port.h](https://github.com/google/googletest/blob/master/include/gtest/internal/gtest-port.h).
+
+### Choosing a TR1 Tuple Library
+
+Some Google Test features require the C++ Technical Report 1 (TR1) tuple
+library, which is not yet available with all compilers. The good news is that
+Google Test implements a subset of TR1 tuple that's enough for its own need, and
+will automatically use this when the compiler doesn't provide TR1 tuple.
+
+Usually you don't need to care about which tuple library Google Test uses.
+However, if your project already uses TR1 tuple, you need to tell Google Test to
+use the same TR1 tuple library the rest of your project uses, or the two tuple
+implementations will clash. To do that, add
+
+    -DGTEST_USE_OWN_TR1_TUPLE=0
+
+to the compiler flags while compiling Google Test and your tests. If you want to
+force Google Test to use its own tuple library, just add
+
+    -DGTEST_USE_OWN_TR1_TUPLE=1
+
+to the compiler flags instead.
+
+If you don't want Google Test to use tuple at all, add
+
+    -DGTEST_HAS_TR1_TUPLE=0
+
+and all features using tuple will be disabled.
+
+### Multi-threaded Tests
+
+Google Test is thread-safe where the pthread library is available. After
+`#include "gtest/gtest.h"`, you can check the `GTEST_IS_THREADSAFE` macro to see
+whether this is the case (yes if the macro is `#defined` to 1, no if it's
+undefined.).
+
+If Google Test doesn't correctly detect whether pthread is available in your
+environment, you can force it with
+
+    -DGTEST_HAS_PTHREAD=1
+
+or
+
+    -DGTEST_HAS_PTHREAD=0
+
+When Google Test uses pthread, you may need to add flags to your compiler and/or
+linker to select the pthread library, or you'll get link errors. If you use the
+CMake script or the deprecated Autotools script, this is taken care of for you.
+If you use your own build script, you'll need to read your compiler and linker's
+manual to figure out what flags to add.
+
+### As a Shared Library (DLL)
+
+Google Test is compact, so most users can build and link it as a static library
+for the simplicity. You can choose to use Google Test as a shared library (known
+as a DLL on Windows) if you prefer.
+
+To compile *gtest* as a shared library, add
+
+    -DGTEST_CREATE_SHARED_LIBRARY=1
+
+to the compiler flags. You'll also need to tell the linker to produce a shared
+library instead - consult your linker's manual for how to do it.
+
+To compile your *tests* that use the gtest shared library, add
+
+    -DGTEST_LINKED_AS_SHARED_LIBRARY=1
+
+to the compiler flags.
+
+Note: while the above steps aren't technically necessary today when using some
+compilers (e.g. GCC), they may become necessary in the future, if we decide to
+improve the speed of loading the library (see
+<http://gcc.gnu.org/wiki/Visibility> for details). Therefore you are recommended
+to always add the above flags when using Google Test as a shared library.
+Otherwise a future release of Google Test may break your build script.
+
+### Avoiding Macro Name Clashes
+
+In C++, macros don't obey namespaces. Therefore two libraries that both define a
+macro of the same name will clash if you `#include` both definitions. In case a
+Google Test macro clashes with another library, you can force Google Test to
+rename its macro to avoid the conflict.
+
+Specifically, if both Google Test and some other code define macro FOO, you can
+add
+
+    -DGTEST_DONT_DEFINE_FOO=1
+
+to the compiler flags to tell Google Test to change the macro's name from `FOO`
+to `GTEST_FOO`. Currently `FOO` can be `FAIL`, `SUCCEED`, or `TEST`. For
+example, with `-DGTEST_DONT_DEFINE_TEST=1`, you'll need to write
+
+    GTEST_TEST(SomeTest, DoesThis) { ... }
+
+instead of
+
+    TEST(SomeTest, DoesThis) { ... }
+
+in order to define a test.
diff --git a/security/nss/gtests/google_test/gtest/build-aux/.keep b/security/nss/gtests/google_test/gtest/build-aux/.keep
deleted file mode 100644
index e69de29bb2..0000000000
--- a/security/nss/gtests/google_test/gtest/build-aux/.keep
+++ /dev/null
diff --git a/security/nss/gtests/google_test/gtest/cmake/Config.cmake.in b/security/nss/gtests/google_test/gtest/cmake/Config.cmake.in
new file mode 100644
index 0000000000..12be4498b1
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/cmake/Config.cmake.in
@@ -0,0 +1,9 @@
+@PACKAGE_INIT@
+include(CMakeFindDependencyMacro)
+if (@GTEST_HAS_PTHREAD@)
+  set(THREADS_PREFER_PTHREAD_FLAG @THREADS_PREFER_PTHREAD_FLAG@)
+  find_dependency(Threads)
+endif()
+
+include("${CMAKE_CURRENT_LIST_DIR}/@targets_export_name@.cmake")
+check_required_components("@project_name@")
diff --git a/security/nss/gtests/google_test/gtest/cmake/gtest.pc.in b/security/nss/gtests/google_test/gtest/cmake/gtest.pc.in
new file mode 100644
index 0000000000..e7967ad56f
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/cmake/gtest.pc.in
@@ -0,0 +1,9 @@
+libdir=@CMAKE_INSTALL_FULL_LIBDIR@
+includedir=@CMAKE_INSTALL_FULL_INCLUDEDIR@
+
+Name: gtest
+Description: GoogleTest (without main() function)
+Version: @PROJECT_VERSION@
+URL: https://github.com/google/googletest
+Libs: -L${libdir} -lgtest @CMAKE_THREAD_LIBS_INIT@
+Cflags: -I${includedir} @GTEST_HAS_PTHREAD_MACRO@ @CMAKE_THREAD_LIBS_INIT@
diff --git a/security/nss/gtests/google_test/gtest/cmake/gtest_main.pc.in b/security/nss/gtests/google_test/gtest/cmake/gtest_main.pc.in
new file mode 100644
index 0000000000..fe25d9c73c
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/cmake/gtest_main.pc.in
@@ -0,0 +1,10 @@
+libdir=@CMAKE_INSTALL_FULL_LIBDIR@
+includedir=@CMAKE_INSTALL_FULL_INCLUDEDIR@
+
+Name: gtest_main
+Description: GoogleTest (with main() function)
+Version: @PROJECT_VERSION@
+URL: https://github.com/google/googletest
+Requires: gtest
+Libs: -L${libdir} -lgtest_main @CMAKE_THREAD_LIBS_INIT@
+Cflags: -I${includedir} @GTEST_HAS_PTHREAD_MACRO@ @CMAKE_THREAD_LIBS_INIT@
diff --git a/security/nss/gtests/google_test/gtest/cmake/internal_utils.cmake b/security/nss/gtests/google_test/gtest/cmake/internal_utils.cmake
index 93e6dbb7c1..8c1f9ba99c 100644
--- a/security/nss/gtests/google_test/gtest/cmake/internal_utils.cmake
+++ b/security/nss/gtests/google_test/gtest/cmake/internal_utils.cmake
@@ -20,7 +20,7 @@ macro(fix_default_compiler_settings_)
   if (MSVC)
     # For MSVC, CMake sets certain flags to defaults we want to override.
     # This replacement code is taken from sample in the CMake Wiki at
-    # http://www.cmake.org/Wiki/CMake_FAQ#Dynamic_Replace.
+    # https://gitlab.kitware.com/cmake/community/wikis/FAQ#dynamic-replace.
     foreach (flag_var
              CMAKE_CXX_FLAGS CMAKE_CXX_FLAGS_DEBUG CMAKE_CXX_FLAGS_RELEASE
              CMAKE_CXX_FLAGS_MINSIZEREL CMAKE_CXX_FLAGS_RELWITHDEBINFO)
@@ -38,6 +38,11 @@ macro(fix_default_compiler_settings_)
       # We prefer more strict warning checking for building Google Test.
       # Replaces /W3 with /W4 in defaults.
       string(REPLACE "/W3" "/W4" ${flag_var} "${${flag_var}}")
+
+      # Prevent D9025 warning for targets that have exception handling
+      # turned off (/EHs-c- flag). Where required, exceptions are explicitly
+      # re-enabled using the cxx_exception_flags variable.
+      string(REPLACE "/EHsc" "" ${flag_var} "${${flag_var}}")
     endforeach()
   endif()
 endmacro()
@@ -46,9 +51,16 @@ endmacro()
 # Google Mock.  You can tweak these definitions to suit your need.  A
 # variable's value is empty before it's explicitly assigned to.
 macro(config_compiler_and_linker)
-  if (NOT gtest_disable_pthreads)
+  # Note: pthreads on MinGW is not supported, even if available
+  # instead, we use windows threading primitives
+  unset(GTEST_HAS_PTHREAD)
+  if (NOT gtest_disable_pthreads AND NOT MINGW)
     # Defines CMAKE_USE_PTHREADS_INIT and CMAKE_THREAD_LIBS_INIT.
+    set(THREADS_PREFER_PTHREAD_FLAG ON)
     find_package(Threads)
+    if (CMAKE_USE_PTHREADS_INIT)
+      set(GTEST_HAS_PTHREAD ON)
+    endif()
   endif()
 
   fix_default_compiler_settings_()
@@ -84,10 +96,13 @@ macro(config_compiler_and_linker)
     set(cxx_base_flags "${cxx_base_flags} -D_UNICODE -DUNICODE -DWIN32 -D_WIN32")
     set(cxx_base_flags "${cxx_base_flags} -DSTRICT -DWIN32_LEAN_AND_MEAN")
     set(cxx_exception_flags "-EHsc -D_HAS_EXCEPTIONS=1")
-    set(cxx_no_exception_flags "-D_HAS_EXCEPTIONS=0")
+    set(cxx_no_exception_flags "-EHs-c- -D_HAS_EXCEPTIONS=0")
     set(cxx_no_rtti_flags "-GR-")
   elseif (CMAKE_COMPILER_IS_GNUCXX)
-    set(cxx_base_flags "-Wall -Wshadow")
+    set(cxx_base_flags "-Wall -Wshadow -Werror")
+    if(NOT CMAKE_CXX_COMPILER_VERSION VERSION_LESS 7.0.0)
+      set(cxx_base_flags "${cxx_base_flags} -Wno-error=dangling-else")
+    endif()
     set(cxx_exception_flags "-fexceptions")
     set(cxx_no_exception_flags "-fno-exceptions")
     # Until version 4.3.2, GCC doesn't define a macro to indicate
@@ -119,14 +134,16 @@ macro(config_compiler_and_linker)
     set(cxx_no_rtti_flags "")
   endif()
 
-  if (CMAKE_USE_PTHREADS_INIT)  # The pthreads library is available and allowed.
-    set(cxx_base_flags "${cxx_base_flags} -DGTEST_HAS_PTHREAD=1")
+  # The pthreads library is available and allowed?
+  if (DEFINED GTEST_HAS_PTHREAD)
+    set(GTEST_HAS_PTHREAD_MACRO "-DGTEST_HAS_PTHREAD=1")
   else()
-    set(cxx_base_flags "${cxx_base_flags} -DGTEST_HAS_PTHREAD=0")
+    set(GTEST_HAS_PTHREAD_MACRO "-DGTEST_HAS_PTHREAD=0")
   endif()
+  set(cxx_base_flags "${cxx_base_flags} ${GTEST_HAS_PTHREAD_MACRO}")
 
   # For building gtest's own tests and samples.
-  set(cxx_exception "${CMAKE_CXX_FLAGS} ${cxx_base_flags} ${cxx_exception_flags}")
+  set(cxx_exception "${cxx_base_flags} ${cxx_exception_flags}")
   set(cxx_no_exception
     "${CMAKE_CXX_FLAGS} ${cxx_base_flags} ${cxx_no_exception_flags}")
   set(cxx_default "${cxx_exception}")
@@ -146,13 +163,26 @@ function(cxx_library_with_type name type cxx_flags)
   set_target_properties(${name}
     PROPERTIES
     COMPILE_FLAGS "${cxx_flags}")
+  # Generate debug library name with a postfix.
+  set_target_properties(${name}
+    PROPERTIES
+    DEBUG_POSTFIX "d")
   if (BUILD_SHARED_LIBS OR type STREQUAL "SHARED")
     set_target_properties(${name}
       PROPERTIES
       COMPILE_DEFINITIONS "GTEST_CREATE_SHARED_LIBRARY=1")
+    if (NOT "${CMAKE_VERSION}" VERSION_LESS "2.8.11")
+      target_compile_definitions(${name} INTERFACE
+        $<INSTALL_INTERFACE:GTEST_LINKED_AS_SHARED_LIBRARY=1>)
+    endif()
   endif()
-  if (CMAKE_USE_PTHREADS_INIT)
-    target_link_libraries(${name} ${CMAKE_THREAD_LIBS_INIT})
+  if (DEFINED GTEST_HAS_PTHREAD)
+    if ("${CMAKE_VERSION}" VERSION_LESS "3.1.0")
+      set(threads_spec ${CMAKE_THREAD_LIBS_INIT})
+    else()
+      set(threads_spec Threads::Threads)
+    endif()
+    target_link_libraries(${name} PUBLIC ${threads_spec})
   endif()
 endfunction()
 
@@ -174,6 +204,10 @@ endfunction()
 # is built from the given source files with the given compiler flags.
 function(cxx_executable_with_flags name cxx_flags libs)
   add_executable(${name} ${ARGN})
+  if (MSVC AND (NOT (MSVC_VERSION LESS 1700)))  # 1700 is Visual Studio 2012.
+    # BigObj required for tests.
+    set(cxx_flags "${cxx_flags} -bigobj")
+  endif()
   if (cxx_flags)
     set_target_properties(${name}
       PROPERTIES
@@ -210,7 +244,7 @@ find_package(PythonInterp)
 # from the given source files with the given compiler flags.
 function(cxx_test_with_flags name cxx_flags libs)
   cxx_executable_with_flags(${name} "${cxx_flags}" "${libs}" ${ARGN})
-  add_test(${name} ${name})
+  add_test(NAME ${name} COMMAND ${name})
 endfunction()
 
 # cxx_test(name libs srcs...)
@@ -228,15 +262,57 @@ endfunction()
 # creates a Python test with the given name whose main module is in
 # test/name.py.  It does nothing if Python is not installed.
 function(py_test name)
-  # We are not supporting Python tests on Linux yet as they consider
-  # all Linux environments to be google3 and try to use google3 features.
   if (PYTHONINTERP_FOUND)
-    # ${CMAKE_BINARY_DIR} is known at configuration time, so we can
-    # directly bind it from cmake. ${CTEST_CONFIGURATION_TYPE} is known
-    # only at ctest runtime (by calling ctest -c <Configuration>), so
-    # we have to escape $ to delay variable substitution here.
-    add_test(${name}
-      ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/test/${name}.py
-          --build_dir=${CMAKE_CURRENT_BINARY_DIR}/\${CTEST_CONFIGURATION_TYPE})
+    if (${CMAKE_MAJOR_VERSION}.${CMAKE_MINOR_VERSION} GREATER 3.1)
+      if (CMAKE_CONFIGURATION_TYPES)
+	# Multi-configuration build generators as for Visual Studio save
+	# output in a subdirectory of CMAKE_CURRENT_BINARY_DIR (Debug,
+	# Release etc.), so we have to provide it here.
+        add_test(
+          NAME ${name}
+          COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/test/${name}.py
+              --build_dir=${CMAKE_CURRENT_BINARY_DIR}/$<CONFIG> ${ARGN})
+      else (CMAKE_CONFIGURATION_TYPES)
+	# Single-configuration build generators like Makefile generators
+	# don't have subdirs below CMAKE_CURRENT_BINARY_DIR.
+        add_test(
+          NAME ${name}
+          COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/test/${name}.py
+              --build_dir=${CMAKE_CURRENT_BINARY_DIR} ${ARGN})
+      endif (CMAKE_CONFIGURATION_TYPES)
+    else (${CMAKE_MAJOR_VERSION}.${CMAKE_MINOR_VERSION} GREATER 3.1)
+      # ${CMAKE_CURRENT_BINARY_DIR} is known at configuration time, so we can
+      # directly bind it from cmake. ${CTEST_CONFIGURATION_TYPE} is known
+      # only at ctest runtime (by calling ctest -c <Configuration>), so
+      # we have to escape $ to delay variable substitution here.
+      add_test(
+        ${name}
+        ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/test/${name}.py
+          --build_dir=${CMAKE_CURRENT_BINARY_DIR}/\${CTEST_CONFIGURATION_TYPE} ${ARGN})
+    endif (${CMAKE_MAJOR_VERSION}.${CMAKE_MINOR_VERSION} GREATER 3.1)
+  endif(PYTHONINTERP_FOUND)
+endfunction()
+
+# install_project(targets...)
+#
+# Installs the specified targets and configures the associated pkgconfig files.
+function(install_project)
+  if(INSTALL_GTEST)
+    install(DIRECTORY "${PROJECT_SOURCE_DIR}/include/"
+      DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}")
+    # Install the project targets.
+    install(TARGETS ${ARGN}
+      EXPORT ${targets_export_name}
+      RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
+      ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+      LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}")
+    # Configure and install pkgconfig files.
+    foreach(t ${ARGN})
+      set(configured_pc "${generated_dir}/${t}.pc")
+      configure_file("${PROJECT_SOURCE_DIR}/cmake/${t}.pc.in"
+        "${configured_pc}" @ONLY)
+      install(FILES "${configured_pc}"
+        DESTINATION "${CMAKE_INSTALL_LIBDIR}/pkgconfig")
+    endforeach()
   endif()
 endfunction()
diff --git a/security/nss/gtests/google_test/gtest/configure.ac b/security/nss/gtests/google_test/gtest/configure.ac
index cc592e1583..254c8c4b31 100644
--- a/security/nss/gtests/google_test/gtest/configure.ac
+++ b/security/nss/gtests/google_test/gtest/configure.ac
@@ -5,7 +5,7 @@ m4_include(m4/acx_pthread.m4)
 # "[1.0.1]"). It also asumes that there won't be any closing parenthesis
 # between "AC_INIT(" and the closing ")" including comments and strings.
 AC_INIT([Google C++ Testing Framework],
-        [1.7.0],
+        [1.8.0],
         [googletestframework@googlegroups.com],
         [gtest])
 
diff --git a/security/nss/gtests/google_test/gtest/docs/Pkgconfig.md b/security/nss/gtests/google_test/gtest/docs/Pkgconfig.md
new file mode 100644
index 0000000000..97612894d2
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/Pkgconfig.md
@@ -0,0 +1,146 @@
+## Using GoogleTest from various build systems ##
+
+GoogleTest comes with pkg-config files that can be used to determine all
+necessary flags for compiling and linking to GoogleTest (and GoogleMock).
+Pkg-config is a standardised plain-text format containing
+
+  * the includedir (-I) path
+  * necessary macro (-D) definitions
+  * further required flags (-pthread)
+  * the library (-L) path
+  * the library (-l) to link to
+
+All current build systems support pkg-config in one way or another. For
+all examples here we assume you want to compile the sample
+`samples/sample3_unittest.cc`.
+
+
+### CMake ###
+
+Using `pkg-config` in CMake is fairly easy:
+
+```
+cmake_minimum_required(VERSION 3.0)
+
+cmake_policy(SET CMP0048 NEW)
+project(my_gtest_pkgconfig VERSION 0.0.1 LANGUAGES CXX)
+
+find_package(PkgConfig)
+pkg_search_module(GTEST REQUIRED gtest_main)
+
+add_executable(testapp samples/sample3_unittest.cc)
+target_link_libraries(testapp ${GTEST_LDFLAGS})
+target_compile_options(testapp PUBLIC ${GTEST_CFLAGS})
+
+include(CTest)
+add_test(first_and_only_test testapp)
+```
+
+It is generally recommended that you use `target_compile_options` + `_CFLAGS`
+over `target_include_directories` + `_INCLUDE_DIRS` as the former includes not
+just -I flags (GoogleTest might require a macro indicating to internal headers
+that all libraries have been compiled with threading enabled. In addition,
+GoogleTest might also require `-pthread` in the compiling step, and as such
+splitting the pkg-config `Cflags` variable into include dirs and macros for
+`target_compile_definitions()` might still miss this). The same recommendation
+goes for using `_LDFLAGS` over the more commonplace `_LIBRARIES`, which
+happens to discard `-L` flags and `-pthread`.
+
+
+### Autotools ###
+
+Finding GoogleTest in Autoconf and using it from Automake is also fairly easy:
+
+In your `configure.ac`:
+
+```
+AC_PREREQ([2.69])
+AC_INIT([my_gtest_pkgconfig], [0.0.1])
+AC_CONFIG_SRCDIR([samples/sample3_unittest.cc])
+AC_PROG_CXX
+
+PKG_CHECK_MODULES([GTEST], [gtest_main])
+
+AM_INIT_AUTOMAKE([foreign subdir-objects])
+AC_CONFIG_FILES([Makefile])
+AC_OUTPUT
+```
+
+and in your `Makefile.am`:
+
+```
+check_PROGRAMS = testapp
+TESTS = $(check_PROGRAMS)
+
+testapp_SOURCES = samples/sample3_unittest.cc
+testapp_CXXFLAGS = $(GTEST_CFLAGS)
+testapp_LDADD = $(GTEST_LIBS)
+```
+
+
+### Meson ###
+
+Meson natively uses pkgconfig to query dependencies:
+
+```
+project('my_gtest_pkgconfig', 'cpp', version : '0.0.1')
+
+gtest_dep = dependency('gtest_main')
+
+testapp = executable(
+  'testapp',
+  files(['samples/sample3_unittest.cc']),
+  dependencies : gtest_dep,
+  install : false)
+
+test('first_and_only_test', testapp)
+```
+
+
+### Plain Makefiles ###
+
+Since `pkg-config` is a small Unix command-line utility, it can be used
+in handwritten `Makefile`s too:
+
+```
+GTEST_CFLAGS = `pkg-config --cflags gtest_main`
+GTEST_LIBS = `pkg-config --libs gtest_main`
+
+.PHONY: tests all
+
+tests: all
+	./testapp
+
+all: testapp
+
+testapp: testapp.o
+	$(CXX) $(CXXFLAGS) $(LDFLAGS) $< -o $@ $(GTEST_LIBS)
+
+testapp.o: samples/sample3_unittest.cc
+	$(CXX) $(CPPFLAGS) $(CXXFLAGS) $< -c -o $@ $(GTEST_CFLAGS)
+```
+
+
+### Help! pkg-config can't find GoogleTest! ###
+
+Let's say you have a `CMakeLists.txt` along the lines of the one in this
+tutorial and you try to run `cmake`. It is very possible that you get a
+failure along the lines of:
+
+```
+-- Checking for one of the modules 'gtest_main'
+CMake Error at /usr/share/cmake/Modules/FindPkgConfig.cmake:640 (message):
+  None of the required 'gtest_main' found
+```
+
+These failures are common if you installed GoogleTest yourself and have not
+sourced it from a distro or other package manager. If so, you need to tell
+pkg-config where it can find the `.pc` files containing the information.
+Say you installed GoogleTest to `/usr/local`, then it might be that the
+`.pc` files are installed under `/usr/local/lib64/pkgconfig`. If you set
+
+```
+export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig
+```
+
+pkg-config will also try to look in `PKG_CONFIG_PATH` to find `gtest_main.pc`.
diff --git a/security/nss/gtests/google_test/gtest/docs/PumpManual.md b/security/nss/gtests/google_test/gtest/docs/PumpManual.md
new file mode 100644
index 0000000000..827bb24b04
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/PumpManual.md
@@ -0,0 +1,177 @@
+
+
+<b>P</b>ump is <b>U</b>seful for <b>M</b>eta <b>P</b>rogramming.
+
+# The Problem #
+
+Template and macro libraries often need to define many classes,
+functions, or macros that vary only (or almost only) in the number of
+arguments they take. It's a lot of repetitive, mechanical, and
+error-prone work.
+
+Variadic templates and variadic macros can alleviate the problem.
+However, while both are being considered by the C++ committee, neither
+is in the standard yet or widely supported by compilers.  Thus they
+are often not a good choice, especially when your code needs to be
+portable. And their capabilities are still limited.
+
+As a result, authors of such libraries often have to write scripts to
+generate their implementation. However, our experience is that it's
+tedious to write such scripts, which tend to reflect the structure of
+the generated code poorly and are often hard to read and edit. For
+example, a small change needed in the generated code may require some
+non-intuitive, non-trivial changes in the script. This is especially
+painful when experimenting with the code.
+
+# Our Solution #
+
+Pump (for Pump is Useful for Meta Programming, Pretty Useful for Meta
+Programming, or Practical Utility for Meta Programming, whichever you
+prefer) is a simple meta-programming tool for C++. The idea is that a
+programmer writes a `foo.pump` file which contains C++ code plus meta
+code that manipulates the C++ code. The meta code can handle
+iterations over a range, nested iterations, local meta variable
+definitions, simple arithmetic, and conditional expressions. You can
+view it as a small Domain-Specific Language. The meta language is
+designed to be non-intrusive (s.t. it won't confuse Emacs' C++ mode,
+for example) and concise, making Pump code intuitive and easy to
+maintain.
+
+## Highlights ##
+
+  * The implementation is in a single Python script and thus ultra portable: no build or installation is needed and it works cross platforms.
+  * Pump tries to be smart with respect to [Google's style guide](https://github.com/google/styleguide): it breaks long lines (easy to have when they are generated) at acceptable places to fit within 80 columns and indent the continuation lines correctly.
+  * The format is human-readable and more concise than XML.
+  * The format works relatively well with Emacs' C++ mode.
+
+## Examples ##
+
+The following Pump code (where meta keywords start with `$`, `[[` and `]]` are meta brackets, and `$$` starts a meta comment that ends with the line):
+
+```
+$var n = 3     $$ Defines a meta variable n.
+$range i 0..n  $$ Declares the range of meta iterator i (inclusive).
+$for i [[
+               $$ Meta loop.
+// Foo$i does blah for $i-ary predicates.
+$range j 1..i
+template <size_t N $for j [[, typename A$j]]>
+class Foo$i {
+$if i == 0 [[
+  blah a;
+]] $elif i <= 2 [[
+  blah b;
+]] $else [[
+  blah c;
+]]
+};
+
+]]
+```
+
+will be translated by the Pump compiler to:
+
+```
+// Foo0 does blah for 0-ary predicates.
+template <size_t N>
+class Foo0 {
+  blah a;
+};
+
+// Foo1 does blah for 1-ary predicates.
+template <size_t N, typename A1>
+class Foo1 {
+  blah b;
+};
+
+// Foo2 does blah for 2-ary predicates.
+template <size_t N, typename A1, typename A2>
+class Foo2 {
+  blah b;
+};
+
+// Foo3 does blah for 3-ary predicates.
+template <size_t N, typename A1, typename A2, typename A3>
+class Foo3 {
+  blah c;
+};
+```
+
+In another example,
+
+```
+$range i 1..n
+Func($for i + [[a$i]]);
+$$ The text between i and [[ is the separator between iterations.
+```
+
+will generate one of the following lines (without the comments), depending on the value of `n`:
+
+```
+Func();              // If n is 0.
+Func(a1);            // If n is 1.
+Func(a1 + a2);       // If n is 2.
+Func(a1 + a2 + a3);  // If n is 3.
+// And so on...
+```
+
+## Constructs ##
+
+We support the following meta programming constructs:
+
+| `$var id = exp` | Defines a named constant value. `$id` is valid util the end of the current meta lexical block. |
+|:----------------|:-----------------------------------------------------------------------------------------------|
+| `$range id exp..exp` | Sets the range of an iteration variable, which can be reused in multiple loops later.          |
+| `$for id sep [[ code ]]` | Iteration. The range of `id` must have been defined earlier. `$id` is valid in `code`.         |
+| `$($)`          | Generates a single `$` character.                                                              |
+| `$id`           | Value of the named constant or iteration variable.                                             |
+| `$(exp)`        | Value of the expression.                                                                       |
+| `$if exp [[ code ]] else_branch` | Conditional.                                                                                   |
+| `[[ code ]]`    | Meta lexical block.                                                                            |
+| `cpp_code`      | Raw C++ code.                                                                                  |
+| `$$ comment`    | Meta comment.                                                                                  |
+
+**Note:** To give the user some freedom in formatting the Pump source
+code, Pump ignores a new-line character if it's right after `$for foo`
+or next to `[[` or `]]`. Without this rule you'll often be forced to write
+very long lines to get the desired output. Therefore sometimes you may
+need to insert an extra new-line in such places for a new-line to show
+up in your output.
+
+## Grammar ##
+
+```
+code ::= atomic_code*
+atomic_code ::= $var id = exp
+    | $var id = [[ code ]]
+    | $range id exp..exp
+    | $for id sep [[ code ]]
+    | $($)
+    | $id
+    | $(exp)
+    | $if exp [[ code ]] else_branch
+    | [[ code ]]
+    | cpp_code
+sep ::= cpp_code | empty_string
+else_branch ::= $else [[ code ]]
+    | $elif exp [[ code ]] else_branch
+    | empty_string
+exp ::= simple_expression_in_Python_syntax
+```
+
+## Code ##
+
+You can find the source code of Pump in [scripts/pump.py](../scripts/pump.py). It is still
+very unpolished and lacks automated tests, although it has been
+successfully used many times. If you find a chance to use it in your
+project, please let us know what you think!  We also welcome help on
+improving Pump.
+
+## Real Examples ##
+
+You can find real-world applications of Pump in [Google Test](https://github.com/google/googletest/tree/master/googletest) and [Google Mock](https://github.com/google/googletest/tree/master/googlemock). The source file `foo.h.pump` generates `foo.h`.
+
+## Tips ##
+
+  * If a meta variable is followed by a letter or digit, you can separate them using `[[]]`, which inserts an empty string. For example `Foo$j[[]]Helper` generate `Foo1Helper` when `j` is 1.
+  * To avoid extra-long Pump source lines, you can break a line anywhere you want by inserting `[[]]` followed by a new line. Since any new-line character next to `[[` or `]]` is ignored, the generated code won't contain this new line.
diff --git a/security/nss/gtests/google_test/gtest/docs/XcodeGuide.md b/security/nss/gtests/google_test/gtest/docs/XcodeGuide.md
new file mode 100644
index 0000000000..1c60a33dad
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/XcodeGuide.md
@@ -0,0 +1,93 @@
+
+
+This guide will explain how to use the Google Testing Framework in your Xcode projects on Mac OS X. This tutorial begins by quickly explaining what to do for experienced users. After the quick start, the guide goes provides additional explanation about each step.
+
+# Quick Start #
+
+Here is the quick guide for using Google Test in your Xcode project.
+
+  1. Download the source from the [website](https://github.com/google/googletest) using this command: `svn checkout http://googletest.googlecode.com/svn/trunk/ googletest-read-only`.
+  1. Open up the `gtest.xcodeproj` in the `googletest-read-only/xcode/` directory and build the gtest.framework.
+  1. Create a new "Shell Tool" target in your Xcode project called something like "UnitTests".
+  1. Add the gtest.framework to your project and add it to the "Link Binary with Libraries" build phase of "UnitTests".
+  1. Add your unit test source code to the "Compile Sources" build phase of "UnitTests".
+  1. Edit the "UnitTests" executable and add an environment variable named "DYLD\_FRAMEWORK\_PATH" with a value equal to the path to the framework containing the gtest.framework relative to the compiled executable.
+  1. Build and Go.
+
+The following sections further explain each of the steps listed above in depth, describing in more detail how to complete it including some variations.
+
+# Get the Source #
+
+Currently, the gtest.framework discussed here isn't available in a tagged release of Google Test, it is only available in the trunk. As explained at the Google Test [site](https://github.com/google/googletest), you can get the code from anonymous SVN with this command:
+
+```
+svn checkout http://googletest.googlecode.com/svn/trunk/ googletest-read-only
+```
+
+Alternatively, if you are working with Subversion in your own code base, you can add Google Test as an external dependency to your own Subversion repository. By following this approach, everyone that checks out your svn repository will also receive a copy of Google Test (a specific version, if you wish) without having to check it out explicitly. This makes the set up of your project simpler and reduces the copied code in the repository.
+
+To use `svn:externals`, decide where you would like to have the external source reside. You might choose to put the external source inside the trunk, because you want it to be part of the branch when you make a release. However, keeping it outside the trunk in a version-tagged directory called something like `third-party/googletest/1.0.1`, is another option. Once the location is established, use `svn propedit svn:externals _directory_` to set the svn:externals property on a directory in your repository. This directory won't contain the code, but be its versioned parent directory.
+
+The command `svn propedit` will bring up your Subversion editor, making editing the long, (potentially multi-line) property simpler. This same method can be used to check out a tagged branch, by using the appropriate URL (e.g. `https://github.com/google/googletest/releases/tag/release-1.0.1`). Additionally, the svn:externals property allows the specification of a particular revision of the trunk with the `-r_##_` option (e.g. `externals/src/googletest -r60 http://googletest.googlecode.com/svn/trunk`).
+
+Here is an example of using the svn:externals properties on a trunk (read via `svn propget`) of a project. This value checks out a copy of Google Test into the `trunk/externals/src/googletest/` directory.
+
+```
+[Computer:svn] user$ svn propget svn:externals trunk
+externals/src/googletest http://googletest.googlecode.com/svn/trunk
+```
+
+# Add the Framework to Your Project #
+
+The next step is to build and add the gtest.framework to your own project. This guide describes two common ways below.
+
+  * **Option 1** --- The simplest way to add Google Test to your own project, is to open gtest.xcodeproj (found in the xcode/ directory of the Google Test trunk) and build the framework manually. Then, add the built framework into your project using the "Add->Existing Framework..." from the context menu or "Project->Add..." from the main menu. The gtest.framework is relocatable and contains the headers and object code that you'll need to make tests. This method requires rebuilding every time you upgrade Google Test in your project.
+  * **Option 2** --- If you are going to be living off the trunk of Google Test, incorporating its latest features into your unit tests (or are a Google Test developer yourself). You'll want to rebuild the framework every time the source updates. to do this, you'll need to add the gtest.xcodeproj file, not the framework itself, to your own Xcode project. Then, from the build products that are revealed by the project's disclosure triangle, you can find the gtest.framework, which can be added to your targets (discussed below).
+
+# Make a Test Target #
+
+To start writing tests, make a new "Shell Tool" target. This target template is available under BSD, Cocoa, or Carbon. Add your unit test source code to the "Compile Sources" build phase of the target.
+
+Next, you'll want to add gtest.framework in two different ways, depending upon which option you chose above.
+
+  * **Option 1** --- During compilation, Xcode will need to know that you are linking against the gtest.framework. Add the gtest.framework to the "Link Binary with Libraries" build phase of your test target. This will include the Google Test headers in your header search path, and will tell the linker where to find the library.
+  * **Option 2** --- If your working out of the trunk, you'll also want to add gtest.framework to your "Link Binary with Libraries" build phase of your test target. In addition, you'll  want to add the gtest.framework as a dependency to your unit test target. This way, Xcode will make sure that gtest.framework is up to date, every time your build your target. Finally, if you don't share build directories with Google Test, you'll have to copy the gtest.framework into your own build products directory using a "Run Script" build phase.
+
+# Set Up the Executable Run Environment #
+
+Since the unit test executable is a shell tool, it doesn't have a bundle with a `Contents/Frameworks` directory, in which to place gtest.framework. Instead, the dynamic linker must be told at runtime to search for the framework in another location. This can be accomplished by setting the "DYLD\_FRAMEWORK\_PATH" environment variable in the "Edit Active Executable ..." Arguments tab, under "Variables to be set in the environment:". The path for this value is the path (relative or absolute) of the directory containing the gtest.framework.
+
+If you haven't set up the DYLD\_FRAMEWORK\_PATH, correctly, you might get a message like this:
+
+```
+[Session started at 2008-08-15 06:23:57 -0600.]
+  dyld: Library not loaded: @loader_path/../Frameworks/gtest.framework/Versions/A/gtest
+    Referenced from: /Users/username/Documents/Sandbox/gtestSample/build/Debug/WidgetFrameworkTest
+    Reason: image not found
+```
+
+To correct this problem, go to to the directory containing the executable named in "Referenced from:" value in the error message above. Then, with the terminal in this location, find the relative path to the directory containing the gtest.framework. That is the value you'll need to set as the DYLD\_FRAMEWORK\_PATH.
+
+# Build and Go #
+
+Now, when you click "Build and Go", the test will be executed. Dumping out something like this:
+
+```
+[Session started at 2008-08-06 06:36:13 -0600.]
+[==========] Running 2 tests from 1 test case.
+[----------] Global test environment set-up.
+[----------] 2 tests from WidgetInitializerTest
+[ RUN      ] WidgetInitializerTest.TestConstructor
+[       OK ] WidgetInitializerTest.TestConstructor
+[ RUN      ] WidgetInitializerTest.TestConversion
+[       OK ] WidgetInitializerTest.TestConversion
+[----------] Global test environment tear-down
+[==========] 2 tests from 1 test case ran.
+[  PASSED  ] 2 tests.
+
+The Debugger has exited with status 0.  
+```
+
+# Summary #
+
+Unit testing is a valuable way to ensure your data model stays valid even during rapid development or refactoring. The Google Testing Framework is a great unit testing framework for C and C++ which integrates well with an Xcode development environment.
diff --git a/security/nss/gtests/google_test/gtest/docs/advanced.md b/security/nss/gtests/google_test/gtest/docs/advanced.md
new file mode 100644
index 0000000000..8065d19621
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/advanced.md
@@ -0,0 +1,2520 @@
+# Advanced googletest Topics
+
+
+## Introduction
+
+Now that you have read the [googletest Primer](primer.md) and learned how to write
+tests using googletest, it's time to learn some new tricks. This document will
+show you more assertions as well as how to construct complex failure messages,
+propagate fatal failures, reuse and speed up your test fixtures, and use various
+flags with your tests.
+
+## More Assertions
+
+This section covers some less frequently used, but still significant,
+assertions.
+
+### Explicit Success and Failure
+
+These three assertions do not actually test a value or expression. Instead, they
+generate a success or failure directly. Like the macros that actually perform a
+test, you may stream a custom failure message into them.
+
+```c++
+SUCCEED();
+```
+
+Generates a success. This does **NOT** make the overall test succeed. A test is
+considered successful only if none of its assertions fail during its execution.
+
+NOTE: `SUCCEED()` is purely documentary and currently doesn't generate any
+user-visible output. However, we may add `SUCCEED()` messages to googletest's
+output in the future.
+
+```c++
+FAIL();
+ADD_FAILURE();
+ADD_FAILURE_AT("file_path", line_number);
+```
+
+`FAIL()` generates a fatal failure, while `ADD_FAILURE()` and `ADD_FAILURE_AT()`
+generate a nonfatal failure. These are useful when control flow, rather than a
+Boolean expression, determines the test's success or failure. For example, you
+might want to write something like:
+
+```c++
+switch(expression) {
+  case 1:
+     ... some checks ...
+  case 2:
+     ... some other checks ...
+  default:
+     FAIL() << "We shouldn't get here.";
+}
+```
+
+NOTE: you can only use `FAIL()` in functions that return `void`. See the
+[Assertion Placement section](#assertion-placement) for more information.
+
+**Availability**: Linux, Windows, Mac.
+
+### Exception Assertions
+
+These are for verifying that a piece of code throws (or does not throw) an
+exception of the given type:
+
+Fatal assertion                            | Nonfatal assertion                         | Verifies
+------------------------------------------ | ------------------------------------------ | --------
+`ASSERT_THROW(statement, exception_type);` | `EXPECT_THROW(statement, exception_type);` | `statement` throws an exception of the given type
+`ASSERT_ANY_THROW(statement);`             | `EXPECT_ANY_THROW(statement);`             | `statement` throws an exception of any type
+`ASSERT_NO_THROW(statement);`              | `EXPECT_NO_THROW(statement);`              | `statement` doesn't throw any exception
+
+Examples:
+
+```c++
+ASSERT_THROW(Foo(5), bar_exception);
+
+EXPECT_NO_THROW({
+  int n = 5;
+  Bar(&n);
+});
+```
+
+**Availability**: Linux, Windows, Mac; requires exceptions to be enabled in the
+build environment (note that `google3` **disables** exceptions).
+
+### Predicate Assertions for Better Error Messages
+
+Even though googletest has a rich set of assertions, they can never be complete,
+as it's impossible (nor a good idea) to anticipate all scenarios a user might
+run into. Therefore, sometimes a user has to use `EXPECT_TRUE()` to check a
+complex expression, for lack of a better macro. This has the problem of not
+showing you the values of the parts of the expression, making it hard to
+understand what went wrong. As a workaround, some users choose to construct the
+failure message by themselves, streaming it into `EXPECT_TRUE()`. However, this
+is awkward especially when the expression has side-effects or is expensive to
+evaluate.
+
+googletest gives you three different options to solve this problem:
+
+#### Using an Existing Boolean Function
+
+If you already have a function or functor that returns `bool` (or a type that
+can be implicitly converted to `bool`), you can use it in a *predicate
+assertion* to get the function arguments printed for free:
+
+| Fatal assertion                    | Nonfatal assertion                 | Verifies                    |
+| ---------------------------------- | ---------------------------------- | --------------------------- |
+| `ASSERT_PRED1(pred1, val1);`       | `EXPECT_PRED1(pred1, val1);`       | `pred1(val1)` is true       |
+| `ASSERT_PRED2(pred2, val1, val2);` | `EXPECT_PRED2(pred2, val1, val2);` | `pred2(val1, val2)` is true |
+| `...`                              | `...`                              | ...                         |
+
+In the above, `predn` is an `n`-ary predicate function or functor, where `val1`,
+`val2`, ..., and `valn` are its arguments. The assertion succeeds if the
+predicate returns `true` when applied to the given arguments, and fails
+otherwise. When the assertion fails, it prints the value of each argument. In
+either case, the arguments are evaluated exactly once.
+
+Here's an example. Given
+
+```c++
+// Returns true if m and n have no common divisors except 1.
+bool MutuallyPrime(int m, int n) { ... }
+
+const int a = 3;
+const int b = 4;
+const int c = 10;
+```
+
+the assertion
+
+```c++
+  EXPECT_PRED2(MutuallyPrime, a, b);
+```
+
+will succeed, while the assertion
+
+```c++
+  EXPECT_PRED2(MutuallyPrime, b, c);
+```
+
+will fail with the message
+
+```none
+MutuallyPrime(b, c) is false, where
+b is 4
+c is 10
+```
+
+> NOTE:
+>
+> 1.  If you see a compiler error "no matching function to call" when using
+>     `ASSERT_PRED*` or `EXPECT_PRED*`, please see
+>     [this](faq.md#OverloadedPredicate) for how to resolve it.
+> 1.  Currently we only provide predicate assertions of arity <= 5. If you need
+>     a higher-arity assertion, let [us](https://github.com/google/googletest/issues) know.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Using a Function That Returns an AssertionResult
+
+While `EXPECT_PRED*()` and friends are handy for a quick job, the syntax is not
+satisfactory: you have to use different macros for different arities, and it
+feels more like Lisp than C++. The `::testing::AssertionResult` class solves
+this problem.
+
+An `AssertionResult` object represents the result of an assertion (whether it's
+a success or a failure, and an associated message). You can create an
+`AssertionResult` using one of these factory functions:
+
+```c++
+namespace testing {
+
+// Returns an AssertionResult object to indicate that an assertion has
+// succeeded.
+AssertionResult AssertionSuccess();
+
+// Returns an AssertionResult object to indicate that an assertion has
+// failed.
+AssertionResult AssertionFailure();
+
+}
+```
+
+You can then use the `<<` operator to stream messages to the `AssertionResult`
+object.
+
+To provide more readable messages in Boolean assertions (e.g. `EXPECT_TRUE()`),
+write a predicate function that returns `AssertionResult` instead of `bool`. For
+example, if you define `IsEven()` as:
+
+```c++
+::testing::AssertionResult IsEven(int n) {
+  if ((n % 2) == 0)
+     return ::testing::AssertionSuccess();
+  else
+     return ::testing::AssertionFailure() << n << " is odd";
+}
+```
+
+instead of:
+
+```c++
+bool IsEven(int n) {
+  return (n % 2) == 0;
+}
+```
+
+the failed assertion `EXPECT_TRUE(IsEven(Fib(4)))` will print:
+
+```none
+Value of: IsEven(Fib(4))
+  Actual: false (3 is odd)
+Expected: true
+```
+
+instead of a more opaque
+
+```none
+Value of: IsEven(Fib(4))
+  Actual: false
+Expected: true
+```
+
+If you want informative messages in `EXPECT_FALSE` and `ASSERT_FALSE` as well
+(one third of Boolean assertions in the Google code base are negative ones), and
+are fine with making the predicate slower in the success case, you can supply a
+success message:
+
+```c++
+::testing::AssertionResult IsEven(int n) {
+  if ((n % 2) == 0)
+     return ::testing::AssertionSuccess() << n << " is even";
+  else
+     return ::testing::AssertionFailure() << n << " is odd";
+}
+```
+
+Then the statement `EXPECT_FALSE(IsEven(Fib(6)))` will print
+
+```none
+  Value of: IsEven(Fib(6))
+     Actual: true (8 is even)
+  Expected: false
+```
+
+**Availability**: Linux, Windows, Mac.
+
+#### Using a Predicate-Formatter
+
+If you find the default message generated by `(ASSERT|EXPECT)_PRED*` and
+`(ASSERT|EXPECT)_(TRUE|FALSE)` unsatisfactory, or some arguments to your
+predicate do not support streaming to `ostream`, you can instead use the
+following *predicate-formatter assertions* to *fully* customize how the message
+is formatted:
+
+Fatal assertion                                  | Nonfatal assertion                               | Verifies
+------------------------------------------------ | ------------------------------------------------ | --------
+`ASSERT_PRED_FORMAT1(pred_format1, val1);`       | `EXPECT_PRED_FORMAT1(pred_format1, val1);`       | `pred_format1(val1)` is successful
+`ASSERT_PRED_FORMAT2(pred_format2, val1, val2);` | `EXPECT_PRED_FORMAT2(pred_format2, val1, val2);` | `pred_format2(val1, val2)` is successful
+`...`                                            | `...`                                            | ...
+
+The difference between this and the previous group of macros is that instead of
+a predicate, `(ASSERT|EXPECT)_PRED_FORMAT*` take a *predicate-formatter*
+(`pred_formatn`), which is a function or functor with the signature:
+
+```c++
+::testing::AssertionResult PredicateFormattern(const char* expr1,
+                                               const char* expr2,
+                                               ...
+                                               const char* exprn,
+                                               T1 val1,
+                                               T2 val2,
+                                               ...
+                                               Tn valn);
+```
+
+where `val1`, `val2`, ..., and `valn` are the values of the predicate arguments,
+and `expr1`, `expr2`, ..., and `exprn` are the corresponding expressions as they
+appear in the source code. The types `T1`, `T2`, ..., and `Tn` can be either
+value types or reference types. For example, if an argument has type `Foo`, you
+can declare it as either `Foo` or `const Foo&`, whichever is appropriate.
+
+As an example, let's improve the failure message in `MutuallyPrime()`, which was
+used with `EXPECT_PRED2()`:
+
+```c++
+// Returns the smallest prime common divisor of m and n,
+// or 1 when m and n are mutually prime.
+int SmallestPrimeCommonDivisor(int m, int n) { ... }
+
+// A predicate-formatter for asserting that two integers are mutually prime.
+::testing::AssertionResult AssertMutuallyPrime(const char* m_expr,
+                                               const char* n_expr,
+                                               int m,
+                                               int n) {
+  if (MutuallyPrime(m, n)) return ::testing::AssertionSuccess();
+
+  return ::testing::AssertionFailure() << m_expr << " and " << n_expr
+      << " (" << m << " and " << n << ") are not mutually prime, "
+      << "as they have a common divisor " << SmallestPrimeCommonDivisor(m, n);
+}
+```
+
+With this predicate-formatter, we can use
+
+```c++
+  EXPECT_PRED_FORMAT2(AssertMutuallyPrime, b, c);
+```
+
+to generate the message
+
+```none
+b and c (4 and 10) are not mutually prime, as they have a common divisor 2.
+```
+
+As you may have realized, many of the built-in assertions we introduced earlier
+are special cases of `(EXPECT|ASSERT)_PRED_FORMAT*`. In fact, most of them are
+indeed defined using `(EXPECT|ASSERT)_PRED_FORMAT*`.
+
+**Availability**: Linux, Windows, Mac.
+
+### Floating-Point Comparison
+
+Comparing floating-point numbers is tricky. Due to round-off errors, it is very
+unlikely that two floating-points will match exactly. Therefore, `ASSERT_EQ` 's
+naive comparison usually doesn't work. And since floating-points can have a wide
+value range, no single fixed error bound works. It's better to compare by a
+fixed relative error bound, except for values close to 0 due to the loss of
+precision there.
+
+In general, for floating-point comparison to make sense, the user needs to
+carefully choose the error bound. If they don't want or care to, comparing in
+terms of Units in the Last Place (ULPs) is a good default, and googletest
+provides assertions to do this. Full details about ULPs are quite long; if you
+want to learn more, see
+[here](https://randomascii.wordpress.com/2012/02/25/comparing-floating-point-numbers-2012-edition/).
+
+#### Floating-Point Macros
+
+| Fatal assertion                 | Nonfatal assertion             | Verifies                                 |
+| ------------------------------- | ------------------------------ | ---------------------------------------- |
+| `ASSERT_FLOAT_EQ(val1, val2);`  | `EXPECT_FLOAT_EQ(val1,val2);`  | the two `float` values are almost equal  |
+| `ASSERT_DOUBLE_EQ(val1, val2);` | `EXPECT_DOUBLE_EQ(val1, val2);`| the two `double` values are almost equal |
+
+By "almost equal" we mean the values are within 4 ULP's from each other.
+
+NOTE: `CHECK_DOUBLE_EQ()` in `base/logging.h` uses a fixed absolute error bound,
+so its result may differ from that of the googletest macros. That macro is
+unsafe and has been deprecated. Please don't use it any more.
+
+The following assertions allow you to choose the acceptable error bound:
+
+| Fatal assertion                       | Nonfatal assertion                    | Verifies                  |
+| ------------------------------------- | ------------------------------------- | ------------------------- |
+| `ASSERT_NEAR(val1, val2, abs_error);` | `EXPECT_NEAR(val1, val2, abs_error);` | the difference between `val1` and `val2` doesn't exceed the given absolute error |
+
+**Availability**: Linux, Windows, Mac.
+
+#### Floating-Point Predicate-Format Functions
+
+Some floating-point operations are useful, but not that often used. In order to
+avoid an explosion of new macros, we provide them as predicate-format functions
+that can be used in predicate assertion macros (e.g. `EXPECT_PRED_FORMAT2`,
+etc).
+
+```c++
+EXPECT_PRED_FORMAT2(::testing::FloatLE, val1, val2);
+EXPECT_PRED_FORMAT2(::testing::DoubleLE, val1, val2);
+```
+
+Verifies that `val1` is less than, or almost equal to, `val2`. You can replace
+`EXPECT_PRED_FORMAT2` in the above table with `ASSERT_PRED_FORMAT2`.
+
+**Availability**: Linux, Windows, Mac.
+
+### Asserting Using gMock Matchers
+
+Google-developed C++ mocking framework [gMock](../../googlemock) comes with a
+library of matchers for validating arguments passed to mock objects. A gMock
+*matcher* is basically a predicate that knows how to describe itself. It can be
+used in these assertion macros:
+
+| Fatal assertion                | Nonfatal assertion             | Verifies              |
+| ------------------------------ | ------------------------------ | --------------------- |
+| `ASSERT_THAT(value, matcher);` | `EXPECT_THAT(value, matcher);` | value matches matcher |
+
+For example, `StartsWith(prefix)` is a matcher that matches a string starting
+with `prefix`, and you can write:
+
+```c++
+using ::testing::StartsWith;
+...
+    // Verifies that Foo() returns a string starting with "Hello".
+    EXPECT_THAT(Foo(), StartsWith("Hello"));
+```
+
+Read this [recipe](../../googlemock/docs/CookBook.md#using-matchers-in-google-test-assertions) in
+the gMock Cookbook for more details.
+
+gMock has a rich set of matchers. You can do many things googletest cannot do
+alone with them. For a list of matchers gMock provides, read
+[this](../../googlemock/docs/CookBook.md#using-matchers). Especially useful among them are
+some [protocol buffer matchers](https://github.com/google/nucleus/blob/master/nucleus/testing/protocol-buffer-matchers.h). It's easy to write
+your [own matchers](../../googlemock/docs/CookBook.md#writing-new-matchers-quickly) too.
+
+For example, you can use gMock's
+[EqualsProto](https://github.com/google/nucleus/blob/master/nucleus/testing/protocol-buffer-matchers.h)
+to compare protos in your tests:
+
+```c++
+#include "testing/base/public/gmock.h"
+using ::testing::EqualsProto;
+...
+    EXPECT_THAT(actual_proto, EqualsProto("foo: 123 bar: 'xyz'"));
+    EXPECT_THAT(*actual_proto_ptr, EqualsProto(expected_proto));
+```
+
+gMock is bundled with googletest, so you don't need to add any build dependency
+in order to take advantage of this. Just include `"testing/base/public/gmock.h"`
+and you're ready to go.
+
+**Availability**: Linux, Windows, and Mac.
+
+### More String Assertions
+
+(Please read the [previous](#AssertThat) section first if you haven't.)
+
+You can use the gMock [string matchers](../../googlemock/docs/CheatSheet.md#string-matchers)
+with `EXPECT_THAT()` or `ASSERT_THAT()` to do more string comparison tricks
+(sub-string, prefix, suffix, regular expression, and etc). For example,
+
+```c++
+using ::testing::HasSubstr;
+using ::testing::MatchesRegex;
+...
+  ASSERT_THAT(foo_string, HasSubstr("needle"));
+  EXPECT_THAT(bar_string, MatchesRegex("\\w*\\d+"));
+```
+
+**Availability**: Linux, Windows, Mac.
+
+If the string contains a well-formed HTML or XML document, you can check whether
+its DOM tree matches an [XPath
+expression](http://www.w3.org/TR/xpath/#contents):
+
+```c++
+// Currently still in //template/prototemplate/testing:xpath_matcher
+#include "template/prototemplate/testing/xpath_matcher.h"
+using prototemplate::testing::MatchesXPath;
+EXPECT_THAT(html_string, MatchesXPath("//a[text()='click here']"));
+```
+
+**Availability**: Linux.
+
+### Windows HRESULT assertions
+
+These assertions test for `HRESULT` success or failure.
+
+Fatal assertion                        | Nonfatal assertion                     | Verifies
+-------------------------------------- | -------------------------------------- | --------
+`ASSERT_HRESULT_SUCCEEDED(expression)` | `EXPECT_HRESULT_SUCCEEDED(expression)` | `expression` is a success `HRESULT`
+`ASSERT_HRESULT_FAILED(expression)`    | `EXPECT_HRESULT_FAILED(expression)`    | `expression` is a failure `HRESULT`
+
+The generated output contains the human-readable error message associated with
+the `HRESULT` code returned by `expression`.
+
+You might use them like this:
+
+```c++
+CComPtr<IShellDispatch2> shell;
+ASSERT_HRESULT_SUCCEEDED(shell.CoCreateInstance(L"Shell.Application"));
+CComVariant empty;
+ASSERT_HRESULT_SUCCEEDED(shell->ShellExecute(CComBSTR(url), empty, empty, empty, empty));
+```
+
+**Availability**: Windows.
+
+### Type Assertions
+
+You can call the function
+
+```c++
+::testing::StaticAssertTypeEq<T1, T2>();
+```
+
+to assert that types `T1` and `T2` are the same. The function does nothing if
+the assertion is satisfied. If the types are different, the function call will
+fail to compile, and the compiler error message will likely (depending on the
+compiler) show you the actual values of `T1` and `T2`. This is mainly useful
+inside template code.
+
+**Caveat**: When used inside a member function of a class template or a function
+template, `StaticAssertTypeEq<T1, T2>()` is effective only if the function is
+instantiated. For example, given:
+
+```c++
+template <typename T> class Foo {
+ public:
+  void Bar() { ::testing::StaticAssertTypeEq<int, T>(); }
+};
+```
+
+the code:
+
+```c++
+void Test1() { Foo<bool> foo; }
+```
+
+will not generate a compiler error, as `Foo<bool>::Bar()` is never actually
+instantiated. Instead, you need:
+
+```c++
+void Test2() { Foo<bool> foo; foo.Bar(); }
+```
+
+to cause a compiler error.
+
+**Availability**: Linux, Windows, Mac.
+
+### Assertion Placement
+
+You can use assertions in any C++ function. In particular, it doesn't have to be
+a method of the test fixture class. The one constraint is that assertions that
+generate a fatal failure (`FAIL*` and `ASSERT_*`) can only be used in
+void-returning functions. This is a consequence of Google's not using
+exceptions. By placing it in a non-void function you'll get a confusing compile
+error like `"error: void value not ignored as it ought to be"` or `"cannot
+initialize return object of type 'bool' with an rvalue of type 'void'"` or
+`"error: no viable conversion from 'void' to 'string'"`.
+
+If you need to use fatal assertions in a function that returns non-void, one
+option is to make the function return the value in an out parameter instead. For
+example, you can rewrite `T2 Foo(T1 x)` to `void Foo(T1 x, T2* result)`. You
+need to make sure that `*result` contains some sensible value even when the
+function returns prematurely. As the function now returns `void`, you can use
+any assertion inside of it.
+
+If changing the function's type is not an option, you should just use assertions
+that generate non-fatal failures, such as `ADD_FAILURE*` and `EXPECT_*`.
+
+NOTE: Constructors and destructors are not considered void-returning functions,
+according to the C++ language specification, and so you may not use fatal
+assertions in them. You'll get a compilation error if you try. A simple
+workaround is to transfer the entire body of the constructor or destructor to a
+private void-returning method. However, you should be aware that a fatal
+assertion failure in a constructor does not terminate the current test, as your
+intuition might suggest; it merely returns from the constructor early, possibly
+leaving your object in a partially-constructed state. Likewise, a fatal
+assertion failure in a destructor may leave your object in a
+partially-destructed state. Use assertions carefully in these situations!
+
+## Teaching googletest How to Print Your Values
+
+When a test assertion such as `EXPECT_EQ` fails, googletest prints the argument
+values to help you debug. It does this using a user-extensible value printer.
+
+This printer knows how to print built-in C++ types, native arrays, STL
+containers, and any type that supports the `<<` operator. For other types, it
+prints the raw bytes in the value and hopes that you the user can figure it out.
+
+As mentioned earlier, the printer is *extensible*. That means you can teach it
+to do a better job at printing your particular type than to dump the bytes. To
+do that, define `<<` for your type:
+
+```c++
+// Streams are allowed only for logging.  Don't include this for
+// any other purpose.
+#include <ostream>
+
+namespace foo {
+
+class Bar {  // We want googletest to be able to print instances of this.
+...
+  // Create a free inline friend function.
+  friend std::ostream& operator<<(std::ostream& os, const Bar& bar) {
+    return os << bar.DebugString();  // whatever needed to print bar to os
+  }
+};
+
+// If you can't declare the function in the class it's important that the
+// << operator is defined in the SAME namespace that defines Bar.  C++'s look-up
+// rules rely on that.
+std::ostream& operator<<(std::ostream& os, const Bar& bar) {
+  return os << bar.DebugString();  // whatever needed to print bar to os
+}
+
+}  // namespace foo
+```
+
+Sometimes, this might not be an option: your team may consider it bad style to
+have a `<<` operator for `Bar`, or `Bar` may already have a `<<` operator that
+doesn't do what you want (and you cannot change it). If so, you can instead
+define a `PrintTo()` function like this:
+
+```c++
+// Streams are allowed only for logging.  Don't include this for
+// any other purpose.
+#include <ostream>
+
+namespace foo {
+
+class Bar {
+  ...
+  friend void PrintTo(const Bar& bar, std::ostream* os) {
+    *os << bar.DebugString();  // whatever needed to print bar to os
+  }
+};
+
+// If you can't declare the function in the class it's important that PrintTo()
+// is defined in the SAME namespace that defines Bar.  C++'s look-up rules rely
+// on that.
+void PrintTo(const Bar& bar, std::ostream* os) {
+  *os << bar.DebugString();  // whatever needed to print bar to os
+}
+
+}  // namespace foo
+```
+
+If you have defined both `<<` and `PrintTo()`, the latter will be used when
+googletest is concerned. This allows you to customize how the value appears in
+googletest's output without affecting code that relies on the behavior of its
+`<<` operator.
+
+If you want to print a value `x` using googletest's value printer yourself, just
+call `::testing::PrintToString(x)`, which returns an `std::string`:
+
+```c++
+vector<pair<Bar, int> > bar_ints = GetBarIntVector();
+
+EXPECT_TRUE(IsCorrectBarIntVector(bar_ints))
+    << "bar_ints = " << ::testing::PrintToString(bar_ints);
+```
+
+## Death Tests
+
+In many applications, there are assertions that can cause application failure if
+a condition is not met. These sanity checks, which ensure that the program is in
+a known good state, are there to fail at the earliest possible time after some
+program state is corrupted. If the assertion checks the wrong condition, then
+the program may proceed in an erroneous state, which could lead to memory
+corruption, security holes, or worse. Hence it is vitally important to test that
+such assertion statements work as expected.
+
+Since these precondition checks cause the processes to die, we call such tests
+_death tests_. More generally, any test that checks that a program terminates
+(except by throwing an exception) in an expected fashion is also a death test.
+
+
+Note that if a piece of code throws an exception, we don't consider it "death"
+for the purpose of death tests, as the caller of the code could catch the
+exception and avoid the crash. If you want to verify exceptions thrown by your
+code, see [Exception Assertions](#exception-assertions).
+
+If you want to test `EXPECT_*()/ASSERT_*()` failures in your test code, see
+Catching Failures
+
+### How to Write a Death Test
+
+googletest has the following macros to support death tests:
+
+Fatal assertion                                | Nonfatal assertion                             | Verifies
+---------------------------------------------- | ---------------------------------------------- | --------
+`ASSERT_DEATH(statement, regex);`              | `EXPECT_DEATH(statement, regex);`              | `statement` crashes with the given error
+`ASSERT_DEATH_IF_SUPPORTED(statement, regex);` | `EXPECT_DEATH_IF_SUPPORTED(statement, regex);` | if death tests are supported, verifies that `statement` crashes with the given error; otherwise verifies nothing
+`ASSERT_EXIT(statement, predicate, regex);`    | `EXPECT_EXIT(statement, predicate, regex);`    | `statement` exits with the given error, and its exit code matches `predicate`
+
+where `statement` is a statement that is expected to cause the process to die,
+`predicate` is a function or function object that evaluates an integer exit
+status, and `regex` is a (Perl) regular expression that the stderr output of
+`statement` is expected to match. Note that `statement` can be *any valid
+statement* (including *compound statement*) and doesn't have to be an
+expression.
+
+
+As usual, the `ASSERT` variants abort the current test function, while the
+`EXPECT` variants do not.
+
+> NOTE: We use the word "crash" here to mean that the process terminates with a
+> *non-zero* exit status code. There are two possibilities: either the process
+> has called `exit()` or `_exit()` with a non-zero value, or it may be killed by
+> a signal.
+>
+> This means that if `*statement*` terminates the process with a 0 exit code, it
+> is *not* considered a crash by `EXPECT_DEATH`. Use `EXPECT_EXIT` instead if
+> this is the case, or if you want to restrict the exit code more precisely.
+
+A predicate here must accept an `int` and return a `bool`. The death test
+succeeds only if the predicate returns `true`. googletest defines a few
+predicates that handle the most common cases:
+
+```c++
+::testing::ExitedWithCode(exit_code)
+```
+
+This expression is `true` if the program exited normally with the given exit
+code.
+
+```c++
+::testing::KilledBySignal(signal_number)  // Not available on Windows.
+```
+
+This expression is `true` if the program was killed by the given signal.
+
+The `*_DEATH` macros are convenient wrappers for `*_EXIT` that use a predicate
+that verifies the process' exit code is non-zero.
+
+Note that a death test only cares about three things:
+
+1.  does `statement` abort or exit the process?
+2.  (in the case of `ASSERT_EXIT` and `EXPECT_EXIT`) does the exit status
+    satisfy `predicate`? Or (in the case of `ASSERT_DEATH` and `EXPECT_DEATH`)
+    is the exit status non-zero? And
+3.  does the stderr output match `regex`?
+
+In particular, if `statement` generates an `ASSERT_*` or `EXPECT_*` failure, it
+will **not** cause the death test to fail, as googletest assertions don't abort
+the process.
+
+To write a death test, simply use one of the above macros inside your test
+function. For example,
+
+```c++
+TEST(MyDeathTest, Foo) {
+  // This death test uses a compound statement.
+  ASSERT_DEATH({
+    int n = 5;
+    Foo(&n);
+  }, "Error on line .* of Foo()");
+}
+
+TEST(MyDeathTest, NormalExit) {
+  EXPECT_EXIT(NormalExit(), ::testing::ExitedWithCode(0), "Success");
+}
+
+TEST(MyDeathTest, KillMyself) {
+  EXPECT_EXIT(KillMyself(), ::testing::KilledBySignal(SIGKILL),
+              "Sending myself unblockable signal");
+}
+```
+
+verifies that:
+
+*   calling `Foo(5)` causes the process to die with the given error message,
+*   calling `NormalExit()` causes the process to print `"Success"` to stderr and
+    exit with exit code 0, and
+*   calling `KillMyself()` kills the process with signal `SIGKILL`.
+
+The test function body may contain other assertions and statements as well, if
+necessary.
+
+### Death Test Naming
+
+IMPORTANT: We strongly recommend you to follow the convention of naming your
+**test case** (not test) `*DeathTest` when it contains a death test, as
+demonstrated in the above example. The [Death Tests And
+Threads](#death-tests-and-threads) section below explains why.
+
+If a test fixture class is shared by normal tests and death tests, you can use
+`using` or `typedef` to introduce an alias for the fixture class and avoid
+duplicating its code:
+
+```c++
+class FooTest : public ::testing::Test { ... };
+
+using FooDeathTest = FooTest;
+
+TEST_F(FooTest, DoesThis) {
+  // normal test
+}
+
+TEST_F(FooDeathTest, DoesThat) {
+  // death test
+}
+```
+
+**Availability**: Linux, Windows (requires MSVC 8.0 or above), Cygwin, and Mac
+
+### Regular Expression Syntax
+
+
+On POSIX systems (e.g. Linux, Cygwin, and Mac), googletest uses the
+[POSIX extended regular expression](http://www.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap09.html#tag_09_04)
+syntax. To learn about this syntax, you may want to read this
+[Wikipedia entry](http://en.wikipedia.org/wiki/Regular_expression#POSIX_Extended_Regular_Expressions).
+
+On Windows, googletest uses its own simple regular expression implementation. It
+lacks many features. For example, we don't support union (`"x|y"`), grouping
+(`"(xy)"`), brackets (`"[xy]"`), and repetition count (`"x{5,7}"`), among
+others. Below is what we do support (`A` denotes a literal character, period
+(`.`), or a single `\\ ` escape sequence; `x` and `y` denote regular
+expressions.):
+
+Expression | Meaning
+---------- | --------------------------------------------------------------
+`c`        | matches any literal character `c`
+`\\d`      | matches any decimal digit
+`\\D`      | matches any character that's not a decimal digit
+`\\f`      | matches `\f`
+`\\n`      | matches `\n`
+`\\r`      | matches `\r`
+`\\s`      | matches any ASCII whitespace, including `\n`
+`\\S`      | matches any character that's not a whitespace
+`\\t`      | matches `\t`
+`\\v`      | matches `\v`
+`\\w`      | matches any letter, `_`, or decimal digit
+`\\W`      | matches any character that `\\w` doesn't match
+`\\c`      | matches any literal character `c`, which must be a punctuation
+`.`        | matches any single character except `\n`
+`A?`       | matches 0 or 1 occurrences of `A`
+`A*`       | matches 0 or many occurrences of `A`
+`A+`       | matches 1 or many occurrences of `A`
+`^`        | matches the beginning of a string (not that of each line)
+`$`        | matches the end of a string (not that of each line)
+`xy`       | matches `x` followed by `y`
+
+To help you determine which capability is available on your system, googletest
+defines macros to govern which regular expression it is using. The macros are:
+<!--absl:google3-begin(google3-only)-->`GTEST_USES_PCRE=1`, or
+<!--absl:google3-end--> `GTEST_USES_SIMPLE_RE=1` or `GTEST_USES_POSIX_RE=1`. If
+you want your death tests to work in all cases, you can either `#if` on these
+macros or use the more limited syntax only.
+
+### How It Works
+
+Under the hood, `ASSERT_EXIT()` spawns a new process and executes the death test
+statement in that process. The details of how precisely that happens depend on
+the platform and the variable ::testing::GTEST_FLAG(death_test_style) (which is
+initialized from the command-line flag `--gtest_death_test_style`).
+
+*   On POSIX systems, `fork()` (or `clone()` on Linux) is used to spawn the
+    child, after which:
+    *   If the variable's value is `"fast"`, the death test statement is
+        immediately executed.
+    *   If the variable's value is `"threadsafe"`, the child process re-executes
+        the unit test binary just as it was originally invoked, but with some
+        extra flags to cause just the single death test under consideration to
+        be run.
+*   On Windows, the child is spawned using the `CreateProcess()` API, and
+    re-executes the binary to cause just the single death test under
+    consideration to be run - much like the `threadsafe` mode on POSIX.
+
+Other values for the variable are illegal and will cause the death test to fail.
+Currently, the flag's default value is
+"fast". However, we reserve
+the right to change it in the future. Therefore, your tests should not depend on
+this. In either case, the parent process waits for the child process to
+complete, and checks that
+
+1.  the child's exit status satisfies the predicate, and
+2.  the child's stderr matches the regular expression.
+
+If the death test statement runs to completion without dying, the child process
+will nonetheless terminate, and the assertion fails.
+
+### Death Tests And Threads
+
+The reason for the two death test styles has to do with thread safety. Due to
+well-known problems with forking in the presence of threads, death tests should
+be run in a single-threaded context. Sometimes, however, it isn't feasible to
+arrange that kind of environment. For example, statically-initialized modules
+may start threads before main is ever reached. Once threads have been created,
+it may be difficult or impossible to clean them up.
+
+googletest has three features intended to raise awareness of threading issues.
+
+1.  A warning is emitted if multiple threads are running when a death test is
+    encountered.
+2.  Test cases with a name ending in "DeathTest" are run before all other tests.
+3.  It uses `clone()` instead of `fork()` to spawn the child process on Linux
+    (`clone()` is not available on Cygwin and Mac), as `fork()` is more likely
+    to cause the child to hang when the parent process has multiple threads.
+
+It's perfectly fine to create threads inside a death test statement; they are
+executed in a separate process and cannot affect the parent.
+
+### Death Test Styles
+
+
+The "threadsafe" death test style was introduced in order to help mitigate the
+risks of testing in a possibly multithreaded environment. It trades increased
+test execution time (potentially dramatically so) for improved thread safety.
+
+The automated testing framework does not set the style flag. You can choose a
+particular style of death tests by setting the flag programmatically:
+
+```c++
+testing::FLAGS_gtest_death_test_style="threadsafe"
+```
+
+You can do this in `main()` to set the style for all death tests in the binary,
+or in individual tests. Recall that flags are saved before running each test and
+restored afterwards, so you need not do that yourself. For example:
+
+```c++
+int main(int argc, char** argv) {
+  InitGoogle(argv[0], &argc, &argv, true);
+  ::testing::FLAGS_gtest_death_test_style = "fast";
+  return RUN_ALL_TESTS();
+}
+
+TEST(MyDeathTest, TestOne) {
+  ::testing::FLAGS_gtest_death_test_style = "threadsafe";
+  // This test is run in the "threadsafe" style:
+  ASSERT_DEATH(ThisShouldDie(), "");
+}
+
+TEST(MyDeathTest, TestTwo) {
+  // This test is run in the "fast" style:
+  ASSERT_DEATH(ThisShouldDie(), "");
+}
+```
+
+
+### Caveats
+
+The `statement` argument of `ASSERT_EXIT()` can be any valid C++ statement. If
+it leaves the current function via a `return` statement or by throwing an
+exception, the death test is considered to have failed. Some googletest macros
+may return from the current function (e.g. `ASSERT_TRUE()`), so be sure to avoid
+them in `statement`.
+
+Since `statement` runs in the child process, any in-memory side effect (e.g.
+modifying a variable, releasing memory, etc) it causes will *not* be observable
+in the parent process. In particular, if you release memory in a death test,
+your program will fail the heap check as the parent process will never see the
+memory reclaimed. To solve this problem, you can
+
+1.  try not to free memory in a death test;
+2.  free the memory again in the parent process; or
+3.  do not use the heap checker in your program.
+
+Due to an implementation detail, you cannot place multiple death test assertions
+on the same line; otherwise, compilation will fail with an unobvious error
+message.
+
+Despite the improved thread safety afforded by the "threadsafe" style of death
+test, thread problems such as deadlock are still possible in the presence of
+handlers registered with `pthread_atfork(3)`.
+
+
+## Using Assertions in Sub-routines
+
+### Adding Traces to Assertions
+
+If a test sub-routine is called from several places, when an assertion inside it
+fails, it can be hard to tell which invocation of the sub-routine the failure is
+from. 
+You can alleviate this problem using extra logging or custom failure messages,
+but that usually clutters up your tests. A better solution is to use the
+`SCOPED_TRACE` macro or the `ScopedTrace` utility:
+
+```c++
+SCOPED_TRACE(message);
+ScopedTrace trace("file_path", line_number, message);
+```
+
+where `message` can be anything streamable to `std::ostream`. `SCOPED_TRACE`
+macro will cause the current file name, line number, and the given message to be
+added in every failure message. `ScopedTrace` accepts explicit file name and
+line number in arguments, which is useful for writing test helpers. The effect
+will be undone when the control leaves the current lexical scope.
+
+For example,
+
+```c++
+10: void Sub1(int n) {
+11:   EXPECT_EQ(1, Bar(n));
+12:   EXPECT_EQ(2, Bar(n + 1));
+13: }
+14:
+15: TEST(FooTest, Bar) {
+16:   {
+17:     SCOPED_TRACE("A");  // This trace point will be included in
+18:                         // every failure in this scope.
+19:     Sub1(1);
+20:   }
+21:   // Now it won't.
+22:   Sub1(9);
+23: }
+```
+
+could result in messages like these:
+
+```none
+path/to/foo_test.cc:11: Failure
+Value of: Bar(n)
+Expected: 1
+  Actual: 2
+   Trace:
+path/to/foo_test.cc:17: A
+
+path/to/foo_test.cc:12: Failure
+Value of: Bar(n + 1)
+Expected: 2
+  Actual: 3
+```
+
+Without the trace, it would've been difficult to know which invocation of
+`Sub1()` the two failures come from respectively. (You could add
+
+an extra message to each assertion in `Sub1()` to indicate the value of `n`, but
+that's tedious.)
+
+Some tips on using `SCOPED_TRACE`:
+
+1.  With a suitable message, it's often enough to use `SCOPED_TRACE` at the
+    beginning of a sub-routine, instead of at each call site.
+2.  When calling sub-routines inside a loop, make the loop iterator part of the
+    message in `SCOPED_TRACE` such that you can know which iteration the failure
+    is from.
+3.  Sometimes the line number of the trace point is enough for identifying the
+    particular invocation of a sub-routine. In this case, you don't have to
+    choose a unique message for `SCOPED_TRACE`. You can simply use `""`.
+4.  You can use `SCOPED_TRACE` in an inner scope when there is one in the outer
+    scope. In this case, all active trace points will be included in the failure
+    messages, in reverse order they are encountered.
+5.  The trace dump is clickable in Emacs - hit `return` on a line number and
+    you'll be taken to that line in the source file!
+
+**Availability**: Linux, Windows, Mac.
+
+### Propagating Fatal Failures
+
+A common pitfall when using `ASSERT_*` and `FAIL*` is not understanding that
+when they fail they only abort the _current function_, not the entire test. For
+example, the following test will segfault:
+
+```c++
+void Subroutine() {
+  // Generates a fatal failure and aborts the current function.
+  ASSERT_EQ(1, 2);
+
+  // The following won't be executed.
+  ...
+}
+
+TEST(FooTest, Bar) {
+  Subroutine();  // The intended behavior is for the fatal failure
+                 // in Subroutine() to abort the entire test.
+
+  // The actual behavior: the function goes on after Subroutine() returns.
+  int* p = NULL;
+  *p = 3;  // Segfault!
+}
+```
+
+To alleviate this, googletest provides three different solutions. You could use
+either exceptions, the `(ASSERT|EXPECT)_NO_FATAL_FAILURE` assertions or the
+`HasFatalFailure()` function. They are described in the following two
+subsections.
+
+#### Asserting on Subroutines with an exception
+
+The following code can turn ASSERT-failure into an exception:
+
+```c++
+class ThrowListener : public testing::EmptyTestEventListener {
+  void OnTestPartResult(const testing::TestPartResult& result) override {
+    if (result.type() == testing::TestPartResult::kFatalFailure) {
+      throw testing::AssertionException(result);
+    }
+  }
+};
+int main(int argc, char** argv) {
+  ...
+  testing::UnitTest::GetInstance()->listeners().Append(new ThrowListener);
+  return RUN_ALL_TESTS();
+}
+```
+
+This listener should be added after other listeners if you have any, otherwise
+they won't see failed `OnTestPartResult`.
+
+#### Asserting on Subroutines
+
+As shown above, if your test calls a subroutine that has an `ASSERT_*` failure
+in it, the test will continue after the subroutine returns. This may not be what
+you want.
+
+Often people want fatal failures to propagate like exceptions. For that
+googletest offers the following macros:
+
+Fatal assertion                       | Nonfatal assertion                    | Verifies
+------------------------------------- | ------------------------------------- | --------
+`ASSERT_NO_FATAL_FAILURE(statement);` | `EXPECT_NO_FATAL_FAILURE(statement);` | `statement` doesn't generate any new fatal failures in the current thread.
+
+Only failures in the thread that executes the assertion are checked to determine
+the result of this type of assertions. If `statement` creates new threads,
+failures in these threads are ignored.
+
+Examples:
+
+```c++
+ASSERT_NO_FATAL_FAILURE(Foo());
+
+int i;
+EXPECT_NO_FATAL_FAILURE({
+  i = Bar();
+});
+```
+
+**Availability**: Linux, Windows, Mac. Assertions from multiple threads are
+currently not supported on Windows.
+
+#### Checking for Failures in the Current Test
+
+`HasFatalFailure()` in the `::testing::Test` class returns `true` if an
+assertion in the current test has suffered a fatal failure. This allows
+functions to catch fatal failures in a sub-routine and return early.
+
+```c++
+class Test {
+ public:
+  ...
+  static bool HasFatalFailure();
+};
+```
+
+The typical usage, which basically simulates the behavior of a thrown exception,
+is:
+
+```c++
+TEST(FooTest, Bar) {
+  Subroutine();
+  // Aborts if Subroutine() had a fatal failure.
+  if (HasFatalFailure()) return;
+
+  // The following won't be executed.
+  ...
+}
+```
+
+If `HasFatalFailure()` is used outside of `TEST()` , `TEST_F()` , or a test
+fixture, you must add the `::testing::Test::` prefix, as in:
+
+```c++
+if (::testing::Test::HasFatalFailure()) return;
+```
+
+Similarly, `HasNonfatalFailure()` returns `true` if the current test has at
+least one non-fatal failure, and `HasFailure()` returns `true` if the current
+test has at least one failure of either kind.
+
+**Availability**: Linux, Windows, Mac.
+
+## Logging Additional Information
+
+In your test code, you can call `RecordProperty("key", value)` to log additional
+information, where `value` can be either a string or an `int`. The *last* value
+recorded for a key will be emitted to the [XML output](#generating-an-xml-report) if you
+specify one. For example, the test
+
+```c++
+TEST_F(WidgetUsageTest, MinAndMaxWidgets) {
+  RecordProperty("MaximumWidgets", ComputeMaxUsage());
+  RecordProperty("MinimumWidgets", ComputeMinUsage());
+}
+```
+
+will output XML like this:
+
+```xml
+  ...
+    <testcase name="MinAndMaxWidgets" status="run" time="0.006" classname="WidgetUsageTest" MaximumWidgets="12" MinimumWidgets="9" />
+  ...
+```
+
+> NOTE:
+>
+> *   `RecordProperty()` is a static member of the `Test` class. Therefore it
+>     needs to be prefixed with `::testing::Test::` if used outside of the
+>     `TEST` body and the test fixture class.
+> *   `*key*` must be a valid XML attribute name, and cannot conflict with the
+>     ones already used by googletest (`name`, `status`, `time`, `classname`,
+>     `type_param`, and `value_param`).
+> *   Calling `RecordProperty()` outside of the lifespan of a test is allowed.
+>     If it's called outside of a test but between a test case's
+>     `SetUpTestCase()` and `TearDownTestCase()` methods, it will be attributed
+>     to the XML element for the test case. If it's called outside of all test
+>     cases (e.g. in a test environment), it will be attributed to the top-level
+>     XML element.
+
+**Availability**: Linux, Windows, Mac.
+
+## Sharing Resources Between Tests in the Same Test Case
+
+googletest creates a new test fixture object for each test in order to make
+tests independent and easier to debug. However, sometimes tests use resources
+that are expensive to set up, making the one-copy-per-test model prohibitively
+expensive.
+
+If the tests don't change the resource, there's no harm in their sharing a
+single resource copy. So, in addition to per-test set-up/tear-down, googletest
+also supports per-test-case set-up/tear-down. To use it:
+
+1.  In your test fixture class (say `FooTest` ), declare as `static` some member
+    variables to hold the shared resources.
+1.  Outside your test fixture class (typically just below it), define those
+    member variables, optionally giving them initial values.
+1.  In the same test fixture class, define a `static void SetUpTestCase()`
+    function (remember not to spell it as **`SetupTestCase`** with a small `u`!)
+    to set up the shared resources and a `static void TearDownTestCase()`
+    function to tear them down.
+
+That's it! googletest automatically calls `SetUpTestCase()` before running the
+*first test* in the `FooTest` test case (i.e. before creating the first
+`FooTest` object), and calls `TearDownTestCase()` after running the *last test*
+in it (i.e. after deleting the last `FooTest` object). In between, the tests can
+use the shared resources.
+
+Remember that the test order is undefined, so your code can't depend on a test
+preceding or following another. Also, the tests must either not modify the state
+of any shared resource, or, if they do modify the state, they must restore the
+state to its original value before passing control to the next test.
+
+Here's an example of per-test-case set-up and tear-down:
+
+```c++
+class FooTest : public ::testing::Test {
+ protected:
+  // Per-test-case set-up.
+  // Called before the first test in this test case.
+  // Can be omitted if not needed.
+  static void SetUpTestCase() {
+    shared_resource_ = new ...;
+  }
+
+  // Per-test-case tear-down.
+  // Called after the last test in this test case.
+  // Can be omitted if not needed.
+  static void TearDownTestCase() {
+    delete shared_resource_;
+    shared_resource_ = NULL;
+  }
+
+  // You can define per-test set-up logic as usual.
+  virtual void SetUp() { ... }
+
+  // You can define per-test tear-down logic as usual.
+  virtual void TearDown() { ... }
+
+  // Some expensive resource shared by all tests.
+  static T* shared_resource_;
+};
+
+T* FooTest::shared_resource_ = NULL;
+
+TEST_F(FooTest, Test1) {
+  ... you can refer to shared_resource_ here ...
+}
+
+TEST_F(FooTest, Test2) {
+  ... you can refer to shared_resource_ here ...
+}
+```
+
+NOTE: Though the above code declares `SetUpTestCase()` protected, it may
+sometimes be necessary to declare it public, such as when using it with
+`TEST_P`.
+
+**Availability**: Linux, Windows, Mac.
+
+## Global Set-Up and Tear-Down
+
+Just as you can do set-up and tear-down at the test level and the test case
+level, you can also do it at the test program level. Here's how.
+
+First, you subclass the `::testing::Environment` class to define a test
+environment, which knows how to set-up and tear-down:
+
+```c++
+class Environment {
+ public:
+  virtual ~Environment() {}
+
+  // Override this to define how to set up the environment.
+  virtual void SetUp() {}
+
+  // Override this to define how to tear down the environment.
+  virtual void TearDown() {}
+};
+```
+
+Then, you register an instance of your environment class with googletest by
+calling the `::testing::AddGlobalTestEnvironment()` function:
+
+```c++
+Environment* AddGlobalTestEnvironment(Environment* env);
+```
+
+Now, when `RUN_ALL_TESTS()` is called, it first calls the `SetUp()` method of
+the environment object, then runs the tests if there was no fatal failures, and
+finally calls `TearDown()` of the environment object.
+
+It's OK to register multiple environment objects. In this case, their `SetUp()`
+will be called in the order they are registered, and their `TearDown()` will be
+called in the reverse order.
+
+Note that googletest takes ownership of the registered environment objects.
+Therefore **do not delete them** by yourself.
+
+You should call `AddGlobalTestEnvironment()` before `RUN_ALL_TESTS()` is called,
+probably in `main()`. If you use `gtest_main`, you need to call this before
+`main()` starts for it to take effect. One way to do this is to define a global
+variable like this:
+
+```c++
+::testing::Environment* const foo_env =
+    ::testing::AddGlobalTestEnvironment(new FooEnvironment);
+```
+
+However, we strongly recommend you to write your own `main()` and call
+`AddGlobalTestEnvironment()` there, as relying on initialization of global
+variables makes the code harder to read and may cause problems when you register
+multiple environments from different translation units and the environments have
+dependencies among them (remember that the compiler doesn't guarantee the order
+in which global variables from different translation units are initialized).
+
+## Value-Parameterized Tests
+
+*Value-parameterized tests* allow you to test your code with different
+parameters without writing multiple copies of the same test. This is useful in a
+number of situations, for example:
+
+*   You have a piece of code whose behavior is affected by one or more
+    command-line flags. You want to make sure your code performs correctly for
+    various values of those flags.
+*   You want to test different implementations of an OO interface.
+*   You want to test your code over various inputs (a.k.a. data-driven testing).
+    This feature is easy to abuse, so please exercise your good sense when doing
+    it!
+
+### How to Write Value-Parameterized Tests
+
+To write value-parameterized tests, first you should define a fixture class. It
+must be derived from both `::testing::Test` and
+`::testing::WithParamInterface<T>` (the latter is a pure interface), where `T`
+is the type of your parameter values. For convenience, you can just derive the
+fixture class from `::testing::TestWithParam<T>`, which itself is derived from
+both `::testing::Test` and `::testing::WithParamInterface<T>`. `T` can be any
+copyable type. If it's a raw pointer, you are responsible for managing the
+lifespan of the pointed values.
+
+NOTE: If your test fixture defines `SetUpTestCase()` or `TearDownTestCase()`
+they must be declared **public** rather than **protected** in order to use
+`TEST_P`.
+
+```c++
+class FooTest :
+    public ::testing::TestWithParam<const char*> {
+  // You can implement all the usual fixture class members here.
+  // To access the test parameter, call GetParam() from class
+  // TestWithParam<T>.
+};
+
+// Or, when you want to add parameters to a pre-existing fixture class:
+class BaseTest : public ::testing::Test {
+  ...
+};
+class BarTest : public BaseTest,
+                public ::testing::WithParamInterface<const char*> {
+  ...
+};
+```
+
+Then, use the `TEST_P` macro to define as many test patterns using this fixture
+as you want. The `_P` suffix is for "parameterized" or "pattern", whichever you
+prefer to think.
+
+```c++
+TEST_P(FooTest, DoesBlah) {
+  // Inside a test, access the test parameter with the GetParam() method
+  // of the TestWithParam<T> class:
+  EXPECT_TRUE(foo.Blah(GetParam()));
+  ...
+}
+
+TEST_P(FooTest, HasBlahBlah) {
+  ...
+}
+```
+
+Finally, you can use `INSTANTIATE_TEST_CASE_P` to instantiate the test case with
+any set of parameters you want. googletest defines a number of functions for
+generating test parameters. They return what we call (surprise!) *parameter
+generators*. Here is a summary of them, which are all in the `testing`
+namespace:
+
+| Parameter Generator          | Behavior                                    |
+| ---------------------------- | ------------------------------------------- |
+| `Range(begin, end [, step])` | Yields values `{begin, begin+step, begin+step+step, ...}`. The values do not include `end`. `step` defaults to 1.      |
+| `Values(v1, v2, ..., vN)`    | Yields values `{v1, v2, ..., vN}`.          |
+| `ValuesIn(container)` and `ValuesIn(begin,end)`   | Yields values from a C-style array, an STL-style container, or an iterator range  `[begin, end)`. |
+| `Bool()`                     | Yields sequence `{false, true}`.            |
+| `Combine(g1, g2, ..., gN)`   | Yields all combinations (Cartesian product) as std\:\:tuples of the values generated by the `N` generators.            |
+
+For more details, see the comments at the definitions of these functions.
+
+The following statement will instantiate tests from the `FooTest` test case each
+with parameter values `"meeny"`, `"miny"`, and `"moe"`.
+
+```c++
+INSTANTIATE_TEST_CASE_P(InstantiationName,
+                        FooTest,
+                        ::testing::Values("meeny", "miny", "moe"));
+```
+
+NOTE: The code above must be placed at global or namespace scope, not at
+function scope.
+
+NOTE: Don't forget this step! If you do your test will silently pass, but none
+of its cases will ever run!
+
+To distinguish different instances of the pattern (yes, you can instantiate it
+more than once), the first argument to `INSTANTIATE_TEST_CASE_P` is a prefix
+that will be added to the actual test case name. Remember to pick unique
+prefixes for different instantiations. The tests from the instantiation above
+will have these names:
+
+*   `InstantiationName/FooTest.DoesBlah/0` for `"meeny"`
+*   `InstantiationName/FooTest.DoesBlah/1` for `"miny"`
+*   `InstantiationName/FooTest.DoesBlah/2` for `"moe"`
+*   `InstantiationName/FooTest.HasBlahBlah/0` for `"meeny"`
+*   `InstantiationName/FooTest.HasBlahBlah/1` for `"miny"`
+*   `InstantiationName/FooTest.HasBlahBlah/2` for `"moe"`
+
+You can use these names in [`--gtest_filter`](#running-a-subset-of-the-tests).
+
+This statement will instantiate all tests from `FooTest` again, each with
+parameter values `"cat"` and `"dog"`:
+
+```c++
+const char* pets[] = {"cat", "dog"};
+INSTANTIATE_TEST_CASE_P(AnotherInstantiationName, FooTest,
+                        ::testing::ValuesIn(pets));
+```
+
+The tests from the instantiation above will have these names:
+
+*   `AnotherInstantiationName/FooTest.DoesBlah/0` for `"cat"`
+*   `AnotherInstantiationName/FooTest.DoesBlah/1` for `"dog"`
+*   `AnotherInstantiationName/FooTest.HasBlahBlah/0` for `"cat"`
+*   `AnotherInstantiationName/FooTest.HasBlahBlah/1` for `"dog"`
+
+Please note that `INSTANTIATE_TEST_CASE_P` will instantiate *all* tests in the
+given test case, whether their definitions come before or *after* the
+`INSTANTIATE_TEST_CASE_P` statement.
+
+You can see sample7_unittest.cc and sample8_unittest.cc for more examples.
+
+**Availability**: Linux, Windows (requires MSVC 8.0 or above), Mac
+
+### Creating Value-Parameterized Abstract Tests
+
+In the above, we define and instantiate `FooTest` in the *same* source file.
+Sometimes you may want to define value-parameterized tests in a library and let
+other people instantiate them later. This pattern is known as *abstract tests*.
+As an example of its application, when you are designing an interface you can
+write a standard suite of abstract tests (perhaps using a factory function as
+the test parameter) that all implementations of the interface are expected to
+pass. When someone implements the interface, they can instantiate your suite to
+get all the interface-conformance tests for free.
+
+To define abstract tests, you should organize your code like this:
+
+1.  Put the definition of the parameterized test fixture class (e.g. `FooTest`)
+    in a header file, say `foo_param_test.h`. Think of this as *declaring* your
+    abstract tests.
+1.  Put the `TEST_P` definitions in `foo_param_test.cc`, which includes
+    `foo_param_test.h`. Think of this as *implementing* your abstract tests.
+
+Once they are defined, you can instantiate them by including `foo_param_test.h`,
+invoking `INSTANTIATE_TEST_CASE_P()`, and depending on the library target that
+contains `foo_param_test.cc`. You can instantiate the same abstract test case
+multiple times, possibly in different source files.
+
+### Specifying Names for Value-Parameterized Test Parameters
+
+The optional last argument to `INSTANTIATE_TEST_CASE_P()` allows the user to
+specify a function or functor that generates custom test name suffixes based on
+the test parameters. The function should accept one argument of type
+`testing::TestParamInfo<class ParamType>`, and return `std::string`.
+
+`testing::PrintToStringParamName` is a builtin test suffix generator that
+returns the value of `testing::PrintToString(GetParam())`. It does not work for
+`std::string` or C strings.
+
+NOTE: test names must be non-empty, unique, and may only contain ASCII
+alphanumeric characters. In particular, they [should not contain
+underscores](https://g3doc.corp.google.com/third_party/googletest/googletest/g3doc/faq.md#no-underscores).
+
+```c++
+class MyTestCase : public testing::TestWithParam<int> {};
+
+TEST_P(MyTestCase, MyTest)
+{
+  std::cout << "Example Test Param: " << GetParam() << std::endl;
+}
+
+INSTANTIATE_TEST_CASE_P(MyGroup, MyTestCase, testing::Range(0, 10),
+                        testing::PrintToStringParamName());
+```
+
+## Typed Tests</id>
+
+Suppose you have multiple implementations of the same interface and want to make
+sure that all of them satisfy some common requirements. Or, you may have defined
+several types that are supposed to conform to the same "concept" and you want to
+verify it. In both cases, you want the same test logic repeated for different
+types.
+
+While you can write one `TEST` or `TEST_F` for each type you want to test (and
+you may even factor the test logic into a function template that you invoke from
+the `TEST`), it's tedious and doesn't scale: if you want `m` tests over `n`
+types, you'll end up writing `m*n` `TEST`s.
+
+*Typed tests* allow you to repeat the same test logic over a list of types. You
+only need to write the test logic once, although you must know the type list
+when writing typed tests. Here's how you do it:
+
+First, define a fixture class template. It should be parameterized by a type.
+Remember to derive it from `::testing::Test`:
+
+```c++
+template <typename T>
+class FooTest : public ::testing::Test {
+ public:
+  ...
+  typedef std::list<T> List;
+  static T shared_;
+  T value_;
+};
+```
+
+Next, associate a list of types with the test case, which will be repeated for
+each type in the list:
+
+```c++
+using MyTypes = ::testing::Types<char, int, unsigned int>;
+TYPED_TEST_CASE(FooTest, MyTypes);
+```
+
+The type alias (`using` or `typedef`) is necessary for the `TYPED_TEST_CASE`
+macro to parse correctly. Otherwise the compiler will think that each comma in
+the type list introduces a new macro argument.
+
+Then, use `TYPED_TEST()` instead of `TEST_F()` to define a typed test for this
+test case. You can repeat this as many times as you want:
+
+```c++
+TYPED_TEST(FooTest, DoesBlah) {
+  // Inside a test, refer to the special name TypeParam to get the type
+  // parameter.  Since we are inside a derived class template, C++ requires
+  // us to visit the members of FooTest via 'this'.
+  TypeParam n = this->value_;
+
+  // To visit static members of the fixture, add the 'TestFixture::'
+  // prefix.
+  n += TestFixture::shared_;
+
+  // To refer to typedefs in the fixture, add the 'typename TestFixture::'
+  // prefix.  The 'typename' is required to satisfy the compiler.
+  typename TestFixture::List values;
+
+  values.push_back(n);
+  ...
+}
+
+TYPED_TEST(FooTest, HasPropertyA) { ... }
+```
+
+You can see sample6_unittest.cc
+
+**Availability**: Linux, Windows (requires MSVC 8.0 or above), Mac
+
+## Type-Parameterized Tests
+
+*Type-parameterized tests* are like typed tests, except that they don't require
+you to know the list of types ahead of time. Instead, you can define the test
+logic first and instantiate it with different type lists later. You can even
+instantiate it more than once in the same program.
+
+If you are designing an interface or concept, you can define a suite of
+type-parameterized tests to verify properties that any valid implementation of
+the interface/concept should have. Then, the author of each implementation can
+just instantiate the test suite with their type to verify that it conforms to
+the requirements, without having to write similar tests repeatedly. Here's an
+example:
+
+First, define a fixture class template, as we did with typed tests:
+
+```c++
+template <typename T>
+class FooTest : public ::testing::Test {
+  ...
+};
+```
+
+Next, declare that you will define a type-parameterized test case:
+
+```c++
+TYPED_TEST_CASE_P(FooTest);
+```
+
+Then, use `TYPED_TEST_P()` to define a type-parameterized test. You can repeat
+this as many times as you want:
+
+```c++
+TYPED_TEST_P(FooTest, DoesBlah) {
+  // Inside a test, refer to TypeParam to get the type parameter.
+  TypeParam n = 0;
+  ...
+}
+
+TYPED_TEST_P(FooTest, HasPropertyA) { ... }
+```
+
+Now the tricky part: you need to register all test patterns using the
+`REGISTER_TYPED_TEST_CASE_P` macro before you can instantiate them. The first
+argument of the macro is the test case name; the rest are the names of the tests
+in this test case:
+
+```c++
+REGISTER_TYPED_TEST_CASE_P(FooTest,
+                           DoesBlah, HasPropertyA);
+```
+
+Finally, you are free to instantiate the pattern with the types you want. If you
+put the above code in a header file, you can `#include` it in multiple C++
+source files and instantiate it multiple times.
+
+```c++
+typedef ::testing::Types<char, int, unsigned int> MyTypes;
+INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes);
+```
+
+To distinguish different instances of the pattern, the first argument to the
+`INSTANTIATE_TYPED_TEST_CASE_P` macro is a prefix that will be added to the
+actual test case name. Remember to pick unique prefixes for different instances.
+
+In the special case where the type list contains only one type, you can write
+that type directly without `::testing::Types<...>`, like this:
+
+```c++
+INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, int);
+```
+
+You can see `sample6_unittest.cc` for a complete example.
+
+**Availability**: Linux, Windows (requires MSVC 8.0 or above), Mac
+
+## Testing Private Code
+
+If you change your software's internal implementation, your tests should not
+break as long as the change is not observable by users. Therefore, **per the
+black-box testing principle, most of the time you should test your code through
+its public interfaces.**
+
+**If you still find yourself needing to test internal implementation code,
+consider if there's a better design.** The desire to test internal
+implementation is often a sign that the class is doing too much. Consider
+extracting an implementation class, and testing it. Then use that implementation
+class in the original class.
+
+If you absolutely have to test non-public interface code though, you can. There
+are two cases to consider:
+
+*   Static functions ( *not* the same as static member functions!) or unnamed
+    namespaces, and
+*   Private or protected class members
+
+To test them, we use the following special techniques:
+
+*   Both static functions and definitions/declarations in an unnamed namespace
+    are only visible within the same translation unit. To test them, you can
+    `#include` the entire `.cc` file being tested in your `*_test.cc` file.
+    (including `.cc` files is not a good way to reuse code - you should not do
+    this in production code!)
+
+    However, a better approach is to move the private code into the
+    `foo::internal` namespace, where `foo` is the namespace your project
+    normally uses, and put the private declarations in a `*-internal.h` file.
+    Your production `.cc` files and your tests are allowed to include this
+    internal header, but your clients are not. This way, you can fully test your
+    internal implementation without leaking it to your clients.
+
+*   Private class members are only accessible from within the class or by
+    friends. To access a class' private members, you can declare your test
+    fixture as a friend to the class and define accessors in your fixture. Tests
+    using the fixture can then access the private members of your production
+    class via the accessors in the fixture. Note that even though your fixture
+    is a friend to your production class, your tests are not automatically
+    friends to it, as they are technically defined in sub-classes of the
+    fixture.
+
+    Another way to test private members is to refactor them into an
+    implementation class, which is then declared in a `*-internal.h` file. Your
+    clients aren't allowed to include this header but your tests can. Such is
+    called the
+    [Pimpl](https://www.gamedev.net/articles/programming/general-and-gameplay-programming/the-c-pimpl-r1794/)
+    (Private Implementation) idiom.
+
+    Or, you can declare an individual test as a friend of your class by adding
+    this line in the class body:
+
+    ```c++
+        FRIEND_TEST(TestCaseName, TestName);
+    ```
+
+    For example,
+
+    ```c++
+    // foo.h
+
+    #include "gtest/gtest_prod.h"
+
+    class Foo {
+      ...
+    private:
+      FRIEND_TEST(FooTest, BarReturnsZeroOnNull);
+
+      int Bar(void* x);
+    };
+
+    // foo_test.cc
+    ...
+    TEST(FooTest, BarReturnsZeroOnNull) {
+      Foo foo;
+      EXPECT_EQ(0, foo.Bar(NULL));  // Uses Foo's private member Bar().
+    }
+    ```
+
+    Pay special attention when your class is defined in a namespace, as you
+    should define your test fixtures and tests in the same namespace if you want
+    them to be friends of your class. For example, if the code to be tested
+    looks like:
+
+    ```c++
+    namespace my_namespace {
+
+    class Foo {
+      friend class FooTest;
+      FRIEND_TEST(FooTest, Bar);
+      FRIEND_TEST(FooTest, Baz);
+      ... definition of the class Foo ...
+    };
+
+    }  // namespace my_namespace
+    ```
+
+    Your test code should be something like:
+
+    ```c++
+    namespace my_namespace {
+
+    class FooTest : public ::testing::Test {
+     protected:
+      ...
+    };
+
+    TEST_F(FooTest, Bar) { ... }
+    TEST_F(FooTest, Baz) { ... }
+
+    }  // namespace my_namespace
+    ```
+
+
+## "Catching" Failures
+
+If you are building a testing utility on top of googletest, you'll want to test
+your utility. What framework would you use to test it? googletest, of course.
+
+The challenge is to verify that your testing utility reports failures correctly.
+In frameworks that report a failure by throwing an exception, you could catch
+the exception and assert on it. But googletest doesn't use exceptions, so how do
+we test that a piece of code generates an expected failure?
+
+gunit-spi.h contains some constructs to do this. After #including this header,
+you can use
+
+```c++
+  EXPECT_FATAL_FAILURE(statement, substring);
+```
+
+to assert that `statement` generates a fatal (e.g. `ASSERT_*`) failure in the
+current thread whose message contains the given `substring`, or use
+
+```c++
+  EXPECT_NONFATAL_FAILURE(statement, substring);
+```
+
+if you are expecting a non-fatal (e.g. `EXPECT_*`) failure.
+
+Only failures in the current thread are checked to determine the result of this
+type of expectations. If `statement` creates new threads, failures in these
+threads are also ignored. If you want to catch failures in other threads as
+well, use one of the following macros instead:
+
+```c++
+  EXPECT_FATAL_FAILURE_ON_ALL_THREADS(statement, substring);
+  EXPECT_NONFATAL_FAILURE_ON_ALL_THREADS(statement, substring);
+```
+
+NOTE: Assertions from multiple threads are currently not supported on Windows.
+
+For technical reasons, there are some caveats:
+
+1.  You cannot stream a failure message to either macro.
+
+1.  `statement` in `EXPECT_FATAL_FAILURE{_ON_ALL_THREADS}()` cannot reference
+    local non-static variables or non-static members of `this` object.
+
+1.  `statement` in `EXPECT_FATAL_FAILURE{_ON_ALL_THREADS}()()` cannot return a
+    value.
+
+
+## Getting the Current Test's Name
+
+Sometimes a function may need to know the name of the currently running test.
+For example, you may be using the `SetUp()` method of your test fixture to set
+the golden file name based on which test is running. The `::testing::TestInfo`
+class has this information:
+
+```c++
+namespace testing {
+
+class TestInfo {
+ public:
+  // Returns the test case name and the test name, respectively.
+  //
+  // Do NOT delete or free the return value - it's managed by the
+  // TestInfo class.
+  const char* test_case_name() const;
+  const char* name() const;
+};
+
+}
+```
+
+To obtain a `TestInfo` object for the currently running test, call
+`current_test_info()` on the `UnitTest` singleton object:
+
+```c++
+  // Gets information about the currently running test.
+  // Do NOT delete the returned object - it's managed by the UnitTest class.
+  const ::testing::TestInfo* const test_info =
+    ::testing::UnitTest::GetInstance()->current_test_info();
+
+
+
+  printf("We are in test %s of test case %s.\n",
+         test_info->name(),
+         test_info->test_case_name());
+```
+
+`current_test_info()` returns a null pointer if no test is running. In
+particular, you cannot find the test case name in `TestCaseSetUp()`,
+`TestCaseTearDown()` (where you know the test case name implicitly), or
+functions called from them.
+
+**Availability**: Linux, Windows, Mac.
+
+## Extending googletest by Handling Test Events
+
+googletest provides an **event listener API** to let you receive notifications
+about the progress of a test program and test failures. The events you can
+listen to include the start and end of the test program, a test case, or a test
+method, among others. You may use this API to augment or replace the standard
+console output, replace the XML output, or provide a completely different form
+of output, such as a GUI or a database. You can also use test events as
+checkpoints to implement a resource leak checker, for example.
+
+**Availability**: Linux, Windows, Mac.
+
+### Defining Event Listeners
+
+To define a event listener, you subclass either testing::TestEventListener or
+testing::EmptyTestEventListener The former is an (abstract) interface, where
+*each pure virtual method can be overridden to handle a test event* (For
+example, when a test starts, the `OnTestStart()` method will be called.). The
+latter provides an empty implementation of all methods in the interface, such
+that a subclass only needs to override the methods it cares about.
+
+When an event is fired, its context is passed to the handler function as an
+argument. The following argument types are used:
+
+*   UnitTest reflects the state of the entire test program,
+*   TestCase has information about a test case, which can contain one or more
+    tests,
+*   TestInfo contains the state of a test, and
+*   TestPartResult represents the result of a test assertion.
+
+An event handler function can examine the argument it receives to find out
+interesting information about the event and the test program's state.
+
+Here's an example:
+
+```c++
+  class MinimalistPrinter : public ::testing::EmptyTestEventListener {
+    // Called before a test starts.
+    virtual void OnTestStart(const ::testing::TestInfo& test_info) {
+      printf("*** Test %s.%s starting.\n",
+             test_info.test_case_name(), test_info.name());
+    }
+
+    // Called after a failed assertion or a SUCCESS().
+    virtual void OnTestPartResult(const ::testing::TestPartResult& test_part_result) {
+      printf("%s in %s:%d\n%s\n",
+             test_part_result.failed() ? "*** Failure" : "Success",
+             test_part_result.file_name(),
+             test_part_result.line_number(),
+             test_part_result.summary());
+    }
+
+    // Called after a test ends.
+    virtual void OnTestEnd(const ::testing::TestInfo& test_info) {
+      printf("*** Test %s.%s ending.\n",
+             test_info.test_case_name(), test_info.name());
+    }
+  };
+```
+
+### Using Event Listeners
+
+To use the event listener you have defined, add an instance of it to the
+googletest event listener list (represented by class TestEventListeners - note
+the "s" at the end of the name) in your `main()` function, before calling
+`RUN_ALL_TESTS()`:
+
+```c++
+int main(int argc, char** argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  // Gets hold of the event listener list.
+  ::testing::TestEventListeners& listeners =
+        ::testing::UnitTest::GetInstance()->listeners();
+  // Adds a listener to the end.  googletest takes the ownership.
+  listeners.Append(new MinimalistPrinter);
+  return RUN_ALL_TESTS();
+}
+```
+
+There's only one problem: the default test result printer is still in effect, so
+its output will mingle with the output from your minimalist printer. To suppress
+the default printer, just release it from the event listener list and delete it.
+You can do so by adding one line:
+
+```c++
+  ...
+  delete listeners.Release(listeners.default_result_printer());
+  listeners.Append(new MinimalistPrinter);
+  return RUN_ALL_TESTS();
+```
+
+Now, sit back and enjoy a completely different output from your tests. For more
+details, you can read this sample9_unittest.cc
+
+You may append more than one listener to the list. When an `On*Start()` or
+`OnTestPartResult()` event is fired, the listeners will receive it in the order
+they appear in the list (since new listeners are added to the end of the list,
+the default text printer and the default XML generator will receive the event
+first). An `On*End()` event will be received by the listeners in the *reverse*
+order. This allows output by listeners added later to be framed by output from
+listeners added earlier.
+
+### Generating Failures in Listeners
+
+You may use failure-raising macros (`EXPECT_*()`, `ASSERT_*()`, `FAIL()`, etc)
+when processing an event. There are some restrictions:
+
+1.  You cannot generate any failure in `OnTestPartResult()` (otherwise it will
+    cause `OnTestPartResult()` to be called recursively).
+1.  A listener that handles `OnTestPartResult()` is not allowed to generate any
+    failure.
+
+When you add listeners to the listener list, you should put listeners that
+handle `OnTestPartResult()` *before* listeners that can generate failures. This
+ensures that failures generated by the latter are attributed to the right test
+by the former.
+
+We have a sample of failure-raising listener sample10_unittest.cc
+
+## Running Test Programs: Advanced Options
+
+googletest test programs are ordinary executables. Once built, you can run them
+directly and affect their behavior via the following environment variables
+and/or command line flags. For the flags to work, your programs must call
+`::testing::InitGoogleTest()` before calling `RUN_ALL_TESTS()`.
+
+To see a list of supported flags and their usage, please run your test program
+with the `--help` flag. You can also use `-h`, `-?`, or `/?` for short.
+
+If an option is specified both by an environment variable and by a flag, the
+latter takes precedence.
+
+### Selecting Tests
+
+#### Listing Test Names
+
+Sometimes it is necessary to list the available tests in a program before
+running them so that a filter may be applied if needed. Including the flag
+`--gtest_list_tests` overrides all other flags and lists tests in the following
+format:
+
+```none
+TestCase1.
+  TestName1
+  TestName2
+TestCase2.
+  TestName
+```
+
+None of the tests listed are actually run if the flag is provided. There is no
+corresponding environment variable for this flag.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Running a Subset of the Tests
+
+By default, a googletest program runs all tests the user has defined. Sometimes,
+you want to run only a subset of the tests (e.g. for debugging or quickly
+verifying a change). If you set the `GTEST_FILTER` environment variable or the
+`--gtest_filter` flag to a filter string, googletest will only run the tests
+whose full names (in the form of `TestCaseName.TestName`) match the filter.
+
+The format of a filter is a '`:`'-separated list of wildcard patterns (called
+the *positive patterns*) optionally followed by a '`-`' and another
+'`:`'-separated pattern list (called the *negative patterns*). A test matches
+the filter if and only if it matches any of the positive patterns but does not
+match any of the negative patterns.
+
+A pattern may contain `'*'` (matches any string) or `'?'` (matches any single
+character). For convenience, the filter
+
+`'*-NegativePatterns'` can be also written as `'-NegativePatterns'`.
+
+For example:
+
+*   `./foo_test` Has no flag, and thus runs all its tests.
+*   `./foo_test --gtest_filter=*` Also runs everything, due to the single
+    match-everything `*` value.
+*   `./foo_test --gtest_filter=FooTest.*` Runs everything in test case `FooTest`
+    .
+*   `./foo_test --gtest_filter=*Null*:*Constructor*` Runs any test whose full
+    name contains either `"Null"` or `"Constructor"` .
+*   `./foo_test --gtest_filter=-*DeathTest.*` Runs all non-death tests.
+*   `./foo_test --gtest_filter=FooTest.*-FooTest.Bar` Runs everything in test
+    case `FooTest` except `FooTest.Bar`.
+*   `./foo_test --gtest_filter=FooTest.*:BarTest.*-FooTest.Bar:BarTest.Foo` Runs
+    everything in test case `FooTest` except `FooTest.Bar` and everything in
+    test case `BarTest` except `BarTest.Foo`.
+    
+#### Temporarily Disabling Tests
+
+If you have a broken test that you cannot fix right away, you can add the
+`DISABLED_` prefix to its name. This will exclude it from execution. This is
+better than commenting out the code or using `#if 0`, as disabled tests are
+still compiled (and thus won't rot).
+
+If you need to disable all tests in a test case, you can either add `DISABLED_`
+to the front of the name of each test, or alternatively add it to the front of
+the test case name.
+
+For example, the following tests won't be run by googletest, even though they
+will still be compiled:
+
+```c++
+// Tests that Foo does Abc.
+TEST(FooTest, DISABLED_DoesAbc) { ... }
+
+class DISABLED_BarTest : public ::testing::Test { ... };
+
+// Tests that Bar does Xyz.
+TEST_F(DISABLED_BarTest, DoesXyz) { ... }
+```
+
+NOTE: This feature should only be used for temporary pain-relief. You still have
+to fix the disabled tests at a later date. As a reminder, googletest will print
+a banner warning you if a test program contains any disabled tests.
+
+TIP: You can easily count the number of disabled tests you have using `gsearch`
+and/or `grep`. This number can be used as a metric for improving your test
+quality.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Temporarily Enabling Disabled Tests
+
+To include disabled tests in test execution, just invoke the test program with
+the `--gtest_also_run_disabled_tests` flag or set the
+`GTEST_ALSO_RUN_DISABLED_TESTS` environment variable to a value other than `0`.
+You can combine this with the `--gtest_filter` flag to further select which
+disabled tests to run.
+
+**Availability**: Linux, Windows, Mac.
+
+### Repeating the Tests
+
+Once in a while you'll run into a test whose result is hit-or-miss. Perhaps it
+will fail only 1% of the time, making it rather hard to reproduce the bug under
+a debugger. This can be a major source of frustration.
+
+The `--gtest_repeat` flag allows you to repeat all (or selected) test methods in
+a program many times. Hopefully, a flaky test will eventually fail and give you
+a chance to debug. Here's how to use it:
+
+```none
+$ foo_test --gtest_repeat=1000
+Repeat foo_test 1000 times and don't stop at failures.
+
+$ foo_test --gtest_repeat=-1
+A negative count means repeating forever.
+
+$ foo_test --gtest_repeat=1000 --gtest_break_on_failure
+Repeat foo_test 1000 times, stopping at the first failure.  This
+is especially useful when running under a debugger: when the test
+fails, it will drop into the debugger and you can then inspect
+variables and stacks.
+
+$ foo_test --gtest_repeat=1000 --gtest_filter=FooBar.*
+Repeat the tests whose name matches the filter 1000 times.
+```
+
+If your test program contains [global set-up/tear-down](#global-set-up-and-tear-down) code, it
+will be repeated in each iteration as well, as the flakiness may be in it. You
+can also specify the repeat count by setting the `GTEST_REPEAT` environment
+variable.
+
+**Availability**: Linux, Windows, Mac.
+
+### Shuffling the Tests
+
+You can specify the `--gtest_shuffle` flag (or set the `GTEST_SHUFFLE`
+environment variable to `1`) to run the tests in a program in a random order.
+This helps to reveal bad dependencies between tests.
+
+By default, googletest uses a random seed calculated from the current time.
+Therefore you'll get a different order every time. The console output includes
+the random seed value, such that you can reproduce an order-related test failure
+later. To specify the random seed explicitly, use the `--gtest_random_seed=SEED`
+flag (or set the `GTEST_RANDOM_SEED` environment variable), where `SEED` is an
+integer in the range [0, 99999]. The seed value 0 is special: it tells
+googletest to do the default behavior of calculating the seed from the current
+time.
+
+If you combine this with `--gtest_repeat=N`, googletest will pick a different
+random seed and re-shuffle the tests in each iteration.
+
+**Availability**: Linux, Windows, Mac.
+
+### Controlling Test Output
+
+#### Colored Terminal Output
+
+googletest can use colors in its terminal output to make it easier to spot the
+important information:
+
+...<br/>
+<span style="color:green">[----------]<span style="color:black"> 1 test from FooTest<br/>
+<span style="color:green">[ RUN      ]<span style="color:black"> FooTest.DoesAbc<br/>
+<span style="color:green">[       OK ]<span style="color:black"> FooTest.DoesAbc<br/>
+<span style="color:green">[----------]<span style="color:black"> 2 tests from BarTest<br/>
+<span style="color:green">[ RUN      ]<span style="color:black"> BarTest.HasXyzProperty<br/>
+<span style="color:green">[       OK ]<span style="color:black"> BarTest.HasXyzProperty<br/>
+<span style="color:green">[ RUN      ]<span style="color:black"> BarTest.ReturnsTrueOnSuccess<br/>
+... some error messages ...<br/>
+<span   style="color:red">[  FAILED  ] <span style="color:black">BarTest.ReturnsTrueOnSuccess<br/>
+...<br/>
+<span style="color:green">[==========]<span style="color:black"> 30 tests from 14 test cases ran.<br/>
+<span style="color:green">[  PASSED  ]<span style="color:black"> 28 tests.<br/>
+<span style="color:red">[  FAILED  ]<span style="color:black"> 2 tests, listed below:<br/>
+<span style="color:red">[  FAILED  ]<span style="color:black"> BarTest.ReturnsTrueOnSuccess<br/>
+<span style="color:red">[  FAILED  ]<span style="color:black"> AnotherTest.DoesXyz<br/>
+  2 FAILED TESTS
+
+You can set the `GTEST_COLOR` environment variable or the `--gtest_color`
+command line flag to `yes`, `no`, or `auto` (the default) to enable colors,
+disable colors, or let googletest decide. When the value is `auto`, googletest
+will use colors if and only if the output goes to a terminal and (on non-Windows
+platforms) the `TERM` environment variable is set to `xterm` or `xterm-color`.
+
+ **Availability**: Linux, Windows, Mac.
+
+#### Suppressing the Elapsed Time
+
+By default, googletest prints the time it takes to run each test. To disable
+that, run the test program with the `--gtest_print_time=0` command line flag, or
+set the GTEST_PRINT_TIME environment variable to `0`.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Suppressing UTF-8 Text Output
+
+In case of assertion failures, googletest prints expected and actual values of
+type `string` both as hex-encoded strings as well as in readable UTF-8 text if
+they contain valid non-ASCII UTF-8 characters. If you want to suppress the UTF-8
+text because, for example, you don't have an UTF-8 compatible output medium, run
+the test program with `--gtest_print_utf8=0` or set the `GTEST_PRINT_UTF8`
+environment variable to `0`.
+
+**Availability**: Linux, Windows, Mac.
+
+
+#### Generating an XML Report
+
+googletest can emit a detailed XML report to a file in addition to its normal
+textual output. The report contains the duration of each test, and thus can help
+you identify slow tests. The report is also used by the http://unittest
+dashboard to show per-test-method error messages.
+
+To generate the XML report, set the `GTEST_OUTPUT` environment variable or the
+`--gtest_output` flag to the string `"xml:path_to_output_file"`, which will
+create the file at the given location. You can also just use the string `"xml"`,
+in which case the output can be found in the `test_detail.xml` file in the
+current directory.
+
+If you specify a directory (for example, `"xml:output/directory/"` on Linux or
+`"xml:output\directory\"` on Windows), googletest will create the XML file in
+that directory, named after the test executable (e.g. `foo_test.xml` for test
+program `foo_test` or `foo_test.exe`). If the file already exists (perhaps left
+over from a previous run), googletest will pick a different name (e.g.
+`foo_test_1.xml`) to avoid overwriting it.
+
+
+The report is based on the `junitreport` Ant task. Since that format was
+originally intended for Java, a little interpretation is required to make it
+apply to googletest tests, as shown here:
+
+```xml
+<testsuites name="AllTests" ...>
+  <testsuite name="test_case_name" ...>
+    <testcase    name="test_name" ...>
+      <failure message="..."/>
+      <failure message="..."/>
+      <failure message="..."/>
+    </testcase>
+  </testsuite>
+</testsuites>
+```
+
+*   The root `<testsuites>` element corresponds to the entire test program.
+*   `<testsuite>` elements correspond to googletest test cases.
+*   `<testcase>` elements correspond to googletest test functions.
+
+For instance, the following program
+
+```c++
+TEST(MathTest, Addition) { ... }
+TEST(MathTest, Subtraction) { ... }
+TEST(LogicTest, NonContradiction) { ... }
+```
+
+could generate this report:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<testsuites tests="3" failures="1" errors="0" time="0.035" timestamp="2011-10-31T18:52:42" name="AllTests">
+  <testsuite name="MathTest" tests="2" failures="1" errors="0" time="0.015">
+    <testcase name="Addition" status="run" time="0.007" classname="">
+      <failure message="Value of: add(1, 1)&#x0A;  Actual: 3&#x0A;Expected: 2" type="">...</failure>
+      <failure message="Value of: add(1, -1)&#x0A;  Actual: 1&#x0A;Expected: 0" type="">...</failure>
+    </testcase>
+    <testcase name="Subtraction" status="run" time="0.005" classname="">
+    </testcase>
+  </testsuite>
+  <testsuite name="LogicTest" tests="1" failures="0" errors="0" time="0.005">
+    <testcase name="NonContradiction" status="run" time="0.005" classname="">
+    </testcase>
+  </testsuite>
+</testsuites>
+```
+
+Things to note:
+
+*   The `tests` attribute of a `<testsuites>` or `<testsuite>` element tells how
+    many test functions the googletest program or test case contains, while the
+    `failures` attribute tells how many of them failed.
+
+*   The `time` attribute expresses the duration of the test, test case, or
+    entire test program in seconds.
+
+*   The `timestamp` attribute records the local date and time of the test
+    execution.
+
+*   Each `<failure>` element corresponds to a single failed googletest
+    assertion.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Generating an JSON Report
+
+googletest can also emit a JSON report as an alternative format to XML. To
+generate the JSON report, set the `GTEST_OUTPUT` environment variable or the
+`--gtest_output` flag to the string `"json:path_to_output_file"`, which will
+create the file at the given location. You can also just use the string
+`"json"`, in which case the output can be found in the `test_detail.json` file
+in the current directory.
+
+The report format conforms to the following JSON Schema:
+
+```json
+{
+  "$schema": "http://json-schema.org/schema#",
+  "type": "object",
+  "definitions": {
+    "TestCase": {
+      "type": "object",
+      "properties": {
+        "name": { "type": "string" },
+        "tests": { "type": "integer" },
+        "failures": { "type": "integer" },
+        "disabled": { "type": "integer" },
+        "time": { "type": "string" },
+        "testsuite": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/TestInfo"
+          }
+        }
+      }
+    },
+    "TestInfo": {
+      "type": "object",
+      "properties": {
+        "name": { "type": "string" },
+        "status": {
+          "type": "string",
+          "enum": ["RUN", "NOTRUN"]
+        },
+        "time": { "type": "string" },
+        "classname": { "type": "string" },
+        "failures": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Failure"
+          }
+        }
+      }
+    },
+    "Failure": {
+      "type": "object",
+      "properties": {
+        "failures": { "type": "string" },
+        "type": { "type": "string" }
+      }
+    }
+  },
+  "properties": {
+    "tests": { "type": "integer" },
+    "failures": { "type": "integer" },
+    "disabled": { "type": "integer" },
+    "errors": { "type": "integer" },
+    "timestamp": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "time": { "type": "string" },
+    "name": { "type": "string" },
+    "testsuites": {
+      "type": "array",
+      "items": {
+        "$ref": "#/definitions/TestCase"
+      }
+    }
+  }
+}
+```
+
+The report uses the format that conforms to the following Proto3 using the [JSON
+encoding](https://developers.google.com/protocol-buffers/docs/proto3#json):
+
+```proto
+syntax = "proto3";
+
+package googletest;
+
+import "google/protobuf/timestamp.proto";
+import "google/protobuf/duration.proto";
+
+message UnitTest {
+  int32 tests = 1;
+  int32 failures = 2;
+  int32 disabled = 3;
+  int32 errors = 4;
+  google.protobuf.Timestamp timestamp = 5;
+  google.protobuf.Duration time = 6;
+  string name = 7;
+  repeated TestCase testsuites = 8;
+}
+
+message TestCase {
+  string name = 1;
+  int32 tests = 2;
+  int32 failures = 3;
+  int32 disabled = 4;
+  int32 errors = 5;
+  google.protobuf.Duration time = 6;
+  repeated TestInfo testsuite = 7;
+}
+
+message TestInfo {
+  string name = 1;
+  enum Status {
+    RUN = 0;
+    NOTRUN = 1;
+  }
+  Status status = 2;
+  google.protobuf.Duration time = 3;
+  string classname = 4;
+  message Failure {
+    string failures = 1;
+    string type = 2;
+  }
+  repeated Failure failures = 5;
+}
+```
+
+For instance, the following program
+
+```c++
+TEST(MathTest, Addition) { ... }
+TEST(MathTest, Subtraction) { ... }
+TEST(LogicTest, NonContradiction) { ... }
+```
+
+could generate this report:
+
+```json
+{
+  "tests": 3,
+  "failures": 1,
+  "errors": 0,
+  "time": "0.035s",
+  "timestamp": "2011-10-31T18:52:42Z"
+  "name": "AllTests",
+  "testsuites": [
+    {
+      "name": "MathTest",
+      "tests": 2,
+      "failures": 1,
+      "errors": 0,
+      "time": "0.015s",
+      "testsuite": [
+        {
+          "name": "Addition",
+          "status": "RUN",
+          "time": "0.007s",
+          "classname": "",
+          "failures": [
+            {
+              "message": "Value of: add(1, 1)\x0A  Actual: 3\x0AExpected: 2",
+              "type": ""
+            },
+            {
+              "message": "Value of: add(1, -1)\x0A  Actual: 1\x0AExpected: 0",
+              "type": ""
+            }
+          ]
+        },
+        {
+          "name": "Subtraction",
+          "status": "RUN",
+          "time": "0.005s",
+          "classname": ""
+        }
+      ]
+    }
+    {
+      "name": "LogicTest",
+      "tests": 1,
+      "failures": 0,
+      "errors": 0,
+      "time": "0.005s",
+      "testsuite": [
+        {
+          "name": "NonContradiction",
+          "status": "RUN",
+          "time": "0.005s",
+          "classname": ""
+        }
+      ]
+    }
+  ]
+}
+```
+
+IMPORTANT: The exact format of the JSON document is subject to change.
+
+**Availability**: Linux, Windows, Mac.
+
+### Controlling How Failures Are Reported
+
+#### Turning Assertion Failures into Break-Points
+
+When running test programs under a debugger, it's very convenient if the
+debugger can catch an assertion failure and automatically drop into interactive
+mode. googletest's *break-on-failure* mode supports this behavior.
+
+To enable it, set the `GTEST_BREAK_ON_FAILURE` environment variable to a value
+other than `0` . Alternatively, you can use the `--gtest_break_on_failure`
+command line flag.
+
+**Availability**: Linux, Windows, Mac.
+
+#### Disabling Catching Test-Thrown Exceptions
+
+googletest can be used either with or without exceptions enabled. If a test
+throws a C++ exception or (on Windows) a structured exception (SEH), by default
+googletest catches it, reports it as a test failure, and continues with the next
+test method. This maximizes the coverage of a test run. Also, on Windows an
+uncaught exception will cause a pop-up window, so catching the exceptions allows
+you to run the tests automatically.
+
+When debugging the test failures, however, you may instead want the exceptions
+to be handled by the debugger, such that you can examine the call stack when an
+exception is thrown. To achieve that, set the `GTEST_CATCH_EXCEPTIONS`
+environment variable to `0`, or use the `--gtest_catch_exceptions=0` flag when
+running the tests.
+
+**Availability**: Linux, Windows, Mac.
+
diff --git a/security/nss/gtests/google_test/gtest/docs/faq.md b/security/nss/gtests/google_test/gtest/docs/faq.md
new file mode 100644
index 0000000000..7d42ff7dba
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/faq.md
@@ -0,0 +1,770 @@
+# Googletest FAQ
+
+
+## Why should test case names and test names not contain underscore?
+
+Underscore (`_`) is special, as C++ reserves the following to be used by the
+compiler and the standard library:
+
+1.  any identifier that starts with an `_` followed by an upper-case letter, and
+1.  any identifier that contains two consecutive underscores (i.e. `__`)
+    *anywhere* in its name.
+
+User code is *prohibited* from using such identifiers.
+
+Now let's look at what this means for `TEST` and `TEST_F`.
+
+Currently `TEST(TestCaseName, TestName)` generates a class named
+`TestCaseName_TestName_Test`. What happens if `TestCaseName` or `TestName`
+contains `_`?
+
+1.  If `TestCaseName` starts with an `_` followed by an upper-case letter (say,
+    `_Foo`), we end up with `_Foo_TestName_Test`, which is reserved and thus
+    invalid.
+1.  If `TestCaseName` ends with an `_` (say, `Foo_`), we get
+    `Foo__TestName_Test`, which is invalid.
+1.  If `TestName` starts with an `_` (say, `_Bar`), we get
+    `TestCaseName__Bar_Test`, which is invalid.
+1.  If `TestName` ends with an `_` (say, `Bar_`), we get
+    `TestCaseName_Bar__Test`, which is invalid.
+
+So clearly `TestCaseName` and `TestName` cannot start or end with `_` (Actually,
+`TestCaseName` can start with `_` -- as long as the `_` isn't followed by an
+upper-case letter. But that's getting complicated. So for simplicity we just say
+that it cannot start with `_`.).
+
+It may seem fine for `TestCaseName` and `TestName` to contain `_` in the middle.
+However, consider this:
+
+```c++
+TEST(Time, Flies_Like_An_Arrow) { ... }
+TEST(Time_Flies, Like_An_Arrow) { ... }
+```
+
+Now, the two `TEST`s will both generate the same class
+(`Time_Flies_Like_An_Arrow_Test`). That's not good.
+
+So for simplicity, we just ask the users to avoid `_` in `TestCaseName` and
+`TestName`. The rule is more constraining than necessary, but it's simple and
+easy to remember. It also gives googletest some wiggle room in case its
+implementation needs to change in the future.
+
+If you violate the rule, there may not be immediate consequences, but your test
+may (just may) break with a new compiler (or a new version of the compiler you
+are using) or with a new version of googletest. Therefore it's best to follow
+the rule.
+
+## Why does googletest support `EXPECT_EQ(NULL, ptr)` and `ASSERT_EQ(NULL, ptr)` but not `EXPECT_NE(NULL, ptr)` and `ASSERT_NE(NULL, ptr)`?
+
+First of all you can use `EXPECT_NE(nullptr, ptr)` and `ASSERT_NE(nullptr,
+ptr)`. This is the preferred syntax in the style guide because nullptr does not
+have the type problems that NULL does. Which is why NULL does not work.
+
+Due to some peculiarity of C++, it requires some non-trivial template meta
+programming tricks to support using `NULL` as an argument of the `EXPECT_XX()`
+and `ASSERT_XX()` macros. Therefore we only do it where it's most needed
+(otherwise we make the implementation of googletest harder to maintain and more
+error-prone than necessary).
+
+The `EXPECT_EQ()` macro takes the *expected* value as its first argument and the
+*actual* value as the second. It's reasonable that someone wants to write
+`EXPECT_EQ(NULL, some_expression)`, and this indeed was requested several times.
+Therefore we implemented it.
+
+The need for `EXPECT_NE(NULL, ptr)` isn't nearly as strong. When the assertion
+fails, you already know that `ptr` must be `NULL`, so it doesn't add any
+information to print `ptr` in this case. That means `EXPECT_TRUE(ptr != NULL)`
+works just as well.
+
+If we were to support `EXPECT_NE(NULL, ptr)`, for consistency we'll have to
+support `EXPECT_NE(ptr, NULL)` as well, as unlike `EXPECT_EQ`, we don't have a
+convention on the order of the two arguments for `EXPECT_NE`. This means using
+the template meta programming tricks twice in the implementation, making it even
+harder to understand and maintain. We believe the benefit doesn't justify the
+cost.
+
+Finally, with the growth of the gMock matcher library, we are encouraging people
+to use the unified `EXPECT_THAT(value, matcher)` syntax more often in tests. One
+significant advantage of the matcher approach is that matchers can be easily
+combined to form new matchers, while the `EXPECT_NE`, etc, macros cannot be
+easily combined. Therefore we want to invest more in the matchers than in the
+`EXPECT_XX()` macros.
+
+## I need to test that different implementations of an interface satisfy some common requirements. Should I use typed tests or value-parameterized tests?
+
+For testing various implementations of the same interface, either typed tests or
+value-parameterized tests can get it done. It's really up to you the user to
+decide which is more convenient for you, depending on your particular case. Some
+rough guidelines:
+
+*   Typed tests can be easier to write if instances of the different
+    implementations can be created the same way, modulo the type. For example,
+    if all these implementations have a public default constructor (such that
+    you can write `new TypeParam`), or if their factory functions have the same
+    form (e.g. `CreateInstance<TypeParam>()`).
+*   Value-parameterized tests can be easier to write if you need different code
+    patterns to create different implementations' instances, e.g. `new Foo` vs
+    `new Bar(5)`. To accommodate for the differences, you can write factory
+    function wrappers and pass these function pointers to the tests as their
+    parameters.
+*   When a typed test fails, the output includes the name of the type, which can
+    help you quickly identify which implementation is wrong. Value-parameterized
+    tests cannot do this, so there you'll have to look at the iteration number
+    to know which implementation the failure is from, which is less direct.
+*   If you make a mistake writing a typed test, the compiler errors can be
+    harder to digest, as the code is templatized.
+*   When using typed tests, you need to make sure you are testing against the
+    interface type, not the concrete types (in other words, you want to make
+    sure `implicit_cast<MyInterface*>(my_concrete_impl)` works, not just that
+    `my_concrete_impl` works). It's less likely to make mistakes in this area
+    when using value-parameterized tests.
+
+I hope I didn't confuse you more. :-) If you don't mind, I'd suggest you to give
+both approaches a try. Practice is a much better way to grasp the subtle
+differences between the two tools. Once you have some concrete experience, you
+can much more easily decide which one to use the next time.
+
+## My death tests became very slow - what happened?
+
+In August 2008 we had to switch the default death test style from `fast` to
+`threadsafe`, as the former is no longer safe now that threaded logging is the
+default. This caused many death tests to slow down. Unfortunately this change
+was necessary.
+
+Please read [Fixing Failing Death Tests](death_test_styles.md) for what you can
+do.
+
+## I got some run-time errors about invalid proto descriptors when using `ProtocolMessageEquals`. Help!
+
+**Note:** `ProtocolMessageEquals` and `ProtocolMessageEquiv` are *deprecated*
+now. Please use `EqualsProto`, etc instead.
+
+`ProtocolMessageEquals` and `ProtocolMessageEquiv` were redefined recently and
+are now less tolerant on invalid protocol buffer definitions. In particular, if
+you have a `foo.proto` that doesn't fully qualify the type of a protocol message
+it references (e.g. `message<Bar>` where it should be `message<blah.Bar>`), you
+will now get run-time errors like:
+
+```
+... descriptor.cc:...] Invalid proto descriptor for file "path/to/foo.proto":
+... descriptor.cc:...]  blah.MyMessage.my_field: ".Bar" is not defined.
+```
+
+If you see this, your `.proto` file is broken and needs to be fixed by making
+the types fully qualified. The new definition of `ProtocolMessageEquals` and
+`ProtocolMessageEquiv` just happen to reveal your bug.
+
+## My death test modifies some state, but the change seems lost after the death test finishes. Why?
+
+Death tests (`EXPECT_DEATH`, etc) are executed in a sub-process s.t. the
+expected crash won't kill the test program (i.e. the parent process). As a
+result, any in-memory side effects they incur are observable in their respective
+sub-processes, but not in the parent process. You can think of them as running
+in a parallel universe, more or less.
+
+In particular, if you use [gMock](../../googlemock) and the death test statement
+invokes some mock methods, the parent process will think the calls have never
+occurred. Therefore, you may want to move your `EXPECT_CALL` statements inside
+the `EXPECT_DEATH` macro.
+
+## EXPECT_EQ(htonl(blah), blah_blah) generates weird compiler errors in opt mode. Is this a googletest bug?
+
+Actually, the bug is in `htonl()`.
+
+According to `'man htonl'`, `htonl()` is a *function*, which means it's valid to
+use `htonl` as a function pointer. However, in opt mode `htonl()` is defined as
+a *macro*, which breaks this usage.
+
+Worse, the macro definition of `htonl()` uses a `gcc` extension and is *not*
+standard C++. That hacky implementation has some ad hoc limitations. In
+particular, it prevents you from writing `Foo<sizeof(htonl(x))>()`, where `Foo`
+is a template that has an integral argument.
+
+The implementation of `EXPECT_EQ(a, b)` uses `sizeof(... a ...)` inside a
+template argument, and thus doesn't compile in opt mode when `a` contains a call
+to `htonl()`. It is difficult to make `EXPECT_EQ` bypass the `htonl()` bug, as
+the solution must work with different compilers on various platforms.
+
+`htonl()` has some other problems as described in `//util/endian/endian.h`,
+which defines `ghtonl()` to replace it. `ghtonl()` does the same thing `htonl()`
+does, only without its problems. We suggest you to use `ghtonl()` instead of
+`htonl()`, both in your tests and production code.
+
+`//util/endian/endian.h` also defines `ghtons()`, which solves similar problems
+in `htons()`.
+
+Don't forget to add `//util/endian` to the list of dependencies in the `BUILD`
+file wherever `ghtonl()` and `ghtons()` are used. The library consists of a
+single header file and will not bloat your binary.
+
+## The compiler complains about "undefined references" to some static const member variables, but I did define them in the class body. What's wrong?
+
+If your class has a static data member:
+
+```c++
+// foo.h
+class Foo {
+  ...
+  static const int kBar = 100;
+};
+```
+
+You also need to define it *outside* of the class body in `foo.cc`:
+
+```c++
+const int Foo::kBar;  // No initializer here.
+```
+
+Otherwise your code is **invalid C++**, and may break in unexpected ways. In
+particular, using it in googletest comparison assertions (`EXPECT_EQ`, etc) will
+generate an "undefined reference" linker error. The fact that "it used to work"
+doesn't mean it's valid. It just means that you were lucky. :-)
+
+## Can I derive a test fixture from another?
+
+Yes.
+
+Each test fixture has a corresponding and same named test case. This means only
+one test case can use a particular fixture. Sometimes, however, multiple test
+cases may want to use the same or slightly different fixtures. For example, you
+may want to make sure that all of a GUI library's test cases don't leak
+important system resources like fonts and brushes.
+
+In googletest, you share a fixture among test cases by putting the shared logic
+in a base test fixture, then deriving from that base a separate fixture for each
+test case that wants to use this common logic. You then use `TEST_F()` to write
+tests using each derived fixture.
+
+Typically, your code looks like this:
+
+```c++
+// Defines a base test fixture.
+class BaseTest : public ::testing::Test {
+ protected:
+  ...
+};
+
+// Derives a fixture FooTest from BaseTest.
+class FooTest : public BaseTest {
+ protected:
+  void SetUp() override {
+    BaseTest::SetUp();  // Sets up the base fixture first.
+    ... additional set-up work ...
+  }
+
+  void TearDown() override {
+    ... clean-up work for FooTest ...
+    BaseTest::TearDown();  // Remember to tear down the base fixture
+                           // after cleaning up FooTest!
+  }
+
+  ... functions and variables for FooTest ...
+};
+
+// Tests that use the fixture FooTest.
+TEST_F(FooTest, Bar) { ... }
+TEST_F(FooTest, Baz) { ... }
+
+... additional fixtures derived from BaseTest ...
+```
+
+If necessary, you can continue to derive test fixtures from a derived fixture.
+googletest has no limit on how deep the hierarchy can be.
+
+For a complete example using derived test fixtures, see [googletest
+sample](https://github.com/google/googletest/blob/master/googletest/samples/sample5_unittest.cc)
+
+## My compiler complains "void value not ignored as it ought to be." What does this mean?
+
+You're probably using an `ASSERT_*()` in a function that doesn't return `void`.
+`ASSERT_*()` can only be used in `void` functions, due to exceptions being
+disabled by our build system. Please see more details
+[here](advanced.md#assertion-placement).
+
+## My death test hangs (or seg-faults). How do I fix it?
+
+In googletest, death tests are run in a child process and the way they work is
+delicate. To write death tests you really need to understand how they work.
+Please make sure you have read [this](advanced.md#how-it-works).
+
+In particular, death tests don't like having multiple threads in the parent
+process. So the first thing you can try is to eliminate creating threads outside
+of `EXPECT_DEATH()`. For example, you may want to use [mocks](../../googlemock)
+or fake objects instead of real ones in your tests.
+
+Sometimes this is impossible as some library you must use may be creating
+threads before `main()` is even reached. In this case, you can try to minimize
+the chance of conflicts by either moving as many activities as possible inside
+`EXPECT_DEATH()` (in the extreme case, you want to move everything inside), or
+leaving as few things as possible in it. Also, you can try to set the death test
+style to `"threadsafe"`, which is safer but slower, and see if it helps.
+
+If you go with thread-safe death tests, remember that they rerun the test
+program from the beginning in the child process. Therefore make sure your
+program can run side-by-side with itself and is deterministic.
+
+In the end, this boils down to good concurrent programming. You have to make
+sure that there is no race conditions or dead locks in your program. No silver
+bullet - sorry!
+
+## Should I use the constructor/destructor of the test fixture or SetUp()/TearDown()?
+
+The first thing to remember is that googletest does **not** reuse the same test
+fixture object across multiple tests. For each `TEST_F`, googletest will create
+a **fresh** test fixture object, immediately call `SetUp()`, run the test body,
+call `TearDown()`, and then delete the test fixture object.
+
+When you need to write per-test set-up and tear-down logic, you have the choice
+between using the test fixture constructor/destructor or `SetUp()/TearDown()`.
+The former is usually preferred, as it has the following benefits:
+
+*   By initializing a member variable in the constructor, we have the option to
+    make it `const`, which helps prevent accidental changes to its value and
+    makes the tests more obviously correct.
+*   In case we need to subclass the test fixture class, the subclass'
+    constructor is guaranteed to call the base class' constructor *first*, and
+    the subclass' destructor is guaranteed to call the base class' destructor
+    *afterward*. With `SetUp()/TearDown()`, a subclass may make the mistake of
+    forgetting to call the base class' `SetUp()/TearDown()` or call them at the
+    wrong time.
+
+You may still want to use `SetUp()/TearDown()` in the following rare cases:
+
+*   In the body of a constructor (or destructor), it's not possible to use the
+    `ASSERT_xx` macros. Therefore, if the set-up operation could cause a fatal
+    test failure that should prevent the test from running, it's necessary to
+    use a `CHECK` macro or to use `SetUp()` instead of a constructor.
+*   If the tear-down operation could throw an exception, you must use
+    `TearDown()` as opposed to the destructor, as throwing in a destructor leads
+    to undefined behavior and usually will kill your program right away. Note
+    that many standard libraries (like STL) may throw when exceptions are
+    enabled in the compiler. Therefore you should prefer `TearDown()` if you
+    want to write portable tests that work with or without exceptions.
+*   The googletest team is considering making the assertion macros throw on
+    platforms where exceptions are enabled (e.g. Windows, Mac OS, and Linux
+    client-side), which will eliminate the need for the user to propagate
+    failures from a subroutine to its caller. Therefore, you shouldn't use
+    googletest assertions in a destructor if your code could run on such a
+    platform.
+*   In a constructor or destructor, you cannot make a virtual function call on
+    this object. (You can call a method declared as virtual, but it will be
+    statically bound.) Therefore, if you need to call a method that will be
+    overridden in a derived class, you have to use `SetUp()/TearDown()`.
+
+
+## The compiler complains "no matching function to call" when I use ASSERT_PRED*. How do I fix it?
+
+If the predicate function you use in `ASSERT_PRED*` or `EXPECT_PRED*` is
+overloaded or a template, the compiler will have trouble figuring out which
+overloaded version it should use. `ASSERT_PRED_FORMAT*` and
+`EXPECT_PRED_FORMAT*` don't have this problem.
+
+If you see this error, you might want to switch to
+`(ASSERT|EXPECT)_PRED_FORMAT*`, which will also give you a better failure
+message. If, however, that is not an option, you can resolve the problem by
+explicitly telling the compiler which version to pick.
+
+For example, suppose you have
+
+```c++
+bool IsPositive(int n) {
+  return n > 0;
+}
+
+bool IsPositive(double x) {
+  return x > 0;
+}
+```
+
+you will get a compiler error if you write
+
+```c++
+EXPECT_PRED1(IsPositive, 5);
+```
+
+However, this will work:
+
+```c++
+EXPECT_PRED1(static_cast<bool (*)(int)>(IsPositive), 5);
+```
+
+(The stuff inside the angled brackets for the `static_cast` operator is the type
+of the function pointer for the `int`-version of `IsPositive()`.)
+
+As another example, when you have a template function
+
+```c++
+template <typename T>
+bool IsNegative(T x) {
+  return x < 0;
+}
+```
+
+you can use it in a predicate assertion like this:
+
+```c++
+ASSERT_PRED1(IsNegative<int>, -5);
+```
+
+Things are more interesting if your template has more than one parameters. The
+following won't compile:
+
+```c++
+ASSERT_PRED2(GreaterThan<int, int>, 5, 0);
+```
+
+as the C++ pre-processor thinks you are giving `ASSERT_PRED2` 4 arguments, which
+is one more than expected. The workaround is to wrap the predicate function in
+parentheses:
+
+```c++
+ASSERT_PRED2((GreaterThan<int, int>), 5, 0);
+```
+
+
+## My compiler complains about "ignoring return value" when I call RUN_ALL_TESTS(). Why?
+
+Some people had been ignoring the return value of `RUN_ALL_TESTS()`. That is,
+instead of
+
+```c++
+  return RUN_ALL_TESTS();
+```
+
+they write
+
+```c++
+  RUN_ALL_TESTS();
+```
+
+This is **wrong and dangerous**. The testing services needs to see the return
+value of `RUN_ALL_TESTS()` in order to determine if a test has passed. If your
+`main()` function ignores it, your test will be considered successful even if it
+has a googletest assertion failure. Very bad.
+
+We have decided to fix this (thanks to Michael Chastain for the idea). Now, your
+code will no longer be able to ignore `RUN_ALL_TESTS()` when compiled with
+`gcc`. If you do so, you'll get a compiler error.
+
+If you see the compiler complaining about you ignoring the return value of
+`RUN_ALL_TESTS()`, the fix is simple: just make sure its value is used as the
+return value of `main()`.
+
+But how could we introduce a change that breaks existing tests? Well, in this
+case, the code was already broken in the first place, so we didn't break it. :-)
+
+## My compiler complains that a constructor (or destructor) cannot return a value. What's going on?
+
+Due to a peculiarity of C++, in order to support the syntax for streaming
+messages to an `ASSERT_*`, e.g.
+
+```c++
+  ASSERT_EQ(1, Foo()) << "blah blah" << foo;
+```
+
+we had to give up using `ASSERT*` and `FAIL*` (but not `EXPECT*` and
+`ADD_FAILURE*`) in constructors and destructors. The workaround is to move the
+content of your constructor/destructor to a private void member function, or
+switch to `EXPECT_*()` if that works. This
+[section](advanced.md#assertion-placement) in the user's guide explains it.
+
+## My SetUp() function is not called. Why?
+
+C++ is case-sensitive. Did you spell it as `Setup()`?
+
+Similarly, sometimes people spell `SetUpTestCase()` as `SetupTestCase()` and
+wonder why it's never called.
+
+## How do I jump to the line of a failure in Emacs directly?
+
+googletest's failure message format is understood by Emacs and many other IDEs,
+like acme and XCode. If a googletest message is in a compilation buffer in
+Emacs, then it's clickable.
+
+
+## I have several test cases which share the same test fixture logic, do I have to define a new test fixture class for each of them? This seems pretty tedious.
+
+You don't have to. Instead of
+
+```c++
+class FooTest : public BaseTest {};
+
+TEST_F(FooTest, Abc) { ... }
+TEST_F(FooTest, Def) { ... }
+
+class BarTest : public BaseTest {};
+
+TEST_F(BarTest, Abc) { ... }
+TEST_F(BarTest, Def) { ... }
+```
+
+you can simply `typedef` the test fixtures:
+
+```c++
+typedef BaseTest FooTest;
+
+TEST_F(FooTest, Abc) { ... }
+TEST_F(FooTest, Def) { ... }
+
+typedef BaseTest BarTest;
+
+TEST_F(BarTest, Abc) { ... }
+TEST_F(BarTest, Def) { ... }
+```
+
+## googletest output is buried in a whole bunch of LOG messages. What do I do?
+
+The googletest output is meant to be a concise and human-friendly report. If
+your test generates textual output itself, it will mix with the googletest
+output, making it hard to read. However, there is an easy solution to this
+problem.
+
+Since `LOG` messages go to stderr, we decided to let googletest output go to
+stdout. This way, you can easily separate the two using redirection. For
+example:
+
+```shell
+$ ./my_test > gtest_output.txt
+```
+
+
+## Why should I prefer test fixtures over global variables?
+
+There are several good reasons:
+
+1.  It's likely your test needs to change the states of its global variables.
+    This makes it difficult to keep side effects from escaping one test and
+    contaminating others, making debugging difficult. By using fixtures, each
+    test has a fresh set of variables that's different (but with the same
+    names). Thus, tests are kept independent of each other.
+1.  Global variables pollute the global namespace.
+1.  Test fixtures can be reused via subclassing, which cannot be done easily
+    with global variables. This is useful if many test cases have something in
+    common.
+
+
+    ## What can the statement argument in ASSERT_DEATH() be?
+
+`ASSERT_DEATH(*statement*, *regex*)` (or any death assertion macro) can be used
+wherever `*statement*` is valid. So basically `*statement*` can be any C++
+statement that makes sense in the current context. In particular, it can
+reference global and/or local variables, and can be:
+
+*   a simple function call (often the case),
+*   a complex expression, or
+*   a compound statement.
+
+Some examples are shown here:
+
+```c++
+// A death test can be a simple function call.
+TEST(MyDeathTest, FunctionCall) {
+  ASSERT_DEATH(Xyz(5), "Xyz failed");
+}
+
+// Or a complex expression that references variables and functions.
+TEST(MyDeathTest, ComplexExpression) {
+  const bool c = Condition();
+  ASSERT_DEATH((c ? Func1(0) : object2.Method("test")),
+               "(Func1|Method) failed");
+}
+
+// Death assertions can be used any where in a function.  In
+// particular, they can be inside a loop.
+TEST(MyDeathTest, InsideLoop) {
+  // Verifies that Foo(0), Foo(1), ..., and Foo(4) all die.
+  for (int i = 0; i < 5; i++) {
+    EXPECT_DEATH_M(Foo(i), "Foo has \\d+ errors",
+                   ::testing::Message() << "where i is " << i);
+  }
+}
+
+// A death assertion can contain a compound statement.
+TEST(MyDeathTest, CompoundStatement) {
+  // Verifies that at lease one of Bar(0), Bar(1), ..., and
+  // Bar(4) dies.
+  ASSERT_DEATH({
+    for (int i = 0; i < 5; i++) {
+      Bar(i);
+    }
+  },
+  "Bar has \\d+ errors");
+}
+```
+
+gtest-death-test_test.cc contains more examples if you are interested.
+
+## I have a fixture class `FooTest`, but `TEST_F(FooTest, Bar)` gives me error ``"no matching function for call to `FooTest::FooTest()'"``. Why?
+
+Googletest needs to be able to create objects of your test fixture class, so it
+must have a default constructor. Normally the compiler will define one for you.
+However, there are cases where you have to define your own:
+
+*   If you explicitly declare a non-default constructor for class `FooTest`
+    (`DISALLOW_EVIL_CONSTRUCTORS()` does this), then you need to define a
+    default constructor, even if it would be empty.
+*   If `FooTest` has a const non-static data member, then you have to define the
+    default constructor *and* initialize the const member in the initializer
+    list of the constructor. (Early versions of `gcc` doesn't force you to
+    initialize the const member. It's a bug that has been fixed in `gcc 4`.)
+
+## Why does ASSERT_DEATH complain about previous threads that were already joined?
+
+With the Linux pthread library, there is no turning back once you cross the line
+from single thread to multiple threads. The first time you create a thread, a
+manager thread is created in addition, so you get 3, not 2, threads. Later when
+the thread you create joins the main thread, the thread count decrements by 1,
+but the manager thread will never be killed, so you still have 2 threads, which
+means you cannot safely run a death test.
+
+The new NPTL thread library doesn't suffer from this problem, as it doesn't
+create a manager thread. However, if you don't control which machine your test
+runs on, you shouldn't depend on this.
+
+## Why does googletest require the entire test case, instead of individual tests, to be named *DeathTest when it uses ASSERT_DEATH?
+
+googletest does not interleave tests from different test cases. That is, it runs
+all tests in one test case first, and then runs all tests in the next test case,
+and so on. googletest does this because it needs to set up a test case before
+the first test in it is run, and tear it down afterwords. Splitting up the test
+case would require multiple set-up and tear-down processes, which is inefficient
+and makes the semantics unclean.
+
+If we were to determine the order of tests based on test name instead of test
+case name, then we would have a problem with the following situation:
+
+```c++
+TEST_F(FooTest, AbcDeathTest) { ... }
+TEST_F(FooTest, Uvw) { ... }
+
+TEST_F(BarTest, DefDeathTest) { ... }
+TEST_F(BarTest, Xyz) { ... }
+```
+
+Since `FooTest.AbcDeathTest` needs to run before `BarTest.Xyz`, and we don't
+interleave tests from different test cases, we need to run all tests in the
+`FooTest` case before running any test in the `BarTest` case. This contradicts
+with the requirement to run `BarTest.DefDeathTest` before `FooTest.Uvw`.
+
+## But I don't like calling my entire test case \*DeathTest when it contains both death tests and non-death tests. What do I do?
+
+You don't have to, but if you like, you may split up the test case into
+`FooTest` and `FooDeathTest`, where the names make it clear that they are
+related:
+
+```c++
+class FooTest : public ::testing::Test { ... };
+
+TEST_F(FooTest, Abc) { ... }
+TEST_F(FooTest, Def) { ... }
+
+using FooDeathTest = FooTest;
+
+TEST_F(FooDeathTest, Uvw) { ... EXPECT_DEATH(...) ... }
+TEST_F(FooDeathTest, Xyz) { ... ASSERT_DEATH(...) ... }
+```
+
+## googletest prints the LOG messages in a death test's child process only when the test fails. How can I see the LOG messages when the death test succeeds?
+
+Printing the LOG messages generated by the statement inside `EXPECT_DEATH()`
+makes it harder to search for real problems in the parent's log. Therefore,
+googletest only prints them when the death test has failed.
+
+If you really need to see such LOG messages, a workaround is to temporarily
+break the death test (e.g. by changing the regex pattern it is expected to
+match). Admittedly, this is a hack. We'll consider a more permanent solution
+after the fork-and-exec-style death tests are implemented.
+
+## The compiler complains about "no match for 'operator<<'" when I use an assertion. What gives?
+
+If you use a user-defined type `FooType` in an assertion, you must make sure
+there is an `std::ostream& operator<<(std::ostream&, const FooType&)` function
+defined such that we can print a value of `FooType`.
+
+In addition, if `FooType` is declared in a name space, the `<<` operator also
+needs to be defined in the *same* name space. See go/totw/49 for details.
+
+## How do I suppress the memory leak messages on Windows?
+
+Since the statically initialized googletest singleton requires allocations on
+the heap, the Visual C++ memory leak detector will report memory leaks at the
+end of the program run. The easiest way to avoid this is to use the
+`_CrtMemCheckpoint` and `_CrtMemDumpAllObjectsSince` calls to not report any
+statically initialized heap objects. See MSDN for more details and additional
+heap check/debug routines.
+
+
+## How can my code detect if it is running in a test?
+
+If you write code that sniffs whether it's running in a test and does different
+things accordingly, you are leaking test-only logic into production code and
+there is no easy way to ensure that the test-only code paths aren't run by
+mistake in production. Such cleverness also leads to
+[Heisenbugs](https://en.wikipedia.org/wiki/Heisenbug). Therefore we strongly
+advise against the practice, and googletest doesn't provide a way to do it.
+
+In general, the recommended way to cause the code to behave differently under
+test is [Dependency Injection](https://en.wikipedia.org/wiki/Dependency_injection). You can inject
+different functionality from the test and from the production code. Since your
+production code doesn't link in the for-test logic at all (the
+[`testonly`](https://docs.bazel.build/versions/master/be/common-definitions.html#common.testonly)
+attribute for BUILD targets helps to ensure that), there is no danger in
+accidentally running it.
+
+However, if you *really*, *really*, *really* have no choice, and if you follow
+the rule of ending your test program names with `_test`, you can use the
+*horrible* hack of sniffing your executable name (`argv[0]` in `main()`) to know
+whether the code is under test.
+
+
+## How do I temporarily disable a test?
+
+If you have a broken test that you cannot fix right away, you can add the
+DISABLED_ prefix to its name. This will exclude it from execution. This is
+better than commenting out the code or using #if 0, as disabled tests are still
+compiled (and thus won't rot).
+
+To include disabled tests in test execution, just invoke the test program with
+the --gtest_also_run_disabled_tests flag.
+
+## Is it OK if I have two separate `TEST(Foo, Bar)` test methods defined in different namespaces?
+
+Yes.
+
+The rule is **all test methods in the same test case must use the same fixture
+class.** This means that the following is **allowed** because both tests use the
+same fixture class (`::testing::Test`).
+
+```c++
+namespace foo {
+TEST(CoolTest, DoSomething) {
+  SUCCEED();
+}
+}  // namespace foo
+
+namespace bar {
+TEST(CoolTest, DoSomething) {
+  SUCCEED();
+}
+}  // namespace bar
+```
+
+However, the following code is **not allowed** and will produce a runtime error
+from googletest because the test methods are using different test fixture
+classes with the same test case name.
+
+```c++
+namespace foo {
+class CoolTest : public ::testing::Test {};  // Fixture foo::CoolTest
+TEST_F(CoolTest, DoSomething) {
+  SUCCEED();
+}
+}  // namespace foo
+
+namespace bar {
+class CoolTest : public ::testing::Test {};  // Fixture: bar::CoolTest
+TEST_F(CoolTest, DoSomething) {
+  SUCCEED();
+}
+}  // namespace bar
+```
diff --git a/security/nss/gtests/google_test/gtest/docs/primer.md b/security/nss/gtests/google_test/gtest/docs/primer.md
new file mode 100644
index 0000000000..7a8ea8d717
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/primer.md
@@ -0,0 +1,569 @@
+# Googletest Primer
+
+
+## Introduction: Why googletest?
+
+*googletest* helps you write better C++ tests.
+
+googletest is a testing framework developed by the Testing
+Technology team with Google's specific
+requirements and constraints in mind. No matter whether you work on Linux,
+Windows, or a Mac, if you write C++ code, googletest can help you. And it
+supports *any* kind of tests, not just unit tests.
+
+So what makes a good test, and how does googletest fit in? We believe:
+
+1.  Tests should be *independent* and *repeatable*. It's a pain to debug a test
+    that succeeds or fails as a result of other tests. googletest isolates the
+    tests by running each of them on a different object. When a test fails,
+    googletest allows you to run it in isolation for quick debugging.
+1.  Tests should be well *organized* and reflect the structure of the tested
+    code. googletest groups related tests into test cases that can share data
+    and subroutines. This common pattern is easy to recognize and makes tests
+    easy to maintain. Such consistency is especially helpful when people switch
+    projects and start to work on a new code base.
+1.  Tests should be *portable* and *reusable*. Google has a lot of code that is
+    platform-neutral, its tests should also be platform-neutral. googletest
+    works on different OSes, with different compilers (gcc, icc, and MSVC), with
+    or without exceptions, so googletest tests can easily work with a variety of
+    configurations.
+1.  When tests fail, they should provide as much *information* about the problem
+    as possible. googletest doesn't stop at the first test failure. Instead, it
+    only stops the current test and continues with the next. You can also set up
+    tests that report non-fatal failures after which the current test continues.
+    Thus, you can detect and fix multiple bugs in a single run-edit-compile
+    cycle.
+1.  The testing framework should liberate test writers from housekeeping chores
+    and let them focus on the test *content*. googletest automatically keeps
+    track of all tests defined, and doesn't require the user to enumerate them
+    in order to run them.
+1.  Tests should be *fast*. With googletest, you can reuse shared resources
+    across tests and pay for the set-up/tear-down only once, without making
+    tests depend on each other.
+
+Since googletest is based on the popular xUnit architecture, you'll feel right
+at home if you've used JUnit or PyUnit before. If not, it will take you about 10
+minutes to learn the basics and get started. So let's go!
+
+## Beware of the nomenclature
+
+_Note:_ There might be some confusion of idea due to different
+definitions of the terms _Test_, _Test Case_ and _Test Suite_, so beware
+of misunderstanding these.
+
+Historically, googletest started to use the term _Test Case_ for grouping
+related tests, whereas current publications including the International Software
+Testing Qualifications Board ([ISTQB](http://www.istqb.org/)) and various
+textbooks on Software Quality use the term _[Test
+Suite](http://glossary.istqb.org/search/test%20suite)_ for this.
+
+The related term _Test_, as it is used in the googletest, is corresponding to
+the term _[Test Case](http://glossary.istqb.org/search/test%20case)_ of ISTQB
+and others.
+
+The term _Test_ is commonly of broad enough sense, including ISTQB's
+definition of _Test Case_, so it's not much of a problem here. But the
+term _Test Case_ as used in Google Test is of contradictory sense and thus confusing.
+
+Unfortunately replacing the term _Test Case_ by _Test Suite_ throughout the
+googletest is not easy without breaking dependent projects, as `TestCase` is
+part of the public API at various places.
+
+So for the time being, please be aware of the different definitions of
+the terms:
+
+Meaning                                                                              | googletest Term                                                                                            | [ISTQB](http://www.istqb.org/) Term
+:----------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------- | :----------------------------------
+Exercise a particular program path with specific input values and verify the results | [TEST()](#simple-tests)                                                                                    | [Test Case](http://glossary.istqb.org/search/test%20case)
+A set of several tests related to one component                                      | [TestCase](#basic-concepts) | [TestSuite](http://glossary.istqb.org/search/test%20suite)
+
+## Basic Concepts
+
+When using googletest, you start by writing *assertions*, which are statements
+that check whether a condition is true. An assertion's result can be *success*,
+*nonfatal failure*, or *fatal failure*. If a fatal failure occurs, it aborts the
+current function; otherwise the program continues normally.
+
+*Tests* use assertions to verify the tested code's behavior. If a test crashes
+or has a failed assertion, then it *fails*; otherwise it *succeeds*.
+
+A *test case* contains one or many tests. You should group your tests into test
+cases that reflect the structure of the tested code. When multiple tests in a
+test case need to share common objects and subroutines, you can put them into a
+*test fixture* class.
+
+A *test program* can contain multiple test cases.
+
+We'll now explain how to write a test program, starting at the individual
+assertion level and building up to tests and test cases.
+
+## Assertions
+
+googletest assertions are macros that resemble function calls. You test a class
+or function by making assertions about its behavior. When an assertion fails,
+googletest prints the assertion's source file and line number location, along
+with a failure message. You may also supply a custom failure message which will
+be appended to googletest's message.
+
+The assertions come in pairs that test the same thing but have different effects
+on the current function. `ASSERT_*` versions generate fatal failures when they
+fail, and **abort the current function**. `EXPECT_*` versions generate nonfatal
+failures, which don't abort the current function. Usually `EXPECT_*` are
+preferred, as they allow more than one failure to be reported in a test.
+However, you should use `ASSERT_*` if it doesn't make sense to continue when the
+assertion in question fails.
+
+Since a failed `ASSERT_*` returns from the current function immediately,
+possibly skipping clean-up code that comes after it, it may cause a space leak.
+Depending on the nature of the leak, it may or may not be worth fixing - so keep
+this in mind if you get a heap checker error in addition to assertion errors.
+
+To provide a custom failure message, simply stream it into the macro using the
+`<<` operator, or a sequence of such operators. An example:
+
+```c++
+ASSERT_EQ(x.size(), y.size()) << "Vectors x and y are of unequal length";
+
+for (int i = 0; i < x.size(); ++i) {
+  EXPECT_EQ(x[i], y[i]) << "Vectors x and y differ at index " << i;
+}
+```
+
+Anything that can be streamed to an `ostream` can be streamed to an assertion
+macro--in particular, C strings and `string` objects. If a wide string
+(`wchar_t*`, `TCHAR*` in `UNICODE` mode on Windows, or `std::wstring`) is
+streamed to an assertion, it will be translated to UTF-8 when printed.
+
+### Basic Assertions
+
+These assertions do basic true/false condition testing.
+
+Fatal assertion            | Nonfatal assertion         | Verifies
+-------------------------- | -------------------------- | --------------------
+`ASSERT_TRUE(condition);`  | `EXPECT_TRUE(condition);`  | `condition` is true
+`ASSERT_FALSE(condition);` | `EXPECT_FALSE(condition);` | `condition` is false
+
+Remember, when they fail, `ASSERT_*` yields a fatal failure and returns from the
+current function, while `EXPECT_*` yields a nonfatal failure, allowing the
+function to continue running. In either case, an assertion failure means its
+containing test fails.
+
+**Availability**: Linux, Windows, Mac.
+
+### Binary Comparison
+
+This section describes assertions that compare two values.
+
+Fatal assertion          | Nonfatal assertion       | Verifies
+------------------------ | ------------------------ | --------------
+`ASSERT_EQ(val1, val2);` | `EXPECT_EQ(val1, val2);` | `val1 == val2`
+`ASSERT_NE(val1, val2);` | `EXPECT_NE(val1, val2);` | `val1 != val2`
+`ASSERT_LT(val1, val2);` | `EXPECT_LT(val1, val2);` | `val1 < val2`
+`ASSERT_LE(val1, val2);` | `EXPECT_LE(val1, val2);` | `val1 <= val2`
+`ASSERT_GT(val1, val2);` | `EXPECT_GT(val1, val2);` | `val1 > val2`
+`ASSERT_GE(val1, val2);` | `EXPECT_GE(val1, val2);` | `val1 >= val2`
+
+Value arguments must be comparable by the assertion's comparison operator or
+you'll get a compiler error. We used to require the arguments to support the
+`<<` operator for streaming to an `ostream`, but it's no longer necessary. If
+`<<` is supported, it will be called to print the arguments when the assertion
+fails; otherwise googletest will attempt to print them in the best way it can.
+For more details and how to customize the printing of the arguments, see
+gMock [recipe](../../googlemock/docs/CookBook.md#teaching-google-mock-how-to-print-your-values).).
+
+These assertions can work with a user-defined type, but only if you define the
+corresponding comparison operator (e.g. `==`, `<`, etc). Since this is
+discouraged by the Google [C++ Style
+Guide](https://google.github.io/styleguide/cppguide.html#Operator_Overloading),
+you may need to use `ASSERT_TRUE()` or `EXPECT_TRUE()` to assert the equality of
+two objects of a user-defined type.
+
+However, when possible, `ASSERT_EQ(actual, expected)` is preferred to
+`ASSERT_TRUE(actual == expected)`, since it tells you `actual` and `expected`'s
+values on failure.
+
+Arguments are always evaluated exactly once. Therefore, it's OK for the
+arguments to have side effects. However, as with any ordinary C/C++ function,
+the arguments' evaluation order is undefined (i.e. the compiler is free to
+choose any order) and your code should not depend on any particular argument
+evaluation order.
+
+`ASSERT_EQ()` does pointer equality on pointers. If used on two C strings, it
+tests if they are in the same memory location, not if they have the same value.
+Therefore, if you want to compare C strings (e.g. `const char*`) by value, use
+`ASSERT_STREQ()`, which will be described later on. In particular, to assert
+that a C string is `NULL`, use `ASSERT_STREQ(c_string, NULL)`. Consider use
+`ASSERT_EQ(c_string, nullptr)` if c++11 is supported. To compare two `string`
+objects, you should use `ASSERT_EQ`.
+
+When doing pointer comparisons use `*_EQ(ptr, nullptr)` and `*_NE(ptr, nullptr)`
+instead of `*_EQ(ptr, NULL)` and `*_NE(ptr, NULL)`. This is because `nullptr` is
+typed while `NULL` is not. See [FAQ](faq.md#why-does-google-test-support-expect_eqnull-ptr-and-assert_eqnull-ptr-but-not-expect_nenull-ptr-and-assert_nenull-ptr)
+for more details.
+
+If you're working with floating point numbers, you may want to use the floating
+point variations of some of these macros in order to avoid problems caused by
+rounding. See [Advanced googletest Topics](advanced.md) for details.
+
+Macros in this section work with both narrow and wide string objects (`string`
+and `wstring`).
+
+**Availability**: Linux, Windows, Mac.
+
+**Historical note**: Before February 2016 `*_EQ` had a convention of calling it
+as `ASSERT_EQ(expected, actual)`, so lots of existing code uses this order. Now
+`*_EQ` treats both parameters in the same way.
+
+### String Comparison
+
+The assertions in this group compare two **C strings**. If you want to compare
+two `string` objects, use `EXPECT_EQ`, `EXPECT_NE`, and etc instead.
+
+| Fatal assertion                 | Nonfatal assertion              | Verifies                                                 |
+| ------------------------------- | ------------------------------- | -------------------------------------------------------- |
+| `ASSERT_STREQ(str1, str2);`     | `EXPECT_STREQ(str1, str2);`     | the two C strings have the same content                  |
+| `ASSERT_STRNE(str1, str2);`     | `EXPECT_STRNE(str1, str2);`     | the two C strings have different contents                |
+| `ASSERT_STRCASEEQ(str1, str2);` | `EXPECT_STRCASEEQ(str1, str2);` | the two C strings have the same content, ignoring case   |
+| `ASSERT_STRCASENE(str1, str2);` | `EXPECT_STRCASENE(str1, str2);` | the two C strings have different contents, ignoring case |
+
+Note that "CASE" in an assertion name means that case is ignored. A `NULL`
+pointer and an empty string are considered *different*.
+
+`*STREQ*` and `*STRNE*` also accept wide C strings (`wchar_t*`). If a comparison
+of two wide strings fails, their values will be printed as UTF-8 narrow strings.
+
+**Availability**: Linux, Windows, Mac.
+
+**See also**: For more string comparison tricks (substring, prefix, suffix, and
+regular expression matching, for example), see
+[this](https://github.com/google/googletest/blob/master/googletest/docs/advanced.md)
+in the Advanced googletest Guide.
+
+## Simple Tests
+
+To create a test:
+
+1.  Use the `TEST()` macro to define and name a test function, These are
+    ordinary C++ functions that don't return a value.
+1.  In this function, along with any valid C++ statements you want to include,
+    use the various googletest assertions to check values.
+1.  The test's result is determined by the assertions; if any assertion in the
+    test fails (either fatally or non-fatally), or if the test crashes, the
+    entire test fails. Otherwise, it succeeds.
+
+```c++
+TEST(TestCaseName, TestName) {
+  ... test body ...
+}
+```
+
+`TEST()` arguments go from general to specific. The *first* argument is the name
+of the test case, and the *second* argument is the test's name within the test
+case. Both names must be valid C++ identifiers, and they should not contain
+underscore (`_`). A test's *full name* consists of its containing test case and
+its individual name. Tests from different test cases can have the same
+individual name.
+
+For example, let's take a simple integer function:
+
+```c++
+int Factorial(int n);  // Returns the factorial of n
+```
+
+A test case for this function might look like:
+
+```c++
+// Tests factorial of 0.
+TEST(FactorialTest, HandlesZeroInput) {
+  EXPECT_EQ(Factorial(0), 1);
+}
+
+// Tests factorial of positive numbers.
+TEST(FactorialTest, HandlesPositiveInput) {
+  EXPECT_EQ(Factorial(1), 1);
+  EXPECT_EQ(Factorial(2), 2);
+  EXPECT_EQ(Factorial(3), 6);
+  EXPECT_EQ(Factorial(8), 40320);
+}
+```
+
+googletest groups the test results by test cases, so logically-related tests
+should be in the same test case; in other words, the first argument to their
+`TEST()` should be the same. In the above example, we have two tests,
+`HandlesZeroInput` and `HandlesPositiveInput`, that belong to the same test case
+`FactorialTest`.
+
+When naming your test cases and tests, you should follow the same convention as
+for [naming functions and
+classes](https://google.github.io/styleguide/cppguide.html#Function_Names).
+
+**Availability**: Linux, Windows, Mac.
+
+## Test Fixtures: Using the Same Data Configuration for Multiple Tests
+
+If you find yourself writing two or more tests that operate on similar data, you
+can use a *test fixture*. It allows you to reuse the same configuration of
+objects for several different tests.
+
+To create a fixture:
+
+1.  Derive a class from `::testing::Test` . Start its body with `protected:` as
+    we'll want to access fixture members from sub-classes.
+1.  Inside the class, declare any objects you plan to use.
+1.  If necessary, write a default constructor or `SetUp()` function to prepare
+    the objects for each test. A common mistake is to spell `SetUp()` as
+    **`Setup()`** with a small `u` - Use `override` in C++11 to make sure you
+    spelled it correctly
+1.  If necessary, write a destructor or `TearDown()` function to release any
+    resources you allocated in `SetUp()` . To learn when you should use the
+    constructor/destructor and when you should use `SetUp()/TearDown()`, read
+    this [FAQ](faq.md#should-i-use-the-constructordestructor-of-the-test-fixture-or-setupteardown) entry.
+1.  If needed, define subroutines for your tests to share.
+
+When using a fixture, use `TEST_F()` instead of `TEST()` as it allows you to
+access objects and subroutines in the test fixture:
+
+```c++
+TEST_F(TestCaseName, TestName) {
+  ... test body ...
+}
+```
+
+Like `TEST()`, the first argument is the test case name, but for `TEST_F()` this
+must be the name of the test fixture class. You've probably guessed: `_F` is for
+fixture.
+
+Unfortunately, the C++ macro system does not allow us to create a single macro
+that can handle both types of tests. Using the wrong macro causes a compiler
+error.
+
+Also, you must first define a test fixture class before using it in a
+`TEST_F()`, or you'll get the compiler error "`virtual outside class
+declaration`".
+
+For each test defined with `TEST_F()` , googletest will create a *fresh* test
+fixture at runtime, immediately initialize it via `SetUp()` , run the test,
+clean up by calling `TearDown()` , and then delete the test fixture. Note that
+different tests in the same test case have different test fixture objects, and
+googletest always deletes a test fixture before it creates the next one.
+googletest does **not** reuse the same test fixture for multiple tests. Any
+changes one test makes to the fixture do not affect other tests.
+
+As an example, let's write tests for a FIFO queue class named `Queue`, which has
+the following interface:
+
+```c++
+template <typename E>  // E is the element type.
+class Queue {
+ public:
+  Queue();
+  void Enqueue(const E& element);
+  E* Dequeue();  // Returns NULL if the queue is empty.
+  size_t size() const;
+  ...
+};
+```
+
+First, define a fixture class. By convention, you should give it the name
+`FooTest` where `Foo` is the class being tested.
+
+```c++
+class QueueTest : public ::testing::Test {
+ protected:
+  void SetUp() override {
+     q1_.Enqueue(1);
+     q2_.Enqueue(2);
+     q2_.Enqueue(3);
+  }
+
+  // void TearDown() override {}
+
+  Queue<int> q0_;
+  Queue<int> q1_;
+  Queue<int> q2_;
+};
+```
+
+In this case, `TearDown()` is not needed since we don't have to clean up after
+each test, other than what's already done by the destructor.
+
+Now we'll write tests using `TEST_F()` and this fixture.
+
+```c++
+TEST_F(QueueTest, IsEmptyInitially) {
+  EXPECT_EQ(q0_.size(), 0);
+}
+
+TEST_F(QueueTest, DequeueWorks) {
+  int* n = q0_.Dequeue();
+  EXPECT_EQ(n, nullptr);
+
+  n = q1_.Dequeue();
+  ASSERT_NE(n, nullptr);
+  EXPECT_EQ(*n, 1);
+  EXPECT_EQ(q1_.size(), 0);
+  delete n;
+
+  n = q2_.Dequeue();
+  ASSERT_NE(n, nullptr);
+  EXPECT_EQ(*n, 2);
+  EXPECT_EQ(q2_.size(), 1);
+  delete n;
+}
+```
+
+The above uses both `ASSERT_*` and `EXPECT_*` assertions. The rule of thumb is
+to use `EXPECT_*` when you want the test to continue to reveal more errors after
+the assertion failure, and use `ASSERT_*` when continuing after failure doesn't
+make sense. For example, the second assertion in the `Dequeue` test is
+=ASSERT_NE(nullptr, n)=, as we need to dereference the pointer `n` later, which
+would lead to a segfault when `n` is `NULL`.
+
+When these tests run, the following happens:
+
+1.  googletest constructs a `QueueTest` object (let's call it `t1` ).
+1.  `t1.SetUp()` initializes `t1` .
+1.  The first test ( `IsEmptyInitially` ) runs on `t1` .
+1.  `t1.TearDown()` cleans up after the test finishes.
+1.  `t1` is destructed.
+1.  The above steps are repeated on another `QueueTest` object, this time
+    running the `DequeueWorks` test.
+
+**Availability**: Linux, Windows, Mac.
+
+
+## Invoking the Tests
+
+`TEST()` and `TEST_F()` implicitly register their tests with googletest. So,
+unlike with many other C++ testing frameworks, you don't have to re-list all
+your defined tests in order to run them.
+
+After defining your tests, you can run them with `RUN_ALL_TESTS()` , which
+returns `0` if all the tests are successful, or `1` otherwise. Note that
+`RUN_ALL_TESTS()` runs *all tests* in your link unit -- they can be from
+different test cases, or even different source files.
+
+When invoked, the `RUN_ALL_TESTS()` macro:
+
+1. Saves the state of all googletest flags
+
+*   Creates a test fixture object for the first test.
+
+*   Initializes it via `SetUp()`.
+
+*   Runs the test on the fixture object.
+
+*   Cleans up the fixture via `TearDown()`.
+
+*   Deletes the fixture.
+
+* Restores the state of all googletest flags
+
+*   Repeats the above steps for the next test, until all tests have run.
+
+If a fatal failure happens the subsequent steps will be skipped.
+
+> IMPORTANT: You must **not** ignore the return value of `RUN_ALL_TESTS()`, or
+> you will get a compiler error. The rationale for this design is that the
+> automated testing service determines whether a test has passed based on its
+> exit code, not on its stdout/stderr output; thus your `main()` function must
+> return the value of `RUN_ALL_TESTS()`.
+>
+> Also, you should call `RUN_ALL_TESTS()` only **once**. Calling it more than
+> once conflicts with some advanced googletest features (e.g. thread-safe [death
+> tests](advanced#death-tests)) and thus is not supported.
+
+**Availability**: Linux, Windows, Mac.
+
+## Writing the main() Function
+
+In `google3`, the simplest approach is to use the default main() function
+provided by linking in `"//testing/base/public:gtest_main"`. If that doesn't
+cover what you need, you should write your own main() function, which should
+return the value of `RUN_ALL_TESTS()`. Link to `"//testing/base/public:gunit"`.
+You can start from this boilerplate:
+
+```c++
+#include "this/package/foo.h"
+#include "gtest/gtest.h"
+
+namespace {
+
+// The fixture for testing class Foo.
+class FooTest : public ::testing::Test {
+ protected:
+  // You can remove any or all of the following functions if its body
+  // is empty.
+
+  FooTest() {
+     // You can do set-up work for each test here.
+  }
+
+  ~FooTest() override {
+     // You can do clean-up work that doesn't throw exceptions here.
+  }
+
+  // If the constructor and destructor are not enough for setting up
+  // and cleaning up each test, you can define the following methods:
+
+  void SetUp() override {
+     // Code here will be called immediately after the constructor (right
+     // before each test).
+  }
+
+  void TearDown() override {
+     // Code here will be called immediately after each test (right
+     // before the destructor).
+  }
+
+  // Objects declared here can be used by all tests in the test case for Foo.
+};
+
+// Tests that the Foo::Bar() method does Abc.
+TEST_F(FooTest, MethodBarDoesAbc) {
+  const std::string input_filepath = "this/package/testdata/myinputfile.dat";
+  const std::string output_filepath = "this/package/testdata/myoutputfile.dat";
+  Foo f;
+  EXPECT_EQ(f.Bar(input_filepath, output_filepath), 0);
+}
+
+// Tests that Foo does Xyz.
+TEST_F(FooTest, DoesXyz) {
+  // Exercises the Xyz feature of Foo.
+}
+
+}  // namespace
+
+int main(int argc, char **argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  return RUN_ALL_TESTS();
+}
+```
+
+
+The `::testing::InitGoogleTest()` function parses the command line for
+googletest flags, and removes all recognized flags. This allows the user to
+control a test program's behavior via various flags, which we'll cover in
+[AdvancedGuide](advanced.md). You **must** call this function before calling
+`RUN_ALL_TESTS()`, or the flags won't be properly initialized.
+
+On Windows, `InitGoogleTest()` also works with wide strings, so it can be used
+in programs compiled in `UNICODE` mode as well.
+
+But maybe you think that writing all those main() functions is too much work? We
+agree with you completely and that's why Google Test provides a basic
+implementation of main(). If it fits your needs, then just link your test with
+gtest\_main library and you are good to go.
+
+NOTE: `ParseGUnitFlags()` is deprecated in favor of `InitGoogleTest()`.
+
+
+## Known Limitations
+
+*   Google Test is designed to be thread-safe. The implementation is thread-safe
+    on systems where the `pthreads` library is available. It is currently
+    _unsafe_ to use Google Test assertions from two threads concurrently on
+    other systems (e.g. Windows). In most tests this is not an issue as usually
+    the assertions are done in the main thread. If you want to help, you can
+    volunteer to implement the necessary synchronization primitives in
+    `gtest-port.h` for your platform.
diff --git a/security/nss/gtests/google_test/gtest/docs/samples.md b/security/nss/gtests/google_test/gtest/docs/samples.md
new file mode 100644
index 0000000000..18dcca3814
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/docs/samples.md
@@ -0,0 +1,22 @@
+# Googletest Samples {#samples}
+
+If you're like us, you'd like to look at [googletest
+samples.](https://github.com/google/googletest/tree/master/googletest/samples)
+The sample directory has a number of well-commented samples showing how to use a
+variety of googletest features.
+
+*   Sample #1 shows the basic steps of using googletest to test C++ functions.
+*   Sample #2 shows a more complex unit test for a class with multiple member
+    functions.
+*   Sample #3 uses a test fixture.
+*   Sample #4 teaches you how to use googletest and `googletest.h` together to
+    get the best of both libraries.
+*   Sample #5 puts shared testing logic in a base test fixture, and reuses it in
+    derived fixtures.
+*   Sample #6 demonstrates type-parameterized tests.
+*   Sample #7 teaches the basics of value-parameterized tests.
+*   Sample #8 shows using `Combine()` in value-parameterized tests.
+*   Sample #9 shows use of the listener API to modify Google Test's console
+    output and the use of its reflection API to inspect test results.
+*   Sample #10 shows use of the listener API to implement a primitive memory
+    leak checker.
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-death-test.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-death-test.h
index 957a69c6a9..20c54d8695 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-death-test.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-death-test.h
@@ -26,14 +26,14 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file defines the public API for death tests.  It is
 // #included by gtest.h so a user doesn't need to include this
 // directly.
+// GOOGLETEST_CM0001 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_GTEST_DEATH_TEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_DEATH_TEST_H_
@@ -99,10 +99,11 @@ GTEST_API_ bool InDeathTestChild();
 //
 // On the regular expressions used in death tests:
 //
+//   GOOGLETEST_CM0005 DO NOT DELETE
 //   On POSIX-compliant systems (*nix), we use the <regex.h> library,
 //   which uses the POSIX extended regex syntax.
 //
-//   On other platforms (e.g. Windows), we only support a simple regex
+//   On other platforms (e.g. Windows or Mac), we only support a simple regex
 //   syntax implemented as part of Google Test.  This limited
 //   implementation should be enough most of the time when writing
 //   death tests; though it lacks many features you can find in PCRE
@@ -160,7 +161,7 @@ GTEST_API_ bool InDeathTestChild();
 //   is rarely a problem as people usually don't put the test binary
 //   directory in PATH.
 //
-// TODO(wan@google.com): make thread-safe death tests search the PATH.
+// FIXME: make thread-safe death tests search the PATH.
 
 // Asserts that a given statement causes the program to exit, with an
 // integer exit status that satisfies predicate, and emitting error output
@@ -198,9 +199,10 @@ class GTEST_API_ ExitedWithCode {
   const int exit_code_;
 };
 
-# if !GTEST_OS_WINDOWS
+# if !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 // Tests that an exit code describes an exit due to termination by a
 // given signal.
+// GOOGLETEST_CM0006 DO NOT DELETE
 class GTEST_API_ KilledBySignal {
  public:
   explicit KilledBySignal(int signum);
@@ -272,6 +274,54 @@ class GTEST_API_ KilledBySignal {
 # endif  // NDEBUG for EXPECT_DEBUG_DEATH
 #endif  // GTEST_HAS_DEATH_TEST
 
+// This macro is used for implementing macros such as
+// EXPECT_DEATH_IF_SUPPORTED and ASSERT_DEATH_IF_SUPPORTED on systems where
+// death tests are not supported. Those macros must compile on such systems
+// iff EXPECT_DEATH and ASSERT_DEATH compile with the same parameters on
+// systems that support death tests. This allows one to write such a macro
+// on a system that does not support death tests and be sure that it will
+// compile on a death-test supporting system. It is exposed publicly so that
+// systems that have death-tests with stricter requirements than
+// GTEST_HAS_DEATH_TEST can write their own equivalent of
+// EXPECT_DEATH_IF_SUPPORTED and ASSERT_DEATH_IF_SUPPORTED.
+//
+// Parameters:
+//   statement -  A statement that a macro such as EXPECT_DEATH would test
+//                for program termination. This macro has to make sure this
+//                statement is compiled but not executed, to ensure that
+//                EXPECT_DEATH_IF_SUPPORTED compiles with a certain
+//                parameter iff EXPECT_DEATH compiles with it.
+//   regex     -  A regex that a macro such as EXPECT_DEATH would use to test
+//                the output of statement.  This parameter has to be
+//                compiled but not evaluated by this macro, to ensure that
+//                this macro only accepts expressions that a macro such as
+//                EXPECT_DEATH would accept.
+//   terminator - Must be an empty statement for EXPECT_DEATH_IF_SUPPORTED
+//                and a return statement for ASSERT_DEATH_IF_SUPPORTED.
+//                This ensures that ASSERT_DEATH_IF_SUPPORTED will not
+//                compile inside functions where ASSERT_DEATH doesn't
+//                compile.
+//
+//  The branch that has an always false condition is used to ensure that
+//  statement and regex are compiled (and thus syntactically correct) but
+//  never executed. The unreachable code macro protects the terminator
+//  statement from generating an 'unreachable code' warning in case
+//  statement unconditionally returns or throws. The Message constructor at
+//  the end allows the syntax of streaming additional messages into the
+//  macro, for compilational compatibility with EXPECT_DEATH/ASSERT_DEATH.
+# define GTEST_UNSUPPORTED_DEATH_TEST(statement, regex, terminator) \
+    GTEST_AMBIGUOUS_ELSE_BLOCKER_ \
+    if (::testing::internal::AlwaysTrue()) { \
+      GTEST_LOG_(WARNING) \
+          << "Death tests are not supported on this platform.\n" \
+          << "Statement '" #statement "' cannot be verified."; \
+    } else if (::testing::internal::AlwaysFalse()) { \
+      ::testing::internal::RE::PartialMatch(".*", (regex)); \
+      GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement); \
+      terminator; \
+    } else \
+      ::testing::Message()
+
 // EXPECT_DEATH_IF_SUPPORTED(statement, regex) and
 // ASSERT_DEATH_IF_SUPPORTED(statement, regex) expand to real death tests if
 // death tests are supported; otherwise they just issue a warning.  This is
@@ -284,9 +334,9 @@ class GTEST_API_ KilledBySignal {
     ASSERT_DEATH(statement, regex)
 #else
 # define EXPECT_DEATH_IF_SUPPORTED(statement, regex) \
-    GTEST_UNSUPPORTED_DEATH_TEST_(statement, regex, )
+    GTEST_UNSUPPORTED_DEATH_TEST(statement, regex, )
 # define ASSERT_DEATH_IF_SUPPORTED(statement, regex) \
-    GTEST_UNSUPPORTED_DEATH_TEST_(statement, regex, return)
+    GTEST_UNSUPPORTED_DEATH_TEST(statement, regex, return)
 #endif
 
 }  // namespace testing
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-message.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-message.h
index fe879bca79..5ca041614c 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-message.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-message.h
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file defines the Message class.
 //
@@ -43,6 +42,8 @@
 // to CHANGE WITHOUT NOTICE.  Therefore DO NOT DEPEND ON IT in a user
 // program!
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_MESSAGE_H_
 #define GTEST_INCLUDE_GTEST_GTEST_MESSAGE_H_
 
@@ -50,6 +51,9 @@
 
 #include "gtest/internal/gtest-port.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 // Ensures that there is at least one operator<< in the global namespace.
 // See Message& operator<<(...) below for why.
 void operator<<(const testing::internal::Secret&, int);
@@ -196,7 +200,6 @@ class GTEST_API_ Message {
   std::string GetString() const;
 
  private:
-
 #if GTEST_OS_SYMBIAN
   // These are needed as the Nokia Symbian Compiler cannot decide between
   // const T& and const T* in a function template. The Nokia compiler _can_
@@ -247,4 +250,6 @@ std::string StreamableToString(const T& streamable) {
 }  // namespace internal
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_MESSAGE_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h
index d6702c8f16..3e95e4390e 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h
@@ -31,13 +31,12 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: vladl@google.com (Vlad Losev)
-//
 // Macros and functions for implementing parameterized tests
-// in Google C++ Testing Framework (Google Test)
+// in Google C++ Testing and Mocking Framework (Google Test)
 //
 // This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
 //
+// GOOGLETEST_CM0001 DO NOT DELETE
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
 
@@ -79,7 +78,7 @@ TEST_P(FooTest, HasBlahBlah) {
 // Finally, you can use INSTANTIATE_TEST_CASE_P to instantiate the test
 // case with any set of parameters you want. Google Test defines a number
 // of functions for generating test parameters. They return what we call
-// (surprise!) parameter generators. Here is a  summary of them, which
+// (surprise!) parameter generators. Here is a summary of them, which
 // are all in the testing namespace:
 //
 //
@@ -185,15 +184,10 @@ TEST_P(DerivedTest, DoesBlah) {
 # include <utility>
 #endif
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-param-util.h"
 #include "gtest/internal/gtest-param-util-generated.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
 
 // Functions producing parameter generators.
@@ -273,7 +267,7 @@ internal::ParamGenerator<T> Range(T start, T end) {
 // each with C-string values of "foo", "bar", and "baz":
 //
 // const char* strings[] = {"foo", "bar", "baz"};
-// INSTANTIATE_TEST_CASE_P(StringSequence, SrtingTest, ValuesIn(strings));
+// INSTANTIATE_TEST_CASE_P(StringSequence, StringTest, ValuesIn(strings));
 //
 // This instantiates tests from test case StlStringTest
 // each with STL strings with values "a" and "b":
@@ -1375,8 +1369,6 @@ internal::CartesianProductHolder10<Generator1, Generator2, Generator3,
 }
 # endif  // GTEST_HAS_COMBINE
 
-
-
 # define TEST_P(test_case_name, test_name) \
   class GTEST_TEST_CLASS_NAME_(test_case_name, test_name) \
       : public test_case_name { \
@@ -1387,14 +1379,17 @@ internal::CartesianProductHolder10<Generator1, Generator2, Generator3,
     static int AddToRegistry() { \
       ::testing::UnitTest::GetInstance()->parameterized_test_registry(). \
           GetTestCasePatternHolder<test_case_name>(\
-              #test_case_name, __FILE__, __LINE__)->AddTestPattern(\
-                  #test_case_name, \
-                  #test_name, \
-                  new ::testing::internal::TestMetaFactory< \
-                      GTEST_TEST_CLASS_NAME_(test_case_name, test_name)>()); \
+              #test_case_name, \
+              ::testing::internal::CodeLocation(\
+                  __FILE__, __LINE__))->AddTestPattern(\
+                      GTEST_STRINGIFY_(test_case_name), \
+                      GTEST_STRINGIFY_(test_name), \
+                      new ::testing::internal::TestMetaFactory< \
+                          GTEST_TEST_CLASS_NAME_(\
+                              test_case_name, test_name)>()); \
       return 0; \
     } \
-    static int gtest_registering_dummy_; \
+    static int gtest_registering_dummy_ GTEST_ATTRIBUTE_UNUSED_; \
     GTEST_DISALLOW_COPY_AND_ASSIGN_(\
         GTEST_TEST_CLASS_NAME_(test_case_name, test_name)); \
   }; \
@@ -1403,19 +1398,37 @@ internal::CartesianProductHolder10<Generator1, Generator2, Generator3,
       GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::AddToRegistry(); \
   void GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::TestBody()
 
-# define INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
-  ::testing::internal::ParamGenerator<test_case_name::ParamType> \
+// The optional last argument to INSTANTIATE_TEST_CASE_P allows the user
+// to specify a function or functor that generates custom test name suffixes
+// based on the test parameters. The function should accept one argument of
+// type testing::TestParamInfo<class ParamType>, and return std::string.
+//
+// testing::PrintToStringParamName is a builtin test suffix generator that
+// returns the value of testing::PrintToString(GetParam()).
+//
+// Note: test names must be non-empty, unique, and may only contain ASCII
+// alphanumeric characters or underscore. Because PrintToString adds quotes
+// to std::string and C strings, it won't work for these types.
+
+# define INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator, ...) \
+  static ::testing::internal::ParamGenerator<test_case_name::ParamType> \
       gtest_##prefix##test_case_name##_EvalGenerator_() { return generator; } \
-  int gtest_##prefix##test_case_name##_dummy_ = \
+  static ::std::string gtest_##prefix##test_case_name##_EvalGenerateName_( \
+      const ::testing::TestParamInfo<test_case_name::ParamType>& info) { \
+    return ::testing::internal::GetParamNameGen<test_case_name::ParamType> \
+        (__VA_ARGS__)(info); \
+  } \
+  static int gtest_##prefix##test_case_name##_dummy_ GTEST_ATTRIBUTE_UNUSED_ = \
       ::testing::UnitTest::GetInstance()->parameterized_test_registry(). \
           GetTestCasePatternHolder<test_case_name>(\
-              #test_case_name, __FILE__, __LINE__)->AddTestCaseInstantiation(\
-                  #prefix, \
-                  &gtest_##prefix##test_case_name##_EvalGenerator_, \
-                  __FILE__, __LINE__)
+              #test_case_name, \
+              ::testing::internal::CodeLocation(\
+                  __FILE__, __LINE__))->AddTestCaseInstantiation(\
+                      #prefix, \
+                      &gtest_##prefix##test_case_name##_EvalGenerator_, \
+                      &gtest_##prefix##test_case_name##_EvalGenerateName_, \
+                      __FILE__, __LINE__)
 
 }  // namespace testing
 
-#endif  // GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h.pump b/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h.pump
index 2dc9303b5e..274f2b3b56 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h.pump
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-param-test.h.pump
@@ -30,13 +30,12 @@ $var maxtuple = 10  $$ Maximum number of Combine arguments we want to support.
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: vladl@google.com (Vlad Losev)
-//
 // Macros and functions for implementing parameterized tests
-// in Google C++ Testing Framework (Google Test)
+// in Google C++ Testing and Mocking Framework (Google Test)
 //
 // This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
 //
+// GOOGLETEST_CM0001 DO NOT DELETE
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
 
@@ -78,7 +77,7 @@ TEST_P(FooTest, HasBlahBlah) {
 // Finally, you can use INSTANTIATE_TEST_CASE_P to instantiate the test
 // case with any set of parameters you want. Google Test defines a number
 // of functions for generating test parameters. They return what we call
-// (surprise!) parameter generators. Here is a  summary of them, which
+// (surprise!) parameter generators. Here is a summary of them, which
 // are all in the testing namespace:
 //
 //
@@ -184,15 +183,10 @@ TEST_P(DerivedTest, DoesBlah) {
 # include <utility>
 #endif
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-param-util.h"
 #include "gtest/internal/gtest-param-util-generated.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
 
 // Functions producing parameter generators.
@@ -272,7 +266,7 @@ internal::ParamGenerator<T> Range(T start, T end) {
 // each with C-string values of "foo", "bar", and "baz":
 //
 // const char* strings[] = {"foo", "bar", "baz"};
-// INSTANTIATE_TEST_CASE_P(StringSequence, SrtingTest, ValuesIn(strings));
+// INSTANTIATE_TEST_CASE_P(StringSequence, StringTest, ValuesIn(strings));
 //
 // This instantiates tests from test case StlStringTest
 // each with STL strings with values "a" and "b":
@@ -441,8 +435,6 @@ internal::CartesianProductHolder$i<$for j, [[Generator$j]]> Combine(
 ]]
 # endif  // GTEST_HAS_COMBINE
 
-
-
 # define TEST_P(test_case_name, test_name) \
   class GTEST_TEST_CLASS_NAME_(test_case_name, test_name) \
       : public test_case_name { \
@@ -453,14 +445,17 @@ internal::CartesianProductHolder$i<$for j, [[Generator$j]]> Combine(
     static int AddToRegistry() { \
       ::testing::UnitTest::GetInstance()->parameterized_test_registry(). \
           GetTestCasePatternHolder<test_case_name>(\
-              #test_case_name, __FILE__, __LINE__)->AddTestPattern(\
-                  #test_case_name, \
-                  #test_name, \
-                  new ::testing::internal::TestMetaFactory< \
-                      GTEST_TEST_CLASS_NAME_(test_case_name, test_name)>()); \
+              #test_case_name, \
+              ::testing::internal::CodeLocation(\
+                  __FILE__, __LINE__))->AddTestPattern(\
+                      GTEST_STRINGIFY_(test_case_name), \
+                      GTEST_STRINGIFY_(test_name), \
+                      new ::testing::internal::TestMetaFactory< \
+                          GTEST_TEST_CLASS_NAME_(\
+                              test_case_name, test_name)>()); \
       return 0; \
     } \
-    static int gtest_registering_dummy_; \
+    static int gtest_registering_dummy_ GTEST_ATTRIBUTE_UNUSED_; \
     GTEST_DISALLOW_COPY_AND_ASSIGN_(\
         GTEST_TEST_CLASS_NAME_(test_case_name, test_name)); \
   }; \
@@ -469,19 +464,37 @@ internal::CartesianProductHolder$i<$for j, [[Generator$j]]> Combine(
       GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::AddToRegistry(); \
   void GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::TestBody()
 
-# define INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator) \
-  ::testing::internal::ParamGenerator<test_case_name::ParamType> \
+// The optional last argument to INSTANTIATE_TEST_CASE_P allows the user
+// to specify a function or functor that generates custom test name suffixes
+// based on the test parameters. The function should accept one argument of
+// type testing::TestParamInfo<class ParamType>, and return std::string.
+//
+// testing::PrintToStringParamName is a builtin test suffix generator that
+// returns the value of testing::PrintToString(GetParam()).
+//
+// Note: test names must be non-empty, unique, and may only contain ASCII
+// alphanumeric characters or underscore. Because PrintToString adds quotes
+// to std::string and C strings, it won't work for these types.
+
+# define INSTANTIATE_TEST_CASE_P(prefix, test_case_name, generator, ...) \
+  static ::testing::internal::ParamGenerator<test_case_name::ParamType> \
       gtest_##prefix##test_case_name##_EvalGenerator_() { return generator; } \
-  int gtest_##prefix##test_case_name##_dummy_ = \
+  static ::std::string gtest_##prefix##test_case_name##_EvalGenerateName_( \
+      const ::testing::TestParamInfo<test_case_name::ParamType>& info) { \
+    return ::testing::internal::GetParamNameGen<test_case_name::ParamType> \
+        (__VA_ARGS__)(info); \
+  } \
+  static int gtest_##prefix##test_case_name##_dummy_ GTEST_ATTRIBUTE_UNUSED_ = \
       ::testing::UnitTest::GetInstance()->parameterized_test_registry(). \
           GetTestCasePatternHolder<test_case_name>(\
-              #test_case_name, __FILE__, __LINE__)->AddTestCaseInstantiation(\
-                  #prefix, \
-                  &gtest_##prefix##test_case_name##_EvalGenerator_, \
-                  __FILE__, __LINE__)
+              #test_case_name, \
+              ::testing::internal::CodeLocation(\
+                  __FILE__, __LINE__))->AddTestCaseInstantiation(\
+                      #prefix, \
+                      &gtest_##prefix##test_case_name##_EvalGenerator_, \
+                      &gtest_##prefix##test_case_name##_EvalGenerateName_, \
+                      __FILE__, __LINE__)
 
 }  // namespace testing
 
-#endif  // GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PARAM_TEST_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-printers.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-printers.h
index 18ee7bc643..51865f84e6 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-printers.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-printers.h
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
-// Google Test - The Google C++ Testing Framework
+
+// Google Test - The Google C++ Testing and Mocking Framework
 //
 // This file implements a universal value printer that can print a
 // value of any type T:
@@ -46,6 +45,10 @@
 //   2. operator<<(ostream&, const T&) defined in either foo or the
 //      global namespace.
 //
+// However if T is an STL-style container then it is printed element-wise
+// unless foo::PrintTo(const T&, ostream*) is defined. Note that
+// operator<<() is ignored for container types.
+//
 // If none of the above is defined, it will print the debug string of
 // the value if it is a protocol buffer, or print the raw bytes in the
 // value otherwise.
@@ -92,6 +95,8 @@
 // being defined as many user-defined container types don't have
 // value_type.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PRINTERS_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PRINTERS_H_
 
@@ -107,6 +112,12 @@
 # include <tuple>
 #endif
 
+#if GTEST_HAS_ABSL
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
+#include "absl/types/variant.h"
+#endif  // GTEST_HAS_ABSL
+
 namespace testing {
 
 // Definitions in the 'internal' and 'internal2' name spaces are
@@ -125,7 +136,11 @@ enum TypeKind {
   kProtobuf,              // a protobuf type
   kConvertibleToInteger,  // a type implicitly convertible to BiggestInt
                           // (e.g. a named or unnamed enum type)
-  kOtherType              // anything else
+#if GTEST_HAS_ABSL
+  kConvertibleToStringView,  // a type implicitly convertible to
+                             // absl::string_view
+#endif
+  kOtherType  // anything else
 };
 
 // TypeWithoutFormatter<T, kTypeKind>::PrintValue(value, os) is called
@@ -137,7 +152,8 @@ class TypeWithoutFormatter {
  public:
   // This default version is called when kTypeKind is kOtherType.
   static void PrintValue(const T& value, ::std::ostream* os) {
-    PrintBytesInObjectTo(reinterpret_cast<const unsigned char*>(&value),
+    PrintBytesInObjectTo(static_cast<const unsigned char*>(
+                             reinterpret_cast<const void*>(&value)),
                          sizeof(value), os);
   }
 };
@@ -151,10 +167,10 @@ template <typename T>
 class TypeWithoutFormatter<T, kProtobuf> {
  public:
   static void PrintValue(const T& value, ::std::ostream* os) {
-    const ::testing::internal::string short_str = value.ShortDebugString();
-    const ::testing::internal::string pretty_str =
-        short_str.length() <= kProtobufOneLinerMaxLength ?
-        short_str : ("\n" + value.DebugString());
+    std::string pretty_str = value.ShortDebugString();
+    if (pretty_str.length() > kProtobufOneLinerMaxLength) {
+      pretty_str = "\n" + value.DebugString();
+    }
     *os << ("<" + pretty_str + ">");
   }
 };
@@ -175,6 +191,19 @@ class TypeWithoutFormatter<T, kConvertibleToInteger> {
   }
 };
 
+#if GTEST_HAS_ABSL
+template <typename T>
+class TypeWithoutFormatter<T, kConvertibleToStringView> {
+ public:
+  // Since T has neither operator<< nor PrintTo() but can be implicitly
+  // converted to absl::string_view, we print it as a absl::string_view.
+  //
+  // Note: the implementation is further below, as it depends on
+  // internal::PrintTo symbol which is defined later in the file.
+  static void PrintValue(const T& value, ::std::ostream* os);
+};
+#endif
+
 // Prints the given value to the given ostream.  If the value is a
 // protocol message, its debug string is printed; if it's an enum or
 // of a type implicitly convertible to BiggestInt, it's printed as an
@@ -202,10 +231,19 @@ class TypeWithoutFormatter<T, kConvertibleToInteger> {
 template <typename Char, typename CharTraits, typename T>
 ::std::basic_ostream<Char, CharTraits>& operator<<(
     ::std::basic_ostream<Char, CharTraits>& os, const T& x) {
-  TypeWithoutFormatter<T,
-      (internal::IsAProtocolMessage<T>::value ? kProtobuf :
-       internal::ImplicitlyConvertible<const T&, internal::BiggestInt>::value ?
-       kConvertibleToInteger : kOtherType)>::PrintValue(x, &os);
+  TypeWithoutFormatter<T, (internal::IsAProtocolMessage<T>::value
+                               ? kProtobuf
+                               : internal::ImplicitlyConvertible<
+                                     const T&, internal::BiggestInt>::value
+                                     ? kConvertibleToInteger
+                                     :
+#if GTEST_HAS_ABSL
+                                     internal::ImplicitlyConvertible<
+                                         const T&, absl::string_view>::value
+                                         ? kConvertibleToStringView
+                                         :
+#endif
+                                         kOtherType)>::PrintValue(x, &os);
   return os;
 }
 
@@ -254,6 +292,103 @@ void DefaultPrintNonContainerTo(const T& value, ::std::ostream* os) {
 namespace testing {
 namespace internal {
 
+// FormatForComparison<ToPrint, OtherOperand>::Format(value) formats a
+// value of type ToPrint that is an operand of a comparison assertion
+// (e.g. ASSERT_EQ).  OtherOperand is the type of the other operand in
+// the comparison, and is used to help determine the best way to
+// format the value.  In particular, when the value is a C string
+// (char pointer) and the other operand is an STL string object, we
+// want to format the C string as a string, since we know it is
+// compared by value with the string object.  If the value is a char
+// pointer but the other operand is not an STL string object, we don't
+// know whether the pointer is supposed to point to a NUL-terminated
+// string, and thus want to print it as a pointer to be safe.
+//
+// INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
+
+// The default case.
+template <typename ToPrint, typename OtherOperand>
+class FormatForComparison {
+ public:
+  static ::std::string Format(const ToPrint& value) {
+    return ::testing::PrintToString(value);
+  }
+};
+
+// Array.
+template <typename ToPrint, size_t N, typename OtherOperand>
+class FormatForComparison<ToPrint[N], OtherOperand> {
+ public:
+  static ::std::string Format(const ToPrint* value) {
+    return FormatForComparison<const ToPrint*, OtherOperand>::Format(value);
+  }
+};
+
+// By default, print C string as pointers to be safe, as we don't know
+// whether they actually point to a NUL-terminated string.
+
+#define GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(CharType)                \
+  template <typename OtherOperand>                                      \
+  class FormatForComparison<CharType*, OtherOperand> {                  \
+   public:                                                              \
+    static ::std::string Format(CharType* value) {                      \
+      return ::testing::PrintToString(static_cast<const void*>(value)); \
+    }                                                                   \
+  }
+
+GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(char);
+GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(const char);
+GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(wchar_t);
+GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(const wchar_t);
+
+#undef GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_
+
+// If a C string is compared with an STL string object, we know it's meant
+// to point to a NUL-terminated string, and thus can print it as a string.
+
+#define GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(CharType, OtherStringType) \
+  template <>                                                           \
+  class FormatForComparison<CharType*, OtherStringType> {               \
+   public:                                                              \
+    static ::std::string Format(CharType* value) {                      \
+      return ::testing::PrintToString(value);                           \
+    }                                                                   \
+  }
+
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(char, ::std::string);
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const char, ::std::string);
+
+#if GTEST_HAS_GLOBAL_STRING
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(char, ::string);
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const char, ::string);
+#endif
+
+#if GTEST_HAS_GLOBAL_WSTRING
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(wchar_t, ::wstring);
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const wchar_t, ::wstring);
+#endif
+
+#if GTEST_HAS_STD_WSTRING
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(wchar_t, ::std::wstring);
+GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const wchar_t, ::std::wstring);
+#endif
+
+#undef GTEST_IMPL_FORMAT_C_STRING_AS_STRING_
+
+// Formats a comparison assertion (e.g. ASSERT_EQ, EXPECT_LT, and etc)
+// operand to be used in a failure message.  The type (but not value)
+// of the other operand may affect the format.  This allows us to
+// print a char* as a raw pointer when it is compared against another
+// char* or void*, and print it as a C string when it is compared
+// against an std::string object, for example.
+//
+// INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
+template <typename T1, typename T2>
+std::string FormatForComparisonFailureMessage(
+    const T1& value, const T2& /* other_operand */) {
+  return FormatForComparison<T1, T2>::Format(value);
+}
+
 // UniversalPrinter<T>::Print(value, ostream_ptr) prints the given
 // value to the given ostream.  The caller must ensure that
 // 'ostream_ptr' is not NULL, or the behavior is undefined.
@@ -267,11 +402,18 @@ class UniversalPrinter;
 template <typename T>
 void UniversalPrint(const T& value, ::std::ostream* os);
 
+enum DefaultPrinterType {
+  kPrintContainer,
+  kPrintPointer,
+  kPrintFunctionPointer,
+  kPrintOther,
+};
+template <DefaultPrinterType type> struct WrapPrinterType {};
+
 // Used to print an STL-style container when the user doesn't define
 // a PrintTo() for it.
 template <typename C>
-void DefaultPrintTo(IsContainer /* dummy */,
-                    false_type /* is not a pointer */,
+void DefaultPrintTo(WrapPrinterType<kPrintContainer> /* dummy */,
                     const C& container, ::std::ostream* os) {
   const size_t kMaxCount = 32;  // The maximum number of elements to print.
   *os << '{';
@@ -304,40 +446,34 @@ void DefaultPrintTo(IsContainer /* dummy */,
 // implementation-defined.  Therefore they will be printed as raw
 // bytes.)
 template <typename T>
-void DefaultPrintTo(IsNotContainer /* dummy */,
-                    true_type /* is a pointer */,
+void DefaultPrintTo(WrapPrinterType<kPrintPointer> /* dummy */,
                     T* p, ::std::ostream* os) {
   if (p == NULL) {
     *os << "NULL";
   } else {
-    // C++ doesn't allow casting from a function pointer to any object
-    // pointer.
-    //
-    // IsTrue() silences warnings: "Condition is always true",
-    // "unreachable code".
-    if (IsTrue(ImplicitlyConvertible<T*, const void*>::value)) {
-      // T is not a function type.  We just call << to print p,
-      // relying on ADL to pick up user-defined << for their pointer
-      // types, if any.
-      *os << p;
-    } else {
-      // T is a function type, so '*os << p' doesn't do what we want
-      // (it just prints p as bool).  We want to print p as a const
-      // void*.  However, we cannot cast it to const void* directly,
-      // even using reinterpret_cast, as earlier versions of gcc
-      // (e.g. 3.4.5) cannot compile the cast when p is a function
-      // pointer.  Casting to UInt64 first solves the problem.
-      *os << reinterpret_cast<const void*>(
-          reinterpret_cast<internal::UInt64>(p));
-    }
+    // T is not a function type.  We just call << to print p,
+    // relying on ADL to pick up user-defined << for their pointer
+    // types, if any.
+    *os << p;
+  }
+}
+template <typename T>
+void DefaultPrintTo(WrapPrinterType<kPrintFunctionPointer> /* dummy */,
+                    T* p, ::std::ostream* os) {
+  if (p == NULL) {
+    *os << "NULL";
+  } else {
+    // T is a function type, so '*os << p' doesn't do what we want
+    // (it just prints p as bool).  We want to print p as a const
+    // void*.
+    *os << reinterpret_cast<const void*>(p);
   }
 }
 
 // Used to print a non-container, non-pointer value when the user
 // doesn't define PrintTo() for it.
 template <typename T>
-void DefaultPrintTo(IsNotContainer /* dummy */,
-                    false_type /* is not a pointer */,
+void DefaultPrintTo(WrapPrinterType<kPrintOther> /* dummy */,
                     const T& value, ::std::ostream* os) {
   ::testing_internal::DefaultPrintNonContainerTo(value, os);
 }
@@ -355,11 +491,8 @@ void DefaultPrintTo(IsNotContainer /* dummy */,
 // wants).
 template <typename T>
 void PrintTo(const T& value, ::std::ostream* os) {
-  // DefaultPrintTo() is overloaded.  The type of its first two
-  // arguments determine which version will be picked.  If T is an
-  // STL-style container, the version for container will be called; if
-  // T is a pointer, the pointer version will be called; otherwise the
-  // generic version will be called.
+  // DefaultPrintTo() is overloaded.  The type of its first argument
+  // determines which version will be picked.
   //
   // Note that we check for container types here, prior to we check
   // for protocol message types in our operator<<.  The rationale is:
@@ -371,13 +504,27 @@ void PrintTo(const T& value, ::std::ostream* os) {
   // elements; therefore we check for container types here to ensure
   // that our format is used.
   //
-  // The second argument of DefaultPrintTo() is needed to bypass a bug
-  // in Symbian's C++ compiler that prevents it from picking the right
-  // overload between:
-  //
-  //   PrintTo(const T& x, ...);
-  //   PrintTo(T* x, ...);
-  DefaultPrintTo(IsContainerTest<T>(0), is_pointer<T>(), value, os);
+  // Note that MSVC and clang-cl do allow an implicit conversion from
+  // pointer-to-function to pointer-to-object, but clang-cl warns on it.
+  // So don't use ImplicitlyConvertible if it can be helped since it will
+  // cause this warning, and use a separate overload of DefaultPrintTo for
+  // function pointers so that the `*os << p` in the object pointer overload
+  // doesn't cause that warning either.
+  DefaultPrintTo(
+      WrapPrinterType <
+                  (sizeof(IsContainerTest<T>(0)) == sizeof(IsContainer)) &&
+              !IsRecursiveContainer<T>::value
+          ? kPrintContainer
+          : !is_pointer<T>::value
+                ? kPrintOther
+#if GTEST_LANG_CXX11
+                : std::is_function<typename std::remove_pointer<T>::type>::value
+#else
+                : !internal::ImplicitlyConvertible<T, const void*>::value
+#endif
+                      ? kPrintFunctionPointer
+                      : kPrintPointer > (),
+      value, os);
 }
 
 // The following list of PrintTo() overloads tells
@@ -484,6 +631,17 @@ inline void PrintTo(const ::std::wstring& s, ::std::ostream* os) {
 }
 #endif  // GTEST_HAS_STD_WSTRING
 
+#if GTEST_HAS_ABSL
+// Overload for absl::string_view.
+inline void PrintTo(absl::string_view sp, ::std::ostream* os) {
+  PrintTo(::std::string(sp), os);
+}
+#endif  // GTEST_HAS_ABSL
+
+#if GTEST_LANG_CXX11
+inline void PrintTo(std::nullptr_t, ::std::ostream* os) { *os << "(nullptr)"; }
+#endif  // GTEST_LANG_CXX11
+
 #if GTEST_HAS_TR1_TUPLE || GTEST_HAS_STD_TUPLE_
 // Helper function for printing a tuple.  T must be instantiated with
 // a tuple type.
@@ -613,6 +771,48 @@ class UniversalPrinter {
   GTEST_DISABLE_MSC_WARNINGS_POP_()
 };
 
+#if GTEST_HAS_ABSL
+
+// Printer for absl::optional
+
+template <typename T>
+class UniversalPrinter<::absl::optional<T>> {
+ public:
+  static void Print(const ::absl::optional<T>& value, ::std::ostream* os) {
+    *os << '(';
+    if (!value) {
+      *os << "nullopt";
+    } else {
+      UniversalPrint(*value, os);
+    }
+    *os << ')';
+  }
+};
+
+// Printer for absl::variant
+
+template <typename... T>
+class UniversalPrinter<::absl::variant<T...>> {
+ public:
+  static void Print(const ::absl::variant<T...>& value, ::std::ostream* os) {
+    *os << '(';
+    absl::visit(Visitor{os}, value);
+    *os << ')';
+  }
+
+ private:
+  struct Visitor {
+    template <typename U>
+    void operator()(const U& u) const {
+      *os << "'" << GetTypeName<U>() << "' with value ";
+      UniversalPrint(u, os);
+    }
+    ::std::ostream* os;
+  };
+};
+
+#endif  // GTEST_HAS_ABSL
+
 // UniversalPrintArray(begin, len, os) prints an array of 'len'
 // elements, starting at address 'begin'.
 template <typename T>
@@ -626,7 +826,7 @@ void UniversalPrintArray(const T* begin, size_t len, ::std::ostream* os) {
     // If the array has more than kThreshold elements, we'll have to
     // omit some details by printing only the first and the last
     // kChunkSize elements.
-    // TODO(wan@google.com): let the user control the threshold using a flag.
+    // FIXME: let the user control the threshold using a flag.
     if (len <= kThreshold) {
       PrintRawArrayTo(begin, len, os);
     } else {
@@ -708,7 +908,7 @@ class UniversalTersePrinter<const char*> {
     if (str == NULL) {
       *os << "NULL";
     } else {
-      UniversalPrint(string(str), os);
+      UniversalPrint(std::string(str), os);
     }
   }
 };
@@ -759,7 +959,7 @@ void UniversalPrint(const T& value, ::std::ostream* os) {
   UniversalPrinter<T1>::Print(value, os);
 }
 
-typedef ::std::vector<string> Strings;
+typedef ::std::vector< ::std::string> Strings;
 
 // TuplePolicy<TupleT> must provide:
 // - tuple_size
@@ -778,12 +978,13 @@ struct TuplePolicy {
   static const size_t tuple_size = ::std::tr1::tuple_size<Tuple>::value;
 
   template <size_t I>
-  struct tuple_element : ::std::tr1::tuple_element<I, Tuple> {};
+  struct tuple_element : ::std::tr1::tuple_element<static_cast<int>(I), Tuple> {
+  };
 
   template <size_t I>
-  static typename AddReference<
-      const typename ::std::tr1::tuple_element<I, Tuple>::type>::type get(
-      const Tuple& tuple) {
+  static typename AddReference<const typename ::std::tr1::tuple_element<
+      static_cast<int>(I), Tuple>::type>::type
+  get(const Tuple& tuple) {
     return ::std::tr1::get<I>(tuple);
   }
 };
@@ -879,6 +1080,16 @@ Strings UniversalTersePrintTupleFieldsToStrings(const Tuple& value) {
 
 }  // namespace internal
 
+#if GTEST_HAS_ABSL
+namespace internal2 {
+template <typename T>
+void TypeWithoutFormatter<T, kConvertibleToStringView>::PrintValue(
+    const T& value, ::std::ostream* os) {
+  internal::PrintTo(absl::string_view(value), os);
+}
+}  // namespace internal2
+#endif
+
 template <typename T>
 ::std::string PrintToString(const T& value) {
   ::std::stringstream ss;
@@ -888,4 +1099,9 @@ template <typename T>
 
 }  // namespace testing
 
+// Include any custom printer added by the local installation.
+// We must include this header at the end to make sure it can use the
+// declarations from this file.
+#include "gtest/internal/custom/gtest-printers.h"
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PRINTERS_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-spi.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-spi.h
index f63fa9a1b2..1e8983938e 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-spi.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-spi.h
@@ -26,17 +26,21 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Utilities for testing Google Test itself and code that uses Google Test
 // (e.g. frameworks built on top of Google Test).
 
+// GOOGLETEST_CM0004 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_SPI_H_
 #define GTEST_INCLUDE_GTEST_GTEST_SPI_H_
 
 #include "gtest/gtest.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 namespace testing {
 
 // This helper class can be used to mock out Google Test failure reporting
@@ -97,13 +101,12 @@ class GTEST_API_ SingleFailureChecker {
  public:
   // The constructor remembers the arguments.
   SingleFailureChecker(const TestPartResultArray* results,
-                       TestPartResult::Type type,
-                       const string& substr);
+                       TestPartResult::Type type, const std::string& substr);
   ~SingleFailureChecker();
  private:
   const TestPartResultArray* const results_;
   const TestPartResult::Type type_;
-  const string substr_;
+  const std::string substr_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(SingleFailureChecker);
 };
@@ -112,6 +115,8 @@ class GTEST_API_ SingleFailureChecker {
 
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 // A set of macros for testing Google Test assertions or code that's expected
 // to generate Google Test fatal failures.  It verifies that the given
 // statement will cause exactly one fatal Google Test failure with 'substr'
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-test-part.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-test-part.h
index 77eb844839..1c7b89e087 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-test-part.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-test-part.h
@@ -27,8 +27,7 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Author: mheule@google.com (Markus Heule)
-//
+// GOOGLETEST_CM0001 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_GTEST_TEST_PART_H_
 #define GTEST_INCLUDE_GTEST_GTEST_TEST_PART_H_
@@ -38,6 +37,9 @@
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-string.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 namespace testing {
 
 // A copyable object representing the result of a test part (i.e. an
@@ -143,7 +145,7 @@ class GTEST_API_ TestPartResultArray {
 };
 
 // This interface knows how to report a test part result.
-class TestPartResultReporterInterface {
+class GTEST_API_ TestPartResultReporterInterface {
  public:
   virtual ~TestPartResultReporterInterface() {}
 
@@ -176,4 +178,6 @@ class GTEST_API_ HasNewFatalFailureHelper
 
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_TEST_PART_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest-typed-test.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest-typed-test.h
index fe1e83b274..74bce46bdc 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest-typed-test.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest-typed-test.h
@@ -26,8 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
+
+// GOOGLETEST_CM0001 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_GTEST_TYPED_TEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_TYPED_TEST_H_
@@ -82,6 +83,24 @@ TYPED_TEST(FooTest, DoesBlah) {
 
 TYPED_TEST(FooTest, HasPropertyA) { ... }
 
+// TYPED_TEST_CASE takes an optional third argument which allows to specify a
+// class that generates custom test name suffixes based on the type. This should
+// be a class which has a static template function GetName(int index) returning
+// a string for each type. The provided integer index equals the index of the
+// type in the provided type list. In many cases the index can be ignored.
+//
+// For example:
+//   class MyTypeNames {
+//    public:
+//     template <typename T>
+//     static std::string GetName(int) {
+//       if (std::is_same<T, char>()) return "char";
+//       if (std::is_same<T, int>()) return "int";
+//       if (std::is_same<T, unsigned int>()) return "unsignedInt";
+//     }
+//   };
+//   TYPED_TEST_CASE(FooTest, MyTypes, MyTypeNames);
+
 #endif  // 0
 
 // Type-parameterized tests are abstract test patterns parameterized
@@ -143,6 +162,11 @@ INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes);
 // If the type list contains only one type, you can write that type
 // directly without Types<...>:
 //   INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, int);
+//
+// Similar to the optional argument of TYPED_TEST_CASE above,
+// INSTANTIATE_TEST_CASE_P takes an optional fourth argument which allows to
+// generate custom names.
+//   INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes, MyTypeNames);
 
 #endif  // 0
 
@@ -159,31 +183,46 @@ INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes);
 // given test case.
 # define GTEST_TYPE_PARAMS_(TestCaseName) gtest_type_params_##TestCaseName##_
 
+// Expands to the name of the typedef for the NameGenerator, responsible for
+// creating the suffixes of the name.
+#define GTEST_NAME_GENERATOR_(TestCaseName) \
+  gtest_type_params_##TestCaseName##_NameGenerator
+
 // The 'Types' template argument below must have spaces around it
 // since some compilers may choke on '>>' when passing a template
 // instance (e.g. Types<int>)
-# define TYPED_TEST_CASE(CaseName, Types) \
-  typedef ::testing::internal::TypeList< Types >::type \
-      GTEST_TYPE_PARAMS_(CaseName)
-
-# define TYPED_TEST(CaseName, TestName) \
-  template <typename gtest_TypeParam_> \
-  class GTEST_TEST_CLASS_NAME_(CaseName, TestName) \
-      : public CaseName<gtest_TypeParam_> { \
-   private: \
-    typedef CaseName<gtest_TypeParam_> TestFixture; \
-    typedef gtest_TypeParam_ TypeParam; \
-    virtual void TestBody(); \
-  }; \
-  bool gtest_##CaseName##_##TestName##_registered_ GTEST_ATTRIBUTE_UNUSED_ = \
-      ::testing::internal::TypeParameterizedTest< \
-          CaseName, \
-          ::testing::internal::TemplateSel< \
-              GTEST_TEST_CLASS_NAME_(CaseName, TestName)>, \
-          GTEST_TYPE_PARAMS_(CaseName)>::Register(\
-              "", #CaseName, #TestName, 0); \
-  template <typename gtest_TypeParam_> \
-  void GTEST_TEST_CLASS_NAME_(CaseName, TestName)<gtest_TypeParam_>::TestBody()
+# define TYPED_TEST_CASE(CaseName, Types, ...)                             \
+  typedef ::testing::internal::TypeList< Types >::type GTEST_TYPE_PARAMS_( \
+      CaseName);                                                           \
+  typedef ::testing::internal::NameGeneratorSelector<__VA_ARGS__>::type    \
+      GTEST_NAME_GENERATOR_(CaseName)
+
+# define TYPED_TEST(CaseName, TestName)                                       \
+  template <typename gtest_TypeParam_>                                        \
+  class GTEST_TEST_CLASS_NAME_(CaseName, TestName)                            \
+      : public CaseName<gtest_TypeParam_> {                                   \
+   private:                                                                   \
+    typedef CaseName<gtest_TypeParam_> TestFixture;                           \
+    typedef gtest_TypeParam_ TypeParam;                                       \
+    virtual void TestBody();                                                  \
+  };                                                                          \
+  static bool gtest_##CaseName##_##TestName##_registered_                     \
+        GTEST_ATTRIBUTE_UNUSED_ =                                             \
+      ::testing::internal::TypeParameterizedTest<                             \
+          CaseName,                                                           \
+          ::testing::internal::TemplateSel<GTEST_TEST_CLASS_NAME_(CaseName,   \
+                                                                  TestName)>, \
+          GTEST_TYPE_PARAMS_(                                                 \
+              CaseName)>::Register("",                                        \
+                                   ::testing::internal::CodeLocation(         \
+                                       __FILE__, __LINE__),                   \
+                                   #CaseName, #TestName, 0,                   \
+                                   ::testing::internal::GenerateNames<        \
+                                       GTEST_NAME_GENERATOR_(CaseName),       \
+                                       GTEST_TYPE_PARAMS_(CaseName)>());      \
+  template <typename gtest_TypeParam_>                                        \
+  void GTEST_TEST_CLASS_NAME_(CaseName,                                       \
+                              TestName)<gtest_TypeParam_>::TestBody()
 
 #endif  // GTEST_HAS_TYPED_TEST
 
@@ -240,19 +279,27 @@ INSTANTIATE_TYPED_TEST_CASE_P(My, FooTest, MyTypes);
   namespace GTEST_CASE_NAMESPACE_(CaseName) { \
   typedef ::testing::internal::Templates<__VA_ARGS__>::type gtest_AllTests_; \
   } \
-  static const char* const GTEST_REGISTERED_TEST_NAMES_(CaseName) = \
-      GTEST_TYPED_TEST_CASE_P_STATE_(CaseName).VerifyRegisteredTestNames(\
-          __FILE__, __LINE__, #__VA_ARGS__)
+  static const char* const GTEST_REGISTERED_TEST_NAMES_(CaseName) \
+      GTEST_ATTRIBUTE_UNUSED_ = \
+          GTEST_TYPED_TEST_CASE_P_STATE_(CaseName).VerifyRegisteredTestNames( \
+              __FILE__, __LINE__, #__VA_ARGS__)
 
 // The 'Types' template argument below must have spaces around it
 // since some compilers may choke on '>>' when passing a template
 // instance (e.g. Types<int>)
-# define INSTANTIATE_TYPED_TEST_CASE_P(Prefix, CaseName, Types) \
-  bool gtest_##Prefix##_##CaseName GTEST_ATTRIBUTE_UNUSED_ = \
-      ::testing::internal::TypeParameterizedTestCase<CaseName, \
-          GTEST_CASE_NAMESPACE_(CaseName)::gtest_AllTests_, \
-          ::testing::internal::TypeList< Types >::type>::Register(\
-              #Prefix, #CaseName, GTEST_REGISTERED_TEST_NAMES_(CaseName))
+# define INSTANTIATE_TYPED_TEST_CASE_P(Prefix, CaseName, Types, ...)      \
+  static bool gtest_##Prefix##_##CaseName GTEST_ATTRIBUTE_UNUSED_ =       \
+      ::testing::internal::TypeParameterizedTestCase<                     \
+          CaseName, GTEST_CASE_NAMESPACE_(CaseName)::gtest_AllTests_,     \
+          ::testing::internal::TypeList< Types >::type>::                 \
+          Register(#Prefix,                                               \
+                   ::testing::internal::CodeLocation(__FILE__, __LINE__), \
+                   &GTEST_TYPED_TEST_CASE_P_STATE_(CaseName), #CaseName,  \
+                   GTEST_REGISTERED_TEST_NAMES_(CaseName),                \
+                   ::testing::internal::GenerateNames<                    \
+                       ::testing::internal::NameGeneratorSelector<        \
+                           __VA_ARGS__>::type,                            \
+                       ::testing::internal::TypeList< Types >::type>())
 
 #endif  // GTEST_HAS_TYPED_TEST_P
 
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest.h
index 38ca3e976a..5df4b0a3a7 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest.h
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file defines the public API for Google Test.  It should be
 // included by any test program that uses Google Test.
@@ -48,6 +47,8 @@
 // registration from Barthelemy Dagenais' (barthelemy@prologique.com)
 // easyUnit framework.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_H_
 #define GTEST_INCLUDE_GTEST_GTEST_H_
 
@@ -65,6 +66,9 @@
 #include "gtest/gtest-test-part.h"
 #include "gtest/gtest-typed-test.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 // Depending on the platform, different string classes are available.
 // On Linux, in addition to ::std::string, Google also makes use of
 // class ::string, which has the same interface as ::std::string, but
@@ -82,6 +86,15 @@
 
 namespace testing {
 
+// Silence C4100 (unreferenced formal parameter) and 4805
+// unsafe mix of type 'const int' and type 'const bool'
+#ifdef _MSC_VER
+# pragma warning(push)
+# pragma warning(disable:4805)
+# pragma warning(disable:4100)
+#endif
+
+
 // Declares the flags.
 
 // This flag temporary enables the disabled tests.
@@ -103,6 +116,10 @@ GTEST_DECLARE_string_(color);
 // the tests to run. If the filter is not given all tests are executed.
 GTEST_DECLARE_string_(filter);
 
+// This flag controls whether Google Test installs a signal handler that dumps
+// debugging information when fatal signals are raised.
+GTEST_DECLARE_bool_(install_failure_signal_handler);
+
 // This flag causes the Google Test to list tests. None of the tests listed
 // are actually run if the flag is provided.
 GTEST_DECLARE_bool_(list_tests);
@@ -115,6 +132,9 @@ GTEST_DECLARE_string_(output);
 // test.
 GTEST_DECLARE_bool_(print_time);
 
+// This flags control whether Google Test prints UTF8 characters as text.
+GTEST_DECLARE_bool_(print_utf8);
+
 // This flag specifies the random number seed.
 GTEST_DECLARE_int32_(random_seed);
 
@@ -135,7 +155,7 @@ GTEST_DECLARE_int32_(stack_trace_depth);
 
 // When this flag is specified, a failed assertion will throw an
 // exception if exceptions are enabled, or exit the program with a
-// non-zero code otherwise.
+// non-zero code otherwise. For use with an external test framework.
 GTEST_DECLARE_bool_(throw_on_failure);
 
 // When this flag is set with a "host:port" string, on supported
@@ -143,6 +163,10 @@ GTEST_DECLARE_bool_(throw_on_failure);
 // the specified host machine.
 GTEST_DECLARE_string_(stream_result_to);
 
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+GTEST_DECLARE_string_(flagfile);
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
+
 // The upper limit for valid stack trace depths.
 const int kMaxStackTraceDepth = 100;
 
@@ -160,6 +184,7 @@ class TestEventListenersAccessor;
 class TestEventRepeater;
 class UnitTestRecordPropertyTestHelper;
 class WindowsDeathTest;
+class FuchsiaDeathTest;
 class UnitTestImpl* GetUnitTestImpl();
 void ReportFailureInUnknownLocation(TestPartResult::Type result_type,
                                     const std::string& message);
@@ -259,7 +284,9 @@ class GTEST_API_ AssertionResult {
   // Used in EXPECT_TRUE/FALSE(assertion_result).
   AssertionResult(const AssertionResult& other);
 
+#if defined(_MSC_VER) && _MSC_VER < 1910
   GTEST_DISABLE_MSC_WARNINGS_PUSH_(4800 /* forcing value to bool */)
+#endif
 
   // Used in the EXPECT_TRUE/FALSE(bool_expression).
   //
@@ -276,7 +303,9 @@ class GTEST_API_ AssertionResult {
           /*enabler*/ = NULL)
       : success_(success) {}
 
+#if defined(_MSC_VER) && _MSC_VER < 1910
   GTEST_DISABLE_MSC_WARNINGS_POP_()
+#endif
 
   // Assignment operator.
   AssertionResult& operator=(AssertionResult other) {
@@ -297,7 +326,7 @@ class GTEST_API_ AssertionResult {
   const char* message() const {
     return message_.get() != NULL ?  message_->c_str() : "";
   }
-  // TODO(vladl@google.com): Remove this after making sure no clients use it.
+  // FIXME: Remove this after making sure no clients use it.
   // Deprecated; please use message() instead.
   const char* failure_message() const { return message(); }
 
@@ -345,6 +374,15 @@ GTEST_API_ AssertionResult AssertionFailure();
 // Deprecated; use AssertionFailure() << msg.
 GTEST_API_ AssertionResult AssertionFailure(const Message& msg);
 
+}  // namespace testing
+
+// Includes the auto-generated header that implements a family of generic
+// predicate assertion macros. This include comes late because it relies on
+// APIs declared above.
+#include "gtest/gtest_pred_impl.h"
+
+namespace testing {
+
 // The abstract class that all tests inherit from.
 //
 // In Google Test, a unit test program contains one or many TestCases, and
@@ -355,12 +393,12 @@ GTEST_API_ AssertionResult AssertionFailure(const Message& msg);
 // this for you.
 //
 // The only time you derive from Test is when defining a test fixture
-// to be used a TEST_F.  For example:
+// to be used in a TEST_F.  For example:
 //
 //   class FooTest : public testing::Test {
 //    protected:
-//     virtual void SetUp() { ... }
-//     virtual void TearDown() { ... }
+//     void SetUp() override { ... }
+//     void TearDown() override { ... }
 //     ...
 //   };
 //
@@ -452,8 +490,7 @@ class GTEST_API_ Test {
   // internal method to avoid clashing with names used in user TESTs.
   void DeleteSelf_() { delete this; }
 
-  // Uses a GTestFlagSaver to save and restore all Google Test flags.
-  const internal::GTestFlagSaver* const gtest_flag_saver_;
+  const internal::scoped_ptr< GTEST_FLAG_SAVER_ > gtest_flag_saver_;
 
   // Often a user misspells SetUp() as Setup() and spends a long time
   // wondering why it is never called by Google Test.  The declaration of
@@ -551,9 +588,8 @@ class GTEST_API_ TestResult {
   // Returns the elapsed time, in milliseconds.
   TimeInMillis elapsed_time() const { return elapsed_time_; }
 
-  // Returns the i-th test part result among all the results. i can range
-  // from 0 to test_property_count() - 1. If i is not in that range, aborts
-  // the program.
+  // Returns the i-th test part result among all the results. i can range from 0
+  // to total_part_count() - 1. If i is not in that range, aborts the program.
   const TestPartResult& GetTestPartResult(int i) const;
 
   // Returns the i-th test property. i can range from 0 to
@@ -570,6 +606,7 @@ class GTEST_API_ TestResult {
   friend class internal::TestResultAccessor;
   friend class internal::UnitTestImpl;
   friend class internal::WindowsDeathTest;
+  friend class internal::FuchsiaDeathTest;
 
   // Gets the vector of TestPartResults.
   const std::vector<TestPartResult>& test_part_results() const {
@@ -595,7 +632,7 @@ class GTEST_API_ TestResult {
 
   // Adds a failure if the key is a reserved attribute of Google Test
   // testcase tags.  Returns true if the property is valid.
-  // TODO(russr): Validate attribute names are legal and human readable.
+  // FIXME: Validate attribute names are legal and human readable.
   static bool ValidateTestProperty(const std::string& xml_element,
                                    const TestProperty& test_property);
 
@@ -670,6 +707,15 @@ class GTEST_API_ TestInfo {
     return NULL;
   }
 
+  // Returns the file name where this test is defined.
+  const char* file() const { return location_.file.c_str(); }
+
+  // Returns the line where this test is defined.
+  int line() const { return location_.line; }
+
+  // Return true if this test should not be run because it's in another shard.
+  bool is_in_another_shard() const { return is_in_another_shard_; }
+
   // Returns true if this test should run, that is if the test is not
   // disabled (or it is disabled but the also_run_disabled_tests flag has
   // been specified) and its full name matches the user-specified filter.
@@ -690,10 +736,9 @@ class GTEST_API_ TestInfo {
 
   // Returns true iff this test will appear in the XML report.
   bool is_reportable() const {
-    // For now, the XML report includes all tests matching the filter.
-    // In the future, we may trim tests that are excluded because of
-    // sharding.
-    return matches_filter_;
+    // The XML report includes tests matching the filter, excluding those
+    // run in other shards.
+    return matches_filter_ && !is_in_another_shard_;
   }
 
   // Returns the result of the test.
@@ -712,6 +757,7 @@ class GTEST_API_ TestInfo {
       const char* name,
       const char* type_param,
       const char* value_param,
+      internal::CodeLocation code_location,
       internal::TypeId fixture_class_id,
       Test::SetUpTestCaseFunc set_up_tc,
       Test::TearDownTestCaseFunc tear_down_tc,
@@ -723,6 +769,7 @@ class GTEST_API_ TestInfo {
            const std::string& name,
            const char* a_type_param,   // NULL if not a type-parameterized test
            const char* a_value_param,  // NULL if not a value-parameterized test
+           internal::CodeLocation a_code_location,
            internal::TypeId fixture_class_id,
            internal::TestFactoryBase* factory);
 
@@ -749,11 +796,13 @@ class GTEST_API_ TestInfo {
   // Text representation of the value parameter, or NULL if this is not a
   // value-parameterized test.
   const internal::scoped_ptr<const ::std::string> value_param_;
+  internal::CodeLocation location_;
   const internal::TypeId fixture_class_id_;   // ID of the test fixture class
   bool should_run_;                 // True iff this test should run
   bool is_disabled_;                // True iff this test is disabled
   bool matches_filter_;             // True if this test matches the
                                     // user-specified filter.
+  bool is_in_another_shard_;        // Will be run in another shard.
   internal::TestFactoryBase* const factory_;  // The factory that creates
                                               // the test object
 
@@ -978,6 +1027,18 @@ class Environment {
   virtual Setup_should_be_spelled_SetUp* Setup() { return NULL; }
 };
 
+#if GTEST_HAS_EXCEPTIONS
+
+// Exception which can be thrown from TestEventListener::OnTestPartResult.
+class GTEST_API_ AssertionException
+    : public internal::GoogleTestFailureException {
+ public:
+  explicit AssertionException(const TestPartResult& result)
+      : GoogleTestFailureException(result) {}
+};
+
+#endif  // GTEST_HAS_EXCEPTIONS
+
 // The interface for tracing execution of tests. The methods are organized in
 // the order the corresponding events are fired.
 class TestEventListener {
@@ -1006,6 +1067,8 @@ class TestEventListener {
   virtual void OnTestStart(const TestInfo& test_info) = 0;
 
   // Fired after a failed assertion or a SUCCEED() invocation.
+  // If you want to throw an exception from this function to skip to the next
+  // TEST, it must be AssertionException defined above, or inherited from it.
   virtual void OnTestPartResult(const TestPartResult& test_part_result) = 0;
 
   // Fired after the test ends.
@@ -1172,14 +1235,12 @@ class GTEST_API_ UnitTest {
   // Returns the random seed used at the start of the current test run.
   int random_seed() const;
 
-#if GTEST_HAS_PARAM_TEST
   // Returns the ParameterizedTestCaseRegistry object used to keep track of
   // value-parameterized tests and instantiate and register them.
   //
   // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
   internal::ParameterizedTestCaseRegistry& parameterized_test_registry()
       GTEST_LOCK_EXCLUDED_(mutex_);
-#endif  // GTEST_HAS_PARAM_TEST
 
   // Gets the number of successful test cases.
   int successful_test_case_count() const;
@@ -1279,11 +1340,11 @@ class GTEST_API_ UnitTest {
   internal::UnitTestImpl* impl() { return impl_; }
   const internal::UnitTestImpl* impl() const { return impl_; }
 
-  // These classes and funcions are friends as they need to access private
+  // These classes and functions are friends as they need to access private
   // members of UnitTest.
+  friend class ScopedTrace;
   friend class Test;
   friend class internal::AssertHelper;
-  friend class internal::ScopedTrace;
   friend class internal::StreamingListenerTest;
   friend class internal::UnitTestRecordPropertyTestHelper;
   friend Environment* AddGlobalTestEnvironment(Environment* env);
@@ -1360,129 +1421,40 @@ GTEST_API_ void InitGoogleTest(int* argc, wchar_t** argv);
 
 namespace internal {
 
-// FormatForComparison<ToPrint, OtherOperand>::Format(value) formats a
-// value of type ToPrint that is an operand of a comparison assertion
-// (e.g. ASSERT_EQ).  OtherOperand is the type of the other operand in
-// the comparison, and is used to help determine the best way to
-// format the value.  In particular, when the value is a C string
-// (char pointer) and the other operand is an STL string object, we
-// want to format the C string as a string, since we know it is
-// compared by value with the string object.  If the value is a char
-// pointer but the other operand is not an STL string object, we don't
-// know whether the pointer is supposed to point to a NUL-terminated
-// string, and thus want to print it as a pointer to be safe.
-//
-// INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
-
-// The default case.
-template <typename ToPrint, typename OtherOperand>
-class FormatForComparison {
- public:
-  static ::std::string Format(const ToPrint& value) {
-    return ::testing::PrintToString(value);
-  }
-};
-
-// Array.
-template <typename ToPrint, size_t N, typename OtherOperand>
-class FormatForComparison<ToPrint[N], OtherOperand> {
- public:
-  static ::std::string Format(const ToPrint* value) {
-    return FormatForComparison<const ToPrint*, OtherOperand>::Format(value);
-  }
-};
-
-// By default, print C string as pointers to be safe, as we don't know
-// whether they actually point to a NUL-terminated string.
-
-#define GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(CharType)                \
-  template <typename OtherOperand>                                      \
-  class FormatForComparison<CharType*, OtherOperand> {                  \
-   public:                                                              \
-    static ::std::string Format(CharType* value) {                      \
-      return ::testing::PrintToString(static_cast<const void*>(value)); \
-    }                                                                   \
-  }
-
-GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(char);
-GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(const char);
-GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(wchar_t);
-GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_(const wchar_t);
-
-#undef GTEST_IMPL_FORMAT_C_STRING_AS_POINTER_
-
-// If a C string is compared with an STL string object, we know it's meant
-// to point to a NUL-terminated string, and thus can print it as a string.
-
-#define GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(CharType, OtherStringType) \
-  template <>                                                           \
-  class FormatForComparison<CharType*, OtherStringType> {               \
-   public:                                                              \
-    static ::std::string Format(CharType* value) {                      \
-      return ::testing::PrintToString(value);                           \
-    }                                                                   \
-  }
-
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(char, ::std::string);
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const char, ::std::string);
-
-#if GTEST_HAS_GLOBAL_STRING
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(char, ::string);
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const char, ::string);
-#endif
-
-#if GTEST_HAS_GLOBAL_WSTRING
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(wchar_t, ::wstring);
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const wchar_t, ::wstring);
-#endif
-
-#if GTEST_HAS_STD_WSTRING
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(wchar_t, ::std::wstring);
-GTEST_IMPL_FORMAT_C_STRING_AS_STRING_(const wchar_t, ::std::wstring);
-#endif
-
-#undef GTEST_IMPL_FORMAT_C_STRING_AS_STRING_
-
-// Formats a comparison assertion (e.g. ASSERT_EQ, EXPECT_LT, and etc)
-// operand to be used in a failure message.  The type (but not value)
-// of the other operand may affect the format.  This allows us to
-// print a char* as a raw pointer when it is compared against another
-// char* or void*, and print it as a C string when it is compared
-// against an std::string object, for example.
-//
-// INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
+// Separate the error generating code from the code path to reduce the stack
+// frame size of CmpHelperEQ. This helps reduce the overhead of some sanitizers
+// when calling EXPECT_* in a tight loop.
 template <typename T1, typename T2>
-std::string FormatForComparisonFailureMessage(
-    const T1& value, const T2& /* other_operand */) {
-  return FormatForComparison<T1, T2>::Format(value);
+AssertionResult CmpHelperEQFailure(const char* lhs_expression,
+                                   const char* rhs_expression,
+                                   const T1& lhs, const T2& rhs) {
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   FormatForComparisonFailureMessage(lhs, rhs),
+                   FormatForComparisonFailureMessage(rhs, lhs),
+                   false);
 }
 
 // The helper function for {ASSERT|EXPECT}_EQ.
 template <typename T1, typename T2>
-AssertionResult CmpHelperEQ(const char* expected_expression,
-                            const char* actual_expression,
-                            const T1& expected,
-                            const T2& actual) {
-GTEST_DISABLE_MSC_WARNINGS_PUSH_(4389 /* signed/unsigned mismatch */)
-  if (expected == actual) {
+AssertionResult CmpHelperEQ(const char* lhs_expression,
+                            const char* rhs_expression,
+                            const T1& lhs,
+                            const T2& rhs) {
+  if (lhs == rhs) {
     return AssertionSuccess();
   }
-GTEST_DISABLE_MSC_WARNINGS_POP_()
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   FormatForComparisonFailureMessage(expected, actual),
-                   FormatForComparisonFailureMessage(actual, expected),
-                   false);
+  return CmpHelperEQFailure(lhs_expression, rhs_expression, lhs, rhs);
 }
 
 // With this overloaded version, we allow anonymous enums to be used
 // in {ASSERT|EXPECT}_EQ when compiled with gcc 4, as anonymous enums
 // can be implicitly cast to BiggestInt.
-GTEST_API_ AssertionResult CmpHelperEQ(const char* expected_expression,
-                                       const char* actual_expression,
-                                       BiggestInt expected,
-                                       BiggestInt actual);
+GTEST_API_ AssertionResult CmpHelperEQ(const char* lhs_expression,
+                                       const char* rhs_expression,
+                                       BiggestInt lhs,
+                                       BiggestInt rhs);
 
 // The helper class for {ASSERT|EXPECT}_EQ.  The template argument
 // lhs_is_null_literal is true iff the first argument to ASSERT_EQ()
@@ -1493,12 +1465,11 @@ class EqHelper {
  public:
   // This templatized version is for the general case.
   template <typename T1, typename T2>
-  static AssertionResult Compare(const char* expected_expression,
-                                 const char* actual_expression,
-                                 const T1& expected,
-                                 const T2& actual) {
-    return CmpHelperEQ(expected_expression, actual_expression, expected,
-                       actual);
+  static AssertionResult Compare(const char* lhs_expression,
+                                 const char* rhs_expression,
+                                 const T1& lhs,
+                                 const T2& rhs) {
+    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
   }
 
   // With this overloaded version, we allow anonymous enums to be used
@@ -1507,12 +1478,11 @@ class EqHelper {
   //
   // Even though its body looks the same as the above version, we
   // cannot merge the two, as it will make anonymous enums unhappy.
-  static AssertionResult Compare(const char* expected_expression,
-                                 const char* actual_expression,
-                                 BiggestInt expected,
-                                 BiggestInt actual) {
-    return CmpHelperEQ(expected_expression, actual_expression, expected,
-                       actual);
+  static AssertionResult Compare(const char* lhs_expression,
+                                 const char* rhs_expression,
+                                 BiggestInt lhs,
+                                 BiggestInt rhs) {
+    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
   }
 };
 
@@ -1527,40 +1497,52 @@ class EqHelper<true> {
   // EXPECT_EQ(false, a_bool).
   template <typename T1, typename T2>
   static AssertionResult Compare(
-      const char* expected_expression,
-      const char* actual_expression,
-      const T1& expected,
-      const T2& actual,
+      const char* lhs_expression,
+      const char* rhs_expression,
+      const T1& lhs,
+      const T2& rhs,
       // The following line prevents this overload from being considered if T2
       // is not a pointer type.  We need this because ASSERT_EQ(NULL, my_ptr)
       // expands to Compare("", "", NULL, my_ptr), which requires a conversion
       // to match the Secret* in the other overload, which would otherwise make
       // this template match better.
       typename EnableIf<!is_pointer<T2>::value>::type* = 0) {
-    return CmpHelperEQ(expected_expression, actual_expression, expected,
-                       actual);
+    return CmpHelperEQ(lhs_expression, rhs_expression, lhs, rhs);
   }
 
   // This version will be picked when the second argument to ASSERT_EQ() is a
   // pointer, e.g. ASSERT_EQ(NULL, a_pointer).
   template <typename T>
   static AssertionResult Compare(
-      const char* expected_expression,
-      const char* actual_expression,
+      const char* lhs_expression,
+      const char* rhs_expression,
       // We used to have a second template parameter instead of Secret*.  That
       // template parameter would deduce to 'long', making this a better match
       // than the first overload even without the first overload's EnableIf.
       // Unfortunately, gcc with -Wconversion-null warns when "passing NULL to
       // non-pointer argument" (even a deduced integral argument), so the old
       // implementation caused warnings in user code.
-      Secret* /* expected (NULL) */,
-      T* actual) {
-    // We already know that 'expected' is a null pointer.
-    return CmpHelperEQ(expected_expression, actual_expression,
-                       static_cast<T*>(NULL), actual);
+      Secret* /* lhs (NULL) */,
+      T* rhs) {
+    // We already know that 'lhs' is a null pointer.
+    return CmpHelperEQ(lhs_expression, rhs_expression,
+                       static_cast<T*>(NULL), rhs);
   }
 };
 
+// Separate the error generating code from the code path to reduce the stack
+// frame size of CmpHelperOP. This helps reduce the overhead of some sanitizers
+// when calling EXPECT_OP in a tight loop.
+template <typename T1, typename T2>
+AssertionResult CmpHelperOpFailure(const char* expr1, const char* expr2,
+                                   const T1& val1, const T2& val2,
+                                   const char* op) {
+  return AssertionFailure()
+         << "Expected: (" << expr1 << ") " << op << " (" << expr2
+         << "), actual: " << FormatForComparisonFailureMessage(val1, val2)
+         << " vs " << FormatForComparisonFailureMessage(val2, val1);
+}
+
 // A macro for implementing the helper functions needed to implement
 // ASSERT_?? and EXPECT_??.  It is here just to avoid copy-and-paste
 // of similar code.
@@ -1571,6 +1553,7 @@ class EqHelper<true> {
 // with gcc 4.
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
+
 #define GTEST_IMPL_CMP_HELPER_(op_name, op)\
 template <typename T1, typename T2>\
 AssertionResult CmpHelper##op_name(const char* expr1, const char* expr2, \
@@ -1578,10 +1561,7 @@ AssertionResult CmpHelper##op_name(const char* expr1, const char* expr2, \
   if (val1 op val2) {\
     return AssertionSuccess();\
   } else {\
-    return AssertionFailure() \
-        << "Expected: (" << expr1 << ") " #op " (" << expr2\
-        << "), actual: " << FormatForComparisonFailureMessage(val1, val2)\
-        << " vs " << FormatForComparisonFailureMessage(val2, val1);\
+    return CmpHelperOpFailure(expr1, expr2, val1, val2, #op);\
   }\
 }\
 GTEST_API_ AssertionResult CmpHelper##op_name(\
@@ -1605,18 +1585,18 @@ GTEST_IMPL_CMP_HELPER_(GT, >);
 // The helper function for {ASSERT|EXPECT}_STREQ.
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
-GTEST_API_ AssertionResult CmpHelperSTREQ(const char* expected_expression,
-                                          const char* actual_expression,
-                                          const char* expected,
-                                          const char* actual);
+GTEST_API_ AssertionResult CmpHelperSTREQ(const char* s1_expression,
+                                          const char* s2_expression,
+                                          const char* s1,
+                                          const char* s2);
 
 // The helper function for {ASSERT|EXPECT}_STRCASEEQ.
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
-GTEST_API_ AssertionResult CmpHelperSTRCASEEQ(const char* expected_expression,
-                                              const char* actual_expression,
-                                              const char* expected,
-                                              const char* actual);
+GTEST_API_ AssertionResult CmpHelperSTRCASEEQ(const char* s1_expression,
+                                              const char* s2_expression,
+                                              const char* s1,
+                                              const char* s2);
 
 // The helper function for {ASSERT|EXPECT}_STRNE.
 //
@@ -1638,10 +1618,10 @@ GTEST_API_ AssertionResult CmpHelperSTRCASENE(const char* s1_expression,
 // Helper function for *_STREQ on wide strings.
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
-GTEST_API_ AssertionResult CmpHelperSTREQ(const char* expected_expression,
-                                          const char* actual_expression,
-                                          const wchar_t* expected,
-                                          const wchar_t* actual);
+GTEST_API_ AssertionResult CmpHelperSTREQ(const char* s1_expression,
+                                          const char* s2_expression,
+                                          const wchar_t* s1,
+                                          const wchar_t* s2);
 
 // Helper function for *_STRNE on wide strings.
 //
@@ -1699,28 +1679,28 @@ namespace internal {
 //
 // INTERNAL IMPLEMENTATION - DO NOT USE IN A USER PROGRAM.
 template <typename RawType>
-AssertionResult CmpHelperFloatingPointEQ(const char* expected_expression,
-                                         const char* actual_expression,
-                                         RawType expected,
-                                         RawType actual) {
-  const FloatingPoint<RawType> lhs(expected), rhs(actual);
+AssertionResult CmpHelperFloatingPointEQ(const char* lhs_expression,
+                                         const char* rhs_expression,
+                                         RawType lhs_value,
+                                         RawType rhs_value) {
+  const FloatingPoint<RawType> lhs(lhs_value), rhs(rhs_value);
 
   if (lhs.AlmostEquals(rhs)) {
     return AssertionSuccess();
   }
 
-  ::std::stringstream expected_ss;
-  expected_ss << std::setprecision(std::numeric_limits<RawType>::digits10 + 2)
-              << expected;
+  ::std::stringstream lhs_ss;
+  lhs_ss << std::setprecision(std::numeric_limits<RawType>::digits10 + 2)
+         << lhs_value;
 
-  ::std::stringstream actual_ss;
-  actual_ss << std::setprecision(std::numeric_limits<RawType>::digits10 + 2)
-            << actual;
+  ::std::stringstream rhs_ss;
+  rhs_ss << std::setprecision(std::numeric_limits<RawType>::digits10 + 2)
+         << rhs_value;
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   StringStreamToString(&expected_ss),
-                   StringStreamToString(&actual_ss),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   StringStreamToString(&lhs_ss),
+                   StringStreamToString(&rhs_ss),
                    false);
 }
 
@@ -1777,7 +1757,6 @@ class GTEST_API_ AssertHelper {
 
 }  // namespace internal
 
-#if GTEST_HAS_PARAM_TEST
 // The pure interface class that all value-parameterized tests inherit from.
 // A value-parameterized class must inherit from both ::testing::Test and
 // ::testing::WithParamInterface. In most cases that just means inheriting
@@ -1854,8 +1833,6 @@ template <typename T>
 class TestWithParam : public Test, public WithParamInterface<T> {
 };
 
-#endif  // GTEST_HAS_PARAM_TEST
-
 // Macros for indicating success/failure in test code.
 
 // ADD_FAILURE unconditionally adds a failure to the current test.
@@ -1940,18 +1917,14 @@ class TestWithParam : public Test, public WithParamInterface<T> {
   GTEST_TEST_BOOLEAN_(!(condition), #condition, true, false, \
                       GTEST_FATAL_FAILURE_)
 
-// Includes the auto-generated header that implements a family of
-// generic predicate assertion macros.
-#include "gtest/gtest_pred_impl.h"
-
 // Macros for testing equalities and inequalities.
 //
-//    * {ASSERT|EXPECT}_EQ(expected, actual): Tests that expected == actual
-//    * {ASSERT|EXPECT}_NE(v1, v2):           Tests that v1 != v2
-//    * {ASSERT|EXPECT}_LT(v1, v2):           Tests that v1 < v2
-//    * {ASSERT|EXPECT}_LE(v1, v2):           Tests that v1 <= v2
-//    * {ASSERT|EXPECT}_GT(v1, v2):           Tests that v1 > v2
-//    * {ASSERT|EXPECT}_GE(v1, v2):           Tests that v1 >= v2
+//    * {ASSERT|EXPECT}_EQ(v1, v2): Tests that v1 == v2
+//    * {ASSERT|EXPECT}_NE(v1, v2): Tests that v1 != v2
+//    * {ASSERT|EXPECT}_LT(v1, v2): Tests that v1 < v2
+//    * {ASSERT|EXPECT}_LE(v1, v2): Tests that v1 <= v2
+//    * {ASSERT|EXPECT}_GT(v1, v2): Tests that v1 > v2
+//    * {ASSERT|EXPECT}_GE(v1, v2): Tests that v1 >= v2
 //
 // When they are not, Google Test prints both the tested expressions and
 // their actual values.  The values must be compatible built-in types,
@@ -1973,8 +1946,8 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 //   are related, not how their content is related.  To compare two C
 //   strings by content, use {ASSERT|EXPECT}_STR*().
 //
-//   3. {ASSERT|EXPECT}_EQ(expected, actual) is preferred to
-//   {ASSERT|EXPECT}_TRUE(expected == actual), as the former tells you
+//   3. {ASSERT|EXPECT}_EQ(v1, v2) is preferred to
+//   {ASSERT|EXPECT}_TRUE(v1 == v2), as the former tells you
 //   what the actual value is when it fails, and similarly for the
 //   other comparisons.
 //
@@ -1985,17 +1958,17 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 //
 // Examples:
 //
-//   EXPECT_NE(5, Foo());
-//   EXPECT_EQ(NULL, a_pointer);
+//   EXPECT_NE(Foo(), 5);
+//   EXPECT_EQ(a_pointer, NULL);
 //   ASSERT_LT(i, array_size);
 //   ASSERT_GT(records.size(), 0) << "There is no record left.";
 
-#define EXPECT_EQ(expected, actual) \
+#define EXPECT_EQ(val1, val2) \
   EXPECT_PRED_FORMAT2(::testing::internal:: \
-                      EqHelper<GTEST_IS_NULL_LITERAL_(expected)>::Compare, \
-                      expected, actual)
-#define EXPECT_NE(expected, actual) \
-  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperNE, expected, actual)
+                      EqHelper<GTEST_IS_NULL_LITERAL_(val1)>::Compare, \
+                      val1, val2)
+#define EXPECT_NE(val1, val2) \
+  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperNE, val1, val2)
 #define EXPECT_LE(val1, val2) \
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperLE, val1, val2)
 #define EXPECT_LT(val1, val2) \
@@ -2005,10 +1978,10 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 #define EXPECT_GT(val1, val2) \
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperGT, val1, val2)
 
-#define GTEST_ASSERT_EQ(expected, actual) \
+#define GTEST_ASSERT_EQ(val1, val2) \
   ASSERT_PRED_FORMAT2(::testing::internal:: \
-                      EqHelper<GTEST_IS_NULL_LITERAL_(expected)>::Compare, \
-                      expected, actual)
+                      EqHelper<GTEST_IS_NULL_LITERAL_(val1)>::Compare, \
+                      val1, val2)
 #define GTEST_ASSERT_NE(val1, val2) \
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperNE, val1, val2)
 #define GTEST_ASSERT_LE(val1, val2) \
@@ -2063,29 +2036,29 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 //
 // These macros evaluate their arguments exactly once.
 
-#define EXPECT_STREQ(expected, actual) \
-  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTREQ, expected, actual)
+#define EXPECT_STREQ(s1, s2) \
+  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTREQ, s1, s2)
 #define EXPECT_STRNE(s1, s2) \
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTRNE, s1, s2)
-#define EXPECT_STRCASEEQ(expected, actual) \
-  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASEEQ, expected, actual)
+#define EXPECT_STRCASEEQ(s1, s2) \
+  EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASEEQ, s1, s2)
 #define EXPECT_STRCASENE(s1, s2)\
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASENE, s1, s2)
 
-#define ASSERT_STREQ(expected, actual) \
-  ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTREQ, expected, actual)
+#define ASSERT_STREQ(s1, s2) \
+  ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTREQ, s1, s2)
 #define ASSERT_STRNE(s1, s2) \
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTRNE, s1, s2)
-#define ASSERT_STRCASEEQ(expected, actual) \
-  ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASEEQ, expected, actual)
+#define ASSERT_STRCASEEQ(s1, s2) \
+  ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASEEQ, s1, s2)
 #define ASSERT_STRCASENE(s1, s2)\
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperSTRCASENE, s1, s2)
 
 // Macros for comparing floating-point numbers.
 //
-//    * {ASSERT|EXPECT}_FLOAT_EQ(expected, actual):
+//    * {ASSERT|EXPECT}_FLOAT_EQ(val1, val2):
 //         Tests that two float values are almost equal.
-//    * {ASSERT|EXPECT}_DOUBLE_EQ(expected, actual):
+//    * {ASSERT|EXPECT}_DOUBLE_EQ(val1, val2):
 //         Tests that two double values are almost equal.
 //    * {ASSERT|EXPECT}_NEAR(v1, v2, abs_error):
 //         Tests that v1 and v2 are within the given distance to each other.
@@ -2095,21 +2068,21 @@ class TestWithParam : public Test, public WithParamInterface<T> {
 // FloatingPoint template class in gtest-internal.h if you are
 // interested in the implementation details.
 
-#define EXPECT_FLOAT_EQ(expected, actual)\
+#define EXPECT_FLOAT_EQ(val1, val2)\
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperFloatingPointEQ<float>, \
-                      expected, actual)
+                      val1, val2)
 
-#define EXPECT_DOUBLE_EQ(expected, actual)\
+#define EXPECT_DOUBLE_EQ(val1, val2)\
   EXPECT_PRED_FORMAT2(::testing::internal::CmpHelperFloatingPointEQ<double>, \
-                      expected, actual)
+                      val1, val2)
 
-#define ASSERT_FLOAT_EQ(expected, actual)\
+#define ASSERT_FLOAT_EQ(val1, val2)\
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperFloatingPointEQ<float>, \
-                      expected, actual)
+                      val1, val2)
 
-#define ASSERT_DOUBLE_EQ(expected, actual)\
+#define ASSERT_DOUBLE_EQ(val1, val2)\
   ASSERT_PRED_FORMAT2(::testing::internal::CmpHelperFloatingPointEQ<double>, \
-                      expected, actual)
+                      val1, val2)
 
 #define EXPECT_NEAR(val1, val2, abs_error)\
   EXPECT_PRED_FORMAT3(::testing::internal::DoubleNearPredFormat, \
@@ -2172,6 +2145,57 @@ GTEST_API_ AssertionResult DoubleLE(const char* expr1, const char* expr2,
 #define EXPECT_NO_FATAL_FAILURE(statement) \
     GTEST_TEST_NO_FATAL_FAILURE_(statement, GTEST_NONFATAL_FAILURE_)
 
+// Causes a trace (including the given source file path and line number,
+// and the given message) to be included in every test failure message generated
+// by code in the scope of the lifetime of an instance of this class. The effect
+// is undone with the destruction of the instance.
+//
+// The message argument can be anything streamable to std::ostream.
+//
+// Example:
+//   testing::ScopedTrace trace("file.cc", 123, "message");
+//
+class GTEST_API_ ScopedTrace {
+ public:
+  // The c'tor pushes the given source file location and message onto
+  // a trace stack maintained by Google Test.
+
+  // Template version. Uses Message() to convert the values into strings.
+  // Slow, but flexible.
+  template <typename T>
+  ScopedTrace(const char* file, int line, const T& message) {
+    PushTrace(file, line, (Message() << message).GetString());
+  }
+
+  // Optimize for some known types.
+  ScopedTrace(const char* file, int line, const char* message) {
+    PushTrace(file, line, message ? message : "(null)");
+  }
+
+#if GTEST_HAS_GLOBAL_STRING
+  ScopedTrace(const char* file, int line, const ::string& message) {
+    PushTrace(file, line, message);
+  }
+#endif
+
+  ScopedTrace(const char* file, int line, const std::string& message) {
+    PushTrace(file, line, message);
+  }
+
+  // The d'tor pops the info pushed by the c'tor.
+  //
+  // Note that the d'tor is not virtual in order to be efficient.
+  // Don't inherit from ScopedTrace!
+  ~ScopedTrace();
+
+ private:
+  void PushTrace(const char* file, int line, std::string message);
+
+  GTEST_DISALLOW_COPY_AND_ASSIGN_(ScopedTrace);
+} GTEST_ATTRIBUTE_UNUSED_;  // A ScopedTrace object does its job in its
+                            // c'tor and d'tor.  Therefore it doesn't
+                            // need to be used otherwise.
+
 // Causes a trace (including the source file path, the current line
 // number, and the given message) to be included in every test failure
 // message generated by code in the current scope.  The effect is
@@ -2183,9 +2207,14 @@ GTEST_API_ AssertionResult DoubleLE(const char* expr1, const char* expr2,
 // of the dummy variable name, thus allowing multiple SCOPED_TRACE()s
 // to appear in the same block - as long as they are on different
 // lines.
+//
+// Assuming that each thread maintains its own stack of traces.
+// Therefore, a SCOPED_TRACE() would (correctly) only affect the
+// assertions in its own thread.
 #define SCOPED_TRACE(message) \
-  ::testing::internal::ScopedTrace GTEST_CONCAT_TOKEN_(gtest_trace_, __LINE__)(\
-    __FILE__, __LINE__, ::testing::Message() << (message))
+  ::testing::ScopedTrace GTEST_CONCAT_TOKEN_(gtest_trace_, __LINE__)(\
+    __FILE__, __LINE__, (message))
+
 
 // Compile-time assertion for type equality.
 // StaticAssertTypeEq<type1, type2>() compiles iff type1 and type2 are
@@ -2265,7 +2294,7 @@ bool StaticAssertTypeEq() {
 // name of the test within the test case.
 //
 // A test fixture class must be declared earlier.  The user should put
-// his test code between braces after using this macro.  Example:
+// the test code between braces after using this macro.  Example:
 //
 //   class FooTest : public testing::Test {
 //    protected:
@@ -2280,14 +2309,22 @@ bool StaticAssertTypeEq() {
 //   }
 //
 //   TEST_F(FooTest, ReturnsElementCountCorrectly) {
-//     EXPECT_EQ(0, a_.size());
-//     EXPECT_EQ(1, b_.size());
+//     EXPECT_EQ(a_.size(), 0);
+//     EXPECT_EQ(b_.size(), 1);
 //   }
 
 #define TEST_F(test_fixture, test_name)\
   GTEST_TEST_(test_fixture, test_name, test_fixture, \
               ::testing::internal::GetTypeId<test_fixture>())
 
+// Returns a path to temporary directory.
+// Tries to determine an appropriate directory for the platform.
+GTEST_API_ std::string TempDir();
+
+#ifdef _MSC_VER
+#  pragma warning(pop)
+#endif
+
 }  // namespace testing
 
 // Use this function in main() to run all tests.  It returns 0 if all
@@ -2304,4 +2341,6 @@ inline int RUN_ALL_TESTS() {
   return ::testing::UnitTest::GetInstance()->Run();
 }
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest_pred_impl.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest_pred_impl.h
index 30ae712f50..0c1105cb8e 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest_pred_impl.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest_pred_impl.h
@@ -27,18 +27,19 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// This file is AUTOMATICALLY GENERATED on 10/31/2011 by command
+// This file is AUTOMATICALLY GENERATED on 01/02/2018 by command
 // 'gen_gtest_pred_impl.py 5'.  DO NOT EDIT BY HAND!
 //
 // Implements a family of generic predicate assertion macros.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 
-// Makes sure this header is not included before gtest.h.
-#ifndef GTEST_INCLUDE_GTEST_GTEST_H_
-# error Do not include gtest_pred_impl.h directly.  Include gtest.h instead.
-#endif  // GTEST_INCLUDE_GTEST_GTEST_H_
+#include "gtest/gtest.h"
+
+namespace testing {
 
 // This header implements a family of generic predicate assertion
 // macros:
@@ -66,8 +67,6 @@
 // We also define the EXPECT_* variations.
 //
 // For now we only support predicates whose arity is at most 5.
-// Please email googletestframework@googlegroups.com if you need
-// support for higher arities.
 
 // GTEST_ASSERT_ is the basic statement to which all of the assertions
 // in this file reduce.  Don't use this in your code.
@@ -355,4 +354,6 @@ AssertionResult AssertPred5Helper(const char* pred_text,
 
 
 
+}  // namespace testing
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/gtest_prod.h b/security/nss/gtests/google_test/gtest/include/gtest/gtest_prod.h
index da80ddc6c7..e651671ebd 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/gtest_prod.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/gtest_prod.h
@@ -26,10 +26,10 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// Google C++ Testing Framework definitions useful in production code.
+// Google C++ Testing and Mocking Framework definitions useful in production code.
+// GOOGLETEST_CM0003 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PROD_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PROD_H_
@@ -40,17 +40,20 @@
 //
 // class MyClass {
 //  private:
-//   void MyMethod();
-//   FRIEND_TEST(MyClassTest, MyMethod);
+//   void PrivateMethod();
+//   FRIEND_TEST(MyClassTest, PrivateMethodWorks);
 // };
 //
 // class MyClassTest : public testing::Test {
 //   // ...
 // };
 //
-// TEST_F(MyClassTest, MyMethod) {
-//   // Can call MyClass::MyMethod() here.
+// TEST_F(MyClassTest, PrivateMethodWorks) {
+//   // Can call MyClass::PrivateMethod() here.
 // }
+//
+// Note: The test class must be in the same namespace as the class being tested.
+// For example, putting MyClassTest in an anonymous namespace will not work.
 
 #define FRIEND_TEST(test_case_name, test_name)\
 friend class test_case_name##_##test_name##_Test
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/README.md b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/README.md
new file mode 100644
index 0000000000..ff391fb4e2
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/README.md
@@ -0,0 +1,56 @@
+# Customization Points
+
+The custom directory is an injection point for custom user configurations.
+
+## Header `gtest.h`
+
+### The following macros can be defined:
+
+*   `GTEST_OS_STACK_TRACE_GETTER_` - The name of an implementation of
+    `OsStackTraceGetterInterface`.
+*   `GTEST_CUSTOM_TEMPDIR_FUNCTION_` - An override for `testing::TempDir()`. See
+    `testing::TempDir` for semantics and signature.
+
+## Header `gtest-port.h`
+
+The following macros can be defined:
+
+### Flag related macros:
+
+*   `GTEST_FLAG(flag_name)`
+*   `GTEST_USE_OWN_FLAGFILE_FLAG_` - Define to 0 when the system provides its
+    own flagfile flag parsing.
+*   `GTEST_DECLARE_bool_(name)`
+*   `GTEST_DECLARE_int32_(name)`
+*   `GTEST_DECLARE_string_(name)`
+*   `GTEST_DEFINE_bool_(name, default_val, doc)`
+*   `GTEST_DEFINE_int32_(name, default_val, doc)`
+*   `GTEST_DEFINE_string_(name, default_val, doc)`
+
+### Logging:
+
+*   `GTEST_LOG_(severity)`
+*   `GTEST_CHECK_(condition)`
+*   Functions `LogToStderr()` and `FlushInfoLog()` have to be provided too.
+
+### Threading:
+
+*   `GTEST_HAS_NOTIFICATION_` - Enabled if Notification is already provided.
+*   `GTEST_HAS_MUTEX_AND_THREAD_LOCAL_` - Enabled if `Mutex` and `ThreadLocal`
+    are already provided. Must also provide `GTEST_DECLARE_STATIC_MUTEX_(mutex)`
+    and `GTEST_DEFINE_STATIC_MUTEX_(mutex)`
+*   `GTEST_EXCLUSIVE_LOCK_REQUIRED_(locks)`
+*   `GTEST_LOCK_EXCLUDED_(locks)`
+
+### Underlying library support features
+
+*   `GTEST_HAS_CXXABI_H_`
+
+### Exporting API symbols:
+
+*   `GTEST_API_` - Specifier for exported symbols.
+
+## Header `gtest-printers.h`
+
+*   See documentation at `gtest/gtest-printers.h` for details on how to define a
+    custom printer.
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h
new file mode 100644
index 0000000000..cd85d956d2
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-port.h
@@ -0,0 +1,37 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Injection point for custom user configurations. See README for details
+//
+// ** Custom implementation starts here **
+
+#ifndef GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PORT_H_
+#define GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PORT_H_
+
+#endif  // GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PORT_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-printers.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-printers.h
new file mode 100644
index 0000000000..eb4467abca
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest-printers.h
@@ -0,0 +1,42 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// This file provides an injection point for custom printers in a local
+// installation of gTest.
+// It will be included from gtest-printers.h and the overrides in this file
+// will be visible to everyone.
+//
+// Injection point for custom user configurations. See README for details
+//
+// ** Custom implementation starts here **
+
+#ifndef GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PRINTERS_H_
+#define GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PRINTERS_H_
+
+#endif  // GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_PRINTERS_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest.h
new file mode 100644
index 0000000000..4c8e07be23
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/custom/gtest.h
@@ -0,0 +1,37 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Injection point for custom user configurations. See README for details
+//
+// ** Custom implementation starts here **
+
+#ifndef GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_H_
+#define GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_H_
+
+#endif  // GTEST_INCLUDE_GTEST_INTERNAL_CUSTOM_GTEST_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-death-test-internal.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-death-test-internal.h
index 2b3a78f5bf..0a9b42c8a5 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-death-test-internal.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-death-test-internal.h
@@ -27,12 +27,11 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: wan@google.com (Zhanyong Wan), eefacm@gmail.com (Sean Mcafee)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file defines internal utilities needed for implementing
 // death tests.  They are subject to change without notice.
+// GOOGLETEST_CM0001 DO NOT DELETE
 
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_DEATH_TEST_INTERNAL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_DEATH_TEST_INTERNAL_H_
@@ -53,6 +52,9 @@ const char kInternalRunDeathTestFlag[] = "internal_run_death_test";
 
 #if GTEST_HAS_DEATH_TEST
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 // DeathTest is a class that hides much of the complexity of the
 // GTEST_DEATH_TEST_ macro.  It is abstract; its static Create method
 // returns a concrete class that depends on the prevailing death test
@@ -136,6 +138,8 @@ class GTEST_API_ DeathTest {
   GTEST_DISALLOW_COPY_AND_ASSIGN_(DeathTest);
 };
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 // Factory interface for death tests.  May be mocked out for testing.
 class DeathTestFactory {
  public:
@@ -218,14 +222,18 @@ GTEST_API_ bool ExitedUnsuccessfully(int exit_status);
 // can be streamed.
 
 // This macro is for implementing ASSERT/EXPECT_DEBUG_DEATH when compiled in
-// NDEBUG mode. In this case we need the statements to be executed, the regex is
-// ignored, and the macro must accept a streamed message even though the message
-// is never printed.
-# define GTEST_EXECUTE_STATEMENT_(statement, regex) \
-  GTEST_AMBIGUOUS_ELSE_BLOCKER_ \
-  if (::testing::internal::AlwaysTrue()) { \
-     GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement); \
-  } else \
+// NDEBUG mode. In this case we need the statements to be executed and the macro
+// must accept a streamed message even though the message is never printed.
+// The regex object is not evaluated, but it is used to prevent "unused"
+// warnings and to avoid an expression that doesn't compile in debug mode.
+#define GTEST_EXECUTE_STATEMENT_(statement, regex)             \
+  GTEST_AMBIGUOUS_ELSE_BLOCKER_                                \
+  if (::testing::internal::AlwaysTrue()) {                     \
+    GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement); \
+  } else if (!::testing::internal::AlwaysTrue()) {             \
+    const ::testing::internal::RE& gtest_regex = (regex);      \
+    static_cast<void>(gtest_regex);                            \
+  } else                                                       \
     ::testing::Message()
 
 // A class representing the parsed contents of the
@@ -264,53 +272,6 @@ class InternalRunDeathTestFlag {
 // the flag is specified; otherwise returns NULL.
 InternalRunDeathTestFlag* ParseInternalRunDeathTestFlag();
 
-#else  // GTEST_HAS_DEATH_TEST
-
-// This macro is used for implementing macros such as
-// EXPECT_DEATH_IF_SUPPORTED and ASSERT_DEATH_IF_SUPPORTED on systems where
-// death tests are not supported. Those macros must compile on such systems
-// iff EXPECT_DEATH and ASSERT_DEATH compile with the same parameters on
-// systems that support death tests. This allows one to write such a macro
-// on a system that does not support death tests and be sure that it will
-// compile on a death-test supporting system.
-//
-// Parameters:
-//   statement -  A statement that a macro such as EXPECT_DEATH would test
-//                for program termination. This macro has to make sure this
-//                statement is compiled but not executed, to ensure that
-//                EXPECT_DEATH_IF_SUPPORTED compiles with a certain
-//                parameter iff EXPECT_DEATH compiles with it.
-//   regex     -  A regex that a macro such as EXPECT_DEATH would use to test
-//                the output of statement.  This parameter has to be
-//                compiled but not evaluated by this macro, to ensure that
-//                this macro only accepts expressions that a macro such as
-//                EXPECT_DEATH would accept.
-//   terminator - Must be an empty statement for EXPECT_DEATH_IF_SUPPORTED
-//                and a return statement for ASSERT_DEATH_IF_SUPPORTED.
-//                This ensures that ASSERT_DEATH_IF_SUPPORTED will not
-//                compile inside functions where ASSERT_DEATH doesn't
-//                compile.
-//
-//  The branch that has an always false condition is used to ensure that
-//  statement and regex are compiled (and thus syntactically correct) but
-//  never executed. The unreachable code macro protects the terminator
-//  statement from generating an 'unreachable code' warning in case
-//  statement unconditionally returns or throws. The Message constructor at
-//  the end allows the syntax of streaming additional messages into the
-//  macro, for compilational compatibility with EXPECT_DEATH/ASSERT_DEATH.
-# define GTEST_UNSUPPORTED_DEATH_TEST_(statement, regex, terminator) \
-    GTEST_AMBIGUOUS_ELSE_BLOCKER_ \
-    if (::testing::internal::AlwaysTrue()) { \
-      GTEST_LOG_(WARNING) \
-          << "Death tests are not supported on this platform.\n" \
-          << "Statement '" #statement "' cannot be verified."; \
-    } else if (::testing::internal::AlwaysFalse()) { \
-      ::testing::internal::RE::PartialMatch(".*", (regex)); \
-      GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement); \
-      terminator; \
-    } else \
-      ::testing::Message()
-
 #endif  // GTEST_HAS_DEATH_TEST
 
 }  // namespace internal
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-filepath.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-filepath.h
index 7a13b4b0de..ae38d95bf8 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-filepath.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-filepath.h
@@ -27,21 +27,24 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Author: keith.ray@gmail.com (Keith Ray)
-//
 // Google Test filepath utilities
 //
 // This header file declares classes and functions used internally by
 // Google Test.  They are subject to change without notice.
 //
-// This file is #included in <gtest/internal/gtest-internal.h>.
+// This file is #included in gtest/internal/gtest-internal.h.
 // Do not include this header file separately!
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_FILEPATH_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_FILEPATH_H_
 
 #include "gtest/internal/gtest-string.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 namespace testing {
 namespace internal {
 
@@ -203,4 +206,6 @@ class GTEST_API_ FilePath {
 }  // namespace internal
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_FILEPATH_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-internal.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-internal.h
index 21a0f567b6..b762f61fc5 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-internal.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-internal.h
@@ -27,13 +27,13 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: wan@google.com (Zhanyong Wan), eefacm@gmail.com (Sean Mcafee)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file declares functions and macros used internally by
 // Google Test.  They are subject to change without notice.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_INTERNAL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_INTERNAL_H_
 
@@ -55,13 +55,14 @@
 #include <string.h>
 #include <iomanip>
 #include <limits>
+#include <map>
 #include <set>
 #include <string>
 #include <vector>
 
 #include "gtest/gtest-message.h"
-#include "gtest/internal/gtest-string.h"
 #include "gtest/internal/gtest-filepath.h"
+#include "gtest/internal/gtest-string.h"
 #include "gtest/internal/gtest-type-util.h"
 
 // Due to C++ preprocessor weirdness, we need double indirection to
@@ -75,6 +76,9 @@
 #define GTEST_CONCAT_TOKEN_(foo, bar) GTEST_CONCAT_TOKEN_IMPL_(foo, bar)
 #define GTEST_CONCAT_TOKEN_IMPL_(foo, bar) foo ## bar
 
+// Stringifies its argument.
+#define GTEST_STRINGIFY_(name) #name
+
 class ProtocolMessage;
 namespace proto2 { class Message; }
 
@@ -95,13 +99,9 @@ template <typename T>
 namespace internal {
 
 struct TraceInfo;                      // Information about a trace point.
-class ScopedTrace;                     // Implements scoped trace.
 class TestInfoImpl;                    // Opaque implementation of TestInfo
 class UnitTestImpl;                    // Opaque implementation of UnitTest
 
-// How many times InitGoogleTest() has been called.
-GTEST_API_ extern int g_init_gtest_count;
-
 // The text used in failure messages to indicate the start of the
 // stack trace.
 GTEST_API_ extern const char kStackTraceMarker[];
@@ -141,6 +141,9 @@ GTEST_API_ std::string AppendUserMessage(
 
 #if GTEST_HAS_EXCEPTIONS
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4275 \
+/* an exported class was derived from a class that was not exported */)
+
 // This exception is thrown by (and only by) a failed Google Test
 // assertion when GTEST_FLAG(throw_on_failure) is true (if exceptions
 // are enabled).  We derive it from std::runtime_error, which is for
@@ -152,32 +155,15 @@ class GTEST_API_ GoogleTestFailureException : public ::std::runtime_error {
   explicit GoogleTestFailureException(const TestPartResult& failure);
 };
 
-#endif  // GTEST_HAS_EXCEPTIONS
-
-// A helper class for creating scoped traces in user programs.
-class GTEST_API_ ScopedTrace {
- public:
-  // The c'tor pushes the given source file location and message onto
-  // a trace stack maintained by Google Test.
-  ScopedTrace(const char* file, int line, const Message& message);
-
-  // The d'tor pops the info pushed by the c'tor.
-  //
-  // Note that the d'tor is not virtual in order to be efficient.
-  // Don't inherit from ScopedTrace!
-  ~ScopedTrace();
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4275
 
- private:
-  GTEST_DISALLOW_COPY_AND_ASSIGN_(ScopedTrace);
-} GTEST_ATTRIBUTE_UNUSED_;  // A ScopedTrace object does its job in its
-                            // c'tor and d'tor.  Therefore it doesn't
-                            // need to be used otherwise.
+#endif  // GTEST_HAS_EXCEPTIONS
 
 namespace edit_distance {
 // Returns the optimal edits to go from 'left' to 'right'.
 // All edits cost the same, with replace having lower priority than
 // add/remove.
-// Simple implementation of the Wagner–Fischer algorithm.
+// Simple implementation of the Wagner-Fischer algorithm.
 // See http://en.wikipedia.org/wiki/Wagner-Fischer_algorithm
 enum EditType { kMatch, kAdd, kRemove, kReplace };
 GTEST_API_ std::vector<EditType> CalculateOptimalEdits(
@@ -503,6 +489,14 @@ GTEST_API_ AssertionResult IsHRESULTFailure(const char* expr,
 typedef void (*SetUpTestCaseFunc)();
 typedef void (*TearDownTestCaseFunc)();
 
+struct CodeLocation {
+  CodeLocation(const std::string& a_file, int a_line)
+      : file(a_file), line(a_line) {}
+
+  std::string file;
+  int line;
+};
+
 // Creates a new TestInfo object and registers it with Google Test;
 // returns the created object.
 //
@@ -514,6 +508,7 @@ typedef void (*TearDownTestCaseFunc)();
 //                     this is not a typed or a type-parameterized test.
 //   value_param       text representation of the test's value parameter,
 //                     or NULL if this is not a type-parameterized test.
+//   code_location:    code location where the test is defined
 //   fixture_class_id: ID of the test fixture class
 //   set_up_tc:        pointer to the function that sets up the test case
 //   tear_down_tc:     pointer to the function that tears down the test case
@@ -525,6 +520,7 @@ GTEST_API_ TestInfo* MakeAndRegisterTestInfo(
     const char* name,
     const char* type_param,
     const char* value_param,
+    CodeLocation code_location,
     TypeId fixture_class_id,
     SetUpTestCaseFunc set_up_tc,
     TearDownTestCaseFunc tear_down_tc,
@@ -537,6 +533,9 @@ GTEST_API_ bool SkipPrefix(const char* prefix, const char** pstr);
 
 #if GTEST_HAS_TYPED_TEST || GTEST_HAS_TYPED_TEST_P
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 // State of the definition of a type-parameterized test case.
 class GTEST_API_ TypedTestCasePState {
  public:
@@ -554,10 +553,21 @@ class GTEST_API_ TypedTestCasePState {
       fflush(stderr);
       posix::Abort();
     }
-    defined_test_names_.insert(test_name);
+    registered_tests_.insert(
+        ::std::make_pair(test_name, CodeLocation(file, line)));
     return true;
   }
 
+  bool TestExists(const std::string& test_name) const {
+    return registered_tests_.count(test_name) > 0;
+  }
+
+  const CodeLocation& GetCodeLocation(const std::string& test_name) const {
+    RegisteredTestsMap::const_iterator it = registered_tests_.find(test_name);
+    GTEST_CHECK_(it != registered_tests_.end());
+    return it->second;
+  }
+
   // Verifies that registered_tests match the test names in
   // defined_test_names_; returns registered_tests if successful, or
   // aborts the program otherwise.
@@ -565,10 +575,14 @@ class GTEST_API_ TypedTestCasePState {
       const char* file, int line, const char* registered_tests);
 
  private:
+  typedef ::std::map<std::string, CodeLocation> RegisteredTestsMap;
+
   bool registered_;
-  ::std::set<const char*> defined_test_names_;
+  RegisteredTestsMap registered_tests_;
 };
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 // Skips to the first non-space char after the first comma in 'str';
 // returns NULL if no comma is found in 'str'.
 inline const char* SkipComma(const char* str) {
@@ -587,6 +601,42 @@ inline std::string GetPrefixUntilComma(const char* str) {
   return comma == NULL ? str : std::string(str, comma);
 }
 
+// Splits a given string on a given delimiter, populating a given
+// vector with the fields.
+void SplitString(const ::std::string& str, char delimiter,
+                 ::std::vector< ::std::string>* dest);
+
+// The default argument to the template below for the case when the user does
+// not provide a name generator.
+struct DefaultNameGenerator {
+  template <typename T>
+  static std::string GetName(int i) {
+    return StreamableToString(i);
+  }
+};
+
+template <typename Provided = DefaultNameGenerator>
+struct NameGeneratorSelector {
+  typedef Provided type;
+};
+
+template <typename NameGenerator>
+void GenerateNamesRecursively(Types0, std::vector<std::string>*, int) {}
+
+template <typename NameGenerator, typename Types>
+void GenerateNamesRecursively(Types, std::vector<std::string>* result, int i) {
+  result->push_back(NameGenerator::template GetName<typename Types::Head>(i));
+  GenerateNamesRecursively<NameGenerator>(typename Types::Tail(), result,
+                                          i + 1);
+}
+
+template <typename NameGenerator, typename Types>
+std::vector<std::string> GenerateNames() {
+  std::vector<std::string> result;
+  GenerateNamesRecursively<NameGenerator>(Types(), &result, 0);
+  return result;
+}
+
 // TypeParameterizedTest<Fixture, TestSel, Types>::Register()
 // registers a list of type-parameterized tests with Google Test.  The
 // return value is insignificant - we just need to return something
@@ -601,8 +651,10 @@ class TypeParameterizedTest {
   // specified in INSTANTIATE_TYPED_TEST_CASE_P(Prefix, TestCase,
   // Types).  Valid values for 'index' are [0, N - 1] where N is the
   // length of Types.
-  static bool Register(const char* prefix, const char* case_name,
-                       const char* test_names, int index) {
+  static bool Register(const char* prefix, const CodeLocation& code_location,
+                       const char* case_name, const char* test_names, int index,
+                       const std::vector<std::string>& type_names =
+                           GenerateNames<DefaultNameGenerator, Types>()) {
     typedef typename Types::Head Type;
     typedef Fixture<Type> FixtureClass;
     typedef typename GTEST_BIND_(TestSel, Type) TestClass;
@@ -610,19 +662,23 @@ class TypeParameterizedTest {
     // First, registers the first type-parameterized test in the type
     // list.
     MakeAndRegisterTestInfo(
-        (std::string(prefix) + (prefix[0] == '\0' ? "" : "/") + case_name + "/"
-         + StreamableToString(index)).c_str(),
-        GetPrefixUntilComma(test_names).c_str(),
+        (std::string(prefix) + (prefix[0] == '\0' ? "" : "/") + case_name +
+         "/" + type_names[index])
+            .c_str(),
+        StripTrailingSpaces(GetPrefixUntilComma(test_names)).c_str(),
         GetTypeName<Type>().c_str(),
         NULL,  // No value parameter.
-        GetTypeId<FixtureClass>(),
-        TestClass::SetUpTestCase,
-        TestClass::TearDownTestCase,
-        new TestFactoryImpl<TestClass>);
+        code_location, GetTypeId<FixtureClass>(), TestClass::SetUpTestCase,
+        TestClass::TearDownTestCase, new TestFactoryImpl<TestClass>);
 
     // Next, recurses (at compile time) with the tail of the type list.
-    return TypeParameterizedTest<Fixture, TestSel, typename Types::Tail>
-        ::Register(prefix, case_name, test_names, index + 1);
+    return TypeParameterizedTest<Fixture, TestSel,
+                                 typename Types::Tail>::Register(prefix,
+                                                                 code_location,
+                                                                 case_name,
+                                                                 test_names,
+                                                                 index + 1,
+                                                                 type_names);
   }
 };
 
@@ -630,8 +686,11 @@ class TypeParameterizedTest {
 template <GTEST_TEMPLATE_ Fixture, class TestSel>
 class TypeParameterizedTest<Fixture, TestSel, Types0> {
  public:
-  static bool Register(const char* /*prefix*/, const char* /*case_name*/,
-                       const char* /*test_names*/, int /*index*/) {
+  static bool Register(const char* /*prefix*/, const CodeLocation&,
+                       const char* /*case_name*/, const char* /*test_names*/,
+                       int /*index*/,
+                       const std::vector<std::string>& =
+                           std::vector<std::string>() /*type_names*/) {
     return true;
   }
 };
@@ -643,17 +702,35 @@ class TypeParameterizedTest<Fixture, TestSel, Types0> {
 template <GTEST_TEMPLATE_ Fixture, typename Tests, typename Types>
 class TypeParameterizedTestCase {
  public:
-  static bool Register(const char* prefix, const char* case_name,
-                       const char* test_names) {
+  static bool Register(const char* prefix, CodeLocation code_location,
+                       const TypedTestCasePState* state, const char* case_name,
+                       const char* test_names,
+                       const std::vector<std::string>& type_names =
+                           GenerateNames<DefaultNameGenerator, Types>()) {
+    std::string test_name = StripTrailingSpaces(
+        GetPrefixUntilComma(test_names));
+    if (!state->TestExists(test_name)) {
+      fprintf(stderr, "Failed to get code location for test %s.%s at %s.",
+              case_name, test_name.c_str(),
+              FormatFileLocation(code_location.file.c_str(),
+                                 code_location.line).c_str());
+      fflush(stderr);
+      posix::Abort();
+    }
+    const CodeLocation& test_location = state->GetCodeLocation(test_name);
+
     typedef typename Tests::Head Head;
 
     // First, register the first test in 'Test' for each type in 'Types'.
     TypeParameterizedTest<Fixture, Head, Types>::Register(
-        prefix, case_name, test_names, 0);
+        prefix, test_location, case_name, test_names, 0, type_names);
 
     // Next, recurses (at compile time) with the tail of the test list.
-    return TypeParameterizedTestCase<Fixture, typename Tests::Tail, Types>
-        ::Register(prefix, case_name, SkipComma(test_names));
+    return TypeParameterizedTestCase<Fixture, typename Tests::Tail,
+                                     Types>::Register(prefix, code_location,
+                                                      state, case_name,
+                                                      SkipComma(test_names),
+                                                      type_names);
   }
 };
 
@@ -661,8 +738,11 @@ class TypeParameterizedTestCase {
 template <GTEST_TEMPLATE_ Fixture, typename Types>
 class TypeParameterizedTestCase<Fixture, Templates0, Types> {
  public:
-  static bool Register(const char* /*prefix*/, const char* /*case_name*/,
-                       const char* /*test_names*/) {
+  static bool Register(const char* /*prefix*/, const CodeLocation&,
+                       const TypedTestCasePState* /*state*/,
+                       const char* /*case_name*/, const char* /*test_names*/,
+                       const std::vector<std::string>& =
+                           std::vector<std::string>() /*type_names*/) {
     return true;
   }
 };
@@ -779,31 +859,6 @@ struct RemoveConst<T[N]> {
 #define GTEST_REMOVE_REFERENCE_AND_CONST_(T) \
     GTEST_REMOVE_CONST_(GTEST_REMOVE_REFERENCE_(T))
 
-// Adds reference to a type if it is not a reference type,
-// otherwise leaves it unchanged.  This is the same as
-// tr1::add_reference, which is not widely available yet.
-template <typename T>
-struct AddReference { typedef T& type; };  // NOLINT
-template <typename T>
-struct AddReference<T&> { typedef T& type; };  // NOLINT
-
-// A handy wrapper around AddReference that works when the argument T
-// depends on template parameters.
-#define GTEST_ADD_REFERENCE_(T) \
-    typename ::testing::internal::AddReference<T>::type
-
-// Adds a reference to const on top of T as necessary.  For example,
-// it transforms
-//
-//   char         ==> const char&
-//   const char   ==> const char&
-//   char&        ==> const char&
-//   const char&  ==> const char&
-//
-// The argument T must depend on some template parameters.
-#define GTEST_REFERENCE_TO_CONST_(T) \
-    GTEST_ADD_REFERENCE_(const GTEST_REMOVE_REFERENCE_(T))
-
 // ImplicitlyConvertible<From, To>::value is a compile-time bool
 // constant that's true iff type From can be implicitly converted to
 // type To.
@@ -873,8 +928,11 @@ struct IsAProtocolMessage
 // a container class by checking the type of IsContainerTest<C>(0).
 // The value of the expression is insignificant.
 //
-// Note that we look for both C::iterator and C::const_iterator.  The
-// reason is that C++ injects the name of a class as a member of the
+// In C++11 mode we check the existence of a const_iterator and that an
+// iterator is properly implemented for the container.
+//
+// For pre-C++11 that we look for both C::iterator and C::const_iterator.
+// The reason is that C++ injects the name of a class as a member of the
 // class itself (e.g. you can refer to class iterator as either
 // 'iterator' or 'iterator::iterator').  If we look for C::iterator
 // only, for example, we would mistakenly think that a class named
@@ -884,17 +942,96 @@ struct IsAProtocolMessage
 // IsContainerTest(typename C::const_iterator*) and
 // IsContainerTest(...) doesn't work with Visual Age C++ and Sun C++.
 typedef int IsContainer;
+#if GTEST_LANG_CXX11
+template <class C,
+          class Iterator = decltype(::std::declval<const C&>().begin()),
+          class = decltype(::std::declval<const C&>().end()),
+          class = decltype(++::std::declval<Iterator&>()),
+          class = decltype(*::std::declval<Iterator>()),
+          class = typename C::const_iterator>
+IsContainer IsContainerTest(int /* dummy */) {
+  return 0;
+}
+#else
 template <class C>
 IsContainer IsContainerTest(int /* dummy */,
                             typename C::iterator* /* it */ = NULL,
                             typename C::const_iterator* /* const_it */ = NULL) {
   return 0;
 }
+#endif  // GTEST_LANG_CXX11
 
 typedef char IsNotContainer;
 template <class C>
 IsNotContainer IsContainerTest(long /* dummy */) { return '\0'; }
 
+// Trait to detect whether a type T is a hash table.
+// The heuristic used is that the type contains an inner type `hasher` and does
+// not contain an inner type `reverse_iterator`.
+// If the container is iterable in reverse, then order might actually matter.
+template <typename T>
+struct IsHashTable {
+ private:
+  template <typename U>
+  static char test(typename U::hasher*, typename U::reverse_iterator*);
+  template <typename U>
+  static int test(typename U::hasher*, ...);
+  template <typename U>
+  static char test(...);
+
+ public:
+  static const bool value = sizeof(test<T>(0, 0)) == sizeof(int);
+};
+
+template <typename T>
+const bool IsHashTable<T>::value;
+
+template<typename T>
+struct VoidT {
+    typedef void value_type;
+};
+
+template <typename T, typename = void>
+struct HasValueType : false_type {};
+template <typename T>
+struct HasValueType<T, VoidT<typename T::value_type> > : true_type {
+};
+
+template <typename C,
+          bool = sizeof(IsContainerTest<C>(0)) == sizeof(IsContainer),
+          bool = HasValueType<C>::value>
+struct IsRecursiveContainerImpl;
+
+template <typename C, bool HV>
+struct IsRecursiveContainerImpl<C, false, HV> : public false_type {};
+
+// Since the IsRecursiveContainerImpl depends on the IsContainerTest we need to
+// obey the same inconsistencies as the IsContainerTest, namely check if
+// something is a container is relying on only const_iterator in C++11 and
+// is relying on both const_iterator and iterator otherwise
+template <typename C>
+struct IsRecursiveContainerImpl<C, true, false> : public false_type {};
+
+template <typename C>
+struct IsRecursiveContainerImpl<C, true, true> {
+  #if GTEST_LANG_CXX11
+  typedef typename IteratorTraits<typename C::const_iterator>::value_type
+      value_type;
+#else
+  typedef typename IteratorTraits<typename C::iterator>::value_type value_type;
+#endif
+  typedef is_same<value_type, C> type;
+};
+
+// IsRecursiveContainer<Type> is a unary compile-time predicate that
+// evaluates whether C is a recursive container type. A recursive container
+// type is a container type whose value_type is equal to the container type
+// itself. An example for a recursive container type is
+// boost::filesystem::path, whose iterator has a value_type that is equal to
+// boost::filesystem::path.
+template <typename C>
+struct IsRecursiveContainer : public IsRecursiveContainerImpl<C>::type {};
+
 // EnableIf<condition>::type is void when 'Cond' is true, and
 // undefined when 'Cond' is false.  To use SFINAE to make a function
 // overload only apply when a particular expression is true, add
@@ -1026,7 +1163,7 @@ class NativeArray {
  private:
   enum {
     kCheckTypeIsNotConstOrAReference = StaticAssertTypeEqHelper<
-        Element, GTEST_REMOVE_REFERENCE_AND_CONST_(Element)>::value,
+        Element, GTEST_REMOVE_REFERENCE_AND_CONST_(Element)>::value
   };
 
   // Initializes this object with a copy of the input.
@@ -1071,7 +1208,7 @@ class NativeArray {
 #define GTEST_SUCCESS_(message) \
   GTEST_MESSAGE_(message, ::testing::TestPartResult::kSuccess)
 
-// Suppresses MSVC warnings 4072 (unreachable code) for the code following
+// Suppress MSVC warning 4702 (unreachable code) for the code following
 // statement if it returns or throws (or doesn't return or throw in some
 // situations).
 #define GTEST_SUPPRESS_UNREACHABLE_CODE_WARNING_BELOW_(statement) \
@@ -1182,6 +1319,7 @@ class GTEST_TEST_CLASS_NAME_(test_case_name, test_name) : public parent_class {\
   ::test_info_ =\
     ::testing::internal::MakeAndRegisterTestInfo(\
         #test_case_name, #test_name, NULL, NULL, \
+        ::testing::internal::CodeLocation(__FILE__, __LINE__), \
         (parent_id), \
         parent_class::SetUpTestCase, \
         parent_class::TearDownTestCase, \
@@ -1190,4 +1328,3 @@ class GTEST_TEST_CLASS_NAME_(test_case_name, test_name) : public parent_class {\
 void GTEST_TEST_CLASS_NAME_(test_case_name, test_name)::TestBody()
 
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_INTERNAL_H_
-
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-linked_ptr.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-linked_ptr.h
index b1362cd002..082b87289a 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-linked_ptr.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-linked_ptr.h
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: Dan Egnor (egnor@google.com)
-//
 // A "smart" pointer type with reference tracking.  Every pointer to a
 // particular object is kept on a circular linked list.  When the last pointer
 // to an object is destroyed or reassigned, the object is deleted.
@@ -62,9 +60,11 @@
 //       raw pointer (e.g. via get()) concurrently, and
 //     - it's safe to write to two linked_ptrs that point to the same
 //       shared object concurrently.
-// TODO(wan@google.com): rename this to safe_linked_ptr to avoid
+// FIXME: rename this to safe_linked_ptr to avoid
 // confusion with normal linked_ptr.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_LINKED_PTR_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_LINKED_PTR_H_
 
@@ -110,7 +110,12 @@ class linked_ptr_internal {
     MutexLock lock(&g_linked_ptr_mutex);
 
     linked_ptr_internal const* p = ptr;
-    while (p->next_ != ptr) p = p->next_;
+    while (p->next_ != ptr) {
+      assert(p->next_ != this &&
+             "Trying to join() a linked ring we are already in. "
+             "Is GMock thread safety enabled?");
+      p = p->next_;
+    }
     p->next_ = this;
     next_ = ptr;
   }
@@ -123,7 +128,12 @@ class linked_ptr_internal {
 
     if (next_ == this) return true;
     linked_ptr_internal const* p = next_;
-    while (p->next_ != this) p = p->next_;
+    while (p->next_ != this) {
+      assert(p->next_ != next_ &&
+             "Trying to depart() a linked ring we are not in. "
+             "Is GMock thread safety enabled?");
+      p = p->next_;
+    }
     p->next_ = next_;
     return false;
   }
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h
index 6dbaf4b7ae..4fac8c0270 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h
@@ -30,8 +30,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // Type and function utilities for implementing parameterized tests.
 // This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
@@ -43,17 +42,14 @@
 // by the maximum arity of the implementation of tuple which is
 // currently set at 10.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-param-util.h"
 #include "gtest/internal/gtest-port.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
 
 // Forward declarations of ValuesIn(), which is implemented in
@@ -79,7 +75,12 @@ class ValueArray1 {
   explicit ValueArray1(T1 v1) : v1_(v1) {}
 
   template <typename T>
-  operator ParamGenerator<T>() const { return ValuesIn(&v1_, &v1_ + 1); }
+  operator ParamGenerator<T>() const {
+    const T array[] = {static_cast<T>(v1_)};
+    return ValuesIn(array);
+  }
+
+  ValueArray1(const ValueArray1& other) : v1_(other.v1_) {}
 
  private:
   // No implementation - assignment is unsupported.
@@ -99,6 +100,8 @@ class ValueArray2 {
     return ValuesIn(array);
   }
 
+  ValueArray2(const ValueArray2& other) : v1_(other.v1_), v2_(other.v2_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray2& other);
@@ -119,6 +122,9 @@ class ValueArray3 {
     return ValuesIn(array);
   }
 
+  ValueArray3(const ValueArray3& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray3& other);
@@ -141,6 +147,9 @@ class ValueArray4 {
     return ValuesIn(array);
   }
 
+  ValueArray4(const ValueArray4& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray4& other);
@@ -164,6 +173,9 @@ class ValueArray5 {
     return ValuesIn(array);
   }
 
+  ValueArray5(const ValueArray5& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray5& other);
@@ -190,6 +202,9 @@ class ValueArray6 {
     return ValuesIn(array);
   }
 
+  ValueArray6(const ValueArray6& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray6& other);
@@ -217,6 +232,10 @@ class ValueArray7 {
     return ValuesIn(array);
   }
 
+  ValueArray7(const ValueArray7& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray7& other);
@@ -246,6 +265,10 @@ class ValueArray8 {
     return ValuesIn(array);
   }
 
+  ValueArray8(const ValueArray8& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray8& other);
@@ -277,6 +300,10 @@ class ValueArray9 {
     return ValuesIn(array);
   }
 
+  ValueArray9(const ValueArray9& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray9& other);
@@ -309,6 +336,10 @@ class ValueArray10 {
     return ValuesIn(array);
   }
 
+  ValueArray10(const ValueArray10& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray10& other);
@@ -343,6 +374,11 @@ class ValueArray11 {
     return ValuesIn(array);
   }
 
+  ValueArray11(const ValueArray11& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray11& other);
@@ -379,6 +415,11 @@ class ValueArray12 {
     return ValuesIn(array);
   }
 
+  ValueArray12(const ValueArray12& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray12& other);
@@ -417,6 +458,11 @@ class ValueArray13 {
     return ValuesIn(array);
   }
 
+  ValueArray13(const ValueArray13& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray13& other);
@@ -456,6 +502,11 @@ class ValueArray14 {
     return ValuesIn(array);
   }
 
+  ValueArray14(const ValueArray14& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray14& other);
@@ -497,6 +548,12 @@ class ValueArray15 {
     return ValuesIn(array);
   }
 
+  ValueArray15(const ValueArray15& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray15& other);
@@ -541,6 +598,12 @@ class ValueArray16 {
     return ValuesIn(array);
   }
 
+  ValueArray16(const ValueArray16& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray16& other);
@@ -586,6 +649,12 @@ class ValueArray17 {
     return ValuesIn(array);
   }
 
+  ValueArray17(const ValueArray17& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray17& other);
@@ -633,6 +702,12 @@ class ValueArray18 {
     return ValuesIn(array);
   }
 
+  ValueArray18(const ValueArray18& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray18& other);
@@ -681,6 +756,13 @@ class ValueArray19 {
     return ValuesIn(array);
   }
 
+  ValueArray19(const ValueArray19& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray19& other);
@@ -731,6 +813,13 @@ class ValueArray20 {
     return ValuesIn(array);
   }
 
+  ValueArray20(const ValueArray20& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray20& other);
@@ -784,6 +873,13 @@ class ValueArray21 {
     return ValuesIn(array);
   }
 
+  ValueArray21(const ValueArray21& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray21& other);
@@ -838,6 +934,13 @@ class ValueArray22 {
     return ValuesIn(array);
   }
 
+  ValueArray22(const ValueArray22& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray22& other);
@@ -894,6 +997,14 @@ class ValueArray23 {
     return ValuesIn(array);
   }
 
+  ValueArray23(const ValueArray23& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray23& other);
@@ -952,6 +1063,14 @@ class ValueArray24 {
     return ValuesIn(array);
   }
 
+  ValueArray24(const ValueArray24& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray24& other);
@@ -1011,6 +1130,14 @@ class ValueArray25 {
     return ValuesIn(array);
   }
 
+  ValueArray25(const ValueArray25& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray25& other);
@@ -1072,6 +1199,14 @@ class ValueArray26 {
     return ValuesIn(array);
   }
 
+  ValueArray26(const ValueArray26& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray26& other);
@@ -1136,6 +1271,15 @@ class ValueArray27 {
     return ValuesIn(array);
   }
 
+  ValueArray27(const ValueArray27& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray27& other);
@@ -1201,6 +1345,15 @@ class ValueArray28 {
     return ValuesIn(array);
   }
 
+  ValueArray28(const ValueArray28& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray28& other);
@@ -1267,6 +1420,15 @@ class ValueArray29 {
     return ValuesIn(array);
   }
 
+  ValueArray29(const ValueArray29& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray29& other);
@@ -1336,6 +1498,15 @@ class ValueArray30 {
     return ValuesIn(array);
   }
 
+  ValueArray30(const ValueArray30& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray30& other);
@@ -1407,6 +1578,16 @@ class ValueArray31 {
     return ValuesIn(array);
   }
 
+  ValueArray31(const ValueArray31& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray31& other);
@@ -1479,6 +1660,16 @@ class ValueArray32 {
     return ValuesIn(array);
   }
 
+  ValueArray32(const ValueArray32& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray32& other);
@@ -1554,6 +1745,16 @@ class ValueArray33 {
     return ValuesIn(array);
   }
 
+  ValueArray33(const ValueArray33& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray33& other);
@@ -1630,6 +1831,16 @@ class ValueArray34 {
     return ValuesIn(array);
   }
 
+  ValueArray34(const ValueArray34& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray34& other);
@@ -1707,6 +1918,17 @@ class ValueArray35 {
     return ValuesIn(array);
   }
 
+  ValueArray35(const ValueArray35& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray35& other);
@@ -1787,6 +2009,17 @@ class ValueArray36 {
     return ValuesIn(array);
   }
 
+  ValueArray36(const ValueArray36& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray36& other);
@@ -1869,6 +2102,17 @@ class ValueArray37 {
     return ValuesIn(array);
   }
 
+  ValueArray37(const ValueArray37& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray37& other);
@@ -1952,6 +2196,17 @@ class ValueArray38 {
     return ValuesIn(array);
   }
 
+  ValueArray38(const ValueArray38& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray38& other);
@@ -2037,6 +2292,18 @@ class ValueArray39 {
     return ValuesIn(array);
   }
 
+  ValueArray39(const ValueArray39& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray39& other);
@@ -2124,6 +2391,18 @@ class ValueArray40 {
     return ValuesIn(array);
   }
 
+  ValueArray40(const ValueArray40& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray40& other);
@@ -2213,6 +2492,18 @@ class ValueArray41 {
     return ValuesIn(array);
   }
 
+  ValueArray41(const ValueArray41& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray41& other);
@@ -2304,6 +2595,18 @@ class ValueArray42 {
     return ValuesIn(array);
   }
 
+  ValueArray42(const ValueArray42& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray42& other);
@@ -2396,6 +2699,19 @@ class ValueArray43 {
     return ValuesIn(array);
   }
 
+  ValueArray43(const ValueArray43& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray43& other);
@@ -2490,6 +2806,19 @@ class ValueArray44 {
     return ValuesIn(array);
   }
 
+  ValueArray44(const ValueArray44& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray44& other);
@@ -2586,6 +2915,19 @@ class ValueArray45 {
     return ValuesIn(array);
   }
 
+  ValueArray45(const ValueArray45& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray45& other);
@@ -2684,6 +3026,19 @@ class ValueArray46 {
     return ValuesIn(array);
   }
 
+  ValueArray46(const ValueArray46& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray46& other);
@@ -2784,6 +3139,20 @@ class ValueArray47 {
     return ValuesIn(array);
   }
 
+  ValueArray47(const ValueArray47& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_),
+      v47_(other.v47_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray47& other);
@@ -2886,6 +3255,20 @@ class ValueArray48 {
     return ValuesIn(array);
   }
 
+  ValueArray48(const ValueArray48& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_),
+      v47_(other.v47_), v48_(other.v48_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray48& other);
@@ -2989,6 +3372,20 @@ class ValueArray49 {
     return ValuesIn(array);
   }
 
+  ValueArray49(const ValueArray49& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_),
+      v47_(other.v47_), v48_(other.v48_), v49_(other.v49_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray49& other);
@@ -3093,6 +3490,20 @@ class ValueArray50 {
     return ValuesIn(array);
   }
 
+  ValueArray50(const ValueArray50& other) : v1_(other.v1_), v2_(other.v2_),
+      v3_(other.v3_), v4_(other.v4_), v5_(other.v5_), v6_(other.v6_),
+      v7_(other.v7_), v8_(other.v8_), v9_(other.v9_), v10_(other.v10_),
+      v11_(other.v11_), v12_(other.v12_), v13_(other.v13_), v14_(other.v14_),
+      v15_(other.v15_), v16_(other.v16_), v17_(other.v17_), v18_(other.v18_),
+      v19_(other.v19_), v20_(other.v20_), v21_(other.v21_), v22_(other.v22_),
+      v23_(other.v23_), v24_(other.v24_), v25_(other.v25_), v26_(other.v26_),
+      v27_(other.v27_), v28_(other.v28_), v29_(other.v29_), v30_(other.v30_),
+      v31_(other.v31_), v32_(other.v32_), v33_(other.v33_), v34_(other.v34_),
+      v35_(other.v35_), v36_(other.v36_), v37_(other.v37_), v38_(other.v38_),
+      v39_(other.v39_), v40_(other.v40_), v41_(other.v41_), v42_(other.v42_),
+      v43_(other.v43_), v44_(other.v44_), v45_(other.v45_), v46_(other.v46_),
+      v47_(other.v47_), v48_(other.v48_), v49_(other.v49_), v50_(other.v50_) {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray50& other);
@@ -3205,7 +3616,7 @@ class CartesianProductGenerator2
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3237,7 +3648,7 @@ class CartesianProductGenerator2
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_);
+        current_value_.reset(new ParamType(*current1_, *current2_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3259,7 +3670,7 @@ class CartesianProductGenerator2
     const typename ParamGenerator<T2>::iterator begin2_;
     const typename ParamGenerator<T2>::iterator end2_;
     typename ParamGenerator<T2>::iterator current2_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator2::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3328,7 +3739,7 @@ class CartesianProductGenerator3
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3364,7 +3775,7 @@ class CartesianProductGenerator3
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3390,7 +3801,7 @@ class CartesianProductGenerator3
     const typename ParamGenerator<T3>::iterator begin3_;
     const typename ParamGenerator<T3>::iterator end3_;
     typename ParamGenerator<T3>::iterator current3_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator3::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3469,7 +3880,7 @@ class CartesianProductGenerator4
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3509,8 +3920,8 @@ class CartesianProductGenerator4
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3540,7 +3951,7 @@ class CartesianProductGenerator4
     const typename ParamGenerator<T4>::iterator begin4_;
     const typename ParamGenerator<T4>::iterator end4_;
     typename ParamGenerator<T4>::iterator current4_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator4::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3627,7 +4038,7 @@ class CartesianProductGenerator5
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3671,8 +4082,8 @@ class CartesianProductGenerator5
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_, *current5_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_, *current5_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3706,7 +4117,7 @@ class CartesianProductGenerator5
     const typename ParamGenerator<T5>::iterator begin5_;
     const typename ParamGenerator<T5>::iterator end5_;
     typename ParamGenerator<T5>::iterator current5_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator5::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3804,7 +4215,7 @@ class CartesianProductGenerator6
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -3852,8 +4263,8 @@ class CartesianProductGenerator6
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_, *current5_, *current6_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_, *current5_, *current6_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -3891,7 +4302,7 @@ class CartesianProductGenerator6
     const typename ParamGenerator<T6>::iterator begin6_;
     const typename ParamGenerator<T6>::iterator end6_;
     typename ParamGenerator<T6>::iterator current6_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator6::Iterator
 
   // No implementation - assignment is unsupported.
@@ -3998,7 +4409,7 @@ class CartesianProductGenerator7
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -4050,8 +4461,8 @@ class CartesianProductGenerator7
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_, *current5_, *current6_, *current7_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_, *current5_, *current6_, *current7_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -4093,7 +4504,7 @@ class CartesianProductGenerator7
     const typename ParamGenerator<T7>::iterator begin7_;
     const typename ParamGenerator<T7>::iterator end7_;
     typename ParamGenerator<T7>::iterator current7_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator7::Iterator
 
   // No implementation - assignment is unsupported.
@@ -4211,7 +4622,7 @@ class CartesianProductGenerator8
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -4267,8 +4678,8 @@ class CartesianProductGenerator8
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
-            *current4_, *current5_, *current6_, *current7_, *current8_);
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
+            *current4_, *current5_, *current6_, *current7_, *current8_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -4314,7 +4725,7 @@ class CartesianProductGenerator8
     const typename ParamGenerator<T8>::iterator begin8_;
     const typename ParamGenerator<T8>::iterator end8_;
     typename ParamGenerator<T8>::iterator current8_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator8::Iterator
 
   // No implementation - assignment is unsupported.
@@ -4440,7 +4851,7 @@ class CartesianProductGenerator9
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -4500,9 +4911,9 @@ class CartesianProductGenerator9
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
             *current4_, *current5_, *current6_, *current7_, *current8_,
-            *current9_);
+            *current9_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -4552,7 +4963,7 @@ class CartesianProductGenerator9
     const typename ParamGenerator<T9>::iterator begin9_;
     const typename ParamGenerator<T9>::iterator end9_;
     typename ParamGenerator<T9>::iterator current9_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator9::Iterator
 
   // No implementation - assignment is unsupported.
@@ -4687,7 +5098,7 @@ class CartesianProductGenerator10
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -4751,9 +5162,9 @@ class CartesianProductGenerator10
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType(*current1_, *current2_, *current3_,
+        current_value_.reset(new ParamType(*current1_, *current2_, *current3_,
             *current4_, *current5_, *current6_, *current7_, *current8_,
-            *current9_, *current10_);
+            *current9_, *current10_));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -4807,7 +5218,7 @@ class CartesianProductGenerator10
     const typename ParamGenerator<T10>::iterator begin10_;
     const typename ParamGenerator<T10>::iterator end10_;
     typename ParamGenerator<T10>::iterator current10_;
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator10::Iterator
 
   // No implementation - assignment is unsupported.
@@ -5138,6 +5549,4 @@ CartesianProductHolder10(const Generator1& g1, const Generator2& g2,
 }  // namespace internal
 }  // namespace testing
 
-#endif  //  GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h.pump b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h.pump
index 801a2fc7d4..30dffe43c3 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h.pump
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util-generated.h.pump
@@ -29,8 +29,7 @@ $var maxtuple = 10  $$ Maximum number of Combine arguments we want to support.
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // Type and function utilities for implementing parameterized tests.
 // This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
@@ -42,17 +41,14 @@ $var maxtuple = 10  $$ Maximum number of Combine arguments we want to support.
 // by the maximum arity of the implementation of tuple which is
 // currently set at $maxtuple.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-param-util.h"
 #include "gtest/internal/gtest-port.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
 
 // Forward declarations of ValuesIn(), which is implemented in
@@ -72,29 +68,14 @@ internal::ParamGenerator<typename Container::value_type> ValuesIn(
 namespace internal {
 
 // Used in the Values() function to provide polymorphic capabilities.
-template <typename T1>
-class ValueArray1 {
- public:
-  explicit ValueArray1(T1 v1) : v1_(v1) {}
-
-  template <typename T>
-  operator ParamGenerator<T>() const { return ValuesIn(&v1_, &v1_ + 1); }
-
- private:
-  // No implementation - assignment is unsupported.
-  void operator=(const ValueArray1& other);
-
-  const T1 v1_;
-};
-
-$range i 2..n
+$range i 1..n
 $for i [[
 $range j 1..i
 
 template <$for j, [[typename T$j]]>
 class ValueArray$i {
  public:
-  ValueArray$i($for j, [[T$j v$j]]) : $for j, [[v$(j)_(v$j)]] {}
+  $if i==1 [[explicit ]]ValueArray$i($for j, [[T$j v$j]]) : $for j, [[v$(j)_(v$j)]] {}
 
   template <typename T>
   operator ParamGenerator<T>() const {
@@ -102,6 +83,8 @@ class ValueArray$i {
     return ValuesIn(array);
   }
 
+  ValueArray$i(const ValueArray$i& other) : $for j, [[v$(j)_(other.v$(j)_)]] {}
+
  private:
   // No implementation - assignment is unsupported.
   void operator=(const ValueArray$i& other);
@@ -180,7 +163,7 @@ $for k [[
     virtual ParamIteratorInterface<ParamType>* Clone() const {
       return new Iterator(*this);
     }
-    virtual const ParamType* Current() const { return &current_value_; }
+    virtual const ParamType* Current() const { return current_value_.get(); }
     virtual bool Equals(const ParamIteratorInterface<ParamType>& other) const {
       // Having the same base generator guarantees that the other
       // iterator is of the same type and we can downcast.
@@ -212,7 +195,7 @@ $for k [[
 
     void ComputeCurrentValue() {
       if (!AtEnd())
-        current_value_ = ParamType($for j, [[*current$(j)_]]);
+        current_value_.reset(new ParamType($for j, [[*current$(j)_]]));
     }
     bool AtEnd() const {
       // We must report iterator past the end of the range when either of the
@@ -237,7 +220,7 @@ $for j [[
     typename ParamGenerator<T$j>::iterator current$(j)_;
 ]]
 
-    ParamType current_value_;
+    linked_ptr<ParamType> current_value_;
   };  // class CartesianProductGenerator$i::Iterator
 
   // No implementation - assignment is unsupported.
@@ -296,6 +279,4 @@ $for j [[
 }  // namespace internal
 }  // namespace testing
 
-#endif  //  GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_GENERATED_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util.h
index d5e1028b0c..d64f620c4c 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-param-util.h
@@ -26,29 +26,49 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // Type and function utilities for implementing parameterized tests.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_H_
 
+#include <ctype.h>
+
 #include <iterator>
+#include <set>
 #include <utility>
 #include <vector>
 
-// scripts/fuse_gtest.py depends on gtest's own header being #included
-// *unconditionally*.  Therefore these #includes cannot be moved
-// inside #if GTEST_HAS_PARAM_TEST.
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-linked_ptr.h"
 #include "gtest/internal/gtest-port.h"
 #include "gtest/gtest-printers.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 namespace testing {
+
+// Input to a parameterized test name generator, describing a test parameter.
+// Consists of the parameter value and the integer parameter index.
+template <class ParamType>
+struct TestParamInfo {
+  TestParamInfo(const ParamType& a_param, size_t an_index) :
+    param(a_param),
+    index(an_index) {}
+  ParamType param;
+  size_t index;
+};
+
+// A builtin parameterized test name generator which returns the result of
+// testing::PrintToString.
+struct PrintToStringParamName {
+  template <class ParamType>
+  std::string operator()(const TestParamInfo<ParamType>& info) const {
+    return PrintToString(info.param);
+  }
+};
+
 namespace internal {
 
 // INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
@@ -58,7 +78,7 @@ namespace internal {
 // TEST_P macro is used to define two tests with the same name
 // but in different namespaces.
 GTEST_API_ void ReportInvalidTestCaseType(const char* test_case_name,
-                                          const char* file, int line);
+                                          CodeLocation code_location);
 
 template <typename> class ParamGeneratorInterface;
 template <typename> class ParamGenerator;
@@ -206,7 +226,7 @@ class RangeGenerator : public ParamGeneratorInterface<T> {
       return base_;
     }
     virtual void Advance() {
-      value_ = value_ + step_;
+      value_ = static_cast<T>(value_ + step_);
       index_++;
     }
     virtual ParamIteratorInterface<T>* Clone() const {
@@ -243,7 +263,7 @@ class RangeGenerator : public ParamGeneratorInterface<T> {
                                const T& end,
                                const IncrementT& step) {
     int end_index = 0;
-    for (T i = begin; i < end; i = i + step)
+    for (T i = begin; i < end; i = static_cast<T>(i + step))
       end_index++;
     return end_index;
   }
@@ -347,6 +367,37 @@ class ValuesInIteratorRangeGenerator : public ParamGeneratorInterface<T> {
 
 // INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
 //
+// Default parameterized test name generator, returns a string containing the
+// integer test parameter index.
+template <class ParamType>
+std::string DefaultParamName(const TestParamInfo<ParamType>& info) {
+  Message name_stream;
+  name_stream << info.index;
+  return name_stream.GetString();
+}
+
+// INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
+//
+// Parameterized test name overload helpers, which help the
+// INSTANTIATE_TEST_CASE_P macro choose between the default parameterized
+// test name generator and user param name generator.
+template <class ParamType, class ParamNameGenFunctor>
+ParamNameGenFunctor GetParamNameGen(ParamNameGenFunctor func) {
+  return func;
+}
+
+template <class ParamType>
+struct ParamNameGenFunc {
+  typedef std::string Type(const TestParamInfo<ParamType>&);
+};
+
+template <class ParamType>
+typename ParamNameGenFunc<ParamType>::Type *GetParamNameGen() {
+  return DefaultParamName;
+}
+
+// INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
+//
 // Stores a parameter value and later creates tests parameterized with that
 // value.
 template <class TestClass>
@@ -417,7 +468,7 @@ class ParameterizedTestCaseInfoBase {
   virtual ~ParameterizedTestCaseInfoBase() {}
 
   // Base part of test case name for display purposes.
-  virtual const string& GetTestCaseName() const = 0;
+  virtual const std::string& GetTestCaseName() const = 0;
   // Test case id to verify identity.
   virtual TypeId GetTestCaseTypeId() const = 0;
   // UnitTest class invokes this method to register tests in this
@@ -449,12 +500,14 @@ class ParameterizedTestCaseInfo : public ParameterizedTestCaseInfoBase {
   typedef typename TestCase::ParamType ParamType;
   // A function that returns an instance of appropriate generator type.
   typedef ParamGenerator<ParamType>(GeneratorCreationFunc)();
+  typedef typename ParamNameGenFunc<ParamType>::Type ParamNameGeneratorFunc;
 
-  explicit ParameterizedTestCaseInfo(const char* name)
-      : test_case_name_(name) {}
+  explicit ParameterizedTestCaseInfo(
+      const char* name, CodeLocation code_location)
+      : test_case_name_(name), code_location_(code_location) {}
 
   // Test case base name for display purposes.
-  virtual const string& GetTestCaseName() const { return test_case_name_; }
+  virtual const std::string& GetTestCaseName() const { return test_case_name_; }
   // Test case id to verify identity.
   virtual TypeId GetTestCaseTypeId() const { return GetTypeId<TestCase>(); }
   // TEST_P macro uses AddTestPattern() to record information
@@ -472,11 +525,12 @@ class ParameterizedTestCaseInfo : public ParameterizedTestCaseInfoBase {
   }
   // INSTANTIATE_TEST_CASE_P macro uses AddGenerator() to record information
   // about a generator.
-  int AddTestCaseInstantiation(const string& instantiation_name,
+  int AddTestCaseInstantiation(const std::string& instantiation_name,
                                GeneratorCreationFunc* func,
-                               const char* /* file */,
-                               int /* line */) {
-    instantiations_.push_back(::std::make_pair(instantiation_name, func));
+                               ParamNameGeneratorFunc* name_func,
+                               const char* file, int line) {
+    instantiations_.push_back(
+        InstantiationInfo(instantiation_name, func, name_func, file, line));
     return 0;  // Return value used only to run this method in namespace scope.
   }
   // UnitTest class invokes this method to register tests in this test case
@@ -491,25 +545,45 @@ class ParameterizedTestCaseInfo : public ParameterizedTestCaseInfoBase {
       for (typename InstantiationContainer::iterator gen_it =
                instantiations_.begin(); gen_it != instantiations_.end();
                ++gen_it) {
-        const string& instantiation_name = gen_it->first;
-        ParamGenerator<ParamType> generator((*gen_it->second)());
+        const std::string& instantiation_name = gen_it->name;
+        ParamGenerator<ParamType> generator((*gen_it->generator)());
+        ParamNameGeneratorFunc* name_func = gen_it->name_func;
+        const char* file = gen_it->file;
+        int line = gen_it->line;
 
-        string test_case_name;
+        std::string test_case_name;
         if ( !instantiation_name.empty() )
           test_case_name = instantiation_name + "/";
         test_case_name += test_info->test_case_base_name;
 
-        int i = 0;
+        size_t i = 0;
+        std::set<std::string> test_param_names;
         for (typename ParamGenerator<ParamType>::iterator param_it =
                  generator.begin();
              param_it != generator.end(); ++param_it, ++i) {
           Message test_name_stream;
-          test_name_stream << test_info->test_base_name << "/" << i;
+
+          std::string param_name = name_func(
+              TestParamInfo<ParamType>(*param_it, i));
+
+          GTEST_CHECK_(IsValidParamName(param_name))
+              << "Parameterized test name '" << param_name
+              << "' is invalid, in " << file
+              << " line " << line << std::endl;
+
+          GTEST_CHECK_(test_param_names.count(param_name) == 0)
+              << "Duplicate parameterized test name '" << param_name
+              << "', in " << file << " line " << line << std::endl;
+
+          test_param_names.insert(param_name);
+
+          test_name_stream << test_info->test_base_name << "/" << param_name;
           MakeAndRegisterTestInfo(
               test_case_name.c_str(),
               test_name_stream.GetString().c_str(),
               NULL,  // No type parameter.
               PrintToString(*param_it).c_str(),
+              code_location_,
               GetTestCaseTypeId(),
               TestCase::SetUpTestCase,
               TestCase::TearDownTestCase,
@@ -530,17 +604,50 @@ class ParameterizedTestCaseInfo : public ParameterizedTestCaseInfoBase {
         test_base_name(a_test_base_name),
         test_meta_factory(a_test_meta_factory) {}
 
-    const string test_case_base_name;
-    const string test_base_name;
+    const std::string test_case_base_name;
+    const std::string test_base_name;
     const scoped_ptr<TestMetaFactoryBase<ParamType> > test_meta_factory;
   };
   typedef ::std::vector<linked_ptr<TestInfo> > TestInfoContainer;
-  // Keeps pairs of <Instantiation name, Sequence generator creation function>
-  // received from INSTANTIATE_TEST_CASE_P macros.
-  typedef ::std::vector<std::pair<string, GeneratorCreationFunc*> >
-      InstantiationContainer;
+  // Records data received from INSTANTIATE_TEST_CASE_P macros:
+  //  <Instantiation name, Sequence generator creation function,
+  //     Name generator function, Source file, Source line>
+  struct InstantiationInfo {
+      InstantiationInfo(const std::string &name_in,
+                        GeneratorCreationFunc* generator_in,
+                        ParamNameGeneratorFunc* name_func_in,
+                        const char* file_in,
+                        int line_in)
+          : name(name_in),
+            generator(generator_in),
+            name_func(name_func_in),
+            file(file_in),
+            line(line_in) {}
+
+      std::string name;
+      GeneratorCreationFunc* generator;
+      ParamNameGeneratorFunc* name_func;
+      const char* file;
+      int line;
+  };
+  typedef ::std::vector<InstantiationInfo> InstantiationContainer;
 
-  const string test_case_name_;
+  static bool IsValidParamName(const std::string& name) {
+    // Check for empty string
+    if (name.empty())
+      return false;
+
+    // Check for invalid characters
+    for (std::string::size_type index = 0; index < name.size(); ++index) {
+      if (!isalnum(name[index]) && name[index] != '_')
+        return false;
+    }
+
+    return true;
+  }
+
+  const std::string test_case_name_;
+  CodeLocation code_location_;
   TestInfoContainer tests_;
   InstantiationContainer instantiations_;
 
@@ -568,8 +675,7 @@ class ParameterizedTestCaseRegistry {
   template <class TestCase>
   ParameterizedTestCaseInfo<TestCase>* GetTestCasePatternHolder(
       const char* test_case_name,
-      const char* file,
-      int line) {
+      CodeLocation code_location) {
     ParameterizedTestCaseInfo<TestCase>* typed_test_info = NULL;
     for (TestCaseInfoContainer::iterator it = test_case_infos_.begin();
          it != test_case_infos_.end(); ++it) {
@@ -578,7 +684,7 @@ class ParameterizedTestCaseRegistry {
           // Complain about incorrect usage of Google Test facilities
           // and terminate the program since we cannot guaranty correct
           // test case setup and tear-down in this case.
-          ReportInvalidTestCaseType(test_case_name,  file, line);
+          ReportInvalidTestCaseType(test_case_name, code_location);
           posix::Abort();
         } else {
           // At this point we are sure that the object we found is of the same
@@ -591,7 +697,8 @@ class ParameterizedTestCaseRegistry {
       }
     }
     if (typed_test_info == NULL) {
-      typed_test_info = new ParameterizedTestCaseInfo<TestCase>(test_case_name);
+      typed_test_info = new ParameterizedTestCaseInfo<TestCase>(
+          test_case_name, code_location);
       test_case_infos_.push_back(typed_test_info);
     }
     return typed_test_info;
@@ -614,6 +721,4 @@ class ParameterizedTestCaseRegistry {
 }  // namespace internal
 }  // namespace testing
 
-#endif  //  GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PARAM_UTIL_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port-arch.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port-arch.h
new file mode 100644
index 0000000000..f83700e06d
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port-arch.h
@@ -0,0 +1,100 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// The Google C++ Testing and Mocking Framework (Google Test)
+//
+// This header file defines the GTEST_OS_* macro.
+// It is separate from gtest-port.h so that custom/gtest-port.h can include it.
+
+#ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_ARCH_H_
+#define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_ARCH_H_
+
+// Determines the platform on which Google Test is compiled.
+#ifdef __CYGWIN__
+# define GTEST_OS_CYGWIN 1
+#elif defined __SYMBIAN32__
+# define GTEST_OS_SYMBIAN 1
+#elif defined _WIN32
+# define GTEST_OS_WINDOWS 1
+# ifdef _WIN32_WCE
+#  define GTEST_OS_WINDOWS_MOBILE 1
+# elif defined(__MINGW__) || defined(__MINGW32__)
+#  define GTEST_OS_WINDOWS_MINGW 1
+# elif defined(WINAPI_FAMILY)
+#  include <winapifamily.h>
+#  if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
+#   define GTEST_OS_WINDOWS_DESKTOP 1
+#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_PHONE_APP)
+#   define GTEST_OS_WINDOWS_PHONE 1
+#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
+#   define GTEST_OS_WINDOWS_RT 1
+#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_TV_TITLE)
+#   define GTEST_OS_WINDOWS_PHONE 1
+#   define GTEST_OS_WINDOWS_TV_TITLE 1
+#  else
+    // WINAPI_FAMILY defined but no known partition matched.
+    // Default to desktop.
+#   define GTEST_OS_WINDOWS_DESKTOP 1
+#  endif
+# else
+#  define GTEST_OS_WINDOWS_DESKTOP 1
+# endif  // _WIN32_WCE
+#elif defined __APPLE__
+# define GTEST_OS_MAC 1
+# if TARGET_OS_IPHONE
+#  define GTEST_OS_IOS 1
+# endif
+#elif defined __FreeBSD__
+# define GTEST_OS_FREEBSD 1
+#elif defined __Fuchsia__
+# define GTEST_OS_FUCHSIA 1
+#elif defined __linux__
+# define GTEST_OS_LINUX 1
+# if defined __ANDROID__
+#  define GTEST_OS_LINUX_ANDROID 1
+# endif
+#elif defined __MVS__
+# define GTEST_OS_ZOS 1
+#elif defined(__sun) && defined(__SVR4)
+# define GTEST_OS_SOLARIS 1
+#elif defined(_AIX)
+# define GTEST_OS_AIX 1
+#elif defined(__hpux)
+# define GTEST_OS_HPUX 1
+#elif defined __native_client__
+# define GTEST_OS_NACL 1
+#elif defined __NetBSD__
+# define GTEST_OS_NETBSD 1
+#elif defined __OpenBSD__
+# define GTEST_OS_OPENBSD 1
+#elif defined __QNX__
+# define GTEST_OS_QNX 1
+#endif  // __CYGWIN__
+
+#endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_ARCH_H_
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port.h
index f376dfa004..786497d854 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-port.h
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: wan@google.com (Zhanyong Wan)
-//
 // Low-level types and utilities for porting Google Test to various
 // platforms.  All macros ending with _ and symbols defined in an
 // internal namespace are subject to change without notice.  Code
@@ -40,6 +38,8 @@
 // files are expected to #include this.  Therefore, it cannot #include
 // any other Google Test header.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_H_
 
@@ -73,11 +73,9 @@
 //   GTEST_HAS_EXCEPTIONS     - Define it to 1/0 to indicate that exceptions
 //                              are enabled.
 //   GTEST_HAS_GLOBAL_STRING  - Define it to 1/0 to indicate that ::string
-//                              is/isn't available (some systems define
-//                              ::string, which is different to std::string).
-//   GTEST_HAS_GLOBAL_WSTRING - Define it to 1/0 to indicate that ::string
-//                              is/isn't available (some systems define
-//                              ::wstring, which is different to std::wstring).
+//                              is/isn't available
+//   GTEST_HAS_GLOBAL_WSTRING - Define it to 1/0 to indicate that ::wstring
+//                              is/isn't available
 //   GTEST_HAS_POSIX_RE       - Define it to 1/0 to indicate that POSIX regular
 //                              expressions are/aren't available.
 //   GTEST_HAS_PTHREAD        - Define it to 1/0 to indicate that <pthread.h>
@@ -109,6 +107,12 @@
 //   GTEST_CREATE_SHARED_LIBRARY
 //                            - Define to 1 when compiling Google Test itself
 //                              as a shared library.
+//   GTEST_DEFAULT_DEATH_TEST_STYLE
+//                            - The default value of --gtest_death_test_style.
+//                              The legacy default has been "fast" in the open
+//                              source version since 2008. The recommended value
+//                              is "threadsafe", and can be set in
+//                              custom/gtest-port.h.
 
 // Platform-indicating macros
 // --------------------------
@@ -121,13 +125,15 @@
 //
 //   GTEST_OS_AIX      - IBM AIX
 //   GTEST_OS_CYGWIN   - Cygwin
+//   GTEST_OS_FREEBSD  - FreeBSD
+//   GTEST_OS_FUCHSIA  - Fuchsia
 //   GTEST_OS_HPUX     - HP-UX
 //   GTEST_OS_LINUX    - Linux
 //     GTEST_OS_LINUX_ANDROID - Google Android
 //   GTEST_OS_MAC      - Mac OS X
 //     GTEST_OS_IOS    - iOS
-//       GTEST_OS_IOS_SIMULATOR - iOS simulator
 //   GTEST_OS_NACL     - Google Native Client (NaCl)
+//   GTEST_OS_NETBSD   - NetBSD
 //   GTEST_OS_OPENBSD  - OpenBSD
 //   GTEST_OS_QNX      - QNX
 //   GTEST_OS_SOLARIS  - Sun Solaris
@@ -169,15 +175,15 @@
 //   GTEST_HAS_COMBINE      - the Combine() function (for value-parameterized
 //                            tests)
 //   GTEST_HAS_DEATH_TEST   - death tests
-//   GTEST_HAS_PARAM_TEST   - value-parameterized tests
 //   GTEST_HAS_TYPED_TEST   - typed tests
 //   GTEST_HAS_TYPED_TEST_P - type-parameterized tests
 //   GTEST_IS_THREADSAFE    - Google Test is thread-safe.
+//   GOOGLETEST_CM0007 DO NOT DELETE
 //   GTEST_USES_POSIX_RE    - enhanced POSIX regex is used. Do not confuse with
 //                            GTEST_HAS_POSIX_RE (see above) which users can
 //                            define themselves.
 //   GTEST_USES_SIMPLE_RE   - our own simple regex is used;
-//                            the above two are mutually exclusive.
+//                            the above RE\b(s) are mutually exclusive.
 //   GTEST_CAN_COMPARE_NULL - accepts untyped NULL in EXPECT_EQ().
 
 // Misc public macros
@@ -206,7 +212,8 @@
 //
 // C++11 feature wrappers:
 //
-//   GTEST_MOVE_          - portability wrapper for std::move.
+//   testing::internal::forward - portability wrapper for std::forward.
+//   testing::internal::move  - portability wrapper for std::move.
 //
 // Synchronization:
 //   Mutex, MutexLock, ThreadLocal, GetThreadCount()
@@ -222,10 +229,10 @@
 //
 // Regular expressions:
 //   RE             - a simple regular expression class using the POSIX
-//                    Extended Regular Expression syntax on UNIX-like
-//                    platforms, or a reduced regular exception syntax on
-//                    other platforms, including Windows.
-//
+//                    Extended Regular Expression syntax on UNIX-like platforms
+//                    GOOGLETEST_CM0008 DO NOT DELETE
+//                    or a reduced regular exception syntax on other
+//                    platforms, including Windows.
 // Logging:
 //   GTEST_LOG_()   - logs messages at the specified severity level.
 //   LogToStderr()  - directs all log messages to stderr.
@@ -271,18 +278,30 @@
 # include <TargetConditionals.h>
 #endif
 
+// Brings in the definition of HAS_GLOBAL_STRING.  This must be done
+// BEFORE we test HAS_GLOBAL_STRING.
+#include <string>  // NOLINT
 #include <algorithm>  // NOLINT
 #include <iostream>  // NOLINT
 #include <sstream>  // NOLINT
-#include <string>  // NOLINT
 #include <utility>
+#include <vector>  // NOLINT
 
-#define GTEST_DEV_EMAIL_ "googletestframework@@googlegroups.com"
-#define GTEST_FLAG_PREFIX_ "gtest_"
-#define GTEST_FLAG_PREFIX_DASH_ "gtest-"
-#define GTEST_FLAG_PREFIX_UPPER_ "GTEST_"
-#define GTEST_NAME_ "Google Test"
-#define GTEST_PROJECT_URL_ "http://code.google.com/p/googletest/"
+#include "gtest/internal/gtest-port-arch.h"
+#include "gtest/internal/custom/gtest-port.h"
+
+#if !defined(GTEST_DEV_EMAIL_)
+# define GTEST_DEV_EMAIL_ "googletestframework@@googlegroups.com"
+# define GTEST_FLAG_PREFIX_ "gtest_"
+# define GTEST_FLAG_PREFIX_DASH_ "gtest-"
+# define GTEST_FLAG_PREFIX_UPPER_ "GTEST_"
+# define GTEST_NAME_ "Google Test"
+# define GTEST_PROJECT_URL_ "https://github.com/google/googletest/"
+#endif  // !defined(GTEST_DEV_EMAIL_)
+
+#if !defined(GTEST_INIT_GOOGLE_TEST_NAME_)
+# define GTEST_INIT_GOOGLE_TEST_NAME_ "testing::InitGoogleTest"
+#endif  // !defined(GTEST_INIT_GOOGLE_TEST_NAME_)
 
 // Determines the version of gcc that is used to compile this.
 #ifdef __GNUC__
@@ -291,68 +310,12 @@
     (__GNUC__*10000 + __GNUC_MINOR__*100 + __GNUC_PATCHLEVEL__)
 #endif  // __GNUC__
 
-// Determines the platform on which Google Test is compiled.
-#ifdef __CYGWIN__
-# define GTEST_OS_CYGWIN 1
-#elif defined __SYMBIAN32__
-# define GTEST_OS_SYMBIAN 1
-#elif defined _WIN32
-# define GTEST_OS_WINDOWS 1
-# ifdef _WIN32_WCE
-#  define GTEST_OS_WINDOWS_MOBILE 1
-# elif defined(__MINGW__) || defined(__MINGW32__)
-#  define GTEST_OS_WINDOWS_MINGW 1
-# elif defined(WINAPI_FAMILY)
-#  include <winapifamily.h>
-#  if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
-#   define GTEST_OS_WINDOWS_DESKTOP 1
-#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_PHONE_APP)
-#   define GTEST_OS_WINDOWS_PHONE 1
-#  elif WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
-#   define GTEST_OS_WINDOWS_RT 1
-#  else
-    // WINAPI_FAMILY defined but no known partition matched.
-    // Default to desktop.
-#   define GTEST_OS_WINDOWS_DESKTOP 1
-#  endif
-# else
-#  define GTEST_OS_WINDOWS_DESKTOP 1
-# endif  // _WIN32_WCE
-#elif defined __APPLE__
-# define GTEST_OS_MAC 1
-# if TARGET_OS_IPHONE
-#  define GTEST_OS_IOS 1
-#  if TARGET_IPHONE_SIMULATOR
-#   define GTEST_OS_IOS_SIMULATOR 1
-#  endif
-# endif
-#elif defined __linux__
-# define GTEST_OS_LINUX 1
-# if defined __ANDROID__
-#  define GTEST_OS_LINUX_ANDROID 1
-# endif
-#elif defined __MVS__
-# define GTEST_OS_ZOS 1
-#elif defined(__sun) && defined(__SVR4)
-# define GTEST_OS_SOLARIS 1
-#elif defined(_AIX)
-# define GTEST_OS_AIX 1
-#elif defined(__hpux)
-# define GTEST_OS_HPUX 1
-#elif defined __native_client__
-# define GTEST_OS_NACL 1
-#elif defined __OpenBSD__
-# define GTEST_OS_OPENBSD 1
-#elif defined __QNX__
-# define GTEST_OS_QNX 1
-#endif  // __CYGWIN__
-
 // Macros for disabling Microsoft Visual C++ warnings.
 //
 //   GTEST_DISABLE_MSC_WARNINGS_PUSH_(4800 4385)
 //   /* code that triggers warnings C4800 and C4385 */
 //   GTEST_DISABLE_MSC_WARNINGS_POP_()
-#if _MSC_VER >= 1500
+#if _MSC_VER >= 1400
 # define GTEST_DISABLE_MSC_WARNINGS_PUSH_(warnings) \
     __pragma(warning(push))                        \
     __pragma(warning(disable: warnings))
@@ -364,12 +327,28 @@
 # define GTEST_DISABLE_MSC_WARNINGS_POP_()
 #endif
 
+// Clang on Windows does not understand MSVC's pragma warning.
+// We need clang-specific way to disable function deprecation warning.
+#ifdef __clang__
+# define GTEST_DISABLE_MSC_DEPRECATED_PUSH_()                         \
+    _Pragma("clang diagnostic push")                                  \
+    _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"") \
+    _Pragma("clang diagnostic ignored \"-Wdeprecated-implementations\"")
+#define GTEST_DISABLE_MSC_DEPRECATED_POP_() \
+    _Pragma("clang diagnostic pop")
+#else
+# define GTEST_DISABLE_MSC_DEPRECATED_PUSH_() \
+    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996)
+# define GTEST_DISABLE_MSC_DEPRECATED_POP_() \
+    GTEST_DISABLE_MSC_WARNINGS_POP_()
+#endif
+
 #ifndef GTEST_LANG_CXX11
 // gcc and clang define __GXX_EXPERIMENTAL_CXX0X__ when
 // -std={c,gnu}++{0x,11} is passed.  The C++11 standard specifies a
 // value for __cplusplus, and recent versions of clang, gcc, and
 // probably other compilers set that too in C++11 mode.
-# if __GXX_EXPERIMENTAL_CXX0X__ || __cplusplus >= 201103L
+# if __GXX_EXPERIMENTAL_CXX0X__ || __cplusplus >= 201103L || _MSC_VER >= 1900
 // Compiling in at least C++11 mode.
 #  define GTEST_LANG_CXX11 1
 # else
@@ -377,12 +356,40 @@
 # endif
 #endif
 
-// C++11 specifies that <initializer_list> provides std::initializer_list. Use
-// that if gtest is used in C++11 mode and libstdc++ isn't very old (binaries
-// targeting OS X 10.6 can build with clang but need to use gcc4.2's
-// libstdc++).
-#if GTEST_LANG_CXX11 && (!defined(__GLIBCXX__) || __GLIBCXX__ > 20110325)
+// Distinct from C++11 language support, some environments don't provide
+// proper C++11 library support. Notably, it's possible to build in
+// C++11 mode when targeting Mac OS X 10.6, which has an old libstdc++
+// with no C++11 support.
+//
+// libstdc++ has sufficient C++11 support as of GCC 4.6.0, __GLIBCXX__
+// 20110325, but maintenance releases in the 4.4 and 4.5 series followed
+// this date, so check for those versions by their date stamps.
+// https://gcc.gnu.org/onlinedocs/libstdc++/manual/abi.html#abi.versioning
+#if GTEST_LANG_CXX11 && \
+    (!defined(__GLIBCXX__) || ( \
+        __GLIBCXX__ >= 20110325ul &&  /* GCC >= 4.6.0 */ \
+        /* Blacklist of patch releases of older branches: */ \
+        __GLIBCXX__ != 20110416ul &&  /* GCC 4.4.6 */ \
+        __GLIBCXX__ != 20120313ul &&  /* GCC 4.4.7 */ \
+        __GLIBCXX__ != 20110428ul &&  /* GCC 4.5.3 */ \
+        __GLIBCXX__ != 20120702ul))   /* GCC 4.5.4 */
+# define GTEST_STDLIB_CXX11 1
+#endif
+
+// Only use C++11 library features if the library provides them.
+#if GTEST_STDLIB_CXX11
+# define GTEST_HAS_STD_BEGIN_AND_END_ 1
+# define GTEST_HAS_STD_FORWARD_LIST_ 1
+# if !defined(_MSC_VER) || (_MSC_FULL_VER >= 190023824)
+// works only with VS2015U2 and better
+#   define GTEST_HAS_STD_FUNCTION_ 1
+# endif
 # define GTEST_HAS_STD_INITIALIZER_LIST_ 1
+# define GTEST_HAS_STD_MOVE_ 1
+# define GTEST_HAS_STD_UNIQUE_PTR_ 1
+# define GTEST_HAS_STD_SHARED_PTR_ 1
+# define GTEST_HAS_UNORDERED_MAP_ 1
+# define GTEST_HAS_UNORDERED_SET_ 1
 #endif
 
 // C++11 specifies that <tuple> provides std::tuple.
@@ -390,7 +397,8 @@
 #if GTEST_LANG_CXX11
 # define GTEST_HAS_STD_TUPLE_ 1
 # if defined(__clang__)
-// Inspired by http://clang.llvm.org/docs/LanguageExtensions.html#__has_include
+// Inspired by
+// https://clang.llvm.org/docs/LanguageExtensions.html#include-file-checking-macros
 #  if defined(__has_include) && !__has_include(<tuple>)
 #   undef GTEST_HAS_STD_TUPLE_
 #  endif
@@ -402,7 +410,7 @@
 # elif defined(__GLIBCXX__)
 // Inspired by boost/config/stdlib/libstdcpp3.hpp,
 // http://gcc.gnu.org/gcc-4.2/changes.html and
-// http://gcc.gnu.org/onlinedocs/libstdc++/manual/bk01pt01ch01.html#manual.intro.status.standard.200x
+// https://web.archive.org/web/20140227044429/gcc.gnu.org/onlinedocs/libstdc++/manual/bk01pt01ch01.html#manual.intro.status.standard.200x
 #  if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 2)
 #   undef GTEST_HAS_STD_TUPLE_
 #  endif
@@ -418,10 +426,16 @@
 #  include <io.h>
 # endif
 // In order to avoid having to include <windows.h>, use forward declaration
-// assuming CRITICAL_SECTION is a typedef of _RTL_CRITICAL_SECTION.
+#if GTEST_OS_WINDOWS_MINGW && !defined(__MINGW64_VERSION_MAJOR)
+// MinGW defined _CRITICAL_SECTION and _RTL_CRITICAL_SECTION as two
+// separate (equivalent) structs, instead of using typedef
+typedef struct _CRITICAL_SECTION GTEST_CRITICAL_SECTION;
+#else
+// Assume CRITICAL_SECTION is a typedef of _RTL_CRITICAL_SECTION.
 // This assumption is verified by
 // WindowsTypesTest.CRITICAL_SECTIONIs_RTL_CRITICAL_SECTION.
-struct _RTL_CRITICAL_SECTION;
+typedef struct _RTL_CRITICAL_SECTION GTEST_CRITICAL_SECTION;
+#endif
 #else
 // This assumes that non-Windows OSes provide unistd.h. For OSes where this
 // is not the case, we need to include headers that provide the functions
@@ -445,7 +459,10 @@ struct _RTL_CRITICAL_SECTION;
 # endif
 #endif
 
-#if GTEST_HAS_POSIX_RE
+#if GTEST_USES_PCRE
+// The appropriate headers have already been included.
+
+#elif GTEST_HAS_POSIX_RE
 
 // On some platforms, <regex.h> needs someone to define size_t, and
 // won't compile otherwise.  We can #include it here as we already
@@ -467,19 +484,31 @@ struct _RTL_CRITICAL_SECTION;
 // simple regex implementation instead.
 # define GTEST_USES_SIMPLE_RE 1
 
-#endif  // GTEST_HAS_POSIX_RE
+#endif  // GTEST_USES_PCRE
 
 #ifndef GTEST_HAS_EXCEPTIONS
 // The user didn't tell us whether exceptions are enabled, so we need
 // to figure it out.
-# if defined(_MSC_VER) || defined(__BORLANDC__)
-// MSVC's and C++Builder's implementations of the STL use the _HAS_EXCEPTIONS
+# if defined(_MSC_VER) && defined(_CPPUNWIND)
+// MSVC defines _CPPUNWIND to 1 iff exceptions are enabled.
+#  define GTEST_HAS_EXCEPTIONS 1
+# elif defined(__BORLANDC__)
+// C++Builder's implementation of the STL uses the _HAS_EXCEPTIONS
 // macro to enable exceptions, so we'll do the same.
 // Assumes that exceptions are enabled by default.
 #  ifndef _HAS_EXCEPTIONS
 #   define _HAS_EXCEPTIONS 1
 #  endif  // _HAS_EXCEPTIONS
 #  define GTEST_HAS_EXCEPTIONS _HAS_EXCEPTIONS
+# elif defined(__clang__)
+// clang defines __EXCEPTIONS iff exceptions are enabled before clang 220714,
+// but iff cleanups are enabled after that. In Obj-C++ files, there can be
+// cleanups for ObjC exceptions which also need cleanups, even if C++ exceptions
+// are disabled. clang has __has_feature(cxx_exceptions) which checks for C++
+// exceptions starting at clang r206352, but which checked for cleanups prior to
+// that. To reliably check for C++ exception availability with clang, check for
+// __EXCEPTIONS && __has_feature(cxx_exceptions).
+#  define GTEST_HAS_EXCEPTIONS (__EXCEPTIONS && __has_feature(cxx_exceptions))
 # elif defined(__GNUC__) && __EXCEPTIONS
 // gcc defines __EXCEPTIONS to 1 iff exceptions are enabled.
 #  define GTEST_HAS_EXCEPTIONS 1
@@ -508,21 +537,17 @@ struct _RTL_CRITICAL_SECTION;
 # define GTEST_HAS_STD_STRING 1
 #elif !GTEST_HAS_STD_STRING
 // The user told us that ::std::string isn't available.
-# error "Google Test cannot be used where ::std::string isn't available."
+# error "::std::string isn't available."
 #endif  // !defined(GTEST_HAS_STD_STRING)
 
 #ifndef GTEST_HAS_GLOBAL_STRING
-// The user didn't tell us whether ::string is available, so we need
-// to figure it out.
-
 # define GTEST_HAS_GLOBAL_STRING 0
-
 #endif  // GTEST_HAS_GLOBAL_STRING
 
 #ifndef GTEST_HAS_STD_WSTRING
 // The user didn't tell us whether ::std::wstring is available, so we need
 // to figure it out.
-// TODO(wan@google.com): uses autoconf to detect whether ::std::wstring
+// FIXME: uses autoconf to detect whether ::std::wstring
 //   is available.
 
 // Cygwin 1.7 and below doesn't support ::std::wstring.
@@ -605,13 +630,14 @@ struct _RTL_CRITICAL_SECTION;
 
 // Determines whether Google Test can use the pthreads library.
 #ifndef GTEST_HAS_PTHREAD
-// The user didn't tell us explicitly, so we assume pthreads support is
-// available on Linux and Mac.
+// The user didn't tell us explicitly, so we make reasonable assumptions about
+// which platforms have pthreads support.
 //
 // To disable threading support in Google Test, add -DGTEST_HAS_PTHREAD=0
 // to your compiler flags.
-# define GTEST_HAS_PTHREAD (GTEST_OS_LINUX || GTEST_OS_MAC || GTEST_OS_HPUX \
-    || GTEST_OS_QNX)
+#define GTEST_HAS_PTHREAD                                             \
+  (GTEST_OS_LINUX || GTEST_OS_MAC || GTEST_OS_HPUX || GTEST_OS_QNX || \
+   GTEST_OS_FREEBSD || GTEST_OS_NACL || GTEST_OS_NETBSD || GTEST_OS_FUCHSIA)
 #endif  // GTEST_HAS_PTHREAD
 
 #if GTEST_HAS_PTHREAD
@@ -623,6 +649,15 @@ struct _RTL_CRITICAL_SECTION;
 # include <time.h>  // NOLINT
 #endif
 
+// Determines if hash_map/hash_set are available.
+// Only used for testing against those containers.
+#if !defined(GTEST_HAS_HASH_MAP_)
+# if defined(_MSC_VER) && (_MSC_VER < 1900)
+#  define GTEST_HAS_HASH_MAP_ 1  // Indicates that hash_map is available.
+#  define GTEST_HAS_HASH_SET_ 1  // Indicates that hash_set is available.
+# endif  // _MSC_VER
+#endif  // !defined(GTEST_HAS_HASH_MAP_)
+
 // Determines whether Google Test can use tr1/tuple.  You can define
 // this macro to 0 to prevent Google Test from using tuple (any
 // feature depending on tuple with be disabled in this mode).
@@ -630,6 +665,14 @@ struct _RTL_CRITICAL_SECTION;
 # if GTEST_OS_LINUX_ANDROID && defined(_STLPORT_MAJOR)
 // STLport, provided with the Android NDK, has neither <tr1/tuple> or <tuple>.
 #  define GTEST_HAS_TR1_TUPLE 0
+# elif defined(_MSC_VER) && (_MSC_VER >= 1910)
+// Prevent `warning C4996: 'std::tr1': warning STL4002:
+// The non-Standard std::tr1 namespace and TR1-only machinery
+// are deprecated and will be REMOVED.`
+#  define GTEST_HAS_TR1_TUPLE 0
+# elif GTEST_LANG_CXX11 && defined(_LIBCPP_VERSION)
+// libc++ doesn't support TR1.
+#  define GTEST_HAS_TR1_TUPLE 0
 # else
 // The user didn't tell us not to do it, so we assume it's OK.
 #  define GTEST_HAS_TR1_TUPLE 1
@@ -639,6 +682,10 @@ struct _RTL_CRITICAL_SECTION;
 // Determines whether Google Test's own tr1 tuple implementation
 // should be used.
 #ifndef GTEST_USE_OWN_TR1_TUPLE
+// We use our own tuple implementation on Symbian.
+# if GTEST_OS_SYMBIAN
+#  define GTEST_USE_OWN_TR1_TUPLE 1
+# else
 // The user didn't tell us, so we need to figure it out.
 
 // We use our own TR1 tuple if we aren't sure the user has an
@@ -652,7 +699,8 @@ struct _RTL_CRITICAL_SECTION;
 // support TR1 tuple.  libc++ only provides std::tuple, in C++11 mode,
 // and it can be used with some compilers that define __GNUC__.
 # if (defined(__GNUC__) && !defined(__CUDACC__) && (GTEST_GCC_VER_ >= 40000) \
-      && !GTEST_OS_QNX && !defined(_LIBCPP_VERSION)) || _MSC_VER >= 1600
+      && !GTEST_OS_QNX && !defined(_LIBCPP_VERSION)) \
+      || (_MSC_VER >= 1600 && _MSC_VER < 1900)
 #  define GTEST_ENV_HAS_TR1_TUPLE_ 1
 # endif
 
@@ -668,12 +716,11 @@ struct _RTL_CRITICAL_SECTION;
 # else
 #  define GTEST_USE_OWN_TR1_TUPLE 1
 # endif
-
+# endif  // GTEST_OS_SYMBIAN
 #endif  // GTEST_USE_OWN_TR1_TUPLE
 
-// To avoid conditional compilation everywhere, we make it
-// gtest-port.h's responsibility to #include the header implementing
-// tuple.
+// To avoid conditional compilation we make it gtest-port.h's responsibility
+// to #include the header implementing tuple.
 #if GTEST_HAS_STD_TUPLE_
 # include <tuple>  // IWYU pragma: export
 # define GTEST_TUPLE_NAMESPACE_ ::std
@@ -688,22 +735,6 @@ struct _RTL_CRITICAL_SECTION;
 
 # if GTEST_USE_OWN_TR1_TUPLE
 #  include "gtest/internal/gtest-tuple.h"  // IWYU pragma: export  // NOLINT
-# elif GTEST_ENV_HAS_STD_TUPLE_
-#  include <tuple>
-// C++11 puts its tuple into the ::std namespace rather than
-// ::std::tr1.  gtest expects tuple to live in ::std::tr1, so put it there.
-// This causes undefined behavior, but supported compilers react in
-// the way we intend.
-namespace std {
-namespace tr1 {
-using ::std::get;
-using ::std::make_tuple;
-using ::std::tuple;
-using ::std::tuple_element;
-using ::std::tuple_size;
-}
-}
-
 # elif GTEST_OS_SYMBIAN
 
 // On Symbian, BOOST_HAS_TR1_TUPLE causes Boost's TR1 tuple library to
@@ -728,20 +759,22 @@ using ::std::tuple_size;
 // Until version 4.3.2, gcc has a bug that causes <tr1/functional>,
 // which is #included by <tr1/tuple>, to not compile when RTTI is
 // disabled.  _TR1_FUNCTIONAL is the header guard for
-// <tr1/functional>.  Hence the following #define is a hack to prevent
+// <tr1/functional>.  Hence the following #define is used to prevent
 // <tr1/functional> from being included.
 #   define _TR1_FUNCTIONAL 1
 #   include <tr1/tuple>
 #   undef _TR1_FUNCTIONAL  // Allows the user to #include
-                        // <tr1/functional> if he chooses to.
+                        // <tr1/functional> if they choose to.
 #  else
 #   include <tr1/tuple>  // NOLINT
 #  endif  // !GTEST_HAS_RTTI && GTEST_GCC_VER_ < 40302
 
-# else
-// If the compiler is not GCC 4.0+, we assume the user is using a
-// spec-conforming TR1 implementation.
+// VS 2010 now has tr1 support.
+# elif _MSC_VER >= 1600
 #  include <tuple>  // IWYU pragma: export  // NOLINT
+
+# else  // GTEST_USE_OWN_TR1_TUPLE
+#  include <tr1/tuple>  // IWYU pragma: export  // NOLINT
 # endif  // GTEST_USE_OWN_TR1_TUPLE
 
 #endif  // GTEST_HAS_TR1_TUPLE
@@ -755,8 +788,12 @@ using ::std::tuple_size;
 
 # if GTEST_OS_LINUX && !defined(__ia64__)
 #  if GTEST_OS_LINUX_ANDROID
-// On Android, clone() is only available on ARM starting with Gingerbread.
-#    if defined(__arm__) && __ANDROID_API__ >= 9
+// On Android, clone() became available at different API levels for each 32-bit
+// architecture.
+#    if defined(__LP64__) || \
+        (defined(__arm__) && __ANDROID_API__ >= 9) || \
+        (defined(__mips__) && __ANDROID_API__ >= 12) || \
+        (defined(__i386__) && __ANDROID_API__ >= 17)
 #     define GTEST_HAS_CLONE 1
 #    else
 #     define GTEST_HAS_CLONE 0
@@ -787,20 +824,15 @@ using ::std::tuple_size;
 // Google Test does not support death tests for VC 7.1 and earlier as
 // abort() in a VC 7.1 application compiled as GUI in debug config
 // pops up a dialog window that cannot be suppressed programmatically.
-#if (GTEST_OS_LINUX || GTEST_OS_CYGWIN || GTEST_OS_SOLARIS || \
-     (GTEST_OS_MAC && !GTEST_OS_IOS) || GTEST_OS_IOS_SIMULATOR || \
-     (GTEST_OS_WINDOWS_DESKTOP && _MSC_VER >= 1400) || \
+#if (GTEST_OS_LINUX || GTEST_OS_CYGWIN || GTEST_OS_SOLARIS ||   \
+     (GTEST_OS_MAC && !GTEST_OS_IOS) ||                         \
+     (GTEST_OS_WINDOWS_DESKTOP && _MSC_VER >= 1400) ||          \
      GTEST_OS_WINDOWS_MINGW || GTEST_OS_AIX || GTEST_OS_HPUX || \
-     GTEST_OS_OPENBSD || GTEST_OS_QNX)
+     GTEST_OS_OPENBSD || GTEST_OS_QNX || GTEST_OS_FREEBSD || \
+     GTEST_OS_NETBSD || GTEST_OS_FUCHSIA)
 # define GTEST_HAS_DEATH_TEST 1
-# include <vector>  // NOLINT
 #endif
 
-// We don't support MSVC 7.1 with exceptions disabled now.  Therefore
-// all the compilers we care about are adequate for supporting
-// value-parameterized tests.
-#define GTEST_HAS_PARAM_TEST 1
-
 // Determines whether to support type-driven tests.
 
 // Typed tests need <typeinfo> and variadic macros, which GCC, VC++ 8.0,
@@ -815,7 +847,7 @@ using ::std::tuple_size;
 // value-parameterized tests are enabled.  The implementation doesn't
 // work on Sun Studio since it doesn't understand templated conversion
 // operators.
-#if GTEST_HAS_PARAM_TEST && GTEST_HAS_TR1_TUPLE && !defined(__SUNPRO_CC)
+#if (GTEST_HAS_TR1_TUPLE || GTEST_HAS_STD_TUPLE_) && !defined(__SUNPRO_CC)
 # define GTEST_HAS_COMBINE 1
 #endif
 
@@ -857,19 +889,48 @@ using ::std::tuple_size;
 // compiler the variable/parameter does not have to be used.
 #if defined(__GNUC__) && !defined(COMPILER_ICC)
 # define GTEST_ATTRIBUTE_UNUSED_ __attribute__ ((unused))
-#else
+#elif defined(__clang__)
+# if __has_attribute(unused)
+#  define GTEST_ATTRIBUTE_UNUSED_ __attribute__ ((unused))
+# endif
+#endif
+#ifndef GTEST_ATTRIBUTE_UNUSED_
 # define GTEST_ATTRIBUTE_UNUSED_
 #endif
 
+#if GTEST_LANG_CXX11
+# define GTEST_CXX11_EQUALS_DELETE_ = delete
+#else  // GTEST_LANG_CXX11
+# define GTEST_CXX11_EQUALS_DELETE_
+#endif  // GTEST_LANG_CXX11
+
+// Use this annotation before a function that takes a printf format string.
+#if (defined(__GNUC__) || defined(__clang__)) && !defined(COMPILER_ICC)
+# if defined(__MINGW_PRINTF_FORMAT)
+// MinGW has two different printf implementations. Ensure the format macro
+// matches the selected implementation. See
+// https://sourceforge.net/p/mingw-w64/wiki2/gnu%20printf/.
+#  define GTEST_ATTRIBUTE_PRINTF_(string_index, first_to_check) \
+       __attribute__((__format__(__MINGW_PRINTF_FORMAT, string_index, \
+                                 first_to_check)))
+# else
+#  define GTEST_ATTRIBUTE_PRINTF_(string_index, first_to_check) \
+       __attribute__((__format__(__printf__, string_index, first_to_check)))
+# endif
+#else
+# define GTEST_ATTRIBUTE_PRINTF_(string_index, first_to_check)
+#endif
+
+
 // A macro to disallow operator=
 // This should be used in the private: declarations for a class.
-#define GTEST_DISALLOW_ASSIGN_(type)\
-  void operator=(type const &)
+#define GTEST_DISALLOW_ASSIGN_(type) \
+  void operator=(type const &) GTEST_CXX11_EQUALS_DELETE_
 
 // A macro to disallow copy constructor and operator=
 // This should be used in the private: declarations for a class.
-#define GTEST_DISALLOW_COPY_AND_ASSIGN_(type)\
-  type(type const &);\
+#define GTEST_DISALLOW_COPY_AND_ASSIGN_(type) \
+  type(type const &) GTEST_CXX11_EQUALS_DELETE_; \
   GTEST_DISALLOW_ASSIGN_(type)
 
 // Tell the compiler to warn about unused return values for functions declared
@@ -883,12 +944,6 @@ using ::std::tuple_size;
 # define GTEST_MUST_USE_RESULT_
 #endif  // __GNUC__ && (GTEST_GCC_VER_ >= 30400) && !COMPILER_ICC
 
-#if GTEST_LANG_CXX11
-# define GTEST_MOVE_(x) ::std::move(x)  // NOLINT
-#else
-# define GTEST_MOVE_(x) x
-#endif
-
 // MS C++ compiler emits warning when a conditional expression is compile time
 // constant. In some contexts this warning is false positive and needs to be
 // suppressed. Use the following two macros in such cases:
@@ -917,25 +972,36 @@ using ::std::tuple_size;
 # endif
 
 #define GTEST_IS_THREADSAFE \
-    (0 \
+    (GTEST_HAS_MUTEX_AND_THREAD_LOCAL_ \
      || (GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT) \
      || GTEST_HAS_PTHREAD)
 
 #endif  // GTEST_HAS_SEH
 
-#ifdef _MSC_VER
+// GTEST_API_ qualifies all symbols that must be exported. The definitions below
+// are guarded by #ifndef to give embedders a chance to define GTEST_API_ in
+// gtest/internal/custom/gtest-port.h
+#ifndef GTEST_API_
 
+#ifdef _MSC_VER
 # if GTEST_LINKED_AS_SHARED_LIBRARY
 #  define GTEST_API_ __declspec(dllimport)
 # elif GTEST_CREATE_SHARED_LIBRARY
 #  define GTEST_API_ __declspec(dllexport)
 # endif
-
+#elif __GNUC__ >= 4 || defined(__clang__)
+# define GTEST_API_ __attribute__((visibility ("default")))
 #endif  // _MSC_VER
 
+#endif  // GTEST_API_
+
 #ifndef GTEST_API_
 # define GTEST_API_
-#endif
+#endif  // GTEST_API_
+
+#ifndef GTEST_DEFAULT_DEATH_TEST_STYLE
+# define GTEST_DEFAULT_DEATH_TEST_STYLE  "fast"
+#endif  // GTEST_DEFAULT_DEATH_TEST_STYLE
 
 #ifdef __GNUC__
 // Ask the compiler to never inline a given function.
@@ -945,10 +1011,12 @@ using ::std::tuple_size;
 #endif
 
 // _LIBCPP_VERSION is defined by the libc++ library from the LLVM project.
-#if defined(__GLIBCXX__) || defined(_LIBCPP_VERSION)
-# define GTEST_HAS_CXXABI_H_ 1
-#else
-# define GTEST_HAS_CXXABI_H_ 0
+#if !defined(GTEST_HAS_CXXABI_H_)
+# if defined(__GLIBCXX__) || (defined(_LIBCPP_VERSION) && !defined(_MSC_VER))
+#  define GTEST_HAS_CXXABI_H_ 1
+# else
+#  define GTEST_HAS_CXXABI_H_ 0
+# endif
 #endif
 
 // A function level attribute to disable checking for use of uninitialized
@@ -1025,16 +1093,22 @@ class Secret;
 // the expression is false, most compilers will issue a warning/error
 // containing the name of the variable.
 
+#if GTEST_LANG_CXX11
+# define GTEST_COMPILE_ASSERT_(expr, msg) static_assert(expr, #msg)
+#else  // !GTEST_LANG_CXX11
 template <bool>
-struct CompileAssert {
+  struct CompileAssert {
 };
 
-#define GTEST_COMPILE_ASSERT_(expr, msg) \
+# define GTEST_COMPILE_ASSERT_(expr, msg) \
   typedef ::testing::internal::CompileAssert<(static_cast<bool>(expr))> \
       msg[static_cast<bool>(expr) ? 1 : -1] GTEST_ATTRIBUTE_UNUSED_
+#endif  // !GTEST_LANG_CXX11
 
 // Implementation details of GTEST_COMPILE_ASSERT_:
 //
+// (In C++11, we simply use static_assert instead of the following)
+//
 // - GTEST_COMPILE_ASSERT_ works by defining an array type that has -1
 //   elements (and thus is invalid) when the expression is false.
 //
@@ -1085,6 +1159,16 @@ struct StaticAssertTypeEqHelper<T, T> {
   enum { value = true };
 };
 
+// Same as std::is_same<>.
+template <typename T, typename U>
+struct IsSame {
+  enum { value = false };
+};
+template <typename T>
+struct IsSame<T, T> {
+  enum { value = true };
+};
+
 // Evaluates to the number of elements in 'array'.
 #define GTEST_ARRAY_SIZE_(array) (sizeof(array) / sizeof(array[0]))
 
@@ -1148,6 +1232,10 @@ class scoped_ptr {
 
 // Defines RE.
 
+#if GTEST_USES_PCRE
+// if used, PCRE is injected by custom/gtest-port.h
+#elif GTEST_USES_POSIX_RE || GTEST_USES_SIMPLE_RE
+
 // A simple C++ wrapper for <regex.h>.  It uses the POSIX Extended
 // Regular Expression syntax.
 class GTEST_API_ RE {
@@ -1159,11 +1247,11 @@ class GTEST_API_ RE {
   // Constructs an RE from a string.
   RE(const ::std::string& regex) { Init(regex.c_str()); }  // NOLINT
 
-#if GTEST_HAS_GLOBAL_STRING
+# if GTEST_HAS_GLOBAL_STRING
 
   RE(const ::string& regex) { Init(regex.c_str()); }  // NOLINT
 
-#endif  // GTEST_HAS_GLOBAL_STRING
+# endif  // GTEST_HAS_GLOBAL_STRING
 
   RE(const char* regex) { Init(regex); }  // NOLINT
   ~RE();
@@ -1176,7 +1264,7 @@ class GTEST_API_ RE {
   // PartialMatch(str, re) returns true iff regular expression re
   // matches a substring of str (including str itself).
   //
-  // TODO(wan@google.com): make FullMatch() and PartialMatch() work
+  // FIXME: make FullMatch() and PartialMatch() work
   // when str contains NUL characters.
   static bool FullMatch(const ::std::string& str, const RE& re) {
     return FullMatch(str.c_str(), re);
@@ -1185,7 +1273,7 @@ class GTEST_API_ RE {
     return PartialMatch(str.c_str(), re);
   }
 
-#if GTEST_HAS_GLOBAL_STRING
+# if GTEST_HAS_GLOBAL_STRING
 
   static bool FullMatch(const ::string& str, const RE& re) {
     return FullMatch(str.c_str(), re);
@@ -1194,7 +1282,7 @@ class GTEST_API_ RE {
     return PartialMatch(str.c_str(), re);
   }
 
-#endif  // GTEST_HAS_GLOBAL_STRING
+# endif  // GTEST_HAS_GLOBAL_STRING
 
   static bool FullMatch(const char* str, const RE& re);
   static bool PartialMatch(const char* str, const RE& re);
@@ -1203,25 +1291,27 @@ class GTEST_API_ RE {
   void Init(const char* regex);
 
   // We use a const char* instead of an std::string, as Google Test used to be
-  // used where std::string is not available.  TODO(wan@google.com): change to
+  // used where std::string is not available.  FIXME: change to
   // std::string.
   const char* pattern_;
   bool is_valid_;
 
-#if GTEST_USES_POSIX_RE
+# if GTEST_USES_POSIX_RE
 
   regex_t full_regex_;     // For FullMatch().
   regex_t partial_regex_;  // For PartialMatch().
 
-#else  // GTEST_USES_SIMPLE_RE
+# else  // GTEST_USES_SIMPLE_RE
 
   const char* full_pattern_;  // For FullMatch();
 
-#endif
+# endif
 
   GTEST_DISALLOW_ASSIGN_(RE);
 };
 
+#endif  // GTEST_USES_PCRE
+
 // Formats a source file path and a line number as they would appear
 // in an error message from the compiler used to compile this code.
 GTEST_API_ ::std::string FormatFileLocation(const char* file, int line);
@@ -1263,13 +1353,18 @@ class GTEST_API_ GTestLog {
   GTEST_DISALLOW_COPY_AND_ASSIGN_(GTestLog);
 };
 
-#define GTEST_LOG_(severity) \
+#if !defined(GTEST_LOG_)
+
+# define GTEST_LOG_(severity) \
     ::testing::internal::GTestLog(::testing::internal::GTEST_##severity, \
                                   __FILE__, __LINE__).GetStream()
 
 inline void LogToStderr() {}
 inline void FlushInfoLog() { fflush(NULL); }
 
+#endif  // !defined(GTEST_LOG_)
+
+#if !defined(GTEST_CHECK_)
 // INTERNAL IMPLEMENTATION - DO NOT USE.
 //
 // GTEST_CHECK_ is an all-mode assert. It aborts the program if the condition
@@ -1284,12 +1379,13 @@ inline void FlushInfoLog() { fflush(NULL); }
 //    condition itself, plus additional message streamed into it, if any,
 //    and then it aborts the program. It aborts the program irrespective of
 //    whether it is built in the debug mode or not.
-#define GTEST_CHECK_(condition) \
+# define GTEST_CHECK_(condition) \
     GTEST_AMBIGUOUS_ELSE_BLOCKER_ \
     if (::testing::internal::IsTrue(condition)) \
       ; \
     else \
       GTEST_LOG_(FATAL) << "Condition " #condition " failed. "
+#endif  // !defined(GTEST_CHECK_)
 
 // An all-mode assert to verify that the given POSIX-style function
 // call returns 0 (indicating success).  Known limitation: this
@@ -1301,6 +1397,61 @@ inline void FlushInfoLog() { fflush(NULL); }
     GTEST_LOG_(FATAL) << #posix_call << "failed with error " \
                       << gtest_error
 
+// Adds reference to a type if it is not a reference type,
+// otherwise leaves it unchanged.  This is the same as
+// tr1::add_reference, which is not widely available yet.
+template <typename T>
+struct AddReference { typedef T& type; };  // NOLINT
+template <typename T>
+struct AddReference<T&> { typedef T& type; };  // NOLINT
+
+// A handy wrapper around AddReference that works when the argument T
+// depends on template parameters.
+#define GTEST_ADD_REFERENCE_(T) \
+    typename ::testing::internal::AddReference<T>::type
+
+// Transforms "T" into "const T&" according to standard reference collapsing
+// rules (this is only needed as a backport for C++98 compilers that do not
+// support reference collapsing). Specifically, it transforms:
+//
+//   char         ==> const char&
+//   const char   ==> const char&
+//   char&        ==> char&
+//   const char&  ==> const char&
+//
+// Note that the non-const reference will not have "const" added. This is
+// standard, and necessary so that "T" can always bind to "const T&".
+template <typename T>
+struct ConstRef { typedef const T& type; };
+template <typename T>
+struct ConstRef<T&> { typedef T& type; };
+
+// The argument T must depend on some template parameters.
+#define GTEST_REFERENCE_TO_CONST_(T) \
+  typename ::testing::internal::ConstRef<T>::type
+
+#if GTEST_HAS_STD_MOVE_
+using std::forward;
+using std::move;
+
+template <typename T>
+struct RvalueRef {
+  typedef T&& type;
+};
+#else  // GTEST_HAS_STD_MOVE_
+template <typename T>
+const T& move(const T& t) {
+  return t;
+}
+template <typename T>
+GTEST_ADD_REFERENCE_(T) forward(GTEST_ADD_REFERENCE_(T) t) { return t; }
+
+template <typename T>
+struct RvalueRef {
+  typedef const T& type;
+};
+#endif  // GTEST_HAS_STD_MOVE_
+
 // INTERNAL IMPLEMENTATION - DO NOT USE IN USER CODE.
 //
 // Use ImplicitCast_ as a safe version of static_cast for upcasting in
@@ -1374,6 +1525,11 @@ template <class Derived, class Base>
 Derived* CheckedDowncastToActualType(Base* base) {
 #if GTEST_HAS_RTTI
   GTEST_CHECK_(typeid(*base) == typeid(Derived));
+#endif
+
+#if GTEST_HAS_DOWNCAST_
+  return ::down_cast<Derived*>(base);
+#elif GTEST_HAS_RTTI
   return dynamic_cast<Derived*>(base);  // NOLINT
 #else
   return static_cast<Derived*>(base);  // Poor man's downcast.
@@ -1394,16 +1550,25 @@ GTEST_API_ void CaptureStderr();
 GTEST_API_ std::string GetCapturedStderr();
 
 #endif  // GTEST_HAS_STREAM_REDIRECTION
+// Returns the size (in bytes) of a file.
+GTEST_API_ size_t GetFileSize(FILE* file);
 
+// Reads the entire content of a file as a string.
+GTEST_API_ std::string ReadEntireFile(FILE* file);
 
-#if GTEST_HAS_DEATH_TEST
+// All command line arguments.
+GTEST_API_ std::vector<std::string> GetArgvs();
 
-const ::std::vector<testing::internal::string>& GetInjectableArgvs();
-void SetInjectableArgvs(const ::std::vector<testing::internal::string>*
-                             new_argvs);
+#if GTEST_HAS_DEATH_TEST
 
-// A copy of all command line arguments.  Set by InitGoogleTest().
-extern ::std::vector<testing::internal::string> g_argvs;
+std::vector<std::string> GetInjectableArgvs();
+// Deprecated: pass the args vector by value instead.
+void SetInjectableArgvs(const std::vector<std::string>* new_argvs);
+void SetInjectableArgvs(const std::vector<std::string>& new_argvs);
+#if GTEST_HAS_GLOBAL_STRING
+void SetInjectableArgvs(const std::vector< ::string>& new_argvs);
+#endif  // GTEST_HAS_GLOBAL_STRING
+void ClearInjectableArgvs();
 
 #endif  // GTEST_HAS_DEATH_TEST
 
@@ -1422,7 +1587,10 @@ inline void SleepMilliseconds(int n) {
 }
 # endif  // GTEST_HAS_PTHREAD
 
-# if 0  // OS detection
+# if GTEST_HAS_NOTIFICATION_
+// Notification has already been imported into the namespace.
+// Nothing to do here.
+
 # elif GTEST_HAS_PTHREAD
 // Allows a controller thread to pause execution of newly created
 // threads until notified.  Instances of this class must be created
@@ -1516,7 +1684,7 @@ class GTEST_API_ Notification {
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(Notification);
 };
-# endif  // OS detection
+# endif  // GTEST_HAS_NOTIFICATION_
 
 // On MinGW, we can have both GTEST_OS_WINDOWS and GTEST_HAS_PTHREAD
 // defined, but we don't want to use MinGW's pthreads implementation, which
@@ -1599,9 +1767,13 @@ class ThreadWithParam : public ThreadWithParamBase {
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(ThreadWithParam);
 };
-# endif  // GTEST_HAS_PTHREAD && !GTEST_OS_WINDOWS_MINGW
+# endif  // !GTEST_OS_WINDOWS && GTEST_HAS_PTHREAD ||
+         // GTEST_HAS_MUTEX_AND_THREAD_LOCAL_
+
+# if GTEST_HAS_MUTEX_AND_THREAD_LOCAL_
+// Mutex and ThreadLocal have already been imported into the namespace.
+// Nothing to do here.
 
-# if 0  // OS detection
 # elif GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT
 
 // Mutex implements mutex on Windows platforms.  It is used in conjunction
@@ -1646,7 +1818,7 @@ class GTEST_API_ Mutex {
   // Initializes owner_thread_id_ and critical_section_ in static mutexes.
   void ThreadSafeLazyInit();
 
-  // Per http://blogs.msdn.com/b/oldnewthing/archive/2004/02/23/78395.aspx,
+  // Per https://blogs.msdn.microsoft.com/oldnewthing/20040223-00/?p=40503,
   // we assume that 0 is an invalid value for thread IDs.
   unsigned int owner_thread_id_;
 
@@ -1654,7 +1826,7 @@ class GTEST_API_ Mutex {
   // by the linker.
   MutexType type_;
   long critical_section_init_phase_;  // NOLINT
-  _RTL_CRITICAL_SECTION* critical_section_;
+  GTEST_CRITICAL_SECTION* critical_section_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(Mutex);
 };
@@ -1806,8 +1978,9 @@ class ThreadWithParam : public ThreadWithParamBase {
 template <typename T>
 class ThreadLocal : public ThreadLocalBase {
  public:
-  ThreadLocal() : default_() {}
-  explicit ThreadLocal(const T& value) : default_(value) {}
+  ThreadLocal() : default_factory_(new DefaultValueHolderFactory()) {}
+  explicit ThreadLocal(const T& value)
+      : default_factory_(new InstanceValueHolderFactory(value)) {}
 
   ~ThreadLocal() { ThreadLocalRegistry::OnThreadLocalDestroyed(this); }
 
@@ -1821,6 +1994,7 @@ class ThreadLocal : public ThreadLocalBase {
   // knowing the type of T.
   class ValueHolder : public ThreadLocalValueHolderBase {
    public:
+    ValueHolder() : value_() {}
     explicit ValueHolder(const T& value) : value_(value) {}
 
     T* pointer() { return &value_; }
@@ -1837,10 +2011,42 @@ class ThreadLocal : public ThreadLocalBase {
   }
 
   virtual ThreadLocalValueHolderBase* NewValueForCurrentThread() const {
-    return new ValueHolder(default_);
+    return default_factory_->MakeNewHolder();
   }
 
-  const T default_;  // The default value for each thread.
+  class ValueHolderFactory {
+   public:
+    ValueHolderFactory() {}
+    virtual ~ValueHolderFactory() {}
+    virtual ValueHolder* MakeNewHolder() const = 0;
+
+   private:
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(ValueHolderFactory);
+  };
+
+  class DefaultValueHolderFactory : public ValueHolderFactory {
+   public:
+    DefaultValueHolderFactory() {}
+    virtual ValueHolder* MakeNewHolder() const { return new ValueHolder(); }
+
+   private:
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(DefaultValueHolderFactory);
+  };
+
+  class InstanceValueHolderFactory : public ValueHolderFactory {
+   public:
+    explicit InstanceValueHolderFactory(const T& value) : value_(value) {}
+    virtual ValueHolder* MakeNewHolder() const {
+      return new ValueHolder(value_);
+    }
+
+   private:
+    const T value_;  // The value for each thread.
+
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(InstanceValueHolderFactory);
+  };
+
+  scoped_ptr<ValueHolderFactory> default_factory_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(ThreadLocal);
 };
@@ -1901,8 +2107,8 @@ class MutexBase {
 // particular, the owner_ field (a pthread_t) is not explicitly initialized.
 // This allows initialization to work whether pthread_t is a scalar or struct.
 // The flag -Wmissing-field-initializers must not be specified for this to work.
-#  define GTEST_DEFINE_STATIC_MUTEX_(mutex) \
-     ::testing::internal::MutexBase mutex = { PTHREAD_MUTEX_INITIALIZER, false }
+#define GTEST_DEFINE_STATIC_MUTEX_(mutex) \
+  ::testing::internal::MutexBase mutex = {PTHREAD_MUTEX_INITIALIZER, false, 0}
 
 // The Mutex class can only be used for mutexes created at runtime. It
 // shares its API with MutexBase otherwise.
@@ -1959,12 +2165,13 @@ extern "C" inline void DeleteThreadLocalValue(void* value_holder) {
 
 // Implements thread-local storage on pthreads-based systems.
 template <typename T>
-class ThreadLocal {
+class GTEST_API_ ThreadLocal {
  public:
-  ThreadLocal() : key_(CreateKey()),
-                  default_() {}
-  explicit ThreadLocal(const T& value) : key_(CreateKey()),
-                                         default_(value) {}
+  ThreadLocal()
+      : key_(CreateKey()), default_factory_(new DefaultValueHolderFactory()) {}
+  explicit ThreadLocal(const T& value)
+      : key_(CreateKey()),
+        default_factory_(new InstanceValueHolderFactory(value)) {}
 
   ~ThreadLocal() {
     // Destroys the managed object for the current thread, if any.
@@ -1984,6 +2191,7 @@ class ThreadLocal {
   // Holds a value of type T.
   class ValueHolder : public ThreadLocalValueHolderBase {
    public:
+    ValueHolder() : value_() {}
     explicit ValueHolder(const T& value) : value_(value) {}
 
     T* pointer() { return &value_; }
@@ -2009,20 +2217,52 @@ class ThreadLocal {
       return CheckedDowncastToActualType<ValueHolder>(holder)->pointer();
     }
 
-    ValueHolder* const new_holder = new ValueHolder(default_);
+    ValueHolder* const new_holder = default_factory_->MakeNewHolder();
     ThreadLocalValueHolderBase* const holder_base = new_holder;
     GTEST_CHECK_POSIX_SUCCESS_(pthread_setspecific(key_, holder_base));
     return new_holder->pointer();
   }
 
+  class ValueHolderFactory {
+   public:
+    ValueHolderFactory() {}
+    virtual ~ValueHolderFactory() {}
+    virtual ValueHolder* MakeNewHolder() const = 0;
+
+   private:
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(ValueHolderFactory);
+  };
+
+  class DefaultValueHolderFactory : public ValueHolderFactory {
+   public:
+    DefaultValueHolderFactory() {}
+    virtual ValueHolder* MakeNewHolder() const { return new ValueHolder(); }
+
+   private:
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(DefaultValueHolderFactory);
+  };
+
+  class InstanceValueHolderFactory : public ValueHolderFactory {
+   public:
+    explicit InstanceValueHolderFactory(const T& value) : value_(value) {}
+    virtual ValueHolder* MakeNewHolder() const {
+      return new ValueHolder(value_);
+    }
+
+   private:
+    const T value_;  // The value for each thread.
+
+    GTEST_DISALLOW_COPY_AND_ASSIGN_(InstanceValueHolderFactory);
+  };
+
   // A key pthreads uses for looking up per-thread values.
   const pthread_key_t key_;
-  const T default_;  // The default value for each thread.
+  scoped_ptr<ValueHolderFactory> default_factory_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(ThreadLocal);
 };
 
-# endif  // OS detection
+# endif  // GTEST_HAS_MUTEX_AND_THREAD_LOCAL_
 
 #else  // GTEST_IS_THREADSAFE
 
@@ -2057,7 +2297,7 @@ class GTestMutexLock {
 typedef GTestMutexLock MutexLock;
 
 template <typename T>
-class ThreadLocal {
+class GTEST_API_ ThreadLocal {
  public:
   ThreadLocal() : value_() {}
   explicit ThreadLocal(const T& value) : value_(value) {}
@@ -2076,12 +2316,13 @@ class ThreadLocal {
 GTEST_API_ size_t GetThreadCount();
 
 // Passing non-POD classes through ellipsis (...) crashes the ARM
-// compiler and generates a warning in Sun Studio.  The Nokia Symbian
+// compiler and generates a warning in Sun Studio before 12u4. The Nokia Symbian
 // and the IBM XL C/C++ compiler try to instantiate a copy constructor
 // for objects passed through ellipsis (...), failing for uncopyable
 // objects.  We define this to ensure that only POD is passed through
 // ellipsis on these systems.
-#if defined(__SYMBIAN32__) || defined(__IBMCPP__) || defined(__SUNPRO_CC)
+#if defined(__SYMBIAN32__) || defined(__IBMCPP__) || \
+     (defined(__SUNPRO_CC) && __SUNPRO_CC < 0x5130)
 // We lose support for NULL detection where the compiler doesn't like
 // passing non-POD classes through ellipsis (...).
 # define GTEST_ELLIPSIS_NEEDS_POD_ 1
@@ -2107,6 +2348,13 @@ template <bool bool_value> const bool bool_constant<bool_value>::value;
 typedef bool_constant<false> false_type;
 typedef bool_constant<true> true_type;
 
+template <typename T, typename U>
+struct is_same : public false_type {};
+
+template <typename T>
+struct is_same<T, T> : public true_type {};
+
+
 template <typename T>
 struct is_pointer : public false_type {};
 
@@ -2118,6 +2366,7 @@ struct IteratorTraits {
   typedef typename Iterator::value_type value_type;
 };
 
+
 template <typename T>
 struct IteratorTraits<T*> {
   typedef T value_type;
@@ -2179,6 +2428,13 @@ inline char ToUpper(char ch) {
   return static_cast<char>(toupper(static_cast<unsigned char>(ch)));
 }
 
+inline std::string StripTrailingSpaces(std::string str) {
+  std::string::iterator it = str.end();
+  while (it != str.begin() && IsSpace(*--it))
+    it = str.erase(it);
+  return str;
+}
+
 // The testing::internal::posix namespace holds wrappers for common
 // POSIX functions.  These wrappers hide the differences between
 // Windows/MSVC and POSIX systems.  Since some compilers define these
@@ -2242,7 +2498,7 @@ inline bool IsDir(const StatStruct& st) { return S_ISDIR(st.st_mode); }
 
 // Functions deprecated by MSVC 8.0.
 
-GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* deprecated function */)
+GTEST_DISABLE_MSC_DEPRECATED_PUSH_()
 
 inline const char* StrNCpy(char* dest, const char* src, size_t n) {
   return strncpy(dest, src, n);
@@ -2276,8 +2532,9 @@ inline int Close(int fd) { return close(fd); }
 inline const char* StrError(int errnum) { return strerror(errnum); }
 #endif
 inline const char* GetEnv(const char* name) {
-#if GTEST_OS_WINDOWS_MOBILE || GTEST_OS_WINDOWS_PHONE | GTEST_OS_WINDOWS_RT
+#if GTEST_OS_WINDOWS_MOBILE || GTEST_OS_WINDOWS_PHONE || GTEST_OS_WINDOWS_RT
   // We are on Windows CE, which has no environment variables.
+  static_cast<void>(name);  // To prevent 'unused argument' warning.
   return NULL;
 #elif defined(__BORLANDC__) || defined(__SunOS_5_8) || defined(__SunOS_5_9)
   // Environment variables which we programmatically clear will be set to the
@@ -2289,7 +2546,7 @@ inline const char* GetEnv(const char* name) {
 #endif
 }
 
-GTEST_DISABLE_MSC_WARNINGS_POP_()
+GTEST_DISABLE_MSC_DEPRECATED_POP_()
 
 #if GTEST_OS_WINDOWS_MOBILE
 // Windows CE has no C library. The abort() function is used in
@@ -2390,31 +2647,44 @@ typedef TypeWithSize<8>::Int TimeInMillis;  // Represents time in milliseconds.
 // Utilities for command line flags and environment variables.
 
 // Macro for referencing flags.
-#define GTEST_FLAG(name) FLAGS_gtest_##name
+#if !defined(GTEST_FLAG)
+# define GTEST_FLAG(name) FLAGS_gtest_##name
+#endif  // !defined(GTEST_FLAG)
+
+#if !defined(GTEST_USE_OWN_FLAGFILE_FLAG_)
+# define GTEST_USE_OWN_FLAGFILE_FLAG_ 1
+#endif  // !defined(GTEST_USE_OWN_FLAGFILE_FLAG_)
+
+#if !defined(GTEST_DECLARE_bool_)
+# define GTEST_FLAG_SAVER_ ::testing::internal::GTestFlagSaver
 
 // Macros for declaring flags.
-#define GTEST_DECLARE_bool_(name) GTEST_API_ extern bool GTEST_FLAG(name)
-#define GTEST_DECLARE_int32_(name) \
+# define GTEST_DECLARE_bool_(name) GTEST_API_ extern bool GTEST_FLAG(name)
+# define GTEST_DECLARE_int32_(name) \
     GTEST_API_ extern ::testing::internal::Int32 GTEST_FLAG(name)
-#define GTEST_DECLARE_string_(name) \
+# define GTEST_DECLARE_string_(name) \
     GTEST_API_ extern ::std::string GTEST_FLAG(name)
 
 // Macros for defining flags.
-#define GTEST_DEFINE_bool_(name, default_val, doc) \
+# define GTEST_DEFINE_bool_(name, default_val, doc) \
     GTEST_API_ bool GTEST_FLAG(name) = (default_val)
-#define GTEST_DEFINE_int32_(name, default_val, doc) \
+# define GTEST_DEFINE_int32_(name, default_val, doc) \
     GTEST_API_ ::testing::internal::Int32 GTEST_FLAG(name) = (default_val)
-#define GTEST_DEFINE_string_(name, default_val, doc) \
+# define GTEST_DEFINE_string_(name, default_val, doc) \
     GTEST_API_ ::std::string GTEST_FLAG(name) = (default_val)
 
+#endif  // !defined(GTEST_DECLARE_bool_)
+
 // Thread annotations
-#define GTEST_EXCLUSIVE_LOCK_REQUIRED_(locks)
-#define GTEST_LOCK_EXCLUDED_(locks)
+#if !defined(GTEST_EXCLUSIVE_LOCK_REQUIRED_)
+# define GTEST_EXCLUSIVE_LOCK_REQUIRED_(locks)
+# define GTEST_LOCK_EXCLUDED_(locks)
+#endif  // !defined(GTEST_EXCLUSIVE_LOCK_REQUIRED_)
 
 // Parses 'str' for a 32-bit signed integer.  If successful, writes the result
 // to *value and returns true; otherwise leaves *value unchanged and returns
 // false.
-// TODO(chandlerc): Find a better way to refactor flag and environment parsing
+// FIXME: Find a better way to refactor flag and environment parsing
 // out of both gtest-port.cc and gtest.cc to avoid exporting this utility
 // function.
 bool ParseInt32(const Message& src_text, const char* str, Int32* value);
@@ -2423,10 +2693,10 @@ bool ParseInt32(const Message& src_text, const char* str, Int32* value);
 // corresponding to the given Google Test flag.
 bool BoolFromGTestEnv(const char* flag, bool default_val);
 GTEST_API_ Int32 Int32FromGTestEnv(const char* flag, Int32 default_val);
+std::string OutputFlagAlsoCheckEnvVar();
 const char* StringFromGTestEnv(const char* flag, const char* default_val);
 
 }  // namespace internal
 }  // namespace testing
 
 #endif  // GTEST_INCLUDE_GTEST_INTERNAL_GTEST_PORT_H_
-
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-string.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-string.h
index 97f1a7fdd2..4c9b6262c3 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-string.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-string.h
@@ -27,17 +27,17 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: wan@google.com (Zhanyong Wan), eefacm@gmail.com (Sean Mcafee)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file declares the String class and functions used internally by
 // Google Test.  They are subject to change without notice. They should not used
 // by code external to Google Test.
 //
-// This header file is #included by <gtest/internal/gtest-internal.h>.
+// This header file is #included by gtest-internal.h.
 // It should not be #included by other files.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_STRING_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_STRING_H_
 
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h
index e9b405340a..78a3a6a01f 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h
@@ -30,11 +30,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Implements a subset of TR1 tuple needed by Google Test and Google Mock.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TUPLE_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TUPLE_H_
 
@@ -42,7 +43,7 @@
 
 // The compiler used in Symbian has a bug that prevents us from declaring the
 // tuple template as a friend (it complains that tuple is redefined).  This
-// hack bypasses the bug by declaring the members that should otherwise be
+// bypasses the bug by declaring the members that should otherwise be
 // private as public.
 // Sun Studio versions < 12 also have the above bug.
 #if defined(__SYMBIAN32__) || (defined(__SUNPRO_CC) && __SUNPRO_CC < 0x590)
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h.pump b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h.pump
index 429ddfeeca..bb626e049f 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h.pump
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-tuple.h.pump
@@ -29,11 +29,12 @@ $$ This meta comment fixes auto-indentation in Emacs. }}
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Implements a subset of TR1 tuple needed by Google Test and Google Mock.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TUPLE_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TUPLE_H_
 
@@ -41,7 +42,7 @@ $$ This meta comment fixes auto-indentation in Emacs. }}
 
 // The compiler used in Symbian has a bug that prevents us from declaring the
 // tuple template as a friend (it complains that tuple is redefined).  This
-// hack bypasses the bug by declaring the members that should otherwise be
+// bypasses the bug by declaring the members that should otherwise be
 // private as public.
 // Sun Studio versions < 12 also have the above bug.
 #if defined(__SYMBIAN32__) || (defined(__SUNPRO_CC) && __SUNPRO_CC < 0x590)
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h
index e46f7cfcb4..28e4112453 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h
@@ -30,8 +30,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Type utilities needed for implementing typed and type-parameterized
 // tests.  This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
@@ -41,6 +40,8 @@
 // Please contact googletestframework@googlegroups.com if you need
 // more.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TYPE_UTIL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TYPE_UTIL_H_
 
@@ -57,6 +58,22 @@
 namespace testing {
 namespace internal {
 
+// Canonicalizes a given name with respect to the Standard C++ Library.
+// This handles removing the inline namespace within `std` that is
+// used by various standard libraries (e.g., `std::__1`).  Names outside
+// of namespace std are returned unmodified.
+inline std::string CanonicalizeForStdLibVersioning(std::string s) {
+  static const char prefix[] = "std::__";
+  if (s.compare(0, strlen(prefix), prefix) == 0) {
+    std::string::size_type end = s.find("::", strlen(prefix));
+    if (end != s.npos) {
+      // Erase everything between the initial `std` and the second `::`.
+      s.erase(strlen("std"), end - strlen("std"));
+    }
+  }
+  return s;
+}
+
 // GetTypeName<T>() returns a human-readable name of type T.
 // NB: This function is also used in Google Mock, so don't move it inside of
 // the typed-test-only section below.
@@ -75,7 +92,7 @@ std::string GetTypeName() {
   char* const readable_name = __cxa_demangle(name, 0, 0, &status);
   const std::string name_str(status == 0 ? readable_name : name);
   free(readable_name);
-  return name_str;
+  return CanonicalizeForStdLibVersioning(name_str);
 #  else
   return name;
 #  endif  // GTEST_HAS_CXXABI_H_ || __HP_aCC
diff --git a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h.pump b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h.pump
index 251fdf025b..0001a5d39d 100644
--- a/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h.pump
+++ b/security/nss/gtests/google_test/gtest/include/gtest/internal/gtest-type-util.h.pump
@@ -28,8 +28,7 @@ $var n = 50  $$ Maximum length of type lists we want to support.
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Type utilities needed for implementing typed and type-parameterized
 // tests.  This file is generated by a SCRIPT.  DO NOT EDIT BY HAND!
@@ -39,6 +38,8 @@ $var n = 50  $$ Maximum length of type lists we want to support.
 // Please contact googletestframework@googlegroups.com if you need
 // more.
 
+// GOOGLETEST_CM0001 DO NOT DELETE
+
 #ifndef GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TYPE_UTIL_H_
 #define GTEST_INCLUDE_GTEST_INTERNAL_GTEST_TYPE_UTIL_H_
 
@@ -55,6 +56,22 @@ $var n = 50  $$ Maximum length of type lists we want to support.
 namespace testing {
 namespace internal {
 
+// Canonicalizes a given name with respect to the Standard C++ Library.
+// This handles removing the inline namespace within `std` that is
+// used by various standard libraries (e.g., `std::__1`).  Names outside
+// of namespace std are returned unmodified.
+inline std::string CanonicalizeForStdLibVersioning(std::string s) {
+  static const char prefix[] = "std::__";
+  if (s.compare(0, strlen(prefix), prefix) == 0) {
+    std::string::size_type end = s.find("::", strlen(prefix));
+    if (end != s.npos) {
+      // Erase everything between the initial `std` and the second `::`.
+      s.erase(strlen("std"), end - strlen("std"));
+    }
+  }
+  return s;
+}
+
 // GetTypeName<T>() returns a human-readable name of type T.
 // NB: This function is also used in Google Mock, so don't move it inside of
 // the typed-test-only section below.
@@ -73,7 +90,7 @@ std::string GetTypeName() {
   char* const readable_name = __cxa_demangle(name, 0, 0, &status);
   const std::string name_str(status == 0 ? readable_name : name);
   free(readable_name);
-  return name_str;
+  return CanonicalizeForStdLibVersioning(name_str);
 #  else
   return name;
 #  endif  // GTEST_HAS_CXXABI_H_ || __HP_aCC
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.sln b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.sln
new file mode 100644
index 0000000000..e36b33b621
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.sln
@@ -0,0 +1,55 @@
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual C++ Express 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest-md", "gtest-md.vcxproj", "{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_main-md", "gtest_main-md.vcxproj", "{3AF54C8A-10BF-4332-9147-F68ED9862033}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_prod_test-md", "gtest_prod_test-md.vcxproj", "{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_unittest-md", "gtest_unittest-md.vcxproj", "{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug|Win32.ActiveCfg = Debug|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug|Win32.Build.0 = Debug|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug|x64.ActiveCfg = Debug|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug|x64.Build.0 = Debug|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release|Win32.ActiveCfg = Release|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release|Win32.Build.0 = Release|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release|x64.ActiveCfg = Release|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release|x64.Build.0 = Release|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug|Win32.ActiveCfg = Debug|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug|Win32.Build.0 = Debug|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug|x64.ActiveCfg = Debug|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug|x64.Build.0 = Debug|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release|Win32.ActiveCfg = Release|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release|Win32.Build.0 = Release|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release|x64.ActiveCfg = Release|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release|x64.Build.0 = Release|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug|Win32.ActiveCfg = Debug|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug|Win32.Build.0 = Debug|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug|x64.ActiveCfg = Debug|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug|x64.Build.0 = Debug|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release|Win32.ActiveCfg = Release|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release|Win32.Build.0 = Release|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release|x64.ActiveCfg = Release|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release|x64.Build.0 = Release|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug|Win32.ActiveCfg = Debug|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug|Win32.Build.0 = Debug|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug|x64.ActiveCfg = Debug|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug|x64.Build.0 = Debug|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release|Win32.ActiveCfg = Release|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release|Win32.Build.0 = Release|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release|x64.ActiveCfg = Release|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj
new file mode 100644
index 0000000000..16a6ff12f7
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtestd</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtestd</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest-all.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj.filters
new file mode 100644
index 0000000000..69edeff230
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest-md.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest-all.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest.sln b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.sln
new file mode 100644
index 0000000000..cacd5c0ce6
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.sln
@@ -0,0 +1,55 @@
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual C++ Express 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest", "gtest.vcxproj", "{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_main", "gtest_main.vcxproj", "{3AF54C8A-10BF-4332-9147-F68ED9862032}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_unittest", "gtest_unittest.vcxproj", "{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_prod_test", "gtest_prod_test.vcxproj", "{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug|Win32.ActiveCfg = Debug|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug|Win32.Build.0 = Debug|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug|x64.ActiveCfg = Debug|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug|x64.Build.0 = Debug|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release|Win32.ActiveCfg = Release|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release|Win32.Build.0 = Release|Win32
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release|x64.ActiveCfg = Release|x64
+		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release|x64.Build.0 = Release|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug|Win32.ActiveCfg = Debug|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug|Win32.Build.0 = Debug|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug|x64.ActiveCfg = Debug|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug|x64.Build.0 = Debug|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release|Win32.ActiveCfg = Release|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release|Win32.Build.0 = Release|Win32
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release|x64.ActiveCfg = Release|x64
+		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release|x64.Build.0 = Release|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug|Win32.ActiveCfg = Debug|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug|Win32.Build.0 = Debug|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug|x64.ActiveCfg = Debug|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug|x64.Build.0 = Debug|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release|Win32.ActiveCfg = Release|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release|Win32.Build.0 = Release|Win32
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release|x64.ActiveCfg = Release|x64
+		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release|x64.Build.0 = Release|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug|Win32.ActiveCfg = Debug|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug|Win32.Build.0 = Debug|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug|x64.ActiveCfg = Debug|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug|x64.Build.0 = Debug|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release|Win32.ActiveCfg = Release|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release|Win32.Build.0 = Release|Win32
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release|x64.ActiveCfg = Release|x64
+		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj
new file mode 100644
index 0000000000..a46f5c7af2
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+    <TargetName>gtestd</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+    <TargetName>gtest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtestd</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest-all.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj.filters
new file mode 100644
index 0000000000..69edeff230
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest-all.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj
new file mode 100644
index 0000000000..3d773895b7
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3AF54C8A-10BF-4332-9147-F68ED9862033}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_maind</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_main</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtest_maind</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest_main</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib />
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest_main.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest-md.vcxproj">
+      <Project>{c8f6c172-56f2-4e76-b5fa-c3b423b31be8}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj.filters
new file mode 100644
index 0000000000..726c773ccb
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main-md.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest_main.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj
new file mode 100644
index 0000000000..8fb25897c8
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj
@@ -0,0 +1,162 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3AF54C8A-10BF-4332-9147-F68ED9862032}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+    <TargetName>gtest_maind</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+    <TargetName>gtest_main</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtest_maind</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest_main</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(ProjectName)d.lib</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(ProjectName)d.lib</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(ProjectName).lib</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Lib>
+      <OutputFile>$(OutDir)$(ProjectName).lib</OutputFile>
+    </Lib>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest_main.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest.vcxproj">
+      <Project>{c8f6c172-56f2-4e76-b5fa-c3b423b31be7}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj.filters
new file mode 100644
index 0000000000..726c773ccb
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_main.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\src\gtest_main.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj
new file mode 100644
index 0000000000..830e5dce41
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</LinkIncremental>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_prod_test</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_prod_test</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtest_prod_test</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest_prod_test</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_prod_test.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_prod_test.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_prod_test.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="..\..\test\production.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\test\production.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest_main-md.vcxproj">
+      <Project>{3af54c8a-10bf-4332-9147-f68ed9862033}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj.filters
new file mode 100644
index 0000000000..ac367310ae
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test-md.vcxproj.filters
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_prod_test.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\test\production.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\test\production.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj
new file mode 100644
index 0000000000..d42e13511d
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</LinkIncremental>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_prod_test.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_prod_test.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_prod_test.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="..\..\test\production.cc">
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\test\production.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest_main.vcxproj">
+      <Project>{3af54c8a-10bf-4332-9147-f68ed9862032}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj.filters
new file mode 100644
index 0000000000..ac367310ae
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_prod_test.vcxproj.filters
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_prod_test.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\test\production.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\test\production.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj
new file mode 100644
index 0000000000..93b0dc4e1a
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj
@@ -0,0 +1,188 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</LinkIncremental>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_unittest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)$(ProjectName)\</IntDir>
+    <TargetName>gtest_unittest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>gtest_unittest</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>gtest_unittest</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_unittest.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_unittest.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_unittest.cc">
+      <Optimization Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">MinSpace</Optimization>
+      <Optimization Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">MinSpace</Optimization>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <BasicRuntimeChecks Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Default</BasicRuntimeChecks>
+      <BasicRuntimeChecks Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Default</BasicRuntimeChecks>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <DebugInformationFormat Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">ProgramDatabase</DebugInformationFormat>
+      <DebugInformationFormat Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest_main-md.vcxproj">
+      <Project>{3af54c8a-10bf-4332-9147-f68ed9862033}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj.filters
new file mode 100644
index 0000000000..047dae513e
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest-md.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_unittest.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj
new file mode 100644
index 0000000000..ec6abde7da
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj
@@ -0,0 +1,180 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v100</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.40219.1</_ProjectFileVersion>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">true</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</LinkIncremental>
+    <OutDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">$(OutDir)temp\$(ProjectName)\</IntDir>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</LinkIncremental>
+    <LinkIncremental Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(SolutionName)\$(Platform)-$(Configuration)\</OutDir>
+    <IntDir>$(OutDir)temp\$(ProjectName)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_unittest.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ProgramDatabaseFile>$(OutDir)gtest_unittest.pdb</ProgramDatabaseFile>
+      <SubSystem>Console</SubSystem>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PreprocessorDefinitions>WIN32;_VARIADIC_MAX=10;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories>..\..\include;..\..;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Console</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_unittest.cc">
+      <Optimization Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">MinSpace</Optimization>
+      <Optimization Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">MinSpace</Optimization>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <BasicRuntimeChecks Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Default</BasicRuntimeChecks>
+      <BasicRuntimeChecks Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Default</BasicRuntimeChecks>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <DebugInformationFormat Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">ProgramDatabase</DebugInformationFormat>
+      <DebugInformationFormat Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">ProgramDatabase</DebugInformationFormat>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories Condition="'$(Configuration)|$(Platform)'=='Release|x64'">..;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="gtest_main.vcxproj">
+      <Project>{3af54c8a-10bf-4332-9147-f68ed9862032}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj.filters b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj.filters
new file mode 100644
index 0000000000..047dae513e
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/msvc/2010/gtest_unittest.vcxproj.filters
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\test\gtest_unittest.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest-md.sln b/security/nss/gtests/google_test/gtest/msvc/gtest-md.sln
deleted file mode 100644
index f7908da11f..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest-md.sln
+++ /dev/null
@@ -1,45 +0,0 @@
-Microsoft Visual Studio Solution File, Format Version 8.00

-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest-md", "gtest-md.vcproj", "{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}"

-	ProjectSection(ProjectDependencies) = postProject

-	EndProjectSection

-EndProject

-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_main-md", "gtest_main-md.vcproj", "{3AF54C8A-10BF-4332-9147-F68ED9862033}"

-	ProjectSection(ProjectDependencies) = postProject

-	EndProjectSection

-EndProject

-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_prod_test-md", "gtest_prod_test-md.vcproj", "{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}"

-	ProjectSection(ProjectDependencies) = postProject

-	EndProjectSection

-EndProject

-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_unittest-md", "gtest_unittest-md.vcproj", "{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}"

-	ProjectSection(ProjectDependencies) = postProject

-	EndProjectSection

-EndProject

-Global

-	GlobalSection(SolutionConfiguration) = preSolution

-		Debug = Debug

-		Release = Release

-	EndGlobalSection

-	GlobalSection(ProjectConfiguration) = postSolution

-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug.ActiveCfg = Debug|Win32

-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Debug.Build.0 = Debug|Win32

-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release.ActiveCfg = Release|Win32

-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}.Release.Build.0 = Release|Win32

-		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug.ActiveCfg = Debug|Win32

-		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Debug.Build.0 = Debug|Win32

-		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release.ActiveCfg = Release|Win32

-		{3AF54C8A-10BF-4332-9147-F68ED9862033}.Release.Build.0 = Release|Win32

-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug.ActiveCfg = Debug|Win32

-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Debug.Build.0 = Debug|Win32

-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release.ActiveCfg = Release|Win32

-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}.Release.Build.0 = Release|Win32

-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug.ActiveCfg = Debug|Win32

-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Debug.Build.0 = Debug|Win32

-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release.ActiveCfg = Release|Win32

-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}.Release.Build.0 = Release|Win32

-	EndGlobalSection

-	GlobalSection(ExtensibilityGlobals) = postSolution

-	EndGlobalSection

-	GlobalSection(ExtensibilityAddIns) = postSolution

-	EndGlobalSection

-EndGlobal

diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest-md.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest-md.vcproj
deleted file mode 100644
index 1c35c3a5ed..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest-md.vcproj
+++ /dev/null
@@ -1,126 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>

-<VisualStudioProject

-	ProjectType="Visual C++"

-	Version="7.10"

-	Name="gtest-md"

-	ProjectGUID="{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}"

-	Keyword="Win32Proj">

-	<Platforms>

-		<Platform

-			Name="Win32"/>

-	</Platforms>

-	<Configurations>

-		<Configuration

-			Name="Debug|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="4"

-			CharacterSet="2"

-			ReferencesPath="">

-			<Tool

-				Name="VCCLCompilerTool"

-				Optimization="0"

-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"

-				MinimalRebuild="TRUE"

-				BasicRuntimeChecks="3"

-				RuntimeLibrary="3"

-				UsePrecompiledHeader="0"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="4"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLibrarianTool"

-				OutputFile="$(OutDir)/gtestd.lib"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-		<Configuration

-			Name="Release|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="4"

-			CharacterSet="2"

-			ReferencesPath="&quot;..\include&quot;;&quot;..&quot;">

-			<Tool

-				Name="VCCLCompilerTool"

-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB"

-				RuntimeLibrary="2"

-				UsePrecompiledHeader="0"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="3"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLibrarianTool"

-				OutputFile="$(OutDir)/gtest.lib"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-	</Configurations>

-	<References>

-	</References>

-	<Files>

-		<Filter

-			Name="Source Files"

-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"

-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">

-			<File

-				RelativePath="..\src\gtest-all.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>

-				</FileConfiguration>

-			</File>

-		</Filter>

-		<Filter

-			Name="Header Files"

-			Filter="h;hpp;hxx;hm;inl;inc;xsd"

-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">

-		</Filter>

-	</Files>

-	<Globals>

-	</Globals>

-</VisualStudioProject>

diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest.sln b/security/nss/gtests/google_test/gtest/msvc/gtest.sln
deleted file mode 100644
index ef4b057fff..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest.sln
+++ /dev/null
@@ -1,45 +0,0 @@
-Microsoft Visual Studio Solution File, Format Version 8.00

-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest", "gtest.vcproj", "{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}"

-	ProjectSection(ProjectDependencies) = postProject

-	EndProjectSection

-EndProject

-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_main", "gtest_main.vcproj", "{3AF54C8A-10BF-4332-9147-F68ED9862032}"

-	ProjectSection(ProjectDependencies) = postProject

-	EndProjectSection

-EndProject

-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_unittest", "gtest_unittest.vcproj", "{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}"

-	ProjectSection(ProjectDependencies) = postProject

-	EndProjectSection

-EndProject

-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gtest_prod_test", "gtest_prod_test.vcproj", "{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}"

-	ProjectSection(ProjectDependencies) = postProject

-	EndProjectSection

-EndProject

-Global

-	GlobalSection(SolutionConfiguration) = preSolution

-		Debug = Debug

-		Release = Release

-	EndGlobalSection

-	GlobalSection(ProjectConfiguration) = postSolution

-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug.ActiveCfg = Debug|Win32

-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Debug.Build.0 = Debug|Win32

-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release.ActiveCfg = Release|Win32

-		{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}.Release.Build.0 = Release|Win32

-		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug.ActiveCfg = Debug|Win32

-		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Debug.Build.0 = Debug|Win32

-		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release.ActiveCfg = Release|Win32

-		{3AF54C8A-10BF-4332-9147-F68ED9862032}.Release.Build.0 = Release|Win32

-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug.ActiveCfg = Debug|Win32

-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Debug.Build.0 = Debug|Win32

-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release.ActiveCfg = Release|Win32

-		{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}.Release.Build.0 = Release|Win32

-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug.ActiveCfg = Debug|Win32

-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Debug.Build.0 = Debug|Win32

-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release.ActiveCfg = Release|Win32

-		{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}.Release.Build.0 = Release|Win32

-	EndGlobalSection

-	GlobalSection(ExtensibilityGlobals) = postSolution

-	EndGlobalSection

-	GlobalSection(ExtensibilityAddIns) = postSolution

-	EndGlobalSection

-EndGlobal

diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest.vcproj
deleted file mode 100644
index a8373ce9a4..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest.vcproj
+++ /dev/null
@@ -1,126 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>

-<VisualStudioProject

-	ProjectType="Visual C++"

-	Version="7.10"

-	Name="gtest"

-	ProjectGUID="{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}"

-	Keyword="Win32Proj">

-	<Platforms>

-		<Platform

-			Name="Win32"/>

-	</Platforms>

-	<Configurations>

-		<Configuration

-			Name="Debug|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="4"

-			CharacterSet="2"

-			ReferencesPath="">

-			<Tool

-				Name="VCCLCompilerTool"

-				Optimization="0"

-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"

-				MinimalRebuild="TRUE"

-				BasicRuntimeChecks="3"

-				RuntimeLibrary="5"

-				UsePrecompiledHeader="0"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="4"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLibrarianTool"

-				OutputFile="$(OutDir)/gtestd.lib"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-		<Configuration

-			Name="Release|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="4"

-			CharacterSet="2"

-			ReferencesPath="&quot;..\include&quot;;&quot;..&quot;">

-			<Tool

-				Name="VCCLCompilerTool"

-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB"

-				RuntimeLibrary="4"

-				UsePrecompiledHeader="0"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="3"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLibrarianTool"

-				OutputFile="$(OutDir)/gtest.lib"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-	</Configurations>

-	<References>

-	</References>

-	<Files>

-		<Filter

-			Name="Source Files"

-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"

-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">

-			<File

-				RelativePath="..\src\gtest-all.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>

-				</FileConfiguration>

-			</File>

-		</Filter>

-		<Filter

-			Name="Header Files"

-			Filter="h;hpp;hxx;hm;inl;inc;xsd"

-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">

-		</Filter>

-	</Files>

-	<Globals>

-	</Globals>

-</VisualStudioProject>

diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_main-md.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_main-md.vcproj
deleted file mode 100644
index b5379fe610..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_main-md.vcproj
+++ /dev/null
@@ -1,129 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>

-<VisualStudioProject

-	ProjectType="Visual C++"

-	Version="7.10"

-	Name="gtest_main-md"

-	ProjectGUID="{3AF54C8A-10BF-4332-9147-F68ED9862033}"

-	Keyword="Win32Proj">

-	<Platforms>

-		<Platform

-			Name="Win32"/>

-	</Platforms>

-	<Configurations>

-		<Configuration

-			Name="Debug|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="4"

-			CharacterSet="2"

-			ReferencesPath="">

-			<Tool

-				Name="VCCLCompilerTool"

-				Optimization="0"

-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"

-				MinimalRebuild="TRUE"

-				BasicRuntimeChecks="3"

-				RuntimeLibrary="3"

-				UsePrecompiledHeader="0"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="4"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLibrarianTool"

-				OutputFile="$(OutDir)/$(ProjectName)d.lib"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-		<Configuration

-			Name="Release|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="4"

-			CharacterSet="2"

-			ReferencesPath="&quot;..\include&quot;;&quot;..&quot;">

-			<Tool

-				Name="VCCLCompilerTool"

-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB"

-				RuntimeLibrary="2"

-				UsePrecompiledHeader="0"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="3"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLibrarianTool"

-				OutputFile="$(OutDir)/$(ProjectName).lib"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-	</Configurations>

-	<References>

-		<ProjectReference

-			ReferencedProjectIdentifier="{C8F6C172-56F2-4E76-B5FA-C3B423B31BE8}"

-			Name="gtest-md"/>

-	</References>

-	<Files>

-		<Filter

-			Name="Source Files"

-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"

-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">

-			<File

-				RelativePath="..\src\gtest_main.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>

-				</FileConfiguration>

-			</File>

-		</Filter>

-		<Filter

-			Name="Header Files"

-			Filter="h;hpp;hxx;hm;inl;inc;xsd"

-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">

-		</Filter>

-	</Files>

-	<Globals>

-	</Globals>

-</VisualStudioProject>

diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_main.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_main.vcproj
deleted file mode 100644
index e8b763c56d..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_main.vcproj
+++ /dev/null
@@ -1,129 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>

-<VisualStudioProject

-	ProjectType="Visual C++"

-	Version="7.10"

-	Name="gtest_main"

-	ProjectGUID="{3AF54C8A-10BF-4332-9147-F68ED9862032}"

-	Keyword="Win32Proj">

-	<Platforms>

-		<Platform

-			Name="Win32"/>

-	</Platforms>

-	<Configurations>

-		<Configuration

-			Name="Debug|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="4"

-			CharacterSet="2"

-			ReferencesPath="">

-			<Tool

-				Name="VCCLCompilerTool"

-				Optimization="0"

-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"

-				MinimalRebuild="TRUE"

-				BasicRuntimeChecks="3"

-				RuntimeLibrary="5"

-				UsePrecompiledHeader="0"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="4"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLibrarianTool"

-				OutputFile="$(OutDir)/$(ProjectName)d.lib"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-		<Configuration

-			Name="Release|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="4"

-			CharacterSet="2"

-			ReferencesPath="&quot;..\include&quot;;&quot;..&quot;">

-			<Tool

-				Name="VCCLCompilerTool"

-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB"

-				RuntimeLibrary="4"

-				UsePrecompiledHeader="0"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="3"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLibrarianTool"

-				OutputFile="$(OutDir)/$(ProjectName).lib"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-	</Configurations>

-	<References>

-		<ProjectReference

-			ReferencedProjectIdentifier="{C8F6C172-56F2-4E76-B5FA-C3B423B31BE7}"

-			Name="gtest"/>

-	</References>

-	<Files>

-		<Filter

-			Name="Source Files"

-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"

-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">

-			<File

-				RelativePath="..\src\gtest_main.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"/>

-				</FileConfiguration>

-			</File>

-		</Filter>

-		<Filter

-			Name="Header Files"

-			Filter="h;hpp;hxx;hm;inl;inc;xsd"

-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">

-		</Filter>

-	</Files>

-	<Globals>

-	</Globals>

-</VisualStudioProject>

diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test-md.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test-md.vcproj
deleted file mode 100644
index 05b05d9ed9..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test-md.vcproj
+++ /dev/null
@@ -1,164 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>

-<VisualStudioProject

-	ProjectType="Visual C++"

-	Version="7.10"

-	Name="gtest_prod_test-md"

-	ProjectGUID="{24848551-EF4F-47E8-9A9D-EA4D49BC3ECB}"

-	Keyword="Win32Proj">

-	<Platforms>

-		<Platform

-			Name="Win32"/>

-	</Platforms>

-	<Configurations>

-		<Configuration

-			Name="Debug|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="1"

-			CharacterSet="2">

-			<Tool

-				Name="VCCLCompilerTool"

-				Optimization="0"

-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"

-				MinimalRebuild="TRUE"

-				BasicRuntimeChecks="3"

-				RuntimeLibrary="3"

-				UsePrecompiledHeader="3"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="4"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLinkerTool"

-				OutputFile="$(OutDir)/gtest_prod_test.exe"

-				LinkIncremental="2"

-				GenerateDebugInformation="TRUE"

-				ProgramDatabaseFile="$(OutDir)/gtest_prod_test.pdb"

-				SubSystem="1"

-				TargetMachine="1"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCWebDeploymentTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-		<Configuration

-			Name="Release|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="1"

-			CharacterSet="2">

-			<Tool

-				Name="VCCLCompilerTool"

-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"

-				RuntimeLibrary="2"

-				UsePrecompiledHeader="3"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="3"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLinkerTool"

-				OutputFile="$(OutDir)/gtest_prod_test.exe"

-				LinkIncremental="1"

-				GenerateDebugInformation="TRUE"

-				SubSystem="1"

-				OptimizeReferences="2"

-				EnableCOMDATFolding="2"

-				TargetMachine="1"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCWebDeploymentTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-	</Configurations>

-	<References>

-		<ProjectReference

-			ReferencedProjectIdentifier="{3AF54C8A-10BF-4332-9147-F68ED9862033}"

-			Name="gtest_main-md"/>

-	</References>

-	<Files>

-		<Filter

-			Name="Source Files"

-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"

-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">

-			<File

-				RelativePath="..\test\gtest_prod_test.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-			</File>

-			<File

-				RelativePath="..\test\production.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-			</File>

-		</Filter>

-		<Filter

-			Name="Header Files"

-			Filter="h;hpp;hxx;hm;inl;inc;xsd"

-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">

-			<File

-				RelativePath="..\test\production.h">

-			</File>

-		</Filter>

-	</Files>

-	<Globals>

-	</Globals>

-</VisualStudioProject>

diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test.vcproj
deleted file mode 100644
index 6d7a2f021b..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_prod_test.vcproj
+++ /dev/null
@@ -1,164 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>

-<VisualStudioProject

-	ProjectType="Visual C++"

-	Version="7.10"

-	Name="gtest_prod_test"

-	ProjectGUID="{24848551-EF4F-47E8-9A9D-EA4D49BC3ECA}"

-	Keyword="Win32Proj">

-	<Platforms>

-		<Platform

-			Name="Win32"/>

-	</Platforms>

-	<Configurations>

-		<Configuration

-			Name="Debug|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="1"

-			CharacterSet="2">

-			<Tool

-				Name="VCCLCompilerTool"

-				Optimization="0"

-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"

-				MinimalRebuild="TRUE"

-				BasicRuntimeChecks="3"

-				RuntimeLibrary="5"

-				UsePrecompiledHeader="3"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="4"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLinkerTool"

-				OutputFile="$(OutDir)/gtest_prod_test.exe"

-				LinkIncremental="2"

-				GenerateDebugInformation="TRUE"

-				ProgramDatabaseFile="$(OutDir)/gtest_prod_test.pdb"

-				SubSystem="1"

-				TargetMachine="1"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCWebDeploymentTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-		<Configuration

-			Name="Release|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="1"

-			CharacterSet="2">

-			<Tool

-				Name="VCCLCompilerTool"

-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"

-				RuntimeLibrary="4"

-				UsePrecompiledHeader="3"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="3"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLinkerTool"

-				OutputFile="$(OutDir)/gtest_prod_test.exe"

-				LinkIncremental="1"

-				GenerateDebugInformation="TRUE"

-				SubSystem="1"

-				OptimizeReferences="2"

-				EnableCOMDATFolding="2"

-				TargetMachine="1"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCWebDeploymentTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-	</Configurations>

-	<References>

-		<ProjectReference

-			ReferencedProjectIdentifier="{3AF54C8A-10BF-4332-9147-F68ED9862032}"

-			Name="gtest_main"/>

-	</References>

-	<Files>

-		<Filter

-			Name="Source Files"

-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"

-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">

-			<File

-				RelativePath="..\test\gtest_prod_test.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-			</File>

-			<File

-				RelativePath="..\test\production.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-			</File>

-		</Filter>

-		<Filter

-			Name="Header Files"

-			Filter="h;hpp;hxx;hm;inl;inc;xsd"

-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">

-			<File

-				RelativePath="..\test\production.h">

-			</File>

-		</Filter>

-	</Files>

-	<Globals>

-	</Globals>

-</VisualStudioProject>

diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_unittest-md.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_unittest-md.vcproj
deleted file mode 100644
index 38a5e5663c..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_unittest-md.vcproj
+++ /dev/null
@@ -1,147 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>

-<VisualStudioProject

-	ProjectType="Visual C++"

-	Version="7.10"

-	Name="gtest_unittest-md"

-	ProjectGUID="{4D9FDFB5-986A-4139-823C-F4EE0ED481A2}"

-	Keyword="Win32Proj">

-	<Platforms>

-		<Platform

-			Name="Win32"/>

-	</Platforms>

-	<Configurations>

-		<Configuration

-			Name="Debug|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="1"

-			CharacterSet="2">

-			<Tool

-				Name="VCCLCompilerTool"

-				Optimization="0"

-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"

-				MinimalRebuild="TRUE"

-				BasicRuntimeChecks="3"

-				RuntimeLibrary="3"

-				UsePrecompiledHeader="3"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="4"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLinkerTool"

-				OutputFile="$(OutDir)/gtest_unittest.exe"

-				LinkIncremental="2"

-				GenerateDebugInformation="TRUE"

-				ProgramDatabaseFile="$(OutDir)/gtest_unittest.pdb"

-				SubSystem="1"

-				TargetMachine="1"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCWebDeploymentTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-		<Configuration

-			Name="Release|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="1"

-			CharacterSet="2">

-			<Tool

-				Name="VCCLCompilerTool"

-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"

-				RuntimeLibrary="2"

-				UsePrecompiledHeader="3"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="3"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLinkerTool"

-				OutputFile="$(OutDir)/gtest_unittest.exe"

-				LinkIncremental="1"

-				GenerateDebugInformation="TRUE"

-				SubSystem="1"

-				OptimizeReferences="2"

-				EnableCOMDATFolding="2"

-				TargetMachine="1"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCWebDeploymentTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-	</Configurations>

-	<References>

-		<ProjectReference

-			ReferencedProjectIdentifier="{3AF54C8A-10BF-4332-9147-F68ED9862033}"

-			Name="gtest_main-md"/>

-	</References>

-	<Files>

-		<Filter

-			Name="Source Files"

-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"

-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">

-			<File

-				RelativePath="..\test\gtest_unittest.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						Optimization="1"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						BasicRuntimeChecks="0"

-						UsePrecompiledHeader="0"

-						DebugInformationFormat="3"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-			</File>

-		</Filter>

-		<Filter

-			Name="Header Files"

-			Filter="h;hpp;hxx;hm;inl;inc;xsd"

-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">

-		</Filter>

-	</Files>

-	<Globals>

-	</Globals>

-</VisualStudioProject>

diff --git a/security/nss/gtests/google_test/gtest/msvc/gtest_unittest.vcproj b/security/nss/gtests/google_test/gtest/msvc/gtest_unittest.vcproj
deleted file mode 100644
index cb1f52b1f5..0000000000
--- a/security/nss/gtests/google_test/gtest/msvc/gtest_unittest.vcproj
+++ /dev/null
@@ -1,147 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>

-<VisualStudioProject

-	ProjectType="Visual C++"

-	Version="7.10"

-	Name="gtest_unittest"

-	ProjectGUID="{4D9FDFB5-986A-4139-823C-F4EE0ED481A1}"

-	Keyword="Win32Proj">

-	<Platforms>

-		<Platform

-			Name="Win32"/>

-	</Platforms>

-	<Configurations>

-		<Configuration

-			Name="Debug|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="1"

-			CharacterSet="2">

-			<Tool

-				Name="VCCLCompilerTool"

-				Optimization="0"

-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"

-				MinimalRebuild="TRUE"

-				BasicRuntimeChecks="3"

-				RuntimeLibrary="5"

-				UsePrecompiledHeader="3"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="4"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLinkerTool"

-				OutputFile="$(OutDir)/gtest_unittest.exe"

-				LinkIncremental="2"

-				GenerateDebugInformation="TRUE"

-				ProgramDatabaseFile="$(OutDir)/gtest_unittest.pdb"

-				SubSystem="1"

-				TargetMachine="1"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCWebDeploymentTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-		<Configuration

-			Name="Release|Win32"

-			OutputDirectory="$(SolutionName)/$(ConfigurationName)"

-			IntermediateDirectory="$(OutDir)/$(ProjectName)"

-			ConfigurationType="1"

-			CharacterSet="2">

-			<Tool

-				Name="VCCLCompilerTool"

-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"

-				RuntimeLibrary="4"

-				UsePrecompiledHeader="3"

-				WarningLevel="3"

-				Detect64BitPortabilityProblems="FALSE"

-				DebugInformationFormat="3"/>

-			<Tool

-				Name="VCCustomBuildTool"/>

-			<Tool

-				Name="VCLinkerTool"

-				OutputFile="$(OutDir)/gtest_unittest.exe"

-				LinkIncremental="1"

-				GenerateDebugInformation="TRUE"

-				SubSystem="1"

-				OptimizeReferences="2"

-				EnableCOMDATFolding="2"

-				TargetMachine="1"/>

-			<Tool

-				Name="VCMIDLTool"/>

-			<Tool

-				Name="VCPostBuildEventTool"/>

-			<Tool

-				Name="VCPreBuildEventTool"/>

-			<Tool

-				Name="VCPreLinkEventTool"/>

-			<Tool

-				Name="VCResourceCompilerTool"/>

-			<Tool

-				Name="VCWebServiceProxyGeneratorTool"/>

-			<Tool

-				Name="VCXMLDataGeneratorTool"/>

-			<Tool

-				Name="VCWebDeploymentTool"/>

-			<Tool

-				Name="VCManagedWrapperGeneratorTool"/>

-			<Tool

-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>

-		</Configuration>

-	</Configurations>

-	<References>

-		<ProjectReference

-			ReferencedProjectIdentifier="{3AF54C8A-10BF-4332-9147-F68ED9862032}"

-			Name="gtest_main"/>

-	</References>

-	<Files>

-		<Filter

-			Name="Source Files"

-			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"

-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">

-			<File

-				RelativePath="..\test\gtest_unittest.cc">

-				<FileConfiguration

-					Name="Debug|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						Optimization="1"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						BasicRuntimeChecks="0"

-						UsePrecompiledHeader="0"

-						DebugInformationFormat="3"/>

-				</FileConfiguration>

-				<FileConfiguration

-					Name="Release|Win32">

-					<Tool

-						Name="VCCLCompilerTool"

-						AdditionalIncludeDirectories="&quot;..&quot;;&quot;..\include&quot;"

-						UsePrecompiledHeader="0"/>

-				</FileConfiguration>

-			</File>

-		</Filter>

-		<Filter

-			Name="Header Files"

-			Filter="h;hpp;hxx;hm;inl;inc;xsd"

-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">

-		</Filter>

-	</Files>

-	<Globals>

-	</Globals>

-</VisualStudioProject>

diff --git a/security/nss/gtests/google_test/gtest/samples/prime_tables.h b/security/nss/gtests/google_test/gtest/samples/prime_tables.h
index 92ce16a014..523c50b9af 100644
--- a/security/nss/gtests/google_test/gtest/samples/prime_tables.h
+++ b/security/nss/gtests/google_test/gtest/samples/prime_tables.h
@@ -26,9 +26,8 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
-// Author: vladl@google.com (Vlad Losev)
+
+
 
 // This provides interface PrimeTable that determines whether a number is a
 // prime and determines a next prime number. This interface is used
@@ -103,11 +102,15 @@ class PreCalculatedPrimeTable : public PrimeTable {
     ::std::fill(is_prime_, is_prime_ + is_prime_size_, true);
     is_prime_[0] = is_prime_[1] = false;
 
-    for (int i = 2; i <= max; i++) {
+    // Checks every candidate for prime number (we know that 2 is the only even
+    // prime).
+    for (int i = 2; i*i <= max; i += i%2+1) {
       if (!is_prime_[i]) continue;
 
       // Marks all multiples of i (except i itself) as non-prime.
-      for (int j = 2*i; j <= max; j += i) {
+      // We are starting here from i-th multiplier, because all smaller
+      // complex numbers were already marked.
+      for (int j = i*i; j <= max; j += i) {
         is_prime_[j] = false;
       }
     }
diff --git a/security/nss/gtests/google_test/gtest/samples/sample1.cc b/security/nss/gtests/google_test/gtest/samples/sample1.cc
index f171e2609d..13cec1d0fb 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample1.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample1.cc
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include "sample1.h"
 
@@ -55,7 +53,7 @@ bool IsPrime(int n) {
 
   // Try to divide n by every odd number i, starting from 3
   for (int i = 3; ; i += 2) {
-    // We only have to try i up to the squre root of n
+    // We only have to try i up to the square root of n
     if (i > n/i) break;
 
     // Now, we have i <= n/i < n.
diff --git a/security/nss/gtests/google_test/gtest/samples/sample1.h b/security/nss/gtests/google_test/gtest/samples/sample1.h
index 3dfeb98c45..2c3e9f05f1 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample1.h
+++ b/security/nss/gtests/google_test/gtest/samples/sample1.h
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #ifndef GTEST_SAMPLES_SAMPLE1_H_
 #define GTEST_SAMPLES_SAMPLE1_H_
diff --git a/security/nss/gtests/google_test/gtest/samples/sample10_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample10_unittest.cc
index 0051cd5dcd..7ce9550f88 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample10_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample10_unittest.cc
@@ -25,8 +25,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // This sample shows how to use Google Test listener API to implement
 // a primitive leak checker.
@@ -35,18 +34,15 @@
 #include <stdlib.h>
 
 #include "gtest/gtest.h"
-
 using ::testing::EmptyTestEventListener;
 using ::testing::InitGoogleTest;
 using ::testing::Test;
-using ::testing::TestCase;
 using ::testing::TestEventListeners;
 using ::testing::TestInfo;
 using ::testing::TestPartResult;
 using ::testing::UnitTest;
 
 namespace {
-
 // We will track memory used by this class.
 class Water {
  public:
@@ -106,7 +102,6 @@ TEST(ListenersTest, LeaksWater) {
   Water* water = new Water;
   EXPECT_TRUE(water != NULL);
 }
-
 }  // namespace
 
 int main(int argc, char **argv) {
diff --git a/security/nss/gtests/google_test/gtest/samples/sample1_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample1_unittest.cc
index aefc4f1d86..cb08b61a59 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample1_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample1_unittest.cc
@@ -28,9 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-
 
 // This sample shows how to write a simple unit test for a function,
 // using Google C++ testing framework.
@@ -46,7 +43,7 @@
 #include <limits.h>
 #include "sample1.h"
 #include "gtest/gtest.h"
-
+namespace {
 
 // Step 2. Use the TEST macro to define your tests.
 //
@@ -139,6 +136,7 @@ TEST(IsPrimeTest, Positive) {
   EXPECT_FALSE(IsPrime(6));
   EXPECT_TRUE(IsPrime(23));
 }
+}  // namespace
 
 // Step 3. Call RUN_ALL_TESTS() in main().
 //
diff --git a/security/nss/gtests/google_test/gtest/samples/sample2.cc b/security/nss/gtests/google_test/gtest/samples/sample2.cc
index 5f763b9bdf..f3b722fcac 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample2.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample2.cc
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include "sample2.h"
 
diff --git a/security/nss/gtests/google_test/gtest/samples/sample2.h b/security/nss/gtests/google_test/gtest/samples/sample2.h
index cb485c70fb..58f360f45c 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample2.h
+++ b/security/nss/gtests/google_test/gtest/samples/sample2.h
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #ifndef GTEST_SAMPLES_SAMPLE2_H_
 #define GTEST_SAMPLES_SAMPLE2_H_
diff --git a/security/nss/gtests/google_test/gtest/samples/sample2_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample2_unittest.cc
index 4fa19b71c7..0848826192 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample2_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample2_unittest.cc
@@ -28,9 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-
 
 // This sample shows how to write a more complex unit test for a class
 // that has multiple member functions.
@@ -42,7 +39,7 @@
 
 #include "sample2.h"
 #include "gtest/gtest.h"
-
+namespace {
 // In this example, we test the MyString class (a simple string).
 
 // Tests the default c'tor.
@@ -107,3 +104,4 @@ TEST(MyString, Set) {
   s.Set(NULL);
   EXPECT_STREQ(NULL, s.c_string());
 }
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample3-inl.h b/security/nss/gtests/google_test/gtest/samples/sample3-inl.h
index 7e3084d638..1a29ce9296 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample3-inl.h
+++ b/security/nss/gtests/google_test/gtest/samples/sample3-inl.h
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #ifndef GTEST_SAMPLES_SAMPLE3_INL_H_
 #define GTEST_SAMPLES_SAMPLE3_INL_H_
diff --git a/security/nss/gtests/google_test/gtest/samples/sample3_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample3_unittest.cc
index bf3877d013..e093c25885 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample3_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample3_unittest.cc
@@ -28,9 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-
 
 // In this example, we use a more advanced feature of Google Test called
 // test fixture.
@@ -65,14 +62,14 @@
 
 #include "sample3-inl.h"
 #include "gtest/gtest.h"
-
+namespace {
 // To use a test fixture, derive a class from testing::Test.
-class QueueTest : public testing::Test {
+class QueueTestSmpl3 : public testing::Test {
  protected:  // You should make the members protected s.t. they can be
              // accessed from sub-classes.
 
   // virtual void SetUp() will be called before each test is run.  You
-  // should define it if you need to initialize the varaibles.
+  // should define it if you need to initialize the variables.
   // Otherwise, this can be skipped.
   virtual void SetUp() {
     q1_.Enqueue(1);
@@ -120,13 +117,13 @@ class QueueTest : public testing::Test {
 // instead of TEST.
 
 // Tests the default c'tor.
-TEST_F(QueueTest, DefaultConstructor) {
+TEST_F(QueueTestSmpl3, DefaultConstructor) {
   // You can access data in the test fixture here.
   EXPECT_EQ(0u, q0_.Size());
 }
 
 // Tests Dequeue().
-TEST_F(QueueTest, Dequeue) {
+TEST_F(QueueTestSmpl3, Dequeue) {
   int * n = q0_.Dequeue();
   EXPECT_TRUE(n == NULL);
 
@@ -144,8 +141,9 @@ TEST_F(QueueTest, Dequeue) {
 }
 
 // Tests the Queue::Map() function.
-TEST_F(QueueTest, Map) {
+TEST_F(QueueTestSmpl3, Map) {
   MapTester(&q0_);
   MapTester(&q1_);
   MapTester(&q2_);
 }
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample4.cc b/security/nss/gtests/google_test/gtest/samples/sample4.cc
index ae44bda6f1..b0ee6093b4 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample4.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample4.cc
@@ -28,8 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include <stdio.h>
 
@@ -40,6 +38,16 @@ int Counter::Increment() {
   return counter_++;
 }
 
+// Returns the current counter value, and decrements it.
+// counter can not be less than 0, return 0 in this case
+int Counter::Decrement() {
+  if (counter_ == 0) {
+    return counter_;
+  } else  {
+    return counter_--;
+  }
+}
+
 // Prints the current counter value to STDOUT.
 void Counter::Print() const {
   printf("%d", counter_);
diff --git a/security/nss/gtests/google_test/gtest/samples/sample4.h b/security/nss/gtests/google_test/gtest/samples/sample4.h
index cd60f0dd2d..e256f4064f 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample4.h
+++ b/security/nss/gtests/google_test/gtest/samples/sample4.h
@@ -28,9 +28,6 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 // A sample program demonstrating using Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-
 #ifndef GTEST_SAMPLES_SAMPLE4_H_
 #define GTEST_SAMPLES_SAMPLE4_H_
 
@@ -46,6 +43,9 @@ class Counter {
   // Returns the current counter value, and increments it.
   int Increment();
 
+  // Returns the current counter value, and decrements it.
+  int Decrement();
+
   // Prints the current counter value to STDOUT.
   void Print() const;
 };
diff --git a/security/nss/gtests/google_test/gtest/samples/sample4_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample4_unittest.cc
index fa5afc7d5a..d5144c0d00 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample4_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample4_unittest.cc
@@ -26,20 +26,28 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
-#include "gtest/gtest.h"
+
 #include "sample4.h"
+#include "gtest/gtest.h"
 
+namespace {
 // Tests the Increment() method.
+
 TEST(Counter, Increment) {
   Counter c;
 
+  // Test that counter 0 returns 0
+  EXPECT_EQ(0, c.Decrement());
+
   // EXPECT_EQ() evaluates its arguments exactly once, so they
   // can have side effects.
 
   EXPECT_EQ(0, c.Increment());
   EXPECT_EQ(1, c.Increment());
   EXPECT_EQ(2, c.Increment());
+
+  EXPECT_EQ(3, c.Decrement());
 }
+
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample5_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample5_unittest.cc
index 43d8e57775..d8a8788c6d 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample5_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample5_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // This sample teaches how to reuse a test fixture in multiple test
 // cases by deriving sub-fixtures from it.
@@ -46,10 +45,10 @@
 
 #include <limits.h>
 #include <time.h>
-#include "sample3-inl.h"
 #include "gtest/gtest.h"
 #include "sample1.h"
-
+#include "sample3-inl.h"
+namespace {
 // In this sample, we want to ensure that every test finishes within
 // ~5 seconds.  If a test takes longer to run, we consider it a
 // failure.
@@ -191,7 +190,7 @@ TEST_F(QueueTest, Dequeue) {
   EXPECT_EQ(1u, q2_.Size());
   delete n;
 }
-
+}  // namespace
 // If necessary, you can derive further test fixtures from a derived
 // fixture itself.  For example, you can derive another fixture from
 // QueueTest.  Google Test imposes no limit on how deep the hierarchy
diff --git a/security/nss/gtests/google_test/gtest/samples/sample6_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample6_unittest.cc
index 8f2036a516..ddf2f1c13b 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample6_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample6_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // This sample shows how to test common properties of multiple
 // implementations of the same interface (aka interface tests).
@@ -36,7 +35,7 @@
 #include "prime_tables.h"
 
 #include "gtest/gtest.h"
-
+namespace {
 // First, we define some factory functions for creating instances of
 // the implementations.  You may be able to skip this step if all your
 // implementations can be constructed the same way.
@@ -222,3 +221,4 @@ INSTANTIATE_TYPED_TEST_CASE_P(OnTheFlyAndPreCalculated,    // Instance name
                               PrimeTableImplementations);  // Type list
 
 #endif  // GTEST_HAS_TYPED_TEST_P
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample7_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample7_unittest.cc
index 1b651a21d6..c1ae8bdedc 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample7_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample7_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // This sample shows how to test common properties of multiple
 // implementations of an interface (aka interface tests) using
@@ -39,8 +38,7 @@
 #include "prime_tables.h"
 
 #include "gtest/gtest.h"
-
-#if GTEST_HAS_PARAM_TEST
+namespace {
 
 using ::testing::TestWithParam;
 using ::testing::Values;
@@ -65,9 +63,9 @@ PrimeTable* CreatePreCalculatedPrimeTable() {
 // can refer to the test parameter by GetParam().  In this case, the test
 // parameter is a factory function which we call in fixture's SetUp() to
 // create and store an instance of PrimeTable.
-class PrimeTableTest : public TestWithParam<CreatePrimeTableFunc*> {
+class PrimeTableTestSmpl7 : public TestWithParam<CreatePrimeTableFunc*> {
  public:
-  virtual ~PrimeTableTest() { delete table_; }
+  virtual ~PrimeTableTestSmpl7() { delete table_; }
   virtual void SetUp() { table_ = (*GetParam())(); }
   virtual void TearDown() {
     delete table_;
@@ -78,7 +76,7 @@ class PrimeTableTest : public TestWithParam<CreatePrimeTableFunc*> {
   PrimeTable* table_;
 };
 
-TEST_P(PrimeTableTest, ReturnsFalseForNonPrimes) {
+TEST_P(PrimeTableTestSmpl7, ReturnsFalseForNonPrimes) {
   EXPECT_FALSE(table_->IsPrime(-5));
   EXPECT_FALSE(table_->IsPrime(0));
   EXPECT_FALSE(table_->IsPrime(1));
@@ -87,7 +85,7 @@ TEST_P(PrimeTableTest, ReturnsFalseForNonPrimes) {
   EXPECT_FALSE(table_->IsPrime(100));
 }
 
-TEST_P(PrimeTableTest, ReturnsTrueForPrimes) {
+TEST_P(PrimeTableTestSmpl7, ReturnsTrueForPrimes) {
   EXPECT_TRUE(table_->IsPrime(2));
   EXPECT_TRUE(table_->IsPrime(3));
   EXPECT_TRUE(table_->IsPrime(5));
@@ -96,7 +94,7 @@ TEST_P(PrimeTableTest, ReturnsTrueForPrimes) {
   EXPECT_TRUE(table_->IsPrime(131));
 }
 
-TEST_P(PrimeTableTest, CanGetNextPrime) {
+TEST_P(PrimeTableTestSmpl7, CanGetNextPrime) {
   EXPECT_EQ(2, table_->GetNextPrime(0));
   EXPECT_EQ(3, table_->GetNextPrime(2));
   EXPECT_EQ(5, table_->GetNextPrime(3));
@@ -112,19 +110,8 @@ TEST_P(PrimeTableTest, CanGetNextPrime) {
 //
 // Here, we instantiate our tests with a list of two PrimeTable object
 // factory functions:
-INSTANTIATE_TEST_CASE_P(
-    OnTheFlyAndPreCalculated,
-    PrimeTableTest,
-    Values(&CreateOnTheFlyPrimeTable, &CreatePreCalculatedPrimeTable<1000>));
-
-#else
-
-// Google Test may not support value-parameterized tests with some
-// compilers. If we use conditional compilation to compile out all
-// code referring to the gtest_main library, MSVC linker will not link
-// that library at all and consequently complain about missing entry
-// point defined in that library (fatal error LNK1561: entry point
-// must be defined). This dummy test keeps gtest_main linked in.
-TEST(DummyTest, ValueParameterizedTestsAreNotSupportedOnThisPlatform) {}
+INSTANTIATE_TEST_CASE_P(OnTheFlyAndPreCalculated, PrimeTableTestSmpl7,
+                        Values(&CreateOnTheFlyPrimeTable,
+                               &CreatePreCalculatedPrimeTable<1000>));
 
-#endif  // GTEST_HAS_PARAM_TEST
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample8_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample8_unittest.cc
index 7274334067..ce75cf0308 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample8_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample8_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // This sample shows how to test code relying on some global flag variables.
 // Combine() helps with generating all possible combinations of such flags,
@@ -37,7 +36,7 @@
 #include "prime_tables.h"
 
 #include "gtest/gtest.h"
-
+namespace {
 #if GTEST_HAS_COMBINE
 
 // Suppose we want to introduce a new, improved implementation of PrimeTable
@@ -171,3 +170,4 @@ INSTANTIATE_TEST_CASE_P(MeaningfulTestParameters,
 TEST(DummyTest, CombineIsNotSupportedOnThisPlatform) {}
 
 #endif  // GTEST_HAS_COMBINE
+}  // namespace
diff --git a/security/nss/gtests/google_test/gtest/samples/sample9_unittest.cc b/security/nss/gtests/google_test/gtest/samples/sample9_unittest.cc
index b2e2079bf3..53f9af5ba1 100644
--- a/security/nss/gtests/google_test/gtest/samples/sample9_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/samples/sample9_unittest.cc
@@ -25,8 +25,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 
 // This sample shows how to use Google Test listener API to implement
 // an alternative console output and how to use the UnitTest reflection API
@@ -44,9 +43,7 @@ using ::testing::TestEventListeners;
 using ::testing::TestInfo;
 using ::testing::TestPartResult;
 using ::testing::UnitTest;
-
 namespace {
-
 // Provides alternative output mode which produces minimal amount of
 // information about tests.
 class TersePrinter : public EmptyTestEventListener {
@@ -102,7 +99,6 @@ TEST(CustomOutputTest, Fails) {
   EXPECT_EQ(1, 2)
       << "This test fails in order to demonstrate alternative failure messages";
 }
-
 }  // namespace
 
 int main(int argc, char **argv) {
diff --git a/security/nss/gtests/google_test/gtest/scripts/fuse_gtest_files.py b/security/nss/gtests/google_test/gtest/scripts/fuse_gtest_files.py
index 57ef72f0e3..d0dd464fe8 100755
--- a/security/nss/gtests/google_test/gtest/scripts/fuse_gtest_files.py
+++ b/security/nss/gtests/google_test/gtest/scripts/fuse_gtest_files.py
@@ -52,7 +52,7 @@ EXAMPLES
 This tool is experimental.  In particular, it assumes that there is no
 conditional inclusion of Google Test headers.  Please report any
 problems to googletestframework@googlegroups.com.  You can read
-http://code.google.com/p/googletest/wiki/GoogleTestAdvancedGuide for
+https://github.com/google/googletest/blob/master/googletest/docs/advanced.md for
 more information.
 """
 
@@ -60,7 +60,10 @@ __author__ = 'wan@google.com (Zhanyong Wan)'
 
 import os
 import re
-import sets
+try:
+  from sets import Set as set  # For Python 2.3 compatibility
+except ImportError:
+  pass
 import sys
 
 # We assume that this file is in the scripts/ directory in the Google
@@ -90,10 +93,10 @@ def VerifyFileExists(directory, relative_path):
   """
 
   if not os.path.isfile(os.path.join(directory, relative_path)):
-    print 'ERROR: Cannot find %s in directory %s.' % (relative_path,
-                                                      directory)
-    print ('Please either specify a valid project root directory '
-           'or omit it on the command line.')
+    print('ERROR: Cannot find %s in directory %s.' % (relative_path,
+                                                      directory))
+    print('Please either specify a valid project root directory '
+          'or omit it on the command line.')
     sys.exit(1)
 
 
@@ -119,11 +122,11 @@ def VerifyOutputFile(output_dir, relative_path):
     # TODO(wan@google.com): The following user-interaction doesn't
     # work with automated processes.  We should provide a way for the
     # Makefile to force overwriting the files.
-    print ('%s already exists in directory %s - overwrite it? (y/N) ' %
-           (relative_path, output_dir))
+    print('%s already exists in directory %s - overwrite it? (y/N) ' %
+          (relative_path, output_dir))
     answer = sys.stdin.readline().strip()
     if answer not in ['y', 'Y']:
-      print 'ABORTED.'
+      print('ABORTED.')
       sys.exit(1)
 
   # Makes sure the directory holding the output file exists; creates
@@ -146,8 +149,8 @@ def ValidateOutputDir(output_dir):
 def FuseGTestH(gtest_root, output_dir):
   """Scans folder gtest_root to generate gtest/gtest.h in output_dir."""
 
-  output_file = file(os.path.join(output_dir, GTEST_H_OUTPUT), 'w')
-  processed_files = sets.Set()  # Holds all gtest headers we've processed.
+  output_file = open(os.path.join(output_dir, GTEST_H_OUTPUT), 'w')
+  processed_files = set()  # Holds all gtest headers we've processed.
 
   def ProcessFile(gtest_header_path):
     """Processes the given gtest header file."""
@@ -159,7 +162,7 @@ def FuseGTestH(gtest_root, output_dir):
     processed_files.add(gtest_header_path)
 
     # Reads each line in the given gtest header.
-    for line in file(os.path.join(gtest_root, gtest_header_path), 'r'):
+    for line in open(os.path.join(gtest_root, gtest_header_path), 'r'):
       m = INCLUDE_GTEST_FILE_REGEX.match(line)
       if m:
         # It's '#include "gtest/..."' - let's process it recursively.
@@ -175,7 +178,7 @@ def FuseGTestH(gtest_root, output_dir):
 def FuseGTestAllCcToFile(gtest_root, output_file):
   """Scans folder gtest_root to generate gtest/gtest-all.cc in output_file."""
 
-  processed_files = sets.Set()
+  processed_files = set()
 
   def ProcessFile(gtest_source_file):
     """Processes the given gtest source file."""
@@ -187,7 +190,7 @@ def FuseGTestAllCcToFile(gtest_root, output_file):
     processed_files.add(gtest_source_file)
 
     # Reads each line in the given gtest source file.
-    for line in file(os.path.join(gtest_root, gtest_source_file), 'r'):
+    for line in open(os.path.join(gtest_root, gtest_source_file), 'r'):
       m = INCLUDE_GTEST_FILE_REGEX.match(line)
       if m:
         if 'include/' + m.group(1) == GTEST_SPI_H_SEED:
@@ -218,7 +221,7 @@ def FuseGTestAllCcToFile(gtest_root, output_file):
 def FuseGTestAllCc(gtest_root, output_dir):
   """Scans folder gtest_root to generate gtest/gtest-all.cc in output_dir."""
 
-  output_file = file(os.path.join(output_dir, GTEST_ALL_CC_OUTPUT), 'w')
+  output_file = open(os.path.join(output_dir, GTEST_ALL_CC_OUTPUT), 'w')
   FuseGTestAllCcToFile(gtest_root, output_file)
   output_file.close()
 
@@ -242,7 +245,7 @@ def main():
     # fuse_gtest_files.py GTEST_ROOT_DIR OUTPUT_DIR
     FuseGTest(sys.argv[1], sys.argv[2])
   else:
-    print __doc__
+    print(__doc__)
     sys.exit(1)
 
 
diff --git a/security/nss/gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py b/security/nss/gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py
index 3e7ab042ea..b43efdf41e 100755
--- a/security/nss/gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py
+++ b/security/nss/gtests/google_test/gtest/scripts/gen_gtest_pred_impl.py
@@ -115,10 +115,9 @@ def HeaderPreamble(n):
 #ifndef GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 #define GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 
-// Makes sure this header is not included before gtest.h.
-#ifndef GTEST_INCLUDE_GTEST_GTEST_H_
-# error Do not include gtest_pred_impl.h directly.  Include gtest.h instead.
-#endif  // GTEST_INCLUDE_GTEST_GTEST_H_
+#include "gtest/gtest.h"
+
+namespace testing {
 
 // This header implements a family of generic predicate assertion
 // macros:
@@ -295,16 +294,17 @@ def HeaderPostamble():
 
   return """
 
+}  // namespace testing
+
 #endif  // GTEST_INCLUDE_GTEST_GTEST_PRED_IMPL_H_
 """
 
 
 def GenerateFile(path, content):
-  """Given a file path and a content string, overwrites it with the
-  given content."""
-
+  """Given a file path and a content string
+     overwrites it with the given content.
+  """
   print 'Updating file %s . . .' % path
-
   f = file(path, 'w+')
   print >>f, content,
   f.close()
@@ -314,8 +314,8 @@ def GenerateFile(path, content):
 
 def GenerateHeader(n):
   """Given the maximum arity n, updates the header file that implements
-  the predicate assertions."""
-
+  the predicate assertions.
+  """
   GenerateFile(HEADER,
                HeaderPreamble(n)
                + ''.join([ImplementationForArity(i) for i in OneTo(n)])
diff --git a/security/nss/gtests/google_test/gtest/scripts/upload.py b/security/nss/gtests/google_test/gtest/scripts/upload.py
index 6e6f9a1471..c852e4c91e 100755
--- a/security/nss/gtests/google_test/gtest/scripts/upload.py
+++ b/security/nss/gtests/google_test/gtest/scripts/upload.py
@@ -242,7 +242,7 @@ class AbstractRpcServer(object):
     The authentication process works as follows:
      1) We get a username and password from the user
      2) We use ClientLogin to obtain an AUTH token for the user
-        (see http://code.google.com/apis/accounts/AuthForInstalledApps.html).
+        (see https://developers.google.com/identity/protocols/AuthForInstalledApps).
      3) We pass the auth token to /_ah/login on the server to obtain an
         authentication cookie. If login was successful, it tries to redirect
         us to the URL we provided.
@@ -506,7 +506,7 @@ def EncodeMultipartFormData(fields, files):
     (content_type, body) ready for httplib.HTTP instance.
 
   Source:
-    http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/146306
+    https://web.archive.org/web/20160116052001/code.activestate.com/recipes/146306
   """
   BOUNDARY = '-M-A-G-I-C---B-O-U-N-D-A-R-Y-'
   CRLF = '\r\n'
@@ -732,7 +732,7 @@ class SubversionVCS(VersionControlSystem):
     else:
       self.rev_start = self.rev_end = None
     # Cache output from "svn list -r REVNO dirname".
-    # Keys: dirname, Values: 2-tuple (ouput for start rev and end rev).
+    # Keys: dirname, Values: 2-tuple (output for start rev and end rev).
     self.svnls_cache = {}
     # SVN base URL is required to fetch files deleted in an older revision.
     # Result is cached to not guess it over and over again in GetBaseFile().
@@ -807,7 +807,7 @@ class SubversionVCS(VersionControlSystem):
     # svn cat translates keywords but svn diff doesn't. As a result of this
     # behavior patching.PatchChunks() fails with a chunk mismatch error.
     # This part was originally written by the Review Board development team
-    # who had the same problem (http://reviews.review-board.org/r/276/).
+    # who had the same problem (https://reviews.reviewboard.org/r/276/).
     # Mapping of keywords to known aliases
     svn_keywords = {
       # Standard keywords
@@ -860,7 +860,7 @@ class SubversionVCS(VersionControlSystem):
       status_lines = status.splitlines()
       # If file is in a cl, the output will begin with
       # "\n--- Changelist 'cl_name':\n".  See
-      # http://svn.collab.net/repos/svn/trunk/notes/changelist-design.txt
+      # https://web.archive.org/web/20090918234815/svn.collab.net/repos/svn/trunk/notes/changelist-design.txt
       if (len(status_lines) == 3 and
           not status_lines[0] and
           status_lines[1].startswith("--- Changelist")):
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-all.cc b/security/nss/gtests/google_test/gtest/src/gtest-all.cc
index 0a9cee5223..b217a18006 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-all.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-all.cc
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: mheule@google.com (Markus Heule)
-//
-// Google C++ Testing Framework (Google Test)
+// Google C++ Testing and Mocking Framework (Google Test)
 //
 // Sometimes it's desirable to build Google Test by compiling a single file.
 // This file serves this purpose.
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-death-test.cc b/security/nss/gtests/google_test/gtest/src/gtest-death-test.cc
index a0a8c7baf9..0908355161 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-death-test.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-death-test.cc
@@ -26,13 +26,13 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan), vladl@google.com (Vlad Losev)
+
 //
 // This file implements death tests.
 
 #include "gtest/gtest-death-test.h"
 #include "gtest/internal/gtest-port.h"
+#include "gtest/internal/custom/gtest.h"
 
 #if GTEST_HAS_DEATH_TEST
 
@@ -61,26 +61,30 @@
 #  include <spawn.h>
 # endif  // GTEST_OS_QNX
 
+# if GTEST_OS_FUCHSIA
+#  include <lib/fdio/io.h>
+#  include <lib/fdio/spawn.h>
+#  include <zircon/processargs.h>
+#  include <zircon/syscalls.h>
+#  include <zircon/syscalls/port.h>
+# endif  // GTEST_OS_FUCHSIA
+
 #endif  // GTEST_HAS_DEATH_TEST
 
 #include "gtest/gtest-message.h"
 #include "gtest/internal/gtest-string.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick exists to
-// prevent the accidental inclusion of gtest-internal-inl.h in the
-// user's code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 
 // Constants.
 
 // The default death test style.
-static const char kDefaultDeathTestStyle[] = "fast";
+//
+// This is defined in internal/gtest-port.h as "fast", but can be overridden by
+// a definition in internal/custom/gtest-port.h. The recommended value, which is
+// used internally at Google, is "threadsafe".
+static const char kDefaultDeathTestStyle[] = GTEST_DEFAULT_DEATH_TEST_STYLE;
 
 GTEST_DEFINE_string_(
     death_test_style,
@@ -120,7 +124,9 @@ namespace internal {
 
 // Valid only for fast death tests. Indicates the code is running in the
 // child process of a fast style death test.
+# if !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 static bool g_in_fast_death_test_child = false;
+# endif
 
 // Returns a Boolean value indicating whether the caller is currently
 // executing in the context of the death test child process.  Tools such as
@@ -128,10 +134,10 @@ static bool g_in_fast_death_test_child = false;
 // tests.  IMPORTANT: This is an internal utility.  Using it may break the
 // implementation of death tests.  User code MUST NOT use it.
 bool InDeathTestChild() {
-# if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
-  // On Windows, death tests are thread-safe regardless of the value of the
-  // death_test_style flag.
+  // On Windows and Fuchsia, death tests are thread-safe regardless of the value
+  // of the death_test_style flag.
   return !GTEST_FLAG(internal_run_death_test).empty();
 
 # else
@@ -151,7 +157,7 @@ ExitedWithCode::ExitedWithCode(int exit_code) : exit_code_(exit_code) {
 
 // ExitedWithCode function-call operator.
 bool ExitedWithCode::operator()(int exit_status) const {
-# if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
   return exit_status == exit_code_;
 
@@ -159,19 +165,27 @@ bool ExitedWithCode::operator()(int exit_status) const {
 
   return WIFEXITED(exit_status) && WEXITSTATUS(exit_status) == exit_code_;
 
-# endif  // GTEST_OS_WINDOWS
+# endif  // GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 }
 
-# if !GTEST_OS_WINDOWS
+# if !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 // KilledBySignal constructor.
 KilledBySignal::KilledBySignal(int signum) : signum_(signum) {
 }
 
 // KilledBySignal function-call operator.
 bool KilledBySignal::operator()(int exit_status) const {
+#  if defined(GTEST_KILLED_BY_SIGNAL_OVERRIDE_)
+  {
+    bool result;
+    if (GTEST_KILLED_BY_SIGNAL_OVERRIDE_(signum_, exit_status, &result)) {
+      return result;
+    }
+  }
+#  endif  // defined(GTEST_KILLED_BY_SIGNAL_OVERRIDE_)
   return WIFSIGNALED(exit_status) && WTERMSIG(exit_status) == signum_;
 }
-# endif  // !GTEST_OS_WINDOWS
+# endif  // !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 
 namespace internal {
 
@@ -182,7 +196,7 @@ namespace internal {
 static std::string ExitSummary(int exit_code) {
   Message m;
 
-# if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
   m << "Exited with exit status " << exit_code;
 
@@ -198,7 +212,7 @@ static std::string ExitSummary(int exit_code) {
     m << " (core dumped)";
   }
 #  endif
-# endif  // GTEST_OS_WINDOWS
+# endif  // GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
   return m.GetString();
 }
@@ -209,7 +223,7 @@ bool ExitedUnsuccessfully(int exit_status) {
   return !ExitedWithCode(0)(exit_status);
 }
 
-# if !GTEST_OS_WINDOWS
+# if !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 // Generates a textual failure message when a death test finds more than
 // one thread running, or cannot determine the number of threads, prior
 // to executing the given statement.  It is the responsibility of the
@@ -218,13 +232,19 @@ static std::string DeathTestThreadWarning(size_t thread_count) {
   Message msg;
   msg << "Death tests use fork(), which is unsafe particularly"
       << " in a threaded context. For this test, " << GTEST_NAME_ << " ";
-  if (thread_count == 0)
+  if (thread_count == 0) {
     msg << "couldn't detect the number of threads.";
-  else
+  } else {
     msg << "detected " << thread_count << " threads.";
+  }
+  msg << " See "
+         "https://github.com/google/googletest/blob/master/googletest/docs/"
+         "advanced.md#death-tests-and-threads"
+      << " for more explanation and suggested solutions, especially if"
+      << " this is the last message you see before your test times out.";
   return msg.GetString();
 }
-# endif  // !GTEST_OS_WINDOWS
+# endif  // !GTEST_OS_WINDOWS && !GTEST_OS_FUCHSIA
 
 // Flag characters for reporting a death test that did not die.
 static const char kDeathTestLived = 'L';
@@ -232,6 +252,13 @@ static const char kDeathTestReturned = 'R';
 static const char kDeathTestThrew = 'T';
 static const char kDeathTestInternalError = 'I';
 
+#if GTEST_OS_FUCHSIA
+
+// File descriptor used for the pipe in the child process.
+static const int kFuchsiaReadPipeFd = 3;
+
+#endif
+
 // An enumeration describing all of the possible ways that a death test can
 // conclude.  DIED means that the process died while executing the test
 // code; LIVED means that process lived beyond the end of the test code;
@@ -239,7 +266,7 @@ static const char kDeathTestInternalError = 'I';
 // statement, which is not allowed; THREW means that the test statement
 // returned control by throwing an exception.  IN_PROGRESS means the test
 // has not yet concluded.
-// TODO(vladl@google.com): Unify names and possibly values for
+// FIXME: Unify names and possibly values for
 // AbortReason, DeathTestOutcome, and flag characters above.
 enum DeathTestOutcome { IN_PROGRESS, DIED, LIVED, RETURNED, THREW };
 
@@ -248,7 +275,7 @@ enum DeathTestOutcome { IN_PROGRESS, DIED, LIVED, RETURNED, THREW };
 // message is propagated back to the parent process.  Otherwise, the
 // message is simply printed to stderr.  In either case, the program
 // then exits with status 1.
-void DeathTestAbort(const std::string& message) {
+static void DeathTestAbort(const std::string& message) {
   // On a POSIX system, this function may be called from a threadsafe-style
   // death test child process, which operates on a very small stack.  Use
   // the heap for any additional non-minuscule memory requirements.
@@ -552,7 +579,12 @@ bool DeathTestImpl::Passed(bool status_ok) {
       break;
     case DIED:
       if (status_ok) {
+# if GTEST_USES_PCRE
+        // PCRE regexes support embedded NULs.
+        const bool matched = RE::PartialMatch(error_message, *regex());
+# else
         const bool matched = RE::PartialMatch(error_message.c_str(), *regex());
+# endif  // GTEST_USES_PCRE
         if (matched) {
           success = true;
         } else {
@@ -768,7 +800,200 @@ DeathTest::TestRole WindowsDeathTest::AssumeRole() {
   set_spawned(true);
   return OVERSEE_TEST;
 }
-# else  // We are not on Windows.
+
+# elif GTEST_OS_FUCHSIA
+
+class FuchsiaDeathTest : public DeathTestImpl {
+ public:
+  FuchsiaDeathTest(const char* a_statement,
+                   const RE* a_regex,
+                   const char* file,
+                   int line)
+      : DeathTestImpl(a_statement, a_regex), file_(file), line_(line) {}
+  virtual ~FuchsiaDeathTest() {
+    zx_status_t status = zx_handle_close(child_process_);
+    GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+    status = zx_handle_close(port_);
+    GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+  }
+
+  // All of these virtual functions are inherited from DeathTest.
+  virtual int Wait();
+  virtual TestRole AssumeRole();
+
+ private:
+  // The name of the file in which the death test is located.
+  const char* const file_;
+  // The line number on which the death test is located.
+  const int line_;
+
+  zx_handle_t child_process_ = ZX_HANDLE_INVALID;
+  zx_handle_t port_ = ZX_HANDLE_INVALID;
+};
+
+// Utility class for accumulating command-line arguments.
+class Arguments {
+ public:
+  Arguments() {
+    args_.push_back(NULL);
+  }
+
+  ~Arguments() {
+    for (std::vector<char*>::iterator i = args_.begin(); i != args_.end();
+         ++i) {
+      free(*i);
+    }
+  }
+  void AddArgument(const char* argument) {
+    args_.insert(args_.end() - 1, posix::StrDup(argument));
+  }
+
+  template <typename Str>
+  void AddArguments(const ::std::vector<Str>& arguments) {
+    for (typename ::std::vector<Str>::const_iterator i = arguments.begin();
+         i != arguments.end();
+         ++i) {
+      args_.insert(args_.end() - 1, posix::StrDup(i->c_str()));
+    }
+  }
+  char* const* Argv() {
+    return &args_[0];
+  }
+
+  int size() {
+    return args_.size() - 1;
+  }
+
+ private:
+  std::vector<char*> args_;
+};
+
+// Waits for the child in a death test to exit, returning its exit
+// status, or 0 if no child process exists.  As a side effect, sets the
+// outcome data member.
+int FuchsiaDeathTest::Wait() {
+  if (!spawned())
+    return 0;
+
+  // Register to wait for the child process to terminate.
+  zx_status_t status_zx;
+  status_zx = zx_object_wait_async(child_process_,
+                                   port_,
+                                   0 /* key */,
+                                   ZX_PROCESS_TERMINATED,
+                                   ZX_WAIT_ASYNC_ONCE);
+  GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+
+  // Wait for it to terminate, or an exception to be received.
+  zx_port_packet_t packet;
+  status_zx = zx_port_wait(port_, ZX_TIME_INFINITE, &packet);
+  GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+
+  if (ZX_PKT_IS_EXCEPTION(packet.type)) {
+    // Process encountered an exception. Kill it directly rather than letting
+    // other handlers process the event.
+    status_zx = zx_task_kill(child_process_);
+    GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+
+    // Now wait for |child_process_| to terminate.
+    zx_signals_t signals = 0;
+    status_zx = zx_object_wait_one(
+        child_process_, ZX_PROCESS_TERMINATED, ZX_TIME_INFINITE, &signals);
+    GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+    GTEST_DEATH_TEST_CHECK_(signals & ZX_PROCESS_TERMINATED);
+  } else {
+    // Process terminated.
+    GTEST_DEATH_TEST_CHECK_(ZX_PKT_IS_SIGNAL_ONE(packet.type));
+    GTEST_DEATH_TEST_CHECK_(packet.signal.observed & ZX_PROCESS_TERMINATED);
+  }
+
+  ReadAndInterpretStatusByte();
+
+  zx_info_process_t buffer;
+  status_zx = zx_object_get_info(
+      child_process_,
+      ZX_INFO_PROCESS,
+      &buffer,
+      sizeof(buffer),
+      nullptr,
+      nullptr);
+  GTEST_DEATH_TEST_CHECK_(status_zx == ZX_OK);
+
+  GTEST_DEATH_TEST_CHECK_(buffer.exited);
+  set_status(buffer.return_code);
+  return status();
+}
+
+// The AssumeRole process for a Fuchsia death test.  It creates a child
+// process with the same executable as the current process to run the
+// death test.  The child process is given the --gtest_filter and
+// --gtest_internal_run_death_test flags such that it knows to run the
+// current death test only.
+DeathTest::TestRole FuchsiaDeathTest::AssumeRole() {
+  const UnitTestImpl* const impl = GetUnitTestImpl();
+  const InternalRunDeathTestFlag* const flag =
+      impl->internal_run_death_test_flag();
+  const TestInfo* const info = impl->current_test_info();
+  const int death_test_index = info->result()->death_test_count();
+
+  if (flag != NULL) {
+    // ParseInternalRunDeathTestFlag() has performed all the necessary
+    // processing.
+    set_write_fd(kFuchsiaReadPipeFd);
+    return EXECUTE_TEST;
+  }
+
+  CaptureStderr();
+  // Flush the log buffers since the log streams are shared with the child.
+  FlushInfoLog();
+
+  // Build the child process command line.
+  const std::string filter_flag =
+      std::string("--") + GTEST_FLAG_PREFIX_ + kFilterFlag + "="
+      + info->test_case_name() + "." + info->name();
+  const std::string internal_flag =
+      std::string("--") + GTEST_FLAG_PREFIX_ + kInternalRunDeathTestFlag + "="
+      + file_ + "|"
+      + StreamableToString(line_) + "|"
+      + StreamableToString(death_test_index);
+  Arguments args;
+  args.AddArguments(GetInjectableArgvs());
+  args.AddArgument(filter_flag.c_str());
+  args.AddArgument(internal_flag.c_str());
+
+  // Build the pipe for communication with the child.
+  zx_status_t status;
+  zx_handle_t child_pipe_handle;
+  uint32_t type;
+  status = fdio_pipe_half(&child_pipe_handle, &type);
+  GTEST_DEATH_TEST_CHECK_(status >= 0);
+  set_read_fd(status);
+
+  // Set the pipe handle for the child.
+  fdio_spawn_action_t add_handle_action = {};
+  add_handle_action.action = FDIO_SPAWN_ACTION_ADD_HANDLE;
+  add_handle_action.h.id = PA_HND(type, kFuchsiaReadPipeFd);
+  add_handle_action.h.handle = child_pipe_handle;
+
+  // Spawn the child process.
+  status = fdio_spawn_etc(ZX_HANDLE_INVALID, FDIO_SPAWN_CLONE_ALL,
+                          args.Argv()[0], args.Argv(), nullptr, 1,
+                          &add_handle_action, &child_process_, nullptr);
+  GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+
+  // Create an exception port and attach it to the |child_process_|, to allow
+  // us to suppress the system default exception handler from firing.
+  status = zx_port_create(0, &port_);
+  GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+  status = zx_task_bind_exception_port(
+      child_process_, port_, 0 /* key */, 0 /*options */);
+  GTEST_DEATH_TEST_CHECK_(status == ZX_OK);
+
+  set_spawned(true);
+  return OVERSEE_TEST;
+}
+
+#else  // We are neither on Windows, nor on Fuchsia.
 
 // ForkingDeathTest provides implementations for most of the abstract
 // methods of the DeathTest interface.  Only the AssumeRole method is
@@ -872,9 +1097,13 @@ class ExecDeathTest : public ForkingDeathTest {
       ForkingDeathTest(a_statement, a_regex), file_(file), line_(line) { }
   virtual TestRole AssumeRole();
  private:
-  static ::std::vector<testing::internal::string>
-  GetArgvsForDeathTestChildProcess() {
-    ::std::vector<testing::internal::string> args = GetInjectableArgvs();
+  static ::std::vector<std::string> GetArgvsForDeathTestChildProcess() {
+    ::std::vector<std::string> args = GetInjectableArgvs();
+#  if defined(GTEST_EXTRA_DEATH_TEST_COMMAND_LINE_ARGS_)
+    ::std::vector<std::string> extra_args =
+        GTEST_EXTRA_DEATH_TEST_COMMAND_LINE_ARGS_();
+    args.insert(args.end(), extra_args.begin(), extra_args.end());
+#  endif  // defined(GTEST_EXTRA_DEATH_TEST_COMMAND_LINE_ARGS_)
     return args;
   }
   // The name of the file in which the death test is located.
@@ -970,6 +1199,7 @@ static int ExecDeathTestChildMain(void* child_arg) {
 }
 #  endif  // !GTEST_OS_QNX
 
+#  if GTEST_HAS_CLONE
 // Two utility routines that together determine the direction the stack
 // grows.
 // This could be accomplished more elegantly by a single recursive
@@ -979,20 +1209,22 @@ static int ExecDeathTestChildMain(void* child_arg) {
 // GTEST_NO_INLINE_ is required to prevent GCC 4.6 from inlining
 // StackLowerThanAddress into StackGrowsDown, which then doesn't give
 // correct answer.
-void StackLowerThanAddress(const void* ptr, bool* result) GTEST_NO_INLINE_;
-void StackLowerThanAddress(const void* ptr, bool* result) {
+static void StackLowerThanAddress(const void* ptr,
+                                  bool* result) GTEST_NO_INLINE_;
+static void StackLowerThanAddress(const void* ptr, bool* result) {
   int dummy;
   *result = (&dummy < ptr);
 }
 
 // Make sure AddressSanitizer does not tamper with the stack here.
 GTEST_ATTRIBUTE_NO_SANITIZE_ADDRESS_
-bool StackGrowsDown() {
+static bool StackGrowsDown() {
   int dummy;
   bool result;
   StackLowerThanAddress(&dummy, &result);
   return result;
 }
+#  endif  // GTEST_HAS_CLONE
 
 // Spawns a child process with the same executable as the current process in
 // a thread-safe manner and instructs it to run the death test.  The
@@ -1184,6 +1416,13 @@ bool DefaultDeathTestFactory::Create(const char* statement, const RE* regex,
     *test = new WindowsDeathTest(statement, regex, file, line);
   }
 
+# elif GTEST_OS_FUCHSIA
+
+  if (GTEST_FLAG(death_test_style) == "threadsafe" ||
+      GTEST_FLAG(death_test_style) == "fast") {
+    *test = new FuchsiaDeathTest(statement, regex, file, line);
+  }
+
 # else
 
   if (GTEST_FLAG(death_test_style) == "threadsafe") {
@@ -1204,31 +1443,11 @@ bool DefaultDeathTestFactory::Create(const char* statement, const RE* regex,
   return true;
 }
 
-// Splits a given string on a given delimiter, populating a given
-// vector with the fields.  GTEST_HAS_DEATH_TEST implies that we have
-// ::std::string, so we can use it here.
-static void SplitString(const ::std::string& str, char delimiter,
-                        ::std::vector< ::std::string>* dest) {
-  ::std::vector< ::std::string> parsed;
-  ::std::string::size_type pos = 0;
-  while (::testing::internal::AlwaysTrue()) {
-    const ::std::string::size_type colon = str.find(delimiter, pos);
-    if (colon == ::std::string::npos) {
-      parsed.push_back(str.substr(pos));
-      break;
-    } else {
-      parsed.push_back(str.substr(pos, colon - pos));
-      pos = colon + 1;
-    }
-  }
-  dest->swap(parsed);
-}
-
 # if GTEST_OS_WINDOWS
 // Recreates the pipe and event handles from the provided parameters,
 // signals the event, and returns a file descriptor wrapped around the pipe
 // handle. This function is called in the child process only.
-int GetStatusFileDescriptor(unsigned int parent_process_id,
+static int GetStatusFileDescriptor(unsigned int parent_process_id,
                             size_t write_handle_as_size_t,
                             size_t event_handle_as_size_t) {
   AutoHandle parent_process_handle(::OpenProcess(PROCESS_DUP_HANDLE,
@@ -1239,7 +1458,7 @@ int GetStatusFileDescriptor(unsigned int parent_process_id,
                    StreamableToString(parent_process_id));
   }
 
-  // TODO(vladl@google.com): Replace the following check with a
+  // FIXME: Replace the following check with a
   // compile-time assertion when available.
   GTEST_CHECK_(sizeof(HANDLE) <= sizeof(size_t));
 
@@ -1247,7 +1466,7 @@ int GetStatusFileDescriptor(unsigned int parent_process_id,
       reinterpret_cast<HANDLE>(write_handle_as_size_t);
   HANDLE dup_write_handle;
 
-  // The newly initialized handle is accessible only in in the parent
+  // The newly initialized handle is accessible only in the parent
   // process. To obtain one accessible within the child, we need to use
   // DuplicateHandle.
   if (!::DuplicateHandle(parent_process_handle.Get(), write_handle,
@@ -1324,6 +1543,16 @@ InternalRunDeathTestFlag* ParseInternalRunDeathTestFlag() {
   write_fd = GetStatusFileDescriptor(parent_process_id,
                                      write_handle_as_size_t,
                                      event_handle_as_size_t);
+
+# elif GTEST_OS_FUCHSIA
+
+  if (fields.size() != 3
+      || !ParseNaturalNumber(fields[1], &line)
+      || !ParseNaturalNumber(fields[2], &index)) {
+    DeathTestAbort("Bad --gtest_internal_run_death_test flag: "
+        + GTEST_FLAG(internal_run_death_test));
+  }
+
 # else
 
   if (fields.size() != 4
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-filepath.cc b/security/nss/gtests/google_test/gtest/src/gtest-filepath.cc
index 0292dc1195..a7e65c082a 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-filepath.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-filepath.cc
@@ -26,14 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Authors: keith.ray@gmail.com (Keith Ray)
 
-#include "gtest/gtest-message.h"
 #include "gtest/internal/gtest-filepath.h"
-#include "gtest/internal/gtest-port.h"
 
 #include <stdlib.h>
+#include "gtest/internal/gtest-port.h"
+#include "gtest/gtest-message.h"
 
 #if GTEST_OS_WINDOWS_MOBILE
 # include <windows.h>
@@ -48,6 +46,8 @@
 # include <climits>  // Some Linux distributions define PATH_MAX here.
 #endif  // GTEST_OS_WINDOWS_MOBILE
 
+#include "gtest/internal/gtest-string.h"
+
 #if GTEST_OS_WINDOWS
 # define GTEST_PATH_MAX_ _MAX_PATH
 #elif defined(PATH_MAX)
@@ -58,8 +58,6 @@
 # define GTEST_PATH_MAX_ _POSIX_PATH_MAX
 #endif  // GTEST_OS_WINDOWS
 
-#include "gtest/internal/gtest-string.h"
-
 namespace testing {
 namespace internal {
 
@@ -130,7 +128,7 @@ FilePath FilePath::RemoveExtension(const char* extension) const {
   return *this;
 }
 
-// Returns a pointer to the last occurence of a valid path separator in
+// Returns a pointer to the last occurrence of a valid path separator in
 // the FilePath. On Windows, for example, both '/' and '\' are valid path
 // separators. Returns NULL if no path separator was found.
 const char* FilePath::FindLastPathSeparator() const {
@@ -252,7 +250,7 @@ bool FilePath::DirectoryExists() const {
 // root directory per disk drive.)
 bool FilePath::IsRootDirectory() const {
 #if GTEST_OS_WINDOWS
-  // TODO(wan@google.com): on Windows a network share like
+  // FIXME: on Windows a network share like
   // \\server\share can be a root directory, although it cannot be the
   // current directory.  Handle this properly.
   return pathname_.length() == 3 && IsAbsolutePath();
@@ -352,7 +350,7 @@ FilePath FilePath::RemoveTrailingPathSeparator() const {
 // Removes any redundant separators that might be in the pathname.
 // For example, "bar///foo" becomes "bar/foo". Does not eliminate other
 // redundancies that might be in a pathname involving "." or "..".
-// TODO(wan@google.com): handle Windows network shares (e.g. \\server\share).
+// FIXME: handle Windows network shares (e.g. \\server\share).
 void FilePath::Normalize() {
   if (pathname_.c_str() == NULL) {
     pathname_ = "";
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-internal-inl.h b/security/nss/gtests/google_test/gtest/src/gtest-internal-inl.h
index 0ac7a109b0..479004149b 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-internal-inl.h
+++ b/security/nss/gtests/google_test/gtest/src/gtest-internal-inl.h
@@ -27,24 +27,13 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// Utility functions and classes used by the Google C++ testing framework.
-//
-// Author: wan@google.com (Zhanyong Wan)
-//
+// Utility functions and classes used by the Google C++ testing framework.//
 // This file contains purely Google Test's internal implementation.  Please
 // DO NOT #INCLUDE IT IN A USER PROGRAM.
 
 #ifndef GTEST_SRC_GTEST_INTERNAL_INL_H_
 #define GTEST_SRC_GTEST_INTERNAL_INL_H_
 
-// GTEST_IMPLEMENTATION_ is defined to 1 iff the current translation unit is
-// part of Google Test's implementation; otherwise it's undefined.
-#if !GTEST_IMPLEMENTATION_
-// If this file is included from the user's code, just say no.
-# error "gtest-internal-inl.h is part of Google Test's internal implementation."
-# error "It must not be included except by Google Test itself."
-#endif  // GTEST_IMPLEMENTATION_
-
 #ifndef _WIN32_WCE
 # include <errno.h>
 #endif  // !_WIN32_WCE
@@ -67,9 +56,12 @@
 # include <windows.h>  // NOLINT
 #endif  // GTEST_OS_WINDOWS
 
-#include "gtest/gtest.h"  // NOLINT
+#include "gtest/gtest.h"
 #include "gtest/gtest-spi.h"
 
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4251 \
+/* class A needs to have dll-interface to be used by clients of class B */)
+
 namespace testing {
 
 // Declares the flags.
@@ -94,12 +86,14 @@ const char kFilterFlag[] = "filter";
 const char kListTestsFlag[] = "list_tests";
 const char kOutputFlag[] = "output";
 const char kPrintTimeFlag[] = "print_time";
+const char kPrintUTF8Flag[] = "print_utf8";
 const char kRandomSeedFlag[] = "random_seed";
 const char kRepeatFlag[] = "repeat";
 const char kShuffleFlag[] = "shuffle";
 const char kStackTraceDepthFlag[] = "stack_trace_depth";
 const char kStreamResultToFlag[] = "stream_result_to";
 const char kThrowOnFailureFlag[] = "throw_on_failure";
+const char kFlagfileFlag[] = "flagfile";
 
 // A valid random seed must be in [1, kMaxRandomSeed].
 const int kMaxRandomSeed = 99999;
@@ -173,6 +167,7 @@ class GTestFlagSaver {
     list_tests_ = GTEST_FLAG(list_tests);
     output_ = GTEST_FLAG(output);
     print_time_ = GTEST_FLAG(print_time);
+    print_utf8_ = GTEST_FLAG(print_utf8);
     random_seed_ = GTEST_FLAG(random_seed);
     repeat_ = GTEST_FLAG(repeat);
     shuffle_ = GTEST_FLAG(shuffle);
@@ -194,6 +189,7 @@ class GTestFlagSaver {
     GTEST_FLAG(list_tests) = list_tests_;
     GTEST_FLAG(output) = output_;
     GTEST_FLAG(print_time) = print_time_;
+    GTEST_FLAG(print_utf8) = print_utf8_;
     GTEST_FLAG(random_seed) = random_seed_;
     GTEST_FLAG(repeat) = repeat_;
     GTEST_FLAG(shuffle) = shuffle_;
@@ -215,6 +211,7 @@ class GTestFlagSaver {
   bool list_tests_;
   std::string output_;
   bool print_time_;
+  bool print_utf8_;
   internal::Int32 random_seed_;
   internal::Int32 repeat_;
   bool shuffle_;
@@ -425,13 +422,17 @@ class OsStackTraceGetterInterface {
   //                in the trace.
   //   skip_count - the number of top frames to be skipped; doesn't count
   //                against max_depth.
-  virtual string CurrentStackTrace(int max_depth, int skip_count) = 0;
+  virtual std::string CurrentStackTrace(int max_depth, int skip_count) = 0;
 
   // UponLeavingGTest() should be called immediately before Google Test calls
   // user code. It saves some information about the current stack that
   // CurrentStackTrace() will use to find and hide Google Test stack frames.
   virtual void UponLeavingGTest() = 0;
 
+  // This string is inserted in place of stack frames that are part of
+  // Google Test's implementation.
+  static const char* const kElidedFramesMarker;
+
  private:
   GTEST_DISALLOW_COPY_AND_ASSIGN_(OsStackTraceGetterInterface);
 };
@@ -439,25 +440,21 @@ class OsStackTraceGetterInterface {
 // A working implementation of the OsStackTraceGetterInterface interface.
 class OsStackTraceGetter : public OsStackTraceGetterInterface {
  public:
-  OsStackTraceGetter() : caller_frame_(NULL) {}
+  OsStackTraceGetter() {}
 
-  virtual string CurrentStackTrace(int max_depth, int skip_count)
-      GTEST_LOCK_EXCLUDED_(mutex_);
-
-  virtual void UponLeavingGTest() GTEST_LOCK_EXCLUDED_(mutex_);
-
-  // This string is inserted in place of stack frames that are part of
-  // Google Test's implementation.
-  static const char* const kElidedFramesMarker;
+  virtual std::string CurrentStackTrace(int max_depth, int skip_count);
+  virtual void UponLeavingGTest();
 
  private:
-  Mutex mutex_;  // protects all internal state
+#if GTEST_HAS_ABSL
+  Mutex mutex_;  // Protects all internal state.
 
   // We save the stack frame below the frame that calls user code.
   // We do this because the address of the frame immediately below
   // the user code changes between the call to UponLeavingGTest()
-  // and any calls to CurrentStackTrace() from within the user code.
-  void* caller_frame_;
+  // and any calls to the stack trace code from within the user code.
+  void* caller_frame_ = nullptr;
+#endif  // GTEST_HAS_ABSL
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(OsStackTraceGetter);
 };
@@ -673,13 +670,11 @@ class GTEST_API_ UnitTestImpl {
                 tear_down_tc)->AddTestInfo(test_info);
   }
 
-#if GTEST_HAS_PARAM_TEST
   // Returns ParameterizedTestCaseRegistry object used to keep track of
   // value-parameterized tests and instantiate and register them.
   internal::ParameterizedTestCaseRegistry& parameterized_test_registry() {
     return parameterized_test_registry_;
   }
-#endif  // GTEST_HAS_PARAM_TEST
 
   // Sets the TestCase object for the test that's currently running.
   void set_current_test_case(TestCase* a_current_test_case) {
@@ -854,14 +849,12 @@ class GTEST_API_ UnitTestImpl {
   // shuffled order.
   std::vector<int> test_case_indices_;
 
-#if GTEST_HAS_PARAM_TEST
   // ParameterizedTestRegistry object used to register value-parameterized
   // tests.
   internal::ParameterizedTestCaseRegistry parameterized_test_registry_;
 
   // Indicates whether RegisterParameterizedTests() has been called already.
   bool parameterized_tests_registered_;
-#endif  // GTEST_HAS_PARAM_TEST
 
   // Index of the last death test case registered.  Initially -1.
   int last_death_test_case_;
@@ -1001,7 +994,7 @@ bool ParseNaturalNumber(const ::std::string& str, Integer* number) {
 
   const bool parse_success = *end == '\0' && errno == 0;
 
-  // TODO(vladl@google.com): Convert this to compile time assertion when it is
+  // FIXME: Convert this to compile time assertion when it is
   // available.
   GTEST_CHECK_(sizeof(Integer) <= sizeof(parsed));
 
@@ -1049,21 +1042,19 @@ class StreamingListener : public EmptyTestEventListener {
     virtual ~AbstractSocketWriter() {}
 
     // Sends a string to the socket.
-    virtual void Send(const string& message) = 0;
+    virtual void Send(const std::string& message) = 0;
 
     // Closes the socket.
     virtual void CloseConnection() {}
 
     // Sends a string and a newline to the socket.
-    void SendLn(const string& message) {
-      Send(message + "\n");
-    }
+    void SendLn(const std::string& message) { Send(message + "\n"); }
   };
 
   // Concrete class for actually writing strings to a socket.
   class SocketWriter : public AbstractSocketWriter {
    public:
-    SocketWriter(const string& host, const string& port)
+    SocketWriter(const std::string& host, const std::string& port)
         : sockfd_(-1), host_name_(host), port_num_(port) {
       MakeConnection();
     }
@@ -1074,7 +1065,7 @@ class StreamingListener : public EmptyTestEventListener {
     }
 
     // Sends a string to the socket.
-    virtual void Send(const string& message) {
+    virtual void Send(const std::string& message) {
       GTEST_CHECK_(sockfd_ != -1)
           << "Send() can be called only when there is a connection.";
 
@@ -1100,17 +1091,19 @@ class StreamingListener : public EmptyTestEventListener {
     }
 
     int sockfd_;  // socket file descriptor
-    const string host_name_;
-    const string port_num_;
+    const std::string host_name_;
+    const std::string port_num_;
 
     GTEST_DISALLOW_COPY_AND_ASSIGN_(SocketWriter);
   };  // class SocketWriter
 
   // Escapes '=', '&', '%', and '\n' characters in str as "%xx".
-  static string UrlEncode(const char* str);
+  static std::string UrlEncode(const char* str);
 
-  StreamingListener(const string& host, const string& port)
-      : socket_writer_(new SocketWriter(host, port)) { Start(); }
+  StreamingListener(const std::string& host, const std::string& port)
+      : socket_writer_(new SocketWriter(host, port)) {
+    Start();
+  }
 
   explicit StreamingListener(AbstractSocketWriter* socket_writer)
       : socket_writer_(socket_writer) { Start(); }
@@ -1171,13 +1164,13 @@ class StreamingListener : public EmptyTestEventListener {
 
  private:
   // Sends the given message and a newline to the socket.
-  void SendLn(const string& message) { socket_writer_->SendLn(message); }
+  void SendLn(const std::string& message) { socket_writer_->SendLn(message); }
 
   // Called at the start of streaming to notify the receiver what
   // protocol we are using.
   void Start() { SendLn("gtest_streaming_protocol_version=1.0"); }
 
-  string FormatBool(bool value) { return value ? "1" : "0"; }
+  std::string FormatBool(bool value) { return value ? "1" : "0"; }
 
   const scoped_ptr<AbstractSocketWriter> socket_writer_;
 
@@ -1189,4 +1182,6 @@ class StreamingListener : public EmptyTestEventListener {
 }  // namespace internal
 }  // namespace testing
 
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4251
+
 #endif  // GTEST_SRC_GTEST_INTERNAL_INL_H_
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-port.cc b/security/nss/gtests/google_test/gtest/src/gtest-port.cc
index b032745b4d..fecb5d11c2 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-port.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-port.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/internal/gtest-port.h"
 
@@ -35,6 +34,7 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
+#include <fstream>
 
 #if GTEST_OS_WINDOWS
 # include <windows.h>
@@ -57,19 +57,21 @@
 # include <sys/procfs.h>
 #endif  // GTEST_OS_QNX
 
+#if GTEST_OS_AIX
+# include <procinfo.h>
+# include <sys/types.h>
+#endif  // GTEST_OS_AIX
+
+#if GTEST_OS_FUCHSIA
+# include <zircon/process.h>
+# include <zircon/syscalls.h>
+#endif  // GTEST_OS_FUCHSIA
+
 #include "gtest/gtest-spi.h"
 #include "gtest/gtest-message.h"
 #include "gtest/internal/gtest-internal.h"
 #include "gtest/internal/gtest-string.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick exists to
-// prevent the accidental inclusion of gtest-internal-inl.h in the
-// user's code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 namespace internal {
@@ -83,10 +85,31 @@ const int kStdOutFileno = STDOUT_FILENO;
 const int kStdErrFileno = STDERR_FILENO;
 #endif  // _MSC_VER
 
-#if GTEST_OS_MAC
+#if GTEST_OS_LINUX
+
+namespace {
+template <typename T>
+T ReadProcFileField(const std::string& filename, int field) {
+  std::string dummy;
+  std::ifstream file(filename.c_str());
+  while (field-- > 0) {
+    file >> dummy;
+  }
+  T output = 0;
+  file >> output;
+  return output;
+}
+}  // namespace
+
+// Returns the number of active threads, or 0 when there is an error.
+size_t GetThreadCount() {
+  const std::string filename =
+      (Message() << "/proc/" << getpid() << "/stat").GetString();
+  return ReadProcFileField<int>(filename, 19);
+}
+
+#elif GTEST_OS_MAC
 
-// Returns the number of threads running in the process, or 0 to indicate that
-// we cannot detect it.
 size_t GetThreadCount() {
   const task_t task = mach_task_self();
   mach_msg_type_number_t thread_count;
@@ -124,6 +147,38 @@ size_t GetThreadCount() {
   }
 }
 
+#elif GTEST_OS_AIX
+
+size_t GetThreadCount() {
+  struct procentry64 entry;
+  pid_t pid = getpid();
+  int status = getprocs64(&entry, sizeof(entry), NULL, 0, &pid, 1);
+  if (status == 1) {
+    return entry.pi_thcount;
+  } else {
+    return 0;
+  }
+}
+
+#elif GTEST_OS_FUCHSIA
+
+size_t GetThreadCount() {
+  int dummy_buffer;
+  size_t avail;
+  zx_status_t status = zx_object_get_info(
+      zx_process_self(),
+      ZX_INFO_PROCESS_THREADS,
+      &dummy_buffer,
+      0,
+      nullptr,
+      &avail);
+  if (status == ZX_OK) {
+    return avail;
+  } else {
+    return 0;
+  }
+}
+
 #else
 
 size_t GetThreadCount() {
@@ -132,7 +187,7 @@ size_t GetThreadCount() {
   return 0;
 }
 
-#endif  // GTEST_OS_MAC
+#endif  // GTEST_OS_LINUX
 
 #if GTEST_IS_THREADSAFE && GTEST_OS_WINDOWS
 
@@ -196,8 +251,8 @@ void Notification::WaitForNotification() {
 }
 
 Mutex::Mutex()
-    : type_(kDynamic),
-      owner_thread_id_(0),
+    : owner_thread_id_(0),
+      type_(kDynamic),
       critical_section_init_phase_(0),
       critical_section_(new CRITICAL_SECTION) {
   ::InitializeCriticalSection(critical_section_);
@@ -206,9 +261,9 @@ Mutex::Mutex()
 Mutex::~Mutex() {
   // Static mutexes are leaked intentionally. It is not thread-safe to try
   // to clean them up.
-  // TODO(yukawa): Switch to Slim Reader/Writer (SRW) Locks, which requires
+  // FIXME: Switch to Slim Reader/Writer (SRW) Locks, which requires
   // nothing to clean it up but is available only on Vista and later.
-  // http://msdn.microsoft.com/en-us/library/windows/desktop/aa904937.aspx
+  // https://docs.microsoft.com/en-us/windows/desktop/Sync/slim-reader-writer--srw--locks
   if (type_ == kDynamic) {
     ::DeleteCriticalSection(critical_section_);
     delete critical_section_;
@@ -239,6 +294,43 @@ void Mutex::AssertHeld() {
       << "The current thread is not holding the mutex @" << this;
 }
 
+namespace {
+
+// Use the RAII idiom to flag mem allocs that are intentionally never
+// deallocated. The motivation is to silence the false positive mem leaks
+// that are reported by the debug version of MS's CRT which can only detect
+// if an alloc is missing a matching deallocation.
+// Example:
+//    MemoryIsNotDeallocated memory_is_not_deallocated;
+//    critical_section_ = new CRITICAL_SECTION;
+//
+class MemoryIsNotDeallocated
+{
+ public:
+  MemoryIsNotDeallocated() : old_crtdbg_flag_(0) {
+#ifdef _MSC_VER
+    old_crtdbg_flag_ = _CrtSetDbgFlag(_CRTDBG_REPORT_FLAG);
+    // Set heap allocation block type to _IGNORE_BLOCK so that MS debug CRT
+    // doesn't report mem leak if there's no matching deallocation.
+    _CrtSetDbgFlag(old_crtdbg_flag_ & ~_CRTDBG_ALLOC_MEM_DF);
+#endif  //  _MSC_VER
+  }
+
+  ~MemoryIsNotDeallocated() {
+#ifdef _MSC_VER
+    // Restore the original _CRTDBG_ALLOC_MEM_DF flag
+    _CrtSetDbgFlag(old_crtdbg_flag_);
+#endif  //  _MSC_VER
+  }
+
+ private:
+  int old_crtdbg_flag_;
+
+  GTEST_DISALLOW_COPY_AND_ASSIGN_(MemoryIsNotDeallocated);
+};
+
+}  // namespace
+
 // Initializes owner_thread_id_ and critical_section_ in static mutexes.
 void Mutex::ThreadSafeLazyInit() {
   // Dynamic mutexes are initialized in the constructor.
@@ -249,7 +341,11 @@ void Mutex::ThreadSafeLazyInit() {
         // If critical_section_init_phase_ was 0 before the exchange, we
         // are the first to test it and need to perform the initialization.
         owner_thread_id_ = 0;
-        critical_section_ = new CRITICAL_SECTION;
+        {
+          // Use RAII to flag that following mem alloc is never deallocated.
+          MemoryIsNotDeallocated memory_is_not_deallocated;
+          critical_section_ = new CRITICAL_SECTION;
+        }
         ::InitializeCriticalSection(critical_section_);
         // Updates the critical_section_init_phase_ to 2 to signal
         // initialization complete.
@@ -288,7 +384,7 @@ class ThreadWithParamSupport : public ThreadWithParamBase {
                              Notification* thread_can_start) {
     ThreadMainParam* param = new ThreadMainParam(runnable, thread_can_start);
     DWORD thread_id;
-    // TODO(yukawa): Consider to use _beginthreadex instead.
+    // FIXME: Consider to use _beginthreadex instead.
     HANDLE thread_handle = ::CreateThread(
         NULL,    // Default security.
         0,       // Default stack size.
@@ -456,7 +552,7 @@ class ThreadLocalRegistryImpl {
                                  FALSE,
                                  thread_id);
     GTEST_CHECK_(thread != NULL);
-    // We need to to pass a valid thread ID pointer into CreateThread for it
+    // We need to pass a valid thread ID pointer into CreateThread for it
     // to work correctly under Win98.
     DWORD watcher_thread_id;
     HANDLE watcher_thread = ::CreateThread(
@@ -491,7 +587,8 @@ class ThreadLocalRegistryImpl {
   // Returns map of thread local instances.
   static ThreadIdToThreadLocals* GetThreadLocalsMapLocked() {
     mutex_.AssertHeld();
-    static ThreadIdToThreadLocals* map = new ThreadIdToThreadLocals;
+    MemoryIsNotDeallocated memory_is_not_deallocated;
+    static ThreadIdToThreadLocals* map = new ThreadIdToThreadLocals();
     return map;
   }
 
@@ -631,7 +728,7 @@ bool AtomMatchesChar(bool escaped, char pattern_char, char ch) {
 }
 
 // Helper function used by ValidateRegex() to format error messages.
-std::string FormatRegexSyntaxError(const char* regex, int index) {
+static std::string FormatRegexSyntaxError(const char* regex, int index) {
   return (Message() << "Syntax error at index " << index
           << " in simple regular expression \"" << regex << "\": ").GetString();
 }
@@ -640,7 +737,7 @@ std::string FormatRegexSyntaxError(const char* regex, int index) {
 // otherwise returns true.
 bool ValidateRegex(const char* regex) {
   if (regex == NULL) {
-    // TODO(wan@google.com): fix the source file location in the
+    // FIXME: fix the source file location in the
     // assertion failures to match where the regex is used in user
     // code.
     ADD_FAILURE() << "NULL is not a valid simple regular expression.";
@@ -865,7 +962,6 @@ GTEST_API_ ::std::string FormatCompilerIndependentFileLocation(
     return file_name + ":" + StreamableToString(line);
 }
 
-
 GTestLog::GTestLog(GTestLogSeverity severity, const char* file, int line)
     : severity_(severity) {
   const char* const marker =
@@ -884,9 +980,10 @@ GTestLog::~GTestLog() {
     posix::Abort();
   }
 }
+
 // Disable Microsoft deprecation warnings for POSIX functions called from
 // this class (creat, dup, dup2, and close)
-GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996)
+GTEST_DISABLE_MSC_DEPRECATED_PUSH_()
 
 #if GTEST_HAS_STREAM_REDIRECTION
 
@@ -962,12 +1059,6 @@ class CapturedStream {
   }
 
  private:
-  // Reads the entire content of a file as an std::string.
-  static std::string ReadEntireFile(FILE* file);
-
-  // Returns the size (in bytes) of a file.
-  static size_t GetFileSize(FILE* file);
-
   const int fd_;  // A stream to capture.
   int uncaptured_fd_;
   // Name of the temporary file holding the stderr output.
@@ -976,42 +1067,14 @@ class CapturedStream {
   GTEST_DISALLOW_COPY_AND_ASSIGN_(CapturedStream);
 };
 
-// Returns the size (in bytes) of a file.
-size_t CapturedStream::GetFileSize(FILE* file) {
-  fseek(file, 0, SEEK_END);
-  return static_cast<size_t>(ftell(file));
-}
-
-// Reads the entire content of a file as a string.
-std::string CapturedStream::ReadEntireFile(FILE* file) {
-  const size_t file_size = GetFileSize(file);
-  char* const buffer = new char[file_size];
-
-  size_t bytes_last_read = 0;  // # of bytes read in the last fread()
-  size_t bytes_read = 0;       // # of bytes read so far
-
-  fseek(file, 0, SEEK_SET);
-
-  // Keeps reading the file until we cannot read further or the
-  // pre-determined file size is reached.
-  do {
-    bytes_last_read = fread(buffer+bytes_read, 1, file_size-bytes_read, file);
-    bytes_read += bytes_last_read;
-  } while (bytes_last_read > 0 && bytes_read < file_size);
-
-  const std::string content(buffer, bytes_read);
-  delete[] buffer;
-
-  return content;
-}
-
-GTEST_DISABLE_MSC_WARNINGS_POP_()
+GTEST_DISABLE_MSC_DEPRECATED_POP_()
 
 static CapturedStream* g_captured_stderr = NULL;
 static CapturedStream* g_captured_stdout = NULL;
 
 // Starts capturing an output stream (stdout/stderr).
-void CaptureStream(int fd, const char* stream_name, CapturedStream** stream) {
+static void CaptureStream(int fd, const char* stream_name,
+                          CapturedStream** stream) {
   if (*stream != NULL) {
     GTEST_LOG_(FATAL) << "Only one " << stream_name
                       << " capturer can exist at a time.";
@@ -1020,7 +1083,7 @@ void CaptureStream(int fd, const char* stream_name, CapturedStream** stream) {
 }
 
 // Stops capturing the output stream and returns the captured string.
-std::string GetCapturedStream(CapturedStream** captured_stream) {
+static std::string GetCapturedStream(CapturedStream** captured_stream) {
   const std::string content = (*captured_stream)->GetCapturedString();
 
   delete *captured_stream;
@@ -1051,25 +1114,67 @@ std::string GetCapturedStderr() {
 
 #endif  // GTEST_HAS_STREAM_REDIRECTION
 
-#if GTEST_HAS_DEATH_TEST
 
-// A copy of all command line arguments.  Set by InitGoogleTest().
-::std::vector<testing::internal::string> g_argvs;
 
-static const ::std::vector<testing::internal::string>* g_injected_test_argvs =
-                                        NULL;  // Owned.
 
-void SetInjectableArgvs(const ::std::vector<testing::internal::string>* argvs) {
-  if (g_injected_test_argvs != argvs)
-    delete g_injected_test_argvs;
-  g_injected_test_argvs = argvs;
+
+size_t GetFileSize(FILE* file) {
+  fseek(file, 0, SEEK_END);
+  return static_cast<size_t>(ftell(file));
 }
 
-const ::std::vector<testing::internal::string>& GetInjectableArgvs() {
+std::string ReadEntireFile(FILE* file) {
+  const size_t file_size = GetFileSize(file);
+  char* const buffer = new char[file_size];
+
+  size_t bytes_last_read = 0;  // # of bytes read in the last fread()
+  size_t bytes_read = 0;       // # of bytes read so far
+
+  fseek(file, 0, SEEK_SET);
+
+  // Keeps reading the file until we cannot read further or the
+  // pre-determined file size is reached.
+  do {
+    bytes_last_read = fread(buffer+bytes_read, 1, file_size-bytes_read, file);
+    bytes_read += bytes_last_read;
+  } while (bytes_last_read > 0 && bytes_read < file_size);
+
+  const std::string content(buffer, bytes_read);
+  delete[] buffer;
+
+  return content;
+}
+
+#if GTEST_HAS_DEATH_TEST
+static const std::vector<std::string>* g_injected_test_argvs = NULL;  // Owned.
+
+std::vector<std::string> GetInjectableArgvs() {
   if (g_injected_test_argvs != NULL) {
     return *g_injected_test_argvs;
   }
-  return g_argvs;
+  return GetArgvs();
+}
+
+void SetInjectableArgvs(const std::vector<std::string>* new_argvs) {
+  if (g_injected_test_argvs != new_argvs) delete g_injected_test_argvs;
+  g_injected_test_argvs = new_argvs;
+}
+
+void SetInjectableArgvs(const std::vector<std::string>& new_argvs) {
+  SetInjectableArgvs(
+      new std::vector<std::string>(new_argvs.begin(), new_argvs.end()));
+}
+
+#if GTEST_HAS_GLOBAL_STRING
+void SetInjectableArgvs(const std::vector< ::string>& new_argvs) {
+  SetInjectableArgvs(
+      new std::vector<std::string>(new_argvs.begin(), new_argvs.end()));
+}
+#endif  // GTEST_HAS_GLOBAL_STRING
+
+void ClearInjectableArgvs() {
+  delete g_injected_test_argvs;
+  g_injected_test_argvs = NULL;
 }
 #endif  // GTEST_HAS_DEATH_TEST
 
@@ -1143,16 +1248,23 @@ bool ParseInt32(const Message& src_text, const char* str, Int32* value) {
 //
 // The value is considered true iff it's not "0".
 bool BoolFromGTestEnv(const char* flag, bool default_value) {
+#if defined(GTEST_GET_BOOL_FROM_ENV_)
+  return GTEST_GET_BOOL_FROM_ENV_(flag, default_value);
+#else
   const std::string env_var = FlagToEnvVar(flag);
   const char* const string_value = posix::GetEnv(env_var.c_str());
   return string_value == NULL ?
       default_value : strcmp(string_value, "0") != 0;
+#endif  // defined(GTEST_GET_BOOL_FROM_ENV_)
 }
 
 // Reads and returns a 32-bit integer stored in the environment
 // variable corresponding to the given flag; if it isn't set or
 // doesn't represent a valid 32-bit integer, returns default_value.
 Int32 Int32FromGTestEnv(const char* flag, Int32 default_value) {
+#if defined(GTEST_GET_INT32_FROM_ENV_)
+  return GTEST_GET_INT32_FROM_ENV_(flag, default_value);
+#else
   const std::string env_var = FlagToEnvVar(flag);
   const char* const string_value = posix::GetEnv(env_var.c_str());
   if (string_value == NULL) {
@@ -1170,14 +1282,36 @@ Int32 Int32FromGTestEnv(const char* flag, Int32 default_value) {
   }
 
   return result;
+#endif  // defined(GTEST_GET_INT32_FROM_ENV_)
+}
+
+// As a special case for the 'output' flag, if GTEST_OUTPUT is not
+// set, we look for XML_OUTPUT_FILE, which is set by the Bazel build
+// system.  The value of XML_OUTPUT_FILE is a filename without the
+// "xml:" prefix of GTEST_OUTPUT.
+// Note that this is meant to be called at the call site so it does
+// not check that the flag is 'output'
+// In essence this checks an env variable called XML_OUTPUT_FILE
+// and if it is set we prepend "xml:" to its value, if it not set we return ""
+std::string OutputFlagAlsoCheckEnvVar(){
+  std::string default_value_for_output_flag = "";
+  const char* xml_output_file_env = posix::GetEnv("XML_OUTPUT_FILE");
+  if (NULL != xml_output_file_env) {
+    default_value_for_output_flag = std::string("xml:") + xml_output_file_env;
+  }
+  return default_value_for_output_flag;
 }
 
 // Reads and returns the string environment variable corresponding to
 // the given flag; if it's not set, returns default_value.
 const char* StringFromGTestEnv(const char* flag, const char* default_value) {
+#if defined(GTEST_GET_STRING_FROM_ENV_)
+  return GTEST_GET_STRING_FROM_ENV_(flag, default_value);
+#else
   const std::string env_var = FlagToEnvVar(flag);
   const char* const value = posix::GetEnv(env_var.c_str());
   return value == NULL ? default_value : value;
+#endif  // defined(GTEST_GET_STRING_FROM_ENV_)
 }
 
 }  // namespace internal
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-printers.cc b/security/nss/gtests/google_test/gtest/src/gtest-printers.cc
index a2df412f8a..de4d245e9f 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-printers.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-printers.cc
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
-// Google Test - The Google C++ Testing Framework
+
+// Google Test - The Google C++ Testing and Mocking Framework
 //
 // This file implements a universal value printer that can print a
 // value of any type T:
@@ -43,12 +42,13 @@
 // defines Foo.
 
 #include "gtest/gtest-printers.h"
-#include <ctype.h>
 #include <stdio.h>
+#include <cctype>
 #include <cwchar>
 #include <ostream>  // NOLINT
 #include <string>
 #include "gtest/internal/gtest-port.h"
+#include "src/gtest-internal-inl.h"
 
 namespace testing {
 
@@ -89,7 +89,7 @@ void PrintBytesInObjectToImpl(const unsigned char* obj_bytes, size_t count,
   // If the object size is bigger than kThreshold, we'll have to omit
   // some details by printing only the first and the last kChunkSize
   // bytes.
-  // TODO(wan): let the user control the threshold using a flag.
+  // FIXME: let the user control the threshold using a flag.
   if (count < kThreshold) {
     PrintByteSegmentInObjectTo(obj_bytes, 0, count, os);
   } else {
@@ -123,7 +123,7 @@ namespace internal {
 // Depending on the value of a char (or wchar_t), we print it in one
 // of three formats:
 //   - as is if it's a printable ASCII (e.g. 'a', '2', ' '),
-//   - as a hexidecimal escape sequence (e.g. '\x7F'), or
+//   - as a hexadecimal escape sequence (e.g. '\x7F'), or
 //   - as a special escape sequence (e.g. '\r', '\n').
 enum CharFormat {
   kAsIs,
@@ -180,7 +180,10 @@ static CharFormat PrintAsCharLiteralTo(Char c, ostream* os) {
         *os << static_cast<char>(c);
         return kAsIs;
       } else {
-        *os << "\\x" + String::FormatHexInt(static_cast<UnsignedChar>(c));
+        ostream::fmtflags flags = os->flags();
+        *os << "\\x" << std::hex << std::uppercase
+            << static_cast<int>(static_cast<UnsignedChar>(c));
+        os->flags(flags);
         return kHexEscape;
       }
   }
@@ -227,7 +230,7 @@ void PrintCharAndCodeTo(Char c, ostream* os) {
     return;
   *os << " (" << static_cast<int>(c);
 
-  // For more convenience, we print c's code again in hexidecimal,
+  // For more convenience, we print c's code again in hexadecimal,
   // unless c was already printed in the form '\x##' or the code is in
   // [1, 9].
   if (format == kHexEscape || (1 <= c && c <= 9)) {
@@ -259,11 +262,12 @@ template <typename CharType>
 GTEST_ATTRIBUTE_NO_SANITIZE_MEMORY_
 GTEST_ATTRIBUTE_NO_SANITIZE_ADDRESS_
 GTEST_ATTRIBUTE_NO_SANITIZE_THREAD_
-static void PrintCharsAsStringTo(
+static CharFormat PrintCharsAsStringTo(
     const CharType* begin, size_t len, ostream* os) {
   const char* const kQuoteBegin = sizeof(CharType) == 1 ? "\"" : "L\"";
   *os << kQuoteBegin;
   bool is_previous_hex = false;
+  CharFormat print_format = kAsIs;
   for (size_t index = 0; index < len; ++index) {
     const CharType cur = begin[index];
     if (is_previous_hex && IsXDigit(cur)) {
@@ -273,8 +277,13 @@ static void PrintCharsAsStringTo(
       *os << "\" " << kQuoteBegin;
     }
     is_previous_hex = PrintAsStringLiteralTo(cur, os) == kHexEscape;
+    // Remember if any characters required hex escaping.
+    if (is_previous_hex) {
+      print_format = kHexEscape;
+    }
   }
   *os << "\"";
+  return print_format;
 }
 
 // Prints a (const) char/wchar_t array of 'len' elements, starting at address
@@ -344,15 +353,90 @@ void PrintTo(const wchar_t* s, ostream* os) {
 }
 #endif  // wchar_t is native
 
+namespace {
+
+bool ContainsUnprintableControlCodes(const char* str, size_t length) {
+  const unsigned char *s = reinterpret_cast<const unsigned char *>(str);
+
+  for (size_t i = 0; i < length; i++) {
+    unsigned char ch = *s++;
+    if (std::iscntrl(ch)) {
+        switch (ch) {
+        case '\t':
+        case '\n':
+        case '\r':
+          break;
+        default:
+          return true;
+        }
+      }
+  }
+  return false;
+}
+
+bool IsUTF8TrailByte(unsigned char t) { return 0x80 <= t && t<= 0xbf; }
+
+bool IsValidUTF8(const char* str, size_t length) {
+  const unsigned char *s = reinterpret_cast<const unsigned char *>(str);
+
+  for (size_t i = 0; i < length;) {
+    unsigned char lead = s[i++];
+
+    if (lead <= 0x7f) {
+      continue;  // single-byte character (ASCII) 0..7F
+    }
+    if (lead < 0xc2) {
+      return false;  // trail byte or non-shortest form
+    } else if (lead <= 0xdf && (i + 1) <= length && IsUTF8TrailByte(s[i])) {
+      ++i;  // 2-byte character
+    } else if (0xe0 <= lead && lead <= 0xef && (i + 2) <= length &&
+               IsUTF8TrailByte(s[i]) &&
+               IsUTF8TrailByte(s[i + 1]) &&
+               // check for non-shortest form and surrogate
+               (lead != 0xe0 || s[i] >= 0xa0) &&
+               (lead != 0xed || s[i] < 0xa0)) {
+      i += 2;  // 3-byte character
+    } else if (0xf0 <= lead && lead <= 0xf4 && (i + 3) <= length &&
+               IsUTF8TrailByte(s[i]) &&
+               IsUTF8TrailByte(s[i + 1]) &&
+               IsUTF8TrailByte(s[i + 2]) &&
+               // check for non-shortest form
+               (lead != 0xf0 || s[i] >= 0x90) &&
+               (lead != 0xf4 || s[i] < 0x90)) {
+      i += 3;  // 4-byte character
+    } else {
+      return false;
+    }
+  }
+  return true;
+}
+
+void ConditionalPrintAsText(const char* str, size_t length, ostream* os) {
+  if (!ContainsUnprintableControlCodes(str, length) &&
+      IsValidUTF8(str, length)) {
+    *os << "\n    As Text: \"" << str << "\"";
+  }
+}
+
+}  // anonymous namespace
+
 // Prints a ::string object.
 #if GTEST_HAS_GLOBAL_STRING
 void PrintStringTo(const ::string& s, ostream* os) {
-  PrintCharsAsStringTo(s.data(), s.size(), os);
+  if (PrintCharsAsStringTo(s.data(), s.size(), os) == kHexEscape) {
+    if (GTEST_FLAG(print_utf8)) {
+      ConditionalPrintAsText(s.data(), s.size(), os);
+    }
+  }
 }
 #endif  // GTEST_HAS_GLOBAL_STRING
 
 void PrintStringTo(const ::std::string& s, ostream* os) {
-  PrintCharsAsStringTo(s.data(), s.size(), os);
+  if (PrintCharsAsStringTo(s.data(), s.size(), os) == kHexEscape) {
+    if (GTEST_FLAG(print_utf8)) {
+      ConditionalPrintAsText(s.data(), s.size(), os);
+    }
+  }
 }
 
 // Prints a ::wstring object.
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-test-part.cc b/security/nss/gtests/google_test/gtest/src/gtest-test-part.cc
index fb0e35425e..c88860d923 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-test-part.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-test-part.cc
@@ -26,21 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: mheule@google.com (Markus Heule)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 
 #include "gtest/gtest-test-part.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick exists to
-// prevent the accidental inclusion of gtest-internal-inl.h in the
-// user's code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 
diff --git a/security/nss/gtests/google_test/gtest/src/gtest-typed-test.cc b/security/nss/gtests/google_test/gtest/src/gtest-typed-test.cc
index f0079f407c..1dc2ad38ba 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest-typed-test.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest-typed-test.cc
@@ -26,10 +26,10 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/gtest-typed-test.h"
+
 #include "gtest/gtest.h"
 
 namespace testing {
@@ -45,33 +45,41 @@ static const char* SkipSpaces(const char* str) {
   return str;
 }
 
+static std::vector<std::string> SplitIntoTestNames(const char* src) {
+  std::vector<std::string> name_vec;
+  src = SkipSpaces(src);
+  for (; src != NULL; src = SkipComma(src)) {
+    name_vec.push_back(StripTrailingSpaces(GetPrefixUntilComma(src)));
+  }
+  return name_vec;
+}
+
 // Verifies that registered_tests match the test names in
-// defined_test_names_; returns registered_tests if successful, or
+// registered_tests_; returns registered_tests if successful, or
 // aborts the program otherwise.
 const char* TypedTestCasePState::VerifyRegisteredTestNames(
     const char* file, int line, const char* registered_tests) {
-  typedef ::std::set<const char*>::const_iterator DefinedTestIter;
+  typedef RegisteredTestsMap::const_iterator RegisteredTestIter;
   registered_ = true;
 
-  // Skip initial whitespace in registered_tests since some
-  // preprocessors prefix stringizied literals with whitespace.
-  registered_tests = SkipSpaces(registered_tests);
+  std::vector<std::string> name_vec = SplitIntoTestNames(registered_tests);
 
   Message errors;
-  ::std::set<std::string> tests;
-  for (const char* names = registered_tests; names != NULL;
-       names = SkipComma(names)) {
-    const std::string name = GetPrefixUntilComma(names);
+
+  std::set<std::string> tests;
+  for (std::vector<std::string>::const_iterator name_it = name_vec.begin();
+       name_it != name_vec.end(); ++name_it) {
+    const std::string& name = *name_it;
     if (tests.count(name) != 0) {
       errors << "Test " << name << " is listed more than once.\n";
       continue;
     }
 
     bool found = false;
-    for (DefinedTestIter it = defined_test_names_.begin();
-         it != defined_test_names_.end();
+    for (RegisteredTestIter it = registered_tests_.begin();
+         it != registered_tests_.end();
          ++it) {
-      if (name == *it) {
+      if (name == it->first) {
         found = true;
         break;
       }
@@ -85,11 +93,11 @@ const char* TypedTestCasePState::VerifyRegisteredTestNames(
     }
   }
 
-  for (DefinedTestIter it = defined_test_names_.begin();
-       it != defined_test_names_.end();
+  for (RegisteredTestIter it = registered_tests_.begin();
+       it != registered_tests_.end();
        ++it) {
-    if (tests.count(*it) == 0) {
-      errors << "You forgot to list test " << *it << ".\n";
+    if (tests.count(it->first) == 0) {
+      errors << "You forgot to list test " << it->first << ".\n";
     }
   }
 
diff --git a/security/nss/gtests/google_test/gtest/src/gtest.cc b/security/nss/gtests/google_test/gtest/src/gtest.cc
index e4f3df3eae..96b07c68ab 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest.cc
@@ -26,12 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 
 #include "gtest/gtest.h"
+#include "gtest/internal/custom/gtest.h"
 #include "gtest/gtest-spi.h"
 
 #include <ctype.h>
@@ -54,7 +54,7 @@
 
 #if GTEST_OS_LINUX
 
-// TODO(kenton@google.com): Use autoconf to detect availability of
+// FIXME: Use autoconf to detect availability of
 // gettimeofday().
 # define GTEST_HAS_GETTIMEOFDAY_ 1
 
@@ -93,9 +93,9 @@
 
 # if GTEST_OS_WINDOWS_MINGW
 // MinGW has gettimeofday() but not _ftime64().
-// TODO(kenton@google.com): Use autoconf to detect availability of
+// FIXME: Use autoconf to detect availability of
 //   gettimeofday().
-// TODO(kenton@google.com): There are other ways to get the time on
+// FIXME: There are other ways to get the time on
 //   Windows, like GetTickCount() or GetSystemTimeAsFileTime().  MinGW
 //   supports these.  consider using them instead.
 #  define GTEST_HAS_GETTIMEOFDAY_ 1
@@ -110,7 +110,7 @@
 #else
 
 // Assume other platforms have gettimeofday().
-// TODO(kenton@google.com): Use autoconf to detect availability of
+// FIXME: Use autoconf to detect availability of
 //   gettimeofday().
 # define GTEST_HAS_GETTIMEOFDAY_ 1
 
@@ -128,21 +128,29 @@
 #if GTEST_CAN_STREAM_RESULTS_
 # include <arpa/inet.h>  // NOLINT
 # include <netdb.h>  // NOLINT
+# include <sys/socket.h>  // NOLINT
+# include <sys/types.h>  // NOLINT
 #endif
 
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 #if GTEST_OS_WINDOWS
 # define vsnprintf _vsnprintf
 #endif  // GTEST_OS_WINDOWS
 
+#if GTEST_OS_MAC
+#ifndef GTEST_OS_IOS
+#include <crt_externs.h>
+#endif
+#endif
+
+#if GTEST_HAS_ABSL
+#include "absl/debugging/failure_signal_handler.h"
+#include "absl/debugging/stacktrace.h"
+#include "absl/debugging/symbolize.h"
+#include "absl/strings/str_cat.h"
+#endif  // GTEST_HAS_ABSL
+
 namespace testing {
 
 using internal::CountIf;
@@ -164,8 +172,10 @@ static const char kDeathTestCaseFilter[] = "*DeathTest:*DeathTest/*";
 // A test filter that matches everything.
 static const char kUniversalFilter[] = "*";
 
-// The default output file for XML output.
-static const char kDefaultOutputFile[] = "test_detail.xml";
+// The default output format.
+static const char kDefaultOutputFormat[] = "xml";
+// The default output file.
+static const char kDefaultOutputFile[] = "test_detail";
 
 // The environment variable name for the test shard index.
 static const char kTestShardIndex[] = "GTEST_SHARD_INDEX";
@@ -184,9 +194,31 @@ const char kStackTraceMarker[] = "\nStack trace:\n";
 // specified on the command line.
 bool g_help_flag = false;
 
+// Utilty function to Open File for Writing
+static FILE* OpenFileForWriting(const std::string& output_file) {
+  FILE* fileout = NULL;
+  FilePath output_file_path(output_file);
+  FilePath output_dir(output_file_path.RemoveFileName());
+
+  if (output_dir.CreateDirectoriesRecursively()) {
+    fileout = posix::FOpen(output_file.c_str(), "w");
+  }
+  if (fileout == NULL) {
+    GTEST_LOG_(FATAL) << "Unable to open file \"" << output_file << "\"";
+  }
+  return fileout;
+}
+
 }  // namespace internal
 
+// Bazel passes in the argument to '--test_filter' via the TESTBRIDGE_TEST_ONLY
+// environment variable.
 static const char* GetDefaultFilter() {
+  const char* const testbridge_test_only =
+      internal::posix::GetEnv("TESTBRIDGE_TEST_ONLY");
+  if (testbridge_test_only != NULL) {
+    return testbridge_test_only;
+  }
   return kUniversalFilter;
 }
 
@@ -223,15 +255,28 @@ GTEST_DEFINE_string_(
     "exclude).  A test is run if it matches one of the positive "
     "patterns and does not match any of the negative patterns.");
 
+GTEST_DEFINE_bool_(
+    install_failure_signal_handler,
+    internal::BoolFromGTestEnv("install_failure_signal_handler", false),
+    "If true and supported on the current platform, " GTEST_NAME_ " should "
+    "install a signal handler that dumps debugging information when fatal "
+    "signals are raised.");
+
 GTEST_DEFINE_bool_(list_tests, false,
                    "List all tests without running them.");
 
+// The net priority order after flag processing is thus:
+//   --gtest_output command line flag
+//   GTEST_OUTPUT environment variable
+//   XML_OUTPUT_FILE environment variable
+//   ''
 GTEST_DEFINE_string_(
     output,
-    internal::StringFromGTestEnv("output", ""),
-    "A format (currently must be \"xml\"), optionally followed "
-    "by a colon and an output file name or directory. A directory "
-    "is indicated by a trailing pathname separator. "
+    internal::StringFromGTestEnv("output",
+      internal::OutputFlagAlsoCheckEnvVar().c_str()),
+    "A format (defaults to \"xml\" but can be specified to be \"json\"), "
+    "optionally followed by a colon and an output file name or directory. "
+    "A directory is indicated by a trailing pathname separator. "
     "Examples: \"xml:filename.xml\", \"xml::directoryname/\". "
     "If a directory is specified, output files will be created "
     "within that directory, with file-names based on the test "
@@ -244,6 +289,12 @@ GTEST_DEFINE_bool_(
     "True iff " GTEST_NAME_
     " should display elapsed time in text output.");
 
+GTEST_DEFINE_bool_(
+    print_utf8,
+    internal::BoolFromGTestEnv("print_utf8", true),
+    "True iff " GTEST_NAME_
+    " prints UTF8 characters as text.");
+
 GTEST_DEFINE_int32_(
     random_seed,
     internal::Int32FromGTestEnv("random_seed", 0),
@@ -285,7 +336,14 @@ GTEST_DEFINE_bool_(
     internal::BoolFromGTestEnv("throw_on_failure", false),
     "When this flag is specified, a failed assertion will throw an exception "
     "if exceptions are enabled or exit the program with a non-zero code "
-    "otherwise.");
+    "otherwise. For use with an external test framework.");
+
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+GTEST_DEFINE_string_(
+    flagfile,
+    internal::StringFromGTestEnv("flagfile", ""),
+    "This flag specifies the flagfile to read command-line flags from.");
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
 
 namespace internal {
 
@@ -294,7 +352,8 @@ namespace internal {
 // than kMaxRange.
 UInt32 Random::Generate(UInt32 range) {
   // These constants are the same as are used in glibc's rand(3).
-  state_ = (1103515245U*state_ + 12345U) % kMaxRange;
+  // Use wider types than necessary to prevent unsigned overflow diagnostics.
+  state_ = static_cast<UInt32>(1103515245ULL*state_ + 12345U) % kMaxRange;
 
   GTEST_CHECK_(range > 0)
       << "Cannot generate a number in the range [0, 0).";
@@ -311,13 +370,7 @@ UInt32 Random::Generate(UInt32 range) {
 // GTestIsInitialized() returns true iff the user has initialized
 // Google Test.  Useful for catching the user mistake of not initializing
 // Google Test before calling RUN_ALL_TESTS().
-//
-// A user must call testing::InitGoogleTest() to initialize Google
-// Test.  g_init_gtest_count is set to the number of times
-// InitGoogleTest() has been called.  We don't protect this variable
-// under a mutex as it is only accessed in the main thread.
-GTEST_API_ int g_init_gtest_count = 0;
-static bool GTestIsInitialized() { return g_init_gtest_count != 0; }
+static bool GTestIsInitialized() { return GetArgvs().size() > 0; }
 
 // Iterates over a vector of TestCases, keeping a running sum of the
 // results of calling a given int-returning method on each.
@@ -373,8 +426,19 @@ void AssertHelper::operator=(const Message& message) const {
 // Mutex for linked pointers.
 GTEST_API_ GTEST_DEFINE_STATIC_MUTEX_(g_linked_ptr_mutex);
 
-// Application pathname gotten in InitGoogleTest.
-std::string g_executable_path;
+// A copy of all command line arguments.  Set by InitGoogleTest().
+static ::std::vector<std::string> g_argvs;
+
+::std::vector<std::string> GetArgvs() {
+#if defined(GTEST_CUSTOM_GET_ARGVS_)
+  // GTEST_CUSTOM_GET_ARGVS_() may return a container of std::string or
+  // ::string. This code converts it to the appropriate type.
+  const auto& custom = GTEST_CUSTOM_GET_ARGVS_();
+  return ::std::vector<std::string>(custom.begin(), custom.end());
+#else   // defined(GTEST_CUSTOM_GET_ARGVS_)
+  return g_argvs;
+#endif  // defined(GTEST_CUSTOM_GET_ARGVS_)
+}
 
 // Returns the current application's name, removing directory path if that
 // is present.
@@ -382,9 +446,9 @@ FilePath GetCurrentExecutableName() {
   FilePath result;
 
 #if GTEST_OS_WINDOWS
-  result.Set(FilePath(g_executable_path).RemoveExtension("exe"));
+  result.Set(FilePath(GetArgvs()[0]).RemoveExtension("exe"));
 #else
-  result.Set(FilePath(g_executable_path));
+  result.Set(FilePath(GetArgvs()[0]));
 #endif  // GTEST_OS_WINDOWS
 
   return result.RemoveDirectoryName();
@@ -395,8 +459,6 @@ FilePath GetCurrentExecutableName() {
 // Returns the output format, or "" for normal printed output.
 std::string UnitTestOptions::GetOutputFormat() {
   const char* const gtest_output_flag = GTEST_FLAG(output).c_str();
-  if (gtest_output_flag == NULL) return std::string("");
-
   const char* const colon = strchr(gtest_output_flag, ':');
   return (colon == NULL) ?
       std::string(gtest_output_flag) :
@@ -407,19 +469,22 @@ std::string UnitTestOptions::GetOutputFormat() {
 // was explicitly specified.
 std::string UnitTestOptions::GetAbsolutePathToOutputFile() {
   const char* const gtest_output_flag = GTEST_FLAG(output).c_str();
-  if (gtest_output_flag == NULL)
-    return "";
+
+  std::string format = GetOutputFormat();
+  if (format.empty())
+    format = std::string(kDefaultOutputFormat);
 
   const char* const colon = strchr(gtest_output_flag, ':');
   if (colon == NULL)
-    return internal::FilePath::ConcatPaths(
+    return internal::FilePath::MakeFileName(
         internal::FilePath(
             UnitTest::GetInstance()->original_working_dir()),
-        internal::FilePath(kDefaultOutputFile)).string();
+        internal::FilePath(kDefaultOutputFile), 0,
+        format.c_str()).string();
 
   internal::FilePath output_name(colon + 1);
   if (!output_name.IsAbsolutePath())
-    // TODO(wan@google.com): on Windows \some\path is not an absolute
+    // FIXME: on Windows \some\path is not an absolute
     // path (as its meaning depends on the current drive), yet the
     // following logic for turning it into an absolute path is wrong.
     // Fix it.
@@ -610,12 +675,12 @@ extern const TypeId kTestTypeIdInGoogleTest = GetTestTypeId();
 // This predicate-formatter checks that 'results' contains a test part
 // failure of the given type and that the failure message contains the
 // given substring.
-AssertionResult HasOneFailure(const char* /* results_expr */,
-                              const char* /* type_expr */,
-                              const char* /* substr_expr */,
-                              const TestPartResultArray& results,
-                              TestPartResult::Type type,
-                              const string& substr) {
+static AssertionResult HasOneFailure(const char* /* results_expr */,
+                                     const char* /* type_expr */,
+                                     const char* /* substr_expr */,
+                                     const TestPartResultArray& results,
+                                     TestPartResult::Type type,
+                                     const std::string& substr) {
   const std::string expected(type == TestPartResult::kFatalFailure ?
                         "1 fatal failure" :
                         "1 non-fatal failure");
@@ -649,13 +714,10 @@ AssertionResult HasOneFailure(const char* /* results_expr */,
 // The constructor of SingleFailureChecker remembers where to look up
 // test part results, what type of failure we expect, and what
 // substring the failure message should contain.
-SingleFailureChecker:: SingleFailureChecker(
-    const TestPartResultArray* results,
-    TestPartResult::Type type,
-    const string& substr)
-    : results_(results),
-      type_(type),
-      substr_(substr) {}
+SingleFailureChecker::SingleFailureChecker(const TestPartResultArray* results,
+                                           TestPartResult::Type type,
+                                           const std::string& substr)
+    : results_(results), type_(type), substr_(substr) {}
 
 // The destructor of SingleFailureChecker verifies that the given
 // TestPartResultArray contains exactly one failure that has the given
@@ -776,8 +838,12 @@ int UnitTestImpl::test_to_run_count() const {
 // CurrentOsStackTraceExceptTop(1), Foo() will be included in the
 // trace but Bar() and CurrentOsStackTraceExceptTop() won't.
 std::string UnitTestImpl::CurrentOsStackTraceExceptTop(int skip_count) {
-  (void)skip_count;
-  return "";
+  return os_stack_trace_getter()->CurrentStackTrace(
+      static_cast<int>(GTEST_FLAG(stack_trace_depth)),
+      skip_count + 1
+      // Skips the user-specified number of frames plus this function
+      // itself.
+      );  // NOLINT
 }
 
 // Returns the current time in milliseconds.
@@ -792,7 +858,7 @@ TimeInMillis GetTimeInMillis() {
   SYSTEMTIME now_systime;
   FILETIME now_filetime;
   ULARGE_INTEGER now_int64;
-  // TODO(kenton@google.com): Shouldn't this just use
+  // FIXME: Shouldn't this just use
   //   GetSystemTimeAsFileTime()?
   GetSystemTime(&now_systime);
   if (SystemTimeToFileTime(&now_systime, &now_filetime)) {
@@ -808,11 +874,11 @@ TimeInMillis GetTimeInMillis() {
 
   // MSVC 8 deprecates _ftime64(), so we want to suppress warning 4996
   // (deprecated function) there.
-  // TODO(kenton@google.com): Use GetTickCount()?  Or use
+  // FIXME: Use GetTickCount()?  Or use
   //   SystemTimeToFileTime()
-  GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996)
+  GTEST_DISABLE_MSC_DEPRECATED_PUSH_()
   _ftime64(&now);
-  GTEST_DISABLE_MSC_WARNINGS_POP_()
+  GTEST_DISABLE_MSC_DEPRECATED_POP_()
 
   return static_cast<TimeInMillis>(now.time) * 1000 + now.millitm;
 #elif GTEST_HAS_GETTIMEOFDAY_
@@ -897,6 +963,23 @@ static void StreamWideCharsToMessage(const wchar_t* wstr, size_t length,
 
 #endif  // GTEST_HAS_STD_WSTRING || GTEST_HAS_GLOBAL_WSTRING
 
+void SplitString(const ::std::string& str, char delimiter,
+                 ::std::vector< ::std::string>* dest) {
+  ::std::vector< ::std::string> parsed;
+  ::std::string::size_type pos = 0;
+  while (::testing::internal::AlwaysTrue()) {
+    const ::std::string::size_type colon = str.find(delimiter, pos);
+    if (colon == ::std::string::npos) {
+      parsed.push_back(str.substr(pos));
+      break;
+    } else {
+      parsed.push_back(str.substr(pos, colon - pos));
+      pos = colon + 1;
+    }
+  }
+  dest->swap(parsed);
+}
+
 }  // namespace internal
 
 // Constructs an empty Message.
@@ -1132,7 +1215,7 @@ class Hunk {
   // Print a unified diff header for one hunk.
   // The format is
   //   "@@ -<left_start>,<left_length> +<right_start>,<right_length> @@"
-  // where the left/right parts are ommitted if unnecessary.
+  // where the left/right parts are omitted if unnecessary.
   void PrintHeader(std::ostream* ss) const {
     *ss << "@@ ";
     if (removes_) {
@@ -1262,41 +1345,42 @@ std::vector<std::string> SplitEscapedString(const std::string& str) {
 // and their values, as strings.  For example, for ASSERT_EQ(foo, bar)
 // where foo is 5 and bar is 6, we have:
 //
-//   expected_expression: "foo"
-//   actual_expression:   "bar"
-//   expected_value:      "5"
-//   actual_value:        "6"
+//   lhs_expression: "foo"
+//   rhs_expression: "bar"
+//   lhs_value:      "5"
+//   rhs_value:      "6"
 //
 // The ignoring_case parameter is true iff the assertion is a
-// *_STRCASEEQ*.  When it's true, the string " (ignoring case)" will
+// *_STRCASEEQ*.  When it's true, the string "Ignoring case" will
 // be inserted into the message.
-AssertionResult EqFailure(const char* expected_expression,
-                          const char* actual_expression,
-                          const std::string& expected_value,
-                          const std::string& actual_value,
+AssertionResult EqFailure(const char* lhs_expression,
+                          const char* rhs_expression,
+                          const std::string& lhs_value,
+                          const std::string& rhs_value,
                           bool ignoring_case) {
   Message msg;
-  msg << "Value of: " << actual_expression;
-  if (actual_value != actual_expression) {
-    msg << "\n  Actual: " << actual_value;
+  msg << "Expected equality of these values:";
+  msg << "\n  " << lhs_expression;
+  if (lhs_value != lhs_expression) {
+    msg << "\n    Which is: " << lhs_value;
+  }
+  msg << "\n  " << rhs_expression;
+  if (rhs_value != rhs_expression) {
+    msg << "\n    Which is: " << rhs_value;
   }
 
-  msg << "\nExpected: " << expected_expression;
   if (ignoring_case) {
-    msg << " (ignoring case)";
-  }
-  if (expected_value != expected_expression) {
-    msg << "\nWhich is: " << expected_value;
+    msg << "\nIgnoring case";
   }
 
-  if (!expected_value.empty() && !actual_value.empty()) {
-    const std::vector<std::string> expected_lines =
-        SplitEscapedString(expected_value);
-    const std::vector<std::string> actual_lines =
-        SplitEscapedString(actual_value);
-    if (expected_lines.size() > 1 || actual_lines.size() > 1) {
+  if (!lhs_value.empty() && !rhs_value.empty()) {
+    const std::vector<std::string> lhs_lines =
+        SplitEscapedString(lhs_value);
+    const std::vector<std::string> rhs_lines =
+        SplitEscapedString(rhs_value);
+    if (lhs_lines.size() > 1 || rhs_lines.size() > 1) {
       msg << "\nWith diff:\n"
-          << edit_distance::CreateUnifiedDiff(expected_lines, actual_lines);
+          << edit_distance::CreateUnifiedDiff(lhs_lines, rhs_lines);
     }
   }
 
@@ -1329,7 +1413,7 @@ AssertionResult DoubleNearPredFormat(const char* expr1,
   const double diff = fabs(val1 - val2);
   if (diff <= abs_error) return AssertionSuccess();
 
-  // TODO(wan): do not print the value of an expression if it's
+  // FIXME: do not print the value of an expression if it's
   // already a literal.
   return AssertionFailure()
       << "The difference between " << expr1 << " and " << expr2
@@ -1395,18 +1479,18 @@ namespace internal {
 
 // The helper function for {ASSERT|EXPECT}_EQ with int or enum
 // arguments.
-AssertionResult CmpHelperEQ(const char* expected_expression,
-                            const char* actual_expression,
-                            BiggestInt expected,
-                            BiggestInt actual) {
-  if (expected == actual) {
+AssertionResult CmpHelperEQ(const char* lhs_expression,
+                            const char* rhs_expression,
+                            BiggestInt lhs,
+                            BiggestInt rhs) {
+  if (lhs == rhs) {
     return AssertionSuccess();
   }
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   FormatForComparisonFailureMessage(expected, actual),
-                   FormatForComparisonFailureMessage(actual, expected),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   FormatForComparisonFailureMessage(lhs, rhs),
+                   FormatForComparisonFailureMessage(rhs, lhs),
                    false);
 }
 
@@ -1445,34 +1529,34 @@ GTEST_IMPL_CMP_HELPER_(GT, > )
 #undef GTEST_IMPL_CMP_HELPER_
 
 // The helper function for {ASSERT|EXPECT}_STREQ.
-AssertionResult CmpHelperSTREQ(const char* expected_expression,
-                               const char* actual_expression,
-                               const char* expected,
-                               const char* actual) {
-  if (String::CStringEquals(expected, actual)) {
+AssertionResult CmpHelperSTREQ(const char* lhs_expression,
+                               const char* rhs_expression,
+                               const char* lhs,
+                               const char* rhs) {
+  if (String::CStringEquals(lhs, rhs)) {
     return AssertionSuccess();
   }
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   PrintToString(expected),
-                   PrintToString(actual),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   PrintToString(lhs),
+                   PrintToString(rhs),
                    false);
 }
 
 // The helper function for {ASSERT|EXPECT}_STRCASEEQ.
-AssertionResult CmpHelperSTRCASEEQ(const char* expected_expression,
-                                   const char* actual_expression,
-                                   const char* expected,
-                                   const char* actual) {
-  if (String::CaseInsensitiveCStringEquals(expected, actual)) {
+AssertionResult CmpHelperSTRCASEEQ(const char* lhs_expression,
+                                   const char* rhs_expression,
+                                   const char* lhs,
+                                   const char* rhs) {
+  if (String::CaseInsensitiveCStringEquals(lhs, rhs)) {
     return AssertionSuccess();
   }
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   PrintToString(expected),
-                   PrintToString(actual),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   PrintToString(lhs),
+                   PrintToString(rhs),
                    true);
 }
 
@@ -1624,7 +1708,7 @@ namespace {
 AssertionResult HRESULTFailureHelper(const char* expr,
                                      const char* expected,
                                      long hr) {  // NOLINT
-# if GTEST_OS_WINDOWS_MOBILE
+# if GTEST_OS_WINDOWS_MOBILE || GTEST_OS_WINDOWS_TV_TITLE
 
   // Windows CE doesn't support FormatMessage.
   const char error_text[] = "";
@@ -1681,7 +1765,7 @@ AssertionResult IsHRESULTFailure(const char* expr, long hr) {  // NOLINT
 // Utility functions for encoding Unicode text (wide strings) in
 // UTF-8.
 
-// A Unicode code-point can have upto 21 bits, and is encoded in UTF-8
+// A Unicode code-point can have up to 21 bits, and is encoded in UTF-8
 // like this:
 //
 // Code-point length   Encoding
@@ -1745,7 +1829,7 @@ std::string CodePointToUtf8(UInt32 code_point) {
   return str;
 }
 
-// The following two functions only make sense if the the system
+// The following two functions only make sense if the system
 // uses UTF-16 for wide string encoding. All supported systems
 // with 16 bit wchar_t (Windows, Cygwin, Symbian OS) do use UTF-16.
 
@@ -1827,18 +1911,18 @@ bool String::WideCStringEquals(const wchar_t * lhs, const wchar_t * rhs) {
 }
 
 // Helper function for *_STREQ on wide strings.
-AssertionResult CmpHelperSTREQ(const char* expected_expression,
-                               const char* actual_expression,
-                               const wchar_t* expected,
-                               const wchar_t* actual) {
-  if (String::WideCStringEquals(expected, actual)) {
+AssertionResult CmpHelperSTREQ(const char* lhs_expression,
+                               const char* rhs_expression,
+                               const wchar_t* lhs,
+                               const wchar_t* rhs) {
+  if (String::WideCStringEquals(lhs, rhs)) {
     return AssertionSuccess();
   }
 
-  return EqFailure(expected_expression,
-                   actual_expression,
-                   PrintToString(expected),
-                   PrintToString(actual),
+  return EqFailure(lhs_expression,
+                   rhs_expression,
+                   PrintToString(lhs),
+                   PrintToString(rhs),
                    false);
 }
 
@@ -2057,13 +2141,8 @@ static const char* const kReservedTestSuiteAttributes[] = {
 
 // The list of reserved attributes used in the <testcase> element of XML output.
 static const char* const kReservedTestCaseAttributes[] = {
-  "classname",
-  "name",
-  "status",
-  "time",
-  "type_param",
-  "value_param"
-};
+    "classname",  "name",        "status", "time",
+    "type_param", "value_param", "file",   "line"};
 
 template <int kSize>
 std::vector<std::string> ArrayAsVector(const char* const (&array)[kSize]) {
@@ -2099,8 +2178,9 @@ static std::string FormatWordList(const std::vector<std::string>& words) {
   return word_list.GetString();
 }
 
-bool ValidateTestPropertyName(const std::string& property_name,
-                              const std::vector<std::string>& reserved_names) {
+static bool ValidateTestPropertyName(
+    const std::string& property_name,
+    const std::vector<std::string>& reserved_names) {
   if (std::find(reserved_names.begin(), reserved_names.end(), property_name) !=
           reserved_names.end()) {
     ADD_FAILURE() << "Reserved key used in RecordProperty(): " << property_name
@@ -2171,14 +2251,15 @@ int TestResult::test_property_count() const {
 
 // Creates a Test object.
 
-// The c'tor saves the values of all Google Test flags.
+// The c'tor saves the states of all flags.
 Test::Test()
-    : gtest_flag_saver_(new internal::GTestFlagSaver) {
+    : gtest_flag_saver_(new GTEST_FLAG_SAVER_) {
 }
 
-// The d'tor restores the values of all Google Test flags.
+// The d'tor restores the states of all flags.  The actual work is
+// done by the d'tor of the gtest_flag_saver_ field, and thus not
+// visible here.
 Test::~Test() {
-  delete gtest_flag_saver_;
 }
 
 // Sets up the test fixture.
@@ -2396,6 +2477,8 @@ Result HandleExceptionsInMethodIfSupported(
 #if GTEST_HAS_EXCEPTIONS
     try {
       return HandleSehExceptionsInMethodIfSupported(object, method, location);
+    } catch (const AssertionException&) {  // NOLINT
+      // This failure was reported already.
     } catch (const internal::GoogleTestFailureException&) {  // NOLINT
       // This exception type can only be thrown by a failed Google
       // Test assertion with the intention of letting another testing
@@ -2462,12 +2545,14 @@ TestInfo::TestInfo(const std::string& a_test_case_name,
                    const std::string& a_name,
                    const char* a_type_param,
                    const char* a_value_param,
+                   internal::CodeLocation a_code_location,
                    internal::TypeId fixture_class_id,
                    internal::TestFactoryBase* factory)
     : test_case_name_(a_test_case_name),
       name_(a_name),
       type_param_(a_type_param ? new std::string(a_type_param) : NULL),
       value_param_(a_value_param ? new std::string(a_value_param) : NULL),
+      location_(a_code_location),
       fixture_class_id_(fixture_class_id),
       should_run_(false),
       is_disabled_(false),
@@ -2491,6 +2576,7 @@ namespace internal {
 //                     this is not a typed or a type-parameterized test.
 //   value_param:      text representation of the test's value parameter,
 //                     or NULL if this is not a value-parameterized test.
+//   code_location:    code location where the test is defined
 //   fixture_class_id: ID of the test fixture class
 //   set_up_tc:        pointer to the function that sets up the test case
 //   tear_down_tc:     pointer to the function that tears down the test case
@@ -2502,20 +2588,20 @@ TestInfo* MakeAndRegisterTestInfo(
     const char* name,
     const char* type_param,
     const char* value_param,
+    CodeLocation code_location,
     TypeId fixture_class_id,
     SetUpTestCaseFunc set_up_tc,
     TearDownTestCaseFunc tear_down_tc,
     TestFactoryBase* factory) {
   TestInfo* const test_info =
       new TestInfo(test_case_name, name, type_param, value_param,
-                   fixture_class_id, factory);
+                   code_location, fixture_class_id, factory);
   GetUnitTestImpl()->AddTestInfo(set_up_tc, tear_down_tc, test_info);
   return test_info;
 }
 
-#if GTEST_HAS_PARAM_TEST
 void ReportInvalidTestCaseType(const char* test_case_name,
-                               const char* file, int line) {
+                               CodeLocation code_location) {
   Message errors;
   errors
       << "Attempted redefinition of test case " << test_case_name << ".\n"
@@ -2527,11 +2613,10 @@ void ReportInvalidTestCaseType(const char* test_case_name,
       << "probably rename one of the classes to put the tests into different\n"
       << "test cases.";
 
-  fprintf(stderr, "%s %s", FormatFileLocation(file, line).c_str(),
-          errors.GetString().c_str());
+  GTEST_LOG_(ERROR) << FormatFileLocation(code_location.file.c_str(),
+                                          code_location.line)
+                    << " " << errors.GetString();
 }
-#endif  // GTEST_HAS_PARAM_TEST
-
 }  // namespace internal
 
 namespace {
@@ -2569,12 +2654,10 @@ namespace internal {
 // and INSTANTIATE_TEST_CASE_P into regular tests and registers those.
 // This will be done just once during the program runtime.
 void UnitTestImpl::RegisterParameterizedTests() {
-#if GTEST_HAS_PARAM_TEST
   if (!parameterized_tests_registered_) {
     parameterized_test_registry_.RegisterTests();
     parameterized_tests_registered_ = true;
   }
-#endif
 }
 
 }  // namespace internal
@@ -2602,18 +2685,18 @@ void TestInfo::Run() {
       factory_, &internal::TestFactoryBase::CreateTest,
       "the test fixture's constructor");
 
-  // Runs the test only if the test object was created and its
-  // constructor didn't generate a fatal failure.
-  if ((test != NULL) && !Test::HasFatalFailure()) {
+  // Runs the test if the constructor didn't generate a fatal failure.
+  // Note that the object will not be null
+  if (!Test::HasFatalFailure()) {
     // This doesn't throw as all user code that can throw are wrapped into
     // exception handling code.
     test->Run();
   }
 
-  // Deletes the test object.
-  impl->os_stack_trace_getter()->UponLeavingGTest();
-  internal::HandleExceptionsInMethodIfSupported(
-      test, &Test::DeleteSelf_, "the test fixture's destructor");
+    // Deletes the test object.
+    impl->os_stack_trace_getter()->UponLeavingGTest();
+    internal::HandleExceptionsInMethodIfSupported(
+        test, &Test::DeleteSelf_, "the test fixture's destructor");
 
   result_.set_elapsed_time(internal::GetTimeInMillis() - start);
 
@@ -2839,10 +2922,10 @@ enum GTestColor {
 };
 
 #if GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_MOBILE && \
-    !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT
+    !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT && !GTEST_OS_WINDOWS_MINGW
 
 // Returns the character attribute for the given color.
-WORD GetColorAttribute(GTestColor color) {
+static WORD GetColorAttribute(GTestColor color) {
   switch (color) {
     case COLOR_RED:    return FOREGROUND_RED;
     case COLOR_GREEN:  return FOREGROUND_GREEN;
@@ -2851,11 +2934,42 @@ WORD GetColorAttribute(GTestColor color) {
   }
 }
 
+static int GetBitOffset(WORD color_mask) {
+  if (color_mask == 0) return 0;
+
+  int bitOffset = 0;
+  while ((color_mask & 1) == 0) {
+    color_mask >>= 1;
+    ++bitOffset;
+  }
+  return bitOffset;
+}
+
+static WORD GetNewColor(GTestColor color, WORD old_color_attrs) {
+  // Let's reuse the BG
+  static const WORD background_mask = BACKGROUND_BLUE | BACKGROUND_GREEN |
+                                      BACKGROUND_RED | BACKGROUND_INTENSITY;
+  static const WORD foreground_mask = FOREGROUND_BLUE | FOREGROUND_GREEN |
+                                      FOREGROUND_RED | FOREGROUND_INTENSITY;
+  const WORD existing_bg = old_color_attrs & background_mask;
+
+  WORD new_color =
+      GetColorAttribute(color) | existing_bg | FOREGROUND_INTENSITY;
+  static const int bg_bitOffset = GetBitOffset(background_mask);
+  static const int fg_bitOffset = GetBitOffset(foreground_mask);
+
+  if (((new_color & background_mask) >> bg_bitOffset) ==
+      ((new_color & foreground_mask) >> fg_bitOffset)) {
+    new_color ^= FOREGROUND_INTENSITY;  // invert intensity
+  }
+  return new_color;
+}
+
 #else
 
 // Returns the ANSI color code for the given color.  COLOR_DEFAULT is
 // an invalid input.
-const char* GetAnsiColorCode(GTestColor color) {
+static const char* GetAnsiColorCode(GTestColor color) {
   switch (color) {
     case COLOR_RED:     return "1";
     case COLOR_GREEN:   return "2";
@@ -2871,7 +2985,7 @@ bool ShouldUseColor(bool stdout_is_tty) {
   const char* const gtest_color = GTEST_FLAG(color).c_str();
 
   if (String::CaseInsensitiveCStringEquals(gtest_color, "auto")) {
-#if GTEST_OS_WINDOWS
+#if GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_MINGW
     // On Windows the TERM variable is usually not set, but the
     // console there does support colors.
     return stdout_is_tty;
@@ -2884,6 +2998,10 @@ bool ShouldUseColor(bool stdout_is_tty) {
         String::CStringEquals(term, "xterm-256color") ||
         String::CStringEquals(term, "screen") ||
         String::CStringEquals(term, "screen-256color") ||
+        String::CStringEquals(term, "tmux") ||
+        String::CStringEquals(term, "tmux-256color") ||
+        String::CStringEquals(term, "rxvt-unicode") ||
+        String::CStringEquals(term, "rxvt-unicode-256color") ||
         String::CStringEquals(term, "linux") ||
         String::CStringEquals(term, "cygwin");
     return stdout_is_tty && term_supports_color;
@@ -2903,13 +3021,13 @@ bool ShouldUseColor(bool stdout_is_tty) {
 // cannot simply emit special characters and have the terminal change colors.
 // This routine must actually emit the characters rather than return a string
 // that would be colored when printed, as can be done on Linux.
-void ColoredPrintf(GTestColor color, const char* fmt, ...) {
+static void ColoredPrintf(GTestColor color, const char* fmt, ...) {
   va_list args;
   va_start(args, fmt);
 
 #if GTEST_OS_WINDOWS_MOBILE || GTEST_OS_SYMBIAN || GTEST_OS_ZOS || \
     GTEST_OS_IOS || GTEST_OS_WINDOWS_PHONE || GTEST_OS_WINDOWS_RT
-  const bool use_color = false;
+  const bool use_color = AlwaysFalse();
 #else
   static const bool in_color_mode =
       ShouldUseColor(posix::IsATTY(posix::FileNo(stdout)) != 0);
@@ -2924,20 +3042,21 @@ void ColoredPrintf(GTestColor color, const char* fmt, ...) {
   }
 
 #if GTEST_OS_WINDOWS && !GTEST_OS_WINDOWS_MOBILE && \
-    !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT
+    !GTEST_OS_WINDOWS_PHONE && !GTEST_OS_WINDOWS_RT && !GTEST_OS_WINDOWS_MINGW
   const HANDLE stdout_handle = GetStdHandle(STD_OUTPUT_HANDLE);
 
   // Gets the current text color.
   CONSOLE_SCREEN_BUFFER_INFO buffer_info;
   GetConsoleScreenBufferInfo(stdout_handle, &buffer_info);
   const WORD old_color_attrs = buffer_info.wAttributes;
+  const WORD new_color = GetNewColor(color, old_color_attrs);
 
   // We need to flush the stream buffers into the console before each
   // SetConsoleTextAttribute call lest it affect the text that is already
   // printed but has not yet reached the console.
   fflush(stdout);
-  SetConsoleTextAttribute(stdout_handle,
-                          GetColorAttribute(color) | FOREGROUND_INTENSITY);
+  SetConsoleTextAttribute(stdout_handle, new_color);
+
   vprintf(fmt, args);
 
   fflush(stdout);
@@ -2951,12 +3070,12 @@ void ColoredPrintf(GTestColor color, const char* fmt, ...) {
   va_end(args);
 }
 
-// Text printed in Google Test's text output and --gunit_list_tests
+// Text printed in Google Test's text output and --gtest_list_tests
 // output to label the type parameter and value parameter for a test.
 static const char kTypeParamLabel[] = "TypeParam";
 static const char kValueParamLabel[] = "GetParam()";
 
-void PrintFullTestCommentIfPresent(const TestInfo& test_info) {
+static void PrintFullTestCommentIfPresent(const TestInfo& test_info) {
   const char* const type_param = test_info.type_param();
   const char* const value_param = test_info.value_param();
 
@@ -3227,7 +3346,7 @@ void TestEventRepeater::Append(TestEventListener *listener) {
   listeners_.push_back(listener);
 }
 
-// TODO(vladl@google.com): Factor the search functionality into Vector::Find.
+// FIXME: Factor the search functionality into Vector::Find.
 TestEventListener* TestEventRepeater::Release(TestEventListener *listener) {
   for (size_t i = 0; i < listeners_.size(); ++i) {
     if (listeners_[i] == listener) {
@@ -3301,6 +3420,11 @@ class XmlUnitTestResultPrinter : public EmptyTestEventListener {
   explicit XmlUnitTestResultPrinter(const char* output_file);
 
   virtual void OnTestIterationEnd(const UnitTest& unit_test, int iteration);
+  void ListTestsMatchingFilter(const std::vector<TestCase*>& test_cases);
+
+  // Prints an XML summary of all unit tests.
+  static void PrintXmlTestsList(std::ostream* stream,
+                                const std::vector<TestCase*>& test_cases);
 
  private:
   // Is c a whitespace character that is normalized to a space character
@@ -3362,6 +3486,11 @@ class XmlUnitTestResultPrinter : public EmptyTestEventListener {
   // to delimit this attribute from prior attributes.
   static std::string TestPropertiesAsXmlAttributes(const TestResult& result);
 
+  // Streams an XML representation of the test properties of a TestResult
+  // object.
+  static void OutputXmlTestProperties(std::ostream* stream,
+                                      const TestResult& result);
+
   // The output file.
   const std::string output_file_;
 
@@ -3371,46 +3500,30 @@ class XmlUnitTestResultPrinter : public EmptyTestEventListener {
 // Creates a new XmlUnitTestResultPrinter.
 XmlUnitTestResultPrinter::XmlUnitTestResultPrinter(const char* output_file)
     : output_file_(output_file) {
-  if (output_file_.c_str() == NULL || output_file_.empty()) {
-    fprintf(stderr, "XML output file may not be null\n");
-    fflush(stderr);
-    exit(EXIT_FAILURE);
+  if (output_file_.empty()) {
+    GTEST_LOG_(FATAL) << "XML output file may not be null";
   }
 }
 
 // Called after the unit test ends.
 void XmlUnitTestResultPrinter::OnTestIterationEnd(const UnitTest& unit_test,
                                                   int /*iteration*/) {
-  FILE* xmlout = NULL;
-  FilePath output_file(output_file_);
-  FilePath output_dir(output_file.RemoveFileName());
-
-  if (output_dir.CreateDirectoriesRecursively()) {
-    xmlout = posix::FOpen(output_file_.c_str(), "w");
-  }
-  if (xmlout == NULL) {
-    // TODO(wan): report the reason of the failure.
-    //
-    // We don't do it for now as:
-    //
-    //   1. There is no urgent need for it.
-    //   2. It's a bit involved to make the errno variable thread-safe on
-    //      all three operating systems (Linux, Windows, and Mac OS).
-    //   3. To interpret the meaning of errno in a thread-safe way,
-    //      we need the strerror_r() function, which is not available on
-    //      Windows.
-    fprintf(stderr,
-            "Unable to open file \"%s\"\n",
-            output_file_.c_str());
-    fflush(stderr);
-    exit(EXIT_FAILURE);
-  }
+  FILE* xmlout = OpenFileForWriting(output_file_);
   std::stringstream stream;
   PrintXmlUnitTest(&stream, unit_test);
   fprintf(xmlout, "%s", StringStreamToString(&stream).c_str());
   fclose(xmlout);
 }
 
+void XmlUnitTestResultPrinter::ListTestsMatchingFilter(
+    const std::vector<TestCase*>& test_cases) {
+  FILE* xmlout = OpenFileForWriting(output_file_);
+  std::stringstream stream;
+  PrintXmlTestsList(&stream, test_cases);
+  fprintf(xmlout, "%s", StringStreamToString(&stream).c_str());
+  fclose(xmlout);
+}
+
 // Returns an XML-escaped copy of the input string str.  If is_attribute
 // is true, the text is meant to appear as an attribute value, and
 // normalizable whitespace is preserved by replacing it with character
@@ -3421,7 +3534,7 @@ void XmlUnitTestResultPrinter::OnTestIterationEnd(const UnitTest& unit_test,
 // module will consist of ordinary English text.
 // If this module is ever modified to produce version 1.1 XML output,
 // most invalid characters can be retained using character references.
-// TODO(wan): It might be nice to have a minimally invasive, human-readable
+// FIXME: It might be nice to have a minimally invasive, human-readable
 // escaping scheme for invalid characters, rather than dropping them.
 std::string XmlUnitTestResultPrinter::EscapeXml(
     const std::string& str, bool is_attribute) {
@@ -3482,6 +3595,7 @@ std::string XmlUnitTestResultPrinter::RemoveInvalidXmlCharacters(
 
 // The following routines generate an XML representation of a UnitTest
 // object.
+// GOOGLETEST_CM0009 DO NOT DELETE
 //
 // This is how Google Test concepts map to the DTD:
 //
@@ -3499,23 +3613,32 @@ std::string XmlUnitTestResultPrinter::RemoveInvalidXmlCharacters(
 // Formats the given time in milliseconds as seconds.
 std::string FormatTimeInMillisAsSeconds(TimeInMillis ms) {
   ::std::stringstream ss;
-  ss << ms/1000.0;
+  ss << (static_cast<double>(ms) * 1e-3);
   return ss.str();
 }
 
+static bool PortableLocaltime(time_t seconds, struct tm* out) {
+#if defined(_MSC_VER)
+  return localtime_s(out, &seconds) == 0;
+#elif defined(__MINGW32__) || defined(__MINGW64__)
+  // MINGW <time.h> provides neither localtime_r nor localtime_s, but uses
+  // Windows' localtime(), which has a thread-local tm buffer.
+  struct tm* tm_ptr = localtime(&seconds);  // NOLINT
+  if (tm_ptr == NULL)
+    return false;
+  *out = *tm_ptr;
+  return true;
+#else
+  return localtime_r(&seconds, out) != NULL;
+#endif
+}
+
 // Converts the given epoch time in milliseconds to a date string in the ISO
 // 8601 format, without the timezone information.
 std::string FormatEpochTimeInMillisAsIso8601(TimeInMillis ms) {
-  time_t seconds = static_cast<time_t>(ms / 1000);
   struct tm time_struct;
-#ifdef _MSC_VER
-  if (localtime_s(&time_struct, &seconds) != 0)
-    return "";  // Invalid ms value
-#else
-  if (localtime_r(&seconds, &time_struct) == NULL)
-    return "";  // Invalid ms value
-#endif
-
+  if (!PortableLocaltime(static_cast<time_t>(ms / 1000), &time_struct))
+    return "";
   // YYYY-MM-DDThh:mm:ss
   return StreamableToString(time_struct.tm_year + 1900) + "-" +
       String::FormatIntWidth2(time_struct.tm_mon + 1) + "-" +
@@ -3562,13 +3685,17 @@ void XmlUnitTestResultPrinter::OutputXmlAttribute(
 }
 
 // Prints an XML representation of a TestInfo object.
-// TODO(wan): There is also value in printing properties with the plain printer.
+// FIXME: There is also value in printing properties with the plain printer.
 void XmlUnitTestResultPrinter::OutputXmlTestInfo(::std::ostream* stream,
                                                  const char* test_case_name,
                                                  const TestInfo& test_info) {
   const TestResult& result = *test_info.result();
   const std::string kTestcase = "testcase";
 
+  if (test_info.is_in_another_shard()) {
+    return;
+  }
+
   *stream << "    <testcase";
   OutputXmlAttribute(stream, kTestcase, "name", test_info.name());
 
@@ -3579,13 +3706,19 @@ void XmlUnitTestResultPrinter::OutputXmlTestInfo(::std::ostream* stream,
   if (test_info.type_param() != NULL) {
     OutputXmlAttribute(stream, kTestcase, "type_param", test_info.type_param());
   }
+  if (GTEST_FLAG(list_tests)) {
+    OutputXmlAttribute(stream, kTestcase, "file", test_info.file());
+    OutputXmlAttribute(stream, kTestcase, "line",
+                       StreamableToString(test_info.line()));
+    *stream << " />\n";
+    return;
+  }
 
   OutputXmlAttribute(stream, kTestcase, "status",
                      test_info.should_run() ? "run" : "notrun");
   OutputXmlAttribute(stream, kTestcase, "time",
                      FormatTimeInMillisAsSeconds(result.elapsed_time()));
   OutputXmlAttribute(stream, kTestcase, "classname", test_case_name);
-  *stream << TestPropertiesAsXmlAttributes(result);
 
   int failures = 0;
   for (int i = 0; i < result.total_part_count(); ++i) {
@@ -3594,22 +3727,28 @@ void XmlUnitTestResultPrinter::OutputXmlTestInfo(::std::ostream* stream,
       if (++failures == 1) {
         *stream << ">\n";
       }
-      const string location = internal::FormatCompilerIndependentFileLocation(
-          part.file_name(), part.line_number());
-      const string summary = location + "\n" + part.summary();
+      const std::string location =
+          internal::FormatCompilerIndependentFileLocation(part.file_name(),
+                                                          part.line_number());
+      const std::string summary = location + "\n" + part.summary();
       *stream << "      <failure message=\""
               << EscapeXmlAttribute(summary.c_str())
               << "\" type=\"\">";
-      const string detail = location + "\n" + part.message();
+      const std::string detail = location + "\n" + part.message();
       OutputXmlCDataSection(stream, RemoveInvalidXmlCharacters(detail).c_str());
       *stream << "</failure>\n";
     }
   }
 
-  if (failures == 0)
+  if (failures == 0 && result.test_property_count() == 0) {
     *stream << " />\n";
-  else
+  } else {
+    if (failures == 0) {
+      *stream << ">\n";
+    }
+    OutputXmlTestProperties(stream, result);
     *stream << "    </testcase>\n";
+  }
 }
 
 // Prints an XML representation of a TestCase object
@@ -3620,17 +3759,18 @@ void XmlUnitTestResultPrinter::PrintXmlTestCase(std::ostream* stream,
   OutputXmlAttribute(stream, kTestsuite, "name", test_case.name());
   OutputXmlAttribute(stream, kTestsuite, "tests",
                      StreamableToString(test_case.reportable_test_count()));
-  OutputXmlAttribute(stream, kTestsuite, "failures",
-                     StreamableToString(test_case.failed_test_count()));
-  OutputXmlAttribute(
-      stream, kTestsuite, "disabled",
-      StreamableToString(test_case.reportable_disabled_test_count()));
-  OutputXmlAttribute(stream, kTestsuite, "errors", "0");
-  OutputXmlAttribute(stream, kTestsuite, "time",
-                     FormatTimeInMillisAsSeconds(test_case.elapsed_time()));
-  *stream << TestPropertiesAsXmlAttributes(test_case.ad_hoc_test_result())
-          << ">\n";
-
+  if (!GTEST_FLAG(list_tests)) {
+    OutputXmlAttribute(stream, kTestsuite, "failures",
+                       StreamableToString(test_case.failed_test_count()));
+    OutputXmlAttribute(
+        stream, kTestsuite, "disabled",
+        StreamableToString(test_case.reportable_disabled_test_count()));
+    OutputXmlAttribute(stream, kTestsuite, "errors", "0");
+    OutputXmlAttribute(stream, kTestsuite, "time",
+                       FormatTimeInMillisAsSeconds(test_case.elapsed_time()));
+    *stream << TestPropertiesAsXmlAttributes(test_case.ad_hoc_test_result());
+  }
+  *stream << ">\n";
   for (int i = 0; i < test_case.total_test_count(); ++i) {
     if (test_case.GetTestInfo(i)->is_reportable())
       OutputXmlTestInfo(stream, test_case.name(), *test_case.GetTestInfo(i));
@@ -3664,7 +3804,6 @@ void XmlUnitTestResultPrinter::PrintXmlUnitTest(std::ostream* stream,
     OutputXmlAttribute(stream, kTestsuites, "random_seed",
                        StreamableToString(unit_test.random_seed()));
   }
-
   *stream << TestPropertiesAsXmlAttributes(unit_test.ad_hoc_test_result());
 
   OutputXmlAttribute(stream, kTestsuites, "name", "AllTests");
@@ -3677,6 +3816,28 @@ void XmlUnitTestResultPrinter::PrintXmlUnitTest(std::ostream* stream,
   *stream << "</" << kTestsuites << ">\n";
 }
 
+void XmlUnitTestResultPrinter::PrintXmlTestsList(
+    std::ostream* stream, const std::vector<TestCase*>& test_cases) {
+  const std::string kTestsuites = "testsuites";
+
+  *stream << "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
+  *stream << "<" << kTestsuites;
+
+  int total_tests = 0;
+  for (size_t i = 0; i < test_cases.size(); ++i) {
+    total_tests += test_cases[i]->total_test_count();
+  }
+  OutputXmlAttribute(stream, kTestsuites, "tests",
+                     StreamableToString(total_tests));
+  OutputXmlAttribute(stream, kTestsuites, "name", "AllTests");
+  *stream << ">\n";
+
+  for (size_t i = 0; i < test_cases.size(); ++i) {
+    PrintXmlTestCase(stream, *test_cases[i]);
+  }
+  *stream << "</" << kTestsuites << ">\n";
+}
+
 // Produces a string representing the test properties in a result as space
 // delimited XML attributes based on the property key="value" pairs.
 std::string XmlUnitTestResultPrinter::TestPropertiesAsXmlAttributes(
@@ -3690,8 +3851,390 @@ std::string XmlUnitTestResultPrinter::TestPropertiesAsXmlAttributes(
   return attributes.GetString();
 }
 
+void XmlUnitTestResultPrinter::OutputXmlTestProperties(
+    std::ostream* stream, const TestResult& result) {
+  const std::string kProperties = "properties";
+  const std::string kProperty = "property";
+
+  if (result.test_property_count() <= 0) {
+    return;
+  }
+
+  *stream << "<" << kProperties << ">\n";
+  for (int i = 0; i < result.test_property_count(); ++i) {
+    const TestProperty& property = result.GetTestProperty(i);
+    *stream << "<" << kProperty;
+    *stream << " name=\"" << EscapeXmlAttribute(property.key()) << "\"";
+    *stream << " value=\"" << EscapeXmlAttribute(property.value()) << "\"";
+    *stream << "/>\n";
+  }
+  *stream << "</" << kProperties << ">\n";
+}
+
 // End XmlUnitTestResultPrinter
 
+// This class generates an JSON output file.
+class JsonUnitTestResultPrinter : public EmptyTestEventListener {
+ public:
+  explicit JsonUnitTestResultPrinter(const char* output_file);
+
+  virtual void OnTestIterationEnd(const UnitTest& unit_test, int iteration);
+
+  // Prints an JSON summary of all unit tests.
+  static void PrintJsonTestList(::std::ostream* stream,
+                                const std::vector<TestCase*>& test_cases);
+
+ private:
+  // Returns an JSON-escaped copy of the input string str.
+  static std::string EscapeJson(const std::string& str);
+
+  //// Verifies that the given attribute belongs to the given element and
+  //// streams the attribute as JSON.
+  static void OutputJsonKey(std::ostream* stream,
+                            const std::string& element_name,
+                            const std::string& name,
+                            const std::string& value,
+                            const std::string& indent,
+                            bool comma = true);
+  static void OutputJsonKey(std::ostream* stream,
+                            const std::string& element_name,
+                            const std::string& name,
+                            int value,
+                            const std::string& indent,
+                            bool comma = true);
+
+  // Streams a JSON representation of a TestInfo object.
+  static void OutputJsonTestInfo(::std::ostream* stream,
+                                 const char* test_case_name,
+                                 const TestInfo& test_info);
+
+  // Prints a JSON representation of a TestCase object
+  static void PrintJsonTestCase(::std::ostream* stream,
+                                const TestCase& test_case);
+
+  // Prints a JSON summary of unit_test to output stream out.
+  static void PrintJsonUnitTest(::std::ostream* stream,
+                                const UnitTest& unit_test);
+
+  // Produces a string representing the test properties in a result as
+  // a JSON dictionary.
+  static std::string TestPropertiesAsJson(const TestResult& result,
+                                          const std::string& indent);
+
+  // The output file.
+  const std::string output_file_;
+
+  GTEST_DISALLOW_COPY_AND_ASSIGN_(JsonUnitTestResultPrinter);
+};
+
+// Creates a new JsonUnitTestResultPrinter.
+JsonUnitTestResultPrinter::JsonUnitTestResultPrinter(const char* output_file)
+    : output_file_(output_file) {
+  if (output_file_.empty()) {
+    GTEST_LOG_(FATAL) << "JSON output file may not be null";
+  }
+}
+
+void JsonUnitTestResultPrinter::OnTestIterationEnd(const UnitTest& unit_test,
+                                                  int /*iteration*/) {
+  FILE* jsonout = OpenFileForWriting(output_file_);
+  std::stringstream stream;
+  PrintJsonUnitTest(&stream, unit_test);
+  fprintf(jsonout, "%s", StringStreamToString(&stream).c_str());
+  fclose(jsonout);
+}
+
+// Returns an JSON-escaped copy of the input string str.
+std::string JsonUnitTestResultPrinter::EscapeJson(const std::string& str) {
+  Message m;
+
+  for (size_t i = 0; i < str.size(); ++i) {
+    const char ch = str[i];
+    switch (ch) {
+      case '\\':
+      case '"':
+      case '/':
+        m << '\\' << ch;
+        break;
+      case '\b':
+        m << "\\b";
+        break;
+      case '\t':
+        m << "\\t";
+        break;
+      case '\n':
+        m << "\\n";
+        break;
+      case '\f':
+        m << "\\f";
+        break;
+      case '\r':
+        m << "\\r";
+        break;
+      default:
+        if (ch < ' ') {
+          m << "\\u00" << String::FormatByte(static_cast<unsigned char>(ch));
+        } else {
+          m << ch;
+        }
+        break;
+    }
+  }
+
+  return m.GetString();
+}
+
+// The following routines generate an JSON representation of a UnitTest
+// object.
+
+// Formats the given time in milliseconds as seconds.
+static std::string FormatTimeInMillisAsDuration(TimeInMillis ms) {
+  ::std::stringstream ss;
+  ss << (static_cast<double>(ms) * 1e-3) << "s";
+  return ss.str();
+}
+
+// Converts the given epoch time in milliseconds to a date string in the
+// RFC3339 format, without the timezone information.
+static std::string FormatEpochTimeInMillisAsRFC3339(TimeInMillis ms) {
+  struct tm time_struct;
+  if (!PortableLocaltime(static_cast<time_t>(ms / 1000), &time_struct))
+    return "";
+  // YYYY-MM-DDThh:mm:ss
+  return StreamableToString(time_struct.tm_year + 1900) + "-" +
+      String::FormatIntWidth2(time_struct.tm_mon + 1) + "-" +
+      String::FormatIntWidth2(time_struct.tm_mday) + "T" +
+      String::FormatIntWidth2(time_struct.tm_hour) + ":" +
+      String::FormatIntWidth2(time_struct.tm_min) + ":" +
+      String::FormatIntWidth2(time_struct.tm_sec) + "Z";
+}
+
+static inline std::string Indent(int width) {
+  return std::string(width, ' ');
+}
+
+void JsonUnitTestResultPrinter::OutputJsonKey(
+    std::ostream* stream,
+    const std::string& element_name,
+    const std::string& name,
+    const std::string& value,
+    const std::string& indent,
+    bool comma) {
+  const std::vector<std::string>& allowed_names =
+      GetReservedAttributesForElement(element_name);
+
+  GTEST_CHECK_(std::find(allowed_names.begin(), allowed_names.end(), name) !=
+                   allowed_names.end())
+      << "Key \"" << name << "\" is not allowed for value \"" << element_name
+      << "\".";
+
+  *stream << indent << "\"" << name << "\": \"" << EscapeJson(value) << "\"";
+  if (comma)
+    *stream << ",\n";
+}
+
+void JsonUnitTestResultPrinter::OutputJsonKey(
+    std::ostream* stream,
+    const std::string& element_name,
+    const std::string& name,
+    int value,
+    const std::string& indent,
+    bool comma) {
+  const std::vector<std::string>& allowed_names =
+      GetReservedAttributesForElement(element_name);
+
+  GTEST_CHECK_(std::find(allowed_names.begin(), allowed_names.end(), name) !=
+                   allowed_names.end())
+      << "Key \"" << name << "\" is not allowed for value \"" << element_name
+      << "\".";
+
+  *stream << indent << "\"" << name << "\": " << StreamableToString(value);
+  if (comma)
+    *stream << ",\n";
+}
+
+// Prints a JSON representation of a TestInfo object.
+void JsonUnitTestResultPrinter::OutputJsonTestInfo(::std::ostream* stream,
+                                                   const char* test_case_name,
+                                                   const TestInfo& test_info) {
+  const TestResult& result = *test_info.result();
+  const std::string kTestcase = "testcase";
+  const std::string kIndent = Indent(10);
+
+  *stream << Indent(8) << "{\n";
+  OutputJsonKey(stream, kTestcase, "name", test_info.name(), kIndent);
+
+  if (test_info.value_param() != NULL) {
+    OutputJsonKey(stream, kTestcase, "value_param",
+                  test_info.value_param(), kIndent);
+  }
+  if (test_info.type_param() != NULL) {
+    OutputJsonKey(stream, kTestcase, "type_param", test_info.type_param(),
+                  kIndent);
+  }
+  if (GTEST_FLAG(list_tests)) {
+    OutputJsonKey(stream, kTestcase, "file", test_info.file(), kIndent);
+    OutputJsonKey(stream, kTestcase, "line", test_info.line(), kIndent, false);
+    *stream << "\n" << Indent(8) << "}";
+    return;
+  }
+
+  OutputJsonKey(stream, kTestcase, "status",
+                test_info.should_run() ? "RUN" : "NOTRUN", kIndent);
+  OutputJsonKey(stream, kTestcase, "time",
+                FormatTimeInMillisAsDuration(result.elapsed_time()), kIndent);
+  OutputJsonKey(stream, kTestcase, "classname", test_case_name, kIndent, false);
+  *stream << TestPropertiesAsJson(result, kIndent);
+
+  int failures = 0;
+  for (int i = 0; i < result.total_part_count(); ++i) {
+    const TestPartResult& part = result.GetTestPartResult(i);
+    if (part.failed()) {
+      *stream << ",\n";
+      if (++failures == 1) {
+        *stream << kIndent << "\"" << "failures" << "\": [\n";
+      }
+      const std::string location =
+          internal::FormatCompilerIndependentFileLocation(part.file_name(),
+                                                          part.line_number());
+      const std::string message = EscapeJson(location + "\n" + part.message());
+      *stream << kIndent << "  {\n"
+              << kIndent << "    \"failure\": \"" << message << "\",\n"
+              << kIndent << "    \"type\": \"\"\n"
+              << kIndent << "  }";
+    }
+  }
+
+  if (failures > 0)
+    *stream << "\n" << kIndent << "]";
+  *stream << "\n" << Indent(8) << "}";
+}
+
+// Prints an JSON representation of a TestCase object
+void JsonUnitTestResultPrinter::PrintJsonTestCase(std::ostream* stream,
+                                                  const TestCase& test_case) {
+  const std::string kTestsuite = "testsuite";
+  const std::string kIndent = Indent(6);
+
+  *stream << Indent(4) << "{\n";
+  OutputJsonKey(stream, kTestsuite, "name", test_case.name(), kIndent);
+  OutputJsonKey(stream, kTestsuite, "tests", test_case.reportable_test_count(),
+                kIndent);
+  if (!GTEST_FLAG(list_tests)) {
+    OutputJsonKey(stream, kTestsuite, "failures", test_case.failed_test_count(),
+                  kIndent);
+    OutputJsonKey(stream, kTestsuite, "disabled",
+                  test_case.reportable_disabled_test_count(), kIndent);
+    OutputJsonKey(stream, kTestsuite, "errors", 0, kIndent);
+    OutputJsonKey(stream, kTestsuite, "time",
+                  FormatTimeInMillisAsDuration(test_case.elapsed_time()),
+                  kIndent, false);
+    *stream << TestPropertiesAsJson(test_case.ad_hoc_test_result(), kIndent)
+            << ",\n";
+  }
+
+  *stream << kIndent << "\"" << kTestsuite << "\": [\n";
+
+  bool comma = false;
+  for (int i = 0; i < test_case.total_test_count(); ++i) {
+    if (test_case.GetTestInfo(i)->is_reportable()) {
+      if (comma) {
+        *stream << ",\n";
+      } else {
+        comma = true;
+      }
+      OutputJsonTestInfo(stream, test_case.name(), *test_case.GetTestInfo(i));
+    }
+  }
+  *stream << "\n" << kIndent << "]\n" << Indent(4) << "}";
+}
+
+// Prints a JSON summary of unit_test to output stream out.
+void JsonUnitTestResultPrinter::PrintJsonUnitTest(std::ostream* stream,
+                                                  const UnitTest& unit_test) {
+  const std::string kTestsuites = "testsuites";
+  const std::string kIndent = Indent(2);
+  *stream << "{\n";
+
+  OutputJsonKey(stream, kTestsuites, "tests", unit_test.reportable_test_count(),
+                kIndent);
+  OutputJsonKey(stream, kTestsuites, "failures", unit_test.failed_test_count(),
+                kIndent);
+  OutputJsonKey(stream, kTestsuites, "disabled",
+                unit_test.reportable_disabled_test_count(), kIndent);
+  OutputJsonKey(stream, kTestsuites, "errors", 0, kIndent);
+  if (GTEST_FLAG(shuffle)) {
+    OutputJsonKey(stream, kTestsuites, "random_seed", unit_test.random_seed(),
+                  kIndent);
+  }
+  OutputJsonKey(stream, kTestsuites, "timestamp",
+                FormatEpochTimeInMillisAsRFC3339(unit_test.start_timestamp()),
+                kIndent);
+  OutputJsonKey(stream, kTestsuites, "time",
+                FormatTimeInMillisAsDuration(unit_test.elapsed_time()), kIndent,
+                false);
+
+  *stream << TestPropertiesAsJson(unit_test.ad_hoc_test_result(), kIndent)
+          << ",\n";
+
+  OutputJsonKey(stream, kTestsuites, "name", "AllTests", kIndent);
+  *stream << kIndent << "\"" << kTestsuites << "\": [\n";
+
+  bool comma = false;
+  for (int i = 0; i < unit_test.total_test_case_count(); ++i) {
+    if (unit_test.GetTestCase(i)->reportable_test_count() > 0) {
+      if (comma) {
+        *stream << ",\n";
+      } else {
+        comma = true;
+      }
+      PrintJsonTestCase(stream, *unit_test.GetTestCase(i));
+    }
+  }
+
+  *stream << "\n" << kIndent << "]\n" << "}\n";
+}
+
+void JsonUnitTestResultPrinter::PrintJsonTestList(
+    std::ostream* stream, const std::vector<TestCase*>& test_cases) {
+  const std::string kTestsuites = "testsuites";
+  const std::string kIndent = Indent(2);
+  *stream << "{\n";
+  int total_tests = 0;
+  for (size_t i = 0; i < test_cases.size(); ++i) {
+    total_tests += test_cases[i]->total_test_count();
+  }
+  OutputJsonKey(stream, kTestsuites, "tests", total_tests, kIndent);
+
+  OutputJsonKey(stream, kTestsuites, "name", "AllTests", kIndent);
+  *stream << kIndent << "\"" << kTestsuites << "\": [\n";
+
+  for (size_t i = 0; i < test_cases.size(); ++i) {
+    if (i != 0) {
+      *stream << ",\n";
+    }
+    PrintJsonTestCase(stream, *test_cases[i]);
+  }
+
+  *stream << "\n"
+          << kIndent << "]\n"
+          << "}\n";
+}
+// Produces a string representing the test properties in a result as
+// a JSON dictionary.
+std::string JsonUnitTestResultPrinter::TestPropertiesAsJson(
+    const TestResult& result, const std::string& indent) {
+  Message attributes;
+  for (int i = 0; i < result.test_property_count(); ++i) {
+    const TestProperty& property = result.GetTestProperty(i);
+    attributes << ",\n" << indent << "\"" << property.key() << "\": "
+               << "\"" << EscapeJson(property.value()) << "\"";
+  }
+  return attributes.GetString();
+}
+
+// End JsonUnitTestResultPrinter
+
 #if GTEST_CAN_STREAM_RESULTS_
 
 // Checks if str contains '=', '&', '%' or '\n' characters. If yes,
@@ -3699,8 +4242,8 @@ std::string XmlUnitTestResultPrinter::TestPropertiesAsXmlAttributes(
 // example, replaces "=" with "%3D".  This algorithm is O(strlen(str))
 // in both time and space -- important as the input str may contain an
 // arbitrarily long test failure message and stack trace.
-string StreamingListener::UrlEncode(const char* str) {
-  string result;
+std::string StreamingListener::UrlEncode(const char* str) {
+  std::string result;
   result.reserve(strlen(str) + 1);
   for (char ch = *str; ch != '\0'; ch = *++str) {
     switch (ch) {
@@ -3762,58 +4305,82 @@ void StreamingListener::SocketWriter::MakeConnection() {
 // End of class Streaming Listener
 #endif  // GTEST_CAN_STREAM_RESULTS__
 
-// Class ScopedTrace
+// class OsStackTraceGetter
 
-// Pushes the given source file location and message onto a per-thread
-// trace stack maintained by Google Test.
-ScopedTrace::ScopedTrace(const char* file, int line, const Message& message)
-    GTEST_LOCK_EXCLUDED_(&UnitTest::mutex_) {
-  TraceInfo trace;
-  trace.file = file;
-  trace.line = line;
-  trace.message = message.GetString();
+const char* const OsStackTraceGetterInterface::kElidedFramesMarker =
+    "... " GTEST_NAME_ " internal frames ...";
 
-  UnitTest::GetInstance()->PushGTestTrace(trace);
-}
+std::string OsStackTraceGetter::CurrentStackTrace(int max_depth, int skip_count)
+    GTEST_LOCK_EXCLUDED_(mutex_) {
+#if GTEST_HAS_ABSL
+  std::string result;
 
-// Pops the info pushed by the c'tor.
-ScopedTrace::~ScopedTrace()
-    GTEST_LOCK_EXCLUDED_(&UnitTest::mutex_) {
-  UnitTest::GetInstance()->PopGTestTrace();
-}
+  if (max_depth <= 0) {
+    return result;
+  }
 
+  max_depth = std::min(max_depth, kMaxStackTraceDepth);
 
-// class OsStackTraceGetter
+  std::vector<void*> raw_stack(max_depth);
+  // Skips the frames requested by the caller, plus this function.
+  const int raw_stack_size =
+      absl::GetStackTrace(&raw_stack[0], max_depth, skip_count + 1);
 
-// Returns the current OS stack trace as an std::string.  Parameters:
-//
-//   max_depth  - the maximum number of stack frames to be included
-//                in the trace.
-//   skip_count - the number of top frames to be skipped; doesn't count
-//                against max_depth.
-//
-string OsStackTraceGetter::CurrentStackTrace(int /* max_depth */,
-                                             int /* skip_count */)
-    GTEST_LOCK_EXCLUDED_(mutex_) {
+  void* caller_frame = nullptr;
+  {
+    MutexLock lock(&mutex_);
+    caller_frame = caller_frame_;
+  }
+
+  for (int i = 0; i < raw_stack_size; ++i) {
+    if (raw_stack[i] == caller_frame &&
+        !GTEST_FLAG(show_internal_stack_frames)) {
+      // Add a marker to the trace and stop adding frames.
+      absl::StrAppend(&result, kElidedFramesMarker, "\n");
+      break;
+    }
+
+    char tmp[1024];
+    const char* symbol = "(unknown)";
+    if (absl::Symbolize(raw_stack[i], tmp, sizeof(tmp))) {
+      symbol = tmp;
+    }
+
+    char line[1024];
+    snprintf(line, sizeof(line), "  %p: %s\n", raw_stack[i], symbol);
+    result += line;
+  }
+
+  return result;
+
+#else  // !GTEST_HAS_ABSL
+  static_cast<void>(max_depth);
+  static_cast<void>(skip_count);
   return "";
+#endif  // GTEST_HAS_ABSL
 }
 
-void OsStackTraceGetter::UponLeavingGTest()
-    GTEST_LOCK_EXCLUDED_(mutex_) {
-}
+void OsStackTraceGetter::UponLeavingGTest() GTEST_LOCK_EXCLUDED_(mutex_) {
+#if GTEST_HAS_ABSL
+  void* caller_frame = nullptr;
+  if (absl::GetStackTrace(&caller_frame, 1, 3) <= 0) {
+    caller_frame = nullptr;
+  }
 
-const char* const
-OsStackTraceGetter::kElidedFramesMarker =
-    "... " GTEST_NAME_ " internal frames ...";
+  MutexLock lock(&mutex_);
+  caller_frame_ = caller_frame;
+#endif  // GTEST_HAS_ABSL
+}
 
 // A helper class that creates the premature-exit file in its
 // constructor and deletes the file in its destructor.
 class ScopedPrematureExitFile {
  public:
   explicit ScopedPrematureExitFile(const char* premature_exit_filepath)
-      : premature_exit_filepath_(premature_exit_filepath) {
+      : premature_exit_filepath_(premature_exit_filepath ?
+                                 premature_exit_filepath : "") {
     // If a path to the premature-exit file is specified...
-    if (premature_exit_filepath != NULL && *premature_exit_filepath != '\0') {
+    if (!premature_exit_filepath_.empty()) {
       // create the file with a single "0" character in it.  I/O
       // errors are ignored as there's nothing better we can do and we
       // don't want to fail the test because of this.
@@ -3824,13 +4391,18 @@ class ScopedPrematureExitFile {
   }
 
   ~ScopedPrematureExitFile() {
-    if (premature_exit_filepath_ != NULL && *premature_exit_filepath_ != '\0') {
-      remove(premature_exit_filepath_);
+    if (!premature_exit_filepath_.empty()) {
+      int retval = remove(premature_exit_filepath_.c_str());
+      if (retval) {
+        GTEST_LOG_(ERROR) << "Failed to remove premature exit filepath \""
+                          << premature_exit_filepath_ << "\" with error "
+                          << retval;
+      }
     }
   }
 
  private:
-  const char* const premature_exit_filepath_;
+  const std::string premature_exit_filepath_;
 
   GTEST_DISALLOW_COPY_AND_ASSIGN_(ScopedPrematureExitFile);
 };
@@ -4100,6 +4672,11 @@ void UnitTest::AddTestPartResult(
       // when a failure happens and both the --gtest_break_on_failure and
       // the --gtest_catch_exceptions flags are specified.
       DebugBreak();
+#elif (!defined(__native_client__)) &&            \
+    ((defined(__clang__) || defined(__GNUC__)) && \
+     (defined(__x86_64__) || defined(__i386__)))
+      // with clang/gcc we can achieve the same effect on x86 by invoking int3
+      asm("int3");
 #else
       // Dereference NULL through a volatile pointer to prevent the compiler
       // from removing. We use this rather than abort() or __builtin_trap() for
@@ -4167,7 +4744,7 @@ int UnitTest::Run() {
   // used for the duration of the program.
   impl()->set_catch_exceptions(GTEST_FLAG(catch_exceptions));
 
-#if GTEST_HAS_SEH
+#if GTEST_OS_WINDOWS
   // Either the user wants Google Test to catch exceptions thrown by the
   // tests or this is executing in the context of death test child
   // process. In either case the user does not want to see pop-up dialogs
@@ -4196,7 +4773,7 @@ int UnitTest::Run() {
     // VC++ doesn't define _set_abort_behavior() prior to the version 8.0.
     // Users of prior VC versions shall suffer the agony and pain of
     // clicking through the countless debug dialogs.
-    // TODO(vladl@google.com): find a way to suppress the abort dialog() in the
+    // FIXME: find a way to suppress the abort dialog() in the
     // debug mode when compiled with VC 7.1 or lower.
     if (!GTEST_FLAG(break_on_failure))
       _set_abort_behavior(
@@ -4204,7 +4781,7 @@ int UnitTest::Run() {
           _WRITE_ABORT_MSG | _CALL_REPORTFAULT);  // pop-up window, core dump.
 # endif
   }
-#endif  // GTEST_HAS_SEH
+#endif  // GTEST_OS_WINDOWS
 
   return internal::HandleExceptionsInMethodIfSupported(
       impl(),
@@ -4237,7 +4814,6 @@ const TestInfo* UnitTest::current_test_info() const
 // Returns the random seed used at the start of the current test run.
 int UnitTest::random_seed() const { return impl_->random_seed(); }
 
-#if GTEST_HAS_PARAM_TEST
 // Returns ParameterizedTestCaseRegistry object used to keep track of
 // value-parameterized tests and instantiate and register them.
 internal::ParameterizedTestCaseRegistry&
@@ -4245,7 +4821,6 @@ internal::ParameterizedTestCaseRegistry&
         GTEST_LOCK_EXCLUDED_(mutex_) {
   return impl_->parameterized_test_registry();
 }
-#endif  // GTEST_HAS_PARAM_TEST
 
 // Creates an empty UnitTest.
 UnitTest::UnitTest() {
@@ -4284,10 +4859,8 @@ UnitTestImpl::UnitTestImpl(UnitTest* parent)
           &default_global_test_part_result_reporter_),
       per_thread_test_part_result_reporter_(
           &default_per_thread_test_part_result_reporter_),
-#if GTEST_HAS_PARAM_TEST
       parameterized_test_registry_(),
       parameterized_tests_registered_(false),
-#endif  // GTEST_HAS_PARAM_TEST
       last_death_test_case_(-1),
       current_test_case_(NULL),
       current_test_info_(NULL),
@@ -4354,10 +4927,12 @@ void UnitTestImpl::ConfigureXmlOutput() {
   if (output_format == "xml") {
     listeners()->SetDefaultXmlGenerator(new XmlUnitTestResultPrinter(
         UnitTestOptions::GetAbsolutePathToOutputFile().c_str()));
+  } else if (output_format == "json") {
+    listeners()->SetDefaultXmlGenerator(new JsonUnitTestResultPrinter(
+        UnitTestOptions::GetAbsolutePathToOutputFile().c_str()));
   } else if (output_format != "") {
-    printf("WARNING: unrecognized output format \"%s\" ignored.\n",
-           output_format.c_str());
-    fflush(stdout);
+    GTEST_LOG_(WARNING) << "WARNING: unrecognized output format \""
+                        << output_format << "\" ignored.";
   }
 }
 
@@ -4372,9 +4947,8 @@ void UnitTestImpl::ConfigureStreamingOutput() {
       listeners()->Append(new StreamingListener(target.substr(0, pos),
                                                 target.substr(pos+1)));
     } else {
-      printf("WARNING: unrecognized streaming target \"%s\" ignored.\n",
-             target.c_str());
-      fflush(stdout);
+      GTEST_LOG_(WARNING) << "unrecognized streaming target \"" << target
+                          << "\" ignored.";
     }
   }
 }
@@ -4390,6 +4964,11 @@ void UnitTestImpl::PostFlagParsingInit() {
   if (!post_flag_parse_init_performed_) {
     post_flag_parse_init_performed_ = true;
 
+#if defined(GTEST_CUSTOM_TEST_EVENT_LISTENER_)
+    // Register to send notifications about key process state changes.
+    listeners()->Append(new GTEST_CUSTOM_TEST_EVENT_LISTENER_());
+#endif  // defined(GTEST_CUSTOM_TEST_EVENT_LISTENER_)
+
 #if GTEST_HAS_DEATH_TEST
     InitDeathTestSubprocessControlInfo();
     SuppressTestEventsIfInSubprocess();
@@ -4408,6 +4987,13 @@ void UnitTestImpl::PostFlagParsingInit() {
     // Configures listeners for streaming test results to the specified server.
     ConfigureStreamingOutput();
 #endif  // GTEST_CAN_STREAM_RESULTS_
+
+#if GTEST_HAS_ABSL
+    if (GTEST_FLAG(install_failure_signal_handler)) {
+      absl::FailureSignalHandlerOptions options;
+      absl::InstallFailureSignalHandler(options);
+    }
+#endif  // GTEST_HAS_ABSL
   }
 }
 
@@ -4451,11 +5037,11 @@ TestCase* UnitTestImpl::GetTestCase(const char* test_case_name,
                                     Test::SetUpTestCaseFunc set_up_tc,
                                     Test::TearDownTestCaseFunc tear_down_tc) {
   // Can we find a TestCase with the given name?
-  const std::vector<TestCase*>::const_iterator test_case =
-      std::find_if(test_cases_.begin(), test_cases_.end(),
+  const std::vector<TestCase*>::const_reverse_iterator test_case =
+      std::find_if(test_cases_.rbegin(), test_cases_.rend(),
                    TestCaseNameIs(test_case_name));
 
-  if (test_case != test_cases_.end())
+  if (test_case != test_cases_.rend())
     return *test_case;
 
   // No.  Let's create one.
@@ -4496,13 +5082,8 @@ static void TearDownEnvironment(Environment* env) { env->TearDown(); }
 // All other functions called from RunAllTests() may safely assume that
 // parameterized tests are ready to be counted and run.
 bool UnitTestImpl::RunAllTests() {
-  // Makes sure InitGoogleTest() was called.
-  if (!GTestIsInitialized()) {
-    printf("%s",
-           "\nThis test program did NOT call ::testing::InitGoogleTest "
-           "before calling RUN_ALL_TESTS().  Please fix it.\n");
-    return false;
-  }
+  // True iff Google Test is initialized before RUN_ALL_TESTS() is called.
+  const bool gtest_is_initialized_before_run_all_tests = GTestIsInitialized();
 
   // Do not run any test if the --help flag was specified.
   if (g_help_flag)
@@ -4523,6 +5104,11 @@ bool UnitTestImpl::RunAllTests() {
 
 #if GTEST_HAS_DEATH_TEST
   in_subprocess_for_death_test = (internal_run_death_test_flag_.get() != NULL);
+# if defined(GTEST_EXTRA_DEATH_TEST_CHILD_SETUP_)
+  if (in_subprocess_for_death_test) {
+    GTEST_EXTRA_DEATH_TEST_CHILD_SETUP_();
+  }
+# endif  // defined(GTEST_EXTRA_DEATH_TEST_CHILD_SETUP_)
 #endif  // GTEST_HAS_DEATH_TEST
 
   const bool should_shard = ShouldShard(kTestTotalShards, kTestShardIndex,
@@ -4625,6 +5211,20 @@ bool UnitTestImpl::RunAllTests() {
 
   repeater->OnTestProgramEnd(*parent_);
 
+  if (!gtest_is_initialized_before_run_all_tests) {
+    ColoredPrintf(
+        COLOR_RED,
+        "\nIMPORTANT NOTICE - DO NOT IGNORE:\n"
+        "This test program did NOT call " GTEST_INIT_GOOGLE_TEST_NAME_
+        "() before calling RUN_ALL_TESTS(). This is INVALID. Soon " GTEST_NAME_
+        " will start to enforce the valid usage. "
+        "Please fix it ASAP, or IT WILL START TO FAIL.\n");  // NOLINT
+#if GTEST_FOR_GOOGLE_
+    ColoredPrintf(COLOR_RED,
+                  "For more details, see http://wiki/Main/ValidGUnitMain.\n");
+#endif  // GTEST_FOR_GOOGLE_
+  }
+
   return !failed;
 }
 
@@ -4726,8 +5326,8 @@ bool ShouldRunTestOnShard(int total_shards, int shard_index, int test_id) {
 // each TestCase and TestInfo object.
 // If shard_tests == true, further filters tests based on sharding
 // variables in the environment - see
-// http://code.google.com/p/googletest/wiki/GoogleTestAdvancedGuide.
-// Returns the number of tests that should run.
+// https://github.com/google/googletest/blob/master/googletest/docs/advanced.md
+// . Returns the number of tests that should run.
 int UnitTestImpl::FilterTests(ReactionToSharding shard_tests) {
   const Int32 total_shards = shard_tests == HONOR_SHARDING_PROTOCOL ?
       Int32FromEnvOrDie(kTestTotalShards, -1) : -1;
@@ -4766,10 +5366,11 @@ int UnitTestImpl::FilterTests(ReactionToSharding shard_tests) {
           (GTEST_FLAG(also_run_disabled_tests) || !is_disabled) &&
           matches_filter;
 
-      const bool is_selected = is_runnable &&
-          (shard_tests == IGNORE_SHARDING_PROTOCOL ||
-           ShouldRunTestOnShard(total_shards, shard_index,
-                                num_runnable_tests));
+      const bool is_in_another_shard =
+          shard_tests != IGNORE_SHARDING_PROTOCOL &&
+          !ShouldRunTestOnShard(total_shards, shard_index, num_runnable_tests);
+      test_info->is_in_another_shard_ = is_in_another_shard;
+      const bool is_selected = is_runnable && !is_in_another_shard;
 
       num_runnable_tests += is_runnable;
       num_selected_tests += is_selected;
@@ -4839,6 +5440,23 @@ void UnitTestImpl::ListTestsMatchingFilter() {
     }
   }
   fflush(stdout);
+  const std::string& output_format = UnitTestOptions::GetOutputFormat();
+  if (output_format == "xml" || output_format == "json") {
+    FILE* fileout = OpenFileForWriting(
+        UnitTestOptions::GetAbsolutePathToOutputFile().c_str());
+    std::stringstream stream;
+    if (output_format == "xml") {
+      XmlUnitTestResultPrinter(
+          UnitTestOptions::GetAbsolutePathToOutputFile().c_str())
+          .PrintXmlTestsList(&stream, test_cases_);
+    } else if (output_format == "json") {
+      JsonUnitTestResultPrinter(
+          UnitTestOptions::GetAbsolutePathToOutputFile().c_str())
+          .PrintJsonTestList(&stream, test_cases_);
+    }
+    fprintf(fileout, "%s", StringStreamToString(&stream).c_str());
+    fclose(fileout);
+  }
 }
 
 // Sets the OS stack trace getter.
@@ -4859,17 +5477,25 @@ void UnitTestImpl::set_os_stack_trace_getter(
 // getter, and returns it.
 OsStackTraceGetterInterface* UnitTestImpl::os_stack_trace_getter() {
   if (os_stack_trace_getter_ == NULL) {
+#ifdef GTEST_OS_STACK_TRACE_GETTER_
+    os_stack_trace_getter_ = new GTEST_OS_STACK_TRACE_GETTER_;
+#else
     os_stack_trace_getter_ = new OsStackTraceGetter;
+#endif  // GTEST_OS_STACK_TRACE_GETTER_
   }
 
   return os_stack_trace_getter_;
 }
 
-// Returns the TestResult for the test that's currently running, or
-// the TestResult for the ad hoc test if no test is running.
+// Returns the most specific TestResult currently running.
 TestResult* UnitTestImpl::current_test_result() {
-  return current_test_info_ ?
-      &(current_test_info_->result_) : &ad_hoc_test_result_;
+  if (current_test_info_ != NULL) {
+    return &current_test_info_->result_;
+  }
+  if (current_test_case_ != NULL) {
+    return &current_test_case_->ad_hoc_test_result_;
+  }
+  return &ad_hoc_test_result_;
 }
 
 // Shuffles all test cases, and the tests within each test case,
@@ -4950,9 +5576,8 @@ bool SkipPrefix(const char* prefix, const char** pstr) {
 // part can be omitted.
 //
 // Returns the value of the flag, or NULL if the parsing failed.
-const char* ParseFlagValue(const char* str,
-                           const char* flag,
-                           bool def_optional) {
+static const char* ParseFlagValue(const char* str, const char* flag,
+                                  bool def_optional) {
   // str and flag must not be NULL.
   if (str == NULL || flag == NULL) return NULL;
 
@@ -4988,7 +5613,7 @@ const char* ParseFlagValue(const char* str,
 //
 // On success, stores the value of the flag in *value, and returns
 // true.  On failure, returns false without changing *value.
-bool ParseBoolFlag(const char* str, const char* flag, bool* value) {
+static bool ParseBoolFlag(const char* str, const char* flag, bool* value) {
   // Gets the value of the flag as a string.
   const char* const value_str = ParseFlagValue(str, flag, true);
 
@@ -5022,7 +5647,8 @@ bool ParseInt32Flag(const char* str, const char* flag, Int32* value) {
 //
 // On success, stores the value of the flag in *value, and returns
 // true.  On failure, returns false without changing *value.
-bool ParseStringFlag(const char* str, const char* flag, std::string* value) {
+template <typename String>
+static bool ParseStringFlag(const char* str, const char* flag, String* value) {
   // Gets the value of the flag as a string.
   const char* const value_str = ParseFlagValue(str, flag, false);
 
@@ -5058,7 +5684,7 @@ static bool HasGoogleTestFlagPrefix(const char* str) {
 //   @Y    changes the color to yellow.
 //   @D    changes to the default terminal text color.
 //
-// TODO(wan@google.com): Write tests for this once we add stdout
+// FIXME: Write tests for this once we add stdout
 // capturing to Google Test.
 static void PrintColorEncoded(const char* str) {
   GTestColor color = COLOR_DEFAULT;  // The current color.
@@ -5124,24 +5750,25 @@ static const char kColorEncodedHelpMessage[] =
 "      Enable/disable colored output. The default is @Gauto@D.\n"
 "  -@G-" GTEST_FLAG_PREFIX_ "print_time=0@D\n"
 "      Don't print the elapsed time of each test.\n"
-"  @G--" GTEST_FLAG_PREFIX_ "output=xml@Y[@G:@YDIRECTORY_PATH@G"
+"  @G--" GTEST_FLAG_PREFIX_ "output=@Y(@Gjson@Y|@Gxml@Y)[@G:@YDIRECTORY_PATH@G"
     GTEST_PATH_SEP_ "@Y|@G:@YFILE_PATH]@D\n"
-"      Generate an XML report in the given directory or with the given file\n"
-"      name. @YFILE_PATH@D defaults to @Gtest_details.xml@D.\n"
-#if GTEST_CAN_STREAM_RESULTS_
+"      Generate a JSON or XML report in the given directory or with the given\n"
+"      file name. @YFILE_PATH@D defaults to @Gtest_details.xml@D.\n"
+# if GTEST_CAN_STREAM_RESULTS_
 "  @G--" GTEST_FLAG_PREFIX_ "stream_result_to=@YHOST@G:@YPORT@D\n"
 "      Stream test results to the given server.\n"
-#endif  // GTEST_CAN_STREAM_RESULTS_
+# endif  // GTEST_CAN_STREAM_RESULTS_
 "\n"
 "Assertion Behavior:\n"
-#if GTEST_HAS_DEATH_TEST && !GTEST_OS_WINDOWS
+# if GTEST_HAS_DEATH_TEST && !GTEST_OS_WINDOWS
 "  @G--" GTEST_FLAG_PREFIX_ "death_test_style=@Y(@Gfast@Y|@Gthreadsafe@Y)@D\n"
 "      Set the default death test style.\n"
-#endif  // GTEST_HAS_DEATH_TEST && !GTEST_OS_WINDOWS
+# endif  // GTEST_HAS_DEATH_TEST && !GTEST_OS_WINDOWS
 "  @G--" GTEST_FLAG_PREFIX_ "break_on_failure@D\n"
 "      Turn assertion failures into debugger break-points.\n"
 "  @G--" GTEST_FLAG_PREFIX_ "throw_on_failure@D\n"
-"      Turn assertion failures into C++ exceptions.\n"
+"      Turn assertion failures into C++ exceptions for use by an external\n"
+"      test framework.\n"
 "  @G--" GTEST_FLAG_PREFIX_ "catch_exceptions=0@D\n"
 "      Do not report exceptions as test failures. Instead, allow them\n"
 "      to crash the program or throw a pop-up (on Windows).\n"
@@ -5158,6 +5785,56 @@ static const char kColorEncodedHelpMessage[] =
 "(not one in your own code or tests), please report it to\n"
 "@G<" GTEST_DEV_EMAIL_ ">@D.\n";
 
+static bool ParseGoogleTestFlag(const char* const arg) {
+  return ParseBoolFlag(arg, kAlsoRunDisabledTestsFlag,
+                       &GTEST_FLAG(also_run_disabled_tests)) ||
+      ParseBoolFlag(arg, kBreakOnFailureFlag,
+                    &GTEST_FLAG(break_on_failure)) ||
+      ParseBoolFlag(arg, kCatchExceptionsFlag,
+                    &GTEST_FLAG(catch_exceptions)) ||
+      ParseStringFlag(arg, kColorFlag, &GTEST_FLAG(color)) ||
+      ParseStringFlag(arg, kDeathTestStyleFlag,
+                      &GTEST_FLAG(death_test_style)) ||
+      ParseBoolFlag(arg, kDeathTestUseFork,
+                    &GTEST_FLAG(death_test_use_fork)) ||
+      ParseStringFlag(arg, kFilterFlag, &GTEST_FLAG(filter)) ||
+      ParseStringFlag(arg, kInternalRunDeathTestFlag,
+                      &GTEST_FLAG(internal_run_death_test)) ||
+      ParseBoolFlag(arg, kListTestsFlag, &GTEST_FLAG(list_tests)) ||
+      ParseStringFlag(arg, kOutputFlag, &GTEST_FLAG(output)) ||
+      ParseBoolFlag(arg, kPrintTimeFlag, &GTEST_FLAG(print_time)) ||
+      ParseBoolFlag(arg, kPrintUTF8Flag, &GTEST_FLAG(print_utf8)) ||
+      ParseInt32Flag(arg, kRandomSeedFlag, &GTEST_FLAG(random_seed)) ||
+      ParseInt32Flag(arg, kRepeatFlag, &GTEST_FLAG(repeat)) ||
+      ParseBoolFlag(arg, kShuffleFlag, &GTEST_FLAG(shuffle)) ||
+      ParseInt32Flag(arg, kStackTraceDepthFlag,
+                     &GTEST_FLAG(stack_trace_depth)) ||
+      ParseStringFlag(arg, kStreamResultToFlag,
+                      &GTEST_FLAG(stream_result_to)) ||
+      ParseBoolFlag(arg, kThrowOnFailureFlag,
+                    &GTEST_FLAG(throw_on_failure));
+}
+
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+static void LoadFlagsFromFile(const std::string& path) {
+  FILE* flagfile = posix::FOpen(path.c_str(), "r");
+  if (!flagfile) {
+    GTEST_LOG_(FATAL) << "Unable to open file \"" << GTEST_FLAG(flagfile)
+                      << "\"";
+  }
+  std::string contents(ReadEntireFile(flagfile));
+  posix::FClose(flagfile);
+  std::vector<std::string> lines;
+  SplitString(contents, '\n', &lines);
+  for (size_t i = 0; i < lines.size(); ++i) {
+    if (lines[i].empty())
+      continue;
+    if (!ParseGoogleTestFlag(lines[i].c_str()))
+      g_help_flag = true;
+  }
+}
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
+
 // Parses the command line for Google Test flags, without initializing
 // other parts of Google Test.  The type parameter CharType can be
 // instantiated to either char or wchar_t.
@@ -5171,35 +5848,24 @@ void ParseGoogleTestFlagsOnlyImpl(int* argc, CharType** argv) {
     using internal::ParseInt32Flag;
     using internal::ParseStringFlag;
 
-    // Do we see a Google Test flag?
-    if (ParseBoolFlag(arg, kAlsoRunDisabledTestsFlag,
-                      &GTEST_FLAG(also_run_disabled_tests)) ||
-        ParseBoolFlag(arg, kBreakOnFailureFlag,
-                      &GTEST_FLAG(break_on_failure)) ||
-        ParseBoolFlag(arg, kCatchExceptionsFlag,
-                      &GTEST_FLAG(catch_exceptions)) ||
-        ParseStringFlag(arg, kColorFlag, &GTEST_FLAG(color)) ||
-        ParseStringFlag(arg, kDeathTestStyleFlag,
-                        &GTEST_FLAG(death_test_style)) ||
-        ParseBoolFlag(arg, kDeathTestUseFork,
-                      &GTEST_FLAG(death_test_use_fork)) ||
-        ParseStringFlag(arg, kFilterFlag, &GTEST_FLAG(filter)) ||
-        ParseStringFlag(arg, kInternalRunDeathTestFlag,
-                        &GTEST_FLAG(internal_run_death_test)) ||
-        ParseBoolFlag(arg, kListTestsFlag, &GTEST_FLAG(list_tests)) ||
-        ParseStringFlag(arg, kOutputFlag, &GTEST_FLAG(output)) ||
-        ParseBoolFlag(arg, kPrintTimeFlag, &GTEST_FLAG(print_time)) ||
-        ParseInt32Flag(arg, kRandomSeedFlag, &GTEST_FLAG(random_seed)) ||
-        ParseInt32Flag(arg, kRepeatFlag, &GTEST_FLAG(repeat)) ||
-        ParseBoolFlag(arg, kShuffleFlag, &GTEST_FLAG(shuffle)) ||
-        ParseInt32Flag(arg, kStackTraceDepthFlag,
-                       &GTEST_FLAG(stack_trace_depth)) ||
-        ParseStringFlag(arg, kStreamResultToFlag,
-                        &GTEST_FLAG(stream_result_to)) ||
-        ParseBoolFlag(arg, kThrowOnFailureFlag,
-                      &GTEST_FLAG(throw_on_failure))
-        ) {
-      // Yes.  Shift the remainder of the argv list left by one.  Note
+    bool remove_flag = false;
+    if (ParseGoogleTestFlag(arg)) {
+      remove_flag = true;
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+    } else if (ParseStringFlag(arg, kFlagfileFlag, &GTEST_FLAG(flagfile))) {
+      LoadFlagsFromFile(GTEST_FLAG(flagfile));
+      remove_flag = true;
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
+    } else if (arg_string == "--help" || arg_string == "-h" ||
+               arg_string == "-?" || arg_string == "/?" ||
+               HasGoogleTestFlagPrefix(arg)) {
+      // Both help flag and unrecognized Google Test flags (excluding
+      // internal ones) trigger help display.
+      g_help_flag = true;
+    }
+
+    if (remove_flag) {
+      // Shift the remainder of the argv list left by one.  Note
       // that argv has (*argc + 1) elements, the last one always being
       // NULL.  The following loop moves the trailing NULL element as
       // well.
@@ -5213,12 +5879,6 @@ void ParseGoogleTestFlagsOnlyImpl(int* argc, CharType** argv) {
       // We also need to decrement the iterator as we just removed
       // an element.
       i--;
-    } else if (arg_string == "--help" || arg_string == "-h" ||
-               arg_string == "-?" || arg_string == "/?" ||
-               HasGoogleTestFlagPrefix(arg)) {
-      // Both help flag and unrecognized Google Test flags (excluding
-      // internal ones) trigger help display.
-      g_help_flag = true;
     }
   }
 
@@ -5234,6 +5894,17 @@ void ParseGoogleTestFlagsOnlyImpl(int* argc, CharType** argv) {
 // other parts of Google Test.
 void ParseGoogleTestFlagsOnly(int* argc, char** argv) {
   ParseGoogleTestFlagsOnlyImpl(argc, argv);
+
+  // Fix the value of *_NSGetArgc() on macOS, but iff
+  // *_NSGetArgv() == argv
+  // Only applicable to char** version of argv
+#if GTEST_OS_MAC
+#ifndef GTEST_OS_IOS
+  if (*_NSGetArgv() == argv) {
+    *_NSGetArgc() = *argc;
+  }
+#endif
+#endif
 }
 void ParseGoogleTestFlagsOnly(int* argc, wchar_t** argv) {
   ParseGoogleTestFlagsOnlyImpl(argc, argv);
@@ -5245,23 +5916,19 @@ void ParseGoogleTestFlagsOnly(int* argc, wchar_t** argv) {
 // wchar_t.
 template <typename CharType>
 void InitGoogleTestImpl(int* argc, CharType** argv) {
-  g_init_gtest_count++;
-
   // We don't want to run the initialization code twice.
-  if (g_init_gtest_count != 1) return;
+  if (GTestIsInitialized()) return;
 
   if (*argc <= 0) return;
 
-  internal::g_executable_path = internal::StreamableToString(argv[0]);
-
-#if GTEST_HAS_DEATH_TEST
-
   g_argvs.clear();
   for (int i = 0; i != *argc; i++) {
     g_argvs.push_back(StreamableToString(argv[i]));
   }
 
-#endif  // GTEST_HAS_DEATH_TEST
+#if GTEST_HAS_ABSL
+  absl::InitializeSymbolizer(g_argvs[0].c_str());
+#endif  // GTEST_HAS_ABSL
 
   ParseGoogleTestFlagsOnly(argc, argv);
   GetUnitTestImpl()->PostFlagParsingInit();
@@ -5279,13 +5946,62 @@ void InitGoogleTestImpl(int* argc, CharType** argv) {
 //
 // Calling the function for the second time has no user-visible effect.
 void InitGoogleTest(int* argc, char** argv) {
+#if defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
+  GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_(argc, argv);
+#else  // defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
   internal::InitGoogleTestImpl(argc, argv);
+#endif  // defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
 }
 
 // This overloaded version can be used in Windows programs compiled in
 // UNICODE mode.
 void InitGoogleTest(int* argc, wchar_t** argv) {
+#if defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
+  GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_(argc, argv);
+#else  // defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
   internal::InitGoogleTestImpl(argc, argv);
+#endif  // defined(GTEST_CUSTOM_INIT_GOOGLE_TEST_FUNCTION_)
+}
+
+std::string TempDir() {
+#if defined(GTEST_CUSTOM_TEMPDIR_FUNCTION_)
+  return GTEST_CUSTOM_TEMPDIR_FUNCTION_();
+#endif
+
+#if GTEST_OS_WINDOWS_MOBILE
+  return "\\temp\\";
+#elif GTEST_OS_WINDOWS
+  const char* temp_dir = internal::posix::GetEnv("TEMP");
+  if (temp_dir == NULL || temp_dir[0] == '\0')
+    return "\\temp\\";
+  else if (temp_dir[strlen(temp_dir) - 1] == '\\')
+    return temp_dir;
+  else
+    return std::string(temp_dir) + "\\";
+#elif GTEST_OS_LINUX_ANDROID
+  return "/sdcard/";
+#else
+  return "/tmp/";
+#endif  // GTEST_OS_WINDOWS_MOBILE
+}
+
+// Class ScopedTrace
+
+// Pushes the given source file location and message onto a per-thread
+// trace stack maintained by Google Test.
+void ScopedTrace::PushTrace(const char* file, int line, std::string message) {
+  internal::TraceInfo trace;
+  trace.file = file;
+  trace.line = line;
+  trace.message.swap(message);
+
+  UnitTest::GetInstance()->PushGTestTrace(trace);
+}
+
+// Pops the info pushed by the c'tor.
+ScopedTrace::~ScopedTrace()
+    GTEST_LOCK_EXCLUDED_(&UnitTest::mutex_) {
+  UnitTest::GetInstance()->PopGTestTrace();
 }
 
 }  // namespace testing
diff --git a/security/nss/gtests/google_test/gtest/src/gtest_main.cc b/security/nss/gtests/google_test/gtest/src/gtest_main.cc
index f302822552..2113f621e6 100644
--- a/security/nss/gtests/google_test/gtest/src/gtest_main.cc
+++ b/security/nss/gtests/google_test/gtest/src/gtest_main.cc
@@ -28,11 +28,10 @@
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 #include <stdio.h>
-
 #include "gtest/gtest.h"
 
 GTEST_API_ int main(int argc, char **argv) {
-  printf("Running main() from gtest_main.cc\n");
+  printf("Running main() from %s\n", __FILE__);
   testing::InitGoogleTest(&argc, argv);
   return RUN_ALL_TESTS();
 }
diff --git a/security/nss/gtests/google_test/gtest/test/BUILD.bazel b/security/nss/gtests/google_test/gtest/test/BUILD.bazel
new file mode 100644
index 0000000000..a930d65e04
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/BUILD.bazel
@@ -0,0 +1,527 @@
+# Copyright 2017 Google Inc.
+# All Rights Reserved.
+#
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# Author: misterg@google.com (Gennadiy Civil)
+#
+# Bazel BUILD for The Google C++ Testing Framework (Google Test)
+
+licenses(["notice"])
+
+config_setting(
+    name = "windows",
+    values = {"cpu": "x64_windows"},
+)
+
+config_setting(
+    name = "windows_msvc",
+    values = {"cpu": "x64_windows_msvc"},
+)
+
+config_setting(
+    name = "has_absl",
+    values = {"define": "absl=1"},
+)
+
+#on windows exclude gtest-tuple.h and googletest-tuple-test.cc
+cc_test(
+    name = "gtest_all_test",
+    size = "small",
+    srcs = glob(
+        include = [
+            "gtest-*.cc",
+            "googletest-*.cc",
+            "*.h",
+            "googletest/include/gtest/**/*.h",
+        ],
+        exclude = [
+            "gtest-unittest-api_test.cc",
+            "googletest-tuple-test.cc",
+            "googletest/src/gtest-all.cc",
+            "gtest_all_test.cc",
+            "gtest-death-test_ex_test.cc",
+            "gtest-listener_test.cc",
+            "gtest-unittest-api_test.cc",
+            "googletest-param-test-test.cc",
+            "googletest-catch-exceptions-test_.cc",
+            "googletest-color-test_.cc",
+            "googletest-env-var-test_.cc",
+            "googletest-filter-unittest_.cc",
+            "googletest-break-on-failure-unittest_.cc",
+             "googletest-listener-test.cc",
+             "googletest-output-test_.cc",
+             "googletest-list-tests-unittest_.cc",
+             "googletest-shuffle-test_.cc",
+             "googletest-uninitialized-test_.cc",
+             "googletest-death-test_ex_test.cc",
+             "googletest-param-test-test",
+             "googletest-throw-on-failure-test_.cc",
+             "googletest-param-test-invalid-name1-test_.cc",
+             "googletest-param-test-invalid-name2-test_.cc",
+
+        ],
+    ) + select({
+        "//:windows": [],
+        "//:windows_msvc": [],
+        "//conditions:default": [
+            "googletest-tuple-test.cc",
+        ],
+    }),
+    copts = select({
+        "//:windows": ["-DGTEST_USE_OWN_TR1_TUPLE=0"],
+        "//:windows_msvc": ["-DGTEST_USE_OWN_TR1_TUPLE=0"],
+        "//conditions:default": ["-DGTEST_USE_OWN_TR1_TUPLE=1"],
+    }),
+    includes = [
+        "googletest",
+        "googletest/include",
+        "googletest/include/internal",
+        "googletest/test",
+    ],
+    linkopts = select({
+        "//:windows": [],
+        "//:windows_msvc": [],
+        "//conditions:default": [
+            "-pthread",
+        ],
+    }),
+    deps = ["//:gtest_main"],
+)
+
+
+# Tests death tests.
+cc_test(
+    name = "googletest-death-test-test",
+    size = "medium",
+    srcs = ["googletest-death-test-test.cc"],
+    deps = ["//:gtest_main"],
+)
+
+cc_test(
+    name = "gtest_test_macro_stack_footprint_test",
+    size = "small",
+    srcs = ["gtest_test_macro_stack_footprint_test.cc"],
+    deps = ["//:gtest"],
+)
+
+#These googletest tests have their own main()
+cc_test(
+    name = "googletest-listener-test",
+    size = "small",
+    srcs = ["googletest-listener-test.cc"],
+    deps = ["//:gtest_main"],
+)
+
+cc_test(
+    name = "gtest-unittest-api_test",
+    size = "small",
+    srcs = [
+        "gtest-unittest-api_test.cc",
+    ],
+    deps = [
+        "//:gtest",
+    ],
+)
+
+cc_test(
+    name = "googletest-param-test-test",
+    size = "small",
+    srcs = [
+        "googletest-param-test-test.cc",
+        "googletest-param-test-test.h",
+        "googletest-param-test2-test.cc",
+    ],
+    deps = ["//:gtest"],
+)
+
+cc_test(
+    name = "gtest_unittest",
+    size = "small",
+    srcs = ["gtest_unittest.cc"],
+    args = ["--heap_check=strict"],
+    shard_count = 2,
+    deps = ["//:gtest_main"],
+)
+
+#  Py tests
+
+py_library(
+    name = "gtest_test_utils",
+    testonly = 1,
+    srcs = ["gtest_test_utils.py"],
+)
+
+cc_binary(
+    name = "gtest_help_test_",
+    testonly = 1,
+    srcs = ["gtest_help_test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+py_test(
+    name = "gtest_help_test",
+    size = "small",
+    srcs = ["gtest_help_test.py"],
+    data = [":gtest_help_test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-output-test_",
+    testonly = 1,
+    srcs = ["googletest-output-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+
+py_test(
+    name = "googletest-output-test",
+    size = "small",
+    srcs = ["googletest-output-test.py"],
+    args = select({
+        ":has_absl": [],
+        "//conditions:default": ["--no_stacktrace_support"],
+    }),
+    data = [
+        "googletest-output-test-golden-lin.txt",
+        ":googletest-output-test_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-color-test_",
+    testonly = 1,
+    srcs = ["googletest-color-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-color-test",
+    size = "small",
+    srcs = ["googletest-color-test.py"],
+    data = [":googletest-color-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-env-var-test_",
+    testonly = 1,
+    srcs = ["googletest-env-var-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-env-var-test",
+    size = "medium",
+    srcs = ["googletest-env-var-test.py"],
+    data = [":googletest-env-var-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-filter-unittest_",
+    testonly = 1,
+    srcs = ["googletest-filter-unittest_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-filter-unittest",
+    size = "medium",
+    srcs = ["googletest-filter-unittest.py"],
+    data = [":googletest-filter-unittest_"],
+    deps = [":gtest_test_utils"],
+)
+
+
+cc_binary(
+    name = "googletest-break-on-failure-unittest_",
+    testonly = 1,
+    srcs = ["googletest-break-on-failure-unittest_.cc"],
+    deps = ["//:gtest"],
+)
+
+
+
+py_test(
+    name = "googletest-break-on-failure-unittest",
+    size = "small",
+    srcs = ["googletest-break-on-failure-unittest.py"],
+    data = [":googletest-break-on-failure-unittest_"],
+    deps = [":gtest_test_utils"],
+)
+
+
+cc_test(
+    name = "gtest_assert_by_exception_test",
+    size = "small",
+    srcs = ["gtest_assert_by_exception_test.cc"],
+    deps = ["//:gtest"],
+)
+
+
+
+cc_binary(
+    name = "googletest-throw-on-failure-test_",
+    testonly = 1,
+    srcs = ["googletest-throw-on-failure-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-throw-on-failure-test",
+    size = "small",
+    srcs = ["googletest-throw-on-failure-test.py"],
+    data = [":googletest-throw-on-failure-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+
+cc_binary(
+    name = "googletest-list-tests-unittest_",
+    testonly = 1,
+    srcs = ["googletest-list-tests-unittest_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-list-tests-unittest",
+    size = "small",
+    srcs = ["googletest-list-tests-unittest.py"],
+    data = [":googletest-list-tests-unittest_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-shuffle-test_",
+    srcs = ["googletest-shuffle-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-shuffle-test",
+    size = "small",
+    srcs = ["googletest-shuffle-test.py"],
+    data = [":googletest-shuffle-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-catch-exceptions-no-ex-test_",
+    testonly = 1,
+    srcs = ["googletest-catch-exceptions-test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+cc_binary(
+    name = "googletest-catch-exceptions-ex-test_",
+    testonly = 1,
+    srcs = ["googletest-catch-exceptions-test_.cc"],
+    copts = ["-fexceptions"],
+    deps = ["//:gtest_main"],
+)
+
+py_test(
+    name = "googletest-catch-exceptions-test",
+    size = "small",
+    srcs = ["googletest-catch-exceptions-test.py"],
+    data = [
+        ":googletest-catch-exceptions-ex-test_",
+        ":googletest-catch-exceptions-no-ex-test_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "gtest_xml_output_unittest_",
+    testonly = 1,
+    srcs = ["gtest_xml_output_unittest_.cc"],
+    deps = ["//:gtest"],
+)
+
+cc_test(
+    name = "gtest_no_test_unittest",
+    size = "small",
+    srcs = ["gtest_no_test_unittest.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "gtest_xml_output_unittest",
+    size = "small",
+    srcs = [
+        "gtest_xml_output_unittest.py",
+        "gtest_xml_test_utils.py",
+    ],
+    args = select({
+        ":has_absl": [],
+        "//conditions:default": ["--no_stacktrace_support"],
+    }),
+    data = [
+        # We invoke gtest_no_test_unittest to verify the XML output
+        # when the test program contains no test definition.
+        ":gtest_no_test_unittest",
+        ":gtest_xml_output_unittest_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "gtest_xml_outfile1_test_",
+    testonly = 1,
+    srcs = ["gtest_xml_outfile1_test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+cc_binary(
+    name = "gtest_xml_outfile2_test_",
+    testonly = 1,
+    srcs = ["gtest_xml_outfile2_test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+py_test(
+    name = "gtest_xml_outfiles_test",
+    size = "small",
+    srcs = [
+        "gtest_xml_outfiles_test.py",
+        "gtest_xml_test_utils.py",
+    ],
+    data = [
+        ":gtest_xml_outfile1_test_",
+        ":gtest_xml_outfile2_test_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "googletest-uninitialized-test_",
+    testonly = 1,
+    srcs = ["googletest-uninitialized-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-uninitialized-test",
+    size = "medium",
+    srcs = ["googletest-uninitialized-test.py"],
+    data = ["googletest-uninitialized-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+cc_binary(
+    name = "gtest_testbridge_test_",
+    testonly = 1,
+    srcs = ["gtest_testbridge_test_.cc"],
+    deps = ["//:gtest_main"],
+)
+
+# Tests that filtering via testbridge works
+py_test(
+    name = "gtest_testbridge_test",
+    size = "small",
+    srcs = ["gtest_testbridge_test.py"],
+    data = [":gtest_testbridge_test_"],
+    deps = [":gtest_test_utils"],
+)
+
+
+py_test(
+    name = "googletest-json-outfiles-test",
+    size = "small",
+    srcs = [
+        "googletest-json-outfiles-test.py",
+        "gtest_json_test_utils.py",
+    ],
+    data = [
+        ":gtest_xml_outfile1_test_",
+        ":gtest_xml_outfile2_test_",
+    ],
+    deps = [":gtest_test_utils"],
+)
+
+py_test(
+    name = "googletest-json-output-unittest",
+    size = "medium",
+    srcs = [
+        "googletest-json-output-unittest.py",
+        "gtest_json_test_utils.py",
+    ],
+    data = [
+        # We invoke gtest_no_test_unittest to verify the JSON output
+        # when the test program contains no test definition.
+        ":gtest_no_test_unittest",
+        ":gtest_xml_output_unittest_",
+    ],
+    args = select({
+        ":has_absl": [],
+        "//conditions:default": ["--no_stacktrace_support"],
+    }),
+    deps = [":gtest_test_utils"],
+)
+# Verifies interaction of death tests and exceptions.
+cc_test(
+    name = "googletest-death-test_ex_catch_test",
+    size = "medium",
+    srcs = ["googletest-death-test_ex_test.cc"],
+    copts = ["-fexceptions"],
+    defines = ["GTEST_ENABLE_CATCH_EXCEPTIONS_=1"],
+    deps = ["//:gtest"],
+)
+
+cc_binary(
+    name = "googletest-param-test-invalid-name1-test_",
+    testonly = 1,
+    srcs = ["googletest-param-test-invalid-name1-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+cc_binary(
+    name = "googletest-param-test-invalid-name2-test_",
+    testonly = 1,
+    srcs = ["googletest-param-test-invalid-name2-test_.cc"],
+    deps = ["//:gtest"],
+)
+
+py_test(
+    name = "googletest-param-test-invalid-name1-test",
+    size = "small",
+    srcs = ["googletest-param-test-invalid-name1-test.py"],
+    data = [":googletest-param-test-invalid-name1-test_"],
+    deps = [":gtest_test_utils"],
+)
+
+py_test(
+    name = "googletest-param-test-invalid-name2-test",
+    size = "small",
+    srcs = ["googletest-param-test-invalid-name2-test.py"],
+    data = [":googletest-param-test-invalid-name2-test_"],
+    deps = [":gtest_test_utils"],
+)
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_break_on_failure_unittest.py b/security/nss/gtests/google_test/gtest/test/googletest-break-on-failure-unittest.py
index 78f3e0f53b..a5dfbc693b 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_break_on_failure_unittest.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-break-on-failure-unittest.py
@@ -34,16 +34,12 @@
 A user can ask Google Test to seg-fault when an assertion fails, using
 either the GTEST_BREAK_ON_FAILURE environment variable or the
 --gtest_break_on_failure flag.  This script tests such functionality
-by invoking gtest_break_on_failure_unittest_ (a program written with
+by invoking googletest-break-on-failure-unittest_ (a program written with
 Google Test) with different environments and command line flags.
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
-import gtest_test_utils
 import os
-import sys
-
+import gtest_test_utils
 
 # Constants.
 
@@ -61,9 +57,9 @@ THROW_ON_FAILURE_ENV_VAR = 'GTEST_THROW_ON_FAILURE'
 # The environment variable for enabling/disabling the catch-exceptions mode.
 CATCH_EXCEPTIONS_ENV_VAR = 'GTEST_CATCH_EXCEPTIONS'
 
-# Path to the gtest_break_on_failure_unittest_ program.
+# Path to the googletest-break-on-failure-unittest_ program.
 EXE_PATH = gtest_test_utils.GetTestExecutablePath(
-    'gtest_break_on_failure_unittest_')
+    'googletest-break-on-failure-unittest_')
 
 
 environ = gtest_test_utils.environ
@@ -97,7 +93,7 @@ class GTestBreakOnFailureUnitTest(gtest_test_utils.TestCase):
   """
 
   def RunAndVerify(self, env_var_value, flag_value, expect_seg_fault):
-    """Runs gtest_break_on_failure_unittest_ and verifies that it does
+    """Runs googletest-break-on-failure-unittest_ and verifies that it does
     (or does not) have a seg-fault.
 
     Args:
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_break_on_failure_unittest_.cc b/security/nss/gtests/google_test/gtest/test/googletest-break-on-failure-unittest_.cc
index dd07478c07..f84957a2d0 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_break_on_failure_unittest_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-break-on-failure-unittest_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Unit test for Google Test's break-on-failure mode.
 //
@@ -80,8 +79,7 @@ int main(int argc, char **argv) {
   SetUnhandledExceptionFilter(ExitWithExceptionCode);
 
 # endif
-#endif
-
+#endif  // GTEST_OS_WINDOWS
   testing::InitGoogleTest(&argc, argv);
 
   return RUN_ALL_TESTS();
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_catch_exceptions_test.py b/security/nss/gtests/google_test/gtest/test/googletest-catch-exceptions-test.py
index e6fc22fd1f..5d49c1023c 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_catch_exceptions_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-catch-exceptions-test.py
@@ -30,15 +30,11 @@
 
 """Tests Google Test's exception catching behavior.
 
-This script invokes gtest_catch_exceptions_test_ and
-gtest_catch_exceptions_ex_test_ (programs written with
+This script invokes googletest-catch-exceptions-test_ and
+googletest-catch-exceptions-ex-test_ (programs written with
 Google Test) and verifies their output.
 """
 
-__author__ = 'vladl@google.com (Vlad Losev)'
-
-import os
-
 import gtest_test_utils
 
 # Constants.
@@ -47,15 +43,15 @@ LIST_TESTS_FLAG = FLAG_PREFIX + 'list_tests'
 NO_CATCH_EXCEPTIONS_FLAG = FLAG_PREFIX + 'catch_exceptions=0'
 FILTER_FLAG = FLAG_PREFIX + 'filter'
 
-# Path to the gtest_catch_exceptions_ex_test_ binary, compiled with
+# Path to the googletest-catch-exceptions-ex-test_ binary, compiled with
 # exceptions enabled.
 EX_EXE_PATH = gtest_test_utils.GetTestExecutablePath(
-    'gtest_catch_exceptions_ex_test_')
+    'googletest-catch-exceptions-ex-test_')
 
-# Path to the gtest_catch_exceptions_test_ binary, compiled with
+# Path to the googletest-catch-exceptions-test_ binary, compiled with
 # exceptions disabled.
 EXE_PATH = gtest_test_utils.GetTestExecutablePath(
-    'gtest_catch_exceptions_no_ex_test_')
+    'googletest-catch-exceptions-no-ex-test_')
 
 environ = gtest_test_utils.environ
 SetEnvVar = gtest_test_utils.SetEnvVar
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_catch_exceptions_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc
index d0fc82c998..09dae70030 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_catch_exceptions_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-catch-exceptions-test_.cc
@@ -26,17 +26,17 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 //
 // Tests for Google Test itself. Tests in this file throw C++ or SEH
-// exceptions, and the output is verified by gtest_catch_exceptions_test.py.
-
-#include "gtest/gtest.h"
+// exceptions, and the output is verified by
+// googletest-catch-exceptions-test.py.
 
 #include <stdio.h>  // NOLINT
 #include <stdlib.h>  // For exit().
 
+#include "gtest/gtest.h"
+
 #if GTEST_HAS_SEH
 # include <windows.h>
 #endif
@@ -138,7 +138,7 @@ TEST_F(CxxExceptionInConstructorTest, ThrowsExceptionInConstructor) {
 }
 
 // Exceptions in destructors are not supported in C++11.
-#if !defined(__GXX_EXPERIMENTAL_CXX0X__) &&  __cplusplus < 201103L
+#if !GTEST_LANG_CXX11
 class CxxExceptionInDestructorTest : public Test {
  public:
   static void TearDownTestCase() {
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_color_test.py b/security/nss/gtests/google_test/gtest/test/googletest-color-test.py
index d02a53ed85..f3b7c9990b 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_color_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-color-test.py
@@ -31,17 +31,14 @@
 
 """Verifies that Google Test correctly determines whether to use colors."""
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import gtest_test_utils
 
-
-IS_WINDOWS = os.name = 'nt'
+IS_WINDOWS = os.name == 'nt'
 
 COLOR_ENV_VAR = 'GTEST_COLOR'
 COLOR_FLAG = 'gtest_color'
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_color_test_')
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-color-test_')
 
 
 def SetEnvVar(env_var, value):
@@ -54,7 +51,7 @@ def SetEnvVar(env_var, value):
 
 
 def UsesColor(term, color_env_var, color_flag):
-  """Runs gtest_color_test_ and returns its exit code."""
+  """Runs googletest-color-test_ and returns its exit code."""
 
   SetEnvVar('TERM', term)
   SetEnvVar(COLOR_ENV_VAR, color_env_var)
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_color_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-color-test_.cc
index f61ebb89b8..220a3a0054 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_color_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-color-test_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // A helper program for testing how Google Test determines whether to use
 // colors in the output.  It prints "YES" and returns 1 if Google Test
@@ -36,15 +35,7 @@
 #include <stdio.h>
 
 #include "gtest/gtest.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 using testing::internal::ShouldUseColor;
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-death-test_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-death-test-test.cc
index b25bc2296a..c0c3026fb5 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-death-test_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-death-test-test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests for death tests.
 
@@ -56,15 +55,7 @@ using testing::internal::AlwaysTrue;
 # endif  // GTEST_OS_LINUX
 
 # include "gtest/gtest-spi.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-# define GTEST_IMPLEMENTATION_ 1
 # include "src/gtest-internal-inl.h"
-# undef GTEST_IMPLEMENTATION_
 
 namespace posix = ::testing::internal::posix;
 
@@ -208,7 +199,7 @@ int DieInDebugElse12(int* sideeffect) {
   return 12;
 }
 
-# if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
 // Tests the ExitedWithCode predicate.
 TEST(ExitStatusPredicateTest, ExitedWithCode) {
@@ -280,7 +271,7 @@ TEST(ExitStatusPredicateTest, KilledBySignal) {
   EXPECT_FALSE(pred_kill(status_segv));
 }
 
-# endif  // GTEST_OS_WINDOWS
+# endif  // GTEST_OS_WINDOWS || GTEST_OS_FUCHSIA
 
 // Tests that the death test macros expand to code which may or may not
 // be followed by operator<<, and that in either case the complete text
@@ -313,14 +304,14 @@ void DieWithEmbeddedNul() {
 }
 
 # if GTEST_USES_PCRE
+
 // Tests that EXPECT_DEATH and ASSERT_DEATH work when the error
 // message has a NUL character in it.
 TEST_F(TestForDeathTest, EmbeddedNulInMessage) {
-  // TODO(wan@google.com): <regex.h> doesn't support matching strings
-  // with embedded NUL characters - find a way to workaround it.
   EXPECT_DEATH(DieWithEmbeddedNul(), "my null world");
   ASSERT_DEATH(DieWithEmbeddedNul(), "my null world");
 }
+
 # endif  // GTEST_USES_PCRE
 
 // Tests that death test macros expand to code which interacts well with switch
@@ -505,13 +496,17 @@ TEST_F(TestForDeathTest, AcceptsAnythingConvertibleToRE) {
 
 # if GTEST_HAS_GLOBAL_STRING
 
-  const string regex_str(regex_c_str);
+  const ::string regex_str(regex_c_str);
   EXPECT_DEATH(GlobalFunction(), regex_str);
 
 # endif  // GTEST_HAS_GLOBAL_STRING
 
+# if !GTEST_USES_PCRE
+
   const ::std::string regex_std_str(regex_c_str);
   EXPECT_DEATH(GlobalFunction(), regex_std_str);
+
+# endif  // !GTEST_USES_PCRE
 }
 
 // Tests that a non-void function can be used in a death test.
@@ -621,7 +616,11 @@ TEST_F(TestForDeathTest, ReturnIsFailure) {
 TEST_F(TestForDeathTest, TestExpectDebugDeath) {
   int sideeffect = 0;
 
-  EXPECT_DEBUG_DEATH(DieInDebugElse12(&sideeffect), "death.*DieInDebugElse12")
+  // Put the regex in a local variable to make sure we don't get an "unused"
+  // warning in opt mode.
+  const char* regex = "death.*DieInDebugElse12";
+
+  EXPECT_DEBUG_DEATH(DieInDebugElse12(&sideeffect), regex)
       << "Must accept a streamed message";
 
 # ifdef NDEBUG
@@ -784,11 +783,12 @@ static void TestExitMacros() {
 
   // Of all signals effects on the process exit code, only those of SIGABRT
   // are documented on Windows.
-  // See http://msdn.microsoft.com/en-us/library/dwwzkt4c(VS.71).aspx.
+  // See https://msdn.microsoft.com/en-us/query-bi/m/dwwzkt4c.
   EXPECT_EXIT(raise(SIGABRT), testing::ExitedWithCode(3), "") << "b_ar";
 
-# else
+# elif !GTEST_OS_FUCHSIA
 
+  // Fuchsia has no unix signals.
   EXPECT_EXIT(raise(SIGKILL), testing::KilledBySignal(SIGKILL), "") << "foo";
   ASSERT_EXIT(raise(SIGUSR2), testing::KilledBySignal(SIGUSR2), "") << "bar";
 
@@ -887,9 +887,9 @@ class MockDeathTestFactory : public DeathTestFactory {
   // Accessors.
   int AssumeRoleCalls() const { return assume_role_calls_; }
   int WaitCalls() const { return wait_calls_; }
-  int PassedCalls() const { return passed_args_.size(); }
+  size_t PassedCalls() const { return passed_args_.size(); }
   bool PassedArgument(int n) const { return passed_args_[n]; }
-  int AbortCalls() const { return abort_args_.size(); }
+  size_t AbortCalls() const { return abort_args_.size(); }
   DeathTest::AbortReason AbortArgument(int n) const {
     return abort_args_[n];
   }
@@ -1050,8 +1050,8 @@ TEST_F(MacroLogicDeathTest, NothingHappens) {
   EXPECT_FALSE(flag);
   EXPECT_EQ(0, factory_->AssumeRoleCalls());
   EXPECT_EQ(0, factory_->WaitCalls());
-  EXPECT_EQ(0, factory_->PassedCalls());
-  EXPECT_EQ(0, factory_->AbortCalls());
+  EXPECT_EQ(0U, factory_->PassedCalls());
+  EXPECT_EQ(0U, factory_->AbortCalls());
   EXPECT_FALSE(factory_->TestDeleted());
 }
 
@@ -1065,9 +1065,9 @@ TEST_F(MacroLogicDeathTest, ChildExitsSuccessfully) {
   EXPECT_FALSE(flag);
   EXPECT_EQ(1, factory_->AssumeRoleCalls());
   EXPECT_EQ(1, factory_->WaitCalls());
-  ASSERT_EQ(1, factory_->PassedCalls());
+  ASSERT_EQ(1U, factory_->PassedCalls());
   EXPECT_FALSE(factory_->PassedArgument(0));
-  EXPECT_EQ(0, factory_->AbortCalls());
+  EXPECT_EQ(0U, factory_->AbortCalls());
   EXPECT_TRUE(factory_->TestDeleted());
 }
 
@@ -1080,9 +1080,9 @@ TEST_F(MacroLogicDeathTest, ChildExitsUnsuccessfully) {
   EXPECT_FALSE(flag);
   EXPECT_EQ(1, factory_->AssumeRoleCalls());
   EXPECT_EQ(1, factory_->WaitCalls());
-  ASSERT_EQ(1, factory_->PassedCalls());
+  ASSERT_EQ(1U, factory_->PassedCalls());
   EXPECT_TRUE(factory_->PassedArgument(0));
-  EXPECT_EQ(0, factory_->AbortCalls());
+  EXPECT_EQ(0U, factory_->AbortCalls());
   EXPECT_TRUE(factory_->TestDeleted());
 }
 
@@ -1096,8 +1096,8 @@ TEST_F(MacroLogicDeathTest, ChildPerformsReturn) {
   EXPECT_TRUE(flag);
   EXPECT_EQ(1, factory_->AssumeRoleCalls());
   EXPECT_EQ(0, factory_->WaitCalls());
-  EXPECT_EQ(0, factory_->PassedCalls());
-  EXPECT_EQ(1, factory_->AbortCalls());
+  EXPECT_EQ(0U, factory_->PassedCalls());
+  EXPECT_EQ(1U, factory_->AbortCalls());
   EXPECT_EQ(DeathTest::TEST_ENCOUNTERED_RETURN_STATEMENT,
             factory_->AbortArgument(0));
   EXPECT_TRUE(factory_->TestDeleted());
@@ -1112,13 +1112,13 @@ TEST_F(MacroLogicDeathTest, ChildDoesNotDie) {
   EXPECT_TRUE(flag);
   EXPECT_EQ(1, factory_->AssumeRoleCalls());
   EXPECT_EQ(0, factory_->WaitCalls());
-  EXPECT_EQ(0, factory_->PassedCalls());
+  EXPECT_EQ(0U, factory_->PassedCalls());
   // This time there are two calls to Abort: one since the test didn't
   // die, and another from the ReturnSentinel when it's destroyed.  The
   // sentinel normally isn't destroyed if a test doesn't die, since
   // _exit(2) is called in that case by ForkingDeathTest, but not by
   // our MockDeathTest.
-  ASSERT_EQ(2, factory_->AbortCalls());
+  ASSERT_EQ(2U, factory_->AbortCalls());
   EXPECT_EQ(DeathTest::TEST_DID_NOT_DIE,
             factory_->AbortArgument(0));
   EXPECT_EQ(DeathTest::TEST_ENCOUNTERED_RETURN_STATEMENT,
@@ -1279,7 +1279,7 @@ TEST(ParseNaturalNumberTest, WorksForShorterIntegers) {
 
 # if GTEST_OS_WINDOWS
 TEST(EnvironmentTest, HandleFitsIntoSizeT) {
-  // TODO(vladl@google.com): Remove this test after this condition is verified
+  // FIXME: Remove this test after this condition is verified
   // in a static assertion in gtest-death-test.cc in the function
   // GetStatusFileDescriptor.
   ASSERT_TRUE(sizeof(HANDLE) <= sizeof(size_t));
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-death-test_ex_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-death-test_ex_test.cc
index b50a13d5e2..b8b9470fc8 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-death-test_ex_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-death-test_ex_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 //
 // Tests that verify interaction of exceptions and death tests.
 
@@ -69,7 +68,7 @@ TEST(CxxExceptionDeathTest, PrintsMessageForStdExceptions) {
                           "exceptional message");
   // Verifies that the location is mentioned in the failure text.
   EXPECT_NONFATAL_FAILURE(EXPECT_DEATH(throw TestException(), ""),
-                          "gtest-death-test_ex_test.cc");
+                          "googletest-death-test_ex_test.cc");
 }
 # endif  // GTEST_HAS_EXCEPTIONS
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_env_var_test.py b/security/nss/gtests/google_test/gtest/test/googletest-env-var-test.py
index ac24337fa1..e1efeee1ea 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_env_var_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-env-var-test.py
@@ -31,8 +31,6 @@
 
 """Verifies that Google Test correctly parses environment variables."""
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import gtest_test_utils
 
@@ -40,7 +38,7 @@ import gtest_test_utils
 IS_WINDOWS = os.name == 'nt'
 IS_LINUX = os.name == 'posix' and os.uname()[0] == 'Linux'
 
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_env_var_test_')
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-env-var-test_')
 
 environ = os.environ.copy()
 
@@ -62,7 +60,7 @@ def SetEnvVar(env_var, value):
 
 
 def GetFlag(flag):
-  """Runs gtest_env_var_test_ and returns its output."""
+  """Runs googletest-env-var-test_ and returns its output."""
 
   args = [COMMAND]
   if flag is not None:
@@ -81,12 +79,14 @@ def TestFlag(flag, test_val, default_val):
 
 
 class GTestEnvVarTest(gtest_test_utils.TestCase):
+
   def testEnvVarAffectsFlag(self):
     """Tests that environment variable should affect the corresponding flag."""
 
     TestFlag('break_on_failure', '1', '0')
     TestFlag('color', 'yes', 'auto')
     TestFlag('filter', 'FooTest.Bar', '*')
+    SetEnvVar('XML_OUTPUT_FILE', None)  # For 'output' test
     TestFlag('output', 'xml:tmp/foo.xml', '')
     TestFlag('print_time', '0', '1')
     TestFlag('repeat', '999', '1')
@@ -99,5 +99,19 @@ class GTestEnvVarTest(gtest_test_utils.TestCase):
       TestFlag('stack_trace_depth', '0', '100')
 
 
+  def testXmlOutputFile(self):
+    """Tests that $XML_OUTPUT_FILE affects the output flag."""
+
+    SetEnvVar('GTEST_OUTPUT', None)
+    SetEnvVar('XML_OUTPUT_FILE', 'tmp/bar.xml')
+    AssertEq('xml:tmp/bar.xml', GetFlag('output'))
+
+  def testXmlOutputFileOverride(self):
+    """Tests that $XML_OUTPUT_FILE is overridden by $GTEST_OUTPUT."""
+
+    SetEnvVar('GTEST_OUTPUT', 'xml:tmp/foo.xml')
+    SetEnvVar('XML_OUTPUT_FILE', 'tmp/bar.xml')
+    AssertEq('xml:tmp/foo.xml', GetFlag('output'))
+
 if __name__ == '__main__':
   gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_env_var_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-env-var-test_.cc
index 539afc9683..fd2aa82f74 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_env_var_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-env-var-test_.cc
@@ -26,19 +26,15 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // A helper program for testing that Google Test parses the environment
 // variables correctly.
 
-#include "gtest/gtest.h"
-
 #include <iostream>
 
-#define GTEST_IMPLEMENTATION_ 1
+#include "gtest/gtest.h"
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 using ::std::cout;
 
@@ -117,7 +113,7 @@ int main(int argc, char** argv) {
   testing::InitGoogleTest(&argc, argv);
 
   if (argc != 2) {
-    cout << "Usage: gtest_env_var_test_ NAME_OF_FLAG\n";
+    cout << "Usage: googletest-env-var-test_ NAME_OF_FLAG\n";
     return 1;
   }
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-filepath_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-filepath-test.cc
index ae9f55a0c9..37f02fb4bd 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-filepath_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-filepath-test.cc
@@ -27,28 +27,17 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: keith.ray@gmail.com (Keith Ray)
-//
 // Google Test filepath utilities
 //
 // This file tests classes and functions used internally by
 // Google Test.  They are subject to change without notice.
 //
-// This file is #included from gtest_unittest.cc, to avoid changing
-// build or make-files for some existing Google Test clients. Do not
-// #include this file anywhere else!
+// This file is #included from gtest-internal.h.
+// Do not #include this file anywhere else!
 
 #include "gtest/internal/gtest-filepath.h"
 #include "gtest/gtest.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 #if GTEST_OS_WINDOWS_MOBILE
 # include <windows.h>  // NOLINT
@@ -61,7 +50,7 @@ namespace internal {
 namespace {
 
 #if GTEST_OS_WINDOWS_MOBILE
-// TODO(wan@google.com): Move these to the POSIX adapter section in
+// FIXME: Move these to the POSIX adapter section in
 // gtest-port.h.
 
 // Windows CE doesn't have the remove C function.
@@ -514,24 +503,6 @@ class DirectoryCreationTest : public Test {
     posix::RmDir(testdata_path_.c_str());
   }
 
-  std::string TempDir() const {
-#if GTEST_OS_WINDOWS_MOBILE
-    return "\\temp\\";
-#elif GTEST_OS_WINDOWS
-    const char* temp_dir = posix::GetEnv("TEMP");
-    if (temp_dir == NULL || temp_dir[0] == '\0')
-      return "\\temp\\";
-    else if (temp_dir[strlen(temp_dir) - 1] == '\\')
-      return temp_dir;
-    else
-      return std::string(temp_dir) + "\\";
-#elif GTEST_OS_LINUX_ANDROID
-    return "/sdcard/";
-#else
-    return "/tmp/";
-#endif  // GTEST_OS_WINDOWS_MOBILE
-  }
-
   void CreateTextFile(const char* filename) {
     FILE* f = posix::FOpen(filename, "w");
     fprintf(f, "text\n");
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_filter_unittest.py b/security/nss/gtests/google_test/gtest/test/googletest-filter-unittest.py
index 0d1a770058..dc0b5bd9a5 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_filter_unittest.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-filter-unittest.py
@@ -33,20 +33,17 @@
 A user can specify which test(s) in a Google Test program to run via either
 the GTEST_FILTER environment variable or the --gtest_filter flag.
 This script tests such functionality by invoking
-gtest_filter_unittest_ (a program written with Google Test) with different
+googletest-filter-unittest_ (a program written with Google Test) with different
 environments and command line flags.
 
 Note that test sharding may also influence which tests are filtered. Therefore,
 we test that here also.
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import re
 import sets
 import sys
-
 import gtest_test_utils
 
 # Constants.
@@ -56,10 +53,12 @@ import gtest_test_utils
 # script in a subprocess to print whether the variable is STILL in
 # os.environ.  We then use 'eval' to parse the child's output so that an
 # exception is thrown if the input is anything other than 'True' nor 'False'.
-os.environ['EMPTY_VAR'] = ''
-child = gtest_test_utils.Subprocess(
-    [sys.executable, '-c', 'import os; print \'EMPTY_VAR\' in os.environ'])
-CAN_PASS_EMPTY_ENV = eval(child.output)
+CAN_PASS_EMPTY_ENV = False
+if sys.executable:
+  os.environ['EMPTY_VAR'] = ''
+  child = gtest_test_utils.Subprocess(
+      [sys.executable, '-c', 'import os; print \'EMPTY_VAR\' in os.environ'])
+  CAN_PASS_EMPTY_ENV = eval(child.output)
 
 
 # Check if this platform can unset environment variables in child processes.
@@ -68,11 +67,14 @@ CAN_PASS_EMPTY_ENV = eval(child.output)
 # is NO LONGER in os.environ.
 # We use 'eval' to parse the child's output so that an exception
 # is thrown if the input is neither 'True' nor 'False'.
-os.environ['UNSET_VAR'] = 'X'
-del os.environ['UNSET_VAR']
-child = gtest_test_utils.Subprocess(
-    [sys.executable, '-c', 'import os; print \'UNSET_VAR\' not in os.environ'])
-CAN_UNSET_ENV = eval(child.output)
+CAN_UNSET_ENV = False
+if sys.executable:
+  os.environ['UNSET_VAR'] = 'X'
+  del os.environ['UNSET_VAR']
+  child = gtest_test_utils.Subprocess(
+      [sys.executable, '-c', 'import os; print \'UNSET_VAR\' not in os.environ'
+      ])
+  CAN_UNSET_ENV = eval(child.output)
 
 
 # Checks if we should test with an empty filter. This doesn't
@@ -94,10 +96,10 @@ SHARD_STATUS_FILE_ENV_VAR = 'GTEST_SHARD_STATUS_FILE'
 FILTER_FLAG = 'gtest_filter'
 
 # The command line flag for including disabled tests.
-ALSO_RUN_DISABED_TESTS_FLAG = 'gtest_also_run_disabled_tests'
+ALSO_RUN_DISABLED_TESTS_FLAG = 'gtest_also_run_disabled_tests'
 
-# Command to run the gtest_filter_unittest_ program.
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_filter_unittest_')
+# Command to run the googletest-filter-unittest_ program.
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-filter-unittest_')
 
 # Regex for determining whether parameterized tests are enabled in the binary.
 PARAM_TEST_REGEX = re.compile(r'/ParamTest')
@@ -116,7 +118,7 @@ LIST_TESTS_FLAG = '--gtest_list_tests'
 SUPPORTS_DEATH_TESTS = 'HasDeathTest' in gtest_test_utils.Subprocess(
     [COMMAND, LIST_TESTS_FLAG]).output
 
-# Full names of all tests in gtest_filter_unittests_.
+# Full names of all tests in googletest-filter-unittests_.
 PARAM_TESTS = [
     'SeqP/ParamTest.TestX/0',
     'SeqP/ParamTest.TestX/1',
@@ -288,9 +290,10 @@ class GTestFilterUnitTest(gtest_test_utils.TestCase):
                                args=None, check_exit_0=False):
     """Checks that binary runs correct tests for the given filter and shard.
 
-    Runs all shards of gtest_filter_unittest_ with the given filter, and
+    Runs all shards of googletest-filter-unittest_ with the given filter, and
     verifies that the right set of tests were run. The union of tests run
     on each shard should be identical to tests_to_run, without duplicates.
+    If check_exit_0, .
 
     Args:
       gtest_filter: A filter to apply to the tests.
@@ -325,7 +328,7 @@ class GTestFilterUnitTest(gtest_test_utils.TestCase):
   def RunAndVerifyAllowingDisabled(self, gtest_filter, tests_to_run):
     """Checks that the binary runs correct set of tests for the given filter.
 
-    Runs gtest_filter_unittest_ with the given filter, and enables
+    Runs googletest-filter-unittest_ with the given filter, and enables
     disabled tests. Verifies that the right set of tests were run.
 
     Args:
@@ -336,7 +339,7 @@ class GTestFilterUnitTest(gtest_test_utils.TestCase):
     tests_to_run = self.AdjustForParameterizedTests(tests_to_run)
 
     # Construct the command line.
-    args = ['--%s' % ALSO_RUN_DISABED_TESTS_FLAG]
+    args = ['--%s' % ALSO_RUN_DISABLED_TESTS_FLAG]
     if gtest_filter is not None:
       args.append('--%s=%s' % (FILTER_FLAG, gtest_filter))
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_filter_unittest_.cc b/security/nss/gtests/google_test/gtest/test/googletest-filter-unittest_.cc
index 77deffc38f..d335b60391 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_filter_unittest_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-filter-unittest_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Unit test for Google Test test filters.
 //
@@ -117,7 +116,6 @@ TEST(DISABLED_FoobarbazTest, TestA) {
   FAIL() << "Expected failure.";
 }
 
-#if GTEST_HAS_PARAM_TEST
 class ParamTest : public testing::TestWithParam<int> {
 };
 
@@ -129,7 +127,6 @@ TEST_P(ParamTest, TestY) {
 
 INSTANTIATE_TEST_CASE_P(SeqP, ParamTest, testing::Values(1, 2));
 INSTANTIATE_TEST_CASE_P(SeqQ, ParamTest, testing::Values(5, 6));
-#endif  // GTEST_HAS_PARAM_TEST
 
 }  // namespace
 
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-json-outfiles-test.py b/security/nss/gtests/google_test/gtest/test/googletest-json-outfiles-test.py
new file mode 100644
index 0000000000..c99be48e8a
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-json-outfiles-test.py
@@ -0,0 +1,162 @@
+#!/usr/bin/env python
+# Copyright 2018, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Unit test for the gtest_json_output module."""
+
+import json
+import os
+import gtest_json_test_utils
+import gtest_test_utils
+
+GTEST_OUTPUT_SUBDIR = 'json_outfiles'
+GTEST_OUTPUT_1_TEST = 'gtest_xml_outfile1_test_'
+GTEST_OUTPUT_2_TEST = 'gtest_xml_outfile2_test_'
+
+EXPECTED_1 = {
+    u'tests': 1,
+    u'failures': 0,
+    u'disabled': 0,
+    u'errors': 0,
+    u'time': u'*',
+    u'timestamp': u'*',
+    u'name': u'AllTests',
+    u'testsuites': [{
+        u'name': u'PropertyOne',
+        u'tests': 1,
+        u'failures': 0,
+        u'disabled': 0,
+        u'errors': 0,
+        u'time': u'*',
+        u'testsuite': [{
+            u'name': u'TestSomeProperties',
+            u'status': u'RUN',
+            u'time': u'*',
+            u'classname': u'PropertyOne',
+            u'SetUpProp': u'1',
+            u'TestSomeProperty': u'1',
+            u'TearDownProp': u'1',
+        }],
+    }],
+}
+
+EXPECTED_2 = {
+    u'tests': 1,
+    u'failures': 0,
+    u'disabled': 0,
+    u'errors': 0,
+    u'time': u'*',
+    u'timestamp': u'*',
+    u'name': u'AllTests',
+    u'testsuites': [{
+        u'name': u'PropertyTwo',
+        u'tests': 1,
+        u'failures': 0,
+        u'disabled': 0,
+        u'errors': 0,
+        u'time': u'*',
+        u'testsuite': [{
+            u'name': u'TestSomeProperties',
+            u'status': u'RUN',
+            u'time': u'*',
+            u'classname': u'PropertyTwo',
+            u'SetUpProp': u'2',
+            u'TestSomeProperty': u'2',
+            u'TearDownProp': u'2',
+        }],
+    }],
+}
+
+
+class GTestJsonOutFilesTest(gtest_test_utils.TestCase):
+  """Unit test for Google Test's JSON output functionality."""
+
+  def setUp(self):
+    # We want the trailing '/' that the last "" provides in os.path.join, for
+    # telling Google Test to create an output directory instead of a single file
+    # for xml output.
+    self.output_dir_ = os.path.join(gtest_test_utils.GetTempDir(),
+                                    GTEST_OUTPUT_SUBDIR, '')
+    self.DeleteFilesAndDir()
+
+  def tearDown(self):
+    self.DeleteFilesAndDir()
+
+  def DeleteFilesAndDir(self):
+    try:
+      os.remove(os.path.join(self.output_dir_, GTEST_OUTPUT_1_TEST + '.json'))
+    except os.error:
+      pass
+    try:
+      os.remove(os.path.join(self.output_dir_, GTEST_OUTPUT_2_TEST + '.json'))
+    except os.error:
+      pass
+    try:
+      os.rmdir(self.output_dir_)
+    except os.error:
+      pass
+
+  def testOutfile1(self):
+    self._TestOutFile(GTEST_OUTPUT_1_TEST, EXPECTED_1)
+
+  def testOutfile2(self):
+    self._TestOutFile(GTEST_OUTPUT_2_TEST, EXPECTED_2)
+
+  def _TestOutFile(self, test_name, expected):
+    gtest_prog_path = gtest_test_utils.GetTestExecutablePath(test_name)
+    command = [gtest_prog_path, '--gtest_output=json:%s' % self.output_dir_]
+    p = gtest_test_utils.Subprocess(command,
+                                    working_dir=gtest_test_utils.GetTempDir())
+    self.assert_(p.exited)
+    self.assertEquals(0, p.exit_code)
+
+    # FIXME: libtool causes the built test binary to be
+    #   named lt-gtest_xml_outfiles_test_ instead of
+    #   gtest_xml_outfiles_test_.  To account for this possibility, we
+    #   allow both names in the following code.  We should remove this
+    #   when libtool replacement tool is ready.
+    output_file_name1 = test_name + '.json'
+    output_file1 = os.path.join(self.output_dir_, output_file_name1)
+    output_file_name2 = 'lt-' + output_file_name1
+    output_file2 = os.path.join(self.output_dir_, output_file_name2)
+    self.assert_(os.path.isfile(output_file1) or os.path.isfile(output_file2),
+                 output_file1)
+
+    if os.path.isfile(output_file1):
+      with open(output_file1) as f:
+        actual = json.load(f)
+    else:
+      with open(output_file2) as f:
+        actual = json.load(f)
+    self.assertEqual(expected, gtest_json_test_utils.normalize(actual))
+
+
+if __name__ == '__main__':
+  os.environ['GTEST_STACK_TRACE_DEPTH'] = '0'
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-json-output-unittest.py b/security/nss/gtests/google_test/gtest/test/googletest-json-output-unittest.py
new file mode 100644
index 0000000000..57dcd5fa1c
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-json-output-unittest.py
@@ -0,0 +1,618 @@
+#!/usr/bin/env python
+# Copyright 2018, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Unit test for the gtest_json_output module."""
+
+import datetime
+import errno
+import json
+import os
+import re
+import sys
+
+import gtest_json_test_utils
+import gtest_test_utils
+
+GTEST_FILTER_FLAG = '--gtest_filter'
+GTEST_LIST_TESTS_FLAG = '--gtest_list_tests'
+GTEST_OUTPUT_FLAG = '--gtest_output'
+GTEST_DEFAULT_OUTPUT_FILE = 'test_detail.json'
+GTEST_PROGRAM_NAME = 'gtest_xml_output_unittest_'
+
+# The flag indicating stacktraces are not supported
+NO_STACKTRACE_SUPPORT_FLAG = '--no_stacktrace_support'
+
+SUPPORTS_STACK_TRACES = NO_STACKTRACE_SUPPORT_FLAG not in sys.argv
+
+if SUPPORTS_STACK_TRACES:
+  STACK_TRACE_TEMPLATE = '\nStack trace:\n*'
+else:
+  STACK_TRACE_TEMPLATE = ''
+
+EXPECTED_NON_EMPTY = {
+    u'tests': 23,
+    u'failures': 4,
+    u'disabled': 2,
+    u'errors': 0,
+    u'timestamp': u'*',
+    u'time': u'*',
+    u'ad_hoc_property': u'42',
+    u'name': u'AllTests',
+    u'testsuites': [
+        {
+            u'name': u'SuccessfulTest',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'Succeeds',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'SuccessfulTest'
+                }
+            ]
+        },
+        {
+            u'name': u'FailedTest',
+            u'tests': 1,
+            u'failures': 1,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'Fails',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'FailedTest',
+                    u'failures': [
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Expected equality of these values:\n'
+                                u'  1\n  2' + STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        }
+                    ]
+                }
+            ]
+        },
+        {
+            u'name': u'DisabledTest',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 1,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'DISABLED_test_not_run',
+                    u'status': u'NOTRUN',
+                    u'time': u'*',
+                    u'classname': u'DisabledTest'
+                }
+            ]
+        },
+        {
+            u'name': u'MixedResultTest',
+            u'tests': 3,
+            u'failures': 1,
+            u'disabled': 1,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'Succeeds',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'MixedResultTest'
+                },
+                {
+                    u'name': u'Fails',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'MixedResultTest',
+                    u'failures': [
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Expected equality of these values:\n'
+                                u'  1\n  2' + STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        },
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Expected equality of these values:\n'
+                                u'  2\n  3' + STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        }
+                    ]
+                },
+                {
+                    u'name': u'DISABLED_test',
+                    u'status': u'NOTRUN',
+                    u'time': u'*',
+                    u'classname': u'MixedResultTest'
+                }
+            ]
+        },
+        {
+            u'name': u'XmlQuotingTest',
+            u'tests': 1,
+            u'failures': 1,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'OutputsCData',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'XmlQuotingTest',
+                    u'failures': [
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Failed\nXML output: <?xml encoding="utf-8">'
+                                u'<top><![CDATA[cdata text]]></top>' +
+                                STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        }
+                    ]
+                }
+            ]
+        },
+        {
+            u'name': u'InvalidCharactersTest',
+            u'tests': 1,
+            u'failures': 1,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'InvalidCharactersInMessage',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'InvalidCharactersTest',
+                    u'failures': [
+                        {
+                            u'failure':
+                                u'gtest_xml_output_unittest_.cc:*\n'
+                                u'Failed\nInvalid characters in brackets'
+                                u' [\x01\x02]' + STACK_TRACE_TEMPLATE,
+                            u'type': u''
+                        }
+                    ]
+                }
+            ]
+        },
+        {
+            u'name': u'PropertyRecordingTest',
+            u'tests': 4,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'SetUpTestCase': u'yes',
+            u'TearDownTestCase': u'aye',
+            u'testsuite': [
+                {
+                    u'name': u'OneProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'PropertyRecordingTest',
+                    u'key_1': u'1'
+                },
+                {
+                    u'name': u'IntValuedProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'PropertyRecordingTest',
+                    u'key_int': u'1'
+                },
+                {
+                    u'name': u'ThreeProperties',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'PropertyRecordingTest',
+                    u'key_1': u'1',
+                    u'key_2': u'2',
+                    u'key_3': u'3'
+                },
+                {
+                    u'name': u'TwoValuesForOneKeyUsesLastValue',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'PropertyRecordingTest',
+                    u'key_1': u'2'
+                }
+            ]
+        },
+        {
+            u'name': u'NoFixtureTest',
+            u'tests': 3,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'RecordProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'NoFixtureTest',
+                    u'key': u'1'
+                },
+                {
+                    u'name': u'ExternalUtilityThatCallsRecordIntValuedProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'NoFixtureTest',
+                    u'key_for_utility_int': u'1'
+                },
+                {
+                    u'name':
+                        u'ExternalUtilityThatCallsRecordStringValuedProperty',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'NoFixtureTest',
+                    u'key_for_utility_string': u'1'
+                }
+            ]
+        },
+        {
+            u'name': u'TypedTest/0',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasTypeParamAttribute',
+                    u'type_param': u'int',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'TypedTest/0'
+                }
+            ]
+        },
+        {
+            u'name': u'TypedTest/1',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasTypeParamAttribute',
+                    u'type_param': u'long',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'TypedTest/1'
+                }
+            ]
+        },
+        {
+            u'name': u'Single/TypeParameterizedTestCase/0',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasTypeParamAttribute',
+                    u'type_param': u'int',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/TypeParameterizedTestCase/0'
+                }
+            ]
+        },
+        {
+            u'name': u'Single/TypeParameterizedTestCase/1',
+            u'tests': 1,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasTypeParamAttribute',
+                    u'type_param': u'long',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/TypeParameterizedTestCase/1'
+                }
+            ]
+        },
+        {
+            u'name': u'Single/ValueParamTest',
+            u'tests': 4,
+            u'failures': 0,
+            u'disabled': 0,
+            u'errors': 0,
+            u'time': u'*',
+            u'testsuite': [
+                {
+                    u'name': u'HasValueParamAttribute/0',
+                    u'value_param': u'33',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/ValueParamTest'
+                },
+                {
+                    u'name': u'HasValueParamAttribute/1',
+                    u'value_param': u'42',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/ValueParamTest'
+                },
+                {
+                    u'name': u'AnotherTestThatHasValueParamAttribute/0',
+                    u'value_param': u'33',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/ValueParamTest'
+                },
+                {
+                    u'name': u'AnotherTestThatHasValueParamAttribute/1',
+                    u'value_param': u'42',
+                    u'status': u'RUN',
+                    u'time': u'*',
+                    u'classname': u'Single/ValueParamTest'
+                }
+            ]
+        }
+    ]
+}
+
+EXPECTED_FILTERED = {
+    u'tests': 1,
+    u'failures': 0,
+    u'disabled': 0,
+    u'errors': 0,
+    u'time': u'*',
+    u'timestamp': u'*',
+    u'name': u'AllTests',
+    u'ad_hoc_property': u'42',
+    u'testsuites': [{
+        u'name': u'SuccessfulTest',
+        u'tests': 1,
+        u'failures': 0,
+        u'disabled': 0,
+        u'errors': 0,
+        u'time': u'*',
+        u'testsuite': [{
+            u'name': u'Succeeds',
+            u'status': u'RUN',
+            u'time': u'*',
+            u'classname': u'SuccessfulTest',
+        }]
+    }],
+}
+
+EXPECTED_EMPTY = {
+    u'tests': 0,
+    u'failures': 0,
+    u'disabled': 0,
+    u'errors': 0,
+    u'time': u'*',
+    u'timestamp': u'*',
+    u'name': u'AllTests',
+    u'testsuites': [],
+}
+
+GTEST_PROGRAM_PATH = gtest_test_utils.GetTestExecutablePath(GTEST_PROGRAM_NAME)
+
+SUPPORTS_TYPED_TESTS = 'TypedTest' in gtest_test_utils.Subprocess(
+    [GTEST_PROGRAM_PATH, GTEST_LIST_TESTS_FLAG], capture_stderr=False).output
+
+
+class GTestJsonOutputUnitTest(gtest_test_utils.TestCase):
+  """Unit test for Google Test's JSON output functionality.
+  """
+
+  # This test currently breaks on platforms that do not support typed and
+  # type-parameterized tests, so we don't run it under them.
+  if SUPPORTS_TYPED_TESTS:
+
+    def testNonEmptyJsonOutput(self):
+      """Verifies JSON output for a Google Test binary with non-empty output.
+
+      Runs a test program that generates a non-empty JSON output, and
+      tests that the JSON output is expected.
+      """
+      self._TestJsonOutput(GTEST_PROGRAM_NAME, EXPECTED_NON_EMPTY, 1)
+
+  def testEmptyJsonOutput(self):
+    """Verifies JSON output for a Google Test binary without actual tests.
+
+    Runs a test program that generates an empty JSON output, and
+    tests that the JSON output is expected.
+    """
+
+    self._TestJsonOutput('gtest_no_test_unittest', EXPECTED_EMPTY, 0)
+
+  def testTimestampValue(self):
+    """Checks whether the timestamp attribute in the JSON output is valid.
+
+    Runs a test program that generates an empty JSON output, and checks if
+    the timestamp attribute in the testsuites tag is valid.
+    """
+    actual = self._GetJsonOutput('gtest_no_test_unittest', [], 0)
+    date_time_str = actual['timestamp']
+    # datetime.strptime() is only available in Python 2.5+ so we have to
+    # parse the expected datetime manually.
+    match = re.match(r'(\d+)-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)', date_time_str)
+    self.assertTrue(
+        re.match,
+        'JSON datettime string %s has incorrect format' % date_time_str)
+    date_time_from_json = datetime.datetime(
+        year=int(match.group(1)), month=int(match.group(2)),
+        day=int(match.group(3)), hour=int(match.group(4)),
+        minute=int(match.group(5)), second=int(match.group(6)))
+
+    time_delta = abs(datetime.datetime.now() - date_time_from_json)
+    # timestamp value should be near the current local time
+    self.assertTrue(time_delta < datetime.timedelta(seconds=600),
+                    'time_delta is %s' % time_delta)
+
+  def testDefaultOutputFile(self):
+    """Verifies the default output file name.
+
+    Confirms that Google Test produces an JSON output file with the expected
+    default name if no name is explicitly specified.
+    """
+    output_file = os.path.join(gtest_test_utils.GetTempDir(),
+                               GTEST_DEFAULT_OUTPUT_FILE)
+    gtest_prog_path = gtest_test_utils.GetTestExecutablePath(
+        'gtest_no_test_unittest')
+    try:
+      os.remove(output_file)
+    except OSError:
+      e = sys.exc_info()[1]
+      if e.errno != errno.ENOENT:
+        raise
+
+    p = gtest_test_utils.Subprocess(
+        [gtest_prog_path, '%s=json' % GTEST_OUTPUT_FLAG],
+        working_dir=gtest_test_utils.GetTempDir())
+    self.assert_(p.exited)
+    self.assertEquals(0, p.exit_code)
+    self.assert_(os.path.isfile(output_file))
+
+  def testSuppressedJsonOutput(self):
+    """Verifies that no JSON output is generated.
+
+    Tests that no JSON file is generated if the default JSON listener is
+    shut down before RUN_ALL_TESTS is invoked.
+    """
+
+    json_path = os.path.join(gtest_test_utils.GetTempDir(),
+                             GTEST_PROGRAM_NAME + 'out.json')
+    if os.path.isfile(json_path):
+      os.remove(json_path)
+
+    command = [GTEST_PROGRAM_PATH,
+               '%s=json:%s' % (GTEST_OUTPUT_FLAG, json_path),
+               '--shut_down_xml']
+    p = gtest_test_utils.Subprocess(command)
+    if p.terminated_by_signal:
+      # p.signal is available only if p.terminated_by_signal is True.
+      self.assertFalse(
+          p.terminated_by_signal,
+          '%s was killed by signal %d' % (GTEST_PROGRAM_NAME, p.signal))
+    else:
+      self.assert_(p.exited)
+      self.assertEquals(1, p.exit_code,
+                        "'%s' exited with code %s, which doesn't match "
+                        'the expected exit code %s.'
+                        % (command, p.exit_code, 1))
+
+    self.assert_(not os.path.isfile(json_path))
+
+  def testFilteredTestJsonOutput(self):
+    """Verifies JSON output when a filter is applied.
+
+    Runs a test program that executes only some tests and verifies that
+    non-selected tests do not show up in the JSON output.
+    """
+
+    self._TestJsonOutput(GTEST_PROGRAM_NAME, EXPECTED_FILTERED, 0,
+                         extra_args=['%s=SuccessfulTest.*' % GTEST_FILTER_FLAG])
+
+  def _GetJsonOutput(self, gtest_prog_name, extra_args, expected_exit_code):
+    """Returns the JSON output generated by running the program gtest_prog_name.
+
+    Furthermore, the program's exit code must be expected_exit_code.
+
+    Args:
+      gtest_prog_name: Google Test binary name.
+      extra_args: extra arguments to binary invocation.
+      expected_exit_code: program's exit code.
+    """
+    json_path = os.path.join(gtest_test_utils.GetTempDir(),
+                             gtest_prog_name + 'out.json')
+    gtest_prog_path = gtest_test_utils.GetTestExecutablePath(gtest_prog_name)
+
+    command = (
+        [gtest_prog_path, '%s=json:%s' % (GTEST_OUTPUT_FLAG, json_path)] +
+        extra_args
+    )
+    p = gtest_test_utils.Subprocess(command)
+    if p.terminated_by_signal:
+      self.assert_(False,
+                   '%s was killed by signal %d' % (gtest_prog_name, p.signal))
+    else:
+      self.assert_(p.exited)
+      self.assertEquals(expected_exit_code, p.exit_code,
+                        "'%s' exited with code %s, which doesn't match "
+                        'the expected exit code %s.'
+                        % (command, p.exit_code, expected_exit_code))
+    with open(json_path) as f:
+      actual = json.load(f)
+    return actual
+
+  def _TestJsonOutput(self, gtest_prog_name, expected,
+                      expected_exit_code, extra_args=None):
+    """Checks the JSON output generated by the Google Test binary.
+
+    Asserts that the JSON document generated by running the program
+    gtest_prog_name matches expected_json, a string containing another
+    JSON document.  Furthermore, the program's exit code must be
+    expected_exit_code.
+
+    Args:
+      gtest_prog_name: Google Test binary name.
+      expected: expected output.
+      expected_exit_code: program's exit code.
+      extra_args: extra arguments to binary invocation.
+    """
+
+    actual = self._GetJsonOutput(gtest_prog_name, extra_args or [],
+                                 expected_exit_code)
+    self.assertEqual(expected, gtest_json_test_utils.normalize(actual))
+
+
+if __name__ == '__main__':
+  if NO_STACKTRACE_SUPPORT_FLAG in sys.argv:
+    # unittest.main() can't handle unknown flags
+    sys.argv.remove(NO_STACKTRACE_SUPPORT_FLAG)
+
+  os.environ['GTEST_STACK_TRACE_DEPTH'] = '1'
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-linked_ptr_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-linked-ptr-test.cc
index 6fcf5124a8..fa00f34296 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-linked_ptr_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-linked-ptr-test.cc
@@ -26,13 +26,10 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Authors: Dan Egnor (egnor@google.com)
-// Ported to Windows: Vadim Berman (vadimb@google.com)
-
-#include "gtest/internal/gtest-linked_ptr.h"
 
 #include <stdlib.h>
+
+#include "gtest/internal/gtest-linked_ptr.h"
 #include "gtest/gtest.h"
 
 namespace {
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_list_tests_unittest.py b/security/nss/gtests/google_test/gtest/test/googletest-list-tests-unittest.py
index 925b09d9cb..81423a339e 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_list_tests_unittest.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-list-tests-unittest.py
@@ -33,25 +33,22 @@
 
 A user can ask Google Test to list all tests by specifying the
 --gtest_list_tests flag.  This script tests such functionality
-by invoking gtest_list_tests_unittest_ (a program written with
+by invoking googletest-list-tests-unittest_ (a program written with
 Google Test) the command line flags.
 """
 
-__author__ = 'phanna@google.com (Patrick Hanna)'
-
-import gtest_test_utils
 import re
-
+import gtest_test_utils
 
 # Constants.
 
 # The command line flag for enabling/disabling listing all tests.
 LIST_TESTS_FLAG = 'gtest_list_tests'
 
-# Path to the gtest_list_tests_unittest_ program.
-EXE_PATH = gtest_test_utils.GetTestExecutablePath('gtest_list_tests_unittest_')
+# Path to the googletest-list-tests-unittest_ program.
+EXE_PATH = gtest_test_utils.GetTestExecutablePath('googletest-list-tests-unittest_')
 
-# The expected output when running gtest_list_tests_unittest_ with
+# The expected output when running googletest-list-tests-unittest_ with
 # --gtest_list_tests
 EXPECTED_OUTPUT_NO_FILTER_RE = re.compile(r"""FooDeathTest\.
   Test1
@@ -71,7 +68,7 @@ FooTest\.
 TypedTest/0\.  # TypeParam = (VeryLo{245}|class VeryLo{239})\.\.\.
   TestA
   TestB
-TypedTest/1\.  # TypeParam = int\s*\*
+TypedTest/1\.  # TypeParam = int\s*\*( __ptr64)?
   TestA
   TestB
 TypedTest/2\.  # TypeParam = .*MyArray<bool,\s*42>
@@ -80,7 +77,7 @@ TypedTest/2\.  # TypeParam = .*MyArray<bool,\s*42>
 My/TypeParamTest/0\.  # TypeParam = (VeryLo{245}|class VeryLo{239})\.\.\.
   TestA
   TestB
-My/TypeParamTest/1\.  # TypeParam = int\s*\*
+My/TypeParamTest/1\.  # TypeParam = int\s*\*( __ptr64)?
   TestA
   TestB
 My/TypeParamTest/2\.  # TypeParam = .*MyArray<bool,\s*42>
@@ -95,7 +92,7 @@ MyInstantiation/ValueParamTest\.
   TestB/2  # GetParam\(\) = a very\\nlo{241}\.\.\.
 """)
 
-# The expected output when running gtest_list_tests_unittest_ with
+# The expected output when running googletest-list-tests-unittest_ with
 # --gtest_list_tests and --gtest_filter=Foo*.
 EXPECTED_OUTPUT_FILTER_FOO_RE = re.compile(r"""FooDeathTest\.
   Test1
@@ -115,7 +112,7 @@ FooTest\.
 
 
 def Run(args):
-  """Runs gtest_list_tests_unittest_ and returns the list of tests printed."""
+  """Runs googletest-list-tests-unittest_ and returns the list of tests printed."""
 
   return gtest_test_utils.Subprocess([EXE_PATH] + args,
                                      capture_stderr=False).output
@@ -123,11 +120,12 @@ def Run(args):
 
 # The unit test.
 
+
 class GTestListTestsUnitTest(gtest_test_utils.TestCase):
   """Tests using the --gtest_list_tests flag to list all tests."""
 
   def RunAndVerify(self, flag_value, expected_output_re, other_flag):
-    """Runs gtest_list_tests_unittest_ and verifies that it prints
+    """Runs googletest-list-tests-unittest_ and verifies that it prints
     the correct tests.
 
     Args:
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_list_tests_unittest_.cc b/security/nss/gtests/google_test/gtest/test/googletest-list-tests-unittest_.cc
index 907c176ba9..f473c7d1a4 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_list_tests_unittest_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-list-tests-unittest_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: phanna@google.com (Patrick Hanna)
+
 
 // Unit test for Google Test's --gtest_list_tests flag.
 //
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-listener_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-listener-test.cc
index 99662cff33..8355597151 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-listener_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-listener-test.cc
@@ -25,17 +25,17 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: vladl@google.com (Vlad Losev)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This file verifies Google Test event listeners receive events at the
 // right times.
 
-#include "gtest/gtest.h"
 #include <vector>
 
+#include "gtest/gtest.h"
+
 using ::testing::AddGlobalTestEnvironment;
 using ::testing::Environment;
 using ::testing::InitGoogleTest;
@@ -176,16 +176,16 @@ using ::testing::internal::EventRecordingListener;
 
 void VerifyResults(const std::vector<std::string>& data,
                    const char* const* expected_data,
-                   int expected_data_size) {
-  const int actual_size = data.size();
+                   size_t expected_data_size) {
+  const size_t actual_size = data.size();
   // If the following assertion fails, a new entry will be appended to
   // data.  Hence we save data.size() first.
   EXPECT_EQ(expected_data_size, actual_size);
 
   // Compares the common prefix.
-  const int shorter_size = expected_data_size <= actual_size ?
+  const size_t shorter_size = expected_data_size <= actual_size ?
       expected_data_size : actual_size;
-  int i = 0;
+  size_t i = 0;
   for (; i < shorter_size; ++i) {
     ASSERT_STREQ(expected_data[i], data[i].c_str())
         << "at position " << i;
@@ -193,7 +193,8 @@ void VerifyResults(const std::vector<std::string>& data,
 
   // Prints extra elements in the actual data.
   for (; i < actual_size; ++i) {
-    printf("  Actual event #%d: %s\n", i, data[i].c_str());
+    printf("  Actual event #%lu: %s\n",
+        static_cast<unsigned long>(i), data[i].c_str());
   }
 }
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-message_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-message-test.cc
index 175238ef4e..c6445853e4 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-message_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-message-test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests for the Message class.
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-options_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-options-test.cc
index 5586dc3b1b..edd4eba3bd 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-options_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-options-test.cc
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: keith.ray@gmail.com (Keith Ray)
-//
 // Google Test UnitTestOptions tests
 //
 // This file tests classes and functions used internally by
@@ -46,14 +44,7 @@
 # include <direct.h>
 #endif  // GTEST_OS_WINDOWS_MOBILE
 
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 namespace internal {
@@ -107,15 +98,16 @@ TEST(OutputFileHelpersTest, GetCurrentExecutableName) {
   const std::string exe_str = GetCurrentExecutableName().string();
 #if GTEST_OS_WINDOWS
   const bool success =
-      _strcmpi("gtest-options_test", exe_str.c_str()) == 0 ||
+      _strcmpi("googletest-options-test", exe_str.c_str()) == 0 ||
       _strcmpi("gtest-options-ex_test", exe_str.c_str()) == 0 ||
       _strcmpi("gtest_all_test", exe_str.c_str()) == 0 ||
       _strcmpi("gtest_dll_test", exe_str.c_str()) == 0;
+#elif GTEST_OS_FUCHSIA
+  const bool success = exe_str == "app";
 #else
-  // TODO(wan@google.com): remove the hard-coded "lt-" prefix when
-  //   Chandler Carruth's libtool replacement is ready.
+  // FIXME: remove the hard-coded "lt-" prefix when libtool replacement is ready
   const bool success =
-      exe_str == "gtest-options_test" ||
+      exe_str == "googletest-options-test" ||
       exe_str == "gtest_all_test" ||
       exe_str == "lt-gtest_all_test" ||
       exe_str == "gtest_dll_test";
@@ -124,6 +116,8 @@ TEST(OutputFileHelpersTest, GetCurrentExecutableName) {
     FAIL() << "GetCurrentExecutableName() returns " << exe_str;
 }
 
+#if !GTEST_OS_FUCHSIA
+
 class XmlOutputChangeDirTest : public Test {
  protected:
   virtual void SetUp() {
@@ -210,6 +204,8 @@ TEST_F(XmlOutputChangeDirTest, PreserveOriginalWorkingDirWithAbsolutePath) {
 #endif
 }
 
+#endif  // !GTEST_OS_FUCHSIA
+
 }  // namespace
 }  // namespace internal
 }  // namespace testing
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_output_test_golden_lin.txt b/security/nss/gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt
index da541700e9..86da845b7d 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_output_test_golden_lin.txt
+++ b/security/nss/gtests/google_test/gtest/test/googletest-output-test-golden-lin.txt
@@ -1,13 +1,18 @@
 The non-test part of the code is expected to have 2 failures.
 
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Value of: false
   Actual: false
 Expected: true
-gtest_output_test_.cc:#: Failure
-Value of: 3
-Expected: 2
-[==========] Running 64 tests from 28 test cases.
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  2
+  3
+Stack trace: (omitted)
+
+[==========] Running 76 tests from 34 test cases.
 [----------] Global test environment set-up.
 FooEnvironment::SetUp() called.
 BarEnvironment::SetUp() called.
@@ -33,237 +38,351 @@ BarEnvironment::SetUp() called.
 [       OK ] PassingTest.PassingTest2
 [----------] 2 tests from NonfatalFailureTest
 [ RUN      ] NonfatalFailureTest.EscapesStringOperands
-gtest_output_test_.cc:#: Failure
-Value of: actual
-  Actual: "actual \"string\""
-Expected: kGoldenString
-Which is: "\"Line"
-gtest_output_test_.cc:#: Failure
-Value of: actual
-  Actual: "actual \"string\""
-Expected: golden
-Which is: "\"Line"
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  kGoldenString
+    Which is: "\"Line"
+  actual
+    Which is: "actual \"string\""
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  golden
+    Which is: "\"Line"
+  actual
+    Which is: "actual \"string\""
+Stack trace: (omitted)
+
 [  FAILED  ] NonfatalFailureTest.EscapesStringOperands
 [ RUN      ] NonfatalFailureTest.DiffForLongStrings
-gtest_output_test_.cc:#: Failure
-Value of: "Line 2"
-Expected: golden_str
-Which is: "\"Line\0 1\"\nLine 2"
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  golden_str
+    Which is: "\"Line\0 1\"\nLine 2"
+  "Line 2"
 With diff:
 @@ -1,2 @@
 -\"Line\0 1\"
  Line 2
 
+Stack trace: (omitted)
+
 [  FAILED  ] NonfatalFailureTest.DiffForLongStrings
 [----------] 3 tests from FatalFailureTest
 [ RUN      ] FatalFailureTest.FatalFailureInSubroutine
 (expecting a failure that x should be 1)
-gtest_output_test_.cc:#: Failure
-Value of: x
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  x
+    Which is: 2
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureTest.FatalFailureInSubroutine
 [ RUN      ] FatalFailureTest.FatalFailureInNestedSubroutine
 (expecting a failure that x should be 1)
-gtest_output_test_.cc:#: Failure
-Value of: x
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  x
+    Which is: 2
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureTest.FatalFailureInNestedSubroutine
 [ RUN      ] FatalFailureTest.NonfatalFailureInSubroutine
 (expecting a failure on false)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Value of: false
   Actual: false
 Expected: true
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureTest.NonfatalFailureInSubroutine
 [----------] 1 test from LoggingTest
 [ RUN      ] LoggingTest.InterleavingLoggingAndAssertions
 (expecting 2 failures on (3) >= (a[i]))
 i == 0
 i == 1
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Expected: (3) >= (a[i]), actual: 3 vs 9
+Stack trace: (omitted)
+
 i == 2
 i == 3
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Expected: (3) >= (a[i]), actual: 3 vs 6
+Stack trace: (omitted)
+
 [  FAILED  ] LoggingTest.InterleavingLoggingAndAssertions
-[----------] 6 tests from SCOPED_TRACETest
+[----------] 7 tests from SCOPED_TRACETest
+[ RUN      ] SCOPED_TRACETest.AcceptedValues
+googletest-output-test_.cc:#: Failure
+Failed
+Just checking that all these values work fine.
+Google Test trace:
+googletest-output-test_.cc:#: (null)
+googletest-output-test_.cc:#: 1337
+googletest-output-test_.cc:#: std::string
+googletest-output-test_.cc:#: literal string
+Stack trace: (omitted)
+
+[  FAILED  ] SCOPED_TRACETest.AcceptedValues
 [ RUN      ] SCOPED_TRACETest.ObeysScopes
 (expected to fail)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and shouldn't have a trace.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should have a trace.
 Google Test trace:
-gtest_output_test_.cc:#: Expected trace
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Expected trace
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and shouldn't have a trace.
+Stack trace: (omitted)
+
 [  FAILED  ] SCOPED_TRACETest.ObeysScopes
 [ RUN      ] SCOPED_TRACETest.WorksInLoop
 (expected to fail)
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 1
-Expected: 2
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  2
+  n
+    Which is: 1
 Google Test trace:
-gtest_output_test_.cc:#: i = 1
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: i = 1
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  n
+    Which is: 2
 Google Test trace:
-gtest_output_test_.cc:#: i = 2
+googletest-output-test_.cc:#: i = 2
+Stack trace: (omitted)
+
 [  FAILED  ] SCOPED_TRACETest.WorksInLoop
 [ RUN      ] SCOPED_TRACETest.WorksInSubroutine
 (expected to fail)
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 1
-Expected: 2
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  2
+  n
+    Which is: 1
 Google Test trace:
-gtest_output_test_.cc:#: n = 1
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: n = 1
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  n
+    Which is: 2
 Google Test trace:
-gtest_output_test_.cc:#: n = 2
+googletest-output-test_.cc:#: n = 2
+Stack trace: (omitted)
+
 [  FAILED  ] SCOPED_TRACETest.WorksInSubroutine
 [ RUN      ] SCOPED_TRACETest.CanBeNested
 (expected to fail)
-gtest_output_test_.cc:#: Failure
-Value of: n
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  n
+    Which is: 2
 Google Test trace:
-gtest_output_test_.cc:#: n = 2
-gtest_output_test_.cc:#: 
+googletest-output-test_.cc:#: n = 2
+googletest-output-test_.cc:#: 
+Stack trace: (omitted)
+
 [  FAILED  ] SCOPED_TRACETest.CanBeNested
 [ RUN      ] SCOPED_TRACETest.CanBeRepeated
 (expected to fail)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should contain trace point A.
 Google Test trace:
-gtest_output_test_.cc:#: A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should contain trace point A and B.
 Google Test trace:
-gtest_output_test_.cc:#: B
-gtest_output_test_.cc:#: A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: B
+googletest-output-test_.cc:#: A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should contain trace point A, B, and C.
 Google Test trace:
-gtest_output_test_.cc:#: C
-gtest_output_test_.cc:#: B
-gtest_output_test_.cc:#: A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: C
+googletest-output-test_.cc:#: B
+googletest-output-test_.cc:#: A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 This failure is expected, and should contain trace point A, B, and D.
 Google Test trace:
-gtest_output_test_.cc:#: D
-gtest_output_test_.cc:#: B
-gtest_output_test_.cc:#: A
+googletest-output-test_.cc:#: D
+googletest-output-test_.cc:#: B
+googletest-output-test_.cc:#: A
+Stack trace: (omitted)
+
 [  FAILED  ] SCOPED_TRACETest.CanBeRepeated
 [ RUN      ] SCOPED_TRACETest.WorksConcurrently
 (expecting 6 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1 (in thread B, only trace B alive).
 Google Test trace:
-gtest_output_test_.cc:#: Trace B
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Trace B
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2 (in thread A, trace A & B both alive).
 Google Test trace:
-gtest_output_test_.cc:#: Trace A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Trace A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #3 (in thread B, trace A & B both alive).
 Google Test trace:
-gtest_output_test_.cc:#: Trace B
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Trace B
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #4 (in thread B, only trace A alive).
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #5 (in thread A, only trace A alive).
 Google Test trace:
-gtest_output_test_.cc:#: Trace A
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Trace A
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #6 (in thread A, no trace alive).
+Stack trace: (omitted)
+
 [  FAILED  ] SCOPED_TRACETest.WorksConcurrently
+[----------] 1 test from ScopedTraceTest
+[ RUN      ] ScopedTraceTest.WithExplicitFileAndLine
+googletest-output-test_.cc:#: Failure
+Failed
+Check that the trace is attached to a particular location.
+Google Test trace:
+explicit_file.cc:123: expected trace message
+Stack trace: (omitted)
+
+[  FAILED  ] ScopedTraceTest.WithExplicitFileAndLine
 [----------] 1 test from NonFatalFailureInFixtureConstructorTest
 [ RUN      ] NonFatalFailureInFixtureConstructorTest.FailureInConstructor
 (expecting 5 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1, in the test fixture c'tor.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2, in SetUp().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #3, in the test body.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #4, in TearDown.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #5, in the test fixture d'tor.
+Stack trace: (omitted)
+
 [  FAILED  ] NonFatalFailureInFixtureConstructorTest.FailureInConstructor
 [----------] 1 test from FatalFailureInFixtureConstructorTest
 [ RUN      ] FatalFailureInFixtureConstructorTest.FailureInConstructor
 (expecting 2 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1, in the test fixture c'tor.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2, in the test fixture d'tor.
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureInFixtureConstructorTest.FailureInConstructor
 [----------] 1 test from NonFatalFailureInSetUpTest
 [ RUN      ] NonFatalFailureInSetUpTest.FailureInSetUp
 (expecting 4 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1, in SetUp().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2, in the test function.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #3, in TearDown().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #4, in the test fixture d'tor.
+Stack trace: (omitted)
+
 [  FAILED  ] NonFatalFailureInSetUpTest.FailureInSetUp
 [----------] 1 test from FatalFailureInSetUpTest
 [ RUN      ] FatalFailureInSetUpTest.FailureInSetUp
 (expecting 3 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #1, in SetUp().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #2, in TearDown().
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected failure #3, in the test fixture d'tor.
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureInSetUpTest.FailureInSetUp
 [----------] 1 test from AddFailureAtTest
 [ RUN      ] AddFailureAtTest.MessageContainsSpecifiedFileAndLineNumber
 foo.cc:42: Failure
 Failed
 Expected failure in foo.cc
+Stack trace: (omitted)
+
 [  FAILED  ] AddFailureAtTest.MessageContainsSpecifiedFileAndLineNumber
 [----------] 4 tests from MixedUpTestCaseTest
 [ RUN      ] MixedUpTestCaseTest.FirstTestFromNamespaceFoo
@@ -280,6 +399,8 @@ using two different test fixture classes.  This can happen if
 the two classes are from different namespaces or translation
 units and have the same name.  You should probably rename one
 of the classes to put the tests into different test cases.
+Stack trace: (omitted)
+
 [  FAILED  ] MixedUpTestCaseTest.ThisShouldFail
 [ RUN      ] MixedUpTestCaseTest.ThisShouldFailToo
 gtest.cc:#: Failure
@@ -291,6 +412,8 @@ using two different test fixture classes.  This can happen if
 the two classes are from different namespaces or translation
 units and have the same name.  You should probably rename one
 of the classes to put the tests into different test cases.
+Stack trace: (omitted)
+
 [  FAILED  ] MixedUpTestCaseTest.ThisShouldFailToo
 [----------] 2 tests from MixedUpTestCaseWithSameTestNameTest
 [ RUN      ] MixedUpTestCaseWithSameTestNameTest.TheSecondTestWithThisNameShouldFail
@@ -305,6 +428,8 @@ using two different test fixture classes.  This can happen if
 the two classes are from different namespaces or translation
 units and have the same name.  You should probably rename one
 of the classes to put the tests into different test cases.
+Stack trace: (omitted)
+
 [  FAILED  ] MixedUpTestCaseWithSameTestNameTest.TheSecondTestWithThisNameShouldFail
 [----------] 2 tests from TEST_F_before_TEST_in_same_test_case
 [ RUN      ] TEST_F_before_TEST_in_same_test_case.DefinedUsingTEST_F
@@ -319,6 +444,8 @@ test DefinedUsingTEST_F is defined using TEST_F but
 test DefinedUsingTESTAndShouldFail is defined using TEST.  You probably
 want to change the TEST to TEST_F or move it to another test
 case.
+Stack trace: (omitted)
+
 [  FAILED  ] TEST_F_before_TEST_in_same_test_case.DefinedUsingTESTAndShouldFail
 [----------] 2 tests from TEST_before_TEST_F_in_same_test_case
 [ RUN      ] TEST_before_TEST_F_in_same_test_case.DefinedUsingTEST
@@ -333,6 +460,8 @@ test DefinedUsingTEST_FAndShouldFail is defined using TEST_F but
 test DefinedUsingTEST is defined using TEST.  You probably
 want to change the TEST to TEST_F or move it to another test
 case.
+Stack trace: (omitted)
+
 [  FAILED  ] TEST_before_TEST_F_in_same_test_case.DefinedUsingTEST_FAndShouldFail
 [----------] 8 tests from ExpectNonfatalFailureTest
 [ RUN      ] ExpectNonfatalFailureTest.CanReferenceGlobalVariables
@@ -346,19 +475,27 @@ case.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [  FAILED  ] ExpectNonfatalFailureTest.FailsWhenThereIsNoNonfatalFailure
 [ RUN      ] ExpectNonfatalFailureTest.FailsWhenThereAreTwoNonfatalFailures
 (expecting a failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 2 failures
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure 1.
+Stack trace: (omitted)
+
 
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure 2.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [  FAILED  ] ExpectNonfatalFailureTest.FailsWhenThereAreTwoNonfatalFailures
 [ RUN      ] ExpectNonfatalFailureTest.FailsWhenThereIsOneFatalFailure
@@ -366,9 +503,13 @@ Expected non-fatal failure 2.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [  FAILED  ] ExpectNonfatalFailureTest.FailsWhenThereIsOneFatalFailure
 [ RUN      ] ExpectNonfatalFailureTest.FailsWhenStatementReturns
@@ -376,12 +517,16 @@ Expected fatal failure.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [  FAILED  ] ExpectNonfatalFailureTest.FailsWhenStatementReturns
 [ RUN      ] ExpectNonfatalFailureTest.FailsWhenStatementThrows
 (expecting a failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [  FAILED  ] ExpectNonfatalFailureTest.FailsWhenStatementThrows
 [----------] 8 tests from ExpectFatalFailureTest
 [ RUN      ] ExpectFatalFailureTest.CanReferenceGlobalVariables
@@ -395,19 +540,27 @@ Expected: 1 non-fatal failure
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [  FAILED  ] ExpectFatalFailureTest.FailsWhenThereIsNoFatalFailure
 [ RUN      ] ExpectFatalFailureTest.FailsWhenThereAreTwoFatalFailures
 (expecting a failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 2 failures
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
 
-gtest_output_test_.cc:#: Fatal failure:
+
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [  FAILED  ] ExpectFatalFailureTest.FailsWhenThereAreTwoFatalFailures
 [ RUN      ] ExpectFatalFailureTest.FailsWhenThereIsOneNonfatalFailure
@@ -415,9 +568,13 @@ Expected fatal failure.
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [  FAILED  ] ExpectFatalFailureTest.FailsWhenThereIsOneNonfatalFailure
 [ RUN      ] ExpectFatalFailureTest.FailsWhenStatementReturns
@@ -425,69 +582,140 @@ Expected non-fatal failure.
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [  FAILED  ] ExpectFatalFailureTest.FailsWhenStatementReturns
 [ RUN      ] ExpectFatalFailureTest.FailsWhenStatementThrows
 (expecting a failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [  FAILED  ] ExpectFatalFailureTest.FailsWhenStatementThrows
 [----------] 2 tests from TypedTest/0, where TypeParam = int
 [ RUN      ] TypedTest/0.Success
 [       OK ] TypedTest/0.Success
 [ RUN      ] TypedTest/0.Failure
-gtest_output_test_.cc:#: Failure
-Value of: TypeParam()
-  Actual: 0
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  TypeParam()
+    Which is: 0
 Expected failure
+Stack trace: (omitted)
+
 [  FAILED  ] TypedTest/0.Failure, where TypeParam = int
+[----------] 2 tests from TypedTestWithNames/char0, where TypeParam = char
+[ RUN      ] TypedTestWithNames/char0.Success
+[       OK ] TypedTestWithNames/char0.Success
+[ RUN      ] TypedTestWithNames/char0.Failure
+googletest-output-test_.cc:#: Failure
+Failed
+Stack trace: (omitted)
+
+[  FAILED  ] TypedTestWithNames/char0.Failure, where TypeParam = char
+[----------] 2 tests from TypedTestWithNames/int1, where TypeParam = int
+[ RUN      ] TypedTestWithNames/int1.Success
+[       OK ] TypedTestWithNames/int1.Success
+[ RUN      ] TypedTestWithNames/int1.Failure
+googletest-output-test_.cc:#: Failure
+Failed
+Stack trace: (omitted)
+
+[  FAILED  ] TypedTestWithNames/int1.Failure, where TypeParam = int
 [----------] 2 tests from Unsigned/TypedTestP/0, where TypeParam = unsigned char
 [ RUN      ] Unsigned/TypedTestP/0.Success
 [       OK ] Unsigned/TypedTestP/0.Success
 [ RUN      ] Unsigned/TypedTestP/0.Failure
-gtest_output_test_.cc:#: Failure
-Value of: TypeParam()
-  Actual: '\0'
-Expected: 1U
-Which is: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1U
+    Which is: 1
+  TypeParam()
+    Which is: '\0'
 Expected failure
+Stack trace: (omitted)
+
 [  FAILED  ] Unsigned/TypedTestP/0.Failure, where TypeParam = unsigned char
 [----------] 2 tests from Unsigned/TypedTestP/1, where TypeParam = unsigned int
 [ RUN      ] Unsigned/TypedTestP/1.Success
 [       OK ] Unsigned/TypedTestP/1.Success
 [ RUN      ] Unsigned/TypedTestP/1.Failure
-gtest_output_test_.cc:#: Failure
-Value of: TypeParam()
-  Actual: 0
-Expected: 1U
-Which is: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1U
+    Which is: 1
+  TypeParam()
+    Which is: 0
 Expected failure
+Stack trace: (omitted)
+
 [  FAILED  ] Unsigned/TypedTestP/1.Failure, where TypeParam = unsigned int
+[----------] 2 tests from UnsignedCustomName/TypedTestP/unsignedChar0, where TypeParam = unsigned char
+[ RUN      ] UnsignedCustomName/TypedTestP/unsignedChar0.Success
+[       OK ] UnsignedCustomName/TypedTestP/unsignedChar0.Success
+[ RUN      ] UnsignedCustomName/TypedTestP/unsignedChar0.Failure
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1U
+    Which is: 1
+  TypeParam()
+    Which is: '\0'
+Expected failure
+Stack trace: (omitted)
+
+[  FAILED  ] UnsignedCustomName/TypedTestP/unsignedChar0.Failure, where TypeParam = unsigned char
+[----------] 2 tests from UnsignedCustomName/TypedTestP/unsignedInt1, where TypeParam = unsigned int
+[ RUN      ] UnsignedCustomName/TypedTestP/unsignedInt1.Success
+[       OK ] UnsignedCustomName/TypedTestP/unsignedInt1.Success
+[ RUN      ] UnsignedCustomName/TypedTestP/unsignedInt1.Failure
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1U
+    Which is: 1
+  TypeParam()
+    Which is: 0
+Expected failure
+Stack trace: (omitted)
+
+[  FAILED  ] UnsignedCustomName/TypedTestP/unsignedInt1.Failure, where TypeParam = unsigned int
 [----------] 4 tests from ExpectFailureTest
 [ RUN      ] ExpectFailureTest.ExpectFatalFailure
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Success:
+googletest-output-test_.cc:#: Success:
 Succeeded
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure containing "Some other fatal failure expected."
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [  FAILED  ] ExpectFailureTest.ExpectFatalFailure
 [ RUN      ] ExpectFailureTest.ExpectNonFatalFailure
@@ -495,24 +723,36 @@ Expected fatal failure.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Success:
+googletest-output-test_.cc:#: Success:
 Succeeded
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure containing "Some other non-fatal failure."
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [  FAILED  ] ExpectFailureTest.ExpectNonFatalFailure
 [ RUN      ] ExpectFailureTest.ExpectFatalFailureOnAllThreads
@@ -520,24 +760,36 @@ Expected non-fatal failure.
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Success:
+googletest-output-test_.cc:#: Success:
 Succeeded
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 fatal failure containing "Some other fatal failure expected."
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [  FAILED  ] ExpectFailureTest.ExpectFatalFailureOnAllThreads
 [ RUN      ] ExpectFailureTest.ExpectNonFatalFailureOnAllThreads
@@ -545,86 +797,132 @@ Expected fatal failure.
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Success:
+googletest-output-test_.cc:#: Success:
 Succeeded
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual:
-gtest_output_test_.cc:#: Fatal failure:
+googletest-output-test_.cc:#: Fatal failure:
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 (expecting 1 failure)
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure containing "Some other non-fatal failure."
   Actual:
-gtest_output_test_.cc:#: Non-fatal failure:
+googletest-output-test_.cc:#: Non-fatal failure:
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
+
+Stack trace: (omitted)
 
 [  FAILED  ] ExpectFailureTest.ExpectNonFatalFailureOnAllThreads
 [----------] 2 tests from ExpectFailureWithThreadsTest
 [ RUN      ] ExpectFailureWithThreadsTest.ExpectFatalFailure
 (expecting 2 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected fatal failure.
+Stack trace: (omitted)
+
 gtest.cc:#: Failure
 Expected: 1 fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [  FAILED  ] ExpectFailureWithThreadsTest.ExpectFatalFailure
 [ RUN      ] ExpectFailureWithThreadsTest.ExpectNonFatalFailure
 (expecting 2 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
 gtest.cc:#: Failure
 Expected: 1 non-fatal failure
   Actual: 0 failures
+Stack trace: (omitted)
+
 [  FAILED  ] ExpectFailureWithThreadsTest.ExpectNonFatalFailure
 [----------] 1 test from ScopedFakeTestPartResultReporterTest
 [ RUN      ] ScopedFakeTestPartResultReporterTest.InterceptOnlyCurrentThread
 (expecting 2 failures)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected fatal failure.
-gtest_output_test_.cc:#: Failure
+Stack trace: (omitted)
+
+googletest-output-test_.cc:#: Failure
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
 [  FAILED  ] ScopedFakeTestPartResultReporterTest.InterceptOnlyCurrentThread
 [----------] 1 test from PrintingFailingParams/FailingParamTest
 [ RUN      ] PrintingFailingParams/FailingParamTest.Fails/0
-gtest_output_test_.cc:#: Failure
-Value of: GetParam()
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  GetParam()
+    Which is: 2
+Stack trace: (omitted)
+
 [  FAILED  ] PrintingFailingParams/FailingParamTest.Fails/0, where GetParam() = 2
+[----------] 2 tests from PrintingStrings/ParamTest
+[ RUN      ] PrintingStrings/ParamTest.Success/a
+[       OK ] PrintingStrings/ParamTest.Success/a
+[ RUN      ] PrintingStrings/ParamTest.Failure/a
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  "b"
+  GetParam()
+    Which is: "a"
+Expected failure
+Stack trace: (omitted)
+
+[  FAILED  ] PrintingStrings/ParamTest.Failure/a, where GetParam() = "a"
 [----------] Global test environment tear-down
 BarEnvironment::TearDown() called.
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected non-fatal failure.
+Stack trace: (omitted)
+
 FooEnvironment::TearDown() called.
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Failed
 Expected fatal failure.
-[==========] 64 tests from 28 test cases ran.
-[  PASSED  ] 21 tests.
-[  FAILED  ] 43 tests, listed below:
+Stack trace: (omitted)
+
+[==========] 76 tests from 34 test cases ran.
+[  PASSED  ] 26 tests.
+[  FAILED  ] 50 tests, listed below:
 [  FAILED  ] NonfatalFailureTest.EscapesStringOperands
 [  FAILED  ] NonfatalFailureTest.DiffForLongStrings
 [  FAILED  ] FatalFailureTest.FatalFailureInSubroutine
 [  FAILED  ] FatalFailureTest.FatalFailureInNestedSubroutine
 [  FAILED  ] FatalFailureTest.NonfatalFailureInSubroutine
 [  FAILED  ] LoggingTest.InterleavingLoggingAndAssertions
+[  FAILED  ] SCOPED_TRACETest.AcceptedValues
 [  FAILED  ] SCOPED_TRACETest.ObeysScopes
 [  FAILED  ] SCOPED_TRACETest.WorksInLoop
 [  FAILED  ] SCOPED_TRACETest.WorksInSubroutine
 [  FAILED  ] SCOPED_TRACETest.CanBeNested
 [  FAILED  ] SCOPED_TRACETest.CanBeRepeated
 [  FAILED  ] SCOPED_TRACETest.WorksConcurrently
+[  FAILED  ] ScopedTraceTest.WithExplicitFileAndLine
 [  FAILED  ] NonFatalFailureInFixtureConstructorTest.FailureInConstructor
 [  FAILED  ] FatalFailureInFixtureConstructorTest.FailureInConstructor
 [  FAILED  ] NonFatalFailureInSetUpTest.FailureInSetUp
@@ -646,8 +944,12 @@ Expected fatal failure.
 [  FAILED  ] ExpectFatalFailureTest.FailsWhenStatementReturns
 [  FAILED  ] ExpectFatalFailureTest.FailsWhenStatementThrows
 [  FAILED  ] TypedTest/0.Failure, where TypeParam = int
+[  FAILED  ] TypedTestWithNames/char0.Failure, where TypeParam = char
+[  FAILED  ] TypedTestWithNames/int1.Failure, where TypeParam = int
 [  FAILED  ] Unsigned/TypedTestP/0.Failure, where TypeParam = unsigned char
 [  FAILED  ] Unsigned/TypedTestP/1.Failure, where TypeParam = unsigned int
+[  FAILED  ] UnsignedCustomName/TypedTestP/unsignedChar0.Failure, where TypeParam = unsigned char
+[  FAILED  ] UnsignedCustomName/TypedTestP/unsignedInt1.Failure, where TypeParam = unsigned int
 [  FAILED  ] ExpectFailureTest.ExpectFatalFailure
 [  FAILED  ] ExpectFailureTest.ExpectNonFatalFailure
 [  FAILED  ] ExpectFailureTest.ExpectFatalFailureOnAllThreads
@@ -656,8 +958,9 @@ Expected fatal failure.
 [  FAILED  ] ExpectFailureWithThreadsTest.ExpectNonFatalFailure
 [  FAILED  ] ScopedFakeTestPartResultReporterTest.InterceptOnlyCurrentThread
 [  FAILED  ] PrintingFailingParams/FailingParamTest.Fails/0, where GetParam() = 2
+[  FAILED  ] PrintingStrings/ParamTest.Failure/a, where GetParam() = "a"
 
-43 FAILED TESTS
+50 FAILED TESTS
   YOU HAVE 1 DISABLED TEST
 
 Note: Google Test filter = FatalFailureTest.*:LoggingTest.*
@@ -666,24 +969,32 @@ Expected fatal failure.
 [----------] 3 tests from FatalFailureTest
 [ RUN      ] FatalFailureTest.FatalFailureInSubroutine
 (expecting a failure that x should be 1)
-gtest_output_test_.cc:#: Failure
-Value of: x
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  x
+    Which is: 2
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureTest.FatalFailureInSubroutine (? ms)
 [ RUN      ] FatalFailureTest.FatalFailureInNestedSubroutine
 (expecting a failure that x should be 1)
-gtest_output_test_.cc:#: Failure
-Value of: x
-  Actual: 2
-Expected: 1
+googletest-output-test_.cc:#: Failure
+Expected equality of these values:
+  1
+  x
+    Which is: 2
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureTest.FatalFailureInNestedSubroutine (? ms)
 [ RUN      ] FatalFailureTest.NonfatalFailureInSubroutine
 (expecting a failure on false)
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Value of: false
   Actual: false
 Expected: true
+Stack trace: (omitted)
+
 [  FAILED  ] FatalFailureTest.NonfatalFailureInSubroutine (? ms)
 [----------] 3 tests from FatalFailureTest (? ms total)
 
@@ -692,12 +1003,16 @@ Expected: true
 (expecting 2 failures on (3) >= (a[i]))
 i == 0
 i == 1
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Expected: (3) >= (a[i]), actual: 3 vs 9
+Stack trace: (omitted)
+
 i == 2
 i == 3
-gtest_output_test_.cc:#: Failure
+googletest-output-test_.cc:#: Failure
 Expected: (3) >= (a[i]), actual: 3 vs 6
+Stack trace: (omitted)
+
 [  FAILED  ] LoggingTest.InterleavingLoggingAndAssertions (? ms)
 [----------] 1 test from LoggingTest (? ms total)
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_output_test.py b/security/nss/gtests/google_test/gtest/test/googletest-output-test.py
index fa1a311728..2d69e353a1 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_output_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-output-test.py
@@ -29,17 +29,16 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-"""Tests the text output of Google C++ Testing Framework.
+"""Tests the text output of Google C++ Testing and Mocking Framework.
 
-SYNOPSIS
-       gtest_output_test.py --build_dir=BUILD/DIR --gengolden
-         # where BUILD/DIR contains the built gtest_output_test_ file.
-       gtest_output_test.py --gengolden
-       gtest_output_test.py
+To update the golden file:
+googletest_output_test.py --build_dir=BUILD/DIR --gengolden
+where BUILD/DIR contains the built googletest-output-test_ file.
+googletest_output_test.py --gengolden
+googletest_output_test.py
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
+import difflib
 import os
 import re
 import sys
@@ -50,30 +49,34 @@ import gtest_test_utils
 GENGOLDEN_FLAG = '--gengolden'
 CATCH_EXCEPTIONS_ENV_VAR_NAME = 'GTEST_CATCH_EXCEPTIONS'
 
+# The flag indicating stacktraces are not supported
+NO_STACKTRACE_SUPPORT_FLAG = '--no_stacktrace_support'
+
+IS_LINUX = os.name == 'posix' and os.uname()[0] == 'Linux'
 IS_WINDOWS = os.name == 'nt'
 
-# TODO(vladl@google.com): remove the _lin suffix.
-GOLDEN_NAME = 'gtest_output_test_golden_lin.txt'
+# FIXME: remove the _lin suffix.
+GOLDEN_NAME = 'googletest-output-test-golden-lin.txt'
 
-PROGRAM_PATH = gtest_test_utils.GetTestExecutablePath('gtest_output_test_')
+PROGRAM_PATH = gtest_test_utils.GetTestExecutablePath('googletest-output-test_')
 
 # At least one command we exercise must not have the
-# --gtest_internal_skip_environment_and_ad_hoc_tests flag.
+# 'internal_skip_environment_and_ad_hoc_tests' argument.
 COMMAND_LIST_TESTS = ({}, [PROGRAM_PATH, '--gtest_list_tests'])
 COMMAND_WITH_COLOR = ({}, [PROGRAM_PATH, '--gtest_color=yes'])
 COMMAND_WITH_TIME = ({}, [PROGRAM_PATH,
                           '--gtest_print_time',
-                          '--gtest_internal_skip_environment_and_ad_hoc_tests',
+                          'internal_skip_environment_and_ad_hoc_tests',
                           '--gtest_filter=FatalFailureTest.*:LoggingTest.*'])
 COMMAND_WITH_DISABLED = (
     {}, [PROGRAM_PATH,
          '--gtest_also_run_disabled_tests',
-         '--gtest_internal_skip_environment_and_ad_hoc_tests',
+         'internal_skip_environment_and_ad_hoc_tests',
          '--gtest_filter=*DISABLED_*'])
 COMMAND_WITH_SHARDING = (
     {'GTEST_SHARD_INDEX': '1', 'GTEST_TOTAL_SHARDS': '2'},
     [PROGRAM_PATH,
-     '--gtest_internal_skip_environment_and_ad_hoc_tests',
+     'internal_skip_environment_and_ad_hoc_tests',
      '--gtest_filter=PassingTest.*'])
 
 GOLDEN_PATH = os.path.join(gtest_test_utils.GetSourceDir(), GOLDEN_NAME)
@@ -98,7 +101,8 @@ def RemoveLocations(test_output):
        'FILE_NAME:#: '.
   """
 
-  return re.sub(r'.*[/\\](.+)(\:\d+|\(\d+\))\: ', r'\1:#: ', test_output)
+  return re.sub(r'.*[/\\]((googletest-output-test_|gtest).cc)(\:\d+|\(\d+\))\: ',
+                r'\1:#: ', test_output)
 
 
 def RemoveStackTraceDetails(output):
@@ -188,7 +192,7 @@ def RemoveMatchingTests(test_output, pattern):
 
 
 def NormalizeOutput(output):
-  """Normalizes output (the output of gtest_output_test_.exe)."""
+  """Normalizes output (the output of googletest-output-test_.exe)."""
 
   output = ToUnixLineEnding(output)
   output = RemoveLocations(output)
@@ -248,12 +252,12 @@ test_list = GetShellCommandOutput(COMMAND_LIST_TESTS)
 SUPPORTS_DEATH_TESTS = 'DeathTest' in test_list
 SUPPORTS_TYPED_TESTS = 'TypedTest' in test_list
 SUPPORTS_THREADS = 'ExpectFailureWithThreadsTest' in test_list
-SUPPORTS_STACK_TRACES = False
+SUPPORTS_STACK_TRACES = NO_STACKTRACE_SUPPORT_FLAG not in sys.argv
 
 CAN_GENERATE_GOLDEN_FILE = (SUPPORTS_DEATH_TESTS and
                             SUPPORTS_TYPED_TESTS and
                             SUPPORTS_THREADS and
-                            not IS_WINDOWS)
+                            SUPPORTS_STACK_TRACES)
 
 class GTestOutputTest(gtest_test_utils.TestCase):
   def RemoveUnsupportedTests(self, test_output):
@@ -294,7 +298,11 @@ class GTestOutputTest(gtest_test_utils.TestCase):
     normalized_golden = RemoveTypeInfoDetails(golden)
 
     if CAN_GENERATE_GOLDEN_FILE:
-      self.assertEqual(normalized_golden, normalized_actual)
+      self.assertEqual(normalized_golden, normalized_actual,
+                       '\n'.join(difflib.unified_diff(
+                           normalized_golden.split('\n'),
+                           normalized_actual.split('\n'),
+                           'golden', 'actual')))
     else:
       normalized_actual = NormalizeToCurrentPlatform(
           RemoveTestCounts(normalized_actual))
@@ -305,18 +313,22 @@ class GTestOutputTest(gtest_test_utils.TestCase):
       if os.getenv('DEBUG_GTEST_OUTPUT_TEST'):
         open(os.path.join(
             gtest_test_utils.GetSourceDir(),
-            '_gtest_output_test_normalized_actual.txt'), 'wb').write(
+            '_googletest-output-test_normalized_actual.txt'), 'wb').write(
                 normalized_actual)
         open(os.path.join(
             gtest_test_utils.GetSourceDir(),
-            '_gtest_output_test_normalized_golden.txt'), 'wb').write(
+            '_googletest-output-test_normalized_golden.txt'), 'wb').write(
                 normalized_golden)
 
       self.assertEqual(normalized_golden, normalized_actual)
 
 
 if __name__ == '__main__':
-  if sys.argv[1:] == [GENGOLDEN_FLAG]:
+  if NO_STACKTRACE_SUPPORT_FLAG in sys.argv:
+    # unittest.main() can't handle unknown flags
+    sys.argv.remove(NO_STACKTRACE_SUPPORT_FLAG)
+
+  if GENGOLDEN_FLAG in sys.argv:
     if CAN_GENERATE_GOLDEN_FILE:
       output = GetOutputOfAllCommands()
       golden_file = open(GOLDEN_PATH, 'wb')
@@ -325,9 +337,9 @@ if __name__ == '__main__':
     else:
       message = (
           """Unable to write a golden file when compiled in an environment
-that does not support all the required features (death tests, typed tests,
-and multiple threads).  Please generate the golden file using a binary built
-with those features enabled.""")
+that does not support all the required features (death tests,
+typed tests, stack traces, and multiple threads).
+Please build this test and generate the golden file using Blaze on Linux.""")
 
       sys.stderr.write(message)
       sys.exit(1)
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_output_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-output-test_.cc
index 5361d8d87a..f6525ec970 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_output_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-output-test_.cc
@@ -29,26 +29,20 @@
 //
 // The purpose of this file is to generate Google Test output under
 // various conditions.  The output will then be verified by
-// gtest_output_test.py to ensure that Google Test generates the
+// googletest-output-test.py to ensure that Google Test generates the
 // desired messages.  Therefore, most tests in this file are MEANT TO
 // FAIL.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include "gtest/gtest-spi.h"
 #include "gtest/gtest.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 #include <stdlib.h>
 
+#if _MSC_VER
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4127 /* conditional expression is constant */)
+#endif  //  _MSC_VER
+
 #if GTEST_IS_THREADSAFE
 using testing::ScopedFakeTestPartResultReporter;
 using testing::TestPartResultArray;
@@ -58,7 +52,6 @@ using testing::internal::ThreadWithParam;
 #endif
 
 namespace posix = ::testing::internal::posix;
-using testing::internal::scoped_ptr;
 
 // Tests catching fatal failures.
 
@@ -177,6 +170,16 @@ void SubWithTrace(int n) {
   SubWithoutTrace(n);
 }
 
+TEST(SCOPED_TRACETest, AcceptedValues) {
+  SCOPED_TRACE("literal string");
+  SCOPED_TRACE(std::string("std::string"));
+  SCOPED_TRACE(1337);  // streamable type
+  const char* null_value = NULL;
+  SCOPED_TRACE(null_value);
+
+  ADD_FAILURE() << "Just checking that all these values work fine.";
+}
+
 // Tests that SCOPED_TRACE() obeys lexical scopes.
 TEST(SCOPED_TRACETest, ObeysScopes) {
   printf("(expected to fail)\n");
@@ -324,6 +327,13 @@ TEST(SCOPED_TRACETest, WorksConcurrently) {
 }
 #endif  // GTEST_IS_THREADSAFE
 
+// Tests basic functionality of the ScopedTrace utility (most of its features
+// are already tested in SCOPED_TRACETest).
+TEST(ScopedTraceTest, WithExplicitFileAndLine) {
+  testing::ScopedTrace trace("explicit_file.cc", 123, "expected trace message");
+  ADD_FAILURE() << "Check that the trace is attached to a particular location.";
+}
+
 TEST(DisabledTestsWarningTest,
      DISABLED_AlsoRunDisabledTestsFlagSuppressesWarning) {
   // This test body is intentionally empty.  Its sole purpose is for
@@ -515,7 +525,8 @@ class DeathTestAndMultiThreadsTest : public testing::Test {
 
  private:
   SpawnThreadNotifications notifications_;
-  scoped_ptr<ThreadWithParam<SpawnThreadNotifications*> > thread_;
+  testing::internal::scoped_ptr<ThreadWithParam<SpawnThreadNotifications*> >
+      thread_;
 };
 
 #endif  // GTEST_IS_THREADSAFE
@@ -755,6 +766,28 @@ TEST(ExpectFatalFailureTest, FailsWhenStatementThrows) {
 
 #endif  // GTEST_HAS_EXCEPTIONS
 
+// This #ifdef block tests the output of value-parameterized tests.
+
+std::string ParamNameFunc(const testing::TestParamInfo<std::string>& info) {
+  return info.param;
+}
+
+class ParamTest : public testing::TestWithParam<std::string> {
+};
+
+TEST_P(ParamTest, Success) {
+  EXPECT_EQ("a", GetParam());
+}
+
+TEST_P(ParamTest, Failure) {
+  EXPECT_EQ("b", GetParam()) << "Expected failure";
+}
+
+INSTANTIATE_TEST_CASE_P(PrintingStrings,
+                        ParamTest,
+                        testing::Values(std::string("a")),
+                        ParamNameFunc);
+
 // This #ifdef block tests the output of typed tests.
 #if GTEST_HAS_TYPED_TEST
 
@@ -772,6 +805,28 @@ TYPED_TEST(TypedTest, Failure) {
   EXPECT_EQ(1, TypeParam()) << "Expected failure";
 }
 
+typedef testing::Types<char, int> TypesForTestWithNames;
+
+template <typename T>
+class TypedTestWithNames : public testing::Test {};
+
+class TypedTestNames {
+ public:
+  template <typename T>
+  static std::string GetName(int i) {
+    if (testing::internal::IsSame<T, char>::value)
+      return std::string("char") + ::testing::PrintToString(i);
+    if (testing::internal::IsSame<T, int>::value)
+      return std::string("int") + ::testing::PrintToString(i);
+  }
+};
+
+TYPED_TEST_CASE(TypedTestWithNames, TypesForTestWithNames, TypedTestNames);
+
+TYPED_TEST(TypedTestWithNames, Success) {}
+
+TYPED_TEST(TypedTestWithNames, Failure) { FAIL(); }
+
 #endif  // GTEST_HAS_TYPED_TEST
 
 // This #ifdef block tests the output of type-parameterized tests.
@@ -796,6 +851,22 @@ REGISTER_TYPED_TEST_CASE_P(TypedTestP, Success, Failure);
 typedef testing::Types<unsigned char, unsigned int> UnsignedTypes;
 INSTANTIATE_TYPED_TEST_CASE_P(Unsigned, TypedTestP, UnsignedTypes);
 
+class TypedTestPNames {
+ public:
+  template <typename T>
+  static std::string GetName(int i) {
+    if (testing::internal::IsSame<T, unsigned char>::value) {
+      return std::string("unsignedChar") + ::testing::PrintToString(i);
+    }
+    if (testing::internal::IsSame<T, unsigned int>::value) {
+      return std::string("unsignedInt") + ::testing::PrintToString(i);
+    }
+  }
+};
+
+INSTANTIATE_TYPED_TEST_CASE_P(UnsignedCustomName, TypedTestP, UnsignedTypes,
+                              TypedTestPNames);
+
 #endif  // GTEST_HAS_TYPED_TEST_P
 
 #if GTEST_HAS_DEATH_TEST
@@ -990,8 +1061,6 @@ class BarEnvironment : public testing::Environment {
   }
 };
 
-bool GTEST_FLAG(internal_skip_environment_and_ad_hoc_tests) = false;
-
 // The main function.
 //
 // The idea is to use Google Test to run all the tests we have defined (some
@@ -1008,10 +1077,9 @@ int main(int argc, char **argv) {
   // global side effects.  The following line serves as a sanity test
   // for it.
   testing::InitGoogleTest(&argc, argv);
-  if (argc >= 2 &&
-      (std::string(argv[1]) ==
-       "--gtest_internal_skip_environment_and_ad_hoc_tests"))
-    GTEST_FLAG(internal_skip_environment_and_ad_hoc_tests) = true;
+  bool internal_skip_environment_and_ad_hoc_tests =
+      std::count(argv, argv + argc,
+                 std::string("internal_skip_environment_and_ad_hoc_tests")) > 0;
 
 #if GTEST_HAS_DEATH_TEST
   if (testing::internal::GTEST_FLAG(internal_run_death_test) != "") {
@@ -1026,7 +1094,7 @@ int main(int argc, char **argv) {
   }
 #endif  // GTEST_HAS_DEATH_TEST
 
-  if (GTEST_FLAG(internal_skip_environment_and_ad_hoc_tests))
+  if (internal_skip_environment_and_ad_hoc_tests)
     return RUN_ALL_TESTS();
 
   // Registers two global test environments.
@@ -1034,6 +1102,8 @@ int main(int argc, char **argv) {
   // are registered, and torn down in the reverse order.
   testing::AddGlobalTestEnvironment(new FooEnvironment);
   testing::AddGlobalTestEnvironment(new BarEnvironment);
-
+#if _MSC_VER
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4127
+#endif  //  _MSC_VER
   return RunAllTests();
 }
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test.py b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test.py
new file mode 100644
index 0000000000..2a08477a77
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+#
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Verifies that Google Test warns the user when not initialized properly."""
+
+import gtest_test_utils
+
+binary_name = 'googletest-param-test-invalid-name1-test_'
+COMMAND = gtest_test_utils.GetTestExecutablePath(binary_name)
+
+
+def Assert(condition):
+  if not condition:
+    raise AssertionError
+
+
+def TestExitCodeAndOutput(command):
+  """Runs the given command and verifies its exit code and output."""
+
+  err = ('Parameterized test name \'"InvalidWithQuotes"\' is invalid')
+
+  p = gtest_test_utils.Subprocess(command)
+  Assert(p.terminated_by_signal)
+
+  # Verify the output message contains appropriate output
+  Assert(err in p.output)
+
+
+class GTestParamTestInvalidName1Test(gtest_test_utils.TestCase):
+
+  def testExitCodeAndOutput(self):
+    TestExitCodeAndOutput(COMMAND)
+
+
+if __name__ == '__main__':
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test_.cc
new file mode 100644
index 0000000000..5a95155b23
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name1-test_.cc
@@ -0,0 +1,50 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+#include "gtest/gtest.h"
+
+namespace {
+class DummyTest : public ::testing::TestWithParam<const char *> {};
+
+TEST_P(DummyTest, Dummy) {
+}
+
+INSTANTIATE_TEST_CASE_P(InvalidTestName,
+                        DummyTest,
+                        ::testing::Values("InvalidWithQuotes"),
+                        ::testing::PrintToStringParamName());
+
+}  // namespace
+
+int main(int argc, char *argv[]) {
+  testing::InitGoogleTest(&argc, argv);
+  return RUN_ALL_TESTS();
+}
+
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test.py b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test.py
new file mode 100644
index 0000000000..ab838f4632
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+#
+# Copyright 2015 Google Inc. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Verifies that Google Test warns the user when not initialized properly."""
+
+import gtest_test_utils
+
+binary_name = 'googletest-param-test-invalid-name2-test_'
+COMMAND = gtest_test_utils.GetTestExecutablePath(binary_name)
+
+
+def Assert(condition):
+  if not condition:
+    raise AssertionError
+
+
+def TestExitCodeAndOutput(command):
+  """Runs the given command and verifies its exit code and output."""
+
+  err = ('Duplicate parameterized test name \'a\'')
+
+  p = gtest_test_utils.Subprocess(command)
+  Assert(p.terminated_by_signal)
+
+  # Check for appropriate output
+  Assert(err in p.output)
+
+
+class GTestParamTestInvalidName2Test(gtest_test_utils.TestCase):
+
+  def testExitCodeAndOutput(self):
+    TestExitCodeAndOutput(COMMAND)
+
+if __name__ == '__main__':
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test_.cc
new file mode 100644
index 0000000000..ef093490e9
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-invalid-name2-test_.cc
@@ -0,0 +1,55 @@
+// Copyright 2015, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+#include "gtest/gtest.h"
+
+namespace {
+class DummyTest : public ::testing::TestWithParam<const char *> {};
+
+std::string StringParamTestSuffix(
+    const testing::TestParamInfo<const char*>& info) {
+  return std::string(info.param);
+}
+
+TEST_P(DummyTest, Dummy) {
+}
+
+INSTANTIATE_TEST_CASE_P(DuplicateTestNames,
+                        DummyTest,
+                        ::testing::Values("a", "b", "a", "c"),
+                        StringParamTestSuffix);
+}  // namespace
+
+int main(int argc, char *argv[]) {
+  testing::InitGoogleTest(&argc, argv);
+  return RUN_ALL_TESTS();
+}
+
+
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-param-test_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-param-test-test.cc
index cc1dc65fb8..f789cab270 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-param-test_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 //
 // Tests for Google Test itself. This file verifies that the parameter
 // generators objects produce correct parameter sequences and that
@@ -35,8 +34,6 @@
 
 #include "gtest/gtest.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 # include <algorithm>
 # include <iostream>
 # include <list>
@@ -44,12 +41,8 @@
 # include <string>
 # include <vector>
 
-// To include gtest-internal-inl.h.
-# define GTEST_IMPLEMENTATION_ 1
 # include "src/gtest-internal-inl.h"  // for UnitTestOptions
-# undef GTEST_IMPLEMENTATION_
-
-# include "test/gtest-param-test_test.h"
+# include "test/googletest-param-test-test.h"
 
 using ::std::vector;
 using ::std::sort;
@@ -74,7 +67,7 @@ using ::testing::internal::UnitTestOptions;
 
 // Prints a value to a string.
 //
-// TODO(wan@google.com): remove PrintValue() when we move matchers and
+// FIXME: remove PrintValue() when we move matchers and
 // EXPECT_THAT() from Google Mock to Google Test.  At that time, we
 // can write EXPECT_THAT(x, Eq(y)) to compare two tuples x and y, as
 // EXPECT_THAT() and the matchers know how to print tuples.
@@ -141,7 +134,7 @@ void VerifyGenerator(const ParamGenerator<T>& generator,
         << ", expected_values[i] is " << PrintValue(expected_values[i])
         << ", *it is " << PrintValue(*it)
         << ", and 'it' is an iterator created with the copy constructor.\n";
-    it++;
+    ++it;
   }
   EXPECT_TRUE(it == generator.end())
         << "At the presumed end of sequence when accessing via an iterator "
@@ -161,7 +154,7 @@ void VerifyGenerator(const ParamGenerator<T>& generator,
         << ", expected_values[i] is " << PrintValue(expected_values[i])
         << ", *it is " << PrintValue(*it)
         << ", and 'it' is an iterator created with the copy constructor.\n";
-    it++;
+    ++it;
   }
   EXPECT_TRUE(it == generator.end())
         << "At the presumed end of sequence when accessing via an iterator "
@@ -196,7 +189,7 @@ TEST(IteratorTest, ParamIteratorConformsToForwardIteratorConcept) {
                            << "element same as its source points to";
 
   // Verifies that iterator assignment works as expected.
-  it++;
+  ++it;
   EXPECT_FALSE(*it == *it2);
   it2 = it;
   EXPECT_TRUE(*it == *it2) << "Assigned iterators must point to the "
@@ -215,7 +208,7 @@ TEST(IteratorTest, ParamIteratorConformsToForwardIteratorConcept) {
   // Verifies that prefix and postfix operator++() advance an iterator
   // all the same.
   it2 = it;
-  it++;
+  ++it;
   ++it2;
   EXPECT_TRUE(*it == *it2);
 }
@@ -542,6 +535,51 @@ TEST(CombineTest, CombineWithMaxNumberOfParameters) {
   VerifyGenerator(gen, expected_values);
 }
 
+#if GTEST_LANG_CXX11
+
+class NonDefaultConstructAssignString {
+ public:
+  NonDefaultConstructAssignString(const std::string& s) : str_(s) {}
+
+  const std::string& str() const { return str_; }
+
+ private:
+  std::string str_;
+
+  // Not default constructible
+  NonDefaultConstructAssignString();
+  // Not assignable
+  void operator=(const NonDefaultConstructAssignString&);
+};
+
+TEST(CombineTest, NonDefaultConstructAssign) {
+  const ParamGenerator<tuple<int, NonDefaultConstructAssignString> > gen =
+      Combine(Values(0, 1), Values(NonDefaultConstructAssignString("A"),
+                                   NonDefaultConstructAssignString("B")));
+
+  ParamGenerator<tuple<int, NonDefaultConstructAssignString> >::iterator it =
+      gen.begin();
+
+  EXPECT_EQ(0, std::get<0>(*it));
+  EXPECT_EQ("A", std::get<1>(*it).str());
+  ++it;
+
+  EXPECT_EQ(0, std::get<0>(*it));
+  EXPECT_EQ("B", std::get<1>(*it).str());
+  ++it;
+
+  EXPECT_EQ(1, std::get<0>(*it));
+  EXPECT_EQ("A", std::get<1>(*it).str());
+  ++it;
+
+  EXPECT_EQ(1, std::get<0>(*it));
+  EXPECT_EQ("B", std::get<1>(*it).str());
+  ++it;
+
+  EXPECT_TRUE(it == gen.end());
+}
+
+#endif   // GTEST_LANG_CXX11
 # endif  // GTEST_HAS_COMBINE
 
 // Tests that an generator produces correct sequence after being
@@ -809,6 +847,184 @@ TEST_P(NamingTest, TestsReportCorrectNamesAndParameters) {
 
 INSTANTIATE_TEST_CASE_P(ZeroToFiveSequence, NamingTest, Range(0, 5));
 
+// Tests that macros in test names are expanded correctly.
+class MacroNamingTest : public TestWithParam<int> {};
+
+#define PREFIX_WITH_FOO(test_name) Foo##test_name
+#define PREFIX_WITH_MACRO(test_name) Macro##test_name
+
+TEST_P(PREFIX_WITH_MACRO(NamingTest), PREFIX_WITH_FOO(SomeTestName)) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+
+  EXPECT_STREQ("FortyTwo/MacroNamingTest", test_info->test_case_name());
+  EXPECT_STREQ("FooSomeTestName", test_info->name());
+}
+
+INSTANTIATE_TEST_CASE_P(FortyTwo, MacroNamingTest, Values(42));
+
+// Tests the same thing for non-parametrized tests.
+class MacroNamingTestNonParametrized : public ::testing::Test {};
+
+TEST_F(PREFIX_WITH_MACRO(NamingTestNonParametrized),
+       PREFIX_WITH_FOO(SomeTestName)) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+
+  EXPECT_STREQ("MacroNamingTestNonParametrized", test_info->test_case_name());
+  EXPECT_STREQ("FooSomeTestName", test_info->name());
+}
+
+// Tests that user supplied custom parameter names are working correctly.
+// Runs the test with a builtin helper method which uses PrintToString,
+// as well as a custom function and custom functor to ensure all possible
+// uses work correctly.
+class CustomFunctorNamingTest : public TestWithParam<std::string> {};
+TEST_P(CustomFunctorNamingTest, CustomTestNames) {}
+
+struct CustomParamNameFunctor {
+  std::string operator()(const ::testing::TestParamInfo<std::string>& inf) {
+    return inf.param;
+  }
+};
+
+INSTANTIATE_TEST_CASE_P(CustomParamNameFunctor,
+                        CustomFunctorNamingTest,
+                        Values(std::string("FunctorName")),
+                        CustomParamNameFunctor());
+
+INSTANTIATE_TEST_CASE_P(AllAllowedCharacters,
+                        CustomFunctorNamingTest,
+                        Values("abcdefghijklmnopqrstuvwxyz",
+                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+                               "01234567890_"),
+                        CustomParamNameFunctor());
+
+inline std::string CustomParamNameFunction(
+    const ::testing::TestParamInfo<std::string>& inf) {
+  return inf.param;
+}
+
+class CustomFunctionNamingTest : public TestWithParam<std::string> {};
+TEST_P(CustomFunctionNamingTest, CustomTestNames) {}
+
+INSTANTIATE_TEST_CASE_P(CustomParamNameFunction,
+                        CustomFunctionNamingTest,
+                        Values(std::string("FunctionName")),
+                        CustomParamNameFunction);
+
+#if GTEST_LANG_CXX11
+
+// Test custom naming with a lambda
+
+class CustomLambdaNamingTest : public TestWithParam<std::string> {};
+TEST_P(CustomLambdaNamingTest, CustomTestNames) {}
+
+INSTANTIATE_TEST_CASE_P(CustomParamNameLambda, CustomLambdaNamingTest,
+                        Values(std::string("LambdaName")),
+                        [](const ::testing::TestParamInfo<std::string>& inf) {
+                          return inf.param;
+                        });
+
+#endif  // GTEST_LANG_CXX11
+
+TEST(CustomNamingTest, CheckNameRegistry) {
+  ::testing::UnitTest* unit_test = ::testing::UnitTest::GetInstance();
+  std::set<std::string> test_names;
+  for (int case_num = 0;
+       case_num < unit_test->total_test_case_count();
+       ++case_num) {
+    const ::testing::TestCase* test_case = unit_test->GetTestCase(case_num);
+    for (int test_num = 0;
+         test_num < test_case->total_test_count();
+         ++test_num) {
+      const ::testing::TestInfo* test_info = test_case->GetTestInfo(test_num);
+      test_names.insert(std::string(test_info->name()));
+    }
+  }
+  EXPECT_EQ(1u, test_names.count("CustomTestNames/FunctorName"));
+  EXPECT_EQ(1u, test_names.count("CustomTestNames/FunctionName"));
+#if GTEST_LANG_CXX11
+  EXPECT_EQ(1u, test_names.count("CustomTestNames/LambdaName"));
+#endif  // GTEST_LANG_CXX11
+}
+
+// Test a numeric name to ensure PrintToStringParamName works correctly.
+
+class CustomIntegerNamingTest : public TestWithParam<int> {};
+
+TEST_P(CustomIntegerNamingTest, TestsReportCorrectNames) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+  Message test_name_stream;
+  test_name_stream << "TestsReportCorrectNames/" << GetParam();
+  EXPECT_STREQ(test_name_stream.GetString().c_str(), test_info->name());
+}
+
+INSTANTIATE_TEST_CASE_P(PrintToString,
+                        CustomIntegerNamingTest,
+                        Range(0, 5),
+                        ::testing::PrintToStringParamName());
+
+// Test a custom struct with PrintToString.
+
+struct CustomStruct {
+  explicit CustomStruct(int value) : x(value) {}
+  int x;
+};
+
+std::ostream& operator<<(std::ostream& stream, const CustomStruct& val) {
+  stream << val.x;
+  return stream;
+}
+
+class CustomStructNamingTest : public TestWithParam<CustomStruct> {};
+
+TEST_P(CustomStructNamingTest, TestsReportCorrectNames) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+  Message test_name_stream;
+  test_name_stream << "TestsReportCorrectNames/" << GetParam();
+  EXPECT_STREQ(test_name_stream.GetString().c_str(), test_info->name());
+}
+
+INSTANTIATE_TEST_CASE_P(PrintToString,
+                        CustomStructNamingTest,
+                        Values(CustomStruct(0), CustomStruct(1)),
+                        ::testing::PrintToStringParamName());
+
+// Test that using a stateful parameter naming function works as expected.
+
+struct StatefulNamingFunctor {
+  StatefulNamingFunctor() : sum(0) {}
+  std::string operator()(const ::testing::TestParamInfo<int>& info) {
+    int value = info.param + sum;
+    sum += info.param;
+    return ::testing::PrintToString(value);
+  }
+  int sum;
+};
+
+class StatefulNamingTest : public ::testing::TestWithParam<int> {
+ protected:
+  StatefulNamingTest() : sum_(0) {}
+  int sum_;
+};
+
+TEST_P(StatefulNamingTest, TestsReportCorrectNames) {
+  const ::testing::TestInfo* const test_info =
+     ::testing::UnitTest::GetInstance()->current_test_info();
+  sum_ += GetParam();
+  Message test_name_stream;
+  test_name_stream << "TestsReportCorrectNames/" << sum_;
+  EXPECT_STREQ(test_name_stream.GetString().c_str(), test_info->name());
+}
+
+INSTANTIATE_TEST_CASE_P(StatefulNamingFunctor,
+                        StatefulNamingTest,
+                        Range(0, 5),
+                        StatefulNamingFunctor());
+
 // Class that cannot be streamed into an ostream.  It needs to be copyable
 // (and, in case of MSVC, also assignable) in order to be a test parameter
 // type.  Its default copy constructor and assignment operator do exactly
@@ -874,31 +1090,20 @@ TEST_F(ParameterizedDeathTest, GetParamDiesFromTestF) {
 
 INSTANTIATE_TEST_CASE_P(RangeZeroToFive, ParameterizedDerivedTest, Range(0, 5));
 
-#endif  // GTEST_HAS_PARAM_TEST
-
-TEST(CompileTest, CombineIsDefinedOnlyWhenGtestHasParamTestIsDefined) {
-#if GTEST_HAS_COMBINE && !GTEST_HAS_PARAM_TEST
-  FAIL() << "GTEST_HAS_COMBINE is defined while GTEST_HAS_PARAM_TEST is not\n"
-#endif
-}
 
 int main(int argc, char **argv) {
-#if GTEST_HAS_PARAM_TEST
   // Used in TestGenerationTest test case.
   AddGlobalTestEnvironment(TestGenerationTest::Environment::Instance());
   // Used in GeneratorEvaluationTest test case. Tests that the updated value
   // will be picked up for instantiating tests in GeneratorEvaluationTest.
   GeneratorEvaluationTest::set_param_value(1);
-#endif  // GTEST_HAS_PARAM_TEST
 
   ::testing::InitGoogleTest(&argc, argv);
 
-#if GTEST_HAS_PARAM_TEST
   // Used in GeneratorEvaluationTest test case. Tests that value updated
   // here will NOT be used for instantiating tests in
   // GeneratorEvaluationTest.
   GeneratorEvaluationTest::set_param_value(2);
-#endif  // GTEST_HAS_PARAM_TEST
 
   return RUN_ALL_TESTS();
 }
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-param-test_test.h b/security/nss/gtests/google_test/gtest/test/googletest-param-test-test.h
index 26ea122b10..632a61f492 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-param-test_test.h
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test-test.h
@@ -27,9 +27,7 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: vladl@google.com (Vlad Losev)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This header file provides classes and functions used internally
 // for testing Google Test itself.
@@ -39,8 +37,6 @@
 
 #include "gtest/gtest.h"
 
-#if GTEST_HAS_PARAM_TEST
-
 // Test fixture for testing definition and instantiation of a test
 // in separate translation units.
 class ExternalInstantiationTest : public ::testing::TestWithParam<int> {
@@ -52,6 +48,4 @@ class InstantiationInMultipleTranslaionUnitsTest
     : public ::testing::TestWithParam<int> {
 };
 
-#endif  // GTEST_HAS_PARAM_TEST
-
 #endif  // GTEST_TEST_GTEST_PARAM_TEST_TEST_H_
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-param-test2_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-param-test2-test.cc
index 4a782fe708..25bb945c2f 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-param-test2_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-param-test2-test.cc
@@ -26,40 +26,36 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: vladl@google.com (Vlad Losev)
+
 //
 // Tests for Google Test itself.  This verifies that the basic constructs of
 // Google Test work.
 
 #include "gtest/gtest.h"
-
-#include "test/gtest-param-test_test.h"
-
-#if GTEST_HAS_PARAM_TEST
+#include "test/googletest-param-test-test.h"
 
 using ::testing::Values;
 using ::testing::internal::ParamGenerator;
 
 // Tests that generators defined in a different translation unit
 // are functional. The test using extern_gen is defined
-// in gtest-param-test_test.cc.
+// in googletest-param-test-test.cc.
 ParamGenerator<int> extern_gen = Values(33);
 
 // Tests that a parameterized test case can be defined in one translation unit
-// and instantiated in another. The test is defined in gtest-param-test_test.cc
-// and ExternalInstantiationTest fixture class is defined in
-// gtest-param-test_test.h.
+// and instantiated in another. The test is defined in
+// googletest-param-test-test.cc and ExternalInstantiationTest fixture class is
+// defined in gtest-param-test_test.h.
 INSTANTIATE_TEST_CASE_P(MultiplesOf33,
                         ExternalInstantiationTest,
                         Values(33, 66));
 
 // Tests that a parameterized test case can be instantiated
 // in multiple translation units. Another instantiation is defined
-// in gtest-param-test_test.cc and InstantiationInMultipleTranslaionUnitsTest
-// fixture is defined in gtest-param-test_test.h
+// in googletest-param-test-test.cc and
+// InstantiationInMultipleTranslaionUnitsTest fixture is defined in
+// gtest-param-test_test.h
 INSTANTIATE_TEST_CASE_P(Sequence2,
                         InstantiationInMultipleTranslaionUnitsTest,
                         Values(42*3, 42*4, 42*5));
 
-#endif  // GTEST_HAS_PARAM_TEST
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-port_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-port-test.cc
index 370c952b2c..399316f95b 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-port_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-port-test.cc
@@ -27,14 +27,11 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Authors: vladl@google.com (Vlad Losev), wan@google.com (Zhanyong Wan)
-//
 // This file tests the internal cross-platform support utilities.
+#include <stdio.h>
 
 #include "gtest/internal/gtest-port.h"
 
-#include <stdio.h>
-
 #if GTEST_OS_MAC
 # include <time.h>
 #endif  // GTEST_OS_MAC
@@ -45,15 +42,7 @@
 
 #include "gtest/gtest.h"
 #include "gtest/gtest-spi.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 using std::make_pair;
 using std::pair;
@@ -75,8 +64,8 @@ TEST(IsXDigitTest, WorksForNarrowAscii) {
 }
 
 TEST(IsXDigitTest, ReturnsFalseForNarrowNonAscii) {
-  EXPECT_FALSE(IsXDigit(static_cast<char>(0x80)));
-  EXPECT_FALSE(IsXDigit(static_cast<char>('0' | 0x80)));
+  EXPECT_FALSE(IsXDigit(static_cast<char>('\x80')));
+  EXPECT_FALSE(IsXDigit(static_cast<char>('0' | '\x80')));
 }
 
 TEST(IsXDigitTest, WorksForWideAscii) {
@@ -235,7 +224,7 @@ TEST(ScopedPtrTest, DefinesElementType) {
   StaticAssertTypeEq<int, ::testing::internal::scoped_ptr<int>::element_type>();
 }
 
-// TODO(vladl@google.com): Implement THE REST of scoped_ptr tests.
+// FIXME: Implement THE REST of scoped_ptr tests.
 
 TEST(GtestCheckSyntaxTest, BehavesLikeASingleStatement) {
   if (AlwaysFalse())
@@ -304,68 +293,61 @@ TEST(FormatCompilerIndependentFileLocationTest, FormatsUknownFileAndLine) {
   EXPECT_EQ("unknown file", FormatCompilerIndependentFileLocation(NULL, -1));
 }
 
-#if GTEST_OS_MAC || GTEST_OS_QNX
+#if GTEST_OS_LINUX || GTEST_OS_MAC || GTEST_OS_QNX || GTEST_OS_FUCHSIA
 void* ThreadFunc(void* data) {
-  pthread_mutex_t* mutex = static_cast<pthread_mutex_t*>(data);
-  pthread_mutex_lock(mutex);
-  pthread_mutex_unlock(mutex);
+  internal::Mutex* mutex = static_cast<internal::Mutex*>(data);
+  mutex->Lock();
+  mutex->Unlock();
   return NULL;
 }
 
 TEST(GetThreadCountTest, ReturnsCorrectValue) {
-  EXPECT_EQ(1U, GetThreadCount());
-  pthread_mutex_t mutex;
-  pthread_attr_t  attr;
+  const size_t starting_count = GetThreadCount();
   pthread_t       thread_id;
 
-  // TODO(vladl@google.com): turn mutex into internal::Mutex for automatic
-  // destruction.
-  pthread_mutex_init(&mutex, NULL);
-  pthread_mutex_lock(&mutex);
-  ASSERT_EQ(0, pthread_attr_init(&attr));
-  ASSERT_EQ(0, pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE));
-
-  const int status = pthread_create(&thread_id, &attr, &ThreadFunc, &mutex);
-  ASSERT_EQ(0, pthread_attr_destroy(&attr));
-  ASSERT_EQ(0, status);
-  EXPECT_EQ(2U, GetThreadCount());
-  pthread_mutex_unlock(&mutex);
+  internal::Mutex mutex;
+  {
+    internal::MutexLock lock(&mutex);
+    pthread_attr_t  attr;
+    ASSERT_EQ(0, pthread_attr_init(&attr));
+    ASSERT_EQ(0, pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE));
+
+    const int status = pthread_create(&thread_id, &attr, &ThreadFunc, &mutex);
+    ASSERT_EQ(0, pthread_attr_destroy(&attr));
+    ASSERT_EQ(0, status);
+    EXPECT_EQ(starting_count + 1, GetThreadCount());
+  }
 
   void* dummy;
   ASSERT_EQ(0, pthread_join(thread_id, &dummy));
 
-# if GTEST_OS_MAC
-
-  // MacOS X may not immediately report the updated thread count after
+  // The OS may not immediately report the updated thread count after
   // joining a thread, causing flakiness in this test. To counter that, we
   // wait for up to .5 seconds for the OS to report the correct value.
   for (int i = 0; i < 5; ++i) {
-    if (GetThreadCount() == 1)
+    if (GetThreadCount() == starting_count)
       break;
 
     SleepMilliseconds(100);
   }
 
-# endif  // GTEST_OS_MAC
-
-  EXPECT_EQ(1U, GetThreadCount());
-  pthread_mutex_destroy(&mutex);
+  EXPECT_EQ(starting_count, GetThreadCount());
 }
 #else
 TEST(GetThreadCountTest, ReturnsZeroWhenUnableToCountThreads) {
   EXPECT_EQ(0U, GetThreadCount());
 }
-#endif  // GTEST_OS_MAC || GTEST_OS_QNX
+#endif  // GTEST_OS_LINUX || GTEST_OS_MAC || GTEST_OS_QNX || GTEST_OS_FUCHSIA
 
 TEST(GtestCheckDeathTest, DiesWithCorrectOutputOnFailure) {
   const bool a_false_condition = false;
   const char regex[] =
 #ifdef _MSC_VER
-     "gtest-port_test\\.cc\\(\\d+\\):"
+     "googletest-port-test\\.cc\\(\\d+\\):"
 #elif GTEST_USES_POSIX_RE
-     "gtest-port_test\\.cc:[0-9]+"
+     "googletest-port-test\\.cc:[0-9]+"
 #else
-     "gtest-port_test\\.cc:\\d+"
+     "googletest-port-test\\.cc:\\d+"
 #endif  // _MSC_VER
      ".*a_false_condition.*Extra info.*";
 
@@ -389,15 +371,17 @@ TEST(GtestCheckDeathTest, LivesSilentlyOnSuccess) {
 // the platform. The test will produce compiler errors in case of failure.
 // For simplicity, we only cover the most important platforms here.
 TEST(RegexEngineSelectionTest, SelectsCorrectRegexEngine) {
-#if GTEST_HAS_POSIX_RE
+#if !GTEST_USES_PCRE
+# if GTEST_HAS_POSIX_RE
 
   EXPECT_TRUE(GTEST_USES_POSIX_RE);
 
-#else
+# else
 
   EXPECT_TRUE(GTEST_USES_SIMPLE_RE);
 
-#endif
+# endif
+#endif  // !GTEST_USES_PCRE
 }
 
 #if GTEST_USES_POSIX_RE
@@ -1214,16 +1198,16 @@ class DestructorTracker {
       : index_(GetNewIndex()) {}
   ~DestructorTracker() {
     // We never access DestructorCall::List() concurrently, so we don't need
-    // to protect this acccess with a mutex.
+    // to protect this access with a mutex.
     DestructorCall::List()[index_]->ReportDestroyed();
   }
 
  private:
-  static int GetNewIndex() {
+  static size_t GetNewIndex() {
     DestructorCall::List().push_back(new DestructorCall);
     return DestructorCall::List().size() - 1;
   }
-  const int index_;
+  const size_t index_;
 
   GTEST_DISALLOW_ASSIGN_(DestructorTracker);
 };
@@ -1240,25 +1224,18 @@ TEST(ThreadLocalTest, DestroysManagedObjectForOwnThreadWhenDying) {
   DestructorCall::ResetList();
 
   {
-    // The next line default constructs a DestructorTracker object as
-    // the default value of objects managed by thread_local_tracker.
     ThreadLocal<DestructorTracker> thread_local_tracker;
-    ASSERT_EQ(1U, DestructorCall::List().size());
-    ASSERT_FALSE(DestructorCall::List()[0]->CheckDestroyed());
+    ASSERT_EQ(0U, DestructorCall::List().size());
 
     // This creates another DestructorTracker object for the main thread.
     thread_local_tracker.get();
-    ASSERT_EQ(2U, DestructorCall::List().size());
+    ASSERT_EQ(1U, DestructorCall::List().size());
     ASSERT_FALSE(DestructorCall::List()[0]->CheckDestroyed());
-    ASSERT_FALSE(DestructorCall::List()[1]->CheckDestroyed());
   }
 
-  // Now thread_local_tracker has died.  It should have destroyed both the
-  // default value shared by all threads and the value for the main
-  // thread.
-  ASSERT_EQ(2U, DestructorCall::List().size());
+  // Now thread_local_tracker has died.
+  ASSERT_EQ(1U, DestructorCall::List().size());
   EXPECT_TRUE(DestructorCall::List()[0]->CheckDestroyed());
-  EXPECT_TRUE(DestructorCall::List()[1]->CheckDestroyed());
 
   DestructorCall::ResetList();
 }
@@ -1269,29 +1246,22 @@ TEST(ThreadLocalTest, DestroysManagedObjectAtThreadExit) {
   DestructorCall::ResetList();
 
   {
-    // The next line default constructs a DestructorTracker object as
-    // the default value of objects managed by thread_local_tracker.
     ThreadLocal<DestructorTracker> thread_local_tracker;
-    ASSERT_EQ(1U, DestructorCall::List().size());
-    ASSERT_FALSE(DestructorCall::List()[0]->CheckDestroyed());
+    ASSERT_EQ(0U, DestructorCall::List().size());
 
     // This creates another DestructorTracker object in the new thread.
     ThreadWithParam<ThreadParam> thread(
         &CallThreadLocalGet, &thread_local_tracker, NULL);
     thread.Join();
 
-    // The thread has exited, and we should have another DestroyedTracker
+    // The thread has exited, and we should have a DestroyedTracker
     // instance created for it. But it may not have been destroyed yet.
-    // The instance for the main thread should still persist.
-    ASSERT_EQ(2U, DestructorCall::List().size());
-    ASSERT_FALSE(DestructorCall::List()[0]->CheckDestroyed());
+    ASSERT_EQ(1U, DestructorCall::List().size());
   }
 
-  // The thread has exited and thread_local_tracker has died.  The default
-  // value should have been destroyed too.
-  ASSERT_EQ(2U, DestructorCall::List().size());
+  // The thread has exited and thread_local_tracker has died.
+  ASSERT_EQ(1U, DestructorCall::List().size());
   EXPECT_TRUE(DestructorCall::List()[0]->CheckDestroyed());
-  EXPECT_TRUE(DestructorCall::List()[1]->CheckDestroyed());
 
   DestructorCall::ResetList();
 }
@@ -1314,9 +1284,16 @@ TEST(WindowsTypesTest, HANDLEIsVoidStar) {
   StaticAssertTypeEq<HANDLE, void*>();
 }
 
+#if GTEST_OS_WINDOWS_MINGW && !defined(__MINGW64_VERSION_MAJOR)
+TEST(WindowsTypesTest, _CRITICAL_SECTIONIs_CRITICAL_SECTION) {
+  StaticAssertTypeEq<CRITICAL_SECTION, _CRITICAL_SECTION>();
+}
+#else
 TEST(WindowsTypesTest, CRITICAL_SECTIONIs_RTL_CRITICAL_SECTION) {
   StaticAssertTypeEq<CRITICAL_SECTION, _RTL_CRITICAL_SECTION>();
 }
+#endif
+
 #endif  // GTEST_OS_WINDOWS
 
 }  // namespace internal
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-printers_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-printers-test.cc
index 7b07fd105b..ea8369d27e 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-printers_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-printers-test.cc
@@ -26,15 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
-// Google Test - The Google C++ Testing Framework
+
+// Google Test - The Google C++ Testing and Mocking Framework
 //
 // This file tests the universal value printer.
 
-#include "gtest/gtest-printers.h"
-
 #include <ctype.h>
 #include <limits.h>
 #include <string.h>
@@ -48,15 +45,20 @@
 #include <utility>
 #include <vector>
 
+#include "gtest/gtest-printers.h"
 #include "gtest/gtest.h"
 
-// hash_map and hash_set are available under Visual C++.
-#if _MSC_VER
-# define GTEST_HAS_HASH_MAP_ 1  // Indicates that hash_map is available.
-# include <hash_map>            // NOLINT
-# define GTEST_HAS_HASH_SET_ 1  // Indicates that hash_set is available.
-# include <hash_set>            // NOLINT
-#endif  // GTEST_OS_WINDOWS
+#if GTEST_HAS_UNORDERED_MAP_
+# include <unordered_map>  // NOLINT
+#endif  // GTEST_HAS_UNORDERED_MAP_
+
+#if GTEST_HAS_UNORDERED_SET_
+# include <unordered_set>  // NOLINT
+#endif  // GTEST_HAS_UNORDERED_SET_
+
+#if GTEST_HAS_STD_FORWARD_LIST_
+# include <forward_list> // NOLINT
+#endif  // GTEST_HAS_STD_FORWARD_LIST_
 
 // Some user-defined types for testing the universal value printer.
 
@@ -183,6 +185,25 @@ inline ::std::ostream& operator<<(::std::ostream& os,
   return os << "StreamableTemplateInFoo: " << x.value();
 }
 
+// A user-defined streamable but recursivly-defined container type in
+// a user namespace, it mimics therefore std::filesystem::path or
+// boost::filesystem::path.
+class PathLike {
+ public:
+  struct iterator {
+    typedef PathLike value_type;
+  };
+
+  PathLike() {}
+
+  iterator begin() const { return iterator(); }
+  iterator end() const { return iterator(); }
+
+  friend ::std::ostream& operator<<(::std::ostream& os, const PathLike&) {
+    return os << "Streamable-PathLike";
+  }
+};
+
 }  // namespace foo
 
 namespace testing {
@@ -207,28 +228,14 @@ using ::testing::internal::Strings;
 using ::testing::internal::UniversalPrint;
 using ::testing::internal::UniversalPrinter;
 using ::testing::internal::UniversalTersePrint;
+#if GTEST_HAS_TR1_TUPLE || GTEST_HAS_STD_TUPLE_
 using ::testing::internal::UniversalTersePrintTupleFieldsToStrings;
-using ::testing::internal::string;
-
-// The hash_* classes are not part of the C++ standard.  STLport
-// defines them in namespace std.  MSVC defines them in ::stdext.  GCC
-// defines them in ::.
-#ifdef _STLP_HASH_MAP  // We got <hash_map> from STLport.
-using ::std::hash_map;
-using ::std::hash_set;
-using ::std::hash_multimap;
-using ::std::hash_multiset;
-#elif _MSC_VER
-using ::stdext::hash_map;
-using ::stdext::hash_set;
-using ::stdext::hash_multimap;
-using ::stdext::hash_multiset;
 #endif
 
 // Prints a value to a string using the universal value printer.  This
 // is a helper for testing UniversalPrinter<T>::Print() for various types.
 template <typename T>
-string Print(const T& value) {
+std::string Print(const T& value) {
   ::std::stringstream ss;
   UniversalPrinter<T>::Print(value, &ss);
   return ss.str();
@@ -238,7 +245,7 @@ string Print(const T& value) {
 // value printer.  This is a helper for testing
 // UniversalPrinter<T&>::Print() for various types.
 template <typename T>
-string PrintByRef(const T& value) {
+std::string PrintByRef(const T& value) {
   ::std::stringstream ss;
   UniversalPrinter<T&>::Print(value, &ss);
   return ss.str();
@@ -375,7 +382,7 @@ TEST(PrintBuiltInTypeTest, FloatingPoints) {
 // Since ::std::stringstream::operator<<(const void *) formats the pointer
 // output differently with different compilers, we have to create the expected
 // output first and use it as our expectation.
-static string PrintPointer(const void *p) {
+static std::string PrintPointer(const void* p) {
   ::std::stringstream expected_result_stream;
   expected_result_stream << p;
   return expected_result_stream.str();
@@ -563,7 +570,7 @@ struct Foo {
 TEST(PrintPointerTest, MemberVariablePointer) {
   EXPECT_TRUE(HasPrefix(Print(&Foo::value),
                         Print(sizeof(&Foo::value)) + "-byte object "));
-  int (Foo::*p) = NULL;  // NOLINT
+  int Foo::*p = NULL;  // NOLINT
   EXPECT_TRUE(HasPrefix(Print(p),
                         Print(sizeof(p)) + "-byte object "));
 }
@@ -588,7 +595,7 @@ TEST(PrintPointerTest, MemberFunctionPointer) {
 // The difference between this and Print() is that it ensures that the
 // argument is a reference to an array.
 template <typename T, size_t N>
-string PrintArrayHelper(T (&a)[N]) {
+std::string PrintArrayHelper(T (&a)[N]) {
   return Print(a);
 }
 
@@ -641,7 +648,7 @@ TEST(PrintArrayTest, WConstCharArrayWithTerminatingNul) {
 
 // Array of objects.
 TEST(PrintArrayTest, ObjectArray) {
-  string a[3] = { "Hi", "Hello", "Ni hao" };
+  std::string a[3] = {"Hi", "Hello", "Ni hao"};
   EXPECT_EQ("{ \"Hi\", \"Hello\", \"Ni hao\" }", PrintArrayHelper(a));
 }
 
@@ -778,22 +785,22 @@ TEST(PrintTypeWithGenericStreamingTest, TypeImplicitlyConvertible) {
   EXPECT_EQ("AllowsGenericStreamingAndImplicitConversionTemplate", Print(a));
 }
 
-#if GTEST_HAS_STRING_PIECE_
+#if GTEST_HAS_ABSL
 
-// Tests printing StringPiece.
+// Tests printing ::absl::string_view.
 
-TEST(PrintStringPieceTest, SimpleStringPiece) {
-  const StringPiece sp = "Hello";
+TEST(PrintStringViewTest, SimpleStringView) {
+  const ::absl::string_view sp = "Hello";
   EXPECT_EQ("\"Hello\"", Print(sp));
 }
 
-TEST(PrintStringPieceTest, UnprintableCharacters) {
+TEST(PrintStringViewTest, UnprintableCharacters) {
   const char str[] = "NUL (\0) and \r\t";
-  const StringPiece sp(str, sizeof(str) - 1);
+  const ::absl::string_view sp(str, sizeof(str) - 1);
   EXPECT_EQ("\"NUL (\\0) and \\r\\t\"", Print(sp));
 }
 
-#endif  // GTEST_HAS_STRING_PIECE_
+#endif  // GTEST_HAS_ABSL
 
 // Tests printing STL containers.
 
@@ -809,44 +816,44 @@ TEST(PrintStlContainerTest, NonEmptyDeque) {
   EXPECT_EQ("{ 1, 3 }", Print(non_empty));
 }
 
-#if GTEST_HAS_HASH_MAP_
+#if GTEST_HAS_UNORDERED_MAP_
 
 TEST(PrintStlContainerTest, OneElementHashMap) {
-  hash_map<int, char> map1;
+  ::std::unordered_map<int, char> map1;
   map1[1] = 'a';
   EXPECT_EQ("{ (1, 'a' (97, 0x61)) }", Print(map1));
 }
 
 TEST(PrintStlContainerTest, HashMultiMap) {
-  hash_multimap<int, bool> map1;
+  ::std::unordered_multimap<int, bool> map1;
   map1.insert(make_pair(5, true));
   map1.insert(make_pair(5, false));
 
   // Elements of hash_multimap can be printed in any order.
-  const string result = Print(map1);
+  const std::string result = Print(map1);
   EXPECT_TRUE(result == "{ (5, true), (5, false) }" ||
               result == "{ (5, false), (5, true) }")
                   << " where Print(map1) returns \"" << result << "\".";
 }
 
-#endif  // GTEST_HAS_HASH_MAP_
+#endif  // GTEST_HAS_UNORDERED_MAP_
 
-#if GTEST_HAS_HASH_SET_
+#if GTEST_HAS_UNORDERED_SET_
 
 TEST(PrintStlContainerTest, HashSet) {
-  hash_set<string> set1;
-  set1.insert("hello");
-  EXPECT_EQ("{ \"hello\" }", Print(set1));
+  ::std::unordered_set<int> set1;
+  set1.insert(1);
+  EXPECT_EQ("{ 1 }", Print(set1));
 }
 
 TEST(PrintStlContainerTest, HashMultiSet) {
   const int kSize = 5;
   int a[kSize] = { 1, 1, 2, 5, 1 };
-  hash_multiset<int> set1(a, a + kSize);
+  ::std::unordered_multiset<int> set1(a, a + kSize);
 
   // Elements of hash_multiset can be printed in any order.
-  const string result = Print(set1);
-  const string expected_pattern = "{ d, d, d, d, d }";  // d means a digit.
+  const std::string result = Print(set1);
+  const std::string expected_pattern = "{ d, d, d, d, d }";  // d means a digit.
 
   // Verifies the result matches the expected pattern; also extracts
   // the numbers in the result.
@@ -868,14 +875,11 @@ TEST(PrintStlContainerTest, HashMultiSet) {
   EXPECT_TRUE(std::equal(a, a + kSize, numbers.begin()));
 }
 
-#endif  // GTEST_HAS_HASH_SET_
+#endif  //  GTEST_HAS_UNORDERED_SET_
 
 TEST(PrintStlContainerTest, List) {
-  const string a[] = {
-    "hello",
-    "world"
-  };
-  const list<string> strings(a, a + 2);
+  const std::string a[] = {"hello", "world"};
+  const list<std::string> strings(a, a + 2);
   EXPECT_EQ("{ \"hello\", \"world\" }", Print(strings));
 }
 
@@ -913,6 +917,15 @@ TEST(PrintStlContainerTest, MultiSet) {
   EXPECT_EQ("{ 1, 1, 1, 2, 5 }", Print(set1));
 }
 
+#if GTEST_HAS_STD_FORWARD_LIST_
+
+TEST(PrintStlContainerTest, SinglyLinkedList) {
+  int a[] = { 9, 2, 8 };
+  const std::forward_list<int> ints(a, a + 3);
+  EXPECT_EQ("{ 9, 2, 8 }", Print(ints));
+}
+#endif  // GTEST_HAS_STD_FORWARD_LIST_
+
 TEST(PrintStlContainerTest, Pair) {
   pair<const bool, int> p(true, 5);
   EXPECT_EQ("(true, 5)", Print(p));
@@ -1020,8 +1033,9 @@ TEST(PrintTr1TupleTest, VariousSizes) {
   // VC++ 2010's implementation of tuple of C++0x is deficient, requiring
   // an explicit type cast of NULL to be used.
   ::std::tr1::tuple<bool, char, short, testing::internal::Int32,  // NOLINT
-      testing::internal::Int64, float, double, const char*, void*, string>
-      t10(false, 'a', 3, 4, 5, 1.5F, -2.5, str,
+                    testing::internal::Int64, float, double, const char*, void*,
+                    std::string>
+      t10(false, 'a', static_cast<short>(3), 4, 5, 1.5F, -2.5, str,  // NOLINT
           ImplicitCast_<void*>(NULL), "10");
   EXPECT_EQ("(false, 'a' (97, 0x61), 3, 4, 5, 1.5, -2.5, " + PrintPointer(str) +
             " pointing to \"8\", NULL, \"10\")",
@@ -1037,7 +1051,7 @@ TEST(PrintTr1TupleTest, NestedTuple) {
 
 #endif  // GTEST_HAS_TR1_TUPLE
 
-#if GTEST_LANG_CXX11
+#if GTEST_HAS_STD_TUPLE_
 // Tests printing ::std::tuples.
 
 // Tuples of various arities.
@@ -1079,8 +1093,9 @@ TEST(PrintStdTupleTest, VariousSizes) {
   // VC++ 2010's implementation of tuple of C++0x is deficient, requiring
   // an explicit type cast of NULL to be used.
   ::std::tuple<bool, char, short, testing::internal::Int32,  // NOLINT
-      testing::internal::Int64, float, double, const char*, void*, string>
-      t10(false, 'a', 3, 4, 5, 1.5F, -2.5, str,
+               testing::internal::Int64, float, double, const char*, void*,
+               std::string>
+      t10(false, 'a', static_cast<short>(3), 4, 5, 1.5F, -2.5, str,  // NOLINT
           ImplicitCast_<void*>(NULL), "10");
   EXPECT_EQ("(false, 'a' (97, 0x61), 3, 4, 5, 1.5, -2.5, " + PrintPointer(str) +
             " pointing to \"8\", NULL, \"10\")",
@@ -1096,6 +1111,12 @@ TEST(PrintStdTupleTest, NestedTuple) {
 
 #endif  // GTEST_LANG_CXX11
 
+#if GTEST_LANG_CXX11
+TEST(PrintNullptrT, Basic) {
+  EXPECT_EQ("(nullptr)", Print(nullptr));
+}
+#endif  // GTEST_LANG_CXX11
+
 // Tests printing user-defined unprintable types.
 
 // Unprintable types in the global namespace.
@@ -1143,6 +1164,15 @@ TEST(PrintStreamableTypeTest, TemplateTypeInUserNamespace) {
             Print(::foo::StreamableTemplateInFoo<int>()));
 }
 
+// Tests printing a user-defined recursive container type that has a <<
+// operator.
+TEST(PrintStreamableTypeTest, PathLikeInUserNamespace) {
+  ::foo::PathLike x;
+  EXPECT_EQ("Streamable-PathLike", Print(x));
+  const ::foo::PathLike cx;
+  EXPECT_EQ("Streamable-PathLike", Print(cx));
+}
+
 // Tests printing user-defined types that have a PrintTo() function.
 TEST(PrintPrintableTypeTest, InUserNamespace) {
   EXPECT_EQ("PrintableViaPrintTo: 0",
@@ -1162,37 +1192,6 @@ TEST(PrintPrintableTypeTest, TemplateInUserNamespace) {
             Print(::foo::PrintableViaPrintToTemplate<int>(5)));
 }
 
-#if GTEST_HAS_PROTOBUF_
-
-// Tests printing a short proto2 message.
-TEST(PrintProto2MessageTest, PrintsShortDebugStringWhenItIsShort) {
-  testing::internal::FooMessage msg;
-  msg.set_int_field(2);
-  msg.set_string_field("hello");
-  EXPECT_PRED2(RE::FullMatch, Print(msg),
-               "<int_field:\\s*2\\s+string_field:\\s*\"hello\">");
-}
-
-// Tests printing a long proto2 message.
-TEST(PrintProto2MessageTest, PrintsDebugStringWhenItIsLong) {
-  testing::internal::FooMessage msg;
-  msg.set_int_field(2);
-  msg.set_string_field("hello");
-  msg.add_names("peter");
-  msg.add_names("paul");
-  msg.add_names("mary");
-  EXPECT_PRED2(RE::FullMatch, Print(msg),
-               "<\n"
-               "int_field:\\s*2\n"
-               "string_field:\\s*\"hello\"\n"
-               "names:\\s*\"peter\"\n"
-               "names:\\s*\"paul\"\n"
-               "names:\\s*\"mary\"\n"
-               ">");
-}
-
-#endif  // GTEST_HAS_PROTOBUF_
-
 // Tests that the universal printer prints both the address and the
 // value of a reference.
 TEST(PrintReferenceTest, PrintsAddressAndValue) {
@@ -1216,13 +1215,13 @@ TEST(PrintReferenceTest, PrintsAddressAndValue) {
 // reference.
 TEST(PrintReferenceTest, HandlesFunctionPointer) {
   void (*fp)(int n) = &MyFunction;
-  const string fp_pointer_string =
+  const std::string fp_pointer_string =
       PrintPointer(reinterpret_cast<const void*>(&fp));
   // We cannot directly cast &MyFunction to const void* because the
   // standard disallows casting between pointers to functions and
   // pointers to objects, and some compilers (e.g. GCC 3.4) enforce
   // this limitation.
-  const string fp_string = PrintPointer(reinterpret_cast<const void*>(
+  const std::string fp_string = PrintPointer(reinterpret_cast<const void*>(
       reinterpret_cast<internal::BiggestInt>(fp)));
   EXPECT_EQ("@" + fp_pointer_string + " " + fp_string,
             PrintByRef(fp));
@@ -1247,7 +1246,7 @@ TEST(PrintReferenceTest, HandlesMemberFunctionPointer) {
 // Tests that the universal printer prints a member variable pointer
 // passed by reference.
 TEST(PrintReferenceTest, HandlesMemberVariablePointer) {
-  int (Foo::*p) = &Foo::value;  // NOLINT
+  int Foo::*p = &Foo::value;  // NOLINT
   EXPECT_TRUE(HasPrefix(
       PrintByRef(p),
       "@" + PrintPointer(&p) + " " + Print(sizeof(p)) + "-byte object "));
@@ -1280,7 +1279,7 @@ TEST(FormatForComparisonFailureMessageTest, FormatsNonCharArrayAsPointer) {
 }
 
 // Tests formatting a char pointer when it's compared with another pointer.
-// In this case we want to print it as a raw pointer, as the comparision is by
+// In this case we want to print it as a raw pointer, as the comparison is by
 // pointer.
 
 // char pointer vs pointer
@@ -1505,6 +1504,78 @@ TEST(PrintToStringTest, WorksForCharArrayWithEmbeddedNul) {
   EXPECT_PRINT_TO_STRING_(mutable_str_with_nul, "\"hello\\0 world\"");
 }
 
+  TEST(PrintToStringTest, ContainsNonLatin) {
+  // Sanity test with valid UTF-8. Prints both in hex and as text.
+  std::string non_ascii_str = ::std::string("오전 4:30");
+  EXPECT_PRINT_TO_STRING_(non_ascii_str,
+                          "\"\\xEC\\x98\\xA4\\xEC\\xA0\\x84 4:30\"\n"
+                          "    As Text: \"오전 4:30\"");
+  non_ascii_str = ::std::string("From ä — ẑ");
+  EXPECT_PRINT_TO_STRING_(non_ascii_str,
+                          "\"From \\xC3\\xA4 \\xE2\\x80\\x94 \\xE1\\xBA\\x91\""
+                          "\n    As Text: \"From ä — ẑ\"");
+}
+
+TEST(IsValidUTF8Test, IllFormedUTF8) {
+  // The following test strings are ill-formed UTF-8 and are printed
+  // as hex only (or ASCII, in case of ASCII bytes) because IsValidUTF8() is
+  // expected to fail, thus output does not contain "As Text:".
+
+  static const char *const kTestdata[][2] = {
+    // 2-byte lead byte followed by a single-byte character.
+    {"\xC3\x74", "\"\\xC3t\""},
+    // Valid 2-byte character followed by an orphan trail byte.
+    {"\xC3\x84\xA4", "\"\\xC3\\x84\\xA4\""},
+    // Lead byte without trail byte.
+    {"abc\xC3", "\"abc\\xC3\""},
+    // 3-byte lead byte, single-byte character, orphan trail byte.
+    {"x\xE2\x70\x94", "\"x\\xE2p\\x94\""},
+    // Truncated 3-byte character.
+    {"\xE2\x80", "\"\\xE2\\x80\""},
+    // Truncated 3-byte character followed by valid 2-byte char.
+    {"\xE2\x80\xC3\x84", "\"\\xE2\\x80\\xC3\\x84\""},
+    // Truncated 3-byte character followed by a single-byte character.
+    {"\xE2\x80\x7A", "\"\\xE2\\x80z\""},
+    // 3-byte lead byte followed by valid 3-byte character.
+    {"\xE2\xE2\x80\x94", "\"\\xE2\\xE2\\x80\\x94\""},
+    // 4-byte lead byte followed by valid 3-byte character.
+    {"\xF0\xE2\x80\x94", "\"\\xF0\\xE2\\x80\\x94\""},
+    // Truncated 4-byte character.
+    {"\xF0\xE2\x80", "\"\\xF0\\xE2\\x80\""},
+     // Invalid UTF-8 byte sequences embedded in other chars.
+    {"abc\xE2\x80\x94\xC3\x74xyc", "\"abc\\xE2\\x80\\x94\\xC3txyc\""},
+    {"abc\xC3\x84\xE2\x80\xC3\x84xyz",
+     "\"abc\\xC3\\x84\\xE2\\x80\\xC3\\x84xyz\""},
+    // Non-shortest UTF-8 byte sequences are also ill-formed.
+    // The classics: xC0, xC1 lead byte.
+    {"\xC0\x80", "\"\\xC0\\x80\""},
+    {"\xC1\x81", "\"\\xC1\\x81\""},
+    // Non-shortest sequences.
+    {"\xE0\x80\x80", "\"\\xE0\\x80\\x80\""},
+    {"\xf0\x80\x80\x80", "\"\\xF0\\x80\\x80\\x80\""},
+    // Last valid code point before surrogate range, should be printed as text,
+    // too.
+    {"\xED\x9F\xBF", "\"\\xED\\x9F\\xBF\"\n    As Text: \"퟿\""},
+    // Start of surrogate lead. Surrogates are not printed as text.
+    {"\xED\xA0\x80", "\"\\xED\\xA0\\x80\""},
+    // Last non-private surrogate lead.
+    {"\xED\xAD\xBF", "\"\\xED\\xAD\\xBF\""},
+    // First private-use surrogate lead.
+    {"\xED\xAE\x80", "\"\\xED\\xAE\\x80\""},
+    // Last private-use surrogate lead.
+    {"\xED\xAF\xBF", "\"\\xED\\xAF\\xBF\""},
+    // Mid-point of surrogate trail.
+    {"\xED\xB3\xBF", "\"\\xED\\xB3\\xBF\""},
+    // First valid code point after surrogate range, should be printed as text,
+    // too.
+    {"\xEE\x80\x80", "\"\\xEE\\x80\\x80\"\n    As Text: \"\""}
+  };
+
+  for (int i = 0; i < int(sizeof(kTestdata)/sizeof(kTestdata[0])); ++i) {
+    EXPECT_PRINT_TO_STRING_(kTestdata[i][0], kTestdata[i][1]);
+  }
+}
+
 #undef EXPECT_PRINT_TO_STRING_
 
 TEST(UniversalTersePrintTest, WorksForNonReference) {
@@ -1554,12 +1625,12 @@ TEST(UniversalPrintTest, WorksForCString) {
   const char* s1 = "abc";
   ::std::stringstream ss1;
   UniversalPrint(s1, &ss1);
-  EXPECT_EQ(PrintPointer(s1) + " pointing to \"abc\"", string(ss1.str()));
+  EXPECT_EQ(PrintPointer(s1) + " pointing to \"abc\"", std::string(ss1.str()));
 
   char* s2 = const_cast<char*>(s1);
   ::std::stringstream ss2;
   UniversalPrint(s2, &ss2);
-  EXPECT_EQ(PrintPointer(s2) + " pointing to \"abc\"", string(ss2.str()));
+  EXPECT_EQ(PrintPointer(s2) + " pointing to \"abc\"", std::string(ss2.str()));
 
   const char* s3 = NULL;
   ::std::stringstream ss3;
@@ -1646,6 +1717,32 @@ TEST(UniversalTersePrintTupleFieldsToStringsTestWithStd, PrintsTersely) {
 
 #endif  // GTEST_HAS_STD_TUPLE_
 
+#if GTEST_HAS_ABSL
+
+TEST(PrintOptionalTest, Basic) {
+  absl::optional<int> value;
+  EXPECT_EQ("(nullopt)", PrintToString(value));
+  value = {7};
+  EXPECT_EQ("(7)", PrintToString(value));
+  EXPECT_EQ("(1.1)", PrintToString(absl::optional<double>{1.1}));
+  EXPECT_EQ("(\"A\")", PrintToString(absl::optional<std::string>{"A"}));
+}
+
+struct NonPrintable {
+  unsigned char contents = 17;
+};
+
+TEST(PrintOneofTest, Basic) {
+  using Type = absl::variant<int, StreamableInGlobal, NonPrintable>;
+  EXPECT_EQ("('int' with value 7)", PrintToString(Type(7)));
+  EXPECT_EQ("('StreamableInGlobal' with value StreamableInGlobal)",
+            PrintToString(Type(StreamableInGlobal{})));
+  EXPECT_EQ(
+      "('testing::gtest_printers_test::NonPrintable' with value 1-byte object "
+      "<11>)",
+      PrintToString(Type(NonPrintable{})));
+}
+#endif  // GTEST_HAS_ABSL
+
 }  // namespace gtest_printers_test
 }  // namespace testing
-
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_shuffle_test.py b/security/nss/gtests/google_test/gtest/test/googletest-shuffle-test.py
index 30d0303d19..573cc5eca3 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_shuffle_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-shuffle-test.py
@@ -30,13 +30,11 @@
 
 """Verifies that test shuffling works."""
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import gtest_test_utils
 
-# Command to run the gtest_shuffle_test_ program.
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_shuffle_test_')
+# Command to run the googletest-shuffle-test_ program.
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-shuffle-test_')
 
 # The environment variables for test sharding.
 TOTAL_SHARDS_ENV_VAR = 'GTEST_TOTAL_SHARDS'
@@ -89,7 +87,7 @@ def GetTestsForAllIterations(extra_env, args):
 
   Args:
     extra_env: a map from environment variables to their values
-    args: command line flags to pass to gtest_shuffle_test_
+    args: command line flags to pass to googletest-shuffle-test_
 
   Returns:
     A list where the i-th element is the list of tests run in the i-th
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_shuffle_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-shuffle-test_.cc
index 6fb441bd4d..1fe5f6aba2 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_shuffle_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-shuffle-test_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Verifies that test shuffling works.
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-test-part_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-test-part-test.cc
index ca8ba933ae..cd2d6f9e85 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-test-part_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-test-part-test.cc
@@ -26,9 +26,6 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: mheule@google.com (Markus Heule)
-//
 
 #include "gtest/gtest-test-part.h"
 
@@ -203,6 +200,6 @@ TEST_F(TestPartResultArrayDeathTest, DiesWhenIndexIsOutOfBound) {
   EXPECT_DEATH_IF_SUPPORTED(results.GetTestPartResult(1), "");
 }
 
-// TODO(mheule@google.com): Add a test for the class HasNewFatalFailureHelper.
+// FIXME: Add a test for the class HasNewFatalFailureHelper.
 
 }  // namespace
diff --git a/security/nss/gtests/google_test/gtest/test/googletest-test2_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-test2_test.cc
new file mode 100644
index 0000000000..c2f98dc7d1
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/googletest-test2_test.cc
@@ -0,0 +1,61 @@
+// Copyright 2008, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+//
+// Tests for Google Test itself.  This verifies that the basic constructs of
+// Google Test work.
+
+#include "gtest/gtest.h"
+#include "googletest-param-test-test.h"
+
+using ::testing::Values;
+using ::testing::internal::ParamGenerator;
+
+// Tests that generators defined in a different translation unit
+// are functional. The test using extern_gen_2 is defined
+// in googletest-param-test-test.cc.
+ParamGenerator<int> extern_gen_2 = Values(33);
+
+// Tests that a parameterized test case can be defined in one translation unit
+// and instantiated in another. The test is defined in
+// googletest-param-test-test.cc and ExternalInstantiationTest fixture class is
+// defined in gtest-param-test_test.h.
+INSTANTIATE_TEST_CASE_P(MultiplesOf33,
+                        ExternalInstantiationTest,
+                        Values(33, 66));
+
+// Tests that a parameterized test case can be instantiated
+// in multiple translation units. Another instantiation is defined
+// in googletest-param-test-test.cc and
+// InstantiationInMultipleTranslaionUnitsTest fixture is defined in
+// gtest-param-test_test.h
+INSTANTIATE_TEST_CASE_P(Sequence2,
+                        InstantiationInMultipleTranslaionUnitsTest,
+                        Values(42*3, 42*4, 42*5));
+
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_test.py b/security/nss/gtests/google_test/gtest/test/googletest-throw-on-failure-test.py
index 5678ffeaf6..46cb9f6da3 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-throw-on-failure-test.py
@@ -31,12 +31,10 @@
 
 """Tests Google Test's throw-on-failure mode with exceptions disabled.
 
-This script invokes gtest_throw_on_failure_test_ (a program written with
+This script invokes googletest-throw-on-failure-test_ (a program written with
 Google Test) with different environments and command line flags.
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import gtest_test_utils
 
@@ -46,10 +44,10 @@ import gtest_test_utils
 # The command line flag for enabling/disabling the throw-on-failure mode.
 THROW_ON_FAILURE = 'gtest_throw_on_failure'
 
-# Path to the gtest_throw_on_failure_test_ program, compiled with
+# Path to the googletest-throw-on-failure-test_ program, compiled with
 # exceptions disabled.
 EXE_PATH = gtest_test_utils.GetTestExecutablePath(
-    'gtest_throw_on_failure_test_')
+    'googletest-throw-on-failure-test_')
 
 
 # Utilities.
@@ -75,13 +73,13 @@ def Run(command):
   return p.exited and p.exit_code == 0
 
 
-# The tests.  TODO(wan@google.com): refactor the class to share common
-# logic with code in gtest_break_on_failure_unittest.py.
+# The tests.  FIXME: refactor the class to share common
+# logic with code in googletest-break-on-failure-unittest.py.
 class ThrowOnFailureTest(gtest_test_utils.TestCase):
   """Tests the throw-on-failure mode."""
 
   def RunAndVerify(self, env_var_value, flag_value, should_fail):
-    """Runs gtest_throw_on_failure_test_ and verifies that it does
+    """Runs googletest-throw-on-failure-test_ and verifies that it does
     (or does not) exit with a non-zero code.
 
     Args:
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc
index 2b88fe3d9b..f9a2c6448a 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-throw-on-failure-test_.cc
@@ -26,13 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Tests Google Test's throw-on-failure mode with exceptions disabled.
 //
 // This program must be compiled with exceptions disabled.  It will be
-// invoked by gtest_throw_on_failure_test.py, and is expected to exit
+// invoked by googletest-throw-on-failure-test.py, and is expected to exit
 // with non-zero in the throw-on-failure mode or 0 otherwise.
 
 #include "gtest/gtest.h"
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-tuple_test.cc b/security/nss/gtests/google_test/gtest/test/googletest-tuple-test.cc
index bfaa3e0ac4..dd82c160f1 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-tuple_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-tuple-test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/internal/gtest-tuple.h"
 #include <utility>
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_uninitialized_test.py b/security/nss/gtests/google_test/gtest/test/googletest-uninitialized-test.py
index 6ae57eeeda..5b7d1e74f6 100755..100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_uninitialized_test.py
+++ b/security/nss/gtests/google_test/gtest/test/googletest-uninitialized-test.py
@@ -31,12 +31,9 @@
 
 """Verifies that Google Test warns the user when not initialized properly."""
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import gtest_test_utils
 
-
-COMMAND = gtest_test_utils.GetTestExecutablePath('gtest_uninitialized_test_')
+COMMAND = gtest_test_utils.GetTestExecutablePath('googletest-uninitialized-test_')
 
 
 def Assert(condition):
@@ -56,8 +53,8 @@ def TestExitCodeAndOutput(command):
 
   # Verifies that 'command' exits with code 1.
   p = gtest_test_utils.Subprocess(command)
-  Assert(p.exited)
-  AssertEq(1, p.exit_code)
+  if p.exited and p.exit_code == 0:
+    Assert('IMPORTANT NOTICE' in p.output);
   Assert('InitGoogleTest' in p.output)
 
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_uninitialized_test_.cc b/security/nss/gtests/google_test/gtest/test/googletest-uninitialized-test_.cc
index 44316987fb..b4434d51ee 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_uninitialized_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/googletest-uninitialized-test_.cc
@@ -26,16 +26,15 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/gtest.h"
 
 TEST(DummyTest, Dummy) {
   // This test doesn't verify anything.  We just need it to create a
   // realistic stage for testing the behavior of Google Test when
-  // RUN_ALL_TESTS() is called without testing::InitGoogleTest() being
-  // called first.
+  // RUN_ALL_TESTS() is called without
+  // testing::InitGoogleTest() being called first.
 }
 
 int main() {
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-typed-test2_test.cc b/security/nss/gtests/google_test/gtest/test/gtest-typed-test2_test.cc
index c284700b02..ed96421c67 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-typed-test2_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest-typed-test2_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include <vector>
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.cc b/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.cc
index c3e66c2db0..4e398697d6 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "test/gtest-typed-test_test.h"
 
@@ -36,6 +35,10 @@
 
 #include "gtest/gtest.h"
 
+#if _MSC_VER
+GTEST_DISABLE_MSC_WARNINGS_PUSH_(4127 /* conditional expression is constant */)
+#endif  //  _MSC_VER
+
 using testing::Test;
 
 // Used for testing that SetUpTestCase()/TearDownTestCase(), fixture
@@ -166,6 +169,40 @@ TYPED_TEST(NumericTest, DefaultIsZero) {
 
 }  // namespace library1
 
+// Tests that custom names work.
+template <typename T>
+class TypedTestWithNames : public Test {};
+
+class TypedTestNames {
+ public:
+  template <typename T>
+  static std::string GetName(int i) {
+    if (testing::internal::IsSame<T, char>::value) {
+      return std::string("char") + ::testing::PrintToString(i);
+    }
+    if (testing::internal::IsSame<T, int>::value) {
+      return std::string("int") + ::testing::PrintToString(i);
+    }
+  }
+};
+
+TYPED_TEST_CASE(TypedTestWithNames, TwoTypes, TypedTestNames);
+
+TYPED_TEST(TypedTestWithNames, TestCaseName) {
+  if (testing::internal::IsSame<TypeParam, char>::value) {
+    EXPECT_STREQ(::testing::UnitTest::GetInstance()
+                     ->current_test_info()
+                     ->test_case_name(),
+                 "TypedTestWithNames/char0");
+  }
+  if (testing::internal::IsSame<TypeParam, int>::value) {
+    EXPECT_STREQ(::testing::UnitTest::GetInstance()
+                     ->current_test_info()
+                     ->test_case_name(),
+                 "TypedTestWithNames/int1");
+  }
+}
+
 #endif  // GTEST_HAS_TYPED_TEST
 
 // This #ifdef block tests type-parameterized tests.
@@ -266,6 +303,46 @@ REGISTER_TYPED_TEST_CASE_P(DerivedTest,
 typedef Types<short, long> MyTwoTypes;
 INSTANTIATE_TYPED_TEST_CASE_P(My, DerivedTest, MyTwoTypes);
 
+// Tests that custom names work with type parametrized tests. We reuse the
+// TwoTypes from above here.
+template <typename T>
+class TypeParametrizedTestWithNames : public Test {};
+
+TYPED_TEST_CASE_P(TypeParametrizedTestWithNames);
+
+TYPED_TEST_P(TypeParametrizedTestWithNames, TestCaseName) {
+  if (testing::internal::IsSame<TypeParam, char>::value) {
+    EXPECT_STREQ(::testing::UnitTest::GetInstance()
+                     ->current_test_info()
+                     ->test_case_name(),
+                 "CustomName/TypeParametrizedTestWithNames/parChar0");
+  }
+  if (testing::internal::IsSame<TypeParam, int>::value) {
+    EXPECT_STREQ(::testing::UnitTest::GetInstance()
+                     ->current_test_info()
+                     ->test_case_name(),
+                 "CustomName/TypeParametrizedTestWithNames/parInt1");
+  }
+}
+
+REGISTER_TYPED_TEST_CASE_P(TypeParametrizedTestWithNames, TestCaseName);
+
+class TypeParametrizedTestNames {
+ public:
+  template <typename T>
+  static std::string GetName(int i) {
+    if (testing::internal::IsSame<T, char>::value) {
+      return std::string("parChar") + ::testing::PrintToString(i);
+    }
+    if (testing::internal::IsSame<T, int>::value) {
+      return std::string("parInt") + ::testing::PrintToString(i);
+    }
+  }
+};
+
+INSTANTIATE_TYPED_TEST_CASE_P(CustomName, TypeParametrizedTestWithNames,
+                              TwoTypes, TypeParametrizedTestNames);
+
 // Tests that multiple TYPED_TEST_CASE_P's can be defined in the same
 // translation unit.
 
@@ -344,6 +421,25 @@ REGISTER_TYPED_TEST_CASE_P(NumericTest,
 typedef Types<int, double> NumericTypes;
 INSTANTIATE_TYPED_TEST_CASE_P(My, NumericTest, NumericTypes);
 
+static const char* GetTestName() {
+  return testing::UnitTest::GetInstance()->current_test_info()->name();
+}
+// Test the stripping of space from test names
+template <typename T> class TrimmedTest : public Test { };
+TYPED_TEST_CASE_P(TrimmedTest);
+TYPED_TEST_P(TrimmedTest, Test1) { EXPECT_STREQ("Test1", GetTestName()); }
+TYPED_TEST_P(TrimmedTest, Test2) { EXPECT_STREQ("Test2", GetTestName()); }
+TYPED_TEST_P(TrimmedTest, Test3) { EXPECT_STREQ("Test3", GetTestName()); }
+TYPED_TEST_P(TrimmedTest, Test4) { EXPECT_STREQ("Test4", GetTestName()); }
+TYPED_TEST_P(TrimmedTest, Test5) { EXPECT_STREQ("Test5", GetTestName()); }
+REGISTER_TYPED_TEST_CASE_P(
+    TrimmedTest,
+    Test1, Test2,Test3 , Test4 ,Test5 );  // NOLINT
+template <typename T1, typename T2> struct MyPair {};
+// Be sure to try a type with a comma in its name just in case it matters.
+typedef Types<int, double, MyPair<int, int> > TrimTypes;
+INSTANTIATE_TYPED_TEST_CASE_P(My, TrimmedTest, TrimTypes);
+
 }  // namespace library2
 
 #endif  // GTEST_HAS_TYPED_TEST_P
@@ -358,4 +454,8 @@ INSTANTIATE_TYPED_TEST_CASE_P(My, NumericTest, NumericTypes);
 // must be defined). This dummy test keeps gtest_main linked in.
 TEST(DummyTest, TypedTestsAreNotSupportedOnThisPlatform) {}
 
+#if _MSC_VER
+GTEST_DISABLE_MSC_WARNINGS_POP_()  //  4127
+#endif                             //  _MSC_VER
+
 #endif  // #if !defined(GTEST_HAS_TYPED_TEST) && !defined(GTEST_HAS_TYPED_TEST_P)
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.h b/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.h
index 41d75704cf..2cce67c825 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.h
+++ b/security/nss/gtests/google_test/gtest/test/gtest-typed-test_test.h
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #ifndef GTEST_TEST_GTEST_TYPED_TEST_TEST_H_
 #define GTEST_TEST_GTEST_TYPED_TEST_TEST_H_
diff --git a/security/nss/gtests/google_test/gtest/test/gtest-unittest-api_test.cc b/security/nss/gtests/google_test/gtest/test/gtest-unittest-api_test.cc
index b1f51688af..f3ea03a596 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest-unittest-api_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest-unittest-api_test.cc
@@ -25,10 +25,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: vladl@google.com (Vlad Losev)
-//
-// The Google C++ Testing Framework (Google Test)
+// The Google C++ Testing and Mocking Framework (Google Test)
 //
 // This file contains tests verifying correctness of data provided via
 // UnitTest's public methods.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_all_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_all_test.cc
index 955aa62828..e61e36b1df 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_all_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_all_test.cc
@@ -26,21 +26,20 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// Tests for Google C++ Testing Framework (Google Test)
+// Tests for Google C++ Testing and Mocking Framework (Google Test)
 //
 // Sometimes it's desirable to build most of Google Test's own tests
 // by compiling a single file.  This file serves this purpose.
-#include "test/gtest-filepath_test.cc"
-#include "test/gtest-linked_ptr_test.cc"
-#include "test/gtest-message_test.cc"
-#include "test/gtest-options_test.cc"
-#include "test/gtest-port_test.cc"
+#include "test/googletest-filepath-test.cc"
+#include "test/googletest-linked-ptr-test.cc"
+#include "test/googletest-message-test.cc"
+#include "test/googletest-options-test.cc"
+#include "test/googletest-port-test.cc"
 #include "test/gtest_pred_impl_unittest.cc"
 #include "test/gtest_prod_test.cc"
-#include "test/gtest-test-part_test.cc"
+#include "test/googletest-test-part-test.cc"
 #include "test/gtest-typed-test_test.cc"
 #include "test/gtest-typed-test2_test.cc"
 #include "test/gtest_unittest.cc"
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc
new file mode 100644
index 0000000000..0eae8575f3
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_assert_by_exception_test.cc
@@ -0,0 +1,118 @@
+// Copyright 2009, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+// Tests Google Test's assert-by-exception mode with exceptions enabled.
+
+#include "gtest/gtest.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdexcept>
+
+class ThrowListener : public testing::EmptyTestEventListener {
+  void OnTestPartResult(const testing::TestPartResult& result) override {
+    if (result.type() == testing::TestPartResult::kFatalFailure) {
+      throw testing::AssertionException(result);
+    }
+  }
+};
+
+// Prints the given failure message and exits the program with
+// non-zero.  We use this instead of a Google Test assertion to
+// indicate a failure, as the latter is been tested and cannot be
+// relied on.
+void Fail(const char* msg) {
+  printf("FAILURE: %s\n", msg);
+  fflush(stdout);
+  exit(1);
+}
+
+static void AssertFalse() {
+  ASSERT_EQ(2, 3) << "Expected failure";
+}
+
+// Tests that an assertion failure throws a subclass of
+// std::runtime_error.
+TEST(Test, Test) {
+  // A successful assertion shouldn't throw.
+  try {
+    EXPECT_EQ(3, 3);
+  } catch(...) {
+    Fail("A successful assertion wrongfully threw.");
+  }
+
+  // A successful assertion shouldn't throw.
+  try {
+    EXPECT_EQ(3, 4);
+  } catch(...) {
+    Fail("A failed non-fatal assertion wrongfully threw.");
+  }
+
+  // A failed assertion should throw.
+  try {
+    AssertFalse();
+  } catch(const testing::AssertionException& e) {
+    if (strstr(e.what(), "Expected failure") != NULL)
+      throw;
+
+    printf("%s",
+           "A failed assertion did throw an exception of the right type, "
+           "but the message is incorrect.  Instead of containing \"Expected "
+           "failure\", it is:\n");
+    Fail(e.what());
+  } catch(...) {
+    Fail("A failed assertion threw the wrong type of exception.");
+  }
+  Fail("A failed assertion should've thrown but didn't.");
+}
+
+int kTestForContinuingTest = 0;
+
+TEST(Test, Test2) {
+  // FIXME: how to force Test2 to be after Test?
+  kTestForContinuingTest = 1;
+}
+
+int main(int argc, char** argv) {
+  testing::InitGoogleTest(&argc, argv);
+  testing::UnitTest::GetInstance()->listeners().Append(new ThrowListener);
+
+  int result = RUN_ALL_TESTS();
+  if (result == 0) {
+    printf("RUN_ALL_TESTS returned %d\n", result);
+    Fail("Expected failure instead.");
+  }
+
+  if (kTestForContinuingTest == 0) {
+    Fail("Should have continued with other tests, but did not.");
+  }
+  return 0;
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_environment_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_environment_test.cc
index 3cff19e70e..bc9524d663 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_environment_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_environment_test.cc
@@ -26,18 +26,14 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests using global test environments.
 
 #include <stdlib.h>
 #include <stdio.h>
 #include "gtest/gtest.h"
-
-#define GTEST_IMPLEMENTATION_ 1  // Required for the next #include.
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 GTEST_DECLARE_string_(filter);
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_help_test.py b/security/nss/gtests/google_test/gtest/test/gtest_help_test.py
index 093c838d9e..582d24c2dc 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_help_test.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_help_test.py
@@ -29,7 +29,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-"""Tests the --help flag of Google C++ Testing Framework.
+"""Tests the --help flag of Google C++ Testing and Mocking Framework.
 
 SYNOPSIS
        gtest_help_test.py --build_dir=BUILD/DIR
@@ -37,8 +37,6 @@ SYNOPSIS
        gtest_help_test.py
 """
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
-
 import os
 import re
 import gtest_test_utils
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_help_test_.cc b/security/nss/gtests/google_test/gtest/test/gtest_help_test_.cc
index 31f78c2441..750ae6ce95 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_help_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_help_test_.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // This program is meant to be run by gtest_help_test.py.  Do not run
 // it directly.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_json_test_utils.py b/security/nss/gtests/google_test/gtest/test/gtest_json_test_utils.py
new file mode 100644
index 0000000000..62bbfc288f
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_json_test_utils.py
@@ -0,0 +1,60 @@
+# Copyright 2018, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+"""Unit test utilities for gtest_json_output."""
+
+import re
+
+
+def normalize(obj):
+  """Normalize output object.
+
+  Args:
+     obj: Google Test's JSON output object to normalize.
+
+  Returns:
+     Normalized output without any references to transient information that may
+     change from run to run.
+  """
+  def _normalize(key, value):
+    if key == 'time':
+      return re.sub(r'^\d+(\.\d+)?s$', '*', value)
+    elif key == 'timestamp':
+      return re.sub(r'^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ$', '*', value)
+    elif key == 'failure':
+      value = re.sub(r'^.*[/\\](.*:)\d+\n', '\\1*\n', value)
+      return re.sub(r'Stack trace:\n(.|\n)*', 'Stack trace:\n*', value)
+    else:
+      return normalize(value)
+  if isinstance(obj, dict):
+    return {k: _normalize(k, v) for k, v in obj.items()}
+  if isinstance(obj, list):
+    return [normalize(x) for x in obj]
+  else:
+    return obj
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest.py b/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest.py
new file mode 100644
index 0000000000..3bba7ea2cf
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest.py
@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+#
+# Copyright 2006, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+"""Unit test for Google Test's --gtest_list_tests flag.
+
+A user can ask Google Test to list all tests by specifying the
+--gtest_list_tests flag. If output is requested, via --gtest_output=xml
+or --gtest_output=json, the tests are listed, with extra information in the
+output file.
+This script tests such functionality by invoking gtest_list_output_unittest_
+ (a program written with Google Test) the command line flags.
+"""
+
+import os
+import re
+import gtest_test_utils
+
+GTEST_LIST_TESTS_FLAG = '--gtest_list_tests'
+GTEST_OUTPUT_FLAG = '--gtest_output'
+
+EXPECTED_XML = """<\?xml version="1.0" encoding="UTF-8"\?>
+<testsuites tests="2" name="AllTests">
+  <testsuite name="FooTest" tests="2">
+    <testcase name="Test1" file=".*gtest_list_output_unittest_.cc" line="43" />
+    <testcase name="Test2" file=".*gtest_list_output_unittest_.cc" line="45" />
+  </testsuite>
+</testsuites>
+"""
+
+EXPECTED_JSON = """{
+  "tests": 2,
+  "name": "AllTests",
+  "testsuites": \[
+    {
+      "name": "FooTest",
+      "tests": 2,
+      "testsuite": \[
+        {
+          "name": "Test1",
+          "file": ".*gtest_list_output_unittest_.cc",
+          "line": 43
+        },
+        {
+          "name": "Test2",
+          "file": ".*gtest_list_output_unittest_.cc",
+          "line": 45
+        }
+      \]
+    }
+  \]
+}
+"""
+
+
+class GTestListTestsOutputUnitTest(gtest_test_utils.TestCase):
+  """Unit test for Google Test's list tests with output to file functionality.
+  """
+
+  def testXml(self):
+    """Verifies XML output for listing tests in a Google Test binary.
+
+    Runs a test program that generates an empty XML output, and
+    tests that the XML output is expected.
+    """
+    self._TestOutput('xml', EXPECTED_XML)
+
+  def testJSON(self):
+    """Verifies XML output for listing tests in a Google Test binary.
+
+    Runs a test program that generates an empty XML output, and
+    tests that the XML output is expected.
+    """
+    self._TestOutput('json', EXPECTED_JSON)
+
+  def _GetOutput(self, out_format):
+    file_path = os.path.join(gtest_test_utils.GetTempDir(),
+                             'test_out.' + out_format)
+    gtest_prog_path = gtest_test_utils.GetTestExecutablePath(
+        'gtest_list_output_unittest_')
+
+    command = ([
+        gtest_prog_path,
+        '%s=%s:%s' % (GTEST_OUTPUT_FLAG, out_format, file_path),
+        '--gtest_list_tests'
+    ])
+    environ_copy = os.environ.copy()
+    p = gtest_test_utils.Subprocess(
+        command, env=environ_copy, working_dir=gtest_test_utils.GetTempDir())
+
+    self.assert_(p.exited)
+    self.assertEquals(0, p.exit_code)
+    with open(file_path) as f:
+      result = f.read()
+    return result
+
+  def _TestOutput(self, test_format, expected_output):
+    actual = self._GetOutput(test_format)
+    actual_lines = actual.splitlines()
+    expected_lines = expected_output.splitlines()
+    line_count = 0
+    for actual_line in actual_lines:
+      expected_line = expected_lines[line_count]
+      expected_line_re = re.compile(expected_line.strip())
+      self.assert_(
+          expected_line_re.match(actual_line.strip()),
+          ('actual output of "%s",\n'
+           'which does not match expected regex of "%s"\n'
+           'on line %d' % (actual, expected_output, line_count)))
+      line_count = line_count + 1
+
+
+if __name__ == '__main__':
+  os.environ['GTEST_STACK_TRACE_DEPTH'] = '1'
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest_.cc b/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest_.cc
new file mode 100644
index 0000000000..b1c7b4de34
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_list_output_unittest_.cc
@@ -0,0 +1,51 @@
+// Copyright 2018, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Author: david.schuldenfrei@gmail.com (David Schuldenfrei)
+
+// Unit test for Google Test's --gtest_list_tests and --gtest_output flag.
+//
+// A user can ask Google Test to list all tests that will run,
+// and have the output saved in a Json/Xml file.
+// The tests will not be run after listing.
+//
+// This program will be invoked from a Python unit test.
+// Don't run it directly.
+
+#include "gtest/gtest.h"
+
+TEST(FooTest, Test1) {}
+
+TEST(FooTest, Test2) {}
+
+int main(int argc, char **argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+
+  return RUN_ALL_TESTS();
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_main_unittest.cc b/security/nss/gtests/google_test/gtest/test/gtest_main_unittest.cc
index ecd9bb876f..eddedeabe8 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_main_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_main_unittest.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 #include "gtest/gtest.h"
 
@@ -41,5 +40,5 @@ TEST(GTestMainTest, ShouldSucceed) {
 
 }  // namespace
 
-// We are using the main() function defined in src/gtest_main.cc, so
-// we don't define it here.
+// We are using the main() function defined in gtest_main.cc, so we
+// don't define it here.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_no_test_unittest.cc b/security/nss/gtests/google_test/gtest/test/gtest_no_test_unittest.cc
index 292599af8d..d4f88dbfdf 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_no_test_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_no_test_unittest.cc
@@ -29,8 +29,6 @@
 
 // Tests that a Google Test program that has no test defined can run
 // successfully.
-//
-// Author: wan@google.com (Zhanyong Wan)
 
 #include "gtest/gtest.h"
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc b/security/nss/gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc
index a84eff860a..b466c150ae 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_pred_impl_unittest.cc
@@ -27,7 +27,7 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// This file is AUTOMATICALLY GENERATED on 10/31/2011 by command
+// This file is AUTOMATICALLY GENERATED on 01/02/2018 by command
 // 'gen_gtest_pred_impl.py 5'.  DO NOT EDIT BY HAND!
 
 // Regression test for gtest_pred_impl.h
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_premature_exit_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_premature_exit_test.cc
index c1ed96866f..c1e93056d8 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_premature_exit_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_premature_exit_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests that Google Test manipulates the premature-exit-detection
 // file correctly.
@@ -44,10 +43,6 @@ using ::testing::internal::posix::StatStruct;
 
 namespace {
 
-// Is the TEST_PREMATURE_EXIT_FILE environment variable expected to be
-// set?
-const bool kTestPrematureExitFileEnvVarShouldBeSet = false;
-
 class PrematureExitTest : public Test {
  public:
   // Returns true iff the given file exists.
@@ -97,18 +92,6 @@ TEST_F(PrematureExitDeathTest, FileExistsDuringExecutionOfDeathTest) {
     }, "");
 }
 
-// Tests that TEST_PREMATURE_EXIT_FILE is set where it's expected to
-// be set.
-TEST_F(PrematureExitTest, TestPrematureExitFileEnvVarIsSet) {
-  GTEST_INTENTIONAL_CONST_COND_PUSH_()
-  if (kTestPrematureExitFileEnvVarShouldBeSet) {
-  GTEST_INTENTIONAL_CONST_COND_POP_()
-    const char* const filepath = GetEnv("TEST_PREMATURE_EXIT_FILE");
-    ASSERT_TRUE(filepath != NULL);
-    ASSERT_NE(*filepath, '\0');
-  }
-}
-
 // Tests that the premature-exit file exists during the execution of a
 // normal (non-death) test.
 TEST_F(PrematureExitTest, PrematureExitFileExistsDuringTestExecution) {
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_prod_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_prod_test.cc
index 060abce187..ede81a0d17 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_prod_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_prod_test.cc
@@ -26,13 +26,12 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// Unit test for include/gtest/gtest_prod.h.
+// Unit test for gtest_prod.h.
 
+#include "production.h"
 #include "gtest/gtest.h"
-#include "test/production.h"
 
 // Tests that private members can be accessed from a TEST declared as
 // a friend of the class.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_repeat_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_repeat_test.cc
index 481012adc2..1e8f499bb9 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_repeat_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_repeat_test.cc
@@ -26,23 +26,14 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Tests the --gtest_repeat=number flag.
 
 #include <stdlib.h>
 #include <iostream>
 #include "gtest/gtest.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 
@@ -75,7 +66,7 @@ namespace {
 
 
 // Used for verifying that global environment set-up and tear-down are
-// inside the gtest_repeat loop.
+// inside the --gtest_repeat loop.
 
 int g_environment_set_up_count = 0;
 int g_environment_tear_down_count = 0;
@@ -119,7 +110,6 @@ TEST(BarDeathTest, ThreadSafeAndFast) {
   EXPECT_DEATH_IF_SUPPORTED(::testing::internal::posix::Abort(), "");
 }
 
-#if GTEST_HAS_PARAM_TEST
 int g_param_test_count = 0;
 
 const int kNumberOfParamTests = 10;
@@ -127,15 +117,13 @@ const int kNumberOfParamTests = 10;
 class MyParamTest : public testing::TestWithParam<int> {};
 
 TEST_P(MyParamTest, ShouldPass) {
-  // TODO(vladl@google.com): Make parameter value checking robust
-  //                         WRT order of tests.
+  // FIXME: Make parameter value checking robust WRT order of tests.
   GTEST_CHECK_INT_EQ_(g_param_test_count % kNumberOfParamTests, GetParam());
   g_param_test_count++;
 }
 INSTANTIATE_TEST_CASE_P(MyParamSequence,
                         MyParamTest,
                         testing::Range(0, kNumberOfParamTests));
-#endif  // GTEST_HAS_PARAM_TEST
 
 // Resets the count for each test.
 void ResetCounts() {
@@ -144,9 +132,7 @@ void ResetCounts() {
   g_should_fail_count = 0;
   g_should_pass_count = 0;
   g_death_test_count = 0;
-#if GTEST_HAS_PARAM_TEST
   g_param_test_count = 0;
-#endif  // GTEST_HAS_PARAM_TEST
 }
 
 // Checks that the count for each test is expected.
@@ -156,9 +142,7 @@ void CheckCounts(int expected) {
   GTEST_CHECK_INT_EQ_(expected, g_should_fail_count);
   GTEST_CHECK_INT_EQ_(expected, g_should_pass_count);
   GTEST_CHECK_INT_EQ_(expected, g_death_test_count);
-#if GTEST_HAS_PARAM_TEST
   GTEST_CHECK_INT_EQ_(expected * kNumberOfParamTests, g_param_test_count);
-#endif  // GTEST_HAS_PARAM_TEST
 }
 
 // Tests the behavior of Google Test when --gtest_repeat is not specified.
@@ -201,9 +185,7 @@ void TestRepeatWithFilterForSuccessfulTests(int repeat) {
   GTEST_CHECK_INT_EQ_(0, g_should_fail_count);
   GTEST_CHECK_INT_EQ_(repeat, g_should_pass_count);
   GTEST_CHECK_INT_EQ_(repeat, g_death_test_count);
-#if GTEST_HAS_PARAM_TEST
   GTEST_CHECK_INT_EQ_(repeat * kNumberOfParamTests, g_param_test_count);
-#endif  // GTEST_HAS_PARAM_TEST
 }
 
 // Tests using --gtest_repeat when --gtest_filter specifies a set of
@@ -219,15 +201,14 @@ void TestRepeatWithFilterForFailedTests(int repeat) {
   GTEST_CHECK_INT_EQ_(repeat, g_should_fail_count);
   GTEST_CHECK_INT_EQ_(0, g_should_pass_count);
   GTEST_CHECK_INT_EQ_(0, g_death_test_count);
-#if GTEST_HAS_PARAM_TEST
   GTEST_CHECK_INT_EQ_(0, g_param_test_count);
-#endif  // GTEST_HAS_PARAM_TEST
 }
 
 }  // namespace
 
 int main(int argc, char **argv) {
   testing::InitGoogleTest(&argc, argv);
+
   testing::AddGlobalTestEnvironment(new MyEnvironment);
 
   TestRepeatUnspecified();
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_sole_header_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_sole_header_test.cc
index ccd091a281..1d94ac6b3a 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_sole_header_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_sole_header_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: mheule@google.com (Markus Heule)
+
 //
 // This test verifies that it's possible to use Google Test by including
 // the gtest.h header file alone.
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_stress_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_stress_test.cc
index e7daa430df..95ada39c33 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_stress_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_stress_test.cc
@@ -26,23 +26,16 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Tests that SCOPED_TRACE() and various Google Test assertions can be
 // used in a large number of threads concurrently.
 
 #include "gtest/gtest.h"
 
-#include <iostream>
 #include <vector>
 
-// We must define this macro in order to #include
-// gtest-internal-inl.h.  This is how Google Test prevents a user from
-// accidentally depending on its internal implementation.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 #if GTEST_IS_THREADSAFE
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_test_macro_stack_footprint_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_test_macro_stack_footprint_test.cc
new file mode 100644
index 0000000000..a48db05012
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_test_macro_stack_footprint_test.cc
@@ -0,0 +1,89 @@
+// Copyright 2013, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+//
+// Each TEST() expands to some static registration logic.  GCC puts all
+// such static initialization logic for a translation unit in a common,
+// internal function.  Since Google's build system restricts how much
+// stack space a function can use, there's a limit on how many TEST()s
+// one can put in a single C++ test file.  This test ensures that a large
+// number of TEST()s can be defined in the same translation unit.
+
+#include "gtest/gtest.h"
+
+// This macro defines 10 dummy tests.
+#define TEN_TESTS_(test_case_name) \
+  TEST(test_case_name, T0) {} \
+  TEST(test_case_name, T1) {} \
+  TEST(test_case_name, T2) {} \
+  TEST(test_case_name, T3) {} \
+  TEST(test_case_name, T4) {} \
+  TEST(test_case_name, T5) {} \
+  TEST(test_case_name, T6) {} \
+  TEST(test_case_name, T7) {} \
+  TEST(test_case_name, T8) {} \
+  TEST(test_case_name, T9) {}
+
+// This macro defines 100 dummy tests.
+#define HUNDRED_TESTS_(test_case_name_prefix) \
+  TEN_TESTS_(test_case_name_prefix ## 0) \
+  TEN_TESTS_(test_case_name_prefix ## 1) \
+  TEN_TESTS_(test_case_name_prefix ## 2) \
+  TEN_TESTS_(test_case_name_prefix ## 3) \
+  TEN_TESTS_(test_case_name_prefix ## 4) \
+  TEN_TESTS_(test_case_name_prefix ## 5) \
+  TEN_TESTS_(test_case_name_prefix ## 6) \
+  TEN_TESTS_(test_case_name_prefix ## 7) \
+  TEN_TESTS_(test_case_name_prefix ## 8) \
+  TEN_TESTS_(test_case_name_prefix ## 9)
+
+// This macro defines 1000 dummy tests.
+#define THOUSAND_TESTS_(test_case_name_prefix) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 0) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 1) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 2) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 3) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 4) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 5) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 6) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 7) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 8) \
+  HUNDRED_TESTS_(test_case_name_prefix ## 9)
+
+// Ensures that we can define 1000 TEST()s in the same translation
+// unit.
+THOUSAND_TESTS_(T)
+
+int main(int argc, char **argv) {
+  testing::InitGoogleTest(&argc, argv);
+
+  // We don't actually need to run the dummy tests - the purpose is to
+  // ensure that they compile.
+  return 0;
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_test_utils.py b/security/nss/gtests/google_test/gtest/test/gtest_test_utils.py
index 7e3cbcafd9..43cba8f4cd 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_test_utils.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_test_utils.py
@@ -1,5 +1,3 @@
-#!/usr/bin/env python
-#
 # Copyright 2006, Google Inc.
 # All rights reserved.
 #
@@ -29,20 +27,21 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-"""Unit test utilities for Google C++ Testing Framework."""
+"""Unit test utilities for Google C++ Testing and Mocking Framework."""
+# Suppresses the 'Import not at the top of the file' lint complaint.
+# pylint: disable-msg=C6204
+
+import os
+import sys
 
-__author__ = 'wan@google.com (Zhanyong Wan)'
+IS_WINDOWS = os.name == 'nt'
+IS_CYGWIN = os.name == 'posix' and 'CYGWIN' in os.uname()[0]
 
 import atexit
-import os
 import shutil
-import sys
 import tempfile
-import unittest
-_test_module = unittest
+import unittest as _test_module
 
-# Suppresses the 'Import not at the top of the file' lint complaint.
-# pylint: disable-msg=C6204
 try:
   import subprocess
   _SUBPROCESS_MODULE_AVAILABLE = True
@@ -53,9 +52,6 @@ except:
 
 GTEST_OUTPUT_VAR_NAME = 'GTEST_OUTPUT'
 
-IS_WINDOWS = os.name == 'nt'
-IS_CYGWIN = os.name == 'posix' and 'CYGWIN' in os.uname()[0]
-
 # The environment variable for specifying the path to the premature-exit file.
 PREMATURE_EXIT_FILE_ENV_VAR = 'TEST_PREMATURE_EXIT_FILE'
 
@@ -74,7 +70,7 @@ def SetEnvVar(env_var, value):
 # Here we expose a class from a particular module, depending on the
 # environment. The comment suppresses the 'Invalid variable name' lint
 # complaint.
-TestCase = _test_module.TestCase  # pylint: disable-msg=C6409
+TestCase = _test_module.TestCase  # pylint: disable=C6409
 
 # Initially maps a flag to its default value. After
 # _ParseAndStripGTestFlags() is called, maps a flag to its actual value.
@@ -88,7 +84,7 @@ def _ParseAndStripGTestFlags(argv):
 
   # Suppresses the lint complaint about a global variable since we need it
   # here to maintain module-wide state.
-  global _gtest_flags_are_parsed  # pylint: disable-msg=W0603
+  global _gtest_flags_are_parsed  # pylint: disable=W0603
   if _gtest_flags_are_parsed:
     return
 
@@ -145,8 +141,6 @@ atexit.register(_RemoveTempDir)
 
 
 def GetTempDir():
-  """Returns a directory for temporary files."""
-
   global _temp_dir
   if not _temp_dir:
     _temp_dir = tempfile.mkdtemp()
@@ -245,7 +239,7 @@ class Subprocess:
       p = subprocess.Popen(command,
                            stdout=subprocess.PIPE, stderr=stderr,
                            cwd=working_dir, universal_newlines=True, env=env)
-      # communicate returns a tuple with the file obect for the child's
+      # communicate returns a tuple with the file object for the child's
       # output.
       self.output = p.communicate()[0]
       self._return_code = p.returncode
@@ -312,7 +306,7 @@ def Main():
   _ParseAndStripGTestFlags(sys.argv)
   # The tested binaries should not be writing XML output files unless the
   # script explicitly instructs them to.
-  # TODO(vladl@google.com): Move this into Subprocess when we implement
+  # FIXME: Move this into Subprocess when we implement
   # passing environment into it as a parameter.
   if GTEST_OUTPUT_VAR_NAME in os.environ:
     del os.environ[GTEST_OUTPUT_VAR_NAME]
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test.py b/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test.py
new file mode 100644
index 0000000000..87ffad73d4
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+#
+# Copyright 2018 Google LLC. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+"""Verifies that Google Test uses filter provided via testbridge."""
+
+import os
+
+import gtest_test_utils
+
+binary_name = 'gtest_testbridge_test_'
+COMMAND = gtest_test_utils.GetTestExecutablePath(binary_name)
+TESTBRIDGE_NAME = 'TESTBRIDGE_TEST_ONLY'
+
+
+def Assert(condition):
+  if not condition:
+    raise AssertionError
+
+
+class GTestTestFilterTest(gtest_test_utils.TestCase):
+
+  def testTestExecutionIsFiltered(self):
+    """Tests that the test filter is picked up from the testbridge env var."""
+    subprocess_env = os.environ.copy()
+
+    subprocess_env[TESTBRIDGE_NAME] = '*.TestThatSucceeds'
+    p = gtest_test_utils.Subprocess(COMMAND, env=subprocess_env)
+
+    self.assertEquals(0, p.exit_code)
+
+    Assert('filter = *.TestThatSucceeds' in p.output)
+    Assert('[       OK ] TestFilterTest.TestThatSucceeds' in p.output)
+    Assert('[  PASSED  ] 1 test.' in p.output)
+
+
+if __name__ == '__main__':
+  gtest_test_utils.Main()
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test_.cc b/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test_.cc
new file mode 100644
index 0000000000..24617b209e
--- /dev/null
+++ b/security/nss/gtests/google_test/gtest/test/gtest_testbridge_test_.cc
@@ -0,0 +1,43 @@
+// Copyright 2018, Google LLC.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+// This program is meant to be run by gtest_test_filter_test.py.  Do not run
+// it directly.
+
+#include "gtest/gtest.h"
+
+// These tests are used to detect if filtering is working. Only
+// 'TestThatSucceeds' should ever run.
+
+TEST(TestFilterTest, TestThatSucceeds) {}
+
+TEST(TestFilterTest, TestThatFails) {
+  ASSERT_TRUE(false) << "This test should never be run.";
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc b/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc
index 8d46c76f16..93f59d49cf 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_throw_on_failure_ex_test.cc
@@ -26,8 +26,7 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 
 // Tests Google Test's throw-on-failure mode with exceptions enabled.
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_unittest.cc b/security/nss/gtests/google_test/gtest/test/gtest_unittest.cc
index 9625fa4e81..f7213fbf3e 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_unittest.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_unittest.cc
@@ -26,17 +26,16 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// Author: wan@google.com (Zhanyong Wan)
+
 //
 // Tests for Google Test itself.  This verifies that the basic constructs of
 // Google Test work.
 
 #include "gtest/gtest.h"
 
-// Verifies that the command line flag variables can be accessed
-// in code once <gtest/gtest.h> has been #included.
-// Do not move it after other #includes.
+// Verifies that the command line flag variables can be accessed in
+// code once "gtest.h" has been #included.
+// Do not move it after other gtest #includes.
 TEST(CommandLineFlagsTest, CanBeAccessedInCodeOnceGTestHIsIncluded) {
   bool dummy = testing::GTEST_FLAG(also_run_disabled_tests)
       || testing::GTEST_FLAG(break_on_failure)
@@ -64,17 +63,12 @@ TEST(CommandLineFlagsTest, CanBeAccessedInCodeOnceGTestHIsIncluded) {
 #include <map>
 #include <vector>
 #include <ostream>
+#if GTEST_LANG_CXX11
+#include <unordered_set>
+#endif  // GTEST_LANG_CXX11
 
 #include "gtest/gtest-spi.h"
-
-// Indicates that this translation unit is part of Google Test's
-// implementation.  It must come before gtest-internal-inl.h is
-// included, or there will be a compiler error.  This trick is to
-// prevent a user from accidentally including gtest-internal-inl.h in
-// his code.
-#define GTEST_IMPLEMENTATION_ 1
 #include "src/gtest-internal-inl.h"
-#undef GTEST_IMPLEMENTATION_
 
 namespace testing {
 namespace internal {
@@ -86,18 +80,19 @@ class StreamingListenerTest : public Test {
   class FakeSocketWriter : public StreamingListener::AbstractSocketWriter {
    public:
     // Sends a string to the socket.
-    virtual void Send(const string& message) { output_ += message; }
+    virtual void Send(const std::string& message) { output_ += message; }
 
-    string output_;
+    std::string output_;
   };
 
   StreamingListenerTest()
       : fake_sock_writer_(new FakeSocketWriter),
         streamer_(fake_sock_writer_),
-        test_info_obj_("FooTest", "Bar", NULL, NULL, 0, NULL) {}
+        test_info_obj_("FooTest", "Bar", NULL, NULL,
+                       CodeLocation(__FILE__, __LINE__), 0, NULL) {}
 
  protected:
-  string* output() { return &(fake_sock_writer_->output_); }
+  std::string* output() { return &(fake_sock_writer_->output_); }
 
   FakeSocketWriter* const fake_sock_writer_;
   StreamingListener streamer_;
@@ -265,6 +260,8 @@ using testing::internal::IsContainer;
 using testing::internal::IsContainerTest;
 using testing::internal::IsNotContainer;
 using testing::internal::NativeArray;
+using testing::internal::OsStackTraceGetter;
+using testing::internal::OsStackTraceGetterInterface;
 using testing::internal::ParseInt32Flag;
 using testing::internal::RelationToSourceCopy;
 using testing::internal::RelationToSourceReference;
@@ -281,13 +278,13 @@ using testing::internal::String;
 using testing::internal::TestEventListenersAccessor;
 using testing::internal::TestResultAccessor;
 using testing::internal::UInt32;
+using testing::internal::UnitTestImpl;
 using testing::internal::WideStringToUtf8;
 using testing::internal::edit_distance::CalculateOptimalEdits;
 using testing::internal::edit_distance::CreateUnifiedDiff;
 using testing::internal::edit_distance::EditType;
 using testing::internal::kMaxRandomSeed;
 using testing::internal::kTestTypeIdInGoogleTest;
-using testing::internal::scoped_ptr;
 using testing::kMaxStackTraceDepth;
 
 #if GTEST_HAS_STREAM_REDIRECTION
@@ -382,6 +379,31 @@ TEST(GetTestTypeIdTest, ReturnsTheSameValueInsideOrOutsideOfGoogleTest) {
   EXPECT_EQ(kTestTypeIdInGoogleTest, GetTestTypeId());
 }
 
+// Tests CanonicalizeForStdLibVersioning.
+
+using ::testing::internal::CanonicalizeForStdLibVersioning;
+
+TEST(CanonicalizeForStdLibVersioning, LeavesUnversionedNamesUnchanged) {
+  EXPECT_EQ("std::bind", CanonicalizeForStdLibVersioning("std::bind"));
+  EXPECT_EQ("std::_", CanonicalizeForStdLibVersioning("std::_"));
+  EXPECT_EQ("std::__foo", CanonicalizeForStdLibVersioning("std::__foo"));
+  EXPECT_EQ("gtl::__1::x", CanonicalizeForStdLibVersioning("gtl::__1::x"));
+  EXPECT_EQ("__1::x", CanonicalizeForStdLibVersioning("__1::x"));
+  EXPECT_EQ("::__1::x", CanonicalizeForStdLibVersioning("::__1::x"));
+}
+
+TEST(CanonicalizeForStdLibVersioning, ElidesDoubleUnderNames) {
+  EXPECT_EQ("std::bind", CanonicalizeForStdLibVersioning("std::__1::bind"));
+  EXPECT_EQ("std::_", CanonicalizeForStdLibVersioning("std::__1::_"));
+
+  EXPECT_EQ("std::bind", CanonicalizeForStdLibVersioning("std::__g::bind"));
+  EXPECT_EQ("std::_", CanonicalizeForStdLibVersioning("std::__g::_"));
+
+  EXPECT_EQ("std::bind",
+            CanonicalizeForStdLibVersioning("std::__google::bind"));
+  EXPECT_EQ("std::_", CanonicalizeForStdLibVersioning("std::__google::_"));
+}
+
 // Tests FormatTimeInMillisAsSeconds().
 
 TEST(FormatTimeInMillisAsSecondsTest, FormatsZero) {
@@ -421,10 +443,10 @@ class FormatEpochTimeInMillisAsIso8601Test : public Test {
   virtual void SetUp() {
     saved_tz_ = NULL;
 
-    GTEST_DISABLE_MSC_WARNINGS_PUSH_(4996 /* PR_GetEnvSecure, strdup: deprecated */)
-    if (PR_GetEnvSecure("TZ"))
-      saved_tz_ = strdup(PR_GetEnvSecure("TZ"));
-    GTEST_DISABLE_MSC_WARNINGS_POP_()
+    GTEST_DISABLE_MSC_DEPRECATED_PUSH_(/* getenv, strdup: deprecated */)
+    if (getenv("TZ"))
+      saved_tz_ = strdup(getenv("TZ"));
+    GTEST_DISABLE_MSC_DEPRECATED_POP_()
 
     // Set up the time zone for FormatEpochTimeInMillisAsIso8601 to use.  We
     // cannot use the local time zone because the function's output depends
@@ -442,7 +464,7 @@ class FormatEpochTimeInMillisAsIso8601Test : public Test {
     // tzset() distinguishes between the TZ variable being present and empty
     // and not being present, so we have to consider the case of time_zone
     // being NULL.
-#if _MSC_VER
+#if _MSC_VER || GTEST_OS_WINDOWS_MINGW
     // ...Unless it's MSVC, whose standard library's _putenv doesn't
     // distinguish between an empty and a missing variable.
     const std::string env_var =
@@ -546,7 +568,7 @@ TEST(CodePointToUtf8Test, CanEncode8To11Bits) {
 
   // 101 0111 0110 => 110-10101 10-110110
   // Some compilers (e.g., GCC on MinGW) cannot handle non-ASCII codepoints
-  // in wide strings and wide chars. In order to accomodate them, we have to
+  // in wide strings and wide chars. In order to accommodate them, we have to
   // introduce such character constants as integers.
   EXPECT_EQ("\xD5\xB6",
             CodePointToUtf8(static_cast<wchar_t>(0x576)));
@@ -1362,8 +1384,7 @@ class TestResultTest : public Test {
     // In order to test TestResult, we need to modify its internal
     // state, in particular the TestPartResult vector it holds.
     // test_part_results() returns a const reference to this vector.
-    // We cast it to a non-const object s.t. it can be modified (yes,
-    // this is a hack).
+    // We cast it to a non-const object s.t. it can be modified
     TPRVector* results1 = const_cast<TPRVector*>(
         &TestResultAccessor::test_part_results(*r1));
     TPRVector* results2 = const_cast<TPRVector*>(
@@ -1388,7 +1409,7 @@ class TestResultTest : public Test {
     delete r2;
   }
 
-  // Helper that compares two two TestPartResults.
+  // Helper that compares two TestPartResults.
   static void CompareTestPartResult(const TestPartResult& expected,
                                     const TestPartResult& actual) {
     EXPECT_EQ(expected.type(), actual.type());
@@ -1518,6 +1539,16 @@ TEST(TestResultPropertyTest, GetTestProperty) {
   EXPECT_DEATH_IF_SUPPORTED(test_result.GetTestProperty(-1), "");
 }
 
+// Tests the Test class.
+//
+// It's difficult to test every public method of this class (we are
+// already stretching the limit of Google Test by using it to test itself!).
+// Fortunately, we don't have to do that, as we are already testing
+// the functionalities of the Test class extensively by using Google Test
+// alone.
+//
+// Therefore, this section only contains one test.
+
 // Tests that GTestFlagSaver works on Windows and Mac.
 
 class GTestFlagSaverTest : public Test {
@@ -1661,6 +1692,8 @@ TEST(Int32FromGTestEnvTest, ReturnsDefaultWhenVariableIsNotSet) {
   EXPECT_EQ(10, Int32FromGTestEnv("temp", 10));
 }
 
+# if !defined(GTEST_GET_INT32_FROM_ENV_)
+
 // Tests that Int32FromGTestEnv() returns the default value when the
 // environment variable overflows as an Int32.
 TEST(Int32FromGTestEnvTest, ReturnsDefaultWhenValueOverflows) {
@@ -1685,6 +1718,8 @@ TEST(Int32FromGTestEnvTest, ReturnsDefaultWhenValueIsInvalid) {
   EXPECT_EQ(50, Int32FromGTestEnv("temp", 50));
 }
 
+# endif  // !defined(GTEST_GET_INT32_FROM_ENV_)
+
 // Tests that Int32FromGTestEnv() parses and returns the value of the
 // environment variable when it represents a valid decimal integer in
 // the range of an Int32.
@@ -1773,7 +1808,7 @@ TEST(Int32FromEnvOrDieDeathTest, AbortsOnFailure) {
 }
 
 // Tests that Int32FromEnvOrDie() aborts with an error message
-// if the variable cannot be represnted by an Int32.
+// if the variable cannot be represented by an Int32.
 TEST(Int32FromEnvOrDieDeathTest, AbortsOnInt32Overflow) {
   SetEnv(GTEST_FLAG_PREFIX_UPPER_ "VAR", "1234567891234567891234");
   EXPECT_DEATH_IF_SUPPORTED(
@@ -2055,8 +2090,8 @@ TEST_F(UnitTestRecordPropertyTest,
        AddRecordWithReservedKeysGeneratesCorrectPropertyList) {
   EXPECT_NONFATAL_FAILURE(
       Test::RecordProperty("name", "1"),
-      "'classname', 'name', 'status', 'time', 'type_param', and 'value_param'"
-      " are reserved");
+      "'classname', 'name', 'status', 'time', 'type_param', 'value_param',"
+      " 'file', and 'line' are reserved");
 }
 
 class UnitTestRecordPropertyTestEnvironment : public Environment {
@@ -2416,7 +2451,7 @@ TEST(StringAssertionTest, ASSERT_STREQ) {
   ASSERT_STREQ(p1, p2);
 
   EXPECT_FATAL_FAILURE(ASSERT_STREQ("bad", "good"),
-                       "Expected: \"bad\"");
+                       "  \"bad\"\n  \"good\"");
 }
 
 // Tests ASSERT_STREQ with NULL arguments.
@@ -2452,7 +2487,7 @@ TEST(StringAssertionTest, ASSERT_STRCASEEQ) {
 
   ASSERT_STRCASEEQ("", "");
   EXPECT_FATAL_FAILURE(ASSERT_STRCASEEQ("Hi", "hi2"),
-                       "(ignoring case)");
+                       "Ignoring case");
 }
 
 // Tests ASSERT_STRCASENE.
@@ -3101,13 +3136,13 @@ TEST(DISABLED_TestCase, DISABLED_TestShouldNotRun) {
   FAIL() << "Unexpected failure: Test in disabled test case should not be run.";
 }
 
-// Check that when all tests in a test case are disabled, SetupTestCase() and
+// Check that when all tests in a test case are disabled, SetUpTestCase() and
 // TearDownTestCase() are not called.
 class DisabledTestsTest : public Test {
  protected:
   static void SetUpTestCase() {
     FAIL() << "Unexpected failure: All tests disabled in test case. "
-              "SetupTestCase() should not be called.";
+              "SetUpTestCase() should not be called.";
   }
 
   static void TearDownTestCase() {
@@ -3246,7 +3281,7 @@ TEST_F(SingleEvaluationTest, ASSERT_STR) {
 
   // failed EXPECT_STRCASEEQ
   EXPECT_NONFATAL_FAILURE(EXPECT_STRCASEEQ(p1_++, p2_++),
-                          "ignoring case");
+                          "Ignoring case");
   EXPECT_EQ(s1_ + 2, p1_);
   EXPECT_EQ(s2_ + 2, p2_);
 }
@@ -3354,7 +3389,7 @@ class NoFatalFailureTest : public Test {
 
   void DoAssertNoFatalFailureOnFails() {
     ASSERT_NO_FATAL_FAILURE(Fails());
-    ADD_FAILURE() << "shold not reach here.";
+    ADD_FAILURE() << "should not reach here.";
   }
 
   void DoExpectNoFatalFailureOnFails() {
@@ -3514,35 +3549,39 @@ TEST(AssertionTest, EqFailure) {
       EqFailure("foo", "bar", foo_val, bar_val, false)
       .failure_message());
   EXPECT_STREQ(
-      "Value of: bar\n"
-      "  Actual: 6\n"
-      "Expected: foo\n"
-      "Which is: 5",
+      "Expected equality of these values:\n"
+      "  foo\n"
+      "    Which is: 5\n"
+      "  bar\n"
+      "    Which is: 6",
       msg1.c_str());
 
   const std::string msg2(
       EqFailure("foo", "6", foo_val, bar_val, false)
       .failure_message());
   EXPECT_STREQ(
-      "Value of: 6\n"
-      "Expected: foo\n"
-      "Which is: 5",
+      "Expected equality of these values:\n"
+      "  foo\n"
+      "    Which is: 5\n"
+      "  6",
       msg2.c_str());
 
   const std::string msg3(
       EqFailure("5", "bar", foo_val, bar_val, false)
       .failure_message());
   EXPECT_STREQ(
-      "Value of: bar\n"
-      "  Actual: 6\n"
-      "Expected: 5",
+      "Expected equality of these values:\n"
+      "  5\n"
+      "  bar\n"
+      "    Which is: 6",
       msg3.c_str());
 
   const std::string msg4(
       EqFailure("5", "6", foo_val, bar_val, false).failure_message());
   EXPECT_STREQ(
-      "Value of: 6\n"
-      "Expected: 5",
+      "Expected equality of these values:\n"
+      "  5\n"
+      "  6",
       msg4.c_str());
 
   const std::string msg5(
@@ -3550,10 +3589,12 @@ TEST(AssertionTest, EqFailure) {
                 std::string("\"x\""), std::string("\"y\""),
                 true).failure_message());
   EXPECT_STREQ(
-      "Value of: bar\n"
-      "  Actual: \"y\"\n"
-      "Expected: foo (ignoring case)\n"
-      "Which is: \"x\"",
+      "Expected equality of these values:\n"
+      "  foo\n"
+      "    Which is: \"x\"\n"
+      "  bar\n"
+      "    Which is: \"y\"\n"
+      "Ignoring case",
       msg5.c_str());
 }
 
@@ -3565,11 +3606,12 @@ TEST(AssertionTest, EqFailureWithDiff) {
   const std::string msg1(
       EqFailure("left", "right", left, right, false).failure_message());
   EXPECT_STREQ(
-      "Value of: right\n"
-      "  Actual: 1\\n2\\n3\\n4\\n5\\n6\\n7\\n8\\n9\\n11\\n12\\n13\\n14\n"
-      "Expected: left\n"
-      "Which is: "
+      "Expected equality of these values:\n"
+      "  left\n"
+      "    Which is: "
       "1\\n2XXX\\n3\\n5\\n6\\n7\\n8\\n9\\n10\\n11\\n12XXX\\n13\\n14\\n15\n"
+      "  right\n"
+      "    Which is: 1\\n2\\n3\\n4\\n5\\n6\\n7\\n8\\n9\\n11\\n12\\n13\\n14\n"
       "With diff:\n@@ -1,5 +1,6 @@\n 1\n-2XXX\n+2\n 3\n+4\n 5\n 6\n"
       "@@ -7,8 +8,6 @@\n 8\n 9\n-10\n 11\n-12XXX\n+12\n 13\n 14\n-15\n",
       msg1.c_str());
@@ -3644,7 +3686,7 @@ TEST(AssertionTest, AssertFalseWithAssertionResult) {
 }
 
 #ifdef __BORLANDC__
-// Restores warnings after previous "#pragma option push" supressed them
+// Restores warnings after previous "#pragma option push" suppressed them
 # pragma option pop
 #endif
 
@@ -3664,9 +3706,10 @@ TEST(ExpectTest, ASSERT_EQ_Double) {
 TEST(AssertionTest, ASSERT_EQ) {
   ASSERT_EQ(5, 2 + 3);
   EXPECT_FATAL_FAILURE(ASSERT_EQ(5, 2*3),
-                       "Value of: 2*3\n"
-                       "  Actual: 6\n"
-                       "Expected: 5");
+                       "Expected equality of these values:\n"
+                       "  5\n"
+                       "  2*3\n"
+                       "    Which is: 6");
 }
 
 // Tests ASSERT_EQ(NULL, pointer).
@@ -3674,7 +3717,7 @@ TEST(AssertionTest, ASSERT_EQ) {
 TEST(AssertionTest, ASSERT_EQ_NULL) {
   // A success.
   const char* p = NULL;
-  // Some older GCC versions may issue a spurious waring in this or the next
+  // Some older GCC versions may issue a spurious warning in this or the next
   // assertion statement. This warning should not be suppressed with
   // static_cast since the test verifies the ability to use bare NULL as the
   // expected parameter to the macro.
@@ -3683,7 +3726,7 @@ TEST(AssertionTest, ASSERT_EQ_NULL) {
   // A failure.
   static int n = 0;
   EXPECT_FATAL_FAILURE(ASSERT_EQ(NULL, &n),
-                       "Value of: &n\n");
+                       "  &n\n    Which is:");
 }
 #endif  // GTEST_CAN_COMPARE_NULL
 
@@ -3699,7 +3742,7 @@ TEST(ExpectTest, ASSERT_EQ_0) {
 
   // A failure.
   EXPECT_FATAL_FAILURE(ASSERT_EQ(0, 5.6),
-                       "Expected: 0");
+                       "  0\n  5.6");
 }
 
 // Tests ASSERT_NE.
@@ -3798,7 +3841,7 @@ void TestEq1(int x) {
 // Tests calling a test subroutine that's not part of a fixture.
 TEST(AssertionTest, NonFixtureSubroutine) {
   EXPECT_FATAL_FAILURE(TestEq1(2),
-                       "Value of: x");
+                       "  x\n    Which is: 2");
 }
 
 // An uncopyable class.
@@ -3847,7 +3890,8 @@ TEST(AssertionTest, AssertWorksWithUncopyableObject) {
   EXPECT_FATAL_FAILURE(TestAssertNonPositive(),
     "IsPositiveUncopyable(y) evaluates to false, where\ny evaluates to -1");
   EXPECT_FATAL_FAILURE(TestAssertEqualsUncopyable(),
-    "Value of: y\n  Actual: -1\nExpected: x\nWhich is: 5");
+                       "Expected equality of these values:\n"
+                       "  x\n    Which is: 5\n  y\n    Which is: -1");
 }
 
 // Tests that uncopyable objects can be used in expects.
@@ -3859,7 +3903,8 @@ TEST(AssertionTest, ExpectWorksWithUncopyableObject) {
     "IsPositiveUncopyable(y) evaluates to false, where\ny evaluates to -1");
   EXPECT_EQ(x, x);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(x, y),
-    "Value of: y\n  Actual: -1\nExpected: x\nWhich is: 5");
+                          "Expected equality of these values:\n"
+                          "  x\n    Which is: 5\n  y\n    Which is: -1");
 }
 
 enum NamedEnum {
@@ -3871,7 +3916,7 @@ TEST(AssertionTest, NamedEnum) {
   EXPECT_EQ(kE1, kE1);
   EXPECT_LT(kE1, kE2);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(kE1, kE2), "Which is: 0");
-  EXPECT_NONFATAL_FAILURE(EXPECT_EQ(kE1, kE2), "Actual: 1");
+  EXPECT_NONFATAL_FAILURE(EXPECT_EQ(kE1, kE2), "Which is: 1");
 }
 
 // The version of gcc used in XCode 2.2 has a bug and doesn't allow
@@ -3935,13 +3980,13 @@ TEST(AssertionTest, AnonymousEnum) {
 
   // ICE's in C++Builder.
   EXPECT_FATAL_FAILURE(ASSERT_EQ(kCaseA, kCaseB),
-                       "Value of: kCaseB");
+                       "  kCaseB\n    Which is: ");
   EXPECT_FATAL_FAILURE(ASSERT_EQ(kCaseA, kCaseC),
-                       "Actual: 42");
+                       "\n    Which is: 42");
 # endif
 
   EXPECT_FATAL_FAILURE(ASSERT_EQ(kCaseA, kCaseC),
-                       "Which is: -1");
+                       "\n    Which is: -1");
 }
 
 #endif  // !GTEST_OS_MAC && !defined(__SUNPRO_CC)
@@ -4367,7 +4412,7 @@ TEST(ExpectTest, ExpectFalseWithAssertionResult) {
 }
 
 #ifdef __BORLANDC__
-// Restores warnings after previous "#pragma option push" supressed them
+// Restores warnings after previous "#pragma option push" suppressed them
 # pragma option pop
 #endif
 
@@ -4375,9 +4420,10 @@ TEST(ExpectTest, ExpectFalseWithAssertionResult) {
 TEST(ExpectTest, EXPECT_EQ) {
   EXPECT_EQ(5, 2 + 3);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(5, 2*3),
-                          "Value of: 2*3\n"
-                          "  Actual: 6\n"
-                          "Expected: 5");
+                          "Expected equality of these values:\n"
+                          "  5\n"
+                          "  2*3\n"
+                          "    Which is: 6");
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(5, 2 - 3),
                           "2 - 3");
 }
@@ -4408,7 +4454,7 @@ TEST(ExpectTest, EXPECT_EQ_NULL) {
   // A failure.
   int n = 0;
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(NULL, &n),
-                          "Value of: &n\n");
+                          "  &n\n    Which is:");
 }
 #endif  // GTEST_CAN_COMPARE_NULL
 
@@ -4424,7 +4470,7 @@ TEST(ExpectTest, EXPECT_EQ_0) {
 
   // A failure.
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(0, 5.6),
-                          "Expected: 0");
+                          "  0\n  5.6");
 }
 
 // Tests EXPECT_NE.
@@ -4524,7 +4570,7 @@ TEST(ExpectTest, EXPECT_ANY_THROW) {
 TEST(ExpectTest, ExpectPrecedence) {
   EXPECT_EQ(1 < 2, true);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(true, true && false),
-                          "Value of: true && false");
+                          "  true && false\n    Which is: false");
 }
 
 
@@ -4641,7 +4687,7 @@ TEST(MacroTest, ADD_FAILURE_AT) {
   // Unfortunately, we cannot verify that the failure message contains
   // the right file path and line number the same way, as
   // EXPECT_NONFATAL_FAILURE() doesn't get to see the file path and
-  // line number.  Instead, we do that in gtest_output_test_.cc.
+  // line number.  Instead, we do that in googletest-output-test_.cc.
 }
 
 // Tests FAIL.
@@ -4671,14 +4717,14 @@ TEST(EqAssertionTest, Bool) {
   EXPECT_FATAL_FAILURE({
       bool false_value = false;
       ASSERT_EQ(false_value, true);
-    }, "Value of: true");
+    }, "  false_value\n    Which is: false\n  true");
 }
 
 // Tests using int values in {EXPECT|ASSERT}_EQ.
 TEST(EqAssertionTest, Int) {
   ASSERT_EQ(32, 32);
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(32, 33),
-                          "33");
+                          "  32\n  33");
 }
 
 // Tests using time_t values in {EXPECT|ASSERT}_EQ.
@@ -4695,9 +4741,9 @@ TEST(EqAssertionTest, Char) {
   ASSERT_EQ('z', 'z');
   const char ch = 'b';
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ('\0', ch),
-                          "ch");
+                          "  ch\n    Which is: 'b'");
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ('a', ch),
-                          "ch");
+                          "  ch\n    Which is: 'b'");
 }
 
 // Tests using wchar_t values in {EXPECT|ASSERT}_EQ.
@@ -4705,10 +4751,11 @@ TEST(EqAssertionTest, WideChar) {
   EXPECT_EQ(L'b', L'b');
 
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(L'\0', L'x'),
-                          "Value of: L'x'\n"
-                          "  Actual: L'x' (120, 0x78)\n"
-                          "Expected: L'\0'\n"
-                          "Which is: L'\0' (0, 0x0)");
+                          "Expected equality of these values:\n"
+                          "  L'\0'\n"
+                          "    Which is: L'\0' (0, 0x0)\n"
+                          "  L'x'\n"
+                          "    Which is: L'x' (120, 0x78)");
 
   static wchar_t wchar;
   wchar = L'b';
@@ -4716,7 +4763,7 @@ TEST(EqAssertionTest, WideChar) {
                           "wchar");
   wchar = 0x8119;
   EXPECT_FATAL_FAILURE(ASSERT_EQ(static_cast<wchar_t>(0x8120), wchar),
-                       "Value of: wchar");
+                       "  wchar\n    Which is: L'");
 }
 
 // Tests using ::std::string values in {EXPECT|ASSERT}_EQ.
@@ -4745,8 +4792,7 @@ TEST(EqAssertionTest, StdString) {
   static ::std::string str3(str1);
   str3.at(2) = '\0';
   EXPECT_FATAL_FAILURE(ASSERT_EQ(str1, str3),
-                       "Value of: str3\n"
-                       "  Actual: \"A \\0 in the middle\"");
+                       "  str3\n    Which is: \"A \\0 in the middle\"");
 }
 
 #if GTEST_HAS_STD_WSTRING
@@ -4866,9 +4912,9 @@ TEST(EqAssertionTest, CharPointer) {
   ASSERT_EQ(p1, p1);
 
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(p0, p2),
-                          "Value of: p2");
+                          "  p2\n    Which is:");
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(p1, p2),
-                          "p2");
+                          "  p2\n    Which is:");
   EXPECT_FATAL_FAILURE(ASSERT_EQ(reinterpret_cast<char*>(0x1234),
                                  reinterpret_cast<char*>(0xABC0)),
                        "ABC0");
@@ -4888,9 +4934,9 @@ TEST(EqAssertionTest, WideCharPointer) {
   EXPECT_EQ(p0, p0);
 
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(p0, p2),
-                          "Value of: p2");
+                          "  p2\n    Which is:");
   EXPECT_NONFATAL_FAILURE(EXPECT_EQ(p1, p2),
-                          "p2");
+                          "  p2\n    Which is:");
   void* pv3 = (void*)0x1234;  // NOLINT
   void* pv4 = (void*)0xABC0;  // NOLINT
   const wchar_t* p3 = reinterpret_cast<const wchar_t*>(pv3);
@@ -5319,6 +5365,59 @@ TEST_F(TestInfoTest, result) {
   ASSERT_EQ(0, GetTestResult(test_info)->total_part_count());
 }
 
+#define VERIFY_CODE_LOCATION \
+  const int expected_line = __LINE__ - 1; \
+  const TestInfo* const test_info = GetUnitTestImpl()->current_test_info(); \
+  ASSERT_TRUE(test_info); \
+  EXPECT_STREQ(__FILE__, test_info->file()); \
+  EXPECT_EQ(expected_line, test_info->line())
+
+TEST(CodeLocationForTEST, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+class CodeLocationForTESTF : public Test {
+};
+
+TEST_F(CodeLocationForTESTF, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+class CodeLocationForTESTP : public TestWithParam<int> {
+};
+
+TEST_P(CodeLocationForTESTP, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+INSTANTIATE_TEST_CASE_P(, CodeLocationForTESTP, Values(0));
+
+template <typename T>
+class CodeLocationForTYPEDTEST : public Test {
+};
+
+TYPED_TEST_CASE(CodeLocationForTYPEDTEST, int);
+
+TYPED_TEST(CodeLocationForTYPEDTEST, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+template <typename T>
+class CodeLocationForTYPEDTESTP : public Test {
+};
+
+TYPED_TEST_CASE_P(CodeLocationForTYPEDTESTP);
+
+TYPED_TEST_P(CodeLocationForTYPEDTESTP, Verify) {
+  VERIFY_CODE_LOCATION;
+}
+
+REGISTER_TYPED_TEST_CASE_P(CodeLocationForTYPEDTESTP, Verify);
+
+INSTANTIATE_TYPED_TEST_CASE_P(My, CodeLocationForTYPEDTESTP, int);
+
+#undef VERIFY_CODE_LOCATION
+
 // Tests setting up and tearing down a test case.
 
 class SetUpTestCaseTest : public Test {
@@ -5382,7 +5481,8 @@ TEST_F(SetUpTestCaseTest, Test2) {
   EXPECT_STREQ("123", shared_resource_);
 }
 
-// The InitGoogleTestTest test case tests testing::InitGoogleTest().
+
+// The ParseFlagsTest test case tests ParseGoogleTestFlagsOnly.
 
 // The Flags struct stores a copy of all Google Test flags.
 struct Flags {
@@ -5468,8 +5568,8 @@ struct Flags {
     return flags;
   }
 
-  // Creates a Flags struct where the gtest_random_seed flag has
-  // the given value.
+  // Creates a Flags struct where the gtest_random_seed flag has the given
+  // value.
   static Flags RandomSeed(Int32 random_seed) {
     Flags flags;
     flags.random_seed = random_seed;
@@ -5484,8 +5584,8 @@ struct Flags {
     return flags;
   }
 
-  // Creates a Flags struct where the gtest_shuffle flag has
-  // the given value.
+  // Creates a Flags struct where the gtest_shuffle flag has the given
+  // value.
   static Flags Shuffle(bool shuffle) {
     Flags flags;
     flags.shuffle = shuffle;
@@ -5533,8 +5633,8 @@ struct Flags {
   bool throw_on_failure;
 };
 
-// Fixture for testing InitGoogleTest().
-class InitGoogleTestTest : public Test {
+// Fixture for testing ParseGoogleTestFlagsOnly().
+class ParseFlagsTest : public Test {
  protected:
   // Clears the flags before each test.
   virtual void SetUp() {
@@ -5595,16 +5695,16 @@ class InitGoogleTestTest : public Test {
     const bool saved_help_flag = ::testing::internal::g_help_flag;
     ::testing::internal::g_help_flag = false;
 
-#if GTEST_HAS_STREAM_REDIRECTION
+# if GTEST_HAS_STREAM_REDIRECTION
     CaptureStdout();
-#endif
+# endif
 
     // Parses the command line.
     internal::ParseGoogleTestFlagsOnly(&argc1, const_cast<CharType**>(argv1));
 
-#if GTEST_HAS_STREAM_REDIRECTION
+# if GTEST_HAS_STREAM_REDIRECTION
     const std::string captured_stdout = GetCapturedStdout();
-#endif
+# endif
 
     // Verifies the flag values.
     CheckFlags(expected);
@@ -5617,7 +5717,7 @@ class InitGoogleTestTest : public Test {
     // help message for the flags it recognizes.
     EXPECT_EQ(should_print_help, ::testing::internal::g_help_flag);
 
-#if GTEST_HAS_STREAM_REDIRECTION
+# if GTEST_HAS_STREAM_REDIRECTION
     const char* const expected_help_fragment =
         "This program contains tests written using";
     if (should_print_help) {
@@ -5626,7 +5726,7 @@ class InitGoogleTestTest : public Test {
       EXPECT_PRED_FORMAT2(IsNotSubstring,
                           expected_help_fragment, captured_stdout);
     }
-#endif  // GTEST_HAS_STREAM_REDIRECTION
+# endif  // GTEST_HAS_STREAM_REDIRECTION
 
     ::testing::internal::g_help_flag = saved_help_flag;
   }
@@ -5634,14 +5734,14 @@ class InitGoogleTestTest : public Test {
   // This macro wraps TestParsingFlags s.t. the user doesn't need
   // to specify the array sizes.
 
-#define GTEST_TEST_PARSING_FLAGS_(argv1, argv2, expected, should_print_help) \
+# define GTEST_TEST_PARSING_FLAGS_(argv1, argv2, expected, should_print_help) \
   TestParsingFlags(sizeof(argv1)/sizeof(*argv1) - 1, argv1, \
                    sizeof(argv2)/sizeof(*argv2) - 1, argv2, \
                    expected, should_print_help)
 };
 
 // Tests parsing an empty command line.
-TEST_F(InitGoogleTestTest, Empty) {
+TEST_F(ParseFlagsTest, Empty) {
   const char* argv[] = {
     NULL
   };
@@ -5654,7 +5754,7 @@ TEST_F(InitGoogleTestTest, Empty) {
 }
 
 // Tests parsing a command line that has no flag.
-TEST_F(InitGoogleTestTest, NoFlag) {
+TEST_F(ParseFlagsTest, NoFlag) {
   const char* argv[] = {
     "foo.exe",
     NULL
@@ -5669,7 +5769,7 @@ TEST_F(InitGoogleTestTest, NoFlag) {
 }
 
 // Tests parsing a bad --gtest_filter flag.
-TEST_F(InitGoogleTestTest, FilterBad) {
+TEST_F(ParseFlagsTest, FilterBad) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_filter",
@@ -5686,7 +5786,7 @@ TEST_F(InitGoogleTestTest, FilterBad) {
 }
 
 // Tests parsing an empty --gtest_filter flag.
-TEST_F(InitGoogleTestTest, FilterEmpty) {
+TEST_F(ParseFlagsTest, FilterEmpty) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_filter=",
@@ -5702,7 +5802,7 @@ TEST_F(InitGoogleTestTest, FilterEmpty) {
 }
 
 // Tests parsing a non-empty --gtest_filter flag.
-TEST_F(InitGoogleTestTest, FilterNonEmpty) {
+TEST_F(ParseFlagsTest, FilterNonEmpty) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_filter=abc",
@@ -5718,7 +5818,7 @@ TEST_F(InitGoogleTestTest, FilterNonEmpty) {
 }
 
 // Tests parsing --gtest_break_on_failure.
-TEST_F(InitGoogleTestTest, BreakOnFailureWithoutValue) {
+TEST_F(ParseFlagsTest, BreakOnFailureWithoutValue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure",
@@ -5734,7 +5834,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureWithoutValue) {
 }
 
 // Tests parsing --gtest_break_on_failure=0.
-TEST_F(InitGoogleTestTest, BreakOnFailureFalse_0) {
+TEST_F(ParseFlagsTest, BreakOnFailureFalse_0) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure=0",
@@ -5750,7 +5850,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureFalse_0) {
 }
 
 // Tests parsing --gtest_break_on_failure=f.
-TEST_F(InitGoogleTestTest, BreakOnFailureFalse_f) {
+TEST_F(ParseFlagsTest, BreakOnFailureFalse_f) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure=f",
@@ -5766,7 +5866,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureFalse_f) {
 }
 
 // Tests parsing --gtest_break_on_failure=F.
-TEST_F(InitGoogleTestTest, BreakOnFailureFalse_F) {
+TEST_F(ParseFlagsTest, BreakOnFailureFalse_F) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure=F",
@@ -5783,7 +5883,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureFalse_F) {
 
 // Tests parsing a --gtest_break_on_failure flag that has a "true"
 // definition.
-TEST_F(InitGoogleTestTest, BreakOnFailureTrue) {
+TEST_F(ParseFlagsTest, BreakOnFailureTrue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure=1",
@@ -5799,7 +5899,7 @@ TEST_F(InitGoogleTestTest, BreakOnFailureTrue) {
 }
 
 // Tests parsing --gtest_catch_exceptions.
-TEST_F(InitGoogleTestTest, CatchExceptions) {
+TEST_F(ParseFlagsTest, CatchExceptions) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_catch_exceptions",
@@ -5815,7 +5915,7 @@ TEST_F(InitGoogleTestTest, CatchExceptions) {
 }
 
 // Tests parsing --gtest_death_test_use_fork.
-TEST_F(InitGoogleTestTest, DeathTestUseFork) {
+TEST_F(ParseFlagsTest, DeathTestUseFork) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_death_test_use_fork",
@@ -5832,7 +5932,7 @@ TEST_F(InitGoogleTestTest, DeathTestUseFork) {
 
 // Tests having the same flag twice with different values.  The
 // expected behavior is that the one coming last takes precedence.
-TEST_F(InitGoogleTestTest, DuplicatedFlags) {
+TEST_F(ParseFlagsTest, DuplicatedFlags) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_filter=a",
@@ -5849,7 +5949,7 @@ TEST_F(InitGoogleTestTest, DuplicatedFlags) {
 }
 
 // Tests having an unrecognized flag on the command line.
-TEST_F(InitGoogleTestTest, UnrecognizedFlag) {
+TEST_F(ParseFlagsTest, UnrecognizedFlag) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_break_on_failure",
@@ -5871,7 +5971,7 @@ TEST_F(InitGoogleTestTest, UnrecognizedFlag) {
 }
 
 // Tests having a --gtest_list_tests flag
-TEST_F(InitGoogleTestTest, ListTestsFlag) {
+TEST_F(ParseFlagsTest, ListTestsFlag) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_list_tests",
@@ -5887,7 +5987,7 @@ TEST_F(InitGoogleTestTest, ListTestsFlag) {
 }
 
 // Tests having a --gtest_list_tests flag with a "true" value
-TEST_F(InitGoogleTestTest, ListTestsTrue) {
+TEST_F(ParseFlagsTest, ListTestsTrue) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_list_tests=1",
@@ -5903,7 +6003,7 @@ TEST_F(InitGoogleTestTest, ListTestsTrue) {
 }
 
 // Tests having a --gtest_list_tests flag with a "false" value
-TEST_F(InitGoogleTestTest, ListTestsFalse) {
+TEST_F(ParseFlagsTest, ListTestsFalse) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_list_tests=0",
@@ -5919,7 +6019,7 @@ TEST_F(InitGoogleTestTest, ListTestsFalse) {
 }
 
 // Tests parsing --gtest_list_tests=f.
-TEST_F(InitGoogleTestTest, ListTestsFalse_f) {
+TEST_F(ParseFlagsTest, ListTestsFalse_f) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_list_tests=f",
@@ -5935,7 +6035,7 @@ TEST_F(InitGoogleTestTest, ListTestsFalse_f) {
 }
 
 // Tests parsing --gtest_list_tests=F.
-TEST_F(InitGoogleTestTest, ListTestsFalse_F) {
+TEST_F(ParseFlagsTest, ListTestsFalse_F) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_list_tests=F",
@@ -5951,7 +6051,7 @@ TEST_F(InitGoogleTestTest, ListTestsFalse_F) {
 }
 
 // Tests parsing --gtest_output (invalid).
-TEST_F(InitGoogleTestTest, OutputEmpty) {
+TEST_F(ParseFlagsTest, OutputEmpty) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_output",
@@ -5968,7 +6068,7 @@ TEST_F(InitGoogleTestTest, OutputEmpty) {
 }
 
 // Tests parsing --gtest_output=xml
-TEST_F(InitGoogleTestTest, OutputXml) {
+TEST_F(ParseFlagsTest, OutputXml) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_output=xml",
@@ -5984,7 +6084,7 @@ TEST_F(InitGoogleTestTest, OutputXml) {
 }
 
 // Tests parsing --gtest_output=xml:file
-TEST_F(InitGoogleTestTest, OutputXmlFile) {
+TEST_F(ParseFlagsTest, OutputXmlFile) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_output=xml:file",
@@ -6000,7 +6100,7 @@ TEST_F(InitGoogleTestTest, OutputXmlFile) {
 }
 
 // Tests parsing --gtest_output=xml:directory/path/
-TEST_F(InitGoogleTestTest, OutputXmlDirectory) {
+TEST_F(ParseFlagsTest, OutputXmlDirectory) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_output=xml:directory/path/",
@@ -6017,7 +6117,7 @@ TEST_F(InitGoogleTestTest, OutputXmlDirectory) {
 }
 
 // Tests having a --gtest_print_time flag
-TEST_F(InitGoogleTestTest, PrintTimeFlag) {
+TEST_F(ParseFlagsTest, PrintTimeFlag) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_print_time",
@@ -6033,7 +6133,7 @@ TEST_F(InitGoogleTestTest, PrintTimeFlag) {
 }
 
 // Tests having a --gtest_print_time flag with a "true" value
-TEST_F(InitGoogleTestTest, PrintTimeTrue) {
+TEST_F(ParseFlagsTest, PrintTimeTrue) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_print_time=1",
@@ -6049,7 +6149,7 @@ TEST_F(InitGoogleTestTest, PrintTimeTrue) {
 }
 
 // Tests having a --gtest_print_time flag with a "false" value
-TEST_F(InitGoogleTestTest, PrintTimeFalse) {
+TEST_F(ParseFlagsTest, PrintTimeFalse) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_print_time=0",
@@ -6065,7 +6165,7 @@ TEST_F(InitGoogleTestTest, PrintTimeFalse) {
 }
 
 // Tests parsing --gtest_print_time=f.
-TEST_F(InitGoogleTestTest, PrintTimeFalse_f) {
+TEST_F(ParseFlagsTest, PrintTimeFalse_f) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_print_time=f",
@@ -6081,7 +6181,7 @@ TEST_F(InitGoogleTestTest, PrintTimeFalse_f) {
 }
 
 // Tests parsing --gtest_print_time=F.
-TEST_F(InitGoogleTestTest, PrintTimeFalse_F) {
+TEST_F(ParseFlagsTest, PrintTimeFalse_F) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_print_time=F",
@@ -6097,7 +6197,7 @@ TEST_F(InitGoogleTestTest, PrintTimeFalse_F) {
 }
 
 // Tests parsing --gtest_random_seed=number
-TEST_F(InitGoogleTestTest, RandomSeed) {
+TEST_F(ParseFlagsTest, RandomSeed) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_random_seed=1000",
@@ -6113,7 +6213,7 @@ TEST_F(InitGoogleTestTest, RandomSeed) {
 }
 
 // Tests parsing --gtest_repeat=number
-TEST_F(InitGoogleTestTest, Repeat) {
+TEST_F(ParseFlagsTest, Repeat) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_repeat=1000",
@@ -6129,7 +6229,7 @@ TEST_F(InitGoogleTestTest, Repeat) {
 }
 
 // Tests having a --gtest_also_run_disabled_tests flag
-TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsFlag) {
+TEST_F(ParseFlagsTest, AlsoRunDisabledTestsFlag) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_also_run_disabled_tests",
@@ -6146,7 +6246,7 @@ TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsFlag) {
 }
 
 // Tests having a --gtest_also_run_disabled_tests flag with a "true" value
-TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsTrue) {
+TEST_F(ParseFlagsTest, AlsoRunDisabledTestsTrue) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_also_run_disabled_tests=1",
@@ -6163,7 +6263,7 @@ TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsTrue) {
 }
 
 // Tests having a --gtest_also_run_disabled_tests flag with a "false" value
-TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsFalse) {
+TEST_F(ParseFlagsTest, AlsoRunDisabledTestsFalse) {
     const char* argv[] = {
       "foo.exe",
       "--gtest_also_run_disabled_tests=0",
@@ -6180,7 +6280,7 @@ TEST_F(InitGoogleTestTest, AlsoRunDisabledTestsFalse) {
 }
 
 // Tests parsing --gtest_shuffle.
-TEST_F(InitGoogleTestTest, ShuffleWithoutValue) {
+TEST_F(ParseFlagsTest, ShuffleWithoutValue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_shuffle",
@@ -6196,7 +6296,7 @@ TEST_F(InitGoogleTestTest, ShuffleWithoutValue) {
 }
 
 // Tests parsing --gtest_shuffle=0.
-TEST_F(InitGoogleTestTest, ShuffleFalse_0) {
+TEST_F(ParseFlagsTest, ShuffleFalse_0) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_shuffle=0",
@@ -6211,9 +6311,8 @@ TEST_F(InitGoogleTestTest, ShuffleFalse_0) {
   GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags::Shuffle(false), false);
 }
 
-// Tests parsing a --gtest_shuffle flag that has a "true"
-// definition.
-TEST_F(InitGoogleTestTest, ShuffleTrue) {
+// Tests parsing a --gtest_shuffle flag that has a "true" definition.
+TEST_F(ParseFlagsTest, ShuffleTrue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_shuffle=1",
@@ -6229,7 +6328,7 @@ TEST_F(InitGoogleTestTest, ShuffleTrue) {
 }
 
 // Tests parsing --gtest_stack_trace_depth=number.
-TEST_F(InitGoogleTestTest, StackTraceDepth) {
+TEST_F(ParseFlagsTest, StackTraceDepth) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_stack_trace_depth=5",
@@ -6244,7 +6343,7 @@ TEST_F(InitGoogleTestTest, StackTraceDepth) {
   GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags::StackTraceDepth(5), false);
 }
 
-TEST_F(InitGoogleTestTest, StreamResultTo) {
+TEST_F(ParseFlagsTest, StreamResultTo) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_stream_result_to=localhost:1234",
@@ -6261,7 +6360,7 @@ TEST_F(InitGoogleTestTest, StreamResultTo) {
 }
 
 // Tests parsing --gtest_throw_on_failure.
-TEST_F(InitGoogleTestTest, ThrowOnFailureWithoutValue) {
+TEST_F(ParseFlagsTest, ThrowOnFailureWithoutValue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_throw_on_failure",
@@ -6277,7 +6376,7 @@ TEST_F(InitGoogleTestTest, ThrowOnFailureWithoutValue) {
 }
 
 // Tests parsing --gtest_throw_on_failure=0.
-TEST_F(InitGoogleTestTest, ThrowOnFailureFalse_0) {
+TEST_F(ParseFlagsTest, ThrowOnFailureFalse_0) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_throw_on_failure=0",
@@ -6294,7 +6393,7 @@ TEST_F(InitGoogleTestTest, ThrowOnFailureFalse_0) {
 
 // Tests parsing a --gtest_throw_on_failure flag that has a "true"
 // definition.
-TEST_F(InitGoogleTestTest, ThrowOnFailureTrue) {
+TEST_F(ParseFlagsTest, ThrowOnFailureTrue) {
   const char* argv[] = {
     "foo.exe",
     "--gtest_throw_on_failure=1",
@@ -6309,9 +6408,9 @@ TEST_F(InitGoogleTestTest, ThrowOnFailureTrue) {
   GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags::ThrowOnFailure(true), false);
 }
 
-#if GTEST_OS_WINDOWS
+# if GTEST_OS_WINDOWS
 // Tests parsing wide strings.
-TEST_F(InitGoogleTestTest, WideStrings) {
+TEST_F(ParseFlagsTest, WideStrings) {
   const wchar_t* argv[] = {
     L"foo.exe",
     L"--gtest_filter=Foo*",
@@ -6334,7 +6433,108 @@ TEST_F(InitGoogleTestTest, WideStrings) {
 
   GTEST_TEST_PARSING_FLAGS_(argv, argv2, expected_flags, false);
 }
-#endif  // GTEST_OS_WINDOWS
+# endif  // GTEST_OS_WINDOWS
+
+#if GTEST_USE_OWN_FLAGFILE_FLAG_
+class FlagfileTest : public ParseFlagsTest {
+ public:
+  virtual void SetUp() {
+    ParseFlagsTest::SetUp();
+
+    testdata_path_.Set(internal::FilePath(
+        testing::TempDir() + internal::GetCurrentExecutableName().string() +
+        "_flagfile_test"));
+    testing::internal::posix::RmDir(testdata_path_.c_str());
+    EXPECT_TRUE(testdata_path_.CreateFolder());
+  }
+
+  virtual void TearDown() {
+    testing::internal::posix::RmDir(testdata_path_.c_str());
+    ParseFlagsTest::TearDown();
+  }
+
+  internal::FilePath CreateFlagfile(const char* contents) {
+    internal::FilePath file_path(internal::FilePath::GenerateUniqueFileName(
+        testdata_path_, internal::FilePath("unique"), "txt"));
+    FILE* f = testing::internal::posix::FOpen(file_path.c_str(), "w");
+    fprintf(f, "%s", contents);
+    fclose(f);
+    return file_path;
+  }
+
+ private:
+  internal::FilePath testdata_path_;
+};
+
+// Tests an empty flagfile.
+TEST_F(FlagfileTest, Empty) {
+  internal::FilePath flagfile_path(CreateFlagfile(""));
+  std::string flagfile_flag =
+      std::string("--" GTEST_FLAG_PREFIX_ "flagfile=") + flagfile_path.c_str();
+
+  const char* argv[] = {
+    "foo.exe",
+    flagfile_flag.c_str(),
+    NULL
+  };
+
+  const char* argv2[] = {
+    "foo.exe",
+    NULL
+  };
+
+  GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags(), false);
+}
+
+// Tests passing a non-empty --gtest_filter flag via --gtest_flagfile.
+TEST_F(FlagfileTest, FilterNonEmpty) {
+  internal::FilePath flagfile_path(CreateFlagfile(
+      "--"  GTEST_FLAG_PREFIX_  "filter=abc"));
+  std::string flagfile_flag =
+      std::string("--" GTEST_FLAG_PREFIX_ "flagfile=") + flagfile_path.c_str();
+
+  const char* argv[] = {
+    "foo.exe",
+    flagfile_flag.c_str(),
+    NULL
+  };
+
+  const char* argv2[] = {
+    "foo.exe",
+    NULL
+  };
+
+  GTEST_TEST_PARSING_FLAGS_(argv, argv2, Flags::Filter("abc"), false);
+}
+
+// Tests passing several flags via --gtest_flagfile.
+TEST_F(FlagfileTest, SeveralFlags) {
+  internal::FilePath flagfile_path(CreateFlagfile(
+      "--"  GTEST_FLAG_PREFIX_  "filter=abc\n"
+      "--"  GTEST_FLAG_PREFIX_  "break_on_failure\n"
+      "--"  GTEST_FLAG_PREFIX_  "list_tests"));
+  std::string flagfile_flag =
+      std::string("--" GTEST_FLAG_PREFIX_ "flagfile=") + flagfile_path.c_str();
+
+  const char* argv[] = {
+    "foo.exe",
+    flagfile_flag.c_str(),
+    NULL
+  };
+
+  const char* argv2[] = {
+    "foo.exe",
+    NULL
+  };
+
+  Flags expected_flags;
+  expected_flags.break_on_failure = true;
+  expected_flags.filter = "abc";
+  expected_flags.list_tests = true;
+
+  GTEST_TEST_PARSING_FLAGS_(argv, argv2, expected_flags, false);
+}
+#endif  // GTEST_USE_OWN_FLAGFILE_FLAG_
 
 // Tests current_test_info() in UnitTest.
 class CurrentTestInfoTest : public Test {
@@ -6389,6 +6589,7 @@ TEST_F(CurrentTestInfoTest, WorksForSecondTestInATestCase) {
 
 }  // namespace testing
 
+
 // These two lines test that we can define tests in a namespace that
 // has the name "testing" and is nested in another namespace.
 namespace my_namespace {
@@ -6469,7 +6670,7 @@ TEST(StreamingAssertionsTest, Truth2) {
 }
 
 #ifdef __BORLANDC__
-// Restores warnings after previous "#pragma option push" supressed them
+// Restores warnings after previous "#pragma option push" suppressed them
 # pragma option pop
 #endif
 
@@ -6672,6 +6873,18 @@ TEST(ColoredOutputTest, UsesColorsWhenTermSupportsColors) {
   SetEnv("TERM", "screen-256color");  // TERM supports colors.
   EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
 
+  SetEnv("TERM", "tmux");  // TERM supports colors.
+  EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
+
+  SetEnv("TERM", "tmux-256color");  // TERM supports colors.
+  EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
+
+  SetEnv("TERM", "rxvt-unicode");  // TERM supports colors.
+  EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
+
+  SetEnv("TERM", "rxvt-unicode-256color");  // TERM supports colors.
+  EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
+
   SetEnv("TERM", "linux");  // TERM supports colors.
   EXPECT_TRUE(ShouldUseColor(true));  // Stdout is a TTY.
 
@@ -6707,14 +6920,6 @@ TEST(StaticAssertTypeEqTest, CompilesForEqualTypes) {
   StaticAssertTypeEq<int*, IntAlias*>();
 }
 
-TEST(GetCurrentOsStackTraceExceptTopTest, ReturnsTheStackTrace) {
-  testing::UnitTest* const unit_test = testing::UnitTest::GetInstance();
-
-  // We don't have a stack walker in Google Test yet.
-  EXPECT_STREQ("", GetCurrentOsStackTraceExceptTop(unit_test, 0).c_str());
-  EXPECT_STREQ("", GetCurrentOsStackTraceExceptTop(unit_test, 1).c_str());
-}
-
 TEST(HasNonfatalFailureTest, ReturnsFalseWhenThereIsNoFailure) {
   EXPECT_FALSE(HasNonfatalFailure());
 }
@@ -7166,7 +7371,7 @@ GTEST_TEST(AlternativeNameTest, Works) {  // GTEST_TEST is the same as TEST.
 
 // Tests for internal utilities necessary for implementation of the universal
 // printing.
-// TODO(vladl@google.com): Find a better home for them.
+// FIXME: Find a better home for them.
 
 class ConversionHelperBase {};
 class ConversionHelperDerived : public ConversionHelperBase {};
@@ -7350,6 +7555,50 @@ TEST(IsContainerTestTest, WorksForContainer) {
             sizeof(IsContainerTest<std::map<int, double> >(0)));
 }
 
+#if GTEST_LANG_CXX11
+struct ConstOnlyContainerWithPointerIterator {
+  using const_iterator = int*;
+  const_iterator begin() const;
+  const_iterator end() const;
+};
+
+struct ConstOnlyContainerWithClassIterator {
+  struct const_iterator {
+    const int& operator*() const;
+    const_iterator& operator++(/* pre-increment */);
+  };
+  const_iterator begin() const;
+  const_iterator end() const;
+};
+
+TEST(IsContainerTestTest, ConstOnlyContainer) {
+  EXPECT_EQ(sizeof(IsContainer),
+            sizeof(IsContainerTest<ConstOnlyContainerWithPointerIterator>(0)));
+  EXPECT_EQ(sizeof(IsContainer),
+            sizeof(IsContainerTest<ConstOnlyContainerWithClassIterator>(0)));
+}
+#endif  // GTEST_LANG_CXX11
+
+// Tests IsHashTable.
+struct AHashTable {
+  typedef void hasher;
+};
+struct NotReallyAHashTable {
+  typedef void hasher;
+  typedef void reverse_iterator;
+};
+TEST(IsHashTable, Basic) {
+  EXPECT_TRUE(testing::internal::IsHashTable<AHashTable>::value);
+  EXPECT_FALSE(testing::internal::IsHashTable<NotReallyAHashTable>::value);
+#if GTEST_LANG_CXX11
+  EXPECT_FALSE(testing::internal::IsHashTable<std::vector<int>>::value);
+  EXPECT_TRUE(testing::internal::IsHashTable<std::unordered_set<int>>::value);
+#endif  // GTEST_LANG_CXX11
+#if GTEST_HAS_HASH_SET_
+  EXPECT_TRUE(testing::internal::IsHashTable<__gnu_cxx::hash_set<int>>::value);
+#endif  // GTEST_HAS_HASH_SET_
+}
+
 // Tests ArrayEq().
 
 TEST(ArrayEqTest, WorksForDegeneratedArrays) {
@@ -7523,3 +7772,24 @@ TEST(SkipPrefixTest, DoesNotSkipWhenPrefixDoesNotMatch) {
   EXPECT_EQ(str, p);
 }
 
+// Tests ad_hoc_test_result().
+
+class AdHocTestResultTest : public testing::Test {
+ protected:
+  static void SetUpTestCase() {
+    FAIL() << "A failure happened inside SetUpTestCase().";
+  }
+};
+
+TEST_F(AdHocTestResultTest, AdHocTestResultForTestCaseShowsFailure) {
+  const testing::TestResult& test_result = testing::UnitTest::GetInstance()
+                                               ->current_test_case()
+                                               ->ad_hoc_test_result();
+  EXPECT_TRUE(test_result.Failed());
+}
+
+TEST_F(AdHocTestResultTest, AdHocTestResultTestForUnitTestDoesNotShowFailure) {
+  const testing::TestResult& test_result =
+      testing::UnitTest::GetInstance()->ad_hoc_test_result();
+  EXPECT_FALSE(test_result.Failed());
+}
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile1_test_.cc b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile1_test_.cc
index 531ced49d4..a38ebac839 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile1_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile1_test_.cc
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Author: keith.ray@gmail.com (Keith Ray)
-//
 // gtest_xml_outfile1_test_ writes some xml via TestProperty used by
 // gtest_xml_outfiles_test.py
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile2_test_.cc b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile2_test_.cc
index 7b400b2760..afaf15a5dc 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile2_test_.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfile2_test_.cc
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 //
-// Author: keith.ray@gmail.com (Keith Ray)
-//
 // gtest_xml_outfile2_test_ writes some xml via TestProperty used by
 // gtest_xml_outfiles_test.py
 
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfiles_test.py b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfiles_test.py
index 524e437e6c..2c031ff8db 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_outfiles_test.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_outfiles_test.py
@@ -31,15 +31,11 @@
 
 """Unit test for the gtest_xml_output module."""
 
-__author__ = "keith.ray@gmail.com (Keith Ray)"
-
 import os
 from xml.dom import minidom, Node
-
 import gtest_test_utils
 import gtest_xml_test_utils
 
-
 GTEST_OUTPUT_SUBDIR = "xml_outfiles"
 GTEST_OUTPUT_1_TEST = "gtest_xml_outfile1_test_"
 GTEST_OUTPUT_2_TEST = "gtest_xml_outfile2_test_"
@@ -47,7 +43,13 @@ GTEST_OUTPUT_2_TEST = "gtest_xml_outfile2_test_"
 EXPECTED_XML_1 = """<?xml version="1.0" encoding="UTF-8"?>
 <testsuites tests="1" failures="0" disabled="0" errors="0" time="*" timestamp="*" name="AllTests">
   <testsuite name="PropertyOne" tests="1" failures="0" disabled="0" errors="0" time="*">
-    <testcase name="TestSomeProperties" status="run" time="*" classname="PropertyOne" SetUpProp="1" TestSomeProperty="1" TearDownProp="1" />
+    <testcase name="TestSomeProperties" status="run" time="*" classname="PropertyOne">
+      <properties>
+        <property name="SetUpProp" value="1"/>
+        <property name="TestSomeProperty" value="1"/>
+        <property name="TearDownProp" value="1"/>
+      </properties>
+    </testcase>
   </testsuite>
 </testsuites>
 """
@@ -55,7 +57,13 @@ EXPECTED_XML_1 = """<?xml version="1.0" encoding="UTF-8"?>
 EXPECTED_XML_2 = """<?xml version="1.0" encoding="UTF-8"?>
 <testsuites tests="1" failures="0" disabled="0" errors="0" time="*" timestamp="*" name="AllTests">
   <testsuite name="PropertyTwo" tests="1" failures="0" disabled="0" errors="0" time="*">
-    <testcase name="TestSomeProperties" status="run" time="*" classname="PropertyTwo" SetUpProp="2" TestSomeProperty="2" TearDownProp="2" />
+    <testcase name="TestSomeProperties" status="run" time="*" classname="PropertyTwo">
+      <properties>
+        <property name="SetUpProp" value="2"/>
+        <property name="TestSomeProperty" value="2"/>
+        <property name="TearDownProp" value="2"/>
+      </properties>
+    </testcase>
   </testsuite>
 </testsuites>
 """
@@ -103,11 +111,11 @@ class GTestXMLOutFilesTest(gtest_xml_test_utils.GTestXMLTestCase):
     self.assert_(p.exited)
     self.assertEquals(0, p.exit_code)
 
-    # TODO(wan@google.com): libtool causes the built test binary to be
+    # FIXME: libtool causes the built test binary to be
     #   named lt-gtest_xml_outfiles_test_ instead of
-    #   gtest_xml_outfiles_test_.  To account for this possibillity, we
+    #   gtest_xml_outfiles_test_.  To account for this possibility, we
     #   allow both names in the following code.  We should remove this
-    #   hack when Chandler Carruth's libtool replacement tool is ready.
+    #   when libtool replacement tool is ready.
     output_file_name1 = test_name + ".xml"
     output_file1 = os.path.join(self.output_dir_, output_file_name1)
     output_file_name2 = 'lt-' + output_file_name1
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest.py b/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest.py
index f605d4ee2a..faedd4e6ce 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest.py
@@ -31,8 +31,6 @@
 
 """Unit test for the gtest_xml_output module"""
 
-__author__ = 'eefacm@gmail.com (Sean Mcafee)'
-
 import datetime
 import errno
 import os
@@ -43,19 +41,28 @@ from xml.dom import minidom, Node
 import gtest_test_utils
 import gtest_xml_test_utils
 
-
 GTEST_FILTER_FLAG = '--gtest_filter'
 GTEST_LIST_TESTS_FLAG = '--gtest_list_tests'
-GTEST_OUTPUT_FLAG         = "--gtest_output"
-GTEST_DEFAULT_OUTPUT_FILE = "test_detail.xml"
-GTEST_PROGRAM_NAME = "gtest_xml_output_unittest_"
+GTEST_OUTPUT_FLAG = '--gtest_output'
+GTEST_DEFAULT_OUTPUT_FILE = 'test_detail.xml'
+GTEST_PROGRAM_NAME = 'gtest_xml_output_unittest_'
+
+# The flag indicating stacktraces are not supported
+NO_STACKTRACE_SUPPORT_FLAG = '--no_stacktrace_support'
 
-SUPPORTS_STACK_TRACES = False
+# The environment variables for test sharding.
+TOTAL_SHARDS_ENV_VAR = 'GTEST_TOTAL_SHARDS'
+SHARD_INDEX_ENV_VAR = 'GTEST_SHARD_INDEX'
+SHARD_STATUS_FILE_ENV_VAR = 'GTEST_SHARD_STATUS_FILE'
+
+SUPPORTS_STACK_TRACES = NO_STACKTRACE_SUPPORT_FLAG not in sys.argv
 
 if SUPPORTS_STACK_TRACES:
   STACK_TRACE_TEMPLATE = '\nStack trace:\n*'
 else:
   STACK_TRACE_TEMPLATE = ''
+  # unittest.main() can't handle unknown flags
+  sys.argv.remove(NO_STACKTRACE_SUPPORT_FLAG)
 
 EXPECTED_NON_EMPTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
 <testsuites tests="23" failures="4" disabled="2" errors="0" time="*" timestamp="*" name="AllTests" ad_hoc_property="42">
@@ -64,20 +71,23 @@ EXPECTED_NON_EMPTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
   </testsuite>
   <testsuite name="FailedTest" tests="1" failures="1" disabled="0" errors="0" time="*">
     <testcase name="Fails" status="run" time="*" classname="FailedTest">
-      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Value of: 2&#x0A;Expected: 1" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
-Value of: 2
-Expected: 1%(stack)s]]></failure>
+      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Expected equality of these values:&#x0A;  1&#x0A;  2" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
+Expected equality of these values:
+  1
+  2%(stack)s]]></failure>
     </testcase>
   </testsuite>
   <testsuite name="MixedResultTest" tests="3" failures="1" disabled="1" errors="0" time="*">
     <testcase name="Succeeds" status="run" time="*" classname="MixedResultTest"/>
     <testcase name="Fails" status="run" time="*" classname="MixedResultTest">
-      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Value of: 2&#x0A;Expected: 1" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
-Value of: 2
-Expected: 1%(stack)s]]></failure>
-      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Value of: 3&#x0A;Expected: 2" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
-Value of: 3
-Expected: 2%(stack)s]]></failure>
+      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Expected equality of these values:&#x0A;  1&#x0A;  2" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
+Expected equality of these values:
+  1
+  2%(stack)s]]></failure>
+      <failure message="gtest_xml_output_unittest_.cc:*&#x0A;Expected equality of these values:&#x0A;  2&#x0A;  3" type=""><![CDATA[gtest_xml_output_unittest_.cc:*
+Expected equality of these values:
+  2
+  3%(stack)s]]></failure>
     </testcase>
     <testcase name="DISABLED_test" status="notrun" time="*" classname="MixedResultTest"/>
   </testsuite>
@@ -99,15 +109,45 @@ Invalid characters in brackets []%(stack)s]]></failure>
     <testcase name="DISABLED_test_not_run" status="notrun" time="*" classname="DisabledTest"/>
   </testsuite>
   <testsuite name="PropertyRecordingTest" tests="4" failures="0" disabled="0" errors="0" time="*" SetUpTestCase="yes" TearDownTestCase="aye">
-    <testcase name="OneProperty" status="run" time="*" classname="PropertyRecordingTest" key_1="1"/>
-    <testcase name="IntValuedProperty" status="run" time="*" classname="PropertyRecordingTest" key_int="1"/>
-    <testcase name="ThreeProperties" status="run" time="*" classname="PropertyRecordingTest" key_1="1" key_2="2" key_3="3"/>
-    <testcase name="TwoValuesForOneKeyUsesLastValue" status="run" time="*" classname="PropertyRecordingTest" key_1="2"/>
+    <testcase name="OneProperty" status="run" time="*" classname="PropertyRecordingTest">
+      <properties>
+        <property name="key_1" value="1"/>
+      </properties>
+    </testcase>
+    <testcase name="IntValuedProperty" status="run" time="*" classname="PropertyRecordingTest">
+      <properties>
+        <property name="key_int" value="1"/>
+      </properties>
+    </testcase>
+    <testcase name="ThreeProperties" status="run" time="*" classname="PropertyRecordingTest">
+      <properties>
+        <property name="key_1" value="1"/>
+        <property name="key_2" value="2"/>
+        <property name="key_3" value="3"/>
+      </properties>
+    </testcase>
+    <testcase name="TwoValuesForOneKeyUsesLastValue" status="run" time="*" classname="PropertyRecordingTest">
+      <properties>
+        <property name="key_1" value="2"/>
+      </properties>
+    </testcase>
   </testsuite>
   <testsuite name="NoFixtureTest" tests="3" failures="0" disabled="0" errors="0" time="*">
-     <testcase name="RecordProperty" status="run" time="*" classname="NoFixtureTest" key="1"/>
-     <testcase name="ExternalUtilityThatCallsRecordIntValuedProperty" status="run" time="*" classname="NoFixtureTest" key_for_utility_int="1"/>
-     <testcase name="ExternalUtilityThatCallsRecordStringValuedProperty" status="run" time="*" classname="NoFixtureTest" key_for_utility_string="1"/>
+     <testcase name="RecordProperty" status="run" time="*" classname="NoFixtureTest">
+       <properties>
+         <property name="key" value="1"/>
+       </properties>
+     </testcase>
+     <testcase name="ExternalUtilityThatCallsRecordIntValuedProperty" status="run" time="*" classname="NoFixtureTest">
+       <properties>
+         <property name="key_for_utility_int" value="1"/>
+       </properties>
+     </testcase>
+     <testcase name="ExternalUtilityThatCallsRecordStringValuedProperty" status="run" time="*" classname="NoFixtureTest">
+       <properties>
+         <property name="key_for_utility_string" value="1"/>
+       </properties>
+     </testcase>
   </testsuite>
   <testsuite name="Single/ValueParamTest" tests="4" failures="0" disabled="0" errors="0" time="*">
     <testcase name="HasValueParamAttribute/0" value_param="33" status="run" time="*" classname="Single/ValueParamTest" />
@@ -138,6 +178,23 @@ EXPECTED_FILTERED_TEST_XML = """<?xml version="1.0" encoding="UTF-8"?>
   </testsuite>
 </testsuites>"""
 
+EXPECTED_SHARDED_TEST_XML = """<?xml version="1.0" encoding="UTF-8"?>
+<testsuites tests="3" failures="0" disabled="0" errors="0" time="*" timestamp="*" name="AllTests" ad_hoc_property="42">
+  <testsuite name="SuccessfulTest" tests="1" failures="0" disabled="0" errors="0" time="*">
+    <testcase name="Succeeds" status="run" time="*" classname="SuccessfulTest"/>
+  </testsuite>
+  <testsuite name="NoFixtureTest" tests="1" failures="0" disabled="0" errors="0" time="*">
+     <testcase name="RecordProperty" status="run" time="*" classname="NoFixtureTest">
+       <properties>
+         <property name="key" value="1"/>
+       </properties>
+     </testcase>
+  </testsuite>
+  <testsuite name="Single/ValueParamTest" tests="1" failures="0" disabled="0" errors="0" time="*">
+    <testcase name="AnotherTestThatHasValueParamAttribute/1" value_param="42" status="run" time="*" classname="Single/ValueParamTest" />
+  </testsuite>
+</testsuites>"""
+
 EXPECTED_EMPTY_XML = """<?xml version="1.0" encoding="UTF-8"?>
 <testsuites tests="0" failures="0" disabled="0" errors="0" time="*"
             timestamp="*" name="AllTests">
@@ -179,7 +236,7 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
     Runs a test program that generates an empty XML output, and checks if
     the timestamp attribute in the testsuites tag is valid.
     """
-    actual = self._GetXmlOutput('gtest_no_test_unittest', [], 0)
+    actual = self._GetXmlOutput('gtest_no_test_unittest', [], {}, 0)
     date_time_str = actual.documentElement.getAttributeNode('timestamp').value
     # datetime.strptime() is only available in Python 2.5+ so we have to
     # parse the expected datetime manually.
@@ -236,7 +293,7 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
                '--shut_down_xml']
     p = gtest_test_utils.Subprocess(command)
     if p.terminated_by_signal:
-      # p.signal is avalable only if p.terminated_by_signal is True.
+      # p.signal is available only if p.terminated_by_signal is True.
       self.assertFalse(
           p.terminated_by_signal,
           '%s was killed by signal %d' % (GTEST_PROGRAM_NAME, p.signal))
@@ -259,7 +316,22 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
     self._TestXmlOutput(GTEST_PROGRAM_NAME, EXPECTED_FILTERED_TEST_XML, 0,
                         extra_args=['%s=SuccessfulTest.*' % GTEST_FILTER_FLAG])
 
-  def _GetXmlOutput(self, gtest_prog_name, extra_args, expected_exit_code):
+  def testShardedTestXmlOutput(self):
+    """Verifies XML output when run using multiple shards.
+
+    Runs a test program that executes only one shard and verifies that tests
+    from other shards do not show up in the XML output.
+    """
+
+    self._TestXmlOutput(
+        GTEST_PROGRAM_NAME,
+        EXPECTED_SHARDED_TEST_XML,
+        0,
+        extra_env={SHARD_INDEX_ENV_VAR: '0',
+                   TOTAL_SHARDS_ENV_VAR: '10'})
+
+  def _GetXmlOutput(self, gtest_prog_name, extra_args, extra_env,
+                    expected_exit_code):
     """
     Returns the xml output generated by running the program gtest_prog_name.
     Furthermore, the program's exit code must be expected_exit_code.
@@ -270,7 +342,11 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
 
     command = ([gtest_prog_path, '%s=xml:%s' % (GTEST_OUTPUT_FLAG, xml_path)] +
                extra_args)
-    p = gtest_test_utils.Subprocess(command)
+    environ_copy = os.environ.copy()
+    if extra_env:
+      environ_copy.update(extra_env)
+    p = gtest_test_utils.Subprocess(command, env=environ_copy)
+
     if p.terminated_by_signal:
       self.assert_(False,
                    '%s was killed by signal %d' % (gtest_prog_name, p.signal))
@@ -284,7 +360,7 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
     return actual
 
   def _TestXmlOutput(self, gtest_prog_name, expected_xml,
-                     expected_exit_code, extra_args=None):
+                     expected_exit_code, extra_args=None, extra_env=None):
     """
     Asserts that the XML document generated by running the program
     gtest_prog_name matches expected_xml, a string containing another
@@ -293,7 +369,7 @@ class GTestXMLOutputUnitTest(gtest_xml_test_utils.GTestXMLTestCase):
     """
 
     actual = self._GetXmlOutput(gtest_prog_name, extra_args or [],
-                                expected_exit_code)
+                                extra_env or {}, expected_exit_code)
     expected = minidom.parseString(expected_xml)
     self.NormalizeXml(actual.documentElement)
     self.AssertEquivalentNodes(expected.documentElement,
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc b/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc
index 48b8771b52..2ee8838005 100644
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_output_unittest_.cc
@@ -27,8 +27,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-// Author: eefacm@gmail.com (Sean Mcafee)
-
 // Unit test for Google Test XML output.
 //
 // A user can specify XML output in a Google Test program to run via
diff --git a/security/nss/gtests/google_test/gtest/test/gtest_xml_test_utils.py b/security/nss/gtests/google_test/gtest/test/gtest_xml_test_utils.py
index 3d0c3b2c2d..1e0358592f 100755
--- a/security/nss/gtests/google_test/gtest/test/gtest_xml_test_utils.py
+++ b/security/nss/gtests/google_test/gtest/test/gtest_xml_test_utils.py
@@ -1,5 +1,3 @@
-#!/usr/bin/env python
-#
 # Copyright 2006, Google Inc.
 # All rights reserved.
 #
@@ -31,15 +29,10 @@
 
 """Unit test utilities for gtest_xml_output"""
 
-__author__ = 'eefacm@gmail.com (Sean Mcafee)'
-
 import re
 from xml.dom import minidom, Node
-
 import gtest_test_utils
 
-
-GTEST_OUTPUT_FLAG         = '--gtest_output'
 GTEST_DEFAULT_OUTPUT_FILE = 'test_detail.xml'
 
 class GTestXMLTestCase(gtest_test_utils.TestCase):
@@ -108,19 +101,22 @@ class GTestXMLTestCase(gtest_test_utils.TestCase):
       self.AssertEquivalentNodes(child, actual_children[child_id])
 
   identifying_attribute = {
-    'testsuites': 'name',
-    'testsuite': 'name',
-    'testcase':  'name',
-    'failure':   'message',
-    }
+      'testsuites': 'name',
+      'testsuite': 'name',
+      'testcase': 'name',
+      'failure': 'message',
+      'property': 'name',
+  }
 
   def _GetChildren(self, element):
     """
     Fetches all of the child nodes of element, a DOM Element object.
     Returns them as the values of a dictionary keyed by the IDs of the
-    children.  For <testsuites>, <testsuite> and <testcase> elements, the ID
-    is the value of their "name" attribute; for <failure> elements, it is
-    the value of the "message" attribute; CDATA sections and non-whitespace
+    children.  For <testsuites>, <testsuite>, <testcase>, and <property>
+    elements, the ID is the value of their "name" attribute; for <failure>
+    elements, it is the value of the "message" attribute; for <properties>
+    elements, it is the value of their parent's "name" attribute plus the
+    literal string "properties"; CDATA sections and non-whitespace
     text nodes are concatenated into a single CDATA section with ID
     "detail".  An exception is raised if any element other than the above
     four is encountered, if two child elements with the same identifying
@@ -130,11 +126,17 @@ class GTestXMLTestCase(gtest_test_utils.TestCase):
     children = {}
     for child in element.childNodes:
       if child.nodeType == Node.ELEMENT_NODE:
-        self.assert_(child.tagName in self.identifying_attribute,
-                     'Encountered unknown element <%s>' % child.tagName)
-        childID = child.getAttribute(self.identifying_attribute[child.tagName])
-        self.assert_(childID not in children)
-        children[childID] = child
+        if child.tagName == 'properties':
+          self.assert_(child.parentNode is not None,
+                       'Encountered <properties> element without a parent')
+          child_id = child.parentNode.getAttribute('name') + '-properties'
+        else:
+          self.assert_(child.tagName in self.identifying_attribute,
+                       'Encountered unknown element <%s>' % child.tagName)
+          child_id = child.getAttribute(
+              self.identifying_attribute[child.tagName])
+        self.assert_(child_id not in children)
+        children[child_id] = child
       elif child.nodeType in [Node.TEXT_NODE, Node.CDATA_SECTION_NODE]:
         if 'detail' not in children:
           if (child.nodeType == Node.CDATA_SECTION_NODE or
@@ -187,8 +189,8 @@ class GTestXMLTestCase(gtest_test_utils.TestCase):
           # Replaces the source line information with a normalized form.
           cdata = re.sub(source_line_pat, '\\1*\n', child.nodeValue)
           # Removes the actual stack trace.
-          child.nodeValue = re.sub(r'\nStack trace:\n(.|\n)*',
-                                   '', cdata)
+          child.nodeValue = re.sub(r'Stack trace:\n(.|\n)*',
+                                   'Stack trace:\n*', cdata)
     for child in element.childNodes:
       if child.nodeType == Node.ELEMENT_NODE:
         self.NormalizeXml(child)
diff --git a/security/nss/gtests/google_test/gtest/test/production.cc b/security/nss/gtests/google_test/gtest/test/production.cc
index 8b8a40b44e..0f69f6dbd2 100644
--- a/security/nss/gtests/google_test/gtest/test/production.cc
+++ b/security/nss/gtests/google_test/gtest/test/production.cc
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// This is part of the unit test for include/gtest/gtest_prod.h.
+// This is part of the unit test for gtest_prod.h.
 
 #include "production.h"
 
diff --git a/security/nss/gtests/google_test/gtest/test/production.h b/security/nss/gtests/google_test/gtest/test/production.h
index 98fd5e476c..542723b708 100644
--- a/security/nss/gtests/google_test/gtest/test/production.h
+++ b/security/nss/gtests/google_test/gtest/test/production.h
@@ -26,10 +26,9 @@
 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 //
-// Author: wan@google.com (Zhanyong Wan)
-//
-// This is part of the unit test for include/gtest/gtest_prod.h.
+// This is part of the unit test for gtest_prod.h.
 
 #ifndef GTEST_TEST_PRODUCTION_H_
 #define GTEST_TEST_PRODUCTION_H_
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/DebugProject.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/DebugProject.xcconfig
index 3d68157d5d..645701e22d 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/DebugProject.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/DebugProject.xcconfig
@@ -5,7 +5,7 @@
 //  examples. It is set in the "Based On:" dropdown in the "Project" info
 //  dialog.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 #include "General.xcconfig"
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/FrameworkTarget.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/FrameworkTarget.xcconfig
index 357b1c8fbf..77081fbcb0 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/FrameworkTarget.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/FrameworkTarget.xcconfig
@@ -4,7 +4,7 @@
 //  These are Framework target settings for the gtest framework and examples. It
 //  is set in the "Based On:" dropdown in the "Target" info dialog.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 // Dynamic libs need to be position independent
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/General.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/General.xcconfig
index f23e322272..1aba486f05 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/General.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/General.xcconfig
@@ -4,7 +4,7 @@
 //  These are General configuration settings for the gtest framework and
 //  examples.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 // Build for PPC and Intel, 32- and 64-bit
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/ReleaseProject.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/ReleaseProject.xcconfig
index 5349f0a04a..df9a38f89b 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/ReleaseProject.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/ReleaseProject.xcconfig
@@ -5,7 +5,7 @@
 //  and examples. It is set in the "Based On:" dropdown in the "Project" info
 //  dialog.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 #include "General.xcconfig"
diff --git a/security/nss/gtests/google_test/gtest/xcode/Config/StaticLibraryTarget.xcconfig b/security/nss/gtests/google_test/gtest/xcode/Config/StaticLibraryTarget.xcconfig
index 3922fa51d5..d2424fe80d 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Config/StaticLibraryTarget.xcconfig
+++ b/security/nss/gtests/google_test/gtest/xcode/Config/StaticLibraryTarget.xcconfig
@@ -4,7 +4,7 @@
 //  These are static library target settings for libgtest.a. It
 //  is set in the "Based On:" dropdown in the "Target" info dialog.
 //  This file is based on the Xcode Configuration files in:
-//  http://code.google.com/p/google-toolbox-for-mac/
+//  https://github.com/google/google-toolbox-for-mac
 // 
 
 // Static libs can be included in bundles so make them position independent
diff --git a/security/nss/gtests/google_test/gtest/xcode/Scripts/versiongenerate.py b/security/nss/gtests/google_test/gtest/xcode/Scripts/versiongenerate.py
index 81de8c96ac..bdd7541ad7 100644
--- a/security/nss/gtests/google_test/gtest/xcode/Scripts/versiongenerate.py
+++ b/security/nss/gtests/google_test/gtest/xcode/Scripts/versiongenerate.py
@@ -29,7 +29,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-"""A script to prepare version informtion for use the gtest Info.plist file.
+"""A script to prepare version information for use the gtest Info.plist file.
 
   This script extracts the version information from the configure.ac file and
   uses it to generate a header file containing the same information. The
@@ -42,7 +42,7 @@
     1. The AC_INIT macro will be contained within the first 1024 characters
        of configure.ac
     2. The version string will be 3 integers separated by periods and will be
-       surrounded by squre brackets, "[" and "]" (e.g. [1.0.1]). The first
+       surrounded by square brackets, "[" and "]" (e.g. [1.0.1]). The first
        segment represents the major version, the second represents the minor
        version and the third represents the fix version.
     3. No ")" character exists between the opening "(" and closing ")" of
@@ -68,7 +68,7 @@ config_file.close()
 
 # Extract the version string from the AC_INIT macro
 #   The following init_expression means:
-#     Extract three integers separated by periods and surrounded by squre
+#     Extract three integers separated by periods and surrounded by square
 #     brackets(e.g. "[1.0.1]") between "AC_INIT(" and ")". Do not be greedy
 #     (*? is the non-greedy flag) since that would pull in everything between
 #     the first "(" and the last ")" in the file.
@@ -88,7 +88,7 @@ file_data = """//
 // is executed in a "Run Script" build phase when creating gtest.framework. This
 // header file is not used during compilation of C-source. Rather, it simply
 // defines some version strings for substitution in the Info.plist. Because of
-// this, we are not not restricted to C-syntax nor are we using include guards.
+// this, we are not restricted to C-syntax nor are we using include guards.
 //
 
 #define GTEST_VERSIONINFO_SHORT %s.%s
diff --git a/security/nss/gtests/google_test/gtest/xcode/gtest.xcodeproj/project.pbxproj b/security/nss/gtests/google_test/gtest/xcode/gtest.xcodeproj/project.pbxproj
index 0452a63d0c..003bff8cb8 100644
--- a/security/nss/gtests/google_test/gtest/xcode/gtest.xcodeproj/project.pbxproj
+++ b/security/nss/gtests/google_test/gtest/xcode/gtest.xcodeproj/project.pbxproj
@@ -46,7 +46,7 @@
 		4048843B0E2F799B00CF7658 /* gtest.h in Headers */ = {isa = PBXBuildFile; fileRef = 404883DE0E2F799B00CF7658 /* gtest.h */; settings = {ATTRIBUTES = (Public, ); }; };
 		4048843C0E2F799B00CF7658 /* gtest_pred_impl.h in Headers */ = {isa = PBXBuildFile; fileRef = 404883DF0E2F799B00CF7658 /* gtest_pred_impl.h */; settings = {ATTRIBUTES = (Public, ); }; };
 		4048843D0E2F799B00CF7658 /* gtest_prod.h in Headers */ = {isa = PBXBuildFile; fileRef = 404883E00E2F799B00CF7658 /* gtest_prod.h */; settings = {ATTRIBUTES = (Public, ); }; };
-		404884500E2F799B00CF7658 /* README in Resources */ = {isa = PBXBuildFile; fileRef = 404883F60E2F799B00CF7658 /* README */; };
+		404884500E2F799B00CF7658 /* README.md in Resources */ = {isa = PBXBuildFile; fileRef = 404883F60E2F799B00CF7658 /* README.md */; };
 		404884A00E2F7BE600CF7658 /* gtest-death-test-internal.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 404883E20E2F799B00CF7658 /* gtest-death-test-internal.h */; };
 		404884A10E2F7BE600CF7658 /* gtest-filepath.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 404883E30E2F799B00CF7658 /* gtest-filepath.h */; };
 		404884A20E2F7BE600CF7658 /* gtest-internal.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 404883E40E2F799B00CF7658 /* gtest-internal.h */; };
@@ -79,6 +79,13 @@
 		4539C9390EC280E200A70F4C /* gtest-param-util-generated.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 4539C9360EC280E200A70F4C /* gtest-param-util-generated.h */; };
 		4539C93A0EC280E200A70F4C /* gtest-param-util.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = 4539C9370EC280E200A70F4C /* gtest-param-util.h */; };
 		4567C8181264FF71007740BE /* gtest-printers.h in Headers */ = {isa = PBXBuildFile; fileRef = 4567C8171264FF71007740BE /* gtest-printers.h */; settings = {ATTRIBUTES = (Public, ); }; };
+		F67D4F3E1C7F5D8B0017C729 /* gtest-port-arch.h in Headers */ = {isa = PBXBuildFile; fileRef = F67D4F3D1C7F5D8B0017C729 /* gtest-port-arch.h */; };
+		F67D4F3F1C7F5DA70017C729 /* gtest-port-arch.h in Copy Headers Internal */ = {isa = PBXBuildFile; fileRef = F67D4F3D1C7F5D8B0017C729 /* gtest-port-arch.h */; };
+		F67D4F441C7F5DD00017C729 /* gtest-port.h in Headers */ = {isa = PBXBuildFile; fileRef = F67D4F411C7F5DD00017C729 /* gtest-port.h */; };
+		F67D4F451C7F5DD00017C729 /* gtest-printers.h in Headers */ = {isa = PBXBuildFile; fileRef = F67D4F421C7F5DD00017C729 /* gtest-printers.h */; };
+		F67D4F461C7F5DD00017C729 /* gtest.h in Headers */ = {isa = PBXBuildFile; fileRef = F67D4F431C7F5DD00017C729 /* gtest.h */; };
+		F67D4F481C7F5E160017C729 /* gtest-port.h in Copy Headers Internal Custom */ = {isa = PBXBuildFile; fileRef = F67D4F411C7F5DD00017C729 /* gtest-port.h */; };
+		F67D4F491C7F5E260017C729 /* gtest-printers.h in Copy Headers Internal Custom */ = {isa = PBXBuildFile; fileRef = F67D4F421C7F5DD00017C729 /* gtest-printers.h */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -182,6 +189,7 @@
 			dstPath = Headers/internal;
 			dstSubfolderSpec = 6;
 			files = (
+				F67D4F3F1C7F5DA70017C729 /* gtest-port-arch.h in Copy Headers Internal */,
 				404884A00E2F7BE600CF7658 /* gtest-death-test-internal.h in Copy Headers Internal */,
 				404884A10E2F7BE600CF7658 /* gtest-filepath.h in Copy Headers Internal */,
 				404884A20E2F7BE600CF7658 /* gtest-internal.h in Copy Headers Internal */,
@@ -196,6 +204,18 @@
 			name = "Copy Headers Internal";
 			runOnlyForDeploymentPostprocessing = 0;
 		};
+		F67D4F471C7F5DF60017C729 /* Copy Headers Internal Custom */ = {
+			isa = PBXCopyFilesBuildPhase;
+			buildActionMask = 2147483647;
+			dstPath = Headers/internal/custom;
+			dstSubfolderSpec = 6;
+			files = (
+				F67D4F491C7F5E260017C729 /* gtest-printers.h in Copy Headers Internal Custom */,
+				F67D4F481C7F5E160017C729 /* gtest-port.h in Copy Headers Internal Custom */,
+			);
+			name = "Copy Headers Internal Custom";
+			runOnlyForDeploymentPostprocessing = 0;
+		};
 /* End PBXCopyFilesBuildPhase section */
 
 /* Begin PBXFileReference section */
@@ -217,7 +237,7 @@
 		404883E40E2F799B00CF7658 /* gtest-internal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-internal.h"; sourceTree = "<group>"; };
 		404883E50E2F799B00CF7658 /* gtest-port.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-port.h"; sourceTree = "<group>"; };
 		404883E60E2F799B00CF7658 /* gtest-string.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-string.h"; sourceTree = "<group>"; };
-		404883F60E2F799B00CF7658 /* README */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README; path = ../README; sourceTree = SOURCE_ROOT; };
+		404883F60E2F799B00CF7658 /* README.md */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README.md; path = ../README.md; sourceTree = SOURCE_ROOT; };
 		4048840D0E2F799B00CF7658 /* gtest_main.cc */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = gtest_main.cc; sourceTree = "<group>"; };
 		404884A90E2F7CD900CF7658 /* CHANGES */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = CHANGES; path = ../CHANGES; sourceTree = SOURCE_ROOT; };
 		404884AA0E2F7CD900CF7658 /* CONTRIBUTORS */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = CONTRIBUTORS; path = ../CONTRIBUTORS; sourceTree = SOURCE_ROOT; };
@@ -244,6 +264,10 @@
 		4539C9360EC280E200A70F4C /* gtest-param-util-generated.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-param-util-generated.h"; sourceTree = "<group>"; };
 		4539C9370EC280E200A70F4C /* gtest-param-util.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-param-util.h"; sourceTree = "<group>"; };
 		4567C8171264FF71007740BE /* gtest-printers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-printers.h"; sourceTree = "<group>"; };
+		F67D4F3D1C7F5D8B0017C729 /* gtest-port-arch.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-port-arch.h"; sourceTree = "<group>"; };
+		F67D4F411C7F5DD00017C729 /* gtest-port.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-port.h"; sourceTree = "<group>"; };
+		F67D4F421C7F5DD00017C729 /* gtest-printers.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "gtest-printers.h"; sourceTree = "<group>"; };
+		F67D4F431C7F5DD00017C729 /* gtest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = gtest.h; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -318,7 +342,7 @@
 				404884A90E2F7CD900CF7658 /* CHANGES */,
 				404884AA0E2F7CD900CF7658 /* CONTRIBUTORS */,
 				404884AB0E2F7CD900CF7658 /* LICENSE */,
-				404883F60E2F799B00CF7658 /* README */,
+				404883F60E2F799B00CF7658 /* README.md */,
 				404883D90E2F799B00CF7658 /* include */,
 				4089A02F0FFACF84000B29AE /* samples */,
 				404884070E2F799B00CF7658 /* src */,
@@ -375,6 +399,7 @@
 		404883E10E2F799B00CF7658 /* internal */ = {
 			isa = PBXGroup;
 			children = (
+				F67D4F401C7F5DD00017C729 /* custom */,
 				404883E20E2F799B00CF7658 /* gtest-death-test-internal.h */,
 				404883E30E2F799B00CF7658 /* gtest-filepath.h */,
 				404883E40E2F799B00CF7658 /* gtest-internal.h */,
@@ -382,6 +407,7 @@
 				4539C9360EC280E200A70F4C /* gtest-param-util-generated.h */,
 				4539C9370EC280E200A70F4C /* gtest-param-util.h */,
 				404883E50E2F799B00CF7658 /* gtest-port.h */,
+				F67D4F3D1C7F5D8B0017C729 /* gtest-port-arch.h */,
 				404883E60E2F799B00CF7658 /* gtest-string.h */,
 				40899F4D0FFA7271000B29AE /* gtest-tuple.h */,
 				3BF6F29F0E79B5AD000F2EEE /* gtest-type-util.h */,
@@ -430,6 +456,16 @@
 			path = Resources;
 			sourceTree = "<group>";
 		};
+		F67D4F401C7F5DD00017C729 /* custom */ = {
+			isa = PBXGroup;
+			children = (
+				F67D4F411C7F5DD00017C729 /* gtest-port.h */,
+				F67D4F421C7F5DD00017C729 /* gtest-printers.h */,
+				F67D4F431C7F5DD00017C729 /* gtest.h */,
+			);
+			path = custom;
+			sourceTree = "<group>";
+		};
 /* End PBXGroup section */
 
 /* Begin PBXHeadersBuildPhase section */
@@ -437,10 +473,14 @@
 			isa = PBXHeadersBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				F67D4F451C7F5DD00017C729 /* gtest-printers.h in Headers */,
 				404884380E2F799B00CF7658 /* gtest-death-test.h in Headers */,
 				404884390E2F799B00CF7658 /* gtest-message.h in Headers */,
 				4539C9340EC280AE00A70F4C /* gtest-param-test.h in Headers */,
+				F67D4F461C7F5DD00017C729 /* gtest.h in Headers */,
+				F67D4F441C7F5DD00017C729 /* gtest-port.h in Headers */,
 				4567C8181264FF71007740BE /* gtest-printers.h in Headers */,
+				F67D4F3E1C7F5D8B0017C729 /* gtest-port-arch.h in Headers */,
 				3BF6F2A50E79B616000F2EEE /* gtest-typed-test.h in Headers */,
 				4048843A0E2F799B00CF7658 /* gtest-spi.h in Headers */,
 				4048843B0E2F799B00CF7658 /* gtest.h in Headers */,
@@ -560,6 +600,7 @@
 				8D07F2C10486CC7A007CD1D0 /* Sources */,
 				8D07F2BD0486CC7A007CD1D0 /* Headers */,
 				404884A50E2F7C0400CF7658 /* Copy Headers Internal */,
+				F67D4F471C7F5DF60017C729 /* Copy Headers Internal Custom */,
 				8D07F2BF0486CC7A007CD1D0 /* Resources */,
 			);
 			buildRules = (
@@ -617,7 +658,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
-				404884500E2F799B00CF7658 /* README in Resources */,
+				404884500E2F799B00CF7658 /* README.md in Resources */,
 				404884AC0E2F7CD900CF7658 /* CHANGES in Resources */,
 				404884AD0E2F7CD900CF7658 /* CONTRIBUTORS in Resources */,
 				404884AE0E2F7CD900CF7658 /* LICENSE in Resources */,
@@ -1026,6 +1067,9 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 40D4CDF10E30E07400294801 /* DebugProject.xcconfig */;
 			buildSettings = {
+				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
+				CLANG_CXX_LIBRARY = "libc++";
+				MACOSX_DEPLOYMENT_TARGET = 10.7;
 			};
 			name = Debug;
 		};
@@ -1033,6 +1077,9 @@
 			isa = XCBuildConfiguration;
 			baseConfigurationReference = 40D4CDF40E30E07400294801 /* ReleaseProject.xcconfig */;
 			buildSettings = {
+				CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x";
+				CLANG_CXX_LIBRARY = "libc++";
+				MACOSX_DEPLOYMENT_TARGET = 10.7;
 			};
 			name = Release;
 		};
diff --git a/security/nss/gtests/google_test/update.sh b/security/nss/gtests/google_test/update.sh
new file mode 100644
index 0000000000..cab804f698
--- /dev/null
+++ b/security/nss/gtests/google_test/update.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Use this script to update the copy of google test.
+# This won't commit any changes, so build and test afterwards.
+
+set -e
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <tag/commit>" 1>&2
+    exit 2
+fi
+
+cd "$(dirname "$0")"
+d=$(mktemp -d)
+trap 'rm -rf "$d"' EXIT
+../../fuzz/config/git-copy.sh https://github.com/google/googletest \
+    "$1" "$d"/googletest
+rm -rf gtest
+mv "$d"/googletest/googletest gtest
+echo "$1" > VERSION
+cat "$d"/googletest/.git-copy >> VERSION
diff --git a/security/nss/gtests/mozpkix_gtest/README.txt b/security/nss/gtests/mozpkix_gtest/README.txt
new file mode 100644
index 0000000000..5d3484a219
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/README.txt
@@ -0,0 +1,61 @@
+-------------
+Running Tests
+-------------
+
+Because of the rules below, you can run all the unit tests in this directory,
+and only these tests, with:
+
+  mach gtest "pkix*"
+
+You can run just the tests for functions defined in filename pkixfoo.cpp with:
+
+  mach gtest "pkixfoo*"
+
+If you run "mach gtest" then you'll end up running every gtest in Gecko.
+
+
+
+------------
+Naming Files
+------------
+
+Name files containing tests according to one of the following patterns:
+
+  * <filename>_tests.cpp
+  * <filename>_<Function>_tests.cpp
+  * <filename>_<category>_tests.cpp
+
+  <filename> is the name of the file containing the definitions of the
+             function(s) being tested by every test.
+  <Function> is the name of the function that is being tested by every
+             test.
+  <category> describes the group of related functions that are being
+             tested by every test.
+
+
+
+------------------------------------------------
+Always Use a Fixture Class: TEST_F(), not TEST()
+------------------------------------------------
+
+Many tests don't technically need a fixture, and so TEST() could technically
+be used to define the test. However, when you use TEST_F() instead of TEST(),
+the compiler will not allow you to make any typos in the test case name, but
+if you use TEST() then the name of the test case is not checked.
+
+See https://code.google.com/p/googletest/wiki/Primer#Test_Fixtures:_Using_the_Same_Data_Configuration_for_Multiple_Te
+to learn more about test fixtures.
+
+---------------
+Naming Fixtures
+---------------
+
+When all tests in a file use the same fixture, use the base name of the file
+without the "_tests" suffix as the name of the fixture class; e.g. tests in
+"pkixocsp.cpp" should use a fixture "class pkixocsp" by default.
+
+Sometimes tests in a file need separate fixtures. In this case, name the
+fixture class according to the pattern <fixture_base>_<fixture_suffix>, where
+<fixture_base> is the base name of the file without the "_tests" suffix, and
+<fixture_suffix> is a descriptive name for the fixture class, e.g.
+"class pkixocsp_DelegatedResponder".
diff --git a/security/nss/gtests/mozpkix_gtest/mozpkix_gtest.gyp b/security/nss/gtests/mozpkix_gtest/mozpkix_gtest.gyp
new file mode 100644
index 0000000000..899b849fcb
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/mozpkix_gtest.gyp
@@ -0,0 +1,71 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi',
+    '../common/gtest.gypi',
+  ],
+  'targets': [
+    {
+      'target_name': 'mozpkix_gtest',
+      'type': 'executable',
+      'sources': [
+        '<(DEPTH)/gtests/common/gtests.cc',
+        'pkixbuild_tests.cpp',
+        'pkixcert_extension_tests.cpp',
+        'pkixcert_signature_algorithm_tests.cpp',
+        'pkixcheck_CheckExtendedKeyUsage_tests.cpp',
+        'pkixcheck_CheckIssuer_tests.cpp',
+        'pkixcheck_CheckKeyUsage_tests.cpp',
+        'pkixcheck_CheckSignatureAlgorithm_tests.cpp',
+        'pkixcheck_CheckValidity_tests.cpp',
+        'pkixcheck_ParseValidity_tests.cpp',
+        'pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp',
+        'pkixder_input_tests.cpp',
+        'pkixder_pki_types_tests.cpp',
+        'pkixder_universal_types_tests.cpp',
+        'pkixgtest.cpp',
+        'pkixnames_tests.cpp',
+        'pkixocsp_CreateEncodedOCSPRequest_tests.cpp',
+        'pkixocsp_VerifyEncodedOCSPResponse.cpp',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+        '<(DEPTH)/lib/util/util.gyp:nssutil',
+        '<(DEPTH)/lib/ssl/ssl.gyp:ssl',
+        '<(DEPTH)/lib/nss/nss.gyp:nss_static',
+        '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
+        '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
+        '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
+        '<(DEPTH)/lib/certdb/certdb.gyp:certdb',
+        '<(DEPTH)/lib/base/base.gyp:nssb',
+        '<(DEPTH)/lib/dev/dev.gyp:nssdev',
+        '<(DEPTH)/lib/pki/pki.gyp:nsspki',
+        '<(DEPTH)/lib/mozpkix/mozpkix.gyp:mozpkix',
+        '<(DEPTH)/lib/mozpkix/mozpkix.gyp:mozpkix-testlib',
+      ],
+      'include_dirs': [
+        '<(DEPTH)/lib/mozpkix/',
+        '<(DEPTH)/lib/mozpkix/lib',
+        '<(DEPTH)/lib/mozpkix/include/',
+        '<(DEPTH)/lib/mozpkix/include/pkix-test/',
+      ],
+      'conditions': [
+        [ 'OS=="win"', {
+          'libraries': [
+            'advapi32.lib',
+          ],
+        }],
+      ],
+      'defines': [
+        'NSS_USE_STATIC_LIBS'
+      ],
+    }
+  ],
+  'variables': {
+    'module': 'nss',
+    'use_static_libs': 1,
+  }
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp
new file mode 100644
index 0000000000..e173210758
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixbuild_tests.cpp
@@ -0,0 +1,894 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#if defined(_MSC_VER) && _MSC_VER < 1900
+// When building with -D_HAS_EXCEPTIONS=0, MSVC's <xtree> header triggers
+// warning C4702: unreachable code.
+// https://connect.microsoft.com/VisualStudio/feedback/details/809962
+#pragma warning(push)
+#pragma warning(disable: 4702)
+#endif
+
+#include <map>
+#include <vector>
+
+#if defined(_MSC_VER) && _MSC_VER < 1900
+#pragma warning(pop)
+#endif
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+static ByteString
+CreateCert(const char* issuerCN, // null means "empty name"
+           const char* subjectCN, // null means "empty name"
+           EndEntityOrCA endEntityOrCA,
+           /*optional modified*/ std::map<ByteString, ByteString>*
+             subjectDERToCertDER = nullptr,
+           /*optional*/ const ByteString* extension = nullptr,
+           /*optional*/ const TestKeyPair* issuerKeyPair = nullptr,
+           /*optional*/ const TestKeyPair* subjectKeyPair = nullptr)
+{
+  static long serialNumberValue = 0;
+  ++serialNumberValue;
+  ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString issuerDER(issuerCN ? CNToDERName(issuerCN) : Name(ByteString()));
+  ByteString subjectDER(subjectCN ? CNToDERName(subjectCN) : Name(ByteString()));
+
+  std::vector<ByteString> extensions;
+  if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    ByteString basicConstraints =
+      CreateEncodedBasicConstraints(true, nullptr, Critical::Yes);
+    EXPECT_FALSE(ENCODING_FAILED(basicConstraints));
+    extensions.push_back(basicConstraints);
+  }
+  if (extension) {
+    extensions.push_back(*extension);
+  }
+  extensions.push_back(ByteString()); // marks the end of the list
+
+  ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(
+                       v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
+                       oneDayBeforeNow, oneDayAfterNow, subjectDER,
+                       subjectKeyPair ? *subjectKeyPair : *reusedKey,
+                       extensions.data(),
+                       issuerKeyPair ? *issuerKeyPair : *reusedKey,
+                       sha256WithRSAEncryption()));
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
+
+  if (subjectDERToCertDER) {
+    (*subjectDERToCertDER)[subjectDER] = certDER;
+  }
+
+  return certDER;
+}
+
+class TestTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  // The "cert chain tail" is a longish chain of certificates that is used by
+  // all of the tests here. We share this chain across all the tests in order
+  // to speed up the tests (generating keypairs for the certs is very slow).
+  bool SetUpCertChainTail()
+  {
+    static char const* const names[] = {
+        "CA1 (Root)", "CA2", "CA3", "CA4", "CA5", "CA6", "CA7"
+    };
+
+    for (size_t i = 0; i < MOZILLA_PKIX_ARRAY_LENGTH(names); ++i) {
+      const char* issuerName = i == 0 ? names[0] : names[i-1];
+      CreateCACert(issuerName, names[i]);
+      if (i == 0) {
+        rootCACertDER = leafCACertDER;
+      }
+    }
+
+    return true;
+  }
+
+  void CreateCACert(const char* issuerName, const char* subjectName)
+  {
+    leafCACertDER = CreateCert(issuerName, subjectName,
+                               EndEntityOrCA::MustBeCA, &subjectDERToCertDER);
+    assert(!ENCODING_FAILED(leafCACertDER));
+  }
+
+  ByteString GetLeafCACertDER() const { return leafCACertDER; }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(candidateCert, rootCACertDER)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time)
+                    override
+  {
+    ByteString subjectDER(InputToByteString(encodedIssuerName));
+    ByteString certDER(subjectDERToCertDER[subjectDER]);
+    Input derCert;
+    Result rv = derCert.Init(certDER.data(), certDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    bool keepGoing;
+    rv = checker.Check(derCert, nullptr/*additionalNameConstraints*/,
+                       keepGoing);
+    if (rv != Success) {
+      return rv;
+    }
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  std::map<ByteString, ByteString> subjectDERToCertDER;
+  ByteString leafCACertDER;
+  ByteString rootCACertDER;
+};
+
+class pkixbuild : public ::testing::Test
+{
+public:
+  static void SetUpTestCase()
+  {
+    if (!trustDomain.SetUpCertChainTail()) {
+      abort();
+    }
+  }
+
+protected:
+
+  static TestTrustDomain trustDomain;
+};
+
+/*static*/ TestTrustDomain pkixbuild::trustDomain;
+
+TEST_F(pkixbuild, MaxAcceptableCertChainLength)
+{
+  {
+    ByteString leafCACert(trustDomain.GetLeafCACertDER());
+    Input certDER;
+    ASSERT_EQ(Success, certDER.Init(leafCACert.data(), leafCACert.length()));
+    ASSERT_EQ(Success,
+              BuildCertChain(trustDomain, certDER, Now(),
+                             EndEntityOrCA::MustBeCA,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::id_kp_serverAuth,
+                             CertPolicyId::anyPolicy,
+                             nullptr/*stapledOCSPResponse*/));
+  }
+
+  {
+    ByteString certDER(CreateCert("CA7", "Direct End-Entity",
+                                  EndEntityOrCA::MustBeEndEntity));
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
+    Input certDERInput;
+    ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+    ASSERT_EQ(Success,
+              BuildCertChain(trustDomain, certDERInput, Now(),
+                             EndEntityOrCA::MustBeEndEntity,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::id_kp_serverAuth,
+                             CertPolicyId::anyPolicy,
+                             nullptr/*stapledOCSPResponse*/));
+  }
+}
+
+TEST_F(pkixbuild, BeyondMaxAcceptableCertChainLength)
+{
+  static char const* const caCertName = "CA Too Far";
+
+  trustDomain.CreateCACert("CA7", caCertName);
+
+  {
+    ByteString certDER(trustDomain.GetLeafCACertDER());
+    Input certDERInput;
+    ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+    ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
+              BuildCertChain(trustDomain, certDERInput, Now(),
+                             EndEntityOrCA::MustBeCA,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::id_kp_serverAuth,
+                             CertPolicyId::anyPolicy,
+                             nullptr/*stapledOCSPResponse*/));
+  }
+
+  {
+    ByteString certDER(CreateCert(caCertName, "End-Entity Too Far",
+                                  EndEntityOrCA::MustBeEndEntity));
+    ASSERT_FALSE(ENCODING_FAILED(certDER));
+    Input certDERInput;
+    ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+    ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
+              BuildCertChain(trustDomain, certDERInput, Now(),
+                             EndEntityOrCA::MustBeEndEntity,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::id_kp_serverAuth,
+                             CertPolicyId::anyPolicy,
+                             nullptr/*stapledOCSPResponse*/));
+  }
+}
+
+// A TrustDomain that checks certificates against a given root certificate.
+// It is initialized with the DER encoding of a root certificate that
+// is treated as a trust anchor and is assumed to have issued all certificates
+// (i.e. FindIssuer always attempts to build the next step in the chain with
+// it).
+class SingleRootTrustDomain : public DefaultCryptoTrustDomain
+{
+public:
+  explicit SingleRootTrustDomain(ByteString aRootDER)
+    : rootDER(aRootDER)
+  {
+  }
+
+  // The CertPolicyId argument is unused because we don't care about EV.
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    Input rootCert;
+    Result rv = rootCert.Init(rootDER.data(), rootDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    if (InputsAreEqual(candidateCert, rootCert)) {
+      trustLevel = TrustLevel::TrustAnchor;
+    } else {
+      trustLevel = TrustLevel::InheritsTrust;
+    }
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    // keepGoing is an out parameter from IssuerChecker.Check. It would tell us
+    // whether or not to continue attempting other potential issuers. We only
+    // know of one potential issuer, however, so we ignore it.
+    bool keepGoing;
+    Input rootCert;
+    Result rv = rootCert.Init(rootDER.data(), rootDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    return checker.Check(rootCert, nullptr, keepGoing);
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+private:
+  ByteString rootDER;
+};
+
+// A TrustDomain that explicitly fails if CheckRevocation is called.
+class ExpiredCertTrustDomain final : public SingleRootTrustDomain
+{
+public:
+  explicit ExpiredCertTrustDomain(ByteString aRootDER)
+    : SingleRootTrustDomain(aRootDER)
+  {
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    ADD_FAILURE();
+    return NotReached("CheckRevocation should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+};
+
+TEST_F(pkixbuild, NoRevocationCheckingForExpiredCert)
+{
+  const char* rootCN = "Root CA";
+  ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
+                                nullptr));
+  EXPECT_FALSE(ENCODING_FAILED(rootDER));
+  ExpiredCertTrustDomain expiredCertTrustDomain(rootDER);
+
+  ByteString serialNumber(CreateEncodedSerialNumber(100));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+  ByteString issuerDER(CNToDERName(rootCN));
+  ByteString subjectDER(CNToDERName("Expired End-Entity Cert"));
+  ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(
+                       v3, sha256WithRSAEncryption(),
+                       serialNumber, issuerDER,
+                       twoDaysBeforeNow,
+                       oneDayBeforeNow,
+                       subjectDER, *reusedKey, nullptr, *reusedKey,
+                       sha256WithRSAEncryption()));
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
+
+  Input cert;
+  ASSERT_EQ(Success, cert.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE,
+            BuildCertChain(expiredCertTrustDomain, cert, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr));
+}
+
+class DSSTrustDomain final : public EverythingFailsByDefaultTrustDomain
+{
+public:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
+                      Input, /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = TrustLevel::TrustAnchor;
+    return Success;
+  }
+};
+
+class pkixbuild_DSS : public ::testing::Test { };
+
+TEST_F(pkixbuild_DSS, DSSEndEntityKeyNotAccepted)
+{
+  DSSTrustDomain trustDomain;
+
+  ByteString serialNumber(CreateEncodedSerialNumber(1));
+  ASSERT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString subjectDER(CNToDERName("DSS"));
+  ASSERT_FALSE(ENCODING_FAILED(subjectDER));
+  ScopedTestKeyPair subjectKey(GenerateDSSKeyPair());
+  ASSERT_TRUE(subjectKey.get());
+
+  ByteString issuerDER(CNToDERName("RSA"));
+  ASSERT_FALSE(ENCODING_FAILED(issuerDER));
+  ScopedTestKeyPair issuerKey(CloneReusedKeyPair());
+  ASSERT_TRUE(issuerKey.get());
+
+  ByteString cert(CreateEncodedCertificate(v3, sha256WithRSAEncryption(),
+                                           serialNumber, issuerDER,
+                                           oneDayBeforeNow, oneDayAfterNow,
+                                           subjectDER, *subjectKey, nullptr,
+                                           *issuerKey, sha256WithRSAEncryption()));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certDER;
+  ASSERT_EQ(Success, certDER.Init(cert.data(), cert.length()));
+
+  ASSERT_EQ(Result::ERROR_UNSUPPORTED_KEYALG,
+            BuildCertChain(trustDomain, certDER, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+class IssuerNameCheckTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  IssuerNameCheckTrustDomain(const ByteString& aIssuer, bool aExpectedKeepGoing)
+    : issuer(aIssuer)
+    , expectedKeepGoing(aExpectedKeepGoing)
+  {
+  }
+
+  Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&, Input,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = endEntityOrCA == EndEntityOrCA::MustBeCA
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    Input issuerInput;
+    EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length()));
+    bool keepGoing;
+    EXPECT_EQ(Success,
+              checker.Check(issuerInput, nullptr /*additionalNameConstraints*/,
+                            keepGoing));
+    EXPECT_EQ(expectedKeepGoing, keepGoing);
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+private:
+  const ByteString issuer;
+  const bool expectedKeepGoing;
+};
+
+struct IssuerNameCheckParams
+{
+  const char* subjectIssuerCN; // null means "empty name"
+  const char* issuerSubjectCN; // null means "empty name"
+  bool matches;
+  Result expectedError;
+};
+
+static const IssuerNameCheckParams ISSUER_NAME_CHECK_PARAMS[] =
+{
+  { "foo", "foo", true, Success },
+  { "foo", "bar", false, Result::ERROR_UNKNOWN_ISSUER },
+  { "f", "foo", false, Result::ERROR_UNKNOWN_ISSUER }, // prefix
+  { "foo", "f", false, Result::ERROR_UNKNOWN_ISSUER }, // prefix
+  { "foo", "Foo", false, Result::ERROR_UNKNOWN_ISSUER }, // case sensitive
+  { "", "", true, Success },
+  { nullptr, nullptr, false, Result::ERROR_EMPTY_ISSUER_NAME }, // empty issuer
+
+  // check that certificate-related errors are deferred and superseded by
+  // ERROR_UNKNOWN_ISSUER when a chain can't be built due to name mismatches
+  { "foo", nullptr, false, Result::ERROR_UNKNOWN_ISSUER },
+  { nullptr, "foo", false, Result::ERROR_UNKNOWN_ISSUER }
+};
+
+class pkixbuild_IssuerNameCheck
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IssuerNameCheckParams>
+{
+};
+
+TEST_P(pkixbuild_IssuerNameCheck, MatchingName)
+{
+  const IssuerNameCheckParams& params(GetParam());
+
+  ByteString issuerCertDER(CreateCert(params.issuerSubjectCN,
+                                      params.issuerSubjectCN,
+                                      EndEntityOrCA::MustBeCA, nullptr));
+  ASSERT_FALSE(ENCODING_FAILED(issuerCertDER));
+
+  ByteString subjectCertDER(CreateCert(params.subjectIssuerCN, "end-entity",
+                                       EndEntityOrCA::MustBeEndEntity,
+                                       nullptr));
+  ASSERT_FALSE(ENCODING_FAILED(subjectCertDER));
+
+  Input subjectCertDERInput;
+  ASSERT_EQ(Success, subjectCertDERInput.Init(subjectCertDER.data(),
+                                              subjectCertDER.length()));
+
+  IssuerNameCheckTrustDomain trustDomain(issuerCertDER, !params.matches);
+  ASSERT_EQ(params.expectedError,
+            BuildCertChain(trustDomain, subjectCertDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixbuild_IssuerNameCheck, pkixbuild_IssuerNameCheck,
+                        testing::ValuesIn(ISSUER_NAME_CHECK_PARAMS));
+
+
+// Records the embedded SCT list extension for later examination.
+class EmbeddedSCTListTestTrustDomain final : public SingleRootTrustDomain
+{
+public:
+  explicit EmbeddedSCTListTestTrustDomain(ByteString aRootDER)
+    : SingleRootTrustDomain(aRootDER)
+  {
+  }
+
+  virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
+                                      Input extensionData) override
+  {
+    if (extension == AuxiliaryExtension::EmbeddedSCTList) {
+      signedCertificateTimestamps = InputToByteString(extensionData);
+    } else {
+      ADD_FAILURE();
+    }
+  }
+
+  ByteString signedCertificateTimestamps;
+};
+
+TEST_F(pkixbuild, CertificateTransparencyExtension)
+{
+  // python security/pkix/tools/DottedOIDToCode.py --tlv
+  //   id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
+  static const uint8_t tlv_id_embeddedSctList[] = {
+    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
+  };
+  static const uint8_t dummySctList[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05
+  };
+
+  ByteString ctExtension = TLV(der::SEQUENCE,
+    BytesToByteString(tlv_id_embeddedSctList) +
+    Boolean(false) +
+    TLV(der::OCTET_STRING,
+      // SignedCertificateTimestampList structure is encoded as an OCTET STRING
+      // within the X.509v3 extension (see RFC 6962 section 3.3).
+      // pkix decodes it internally and returns the actual structure.
+      TLV(der::OCTET_STRING, BytesToByteString(dummySctList))));
+
+  const char* rootCN = "Root CA";
+  ByteString rootDER(CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA));
+  ASSERT_FALSE(ENCODING_FAILED(rootDER));
+
+  ByteString certDER(CreateCert(rootCN, "Cert with SCT list",
+                                EndEntityOrCA::MustBeEndEntity,
+                                nullptr, /*subjectDERToCertDER*/
+                                &ctExtension));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+
+  EmbeddedSCTListTestTrustDomain extTrustDomain(rootDER);
+  ASSERT_EQ(Success,
+            BuildCertChain(extTrustDomain, certInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::anyExtendedKeyUsage,
+                           CertPolicyId::anyPolicy,
+                           nullptr /*stapledOCSPResponse*/));
+  ASSERT_EQ(BytesToByteString(dummySctList),
+            extTrustDomain.signedCertificateTimestamps);
+}
+
+// This TrustDomain implements a hierarchy like so:
+//
+// A   B
+// |   |
+// C   D
+//  \ /
+//   E
+//
+// where A is a trust anchor, B is not a trust anchor and has no known issuer, C
+// and D are intermediates with the same subject and subject public key, and E
+// is an end-entity (in practice, the end-entity will be generated by the test
+// functions using this trust domain).
+class MultiplePathTrustDomain: public DefaultCryptoTrustDomain
+{
+public:
+  void SetUpCerts()
+  {
+    ASSERT_FALSE(ENCODING_FAILED(CreateCert("UntrustedRoot", "UntrustedRoot",
+                                            EndEntityOrCA::MustBeCA,
+                                            &subjectDERToCertDER)));
+    // The subject DER -> cert DER mapping would be overwritten for subject
+    // "Intermediate" when we create the second "Intermediate" certificate, so
+    // we keep a copy of this "Intermediate".
+    intermediateSignedByUntrustedRootCertDER =
+      CreateCert("UntrustedRoot", "Intermediate", EndEntityOrCA::MustBeCA);
+    ASSERT_FALSE(ENCODING_FAILED(intermediateSignedByUntrustedRootCertDER));
+    rootCACertDER = CreateCert("TrustedRoot", "TrustedRoot",
+                               EndEntityOrCA::MustBeCA, &subjectDERToCertDER);
+    ASSERT_FALSE(ENCODING_FAILED(rootCACertDER));
+    ASSERT_FALSE(ENCODING_FAILED(CreateCert("TrustedRoot", "Intermediate",
+                                            EndEntityOrCA::MustBeCA,
+                                            &subjectDERToCertDER)));
+  }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(candidateCert, rootCACertDER)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result CheckCert(ByteString& certDER, IssuerChecker& checker, bool& keepGoing)
+  {
+    Input derCert;
+    Result rv = derCert.Init(certDER.data(), certDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    return checker.Check(derCert, nullptr/*additionalNameConstraints*/,
+                         keepGoing);
+  }
+
+  Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time)
+                    override
+  {
+    ByteString subjectDER(InputToByteString(encodedIssuerName));
+    ByteString certDER(subjectDERToCertDER[subjectDER]);
+    assert(!ENCODING_FAILED(certDER));
+    bool keepGoing;
+    Result rv = CheckCert(certDER, checker, keepGoing);
+    if (rv != Success) {
+      return rv;
+    }
+    // Also try the other intermediate.
+    if (keepGoing) {
+      rv = CheckCert(intermediateSignedByUntrustedRootCertDER, checker,
+                     keepGoing);
+      if (rv != Success) {
+        return rv;
+      }
+    }
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*,
+                         /*optional*/ const Input*) override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  std::map<ByteString, ByteString> subjectDERToCertDER;
+  ByteString rootCACertDER;
+  ByteString intermediateSignedByUntrustedRootCertDER;
+};
+
+TEST_F(pkixbuild, BadEmbeddedSCTWithMultiplePaths)
+{
+  MultiplePathTrustDomain localTrustDomain;
+  localTrustDomain.SetUpCerts();
+
+  // python security/pkix/tools/DottedOIDToCode.py --tlv
+  //   id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
+  static const uint8_t tlv_id_embeddedSctList[] = {
+    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
+  };
+  static const uint8_t dummySctList[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05
+  };
+  ByteString ctExtension = TLV(der::SEQUENCE,
+    BytesToByteString(tlv_id_embeddedSctList) +
+    Boolean(false) +
+    // The contents of the OCTET STRING are supposed to consist of an OCTET
+    // STRING of useful data. We're testing what happens if it isn't, so shove
+    // some bogus (non-OCTET STRING) data in there.
+    TLV(der::OCTET_STRING, BytesToByteString(dummySctList)));
+  ByteString certDER(CreateCert("Intermediate", "Cert with bogus SCT list",
+                                EndEntityOrCA::MustBeEndEntity,
+                                nullptr, /*subjectDERToCertDER*/
+                                &ctExtension));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certDERInput;
+  ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+// Same as a MultiplePathTrustDomain, but the end-entity is revoked.
+class RevokedEndEntityTrustDomain final : public MultiplePathTrustDomain
+{
+public:
+  Result CheckRevocation(EndEntityOrCA endEntityOrCA, const CertID&, Time,
+                         Duration, /*optional*/ const Input*,
+                         /*optional*/ const Input*) override
+  {
+    if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+      return Result::ERROR_REVOKED_CERTIFICATE;
+    }
+    return Success;
+  }
+};
+
+TEST_F(pkixbuild, RevokedEndEntityWithMultiplePaths)
+{
+  RevokedEndEntityTrustDomain localTrustDomain;
+  localTrustDomain.SetUpCerts();
+  ByteString certDER(CreateCert("Intermediate", "RevokedEndEntity",
+                                EndEntityOrCA::MustBeEndEntity));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certDERInput;
+  ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE,
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+// This represents a collection of different certificates that all have the same
+// subject and issuer distinguished name.
+class SelfIssuedCertificatesTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  void SetUpCerts(size_t totalCerts)
+  {
+    ASSERT_TRUE(totalCerts > 0);
+    // First we generate a trust anchor.
+    ScopedTestKeyPair rootKeyPair(GenerateKeyPair());
+    rootCACertDER = CreateCert("DN", "DN", EndEntityOrCA::MustBeCA, nullptr,
+                               nullptr, rootKeyPair.get(), rootKeyPair.get());
+    ASSERT_FALSE(ENCODING_FAILED(rootCACertDER));
+    certs.push_back(rootCACertDER);
+    ScopedTestKeyPair issuerKeyPair(rootKeyPair.release());
+    size_t subCAsGenerated;
+    // Then we generate 6 sub-CAs (given that we were requested to generate at
+    // least that many).
+    for (subCAsGenerated = 0;
+         subCAsGenerated < totalCerts - 1 && subCAsGenerated < 6;
+         subCAsGenerated++) {
+      // Each certificate has to have a unique SPKI (mozilla::pkix does loop
+      // detection and stops searching if it encounters two certificates in a
+      // path with the same subject and SPKI).
+      ScopedTestKeyPair keyPair(GenerateKeyPair());
+      ByteString cert(CreateCert("DN", "DN", EndEntityOrCA::MustBeCA, nullptr,
+                                 nullptr, issuerKeyPair.get(), keyPair.get()));
+      ASSERT_FALSE(ENCODING_FAILED(cert));
+      certs.push_back(cert);
+      issuerKeyPair.reset(keyPair.release());
+    }
+    // We set firstIssuerKey here because we can't end up with a path that has
+    // more than 7 CAs in it (because mozilla::pkix limits the path length).
+    firstIssuerKey.reset(issuerKeyPair.release());
+    // For any more sub CAs we generate, it doesn't matter what their keys are
+    // as long as they're different.
+    for (; subCAsGenerated < totalCerts - 1; subCAsGenerated++) {
+      ScopedTestKeyPair keyPair(GenerateKeyPair());
+      ByteString cert(CreateCert("DN", "DN", EndEntityOrCA::MustBeCA, nullptr,
+                                 nullptr, keyPair.get(), keyPair.get()));
+      ASSERT_FALSE(ENCODING_FAILED(cert));
+      certs.insert(certs.begin(), cert);
+    }
+  }
+
+  const TestKeyPair* GetFirstIssuerKey()
+  {
+    return firstIssuerKey.get();
+  }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(candidateCert, rootCACertDER)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    bool keepGoing;
+    for (auto& cert: certs) {
+      Input certInput;
+      Result rv = certInput.Init(cert.data(), cert.length());
+      if (rv != Success) {
+        return rv;
+      }
+      rv = checker.Check(certInput, nullptr, keepGoing);
+      if (rv != Success || !keepGoing) {
+        return rv;
+      }
+    }
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  std::vector<ByteString> certs;
+  ByteString rootCACertDER;
+  ScopedTestKeyPair firstIssuerKey;
+};
+
+TEST_F(pkixbuild, AvoidUnboundedPathSearchingFailure)
+{
+  SelfIssuedCertificatesTrustDomain localTrustDomain;
+  // This creates a few hundred million potential paths of length 8 (end entity
+  // + 6 sub-CAs + root). It would be prohibitively expensive to enumerate all
+  // of these, so we give mozilla::pkix a budget that is spent when searching
+  // paths. If the budget is exhausted, it simply returns an unknown issuer
+  // error. In the future it might be nice to return a specific error that would
+  // give the front-end a hint that maybe it shouldn't have so many certificates
+  // that all have the same subject and issuer DN but different SPKIs.
+  localTrustDomain.SetUpCerts(18);
+  ByteString certDER(CreateCert("DN", "DN", EndEntityOrCA::MustBeEndEntity,
+                                nullptr, nullptr,
+                                localTrustDomain.GetFirstIssuerKey()));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certDERInput;
+  ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Result::ERROR_UNKNOWN_ISSUER,
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+TEST_F(pkixbuild, AvoidUnboundedPathSearchingSuccess)
+{
+  SelfIssuedCertificatesTrustDomain localTrustDomain;
+  // This creates a few hundred thousand possible potential paths of length 8
+  // (end entity + 6 sub-CAs + root). This will nearly exhaust mozilla::pkix's
+  // search budget, so this should succeed.
+  localTrustDomain.SetUpCerts(10);
+  ByteString certDER(CreateCert("DN", "DN", EndEntityOrCA::MustBeEndEntity,
+                                nullptr, nullptr,
+                                localTrustDomain.GetFirstIssuerKey()));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certDERInput;
+  ASSERT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+  ASSERT_EQ(Success,
+            BuildCertChain(localTrustDomain, certDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
new file mode 100644
index 0000000000..762fac1462
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcert_extension_tests.cpp
@@ -0,0 +1,276 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/test/pkixtestutil.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+// Creates a self-signed certificate with the given extension.
+static ByteString
+CreateCertWithExtensions(const char* subjectCN,
+                         const ByteString* extensions)
+{
+  static long serialNumberValue = 0;
+  ++serialNumberValue;
+  ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+  ByteString issuerDER(CNToDERName(subjectCN));
+  EXPECT_FALSE(ENCODING_FAILED(issuerDER));
+  ByteString subjectDER(CNToDERName(subjectCN));
+  EXPECT_FALSE(ENCODING_FAILED(subjectDER));
+  ScopedTestKeyPair subjectKey(CloneReusedKeyPair());
+  return CreateEncodedCertificate(v3, sha256WithRSAEncryption(),
+                                  serialNumber, issuerDER,
+                                  oneDayBeforeNow, oneDayAfterNow,
+                                  subjectDER, *subjectKey, extensions,
+                                  *subjectKey,
+                                  sha256WithRSAEncryption());
+}
+
+// Creates a self-signed certificate with the given extension.
+static ByteString
+CreateCertWithOneExtension(const char* subjectStr, const ByteString& extension)
+{
+  const ByteString extensions[] = { extension, ByteString() };
+  return CreateCertWithExtensions(subjectStr, extensions);
+}
+
+class TrustEverythingTrustDomain final : public DefaultCryptoTrustDomain
+{
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = TrustLevel::TrustAnchor;
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*, /*optional*/ const Input*)
+                         override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+};
+
+// python DottedOIDToCode.py --tlv unknownExtensionOID 1.3.6.1.4.1.13769.666.666.666.1.500.9.3
+static const uint8_t tlv_unknownExtensionOID[] = {
+  0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85, 0x1a, 0x85, 0x1a,
+  0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x03
+};
+
+// python DottedOIDToCode.py --tlv id-pe-authorityInformationAccess 1.3.6.1.5.5.7.1.1
+static const uint8_t tlv_id_pe_authorityInformationAccess[] = {
+  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
+};
+
+// python DottedOIDToCode.py --tlv wrongExtensionOID 1.3.6.6.1.5.5.7.1.1
+// (there is an extra "6" that shouldn't be in this OID)
+static const uint8_t tlv_wrongExtensionOID[] = {
+  0x06, 0x09, 0x2b, 0x06, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
+};
+
+// python DottedOIDToCode.py --tlv id-ce-unknown 2.5.29.55
+// (this is a made-up OID for testing "id-ce"-prefixed OIDs that mozilla::pkix
+// doesn't handle)
+static const uint8_t tlv_id_ce_unknown[] = {
+  0x06, 0x03, 0x55, 0x1d, 0x37
+};
+
+// python DottedOIDToCode.py --tlv id-ce-inhibitAnyPolicy 2.5.29.54
+static const uint8_t tlv_id_ce_inhibitAnyPolicy[] = {
+  0x06, 0x03, 0x55, 0x1d, 0x36
+};
+
+// python DottedOIDToCode.py --tlv id-pkix-ocsp-nocheck 1.3.6.1.5.5.7.48.1.5
+static const uint8_t tlv_id_pkix_ocsp_nocheck[] = {
+  0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x05
+};
+
+struct ExtensionTestcase
+{
+  ByteString extension;
+  Result expectedResult;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const ExtensionTestcase&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+static const ExtensionTestcase EXTENSION_TESTCASES[] =
+{
+  // Tests that a non-critical extension not in the id-ce or id-pe arcs (which
+  // is thus unknown to us) verifies successfully even if empty (extensions we
+  // know about aren't normally allowed to be empty).
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_unknownExtensionOID) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Success
+  },
+
+  // Tests that a critical extension not in the id-ce or id-pe arcs (which is
+  // thus unknown to us) is detected and that verification fails with the
+  // appropriate error.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_unknownExtensionOID) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Result::ERROR_UNKNOWN_CRITICAL_EXTENSION
+  },
+
+  // Tests that a id-pe-authorityInformationAccess critical extension
+  // is detected and that verification succeeds.
+  // XXX: According to RFC 5280 an AIA that consists of an empty sequence is
+  // not legal, but we accept it and that is not what we're testing here.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_pe_authorityInformationAccess) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, TLV(der::SEQUENCE, ByteString()))),
+    Success
+  },
+
+  // Tests that an incorrect OID for id-pe-authorityInformationAccess
+  // (when marked critical) is detected and that verification fails.
+  // (Until bug 1020993 was fixed, this wrong value was used for
+  // id-pe-authorityInformationAccess.)
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_wrongExtensionOID) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Result::ERROR_UNKNOWN_CRITICAL_EXTENSION
+  },
+
+  // We know about some id-ce extensions (OID arc 2.5.29), but not all of them.
+  // Tests that an unknown id-ce extension is detected and that verification
+  // fails.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_ce_unknown) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Result::ERROR_UNKNOWN_CRITICAL_EXTENSION
+  },
+
+  // Tests that a certificate with a known critical id-ce extension (in this
+  // case, OID 2.5.29.54, which is id-ce-inhibitAnyPolicy), verifies
+  // successfully.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_ce_inhibitAnyPolicy) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, Integer(0))),
+    Success
+  },
+
+  // Tests that a certificate with the id-pkix-ocsp-nocheck extension (marked
+  // critical) verifies successfully.
+  // RFC 6960:
+  //   ext-ocsp-nocheck EXTENSION ::= { SYNTAX NULL IDENTIFIED
+  //                                    BY id-pkix-ocsp-nocheck }
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_pkix_ocsp_nocheck) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, TLV(der::NULLTag, ByteString()))),
+    Success
+  },
+
+  // Tests that a certificate with another representation of the
+  // id-pkix-ocsp-nocheck extension (marked critical) verifies successfully.
+  // According to http://comments.gmane.org/gmane.ietf.x509/30947,
+  // some code creates certificates where value of the extension is
+  // an empty OCTET STRING.
+  { TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_pkix_ocsp_nocheck) +
+        Boolean(true) +
+        TLV(der::OCTET_STRING, ByteString())),
+    Success
+  },
+};
+
+class pkixcert_extension
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<ExtensionTestcase>
+{
+protected:
+  static TrustEverythingTrustDomain trustDomain;
+};
+
+/*static*/ TrustEverythingTrustDomain pkixcert_extension::trustDomain;
+
+TEST_P(pkixcert_extension, ExtensionHandledProperly)
+{
+  const ExtensionTestcase& testcase(GetParam());
+  const char* cn = "Cert Extension Test";
+  ByteString cert(CreateCertWithOneExtension(cn, testcase.extension));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+  ASSERT_EQ(testcase.expectedResult,
+            BuildCertChain(trustDomain, certInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::anyExtendedKeyUsage,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixcert_extension,
+                        pkixcert_extension,
+                        testing::ValuesIn(EXTENSION_TESTCASES));
+
+// Two subjectAltNames must result in an error.
+TEST_F(pkixcert_extension, DuplicateSubjectAltName)
+{
+  // python DottedOIDToCode.py --tlv id-ce-subjectAltName 2.5.29.17
+  static const uint8_t tlv_id_ce_subjectAltName[] = {
+    0x06, 0x03, 0x55, 0x1d, 0x11
+  };
+
+  ByteString subjectAltName(
+    TLV(der::SEQUENCE,
+        BytesToByteString(tlv_id_ce_subjectAltName) +
+        TLV(der::OCTET_STRING, TLV(der::SEQUENCE, DNSName("example.com")))));
+  static const ByteString extensions[] = { subjectAltName, subjectAltName,
+                                           ByteString() };
+  static const char* certCN = "Cert With Duplicate subjectAltName";
+  ByteString cert(CreateCertWithExtensions(certCN, extensions));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+  ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
+            BuildCertChain(trustDomain, certInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::anyExtendedKeyUsage,
+                           CertPolicyId::anyPolicy,
+                           nullptr/*stapledOCSPResponse*/));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
new file mode 100644
index 0000000000..00ccffb043
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp
@@ -0,0 +1,259 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+static ByteString
+CreateCert(const char* issuerCN,
+           const char* subjectCN,
+           EndEntityOrCA endEntityOrCA,
+           const TestSignatureAlgorithm& signatureAlgorithm,
+           /*out*/ ByteString& subjectDER)
+{
+  static long serialNumberValue = 0;
+  ++serialNumberValue;
+  ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString issuerDER(CNToDERName(issuerCN));
+  EXPECT_FALSE(ENCODING_FAILED(issuerDER));
+  subjectDER = CNToDERName(subjectCN);
+  EXPECT_FALSE(ENCODING_FAILED(subjectDER));
+
+  ByteString extensions[2];
+  if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    extensions[0] =
+      CreateEncodedBasicConstraints(true, nullptr, Critical::Yes);
+    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+  }
+
+  ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(v3, signatureAlgorithm,
+                                              serialNumber, issuerDER,
+                                              oneDayBeforeNow, oneDayAfterNow,
+                                              subjectDER, *reusedKey,
+                                              extensions, *reusedKey,
+                                              signatureAlgorithm));
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
+  return certDER;
+}
+
+class AlgorithmTestsTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  AlgorithmTestsTrustDomain(const ByteString& aRootDER,
+                            const ByteString& aRootSubjectDER,
+               /*optional*/ const ByteString& aIntDER,
+               /*optional*/ const ByteString& aIntSubjectDER)
+    : rootDER(aRootDER)
+    , rootSubjectDER(aRootSubjectDER)
+    , intDER(aIntDER)
+    , intSubjectDER(aIntSubjectDER)
+  {
+  }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      /*out*/ TrustLevel& trustLevel) override
+  {
+    if (InputEqualsByteString(candidateCert, rootDER)) {
+      trustLevel = TrustLevel::TrustAnchor;
+    } else {
+      trustLevel = TrustLevel::InheritsTrust;
+    }
+    return Success;
+  }
+
+  Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker, Time)
+                    override
+  {
+    ByteString* issuerDER = nullptr;
+    if (InputEqualsByteString(encodedIssuerName, rootSubjectDER)) {
+      issuerDER = &rootDER;
+    } else if (InputEqualsByteString(encodedIssuerName, intSubjectDER)) {
+      issuerDER = &intDER;
+    } else {
+      // FindIssuer just returns success if it can't find a potential issuer.
+      return Success;
+    }
+    Input issuerCert;
+    Result rv = issuerCert.Init(issuerDER->data(), issuerDER->length());
+    if (rv != Success) {
+      return rv;
+    }
+    bool keepGoing;
+    return checker.Check(issuerCert, nullptr, keepGoing);
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         const Input*, const Input*) override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  ByteString rootDER;
+  ByteString rootSubjectDER;
+  ByteString intDER;
+  ByteString intSubjectDER;
+};
+
+static const TestSignatureAlgorithm NO_INTERMEDIATE
+{
+  TestPublicKeyAlgorithm(ByteString()),
+  TestDigestAlgorithmID::MD2,
+  ByteString(),
+  false
+};
+
+struct ChainValidity final
+{
+  ChainValidity(const TestSignatureAlgorithm& aEndEntitySignatureAlgorithm,
+                const TestSignatureAlgorithm& aOptionalIntSignatureAlgorithm,
+                const TestSignatureAlgorithm& aRootSignatureAlgorithm,
+                bool aIsValid)
+    : endEntitySignatureAlgorithm(aEndEntitySignatureAlgorithm)
+    , optionalIntermediateSignatureAlgorithm(aOptionalIntSignatureAlgorithm)
+    , rootSignatureAlgorithm(aRootSignatureAlgorithm)
+    , isValid(aIsValid)
+  { }
+
+  // In general, a certificate is generated for each of these.  However, if
+  // optionalIntermediateSignatureAlgorithm is NO_INTERMEDIATE, then only 2
+  // certificates are generated.
+  // The certificate generated for the given rootSignatureAlgorithm is the
+  // trust anchor.
+  TestSignatureAlgorithm endEntitySignatureAlgorithm;
+  TestSignatureAlgorithm optionalIntermediateSignatureAlgorithm;
+  TestSignatureAlgorithm rootSignatureAlgorithm;
+  bool isValid;
+};
+
+static const ChainValidity CHAIN_VALIDITY[] =
+{
+  // The trust anchor may have a signature with an unsupported signature
+  // algorithm.
+  ChainValidity(sha256WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                md5WithRSAEncryption(),
+                true),
+  ChainValidity(sha256WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                md2WithRSAEncryption(),
+                true),
+
+  // Certificates that are not trust anchors must not have a signature with an
+  // unsupported signature algorithm.
+  ChainValidity(md5WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                sha256WithRSAEncryption(),
+                false),
+  ChainValidity(md2WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                sha256WithRSAEncryption(),
+                false),
+  ChainValidity(md2WithRSAEncryption(),
+                NO_INTERMEDIATE,
+                md5WithRSAEncryption(),
+                false),
+  ChainValidity(sha256WithRSAEncryption(),
+                md5WithRSAEncryption(),
+                sha256WithRSAEncryption(),
+                false),
+  ChainValidity(sha256WithRSAEncryption(),
+                md2WithRSAEncryption(),
+                sha256WithRSAEncryption(),
+                false),
+  ChainValidity(sha256WithRSAEncryption(),
+                md2WithRSAEncryption(),
+                md5WithRSAEncryption(),
+                false),
+};
+
+class pkixcert_IsValidChainForAlgorithm
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<ChainValidity>
+{
+};
+
+::std::ostream& operator<<(::std::ostream& os,
+                           const pkixcert_IsValidChainForAlgorithm&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+::std::ostream& operator<<(::std::ostream& os, const ChainValidity&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+TEST_P(pkixcert_IsValidChainForAlgorithm, IsValidChainForAlgorithm)
+{
+  const ChainValidity& chainValidity(GetParam());
+  const char* rootCN = "CN=Root";
+  ByteString rootSubjectDER;
+  ByteString rootEncoded(
+    CreateCert(rootCN, rootCN, EndEntityOrCA::MustBeCA,
+               chainValidity.rootSignatureAlgorithm, rootSubjectDER));
+  EXPECT_FALSE(ENCODING_FAILED(rootEncoded));
+  EXPECT_FALSE(ENCODING_FAILED(rootSubjectDER));
+
+  const char* issuerCN = rootCN;
+
+  const char* intermediateCN = "CN=Intermediate";
+  ByteString intermediateSubjectDER;
+  ByteString intermediateEncoded;
+
+  // If the the algorithmIdentifier is empty, then it's NO_INTERMEDIATE.
+  if (!chainValidity.optionalIntermediateSignatureAlgorithm
+                    .algorithmIdentifier.empty()) {
+    intermediateEncoded =
+      CreateCert(rootCN, intermediateCN, EndEntityOrCA::MustBeCA,
+                 chainValidity.optionalIntermediateSignatureAlgorithm,
+                 intermediateSubjectDER);
+    EXPECT_FALSE(ENCODING_FAILED(intermediateEncoded));
+    EXPECT_FALSE(ENCODING_FAILED(intermediateSubjectDER));
+    issuerCN = intermediateCN;
+  }
+
+  AlgorithmTestsTrustDomain trustDomain(rootEncoded, rootSubjectDER,
+                                        intermediateEncoded,
+                                        intermediateSubjectDER);
+
+  const char* endEntityCN = "CN=End Entity";
+  ByteString endEntitySubjectDER;
+  ByteString endEntityEncoded(
+    CreateCert(issuerCN, endEntityCN, EndEntityOrCA::MustBeEndEntity,
+               chainValidity.endEntitySignatureAlgorithm,
+               endEntitySubjectDER));
+  EXPECT_FALSE(ENCODING_FAILED(endEntityEncoded));
+  EXPECT_FALSE(ENCODING_FAILED(endEntitySubjectDER));
+
+  Input endEntity;
+  ASSERT_EQ(Success, endEntity.Init(endEntityEncoded.data(),
+                                    endEntityEncoded.length()));
+  Result expectedResult = chainValidity.isValid
+                        ? Success
+                        : Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
+  ASSERT_EQ(expectedResult,
+            BuildCertChain(trustDomain, endEntity, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           KeyPurposeId::id_kp_serverAuth,
+                           CertPolicyId::anyPolicy, nullptr));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixcert_IsValidChainForAlgorithm,
+                        pkixcert_IsValidChainForAlgorithm,
+                        testing::ValuesIn(CHAIN_VALIDITY));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
new file mode 100644
index 0000000000..0aef3d5c12
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp
@@ -0,0 +1,722 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2016 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
+                                    const Input* encodedExtendedKeyUsage,
+                                    KeyPurposeId requiredEKU,
+                                    TrustDomain& trustDomain, Time notBefore);
+
+} } // namespace mozilla::pkix
+
+class pkixcheck_CheckExtendedKeyUsage : public ::testing::Test
+{
+protected:
+  DefaultCryptoTrustDomain mTrustDomain;
+};
+
+#define ASSERT_BAD(x) ASSERT_EQ(Result::ERROR_INADEQUATE_CERT_TYPE, x)
+
+// tlv_id_kp_OCSPSigning and tlv_id_kp_serverAuth are defined in pkixtestutil.h
+
+// python DottedOIDToCode.py --tlv id-kp-clientAuth 1.3.6.1.5.5.7.3.2
+static const uint8_t tlv_id_kp_clientAuth[] = {
+  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02
+};
+
+// python DottedOIDToCode.py --tlv id-kp-codeSigning 1.3.6.1.5.5.7.3.3
+static const uint8_t tlv_id_kp_codeSigning[] = {
+  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03
+};
+
+// python DottedOIDToCode.py --tlv id_kp_emailProtection 1.3.6.1.5.5.7.3.4
+static const uint8_t tlv_id_kp_emailProtection[] = {
+  0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04
+};
+
+// python DottedOIDToCode.py --tlv id-Netscape-stepUp 2.16.840.1.113730.4.1
+static const uint8_t tlv_id_Netscape_stepUp[] = {
+  0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01
+};
+
+// python DottedOIDToCode.py --tlv unknownOID 1.3.6.1.4.1.13769.666.666.666.1.500.9.3
+static const uint8_t tlv_unknownOID[] = {
+  0x06, 0x12, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xeb, 0x49, 0x85, 0x1a, 0x85, 0x1a,
+  0x85, 0x1a, 0x01, 0x83, 0x74, 0x09, 0x03
+};
+
+// python DottedOIDToCode.py --tlv anyExtendedKeyUsage 2.5.29.37.0
+static const uint8_t tlv_anyExtendedKeyUsage[] = {
+  0x06, 0x04, 0x55, 0x1d, 0x25, 0x00
+};
+
+TEST_F(pkixcheck_CheckExtendedKeyUsage, none)
+{
+  // The input Input is nullptr. This means the cert had no extended key usage
+  // extension. This is always valid except for when the certificate is an
+  // end-entity and the required usage is id-kp-OCSPSigning.
+
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::anyExtendedKeyUsage,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::anyExtendedKeyUsage,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::id_kp_serverAuth,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_serverAuth,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::id_kp_clientAuth,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_clientAuth,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::id_kp_codeSigning,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_codeSigning,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                           nullptr,
+                                           KeyPurposeId::id_kp_emailProtection,
+                                           mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_emailProtection,
+                                           mTrustDomain, Now()));
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyPurposeId::id_kp_OCSPSigning,
+                                   mTrustDomain, Now()));
+  ASSERT_EQ(Success, CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                           KeyPurposeId::id_kp_OCSPSigning,
+                                           mTrustDomain, Now()));
+}
+
+static const Input empty_null;
+
+TEST_F(pkixcheck_CheckExtendedKeyUsage, empty)
+{
+  // The input Input is empty. The cert has an empty extended key usage
+  // extension, which is syntactically invalid.
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_null,
+                                   KeyPurposeId::id_kp_serverAuth,
+                                   mTrustDomain, Now()));
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &empty_null,
+                                   KeyPurposeId::id_kp_serverAuth,
+                                   mTrustDomain, Now()));
+
+  static const uint8_t dummy = 0x00;
+  Input empty_nonnull;
+  ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_nonnull,
+                                   KeyPurposeId::id_kp_serverAuth,
+                                   mTrustDomain, Now()));
+  ASSERT_BAD(CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &empty_nonnull,
+                                   KeyPurposeId::id_kp_serverAuth,
+                                   mTrustDomain, Now()));
+}
+
+struct EKUTestcase
+{
+  ByteString ekuSEQUENCE;
+  KeyPurposeId keyPurposeId;
+  Result expectedResultEndEntity;
+  Result expectedResultCA;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const EKUTestcase&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+class CheckExtendedKeyUsageTest
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<EKUTestcase>
+{
+protected:
+  DefaultCryptoTrustDomain mTrustDomain;
+};
+
+TEST_P(CheckExtendedKeyUsageTest, EKUTestcase)
+{
+  const EKUTestcase& param(GetParam());
+  Input encodedEKU;
+  ASSERT_EQ(Success, encodedEKU.Init(param.ekuSEQUENCE.data(),
+                                     param.ekuSEQUENCE.length()));
+  ASSERT_EQ(param.expectedResultEndEntity,
+            CheckExtendedKeyUsage(EndEntityOrCA::MustBeEndEntity, &encodedEKU,
+                                  param.keyPurposeId,
+                                  mTrustDomain, Now()));
+  ASSERT_EQ(param.expectedResultCA,
+            CheckExtendedKeyUsage(EndEntityOrCA::MustBeCA, &encodedEKU,
+                                  param.keyPurposeId,
+                                  mTrustDomain, Now()));
+}
+
+#define SINGLE_EKU_SUCCESS(oidBytes, keyPurposeId) \
+  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
+    Success, Success }
+#define SINGLE_EKU_SUCCESS_CA(oidBytes, keyPurposeId) \
+  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
+    Result::ERROR_INADEQUATE_CERT_TYPE, Success }
+#define SINGLE_EKU_FAILURE(oidBytes, keyPurposeId) \
+  { TLV(der::SEQUENCE, BytesToByteString(oidBytes)), keyPurposeId, \
+    Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
+#define DOUBLE_EKU_SUCCESS(oidBytes1, oidBytes2, keyPurposeId) \
+  { TLV(der::SEQUENCE, \
+        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
+    keyPurposeId, \
+    Success, Success }
+#define DOUBLE_EKU_SUCCESS_CA(oidBytes1, oidBytes2, keyPurposeId) \
+  { TLV(der::SEQUENCE, \
+        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
+    keyPurposeId, \
+    Result::ERROR_INADEQUATE_CERT_TYPE, Success }
+#define DOUBLE_EKU_FAILURE(oidBytes1, oidBytes2, keyPurposeId) \
+  { TLV(der::SEQUENCE, \
+        BytesToByteString(oidBytes1) + BytesToByteString(oidBytes2)), \
+    keyPurposeId, \
+    Result::ERROR_INADEQUATE_CERT_TYPE, Result::ERROR_INADEQUATE_CERT_TYPE }
+
+static const EKUTestcase EKU_TESTCASES[] =
+{
+  SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_kp_serverAuth, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+  // For end-entities, if id-kp-OCSPSigning is present, no usage is allowed
+  // except OCSPSigning.
+  SINGLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  // For compatibility, id-Netscape-stepUp is treated as equivalent to
+  // id-kp-serverAuth for CAs.
+  SINGLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  SINGLE_EKU_SUCCESS(tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  SINGLE_EKU_FAILURE(tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_clientAuth, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_serverAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_codeSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_clientAuth, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_emailProtection, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_codeSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_kp_OCSPSigning, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_emailProtection, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_id_Netscape_stepUp, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_SUCCESS(tlv_id_kp_OCSPSigning, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_unknownOID, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_SUCCESS_CA(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_id_Netscape_stepUp, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+
+  DOUBLE_EKU_SUCCESS(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::anyExtendedKeyUsage),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_serverAuth),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_clientAuth),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_codeSigning),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_emailProtection),
+  DOUBLE_EKU_FAILURE(tlv_unknownOID, tlv_anyExtendedKeyUsage, KeyPurposeId::id_kp_OCSPSigning),
+};
+
+INSTANTIATE_TEST_CASE_P(pkixcheck_CheckExtendedKeyUsage,
+                        CheckExtendedKeyUsageTest,
+                        ::testing::ValuesIn(EKU_TESTCASES));
+
+struct EKUChainTestcase
+{
+  ByteString ekuExtensionEE;
+  ByteString ekuExtensionCA;
+  KeyPurposeId keyPurposeId;
+  Result expectedResult;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const EKUChainTestcase&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+class CheckExtendedKeyUsageChainTest
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<EKUChainTestcase>
+{
+};
+
+static ByteString
+CreateCert(const char* issuerCN, const char* subjectCN,
+           EndEntityOrCA endEntityOrCA, ByteString encodedEKU)
+{
+  static long serialNumberValue = 0;
+  ++serialNumberValue;
+  ByteString serialNumber(CreateEncodedSerialNumber(serialNumberValue));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString issuerDER(CNToDERName(issuerCN));
+  ByteString subjectDER(CNToDERName(subjectCN));
+
+  ByteString extensions[3];
+  extensions[0] =
+    CreateEncodedBasicConstraints(endEntityOrCA == EndEntityOrCA::MustBeCA,
+                                  nullptr, Critical::Yes);
+  EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+  if (encodedEKU.length() > 0) {
+    extensions[1] = encodedEKU;
+  }
+
+  ScopedTestKeyPair reusedKey(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(
+                       v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
+                       oneDayBeforeNow, oneDayAfterNow, subjectDER,
+                       *reusedKey, extensions, *reusedKey,
+                       sha256WithRSAEncryption()));
+  EXPECT_FALSE(ENCODING_FAILED(certDER));
+
+  return certDER;
+}
+
+class EKUTrustDomain final : public DefaultCryptoTrustDomain
+{
+public:
+  explicit EKUTrustDomain(ByteString issuerCertDER)
+    : mIssuerCertDER(issuerCertDER)
+  {
+  }
+
+private:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input candidateCert,
+                      TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(candidateCert, mIssuerCertDER)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    Input derCert;
+    Result rv = derCert.Init(mIssuerCertDER.data(), mIssuerCertDER.length());
+    if (rv != Success) {
+      return rv;
+    }
+    bool keepGoing;
+    return checker.Check(derCert, nullptr, keepGoing);
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         const Input*, const Input*) override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  ByteString mIssuerCertDER;
+};
+
+TEST_P(CheckExtendedKeyUsageChainTest, EKUChainTestcase)
+{
+  const EKUChainTestcase& param(GetParam());
+  ByteString issuerCertDER(CreateCert("CA", "CA", EndEntityOrCA::MustBeCA,
+                                      param.ekuExtensionCA));
+  ByteString subjectCertDER(CreateCert("CA", "EE",
+                                       EndEntityOrCA::MustBeEndEntity,
+                                       param.ekuExtensionEE));
+
+  EKUTrustDomain trustDomain(issuerCertDER);
+
+  Input subjectCertDERInput;
+  ASSERT_EQ(Success, subjectCertDERInput.Init(subjectCertDER.data(),
+                                              subjectCertDER.length()));
+  ASSERT_EQ(param.expectedResult,
+            BuildCertChain(trustDomain, subjectCertDERInput, Now(),
+                           EndEntityOrCA::MustBeEndEntity,
+                           KeyUsage::noParticularKeyUsageRequired,
+                           param.keyPurposeId,
+                           CertPolicyId::anyPolicy,
+                           nullptr));
+}
+
+// python DottedOIDToCode.py --tlv id-ce-extKeyUsage 2.5.29.37
+static const uint8_t tlv_id_ce_extKeyUsage[] = {
+  0x06, 0x03, 0x55, 0x1d, 0x25
+};
+
+static inline ByteString
+CreateEKUExtension(ByteString ekuOIDs)
+{
+  return TLV(der::SEQUENCE,
+             BytesToByteString(tlv_id_ce_extKeyUsage) +
+               TLV(der::OCTET_STRING, TLV(der::SEQUENCE, ekuOIDs)));
+}
+
+static const EKUChainTestcase EKU_CHAIN_TESTCASES[] =
+{
+  {
+    // Both end-entity and CA have id-kp-serverAuth => should succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // CA has no EKU extension => should succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    ByteString(),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // End-entity has no EKU extension => should succeed
+    ByteString(),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // No EKU extensions at all => should succeed
+    ByteString(),
+    ByteString(),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // CA has EKU without id-kp-serverAuth => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // End-entity has EKU without id-kp-serverAuth => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // Both end-entity and CA have EKU without id-kp-serverAuth => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // End-entity has no EKU, CA doesn't have id-kp-serverAuth => should fail
+    ByteString(),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // End-entity doesn't have id-kp-serverAuth, CA has no EKU => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_clientAuth)),
+    ByteString(),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // CA has id-Netscape-stepUp => should succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // End-entity has id-Netscape-stepUp => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_Netscape_stepUp)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // End-entity and CA have id-kp-serverAuth and id-kp-clientAuth => should
+    // succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_clientAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+  {
+    // End-entity has id-kp-serverAuth and id-kp-OCSPSigning => should fail
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_OCSPSigning)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_clientAuth)),
+    KeyPurposeId::id_kp_serverAuth,
+    Result::ERROR_INADEQUATE_CERT_TYPE
+  },
+  {
+    // CA has id-kp-serverAuth and id-kp-OCSPSigning => should succeed
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_clientAuth)),
+    CreateEKUExtension(BytesToByteString(tlv_id_kp_serverAuth) +
+                       BytesToByteString(tlv_id_kp_OCSPSigning)),
+    KeyPurposeId::id_kp_serverAuth,
+    Success
+  },
+};
+
+INSTANTIATE_TEST_CASE_P(pkixcheck_CheckExtendedKeyUsage,
+                        CheckExtendedKeyUsageChainTest,
+                        ::testing::ValuesIn(EKU_CHAIN_TESTCASES));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp
new file mode 100644
index 0000000000..bcc2c11986
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckIssuer_tests.cpp
@@ -0,0 +1,63 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2016 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixcheck.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+class pkixcheck_CheckIssuer : public ::testing::Test { };
+
+static const uint8_t EMPTY_NAME_DATA[] = {
+  0x30, 0x00 /* tag, length */
+};
+static const Input EMPTY_NAME(EMPTY_NAME_DATA);
+
+static const uint8_t VALID_NAME_DATA[] = {
+  /* From https://www.example.com/: C=US, O=DigiCert Inc, OU=www.digicert.com,
+   * CN=DigiCert SHA2 High Assurance Server CA */
+  0x30, 0x70, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+  0x02, 0x55, 0x53, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0A,
+  0x13, 0x0C, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74, 0x20, 0x49,
+  0x6E, 0x63, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13,
+  0x10, 0x77, 0x77, 0x77, 0x2E, 0x64, 0x69, 0x67, 0x69, 0x63, 0x65, 0x72,
+  0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x2F, 0x30, 0x2D, 0x06, 0x03, 0x55,
+  0x04, 0x03, 0x13, 0x26, 0x44, 0x69, 0x67, 0x69, 0x43, 0x65, 0x72, 0x74,
+  0x20, 0x53, 0x48, 0x41, 0x32, 0x20, 0x48, 0x69, 0x67, 0x68, 0x20, 0x41,
+  0x73, 0x73, 0x75, 0x72, 0x61, 0x6E, 0x63, 0x65, 0x20, 0x53, 0x65, 0x72,
+  0x76, 0x65, 0x72, 0x20, 0x43, 0x41
+};
+static const Input VALID_NAME(VALID_NAME_DATA);
+
+TEST_F(pkixcheck_CheckIssuer, ValidIssuer)
+{
+  ASSERT_EQ(Success, CheckIssuer(VALID_NAME));
+}
+
+TEST_F(pkixcheck_CheckIssuer, EmptyIssuer)
+{
+  ASSERT_EQ(Result::ERROR_EMPTY_ISSUER_NAME, CheckIssuer(EMPTY_NAME));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp
new file mode 100644
index 0000000000..136f8719a8
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp
@@ -0,0 +1,284 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckKeyUsage(EndEntityOrCA endEntityOrCA,
+                            const Input* encodedKeyUsage,
+                            KeyUsage requiredKeyUsageIfPresent);
+
+} } // namespace mozilla::pkix
+
+class pkixcheck_CheckKeyUsage : public ::testing::Test { };
+
+#define ASSERT_BAD(x) ASSERT_EQ(Result::ERROR_INADEQUATE_KEY_USAGE, x)
+
+// Make it easy to define test data for the common, simplest cases.
+#define NAMED_SIMPLE_KU(name, unusedBits, bits) \
+  const uint8_t name##_bytes[4] = { \
+    0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, unusedBits, bits \
+  }; \
+  const Input name(name##_bytes);
+
+static const Input empty_null;
+
+// Note that keyCertSign is really the only interesting case for CA
+// certificates since we don't support cRLSign.
+
+TEST_F(pkixcheck_CheckKeyUsage, EE_none)
+{
+  // The input Input is nullptr. This means the cert had no keyUsage
+  // extension. This is always valid because no key usage in an end-entity
+  // means that there are no key usage restrictions.
+
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::noParticularKeyUsageRequired));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::digitalSignature));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::nonRepudiation));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::keyEncipherment));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::dataEncipherment));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, nullptr,
+                                   KeyUsage::keyAgreement));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, EE_empty)
+{
+  // The input Input is empty. The cert had an empty keyUsage extension,
+  // which is syntactically invalid.
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_null,
+                           KeyUsage::digitalSignature));
+  static const uint8_t dummy = 0x00;
+  Input empty_nonnull;
+  ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &empty_nonnull,
+                           KeyUsage::digitalSignature));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, CA_none)
+{
+  // A CA certificate does not have a KU extension.
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA, nullptr,
+                                   KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, CA_empty)
+{
+  // A CA certificate has an empty KU extension.
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_null,
+                           KeyUsage::keyCertSign));
+  static const uint8_t dummy = 0x00;
+  Input empty_nonnull;
+  ASSERT_EQ(Success, empty_nonnull.Init(&dummy, 0));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &empty_nonnull,
+                           KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, maxUnusedBits)
+{
+  NAMED_SIMPLE_KU(encoded, 7, 0x80);
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &encoded,
+                                   KeyUsage::digitalSignature));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, tooManyUnusedBits)
+{
+  static uint8_t oneValueByteData[] = {
+    0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 8/*unused bits*/, 0x80
+  };
+  static const Input oneValueByte(oneValueByteData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
+                           KeyUsage::digitalSignature));
+
+  static uint8_t twoValueBytesData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 8/*unused bits*/, 0x01, 0x00
+  };
+  static const Input twoValueBytes(twoValueBytesData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
+                           KeyUsage::digitalSignature));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_NoPaddingBits)
+{
+  static const uint8_t DER_BYTES[] = {
+    0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 0/*unused bits*/
+  };
+  static const Input DER(DER_BYTES);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
+                           KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
+                           KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, NoValueBytes_7PaddingBits)
+{
+  static const uint8_t DER_BYTES[] = {
+    0x03/*BIT STRING*/, 0x01/*LENGTH=1*/, 7/*unused bits*/
+  };
+  static const Input DER(DER_BYTES);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &DER,
+                           KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &DER,
+                           KeyUsage::keyCertSign));
+}
+
+void ASSERT_SimpleCase(uint8_t unusedBits, uint8_t bits, KeyUsage usage)
+{
+  // Test that only the right bit is accepted for the usage for both EE and CA
+  // certs.
+  NAMED_SIMPLE_KU(good, unusedBits, bits);
+  ASSERT_EQ(Success,
+            CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &good, usage));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA, &good, usage));
+
+  // We use (~bits >> unusedBits) << unusedBits) instead of using the same
+  // calculation that is in CheckKeyUsage to validate that the calculation in
+  // CheckKeyUsage is correct.
+
+  // Test that none of the other non-padding bits are mistaken for the given
+  // key usage in the single-byte value case.
+  NAMED_SIMPLE_KU(notGood, unusedBits,
+                  static_cast<uint8_t>((~bits >> unusedBits) << unusedBits));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &notGood, usage));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &notGood, usage));
+
+  // Test that none of the other non-padding bits are mistaken for the given
+  // key usage in the two-byte value case.
+  const uint8_t twoByteNotGoodData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, unusedBits,
+    static_cast<uint8_t>(~bits),
+    static_cast<uint8_t>((0xFFu >> unusedBits) << unusedBits)
+  };
+  Input twoByteNotGood(twoByteNotGoodData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
+                           usage));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood, usage));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, simpleCases)
+{
+  ASSERT_SimpleCase(7, 0x80, KeyUsage::digitalSignature);
+  ASSERT_SimpleCase(6, 0x40, KeyUsage::nonRepudiation);
+  ASSERT_SimpleCase(5, 0x20, KeyUsage::keyEncipherment);
+  ASSERT_SimpleCase(4, 0x10, KeyUsage::dataEncipherment);
+  ASSERT_SimpleCase(3, 0x08, KeyUsage::keyAgreement);
+}
+
+// Only CAs are allowed to assert keyCertSign.
+// End-entity certs may assert it along with other key usages if keyCertSign
+// isn't the required key usage. This is for compatibility.
+TEST_F(pkixcheck_CheckKeyUsage, keyCertSign)
+{
+  NAMED_SIMPLE_KU(good, 2, 0x04);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &good,
+                           KeyUsage::keyCertSign));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA, &good,
+                                   KeyUsage::keyCertSign));
+
+  // Test that none of the other non-padding bits are mistaken for the given
+  // key usage in the one-byte value case.
+  NAMED_SIMPLE_KU(notGood, 2, 0xFB);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &notGood,
+                           KeyUsage::keyCertSign));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &notGood,
+                           KeyUsage::keyCertSign));
+
+  // Test that none of the other non-padding bits are mistaken for the given
+  // key usage in the two-byte value case.
+  static uint8_t twoByteNotGoodData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 2/*unused bits*/, 0xFBu, 0xFCu
+  };
+  static const Input twoByteNotGood(twoByteNotGoodData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoByteNotGood,
+                           KeyUsage::keyCertSign));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoByteNotGood,
+                           KeyUsage::keyCertSign));
+
+  // If an end-entity certificate does assert keyCertSign, this is allowed
+  // as long as that isn't the required key usage.
+  NAMED_SIMPLE_KU(digitalSignatureAndKeyCertSign, 2, 0x84);
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                   &digitalSignatureAndKeyCertSign,
+                                   KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                           &digitalSignatureAndKeyCertSign,
+                           KeyUsage::keyCertSign));
+}
+
+TEST_F(pkixcheck_CheckKeyUsage, unusedBitNotZero)
+{
+  // single byte control case
+  static uint8_t controlOneValueByteData[] = {
+    0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80
+  };
+  static const Input controlOneValueByte(controlOneValueByteData);
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                   &controlOneValueByte,
+                                   KeyUsage::digitalSignature));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA,
+                                   &controlOneValueByte,
+                                   KeyUsage::digitalSignature));
+
+  // single-byte test case
+  static uint8_t oneValueByteData[] = {
+    0x03/*BIT STRING*/, 0x02/*LENGTH=2*/, 7/*unused bits*/, 0x80 | 0x01
+  };
+  static const Input oneValueByte(oneValueByteData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &oneValueByte,
+                           KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &oneValueByte,
+                           KeyUsage::digitalSignature));
+
+  // two-byte control case
+  static uint8_t controlTwoValueBytesData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
+    0x80 | 0x01, 0x80
+  };
+  static const Input controlTwoValueBytes(controlTwoValueBytesData);
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeEndEntity,
+                                   &controlTwoValueBytes,
+                                   KeyUsage::digitalSignature));
+  ASSERT_EQ(Success, CheckKeyUsage(EndEntityOrCA::MustBeCA,
+                                   &controlTwoValueBytes,
+                                   KeyUsage::digitalSignature));
+
+  // two-byte test case
+  static uint8_t twoValueBytesData[] = {
+    0x03/*BIT STRING*/, 0x03/*LENGTH=3*/, 7/*unused bits*/,
+    0x80 | 0x01, 0x80 | 0x01
+  };
+  static const Input twoValueBytes(twoValueBytesData);
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeEndEntity, &twoValueBytes,
+                           KeyUsage::digitalSignature));
+  ASSERT_BAD(CheckKeyUsage(EndEntityOrCA::MustBeCA, &twoValueBytes,
+                           KeyUsage::digitalSignature));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
new file mode 100644
index 0000000000..70e6fd410b
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp
@@ -0,0 +1,367 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+
+extern Result CheckSignatureAlgorithm(
+                TrustDomain& trustDomain, EndEntityOrCA endEntityOrCA,
+                Time notBefore,
+                const der::SignedDataWithSignature& signedData,
+                Input signatureValue);
+
+} } // namespace mozilla::pkix
+
+struct CheckSignatureAlgorithmTestParams
+{
+  ByteString signatureAlgorithmValue;
+  ByteString signatureValue;
+  unsigned int signatureLengthInBytes;
+  Result expectedResult;
+};
+
+::std::ostream& operator<<(::std::ostream& os,
+                           const CheckSignatureAlgorithmTestParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define BS(s) ByteString(s, MOZILLA_PKIX_ARRAY_LENGTH(s))
+
+// python DottedOIDToCode.py --tlv sha256WithRSAEncryption 1.2.840.113549.1.1.11
+static const uint8_t tlv_sha256WithRSAEncryption[] = {
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
+};
+
+// Same as tlv_sha256WithRSAEncryption, except one without the "0x0b" and with
+// the DER length decreased accordingly.
+static const uint8_t tlv_sha256WithRSAEncryption_truncated[] = {
+  0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01
+};
+
+// python DottedOIDToCode.py --tlv sha-1WithRSAEncryption 1.2.840.113549.1.1.5
+static const uint8_t tlv_sha_1WithRSAEncryption[] = {
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05
+};
+
+// python DottedOIDToCode.py --tlv sha1WithRSASignature 1.3.14.3.2.29
+static const uint8_t tlv_sha1WithRSASignature[] = {
+  0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1d
+};
+
+// python DottedOIDToCode.py --tlv md5WithRSAEncryption 1.2.840.113549.1.1.4
+static const uint8_t tlv_md5WithRSAEncryption[] = {
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04
+};
+
+static const CheckSignatureAlgorithmTestParams
+  CHECKSIGNATUREALGORITHM_TEST_PARAMS[] =
+{
+  { // Both algorithm IDs are empty
+    ByteString(),
+    ByteString(),
+    2048 / 8,
+    Result::ERROR_BAD_DER,
+  },
+  { // signatureAlgorithm is empty, signature is supported.
+    ByteString(),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_BAD_DER,
+  },
+  { // signatureAlgorithm is supported, signature is empty.
+    BS(tlv_sha256WithRSAEncryption),
+    ByteString(),
+    2048 / 8,
+    Result::ERROR_BAD_DER,
+  },
+  { // Algorithms match, both are supported.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Success
+  },
+  { // Algorithms do not match because signatureAlgorithm is truncated.
+    BS(tlv_sha256WithRSAEncryption_truncated),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // Algorithms do not match because signature is truncated.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption_truncated),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // Algorithms do not match, both are supported.
+    BS(tlv_sha_1WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH,
+  },
+  { // Algorithms do not match, both are supported.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha_1WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH,
+  },
+  { // Algorithms match, both are unsupported.
+    BS(tlv_md5WithRSAEncryption),
+    BS(tlv_md5WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // signatureAlgorithm is unsupported, signature is supported.
+    BS(tlv_md5WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // signatureAlgorithm is supported, signature is unsupported.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_md5WithRSAEncryption),
+    2048 / 8,
+    Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
+  },
+  { // Both have the optional NULL parameter.
+    BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+    BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+    2048 / 8,
+    Success
+  },
+  { // signatureAlgorithm has the optional NULL parameter, signature doesn't.
+    BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+    BS(tlv_sha256WithRSAEncryption),
+    2048 / 8,
+    Success
+  },
+  { // signatureAlgorithm does not have the optional NULL parameter, signature
+    // does.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption) + TLV(der::NULLTag, ByteString()),
+    2048 / 8,
+    Success
+  },
+  { // The different OIDs for RSA-with-SHA1 we support are semantically
+    // equivalent.
+    BS(tlv_sha1WithRSASignature),
+    BS(tlv_sha_1WithRSAEncryption),
+    2048 / 8,
+    Success,
+  },
+  { // The different OIDs for RSA-with-SHA1 we support are semantically
+    // equivalent (opposite order).
+    BS(tlv_sha_1WithRSAEncryption),
+    BS(tlv_sha1WithRSASignature),
+    2048 / 8,
+    Success,
+  },
+  { // Algorithms match, both are supported, key size is not a multile of 128
+    // bits. This test verifies that we're not wrongly rounding up the
+    // signature size like we did in the original patch for bug 1131767.
+    BS(tlv_sha256WithRSAEncryption),
+    BS(tlv_sha256WithRSAEncryption),
+    (2048 / 8) - 1,
+    Success
+  },
+};
+
+class pkixcheck_CheckSignatureAlgorithm
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<CheckSignatureAlgorithmTestParams>
+{
+};
+
+class pkixcheck_CheckSignatureAlgorithm_TrustDomain final
+  : public EverythingFailsByDefaultTrustDomain
+{
+public:
+  explicit pkixcheck_CheckSignatureAlgorithm_TrustDomain(
+             unsigned int aPublicKeySizeInBits)
+    : publicKeySizeInBits(aPublicKeySizeInBits)
+    , checkedDigestAlgorithm(false)
+    , checkedModulusSizeInBits(false)
+  {
+  }
+
+  Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA, Time)
+    override
+  {
+    checkedDigestAlgorithm = true;
+    return Success;
+  }
+
+  Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA endEntityOrCA,
+                                            unsigned int modulusSizeInBits)
+    override
+  {
+    EXPECT_EQ(EndEntityOrCA::MustBeEndEntity, endEntityOrCA);
+    EXPECT_EQ(publicKeySizeInBits, modulusSizeInBits);
+    checkedModulusSizeInBits = true;
+    return Success;
+  }
+
+  const unsigned int publicKeySizeInBits;
+  bool checkedDigestAlgorithm;
+  bool checkedModulusSizeInBits;
+};
+
+TEST_P(pkixcheck_CheckSignatureAlgorithm, CheckSignatureAlgorithm)
+{
+  const Time now(Now());
+  const CheckSignatureAlgorithmTestParams& params(GetParam());
+
+  Input signatureValueInput;
+  ASSERT_EQ(Success,
+            signatureValueInput.Init(params.signatureValue.data(),
+                                     params.signatureValue.length()));
+
+  pkixcheck_CheckSignatureAlgorithm_TrustDomain
+    trustDomain(params.signatureLengthInBytes * 8);
+
+  der::SignedDataWithSignature signedData;
+  ASSERT_EQ(Success,
+            signedData.algorithm.Init(params.signatureAlgorithmValue.data(),
+                                      params.signatureAlgorithmValue.length()));
+
+  ByteString dummySignature(params.signatureLengthInBytes, 0xDE);
+  ASSERT_EQ(Success,
+            signedData.signature.Init(dummySignature.data(),
+                                      dummySignature.length()));
+
+  ASSERT_EQ(params.expectedResult,
+            CheckSignatureAlgorithm(trustDomain, EndEntityOrCA::MustBeEndEntity,
+                                    now, signedData, signatureValueInput));
+  ASSERT_EQ(params.expectedResult == Success,
+            trustDomain.checkedDigestAlgorithm);
+  ASSERT_EQ(params.expectedResult == Success,
+            trustDomain.checkedModulusSizeInBits);
+}
+
+INSTANTIATE_TEST_CASE_P(
+  pkixcheck_CheckSignatureAlgorithm, pkixcheck_CheckSignatureAlgorithm,
+  testing::ValuesIn(CHECKSIGNATUREALGORITHM_TEST_PARAMS));
+
+class pkixcheck_CheckSignatureAlgorithm_BuildCertChain_TrustDomain
+  : public DefaultCryptoTrustDomain
+{
+public:
+  explicit pkixcheck_CheckSignatureAlgorithm_BuildCertChain_TrustDomain(
+             const ByteString& aIssuer)
+    : issuer(aIssuer)
+  {
+  }
+
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&,
+                      Input cert, /*out*/ TrustLevel& trustLevel) override
+  {
+    trustLevel = InputEqualsByteString(cert, issuer)
+               ? TrustLevel::TrustAnchor
+               : TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  Result FindIssuer(Input, IssuerChecker& checker, Time) override
+  {
+    EXPECT_FALSE(ENCODING_FAILED(issuer));
+
+    Input issuerInput;
+    EXPECT_EQ(Success, issuerInput.Init(issuer.data(), issuer.length()));
+
+    bool keepGoing;
+    EXPECT_EQ(Success, checker.Check(issuerInput, nullptr, keepGoing));
+    EXPECT_FALSE(keepGoing);
+
+    return Success;
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*,
+                         /*optional*/ const Input*) override
+  {
+    return Success;
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override
+  {
+    return Success;
+  }
+
+  ByteString issuer;
+};
+
+// Test that CheckSignatureAlgorithm actually gets called at some point when
+// BuildCertChain is called.
+TEST_F(pkixcheck_CheckSignatureAlgorithm, BuildCertChain)
+{
+  ScopedTestKeyPair keyPair(CloneReusedKeyPair());
+  ASSERT_TRUE(keyPair.get());
+
+  ByteString issuerExtensions[2];
+  issuerExtensions[0] = CreateEncodedBasicConstraints(true, nullptr,
+                                                      Critical::No);
+  ASSERT_FALSE(ENCODING_FAILED(issuerExtensions[0]));
+
+  ByteString issuer(CreateEncodedCertificate(3,
+                                             sha256WithRSAEncryption(),
+                                             CreateEncodedSerialNumber(1),
+                                             CNToDERName("issuer"),
+                                             oneDayBeforeNow, oneDayAfterNow,
+                                             CNToDERName("issuer"),
+                                             *keyPair,
+                                             issuerExtensions,
+                                             *keyPair,
+                                             sha256WithRSAEncryption()));
+  ASSERT_FALSE(ENCODING_FAILED(issuer));
+
+  ByteString subject(CreateEncodedCertificate(3,
+                                              sha1WithRSAEncryption(),
+                                              CreateEncodedSerialNumber(2),
+                                              CNToDERName("issuer"),
+                                              oneDayBeforeNow, oneDayAfterNow,
+                                              CNToDERName("subject"),
+                                              *keyPair,
+                                              nullptr,
+                                              *keyPair,
+                                              sha256WithRSAEncryption()));
+  ASSERT_FALSE(ENCODING_FAILED(subject));
+
+  Input subjectInput;
+  ASSERT_EQ(Success, subjectInput.Init(subject.data(), subject.length()));
+  pkixcheck_CheckSignatureAlgorithm_BuildCertChain_TrustDomain
+    trustDomain(issuer);
+  Result rv = BuildCertChain(trustDomain, subjectInput, Now(),
+                             EndEntityOrCA::MustBeEndEntity,
+                             KeyUsage::noParticularKeyUsageRequired,
+                             KeyPurposeId::anyExtendedKeyUsage,
+                             CertPolicyId::anyPolicy,
+                             nullptr);
+  ASSERT_EQ(Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH, rv);
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp
new file mode 100644
index 0000000000..a1a6f998bd
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_CheckValidity_tests.cpp
@@ -0,0 +1,128 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixcheck.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+static const Time PAST_TIME(YMDHMS(1998, 12, 31, 12, 23, 56));
+
+#define OLDER_GENERALIZEDTIME \
+  0x18, 15,                               /* tag, length */ \
+  '1', '9', '9', '9', '0', '1', '0', '1', /* 1999-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+#define OLDER_UTCTIME \
+  0x17, 13,                               /* tag, length */ \
+  '9', '9', '0', '1', '0', '1',           /* (19)99-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+static const Time NOW(YMDHMS(2016, 12, 31, 12, 23, 56));
+
+#define NEWER_GENERALIZEDTIME \
+  0x18, 15,                               /* tag, length */ \
+  '2', '0', '2', '1', '0', '1', '0', '1', /* 2021-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+#define NEWER_UTCTIME \
+  0x17, 13,                               /* tag, length */ \
+  '2', '1', '0', '1', '0', '1',           /* 2021-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+static const Time FUTURE_TIME(YMDHMS(2025, 12, 31, 12, 23, 56));
+
+class pkixcheck_CheckValidity : public ::testing::Test { };
+
+static const uint8_t OLDER_UTCTIME_NEWER_UTCTIME_DATA[] = {
+  OLDER_UTCTIME,
+  NEWER_UTCTIME,
+};
+static const Input
+OLDER_UTCTIME_NEWER_UTCTIME(OLDER_UTCTIME_NEWER_UTCTIME_DATA);
+
+TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_UTCTIME)
+{
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(OLDER_UTCTIME_NEWER_UTCTIME, &notBefore, &notAfter));
+  ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_GENERALIZEDTIME)
+{
+  static const uint8_t DER[] = {
+    OLDER_GENERALIZEDTIME,
+    NEWER_GENERALIZEDTIME,
+  };
+  static const Input validity(DER);
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(validity, &notBefore, &notAfter));
+  ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, Valid_GENERALIZEDTIME_UTCTIME)
+{
+  static const uint8_t DER[] = {
+    OLDER_GENERALIZEDTIME,
+    NEWER_UTCTIME,
+  };
+  static const Input validity(DER);
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(validity, &notBefore, &notAfter));
+  ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, Valid_UTCTIME_GENERALIZEDTIME)
+{
+  static const uint8_t DER[] = {
+    OLDER_UTCTIME,
+    NEWER_GENERALIZEDTIME,
+  };
+  static const Input validity(DER);
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(validity, &notBefore, &notAfter));
+  ASSERT_EQ(Success, CheckValidity(NOW, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, InvalidBeforeNotBefore)
+{
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(OLDER_UTCTIME_NEWER_UTCTIME, &notBefore, &notAfter));
+  ASSERT_EQ(Result::ERROR_NOT_YET_VALID_CERTIFICATE, CheckValidity(PAST_TIME, notBefore, notAfter));
+}
+
+TEST_F(pkixcheck_CheckValidity, InvalidAfterNotAfter)
+{
+  static Time notBefore(Time::uninitialized);
+  static Time notAfter(Time::uninitialized);
+  ASSERT_EQ(Success, ParseValidity(OLDER_UTCTIME_NEWER_UTCTIME, &notBefore, &notAfter));
+  ASSERT_EQ(Result::ERROR_EXPIRED_CERTIFICATE, CheckValidity(FUTURE_TIME, notBefore, notAfter));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp
new file mode 100644
index 0000000000..7255bb5df7
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_ParseValidity_tests.cpp
@@ -0,0 +1,84 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixcheck.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+#define OLDER_UTCTIME \
+  0x17, 13,                               /* tag, length */ \
+  '9', '9', '0', '1', '0', '1',           /* (19)99-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+#define NEWER_UTCTIME \
+  0x17, 13,                               /* tag, length */ \
+  '2', '1', '0', '1', '0', '1',           /* 2021-01-01 */ \
+  '0', '0', '0', '0', '0', '0', 'Z'       /* 00:00:00Z */
+
+static const Time FUTURE_TIME(YMDHMS(2025, 12, 31, 12, 23, 56));
+
+class pkixcheck_ParseValidity : public ::testing::Test { };
+
+TEST_F(pkixcheck_ParseValidity, BothEmptyNull)
+{
+  static const uint8_t DER[] = {
+    0x17/*UTCTime*/, 0/*length*/,
+    0x17/*UTCTime*/, 0/*length*/,
+  };
+  static const Input validity(DER);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
+
+TEST_F(pkixcheck_ParseValidity, NotBeforeEmptyNull)
+{
+  static const uint8_t DER[] = {
+    0x17/*UTCTime*/, 0x00/*length*/,
+    NEWER_UTCTIME
+  };
+  static const Input validity(DER);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
+
+TEST_F(pkixcheck_ParseValidity, NotAfterEmptyNull)
+{
+  static const uint8_t DER[] = {
+    NEWER_UTCTIME,
+    0x17/*UTCTime*/, 0x00/*length*/,
+  };
+  static const Input validity(DER);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
+
+TEST_F(pkixcheck_ParseValidity, InvalidNotAfterBeforeNotBefore)
+{
+  static const uint8_t DER[] = {
+    NEWER_UTCTIME,
+    OLDER_UTCTIME,
+  };
+  static const Input validity(DER);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, ParseValidity(validity));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
new file mode 100644
index 0000000000..b7809cc602
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixcheck_TLSFeaturesSatisfiedInternal_tests.cpp
@@ -0,0 +1,120 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+namespace mozilla { namespace pkix {
+  extern Result TLSFeaturesSatisfiedInternal(const Input* requiredTLSFeatures,
+                                             const Input* stapledOCSPResponse);
+} } // namespace mozilla::pkix
+
+struct TLSFeaturesTestParams
+{
+  ByteString requiredTLSFeatures;
+  Result expectedResultWithResponse;
+  Result expectedResultWithoutResponse;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const TLSFeaturesTestParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define BS(s) ByteString(s, MOZILLA_PKIX_ARRAY_LENGTH(s))
+static const uint8_t statusRequest[] = {
+  0x30, 0x03, 0x02, 0x01, 0x05
+};
+
+static const uint8_t unknown[] = {
+  0x30, 0x03, 0x02, 0x01, 0x06
+};
+
+static const uint8_t statusRequestAndUnknown[] = {
+  0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x06
+};
+
+static const uint8_t duplicateStatusRequest[] = {
+  0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x05
+};
+
+static const uint8_t twoByteUnknown[] = {
+  0x30, 0x04, 0x02, 0x02, 0x05, 0x05
+};
+
+static const uint8_t zeroByteInteger[] = {
+  0x30, 0x02, 0x02, 0x00
+};
+
+static const TLSFeaturesTestParams
+  TLSFEATURESSATISFIED_TEST_PARAMS[] =
+{
+  // some tests with checks enforced
+  { ByteString(), Result::ERROR_BAD_DER, Result::ERROR_BAD_DER },
+  { BS(statusRequest), Success, Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(unknown), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(statusRequestAndUnknown), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(duplicateStatusRequest), Success,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(twoByteUnknown), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+  { BS(zeroByteInteger), Result::ERROR_REQUIRED_TLS_FEATURE_MISSING,
+    Result::ERROR_REQUIRED_TLS_FEATURE_MISSING },
+};
+
+class pkixcheck_TLSFeaturesSatisfiedInternal
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<TLSFeaturesTestParams>
+{
+};
+
+TEST_P(pkixcheck_TLSFeaturesSatisfiedInternal, TLSFeaturesSatisfiedInternal) {
+  const TLSFeaturesTestParams& params(GetParam());
+
+  Input featuresInput;
+  ASSERT_EQ(Success, featuresInput.Init(params.requiredTLSFeatures.data(),
+                                        params.requiredTLSFeatures.length()));
+  Input responseInput;
+  // just create an input with any data in it
+  ByteString stapledOCSPResponse = BS(statusRequest);
+  ASSERT_EQ(Success, responseInput.Init(stapledOCSPResponse.data(),
+                                        stapledOCSPResponse.length()));
+  // first we omit the response
+  ASSERT_EQ(params.expectedResultWithoutResponse,
+            TLSFeaturesSatisfiedInternal(&featuresInput, nullptr));
+  // then we try again with the response
+  ASSERT_EQ(params.expectedResultWithResponse,
+            TLSFeaturesSatisfiedInternal(&featuresInput, &responseInput));
+}
+
+INSTANTIATE_TEST_CASE_P(
+  pkixcheck_TLSFeaturesSatisfiedInternal,
+  pkixcheck_TLSFeaturesSatisfiedInternal,
+  testing::ValuesIn(TLSFEATURESSATISFIED_TEST_PARAMS));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixder_input_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixder_input_tests.cpp
new file mode 100644
index 0000000000..cf91fa2c61
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixder_input_tests.cpp
@@ -0,0 +1,920 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <functional>
+#include <vector>
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::der;
+
+namespace {
+
+class pkixder_input_tests : public ::testing::Test { };
+
+static const uint8_t DER_SEQUENCE_EMPTY[] = {
+  0x30,                       // SEQUENCE
+  0x00,                       // length
+};
+
+static const uint8_t DER_SEQUENCE_NOT_EMPTY[] = {
+  0x30,                       // SEQUENCE
+  0x01,                       // length
+  'X',                        // value
+};
+
+static const uint8_t DER_SEQUENCE_NOT_EMPTY_VALUE[] = {
+  'X',                        // value
+};
+
+static const uint8_t DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED[] = {
+  0x30,                       // SEQUENCE
+  0x01,                       // length
+};
+
+const uint8_t DER_SEQUENCE_OF_INT8[] = {
+  0x30,                       // SEQUENCE
+  0x09,                       // length
+  0x02, 0x01, 0x01,           // INTEGER length 1 value 0x01
+  0x02, 0x01, 0x02,           // INTEGER length 1 value 0x02
+  0x02, 0x01, 0x03            // INTEGER length 1 value 0x03
+};
+
+const uint8_t DER_TRUNCATED_SEQUENCE_OF_INT8[] = {
+  0x30,                       // SEQUENCE
+  0x09,                       // length
+  0x02, 0x01, 0x01,           // INTEGER length 1 value 0x01
+  0x02, 0x01, 0x02            // INTEGER length 1 value 0x02
+  // MISSING DATA HERE ON PURPOSE
+};
+
+const uint8_t DER_OVERRUN_SEQUENCE_OF_INT8[] = {
+  0x30,                       // SEQUENCE
+  0x09,                       // length
+  0x02, 0x01, 0x01,           // INTEGER length 1 value 0x01
+  0x02, 0x01, 0x02,           // INTEGER length 1 value 0x02
+  0x02, 0x02, 0xFF, 0x03      // INTEGER length 2 value 0xFF03
+};
+
+const uint8_t DER_INT16[] = {
+  0x02,                       // INTEGER
+  0x02,                       // length
+  0x12, 0x34                  // 0x1234
+};
+
+static const Input EMPTY_INPUT;
+
+TEST_F(pkixder_input_tests, InputInit)
+{
+  Input buf;
+  ASSERT_EQ(Success,
+            buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
+}
+
+TEST_F(pkixder_input_tests, InputInitWithNullPointerOrZeroLength)
+{
+  Input buf;
+  ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 0));
+
+  ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init(nullptr, 100));
+
+  // Though it seems odd to initialize with zero-length and non-null ptr, this
+  // is working as intended. The Reader class was intended to protect against
+  // buffer overflows, and there's no risk with the current behavior. See bug
+  // 1000354.
+  ASSERT_EQ(Success, buf.Init((const uint8_t*) "hello", 0));
+  ASSERT_TRUE(buf.GetLength() == 0);
+}
+
+TEST_F(pkixder_input_tests, InputInitWithLargeData)
+{
+  Input buf;
+  // Data argument length does not matter, it is not touched, just
+  // needs to be non-null
+  ASSERT_EQ(Result::ERROR_BAD_DER, buf.Init((const uint8_t*) "", 0xffff+1));
+
+  ASSERT_EQ(Success, buf.Init((const uint8_t*) "", 0xffff));
+}
+
+TEST_F(pkixder_input_tests, InputInitMultipleTimes)
+{
+  Input buf;
+
+  ASSERT_EQ(Success,
+            buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
+
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS,
+            buf.Init(DER_SEQUENCE_OF_INT8, sizeof DER_SEQUENCE_OF_INT8));
+}
+
+TEST_F(pkixder_input_tests, PeekWithinBounds)
+{
+  const uint8_t der[] = { 0x11, 0x11 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_TRUE(input.Peek(0x11));
+  ASSERT_FALSE(input.Peek(0x22));
+}
+
+TEST_F(pkixder_input_tests, PeekPastBounds)
+{
+  const uint8_t der[] = { 0x11, 0x22 };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 1));
+  Reader input(buf);
+
+  uint8_t readByte;
+  ASSERT_EQ(Success, input.Read(readByte));
+  ASSERT_EQ(0x11, readByte);
+  ASSERT_FALSE(input.Peek(0x22));
+}
+
+TEST_F(pkixder_input_tests, ReadByte)
+{
+  const uint8_t der[] = { 0x11, 0x22 };
+  Input buf(der);
+  Reader input(buf);
+
+  uint8_t readByte1;
+  ASSERT_EQ(Success, input.Read(readByte1));
+  ASSERT_EQ(0x11, readByte1);
+
+  uint8_t readByte2;
+  ASSERT_EQ(Success, input.Read(readByte2));
+  ASSERT_EQ(0x22, readByte2);
+}
+
+TEST_F(pkixder_input_tests, ReadBytePastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22 };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 1));
+  Reader input(buf);
+
+  uint8_t readByte1 = 0;
+  ASSERT_EQ(Success, input.Read(readByte1));
+  ASSERT_EQ(0x11, readByte1);
+
+  uint8_t readByte2 = 0;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readByte2));
+  ASSERT_NE(0x22, readByte2);
+}
+
+TEST_F(pkixder_input_tests, ReadByteWrapAroundPointer)
+{
+  // The original implementation of our buffer read overflow checks was
+  // susceptible to integer overflows which could make the checks ineffective.
+  // This attempts to verify that we've fixed that. Unfortunately, decrementing
+  // a null pointer is undefined behavior according to the C++ language spec.,
+  // but this should catch the problem on at least some compilers, if not all of
+  // them.
+  const uint8_t* der = nullptr;
+  --der;
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 0));
+  Reader input(buf);
+
+  uint8_t b;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
+}
+
+TEST_F(pkixder_input_tests, ReadWord)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  uint16_t readWord1 = 0;
+  ASSERT_EQ(Success, input.Read(readWord1));
+  ASSERT_EQ(0x1122, readWord1);
+
+  uint16_t readWord2 = 0;
+  ASSERT_EQ(Success, input.Read(readWord2));
+  ASSERT_EQ(0x3344, readWord2);
+}
+
+TEST_F(pkixder_input_tests, ReadWordPastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 2)); // Initialize with too-short length
+  Reader input(buf);
+
+  uint16_t readWord1 = 0;
+  ASSERT_EQ(Success, input.Read(readWord1));
+  ASSERT_EQ(0x1122, readWord1);
+
+  uint16_t readWord2 = 0;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readWord2));
+  ASSERT_NE(0x3344, readWord2);
+}
+
+TEST_F(pkixder_input_tests, ReadWordWithInsufficentData)
+{
+  const uint8_t der[] = { 0x11, 0x22 };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 1));
+  Reader input(buf);
+
+  uint16_t readWord1 = 0;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(readWord1));
+  ASSERT_NE(0x1122, readWord1);
+}
+
+TEST_F(pkixder_input_tests, ReadWordWrapAroundPointer)
+{
+  // The original implementation of our buffer read overflow checks was
+  // susceptible to integer overflows which could make the checks ineffective.
+  // This attempts to verify that we've fixed that. Unfortunately, decrementing
+  // a null pointer is undefined behavior according to the C++ language spec.,
+  // but this should catch the problem on at least some compilers, if not all of
+  // them.
+  const uint8_t* der = nullptr;
+  --der;
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 0));
+  Reader input(buf);
+  uint16_t b;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Read(b));
+}
+
+TEST_F(pkixder_input_tests, Skip)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  ASSERT_EQ(Success, input.Skip(1));
+
+  uint8_t readByte1 = 0;
+  ASSERT_EQ(Success, input.Read(readByte1));
+  ASSERT_EQ(0x22, readByte1);
+
+  ASSERT_EQ(Success, input.Skip(1));
+
+  uint8_t readByte2 = 0;
+  ASSERT_EQ(Success, input.Read(readByte2));
+  ASSERT_EQ(0x44, readByte2);
+}
+
+TEST_F(pkixder_input_tests, Skip_ToEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_EQ(Success, input.Skip(sizeof der));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, Skip_PastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1));
+}
+
+TEST_F(pkixder_input_tests, Skip_ToNewInput)
+{
+  const uint8_t der[] = { 0x01, 0x02, 0x03, 0x04 };
+  Input buf(der);
+  Reader input(buf);
+
+  Reader skippedInput;
+  ASSERT_EQ(Success, input.Skip(3, skippedInput));
+
+  uint8_t readByte1 = 0;
+  ASSERT_EQ(Success, input.Read(readByte1));
+  ASSERT_EQ(0x04, readByte1);
+
+  ASSERT_TRUE(input.AtEnd());
+
+  // Reader has no Remaining() or Length() so we simply read the bytes
+  // and then expect to be at the end.
+
+  for (uint8_t i = 1; i <= 3; ++i) {
+    uint8_t readByte = 0;
+    ASSERT_EQ(Success, skippedInput.Read(readByte));
+    ASSERT_EQ(i, readByte);
+  }
+
+  ASSERT_TRUE(skippedInput.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, Skip_ToNewInputPastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Reader skippedInput;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der * 2, skippedInput));
+}
+
+TEST_F(pkixder_input_tests, Skip_ToInput)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
+
+  Input item;
+  ASSERT_EQ(Success, input.Skip(sizeof expectedItemData, item));
+
+  Input expected(expectedItemData);
+  ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+TEST_F(pkixder_input_tests, Skip_WrapAroundPointer)
+{
+  // The original implementation of our buffer read overflow checks was
+  // susceptible to integer overflows which could make the checks ineffective.
+  // This attempts to verify that we've fixed that. Unfortunately, decrementing
+  // a null pointer is undefined behavior according to the C++ language spec.,
+  // but this should catch the problem on at least some compilers, if not all of
+  // them.
+  const uint8_t* der = nullptr;
+  --der;
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 0));
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(1));
+}
+
+TEST_F(pkixder_input_tests, Skip_ToInputPastEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Input skipped;
+  ASSERT_EQ(Result::ERROR_BAD_DER, input.Skip(sizeof der + 1, skipped));
+}
+
+TEST_F(pkixder_input_tests, SkipToEnd_ToInput)
+{
+  static const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Input skipped;
+  ASSERT_EQ(Success, input.SkipToEnd(skipped));
+}
+
+TEST_F(pkixder_input_tests, SkipToEnd_ToInput_InputAlreadyInited)
+{
+  static const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  static const uint8_t initialValue[] = { 0x01, 0x02, 0x03 };
+  Input x(initialValue);
+  // Fails because skipped was already initialized once, and Inputs are not
+  // allowed to be Init()d multiple times.
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, input.SkipToEnd(x));
+  ASSERT_TRUE(InputsAreEqual(x, Input(initialValue)));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndSkipValue)
+{
+  Input buf(DER_SEQUENCE_OF_INT8);
+  Reader input(buf);
+
+  ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
+  ASSERT_EQ(Success, End(input));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithTruncatedData)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndSkipValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndSkipValueWithOverrunData)
+{
+  Input buf(DER_OVERRUN_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  ASSERT_EQ(Success, ExpectTagAndSkipValue(input, SEQUENCE));
+  ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
+}
+
+TEST_F(pkixder_input_tests, AtEndOnUnInitializedInput)
+{
+  Reader input;
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, AtEndAtBeginning)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_FALSE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, AtEndAtEnd)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_EQ(Success, input.Skip(sizeof der));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, MarkAndGetInput)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Reader::Mark mark = input.GetMark();
+
+  const uint8_t expectedItemData[] = { 0x11, 0x22, 0x33 };
+
+  ASSERT_EQ(Success, input.Skip(sizeof expectedItemData));
+
+  Input item;
+  ASSERT_EQ(Success, input.GetInput(mark, item));
+  Input expected(expectedItemData);
+  ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+// Cannot run this test on debug builds because of the NotReached
+#ifdef NDEBUG
+TEST_F(pkixder_input_tests, MarkAndGetInputDifferentInput)
+{
+  const uint8_t der[] = { 0x11, 0x22, 0x33, 0x44 };
+  Input buf(der);
+  Reader input(buf);
+
+  Reader another;
+  Reader::Mark mark = another.GetMark();
+
+  ASSERT_EQ(Success, input.Skip(3));
+
+  Input item;
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, input.GetInput(mark, item));
+}
+#endif
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_AtEnd)
+{
+  Reader input(EMPTY_INPUT);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_TruncatedAfterTag)
+{
+  static const uint8_t DER[] = { SEQUENCE };
+  Input buf(DER);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  uint8_t tag = 0;
+  Input value;
+  ASSERT_EQ(Success, ReadTagAndGetValue(input, tag, value));
+  ASSERT_EQ(SEQUENCE, tag);
+  ASSERT_EQ(0u, value.GetLength());
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_ValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  uint8_t tag = 0;
+  Input value;
+  ASSERT_EQ(Success, ReadTagAndGetValue(input, tag, value));
+  ASSERT_EQ(SEQUENCE, tag);
+  Input expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
+  ASSERT_TRUE(InputsAreEqual(expected, value));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+       ReadTagAndGetValue_Input_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidHighTagNumberForm1)
+{
+  // High tag number form is not allowed (illegal 1 byte tag)
+  //
+  // If the decoder treats 0x1F as a valid low tag number tag, then it will
+  // treat the actual tag (1) as a length, and then it will return Success
+  // with value == { 0x00 } and tag == 0x1f.
+  //
+  // It is illegal to encode tag 1 in the high tag number form because it isn't
+  // the shortest encoding (the low tag number form is).
+  static const uint8_t DER[] = {
+    0x1F, // high tag number form indicator
+    1,    // tag 1 (not legal!)
+    0     // length zero
+  };
+  Input buf(DER);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidHighTagNumberForm2)
+{
+  // High tag number form is not allowed (legal 1 byte tag).
+  //
+  // ReadTagAndGetValue's check to prohibit the high tag number form has no
+  // effect on whether this test passes or fails, because ReadTagAndGetValue
+  // will interpret the second byte (31) as a length, and the input doesn't
+  // have 31 bytes following it. This test is here to guard against the case
+  // where somebody actually implements high tag number form parsing, to remind
+  // that person that they need to add tests here, including in particular
+  // tests for overly-long encodings.
+  static const uint8_t DER[] = {
+    0x1F, // high tag number form indicator
+    31,   // tag 31
+    0     // length zero
+  };
+  Input buf(DER);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ReadTagAndGetValue_Input_InvalidHighTagNumberForm3)
+{
+  // High tag number form is not allowed (2 byte legal tag)
+  //
+  // ReadTagAndGetValue's check to prohibit the high tag number form has no
+  // effect on whether this test passes or fails, because ReadTagAndGetValue
+  // will interpret the second byte as a length, and the input doesn't have
+  // that many bytes following it. This test is here to guard against the case
+  // where somebody actually implements high tag number form parsing, to remind
+  // that person that they need to add tests here, including in particular
+  // tests for overly-long encodings.
+  static const uint8_t DER[] = {
+    0x1F,              // high tag number form indicator
+    0x80 | 0x01, 0x00, // tag 0x100 (256)
+    0                  // length zero
+  };
+  Input buf(DER);
+  Reader input(buf);
+  uint8_t tag;
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ReadTagAndGetValue(input, tag, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  ASSERT_TRUE(value.AtEnd());
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_ValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  ASSERT_TRUE(value.MatchRest(DER_SEQUENCE_NOT_EMPTY_VALUE));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+       ExpectTagAndGetValue_Reader_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Reader_InvalidWrongTag)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Reader value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, INTEGER, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  ASSERT_EQ(0u, value.GetLength());
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_ValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Success, ExpectTagAndGetValue(input, SEQUENCE, value));
+  Input expected(DER_SEQUENCE_NOT_EMPTY_VALUE);
+  ASSERT_TRUE(InputsAreEqual(expected, value));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+       ExpectTagAndGetValue_Input_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, SEQUENCE, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetValue_Input_InvalidWrongTag)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input value;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            ExpectTagAndGetValue(input, INTEGER, value));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  ASSERT_EQ(Success, ExpectTagAndEmptyValue(input, SEQUENCE));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_InValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests,
+       ExpectTagAndEmptyValue_Input_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, SEQUENCE));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndEmptyValue_InvalidWrongTag)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndEmptyValue(input, INTEGER));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidEmpty)
+{
+  Input buf(DER_SEQUENCE_EMPTY);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+  Input expected(DER_SEQUENCE_EMPTY);
+  ASSERT_TRUE(InputsAreEqual(expected, tlv));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_ValidNotEmpty)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Success, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+  Input expected(DER_SEQUENCE_NOT_EMPTY);
+  ASSERT_TRUE(InputsAreEqual(expected, tlv));
+  ASSERT_TRUE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests,
+       ExpectTagAndGetTLV_Input_InvalidNotEmptyValueTruncated)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY_VALUE_TRUNCATED);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongLength)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, SEQUENCE, tlv));
+}
+
+TEST_F(pkixder_input_tests, ExpectTagAndGetTLV_Input_InvalidWrongTag)
+{
+  Input buf(DER_SEQUENCE_NOT_EMPTY);
+  Reader input(buf);
+  Input tlv;
+  ASSERT_EQ(Result::ERROR_BAD_DER, ExpectTagAndGetTLV(input, INTEGER, tlv));
+}
+
+TEST_F(pkixder_input_tests, EndAtEnd)
+{
+  Input buf(DER_INT16);
+  Reader input(buf);
+  ASSERT_EQ(Success, input.Skip(4));
+  ASSERT_EQ(Success, End(input));
+}
+
+TEST_F(pkixder_input_tests, EndBeforeEnd)
+{
+  Input buf(DER_INT16);
+  Reader input(buf);
+  ASSERT_EQ(Success, input.Skip(2));
+  ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
+}
+
+TEST_F(pkixder_input_tests, EndAtBeginning)
+{
+  Input buf(DER_INT16);
+  Reader input(buf);
+  ASSERT_EQ(Result::ERROR_BAD_DER, End(input));
+}
+
+// TODO: Need tests for Nested too?
+
+Result NestedOfHelper(Reader& input, std::vector<uint8_t>& readValues)
+{
+  uint8_t value = 0;
+  Result rv = input.Read(value);
+  EXPECT_EQ(Success, rv);
+  if (rv != Success) {
+    return rv;
+  }
+  readValues.push_back(value);
+  return Success;
+}
+
+TEST_F(pkixder_input_tests, NestedOf)
+{
+  Input buf(DER_SEQUENCE_OF_INT8);
+  Reader input(buf);
+
+  std::vector<uint8_t> readValues;
+  ASSERT_EQ(Success,
+            NestedOf(input, SEQUENCE, INTEGER, EmptyAllowed::No,
+                     [&readValues](Reader& r) {
+                       return NestedOfHelper(r, readValues);
+                     }));
+  ASSERT_EQ(3u, readValues.size());
+  ASSERT_EQ(0x01, readValues[0]);
+  ASSERT_EQ(0x02, readValues[1]);
+  ASSERT_EQ(0x03, readValues[2]);
+  ASSERT_EQ(Success, End(input));
+}
+
+TEST_F(pkixder_input_tests, NestedOfWithTruncatedData)
+{
+  Input buf(DER_TRUNCATED_SEQUENCE_OF_INT8);
+  Reader input(buf);
+
+  std::vector<uint8_t> readValues;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            NestedOf(input, SEQUENCE, INTEGER, EmptyAllowed::No,
+                     [&readValues](Reader& r) {
+                       return NestedOfHelper(r, readValues);
+                     }));
+  ASSERT_EQ(0u, readValues.size());
+}
+
+TEST_F(pkixder_input_tests, MatchRestAtEnd)
+{
+  static const uint8_t der[1] = { };
+  Input buf;
+  ASSERT_EQ(Success, buf.Init(der, 0));
+  Reader input(buf);
+  ASSERT_TRUE(input.AtEnd());
+  static const uint8_t toMatch[] = { 1 };
+  ASSERT_FALSE(input.MatchRest(toMatch));
+}
+
+TEST_F(pkixder_input_tests, MatchRest1Match)
+{
+  static const uint8_t der[] = { 1 };
+  Input buf(der);
+  Reader input(buf);
+  ASSERT_FALSE(input.AtEnd());
+  ASSERT_TRUE(input.MatchRest(der));
+}
+
+TEST_F(pkixder_input_tests, MatchRest1Mismatch)
+{
+  static const uint8_t der[] = { 1 };
+  Input buf(der);
+  Reader input(buf);
+  static const uint8_t toMatch[] = { 2 };
+  ASSERT_FALSE(input.MatchRest(toMatch));
+  ASSERT_FALSE(input.AtEnd());
+}
+
+TEST_F(pkixder_input_tests, MatchRest2WithTrailingByte)
+{
+  static const uint8_t der[] = { 1, 2, 3 };
+  Input buf(der);
+  Reader input(buf);
+  static const uint8_t toMatch[] = { 1, 2 };
+  ASSERT_FALSE(input.MatchRest(toMatch));
+}
+
+TEST_F(pkixder_input_tests, MatchRest2Mismatch)
+{
+  static const uint8_t der[] = { 1, 2, 3 };
+  Input buf(der);
+  Reader input(buf);
+  static const uint8_t toMatchMismatch[] = { 1, 3 };
+  ASSERT_FALSE(input.MatchRest(toMatchMismatch));
+  ASSERT_TRUE(input.MatchRest(der));
+}
+
+} // namespace
diff --git a/security/nss/gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp
new file mode 100644
index 0000000000..989f3d2965
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixder_pki_types_tests.cpp
@@ -0,0 +1,480 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <functional>
+#include <vector>
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixtypes.h"
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::der;
+
+class pkixder_pki_types_tests : public ::testing::Test { };
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumber)
+{
+  const uint8_t DER_CERT_SERIAL[] = {
+    0x02,                       // INTEGER
+    8,                          // length
+    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
+  };
+  Input input(DER_CERT_SERIAL);
+  Reader reader(input);
+
+  Input item;
+  ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
+
+  Input expected;
+  ASSERT_EQ(Success,
+            expected.Init(DER_CERT_SERIAL + 2, sizeof DER_CERT_SERIAL - 2));
+  ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumberLongest)
+{
+  const uint8_t DER_CERT_SERIAL_LONGEST[] = {
+    0x02,                       // INTEGER
+    20,                         // length
+    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
+  };
+  Input input(DER_CERT_SERIAL_LONGEST);
+  Reader reader(input);
+
+  Input item;
+  ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
+
+  Input expected;
+  ASSERT_EQ(Success,
+            expected.Init(DER_CERT_SERIAL_LONGEST + 2,
+                          sizeof DER_CERT_SERIAL_LONGEST - 2));
+  ASSERT_TRUE(InputsAreEqual(expected, item));
+}
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumberCrazyLong)
+{
+  const uint8_t DER_CERT_SERIAL_CRAZY_LONG[] = {
+    0x02,                       // INTEGER
+    32,                         // length
+    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
+    17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32
+  };
+  Input input(DER_CERT_SERIAL_CRAZY_LONG);
+  Reader reader(input);
+
+  Input item;
+  ASSERT_EQ(Success, CertificateSerialNumber(reader, item));
+}
+
+TEST_F(pkixder_pki_types_tests, CertificateSerialNumberZeroLength)
+{
+  const uint8_t DER_CERT_SERIAL_ZERO_LENGTH[] = {
+    0x02,                       // INTEGER
+    0x00                        // length
+  };
+  Input input(DER_CERT_SERIAL_ZERO_LENGTH);
+  Reader reader(input);
+
+  Input item;
+  ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING,
+            CertificateSerialNumber(reader, item));
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionV1ExplicitEncodingAllowed)
+{
+  const uint8_t DER_OPTIONAL_VERSION_V1[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x01, 0x00              // INTEGER(0)
+  };
+  Input input(DER_OPTIONAL_VERSION_V1);
+  Reader reader(input);
+
+  // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1, but we
+  // do here for compatibility reasons.
+  // Version version;
+  // ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
+  der::Version version = der::Version::v3;
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
+  ASSERT_EQ(der::Version::v1, version);
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionV2)
+{
+  const uint8_t DER_OPTIONAL_VERSION_V2[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x01, 0x01              // INTEGER(1)
+  };
+  Input input(DER_OPTIONAL_VERSION_V2);
+  Reader reader(input);
+
+  der::Version version = der::Version::v1;
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
+  ASSERT_EQ(der::Version::v2, version);
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionV3)
+{
+  const uint8_t DER_OPTIONAL_VERSION_V3[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x01, 0x02              // INTEGER(2)
+  };
+  Input input(DER_OPTIONAL_VERSION_V3);
+  Reader reader(input);
+
+  der::Version version = der::Version::v1;
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
+  ASSERT_EQ(der::Version::v3, version);
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionUnknown)
+{
+  const uint8_t DER_OPTIONAL_VERSION_INVALID[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x01, 0x42              // INTEGER(0x42)
+  };
+  Input input(DER_OPTIONAL_VERSION_INVALID);
+  Reader reader(input);
+
+  der::Version version = der::Version::v1;
+  ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionInvalidTooLong)
+{
+  const uint8_t DER_OPTIONAL_VERSION_INVALID_TOO_LONG[] = {
+    0xa0, 0x03,                   // context specific 0
+    0x02, 0x02, 0x12, 0x34        // INTEGER(0x1234)
+  };
+  Input input(DER_OPTIONAL_VERSION_INVALID_TOO_LONG);
+  Reader reader(input);
+
+  der::Version version;
+  ASSERT_EQ(Result::ERROR_BAD_DER, OptionalVersion(reader, version));
+}
+
+TEST_F(pkixder_pki_types_tests, OptionalVersionMissing)
+{
+  const uint8_t DER_OPTIONAL_VERSION_MISSING[] = {
+    0x02, 0x11, 0x22              // INTEGER
+  };
+  Input input(DER_OPTIONAL_VERSION_MISSING);
+  Reader reader(input);
+
+  der::Version version = der::Version::v3;
+  ASSERT_EQ(Success, OptionalVersion(reader, version));
+  ASSERT_EQ(der::Version::v1, version);
+}
+
+static const size_t MAX_ALGORITHM_OID_DER_LENGTH = 13;
+
+struct InvalidAlgorithmIdentifierTestInfo
+{
+  uint8_t der[MAX_ALGORITHM_OID_DER_LENGTH];
+  size_t derLength;
+};
+
+struct ValidDigestAlgorithmIdentifierTestInfo
+{
+  DigestAlgorithm algorithm;
+  uint8_t der[MAX_ALGORITHM_OID_DER_LENGTH];
+  size_t derLength;
+};
+
+class pkixder_DigestAlgorithmIdentifier_Valid
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<ValidDigestAlgorithmIdentifierTestInfo>
+{
+};
+
+static const ValidDigestAlgorithmIdentifierTestInfo
+  VALID_DIGEST_ALGORITHM_TEST_INFO[] =
+{
+  { DigestAlgorithm::sha512,
+    { 0x30, 0x0b, 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 },
+    13
+  },
+  { DigestAlgorithm::sha384,
+    { 0x30, 0x0b, 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 },
+    13
+  },
+  { DigestAlgorithm::sha256,
+    { 0x30, 0x0b, 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 },
+    13
+  },
+  { DigestAlgorithm::sha1,
+    { 0x30, 0x07, 0x06, 0x05,
+      0x2b, 0x0e, 0x03, 0x02, 0x1a },
+    9
+  },
+};
+
+TEST_P(pkixder_DigestAlgorithmIdentifier_Valid, Valid)
+{
+  const ValidDigestAlgorithmIdentifierTestInfo& param(GetParam());
+
+  {
+    Input input;
+    ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+    Reader reader(input);
+    DigestAlgorithm alg;
+    ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
+    ASSERT_EQ(param.algorithm, alg);
+    ASSERT_EQ(Success, End(reader));
+  }
+
+  {
+    uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2];
+    memcpy(derWithNullParam, param.der, param.derLength);
+    derWithNullParam[1] += 2; // we're going to expand the value by 2 bytes
+    derWithNullParam[param.derLength] = 0x05; // NULL tag
+    derWithNullParam[param.derLength + 1] = 0x00; // length zero
+
+    Input input;
+    ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
+    Reader reader(input);
+    DigestAlgorithm alg;
+    ASSERT_EQ(Success, DigestAlgorithmIdentifier(reader, alg));
+    ASSERT_EQ(param.algorithm, alg);
+    ASSERT_EQ(Success, End(reader));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixder_DigestAlgorithmIdentifier_Valid,
+                        pkixder_DigestAlgorithmIdentifier_Valid,
+                        testing::ValuesIn(VALID_DIGEST_ALGORITHM_TEST_INFO));
+
+class pkixder_DigestAlgorithmIdentifier_Invalid
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<InvalidAlgorithmIdentifierTestInfo>
+{
+};
+
+static const InvalidAlgorithmIdentifierTestInfo
+  INVALID_DIGEST_ALGORITHM_TEST_INFO[] =
+{
+  { // MD5
+    { 0x30, 0x0a, 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05 },
+    12,
+  },
+  { // ecdsa-with-SHA256 (1.2.840.10045.4.3.2) (not a hash algorithm)
+    { 0x30, 0x0a, 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 },
+    12,
+  },
+};
+
+TEST_P(pkixder_DigestAlgorithmIdentifier_Invalid, Invalid)
+{
+  const InvalidAlgorithmIdentifierTestInfo& param(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+  Reader reader(input);
+  DigestAlgorithm alg;
+  ASSERT_EQ(Result::ERROR_INVALID_ALGORITHM,
+            DigestAlgorithmIdentifier(reader, alg));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixder_DigestAlgorithmIdentifier_Invalid,
+                        pkixder_DigestAlgorithmIdentifier_Invalid,
+                        testing::ValuesIn(INVALID_DIGEST_ALGORITHM_TEST_INFO));
+
+struct ValidSignatureAlgorithmIdentifierValueTestInfo
+{
+  PublicKeyAlgorithm publicKeyAlg;
+  DigestAlgorithm digestAlg;
+  uint8_t der[MAX_ALGORITHM_OID_DER_LENGTH];
+  size_t derLength;
+};
+
+static const ValidSignatureAlgorithmIdentifierValueTestInfo
+  VALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO[] =
+{
+  // ECDSA
+  { PublicKeyAlgorithm::ECDSA,
+    DigestAlgorithm::sha512,
+    { 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04 },
+    10,
+  },
+  { PublicKeyAlgorithm::ECDSA,
+    DigestAlgorithm::sha384,
+    { 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03 },
+    10,
+  },
+  { PublicKeyAlgorithm::ECDSA,
+    DigestAlgorithm::sha256,
+    { 0x06, 0x08,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 },
+    10,
+  },
+  { PublicKeyAlgorithm::ECDSA,
+    DigestAlgorithm::sha1,
+    { 0x06, 0x07,
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01 },
+    9,
+  },
+
+  // RSA
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha512,
+    { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d },
+    11,
+  },
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha384,
+    { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c },
+    11,
+  },
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha256,
+    { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b },
+    11,
+  },
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha1,
+    // IETF Standard OID
+    { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05 },
+    11,
+  },
+  { PublicKeyAlgorithm::RSA_PKCS1,
+    DigestAlgorithm::sha1,
+    // Legacy OIW OID (bug 1042479)
+    { 0x06, 0x05,
+      0x2b, 0x0e, 0x03, 0x02, 0x1d },
+    7,
+  },
+};
+
+class pkixder_SignatureAlgorithmIdentifierValue_Valid
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<
+             ValidSignatureAlgorithmIdentifierValueTestInfo>
+{
+};
+
+TEST_P(pkixder_SignatureAlgorithmIdentifierValue_Valid, Valid)
+{
+  const ValidSignatureAlgorithmIdentifierValueTestInfo& param(GetParam());
+
+  {
+    Input input;
+    ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+    Reader reader(input);
+    PublicKeyAlgorithm publicKeyAlg;
+    DigestAlgorithm digestAlg;
+    ASSERT_EQ(Success,
+              SignatureAlgorithmIdentifierValue(reader, publicKeyAlg,
+                                                digestAlg));
+    ASSERT_EQ(param.publicKeyAlg, publicKeyAlg);
+    ASSERT_EQ(param.digestAlg, digestAlg);
+    ASSERT_EQ(Success, End(reader));
+  }
+
+  {
+    uint8_t derWithNullParam[MAX_ALGORITHM_OID_DER_LENGTH + 2];
+    memcpy(derWithNullParam, param.der, param.derLength);
+    derWithNullParam[param.derLength] = 0x05; // NULL tag
+    derWithNullParam[param.derLength + 1] = 0x00; // length zero
+
+    Input input;
+    ASSERT_EQ(Success, input.Init(derWithNullParam, param.derLength + 2));
+    Reader reader(input);
+    PublicKeyAlgorithm publicKeyAlg;
+    DigestAlgorithm digestAlg;
+    ASSERT_EQ(Success,
+              SignatureAlgorithmIdentifierValue(reader, publicKeyAlg,
+                                                digestAlg));
+    ASSERT_EQ(param.publicKeyAlg, publicKeyAlg);
+    ASSERT_EQ(param.digestAlg, digestAlg);
+    ASSERT_EQ(Success, End(reader));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(
+  pkixder_SignatureAlgorithmIdentifierValue_Valid,
+  pkixder_SignatureAlgorithmIdentifierValue_Valid,
+  testing::ValuesIn(VALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO));
+
+static const InvalidAlgorithmIdentifierTestInfo
+  INVALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO[] =
+{
+  // id-dsa-with-sha256 (2.16.840.1.101.3.4.3.2)
+  { { 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x02 },
+    11,
+  },
+
+  // id-dsa-with-sha1 (1.2.840.10040.4.3)
+  { { 0x06, 0x07,
+      0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03 },
+    9,
+  },
+
+  // RSA-with-MD5 (1.2.840.113549.1.1.4)
+  { { 0x06, 0x09,
+      0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04 },
+    11,
+  },
+
+  // id-sha256 (2.16.840.1.101.3.4.2.1). It is invalid because SHA-256 is not
+  // a signature algorithm.
+  { { 0x06, 0x09,
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 },
+    11,
+  },
+};
+
+class pkixder_SignatureAlgorithmIdentifier_Invalid
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<InvalidAlgorithmIdentifierTestInfo>
+{
+};
+
+TEST_P(pkixder_SignatureAlgorithmIdentifier_Invalid, Invalid)
+{
+  const InvalidAlgorithmIdentifierTestInfo& param(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.der, param.derLength));
+  Reader reader(input);
+  der::PublicKeyAlgorithm publicKeyAlg;
+  DigestAlgorithm digestAlg;
+  ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
+            SignatureAlgorithmIdentifierValue(reader, publicKeyAlg, digestAlg));
+}
+
+INSTANTIATE_TEST_CASE_P(
+  pkixder_SignatureAlgorithmIdentifier_Invalid,
+  pkixder_SignatureAlgorithmIdentifier_Invalid,
+  testing::ValuesIn(INVALID_SIGNATURE_ALGORITHM_VALUE_TEST_INFO));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp
new file mode 100644
index 0000000000..260c735ece
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp
@@ -0,0 +1,1226 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <limits>
+#include <stdint.h>
+#include <vector>
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::der;
+using namespace mozilla::pkix::test;
+using namespace std;
+
+class pkixder_universal_types_tests : public ::testing::Test { };
+
+TEST_F(pkixder_universal_types_tests, BooleanTrue01)
+{
+  const uint8_t DER_BOOLEAN_TRUE_01[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x01                        // invalid
+  };
+  Input input(DER_BOOLEAN_TRUE_01);
+  Reader reader(input);
+  bool value = false;
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanTrue42)
+{
+  const uint8_t DER_BOOLEAN_TRUE_42[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x42                        // invalid
+  };
+  Input input(DER_BOOLEAN_TRUE_42);
+  Reader reader(input);
+  bool value = false;
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+static const uint8_t DER_BOOLEAN_TRUE[] = {
+  0x01,                       // BOOLEAN
+  0x01,                       // length
+  0xff                        // true
+};
+
+TEST_F(pkixder_universal_types_tests, BooleanTrueFF)
+{
+  Input input(DER_BOOLEAN_TRUE);
+  Reader reader(input);
+  bool value = false;
+  ASSERT_EQ(Success, Boolean(reader, value));
+  ASSERT_TRUE(value);
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanFalse)
+{
+  const uint8_t DER_BOOLEAN_FALSE[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x00                        // false
+  };
+  Input input(DER_BOOLEAN_FALSE);
+  Reader reader(input);
+
+  bool value = true;
+  ASSERT_EQ(Success, Boolean(reader, value));
+  ASSERT_FALSE(value);
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanInvalidLength)
+{
+  const uint8_t DER_BOOLEAN_INVALID_LENGTH[] = {
+    0x01,                       // BOOLEAN
+    0x02,                       // length
+    0x42, 0x42                  // invalid
+  };
+  Input input(DER_BOOLEAN_INVALID_LENGTH);
+  Reader reader(input);
+
+  bool value = true;
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, BooleanInvalidZeroLength)
+{
+  const uint8_t DER_BOOLEAN_INVALID_ZERO_LENGTH[] = {
+    0x01,                       // BOOLEAN
+    0x00                        // length
+  };
+  Input input(DER_BOOLEAN_INVALID_ZERO_LENGTH);
+  Reader reader(input);
+
+  bool value = true;
+  ASSERT_EQ(Result::ERROR_BAD_DER, Boolean(reader, value));
+}
+
+// OptionalBoolean implements decoding of OPTIONAL BOOLEAN DEFAULT FALSE.
+// If the field is present, it must be a valid encoding of a BOOLEAN with
+// value TRUE. If the field is not present, it defaults to FALSE. For
+// compatibility reasons, OptionalBoolean also accepts encodings where the field
+// is present with value FALSE (this is technically not a valid DER encoding).
+TEST_F(pkixder_universal_types_tests, OptionalBooleanValidEncodings)
+{
+  {
+    const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_TRUE[] = {
+      0x01,                       // BOOLEAN
+      0x01,                       // length
+      0xff                        // true
+    };
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_TRUE);
+    Reader reader(input);
+    bool value = false;
+    ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+      "Should accept the only valid encoding of a present OPTIONAL BOOLEAN";
+    ASSERT_TRUE(value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
+
+  {
+    // The OPTIONAL BOOLEAN is omitted in this data.
+    const uint8_t DER_INTEGER_05[] = {
+      0x02,                       // INTEGER
+      0x01,                       // length
+      0x05
+    };
+    Input input(DER_INTEGER_05);
+    Reader reader(input);
+    bool value = true;
+    ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+      "Should accept a valid encoding of an omitted OPTIONAL BOOLEAN";
+    ASSERT_FALSE(value);
+    ASSERT_FALSE(reader.AtEnd());
+  }
+
+  {
+    Input input;
+    ASSERT_EQ(Success, input.Init(reinterpret_cast<const uint8_t*>(""), 0));
+    Reader reader(input);
+    bool value = true;
+    ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+      "Should accept another valid encoding of an omitted OPTIONAL BOOLEAN";
+    ASSERT_FALSE(value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalBooleanInvalidEncodings)
+{
+  const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_FALSE[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x00                        // false
+  };
+
+  {
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_FALSE);
+    Reader reader(input);
+    bool value = true;
+    ASSERT_EQ(Success, OptionalBoolean(reader, value)) <<
+      "Should accept an invalid, default-value encoding of OPTIONAL BOOLEAN";
+    ASSERT_FALSE(value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
+
+  const uint8_t DER_OPTIONAL_BOOLEAN_PRESENT_42[] = {
+    0x01,                       // BOOLEAN
+    0x01,                       // length
+    0x42                        // (invalid value for a BOOLEAN)
+  };
+
+  {
+    Input input(DER_OPTIONAL_BOOLEAN_PRESENT_42);
+    Reader reader(input);
+    bool value;
+    ASSERT_EQ(Result::ERROR_BAD_DER, OptionalBoolean(reader, value)) <<
+      "Should reject an invalid-valued encoding of OPTIONAL BOOLEAN";
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, Enumerated)
+{
+  const uint8_t DER_ENUMERATED[] = {
+    0x0a,                       // ENUMERATED
+    0x01,                       // length
+    0x42                        // value
+  };
+  Input input(DER_ENUMERATED);
+  Reader reader(input);
+
+  uint8_t value = 0;
+  ASSERT_EQ(Success, Enumerated(reader, value));
+  ASSERT_EQ(0x42, value);
+}
+
+TEST_F(pkixder_universal_types_tests, EnumeratedNotShortestPossibleDER)
+{
+  const uint8_t DER_ENUMERATED[] = {
+    0x0a,                       // ENUMERATED
+    0x02,                       // length
+    0x00, 0x01                  // value
+  };
+  Input input(DER_ENUMERATED);
+  Reader reader(input);
+
+  uint8_t value = 0;
+  ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING, Enumerated(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, EnumeratedOutOfAcceptedRange)
+{
+  // Although this is a valid ENUMERATED value according to ASN.1, we
+  // intentionally don't support these large values because there are no
+  // ENUMERATED values in X.509 certs or OCSP this large, and we're trying to
+  // keep the parser simple and fast.
+  const uint8_t DER_ENUMERATED_INVALID_LENGTH[] = {
+    0x0a,                       // ENUMERATED
+    0x02,                       // length
+    0x12, 0x34                  // value
+  };
+  Input input(DER_ENUMERATED_INVALID_LENGTH);
+  Reader reader(input);
+
+  uint8_t value = 0;
+  ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING, Enumerated(reader, value));
+}
+
+TEST_F(pkixder_universal_types_tests, EnumeratedInvalidZeroLength)
+{
+  const uint8_t DER_ENUMERATED_INVALID_ZERO_LENGTH[] = {
+    0x0a,                       // ENUMERATED
+    0x00                        // length
+  };
+  Input input(DER_ENUMERATED_INVALID_ZERO_LENGTH);
+  Reader reader(input);
+
+  uint8_t value = 0;
+  ASSERT_EQ(Result::ERROR_INVALID_INTEGER_ENCODING, Enumerated(reader, value));
+}
+
+////////////////////////////////////////
+// GeneralizedTime and TimeChoice
+//
+// From RFC 5280 section 4.1.2.5.2
+//
+//   For the purposes of this profile, GeneralizedTime values MUST be
+//   expressed in Greenwich Mean Time (Zulu) and MUST include seconds
+//   (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
+//   is zero.  GeneralizedTime values MUST NOT include fractional seconds.
+//
+// And from from RFC 6960 (OCSP) section 4.2.2.1:
+//
+//   Responses can contain four times -- thisUpdate, nextUpdate,
+//   producedAt, and revocationTime.  The semantics of these fields are
+//   defined in Section 2.4.  The format for GeneralizedTime is as
+//   specified in Section 4.1.2.5.2 of [RFC5280].
+//
+// So while we can could accept other ASN1 (ITU-T X.680) encodings for
+// GeneralizedTime we should not accept them, and breaking reading of these
+// other encodings is actually encouraged.
+
+// e.g. TWO_CHARS(53) => '5', '3'
+#define TWO_CHARS(t) \
+  static_cast<uint8_t>('0' + (static_cast<uint8_t>(t) / 10u)), \
+  static_cast<uint8_t>('0' + (static_cast<uint8_t>(t) % 10u))
+
+// Calls TimeChoice on the UTCTime variant of the given generalized time.
+template <uint16_t LENGTH>
+Result
+TimeChoiceForEquivalentUTCTime(const uint8_t (&generalizedTimeDER)[LENGTH],
+                               /*out*/ Time& value)
+{
+  static_assert(LENGTH >= 4,
+                "TimeChoiceForEquivalentUTCTime input too small");
+  uint8_t utcTimeDER[LENGTH - 2];
+  utcTimeDER[0] = 0x17; // tag UTCTime
+  utcTimeDER[1] = LENGTH - 1/*tag*/ - 1/*value*/ - 2/*century*/;
+  // Copy the value except for the first two digits of the year
+  for (size_t i = 2; i < LENGTH - 2; ++i) {
+    utcTimeDER[i] = generalizedTimeDER[i + 2];
+  }
+
+  Input input(utcTimeDER);
+  Reader reader(input);
+  return TimeChoice(reader, value);
+}
+
+template <uint16_t LENGTH>
+void
+ExpectGoodTime(Time expectedValue,
+               const uint8_t (&generalizedTimeDER)[LENGTH])
+{
+  // GeneralizedTime
+  {
+    Input input(generalizedTimeDER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success, GeneralizedTime(reader, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(generalizedTimeDER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success, TimeChoice(reader, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+
+  // TimeChoice: UTCTime
+  {
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success,
+              TimeChoiceForEquivalentUTCTime(generalizedTimeDER, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+}
+
+template <uint16_t LENGTH>
+void
+ExpectBadTime(const uint8_t (&generalizedTimeDER)[LENGTH])
+{
+  // GeneralizedTime
+  {
+    Input input(generalizedTimeDER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(reader, value));
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(generalizedTimeDER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(reader, value));
+  }
+
+  // TimeChoice: UTCTime
+  {
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME,
+              TimeChoiceForEquivalentUTCTime(generalizedTimeDER, value));
+  }
+}
+
+// Control value: a valid time
+TEST_F(pkixder_universal_types_tests, ValidControl)
+{
+  const uint8_t GT_DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', '4', '0', 'Z'
+  };
+  ExpectGoodTime(YMDHMS(1991, 5, 6, 16, 45, 40), GT_DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeTimeZoneOffset)
+{
+  const uint8_t DER_GENERALIZED_TIME_OFFSET[] = {
+    0x18,                           // Generalized Time
+    19,                             // Length = 19
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', '4', '0', '-',
+    '0', '7', '0', '0'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_OFFSET);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidZeroLength)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH[] = {
+    0x18,                           // GeneralizedTime
+    0x00                            // Length = 0
+  };
+
+  Time value(Time::uninitialized);
+
+  // GeneralizedTime
+  Input gtBuf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
+  Reader gt(gtBuf);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(gt, value));
+
+  // TimeChoice: GeneralizedTime
+  Input tc_gt_buf(DER_GENERALIZED_TIME_INVALID_ZERO_LENGTH);
+  Reader tc_gt(tc_gt_buf);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(tc_gt, value));
+
+  // TimeChoice: UTCTime
+  const uint8_t DER_UTCTIME_INVALID_ZERO_LENGTH[] = {
+    0x17, // UTCTime
+    0x00  // Length = 0
+  };
+  Input tc_utc_buf(DER_UTCTIME_INVALID_ZERO_LENGTH);
+  Reader tc_utc(tc_utc_buf);
+  ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(tc_utc, value));
+}
+
+// A non zulu time should fail
+TEST_F(pkixder_universal_types_tests, TimeInvalidLocal)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_LOCAL[] = {
+    0x18,                           // Generalized Time
+    14,                             // Length = 14
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', '4', '0'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_LOCAL);
+}
+
+// A time missing seconds and zulu should fail
+TEST_F(pkixder_universal_types_tests, TimeInvalidTruncated)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_TRUNCATED[] = {
+    0x18,                           // Generalized Time
+    12,                             // Length = 12
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_TRUNCATED);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeNoSeconds)
+{
+  const uint8_t DER_GENERALIZED_TIME_NO_SECONDS[] = {
+    0x18,                           // Generalized Time
+    13,                             // Length = 13
+    '1', '9', '9', '1', '0', '5', '0', '6', '1', '6', '4', '5', 'Z'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_NO_SECONDS);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidPrefixedYear)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_PREFIXED_YEAR[] = {
+    0x18,                           // Generalized Time
+    16,                             // Length = 16
+    ' ', '1', '9', '9', '1', '0', '1', '0', '1', '0', '1', '0', '1', '0', '1', 'Z'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_PREFIXED_YEAR);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeTooManyDigits)
+{
+  const uint8_t DER_GENERALIZED_TIME_TOO_MANY_DIGITS[] = {
+    0x18,                           // Generalized Time
+    16,                             // Length = 16
+    '1', '1', '1', '1', '1', '0', '1', '0', '1', '0', '1', '0', '1', '0', '1', 'Z'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_TOO_MANY_DIGITS);
+}
+
+// In order to ensure we we don't run into any trouble with conversions to and
+// from time_t we only accept times from 1970 onwards.
+TEST_F(pkixder_universal_types_tests, GeneralizedTimeYearValidRange)
+{
+  // Note that by using the last second of the last day of the year, we're also
+  // effectively testing all the accumulated conversions from Gregorian to to
+  // Julian time, including in particular the effects of leap years.
+
+  for (uint16_t i = 1970; i <= 9999; ++i) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      TWO_CHARS(i / 100), TWO_CHARS(i % 100), // YYYY
+      '1', '2', '3', '1', // 12-31
+      '2', '3', '5', '9', '5', '9', 'Z' // 23:59:59Z
+    };
+
+    Time expectedValue = YMDHMS(i, 12, 31, 23, 59, 59);
+
+    // We have to test GeneralizedTime separately from UTCTime instead of using
+    // ExpectGooDtime because the range of UTCTime is less than the range of
+    // GeneralizedTime.
+
+    // GeneralizedTime
+    {
+      Input input(DER);
+      Reader reader(input);
+      Time value(Time::uninitialized);
+      ASSERT_EQ(Success, GeneralizedTime(reader, value));
+      EXPECT_EQ(expectedValue, value);
+    }
+
+    // TimeChoice: GeneralizedTime
+    {
+      Input input(DER);
+      Reader reader(input);
+      Time value(Time::uninitialized);
+      ASSERT_EQ(Success, TimeChoice(reader, value));
+      EXPECT_EQ(expectedValue, value);
+    }
+
+    // TimeChoice: UTCTime, which is limited to years less than 2049.
+    if (i <= 2049) {
+      Time value(Time::uninitialized);
+      ASSERT_EQ(Success, TimeChoiceForEquivalentUTCTime(DER, value));
+      EXPECT_EQ(expectedValue, value);
+    }
+  }
+}
+
+// In order to ensure we we don't run into any trouble with conversions to and
+// from time_t we only accept times from 1970 onwards.
+TEST_F(pkixder_universal_types_tests, TimeYearInvalid1969)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '6', '9', '1', '2', '3', '1', // !!!1969!!!-12-31
+    '2', '3', '5', '9', '5', '9', 'Z' // 23:59:59Z
+  };
+  ExpectBadTime(DER);
+}
+
+static const uint8_t DAYS_IN_MONTH[] = {
+  0,  // unused
+  31, // January
+  28, // February (leap years tested separately)
+  31, // March
+  30, // April
+  31, // May
+  30, // Jun
+  31, // July
+  31, // August
+  30, // September
+  31, // October
+  30, // November
+  31, // December
+};
+
+TEST_F(pkixder_universal_types_tests, TimeMonthDaysValidRange)
+{
+  for (uint16_t month = 1; month <= 12; ++month) {
+    for (uint8_t day = 1; day <= DAYS_IN_MONTH[month]; ++day) {
+      const uint8_t DER[] = {
+        0x18,                           // Generalized Time
+        15,                             // Length = 15
+        '2', '0', '1', '5', TWO_CHARS(month), TWO_CHARS(day), // (2015-mm-dd)
+        '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+      };
+      ExpectGoodTime(YMDHMS(2015, month, day, 16, 45, 40), DER);
+    }
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthInvalid0)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '5', '0', '0', '1', '5', // 2015-!!!00!!!-15
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthInvalid13)
+{
+  const uint8_t DER_GENERALIZED_TIME_13TH_MONTH[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', '1', //YYYY (1991)
+    '1', '3', //MM 13th month of the year
+    '0', '6', '1', '6', '4', '5', '4', '0', 'Z'
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_13TH_MONTH);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeDayInvalid0)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '5', '0', '1', '0', '0', // 2015-01-!!!00!!!
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthDayInvalidPastEndOfMonth)
+{
+  for (int16_t month = 1; month <= 12; ++month) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      '1', '9', '9', '1', // YYYY 1991
+      TWO_CHARS(month), // MM
+      TWO_CHARS(1 + (month == 2 ? 29 : DAYS_IN_MONTH[month])), // !!!DD!!!
+      '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+    };
+    ExpectBadTime(DER);
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2016)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '6', '0', '2', '2', '9', // 2016-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectGoodTime(YMDHMS(2016, 2, 29, 16, 45, 40), DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2000)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '0', '0', '0', '2', '2', '9', // 2000-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectGoodTime(YMDHMS(2000, 2, 29, 16, 45, 40), DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebLeapYear2400)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '4', '0', '0', '0', '2', '2', '9', // 2400-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+
+  // We don't use ExpectGoodTime here because UTCTime can't represent 2400.
+
+  Time expectedValue = YMDHMS(2400, 2, 29, 16, 45, 40);
+
+  // GeneralizedTime
+  {
+    Input input(DER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success, GeneralizedTime(reader, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(DER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Success, TimeChoice(reader, value));
+    EXPECT_EQ(expectedValue, value);
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebNotLeapYear2014)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '4', '0', '2', '2', '9', // 2014-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMonthFebNotLeapYear2100)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '1', '0', '0', '0', '2', '2', '9', // 2100-02-29
+    '1', '6', '4', '5', '4', '0', 'Z' // 16:45:40
+  };
+
+  // We don't use ExpectBadTime here because UTCTime can't represent 2100.
+
+  // GeneralizedTime
+  {
+    Input input(DER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(reader, value));
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(DER);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(reader, value));
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeHoursValidRange)
+{
+  for (uint8_t i = 0; i <= 23; ++i) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+      TWO_CHARS(i), '5', '9', '0', '1', 'Z' // HHMMSSZ (!!!!ii!!!!:59:01 Zulu)
+    };
+    ExpectGoodTime(YMDHMS(2012, 6, 30, i, 59, 1), DER);
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeHoursInvalid_24_00_00)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '4', '0', '0', '0', '0', 'Z' // HHMMSSZ (!!24!!:00:00 Zulu)
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMinutesValidRange)
+{
+  for (uint8_t i = 0; i <= 59; ++i) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+      '2', '3', TWO_CHARS(i), '0', '1', 'Z' // HHMMSSZ (23:!!!!ii!!!!:01 Zulu)
+    };
+    ExpectGoodTime(YMDHMS(2012, 6, 30, 23, i, 1), DER);
+  }
+}
+
+TEST_F(pkixder_universal_types_tests, TimeMinutesInvalid60)
+{
+  const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '6', '0', '5', '9', 'Z' // HHMMSSZ (23:!!!60!!!:01 Zulu)
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeSecondsValidRange)
+{
+  for (uint8_t i = 0; i <= 59; ++i) {
+    const uint8_t DER[] = {
+      0x18,                           // Generalized Time
+      15,                             // Length = 15
+      '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+      '2', '3', '5', '9', TWO_CHARS(i), 'Z' // HHMMSSZ (23:59:!!!!ii!!!! Zulu)
+    };
+    ExpectGoodTime(YMDHMS(2012, 6, 30, 23, 59, i), DER);
+  }
+}
+
+// No Leap Seconds (60)
+TEST_F(pkixder_universal_types_tests, TimeSecondsInvalid60)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '5', '9', '6', '0', 'Z' // HHMMSSZ (23:59:!!!!60!!!! Zulu)
+  };
+  ExpectBadTime(DER);
+}
+
+// No Leap Seconds (61)
+TEST_F(pkixder_universal_types_tests, TimeSecondsInvalid61)
+{
+  static const uint8_t DER[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '5', '9', '6', '1', 'Z' // HHMMSSZ (23:59:!!!!61!!!! Zulu)
+  };
+  ExpectBadTime(DER);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidZulu)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_ZULU[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '5', '9', '5', '9', 'z' // HHMMSSZ (23:59:59 !!!z!!!) should be Z
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_ZULU);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidExtraData)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_EXTRA_DATA[] = {
+    0x18,                           // Generalized Time
+    16,                             // Length = 16
+    '2', '0', '1', '2', '0', '6', '3', '0', // YYYYMMDD (2012-06-30)
+    '2', '3', '5', '9', '5', '9', 'Z', // HHMMSSZ (23:59:59Z)
+    0 // Extra null character
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_EXTRA_DATA);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidCenturyChar)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    'X', '9', '9', '1', '1', '2', '0', '6', // YYYYMMDD (X991-12-06)
+    '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+  };
+
+  // We can't use ExpectBadTime here, because ExpectBadTime requires
+  // consistent results for GeneralizedTime and UTCTime, but the results
+  // for this input are different.
+
+  // GeneralizedTime
+  {
+    Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, GeneralizedTime(reader, value));
+  }
+
+  // TimeChoice: GeneralizedTime
+  {
+    Input input(DER_GENERALIZED_TIME_INVALID_CENTURY_CHAR);
+    Reader reader(input);
+    Time value(Time::uninitialized);
+    ASSERT_EQ(Result::ERROR_INVALID_DER_TIME, TimeChoice(reader, value));
+  }
+
+  // This test is not applicable to TimeChoice: UTCTime
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidYearChar)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_YEAR_CHAR[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', 'I', '0', '1', '0', '6', // YYYYMMDD (199I-12-06)
+    '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_YEAR_CHAR);
+}
+
+TEST_F(pkixder_universal_types_tests, GeneralizedTimeInvalidMonthChar)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_MONTH_CHAR[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', '1', '0', 'I', '0', '6', // YYYYMMDD (1991-0I-06)
+    '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_MONTH_CHAR);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidDayChar)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_DAY_CHAR[] = {
+    0x18,                           // Generalized Time
+    15,                             // Length = 15
+    '1', '9', '9', '1', '0', '1', '0', 'S', // YYYYMMDD (1991-01-0S)
+    '1', '6', '4', '5', '4', '0', 'Z' // HHMMSSZ (16:45:40Z)
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_DAY_CHAR);
+}
+
+TEST_F(pkixder_universal_types_tests, TimeInvalidFractionalSeconds)
+{
+  const uint8_t DER_GENERALIZED_TIME_INVALID_FRACTIONAL_SECONDS[] = {
+    0x18,                           // Generalized Time
+    17,                             // Length = 17
+    '1', '9', '9', '1', '0', '1', '0', '1', // YYYYMMDD (1991-01-01)
+    '1', '6', '4', '5', '4', '0', '.', '3', 'Z' // HHMMSS.FFF (16:45:40.3Z)
+  };
+  ExpectBadTime(DER_GENERALIZED_TIME_INVALID_FRACTIONAL_SECONDS);
+}
+
+struct IntegerTestParams
+{
+  ByteString encoded;
+  struct PositiveIntegerParams
+  {
+    Result expectedResult;
+    Input::size_type significantBytesIfValid;
+  } positiveInteger;
+  struct SmallNonnegativeIntegerParams
+  {
+    Result expectedResult;
+    uint8_t valueIfValid;
+  } smallNonnegativeInteger;
+};
+
+class pkixder_universal_types_tests_Integer
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IntegerTestParams>
+{
+};
+
+::std::ostream& operator<<(::std::ostream& os, const IntegerTestParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define INVALID 0xFF
+
+static const IntegerTestParams INTEGER_TEST_PARAMS[] =
+{
+  // Zero is encoded with one value byte of 0x00.
+  { TLV(2, ByteString()),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x00"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Success, 0 } },
+
+  // Positive single-byte values
+  { TLV(2, "\x01"), { Success, 1 }, { Success, 1} },
+  { TLV(2, "\x02"), { Success, 1 }, { Success, 2} },
+  { TLV(2, "\x7e"), { Success, 1 }, { Success, 0x7e} },
+  { TLV(2, "\x7f"), { Success, 1 }, { Success, 0x7f} },
+
+  // Negative single-byte values
+  { TLV(2, "\x80"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x81"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\xFE"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\xFF"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // Positive two-byte values not starting with 0x00
+  { TLV(2, "\x7F\x00"),
+    { Success, 2 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x01\x00"),
+    { Success, 2 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x01\x02"),
+    { Success, 2 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // Negative two-byte values not starting with 0xFF
+  { TLV(2, "\x80\x00"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x80\x7F"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x80\x80"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x80\xFF"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // The leading zero is necessary.
+  { TLV(2, "\x00\x80"),
+    { Success, 1},
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x00\x81"),
+    { Success, 1},
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x00\xFF"),
+    { Success, 1},
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // The leading zero is unnecessary.
+  { TLV(2, "\x00\x01"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\x00\x7F"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // The leading 0xFF is necessary.
+  { TLV(2, "\xFF\x00"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\xFF\x7F"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // The leading 0xFF is unnecessary.
+  { TLV(2, "\xFF\x80"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2, "\xFF\xFF"),
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+
+  // Truncated values
+  { TLV(2, 1, ByteString(/*missing value*/)),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 3, "\x11\x22" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 4, "\x11\x22" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 2, "\x00" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 2, "\xFF" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 3, "\x00\x80" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+  { TLV(2, 3, "\xFF\x00" /*truncated*/),
+    { Result::ERROR_BAD_DER, INVALID },
+    { Result::ERROR_BAD_DER, INVALID } },
+
+  // Misc. larger values
+  { TLV(2, 4, "\x11\x22\x33\x44"),
+    { Success, 4 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+  { TLV(2,
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"
+        "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x00"),
+    { Success, 256 },
+    { Result::ERROR_INVALID_INTEGER_ENCODING, INVALID } },
+};
+
+TEST_P(pkixder_universal_types_tests_Integer, Integer)
+{
+  const IntegerTestParams& params(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(params.encoded.data(),
+                                params.encoded.length()));
+  Reader reader(input);
+  Result expectedResult = params.smallNonnegativeInteger.expectedResult;
+  uint8_t value;
+  ASSERT_EQ(expectedResult, der::Integer(reader, value));
+  if (expectedResult == Success) {
+    ASSERT_EQ(params.smallNonnegativeInteger.valueIfValid, value);
+    ASSERT_TRUE(reader.AtEnd());
+  }
+}
+
+TEST_P(pkixder_universal_types_tests_Integer,
+       PositiveInteger_without_significantBytes)
+{
+  const IntegerTestParams& params(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(params.encoded.data(),
+                                params.encoded.length()));
+  Reader reader(input);
+  Result expectedResult = params.positiveInteger.expectedResult;
+  Input value;
+  ASSERT_EQ(expectedResult, der::PositiveInteger(reader, value));
+  if (expectedResult == Success) {
+    Reader anotherReader(input);
+    Input expectedValue;
+    ASSERT_EQ(Success, ExpectTagAndGetValue(anotherReader,
+                                            der::INTEGER, expectedValue));
+    ASSERT_TRUE(InputsAreEqual(expectedValue, value));
+    ASSERT_TRUE(reader.AtEnd());
+  }
+}
+
+TEST_P(pkixder_universal_types_tests_Integer,
+       PositiveInteger_with_significantBytes)
+{
+  const IntegerTestParams& params(GetParam());
+  Input input;
+  ASSERT_EQ(Success, input.Init(params.encoded.data(),
+                                params.encoded.length()));
+  Reader reader(input);
+  Result expectedResult = params.positiveInteger.expectedResult;
+  Input value;
+  Input::size_type significantBytes = INVALID;
+  ASSERT_EQ(expectedResult, der::PositiveInteger(reader, value,
+                                                 &significantBytes));
+  if (expectedResult == Success) {
+    ASSERT_NE(INVALID, params.positiveInteger.significantBytesIfValid);
+    ASSERT_EQ(params.positiveInteger.significantBytesIfValid,
+              significantBytes);
+
+    Reader anotherReader(input);
+    Input expectedValue;
+    ASSERT_EQ(Success, ExpectTagAndGetValue(anotherReader,
+                                            der::INTEGER, expectedValue));
+    ASSERT_TRUE(InputsAreEqual(expectedValue, value));
+    ASSERT_TRUE(reader.AtEnd());
+  }
+}
+
+#undef INVALID
+
+INSTANTIATE_TEST_CASE_P(pkixder_universal_types_tests_Integer,
+                        pkixder_universal_types_tests_Integer,
+                        testing::ValuesIn(INTEGER_TEST_PARAMS));
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefault)
+{
+  // The input is a BOOLEAN and not INTEGER for the input so we'll not parse
+  // anything and instead use the default value.
+  Input input(DER_BOOLEAN_TRUE);
+  Reader reader(input);
+
+  long value = 1;
+  ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
+  ASSERT_EQ(-1, value);
+  bool boolValue;
+  ASSERT_EQ(Success, Boolean(reader, boolValue));
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerUnsupportedDefault)
+{
+  // The same as the previous test, except with an unsupported default value
+  // passed in.
+  Input input(DER_BOOLEAN_TRUE);
+  Reader reader(input);
+
+  long value;
+  ASSERT_EQ(Result::FATAL_ERROR_INVALID_ARGS, OptionalInteger(reader, 0, value));
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerSupportedDefaultAtEnd)
+{
+  static const uint8_t dummy = 1;
+  Input input;
+  ASSERT_EQ(Success, input.Init(&dummy, 0));
+  Reader reader(input);
+
+  long value = 1;
+  ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
+  ASSERT_EQ(-1, value);
+}
+
+TEST_F(pkixder_universal_types_tests, OptionalIntegerNonDefaultValue)
+{
+  static const uint8_t DER[] = {
+    0x02, // INTEGER
+    0x01, // length
+    0x00
+  };
+  Input input(DER);
+  Reader reader(input);
+
+  long value = 2;
+  ASSERT_EQ(Success, OptionalInteger(reader, -1, value));
+  ASSERT_EQ(0, value);
+  ASSERT_TRUE(reader.AtEnd());
+}
+
+TEST_F(pkixder_universal_types_tests, Null)
+{
+  const uint8_t DER_NUL[] = {
+    0x05,
+    0x00
+  };
+  Input input(DER_NUL);
+  Reader reader(input);
+
+  ASSERT_EQ(Success, Null(reader));
+}
+
+TEST_F(pkixder_universal_types_tests, NullWithBadLength)
+{
+  const uint8_t DER_NULL_BAD_LENGTH[] = {
+    0x05,
+    0x01,
+    0x00
+  };
+  Input input(DER_NULL_BAD_LENGTH);
+  Reader reader(input);
+
+  ASSERT_EQ(Result::ERROR_BAD_DER, Null(reader));
+}
+
+TEST_F(pkixder_universal_types_tests, OID)
+{
+  const uint8_t DER_VALID_OID[] = {
+    0x06,
+    0x09,
+    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+  };
+  Input input(DER_VALID_OID);
+  Reader reader(input);
+
+  const uint8_t expectedOID[] = {
+    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+  };
+
+  ASSERT_EQ(Success, OID(reader, expectedOID));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixgtest.cpp b/security/nss/gtests/mozpkix_gtest/pkixgtest.cpp
new file mode 100644
index 0000000000..45932731bd
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixgtest.cpp
@@ -0,0 +1,46 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include <ctime>
+
+#include "mozpkix/Time.h"
+
+namespace mozilla { namespace pkix { namespace test {
+
+static const std::time_t ONE_DAY_IN_SECONDS_AS_TIME_T =
+  static_cast<std::time_t>(Time::ONE_DAY_IN_SECONDS);
+
+// This assumes that time/time_t are POSIX-compliant in that time() returns
+// the number of seconds since the Unix epoch.
+static const std::time_t now(time(nullptr));
+const std::time_t oneDayBeforeNow(now - ONE_DAY_IN_SECONDS_AS_TIME_T);
+const std::time_t oneDayAfterNow(now + ONE_DAY_IN_SECONDS_AS_TIME_T);
+const std::time_t twoDaysBeforeNow(now - (2 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+const std::time_t twoDaysAfterNow(now + (2 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+const std::time_t tenDaysBeforeNow(now - (10 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+const std::time_t tenDaysAfterNow(now + (10 * ONE_DAY_IN_SECONDS_AS_TIME_T));
+
+} } } // namespace mozilla::pkix::test
diff --git a/security/nss/gtests/mozpkix_gtest/pkixgtest.h b/security/nss/gtests/mozpkix_gtest/pkixgtest.h
new file mode 100644
index 0000000000..bb3491d444
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixgtest.h
@@ -0,0 +1,229 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef mozilla_pkix_pkixgtest_h
+#define mozilla_pkix_pkixgtest_h
+
+#include <ostream>
+
+#if defined(__clang__)
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated"
+#pragma clang diagnostic ignored "-Wmissing-noreturn"
+#pragma clang diagnostic ignored "-Wshift-sign-overflow"
+#pragma clang diagnostic ignored "-Wsign-conversion"
+#pragma clang diagnostic ignored "-Wundef"
+#elif defined(__GNUC__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wextra"
+#elif defined(_MSC_VER)
+#pragma warning(push, 3)
+// C4224: Nonstandard extension used: formal parameter 'X' was previously
+//        defined as a type.
+#pragma warning(disable : 4224)
+// C4826: Conversion from 'type1 ' to 'type_2' is sign - extended. This may
+//        cause unexpected runtime behavior.
+#pragma warning(disable : 4826)
+#endif
+
+#include "gtest/gtest.h"
+
+#if defined(__clang__)
+#pragma clang diagnostic pop
+#elif defined(__GNUC__)
+#pragma GCC diagnostic pop
+#elif defined(_MSC_VER)
+#pragma warning(pop)
+#endif
+
+#include "mozpkix/pkix.h"
+#include "mozpkix/test/pkixtestutil.h"
+
+// PrintTo must be in the same namespace as the type we're overloading it for.
+namespace mozilla {
+namespace pkix {
+
+inline void PrintTo(const Result& result, ::std::ostream* os) {
+  const char* stringified = MapResultToName(result);
+  if (stringified) {
+    *os << stringified;
+  } else {
+    *os << "mozilla::pkix::Result(" << static_cast<unsigned int>(result) << ")";
+  }
+}
+}
+}  // namespace mozilla::pkix
+
+namespace mozilla {
+namespace pkix {
+namespace test {
+
+extern const std::time_t oneDayBeforeNow;
+extern const std::time_t oneDayAfterNow;
+extern const std::time_t twoDaysBeforeNow;
+extern const std::time_t twoDaysAfterNow;
+extern const std::time_t tenDaysBeforeNow;
+extern const std::time_t tenDaysAfterNow;
+
+class EverythingFailsByDefaultTrustDomain : public TrustDomain {
+ public:
+  Result GetCertTrust(EndEntityOrCA, const CertPolicyId&, Input,
+                      /*out*/ TrustLevel&) override {
+    ADD_FAILURE();
+    return NotReached("GetCertTrust should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result FindIssuer(Input, IssuerChecker&, Time) override {
+    ADD_FAILURE();
+    return NotReached("FindIssuer should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckRevocation(EndEntityOrCA, const CertID&, Time, Duration,
+                         /*optional*/ const Input*,
+                         /*optional*/ const Input*) override {
+    ADD_FAILURE();
+    return NotReached("CheckRevocation should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result IsChainValid(const DERArray&, Time, const CertPolicyId&) override {
+    ADD_FAILURE();
+    return NotReached("IsChainValid should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result DigestBuf(Input, DigestAlgorithm, /*out*/ uint8_t*, size_t) override {
+    ADD_FAILURE();
+    return NotReached("DigestBuf should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA,
+                                       Time) override {
+    ADD_FAILURE();
+    return NotReached("CheckSignatureDigestAlgorithm should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override {
+    ADD_FAILURE();
+    return NotReached("CheckECDSACurveIsAcceptable should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result VerifyECDSASignedDigest(const SignedDigest&, Input) override {
+    ADD_FAILURE();
+    return NotReached("VerifyECDSASignedDigest should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA,
+                                            unsigned int) override {
+    ADD_FAILURE();
+    return NotReached("CheckRSAPublicKeyModulusSizeInBits should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result VerifyRSAPKCS1SignedDigest(const SignedDigest&, Input) override {
+    ADD_FAILURE();
+    return NotReached("VerifyRSAPKCS1SignedDigest should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
+                                   KeyPurposeId) override {
+    ADD_FAILURE();
+    return NotReached("CheckValidityIsAcceptable should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  Result NetscapeStepUpMatchesServerAuth(Time, bool&) override {
+    ADD_FAILURE();
+    return NotReached("NetscapeStepUpMatchesServerAuth should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
+
+  virtual void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override {
+    ADD_FAILURE();
+  }
+};
+
+class DefaultCryptoTrustDomain : public EverythingFailsByDefaultTrustDomain {
+  Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+                   /*out*/ uint8_t* digestBuf, size_t digestBufLen) override {
+    return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen);
+  }
+
+  Result CheckSignatureDigestAlgorithm(DigestAlgorithm, EndEntityOrCA,
+                                       Time) override {
+    return Success;
+  }
+
+  Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve) override {
+    return Success;
+  }
+
+  Result VerifyECDSASignedDigest(const SignedDigest& signedDigest,
+                                 Input subjectPublicKeyInfo) override {
+    return TestVerifyECDSASignedDigest(signedDigest, subjectPublicKeyInfo);
+  }
+
+  Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA,
+                                            unsigned int) override {
+    return Success;
+  }
+
+  Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+                                    Input subjectPublicKeyInfo) override {
+    return TestVerifyRSAPKCS1SignedDigest(signedDigest, subjectPublicKeyInfo);
+  }
+
+  Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
+                                   KeyPurposeId) override {
+    return Success;
+  }
+
+  Result NetscapeStepUpMatchesServerAuth(Time, /*out*/ bool& matches) override {
+    matches = true;
+    return Success;
+  }
+
+  void NoteAuxiliaryExtension(AuxiliaryExtension, Input) override {}
+};
+
+class DefaultNameMatchingPolicy : public NameMatchingPolicy {
+ public:
+  virtual Result FallBackToCommonName(
+      Time,
+      /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) override {
+    fallBackToCommonName = FallBackToSearchWithinSubject::Yes;
+    return Success;
+  }
+};
+}
+}
+}  // namespace mozilla::pkix::test
+
+#endif  // mozilla_pkix_pkixgtest_h
diff --git a/security/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp
new file mode 100644
index 0000000000..2169db9db7
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp
@@ -0,0 +1,2838 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+Result MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
+                                             Input referenceDNSID,
+                                             /*out*/ bool& matches);
+
+bool IsValidReferenceDNSID(Input hostname);
+bool IsValidPresentedDNSID(Input hostname);
+bool ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4]);
+bool ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16]);
+
+} } // namespace mozilla::pkix
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+struct PresentedMatchesReference
+{
+  ByteString presentedDNSID;
+  ByteString referenceDNSID;
+  Result expectedResult;
+  bool expectedMatches; // only valid when expectedResult == Success
+};
+
+::std::ostream& operator<<(::std::ostream& os, const PresentedMatchesReference&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define DNS_ID_MATCH(a, b) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \
+    ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \
+    Success, \
+    true \
+  }
+
+#define DNS_ID_MISMATCH(a, b) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \
+    ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \
+    Success, \
+    false \
+  }
+
+#define DNS_ID_BAD_DER(a, b) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(a), sizeof(a) - 1), \
+    ByteString(reinterpret_cast<const uint8_t*>(b), sizeof(b) - 1), \
+    Result::ERROR_BAD_DER, \
+    false \
+  }
+
+static const PresentedMatchesReference DNSID_MATCH_PARAMS[] =
+{
+  DNS_ID_BAD_DER("", "a"),
+
+  DNS_ID_MATCH("a", "a"),
+  DNS_ID_MISMATCH("b", "a"),
+
+  DNS_ID_MATCH("*.b.a", "c.b.a"),
+  DNS_ID_MISMATCH("*.b.a", "b.a"),
+  DNS_ID_MISMATCH("*.b.a", "b.a."),
+
+  // We allow underscores for compatibility with existing practices.
+  DNS_ID_MATCH("a_b", "a_b"),
+  DNS_ID_MATCH("*.example.com", "uses_underscore.example.com"),
+  DNS_ID_MATCH("*.uses_underscore.example.com", "a.uses_underscore.example.com"),
+
+  // See bug 1139039
+  DNS_ID_MATCH("_.example.com", "_.example.com"),
+  DNS_ID_MATCH("*.example.com", "_.example.com"),
+  DNS_ID_MATCH("_", "_"),
+  DNS_ID_MATCH("___", "___"),
+  DNS_ID_MATCH("example_", "example_"),
+  DNS_ID_MATCH("_example", "_example"),
+  DNS_ID_MATCH("*._._", "x._._"),
+
+  // See bug 1139039
+  // A DNS-ID must not end in an all-numeric label. We don't consider
+  // underscores to be numeric.
+  DNS_ID_MATCH("_1", "_1"),
+  DNS_ID_MATCH("example._1", "example._1"),
+  DNS_ID_MATCH("example.1_", "example.1_"),
+
+  // Wildcard not in leftmost label
+  DNS_ID_MATCH("d.c.b.a", "d.c.b.a"),
+  DNS_ID_BAD_DER("d.*.b.a", "d.c.b.a"),
+  DNS_ID_BAD_DER("d.c*.b.a", "d.c.b.a"),
+  DNS_ID_BAD_DER("d.c*.b.a", "d.cc.b.a"),
+
+  // case sensitivity
+  DNS_ID_MATCH("abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
+  DNS_ID_MATCH("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"),
+  DNS_ID_MATCH("aBc", "Abc"),
+
+  // digits
+  DNS_ID_MATCH("a1", "a1"),
+
+  // A trailing dot indicates an absolute name. Absolute presented names are
+  // not allowed, but absolute reference names are allowed.
+  DNS_ID_MATCH("example", "example"),
+  DNS_ID_BAD_DER("example.", "example."),
+  DNS_ID_MATCH("example", "example."),
+  DNS_ID_BAD_DER("example.", "example"),
+  DNS_ID_MATCH("example.com", "example.com"),
+  DNS_ID_BAD_DER("example.com.", "example.com."),
+  DNS_ID_MATCH("example.com", "example.com."),
+  DNS_ID_BAD_DER("example.com.", "example.com"),
+  DNS_ID_BAD_DER("example.com..", "example.com."),
+  DNS_ID_BAD_DER("example.com..", "example.com"),
+  DNS_ID_BAD_DER("example.com...", "example.com."),
+
+  // xn-- IDN prefix
+  DNS_ID_BAD_DER("x*.b.a", "xa.b.a"),
+  DNS_ID_BAD_DER("x*.b.a", "xna.b.a"),
+  DNS_ID_BAD_DER("x*.b.a", "xn-a.b.a"),
+  DNS_ID_BAD_DER("x*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn-*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn--*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn-*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn--*.b.a", "xn--a.b.a"),
+  DNS_ID_BAD_DER("xn---*.b.a", "xn--a.b.a"),
+
+  // "*" cannot expand to nothing.
+  DNS_ID_BAD_DER("c*.b.a", "c.b.a"),
+
+  /////////////////////////////////////////////////////////////////////////////
+  // These are test cases adapted from Chromium's x509_certificate_unittest.cc.
+  // The parameter order is the opposite in Chromium's tests. Also, some tests
+  // were modified to fit into this framework or due to intentional differences
+  // between mozilla::pkix and Chromium.
+
+  DNS_ID_MATCH("foo.com", "foo.com"),
+  DNS_ID_MATCH("f", "f"),
+  DNS_ID_MISMATCH("i", "h"),
+  DNS_ID_MATCH("*.foo.com", "bar.foo.com"),
+  DNS_ID_MATCH("*.test.fr", "www.test.fr"),
+  DNS_ID_MATCH("*.test.FR", "wwW.tESt.fr"),
+  DNS_ID_BAD_DER(".uk", "f.uk"),
+  DNS_ID_BAD_DER("?.bar.foo.com", "w.bar.foo.com"),
+  DNS_ID_BAD_DER("(www|ftp).foo.com", "www.foo.com"), // regex!
+  DNS_ID_BAD_DER("www.foo.com\0", "www.foo.com"),
+  DNS_ID_BAD_DER("www.foo.com\0*.foo.com", "www.foo.com"),
+  DNS_ID_MISMATCH("ww.house.example", "www.house.example"),
+  DNS_ID_MISMATCH("www.test.org", "test.org"),
+  DNS_ID_MISMATCH("*.test.org", "test.org"),
+  DNS_ID_BAD_DER("*.org", "test.org"),
+  DNS_ID_BAD_DER("w*.bar.foo.com", "w.bar.foo.com"),
+  DNS_ID_BAD_DER("ww*ww.bar.foo.com", "www.bar.foo.com"),
+  DNS_ID_BAD_DER("ww*ww.bar.foo.com", "wwww.bar.foo.com"),
+
+  // Different than Chromium, matches NSS.
+  DNS_ID_BAD_DER("w*w.bar.foo.com", "wwww.bar.foo.com"),
+
+  DNS_ID_BAD_DER("w*w.bar.foo.c0m", "wwww.bar.foo.com"),
+
+  // '*' must be the only character in the wildcard label
+  DNS_ID_BAD_DER("wa*.bar.foo.com", "WALLY.bar.foo.com"),
+
+  // We require "*" to be the last character in a wildcard label, but
+  // Chromium does not.
+  DNS_ID_BAD_DER("*Ly.bar.foo.com", "wally.bar.foo.com"),
+
+  // Chromium does URL decoding of the reference ID, but we don't, and we also
+  // require that the reference ID is valid, so we can't test these two.
+  // DNS_ID_MATCH("www.foo.com", "ww%57.foo.com"),
+  // DNS_ID_MATCH("www&.foo.com", "www%26.foo.com"),
+
+  DNS_ID_MISMATCH("*.test.de", "www.test.co.jp"),
+  DNS_ID_BAD_DER("*.jp", "www.test.co.jp"),
+  DNS_ID_MISMATCH("www.test.co.uk", "www.test.co.jp"),
+  DNS_ID_BAD_DER("www.*.co.jp", "www.test.co.jp"),
+  DNS_ID_MATCH("www.bar.foo.com", "www.bar.foo.com"),
+  DNS_ID_MISMATCH("*.foo.com", "www.bar.foo.com"),
+  DNS_ID_BAD_DER("*.*.foo.com", "www.bar.foo.com"),
+  DNS_ID_BAD_DER("*.*.foo.com", "www.bar.foo.com"),
+
+  // Our matcher requires the reference ID to be a valid DNS name, so we cannot
+  // test this case.
+  //DNS_ID_BAD_DER("*.*.bar.foo.com", "*..bar.foo.com"),
+
+  DNS_ID_MATCH("www.bath.org", "www.bath.org"),
+
+  // Our matcher requires the reference ID to be a valid DNS name, so we cannot
+  // test these cases.
+  // DNS_ID_BAD_DER("www.bath.org", ""),
+  // DNS_ID_BAD_DER("www.bath.org", "20.30.40.50"),
+  // DNS_ID_BAD_DER("www.bath.org", "66.77.88.99"),
+
+  // IDN tests
+  DNS_ID_MATCH("xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+  DNS_ID_MATCH("*.xn--poema-9qae5a.com.br", "www.xn--poema-9qae5a.com.br"),
+  DNS_ID_MISMATCH("*.xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+  DNS_ID_BAD_DER("xn--poema-*.com.br", "xn--poema-9qae5a.com.br"),
+  DNS_ID_BAD_DER("xn--*-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+  DNS_ID_BAD_DER("*--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br"),
+
+  // The following are adapted from the examples quoted from
+  //   http://tools.ietf.org/html/rfc6125#section-6.4.3
+  // (e.g., *.example.com would match foo.example.com but
+  // not bar.foo.example.com or example.com).
+  DNS_ID_MATCH("*.example.com", "foo.example.com"),
+  DNS_ID_MISMATCH("*.example.com", "bar.foo.example.com"),
+  DNS_ID_MISMATCH("*.example.com", "example.com"),
+  // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would
+  // be taken to match baz1.example.net and foobaz.example.net and
+  // buzz.example.net, respectively. However, we don't allow any characters
+  // other than '*' in the wildcard label.
+  DNS_ID_BAD_DER("baz*.example.net", "baz1.example.net"),
+
+  // Both of these are different from Chromium, but match NSS, becaues the
+  // wildcard character "*" is not the last character of the label.
+  DNS_ID_BAD_DER("*baz.example.net", "foobaz.example.net"),
+  DNS_ID_BAD_DER("b*z.example.net", "buzz.example.net"),
+
+  // Wildcards should not be valid for public registry controlled domains,
+  // and unknown/unrecognized domains, at least three domain components must
+  // be present. For mozilla::pkix and NSS, there must always be at least two
+  // labels after the wildcard label.
+  DNS_ID_MATCH("*.test.example", "www.test.example"),
+  DNS_ID_MATCH("*.example.co.uk", "test.example.co.uk"),
+  DNS_ID_BAD_DER("*.exmaple", "test.example"),
+
+  // The result is different than Chromium, because Chromium takes into account
+  // the additional knowledge it has that "co.uk" is a TLD. mozilla::pkix does
+  // not know that.
+  DNS_ID_MATCH("*.co.uk", "example.co.uk"),
+
+  DNS_ID_BAD_DER("*.com", "foo.com"),
+  DNS_ID_BAD_DER("*.us", "foo.us"),
+  DNS_ID_BAD_DER("*", "foo"),
+
+  // IDN variants of wildcards and registry controlled domains.
+  DNS_ID_MATCH("*.xn--poema-9qae5a.com.br", "www.xn--poema-9qae5a.com.br"),
+  DNS_ID_MATCH("*.example.xn--mgbaam7a8h", "test.example.xn--mgbaam7a8h"),
+
+  // RFC6126 allows this, and NSS accepts it, but Chromium disallows it.
+  // TODO: File bug against Chromium.
+  DNS_ID_MATCH("*.com.br", "xn--poema-9qae5a.com.br"),
+
+  DNS_ID_BAD_DER("*.xn--mgbaam7a8h", "example.xn--mgbaam7a8h"),
+  // Wildcards should be permissible for 'private' registry-controlled
+  // domains. (In mozilla::pkix, we do not know if it is a private registry-
+  // controlled domain or not.)
+  DNS_ID_MATCH("*.appspot.com", "www.appspot.com"),
+  DNS_ID_MATCH("*.s3.amazonaws.com", "foo.s3.amazonaws.com"),
+
+  // Multiple wildcards are not valid.
+  DNS_ID_BAD_DER("*.*.com", "foo.example.com"),
+  DNS_ID_BAD_DER("*.bar.*.com", "foo.bar.example.com"),
+
+  // Absolute vs relative DNS name tests. Although not explicitly specified
+  // in RFC 6125, absolute reference names (those ending in a .) should
+  // match either absolute or relative presented names. We don't allow
+  // absolute presented names.
+  // TODO: File errata against RFC 6125 about this.
+  DNS_ID_BAD_DER("foo.com.", "foo.com"),
+  DNS_ID_MATCH("foo.com", "foo.com."),
+  DNS_ID_BAD_DER("foo.com.", "foo.com."),
+  DNS_ID_BAD_DER("f.", "f"),
+  DNS_ID_MATCH("f", "f."),
+  DNS_ID_BAD_DER("f.", "f."),
+  DNS_ID_BAD_DER("*.bar.foo.com.", "www-3.bar.foo.com"),
+  DNS_ID_MATCH("*.bar.foo.com", "www-3.bar.foo.com."),
+  DNS_ID_BAD_DER("*.bar.foo.com.", "www-3.bar.foo.com."),
+
+  // We require the reference ID to be a valid DNS name, so we cannot test this
+  // case.
+  // DNS_ID_MISMATCH(".", "."),
+
+  DNS_ID_BAD_DER("*.com.", "example.com"),
+  DNS_ID_BAD_DER("*.com", "example.com."),
+  DNS_ID_BAD_DER("*.com.", "example.com."),
+  DNS_ID_BAD_DER("*.", "foo."),
+  DNS_ID_BAD_DER("*.", "foo"),
+
+  // The result is different than Chromium because we don't know that co.uk is
+  // a TLD.
+  DNS_ID_MATCH("*.co.uk", "foo.co.uk"),
+  DNS_ID_MATCH("*.co.uk", "foo.co.uk."),
+  DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk"),
+  DNS_ID_BAD_DER("*.co.uk.", "foo.co.uk."),
+
+  DNS_ID_MISMATCH("*.example.com", "localhost"),
+  DNS_ID_MISMATCH("*.example.com", "localhost."),
+  // Note that we already have the testcase DNS_ID_BAD_DER("*", "foo") above
+};
+
+struct InputValidity
+{
+  ByteString input;
+  bool isValidReferenceID;
+  bool isValidPresentedID;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const InputValidity&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+// str is null-terminated, which is why we subtract 1. str may contain embedded
+// nulls (including at the end) preceding the null terminator though.
+#define I(str, validReferenceID, validPresentedID) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    validReferenceID, \
+    validPresentedID, \
+  }
+
+static const InputValidity DNSNAMES_VALIDITY[] =
+{
+  I("a", true, true),
+  I("a.b", true, true),
+  I("a.b.c", true, true),
+  I("a.b.c.d", true, true),
+
+  // empty labels
+  I("", false, false),
+  I(".", false, false),
+  I("a", true, true),
+  I(".a", false, false),
+  I(".a.b", false, false),
+  I("..a", false, false),
+  I("a..b", false, false),
+  I("a...b", false, false),
+  I("a..b.c", false, false),
+  I("a.b..c", false, false),
+  I(".a.b.c.", false, false),
+
+  // absolute names (only allowed for reference names)
+  I("a.", true, false),
+  I("a.b.", true, false),
+  I("a.b.c.", true, false),
+
+  // absolute names with empty label at end
+  I("a..", false, false),
+  I("a.b..", false, false),
+  I("a.b.c..", false, false),
+  I("a...", false, false),
+
+  // Punycode
+  I("xn--", false, false),
+  I("xn--.", false, false),
+  I("xn--.a", false, false),
+  I("a.xn--", false, false),
+  I("a.xn--.", false, false),
+  I("a.xn--.b", false, false),
+  I("a.xn--.b", false, false),
+  I("a.xn--\0.b", false, false),
+  I("a.xn--a.b", true, true),
+  I("xn--a", true, true),
+  I("a.xn--a", true, true),
+  I("a.xn--a.a", true, true),
+  I("\xc4\x95.com", false, false), // UTF-8 ĕ
+  I("xn--jea.com", true, true), // punycode ĕ
+  I("xn--\xc4\x95.com", false, false), // UTF-8 ĕ, malformed punycode + UTF-8 mashup
+
+  // Surprising punycode
+  I("xn--google.com", true, true), // 䕮䕵䕶䕱.com
+  I("xn--citibank.com", true, true), // 岍岊岊岅岉岎.com
+  I("xn--cnn.com", true, true), // 䁾.com
+  I("a.xn--cnn", true, true), // a.䁾
+  I("a.xn--cnn.com", true, true), // a.䁾.com
+
+  I("1.2.3.4", false, false), // IPv4 address
+  I("1::2", false, false), // IPV6 address
+
+  // whitespace not allowed anywhere.
+  I(" ", false, false),
+  I(" a", false, false),
+  I("a ", false, false),
+  I("a b", false, false),
+  I("a.b 1", false, false),
+  I("a\t", false, false),
+
+  // Nulls not allowed
+  I("\0", false, false),
+  I("a\0", false, false),
+  I("example.org\0.example.com", false, false), // Hi Moxie!
+  I("\0a", false, false),
+  I("xn--\0", false, false),
+
+  // Allowed character set
+  I("a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z", true, true),
+  I("A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z", true, true),
+  I("0.1.2.3.4.5.6.7.8.9.a", true, true), // "a" needed to avoid numeric last label
+  I("a-b", true, true), // hyphen (a label cannot start or end with a hyphen)
+
+  // Underscores
+  I("a_b", true, true),
+  // See bug 1139039
+  I("_", true, true),
+  I("a_", true, true),
+  I("_a", true, true),
+  I("_1", true, true),
+  I("1_", true, true),
+  I("___", true, true),
+
+  // An invalid character in various positions
+  I("!", false, false),
+  I("!a", false, false),
+  I("a!", false, false),
+  I("a!b", false, false),
+  I("a.!", false, false),
+  I("a.a!", false, false),
+  I("a.!a", false, false),
+  I("a.a!a", false, false),
+  I("a.!a.a", false, false),
+  I("a.a!.a", false, false),
+  I("a.a!a.a", false, false),
+
+  // Various other invalid characters
+  I("a!", false, false),
+  I("a@", false, false),
+  I("a#", false, false),
+  I("a$", false, false),
+  I("a%", false, false),
+  I("a^", false, false),
+  I("a&", false, false),
+  I("a*", false, false),
+  I("a(", false, false),
+  I("a)", false, false),
+
+  // last label can't be fully numeric
+  I("1", false, false),
+  I("a.1", false, false),
+
+  // other labels can be fully numeric
+  I("1.a", true, true),
+  I("1.2.a", true, true),
+  I("1.2.3.a", true, true),
+
+  // last label can be *partly* numeric
+  I("1a", true, true),
+  I("1.1a", true, true),
+  I("1-1", true, true),
+  I("a.1-1", true, true),
+  I("a.1-a", true, true),
+
+  // labels cannot start with a hyphen
+  I("-", false, false),
+  I("-1", false, false),
+
+  // labels cannot end with a hyphen
+  I("1-", false, false),
+  I("1-.a", false, false),
+  I("a-", false, false),
+  I("a-.a", false, false),
+  I("a.1-.a", false, false),
+  I("a.a-.a", false, false),
+
+  // labels can contain a hyphen in the middle
+  I("a-b", true, true),
+  I("1-2", true, true),
+  I("a.a-1", true, true),
+
+  // multiple consecutive hyphens allowed
+  I("a--1", true, true),
+  I("1---a", true, true),
+  I("a-----------------b", true, true),
+
+  // Wildcard specifications are not valid reference names, but are valid
+  // presented names if there are enough labels and if '*' is the only
+  // character in the wildcard label.
+  I("*.a", false, false),
+  I("a*", false, false),
+  I("a*.", false, false),
+  I("a*.a", false, false),
+  I("a*.a.", false, false),
+  I("*.a.b", false, true),
+  I("*.a.b.", false, false),
+  I("a*.b.c", false, false),
+  I("*.a.b.c", false, true),
+  I("a*.b.c.d", false, false),
+
+  // Multiple wildcards are not allowed.
+  I("a**.b.c", false, false),
+  I("a*b*.c.d", false, false),
+  I("a*.b*.c", false, false),
+
+  // Wildcards are only allowed in the first label.
+  I("a.*", false, false),
+  I("a.*.b", false, false),
+  I("a.b.*", false, false),
+  I("a.b*.c", false, false),
+  I("*.b*.c", false, false),
+  I(".*.a.b", false, false),
+  I(".a*.b.c", false, false),
+
+  // Wildcards must be at the *end* of the first label.
+  I("*a.b.c", false, false),
+  I("a*b.c.d", false, false),
+
+  // Wildcards not allowed with IDNA prefix
+  I("x*.a.b", false, false),
+  I("xn*.a.b", false, false),
+  I("xn-*.a.b", false, false),
+  I("xn--*.a.b", false, false),
+  I("xn--w*.a.b", false, false),
+
+  // Redacted labels from RFC6962bis draft 4
+  // https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-04#section-3.2.2
+  I("(PRIVATE).foo", false, false),
+
+  // maximum label length is 63 characters
+  I("1234567890" "1234567890" "1234567890"
+    "1234567890" "1234567890" "1234567890" "abc", true, true),
+  I("1234567890" "1234567890" "1234567890"
+    "1234567890" "1234567890" "1234567890" "abcd", false, false),
+
+  // maximum total length is 253 characters
+  I("1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "12345678" "a",
+    true, true),
+  I("1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "1234567890" "."
+    "1234567890" "1234567890" "1234567890" "1234567890" "123456789" "a",
+    false, false),
+};
+
+static const InputValidity DNSNAMES_VALIDITY_TURKISH_I[] =
+{
+  // http://en.wikipedia.org/wiki/Dotted_and_dotless_I#In_computing
+  // IDN registration rules disallow "latin capital letter i with dot above,"
+  // but our checks aren't intended to enforce those rules.
+  I("I", true, true), // ASCII capital I
+  I("i", true, true), // ASCII lowercase i
+  I("\xC4\xB0", false, false), // latin capital letter i with dot above
+  I("\xC4\xB1", false, false), // latin small letter dotless i
+  I("xn--i-9bb", true, true), // latin capital letter i with dot above, in punycode
+  I("xn--cfa", true, true), // latin small letter dotless i, in punycode
+  I("xn--\xC4\xB0", false, false), // latin capital letter i with dot above, mashup
+  I("xn--\xC4\xB1", false, false), // latin small letter dotless i, mashup
+};
+
+static const uint8_t LOWERCASE_I_VALUE[1] = { 'i' };
+static const uint8_t UPPERCASE_I_VALUE[1] = { 'I' };
+static const Input LOWERCASE_I(LOWERCASE_I_VALUE);
+static const Input UPPERCASE_I(UPPERCASE_I_VALUE);
+
+template <unsigned int L>
+struct IPAddressParams
+{
+  ByteString input;
+  bool isValid;
+  uint8_t expectedValueIfValid[L];
+};
+
+template <unsigned int L>
+::std::ostream& operator<<(::std::ostream& os, const IPAddressParams<L>&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+#define IPV4_VALID(str, a, b, c, d) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    true, \
+    { a, b, c, d } \
+  }
+
+// The value of expectedValueIfValid must be ignored for invalid IP addresses.
+// The value { 73, 73, 73, 73 } is used because it is unlikely to result in an
+// accidental match, unlike { 0, 0, 0, 0 }, which is a value we actually test.
+#define IPV4_INVALID(str) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    false, \
+    { 73, 73, 73, 73 } \
+  }
+
+static const IPAddressParams<4> IPV4_ADDRESSES[] =
+{
+  IPV4_INVALID(""),
+  IPV4_INVALID("1"),
+  IPV4_INVALID("1.2"),
+  IPV4_INVALID("1.2.3"),
+  IPV4_VALID("1.2.3.4", 1, 2, 3, 4),
+  IPV4_INVALID("1.2.3.4.5"),
+
+  IPV4_INVALID("1.2.3.4a"), // a DNSName!
+  IPV4_INVALID("a.2.3.4"), // not even a DNSName!
+  IPV4_INVALID("1::2"), // IPv6 address
+
+  // Whitespace not allowed
+  IPV4_INVALID(" 1.2.3.4"),
+  IPV4_INVALID("1.2.3.4 "),
+  IPV4_INVALID("1 .2.3.4"),
+  IPV4_INVALID("\n1.2.3.4"),
+  IPV4_INVALID("1.2.3.4\n"),
+
+  // Nulls not allowed
+  IPV4_INVALID("\0"),
+  IPV4_INVALID("\0" "1.2.3.4"),
+  IPV4_INVALID("1.2.3.4\0"),
+  IPV4_INVALID("1.2.3.4\0.5"),
+
+  // Range
+  IPV4_VALID("0.0.0.0", 0, 0, 0, 0),
+  IPV4_VALID("255.255.255.255", 255, 255, 255, 255),
+  IPV4_INVALID("256.0.0.0"),
+  IPV4_INVALID("0.256.0.0"),
+  IPV4_INVALID("0.0.256.0"),
+  IPV4_INVALID("0.0.0.256"),
+  IPV4_INVALID("999.0.0.0"),
+  IPV4_INVALID("9999999999999999999.0.0.0"),
+
+  // All digits allowed
+  IPV4_VALID("0.1.2.3", 0, 1, 2, 3),
+  IPV4_VALID("4.5.6.7", 4, 5, 6, 7),
+  IPV4_VALID("8.9.0.1", 8, 9, 0, 1),
+
+  // Leading zeros not allowed
+  IPV4_INVALID("01.2.3.4"),
+  IPV4_INVALID("001.2.3.4"),
+  IPV4_INVALID("00000000001.2.3.4"),
+  IPV4_INVALID("010.2.3.4"),
+  IPV4_INVALID("1.02.3.4"),
+  IPV4_INVALID("1.2.03.4"),
+  IPV4_INVALID("1.2.3.04"),
+
+  // Empty components
+  IPV4_INVALID(".2.3.4"),
+  IPV4_INVALID("1..3.4"),
+  IPV4_INVALID("1.2..4"),
+  IPV4_INVALID("1.2.3."),
+
+  // Too many components
+  IPV4_INVALID("1.2.3.4.5"),
+  IPV4_INVALID("1.2.3.4.5.6"),
+  IPV4_INVALID("0.1.2.3.4"),
+  IPV4_INVALID("1.2.3.4.0"),
+
+  // Leading/trailing dot
+  IPV4_INVALID(".1.2.3.4"),
+  IPV4_INVALID("1.2.3.4."),
+
+  // Other common forms of IPv4 address
+  // http://en.wikipedia.org/wiki/IPv4#Address_representations
+  IPV4_VALID("192.0.2.235", 192, 0, 2, 235), // dotted decimal (control value)
+  IPV4_INVALID("0xC0.0x00.0x02.0xEB"), // dotted hex
+  IPV4_INVALID("0301.0000.0002.0353"), // dotted octal
+  IPV4_INVALID("0xC00002EB"), // non-dotted hex
+  IPV4_INVALID("3221226219"), // non-dotted decimal
+  IPV4_INVALID("030000001353"), // non-dotted octal
+  IPV4_INVALID("192.0.0002.0xEB"), // mixed
+};
+
+#define IPV6_VALID(str, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    true, \
+    { a, b, c, d, \
+      e, f, g, h, \
+      i, j, k, l, \
+      m, n, o, p } \
+  }
+
+#define IPV6_INVALID(str) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(str), sizeof(str) - 1), \
+    false, \
+    { 73, 73, 73, 73, \
+      73, 73, 73, 73, \
+      73, 73, 73, 73, \
+      73, 73, 73, 73 } \
+  }
+
+static const IPAddressParams<16> IPV6_ADDRESSES[] =
+{
+  IPV6_INVALID(""),
+  IPV6_INVALID("1234"),
+  IPV6_INVALID("1234:5678"),
+  IPV6_INVALID("1234:5678:9abc"),
+  IPV6_INVALID("1234:5678:9abc:def0"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:"),
+  IPV6_VALID("1234:5678:9abc:def0:1234:5678:9abc:def0",
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0,
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0:"),
+  IPV6_INVALID(":1234:5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0:0000"),
+
+  // Valid contractions
+  IPV6_VALID("::1",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x01),
+  IPV6_VALID("::1234",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x12, 0x34),
+  IPV6_VALID("1234::",
+             0x12, 0x34, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_VALID("1234::5678",
+             0x12, 0x34, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x56, 0x78),
+  IPV6_VALID("1234:5678::abcd",
+             0x12, 0x34, 0x56, 0x78,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0xab, 0xcd),
+  IPV6_VALID("1234:5678:9abc:def0:1234:5678:9abc::",
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0,
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0x00, 0x00),
+
+  // Contraction in full IPv6 addresses not allowed
+  IPV6_INVALID("::1234:5678:9abc:def0:1234:5678:9abc:def0"), // start
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0::"), // end
+  IPV6_INVALID("1234:5678::9abc:def0:1234:5678:9abc:def0"), // interior
+
+  // Multiple contractions not allowed
+  IPV6_INVALID("::1::"),
+  IPV6_INVALID("::1::2"),
+  IPV6_INVALID("1::2::"),
+
+  // Colon madness!
+  IPV6_INVALID(":"),
+  IPV6_INVALID("::"),
+  IPV6_INVALID(":::"),
+  IPV6_INVALID("::::"),
+  IPV6_INVALID(":::1"),
+  IPV6_INVALID("::::1"),
+  IPV6_INVALID("1:::2"),
+  IPV6_INVALID("1::::2"),
+  IPV6_INVALID("1:2:::"),
+  IPV6_INVALID("1:2::::"),
+  IPV6_INVALID("::1234:"),
+  IPV6_INVALID(":1234::"),
+
+  IPV6_INVALID("01234::"), // too many digits, even if zero
+  IPV6_INVALID("12345678::"), // too many digits or missing colon
+
+  // uppercase
+  IPV6_VALID("ABCD:EFAB::",
+             0xab, 0xcd, 0xef, 0xab,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+
+  // miXeD CAse
+  IPV6_VALID("aBcd:eFAb::",
+             0xab, 0xcd, 0xef, 0xab,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+
+  // IPv4-style
+  IPV6_VALID("::2.3.4.5",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x02, 0x03, 0x04, 0x05),
+  IPV6_VALID("1234::2.3.4.5",
+             0x12, 0x34, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x02, 0x03, 0x04, 0x05),
+  IPV6_VALID("::abcd:2.3.4.5",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0xab, 0xcd,
+             0x02, 0x03, 0x04, 0x05),
+  IPV6_VALID("1234:5678:9abc:def0:1234:5678:252.253.254.255",
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0,
+             0x12, 0x34, 0x56, 0x78,
+             252,  253,  254,  255),
+  IPV6_VALID("1234:5678:9abc:def0:1234::252.253.254.255",
+             0x12, 0x34, 0x56, 0x78,
+             0x9a, 0xbc, 0xde, 0xf0,
+             0x12, 0x34, 0x00, 0x00,
+             252,  253,  254,  255),
+  IPV6_INVALID("1234::252.253.254"),
+  IPV6_INVALID("::252.253.254"),
+  IPV6_INVALID("::252.253.254.300"),
+  IPV6_INVALID("1234::252.253.254.255:"),
+  IPV6_INVALID("1234::252.253.254.255:5678"),
+
+  // Contractions that don't contract
+  IPV6_INVALID("::1234:5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678:9abc:def0::"),
+  IPV6_INVALID("1234:5678:9abc:def0::1234:5678:9abc:def0"),
+  IPV6_INVALID("1234:5678:9abc:def0:1234:5678::252.253.254.255"),
+
+  // With and without leading zeros
+  IPV6_VALID("::123",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x01, 0x23),
+  IPV6_VALID("::0123",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x01, 0x23),
+  IPV6_VALID("::012",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x12),
+  IPV6_VALID("::0012",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x12),
+  IPV6_VALID("::01",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x01),
+  IPV6_VALID("::001",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x01),
+  IPV6_VALID("::0001",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x01),
+  IPV6_VALID("::0",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_VALID("::00",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_VALID("::000",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_VALID("::0000",
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00,
+             0x00, 0x00, 0x00, 0x00),
+  IPV6_INVALID("::01234"),
+  IPV6_INVALID("::00123"),
+  IPV6_INVALID("::000123"),
+
+  // Trailing zero
+  IPV6_INVALID("::12340"),
+
+  // Whitespace
+  IPV6_INVALID(" 1234:5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("\t1234:5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("\t1234:5678:9abc:def0:1234:5678:9abc:def0\n"),
+  IPV6_INVALID("1234 :5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID("1234: 5678:9abc:def0:1234:5678:9abc:def0"),
+  IPV6_INVALID(":: 2.3.4.5"),
+  IPV6_INVALID("1234::252.253.254.255 "),
+  IPV6_INVALID("1234::252.253.254.255\n"),
+  IPV6_INVALID("1234::252.253. 254.255"),
+
+  // Nulls
+  IPV6_INVALID("\0"),
+  IPV6_INVALID("::1\0:2"),
+  IPV6_INVALID("::1\0"),
+  IPV6_INVALID("::1.2.3.4\0"),
+  IPV6_INVALID("::1.2\02.3.4"),
+};
+
+class pkixnames_MatchPresentedDNSIDWithReferenceDNSID
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<PresentedMatchesReference>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_MatchPresentedDNSIDWithReferenceDNSID,
+       MatchPresentedDNSIDWithReferenceDNSID)
+{
+  const PresentedMatchesReference& param(GetParam());
+  SCOPED_TRACE(param.presentedDNSID.c_str());
+  SCOPED_TRACE(param.referenceDNSID.c_str());
+  Input presented;
+  ASSERT_EQ(Success, presented.Init(param.presentedDNSID.data(),
+                                    param.presentedDNSID.length()));
+  Input reference;
+  ASSERT_EQ(Success, reference.Init(param.referenceDNSID.data(),
+                                    param.referenceDNSID.length()));
+
+  // sanity check that test makes sense
+  ASSERT_TRUE(IsValidReferenceDNSID(reference));
+
+  bool matches;
+  ASSERT_EQ(param.expectedResult,
+            MatchPresentedDNSIDWithReferenceDNSID(presented, reference,
+                                                  matches));
+  if (param.expectedResult == Success) {
+    ASSERT_EQ(param.expectedMatches, matches);
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_MatchPresentedDNSIDWithReferenceDNSID,
+                        pkixnames_MatchPresentedDNSIDWithReferenceDNSID,
+                        testing::ValuesIn(DNSID_MATCH_PARAMS));
+
+class pkixnames_Turkish_I_Comparison
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<InputValidity>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_Turkish_I_Comparison, MatchPresentedDNSIDWithReferenceDNSID)
+{
+  // Make sure we don't have the similar problems that strcasecmp and others
+  // have with the other kinds of "i" and "I" commonly used in Turkish locales.
+
+  const InputValidity& inputValidity(GetParam());
+  SCOPED_TRACE(inputValidity.input.c_str());
+  Input input;
+  ASSERT_EQ(Success, input.Init(inputValidity.input.data(),
+                                inputValidity.input.length()));
+
+  bool isASCII = InputsAreEqual(LOWERCASE_I, input) ||
+                 InputsAreEqual(UPPERCASE_I, input);
+  {
+    bool matches;
+    ASSERT_EQ(inputValidity.isValidPresentedID ? Success
+                                               : Result::ERROR_BAD_DER,
+              MatchPresentedDNSIDWithReferenceDNSID(input, LOWERCASE_I,
+                                                    matches));
+    if (inputValidity.isValidPresentedID) {
+      ASSERT_EQ(isASCII, matches);
+    }
+  }
+  {
+    bool matches;
+    ASSERT_EQ(inputValidity.isValidPresentedID ? Success
+                                               : Result::ERROR_BAD_DER,
+              MatchPresentedDNSIDWithReferenceDNSID(input, UPPERCASE_I,
+                                                    matches));
+    if (inputValidity.isValidPresentedID) {
+      ASSERT_EQ(isASCII, matches);
+    }
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_Turkish_I_Comparison,
+                        pkixnames_Turkish_I_Comparison,
+                        testing::ValuesIn(DNSNAMES_VALIDITY_TURKISH_I));
+
+class pkixnames_IsValidReferenceDNSID
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<InputValidity>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_IsValidReferenceDNSID, IsValidReferenceDNSID)
+{
+  const InputValidity& inputValidity(GetParam());
+  SCOPED_TRACE(inputValidity.input.c_str());
+  Input input;
+  ASSERT_EQ(Success, input.Init(inputValidity.input.data(),
+                                inputValidity.input.length()));
+  ASSERT_EQ(inputValidity.isValidReferenceID, IsValidReferenceDNSID(input));
+  ASSERT_EQ(inputValidity.isValidPresentedID, IsValidPresentedDNSID(input));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_IsValidReferenceDNSID,
+                        pkixnames_IsValidReferenceDNSID,
+                        testing::ValuesIn(DNSNAMES_VALIDITY));
+INSTANTIATE_TEST_CASE_P(pkixnames_IsValidReferenceDNSID_Turkish_I,
+                        pkixnames_IsValidReferenceDNSID,
+                        testing::ValuesIn(DNSNAMES_VALIDITY_TURKISH_I));
+
+class pkixnames_ParseIPv4Address
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IPAddressParams<4>>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_ParseIPv4Address, ParseIPv4Address)
+{
+  const IPAddressParams<4>& param(GetParam());
+  SCOPED_TRACE(param.input.c_str());
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.input.data(),
+                                param.input.length()));
+  uint8_t ipAddress[4];
+  ASSERT_EQ(param.isValid, ParseIPv4Address(input, ipAddress));
+  if (param.isValid) {
+    for (size_t i = 0; i < sizeof(ipAddress); ++i) {
+      ASSERT_EQ(param.expectedValueIfValid[i], ipAddress[i]);
+    }
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_ParseIPv4Address,
+                        pkixnames_ParseIPv4Address,
+                        testing::ValuesIn(IPV4_ADDRESSES));
+
+class pkixnames_ParseIPv6Address
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IPAddressParams<16>>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_ParseIPv6Address, ParseIPv6Address)
+{
+  const IPAddressParams<16>& param(GetParam());
+  SCOPED_TRACE(param.input.c_str());
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.input.data(),
+                                param.input.length()));
+  uint8_t ipAddress[16];
+  ASSERT_EQ(param.isValid, ParseIPv6Address(input, ipAddress));
+  if (param.isValid) {
+    for (size_t i = 0; i < sizeof(ipAddress); ++i) {
+      ASSERT_EQ(param.expectedValueIfValid[i], ipAddress[i]);
+    }
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_ParseIPv6Address,
+                        pkixnames_ParseIPv6Address,
+                        testing::ValuesIn(IPV6_ADDRESSES));
+
+// This is an arbitrary string that is used to indicate that no SAN extension
+// should be put into the generated certificate. It needs to be different from
+// "" or any other subjectAltName value that we actually want to test, but its
+// actual value does not matter. Note that this isn't a correctly-encoded SAN
+// extension value!
+static const ByteString
+  NO_SAN(reinterpret_cast<const uint8_t*>("I'm a bad, bad, certificate"));
+
+struct CheckCertHostnameParams
+{
+  ByteString hostname;
+  ByteString subject;
+  ByteString subjectAltName;
+  Result result;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const CheckCertHostnameParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+class pkixnames_CheckCertHostname
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<CheckCertHostnameParams>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+#define WITH_SAN(r, ps, psan, result) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(r), sizeof(r) - 1), \
+    ps, \
+    psan, \
+    result \
+  }
+
+#define WITHOUT_SAN(r, ps, result) \
+  { \
+    ByteString(reinterpret_cast<const uint8_t*>(r), sizeof(r) - 1), \
+    ps, \
+    NO_SAN, \
+    result \
+  }
+
+static const uint8_t example_com[] = {
+  'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
+};
+
+// Note that We avoid zero-valued bytes in these IP addresses so that we don't
+// get false negatives from anti-NULL-byte defenses in dNSName decoding.
+static const uint8_t ipv4_addr_bytes[] = {
+  1, 2, 3, 4
+};
+static const uint8_t ipv4_addr_bytes_as_str[] = "\x01\x02\x03\x04";
+static const uint8_t ipv4_addr_str[] = "1.2.3.4";
+static const uint8_t ipv4_addr_bytes_FFFFFFFF[8] = {
+  1, 2, 3, 4, 0xff, 0xff, 0xff, 0xff
+};
+
+static const uint8_t ipv4_compatible_ipv6_addr_bytes[] = {
+  0, 0, 0, 0,
+  0, 0, 0, 0,
+  0, 0, 0, 0,
+  1, 2, 3, 4
+};
+static const uint8_t ipv4_compatible_ipv6_addr_str[] = "::1.2.3.4";
+
+static const uint8_t ipv4_mapped_ipv6_addr_bytes[] = {
+  0, 0, 0, 0,
+  0, 0, 0, 0,
+  0, 0, 0xFF, 0xFF,
+  1, 2, 3, 4
+};
+static const uint8_t ipv4_mapped_ipv6_addr_str[] = "::FFFF:1.2.3.4";
+
+static const uint8_t ipv6_addr_bytes[] = {
+  0x11, 0x22, 0x33, 0x44,
+  0x55, 0x66, 0x77, 0x88,
+  0x99, 0xaa, 0xbb, 0xcc,
+  0xdd, 0xee, 0xff, 0x11
+};
+static const uint8_t ipv6_addr_bytes_as_str[] =
+  "\x11\x22\x33\x44"
+  "\x55\x66\x77\x88"
+  "\x99\xaa\xbb\xcc"
+  "\xdd\xee\xff\x11";
+
+static const uint8_t ipv6_addr_str[] =
+  "1122:3344:5566:7788:99aa:bbcc:ddee:ff11";
+
+static const uint8_t ipv6_other_addr_bytes[] = {
+  0xff, 0xee, 0xdd, 0xcc,
+  0xbb, 0xaa, 0x99, 0x88,
+  0x77, 0x66, 0x55, 0x44,
+  0x33, 0x22, 0x11, 0x00,
+};
+
+static const uint8_t ipv4_other_addr_bytes[] = {
+  5, 6, 7, 8
+};
+static const uint8_t ipv4_other_addr_bytes_FFFFFFFF[] = {
+  5, 6, 7, 8, 0xff, 0xff, 0xff, 0xff
+};
+
+static const uint8_t ipv4_addr_00000000_bytes[] = {
+  0, 0, 0, 0
+};
+static const uint8_t ipv4_addr_FFFFFFFF_bytes[] = {
+  0, 0, 0, 0
+};
+
+static const uint8_t ipv4_constraint_all_zeros_bytes[] = {
+  0, 0, 0, 0, 0, 0, 0, 0
+};
+
+static const uint8_t ipv6_addr_all_zeros_bytes[] = {
+  0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+static const uint8_t ipv6_constraint_all_zeros_bytes[] = {
+  0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0,
+  0, 0, 0, 0, 0, 0, 0, 0
+};
+
+static const uint8_t ipv4_constraint_CIDR_16_bytes[] = {
+  1, 2, 0, 0, 0xff, 0xff, 0, 0
+};
+static const uint8_t ipv4_constraint_CIDR_17_bytes[] = {
+  1, 2, 0, 0, 0xff, 0xff, 0x80, 0
+};
+
+// The subnet is 1.2.0.0/16 but it is specified as 1.2.3.0/16
+static const uint8_t ipv4_constraint_CIDR_16_bad_addr_bytes[] = {
+  1, 2, 3, 0, 0xff, 0xff, 0, 0
+};
+
+// Masks are supposed to be of the form <ones><zeros>, but this one is of the
+// form <ones><zeros><ones><zeros>.
+static const uint8_t ipv4_constraint_bad_mask_bytes[] = {
+  1, 2, 3, 0, 0xff, 0, 0xff, 0
+};
+
+static const uint8_t ipv6_constraint_CIDR_16_bytes[] = {
+  0x11, 0x22, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0,
+  0xff, 0xff, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0
+};
+
+// The subnet is 1122::/16 but it is specified as 1122:3344::/16
+static const uint8_t ipv6_constraint_CIDR_16_bad_addr_bytes[] = {
+  0x11, 0x22, 0x33, 0x44, 0, 0, 0, 0,
+     0,    0,    0,    0, 0, 0, 0, 0,
+  0xff, 0xff,    0,    0, 0, 0, 0, 0,
+     0,    0,    0,    0, 0, 0, 0, 0
+};
+
+// Masks are supposed to be of the form <ones><zeros>, but this one is of the
+// form <ones><zeros><ones><zeros>.
+static const uint8_t ipv6_constraint_bad_mask_bytes[] = {
+  0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0, 0,
+     0,    0,    0,    0,    0,    0, 0, 0,
+  0xff, 0xff,    0,    0, 0xff, 0xff, 0, 0,
+     0,    0,    0,    0,    0,    0, 0, 0,
+};
+
+static const uint8_t ipv4_addr_truncated_bytes[] = {
+  1, 2, 3
+};
+static const uint8_t ipv4_addr_overlong_bytes[] = {
+  1, 2, 3, 4, 5
+};
+static const uint8_t ipv4_constraint_truncated_bytes[] = {
+  0, 0, 0, 0,
+  0, 0, 0,
+};
+static const uint8_t ipv4_constraint_overlong_bytes[] = {
+  0, 0, 0, 0,
+  0, 0, 0, 0, 0
+};
+
+static const uint8_t ipv6_addr_truncated_bytes[] = {
+  0x11, 0x22, 0x33, 0x44,
+  0x55, 0x66, 0x77, 0x88,
+  0x99, 0xaa, 0xbb, 0xcc,
+  0xdd, 0xee, 0xff
+};
+static const uint8_t ipv6_addr_overlong_bytes[] = {
+  0x11, 0x22, 0x33, 0x44,
+  0x55, 0x66, 0x77, 0x88,
+  0x99, 0xaa, 0xbb, 0xcc,
+  0xdd, 0xee, 0xff, 0x11, 0x00
+};
+static const uint8_t ipv6_constraint_truncated_bytes[] = {
+  0x11, 0x22, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0,
+  0xff, 0xff, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0
+};
+static const uint8_t ipv6_constraint_overlong_bytes[] = {
+  0x11, 0x22, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0,
+  0xff, 0xff, 0, 0, 0, 0, 0, 0,
+     0,    0, 0, 0, 0, 0, 0, 0, 0
+};
+
+// Note that, for DNSNames, these test cases in CHECK_CERT_HOSTNAME_PARAMS are
+// mostly about testing different scenerios regarding the structure of entries
+// in the subjectAltName and subject of the certificate, than about the how
+// specific presented identifier values are matched against the reference
+// identifier values. This is because we also use the test cases in
+// DNSNAMES_VALIDITY to test CheckCertHostname. Consequently, tests about
+// whether specific presented DNSNames (including wildcards, in particular) are
+// matched against a reference DNSName only need to be added to
+// DNSNAMES_VALIDITY, and not here.
+static const CheckCertHostnameParams CHECK_CERT_HOSTNAME_PARAMS[] =
+{
+  // This is technically illegal. PrintableString is defined in such a way that
+  // '*' is not an allowed character, but there are many real-world certificates
+  // that are encoded this way.
+  WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::PrintableString)),
+              Success),
+  WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::UTF8String)),
+              Success),
+
+  // Many certificates use TeletexString when encoding wildcards in CN-IDs
+  // because PrintableString is defined as not allowing '*' and UTF8String was,
+  // at one point in history, considered too new to depend on for compatibility.
+  // We accept TeletexString-encoded CN-IDs when they don't contain any escape
+  // sequences. The reference I used for the escape codes was
+  // https://tools.ietf.org/html/rfc1468. The escaping mechanism is actually
+  // pretty complex and these tests don't even come close to testing all the
+  // possibilities.
+  WITHOUT_SAN("foo.example.com", RDN(CN("*.example.com", der::TeletexString)),
+              Success),
+  // "ESC ( B" ({0x1B,0x50,0x42}) is the escape code to switch to ASCII, which
+  // is redundant because it already the default.
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("\x1B(B*.example.com", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("*.example\x1B(B.com", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("*.example.com\x1B(B", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // "ESC $ B" ({0x1B,0x24,0x42}) is the escape code to switch to
+  // JIS X 0208-1983 (a Japanese character set).
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("\x1B$B*.example.com", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITHOUT_SAN("foo.example.com",
+              RDN(CN("*.example.com\x1B$B", der::TeletexString)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+
+  // Match a DNSName SAN entry with a redundant (ignored) matching CN-ID.
+  WITH_SAN("a", RDN(CN("a")), DNSName("a"), Success),
+  // Match a DNSName SAN entry when there is an CN-ID that doesn't match.
+  WITH_SAN("b", RDN(CN("a")), DNSName("b"), Success),
+  // Do not match a CN-ID when there is a valid DNSName SAN Entry.
+  WITH_SAN("a", RDN(CN("a")), DNSName("b"), Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match a CN-ID when there is a malformed DNSName SAN Entry.
+  WITH_SAN("a", RDN(CN("a")), DNSName("!"), Result::ERROR_BAD_DER),
+  // Do not match a matching CN-ID when there is a valid IPAddress SAN entry.
+  WITH_SAN("a", RDN(CN("a")), IPAddress(ipv4_addr_bytes),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match a matching CN-ID when there is a malformed IPAddress SAN entry.
+  WITH_SAN("a", RDN(CN("a")), IPAddress(example_com),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  // Match a DNSName against a matching CN-ID when there is a SAN, but the SAN
+  // does not contain an DNSName or IPAddress entry.
+  WITH_SAN("a", RDN(CN("a")), RFC822Name("foo@example.com"), Success),
+  // Match a matching CN-ID when there is no SAN.
+  WITHOUT_SAN("a", RDN(CN("a")), Success),
+  // Do not match a mismatching CN-ID when there is no SAN.
+  WITHOUT_SAN("a", RDN(CN("b")), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // The first DNSName matches.
+  WITH_SAN("a", RDN(CN("foo")), DNSName("a") + DNSName("b"), Success),
+  // The last DNSName matches.
+  WITH_SAN("b", RDN(CN("foo")), DNSName("a") + DNSName("b"), Success),
+  // The middle DNSName matches.
+  WITH_SAN("b", RDN(CN("foo")),
+           DNSName("a") + DNSName("b") + DNSName("c"), Success),
+  // After an IP address.
+  WITH_SAN("b", RDN(CN("foo")),
+           IPAddress(ipv4_addr_bytes) + DNSName("b"), Success),
+  // Before an IP address.
+  WITH_SAN("a", RDN(CN("foo")),
+           DNSName("a") + IPAddress(ipv4_addr_bytes), Success),
+  // Between an RFC822Name and an IP address.
+  WITH_SAN("b", RDN(CN("foo")),
+           RFC822Name("foo@example.com") + DNSName("b") +
+                                           IPAddress(ipv4_addr_bytes),
+           Success),
+  // Duplicate DNSName.
+  WITH_SAN("a", RDN(CN("foo")), DNSName("a") + DNSName("a"), Success),
+  // After an invalid DNSName.
+  WITH_SAN("b", RDN(CN("foo")), DNSName("!") + DNSName("b"),
+           Result::ERROR_BAD_DER),
+
+  // http://tools.ietf.org/html/rfc5280#section-4.2.1.6: "If the subjectAltName
+  // extension is present, the sequence MUST contain at least one entry."
+  // However, for compatibility reasons, this is not enforced. See bug 1143085.
+  // This case is treated as if the extension is not present (i.e. name
+  // matching falls back to the subject CN).
+  WITH_SAN("a", RDN(CN("a")), ByteString(), Success),
+  WITH_SAN("a", RDN(CN("b")), ByteString(), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // http://tools.ietf.org/html/rfc5280#section-4.1.2.6 says "If subject naming
+  // information is present only in the subjectAltName extension (e.g., a key
+  // bound only to an email address or URI), then the subject name MUST be an
+  // empty sequence and the subjectAltName extension MUST be critical." So, we
+  // have to support an empty subject. We don't enforce that the SAN must be
+  // critical or even that there is a SAN when the subject is empty, though.
+  WITH_SAN("a", ByteString(), DNSName("a"), Success),
+  // Make sure we return ERROR_BAD_CERT_DOMAIN and not ERROR_BAD_DER.
+  WITHOUT_SAN("a", ByteString(), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // Two CNs in the same RDN, both match.
+  WITHOUT_SAN("a", RDN(CN("a") + CN("a")), Success),
+  // Two CNs in the same RDN, both DNSNames, first one matches.
+  WITHOUT_SAN("a", RDN(CN("a") + CN("b")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // Two CNs in the same RDN, both DNSNames, last one matches.
+  WITHOUT_SAN("b", RDN(CN("a") + CN("b")), Success),
+  // Two CNs in the same RDN, first one matches, second isn't a DNSName.
+  WITHOUT_SAN("a", RDN(CN("a") + CN("Not a DNSName")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // Two CNs in the same RDN, first one not a DNSName, second matches.
+  WITHOUT_SAN("b", RDN(CN("Not a DNSName") + CN("b")), Success),
+
+  // Two CNs in separate RDNs, both match.
+  WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("a")), Success),
+  // Two CNs in separate RDNs, both DNSNames, first one matches.
+  WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("b")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // Two CNs in separate RDNs, both DNSNames, last one matches.
+  WITHOUT_SAN("b", RDN(CN("a")) + RDN(CN("b")), Success),
+  // Two CNs in separate RDNs, first one matches, second isn't a DNSName.
+  WITHOUT_SAN("a", RDN(CN("a")) + RDN(CN("Not a DNSName")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // Two CNs in separate RDNs, first one not a DNSName, second matches.
+  WITHOUT_SAN("b", RDN(CN("Not a DNSName")) + RDN(CN("b")), Success),
+
+  // One CN, one RDN, CN is the first AVA in the RDN, CN matches.
+  WITHOUT_SAN("a", RDN(CN("a") + OU("b")), Success),
+  // One CN, one RDN, CN is the first AVA in the RDN, CN does not match.
+  WITHOUT_SAN("b", RDN(CN("a") + OU("b")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  // One CN, one RDN, CN is not the first AVA in the RDN, CN matches.
+  WITHOUT_SAN("b", RDN(OU("a") + CN("b")), Success),
+  // One CN, one RDN, CN is not the first AVA in the RDN, CN does not match.
+  WITHOUT_SAN("a", RDN(OU("a") + CN("b")),
+              Result::ERROR_BAD_CERT_DOMAIN),
+
+  // One CN, multiple RDNs, CN is in the first RDN, CN matches.
+  WITHOUT_SAN("a", RDN(CN("a")) + RDN(OU("b")), Success),
+  // One CN, multiple RDNs, CN is in the first RDN, CN does not match.
+  WITHOUT_SAN("b", RDN(CN("a")) + RDN(OU("b")), Result::ERROR_BAD_CERT_DOMAIN),
+  // One CN, multiple RDNs, CN is not in the first RDN, CN matches.
+  WITHOUT_SAN("b", RDN(OU("a")) + RDN(CN("b")), Success),
+  // One CN, multiple RDNs, CN is not in the first RDN, CN does not match.
+  WITHOUT_SAN("a", RDN(OU("a")) + RDN(CN("b")), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // One CN, one RDN, CN is not in the first or last AVA, CN matches.
+  WITHOUT_SAN("b", RDN(OU("a") + CN("b") + OU("c")), Success),
+  // One CN, multiple RDNs, CN is not in the first or last RDN, CN matches.
+  WITHOUT_SAN("b", RDN(OU("a")) + RDN(CN("b")) + RDN(OU("c")), Success),
+
+  // Empty CN does not match.
+  WITHOUT_SAN("example.com", RDN(CN("")), Result::ERROR_BAD_CERT_DOMAIN),
+
+  WITHOUT_SAN("uses_underscore.example.com", RDN(CN("*.example.com")), Success),
+  WITHOUT_SAN("a.uses_underscore.example.com",
+              RDN(CN("*.uses_underscore.example.com")), Success),
+  WITH_SAN("uses_underscore.example.com", RDN(CN("foo")),
+           DNSName("*.example.com"), Success),
+  WITH_SAN("a.uses_underscore.example.com", RDN(CN("foo")),
+           DNSName("*.uses_underscore.example.com"), Success),
+
+  // Do not match a DNSName that is encoded in a malformed IPAddress.
+  WITH_SAN("example.com", RDN(CN("foo")), IPAddress(example_com),
+           Result::ERROR_BAD_CERT_DOMAIN),
+
+  // We skip over the malformed IPAddress and match the DNSName entry because
+  // we've heard reports of real-world certificates that have malformed
+  // IPAddress SANs.
+  WITH_SAN("example.org", RDN(CN("foo")),
+           IPAddress(example_com) + DNSName("example.org"), Success),
+
+  WITH_SAN("example.com", RDN(CN("foo")),
+           DNSName("!") + DNSName("example.com"), Result::ERROR_BAD_DER),
+
+  // Match a matching IPv4 address SAN entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")), IPAddress(ipv4_addr_bytes),
+           Success),
+  // Match a matching IPv4 addresses in the CN when there is no SAN
+  WITHOUT_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)), Success),
+  // Do not match a matching IPv4 address in the CN when there is a SAN with
+  // a DNSName entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           DNSName("example.com"), Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match a matching IPv4 address in the CN when there is a SAN with
+  // a non-matching IPAddress entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           IPAddress(ipv6_addr_bytes), Result::ERROR_BAD_CERT_DOMAIN),
+  // Match a matching IPv4 address in the CN when there is a SAN with a
+  // non-IPAddress, non-DNSName entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           RFC822Name("foo@example.com"), Success),
+  // Do not match a matching IPv4 address in the CN when there is a SAN with a
+  // malformed IPAddress entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           IPAddress(example_com), Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match a matching IPv4 address in the CN when there is a SAN with a
+  // malformed DNSName entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_str)),
+           DNSName("!"), Result::ERROR_BAD_CERT_DOMAIN),
+
+  // We don't match IPv6 addresses in the CN, regardless of whether there is
+  // a SAN.
+  WITHOUT_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)),
+           DNSName("example.com"), Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_str)),
+                          IPAddress(ipv6_addr_bytes), Success),
+  WITH_SAN(ipv6_addr_str, RDN(CN("foo")), IPAddress(ipv6_addr_bytes),
+           Success),
+
+  // We don't match the binary encoding of the bytes of IP addresses in the
+  // CN.
+  WITHOUT_SAN(ipv4_addr_str, RDN(CN(ipv4_addr_bytes_as_str)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+  WITHOUT_SAN(ipv6_addr_str, RDN(CN(ipv6_addr_bytes_as_str)),
+              Result::ERROR_BAD_CERT_DOMAIN),
+
+  // We don't match IP addresses with DNSName SANs.
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")),
+           DNSName(ipv4_addr_bytes_as_str), Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")), DNSName(ipv4_addr_str),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv6_addr_str, RDN(CN("foo")),
+           DNSName(ipv6_addr_bytes_as_str), Result::ERROR_BAD_CERT_DOMAIN),
+  WITH_SAN(ipv6_addr_str, RDN(CN("foo")), DNSName(ipv6_addr_str),
+           Result::ERROR_BAD_CERT_DOMAIN),
+
+  // Do not match an IPv4 reference ID against the equivalent IPv4-compatible
+  // IPv6 SAN entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")),
+           IPAddress(ipv4_compatible_ipv6_addr_bytes),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match an IPv4 reference ID against the equivalent IPv4-mapped IPv6
+  // SAN entry.
+  WITH_SAN(ipv4_addr_str, RDN(CN("foo")),
+           IPAddress(ipv4_mapped_ipv6_addr_bytes),
+           Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match an IPv4-compatible IPv6 reference ID against the equivalent
+  // IPv4 SAN entry.
+  WITH_SAN(ipv4_compatible_ipv6_addr_str, RDN(CN("foo")),
+           IPAddress(ipv4_addr_bytes), Result::ERROR_BAD_CERT_DOMAIN),
+  // Do not match an IPv4 reference ID against the equivalent IPv4-mapped IPv6
+  // SAN entry.
+  WITH_SAN(ipv4_mapped_ipv6_addr_str, RDN(CN("foo")),
+           IPAddress(ipv4_addr_bytes),
+           Result::ERROR_BAD_CERT_DOMAIN),
+
+  // Test that the presence of an otherName entry is handled appropriately.
+  // (The actual value of the otherName entry isn't important - that's not what
+  // we're testing here.)
+  WITH_SAN("example.com", ByteString(),
+           // The tag for otherName is CONTEXT_SPECIFIC | CONSTRUCTED | 0
+           TLV((2 << 6) | (1 << 5) | 0, ByteString()) + DNSName("example.com"),
+           Success),
+  WITH_SAN("example.com", ByteString(),
+           TLV((2 << 6) | (1 << 5) | 0, ByteString()),
+           Result::ERROR_BAD_CERT_DOMAIN),
+};
+
+ByteString
+CreateCert(const ByteString& subject, const ByteString& subjectAltName,
+           EndEntityOrCA endEntityOrCA = EndEntityOrCA::MustBeEndEntity)
+{
+  ByteString serialNumber(CreateEncodedSerialNumber(1));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString issuerDER(Name(RDN(CN("issuer"))));
+  EXPECT_FALSE(ENCODING_FAILED(issuerDER));
+
+  ByteString extensions[2];
+  if (subjectAltName != NO_SAN) {
+    extensions[0] = CreateEncodedSubjectAltName(subjectAltName);
+    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+  }
+  if (endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    // Currently, these tests assume that if we're creating a CA certificate, it
+    // will not have a subjectAlternativeName extension. If that assumption
+    // changes, this code will have to be updated. Ideally this would be
+    // ASSERT_EQ, but that inserts a 'return;', which doesn't match this
+    // function's return type.
+    EXPECT_EQ(subjectAltName, NO_SAN);
+    extensions[0] = CreateEncodedBasicConstraints(true, nullptr,
+                                                  Critical::Yes);
+    EXPECT_FALSE(ENCODING_FAILED(extensions[0]));
+  }
+
+  ScopedTestKeyPair keyPair(CloneReusedKeyPair());
+  return CreateEncodedCertificate(
+                    v3, sha256WithRSAEncryption(), serialNumber, issuerDER,
+                    oneDayBeforeNow, oneDayAfterNow, Name(subject), *keyPair,
+                    extensions, *keyPair, sha256WithRSAEncryption());
+}
+
+TEST_P(pkixnames_CheckCertHostname, CheckCertHostname)
+{
+  const CheckCertHostnameParams& param(GetParam());
+
+  ByteString cert(CreateCert(param.subject, param.subjectAltName));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.hostname.data(),
+                                        param.hostname.length()));
+
+  ASSERT_EQ(param.result, CheckCertHostname(certInput, hostnameInput,
+                                            mNameMatchingPolicy));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckCertHostname,
+                        pkixnames_CheckCertHostname,
+                        testing::ValuesIn(CHECK_CERT_HOSTNAME_PARAMS));
+
+TEST_F(pkixnames_CheckCertHostname, SANWithoutSequence)
+{
+  // A certificate with a truly empty SAN extension (one that doesn't even
+  // contain a SEQUENCE at all) is malformed. If we didn't treat this as
+  // malformed then we'd have to treat it like the CN_EmptySAN cases.
+
+  ByteString serialNumber(CreateEncodedSerialNumber(1));
+  EXPECT_FALSE(ENCODING_FAILED(serialNumber));
+
+  ByteString extensions[2];
+  extensions[0] = CreateEncodedEmptySubjectAltName();
+  ASSERT_FALSE(ENCODING_FAILED(extensions[0]));
+
+  ScopedTestKeyPair keyPair(CloneReusedKeyPair());
+  ByteString certDER(CreateEncodedCertificate(
+                       v3, sha256WithRSAEncryption(), serialNumber,
+                       Name(RDN(CN("issuer"))), oneDayBeforeNow, oneDayAfterNow,
+                       Name(RDN(CN("a"))), *keyPair, extensions,
+                       *keyPair, sha256WithRSAEncryption()));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+
+  static const uint8_t a[] = { 'a' };
+  ASSERT_EQ(Result::ERROR_EXTENSION_VALUE_INVALID,
+            CheckCertHostname(certInput, Input(a), mNameMatchingPolicy));
+}
+
+class pkixnames_CheckCertHostname_PresentedMatchesReference
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<PresentedMatchesReference>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_CheckCertHostname_PresentedMatchesReference, CN_NoSAN)
+{
+  // Since there is no SAN, a valid presented DNS ID in the subject CN field
+  // should result in a match.
+
+  const PresentedMatchesReference& param(GetParam());
+
+  ByteString cert(CreateCert(RDN(CN(param.presentedDNSID)), NO_SAN));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.referenceDNSID.data(),
+                                        param.referenceDNSID.length()));
+
+  ASSERT_EQ(param.expectedMatches ? Success : Result::ERROR_BAD_CERT_DOMAIN,
+            CheckCertHostname(certInput, hostnameInput, mNameMatchingPolicy));
+}
+
+TEST_P(pkixnames_CheckCertHostname_PresentedMatchesReference,
+       SubjectAltName_CNNotDNSName)
+{
+  // A DNSName SAN entry should match, regardless of the contents of the
+  // subject CN.
+
+  const PresentedMatchesReference& param(GetParam());
+
+  ByteString cert(CreateCert(RDN(CN("Common Name")),
+                             DNSName(param.presentedDNSID)));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.referenceDNSID.data(),
+                                        param.referenceDNSID.length()));
+  Result expectedResult
+    = param.expectedResult != Success ? param.expectedResult
+    : param.expectedMatches ? Success
+    : Result::ERROR_BAD_CERT_DOMAIN;
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, hostnameInput,
+                                              mNameMatchingPolicy));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckCertHostname_DNSID_MATCH_PARAMS,
+                        pkixnames_CheckCertHostname_PresentedMatchesReference,
+                        testing::ValuesIn(DNSID_MATCH_PARAMS));
+
+TEST_P(pkixnames_Turkish_I_Comparison, CheckCertHostname_CN_NoSAN)
+{
+  // Make sure we don't have the similar problems that strcasecmp and others
+  // have with the other kinds of "i" and "I" commonly used in Turkish locales,
+  // when we're matching a CN due to lack of subjectAltName.
+
+  const InputValidity& param(GetParam());
+  SCOPED_TRACE(param.input.c_str());
+
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.input.data(), param.input.length()));
+
+  ByteString cert(CreateCert(RDN(CN(param.input)), NO_SAN));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Result expectedResult = (InputsAreEqual(LOWERCASE_I, input) ||
+                           InputsAreEqual(UPPERCASE_I, input))
+                        ? Success
+                        : Result::ERROR_BAD_CERT_DOMAIN;
+
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, UPPERCASE_I,
+                                              mNameMatchingPolicy));
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, LOWERCASE_I,
+                                              mNameMatchingPolicy));
+}
+
+TEST_P(pkixnames_Turkish_I_Comparison, CheckCertHostname_SAN)
+{
+  // Make sure we don't have the similar problems that strcasecmp and others
+  // have with the other kinds of "i" and "I" commonly used in Turkish locales,
+  // when we're matching a dNSName in the SAN.
+
+  const InputValidity& param(GetParam());
+  SCOPED_TRACE(param.input.c_str());
+
+  Input input;
+  ASSERT_EQ(Success, input.Init(param.input.data(), param.input.length()));
+
+  ByteString cert(CreateCert(RDN(CN("Common Name")), DNSName(param.input)));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Result expectedResult
+    = (!param.isValidPresentedID) ? Result::ERROR_BAD_DER
+    : (InputsAreEqual(LOWERCASE_I, input) ||
+       InputsAreEqual(UPPERCASE_I, input)) ? Success
+    : Result::ERROR_BAD_CERT_DOMAIN;
+
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, UPPERCASE_I,
+                                              mNameMatchingPolicy));
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, LOWERCASE_I,
+                                              mNameMatchingPolicy));
+}
+
+class pkixnames_CheckCertHostname_IPV4_Addresses
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<IPAddressParams<4>>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_CheckCertHostname_IPV4_Addresses,
+       ValidIPv4AddressInIPAddressSAN)
+{
+  // When the reference hostname is a valid IPv4 address, a correctly-formed
+  // IPv4 Address SAN matches it.
+
+  const IPAddressParams<4>& param(GetParam());
+
+  ByteString cert(CreateCert(RDN(CN("Common Name")),
+                             IPAddress(param.expectedValueIfValid)));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.input.data(),
+                                        param.input.length()));
+
+  ASSERT_EQ(param.isValid ? Success : Result::ERROR_BAD_CERT_DOMAIN,
+            CheckCertHostname(certInput, hostnameInput, mNameMatchingPolicy));
+}
+
+TEST_P(pkixnames_CheckCertHostname_IPV4_Addresses,
+       ValidIPv4AddressInCN_NoSAN)
+{
+  // When the reference hostname is a valid IPv4 address, a correctly-formed
+  // IPv4 Address in the CN matches it when there is no SAN.
+
+  const IPAddressParams<4>& param(GetParam());
+
+  SCOPED_TRACE(param.input.c_str());
+
+  ByteString cert(CreateCert(RDN(CN(param.input)), NO_SAN));
+  ASSERT_FALSE(ENCODING_FAILED(cert));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(cert.data(), cert.length()));
+
+  Input hostnameInput;
+  ASSERT_EQ(Success, hostnameInput.Init(param.input.data(),
+                                        param.input.length()));
+
+  // Some of the invalid IPv4 addresses are valid DNS names!
+  Result expectedResult = (param.isValid || IsValidReferenceDNSID(hostnameInput))
+                        ? Success
+                        : Result::ERROR_BAD_CERT_DOMAIN;
+
+  ASSERT_EQ(expectedResult, CheckCertHostname(certInput, hostnameInput,
+                                              mNameMatchingPolicy));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckCertHostname_IPV4_ADDRESSES,
+                        pkixnames_CheckCertHostname_IPV4_Addresses,
+                        testing::ValuesIn(IPV4_ADDRESSES));
+
+struct NameConstraintParams
+{
+  ByteString subject;
+  ByteString subjectAltName;
+  ByteString subtrees;
+  Result expectedPermittedSubtreesResult;
+  Result expectedExcludedSubtreesResult;
+};
+
+::std::ostream& operator<<(::std::ostream& os, const NameConstraintParams&)
+{
+  return os << "TODO (bug 1318770)";
+}
+
+static ByteString
+PermittedSubtrees(const ByteString& generalSubtrees)
+{
+  return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+             generalSubtrees);
+}
+
+static ByteString
+ExcludedSubtrees(const ByteString& generalSubtrees)
+{
+  return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+             generalSubtrees);
+}
+
+// Does not encode min or max.
+static ByteString
+GeneralSubtree(const ByteString& base)
+{
+  return TLV(der::SEQUENCE, base);
+}
+
+static const NameConstraintParams NAME_CONSTRAINT_PARAMS[] =
+{
+  /////////////////////////////////////////////////////////////////////////////
+  // XXX: Malformed name constraints for supported types of names are ignored
+  // when there are no names of that type to constrain.
+  { ByteString(), NO_SAN,
+    GeneralSubtree(DNSName("!")),
+    Success, Success
+  },
+  { // DirectoryName constraints are an exception, because *every* certificate
+    // has at least one DirectoryName (tbsCertificate.subject).
+    ByteString(), NO_SAN,
+    GeneralSubtree(Name(ByteString(reinterpret_cast<const uint8_t*>("!"), 1))),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+  GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)),
+  Success, Success
+  },
+  { ByteString(), NO_SAN,
+    GeneralSubtree(RFC822Name("!")),
+    Success, Success
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Edge cases of name constraint absolute vs. relative and subdomain matching
+  // that are not clearly explained in RFC 5280. (See the long comment above
+  // MatchPresentedDNSIDWithReferenceDNSID.)
+
+  // Q: Does a presented identifier equal (case insensitive) to the name
+  //    constraint match the constraint? For example, does the presented
+  //    ID "host.example.com" match a "host.example.com" constraint?
+  { ByteString(), DNSName("host.example.com"),
+    GeneralSubtree(DNSName("host.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // This test case is an example from RFC 5280.
+    ByteString(), DNSName("host1.example.com"),
+    GeneralSubtree(DNSName("host.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { ByteString(), RFC822Name("a@host.example.com"),
+    GeneralSubtree(RFC822Name("host.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // This test case is an example from RFC 5280.
+    ByteString(), RFC822Name("a@host1.example.com"),
+    GeneralSubtree(RFC822Name("host.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // Q: When the name constraint does not start with ".", do subdomain
+  //    presented identifiers match it? For example, does the presented
+  //    ID "www.host.example.com" match a "host.example.com" constraint?
+  { // This test case is an example from RFC 5280.
+    ByteString(),  DNSName("www.host.example.com"),
+    GeneralSubtree(DNSName(    "host.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The subdomain matching rule for host names that do not start with "." is
+    // different for RFC822Names than for DNSNames!
+    ByteString(),  RFC822Name("a@www.host.example.com"),
+    GeneralSubtree(RFC822Name(      "host.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+    Success
+  },
+
+  // Q: When the name constraint does not start with ".", does a
+  //    non-subdomain prefix match it? For example, does "bigfoo.bar.com"
+  //    match "foo.bar.com"?
+  { ByteString(), DNSName("bigfoo.bar.com"),
+    GeneralSubtree(DNSName(  "foo.bar.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { ByteString(), RFC822Name("a@bigfoo.bar.com"),
+    GeneralSubtree(RFC822Name(    "foo.bar.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // Q: Is a name constraint that starts with "." valid, and if so, what
+  //    semantics does it have? For example, does a presented ID of
+  //    "www.example.com" match a constraint of ".example.com"? Does a
+  //    presented ID of "example.com" match a constraint of ".example.com"?
+  { ByteString(), DNSName("www.example.com"),
+    GeneralSubtree(DNSName(  ".example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // When there is no Local-part, an RFC822 name constraint's domain may
+    // start with '.', and the semantics are the same as for DNSNames.
+    ByteString(), RFC822Name("a@www.example.com"),
+    GeneralSubtree(RFC822Name(    ".example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // When there is a Local-part, an RFC822 name constraint's domain must not
+    // start with '.'.
+    ByteString(), RFC822Name("a@www.example.com"),
+    GeneralSubtree(RFC822Name(  "a@.example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // Check that we only allow subdomains to match.
+    ByteString(), DNSName(  "example.com"),
+    GeneralSubtree(DNSName(".example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Check that we only allow subdomains to match.
+    ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name(".example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Check that we don't get confused and consider "b" == "."
+    ByteString(), DNSName("bexample.com"),
+    GeneralSubtree(DNSName(".example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Check that we don't get confused and consider "b" == "."
+    ByteString(), RFC822Name("a@bexample.com"),
+    GeneralSubtree(RFC822Name( ".example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // Q: Is there a way to prevent subdomain matches?
+  // (This is tested in a different set of tests because it requires a
+  // combination of permittedSubtrees and excludedSubtrees.)
+
+  // Q: Are name constraints allowed to be specified as absolute names?
+  //    For example, does a presented ID of "example.com" match a name
+  //    constraint of "example.com." and vice versa?
+  //
+  { // The DNSName in the constraint is not valid because constraint DNS IDs
+    // are not allowed to be absolute.
+    ByteString(), DNSName("example.com"),
+    GeneralSubtree(DNSName("example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name( "example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // The DNSName in the SAN is not valid because presented DNS IDs are not
+    // allowed to be absolute.
+    ByteString(), DNSName("example.com."),
+    GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { ByteString(), RFC822Name("a@example.com."),
+    GeneralSubtree(RFC822Name( "example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // The presented DNSName is the same length as the constraint, because the
+    // subdomain is only one character long and because the constraint both
+    // begins and ends with ".". But, it doesn't matter because absolute names
+    // are not allowed for DNSName constraints.
+    ByteString(), DNSName("p.example.com"),
+    GeneralSubtree(DNSName(".example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // The presented DNSName is the same length as the constraint, because the
+    // subdomain is only one character long and because the constraint both
+    // begins and ends with ".".
+    ByteString(), RFC822Name("a@p.example.com"),
+    GeneralSubtree(RFC822Name(  ".example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // Same as previous test case, but using a wildcard presented ID.
+    ByteString(), DNSName("*.example.com"),
+    GeneralSubtree(DNSName(".example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // Same as previous test case, but using a wildcard presented ID, which is
+    // invalid in an RFC822Name.
+    ByteString(), RFC822Name("a@*.example.com"),
+    GeneralSubtree(RFC822Name(  ".example.com.")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+
+  // Q: Are "" and "." valid DNSName constraints? If so, what do they mean?
+  { ByteString(), DNSName("example.com"),
+    GeneralSubtree(DNSName("")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name("")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The malformed (absolute) presented ID does not match.
+    ByteString(), DNSName("example.com."),
+    GeneralSubtree(DNSName("")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("a@example.com."),
+    GeneralSubtree(RFC822Name("")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // Invalid syntax in name constraint
+    ByteString(), DNSName("example.com"),
+    GeneralSubtree(DNSName(".")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { // Invalid syntax in name constraint
+    ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name(".")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER,
+  },
+  { ByteString(), DNSName("example.com."),
+    GeneralSubtree(DNSName(".")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("a@example.com."),
+    GeneralSubtree(RFC822Name(".")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Basic IP Address constraints (non-CN-ID)
+
+  // The Mozilla CA Policy says this means "no IPv4 addresses allowed."
+  { ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv4_addr_00000000_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv4_addr_FFFFFFFF_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  // The Mozilla CA Policy says this means "no IPv6 addresses allowed."
+  { ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv6_addr_all_zeros_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  // RFC 5280 doesn't partition IP address constraints into separate IPv4 and
+  // IPv6 categories, so a IPv4 permittedSubtrees constraint excludes all IPv6
+  // addresses, and vice versa.
+  { ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // IPv4 Subnets
+  { ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_CIDR_17_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // XXX(bug 1089430): We don't reject this even though it is weird.
+    ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_CIDR_16_bad_addr_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // XXX(bug 1089430): We don't reject this even though it is weird.
+    ByteString(), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_bad_mask_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // IPv6 Subnets
+  { ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), IPAddress(ipv6_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // XXX(bug 1089430): We don't reject this even though it is weird.
+    ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_CIDR_16_bad_addr_bytes)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // XXX(bug 1089430): We don't reject this even though it is weird.
+    ByteString(), IPAddress(ipv6_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_bad_mask_bytes)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+
+  // Malformed presented IP addresses and constraints
+
+  { // The presented IPv4 address is empty
+    ByteString(), IPAddress(),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 address is truncated
+    ByteString(), IPAddress(ipv4_addr_truncated_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 address is too long
+    ByteString(), IPAddress(ipv4_addr_overlong_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 constraint is empty
+    ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress()),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 constraint is truncated
+    ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_truncated_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv4 constraint is too long
+    ByteString(), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_constraint_overlong_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 address is empty
+    ByteString(), IPAddress(),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 address is truncated
+    ByteString(), IPAddress(ipv6_addr_truncated_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 address is too long
+    ByteString(), IPAddress(ipv6_addr_overlong_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_all_zeros_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 constraint is empty
+    ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress()),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 constraint is truncated
+    ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_truncated_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  { // The presented IPv6 constraint is too long
+    ByteString(), IPAddress(ipv6_addr_bytes),
+    GeneralSubtree(IPAddress(ipv6_constraint_overlong_bytes)),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // XXX: We don't reject malformed name constraints when there are no names of
+  // that type.
+  { ByteString(), NO_SAN, GeneralSubtree(DNSName("!")),
+    Success, Success
+  },
+  { ByteString(), NO_SAN, GeneralSubtree(IPAddress(ipv4_addr_overlong_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN, GeneralSubtree(IPAddress(ipv6_addr_overlong_bytes)),
+    Success, Success
+  },
+  { ByteString(), NO_SAN, GeneralSubtree(RFC822Name("\0")),
+    Success, Success
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Basic CN-ID DNSName constraint tests.
+
+  { // Empty Name is ignored for DNSName constraints.
+    ByteString(), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // Empty CN is ignored for DNSName constraints because it isn't a
+    // syntactically-valid DNSName.
+    //
+    // NSS gives different results.
+    RDN(CN("")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // IP Address is ignored for DNSName constraints.
+    //
+    // NSS gives different results.
+    RDN(CN("1.2.3.4")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // OU has something that looks like a dNSName that matches.
+    RDN(OU("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // OU has something that looks like a dNSName that does not match.
+    RDN(OU("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // NSS gives different results.
+    RDN(CN("Not a DNSName")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { RDN(CN("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // DNSName CN-ID match is detected when there is a SAN w/o any DNSName or
+    // IPAddress
+    RDN(CN("a.example.com")), RFC822Name("foo@example.com"),
+    GeneralSubtree(DNSName("a.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // DNSName CN-ID mismatch is detected when there is a SAN w/o any DNSName
+    // or IPAddress
+    RDN(CN("a.example.com")), RFC822Name("foo@example.com"),
+    GeneralSubtree(DNSName("b.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // DNSName CN-ID match not reported when there is a DNSName SAN
+    RDN(CN("a.example.com")), DNSName("b.example.com"),
+    GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // DNSName CN-ID mismatch not reported when there is a DNSName SAN
+    RDN(CN("a.example.com")), DNSName("b.example.com"),
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+  },
+  { // DNSName CN-ID match not reported when there is an IPAddress SAN
+    RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { // DNSName CN-ID mismatch not reported when there is an IPAddress SAN
+    RDN(CN("a.example.com")), IPAddress(ipv4_addr_bytes),
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Success
+  },
+
+  { // IPAddress CN-ID match is detected when there is a SAN w/o any DNSName or
+    // IPAddress
+    RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // IPAddress CN-ID mismatch is detected when there is a SAN w/o any DNSName
+    // or IPAddress
+    RDN(CN(ipv4_addr_str)), RFC822Name("foo@example.com"),
+    GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // IPAddress CN-ID match not reported when there is a DNSName SAN
+    RDN(CN(ipv4_addr_str)), DNSName("b.example.com"),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Success, Success
+  },
+  { // IPAddress CN-ID mismatch not reported when there is a DNSName SAN
+    RDN(CN(ipv4_addr_str)), DNSName("b.example.com"),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Success, Success
+  },
+  { // IPAddress CN-ID match not reported when there is an IPAddress SAN
+    RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_addr_bytes_FFFFFFFF)),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // IPAddress CN-ID mismatch not reported when there is an IPAddress SAN
+    RDN(CN(ipv4_addr_str)), IPAddress(ipv4_other_addr_bytes),
+    GeneralSubtree(IPAddress(ipv4_other_addr_bytes_FFFFFFFF)),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Test that constraints are applied to the most specific (last) CN, and only
+  // that CN-ID.
+
+  { // Name constraint only matches a.example.com, but the most specific CN
+    // (i.e. the CN-ID) is b.example.com. (Two CNs in one RDN.)
+    RDN(CN("a.example.com") + CN("b.example.com")), NO_SAN,
+    GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Name constraint only matches a.example.com, but the most specific CN
+    // (i.e. the CN-ID) is b.example.com. (Two CNs in separate RDNs.)
+    RDN(CN("a.example.com")) + RDN(CN("b.example.com")), NO_SAN,
+    GeneralSubtree(DNSName("a.example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Success
+  },
+  { // Name constraint only permits b.example.com, and the most specific CN
+    // (i.e. the CN-ID) is b.example.com. (Two CNs in one RDN.)
+    RDN(CN("a.example.com") + CN("b.example.com")), NO_SAN,
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // Name constraint only permits b.example.com, and the most specific CN
+    // (i.e. the CN-ID) is b.example.com. (Two CNs in separate RDNs.)
+    RDN(CN("a.example.com")) + RDN(CN("b.example.com")), NO_SAN,
+    GeneralSubtree(DNSName("b.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Additional RFC822 name constraint tests. There are more tests regarding
+  // the DNSName part of the constraint mixed into the DNSName constraint
+  // tests.
+
+  { ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name("a@example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  // Bug 1056773: name constraints that omit Local-part but include '@' are
+  // invalid.
+  { ByteString(), RFC822Name("a@example.com"),
+    GeneralSubtree(RFC822Name("@example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("@example.com"),
+    GeneralSubtree(RFC822Name("@example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("example.com"),
+    GeneralSubtree(RFC822Name("@example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("a@mail.example.com"),
+    GeneralSubtree(RFC822Name("a@*.example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("a@*.example.com"),
+    GeneralSubtree(RFC822Name(".example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("@example.com"),
+    GeneralSubtree(RFC822Name(".example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+  { ByteString(), RFC822Name("@a.example.com"),
+    GeneralSubtree(RFC822Name(".example.com")),
+    Result::ERROR_BAD_DER,
+    Result::ERROR_BAD_DER
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Test name constraints with underscores.
+  //
+  { ByteString(), DNSName("uses_underscore.example.com"),
+    GeneralSubtree(DNSName("uses_underscore.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("uses_underscore.example.com"),
+    GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("a.uses_underscore.example.com"),
+    GeneralSubtree(DNSName("uses_underscore.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), RFC822Name("a@uses_underscore.example.com"),
+    GeneralSubtree(RFC822Name("uses_underscore.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), RFC822Name("uses_underscore@example.com"),
+    GeneralSubtree(RFC822Name("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), RFC822Name("a@a.uses_underscore.example.com"),
+    GeneralSubtree(RFC822Name(".uses_underscore.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // Name constraint tests that relate to having an empty SAN. According to RFC
+  // 5280 this isn't valid, but we allow it for compatibility reasons (see bug
+  // 1143085).
+  { // For DNSNames, we fall back to the subject CN.
+    RDN(CN("a.example.com")), ByteString(),
+    GeneralSubtree(DNSName("a.example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // For RFC822Names, we do not fall back to the subject emailAddress.
+    // This new implementation seems to conform better to the standards for
+    // RFC822 name constraints, by only applying the name constraints to
+    // emailAddress names in the certificate subject if there is no
+    // subjectAltName extension in the cert.
+    // In this case, the presence of the (empty) SAN extension means that RFC822
+    // name constraints are not enforced on the emailAddress attributes of the
+    // subject.
+    RDN(emailAddress("a@example.com")), ByteString(),
+    GeneralSubtree(RFC822Name("a@example.com")),
+    Success, Success
+  },
+  { // Compare this to the case where there is no SAN (i.e. the name
+    // constraints are enforced, because the extension is not present at all).
+    RDN(emailAddress("a@example.com")), NO_SAN,
+    GeneralSubtree(RFC822Name("a@example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+
+  /////////////////////////////////////////////////////////////////////////////
+  // DirectoryName name constraint tests
+
+  { // One AVA per RDN
+    RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) +
+                                      RDN(CN("example.com"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // RDNs can have multiple AVAs.
+    RDN(OU("Example Organization") + CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") +
+                                          CN("example.com"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The constraint is a prefix of the subject DN.
+    RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The name constraint is not a prefix of the subject DN.
+    // Note that for excludedSubtrees, we simply prohibit any non-empty
+    // directoryName constraint to ensure we are not being too lenient.
+    RDN(OU("Other Example Organization")) + RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) +
+                                      RDN(CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // Same as the previous one, but one RDN with multiple AVAs.
+    RDN(OU("Other Example Organization") + CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") +
+                                          CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // With multiple AVAs per RDN in the subject DN, the constraint is not a
+    // prefix of the subject DN.
+    RDN(OU("Example Organization") + CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The subject DN RDN has multiple AVAs, but the name constraint has only
+    // one AVA per RDN.
+    RDN(OU("Example Organization") + CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization")) +
+                                      RDN(CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // The name constraint RDN has multiple AVAs, but the subject DN has only
+    // one AVA per RDN.
+    RDN(OU("Example Organization")) + RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization") +
+                                          CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // In this case, the constraint uses a different encoding from the subject.
+    // We consider them to match because we allow UTF8String and
+    // PrintableString to compare equal when their contents are equal.
+    RDN(OU("Example Organization", der::UTF8String)) + RDN(CN("example.com")),
+    NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+                                                     der::PrintableString)) +
+                                              RDN(CN("example.com"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // Same as above, but with UTF8String/PrintableString switched.
+    RDN(OU("Example Organization", der::PrintableString)) + RDN(CN("example.com")),
+    NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+                                                     der::UTF8String)) +
+                                              RDN(CN("example.com"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // If the contents aren't the same, then they shouldn't match.
+    RDN(OU("Other Example Organization", der::UTF8String)) + RDN(CN("example.com")),
+    NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+                                                     der::PrintableString)) +
+                                              RDN(CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { // Only UTF8String and PrintableString are considered equivalent.
+    RDN(OU("Example Organization", der::PrintableString)) + RDN(CN("example.com")),
+    NO_SAN, GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization",
+                                                     der::TeletexString)) +
+                                              RDN(CN("example.com"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Some additional tests for completeness:
+  // Ensure that wildcards are handled:
+  { RDN(CN("*.example.com")), NO_SAN, GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("*.example.com"),
+    GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("www.example.com"),
+    GeneralSubtree(DNSName("*.example.com")),
+    Result::ERROR_BAD_DER, Result::ERROR_BAD_DER
+  },
+  // Handle multiple name constraint entries:
+  { RDN(CN("example.com")), NO_SAN,
+    GeneralSubtree(DNSName("example.org")) +
+      GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { ByteString(), DNSName("example.com"),
+    GeneralSubtree(DNSName("example.org")) +
+      GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Handle multiple names in subject alternative name extension:
+  { ByteString(), DNSName("example.com") + DNSName("example.org"),
+    GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Handle a mix of DNSName and DirectoryName:
+  { RDN(OU("Example Organization")), DNSName("example.com"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+      GeneralSubtree(DNSName("example.com")),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { RDN(OU("Other Example Organization")), DNSName("example.com"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+      GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  { RDN(OU("Example Organization")), DNSName("example.org"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))) +
+      GeneralSubtree(DNSName("example.com")),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // Handle a certificate with no DirectoryName:
+  { ByteString(), DNSName("example.com"),
+    GeneralSubtree(DirectoryName(Name(RDN(OU("Example Organization"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+};
+
+class pkixnames_CheckNameConstraints
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<NameConstraintParams>
+{
+public:
+  DefaultNameMatchingPolicy mNameMatchingPolicy;
+};
+
+TEST_P(pkixnames_CheckNameConstraints,
+       NameConstraintsEnforcedForDirectlyIssuedEndEntity)
+{
+  // Test that name constraints are enforced on a certificate directly issued by
+  // a certificate with the given name constraints.
+
+  const NameConstraintParams& param(GetParam());
+
+  ByteString certDER(CreateCert(param.subject, param.subjectAltName));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+  BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+  ASSERT_EQ(Success, cert.Init());
+
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedPermittedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees) +
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ((param.expectedPermittedSubtreesResult ==
+               param.expectedExcludedSubtreesResult)
+                ? param.expectedExcludedSubtreesResult
+                : Result::ERROR_CERT_NOT_IN_NAME_SPACE,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraints,
+                        pkixnames_CheckNameConstraints,
+                        testing::ValuesIn(NAME_CONSTRAINT_PARAMS));
+
+// The |subjectAltName| param is not used for these test cases (hence the use of
+// "NO_SAN").
+static const NameConstraintParams NO_FALLBACK_NAME_CONSTRAINT_PARAMS[] =
+{
+  // The only difference between end-entities being verified for serverAuth and
+  // intermediates or end-entities being verified for other uses is that for
+  // the latter cases, there is no fallback matching of DNSName entries to the
+  // subject common name.
+  { RDN(CN("Not a DNSName")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { RDN(CN("a.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  { RDN(CN("b.example.com")), NO_SAN, GeneralSubtree(DNSName("a.example.com")),
+    Success, Success
+  },
+  // Sanity-check that name constraints are in fact enforced in these cases.
+  { RDN(CN("Example Name")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))),
+    Success, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+  // (In this implementation, if a DirectoryName is in excludedSubtrees, nothing
+  // is considered to be in the name space.)
+  { RDN(CN("Other Example Name")), NO_SAN,
+    GeneralSubtree(DirectoryName(Name(RDN(CN("Example Name"))))),
+    Result::ERROR_CERT_NOT_IN_NAME_SPACE, Result::ERROR_CERT_NOT_IN_NAME_SPACE
+  },
+};
+
+class pkixnames_CheckNameConstraintsOnIntermediate
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<NameConstraintParams>
+{
+};
+
+TEST_P(pkixnames_CheckNameConstraintsOnIntermediate,
+       NameConstraintsEnforcedOnIntermediate)
+{
+  // Test that name constraints are enforced on an intermediate certificate
+  // directly issued by a certificate with the given name constraints.
+
+  const NameConstraintParams& param(GetParam());
+
+  ByteString certDER(CreateCert(param.subject, NO_SAN,
+                                EndEntityOrCA::MustBeCA));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+  BackCert cert(certInput, EndEntityOrCA::MustBeCA, nullptr);
+  ASSERT_EQ(Success, cert.Init());
+
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedPermittedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees) +
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_serverAuth));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraintsOnIntermediate,
+                        pkixnames_CheckNameConstraintsOnIntermediate,
+                        testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS));
+
+class pkixnames_CheckNameConstraintsForNonServerAuthUsage
+  : public ::testing::Test
+  , public ::testing::WithParamInterface<NameConstraintParams>
+{
+};
+
+TEST_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+       NameConstraintsEnforcedForNonServerAuthUsage)
+{
+  // Test that for key purposes other than serverAuth, fallback to the subject
+  // common name does not occur.
+
+  const NameConstraintParams& param(GetParam());
+
+  ByteString certDER(CreateCert(param.subject, NO_SAN));
+  ASSERT_FALSE(ENCODING_FAILED(certDER));
+  Input certInput;
+  ASSERT_EQ(Success, certInput.Init(certDER.data(), certDER.length()));
+  BackCert cert(certInput, EndEntityOrCA::MustBeEndEntity, nullptr);
+  ASSERT_EQ(Success, cert.Init());
+
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedPermittedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_clientAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_clientAuth));
+  }
+  {
+    ByteString nameConstraintsDER(TLV(der::SEQUENCE,
+                                      PermittedSubtrees(param.subtrees) +
+                                      ExcludedSubtrees(param.subtrees)));
+    Input nameConstraints;
+    ASSERT_EQ(Success,
+              nameConstraints.Init(nameConstraintsDER.data(),
+                                   nameConstraintsDER.length()));
+    ASSERT_EQ(param.expectedExcludedSubtreesResult,
+              CheckNameConstraints(nameConstraints, cert,
+                                   KeyPurposeId::id_kp_clientAuth));
+  }
+}
+
+INSTANTIATE_TEST_CASE_P(pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+                        pkixnames_CheckNameConstraintsForNonServerAuthUsage,
+                        testing::ValuesIn(NO_FALLBACK_NAME_CONSTRAINT_PARAMS));
diff --git a/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp b/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
new file mode 100644
index 0000000000..ff154e7ec7
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixocsp_CreateEncodedOCSPRequest_tests.cpp
@@ -0,0 +1,146 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+class CreateEncodedOCSPRequestTrustDomain final
+  : public EverythingFailsByDefaultTrustDomain
+{
+private:
+  Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+                   /*out*/ uint8_t *digestBuf, size_t digestBufLen)
+                   override
+  {
+    return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen);
+  }
+
+  Result CheckRSAPublicKeyModulusSizeInBits(EndEntityOrCA, unsigned int)
+                                            override
+  {
+    return Success;
+  }
+};
+
+class pkixocsp_CreateEncodedOCSPRequest : public ::testing::Test
+{
+protected:
+  void MakeIssuerCertIDComponents(const char* issuerASCII,
+                                  /*out*/ ByteString& issuerDER,
+                                  /*out*/ ByteString& issuerSPKI)
+  {
+    issuerDER = CNToDERName(issuerASCII);
+    ASSERT_FALSE(ENCODING_FAILED(issuerDER));
+
+    ScopedTestKeyPair keyPair(GenerateKeyPair());
+    ASSERT_TRUE(keyPair.get());
+    issuerSPKI = keyPair->subjectPublicKeyInfo;
+  }
+
+  CreateEncodedOCSPRequestTrustDomain trustDomain;
+};
+
+// Test that the large length of the child serial number causes
+// CreateEncodedOCSPRequest to fail.
+TEST_F(pkixocsp_CreateEncodedOCSPRequest, ChildCertLongSerialNumberTest)
+{
+  static const uint8_t UNSUPPORTED_LEN = 128; // must be larger than 127
+
+  ByteString serialNumberString;
+  // tag + length + value is 1 + 2 + UNSUPPORTED_LEN
+  // Encoding the length takes two bytes: one byte to indicate that a
+  // second byte follows, and the second byte to indicate the length.
+  serialNumberString.push_back(0x80 + 1);
+  serialNumberString.push_back(UNSUPPORTED_LEN);
+  // value is 0x010000...00
+  serialNumberString.push_back(0x01);
+  for (size_t i = 1; i < UNSUPPORTED_LEN; ++i) {
+    serialNumberString.push_back(0x00);
+  }
+
+  ByteString issuerDER;
+  ByteString issuerSPKI;
+  ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER,
+                                                     issuerSPKI));
+
+  Input issuer;
+  ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length()));
+
+  Input spki;
+  ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length()));
+
+  Input serialNumber;
+  ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(),
+                                       serialNumberString.length()));
+
+  uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
+  size_t ocspRequestLength;
+  ASSERT_EQ(Result::ERROR_BAD_DER,
+            CreateEncodedOCSPRequest(trustDomain,
+                                     CertID(issuer, spki, serialNumber),
+                                     ocspRequest, ocspRequestLength));
+}
+
+// Test that CreateEncodedOCSPRequest handles the longest serial number that
+// it's required to support (i.e. 20 octets).
+TEST_F(pkixocsp_CreateEncodedOCSPRequest, LongestSupportedSerialNumberTest)
+{
+  static const uint8_t LONGEST_REQUIRED_LEN = 20;
+
+  ByteString serialNumberString;
+  // tag + length + value is 1 + 1 + LONGEST_REQUIRED_LEN
+  serialNumberString.push_back(der::INTEGER);
+  serialNumberString.push_back(LONGEST_REQUIRED_LEN);
+  serialNumberString.push_back(0x01);
+  // value is 0x010000...00
+  for (size_t i = 1; i < LONGEST_REQUIRED_LEN; ++i) {
+    serialNumberString.push_back(0x00);
+  }
+
+  ByteString issuerDER;
+  ByteString issuerSPKI;
+  ASSERT_NO_FATAL_FAILURE(MakeIssuerCertIDComponents("CA", issuerDER,
+                                                     issuerSPKI));
+
+  Input issuer;
+  ASSERT_EQ(Success, issuer.Init(issuerDER.data(), issuerDER.length()));
+
+  Input spki;
+  ASSERT_EQ(Success, spki.Init(issuerSPKI.data(), issuerSPKI.length()));
+
+  Input serialNumber;
+  ASSERT_EQ(Success, serialNumber.Init(serialNumberString.data(),
+                                       serialNumberString.length()));
+
+  uint8_t ocspRequest[OCSP_REQUEST_MAX_LENGTH];
+  size_t ocspRequestLength;
+  ASSERT_EQ(Success,
+            CreateEncodedOCSPRequest(trustDomain,
+                                     CertID(issuer, spki, serialNumber),
+                                     ocspRequest, ocspRequestLength));
+}
diff --git a/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
new file mode 100644
index 0000000000..3fe4e7b5ac
--- /dev/null
+++ b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -0,0 +1,1064 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "pkixgtest.h"
+
+#include "mozpkix/pkixder.h"
+
+using namespace mozilla::pkix;
+using namespace mozilla::pkix::test;
+
+const uint16_t END_ENTITY_MAX_LIFETIME_IN_DAYS = 10;
+
+// Note that CheckRevocation is never called for OCSP signing certificates.
+class OCSPTestTrustDomain : public DefaultCryptoTrustDomain
+{
+public:
+  OCSPTestTrustDomain() { }
+
+  Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&,
+                      Input, /*out*/ TrustLevel& trustLevel)
+                      /*non-final*/ override
+  {
+    EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
+    trustLevel = TrustLevel::InheritsTrust;
+    return Success;
+  }
+
+  virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
+                                      Input extensionData) override
+  {
+    if (extension == AuxiliaryExtension::SCTListFromOCSPResponse) {
+      signedCertificateTimestamps = InputToByteString(extensionData);
+    } else {
+      // We do not currently expect to receive any other extension here.
+      ADD_FAILURE();
+    }
+  }
+
+  ByteString signedCertificateTimestamps;
+};
+
+namespace {
+char const* const rootName = "Test CA 1";
+} // namespace
+
+class pkixocsp_VerifyEncodedResponse : public ::testing::Test
+{
+public:
+  static void SetUpTestCase()
+  {
+    rootKeyPair.reset(GenerateKeyPair());
+    if (!rootKeyPair) {
+      abort();
+    }
+  }
+
+  void SetUp()
+  {
+    rootNameDER = CNToDERName(rootName);
+    if (ENCODING_FAILED(rootNameDER)) {
+      abort();
+    }
+    Input rootNameDERInput;
+    if (rootNameDERInput.Init(rootNameDER.data(), rootNameDER.length())
+          != Success) {
+      abort();
+    }
+
+    serialNumberDER =
+      CreateEncodedSerialNumber(static_cast<long>(++rootIssuedCount));
+    if (ENCODING_FAILED(serialNumberDER)) {
+      abort();
+    }
+    Input serialNumberDERInput;
+    if (serialNumberDERInput.Init(serialNumberDER.data(),
+                                  serialNumberDER.length()) != Success) {
+      abort();
+    }
+
+    Input rootSPKIDER;
+    if (rootSPKIDER.Init(rootKeyPair->subjectPublicKeyInfo.data(),
+                         rootKeyPair->subjectPublicKeyInfo.length())
+          != Success) {
+      abort();
+    }
+    endEntityCertID.reset(new (std::nothrow) CertID(rootNameDERInput, rootSPKIDER,
+                                                    serialNumberDERInput));
+    if (!endEntityCertID) {
+      abort();
+    }
+  }
+
+  static ScopedTestKeyPair rootKeyPair;
+  static uint32_t rootIssuedCount;
+  OCSPTestTrustDomain trustDomain;
+
+  // endEntityCertID references rootKeyPair, rootNameDER, and serialNumberDER.
+  ByteString rootNameDER;
+  ByteString serialNumberDER;
+  // endEntityCertID references rootKeyPair, rootNameDER, and serialNumberDER.
+  ScopedCertID endEntityCertID;
+};
+
+/*static*/ ScopedTestKeyPair pkixocsp_VerifyEncodedResponse::rootKeyPair;
+/*static*/ uint32_t pkixocsp_VerifyEncodedResponse::rootIssuedCount = 0;
+
+///////////////////////////////////////////////////////////////////////////////
+// responseStatus
+
+struct WithoutResponseBytes
+{
+  uint8_t responseStatus;
+  Result expectedError;
+};
+
+static const WithoutResponseBytes WITHOUT_RESPONSEBYTES[] = {
+  { OCSPResponseContext::successful, Result::ERROR_OCSP_MALFORMED_RESPONSE },
+  { OCSPResponseContext::malformedRequest, Result::ERROR_OCSP_MALFORMED_REQUEST },
+  { OCSPResponseContext::internalError, Result::ERROR_OCSP_SERVER_ERROR },
+  { OCSPResponseContext::tryLater, Result::ERROR_OCSP_TRY_SERVER_LATER },
+  { 4/*unused*/, Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS },
+  { OCSPResponseContext::sigRequired, Result::ERROR_OCSP_REQUEST_NEEDS_SIG },
+  { OCSPResponseContext::unauthorized, Result::ERROR_OCSP_UNAUTHORIZED_REQUEST },
+  { OCSPResponseContext::unauthorized + 1,
+    Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS
+  },
+};
+
+class pkixocsp_VerifyEncodedResponse_WithoutResponseBytes
+  : public pkixocsp_VerifyEncodedResponse
+  , public ::testing::WithParamInterface<WithoutResponseBytes>
+{
+protected:
+  ByteString CreateEncodedOCSPErrorResponse(uint8_t status)
+  {
+    static const Input EMPTY;
+    OCSPResponseContext context(CertID(EMPTY, EMPTY, EMPTY),
+                                oneDayBeforeNow);
+    context.responseStatus = status;
+    context.skipResponseBytes = true;
+    return CreateEncodedOCSPResponse(context);
+  }
+};
+
+TEST_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes, CorrectErrorCode)
+{
+  ByteString
+    responseString(CreateEncodedOCSPErrorResponse(GetParam().responseStatus));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(GetParam().expectedError,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+}
+
+INSTANTIATE_TEST_CASE_P(pkixocsp_VerifyEncodedResponse_WithoutResponseBytes,
+                        pkixocsp_VerifyEncodedResponse_WithoutResponseBytes,
+                        testing::ValuesIn(WITHOUT_RESPONSEBYTES));
+
+///////////////////////////////////////////////////////////////////////////////
+// "successful" responses
+
+namespace {
+
+// Alias for nullptr to aid readability in the code below.
+static const char* byKey = nullptr;
+
+} // namespace
+
+class pkixocsp_VerifyEncodedResponse_successful
+  : public pkixocsp_VerifyEncodedResponse
+{
+public:
+  void SetUp()
+  {
+    pkixocsp_VerifyEncodedResponse::SetUp();
+  }
+
+  static void SetUpTestCase()
+  {
+    pkixocsp_VerifyEncodedResponse::SetUpTestCase();
+  }
+
+  ByteString CreateEncodedOCSPSuccessfulResponse(
+                    OCSPResponseContext::CertStatus certStatus,
+                    const CertID& certID,
+       /*optional*/ const char* signerName,
+                    const TestKeyPair& signerKeyPair,
+                    time_t producedAt, time_t thisUpdate,
+       /*optional*/ const time_t* nextUpdate,
+                    const TestSignatureAlgorithm& signatureAlgorithm,
+       /*optional*/ const ByteString* certs = nullptr,
+       /*optional*/ OCSPResponseExtension* singleExtensions = nullptr,
+       /*optional*/ OCSPResponseExtension* responseExtensions = nullptr)
+  {
+    OCSPResponseContext context(certID, producedAt);
+    if (signerName) {
+      context.signerNameDER = CNToDERName(signerName);
+      EXPECT_FALSE(ENCODING_FAILED(context.signerNameDER));
+    }
+    context.signerKeyPair.reset(signerKeyPair.Clone());
+    EXPECT_TRUE(context.signerKeyPair.get());
+    context.responseStatus = OCSPResponseContext::successful;
+    context.producedAt = producedAt;
+    context.signatureAlgorithm = signatureAlgorithm;
+    context.certs = certs;
+    context.singleExtensions = singleExtensions;
+    context.responseExtensions = responseExtensions;
+
+    context.certStatus = static_cast<uint8_t>(certStatus);
+    context.thisUpdate = thisUpdate;
+    context.nextUpdate = nextUpdate ? *nextUpdate : 0;
+    context.includeNextUpdate = nextUpdate != nullptr;
+
+    return CreateEncodedOCSPResponse(context);
+  }
+};
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                      Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byName)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, rootName,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, good_byKey_without_nextUpdate)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, nullptr,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, revoked)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::revoked, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_REVOKED_CERTIFICATE,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::unknown, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_UNKNOWN_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful,
+       good_unsupportedSignatureAlgorithm)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         md5WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                      Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+// Added for bug 1079436. The output variable validThrough represents the
+// latest time for which VerifyEncodedOCSPResponse will succeed, which is
+// different from the nextUpdate time in the OCSP response due to the slop we
+// add for time comparisons to deal with clock skew.
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, check_validThrough)
+{
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption()));
+  Time validThrough(Time::uninitialized);
+  {
+    Input response;
+    ASSERT_EQ(Success,
+              response.Init(responseString.data(), responseString.length()));
+    bool expired;
+    ASSERT_EQ(Success,
+              VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                        Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                        response, expired, nullptr,
+                                        &validThrough));
+    ASSERT_FALSE(expired);
+    // The response was created to be valid until one day after now, so the
+    // value we got for validThrough should be after that.
+    Time oneDayAfterNowAsPKIXTime(
+          TimeFromEpochInSeconds(static_cast<uint64_t>(oneDayAfterNow)));
+    ASSERT_TRUE(validThrough > oneDayAfterNowAsPKIXTime);
+  }
+  {
+    Input response;
+    ASSERT_EQ(Success,
+              response.Init(responseString.data(), responseString.length()));
+    bool expired;
+    // Given validThrough from a previous verification, this response should be
+    // valid through that time.
+    ASSERT_EQ(Success,
+              VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                        validThrough, END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                        response, expired));
+    ASSERT_FALSE(expired);
+  }
+  {
+    Time noLongerValid(validThrough);
+    ASSERT_EQ(Success, noLongerValid.AddSeconds(1));
+    Input response;
+    ASSERT_EQ(Success,
+              response.Init(responseString.data(), responseString.length()));
+    bool expired;
+    // The verification time is now after when the response will be considered
+    // valid.
+    ASSERT_EQ(Result::ERROR_OCSP_OLD_RESPONSE,
+              VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                        noLongerValid, END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                        response, expired));
+    ASSERT_TRUE(expired);
+  }
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_successful, ct_extension)
+{
+  // python DottedOIDToCode.py --tlv
+  //   id_ocsp_singleExtensionSctList 1.3.6.1.4.1.11129.2.4.5
+  static const uint8_t tlv_id_ocsp_singleExtensionSctList[] = {
+    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x05
+  };
+  static const uint8_t dummySctList[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05
+  };
+
+  OCSPResponseExtension ctExtension;
+  ctExtension.id = BytesToByteString(tlv_id_ocsp_singleExtensionSctList);
+  // SignedCertificateTimestampList structure is encoded as an OCTET STRING
+  // within the extension value (see RFC 6962 section 3.3).
+  // pkix decodes it internally and returns the actual structure.
+  ctExtension.value = TLV(der::OCTET_STRING, BytesToByteString(dummySctList));
+
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *rootKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(),
+                         /*certs*/ nullptr,
+                         &ctExtension));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
+                                      Now(), END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+  ASSERT_EQ(BytesToByteString(dummySctList),
+            trustDomain.signedCertificateTimestamps);
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// indirect responses (signed by a delegated OCSP responder cert)
+
+class pkixocsp_VerifyEncodedResponse_DelegatedResponder
+  : public pkixocsp_VerifyEncodedResponse_successful
+{
+protected:
+  // certSubjectName should be unique for each call. This way, we avoid any
+  // issues with NSS caching the certificates internally. For the same reason,
+  // we generate a new keypair on each call. Either one of these should be
+  // sufficient to avoid issues with the NSS cache, but we do both to be
+  // cautious.
+  //
+  // signerName should be byKey to use the byKey ResponderID construction, or
+  // another value (usually equal to certSubjectName) to use the byName
+  // ResponderID construction.
+  //
+  // certSignatureAlgorithm specifies the signature algorithm that the
+  // certificate will be signed with, not the OCSP response.
+  //
+  // If signerEKU is omitted, then the certificate will have the
+  // id-kp-OCSPSigning EKU. If signerEKU is SEC_OID_UNKNOWN then it will not
+  // have any EKU extension. Otherwise, the certificate will have the given
+  // EKU.
+  ByteString CreateEncodedIndirectOCSPSuccessfulResponse(
+               const char* certSubjectName,
+               OCSPResponseContext::CertStatus certStatus,
+               const char* signerName,
+               const TestSignatureAlgorithm& certSignatureAlgorithm,
+               /*optional*/ const Input* signerEKUDER = &OCSPSigningEKUDER,
+               /*optional, out*/ ByteString* signerDEROut = nullptr)
+  {
+    assert(certSubjectName);
+
+    const ByteString extensions[] = {
+      signerEKUDER
+        ? CreateEncodedEKUExtension(*signerEKUDER, Critical::No)
+        : ByteString(),
+      ByteString()
+    };
+    ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+    ByteString signerDER(CreateEncodedCertificate(
+                           ++rootIssuedCount, certSignatureAlgorithm,
+                           rootName, oneDayBeforeNow, oneDayAfterNow,
+                           certSubjectName, *signerKeyPair,
+                           signerEKUDER ? extensions : nullptr,
+                           *rootKeyPair));
+    EXPECT_FALSE(ENCODING_FAILED(signerDER));
+    if (signerDEROut) {
+      *signerDEROut = signerDER;
+    }
+
+    ByteString signerNameDER;
+    if (signerName) {
+      signerNameDER = CNToDERName(signerName);
+      EXPECT_FALSE(ENCODING_FAILED(signerNameDER));
+    }
+    ByteString certs[] = { signerDER, ByteString() };
+    return CreateEncodedOCSPSuccessfulResponse(certStatus, *endEntityCertID,
+                                               signerName, *signerKeyPair,
+                                               oneDayBeforeNow,
+                                               oneDayBeforeNow,
+                                               &oneDayAfterNow,
+                                               sha256WithRSAEncryption(),
+                                               certs);
+  }
+
+  static ByteString CreateEncodedCertificate(uint32_t serialNumber,
+                                             const TestSignatureAlgorithm& signatureAlg,
+                                             const char* issuer,
+                                             time_t notBefore,
+                                             time_t notAfter,
+                                             const char* subject,
+                                             const TestKeyPair& subjectKeyPair,
+                                /*optional*/ const ByteString* extensions,
+                                             const TestKeyPair& signerKeyPair)
+  {
+    ByteString serialNumberDER(CreateEncodedSerialNumber(
+                                 static_cast<long>(serialNumber)));
+    if (ENCODING_FAILED(serialNumberDER)) {
+      return ByteString();
+    }
+    ByteString issuerDER(CNToDERName(issuer));
+    if (ENCODING_FAILED(issuerDER)) {
+      return ByteString();
+    }
+    ByteString subjectDER(CNToDERName(subject));
+    if (ENCODING_FAILED(subjectDER)) {
+      return ByteString();
+    }
+    return ::mozilla::pkix::test::CreateEncodedCertificate(
+                                    v3, signatureAlg, serialNumberDER,
+                                    issuerDER, notBefore, notAfter,
+                                    subjectDER, subjectKeyPair, extensions,
+                                    signerKeyPair, signatureAlg);
+  }
+
+  static const Input OCSPSigningEKUDER;
+};
+
+/*static*/ const Input pkixocsp_VerifyEncodedResponse_DelegatedResponder::
+  OCSPSigningEKUDER(tlv_id_kp_OCSPSigning);
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byKey)
+{
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_byKey", OCSPResponseContext::good,
+                         byKey, sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_byName)
+{
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_byName", OCSPResponseContext::good,
+                         "good_indirect_byName", sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_byKey_missing_signer)
+{
+  ScopedTestKeyPair missingSignerKeyPair(GenerateKeyPair());
+  ASSERT_TRUE(missingSignerKeyPair.get());
+
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID, byKey,
+                         *missingSignerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, nullptr,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_byName_missing_signer)
+{
+  ScopedTestKeyPair missingSignerKeyPair(GenerateKeyPair());
+  ASSERT_TRUE(missingSignerKeyPair.get());
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         "missing", *missingSignerKeyPair,
+                         oneDayBeforeNow, oneDayBeforeNow, nullptr,
+                         sha256WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_expired)
+{
+  static const char* signerName = "good_indirect_expired";
+
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString()
+  };
+
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                          ++rootIssuedCount, sha256WithRSAEncryption(),
+                          rootName,
+                          tenDaysBeforeNow,
+                          twoDaysBeforeNow,
+                          signerName, *signerKeyPair, extensions,
+                          *rootKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  ByteString certs[] = { signerDER, ByteString() };
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_future)
+{
+  static const char* signerName = "good_indirect_future";
+
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString()
+  };
+
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                         ++rootIssuedCount, sha256WithRSAEncryption(),
+                         rootName,
+                         twoDaysAfterNow,
+                         tenDaysAfterNow,
+                         signerName, *signerKeyPair, extensions,
+                         *rootKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  ByteString certs[] = { signerDER, ByteString() };
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_no_eku)
+{
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_wrong_eku",
+                         OCSPResponseContext::good, byKey,
+                         sha256WithRSAEncryption(), nullptr));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+static const Input serverAuthEKUDER(tlv_id_kp_serverAuth);
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_indirect_wrong_eku)
+{
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                        "good_indirect_wrong_eku",
+                        OCSPResponseContext::good, byKey,
+                        sha256WithRSAEncryption(), &serverAuthEKUDER));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+// Test that signature of OCSP response signer cert is verified
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_tampered_eku)
+{
+  ByteString tamperedResponse(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_tampered_eku",
+                         OCSPResponseContext::good, byKey,
+                         sha256WithRSAEncryption(), &serverAuthEKUDER));
+  ASSERT_EQ(Success,
+            TamperOnce(tamperedResponse,
+                       ByteString(tlv_id_kp_serverAuth,
+                                  sizeof(tlv_id_kp_serverAuth)),
+                       ByteString(tlv_id_kp_OCSPSigning,
+                                  sizeof(tlv_id_kp_OCSPSigning))));
+  Input tamperedResponseInput;
+  ASSERT_EQ(Success, tamperedResponseInput.Init(tamperedResponse.data(),
+                                                tamperedResponse.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      tamperedResponseInput, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder, good_unknown_issuer)
+{
+  static const char* subCAName = "good_indirect_unknown_issuer sub-CA";
+  static const char* signerName = "good_indirect_unknown_issuer OCSP signer";
+
+  // unknown issuer
+  ScopedTestKeyPair unknownKeyPair(GenerateKeyPair());
+  ASSERT_TRUE(unknownKeyPair.get());
+
+  // Delegated responder cert signed by unknown issuer
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString()
+  };
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                         1, sha256WithRSAEncryption(), subCAName,
+                         oneDayBeforeNow, oneDayAfterNow, signerName,
+                         *signerKeyPair, extensions, *unknownKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  // OCSP response signed by that delegated responder
+  ByteString certs[] = { signerDER, ByteString() };
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+// The CA that issued the OCSP responder cert is a sub-CA of the issuer of
+// the certificate that the OCSP response is for. That sub-CA cert is included
+// in the OCSP response before the OCSP responder cert.
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_indirect_subca_1_first)
+{
+  static const char* subCAName = "good_indirect_subca_1_first sub-CA";
+  static const char* signerName = "good_indirect_subca_1_first OCSP signer";
+  static const long zero = 0;
+
+  // sub-CA of root (root is the direct issuer of endEntity)
+  const ByteString subCAExtensions[] = {
+    CreateEncodedBasicConstraints(true, &zero, Critical::No),
+    ByteString()
+  };
+  ScopedTestKeyPair subCAKeyPair(GenerateKeyPair());
+  ByteString subCADER(CreateEncodedCertificate(
+                        ++rootIssuedCount, sha256WithRSAEncryption(), rootName,
+                        oneDayBeforeNow, oneDayAfterNow, subCAName,
+                        *subCAKeyPair, subCAExtensions, *rootKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(subCADER));
+
+  // Delegated responder cert signed by that sub-CA
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString(),
+  };
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                         1, sha256WithRSAEncryption(), subCAName,
+                         oneDayBeforeNow, oneDayAfterNow, signerName,
+                         *signerKeyPair, extensions, *subCAKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  // OCSP response signed by the delegated responder issued by the sub-CA
+  // that is trying to impersonate the root.
+  ByteString certs[] = { subCADER, signerDER, ByteString() };
+  ByteString responseString(
+               CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+// The CA that issued the OCSP responder cert is a sub-CA of the issuer of
+// the certificate that the OCSP response is for. That sub-CA cert is included
+// in the OCSP response after the OCSP responder cert.
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_indirect_subca_1_second)
+{
+  static const char* subCAName = "good_indirect_subca_1_second sub-CA";
+  static const char* signerName = "good_indirect_subca_1_second OCSP signer";
+  static const long zero = 0;
+
+  // sub-CA of root (root is the direct issuer of endEntity)
+  const ByteString subCAExtensions[] = {
+    CreateEncodedBasicConstraints(true, &zero, Critical::No),
+    ByteString()
+  };
+  ScopedTestKeyPair subCAKeyPair(GenerateKeyPair());
+  ByteString subCADER(CreateEncodedCertificate(++rootIssuedCount,
+                                               sha256WithRSAEncryption(),
+                                               rootName,
+                                               oneDayBeforeNow, oneDayAfterNow,
+                                               subCAName, *subCAKeyPair,
+                                               subCAExtensions, *rootKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(subCADER));
+
+  // Delegated responder cert signed by that sub-CA
+  const ByteString extensions[] = {
+    CreateEncodedEKUExtension(OCSPSigningEKUDER, Critical::No),
+    ByteString()
+  };
+  ScopedTestKeyPair signerKeyPair(GenerateKeyPair());
+  ByteString signerDER(CreateEncodedCertificate(
+                         1, sha256WithRSAEncryption(), subCAName,
+                         oneDayBeforeNow, oneDayAfterNow, signerName,
+                         *signerKeyPair, extensions, *subCAKeyPair));
+  ASSERT_FALSE(ENCODING_FAILED(signerDER));
+
+  // OCSP response signed by the delegated responder issued by the sub-CA
+  // that is trying to impersonate the root.
+  ByteString certs[] = { signerDER, subCADER, ByteString() };
+  ByteString responseString(
+                 CreateEncodedOCSPSuccessfulResponse(
+                         OCSPResponseContext::good, *endEntityCertID,
+                         signerName, *signerKeyPair, oneDayBeforeNow,
+                         oneDayBeforeNow, &oneDayAfterNow,
+                         sha256WithRSAEncryption(), certs));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
+       good_unsupportedSignatureAlgorithmOnResponder)
+{
+  // Note that the algorithm ID (md5WithRSAEncryption) identifies the signature
+  // algorithm that will be used to sign the certificate that issues the OCSP
+  // responses, not the responses themselves.
+  ByteString responseString(
+               CreateEncodedIndirectOCSPSuccessfulResponse(
+                         "good_indirect_unsupportedSignatureAlgorithm",
+                         OCSPResponseContext::good, byKey,
+                         md5WithRSAEncryption()));
+  Input response;
+  ASSERT_EQ(Success,
+            response.Init(responseString.data(), responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+}
+
+class pkixocsp_VerifyEncodedResponse_GetCertTrust
+  : public pkixocsp_VerifyEncodedResponse_DelegatedResponder {
+public:
+  void SetUp()
+  {
+    pkixocsp_VerifyEncodedResponse_DelegatedResponder::SetUp();
+
+    responseString =
+        CreateEncodedIndirectOCSPSuccessfulResponse(
+          "OCSPGetCertTrustTest Signer", OCSPResponseContext::good,
+          byKey, sha256WithRSAEncryption(), &OCSPSigningEKUDER,
+          &signerCertDER);
+    if (ENCODING_FAILED(responseString)) {
+      abort();
+    }
+    if (response.Init(responseString.data(), responseString.length())
+          != Success) {
+      abort();
+    }
+    if (signerCertDER.length() == 0) {
+      abort();
+    }
+  }
+
+  class TrustDomain final : public OCSPTestTrustDomain
+  {
+  public:
+    TrustDomain()
+      : certTrustLevel(TrustLevel::InheritsTrust)
+    {
+    }
+
+    bool SetCertTrust(const ByteString& aCertDER, TrustLevel aCertTrustLevel)
+    {
+      this->certDER = aCertDER;
+      this->certTrustLevel = aCertTrustLevel;
+      return true;
+    }
+  private:
+    Result GetCertTrust(EndEntityOrCA endEntityOrCA, const CertPolicyId&,
+                        Input candidateCert, /*out*/ TrustLevel& trustLevel)
+                        override
+    {
+      EXPECT_EQ(endEntityOrCA, EndEntityOrCA::MustBeEndEntity);
+      EXPECT_FALSE(certDER.empty());
+      Input certDERInput;
+      EXPECT_EQ(Success, certDERInput.Init(certDER.data(), certDER.length()));
+      EXPECT_TRUE(InputsAreEqual(certDERInput, candidateCert));
+      trustLevel = certTrustLevel;
+      return Success;
+    }
+
+    ByteString certDER;
+    TrustLevel certTrustLevel;
+  };
+
+// trustDomain deliberately shadows the inherited field so that it isn't used
+// by accident. See bug 1339921.
+// Unfortunately GCC can't parse __has_warning("-Wshadow-field") even if it's
+// the latter part of a conjunction that would evaluate to false, so we have to
+// wrap it in a separate preprocessor conditional rather than using &&.
+#if defined(__clang__)
+  #if __has_warning("-Wshadow-field")
+    #pragma clang diagnostic push
+    #pragma clang diagnostic ignored "-Wshadow-field"
+  #endif
+#endif
+  TrustDomain trustDomain;
+#if defined(__clang__)
+  #if __has_warning("-Wshadow-field")
+    #pragma clang diagnostic pop
+  #endif
+#endif
+  ByteString signerCertDER;
+  ByteString responseString;
+  Input response; // references data in responseString
+};
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, InheritTrust)
+{
+  ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+                                       TrustLevel::InheritsTrust));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, TrustAnchor)
+{
+  ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+                                       TrustLevel::TrustAnchor));
+  bool expired;
+  ASSERT_EQ(Success,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      response, expired));
+  ASSERT_FALSE(expired);
+}
+
+TEST_F(pkixocsp_VerifyEncodedResponse_GetCertTrust, ActivelyDistrusted)
+{
+  ASSERT_TRUE(trustDomain.SetCertTrust(signerCertDER,
+                                       TrustLevel::ActivelyDistrusted));
+  Input responseInput;
+  ASSERT_EQ(Success,
+            responseInput.Init(responseString.data(),
+                               responseString.length()));
+  bool expired;
+  ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
+            VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),
+                                      END_ENTITY_MAX_LIFETIME_IN_DAYS,
+                                      responseInput, expired));
+  ASSERT_FALSE(expired);
+}
diff --git a/security/nss/gtests/nss_bogo_shim/config.json b/security/nss/gtests/nss_bogo_shim/config.json
index 6dc155befa..5c7a2e3481 100644
--- a/security/nss/gtests/nss_bogo_shim/config.json
+++ b/security/nss/gtests/nss_bogo_shim/config.json
@@ -1,6 +1,9 @@
 {
     "DisabledTests": {
         "### These tests break whenever we rev versions, so just leave them here for easy uncommenting":"",
+        "*TLS13Draft*":"NSS supports RFC 8446 only.",
+        "IgnoreClientVersionOrder":"Uses draft23",
+        "DuplicateCertCompressionExt*":"BoGo expects that an alert is sent if more than one compression algorithm is sent.",
         "ServerBogusVersion":"Check that SH.legacy_version=TLS12 when the server picks TLS 1.3 (Bug 1443761)",
         "DummyPQPadding-Server*":"Boring is testing a dummy PQ padding extension",
         "VerifyPreferences-Enforced":"NSS sends alerts in response to errors in protected handshake messages in the clear",
@@ -12,17 +15,10 @@
         "ServerCipherFilter*":"Add Ed25519 support (Bug 1325335)",
         "GarbageCertificate*":"Send bad_certificate alert when certificate parsing fails (Bug 1441565)",
         "SupportedVersionSelection-TLS12":"Should maybe reject TLS 1.2 in SH.supported_versions (Bug 1438266)",
-        "*TLS13*":"(NSS=19, BoGo=18)",
-        "*HelloRetryRequest*":"(NSS=19, BoGo=18)",
-        "*KeyShare*":"(NSS=19, BoGo=18)",
-        "*EncryptedExtensions*":"(NSS=19, BoGo=18)",
-        "*SecondClientHello*":"(NSS=19, BoGo=18)",
-        "*IgnoreClientVersionOrder*":"(NSS=19, BoGo=18)",
-        "SkipEarlyData*":"(NSS=19, BoGo=18)",
-        "*Binder*":"(NSS=19, BoGo=18)",
         "Resume-Server-BinderWrongLength":"Alert disagreement (Bug 1317633)",
         "Resume-Server-NoPSKBinder":"Alert disagreement (Bug 1317633)",
         "CheckRecordVersion-TLS*":"Bug 1317634",
+        "GarbageInitialRecordVersion-TLS*":"NSS doesn't strictly check the ClientHello record version",
         "GREASE-Server-TLS13":"BoringSSL GREASEs without a flag, but we ignore it",
         "TLS13-ExpectNoSessionTicketOnBadKEMode-Server":"Bug in NSS. Don't send ticket when not permitted by KE modes (Bug 1317635)",
         "*KeyUpdate*":"KeyUpdate Unimplemented",
@@ -48,14 +44,14 @@
         "StrayHelloRequest*":"NSS doesn't disable renegotiation by default",
         "NoSupportedCurves-TLS13":"wanted SSL_ERROR_NO_CYPHER_OVERLAP, got missing extension error",
         "FragmentedClientVersion":"received a malformed Client Hello handshake message",
-        "UnofferedExtension-Client-TLS13":"nss updated/broken",
-        "UnknownExtension-Client-TLS13":"nss updated/broken",
-        "WrongMessageType-TLS13-EncryptedExtensions":"nss updated/broken",
-        "WrongMessageType-TLS13-CertificateRequest":"nss updated/broken",
-        "WrongMessageType-TLS13-ServerCertificateVerify":"nss updated/broken",
-        "WrongMessageType-TLS13-ServerCertificate":"nss updated/broken",
-        "WrongMessageType-TLS13-ServerFinished":"nss updated/broken",
-        "EmptyEncryptedExtensions":"nss updated/broken",
+        "WrongMessageType-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "TrailingMessageData-TLS13-EncryptedExtensions":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "UnofferedExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "UnknownExtension-Client-TLS13":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-CertificateRequest":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-ServerCertificateVerify":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-ServerCertificate":"Boring expects CCS (Bugs 1481209, 1304603)",
+        "WrongMessageType-TLS13-ServerFinished":"Boring expects CCS (Bugs 1481209, 1304603)",
         "TrailingMessageData-*": "Bug 1304575",
         "DuplicateKeyShares":"Bug 1304578",
         "Resume-Server-TLS13-TLS13":"Bug 1314351",
@@ -68,7 +64,8 @@
         "RequireAnyClientCertificate-TLS1*":"Bug 1339387",
         "SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
         "ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear",
-        "P224-Server":"NSS doesn't support P-224"
+        "P224-Server":"NSS doesn't support P-224",
+        "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty."
     },
     "ErrorMap" : {
         ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
diff --git a/security/nss/gtests/nss_bogo_shim/manifest.mn b/security/nss/gtests/nss_bogo_shim/manifest.mn
index 2d60ddea31..f8a6b07aff 100644
--- a/security/nss/gtests/nss_bogo_shim/manifest.mn
+++ b/security/nss/gtests/nss_bogo_shim/manifest.mn
@@ -12,9 +12,11 @@ CPPSRCS = \
       nss_bogo_shim.cc \
       $(NULL)
 
-REQUIRES = nspr nss libdbm
+INCLUDES += -I$(CORE_DEPTH)/cpputil
+
+REQUIRES = nspr nss libdbm cpputil
 
 PROGRAM = nss_bogo_shim
-#EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX)
+EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX)
 
 USE_STATIC_LIBS = 1
diff --git a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
index 72dbd57711..b2ce6898da 100644
--- a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
+++ b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc
@@ -18,6 +18,7 @@
 #include "ssl3prot.h"
 #include "sslerr.h"
 #include "sslproto.h"
+#include "nss_scoped_ptrs.h"
 
 #include "nsskeys.h"
 
@@ -33,30 +34,9 @@ std::string FormatError(PRErrorCode code) {
 
 class TestAgent {
  public:
-  TestAgent(const Config& cfg)
-      : cfg_(cfg),
-        pr_fd_(nullptr),
-        ssl_fd_(nullptr),
-        cert_(nullptr),
-        key_(nullptr) {}
+  TestAgent(const Config& cfg) : cfg_(cfg) {}
 
-  ~TestAgent() {
-    if (pr_fd_) {
-      PR_Close(pr_fd_);
-    }
-
-    if (ssl_fd_) {
-      PR_Close(ssl_fd_);
-    }
-
-    if (key_) {
-      SECKEY_DestroyPrivateKey(key_);
-    }
-
-    if (cert_) {
-      CERT_DestroyCertificate(cert_);
-    }
-  }
+  ~TestAgent() {}
 
   static std::unique_ptr<TestAgent> Create(const Config& cfg) {
     std::unique_ptr<TestAgent> agent(new TestAgent(cfg));
@@ -81,39 +61,46 @@ class TestAgent {
       return false;
     }
 
-    SECStatus rv = SSL_ResetHandshake(ssl_fd_, cfg_.get<bool>("server"));
+    SECStatus rv = SSL_ResetHandshake(ssl_fd_.get(), cfg_.get<bool>("server"));
     if (rv != SECSuccess) return false;
 
     return true;
   }
 
   bool ConnectTcp() {
+    // Try IPv6 first, then IPv4 in case of failure.
+    if (!OpenConnection("::1") && !OpenConnection("127.0.0.1")) {
+      return false;
+    }
+
+    ssl_fd_ = ScopedPRFileDesc(SSL_ImportFD(NULL, pr_fd_.get()));
+    if (!ssl_fd_) {
+      return false;
+    }
+    pr_fd_.release();
+
+    return true;
+  }
+
+  bool OpenConnection(const char* ip) {
     PRStatus prv;
     PRNetAddr addr;
 
-    // Try IPv6 first.
-    prv = PR_StringToNetAddr("::1", &addr);
+    prv = PR_StringToNetAddr(ip, &addr);
+
     if (prv != PR_SUCCESS) {
-      // If that fails, try IPv4.
-      prv = PR_StringToNetAddr("127.0.0.1", &addr);
-      if (prv != PR_SUCCESS) {
-        return false;
-      }
+      return false;
     }
+
     addr.inet.port = PR_htons(cfg_.get<int>("port"));
 
-    pr_fd_ = PR_OpenTCPSocket(addr.raw.family);
+    pr_fd_ = ScopedPRFileDesc(PR_OpenTCPSocket(addr.raw.family));
     if (!pr_fd_) return false;
 
-    prv = PR_Connect(pr_fd_, &addr, PR_INTERVAL_NO_TIMEOUT);
+    prv = PR_Connect(pr_fd_.get(), &addr, PR_INTERVAL_NO_TIMEOUT);
     if (prv != PR_SUCCESS) {
       return false;
     }
-
-    ssl_fd_ = SSL_ImportFD(NULL, pr_fd_);
-    if (!ssl_fd_) return false;
-    pr_fd_ = nullptr;
-
     return true;
   }
 
@@ -121,21 +108,24 @@ class TestAgent {
     SECStatus rv;
 
     if (cfg_.get<std::string>("key-file") != "") {
-      key_ = ReadPrivateKey(cfg_.get<std::string>("key-file"));
+      key_ = ScopedSECKEYPrivateKey(
+          ReadPrivateKey(cfg_.get<std::string>("key-file")));
       if (!key_) return false;
     }
     if (cfg_.get<std::string>("cert-file") != "") {
-      cert_ = ReadCertificate(cfg_.get<std::string>("cert-file"));
+      cert_ = ScopedCERTCertificate(
+          ReadCertificate(cfg_.get<std::string>("cert-file")));
       if (!cert_) return false;
     }
 
     // Needed because certs are not entirely valid.
-    rv = SSL_AuthCertificateHook(ssl_fd_, AuthCertificateHook, this);
+    rv = SSL_AuthCertificateHook(ssl_fd_.get(), AuthCertificateHook, this);
     if (rv != SECSuccess) return false;
 
     if (cfg_.get<bool>("server")) {
       // Server
-      rv = SSL_ConfigServerCert(ssl_fd_, cert_, key_, nullptr, 0);
+      rv = SSL_ConfigServerCert(ssl_fd_.get(), cert_.get(), key_.get(), nullptr,
+                                0);
       if (rv != SECSuccess) {
         std::cerr << "Couldn't configure server cert\n";
         return false;
@@ -143,7 +133,8 @@ class TestAgent {
 
     } else if (key_ && cert_) {
       // Client.
-      rv = SSL_GetClientAuthDataHook(ssl_fd_, GetClientAuthDataHook, this);
+      rv =
+          SSL_GetClientAuthDataHook(ssl_fd_.get(), GetClientAuthDataHook, this);
       if (rv != SECSuccess) return false;
     }
 
@@ -263,36 +254,36 @@ class TestAgent {
 
   bool SetupOptions() {
     SECStatus rv =
-        SSL_OptionSet(ssl_fd_, SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
+        SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
     if (rv != SECSuccess) return false;
 
-    rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
+    rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
     if (rv != SECSuccess) return false;
 
     SSLVersionRange vrange;
     if (!GetVersionRange(&vrange, ssl_variant_stream)) return false;
 
-    rv = SSL_VersionRangeSet(ssl_fd_, &vrange);
+    rv = SSL_VersionRangeSet(ssl_fd_.get(), &vrange);
     if (rv != SECSuccess) return false;
 
     SSLVersionRange verify_vrange;
-    rv = SSL_VersionRangeGet(ssl_fd_, &verify_vrange);
+    rv = SSL_VersionRangeGet(ssl_fd_.get(), &verify_vrange);
     if (rv != SECSuccess) return false;
     if (vrange.min != verify_vrange.min || vrange.max != verify_vrange.max)
       return false;
 
-    rv = SSL_OptionSet(ssl_fd_, SSL_NO_CACHE, false);
+    rv = SSL_OptionSet(ssl_fd_.get(), SSL_NO_CACHE, false);
     if (rv != SECSuccess) return false;
 
     auto alpn = cfg_.get<std::string>("advertise-alpn");
     if (!alpn.empty()) {
       assert(!cfg_.get<bool>("server"));
 
-      rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_ALPN, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_ALPN, PR_TRUE);
       if (rv != SECSuccess) return false;
 
       rv = SSL_SetNextProtoNego(
-          ssl_fd_, reinterpret_cast<const unsigned char*>(alpn.c_str()),
+          ssl_fd_.get(), reinterpret_cast<const unsigned char*>(alpn.c_str()),
           alpn.size());
       if (rv != SECSuccess) return false;
     }
@@ -312,23 +303,23 @@ class TestAgent {
           [](int scheme) { return static_cast<SSLSignatureScheme>(scheme); });
 
       rv = SSL_SignatureSchemePrefSet(
-          ssl_fd_, sig_schemes.data(),
+          ssl_fd_.get(), sig_schemes.data(),
           static_cast<unsigned int>(sig_schemes.size()));
       if (rv != SECSuccess) return false;
     }
 
     if (cfg_.get<bool>("fallback-scsv")) {
-      rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
       if (rv != SECSuccess) return false;
     }
 
     if (cfg_.get<bool>("false-start")) {
-      rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_FALSE_START, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_FALSE_START, PR_TRUE);
       if (rv != SECSuccess) return false;
     }
 
     if (cfg_.get<bool>("enable-ocsp-stapling")) {
-      rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
       if (rv != SECSuccess) return false;
     }
 
@@ -336,29 +327,63 @@ class TestAgent {
     if (requireClientCert || cfg_.get<bool>("verify-peer")) {
       assert(cfg_.get<bool>("server"));
 
-      rv = SSL_OptionSet(ssl_fd_, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+      rv = SSL_OptionSet(ssl_fd_.get(), SSL_REQUEST_CERTIFICATE, PR_TRUE);
       if (rv != SECSuccess) return false;
 
       rv = SSL_OptionSet(
-          ssl_fd_, SSL_REQUIRE_CERTIFICATE,
+          ssl_fd_.get(), SSL_REQUIRE_CERTIFICATE,
           requireClientCert ? SSL_REQUIRE_ALWAYS : SSL_REQUIRE_NO_ERROR);
       if (rv != SECSuccess) return false;
     }
 
     if (!cfg_.get<bool>("server")) {
       // Needed to make resumption work.
-      rv = SSL_SetURL(ssl_fd_, "server");
+      rv = SSL_SetURL(ssl_fd_.get(), "server");
       if (rv != SECSuccess) return false;
     }
 
-    rv = SSL_OptionSet(ssl_fd_, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
+    rv = SSL_OptionSet(ssl_fd_.get(), SSL_ENABLE_EXTENDED_MASTER_SECRET,
+                       PR_TRUE);
     if (rv != SECSuccess) return false;
 
-    if (!EnableNonExportCiphers()) return false;
+    if (!ConfigureCiphers()) return false;
 
     return true;
   }
 
+  bool ConfigureCiphers() {
+    auto cipherList = cfg_.get<std::string>("nss-cipher");
+
+    if (cipherList.empty()) {
+      return EnableNonExportCiphers();
+    }
+
+    for (size_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
+      SSLCipherSuiteInfo csinfo;
+      std::string::size_type n;
+      SECStatus rv = SSL_GetCipherSuiteInfo(SSL_ImplementedCiphers[i], &csinfo,
+                                            sizeof(csinfo));
+      if (rv != SECSuccess) {
+        return false;
+      }
+
+      // Check if cipherList contains the name of the Cipher Suite and
+      // enable/disable accordingly.
+      n = cipherList.find(csinfo.cipherSuiteName, 0);
+      if (std::string::npos == n) {
+        rv = SSL_CipherPrefSet(ssl_fd_.get(), SSL_ImplementedCiphers[i],
+                               PR_FALSE);
+      } else {
+        rv = SSL_CipherPrefSet(ssl_fd_.get(), SSL_ImplementedCiphers[i],
+                               PR_TRUE);
+      }
+      if (rv != SECSuccess) {
+        return false;
+      }
+    }
+    return true;
+  }
+
   bool EnableNonExportCiphers() {
     for (size_t i = 0; i < SSL_NumImplementedCiphers; ++i) {
       SSLCipherSuiteInfo csinfo;
@@ -369,7 +394,7 @@ class TestAgent {
         return false;
       }
 
-      rv = SSL_CipherPrefSet(ssl_fd_, SSL_ImplementedCiphers[i], PR_TRUE);
+      rv = SSL_CipherPrefSet(ssl_fd_.get(), SSL_ImplementedCiphers[i], PR_TRUE);
       if (rv != SECSuccess) {
         return false;
       }
@@ -388,19 +413,19 @@ class TestAgent {
                                          CERTCertificate** cert,
                                          SECKEYPrivateKey** privKey) {
     TestAgent* a = static_cast<TestAgent*>(self);
-    *cert = CERT_DupCertificate(a->cert_);
-    *privKey = SECKEY_CopyPrivateKey(a->key_);
+    *cert = CERT_DupCertificate(a->cert_.get());
+    *privKey = SECKEY_CopyPrivateKey(a->key_.get());
     return SECSuccess;
   }
 
-  SECStatus Handshake() { return SSL_ForceHandshake(ssl_fd_); }
+  SECStatus Handshake() { return SSL_ForceHandshake(ssl_fd_.get()); }
 
   // Implement a trivial echo client/server. Read bytes from the other side,
   // flip all the bits, and send them back.
   SECStatus ReadWrite() {
     for (;;) {
       uint8_t block[512];
-      int32_t rv = PR_Read(ssl_fd_, block, sizeof(block));
+      int32_t rv = PR_Read(ssl_fd_.get(), block, sizeof(block));
       if (rv < 0) {
         std::cerr << "Failure reading\n";
         return SECFailure;
@@ -412,7 +437,7 @@ class TestAgent {
         block[i] ^= 0xff;
       }
 
-      rv = PR_Write(ssl_fd_, block, len);
+      rv = PR_Write(ssl_fd_.get(), block, len);
       if (rv != len) {
         std::cerr << "Write failure\n";
         PORT_SetError(SEC_ERROR_OUTPUT_LEN);
@@ -431,7 +456,7 @@ class TestAgent {
     // reader and writer.
     uint8_t block[600];
     memset(block, ch, sizeof(block));
-    int32_t rv = PR_Write(ssl_fd_, block, sizeof(block));
+    int32_t rv = PR_Write(ssl_fd_.get(), block, sizeof(block));
     if (rv != sizeof(block)) {
       std::cerr << "Write failure\n";
       PORT_SetError(SEC_ERROR_OUTPUT_LEN);
@@ -440,7 +465,7 @@ class TestAgent {
 
     size_t left = sizeof(block);
     while (left) {
-      rv = PR_Read(ssl_fd_, block, left);
+      rv = PR_Read(ssl_fd_.get(), block, left);
       if (rv < 0) {
         std::cerr << "Failure reading\n";
         return SECFailure;
@@ -494,7 +519,7 @@ class TestAgent {
       SSLNextProtoState state;
       char chosen[256];
       unsigned int chosen_len;
-      rv = SSL_GetNextProto(ssl_fd_, &state,
+      rv = SSL_GetNextProto(ssl_fd_.get(), &state,
                             reinterpret_cast<unsigned char*>(chosen),
                             &chosen_len, sizeof(chosen));
       if (rv != SECSuccess) {
@@ -514,7 +539,7 @@ class TestAgent {
     auto sig_alg = cfg_.get<int>("expect-peer-signature-algorithm");
     if (sig_alg) {
       SSLChannelInfo info;
-      rv = SSL_GetChannelInfo(ssl_fd_, &info, sizeof(info));
+      rv = SSL_GetChannelInfo(ssl_fd_.get(), &info, sizeof(info));
       if (rv != SECSuccess) {
         PRErrorCode err = PR_GetError();
         std::cerr << "SSL_GetChannelInfo failed with error=" << FormatError(err)
@@ -534,10 +559,10 @@ class TestAgent {
 
  private:
   const Config& cfg_;
-  PRFileDesc* pr_fd_;
-  PRFileDesc* ssl_fd_;
-  CERTCertificate* cert_;
-  SECKEYPrivateKey* key_;
+  ScopedPRFileDesc pr_fd_;
+  ScopedPRFileDesc ssl_fd_;
+  ScopedCERTCertificate cert_;
+  ScopedSECKEYPrivateKey key_;
 };
 
 std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
@@ -559,11 +584,14 @@ std::unique_ptr<const Config> ReadConfig(int argc, char** argv) {
   cfg->AddEntry<bool>("write-then-read", false);
   cfg->AddEntry<bool>("require-any-client-certificate", false);
   cfg->AddEntry<bool>("verify-peer", false);
+  cfg->AddEntry<bool>("is-handshaker-supported", false);
+  cfg->AddEntry<std::string>("handshaker-path", "");  // Ignore this
   cfg->AddEntry<std::string>("advertise-alpn", "");
   cfg->AddEntry<std::string>("expect-alpn", "");
   cfg->AddEntry<std::vector<int>>("signing-prefs", std::vector<int>());
   cfg->AddEntry<std::vector<int>>("verify-prefs", std::vector<int>());
   cfg->AddEntry<int>("expect-peer-signature-algorithm", 0);
+  cfg->AddEntry<std::string>("nss-cipher", "");
 
   auto rv = cfg->ParseArgs(argc, argv);
   switch (rv) {
@@ -602,6 +630,11 @@ int main(int argc, char** argv) {
     return GetExitCode(false);
   }
 
+  if (cfg->get<bool>("is-handshaker-supported")) {
+    std::cout << "No\n";
+    return 0;
+  }
+
   if (cfg->get<bool>("server")) {
     if (SSL_ConfigServerSessionIDCache(1024, 0, 0, ".") != SECSuccess) {
       std::cerr << "Couldn't configure session cache\n";
diff --git a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
index b8f71f95f5..d08a6bde3a 100644
--- a/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
+++ b/security/nss/gtests/nss_bogo_shim/nss_bogo_shim.gyp
@@ -37,6 +37,7 @@
         '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
         '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib',
         '<(DEPTH)/lib/libpkix/libpkix.gyp:libpkix',
+        '<(DEPTH)/cpputil/cpputil.gyp:cpputil',
       ],
       'conditions': [
         [ 'disable_dbm==0', {
diff --git a/security/nss/gtests/pk11_gtest/manifest.mn b/security/nss/gtests/pk11_gtest/manifest.mn
index a3dff9d100..ea7b43a2b0 100644
--- a/security/nss/gtests/pk11_gtest/manifest.mn
+++ b/security/nss/gtests/pk11_gtest/manifest.mn
@@ -16,6 +16,7 @@ CPPSRCS = \
       pk11_pbkdf2_unittest.cc \
       pk11_prf_unittest.cc \
       pk11_prng_unittest.cc \
+      pk11_rsapkcs1_unittest.cc \
       pk11_rsapss_unittest.cc \
       pk11_der_private_key_import_unittest.cc \
       $(NULL)
diff --git a/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
index a4e8bedba1..4072cf2b72 100644
--- a/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_aes_gcm_unittest.cc
@@ -10,7 +10,7 @@
 #include "secerr.h"
 #include "sechash.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "gcm-vectors.h"
 #include "gtest/gtest.h"
diff --git a/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
index a0226e6dfd..4d4250a5e9 100644
--- a/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_aeskeywrap_unittest.cc
@@ -9,7 +9,7 @@
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
@@ -129,4 +129,4 @@ TEST_F(Pkcs11AESKeyWrapTest, WrapUnwrepTest6) {
   WrapUnwrap(kKEK3, sizeof(kKEK3), kKD6, sizeof(kKD6), kC6);
 }
 
-} /* nss_test */
\ No newline at end of file
+} /* nss_test */
diff --git a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
index dac2a41ba8..07bc91ee69 100644
--- a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@@ -10,7 +10,7 @@
 #include "sechash.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "gtest/gtest.h"
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
new file mode 100644
index 0000000000..38982fd885
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
@@ -0,0 +1,80 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#include "gtest/gtest.h"
+
+#include <assert.h>
+#include <limits.h>
+#include <prinit.h>
+#include <nss.h>
+#include <pk11pub.h>
+
+static const size_t kKeyLen = 128 / 8;
+
+namespace nss_test {
+
+//
+// The ciper tests using the bltest command cover a great deal of testing.
+// However, Bug 1489691 revealed a corner case which is covered here.
+// This test will make multiple calls to PK11_CipherOp using the same
+// cipher context with data that is not cipher block aligned.
+//
+
+static SECStatus GetBytes(PK11Context* ctx, uint8_t* bytes, size_t len) {
+  std::vector<uint8_t> in(len, 0);
+
+  int outlen;
+  SECStatus rv = PK11_CipherOp(ctx, bytes, &outlen, len, &in[0], len);
+  if (static_cast<size_t>(outlen) != len) {
+    return SECFailure;
+  }
+  return rv;
+}
+
+TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
+  PK11SlotInfo* slot;
+  PK11SymKey* key;
+  PK11Context* ctx;
+
+  NSSInitContext* globalctx =
+      NSS_InitContext("", "", "", "", NULL,
+                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
+                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
+
+  const CK_MECHANISM_TYPE cipher = CKM_AES_CTR;
+
+  slot = PK11_GetInternalSlot();
+  ASSERT_TRUE(slot);
+
+  // Use arbitrary bytes for the AES key
+  uint8_t key_bytes[kKeyLen];
+  for (size_t i = 0; i < kKeyLen; i++) {
+    key_bytes[i] = i;
+  }
+
+  SECItem keyItem = {siBuffer, key_bytes, kKeyLen};
+
+  // The IV can be all zeros since we only encrypt once with
+  // each AES key.
+  CK_AES_CTR_PARAMS param = {128, {}};
+  SECItem paramItem = {siBuffer, reinterpret_cast<unsigned char*>(&param),
+                       sizeof(CK_AES_CTR_PARAMS)};
+
+  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
+                          &keyItem, NULL);
+  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, &paramItem);
+  ASSERT_TRUE(key);
+  ASSERT_TRUE(ctx);
+
+  uint8_t outbuf[128];
+  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECSuccess);
+  ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
+
+  PK11_FreeSymKey(key);
+  PK11_FreeSlot(slot);
+  PK11_DestroyContext(ctx, PR_TRUE);
+  NSS_ShutdownContext(globalctx);
+}
+
+}  // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc
index 40b5362073..009c44fce8 100644
--- a/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc
@@ -7,7 +7,7 @@
 #include "pk11pub.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "gtest/gtest.h"
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
index 836cc78765..88c2833170 100644
--- a/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc
@@ -11,7 +11,7 @@
 #include "secutil.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
index fb06598525..e905f78350 100644
--- a/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_ecdsa_unittest.cc
@@ -8,7 +8,7 @@
 #include "sechash.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "pk11_ecdsa_vectors.h"
 #include "pk11_signature_test.h"
diff --git a/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
index aa92756f26..f4accac023 100644
--- a/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
@@ -8,7 +8,7 @@
 #include "prerror.h"
 #include "nss.h"
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "cpputil.h"
 #include "databuffer.h"
 #include "util.h"
diff --git a/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc
index e5d5ae8e99..bfd65b952e 100644
--- a/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_export_unittest.cc
@@ -9,7 +9,7 @@
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
index 076b4d37ff..c73139b05a 100644
--- a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
+++ b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
@@ -14,12 +14,14 @@
         'pk11_aeskeywrap_unittest.cc',
         'pk11_aes_gcm_unittest.cc',
         'pk11_chacha20poly1305_unittest.cc',
+        'pk11_cipherop_unittest.cc',
         'pk11_curve25519_unittest.cc',
         'pk11_ecdsa_unittest.cc',
         'pk11_encrypt_derive_unittest.cc',
         'pk11_pbkdf2_unittest.cc',
         'pk11_prf_unittest.cc',
         'pk11_prng_unittest.cc',
+        'pk11_rsapkcs1_unittest.cc',
         'pk11_rsapss_unittest.cc',
         'pk11_der_private_key_import_unittest.cc',
         '<(DEPTH)/gtests/common/gtests.cc'
diff --git a/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
index d72f94c2cb..fc055f4009 100644
--- a/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_pbkdf2_unittest.cc
@@ -9,7 +9,7 @@
 #include "pk11pub.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
new file mode 100644
index 0000000000..044d4e25e8
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
@@ -0,0 +1,109 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdint.h>
+#include "cryptohi.h"
+#include "nss.h"
+#include "pk11pub.h"
+
+#include "gtest/gtest.h"
+#include "nss_scoped_ptrs.h"
+#include "cpputil.h"
+
+namespace nss_test {
+
+// Test that the RSASSA-PKCS1-v1_5 implementation enforces the missing NULL
+// parameter.
+TEST(RsaPkcs1Test, RequireNullParameter) {
+  // kSpki is an RSA public key in an X.509 SubjectPublicKeyInfo.
+  const uint8_t kSpki[] = {
+      0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+      0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81,
+      0x89, 0x02, 0x81, 0x81, 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9,
+      0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb,
+      0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0,
+      0xa6, 0x85, 0x15, 0x34, 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef,
+      0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa,
+      0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76,
+      0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25,
+      0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79,
+      0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49,
+      0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd,
+      0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61,
+      0x07, 0x02, 0x03, 0x01, 0x00, 0x01,
+  };
+  // kHash is the SHA-256 hash of {1,2,3,4}.
+  const uint8_t kHash[] = {
+      0x9f, 0x64, 0xa7, 0x47, 0xe1, 0xb9, 0x7f, 0x13, 0x1f, 0xab, 0xb6,
+      0xb4, 0x47, 0x29, 0x6c, 0x9b, 0x6f, 0x02, 0x01, 0xe7, 0x9f, 0xb3,
+      0xc5, 0x35, 0x6e, 0x6c, 0x77, 0xe8, 0x9b, 0x6a, 0x80, 0x6a,
+  };
+  // kSignature is the signature of kHash with RSASSA-PKCS1-v1_5.
+  const uint8_t kSignature[] = {
+      0xa5, 0xf0, 0x8a, 0x47, 0x5d, 0x3c, 0xb3, 0xcc, 0xa9, 0x79, 0xaf, 0x4d,
+      0x8c, 0xae, 0x4c, 0x14, 0xef, 0xc2, 0x0b, 0x34, 0x36, 0xde, 0xf4, 0x3e,
+      0x3d, 0xbb, 0x4a, 0x60, 0x5c, 0xc8, 0x91, 0x28, 0xda, 0xfb, 0x7e, 0x04,
+      0x96, 0x7e, 0x63, 0x13, 0x90, 0xce, 0xb9, 0xb4, 0x62, 0x7a, 0xfd, 0x09,
+      0x3d, 0xc7, 0x67, 0x78, 0x54, 0x04, 0xeb, 0x52, 0x62, 0x6e, 0x24, 0x67,
+      0xb4, 0x40, 0xfc, 0x57, 0x62, 0xc6, 0xf1, 0x67, 0xc1, 0x97, 0x8f, 0x6a,
+      0xa8, 0xae, 0x44, 0x46, 0x5e, 0xab, 0x67, 0x17, 0x53, 0x19, 0x3a, 0xda,
+      0x5a, 0xc8, 0x16, 0x3e, 0x86, 0xd5, 0xc5, 0x71, 0x2f, 0xfc, 0x23, 0x48,
+      0xd9, 0x0b, 0x13, 0xdd, 0x7b, 0x5a, 0x25, 0x79, 0xef, 0xa5, 0x7b, 0x04,
+      0xed, 0x44, 0xf6, 0x18, 0x55, 0xe4, 0x0a, 0xe9, 0x57, 0x79, 0x5d, 0xd7,
+      0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42,
+  };
+  // kSignature is an invalid signature of kHash with RSASSA-PKCS1-v1_5 with the
+  // NULL parameter omitted.
+  const uint8_t kSignatureInvalid[] = {
+      0x71, 0x6c, 0x24, 0x4e, 0xc9, 0x9b, 0x19, 0xc7, 0x49, 0x29, 0xb8, 0xd4,
+      0xfb, 0x26, 0x23, 0xc0, 0x96, 0x18, 0xcd, 0x1e, 0x60, 0xe8, 0x88, 0x94,
+      0x8c, 0x59, 0xfb, 0x58, 0x5c, 0x61, 0x58, 0x7a, 0xae, 0xcc, 0xeb, 0xee,
+      0x1e, 0x85, 0x7d, 0x83, 0xa9, 0xdc, 0x6f, 0x4c, 0x34, 0x5c, 0xcb, 0xd9,
+      0xde, 0x58, 0x76, 0xdf, 0x1f, 0x5e, 0xd4, 0x57, 0x5b, 0xeb, 0xaf, 0x4f,
+      0x7a, 0xa7, 0x6b, 0x21, 0xf1, 0x0a, 0x96, 0x78, 0xc7, 0xa8, 0x02, 0x7a,
+      0xc2, 0x06, 0xd3, 0x18, 0x79, 0x72, 0x6b, 0xfe, 0x2d, 0xec, 0xd8, 0x8e,
+      0x98, 0x86, 0x89, 0xf4, 0x67, 0x14, 0x2b, 0xac, 0x6d, 0xd7, 0x04, 0xd8,
+      0xab, 0x05, 0xe6, 0x51, 0xf6, 0xee, 0x58, 0x63, 0xef, 0x6a, 0x3e, 0x89,
+      0x99, 0x2a, 0x1c, 0x10, 0xc2, 0xd0, 0x41, 0x9e, 0x1e, 0x9a, 0x9a, 0x57,
+      0x32, 0x0f, 0x49, 0xb4, 0x57, 0x37, 0xa4, 0x26,
+  };
+
+  // The test vectors may be verified with:
+  //
+  // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig.bin | der2ascii
+  // openssl rsautl -keyform der -pubin -inkey spki.bin -in sig2.bin | der2ascii
+
+  // Import public key.
+  SECItem spkiItem = {siBuffer, toUcharPtr(kSpki), sizeof(kSpki)};
+  ScopedCERTSubjectPublicKeyInfo certSpki(
+      SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+  ASSERT_TRUE(certSpki);
+  ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
+  ASSERT_TRUE(pubKey);
+
+  SECItem hash = {siBuffer, toUcharPtr(kHash), sizeof(kHash)};
+
+  // kSignature is a valid signature.
+  SECItem sigItem = {siBuffer, toUcharPtr(kSignature), sizeof(kSignature)};
+  SECStatus rv = VFY_VerifyDigestDirect(&hash, pubKey.get(), &sigItem,
+                                        SEC_OID_PKCS1_RSA_ENCRYPTION,
+                                        SEC_OID_SHA256, nullptr);
+  EXPECT_EQ(SECSuccess, rv);
+
+  // kSignatureInvalid is not.
+  sigItem = {siBuffer, toUcharPtr(kSignatureInvalid),
+             sizeof(kSignatureInvalid)};
+  rv = VFY_VerifyDigestDirect(&hash, pubKey.get(), &sigItem,
+                              SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA256,
+                              nullptr);
+#ifdef NSS_PKCS1_AllowMissingParameters
+  EXPECT_EQ(SECSuccess, rv);
+#else
+  EXPECT_EQ(SECFailure, rv);
+#endif
+}
+
+}  // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
index 6c8c5ab4e9..ed0573027f 100644
--- a/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_rsapss_unittest.cc
@@ -10,7 +10,7 @@
 #include "sechash.h"
 
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include "pk11_signature_test.h"
 #include "pk11_rsapss_vectors.h"
diff --git a/security/nss/gtests/pk11_gtest/pk11_signature_test.h b/security/nss/gtests/pk11_gtest/pk11_signature_test.h
index 8a12171a0a..0526fea559 100644
--- a/security/nss/gtests/pk11_gtest/pk11_signature_test.h
+++ b/security/nss/gtests/pk11_gtest/pk11_signature_test.h
@@ -8,7 +8,7 @@
 #include "sechash.h"
 
 #include "cpputil.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "databuffer.h"
 
 #include "gtest/gtest.h"
diff --git a/security/nss/gtests/softoken_gtest/softoken_gtest.cc b/security/nss/gtests/softoken_gtest/softoken_gtest.cc
index d61e2e75fa..5e2a497b8b 100644
--- a/security/nss/gtests/softoken_gtest/softoken_gtest.cc
+++ b/security/nss/gtests/softoken_gtest/softoken_gtest.cc
@@ -11,7 +11,7 @@
 #include "pk11pub.h"
 #include "secerr.h"
 
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
diff --git a/security/nss/gtests/ssl_gtest/manifest.mn b/security/nss/gtests/ssl_gtest/manifest.mn
index 8547e56d1d..7f4ee79539 100644
--- a/security/nss/gtests/ssl_gtest/manifest.mn
+++ b/security/nss/gtests/ssl_gtest/manifest.mn
@@ -52,6 +52,7 @@ CPPSRCS = \
       tls_hkdf_unittest.cc \
       tls_filter.cc \
       tls_protect.cc \
+      tls_esni_unittest.cc \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
diff --git a/security/nss/gtests/ssl_gtest/rsa8193.h b/security/nss/gtests/ssl_gtest/rsa8193.h
index 6265163896..1ac8503bc0 100644
--- a/security/nss/gtests/ssl_gtest/rsa8193.h
+++ b/security/nss/gtests/ssl_gtest/rsa8193.h
@@ -206,4 +206,4 @@ static const uint8_t rsa8193[] = {
     0x13, 0x34, 0x9d, 0x34, 0xb8, 0xef, 0x13, 0x3a, 0x20, 0xf5, 0x74, 0x02,
     0x70, 0x3b, 0x41, 0x60, 0x1f, 0x5e, 0x76, 0x0a, 0xb1, 0x17, 0xd5, 0xcf,
     0x79, 0xef, 0xf7, 0xab, 0xe7, 0xd6, 0x0f, 0xad, 0x85, 0x2c, 0x52, 0x67,
-    0xb5, 0xa0, 0x4a, 0xfd, 0xaf};
\ No newline at end of file
+    0xb5, 0xa0, 0x4a, 0xfd, 0xaf};
diff --git a/security/nss/gtests/ssl_gtest/selfencrypt_unittest.cc b/security/nss/gtests/ssl_gtest/selfencrypt_unittest.cc
index 4bae9dec95..0c62c4cac3 100644
--- a/security/nss/gtests/ssl_gtest/selfencrypt_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/selfencrypt_unittest.cc
@@ -19,7 +19,7 @@ extern "C" {
 
 #include "databuffer.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
index 28fdc66318..07eadfbd1e 100644
--- a/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc
@@ -16,7 +16,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
index 6be3b61f8d..c3455d130c 100644
--- a/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_agent_unittest.cc
@@ -34,7 +34,7 @@ const static uint8_t kCannedTls13ClientHello[] = {
     0xc2, 0xb3, 0xc6, 0x80, 0x72, 0x86, 0x08, 0x86, 0x8f, 0x52, 0xc5, 0xcb,
     0xbf, 0x2a, 0xb5, 0x59, 0x64, 0xcc, 0x0c, 0x49, 0x95, 0x36, 0xe4, 0xd9,
     0x2f, 0xd4, 0x24, 0x66, 0x71, 0x6f, 0x5d, 0x70, 0xe2, 0xa0, 0xea, 0x26,
-    0x00, 0x2b, 0x00, 0x03, 0x02, 0x7f, kD13, 0x00, 0x0d, 0x00, 0x20, 0x00,
+    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04, 0x00, 0x0d, 0x00, 0x20, 0x00,
     0x1e, 0x04, 0x03, 0x05, 0x03, 0x06, 0x03, 0x02, 0x03, 0x08, 0x04, 0x08,
     0x05, 0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01, 0x02, 0x01, 0x04,
     0x02, 0x05, 0x02, 0x06, 0x02, 0x02, 0x02};
@@ -64,8 +64,8 @@ TEST_P(TlsAgentTestClient13, CannedHello) {
   auto sh = MakeCannedTls13ServerHello();
   MakeHandshakeMessage(kTlsHandshakeServerHello, sh.data(), sh.len(),
                        &server_hello);
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
-             server_hello.data(), server_hello.len(), &buffer);
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3, server_hello.data(),
+             server_hello.len(), &buffer);
   ProcessMessage(buffer, TlsAgent::STATE_CONNECTING);
 }
 
@@ -79,8 +79,8 @@ TEST_P(TlsAgentTestClient13, EncryptedExtensionsInClear) {
                        &encrypted_extensions, 1);
   server_hello.Append(encrypted_extensions);
   DataBuffer buffer;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
-             server_hello.data(), server_hello.len(), &buffer);
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3, server_hello.data(),
+             server_hello.len(), &buffer);
   EnsureInit();
   ExpectAlert(kTlsAlertUnexpectedMessage);
   ProcessMessage(buffer, TlsAgent::STATE_ERROR,
@@ -97,11 +97,11 @@ TEST_F(TlsAgentStreamTestClient, EncryptedExtensionsInClearTwoPieces) {
                        &encrypted_extensions, 1);
   server_hello.Append(encrypted_extensions);
   DataBuffer buffer;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
-             server_hello.data(), kFirstFragmentSize, &buffer);
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3, server_hello.data(),
+             kFirstFragmentSize, &buffer);
 
   DataBuffer buffer2;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3,
              server_hello.data() + kFirstFragmentSize,
              server_hello.len() - kFirstFragmentSize, &buffer2);
 
@@ -129,11 +129,11 @@ TEST_F(TlsAgentDgramTestClient, EncryptedExtensionsInClearTwoPieces) {
                        &encrypted_extensions, 1);
   server_hello_frag2.Append(encrypted_extensions);
   DataBuffer buffer;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3,
              server_hello_frag1.data(), server_hello_frag1.len(), &buffer);
 
   DataBuffer buffer2;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3,
              server_hello_frag2.data(), server_hello_frag2.len(), &buffer2, 1);
 
   EnsureInit();
@@ -150,7 +150,7 @@ TEST_F(TlsAgentDgramTestClient, AckWithBogusLengthField) {
   // Length doesn't match
   const uint8_t ackBuf[] = {0x00, 0x08, 0x00};
   DataBuffer record;
-  MakeRecord(variant_, kTlsAckType, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
+  MakeRecord(variant_, ssl_ct_ack, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
              sizeof(ackBuf), &record, 0);
   agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
                           SSL_LIBRARY_VERSION_TLS_1_3);
@@ -164,7 +164,7 @@ TEST_F(TlsAgentDgramTestClient, AckWithNonEvenLength) {
   // Length isn't a multiple of 8
   const uint8_t ackBuf[] = {0x00, 0x01, 0x00};
   DataBuffer record;
-  MakeRecord(variant_, kTlsAckType, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
+  MakeRecord(variant_, ssl_ct_ack, SSL_LIBRARY_VERSION_TLS_1_2, ackBuf,
              sizeof(ackBuf), &record, 0);
   agent_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_3,
                           SSL_LIBRARY_VERSION_TLS_1_3);
@@ -196,7 +196,7 @@ TEST_F(TlsAgentStreamTestClient, Set0RttOptionThenRead) {
   agent_->StartConnect();
   agent_->Set0RttEnabled(true);
   DataBuffer buffer;
-  MakeRecord(kTlsApplicationDataType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_application_data, SSL_LIBRARY_VERSION_TLS_1_3,
              reinterpret_cast<const uint8_t *>(k0RttData), strlen(k0RttData),
              &buffer);
   ExpectAlert(kTlsAlertUnexpectedMessage);
@@ -214,10 +214,10 @@ TEST_F(TlsAgentStreamTestServer, Set0RttOptionClientHelloThenRead) {
   agent_->StartConnect();
   agent_->Set0RttEnabled(true);
   DataBuffer buffer;
-  MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3,
              kCannedTls13ClientHello, sizeof(kCannedTls13ClientHello), &buffer);
   ProcessMessage(buffer, TlsAgent::STATE_CONNECTING);
-  MakeRecord(kTlsApplicationDataType, SSL_LIBRARY_VERSION_TLS_1_3,
+  MakeRecord(ssl_ct_application_data, SSL_LIBRARY_VERSION_TLS_1_3,
              reinterpret_cast<const uint8_t *>(k0RttData), strlen(k0RttData),
              &buffer);
   ExpectAlert(kTlsAlertBadRecordMac);
diff --git a/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
index e2a30e6bcb..3a52ac20c5 100644
--- a/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -15,7 +15,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -37,6 +37,50 @@ TEST_P(TlsConnectGeneric, ServerAuthRsaChain) {
   EXPECT_EQ(2UL, chain_length);
 }
 
+TEST_P(TlsConnectTls12Plus, ServerAuthRsaPss) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_pss_sha256};
+
+  Reset(TlsAgent::kServerRsaPss);
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  Connect();
+  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_pss,
+            ssl_sig_rsa_pss_pss_sha256);
+}
+
+// PSS doesn't work with TLS 1.0 or 1.1 because we can't signal it.
+TEST_P(TlsConnectPre12, ServerAuthRsaPssFails) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_pss_sha256};
+
+  Reset(TlsAgent::kServerRsaPss);
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
+  server_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+  client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+}
+
+// Check that a PSS certificate with no parameters works.
+TEST_P(TlsConnectTls12Plus, ServerAuthRsaPssNoParameters) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_pss_sha256};
+
+  Reset("rsa_pss_noparam");
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  Connect();
+  CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, ssl_auth_rsa_pss,
+            ssl_sig_rsa_pss_pss_sha256);
+}
+
 TEST_P(TlsConnectGeneric, ServerAuthRsaPssChain) {
   Reset("rsa_pss_chain");
   Connect();
@@ -55,6 +99,76 @@ TEST_P(TlsConnectGeneric, ServerAuthRsaCARsaPssChain) {
   EXPECT_EQ(2UL, chain_length);
 }
 
+TEST_P(TlsConnectGeneric, ServerAuthRejected) {
+  EnsureTlsSetup();
+  client_->SetAuthCertificateCallback(
+      [](TlsAgent*, PRBool, PRBool) -> SECStatus { return SECFailure; });
+  ConnectExpectAlert(client_, kTlsAlertBadCertificate);
+  client_->CheckErrorCode(SSL_ERROR_BAD_CERTIFICATE);
+  server_->CheckErrorCode(SSL_ERROR_BAD_CERT_ALERT);
+  EXPECT_EQ(TlsAgent::STATE_ERROR, client_->state());
+}
+
+struct AuthCompleteArgs : public PollTarget {
+  AuthCompleteArgs(const std::shared_ptr<TlsAgent>& a, PRErrorCode c)
+      : agent(a), code(c) {}
+
+  std::shared_ptr<TlsAgent> agent;
+  PRErrorCode code;
+};
+
+static void CallAuthComplete(PollTarget* target, Event event) {
+  EXPECT_EQ(TIMER_EVENT, event);
+  auto args = reinterpret_cast<AuthCompleteArgs*>(target);
+  std::cerr << args->agent->role_str() << ": call SSL_AuthCertificateComplete "
+            << (args->code ? PR_ErrorToName(args->code) : "no error")
+            << std::endl;
+  EXPECT_EQ(SECSuccess,
+            SSL_AuthCertificateComplete(args->agent->ssl_fd(), args->code));
+  args->agent->Handshake();  // Make the TlsAgent aware of the error.
+  delete args;
+}
+
+// Install an AuthCertificateCallback that blocks when called.  Then
+// SSL_AuthCertificateComplete is called on a very short timer.  This allows any
+// processing that might follow the callback to complete.
+static void SetDeferredAuthCertificateCallback(std::shared_ptr<TlsAgent> agent,
+                                               PRErrorCode code) {
+  auto args = new AuthCompleteArgs(agent, code);
+  agent->SetAuthCertificateCallback(
+      [args](TlsAgent*, PRBool, PRBool) -> SECStatus {
+        // This can't be 0 or we race the message from the client to the server,
+        // and tests assume that we lose that race.
+        std::shared_ptr<Poller::Timer> timer_handle;
+        Poller::Instance()->SetTimer(1U, args, CallAuthComplete, &timer_handle);
+        return SECWouldBlock;
+      });
+}
+
+TEST_P(TlsConnectTls13, ServerAuthRejectAsync) {
+  SetDeferredAuthCertificateCallback(client_, SEC_ERROR_REVOKED_CERTIFICATE);
+  ConnectExpectAlert(client_, kTlsAlertCertificateRevoked);
+  // We only detect the error here when we attempt to handshake, so all the
+  // client learns is that the handshake has already failed.
+  client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILED);
+  server_->CheckErrorCode(SSL_ERROR_REVOKED_CERT_ALERT);
+}
+
+// In TLS 1.2 and earlier, this will result in the client sending its Finished
+// before learning that the server certificate is bad.  That means that the
+// server will believe that the handshake is complete.
+TEST_P(TlsConnectGenericPre13, ServerAuthRejectAsync) {
+  SetDeferredAuthCertificateCallback(client_, SEC_ERROR_EXPIRED_CERTIFICATE);
+  client_->ExpectSendAlert(kTlsAlertCertificateExpired);
+  server_->ExpectReceiveAlert(kTlsAlertCertificateExpired);
+  ConnectExpectFailOneSide(TlsAgent::CLIENT);
+  client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILED);
+
+  // The server might not receive the alert that the client sends, which would
+  // cause the test to fail when it cleans up.  Reset expectations.
+  server_->ExpectReceiveAlert(kTlsAlertCloseNotify, kTlsAlertWarning);
+}
+
 TEST_P(TlsConnectGeneric, ClientAuth) {
   client_->SetupClientAuth();
   server_->RequestClientAuth(true);
@@ -153,6 +267,81 @@ TEST_P(TlsConnectTls12, ClientAuthBigRsaCheckSigAlg) {
                  2048);
 }
 
+// Replaces the signature scheme in a CertificateVerify message.
+class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
+ public:
+  TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
+                                  SSLSignatureScheme scheme)
+      : TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
+        scheme_(scheme) {
+    EnableDecryption();
+  }
+
+ protected:
+  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
+                                               const DataBuffer& input,
+                                               DataBuffer* output) {
+    *output = input;
+    output->Write(0, scheme_, 2);
+    return CHANGE;
+  }
+
+ private:
+  SSLSignatureScheme scheme_;
+};
+
+// Check if CertificateVerify signed with rsa_pss_rsae_* is properly
+// rejected when the certificate is RSA-PSS.
+//
+// This only works under TLS 1.2, because PSS doesn't work with TLS
+// 1.0 or TLS 1.1 and the TLS 1.3 1-RTT handshake is partially
+// successful at the client side.
+TEST_P(TlsConnectTls12, ClientAuthInconsistentRsaeSignatureScheme) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_pss_sha256, ssl_sig_rsa_pss_rsae_sha256};
+
+  Reset(TlsAgent::kServerRsa, "rsa_pss");
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+
+  EnsureTlsSetup();
+
+  MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_,
+                                                 ssl_sig_rsa_pss_rsae_sha256);
+
+  ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
+}
+
+// Check if CertificateVerify signed with rsa_pss_pss_* is properly
+// rejected when the certificate is RSA.
+//
+// This only works under TLS 1.2, because PSS doesn't work with TLS
+// 1.0 or TLS 1.1 and the TLS 1.3 1-RTT handshake is partially
+// successful at the client side.
+TEST_P(TlsConnectTls12, ClientAuthInconsistentPssSignatureScheme) {
+  static const SSLSignatureScheme kSignatureSchemePss[] = {
+      ssl_sig_rsa_pss_rsae_sha256, ssl_sig_rsa_pss_pss_sha256};
+
+  Reset(TlsAgent::kServerRsa, "rsa");
+  client_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  server_->SetSignatureSchemes(kSignatureSchemePss,
+                               PR_ARRAY_SIZE(kSignatureSchemePss));
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+
+  EnsureTlsSetup();
+
+  MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_,
+                                                 ssl_sig_rsa_pss_pss_sha256);
+
+  ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
+}
+
 class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
  public:
   TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
@@ -197,9 +386,9 @@ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
   }
 };
 
-// Check that we fall back to SHA-1 when the server doesn't provide any
+// Check that we send an alert when the server doesn't provide any
 // supported_signature_algorithms in the CertificateRequest message.
-TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
+TEST_P(TlsConnectTls12, ClientAuthNoSigAlgs) {
   EnsureTlsSetup();
   MakeTlsFilter<TlsZeroCertificateRequestSigAlgsFilter>(server_);
   auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
@@ -207,24 +396,19 @@ TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
   client_->SetupClientAuth();
   server_->RequestClientAuth(true);
 
-  ConnectExpectAlert(server_, kTlsAlertDecryptError);
-
-  // We're expecting a bad signature here because we tampered with a handshake
-  // message (CertReq). Previously, without the SHA-1 fallback, we would've
-  // seen a malformed record alert.
-  server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
-  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+  ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);
 
-  CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024);
+  server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
+  client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
 }
 
-static const SSLSignatureScheme SignatureSchemeEcdsaSha384[] = {
+static const SSLSignatureScheme kSignatureSchemeEcdsaSha384[] = {
     ssl_sig_ecdsa_secp384r1_sha384};
-static const SSLSignatureScheme SignatureSchemeEcdsaSha256[] = {
+static const SSLSignatureScheme kSignatureSchemeEcdsaSha256[] = {
     ssl_sig_ecdsa_secp256r1_sha256};
-static const SSLSignatureScheme SignatureSchemeRsaSha384[] = {
+static const SSLSignatureScheme kSignatureSchemeRsaSha384[] = {
     ssl_sig_rsa_pkcs1_sha384};
-static const SSLSignatureScheme SignatureSchemeRsaSha256[] = {
+static const SSLSignatureScheme kSignatureSchemeRsaSha256[] = {
     ssl_sig_rsa_pkcs1_sha256};
 
 static SSLNamedGroup NamedGroupForEcdsa384(uint16_t version) {
@@ -241,10 +425,10 @@ static SSLNamedGroup NamedGroupForEcdsa384(uint16_t version) {
 // for TLS 1.1 and 1.0, where they should be ignored.
 TEST_P(TlsConnectGeneric, SignatureAlgorithmServerAuth) {
   Reset(TlsAgent::kServerEcdsa384);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   Connect();
   CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
             ssl_sig_ecdsa_secp384r1_sha384);
@@ -273,8 +457,8 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmClientOnly) {
 // Defaults on the client include the provided option.
 TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
   Reset(TlsAgent::kServerEcdsa384);
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   Connect();
   CheckKeys(ssl_kea_ecdh, NamedGroupForEcdsa384(version_), ssl_auth_ecdsa,
             ssl_sig_ecdsa_secp384r1_sha384);
@@ -283,16 +467,16 @@ TEST_P(TlsConnectGeneric, SignatureAlgorithmServerOnly) {
 // In TLS 1.2, curve and hash aren't bound together.
 TEST_P(TlsConnectTls12, SignatureSchemeCurveMismatch) {
   Reset(TlsAgent::kServerEcdsa256);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   Connect();
 }
 
 // In TLS 1.3, curve and hash are coupled.
 TEST_P(TlsConnectTls13, SignatureSchemeCurveMismatch) {
   Reset(TlsAgent::kServerEcdsa256);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
   client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
@@ -301,16 +485,16 @@ TEST_P(TlsConnectTls13, SignatureSchemeCurveMismatch) {
 // Configuring a P-256 cert with only SHA-384 signatures is OK in TLS 1.2.
 TEST_P(TlsConnectTls12, SignatureSchemeBadConfig) {
   Reset(TlsAgent::kServerEcdsa256);  // P-256 cert can't be used.
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   Connect();
 }
 
 // A P-256 certificate in TLS 1.3 needs a SHA-256 signature scheme.
 TEST_P(TlsConnectTls13, SignatureSchemeBadConfig) {
   Reset(TlsAgent::kServerEcdsa256);  // P-256 cert can't be used.
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
   ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
   client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
@@ -319,10 +503,10 @@ TEST_P(TlsConnectTls13, SignatureSchemeBadConfig) {
 // Where there is no overlap on signature schemes, we still connect successfully
 // if we aren't going to use a signature.
 TEST_P(TlsConnectGenericPre13, SignatureAlgorithmNoOverlapStaticRsa) {
-  client_->SetSignatureSchemes(SignatureSchemeRsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeRsaSha384));
-  server_->SetSignatureSchemes(SignatureSchemeRsaSha256,
-                               PR_ARRAY_SIZE(SignatureSchemeRsaSha256));
+  client_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeRsaSha256,
+                               PR_ARRAY_SIZE(kSignatureSchemeRsaSha256));
   EnableOnlyStaticRsaCiphers();
   Connect();
   CheckKeys(ssl_kea_rsa, ssl_auth_rsa_decrypt);
@@ -330,10 +514,10 @@ TEST_P(TlsConnectGenericPre13, SignatureAlgorithmNoOverlapStaticRsa) {
 
 TEST_P(TlsConnectTls12Plus, SignatureAlgorithmNoOverlapEcdsa) {
   Reset(TlsAgent::kServerEcdsa256);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha256,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha256));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha256,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha256));
   ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
   server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
@@ -342,10 +526,10 @@ TEST_P(TlsConnectTls12Plus, SignatureAlgorithmNoOverlapEcdsa) {
 // Pre 1.2, a mismatch on signature algorithms shouldn't affect anything.
 TEST_P(TlsConnectPre12, SignatureAlgorithmNoOverlapEcdsa) {
   Reset(TlsAgent::kServerEcdsa256);
-  client_->SetSignatureSchemes(SignatureSchemeEcdsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha384));
-  server_->SetSignatureSchemes(SignatureSchemeEcdsaSha256,
-                               PR_ARRAY_SIZE(SignatureSchemeEcdsaSha256));
+  client_->SetSignatureSchemes(kSignatureSchemeEcdsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeEcdsaSha256,
+                               PR_ARRAY_SIZE(kSignatureSchemeEcdsaSha256));
   Connect();
 }
 
@@ -366,29 +550,6 @@ TEST_P(TlsConnectTls12, SignatureAlgorithmDrop) {
   server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
 }
 
-// Replaces the signature scheme in a TLS 1.3 CertificateVerify message.
-class TlsReplaceSignatureSchemeFilter : public TlsHandshakeFilter {
- public:
-  TlsReplaceSignatureSchemeFilter(const std::shared_ptr<TlsAgent>& a,
-                                  SSLSignatureScheme scheme)
-      : TlsHandshakeFilter(a, {kTlsHandshakeCertificateVerify}),
-        scheme_(scheme) {
-    EnableDecryption();
-  }
-
- protected:
-  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
-                                               const DataBuffer& input,
-                                               DataBuffer* output) {
-    *output = input;
-    output->Write(0, scheme_, 2);
-    return CHANGE;
-  }
-
- private:
-  SSLSignatureScheme scheme_;
-};
-
 TEST_P(TlsConnectTls13, UnsupportedSignatureSchemeAlert) {
   EnsureTlsSetup();
   MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(server_, ssl_sig_none);
@@ -411,8 +572,8 @@ TEST_P(TlsConnectTls13, InconsistentSignatureSchemeAlert) {
 }
 
 TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
-  server_->SetSignatureSchemes(SignatureSchemeRsaSha384,
-                               PR_ARRAY_SIZE(SignatureSchemeRsaSha384));
+  server_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
+                               PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
   server_->RequestClientAuth(false);
   Connect();
 }
@@ -438,7 +599,7 @@ class BeforeFinished : public TlsRecordFilter {
     switch (state_) {
       case BEFORE_CCS:
         // Awaken when we see the CCS.
-        if (header.content_type() == kTlsChangeCipherSpecType) {
+        if (header.content_type() == ssl_ct_change_cipher_spec) {
           before_ccs_();
 
           // Write the CCS out as a separate write, so that we can make
@@ -455,7 +616,7 @@ class BeforeFinished : public TlsRecordFilter {
         break;
 
       case AFTER_CCS:
-        EXPECT_EQ(kTlsHandshakeType, header.content_type());
+        EXPECT_EQ(ssl_ct_handshake, header.content_type());
         // This could check that data contains a Finished message, but it's
         // encrypted, so that's too much extra work.
 
@@ -552,25 +713,11 @@ TEST_F(TlsConnectDatagram13, AuthCompleteBeforeFinished) {
   Connect();
 }
 
-static void TriggerAuthComplete(PollTarget* target, Event event) {
-  std::cerr << "client: call SSL_AuthCertificateComplete" << std::endl;
-  EXPECT_EQ(TIMER_EVENT, event);
-  TlsAgent* client = static_cast<TlsAgent*>(target);
-  EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client->ssl_fd(), 0));
-}
-
 // This test uses a simple AuthCertificateCallback.  Due to the way that the
 // entire server flight is processed, the call to SSL_AuthCertificateComplete
 // will trigger after the Finished message is processed.
 TEST_F(TlsConnectDatagram13, AuthCompleteAfterFinished) {
-  client_->SetAuthCertificateCallback(
-      [this](TlsAgent*, PRBool, PRBool) -> SECStatus {
-        std::shared_ptr<Poller::Timer> timer_handle;
-        // This is really just to unroll the stack.
-        Poller::Instance()->SetTimer(1U, client_.get(), TriggerAuthComplete,
-                                     &timer_handle);
-        return SECWouldBlock;
-      });
+  SetDeferredAuthCertificateCallback(client_, 0);  // 0 = success.
   Connect();
 }
 
@@ -754,15 +901,15 @@ TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1SignAndKEX) {
   PRFileDesc* ssl_fd = agent_->ssl_fd();
   EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
   EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
-  EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
+  EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
 
-  // Configuring for only rsa_sign, rsa_pss, or rsa_decrypt should work.
+  // Configuring for only rsa_sign or rsa_decrypt should work.
   EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
                                        &ServerCertDataRsaPkcs1Decrypt));
   EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
                                        &ServerCertDataRsaPkcs1Sign));
-  EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
-                                       &ServerCertDataRsaPss));
+  EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsa, false,
+                                        &ServerCertDataRsaPss));
 }
 
 // Test RSA cert with usage=[signature].
@@ -772,17 +919,17 @@ TEST_F(TlsAgentStreamTestServer, ConfigureCertRsaPkcs1Sign) {
   PRFileDesc* ssl_fd = agent_->ssl_fd();
   EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_decrypt));
   EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_sign));
-  EXPECT_TRUE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
+  EXPECT_FALSE(SSLInt_HasCertWithAuthType(ssl_fd, ssl_auth_rsa_pss));
 
   // Configuring for only rsa_decrypt should fail.
   EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
                                         &ServerCertDataRsaPkcs1Decrypt));
 
-  // Configuring for only rsa_sign or rsa_pss should work.
+  // Configuring for only rsa_sign should work.
   EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
                                        &ServerCertDataRsaPkcs1Sign));
-  EXPECT_TRUE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
-                                       &ServerCertDataRsaPss));
+  EXPECT_FALSE(agent_->ConfigServerCert(TlsAgent::kServerRsaSign, false,
+                                        &ServerCertDataRsaPss));
 }
 
 // Test RSA cert with usage=[encipherment].
diff --git a/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
index ec289bdd69..194cbab47f 100644
--- a/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -84,6 +84,18 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
           Reset(TlsAgent::kRsa2048);
           auth_type_ = ssl_auth_rsa_sign;
           break;
+        case ssl_sig_rsa_pss_pss_sha256:
+          Reset(TlsAgent::kServerRsaPss);
+          auth_type_ = ssl_auth_rsa_pss;
+          break;
+        case ssl_sig_rsa_pss_pss_sha384:
+          Reset("rsa_pss384");
+          auth_type_ = ssl_auth_rsa_pss;
+          break;
+        case ssl_sig_rsa_pss_pss_sha512:
+          Reset("rsa_pss512");
+          auth_type_ = ssl_auth_rsa_pss;
+          break;
         case ssl_sig_ecdsa_secp256r1_sha256:
           Reset(TlsAgent::kServerEcdsa256);
           auth_type_ = ssl_auth_ecdsa;
@@ -270,7 +282,7 @@ TEST_P(TlsCipherSuiteTest, ReadLimit) {
   } else {
     epoch = 0;
   }
-  TlsAgentTestBase::MakeRecord(variant_, kTlsApplicationDataType, version_,
+  TlsAgentTestBase::MakeRecord(variant_, ssl_ct_application_data, version_,
                                payload, sizeof(payload), &record,
                                (epoch << 48) | record_limit());
   client_->SendDirect(record);
@@ -310,14 +322,13 @@ static const auto kDummyNamedGroupParams = ::testing::Values(ssl_grp_none);
 static const auto kDummySignatureSchemesParams =
     ::testing::Values(ssl_sig_none);
 
-#ifndef NSS_DISABLE_TLS_1_3
 static SSLSignatureScheme kSignatureSchemesParamsArr[] = {
     ssl_sig_rsa_pkcs1_sha256,       ssl_sig_rsa_pkcs1_sha384,
     ssl_sig_rsa_pkcs1_sha512,       ssl_sig_ecdsa_secp256r1_sha256,
     ssl_sig_ecdsa_secp384r1_sha384, ssl_sig_rsa_pss_rsae_sha256,
     ssl_sig_rsa_pss_rsae_sha384,    ssl_sig_rsa_pss_rsae_sha512,
-};
-#endif
+    ssl_sig_rsa_pss_pss_sha256,     ssl_sig_rsa_pss_pss_sha384,
+    ssl_sig_rsa_pss_pss_sha512};
 
 INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams,
                           kDummySignatureSchemesParams,
@@ -372,6 +383,14 @@ INSTANTIATE_CIPHER_TEST_P(
     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA);
+INSTANTIATE_CIPHER_TEST_P(
+    TLS12SigSchemes, All, V12, ::testing::ValuesIn(kFasterDHEGroups),
+    ::testing::ValuesIn(kSignatureSchemesParamsArr),
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+    TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
 #ifndef NSS_DISABLE_TLS_1_3
 INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
                           ::testing::ValuesIn(kFasterDHEGroups),
diff --git a/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
index 5be62e5065..68c789a383 100644
--- a/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_custext_unittest.cc
@@ -132,7 +132,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionEmptyWriterServer) {
   // Sending extensions that the client doesn't expect leads to extensions
   // appearing even if the client didn't send one, or in the wrong messages.
   client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 }
 
@@ -350,7 +350,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionUnsolicitedServer) {
   auto capture = MakeTlsFilter<TlsExtensionCapture>(server_, extension_code);
 
   client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 
   EXPECT_TRUE(capture->captured());
@@ -401,7 +401,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionClientReject) {
   EXPECT_EQ(SECSuccess, rv);
 
   client_->ExpectSendAlert(kTlsAlertHandshakeFailure);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 }
 
@@ -451,7 +451,7 @@ TEST_F(TlsConnectStreamTls13, CustomExtensionClientRejectAlert) {
   EXPECT_EQ(SECSuccess, rv);
 
   client_->ExpectSendAlert(kCustomAlert);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_damage_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_damage_unittest.cc
index b8836d7fc2..0723c9bee5 100644
--- a/security/nss/gtests/ssl_gtest/ssl_damage_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_damage_unittest.cc
@@ -17,7 +17,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
index b99461632c..f1ccc28644 100644
--- a/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc
@@ -13,7 +13,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -643,4 +643,43 @@ TEST_P(TlsConnectGenericPre13, InvalidDERSignatureFfdhe) {
   client_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
 }
 
+// Replace SignatureAndHashAlgorithm of a SKE.
+class DHEServerKEXSigAlgReplacer : public TlsHandshakeFilter {
+ public:
+  DHEServerKEXSigAlgReplacer(const std::shared_ptr<TlsAgent>& server,
+                             SSLSignatureScheme sig_scheme)
+      : TlsHandshakeFilter(server, {kTlsHandshakeServerKeyExchange}),
+        sig_scheme_(sig_scheme) {}
+
+ protected:
+  virtual PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
+                                               const DataBuffer& input,
+                                               DataBuffer* output) {
+    *output = input;
+
+    uint32_t len;
+    uint32_t idx = 0;
+    EXPECT_TRUE(output->Read(idx, 2, &len));
+    idx += 2 + len;
+    EXPECT_TRUE(output->Read(idx, 2, &len));
+    idx += 2 + len;
+    EXPECT_TRUE(output->Read(idx, 2, &len));
+    idx += 2 + len;
+    output->Write(idx, sig_scheme_, 2);
+
+    return CHANGE;
+  }
+
+ private:
+  SSLSignatureScheme sig_scheme_;
+};
+
+TEST_P(TlsConnectTls12, ConnectInconsistentSigAlgDHE) {
+  EnableOnlyDheCiphers();
+
+  MakeTlsFilter<DHEServerKEXSigAlgReplacer>(server_,
+                                            ssl_sig_ecdsa_secp256r1_sha256);
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+}
+
 }  // namespace nss_test
diff --git a/security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc
index e5b52ff06b..f25efc77ad 100644
--- a/security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc
@@ -14,7 +14,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -123,7 +123,7 @@ class TlsDropDatagram13 : public TlsConnectDatagram13,
 
     void Init(const std::shared_ptr<TlsAgent>& agent) {
       records_ = std::make_shared<TlsRecordRecorder>(agent);
-      ack_ = std::make_shared<TlsRecordRecorder>(agent, content_ack);
+      ack_ = std::make_shared<TlsRecordRecorder>(agent, ssl_ct_ack);
       ack_->EnableDecryption();
       drop_ = std::make_shared<SelectiveRecordDropFilter>(agent, 0, false);
       chain_ = std::make_shared<ChainedPacketFilter>(
@@ -670,7 +670,7 @@ TEST_P(TlsDropDatagram13, SendOutOfOrderAppWithHandshakeKey) {
   ASSERT_NE(nullptr, spec.get());
   ASSERT_EQ(2, spec->epoch());
   ASSERT_TRUE(client_->SendEncryptedRecord(spec, 0x0002000000000002,
-                                           kTlsApplicationDataType,
+                                           ssl_ct_application_data,
                                            DataBuffer(buf, sizeof(buf))));
 
   // Now have the server consume the bogus message.
@@ -696,7 +696,7 @@ TEST_P(TlsDropDatagram13, SendOutOfOrderHsNonsenseWithHandshakeKey) {
   ASSERT_NE(nullptr, spec.get());
   ASSERT_EQ(2, spec->epoch());
   ASSERT_TRUE(client_->SendEncryptedRecord(spec, 0x0002000000000002,
-                                           kTlsHandshakeType,
+                                           ssl_ct_handshake,
                                            DataBuffer(buf, sizeof(buf))));
   server_->Handshake();
   EXPECT_EQ(2UL, server_filters_.ack_->count());
@@ -899,7 +899,7 @@ class TlsReplaceFirstRecordWithJunk : public TlsRecordFilter {
     }
     replaced_ = true;
     TlsRecordHeader out_header(header.variant(), header.version(),
-                               kTlsApplicationDataType,
+                               ssl_ct_application_data,
                                header.sequence_number());
 
     static const uint8_t junk[] = {1, 2, 3, 4};
diff --git a/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
index 12c6e8516c..f1cf1fabca 100644
--- a/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -17,7 +17,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_ems_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_ems_unittest.cc
index dad6ca0265..39b2d58736 100644
--- a/security/nss/gtests/ssl_gtest/ssl_ems_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_ems_unittest.cc
@@ -10,7 +10,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
index 6965e9ca75..5819af7468 100644
--- a/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -9,6 +9,9 @@
 #include "sslerr.h"
 #include "sslproto.h"
 
+// This is only to get DTLS_1_3_DRAFT_VERSION
+#include "ssl3prot.h"
+
 #include <memory>
 
 #include "tls_connect.h"
@@ -41,28 +44,6 @@ class TlsExtensionTruncator : public TlsExtensionFilter {
   size_t length_;
 };
 
-class TlsExtensionDamager : public TlsExtensionFilter {
- public:
-  TlsExtensionDamager(const std::shared_ptr<TlsAgent>& a, uint16_t extension,
-                      size_t index)
-      : TlsExtensionFilter(a), extension_(extension), index_(index) {}
-  virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
-                                               const DataBuffer& input,
-                                               DataBuffer* output) {
-    if (extension_type != extension_) {
-      return KEEP;
-    }
-
-    *output = input;
-    output->data()[index_] += 73;  // Increment selected for maximum damage
-    return CHANGE;
-  }
-
- private:
-  uint16_t extension_;
-  size_t index_;
-};
-
 class TlsExtensionAppender : public TlsHandshakeFilter {
  public:
   TlsExtensionAppender(const std::shared_ptr<TlsAgent>& a,
@@ -454,6 +435,25 @@ TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsOddLength) {
       client_, ssl_signature_algorithms_xtn, extension));
 }
 
+TEST_F(TlsExtensionTest13Stream, SignatureAlgorithmsPrecedingGarbage) {
+  // 31 unknown signature algorithms followed by sha-256, rsa
+  const uint8_t val[] = {
+      0x00, 0x40, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x01};
+  DataBuffer extension(val, sizeof(val));
+  MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_signature_algorithms_xtn,
+                                      extension);
+  client_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  ConnectExpectFail();
+  client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+  server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+}
+
 TEST_P(TlsExtensionTestGeneric, NoSupportedGroups) {
   ClientHelloErrorTest(
       std::make_shared<TlsExtensionDropper>(client_, ssl_supported_groups_xtn),
@@ -563,10 +563,10 @@ TEST_F(TlsExtensionTest13Stream, DropServerKeyShare) {
   EnsureTlsSetup();
   MakeTlsFilter<TlsExtensionDropper>(server_, ssl_tls13_key_share_xtn);
   client_->ExpectSendAlert(kTlsAlertMissingExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
   EXPECT_EQ(SSL_ERROR_MISSING_KEY_SHARE, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
 TEST_F(TlsExtensionTest13Stream, WrongServerKeyShare) {
@@ -583,13 +583,12 @@ TEST_F(TlsExtensionTest13Stream, WrongServerKeyShare) {
   EnsureTlsSetup();
   MakeTlsFilter<TlsExtensionReplacer>(server_, ssl_tls13_key_share_xtn, buf);
   client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
   EXPECT_EQ(SSL_ERROR_RX_MALFORMED_KEY_SHARE, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
-// TODO(ekr@rtfm.com): This is the wrong error code. See bug 1307269.
 TEST_F(TlsExtensionTest13Stream, UnknownServerKeyShare) {
   const uint16_t wrong_group = 0xffff;
 
@@ -603,11 +602,11 @@ TEST_F(TlsExtensionTest13Stream, UnknownServerKeyShare) {
   DataBuffer buf(key_share, sizeof(key_share));
   EnsureTlsSetup();
   MakeTlsFilter<TlsExtensionReplacer>(server_, ssl_tls13_key_share_xtn, buf);
-  client_->ExpectSendAlert(kTlsAlertMissingExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  client_->ExpectSendAlert(kTlsAlertIllegalParameter);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
-  EXPECT_EQ(SSL_ERROR_MISSING_KEY_SHARE, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_MALFORMED_KEY_SHARE, client_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
 TEST_F(TlsExtensionTest13Stream, AddServerSignatureAlgorithmsOnResumption) {
@@ -616,10 +615,10 @@ TEST_F(TlsExtensionTest13Stream, AddServerSignatureAlgorithmsOnResumption) {
   MakeTlsFilter<TlsExtensionInjector>(server_, ssl_signature_algorithms_xtn,
                                       empty);
   client_->ExpectSendAlert(kTlsAlertUnsupportedExtension);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
   EXPECT_EQ(SSL_ERROR_EXTENSION_DISALLOWED_FOR_VERSION, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
 struct PskIdentity {
@@ -912,23 +911,32 @@ TEST_P(TlsExtensionTest13, RemoveTls13FromVersionListServerV12) {
 // 3. Server supports 1.2 and 1.3, client supports 1.2 and 1.3
 // but advertises 1.2 (because we changed things).
 TEST_P(TlsExtensionTest13, RemoveTls13FromVersionListBothV12) {
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_3);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_3);
-#ifndef TLS_1_3_DRAFT_VERSION
-  ExpectAlert(server_, kTlsAlertIllegalParameter);
-#else
-  ExpectAlert(server_, kTlsAlertDecryptError);
+// The downgrade check is disabled in DTLS 1.3, so all that happens when we
+// tamper with the supported versions is that the Finished check fails.
+#ifdef DTLS_1_3_DRAFT_VERSION
+  if (variant_ == ssl_variant_datagram) {
+    ExpectAlert(server_, kTlsAlertDecryptError);
+  } else
 #endif
+  {
+    ExpectAlert(client_, kTlsAlertIllegalParameter);
+  }
   ConnectWithReplacementVersionList(SSL_LIBRARY_VERSION_TLS_1_2);
-#ifndef TLS_1_3_DRAFT_VERSION
-  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
-  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
-#else
-  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
-  server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+#ifdef DTLS_1_3_DRAFT_VERSION
+  if (variant_ == ssl_variant_datagram) {
+    client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+    server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+  } else
 #endif
+  {
+    client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+    server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
+  }
 }
 
 TEST_P(TlsExtensionTest13, HrrThenRemoveSignatureAlgorithms) {
@@ -1017,7 +1025,7 @@ class TlsBogusExtensionTest13 : public TlsBogusExtensionTest {
     client_->ExpectSendAlert(alert);
     client_->Handshake();
     if (variant_ == ssl_variant_stream) {
-      server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+      server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
     }
     server_->Handshake();
   }
diff --git a/security/nss/gtests/ssl_gtest/ssl_fragment_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_fragment_unittest.cc
index 92947c2c70..3752812633 100644
--- a/security/nss/gtests/ssl_gtest/ssl_fragment_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_fragment_unittest.cc
@@ -10,7 +10,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -106,8 +106,8 @@ class RecordFragmenter : public PacketFilter {
         }
 
         // Just rewrite the sequence number (CCS only).
-        if (header.content_type() != kTlsHandshakeType) {
-          EXPECT_EQ(kTlsChangeCipherSpecType, header.content_type());
+        if (header.content_type() != ssl_ct_handshake) {
+          EXPECT_EQ(ssl_ct_change_cipher_spec, header.content_type());
           WriteRecord(header, record);
           continue;
         }
diff --git a/security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc
index f0afc9118a..f033b78439 100644
--- a/security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc
@@ -33,7 +33,7 @@ class TlsApplicationDataRecorder : public TlsRecordFilter {
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& input,
                                             DataBuffer* output) {
-    if (header.content_type() == kTlsApplicationDataType) {
+    if (header.content_type() == ssl_ct_application_data) {
       buffer_.Append(input);
     }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc
index f47b2f4452..745432951a 100644
--- a/security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_gather_unittest.cc
@@ -15,6 +15,7 @@ class GatherV2ClientHelloTest : public TlsConnectTestBase {
 
   void ConnectExpectMalformedClientHello(const DataBuffer &data) {
     EnsureTlsSetup();
+    server_->SetOption(SSL_ENABLE_V2_COMPATIBLE_HELLO, PR_TRUE);
     server_->ExpectSendAlert(kTlsAlertIllegalParameter);
     client_->SendDirect(data);
     server_->StartConnect();
diff --git a/security/nss/gtests/ssl_gtest/ssl_gtest.gyp b/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
index 17677713d6..be1c4ea325 100644
--- a/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
+++ b/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
@@ -51,6 +51,7 @@
         'tls_connect.cc',
         'tls_filter.cc',
         'tls_hkdf_unittest.cc',
+        'tls_esni_unittest.cc',
         'tls_protect.cc'
       ],
       'dependencies': [
diff --git a/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
index 77b335e86b..27bc036547 100644
--- a/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc
@@ -9,11 +9,11 @@
 #include "sslerr.h"
 #include "sslproto.h"
 
-// This is internal, just to get TLS_1_3_DRAFT_VERSION.
+// This is internal, just to get DTLS_1_3_DRAFT_VERSION.
 #include "ssl3prot.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -76,7 +76,7 @@ class CorrectMessageSeqAfterHrrFilter : public TlsRecordFilter {
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& record, size_t* offset,
                                     DataBuffer* output) {
-    if (filtered_packets() > 0 || header.content_type() != content_handshake) {
+    if (filtered_packets() > 0 || header.content_type() != ssl_ct_handshake) {
       return KEEP;
     }
 
@@ -718,6 +718,86 @@ TEST_F(TlsConnectStreamTls13, RetryStatelessDamageSecondClientHello) {
   client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
 }
 
+// Stream because SSL_SendSessionTicket only supports that.
+TEST_F(TlsConnectStreamTls13, SecondClientHelloSendSameTicket) {
+  // This simulates the scenario described at:
+  // https://bugzilla.mozilla.org/show_bug.cgi?id=1481271#c7
+  //
+  // Here two connections are interleaved.  Tickets are issued on one
+  // connection.  A HelloRetryRequest is triggered on the second connection,
+  // meaning that there are two ClientHellos.  We need to check that both
+  // ClientHellos have the same ticket, even if a new ticket is issued on the
+  // other connection in the meantime.
+  //
+  // Connection 1: <handshake>
+  // Connection 1: S->C: NST=X
+  // Connection 2: C->S: CH [PSK_ID=X]
+  // Connection 1: S->C: NST=Y
+  // Connection 2: S->C: HRR
+  // Connection 2: C->S: CH [PSK_ID=Y]
+
+  // Connection 1, send a ticket after handshake is complete.
+  ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
+
+  Connect();
+
+  // Set this token so that RetryHelloWithToken() will check that this
+  // is the token that it receives in the HelloRetryRequest callback.
+  EXPECT_EQ(SECSuccess,
+            SSL_SendSessionTicket(server_->ssl_fd(), kApplicationToken,
+                                  sizeof(kApplicationToken)));
+  SendReceive(50);
+
+  // Connection 2, trigger HRR.
+  auto client2 =
+      std::make_shared<TlsAgent>(client_->name(), TlsAgent::CLIENT, variant_);
+  auto server2 =
+      std::make_shared<TlsAgent>(server_->name(), TlsAgent::SERVER, variant_);
+
+  client2->SetPeer(server2);
+  server2->SetPeer(client2);
+
+  client_.swap(client2);
+  server_.swap(server2);
+
+  ConfigureSessionCache(RESUME_TICKET, RESUME_TICKET);
+
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+
+  client_->StartConnect();
+  server_->StartConnect();
+
+  size_t cb_called = 0;
+  EXPECT_EQ(SECSuccess,
+            SSL_HelloRetryRequestCallback(server_->ssl_fd(),
+                                          RetryHelloWithToken, &cb_called));
+  client_->Handshake();  // Send ClientHello.
+  server_->Handshake();  // Process ClientHello, send HelloRetryRequest.
+
+  EXPECT_EQ(1U, cb_called) << "callback should be called once here";
+
+  // Connection 1, send another ticket.
+  client_.swap(client2);
+  server_.swap(server2);
+
+  // If the client uses this token, RetryHelloWithToken() will fail the test.
+  const uint8_t kAnotherApplicationToken[] = {0x92, 0x44, 0x01};
+  EXPECT_EQ(SECSuccess,
+            SSL_SendSessionTicket(server_->ssl_fd(), kAnotherApplicationToken,
+                                  sizeof(kAnotherApplicationToken)));
+  SendReceive(60);
+
+  // Connection 2, continue the handshake.
+  // The client should use kApplicationToken, not kAnotherApplicationToken.
+  client_.swap(client2);
+  server_.swap(server2);
+
+  client_->Handshake();
+  server_->Handshake();
+
+  EXPECT_EQ(2U, cb_called) << "callback should be called twice here";
+}
+
 // Read the cipher suite from the HRR and disable it on the identified agent.
 static void DisableSuiteFromHrr(
     std::shared_ptr<TlsAgent>& agent,
@@ -844,10 +924,10 @@ TEST_F(TlsConnectStreamTls13, RetryWithDifferentCipherSuite) {
                                              TLS_CHACHA20_POLY1305_SHA256);
 
   client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
   EXPECT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_BAD_MAC_READ, server_->error_code());
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
 }
 
 // This tests that the second attempt at sending a ClientHello (after receiving
@@ -1007,14 +1087,17 @@ class HelloRetryRequestAgentTest : public TlsAgentTestClient {
     // Now the supported version.
     i = hrr_data.Write(i, ssl_tls13_supported_versions_xtn, 2);
     i = hrr_data.Write(i, 2, 2);
-    i = hrr_data.Write(i, 0x7f00 | TLS_1_3_DRAFT_VERSION, 2);
+    i = hrr_data.Write(i, (variant_ == ssl_variant_datagram)
+                              ? (0x7f00 | DTLS_1_3_DRAFT_VERSION)
+                              : SSL_LIBRARY_VERSION_TLS_1_3,
+                       2);
     if (len) {
       hrr_data.Write(i, body, len);
     }
     DataBuffer hrr;
     MakeHandshakeMessage(kTlsHandshakeServerHello, hrr_data.data(),
                          hrr_data.len(), &hrr, seq_num);
-    MakeRecord(kTlsHandshakeType, SSL_LIBRARY_VERSION_TLS_1_3, hrr.data(),
+    MakeRecord(ssl_ct_handshake, SSL_LIBRARY_VERSION_TLS_1_3, hrr.data(),
                hrr.len(), hrr_record, seq_num);
   }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_keyupdate_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_keyupdate_unittest.cc
index d03775c25d..d6ac99a58d 100644
--- a/security/nss/gtests/ssl_gtest/ssl_keyupdate_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_keyupdate_unittest.cc
@@ -15,7 +15,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_loopback_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
index 5adbd9dc71..12c2496a6e 100644
--- a/security/nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
@@ -18,7 +18,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -65,7 +65,7 @@ class TlsAlertRecorder : public TlsRecordFilter {
     if (level_ != 255) {  // Already captured.
       return KEEP;
     }
-    if (header.content_type() != kTlsAlertType) {
+    if (header.content_type() != ssl_ct_alert) {
       return KEEP;
     }
 
@@ -130,7 +130,7 @@ TEST_P(TlsConnectTls13, CaptureAlertClient) {
   client_->Handshake();
   if (variant_ == ssl_variant_stream) {
     // DTLS just drops the alert it can't decrypt.
-    server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+    server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   }
   server_->Handshake();
   EXPECT_EQ(kTlsAlertFatal, alert_recorder->level());
@@ -320,6 +320,53 @@ TEST_F(TlsConnectStreamTls13, DropRecordClient) {
   SendReceive();
 }
 
+// Check that a server can use 0.5 RTT if client authentication isn't enabled.
+TEST_P(TlsConnectTls13, WriteBeforeClientFinished) {
+  EnsureTlsSetup();
+  StartConnect();
+  client_->Handshake();  // ClientHello
+  server_->Handshake();  // ServerHello
+
+  server_->SendData(10);
+  client_->ReadBytes(10);  // Client should emit the Finished as a side-effect.
+  server_->Handshake();    // Server consumes the Finished.
+  CheckConnected();
+}
+
+// We don't allow 0.5 RTT if client authentication is requested.
+TEST_P(TlsConnectTls13, WriteBeforeClientFinishedClientAuth) {
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(false);
+  StartConnect();
+  client_->Handshake();  // ClientHello
+  server_->Handshake();  // ServerHello
+
+  static const uint8_t data[] = {1, 2, 3};
+  EXPECT_GT(0, PR_Write(server_->ssl_fd(), data, sizeof(data)));
+  EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
+
+  Handshake();
+  CheckConnected();
+  SendReceive();
+}
+
+// 0.5 RTT should fail with client authentication required.
+TEST_P(TlsConnectTls13, WriteBeforeClientFinishedClientAuthRequired) {
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+  StartConnect();
+  client_->Handshake();  // ClientHello
+  server_->Handshake();  // ServerHello
+
+  static const uint8_t data[] = {1, 2, 3};
+  EXPECT_GT(0, PR_Write(server_->ssl_fd(), data, sizeof(data)));
+  EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
+
+  Handshake();
+  CheckConnected();
+  SendReceive();
+}
+
 // The next two tests takes advantage of the fact that we
 // automatically read the first 1024 bytes, so if
 // we provide 1200 bytes, they overrun the read buffer
@@ -426,13 +473,15 @@ class TlsPreCCSHeaderInjector : public TlsRecordFilter {
   virtual PacketFilter::Action FilterRecord(
       const TlsRecordHeader& record_header, const DataBuffer& input,
       size_t* offset, DataBuffer* output) override {
-    if (record_header.content_type() != kTlsChangeCipherSpecType) return KEEP;
+    if (record_header.content_type() != ssl_ct_change_cipher_spec) {
+      return KEEP;
+    }
 
     std::cerr << "Injecting Finished header before CCS\n";
     const uint8_t hhdr[] = {kTlsHandshakeFinished, 0x00, 0x00, 0x0c};
     DataBuffer hhdr_buf(hhdr, sizeof(hhdr));
     TlsRecordHeader nhdr(record_header.variant(), record_header.version(),
-                         kTlsHandshakeType, 0);
+                         ssl_ct_handshake, 0);
     *offset = nhdr.Write(output, *offset, hhdr_buf);
     *offset = record_header.Write(output, *offset, input);
     return CHANGE;
@@ -477,6 +526,26 @@ TEST_P(TlsConnectTls13, AlertWrongLevel) {
   client_->WaitForErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT, 2000);
 }
 
+TEST_P(TlsConnectTls13, UnknownRecord) {
+  static const uint8_t kUknownRecord[] = {
+      0xff, SSL_LIBRARY_VERSION_TLS_1_2 >> 8,
+      SSL_LIBRARY_VERSION_TLS_1_2 & 0xff, 0, 0};
+
+  Connect();
+  if (variant_ == ssl_variant_stream) {
+    // DTLS just drops the record with an invalid type.
+    server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+  }
+  client_->SendDirect(DataBuffer(kUknownRecord, sizeof(kUknownRecord)));
+  server_->ExpectReadWriteError();
+  server_->ReadBytes();
+  if (variant_ == ssl_variant_stream) {
+    EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
+  } else {
+    EXPECT_EQ(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE, server_->error_code());
+  }
+}
+
 TEST_F(TlsConnectStreamTls13, Tls13FailedWriteSecondFlight) {
   EnsureTlsSetup();
   StartConnect();
@@ -539,6 +608,126 @@ TEST_F(TlsConnectTest, OneNRecordSplitting) {
   EXPECT_EQ(ExpectedCbcLen(20), records->record(2).buffer.len());
 }
 
+// We can't test for randomness easily here, but we can test that we don't
+// produce a zero value, or produce the same value twice.  There are 5 values
+// here: two ClientHello.random, two ServerHello.random, and one zero value.
+// Matrix them and fail if any are the same.
+TEST_P(TlsConnectGeneric, CheckRandoms) {
+  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
+
+  static const size_t random_len = 32;
+  uint8_t crandom1[random_len], srandom1[random_len];
+  uint8_t z[random_len] = {0};
+
+  auto ch = MakeTlsFilter<TlsHandshakeRecorder>(client_, ssl_hs_client_hello);
+  auto sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
+  Connect();
+  ASSERT_TRUE(ch->buffer().len() > (random_len + 2));
+  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
+  memcpy(crandom1, ch->buffer().data() + 2, random_len);
+  memcpy(srandom1, sh->buffer().data() + 2, random_len);
+  EXPECT_NE(0, memcmp(crandom1, srandom1, random_len));
+  EXPECT_NE(0, memcmp(crandom1, z, random_len));
+  EXPECT_NE(0, memcmp(srandom1, z, random_len));
+
+  Reset();
+  ch = MakeTlsFilter<TlsHandshakeRecorder>(client_, ssl_hs_client_hello);
+  sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
+  Connect();
+  ASSERT_TRUE(ch->buffer().len() > (random_len + 2));
+  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
+  const uint8_t* crandom2 = ch->buffer().data() + 2;
+  const uint8_t* srandom2 = sh->buffer().data() + 2;
+
+  EXPECT_NE(0, memcmp(crandom2, srandom2, random_len));
+  EXPECT_NE(0, memcmp(crandom2, z, random_len));
+  EXPECT_NE(0, memcmp(srandom2, z, random_len));
+
+  EXPECT_NE(0, memcmp(crandom1, crandom2, random_len));
+  EXPECT_NE(0, memcmp(crandom1, srandom2, random_len));
+  EXPECT_NE(0, memcmp(srandom1, crandom2, random_len));
+  EXPECT_NE(0, memcmp(srandom1, srandom2, random_len));
+}
+
+void FailOnCloseNotify(const PRFileDesc* fd, void* arg, const SSLAlert* alert) {
+  ADD_FAILURE() << "received alert " << alert->description;
+}
+
+void CheckCloseNotify(const PRFileDesc* fd, void* arg, const SSLAlert* alert) {
+  *reinterpret_cast<bool*>(arg) = true;
+  EXPECT_EQ(close_notify, alert->description);
+  EXPECT_EQ(alert_warning, alert->level);
+}
+
+TEST_P(TlsConnectGeneric, ShutdownOneSide) {
+  Connect();
+
+  // Setup to check alerts.
+  EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(server_->ssl_fd(),
+                                              FailOnCloseNotify, nullptr));
+  EXPECT_EQ(SECSuccess, SSL_AlertReceivedCallback(client_->ssl_fd(),
+                                                  FailOnCloseNotify, nullptr));
+
+  bool client_sent = false;
+  EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(client_->ssl_fd(),
+                                              CheckCloseNotify, &client_sent));
+  bool server_received = false;
+  EXPECT_EQ(SECSuccess,
+            SSL_AlertReceivedCallback(server_->ssl_fd(), CheckCloseNotify,
+                                      &server_received));
+  EXPECT_EQ(PR_SUCCESS, PR_Shutdown(client_->ssl_fd(), PR_SHUTDOWN_SEND));
+
+  // Make sure that the server reads out the close_notify.
+  uint8_t buf[10];
+  EXPECT_EQ(0, PR_Read(server_->ssl_fd(), buf, sizeof(buf)));
+
+  // Reading and writing should still work in the one open direction.
+  EXPECT_TRUE(client_sent);
+  EXPECT_TRUE(server_received);
+  server_->SendData(10, 10);
+  client_->ReadBytes(10);
+
+  // Now close the other side and do the same checks.
+  bool server_sent = false;
+  EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(server_->ssl_fd(),
+                                              CheckCloseNotify, &server_sent));
+  bool client_received = false;
+  EXPECT_EQ(SECSuccess,
+            SSL_AlertReceivedCallback(client_->ssl_fd(), CheckCloseNotify,
+                                      &client_received));
+  EXPECT_EQ(PR_SUCCESS, PR_Shutdown(server_->ssl_fd(), PR_SHUTDOWN_SEND));
+
+  EXPECT_EQ(0, PR_Read(client_->ssl_fd(), buf, sizeof(buf)));
+  EXPECT_TRUE(server_sent);
+  EXPECT_TRUE(client_received);
+}
+
+TEST_P(TlsConnectGeneric, ShutdownOneSideThenCloseTcp) {
+  Connect();
+
+  bool client_sent = false;
+  EXPECT_EQ(SECSuccess, SSL_AlertSentCallback(client_->ssl_fd(),
+                                              CheckCloseNotify, &client_sent));
+  bool server_received = false;
+  EXPECT_EQ(SECSuccess,
+            SSL_AlertReceivedCallback(server_->ssl_fd(), CheckCloseNotify,
+                                      &server_received));
+  EXPECT_EQ(PR_SUCCESS, PR_Shutdown(client_->ssl_fd(), PR_SHUTDOWN_SEND));
+
+  // Make sure that the server reads out the close_notify.
+  uint8_t buf[10];
+  EXPECT_EQ(0, PR_Read(server_->ssl_fd(), buf, sizeof(buf)));
+
+  // Now simulate the underlying connection closing.
+  client_->adapter()->Reset();
+
+  // Now close the other side and see that things don't explode.
+  EXPECT_EQ(PR_SUCCESS, PR_Shutdown(server_->ssl_fd(), PR_SHUTDOWN_SEND));
+
+  EXPECT_GT(0, PR_Read(client_->ssl_fd(), buf, sizeof(buf)));
+  EXPECT_EQ(PR_NOT_CONNECTED_ERROR, PR_GetError());
+}
+
 INSTANTIATE_TEST_CASE_P(
     GenericStream, TlsConnectGeneric,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
diff --git a/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
index 53b11c61a5..f1e85e8983 100644
--- a/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_record_unittest.cc
@@ -111,7 +111,7 @@ class RecordReplacer : public TlsRecordFilter {
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& data,
                                     DataBuffer* changed) override {
-    EXPECT_EQ(kTlsApplicationDataType, header.content_type());
+    EXPECT_EQ(ssl_ct_application_data, header.content_type());
     changed->Allocate(size_);
 
     for (size_t i = 0; i < size_; ++i) {
diff --git a/security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc
index 00651aec5f..0a54ae1a80 100644
--- a/security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc
@@ -10,7 +10,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -34,7 +34,7 @@ class TlsRecordMaximum : public TlsRecordFilter {
                                     DataBuffer* output) override {
     std::cerr << "max: " << record << std::endl;
     // Ignore unprotected packets.
-    if (header.content_type() != kTlsApplicationDataType) {
+    if (header.content_type() != ssl_ct_application_data) {
       return KEEP;
     }
 
@@ -187,7 +187,7 @@ class TlsRecordExpander : public TlsRecordFilter {
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& data,
                                             DataBuffer* changed) {
-    if (header.content_type() != kTlsApplicationDataType) {
+    if (header.content_type() != ssl_ct_application_data) {
       return KEEP;
     }
     changed->Allocate(data.len() + expansion_);
@@ -252,7 +252,7 @@ class TlsRecordPadder : public TlsRecordFilter {
   PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                     const DataBuffer& record, size_t* offset,
                                     DataBuffer* output) override {
-    if (header.content_type() != kTlsApplicationDataType) {
+    if (header.content_type() != ssl_ct_application_data) {
       return KEEP;
     }
 
@@ -262,7 +262,7 @@ class TlsRecordPadder : public TlsRecordFilter {
       return KEEP;
     }
 
-    if (inner_content_type != kTlsApplicationDataType) {
+    if (inner_content_type != ssl_ct_application_data) {
       return KEEP;
     }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_resumption_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_resumption_unittest.cc
index 2cc98a3278..264bde67f6 100644
--- a/security/nss/gtests/ssl_gtest/ssl_resumption_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_resumption_unittest.cc
@@ -18,7 +18,8 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
+#include "scoped_ptrs_ssl.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -171,21 +172,143 @@ TEST_P(TlsConnectGenericResumption, ConnectResumeClientNoneServerBoth) {
   SendReceive();
 }
 
-TEST_P(TlsConnectGenericPre13, ConnectResumeWithHigherVersion) {
+TEST_P(TlsConnectGenericPre13, ResumeWithHigherVersionTls13) {
+  uint16_t lower_version = version_;
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  Connect();
+  SendReceive();
+  CheckKeys();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  EnsureTlsSetup();
+  auto psk_ext = std::make_shared<TlsExtensionCapture>(
+      client_, ssl_tls13_pre_shared_key_xtn);
+  auto ticket_ext =
+      std::make_shared<TlsExtensionCapture>(client_, ssl_session_ticket_xtn);
+  client_->SetFilter(std::make_shared<ChainedPacketFilter>(
+      ChainedPacketFilterInit({psk_ext, ticket_ext})));
+  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  ExpectResumption(RESUME_NONE);
+  Connect();
+
+  // The client shouldn't have sent a PSK, though it will send a ticket.
+  EXPECT_FALSE(psk_ext->captured());
+  EXPECT_TRUE(ticket_ext->captured());
+}
+
+class CaptureSessionId : public TlsHandshakeFilter {
+ public:
+  CaptureSessionId(const std::shared_ptr<TlsAgent>& a)
+      : TlsHandshakeFilter(
+            a, {kTlsHandshakeClientHello, kTlsHandshakeServerHello}),
+        sid_() {}
+
+  const DataBuffer& sid() const { return sid_; }
+
+ protected:
+  PacketFilter::Action FilterHandshake(const HandshakeHeader& header,
+                                       const DataBuffer& input,
+                                       DataBuffer* output) override {
+    // The session_id is in the same place in both Hello messages:
+    size_t offset = 2 + 32;  // Version(2) + Random(32)
+    uint32_t len = 0;
+    EXPECT_TRUE(input.Read(offset, 1, &len));
+    offset++;
+    if (input.len() < offset + len) {
+      ADD_FAILURE() << "session_id overflows the Hello message";
+      return KEEP;
+    }
+    sid_.Assign(input.data() + offset, len);
+    return KEEP;
+  }
+
+ private:
+  DataBuffer sid_;
+};
+
+// Attempting to resume from TLS 1.2 when 1.3 is possible should not result in
+// resumption, though it will appear to be TLS 1.3 compatibility mode if the
+// server uses a session ID.
+TEST_P(TlsConnectGenericPre13, ResumeWithHigherVersionTls13SessionId) {
+  uint16_t lower_version = version_;
   ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
-  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_1);
-  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_1);
+  auto original_sid = MakeTlsFilter<CaptureSessionId>(server_);
+  Connect();
+  CheckKeys();
+  EXPECT_EQ(32U, original_sid->sid().len());
+
+  // The client should now attempt to resume with the session ID from the last
+  // connection.  This looks like compatibility mode, we just want to ensure
+  // that we get TLS 1.3 rather than 1.2 (and no resumption).
+  Reset();
+  auto client_sid = MakeTlsFilter<CaptureSessionId>(client_);
+  auto server_sid = MakeTlsFilter<CaptureSessionId>(server_);
+  ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID);
+  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  ExpectResumption(RESUME_NONE);
+
+  Connect();
+  SendReceive();
+
+  EXPECT_EQ(client_sid->sid(), original_sid->sid());
+  if (variant_ == ssl_variant_stream) {
+    EXPECT_EQ(client_sid->sid(), server_sid->sid());
+  } else {
+    // DTLS servers don't echo the session ID.
+    EXPECT_EQ(0U, server_sid->sid().len());
+  }
+}
+
+TEST_P(TlsConnectPre12, ResumeWithHigherVersionTls12) {
+  uint16_t lower_version = version_;
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   Connect();
 
   Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
   EnsureTlsSetup();
-  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_2);
-  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
-                           SSL_LIBRARY_VERSION_TLS_1_2);
-  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
-                           SSL_LIBRARY_VERSION_TLS_1_2);
+  SetExpectedVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(lower_version, SSL_LIBRARY_VERSION_TLS_1_3);
+  ExpectResumption(RESUME_NONE);
+  Connect();
+}
+
+TEST_P(TlsConnectGenericPre13, ResumeWithLowerVersionFromTls13) {
+  uint16_t original_version = version_;
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  Connect();
+  SendReceive();
+  CheckKeys();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(original_version);
   ExpectResumption(RESUME_NONE);
   Connect();
+  SendReceive();
+}
+
+TEST_P(TlsConnectPre12, ResumeWithLowerVersionFromTls12) {
+  uint16_t original_version = version_;
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_2);
+  Connect();
+  SendReceive();
+  CheckKeys();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(original_version);
+  ExpectResumption(RESUME_NONE);
+  Connect();
+  SendReceive();
 }
 
 TEST_P(TlsConnectGeneric, ConnectResumeClientBothTicketServerTicketForget) {
@@ -276,8 +399,13 @@ TEST_P(TlsConnectGeneric, ConnectResumeCorruptTicket) {
   ASSERT_NE(nullptr, hmac_key);
   SSLInt_SetSelfEncryptMacKey(hmac_key);
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
-  ConnectExpectAlert(server_, illegal_parameter);
-  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+  if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
+    ExpectResumption(RESUME_NONE);
+    Connect();
+  } else {
+    ConnectExpectAlert(server_, illegal_parameter);
+    server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+  }
 }
 
 // This callback switches out the "server" cert used on the server with
@@ -394,6 +522,64 @@ TEST_P(TlsConnectTls13, TestTls13ResumeDifferentGroup) {
             ssl_sig_rsa_pss_rsae_sha256);
 }
 
+// Verify that TLS 1.3 server doesn't request certificate in the main
+// handshake, after resumption.
+TEST_P(TlsConnectTls13, TestTls13ResumeNoCertificateRequest) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+  Connect();
+  SendReceive();  // Need to read so that we absorb the session ticket.
+  ScopedCERTCertificate cert1(SSL_LocalCertificate(client_->ssl_fd()));
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  ExpectResumption(RESUME_TICKET);
+  server_->RequestClientAuth(false);
+  auto cr_capture =
+      MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_certificate_request);
+  cr_capture->EnableDecryption();
+  Connect();
+  SendReceive();
+  EXPECT_EQ(0U, cr_capture->buffer().len()) << "expect nothing captured yet";
+
+  // Sanity check whether the client certificate matches the one
+  // decrypted from ticket.
+  ScopedCERTCertificate cert2(SSL_PeerCertificate(server_->ssl_fd()));
+  EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert));
+}
+
+// Here we test that 0.5 RTT is available at the server when resuming, even if
+// configured to request a client certificate.  The resumed handshake relies on
+// the authentication from the original handshake, so no certificate is
+// requested this time around.  The server can write before the handshake
+// completes because the PSK binder is sufficient authentication for the client.
+TEST_P(TlsConnectTls13, WriteBeforeHandshakeCompleteOnResumption) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+  Connect();
+  SendReceive();  // Absorb the session ticket.
+  ScopedCERTCertificate cert1(SSL_LocalCertificate(client_->ssl_fd()));
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
+  ExpectResumption(RESUME_TICKET);
+  server_->RequestClientAuth(false);
+  StartConnect();
+  client_->Handshake();  // ClientHello
+  server_->Handshake();  // ServerHello
+
+  server_->SendData(10);
+  client_->ReadBytes(10);  // Client should emit the Finished as a side-effect.
+  server_->Handshake();    // Server consumes the Finished.
+  CheckConnected();
+
+  // Check whether the client certificate matches the one from the ticket.
+  ScopedCERTCertificate cert2(SSL_PeerCertificate(server_->ssl_fd()));
+  EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert));
+}
+
 // We need to enable different cipher suites at different times in the following
 // tests.  Those cipher suites need to be suited to the version.
 static uint16_t ChooseOneCipher(uint16_t version) {
@@ -467,7 +653,7 @@ TEST_P(TlsConnectStream, TestResumptionOverrideCipher) {
 
   if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
     client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-    server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+    server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   } else {
     ExpectAlert(client_, kTlsAlertHandshakeFailure);
   }
@@ -476,7 +662,7 @@ TEST_P(TlsConnectStream, TestResumptionOverrideCipher) {
   if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
     // The reason this test is stream only: the server is unable to decrypt
     // the alert that the client sends, see bug 1304603.
-    server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+    server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
   } else {
     server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
   }
@@ -760,6 +946,36 @@ TEST_F(TlsConnectDatagram13, SendSessionTicketDtls) {
   EXPECT_EQ(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, PORT_GetError());
 }
 
+TEST_F(TlsConnectStreamTls13, ExternalResumptionUseSecondTicket) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+
+  struct ResumptionTicketState {
+    std::vector<uint8_t> ticket;
+    size_t invoked = 0;
+  } ticket_state;
+  auto cb = [](PRFileDesc* fd, const PRUint8* ticket, unsigned int ticket_len,
+               void* arg) -> SECStatus {
+    auto state = reinterpret_cast<ResumptionTicketState*>(arg);
+    state->ticket.assign(ticket, ticket + ticket_len);
+    state->invoked++;
+    return SECSuccess;
+  };
+  SSL_SetResumptionTokenCallback(client_->ssl_fd(), cb, &ticket_state);
+
+  Connect();
+  EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0));
+  SendReceive();
+  EXPECT_EQ(2U, ticket_state.invoked);
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  client_->SetResumptionToken(ticket_state.ticket);
+  ExpectResumption(RESUME_TICKET);
+  Connect();
+  SendReceive();
+}
+
 TEST_F(TlsConnectTest, TestTls13ResumptionDowngrade) {
   ConfigureSessionCache(RESUME_BOTH, RESUME_TICKET);
   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
@@ -830,10 +1046,10 @@ TEST_F(TlsConnectTest, TestTls13ResumptionForcedDowngrade) {
   // client expects to receive an unencrypted TLS 1.2 Certificate message.
   // The server can't decrypt the alert.
   client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);  // Server can't read
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);  // Server can't read
   ConnectExpectFail();
   client_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
-  server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+  server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
 }
 
 TEST_P(TlsConnectGenericResumption, ReConnectTicket) {
@@ -908,6 +1124,36 @@ void CheckGetInfoResult(uint32_t alpnSize, uint32_t earlyDataSize,
   EXPECT_EQ(0, memcmp("a", token->alpnSelection, token->alpnSelectionLen));
 
   ASSERT_EQ(earlyDataSize, token->maxEarlyDataSize);
+
+  ASSERT_LT(ssl_TimeUsec(), token->expirationTime);
+}
+
+// The client should generate a new, randomized session_id
+// when resuming using an external token.
+TEST_P(TlsConnectGenericResumptionToken, CheckSessionId) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  auto original_sid = MakeTlsFilter<CaptureSessionId>(client_);
+  Connect();
+  SendReceive();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ExpectResumption(RESUME_TICKET);
+
+  StartConnect();
+  ASSERT_TRUE(client_->MaybeSetResumptionToken());
+  auto resumed_sid = MakeTlsFilter<CaptureSessionId>(client_);
+
+  Handshake();
+  CheckConnected();
+  SendReceive();
+
+  if (version_ < SSL_LIBRARY_VERSION_TLS_1_3) {
+    EXPECT_NE(resumed_sid->sid(), original_sid->sid());
+    EXPECT_EQ(32U, resumed_sid->sid().len());
+  } else {
+    EXPECT_EQ(0U, resumed_sid->sid().len());
+  }
 }
 
 TEST_P(TlsConnectGenericResumptionToken, ConnectResumeGetInfo) {
@@ -1026,4 +1272,34 @@ TEST_P(TlsConnectGenericResumption, ConnectResumeClientAuth) {
   SendReceive();
 }
 
+TEST_F(TlsConnectStreamTls13, ExternalTokenAfterHrr) {
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  Connect();
+  SendReceive();
+
+  Reset();
+  ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
+  ExpectResumption(RESUME_TICKET);
+
+  static const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1,
+                                                    ssl_grp_ec_secp521r1};
+  server_->ConfigNamedGroups(groups);
+
+  StartConnect();
+  ASSERT_TRUE(client_->MaybeSetResumptionToken());
+
+  client_->Handshake();  // Send ClientHello.
+  server_->Handshake();  // Process ClientHello, send HelloRetryRequest.
+
+  auto& token = client_->GetResumptionToken();
+  SECStatus rv =
+      SSL_SetResumptionToken(client_->ssl_fd(), token.data(), token.size());
+  ASSERT_EQ(SECFailure, rv);
+  ASSERT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError());
+
+  Handshake();
+  CheckConnected();
+  SendReceive();
+}
+
 }  // namespace nss_test
diff --git a/security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc
index 9ef19653bc..3ed42e86b3 100644
--- a/security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc
@@ -32,7 +32,7 @@ class TlsHandshakeSkipFilter : public TlsRecordFilter {
   virtual PacketFilter::Action FilterRecord(
       const TlsRecordHeader& record_header, const DataBuffer& input,
       DataBuffer* output) {
-    if (record_header.content_type() != kTlsHandshakeType) {
+    if (record_header.content_type() != ssl_ct_handshake) {
       return KEEP;
     }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
index ff4091b9a3..abddaa5b61 100644
--- a/security/nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
@@ -17,7 +17,7 @@ extern "C" {
 }
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
index 42f1065f6e..ecb63d4764 100644
--- a/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
@@ -82,7 +82,7 @@ class Tls13CompatTest : public TlsConnectStreamTls13 {
         // Only the second record can be a CCS.
         bool expected_match = expected && (i == 1);
         EXPECT_EQ(expected_match,
-                  kTlsChangeCipherSpecType ==
+                  ssl_ct_change_cipher_spec ==
                       records_->record(i).header.content_type());
       }
     }
@@ -299,15 +299,15 @@ TEST_F(TlsConnectTest, TLS13NonCompatModeSessionID) {
 
   MakeTlsFilter<TlsSessionIDInjectFilter>(server_);
   client_->ExpectSendAlert(kTlsAlertIllegalParameter);
-  server_->ExpectSendAlert(kTlsAlertBadRecordMac);
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
   ConnectExpectFail();
 
   client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
-  server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
+  server_->CheckErrorCode(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
 }
 
 static const uint8_t kCannedCcs[] = {
-    kTlsChangeCipherSpecType,
+    ssl_ct_change_cipher_spec,
     SSL_LIBRARY_VERSION_TLS_1_2 >> 8,
     SSL_LIBRARY_VERSION_TLS_1_2 & 0xff,
     0,
@@ -362,6 +362,19 @@ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecBeforeClientHello12) {
   client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
 }
 
+TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterFinished13) {
+  EnsureTlsSetup();
+  ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  Connect();
+  SendReceive(10);
+  // Client sends CCS after the handshake.
+  client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+  server_->ExpectReadWriteError();
+  server_->ReadBytes();
+  EXPECT_EQ(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, server_->error_code());
+}
+
 TEST_F(TlsConnectDatagram13, CompatModeDtlsClient) {
   EnsureTlsSetup();
   client_->SetOption(SSL_ENABLE_TLS13_COMPAT_MODE, PR_TRUE);
@@ -370,14 +383,14 @@ TEST_F(TlsConnectDatagram13, CompatModeDtlsClient) {
   Connect();
 
   ASSERT_EQ(2U, client_records->count());  // CH, Fin
-  EXPECT_EQ(kTlsHandshakeType, client_records->record(0).header.content_type());
-  EXPECT_EQ(kTlsApplicationDataType,
+  EXPECT_EQ(ssl_ct_handshake, client_records->record(0).header.content_type());
+  EXPECT_EQ(ssl_ct_application_data,
             client_records->record(1).header.content_type());
 
   ASSERT_EQ(6U, server_records->count());  // SH, EE, CT, CV, Fin, Ack
-  EXPECT_EQ(kTlsHandshakeType, server_records->record(0).header.content_type());
+  EXPECT_EQ(ssl_ct_handshake, server_records->record(0).header.content_type());
   for (size_t i = 1; i < server_records->count(); ++i) {
-    EXPECT_EQ(kTlsApplicationDataType,
+    EXPECT_EQ(ssl_ct_application_data,
               server_records->record(i).header.content_type());
   }
 }
@@ -422,12 +435,12 @@ TEST_F(TlsConnectDatagram13, CompatModeDtlsServer) {
   client_->Handshake();
 
   ASSERT_EQ(1U, client_records->count());
-  EXPECT_EQ(kTlsHandshakeType, client_records->record(0).header.content_type());
+  EXPECT_EQ(ssl_ct_handshake, client_records->record(0).header.content_type());
 
   ASSERT_EQ(5U, server_records->count());  // SH, EE, CT, CV, Fin
-  EXPECT_EQ(kTlsHandshakeType, server_records->record(0).header.content_type());
+  EXPECT_EQ(ssl_ct_handshake, server_records->record(0).header.content_type());
   for (size_t i = 1; i < server_records->count(); ++i) {
-    EXPECT_EQ(kTlsApplicationDataType,
+    EXPECT_EQ(ssl_ct_application_data,
               server_records->record(i).header.content_type());
   }
 
diff --git a/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
index 1005957322..cafbcce683 100644
--- a/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc
@@ -151,6 +151,7 @@ class SSLv2ClientHelloTestF : public TlsConnectTestBase {
   void SetUp() override {
     TlsConnectTestBase::SetUp();
     filter_ = MakeTlsFilter<SSLv2ClientHelloFilter>(client_, version_);
+    server_->SetOption(SSL_ENABLE_V2_COMPATIBLE_HELLO, PR_TRUE);
   }
 
   void SetExpectedVersion(uint16_t version) {
@@ -197,6 +198,27 @@ TEST_P(SSLv2ClientHelloTest, Connect) {
   Connect();
 }
 
+TEST_P(SSLv2ClientHelloTest, ConnectDisabled) {
+  server_->SetOption(SSL_ENABLE_V2_COMPATIBLE_HELLO, PR_FALSE);
+  SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
+
+  StartConnect();
+  client_->Handshake();  // Send the modified ClientHello.
+  server_->Handshake();  // Read some.
+  // The problem here is that the v2 ClientHello puts the version where the v3
+  // ClientHello puts a version number.  So the version number (0x0301+) appears
+  // to be a length and server blocks waiting for that much data.
+  EXPECT_EQ(PR_WOULD_BLOCK_ERROR, PORT_GetError());
+
+  // This is usually what happens with v2-compatible: the server hangs.
+  // But to be certain, feed in more data to see if an error comes out.
+  uint8_t zeros[SSL_LIBRARY_VERSION_TLS_1_2] = {0};
+  client_->SendDirect(DataBuffer(zeros, sizeof(zeros)));
+  ExpectAlert(server_, kTlsAlertIllegalParameter);
+  server_->Handshake();
+  client_->Handshake();
+}
+
 // Sending a v2 ClientHello after a no-op v3 record must fail.
 TEST_P(SSLv2ClientHelloTest, ConnectAfterEmptyV3Record) {
   DataBuffer buffer;
@@ -328,6 +350,30 @@ TEST_P(SSLv2ClientHelloTest, RequireSafeRenegotiationWithSCSV) {
   Connect();
 }
 
+TEST_P(SSLv2ClientHelloTest, CheckServerRandom) {
+  ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
+  SetAvailableCipherSuite(TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
+
+  static const size_t random_len = 32;
+  uint8_t srandom1[random_len];
+  uint8_t z[random_len] = {0};
+
+  auto sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
+  Connect();
+  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
+  memcpy(srandom1, sh->buffer().data() + 2, random_len);
+  EXPECT_NE(0, memcmp(srandom1, z, random_len));
+
+  Reset();
+  sh = MakeTlsFilter<TlsHandshakeRecorder>(server_, ssl_hs_server_hello);
+  Connect();
+  ASSERT_TRUE(sh->buffer().len() > (random_len + 2));
+  const uint8_t* srandom2 = sh->buffer().data() + 2;
+
+  EXPECT_NE(0, memcmp(srandom2, z, random_len));
+  EXPECT_NE(0, memcmp(srandom1, srandom2, random_len));
+}
+
 // Connect to the server with TLS 1.1, signalling that this is a fallback from
 // a higher version. As the server doesn't support anything higher than TLS 1.1
 // it must accept the connection.
diff --git a/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
index 4e9099561f..ffc0893e90 100644
--- a/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_version_unittest.cc
@@ -11,7 +11,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
@@ -48,7 +48,6 @@ TEST_P(TlsConnectGeneric, ServerNegotiateTls12) {
                            SSL_LIBRARY_VERSION_TLS_1_2);
   Connect();
 }
-#ifndef TLS_1_3_DRAFT_VERSION
 
 // Test the ServerRandom version hack from
 // [draft-ietf-tls-tls13-11 Section 6.3.1.1].
@@ -56,71 +55,116 @@ TEST_P(TlsConnectGeneric, ServerNegotiateTls12) {
 // two validate that we can also detect fallback using the
 // SSL_SetDowngradeCheckVersion() API.
 TEST_F(TlsConnectTest, TestDowngradeDetectionToTls11) {
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
                                              SSL_LIBRARY_VERSION_TLS_1_1);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
 }
 
-/* Attempt to negotiate the bogus DTLS 1.1 version. */
+// Attempt to negotiate the bogus DTLS 1.1 version.
 TEST_F(DtlsConnectTest, TestDtlsVersion11) {
   MakeTlsFilter<TlsClientHelloVersionSetter>(client_, ((~0x0101) & 0xffff));
-  ConnectExpectFail();
+  ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
   // It's kind of surprising that SSL_ERROR_NO_CYPHER_OVERLAP is
   // what is returned here, but this is deliberate in ssl3_HandleAlert().
-  EXPECT_EQ(SSL_ERROR_NO_CYPHER_OVERLAP, client_->error_code());
-  EXPECT_EQ(SSL_ERROR_UNSUPPORTED_VERSION, server_->error_code());
+  client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+  server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
 }
 
-// Disabled as long as we have draft version.
 TEST_F(TlsConnectTest, TestDowngradeDetectionToTls12) {
-  EnsureTlsSetup();
-  MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
-                                             SSL_LIBRARY_VERSION_TLS_1_2);
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
+  MakeTlsFilter<TlsExtensionDropper>(client_, ssl_tls13_supported_versions_xtn);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_3);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_3);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
+}
+
+// Disabling downgrade checks will be caught when the Finished MAC check fails.
+TEST_F(TlsConnectTest, TestDisableDowngradeDetection) {
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_FALSE);
+  MakeTlsFilter<TlsExtensionDropper>(client_, ssl_tls13_supported_versions_xtn);
+  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  ConnectExpectAlert(server_, kTlsAlertDecryptError);
+  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+  server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
 }
 
 // TLS 1.1 clients do not check the random values, so we should
 // instead get a handshake failure alert from the server.
 TEST_F(TlsConnectTest, TestDowngradeDetectionToTls10) {
+  // Setting the option here has no effect.
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   MakeTlsFilter<TlsClientHelloVersionSetter>(client_,
                                              SSL_LIBRARY_VERSION_TLS_1_0);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
                            SSL_LIBRARY_VERSION_TLS_1_1);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_0,
                            SSL_LIBRARY_VERSION_TLS_1_2);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE, server_->error_code());
-  ASSERT_EQ(SSL_ERROR_DECRYPT_ERROR_ALERT, client_->error_code());
+  ConnectExpectAlert(server_, kTlsAlertDecryptError);
+  server_->CheckErrorCode(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
+  client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
 }
 
 TEST_F(TlsConnectTest, TestFallbackFromTls12) {
-  EnsureTlsSetup();
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   client_->SetDowngradeCheckVersion(SSL_LIBRARY_VERSION_TLS_1_2);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_1);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_2);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
+}
+
+static SECStatus AllowFalseStart(PRFileDesc* fd, void* arg,
+                                 PRBool* can_false_start) {
+  bool* false_start_attempted = reinterpret_cast<bool*>(arg);
+  *false_start_attempted = true;
+  *can_false_start = PR_TRUE;
+  return SECSuccess;
+}
+
+// If we disable the downgrade check, the sentinel is still generated, and we
+// disable false start instead.
+TEST_F(TlsConnectTest, DisableFalseStartOnFallback) {
+  // Don't call client_->EnableFalseStart(), because that sets the client up for
+  // success, and we want false start to fail.
+  client_->SetOption(SSL_ENABLE_FALSE_START, PR_TRUE);
+  bool false_start_attempted = false;
+  EXPECT_EQ(SECSuccess,
+            SSL_SetCanFalseStartCallback(client_->ssl_fd(), AllowFalseStart,
+                                         &false_start_attempted));
+
+  client_->SetDowngradeCheckVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_2);
+  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  Connect();
+  EXPECT_FALSE(false_start_attempted);
 }
 
 TEST_F(TlsConnectTest, TestFallbackFromTls13) {
-  EnsureTlsSetup();
+  client_->SetOption(SSL_ENABLE_HELLO_DOWNGRADE_CHECK, PR_TRUE);
   client_->SetDowngradeCheckVersion(SSL_LIBRARY_VERSION_TLS_1_3);
   client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
                            SSL_LIBRARY_VERSION_TLS_1_2);
   server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_1,
                            SSL_LIBRARY_VERSION_TLS_1_3);
-  ConnectExpectFail();
-  ASSERT_EQ(SSL_ERROR_RX_MALFORMED_SERVER_HELLO, client_->error_code());
+  ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_SERVER_HELLO);
+  server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
 }
-#endif
 
 TEST_P(TlsConnectGeneric, TestFallbackSCSVVersionMatch) {
   client_->SetOption(SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
@@ -132,6 +176,7 @@ TEST_P(TlsConnectGenericPre13, TestFallbackSCSVVersionMismatch) {
   server_->SetVersionRange(version_, version_ + 1);
   ConnectExpectAlert(server_, kTlsAlertInappropriateFallback);
   client_->CheckErrorCode(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT);
+  server_->CheckErrorCode(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT);
 }
 
 // The TLS v1.3 spec section C.4 states that 'Implementations MUST NOT send or
@@ -158,7 +203,7 @@ TEST_P(TlsConnectGeneric, AlertBeforeServerHello) {
   static const uint8_t kWarningAlert[] = {kTlsAlertWarning,
                                           kTlsAlertUnrecognizedName};
   DataBuffer alert;
-  TlsAgentTestBase::MakeRecord(variant_, kTlsAlertType,
+  TlsAgentTestBase::MakeRecord(variant_, ssl_ct_alert,
                                SSL_LIBRARY_VERSION_TLS_1_0, kWarningAlert,
                                PR_ARRAY_SIZE(kWarningAlert), &alert);
   client_->adapter()->PacketReceived(alert);
diff --git a/security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
index 09d7801e9a..a75dbb7aa7 100644
--- a/security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
@@ -12,7 +12,7 @@
 #include "sslproto.h"
 
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "tls_connect.h"
 #include "tls_filter.h"
 #include "tls_parser.h"
diff --git a/security/nss/gtests/ssl_gtest/test_io.cc b/security/nss/gtests/ssl_gtest/test_io.cc
index d76b3526c6..6d792c520c 100644
--- a/security/nss/gtests/ssl_gtest/test_io.cc
+++ b/security/nss/gtests/ssl_gtest/test_io.cc
@@ -31,6 +31,20 @@ ScopedPRFileDesc DummyPrSocket::CreateFD() {
   return DummyIOLayerMethods::CreateFD(test_fd_identity, this);
 }
 
+void DummyPrSocket::Reset() {
+  auto p = peer_.lock();
+  peer_.reset();
+  if (p) {
+    p->peer_.reset();
+    p->Reset();
+  }
+  while (!input_.empty()) {
+    input_.pop();
+  }
+  filter_ = nullptr;
+  write_error_ = 0;
+}
+
 void DummyPrSocket::PacketReceived(const DataBuffer &packet) {
   input_.push(Packet(packet));
 }
@@ -42,6 +56,12 @@ int32_t DummyPrSocket::Read(PRFileDesc *f, void *data, int32_t len) {
     return -1;
   }
 
+  auto dst = peer_.lock();
+  if (!dst) {
+    PR_SetError(PR_NOT_CONNECTED_ERROR, 0);
+    return -1;
+  }
+
   if (input_.empty()) {
     LOGV("Read --> wouldblock " << len);
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
@@ -74,6 +94,12 @@ int32_t DummyPrSocket::Recv(PRFileDesc *f, void *buf, int32_t buflen,
     return Read(f, buf, buflen);
   }
 
+  auto dst = peer_.lock();
+  if (!dst) {
+    PR_SetError(PR_NOT_CONNECTED_ERROR, 0);
+    return -1;
+  }
+
   if (input_.empty()) {
     PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
     return -1;
@@ -101,7 +127,7 @@ int32_t DummyPrSocket::Write(PRFileDesc *f, const void *buf, int32_t length) {
 
   auto dst = peer_.lock();
   if (!dst) {
-    PR_SetError(PR_IO_ERROR, 0);
+    PR_SetError(PR_NOT_CONNECTED_ERROR, 0);
     return -1;
   }
 
diff --git a/security/nss/gtests/ssl_gtest/test_io.h b/security/nss/gtests/ssl_gtest/test_io.h
index 8327373ce5..062ae86c8b 100644
--- a/security/nss/gtests/ssl_gtest/test_io.h
+++ b/security/nss/gtests/ssl_gtest/test_io.h
@@ -17,7 +17,7 @@
 #include "databuffer.h"
 #include "dummy_io.h"
 #include "prio.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "sslt.h"
 
 namespace nss_test {
diff --git a/security/nss/gtests/ssl_gtest/tls_agent.cc b/security/nss/gtests/ssl_gtest/tls_agent.cc
index 9bed1ce1b7..fb66196b5b 100644
--- a/security/nss/gtests/ssl_gtest/tls_agent.cc
+++ b/security/nss/gtests/ssl_gtest/tls_agent.cc
@@ -15,6 +15,9 @@
 #include "tls_filter.h"
 #include "tls_parser.h"
 
+// This is an internal header, used to get DTLS_1_3_DRAFT_VERSION.
+#include "ssl3prot.h"
+
 extern "C" {
 // This is not something that should make you happy.
 #include "libssl_internals.h"
@@ -23,7 +26,7 @@ extern "C" {
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 extern std::string g_working_dir_path;
 
@@ -53,7 +56,7 @@ static const uint8_t kCannedTls13ServerHello[] = {
     0x00, 0x1d, 0x00, 0x20, 0xc2, 0xcf, 0x23, 0x17, 0x64, 0x23, 0x03,
     0xf0, 0xfb, 0x45, 0x98, 0x26, 0xd1, 0x65, 0x24, 0xa1, 0x6c, 0xa9,
     0x80, 0x8f, 0x2c, 0xac, 0x0a, 0xea, 0x53, 0x3a, 0xcb, 0xe3, 0x08,
-    0x84, 0xae, 0x19, 0x00, 0x2b, 0x00, 0x02, 0x7f, kD13};
+    0x84, 0xae, 0x19, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04};
 
 TlsAgent::TlsAgent(const std::string& nm, Role rl, SSLProtocolVariant var)
     : name_(nm),
@@ -226,6 +229,7 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) {
 
 bool TlsAgent::MaybeSetResumptionToken() {
   if (!resumption_token_.empty()) {
+    LOG("setting external resumption token");
     SECStatus rv = SSL_SetResumptionToken(ssl_fd(), resumption_token_.data(),
                                           resumption_token_.size());
 
@@ -583,6 +587,7 @@ void TlsAgent::CheckAuthType(SSLAuthType auth,
   // switch statement because default label is different.
   switch (auth) {
     case ssl_auth_rsa_sign:
+    case ssl_auth_rsa_pss:
       EXPECT_EQ(ssl_auth_rsa_decrypt, csinfo_.authAlgorithm)
           << "authAlgorithm for RSA is always decrypt";
       break;
@@ -934,8 +939,8 @@ void TlsAgent::SendRecordDirect(const TlsRecord& record) {
   SendDirect(buf);
 }
 
-static bool ErrorIsNonFatal(PRErrorCode code) {
-  return code == PR_WOULD_BLOCK_ERROR || code == SSL_ERROR_RX_SHORT_DTLS_READ;
+static bool ErrorIsFatal(PRErrorCode code) {
+  return code != PR_WOULD_BLOCK_ERROR && code != SSL_ERROR_RX_SHORT_DTLS_READ;
 }
 
 void TlsAgent::SendData(size_t bytes, size_t blocksize) {
@@ -975,7 +980,7 @@ bool TlsAgent::SendEncryptedRecord(const std::shared_ptr<TlsCipherSpec>& spec,
   LOGV("Encrypting " << buf.len() << " bytes");
   // Ensure that we are doing TLS 1.3.
   EXPECT_GE(expected_version_, SSL_LIBRARY_VERSION_TLS_1_3);
-  TlsRecordHeader header(variant_, expected_version_, kTlsApplicationDataType,
+  TlsRecordHeader header(variant_, expected_version_, ssl_ct_application_data,
                          seq);
   DataBuffer padded = buf;
   padded.Write(padded.len(), ct, 1);
@@ -994,28 +999,39 @@ bool TlsAgent::SendEncryptedRecord(const std::shared_ptr<TlsCipherSpec>& spec,
 void TlsAgent::ReadBytes(size_t amount) {
   uint8_t block[16384];
 
-  int32_t rv = PR_Read(ssl_fd(), block, (std::min)(amount, sizeof(block)));
-  LOGV("ReadBytes " << rv);
-  int32_t err;
+  size_t remaining = amount;
+  while (remaining > 0) {
+    int32_t rv = PR_Read(ssl_fd(), block, (std::min)(amount, sizeof(block)));
+    LOGV("ReadBytes " << rv);
 
-  if (rv >= 0) {
-    size_t count = static_cast<size_t>(rv);
-    for (size_t i = 0; i < count; ++i) {
-      ASSERT_EQ(recv_ctr_ & 0xff, block[i]);
-      recv_ctr_++;
-    }
-  } else {
-    err = PR_GetError();
-    LOG("Read error " << PORT_ErrorToName(err) << ": "
-                      << PORT_ErrorToString(err));
-    if (err != PR_WOULD_BLOCK_ERROR && expect_readwrite_error_) {
-      error_code_ = err;
-      expect_readwrite_error_ = false;
+    if (rv > 0) {
+      size_t count = static_cast<size_t>(rv);
+      for (size_t i = 0; i < count; ++i) {
+        ASSERT_EQ(recv_ctr_ & 0xff, block[i]);
+        recv_ctr_++;
+      }
+      remaining -= rv;
+    } else {
+      PRErrorCode err = 0;
+      if (rv < 0) {
+        err = PR_GetError();
+        LOG("Read error " << PORT_ErrorToName(err) << ": "
+                          << PORT_ErrorToString(err));
+        if (err != PR_WOULD_BLOCK_ERROR && expect_readwrite_error_) {
+          error_code_ = err;
+          expect_readwrite_error_ = false;
+        }
+      }
+      if (err != 0 && ErrorIsFatal(err)) {
+        // If we hit a fatal error, we're done.
+        remaining = 0;
+      }
+      break;
     }
   }
 
   // If closed, then don't bother waiting around.
-  if (rv > 0 || (rv < 0 && ErrorIsNonFatal(err))) {
+  if (remaining) {
     LOGV("Re-arming");
     Poller::Instance()->Wait(READABLE_EVENT, adapter_, this,
                              &TlsAgent::ReadableCallback);
@@ -1104,7 +1120,7 @@ void TlsAgentTestBase::MakeRecord(SSLProtocolVariant variant, uint8_t type,
   if (variant == ssl_variant_stream) {
     index = out->Write(index, version, 2);
   } else if (version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
-             type == kTlsApplicationDataType) {
+             type == ssl_ct_application_data) {
     uint32_t epoch = (sequence_number >> 48) & 0x3;
     uint32_t seqno = sequence_number & ((1ULL << 30) - 1);
     index = out->Write(index, (epoch << 30) | seqno, 4);
@@ -1157,10 +1173,10 @@ void TlsAgentTestBase::MakeTrivialHandshakeRecord(uint8_t hs_type,
                                                   size_t hs_len,
                                                   DataBuffer* out) {
   size_t index = 0;
-  index = out->Write(index, kTlsHandshakeType, 1);  // Content Type
-  index = out->Write(index, 3, 1);                  // Version high
-  index = out->Write(index, 1, 1);                  // Version low
-  index = out->Write(index, 4 + hs_len, 2);         // Length
+  index = out->Write(index, ssl_ct_handshake, 1);  // Content Type
+  index = out->Write(index, 3, 1);                 // Version high
+  index = out->Write(index, 1, 1);                 // Version low
+  index = out->Write(index, 4 + hs_len, 2);        // Length
 
   index = out->Write(index, hs_type, 1);  // Handshake record type.
   index = out->Write(index, hs_len, 3);   // Handshake length
@@ -1173,6 +1189,11 @@ DataBuffer TlsAgentTestBase::MakeCannedTls13ServerHello() {
   DataBuffer sh(kCannedTls13ServerHello, sizeof(kCannedTls13ServerHello));
   if (variant_ == ssl_variant_datagram) {
     sh.Write(0, SSL_LIBRARY_VERSION_DTLS_1_2_WIRE, 2);
+    // The version should be at the end.
+    uint32_t v;
+    EXPECT_TRUE(sh.Read(sh.len() - 2, 2, &v));
+    EXPECT_EQ(static_cast<uint32_t>(SSL_LIBRARY_VERSION_TLS_1_3), v);
+    sh.Write(sh.len() - 2, 0x7f00 | DTLS_1_3_DRAFT_VERSION, 2);
   }
   return sh;
 }
diff --git a/security/nss/gtests/ssl_gtest/tls_agent.h b/security/nss/gtests/ssl_gtest/tls_agent.h
index a93d0c6ee5..0202218682 100644
--- a/security/nss/gtests/ssl_gtest/tls_agent.h
+++ b/security/nss/gtests/ssl_gtest/tls_agent.h
@@ -10,9 +10,6 @@
 #include "prio.h"
 #include "ssl.h"
 
-// This is an internal header, used to get TLS_1_3_DRAFT_VERSION.
-#include "ssl3prot.h"
-
 #include <functional>
 #include <iostream>
 
@@ -20,7 +17,8 @@
 
 #define GTEST_HAS_RTTI 0
 #include "gtest/gtest.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
+#include "scoped_ptrs_ssl.h"
 
 extern bool g_ssl_gtest_verbose;
 
@@ -60,8 +58,6 @@ typedef std::function<int32_t(TlsAgent* agent, const SECItem* srvNameArr,
                               PRUint32 srvNameArrSize)>
     SniCallbackFunction;
 
-static const uint8_t kD13 = TLS_1_3_DRAFT_VERSION;
-
 class TlsAgent : public PollTarget {
  public:
   enum Role { CLIENT, SERVER };
diff --git a/security/nss/gtests/ssl_gtest/tls_connect.cc b/security/nss/gtests/ssl_gtest/tls_connect.cc
index 68f6d21e9c..c48ae38ecf 100644
--- a/security/nss/gtests/ssl_gtest/tls_connect.cc
+++ b/security/nss/gtests/ssl_gtest/tls_connect.cc
@@ -14,7 +14,7 @@ extern "C" {
 
 #include "databuffer.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "sslproto.h"
 
 extern std::string g_working_dir_path;
@@ -559,13 +559,15 @@ void TlsConnectTestBase::CheckResumption(SessionResumptionMode expected) {
   EXPECT_EQ(stateless_count, stats->hsh_sid_stateless_resumes);
 
   if (expected != RESUME_NONE) {
-    if (client_->version() < SSL_LIBRARY_VERSION_TLS_1_3) {
+    if (client_->version() < SSL_LIBRARY_VERSION_TLS_1_3 &&
+        client_->GetResumptionToken().size() == 0) {
       // Check that the last two session ids match.
       ASSERT_EQ(1U + expected_resumptions_, session_ids_.size());
       EXPECT_EQ(session_ids_[session_ids_.size() - 1],
                 session_ids_[session_ids_.size() - 2]);
     } else {
-      // TLS 1.3 only uses tickets.
+      // We've either chosen TLS 1.3 or are using an external resumption token,
+      // both of which only use tickets.
       EXPECT_TRUE(expected & RESUME_TICKET);
     }
   }
diff --git a/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc b/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc
new file mode 100644
index 0000000000..3c860a0b2b
--- /dev/null
+++ b/security/nss/gtests/ssl_gtest/tls_esni_unittest.cc
@@ -0,0 +1,470 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <ctime>
+
+#include "secerr.h"
+#include "ssl.h"
+
+#include "gtest_utils.h"
+#include "tls_agent.h"
+#include "tls_connect.h"
+
+namespace nss_test {
+
+static const char* kDummySni("dummy.invalid");
+
+std::vector<uint16_t> kDefaultSuites = {TLS_AES_256_GCM_SHA384,
+                                        TLS_AES_128_GCM_SHA256};
+std::vector<uint16_t> kChaChaSuite = {TLS_CHACHA20_POLY1305_SHA256};
+std::vector<uint16_t> kBogusSuites = {0};
+std::vector<uint16_t> kTls12Suites = {
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256};
+
+static void NamedGroup2ECParams(SSLNamedGroup group, SECItem* params) {
+  auto groupDef = ssl_LookupNamedGroup(group);
+  ASSERT_NE(nullptr, groupDef);
+
+  auto oidData = SECOID_FindOIDByTag(groupDef->oidTag);
+  ASSERT_NE(nullptr, oidData);
+  ASSERT_NE(nullptr,
+            SECITEM_AllocItem(nullptr, params, (2 + oidData->oid.len)));
+
+  /*
+   * params->data needs to contain the ASN encoding of an object ID (OID)
+   * representing the named curve. The actual OID is in
+   * oidData->oid.data so we simply prepend 0x06 and OID length
+   */
+  params->data[0] = SEC_ASN1_OBJECT_ID;
+  params->data[1] = oidData->oid.len;
+  memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
+}
+
+/* Checksum is a 4-byte array. */
+static void UpdateEsniKeysChecksum(DataBuffer* buf) {
+  SECStatus rv;
+  PRUint8 sha256[32];
+
+  /* Stomp the checksum. */
+  PORT_Memset(buf->data() + 2, 0, 4);
+
+  rv = PK11_HashBuf(ssl3_HashTypeToOID(ssl_hash_sha256), sha256, buf->data(),
+                    buf->len());
+  ASSERT_EQ(SECSuccess, rv);
+  buf->Write(2, sha256, 4);
+}
+
+static void GenerateEsniKey(time_t windowStart, SSLNamedGroup group,
+                            std::vector<uint16_t>& cipher_suites,
+                            DataBuffer* record,
+                            ScopedSECKEYPublicKey* pubKey = nullptr,
+                            ScopedSECKEYPrivateKey* privKey = nullptr) {
+  SECKEYECParams ecParams = {siBuffer, NULL, 0};
+  NamedGroup2ECParams(group, &ecParams);
+
+  SECKEYPublicKey* pub = nullptr;
+  SECKEYPrivateKey* priv = SECKEY_CreateECPrivateKey(&ecParams, &pub, nullptr);
+  ASSERT_NE(nullptr, priv);
+  SECITEM_FreeItem(&ecParams, PR_FALSE);
+  PRUint8 encoded[1024];
+  unsigned int encoded_len;
+
+  SECStatus rv = SSL_EncodeESNIKeys(
+      &cipher_suites[0], cipher_suites.size(), group, pub, 100, windowStart,
+      windowStart + 10, encoded, &encoded_len, sizeof(encoded));
+  ASSERT_EQ(SECSuccess, rv);
+  ASSERT_GT(encoded_len, 0U);
+
+  if (pubKey) {
+    pubKey->reset(pub);
+  } else {
+    SECKEY_DestroyPublicKey(pub);
+  }
+  if (privKey) {
+    privKey->reset(priv);
+  } else {
+    SECKEY_DestroyPrivateKey(priv);
+  }
+  record->Truncate(0);
+  record->Write(0, encoded, encoded_len);
+}
+
+static void SetupEsni(const std::shared_ptr<TlsAgent>& client,
+                      const std::shared_ptr<TlsAgent>& server,
+                      SSLNamedGroup group = ssl_grp_ec_curve25519) {
+  ScopedSECKEYPublicKey pub;
+  ScopedSECKEYPrivateKey priv;
+  DataBuffer record;
+
+  GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
+                  &pub, &priv);
+  SECStatus rv = SSL_SetESNIKeyPair(server->ssl_fd(), priv.get(), record.data(),
+                                    record.len());
+  ASSERT_EQ(SECSuccess, rv);
+
+  rv = SSL_EnableESNI(client->ssl_fd(), record.data(), record.len(), kDummySni);
+  ASSERT_EQ(SECSuccess, rv);
+}
+
+static void CheckSniExtension(const DataBuffer& data) {
+  TlsParser parser(data.data(), data.len());
+  uint32_t tmp;
+  ASSERT_TRUE(parser.Read(&tmp, 2));
+  ASSERT_EQ(parser.remaining(), tmp);
+  ASSERT_TRUE(parser.Read(&tmp, 1));
+  ASSERT_EQ(0U, tmp); /* sni_nametype_hostname */
+  DataBuffer name;
+  ASSERT_TRUE(parser.ReadVariable(&name, 2));
+  ASSERT_EQ(0U, parser.remaining());
+  DataBuffer expected(reinterpret_cast<const uint8_t*>(kDummySni),
+                      strlen(kDummySni));
+  ASSERT_EQ(expected, name);
+}
+
+static void ClientInstallEsni(std::shared_ptr<TlsAgent>& agent,
+                              const DataBuffer& record, PRErrorCode err = 0) {
+  SECStatus rv =
+      SSL_EnableESNI(agent->ssl_fd(), record.data(), record.len(), kDummySni);
+  if (err == 0) {
+    ASSERT_EQ(SECSuccess, rv);
+  } else {
+    ASSERT_EQ(SECFailure, rv);
+    ASSERT_EQ(err, PORT_GetError());
+  }
+}
+
+TEST_P(TlsAgentTestClient13, EsniInstall) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  ClientInstallEsni(agent_, record);
+}
+
+// The next set of tests fail at setup time.
+TEST_P(TlsAgentTestClient13, EsniInvalidHash) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.data()[2]++;
+  ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+}
+
+TEST_P(TlsAgentTestClient13, EsniInvalidVersion) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Write(0, 0xffff, 2);
+  ClientInstallEsni(agent_, record, SSL_ERROR_UNSUPPORTED_VERSION);
+}
+
+TEST_P(TlsAgentTestClient13, EsniShort) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Truncate(record.len() - 1);
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+}
+
+TEST_P(TlsAgentTestClient13, EsniLong) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Write(record.len(), 1, 1);
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+}
+
+TEST_P(TlsAgentTestClient13, EsniExtensionMismatch) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Write(record.len() - 1, 1, 1);
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+}
+
+// The following tests fail by ignoring the Esni block.
+TEST_P(TlsAgentTestClient13, EsniUnknownGroup) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  record.Write(8, 0xffff, 2);  // Fake group
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state());
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, EsniUnknownCS) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kBogusSuites, &record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state());
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, EsniInvalidCS) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kTls12Suites, &record);
+  UpdateEsniKeysChecksum(&record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_EQ(TlsAgent::STATE_CONNECTING, agent_->state());
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, EsniNotReady) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0) + 1000, ssl_grp_ec_curve25519, kDefaultSuites,
+                  &record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, EsniExpired) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0) - 1000, ssl_grp_ec_curve25519, kDefaultSuites,
+                  &record);
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_TRUE(!filter->captured());
+}
+
+TEST_P(TlsAgentTestClient13, NoSniSoNoEsni) {
+  EnsureInit();
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  SSL_SetURL(agent_->ssl_fd(), "");
+  ClientInstallEsni(agent_, record, 0);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(agent_, ssl_tls13_encrypted_sni_xtn);
+  agent_->Handshake();
+  ASSERT_TRUE(!filter->captured());
+}
+
+static int32_t SniCallback(TlsAgent* agent, const SECItem* srvNameAddr,
+                           PRUint32 srvNameArrSize) {
+  EXPECT_EQ(1U, srvNameArrSize);
+  SECItem expected = {
+      siBuffer, reinterpret_cast<unsigned char*>(const_cast<char*>("server")),
+      6};
+  EXPECT_TRUE(!SECITEM_CompareItem(&expected, &srvNameAddr[0]));
+  return SECSuccess;
+}
+
+TEST_P(TlsConnectTls13, ConnectEsni) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  auto cFilterSni =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto cFilterEsni =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_tls13_encrypted_sni_xtn);
+  client_->SetFilter(std::make_shared<ChainedPacketFilter>(
+      ChainedPacketFilterInit({cFilterSni, cFilterEsni})));
+  auto sfilter =
+      MakeTlsFilter<TlsExtensionCapture>(server_, ssl_server_name_xtn);
+  sfilter->EnableDecryption();
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  CheckSniExtension(cFilterSni->extension());
+  ASSERT_TRUE(cFilterEsni->captured());
+  // Check that our most preferred suite got chosen.
+  uint32_t suite;
+  ASSERT_TRUE(cFilterEsni->extension().Read(0, 2, &suite));
+  ASSERT_EQ(TLS_AES_128_GCM_SHA256, static_cast<PRUint16>(suite));
+  ASSERT_TRUE(!sfilter->captured());
+}
+
+TEST_P(TlsConnectTls13, ConnectEsniHrr) {
+  EnsureTlsSetup();
+  const std::vector<SSLNamedGroup> groups = {ssl_grp_ec_secp384r1};
+  server_->ConfigNamedGroups(groups);
+  SetupEsni(client_, server_);
+  auto hrr_capture = MakeTlsFilter<TlsHandshakeRecorder>(
+      server_, kTlsHandshakeHelloRetryRequest);
+  auto filter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto cfilter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  CheckSniExtension(cfilter->extension());
+  EXPECT_NE(0UL, hrr_capture->buffer().len());
+}
+
+TEST_P(TlsConnectTls13, ConnectEsniNoDummy) {
+  EnsureTlsSetup();
+  ScopedSECKEYPublicKey pub;
+  ScopedSECKEYPrivateKey priv;
+  DataBuffer record;
+
+  GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
+                  &pub, &priv);
+  SECStatus rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(),
+                                    record.data(), record.len());
+  ASSERT_EQ(SECSuccess, rv);
+  rv = SSL_EnableESNI(client_->ssl_fd(), record.data(), record.len(), "");
+  ASSERT_EQ(SECSuccess, rv);
+
+  auto cfilter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto sfilter =
+      MakeTlsFilter<TlsExtensionCapture>(server_, ssl_server_name_xtn);
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  ASSERT_TRUE(!cfilter->captured());
+  ASSERT_TRUE(!sfilter->captured());
+}
+
+TEST_P(TlsConnectTls13, ConnectEsniNullDummy) {
+  EnsureTlsSetup();
+  ScopedSECKEYPublicKey pub;
+  ScopedSECKEYPrivateKey priv;
+  DataBuffer record;
+
+  GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
+                  &pub, &priv);
+  SECStatus rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(),
+                                    record.data(), record.len());
+  ASSERT_EQ(SECSuccess, rv);
+  rv = SSL_EnableESNI(client_->ssl_fd(), record.data(), record.len(), nullptr);
+  ASSERT_EQ(SECSuccess, rv);
+
+  auto cfilter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto sfilter =
+      MakeTlsFilter<TlsExtensionCapture>(server_, ssl_server_name_xtn);
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  ASSERT_TRUE(!cfilter->captured());
+  ASSERT_TRUE(!sfilter->captured());
+}
+
+/* Tell the client that it supports AES but the server that it supports ChaCha
+ */
+TEST_P(TlsConnectTls13, ConnectEsniCSMismatch) {
+  EnsureTlsSetup();
+  ScopedSECKEYPublicKey pub;
+  ScopedSECKEYPrivateKey priv;
+  DataBuffer record;
+
+  GenerateEsniKey(time(nullptr), ssl_grp_ec_curve25519, kDefaultSuites, &record,
+                  &pub, &priv);
+  PRUint8 encoded[1024];
+  unsigned int encoded_len;
+
+  SECStatus rv = SSL_EncodeESNIKeys(
+      &kChaChaSuite[0], kChaChaSuite.size(), ssl_grp_ec_curve25519, pub.get(),
+      100, time(0), time(0) + 10, encoded, &encoded_len, sizeof(encoded));
+  rv = SSL_SetESNIKeyPair(server_->ssl_fd(), priv.get(), encoded, encoded_len);
+  ASSERT_EQ(SECSuccess, rv);
+  rv = SSL_EnableESNI(client_->ssl_fd(), record.data(), record.len(), "");
+  ASSERT_EQ(SECSuccess, rv);
+  ConnectExpectAlert(server_, illegal_parameter);
+  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+}
+
+TEST_P(TlsConnectTls13, ConnectEsniP256) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_, ssl_grp_ec_secp256r1);
+  auto cfilter =
+      MakeTlsFilter<TlsExtensionCapture>(client_, ssl_server_name_xtn);
+  auto sfilter =
+      MakeTlsFilter<TlsExtensionCapture>(server_, ssl_server_name_xtn);
+  server_->SetSniCallback(SniCallback);
+  Connect();
+  CheckSniExtension(cfilter->extension());
+  ASSERT_TRUE(!sfilter->captured());
+}
+
+TEST_P(TlsConnectTls13, ConnectMismatchedEsniKeys) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  // Now install a new set of keys on the client, so we have a mismatch.
+  DataBuffer record;
+  GenerateEsniKey(time(0), ssl_grp_ec_curve25519, kDefaultSuites, &record);
+  ClientInstallEsni(client_, record, 0);
+  ConnectExpectAlert(server_, illegal_parameter);
+  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+}
+
+TEST_P(TlsConnectTls13, ConnectDamagedEsniExtensionCH) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  auto filter = MakeTlsFilter<TlsExtensionDamager>(
+      client_, ssl_tls13_encrypted_sni_xtn, 50);  // in the ciphertext
+  ConnectExpectAlert(server_, illegal_parameter);
+  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO);
+}
+
+TEST_P(TlsConnectTls13, ConnectRemoveEsniExtensionEE) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  auto filter =
+      MakeTlsFilter<TlsExtensionDropper>(server_, ssl_tls13_encrypted_sni_xtn);
+  filter->EnableDecryption();
+  ConnectExpectAlert(client_, missing_extension);
+  client_->CheckErrorCode(SSL_ERROR_MISSING_ESNI_EXTENSION);
+}
+
+TEST_P(TlsConnectTls13, ConnectShortEsniExtensionEE) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  DataBuffer shortNonce;
+  auto filter = MakeTlsFilter<TlsExtensionReplacer>(
+      server_, ssl_tls13_encrypted_sni_xtn, shortNonce);
+  filter->EnableDecryption();
+  ConnectExpectAlert(client_, illegal_parameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION);
+}
+
+TEST_P(TlsConnectTls13, ConnectBogusEsniExtensionEE) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  const uint8_t bogusNonceBuf[16] = {0};
+  DataBuffer bogusNonce(bogusNonceBuf, sizeof(bogusNonceBuf));
+  auto filter = MakeTlsFilter<TlsExtensionReplacer>(
+      server_, ssl_tls13_encrypted_sni_xtn, bogusNonce);
+  filter->EnableDecryption();
+  ConnectExpectAlert(client_, illegal_parameter);
+  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION);
+}
+
+// ESNI is a commitment to doing TLS 1.3 or above.
+// The TLS 1.2 server ignores ESNI and processes the dummy SNI.
+// The client then aborts when it sees the server did TLS 1.2.
+TEST_P(TlsConnectTls13, EsniButTLS12Server) {
+  EnsureTlsSetup();
+  SetupEsni(client_, server_);
+  client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_3);
+  server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
+                           SSL_LIBRARY_VERSION_TLS_1_2);
+  ConnectExpectAlert(client_, kTlsAlertProtocolVersion);
+  client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_VERSION);
+  server_->CheckErrorCode(SSL_ERROR_PROTOCOL_VERSION_ALERT);
+  ASSERT_FALSE(SSLInt_ExtensionNegotiated(server_->ssl_fd(),
+                                          ssl_tls13_encrypted_sni_xtn));
+}
+}
diff --git a/security/nss/gtests/ssl_gtest/tls_filter.cc b/security/nss/gtests/ssl_gtest/tls_filter.cc
index aa03cba70b..25ad606fcc 100644
--- a/security/nss/gtests/ssl_gtest/tls_filter.cc
+++ b/security/nss/gtests/ssl_gtest/tls_filter.cc
@@ -131,7 +131,7 @@ PacketFilter::Action TlsRecordFilter::Filter(const DataBuffer& input,
     // spec to another active cipher spec (KeyUpdate for instance) AND writes
     // are consolidated across that change, this code could use the wrong
     // sequence numbers when re-encrypting records with the old keys.
-    if (header.content_type() == kTlsApplicationDataType) {
+    if (header.content_type() == ssl_ct_application_data) {
       in_sequence_number_ =
           (std::max)(in_sequence_number_, header.sequence_number() + 1);
     }
@@ -194,7 +194,7 @@ PacketFilter::Action TlsRecordFilter::FilterRecord(
 
   uint64_t seq_num;
   if (header.is_dtls() || !cipher_spec_ ||
-      header.content_type() != kTlsApplicationDataType) {
+      header.content_type() != ssl_ct_application_data) {
     seq_num = header.sequence_number();
   } else {
     seq_num = out_sequence_number_++;
@@ -277,7 +277,7 @@ bool TlsRecordHeader::Parse(bool is_dtls13, uint64_t seqno, TlsParser* parser,
 
 #ifndef UNSAFE_FUZZER_MODE
     // Deal with the 7 octet header.
-    if (content_type_ == kTlsApplicationDataType) {
+    if (content_type_ == ssl_ct_application_data) {
       uint32_t tmp;
       if (!parser->Read(&tmp, 4)) {
         return false;
@@ -298,7 +298,7 @@ bool TlsRecordHeader::Parse(bool is_dtls13, uint64_t seqno, TlsParser* parser,
       }
       // Need to use the low 5 bits of the first octet too.
       tmp |= (content_type_ & 0x1f) << 8;
-      content_type_ = kTlsApplicationDataType;
+      content_type_ = ssl_ct_application_data;
       sequence_number_ = ParseSequenceNumber(seqno, tmp, 12, 1);
 
       if (!parser->ReadFromMark(&header_, parser->consumed() - mark, mark)) {
@@ -308,9 +308,9 @@ bool TlsRecordHeader::Parse(bool is_dtls13, uint64_t seqno, TlsParser* parser,
     }
 
     // The full 13 octet header can only be used for a few types.
-    EXPECT_TRUE(content_type_ == kTlsAlertType ||
-                content_type_ == kTlsHandshakeType ||
-                content_type_ == kTlsAckType);
+    EXPECT_TRUE(content_type_ == ssl_ct_alert ||
+                content_type_ == ssl_ct_handshake ||
+                content_type_ == ssl_ct_ack);
 #endif
   }
 
@@ -347,7 +347,7 @@ size_t TlsRecordHeader::WriteHeader(DataBuffer* buffer, size_t offset,
                                     size_t body_len) const {
   offset = buffer->Write(offset, content_type_, 1);
   if (is_dtls() && version_ >= SSL_LIBRARY_VERSION_TLS_1_3 &&
-      content_type() == kTlsApplicationDataType) {
+      content_type() == ssl_ct_application_data) {
     // application_data records in TLS 1.3 have a different header format.
     // Always use the long header here for simplicity.
     uint32_t e = (sequence_number_ >> 48) & 0x3;
@@ -377,7 +377,7 @@ bool TlsRecordFilter::Unprotect(const TlsRecordHeader& header,
                                 const DataBuffer& ciphertext,
                                 uint8_t* inner_content_type,
                                 DataBuffer* plaintext) {
-  if (!cipher_spec_ || header.content_type() != kTlsApplicationDataType) {
+  if (!cipher_spec_ || header.content_type() != ssl_ct_application_data) {
     *inner_content_type = header.content_type();
     *plaintext = ciphertext;
     return true;
@@ -411,7 +411,7 @@ bool TlsRecordFilter::Protect(const TlsRecordHeader& header,
                               uint8_t inner_content_type,
                               const DataBuffer& plaintext,
                               DataBuffer* ciphertext, size_t padding) {
-  if (!cipher_spec_ || header.content_type() != kTlsApplicationDataType) {
+  if (!cipher_spec_ || header.content_type() != ssl_ct_application_data) {
     *ciphertext = plaintext;
     return true;
   }
@@ -453,8 +453,7 @@ PacketFilter::Action TlsHandshakeFilter::FilterRecord(
     const TlsRecordHeader& record_header, const DataBuffer& input,
     DataBuffer* output) {
   // Check that the first byte is as requested.
-  if ((record_header.content_type() != kTlsHandshakeType) &&
-      (record_header.content_type() != kTlsAltHandshakeType)) {
+  if (record_header.content_type() != ssl_ct_handshake) {
     return KEEP;
   }
 
@@ -879,6 +878,17 @@ PacketFilter::Action TlsExtensionDropper::FilterExtension(
   return KEEP;
 }
 
+PacketFilter::Action TlsExtensionDamager::FilterExtension(
+    uint16_t extension_type, const DataBuffer& input, DataBuffer* output) {
+  if (extension_type != extension_) {
+    return KEEP;
+  }
+
+  *output = input;
+  output->data()[index_] += 73;  // Increment selected for maximum damage
+  return CHANGE;
+}
+
 PacketFilter::Action TlsExtensionInjector::FilterHandshake(
     const HandshakeHeader& header, const DataBuffer& input,
     DataBuffer* output) {
diff --git a/security/nss/gtests/ssl_gtest/tls_filter.h b/security/nss/gtests/ssl_gtest/tls_filter.h
index effda4aa06..2b6e886456 100644
--- a/security/nss/gtests/ssl_gtest/tls_filter.h
+++ b/security/nss/gtests/ssl_gtest/tls_filter.h
@@ -172,20 +172,19 @@ inline std::ostream& operator<<(std::ostream& stream,
   hdr.WriteStream(stream);
   stream << ' ';
   switch (hdr.content_type()) {
-    case kTlsChangeCipherSpecType:
+    case ssl_ct_change_cipher_spec:
       stream << "CCS";
       break;
-    case kTlsAlertType:
+    case ssl_ct_alert:
       stream << "Alert";
       break;
-    case kTlsHandshakeType:
-    case kTlsAltHandshakeType:
+    case ssl_ct_handshake:
       stream << "Handshake";
       break;
-    case kTlsApplicationDataType:
+    case ssl_ct_application_data:
       stream << "Data";
       break;
-    case kTlsAckType:
+    case ssl_ct_ack:
       stream << "ACK";
       break;
     default:
@@ -301,7 +300,7 @@ class TlsRecordRecorder : public TlsRecordFilter {
   TlsRecordRecorder(const std::shared_ptr<TlsAgent>& a)
       : TlsRecordFilter(a),
         filter_(false),
-        ct_(content_handshake),  // dummy (<optional> is C++14)
+        ct_(ssl_ct_handshake),  // dummy (<optional> is C++14)
         records_() {}
   virtual PacketFilter::Action FilterRecord(const TlsRecordHeader& header,
                                             const DataBuffer& input,
@@ -466,6 +465,20 @@ class TlsExtensionInjector : public TlsHandshakeFilter {
   const DataBuffer data_;
 };
 
+class TlsExtensionDamager : public TlsExtensionFilter {
+ public:
+  TlsExtensionDamager(const std::shared_ptr<TlsAgent>& a, uint16_t extension,
+                      size_t index)
+      : TlsExtensionFilter(a), extension_(extension), index_(index) {}
+  virtual PacketFilter::Action FilterExtension(uint16_t extension_type,
+                                               const DataBuffer& input,
+                                               DataBuffer* output);
+
+ private:
+  uint16_t extension_;
+  size_t index_;
+};
+
 typedef std::function<void(void)> VoidFunction;
 
 class AfterRecordN : public TlsRecordFilter {
diff --git a/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc b/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
index 45f6cf2bd9..004da3b1cc 100644
--- a/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/tls_hkdf_unittest.cc
@@ -11,7 +11,7 @@
 
 #include "databuffer.h"
 #include "gtest_utils.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 namespace nss_test {
 
@@ -60,9 +60,11 @@ const std::string kHashName[] = {"None",    "MD5",     "SHA-1",  "SHA-224",
                                  "SHA-256", "SHA-384", "SHA-512"};
 
 static void ImportKey(ScopedPK11SymKey* to, const DataBuffer& key,
-                      PK11SlotInfo* slot) {
+                      SSLHashType hash_type, PK11SlotInfo* slot) {
+  ASSERT_LT(hash_type, sizeof(kHashLength));
+  ASSERT_LE(kHashLength[hash_type], key.len());
   SECItem key_item = {siBuffer, const_cast<uint8_t*>(key.data()),
-                      static_cast<unsigned int>(key.len())};
+                      static_cast<unsigned int>(kHashLength[hash_type])};
 
   PK11SymKey* inner =
       PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, PK11_OriginUnwrap,
@@ -106,8 +108,8 @@ class TlsHkdfTest : public ::testing::Test,
   }
 
   void SetUp() {
-    ImportKey(&k1_, kKey1, slot_.get());
-    ImportKey(&k2_, kKey2, slot_.get());
+    ImportKey(&k1_, kKey1, hash_type_, slot_.get());
+    ImportKey(&k2_, kKey2, hash_type_, slot_.get());
   }
 
   void VerifyKey(const ScopedPK11SymKey& key, const DataBuffer& expected) {
@@ -183,9 +185,9 @@ TEST_P(TlsHkdfTest, HkdfKey1Only) {
       {/* ssl_hash_md5    */},
       {/* ssl_hash_sha1   */},
       {/* ssl_hash_sha224 */},
-      {0x11, 0x87, 0x38, 0x28, 0xa9, 0x19, 0x78, 0x11, 0x33, 0x91, 0x24,
-       0xb5, 0x8a, 0x1b, 0xb0, 0x9f, 0x7f, 0x0d, 0x8d, 0xbb, 0x10, 0xf4,
-       0x9c, 0x54, 0xbd, 0x1f, 0xd8, 0x85, 0xcd, 0x15, 0x30, 0x33},
+      {0x41, 0x6c, 0x53, 0x92, 0xb9, 0xf3, 0x6d, 0xf1, 0x88, 0xe9, 0x0e,
+       0xb1, 0x4d, 0x17, 0xbf, 0x0d, 0xa1, 0x90, 0xbf, 0xdb, 0x7f, 0x1f,
+       0x49, 0x56, 0xe6, 0xe5, 0x66, 0xa5, 0x69, 0xc8, 0xb1, 0x5c},
       {0x51, 0xb1, 0xd5, 0xb4, 0x59, 0x79, 0x79, 0x08, 0x4a, 0x15, 0xb2, 0xdb,
        0x84, 0xd3, 0xd6, 0xbc, 0xfc, 0x93, 0x45, 0xd9, 0xdc, 0x74, 0xda, 0x1a,
        0x57, 0xc2, 0x76, 0x9f, 0x3f, 0x83, 0x45, 0x2f, 0xf6, 0xf3, 0x56, 0x1f,
@@ -201,11 +203,9 @@ TEST_P(TlsHkdfTest, HkdfKey2Only) {
       {/* ssl_hash_md5    */},
       {/* ssl_hash_sha1   */},
       {/* ssl_hash_sha224 */},
-      {
-          0x2f, 0x5f, 0x78, 0xd0, 0xa4, 0xc4, 0x36, 0xee, 0x6c, 0x8a, 0x4e,
-          0xf9, 0xd0, 0x43, 0x81, 0x02, 0x13, 0xfd, 0x47, 0x83, 0x63, 0x3a,
-          0xd2, 0xe1, 0x40, 0x6d, 0x2d, 0x98, 0x00, 0xfd, 0xc1, 0x87,
-      },
+      {0x16, 0xaf, 0x00, 0x54, 0x3a, 0x56, 0xc8, 0x26, 0xa2, 0xa7, 0xfc,
+       0xb6, 0x34, 0x66, 0x8a, 0xfd, 0x36, 0xdc, 0x8e, 0xce, 0xc4, 0xd2,
+       0x6c, 0x7a, 0xdc, 0xe3, 0x70, 0x36, 0x3d, 0x60, 0xfa, 0x0b},
       {0x7b, 0x40, 0xf9, 0xef, 0x91, 0xff, 0xc9, 0xd1, 0x29, 0x24, 0x5c, 0xbf,
        0xf8, 0x82, 0x76, 0x68, 0xae, 0x4b, 0x63, 0xe8, 0x03, 0xdd, 0x39, 0xa8,
        0xd4, 0x6a, 0xf6, 0xe5, 0xec, 0xea, 0xf8, 0x7d, 0x91, 0x71, 0x81, 0xf1,
@@ -221,11 +221,9 @@ TEST_P(TlsHkdfTest, HkdfKey1Key2) {
       {/* ssl_hash_md5    */},
       {/* ssl_hash_sha1   */},
       {/* ssl_hash_sha224 */},
-      {
-          0x79, 0x53, 0xb8, 0xdd, 0x6b, 0x98, 0xce, 0x00, 0xb7, 0xdc, 0xe8,
-          0x03, 0x70, 0x8c, 0xe3, 0xac, 0x06, 0x8b, 0x22, 0xfd, 0x0e, 0x34,
-          0x48, 0xe6, 0xe5, 0xe0, 0x8a, 0xd6, 0x16, 0x18, 0xe5, 0x48,
-      },
+      {0xa5, 0x68, 0x02, 0x5a, 0x95, 0xc9, 0x7f, 0x55, 0x38, 0xbc, 0xf7,
+       0x97, 0xcc, 0x0f, 0xd5, 0xf6, 0xa8, 0x8d, 0x15, 0xbc, 0x0e, 0x85,
+       0x74, 0x70, 0x3c, 0xa3, 0x65, 0xbd, 0x76, 0xcf, 0x9f, 0xd3},
       {0x01, 0x93, 0xc0, 0x07, 0x3f, 0x6a, 0x83, 0x0e, 0x2e, 0x4f, 0xb2, 0x58,
        0xe4, 0x00, 0x08, 0x5c, 0x68, 0x9c, 0x37, 0x32, 0x00, 0x37, 0xff, 0xc3,
        0x1c, 0x5b, 0x98, 0x0b, 0x02, 0x92, 0x3f, 0xfd, 0x73, 0x5a, 0x6f, 0x2a,
@@ -241,9 +239,9 @@ TEST_P(TlsHkdfTest, HkdfExpandLabel) {
       {/* ssl_hash_md5    */},
       {/* ssl_hash_sha1   */},
       {/* ssl_hash_sha224 */},
-      {0xc6, 0xdd, 0x6e, 0xc4, 0x76, 0xb8, 0x55, 0xf2, 0xa4, 0xfc, 0x59,
-       0x04, 0xa4, 0x90, 0xdc, 0xa7, 0xa7, 0x0d, 0x94, 0x8f, 0xc2, 0xdc,
-       0x15, 0x6d, 0x48, 0x93, 0x9d, 0x05, 0xbb, 0x9a, 0xbc, 0xc1},
+      {0x3e, 0x4e, 0x6e, 0xd0, 0xbc, 0xc4, 0xf4, 0xff, 0xf0, 0xf5, 0x69,
+       0xd0, 0x6c, 0x1e, 0x0e, 0x10, 0x32, 0xaa, 0xd7, 0xa3, 0xef, 0xf6,
+       0xa8, 0x65, 0x8e, 0xbe, 0xee, 0xc7, 0x1f, 0x01, 0x6d, 0x3c},
       {0x41, 0xea, 0x77, 0x09, 0x8c, 0x90, 0x04, 0x10, 0xec, 0xbc, 0x37, 0xd8,
        0x5b, 0x54, 0xcd, 0x7b, 0x08, 0x15, 0x13, 0x20, 0xed, 0x1e, 0x3f, 0x54,
        0x74, 0xf7, 0x8b, 0x06, 0x38, 0x28, 0x06, 0x37, 0x75, 0x23, 0xa2, 0xb7,
diff --git a/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc b/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc
index 5f1d94acf2..680e2f4a2b 100644
--- a/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc
+++ b/security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc
@@ -160,6 +160,7 @@ TEST_F(PK11URITest, ParseRetrieveTest) {
 
 TEST_F(PK11URITest, ParseFormatTest) {
   TestParseFormat("pkcs11:", "pkcs11:");
+  TestParseFormat("PKCS11:", "pkcs11:");
   TestParseFormat("pkcs11:token=aaa", "pkcs11:token=aaa");
   TestParseFormat("pkcs11:token=aaa;manufacturer=bbb",
                   "pkcs11:token=aaa;manufacturer=bbb");
diff --git a/security/nss/help.txt b/security/nss/help.txt
index b4ffc03827..1df72736e0 100644
--- a/security/nss/help.txt
+++ b/security/nss/help.txt
@@ -1,15 +1,15 @@
-Usage: build.sh [-hcv] [-cc] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
-                [--test] [--pprof] [--scan-build[=output]] [--ct-verif]
-                [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
-                [--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
-                [--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix]
-                [--enable-fips]
+Usage: build.sh [-h] [-c|-cc] [-v] [-j <n>] [--gyp|-g] [--opt|-o]
+                [-t <x64|x86|...>|--target=<x64|x86|...>]
+                [--clang|--gcc|--msvc] [--scan-build[=dir]] [--disable-tests]
+                [--pprof] [--asan] [--msan] [--ubsan[=bool,shift,...]
+                [--fuzz[=tls|oss]] [--sancov[=edge|bb|func|...]]
+                [--emit-llvm] [--no-zdefs] [--test] [--ct-verif]
+                [--nspr|--with-nspr=<include>:<lib>|--system-nspr]
+                [--system-sqlite] [--enable-fips] [--enable-libpkix]
+                [--mozpkix-only]
 
 This script builds NSS with gyp and ninja.
 
-This build system is still under development.  It does not yet support all
-the features or platforms that NSS supports.
-
 NSS build tool options:
 
     -h               display this help and exit
@@ -17,34 +17,37 @@ NSS build tool options:
     -cc              clean without building
     -v               verbose build
     -j <n>           run at most <n> concurrent jobs
-    --nspr           force a rebuild of NSPR
     --gyp|-g         force a rerun of gyp
     --opt|-o         do an opt build
-    -m32             do a 32-bit build on a 64-bit system
+    --target|-t      specify target architecture (e.g., x86, x64, aarch64)
     --clang          build with clang and clang++
     --gcc            build with gcc and g++
-    --test           ignore map files and export everything we have
+    --msvc           build with MSVC
+    --scan-build     run the build with scan-build
+                     --scan-build=<dir> sets the output path for scan-build
+    --disable-tests  don't build tests and corresponding cmdline utils
+    --pprof          build with gperftool support
+    --asan           enable address sanitizer
+    --msan           enable memory sanitizer
+    --ubsan          enable undefined behavior sanitizer
+                     --ubsan=bool,shift,... sets specific UB sanitizers
     --fuzz           build fuzzing targets (this always enables test builds)
                      --fuzz=tls to enable TLS fuzzing mode
                      --fuzz=oss to build for OSS-Fuzz
-    --pprof          build with gperftool support
-    --ct-verif       build with valgrind for ct-verif
-    --scan-build     run the build with scan-build (scan-build has to be in the path)
-                     --scan-build=/out/path sets the output path for scan-build
-    --asan           do an asan build
-    --ubsan          do an ubsan build
-                     --ubsan=bool,shift,... sets specific UB sanitizers
-    --msan           do an msan build
     --sancov         do sanitize coverage builds
                      --sancov=func sets coverage to function level for example
     --emit-llvm      emit LLVM bitcode while building
                      (requires the gold linker, use clang-3.8 for SAW)
-    --disable-tests  don't build tests and corresponding cmdline utils
-    --system-sqlite  use system sqlite
     --no-zdefs       don't set -Wl,-z,defs
-    --with-nspr      don't build NSPR but use the one at the given location, e.g.
-                     --with-nspr=/path/to/nspr/include:/path/to/nspr/lib
-    --system-nspr    use system nspr. This requires an installation of NSPR and
-                     might not work on all systems.
-    --enable-libpkix make libpkix part of the build.
-    --enable-fips    don't disable FIPS checks.
+    --test           ignore map files and export everything we have
+    --ct-verif       build with valgrind for ct-verif
+    --nspr           force a rebuild of NSPR
+    --with-nspr      use the NSPR build at the given locations
+                     --with-nspr=<include>:<lib> sets include and lib paths
+    --system-nspr    attempt to use system nspr
+                     shorthand for --with-nspr=/usr/include/nspr:
+    --system-sqlite  use system sqlite
+    --enable-fips    enable FIPS checks
+    --enable-libpkix make libpkix part of the build
+    --mozpkix-only   build only static mozpkix and mozpkix-test libraries
+                     support for this build option is limited
diff --git a/security/nss/lib/base/error.c b/security/nss/lib/base/error.c
index 95a76cf799..2ef0329334 100644
--- a/security/nss/lib/base/error.c
+++ b/security/nss/lib/base/error.c
@@ -15,6 +15,10 @@
 #include <limits.h> /* for UINT_MAX */
 #include <string.h> /* for memmove */
 
+#if defined(__MINGW32__)
+#include <windows.h>
+#endif
+
 #define NSS_MAX_ERROR_STACK_COUNT 16 /* error codes */
 
 /*
@@ -65,7 +69,32 @@ static const PRCallOnceType error_call_again;
 static PRStatus
 error_once_function(void)
 {
+
+/*
+ * This #ifdef function is redundant. It performs the same thing as the
+ * else case.
+ *
+ * However, the MinGW version looks up the function from nss3's export
+ * table, and on MinGW _that_ behaves differently than passing a
+ * function pointer in a different module because MinGW has
+ * -mnop-fun-dllimport specified, which generates function thunks for
+ * cross-module calls. And when a module (like nssckbi) gets unloaded,
+ * and you try to call into that thunk (which is now missing) you'll
+ * crash. So we do this bit of ugly to avoid that crash. Fortunately
+ * this is the only place we've had to do this.
+ */
+#if defined(__MINGW32__)
+    HMODULE nss3 = GetModuleHandleW(L"nss3");
+    if (nss3) {
+        FARPROC freePtr = GetProcAddress(nss3, "PR_Free");
+        if (freePtr) {
+            return PR_NewThreadPrivateIndex(&error_stack_index, freePtr);
+        }
+    }
+    return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
+#else
     return PR_NewThreadPrivateIndex(&error_stack_index, PR_Free);
+#endif
 }
 
 /*
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index c76a5a9b03..333ba4c9dd 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -18,7 +18,7 @@
 #include "seccomon.h"
 #include "secdert.h"
 #include "secoidt.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 
 SEC_BEGIN_PROTOS
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 1a676a7207..85b5f29170 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -446,6 +446,74 @@ cert_GetCertType(CERTCertificate *cert)
     return SECSuccess;
 }
 
+PRBool
+cert_EKUAllowsIPsecIKE(CERTCertificate *cert, PRBool *isCritical)
+{
+    SECStatus rv;
+    SECItem encodedExtKeyUsage;
+    CERTOidSequence *extKeyUsage = NULL;
+    PRBool result = PR_FALSE;
+
+    rv = CERT_GetExtenCriticality(cert->extensions,
+                                  SEC_OID_X509_EXT_KEY_USAGE,
+                                  isCritical);
+    if (rv != SECSuccess) {
+        *isCritical = PR_FALSE;
+    }
+
+    encodedExtKeyUsage.data = NULL;
+    rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE,
+                                &encodedExtKeyUsage);
+    if (rv != SECSuccess) {
+        /* EKU not present, allowed. */
+        result = PR_TRUE;
+        goto done;
+    }
+
+    extKeyUsage = CERT_DecodeOidSequence(&encodedExtKeyUsage);
+    if (!extKeyUsage) {
+        /* failure */
+        goto done;
+    }
+
+    if (findOIDinOIDSeqByTagNum(extKeyUsage,
+                                SEC_OID_X509_ANY_EXT_KEY_USAGE) ==
+        SECSuccess) {
+        result = PR_TRUE;
+        goto done;
+    }
+
+    if (findOIDinOIDSeqByTagNum(extKeyUsage,
+                                SEC_OID_EXT_KEY_USAGE_IPSEC_IKE) ==
+        SECSuccess) {
+        result = PR_TRUE;
+        goto done;
+    }
+
+    if (findOIDinOIDSeqByTagNum(extKeyUsage,
+                                SEC_OID_IPSEC_IKE_END) ==
+        SECSuccess) {
+        result = PR_TRUE;
+        goto done;
+    }
+
+    if (findOIDinOIDSeqByTagNum(extKeyUsage,
+                                SEC_OID_IPSEC_IKE_INTERMEDIATE) ==
+        SECSuccess) {
+        result = PR_TRUE;
+        goto done;
+    }
+
+done:
+    if (encodedExtKeyUsage.data != NULL) {
+        PORT_Free(encodedExtKeyUsage.data);
+    }
+    if (extKeyUsage != NULL) {
+        CERT_DestroyOidSequence(extKeyUsage);
+    }
+    return result;
+}
+
 PRUint32
 cert_ComputeCertType(CERTCertificate *cert)
 {
@@ -1083,6 +1151,10 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
                 requiredCertType = NS_CERT_TYPE_SSL_CA;
                 break;
+            case certUsageIPsec:
+                requiredKeyUsage = KU_KEY_CERT_SIGN;
+                requiredCertType = NS_CERT_TYPE_SSL_CA;
+                break;
             case certUsageSSLCA:
                 requiredKeyUsage = KU_KEY_CERT_SIGN;
                 requiredCertType = NS_CERT_TYPE_SSL_CA;
@@ -1125,6 +1197,11 @@ CERT_KeyUsageAndTypeForCertUsage(SECCertUsage usage, PRBool ca,
                 requiredKeyUsage = KU_KEY_AGREEMENT_OR_ENCIPHERMENT;
                 requiredCertType = NS_CERT_TYPE_SSL_SERVER;
                 break;
+            case certUsageIPsec:
+                /* RFC 4945 Section 5.1.3.2 */
+                requiredKeyUsage = KU_DIGITAL_SIGNATURE_OR_NON_REPUDIATION;
+                requiredCertType = 0;
+                break;
             case certUsageSSLServerWithStepUp:
                 requiredKeyUsage =
                     KU_KEY_AGREEMENT_OR_ENCIPHERMENT | KU_NS_GOVT_APPROVED;
diff --git a/security/nss/lib/certdb/certi.h b/security/nss/lib/certdb/certi.h
index 456f2fc4ea..2a8ae2758f 100644
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -294,6 +294,9 @@ extern SECStatus cert_GetCertType(CERTCertificate* cert);
  */
 extern PRUint32 cert_ComputeCertType(CERTCertificate* cert);
 
+extern PRBool cert_EKUAllowsIPsecIKE(CERTCertificate* cert,
+                                     PRBool* isCritical);
+
 void cert_AddToVerifyLog(CERTVerifyLog* log, CERTCertificate* cert,
                          long errorCode, unsigned int depth, void* arg);
 
diff --git a/security/nss/lib/certdb/certt.h b/security/nss/lib/certdb/certt.h
index 797f9f5856..9cac70ca62 100644
--- a/security/nss/lib/certdb/certt.h
+++ b/security/nss/lib/certdb/certt.h
@@ -447,7 +447,8 @@ typedef enum SECCertUsageEnum {
     certUsageVerifyCA = 8,
     certUsageProtectedObjectSigner = 9,
     certUsageStatusResponder = 10,
-    certUsageAnyCA = 11
+    certUsageAnyCA = 11,
+    certUsageIPsec = 12
 } SECCertUsage;
 
 typedef PRInt64 SECCertificateUsage;
@@ -465,8 +466,9 @@ typedef PRInt64 SECCertificateUsage;
 #define certificateUsageProtectedObjectSigner (0x0200)
 #define certificateUsageStatusResponder (0x0400)
 #define certificateUsageAnyCA (0x0800)
+#define certificateUsageIPsec (0x1000)
 
-#define certificateUsageHighest certificateUsageAnyCA
+#define certificateUsageHighest certificateUsageIPsec
 
 /*
  * Does the cert belong to the user, a peer, or a CA.
diff --git a/security/nss/lib/certhigh/certreq.c b/security/nss/lib/certhigh/certreq.c
index 4087bc978e..2ab4f1ab7b 100644
--- a/security/nss/lib/certhigh/certreq.c
+++ b/security/nss/lib/certhigh/certreq.c
@@ -5,7 +5,7 @@
 #include "cert.h"
 #include "certt.h"
 #include "secder.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secitem.h"
 #include "secasn1.h"
 #include "secerr.h"
diff --git a/security/nss/lib/certhigh/certvfy.c b/security/nss/lib/certhigh/certvfy.c
index ccd38e660d..3a94a4150c 100644
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@@ -25,7 +25,7 @@
 #include "pkim.h"
 #include "pki3hack.h"
 #include "base.h"
-#include "keyhi.h"
+#include "keyi.h"
 
 /*
  * Check the validity times of a certificate
@@ -73,12 +73,38 @@ checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
                 return SECFailure;
             }
             return SECSuccess;
+
+        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: {
+            PORTCheapArenaPool tmpArena;
+            SECOidTag hashAlg;
+            SECOidTag maskHashAlg;
+
+            PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+            rv = sec_DecodeRSAPSSParams(&tmpArena.arena,
+                                        &sigAlgorithm->parameters,
+                                        &hashAlg, &maskHashAlg, NULL);
+            PORT_DestroyCheapArena(&tmpArena);
+            if (rv != SECSuccess) {
+                return SECFailure;
+            }
+
+            if (NSS_GetAlgorithmPolicy(hashAlg, &policyFlags) == SECSuccess &&
+                !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+                PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+                return SECFailure;
+            }
+            if (NSS_GetAlgorithmPolicy(maskHashAlg, &policyFlags) == SECSuccess &&
+                !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+                PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+                return SECFailure;
+            }
+        }
+        /* fall through to RSA key checking */
         case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
         case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
-        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
         case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
         case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
             if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
@@ -289,6 +315,10 @@ CERT_TrustFlagsForCACertUsage(SECCertUsage usage,
             requiredFlags = CERTDB_TRUSTED_CA;
             trustType = trustSSL;
             break;
+        case certUsageIPsec:
+            requiredFlags = CERTDB_TRUSTED_CA;
+            trustType = trustSSL;
+            break;
         case certUsageSSLServerWithStepUp:
             requiredFlags = CERTDB_TRUSTED_CA | CERTDB_GOVT_APPROVED_CA;
             trustType = trustSSL;
@@ -579,6 +609,7 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
     switch (certUsage) {
         case certUsageSSLClient:
         case certUsageSSLServer:
+        case certUsageIPsec:
         case certUsageSSLCA:
         case certUsageSSLServerWithStepUp:
         case certUsageEmailSigner:
@@ -645,7 +676,8 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
             CERTGeneralName *subjectNameList;
             int subjectNameListLen;
             int i;
-            PRBool getSubjectCN = (!count && certUsage == certUsageSSLServer);
+            PRBool getSubjectCN = (!count &&
+                                   (certUsage == certUsageSSLServer || certUsage == certUsageIPsec));
             subjectNameList =
                 CERT_GetConstrainedCertificateNames(subjectCert, arena,
                                                     getSubjectCN);
@@ -986,6 +1018,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHandle *handle, CERTCertificate *cert,
     switch (certUsage) {
         case certUsageSSLClient:
         case certUsageSSLServer:
+        case certUsageIPsec:
         case certUsageSSLCA:
         case certUsageSSLServerWithStepUp:
         case certUsageEmailSigner:
@@ -1171,6 +1204,7 @@ cert_CheckLeafTrust(CERTCertificate *cert, SECCertUsage certUsage,
         switch (certUsage) {
             case certUsageSSLClient:
             case certUsageSSLServer:
+            case certUsageIPsec:
                 flags = trust.sslFlags;
 
                 /* is the cert directly trusted or not trusted ? */
@@ -1347,7 +1381,8 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 
     /* make sure that the cert is valid at time t */
     allowOverride = (PRBool)((requiredUsages & certificateUsageSSLServer) ||
-                             (requiredUsages & certificateUsageSSLServerWithStepUp));
+                             (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+                             (requiredUsages & certificateUsageIPsec));
     validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
     if (validity != secCertTimeValid) {
         valid = SECFailure;
@@ -1360,6 +1395,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
 
     for (i = 1; i <= certificateUsageHighest &&
                 (SECSuccess == valid || returnedUsages || log);) {
+        PRBool typeAndEKUAllowed = PR_TRUE;
         PRBool requiredUsage = (i & requiredUsages) ? PR_TRUE : PR_FALSE;
         if (PR_FALSE == requiredUsage && PR_FALSE == checkAllUsages) {
             NEXT_USAGE();
@@ -1376,6 +1412,7 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
             case certUsageEmailRecipient:
             case certUsageObjectSigner:
             case certUsageStatusResponder:
+            case certUsageIPsec:
                 rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_FALSE,
                                                       &requiredKeyUsage,
                                                       &requiredCertType);
@@ -1408,7 +1445,19 @@ CERT_VerifyCertificate(CERTCertDBHandle *handle, CERTCertificate *cert,
             LOG_ERROR(log, cert, 0, requiredKeyUsage);
             INVALID_USAGE();
         }
-        if (!(certType & requiredCertType)) {
+        if (certUsage != certUsageIPsec) {
+            if (!(certType & requiredCertType)) {
+                typeAndEKUAllowed = PR_FALSE;
+            }
+        } else {
+            PRBool isCritical;
+            PRBool allowed = cert_EKUAllowsIPsecIKE(cert, &isCritical);
+            /* If the extension isn't critical, we allow any EKU value. */
+            if (isCritical && !allowed) {
+                typeAndEKUAllowed = PR_FALSE;
+            }
+        }
+        if (!typeAndEKUAllowed) {
             if (PR_TRUE == requiredUsage) {
                 PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
             }
@@ -1508,7 +1557,8 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
 
     /* make sure that the cert is valid at time t */
     allowOverride = (PRBool)((certUsage == certUsageSSLServer) ||
-                             (certUsage == certUsageSSLServerWithStepUp));
+                             (certUsage == certUsageSSLServerWithStepUp) ||
+                             (certUsage == certUsageIPsec));
     validity = CERT_CheckCertValidTimes(cert, t, allowOverride);
     if (validity != secCertTimeValid) {
         LOG_ERROR_OR_EXIT(log, cert, 0, validity);
@@ -1521,6 +1571,7 @@ cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
         case certUsageSSLClient:
         case certUsageSSLServer:
         case certUsageSSLServerWithStepUp:
+        case certUsageIPsec:
         case certUsageSSLCA:
         case certUsageEmailSigner:
         case certUsageEmailRecipient:
@@ -1633,6 +1684,7 @@ CERT_VerifyCertNow(CERTCertDBHandle *handle, CERTCertificate *cert,
  *  certUsageSSLClient
  *  certUsageSSLServer
  *  certUsageSSLServerWithStepUp
+ *  certUsageIPsec
  *  certUsageEmailSigner
  *  certUsageEmailRecipient
  *  certUsageObjectSigner
diff --git a/security/nss/lib/certhigh/ocsp.h b/security/nss/lib/certhigh/ocsp.h
index ac9dd64656..1b94aec2e3 100644
--- a/security/nss/lib/certhigh/ocsp.h
+++ b/security/nss/lib/certhigh/ocsp.h
@@ -12,7 +12,7 @@
 #include "plarena.h"
 #include "seccomon.h"
 #include "secoidt.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 #include "ocspt.h"
 
diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt
index d291f28a5d..182dda65eb 100644
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -2145,146 +2145,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Visa eCommerce Root"
-#
-# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
-# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
-# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
-# Not Valid Before: Wed Jun 26 02:18:36 2002
-# Not Valid After : Fri Jun 24 00:16:12 2022
-# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
-# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa eCommerce Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
-\034\142
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\242\060\202\002\212\240\003\002\001\002\002\020\023
-\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\153
-\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015\060
-\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060\055
-\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164\145
-\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151\143
-\145\040\101\163\163\157\143\151\141\164\151\157\156\061\034\060
-\032\006\003\125\004\003\023\023\126\151\163\141\040\145\103\157
-\155\155\145\162\143\145\040\122\157\157\164\060\036\027\015\060
-\062\060\066\062\066\060\062\061\070\063\066\132\027\015\062\062
-\060\066\062\064\060\060\061\066\061\062\132\060\153\061\013\060
-\011\006\003\125\004\006\023\002\125\123\061\015\060\013\006\003
-\125\004\012\023\004\126\111\123\101\061\057\060\055\006\003\125
-\004\013\023\046\126\151\163\141\040\111\156\164\145\162\156\141
-\164\151\157\156\141\154\040\123\145\162\166\151\143\145\040\101
-\163\163\157\143\151\141\164\151\157\156\061\034\060\032\006\003
-\125\004\003\023\023\126\151\163\141\040\145\103\157\155\155\145
-\162\143\145\040\122\157\157\164\060\202\001\042\060\015\006\011
-\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
-\060\202\001\012\002\202\001\001\000\257\127\336\126\036\156\241
-\332\140\261\224\047\313\027\333\007\077\200\205\117\310\234\266
-\320\364\157\117\317\231\330\341\333\302\110\134\072\254\071\063
-\307\037\152\213\046\075\053\065\365\110\261\221\301\002\116\004
-\226\221\173\260\063\360\261\024\116\021\157\265\100\257\033\105
-\245\112\357\176\266\254\362\240\037\130\077\022\106\140\074\215
-\241\340\175\317\127\076\063\036\373\107\361\252\025\227\007\125
-\146\245\265\055\056\330\200\131\262\247\015\267\106\354\041\143
-\377\065\253\245\002\317\052\364\114\376\173\365\224\135\204\115
-\250\362\140\217\333\016\045\074\237\163\161\317\224\337\112\352
-\333\337\162\070\214\363\226\275\361\027\274\322\272\073\105\132
-\306\247\366\306\027\213\001\235\374\031\250\052\203\026\270\072
-\110\376\116\076\240\253\006\031\351\123\363\200\023\007\355\055
-\277\077\012\074\125\040\071\054\054\000\151\164\225\112\274\040
-\262\251\171\345\030\211\221\250\334\034\115\357\273\176\067\013
-\135\376\071\245\210\122\214\000\154\354\030\174\101\275\366\213
-\165\167\272\140\235\204\347\376\055\002\003\001\000\001\243\102
-\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003
-\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\006\060\035\006\003\125\035\016\004\026\004\024\025\070
-\203\017\077\054\077\160\063\036\315\106\376\007\214\040\340\327
-\303\267\060\015\006\011\052\206\110\206\367\015\001\001\005\005
-\000\003\202\001\001\000\137\361\101\175\174\134\010\271\053\340
-\325\222\107\372\147\134\245\023\303\003\041\233\053\114\211\106
-\317\131\115\311\376\245\100\266\143\315\335\161\050\225\147\021
-\314\044\254\323\104\154\161\256\001\040\153\003\242\217\030\267
-\051\072\175\345\026\140\123\170\074\300\257\025\203\367\217\122
-\063\044\275\144\223\227\356\213\367\333\030\250\155\161\263\367
-\054\027\320\164\045\151\367\376\153\074\224\276\115\113\101\214
-\116\342\163\320\343\220\042\163\103\315\363\357\352\163\316\105
-\212\260\246\111\377\114\175\235\161\210\304\166\035\220\133\035
-\356\375\314\367\356\375\140\245\261\172\026\161\321\026\320\174
-\022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106
-\004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060
-\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213
-\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000
-\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355
-\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026
-\222\340\134\366\007\017
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Visa eCommerce Root"
-# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
-# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
-# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
-# Not Valid Before: Wed Jun 26 02:18:36 2002
-# Not Valid After : Fri Jun 24 00:16:12 2022
-# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
-# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Visa eCommerce Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062
-\275\340\005\142
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
-\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
-\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
-\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
-\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
-\103\157\155\155\145\162\143\145\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
-\034\142
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Certum Root CA"
 #
 # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
@@ -7054,193 +6914,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "AC Raiz Certicamara S.A."
-#
-# Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
-# Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
-# Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
-# Not Valid Before: Mon Nov 27 20:46:29 2006
-# Not Valid After : Tue Apr 02 21:42:02 2030
-# Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
-# Fingerprint (SHA1): CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061
-\107\060\105\006\003\125\004\012\014\076\123\157\143\151\145\144
-\141\144\040\103\141\155\145\162\141\154\040\144\145\040\103\145
-\162\164\151\146\151\143\141\143\151\303\263\156\040\104\151\147
-\151\164\141\154\040\055\040\103\145\162\164\151\143\303\241\155
-\141\162\141\040\123\056\101\056\061\043\060\041\006\003\125\004
-\003\014\032\101\103\040\122\141\303\255\172\040\103\145\162\164
-\151\143\303\241\155\141\162\141\040\123\056\101\056
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061
-\107\060\105\006\003\125\004\012\014\076\123\157\143\151\145\144
-\141\144\040\103\141\155\145\162\141\154\040\144\145\040\103\145
-\162\164\151\146\151\143\141\143\151\303\263\156\040\104\151\147
-\151\164\141\154\040\055\040\103\145\162\164\151\143\303\241\155
-\141\162\141\040\123\056\101\056\061\043\060\041\006\003\125\004
-\003\014\032\101\103\040\122\141\303\255\172\040\103\145\162\164
-\151\143\303\241\155\141\162\141\040\123\056\101\056
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354
-\014
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\006\146\060\202\004\116\240\003\002\001\002\002\017\007
-\176\122\223\173\340\025\343\127\360\151\214\313\354\014\060\015
-\006\011\052\206\110\206\367\015\001\001\005\005\000\060\173\061
-\013\060\011\006\003\125\004\006\023\002\103\117\061\107\060\105
-\006\003\125\004\012\014\076\123\157\143\151\145\144\141\144\040
-\103\141\155\145\162\141\154\040\144\145\040\103\145\162\164\151
-\146\151\143\141\143\151\303\263\156\040\104\151\147\151\164\141
-\154\040\055\040\103\145\162\164\151\143\303\241\155\141\162\141
-\040\123\056\101\056\061\043\060\041\006\003\125\004\003\014\032
-\101\103\040\122\141\303\255\172\040\103\145\162\164\151\143\303
-\241\155\141\162\141\040\123\056\101\056\060\036\027\015\060\066
-\061\061\062\067\062\060\064\066\062\071\132\027\015\063\060\060
-\064\060\062\062\061\064\062\060\062\132\060\173\061\013\060\011
-\006\003\125\004\006\023\002\103\117\061\107\060\105\006\003\125
-\004\012\014\076\123\157\143\151\145\144\141\144\040\103\141\155
-\145\162\141\154\040\144\145\040\103\145\162\164\151\146\151\143
-\141\143\151\303\263\156\040\104\151\147\151\164\141\154\040\055
-\040\103\145\162\164\151\143\303\241\155\141\162\141\040\123\056
-\101\056\061\043\060\041\006\003\125\004\003\014\032\101\103\040
-\122\141\303\255\172\040\103\145\162\164\151\143\303\241\155\141
-\162\141\040\123\056\101\056\060\202\002\042\060\015\006\011\052
-\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060
-\202\002\012\002\202\002\001\000\253\153\211\243\123\314\110\043
-\010\373\303\317\121\226\010\056\270\010\172\155\074\220\027\206
-\251\351\355\056\023\064\107\262\320\160\334\311\074\320\215\312
-\356\113\027\253\320\205\260\247\043\004\313\250\242\374\345\165
-\333\100\312\142\211\217\120\236\001\075\046\133\030\204\034\313
-\174\067\267\175\354\323\177\163\031\260\152\262\330\210\212\055
-\105\164\250\367\263\270\300\324\332\315\042\211\164\115\132\025
-\071\163\030\164\117\265\353\231\247\301\036\210\264\302\223\220
-\143\227\363\247\247\022\262\011\042\007\063\331\221\315\016\234
-\037\016\040\307\356\273\063\215\217\302\322\130\247\137\375\145
-\067\342\210\302\330\217\206\165\136\371\055\247\207\063\362\170
-\067\057\213\274\035\206\067\071\261\224\362\330\274\112\234\203
-\030\132\006\374\363\324\324\272\214\025\011\045\360\371\266\215
-\004\176\027\022\063\153\127\110\114\117\333\046\036\353\314\220
-\347\213\371\150\174\160\017\243\052\320\072\070\337\067\227\342
-\133\336\200\141\323\200\330\221\203\102\132\114\004\211\150\021
-\074\254\137\150\200\101\314\140\102\316\015\132\052\014\017\233
-\060\300\246\360\206\333\253\111\327\227\155\110\213\371\003\300
-\122\147\233\022\367\302\362\056\230\145\102\331\326\232\343\320
-\031\061\014\255\207\325\127\002\172\060\350\206\046\373\217\043
-\212\124\207\344\277\074\356\353\303\165\110\137\036\071\157\201
-\142\154\305\055\304\027\124\031\267\067\215\234\067\221\310\366
-\013\325\352\143\157\203\254\070\302\363\077\336\232\373\341\043
-\141\360\310\046\313\066\310\241\363\060\217\244\243\242\241\335
-\123\263\336\360\232\062\037\203\221\171\060\301\251\037\123\233
-\123\242\025\123\077\335\235\263\020\073\110\175\211\017\374\355
-\003\365\373\045\144\165\016\027\031\015\217\000\026\147\171\172
-\100\374\055\131\007\331\220\372\232\255\075\334\200\212\346\134
-\065\242\147\114\021\153\261\370\200\144\000\055\157\042\141\305
-\254\113\046\345\132\020\202\233\244\203\173\064\367\236\211\221
-\040\227\216\267\102\307\146\303\320\351\244\326\365\040\215\304
-\303\225\254\104\012\235\133\163\074\046\075\057\112\276\247\311
-\247\020\036\373\237\120\151\363\002\003\001\000\001\243\201\346
-\060\201\343\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004
-\003\002\001\006\060\035\006\003\125\035\016\004\026\004\024\321
-\011\320\351\327\316\171\164\124\371\072\060\263\364\155\054\003
-\003\033\150\060\201\240\006\003\125\035\040\004\201\230\060\201
-\225\060\201\222\006\004\125\035\040\000\060\201\211\060\053\006
-\010\053\006\001\005\005\007\002\001\026\037\150\164\164\160\072
-\057\057\167\167\167\056\143\145\162\164\151\143\141\155\141\162
-\141\056\143\157\155\057\144\160\143\057\060\132\006\010\053\006
-\001\005\005\007\002\002\060\116\032\114\114\151\155\151\164\141
-\143\151\157\156\145\163\040\144\145\040\147\141\162\141\156\164
-\355\141\163\040\144\145\040\145\163\164\145\040\143\145\162\164
-\151\146\151\143\141\144\157\040\163\145\040\160\165\145\144\145
-\156\040\145\156\143\157\156\164\162\141\162\040\145\156\040\154
-\141\040\104\120\103\056\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\002\001\000\134\224\265\270\105\221
-\115\216\141\037\003\050\017\123\174\346\244\131\251\263\212\172
-\305\260\377\010\174\054\243\161\034\041\023\147\241\225\022\100
-\065\203\203\217\164\333\063\134\360\111\166\012\201\122\335\111
-\324\232\062\063\357\233\247\313\165\345\172\313\227\022\220\134
-\272\173\305\233\337\273\071\043\310\377\230\316\012\115\042\001
-\110\007\176\212\300\325\040\102\224\104\357\277\167\242\211\147
-\110\033\100\003\005\241\211\354\317\142\343\075\045\166\146\277
-\046\267\273\042\276\157\377\071\127\164\272\172\311\001\225\301
-\225\121\350\253\054\370\261\206\040\351\077\313\065\133\322\027
-\351\052\376\203\023\027\100\356\210\142\145\133\325\073\140\351
-\173\074\270\311\325\177\066\002\045\252\150\302\061\025\267\060
-\145\353\177\035\110\171\261\317\071\342\102\200\026\323\365\223
-\043\374\114\227\311\132\067\154\174\042\330\112\315\322\216\066
-\203\071\221\220\020\310\361\311\065\176\077\270\323\201\306\040
-\144\032\266\120\302\041\244\170\334\320\057\073\144\223\164\360
-\226\220\361\357\373\011\132\064\100\226\360\066\022\301\243\164
-\214\223\176\101\336\167\213\354\206\331\322\017\077\055\321\314
-\100\242\211\146\110\036\040\263\234\043\131\163\251\104\163\274
-\044\171\220\126\067\263\306\051\176\243\017\361\051\071\357\176
-\134\050\062\160\065\254\332\270\310\165\146\374\233\114\071\107
-\216\033\157\233\115\002\124\042\063\357\141\272\236\051\204\357
-\116\113\063\107\166\227\152\313\176\137\375\025\246\236\102\103
-\133\146\132\212\210\015\367\026\271\077\121\145\053\146\152\213
-\321\070\122\242\326\106\021\372\374\232\034\164\236\217\227\013
-\002\117\144\306\365\150\323\113\055\377\244\067\036\213\077\277
-\104\276\141\106\241\204\075\010\047\114\201\040\167\211\010\352
-\147\100\136\154\010\121\137\064\132\214\226\150\315\327\367\211
-\302\034\323\062\000\257\122\313\323\140\133\052\072\107\176\153
-\060\063\241\142\051\177\112\271\341\055\347\024\043\016\016\030
-\107\341\171\374\025\125\320\261\374\045\161\143\165\063\034\043
-\053\257\134\331\355\107\167\140\016\073\017\036\322\300\334\144
-\005\211\374\170\326\134\054\046\103\251
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "AC Raiz Certicamara S.A."
-# Issuer: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
-# Serial Number:07:7e:52:93:7b:e0:15:e3:57:f0:69:8c:cb:ec:0c
-# Subject: CN=AC Ra..z Certic..mara S.A.,O=Sociedad Cameral de Certificaci..n Digital - Certic..mara S.A.,C=CO
-# Not Valid Before: Mon Nov 27 20:46:29 2006
-# Not Valid After : Tue Apr 02 21:42:02 2030
-# Fingerprint (MD5): 93:2A:3E:F6:FD:23:69:0D:71:20:D4:2B:47:99:2B:A6
-# Fingerprint (SHA1): CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AC Ra\xC3\xADz Certic\xC3\xA1mara S.A."
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\313\241\305\370\260\343\136\270\271\105\022\323\371\064\242\351
-\006\020\323\066
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\223\052\076\366\375\043\151\015\161\040\324\053\107\231\053\246
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\173\061\013\060\011\006\003\125\004\006\023\002\103\117\061
-\107\060\105\006\003\125\004\012\014\076\123\157\143\151\145\144
-\141\144\040\103\141\155\145\162\141\154\040\144\145\040\103\145
-\162\164\151\146\151\143\141\143\151\303\263\156\040\104\151\147
-\151\164\141\154\040\055\040\103\145\162\164\151\143\303\241\155
-\141\162\141\040\123\056\101\056\061\043\060\041\006\003\125\004
-\003\014\032\101\103\040\122\141\303\255\172\040\103\145\162\164
-\151\143\303\241\155\141\162\141\040\123\056\101\056
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354
-\014
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Deutsche Telekom Root CA 2"
 #
 # Issuer: CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
@@ -7382,136 +7055,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "ComSign CA"
-#
-# Issuer: C=IL,O=ComSign,CN=ComSign CA
-# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
-# Subject: C=IL,O=ComSign,CN=ComSign CA
-# Not Valid Before: Wed Mar 24 11:32:18 2004
-# Not Valid After : Mon Mar 19 15:02:18 2029
-# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
-# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ComSign CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\064\061\023\060\021\006\003\125\004\003\023\012\103\157\155
-\123\151\147\156\040\103\101\061\020\060\016\006\003\125\004\012
-\023\007\103\157\155\123\151\147\156\061\013\060\011\006\003\125
-\004\006\023\002\111\114
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\064\061\023\060\021\006\003\125\004\003\023\012\103\157\155
-\123\151\147\156\040\103\101\061\020\060\016\006\003\125\004\012
-\023\007\103\157\155\123\151\147\156\061\013\060\011\006\003\125
-\004\006\023\002\111\114
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207
-\167\104
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\223\060\202\002\173\240\003\002\001\002\002\020\024
-\023\226\203\024\125\214\352\173\143\345\374\064\207\167\104\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\064
-\061\023\060\021\006\003\125\004\003\023\012\103\157\155\123\151
-\147\156\040\103\101\061\020\060\016\006\003\125\004\012\023\007
-\103\157\155\123\151\147\156\061\013\060\011\006\003\125\004\006
-\023\002\111\114\060\036\027\015\060\064\060\063\062\064\061\061
-\063\062\061\070\132\027\015\062\071\060\063\061\071\061\065\060
-\062\061\070\132\060\064\061\023\060\021\006\003\125\004\003\023
-\012\103\157\155\123\151\147\156\040\103\101\061\020\060\016\006
-\003\125\004\012\023\007\103\157\155\123\151\147\156\061\013\060
-\011\006\003\125\004\006\023\002\111\114\060\202\001\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
-\017\000\060\202\001\012\002\202\001\001\000\360\344\124\151\053
-\323\307\217\152\104\344\176\130\047\370\013\320\344\224\022\212
-\361\033\070\070\057\037\061\234\006\324\054\247\336\013\052\256
-\032\240\343\236\152\277\237\074\307\156\242\371\213\144\154\072
-\255\205\125\121\124\245\070\125\270\253\203\004\362\077\144\066
-\367\300\215\103\103\152\146\321\367\027\052\325\357\066\372\060
-\020\102\327\123\315\371\372\063\163\114\263\351\204\040\212\326
-\101\047\065\344\070\372\224\233\270\172\344\171\037\063\373\033
-\330\041\011\050\174\115\030\151\136\144\212\172\031\223\312\176
-\354\363\162\347\067\007\130\131\050\254\102\371\305\377\315\077
-\347\245\372\070\261\320\014\307\331\122\032\123\326\201\314\102
-\172\065\133\355\113\072\172\366\265\216\314\377\017\174\344\140
-\066\207\057\255\360\241\045\175\377\322\113\021\210\160\124\246
-\101\250\147\123\122\102\136\344\064\236\344\276\243\354\252\142
-\135\335\303\114\246\202\101\344\063\013\254\311\063\017\144\202
-\127\052\375\014\255\066\341\014\256\113\305\357\073\231\331\043
-\263\133\135\264\127\354\164\160\014\052\117\002\003\001\000\001
-\243\201\240\060\201\235\060\014\006\003\125\035\023\004\005\060
-\003\001\001\377\060\075\006\003\125\035\037\004\066\060\064\060
-\062\240\060\240\056\206\054\150\164\164\160\072\057\057\146\145
-\144\151\162\056\143\157\155\163\151\147\156\056\143\157\056\151
-\154\057\143\162\154\057\103\157\155\123\151\147\156\103\101\056
-\143\162\154\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\206\060\037\006\003\125\035\043\004\030\060\026\200\024
-\113\001\233\076\126\032\145\066\166\313\173\227\252\222\005\356
-\062\347\050\061\060\035\006\003\125\035\016\004\026\004\024\113
-\001\233\076\126\032\145\066\166\313\173\227\252\222\005\356\062
-\347\050\061\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\003\202\001\001\000\320\331\245\176\376\051\140\105\235
-\176\203\317\156\274\107\156\365\032\236\124\166\102\161\264\074
-\130\077\055\100\045\102\366\201\234\361\211\020\310\016\252\170
-\117\070\011\127\260\074\300\010\374\065\216\361\110\121\215\014
-\161\164\272\204\304\327\162\233\204\174\070\116\144\006\047\052
-\341\247\265\354\010\231\264\012\015\324\205\163\310\022\341\065
-\355\361\005\061\035\163\231\014\353\226\312\335\323\346\205\252
-\360\212\373\165\301\362\011\074\145\145\144\363\114\330\255\313
-\210\151\363\344\203\267\014\275\027\132\226\027\312\133\377\255
-\273\034\351\055\204\200\330\041\276\205\122\331\324\164\271\151
-\205\272\115\355\050\062\353\371\141\112\344\304\066\036\031\334
-\157\204\021\037\225\365\203\050\030\250\063\222\103\047\335\135
-\023\004\105\117\207\325\106\315\075\250\272\360\363\270\126\044
-\105\353\067\307\341\166\117\162\071\030\337\176\164\162\307\163
-\055\071\352\140\346\255\021\242\126\207\173\303\150\232\376\370
-\214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224
-\000\147\240\161\000\202\110
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "ComSign CA"
-# Issuer: C=IL,O=ComSign,CN=ComSign CA
-# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
-# Subject: C=IL,O=ComSign,CN=ComSign CA
-# Not Valid Before: Wed Mar 24 11:32:18 2004
-# Not Valid After : Mon Mar 19 15:02:18 2029
-# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B
-# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ComSign CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\341\244\133\024\032\041\332\032\171\364\032\102\251\141\326\151
-\315\006\064\301
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\315\364\071\363\265\030\120\327\076\244\305\221\240\076\041\113
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\064\061\023\060\021\006\003\125\004\003\023\012\103\157\155
-\123\151\147\156\040\103\101\061\020\060\016\006\003\125\004\012
-\023\007\103\157\155\123\151\147\156\061\013\060\011\006\003\125
-\004\006\023\002\111\114
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207
-\167\104
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Cybertrust Global Root"
 #
 # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
@@ -19149,707 +18692,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "Certplus Root CA G1"
-#
-# Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR
-# Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11
-# Subject: CN=Certplus Root CA G1,O=Certplus,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
-# Fingerprint (SHA1): 22:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certplus Root CA G1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\125\203\344\055\076\124\126\205\055\203\067\267
-\054\334\106\021
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\153\060\202\003\123\240\003\002\001\002\002\022\021
-\040\125\203\344\055\076\124\126\205\055\203\067\267\054\334\106
-\021\060\015\006\011\052\206\110\206\367\015\001\001\015\005\000
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-\060\036\027\015\061\064\060\065\062\066\060\060\060\060\060\060
-\132\027\015\063\070\060\061\061\065\060\060\060\060\060\060\132
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
-\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
-\000\332\120\207\266\332\270\251\076\235\144\372\126\063\232\126
-\075\026\345\003\225\262\064\034\232\155\142\005\324\330\217\347
-\211\144\237\272\333\144\213\144\346\171\052\141\315\257\217\132
-\211\221\145\271\130\374\264\003\137\221\077\055\020\025\340\176
-\317\274\374\177\103\147\250\255\136\066\043\330\230\263\115\363
-\103\236\071\174\052\374\354\210\325\210\356\160\275\205\026\055
-\352\113\211\074\243\161\102\376\034\375\323\034\055\020\270\206
-\124\352\103\270\333\306\207\332\250\256\200\045\317\172\046\035
-\252\221\260\110\157\256\265\336\236\330\327\372\000\375\306\217
-\320\121\273\142\175\244\261\214\262\377\040\021\272\065\143\005
-\206\107\140\103\063\220\366\107\242\003\117\226\115\235\117\301
-\352\352\234\242\376\064\056\336\267\312\033\166\244\267\255\237
-\351\250\324\170\077\170\376\362\070\011\066\035\322\026\002\310
-\354\052\150\257\365\216\224\357\055\023\172\036\102\112\035\025
-\061\256\014\004\127\374\141\163\363\061\126\206\061\200\240\304
-\021\156\060\166\343\224\360\137\004\304\254\207\162\211\230\305
-\235\314\127\010\232\364\014\374\175\172\005\072\372\107\200\071
-\266\317\204\023\167\157\047\352\377\226\147\027\010\155\351\015
-\326\043\120\060\260\025\164\023\076\345\057\377\016\315\304\013
-\112\135\360\330\000\063\111\146\353\241\030\174\131\056\075\050
-\271\141\161\313\265\245\272\270\352\334\342\160\157\010\152\334
-\207\147\064\357\337\060\162\335\363\311\077\043\377\065\341\276
-\041\051\040\060\201\344\031\245\040\351\045\312\163\061\164\051
-\276\342\102\325\363\262\046\146\307\150\375\031\263\347\040\223
-\231\350\135\340\136\207\347\106\350\045\234\012\051\044\324\315
-\130\206\122\100\044\262\173\017\230\022\040\044\366\220\154\107
-\310\015\273\030\040\056\331\375\374\213\362\051\352\207\164\225
-\340\102\120\170\204\004\101\141\260\364\041\043\217\055\313\050
-\041\362\152\154\364\032\246\305\024\264\067\145\117\225\375\200
-\310\370\162\345\045\153\304\140\261\173\155\216\112\212\163\316
-\131\373\160\172\163\006\023\331\323\164\067\044\101\012\021\157
-\227\334\347\344\176\241\275\025\362\272\207\017\075\150\212\026
-\007\002\003\001\000\001\243\143\060\141\060\016\006\003\125\035
-\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
-\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125
-\035\016\004\026\004\024\250\301\300\233\221\250\103\025\174\135
-\006\047\264\052\121\330\227\013\201\261\060\037\006\003\125\035
-\043\004\030\060\026\200\024\250\301\300\233\221\250\103\025\174
-\135\006\047\264\052\121\330\227\013\201\261\060\015\006\011\052
-\206\110\206\367\015\001\001\015\005\000\003\202\002\001\000\234
-\126\157\001\176\321\275\114\365\212\306\360\046\037\344\340\070
-\030\314\062\303\051\073\235\101\051\064\141\306\327\360\000\241
-\353\244\162\217\224\027\274\023\054\165\264\127\356\012\174\011
-\172\334\325\312\241\320\064\023\370\167\253\237\345\376\330\036
-\164\212\205\007\217\177\314\171\172\312\226\315\315\375\117\373
-\375\043\015\220\365\364\136\323\306\141\175\236\021\340\002\356
-\011\004\331\007\335\246\212\267\014\203\044\273\203\120\222\376
-\140\165\021\076\330\235\260\212\172\265\340\235\233\313\220\122
-\113\260\223\052\324\076\026\063\345\236\306\145\025\076\144\073
-\004\077\333\014\217\137\134\035\151\037\257\363\351\041\214\363
-\357\227\366\232\267\031\266\204\164\234\243\124\265\160\116\143
-\330\127\135\123\041\233\100\222\103\372\326\167\125\063\117\144
-\325\373\320\054\152\216\155\045\246\357\205\350\002\304\123\076
-\271\236\207\274\314\065\032\336\241\351\212\143\207\145\036\021
-\052\333\143\167\227\024\276\232\024\231\021\262\300\356\260\117
-\370\024\041\062\103\117\237\253\242\313\250\017\252\073\006\125
-\306\022\051\127\010\324\067\327\207\047\255\111\131\247\221\253
-\104\172\136\215\160\333\227\316\110\120\261\163\223\366\360\203
-\140\371\315\361\341\061\375\133\174\161\041\143\024\024\252\257
-\305\336\223\176\150\261\354\042\242\252\220\165\236\265\103\162
-\352\144\243\204\113\375\014\250\046\153\161\227\356\126\143\146
-\350\102\124\371\307\035\337\320\217\133\337\310\060\157\210\376
-\015\304\063\034\123\250\243\375\110\020\362\344\012\116\341\025
-\127\374\156\144\060\302\125\021\334\352\251\315\112\124\254\051
-\143\104\317\112\100\240\326\150\131\033\063\371\357\072\213\333
-\040\222\334\102\204\277\001\253\207\300\325\040\202\333\306\271
-\203\205\102\134\017\103\073\152\111\065\325\230\364\025\277\372
-\141\201\014\011\040\030\322\320\027\014\313\110\000\120\351\166
-\202\214\144\327\072\240\007\125\314\036\061\300\357\072\264\145
-\373\343\277\102\153\236\017\250\275\153\230\334\330\333\313\213
-\244\335\327\131\364\156\335\376\252\303\221\320\056\102\007\300
-\014\115\123\315\044\261\114\133\036\121\364\337\351\222\372
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "Certplus Root CA G1"
-# Issuer: CN=Certplus Root CA G1,O=Certplus,C=FR
-# Serial Number:11:20:55:83:e4:2d:3e:54:56:85:2d:83:37:b7:2c:dc:46:11
-# Subject: CN=Certplus Root CA G1,O=Certplus,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
-# Fingerprint (SHA1): 22:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certplus Root CA G1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\042\375\320\267\375\242\116\015\254\111\054\240\254\246\173\152
-\037\343\367\146
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\177\011\234\367\331\271\134\151\151\126\325\067\076\024\015\102
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\125\203\344\055\076\124\126\205\055\203\067\267
-\054\334\106\021
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Certplus Root CA G2"
-#
-# Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR
-# Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55
-# Subject: CN=Certplus Root CA G2,O=Certplus,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
-# Fingerprint (SHA1): 4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certplus Root CA G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\331\221\316\256\243\350\305\347\377\351\002\257
-\317\163\274\125
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\034\060\202\001\242\240\003\002\001\002\002\022\021
-\040\331\221\316\256\243\350\305\347\377\351\002\257\317\163\274
-\125\060\012\006\010\052\206\110\316\075\004\003\003\060\076\061
-\013\060\011\006\003\125\004\006\023\002\106\122\061\021\060\017
-\006\003\125\004\012\014\010\103\145\162\164\160\154\165\163\061
-\034\060\032\006\003\125\004\003\014\023\103\145\162\164\160\154
-\165\163\040\122\157\157\164\040\103\101\040\107\062\060\036\027
-\015\061\064\060\065\062\066\060\060\060\060\060\060\132\027\015
-\063\070\060\061\061\065\060\060\060\060\060\060\132\060\076\061
-\013\060\011\006\003\125\004\006\023\002\106\122\061\021\060\017
-\006\003\125\004\012\014\010\103\145\162\164\160\154\165\163\061
-\034\060\032\006\003\125\004\003\014\023\103\145\162\164\160\154
-\165\163\040\122\157\157\164\040\103\101\040\107\062\060\166\060
-\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000
-\042\003\142\000\004\315\017\133\126\202\337\360\105\032\326\255
-\367\171\360\035\311\254\226\326\236\116\234\037\264\102\021\312
-\206\277\155\373\205\243\305\345\031\134\327\356\246\077\151\147
-\330\170\342\246\311\304\333\055\171\056\347\213\215\002\157\061
-\042\115\006\343\140\162\105\235\016\102\167\236\316\317\345\177
-\205\233\030\344\374\314\056\162\323\026\223\116\312\231\143\134
-\241\005\052\154\006\243\143\060\141\060\016\006\003\125\035\017
-\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035
-\016\004\026\004\024\332\203\143\002\171\216\332\114\306\074\043
-\024\330\217\303\040\253\050\140\131\060\037\006\003\125\035\043
-\004\030\060\026\200\024\332\203\143\002\171\216\332\114\306\074
-\043\024\330\217\303\040\253\050\140\131\060\012\006\010\052\206
-\110\316\075\004\003\003\003\150\000\060\145\002\060\160\376\260
-\013\331\367\203\227\354\363\125\035\324\334\263\006\016\376\063
-\230\235\213\071\220\153\224\041\355\266\327\135\326\114\327\041
-\247\347\277\041\017\053\315\367\052\334\205\007\235\002\061\000
-\206\024\026\345\334\260\145\302\300\216\024\237\277\044\026\150
-\345\274\371\171\151\334\255\105\053\367\266\061\163\314\006\245
-\123\223\221\032\223\256\160\152\147\272\327\236\345\141\032\137
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "Certplus Root CA G2"
-# Issuer: CN=Certplus Root CA G2,O=Certplus,C=FR
-# Serial Number:11:20:d9:91:ce:ae:a3:e8:c5:e7:ff:e9:02:af:cf:73:bc:55
-# Subject: CN=Certplus Root CA G2,O=Certplus,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
-# Fingerprint (SHA1): 4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Certplus Root CA G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\117\145\216\037\351\006\330\050\002\351\124\107\101\311\124\045
-\135\151\314\032
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\247\356\304\170\055\033\356\055\271\051\316\326\247\226\062\061
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\076\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\021\060\017\006\003\125\004\012\014\010\103\145\162\164\160\154
-\165\163\061\034\060\032\006\003\125\004\003\014\023\103\145\162
-\164\160\154\165\163\040\122\157\157\164\040\103\101\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\331\221\316\256\243\350\305\347\377\351\002\257
-\317\163\274\125
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "OpenTrust Root CA G1"
-#
-# Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
-# Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67
-# Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 08:45:50 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
-# Fingerprint (SHA1): 79:91:E8:34:F7:E2:EE:DD:08:95:01:52:E9:55:2D:14:E9:58:D5:7E
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\263\220\125\071\175\177\066\155\144\302\247\237
-\153\143\216\147
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\157\060\202\003\127\240\003\002\001\002\002\022\021
-\040\263\220\125\071\175\177\066\155\144\302\247\237\153\143\216
-\147\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\061\060\036\027\015\061\064\060\065\062\066\060\070\064\065
-\065\060\132\027\015\063\070\060\061\061\065\060\060\060\060\060
-\060\132\060\100\061\013\060\011\006\003\125\004\006\023\002\106
-\122\061\022\060\020\006\003\125\004\012\014\011\117\160\145\156
-\124\162\165\163\164\061\035\060\033\006\003\125\004\003\014\024
-\117\160\145\156\124\162\165\163\164\040\122\157\157\164\040\103
-\101\040\107\061\060\202\002\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
-\002\202\002\001\000\370\171\106\332\226\305\060\136\212\161\003
-\055\160\244\273\260\305\010\334\315\346\065\300\200\244\021\055
-\335\346\207\256\135\075\221\322\207\154\067\267\332\142\236\233
-\302\044\327\217\361\333\246\246\337\106\157\121\246\161\313\076
-\033\061\147\142\367\021\133\064\047\325\171\116\214\233\130\275
-\042\020\015\134\047\014\335\060\345\250\323\135\041\070\164\027
-\376\343\037\266\117\073\153\055\333\175\140\037\214\175\114\005
-\302\353\001\026\025\230\024\216\321\220\167\042\077\354\302\071
-\270\171\072\360\111\044\342\225\221\334\141\064\222\214\124\164
-\357\261\175\214\001\342\070\175\301\137\152\137\044\262\216\142
-\027\255\171\040\255\253\035\267\340\264\226\110\117\146\103\020
-\006\026\044\003\341\340\234\216\306\106\117\216\032\231\341\217
-\271\216\063\154\151\336\130\255\240\016\247\144\124\021\151\104
-\146\117\114\022\247\216\054\175\304\324\133\305\000\064\060\301
-\331\231\376\062\316\007\204\264\116\315\012\377\066\115\142\361
-\247\143\127\344\333\152\247\256\277\053\271\311\346\262\047\211
-\345\176\232\034\115\150\306\301\030\336\063\053\121\106\113\034
-\216\367\075\014\371\212\064\024\304\373\063\065\043\361\314\361
-\052\307\245\273\260\242\316\376\123\153\115\101\033\146\050\262
-\226\372\247\256\012\116\271\071\063\104\234\164\301\223\034\370
-\340\236\044\045\103\361\233\043\202\252\337\054\040\260\334\066
-\116\003\263\174\002\324\346\173\032\252\207\023\277\076\241\164
-\273\233\016\341\300\223\237\327\244\146\312\273\033\073\343\060
-\364\063\131\212\007\162\003\125\347\163\152\003\061\156\157\226
-\033\343\242\237\257\222\307\355\365\102\267\045\114\073\023\004
-\317\034\226\257\034\042\243\320\253\005\262\114\022\043\122\334
-\375\031\133\047\234\036\073\172\375\102\043\333\043\200\023\360
-\274\121\025\124\224\246\167\076\320\164\121\275\121\024\010\071
-\067\313\037\064\251\060\235\122\204\056\125\220\261\272\337\125
-\000\013\330\126\055\261\111\111\162\200\251\142\327\300\366\030
-\021\004\125\315\164\173\317\141\160\171\364\173\054\134\134\222
-\374\345\270\132\253\114\223\225\241\047\356\245\276\317\161\043
-\102\272\233\166\055\002\003\001\000\001\243\143\060\141\060\016
-\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017
-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
-\035\006\003\125\035\016\004\026\004\024\227\106\041\127\041\065
-\332\066\125\307\363\361\067\160\345\010\366\223\051\266\060\037
-\006\003\125\035\043\004\030\060\026\200\024\227\106\041\127\041
-\065\332\066\125\307\363\361\067\160\345\010\366\223\051\266\060
-\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003\202
-\002\001\000\035\335\002\140\174\340\065\247\346\230\173\352\104
-\316\147\100\117\362\223\156\146\324\071\211\046\254\323\115\004
-\074\273\207\041\077\067\364\161\045\332\113\272\253\226\202\201
-\221\266\355\331\261\244\145\227\342\157\144\131\244\226\356\140
-\312\037\043\373\105\272\377\217\044\360\312\251\061\177\171\037
-\200\263\055\062\272\144\147\140\257\271\131\315\337\232\111\323
-\250\202\261\371\230\224\212\314\340\273\340\004\033\231\140\261
-\106\145\334\010\242\262\106\236\104\210\352\223\176\127\026\322
-\025\162\137\056\113\253\324\235\143\270\343\110\345\376\204\056
-\130\012\237\103\035\376\267\030\222\206\103\113\016\234\062\206
-\054\140\365\351\110\352\225\355\160\051\361\325\057\375\065\264
-\127\317\333\205\110\231\271\302\157\154\217\315\170\225\254\144
-\050\375\126\260\303\157\303\276\131\122\341\137\204\217\200\362
-\364\015\066\255\166\263\243\265\341\144\166\072\130\334\175\117
-\136\126\154\345\125\131\127\245\337\361\212\146\060\214\324\122
-\142\070\167\264\276\050\327\312\066\304\233\005\360\370\025\333
-\333\361\357\064\235\035\170\112\210\126\147\156\140\377\217\310
-\213\341\216\275\102\251\063\012\131\102\022\022\052\372\261\235
-\103\216\005\233\231\332\142\255\127\066\263\035\266\015\171\055
-\226\270\353\362\014\113\014\245\224\306\060\247\046\031\055\355
-\114\006\120\060\361\375\130\075\271\113\027\137\031\264\152\204
-\124\264\070\117\071\242\015\226\150\303\050\224\375\355\055\037
-\112\153\103\226\056\220\001\020\373\070\246\201\013\320\277\165
-\323\324\271\316\361\077\157\016\034\036\067\161\345\030\207\165
-\031\077\120\271\136\244\105\064\255\260\312\346\345\023\166\017
-\061\024\251\216\055\224\326\325\205\115\163\025\117\113\362\262
-\076\355\154\275\375\016\235\146\163\260\075\264\367\277\250\340
-\021\244\304\256\165\011\112\143\000\110\040\246\306\235\013\011
-\212\264\340\346\316\076\307\076\046\070\351\053\336\246\010\111
-\003\004\220\212\351\217\277\350\266\264\052\243\043\215\034\034
-\262\071\222\250\217\002\134\100\071\165\324\163\101\002\167\336
-\315\340\103\207\326\344\272\112\303\154\022\177\376\052\346\043
-\326\214\161
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "OpenTrust Root CA G1"
-# Issuer: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
-# Serial Number:11:20:b3:90:55:39:7d:7f:36:6d:64:c2:a7:9f:6b:63:8e:67
-# Subject: CN=OpenTrust Root CA G1,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 08:45:50 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
-# Fingerprint (SHA1): 79:91:E8:34:F7:E2:EE:DD:08:95:01:52:E9:55:2D:14:E9:58:D5:7E
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\171\221\350\064\367\342\356\335\010\225\001\122\351\125\055\024
-\351\130\325\176
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\166\000\314\201\051\315\125\136\210\152\172\056\367\115\071\332
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\263\220\125\071\175\177\066\155\144\302\247\237
-\153\143\216\147
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "OpenTrust Root CA G2"
-#
-# Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
-# Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11
-# Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
-# Fingerprint (SHA1): 79:5F:88:60:C5:AB:7C:3D:92:E6:CB:F4:8D:E1:45:CD:11:EF:60:0B
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\241\151\033\277\275\271\275\122\226\217\043\350
-\110\277\046\021
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\157\060\202\003\127\240\003\002\001\002\002\022\021
-\040\241\151\033\277\275\271\275\122\226\217\043\350\110\277\046
-\021\060\015\006\011\052\206\110\206\367\015\001\001\015\005\000
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\062\060\036\027\015\061\064\060\065\062\066\060\060\060\060
-\060\060\132\027\015\063\070\060\061\061\065\060\060\060\060\060
-\060\132\060\100\061\013\060\011\006\003\125\004\006\023\002\106
-\122\061\022\060\020\006\003\125\004\012\014\011\117\160\145\156
-\124\162\165\163\164\061\035\060\033\006\003\125\004\003\014\024
-\117\160\145\156\124\162\165\163\164\040\122\157\157\164\040\103
-\101\040\107\062\060\202\002\042\060\015\006\011\052\206\110\206
-\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
-\002\202\002\001\000\314\266\127\245\063\224\020\201\062\123\337
-\141\176\017\166\071\317\134\302\123\165\035\111\172\226\070\335
-\242\163\152\361\157\336\136\242\132\271\161\041\276\066\331\241
-\374\274\356\154\250\174\064\032\161\032\350\032\330\137\016\104
-\006\355\247\340\363\322\141\013\340\062\242\226\321\070\360\302
-\332\001\027\374\344\254\117\350\356\211\036\164\253\117\277\036
-\011\266\066\152\126\363\341\356\226\211\146\044\006\344\315\102
-\072\112\335\340\232\260\304\202\105\263\376\311\253\134\174\076
-\311\353\027\057\014\175\156\256\245\217\310\254\045\012\157\372
-\325\105\230\322\065\011\366\003\103\224\376\331\277\040\225\171
-\200\230\212\331\211\065\273\121\033\244\067\175\374\231\073\253
-\377\277\254\015\217\103\261\231\173\026\020\176\035\157\107\304
-\025\217\004\226\010\006\102\004\370\204\326\035\274\221\246\102
-\276\111\325\152\210\077\274\055\121\321\236\215\340\122\314\127
-\335\065\065\130\333\264\217\044\210\344\213\337\334\153\124\322
-\201\053\262\316\222\113\034\037\106\372\035\330\222\313\166\147
-\265\011\231\011\345\254\027\024\125\160\306\074\240\126\012\003
-\263\334\142\031\337\310\265\060\177\365\074\046\165\021\275\327
-\033\263\207\236\007\257\145\161\345\240\317\032\247\011\020\035
-\223\211\146\133\350\074\142\062\265\265\072\156\351\205\001\213
-\236\103\214\147\163\050\131\133\353\343\334\054\314\245\046\162
-\142\022\264\346\234\203\104\366\121\244\342\300\172\044\127\312
-\016\245\077\072\265\073\213\345\166\356\160\346\222\336\026\134
-\050\133\227\031\047\222\376\172\222\124\316\223\071\012\026\207
-\274\143\263\365\261\223\134\340\156\267\320\352\371\142\062\210
-\104\373\277\047\050\266\060\225\135\022\050\271\225\276\217\123
-\030\345\242\030\026\342\126\244\262\054\020\365\035\067\246\370
-\267\366\320\131\134\211\367\302\325\265\224\164\321\325\376\033
-\266\360\346\326\036\173\322\074\313\250\343\365\030\363\041\037
-\156\357\115\150\006\173\055\135\156\103\211\246\300\371\240\277
-\202\036\317\123\177\264\353\054\333\135\366\152\175\100\044\005
-\162\211\070\001\223\313\161\302\071\135\006\021\366\157\170\370
-\067\015\071\204\047\002\003\001\000\001\243\143\060\141\060\016
-\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017
-\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
-\035\006\003\125\035\016\004\026\004\024\152\071\372\102\042\367
-\346\211\000\115\136\175\063\203\313\270\156\167\206\257\060\037
-\006\003\125\035\043\004\030\060\026\200\024\152\071\372\102\042
-\367\346\211\000\115\136\175\063\203\313\270\156\167\206\257\060
-\015\006\011\052\206\110\206\367\015\001\001\015\005\000\003\202
-\002\001\000\230\313\253\100\074\345\063\002\227\177\055\207\246
-\217\324\136\112\257\270\036\347\273\161\373\200\144\045\251\263
-\032\076\150\135\047\046\247\272\052\341\360\127\203\012\144\117
-\036\042\164\033\351\220\137\360\254\317\377\117\150\172\070\244
-\020\154\015\261\307\244\167\200\030\266\242\050\104\166\247\064
-\235\161\204\057\312\131\322\107\210\231\101\042\311\060\230\141
-\156\075\250\250\005\155\321\037\300\121\104\126\177\047\065\002
-\335\136\230\012\102\353\060\277\215\241\233\121\252\073\352\223
-\106\144\305\000\171\336\041\153\366\127\240\206\327\006\162\354
-\160\106\113\213\163\335\240\041\165\076\334\035\300\217\323\117
-\163\034\205\331\376\177\142\310\225\157\266\323\173\214\272\123
-\302\157\233\104\114\171\320\035\160\263\327\237\002\364\262\007
-\260\307\345\370\255\043\016\246\126\311\051\022\167\110\331\057
-\106\375\073\360\374\164\160\222\245\216\070\010\037\144\060\266
-\267\113\373\066\254\020\216\240\122\063\143\235\003\065\126\305
-\151\275\306\043\132\047\224\366\244\022\370\055\063\074\241\126
-\245\137\326\031\351\355\174\010\275\167\315\047\144\314\224\332
-\116\106\120\207\340\371\301\123\200\036\273\255\373\107\122\213
-\033\375\242\371\336\016\042\267\075\063\131\154\324\336\365\225
-\006\062\015\121\031\101\134\076\117\006\367\271\053\200\047\366
-\243\252\172\174\006\341\103\303\023\071\142\032\066\275\340\050
-\056\224\002\344\051\056\140\125\256\100\075\260\164\222\136\360
-\040\144\226\077\137\105\135\210\265\212\332\002\240\133\105\124
-\336\070\075\011\300\250\112\145\106\026\374\252\277\124\116\115
-\133\276\070\103\267\050\312\213\063\252\032\045\272\045\134\051
-\057\133\112\156\214\352\055\234\052\366\005\166\340\167\227\200
-\210\335\147\023\157\035\150\044\213\117\267\164\201\345\364\140
-\237\172\125\327\076\067\332\026\153\076\167\254\256\030\160\225
-\010\171\051\003\212\376\301\073\263\077\032\017\244\073\136\037
-\130\241\225\311\253\057\163\112\320\055\156\232\131\017\125\030
-\170\055\074\121\246\227\213\346\273\262\160\252\114\021\336\377
-\174\053\067\324\172\321\167\064\217\347\371\102\367\074\201\014
-\113\122\012
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "OpenTrust Root CA G2"
-# Issuer: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
-# Serial Number:11:20:a1:69:1b:bf:bd:b9:bd:52:96:8f:23:e8:48:bf:26:11
-# Subject: CN=OpenTrust Root CA G2,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
-# Fingerprint (SHA1): 79:5F:88:60:C5:AB:7C:3D:92:E6:CB:F4:8D:E1:45:CD:11:EF:60:0B
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\171\137\210\140\305\253\174\075\222\346\313\364\215\341\105\315
-\021\357\140\013
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\127\044\266\131\044\153\256\310\376\034\014\040\362\300\116\353
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\241\151\033\277\275\271\275\122\226\217\043\350
-\110\277\046\021
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "OpenTrust Root CA G3"
-#
-# Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
-# Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f
-# Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
-# Fingerprint (SHA1): 6E:26:64:F3:56:BF:34:55:BF:D1:93:3F:7C:01:DE:D8:13:DA:8A:A6
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G3"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\063
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\346\370\114\374\044\260\276\005\100\254\332\203
-\033\064\140\077
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\002\041\060\202\001\246\240\003\002\001\002\002\022\021
-\040\346\370\114\374\044\260\276\005\100\254\332\203\033\064\140
-\077\060\012\006\010\052\206\110\316\075\004\003\003\060\100\061
-\013\060\011\006\003\125\004\006\023\002\106\122\061\022\060\020
-\006\003\125\004\012\014\011\117\160\145\156\124\162\165\163\164
-\061\035\060\033\006\003\125\004\003\014\024\117\160\145\156\124
-\162\165\163\164\040\122\157\157\164\040\103\101\040\107\063\060
-\036\027\015\061\064\060\065\062\066\060\060\060\060\060\060\132
-\027\015\063\070\060\061\061\065\060\060\060\060\060\060\132\060
-\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061\022
-\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162\165
-\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160\145
-\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040\107
-\063\060\166\060\020\006\007\052\206\110\316\075\002\001\006\005
-\053\201\004\000\042\003\142\000\004\112\356\130\256\115\312\146
-\336\006\072\243\021\374\340\030\360\156\034\272\055\060\014\211
-\331\326\356\233\163\203\251\043\025\214\057\131\212\132\335\024
-\352\235\131\053\103\267\006\354\062\266\272\356\101\265\255\135
-\241\205\314\352\035\024\146\243\147\176\106\342\224\363\347\266
-\126\241\025\131\241\117\067\227\271\042\036\275\021\353\364\262
-\037\136\303\024\232\345\331\227\231\243\143\060\141\060\016\006
-\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006
-\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060\035
-\006\003\125\035\016\004\026\004\024\107\167\303\024\213\142\071
-\014\311\157\341\120\115\320\020\130\334\225\210\155\060\037\006
-\003\125\035\043\004\030\060\026\200\024\107\167\303\024\213\142
-\071\014\311\157\341\120\115\320\020\130\334\225\210\155\060\012
-\006\010\052\206\110\316\075\004\003\003\003\151\000\060\146\002
-\061\000\217\250\334\235\272\014\004\027\372\025\351\075\057\051
-\001\227\277\201\026\063\100\223\154\374\371\355\200\160\157\252
-\217\333\204\302\213\365\065\312\006\334\144\157\150\026\341\217
-\221\271\002\061\000\330\113\245\313\302\320\010\154\351\030\373
-\132\335\115\137\044\013\260\000\041\045\357\217\247\004\046\161
-\342\174\151\345\135\232\370\101\037\073\071\223\223\235\125\352
-\315\215\361\373\301
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "OpenTrust Root CA G3"
-# Issuer: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
-# Serial Number:11:20:e6:f8:4c:fc:24:b0:be:05:40:ac:da:83:1b:34:60:3f
-# Subject: CN=OpenTrust Root CA G3,O=OpenTrust,C=FR
-# Not Valid Before: Mon May 26 00:00:00 2014
-# Not Valid After : Fri Jan 15 00:00:00 2038
-# Fingerprint (SHA-256): B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
-# Fingerprint (SHA1): 6E:26:64:F3:56:BF:34:55:BF:D1:93:3F:7C:01:DE:D8:13:DA:8A:A6
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "OpenTrust Root CA G3"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\156\046\144\363\126\277\064\125\277\321\223\077\174\001\336\330
-\023\332\212\246
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\041\067\264\027\026\222\173\147\106\160\251\226\327\250\023\044
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\100\061\013\060\011\006\003\125\004\006\023\002\106\122\061
-\022\060\020\006\003\125\004\012\014\011\117\160\145\156\124\162
-\165\163\164\061\035\060\033\006\003\125\004\003\014\024\117\160
-\145\156\124\162\165\163\164\040\122\157\157\164\040\103\101\040
-\107\063
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\022\021\040\346\370\114\374\044\260\276\005\100\254\332\203
-\033\064\140\077
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "ISRG Root X1"
 #
 # Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
@@ -22993,3 +21835,1321 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GlobalSign Root CA - R6"
+#
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6
+# Serial Number:45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6
+# Not Valid Before: Wed Dec 10 00:00:00 2014
+# Not Valid After : Sun Dec 10 00:00:00 2034
+# Fingerprint (SHA-256): 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69
+# Fingerprint (SHA1): 80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Root CA - R6"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157
+\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040
+\055\040\122\066\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157
+\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040
+\055\040\122\066\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\016\105\346\273\003\203\063\303\205\145\110\346\377\105\121
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\203\060\202\003\153\240\003\002\001\002\002\016\105
+\346\273\003\203\063\303\205\145\110\346\377\105\121\060\015\006
+\011\052\206\110\206\367\015\001\001\014\005\000\060\114\061\040
+\060\036\006\003\125\004\013\023\027\107\154\157\142\141\154\123
+\151\147\156\040\122\157\157\164\040\103\101\040\055\040\122\066
+\061\023\060\021\006\003\125\004\012\023\012\107\154\157\142\141
+\154\123\151\147\156\061\023\060\021\006\003\125\004\003\023\012
+\107\154\157\142\141\154\123\151\147\156\060\036\027\015\061\064
+\061\062\061\060\060\060\060\060\060\060\132\027\015\063\064\061
+\062\061\060\060\060\060\060\060\060\132\060\114\061\040\060\036
+\006\003\125\004\013\023\027\107\154\157\142\141\154\123\151\147
+\156\040\122\157\157\164\040\103\101\040\055\040\122\066\061\023
+\060\021\006\003\125\004\012\023\012\107\154\157\142\141\154\123
+\151\147\156\061\023\060\021\006\003\125\004\003\023\012\107\154
+\157\142\141\154\123\151\147\156\060\202\002\042\060\015\006\011
+\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000
+\060\202\002\012\002\202\002\001\000\225\007\350\163\312\146\371
+\354\024\312\173\074\367\015\010\361\264\105\013\054\202\264\110
+\306\353\133\074\256\203\270\101\222\063\024\244\157\177\351\052
+\314\306\260\210\153\305\266\211\321\306\262\377\024\316\121\024
+\041\354\112\335\033\132\306\326\207\356\115\072\025\006\355\144
+\146\013\222\200\312\104\336\163\224\116\363\247\211\177\117\170
+\143\010\310\022\120\155\102\146\057\115\271\171\050\115\122\032
+\212\032\200\267\031\201\016\176\304\212\274\144\114\041\034\103
+\150\327\075\074\212\305\262\146\325\220\232\267\061\006\305\276
+\342\155\062\006\246\036\371\271\353\252\243\270\277\276\202\143
+\120\320\360\030\211\337\344\017\171\365\352\242\037\052\322\160
+\056\173\347\274\223\273\155\123\342\110\174\214\020\007\070\377
+\146\262\167\141\176\340\352\214\074\252\264\244\366\363\225\112
+\022\007\155\375\214\262\211\317\320\240\141\167\310\130\164\260
+\324\043\072\367\135\072\312\242\333\235\011\336\135\104\055\220
+\361\201\315\127\222\372\176\274\120\004\143\064\337\153\223\030
+\276\153\066\262\071\344\254\044\066\267\360\357\266\034\023\127
+\223\266\336\262\370\342\205\267\163\242\270\065\252\105\362\340
+\235\066\241\157\124\212\361\162\126\156\056\210\305\121\102\104
+\025\224\356\243\305\070\226\233\116\116\132\013\107\363\006\066
+\111\167\060\274\161\067\345\246\354\041\010\165\374\346\141\026
+\077\167\325\331\221\227\204\012\154\324\002\115\164\300\024\355
+\375\071\373\203\362\136\024\241\004\260\013\351\376\356\217\341
+\156\013\262\010\263\141\146\011\152\261\006\072\145\226\131\300
+\360\065\375\311\332\050\215\032\021\207\160\201\012\250\232\165
+\035\236\072\206\005\000\236\333\200\326\045\371\334\005\236\047
+\131\114\166\071\133\352\371\245\241\330\203\017\321\377\337\060
+\021\371\205\317\063\110\365\312\155\144\024\054\172\130\117\323
+\113\010\111\305\225\144\032\143\016\171\075\365\263\214\312\130
+\255\234\102\105\171\156\016\207\031\134\124\261\145\266\277\214
+\233\334\023\351\015\157\270\056\334\147\156\311\213\021\265\204
+\024\212\000\031\160\203\171\221\227\221\324\032\047\277\067\036
+\062\007\330\024\143\074\050\114\257\002\003\001\000\001\243\143
+\060\141\060\016\006\003\125\035\017\001\001\377\004\004\003\002
+\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003
+\001\001\377\060\035\006\003\125\035\016\004\026\004\024\256\154
+\005\243\223\023\342\242\347\342\327\034\326\307\360\177\310\147
+\123\240\060\037\006\003\125\035\043\004\030\060\026\200\024\256
+\154\005\243\223\023\342\242\347\342\327\034\326\307\360\177\310
+\147\123\240\060\015\006\011\052\206\110\206\367\015\001\001\014
+\005\000\003\202\002\001\000\203\045\355\350\321\375\225\122\315
+\236\300\004\240\221\151\346\134\320\204\336\334\255\242\117\350
+\107\170\326\145\230\251\133\250\074\207\174\002\212\321\156\267
+\026\163\346\137\300\124\230\325\164\276\301\315\342\021\221\255
+\043\030\075\335\341\162\104\226\264\225\136\300\173\216\231\170
+\026\103\023\126\127\263\242\263\073\265\167\334\100\162\254\243
+\353\233\065\076\261\010\041\241\347\304\103\067\171\062\276\265
+\347\234\054\114\274\103\051\231\216\060\323\254\041\340\343\035
+\372\330\007\063\166\124\000\042\052\271\115\040\056\160\150\332
+\345\123\374\203\134\323\235\362\377\104\014\104\146\362\322\343
+\275\106\000\032\155\002\272\045\135\215\241\061\121\335\124\106
+\034\115\333\231\226\357\032\034\004\134\246\025\357\170\340\171
+\376\135\333\076\252\114\125\375\232\025\251\157\341\246\373\337
+\160\060\351\303\356\102\106\355\302\223\005\211\372\175\143\173
+\077\320\161\201\174\000\350\230\256\016\170\064\303\045\373\257
+\012\237\040\153\335\073\023\217\022\214\342\101\032\110\172\163
+\240\167\151\307\266\134\177\202\310\036\376\130\033\050\053\250
+\154\255\136\155\300\005\322\173\267\353\200\376\045\067\376\002
+\233\150\254\102\135\303\356\365\314\334\360\120\165\322\066\151
+\234\346\173\004\337\156\006\151\266\336\012\011\110\131\207\353
+\173\024\140\172\144\252\151\103\357\221\307\114\354\030\335\154
+\357\123\055\214\231\341\136\362\162\076\317\124\310\275\147\354
+\244\017\114\105\377\323\271\060\043\007\114\217\020\277\206\226
+\331\231\132\264\231\127\034\244\314\273\025\211\123\272\054\005
+\017\344\304\236\031\261\030\064\325\114\235\272\355\367\037\257
+\044\225\004\170\250\003\273\356\201\345\332\137\174\213\112\241
+\220\164\045\247\263\076\113\310\054\126\275\307\310\357\070\342
+\134\222\360\171\367\234\204\272\164\055\141\001\040\176\176\321
+\362\117\007\131\137\213\055\103\122\353\106\014\224\341\365\146
+\107\171\167\325\124\133\037\255\044\067\313\105\132\116\240\104
+\110\310\330\260\231\305\025\204\011\366\326\111\111\300\145\270
+\346\032\161\156\240\250\361\202\350\105\076\154\326\002\327\012
+\147\203\005\132\311\244\020
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GlobalSign Root CA - R6"
+# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6
+# Serial Number:45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
+# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6
+# Not Valid Before: Wed Dec 10 00:00:00 2014
+# Not Valid After : Sun Dec 10 00:00:00 2034
+# Fingerprint (SHA-256): 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69
+# Fingerprint (SHA1): 80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GlobalSign Root CA - R6"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\200\224\144\016\265\247\241\312\021\234\037\335\325\237\201\002
+\143\247\373\321
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\117\335\007\344\324\042\144\071\036\014\067\102\352\321\306\256
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157
+\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040
+\055\040\122\066\061\023\060\021\006\003\125\004\012\023\012\107
+\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
+\004\003\023\012\107\154\157\142\141\154\123\151\147\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\016\105\346\273\003\203\063\303\205\145\110\346\377\105\121
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "OISTE WISeKey Global Root GC CA"
+#
+# Issuer: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+# Serial Number:21:2a:56:0c:ae:da:0c:ab:40:45:bf:2b:a2:2d:3a:ea
+# Subject: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+# Not Valid Before: Tue May 09 09:48:34 2017
+# Not Valid After : Fri May 09 09:58:33 2042
+# Fingerprint (SHA-256): 85:60:F9:1C:36:24:DA:BA:95:70:B5:FE:A0:DB:E3:6F:F1:1A:83:23:BE:94:86:85:4F:B3:F3:4A:55:71:19:8D
+# Fingerprint (SHA1): E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "OISTE WISeKey Global Root GC CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061
+\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145
+\171\061\042\060\040\006\003\125\004\013\023\031\117\111\123\124
+\105\040\106\157\165\156\144\141\164\151\157\156\040\105\156\144
+\157\162\163\145\144\061\050\060\046\006\003\125\004\003\023\037
+\117\111\123\124\105\040\127\111\123\145\113\145\171\040\107\154
+\157\142\141\154\040\122\157\157\164\040\107\103\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061
+\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145
+\171\061\042\060\040\006\003\125\004\013\023\031\117\111\123\124
+\105\040\106\157\165\156\144\141\164\151\157\156\040\105\156\144
+\157\162\163\145\144\061\050\060\046\006\003\125\004\003\023\037
+\117\111\123\124\105\040\127\111\123\145\113\145\171\040\107\154
+\157\142\141\154\040\122\157\157\164\040\107\103\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\041\052\126\014\256\332\014\253\100\105\277\053\242\055
+\072\352
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\151\060\202\001\357\240\003\002\001\002\002\020\041
+\052\126\014\256\332\014\253\100\105\277\053\242\055\072\352\060
+\012\006\010\052\206\110\316\075\004\003\003\060\155\061\013\060
+\011\006\003\125\004\006\023\002\103\110\061\020\060\016\006\003
+\125\004\012\023\007\127\111\123\145\113\145\171\061\042\060\040
+\006\003\125\004\013\023\031\117\111\123\124\105\040\106\157\165
+\156\144\141\164\151\157\156\040\105\156\144\157\162\163\145\144
+\061\050\060\046\006\003\125\004\003\023\037\117\111\123\124\105
+\040\127\111\123\145\113\145\171\040\107\154\157\142\141\154\040
+\122\157\157\164\040\107\103\040\103\101\060\036\027\015\061\067
+\060\065\060\071\060\071\064\070\063\064\132\027\015\064\062\060
+\065\060\071\060\071\065\070\063\063\132\060\155\061\013\060\011
+\006\003\125\004\006\023\002\103\110\061\020\060\016\006\003\125
+\004\012\023\007\127\111\123\145\113\145\171\061\042\060\040\006
+\003\125\004\013\023\031\117\111\123\124\105\040\106\157\165\156
+\144\141\164\151\157\156\040\105\156\144\157\162\163\145\144\061
+\050\060\046\006\003\125\004\003\023\037\117\111\123\124\105\040
+\127\111\123\145\113\145\171\040\107\154\157\142\141\154\040\122
+\157\157\164\040\107\103\040\103\101\060\166\060\020\006\007\052
+\206\110\316\075\002\001\006\005\053\201\004\000\042\003\142\000
+\004\114\351\120\300\306\017\162\030\274\330\361\272\263\211\342
+\171\112\243\026\247\153\124\044\333\121\377\352\364\011\044\303
+\013\042\237\313\152\047\202\201\015\322\300\257\061\344\164\202
+\156\312\045\331\214\165\235\361\333\320\232\242\113\041\176\026
+\247\143\220\322\071\324\261\207\170\137\030\226\017\120\033\065
+\067\017\152\306\334\331\023\115\244\216\220\067\346\275\133\061
+\221\243\124\060\122\060\016\006\003\125\035\017\001\001\377\004
+\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004
+\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004
+\024\110\207\024\254\343\303\236\220\140\072\327\312\211\356\323
+\255\214\264\120\146\060\020\006\011\053\006\001\004\001\202\067
+\025\001\004\003\002\001\000\060\012\006\010\052\206\110\316\075
+\004\003\003\003\150\000\060\145\002\060\046\307\151\133\334\325
+\347\262\347\310\014\214\214\303\335\171\214\033\143\325\311\122
+\224\116\115\202\112\163\036\262\200\204\251\045\300\114\132\155
+\111\051\140\170\023\342\176\110\353\144\002\061\000\333\064\040
+\062\010\377\232\111\002\266\210\336\024\257\135\154\231\161\215
+\032\077\213\327\340\242\066\206\034\007\202\072\166\123\375\302
+\242\355\357\173\260\200\117\130\017\113\123\071\275
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "OISTE WISeKey Global Root GC CA"
+# Issuer: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+# Serial Number:21:2a:56:0c:ae:da:0c:ab:40:45:bf:2b:a2:2d:3a:ea
+# Subject: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
+# Not Valid Before: Tue May 09 09:48:34 2017
+# Not Valid After : Fri May 09 09:58:33 2042
+# Fingerprint (SHA-256): 85:60:F9:1C:36:24:DA:BA:95:70:B5:FE:A0:DB:E3:6F:F1:1A:83:23:BE:94:86:85:4F:B3:F3:4A:55:71:19:8D
+# Fingerprint (SHA1): E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "OISTE WISeKey Global Root GC CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\340\021\204\136\064\336\276\210\201\271\234\366\026\046\321\226
+\037\303\271\061
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\251\326\271\055\057\223\144\370\245\151\312\221\351\150\007\043
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061
+\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145
+\171\061\042\060\040\006\003\125\004\013\023\031\117\111\123\124
+\105\040\106\157\165\156\144\141\164\151\157\156\040\105\156\144
+\157\162\163\145\144\061\050\060\046\006\003\125\004\003\023\037
+\117\111\123\124\105\040\127\111\123\145\113\145\171\040\107\154
+\157\142\141\154\040\122\157\157\164\040\107\103\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\041\052\126\014\256\332\014\253\100\105\277\053\242\055
+\072\352
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GTS Root R1"
+#
+# Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c5:4b:47:0c:0d:ec:33:d0:89:b9:1c:f4:e1
+# Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 2A:57:54:71:E3:13:40:BC:21:58:1C:BD:2C:F1:3E:15:84:63:20:3E:CE:94:BC:F9:D3:CC:19:6B:F0:9A:54:72
+# Fingerprint (SHA1): E1:C9:50:E6:EF:22:F8:4C:56:45:72:8B:92:20:60:D7:D5:A7:A3:E8
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R1"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\061
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\305\113\107\014\015\354\063\320\211\271\034
+\364\341
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\132\060\202\003\102\240\003\002\001\002\002\020\156
+\107\251\305\113\107\014\015\354\063\320\211\271\034\364\341\060
+\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\107
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\042\060
+\040\006\003\125\004\012\023\031\107\157\157\147\154\145\040\124
+\162\165\163\164\040\123\145\162\166\151\143\145\163\040\114\114
+\103\061\024\060\022\006\003\125\004\003\023\013\107\124\123\040
+\122\157\157\164\040\122\061\060\036\027\015\061\066\060\066\062
+\062\060\060\060\060\060\060\132\027\015\063\066\060\066\062\062
+\060\060\060\060\060\060\132\060\107\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\042\060\040\006\003\125\004\012\023
+\031\107\157\157\147\154\145\040\124\162\165\163\164\040\123\145
+\162\166\151\143\145\163\040\114\114\103\061\024\060\022\006\003
+\125\004\003\023\013\107\124\123\040\122\157\157\164\040\122\061
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\266\021\002\213\036\343\241\167\233\073\334\277\224\076\267
+\225\247\100\074\241\375\202\371\175\062\006\202\161\366\366\214
+\177\373\350\333\274\152\056\227\227\243\214\113\371\053\366\261
+\371\316\204\035\261\371\305\227\336\357\271\362\243\351\274\022
+\211\136\247\252\122\253\370\043\047\313\244\261\234\143\333\327
+\231\176\360\012\136\353\150\246\364\306\132\107\015\115\020\063
+\343\116\261\023\243\310\030\154\113\354\374\011\220\337\235\144
+\051\045\043\007\241\264\322\075\056\140\340\317\322\011\207\273
+\315\110\360\115\302\302\172\210\212\273\272\317\131\031\326\257
+\217\260\007\260\236\061\361\202\301\300\337\056\246\155\154\031
+\016\265\330\176\046\032\105\003\075\260\171\244\224\050\255\017
+\177\046\345\250\010\376\226\350\074\150\224\123\356\203\072\210
+\053\025\226\011\262\340\172\214\056\165\326\234\353\247\126\144
+\217\226\117\150\256\075\227\302\204\217\300\274\100\300\013\134
+\275\366\207\263\065\154\254\030\120\177\204\340\114\315\222\323
+\040\351\063\274\122\231\257\062\265\051\263\045\052\264\110\371
+\162\341\312\144\367\346\202\020\215\350\235\302\212\210\372\070
+\146\212\374\143\371\001\371\170\375\173\134\167\372\166\207\372
+\354\337\261\016\171\225\127\264\275\046\357\326\001\321\353\026
+\012\273\216\013\265\305\305\212\125\253\323\254\352\221\113\051
+\314\031\244\062\045\116\052\361\145\104\320\002\316\252\316\111
+\264\352\237\174\203\260\100\173\347\103\253\247\154\243\217\175
+\211\201\372\114\245\377\325\216\303\316\113\340\265\330\263\216
+\105\317\166\300\355\100\053\375\123\017\260\247\325\073\015\261
+\212\242\003\336\061\255\314\167\352\157\173\076\326\337\221\042
+\022\346\276\372\330\062\374\020\143\024\121\162\336\135\326\026
+\223\275\051\150\063\357\072\146\354\007\212\046\337\023\327\127
+\145\170\047\336\136\111\024\000\242\000\177\232\250\041\266\251
+\261\225\260\245\271\015\026\021\332\307\154\110\074\100\340\176
+\015\132\315\126\074\321\227\005\271\313\113\355\071\113\234\304
+\077\322\125\023\156\044\260\326\161\372\364\301\272\314\355\033
+\365\376\201\101\330\000\230\075\072\310\256\172\230\067\030\005
+\225\002\003\001\000\001\243\102\060\100\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125
+\035\016\004\026\004\024\344\257\053\046\161\032\053\110\047\205
+\057\122\146\054\357\360\211\023\161\076\060\015\006\011\052\206
+\110\206\367\015\001\001\014\005\000\003\202\002\001\000\070\226
+\012\356\075\264\226\036\137\357\235\234\013\063\237\053\340\312
+\375\322\216\012\037\101\164\245\174\252\204\324\345\362\036\346
+\067\122\062\234\013\321\141\035\277\050\301\266\104\051\065\165
+\167\230\262\174\331\275\164\254\212\150\343\251\061\011\051\001
+\140\163\343\107\174\123\250\220\112\047\357\113\327\237\223\347
+\202\066\316\232\150\014\202\347\317\324\020\026\157\137\016\231
+\134\366\037\161\175\357\357\173\057\176\352\066\326\227\160\013
+\025\356\327\134\126\152\063\245\343\111\070\014\270\175\373\215
+\205\244\261\131\136\364\152\341\335\241\366\144\104\256\346\121
+\203\041\146\306\021\076\363\316\107\356\234\050\037\045\332\377
+\254\146\225\335\065\017\134\357\040\054\142\375\221\272\251\314
+\374\132\234\223\201\203\051\227\112\174\132\162\264\071\320\267
+\167\313\171\375\151\072\222\067\355\156\070\145\106\176\351\140
+\275\171\210\227\137\070\022\364\356\257\133\202\310\206\325\341
+\231\155\214\004\362\166\272\111\366\156\351\155\036\137\240\357
+\047\202\166\100\370\246\323\130\134\017\054\102\332\102\306\173
+\210\064\307\301\330\105\233\301\076\305\141\035\331\143\120\111
+\366\064\205\152\340\030\305\156\107\253\101\102\051\233\366\140
+\015\322\061\323\143\230\043\223\132\000\201\110\264\357\315\212
+\315\311\317\231\356\331\236\252\066\341\150\113\161\111\024\066
+\050\072\075\035\316\232\217\045\346\200\161\141\053\265\173\314
+\371\045\026\201\341\061\137\241\243\176\026\244\234\026\152\227
+\030\275\166\162\245\013\236\035\066\346\057\241\057\276\160\221
+\017\250\346\332\370\304\222\100\154\045\176\173\263\011\334\262
+\027\255\200\104\360\150\245\217\224\165\377\164\132\350\250\002
+\174\014\011\342\251\113\013\240\205\013\142\271\357\241\061\222
+\373\357\366\121\004\211\154\350\251\164\241\273\027\263\265\375
+\111\017\174\074\354\203\030\040\103\116\325\223\272\264\064\261
+\037\026\066\037\014\346\144\071\026\114\334\340\376\035\310\251
+\142\075\100\352\312\305\064\002\264\256\211\210\063\065\334\054
+\023\163\330\047\361\320\162\356\165\073\042\336\230\150\146\133
+\361\306\143\107\125\034\272\245\010\121\165\246\110\045
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GTS Root R1"
+# Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c5:4b:47:0c:0d:ec:33:d0:89:b9:1c:f4:e1
+# Subject: CN=GTS Root R1,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 2A:57:54:71:E3:13:40:BC:21:58:1C:BD:2C:F1:3E:15:84:63:20:3E:CE:94:BC:F9:D3:CC:19:6B:F0:9A:54:72
+# Fingerprint (SHA1): E1:C9:50:E6:EF:22:F8:4C:56:45:72:8B:92:20:60:D7:D5:A7:A3:E8
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R1"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\341\311\120\346\357\042\370\114\126\105\162\213\222\040\140\327
+\325\247\243\350
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\202\032\357\324\322\112\362\237\342\075\227\006\024\160\162\205
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\061
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\305\113\107\014\015\354\063\320\211\271\034
+\364\341
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GTS Root R2"
+#
+# Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c6:5a:b3:e7:20:c5:30:9a:3f:68:52:f2:6f
+# Subject: CN=GTS Root R2,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): C4:5D:7B:B0:8E:6D:67:E6:2E:42:35:11:0B:56:4E:5F:78:FD:92:EF:05:8C:84:0A:EA:4E:64:55:D7:58:5C:60
+# Fingerprint (SHA1): D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R2"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\062
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\306\132\263\347\040\305\060\232\077\150\122
+\362\157
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\132\060\202\003\102\240\003\002\001\002\002\020\156
+\107\251\306\132\263\347\040\305\060\232\077\150\122\362\157\060
+\015\006\011\052\206\110\206\367\015\001\001\014\005\000\060\107
+\061\013\060\011\006\003\125\004\006\023\002\125\123\061\042\060
+\040\006\003\125\004\012\023\031\107\157\157\147\154\145\040\124
+\162\165\163\164\040\123\145\162\166\151\143\145\163\040\114\114
+\103\061\024\060\022\006\003\125\004\003\023\013\107\124\123\040
+\122\157\157\164\040\122\062\060\036\027\015\061\066\060\066\062
+\062\060\060\060\060\060\060\132\027\015\063\066\060\066\062\062
+\060\060\060\060\060\060\132\060\107\061\013\060\011\006\003\125
+\004\006\023\002\125\123\061\042\060\040\006\003\125\004\012\023
+\031\107\157\157\147\154\145\040\124\162\165\163\164\040\123\145
+\162\166\151\143\145\163\040\114\114\103\061\024\060\022\006\003
+\125\004\003\023\013\107\124\123\040\122\157\157\164\040\122\062
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\316\336\375\246\373\354\354\024\064\074\007\006\132\154\131
+\367\031\065\335\367\301\235\125\252\323\315\073\244\223\162\357
+\012\372\155\235\366\360\205\200\133\241\110\122\237\071\305\267
+\356\050\254\357\313\166\150\024\271\337\255\001\154\231\037\304
+\042\035\237\376\162\167\340\054\133\257\344\004\277\117\162\240
+\032\064\230\350\071\150\354\225\045\173\166\241\346\151\271\205
+\031\275\211\214\376\255\355\066\352\163\274\377\203\342\313\175
+\301\322\316\112\263\215\005\236\213\111\223\337\301\133\320\156
+\136\360\056\060\056\202\374\372\274\264\027\012\110\345\210\233
+\305\233\153\336\260\312\264\003\360\332\364\220\270\145\144\367
+\134\114\255\350\176\146\136\231\327\270\302\076\310\320\023\235
+\255\356\344\105\173\211\125\367\212\037\142\122\204\022\263\302
+\100\227\343\212\037\107\221\246\164\132\322\370\261\143\050\020
+\270\263\011\270\126\167\100\242\046\230\171\306\376\337\045\356
+\076\345\240\177\324\141\017\121\113\074\077\214\332\341\160\164
+\330\302\150\241\371\301\014\351\241\342\177\273\125\074\166\006
+\356\152\116\314\222\210\060\115\232\275\117\013\110\232\204\265
+\230\243\325\373\163\301\127\141\335\050\126\165\023\256\207\216
+\347\014\121\011\020\165\210\114\274\215\371\173\074\324\042\110
+\037\052\334\353\153\273\104\261\313\063\161\062\106\257\255\112
+\361\214\350\164\072\254\347\032\042\163\200\322\060\367\045\102
+\307\042\073\073\022\255\226\056\306\303\166\007\252\040\267\065
+\111\127\351\222\111\350\166\026\162\061\147\053\226\176\212\243
+\307\224\126\042\277\152\113\176\001\041\262\043\062\337\344\232
+\104\155\131\133\135\365\000\240\034\233\306\170\227\215\220\377
+\233\310\252\264\257\021\121\071\136\331\373\147\255\325\133\021
+\235\062\232\033\275\325\272\133\245\311\313\045\151\123\125\047
+\134\340\312\066\313\210\141\373\036\267\320\313\356\026\373\323
+\246\114\336\222\245\324\342\337\365\006\124\336\056\235\113\264
+\223\060\252\201\316\335\032\334\121\163\015\117\160\351\345\266
+\026\041\031\171\262\346\211\013\165\144\312\325\253\274\011\301
+\030\241\377\324\124\241\205\074\375\024\044\003\262\207\323\244
+\267\002\003\001\000\001\243\102\060\100\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
+\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125
+\035\016\004\026\004\024\273\377\312\216\043\237\117\231\312\333
+\342\150\246\245\025\047\027\036\331\016\060\015\006\011\052\206
+\110\206\367\015\001\001\014\005\000\003\202\002\001\000\266\151
+\360\246\167\376\236\356\013\201\255\341\300\251\307\371\065\035
+\100\202\253\346\004\264\337\313\367\035\017\203\360\176\023\115
+\215\214\356\343\063\042\303\071\374\100\337\156\101\113\102\123
+\276\026\210\361\322\070\136\304\150\231\034\230\122\223\214\347
+\150\355\033\152\163\172\005\100\115\177\145\073\326\130\361\316
+\203\107\140\343\377\227\251\234\140\167\030\125\265\176\010\223
+\317\320\366\074\147\003\025\141\011\371\201\171\365\354\123\244
+\237\311\217\001\213\163\304\167\166\334\203\242\365\014\111\032
+\250\166\336\222\233\144\370\263\054\305\047\323\007\300\010\200
+\244\230\222\343\001\226\002\252\002\356\217\073\305\321\155\012
+\063\060\163\170\271\117\124\026\277\013\007\241\244\134\346\313
+\311\134\204\217\017\340\025\167\054\176\046\176\332\304\113\333
+\247\026\167\007\260\315\165\350\162\102\326\225\204\235\206\203
+\362\344\220\315\011\107\324\213\003\160\332\132\306\003\102\364
+\355\067\242\360\033\120\124\113\016\330\204\336\031\050\231\201
+\107\256\011\033\077\110\321\303\157\342\260\140\027\365\356\043
+\002\245\332\000\133\155\220\253\356\242\351\033\073\351\307\104
+\047\105\216\153\237\365\244\204\274\167\371\153\227\254\076\121
+\105\242\021\246\314\205\356\012\150\362\076\120\070\172\044\142
+\036\027\040\067\155\152\115\267\011\233\311\374\244\130\365\266
+\373\234\116\030\273\225\002\347\241\255\233\007\356\066\153\044
+\322\071\206\301\223\203\120\322\201\106\250\137\142\127\054\273
+\154\144\210\010\156\357\023\124\137\335\055\304\147\143\323\317
+\211\067\277\235\040\364\373\172\203\233\240\036\201\000\120\302
+\344\014\042\131\122\020\355\103\126\207\000\370\024\122\247\035
+\213\223\214\242\115\106\177\047\306\161\233\044\336\344\332\206
+\213\015\176\153\040\301\300\236\341\145\330\152\243\246\350\205
+\213\072\007\010\034\272\365\217\125\232\030\165\176\345\354\201
+\146\321\041\163\241\065\104\013\200\075\133\234\136\157\052\027
+\226\321\203\043\210\146\155\346\206\342\160\062\057\122\042\347
+\310\347\177\304\054\140\135\057\303\257\236\105\005\303\204\002
+\267\375\054\010\122\117\202\335\243\360\324\206\011\002
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GTS Root R2"
+# Issuer: CN=GTS Root R2,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c6:5a:b3:e7:20:c5:30:9a:3f:68:52:f2:6f
+# Subject: CN=GTS Root R2,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): C4:5D:7B:B0:8E:6D:67:E6:2E:42:35:11:0B:56:4E:5F:78:FD:92:EF:05:8C:84:0A:EA:4E:64:55:D7:58:5C:60
+# Fingerprint (SHA1): D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R2"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\322\163\226\052\052\136\071\237\163\077\341\307\036\144\077\003
+\070\064\374\115
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\104\355\232\016\244\011\073\000\362\256\114\243\306\141\260\213
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\062
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\306\132\263\347\040\305\060\232\077\150\122
+\362\157
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GTS Root R3"
+#
+# Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c7:6c:a9:73:24:40:89:0f:03:55:dd:8d:1d
+# Subject: CN=GTS Root R3,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 15:D5:B8:77:46:19:EA:7D:54:CE:1C:A6:D0:B0:C4:03:E0:37:A9:17:F1:31:E8:A0:4E:1E:6B:7A:71:BA:BC:E5
+# Fingerprint (SHA1): 30:D4:24:6F:07:FF:DB:91:89:8A:0B:E9:49:66:11:EB:8C:5E:46:E5
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R3"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\063
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\307\154\251\163\044\100\211\017\003\125\335
+\215\035
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\014\060\202\001\221\240\003\002\001\002\002\020\156
+\107\251\307\154\251\163\044\100\211\017\003\125\335\215\035\060
+\012\006\010\052\206\110\316\075\004\003\003\060\107\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\042\060\040\006\003
+\125\004\012\023\031\107\157\157\147\154\145\040\124\162\165\163
+\164\040\123\145\162\166\151\143\145\163\040\114\114\103\061\024
+\060\022\006\003\125\004\003\023\013\107\124\123\040\122\157\157
+\164\040\122\063\060\036\027\015\061\066\060\066\062\062\060\060
+\060\060\060\060\132\027\015\063\066\060\066\062\062\060\060\060
+\060\060\060\132\060\107\061\013\060\011\006\003\125\004\006\023
+\002\125\123\061\042\060\040\006\003\125\004\012\023\031\107\157
+\157\147\154\145\040\124\162\165\163\164\040\123\145\162\166\151
+\143\145\163\040\114\114\103\061\024\060\022\006\003\125\004\003
+\023\013\107\124\123\040\122\157\157\164\040\122\063\060\166\060
+\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000
+\042\003\142\000\004\037\117\063\207\063\051\212\241\204\336\313
+\307\041\130\101\211\352\126\235\053\113\205\306\035\114\047\274
+\177\046\121\162\157\342\237\326\243\312\314\105\024\106\213\255
+\357\176\206\214\354\261\176\057\377\251\161\235\030\204\105\004
+\101\125\156\053\352\046\177\273\220\001\343\113\031\272\344\124
+\226\105\011\261\325\154\221\104\255\204\023\216\232\214\015\200
+\014\062\366\340\047\243\102\060\100\060\016\006\003\125\035\017
+\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035
+\016\004\026\004\024\301\361\046\272\240\055\256\205\201\317\323
+\361\052\022\275\270\012\147\375\274\060\012\006\010\052\206\110
+\316\075\004\003\003\003\151\000\060\146\002\061\000\200\133\244
+\174\043\300\225\245\054\334\276\211\157\043\271\243\335\145\000
+\122\136\221\254\310\235\162\164\202\123\013\175\251\100\275\150
+\140\305\341\270\124\073\301\066\027\045\330\301\275\002\061\000
+\236\065\222\164\205\045\121\365\044\354\144\122\044\120\245\037
+\333\350\313\311\166\354\354\202\156\365\205\030\123\350\270\343
+\232\051\252\226\323\203\043\311\244\173\141\263\314\002\350\135
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GTS Root R3"
+# Issuer: CN=GTS Root R3,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c7:6c:a9:73:24:40:89:0f:03:55:dd:8d:1d
+# Subject: CN=GTS Root R3,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 15:D5:B8:77:46:19:EA:7D:54:CE:1C:A6:D0:B0:C4:03:E0:37:A9:17:F1:31:E8:A0:4E:1E:6B:7A:71:BA:BC:E5
+# Fingerprint (SHA1): 30:D4:24:6F:07:FF:DB:91:89:8A:0B:E9:49:66:11:EB:8C:5E:46:E5
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R3"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\060\324\044\157\007\377\333\221\211\212\013\351\111\146\021\353
+\214\136\106\345
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\032\171\133\153\004\122\234\135\307\164\063\033\045\232\371\045
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\063
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\307\154\251\163\044\100\211\017\003\125\335
+\215\035
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "GTS Root R4"
+#
+# Issuer: CN=GTS Root R4,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c8:8b:94:b6:e8:bb:3b:2a:d8:a2:b2:c1:99
+# Subject: CN=GTS Root R4,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 71:CC:A5:39:1F:9E:79:4B:04:80:25:30:B3:63:E1:21:DA:8A:30:43:BB:26:66:2F:EA:4D:CA:7F:C9:51:A4:BD
+# Fingerprint (SHA1): 2A:1D:60:27:D9:4A:B1:0A:1C:4D:91:5C:CD:33:A0:CB:3E:2D:54:CB
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R4"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\064
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\310\213\224\266\350\273\073\052\330\242\262
+\301\231
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\002\012\060\202\001\221\240\003\002\001\002\002\020\156
+\107\251\310\213\224\266\350\273\073\052\330\242\262\301\231\060
+\012\006\010\052\206\110\316\075\004\003\003\060\107\061\013\060
+\011\006\003\125\004\006\023\002\125\123\061\042\060\040\006\003
+\125\004\012\023\031\107\157\157\147\154\145\040\124\162\165\163
+\164\040\123\145\162\166\151\143\145\163\040\114\114\103\061\024
+\060\022\006\003\125\004\003\023\013\107\124\123\040\122\157\157
+\164\040\122\064\060\036\027\015\061\066\060\066\062\062\060\060
+\060\060\060\060\132\027\015\063\066\060\066\062\062\060\060\060
+\060\060\060\132\060\107\061\013\060\011\006\003\125\004\006\023
+\002\125\123\061\042\060\040\006\003\125\004\012\023\031\107\157
+\157\147\154\145\040\124\162\165\163\164\040\123\145\162\166\151
+\143\145\163\040\114\114\103\061\024\060\022\006\003\125\004\003
+\023\013\107\124\123\040\122\157\157\164\040\122\064\060\166\060
+\020\006\007\052\206\110\316\075\002\001\006\005\053\201\004\000
+\042\003\142\000\004\363\164\163\247\150\213\140\256\103\270\065
+\305\201\060\173\113\111\235\373\301\141\316\346\336\106\275\153
+\325\141\030\065\256\100\335\163\367\211\221\060\132\353\074\356
+\205\174\242\100\166\073\251\306\270\107\330\052\347\222\221\152
+\163\351\261\162\071\237\051\237\242\230\323\137\136\130\206\145
+\017\241\204\145\006\321\334\213\311\307\163\310\214\152\057\345
+\304\253\321\035\212\243\102\060\100\060\016\006\003\125\035\017
+\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\035\006\003\125\035
+\016\004\026\004\024\200\114\326\353\164\377\111\066\243\325\330
+\374\265\076\305\152\360\224\035\214\060\012\006\010\052\206\110
+\316\075\004\003\003\003\147\000\060\144\002\060\152\120\122\164
+\010\304\160\334\236\120\164\041\350\215\172\041\303\117\226\156
+\025\321\042\065\141\055\372\010\067\356\031\155\255\333\262\314
+\175\007\064\365\140\031\054\265\064\331\157\040\002\060\003\161
+\261\272\243\140\013\206\355\232\010\152\225\150\237\342\263\341
+\223\144\174\136\223\246\337\171\055\215\205\343\224\317\043\135
+\161\314\362\260\115\326\376\231\310\224\251\165\242\343
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "GTS Root R4"
+# Issuer: CN=GTS Root R4,O=Google Trust Services LLC,C=US
+# Serial Number:6e:47:a9:c8:8b:94:b6:e8:bb:3b:2a:d8:a2:b2:c1:99
+# Subject: CN=GTS Root R4,O=Google Trust Services LLC,C=US
+# Not Valid Before: Wed Jun 22 00:00:00 2016
+# Not Valid After : Sun Jun 22 00:00:00 2036
+# Fingerprint (SHA-256): 71:CC:A5:39:1F:9E:79:4B:04:80:25:30:B3:63:E1:21:DA:8A:30:43:BB:26:66:2F:EA:4D:CA:7F:C9:51:A4:BD
+# Fingerprint (SHA1): 2A:1D:60:27:D9:4A:B1:0A:1C:4D:91:5C:CD:33:A0:CB:3E:2D:54:CB
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "GTS Root R4"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\052\035\140\047\331\112\261\012\034\115\221\134\315\063\240\313
+\076\055\124\313
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\135\266\152\304\140\027\044\152\032\231\250\113\356\136\264\046
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+\042\060\040\006\003\125\004\012\023\031\107\157\157\147\154\145
+\040\124\162\165\163\164\040\123\145\162\166\151\143\145\163\040
+\114\114\103\061\024\060\022\006\003\125\004\003\023\013\107\124
+\123\040\122\157\157\164\040\122\064
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\156\107\251\310\213\224\266\350\273\073\052\330\242\262
+\301\231
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "UCA Global G2 Root"
+#
+# Issuer: CN=UCA Global G2 Root,O=UniTrust,C=CN
+# Serial Number:5d:df:b1:da:5a:a3:ed:5d:be:5a:65:20:65:03:90:ef
+# Subject: CN=UCA Global G2 Root,O=UniTrust,C=CN
+# Not Valid Before: Fri Mar 11 00:00:00 2016
+# Not Valid After : Mon Dec 31 00:00:00 2040
+# Fingerprint (SHA-256): 9B:EA:11:C9:76:FE:01:47:64:C1:BE:56:A6:F9:14:B5:A5:60:31:7A:BD:99:88:39:33:82:E5:16:1A:A0:49:3C
+# Fingerprint (SHA1): 28:F9:78:16:19:7A:FF:18:25:18:AA:44:FE:C1:A0:CE:5C:B6:4C:8A
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "UCA Global G2 Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\075\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\033\060\031\006\003\125\004\003\014\022\125\103\101
+\040\107\154\157\142\141\154\040\107\062\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\075\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\033\060\031\006\003\125\004\003\014\022\125\103\101
+\040\107\154\157\142\141\154\040\107\062\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\135\337\261\332\132\243\355\135\276\132\145\040\145\003
+\220\357
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\106\060\202\003\056\240\003\002\001\002\002\020\135
+\337\261\332\132\243\355\135\276\132\145\040\145\003\220\357\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\075
+\061\013\060\011\006\003\125\004\006\023\002\103\116\061\021\060
+\017\006\003\125\004\012\014\010\125\156\151\124\162\165\163\164
+\061\033\060\031\006\003\125\004\003\014\022\125\103\101\040\107
+\154\157\142\141\154\040\107\062\040\122\157\157\164\060\036\027
+\015\061\066\060\063\061\061\060\060\060\060\060\060\132\027\015
+\064\060\061\062\063\061\060\060\060\060\060\060\132\060\075\061
+\013\060\011\006\003\125\004\006\023\002\103\116\061\021\060\017
+\006\003\125\004\012\014\010\125\156\151\124\162\165\163\164\061
+\033\060\031\006\003\125\004\003\014\022\125\103\101\040\107\154
+\157\142\141\154\040\107\062\040\122\157\157\164\060\202\002\042
+\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+\202\002\017\000\060\202\002\012\002\202\002\001\000\305\346\053
+\157\174\357\046\005\047\243\201\044\332\157\313\001\371\231\232
+\251\062\302\042\207\141\101\221\073\313\303\150\033\006\305\114
+\251\053\301\147\027\042\035\053\355\371\051\211\223\242\170\275
+\222\153\240\243\015\242\176\312\223\263\246\321\214\065\325\165
+\371\027\366\317\105\305\345\172\354\167\223\240\217\043\256\016
+\032\003\177\276\324\320\355\056\173\253\106\043\133\377\054\346
+\124\172\224\300\052\025\360\311\215\260\172\073\044\341\327\150
+\342\061\074\006\063\106\266\124\021\246\245\057\042\124\052\130
+\015\001\002\361\372\025\121\147\154\300\372\327\266\033\177\321
+\126\210\057\032\072\215\073\273\202\021\340\107\000\320\122\207
+\253\373\206\176\017\044\153\100\235\064\147\274\215\307\055\206
+\157\171\076\216\251\074\027\113\177\260\231\343\260\161\140\334
+\013\365\144\303\316\103\274\155\161\271\322\336\047\133\212\350
+\330\306\256\341\131\175\317\050\055\065\270\225\126\032\361\262
+\130\113\267\022\067\310\174\263\355\113\200\341\215\372\062\043
+\266\157\267\110\225\010\261\104\116\205\214\072\002\124\040\057
+\337\277\127\117\073\072\220\041\327\301\046\065\124\040\354\307
+\077\107\354\357\132\277\113\172\301\255\073\027\120\134\142\330
+\017\113\112\334\053\372\156\274\163\222\315\354\307\120\350\101
+\226\327\251\176\155\330\351\035\217\212\265\271\130\222\272\112
+\222\053\014\126\375\200\353\010\360\136\051\156\033\034\014\257
+\217\223\211\255\333\275\243\236\041\312\211\031\354\337\265\303
+\032\353\026\376\170\066\114\326\156\320\076\027\034\220\027\153
+\046\272\373\172\057\277\021\034\030\016\055\163\003\217\240\345
+\065\240\132\342\114\165\035\161\341\071\070\123\170\100\314\203
+\223\327\012\236\235\133\217\212\344\345\340\110\344\110\262\107
+\315\116\052\165\052\173\362\042\366\311\276\011\221\226\127\172
+\210\210\254\356\160\254\371\334\051\343\014\034\073\022\116\104
+\326\247\116\260\046\310\363\331\032\227\221\150\352\357\215\106
+\006\322\126\105\130\232\074\014\017\203\270\005\045\303\071\317
+\073\244\064\211\267\171\022\057\107\305\347\251\227\151\374\246
+\167\147\265\337\173\361\172\145\025\344\141\126\145\002\003\001
+\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
+\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
+\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
+\004\024\201\304\214\314\365\344\060\377\245\014\010\137\214\025
+\147\041\164\001\337\337\060\015\006\011\052\206\110\206\367\015
+\001\001\013\005\000\003\202\002\001\000\023\145\042\365\216\053
+\255\104\344\313\377\271\150\346\303\200\110\075\004\173\372\043
+\057\172\355\066\332\262\316\155\366\346\236\345\137\130\217\313
+\067\062\241\310\145\266\256\070\075\065\033\076\274\073\266\004
+\320\274\371\111\365\233\367\205\305\066\266\313\274\370\310\071
+\325\344\137\007\275\025\124\227\164\312\312\355\117\272\272\144
+\166\237\201\270\204\105\111\114\215\157\242\353\261\314\321\303
+\224\332\104\302\346\342\352\030\350\242\037\047\005\272\327\345
+\326\251\315\335\357\166\230\215\000\016\315\033\372\003\267\216
+\200\130\016\047\077\122\373\224\242\312\136\145\311\326\204\332
+\271\065\161\363\046\300\117\167\346\201\047\322\167\073\232\024
+\157\171\364\366\320\341\323\224\272\320\127\121\275\047\005\015
+\301\375\310\022\060\356\157\215\021\053\010\235\324\324\277\200
+\105\024\232\210\104\332\060\352\264\247\343\356\357\133\202\325
+\076\326\255\170\222\333\134\074\363\330\255\372\270\153\177\304
+\066\050\266\002\025\212\124\054\234\260\027\163\216\320\067\243
+\024\074\230\225\000\014\051\005\133\236\111\111\261\137\307\343
+\313\317\047\145\216\065\027\267\127\310\060\331\101\133\271\024
+\266\350\302\017\224\061\247\224\230\314\152\353\265\341\047\365
+\020\250\001\350\216\022\142\350\210\314\265\177\106\227\300\233
+\020\146\070\032\066\106\137\042\150\075\337\311\306\023\047\253
+\123\006\254\242\074\206\006\145\157\261\176\261\051\104\232\243
+\272\111\151\050\151\217\327\345\137\255\004\206\144\157\032\240
+\014\305\010\142\316\200\243\320\363\354\150\336\276\063\307\027
+\133\177\200\304\114\114\261\246\204\212\303\073\270\011\315\024
+\201\272\030\343\124\127\066\376\333\057\174\107\241\072\063\310
+\371\130\073\104\117\261\312\002\211\004\226\050\150\305\113\270
+\046\211\273\326\063\057\120\325\376\232\211\272\030\062\222\124
+\306\133\340\235\371\136\345\015\042\233\366\332\342\310\041\262
+\142\041\252\206\100\262\056\144\323\137\310\343\176\021\147\105
+\037\005\376\343\242\357\263\250\263\363\175\217\370\014\037\042
+\037\055\160\264\270\001\064\166\060\000\345\043\170\247\126\327
+\120\037\212\373\006\365\302\031\360\320
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "UCA Global G2 Root"
+# Issuer: CN=UCA Global G2 Root,O=UniTrust,C=CN
+# Serial Number:5d:df:b1:da:5a:a3:ed:5d:be:5a:65:20:65:03:90:ef
+# Subject: CN=UCA Global G2 Root,O=UniTrust,C=CN
+# Not Valid Before: Fri Mar 11 00:00:00 2016
+# Not Valid After : Mon Dec 31 00:00:00 2040
+# Fingerprint (SHA-256): 9B:EA:11:C9:76:FE:01:47:64:C1:BE:56:A6:F9:14:B5:A5:60:31:7A:BD:99:88:39:33:82:E5:16:1A:A0:49:3C
+# Fingerprint (SHA1): 28:F9:78:16:19:7A:FF:18:25:18:AA:44:FE:C1:A0:CE:5C:B6:4C:8A
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "UCA Global G2 Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\050\371\170\026\031\172\377\030\045\030\252\104\376\301\240\316
+\134\266\114\212
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\200\376\360\304\112\360\134\142\062\237\034\272\170\251\120\370
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\075\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\033\060\031\006\003\125\004\003\014\022\125\103\101
+\040\107\154\157\142\141\154\040\107\062\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\135\337\261\332\132\243\355\135\276\132\145\040\145\003
+\220\357
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "UCA Extended Validation Root"
+#
+# Issuer: CN=UCA Extended Validation Root,O=UniTrust,C=CN
+# Serial Number:4f:d2:2b:8f:f5:64:c8:33:9e:4f:34:58:66:23:70:60
+# Subject: CN=UCA Extended Validation Root,O=UniTrust,C=CN
+# Not Valid Before: Fri Mar 13 00:00:00 2015
+# Not Valid After : Fri Dec 31 00:00:00 2038
+# Fingerprint (SHA-256): D4:3A:F9:B3:54:73:75:5C:96:84:FC:06:D7:D8:CB:70:EE:5C:28:E7:73:FB:29:4E:B4:1E:E7:17:22:92:4D:24
+# Fingerprint (SHA1): A3:A1:B0:6F:24:61:23:4A:E3:36:A5:C2:37:FC:A6:FF:DD:F0:D7:3A
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "UCA Extended Validation Root"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\045\060\043\006\003\125\004\003\014\034\125\103\101
+\040\105\170\164\145\156\144\145\144\040\126\141\154\151\144\141
+\164\151\157\156\040\122\157\157\164
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\045\060\043\006\003\125\004\003\014\034\125\103\101
+\040\105\170\164\145\156\144\145\144\040\126\141\154\151\144\141
+\164\151\157\156\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\117\322\053\217\365\144\310\063\236\117\064\130\146\043
+\160\140
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\005\132\060\202\003\102\240\003\002\001\002\002\020\117
+\322\053\217\365\144\310\063\236\117\064\130\146\043\160\140\060
+\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060\107
+\061\013\060\011\006\003\125\004\006\023\002\103\116\061\021\060
+\017\006\003\125\004\012\014\010\125\156\151\124\162\165\163\164
+\061\045\060\043\006\003\125\004\003\014\034\125\103\101\040\105
+\170\164\145\156\144\145\144\040\126\141\154\151\144\141\164\151
+\157\156\040\122\157\157\164\060\036\027\015\061\065\060\063\061
+\063\060\060\060\060\060\060\132\027\015\063\070\061\062\063\061
+\060\060\060\060\060\060\132\060\107\061\013\060\011\006\003\125
+\004\006\023\002\103\116\061\021\060\017\006\003\125\004\012\014
+\010\125\156\151\124\162\165\163\164\061\045\060\043\006\003\125
+\004\003\014\034\125\103\101\040\105\170\164\145\156\144\145\144
+\040\126\141\154\151\144\141\164\151\157\156\040\122\157\157\164
+\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001\001
+\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002\001
+\000\251\011\007\050\023\002\260\231\340\144\252\036\103\026\172
+\163\261\221\240\165\076\250\372\343\070\000\172\354\211\152\040
+\017\213\305\260\233\063\003\132\206\306\130\206\325\301\205\273
+\117\306\234\100\115\312\276\356\151\226\270\255\201\060\232\174
+\222\005\353\005\053\232\110\320\270\166\076\226\310\040\273\322
+\260\361\217\330\254\105\106\377\252\147\140\264\167\176\152\037
+\074\032\122\172\004\075\007\074\205\015\204\320\037\166\012\367
+\152\024\337\162\343\064\174\127\116\126\001\076\171\361\252\051
+\073\154\372\370\217\155\115\310\065\337\256\353\334\044\356\171
+\105\247\205\266\005\210\336\210\135\045\174\227\144\147\011\331
+\277\132\025\005\206\363\011\036\354\130\062\063\021\363\167\144
+\260\166\037\344\020\065\027\033\362\016\261\154\244\052\243\163
+\374\011\037\036\062\031\123\021\347\331\263\054\056\166\056\241
+\243\336\176\152\210\011\350\362\007\212\370\262\315\020\347\342
+\163\100\223\273\010\321\077\341\374\013\224\263\045\357\174\246
+\327\321\257\237\377\226\232\365\221\173\230\013\167\324\176\350
+\007\322\142\265\225\071\343\363\361\155\017\016\145\204\212\143
+\124\305\200\266\340\236\113\175\107\046\247\001\010\135\321\210
+\236\327\303\062\104\372\202\112\012\150\124\177\070\123\003\314
+\244\000\063\144\121\131\013\243\202\221\172\136\354\026\302\363
+\052\346\142\332\052\333\131\142\020\045\112\052\201\013\107\007
+\103\006\160\207\322\372\223\021\051\172\110\115\353\224\307\160
+\115\257\147\325\121\261\200\040\001\001\264\172\010\246\220\177
+\116\340\357\007\101\207\257\152\245\136\213\373\317\120\262\232
+\124\257\303\211\272\130\055\365\060\230\261\066\162\071\176\111
+\004\375\051\247\114\171\344\005\127\333\224\271\026\123\215\106
+\263\035\225\141\127\126\177\257\360\026\133\141\130\157\066\120
+\021\013\330\254\053\225\026\032\016\037\010\315\066\064\145\020
+\142\146\325\200\137\024\040\137\055\014\240\170\012\150\326\054
+\327\351\157\053\322\112\005\223\374\236\157\153\147\377\210\361
+\116\245\151\112\122\067\005\352\306\026\215\322\304\231\321\202
+\053\073\272\065\165\367\121\121\130\363\310\007\335\344\264\003
+\177\002\003\001\000\001\243\102\060\100\060\035\006\003\125\035
+\016\004\026\004\024\331\164\072\344\060\075\015\367\022\334\176
+\132\005\237\036\064\232\367\341\024\060\017\006\003\125\035\023
+\001\001\377\004\005\060\003\001\001\377\060\016\006\003\125\035
+\017\001\001\377\004\004\003\002\001\206\060\015\006\011\052\206
+\110\206\367\015\001\001\013\005\000\003\202\002\001\000\066\215
+\227\314\102\025\144\051\067\233\046\054\326\373\256\025\151\054
+\153\032\032\367\137\266\371\007\114\131\352\363\311\310\271\256
+\314\272\056\172\334\300\365\260\055\300\073\257\237\160\005\021
+\152\237\045\117\001\051\160\343\345\014\341\352\132\174\334\111
+\273\301\036\052\201\365\026\113\162\221\310\242\061\271\252\332
+\374\235\037\363\135\100\002\023\374\116\034\006\312\263\024\220
+\124\027\031\022\032\361\037\327\014\151\132\366\161\170\364\224
+\175\221\013\216\354\220\124\216\274\157\241\114\253\374\164\144
+\375\161\232\370\101\007\241\315\221\344\074\232\340\233\062\071
+\163\253\052\325\151\310\170\221\046\061\175\342\307\060\361\374
+\024\170\167\022\016\023\364\335\026\224\277\113\147\173\160\123
+\205\312\260\273\363\070\115\054\220\071\300\015\302\135\153\351
+\342\345\325\210\215\326\054\277\253\033\276\265\050\207\022\027
+\164\156\374\175\374\217\320\207\046\260\033\373\271\154\253\342
+\236\075\025\301\073\056\147\002\130\221\237\357\370\102\037\054
+\267\150\365\165\255\317\265\366\377\021\175\302\360\044\245\255
+\323\372\240\074\251\372\135\334\245\240\357\104\244\276\326\350
+\345\344\023\226\027\173\006\076\062\355\307\267\102\274\166\243
+\330\145\070\053\070\065\121\041\016\016\157\056\064\023\100\341
+\053\147\014\155\112\101\060\030\043\132\062\125\231\311\027\340
+\074\336\366\354\171\255\053\130\031\242\255\054\042\032\225\216
+\276\226\220\135\102\127\304\371\024\003\065\053\034\055\121\127
+\010\247\072\336\077\344\310\264\003\163\302\301\046\200\273\013
+\102\037\255\015\257\046\162\332\314\276\263\243\203\130\015\202
+\305\037\106\121\343\234\030\314\215\233\215\354\111\353\165\120
+\325\214\050\131\312\164\064\332\214\013\041\253\036\352\033\345
+\307\375\025\076\300\027\252\373\043\156\046\106\313\372\371\261
+\162\153\151\317\042\204\013\142\017\254\331\031\000\224\242\166
+\074\324\055\232\355\004\236\055\006\142\020\067\122\034\205\162
+\033\047\345\314\306\061\354\067\354\143\131\233\013\035\166\314
+\176\062\232\210\225\010\066\122\273\336\166\137\166\111\111\255
+\177\275\145\040\262\311\301\053\166\030\166\237\126\261
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "UCA Extended Validation Root"
+# Issuer: CN=UCA Extended Validation Root,O=UniTrust,C=CN
+# Serial Number:4f:d2:2b:8f:f5:64:c8:33:9e:4f:34:58:66:23:70:60
+# Subject: CN=UCA Extended Validation Root,O=UniTrust,C=CN
+# Not Valid Before: Fri Mar 13 00:00:00 2015
+# Not Valid After : Fri Dec 31 00:00:00 2038
+# Fingerprint (SHA-256): D4:3A:F9:B3:54:73:75:5C:96:84:FC:06:D7:D8:CB:70:EE:5C:28:E7:73:FB:29:4E:B4:1E:E7:17:22:92:4D:24
+# Fingerprint (SHA1): A3:A1:B0:6F:24:61:23:4A:E3:36:A5:C2:37:FC:A6:FF:DD:F0:D7:3A
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "UCA Extended Validation Root"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\243\241\260\157\044\141\043\112\343\066\245\302\067\374\246\377
+\335\360\327\072
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\241\363\137\103\306\064\233\332\277\214\176\005\123\255\226\342
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\107\061\013\060\011\006\003\125\004\006\023\002\103\116\061
+\021\060\017\006\003\125\004\012\014\010\125\156\151\124\162\165
+\163\164\061\045\060\043\006\003\125\004\003\014\034\125\103\101
+\040\105\170\164\145\156\144\145\144\040\126\141\154\151\144\141
+\164\151\157\156\040\122\157\157\164
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\020\117\322\053\217\365\144\310\063\236\117\064\130\146\043
+\160\140
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+#
+# Certificate "Certigna Root CA"
+#
+# Issuer: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR
+# Serial Number:00:ca:e9:1b:89:f1:55:03:0d:a3:e6:41:6d:c4:e3:a6:e1
+# Subject: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR
+# Not Valid Before: Tue Oct 01 08:32:27 2013
+# Not Valid After : Sat Oct 01 08:32:27 2033
+# Fingerprint (SHA-256): D4:8D:3D:23:EE:DB:50:A4:59:E5:51:97:60:1C:27:77:4B:9D:7B:18:C9:4D:5A:05:95:11:A1:02:50:B9:31:68
+# Fingerprint (SHA1): 2D:0D:52:14:FF:9E:AD:99:24:01:74:20:47:6E:6C:85:27:27:F5:43
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Certigna Root CA"
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+CKA_SUBJECT MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061
+\022\060\020\006\003\125\004\012\014\011\104\150\151\155\171\157
+\164\151\163\061\034\060\032\006\003\125\004\013\014\023\060\060
+\060\062\040\064\070\061\064\066\063\060\070\061\060\060\060\063
+\066\061\031\060\027\006\003\125\004\003\014\020\103\145\162\164
+\151\147\156\141\040\122\157\157\164\040\103\101
+END
+CKA_ID UTF8 "0"
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061
+\022\060\020\006\003\125\004\012\014\011\104\150\151\155\171\157
+\164\151\163\061\034\060\032\006\003\125\004\013\014\023\060\060
+\060\062\040\064\070\061\064\066\063\060\070\061\060\060\060\063
+\066\061\031\060\027\006\003\125\004\003\014\020\103\145\162\164
+\151\147\156\141\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\312\351\033\211\361\125\003\015\243\346\101\155\304
+\343\246\341
+END
+CKA_VALUE MULTILINE_OCTAL
+\060\202\006\133\060\202\004\103\240\003\002\001\002\002\021\000
+\312\351\033\211\361\125\003\015\243\346\101\155\304\343\246\341
+\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
+\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061\022
+\060\020\006\003\125\004\012\014\011\104\150\151\155\171\157\164
+\151\163\061\034\060\032\006\003\125\004\013\014\023\060\060\060
+\062\040\064\070\061\064\066\063\060\070\061\060\060\060\063\066
+\061\031\060\027\006\003\125\004\003\014\020\103\145\162\164\151
+\147\156\141\040\122\157\157\164\040\103\101\060\036\027\015\061
+\063\061\060\060\061\060\070\063\062\062\067\132\027\015\063\063
+\061\060\060\061\060\070\063\062\062\067\132\060\132\061\013\060
+\011\006\003\125\004\006\023\002\106\122\061\022\060\020\006\003
+\125\004\012\014\011\104\150\151\155\171\157\164\151\163\061\034
+\060\032\006\003\125\004\013\014\023\060\060\060\062\040\064\070
+\061\064\066\063\060\070\061\060\060\060\063\066\061\031\060\027
+\006\003\125\004\003\014\020\103\145\162\164\151\147\156\141\040
+\122\157\157\164\040\103\101\060\202\002\042\060\015\006\011\052
+\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000\060
+\202\002\012\002\202\002\001\000\315\030\071\145\032\131\261\352
+\144\026\016\214\224\044\225\174\203\323\305\071\046\334\014\357
+\026\127\215\327\330\254\243\102\177\202\312\355\315\133\333\016
+\267\055\355\105\010\027\262\331\263\313\326\027\122\162\050\333
+\216\116\236\212\266\013\371\236\204\232\115\166\336\042\051\134
+\322\263\322\006\076\060\071\251\164\243\222\126\034\241\157\114
+\012\040\155\237\043\172\264\306\332\054\344\035\054\334\263\050
+\320\023\362\114\116\002\111\241\124\100\236\346\345\005\240\055
+\204\310\377\230\154\320\353\212\032\204\010\036\267\150\043\356
+\043\325\160\316\155\121\151\020\356\241\172\302\321\042\061\302
+\202\205\322\362\125\166\120\174\045\172\311\204\134\013\254\335
+\102\116\053\347\202\242\044\211\313\220\262\320\356\043\272\146
+\114\273\142\244\371\123\132\144\173\174\230\372\243\110\236\017
+\225\256\247\030\364\152\354\056\003\105\257\360\164\370\052\315
+\172\135\321\276\104\046\062\051\361\361\365\154\314\176\002\041
+\013\237\157\244\077\276\235\123\342\317\175\251\054\174\130\032
+\227\341\075\067\067\030\146\050\322\100\305\121\212\214\303\055
+\316\123\210\044\130\144\060\026\305\252\340\326\012\246\100\337
+\170\366\365\004\174\151\023\204\274\321\321\247\006\317\001\367
+\150\300\250\127\273\072\141\255\004\214\223\343\255\374\360\333
+\104\155\131\334\111\131\256\254\232\231\066\060\101\173\166\063
+\042\207\243\302\222\206\156\371\160\356\256\207\207\225\033\304
+\172\275\061\363\324\322\345\231\377\276\110\354\165\365\170\026
+\035\246\160\301\177\074\033\241\222\373\317\310\074\326\305\223
+\012\217\365\125\072\166\225\316\131\230\212\011\225\167\062\232
+\203\272\054\004\072\227\275\324\057\276\327\154\233\242\312\175
+\155\046\311\125\325\317\303\171\122\010\011\231\007\044\055\144
+\045\153\246\041\151\233\152\335\164\115\153\227\172\101\275\253
+\027\371\220\027\110\217\066\371\055\325\305\333\356\252\205\105
+\101\372\315\072\105\261\150\346\066\114\233\220\127\354\043\271
+\207\010\302\304\011\361\227\206\052\050\115\342\164\300\332\304
+\214\333\337\342\241\027\131\316\044\131\164\061\332\177\375\060
+\155\331\334\341\152\341\374\137\002\003\001\000\001\243\202\001
+\032\060\202\001\026\060\017\006\003\125\035\023\001\001\377\004
+\005\060\003\001\001\377\060\016\006\003\125\035\017\001\001\377
+\004\004\003\002\001\006\060\035\006\003\125\035\016\004\026\004
+\024\030\207\126\340\156\167\356\044\065\074\116\163\232\037\326
+\341\342\171\176\053\060\037\006\003\125\035\043\004\030\060\026
+\200\024\030\207\126\340\156\167\356\044\065\074\116\163\232\037
+\326\341\342\171\176\053\060\104\006\003\125\035\040\004\075\060
+\073\060\071\006\004\125\035\040\000\060\061\060\057\006\010\053
+\006\001\005\005\007\002\001\026\043\150\164\164\160\163\072\057
+\057\167\167\167\167\056\143\145\162\164\151\147\156\141\056\146
+\162\057\141\165\164\157\162\151\164\145\163\057\060\155\006\003
+\125\035\037\004\146\060\144\060\057\240\055\240\053\206\051\150
+\164\164\160\072\057\057\143\162\154\056\143\145\162\164\151\147
+\156\141\056\146\162\057\143\145\162\164\151\147\156\141\162\157
+\157\164\143\141\056\143\162\154\060\061\240\057\240\055\206\053
+\150\164\164\160\072\057\057\143\162\154\056\144\150\151\155\171
+\157\164\151\163\056\143\157\155\057\143\145\162\164\151\147\156
+\141\162\157\157\164\143\141\056\143\162\154\060\015\006\011\052
+\206\110\206\367\015\001\001\013\005\000\003\202\002\001\000\224
+\270\236\117\360\343\225\010\042\347\315\150\101\367\034\125\325
+\174\000\342\055\072\211\135\150\070\057\121\042\013\112\215\313
+\351\273\135\076\273\134\075\261\050\376\344\123\125\023\317\241
+\220\033\002\035\137\146\106\011\063\050\341\015\044\227\160\323
+\020\037\352\144\127\226\273\135\332\347\304\214\117\114\144\106
+\035\134\207\343\131\336\102\321\233\250\176\246\211\335\217\034
+\311\060\202\355\073\234\315\300\351\031\340\152\330\002\165\067
+\253\367\064\050\050\221\362\004\012\117\065\343\140\046\001\372
+\320\021\214\371\021\152\356\257\075\303\120\323\217\137\063\171
+\074\206\250\163\105\220\214\040\266\162\163\027\043\276\007\145
+\345\170\222\015\272\001\300\353\214\034\146\277\254\206\167\001
+\224\015\234\346\351\071\215\037\246\121\214\231\014\071\167\341
+\264\233\372\034\147\127\157\152\152\216\251\053\114\127\171\172
+\127\042\317\315\137\143\106\215\134\131\072\206\370\062\107\142
+\243\147\015\030\221\334\373\246\153\365\110\141\163\043\131\216
+\002\247\274\104\352\364\111\235\361\124\130\371\140\257\332\030
+\244\057\050\105\334\172\240\210\206\135\363\073\347\377\051\065
+\200\374\144\103\224\346\343\034\157\276\255\016\052\143\231\053
+\311\176\205\366\161\350\006\003\225\376\336\217\110\034\132\324
+\222\350\053\356\347\061\333\272\004\152\207\230\347\305\137\357
+\175\247\042\367\001\330\115\371\211\320\016\232\005\131\244\236
+\230\331\157\053\312\160\276\144\302\125\243\364\351\257\303\222
+\051\334\210\026\044\231\074\215\046\230\266\133\267\314\316\267
+\067\007\375\046\331\230\205\044\377\131\043\003\232\355\235\235
+\250\344\136\070\316\327\122\015\157\322\077\155\261\005\153\111
+\316\212\221\106\163\364\366\057\360\250\163\167\016\145\254\241
+\215\146\122\151\176\113\150\014\307\036\067\047\203\245\214\307
+\002\344\024\315\111\001\260\163\263\375\306\220\072\157\322\154
+\355\073\356\354\221\276\242\103\135\213\000\112\146\045\104\160
+\336\100\017\370\174\025\367\242\316\074\327\136\023\214\201\027
+\030\027\321\275\361\167\020\072\324\145\071\301\047\254\127\054
+\045\124\377\242\332\117\212\141\071\136\256\075\112\214\275
+END
+CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
+
+# Trust for "Certigna Root CA"
+# Issuer: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR
+# Serial Number:00:ca:e9:1b:89:f1:55:03:0d:a3:e6:41:6d:c4:e3:a6:e1
+# Subject: CN=Certigna Root CA,OU=0002 48146308100036,O=Dhimyotis,C=FR
+# Not Valid Before: Tue Oct 01 08:32:27 2013
+# Not Valid After : Sat Oct 01 08:32:27 2033
+# Fingerprint (SHA-256): D4:8D:3D:23:EE:DB:50:A4:59:E5:51:97:60:1C:27:77:4B:9D:7B:18:C9:4D:5A:05:95:11:A1:02:50:B9:31:68
+# Fingerprint (SHA1): 2D:0D:52:14:FF:9E:AD:99:24:01:74:20:47:6E:6C:85:27:27:F5:43
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Certigna Root CA"
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+\055\015\122\024\377\236\255\231\044\001\164\040\107\156\154\205
+\047\047\365\103
+END
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
+\016\134\060\142\047\353\133\274\327\256\142\272\351\325\337\167
+END
+CKA_ISSUER MULTILINE_OCTAL
+\060\132\061\013\060\011\006\003\125\004\006\023\002\106\122\061
+\022\060\020\006\003\125\004\012\014\011\104\150\151\155\171\157
+\164\151\163\061\034\060\032\006\003\125\004\013\014\023\060\060
+\060\062\040\064\070\061\064\066\063\060\070\061\060\060\060\063
+\066\061\031\060\027\006\003\125\004\003\014\020\103\145\162\164
+\151\147\156\141\040\122\157\157\164\040\103\101
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\021\000\312\351\033\211\361\125\003\015\243\346\101\155\304
+\343\246\341
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h
index d40c8080eb..157d9c40df 100644
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 24
-#define NSS_BUILTINS_LIBRARY_VERSION "2.24"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 30
+#define NSS_BUILTINS_LIBRARY_VERSION "2.30"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
diff --git a/security/nss/lib/ckfw/ckfw.h b/security/nss/lib/ckfw/ckfw.h
index d4a2ead992..9e7e17e364 100644
--- a/security/nss/lib/ckfw/ckfw.h
+++ b/security/nss/lib/ckfw/ckfw.h
@@ -1604,8 +1604,8 @@ nssCKFWSession_InitPIN(
 NSS_EXTERN CK_RV
 nssCKFWSession_SetPIN(
     NSSCKFWSession *fwSession,
-    NSSItem *newPin,
-    NSSItem *oldPin);
+    const NSSItem *oldPin,
+    NSSItem *newPin);
 
 /*
  * nssCKFWSession_GetOperationStateLen
diff --git a/security/nss/lib/ckfw/session.c b/security/nss/lib/ckfw/session.c
index 7efedf4035..e2613089b0 100644
--- a/security/nss/lib/ckfw/session.c
+++ b/security/nss/lib/ckfw/session.c
@@ -871,7 +871,7 @@ nssCKFWSession_InitPIN(
 NSS_IMPLEMENT CK_RV
 nssCKFWSession_SetPIN(
     NSSCKFWSession *fwSession,
-    NSSItem *oldPin,
+    const NSSItem *oldPin,
     NSSItem *newPin)
 {
     CK_RV error = CKR_OK;
@@ -907,7 +907,7 @@ nssCKFWSession_SetPIN(
 
     error = fwSession->mdSession->SetPIN(fwSession->mdSession, fwSession,
                                          fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
-                                         fwSession->fwInstance, oldPin, newPin);
+                                         fwSession->fwInstance, (NSSItem *)oldPin, newPin);
 
     return error;
 }
diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h
index e529fa34f5..7b66f0b0b9 100644
--- a/security/nss/lib/cryptohi/cryptohi.h
+++ b/security/nss/lib/cryptohi/cryptohi.h
@@ -14,7 +14,7 @@
 #include "secoidt.h"
 #include "secdert.h"
 #include "cryptoht.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 
 SEC_BEGIN_PROTOS
diff --git a/security/nss/lib/cryptohi/key.h b/security/nss/lib/cryptohi/key.h
index 3e89b74cb6..8392031c5a 100644
--- a/security/nss/lib/cryptohi/key.h
+++ b/security/nss/lib/cryptohi/key.h
@@ -2,11 +2,13 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-/* This header is deprecated.  Please include keyhi.h instead. */
-
 #ifndef _KEY_H_
 #define _KEY_H_
 
+#if defined(_MSC_VER) || defined(__GNUC__) || defined(__clang__)
+#pragma message("key.h is deprecated. Please include keyhi.h instead.")
+#endif
+
 #include "keyhi.h"
 
 #endif /* _KEY_H_ */
diff --git a/security/nss/lib/cryptohi/keyi.h b/security/nss/lib/cryptohi/keyi.h
index ee11fc905e..b746d3c8d8 100644
--- a/security/nss/lib/cryptohi/keyi.h
+++ b/security/nss/lib/cryptohi/keyi.h
@@ -17,8 +17,21 @@ KeyType seckey_GetKeyType(SECOidTag pubKeyOid);
 SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
                            const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg);
 
-SECStatus sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
-                                      const SECKEYRSAPSSParams *params);
+/* extract the RSA-PSS hash algorithms and salt length from
+ * parameters, taking into account of the default implications.
+ *
+ * (parameters is the parameters field of a algorithm ID structure
+ * (SECAlgorithmID)*/
+SECStatus sec_DecodeRSAPSSParams(PLArenaPool *arena,
+                                 const SECItem *params,
+                                 SECOidTag *hashAlg,
+                                 SECOidTag *maskHashAlg,
+                                 unsigned long *saltLength);
+
+/* convert the encoded RSA-PSS parameters into PKCS #11 mechanism parameters */
+SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena,
+                                            const SECItem *params,
+                                            CK_RSA_PKCS_PSS_PARAMS *mech);
 
 SEC_END_PROTOS
 
diff --git a/security/nss/lib/cryptohi/keyt.h b/security/nss/lib/cryptohi/keyt.h
index 99da312f6d..5a0d2c2e7c 100644
--- a/security/nss/lib/cryptohi/keyt.h
+++ b/security/nss/lib/cryptohi/keyt.h
@@ -5,6 +5,10 @@
 #ifndef _KEYT_H_
 #define _KEYT_H_
 
+#if defined(_MSC_VER) || defined(__GNUC__) || defined(__clang__)
+#pragma message("keyt.h is deprecated. Please include keythi.h instead.")
+#endif
+
 #include "keythi.h"
 
 #endif /* _KEYT_H_ */
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
index 0f9353f3be..0809097723 100644
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -2015,66 +2015,63 @@ sec_GetMgfTypeByOidTag(SECOidTag tag)
 }
 
 SECStatus
-sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
-                            const SECKEYRSAPSSParams *params)
+sec_DecodeRSAPSSParams(PLArenaPool *arena,
+                       const SECItem *params,
+                       SECOidTag *retHashAlg, SECOidTag *retMaskHashAlg,
+                       unsigned long *retSaltLength)
 {
-    SECStatus rv = SECSuccess;
-    SECOidTag hashAlgTag;
+    SECKEYRSAPSSParams pssParams;
+    SECOidTag hashAlg;
+    SECOidTag maskHashAlg;
     unsigned long saltLength;
     unsigned long trailerField;
+    SECStatus rv;
 
-    PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
+    PORT_Memset(&pssParams, 0, sizeof(pssParams));
+    rv = SEC_QuickDERDecodeItem(arena, &pssParams,
+                                SECKEY_RSAPSSParamsTemplate,
+                                params);
+    if (rv != SECSuccess) {
+        return rv;
+    }
 
-    if (params->hashAlg) {
-        hashAlgTag = SECOID_GetAlgorithmTag(params->hashAlg);
+    if (pssParams.hashAlg) {
+        hashAlg = SECOID_GetAlgorithmTag(pssParams.hashAlg);
     } else {
-        hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
-    }
-    mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
-    if (mech->hashAlg == CKM_INVALID_MECHANISM) {
-        return SECFailure;
+        hashAlg = SEC_OID_SHA1; /* default, SHA-1 */
     }
 
-    if (params->maskAlg) {
-        SECAlgorithmID maskHashAlg;
-        SECOidTag maskHashAlgTag;
-        PORTCheapArenaPool tmpArena;
+    if (pssParams.maskAlg) {
+        SECAlgorithmID algId;
 
-        if (SECOID_GetAlgorithmTag(params->maskAlg) != SEC_OID_PKCS1_MGF1) {
+        if (SECOID_GetAlgorithmTag(pssParams.maskAlg) != SEC_OID_PKCS1_MGF1) {
             /* only MGF1 is known to PKCS#11 */
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
             return SECFailure;
         }
 
-        PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
-        rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &maskHashAlg,
+        rv = SEC_QuickDERDecodeItem(arena, &algId,
                                     SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
-                                    &params->maskAlg->parameters);
-        PORT_DestroyCheapArena(&tmpArena);
+                                    &pssParams.maskAlg->parameters);
         if (rv != SECSuccess) {
             return rv;
         }
-        maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
-        mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
-        if (mech->mgf == 0) {
-            return SECFailure;
-        }
+        maskHashAlg = SECOID_GetAlgorithmTag(&algId);
     } else {
-        mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
+        maskHashAlg = SEC_OID_SHA1; /* default, MGF1 with SHA-1 */
     }
 
-    if (params->saltLength.data) {
-        rv = SEC_ASN1DecodeInteger((SECItem *)&params->saltLength, &saltLength);
+    if (pssParams.saltLength.data) {
+        rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.saltLength, &saltLength);
         if (rv != SECSuccess) {
             return rv;
         }
     } else {
         saltLength = 20; /* default, 20 */
     }
-    mech->sLen = saltLength;
 
-    if (params->trailerField.data) {
-        rv = SEC_ASN1DecodeInteger((SECItem *)&params->trailerField, &trailerField);
+    if (pssParams.trailerField.data) {
+        rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.trailerField, &trailerField);
         if (rv != SECSuccess) {
             return rv;
         }
@@ -2086,5 +2083,46 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
         }
     }
 
-    return rv;
+    if (retHashAlg) {
+        *retHashAlg = hashAlg;
+    }
+    if (retMaskHashAlg) {
+        *retMaskHashAlg = maskHashAlg;
+    }
+    if (retSaltLength) {
+        *retSaltLength = saltLength;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena,
+                                  const SECItem *params,
+                                  CK_RSA_PKCS_PSS_PARAMS *mech)
+{
+    SECOidTag hashAlg;
+    SECOidTag maskHashAlg;
+    unsigned long saltLength;
+    SECStatus rv;
+
+    rv = sec_DecodeRSAPSSParams(arena, params,
+                                &hashAlg, &maskHashAlg, &saltLength);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlg);
+    if (mech->hashAlg == CKM_INVALID_MECHANISM) {
+        return SECFailure;
+    }
+
+    mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlg);
+    if (mech->mgf == 0) {
+        return SECFailure;
+    }
+
+    mech->sLen = saltLength;
+
+    return SECSuccess;
 }
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
index dc10f2fa60..8a8d0f6643 100644
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -225,22 +225,13 @@ SGN_End(SGNContext *cx, SECItem *result)
         PORT_Memset(&mech, 0, sizeof(mech));
 
         if (cx->params && cx->params->data) {
-            SECKEYRSAPSSParams params;
-
             arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
             if (!arena) {
                 rv = SECFailure;
                 goto loser;
             }
 
-            PORT_Memset(&params, 0, sizeof(params));
-            rv = SEC_QuickDERDecodeItem(arena, &params,
-                                        SECKEY_RSAPSSParamsTemplate,
-                                        cx->params);
-            if (rv != SECSuccess) {
-                goto loser;
-            }
-            rv = sec_RSAPSSParamsToMechanism(&mech, &params);
+            rv = sec_DecodeRSAPSSParamsToMechanism(arena, cx->params, &mech);
             if (rv != SECSuccess) {
                 goto loser;
             }
diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
index 83c9c579da..aa3d6778c8 100644
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -161,7 +161,7 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
     pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
     return _SGN_VerifyPKCS1DigestInfo(
         cx->hashAlg, digest, &pkcs1DigestInfo,
-        PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
+        PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
 }
 
 /*
@@ -257,25 +257,13 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
             break;
         case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
             if (param && param->data) {
-                SECKEYRSAPSSParams pssParam;
-                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-                if (arena == NULL) {
-                    return SECFailure;
-                }
-                PORT_Memset(&pssParam, 0, sizeof pssParam);
-                rv = SEC_QuickDERDecodeItem(arena, &pssParam,
-                                            SECKEY_RSAPSSParamsTemplate,
-                                            param);
-                if (rv != SECSuccess) {
-                    PORT_FreeArena(arena, PR_FALSE);
-                    return rv;
-                }
-                if (pssParam.hashAlg) {
-                    *hashalg = SECOID_GetAlgorithmTag(pssParam.hashAlg);
-                } else {
-                    *hashalg = SEC_OID_SHA1; /* default, SHA-1 */
-                }
-                PORT_FreeArena(arena, PR_FALSE);
+                PORTCheapArenaPool tmpArena;
+
+                PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+                rv = sec_DecodeRSAPSSParams(&tmpArena.arena, param,
+                                            hashalg, NULL, NULL);
+                PORT_DestroyCheapArena(&tmpArena);
+
                 /* only accept hash algorithms */
                 if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) {
                     /* error set by HASH_GetHashTypeByOidTag */
@@ -658,27 +646,17 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
             if (cx->encAlg == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
                 CK_RSA_PKCS_PSS_PARAMS mech;
                 SECItem mechItem = { siBuffer, (unsigned char *)&mech, sizeof(mech) };
-                SECKEYRSAPSSParams params;
-                PLArenaPool *arena;
+                PORTCheapArenaPool tmpArena;
 
-                arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-                if (arena == NULL) {
-                    return SECFailure;
-                }
-
-                PORT_Memset(&params, 0, sizeof(params));
-                rv = SEC_QuickDERDecodeItem(arena, &params,
-                                            SECKEY_RSAPSSParamsTemplate,
-                                            cx->params);
-                if (rv != SECSuccess) {
-                    PORT_FreeArena(arena, PR_FALSE);
-                    return SECFailure;
-                }
-                rv = sec_RSAPSSParamsToMechanism(&mech, &params);
-                PORT_FreeArena(arena, PR_FALSE);
+                PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+                rv = sec_DecodeRSAPSSParamsToMechanism(&tmpArena.arena,
+                                                       cx->params,
+                                                       &mech);
+                PORT_DestroyCheapArena(&tmpArena);
                 if (rv != SECSuccess) {
                     return SECFailure;
                 }
+
                 rsasig.data = cx->u.buffer;
                 rsasig.len = SECKEY_SignatureLen(cx->key);
                 if (rsasig.len == 0) {
diff --git a/security/nss/lib/freebl/ctr.c b/security/nss/lib/freebl/ctr.c
index b7167d4c4a..d7652c0606 100644
--- a/security/nss/lib/freebl/ctr.c
+++ b/security/nss/lib/freebl/ctr.c
@@ -219,15 +219,18 @@ CTR_Update_HW_AES(CTRContext *ctr, unsigned char *outbuf,
         PORT_Assert(ctr->bufPtr == blocksize);
     }
 
-    intel_aes_ctr_worker(((AESContext *)(ctr->context))->Nr)(
-        ctr, outbuf, outlen, maxout, inbuf, inlen, blocksize);
-    /* XXX intel_aes_ctr_worker should set *outlen. */
-    PORT_Assert(*outlen == 0);
-    fullblocks = (inlen / blocksize) * blocksize;
-    *outlen += fullblocks;
-    outbuf += fullblocks;
-    inbuf += fullblocks;
-    inlen -= fullblocks;
+    if (inlen >= blocksize) {
+        rv = intel_aes_ctr_worker(((AESContext *)(ctr->context))->Nr)(
+            ctr, outbuf, outlen, maxout, inbuf, inlen, blocksize);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        fullblocks = (inlen / blocksize) * blocksize;
+        *outlen += fullblocks;
+        outbuf += fullblocks;
+        inbuf += fullblocks;
+        inlen -= fullblocks;
+    }
 
     if (inlen == 0) {
         return SECSuccess;
diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp
index 004807483e..288ff07a3b 100644
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -7,6 +7,30 @@
   ],
   'targets': [
     {
+      'target_name': 'intel-gcm-s_lib',
+      'type': 'static_library',
+      'sources': [
+        'intel-aes.s',
+        'intel-gcm.s',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports'
+      ],
+      'conditions': [
+        [ 'cc_is_clang==1', {
+          'cflags': [
+            '-no-integrated-as',
+          ],
+          'cflags_mozilla': [
+            '-no-integrated-as',
+          ],
+          'asflags_mozilla': [
+            '-no-integrated-as',
+          ],
+        }],
+      ],
+    },
+    {
       'target_name': 'intel-gcm-wrap_c_lib',
       'type': 'static_library',
       'sources': [
@@ -15,12 +39,19 @@
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports'
       ],
+      'conditions': [
+        [ '(OS=="linux" or OS=="android") and target_arch=="x64"', {
+          'dependencies': [
+            'intel-gcm-s_lib',
+          ],
+        }],
+      ],
       'cflags': [
-        '-mssse3'
+        '-mssse3',
       ],
       'cflags_mozilla': [
         '-mssse3'
-      ]
+      ],
     },
     {
       # TODO: make this so that all hardware accelerated code is in here.
diff --git a/security/nss/lib/freebl/freebl_base.gypi b/security/nss/lib/freebl/freebl_base.gypi
index 1372994f4c..76df714972 100644
--- a/security/nss/lib/freebl/freebl_base.gypi
+++ b/security/nss/lib/freebl/freebl_base.gypi
@@ -67,14 +67,12 @@
         [ 'target_arch=="x64"', {
           'sources': [
             'arcfour-amd64-gas.s',
-            'intel-aes.s',
-            'intel-gcm.s',
             'mpi/mpi_amd64.c',
             'mpi/mpi_amd64_gas.s',
             'mpi/mp_comba.c',
           ],
           'conditions': [
-            [ 'cc_is_clang==1', {
+            [ 'cc_is_clang==1 and fuzz!=1', {
               'cflags': [
                 '-no-integrated-as',
               ],
@@ -114,8 +112,7 @@
             'intel-gcm-x64-masm.asm',
           ],
         }],
-	      [ 'cc_use_gnu_ld!=1 and target_arch!="x64"', {
-          # not x64
+        [ 'cc_use_gnu_ld!=1 and target_arch=="ia32"', {
           'sources': [
             'mpi/mpi_x86_asm.c',
             'intel-aes-x86-masm.asm',
diff --git a/security/nss/lib/freebl/mpi/mpi.c b/security/nss/lib/freebl/mpi/mpi.c
index 8c893fb5fa..401eac51db 100644
--- a/security/nss/lib/freebl/mpi/mpi.c
+++ b/security/nss/lib/freebl/mpi/mpi.c
@@ -4775,38 +4775,61 @@ mp_to_signed_octets(const mp_int *mp, unsigned char *str, mp_size maxlen)
 /* }}} */
 
 /* {{{ mp_to_fixlen_octets(mp, str) */
-/* output a buffer of big endian octets exactly as long as requested. */
+/* output a buffer of big endian octets exactly as long as requested.
+   constant time on the value of mp. */
 mp_err
 mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length)
 {
-    int ix, pos = 0;
+    int ix, jx;
     unsigned int bytes;
 
-    ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
-
-    bytes = mp_unsigned_octet_size(mp);
-    ARGCHK(bytes <= length, MP_BADARG);
+    ARGCHK(mp != NULL, MP_BADARG);
+    ARGCHK(str != NULL, MP_BADARG);
+    ARGCHK(!SIGN(mp), MP_BADARG);
+    ARGCHK(length > 0, MP_BADARG);
+
+    /* Constant time on the value of mp.  Don't use mp_unsigned_octet_size. */
+    bytes = USED(mp) * MP_DIGIT_SIZE;
+
+    /* If the output is shorter than the native size of mp, then check that any
+     * bytes not written have zero values.  This check isn't constant time on
+     * the assumption that timing-sensitive callers can guarantee that mp fits
+     * in the allocated space. */
+    ix = USED(mp) - 1;
+    if (bytes > length) {
+        unsigned int zeros = bytes - length;
+
+        while (zeros >= MP_DIGIT_SIZE) {
+            ARGCHK(DIGIT(mp, ix) == 0, MP_BADARG);
+            zeros -= MP_DIGIT_SIZE;
+            ix--;
+        }
 
-    /* place any needed leading zeros */
-    for (; length > bytes; --length) {
-        *str++ = 0;
+        if (zeros > 0) {
+            mp_digit d = DIGIT(mp, ix);
+            mp_digit m = ~0ULL << ((MP_DIGIT_SIZE - zeros) * CHAR_BIT);
+            ARGCHK((d & m) == 0, MP_BADARG);
+            for (jx = MP_DIGIT_SIZE - zeros - 1; jx >= 0; jx--) {
+                *str++ = d >> (jx * CHAR_BIT);
+            }
+            ix--;
+        }
+    } else if (bytes < length) {
+        /* Place any needed leading zeros. */
+        unsigned int zeros = length - bytes;
+        memset(str, 0, zeros);
+        str += zeros;
     }
 
-    /* Iterate over each digit... */
-    for (ix = USED(mp) - 1; ix >= 0; ix--) {
+    /* Iterate over each whole digit... */
+    for (; ix >= 0; ix--) {
         mp_digit d = DIGIT(mp, ix);
-        int jx;
 
         /* Unpack digit bytes, high order first */
-        for (jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
-            unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
-            if (!pos && !x) /* suppress leading zeros */
-                continue;
-            str[pos++] = x;
+        for (jx = MP_DIGIT_SIZE - 1; jx >= 0; jx--) {
+            *str++ = d >> (jx * CHAR_BIT);
         }
     }
-    if (!pos)
-        str[pos++] = 0;
     return MP_OKAY;
 } /* end mp_to_fixlen_octets() */
 /* }}} */
diff --git a/security/nss/lib/freebl/mpi/mpi.h b/security/nss/lib/freebl/mpi/mpi.h
index 97af0f069b..d5aef46d7c 100644
--- a/security/nss/lib/freebl/mpi/mpi.h
+++ b/security/nss/lib/freebl/mpi/mpi.h
@@ -128,7 +128,8 @@ typedef int mp_sword;
 #define MP_WORD_MAX UINT_MAX
 #endif
 
-#define MP_DIGIT_BIT (CHAR_BIT * sizeof(mp_digit))
+#define MP_DIGIT_SIZE sizeof(mp_digit)
+#define MP_DIGIT_BIT (CHAR_BIT * MP_DIGIT_SIZE)
 #define MP_WORD_BIT (CHAR_BIT * sizeof(mp_word))
 #define MP_RADIX (1 + (mp_word)MP_DIGIT_MAX)
 
diff --git a/security/nss/lib/freebl/mpi/mpi_arm.c b/security/nss/lib/freebl/mpi/mpi_arm.c
index b5139f28de..27e4efdad1 100644
--- a/security/nss/lib/freebl/mpi/mpi_arm.c
+++ b/security/nss/lib/freebl/mpi/mpi_arm.c
@@ -29,17 +29,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
         "1:\n"
         "mov     r4, #0\n"
         "ldr     r6, [%0], #4\n"
-        "umlal   r5, r4, r6, %2\n"
-        "str     r5, [%3], #4\n"
+        "umlal   r5, r4, r6, %3\n"
+        "str     r5, [%2], #4\n"
         "mov     r5, r4\n"
 
         "subs    %1, #1\n"
         "bne     1b\n"
 
         "2:\n"
-        "str     r5, [%3]\n"
-        :
-        : "r"(a), "r"(a_len), "r"(b), "r"(c)
+        "str     r5, [%2]\n"
+        : "+r"(a), "+l"(a_len), "+r"(c)
+        : "r"(b)
         : "memory", "cc", "%r4", "%r5", "%r6");
 }
 
@@ -57,22 +57,22 @@ s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
 
         "1:\n"
         "mov     r4, #0\n"
-        "ldr     r6, [%3]\n"
+        "ldr     r6, [%2]\n"
         "adds    r5, r6\n"
         "adc     r4, r4, #0\n"
 
         "ldr     r6, [%0], #4\n"
-        "umlal   r5, r4, r6, %2\n"
-        "str     r5, [%3], #4\n"
+        "umlal   r5, r4, r6, %3\n"
+        "str     r5, [%2], #4\n"
         "mov     r5, r4\n"
 
         "subs    %1, #1\n"
         "bne     1b\n"
 
         "2:\n"
-        "str     r5, [%3]\n"
-        :
-        : "r"(a), "r"(a_len), "r"(b), "r"(c)
+        "str     r5, [%2]\n"
+        : "+r"(a), "+l"(a_len), "+r"(c)
+        : "r"(b)
         : "memory", "cc", "%r4", "%r5", "%r6");
 }
 
@@ -87,12 +87,12 @@ s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
 
         "1:\n"
         "mov     r4, #0\n"
-        "ldr     r6, [%3]\n"
+        "ldr     r6, [%2]\n"
         "adds    r5, r6\n"
         "adc     r4, r4, #0\n"
         "ldr     r6, [%0], #4\n"
-        "umlal   r5, r4, r6, %2\n"
-        "str     r5, [%3], #4\n"
+        "umlal   r5, r4, r6, %3\n"
+        "str     r5, [%2], #4\n"
         "mov     r5, r4\n"
 
         "subs    %1, #1\n"
@@ -107,16 +107,16 @@ s_mpv_mul_d_add_prop(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
 
         "2:\n"
         "mov     r4, #0\n"
-        "ldr     r6, [%3]\n"
+        "ldr     r6, [%2]\n"
         "adds    r5, r6\n"
         "adc     r4, r4, #0\n"
-        "str     r5, [%3], #4\n"
+        "str     r5, [%2], #4\n"
         "movs    r5, r4\n"
         "bne     2b\n"
 
         "3:\n"
-        :
-        : "r"(a), "r"(a_len), "r"(b), "r"(c)
+        : "+r"(a), "+l"(a_len), "+r"(c)
+        : "r"(b)
         : "memory", "cc", "%r4", "%r5", "%r6");
 }
 #endif
@@ -167,8 +167,8 @@ s_mpv_sqr_add_prop(const mp_digit *pa, mp_size a_len, mp_digit *ps)
         "bne     2b\n"
 
         "3:"
+        : "+r"(pa), "+r"(a_len), "+r"(ps)
         :
-        : "r"(pa), "r"(a_len), "r"(ps)
         : "memory", "cc", "%r3", "%r4", "%r5", "%r6");
 }
 #endif
diff --git a/security/nss/lib/freebl/rsapkcs.c b/security/nss/lib/freebl/rsapkcs.c
index ad18c8b733..875e4e28d3 100644
--- a/security/nss/lib/freebl/rsapkcs.c
+++ b/security/nss/lib/freebl/rsapkcs.c
@@ -938,48 +938,56 @@ RSA_DecryptBlock(RSAPrivateKey *key,
                  const unsigned char *input,
                  unsigned int inputLen)
 {
-    SECStatus rv;
+    PRInt8 rv;
     unsigned int modulusLen = rsa_modulusLen(&key->modulus);
     unsigned int i;
-    unsigned char *buffer;
+    unsigned char *buffer = NULL;
+    unsigned int outLen = 0;
+    unsigned int copyOutLen = modulusLen - 11;
 
-    if (inputLen != modulusLen)
-        goto failure;
+    if (inputLen != modulusLen || modulusLen < 10) {
+        return SECFailure;
+    }
 
-    buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
-    if (!buffer)
-        goto failure;
+    if (copyOutLen > maxOutputLen) {
+        copyOutLen = maxOutputLen;
+    }
 
-    rv = RSA_PrivateKeyOp(key, buffer, input);
-    if (rv != SECSuccess)
-        goto loser;
+    // Allocate enough space to decrypt + copyOutLen to allow copying outLen later.
+    buffer = PORT_ZAlloc(modulusLen + 1 + copyOutLen);
+    if (!buffer) {
+        return SECFailure;
+    }
 
-    /* XXX(rsleevi): Constant time */
-    if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
-        buffer[1] != (unsigned char)RSA_BlockPublic) {
-        goto loser;
+    // rv is 0 if everything is going well and 1 if an error occurs.
+    rv = RSA_PrivateKeyOp(key, buffer, input) != SECSuccess;
+    rv |= (buffer[0] != RSA_BLOCK_FIRST_OCTET) |
+          (buffer[1] != (unsigned char)RSA_BlockPublic);
+
+    // There have to be at least 8 bytes of padding.
+    for (i = 2; i < 10; i++) {
+        rv |= buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET;
     }
-    *outputLen = 0;
-    for (i = 2; i < modulusLen; i++) {
-        if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
-            *outputLen = modulusLen - i - 1;
-            break;
-        }
+
+    for (i = 10; i < modulusLen; i++) {
+        unsigned int newLen = modulusLen - i - 1;
+        unsigned int c = (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) & (outLen == 0);
+        outLen = constantTimeCondition(c, newLen, outLen);
     }
-    if (*outputLen == 0)
-        goto loser;
-    if (*outputLen > maxOutputLen)
-        goto loser;
+    rv |= outLen == 0;
+    rv |= outLen > maxOutputLen;
 
-    PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
+    // Note that output is set even if SECFailure is returned.
+    PORT_Memcpy(output, buffer + modulusLen - outLen, copyOutLen);
+    *outputLen = constantTimeCondition(outLen > maxOutputLen, maxOutputLen,
+                                       outLen);
 
     PORT_Free(buffer);
-    return SECSuccess;
 
-loser:
-    PORT_Free(buffer);
-failure:
-    return SECFailure;
+    for (i = 1; i < sizeof(rv) * 8; i <<= 1) {
+        rv |= rv << i;
+    }
+    return (SECStatus)rv;
 }
 
 /*
diff --git a/security/nss/lib/jar/jarint.h b/security/nss/lib/jar/jarint.h
index 21aecef89a..0f40f931f6 100644
--- a/security/nss/lib/jar/jarint.h
+++ b/security/nss/lib/jar/jarint.h
@@ -5,7 +5,7 @@
 /* JAR internal routines */
 
 #include "nspr.h"
-#include "key.h"
+#include "keyhi.h"
 #include "base64.h"
 
 extern CERTCertDBHandle *JAR_open_database(void);
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index fa8f1851ea..145dcff9a2 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -2914,7 +2914,8 @@ PKIX_PL_Cert_CheckValidity(
         requiredUsages = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
         allowOverride =
             (PRBool)((requiredUsages & certificateUsageSSLServer) ||
-                     (requiredUsages & certificateUsageSSLServerWithStepUp));
+                     (requiredUsages & certificateUsageSSLServerWithStepUp) ||
+                     (requiredUsages & certificateUsageIPsec));
         val = CERT_CheckCertValidTimes(cert->nssCert, timeToCheck, allowOverride);
         if (val != secCertTimeValid){
                 PKIX_ERROR(PKIX_CERTCHECKCERTVALIDTIMESFAILED);
@@ -3001,8 +3002,17 @@ PKIX_PL_Cert_VerifyCertAndKeyType(
     if (CERT_CheckKeyUsage(cert->nssCert, requiredKeyUsage) != SECSuccess) {
         PKIX_ERROR(PKIX_CERTCHECKKEYUSAGEFAILED);
     }
-    if (!(certType & requiredCertType)) {
-        PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+    if (certUsage != certUsageIPsec) {
+        if (!(certType & requiredCertType)) {
+            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+        }
+    } else {
+        PRBool isCritical;
+        PRBool allowed = cert_EKUAllowsIPsecIKE(cert->nssCert, &isCritical);
+        /* If the extension isn't critical, we allow any EKU value. */
+        if (isCritical && !allowed) {
+            PKIX_ERROR(PKIX_CERTCHECKCERTTYPEFAILED);
+        }
     }
 cleanup:
     PKIX_DECREF(basicConstraints);
diff --git a/security/nss/lib/mozpkix/.clang-format b/security/nss/lib/mozpkix/.clang-format
new file mode 100644
index 0000000000..06e3c5115f
--- /dev/null
+++ b/security/nss/lib/mozpkix/.clang-format
@@ -0,0 +1,4 @@
+---
+Language: Cpp
+BasedOnStyle: Google
+...
diff --git a/security/nss/lib/mozpkix/exports.gyp b/security/nss/lib/mozpkix/exports.gyp
new file mode 100644
index 0000000000..248efc910e
--- /dev/null
+++ b/security/nss/lib/mozpkix/exports.gyp
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'lib_mozpkix_exports',
+      'type': 'none',
+      'copies': [
+        {
+          'files': [
+            '<(DEPTH)/cpputil/nss_scoped_ptrs.h',
+            'include/pkix/Input.h',
+            'include/pkix/Time.h',
+            'include/pkix/Result.h',
+            'include/pkix/pkix.h',
+            'include/pkix/pkixnss.h',
+            'include/pkix/pkixtypes.h',
+            'include/pkix/pkixutil.h',
+            'include/pkix/pkixcheck.h',
+            'include/pkix/pkixder.h',
+          ],
+          'destination': '<(nss_public_dist_dir)/<(module)/mozpkix'
+        },
+      ],
+    },
+    {
+      'target_name': 'lib_mozpkix_test_exports',
+      'type': 'none',
+      'copies': [
+        {
+          'files': [
+            'include/pkix-test/pkixtestutil.h',
+            'include/pkix-test/pkixtestnss.h',
+          ],
+          'destination': '<(nss_public_dist_dir)/<(module)/mozpkix/test'
+        },
+      ],
+    }
+  ],
+  'variables': {
+    'module': 'nss'
+  }
+}
\ No newline at end of file
diff --git a/security/nss/lib/mozpkix/include/pkix-test/pkixtestnss.h b/security/nss/lib/mozpkix/include/pkix-test/pkixtestnss.h
new file mode 100644
index 0000000000..5ae776f6ad
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix-test/pkixtestnss.h
@@ -0,0 +1,48 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2018 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This file provides some implementation-specific test utilities. This is only
+// necessary because some PSM xpcshell test utilities overlap in functionality
+// with these test utilities, so the underlying implementation is shared.
+
+#ifndef mozilla_pkix_test_pkixtestnss_h
+#define mozilla_pkix_test_pkixtestnss_h
+
+#include <keyhi.h>
+#include <keythi.h>
+#include "mozpkix/nss_scoped_ptrs.h"
+#include "mozpkix/test/pkixtestutil.h"
+
+namespace mozilla {
+namespace pkix {
+namespace test {
+
+TestKeyPair* CreateTestKeyPair(const TestPublicKeyAlgorithm publicKeyAlg,
+                               const ScopedSECKEYPublicKey& publicKey,
+                               const ScopedSECKEYPrivateKey& privateKey);
+}
+}
+}  // namespace mozilla::pkix::test
+
+#endif  // mozilla_pkix_test_pkixtestnss_h
diff --git a/security/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h b/security/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h
new file mode 100644
index 0000000000..55c435419f
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix-test/pkixtestutil.h
@@ -0,0 +1,406 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_test_pkixtestutil_h
+#define mozilla_pkix_test_pkixtestutil_h
+
+#include <cstdint>
+#include <cstring>
+#include <ctime>
+#include <string>
+
+#include "mozpkix/pkixtypes.h"
+
+namespace mozilla {
+namespace pkix {
+namespace test {
+
+typedef std::basic_string<uint8_t> ByteString;
+
+inline bool ENCODING_FAILED(const ByteString& bs) { return bs.empty(); }
+
+template <size_t L>
+inline ByteString BytesToByteString(const uint8_t (&bytes)[L]) {
+  return ByteString(bytes, L);
+}
+
+// XXX: Ideally, we should define this instead:
+//
+//   template <typename T, std::size_t N>
+//   constexpr inline std::size_t
+//   ArrayLength(T (&)[N])
+//   {
+//     return N;
+//   }
+//
+// However, we don't because not all supported compilers support constexpr,
+// and we need to calculate array lengths in static_assert sometimes.
+//
+// XXX: Evaluates its argument twice
+#define MOZILLA_PKIX_ARRAY_LENGTH(x) (sizeof(x) / sizeof((x)[0]))
+
+bool InputEqualsByteString(Input input, const ByteString& bs);
+ByteString InputToByteString(Input input);
+
+// python DottedOIDToCode.py --tlv id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
+static const uint8_t tlv_id_kp_OCSPSigning[] = {0x06, 0x08, 0x2b, 0x06, 0x01,
+                                                0x05, 0x05, 0x07, 0x03, 0x09};
+
+// python DottedOIDToCode.py --tlv id-kp-serverAuth 1.3.6.1.5.5.7.3.1
+static const uint8_t tlv_id_kp_serverAuth[] = {0x06, 0x08, 0x2b, 0x06, 0x01,
+                                               0x05, 0x05, 0x07, 0x03, 0x01};
+
+enum class TestDigestAlgorithmID {
+  MD2,
+  MD5,
+  SHA1,
+  SHA224,
+  SHA256,
+  SHA384,
+  SHA512,
+};
+
+struct TestPublicKeyAlgorithm {
+  explicit TestPublicKeyAlgorithm(const ByteString& aAlgorithmIdentifier)
+      : algorithmIdentifier(aAlgorithmIdentifier) {}
+  bool operator==(const TestPublicKeyAlgorithm& other) const {
+    return algorithmIdentifier == other.algorithmIdentifier;
+  }
+  ByteString algorithmIdentifier;
+};
+
+ByteString DSS_P();
+ByteString DSS_Q();
+ByteString DSS_G();
+
+TestPublicKeyAlgorithm DSS();
+TestPublicKeyAlgorithm RSA_PKCS1();
+
+struct TestSignatureAlgorithm {
+  TestSignatureAlgorithm(const TestPublicKeyAlgorithm& publicKeyAlg,
+                         TestDigestAlgorithmID digestAlg,
+                         const ByteString& algorithmIdentifier, bool accepted);
+
+  TestPublicKeyAlgorithm publicKeyAlg;
+  TestDigestAlgorithmID digestAlg;
+  ByteString algorithmIdentifier;
+  bool accepted;
+};
+
+TestSignatureAlgorithm md2WithRSAEncryption();
+TestSignatureAlgorithm md5WithRSAEncryption();
+TestSignatureAlgorithm sha1WithRSAEncryption();
+TestSignatureAlgorithm sha256WithRSAEncryption();
+
+// e.g. YMDHMS(2016, 12, 31, 1, 23, 45) => 2016-12-31:01:23:45 (GMT)
+mozilla::pkix::Time YMDHMS(uint16_t year, uint16_t month, uint16_t day,
+                           uint16_t hour, uint16_t minutes, uint16_t seconds);
+
+ByteString TLV(uint8_t tag, size_t length, const ByteString& value);
+
+inline ByteString TLV(uint8_t tag, const ByteString& value) {
+  return TLV(tag, value.length(), value);
+}
+
+// Although we can't enforce it without relying on Cuser-defined literals,
+// which aren't supported by all of our compilers yet, you should only pass
+// string literals as the last parameter to the following two functions.
+
+template <size_t N>
+inline ByteString TLV(uint8_t tag, const char (&value)[N]) {
+  static_assert(N > 0, "cannot have string literal of size 0");
+  assert(value[N - 1] == 0);
+  return TLV(tag, ByteString(reinterpret_cast<const uint8_t*>(&value), N - 1));
+}
+
+template <size_t N>
+inline ByteString TLV(uint8_t tag, size_t length, const char (&value)[N]) {
+  static_assert(N > 0, "cannot have string literal of size 0");
+  assert(value[N - 1] == 0);
+  return TLV(tag, length,
+             ByteString(reinterpret_cast<const uint8_t*>(&value), N - 1));
+}
+
+ByteString Boolean(bool value);
+ByteString Integer(long value);
+
+ByteString CN(const ByteString&, uint8_t encodingTag = 0x0c /*UTF8String*/);
+
+inline ByteString CN(const char* value,
+                     uint8_t encodingTag = 0x0c /*UTF8String*/) {
+  return CN(
+      ByteString(reinterpret_cast<const uint8_t*>(value), std::strlen(value)),
+      encodingTag);
+}
+
+ByteString OU(const ByteString&, uint8_t encodingTag = 0x0c /*UTF8String*/);
+
+inline ByteString OU(const char* value,
+                     uint8_t encodingTag = 0x0c /*UTF8String*/) {
+  return OU(
+      ByteString(reinterpret_cast<const uint8_t*>(value), std::strlen(value)),
+      encodingTag);
+}
+
+ByteString emailAddress(const ByteString&);
+
+inline ByteString emailAddress(const char* value) {
+  return emailAddress(
+      ByteString(reinterpret_cast<const uint8_t*>(value), std::strlen(value)));
+}
+
+// RelativeDistinguishedName ::=
+//   SET SIZE (1..MAX) OF AttributeTypeAndValue
+//
+ByteString RDN(const ByteString& avas);
+
+// Name ::= CHOICE { -- only one possibility for now --
+//   rdnSequence  RDNSequence }
+//
+// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+//
+ByteString Name(const ByteString& rdns);
+
+inline ByteString CNToDERName(const ByteString& cn) {
+  return Name(RDN(CN(cn)));
+}
+
+inline ByteString CNToDERName(const char* cn) { return Name(RDN(CN(cn))); }
+
+// GeneralName ::= CHOICE {
+//      otherName                       [0]     OtherName,
+//      rfc822Name                      [1]     IA5String,
+//      dNSName                         [2]     IA5String,
+//      x400Address                     [3]     ORAddress,
+//      directoryName                   [4]     Name,
+//      ediPartyName                    [5]     EDIPartyName,
+//      uniformResourceIdentifier       [6]     IA5String,
+//      iPAddress                       [7]     OCTET STRING,
+//      registeredID                    [8]     OBJECT IDENTIFIER }
+
+inline ByteString RFC822Name(const ByteString& name) {
+  // (2 << 6) means "context-specific", 1 is the GeneralName tag.
+  return TLV((2 << 6) | 1, name);
+}
+
+template <size_t L>
+inline ByteString RFC822Name(const char (&bytes)[L]) {
+  return RFC822Name(
+      ByteString(reinterpret_cast<const uint8_t*>(&bytes), L - 1));
+}
+
+inline ByteString DNSName(const ByteString& name) {
+  // (2 << 6) means "context-specific", 2 is the GeneralName tag.
+  return TLV((2 << 6) | 2, name);
+}
+
+template <size_t L>
+inline ByteString DNSName(const char (&bytes)[L]) {
+  return DNSName(ByteString(reinterpret_cast<const uint8_t*>(&bytes), L - 1));
+}
+
+inline ByteString DirectoryName(const ByteString& name) {
+  // (2 << 6) means "context-specific", (1 << 5) means "constructed", and 4 is
+  // the DirectoryName tag.
+  return TLV((2 << 6) | (1 << 5) | 4, name);
+}
+
+inline ByteString IPAddress() {
+  // (2 << 6) means "context-specific", 7 is the GeneralName tag.
+  return TLV((2 << 6) | 7, ByteString());
+}
+
+template <size_t L>
+inline ByteString IPAddress(const uint8_t (&bytes)[L]) {
+  // (2 << 6) means "context-specific", 7 is the GeneralName tag.
+  return TLV((2 << 6) | 7, ByteString(bytes, L));
+}
+
+// Names should be zero or more GeneralNames, like DNSName and IPAddress return,
+// concatenated together.
+//
+// CreatedEncodedSubjectAltName(ByteString()) results in a SAN with an empty
+// sequence. CreateEmptyEncodedSubjectName() results in a SAN without any
+// sequence.
+ByteString CreateEncodedSubjectAltName(const ByteString& names);
+ByteString CreateEncodedEmptySubjectAltName();
+
+class TestKeyPair {
+ public:
+  virtual ~TestKeyPair() {}
+
+  const TestPublicKeyAlgorithm publicKeyAlg;
+
+  // The DER encoding of the entire SubjectPublicKeyInfo structure. This is
+  // what is encoded in certificates.
+  const ByteString subjectPublicKeyInfo;
+
+  // The DER encoding of subjectPublicKeyInfo.subjectPublicKey. This is what is
+  // hashed to create CertIDs for OCSP.
+  const ByteString subjectPublicKey;
+
+  virtual Result SignData(const ByteString& tbs,
+                          const TestSignatureAlgorithm& signatureAlgorithm,
+                          /*out*/ ByteString& signature) const = 0;
+
+  virtual TestKeyPair* Clone() const = 0;
+
+ protected:
+  TestKeyPair(const TestPublicKeyAlgorithm& publicKeyAlg,
+              const ByteString& spk);
+  TestKeyPair(const TestKeyPair&) = delete;
+  void operator=(const TestKeyPair&) = delete;
+};
+
+TestKeyPair* CloneReusedKeyPair();
+TestKeyPair* GenerateKeyPair();
+TestKeyPair* GenerateDSSKeyPair();
+inline void DeleteTestKeyPair(TestKeyPair* keyPair) { delete keyPair; }
+typedef std::unique_ptr<TestKeyPair> ScopedTestKeyPair;
+
+Result TestVerifyECDSASignedDigest(const SignedDigest& signedDigest,
+                                   Input subjectPublicKeyInfo);
+Result TestVerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+                                      Input subjectPublicKeyInfo);
+Result TestDigestBuf(Input item, DigestAlgorithm digestAlg,
+                     /*out*/ uint8_t* digestBuf, size_t digestBufLen);
+
+// Replace one substring in item with another of the same length, but only if
+// the substring was found exactly once. The "same length" restriction is
+// useful for avoiding invalidating lengths encoded within the item. The
+// "only once" restriction is helpful for avoiding making accidental changes.
+//
+// The string to search for must be 8 or more bytes long so that it is
+// extremely unlikely that there will ever be any false positive matches
+// in digital signatures, keys, hashes, etc.
+Result TamperOnce(/*in/out*/ ByteString& item, const ByteString& from,
+                  const ByteString& to);
+
+///////////////////////////////////////////////////////////////////////////////
+// Encode Certificates
+
+enum Version { v1 = 0, v2 = 1, v3 = 2 };
+
+// signature is assumed to be the DER encoding of an AlgorithmIdentifer. It is
+// put into the signature field of the TBSCertificate. In most cases, it will
+// be the same as signatureAlgorithm, which is the algorithm actually used
+// to sign the certificate.
+// serialNumber is assumed to be the DER encoding of an INTEGER.
+//
+// If extensions is null, then no extensions will be encoded. Otherwise,
+// extensions must point to an array of ByteStrings, terminated with an empty
+// ByteString. (If the first item of the array is empty then an empty
+// Extensions sequence will be encoded.)
+ByteString CreateEncodedCertificate(
+    long version, const TestSignatureAlgorithm& signature,
+    const ByteString& serialNumber, const ByteString& issuerNameDER,
+    time_t notBefore, time_t notAfter, const ByteString& subjectNameDER,
+    const TestKeyPair& subjectKeyPair,
+    /*optional*/ const ByteString* extensions, const TestKeyPair& issuerKeyPair,
+    const TestSignatureAlgorithm& signatureAlgorithm);
+
+ByteString CreateEncodedSerialNumber(long value);
+
+enum class Critical { No = 0, Yes = 1 };
+
+ByteString CreateEncodedBasicConstraints(
+    bool isCA,
+    /*optional in*/ const long* pathLenConstraint, Critical critical);
+
+// Creates a DER-encoded extKeyUsage extension with one EKU OID.
+ByteString CreateEncodedEKUExtension(Input eku, Critical critical);
+
+///////////////////////////////////////////////////////////////////////////////
+// Encode OCSP responses
+
+class OCSPResponseExtension final {
+ public:
+  OCSPResponseExtension();
+
+  ByteString id;
+  bool critical;
+  ByteString value;
+  OCSPResponseExtension* next;
+};
+
+class OCSPResponseContext final {
+ public:
+  OCSPResponseContext(const CertID& certID, std::time_t time);
+
+  const CertID& certID;
+  // TODO(bug 980538): add a way to specify what certificates are included.
+
+  // The fields below are in the order that they appear in an OCSP response.
+
+  enum OCSPResponseStatus {
+    successful = 0,
+    malformedRequest = 1,
+    internalError = 2,
+    tryLater = 3,
+    // 4 is not used
+    sigRequired = 5,
+    unauthorized = 6,
+  };
+  uint8_t responseStatus;  // an OCSPResponseStatus or an invalid value
+  bool skipResponseBytes;  // If true, don't include responseBytes
+
+  // responderID
+  ByteString signerNameDER;  // If set, responderID will use the byName
+                             // form; otherwise responderID will use the
+                             // byKeyHash form.
+
+  std::time_t producedAt;
+
+  // SingleResponse extensions (for the certID given in the constructor).
+  OCSPResponseExtension* singleExtensions;
+  // ResponseData extensions.
+  OCSPResponseExtension* responseExtensions;
+  bool includeEmptyExtensions;  // If true, include the extension wrapper
+                                // regardless of if there are any actual
+                                // extensions.
+  ScopedTestKeyPair signerKeyPair;
+  TestSignatureAlgorithm signatureAlgorithm;
+  bool badSignature;        // If true, alter the signature to fail verification
+  const ByteString* certs;  // optional; array terminated by an empty string
+
+  // The following fields are on a per-SingleResponse basis. In the future we
+  // may support including multiple SingleResponses per response.
+  enum CertStatus {
+    good = 0,
+    revoked = 1,
+    unknown = 2,
+  };
+  uint8_t certStatus;          // CertStatus or an invalid value
+  std::time_t revocationTime;  // For certStatus == revoked
+  std::time_t thisUpdate;
+  std::time_t nextUpdate;
+  bool includeNextUpdate;
+};
+
+ByteString CreateEncodedOCSPResponse(OCSPResponseContext& context);
+}
+}
+}  // namespace mozilla::pkix::test
+
+#endif  // mozilla_pkix_test_pkixtestutil_h
diff --git a/security/nss/lib/mozpkix/include/pkix/Input.h b/security/nss/lib/mozpkix/include/pkix/Input.h
new file mode 100644
index 0000000000..11b2a0f7e4
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/Input.h
@@ -0,0 +1,310 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_Input_h
+#define mozilla_pkix_Input_h
+
+#include <algorithm>
+
+#include "mozpkix/Result.h"
+#include "stdint.h"
+
+namespace mozilla {
+namespace pkix {
+
+class Reader;
+
+// An Input is a safety-oriented immutable weak reference to a array of bytes
+// of a known size. The data can only be legally accessed by constructing a
+// Reader object, which guarantees all accesses to the data are memory safe.
+// Neither Input not Reader provide any facilities for modifying the data
+// they reference.
+//
+// Inputs are small and should usually be passed by value, not by reference,
+// though for inline functions the distinction doesn't matter:
+//
+//    Result GoodExample(Input input);
+//    Result BadExample(const Input& input);
+//    Result WorseExample(const uint8_t* input, size_t len);
+//
+// Note that in the example, GoodExample has the same performance
+// characteristics as WorseExample, but with much better safety guarantees.
+class Input final {
+ public:
+  typedef uint16_t size_type;
+
+  // This constructor is useful for inputs that are statically known to be of a
+  // fixed size, e.g.:
+  //
+  //   static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
+  //   const Input expected(EXPECTED_BYTES);
+  //
+  // This is equivalent to (and preferred over):
+  //
+  //   static const uint8_t EXPECTED_BYTES[] = { 0x00, 0x01, 0x02 };
+  //   Input expected;
+  //   Result rv = expected.Init(EXPECTED_BYTES, sizeof EXPECTED_BYTES);
+  template <size_type N>
+  explicit Input(const uint8_t (&aData)[N]) : data(aData), len(N) {}
+
+  // Construct a valid, empty, Init-able Input.
+  Input() : data(nullptr), len(0u) {}
+
+  // This is intentionally not explicit in order to allow value semantics.
+  Input(const Input&) = default;
+
+  // Initialize the input. data must be non-null and len must be less than
+  // 65536. Init may not be called more than once.
+  Result Init(const uint8_t* aData, size_t aLen) {
+    if (this->data) {
+      // already initialized
+      return Result::FATAL_ERROR_INVALID_ARGS;
+    }
+    if (!aData || aLen > 0xffffu) {
+      // input too large
+      return Result::ERROR_BAD_DER;
+    }
+
+    this->data = aData;
+    this->len = aLen;
+
+    return Success;
+  }
+
+  // Initialize the input to be equivalent to the given input. Init may not be
+  // called more than once.
+  //
+  // This is basically operator=, but it wasn't given that name because
+  // normally callers do not check the result of operator=, and normally
+  // operator= can be used multiple times.
+  Result Init(Input other) { return Init(other.data, other.len); }
+
+  // Returns the length of the input.
+  //
+  // Having the return type be size_type instead of size_t avoids the need for
+  // callers to ensure that the result is small enough.
+  size_type GetLength() const { return static_cast<size_type>(len); }
+
+  // Don't use this. It is here because we have some "friend" functions that we
+  // don't want to declare in this header file.
+  const uint8_t* UnsafeGetData() const { return data; }
+
+ private:
+  const uint8_t* data;
+  size_t len;
+
+  void operator=(const Input&) = delete;  // Use Init instead.
+};
+
+inline bool InputsAreEqual(const Input& a, const Input& b) {
+  return a.GetLength() == b.GetLength() &&
+         std::equal(a.UnsafeGetData(), a.UnsafeGetData() + a.GetLength(),
+                    b.UnsafeGetData());
+}
+
+// An Reader is a cursor/iterator through the contents of an Input, designed to
+// maximize safety during parsing while minimizing the performance cost of that
+// safety. In particular, all methods do strict bounds checking to ensure
+// buffer overflows are impossible, and they are all inline so that the
+// compiler can coalesce as many of those checks together as possible.
+//
+// In general, Reader allows for one byte of lookahead and no backtracking.
+// However, the Match* functions internally may have more lookahead.
+class Reader final {
+ public:
+  Reader() : input(nullptr), end(nullptr) {}
+
+  explicit Reader(Input aInput)
+      : input(aInput.UnsafeGetData()),
+        end(aInput.UnsafeGetData() + aInput.GetLength()) {}
+
+  Result Init(Input aInput) {
+    if (this->input) {
+      return Result::FATAL_ERROR_INVALID_ARGS;
+    }
+    this->input = aInput.UnsafeGetData();
+    this->end = aInput.UnsafeGetData() + aInput.GetLength();
+    return Success;
+  }
+
+  bool Peek(uint8_t expectedByte) const {
+    return input < end && *input == expectedByte;
+  }
+
+  Result Read(uint8_t& out) {
+    Result rv = EnsureLength(1);
+    if (rv != Success) {
+      return rv;
+    }
+    out = *input++;
+    return Success;
+  }
+
+  Result Read(uint16_t& out) {
+    Result rv = EnsureLength(2);
+    if (rv != Success) {
+      return rv;
+    }
+    out = *input++;
+    out <<= 8u;
+    out |= *input++;
+    return Success;
+  }
+
+  template <Input::size_type N>
+  bool MatchRest(const uint8_t (&toMatch)[N]) {
+    // Normally we use EnsureLength which compares (input + len < end), but
+    // here we want to be sure that there is nothing following the matched
+    // bytes
+    if (static_cast<size_t>(end - input) != N) {
+      return false;
+    }
+    if (!std::equal(input, end, toMatch)) {
+      return false;
+    }
+    input = end;
+    return true;
+  }
+
+  bool MatchRest(Input toMatch) {
+    // Normally we use EnsureLength which compares (input + len < end), but
+    // here we want to be sure that there is nothing following the matched
+    // bytes
+    size_t remaining = static_cast<size_t>(end - input);
+    if (toMatch.GetLength() != remaining) {
+      return false;
+    }
+    if (!std::equal(input, end, toMatch.UnsafeGetData())) {
+      return false;
+    }
+    input = end;
+    return true;
+  }
+
+  Result Skip(Input::size_type len) {
+    Result rv = EnsureLength(len);
+    if (rv != Success) {
+      return rv;
+    }
+    input += len;
+    return Success;
+  }
+
+  Result Skip(Input::size_type len, Reader& skipped) {
+    Result rv = EnsureLength(len);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = skipped.Init(input, len);
+    if (rv != Success) {
+      return rv;
+    }
+    input += len;
+    return Success;
+  }
+
+  Result Skip(Input::size_type len, /*out*/ Input& skipped) {
+    Result rv = EnsureLength(len);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = skipped.Init(input, len);
+    if (rv != Success) {
+      return rv;
+    }
+    input += len;
+    return Success;
+  }
+
+  void SkipToEnd() { input = end; }
+
+  Result SkipToEnd(/*out*/ Input& skipped) {
+    return Skip(static_cast<Input::size_type>(end - input), skipped);
+  }
+
+  Result EnsureLength(Input::size_type len) {
+    if (static_cast<size_t>(end - input) < len) {
+      return Result::ERROR_BAD_DER;
+    }
+    return Success;
+  }
+
+  bool AtEnd() const { return input == end; }
+
+  class Mark final {
+   public:
+    Mark(const Mark&) = default;  // Intentionally not explicit.
+   private:
+    friend class Reader;
+    Mark(const Reader& aInput, const uint8_t* aMark)
+        : input(aInput), mark(aMark) {}
+    const Reader& input;
+    const uint8_t* const mark;
+    void operator=(const Mark&) = delete;
+  };
+
+  Mark GetMark() const { return Mark(*this, input); }
+
+  Result GetInput(const Mark& mark, /*out*/ Input& item) {
+    if (&mark.input != this || mark.mark > input) {
+      return NotReached("invalid mark", Result::FATAL_ERROR_INVALID_ARGS);
+    }
+    return item.Init(mark.mark,
+                     static_cast<Input::size_type>(input - mark.mark));
+  }
+
+ private:
+  Result Init(const uint8_t* data, Input::size_type len) {
+    if (input) {
+      // already initialized
+      return Result::FATAL_ERROR_INVALID_ARGS;
+    }
+    input = data;
+    end = data + len;
+    return Success;
+  }
+
+  const uint8_t* input;
+  const uint8_t* end;
+
+  Reader(const Reader&) = delete;
+  void operator=(const Reader&) = delete;
+};
+
+inline bool InputContains(const Input& input, uint8_t toFind) {
+  Reader reader(input);
+  for (;;) {
+    uint8_t b;
+    if (reader.Read(b) != Success) {
+      return false;
+    }
+    if (b == toFind) {
+      return true;
+    }
+  }
+}
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_Input_h
diff --git a/security/nss/lib/mozpkix/include/pkix/Result.h b/security/nss/lib/mozpkix/include/pkix/Result.h
new file mode 100644
index 0000000000..29461dc1a5
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/Result.h
@@ -0,0 +1,219 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_Result_h
+#define mozilla_pkix_Result_h
+
+#include <cassert>
+
+namespace mozilla {
+namespace pkix {
+
+static const unsigned int FATAL_ERROR_FLAG = 0x800;
+
+// ----------------------------------------------------------------------------
+// SELECTED ERROR CODE EXPLANATIONS
+//
+// Result::ERROR_UNTRUSTED_CERT
+//         means that the end-entity certificate was actively distrusted.
+// Result::ERROR_UNTRUSTED_ISSUER
+//         means that path building failed because of active distrust.
+// Result::ERROR_INVALID_DER_TIME
+//         means the DER-encoded time was unexpected, such as being before the
+//         UNIX epoch (allowed by X500, but not valid here).
+// Result::ERROR_EXPIRED_CERTIFICATE
+//         means the end entity certificate expired.
+// Result::ERROR_EXPIRED_ISSUER_CERTIFICATE
+//         means the CA certificate expired.
+// Result::ERROR_UNKNOWN_ISSUER
+//         means that the CA could not be found in the root store.
+// Result::ERROR_POLICY_VALIDATION_FAILED
+//         means that an encoded policy could not be applied or wasn't present
+//         when expected. Usually this is in the context of Extended Validation.
+// Result::ERROR_BAD_CERT_DOMAIN
+//         means that the certificate's name couldn't be matched to the
+//         reference identifier.
+// Result::ERROR_CERT_NOT_IN_NAME_SPACE
+//         typically means the certificate violates name constraints applied
+//         by the issuer.
+// Result::ERROR_BAD_DER
+//         means the input was improperly encoded.
+// Result::ERROR_UNKNOWN_ERROR
+//         means that an external library (NSS) provided an error we didn't
+//         anticipate. See the map below in Result.h to add new ones.
+// Result::FATAL_ERROR_LIBRARY_FAILURE
+//         is an unexpected fatal error indicating a library had an unexpected
+//         failure, and we can't proceed.
+// Result::FATAL_ERROR_INVALID_ARGS
+//         means that we violated our own expectations on inputs and there's a
+//         bug somewhere.
+// Result::FATAL_ERROR_INVALID_STATE
+//         means that we violated our own expectations on state and there's a
+//         bug somewhere.
+// Result::FATAL_ERROR_NO_MEMORY
+//         means a memory allocation failed, prohibiting validation.
+// ----------------------------------------------------------------------------
+
+// The first argument to MOZILLA_PKIX_MAP() is used for building the mapping
+// from error code to error name in MapResultToName.
+//
+// The second argument is for defining the value for the enum literal in the
+// Result enum class.
+//
+// The third argument to MOZILLA_PKIX_MAP() is used, along with the first
+// argument, for maintaining the mapping of mozilla::pkix error codes to
+// NSS/NSPR error codes in pkixnss.cpp.
+#define MOZILLA_PKIX_MAP_LIST                                                  \
+  MOZILLA_PKIX_MAP(Success, 0, 0)                                              \
+  MOZILLA_PKIX_MAP(ERROR_BAD_DER, 1, SEC_ERROR_BAD_DER)                        \
+  MOZILLA_PKIX_MAP(ERROR_CA_CERT_INVALID, 2, SEC_ERROR_CA_CERT_INVALID)        \
+  MOZILLA_PKIX_MAP(ERROR_BAD_SIGNATURE, 3, SEC_ERROR_BAD_SIGNATURE)            \
+  MOZILLA_PKIX_MAP(ERROR_CERT_BAD_ACCESS_LOCATION, 4,                          \
+                   SEC_ERROR_CERT_BAD_ACCESS_LOCATION)                         \
+  MOZILLA_PKIX_MAP(ERROR_CERT_NOT_IN_NAME_SPACE, 5,                            \
+                   SEC_ERROR_CERT_NOT_IN_NAME_SPACE)                           \
+  MOZILLA_PKIX_MAP(ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, 6,                 \
+                   SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)                \
+  MOZILLA_PKIX_MAP(ERROR_CONNECT_REFUSED, 7, PR_CONNECT_REFUSED_ERROR)         \
+  MOZILLA_PKIX_MAP(ERROR_EXPIRED_CERTIFICATE, 8,                               \
+                   SEC_ERROR_EXPIRED_CERTIFICATE)                              \
+  MOZILLA_PKIX_MAP(ERROR_EXTENSION_VALUE_INVALID, 9,                           \
+                   SEC_ERROR_EXTENSION_VALUE_INVALID)                          \
+  MOZILLA_PKIX_MAP(ERROR_INADEQUATE_CERT_TYPE, 10,                             \
+                   SEC_ERROR_INADEQUATE_CERT_TYPE)                             \
+  MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_USAGE, 11,                             \
+                   SEC_ERROR_INADEQUATE_KEY_USAGE)                             \
+  MOZILLA_PKIX_MAP(ERROR_INVALID_ALGORITHM, 12, SEC_ERROR_INVALID_ALGORITHM)   \
+  MOZILLA_PKIX_MAP(ERROR_INVALID_DER_TIME, 13, SEC_ERROR_INVALID_TIME)         \
+  MOZILLA_PKIX_MAP(ERROR_KEY_PINNING_FAILURE, 14,                              \
+                   MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE)                     \
+  MOZILLA_PKIX_MAP(ERROR_PATH_LEN_CONSTRAINT_INVALID, 15,                      \
+                   SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID)                      \
+  MOZILLA_PKIX_MAP(ERROR_POLICY_VALIDATION_FAILED, 16,                         \
+                   SEC_ERROR_POLICY_VALIDATION_FAILED)                         \
+  MOZILLA_PKIX_MAP(ERROR_REVOKED_CERTIFICATE, 17,                              \
+                   SEC_ERROR_REVOKED_CERTIFICATE)                              \
+  MOZILLA_PKIX_MAP(ERROR_UNKNOWN_CRITICAL_EXTENSION, 18,                       \
+                   SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION)                       \
+  MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ERROR, 19, PR_UNKNOWN_ERROR)                  \
+  MOZILLA_PKIX_MAP(ERROR_UNKNOWN_ISSUER, 20, SEC_ERROR_UNKNOWN_ISSUER)         \
+  MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_CERT, 21, SEC_ERROR_UNTRUSTED_CERT)         \
+  MOZILLA_PKIX_MAP(ERROR_UNTRUSTED_ISSUER, 22, SEC_ERROR_UNTRUSTED_ISSUER)     \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_BAD_SIGNATURE, 23, SEC_ERROR_OCSP_BAD_SIGNATURE) \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_INVALID_SIGNING_CERT, 24,                        \
+                   SEC_ERROR_OCSP_INVALID_SIGNING_CERT)                        \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_REQUEST, 25,                           \
+                   SEC_ERROR_OCSP_MALFORMED_REQUEST)                           \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_MALFORMED_RESPONSE, 26,                          \
+                   SEC_ERROR_OCSP_MALFORMED_RESPONSE)                          \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_OLD_RESPONSE, 27, SEC_ERROR_OCSP_OLD_RESPONSE)   \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_REQUEST_NEEDS_SIG, 28,                           \
+                   SEC_ERROR_OCSP_REQUEST_NEEDS_SIG)                           \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONDER_CERT_INVALID, 29,                      \
+                   SEC_ERROR_OCSP_RESPONDER_CERT_INVALID)                      \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_SERVER_ERROR, 30, SEC_ERROR_OCSP_SERVER_ERROR)   \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_TRY_SERVER_LATER, 31,                            \
+                   SEC_ERROR_OCSP_TRY_SERVER_LATER)                            \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_UNAUTHORIZED_REQUEST, 32,                        \
+                   SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST)                        \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, 33,                     \
+                   SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS)                     \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_UNKNOWN_CERT, 34, SEC_ERROR_OCSP_UNKNOWN_CERT)   \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_FUTURE_RESPONSE, 35,                             \
+                   SEC_ERROR_OCSP_FUTURE_RESPONSE)                             \
+  MOZILLA_PKIX_MAP(ERROR_INVALID_KEY, 36, SEC_ERROR_INVALID_KEY)               \
+  MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_KEYALG, 37, SEC_ERROR_UNSUPPORTED_KEYALG) \
+  MOZILLA_PKIX_MAP(ERROR_EXPIRED_ISSUER_CERTIFICATE, 38,                       \
+                   SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE)                       \
+  MOZILLA_PKIX_MAP(ERROR_CA_CERT_USED_AS_END_ENTITY, 39,                       \
+                   MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY)              \
+  MOZILLA_PKIX_MAP(ERROR_INADEQUATE_KEY_SIZE, 40,                              \
+                   MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE)                     \
+  MOZILLA_PKIX_MAP(ERROR_V1_CERT_USED_AS_CA, 41,                               \
+                   MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA)                      \
+  MOZILLA_PKIX_MAP(ERROR_BAD_CERT_DOMAIN, 42, SSL_ERROR_BAD_CERT_DOMAIN)       \
+  MOZILLA_PKIX_MAP(ERROR_NO_RFC822NAME_MATCH, 43,                              \
+                   MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH)                     \
+  MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_ELLIPTIC_CURVE, 44,                       \
+                   SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE)                       \
+  MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_CERTIFICATE, 45,                        \
+                   MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE)               \
+  MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE, 46,                 \
+                   MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE)        \
+  MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_EC_POINT_FORM, 47,                        \
+                   SEC_ERROR_UNSUPPORTED_EC_POINT_FORM)                        \
+  MOZILLA_PKIX_MAP(ERROR_SIGNATURE_ALGORITHM_MISMATCH, 48,                     \
+                   MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH)            \
+  MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, 49,                   \
+                   MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING)          \
+  MOZILLA_PKIX_MAP(ERROR_VALIDITY_TOO_LONG, 50,                                \
+                   MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG)                       \
+  MOZILLA_PKIX_MAP(ERROR_REQUIRED_TLS_FEATURE_MISSING, 51,                     \
+                   MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING)            \
+  MOZILLA_PKIX_MAP(ERROR_INVALID_INTEGER_ENCODING, 52,                         \
+                   MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING)                \
+  MOZILLA_PKIX_MAP(ERROR_EMPTY_ISSUER_NAME, 53,                                \
+                   MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME)                       \
+  MOZILLA_PKIX_MAP(ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED, 54,              \
+                   MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED)     \
+  MOZILLA_PKIX_MAP(ERROR_SELF_SIGNED_CERT, 55,                                 \
+                   MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT)                        \
+  MOZILLA_PKIX_MAP(ERROR_MITM_DETECTED, 56, MOZILLA_PKIX_ERROR_MITM_DETECTED)  \
+  MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1,             \
+                   SEC_ERROR_INVALID_ARGS)                                     \
+  MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2,            \
+                   PR_INVALID_STATE_ERROR)                                     \
+  MOZILLA_PKIX_MAP(FATAL_ERROR_LIBRARY_FAILURE, FATAL_ERROR_FLAG | 3,          \
+                   SEC_ERROR_LIBRARY_FAILURE)                                  \
+  MOZILLA_PKIX_MAP(FATAL_ERROR_NO_MEMORY, FATAL_ERROR_FLAG | 4,                \
+                   SEC_ERROR_NO_MEMORY)                                        \
+/* nothing here */
+
+enum class Result {
+#define MOZILLA_PKIX_MAP(name, value, nss_name) name = value,
+  MOZILLA_PKIX_MAP_LIST
+#undef MOZILLA_PKIX_MAP
+};
+
+// Returns the stringified name of the given result, e.g. "Result::Success",
+// or nullptr if result is unknown (invalid).
+const char* MapResultToName(Result result);
+
+// We write many comparisons as (x != Success), and this shortened name makes
+// those comparisons clearer, especially because the shortened name often
+// results in less line wrapping.
+static const Result Success = Result::Success;
+
+inline bool IsFatalError(Result rv) {
+  return (static_cast<unsigned int>(rv) & FATAL_ERROR_FLAG) != 0;
+}
+
+inline Result NotReached(const char* /*explanation*/, Result result) {
+  assert(false);
+  return result;
+}
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_Result_h
diff --git a/security/nss/lib/mozpkix/include/pkix/Time.h b/security/nss/lib/mozpkix/include/pkix/Time.h
new file mode 100644
index 0000000000..8aea5479bf
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/Time.h
@@ -0,0 +1,137 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_Time_h
+#define mozilla_pkix_Time_h
+
+#include <stdint.h>
+#include <ctime>
+#include <limits>
+
+#include "mozpkix/Result.h"
+
+namespace mozilla {
+namespace pkix {
+
+// Time with a range from the first second of year 0 (AD) through at least the
+// last second of year 9999, which is the range of legal times in X.509 and
+// OCSP. This type has second-level precision. The time zone is always UTC.
+//
+// Pass by value, not by reference.
+class Time final {
+ public:
+  // Construct an uninitialized instance.
+  //
+  // This will fail to compile because there is no default constructor:
+  //    Time x;
+  //
+  // This will succeed, leaving the time uninitialized:
+  //    Time x(Time::uninitialized);
+  enum Uninitialized { uninitialized };
+  explicit Time(Uninitialized) {}
+
+  bool operator==(const Time& other) const {
+    return elapsedSecondsAD == other.elapsedSecondsAD;
+  }
+  bool operator>(const Time& other) const {
+    return elapsedSecondsAD > other.elapsedSecondsAD;
+  }
+  bool operator>=(const Time& other) const {
+    return elapsedSecondsAD >= other.elapsedSecondsAD;
+  }
+  bool operator<(const Time& other) const {
+    return elapsedSecondsAD < other.elapsedSecondsAD;
+  }
+  bool operator<=(const Time& other) const {
+    return elapsedSecondsAD <= other.elapsedSecondsAD;
+  }
+
+  Result AddSeconds(uint64_t seconds) {
+    if (std::numeric_limits<uint64_t>::max() - elapsedSecondsAD < seconds) {
+      return Result::FATAL_ERROR_INVALID_ARGS;  // integer overflow
+    }
+    elapsedSecondsAD += seconds;
+    return Success;
+  }
+
+  Result SubtractSeconds(uint64_t seconds) {
+    if (seconds > elapsedSecondsAD) {
+      return Result::FATAL_ERROR_INVALID_ARGS;  // integer overflow
+    }
+    elapsedSecondsAD -= seconds;
+    return Success;
+  }
+
+  static const uint64_t ONE_DAY_IN_SECONDS =
+      UINT64_C(24) * UINT64_C(60) * UINT64_C(60);
+
+ private:
+  // This constructor is hidden to prevent accidents like this:
+  //
+  //    Time foo(time_t t)
+  //    {
+  //      // WRONG! 1970-01-01-00:00:00 == time_t(0), but not Time(0)!
+  //      return Time(t);
+  //    }
+  explicit Time(uint64_t aElapsedSecondsAD)
+      : elapsedSecondsAD(aElapsedSecondsAD) {}
+  friend Time TimeFromElapsedSecondsAD(uint64_t);
+  friend class Duration;
+
+  uint64_t elapsedSecondsAD;
+};
+
+inline Time TimeFromElapsedSecondsAD(uint64_t aElapsedSecondsAD) {
+  return Time(aElapsedSecondsAD);
+}
+
+Time Now();
+
+// Note the epoch is the unix epoch (ie 00:00:00 UTC, 1 January 1970)
+Time TimeFromEpochInSeconds(uint64_t secondsSinceEpoch);
+
+class Duration final {
+ public:
+  Duration(Time timeA, Time timeB)
+      : durationInSeconds(
+            timeA < timeB ? timeB.elapsedSecondsAD - timeA.elapsedSecondsAD
+                          : timeA.elapsedSecondsAD - timeB.elapsedSecondsAD) {}
+
+  explicit Duration(uint64_t aDurationInSeconds)
+      : durationInSeconds(aDurationInSeconds) {}
+
+  bool operator>(const Duration& other) const {
+    return durationInSeconds > other.durationInSeconds;
+  }
+  bool operator<(const Duration& other) const {
+    return durationInSeconds < other.durationInSeconds;
+  }
+
+ private:
+  uint64_t durationInSeconds;
+};
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_Time_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkix.h b/security/nss/lib/mozpkix/include/pkix/pkix.h
new file mode 100644
index 0000000000..1cd6548e48
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkix.h
@@ -0,0 +1,160 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkix_h
+#define mozilla_pkix_pkix_h
+
+#include "mozpkix/pkixtypes.h"
+
+namespace mozilla {
+namespace pkix {
+
+// ----------------------------------------------------------------------------
+// LIMITED SUPPORT FOR CERTIFICATE POLICIES
+//
+// If SEC_OID_X509_ANY_POLICY is passed as the value of the requiredPolicy
+// parameter then all policy validation will be skipped. Otherwise, path
+// building and validation will be done for the given policy.
+//
+// In RFC 5280 terms:
+//
+//    * user-initial-policy-set = { requiredPolicy }.
+//    * initial-explicit-policy = true
+//    * initial-any-policy-inhibit = false
+//
+// We allow intermediate cerificates to use this extension but since
+// we do not process the inhibit anyPolicy extesion we will fail if this
+// extension is present. TODO(bug 989051)
+// Because we force explicit policy and because we prohibit policy mapping, we
+// do not bother processing the policy mapping, or policy constraint.
+//
+// ----------------------------------------------------------------------------
+// ERROR RANKING
+//
+// BuildCertChain prioritizes certain checks ahead of others so that when a
+// certificate chain has multiple errors, the "most serious" error is
+// returned. In practice, this ranking of seriousness is tied directly to how
+// Firefox's certificate error override mechanism.
+//
+// The ranking is:
+//
+//    1. Active distrust (Result::ERROR_UNTRUSTED_CERT).
+//    2. Problems with issuer-independent properties for CA certificates.
+//    3. Unknown issuer (Result::ERROR_UNKNOWN_ISSUER).
+//    4. Problems with issuer-independent properties for EE certificates.
+//    5. Revocation.
+//
+// In particular, if BuildCertChain returns Result::ERROR_UNKNOWN_ISSUER then
+// the caller can call CERT_CheckCertValidTimes to determine if the certificate
+// is ALSO expired.
+//
+// It would be better if revocation were prioritized above expiration and
+// unknown issuer. However, it is impossible to do revocation checking without
+// knowing the issuer, since the issuer information is needed to validate the
+// revocation information. Also, generally revocation checking only works
+// during the validity period of the certificate.
+//
+// In general, when path building fails, BuildCertChain will return
+// Result::ERROR_UNKNOWN_ISSUER. However, if all attempted paths resulted in
+// the same error (which is trivially true when there is only one potential
+// path), more specific errors will be returned.
+//
+// ----------------------------------------------------------------------------
+// Meanings of specific error codes can be found in Result.h
+
+// This function attempts to find a trustworthy path from the supplied
+// certificate to a trust anchor. In the event that no trusted path is found,
+// the method returns an error result; the error ranking is described above.
+//
+// Parameters:
+//  time:
+//         Timestamp for which the chain should be valid; this is useful to
+//         analyze whether a record was trustworthy when it was made.
+//  requiredKeyUsageIfPresent:
+//         What key usage bits must be set, if the extension is present at all,
+//         to be considered a valid chain. Multiple values should be OR'd
+//         together. If you don't want to specify anything, use
+//         KeyUsage::noParticularKeyUsageRequired.
+//  requiredEKUIfPresent:
+//         What extended key usage bits must be set, if the EKU extension
+//         exists, to be considered a valid chain. Multiple values should be
+//         OR'd together. If you don't want to specify anything, use
+//         KeyPurposeId::anyExtendedKeyUsage.
+//  requiredPolicy:
+//         This is the policy to apply; typically included in EV certificates.
+//         If there is no policy, pass in CertPolicyId::anyPolicy.
+Result BuildCertChain(TrustDomain& trustDomain, Input cert, Time time,
+                      EndEntityOrCA endEntityOrCA,
+                      KeyUsage requiredKeyUsageIfPresent,
+                      KeyPurposeId requiredEKUIfPresent,
+                      const CertPolicyId& requiredPolicy,
+                      /*optional*/ const Input* stapledOCSPResponse);
+
+// Verify that the given end-entity cert, which is assumed to have been already
+// validated with BuildCertChain, is valid for the given hostname. The matching
+// function attempts to implement RFC 6125 with a couple of differences:
+// - IP addresses are out of scope of RFC 6125, but this method accepts them for
+//   backward compatibility (see SearchNames in pkixnames.cpp)
+// - A wildcard in a DNS-ID may only appear as the entirety of the first label.
+Result CheckCertHostname(Input cert, Input hostname,
+                         NameMatchingPolicy& nameMatchingPolicy);
+
+// Construct an RFC-6960-encoded OCSP request, ready for submission to a
+// responder, for the provided CertID. The request has no extensions.
+static const size_t OCSP_REQUEST_MAX_LENGTH = 127;
+Result CreateEncodedOCSPRequest(TrustDomain& trustDomain, const CertID& certID,
+                                /*out*/ uint8_t (&out)[OCSP_REQUEST_MAX_LENGTH],
+                                /*out*/ size_t& outLen);
+
+// The out parameter expired will be true if the response has expired. If the
+// response also indicates a revoked or unknown certificate, that error
+// will be returned. Otherwise, Result::ERROR_OCSP_OLD_RESPONSE will be
+// returned for an expired response.
+//
+// The optional parameter thisUpdate will be the thisUpdate value of
+// the encoded response if it is considered trustworthy. Only
+// good, unknown, or revoked responses that verify correctly are considered
+// trustworthy. If the response is not trustworthy, thisUpdate will be 0.
+// Similarly, the optional parameter validThrough will be the time through
+// which the encoded response is considered trustworthy (that is, as long as
+// the given time at which to validate is less than or equal to validThrough,
+// the response will be considered trustworthy).
+Result VerifyEncodedOCSPResponse(
+    TrustDomain& trustDomain, const CertID& certID, Time time,
+    uint16_t maxLifetimeInDays, Input encodedResponse,
+    /* out */ bool& expired,
+    /* optional out */ Time* thisUpdate = nullptr,
+    /* optional out */ Time* validThrough = nullptr);
+
+// Check that the TLSFeature extensions in a given end-entity cert (which is
+// assumed to have been already validated with BuildCertChain) are satisfied.
+// The only feature which we cancurrently process a requirement for is
+// status_request (OCSP stapling) so we reject any extension that specifies a
+// requirement for another value. Empty extensions are also rejected.
+Result CheckTLSFeaturesAreSatisfied(Input& cert,
+                                    const Input* stapledOCSPResponse);
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkix_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixcheck.h b/security/nss/lib/mozpkix/include/pkix/pkixcheck.h
new file mode 100644
index 0000000000..e04780e572
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixcheck.h
@@ -0,0 +1,65 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixcheck_h
+#define mozilla_pkix_pkixcheck_h
+
+#include "mozpkix/pkixtypes.h"
+
+namespace mozilla {
+namespace pkix {
+
+class BackCert;
+
+Result CheckIssuerIndependentProperties(TrustDomain& trustDomain,
+                                        const BackCert& cert, Time time,
+                                        KeyUsage requiredKeyUsageIfPresent,
+                                        KeyPurposeId requiredEKUIfPresent,
+                                        const CertPolicyId& requiredPolicy,
+                                        unsigned int subCACount,
+                                        /*out*/ TrustLevel& trustLevel);
+
+Result CheckNameConstraints(Input encodedNameConstraints,
+                            const BackCert& firstChild,
+                            KeyPurposeId requiredEKUIfPresent);
+
+Result CheckIssuer(Input encodedIssuer);
+
+// ParseValidity and CheckValidity are usually used together.  First you parse
+// the dates from the DER Validity sequence, then you compare them to the time
+// at which you are validating.  They are separate so that the notBefore and
+// notAfter times can be used for other things before they are checked against
+// the time of validation.
+Result ParseValidity(Input encodedValidity,
+                     /*optional out*/ Time* notBeforeOut = nullptr,
+                     /*optional out*/ Time* notAfterOut = nullptr);
+Result CheckValidity(Time time, Time notBefore, Time notAfter);
+
+// Check that a subject has TLS Feature (rfc7633) requirements that match its
+// potential issuer
+Result CheckTLSFeatures(const BackCert& subject, BackCert& potentialIssuer);
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkixcheck_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixder.h b/security/nss/lib/mozpkix/include/pkix/pkixder.h
new file mode 100644
index 0000000000..3aae0ecf69
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixder.h
@@ -0,0 +1,520 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixder_h
+#define mozilla_pkix_pkixder_h
+
+// Expect* functions advance the input mark and return Success if the input
+// matches the given criteria; they fail with the input mark in an undefined
+// state if the input does not match the criteria.
+//
+// Match* functions advance the input mark and return true if the input matches
+// the given criteria; they return false without changing the input mark if the
+// input does not match the criteria.
+//
+// Skip* functions unconditionally advance the input mark and return Success if
+// they are able to do so; otherwise they fail with the input mark in an
+// undefined state.
+
+#include "mozpkix/Input.h"
+#include "mozpkix/pkixtypes.h"
+
+namespace mozilla {
+namespace pkix {
+namespace der {
+
+enum Class : uint8_t {
+  UNIVERSAL = 0 << 6,
+  // APPLICATION = 1 << 6, // unused
+  CONTEXT_SPECIFIC = 2 << 6,
+  // PRIVATE = 3 << 6 // unused
+};
+
+enum Constructed { CONSTRUCTED = 1 << 5 };
+
+enum Tag : uint8_t {
+  BOOLEAN = UNIVERSAL | 0x01,
+  INTEGER = UNIVERSAL | 0x02,
+  BIT_STRING = UNIVERSAL | 0x03,
+  OCTET_STRING = UNIVERSAL | 0x04,
+  NULLTag = UNIVERSAL | 0x05,
+  OIDTag = UNIVERSAL | 0x06,
+  ENUMERATED = UNIVERSAL | 0x0a,
+  UTF8String = UNIVERSAL | 0x0c,
+  SEQUENCE = UNIVERSAL | CONSTRUCTED | 0x10,  // 0x30
+  SET = UNIVERSAL | CONSTRUCTED | 0x11,       // 0x31
+  PrintableString = UNIVERSAL | 0x13,
+  TeletexString = UNIVERSAL | 0x14,
+  IA5String = UNIVERSAL | 0x16,
+  UTCTime = UNIVERSAL | 0x17,
+  GENERALIZED_TIME = UNIVERSAL | 0x18,
+};
+
+enum class EmptyAllowed { No = 0, Yes = 1 };
+
+Result ReadTagAndGetValue(Reader& input, /*out*/ uint8_t& tag,
+                          /*out*/ Input& value);
+Result End(Reader& input);
+
+inline Result ExpectTagAndGetValue(Reader& input, uint8_t tag,
+                                   /*out*/ Input& value) {
+  uint8_t actualTag;
+  Result rv = ReadTagAndGetValue(input, actualTag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  if (tag != actualTag) {
+    return Result::ERROR_BAD_DER;
+  }
+  return Success;
+}
+
+inline Result ExpectTagAndGetValue(Reader& input, uint8_t tag,
+                                   /*out*/ Reader& value) {
+  Input valueInput;
+  Result rv = ExpectTagAndGetValue(input, tag, valueInput);
+  if (rv != Success) {
+    return rv;
+  }
+  return value.Init(valueInput);
+}
+
+inline Result ExpectTagAndEmptyValue(Reader& input, uint8_t tag) {
+  Reader value;
+  Result rv = ExpectTagAndGetValue(input, tag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  return End(value);
+}
+
+inline Result ExpectTagAndSkipValue(Reader& input, uint8_t tag) {
+  Input ignoredValue;
+  return ExpectTagAndGetValue(input, tag, ignoredValue);
+}
+
+// Like ExpectTagAndGetValue, except the output Input will contain the
+// encoded tag and length along with the value.
+inline Result ExpectTagAndGetTLV(Reader& input, uint8_t tag,
+                                 /*out*/ Input& tlv) {
+  Reader::Mark mark(input.GetMark());
+  Result rv = ExpectTagAndSkipValue(input, tag);
+  if (rv != Success) {
+    return rv;
+  }
+  return input.GetInput(mark, tlv);
+}
+
+inline Result End(Reader& input) {
+  if (!input.AtEnd()) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  return Success;
+}
+
+template <typename Decoder>
+inline Result Nested(Reader& input, uint8_t tag, Decoder decoder) {
+  Reader nested;
+  Result rv = ExpectTagAndGetValue(input, tag, nested);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = decoder(nested);
+  if (rv != Success) {
+    return rv;
+  }
+  return End(nested);
+}
+
+template <typename Decoder>
+inline Result Nested(Reader& input, uint8_t outerTag, uint8_t innerTag,
+                     Decoder decoder) {
+  Reader nestedInput;
+  Result rv = ExpectTagAndGetValue(input, outerTag, nestedInput);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = Nested(nestedInput, innerTag, decoder);
+  if (rv != Success) {
+    return rv;
+  }
+  return End(nestedInput);
+}
+
+// This can be used to decode constructs like this:
+//
+//     ...
+//     foos SEQUENCE OF Foo,
+//     ...
+//     Foo ::= SEQUENCE {
+//     }
+//
+// using code like this:
+//
+//    Result Foo(Reader& r) { /*...*/ }
+//
+//    rv = der::NestedOf(input, der::SEQEUENCE, der::SEQUENCE, Foo);
+//
+// or:
+//
+//    Result Bar(Reader& r, int value) { /*...*/ }
+//
+//    int value = /*...*/;
+//
+//    rv = der::NestedOf(input, der::SEQUENCE, [value](Reader& r) {
+//      return Bar(r, value);
+//    });
+//
+// In these examples the function will get called once for each element of
+// foos.
+//
+template <typename Decoder>
+inline Result NestedOf(Reader& input, uint8_t outerTag, uint8_t innerTag,
+                       EmptyAllowed mayBeEmpty, Decoder decoder) {
+  Reader inner;
+  Result rv = ExpectTagAndGetValue(input, outerTag, inner);
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (inner.AtEnd()) {
+    if (mayBeEmpty != EmptyAllowed::Yes) {
+      return Result::ERROR_BAD_DER;
+    }
+    return Success;
+  }
+
+  do {
+    rv = Nested(inner, innerTag, decoder);
+    if (rv != Success) {
+      return rv;
+    }
+  } while (!inner.AtEnd());
+
+  return Success;
+}
+
+// Often, a function will need to decode an Input or Reader that contains
+// DER-encoded data wrapped in a SEQUENCE (or similar) with nothing after it.
+// This function reduces the boilerplate necessary for stripping the outermost
+// SEQUENCE (or similar) and ensuring that nothing follows it.
+inline Result ExpectTagAndGetValueAtEnd(Reader& outer, uint8_t expectedTag,
+                                        /*out*/ Reader& inner) {
+  Result rv = der::ExpectTagAndGetValue(outer, expectedTag, inner);
+  if (rv != Success) {
+    return rv;
+  }
+  return der::End(outer);
+}
+
+// Similar to the above, but takes an Input instead of a Reader&.
+inline Result ExpectTagAndGetValueAtEnd(Input outer, uint8_t expectedTag,
+                                        /*out*/ Reader& inner) {
+  Reader outerReader(outer);
+  return ExpectTagAndGetValueAtEnd(outerReader, expectedTag, inner);
+}
+
+// Universal types
+
+namespace internal {
+
+enum class IntegralValueRestriction {
+  NoRestriction,
+  MustBePositive,
+  MustBe0To127,
+};
+
+Result IntegralBytes(
+    Reader& input, uint8_t tag, IntegralValueRestriction valueRestriction,
+    /*out*/ Input& value,
+    /*optional out*/ Input::size_type* significantBytes = nullptr);
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+Result IntegralValue(Reader& input, uint8_t tag, /*out*/ uint8_t& value);
+
+}  // namespace internal
+
+Result BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value);
+
+inline Result Boolean(Reader& input, /*out*/ bool& value) {
+  Reader valueReader;
+  Result rv = ExpectTagAndGetValue(input, BOOLEAN, valueReader);
+  if (rv != Success) {
+    return rv;
+  }
+
+  uint8_t intValue;
+  rv = valueReader.Read(intValue);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = End(valueReader);
+  if (rv != Success) {
+    return rv;
+  }
+  switch (intValue) {
+    case 0:
+      value = false;
+      return Success;
+    case 0xFF:
+      value = true;
+      return Success;
+    default:
+      return Result::ERROR_BAD_DER;
+  }
+}
+
+// This is for BOOLEAN DEFAULT FALSE.
+// The standard stipulates that "The encoding of a set value or sequence value
+// shall not include an encoding for any component value which is equal to its
+// default value." However, it appears to be common that other libraries
+// incorrectly include the value of a BOOLEAN even when it's equal to the
+// default value, so we allow invalid explicit encodings here.
+inline Result OptionalBoolean(Reader& input, /*out*/ bool& value) {
+  value = false;
+  if (input.Peek(BOOLEAN)) {
+    Result rv = Boolean(input, value);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+  return Success;
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+inline Result Enumerated(Reader& input, uint8_t& value) {
+  return internal::IntegralValue(input, ENUMERATED | 0, value);
+}
+
+namespace internal {
+
+// internal::TimeChoice implements the shared functionality of GeneralizedTime
+// and TimeChoice. tag must be either UTCTime or GENERALIZED_TIME.
+//
+// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
+// eliminate the chance for complications in converting times to traditional
+// time formats that start at 1970.
+Result TimeChoice(Reader& input, uint8_t tag, /*out*/ Time& time);
+
+}  // namespace internal
+
+// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
+// eliminate the chance for complications in converting times to traditional
+// time formats that start at 1970.
+inline Result GeneralizedTime(Reader& input, /*out*/ Time& time) {
+  return internal::TimeChoice(input, GENERALIZED_TIME, time);
+}
+
+// Only times from 1970-01-01-00:00:00 onward are accepted, in order to
+// eliminate the chance for complications in converting times to traditional
+// time formats that start at 1970.
+inline Result TimeChoice(Reader& input, /*out*/ Time& time) {
+  uint8_t expectedTag = input.Peek(UTCTime) ? UTCTime : GENERALIZED_TIME;
+  return internal::TimeChoice(input, expectedTag, time);
+}
+
+// Parse a DER integer value into value. Empty values, negative values, and
+// zero are rejected. If significantBytes is not null, then it will be set to
+// the number of significant bytes in the value (the length of the value, less
+// the length of any leading padding), which is useful for key size checks.
+inline Result PositiveInteger(
+    Reader& input, /*out*/ Input& value,
+    /*optional out*/ Input::size_type* significantBytes = nullptr) {
+  return internal::IntegralBytes(
+      input, INTEGER, internal::IntegralValueRestriction::MustBePositive, value,
+      significantBytes);
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+inline Result Integer(Reader& input, /*out*/ uint8_t& value) {
+  return internal::IntegralValue(input, INTEGER, value);
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed. The default value must be
+// -1; defaultValue is only a parameter to make it clear in the calling code
+// what the default value is.
+inline Result OptionalInteger(Reader& input, long defaultValue,
+                              /*out*/ long& value) {
+  // If we need to support a different default value in the future, we need to
+  // test that parsedValue != defaultValue.
+  if (defaultValue != -1) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+
+  if (!input.Peek(INTEGER)) {
+    value = defaultValue;
+    return Success;
+  }
+
+  uint8_t parsedValue;
+  Result rv = Integer(input, parsedValue);
+  if (rv != Success) {
+    return rv;
+  }
+  value = parsedValue;
+  return Success;
+}
+
+inline Result Null(Reader& input) {
+  return ExpectTagAndEmptyValue(input, NULLTag);
+}
+
+template <uint8_t Len>
+Result OID(Reader& input, const uint8_t (&expectedOid)[Len]) {
+  Reader value;
+  Result rv = ExpectTagAndGetValue(input, OIDTag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  if (!value.MatchRest(expectedOid)) {
+    return Result::ERROR_BAD_DER;
+  }
+  return Success;
+}
+
+// PKI-specific types
+
+inline Result CertificateSerialNumber(Reader& input, /*out*/ Input& value) {
+  // http://tools.ietf.org/html/rfc5280#section-4.1.2.2:
+  //
+  // * "The serial number MUST be a positive integer assigned by the CA to
+  //   each certificate."
+  // * "Certificate users MUST be able to handle serialNumber values up to 20
+  //   octets. Conforming CAs MUST NOT use serialNumber values longer than 20
+  //   octets."
+  // * "Note: Non-conforming CAs may issue certificates with serial numbers
+  //   that are negative or zero.  Certificate users SHOULD be prepared to
+  //   gracefully handle such certificates."
+  return internal::IntegralBytes(
+      input, INTEGER, internal::IntegralValueRestriction::NoRestriction, value);
+}
+
+// x.509 and OCSP both use this same version numbering scheme, though OCSP
+// only supports v1.
+enum class Version { v1 = 0, v2 = 1, v3 = 2, v4 = 3, Uninitialized = 255 };
+
+// X.509 Certificate and OCSP ResponseData both use
+// "[0] EXPLICIT Version DEFAULT v1". Although an explicit encoding of v1 is
+// illegal, we support it because some real-world OCSP responses explicitly
+// encode it.
+Result OptionalVersion(Reader& input, /*out*/ Version& version);
+
+template <typename ExtensionHandler>
+inline Result OptionalExtensions(Reader& input, uint8_t tag,
+                                 ExtensionHandler extensionHandler) {
+  if (!input.Peek(tag)) {
+    return Success;
+  }
+
+  return Nested(input, tag, [extensionHandler](Reader& tagged) {
+    // Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+    //
+    // TODO(bug 997994): According to the specification, there should never be
+    // an empty sequence of extensions but we've found OCSP responses that have
+    // that (see bug 991898).
+    return NestedOf(
+        tagged, SEQUENCE, SEQUENCE, EmptyAllowed::Yes,
+        [extensionHandler](Reader& extension) -> Result {
+          // Extension  ::=  SEQUENCE  {
+          //      extnID      OBJECT IDENTIFIER,
+          //      critical    BOOLEAN DEFAULT FALSE,
+          //      extnValue   OCTET STRING
+          //      }
+          Reader extnID;
+          Result rv = ExpectTagAndGetValue(extension, OIDTag, extnID);
+          if (rv != Success) {
+            return rv;
+          }
+          bool critical;
+          rv = OptionalBoolean(extension, critical);
+          if (rv != Success) {
+            return rv;
+          }
+          Input extnValue;
+          rv = ExpectTagAndGetValue(extension, OCTET_STRING, extnValue);
+          if (rv != Success) {
+            return rv;
+          }
+          bool understood = false;
+          rv = extensionHandler(extnID, extnValue, critical, understood);
+          if (rv != Success) {
+            return rv;
+          }
+          if (critical && !understood) {
+            return Result::ERROR_UNKNOWN_CRITICAL_EXTENSION;
+          }
+          return Success;
+        });
+  });
+}
+
+Result DigestAlgorithmIdentifier(Reader& input,
+                                 /*out*/ DigestAlgorithm& algorithm);
+
+enum class PublicKeyAlgorithm { RSA_PKCS1, ECDSA, Uninitialized };
+
+Result SignatureAlgorithmIdentifierValue(
+    Reader& input,
+    /*out*/ PublicKeyAlgorithm& publicKeyAlgorithm,
+    /*out*/ DigestAlgorithm& digestAlgorithm);
+
+struct SignedDataWithSignature final {
+ public:
+  Input data;
+  Input algorithm;
+  Input signature;
+
+  void operator=(const SignedDataWithSignature&) = delete;
+};
+
+// Parses a SEQUENCE into tbs and then parses an AlgorithmIdentifier followed
+// by a BIT STRING into signedData. This handles the commonality between
+// parsing the signed/signature fields of certificates and OCSP responses. In
+// the case of an OCSP response, the caller needs to parse the certs
+// separately.
+//
+// Note that signatureAlgorithm is NOT parsed or validated.
+//
+// Certificate  ::=  SEQUENCE  {
+//        tbsCertificate       TBSCertificate,
+//        signatureAlgorithm   AlgorithmIdentifier,
+//        signatureValue       BIT STRING  }
+//
+// BasicOCSPResponse       ::= SEQUENCE {
+//    tbsResponseData      ResponseData,
+//    signatureAlgorithm   AlgorithmIdentifier,
+//    signature            BIT STRING,
+//    certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+Result SignedData(Reader& input, /*out*/ Reader& tbs,
+                  /*out*/ SignedDataWithSignature& signedDataWithSignature);
+}
+}
+}  // namespace mozilla::pkix::der
+
+#endif  // mozilla_pkix_pkixder_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixnss.h b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
new file mode 100644
index 0000000000..b181ca541e
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
@@ -0,0 +1,106 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixnss_h
+#define mozilla_pkix_pkixnss_h
+
+#include <seccomon.h>
+#include "mozpkix/pkixtypes.h"
+#include "prerror.h"
+
+namespace mozilla {
+namespace pkix {
+
+// Verifies the PKCS#1.5 signature on the given data using the given RSA public
+// key.
+Result VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
+                                     Input subjectPublicKeyInfo,
+                                     void* pkcs11PinArg);
+
+// Verifies the ECDSA signature on the given data using the given ECC public
+// key.
+Result VerifyECDSASignedDigestNSS(const SignedDigest& sd,
+                                  Input subjectPublicKeyInfo,
+                                  void* pkcs11PinArg);
+
+// Computes the digest of the given data using the given digest algorithm.
+//
+// item contains the data to hash.
+// digestBuf must point to a buffer to where the digest will be written.
+// digestBufLen must be the size of the buffer, which must be exactly equal
+//              to the size of the digest output (20 for SHA-1, 32 for SHA-256,
+//              etc.)
+//
+// TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
+// other, extensive, memory safety efforts in mozilla::pkix, and we should find
+// a way to provide a more-obviously-safe interface.
+Result DigestBufNSS(Input item, DigestAlgorithm digestAlg,
+                    /*out*/ uint8_t* digestBuf, size_t digestBufLen);
+
+Result MapPRErrorCodeToResult(PRErrorCode errorCode);
+PRErrorCode MapResultToPRErrorCode(Result result);
+
+// The error codes within each module must fit in 16 bits. We want these
+// errors to fit in the same module as the NSS errors but not overlap with
+// any of them. Converting an NSS SEC, NSS SSL, or PSM error to an NS error
+// involves negating the value of the error and then synthesizing an error
+// in the NS_ERROR_MODULE_SECURITY module. Hence, PSM errors will start at
+// a negative value that both doesn't overlap with the current value
+// ranges for NSS errors and that will fit in 16 bits when negated.
+static const PRErrorCode ERROR_BASE = -0x4000;
+static const PRErrorCode ERROR_LIMIT = ERROR_BASE + 1000;
+
+enum ErrorCode {
+  MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE = ERROR_BASE + 0,
+  MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
+  MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
+  MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
+  MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
+  MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = ERROR_BASE + 5,
+  MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = ERROR_BASE + 6,
+  MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH = ERROR_BASE + 7,
+  MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING = ERROR_BASE + 8,
+  MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG = ERROR_BASE + 9,
+  MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING = ERROR_BASE + 10,
+  MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING = ERROR_BASE + 11,
+  MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME = ERROR_BASE + 12,
+  MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = ERROR_BASE + 13,
+  MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = ERROR_BASE + 14,
+  MOZILLA_PKIX_ERROR_MITM_DETECTED = ERROR_BASE + 15,
+  END_OF_LIST
+};
+
+void RegisterErrorTable();
+
+inline SECItem UnsafeMapInputToSECItem(Input input) {
+  SECItem result = {siBuffer, const_cast<uint8_t*>(input.UnsafeGetData()),
+                    input.GetLength()};
+  static_assert(sizeof(decltype(input.GetLength())) <= sizeof(result.len),
+                "input.GetLength() must fit in a SECItem");
+  return result;
+}
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkixnss_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
new file mode 100644
index 0000000000..6b12edbb10
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
@@ -0,0 +1,400 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixtypes_h
+#define mozilla_pkix_pkixtypes_h
+
+#include <memory>
+
+#include "mozpkix/Input.h"
+#include "mozpkix/Time.h"
+#include "stdint.h"
+
+namespace mozilla {
+namespace pkix {
+
+enum class DigestAlgorithm {
+  sha512 = 1,
+  sha384 = 2,
+  sha256 = 3,
+  sha1 = 4,
+};
+
+enum class NamedCurve {
+  // secp521r1 (OID 1.3.132.0.35, RFC 5480)
+  secp521r1 = 1,
+
+  // secp384r1 (OID 1.3.132.0.34, RFC 5480)
+  secp384r1 = 2,
+
+  // secp256r1 (OID 1.2.840.10045.3.1.7, RFC 5480)
+  secp256r1 = 3,
+};
+
+struct SignedDigest final {
+  Input digest;
+  DigestAlgorithm digestAlgorithm;
+  Input signature;
+
+  void operator=(const SignedDigest&) = delete;
+};
+
+enum class EndEntityOrCA { MustBeEndEntity = 0, MustBeCA = 1 };
+
+enum class KeyUsage : uint8_t {
+  digitalSignature = 0,
+  nonRepudiation = 1,
+  keyEncipherment = 2,
+  dataEncipherment = 3,
+  keyAgreement = 4,
+  keyCertSign = 5,
+  // cRLSign       = 6,
+  // encipherOnly  = 7,
+  // decipherOnly  = 8,
+  noParticularKeyUsageRequired = 0xff,
+};
+
+enum class KeyPurposeId {
+  anyExtendedKeyUsage = 0,
+  id_kp_serverAuth = 1,       // id-kp-serverAuth
+  id_kp_clientAuth = 2,       // id-kp-clientAuth
+  id_kp_codeSigning = 3,      // id-kp-codeSigning
+  id_kp_emailProtection = 4,  // id-kp-emailProtection
+  id_kp_OCSPSigning = 9,      // id-kp-OCSPSigning
+};
+
+struct CertPolicyId final {
+  uint16_t numBytes;
+  static const uint16_t MAX_BYTES = 24;
+  uint8_t bytes[MAX_BYTES];
+
+  bool IsAnyPolicy() const;
+  bool operator==(const CertPolicyId& other) const;
+
+  static const CertPolicyId anyPolicy;
+};
+
+enum class TrustLevel {
+  TrustAnchor = 1,         // certificate is a trusted root CA certificate or
+                           // equivalent *for the given policy*.
+  ActivelyDistrusted = 2,  // certificate is known to be bad
+  InheritsTrust = 3        // certificate must chain to a trust anchor
+};
+
+// Extensions extracted during the verification flow.
+// See TrustDomain::NoteAuxiliaryExtension.
+enum class AuxiliaryExtension {
+  // Certificate Transparency data, specifically Signed Certificate
+  // Timestamps (SCTs). See RFC 6962.
+
+  // SCT list embedded in the end entity certificate. Called by BuildCertChain
+  // after the certificate containing the SCTs has passed the revocation checks.
+  EmbeddedSCTList = 1,
+  // SCT list from OCSP response. Called by VerifyEncodedOCSPResponse
+  // when its result is a success and the SCT list is present.
+  SCTListFromOCSPResponse = 2
+};
+
+// CertID references the information needed to do revocation checking for the
+// certificate issued by the given issuer with the given serial number.
+//
+// issuer must be the DER-encoded issuer field from the certificate for which
+// revocation checking is being done, **NOT** the subject field of the issuer
+// certificate. (Those two fields must be equal to each other, but they may not
+// be encoded exactly the same, and the encoding matters for OCSP.)
+// issuerSubjectPublicKeyInfo is the entire DER-encoded subjectPublicKeyInfo
+// field from the issuer's certificate. serialNumber is the entire DER-encoded
+// serial number from the subject certificate (the certificate for which we are
+// checking the revocation status).
+struct CertID final {
+ public:
+  CertID(Input aIssuer, Input aIssuerSubjectPublicKeyInfo, Input aSerialNumber)
+      : issuer(aIssuer),
+        issuerSubjectPublicKeyInfo(aIssuerSubjectPublicKeyInfo),
+        serialNumber(aSerialNumber) {}
+  const Input issuer;
+  const Input issuerSubjectPublicKeyInfo;
+  const Input serialNumber;
+
+  void operator=(const CertID&) = delete;
+};
+typedef std::unique_ptr<CertID> ScopedCertID;
+
+class DERArray {
+ public:
+  // Returns the number of DER-encoded items in the array.
+  virtual size_t GetLength() const = 0;
+
+  // Returns a weak (non-owning) pointer the ith DER-encoded item in the array
+  // (0-indexed). The result is guaranteed to be non-null if i < GetLength(),
+  // and the result is guaranteed to be nullptr if i >= GetLength().
+  virtual const Input* GetDER(size_t i) const = 0;
+
+ protected:
+  DERArray() {}
+  virtual ~DERArray() {}
+};
+
+// Applications control the behavior of path building and verification by
+// implementing the TrustDomain interface. The TrustDomain is used for all
+// cryptography and for determining which certificates are trusted or
+// distrusted.
+class TrustDomain {
+ public:
+  virtual ~TrustDomain() {}
+
+  // Determine the level of trust in the given certificate for the given role.
+  // This will be called for every certificate encountered during path
+  // building.
+  //
+  // When policy.IsAnyPolicy(), then no policy-related checking should be done.
+  // When !policy.IsAnyPolicy(), then GetCertTrust MUST NOT return with
+  // trustLevel == TrustAnchor unless the given cert is considered a trust
+  // anchor *for that policy*. In particular, if the user has marked an
+  // intermediate certificate as trusted, but that intermediate isn't in the
+  // list of EV roots, then GetCertTrust must result in
+  // trustLevel == InheritsTrust instead of trustLevel == TrustAnchor
+  // (assuming the candidate cert is not actively distrusted).
+  virtual Result GetCertTrust(EndEntityOrCA endEntityOrCA,
+                              const CertPolicyId& policy,
+                              Input candidateCertDER,
+                              /*out*/ TrustLevel& trustLevel) = 0;
+
+  class IssuerChecker {
+   public:
+    // potentialIssuerDER is the complete DER encoding of the certificate to
+    // be checked as a potential issuer.
+    //
+    // If additionalNameConstraints is not nullptr then it must point to an
+    // encoded NameConstraints extension value; in that case, those name
+    // constraints will be checked in addition to any any name constraints
+    // contained in potentialIssuerDER.
+    virtual Result Check(Input potentialIssuerDER,
+                         /*optional*/ const Input* additionalNameConstraints,
+                         /*out*/ bool& keepGoing) = 0;
+
+   protected:
+    IssuerChecker();
+    virtual ~IssuerChecker();
+
+    IssuerChecker(const IssuerChecker&) = delete;
+    void operator=(const IssuerChecker&) = delete;
+  };
+
+  // Search for a CA certificate with the given name. The implementation must
+  // call checker.Check with the DER encoding of the potential issuer
+  // certificate. The implementation must follow these rules:
+  //
+  // * The implementation must be reentrant and must limit the amount of stack
+  //   space it uses; see the note on reentrancy and stack usage below.
+  // * When checker.Check does not return Success then immediately return its
+  //   return value.
+  // * When checker.Check returns Success and sets keepGoing = false, then
+  //   immediately return Success.
+  // * When checker.Check returns Success and sets keepGoing = true, then
+  //   call checker.Check again with a different potential issuer certificate,
+  //   if any more are available.
+  // * When no more potential issuer certificates are available, return
+  //   Success.
+  // * Don't call checker.Check with the same potential issuer certificate more
+  //   than once in a given call of FindIssuer.
+  // * The given time parameter may be used to filter out certificates that are
+  //   not valid at the given time, or it may be ignored.
+  //
+  // Note on reentrancy and stack usage: checker.Check will attempt to
+  // recursively build a certificate path from the potential issuer it is given
+  // to a trusted root, as determined by this TrustDomain. That means that
+  // checker.Check may call any/all of the methods on this TrustDomain. In
+  // particular, there will be call stacks that look like this:
+  //
+  //    BuildCertChain
+  //      [...]
+  //        TrustDomain::FindIssuer
+  //          [...]
+  //            IssuerChecker::Check
+  //              [...]
+  //                TrustDomain::FindIssuer
+  //                  [...]
+  //                    IssuerChecker::Check
+  //                      [...]
+  //
+  // checker.Check is responsible for limiting the recursion to a reasonable
+  // limit.
+  //
+  // checker.Check will verify that the subject's issuer field matches the
+  // potential issuer's subject field. It will also check that the potential
+  // issuer is valid at the given time. However, if the FindIssuer
+  // implementation has an efficient way of filtering potential issuers by name
+  // and/or validity period itself, then it is probably better for performance
+  // for it to do so.
+  virtual Result FindIssuer(Input encodedIssuerName, IssuerChecker& checker,
+                            Time time) = 0;
+
+  // Called as soon as we think we have a valid chain but before revocation
+  // checks are done. This function can be used to compute additional checks,
+  // especially checks that require the entire certificate chain. This callback
+  // can also be used to save a copy of the built certificate chain for later
+  // use.
+  //
+  // This function may be called multiple times, regardless of whether it
+  // returns success or failure. It is guaranteed that BuildCertChain will not
+  // return Success unless the last call to IsChainValid returns Success.
+  // Further,
+  // it is guaranteed that when BuildCertChain returns Success the last chain
+  // passed to IsChainValid is the valid chain that should be used for further
+  // operations that require the whole chain.
+  //
+  // Keep in mind, in particular, that if the application saves a copy of the
+  // certificate chain the last invocation of IsChainValid during a validation,
+  // it is still possible for BuildCertChain to fail, in which case the
+  // application must not assume anything about the validity of the last
+  // certificate chain passed to IsChainValid; especially, it would be very
+  // wrong to assume that the certificate chain is valid.
+  //
+  // certChain.GetDER(0) is the trust anchor.
+  virtual Result IsChainValid(const DERArray& certChain, Time time,
+                              const CertPolicyId& requiredPolicy) = 0;
+
+  virtual Result CheckRevocation(EndEntityOrCA endEntityOrCA,
+                                 const CertID& certID, Time time,
+                                 Duration validityDuration,
+                                 /*optional*/ const Input* stapledOCSPresponse,
+                                 /*optional*/ const Input* aiaExtension) = 0;
+
+  // Check that the given digest algorithm is acceptable for use in signatures.
+  //
+  // Return Success if the algorithm is acceptable,
+  // Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED if the algorithm is not
+  // acceptable, or another error code if another error occurred.
+  virtual Result CheckSignatureDigestAlgorithm(DigestAlgorithm digestAlg,
+                                               EndEntityOrCA endEntityOrCA,
+                                               Time notBefore) = 0;
+
+  // Check that the RSA public key size is acceptable.
+  //
+  // Return Success if the key size is acceptable,
+  // Result::ERROR_INADEQUATE_KEY_SIZE if the key size is not acceptable,
+  // or another error code if another error occurred.
+  virtual Result CheckRSAPublicKeyModulusSizeInBits(
+      EndEntityOrCA endEntityOrCA, unsigned int modulusSizeInBits) = 0;
+
+  // Verify the given RSA PKCS#1.5 signature on the given digest using the
+  // given RSA public key.
+  //
+  // CheckRSAPublicKeyModulusSizeInBits will be called before calling this
+  // function, so it is not necessary to repeat those checks here. However,
+  // VerifyRSAPKCS1SignedDigest *is* responsible for doing the mathematical
+  // verification of the public key validity as specified in NIST SP 800-56A.
+  virtual Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+                                            Input subjectPublicKeyInfo) = 0;
+
+  // Check that the given named ECC curve is acceptable for ECDSA signatures.
+  //
+  // Return Success if the curve is acceptable,
+  // Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE if the curve is not acceptable,
+  // or another error code if another error occurred.
+  virtual Result CheckECDSACurveIsAcceptable(EndEntityOrCA endEntityOrCA,
+                                             NamedCurve curve) = 0;
+
+  // Verify the given ECDSA signature on the given digest using the given ECC
+  // public key.
+  //
+  // CheckECDSACurveIsAcceptable will be called before calling this function,
+  // so it is not necessary to repeat that check here. However,
+  // VerifyECDSASignedDigest *is* responsible for doing the mathematical
+  // verification of the public key validity as specified in NIST SP 800-56A.
+  virtual Result VerifyECDSASignedDigest(const SignedDigest& signedDigest,
+                                         Input subjectPublicKeyInfo) = 0;
+
+  // Check that the validity duration is acceptable.
+  //
+  // Return Success if the validity duration is acceptable,
+  // Result::ERROR_VALIDITY_TOO_LONG if the validity duration is not acceptable,
+  // or another error code if another error occurred.
+  virtual Result CheckValidityIsAcceptable(Time notBefore, Time notAfter,
+                                           EndEntityOrCA endEntityOrCA,
+                                           KeyPurposeId keyPurpose) = 0;
+
+  // For compatibility, a CA certificate with an extended key usage that
+  // contains the id-Netscape-stepUp OID but does not contain the
+  // id-kp-serverAuth OID may be considered valid for issuing server auth
+  // certificates. This function allows TrustDomain implementations to control
+  // this setting based on the start of the validity period of the certificate
+  // in question.
+  virtual Result NetscapeStepUpMatchesServerAuth(Time notBefore,
+                                                 /*out*/ bool& matches) = 0;
+
+  // Some certificate or OCSP response extensions do not directly participate
+  // in the verification flow, but might still be of interest to the clients
+  // (notably Certificate Transparency data, RFC 6962). Such extensions are
+  // extracted and passed to this function for further processing.
+  virtual void NoteAuxiliaryExtension(AuxiliaryExtension extension,
+                                      Input extensionData) = 0;
+
+  // Compute a digest of the data in item using the given digest algorithm.
+  //
+  // item contains the data to hash.
+  // digestBuf points to a buffer to where the digest will be written.
+  // digestBufLen will be the size of the digest output (20 for SHA-1,
+  // 32 for SHA-256, etc.).
+  //
+  // TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
+  // other, extensive, memory safety efforts in mozilla::pkix, and we should
+  // find a way to provide a more-obviously-safe interface.
+  virtual Result DigestBuf(Input item, DigestAlgorithm digestAlg,
+                           /*out*/ uint8_t* digestBuf, size_t digestBufLen) = 0;
+
+ protected:
+  TrustDomain() {}
+
+  TrustDomain(const TrustDomain&) = delete;
+  void operator=(const TrustDomain&) = delete;
+};
+
+enum class FallBackToSearchWithinSubject { No = 0, Yes = 1 };
+
+// Applications control the behavior of matching presented name information from
+// a certificate against a reference hostname by implementing the
+// NameMatchingPolicy interface. Used in concert with CheckCertHostname.
+class NameMatchingPolicy {
+ public:
+  virtual ~NameMatchingPolicy() {}
+
+  // Given that the certificate in question has a notBefore field with the given
+  // value, should name matching fall back to searching within the subject
+  // common name field?
+  virtual Result FallBackToCommonName(
+      Time notBefore,
+      /*out*/ FallBackToSearchWithinSubject& fallBackToCommonName) = 0;
+
+ protected:
+  NameMatchingPolicy() {}
+
+  NameMatchingPolicy(const NameMatchingPolicy&) = delete;
+  void operator=(const NameMatchingPolicy&) = delete;
+};
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkixtypes_h
diff --git a/security/nss/lib/mozpkix/include/pkix/pkixutil.h b/security/nss/lib/mozpkix/include/pkix/pkixutil.h
new file mode 100644
index 0000000000..ca5b5a2d7b
--- /dev/null
+++ b/security/nss/lib/mozpkix/include/pkix/pkixutil.h
@@ -0,0 +1,265 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef mozilla_pkix_pkixutil_h
+#define mozilla_pkix_pkixutil_h
+
+#include "mozpkix/pkixder.h"
+
+namespace mozilla {
+namespace pkix {
+
+// During path building and verification, we build a linked list of BackCerts
+// from the current cert toward the end-entity certificate. The linked list
+// is used to verify properties that aren't local to the current certificate
+// and/or the direct link between the current certificate and its issuer,
+// such as name constraints.
+//
+// Each BackCert contains pointers to all the given certificate's extensions
+// so that we can parse the extension block once and then process the
+// extensions in an order that may be different than they appear in the cert.
+class BackCert final {
+ public:
+  // certDER and childCert must be valid for the lifetime of BackCert.
+  BackCert(Input aCertDER, EndEntityOrCA aEndEntityOrCA,
+           const BackCert* aChildCert)
+      : der(aCertDER),
+        endEntityOrCA(aEndEntityOrCA),
+        childCert(aChildCert),
+        version(der::Version::Uninitialized) {}
+
+  Result Init();
+
+  const Input GetDER() const { return der; }
+  const der::SignedDataWithSignature& GetSignedData() const {
+    return signedData;
+  }
+
+  der::Version GetVersion() const { return version; }
+  const Input GetSerialNumber() const { return serialNumber; }
+  const Input GetSignature() const { return signature; }
+  const Input GetIssuer() const { return issuer; }
+  // XXX: "validity" is a horrible name for the structure that holds
+  // notBefore & notAfter, but that is the name used in RFC 5280 and we use the
+  // RFC 5280 names for everything.
+  const Input GetValidity() const { return validity; }
+  const Input GetSubject() const { return subject; }
+  const Input GetSubjectPublicKeyInfo() const { return subjectPublicKeyInfo; }
+  const Input* GetAuthorityInfoAccess() const {
+    return MaybeInput(authorityInfoAccess);
+  }
+  const Input* GetBasicConstraints() const {
+    return MaybeInput(basicConstraints);
+  }
+  const Input* GetCertificatePolicies() const {
+    return MaybeInput(certificatePolicies);
+  }
+  const Input* GetExtKeyUsage() const { return MaybeInput(extKeyUsage); }
+  const Input* GetKeyUsage() const { return MaybeInput(keyUsage); }
+  const Input* GetInhibitAnyPolicy() const {
+    return MaybeInput(inhibitAnyPolicy);
+  }
+  const Input* GetNameConstraints() const {
+    return MaybeInput(nameConstraints);
+  }
+  const Input* GetSubjectAltName() const { return MaybeInput(subjectAltName); }
+  const Input* GetRequiredTLSFeatures() const {
+    return MaybeInput(requiredTLSFeatures);
+  }
+  const Input* GetSignedCertificateTimestamps() const {
+    return MaybeInput(signedCertificateTimestamps);
+  }
+
+ private:
+  const Input der;
+
+ public:
+  const EndEntityOrCA endEntityOrCA;
+  BackCert const* const childCert;
+
+ private:
+  // When parsing certificates in BackCert::Init, we don't accept empty
+  // extensions. Consequently, we don't have to store a distinction between
+  // empty extensions and extensions that weren't included. However, when
+  // *processing* extensions, we distinguish between whether an extension was
+  // included or not based on whetehr the GetXXX function for the extension
+  // returns nullptr.
+  static inline const Input* MaybeInput(const Input& item) {
+    return item.GetLength() > 0 ? &item : nullptr;
+  }
+
+  der::SignedDataWithSignature signedData;
+
+  der::Version version;
+  Input serialNumber;
+  Input signature;
+  Input issuer;
+  // XXX: "validity" is a horrible name for the structure that holds
+  // notBefore & notAfter, but that is the name used in RFC 5280 and we use the
+  // RFC 5280 names for everything.
+  Input validity;
+  Input subject;
+  Input subjectPublicKeyInfo;
+
+  Input authorityInfoAccess;
+  Input basicConstraints;
+  Input certificatePolicies;
+  Input extKeyUsage;
+  Input inhibitAnyPolicy;
+  Input keyUsage;
+  Input nameConstraints;
+  Input subjectAltName;
+  Input criticalNetscapeCertificateType;
+  Input requiredTLSFeatures;
+  Input signedCertificateTimestamps;  // RFC 6962 (Certificate Transparency)
+
+  Result RememberExtension(Reader& extnID, Input extnValue, bool critical,
+                           /*out*/ bool& understood);
+
+  BackCert(const BackCert&) = delete;
+  void operator=(const BackCert&) = delete;
+};
+
+class NonOwningDERArray final : public DERArray {
+ public:
+  NonOwningDERArray() : numItems(0) {
+    // we don't need to initialize the items array because we always check
+    // numItems before accessing i.
+  }
+
+  size_t GetLength() const override { return numItems; }
+
+  const Input* GetDER(size_t i) const override {
+    return i < numItems ? &items[i] : nullptr;
+  }
+
+  Result Append(Input der) {
+    if (numItems >= MAX_LENGTH) {
+      return Result::FATAL_ERROR_INVALID_ARGS;
+    }
+    Result rv = items[numItems].Init(der);  // structure assignment
+    if (rv != Success) {
+      return rv;
+    }
+    ++numItems;
+    return Success;
+  }
+
+  // Public so we can static_assert on this. Keep in sync with MAX_SUBCA_COUNT.
+  static const size_t MAX_LENGTH = 8;
+
+ private:
+  Input items[MAX_LENGTH];  // avoids any heap allocations
+  size_t numItems;
+
+  NonOwningDERArray(const NonOwningDERArray&) = delete;
+  void operator=(const NonOwningDERArray&) = delete;
+};
+
+// Extracts the SignedCertificateTimestampList structure which is encoded as an
+// OCTET STRING within the X.509v3 / OCSP extensions (see RFC 6962 section 3.3).
+Result ExtractSignedCertificateTimestampListFromExtension(Input extnValue,
+                                                          Input& sctList);
+
+inline unsigned int DaysBeforeYear(unsigned int year) {
+  assert(year <= 9999);
+  return ((year - 1u) * 365u) +
+         ((year - 1u) / 4u)       // leap years are every 4 years,
+         - ((year - 1u) / 100u)   // except years divisible by 100,
+         + ((year - 1u) / 400u);  // except years divisible by 400.
+}
+
+static const size_t MAX_DIGEST_SIZE_IN_BYTES = 512 / 8;  // sha-512
+
+Result DigestSignedData(TrustDomain& trustDomain,
+                        const der::SignedDataWithSignature& signedData,
+                        /*out*/ uint8_t (&digestBuf)[MAX_DIGEST_SIZE_IN_BYTES],
+                        /*out*/ der::PublicKeyAlgorithm& publicKeyAlg,
+                        /*out*/ SignedDigest& signedDigest);
+
+Result VerifySignedDigest(TrustDomain& trustDomain,
+                          der::PublicKeyAlgorithm publicKeyAlg,
+                          const SignedDigest& signedDigest,
+                          Input signerSubjectPublicKeyInfo);
+
+// Combines DigestSignedData and VerifySignedDigest
+Result VerifySignedData(TrustDomain& trustDomain,
+                        const der::SignedDataWithSignature& signedData,
+                        Input signerSubjectPublicKeyInfo);
+
+// Extracts the key parameters from |subjectPublicKeyInfo|, invoking
+// the relevant methods of |trustDomain|.
+Result CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo,
+                                 TrustDomain& trustDomain,
+                                 EndEntityOrCA endEntityOrCA);
+
+// In a switch over an enum, sometimes some compilers are not satisfied that
+// all control flow paths have been considered unless there is a default case.
+// However, in our code, such a default case is almost always unreachable dead
+// code. That can be particularly problematic when the compiler wants the code
+// to choose a value, such as a return value, for the default case, but there's
+// no appropriate "impossible case" value to choose.
+//
+// MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM accounts for this. Example:
+//
+//     // In xy.cpp
+//     #include "xt.h"
+//
+//     enum class XY { X, Y };
+//
+//     int func(XY xy) {
+//       switch (xy) {
+//         case XY::X: return 1;
+//         case XY::Y; return 2;
+//         MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+//       }
+//     }
+#if defined(__clang__)
+// Clang will warn if not all cases are covered (-Wswitch-enum) AND it will
+// warn if a switch statement that covers every enum label has a default case
+// (-W-covered-switch-default). Versions prior to 3.5 warned about unreachable
+// code in such default cases (-Wunreachable-code) even when
+// -W-covered-switch-default was disabled, but that changed in Clang 3.5.
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM  // empty
+#elif defined(__GNUC__)
+// GCC will warn if not all cases are covered (-Wswitch-enum). It does not
+// assume that the default case is unreachable.
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM \
+  default:                                    \
+    assert(false);                            \
+    __builtin_unreachable();
+#elif defined(_MSC_VER)
+// MSVC will warn if not all cases are covered (C4061, level 4). It does not
+// assume that the default case is unreachable.
+#define MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM \
+  default:                                    \
+    assert(false);                            \
+    __assume(0);
+#else
+#error Unsupported compiler for MOZILLA_PKIX_UNREACHABLE_DEFAULT.
+#endif
+}
+}  // namespace mozilla::pkix
+
+#endif  // mozilla_pkix_pkixutil_h
diff --git a/security/nss/lib/mozpkix/lib/pkixbuild.cpp b/security/nss/lib/mozpkix/lib/pkixbuild.cpp
new file mode 100644
index 0000000000..0ac2cb8830
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixbuild.cpp
@@ -0,0 +1,418 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkix.h"
+
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+static Result BuildForward(TrustDomain& trustDomain,
+                           const BackCert& subject,
+                           Time time,
+                           KeyUsage requiredKeyUsageIfPresent,
+                           KeyPurposeId requiredEKUIfPresent,
+                           const CertPolicyId& requiredPolicy,
+                           /*optional*/ const Input* stapledOCSPResponse,
+                           unsigned int subCACount,
+                           unsigned int& buildForwardCallBudget);
+
+TrustDomain::IssuerChecker::IssuerChecker() { }
+TrustDomain::IssuerChecker::~IssuerChecker() { }
+
+// The implementation of TrustDomain::IssuerTracker is in a subclass only to
+// hide the implementation from external users.
+class PathBuildingStep final : public TrustDomain::IssuerChecker
+{
+public:
+  PathBuildingStep(TrustDomain& aTrustDomain, const BackCert& aSubject,
+                   Time aTime, KeyPurposeId aRequiredEKUIfPresent,
+                   const CertPolicyId& aRequiredPolicy,
+                   /*optional*/ const Input* aStapledOCSPResponse,
+                   unsigned int aSubCACount, Result aDeferredSubjectError,
+                   unsigned int& aBuildForwardCallBudget)
+    : trustDomain(aTrustDomain)
+    , subject(aSubject)
+    , time(aTime)
+    , requiredEKUIfPresent(aRequiredEKUIfPresent)
+    , requiredPolicy(aRequiredPolicy)
+    , stapledOCSPResponse(aStapledOCSPResponse)
+    , subCACount(aSubCACount)
+    , deferredSubjectError(aDeferredSubjectError)
+    , subjectSignaturePublicKeyAlg(der::PublicKeyAlgorithm::Uninitialized)
+    , result(Result::FATAL_ERROR_LIBRARY_FAILURE)
+    , resultWasSet(false)
+    , buildForwardCallBudget(aBuildForwardCallBudget)
+  {
+  }
+
+  Result Check(Input potentialIssuerDER,
+               /*optional*/ const Input* additionalNameConstraints,
+               /*out*/ bool& keepGoing) override;
+
+  Result CheckResult() const;
+
+private:
+  TrustDomain& trustDomain;
+  const BackCert& subject;
+  const Time time;
+  const KeyPurposeId requiredEKUIfPresent;
+  const CertPolicyId& requiredPolicy;
+  /*optional*/ Input const* const stapledOCSPResponse;
+  const unsigned int subCACount;
+  const Result deferredSubjectError;
+
+  // Initialized lazily.
+  uint8_t subjectSignatureDigestBuf[MAX_DIGEST_SIZE_IN_BYTES];
+  der::PublicKeyAlgorithm subjectSignaturePublicKeyAlg;
+  SignedDigest subjectSignature;
+
+  Result RecordResult(Result currentResult, /*out*/ bool& keepGoing);
+  Result result;
+  bool resultWasSet;
+  unsigned int& buildForwardCallBudget;
+
+  PathBuildingStep(const PathBuildingStep&) = delete;
+  void operator=(const PathBuildingStep&) = delete;
+};
+
+Result
+PathBuildingStep::RecordResult(Result newResult, /*out*/ bool& keepGoing)
+{
+  if (newResult == Result::ERROR_UNTRUSTED_CERT) {
+    newResult = Result::ERROR_UNTRUSTED_ISSUER;
+  } else if (newResult == Result::ERROR_EXPIRED_CERTIFICATE) {
+    newResult = Result::ERROR_EXPIRED_ISSUER_CERTIFICATE;
+  } else if (newResult == Result::ERROR_NOT_YET_VALID_CERTIFICATE) {
+    newResult = Result::ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE;
+  }
+
+  if (resultWasSet) {
+    if (result == Success) {
+      return NotReached("RecordResult called after finding a chain",
+                        Result::FATAL_ERROR_INVALID_STATE);
+    }
+    // If every potential issuer has the same problem (e.g. expired) and/or if
+    // there is only one bad potential issuer, then return a more specific
+    // error. Otherwise, punt on trying to decide which error should be
+    // returned by returning the generic Result::ERROR_UNKNOWN_ISSUER error.
+    if (newResult != Success && newResult != result) {
+      newResult = Result::ERROR_UNKNOWN_ISSUER;
+    }
+  }
+
+  result = newResult;
+  resultWasSet = true;
+  keepGoing = result != Success;
+  return Success;
+}
+
+Result
+PathBuildingStep::CheckResult() const
+{
+  if (!resultWasSet) {
+    return Result::ERROR_UNKNOWN_ISSUER;
+  }
+  return result;
+}
+
+// The code that executes in the inner loop of BuildForward
+Result
+PathBuildingStep::Check(Input potentialIssuerDER,
+           /*optional*/ const Input* additionalNameConstraints,
+                /*out*/ bool& keepGoing)
+{
+  BackCert potentialIssuer(potentialIssuerDER, EndEntityOrCA::MustBeCA,
+                           &subject);
+  Result rv = potentialIssuer.Init();
+  if (rv != Success) {
+    return RecordResult(rv, keepGoing);
+  }
+
+  // Simple TrustDomain::FindIssuers implementations may pass in all possible
+  // CA certificates without any filtering. Because of this, we don't consider
+  // a mismatched name to be an error. Instead, we just pretend that any
+  // certificate without a matching name was never passed to us. In particular,
+  // we treat the case where the TrustDomain only asks us to check CA
+  // certificates with mismatched names as equivalent to the case where the
+  // TrustDomain never called Check() at all.
+  if (!InputsAreEqual(potentialIssuer.GetSubject(), subject.GetIssuer())) {
+    keepGoing = true;
+    return Success;
+  }
+
+  // Loop prevention, done as recommended by RFC4158 Section 5.2
+  // TODO: this doesn't account for subjectAltNames!
+  // TODO(perf): This probably can and should be optimized in some way.
+  for (const BackCert* prev = potentialIssuer.childCert; prev;
+       prev = prev->childCert) {
+    if (InputsAreEqual(potentialIssuer.GetSubjectPublicKeyInfo(),
+                       prev->GetSubjectPublicKeyInfo()) &&
+        InputsAreEqual(potentialIssuer.GetSubject(), prev->GetSubject())) {
+      // XXX: error code
+      return RecordResult(Result::ERROR_UNKNOWN_ISSUER, keepGoing);
+    }
+  }
+
+  if (potentialIssuer.GetNameConstraints()) {
+    rv = CheckNameConstraints(*potentialIssuer.GetNameConstraints(),
+                              subject, requiredEKUIfPresent);
+    if (rv != Success) {
+       return RecordResult(rv, keepGoing);
+    }
+  }
+
+  if (additionalNameConstraints) {
+    rv = CheckNameConstraints(*additionalNameConstraints, subject,
+                              requiredEKUIfPresent);
+    if (rv != Success) {
+       return RecordResult(rv, keepGoing);
+    }
+  }
+
+  rv = CheckTLSFeatures(subject, potentialIssuer);
+  if (rv != Success) {
+    return RecordResult(rv, keepGoing);
+  }
+
+  // If we've ran out of budget, stop searching.
+  if (buildForwardCallBudget == 0) {
+    Result savedRv = RecordResult(Result::ERROR_UNKNOWN_ISSUER, keepGoing);
+    keepGoing = false;
+    return savedRv;
+  }
+  buildForwardCallBudget--;
+
+  // RFC 5280, Section 4.2.1.3: "If the keyUsage extension is present, then the
+  // subject public key MUST NOT be used to verify signatures on certificates
+  // or CRLs unless the corresponding keyCertSign or cRLSign bit is set."
+  rv = BuildForward(trustDomain, potentialIssuer, time, KeyUsage::keyCertSign,
+                    requiredEKUIfPresent, requiredPolicy, nullptr, subCACount,
+                    buildForwardCallBudget);
+  if (rv != Success) {
+    return RecordResult(rv, keepGoing);
+  }
+
+  // Calculate the digest of the subject's signed data if we haven't already
+  // done so. We do this lazily to avoid doing it at all if we backtrack before
+  // getting to this point. We cache the result to avoid recalculating it if we
+  // backtrack after getting to this point.
+  if (subjectSignature.digest.GetLength() == 0) {
+    rv = DigestSignedData(trustDomain, subject.GetSignedData(),
+                          subjectSignatureDigestBuf,
+                          subjectSignaturePublicKeyAlg, subjectSignature);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  rv = VerifySignedDigest(trustDomain, subjectSignaturePublicKeyAlg,
+                          subjectSignature,
+                          potentialIssuer.GetSubjectPublicKeyInfo());
+  if (rv != Success) {
+    return RecordResult(rv, keepGoing);
+  }
+
+  // We avoid doing revocation checking for expired certificates because OCSP
+  // responders are allowed to forget about expired certificates, and many OCSP
+  // responders return an error when asked for the status of an expired
+  // certificate.
+  if (deferredSubjectError != Result::ERROR_EXPIRED_CERTIFICATE) {
+    CertID certID(subject.GetIssuer(), potentialIssuer.GetSubjectPublicKeyInfo(),
+                  subject.GetSerialNumber());
+    Time notBefore(Time::uninitialized);
+    Time notAfter(Time::uninitialized);
+    // This should never fail. If we're here, we've already parsed the validity
+    // and checked that the given time is in the certificate's validity period.
+    rv = ParseValidity(subject.GetValidity(), &notBefore, &notAfter);
+    if (rv != Success) {
+      return rv;
+    }
+    Duration validityDuration(notAfter, notBefore);
+    rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
+                                     validityDuration, stapledOCSPResponse,
+                                     subject.GetAuthorityInfoAccess());
+    if (rv != Success) {
+      // Since this is actually a problem with the current subject certificate
+      // (rather than the issuer), it doesn't make sense to keep going; all
+      // paths through this certificate will fail.
+      Result savedRv = RecordResult(rv, keepGoing);
+      keepGoing = false;
+      return savedRv;
+    }
+
+    if (subject.endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+      const Input* sctExtension = subject.GetSignedCertificateTimestamps();
+      if (sctExtension) {
+        Input sctList;
+        rv = ExtractSignedCertificateTimestampListFromExtension(*sctExtension,
+                                                                sctList);
+        if (rv != Success) {
+          // Again, the problem is with this certificate, and all paths through
+          // it will fail.
+          Result savedRv = RecordResult(rv, keepGoing);
+          keepGoing = false;
+          return savedRv;
+        }
+        trustDomain.NoteAuxiliaryExtension(AuxiliaryExtension::EmbeddedSCTList,
+                                           sctList);
+      }
+    }
+  }
+
+  return RecordResult(Success, keepGoing);
+}
+
+// Recursively build the path from the given subject certificate to the root.
+//
+// Be very careful about changing the order of checks. The order is significant
+// because it affects which error we return when a certificate or certificate
+// chain has multiple problems. See the error ranking documentation in
+// pkix/pkix.h.
+static Result
+BuildForward(TrustDomain& trustDomain,
+             const BackCert& subject,
+             Time time,
+             KeyUsage requiredKeyUsageIfPresent,
+             KeyPurposeId requiredEKUIfPresent,
+             const CertPolicyId& requiredPolicy,
+             /*optional*/ const Input* stapledOCSPResponse,
+             unsigned int subCACount,
+             unsigned int& buildForwardCallBudget)
+{
+  Result rv;
+
+  TrustLevel trustLevel;
+  // If this is an end-entity and not a trust anchor, we defer reporting
+  // any error found here until after attempting to find a valid chain.
+  // See the explanation of error prioritization in pkix.h.
+  rv = CheckIssuerIndependentProperties(trustDomain, subject, time,
+                                        requiredKeyUsageIfPresent,
+                                        requiredEKUIfPresent, requiredPolicy,
+                                        subCACount, trustLevel);
+  Result deferredEndEntityError = Success;
+  if (rv != Success) {
+    if (subject.endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
+        trustLevel != TrustLevel::TrustAnchor) {
+      deferredEndEntityError = rv;
+    } else {
+      return rv;
+    }
+  }
+
+  if (trustLevel == TrustLevel::TrustAnchor) {
+    // End of the recursion.
+
+    NonOwningDERArray chain;
+    for (const BackCert* cert = &subject; cert; cert = cert->childCert) {
+      rv = chain.Append(cert->GetDER());
+      if (rv != Success) {
+        return NotReached("NonOwningDERArray::SetItem failed.", rv);
+      }
+    }
+
+    // This must be done here, after the chain is built but before any
+    // revocation checks have been done.
+    return trustDomain.IsChainValid(chain, time, requiredPolicy);
+  }
+
+  if (subject.endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    // Avoid stack overflows and poor performance by limiting cert chain
+    // length.
+    static const unsigned int MAX_SUBCA_COUNT = 6;
+    static_assert(1/*end-entity*/ + MAX_SUBCA_COUNT + 1/*root*/ ==
+                  NonOwningDERArray::MAX_LENGTH,
+                  "MAX_SUBCA_COUNT and NonOwningDERArray::MAX_LENGTH mismatch.");
+    if (subCACount >= MAX_SUBCA_COUNT) {
+      return Result::ERROR_UNKNOWN_ISSUER;
+    }
+    ++subCACount;
+  } else {
+    assert(subCACount == 0);
+  }
+
+  // Find a trusted issuer.
+
+  PathBuildingStep pathBuilder(trustDomain, subject, time,
+                               requiredEKUIfPresent, requiredPolicy,
+                               stapledOCSPResponse, subCACount,
+                               deferredEndEntityError, buildForwardCallBudget);
+
+  // TODO(bug 965136): Add SKI/AKI matching optimizations
+  rv = trustDomain.FindIssuer(subject.GetIssuer(), pathBuilder, time);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = pathBuilder.CheckResult();
+  if (rv != Success) {
+    return rv;
+  }
+
+  // If we found a valid chain but deferred reporting an error with the
+  // end-entity certificate, report it now.
+  if (deferredEndEntityError != Success) {
+    return deferredEndEntityError;
+  }
+
+  // We've built a valid chain from the subject cert up to a trusted root.
+  return Success;
+}
+
+Result
+BuildCertChain(TrustDomain& trustDomain, Input certDER,
+               Time time, EndEntityOrCA endEntityOrCA,
+               KeyUsage requiredKeyUsageIfPresent,
+               KeyPurposeId requiredEKUIfPresent,
+               const CertPolicyId& requiredPolicy,
+               /*optional*/ const Input* stapledOCSPResponse)
+{
+  // XXX: Support the legacy use of the subject CN field for indicating the
+  // domain name the certificate is valid for.
+  BackCert cert(certDER, endEntityOrCA, nullptr);
+  Result rv = cert.Init();
+  if (rv != Success) {
+    return rv;
+  }
+
+  // See bug 1056341 for context. If mozilla::pkix is being used in an
+  // environment where there are many certificates that all have the same
+  // distinguished name as their subject and issuer (but different SPKIs - see
+  // the loop prevention as per RFC4158 Section 5.2 in PathBuildingStep::Check),
+  // the space to search becomes exponential. Because it would be prohibitively
+  // expensive to explore the entire space, we introduce a budget here that,
+  // when exhausted, terminates the search with the result
+  // Result::ERROR_UNKNOWN_ISSUER. Essentially, we limit the total number of
+  // times `BuildForward` can be called. The current value appears to be a good
+  // balance between finding a path when one exists (when the space isn't too
+  // large) and timing out quickly enough when the space is too large or there
+  // is no valid path to a trust anchor.
+  unsigned int buildForwardCallBudget = 200000;
+  return BuildForward(trustDomain, cert, time, requiredKeyUsageIfPresent,
+                      requiredEKUIfPresent, requiredPolicy, stapledOCSPResponse,
+                      0/*subCACount*/, buildForwardCallBudget);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixcert.cpp b/security/nss/lib/mozpkix/lib/pkixcert.cpp
new file mode 100644
index 0000000000..a304837382
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixcert.cpp
@@ -0,0 +1,323 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+Result
+BackCert::Init()
+{
+  Result rv;
+
+  // Certificate  ::=  SEQUENCE  {
+  //         tbsCertificate       TBSCertificate,
+  //         signatureAlgorithm   AlgorithmIdentifier,
+  //         signatureValue       BIT STRING  }
+
+  Reader tbsCertificate;
+
+  // The scope of |input| and |certificate| are limited to this block so we
+  // don't accidentally confuse them for tbsCertificate later.
+  {
+    Reader certificate;
+    rv = der::ExpectTagAndGetValueAtEnd(der, der::SEQUENCE, certificate);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = der::SignedData(certificate, tbsCertificate, signedData);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = der::End(certificate);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  // TBSCertificate  ::=  SEQUENCE  {
+  //      version         [0]  EXPLICIT Version DEFAULT v1,
+  //      serialNumber         CertificateSerialNumber,
+  //      signature            AlgorithmIdentifier,
+  //      issuer               Name,
+  //      validity             Validity,
+  //      subject              Name,
+  //      subjectPublicKeyInfo SubjectPublicKeyInfo,
+  //      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+  //                           -- If present, version MUST be v2 or v3
+  //      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+  //                           -- If present, version MUST be v2 or v3
+  //      extensions      [3]  EXPLICIT Extensions OPTIONAL
+  //                           -- If present, version MUST be v3
+  //      }
+  rv = der::OptionalVersion(tbsCertificate, version);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::CertificateSerialNumber(tbsCertificate, serialNumber);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::ExpectTagAndGetValue(tbsCertificate, der::SEQUENCE, signature);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::ExpectTagAndGetTLV(tbsCertificate, der::SEQUENCE, issuer);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::ExpectTagAndGetValue(tbsCertificate, der::SEQUENCE, validity);
+  if (rv != Success) {
+    return rv;
+  }
+  // TODO(bug XXXXXXX): We rely on the the caller of mozilla::pkix to validate
+  // that the name is syntactically valid, if they care. In Gecko we do this
+  // implicitly by parsing the certificate into a CERTCertificate object.
+  // Instead of relying on the caller to do this, we should do it ourselves.
+  rv = der::ExpectTagAndGetTLV(tbsCertificate, der::SEQUENCE, subject);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::ExpectTagAndGetTLV(tbsCertificate, der::SEQUENCE,
+                               subjectPublicKeyInfo);
+  if (rv != Success) {
+    return rv;
+  }
+
+  static const uint8_t CSC = der::CONTEXT_SPECIFIC | der::CONSTRUCTED;
+
+  // According to RFC 5280, all fields below this line are forbidden for
+  // certificate versions less than v3.  However, for compatibility reasons,
+  // we parse v1/v2 certificates in the same way as v3 certificates.  So if
+  // these fields appear in a v1 certificate, they will be used.
+
+  // Ignore issuerUniqueID if present.
+  if (tbsCertificate.Peek(CSC | 1)) {
+    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 1);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  // Ignore subjectUniqueID if present.
+  if (tbsCertificate.Peek(CSC | 2)) {
+    rv = der::ExpectTagAndSkipValue(tbsCertificate, CSC | 2);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  rv = der::OptionalExtensions(
+         tbsCertificate, CSC | 3,
+         [this](Reader& extnID, const Input& extnValue, bool critical,
+                /*out*/ bool& understood) {
+           return RememberExtension(extnID, extnValue, critical, understood);
+         });
+  if (rv != Success) {
+    return rv;
+  }
+
+  // The Netscape Certificate Type extension is an obsolete
+  // Netscape-proprietary mechanism that we ignore in favor of the standard
+  // extensions. However, some CAs have issued certificates with the Netscape
+  // Cert Type extension marked critical. Thus, for compatibility reasons, we
+  // "understand" this extension by ignoring it when it is not critical, and
+  // by ensuring that the equivalent standardized extensions are present when
+  // it is marked critical, based on the assumption that the information in
+  // the Netscape Cert Type extension is consistent with the information in
+  // the standard extensions.
+  //
+  // Here is a mapping between the Netscape Cert Type extension and the
+  // standard extensions:
+  //
+  // Netscape Cert Type  |  BasicConstraints.cA  |  Extended Key Usage
+  // --------------------+-----------------------+----------------------
+  // SSL Server          |  false                |  id_kp_serverAuth
+  // SSL Client          |  false                |  id_kp_clientAuth
+  // S/MIME Client       |  false                |  id_kp_emailProtection
+  // Object Signing      |  false                |  id_kp_codeSigning
+  // SSL Server CA       |  true                 |  id_kp_serverAuth
+  // SSL Client CA       |  true                 |  id_kp_clientAuth
+  // S/MIME CA           |  true                 |  id_kp_emailProtection
+  // Object Signing CA   |  true                 |  id_kp_codeSigning
+  if (criticalNetscapeCertificateType.GetLength() > 0 &&
+      (basicConstraints.GetLength() == 0 || extKeyUsage.GetLength() == 0)) {
+    return Result::ERROR_UNKNOWN_CRITICAL_EXTENSION;
+  }
+
+  return der::End(tbsCertificate);
+}
+
+Result
+BackCert::RememberExtension(Reader& extnID, Input extnValue,
+                            bool critical, /*out*/ bool& understood)
+{
+  understood = false;
+
+  // python DottedOIDToCode.py id-ce-keyUsage 2.5.29.15
+  static const uint8_t id_ce_keyUsage[] = {
+    0x55, 0x1d, 0x0f
+  };
+  // python DottedOIDToCode.py id-ce-subjectAltName 2.5.29.17
+  static const uint8_t id_ce_subjectAltName[] = {
+    0x55, 0x1d, 0x11
+  };
+  // python DottedOIDToCode.py id-ce-basicConstraints 2.5.29.19
+  static const uint8_t id_ce_basicConstraints[] = {
+    0x55, 0x1d, 0x13
+  };
+  // python DottedOIDToCode.py id-ce-nameConstraints 2.5.29.30
+  static const uint8_t id_ce_nameConstraints[] = {
+    0x55, 0x1d, 0x1e
+  };
+  // python DottedOIDToCode.py id-ce-certificatePolicies 2.5.29.32
+  static const uint8_t id_ce_certificatePolicies[] = {
+    0x55, 0x1d, 0x20
+  };
+  // python DottedOIDToCode.py id-ce-policyConstraints 2.5.29.36
+  static const uint8_t id_ce_policyConstraints[] = {
+    0x55, 0x1d, 0x24
+  };
+  // python DottedOIDToCode.py id-ce-extKeyUsage 2.5.29.37
+  static const uint8_t id_ce_extKeyUsage[] = {
+    0x55, 0x1d, 0x25
+  };
+  // python DottedOIDToCode.py id-ce-inhibitAnyPolicy 2.5.29.54
+  static const uint8_t id_ce_inhibitAnyPolicy[] = {
+    0x55, 0x1d, 0x36
+  };
+  // python DottedOIDToCode.py id-pe-authorityInfoAccess 1.3.6.1.5.5.7.1.1
+  static const uint8_t id_pe_authorityInfoAccess[] = {
+    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01
+  };
+  // python DottedOIDToCode.py id-pkix-ocsp-nocheck 1.3.6.1.5.5.7.48.1.5
+  static const uint8_t id_pkix_ocsp_nocheck[] = {
+    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x05
+  };
+  // python DottedOIDToCode.py Netscape-certificate-type 2.16.840.1.113730.1.1
+  static const uint8_t Netscape_certificate_type[] = {
+    0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x01, 0x01
+  };
+  // python DottedOIDToCode.py id-pe-tlsfeature 1.3.6.1.5.5.7.1.24
+  static const uint8_t id_pe_tlsfeature[] = {
+    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x18
+  };
+  // python DottedOIDToCode.py id-embeddedSctList 1.3.6.1.4.1.11129.2.4.2
+  // See Section 3.3 of RFC 6962.
+  static const uint8_t id_embeddedSctList[] = {
+    0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x02
+  };
+
+  Input* out = nullptr;
+
+  // We already enforce the maximum possible constraints for policies so we
+  // can safely ignore even critical policy constraint extensions.
+  //
+  // XXX: Doing it this way won't allow us to detect duplicate
+  // policyConstraints extensions, but that's OK because (and only because) we
+  // ignore the extension.
+  Input dummyPolicyConstraints;
+
+  // We don't need to save the contents of this extension if it is present. We
+  // just need to handle its presence (it is essentially ignored right now).
+  Input dummyOCSPNocheck;
+
+  // For compatibility reasons, for some extensions we have to allow empty
+  // extension values. This would normally interfere with our duplicate
+  // extension checking code. However, as long as the extensions we allow to
+  // have empty values are also the ones we implicitly allow duplicates of,
+  // this will work fine.
+  bool emptyValueAllowed = false;
+
+  // RFC says "Conforming CAs MUST mark this extension as non-critical" for
+  // both authorityKeyIdentifier and subjectKeyIdentifier, and we do not use
+  // them for anything, so we totally ignore them here.
+
+  if (extnID.MatchRest(id_ce_keyUsage)) {
+    out = &keyUsage;
+  } else if (extnID.MatchRest(id_ce_subjectAltName)) {
+    out = &subjectAltName;
+  } else if (extnID.MatchRest(id_ce_basicConstraints)) {
+    out = &basicConstraints;
+  } else if (extnID.MatchRest(id_ce_nameConstraints)) {
+    out = &nameConstraints;
+  } else if (extnID.MatchRest(id_ce_certificatePolicies)) {
+    out = &certificatePolicies;
+  } else if (extnID.MatchRest(id_ce_policyConstraints)) {
+    out = &dummyPolicyConstraints;
+  } else if (extnID.MatchRest(id_ce_extKeyUsage)) {
+    out = &extKeyUsage;
+  } else if (extnID.MatchRest(id_ce_inhibitAnyPolicy)) {
+    out = &inhibitAnyPolicy;
+  } else if (extnID.MatchRest(id_pe_authorityInfoAccess)) {
+    out = &authorityInfoAccess;
+  } else if (extnID.MatchRest(id_pe_tlsfeature)) {
+    out = &requiredTLSFeatures;
+  } else if (extnID.MatchRest(id_embeddedSctList)) {
+    out = &signedCertificateTimestamps;
+  } else if (extnID.MatchRest(id_pkix_ocsp_nocheck) && critical) {
+    // We need to make sure we don't reject delegated OCSP response signing
+    // certificates that contain the id-pkix-ocsp-nocheck extension marked as
+    // critical when validating OCSP responses. Without this, an application
+    // that implements soft-fail OCSP might ignore a valid Revoked or Unknown
+    // response, and an application that implements hard-fail OCSP might fail
+    // to connect to a server given a valid Good response.
+    out = &dummyOCSPNocheck;
+    // We allow this extension to have an empty value.
+    // See http://comments.gmane.org/gmane.ietf.x509/30947
+    emptyValueAllowed = true;
+  } else if (extnID.MatchRest(Netscape_certificate_type) && critical) {
+    out = &criticalNetscapeCertificateType;
+  }
+
+  if (out) {
+    // Don't allow an empty value for any extension we understand. This way, we
+    // can test out->GetLength() != 0 or out->Init() to check for duplicates.
+    if (extnValue.GetLength() == 0 && !emptyValueAllowed) {
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    if (out->Init(extnValue) != Success) {
+      // Duplicate extension
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    understood = true;
+  }
+
+  return Success;
+}
+
+Result
+ExtractSignedCertificateTimestampListFromExtension(Input extnValue,
+                                                   Input& sctList)
+{
+  Reader decodedValue;
+  Result rv = der::ExpectTagAndGetValueAtEnd(extnValue, der::OCTET_STRING,
+                                             decodedValue);
+  if (rv != Success) {
+    return rv;
+  }
+  return decodedValue.SkipToEnd(sctList);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixcheck.cpp b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
new file mode 100644
index 0000000000..317db01e23
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
@@ -0,0 +1,1100 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixcheck.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+// 4.1.1.2 signatureAlgorithm
+// 4.1.2.3 signature
+
+Result
+CheckSignatureAlgorithm(TrustDomain& trustDomain,
+                        EndEntityOrCA endEntityOrCA,
+                        Time notBefore,
+                        const der::SignedDataWithSignature& signedData,
+                        Input signatureValue)
+{
+  // 4.1.1.2. signatureAlgorithm
+  der::PublicKeyAlgorithm publicKeyAlg;
+  DigestAlgorithm digestAlg;
+  Reader signatureAlgorithmReader(signedData.algorithm);
+  Result rv = der::SignatureAlgorithmIdentifierValue(signatureAlgorithmReader,
+                                                     publicKeyAlg, digestAlg);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(signatureAlgorithmReader);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.1.2.3. Signature
+  der::PublicKeyAlgorithm signedPublicKeyAlg;
+  DigestAlgorithm signedDigestAlg;
+  Reader signedSignatureAlgorithmReader(signatureValue);
+  rv = der::SignatureAlgorithmIdentifierValue(signedSignatureAlgorithmReader,
+                                              signedPublicKeyAlg,
+                                              signedDigestAlg);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(signedSignatureAlgorithmReader);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // "This field MUST contain the same algorithm identifier as the
+  // signatureAlgorithm field in the sequence Certificate." However, it may
+  // be encoded differently. In particular, one of the fields may have a NULL
+  // parameter while the other one may omit the parameter field altogether, and
+  // these are considered equivalent. Some certificates generation software
+  // actually generates certificates like that, so we compare the parsed values
+  // instead of comparing the encoded values byte-for-byte.
+  //
+  // Along the same lines, we accept two different OIDs for RSA-with-SHA1, and
+  // we consider those OIDs to be equivalent here.
+  if (publicKeyAlg != signedPublicKeyAlg || digestAlg != signedDigestAlg) {
+    return Result::ERROR_SIGNATURE_ALGORITHM_MISMATCH;
+  }
+
+  // During the time of the deprecation of SHA-1 and the deprecation of RSA
+  // keys of less than 2048 bits, we will encounter many certs signed using
+  // SHA-1 and/or too-small RSA keys. With this in mind, we ask the trust
+  // domain early on if it knows it will reject the signature purely based on
+  // the digest algorithm and/or the RSA key size (if an RSA signature). This
+  // is a good optimization because it completely avoids calling
+  // trustDomain.FindIssuers (which may be slow) for such rejected certs, and
+  // more generally it short-circuits any path building with them (which, of
+  // course, is even slower).
+
+  rv = trustDomain.CheckSignatureDigestAlgorithm(digestAlg, endEntityOrCA,
+                                                 notBefore);
+  if (rv != Success) {
+    return rv;
+  }
+
+  switch (publicKeyAlg) {
+    case der::PublicKeyAlgorithm::RSA_PKCS1:
+    {
+      // The RSA computation may give a result that requires fewer bytes to
+      // encode than the public key (since it is modular arithmetic). However,
+      // the last step of generating a PKCS#1.5 signature is the I2OSP
+      // procedure, which pads any such shorter result with zeros so that it
+      // is exactly the same length as the public key.
+      unsigned int signatureSizeInBits = signedData.signature.GetLength() * 8u;
+      return trustDomain.CheckRSAPublicKeyModulusSizeInBits(
+               endEntityOrCA, signatureSizeInBits);
+    }
+
+    case der::PublicKeyAlgorithm::ECDSA:
+      // In theory, we could implement a similar early-pruning optimization for
+      // ECDSA curves. However, since there has been no similar deprecation for
+      // for any curve that we support, the chances of us encountering a curve
+      // during path building is too low to be worth bothering with.
+      break;
+    case der::PublicKeyAlgorithm::Uninitialized:
+    {
+      assert(false);
+      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    }
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+
+  return Success;
+}
+
+// 4.1.2.4 Issuer
+
+Result
+CheckIssuer(Input encodedIssuer)
+{
+  // "The issuer field MUST contain a non-empty distinguished name (DN)."
+  Reader issuer(encodedIssuer);
+  Input encodedRDNs;
+  ExpectTagAndGetValue(issuer, der::SEQUENCE, encodedRDNs);
+  Reader rdns(encodedRDNs);
+  // Check that the issuer name contains at least one RDN
+  // (Note: this does not check related grammar rules, such as there being one
+  // or more AVAs in each RDN, or the values in AVAs not being empty strings)
+  if (rdns.AtEnd()) {
+    return Result::ERROR_EMPTY_ISSUER_NAME;
+  }
+  return Success;
+}
+
+// 4.1.2.5 Validity
+
+Result
+ParseValidity(Input encodedValidity,
+              /*optional out*/ Time* notBeforeOut,
+              /*optional out*/ Time* notAfterOut)
+{
+  Reader validity(encodedValidity);
+  Time notBefore(Time::uninitialized);
+  if (der::TimeChoice(validity, notBefore) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  Time notAfter(Time::uninitialized);
+  if (der::TimeChoice(validity, notAfter) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  if (der::End(validity) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  if (notBefore > notAfter) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  if (notBeforeOut) {
+    *notBeforeOut = notBefore;
+  }
+  if (notAfterOut) {
+    *notAfterOut = notAfter;
+  }
+
+  return Success;
+}
+
+Result
+CheckValidity(Time time, Time notBefore, Time notAfter)
+{
+  if (time < notBefore) {
+    return Result::ERROR_NOT_YET_VALID_CERTIFICATE;
+  }
+
+  if (time > notAfter) {
+    return Result::ERROR_EXPIRED_CERTIFICATE;
+  }
+
+  return Success;
+}
+
+// 4.1.2.7 Subject Public Key Info
+
+Result
+CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain,
+                                  EndEntityOrCA endEntityOrCA)
+{
+  // Here, we validate the syntax and do very basic semantic validation of the
+  // public key of the certificate. The intention here is to filter out the
+  // types of bad inputs that are most likely to trigger non-mathematical
+  // security vulnerabilities in the TrustDomain, like buffer overflows or the
+  // use of unsafe elliptic curves.
+  //
+  // We don't check (all of) the mathematical properties of the public key here
+  // because it is more efficient for the TrustDomain to do it during signature
+  // verification and/or other use of the public key. In particular, we
+  // delegate the arithmetic validation of the public key, as specified in
+  // NIST SP800-56A section 5.6.2, to the TrustDomain, at least for now.
+
+  Reader algorithm;
+  Input subjectPublicKey;
+  Result rv = der::ExpectTagAndGetValue(input, der::SEQUENCE, algorithm);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::BitStringWithNoUnusedBits(input, subjectPublicKey);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(input);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Reader subjectPublicKeyReader(subjectPublicKey);
+
+  Reader algorithmOID;
+  rv = der::ExpectTagAndGetValue(algorithm, der::OIDTag, algorithmOID);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // RFC 3279 Section 2.3.1
+  // python DottedOIDToCode.py rsaEncryption 1.2.840.113549.1.1.1
+  static const uint8_t rsaEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01
+  };
+
+  // RFC 3279 Section 2.3.5 and RFC 5480 Section 2.1.1
+  // python DottedOIDToCode.py id-ecPublicKey 1.2.840.10045.2.1
+  static const uint8_t id_ecPublicKey[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01
+  };
+
+  if (algorithmOID.MatchRest(id_ecPublicKey)) {
+    // An id-ecPublicKey AlgorithmIdentifier has a parameter that identifes
+    // the curve being used. Although RFC 5480 specifies multiple forms, we
+    // only supported the NamedCurve form, where the curve is identified by an
+    // OID.
+
+    Reader namedCurveOIDValue;
+    rv = der::ExpectTagAndGetValue(algorithm, der::OIDTag,
+                                   namedCurveOIDValue);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // RFC 5480
+    // python DottedOIDToCode.py secp256r1 1.2.840.10045.3.1.7
+    static const uint8_t secp256r1[] = {
+      0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
+    };
+
+    // RFC 5480
+    // python DottedOIDToCode.py secp384r1 1.3.132.0.34
+    static const uint8_t secp384r1[] = {
+      0x2b, 0x81, 0x04, 0x00, 0x22
+    };
+
+    // RFC 5480
+    // python DottedOIDToCode.py secp521r1 1.3.132.0.35
+    static const uint8_t secp521r1[] = {
+      0x2b, 0x81, 0x04, 0x00, 0x23
+    };
+
+    // Matching is attempted based on a rough estimate of the commonality of the
+    // elliptic curve, to minimize the number of MatchRest calls.
+    NamedCurve curve;
+    unsigned int bits;
+    if (namedCurveOIDValue.MatchRest(secp256r1)) {
+      curve = NamedCurve::secp256r1;
+      bits = 256;
+    } else if (namedCurveOIDValue.MatchRest(secp384r1)) {
+      curve = NamedCurve::secp384r1;
+      bits = 384;
+    } else if (namedCurveOIDValue.MatchRest(secp521r1)) {
+      curve = NamedCurve::secp521r1;
+      bits = 521;
+    } else {
+      return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+    }
+
+    rv = trustDomain.CheckECDSACurveIsAcceptable(endEntityOrCA, curve);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // RFC 5480 Section 2.2 says that the first octet will be 0x04 to indicate
+    // an uncompressed point, which is the only encoding we support.
+    uint8_t compressedOrUncompressed;
+    rv = subjectPublicKeyReader.Read(compressedOrUncompressed);
+    if (rv != Success) {
+      return rv;
+    }
+    if (compressedOrUncompressed != 0x04) {
+      return Result::ERROR_UNSUPPORTED_EC_POINT_FORM;
+    }
+
+    // The point is encoded as two raw (not DER-encoded) integers, each padded
+    // to the bit length (rounded up to the nearest byte).
+    Input point;
+    rv = subjectPublicKeyReader.SkipToEnd(point);
+    if (rv != Success) {
+      return rv;
+    }
+    if (point.GetLength() != ((bits + 7) / 8u) * 2u) {
+      return Result::ERROR_BAD_DER;
+    }
+
+    // XXX: We defer the mathematical verification of the validity of the point
+    // until signature verification. This means that if we never verify a
+    // signature, we'll never fully check whether the public key is valid.
+  } else if (algorithmOID.MatchRest(rsaEncryption)) {
+    // RFC 3279 Section 2.3.1 says "The parameters field MUST have ASN.1 type
+    // NULL for this algorithm identifier."
+    rv = der::ExpectTagAndEmptyValue(algorithm, der::NULLTag);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // RSAPublicKey :: = SEQUENCE{
+    //    modulus            INTEGER,    --n
+    //    publicExponent     INTEGER  }  --e
+    rv = der::Nested(subjectPublicKeyReader, der::SEQUENCE,
+                     [&trustDomain, endEntityOrCA](Reader& r) {
+      Input modulus;
+      Input::size_type modulusSignificantBytes;
+      Result nestedRv =
+        der::PositiveInteger(r, modulus, &modulusSignificantBytes);
+      if (nestedRv != Success) {
+        return nestedRv;
+      }
+      // XXX: Should we do additional checks of the modulus?
+      nestedRv = trustDomain.CheckRSAPublicKeyModulusSizeInBits(
+        endEntityOrCA, modulusSignificantBytes * 8u);
+      if (nestedRv != Success) {
+        return nestedRv;
+      }
+
+      // XXX: We don't allow the TrustDomain to validate the exponent.
+      // XXX: We don't do our own sanity checking of the exponent.
+      Input exponent;
+      return der::PositiveInteger(r, exponent);
+    });
+    if (rv != Success) {
+      return rv;
+    }
+  } else {
+    return Result::ERROR_UNSUPPORTED_KEYALG;
+  }
+
+  rv = der::End(algorithm);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(subjectPublicKeyReader);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return Success;
+}
+
+Result
+CheckSubjectPublicKeyInfo(Input subjectPublicKeyInfo, TrustDomain& trustDomain,
+                          EndEntityOrCA endEntityOrCA)
+{
+  Reader spkiReader(subjectPublicKeyInfo);
+  Result rv = der::Nested(spkiReader, der::SEQUENCE, [&](Reader& r) {
+    return CheckSubjectPublicKeyInfoContents(r, trustDomain, endEntityOrCA);
+  });
+  if (rv != Success) {
+    return rv;
+  }
+  return der::End(spkiReader);
+}
+
+// 4.2.1.3. Key Usage (id-ce-keyUsage)
+
+// As explained in the comment in CheckKeyUsage, bit 0 is the most significant
+// bit and bit 7 is the least significant bit.
+inline uint8_t KeyUsageToBitMask(KeyUsage keyUsage)
+{
+  assert(keyUsage != KeyUsage::noParticularKeyUsageRequired);
+  return 0x80u >> static_cast<uint8_t>(keyUsage);
+}
+
+Result
+CheckKeyUsage(EndEntityOrCA endEntityOrCA, const Input* encodedKeyUsage,
+              KeyUsage requiredKeyUsageIfPresent)
+{
+  if (!encodedKeyUsage) {
+    // TODO(bug 970196): Reject certificates that are being used to verify
+    // certificate signatures unless the certificate is a trust anchor, to
+    // reduce the chances of an end-entity certificate being abused as a CA
+    // certificate.
+    // if (endEntityOrCA == EndEntityOrCA::MustBeCA && !isTrustAnchor) {
+    //   return Result::ERROR_INADEQUATE_KEY_USAGE;
+    // }
+    //
+    // TODO: Users may configure arbitrary certificates as trust anchors, not
+    // just roots. We should only allow a certificate without a key usage to be
+    // used as a CA when it is self-issued and self-signed.
+    return Success;
+  }
+
+  Reader input(*encodedKeyUsage);
+  Reader value;
+  if (der::ExpectTagAndGetValue(input, der::BIT_STRING, value) != Success) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  uint8_t numberOfPaddingBits;
+  if (value.Read(numberOfPaddingBits) != Success) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+  if (numberOfPaddingBits > 7) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  uint8_t bits;
+  if (value.Read(bits) != Success) {
+    // Reject empty bit masks.
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  // The most significant bit is numbered 0 (digitalSignature) and the least
+  // significant bit is numbered 7 (encipherOnly), and the padding is in the
+  // least significant bits of the last byte. The numbering of bits in a byte
+  // is backwards from how we usually interpret them.
+  //
+  // For example, let's say bits is encoded in one byte with of value 0xB0 and
+  // numberOfPaddingBits == 4. Then, bits is 10110000 in binary:
+  //
+  //      bit 0  bit 3
+  //          |  |
+  //          v  v
+  //          10110000
+  //              ^^^^
+  //               |
+  //               4 padding bits
+  //
+  // Since bits is the last byte, we have to consider the padding by ensuring
+  // that the least significant 4 bits are all zero, since DER rules require
+  // all padding bits to be zero. Then we have to look at the bit N bits to the
+  // right of the most significant bit, where N is a value from the KeyUsage
+  // enumeration.
+  //
+  // Let's say we're interested in the keyCertSign (5) bit. We'd need to look
+  // at bit 5, which is zero, so keyCertSign is not asserted. (Since we check
+  // that the padding is all zeros, it is OK to read from the padding bits.)
+  //
+  // Let's say we're interested in the digitalSignature (0) bit. We'd need to
+  // look at the bit 0 (the most significant bit), which is set, so that means
+  // digitalSignature is asserted. Similarly, keyEncipherment (2) and
+  // dataEncipherment (3) are asserted.
+  //
+  // Note that since the KeyUsage enumeration is limited to values 0-7, we
+  // only ever need to examine the first byte test for
+  // requiredKeyUsageIfPresent.
+
+  if (requiredKeyUsageIfPresent != KeyUsage::noParticularKeyUsageRequired) {
+    // Check that the required key usage bit is set.
+    if ((bits & KeyUsageToBitMask(requiredKeyUsageIfPresent)) == 0) {
+      return Result::ERROR_INADEQUATE_KEY_USAGE;
+    }
+  }
+
+  // RFC 5280 says "The keyCertSign bit is asserted when the subject public
+  // key is used for verifying signatures on public key certificates. If the
+  // keyCertSign bit is asserted, then the cA bit in the basic constraints
+  // extension (Section 4.2.1.9) MUST also be asserted."
+  // However, we allow end-entity certificates (i.e. certificates without
+  // basicConstraints.cA set to TRUE) to claim keyCertSign for compatibility
+  // reasons. This does not compromise security because we only allow
+  // certificates with basicConstraints.cA set to TRUE to act as CAs.
+  if (requiredKeyUsageIfPresent == KeyUsage::keyCertSign &&
+      endEntityOrCA != EndEntityOrCA::MustBeCA) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  // The padding applies to the last byte, so skip to the last byte.
+  while (!value.AtEnd()) {
+    if (value.Read(bits) != Success) {
+      return Result::ERROR_INADEQUATE_KEY_USAGE;
+    }
+  }
+
+  // All of the padding bits must be zero, according to DER rules.
+  uint8_t paddingMask = static_cast<uint8_t>((1 << numberOfPaddingBits) - 1);
+  if ((bits & paddingMask) != 0) {
+    return Result::ERROR_INADEQUATE_KEY_USAGE;
+  }
+
+  return Success;
+}
+
+// RFC5820 4.2.1.4. Certificate Policies
+
+// "The user-initial-policy-set contains the special value any-policy if the
+// user is not concerned about certificate policy."
+//
+// python DottedOIDToCode.py anyPolicy 2.5.29.32.0
+
+static const uint8_t anyPolicy[] = {
+  0x55, 0x1d, 0x20, 0x00
+};
+
+/*static*/ const CertPolicyId CertPolicyId::anyPolicy = {
+  4, { 0x55, 0x1d, 0x20, 0x00 }
+};
+
+bool
+CertPolicyId::IsAnyPolicy() const {
+  if (this == &CertPolicyId::anyPolicy) {
+    return true;
+  }
+  return numBytes == sizeof(::mozilla::pkix::anyPolicy) &&
+         std::equal(bytes, bytes + numBytes, ::mozilla::pkix::anyPolicy);
+}
+
+bool
+CertPolicyId::operator==(const CertPolicyId& other) const
+{
+  return numBytes == other.numBytes &&
+         std::equal(bytes, bytes + numBytes, other.bytes);
+}
+
+// certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+Result
+CheckCertificatePolicies(EndEntityOrCA endEntityOrCA,
+                         const Input* encodedCertificatePolicies,
+                         const Input* encodedInhibitAnyPolicy,
+                         TrustLevel trustLevel,
+                         const CertPolicyId& requiredPolicy)
+{
+  if (requiredPolicy.numBytes == 0 ||
+      requiredPolicy.numBytes > sizeof requiredPolicy.bytes) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+
+  bool requiredPolicyFound = requiredPolicy.IsAnyPolicy();
+  if (requiredPolicyFound) {
+    return Success;
+  }
+
+  // Bug 989051. Until we handle inhibitAnyPolicy we will fail close when
+  // inhibitAnyPolicy extension is present and we are validating for a policy.
+  if (!requiredPolicyFound && encodedInhibitAnyPolicy) {
+    return Result::ERROR_POLICY_VALIDATION_FAILED;
+  }
+
+  // The root CA certificate may omit the policies that it has been
+  // trusted for, so we cannot require the policies to be present in those
+  // certificates. Instead, the determination of which roots are trusted for
+  // which policies is made by the TrustDomain's GetCertTrust method.
+  if (trustLevel == TrustLevel::TrustAnchor &&
+      endEntityOrCA == EndEntityOrCA::MustBeCA) {
+    requiredPolicyFound = true;
+  }
+
+  Input requiredPolicyDER;
+  if (requiredPolicyDER.Init(requiredPolicy.bytes, requiredPolicy.numBytes)
+        != Success) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+
+  if (encodedCertificatePolicies) {
+    Reader extension(*encodedCertificatePolicies);
+    Reader certificatePolicies;
+    Result rv = der::ExpectTagAndGetValue(extension, der::SEQUENCE,
+                                          certificatePolicies);
+    if (rv != Success) {
+      return Result::ERROR_POLICY_VALIDATION_FAILED;
+    }
+    if (!extension.AtEnd()) {
+      return Result::ERROR_POLICY_VALIDATION_FAILED;
+    }
+
+    do {
+      // PolicyInformation ::= SEQUENCE {
+      //         policyIdentifier   CertPolicyId,
+      //         policyQualifiers   SEQUENCE SIZE (1..MAX) OF
+      //                                 PolicyQualifierInfo OPTIONAL }
+      Reader policyInformation;
+      rv = der::ExpectTagAndGetValue(certificatePolicies, der::SEQUENCE,
+                                     policyInformation);
+      if (rv != Success) {
+        return Result::ERROR_POLICY_VALIDATION_FAILED;
+      }
+
+      Reader policyIdentifier;
+      rv = der::ExpectTagAndGetValue(policyInformation, der::OIDTag,
+                                     policyIdentifier);
+      if (rv != Success) {
+        return rv;
+      }
+
+      if (policyIdentifier.MatchRest(requiredPolicyDER)) {
+        requiredPolicyFound = true;
+      } else if (endEntityOrCA == EndEntityOrCA::MustBeCA &&
+                 policyIdentifier.MatchRest(anyPolicy)) {
+        requiredPolicyFound = true;
+      }
+
+      // RFC 5280 Section 4.2.1.4 says "Optional qualifiers, which MAY be
+      // present, are not expected to change the definition of the policy." Also,
+      // it seems that Section 6, which defines validation, does not require any
+      // matching of qualifiers. Thus, doing anything with the policy qualifiers
+      // would be a waste of time and a source of potential incompatibilities, so
+      // we just ignore them.
+    } while (!requiredPolicyFound && !certificatePolicies.AtEnd());
+  }
+
+  if (!requiredPolicyFound) {
+    return Result::ERROR_POLICY_VALIDATION_FAILED;
+  }
+
+  return Success;
+}
+
+static const long UNLIMITED_PATH_LEN = -1; // must be less than zero
+
+//  BasicConstraints ::= SEQUENCE {
+//          cA                      BOOLEAN DEFAULT FALSE,
+//          pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+
+// RFC5280 4.2.1.9. Basic Constraints (id-ce-basicConstraints)
+Result
+CheckBasicConstraints(EndEntityOrCA endEntityOrCA,
+                      const Input* encodedBasicConstraints,
+                      const der::Version version, TrustLevel trustLevel,
+                      unsigned int subCACount)
+{
+  bool isCA = false;
+  long pathLenConstraint = UNLIMITED_PATH_LEN;
+
+  if (encodedBasicConstraints) {
+    Reader input(*encodedBasicConstraints);
+    Result rv = der::Nested(input, der::SEQUENCE,
+                            [&isCA, &pathLenConstraint](Reader& r) {
+      Result nestedRv = der::OptionalBoolean(r, isCA);
+      if (nestedRv != Success) {
+        return nestedRv;
+      }
+      // TODO(bug 985025): If isCA is false, pathLenConstraint
+      // MUST NOT be included (as per RFC 5280 section
+      // 4.2.1.9), but for compatibility reasons, we don't
+      // check this.
+      return der::OptionalInteger(r, UNLIMITED_PATH_LEN, pathLenConstraint);
+    });
+    if (rv != Success) {
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    if (der::End(input) != Success) {
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+  } else {
+    // "If the basic constraints extension is not present in a version 3
+    //  certificate, or the extension is present but the cA boolean is not
+    //  asserted, then the certified public key MUST NOT be used to verify
+    //  certificate signatures."
+    //
+    // For compatibility, we must accept v1 trust anchors without basic
+    // constraints as CAs.
+    //
+    // There are devices with v1 certificates that are unlikely to be trust
+    // anchors. In order to allow applications to treat this case differently
+    // from other basic constraints violations (e.g. allowing certificate error
+    // overrides for only this case), we return a different error code.
+    //
+    // TODO: add check for self-signedness?
+    if (endEntityOrCA == EndEntityOrCA::MustBeCA && version == der::Version::v1) {
+      if (trustLevel == TrustLevel::TrustAnchor) {
+        isCA = true;
+      } else {
+        return Result::ERROR_V1_CERT_USED_AS_CA;
+      }
+    }
+  }
+
+  if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+    // CA certificates are not trusted as EE certs.
+
+    if (isCA) {
+      // Note that this check prevents a delegated OCSP response signing
+      // certificate with the CA bit from successfully validating when we check
+      // it from pkixocsp.cpp, which is a good thing.
+      return Result::ERROR_CA_CERT_USED_AS_END_ENTITY;
+    }
+
+    return Success;
+  }
+
+  assert(endEntityOrCA == EndEntityOrCA::MustBeCA);
+
+  // End-entity certificates are not allowed to act as CA certs.
+  if (!isCA) {
+    return Result::ERROR_CA_CERT_INVALID;
+  }
+
+  if (pathLenConstraint >= 0 &&
+      static_cast<long>(subCACount) > pathLenConstraint) {
+    return Result::ERROR_PATH_LEN_CONSTRAINT_INVALID;
+  }
+
+  return Success;
+}
+
+// 4.2.1.12. Extended Key Usage (id-ce-extKeyUsage)
+
+static Result
+MatchEKU(Reader& value, KeyPurposeId requiredEKU,
+         EndEntityOrCA endEntityOrCA, TrustDomain& trustDomain,
+         Time notBefore, /*in/out*/ bool& found,
+         /*in/out*/ bool& foundOCSPSigning)
+{
+  // See Section 5.9 of "A Layman's Guide to a Subset of ASN.1, BER, and DER"
+  // for a description of ASN.1 DER encoding of OIDs.
+
+  // id-pkix  OBJECT IDENTIFIER  ::=
+  //            { iso(1) identified-organization(3) dod(6) internet(1)
+  //                    security(5) mechanisms(5) pkix(7) }
+  // id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
+  // id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }
+  // id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }
+  // id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }
+  // id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }
+  // id-kp-OCSPSigning     OBJECT IDENTIFIER ::= { id-kp 9 }
+  static const uint8_t server[] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 1 };
+  static const uint8_t client[] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 2 };
+  static const uint8_t code  [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 3 };
+  static const uint8_t email [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 4 };
+  static const uint8_t ocsp  [] = { (40*1)+3, 6, 1, 5, 5, 7, 3, 9 };
+
+  // id-Netscape        OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }
+  // id-Netscape-policy OBJECT IDENTIFIER ::= { id-Netscape 4 }
+  // id-Netscape-stepUp OBJECT IDENTIFIER ::= { id-Netscape-policy 1 }
+  static const uint8_t serverStepUp[] =
+    { (40*2)+16, 128+6,72, 1, 128+6,128+120,66, 4, 1 };
+
+  bool match = false;
+
+  if (!found) {
+    switch (requiredEKU) {
+      case KeyPurposeId::id_kp_serverAuth: {
+        if (value.MatchRest(server)) {
+          match = true;
+          break;
+        }
+        // Potentially treat CA certs with step-up OID as also having SSL server
+        // type. Comodo has issued certificates that require this behavior that
+        // don't expire until June 2020!
+        if (endEntityOrCA == EndEntityOrCA::MustBeCA &&
+            value.MatchRest(serverStepUp)) {
+          Result rv = trustDomain.NetscapeStepUpMatchesServerAuth(notBefore,
+                                                                  match);
+          if (rv != Success) {
+            return rv;
+          }
+        }
+        break;
+      }
+
+      case KeyPurposeId::id_kp_clientAuth:
+        match = value.MatchRest(client);
+        break;
+
+      case KeyPurposeId::id_kp_codeSigning:
+        match = value.MatchRest(code);
+        break;
+
+      case KeyPurposeId::id_kp_emailProtection:
+        match = value.MatchRest(email);
+        break;
+
+      case KeyPurposeId::id_kp_OCSPSigning:
+        match = value.MatchRest(ocsp);
+        break;
+
+      case KeyPurposeId::anyExtendedKeyUsage:
+        return NotReached("anyExtendedKeyUsage should start with found==true",
+                          Result::FATAL_ERROR_LIBRARY_FAILURE);
+    }
+  }
+
+  if (match) {
+    found = true;
+    if (requiredEKU == KeyPurposeId::id_kp_OCSPSigning) {
+      foundOCSPSigning = true;
+    }
+  } else if (value.MatchRest(ocsp)) {
+    foundOCSPSigning = true;
+  }
+
+  value.SkipToEnd(); // ignore unmatched OIDs.
+
+  return Success;
+}
+
+Result
+CheckExtendedKeyUsage(EndEntityOrCA endEntityOrCA,
+                      const Input* encodedExtendedKeyUsage,
+                      KeyPurposeId requiredEKU, TrustDomain& trustDomain,
+                      Time notBefore)
+{
+  // XXX: We're using Result::ERROR_INADEQUATE_CERT_TYPE here so that callers
+  // can distinguish EKU mismatch from KU mismatch from basic constraints
+  // mismatch. We should probably add a new error code that is more clear for
+  // this type of problem.
+
+  bool foundOCSPSigning = false;
+
+  if (encodedExtendedKeyUsage) {
+    bool found = requiredEKU == KeyPurposeId::anyExtendedKeyUsage;
+
+    Reader input(*encodedExtendedKeyUsage);
+    Result rv = der::NestedOf(input, der::SEQUENCE, der::OIDTag,
+                              der::EmptyAllowed::No, [&](Reader& r) {
+      return MatchEKU(r, requiredEKU, endEntityOrCA, trustDomain, notBefore,
+                      found, foundOCSPSigning);
+    });
+    if (rv != Success) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+    if (der::End(input) != Success) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+
+    // If the EKU extension was included, then the required EKU must be in the
+    // list.
+    if (!found) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+  }
+
+  // pkixocsp.cpp depends on the following additional checks.
+
+  if (endEntityOrCA == EndEntityOrCA::MustBeEndEntity) {
+    // When validating anything other than an delegated OCSP signing cert,
+    // reject any cert that also claims to be an OCSP responder, because such
+    // a cert does not make sense. For example, if an SSL certificate were to
+    // assert id-kp-OCSPSigning then it could sign OCSP responses for itself,
+    // if not for this check.
+    // That said, we accept CA certificates with id-kp-OCSPSigning because
+    // some CAs in Mozilla's CA program have issued such intermediate
+    // certificates, and because some CAs have reported some Microsoft server
+    // software wrongly requires CA certificates to have id-kp-OCSPSigning.
+    // Allowing this exception does not cause any security issues because we
+    // require delegated OCSP response signing certificates to be end-entity
+    // certificates.
+    if (foundOCSPSigning && requiredEKU != KeyPurposeId::id_kp_OCSPSigning) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+    // http://tools.ietf.org/html/rfc6960#section-4.2.2.2:
+    // "OCSP signing delegation SHALL be designated by the inclusion of
+    // id-kp-OCSPSigning in an extended key usage certificate extension
+    // included in the OCSP response signer's certificate."
+    //
+    // id-kp-OCSPSigning is the only EKU that isn't implicitly assumed when the
+    // EKU extension is missing from an end-entity certificate. However, any CA
+    // certificate can issue a delegated OCSP response signing certificate, so
+    // we can't require the EKU be explicitly included for CA certificates.
+    if (!foundOCSPSigning && requiredEKU == KeyPurposeId::id_kp_OCSPSigning) {
+      return Result::ERROR_INADEQUATE_CERT_TYPE;
+    }
+  }
+
+  return Success;
+}
+
+Result
+CheckTLSFeatures(const BackCert& subject, BackCert& potentialIssuer)
+{
+  const Input* issuerTLSFeatures = potentialIssuer.GetRequiredTLSFeatures();
+  if (!issuerTLSFeatures) {
+    return Success;
+  }
+
+  const Input* subjectTLSFeatures = subject.GetRequiredTLSFeatures();
+  if (issuerTLSFeatures->GetLength() == 0 ||
+      !subjectTLSFeatures ||
+      !InputsAreEqual(*issuerTLSFeatures, *subjectTLSFeatures)) {
+    return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING;
+  }
+
+  return Success;
+}
+
+Result
+TLSFeaturesSatisfiedInternal(const Input* requiredTLSFeatures,
+                             const Input* stapledOCSPResponse)
+{
+  if (!requiredTLSFeatures) {
+    return Success;
+  }
+
+  // RFC 6066 10.2: ExtensionType status_request
+  const static uint8_t status_request = 5;
+  const static uint8_t status_request_bytes[] = { status_request };
+
+  Reader input(*requiredTLSFeatures);
+  return der::NestedOf(input, der::SEQUENCE, der::INTEGER,
+                       der::EmptyAllowed::No, [&](Reader& r) {
+    if (!r.MatchRest(status_request_bytes)) {
+      return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING;
+    }
+
+    if (!stapledOCSPResponse) {
+      return Result::ERROR_REQUIRED_TLS_FEATURE_MISSING;
+    }
+
+    return Result::Success;
+  });
+}
+
+Result
+CheckTLSFeaturesAreSatisfied(Input& cert,
+                             const Input* stapledOCSPResponse)
+{
+  BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr);
+  Result rv = backCert.Init();
+  if (rv != Success) {
+    return rv;
+  }
+
+  return TLSFeaturesSatisfiedInternal(backCert.GetRequiredTLSFeatures(),
+                                      stapledOCSPResponse);
+}
+
+Result
+CheckIssuerIndependentProperties(TrustDomain& trustDomain,
+                                 const BackCert& cert,
+                                 Time time,
+                                 KeyUsage requiredKeyUsageIfPresent,
+                                 KeyPurposeId requiredEKUIfPresent,
+                                 const CertPolicyId& requiredPolicy,
+                                 unsigned int subCACount,
+                                 /*out*/ TrustLevel& trustLevel)
+{
+  Result rv;
+
+  const EndEntityOrCA endEntityOrCA = cert.endEntityOrCA;
+
+  // Check the cert's trust first, because we want to minimize the amount of
+  // processing we do on a distrusted cert, in case it is trying to exploit
+  // some bug in our processing.
+  rv = trustDomain.GetCertTrust(endEntityOrCA, requiredPolicy, cert.GetDER(),
+                                trustLevel);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // IMPORTANT: We parse the validity interval here, so that we can use the
+  // notBefore and notAfter values in checks for things that might be deprecated
+  // over time. However, we must not fail for semantic errors until the end of
+  // this method, in order to preserve error ranking.
+  Time notBefore(Time::uninitialized);
+  Time notAfter(Time::uninitialized);
+  rv = ParseValidity(cert.GetValidity(), &notBefore, &notAfter);
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (trustLevel == TrustLevel::TrustAnchor &&
+      endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
+      requiredEKUIfPresent == KeyPurposeId::id_kp_OCSPSigning) {
+    // OCSP signer certificates can never be trust anchors, especially
+    // since we don't support designated OCSP responders. All of the checks
+    // below that are dependent on trustLevel rely on this overriding of the
+    // trust level for OCSP signers.
+    trustLevel = TrustLevel::InheritsTrust;
+  }
+
+  switch (trustLevel) {
+    case TrustLevel::InheritsTrust:
+      rv = CheckSignatureAlgorithm(trustDomain, endEntityOrCA, notBefore,
+                                   cert.GetSignedData(), cert.GetSignature());
+      if (rv != Success) {
+        return rv;
+      }
+      break;
+
+    case TrustLevel::TrustAnchor:
+      // We don't even bother checking signatureAlgorithm or signature for
+      // syntactic validity for trust anchors, because we don't use those
+      // fields for anything, and because the trust anchor might be signed
+      // with a signature algorithm we don't actually support.
+      break;
+
+    case TrustLevel::ActivelyDistrusted:
+      return Result::ERROR_UNTRUSTED_CERT;
+  }
+
+  // Check the SPKI early, because it is one of the most selective properties
+  // of the certificate due to SHA-1 deprecation and the deprecation of
+  // certificates with keys weaker than RSA 2048.
+  rv = CheckSubjectPublicKeyInfo(cert.GetSubjectPublicKeyInfo(), trustDomain,
+                                 endEntityOrCA);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.1.2.4. Issuer
+  rv = CheckIssuer(cert.GetIssuer());
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.1. Authority Key Identifier is ignored (see bug 965136).
+
+  // 4.2.1.2. Subject Key Identifier is ignored (see bug 965136).
+
+  // 4.2.1.3. Key Usage
+  rv = CheckKeyUsage(endEntityOrCA, cert.GetKeyUsage(),
+                     requiredKeyUsageIfPresent);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.4. Certificate Policies
+  rv = CheckCertificatePolicies(endEntityOrCA, cert.GetCertificatePolicies(),
+                                cert.GetInhibitAnyPolicy(), trustLevel,
+                                requiredPolicy);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.5. Policy Mappings are not supported; see the documentation about
+  //          policy enforcement in pkix.h.
+
+  // 4.2.1.6. Subject Alternative Name dealt with during name constraint
+  //          checking and during name verification (CERT_VerifyCertName).
+
+  // 4.2.1.7. Issuer Alternative Name is not something that needs checking.
+
+  // 4.2.1.8. Subject Directory Attributes is not something that needs
+  //          checking.
+
+  // 4.2.1.9. Basic Constraints.
+  rv = CheckBasicConstraints(endEntityOrCA, cert.GetBasicConstraints(),
+                             cert.GetVersion(), trustLevel, subCACount);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.10. Name Constraints is dealt with in during path building.
+
+  // 4.2.1.11. Policy Constraints are implicitly supported; see the
+  //           documentation about policy enforcement in pkix.h.
+
+  // 4.2.1.12. Extended Key Usage
+  rv = CheckExtendedKeyUsage(endEntityOrCA, cert.GetExtKeyUsage(),
+                             requiredEKUIfPresent, trustDomain, notBefore);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // 4.2.1.13. CRL Distribution Points is not supported, though the
+  //           TrustDomain's CheckRevocation method may parse it and process it
+  //           on its own.
+
+  // 4.2.1.14. Inhibit anyPolicy is implicitly supported; see the documentation
+  //           about policy enforcement in pkix.h.
+
+  // IMPORTANT: Even though we parse validity above, we wait until this point to
+  // check it, so that error ranking works correctly.
+  rv = CheckValidity(time, notBefore, notAfter);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = trustDomain.CheckValidityIsAcceptable(notBefore, notAfter, endEntityOrCA,
+                                             requiredEKUIfPresent);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return Success;
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixder.cpp b/security/nss/lib/mozpkix/lib/pkixder.cpp
new file mode 100644
index 0000000000..152d11a23e
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixder.cpp
@@ -0,0 +1,611 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixder.h"
+
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix { namespace der {
+
+// Too complicated to be inline
+Result
+ReadTagAndGetValue(Reader& input, /*out*/ uint8_t& tag, /*out*/ Input& value)
+{
+  Result rv;
+
+  rv = input.Read(tag);
+  if (rv != Success) {
+    return rv;
+  }
+  if ((tag & 0x1F) == 0x1F) {
+    return Result::ERROR_BAD_DER; // high tag number form not allowed
+  }
+
+  uint16_t length;
+
+  // The short form of length is a single byte with the high order bit set
+  // to zero. The long form of length is one byte with the high order bit
+  // set, followed by N bytes, where N is encoded in the lowest 7 bits of
+  // the first byte.
+  uint8_t length1;
+  rv = input.Read(length1);
+  if (rv != Success) {
+    return rv;
+  }
+  if (!(length1 & 0x80)) {
+    length = length1;
+  } else if (length1 == 0x81) {
+    uint8_t length2;
+    rv = input.Read(length2);
+    if (rv != Success) {
+      return rv;
+    }
+    if (length2 < 128) {
+      // Not shortest possible encoding
+      return Result::ERROR_BAD_DER;
+    }
+    length = length2;
+  } else if (length1 == 0x82) {
+    rv = input.Read(length);
+    if (rv != Success) {
+      return rv;
+    }
+    if (length < 256) {
+      // Not shortest possible encoding
+      return Result::ERROR_BAD_DER;
+    }
+  } else {
+    // We don't support lengths larger than 2^16 - 1.
+    return Result::ERROR_BAD_DER;
+  }
+
+  return input.Skip(length, value);
+}
+
+static Result
+OptionalNull(Reader& input)
+{
+  if (input.Peek(NULLTag)) {
+    return Null(input);
+  }
+  return Success;
+}
+
+namespace {
+
+Result
+AlgorithmIdentifierValue(Reader& input, /*out*/ Reader& algorithmOIDValue)
+{
+  Result rv = ExpectTagAndGetValue(input, der::OIDTag, algorithmOIDValue);
+  if (rv != Success) {
+    return rv;
+  }
+  return OptionalNull(input);
+}
+
+} // namespace
+
+Result
+SignatureAlgorithmIdentifierValue(Reader& input,
+                                 /*out*/ PublicKeyAlgorithm& publicKeyAlgorithm,
+                                 /*out*/ DigestAlgorithm& digestAlgorithm)
+{
+  // RFC 5758 Section 3.2 (ECDSA with SHA-2), and RFC 3279 Section 2.2.3
+  // (ECDSA with SHA-1) say that parameters must be omitted.
+  //
+  // RFC 4055 Section 5 and RFC 3279 Section 2.2.1 both say that parameters for
+  // RSA must be encoded as NULL; we relax that requirement by allowing the
+  // NULL to be omitted, to match all the other signature algorithms we support
+  // and for compatibility.
+  Reader algorithmID;
+  Result rv = AlgorithmIdentifierValue(input, algorithmID);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // RFC 5758 Section 3.2 (ecdsa-with-SHA224 is intentionally excluded)
+  // python DottedOIDToCode.py ecdsa-with-SHA256 1.2.840.10045.4.3.2
+  static const uint8_t ecdsa_with_SHA256[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02
+  };
+  // python DottedOIDToCode.py ecdsa-with-SHA384 1.2.840.10045.4.3.3
+  static const uint8_t ecdsa_with_SHA384[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03
+  };
+  // python DottedOIDToCode.py ecdsa-with-SHA512 1.2.840.10045.4.3.4
+  static const uint8_t ecdsa_with_SHA512[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+  };
+
+  // RFC 4055 Section 5 (sha224WithRSAEncryption is intentionally excluded)
+  // python DottedOIDToCode.py sha256WithRSAEncryption 1.2.840.113549.1.1.11
+  static const uint8_t sha256WithRSAEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b
+  };
+  // python DottedOIDToCode.py sha384WithRSAEncryption 1.2.840.113549.1.1.12
+  static const uint8_t sha384WithRSAEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0c
+  };
+  // python DottedOIDToCode.py sha512WithRSAEncryption 1.2.840.113549.1.1.13
+  static const uint8_t sha512WithRSAEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d
+  };
+
+  // RFC 3279 Section 2.2.1
+  // python DottedOIDToCode.py sha-1WithRSAEncryption 1.2.840.113549.1.1.5
+  static const uint8_t sha_1WithRSAEncryption[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05
+  };
+
+  // NIST Open Systems Environment (OSE) Implementor's Workshop (OIW)
+  // http://www.oiw.org/agreements/stable/12s-9412.txt (no longer works).
+  // http://www.imc.org/ietf-pkix/old-archive-97/msg01166.html
+  // We need to support this this non-PKIX OID for compatibility.
+  // python DottedOIDToCode.py sha1WithRSASignature 1.3.14.3.2.29
+  static const uint8_t sha1WithRSASignature[] = {
+    0x2b, 0x0e, 0x03, 0x02, 0x1d
+  };
+
+  // RFC 3279 Section 2.2.3
+  // python DottedOIDToCode.py ecdsa-with-SHA1 1.2.840.10045.4.1
+  static const uint8_t ecdsa_with_SHA1[] = {
+    0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x01
+  };
+
+  // Matching is attempted based on a rough estimate of the commonality of the
+  // algorithm, to minimize the number of MatchRest calls.
+  if (algorithmID.MatchRest(sha256WithRSAEncryption)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha256;
+  } else if (algorithmID.MatchRest(ecdsa_with_SHA256)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+    digestAlgorithm = DigestAlgorithm::sha256;
+  } else if (algorithmID.MatchRest(sha_1WithRSAEncryption)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha1;
+  } else if (algorithmID.MatchRest(ecdsa_with_SHA1)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+    digestAlgorithm = DigestAlgorithm::sha1;
+  } else if (algorithmID.MatchRest(ecdsa_with_SHA384)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+    digestAlgorithm = DigestAlgorithm::sha384;
+  } else if (algorithmID.MatchRest(ecdsa_with_SHA512)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::ECDSA;
+    digestAlgorithm = DigestAlgorithm::sha512;
+  } else if (algorithmID.MatchRest(sha384WithRSAEncryption)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha384;
+  } else if (algorithmID.MatchRest(sha512WithRSAEncryption)) {
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha512;
+  } else if (algorithmID.MatchRest(sha1WithRSASignature)) {
+    // XXX(bug 1042479): recognize this old OID for compatibility.
+    publicKeyAlgorithm = PublicKeyAlgorithm::RSA_PKCS1;
+    digestAlgorithm = DigestAlgorithm::sha1;
+  } else {
+    return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
+  }
+
+  return Success;
+}
+
+Result
+DigestAlgorithmIdentifier(Reader& input, /*out*/ DigestAlgorithm& algorithm)
+{
+  return der::Nested(input, SEQUENCE, [&algorithm](Reader& r) -> Result {
+    Reader algorithmID;
+    Result rv = AlgorithmIdentifierValue(r, algorithmID);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // RFC 4055 Section 2.1
+    // python DottedOIDToCode.py id-sha1 1.3.14.3.2.26
+    static const uint8_t id_sha1[] = {
+      0x2b, 0x0e, 0x03, 0x02, 0x1a
+    };
+    // python DottedOIDToCode.py id-sha256 2.16.840.1.101.3.4.2.1
+    static const uint8_t id_sha256[] = {
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
+    };
+    // python DottedOIDToCode.py id-sha384 2.16.840.1.101.3.4.2.2
+    static const uint8_t id_sha384[] = {
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02
+    };
+    // python DottedOIDToCode.py id-sha512 2.16.840.1.101.3.4.2.3
+    static const uint8_t id_sha512[] = {
+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03
+    };
+
+    // Matching is attempted based on a rough estimate of the commonality of the
+    // algorithm, to minimize the number of MatchRest calls.
+    if (algorithmID.MatchRest(id_sha1)) {
+      algorithm = DigestAlgorithm::sha1;
+    } else if (algorithmID.MatchRest(id_sha256)) {
+      algorithm = DigestAlgorithm::sha256;
+    } else if (algorithmID.MatchRest(id_sha384)) {
+      algorithm = DigestAlgorithm::sha384;
+    } else if (algorithmID.MatchRest(id_sha512)) {
+      algorithm = DigestAlgorithm::sha512;
+    } else {
+      return Result::ERROR_INVALID_ALGORITHM;
+    }
+
+    return Success;
+  });
+}
+
+Result
+SignedData(Reader& input, /*out*/ Reader& tbs,
+           /*out*/ SignedDataWithSignature& signedData)
+{
+  Reader::Mark mark(input.GetMark());
+
+  Result rv;
+  rv = ExpectTagAndGetValue(input, SEQUENCE, tbs);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = input.GetInput(mark, signedData.data);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = ExpectTagAndGetValue(input, der::SEQUENCE, signedData.algorithm);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = BitStringWithNoUnusedBits(input, signedData.signature);
+  if (rv == Result::ERROR_BAD_DER) {
+    rv = Result::ERROR_BAD_SIGNATURE;
+  }
+  return rv;
+}
+
+Result
+BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value)
+{
+  Reader valueWithUnusedBits;
+  Result rv = ExpectTagAndGetValue(input, BIT_STRING, valueWithUnusedBits);
+  if (rv != Success) {
+    return rv;
+  }
+
+  uint8_t unusedBitsAtEnd;
+  if (valueWithUnusedBits.Read(unusedBitsAtEnd) != Success) {
+    return Result::ERROR_BAD_DER;
+  }
+  // XXX: Really the constraint should be that unusedBitsAtEnd must be less
+  // than 7. But, we suspect there are no real-world values in OCSP responses
+  // or certificates with non-zero unused bits. It seems like NSS assumes this
+  // in various places, so we enforce it too in order to simplify this code. If
+  // we find compatibility issues, we'll know we're wrong and we'll have to
+  // figure out how to shift the bits around.
+  if (unusedBitsAtEnd != 0) {
+    return Result::ERROR_BAD_DER;
+  }
+  return valueWithUnusedBits.SkipToEnd(value);
+}
+
+static inline Result
+ReadDigit(Reader& input, /*out*/ unsigned int& value)
+{
+  uint8_t b;
+  if (input.Read(b) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  if (b < '0' || b > '9') {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  value = static_cast<unsigned int>(b - static_cast<uint8_t>('0'));
+  return Success;
+}
+
+static inline Result
+ReadTwoDigits(Reader& input, unsigned int minValue, unsigned int maxValue,
+              /*out*/ unsigned int& value)
+{
+  unsigned int hi;
+  Result rv = ReadDigit(input, hi);
+  if (rv != Success) {
+    return rv;
+  }
+  unsigned int lo;
+  rv = ReadDigit(input, lo);
+  if (rv != Success) {
+    return rv;
+  }
+  value = (hi * 10) + lo;
+  if (value < minValue || value > maxValue) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  return Success;
+}
+
+namespace internal {
+
+// We parse GeneralizedTime and UTCTime according to RFC 5280 and we do not
+// accept all time formats allowed in the ASN.1 spec. That is,
+// GeneralizedTime must always be in the format YYYYMMDDHHMMSSZ and UTCTime
+// must always be in the format YYMMDDHHMMSSZ. Timezone formats of the form
+// +HH:MM or -HH:MM or NOT accepted.
+Result
+TimeChoice(Reader& tagged, uint8_t expectedTag, /*out*/ Time& time)
+{
+  unsigned int days;
+
+  Reader input;
+  Result rv = ExpectTagAndGetValue(tagged, expectedTag, input);
+  if (rv != Success) {
+    return rv;
+  }
+
+  unsigned int yearHi;
+  unsigned int yearLo;
+  if (expectedTag == GENERALIZED_TIME) {
+    rv = ReadTwoDigits(input, 0, 99, yearHi);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = ReadTwoDigits(input, 0, 99, yearLo);
+    if (rv != Success) {
+      return rv;
+    }
+  } else if (expectedTag == UTCTime) {
+    rv = ReadTwoDigits(input, 0, 99, yearLo);
+    if (rv != Success) {
+      return rv;
+    }
+    yearHi = yearLo >= 50u ? 19u : 20u;
+  } else {
+    return NotReached("invalid tag given to TimeChoice",
+                      Result::ERROR_INVALID_DER_TIME);
+  }
+  unsigned int year = (yearHi * 100u) + yearLo;
+  if (year < 1970u) {
+    // We don't support dates before January 1, 1970 because that is the epoch.
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  days = DaysBeforeYear(year);
+
+  unsigned int month;
+  rv = ReadTwoDigits(input, 1u, 12u, month);
+  if (rv != Success) {
+    return rv;
+  }
+  unsigned int daysInMonth;
+  static const unsigned int jan = 31u;
+  const unsigned int feb = ((year % 4u == 0u) &&
+                           ((year % 100u != 0u) || (year % 400u == 0u)))
+                         ? 29u
+                         : 28u;
+  static const unsigned int mar = 31u;
+  static const unsigned int apr = 30u;
+  static const unsigned int may = 31u;
+  static const unsigned int jun = 30u;
+  static const unsigned int jul = 31u;
+  static const unsigned int aug = 31u;
+  static const unsigned int sep = 30u;
+  static const unsigned int oct = 31u;
+  static const unsigned int nov = 30u;
+  static const unsigned int dec = 31u;
+  switch (month) {
+    case 1:  daysInMonth = jan; break;
+    case 2:  daysInMonth = feb; days += jan; break;
+    case 3:  daysInMonth = mar; days += jan + feb; break;
+    case 4:  daysInMonth = apr; days += jan + feb + mar; break;
+    case 5:  daysInMonth = may; days += jan + feb + mar + apr; break;
+    case 6:  daysInMonth = jun; days += jan + feb + mar + apr + may; break;
+    case 7:  daysInMonth = jul; days += jan + feb + mar + apr + may + jun;
+             break;
+    case 8:  daysInMonth = aug; days += jan + feb + mar + apr + may + jun +
+                                        jul;
+             break;
+    case 9:  daysInMonth = sep; days += jan + feb + mar + apr + may + jun +
+                                        jul + aug;
+             break;
+    case 10: daysInMonth = oct; days += jan + feb + mar + apr + may + jun +
+                                        jul + aug + sep;
+             break;
+    case 11: daysInMonth = nov; days += jan + feb + mar + apr + may + jun +
+                                        jul + aug + sep + oct;
+             break;
+    case 12: daysInMonth = dec; days += jan + feb + mar + apr + may + jun +
+                                        jul + aug + sep + oct + nov;
+             break;
+    default:
+      return NotReached("month already bounds-checked by ReadTwoDigits",
+                        Result::FATAL_ERROR_INVALID_STATE);
+  }
+
+  unsigned int dayOfMonth;
+  rv = ReadTwoDigits(input, 1u, daysInMonth, dayOfMonth);
+  if (rv != Success) {
+    return rv;
+  }
+  days += dayOfMonth - 1;
+
+  unsigned int hours;
+  rv = ReadTwoDigits(input, 0u, 23u, hours);
+  if (rv != Success) {
+    return rv;
+  }
+  unsigned int minutes;
+  rv = ReadTwoDigits(input, 0u, 59u, minutes);
+  if (rv != Success) {
+    return rv;
+  }
+  unsigned int seconds;
+  rv = ReadTwoDigits(input, 0u, 59u, seconds);
+  if (rv != Success) {
+    return rv;
+  }
+
+  uint8_t b;
+  if (input.Read(b) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  if (b != 'Z') {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+  if (End(input) != Success) {
+    return Result::ERROR_INVALID_DER_TIME;
+  }
+
+  uint64_t totalSeconds = (static_cast<uint64_t>(days) * 24u * 60u * 60u) +
+                          (static_cast<uint64_t>(hours)      * 60u * 60u) +
+                          (static_cast<uint64_t>(minutes)          * 60u) +
+                          seconds;
+
+  time = TimeFromElapsedSecondsAD(totalSeconds);
+  return Success;
+}
+
+Result
+IntegralBytes(Reader& input, uint8_t tag,
+              IntegralValueRestriction valueRestriction,
+              /*out*/ Input& value,
+              /*optional out*/ Input::size_type* significantBytes)
+{
+  Result rv = ExpectTagAndGetValue(input, tag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  Reader reader(value);
+
+  // There must be at least one byte in the value. (Zero is encoded with a
+  // single 0x00 value byte.)
+  uint8_t firstByte;
+  rv = reader.Read(firstByte);
+  if (rv != Success) {
+    if (rv == Result::ERROR_BAD_DER) {
+      return Result::ERROR_INVALID_INTEGER_ENCODING;
+    }
+
+    return rv;
+  }
+
+  // If there is a byte after an initial 0x00/0xFF, then the initial byte
+  // indicates a positive/negative integer value with its high bit set/unset.
+  bool prefixed = !reader.AtEnd() && (firstByte == 0 || firstByte == 0xff);
+
+  if (prefixed) {
+    uint8_t nextByte;
+    if (reader.Read(nextByte) != Success) {
+      return NotReached("Read of one byte failed but not at end.",
+                        Result::FATAL_ERROR_LIBRARY_FAILURE);
+    }
+    if ((firstByte & 0x80) == (nextByte & 0x80)) {
+      return Result::ERROR_INVALID_INTEGER_ENCODING;
+    }
+  }
+
+  switch (valueRestriction) {
+    case IntegralValueRestriction::MustBe0To127:
+      if (value.GetLength() != 1 || (firstByte & 0x80) != 0) {
+        return Result::ERROR_INVALID_INTEGER_ENCODING;
+      }
+      break;
+
+    case IntegralValueRestriction::MustBePositive:
+      if ((value.GetLength() == 1 && firstByte == 0) ||
+          (firstByte & 0x80) != 0) {
+        return Result::ERROR_INVALID_INTEGER_ENCODING;
+      }
+      break;
+
+    case IntegralValueRestriction::NoRestriction:
+      break;
+  }
+
+  if (significantBytes) {
+    *significantBytes = value.GetLength();
+    if (prefixed) {
+      assert(*significantBytes > 1);
+      --*significantBytes;
+    }
+
+    assert(*significantBytes > 0);
+  }
+
+  return Success;
+}
+
+// This parser will only parse values between 0..127. If this range is
+// increased then callers will need to be changed.
+Result
+IntegralValue(Reader& input, uint8_t tag, /*out*/ uint8_t& value)
+{
+  // Conveniently, all the Integers that we actually have to be able to parse
+  // are positive and very small. Consequently, this parser is *much* simpler
+  // than a general Integer parser would need to be.
+  Input valueBytes;
+  Result rv = IntegralBytes(input, tag, IntegralValueRestriction::MustBe0To127,
+                            valueBytes, nullptr);
+  if (rv != Success) {
+    return rv;
+  }
+  Reader valueReader(valueBytes);
+  rv = valueReader.Read(value);
+  if (rv != Success) {
+    return NotReached("IntegralBytes already validated the value.", rv);
+  }
+  rv = End(valueReader);
+  assert(rv == Success); // guaranteed by IntegralBytes's range checks.
+  return rv;
+}
+
+} // namespace internal
+
+Result
+OptionalVersion(Reader& input, /*out*/ Version& version)
+{
+  static const uint8_t TAG = CONTEXT_SPECIFIC | CONSTRUCTED | 0;
+  if (!input.Peek(TAG)) {
+    version = Version::v1;
+    return Success;
+  }
+  return Nested(input, TAG, [&version](Reader& value) -> Result {
+    uint8_t integerValue;
+    Result rv = Integer(value, integerValue);
+    if (rv != Success) {
+      return rv;
+    }
+    // XXX(bug 1031093): We shouldn't accept an explicit encoding of v1,
+    // but we do here for compatibility reasons.
+    switch (integerValue) {
+      case static_cast<uint8_t>(Version::v3): version = Version::v3; break;
+      case static_cast<uint8_t>(Version::v2): version = Version::v2; break;
+      case static_cast<uint8_t>(Version::v1): version = Version::v1; break;
+      case static_cast<uint8_t>(Version::v4): version = Version::v4; break;
+      default:
+        return Result::ERROR_BAD_DER;
+    }
+    return Success;
+  });
+}
+
+} } } // namespace mozilla::pkix::der
diff --git a/security/nss/lib/mozpkix/lib/pkixnames.cpp b/security/nss/lib/mozpkix/lib/pkixnames.cpp
new file mode 100644
index 0000000000..6f40800d7e
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixnames.cpp
@@ -0,0 +1,2050 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This code implements RFC6125-ish name matching, RFC5280-ish name constraint
+// checking, and related things.
+//
+// In this code, identifiers are classified as either "presented" or
+// "reference" identifiers are defined in
+// http://tools.ietf.org/html/rfc6125#section-1.8. A "presented identifier" is
+// one in the subjectAltName of the certificate, or sometimes within a CN of
+// the certificate's subject. The "reference identifier" is the one we are
+// being asked to match the certificate against. When checking name
+// constraints, the reference identifier is the entire encoded name constraint
+// extension value.
+
+#include <algorithm>
+
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+namespace {
+
+// GeneralName ::= CHOICE {
+//      otherName                       [0]     OtherName,
+//      rfc822Name                      [1]     IA5String,
+//      dNSName                         [2]     IA5String,
+//      x400Address                     [3]     ORAddress,
+//      directoryName                   [4]     Name,
+//      ediPartyName                    [5]     EDIPartyName,
+//      uniformResourceIdentifier       [6]     IA5String,
+//      iPAddress                       [7]     OCTET STRING,
+//      registeredID                    [8]     OBJECT IDENTIFIER }
+enum class GeneralNameType : uint8_t
+{
+  // Note that these values are NOT contiguous. Some values have the
+  // der::CONSTRUCTED bit set while others do not.
+  // (The der::CONSTRUCTED bit is for types where the value is a SEQUENCE.)
+  otherName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+  rfc822Name = der::CONTEXT_SPECIFIC | 1,
+  dNSName = der::CONTEXT_SPECIFIC | 2,
+  x400Address = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3,
+  directoryName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 4,
+  ediPartyName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 5,
+  uniformResourceIdentifier = der::CONTEXT_SPECIFIC | 6,
+  iPAddress = der::CONTEXT_SPECIFIC | 7,
+  registeredID = der::CONTEXT_SPECIFIC | 8,
+  // nameConstraints is a pseudo-GeneralName used to signify that a
+  // reference ID is actually the entire name constraint extension.
+  nameConstraints = 0xff
+};
+
+inline Result
+ReadGeneralName(Reader& reader,
+                /*out*/ GeneralNameType& generalNameType,
+                /*out*/ Input& value)
+{
+  uint8_t tag;
+  Result rv = der::ReadTagAndGetValue(reader, tag, value);
+  if (rv != Success) {
+    return rv;
+  }
+  switch (tag) {
+    case static_cast<uint8_t>(GeneralNameType::otherName):
+      generalNameType = GeneralNameType::otherName;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::rfc822Name):
+      generalNameType = GeneralNameType::rfc822Name;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::dNSName):
+      generalNameType = GeneralNameType::dNSName;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::x400Address):
+      generalNameType = GeneralNameType::x400Address;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::directoryName):
+      generalNameType = GeneralNameType::directoryName;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::ediPartyName):
+      generalNameType = GeneralNameType::ediPartyName;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::uniformResourceIdentifier):
+      generalNameType = GeneralNameType::uniformResourceIdentifier;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::iPAddress):
+      generalNameType = GeneralNameType::iPAddress;
+      break;
+    case static_cast<uint8_t>(GeneralNameType::registeredID):
+      generalNameType = GeneralNameType::registeredID;
+      break;
+    default:
+      return Result::ERROR_BAD_DER;
+  }
+  return Success;
+}
+
+enum class MatchResult
+{
+  NoNamesOfGivenType = 0,
+  Mismatch = 1,
+  Match = 2
+};
+
+Result SearchNames(const Input* subjectAltName, Input subject,
+                   GeneralNameType referenceIDType,
+                   Input referenceID,
+                   FallBackToSearchWithinSubject fallBackToCommonName,
+                   /*out*/ MatchResult& match);
+Result SearchWithinRDN(Reader& rdn,
+                       GeneralNameType referenceIDType,
+                       Input referenceID,
+                       FallBackToSearchWithinSubject fallBackToEmailAddress,
+                       FallBackToSearchWithinSubject fallBackToCommonName,
+                       /*in/out*/ MatchResult& match);
+Result MatchAVA(Input type,
+                uint8_t valueEncodingTag,
+                Input presentedID,
+                GeneralNameType referenceIDType,
+                Input referenceID,
+                FallBackToSearchWithinSubject fallBackToEmailAddress,
+                FallBackToSearchWithinSubject fallBackToCommonName,
+                /*in/out*/ MatchResult& match);
+Result ReadAVA(Reader& rdn,
+               /*out*/ Input& type,
+               /*out*/ uint8_t& valueTag,
+               /*out*/ Input& value);
+void MatchSubjectPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+                                            Input presentedID,
+                                            GeneralNameType referenceIDType,
+                                            Input referenceID,
+                                            /*in/out*/ MatchResult& match);
+
+Result MatchPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+                                       Input presentedID,
+                                       GeneralNameType referenceIDType,
+                                       Input referenceID,
+                                       /*in/out*/ MatchResult& matchResult);
+Result CheckPresentedIDConformsToConstraints(GeneralNameType referenceIDType,
+                                             Input presentedID,
+                                             Input nameConstraints);
+
+uint8_t LocaleInsensitveToLower(uint8_t a);
+bool StartsWithIDNALabel(Input id);
+
+enum class IDRole
+{
+  ReferenceID = 0,
+  PresentedID = 1,
+  NameConstraint = 2,
+};
+
+enum class AllowWildcards { No = 0, Yes = 1 };
+
+// DNSName constraints implicitly allow subdomain matching when there is no
+// leading dot ("foo.example.com" matches a constraint of "example.com"), but
+// RFC822Name constraints only allow subdomain matching when there is a leading
+// dot ("foo.example.com" does not match "example.com" but does match
+// ".example.com").
+enum class AllowDotlessSubdomainMatches { No = 0, Yes = 1 };
+
+bool IsValidDNSID(Input hostname, IDRole idRole,
+                  AllowWildcards allowWildcards);
+
+Result MatchPresentedDNSIDWithReferenceDNSID(
+         Input presentedDNSID,
+         AllowWildcards allowWildcards,
+         AllowDotlessSubdomainMatches allowDotlessSubdomainMatches,
+         IDRole referenceDNSIDRole,
+         Input referenceDNSID,
+         /*out*/ bool& matches);
+
+Result MatchPresentedRFC822NameWithReferenceRFC822Name(
+         Input presentedRFC822Name, IDRole referenceRFC822NameRole,
+         Input referenceRFC822Name, /*out*/ bool& matches);
+
+} // namespace
+
+bool IsValidReferenceDNSID(Input hostname);
+bool IsValidPresentedDNSID(Input hostname);
+bool ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4]);
+bool ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16]);
+
+// This is used by the pkixnames_tests.cpp tests.
+Result
+MatchPresentedDNSIDWithReferenceDNSID(Input presentedDNSID,
+                                      Input referenceDNSID,
+                                      /*out*/ bool& matches)
+{
+  return MatchPresentedDNSIDWithReferenceDNSID(
+           presentedDNSID, AllowWildcards::Yes,
+           AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID,
+           referenceDNSID, matches);
+}
+
+// Verify that the given end-entity cert, which is assumed to have been already
+// validated with BuildCertChain, is valid for the given hostname. hostname is
+// assumed to be a string representation of an IPv4 address, an IPv6 addresss,
+// or a normalized ASCII (possibly punycode) DNS name.
+Result
+CheckCertHostname(Input endEntityCertDER, Input hostname,
+                  NameMatchingPolicy& nameMatchingPolicy)
+{
+  BackCert cert(endEntityCertDER, EndEntityOrCA::MustBeEndEntity, nullptr);
+  Result rv = cert.Init();
+  if (rv != Success) {
+    return rv;
+  }
+
+  Time notBefore(Time::uninitialized);
+  rv = ParseValidity(cert.GetValidity(), &notBefore);
+  if (rv != Success) {
+    return rv;
+  }
+  FallBackToSearchWithinSubject fallBackToSearchWithinSubject;
+  rv = nameMatchingPolicy.FallBackToCommonName(notBefore,
+                                               fallBackToSearchWithinSubject);
+  if (rv != Success) {
+    return rv;
+  }
+
+  const Input* subjectAltName(cert.GetSubjectAltName());
+  Input subject(cert.GetSubject());
+
+  // For backward compatibility with legacy certificates, we may fall back to
+  // searching for a name match in the subject common name for DNS names and
+  // IPv4 addresses. We don't do so for IPv6 addresses because we do not think
+  // there are many certificates that would need such fallback, and because
+  // comparisons of string representations of IPv6 addresses are particularly
+  // error prone due to the syntactic flexibility that IPv6 addresses have.
+  //
+  // IPv4 and IPv6 addresses are represented using the same type of GeneralName
+  // (iPAddress); they are differentiated by the lengths of the values.
+  MatchResult match;
+  uint8_t ipv6[16];
+  uint8_t ipv4[4];
+  if (IsValidReferenceDNSID(hostname)) {
+    rv = SearchNames(subjectAltName, subject, GeneralNameType::dNSName,
+                     hostname, fallBackToSearchWithinSubject, match);
+  } else if (ParseIPv6Address(hostname, ipv6)) {
+    rv = SearchNames(subjectAltName, subject, GeneralNameType::iPAddress,
+                     Input(ipv6), FallBackToSearchWithinSubject::No, match);
+  } else if (ParseIPv4Address(hostname, ipv4)) {
+    rv = SearchNames(subjectAltName, subject, GeneralNameType::iPAddress,
+                     Input(ipv4), fallBackToSearchWithinSubject, match);
+  } else {
+    return Result::ERROR_BAD_CERT_DOMAIN;
+  }
+  if (rv != Success) {
+    return rv;
+  }
+  switch (match) {
+    case MatchResult::NoNamesOfGivenType: // fall through
+    case MatchResult::Mismatch:
+      return Result::ERROR_BAD_CERT_DOMAIN;
+    case MatchResult::Match:
+      return Success;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+// 4.2.1.10. Name Constraints
+Result
+CheckNameConstraints(Input encodedNameConstraints,
+                     const BackCert& firstChild,
+                     KeyPurposeId requiredEKUIfPresent)
+{
+  for (const BackCert* child = &firstChild; child; child = child->childCert) {
+    FallBackToSearchWithinSubject fallBackToCommonName
+      = (child->endEntityOrCA == EndEntityOrCA::MustBeEndEntity &&
+         requiredEKUIfPresent == KeyPurposeId::id_kp_serverAuth)
+      ? FallBackToSearchWithinSubject::Yes
+      : FallBackToSearchWithinSubject::No;
+
+    MatchResult match;
+    Result rv = SearchNames(child->GetSubjectAltName(), child->GetSubject(),
+                            GeneralNameType::nameConstraints,
+                            encodedNameConstraints, fallBackToCommonName,
+                            match);
+    if (rv != Success) {
+      return rv;
+    }
+    switch (match) {
+      case MatchResult::Match: // fall through
+      case MatchResult::NoNamesOfGivenType:
+        break;
+      case MatchResult::Mismatch:
+        return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+    }
+  }
+
+  return Success;
+}
+
+namespace {
+
+// SearchNames is used by CheckCertHostname and CheckNameConstraints.
+//
+// When called during name constraint checking, referenceIDType is
+// GeneralNameType::nameConstraints and referenceID is the entire encoded name
+// constraints extension value.
+//
+// The main benefit of using the exact same code paths for both is that we
+// ensure consistency between name validation and name constraint enforcement
+// regarding thing like "Which CN attributes should be considered as potential
+// CN-IDs" and "Which character sets are acceptable for CN-IDs?" If the name
+// matching and the name constraint enforcement logic were out of sync on these
+// issues (e.g. if name matching were to consider all subject CN attributes,
+// but name constraints were only enforced on the most specific subject CN),
+// trivial name constraint bypasses could result.
+
+Result
+SearchNames(/*optional*/ const Input* subjectAltName,
+            Input subject,
+            GeneralNameType referenceIDType,
+            Input referenceID,
+            FallBackToSearchWithinSubject fallBackToCommonName,
+            /*out*/ MatchResult& match)
+{
+  Result rv;
+
+  match = MatchResult::NoNamesOfGivenType;
+
+  // RFC 6125 says "A client MUST NOT seek a match for a reference identifier
+  // of CN-ID if the presented identifiers include a DNS-ID, SRV-ID, URI-ID, or
+  // any application-specific identifier types supported by the client."
+  // Accordingly, we only consider CN-IDs if there are no DNS-IDs in the
+  // subjectAltName.
+  //
+  // RFC 6125 says that IP addresses are out of scope, but for backward
+  // compatibility we accept them, by considering IP addresses to be an
+  // "application-specific identifier type supported by the client."
+  //
+  // TODO(bug XXXXXXX): Consider strengthening this check to "A client MUST NOT
+  // seek a match for a reference identifier of CN-ID if the certificate
+  // contains a subjectAltName extension."
+  //
+  // TODO(bug XXXXXXX): Consider dropping support for IP addresses as
+  // identifiers completely.
+
+  if (subjectAltName) {
+    Reader altNames;
+    rv = der::ExpectTagAndGetValueAtEnd(*subjectAltName, der::SEQUENCE,
+                                        altNames);
+    if (rv != Success) {
+      return rv;
+    }
+
+    // According to RFC 5280, "If the subjectAltName extension is present, the
+    // sequence MUST contain at least one entry." For compatibility reasons, we
+    // do not enforce this. See bug 1143085.
+    while (!altNames.AtEnd()) {
+      GeneralNameType presentedIDType;
+      Input presentedID;
+      rv = ReadGeneralName(altNames, presentedIDType, presentedID);
+      if (rv != Success) {
+        return rv;
+      }
+
+      rv = MatchPresentedIDWithReferenceID(presentedIDType, presentedID,
+                                           referenceIDType, referenceID,
+                                           match);
+      if (rv != Success) {
+        return rv;
+      }
+      if (referenceIDType != GeneralNameType::nameConstraints &&
+          match == MatchResult::Match) {
+        return Success;
+      }
+      if (presentedIDType == GeneralNameType::dNSName ||
+          presentedIDType == GeneralNameType::iPAddress) {
+        fallBackToCommonName = FallBackToSearchWithinSubject::No;
+      }
+    }
+  }
+
+  if (referenceIDType == GeneralNameType::nameConstraints) {
+    rv = CheckPresentedIDConformsToConstraints(GeneralNameType::directoryName,
+                                               subject, referenceID);
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  FallBackToSearchWithinSubject fallBackToEmailAddress;
+  if (!subjectAltName &&
+      (referenceIDType == GeneralNameType::rfc822Name ||
+       referenceIDType == GeneralNameType::nameConstraints)) {
+    fallBackToEmailAddress = FallBackToSearchWithinSubject::Yes;
+  } else {
+    fallBackToEmailAddress = FallBackToSearchWithinSubject::No;
+  }
+
+  // Short-circuit the parsing of the subject name if we're not going to match
+  // any names in it
+  if (fallBackToEmailAddress == FallBackToSearchWithinSubject::No &&
+      fallBackToCommonName == FallBackToSearchWithinSubject::No) {
+    return Success;
+  }
+
+  // Attempt to match the reference ID against the CN-ID, which we consider to
+  // be the most-specific CN AVA in the subject field.
+  //
+  // https://tools.ietf.org/html/rfc6125#section-2.3.1 says:
+  //
+  //   To reduce confusion, in this specification we avoid such terms and
+  //   instead use the terms provided under Section 1.8; in particular, we
+  //   do not use the term "(most specific) Common Name field in the subject
+  //   field" from [HTTP-TLS] and instead state that a CN-ID is a Relative
+  //   Distinguished Name (RDN) in the certificate subject containing one
+  //   and only one attribute-type-and-value pair of type Common Name (thus
+  //   removing the possibility that an RDN might contain multiple AVAs
+  //   (Attribute Value Assertions) of type CN, one of which could be
+  //   considered "most specific").
+  //
+  // https://tools.ietf.org/html/rfc6125#section-7.4 says:
+  //
+  //   [...] Although it would be preferable to
+  //   forbid multiple CN-IDs entirely, there are several reasons at this
+  //   time why this specification states that they SHOULD NOT (instead of
+  //   MUST NOT) be included [...]
+  //
+  // Consequently, it is unclear what to do when there are multiple CNs in the
+  // subject, regardless of whether there "SHOULD NOT" be.
+  //
+  // NSS's CERT_VerifyCertName mostly follows RFC2818 in this instance, which
+  // says:
+  //
+  //   If a subjectAltName extension of type dNSName is present, that MUST
+  //   be used as the identity. Otherwise, the (most specific) Common Name
+  //   field in the Subject field of the certificate MUST be used.
+  //
+  //   [...]
+  //
+  //   In some cases, the URI is specified as an IP address rather than a
+  //   hostname. In this case, the iPAddress subjectAltName must be present
+  //   in the certificate and must exactly match the IP in the URI.
+  //
+  // (The main difference from RFC2818 is that NSS's CERT_VerifyCertName also
+  // matches IP addresses in the most-specific CN.)
+  //
+  // NSS's CERT_VerifyCertName finds the most specific CN via
+  // CERT_GetCommoName, which uses CERT_GetLastNameElement. Note that many
+  // NSS-based applications, including Gecko, also use CERT_GetCommonName. It
+  // is likely that other, non-NSS-based, applications also expect only the
+  // most specific CN to be matched against the reference ID.
+  //
+  // "A Layman's Guide to a Subset of ASN.1, BER, and DER" and other sources
+  // agree that an RDNSequence is ordered from most significant (least
+  // specific) to least significant (most specific), as do other references.
+  //
+  // However, Chromium appears to use the least-specific (first) CN instead of
+  // the most-specific; see https://crbug.com/366957. Also, MSIE and some other
+  // popular implementations apparently attempt to match the reference ID
+  // against any/all CNs in the subject. Since we're trying to phase out the
+  // use of CN-IDs, we intentionally avoid trying to match MSIE's more liberal
+  // behavior.
+
+  // Name ::= CHOICE { -- only one possibility for now --
+  //   rdnSequence  RDNSequence }
+  //
+  // RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+  //
+  // RelativeDistinguishedName ::=
+  //   SET SIZE (1..MAX) OF AttributeTypeAndValue
+  Reader subjectReader(subject);
+  return der::NestedOf(subjectReader, der::SEQUENCE, der::SET,
+                       der::EmptyAllowed::Yes, [&](Reader& r) {
+    return SearchWithinRDN(r, referenceIDType, referenceID,
+                          fallBackToEmailAddress, fallBackToCommonName, match);
+  });
+}
+
+// RelativeDistinguishedName ::=
+//   SET SIZE (1..MAX) OF AttributeTypeAndValue
+//
+// AttributeTypeAndValue ::= SEQUENCE {
+//   type     AttributeType,
+//   value    AttributeValue }
+Result
+SearchWithinRDN(Reader& rdn,
+                GeneralNameType referenceIDType,
+                Input referenceID,
+                FallBackToSearchWithinSubject fallBackToEmailAddress,
+                FallBackToSearchWithinSubject fallBackToCommonName,
+                /*in/out*/ MatchResult& match)
+{
+  do {
+    Input type;
+    uint8_t valueTag;
+    Input value;
+    Result rv = ReadAVA(rdn, type, valueTag, value);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = MatchAVA(type, valueTag, value, referenceIDType, referenceID,
+                  fallBackToEmailAddress, fallBackToCommonName, match);
+    if (rv != Success) {
+      return rv;
+    }
+  } while (!rdn.AtEnd());
+
+  return Success;
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+//   type     AttributeType,
+//   value    AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+//
+// DirectoryString ::= CHOICE {
+//       teletexString           TeletexString (SIZE (1..MAX)),
+//       printableString         PrintableString (SIZE (1..MAX)),
+//       universalString         UniversalString (SIZE (1..MAX)),
+//       utf8String              UTF8String (SIZE (1..MAX)),
+//       bmpString               BMPString (SIZE (1..MAX)) }
+Result
+MatchAVA(Input type, uint8_t valueEncodingTag, Input presentedID,
+         GeneralNameType referenceIDType,
+         Input referenceID,
+         FallBackToSearchWithinSubject fallBackToEmailAddress,
+         FallBackToSearchWithinSubject fallBackToCommonName,
+         /*in/out*/ MatchResult& match)
+{
+  // Try to match the  CN as a DNSName or an IPAddress.
+  //
+  // id-at-commonName        AttributeType ::= { id-at 3 }
+  //
+  // -- Naming attributes of type X520CommonName:
+  // --   X520CommonName ::= DirectoryName (SIZE (1..ub-common-name))
+  // --
+  // -- Expanded to avoid parameterized type:
+  // X520CommonName ::= CHOICE {
+  //       teletexString     TeletexString   (SIZE (1..ub-common-name)),
+  //       printableString   PrintableString (SIZE (1..ub-common-name)),
+  //       universalString   UniversalString (SIZE (1..ub-common-name)),
+  //       utf8String        UTF8String      (SIZE (1..ub-common-name)),
+  //       bmpString         BMPString       (SIZE (1..ub-common-name)) }
+  //
+  // python DottedOIDToCode.py id-at-commonName 2.5.4.3
+  static const uint8_t id_at_commonName[] = {
+    0x55, 0x04, 0x03
+  };
+  if (fallBackToCommonName == FallBackToSearchWithinSubject::Yes &&
+      InputsAreEqual(type, Input(id_at_commonName))) {
+    // We might have previously found a match. Now that we've found another CN,
+    // we no longer consider that previous match to be a match, so "forget" about
+    // it.
+    match = MatchResult::NoNamesOfGivenType;
+
+    // PrintableString is a subset of ASCII that contains all the characters
+    // allowed in CN-IDs except '*'. Although '*' is illegal, there are many
+    // real-world certificates that are encoded this way, so we accept it.
+    //
+    // In the case of UTF8String, we rely on the fact that in UTF-8 the octets in
+    // a multi-byte encoding of a code point are always distinct from ASCII. Any
+    // non-ASCII byte in a UTF-8 string causes us to fail to match. We make no
+    // attempt to detect or report malformed UTF-8 (e.g. incomplete or overlong
+    // encodings of code points, or encodings of invalid code points).
+    //
+    // TeletexString is supported as long as it does not contain any escape
+    // sequences, which are not supported. We'll reject escape sequences as
+    // invalid characters in names, which means we only accept strings that are
+    // in the default character set, which is a superset of ASCII. Note that NSS
+    // actually treats TeletexString as ISO-8859-1. Many certificates that have
+    // wildcard CN-IDs (e.g. "*.example.com") use TeletexString because
+    // PrintableString is defined to not allow '*' and because, at one point in
+    // history, UTF8String was too new to use for compatibility reasons.
+    //
+    // UniversalString and BMPString are also deprecated, and they are a little
+    // harder to support because they are not single-byte ASCII superset
+    // encodings, so we don't bother.
+    if (valueEncodingTag != der::PrintableString &&
+        valueEncodingTag != der::UTF8String &&
+        valueEncodingTag != der::TeletexString) {
+      return Success;
+    }
+
+    if (IsValidPresentedDNSID(presentedID)) {
+      MatchSubjectPresentedIDWithReferenceID(GeneralNameType::dNSName,
+                                             presentedID, referenceIDType,
+                                             referenceID, match);
+    } else {
+      // We don't match CN-IDs for IPv6 addresses.
+      // MatchSubjectPresentedIDWithReferenceID ensures that it won't match an
+      // IPv4 address with an IPv6 address, so we don't need to check that
+      // referenceID is an IPv4 address here.
+      uint8_t ipv4[4];
+      if (ParseIPv4Address(presentedID, ipv4)) {
+        MatchSubjectPresentedIDWithReferenceID(GeneralNameType::iPAddress,
+                                               Input(ipv4), referenceIDType,
+                                               referenceID, match);
+      }
+    }
+
+    // Regardless of whether there was a match, we keep going in case we find
+    // another CN later. If we do find another one, then this match/mismatch
+    // will be ignored, because we only care about the most specific CN.
+
+    return Success;
+  }
+
+  // Match an email address against an emailAddress attribute in the
+  // subject.
+  //
+  // id-emailAddress      AttributeType ::= { pkcs-9 1 }
+  //
+  // EmailAddress ::=     IA5String (SIZE (1..ub-emailaddress-length))
+  //
+  // python DottedOIDToCode.py id-emailAddress 1.2.840.113549.1.9.1
+  static const uint8_t id_emailAddress[] = {
+    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01
+  };
+  if (fallBackToEmailAddress == FallBackToSearchWithinSubject::Yes &&
+      InputsAreEqual(type, Input(id_emailAddress))) {
+    if (referenceIDType == GeneralNameType::rfc822Name &&
+        match == MatchResult::Match) {
+      // We already found a match; we don't need to match another one
+      return Success;
+    }
+    if (valueEncodingTag != der::IA5String) {
+      return Result::ERROR_BAD_DER;
+    }
+    return MatchPresentedIDWithReferenceID(GeneralNameType::rfc822Name,
+                                           presentedID, referenceIDType,
+                                           referenceID, match);
+  }
+
+  return Success;
+}
+
+void
+MatchSubjectPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+                                       Input presentedID,
+                                       GeneralNameType referenceIDType,
+                                       Input referenceID,
+                                       /*in/out*/ MatchResult& match)
+{
+  Result rv = MatchPresentedIDWithReferenceID(presentedIDType, presentedID,
+                                              referenceIDType, referenceID,
+                                              match);
+  if (rv != Success) {
+    match = MatchResult::Mismatch;
+  }
+}
+
+Result
+MatchPresentedIDWithReferenceID(GeneralNameType presentedIDType,
+                                Input presentedID,
+                                GeneralNameType referenceIDType,
+                                Input referenceID,
+                                /*out*/ MatchResult& matchResult)
+{
+  if (referenceIDType == GeneralNameType::nameConstraints) {
+    // matchResult is irrelevant when checking name constraints; only the
+    // pass/fail result of CheckPresentedIDConformsToConstraints matters.
+    return CheckPresentedIDConformsToConstraints(presentedIDType, presentedID,
+                                                 referenceID);
+  }
+
+  if (presentedIDType != referenceIDType) {
+    matchResult = MatchResult::Mismatch;
+    return Success;
+  }
+
+  Result rv;
+  bool foundMatch;
+
+  switch (referenceIDType) {
+    case GeneralNameType::dNSName:
+      rv = MatchPresentedDNSIDWithReferenceDNSID(
+             presentedID, AllowWildcards::Yes,
+             AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID,
+             referenceID, foundMatch);
+      break;
+
+    case GeneralNameType::iPAddress:
+      foundMatch = InputsAreEqual(presentedID, referenceID);
+      rv = Success;
+      break;
+
+    case GeneralNameType::rfc822Name:
+      rv = MatchPresentedRFC822NameWithReferenceRFC822Name(
+             presentedID, IDRole::ReferenceID, referenceID, foundMatch);
+      break;
+
+    case GeneralNameType::directoryName:
+      // TODO: At some point, we may add APIs for matching DirectoryNames.
+      // fall through
+
+    case GeneralNameType::otherName: // fall through
+    case GeneralNameType::x400Address: // fall through
+    case GeneralNameType::ediPartyName: // fall through
+    case GeneralNameType::uniformResourceIdentifier: // fall through
+    case GeneralNameType::registeredID: // fall through
+    case GeneralNameType::nameConstraints:
+      return NotReached("unexpected nameType for SearchType::Match",
+                        Result::FATAL_ERROR_INVALID_ARGS);
+
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+ }
+
+  if (rv != Success) {
+    return rv;
+  }
+  matchResult = foundMatch ? MatchResult::Match : MatchResult::Mismatch;
+  return Success;
+}
+
+enum class NameConstraintsSubtrees : uint8_t
+{
+  permittedSubtrees = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0,
+  excludedSubtrees  = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1
+};
+
+Result CheckPresentedIDConformsToNameConstraintsSubtrees(
+         GeneralNameType presentedIDType,
+         Input presentedID,
+         Reader& nameConstraints,
+         NameConstraintsSubtrees subtreesType);
+Result MatchPresentedIPAddressWithConstraint(Input presentedID,
+                                             Input iPAddressConstraint,
+                                             /*out*/ bool& foundMatch);
+Result MatchPresentedDirectoryNameWithConstraint(
+         NameConstraintsSubtrees subtreesType, Input presentedID,
+         Input directoryNameConstraint, /*out*/ bool& matches);
+
+Result
+CheckPresentedIDConformsToConstraints(
+  GeneralNameType presentedIDType,
+  Input presentedID,
+  Input encodedNameConstraints)
+{
+  // NameConstraints ::= SEQUENCE {
+  //      permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,
+  //      excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }
+  Reader nameConstraints;
+  Result rv = der::ExpectTagAndGetValueAtEnd(encodedNameConstraints,
+                                             der::SEQUENCE, nameConstraints);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // RFC 5280 says "Conforming CAs MUST NOT issue certificates where name
+  // constraints is an empty sequence. That is, either the permittedSubtrees
+  // field or the excludedSubtrees MUST be present."
+  if (nameConstraints.AtEnd()) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  rv = CheckPresentedIDConformsToNameConstraintsSubtrees(
+         presentedIDType, presentedID, nameConstraints,
+         NameConstraintsSubtrees::permittedSubtrees);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = CheckPresentedIDConformsToNameConstraintsSubtrees(
+         presentedIDType, presentedID, nameConstraints,
+         NameConstraintsSubtrees::excludedSubtrees);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return der::End(nameConstraints);
+}
+
+Result
+CheckPresentedIDConformsToNameConstraintsSubtrees(
+  GeneralNameType presentedIDType,
+  Input presentedID,
+  Reader& nameConstraints,
+  NameConstraintsSubtrees subtreesType)
+{
+  if (!nameConstraints.Peek(static_cast<uint8_t>(subtreesType))) {
+    return Success;
+  }
+
+  Reader subtrees;
+  Result rv = der::ExpectTagAndGetValue(nameConstraints,
+                                        static_cast<uint8_t>(subtreesType),
+                                        subtrees);
+  if (rv != Success) {
+    return rv;
+  }
+
+  bool hasPermittedSubtreesMatch = false;
+  bool hasPermittedSubtreesMismatch = false;
+
+  // GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree
+  //
+  // do { ... } while(...) because subtrees isn't allowed to be empty.
+  do {
+    // GeneralSubtree ::= SEQUENCE {
+    //      base                    GeneralName,
+    //      minimum         [0]     BaseDistance DEFAULT 0,
+    //      maximum         [1]     BaseDistance OPTIONAL }
+    Reader subtree;
+    rv = ExpectTagAndGetValue(subtrees, der::SEQUENCE, subtree);
+    if (rv != Success) {
+      return rv;
+    }
+    GeneralNameType nameConstraintType;
+    Input base;
+    rv = ReadGeneralName(subtree, nameConstraintType, base);
+    if (rv != Success) {
+      return rv;
+    }
+    // http://tools.ietf.org/html/rfc5280#section-4.2.1.10: "Within this
+    // profile, the minimum and maximum fields are not used with any name
+    // forms, thus, the minimum MUST be zero, and maximum MUST be absent."
+    //
+    // Since the default value isn't allowed to be encoded according to the DER
+    // encoding rules for DEFAULT, this is equivalent to saying that neither
+    // minimum or maximum must be encoded.
+    rv = der::End(subtree);
+    if (rv != Success) {
+      return rv;
+    }
+
+    if (presentedIDType == nameConstraintType) {
+      bool matches;
+
+      switch (presentedIDType) {
+        case GeneralNameType::dNSName:
+          rv = MatchPresentedDNSIDWithReferenceDNSID(
+                 presentedID, AllowWildcards::Yes,
+                 AllowDotlessSubdomainMatches::Yes, IDRole::NameConstraint,
+                 base, matches);
+          if (rv != Success) {
+            return rv;
+          }
+          break;
+
+        case GeneralNameType::iPAddress:
+          rv = MatchPresentedIPAddressWithConstraint(presentedID, base,
+                                                     matches);
+          if (rv != Success) {
+            return rv;
+          }
+          break;
+
+        case GeneralNameType::directoryName:
+          rv = MatchPresentedDirectoryNameWithConstraint(subtreesType,
+                                                         presentedID, base,
+                                                         matches);
+          if (rv != Success) {
+            return rv;
+          }
+          break;
+
+        case GeneralNameType::rfc822Name:
+          rv = MatchPresentedRFC822NameWithReferenceRFC822Name(
+                 presentedID, IDRole::NameConstraint, base, matches);
+          if (rv != Success) {
+            return rv;
+          }
+          break;
+
+        // RFC 5280 says "Conforming CAs [...] SHOULD NOT impose name
+        // constraints on the x400Address, ediPartyName, or registeredID
+        // name forms. It also says "Applications conforming to this profile
+        // [...] SHOULD be able to process name constraints that are imposed
+        // on [...] uniformResourceIdentifier [...]", but we don't bother.
+        //
+        // TODO: Ask to have spec updated to say ""Conforming CAs [...] SHOULD
+        // NOT impose name constraints on the otherName, x400Address,
+        // ediPartyName, uniformResourceIdentifier, or registeredID name
+        // forms."
+        case GeneralNameType::otherName: // fall through
+        case GeneralNameType::x400Address: // fall through
+        case GeneralNameType::ediPartyName: // fall through
+        case GeneralNameType::uniformResourceIdentifier: // fall through
+        case GeneralNameType::registeredID: // fall through
+          return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+
+        case GeneralNameType::nameConstraints:
+          return NotReached("invalid presentedIDType",
+                            Result::FATAL_ERROR_LIBRARY_FAILURE);
+
+        MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+      }
+
+      switch (subtreesType) {
+        case NameConstraintsSubtrees::permittedSubtrees:
+          if (matches) {
+            hasPermittedSubtreesMatch = true;
+          } else {
+            hasPermittedSubtreesMismatch = true;
+          }
+          break;
+        case NameConstraintsSubtrees::excludedSubtrees:
+          if (matches) {
+            return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+          }
+          break;
+      }
+    }
+  } while (!subtrees.AtEnd());
+
+  if (hasPermittedSubtreesMismatch && !hasPermittedSubtreesMatch) {
+    // If there was any entry of the given type in permittedSubtrees, then it
+    // required that at least one of them must match. Since none of them did,
+    // we have a failure.
+    return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+  }
+
+  return Success;
+}
+
+// We do not distinguish between a syntactically-invalid presentedDNSID and one
+// that is syntactically valid but does not match referenceDNSID; in both
+// cases, the result is false.
+//
+// We assume that both presentedDNSID and referenceDNSID are encoded in such a
+// way that US-ASCII (7-bit) characters are encoded in one byte and no encoding
+// of a non-US-ASCII character contains a code point in the range 0-127. For
+// example, UTF-8 is OK but UTF-16 is not.
+//
+// RFC6125 says that a wildcard label may be of the form <x>*<y>.<DNSID>, where
+// <x> and/or <y> may be empty. However, NSS requires <y> to be empty, and we
+// follow NSS's stricter policy by accepting wildcards only of the form
+// <x>*.<DNSID>, where <x> may be empty.
+//
+// An relative presented DNS ID matches both an absolute reference ID and a
+// relative reference ID. Absolute presented DNS IDs are not supported:
+//
+//      Presented ID   Reference ID  Result
+//      -------------------------------------
+//      example.com    example.com   Match
+//      example.com.   example.com   Mismatch
+//      example.com    example.com.  Match
+//      example.com.   example.com.  Mismatch
+//
+// There are more subtleties documented inline in the code.
+//
+// Name constraints ///////////////////////////////////////////////////////////
+//
+// This is all RFC 5280 has to say about DNSName constraints:
+//
+//     DNS name restrictions are expressed as host.example.com.  Any DNS
+//     name that can be constructed by simply adding zero or more labels to
+//     the left-hand side of the name satisfies the name constraint.  For
+//     example, www.host.example.com would satisfy the constraint but
+//     host1.example.com would not.
+//
+// This lack of specificity has lead to a lot of uncertainty regarding
+// subdomain matching. In particular, the following questions have been
+// raised and answered:
+//
+//     Q: Does a presented identifier equal (case insensitive) to the name
+//        constraint match the constraint? For example, does the presented
+//        ID "host.example.com" match a "host.example.com" constraint?
+//     A: Yes. RFC5280 says "by simply adding zero or more labels" and this
+//        is the case of adding zero labels.
+//
+//     Q: When the name constraint does not start with ".", do subdomain
+//        presented identifiers match it? For example, does the presented
+//        ID "www.host.example.com" match a "host.example.com" constraint?
+//     A: Yes. RFC5280 says "by simply adding zero or more labels" and this
+//        is the case of adding more than zero labels. The example is the
+//        one from RFC 5280.
+//
+//     Q: When the name constraint does not start with ".", does a
+//        non-subdomain prefix match it? For example, does "bigfoo.bar.com"
+//        match "foo.bar.com"? [4]
+//     A: No. We interpret RFC 5280's language of "adding zero or more labels"
+//        to mean that whole labels must be prefixed.
+//
+//     (Note that the above three scenarios are the same as the RFC 6265
+//     domain matching rules [0].)
+//
+//     Q: Is a name constraint that starts with "." valid, and if so, what
+//        semantics does it have? For example, does a presented ID of
+//        "www.example.com" match a constraint of ".example.com"? Does a
+//        presented ID of "example.com" match a constraint of ".example.com"?
+//     A: This implementation, NSS[1], and SChannel[2] all support a
+//        leading ".", but OpenSSL[3] does not yet. Amongst the
+//        implementations that support it, a leading "." is legal and means
+//        the same thing as when the "." is omitted, EXCEPT that a
+//        presented identifier equal (case insensitive) to the name
+//        constraint is not matched; i.e. presented DNSName identifiers
+//        must be subdomains. Some CAs in Mozilla's CA program (e.g. HARICA)
+//        have name constraints with the leading "." in their root
+//        certificates. The name constraints imposed on DCISS by Mozilla also
+//        have the it, so supporting this is a requirement for backward
+//        compatibility, even if it is not yet standardized. So, for example, a
+//        presented ID of "www.example.com" matches a constraint of
+//        ".example.com" but a presented ID of "example.com" does not.
+//
+//     Q: Is there a way to prevent subdomain matches?
+//     A: Yes.
+//
+//        Some people have proposed that dNSName constraints that do not
+//        start with a "." should be restricted to exact (case insensitive)
+//        matches. However, such a change of semantics from what RFC5280
+//        specifies would be a non-backward-compatible change in the case of
+//        permittedSubtrees constraints, and it would be a security issue for
+//        excludedSubtrees constraints.
+//
+//        However, it can be done with a combination of permittedSubtrees and
+//        excludedSubtrees, e.g. "example.com" in permittedSubtrees and
+//        ".example.com" in excudedSubtrees.
+//
+//     Q: Are name constraints allowed to be specified as absolute names?
+//        For example, does a presented ID of "example.com" match a name
+//        constraint of "example.com." and vice versa.
+//     A: Absolute names are not supported as presented IDs or name
+//        constraints. Only reference IDs may be absolute.
+//
+//     Q: Is "" a valid DNSName constraints? If so, what does it mean?
+//     A: Yes. Any valid presented DNSName can be formed "by simply adding zero
+//        or more labels to the left-hand side" of "". In particular, an
+//        excludedSubtrees DNSName constraint of "" forbids all DNSNames.
+//
+//     Q: Is "." a valid DNSName constraints? If so, what does it mean?
+//     A: No, because absolute names are not allowed (see above).
+//
+// [0] RFC 6265 (Cookies) Domain Matching rules:
+//     http://tools.ietf.org/html/rfc6265#section-5.1.3
+// [1] NSS source code:
+//     https://mxr.mozilla.org/nss/source/lib/certdb/genname.c?rev=2a7348f013cb#1209
+// [2] Description of SChannel's behavior from Microsoft:
+//     http://www.imc.org/ietf-pkix/mail-archive/msg04668.html
+// [3] Proposal to add such support to OpenSSL:
+//     http://www.mail-archive.com/openssl-dev%40openssl.org/msg36204.html
+//     https://rt.openssl.org/Ticket/Display.html?id=3562
+// [4] Feedback on the lack of clarify in the definition that never got
+//     incorporated into the spec:
+//     https://www.ietf.org/mail-archive/web/pkix/current/msg21192.html
+Result
+MatchPresentedDNSIDWithReferenceDNSID(
+  Input presentedDNSID,
+  AllowWildcards allowWildcards,
+  AllowDotlessSubdomainMatches allowDotlessSubdomainMatches,
+  IDRole referenceDNSIDRole,
+  Input referenceDNSID,
+  /*out*/ bool& matches)
+{
+  if (!IsValidDNSID(presentedDNSID, IDRole::PresentedID, allowWildcards)) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  if (!IsValidDNSID(referenceDNSID, referenceDNSIDRole, AllowWildcards::No)) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  Reader presented(presentedDNSID);
+  Reader reference(referenceDNSID);
+
+  switch (referenceDNSIDRole)
+  {
+    case IDRole::ReferenceID:
+      break;
+
+    case IDRole::NameConstraint:
+    {
+      if (presentedDNSID.GetLength() > referenceDNSID.GetLength()) {
+        if (referenceDNSID.GetLength() == 0) {
+          // An empty constraint matches everything.
+          matches = true;
+          return Success;
+        }
+        // If the reference ID starts with a dot then skip the prefix of
+        // of the presented ID and start the comparison at the position of that
+        // dot. Examples:
+        //
+        //                                       Matches     Doesn't Match
+        //     -----------------------------------------------------------
+        //       original presented ID:  www.example.com    badexample.com
+        //                     skipped:  www                ba
+        //     presented ID w/o prefix:     .example.com      dexample.com
+        //                reference ID:     .example.com      .example.com
+        //
+        // If the reference ID does not start with a dot then we skip the
+        // prefix of the presented ID but also verify that the prefix ends with
+        // a dot. Examples:
+        //
+        //                                       Matches     Doesn't Match
+        //     -----------------------------------------------------------
+        //       original presented ID:  www.example.com    badexample.com
+        //                     skipped:  www                ba
+        //                 must be '.':     .                 d
+        //     presented ID w/o prefix:      example.com       example.com
+        //                reference ID:      example.com       example.com
+        //
+        if (reference.Peek('.')) {
+          if (presented.Skip(static_cast<Input::size_type>(
+                               presentedDNSID.GetLength() -
+                                 referenceDNSID.GetLength())) != Success) {
+            return NotReached("skipping subdomain failed",
+                              Result::FATAL_ERROR_LIBRARY_FAILURE);
+          }
+        } else if (allowDotlessSubdomainMatches ==
+                   AllowDotlessSubdomainMatches::Yes) {
+          if (presented.Skip(static_cast<Input::size_type>(
+                               presentedDNSID.GetLength() -
+                                 referenceDNSID.GetLength() - 1)) != Success) {
+            return NotReached("skipping subdomains failed",
+                              Result::FATAL_ERROR_LIBRARY_FAILURE);
+          }
+          uint8_t b;
+          if (presented.Read(b) != Success) {
+            return NotReached("reading from presentedDNSID failed",
+                              Result::FATAL_ERROR_LIBRARY_FAILURE);
+          }
+          if (b != '.') {
+            matches = false;
+            return Success;
+          }
+        }
+      }
+      break;
+    }
+
+    case IDRole::PresentedID: // fall through
+      return NotReached("IDRole::PresentedID is not a valid referenceDNSIDRole",
+                        Result::FATAL_ERROR_INVALID_ARGS);
+  }
+
+  // We only allow wildcard labels that consist only of '*'.
+  if (presented.Peek('*')) {
+    if (presented.Skip(1) != Success) {
+      return NotReached("Skipping '*' failed",
+                        Result::FATAL_ERROR_LIBRARY_FAILURE);
+    }
+    do {
+      // This will happen if reference is a single, relative label
+      if (reference.AtEnd()) {
+        matches = false;
+        return Success;
+      }
+      uint8_t referenceByte;
+      if (reference.Read(referenceByte) != Success) {
+        return NotReached("invalid reference ID",
+                          Result::FATAL_ERROR_INVALID_ARGS);
+      }
+    } while (!reference.Peek('.'));
+  }
+
+  for (;;) {
+    uint8_t presentedByte;
+    if (presented.Read(presentedByte) != Success) {
+      matches = false;
+      return Success;
+    }
+    uint8_t referenceByte;
+    if (reference.Read(referenceByte) != Success) {
+      matches = false;
+      return Success;
+    }
+    if (LocaleInsensitveToLower(presentedByte) !=
+        LocaleInsensitveToLower(referenceByte)) {
+      matches = false;
+      return Success;
+    }
+    if (presented.AtEnd()) {
+      // Don't allow presented IDs to be absolute.
+      if (presentedByte == '.') {
+        return Result::ERROR_BAD_DER;
+      }
+      break;
+    }
+  }
+
+  // Allow a relative presented DNS ID to match an absolute reference DNS ID,
+  // unless we're matching a name constraint.
+  if (!reference.AtEnd()) {
+    if (referenceDNSIDRole != IDRole::NameConstraint) {
+      uint8_t referenceByte;
+      if (reference.Read(referenceByte) != Success) {
+        return NotReached("read failed but not at end",
+                          Result::FATAL_ERROR_LIBRARY_FAILURE);
+      }
+      if (referenceByte != '.') {
+        matches = false;
+        return Success;
+      }
+    }
+    if (!reference.AtEnd()) {
+      matches = false;
+      return Success;
+    }
+  }
+
+  matches = true;
+  return Success;
+}
+
+// https://tools.ietf.org/html/rfc5280#section-4.2.1.10 says:
+//
+//     For IPv4 addresses, the iPAddress field of GeneralName MUST contain
+//     eight (8) octets, encoded in the style of RFC 4632 (CIDR) to represent
+//     an address range [RFC4632].  For IPv6 addresses, the iPAddress field
+//     MUST contain 32 octets similarly encoded.  For example, a name
+//     constraint for "class C" subnet 192.0.2.0 is represented as the
+//     octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
+//     192.0.2.0/24 (mask 255.255.255.0).
+Result
+MatchPresentedIPAddressWithConstraint(Input presentedID,
+                                      Input iPAddressConstraint,
+                                      /*out*/ bool& foundMatch)
+{
+  if (presentedID.GetLength() != 4 && presentedID.GetLength() != 16) {
+    return Result::ERROR_BAD_DER;
+  }
+  if (iPAddressConstraint.GetLength() != 8 &&
+      iPAddressConstraint.GetLength() != 32) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  // an IPv4 address never matches an IPv6 constraint, and vice versa.
+  if (presentedID.GetLength() * 2 != iPAddressConstraint.GetLength()) {
+    foundMatch = false;
+    return Success;
+  }
+
+  Reader constraint(iPAddressConstraint);
+  Reader constraintAddress;
+  Result rv = constraint.Skip(iPAddressConstraint.GetLength() / 2u,
+                              constraintAddress);
+  if (rv != Success) {
+    return rv;
+  }
+  Reader constraintMask;
+  rv = constraint.Skip(iPAddressConstraint.GetLength() / 2u, constraintMask);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(constraint);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Reader presented(presentedID);
+  do {
+    uint8_t presentedByte;
+    rv = presented.Read(presentedByte);
+    if (rv != Success) {
+      return rv;
+    }
+    uint8_t constraintAddressByte;
+    rv = constraintAddress.Read(constraintAddressByte);
+    if (rv != Success) {
+      return rv;
+    }
+    uint8_t constraintMaskByte;
+    rv = constraintMask.Read(constraintMaskByte);
+    if (rv != Success) {
+      return rv;
+    }
+    foundMatch =
+      ((presentedByte ^ constraintAddressByte) & constraintMaskByte) == 0;
+  } while (foundMatch && !presented.AtEnd());
+
+  return Success;
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+//   type     AttributeType,
+//   value    AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+Result
+ReadAVA(Reader& rdn,
+        /*out*/ Input& type,
+        /*out*/ uint8_t& valueTag,
+        /*out*/ Input& value)
+{
+  return der::Nested(rdn, der::SEQUENCE, [&](Reader& ava) -> Result {
+    Result rv = der::ExpectTagAndGetValue(ava, der::OIDTag, type);
+    if (rv != Success) {
+      return rv;
+    }
+    rv = der::ReadTagAndGetValue(ava, valueTag, value);
+    if (rv != Success) {
+      return rv;
+    }
+    return Success;
+  });
+}
+
+// Names are sequences of RDNs. RDNS are sets of AVAs. That means that RDNs are
+// unordered, so in theory we should match RDNs with equivalent AVAs that are
+// in different orders. Within the AVAs are DirectoryNames that are supposed to
+// be compared according to LDAP stringprep normalization rules (e.g.
+// normalizing whitespace), consideration of different character encodings,
+// etc. Indeed, RFC 5280 says we MUST deal with all of that.
+//
+// In practice, many implementations, including NSS, only match Names in a way
+// that only meets a subset of the requirements of RFC 5280. Those
+// normalization and character encoding conversion steps appear to be
+// unnecessary for processing real-world certificates, based on experience from
+// having used NSS in Firefox for many years.
+//
+// RFC 5280 also says "CAs issuing certificates with a restriction of the form
+// directoryName SHOULD NOT rely on implementation of the full
+// ISO DN name comparison algorithm. This implies name restrictions MUST
+// be stated identically to the encoding used in the subject field or
+// subjectAltName extension." It goes on to say, in the security
+// considerations:
+//
+//     In addition, name constraints for distinguished names MUST be stated
+//     identically to the encoding used in the subject field or
+//     subjectAltName extension.  If not, then name constraints stated as
+//     excludedSubtrees will not match and invalid paths will be accepted
+//     and name constraints expressed as permittedSubtrees will not match
+//     and valid paths will be rejected.  To avoid acceptance of invalid
+//     paths, CAs SHOULD state name constraints for distinguished names as
+//     permittedSubtrees wherever possible.
+//
+// For permittedSubtrees, the MUST-level requirement is relaxed for
+// compatibility in the case of PrintableString and UTF8String. That is, if a
+// name constraint has been encoded using UTF8String and the presented ID has
+// been encoded with a PrintableString (or vice-versa), they are considered to
+// match if they are equal everywhere except for the tag identifying the
+// encoding. See bug 1150114.
+//
+// For excludedSubtrees, we simply prohibit any non-empty directoryName
+// constraint to ensure we are not being too lenient. We support empty
+// DirectoryName constraints in excludedSubtrees so that a CA can say "Do not
+// allow any DirectoryNames in issued certificates."
+Result
+MatchPresentedDirectoryNameWithConstraint(NameConstraintsSubtrees subtreesType,
+                                          Input presentedID,
+                                          Input directoryNameConstraint,
+                                          /*out*/ bool& matches)
+{
+  Reader constraintRDNs;
+  Result rv = der::ExpectTagAndGetValueAtEnd(directoryNameConstraint,
+                                             der::SEQUENCE, constraintRDNs);
+  if (rv != Success) {
+    return rv;
+  }
+  Reader presentedRDNs;
+  rv = der::ExpectTagAndGetValueAtEnd(presentedID, der::SEQUENCE,
+                                      presentedRDNs);
+  if (rv != Success) {
+    return rv;
+  }
+
+  switch (subtreesType) {
+    case NameConstraintsSubtrees::permittedSubtrees:
+      break; // dealt with below
+    case NameConstraintsSubtrees::excludedSubtrees:
+      if (!constraintRDNs.AtEnd() || !presentedRDNs.AtEnd()) {
+        return Result::ERROR_CERT_NOT_IN_NAME_SPACE;
+      }
+      matches = true;
+      return Success;
+  }
+
+  for (;;) {
+    // The AVAs have to be fully equal, but the constraint RDNs just need to be
+    // a prefix of the presented RDNs.
+    if (constraintRDNs.AtEnd()) {
+      matches = true;
+      return Success;
+    }
+    if (presentedRDNs.AtEnd()) {
+      matches = false;
+      return Success;
+    }
+    Reader constraintRDN;
+    rv = der::ExpectTagAndGetValue(constraintRDNs, der::SET, constraintRDN);
+    if (rv != Success) {
+      return rv;
+    }
+    Reader presentedRDN;
+    rv = der::ExpectTagAndGetValue(presentedRDNs, der::SET, presentedRDN);
+    if (rv != Success) {
+      return rv;
+    }
+    while (!constraintRDN.AtEnd() && !presentedRDN.AtEnd()) {
+      Input constraintType;
+      uint8_t constraintValueTag;
+      Input constraintValue;
+      rv = ReadAVA(constraintRDN, constraintType, constraintValueTag,
+                   constraintValue);
+      if (rv != Success) {
+        return rv;
+      }
+      Input presentedType;
+      uint8_t presentedValueTag;
+      Input presentedValue;
+      rv = ReadAVA(presentedRDN, presentedType, presentedValueTag,
+                   presentedValue);
+      if (rv != Success) {
+        return rv;
+      }
+      // TODO (bug 1155767): verify that if an AVA is a PrintableString it
+      // consists only of characters valid for PrintableStrings.
+      bool avasMatch =
+        InputsAreEqual(constraintType, presentedType) &&
+        InputsAreEqual(constraintValue, presentedValue) &&
+        (constraintValueTag == presentedValueTag ||
+         (constraintValueTag == der::Tag::UTF8String &&
+          presentedValueTag == der::Tag::PrintableString) ||
+         (constraintValueTag == der::Tag::PrintableString &&
+          presentedValueTag == der::Tag::UTF8String));
+      if (!avasMatch) {
+        matches = false;
+        return Success;
+      }
+    }
+    if (!constraintRDN.AtEnd() || !presentedRDN.AtEnd()) {
+      matches = false;
+      return Success;
+    }
+  }
+}
+
+// RFC 5280 says:
+//
+//     The format of an rfc822Name is a "Mailbox" as defined in Section 4.1.2
+//     of [RFC2821]. A Mailbox has the form "Local-part@Domain".  Note that a
+//     Mailbox has no phrase (such as a common name) before it, has no comment
+//     (text surrounded in parentheses) after it, and is not surrounded by "<"
+//     and ">".  Rules for encoding Internet mail addresses that include
+//     internationalized domain names are specified in Section 7.5.
+//
+// and:
+//
+//     A name constraint for Internet mail addresses MAY specify a
+//     particular mailbox, all addresses at a particular host, or all
+//     mailboxes in a domain.  To indicate a particular mailbox, the
+//     constraint is the complete mail address.  For example,
+//     "root@example.com" indicates the root mailbox on the host
+//     "example.com".  To indicate all Internet mail addresses on a
+//     particular host, the constraint is specified as the host name.  For
+//     example, the constraint "example.com" is satisfied by any mail
+//     address at the host "example.com".  To specify any address within a
+//     domain, the constraint is specified with a leading period (as with
+//     URIs).  For example, ".example.com" indicates all the Internet mail
+//     addresses in the domain "example.com", but not Internet mail
+//     addresses on the host "example.com".
+
+bool
+IsValidRFC822Name(Input input)
+{
+  Reader reader(input);
+
+  // Local-part@.
+  bool startOfAtom = true;
+  for (;;) {
+    uint8_t presentedByte;
+    if (reader.Read(presentedByte) != Success) {
+      return false;
+    }
+    switch (presentedByte) {
+      // atext is defined in https://tools.ietf.org/html/rfc2822#section-3.2.4
+      case 'A': case 'a': case 'N': case 'n': case '0': case '!': case '#':
+      case 'B': case 'b': case 'O': case 'o': case '1': case '$': case '%':
+      case 'C': case 'c': case 'P': case 'p': case '2': case '&': case '\'':
+      case 'D': case 'd': case 'Q': case 'q': case '3': case '*': case '+':
+      case 'E': case 'e': case 'R': case 'r': case '4': case '-': case '/':
+      case 'F': case 'f': case 'S': case 's': case '5': case '=': case '?':
+      case 'G': case 'g': case 'T': case 't': case '6': case '^': case '_':
+      case 'H': case 'h': case 'U': case 'u': case '7': case '`': case '{':
+      case 'I': case 'i': case 'V': case 'v': case '8': case '|': case '}':
+      case 'J': case 'j': case 'W': case 'w': case '9': case '~':
+      case 'K': case 'k': case 'X': case 'x':
+      case 'L': case 'l': case 'Y': case 'y':
+      case 'M': case 'm': case 'Z': case 'z':
+        startOfAtom = false;
+        break;
+
+      case '.':
+        if (startOfAtom) {
+          return false;
+        }
+        startOfAtom = true;
+        break;
+
+      case '@':
+      {
+        if (startOfAtom) {
+          return false;
+        }
+        Input domain;
+        if (reader.SkipToEnd(domain) != Success) {
+          return false;
+        }
+        return IsValidDNSID(domain, IDRole::PresentedID, AllowWildcards::No);
+      }
+
+      default:
+        return false;
+    }
+  }
+}
+
+Result
+MatchPresentedRFC822NameWithReferenceRFC822Name(Input presentedRFC822Name,
+                                                IDRole referenceRFC822NameRole,
+                                                Input referenceRFC822Name,
+                                                /*out*/ bool& matches)
+{
+  if (!IsValidRFC822Name(presentedRFC822Name)) {
+    return Result::ERROR_BAD_DER;
+  }
+  Reader presented(presentedRFC822Name);
+
+  switch (referenceRFC822NameRole)
+  {
+    case IDRole::PresentedID:
+      return Result::FATAL_ERROR_INVALID_ARGS;
+
+    case IDRole::ReferenceID:
+      break;
+
+    case IDRole::NameConstraint:
+    {
+      if (InputContains(referenceRFC822Name, '@')) {
+        // The constraint is of the form "Local-part@Domain".
+        break;
+      }
+
+      // The constraint is of the form "example.com" or ".example.com".
+
+      // Skip past the '@' in the presented ID.
+      for (;;) {
+        uint8_t presentedByte;
+        if (presented.Read(presentedByte) != Success) {
+          return Result::FATAL_ERROR_LIBRARY_FAILURE;
+        }
+        if (presentedByte == '@') {
+          break;
+        }
+      }
+
+      Input presentedDNSID;
+      if (presented.SkipToEnd(presentedDNSID) != Success) {
+        return Result::FATAL_ERROR_LIBRARY_FAILURE;
+      }
+
+      return MatchPresentedDNSIDWithReferenceDNSID(
+               presentedDNSID, AllowWildcards::No,
+               AllowDotlessSubdomainMatches::No, IDRole::NameConstraint,
+               referenceRFC822Name, matches);
+    }
+  }
+
+  if (!IsValidRFC822Name(referenceRFC822Name)) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  Reader reference(referenceRFC822Name);
+
+  for (;;) {
+    uint8_t presentedByte;
+    if (presented.Read(presentedByte) != Success) {
+      matches = reference.AtEnd();
+      return Success;
+    }
+    uint8_t referenceByte;
+    if (reference.Read(referenceByte) != Success) {
+      matches = false;
+      return Success;
+    }
+    if (LocaleInsensitveToLower(presentedByte) !=
+        LocaleInsensitveToLower(referenceByte)) {
+      matches = false;
+      return Success;
+    }
+  }
+}
+
+// We avoid isdigit because it is locale-sensitive. See
+// http://pubs.opengroup.org/onlinepubs/009695399/functions/tolower.html.
+inline uint8_t
+LocaleInsensitveToLower(uint8_t a)
+{
+  if (a >= 'A' && a <= 'Z') { // unlikely
+    return static_cast<uint8_t>(
+             static_cast<uint8_t>(a - static_cast<uint8_t>('A')) +
+             static_cast<uint8_t>('a'));
+  }
+  return a;
+}
+
+bool
+StartsWithIDNALabel(Input id)
+{
+  static const uint8_t IDN_ALABEL_PREFIX[4] = { 'x', 'n', '-', '-' };
+  Reader input(id);
+  for (const uint8_t prefixByte : IDN_ALABEL_PREFIX) {
+    uint8_t b;
+    if (input.Read(b) != Success) {
+      return false;
+    }
+    if (b != prefixByte) {
+      return false;
+    }
+  }
+  return true;
+}
+
+bool
+ReadIPv4AddressComponent(Reader& input, bool lastComponent,
+                         /*out*/ uint8_t& valueOut)
+{
+  size_t length = 0;
+  unsigned int value = 0; // Must be larger than uint8_t.
+
+  for (;;) {
+    if (input.AtEnd() && lastComponent) {
+      break;
+    }
+
+    uint8_t b;
+    if (input.Read(b) != Success) {
+      return false;
+    }
+
+    if (b >= '0' && b <= '9') {
+      if (value == 0 && length > 0) {
+        return false; // Leading zeros are not allowed.
+      }
+      value = (value * 10) + (b - '0');
+      if (value > 255) {
+        return false; // Component's value is too large.
+      }
+      ++length;
+    } else if (!lastComponent && b == '.') {
+      break;
+    } else {
+      return false; // Invalid character.
+    }
+  }
+
+  if (length == 0) {
+    return false; // empty components not allowed
+  }
+
+  valueOut = static_cast<uint8_t>(value);
+  return true;
+}
+
+} // namespace
+
+// On Windows and maybe other platforms, OS-provided IP address parsing
+// functions might fail if the protocol (IPv4 or IPv6) has been disabled, so we
+// can't rely on them.
+bool
+ParseIPv4Address(Input hostname, /*out*/ uint8_t (&out)[4])
+{
+  Reader input(hostname);
+  return ReadIPv4AddressComponent(input, false, out[0]) &&
+         ReadIPv4AddressComponent(input, false, out[1]) &&
+         ReadIPv4AddressComponent(input, false, out[2]) &&
+         ReadIPv4AddressComponent(input, true, out[3]);
+}
+
+namespace {
+
+bool
+FinishIPv6Address(/*in/out*/ uint8_t (&address)[16], int numComponents,
+                  int contractionIndex)
+{
+  assert(numComponents >= 0);
+  assert(numComponents <= 8);
+  assert(contractionIndex >= -1);
+  assert(contractionIndex <= 8);
+  assert(contractionIndex <= numComponents);
+  if (!(numComponents >= 0 &&
+        numComponents <= 8 &&
+        contractionIndex >= -1 &&
+        contractionIndex <= 8 &&
+        contractionIndex <= numComponents)) {
+    return false;
+  }
+
+  if (contractionIndex == -1) {
+    // no contraction
+    return numComponents == 8;
+  }
+
+  if (numComponents >= 8) {
+    return false; // no room left to expand the contraction.
+  }
+
+  // Shift components that occur after the contraction over.
+  std::copy_backward(address + (2u * static_cast<size_t>(contractionIndex)),
+                     address + (2u * static_cast<size_t>(numComponents)),
+                     address + (2u * 8u));
+  // Fill in the contracted area with zeros.
+  std::fill_n(address + 2u * static_cast<size_t>(contractionIndex),
+              (8u - static_cast<size_t>(numComponents)) * 2u, static_cast<uint8_t>(0u));
+
+  return true;
+}
+
+} // namespace
+
+// On Windows and maybe other platforms, OS-provided IP address parsing
+// functions might fail if the protocol (IPv4 or IPv6) has been disabled, so we
+// can't rely on them.
+bool
+ParseIPv6Address(Input hostname, /*out*/ uint8_t (&out)[16])
+{
+  Reader input(hostname);
+
+  int currentComponentIndex = 0;
+  int contractionIndex = -1;
+
+  if (input.Peek(':')) {
+    // A valid input can only start with ':' if there is a contraction at the
+    // beginning.
+    uint8_t b;
+    if (input.Read(b) != Success || b != ':') {
+      assert(false);
+      return false;
+    }
+    if (input.Read(b) != Success) {
+      return false;
+    }
+    if (b != ':') {
+      return false;
+    }
+    contractionIndex = 0;
+  }
+
+  for (;;) {
+    // If we encounter a '.' then we'll have to backtrack to parse the input
+    // from startOfComponent to the end of the input as an IPv4 address.
+    Reader::Mark startOfComponent(input.GetMark());
+    uint16_t componentValue = 0;
+    size_t componentLength = 0;
+    while (!input.AtEnd() && !input.Peek(':')) {
+      uint8_t value;
+      uint8_t b;
+      if (input.Read(b) != Success) {
+        assert(false);
+        return false;
+      }
+      switch (b) {
+        case '0': case '1': case '2': case '3': case '4':
+        case '5': case '6': case '7': case '8': case '9':
+          value = static_cast<uint8_t>(b - static_cast<uint8_t>('0'));
+          break;
+        case 'a': case 'b': case 'c': case 'd': case 'e': case 'f':
+          value = static_cast<uint8_t>(b - static_cast<uint8_t>('a') +
+                                       UINT8_C(10));
+          break;
+        case 'A': case 'B': case 'C': case 'D': case 'E': case 'F':
+          value = static_cast<uint8_t>(b - static_cast<uint8_t>('A') +
+                                       UINT8_C(10));
+          break;
+        case '.':
+        {
+          // A dot indicates we hit a IPv4-syntax component. Backtrack, parsing
+          // the input from startOfComponent to the end of the input as an IPv4
+          // address, and then combine it with the other components.
+
+          if (currentComponentIndex > 6) {
+            return false; // Too many components before the IPv4 component
+          }
+
+          input.SkipToEnd();
+          Input ipv4Component;
+          if (input.GetInput(startOfComponent, ipv4Component) != Success) {
+            return false;
+          }
+          uint8_t (*ipv4)[4] =
+            reinterpret_cast<uint8_t(*)[4]>(&out[2 * currentComponentIndex]);
+          if (!ParseIPv4Address(ipv4Component, *ipv4)) {
+            return false;
+          }
+          assert(input.AtEnd());
+          currentComponentIndex += 2;
+
+          return FinishIPv6Address(out, currentComponentIndex,
+                                   contractionIndex);
+        }
+        default:
+          return false;
+      }
+      if (componentLength >= 4) {
+        // component too long
+        return false;
+      }
+      ++componentLength;
+      componentValue = (componentValue * 0x10u) + value;
+    }
+
+    if (currentComponentIndex >= 8) {
+      return false; // too many components
+    }
+
+    if (componentLength == 0) {
+      if (input.AtEnd() && currentComponentIndex == contractionIndex) {
+        if (contractionIndex == 0) {
+          // don't accept "::"
+          return false;
+        }
+        return FinishIPv6Address(out, currentComponentIndex,
+                                 contractionIndex);
+      }
+      return false;
+    }
+
+    out[2 * currentComponentIndex] =
+      static_cast<uint8_t>(componentValue / 0x100);
+    out[(2 * currentComponentIndex) + 1] =
+      static_cast<uint8_t>(componentValue % 0x100);
+
+    ++currentComponentIndex;
+
+    if (input.AtEnd()) {
+      return FinishIPv6Address(out, currentComponentIndex,
+                               contractionIndex);
+    }
+
+    uint8_t b;
+    if (input.Read(b) != Success || b != ':') {
+      assert(false);
+      return false;
+    }
+
+    if (input.Peek(':')) {
+      // Contraction
+      if (contractionIndex != -1) {
+        return false; // multiple contractions are not allowed.
+      }
+      if (input.Read(b) != Success || b != ':') {
+        assert(false);
+        return false;
+      }
+      contractionIndex = currentComponentIndex;
+      if (input.AtEnd()) {
+        // "::" at the end of the input.
+        return FinishIPv6Address(out, currentComponentIndex,
+                                 contractionIndex);
+      }
+    }
+  }
+}
+
+bool
+IsValidReferenceDNSID(Input hostname)
+{
+  return IsValidDNSID(hostname, IDRole::ReferenceID, AllowWildcards::No);
+}
+
+bool
+IsValidPresentedDNSID(Input hostname)
+{
+  return IsValidDNSID(hostname, IDRole::PresentedID, AllowWildcards::Yes);
+}
+
+namespace {
+
+// RFC 5280 Section 4.2.1.6 says that a dNSName "MUST be in the 'preferred name
+// syntax', as specified by Section 3.5 of [RFC1034] and as modified by Section
+// 2.1 of [RFC1123]" except "a dNSName of ' ' MUST NOT be used." Additionally,
+// we allow underscores for compatibility with existing practice.
+bool
+IsValidDNSID(Input hostname, IDRole idRole, AllowWildcards allowWildcards)
+{
+  if (hostname.GetLength() > 253) {
+    return false;
+  }
+
+  Reader input(hostname);
+
+  if (idRole == IDRole::NameConstraint && input.AtEnd()) {
+    return true;
+  }
+
+  size_t dotCount = 0;
+  size_t labelLength = 0;
+  bool labelIsAllNumeric = false;
+  bool labelEndsWithHyphen = false;
+
+  // Only presented IDs are allowed to have wildcard labels. And, like
+  // Chromium, be stricter than RFC 6125 requires by insisting that a
+  // wildcard label consist only of '*'.
+  bool isWildcard = allowWildcards == AllowWildcards::Yes && input.Peek('*');
+  bool isFirstByte = !isWildcard;
+  if (isWildcard) {
+    Result rv = input.Skip(1);
+    if (rv != Success) {
+      assert(false);
+      return false;
+    }
+
+    uint8_t b;
+    rv = input.Read(b);
+    if (rv != Success) {
+      return false;
+    }
+    if (b != '.') {
+      return false;
+    }
+    ++dotCount;
+  }
+
+  do {
+    static const size_t MAX_LABEL_LENGTH = 63;
+
+    uint8_t b;
+    if (input.Read(b) != Success) {
+      return false;
+    }
+    switch (b) {
+      case '-':
+        if (labelLength == 0) {
+          return false; // Labels must not start with a hyphen.
+        }
+        labelIsAllNumeric = false;
+        labelEndsWithHyphen = true;
+        ++labelLength;
+        if (labelLength > MAX_LABEL_LENGTH) {
+          return false;
+        }
+        break;
+
+      // We avoid isdigit because it is locale-sensitive. See
+      // http://pubs.opengroup.org/onlinepubs/009695399/functions/isdigit.html
+      case '0': case '5':
+      case '1': case '6':
+      case '2': case '7':
+      case '3': case '8':
+      case '4': case '9':
+        if (labelLength == 0) {
+          labelIsAllNumeric = true;
+        }
+        labelEndsWithHyphen = false;
+        ++labelLength;
+        if (labelLength > MAX_LABEL_LENGTH) {
+          return false;
+        }
+        break;
+
+      // We avoid using islower/isupper/tolower/toupper or similar things, to
+      // avoid any possibility of this code being locale-sensitive. See
+      // http://pubs.opengroup.org/onlinepubs/009695399/functions/isupper.html
+      case 'a': case 'A': case 'n': case 'N':
+      case 'b': case 'B': case 'o': case 'O':
+      case 'c': case 'C': case 'p': case 'P':
+      case 'd': case 'D': case 'q': case 'Q':
+      case 'e': case 'E': case 'r': case 'R':
+      case 'f': case 'F': case 's': case 'S':
+      case 'g': case 'G': case 't': case 'T':
+      case 'h': case 'H': case 'u': case 'U':
+      case 'i': case 'I': case 'v': case 'V':
+      case 'j': case 'J': case 'w': case 'W':
+      case 'k': case 'K': case 'x': case 'X':
+      case 'l': case 'L': case 'y': case 'Y':
+      case 'm': case 'M': case 'z': case 'Z':
+      // We allow underscores for compatibility with existing practices.
+      // See bug 1136616.
+      case '_':
+        labelIsAllNumeric = false;
+        labelEndsWithHyphen = false;
+        ++labelLength;
+        if (labelLength > MAX_LABEL_LENGTH) {
+          return false;
+        }
+        break;
+
+      case '.':
+        ++dotCount;
+        if (labelLength == 0 &&
+            (idRole != IDRole::NameConstraint || !isFirstByte)) {
+          return false;
+        }
+        if (labelEndsWithHyphen) {
+          return false; // Labels must not end with a hyphen.
+        }
+        labelLength = 0;
+        break;
+
+      default:
+        return false; // Invalid character.
+    }
+    isFirstByte = false;
+  } while (!input.AtEnd());
+
+  // Only reference IDs, not presented IDs or name constraints, may be
+  // absolute.
+  if (labelLength == 0 && idRole != IDRole::ReferenceID) {
+    return false;
+  }
+
+  if (labelEndsWithHyphen) {
+    return false; // Labels must not end with a hyphen.
+  }
+
+  if (labelIsAllNumeric) {
+    return false; // Last label must not be all numeric.
+  }
+
+  if (isWildcard) {
+    // If the DNS ID ends with a dot, the last dot signifies an absolute ID.
+    size_t labelCount = (labelLength == 0) ? dotCount : (dotCount + 1);
+
+    // Like NSS, require at least two labels to follow the wildcard label.
+    //
+    // TODO(bug XXXXXXX): Allow the TrustDomain to control this on a
+    // per-eTLD+1 basis, similar to Chromium. Even then, it might be better to
+    // still enforce that there are at least two labels after the wildcard.
+    if (labelCount < 3) {
+      return false;
+    }
+    // XXX: RFC6125 says that we shouldn't accept wildcards within an IDN
+    // A-Label. The consequence of this is that we effectively discriminate
+    // against users of languages that cannot be encoded with ASCII.
+    if (StartsWithIDNALabel(hostname)) {
+      return false;
+    }
+
+    // TODO(bug XXXXXXX): Wildcards are not allowed for EV certificates.
+    // Provide an option to indicate whether wildcards should be matched, for
+    // the purpose of helping the application enforce this.
+  }
+
+  return true;
+}
+
+} // namespace
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
new file mode 100644
index 0000000000..9b293d5fda
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
@@ -0,0 +1,236 @@
+/*- *- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixnss.h"
+
+#include <limits>
+
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "pk11pub.h"
+#include "mozpkix/nss_scoped_ptrs.h"
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixutil.h"
+#include "secerr.h"
+#include "sslerr.h"
+
+namespace mozilla { namespace pkix {
+
+namespace {
+
+Result
+VerifySignedDigest(const SignedDigest& sd,
+                   Input subjectPublicKeyInfo,
+                   SECOidTag pubKeyAlg,
+                   void* pkcs11PinArg)
+{
+  SECOidTag digestAlg;
+  switch (sd.digestAlgorithm) {
+    case DigestAlgorithm::sha512: digestAlg = SEC_OID_SHA512; break;
+    case DigestAlgorithm::sha384: digestAlg = SEC_OID_SHA384; break;
+    case DigestAlgorithm::sha256: digestAlg = SEC_OID_SHA256; break;
+    case DigestAlgorithm::sha1: digestAlg = SEC_OID_SHA1; break;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+
+  SECItem subjectPublicKeyInfoSECItem =
+    UnsafeMapInputToSECItem(subjectPublicKeyInfo);
+  ScopedCERTSubjectPublicKeyInfo
+    spki(SECKEY_DecodeDERSubjectPublicKeyInfo(&subjectPublicKeyInfoSECItem));
+  if (!spki) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+  ScopedSECKEYPublicKey
+    pubKey(SECKEY_ExtractPublicKey(spki.get()));
+  if (!pubKey) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+
+  SECItem digestSECItem(UnsafeMapInputToSECItem(sd.digest));
+  SECItem signatureSECItem(UnsafeMapInputToSECItem(sd.signature));
+  SECStatus srv = VFY_VerifyDigestDirect(&digestSECItem, pubKey.get(),
+                                         &signatureSECItem, pubKeyAlg,
+                                         digestAlg, pkcs11PinArg);
+  if (srv != SECSuccess) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+
+  return Success;
+}
+
+} // namespace
+
+Result
+VerifyRSAPKCS1SignedDigestNSS(const SignedDigest& sd,
+                              Input subjectPublicKeyInfo,
+                              void* pkcs11PinArg)
+{
+  return VerifySignedDigest(sd, subjectPublicKeyInfo,
+                            SEC_OID_PKCS1_RSA_ENCRYPTION, pkcs11PinArg);
+}
+
+Result
+VerifyECDSASignedDigestNSS(const SignedDigest& sd,
+                           Input subjectPublicKeyInfo,
+                           void* pkcs11PinArg)
+{
+  return VerifySignedDigest(sd, subjectPublicKeyInfo,
+                            SEC_OID_ANSIX962_EC_PUBLIC_KEY, pkcs11PinArg);
+}
+
+Result
+DigestBufNSS(Input item,
+             DigestAlgorithm digestAlg,
+             /*out*/ uint8_t* digestBuf,
+             size_t digestBufLen)
+{
+  SECOidTag oid;
+  size_t bits;
+  switch (digestAlg) {
+    case DigestAlgorithm::sha512: oid = SEC_OID_SHA512; bits = 512; break;
+    case DigestAlgorithm::sha384: oid = SEC_OID_SHA384; bits = 384; break;
+    case DigestAlgorithm::sha256: oid = SEC_OID_SHA256; bits = 256; break;
+    case DigestAlgorithm::sha1: oid = SEC_OID_SHA1; bits = 160; break;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+  if (digestBufLen != bits / 8) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+
+  SECItem itemSECItem = UnsafeMapInputToSECItem(item);
+  if (itemSECItem.len >
+        static_cast<decltype(itemSECItem.len)>(
+          std::numeric_limits<int32_t>::max())) {
+    PR_NOT_REACHED("large items should not be possible here");
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+  SECStatus srv = PK11_HashBuf(oid, digestBuf, itemSECItem.data,
+                               static_cast<int32_t>(itemSECItem.len));
+  if (srv != SECSuccess) {
+    return MapPRErrorCodeToResult(PR_GetError());
+  }
+  return Success;
+}
+
+Result
+MapPRErrorCodeToResult(PRErrorCode error)
+{
+  switch (error)
+  {
+#define MOZILLA_PKIX_MAP(mozilla_pkix_result, value, nss_result) \
+    case nss_result: return Result::mozilla_pkix_result;
+
+    MOZILLA_PKIX_MAP_LIST
+
+#undef MOZILLA_PKIX_MAP
+
+    default:
+      return Result::ERROR_UNKNOWN_ERROR;
+  }
+}
+
+PRErrorCode
+MapResultToPRErrorCode(Result result)
+{
+  switch (result)
+  {
+#define MOZILLA_PKIX_MAP(mozilla_pkix_result, value, nss_result) \
+    case Result::mozilla_pkix_result: return nss_result;
+
+    MOZILLA_PKIX_MAP_LIST
+
+#undef MOZILLA_PKIX_MAP
+
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+void
+RegisterErrorTable()
+{
+  // Note that these error strings are not localizable.
+  // When these strings change, update the localization information too.
+  static const PRErrorMessage ErrorTableText[] = {
+    { "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE",
+      "The server uses key pinning (HPKP) but no trusted certificate chain "
+      "could be constructed that matches the pinset. Key pinning violations "
+      "cannot be overridden." },
+    { "MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY",
+      "The server uses a certificate with a basic constraints extension "
+      "identifying it as a certificate authority. For a properly-issued "
+      "certificate, this should not be the case." },
+    { "MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE",
+      "The server presented a certificate with a key size that is too small "
+      "to establish a secure connection." },
+    { "MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA",
+      "An X.509 version 1 certificate that is not a trust anchor was used to "
+      "issue the server's certificate. X.509 version 1 certificates are "
+      "deprecated and should not be used to sign other certificates." },
+    { "MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH",
+      "The certificate is not valid for the given email address." },
+    { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE",
+      "The server presented a certificate that is not yet valid." },
+    { "MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE",
+      "A certificate that is not yet valid was used to issue the server's "
+      "certificate." },
+    { "MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH",
+      "The signature algorithm in the signature field of the certificate does "
+      "not match the algorithm in its signatureAlgorithm field." },
+    { "MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING",
+      "The OCSP response does not include a status for the certificate being "
+      "verified." },
+    { "MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG",
+      "The server presented a certificate that is valid for too long." },
+    { "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING",
+      "A required TLS feature is missing." },
+    { "MOZILLA_PKIX_ERROR_INVALID_INTEGER_ENCODING",
+      "The server presented a certificate that contains an invalid encoding of "
+      "an integer. Common causes include negative serial numbers, negative RSA "
+      "moduli, and encodings that are longer than necessary." },
+    { "MOZILLA_PKIX_ERROR_EMPTY_ISSUER_NAME",
+      "The server presented a certificate with an empty issuer distinguished "
+      "name." },
+    { "MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED",
+      "An additional policy constraint failed when validating this "
+      "certificate." },
+    { "MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT",
+      "The certificate is not trusted because it is self-signed." },
+    { "MOZILLA_PKIX_ERROR_MITM_DETECTED",
+      "Your connection is being intercepted by a TLS proxy. Uninstall it if "
+      "possible or configure your device to trust its root certificate." },
+  };
+  // Note that these error strings are not localizable.
+  // When these strings change, update the localization information too.
+
+  static const PRErrorTable ErrorTable = {
+    ErrorTableText,
+    "pkixerrors",
+    ERROR_BASE,
+    PR_ARRAY_SIZE(ErrorTableText)
+  };
+
+  (void) PR_ErrorInstallTable(&ErrorTable);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixocsp.cpp b/security/nss/lib/mozpkix/lib/pkixocsp.cpp
new file mode 100644
index 0000000000..a81154417d
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixocsp.cpp
@@ -0,0 +1,1012 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <limits>
+
+#include "mozpkix/pkix.h"
+#include "mozpkix/pkixcheck.h"
+#include "mozpkix/pkixutil.h"
+
+namespace {
+
+const size_t SHA1_DIGEST_LENGTH = 160 / 8;
+
+} // namespace
+
+namespace mozilla { namespace pkix {
+
+// These values correspond to the tag values in the ASN.1 CertStatus
+enum class CertStatus : uint8_t {
+  Good = der::CONTEXT_SPECIFIC | 0,
+  Revoked = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+  Unknown = der::CONTEXT_SPECIFIC | 2
+};
+
+class Context final
+{
+public:
+  Context(TrustDomain& aTrustDomain, const CertID& aCertID, Time aTime,
+          uint16_t aMaxLifetimeInDays, /*optional out*/ Time* aThisUpdate,
+          /*optional out*/ Time* aValidThrough)
+    : trustDomain(aTrustDomain)
+    , certID(aCertID)
+    , time(aTime)
+    , maxLifetimeInDays(aMaxLifetimeInDays)
+    , certStatus(CertStatus::Unknown)
+    , thisUpdate(aThisUpdate)
+    , validThrough(aValidThrough)
+    , expired(false)
+    , matchFound(false)
+  {
+    if (thisUpdate) {
+      *thisUpdate = TimeFromElapsedSecondsAD(0);
+    }
+    if (validThrough) {
+      *validThrough = TimeFromElapsedSecondsAD(0);
+    }
+  }
+
+  TrustDomain& trustDomain;
+  const CertID& certID;
+  const Time time;
+  const uint16_t maxLifetimeInDays;
+  CertStatus certStatus;
+  Time* thisUpdate;
+  Time* validThrough;
+  bool expired;
+
+  Input signedCertificateTimestamps;
+
+  // Keep track of whether the OCSP response contains the status of the
+  // certificate we're interested in. Responders might reply without
+  // including the status of any of the requested certs, we should
+  // indicate a server failure in those cases.
+  bool matchFound;
+
+  Context(const Context&) = delete;
+  void operator=(const Context&) = delete;
+};
+
+// Verify that potentialSigner is a valid delegated OCSP response signing cert
+// according to RFC 6960 section 4.2.2.2.
+static Result
+CheckOCSPResponseSignerCert(TrustDomain& trustDomain,
+                            BackCert& potentialSigner,
+                            Input issuerSubject,
+                            Input issuerSubjectPublicKeyInfo,
+                            Time time)
+{
+  Result rv;
+
+  // We don't need to do a complete verification of the signer (i.e. we don't
+  // have to call BuildCertChain to verify the entire chain) because we
+  // already know that the issuer is valid, since revocation checking is done
+  // from the root to the parent after we've built a complete chain that we
+  // know is otherwise valid. Rather, we just need to do a one-step validation
+  // from potentialSigner to the issuer.
+  //
+  // It seems reasonable to require the KU_DIGITAL_SIGNATURE key usage on the
+  // OCSP responder certificate if the OCSP responder certificate has a
+  // key usage extension. However, according to bug 240456, some OCSP responder
+  // certificates may have only the nonRepudiation bit set. Also, the OCSP
+  // specification (RFC 6960) does not mandate any particular key usage to be
+  // asserted for OCSP responde signers. Oddly, the CABForum Baseline
+  // Requirements v.1.1.5 do say "If the Root CA Private Key is used for
+  // signing OCSP responses, then the digitalSignature bit MUST be set."
+  //
+  // Note that CheckIssuerIndependentProperties processes
+  // SEC_OID_OCSP_RESPONDER in the way that the OCSP specification requires us
+  // to--in particular, it doesn't allow SEC_OID_OCSP_RESPONDER to be implied
+  // by a missing EKU extension, unlike other EKUs.
+  //
+  // TODO(bug 926261): If we're validating for a policy then the policy OID we
+  // are validating for should be passed to CheckIssuerIndependentProperties.
+  TrustLevel unusedTrustLevel;
+  rv = CheckIssuerIndependentProperties(trustDomain, potentialSigner, time,
+                                        KeyUsage::noParticularKeyUsageRequired,
+                                        KeyPurposeId::id_kp_OCSPSigning,
+                                        CertPolicyId::anyPolicy, 0,
+                                        unusedTrustLevel);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // It is possible that there exists a certificate with the same key as the
+  // issuer but with a different name, so we need to compare names
+  // XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
+  // comparison.
+  // TODO: needs test
+  if (!InputsAreEqual(potentialSigner.GetIssuer(), issuerSubject)) {
+    return Result::ERROR_OCSP_RESPONDER_CERT_INVALID;
+  }
+
+  // TODO(bug 926260): check name constraints
+
+  rv = VerifySignedData(trustDomain, potentialSigner.GetSignedData(),
+                        issuerSubjectPublicKeyInfo);
+
+  // TODO: check for revocation of the OCSP responder certificate unless no-check
+  // or the caller forcing no-check. To properly support the no-check policy, we'd
+  // need to enforce policy constraints from the issuerChain.
+
+  return rv;
+}
+
+enum class ResponderIDType : uint8_t
+{
+  byName = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+  byKey = der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 2
+};
+
+static inline Result OCSPResponse(Reader&, Context&);
+static inline Result ResponseBytes(Reader&, Context&);
+static inline Result BasicResponse(Reader&, Context&);
+static inline Result ResponseData(
+                       Reader& tbsResponseData,
+                       Context& context,
+                       const der::SignedDataWithSignature& signedResponseData,
+                       const DERArray& certs);
+static inline Result SingleResponse(Reader& input, Context& context);
+static Result ExtensionNotUnderstood(Reader& extnID, Input extnValue,
+                                     bool critical, /*out*/ bool& understood);
+static Result RememberSingleExtension(Context& context, Reader& extnID,
+                                      Input extnValue, bool critical,
+                                      /*out*/ bool& understood);
+// It is convention to name the function after the part of the data structure
+// we're parsing from the RFC (e.g. OCSPResponse, ResponseBytes).
+// But since we also have a C++ type called CertID, this function doesn't
+// follow the convention to prevent shadowing.
+static inline Result MatchCertID(Reader& input,
+                                 const Context& context,
+                                 /*out*/ bool& match);
+static Result MatchKeyHash(TrustDomain& trustDomain,
+                           Input issuerKeyHash,
+                           Input issuerSubjectPublicKeyInfo,
+                           /*out*/ bool& match);
+static Result KeyHash(TrustDomain& trustDomain,
+                      Input subjectPublicKeyInfo,
+                      /*out*/ uint8_t* hashBuf, size_t hashBufSize);
+
+static Result
+MatchResponderID(TrustDomain& trustDomain,
+                 ResponderIDType responderIDType,
+                 Input responderID,
+                 Input potentialSignerSubject,
+                 Input potentialSignerSubjectPublicKeyInfo,
+                 /*out*/ bool& match)
+{
+  match = false;
+
+  switch (responderIDType) {
+    case ResponderIDType::byName:
+      // XXX(bug 926270) XXX(bug 1008133) XXX(bug 980163): Improve name
+      // comparison.
+      match = InputsAreEqual(responderID, potentialSignerSubject);
+      return Success;
+
+    case ResponderIDType::byKey:
+    {
+      Reader input(responderID);
+      Input keyHash;
+      Result rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, keyHash);
+      if (rv != Success) {
+        return rv;
+      }
+      return MatchKeyHash(trustDomain, keyHash,
+                          potentialSignerSubjectPublicKeyInfo, match);
+    }
+
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+static Result
+VerifyOCSPSignedData(TrustDomain& trustDomain,
+                     const der::SignedDataWithSignature& signedResponseData,
+                     Input spki)
+{
+  Result rv = VerifySignedData(trustDomain, signedResponseData, spki);
+  if (rv == Result::ERROR_BAD_SIGNATURE) {
+    rv = Result::ERROR_OCSP_BAD_SIGNATURE;
+  }
+  return rv;
+}
+
+// RFC 6960 section 4.2.2.2: The OCSP responder must either be the issuer of
+// the cert or it must be a delegated OCSP response signing cert directly
+// issued by the issuer. If the OCSP responder is a delegated OCSP response
+// signer, then its certificate is (probably) embedded within the OCSP
+// response and we'll need to verify that it is a valid certificate that chains
+// *directly* to issuerCert.
+static Result
+VerifySignature(Context& context, ResponderIDType responderIDType,
+                Input responderID, const DERArray& certs,
+                const der::SignedDataWithSignature& signedResponseData)
+{
+  bool match;
+  Result rv = MatchResponderID(context.trustDomain, responderIDType,
+                               responderID, context.certID.issuer,
+                               context.certID.issuerSubjectPublicKeyInfo,
+                               match);
+  if (rv != Success) {
+    return rv;
+  }
+  if (match) {
+    return VerifyOCSPSignedData(context.trustDomain, signedResponseData,
+                                context.certID.issuerSubjectPublicKeyInfo);
+  }
+
+  size_t numCerts = certs.GetLength();
+  for (size_t i = 0; i < numCerts; ++i) {
+    BackCert cert(*certs.GetDER(i), EndEntityOrCA::MustBeEndEntity, nullptr);
+    rv = cert.Init();
+    if (rv != Success) {
+      return rv;
+    }
+    rv = MatchResponderID(context.trustDomain, responderIDType, responderID,
+                          cert.GetSubject(), cert.GetSubjectPublicKeyInfo(),
+                          match);
+    if (rv != Success) {
+      if (IsFatalError(rv)) {
+        return rv;
+      }
+      continue;
+    }
+
+    if (match) {
+      rv = CheckOCSPResponseSignerCert(context.trustDomain, cert,
+                                       context.certID.issuer,
+                                       context.certID.issuerSubjectPublicKeyInfo,
+                                       context.time);
+      if (rv != Success) {
+        if (IsFatalError(rv)) {
+          return rv;
+        }
+        continue;
+      }
+
+      return VerifyOCSPSignedData(context.trustDomain, signedResponseData,
+                                  cert.GetSubjectPublicKeyInfo());
+    }
+  }
+
+  return Result::ERROR_OCSP_INVALID_SIGNING_CERT;
+}
+
+static inline Result
+MapBadDERToMalformedOCSPResponse(Result rv)
+{
+  if (rv == Result::ERROR_BAD_DER) {
+    return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+  }
+  return rv;
+}
+
+Result
+VerifyEncodedOCSPResponse(TrustDomain& trustDomain, const struct CertID& certID,
+                          Time time, uint16_t maxOCSPLifetimeInDays,
+                          Input encodedResponse,
+                          /*out*/ bool& expired,
+                          /*optional out*/ Time* thisUpdate,
+                          /*optional out*/ Time* validThrough)
+{
+  // Always initialize this to something reasonable.
+  expired = false;
+
+  Context context(trustDomain, certID, time, maxOCSPLifetimeInDays,
+                  thisUpdate, validThrough);
+
+  Reader input(encodedResponse);
+  Result rv = der::Nested(input, der::SEQUENCE, [&context](Reader& r) {
+    return OCSPResponse(r, context);
+  });
+  if (rv != Success) {
+    return MapBadDERToMalformedOCSPResponse(rv);
+  }
+  rv = der::End(input);
+  if (rv != Success) {
+    return MapBadDERToMalformedOCSPResponse(rv);
+  }
+  if (!context.matchFound) {
+    return Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING;
+  }
+
+  expired = context.expired;
+
+  switch (context.certStatus) {
+    case CertStatus::Good:
+      if (expired) {
+        return Result::ERROR_OCSP_OLD_RESPONSE;
+      }
+      if (context.signedCertificateTimestamps.GetLength()) {
+        Input sctList;
+        rv = ExtractSignedCertificateTimestampListFromExtension(
+          context.signedCertificateTimestamps, sctList);
+        if (rv != Success) {
+          return MapBadDERToMalformedOCSPResponse(rv);
+        }
+        context.trustDomain.NoteAuxiliaryExtension(
+          AuxiliaryExtension::SCTListFromOCSPResponse, sctList);
+      }
+      return Success;
+    case CertStatus::Revoked:
+      return Result::ERROR_REVOKED_CERTIFICATE;
+    case CertStatus::Unknown:
+      return Result::ERROR_OCSP_UNKNOWN_CERT;
+     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+// OCSPResponse ::= SEQUENCE {
+//       responseStatus         OCSPResponseStatus,
+//       responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
+//
+static inline Result
+OCSPResponse(Reader& input, Context& context)
+{
+  // OCSPResponseStatus ::= ENUMERATED {
+  //     successful            (0),  -- Response has valid confirmations
+  //     malformedRequest      (1),  -- Illegal confirmation request
+  //     internalError         (2),  -- Internal error in issuer
+  //     tryLater              (3),  -- Try again later
+  //                                 -- (4) is not used
+  //     sigRequired           (5),  -- Must sign the request
+  //     unauthorized          (6)   -- Request unauthorized
+  // }
+  uint8_t responseStatus;
+
+  Result rv = der::Enumerated(input, responseStatus);
+  if (rv != Success) {
+    return rv;
+  }
+  switch (responseStatus) {
+    case 0: break; // successful
+    case 1: return Result::ERROR_OCSP_MALFORMED_REQUEST;
+    case 2: return Result::ERROR_OCSP_SERVER_ERROR;
+    case 3: return Result::ERROR_OCSP_TRY_SERVER_LATER;
+    case 5: return Result::ERROR_OCSP_REQUEST_NEEDS_SIG;
+    case 6: return Result::ERROR_OCSP_UNAUTHORIZED_REQUEST;
+    default: return Result::ERROR_OCSP_UNKNOWN_RESPONSE_STATUS;
+  }
+
+  return der::Nested(input, der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+                     der::SEQUENCE, [&context](Reader& r) {
+    return ResponseBytes(r, context);
+  });
+}
+
+// ResponseBytes ::=       SEQUENCE {
+//     responseType   OBJECT IDENTIFIER,
+//     response       OCTET STRING }
+static inline Result
+ResponseBytes(Reader& input, Context& context)
+{
+  static const uint8_t id_pkix_ocsp_basic[] = {
+    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+  };
+
+  Result rv = der::OID(input, id_pkix_ocsp_basic);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return der::Nested(input, der::OCTET_STRING, der::SEQUENCE,
+                     [&context](Reader& r) {
+    return BasicResponse(r, context);
+  });
+}
+
+// BasicOCSPResponse       ::= SEQUENCE {
+//    tbsResponseData      ResponseData,
+//    signatureAlgorithm   AlgorithmIdentifier,
+//    signature            BIT STRING,
+//    certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+Result
+BasicResponse(Reader& input, Context& context)
+{
+  Reader tbsResponseData;
+  der::SignedDataWithSignature signedData;
+  Result rv = der::SignedData(input, tbsResponseData, signedData);
+  if (rv != Success) {
+    if (rv == Result::ERROR_BAD_SIGNATURE) {
+      return Result::ERROR_OCSP_BAD_SIGNATURE;
+    }
+    return rv;
+  }
+
+  // Parse certificates, if any
+  NonOwningDERArray certs;
+  if (!input.AtEnd()) {
+    rv = der::Nested(input, der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+                     der::SEQUENCE, [&certs](Reader& certsDER) -> Result {
+      while (!certsDER.AtEnd()) {
+        Input cert;
+        Result nestedRv =
+          der::ExpectTagAndGetTLV(certsDER, der::SEQUENCE, cert);
+        if (nestedRv != Success) {
+          return nestedRv;
+        }
+        nestedRv = certs.Append(cert);
+        if (nestedRv != Success) {
+          return Result::ERROR_BAD_DER; // Too many certs
+        }
+      }
+      return Success;
+    });
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  return ResponseData(tbsResponseData, context, signedData, certs);
+}
+
+// ResponseData ::= SEQUENCE {
+//    version             [0] EXPLICIT Version DEFAULT v1,
+//    responderID             ResponderID,
+//    producedAt              GeneralizedTime,
+//    responses               SEQUENCE OF SingleResponse,
+//    responseExtensions  [1] EXPLICIT Extensions OPTIONAL }
+static inline Result
+ResponseData(Reader& input, Context& context,
+             const der::SignedDataWithSignature& signedResponseData,
+             const DERArray& certs)
+{
+  der::Version version;
+  Result rv = der::OptionalVersion(input, version);
+  if (rv != Success) {
+    return rv;
+  }
+  if (version != der::Version::v1) {
+    // TODO: more specific error code for bad version?
+    return Result::ERROR_BAD_DER;
+  }
+
+  // ResponderID ::= CHOICE {
+  //    byName              [1] Name,
+  //    byKey               [2] KeyHash }
+  Input responderID;
+  ResponderIDType responderIDType
+    = input.Peek(static_cast<uint8_t>(ResponderIDType::byName))
+    ? ResponderIDType::byName
+    : ResponderIDType::byKey;
+  rv = der::ExpectTagAndGetValue(input, static_cast<uint8_t>(responderIDType),
+                                 responderID);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // This is the soonest we can verify the signature. We verify the signature
+  // right away to follow the principal of minimizing the processing of data
+  // before verifying its signature.
+  rv = VerifySignature(context, responderIDType, responderID, certs,
+                       signedResponseData);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // TODO: Do we even need to parse this? Should we just skip it?
+  Time producedAt(Time::uninitialized);
+  rv = der::GeneralizedTime(input, producedAt);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // We don't accept an empty sequence of responses. In practice, a legit OCSP
+  // responder will never return an empty response, and handling the case of an
+  // empty response makes things unnecessarily complicated.
+  rv = der::NestedOf(input, der::SEQUENCE, der::SEQUENCE,
+                     der::EmptyAllowed::No, [&context](Reader& r) {
+    return SingleResponse(r, context);
+  });
+  if (rv != Success) {
+    return rv;
+  }
+
+  return der::OptionalExtensions(input,
+                                 der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+                                 ExtensionNotUnderstood);
+}
+
+// SingleResponse ::= SEQUENCE {
+//    certID                       CertID,
+//    certStatus                   CertStatus,
+//    thisUpdate                   GeneralizedTime,
+//    nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+//    singleExtensions     [1]     EXPLICIT Extensions{{re-ocsp-crl |
+//                                              re-ocsp-archive-cutoff |
+//                                              CrlEntryExtensions, ...}
+//                                              } OPTIONAL }
+static inline Result
+SingleResponse(Reader& input, Context& context)
+{
+  bool match = false;
+  Result rv = der::Nested(input, der::SEQUENCE, [&context, &match](Reader& r) {
+    return MatchCertID(r, context, match);
+  });
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (!match) {
+    // This response does not reference the certificate we're interested in.
+    // By consuming the rest of our input and returning successfully, we can
+    // continue processing and examine another response that might have what
+    // we want.
+    input.SkipToEnd();
+    return Success;
+  }
+
+  // We found a response for the cert we're interested in.
+  context.matchFound = true;
+
+  // CertStatus ::= CHOICE {
+  //     good        [0]     IMPLICIT NULL,
+  //     revoked     [1]     IMPLICIT RevokedInfo,
+  //     unknown     [2]     IMPLICIT UnknownInfo }
+  //
+  // In the event of multiple SingleResponses for a cert that have conflicting
+  // statuses, we use the following precedence rules:
+  //
+  // * revoked overrides good and unknown
+  // * good overrides unknown
+  if (input.Peek(static_cast<uint8_t>(CertStatus::Good))) {
+    rv = der::ExpectTagAndEmptyValue(input,
+                                     static_cast<uint8_t>(CertStatus::Good));
+    if (rv != Success) {
+      return rv;
+    }
+    if (context.certStatus != CertStatus::Revoked) {
+      context.certStatus = CertStatus::Good;
+    }
+  } else if (input.Peek(static_cast<uint8_t>(CertStatus::Revoked))) {
+    // We don't need any info from the RevokedInfo structure, so we don't even
+    // parse it. TODO: We should mention issues like this in the explanation of
+    // why we treat invalid OCSP responses equivalently to revoked for OCSP
+    // stapling.
+    rv = der::ExpectTagAndSkipValue(input,
+                                    static_cast<uint8_t>(CertStatus::Revoked));
+    if (rv != Success) {
+      return rv;
+    }
+    context.certStatus = CertStatus::Revoked;
+  } else {
+    rv = der::ExpectTagAndEmptyValue(input,
+                                     static_cast<uint8_t>(CertStatus::Unknown));
+    if (rv != Success) {
+      return rv;
+    }
+  }
+
+  // http://tools.ietf.org/html/rfc6960#section-3.2
+  // 5. The time at which the status being indicated is known to be
+  //    correct (thisUpdate) is sufficiently recent;
+  // 6. When available, the time at or before which newer information will
+  //    be available about the status of the certificate (nextUpdate) is
+  //    greater than the current time.
+
+  Time thisUpdate(Time::uninitialized);
+  rv = der::GeneralizedTime(input, thisUpdate);
+  if (rv != Success) {
+    return rv;
+  }
+
+  static const uint64_t SLOP_SECONDS = Time::ONE_DAY_IN_SECONDS;
+
+  Time timePlusSlop(context.time);
+  rv = timePlusSlop.AddSeconds(SLOP_SECONDS);
+  if (rv != Success) {
+    return rv;
+  }
+  if (thisUpdate > timePlusSlop) {
+    return Result::ERROR_OCSP_FUTURE_RESPONSE;
+  }
+
+  Time notAfter(Time::uninitialized);
+  static const uint8_t NEXT_UPDATE_TAG =
+    der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0;
+  if (input.Peek(NEXT_UPDATE_TAG)) {
+    Time nextUpdate(Time::uninitialized);
+    rv = der::Nested(input, NEXT_UPDATE_TAG, [&nextUpdate](Reader& r) {
+      return der::GeneralizedTime(r, nextUpdate);
+    });
+    if (rv != Success) {
+      return rv;
+    }
+
+    if (nextUpdate < thisUpdate) {
+      return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+    }
+    notAfter = thisUpdate;
+    if (notAfter.AddSeconds(context.maxLifetimeInDays *
+                            Time::ONE_DAY_IN_SECONDS) != Success) {
+      // This could only happen if we're dealing with times beyond the year
+      // 10,000AD.
+      return Result::ERROR_OCSP_FUTURE_RESPONSE;
+    }
+    if (nextUpdate <= notAfter) {
+      notAfter = nextUpdate;
+    }
+  } else {
+    // NSS requires all OCSP responses without a nextUpdate to be recent.
+    // Match that stricter behavior.
+    notAfter = thisUpdate;
+    if (notAfter.AddSeconds(Time::ONE_DAY_IN_SECONDS) != Success) {
+      // This could only happen if we're dealing with times beyond the year
+      // 10,000AD.
+      return Result::ERROR_OCSP_FUTURE_RESPONSE;
+    }
+  }
+
+  // Add some slop to hopefully handle clock-skew.
+  Time notAfterPlusSlop(notAfter);
+  rv = notAfterPlusSlop.AddSeconds(SLOP_SECONDS);
+  if (rv != Success) {
+    // This could only happen if we're dealing with times beyond the year
+    // 10,000AD.
+    return Result::ERROR_OCSP_FUTURE_RESPONSE;
+  }
+  if (context.time > notAfterPlusSlop) {
+    context.expired = true;
+  }
+
+  rv = der::OptionalExtensions(
+    input,
+    der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1,
+    [&context](Reader& extnID, const Input& extnValue, bool critical,
+               /*out*/ bool& understood) {
+      return RememberSingleExtension(context, extnID, extnValue, critical,
+                                     understood);
+    });
+
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (context.thisUpdate) {
+    *context.thisUpdate = thisUpdate;
+  }
+  if (context.validThrough) {
+    *context.validThrough = notAfterPlusSlop;
+  }
+
+  return Success;
+}
+
+// CertID          ::=     SEQUENCE {
+//        hashAlgorithm       AlgorithmIdentifier,
+//        issuerNameHash      OCTET STRING, -- Hash of issuer's DN
+//        issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
+//        serialNumber        CertificateSerialNumber }
+static inline Result
+MatchCertID(Reader& input, const Context& context, /*out*/ bool& match)
+{
+  match = false;
+
+  DigestAlgorithm hashAlgorithm;
+  Result rv = der::DigestAlgorithmIdentifier(input, hashAlgorithm);
+  if (rv != Success) {
+    if (rv == Result::ERROR_INVALID_ALGORITHM) {
+      // Skip entries that are hashed with algorithms we don't support.
+      input.SkipToEnd();
+      return Success;
+    }
+    return rv;
+  }
+
+  Input issuerNameHash;
+  rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerNameHash);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Input issuerKeyHash;
+  rv = der::ExpectTagAndGetValue(input, der::OCTET_STRING, issuerKeyHash);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Input serialNumber;
+  rv = der::CertificateSerialNumber(input, serialNumber);
+  if (rv != Success) {
+    return rv;
+  }
+
+  if (!InputsAreEqual(serialNumber, context.certID.serialNumber)) {
+    // This does not reference the certificate we're interested in.
+    // Consume the rest of the input and return successfully to
+    // potentially continue processing other responses.
+    input.SkipToEnd();
+    return Success;
+  }
+
+  // TODO: support SHA-2 hashes.
+
+  if (hashAlgorithm != DigestAlgorithm::sha1) {
+    // Again, not interested in this response. Consume input, return success.
+    input.SkipToEnd();
+    return Success;
+  }
+
+  if (issuerNameHash.GetLength() != SHA1_DIGEST_LENGTH) {
+    return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+  }
+
+  // From http://tools.ietf.org/html/rfc6960#section-4.1.1:
+  // "The hash shall be calculated over the DER encoding of the
+  // issuer's name field in the certificate being checked."
+  uint8_t hashBuf[SHA1_DIGEST_LENGTH];
+  rv = context.trustDomain.DigestBuf(context.certID.issuer,
+                                     DigestAlgorithm::sha1, hashBuf,
+                                     sizeof(hashBuf));
+  if (rv != Success) {
+    return rv;
+  }
+  Input computed(hashBuf);
+  if (!InputsAreEqual(computed, issuerNameHash)) {
+    // Again, not interested in this response. Consume input, return success.
+    input.SkipToEnd();
+    return Success;
+  }
+
+  return MatchKeyHash(context.trustDomain, issuerKeyHash,
+                      context.certID.issuerSubjectPublicKeyInfo, match);
+}
+
+// From http://tools.ietf.org/html/rfc6960#section-4.1.1:
+// "The hash shall be calculated over the value (excluding tag and length) of
+// the subject public key field in the issuer's certificate."
+//
+// From http://tools.ietf.org/html/rfc6960#appendix-B.1:
+// KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+//                          -- (i.e., the SHA-1 hash of the value of the
+//                          -- BIT STRING subjectPublicKey [excluding
+//                          -- the tag, length, and number of unused
+//                          -- bits] in the responder's certificate)
+static Result
+MatchKeyHash(TrustDomain& trustDomain, Input keyHash,
+             const Input subjectPublicKeyInfo, /*out*/ bool& match)
+{
+  if (keyHash.GetLength() != SHA1_DIGEST_LENGTH)  {
+    return Result::ERROR_OCSP_MALFORMED_RESPONSE;
+  }
+  uint8_t hashBuf[SHA1_DIGEST_LENGTH];
+  Result rv = KeyHash(trustDomain, subjectPublicKeyInfo, hashBuf,
+                      sizeof hashBuf);
+  if (rv != Success) {
+    return rv;
+  }
+  Input computed(hashBuf);
+  match = InputsAreEqual(computed, keyHash);
+  return Success;
+}
+
+// TODO(bug 966856): support SHA-2 hashes
+Result
+KeyHash(TrustDomain& trustDomain, const Input subjectPublicKeyInfo,
+        /*out*/ uint8_t* hashBuf, size_t hashBufSize)
+{
+  if (!hashBuf || hashBufSize != SHA1_DIGEST_LENGTH) {
+    return Result::FATAL_ERROR_LIBRARY_FAILURE;
+  }
+
+  // RFC 5280 Section 4.1
+  //
+  // SubjectPublicKeyInfo  ::=  SEQUENCE  {
+  //    algorithm            AlgorithmIdentifier,
+  //    subjectPublicKey     BIT STRING  }
+
+  Reader spki;
+  Result rv = der::ExpectTagAndGetValueAtEnd(subjectPublicKeyInfo,
+                                             der::SEQUENCE, spki);
+  if (rv != Success) {
+    return rv;
+  }
+
+  // Skip AlgorithmIdentifier
+  rv = der::ExpectTagAndSkipValue(spki, der::SEQUENCE);
+  if (rv != Success) {
+    return rv;
+  }
+
+  Input subjectPublicKey;
+  rv = der::BitStringWithNoUnusedBits(spki, subjectPublicKey);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = der::End(spki);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return trustDomain.DigestBuf(subjectPublicKey, DigestAlgorithm::sha1,
+                               hashBuf, hashBufSize);
+}
+
+Result
+ExtensionNotUnderstood(Reader& /*extnID*/, Input /*extnValue*/,
+                       bool /*critical*/, /*out*/ bool& understood)
+{
+  understood = false;
+  return Success;
+}
+
+Result
+RememberSingleExtension(Context& context, Reader& extnID, Input extnValue,
+                        bool /*critical*/, /*out*/ bool& understood)
+{
+  understood = false;
+
+  // SingleExtension for Signed Certificate Timestamp List.
+  // See Section 3.3 of RFC 6962.
+  // python DottedOIDToCode.py
+  //   id_ocsp_singleExtensionSctList 1.3.6.1.4.1.11129.2.4.5
+  static const uint8_t id_ocsp_singleExtensionSctList[] = {
+    0x2b, 0x06, 0x01, 0x04, 0x01, 0xd6, 0x79, 0x02, 0x04, 0x05
+  };
+
+  if (extnID.MatchRest(id_ocsp_singleExtensionSctList)) {
+    // Empty values are not allowed for this extension. Note that
+    // we assume this later, when checking if the extension was present.
+    if (extnValue.GetLength() == 0) {
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    if (context.signedCertificateTimestamps.Init(extnValue) != Success) {
+      // Duplicate extension.
+      return Result::ERROR_EXTENSION_VALUE_INVALID;
+    }
+    understood = true;
+  }
+
+  return Success;
+}
+
+//   1. The certificate identified in a received response corresponds to
+//      the certificate that was identified in the corresponding request;
+//   2. The signature on the response is valid;
+//   3. The identity of the signer matches the intended recipient of the
+//      request;
+//   4. The signer is currently authorized to provide a response for the
+//      certificate in question;
+//   5. The time at which the status being indicated is known to be
+//      correct (thisUpdate) is sufficiently recent;
+//   6. When available, the time at or before which newer information will
+//      be available about the status of the certificate (nextUpdate) is
+//      greater than the current time.
+//
+//   Responses whose nextUpdate value is earlier than
+//   the local system time value SHOULD be considered unreliable.
+//   Responses whose thisUpdate time is later than the local system time
+//   SHOULD be considered unreliable.
+//
+//   If nextUpdate is not set, the responder is indicating that newer
+//   revocation information is available all the time.
+//
+// http://tools.ietf.org/html/rfc5019#section-4
+
+Result
+CreateEncodedOCSPRequest(TrustDomain& trustDomain, const struct CertID& certID,
+                         /*out*/ uint8_t (&out)[OCSP_REQUEST_MAX_LENGTH],
+                         /*out*/ size_t& outLen)
+{
+  // We do not add any extensions to the request.
+
+  // RFC 6960 says "An OCSP client MAY wish to specify the kinds of response
+  // types it understands. To do so, it SHOULD use an extension with the OID
+  // id-pkix-ocsp-response." This use of MAY and SHOULD is unclear. MSIE11
+  // on Windows 8.1 does not include any extensions, whereas NSS has always
+  // included the id-pkix-ocsp-response extension. Avoiding the sending the
+  // extension is better for OCSP GET because it makes the request smaller,
+  // and thus more likely to fit within the 255 byte limit for OCSP GET that
+  // is specified in RFC 5019 Section 5.
+
+  // Bug 966856: Add the id-pkix-ocsp-pref-sig-algs extension.
+
+  // Since we don't know whether the OCSP responder supports anything other
+  // than SHA-1, we have no choice but to use SHA-1 for issuerNameHash and
+  // issuerKeyHash.
+  static const uint8_t hashAlgorithm[11] = {
+    0x30, 0x09,                               // SEQUENCE
+    0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, //   OBJECT IDENTIFIER id-sha1
+    0x05, 0x00,                               //   NULL
+  };
+  static const uint8_t hashLen = 160 / 8;
+
+  static const unsigned int totalLenWithoutSerialNumberData
+    = 2                             // OCSPRequest
+    + 2                             //   tbsRequest
+    + 2                             //     requestList
+    + 2                             //       Request
+    + 2                             //         reqCert (CertID)
+    + sizeof(hashAlgorithm)         //           hashAlgorithm
+    + 2 + hashLen                   //           issuerNameHash
+    + 2 + hashLen                   //           issuerKeyHash
+    + 2;                            //           serialNumber (header)
+
+  // The only way we could have a request this large is if the serialNumber was
+  // ridiculously and unreasonably large. RFC 5280 says "Conforming CAs MUST
+  // NOT use serialNumber values longer than 20 octets." With this restriction,
+  // we allow for some amount of non-conformance with that requirement while
+  // still ensuring we can encode the length values in the ASN.1 TLV structures
+  // in a single byte.
+  static_assert(totalLenWithoutSerialNumberData < OCSP_REQUEST_MAX_LENGTH,
+                "totalLenWithoutSerialNumberData too big");
+  if (certID.serialNumber.GetLength() >
+        OCSP_REQUEST_MAX_LENGTH - totalLenWithoutSerialNumberData) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  outLen = totalLenWithoutSerialNumberData + certID.serialNumber.GetLength();
+
+  uint8_t totalLen = static_cast<uint8_t>(outLen);
+
+  uint8_t* d = out;
+  *d++ = 0x30; *d++ = totalLen - 2u;  // OCSPRequest (SEQUENCE)
+  *d++ = 0x30; *d++ = totalLen - 4u;  //   tbsRequest (SEQUENCE)
+  *d++ = 0x30; *d++ = totalLen - 6u;  //     requestList (SEQUENCE OF)
+  *d++ = 0x30; *d++ = totalLen - 8u;  //       Request (SEQUENCE)
+  *d++ = 0x30; *d++ = totalLen - 10u; //         reqCert (CertID SEQUENCE)
+
+  // reqCert.hashAlgorithm
+  for (const uint8_t hashAlgorithmByte : hashAlgorithm) {
+    *d++ = hashAlgorithmByte;
+  }
+
+  // reqCert.issuerNameHash (OCTET STRING)
+  *d++ = 0x04;
+  *d++ = hashLen;
+  Result rv = trustDomain.DigestBuf(certID.issuer, DigestAlgorithm::sha1, d,
+                                    hashLen);
+  if (rv != Success) {
+    return rv;
+  }
+  d += hashLen;
+
+  // reqCert.issuerKeyHash (OCTET STRING)
+  *d++ = 0x04;
+  *d++ = hashLen;
+  rv = KeyHash(trustDomain, certID.issuerSubjectPublicKeyInfo, d, hashLen);
+  if (rv != Success) {
+    return rv;
+  }
+  d += hashLen;
+
+  // reqCert.serialNumber (INTEGER)
+  *d++ = 0x02; // INTEGER
+  *d++ = static_cast<uint8_t>(certID.serialNumber.GetLength());
+  Reader serialNumber(certID.serialNumber);
+  do {
+    rv = serialNumber.Read(*d);
+    if (rv != Success) {
+      return rv;
+    }
+    ++d;
+  } while (!serialNumber.AtEnd());
+
+  assert(d == out + totalLen);
+
+  return Success;
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixresult.cpp b/security/nss/lib/mozpkix/lib/pkixresult.cpp
new file mode 100644
index 0000000000..871d9a0fe9
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixresult.cpp
@@ -0,0 +1,46 @@
+/*- *- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/Result.h"
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+const char*
+MapResultToName(Result result)
+{
+  switch (result)
+  {
+#define MOZILLA_PKIX_MAP(mozilla_pkix_result, value, nss_result) \
+    case Result::mozilla_pkix_result: return "Result::" #mozilla_pkix_result;
+
+    MOZILLA_PKIX_MAP_LIST
+
+#undef MOZILLA_PKIX_MAP
+
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixtime.cpp b/security/nss/lib/mozpkix/lib/pkixtime.cpp
new file mode 100644
index 0000000000..38e0638040
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixtime.cpp
@@ -0,0 +1,78 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2014 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/Time.h"
+#include "mozpkix/pkixutil.h"
+
+#ifdef _WINDOWS
+#ifdef _MSC_VER
+#pragma warning(push, 3)
+#endif
+#include "windows.h"
+#ifdef _MSC_VER
+#pragma warning(pop)
+#endif
+#else
+#include "sys/time.h"
+#endif
+
+namespace mozilla { namespace pkix {
+
+Time
+Now()
+{
+  uint64_t seconds;
+
+#ifdef _WINDOWS
+  // "Contains a 64-bit value representing the number of 100-nanosecond
+  // intervals since January 1, 1601 (UTC)."
+  //   - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724284(v=vs.85).aspx
+  FILETIME ft;
+  GetSystemTimeAsFileTime(&ft);
+  uint64_t ft64 = (static_cast<uint64_t>(ft.dwHighDateTime) << 32) |
+                  ft.dwLowDateTime;
+  seconds = (DaysBeforeYear(1601) * Time::ONE_DAY_IN_SECONDS) +
+            ft64 / (1000u * 1000u * 1000u / 100u);
+#else
+  // "The gettimeofday() function shall obtain the current time, expressed as
+  // seconds and microseconds since the Epoch."
+  //   - http://pubs.opengroup.org/onlinepubs/009695399/functions/gettimeofday.html
+  timeval tv;
+  (void) gettimeofday(&tv, nullptr);
+  seconds = (DaysBeforeYear(1970) * Time::ONE_DAY_IN_SECONDS) +
+            static_cast<uint64_t>(tv.tv_sec);
+#endif
+
+  return TimeFromElapsedSecondsAD(seconds);
+}
+
+Time
+TimeFromEpochInSeconds(uint64_t secondsSinceEpoch)
+{
+  uint64_t seconds = (DaysBeforeYear(1970) * Time::ONE_DAY_IN_SECONDS) +
+                     secondsSinceEpoch;
+  return TimeFromElapsedSecondsAD(seconds);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/lib/pkixverify.cpp b/security/nss/lib/mozpkix/lib/pkixverify.cpp
new file mode 100644
index 0000000000..8ceb2c184c
--- /dev/null
+++ b/security/nss/lib/mozpkix/lib/pkixverify.cpp
@@ -0,0 +1,106 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/pkixutil.h"
+
+namespace mozilla { namespace pkix {
+
+Result
+DigestSignedData(TrustDomain& trustDomain,
+                 const der::SignedDataWithSignature& signedData,
+                 /*out*/ uint8_t(&digestBuf)[MAX_DIGEST_SIZE_IN_BYTES],
+                 /*out*/ der::PublicKeyAlgorithm& publicKeyAlg,
+                 /*out*/ SignedDigest& signedDigest)
+{
+  Reader signatureAlg(signedData.algorithm);
+  Result rv = der::SignatureAlgorithmIdentifierValue(
+                signatureAlg, publicKeyAlg, signedDigest.digestAlgorithm);
+  if (rv != Success) {
+    return rv;
+  }
+  if (!signatureAlg.AtEnd()) {
+    return Result::ERROR_BAD_DER;
+  }
+
+  size_t digestLen;
+  switch (signedDigest.digestAlgorithm) {
+    case DigestAlgorithm::sha512: digestLen = 512 / 8; break;
+    case DigestAlgorithm::sha384: digestLen = 384 / 8; break;
+    case DigestAlgorithm::sha256: digestLen = 256 / 8; break;
+    case DigestAlgorithm::sha1: digestLen = 160 / 8; break;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+  assert(digestLen <= sizeof(digestBuf));
+
+  rv = trustDomain.DigestBuf(signedData.data, signedDigest.digestAlgorithm,
+                             digestBuf, digestLen);
+  if (rv != Success) {
+    return rv;
+  }
+  rv = signedDigest.digest.Init(digestBuf, digestLen);
+  if (rv != Success) {
+    return rv;
+  }
+
+  return signedDigest.signature.Init(signedData.signature);
+}
+
+Result
+VerifySignedDigest(TrustDomain& trustDomain,
+                   der::PublicKeyAlgorithm publicKeyAlg,
+                   const SignedDigest& signedDigest,
+                   Input signerSubjectPublicKeyInfo)
+{
+  switch (publicKeyAlg) {
+    case der::PublicKeyAlgorithm::ECDSA:
+      return trustDomain.VerifyECDSASignedDigest(signedDigest,
+                                                 signerSubjectPublicKeyInfo);
+    case der::PublicKeyAlgorithm::RSA_PKCS1:
+      return trustDomain.VerifyRSAPKCS1SignedDigest(signedDigest,
+                                                    signerSubjectPublicKeyInfo);
+    case der::PublicKeyAlgorithm::Uninitialized:
+      assert(false);
+      return Result::FATAL_ERROR_LIBRARY_FAILURE;
+    MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+  }
+}
+
+Result
+VerifySignedData(TrustDomain& trustDomain,
+                 const der::SignedDataWithSignature& signedData,
+                 Input signerSubjectPublicKeyInfo)
+{
+  uint8_t digestBuf[MAX_DIGEST_SIZE_IN_BYTES];
+  der::PublicKeyAlgorithm publicKeyAlg;
+  SignedDigest signedDigest;
+  Result rv = DigestSignedData(trustDomain, signedData, digestBuf,
+                               publicKeyAlg, signedDigest);
+  if (rv != Success) {
+    return rv;
+  }
+  return VerifySignedDigest(trustDomain, publicKeyAlg, signedDigest,
+                            signerSubjectPublicKeyInfo);
+}
+
+} } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/mozpkix.gyp b/security/nss/lib/mozpkix/mozpkix.gyp
new file mode 100644
index 0000000000..1c552ba5fa
--- /dev/null
+++ b/security/nss/lib/mozpkix/mozpkix.gyp
@@ -0,0 +1,60 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+  'includes': [
+    '../../coreconf/config.gypi'
+  ],
+  'targets': [
+    {
+      'target_name': 'mozpkix',
+      'type': 'static_library',
+      'standalone_static_library': 1,
+      'sources': [
+        'lib/pkixbuild.cpp',
+        'lib/pkixcert.cpp',
+        'lib/pkixcheck.cpp',
+        'lib/pkixder.cpp',
+        'lib/pkixnames.cpp',
+        'lib/pkixnss.cpp',
+        'lib/pkixocsp.cpp',
+        'lib/pkixresult.cpp',
+        'lib/pkixtime.cpp',
+        'lib/pkixverify.cpp',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_mozpkix_exports',
+      ],
+      'conditions': [
+        [ 'mozpkix_only==0', {
+          'dependencies': [
+            '<(DEPTH)/exports.gyp:nss_exports'
+          ],
+        }],
+      ],
+    },
+    {
+      'target_name': 'mozpkix-testlib',
+      'type': 'static_library',
+      'standalone_static_library': 1,
+      'sources': [
+        'test-lib/pkixtestalg.cpp',
+        'test-lib/pkixtestnss.cpp',
+        'test-lib/pkixtestutil.cpp',
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_mozpkix_exports',
+      ],
+      'conditions': [
+        [ 'mozpkix_only==0', {
+          'dependencies': [
+            '<(DEPTH)/exports.gyp:nss_exports'
+          ],
+        }],
+      ],
+    },
+  ],
+  'variables': {
+    'module': 'nss',
+  }
+}
diff --git a/security/nss/lib/mozpkix/test-lib/pkixtestalg.cpp b/security/nss/lib/mozpkix/test-lib/pkixtestalg.cpp
new file mode 100644
index 0000000000..304641e2ff
--- /dev/null
+++ b/security/nss/lib/mozpkix/test-lib/pkixtestalg.cpp
@@ -0,0 +1,211 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2015 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/test/pkixtestutil.h"
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/nss_scoped_ptrs.h"
+
+// python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10040 1.2.840.10040
+#define PREFIX_1_2_840_10040 0x2a, 0x86, 0x48, 0xce, 0x38
+
+// python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10045 1.2.840.10045
+#define PREFIX_1_2_840_10045 0x2a, 0x86, 0x48, 0xce, 0x3d
+
+// python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_113549 1.2.840.113549
+#define PREFIX_1_2_840_113549 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d
+
+namespace mozilla { namespace pkix { namespace test {
+
+namespace {
+
+enum class NULLParam { NO, YES };
+
+template <size_t SIZE>
+ByteString
+OID(const uint8_t (&rawValue)[SIZE])
+{
+  return TLV(der::OIDTag, ByteString(rawValue, SIZE));
+}
+
+template <size_t SIZE>
+ByteString
+SimpleAlgID(const uint8_t (&rawValue)[SIZE],
+            NULLParam nullParam = NULLParam::NO)
+{
+  ByteString sequenceValue(OID(rawValue));
+  if (nullParam == NULLParam::YES) {
+    sequenceValue.append(TLV(der::NULLTag, ByteString()));
+  }
+  return TLV(der::SEQUENCE, sequenceValue);
+}
+
+template <size_t SIZE>
+ByteString
+DERInteger(const uint8_t (&rawValue)[SIZE])
+{
+  ByteString value(rawValue, SIZE);
+  if (value[0] & 0x80u) {
+    // Prefix with a leading zero to disambiguate this from a negative value.
+    value.insert(value.begin(), 0x00);
+  }
+  return TLV(der::INTEGER, value);
+}
+
+// Generated with "openssl dsaparam -C -noout 2048" and reformatted.
+// openssl 1.0 or later must be used so that a 256-bit Q value is
+// generated.
+static const uint8_t DSS_P_RAW[] =
+{
+  0xB3,0xCD,0x29,0x44,0xF0,0x25,0xA7,0x73,0xFC,0x86,0x70,0xA2,
+  0x69,0x5A,0x97,0x3F,0xBD,0x1C,0x6F,0xAA,0x4A,0x40,0x42,0x8E,
+  0xCF,0xAE,0x62,0x12,0xED,0xB4,0xFD,0x05,0xC2,0xAE,0xB1,0x8C,
+  0xFC,0xBE,0x38,0x90,0xBB,0x7C,0xFF,0x16,0xF4,0xED,0xCE,0x72,
+  0x12,0x93,0x83,0xF0,0xA4,0xA1,0x71,0xDC,0x4B,0xF0,0x4E,0x3A,
+  0x2B,0xFA,0x17,0xB7,0xB3,0x2A,0xCC,0x2C,0xD3,0xC8,0x21,0x49,
+  0x7A,0x83,0x71,0x8B,0x3D,0x62,0x96,0xDC,0xAD,0xA8,0x03,0xBE,
+  0x1D,0x33,0x11,0xF3,0xEB,0xD8,0x1B,0x8D,0xDB,0x62,0x79,0x83,
+  0xF8,0x67,0x4E,0x62,0x21,0x2C,0x81,0x59,0xE8,0x73,0xD7,0xAF,
+  0xB9,0x63,0x60,0xEA,0xAE,0xEC,0x68,0x6A,0xB4,0xB0,0x65,0xBA,
+  0xA3,0x4C,0x09,0x99,0x29,0x6A,0x2E,0x2B,0xFC,0x6D,0x51,0xCA,
+  0x30,0xA2,0x2F,0x7A,0x65,0x76,0xA7,0x55,0x13,0x11,0xA0,0x02,
+  0xA2,0x59,0x4B,0xCE,0xA7,0x05,0xF6,0x07,0x35,0x9B,0x41,0xD7,
+  0x11,0x5A,0x18,0x57,0xA7,0x78,0x88,0xC3,0xA8,0xE3,0x39,0xF5,
+  0x47,0x3D,0x2E,0x18,0x54,0xB0,0xF0,0xBF,0x65,0x3F,0x77,0xC7,
+  0x11,0xB8,0x0D,0x52,0xAD,0xC8,0xE8,0x6D,0xF6,0x7E,0x88,0x65,
+  0x84,0x2B,0xF7,0xEF,0x8E,0xB5,0x7C,0xBD,0x2E,0x0D,0xF3,0xC6,
+  0xDD,0x0B,0xB4,0xF2,0x23,0x1F,0xDA,0x55,0x05,0xF5,0xDC,0x53,
+  0xA6,0x83,0xDA,0x5C,0xEF,0x29,0x02,0x78,0x68,0xD0,0xA4,0x39,
+  0x09,0x7F,0xFA,0x49,0x18,0xD0,0xB5,0x19,0x35,0x31,0x8E,0xDE,
+  0x43,0x35,0xA3,0xB9,0x6D,0xC1,0x70,0xC6,0x0D,0x18,0x24,0xEB,
+  0x1E,0x4D,0x52,0xB7,
+};
+
+static const uint8_t DSS_Q_RAW[] =
+{
+  0x8D,0x6B,0x86,0x89,0x9C,0x8D,0x30,0x91,0xCC,0x6E,0x34,0xF1,
+  0xE8,0x9C,0x8A,0x5C,0xD6,0xAB,0x01,0x1E,0xC4,0xDB,0xFD,0x07,
+  0xEB,0x5F,0x4E,0xE8,0xFA,0xFC,0x98,0x2D,
+};
+
+static const uint8_t DSS_G_RAW[] =
+{
+  0x0E,0x2C,0x34,0xB2,0xE1,0x66,0x49,0xB6,0x9A,0x7D,0x67,0x3E,
+  0xEE,0x98,0x35,0x18,0x28,0x35,0xFC,0x05,0x36,0x3B,0x94,0xE6,
+  0x1E,0x1C,0x5B,0x05,0x3E,0x86,0x1B,0xE3,0xED,0xD2,0xE1,0xF3,
+  0xF7,0xF7,0x60,0x6D,0x7D,0xA1,0xAF,0x9A,0xD1,0xDF,0xA2,0x9C,
+  0xFC,0xA2,0xEB,0x90,0x8B,0x1C,0x82,0x92,0x45,0x7B,0x30,0x2A,
+  0xFD,0x7A,0xE6,0x68,0x8F,0xEC,0x89,0x3A,0x9A,0xAD,0xFE,0x25,
+  0x5E,0x51,0xC5,0x29,0x45,0x7F,0xAC,0xDE,0xFC,0xB4,0x1B,0x3A,
+  0xDA,0xC7,0x21,0x68,0x87,0x27,0x8D,0x7B,0xB2,0xBB,0x41,0x60,
+  0x46,0x42,0x5B,0x6B,0xE8,0x80,0xD2,0xE4,0xA3,0x30,0x8F,0xD5,
+  0x71,0x07,0x8A,0x7B,0x32,0x56,0x84,0x41,0x1C,0xDF,0x69,0xE9,
+  0xFD,0xBA,0x48,0xE0,0x43,0xA0,0x38,0x92,0x12,0xF3,0x52,0xA5,
+  0x40,0x87,0xCB,0x34,0xBB,0x3E,0x25,0x29,0x3C,0xC6,0xA5,0x17,
+  0xFD,0x58,0x47,0x89,0xDB,0x9B,0xB9,0xCF,0xE9,0xA8,0xF2,0xEC,
+  0x55,0x76,0xF5,0xF1,0x9C,0x6E,0x0A,0x3F,0x16,0x5F,0x49,0x31,
+  0x31,0x1C,0x43,0xA2,0x83,0xDA,0xDD,0x7F,0x1C,0xEA,0x05,0x36,
+  0x7B,0xED,0x09,0xFB,0x6F,0x8A,0x2B,0x55,0xB9,0xBC,0x4A,0x8C,
+  0x28,0xC1,0x4D,0x13,0x6E,0x47,0xF4,0xAD,0x79,0x00,0xE9,0x5A,
+  0xB6,0xC7,0x73,0x28,0xA9,0x89,0xAD,0xE8,0x6E,0xC6,0x54,0xA5,
+  0x56,0x2D,0xAA,0x81,0x83,0x9E,0xC1,0x13,0x79,0xA4,0x12,0xE0,
+  0x76,0x1F,0x25,0x43,0xB6,0xDE,0x56,0xF7,0x52,0xCC,0x07,0xB8,
+  0x37,0xE2,0x8C,0xC5,0x56,0x8C,0xDD,0x63,0xF5,0xB6,0xA3,0x46,
+  0x62,0xF6,0x35,0x76,
+};
+
+} // namespace
+
+TestSignatureAlgorithm::TestSignatureAlgorithm(
+  const TestPublicKeyAlgorithm& aPublicKeyAlg,
+  TestDigestAlgorithmID aDigestAlg,
+  const ByteString& aAlgorithmIdentifier,
+  bool aAccepted)
+  : publicKeyAlg(aPublicKeyAlg)
+  , digestAlg(aDigestAlg)
+  , algorithmIdentifier(aAlgorithmIdentifier)
+  , accepted(aAccepted)
+{
+}
+
+ByteString DSS_P() { return ByteString(DSS_P_RAW, sizeof(DSS_P_RAW)); }
+ByteString DSS_Q() { return ByteString(DSS_Q_RAW, sizeof(DSS_Q_RAW)); }
+ByteString DSS_G() { return ByteString(DSS_G_RAW, sizeof(DSS_G_RAW)); }
+
+TestPublicKeyAlgorithm
+DSS()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_10040, 4, 1 };
+
+  // RFC 3279 Section-2.3.2
+  return TestPublicKeyAlgorithm(
+           TLV(der::SEQUENCE,
+               OID(oidValue) +
+               TLV(der::SEQUENCE,
+                   DERInteger(DSS_P_RAW) +
+                   DERInteger(DSS_Q_RAW) +
+                   DERInteger(DSS_G_RAW))));
+}
+
+// RFC 3279 Section 2.3.1
+TestPublicKeyAlgorithm
+RSA_PKCS1()
+{
+  static const uint8_t rsaEncryption[] = { PREFIX_1_2_840_113549, 1, 1, 1 };
+  return TestPublicKeyAlgorithm(SimpleAlgID(rsaEncryption, NULLParam::YES));
+}
+
+// RFC 3279 Section 2.2.1
+TestSignatureAlgorithm md2WithRSAEncryption()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 2 };
+  return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::MD2,
+                                SimpleAlgID(oidValue), false);
+}
+
+// RFC 3279 Section 2.2.1
+TestSignatureAlgorithm md5WithRSAEncryption()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 4 };
+  return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::MD5,
+                                SimpleAlgID(oidValue), false);
+}
+
+// RFC 3279 Section 2.2.1
+TestSignatureAlgorithm sha1WithRSAEncryption()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 5 };
+  return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::SHA1,
+                                SimpleAlgID(oidValue), true);
+}
+
+// RFC 4055 Section 5
+TestSignatureAlgorithm sha256WithRSAEncryption()
+{
+  static const uint8_t oidValue[] = { PREFIX_1_2_840_113549, 1, 1, 11 };
+  return TestSignatureAlgorithm(RSA_PKCS1(), TestDigestAlgorithmID::SHA256,
+                                SimpleAlgID(oidValue), true);
+}
+
+} } } // namespace mozilla::pkix
diff --git a/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp b/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
new file mode 100644
index 0000000000..ee59b1d970
--- /dev/null
+++ b/security/nss/lib/mozpkix/test-lib/pkixtestnss.cpp
@@ -0,0 +1,364 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/test/pkixtestutil.h"
+#include "mozpkix/test/pkixtestnss.h"
+
+#include <limits>
+
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "nss.h"
+#include "pk11pqg.h"
+#include "pk11pub.h"
+#include "mozpkix/nss_scoped_ptrs.h"
+#include "mozpkix/pkixnss.h"
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+#include "prinit.h"
+#include "secerr.h"
+#include "secitem.h"
+
+namespace mozilla { namespace pkix { namespace test {
+
+namespace {
+
+TestKeyPair* GenerateKeyPairInner();
+
+void
+InitNSSIfNeeded()
+{
+  if (NSS_NoDB_Init(nullptr) != SECSuccess) {
+    abort();
+  }
+}
+
+static ScopedTestKeyPair reusedKeyPair;
+
+PRStatus
+InitReusedKeyPair()
+{
+  InitNSSIfNeeded();
+  reusedKeyPair.reset(GenerateKeyPairInner());
+  return reusedKeyPair ? PR_SUCCESS : PR_FAILURE;
+}
+
+class NSSTestKeyPair final : public TestKeyPair
+{
+public:
+  NSSTestKeyPair(const TestPublicKeyAlgorithm& aPublicKeyAlg,
+                 const ByteString& spk,
+                 const ByteString& aEncryptedPrivateKey,
+                 const ByteString& aEncryptionAlgorithm,
+                 const ByteString& aEncryptionParams)
+    : TestKeyPair(aPublicKeyAlg, spk)
+    , encryptedPrivateKey(aEncryptedPrivateKey)
+    , encryptionAlgorithm(aEncryptionAlgorithm)
+    , encryptionParams(aEncryptionParams)
+  {
+  }
+
+  Result SignData(const ByteString& tbs,
+                  const TestSignatureAlgorithm& signatureAlgorithm,
+                  /*out*/ ByteString& signature) const override
+  {
+    SECOidTag oidTag;
+    if (signatureAlgorithm.publicKeyAlg == RSA_PKCS1()) {
+      switch (signatureAlgorithm.digestAlg) {
+        case TestDigestAlgorithmID::MD2:
+          oidTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::MD5:
+          oidTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA1:
+          oidTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA224:
+          oidTag = SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA256:
+          oidTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA384:
+          oidTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
+          break;
+        case TestDigestAlgorithmID::SHA512:
+          oidTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
+          break;
+        MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
+      }
+    } else {
+      abort();
+    }
+
+    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+    if (!slot) {
+      return MapPRErrorCodeToResult(PR_GetError());
+    }
+    SECItem encryptedPrivateKeyInfoItem = {
+      siBuffer,
+      const_cast<uint8_t*>(encryptedPrivateKey.data()),
+      static_cast<unsigned int>(encryptedPrivateKey.length())
+    };
+    SECItem encryptionAlgorithmItem = {
+      siBuffer,
+      const_cast<uint8_t*>(encryptionAlgorithm.data()),
+      static_cast<unsigned int>(encryptionAlgorithm.length())
+    };
+    SECItem encryptionParamsItem = {
+      siBuffer,
+      const_cast<uint8_t*>(encryptionParams.data()),
+      static_cast<unsigned int>(encryptionParams.length())
+    };
+    SECKEYEncryptedPrivateKeyInfo encryptedPrivateKeyInfo = {
+      nullptr,
+      { encryptionAlgorithmItem, encryptionParamsItem },
+      encryptedPrivateKeyInfoItem
+    };
+    SECItem passwordItem = { siBuffer, nullptr, 0 };
+    SECItem publicValueItem = {
+      siBuffer,
+      const_cast<uint8_t*>(subjectPublicKey.data()),
+      static_cast<unsigned int>(subjectPublicKey.length())
+    };
+    SECKEYPrivateKey* privateKey;
+    // This should always be an RSA key (we'll have aborted above if we're not
+    // doing an RSA signature).
+    if (PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(
+          slot.get(), &encryptedPrivateKeyInfo, &passwordItem, nullptr,
+          &publicValueItem, false, false, rsaKey, KU_ALL, &privateKey,
+          nullptr) != SECSuccess) {
+      return MapPRErrorCodeToResult(PR_GetError());
+    }
+    ScopedSECKEYPrivateKey scopedPrivateKey(privateKey);
+    SECItem signatureItem;
+    if (SEC_SignData(&signatureItem, tbs.data(),
+                     static_cast<int>(tbs.length()),
+                     scopedPrivateKey.get(), oidTag) != SECSuccess) {
+      return MapPRErrorCodeToResult(PR_GetError());
+    }
+    signature.assign(signatureItem.data, signatureItem.len);
+    SECITEM_FreeItem(&signatureItem, false);
+    return Success;
+  }
+
+  TestKeyPair* Clone() const override
+  {
+    return new (std::nothrow) NSSTestKeyPair(publicKeyAlg,
+                                             subjectPublicKey,
+                                             encryptedPrivateKey,
+                                             encryptionAlgorithm,
+                                             encryptionParams);
+  }
+
+private:
+  const ByteString encryptedPrivateKey;
+  const ByteString encryptionAlgorithm;
+  const ByteString encryptionParams;
+};
+
+} // namespace
+
+// This private function is also used by Gecko's PSM test framework
+// (OCSPCommon.cpp).
+TestKeyPair* CreateTestKeyPair(const TestPublicKeyAlgorithm publicKeyAlg,
+                               const ScopedSECKEYPublicKey& publicKey,
+                               const ScopedSECKEYPrivateKey& privateKey)
+{
+  ScopedCERTSubjectPublicKeyInfo
+    spki(SECKEY_CreateSubjectPublicKeyInfo(publicKey.get()));
+  if (!spki) {
+    return nullptr;
+  }
+  SECItem spkDER = spki->subjectPublicKey;
+  DER_ConvertBitString(&spkDER); // bits to bytes
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  if (!slot) {
+    return nullptr;
+  }
+  // Because NSSTestKeyPair isn't tracked by XPCOM and won't otherwise be aware
+  // of shutdown, we don't have a way to release NSS resources at the
+  // appropriate time. To work around this, NSSTestKeyPair doesn't hold on to
+  // NSS resources. Instead, we export the generated private key part as an
+  // encrypted blob (with an empty password and fairly lame encryption). When we
+  // need to use it (e.g. to sign something), we decrypt it and create a
+  // temporary key object.
+  SECItem passwordItem = { siBuffer, nullptr, 0 };
+  ScopedSECKEYEncryptedPrivateKeyInfo encryptedPrivateKey(
+    PK11_ExportEncryptedPrivKeyInfo(
+      slot.get(), SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
+      &passwordItem, privateKey.get(), 1, nullptr));
+  if (!encryptedPrivateKey) {
+    return nullptr;
+  }
+
+  return new (std::nothrow) NSSTestKeyPair(
+    publicKeyAlg,
+    ByteString(spkDER.data, spkDER.len),
+    ByteString(encryptedPrivateKey->encryptedData.data,
+               encryptedPrivateKey->encryptedData.len),
+    ByteString(encryptedPrivateKey->algorithm.algorithm.data,
+               encryptedPrivateKey->algorithm.algorithm.len),
+    ByteString(encryptedPrivateKey->algorithm.parameters.data,
+               encryptedPrivateKey->algorithm.parameters.len));
+}
+
+namespace {
+
+TestKeyPair*
+GenerateKeyPairInner()
+{
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  if (!slot) {
+    abort();
+  }
+
+  // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
+  // entropy to generate a random key. Attempting to add some entropy and
+  // retrying appears to solve this issue.
+  for (uint32_t retries = 0; retries < 10; retries++) {
+    PK11RSAGenParams params;
+    params.keySizeInBits = 2048;
+    params.pe = 3;
+    SECKEYPublicKey* publicKeyTemp = nullptr;
+    ScopedSECKEYPrivateKey
+      privateKey(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
+                                      &params, &publicKeyTemp, false, true,
+                                      nullptr));
+    ScopedSECKEYPublicKey publicKey(publicKeyTemp);
+    if (privateKey) {
+      return CreateTestKeyPair(RSA_PKCS1(), publicKey, privateKey);
+    }
+
+    assert(!publicKeyTemp);
+
+    if (PR_GetError() != SEC_ERROR_PKCS11_FUNCTION_FAILED) {
+      break;
+    }
+
+    // Since these keys are only for testing, we don't need them to be good,
+    // random keys.
+    // https://xkcd.com/221/
+    static const uint8_t RANDOM_NUMBER[] = { 4, 4, 4, 4, 4, 4, 4, 4 };
+    if (PK11_RandomUpdate((void*) &RANDOM_NUMBER,
+                          sizeof(RANDOM_NUMBER)) != SECSuccess) {
+      break;
+    }
+  }
+
+  abort();
+}
+
+} // namespace
+
+TestKeyPair*
+GenerateKeyPair()
+{
+  InitNSSIfNeeded();
+  return GenerateKeyPairInner();
+}
+
+TestKeyPair*
+CloneReusedKeyPair()
+{
+  static PRCallOnceType initCallOnce;
+  if (PR_CallOnce(&initCallOnce, InitReusedKeyPair) != PR_SUCCESS) {
+    abort();
+  }
+  assert(reusedKeyPair);
+  return reusedKeyPair->Clone();
+}
+
+TestKeyPair*
+GenerateDSSKeyPair()
+{
+  InitNSSIfNeeded();
+
+  ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+  if (!slot) {
+    return nullptr;
+  }
+
+  ByteString p(DSS_P());
+  ByteString q(DSS_Q());
+  ByteString g(DSS_G());
+
+  static const PQGParams PARAMS = {
+    nullptr,
+    { siBuffer,
+      const_cast<uint8_t*>(p.data()),
+      static_cast<unsigned int>(p.length())
+    },
+    { siBuffer,
+      const_cast<uint8_t*>(q.data()),
+      static_cast<unsigned int>(q.length())
+    },
+    { siBuffer,
+      const_cast<uint8_t*>(g.data()),
+      static_cast<unsigned int>(g.length())
+    }
+  };
+
+  SECKEYPublicKey* publicKeyTemp = nullptr;
+  ScopedSECKEYPrivateKey
+    privateKey(PK11_GenerateKeyPair(slot.get(), CKM_DSA_KEY_PAIR_GEN,
+                                    const_cast<PQGParams*>(&PARAMS),
+                                    &publicKeyTemp, false, true, nullptr));
+  if (!privateKey) {
+    return nullptr;
+  }
+  ScopedSECKEYPublicKey publicKey(publicKeyTemp);
+  return CreateTestKeyPair(DSS(), publicKey, privateKey);
+}
+
+Result
+TestVerifyECDSASignedDigest(const SignedDigest& signedDigest,
+                            Input subjectPublicKeyInfo)
+{
+  InitNSSIfNeeded();
+  return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
+                                    nullptr);
+}
+
+Result
+TestVerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
+                               Input subjectPublicKeyInfo)
+{
+  InitNSSIfNeeded();
+  return VerifyRSAPKCS1SignedDigestNSS(signedDigest, subjectPublicKeyInfo,
+                                       nullptr);
+}
+
+Result
+TestDigestBuf(Input item,
+              DigestAlgorithm digestAlg,
+              /*out*/ uint8_t* digestBuf,
+              size_t digestBufLen)
+{
+  InitNSSIfNeeded();
+  return DigestBufNSS(item, digestAlg, digestBuf, digestBufLen);
+}
+
+} } } // namespace mozilla::pkix::test
diff --git a/security/nss/lib/mozpkix/test-lib/pkixtestutil.cpp b/security/nss/lib/mozpkix/test-lib/pkixtestutil.cpp
new file mode 100644
index 0000000000..b1b89c07e0
--- /dev/null
+++ b/security/nss/lib/mozpkix/test-lib/pkixtestutil.cpp
@@ -0,0 +1,1155 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This code is made available to you under your choice of the following sets
+ * of licensing terms:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* Copyright 2013 Mozilla Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mozpkix/test/pkixtestutil.h"
+
+#include <cerrno>
+#include <cstdio>
+#include <limits>
+#include <new>
+#include <sstream>
+#include <cstdlib>
+
+#include "mozpkix/pkixder.h"
+#include "mozpkix/pkixutil.h"
+
+using namespace std;
+
+namespace mozilla { namespace pkix { namespace test {
+
+namespace {
+
+struct ScopedMaybeDeleteFile {
+  void operator()(FILE* f) {
+    if (f) {
+      (void)fclose(f);
+    }
+  }
+};
+typedef std::unique_ptr<FILE, ScopedMaybeDeleteFile> ScopedFILE;
+
+FILE*
+OpenFile(const string& dir, const string& filename, const string& mode)
+{
+  string path = dir + '/' + filename;
+
+  ScopedFILE file;
+#ifdef _MSC_VER
+  {
+    FILE* rawFile;
+    errno_t error = fopen_s(&rawFile, path.c_str(), mode.c_str());
+    if (error) {
+      // TODO: map error to NSPR error code
+      rawFile = nullptr;
+    }
+    file.reset(rawFile);
+  }
+#else
+  file.reset(fopen(path.c_str(), mode.c_str()));
+#endif
+  return file.release();
+}
+
+} // namespace
+
+bool
+InputEqualsByteString(Input input, const ByteString& bs)
+{
+  Input bsInput;
+  if (bsInput.Init(bs.data(), bs.length()) != Success) {
+    // Init can only fail if it is given a bad pointer or if the input is too
+    // long, which won't ever happen. Plus, if it does, it is ok to call abort
+    // since this is only test code.
+    abort();
+  }
+  return InputsAreEqual(input, bsInput);
+}
+
+ByteString
+InputToByteString(Input input)
+{
+  ByteString result;
+  Reader reader(input);
+  for (;;) {
+    uint8_t b;
+    if (reader.Read(b) != Success) {
+      return result;
+    }
+    result.push_back(b);
+  }
+}
+
+Result
+TamperOnce(/*in/out*/ ByteString& item, const ByteString& from,
+           const ByteString& to)
+{
+  if (from.length() < 8) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+  if (from.length() != to.length()) {
+    return Result::FATAL_ERROR_INVALID_ARGS;
+  }
+  size_t pos = item.find(from);
+  if (pos == string::npos) {
+    return Result::FATAL_ERROR_INVALID_ARGS; // No matches.
+  }
+  if (item.find(from, pos + from.length()) != string::npos) {
+    return Result::FATAL_ERROR_INVALID_ARGS; // More than once match.
+  }
+  item.replace(pos, from.length(), to);
+  return Success;
+}
+
+// Given a tag and a value, generates a DER-encoded tag-length-value item.
+ByteString
+TLV(uint8_t tag, size_t length, const ByteString& value)
+{
+  ByteString result;
+  result.push_back(tag);
+
+  if (value.length() < 128) {
+    result.push_back(static_cast<uint8_t>(length));
+  } else if (value.length() < 256) {
+    result.push_back(0x81u);
+    result.push_back(static_cast<uint8_t>(length));
+  } else if (value.length() < 65536) {
+    result.push_back(0x82u);
+    result.push_back(static_cast<uint8_t>(length / 256));
+    result.push_back(static_cast<uint8_t>(length % 256));
+  } else {
+    // It is MUCH more convenient for TLV to be infallible than for it to have
+    // "proper" error handling.
+    abort();
+  }
+  result.append(value);
+  return result;
+}
+
+OCSPResponseExtension::OCSPResponseExtension()
+  : id()
+  , critical(false)
+  , value()
+  , next(nullptr)
+{
+}
+
+OCSPResponseContext::OCSPResponseContext(const CertID& aCertID, time_t time)
+  : certID(aCertID)
+  , responseStatus(successful)
+  , skipResponseBytes(false)
+  , producedAt(time)
+  , singleExtensions(nullptr)
+  , responseExtensions(nullptr)
+  , includeEmptyExtensions(false)
+  , signatureAlgorithm(sha256WithRSAEncryption())
+  , badSignature(false)
+  , certs(nullptr)
+
+  , certStatus(good)
+  , revocationTime(0)
+  , thisUpdate(time)
+  , nextUpdate(time + static_cast<time_t>(Time::ONE_DAY_IN_SECONDS))
+  , includeNextUpdate(true)
+{
+}
+
+static ByteString ResponseBytes(OCSPResponseContext& context);
+static ByteString BasicOCSPResponse(OCSPResponseContext& context);
+static ByteString ResponseData(OCSPResponseContext& context);
+static ByteString ResponderID(OCSPResponseContext& context);
+static ByteString KeyHash(const ByteString& subjectPublicKeyInfo);
+static ByteString SingleResponse(OCSPResponseContext& context);
+static ByteString CertID(OCSPResponseContext& context);
+static ByteString CertStatus(OCSPResponseContext& context);
+
+static ByteString
+SHA1(const ByteString& toHash)
+{
+  uint8_t digestBuf[20];
+  Input input;
+  if (input.Init(toHash.data(), toHash.length()) != Success) {
+    abort();
+  }
+  Result rv = TestDigestBuf(input, DigestAlgorithm::sha1, digestBuf,
+                            sizeof(digestBuf));
+  if (rv != Success) {
+    abort();
+  }
+  return ByteString(digestBuf, sizeof(digestBuf));
+}
+
+static ByteString
+HashedOctetString(const ByteString& bytes)
+{
+  ByteString digest(SHA1(bytes));
+  if (ENCODING_FAILED(digest)) {
+    return ByteString();
+  }
+  return TLV(der::OCTET_STRING, digest);
+}
+
+static ByteString
+BitString(const ByteString& rawBytes, bool corrupt)
+{
+  ByteString prefixed;
+  // We have to add a byte at the beginning indicating no unused bits.
+  // TODO: add ability to have bit strings of bit length not divisible by 8,
+  // resulting in unused bits in the bitstring encoding
+  prefixed.push_back(0);
+  prefixed.append(rawBytes);
+  if (corrupt) {
+    assert(prefixed.length() > 8);
+    prefixed[8]++;
+  }
+  return TLV(der::BIT_STRING, prefixed);
+}
+
+ByteString
+Boolean(bool value)
+{
+  ByteString encodedValue;
+  encodedValue.push_back(value ? 0xffu : 0x00u);
+  return TLV(der::BOOLEAN, encodedValue);
+}
+
+ByteString
+Integer(long value)
+{
+  if (value < 0 || value > 127) {
+    // TODO: add encoding of larger values
+    // It is MUCH more convenient for Integer to be infallible than for it to
+    // have "proper" error handling.
+    abort();
+  }
+
+  ByteString encodedValue;
+  encodedValue.push_back(static_cast<uint8_t>(value));
+  return TLV(der::INTEGER, encodedValue);
+}
+
+enum TimeEncoding { UTCTime = 0, GeneralizedTime = 1 };
+
+// Windows doesn't provide gmtime_r, but it provides something very similar.
+#if defined(_WINDOWS) && (!defined(_POSIX_C_SOURCE) || !defined(_POSIX_THREAD_SAFE_FUNCTIONS))
+static tm*
+gmtime_r(const time_t* t, /*out*/ tm* exploded)
+{
+  if (gmtime_s(exploded, t) != 0) {
+    return nullptr;
+  }
+  return exploded;
+}
+#endif
+
+// http://tools.ietf.org/html/rfc5280#section-4.1.2.5
+// UTCTime:           YYMMDDHHMMSSZ (years 1950-2049 only)
+// GeneralizedTime: YYYYMMDDHHMMSSZ
+//
+// This assumes that time/time_t are POSIX-compliant in that time() returns
+// the number of seconds since the Unix epoch.
+static ByteString
+TimeToEncodedTime(time_t time, TimeEncoding encoding)
+{
+  assert(encoding == UTCTime || encoding == GeneralizedTime);
+
+  tm exploded;
+  if (!gmtime_r(&time, &exploded)) {
+    return ByteString();
+  }
+
+  if (exploded.tm_sec >= 60) {
+    // round down for leap seconds
+    exploded.tm_sec = 59;
+  }
+
+  // exploded.tm_year is the year offset by 1900.
+  int year = exploded.tm_year + 1900;
+
+  if (encoding == UTCTime && (year < 1950 || year >= 2050)) {
+    return ByteString();
+  }
+
+  ByteString value;
+
+  if (encoding == GeneralizedTime) {
+    value.push_back(static_cast<uint8_t>('0' + (year / 1000)));
+    value.push_back(static_cast<uint8_t>('0' + ((year % 1000) / 100)));
+  }
+
+  value.push_back(static_cast<uint8_t>('0' + ((year % 100) / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (year % 10)));
+  value.push_back(static_cast<uint8_t>('0' + ((exploded.tm_mon + 1) / 10)));
+  value.push_back(static_cast<uint8_t>('0' + ((exploded.tm_mon + 1) % 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_mday / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_mday % 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_hour / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_hour % 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_min / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_min % 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_sec / 10)));
+  value.push_back(static_cast<uint8_t>('0' + (exploded.tm_sec % 10)));
+  value.push_back('Z');
+
+  return TLV(encoding == GeneralizedTime ? der::GENERALIZED_TIME : der::UTCTime,
+             value);
+}
+
+static ByteString
+TimeToGeneralizedTime(time_t time)
+{
+  return TimeToEncodedTime(time, GeneralizedTime);
+}
+
+// http://tools.ietf.org/html/rfc5280#section-4.1.2.5: "CAs conforming to this
+// profile MUST always encode certificate validity dates through the year 2049
+// as UTCTime; certificate validity dates in 2050 or later MUST be encoded as
+// GeneralizedTime." (This is a special case of the rule that we must always
+// use the shortest possible encoding.)
+static ByteString
+TimeToTimeChoice(time_t time)
+{
+  tm exploded;
+  if (!gmtime_r(&time, &exploded)) {
+    return ByteString();
+  }
+  TimeEncoding encoding = (exploded.tm_year + 1900 >= 1950 &&
+                           exploded.tm_year + 1900 < 2050)
+                        ? UTCTime
+                        : GeneralizedTime;
+
+  return TimeToEncodedTime(time, encoding);
+}
+
+Time
+YMDHMS(uint16_t year, uint16_t month, uint16_t day,
+       uint16_t hour, uint16_t minutes, uint16_t seconds)
+{
+  assert(year <= 9999);
+  assert(month >= 1);
+  assert(month <= 12);
+  assert(day >= 1);
+  assert(hour < 24);
+  assert(minutes < 60);
+  assert(seconds < 60);
+
+  uint64_t days = DaysBeforeYear(year);
+
+  {
+    static const int16_t DAYS_IN_MONTH[] = {
+      31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31
+    };
+
+    int16_t i = 1;
+    for (;;) {
+      int16_t daysInMonth = DAYS_IN_MONTH[i - 1];
+      if (i == 2 &&
+          ((year % 4 == 0) && ((year % 100 != 0) || (year % 400 == 0)))) {
+        // Add leap day
+        ++daysInMonth;
+      }
+      if (i == month) {
+        assert(day <= daysInMonth);
+        break;
+      }
+      days += daysInMonth;
+      ++i;
+    }
+  }
+
+  days += (day - 1);
+
+  uint64_t totalSeconds = days * Time::ONE_DAY_IN_SECONDS;
+  totalSeconds += hour * 60 * 60;
+  totalSeconds += minutes * 60;
+  totalSeconds += seconds;
+  return TimeFromElapsedSecondsAD(totalSeconds);
+}
+
+static ByteString
+SignedData(const ByteString& tbsData,
+           const TestKeyPair& keyPair,
+           const TestSignatureAlgorithm& signatureAlgorithm,
+           bool corrupt, /*optional*/ const ByteString* certs)
+{
+  ByteString signature;
+  if (keyPair.SignData(tbsData, signatureAlgorithm, signature) != Success) {
+    return ByteString();
+  }
+
+  // TODO: add ability to have signatures of bit length not divisible by 8,
+  // resulting in unused bits in the bitstring encoding
+  ByteString signatureNested(BitString(signature, corrupt));
+  if (ENCODING_FAILED(signatureNested)) {
+    return ByteString();
+  }
+
+  ByteString certsNested;
+  if (certs) {
+    ByteString certsSequenceValue;
+    while (!(*certs).empty()) {
+      certsSequenceValue.append(*certs);
+      ++certs;
+    }
+    ByteString certsSequence(TLV(der::SEQUENCE, certsSequenceValue));
+    certsNested = TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+                      certsSequence);
+  }
+
+  ByteString value;
+  value.append(tbsData);
+  value.append(signatureAlgorithm.algorithmIdentifier);
+  value.append(signatureNested);
+  value.append(certsNested);
+  return TLV(der::SEQUENCE, value);
+}
+
+// Extension  ::=  SEQUENCE  {
+//      extnID      OBJECT IDENTIFIER,
+//      critical    BOOLEAN DEFAULT FALSE,
+//      extnValue   OCTET STRING
+//                  -- contains the DER encoding of an ASN.1 value
+//                  -- corresponding to the extension type identified
+//                  -- by extnID
+//      }
+static ByteString
+Extension(Input extnID, Critical critical, const ByteString& extnValueBytes)
+{
+  ByteString encoded;
+
+  encoded.append(ByteString(extnID.UnsafeGetData(), extnID.GetLength()));
+
+  if (critical == Critical::Yes) {
+    encoded.append(Boolean(true));
+  }
+
+  ByteString extnValueSequence(TLV(der::SEQUENCE, extnValueBytes));
+  ByteString extnValue(TLV(der::OCTET_STRING, extnValueSequence));
+  encoded.append(extnValue);
+  return TLV(der::SEQUENCE, encoded);
+}
+
+static ByteString
+EmptyExtension(Input extnID, Critical critical)
+{
+  ByteString encoded(extnID.UnsafeGetData(), extnID.GetLength());
+
+  if (critical == Critical::Yes) {
+    encoded.append(Boolean(true));
+  }
+
+  ByteString extnValue(TLV(der::OCTET_STRING, ByteString()));
+  encoded.append(extnValue);
+  return TLV(der::SEQUENCE, encoded);
+}
+
+std::string
+GetEnv(const char* name)
+{
+  std::string result;
+
+#ifndef _MSC_VER
+  // XXX: Not thread safe.
+  const char* value = getenv(name);
+  if (value) {
+    result = value;
+  }
+#else
+  char* value = nullptr;
+  size_t valueLength = 0;
+  if (_dupenv_s(&value, &valueLength, name) != 0) {
+    abort();
+  }
+  if (value) {
+    result = value;
+    free(value);
+  }
+#endif
+  return result;
+}
+
+void
+MaybeLogOutput(const ByteString& result, const char* suffix)
+{
+  assert(suffix);
+
+  // This allows us to more easily debug the generated output, by creating a
+  // file in the directory given by MOZILLA_PKIX_TEST_LOG_DIR for each
+  // NOT THREAD-SAFE!!!
+  std::string logPath(GetEnv("MOZILLA_PKIX_TEST_LOG_DIR"));
+  if (!logPath.empty()) {
+    static int counter = 0;
+
+    std::ostringstream counterStream;
+    counterStream << counter;
+    if (!counterStream) {
+      assert(false);
+      return;
+    }
+    string filename = counterStream.str() + '-' + suffix + ".der";
+
+    ++counter;
+    ScopedFILE file(OpenFile(logPath, filename, "wb"));
+    if (file) {
+      (void) fwrite(result.data(), result.length(), 1, file.get());
+    }
+  }
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// Certificates
+
+static ByteString TBSCertificate(long version, const ByteString& serialNumber,
+                                 const ByteString& signature,
+                                 const ByteString& issuer,
+                                 time_t notBefore, time_t notAfter,
+                                 const ByteString& subject,
+                                 const ByteString& subjectPublicKeyInfo,
+                                 /*optional*/ const ByteString* extensions);
+
+// Certificate  ::=  SEQUENCE  {
+//         tbsCertificate       TBSCertificate,
+//         signatureAlgorithm   AlgorithmIdentifier,
+//         signatureValue       BIT STRING  }
+ByteString
+CreateEncodedCertificate(long version,
+                         const TestSignatureAlgorithm& signature,
+                         const ByteString& serialNumber,
+                         const ByteString& issuerNameDER,
+                         time_t notBefore, time_t notAfter,
+                         const ByteString& subjectNameDER,
+                         const TestKeyPair& subjectKeyPair,
+                         /*optional*/ const ByteString* extensions,
+                         const TestKeyPair& issuerKeyPair,
+                         const TestSignatureAlgorithm& signatureAlgorithm)
+{
+  ByteString tbsCertificate(TBSCertificate(version, serialNumber,
+                                           signature.algorithmIdentifier,
+                                           issuerNameDER, notBefore,
+                                           notAfter, subjectNameDER,
+                                           subjectKeyPair.subjectPublicKeyInfo,
+                                           extensions));
+  if (ENCODING_FAILED(tbsCertificate)) {
+    return ByteString();
+  }
+
+  ByteString result(SignedData(tbsCertificate, issuerKeyPair,
+                               signatureAlgorithm, false, nullptr));
+  if (ENCODING_FAILED(result)) {
+    return ByteString();
+  }
+
+  MaybeLogOutput(result, "cert");
+
+  return result;
+}
+
+// TBSCertificate  ::=  SEQUENCE  {
+//      version         [0]  Version DEFAULT v1,
+//      serialNumber         CertificateSerialNumber,
+//      signature            AlgorithmIdentifier,
+//      issuer               Name,
+//      validity             Validity,
+//      subject              Name,
+//      subjectPublicKeyInfo SubjectPublicKeyInfo,
+//      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+//                           -- If present, version MUST be v2 or v3
+//      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+//                           -- If present, version MUST be v2 or v3
+//      extensions      [3]  Extensions OPTIONAL
+//                           -- If present, version MUST be v3 --  }
+static ByteString
+TBSCertificate(long versionValue,
+               const ByteString& serialNumber, const ByteString& signature,
+               const ByteString& issuer, time_t notBeforeTime,
+               time_t notAfterTime, const ByteString& subject,
+               const ByteString& subjectPublicKeyInfo,
+               /*optional*/ const ByteString* extensions)
+{
+  ByteString value;
+
+  if (versionValue != static_cast<long>(der::Version::v1)) {
+    ByteString versionInteger(Integer(versionValue));
+    ByteString version(TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 0,
+                           versionInteger));
+    value.append(version);
+  }
+
+  value.append(serialNumber);
+  value.append(signature);
+  value.append(issuer);
+
+  // Validity ::= SEQUENCE {
+  //       notBefore      Time,
+  //       notAfter       Time }
+  ByteString validity;
+  {
+    ByteString notBefore(TimeToTimeChoice(notBeforeTime));
+    if (ENCODING_FAILED(notBefore)) {
+      return ByteString();
+    }
+    ByteString notAfter(TimeToTimeChoice(notAfterTime));
+    if (ENCODING_FAILED(notAfter)) {
+      return ByteString();
+    }
+    ByteString validityValue;
+    validityValue.append(notBefore);
+    validityValue.append(notAfter);
+    validity = TLV(der::SEQUENCE, validityValue);
+    if (ENCODING_FAILED(validity)) {
+      return ByteString();
+    }
+  }
+  value.append(validity);
+
+  value.append(subject);
+
+  value.append(subjectPublicKeyInfo);
+
+  if (extensions) {
+    ByteString extensionsValue;
+    while (!(*extensions).empty()) {
+      extensionsValue.append(*extensions);
+      ++extensions;
+    }
+    ByteString extensionsSequence(TLV(der::SEQUENCE, extensionsValue));
+    if (ENCODING_FAILED(extensionsSequence)) {
+      return ByteString();
+    }
+    ByteString extensionsWrapped(
+      TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3, extensionsSequence));
+    if (ENCODING_FAILED(extensionsWrapped)) {
+      return ByteString();
+    }
+    value.append(extensionsWrapped);
+  }
+
+  return TLV(der::SEQUENCE, value);
+}
+
+// AttributeTypeAndValue ::= SEQUENCE {
+//   type     AttributeType,
+//   value    AttributeValue }
+//
+// AttributeType ::= OBJECT IDENTIFIER
+//
+// AttributeValue ::= ANY -- DEFINED BY AttributeType
+//
+// DirectoryString ::= CHOICE {
+//       teletexString           TeletexString (SIZE (1..MAX)),
+//       printableString         PrintableString (SIZE (1..MAX)),
+//       universalString         UniversalString (SIZE (1..MAX)),
+//       utf8String              UTF8String (SIZE (1..MAX)),
+//       bmpString               BMPString (SIZE (1..MAX)) }
+template <size_t N>
+static ByteString
+AVA(const uint8_t (&type)[N], uint8_t directoryStringType,
+    const ByteString& value)
+{
+  ByteString wrappedValue(TLV(directoryStringType, value));
+  ByteString ava;
+  ava.append(type, N);
+  ava.append(wrappedValue);
+  return TLV(der::SEQUENCE, ava);
+}
+
+ByteString
+CN(const ByteString& value, uint8_t encodingTag)
+{
+  // id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+  // id-at-commonName        AttributeType ::= { id-at 3 }
+  // python DottedOIDToCode.py --tlv id-at-commonName 2.5.4.3
+  static const uint8_t tlv_id_at_commonName[] = {
+    0x06, 0x03, 0x55, 0x04, 0x03
+  };
+  return AVA(tlv_id_at_commonName, encodingTag, value);
+}
+
+ByteString
+OU(const ByteString& value, uint8_t encodingTag)
+{
+  // id-at OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) 4 }
+  // id-at-organizationalUnitName AttributeType ::= { id-at 11 }
+  // python DottedOIDToCode.py --tlv id-at-organizationalUnitName 2.5.4.11
+  static const uint8_t tlv_id_at_organizationalUnitName[] = {
+    0x06, 0x03, 0x55, 0x04, 0x0b
+  };
+
+  return AVA(tlv_id_at_organizationalUnitName, encodingTag, value);
+}
+
+ByteString
+emailAddress(const ByteString& value)
+{
+  // id-emailAddress AttributeType ::= { pkcs-9 1 }
+  // python DottedOIDToCode.py --tlv id-emailAddress 1.2.840.113549.1.9.1
+  static const uint8_t tlv_id_emailAddress[] = {
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01
+  };
+
+  return AVA(tlv_id_emailAddress, der::IA5String, value);
+}
+
+// RelativeDistinguishedName ::=
+//   SET SIZE (1..MAX) OF AttributeTypeAndValue
+//
+ByteString
+RDN(const ByteString& avas)
+{
+  return TLV(der::SET, avas);
+}
+
+// Name ::= CHOICE { -- only one possibility for now --
+//   rdnSequence  RDNSequence }
+//
+// RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+//
+ByteString
+Name(const ByteString& rdns)
+{
+  return TLV(der::SEQUENCE, rdns);
+}
+
+ByteString
+CreateEncodedSerialNumber(long serialNumberValue)
+{
+  return Integer(serialNumberValue);
+}
+
+// BasicConstraints ::= SEQUENCE {
+//         cA                      BOOLEAN DEFAULT FALSE,
+//         pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+ByteString
+CreateEncodedBasicConstraints(bool isCA,
+                              /*optional in*/ const long* pathLenConstraintValue,
+                              Critical critical)
+{
+  ByteString value;
+
+  if (isCA) {
+    ByteString cA(Boolean(true));
+    value.append(cA);
+  }
+
+  if (pathLenConstraintValue) {
+    ByteString pathLenConstraint(Integer(*pathLenConstraintValue));
+    value.append(pathLenConstraint);
+  }
+
+  // python DottedOIDToCode.py --tlv id-ce-basicConstraints 2.5.29.19
+  static const uint8_t tlv_id_ce_basicConstraints[] = {
+    0x06, 0x03, 0x55, 0x1d, 0x13
+  };
+  return Extension(Input(tlv_id_ce_basicConstraints), critical, value);
+}
+
+// ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+// KeyPurposeId ::= OBJECT IDENTIFIER
+ByteString
+CreateEncodedEKUExtension(Input ekuOID, Critical critical)
+{
+  ByteString value(ekuOID.UnsafeGetData(), ekuOID.GetLength());
+
+  // python DottedOIDToCode.py --tlv id-ce-extKeyUsage 2.5.29.37
+  static const uint8_t tlv_id_ce_extKeyUsage[] = {
+    0x06, 0x03, 0x55, 0x1d, 0x25
+  };
+
+  return Extension(Input(tlv_id_ce_extKeyUsage), critical, value);
+}
+
+// python DottedOIDToCode.py --tlv id-ce-subjectAltName 2.5.29.17
+static const uint8_t tlv_id_ce_subjectAltName[] = {
+  0x06, 0x03, 0x55, 0x1d, 0x11
+};
+
+ByteString
+CreateEncodedSubjectAltName(const ByteString& names)
+{
+  return Extension(Input(tlv_id_ce_subjectAltName), Critical::No, names);
+}
+
+ByteString
+CreateEncodedEmptySubjectAltName()
+{
+  return EmptyExtension(Input(tlv_id_ce_subjectAltName), Critical::No);
+}
+
+///////////////////////////////////////////////////////////////////////////////
+// OCSP responses
+
+ByteString
+CreateEncodedOCSPResponse(OCSPResponseContext& context)
+{
+  if (!context.skipResponseBytes) {
+    if (!context.signerKeyPair) {
+      return ByteString();
+    }
+  }
+
+  // OCSPResponse ::= SEQUENCE {
+  //    responseStatus          OCSPResponseStatus,
+  //    responseBytes       [0] EXPLICIT ResponseBytes OPTIONAL }
+
+  // OCSPResponseStatus ::= ENUMERATED {
+  //    successful          (0),  -- Response has valid confirmations
+  //    malformedRequest    (1),  -- Illegal confirmation request
+  //    internalError       (2),  -- Internal error in issuer
+  //    tryLater            (3),  -- Try again later
+  //                              -- (4) is not used
+  //    sigRequired         (5),  -- Must sign the request
+  //    unauthorized        (6)   -- Request unauthorized
+  // }
+  ByteString reponseStatusValue;
+  reponseStatusValue.push_back(context.responseStatus);
+  ByteString responseStatus(TLV(der::ENUMERATED, reponseStatusValue));
+
+  ByteString responseBytesNested;
+  if (!context.skipResponseBytes) {
+    ByteString responseBytes(ResponseBytes(context));
+    if (ENCODING_FAILED(responseBytes)) {
+      return ByteString();
+    }
+
+    responseBytesNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC,
+                              responseBytes);
+  }
+
+  ByteString value;
+  value.append(responseStatus);
+  value.append(responseBytesNested);
+  ByteString result(TLV(der::SEQUENCE, value));
+
+  MaybeLogOutput(result, "ocsp");
+
+  return result;
+}
+
+// ResponseBytes ::= SEQUENCE {
+//    responseType            OBJECT IDENTIFIER,
+//    response                OCTET STRING }
+ByteString
+ResponseBytes(OCSPResponseContext& context)
+{
+  // Includes tag and length
+  static const uint8_t id_pkix_ocsp_basic_encoded[] = {
+    0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+  };
+  ByteString response(BasicOCSPResponse(context));
+  if (ENCODING_FAILED(response)) {
+    return ByteString();
+  }
+  ByteString responseNested = TLV(der::OCTET_STRING, response);
+
+  ByteString value;
+  value.append(id_pkix_ocsp_basic_encoded,
+               sizeof(id_pkix_ocsp_basic_encoded));
+  value.append(responseNested);
+  return TLV(der::SEQUENCE, value);
+}
+
+// BasicOCSPResponse ::= SEQUENCE {
+//   tbsResponseData          ResponseData,
+//   signatureAlgorithm       AlgorithmIdentifier,
+//   signature                BIT STRING,
+//   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ByteString
+BasicOCSPResponse(OCSPResponseContext& context)
+{
+  ByteString tbsResponseData(ResponseData(context));
+  if (ENCODING_FAILED(tbsResponseData)) {
+    return ByteString();
+  }
+
+  return SignedData(tbsResponseData, *context.signerKeyPair,
+                    context.signatureAlgorithm, context.badSignature,
+                    context.certs);
+}
+
+// Extension ::= SEQUENCE {
+//   id               OBJECT IDENTIFIER,
+//   critical         BOOLEAN DEFAULT FALSE
+//   value            OCTET STRING
+// }
+static ByteString
+OCSPExtension(OCSPResponseExtension& extension)
+{
+  ByteString encoded;
+  encoded.append(extension.id);
+  if (extension.critical) {
+    encoded.append(Boolean(true));
+  }
+  ByteString value(TLV(der::OCTET_STRING, extension.value));
+  encoded.append(value);
+  return TLV(der::SEQUENCE, encoded);
+}
+
+// Extensions ::= [1] {
+//   SEQUENCE OF Extension
+// }
+static ByteString
+OCSPExtensions(OCSPResponseExtension* extensions)
+{
+  ByteString value;
+  for (OCSPResponseExtension* extension = extensions;
+       extension; extension = extension->next) {
+    ByteString extensionEncoded(OCSPExtension(*extension));
+    if (ENCODING_FAILED(extensionEncoded)) {
+      return ByteString();
+    }
+    value.append(extensionEncoded);
+  }
+  ByteString sequence(TLV(der::SEQUENCE, value));
+  return TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1, sequence);
+}
+
+// ResponseData ::= SEQUENCE {
+//    version             [0] EXPLICIT Version DEFAULT v1,
+//    responderID             ResponderID,
+//    producedAt              GeneralizedTime,
+//    responses               SEQUENCE OF SingleResponse,
+//    responseExtensions  [1] EXPLICIT Extensions OPTIONAL }
+ByteString
+ResponseData(OCSPResponseContext& context)
+{
+  ByteString responderID(ResponderID(context));
+  if (ENCODING_FAILED(responderID)) {
+    return ByteString();
+  }
+  ByteString producedAtEncoded(TimeToGeneralizedTime(context.producedAt));
+  if (ENCODING_FAILED(producedAtEncoded)) {
+    return ByteString();
+  }
+  ByteString response(SingleResponse(context));
+  if (ENCODING_FAILED(response)) {
+    return ByteString();
+  }
+  ByteString responses(TLV(der::SEQUENCE, response));
+  ByteString responseExtensions;
+  if (context.responseExtensions || context.includeEmptyExtensions) {
+    responseExtensions = OCSPExtensions(context.responseExtensions);
+  }
+
+  ByteString value;
+  value.append(responderID);
+  value.append(producedAtEncoded);
+  value.append(responses);
+  value.append(responseExtensions);
+  return TLV(der::SEQUENCE, value);
+}
+
+// ResponderID ::= CHOICE {
+//    byName              [1] Name,
+//    byKey               [2] KeyHash }
+// }
+ByteString
+ResponderID(OCSPResponseContext& context)
+{
+  ByteString contents;
+  uint8_t responderIDType;
+  if (!context.signerNameDER.empty()) {
+    contents = context.signerNameDER;
+    responderIDType = 1; // byName
+  } else {
+    contents = KeyHash(context.signerKeyPair->subjectPublicKey);
+    if (ENCODING_FAILED(contents)) {
+      return ByteString();
+    }
+    responderIDType = 2; // byKey
+  }
+
+  // XXX: MSVC 2015 wrongly warns about signed/unsigned conversion without the
+  // static_cast.
+  uint8_t tag = static_cast<uint8_t>(der::CONSTRUCTED | der::CONTEXT_SPECIFIC |
+                                     responderIDType);
+  return TLV(tag, contents);
+}
+
+// KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+//                          -- (i.e., the SHA-1 hash of the value of the
+//                          -- BIT STRING subjectPublicKey [excluding
+//                          -- the tag, length, and number of unused
+//                          -- bits] in the responder's certificate)
+ByteString
+KeyHash(const ByteString& subjectPublicKey)
+{
+  return HashedOctetString(subjectPublicKey);
+}
+
+// SingleResponse ::= SEQUENCE {
+//    certID                  CertID,
+//    certStatus              CertStatus,
+//    thisUpdate              GeneralizedTime,
+//    nextUpdate          [0] EXPLICIT GeneralizedTime OPTIONAL,
+//    singleExtensions    [1] EXPLICIT Extensions OPTIONAL }
+ByteString
+SingleResponse(OCSPResponseContext& context)
+{
+  ByteString certID(CertID(context));
+  if (ENCODING_FAILED(certID)) {
+    return ByteString();
+  }
+  ByteString certStatus(CertStatus(context));
+  if (ENCODING_FAILED(certStatus)) {
+    return ByteString();
+  }
+  ByteString thisUpdateEncoded(TimeToGeneralizedTime(context.thisUpdate));
+  if (ENCODING_FAILED(thisUpdateEncoded)) {
+    return ByteString();
+  }
+  ByteString nextUpdateEncodedNested;
+  if (context.includeNextUpdate) {
+    ByteString nextUpdateEncoded(TimeToGeneralizedTime(context.nextUpdate));
+    if (ENCODING_FAILED(nextUpdateEncoded)) {
+      return ByteString();
+    }
+    nextUpdateEncodedNested = TLV(der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0,
+                                  nextUpdateEncoded);
+  }
+  ByteString singleExtensions;
+  if (context.singleExtensions || context.includeEmptyExtensions) {
+    singleExtensions = OCSPExtensions(context.singleExtensions);
+  }
+
+  ByteString value;
+  value.append(certID);
+  value.append(certStatus);
+  value.append(thisUpdateEncoded);
+  value.append(nextUpdateEncodedNested);
+  value.append(singleExtensions);
+  return TLV(der::SEQUENCE, value);
+}
+
+// CertID          ::=     SEQUENCE {
+//        hashAlgorithm       AlgorithmIdentifier,
+//        issuerNameHash      OCTET STRING, -- Hash of issuer's DN
+//        issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
+//        serialNumber        CertificateSerialNumber }
+ByteString
+CertID(OCSPResponseContext& context)
+{
+  ByteString issuerName(context.certID.issuer.UnsafeGetData(),
+                        context.certID.issuer.GetLength());
+  ByteString issuerNameHash(HashedOctetString(issuerName));
+  if (ENCODING_FAILED(issuerNameHash)) {
+    return ByteString();
+  }
+
+  ByteString issuerKeyHash;
+  {
+    // context.certID.issuerSubjectPublicKeyInfo is the entire
+    // SubjectPublicKeyInfo structure, but we need just the subjectPublicKey
+    // part.
+    Reader input(context.certID.issuerSubjectPublicKeyInfo);
+    Reader contents;
+    if (der::ExpectTagAndGetValue(input, der::SEQUENCE, contents) != Success) {
+      return ByteString();
+    }
+    // Skip AlgorithmIdentifier
+    if (der::ExpectTagAndSkipValue(contents, der::SEQUENCE) != Success) {
+      return ByteString();
+    }
+    Input subjectPublicKey;
+    if (der::BitStringWithNoUnusedBits(contents, subjectPublicKey)
+          != Success) {
+      return ByteString();
+    }
+    issuerKeyHash = KeyHash(ByteString(subjectPublicKey.UnsafeGetData(),
+                                       subjectPublicKey.GetLength()));
+    if (ENCODING_FAILED(issuerKeyHash)) {
+      return ByteString();
+    }
+  }
+
+  ByteString serialNumberValue(context.certID.serialNumber.UnsafeGetData(),
+                               context.certID.serialNumber.GetLength());
+  ByteString serialNumber(TLV(der::INTEGER, serialNumberValue));
+
+  // python DottedOIDToCode.py --alg id-sha1 1.3.14.3.2.26
+  static const uint8_t alg_id_sha1[] = {
+    0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a
+  };
+
+  ByteString value;
+  value.append(alg_id_sha1, sizeof(alg_id_sha1));
+  value.append(issuerNameHash);
+  value.append(issuerKeyHash);
+  value.append(serialNumber);
+  return TLV(der::SEQUENCE, value);
+}
+
+// CertStatus ::= CHOICE {
+//    good                [0] IMPLICIT NULL,
+//    revoked             [1] IMPLICIT RevokedInfo,
+//    unknown             [2] IMPLICIT UnknownInfo }
+//
+// RevokedInfo ::= SEQUENCE {
+//    revocationTime              GeneralizedTime,
+//    revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
+//
+// UnknownInfo ::= NULL
+//
+ByteString
+CertStatus(OCSPResponseContext& context)
+{
+  switch (context.certStatus) {
+    // Both good and unknown are ultimately represented as NULL - the only
+    // difference is in the tag that identifies them.
+    case 0:
+    case 2:
+    {
+      // XXX: MSVC 2015 wrongly warns about signed/unsigned conversion without
+      // the static cast.
+      return TLV(static_cast<uint8_t>(der::CONTEXT_SPECIFIC |
+                                      context.certStatus), ByteString());
+    }
+    case 1:
+    {
+      ByteString revocationTime(TimeToGeneralizedTime(context.revocationTime));
+      if (ENCODING_FAILED(revocationTime)) {
+        return ByteString();
+      }
+      // TODO(bug 980536): add support for revocationReason
+      return TLV(der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 1, revocationTime);
+    }
+    default:
+      assert(false);
+      // fall through
+  }
+  return ByteString();
+}
+
+static const ByteString NO_UNUSED_BITS(1, 0x00);
+
+// The SubjectPublicKeyInfo syntax is specified in RFC 5280 Section 4.1.
+TestKeyPair::TestKeyPair(const TestPublicKeyAlgorithm& aPublicKeyAlg,
+                         const ByteString& spk)
+  : publicKeyAlg(aPublicKeyAlg)
+  , subjectPublicKeyInfo(TLV(der::SEQUENCE,
+                             aPublicKeyAlg.algorithmIdentifier +
+                             TLV(der::BIT_STRING, NO_UNUSED_BITS + spk)))
+  , subjectPublicKey(spk)
+{
+}
+
+} } } // namespace mozilla::pkix::test
diff --git a/security/nss/lib/mozpkix/tools/DottedOIDToCode.py b/security/nss/lib/mozpkix/tools/DottedOIDToCode.py
new file mode 100644
index 0000000000..dfd4ade074
--- /dev/null
+++ b/security/nss/lib/mozpkix/tools/DottedOIDToCode.py
@@ -0,0 +1,216 @@
+# This code is made available to you under your choice of the following sets
+# of licensing terms:
+###############################################################################
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+###############################################################################
+# Copyright 2013 Mozilla Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import print_function
+import argparse
+import itertools
+import sys
+
+
+def base128(value):
+    """
+    Given an integral value, returns an array of the base-128 representation
+    of that value, with all but the last byte having the high bit set as
+    required by the DER rules for the nodes of an OID after the first two
+    bytes.
+
+    >>> base128(1)
+    [1]
+    >>> base128(10045)
+    [206, 61]
+    """
+
+    if value < 0:
+        raise ValueError("An OID must have only positive-value nodes.")
+
+    # least significant byte has highest bit unset
+    result = [value % 0x80]
+    value /= 0x80
+
+    while value != 0:
+        result = [0x80 | (value % 0x80)] + result
+        value /= 0x80
+
+    return result
+
+
+def dottedOIDToEncodedArray(dottedOID):
+    """
+    Takes a dotted OID string (e.g. '1.2.840.10045.4.3.4') as input, and
+    returns an array that contains the DER encoding of its value, without
+    the tag and length (e.g. [0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04]).
+    """
+    nodes = [int(x) for x in dottedOID.strip().split(".")]
+    if len(nodes) < 2:
+        raise ValueError("An OID must have at least two nodes.")
+    if not (0 <= nodes[0] <= 2):
+        raise ValueError("The first node of an OID must be 0, 1, or 2.")
+    if not (0 <= nodes[1] <= 39):
+        # XXX: Does this restriction apply when the first part is 2?
+        raise ValueError("The second node of an OID must be 0-39.")
+    firstByte = (40 * nodes[0]) + nodes[1]
+    restBase128 = [base128(x) for x in nodes[2:]]
+    return [firstByte] + list(itertools.chain.from_iterable(restBase128))
+
+
+def dottedOIDToCArray(dottedOID, mode):
+    """
+    Takes a dotted OID string (e.g. '1.2.840.10045.4.3.4') as input, and
+    returns a string that contains the hex encoding of the OID in C++ literal
+    notation, e.g. '0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04'.
+    """
+    bytes = dottedOIDToEncodedArray(dottedOID)
+
+    if mode != "value" and mode != "prefixdefine":
+        bytes = [0x06, len(bytes)] + bytes
+
+    if mode == "alg":
+        # Wrap the DER-encoded OID in a SEQUENCE to create an
+        # AlgorithmIdentifier with no parameters.
+        bytes = [0x30, len(bytes)] + bytes
+
+    return ", ".join(["0x%.2x" % b for b in bytes])
+
+
+def specNameToCName(specName):
+    """
+    Given an string containing an ASN.1 name, returns a string that is a valid
+    C++ identifier that is as similar to that name as possible. Since most
+    ASN.1 identifiers used in PKIX specifications are legal C++ names except
+    for containing hyphens, this function just converts the hyphens to
+    underscores. This may need to be improved in the future if we encounter
+    names with other funny characters.
+    """
+    return specName.replace("-", "_")
+
+
+def toCode(programName, specName, dottedOID, mode):
+    """
+    Given an ASN.1 name and a string containing the dotted representation of an
+    OID, returns a string that contains a C++ declaration for a named constant
+    that contains that OID value. If mode is "value" then only the value of
+    the OID (without the tag or length) will be included in the output. If mode
+    is "tlv" then the value will be prefixed with the tag and length. If mode
+    is "alg" then the value will be a complete der-encoded AlgorithmIdentifier
+    with no parameters.
+
+    This:
+
+        toCode("DottedOIDToCode.py", "ecdsa-with-SHA512", "1.2.840.10045.4.3.4",
+               "value")
+
+    would result in a string like:
+
+        // python DottedOIDToCode.py ecdsa-with-SHA512 1.2.840.10045.4.3.4
+        static const uint8_t ecdsa_with_SHA512[] = {
+          0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+        };
+
+    This:
+
+        toCode("DottedOIDToCode.py", "ecdsa-with-SHA512", "1.2.840.10045.4.3.4",
+               "tlv")
+
+    would result in a string like:
+
+        // python DottedOIDToCode.py --tlv ecdsa-with-SHA512 1.2.840.10045.4.3.4
+        static const uint8_t tlv_ecdsa_with_SHA512[] = {
+          0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+        };
+
+    This:
+
+        toCode("DottedOIDToCode.py", "ecdsa-with-SHA512", "1.2.840.10045.4.3.4",
+               "alg")
+
+    would result in a string like:
+
+        // python DottedOIDToCode.py --alg ecdsa-with-SHA512 1.2.840.10045.4.3.4
+        static const uint8_t alg_ecdsa_with_SHA512[] = {
+          0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x04
+        };
+
+    This:
+
+        toCode("DottedOIDToCode.py", "PREFIX_1_2_840_10045", "1.2.840.10045",
+               "prefixdefine")
+
+    would result in a string like this (note the lack of indention):
+
+      // python DottedOIDToCode.py --prefixdefine PREFIX_1_2_840_10045 1.2.840.10045
+      #define PREFIX_1_2_840_10045 0x2a, 0x86, 0x48, 0xce, 0x3d
+    """
+    programNameWithOptions = programName
+
+    if mode == "prefixdefine":
+        programNameWithOptions += " --prefixdefine"
+        varName = specName
+        return ("// python %s %s %s\n" +
+                "#define %s %s\n") % (programNameWithOptions, specName,
+                                      dottedOID, varName,
+                                      dottedOIDToCArray(dottedOID, mode))
+
+    varName = specNameToCName(specName)
+    if mode == "tlv":
+        programNameWithOptions += " --tlv"
+        varName = "tlv_" + varName
+    elif mode == "alg":
+        programNameWithOptions += " --alg"
+        varName = "alg_" + varName
+    elif mode == "prefixdefine":
+        programNameWithOptions += " --alg"
+        varName = varName
+
+    return ("  // python %s %s %s\n" +
+            "  static const uint8_t %s[] = {\n" +
+            "    %s\n" +
+            "  };\n") % (programNameWithOptions, specName, dottedOID, varName,
+                         dottedOIDToCArray(dottedOID, mode))
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Generate code snippets to handle OIDs in C++",
+        epilog="example: python %s ecdsa-with-SHA1 1.2.840.10045.4.1"
+        % sys.argv[0])
+    group = parser.add_mutually_exclusive_group()
+    group.add_argument("--tlv", action='store_true',
+                       help="Wrap the encoded OID value with the tag and length")
+    group.add_argument("--alg", action='store_true',
+                       help="Wrap the encoded OID value in an encoded SignatureAlgorithm")
+    group.add_argument("--prefixdefine", action='store_true',
+                       help="generate a OID prefix #define")
+    parser.add_argument("name",
+                        help="The name given to the OID in the specification")
+    parser.add_argument("dottedOID", metavar="dotted-oid",
+                        help="The OID value, in dotted notation")
+
+    args = parser.parse_args()
+    if args.alg:
+        mode = 'alg'
+    elif args.tlv:
+        mode = 'tlv'
+    elif args.prefixdefine:
+        mode = 'prefixdefine'
+    else:
+        mode = 'value'
+
+    print(toCode(sys.argv[0], args.name, args.dottedOID, mode))
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 4f0ade4d0b..8a9b3b030c 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1133,3 +1133,9 @@ SEC_CreateSignatureAlgorithmParameters;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.39 { 	# NSS 3.39 release
+;+    global:
+CERT_GetCertKeyType;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index efb0827c51..49c545ecc3 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -22,9 +22,9 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.38" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.41" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
-#define NSS_VMINOR 38
+#define NSS_VMINOR 41
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
 #define NSS_BETA PR_FALSE
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index 5d62d479cd..9b60127715 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -12,7 +12,7 @@
 #include "prprf.h"
 #include "prmem.h"
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secmod.h"
 #include "secoid.h"
 #include "nss.h"
@@ -54,7 +54,7 @@ nss_mktemp(char *path)
 
 #define NSS_MAX_FLAG_SIZE sizeof("readOnly") + sizeof("noCertDB") +                                  \
                               sizeof("noModDB") + sizeof("forceOpen") + sizeof("passwordRequired") + \
-                              sizeof("optimizeSpace")
+                              sizeof("optimizeSpace") + sizeof("printPolicyFeedback")
 #define NSS_DEFAULT_MOD_NAME "NSS Internal Module"
 
 static char *
@@ -702,6 +702,30 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
         if (SECOID_Init() != SECSuccess) {
             goto loser;
         }
+#ifdef POLICY_FILE
+        /* Load the system crypto policy file if it exists,
+         * unless the NSS_IGNORE_SYSTEM_POLICY environment
+         * variable has been set to 1. */
+        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+                SECMODModule *module = SECMOD_LoadModule(
+                    "name=\"Policy File\" "
+                    "parameters=\"configdir='sql:" POLICY_PATH "' "
+                    "secmod='" POLICY_FILE "' "
+                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+                    parent, PR_TRUE);
+                if (module) {
+                    PRBool isLoaded = module->loaded;
+                    SECMOD_DestroyModule(module);
+                    if (!isLoaded) {
+                        goto loser;
+                    }
+                }
+            }
+        }
+#endif
         if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
             goto loser;
         }
@@ -730,30 +754,6 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
                 }
             }
         }
-#ifdef POLICY_FILE
-        /* Load the system crypto policy file if it exists,
-         * unless the NSS_IGNORE_SYSTEM_POLICY environment
-         * variable has been set to 1. */
-        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
-        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
-            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
-                SECMODModule *module = SECMOD_LoadModule(
-                    "name=\"Policy File\" "
-                    "parameters=\"configdir='sql:" POLICY_PATH "' "
-                    "secmod='" POLICY_FILE "' "
-                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
-                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
-                    parent, PR_TRUE);
-                if (module) {
-                    PRBool isLoaded = module->loaded;
-                    SECMOD_DestroyModule(module);
-                    if (!isLoaded) {
-                        goto loser;
-                    }
-                }
-            }
-        }
-#endif
         pk11sdr_Init();
         cert_CreateSubjectKeyIDHashTable();
 
diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
index 346e473a96..c6070e264d 100644
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -13,7 +13,7 @@
 #include "pkcs11t.h"
 #include "pk11func.h"
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "keyi.h"
 #include "secitem.h"
 #include "secasn1.h"
@@ -804,30 +804,12 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
     /* don't know? look it up */
     if (keyType == nullKey) {
         CK_KEY_TYPE pk11Type = CKK_RSA;
-        SECItem info;
 
         pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE);
         isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE);
         switch (pk11Type) {
             case CKK_RSA:
                 keyType = rsaKey;
-                /* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */
-                rv = PK11_ReadAttribute(slot, privID, CKA_PUBLIC_KEY_INFO, NULL, &info);
-                if (rv == SECSuccess) {
-                    CERTSubjectPublicKeyInfo *spki;
-
-                    spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&info);
-                    if (spki) {
-                        SECOidTag tag;
-
-                        tag = SECOID_GetAlgorithmTag(&spki->algorithm);
-                        if (tag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE)
-                            keyType = rsaPssKey;
-                        SECKEY_DestroySubjectPublicKeyInfo(spki);
-                    }
-                    SECITEM_FreeItem(&info, PR_FALSE);
-                }
-
                 break;
             case CKK_DSA:
                 keyType = dsaKey;
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index c1caf5e60b..8197696431 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -15,7 +15,7 @@
 #include "cert.h"
 #include "certi.h"
 #include "secitem.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secoid.h"
 #include "pkcs7t.h"
 #include "cmsreclist.h"
@@ -741,7 +741,7 @@ find_certs_from_nickname(const char *nickname, void *wincx)
     char *delimit = NULL;
     char *tokenName;
 
-    if (!strncmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
+    if (!PORT_Strncasecmp(nickname, "pkcs11:", strlen("pkcs11:"))) {
         certs = find_certs_from_uri(nickname, wincx);
         if (certs)
             return certs;
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
index 331a19c168..1f228cfaf7 100644
--- a/security/nss/lib/pk11wrap/pk11kea.c
+++ b/security/nss/lib/pk11wrap/pk11kea.c
@@ -14,7 +14,7 @@
 #include "pkcs11.h"
 #include "pk11func.h"
 #include "secitem.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "sechash.h"
 #include "cert.h"
diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c
index b97caddd44..937ac654a5 100644
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@@ -11,7 +11,7 @@
 #include "pkcs11.h"
 #include "pkcs11t.h"
 #include "pk11func.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secitem.h"
 #include "secerr.h"
 #include "sslerr.h"
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
index c165e1ef24..db60f7c9dd 100644
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -109,6 +109,7 @@ secmod_NewModule(void)
                                                  *other flags are set */
 #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
 #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
 
 /* private flags for internal (field in SECMODModule). */
 /* The meaing of these flags is as follows:
@@ -193,7 +194,7 @@ typedef struct {
  *  This table should be merged with the SECOID table.
  */
 #define CIPHER_NAME(x) x, (sizeof(x) - 1)
-static const oidValDef algOptList[] = {
+static const oidValDef curveOptList[] = {
     /* Curves */
     { CIPHER_NAME("PRIME192V1"), SEC_OID_ANSIX962_EC_PRIME192V1,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
@@ -315,7 +316,9 @@ static const oidValDef algOptList[] = {
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
     { CIPHER_NAME("SECT571R1"), SEC_OID_SECG_EC_SECT571R1,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+};
 
+static const oidValDef hashOptList[] = {
     /* Hashes */
     { CIPHER_NAME("MD2"), SEC_OID_MD2,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
@@ -333,7 +336,9 @@ static const oidValDef algOptList[] = {
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
     { CIPHER_NAME("SHA512"), SEC_OID_SHA512,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+};
 
+static const oidValDef macOptList[] = {
     /* MACs */
     { CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL },
@@ -341,7 +346,9 @@ static const oidValDef algOptList[] = {
     { CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL },
+};
 
+static const oidValDef cipherOptList[] = {
     /* Ciphers */
     { CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL },
@@ -361,7 +368,9 @@ static const oidValDef algOptList[] = {
     { CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL },
     { CIPHER_NAME("IDEA"), SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL },
+};
 
+static const oidValDef kxOptList[] = {
     /* Key exchange */
     { CIPHER_NAME("RSA"), SEC_OID_TLS_RSA, NSS_USE_ALG_IN_SSL_KX },
     { CIPHER_NAME("RSA-EXPORT"), SEC_OID_TLS_RSA_EXPORT, NSS_USE_ALG_IN_SSL_KX },
@@ -375,6 +384,20 @@ static const oidValDef algOptList[] = {
     { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
 };
 
+typedef struct {
+    const oidValDef *list;
+    PRUint32 entries;
+    const char *description;
+} algListsDef;
+
+static const algListsDef algOptLists[] = {
+    { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC" },
+    { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH" },
+    { macOptList, PR_ARRAY_SIZE(macOptList), "MAC" },
+    { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER" },
+    { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX" },
+};
+
 static const optionFreeDef sslOptList[] = {
     /* Versions */
     { CIPHER_NAME("SSL2.0"), 0x002 },
@@ -401,7 +424,7 @@ static const optionFreeDef freeOptList[] = {
     { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
     /* constraints on DTLS Protocols */
     { CIPHER_NAME("DTLS-VERSION-MIN"), NSS_DTLS_VERSION_MIN_POLICY },
-    { CIPHER_NAME("DTLS-VERSION-MAX"), NSS_DTLS_VERSION_MIN_POLICY }
+    { CIPHER_NAME("DTLS-VERSION-MAX"), NSS_DTLS_VERSION_MAX_POLICY }
 };
 
 static const policyFlagDef policyFlagList[] = {
@@ -446,7 +469,8 @@ secmod_ArgGetSubValue(const char *cipher, char sep1, char sep2,
 }
 
 static PRUint32
-secmod_parsePolicyValue(const char *policyFlags, int policyLength)
+secmod_parsePolicyValue(const char *policyFlags, int policyLength,
+                        PRBool printPolicyFeedback)
 {
     const char *flag, *currentString;
     PRUint32 flags = 0;
@@ -455,6 +479,7 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength)
     for (currentString = policyFlags; currentString &&
                                       currentString < policyFlags + policyLength;) {
         int length;
+        PRBool unknown = PR_TRUE;
         flag = secmod_ArgGetSubValue(currentString, ',', ':', &length,
                                      &currentString);
         if (length == 0) {
@@ -466,41 +491,49 @@ secmod_parsePolicyValue(const char *policyFlags, int policyLength)
             if ((policy->name_size == length) &&
                 PORT_Strncasecmp(policy->name, flag, name_size) == 0) {
                 flags |= policy->flag;
+                unknown = PR_FALSE;
                 break;
             }
         }
+        if (unknown && printPolicyFeedback) {
+            PR_SetEnv("NSS_POLICY_FAIL=1");
+            fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n",
+                    policyLength, policyFlags, length, flag);
+        }
     }
     return flags;
 }
 
 /* allow symbolic names for values. The only ones currently defines or
  * SSL protocol versions. */
-static PRInt32
-secmod_getPolicyOptValue(const char *policyValue, int policyValueLength)
+static SECStatus
+secmod_getPolicyOptValue(const char *policyValue, int policyValueLength,
+                         PRInt32 *result)
 {
     PRInt32 val = atoi(policyValue);
     int i;
 
     if ((val != 0) || (*policyValue == '0')) {
-        return val;
+        *result = val;
+        return SECSuccess;
     }
     for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
         if (policyValueLength == sslOptList[i].name_size &&
             PORT_Strncasecmp(sslOptList[i].name, policyValue,
                              sslOptList[i].name_size) == 0) {
-            val = sslOptList[i].option;
-            break;
+            *result = sslOptList[i].option;
+            return SECSuccess;
         }
     }
-    return val;
+    return SECFailure;
 }
 
 static SECStatus
-secmod_applyCryptoPolicy(const char *policyString,
-                         PRBool allow)
+secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
+                         PRBool printPolicyFeedback)
 {
     const char *cipher, *currentString;
-    unsigned i;
+    unsigned i, j;
     SECStatus rv = SECSuccess;
     PRBool unknown;
 
@@ -525,56 +558,63 @@ secmod_applyCryptoPolicy(const char *policyString,
             /* disable or enable all options by default */
             PRUint32 value = 0;
             if (newValue) {
-                value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1);
+                value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1, printPolicyFeedback);
             }
-            for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
-                PRUint32 enable, disable;
-                if (!newValue) {
-                    value = algOptList[i].val;
-                }
-                if (allow) {
-                    enable = value;
-                    disable = 0;
-                } else {
-                    enable = 0;
-                    disable = value;
+            for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+                const algListsDef *algOptList = &algOptLists[i];
+                for (j = 0; j < algOptList->entries; j++) {
+                    PRUint32 enable, disable;
+                    if (!newValue) {
+                        value = algOptList->list[j].val;
+                    }
+                    if (allow) {
+                        enable = value;
+                        disable = 0;
+                    } else {
+                        enable = 0;
+                        disable = value;
+                    }
+                    NSS_SetAlgorithmPolicy(algOptList->list[j].oid, enable, disable);
                 }
-                NSS_SetAlgorithmPolicy(algOptList[i].oid, enable, disable);
             }
             continue;
         }
 
-        for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
-            const oidValDef *algOpt = &algOptList[i];
-            unsigned name_size = algOpt->name_size;
-            PRBool newOption = PR_FALSE;
+        for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+            const algListsDef *algOptList = &algOptLists[i];
+            for (j = 0; j < algOptList->entries; j++) {
+                const oidValDef *algOpt = &algOptList->list[j];
+                unsigned name_size = algOpt->name_size;
+                PRBool newOption = PR_FALSE;
 
-            if ((length >= name_size) && (cipher[name_size] == '/')) {
-                newOption = PR_TRUE;
-            }
-            if ((newOption || algOpt->name_size == length) &&
-                PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
-                PRUint32 value = algOpt->val;
-                PRUint32 enable, disable;
-                if (newOption) {
-                    value = secmod_parsePolicyValue(&cipher[name_size] + 1,
-                                                    length - name_size - 1);
+                if ((length >= name_size) && (cipher[name_size] == '/')) {
+                    newOption = PR_TRUE;
                 }
-                if (allow) {
-                    enable = value;
-                    disable = 0;
-                } else {
-                    enable = 0;
-                    disable = value;
-                }
-                rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
-                if (rv != SECSuccess) {
-                    /* could not enable option */
-                    /* NSS_SetAlgorithPolicy should have set the error code */
-                    return SECFailure;
+                if ((newOption || algOpt->name_size == length) &&
+                    PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
+                    PRUint32 value = algOpt->val;
+                    PRUint32 enable, disable;
+                    if (newOption) {
+                        value = secmod_parsePolicyValue(&cipher[name_size] + 1,
+                                                        length - name_size - 1,
+                                                        printPolicyFeedback);
+                    }
+                    if (allow) {
+                        enable = value;
+                        disable = 0;
+                    } else {
+                        enable = 0;
+                        disable = value;
+                    }
+                    rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
+                    if (rv != SECSuccess) {
+                        /* could not enable option */
+                        /* NSS_SetAlgorithPolicy should have set the error code */
+                        return SECFailure;
+                    }
+                    unknown = PR_FALSE;
+                    break;
                 }
-                unknown = PR_FALSE;
-                break;
             }
         }
         if (!unknown) {
@@ -587,9 +627,19 @@ secmod_applyCryptoPolicy(const char *policyString,
 
             if ((length > name_size) && cipher[name_size] == '=' &&
                 PORT_Strncasecmp(freeOpt->name, cipher, name_size) == 0) {
-                PRInt32 val = secmod_getPolicyOptValue(&cipher[name_size + 1],
-                                                       length - name_size - 1);
-
+                PRInt32 val;
+                const char *policyValue = &cipher[name_size + 1];
+                int policyValueLength = length - name_size - 1;
+                rv = secmod_getPolicyOptValue(policyValue, policyValueLength,
+                                              &val);
+                if (rv != SECSuccess) {
+                    if (printPolicyFeedback) {
+                        PR_SetEnv("NSS_POLICY_FAIL=1");
+                        fprintf(stderr, "NSS-POLICY-FAIL %.*s: unknown value: %.*s\n",
+                                length, cipher, policyValueLength, policyValue);
+                    }
+                    return SECFailure;
+                }
                 rv = NSS_OptionSet(freeOpt->option, val);
                 if (rv != SECSuccess) {
                     /* could not enable option */
@@ -602,12 +652,83 @@ secmod_applyCryptoPolicy(const char *policyString,
                 break;
             }
         }
+
+        if (unknown && printPolicyFeedback) {
+            PR_SetEnv("NSS_POLICY_FAIL=1");
+            fprintf(stderr, "NSS-POLICY-FAIL %s: unknown identifier: %.*s\n",
+                    allow ? "allow" : "disallow", length, cipher);
+        }
     }
     return rv;
 }
 
+static void
+secmod_sanityCheckCryptoPolicy(void)
+{
+    unsigned i, j;
+    SECStatus rv = SECSuccess;
+    unsigned num_kx_enabled = 0;
+    unsigned num_ssl_enabled = 0;
+    unsigned num_sig_enabled = 0;
+    unsigned enabledCount[PR_ARRAY_SIZE(algOptLists)];
+    const char *sWarn = "WARN";
+    const char *sInfo = "INFO";
+    PRBool haveWarning = PR_FALSE;
+
+    for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+        const algListsDef *algOptList = &algOptLists[i];
+        enabledCount[i] = 0;
+        for (j = 0; j < algOptList->entries; j++) {
+            const oidValDef *algOpt = &algOptList->list[j];
+            PRUint32 value;
+            PRBool anyEnabled = PR_FALSE;
+            rv = NSS_GetAlgorithmPolicy(algOpt->oid, &value);
+            if (rv != SECSuccess) {
+                PR_SetEnv("NSS_POLICY_FAIL=1");
+                fprintf(stderr, "NSS-POLICY-FAIL: internal failure with NSS_GetAlgorithmPolicy at %u\n", i);
+                return;
+            }
+
+            if ((algOpt->val & NSS_USE_ALG_IN_SSL_KX) && (value & NSS_USE_ALG_IN_SSL_KX)) {
+                ++num_kx_enabled;
+                anyEnabled = PR_TRUE;
+                fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for KX\n", algOpt->name);
+            }
+            if ((algOpt->val & NSS_USE_ALG_IN_SSL) && (value & NSS_USE_ALG_IN_SSL)) {
+                ++num_ssl_enabled;
+                anyEnabled = PR_TRUE;
+                fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for SSL\n", algOpt->name);
+            }
+            if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) && (value & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+                ++num_sig_enabled;
+                anyEnabled = PR_TRUE;
+                fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for CERT-SIGNATURE\n", algOpt->name);
+            }
+            if (anyEnabled) {
+                ++enabledCount[i];
+            }
+        }
+    }
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG-KX: %u\n", num_kx_enabled ? sInfo : sWarn, num_kx_enabled);
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-SSL-ALG: %u\n", num_ssl_enabled ? sInfo : sWarn, num_ssl_enabled);
+    fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-CERT-SIG: %u\n", num_sig_enabled ? sInfo : sWarn, num_sig_enabled);
+    if (!num_kx_enabled || !num_ssl_enabled || !num_sig_enabled) {
+        haveWarning = PR_TRUE;
+    }
+    for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+        const algListsDef *algOptList = &algOptLists[i];
+        fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", enabledCount[i] ? sInfo : sWarn, algOptList->description, enabledCount[i]);
+        if (!enabledCount[i]) {
+            haveWarning = PR_TRUE;
+        }
+    }
+    if (haveWarning) {
+        PR_SetEnv("NSS_POLICY_WARN=1");
+    }
+}
+
 static SECStatus
-secmod_parseCryptoPolicy(const char *policyConfig)
+secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback)
 {
     char *disallow, *allow;
     SECStatus rv;
@@ -622,16 +743,26 @@ secmod_parseCryptoPolicy(const char *policyConfig)
         return rv;
     }
     disallow = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
-    rv = secmod_applyCryptoPolicy(disallow, PR_FALSE);
+    rv = secmod_applyCryptoPolicy(disallow, PR_FALSE, printPolicyFeedback);
     if (disallow)
         PORT_Free(disallow);
     if (rv != SECSuccess) {
         return rv;
     }
     allow = NSSUTIL_ArgGetParamValue("allow", policyConfig);
-    rv = secmod_applyCryptoPolicy(allow, PR_TRUE);
+    rv = secmod_applyCryptoPolicy(allow, PR_TRUE, printPolicyFeedback);
     if (allow)
         PORT_Free(allow);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    if (printPolicyFeedback) {
+        /* This helps to distinguish configurations that don't contain any
+         * policy config= statement. */
+        PR_SetEnv("NSS_POLICY_LOADED=1");
+        fprintf(stderr, "NSS-POLICY-INFO: LOADED-SUCCESSFULLY\n");
+        secmod_sanityCheckCryptoPolicy();
+    }
     return rv;
 }
 
@@ -648,11 +779,16 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
     char *slotParams, *ciphers;
     /* pk11pars.h still does not have const char * interfaces */
     char *nssc = (char *)nss;
+    PRBool printPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nssc);
 
-    rv = secmod_parseCryptoPolicy(config);
+    rv = secmod_parseCryptoPolicy(config, printPolicyFeedback);
 
     /* do not load the module if policy parsing fails */
     if (rv != SECSuccess) {
+        if (printPolicyFeedback) {
+            PR_SetEnv("NSS_POLICY_FAIL=1");
+            fprintf(stderr, "NSS-POLICY-FAIL: policy config parsing failed, not loading module %s\n", moduleName);
+        }
         return NULL;
     }
 
@@ -703,6 +839,9 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName,
         if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
             flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
         }
+        if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
+            flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
+        }
         /* additional moduleDB flags could be added here in the future */
         mod->isModuleDB = (PRBool)flags;
     }
@@ -743,6 +882,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
 }
 
 PRBool
+secmod_PolicyOnly(SECMODModule *mod)
+{
+    char flags = (char)mod->isModuleDB;
+
+    return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
+}
+
+PRBool
 secmod_IsInternalKeySlot(SECMODModule *mod)
 {
     char flags = (char)mod->internal;
@@ -1635,6 +1782,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
     SECMODModule *module = NULL;
     SECMODModule *oldModule = NULL;
     SECStatus rv;
+    PRBool forwardPolicyFeedback = PR_FALSE;
 
     /* initialize the underlying module structures */
     SECMOD_Init();
@@ -1647,6 +1795,7 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
     }
 
     module = SECMOD_CreateModuleEx(library, moduleName, parameters, nss, config);
+    forwardPolicyFeedback = NSSUTIL_ArgHasFlag("flags", "printPolicyFeedback", nss);
     if (library)
         PORT_Free(library);
     if (moduleName)
@@ -1660,6 +1809,12 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
     if (!module) {
         goto loser;
     }
+
+    /* a policy only stanza doesn't actually get 'loaded'. policy has already
+     * been parsed as a side effect of the CreateModuleEx call */
+    if (secmod_PolicyOnly(module)) {
+        return module;
+    }
     if (parent) {
         module->parent = SECMOD_ReferenceModule(parent);
         if (module->internal && secmod_IsInternalKeySlot(parent)) {
@@ -1703,7 +1858,15 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse)
                     rv = SECFailure;
                     break;
                 }
-                child = SECMOD_LoadModule(*index, module, PR_TRUE);
+                if (!forwardPolicyFeedback) {
+                    child = SECMOD_LoadModule(*index, module, PR_TRUE);
+                } else {
+                    /* Add printPolicyFeedback to the nss flags */
+                    char *specWithForwards =
+                        NSSUTIL_AddNSSFlagToModuleSpec(*index, "printPolicyFeedback");
+                    child = SECMOD_LoadModule(specWithForwards, module, PR_TRUE);
+                    PORT_Free(specWithForwards);
+                }
                 if (!child)
                     break;
                 if (child->isCritical && !child->loaded) {
diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c
index 5f68f399e5..4b6645578d 100644
--- a/security/nss/lib/pk11wrap/pk11pbe.c
+++ b/security/nss/lib/pk11wrap/pk11pbe.c
@@ -23,7 +23,7 @@
 #include "pkcs11.h"
 #include "pk11func.h"
 #include "secitem.h"
-#include "key.h"
+#include "keyhi.h"
 
 typedef struct SEC_PKCS5PBEParameterStr SEC_PKCS5PBEParameter;
 struct SEC_PKCS5PBEParameterStr {
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
index 035143af80..47b6702c6d 100644
--- a/security/nss/lib/pk11wrap/pk11pk12.c
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -14,7 +14,7 @@
 #include "pkcs11.h"
 #include "pk11func.h"
 #include "secitem.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secoid.h"
 #include "secasn1.h"
 #include "secerr.h"
diff --git a/security/nss/lib/pk11wrap/pk11priv.h b/security/nss/lib/pk11wrap/pk11priv.h
index 9281923fac..8848c81eca 100644
--- a/security/nss/lib/pk11wrap/pk11priv.h
+++ b/security/nss/lib/pk11wrap/pk11priv.h
@@ -7,7 +7,7 @@
 #include "seccomon.h"
 #include "secoidt.h"
 #include "secdert.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 #include "pkcs11t.h"
 #include "secmodt.h"
diff --git a/security/nss/lib/pk11wrap/pk11pub.h b/security/nss/lib/pk11wrap/pk11pub.h
index dbd8da0923..8db969e4cf 100644
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -7,7 +7,7 @@
 #include "seccomon.h"
 #include "secoidt.h"
 #include "secdert.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "certt.h"
 #include "pkcs11t.h"
 #include "secmodt.h"
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
index c39abe17e6..ebe54d4956 100644
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -607,12 +607,32 @@ PK11_FindSlotsByNames(const char *dllName, const char *slotName,
     return slotList;
 }
 
-PK11SlotInfo *
-PK11_FindSlotByName(const char *name)
+typedef PRBool (*PK11SlotMatchFunc)(PK11SlotInfo *slot, const void *arg);
+
+static PRBool
+pk11_MatchSlotByTokenName(PK11SlotInfo *slot, const void *arg)
+{
+    return PORT_Strcmp(slot->token_name, arg) == 0;
+}
+
+static PRBool
+pk11_MatchSlotBySerial(PK11SlotInfo *slot, const void *arg)
 {
+    return PORT_Memcmp(slot->serial, arg, sizeof(slot->serial)) == 0;
+}
+
+static PRBool
+pk11_MatchSlotByTokenURI(PK11SlotInfo *slot, const void *arg)
+{
+    return pk11_MatchUriTokenInfo(slot, (PK11URI *)arg);
+}
+
+static PK11SlotInfo *
+pk11_FindSlot(const void *arg, PK11SlotMatchFunc func)
+{
+    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
     SECMODModuleList *mlp;
     SECMODModuleList *modules;
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
     int i;
     PK11SlotInfo *slot = NULL;
 
@@ -620,10 +640,6 @@ PK11_FindSlotByName(const char *name)
         PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
         return slot;
     }
-    if ((name == NULL) || (*name == 0)) {
-        return PK11_GetInternalKeySlot();
-    }
-
     /* work through all the slots */
     SECMOD_GetReadLock(moduleLock);
     modules = SECMOD_GetDefaultModuleList();
@@ -631,7 +647,7 @@ PK11_FindSlotByName(const char *name)
         for (i = 0; i < mlp->module->slotCount; i++) {
             PK11SlotInfo *tmpSlot = mlp->module->slots[i];
             if (PK11_IsPresent(tmpSlot)) {
-                if (PORT_Strcmp(tmpSlot->token_name, name) == 0) {
+                if (func(tmpSlot, arg)) {
                     slot = PK11_ReferenceSlot(tmpSlot);
                     break;
                 }
@@ -649,43 +665,41 @@ PK11_FindSlotByName(const char *name)
     return slot;
 }
 
-PK11SlotInfo *
-PK11_FindSlotBySerial(char *serial)
+static PK11SlotInfo *
+pk11_FindSlotByTokenURI(const char *uriString)
 {
-    SECMODModuleList *mlp;
-    SECMODModuleList *modules;
-    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
-    int i;
     PK11SlotInfo *slot = NULL;
+    PK11URI *uri;
 
-    if (!moduleLock) {
-        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
+    uri = PK11URI_ParseURI(uriString);
+    if (!uri) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return slot;
     }
-    /* work through all the slots */
-    SECMOD_GetReadLock(moduleLock);
-    modules = SECMOD_GetDefaultModuleList();
-    for (mlp = modules; mlp != NULL; mlp = mlp->next) {
-        for (i = 0; i < mlp->module->slotCount; i++) {
-            PK11SlotInfo *tmpSlot = mlp->module->slots[i];
-            if (PK11_IsPresent(tmpSlot)) {
-                if (PORT_Memcmp(tmpSlot->serial, serial,
-                                sizeof(tmpSlot->serial)) == 0) {
-                    slot = PK11_ReferenceSlot(tmpSlot);
-                    break;
-                }
-            }
-        }
-        if (slot != NULL)
-            break;
+
+    slot = pk11_FindSlot(uri, pk11_MatchSlotByTokenURI);
+    PK11URI_DestroyURI(uri);
+    return slot;
+}
+
+PK11SlotInfo *
+PK11_FindSlotByName(const char *name)
+{
+    if ((name == NULL) || (*name == 0)) {
+        return PK11_GetInternalKeySlot();
     }
-    SECMOD_ReleaseReadLock(moduleLock);
 
-    if (slot == NULL) {
-        PORT_SetError(SEC_ERROR_NO_TOKEN);
+    if (!PORT_Strncasecmp(name, "pkcs11:", strlen("pkcs11:"))) {
+        return pk11_FindSlotByTokenURI(name);
     }
 
-    return slot;
+    return pk11_FindSlot(name, pk11_MatchSlotByTokenName);
+}
+
+PK11SlotInfo *
+PK11_FindSlotBySerial(char *serial)
+{
+    return pk11_FindSlot(serial, pk11_MatchSlotBySerial);
 }
 
 /*
diff --git a/security/nss/lib/pk11wrap/secmodi.h b/security/nss/lib/pk11wrap/secmodi.h
index 84f5f2a306..7ec77ced60 100644
--- a/security/nss/lib/pk11wrap/secmodi.h
+++ b/security/nss/lib/pk11wrap/secmodi.h
@@ -13,7 +13,7 @@
 #include "secdert.h"
 #include "certt.h"
 #include "secmodt.h"
-#include "keyt.h"
+#include "keythi.h"
 
 SEC_BEGIN_PROTOS
 
diff --git a/security/nss/lib/pkcs12/p12.h b/security/nss/lib/pkcs12/p12.h
index 118db6efaf..495bbf6c49 100644
--- a/security/nss/lib/pkcs12/p12.h
+++ b/security/nss/lib/pkcs12/p12.h
@@ -6,7 +6,7 @@
 #define _P12_H_
 
 #include "secoid.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secpkcs7.h"
 #include "p12t.h"
 
diff --git a/security/nss/lib/pkcs12/p12t.h b/security/nss/lib/pkcs12/p12t.h
index 62c2b502e2..b22f0dd823 100644
--- a/security/nss/lib/pkcs12/p12t.h
+++ b/security/nss/lib/pkcs12/p12t.h
@@ -6,7 +6,7 @@
 #define _P12T_H_
 
 #include "secoid.h"
-#include "key.h"
+#include "keythi.h"
 #include "pkcs11.h"
 #include "secpkcs7.h"
 #include "secdig.h" /* for SGNDigestInfo */
diff --git a/security/nss/lib/pkcs12/pkcs12t.h b/security/nss/lib/pkcs12/pkcs12t.h
index ad00d7b5b5..db10d28af7 100644
--- a/security/nss/lib/pkcs12/pkcs12t.h
+++ b/security/nss/lib/pkcs12/pkcs12t.h
@@ -8,7 +8,7 @@
 #include "seccomon.h"
 #include "secoid.h"
 #include "cert.h"
-#include "key.h"
+#include "keythi.h"
 #include "plarena.h"
 #include "secpkcs7.h"
 #include "secdig.h" /* for SGNDigestInfo */
diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c
index ba51955abf..641d201e5a 100644
--- a/security/nss/lib/pkcs7/p7decode.c
+++ b/security/nss/lib/pkcs7/p7decode.c
@@ -16,7 +16,7 @@
                     /* include should be removed! */
 /*#include "cdbhdl.h" */
 #include "cryptohi.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/pkcs7/secmime.c b/security/nss/lib/pkcs7/secmime.c
index ca1046aa51..8a4afe45b7 100644
--- a/security/nss/lib/pkcs7/secmime.c
+++ b/security/nss/lib/pkcs7/secmime.c
@@ -14,7 +14,7 @@
 #include "secasn1.h"
 #include "secitem.h"
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secerr.h"
 
 typedef struct smime_cipher_map_struct {
diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h
index 78270bd150..4a88df1dfb 100644
--- a/security/nss/lib/pkcs7/secpkcs7.h
+++ b/security/nss/lib/pkcs7/secpkcs7.h
@@ -13,7 +13,7 @@
 
 #include "secoidt.h"
 #include "certt.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "hasht.h"
 #include "pkcs7t.h"
 
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
index 244df4879d..f4a8a39e9e 100644
--- a/security/nss/lib/smime/cms.h
+++ b/security/nss/lib/smime/cms.h
@@ -13,7 +13,7 @@
 
 #include "secoidt.h"
 #include "certt.h"
-#include "keyt.h"
+#include "keythi.h"
 #include "hasht.h"
 #include "cmst.h"
 
diff --git a/security/nss/lib/smime/cmsasn1.c b/security/nss/lib/smime/cmsasn1.c
index 15cf08fcc9..8ba95d044e 100644
--- a/security/nss/lib/smime/cmsasn1.c
+++ b/security/nss/lib/smime/cmsasn1.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsdecode.c b/security/nss/lib/smime/cmsdecode.c
index 62b4ebfe54..69965bdd7d 100644
--- a/security/nss/lib/smime/cmsdecode.c
+++ b/security/nss/lib/smime/cmsdecode.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsdigest.c b/security/nss/lib/smime/cmsdigest.c
index 64b64a0f8e..bd14740682 100644
--- a/security/nss/lib/smime/cmsdigest.c
+++ b/security/nss/lib/smime/cmsdigest.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secitem.h"
 #include "secoid.h"
 #include "pk11func.h"
diff --git a/security/nss/lib/smime/cmsencdata.c b/security/nss/lib/smime/cmsencdata.c
index c3a4549adb..d2fc3358b9 100644
--- a/security/nss/lib/smime/cmsencdata.c
+++ b/security/nss/lib/smime/cmsencdata.c
@@ -8,7 +8,7 @@
 
 #include "cmslocal.h"
 
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsencode.c b/security/nss/lib/smime/cmsencode.c
index 0d723e865f..703492b5e3 100644
--- a/security/nss/lib/smime/cmsencode.c
+++ b/security/nss/lib/smime/cmsencode.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secoid.h"
 #include "secitem.h"
diff --git a/security/nss/lib/smime/cmsenvdata.c b/security/nss/lib/smime/cmsenvdata.c
index f2c8e171dc..d5d5c41239 100644
--- a/security/nss/lib/smime/cmsenvdata.c
+++ b/security/nss/lib/smime/cmsenvdata.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmspubkey.c b/security/nss/lib/smime/cmspubkey.c
index bc3cd993e7..8f18f60de1 100644
--- a/security/nss/lib/smime/cmspubkey.c
+++ b/security/nss/lib/smime/cmspubkey.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
index 8cab288d2e..20dd698e8f 100644
--- a/security/nss/lib/smime/cmsrecinfo.c
+++ b/security/nss/lib/smime/cmsrecinfo.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsreclist.c b/security/nss/lib/smime/cmsreclist.c
index 99d7e90875..f753474073 100644
--- a/security/nss/lib/smime/cmsreclist.c
+++ b/security/nss/lib/smime/cmsreclist.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c
index ce4f87c0ae..79aaf8f0aa 100644
--- a/security/nss/lib/smime/cmssiginfo.c
+++ b/security/nss/lib/smime/cmssiginfo.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/cmsutil.c b/security/nss/lib/smime/cmsutil.c
index cd12603fa3..713b94aacb 100644
--- a/security/nss/lib/smime/cmsutil.c
+++ b/security/nss/lib/smime/cmsutil.c
@@ -9,7 +9,7 @@
 #include "cmslocal.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/smimemessage.c b/security/nss/lib/smime/smimemessage.c
index 774b9f3fd4..3073ab2457 100644
--- a/security/nss/lib/smime/smimemessage.c
+++ b/security/nss/lib/smime/smimemessage.c
@@ -10,7 +10,7 @@
 #include "smime.h"
 
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c
index 7674a65fdb..0e6bd32fdc 100644
--- a/security/nss/lib/smime/smimeutil.c
+++ b/security/nss/lib/smime/smimeutil.c
@@ -13,7 +13,7 @@
 #include "secasn1.h"
 #include "secitem.h"
 #include "cert.h"
-#include "key.h"
+#include "keyhi.h"
 #include "secerr.h"
 #include "cms.h"
 #include "nss.h"
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index 385d3c1444..7eec3d7ee8 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -3106,7 +3106,7 @@ RSA_HashCheckSign(SECOidTag digestOid, NSSLOWKEYPublicKey *key,
         digest.len = digestLen;
         rv = _SGN_VerifyPKCS1DigestInfo(
             digestOid, &digest, &pkcs1DigestInfo,
-            PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
+            PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
     }
 
     PORT_Free(pkcs1DigestInfoData);
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
index 827bf2e221..c1f63d7698 100644
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -17,9 +17,9 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.38" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.41" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 38
+#define SOFTOKEN_VMINOR 41
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
 #define SOFTOKEN_BETA PR_FALSE
diff --git a/security/nss/lib/ssl/SSLerrs.h b/security/nss/lib/ssl/SSLerrs.h
index f01d165833..9be2194949 100644
--- a/security/nss/lib/ssl/SSLerrs.h
+++ b/security/nss/lib/ssl/SSLerrs.h
@@ -552,3 +552,15 @@ ER3(SSL_ERROR_RX_MALFORMED_DTLS_ACK, (SSL_ERROR_BASE + 174),
 
 ER3(SSL_ERROR_DH_KEY_TOO_LONG, (SSL_ERROR_BASE + 175),
     "SSL received a DH key share that's too long (>8192 bit).")
+
+ER3(SSL_ERROR_RX_MALFORMED_ESNI_KEYS, (SSL_ERROR_BASE + 176),
+    "SSL received a malformed ESNI keys structure")
+
+ER3(SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, (SSL_ERROR_BASE + 177),
+    "SSL received a malformed ESNI extension")
+
+ER3(SSL_ERROR_MISSING_ESNI_EXTENSION, (SSL_ERROR_BASE + 178),
+    "SSL did not receive an ESNI extension")
+
+ER3(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE, (SSL_ERROR_BASE + 179),
+    "SSL received an unexpected record type.")
diff --git a/security/nss/lib/ssl/authcert.c b/security/nss/lib/ssl/authcert.c
index 2765c83420..d05b30a72c 100644
--- a/security/nss/lib/ssl/authcert.c
+++ b/security/nss/lib/ssl/authcert.c
@@ -13,7 +13,7 @@
 #include "cert.h"
 #include "nspr.h"
 #include "secder.h"
-#include "key.h"
+#include "keyhi.h"
 #include "nss.h"
 #include "ssl.h"
 #include "pk11func.h" /* for PK11_ function calls */
diff --git a/security/nss/lib/ssl/cmpcert.c b/security/nss/lib/ssl/cmpcert.c
index e6edbee83e..8ab4a7f8d9 100644
--- a/security/nss/lib/ssl/cmpcert.c
+++ b/security/nss/lib/ssl/cmpcert.c
@@ -13,7 +13,7 @@
 #include "cert.h"
 #include "nspr.h"
 #include "secder.h"
-#include "key.h"
+#include "keyhi.h"
 #include "nss.h"
 
 /*
@@ -27,13 +27,9 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
     SECItem *caname;
     CERTCertificate *curcert;
     CERTCertificate *oldcert;
-    PRInt32 contentlen;
     int j;
-    int headerlen;
     int depth;
-    SECStatus rv;
     SECItem issuerName;
-    SECItem compatIssuerName;
 
     if (!cert || !caNames || !caNames->nnames || !caNames->names ||
         !caNames->names->data)
@@ -44,29 +40,11 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
     while (curcert) {
         issuerName = curcert->derIssuer;
 
-        /* compute an alternate issuer name for compatibility with 2.0
-         * enterprise server, which send the CA names without
-         * the outer layer of DER header
-         */
-        rv = DER_Lengths(&issuerName, &headerlen, (PRUint32 *)&contentlen);
-        if (rv == SECSuccess) {
-            compatIssuerName.data = &issuerName.data[headerlen];
-            compatIssuerName.len = issuerName.len - headerlen;
-        } else {
-            compatIssuerName.data = NULL;
-            compatIssuerName.len = 0;
-        }
-
         for (j = 0; j < caNames->nnames; j++) {
             caname = &caNames->names[j];
             if (SECITEM_CompareItem(&issuerName, caname) == SECEqual) {
-                rv = SECSuccess;
                 CERT_DestroyCertificate(curcert);
-                goto done;
-            } else if (SECITEM_CompareItem(&compatIssuerName, caname) == SECEqual) {
-                rv = SECSuccess;
-                CERT_DestroyCertificate(curcert);
-                goto done;
+                return SECSuccess;
             }
         }
         if ((depth <= 20) &&
@@ -82,8 +60,5 @@ NSS_CmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames)
             curcert = NULL;
         }
     }
-    rv = SECFailure;
-
-done:
-    return rv;
+    return SECFailure;
 }
diff --git a/security/nss/lib/ssl/config.mk b/security/nss/lib/ssl/config.mk
index d13613f78c..b901a8830d 100644
--- a/security/nss/lib/ssl/config.mk
+++ b/security/nss/lib/ssl/config.mk
@@ -60,3 +60,7 @@ endif
 ifdef NSS_DISABLE_TLS_1_3
 DEFINES += -DNSS_DISABLE_TLS_1_3
 endif
+
+ifeq (,$(filter-out DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
+CFLAGS += -std=gnu99
+endif
diff --git a/security/nss/lib/ssl/dtls13con.c b/security/nss/lib/ssl/dtls13con.c
index de6cb47ca2..81d196deee 100644
--- a/security/nss/lib/ssl/dtls13con.c
+++ b/security/nss/lib/ssl/dtls13con.c
@@ -32,7 +32,7 @@ dtls13_InsertCipherTextHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
         return sslBuffer_AppendNumber(wrBuf, seq, 2);
     }
 
-    rv = sslBuffer_AppendNumber(wrBuf, content_application_data, 1);
+    rv = sslBuffer_AppendNumber(wrBuf, ssl_ct_application_data, 1);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -147,7 +147,7 @@ dtls13_SendAck(sslSocket *ss)
     }
 
     ssl_GetXmitBufLock(ss);
-    sent = ssl3_SendRecord(ss, NULL, content_ack,
+    sent = ssl3_SendRecord(ss, NULL, ssl_ct_ack,
                            buf.buf, buf.len, 0);
     ssl_ReleaseXmitBufLock(ss);
     if (sent != buf.len) {
@@ -343,7 +343,7 @@ dtls13_SetupAcks(sslSocket *ss)
  */
 SECStatus
 dtls13_HandleOutOfEpochRecord(sslSocket *ss, const ssl3CipherSpec *spec,
-                              SSL3ContentType rType,
+                              SSLContentType rType,
                               sslBuffer *databuf)
 {
     SECStatus rv;
@@ -360,7 +360,7 @@ dtls13_HandleOutOfEpochRecord(sslSocket *ss, const ssl3CipherSpec *spec,
     SSL_TRC(10, ("%d: DTLS13[%d]: handle out of epoch record: type=%d", SSL_GETPID(),
                  ss->fd, rType));
 
-    if (rType == content_ack) {
+    if (rType == ssl_ct_ack) {
         ssl_GetSSL3HandshakeLock(ss);
         rv = dtls13_HandleAck(ss, &buf);
         ssl_ReleaseSSL3HandshakeLock(ss);
@@ -380,7 +380,7 @@ dtls13_HandleOutOfEpochRecord(sslSocket *ss, const ssl3CipherSpec *spec,
              * retransmitted Finished (e.g., because our ACK got lost.)
              * We just retransmit the previous Finished to let the client
              * complete. */
-            if (rType == content_handshake) {
+            if (rType == ssl_ct_handshake) {
                 if ((ss->sec.isServer) &&
                     (ss->ssl3.hs.ws == idle_handshake)) {
                     PORT_Assert(dtls_TimerActive(ss, ss->ssl3.hs.hdTimer));
diff --git a/security/nss/lib/ssl/dtls13con.h b/security/nss/lib/ssl/dtls13con.h
index ca48ef3638..ce92a8a55b 100644
--- a/security/nss/lib/ssl/dtls13con.h
+++ b/security/nss/lib/ssl/dtls13con.h
@@ -21,7 +21,7 @@ PRBool dtls_NextUnackedRange(sslSocket *ss, PRUint16 msgSeq, PRUint32 offset,
                              PRUint32 len, PRUint32 *startOut, PRUint32 *endOut);
 SECStatus dtls13_SetupAcks(sslSocket *ss);
 SECStatus dtls13_HandleOutOfEpochRecord(sslSocket *ss, const ssl3CipherSpec *spec,
-                                        SSL3ContentType rType,
+                                        SSLContentType rType,
                                         sslBuffer *databuf);
 SECStatus dtls13_HandleAck(sslSocket *ss, sslBuffer *databuf);
 
diff --git a/security/nss/lib/ssl/dtlscon.c b/security/nss/lib/ssl/dtlscon.c
index a82295c668..a5c604bca3 100644
--- a/security/nss/lib/ssl/dtlscon.c
+++ b/security/nss/lib/ssl/dtlscon.c
@@ -120,7 +120,7 @@ ssl3_DisableNonDTLSSuites(sslSocket *ss)
  * Called from dtls_QueueMessage()
  */
 static DTLSQueuedMessage *
-dtls_AllocQueuedMessage(ssl3CipherSpec *cwSpec, SSL3ContentType type,
+dtls_AllocQueuedMessage(ssl3CipherSpec *cwSpec, SSLContentType ct,
                         const unsigned char *data, PRUint32 len)
 {
     DTLSQueuedMessage *msg;
@@ -138,7 +138,7 @@ dtls_AllocQueuedMessage(ssl3CipherSpec *cwSpec, SSL3ContentType type,
 
     msg->len = len;
     msg->cwSpec = cwSpec;
-    msg->type = type;
+    msg->type = ct;
     /* Safe if we are < 1.3, since the refct is
      * already very high. */
     ssl_CipherSpecAddRef(cwSpec);
@@ -517,7 +517,7 @@ loser:
  *              ssl3_SendChangeCipherSpecs()
  */
 SECStatus
-dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
+dtls_QueueMessage(sslSocket *ss, SSLContentType ct,
                   const PRUint8 *pIn, PRInt32 nIn)
 {
     SECStatus rv = SECSuccess;
@@ -528,7 +528,7 @@ dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 
     spec = ss->ssl3.cwSpec;
-    msg = dtls_AllocQueuedMessage(spec, type, pIn, nIn);
+    msg = dtls_AllocQueuedMessage(spec, ct, pIn, nIn);
 
     if (!msg) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
@@ -562,7 +562,7 @@ dtls_StageHandshakeMessage(sslSocket *ss)
     if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
         return rv;
 
-    rv = dtls_QueueMessage(ss, content_handshake,
+    rv = dtls_QueueMessage(ss, ssl_ct_handshake,
                            ss->sec.ci.sendBuf.buf, ss->sec.ci.sendBuf.len);
 
     /* Whether we succeeded or failed, toss the old handshake data. */
@@ -696,7 +696,7 @@ dtls_FragmentHandshake(sslSocket *ss, DTLSQueuedMessage *msg)
     PORT_Assert(msg->len >= DTLS_HS_HDR_LEN);
 
     /* DTLS only supports fragmenting handshaking messages. */
-    PORT_Assert(msg->type == content_handshake);
+    PORT_Assert(msg->type == ssl_ct_handshake);
 
     msgSeq = (msg->data[4] << 8) | msg->data[5];
 
@@ -848,7 +848,7 @@ dtls_TransmitMessageFlight(sslSocket *ss)
          * be quite fragmented.  Adding an extra flush here would push new
          * messages into new records and reduce fragmentation. */
 
-        if (msg->type == content_handshake) {
+        if (msg->type == ssl_ct_handshake) {
             rv = dtls_FragmentHandshake(ss, msg);
         } else {
             PORT_Assert(!tls13_MaybeTls13(ss));
@@ -1327,9 +1327,9 @@ dtls_IsLongHeader(SSL3ProtocolVersion version, PRUint8 firstOctet)
 {
 #ifndef UNSAFE_FUZZER_MODE
     return version < SSL_LIBRARY_VERSION_TLS_1_3 ||
-           firstOctet == content_handshake ||
-           firstOctet == content_ack ||
-           firstOctet == content_alert;
+           firstOctet == ssl_ct_handshake ||
+           firstOctet == ssl_ct_ack ||
+           firstOctet == ssl_ct_alert;
 #else
     return PR_TRUE;
 #endif
@@ -1359,7 +1359,7 @@ dtls_ReadEpoch(const ssl3CipherSpec *crSpec, const PRUint8 *hdr)
     }
 
     /* dtls_GatherData should ensure that this works. */
-    PORT_Assert(hdr[0] == content_application_data);
+    PORT_Assert(hdr[0] == ssl_ct_application_data);
 
     /* This uses the same method as is used to recover the sequence number in
      * dtls_ReadSequenceNumber, except that the maximum value is set to the
diff --git a/security/nss/lib/ssl/dtlscon.h b/security/nss/lib/ssl/dtlscon.h
index 45fc069b97..4ede3c2ca9 100644
--- a/security/nss/lib/ssl/dtlscon.h
+++ b/security/nss/lib/ssl/dtlscon.h
@@ -23,7 +23,7 @@ extern SECStatus dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch,
 extern SECStatus dtls_HandleHelloVerifyRequest(sslSocket *ss,
                                                PRUint8 *b, PRUint32 length);
 extern SECStatus dtls_StageHandshakeMessage(sslSocket *ss);
-extern SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,
+extern SECStatus dtls_QueueMessage(sslSocket *ss, SSLContentType type,
                                    const PRUint8 *pIn, PRInt32 nIn);
 extern SECStatus dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
 SECStatus ssl3_DisableNonDTLSSuites(sslSocket *ss);
diff --git a/security/nss/lib/ssl/manifest.mn b/security/nss/lib/ssl/manifest.mn
index ca9b9ee7bd..fe9470bd01 100644
--- a/security/nss/lib/ssl/manifest.mn
+++ b/security/nss/lib/ssl/manifest.mn
@@ -1,4 +1,3 @@
-#
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
@@ -56,6 +55,7 @@ CSRCS = \
         tls13replay.c \
         sslcert.c \
         sslgrp.c \
+        tls13esni.c \
         $(NULL)
 
 LIBRARY_NAME = ssl
diff --git a/security/nss/lib/ssl/ssl.gyp b/security/nss/lib/ssl/ssl.gyp
index 3694ab91a5..2e28f67757 100644
--- a/security/nss/lib/ssl/ssl.gyp
+++ b/security/nss/lib/ssl/ssl.gyp
@@ -43,6 +43,7 @@
         'ssltrace.c',
         'sslver.c',
         'tls13con.c',
+        'tls13esni.c',
         'tls13exthandle.c',
         'tls13hashstate.c',
         'tls13hkdf.c',
@@ -67,6 +68,11 @@
             'UNSAFE_FUZZER_MODE',
           ],
         }],
+        [ 'OS=="dragonfly" or OS=="freebsd" or OS=="netbsd" or OS=="openbsd" or OS=="linux"', {
+          'cflags': [
+            '-std=gnu99',
+          ],
+        }],
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index ecc4f95066..fc4a4a70cb 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -13,7 +13,7 @@
 #include "prio.h"
 #include "seccomon.h"
 #include "cert.h"
-#include "keyt.h"
+#include "keythi.h"
 
 #include "sslt.h" /* public ssl data types */
 
@@ -282,6 +282,23 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
  */
 #define SSL_ENABLE_DTLS_SHORT_HEADER 36
 
+/*
+ * Enables the processing of the downgrade sentinel that can be added to the
+ * ServerHello.random by a server that supports Section 4.1.3 of TLS 1.3
+ * [RFC8446].  This sentinel will always be generated by a server that
+ * negotiates a version lower than its maximum, this only controls whether a
+ * client will treat receipt of a value that indicates a downgrade as an error.
+ */
+#define SSL_ENABLE_HELLO_DOWNGRADE_CHECK 37
+
+/* Enables the SSLv2-compatible ClientHello for servers. NSS does not support
+ * SSLv2 and will never send an SSLv2-compatible ClientHello as a client.  An
+ * NSS server with this option enabled will accept a ClientHello that is
+ * v2-compatible as defined in Appendix E.1 of RFC 6101.
+ *
+ * This is disabled by default and will be removed in a future version. */
+#define SSL_ENABLE_V2_COMPATIBLE_HELLO 38
+
 #ifdef SSL_DEPRECATED_FUNCTION
 /* Old deprecated function names */
 SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRIntn on);
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 466fc296ff..3b5c69b114 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -93,8 +93,8 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
     * bug 946147.
     */
@@ -114,7 +114,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
@@ -143,7 +143,7 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
 
  /* RSA */
  { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
- { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_GCM_SHA384,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
@@ -501,19 +501,19 @@ ssl3_DecodeContentType(int msgType)
     static char line[40];
 
     switch (msgType) {
-        case content_change_cipher_spec:
+        case ssl_ct_change_cipher_spec:
             rv = "change_cipher_spec (20)";
             break;
-        case content_alert:
+        case ssl_ct_alert:
             rv = "alert      (21)";
             break;
-        case content_handshake:
+        case ssl_ct_handshake:
             rv = "handshake  (22)";
             break;
-        case content_application_data:
+        case ssl_ct_application_data:
             rv = "application_data (23)";
             break;
-        case content_ack:
+        case ssl_ct_ack:
             rv = "ack (25)";
             break;
         default:
@@ -656,7 +656,7 @@ ssl_LookupCipherSuiteCfgMutable(ssl3CipherSuite suite,
     return NULL;
 }
 
-const static ssl3CipherSuiteCfg *
+const ssl3CipherSuiteCfg *
 ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite, const ssl3CipherSuiteCfg *suites)
 {
     return ssl_LookupCipherSuiteCfgMutable(suite,
@@ -765,6 +765,9 @@ ssl_HasCert(const sslSocket *ss, SSLAuthType authType)
         }
         return PR_TRUE;
     }
+    if (authType == ssl_auth_rsa_sign) {
+        return ssl_HasCert(ss, ssl_auth_rsa_pss);
+    }
     return PR_FALSE;
 }
 
@@ -851,9 +854,9 @@ ssl3_config_match_init(sslSocket *ss)
 /* Return PR_TRUE if suite is usable.  This if the suite is permitted by policy,
  * enabled, has a certificate (as needed), has a viable key agreement method, is
  * usable with the negotiated TLS version, and is otherwise usable. */
-static PRBool
-config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy,
-             const SSLVersionRange *vrange, const sslSocket *ss)
+PRBool
+ssl3_config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy,
+                  const SSLVersionRange *vrange, const sslSocket *ss)
 {
     const ssl3CipherSuiteDef *cipher_def;
     const ssl3KEADef *kea_def;
@@ -896,7 +899,7 @@ count_cipher_suites(sslSocket *ss, PRUint8 policy)
         return 0;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-        if (config_match(&ss->cipherSuites[i], policy, &ss->vrange, ss))
+        if (ssl3_config_match(&ss->cipherSuites[i], policy, &ss->vrange, ss))
             count++;
     }
     if (count == 0) {
@@ -1120,6 +1123,8 @@ ssl3_SignHashes(sslSocket *ss, SSL3Hashes *hash, SECKEYPrivateKey *key,
 
     if (ss->sec.isServer) {
         ss->sec.signatureScheme = ss->ssl3.hs.signatureScheme;
+        ss->sec.authType =
+            ssl_SignatureSchemeToAuthType(ss->ssl3.hs.signatureScheme);
     }
     PRINT_BUF(60, (NULL, "signed hashes", (unsigned char *)buf->data, buf->len));
 done:
@@ -1255,6 +1260,7 @@ ssl3_VerifySignedHashes(sslSocket *ss, SSLSignatureScheme scheme, SSL3Hashes *ha
     }
     if (!ss->sec.isServer) {
         ss->sec.signatureScheme = scheme;
+        ss->sec.authType = ssl_SignatureSchemeToAuthType(scheme);
     }
 
 loser:
@@ -1506,7 +1512,7 @@ loser:
 static SECStatus
 ssl3_BuildRecordPseudoHeader(DTLSEpoch epoch,
                              sslSequenceNumber seqNum,
-                             SSL3ContentType type,
+                             SSLContentType ct,
                              PRBool includesVersion,
                              SSL3ProtocolVersion version,
                              PRBool isDTLS,
@@ -1526,7 +1532,7 @@ ssl3_BuildRecordPseudoHeader(DTLSEpoch epoch,
     if (rv != SECSuccess) {
         return SECFailure;
     }
-    rv = sslBuffer_AppendNumber(buf, type, 1);
+    rv = sslBuffer_AppendNumber(buf, ct, 1);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -1994,7 +2000,7 @@ SECStatus
 ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
                       PRBool isServer,
                       PRBool isDTLS,
-                      SSL3ContentType type,
+                      SSLContentType ct,
                       const PRUint8 *pIn,
                       PRUint32 contentLen,
                       sslBuffer *wrBuf)
@@ -2041,7 +2047,7 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
     }
 
     rv = ssl3_BuildRecordPseudoHeader(
-        cwSpec->epoch, cwSpec->nextSeqNum, type,
+        cwSpec->epoch, cwSpec->nextSeqNum, ct,
         cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_0, cwSpec->recordVersion,
         isDTLS, contentLen, &pseudoHeader);
     PORT_Assert(rv == SECSuccess);
@@ -2163,7 +2169,7 @@ ssl3_MACEncryptRecord(ssl3CipherSpec *cwSpec,
 /* Note: though this can report failure, it shouldn't. */
 SECStatus
 ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
-                       SSL3ContentType contentType, sslBuffer *wrBuf,
+                       SSLContentType contentType, sslBuffer *wrBuf,
                        PRBool *needsLength)
 {
     SECStatus rv;
@@ -2175,7 +2181,7 @@ ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
             return dtls13_InsertCipherTextHeader(ss, cwSpec, wrBuf,
                                                  needsLength);
         }
-        contentType = content_application_data;
+        contentType = ssl_ct_application_data;
     }
 #endif
     rv = sslBuffer_AppendNumber(wrBuf, contentType, 1);
@@ -2202,7 +2208,7 @@ ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
 }
 
 SECStatus
-ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type,
+ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSLContentType ct,
                   const PRUint8 *pIn, PRUint32 contentLen, sslBuffer *wrBuf)
 {
     PRBool needsLength;
@@ -2222,7 +2228,7 @@ ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type,
         return SECFailure;
     }
 
-    rv = ssl_InsertRecordHeader(ss, cwSpec, type, wrBuf, &needsLength);
+    rv = ssl_InsertRecordHeader(ss, cwSpec, ct, wrBuf, &needsLength);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -2246,9 +2252,9 @@ ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type,
     }
 #else
     if (cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
-        rv = tls13_ProtectRecord(ss, cwSpec, type, pIn, contentLen, wrBuf);
+        rv = tls13_ProtectRecord(ss, cwSpec, ct, pIn, contentLen, wrBuf);
     } else {
-        rv = ssl3_MACEncryptRecord(cwSpec, ss->sec.isServer, IS_DTLS(ss), type,
+        rv = ssl3_MACEncryptRecord(cwSpec, ss->sec.isServer, IS_DTLS(ss), ct,
                                    pIn, contentLen, wrBuf);
     }
 #endif
@@ -2270,7 +2276,7 @@ ssl_ProtectRecord(sslSocket *ss, ssl3CipherSpec *cwSpec, SSL3ContentType type,
 }
 
 SECStatus
-ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSL3ContentType type,
+ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSLContentType ct,
                       const PRUint8 *pIn, unsigned int nIn,
                       unsigned int *written)
 {
@@ -2294,7 +2300,7 @@ ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSL3ContentType type,
         }
     }
 
-    rv = ssl_ProtectRecord(ss, spec, type, pIn, contentLen, wrBuf);
+    rv = ssl_ProtectRecord(ss, spec, ct, pIn, contentLen, wrBuf);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -2328,7 +2334,7 @@ ssl_ProtectNextRecord(sslSocket *ss, ssl3CipherSpec *spec, SSL3ContentType type,
 PRInt32
 ssl3_SendRecord(sslSocket *ss,
                 ssl3CipherSpec *cwSpec, /* non-NULL for DTLS retransmits */
-                SSL3ContentType type,
+                SSLContentType ct,
                 const PRUint8 *pIn, /* input buffer */
                 PRInt32 nIn,        /* bytes of input */
                 PRInt32 flags)
@@ -2339,7 +2345,7 @@ ssl3_SendRecord(sslSocket *ss,
     PRInt32 totalSent = 0;
 
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
-                SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
+                SSL_GETPID(), ss->fd, ssl3_DecodeContentType(ct),
                 nIn));
     PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
 
@@ -2349,7 +2355,7 @@ ssl3_SendRecord(sslSocket *ss,
     if (ss->ssl3.fatalAlertSent) {
         SSL_TRC(3, ("%d: SSL3[%d] Suppress write, fatal alert already sent",
                     SSL_GETPID(), ss->fd));
-        if (type != content_alert) {
+        if (ct != ssl_ct_alert) {
             /* If we are sending an alert, then we already have an
              * error, so don't overwrite. */
             PORT_SetError(SSL_ERROR_HANDSHAKE_FAILED);
@@ -2366,8 +2372,8 @@ ssl3_SendRecord(sslSocket *ss,
     if (cwSpec) {
         /* cwSpec can only be set for retransmissions of the DTLS handshake. */
         PORT_Assert(IS_DTLS(ss) &&
-                    (type == content_handshake ||
-                     type == content_change_cipher_spec));
+                    (ct == ssl_ct_handshake ||
+                     ct == ssl_ct_change_cipher_spec));
         spec = cwSpec;
     } else {
         spec = ss->ssl3.cwSpec;
@@ -2378,7 +2384,7 @@ ssl3_SendRecord(sslSocket *ss,
         PRInt32 sent;
 
         ssl_GetSpecReadLock(ss);
-        rv = ssl_ProtectNextRecord(ss, spec, type, pIn, nIn, &written);
+        rv = ssl_ProtectNextRecord(ss, spec, ct, pIn, nIn, &written);
         ssl_ReleaseSpecReadLock(ss);
         if (rv != SECSuccess) {
             goto loser;
@@ -2386,7 +2392,7 @@ ssl3_SendRecord(sslSocket *ss,
 
         PORT_Assert(written > 0);
         /* DTLS should not fragment non-application data here. */
-        if (IS_DTLS(ss) && type != content_application_data) {
+        if (IS_DTLS(ss) && ct != ssl_ct_application_data) {
             PORT_Assert(written == nIn);
         }
 
@@ -2535,7 +2541,7 @@ ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
          * Note that the 0 epoch is OK because flags will never require
          * its use, as guaranteed by the PORT_Assert above.
          */
-        sent = ssl3_SendRecord(ss, NULL, content_application_data,
+        sent = ssl3_SendRecord(ss, NULL, ssl_ct_application_data,
                                in + totalSent, toSend, flags);
         if (sent < 0) {
             if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
@@ -2618,7 +2624,7 @@ ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
-    count = ssl3_SendRecord(ss, NULL, content_handshake,
+    count = ssl3_SendRecord(ss, NULL, ssl_ct_handshake,
                             ss->sec.ci.sendBuf.buf,
                             ss->sec.ci.sendBuf.len, flags);
     if (count < 0) {
@@ -2744,7 +2750,7 @@ SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc)
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv == SECSuccess) {
         PRInt32 sent;
-        sent = ssl3_SendRecord(ss, NULL, content_alert, bytes, 2,
+        sent = ssl3_SendRecord(ss, NULL, ssl_ct_alert, bytes, 2,
                                (desc == no_certificate) ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
         rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
     }
@@ -3041,13 +3047,13 @@ ssl3_SendChangeCipherSpecsInt(sslSocket *ss)
 
     if (!IS_DTLS(ss)) {
         PRInt32 sent;
-        sent = ssl3_SendRecord(ss, NULL, content_change_cipher_spec,
+        sent = ssl3_SendRecord(ss, NULL, ssl_ct_change_cipher_spec,
                                &change, 1, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
         if (sent < 0) {
             return SECFailure; /* error code set by ssl3_SendRecord */
         }
     } else {
-        rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
+        rv = dtls_QueueMessage(ss, ssl_ct_change_cipher_spec, &change, 1);
         if (rv != SECSuccess) {
             return SECFailure;
         }
@@ -4002,8 +4008,8 @@ ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme)
     return ssl_hash_none;
 }
 
-KeyType
-ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme)
+static PRBool
+ssl_SignatureSchemeMatchesSpkiOid(SSLSignatureScheme scheme, SECOidTag spkiOid)
 {
     switch (scheme) {
         case ssl_sig_rsa_pkcs1_sha256:
@@ -4013,133 +4019,243 @@ ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme)
         case ssl_sig_rsa_pss_rsae_sha256:
         case ssl_sig_rsa_pss_rsae_sha384:
         case ssl_sig_rsa_pss_rsae_sha512:
+        case ssl_sig_rsa_pkcs1_sha1md5:
+            return (spkiOid == SEC_OID_X500_RSA_ENCRYPTION) ||
+                   (spkiOid == SEC_OID_PKCS1_RSA_ENCRYPTION);
         case ssl_sig_rsa_pss_pss_sha256:
         case ssl_sig_rsa_pss_pss_sha384:
         case ssl_sig_rsa_pss_pss_sha512:
-        case ssl_sig_rsa_pkcs1_sha1md5:
-            return rsaKey;
+            return spkiOid == SEC_OID_PKCS1_RSA_PSS_SIGNATURE;
         case ssl_sig_ecdsa_secp256r1_sha256:
         case ssl_sig_ecdsa_secp384r1_sha384:
         case ssl_sig_ecdsa_secp521r1_sha512:
         case ssl_sig_ecdsa_sha1:
-            return ecKey;
+            return spkiOid == SEC_OID_ANSIX962_EC_PUBLIC_KEY;
         case ssl_sig_dsa_sha256:
         case ssl_sig_dsa_sha384:
         case ssl_sig_dsa_sha512:
         case ssl_sig_dsa_sha1:
-            return dsaKey;
+            return spkiOid == SEC_OID_ANSIX9_DSA_SIGNATURE;
         case ssl_sig_none:
         case ssl_sig_ed25519:
         case ssl_sig_ed448:
             break;
     }
     PORT_Assert(0);
-    return nullKey;
+    return PR_FALSE;
 }
 
-static SSLNamedGroup
-ssl_NamedGroupForSignatureScheme(SSLSignatureScheme scheme)
+/* Validate that the signature scheme works for the given key type. */
+static PRBool
+ssl_SignatureSchemeValid(SSLSignatureScheme scheme, SECOidTag spkiOid,
+                         PRBool isTls13)
 {
-    switch (scheme) {
-        case ssl_sig_ecdsa_secp256r1_sha256:
-            return ssl_grp_ec_secp256r1;
-        case ssl_sig_ecdsa_secp384r1_sha384:
-            return ssl_grp_ec_secp384r1;
-        case ssl_sig_ecdsa_secp521r1_sha512:
-            return ssl_grp_ec_secp521r1;
-        default:
+    if (!ssl_IsSupportedSignatureScheme(scheme)) {
+        return PR_FALSE;
+    }
+    if (!ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
+        return PR_FALSE;
+    }
+    if (isTls13) {
+        if (ssl_SignatureSchemeToHashType(scheme) == ssl_hash_sha1) {
+            return PR_FALSE;
+        }
+        /* With TLS 1.3, EC keys should have been selected based on calling
+         * ssl_SignatureSchemeFromSpki(), reject them otherwise. */
+        return spkiOid != SEC_OID_ANSIX962_EC_PUBLIC_KEY;
+    }
+    return PR_TRUE;
+}
+
+static SECStatus
+ssl_SignatureSchemeFromPssSpki(CERTSubjectPublicKeyInfo *spki,
+                               SSLSignatureScheme *scheme)
+{
+    SECKEYRSAPSSParams pssParam = { 0 };
+    PORTCheapArenaPool arena;
+    SECStatus rv;
+
+    /* The key doesn't have parameters, boo. */
+    if (!spki->algorithm.parameters.len) {
+        *scheme = ssl_sig_none;
+        return SECSuccess;
+    }
+
+    PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
+    rv = SEC_QuickDERDecodeItem(&arena.arena, &pssParam,
+                                SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate),
+                                &spki->algorithm.parameters);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* Not having hashAlg means SHA-1 and we don't accept that. */
+    if (!pssParam.hashAlg) {
+        goto loser;
+    }
+    switch (SECOID_GetAlgorithmTag(pssParam.hashAlg)) {
+        case SEC_OID_SHA256:
+            *scheme = ssl_sig_rsa_pss_pss_sha256;
             break;
+        case SEC_OID_SHA384:
+            *scheme = ssl_sig_rsa_pss_pss_sha384;
+            break;
+        case SEC_OID_SHA512:
+            *scheme = ssl_sig_rsa_pss_pss_sha512;
+            break;
+        default:
+            goto loser;
     }
-    PORT_Assert(0);
-    return 0;
+
+    PORT_DestroyCheapArena(&arena);
+    return SECSuccess;
+
+loser:
+    PORT_DestroyCheapArena(&arena);
+    PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+    return SECFailure;
 }
 
-/* Validate that the signature scheme works for the given key.
- * If |allowSha1| is set, we allow the use of SHA-1.
- * If |matchGroup| is set, we also check that the group and hash match. */
-static PRBool
-ssl_SignatureSchemeValidForKey(PRBool allowSha1, PRBool matchGroup,
-                               KeyType keyType,
-                               const sslNamedGroupDef *ecGroup,
-                               SSLSignatureScheme scheme)
+static SECStatus
+ssl_SignatureSchemeFromEcSpki(CERTSubjectPublicKeyInfo *spki,
+                              SSLSignatureScheme *scheme)
 {
-    if (!ssl_IsSupportedSignatureScheme(scheme)) {
-        return PR_FALSE;
+    const sslNamedGroupDef *group;
+    SECKEYPublicKey *key;
+
+    key = SECKEY_ExtractPublicKey(spki);
+    if (!key) {
+        PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+        return SECFailure;
     }
-    if (keyType != ssl_SignatureSchemeToKeyType(scheme)) {
-        return PR_FALSE;
+    group = ssl_ECPubKey2NamedGroup(key);
+    SECKEY_DestroyPublicKey(key);
+    if (!group) {
+        PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+        return SECFailure;
     }
-    if (!allowSha1 && ssl_SignatureSchemeToHashType(scheme) == ssl_hash_sha1) {
-        return PR_FALSE;
+    switch (group->name) {
+        case ssl_grp_ec_secp256r1:
+            *scheme = ssl_sig_ecdsa_secp256r1_sha256;
+            return SECSuccess;
+        case ssl_grp_ec_secp384r1:
+            *scheme = ssl_sig_ecdsa_secp384r1_sha384;
+            return SECSuccess;
+        case ssl_grp_ec_secp521r1:
+            *scheme = ssl_sig_ecdsa_secp521r1_sha512;
+            return SECSuccess;
+        default:
+            break;
     }
-    if (keyType != ecKey) {
-        return PR_TRUE;
+    PORT_SetError(SSL_ERROR_BAD_CERTIFICATE);
+    return SECFailure;
+}
+
+/* Newer signature schemes are designed so that a single SPKI can be used with
+ * that scheme.  This determines that scheme from the SPKI. If the SPKI doesn't
+ * have a single scheme, |*scheme| is set to ssl_sig_none. */
+static SECStatus
+ssl_SignatureSchemeFromSpki(CERTSubjectPublicKeyInfo *spki,
+                            PRBool isTls13, SSLSignatureScheme *scheme)
+{
+    SECOidTag spkiOid = SECOID_GetAlgorithmTag(&spki->algorithm);
+
+    if (spkiOid == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+        return ssl_SignatureSchemeFromPssSpki(spki, scheme);
     }
-    if (!ecGroup) {
-        return PR_FALSE;
+
+    /* Only do this lookup for TLS 1.3, where the scheme can be determined from
+     * the SPKI alone because the ECDSA key size determines the hash. Earlier
+     * TLS versions allow the same EC key to be used with different hashes. */
+    if (isTls13 && spkiOid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+        return ssl_SignatureSchemeFromEcSpki(spki, scheme);
     }
-    /* If |allowSha1| is present and the scheme is ssl_sig_ecdsa_sha1, it's OK.
-     * This scheme isn't bound to a specific group. */
-    if (allowSha1 && (scheme == ssl_sig_ecdsa_sha1)) {
-        return PR_TRUE;
+
+    *scheme = ssl_sig_none;
+    return SECSuccess;
+}
+
+static PRBool
+ssl_SignatureSchemeEnabled(sslSocket *ss, SSLSignatureScheme scheme)
+{
+    unsigned int i;
+    for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
+        if (scheme == ss->ssl3.signatureSchemes[i]) {
+            return PR_TRUE;
+        }
     }
-    if (!matchGroup) {
-        return PR_TRUE;
+    return PR_FALSE;
+}
+
+static PRBool
+ssl_SignatureKeyMatchesSpkiOid(const ssl3KEADef *keaDef, SECOidTag spkiOid)
+{
+    switch (spkiOid) {
+        case SEC_OID_X500_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_RSA_ENCRYPTION:
+        case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+            return keaDef->signKeyType == rsaKey;
+        case SEC_OID_ANSIX9_DSA_SIGNATURE:
+            return keaDef->signKeyType == dsaKey;
+        case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+            return keaDef->signKeyType == ecKey;
+        default:
+            break;
     }
-    return ecGroup->name == ssl_NamedGroupForSignatureScheme(scheme);
+    return PR_FALSE;
 }
 
-/* ssl3_CheckSignatureSchemeConsistency checks that the signature
- * algorithm identifier in |sigAndHash| is consistent with the public key in
- * |cert|. It also checks the hash algorithm against the configured signature
- * algorithms.  If all the tests pass, SECSuccess is returned. Otherwise,
- * PORT_SetError is called and SECFailure is returned. */
+/* ssl3_CheckSignatureSchemeConsistency checks that the signature algorithm
+ * identifier in |scheme| is consistent with the public key in |cert|. It also
+ * checks the hash algorithm against the configured signature algorithms.  If
+ * all the tests pass, SECSuccess is returned. Otherwise, PORT_SetError is
+ * called and SECFailure is returned. */
 SECStatus
-ssl_CheckSignatureSchemeConsistency(
-    sslSocket *ss, SSLSignatureScheme scheme, CERTCertificate *cert)
+ssl_CheckSignatureSchemeConsistency(sslSocket *ss, SSLSignatureScheme scheme,
+                                    CERTCertificate *cert)
 {
-    unsigned int i;
-    const sslNamedGroupDef *group = NULL;
-    SECKEYPublicKey *key;
-    KeyType keyType;
+    SSLSignatureScheme spkiScheme;
     PRBool isTLS13 = ss->version == SSL_LIBRARY_VERSION_TLS_1_3;
+    SECOidTag spkiOid;
+    SECStatus rv;
 
-    key = CERT_ExtractPublicKey(cert);
-    if (key == NULL) {
-        ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+    rv = ssl_SignatureSchemeFromSpki(&cert->subjectPublicKeyInfo, isTLS13,
+                                     &spkiScheme);
+    if (rv != SECSuccess) {
         return SECFailure;
     }
-
-    keyType = SECKEY_GetPublicKeyType(key);
-    if (keyType == ecKey) {
-        group = ssl_ECPubKey2NamedGroup(key);
+    if (spkiScheme != ssl_sig_none) {
+        /* The SPKI in the certificate can only be used for a single scheme. */
+        if (spkiScheme != scheme ||
+            !ssl_SignatureSchemeEnabled(ss, scheme)) {
+            PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
+            return SECFailure;
+        }
+        return SECSuccess;
     }
-    SECKEY_DestroyPublicKey(key);
+
+    spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm);
 
     /* If we're a client, check that the signature algorithm matches the signing
      * key type of the cipher suite. */
-    if (!isTLS13 &&
-        !ss->sec.isServer &&
-        ss->ssl3.hs.kea_def->signKeyType != keyType) {
-        PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
-        return SECFailure;
+    if (!isTLS13 && !ss->sec.isServer) {
+        if (!ssl_SignatureKeyMatchesSpkiOid(ss->ssl3.hs.kea_def, spkiOid)) {
+            PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
+            return SECFailure;
+        }
     }
 
     /* Verify that the signature scheme matches the signing key. */
-    if (!ssl_SignatureSchemeValidForKey(!isTLS13 /* allowSha1 */,
-                                        isTLS13 /* matchGroup */,
-                                        keyType, group, scheme)) {
+    if (!ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
         PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
         return SECFailure;
     }
 
-    for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
-        if (scheme == ss->ssl3.signatureSchemes[i]) {
-            return SECSuccess;
-        }
+    if (!ssl_SignatureSchemeEnabled(ss, scheme)) {
+        PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+        return SECFailure;
     }
-    PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
-    return SECFailure;
+
+    return SECSuccess;
 }
 
 PRBool
@@ -4153,6 +4269,9 @@ ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
         case ssl_sig_rsa_pss_rsae_sha256:
         case ssl_sig_rsa_pss_rsae_sha384:
         case ssl_sig_rsa_pss_rsae_sha512:
+        case ssl_sig_rsa_pss_pss_sha256:
+        case ssl_sig_rsa_pss_pss_sha384:
+        case ssl_sig_rsa_pss_pss_sha512:
         case ssl_sig_ecdsa_secp256r1_sha256:
         case ssl_sig_ecdsa_secp384r1_sha384:
         case ssl_sig_ecdsa_secp521r1_sha512:
@@ -4164,9 +4283,6 @@ ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
             return PR_TRUE;
 
         case ssl_sig_rsa_pkcs1_sha1md5:
-        case ssl_sig_rsa_pss_pss_sha256:
-        case ssl_sig_rsa_pss_pss_sha384:
-        case ssl_sig_rsa_pss_pss_sha512:
         case ssl_sig_none:
         case ssl_sig_ed25519:
         case ssl_sig_ed448:
@@ -4182,6 +4298,9 @@ ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme)
         case ssl_sig_rsa_pss_rsae_sha256:
         case ssl_sig_rsa_pss_rsae_sha384:
         case ssl_sig_rsa_pss_rsae_sha512:
+        case ssl_sig_rsa_pss_pss_sha256:
+        case ssl_sig_rsa_pss_pss_sha384:
+        case ssl_sig_rsa_pss_pss_sha512:
             return PR_TRUE;
 
         default:
@@ -4190,6 +4309,41 @@ ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme)
     return PR_FALSE;
 }
 
+SSLAuthType
+ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme)
+{
+    switch (scheme) {
+        case ssl_sig_rsa_pkcs1_sha1:
+        case ssl_sig_rsa_pkcs1_sha1md5:
+        case ssl_sig_rsa_pkcs1_sha256:
+        case ssl_sig_rsa_pkcs1_sha384:
+        case ssl_sig_rsa_pkcs1_sha512:
+        /* We report based on the key type for PSS signatures. */
+        case ssl_sig_rsa_pss_rsae_sha256:
+        case ssl_sig_rsa_pss_rsae_sha384:
+        case ssl_sig_rsa_pss_rsae_sha512:
+            return ssl_auth_rsa_sign;
+        case ssl_sig_rsa_pss_pss_sha256:
+        case ssl_sig_rsa_pss_pss_sha384:
+        case ssl_sig_rsa_pss_pss_sha512:
+            return ssl_auth_rsa_pss;
+        case ssl_sig_ecdsa_secp256r1_sha256:
+        case ssl_sig_ecdsa_secp384r1_sha384:
+        case ssl_sig_ecdsa_secp521r1_sha512:
+        case ssl_sig_ecdsa_sha1:
+            return ssl_auth_ecdsa;
+        case ssl_sig_dsa_sha1:
+        case ssl_sig_dsa_sha256:
+        case ssl_sig_dsa_sha384:
+        case ssl_sig_dsa_sha512:
+            return ssl_auth_dsa;
+
+        default:
+            PORT_Assert(0);
+    }
+    return ssl_auth_null;
+}
+
 /* ssl_ConsumeSignatureScheme reads a SSLSignatureScheme (formerly
  * SignatureAndHashAlgorithm) structure from |b| and puts the resulting value
  * into |out|. |b| and |length| are updated accordingly.
@@ -4617,9 +4771,13 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
      * If we have an sid and it comes from an external cache, we use it. */
     if (ss->sec.ci.sid && ss->sec.ci.sid->cached == in_external_cache) {
         PORT_Assert(!ss->sec.isServer);
-        sid = ss->sec.ci.sid;
+        sid = ssl_ReferenceSID(ss->sec.ci.sid);
         SSL_TRC(3, ("%d: SSL3[%d]: using external resumption token in ClientHello",
                     SSL_GETPID(), ss->fd));
+    } else if (ss->sec.ci.sid && ss->statelessResume && type == client_hello_retry) {
+        /* If we are sending a second ClientHello, reuse the same SID
+         * as the original one. */
+        sid = ssl_ReferenceSID(ss->sec.ci.sid);
     } else if (!ss->opt.noCache) {
         /* We ignore ss->sec.ci.sid here, and use ssl_Lookup because Lookup
          * handles expired entries and other details.
@@ -4644,7 +4802,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
         suite = ssl_LookupCipherSuiteCfg(sid->u.ssl3.cipherSuite,
                                          ss->cipherSuites);
         PORT_Assert(suite);
-        if (!suite || !config_match(suite, ss->ssl3.policy, &ss->vrange, ss)) {
+        if (!suite || !ssl3_config_match(suite, ss->ssl3.policy, &ss->vrange, ss)) {
             sidOK = PR_FALSE;
         }
 
@@ -4765,9 +4923,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
     }
     ssl_ReleaseSpecWriteLock(ss);
 
-    if (ss->sec.ci.sid != NULL) {
-        ssl_FreeSID(ss->sec.ci.sid); /* decrement ref count, free if zero */
-    }
+    ssl_FreeSID(ss->sec.ci.sid); /* release the old sid */
     ss->sec.ci.sid = sid;
 
     /* HACK for SCSV in SSL 3.0.  On initial handshake, prepend SCSV,
@@ -4792,6 +4948,14 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
         PR_RWLock_Rlock(sid->u.ssl3.lock);
     }
 
+    /* Generate a new random if this is the first attempt. */
+    if (type == client_hello_initial) {
+        rv = ssl3_GetNewRandom(ss->ssl3.hs.client_random);
+        if (rv != SECSuccess) {
+            goto loser; /* err set by GetNewRandom. */
+        }
+    }
+
     if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3 &&
         type == client_hello_initial) {
         rv = tls13_SetupClientHello(ss);
@@ -4799,6 +4963,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
             goto loser;
         }
     }
+
     if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
         rv = ssl_ConstructExtensions(ss, &extensionBuf, ssl_hs_client_hello);
         if (rv != SECSuccess) {
@@ -4870,13 +5035,6 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
         goto loser; /* err set by ssl3_AppendHandshake* */
     }
 
-    /* Generate a new random if this is the first attempt. */
-    if (type == client_hello_initial) {
-        rv = ssl3_GetNewRandom(ss->ssl3.hs.client_random);
-        if (rv != SECSuccess) {
-            goto loser; /* err set by GetNewRandom. */
-        }
-    }
     rv = ssl3_AppendHandshake(ss, ss->ssl3.hs.client_random,
                               SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
@@ -4931,7 +5089,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-        if (config_match(suite, ss->ssl3.policy, &ss->vrange, ss)) {
+        if (ssl3_config_match(suite, ss->ssl3.policy, &ss->vrange, ss)) {
             actual_count++;
             if (actual_count > num_suites) {
                 /* set error card removal/insertion error */
@@ -5394,6 +5552,7 @@ ssl3_GetWrappingKey(sslSocket *ss,
     switch (authType) {
         case ssl_auth_rsa_decrypt:
         case ssl_auth_rsa_sign: /* bad: see Bug 1248320 */
+        case ssl_auth_rsa_pss:
             asymWrapMechanism = CKM_RSA_PKCS;
             rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
                                     unwrappedWrappingKey, &wrappedKey);
@@ -5843,20 +6002,59 @@ ssl3_SendClientKeyExchange(sslSocket *ss)
     return rv; /* err code already set. */
 }
 
+/* Used by ssl_PickSignatureScheme(). */
+static PRBool
+ssl_CanUseSignatureScheme(SSLSignatureScheme scheme,
+                          const SSLSignatureScheme *peerSchemes,
+                          unsigned int peerSchemeCount,
+                          PRBool requireSha1,
+                          PRBool slotDoesPss)
+{
+    SSLHashType hashType;
+    SECOidTag hashOID;
+    PRUint32 policy;
+    unsigned int i;
+
+    /* Skip RSA-PSS schemes when the certificate's private key slot does
+     * not support this signature mechanism. */
+    if (ssl_IsRsaPssSignatureScheme(scheme) && !slotDoesPss) {
+        return PR_FALSE;
+    }
+
+    hashType = ssl_SignatureSchemeToHashType(scheme);
+    if (requireSha1 && (hashType != ssl_hash_sha1)) {
+        return PR_FALSE;
+    }
+    hashOID = ssl3_HashTypeToOID(hashType);
+    if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
+        !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+        return PR_FALSE;
+    }
+
+    for (i = 0; i < peerSchemeCount; i++) {
+        if (peerSchemes[i] == scheme) {
+            return PR_TRUE;
+        }
+    }
+    return PR_FALSE;
+}
+
 SECStatus
 ssl_PickSignatureScheme(sslSocket *ss,
+                        CERTCertificate *cert,
                         SECKEYPublicKey *pubKey,
                         SECKEYPrivateKey *privKey,
                         const SSLSignatureScheme *peerSchemes,
                         unsigned int peerSchemeCount,
                         PRBool requireSha1)
 {
-    unsigned int i, j;
-    const sslNamedGroupDef *group = NULL;
-    KeyType keyType;
+    unsigned int i;
     PK11SlotInfo *slot;
     PRBool slotDoesPss;
     PRBool isTLS13 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_3;
+    SECStatus rv;
+    SSLSignatureScheme scheme;
+    SECOidTag spkiOid;
 
     /* We can't require SHA-1 in TLS 1.3. */
     PORT_Assert(!(requireSha1 && isTLS13));
@@ -5874,47 +6072,35 @@ ssl_PickSignatureScheme(sslSocket *ss,
     slotDoesPss = PK11_DoesMechanism(slot, auth_alg_defs[ssl_auth_rsa_pss]);
     PK11_FreeSlot(slot);
 
-    keyType = SECKEY_GetPublicKeyType(pubKey);
-    if (keyType == ecKey) {
-        group = ssl_ECPubKey2NamedGroup(pubKey);
+    /* If the certificate SPKI indicates a single scheme, don't search. */
+    rv = ssl_SignatureSchemeFromSpki(&cert->subjectPublicKeyInfo,
+                                     isTLS13, &scheme);
+    if (rv != SECSuccess) {
+        return SECFailure;
     }
-
-    /* Here we look for the first local preference that the client has
-     * indicated support for in their signature_algorithms extension. */
-    for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
-        SSLHashType hashType;
-        SECOidTag hashOID;
-        SSLSignatureScheme preferred = ss->ssl3.signatureSchemes[i];
-        PRUint32 policy;
-
-        if (!ssl_SignatureSchemeValidForKey(!isTLS13 /* allowSha1 */,
-                                            isTLS13 /* matchGroup */,
-                                            keyType, group, preferred)) {
-            continue;
+    if (scheme != ssl_sig_none) {
+        if (!ssl_SignatureSchemeEnabled(ss, scheme) ||
+            !ssl_CanUseSignatureScheme(scheme, peerSchemes, peerSchemeCount,
+                                       requireSha1, slotDoesPss)) {
+            PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+            return SECFailure;
         }
+        ss->ssl3.hs.signatureScheme = scheme;
+        return SECSuccess;
+    }
 
-        /* Skip RSA-PSS schemes when the certificate's private key slot does
-         * not support this signature mechanism. */
-        if (ssl_IsRsaPssSignatureScheme(preferred) && !slotDoesPss) {
-            continue;
-        }
+    spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm);
 
-        hashType = ssl_SignatureSchemeToHashType(preferred);
-        if (requireSha1 && (hashType != ssl_hash_sha1)) {
-            continue;
-        }
-        hashOID = ssl3_HashTypeToOID(hashType);
-        if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
-            !(policy & NSS_USE_ALG_IN_SSL_KX)) {
-            /* we ignore hashes we don't support */
-            continue;
-        }
+    /* Now we have to search based on the key type. Go through our preferred
+     * schemes in order and find the first that can be used. */
+    for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
+        scheme = ss->ssl3.signatureSchemes[i];
 
-        for (j = 0; j < peerSchemeCount; j++) {
-            if (peerSchemes[j] == preferred) {
-                ss->ssl3.hs.signatureScheme = preferred;
-                return SECSuccess;
-            }
+        if (ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13) &&
+            ssl_CanUseSignatureScheme(scheme, peerSchemes, peerSchemeCount,
+                                      requireSha1, slotDoesPss)) {
+            ss->ssl3.hs.signatureScheme = scheme;
+            return SECSuccess;
         }
     }
 
@@ -5956,17 +6142,19 @@ ssl_PickFallbackSignatureScheme(sslSocket *ss, SECKEYPublicKey *pubKey)
 static SECStatus
 ssl3_PickServerSignatureScheme(sslSocket *ss)
 {
-    sslKeyPair *keyPair = ss->sec.serverCert->serverKeyPair;
+    const sslServerCert *cert = ss->sec.serverCert;
     PRBool isTLS12 = ss->version >= SSL_LIBRARY_VERSION_TLS_1_2;
 
     if (!isTLS12 || !ssl3_ExtensionNegotiated(ss, ssl_signature_algorithms_xtn)) {
         /* If the client didn't provide any signature_algorithms extension then
          * we can assume that they support SHA-1: RFC5246, Section 7.4.1.4.1. */
-        return ssl_PickFallbackSignatureScheme(ss, keyPair->pubKey);
+        return ssl_PickFallbackSignatureScheme(ss, cert->serverKeyPair->pubKey);
     }
 
     /* Sets error code, if needed. */
-    return ssl_PickSignatureScheme(ss, keyPair->pubKey, keyPair->privKey,
+    return ssl_PickSignatureScheme(ss, cert->serverCert,
+                                   cert->serverKeyPair->pubKey,
+                                   cert->serverKeyPair->privKey,
                                    ss->xtnData.sigSchemes,
                                    ss->xtnData.numSigSchemes,
                                    PR_FALSE /* requireSha1 */);
@@ -5977,23 +6165,18 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes,
                               unsigned int numSchemes)
 {
     SECKEYPrivateKey *privKey = ss->ssl3.clientPrivateKey;
-    SECKEYPublicKey *pubKey;
     SECStatus rv;
-
     PRBool isTLS13 = (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3;
-    pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
+    SECKEYPublicKey *pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
+
     PORT_Assert(pubKey);
 
-    if (!isTLS13 && numSchemes == 0) {
-        /* If the server didn't provide any signature algorithms
-         * then let's assume they support SHA-1. */
-        rv = ssl_PickFallbackSignatureScheme(ss, pubKey);
-        SECKEY_DestroyPublicKey(pubKey);
-        return rv;
+    if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+        /* We should have already checked that a signature scheme was
+         * listed in the request. */
+        PORT_Assert(schemes && numSchemes > 0);
     }
 
-    PORT_Assert(schemes && numSchemes > 0);
-
     if (!isTLS13 &&
         (SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
          SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
@@ -6004,7 +6187,8 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes,
          * older, DSA key size is at most 1024 bits and the hash function must
          * be SHA-1.
          */
-        rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
+        rv = ssl_PickSignatureScheme(ss, ss->ssl3.clientCertificate,
+                                     pubKey, privKey, schemes, numSchemes,
                                      PR_TRUE /* requireSha1 */);
         if (rv == SECSuccess) {
             SECKEY_DestroyPublicKey(pubKey);
@@ -6013,7 +6197,8 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes,
         /* If this fails, that's because the peer doesn't advertise SHA-1,
          * so fall back to the full negotiation. */
     }
-    rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
+    rv = ssl_PickSignatureScheme(ss, ss->ssl3.clientCertificate,
+                                 pubKey, privKey, schemes, numSchemes,
                                  PR_FALSE /* requireSha1 */);
     SECKEY_DestroyPublicKey(pubKey);
     return rv;
@@ -6141,7 +6326,7 @@ ssl_ClientSetCipherSuite(sslSocket *ss, SSL3ProtocolVersion version,
         ssl3CipherSuiteCfg *suiteCfg = &ss->cipherSuites[i];
         if (suite == suiteCfg->cipher_suite) {
             SSLVersionRange vrange = { version, version };
-            if (!config_match(suiteCfg, ss->ssl3.policy, &vrange, ss)) {
+            if (!ssl3_config_match(suiteCfg, ss->ssl3.policy, &vrange, ss)) {
                 /* config_match already checks whether the cipher suite is
                  * acceptable for the version, but the check is repeated here
                  * in order to give a more precise error code. */
@@ -6201,18 +6386,56 @@ ssl_CheckServerSessionIdCorrectness(sslSocket *ss, SECItem *sidBytes)
 
     /* TLS 1.2: Session ID shouldn't match if we sent a fake. */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
-        return !sentFakeSid || !sidMatch;
+        if (sentFakeSid) {
+            return !sidMatch;
+        }
+        return PR_TRUE;
     }
 
     /* TLS 1.3: We sent a session ID.  The server's should match. */
-    if (sentRealSid || sentFakeSid) {
+    if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
         return sidMatch;
     }
 
-    /* TLS 1.3: The server shouldn't send a session ID. */
+    /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
     return sidBytes->len == 0;
 }
 
+static SECStatus
+ssl_CheckServerRandom(sslSocket *ss)
+{
+    /* Check the ServerHello.random per [RFC 8446 Section 4.1.3].
+     *
+     * TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
+     * MUST check that the last 8 bytes are not equal to either of these
+     * values.  TLS 1.2 clients SHOULD also check that the last 8 bytes are
+     * not equal to the second value if the ServerHello indicates TLS 1.1 or
+     * below.  If a match is found, the client MUST abort the handshake with
+     * an "illegal_parameter" alert.
+     */
+    SSL3ProtocolVersion checkVersion =
+        ss->ssl3.downgradeCheckVersion ? ss->ssl3.downgradeCheckVersion
+                                       : ss->vrange.max;
+
+    if (checkVersion >= SSL_LIBRARY_VERSION_TLS_1_2 &&
+        checkVersion > ss->version) {
+        /* Both sections use the same sentinel region. */
+        PRUint8 *downgrade_sentinel =
+            ss->ssl3.hs.server_random +
+            SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random);
+        if (!PORT_Memcmp(downgrade_sentinel,
+                         tls13_downgrade_random,
+                         sizeof(tls13_downgrade_random)) ||
+            !PORT_Memcmp(downgrade_sentinel,
+                         tls12_downgrade_random,
+                         sizeof(tls12_downgrade_random))) {
+            return SECFailure;
+        }
+    }
+
+    return SECSuccess;
+}
+
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 ServerHello message.
  * Caller must hold Handshake and RecvBuf locks.
@@ -6229,9 +6452,6 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
     SSL3AlertDescription desc = illegal_parameter;
     const PRUint8 *savedMsg = b;
     const PRUint32 savedLength = length;
-#ifndef TLS_1_3_DRAFT_VERSION
-    SSL3ProtocolVersion downgradeCheckVersion;
-#endif
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello handshake",
                 SSL_GETPID(), ss->fd));
@@ -6341,9 +6561,20 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
         goto alert_loser;
     }
 
-    /* The server didn't pick 1.3 although we either received a
-     * HelloRetryRequest, or we prepared to send early app data. */
+    /* There are three situations in which the server must pick
+     * TLS 1.3.
+     *
+     * 1. We offered ESNI.
+     * 2. We received HRR
+     * 3. We sent early app data.
+     *
+     */
     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
+        if (ss->xtnData.esniPrivateKey) {
+            desc = protocol_version;
+            errCode = SSL_ERROR_UNSUPPORTED_VERSION;
+            goto alert_loser;
+        }
         if (isHelloRetry || ss->ssl3.hs.helloRetry) {
             /* SSL3_SendAlert() will uncache the SID. */
             desc = illegal_parameter;
@@ -6368,39 +6599,19 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
         goto alert_loser;
     }
 
-#ifndef TLS_1_3_DRAFT_VERSION
-    /* Check the ServerHello.random per
-     * [draft-ietf-tls-tls13-11 Section 6.3.1.1].
-     *
-     * TLS 1.3 clients receiving a TLS 1.2 or below ServerHello MUST check
-     * that the top eight octets are not equal to either of these values.
-     * TLS 1.2 clients SHOULD also perform this check if the ServerHello
-     * indicates TLS 1.1 or below.  If a match is found the client MUST
-     * abort the handshake with a fatal "illegal_parameter" alert.
-     *
-     * Disable this test during the TLS 1.3 draft version period.
-     */
-    downgradeCheckVersion = ss->ssl3.downgradeCheckVersion ? ss->ssl3.downgradeCheckVersion
-                                                           : ss->vrange.max;
-
-    if (downgradeCheckVersion >= SSL_LIBRARY_VERSION_TLS_1_2 &&
-        downgradeCheckVersion > ss->version) {
-        /* Both sections use the same sentinel region. */
-        PRUint8 *downgrade_sentinel =
-            ss->ssl3.hs.server_random +
-            SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random);
-        if (!PORT_Memcmp(downgrade_sentinel,
-                         tls13_downgrade_random,
-                         sizeof(tls13_downgrade_random)) ||
-            !PORT_Memcmp(downgrade_sentinel,
-                         tls12_downgrade_random,
-                         sizeof(tls12_downgrade_random))) {
+    if (ss->opt.enableHelloDowngradeCheck
+#ifdef DTLS_1_3_DRAFT_VERSION
+        /* Disable this check while we are on draft DTLS 1.3 versions. */
+        && !IS_DTLS(ss)
+#endif
+            ) {
+        rv = ssl_CheckServerRandom(ss);
+        if (rv != SECSuccess) {
             desc = illegal_parameter;
             errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
             goto alert_loser;
         }
     }
-#endif
 
     /* Finally, now all the version-related checks have passed. */
     ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
@@ -6776,12 +6987,12 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
     if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
         rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
         if (rv != SECSuccess) {
-            goto loser; /* malformed or unsupported. */
+            goto alert_loser; /* malformed or unsupported. */
         }
         rv = ssl_CheckSignatureSchemeConsistency(ss, sigScheme,
                                                  ss->sec.peerCert);
         if (rv != SECSuccess) {
-            goto loser;
+            goto alert_loser;
         }
         hashAlg = ssl_SignatureSchemeToHashType(sigScheme);
     } else {
@@ -7005,7 +7216,8 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
     SECStatus rv;
     SECItem buf;
     SSLSignatureScheme *schemes = NULL;
-    unsigned int numSchemes = 0;
+    unsigned int numSupported = 0;
+    unsigned int numRemaining = 0;
     unsigned int max;
 
     rv = ssl3_ExtConsumeHandshakeVariable(ss, &buf, 2, b, len);
@@ -7024,7 +7236,8 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
     }
 
     /* Limit the number of schemes we read. */
-    max = PR_MIN(buf.len / 2, MAX_SIGNATURE_SCHEMES);
+    numRemaining = buf.len / 2;
+    max = PR_MIN(numRemaining, MAX_SIGNATURE_SCHEMES);
 
     if (arena) {
         schemes = PORT_ArenaZNewArray(arena, SSLSignatureScheme, max);
@@ -7036,7 +7249,7 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
         return SECFailure;
     }
 
-    for (; max; --max) {
+    for (; numRemaining && numSupported < MAX_SIGNATURE_SCHEMES; --numRemaining) {
         PRUint32 tmp;
         rv = ssl3_ExtConsumeHandshakeNumber(ss, &tmp, 2, &buf.data, &buf.len);
         if (rv != SECSuccess) {
@@ -7045,11 +7258,11 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
             return SECFailure;
         }
         if (ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) {
-            schemes[numSchemes++] = (SSLSignatureScheme)tmp;
+            schemes[numSupported++] = (SSLSignatureScheme)tmp;
         }
     }
 
-    if (!numSchemes) {
+    if (!numSupported) {
         if (!arena) {
             PORT_Free(schemes);
         }
@@ -7058,7 +7271,7 @@ ssl_ParseSignatureSchemes(const sslSocket *ss, PLArenaPool *arena,
 
 done:
     *schemesOut = schemes;
-    *numSchemesOut = numSchemes;
+    *numSchemesOut = numSupported;
     return SECSuccess;
 }
 
@@ -7114,6 +7327,11 @@ ssl3_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length)
             PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST);
             goto loser; /* malformed, alert has been sent */
         }
+        if (signatureSchemeCount == 0) {
+            errCode = SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+            desc = handshake_failure;
+            goto alert_loser;
+        }
     }
 
     rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, &ca_list);
@@ -7239,16 +7457,25 @@ ssl3_CheckFalseStart(sslSocket *ss)
         SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
                     SSL_GETPID(), ss->fd));
     } else {
-        PRBool maybeFalseStart;
+        PRBool maybeFalseStart = PR_TRUE;
         SECStatus rv;
 
+        rv = ssl_CheckServerRandom(ss);
+        if (rv != SECSuccess) {
+            SSL_TRC(3, ("%d: SSL[%d]: no false start due to possible downgrade",
+                        SSL_GETPID(), ss->fd));
+            maybeFalseStart = PR_FALSE;
+        }
+
         /* An attacker can control the selected ciphersuite so we only wish to
          * do False Start in the case that the selected ciphersuite is
          * sufficiently strong that the attack can gain no advantage.
          * Therefore we always require an 80-bit cipher. */
-        ssl_GetSpecReadLock(ss);
-        maybeFalseStart = ss->ssl3.cwSpec->cipherDef->secret_key_size >= 10;
-        ssl_ReleaseSpecReadLock(ss);
+        if (maybeFalseStart) {
+            ssl_GetSpecReadLock(ss);
+            maybeFalseStart = ss->ssl3.cwSpec->cipherDef->secret_key_size >= 10;
+            ssl_ReleaseSpecReadLock(ss);
+        }
 
         if (!maybeFalseStart) {
             SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
@@ -7647,6 +7874,30 @@ ssl3_KEASupportsTickets(const ssl3KEADef *kea_def)
     return PR_TRUE;
 }
 
+SECStatus
+ssl3_NegotiateCipherSuiteInner(sslSocket *ss, const SECItem *suites,
+                               PRUint16 version, PRUint16 *suitep)
+{
+    unsigned int j;
+    unsigned int i;
+
+    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+        ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+        SSLVersionRange vrange = { version, version };
+        if (!ssl3_config_match(suite, ss->ssl3.policy, &vrange, ss)) {
+            continue;
+        }
+        for (i = 0; i + 1 < suites->len; i += 2) {
+            PRUint16 suite_i = (suites->data[i] << 8) | suites->data[i + 1];
+            if (suite_i == suite->cipher_suite) {
+                *suitep = suite_i;
+                return SECSuccess;
+            }
+        }
+    }
+    return SECFailure;
+}
+
 /* Select a cipher suite.
 **
 ** NOTE: This suite selection algorithm should be the same as the one in
@@ -7665,24 +7916,16 @@ SECStatus
 ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites,
                           PRBool initHashes)
 {
-    unsigned int j;
-    unsigned int i;
+    PRUint16 selected;
+    SECStatus rv;
 
-    for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
-        ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-        SSLVersionRange vrange = { ss->version, ss->version };
-        if (!config_match(suite, ss->ssl3.policy, &vrange, ss)) {
-            continue;
-        }
-        for (i = 0; i + 1 < suites->len; i += 2) {
-            PRUint16 suite_i = (suites->data[i] << 8) | suites->data[i + 1];
-            if (suite_i == suite->cipher_suite) {
-                ss->ssl3.hs.cipher_suite = suite_i;
-                return ssl3_SetupCipherSuite(ss, initHashes);
-            }
-        }
+    rv = ssl3_NegotiateCipherSuiteInner(ss, suites, ss->version, &selected);
+    if (rv != SECSuccess) {
+        return SECFailure;
     }
-    return SECFailure;
+
+    ss->ssl3.hs.cipher_suite = selected;
+    return ssl3_SetupCipherSuite(ss, initHashes);
 }
 
 /*
@@ -7814,9 +8057,12 @@ ssl3_ServerCallSNICallback(sslSocket *ss)
                 }
                 /* Need to tell the client that application has picked
                  * the name from the offered list and reconfigured the socket.
+                 * Don't do this if we negotiated ESNI.
                  */
-                ssl3_RegisterExtensionSender(ss, &ss->xtnData, ssl_server_name_xtn,
-                                             ssl_SendEmptyExtension);
+                if (!ssl3_ExtensionNegotiated(ss, ssl_tls13_encrypted_sni_xtn)) {
+                    ssl3_RegisterExtensionSender(ss, &ss->xtnData, ssl_server_name_xtn,
+                                                 ssl_SendEmptyExtension);
+                }
             } else {
                 /* Callback returned index outside of the boundary. */
                 PORT_Assert((unsigned int)ret < ss->xtnData.sniNameArrSize);
@@ -7845,6 +8091,7 @@ ssl3_SelectServerCert(sslSocket *ss)
 {
     const ssl3KEADef *kea_def = ss->ssl3.hs.kea_def;
     PRCList *cursor;
+    SECStatus rv;
 
     /* If the client didn't include the supported groups extension, assume just
      * P-256 support and disable all the other ECDHE groups.  This also affects
@@ -7870,30 +8117,102 @@ ssl3_SelectServerCert(sslSocket *ss)
          cursor != &ss->serverCerts;
          cursor = PR_NEXT_LINK(cursor)) {
         sslServerCert *cert = (sslServerCert *)cursor;
-        if (!SSL_CERT_IS(cert, kea_def->authKeyType)) {
-            continue;
-        }
-        if (SSL_CERT_IS_EC(cert) &&
-            !ssl_NamedGroupEnabled(ss, cert->namedCurve)) {
-            continue;
+        if (kea_def->authKeyType == ssl_auth_rsa_sign) {
+            /* We consider PSS certificates here as well for TLS 1.2. */
+            if (!SSL_CERT_IS(cert, ssl_auth_rsa_sign) &&
+                (!SSL_CERT_IS(cert, ssl_auth_rsa_pss) ||
+                 ss->version < SSL_LIBRARY_VERSION_TLS_1_2)) {
+                continue;
+            }
+        } else {
+            if (!SSL_CERT_IS(cert, kea_def->authKeyType)) {
+                continue;
+            }
+            if (SSL_CERT_IS_EC(cert) &&
+                !ssl_NamedGroupEnabled(ss, cert->namedCurve)) {
+                continue;
+            }
         }
 
         /* Found one. */
         ss->sec.serverCert = cert;
-        ss->sec.authType = kea_def->authKeyType;
         ss->sec.authKeyBits = cert->serverKeyBits;
 
         /* Don't pick a signature scheme if we aren't going to use it. */
         if (kea_def->signKeyType == nullKey) {
+            ss->sec.authType = kea_def->authKeyType;
             return SECSuccess;
         }
-        return ssl3_PickServerSignatureScheme(ss);
+
+        rv = ssl3_PickServerSignatureScheme(ss);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        ss->sec.authType =
+            ssl_SignatureSchemeToAuthType(ss->ssl3.hs.signatureScheme);
+        return SECSuccess;
     }
 
     PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
     return SECFailure;
 }
 
+static SECStatus
+ssl_GenerateServerRandom(sslSocket *ss)
+{
+    SECStatus rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    if (ss->version == ss->vrange.max) {
+        return SECSuccess;
+    }
+#ifdef DTLS_1_3_DRAFT_VERSION
+    if (IS_DTLS(ss)) {
+        return SECSuccess;
+    }
+#endif
+
+    /*
+     * [RFC 8446 Section 4.1.3].
+     *
+     * TLS 1.3 servers which negotiate TLS 1.2 or below in response to a
+     * ClientHello MUST set the last 8 bytes of their Random value specially in
+     * their ServerHello.
+     *
+     * If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of
+     * their Random value to the bytes:
+     *
+     *   44 4F 57 4E 47 52 44 01
+     *
+     * If negotiating TLS 1.1 or below, TLS 1.3 servers MUST, and TLS 1.2
+     * servers SHOULD, set the last 8 bytes of their ServerHello.Random value to
+     * the bytes:
+     *
+     *   44 4F 57 4E 47 52 44 00
+     */
+    PRUint8 *downgradeSentinel =
+        ss->ssl3.hs.server_random +
+        SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random);
+
+    switch (ss->vrange.max) {
+        case SSL_LIBRARY_VERSION_TLS_1_3:
+            PORT_Memcpy(downgradeSentinel,
+                        tls13_downgrade_random, sizeof(tls13_downgrade_random));
+            break;
+        case SSL_LIBRARY_VERSION_TLS_1_2:
+            PORT_Memcpy(downgradeSentinel,
+                        tls12_downgrade_random, sizeof(tls12_downgrade_random));
+            break;
+        default:
+            /* Do not change random. */
+            break;
+    }
+
+    return SECSuccess;
+}
+
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Client Hello message.
  * Caller must hold Handshake and RecvBuf locks.
@@ -8088,56 +8407,6 @@ ssl3_HandleClientHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
         }
     }
 
-    /* Generate the Server Random now so it is available
-     * when we process the ClientKeyShare in TLS 1.3 */
-    rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random);
-    if (rv != SECSuccess) {
-        errCode = SSL_ERROR_GENERATE_RANDOM_FAILURE;
-        goto loser;
-    }
-
-#ifndef TLS_1_3_DRAFT_VERSION
-    /*
-     * [draft-ietf-tls-tls13-11 Section 6.3.1.1].
-     * TLS 1.3 server implementations which respond to a ClientHello with a
-     * client_version indicating TLS 1.2 or below MUST set the last eight
-     * bytes of their Random value to the bytes:
-     *
-     * 44 4F 57 4E 47 52 44 01
-     *
-     * TLS 1.2 server implementations which respond to a ClientHello with a
-     * client_version indicating TLS 1.1 or below SHOULD set the last eight
-     * bytes of their Random value to the bytes:
-     *
-     * 44 4F 57 4E 47 52 44 00
-     *
-     * TODO(ekr@rtfm.com): Note this change was not added in the SSLv2
-     * compat processing code since that will most likely be removed before
-     * we ship the final version of TLS 1.3. Bug 1306672.
-     */
-    if (ss->vrange.max > ss->version) {
-        PRUint8 *downgrade_sentinel =
-            ss->ssl3.hs.server_random +
-            SSL3_RANDOM_LENGTH - sizeof(tls13_downgrade_random);
-
-        switch (ss->vrange.max) {
-            case SSL_LIBRARY_VERSION_TLS_1_3:
-                PORT_Memcpy(downgrade_sentinel,
-                            tls13_downgrade_random,
-                            sizeof(tls13_downgrade_random));
-                break;
-            case SSL_LIBRARY_VERSION_TLS_1_2:
-                PORT_Memcpy(downgrade_sentinel,
-                            tls12_downgrade_random,
-                            sizeof(tls12_downgrade_random));
-                break;
-            default:
-                /* Do not change random. */
-                break;
-        }
-    }
-#endif
-
     /* If there is a cookie, then this is a second ClientHello (TLS 1.3). */
     if (ssl3_FindExtension(ss, ssl_tls13_cookie_xtn)) {
         ss->ssl3.hs.helloRetry = PR_TRUE;
@@ -8397,7 +8666,7 @@ ssl3_HandleClientHelloPart2(sslSocket *ss,
              * The product policy won't change during the process lifetime.
              * Implemented ("isPresent") shouldn't change for servers.
              */
-            if (!config_match(suite, ss->ssl3.policy, &vrange, ss))
+            if (!ssl3_config_match(suite, ss->ssl3.policy, &vrange, ss))
                 break;
 #else
             if (!suite->enabled)
@@ -8779,7 +9048,7 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, unsigned int leng
     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
         SSLVersionRange vrange = { ss->version, ss->version };
-        if (!config_match(suite, ss->ssl3.policy, &vrange, ss)) {
+        if (!ssl3_config_match(suite, ss->ssl3.policy, &vrange, ss)) {
             continue;
         }
         for (i = 0; i + 2 < suite_length; i += 3) {
@@ -8884,6 +9153,7 @@ ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry,
     SECStatus rv;
     SSL3ProtocolVersion version;
     sslSessionID *sid = ss->sec.ci.sid;
+    const PRUint8 *random;
 
     version = PR_MIN(ss->version, SSL_LIBRARY_VERSION_TLS_1_2);
     if (IS_DTLS(ss)) {
@@ -8893,9 +9163,17 @@ ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry,
     if (rv != SECSuccess) {
         return SECFailure;
     }
-    /* Random already generated in ssl3_HandleClientHello */
-    rv = sslBuffer_Append(messageBuf, helloRetry ? ssl_hello_retry_random : ss->ssl3.hs.server_random,
-                          SSL3_RANDOM_LENGTH);
+
+    if (helloRetry) {
+        random = ssl_hello_retry_random;
+    } else {
+        rv = ssl_GenerateServerRandom(ss);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        random = ss->ssl3.hs.server_random;
+    }
+    rv = sslBuffer_Append(messageBuf, random, SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -9368,7 +9646,7 @@ ssl3_HandleCertificateVerify(sslSocket *ss, PRUint8 *b, PRUint32 length)
                                                  ss->sec.peerCert);
         if (rv != SECSuccess) {
             errCode = PORT_GetError();
-            desc = decrypt_error;
+            desc = illegal_parameter;
             goto alert_loser;
         }
 
@@ -9501,6 +9779,23 @@ ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
     return pms;
 }
 
+static void
+ssl3_CSwapPK11SymKey(PK11SymKey **x, PK11SymKey **y, PRBool c)
+{
+    uintptr_t mask = (uintptr_t)c;
+    unsigned int i;
+    for (i = 1; i < sizeof(uintptr_t) * 8; i <<= 1) {
+        mask |= mask << i;
+    }
+    uintptr_t x_ptr = (uintptr_t)*x;
+    uintptr_t y_ptr = (uintptr_t)*y;
+    uintptr_t tmp = (x_ptr ^ y_ptr) & mask;
+    x_ptr = x_ptr ^ tmp;
+    y_ptr = y_ptr ^ tmp;
+    *x = (PK11SymKey *)x_ptr;
+    *y = (PK11SymKey *)y_ptr;
+}
+
 /* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
  * return any indication of failure of the Client Key Exchange message,
  * where that failure is caused by the content of the client's message.
@@ -9521,9 +9816,9 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
 {
     SECStatus rv;
     SECItem enc_pms;
-    PK11SymKey *tmpPms[2] = { NULL, NULL };
-    PK11SlotInfo *slot;
-    int useFauxPms = 0;
+    PK11SymKey *pms = NULL;
+    PK11SymKey *fauxPms = NULL;
+    PK11SlotInfo *slot = NULL;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ -9544,11 +9839,6 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
         }
     }
 
-#define currentPms tmpPms[!useFauxPms]
-#define unusedPms tmpPms[useFauxPms]
-#define realPms tmpPms[1]
-#define fauxPms tmpPms[0]
-
     /*
      * Get as close to algorithm 2 from RFC 5246; Section 7.4.7.1
      * as we can within the constraints of the PKCS#11 interface.
@@ -9603,40 +9893,33 @@ ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
      *  the unwrap.  Rather, it is the mechanism with which the
      *      unwrapped pms will be used.
      */
-    realPms = PK11_PubUnwrapSymKey(serverKeyPair->privKey, &enc_pms,
-                                   CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
+    pms = PK11_PubUnwrapSymKey(serverKeyPair->privKey, &enc_pms,
+                               CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
     /* Temporarily use the PMS if unwrapping the real PMS fails. */
-    useFauxPms |= (realPms == NULL);
+    ssl3_CSwapPK11SymKey(&pms, &fauxPms, pms == NULL);
 
     /* Attempt to derive the MS from the PMS. This is the only way to
      * check the version field in the RSA PMS. If this fails, we
      * then use the faux PMS in place of the PMS. Note that this
      * operation should never fail if we are using the faux PMS
      * since it is correctly formatted. */
-    rv = ssl3_ComputeMasterSecret(ss, currentPms, NULL);
-
-    /* If we succeeded, then select the true PMS and discard the
-     * FPMS. Else, select the FPMS and select the true PMS */
-    useFauxPms |= (rv != SECSuccess);
+    rv = ssl3_ComputeMasterSecret(ss, pms, NULL);
 
-    if (unusedPms) {
-        PK11_FreeSymKey(unusedPms);
-    }
+    /* If we succeeded, then select the true PMS, else select the FPMS. */
+    ssl3_CSwapPK11SymKey(&pms, &fauxPms, (rv != SECSuccess) & (fauxPms != NULL));
 
     /* This step will derive the MS from the PMS, among other things. */
-    rv = ssl3_InitPendingCipherSpecs(ss, currentPms, PR_TRUE);
-    PK11_FreeSymKey(currentPms);
+    rv = ssl3_InitPendingCipherSpecs(ss, pms, PR_TRUE);
+
+    /* Clear both PMS. */
+    PK11_FreeSymKey(pms);
+    PK11_FreeSymKey(fauxPms);
 
     if (rv != SECSuccess) {
         (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
         return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
     }
 
-#undef currentPms
-#undef unusedPms
-#undef realPms
-#undef fauxPms
-
     return SECSuccess;
 }
 
@@ -10429,6 +10712,9 @@ ssl3_AuthCertificate(sslSocket *ss)
                                            PR_TRUE, isServer);
     if (rv != SECSuccess) {
         errCode = PORT_GetError();
+        if (errCode == 0) {
+            errCode = SSL_ERROR_BAD_CERTIFICATE;
+        }
         if (rv != SECWouldBlock) {
             if (ss->handleBadCert) {
                 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
@@ -11252,7 +11538,7 @@ ssl3_FinishHandshake(sslSocket *ss)
 }
 
 SECStatus
-ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type,
+ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType ct,
                             PRUint32 dtlsSeq,
                             const PRUint8 *b, PRUint32 length)
 {
@@ -11262,7 +11548,7 @@ ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type,
 
     PRINT_BUF(50, (ss, "Hash handshake message:", b, length));
 
-    hdr[0] = (PRUint8)type;
+    hdr[0] = (PRUint8)ct;
     hdr[1] = (PRUint8)(length >> 16);
     hdr[2] = (PRUint8)(length >> 8);
     hdr[3] = (PRUint8)(length);
@@ -11302,10 +11588,10 @@ ssl_HashHandshakeMessageInt(sslSocket *ss, SSLHandshakeType type,
 }
 
 SECStatus
-ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
+ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType ct,
                          const PRUint8 *b, PRUint32 length)
 {
-    return ssl_HashHandshakeMessageInt(ss, type, ss->ssl3.hs.recvMessageSeq,
+    return ssl_HashHandshakeMessageInt(ss, ct, ss->ssl3.hs.recvMessageSeq,
                                        b, length);
 }
 
@@ -11885,7 +12171,7 @@ ssl3_UnprotectRecord(sslSocket *ss,
     PRBool isTLS;
     unsigned int good;
     unsigned int ivLen = 0;
-    SSL3ContentType rType;
+    SSLContentType rType;
     SSL3ProtocolVersion rVersion;
     unsigned int minLength;
     unsigned int originalLen = 0;
@@ -11959,7 +12245,7 @@ ssl3_UnprotectRecord(sslSocket *ss,
         return SECFailure;
     }
 
-    rType = (SSL3ContentType)cText->hdr[0];
+    rType = (SSLContentType)cText->hdr[0];
     rVersion = ((SSL3ProtocolVersion)cText->hdr[1] << 8) |
                (SSL3ProtocolVersion)cText->hdr[2];
     if (cipher_def->type == type_aead) {
@@ -12071,7 +12357,7 @@ ssl3_UnprotectRecord(sslSocket *ss,
 }
 
 SECStatus
-ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType,
+ssl3_HandleNonApplicationData(sslSocket *ss, SSLContentType rType,
                               DTLSEpoch epoch, sslSequenceNumber seqNum,
                               sslBuffer *databuf)
 {
@@ -12089,20 +12375,20 @@ ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType,
     ** they return SECFailure or SECWouldBlock.
     */
     switch (rType) {
-        case content_change_cipher_spec:
+        case ssl_ct_change_cipher_spec:
             rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
             break;
-        case content_alert:
+        case ssl_ct_alert:
             rv = ssl3_HandleAlert(ss, databuf);
             break;
-        case content_handshake:
+        case ssl_ct_handshake:
             if (!IS_DTLS(ss)) {
                 rv = ssl3_HandleHandshake(ss, databuf);
             } else {
                 rv = dtls_HandleHandshake(ss, epoch, seqNum, databuf);
             }
             break;
-        case content_ack:
+        case ssl_ct_ack:
             if (IS_DTLS(ss) && tls13_MaybeTls13(ss)) {
                 rv = dtls13_HandleAck(ss, databuf);
                 break;
@@ -12190,7 +12476,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
     ssl3CipherSpec *spec = NULL;
     PRUint16 recordSizeLimit;
     PRBool outOfOrderSpec = PR_FALSE;
-    SSL3ContentType rType;
+    SSLContentType rType;
     sslBuffer *plaintext = &ss->gs.buf;
     SSL3AlertDescription alert = internal_error;
     PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
@@ -12208,7 +12494,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
     /* We're waiting for another ClientHello, which will appear unencrypted.
      * Use the content type to tell whether this should be discarded. */
     if (ss->ssl3.hs.zeroRttIgnore == ssl_0rtt_ignore_hrr &&
-        cText->hdr[0] == content_application_data) {
+        cText->hdr[0] == ssl_ct_application_data) {
         PORT_Assert(ss->ssl3.hs.ws == wait_client_hello);
         return SECSuccess;
     }
@@ -12269,7 +12555,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
     /* Encrypted application data records could arrive before the handshake
      * completes in DTLS 1.3. These can look like valid TLS 1.2 application_data
      * records in epoch 0, which is never valid. Pretend they didn't decrypt. */
-    if (spec->epoch == 0 && rType == content_application_data) {
+    if (spec->epoch == 0 && rType == ssl_ct_application_data) {
         PORT_SetError(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA);
         alert = unexpected_message;
         rv = SECFailure;
@@ -12304,7 +12590,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
          * 0-RTT session that is resumed from a session that did negotiate it.
          * We don't care about that corner case right now. */
         if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
-            cText->hdr[0] == content_change_cipher_spec &&
+            cText->hdr[0] == ssl_ct_change_cipher_spec &&
             ss->ssl3.hs.ws != idle_handshake &&
             cText->buf->len == 1 &&
             cText->buf->buf[0] == change_cipher_spec_choice) {
@@ -12364,7 +12650,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
     /* Application data records are processed by the caller of this
     ** function, not by this function.
     */
-    if (rType == content_application_data) {
+    if (rType == ssl_ct_application_data) {
         if (ss->firstHsDone)
             return SECSuccess;
         if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
diff --git a/security/nss/lib/ssl/ssl3ecc.c b/security/nss/lib/ssl/ssl3ecc.c
index f8b9a94000..52d5bb5152 100644
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -327,16 +327,13 @@ ssl3_HandleECDHClientKeyExchange(sslSocket *ss, PRUint8 *b,
 ** Take an encoded key share and make a public key out of it.
 */
 SECStatus
-ssl_ImportECDHKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey,
+ssl_ImportECDHKeyShare(SECKEYPublicKey *peerKey,
                        PRUint8 *b, PRUint32 length,
                        const sslNamedGroupDef *ecGroup)
 {
     SECStatus rv;
     SECItem ecPoint = { siBuffer, NULL, 0 };
 
-    PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
-    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
     if (!length) {
         PORT_SetError(SSL_ERROR_RX_MALFORMED_ECDHE_KEY_SHARE);
         return SECFailure;
@@ -616,7 +613,7 @@ ssl3_HandleECDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
     peerKey->arena = arena;
 
     /* create public key from point data */
-    rv = ssl_ImportECDHKeyShare(ss, peerKey, ec_point.data, ec_point.len,
+    rv = ssl_ImportECDHKeyShare(peerKey, ec_point.data, ec_point.len,
                                 ecGroup);
     if (rv != SECSuccess) {
         /* error code is set */
diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c
index 9b6c719f88..60b5889e72 100644
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -50,6 +50,7 @@ static const ssl3ExtensionHandler clientHelloHandlers[] = {
     { ssl_tls13_early_data_xtn, &tls13_ServerHandleEarlyDataXtn },
     { ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ServerHandlePskModesXtn },
     { ssl_tls13_cookie_xtn, &tls13_ServerHandleCookieXtn },
+    { ssl_tls13_encrypted_sni_xtn, &tls13_ServerHandleEsniXtn },
     { ssl_record_size_limit_xtn, &ssl_HandleRecordSizeLimitXtn },
     { 0, NULL }
 };
@@ -136,6 +137,7 @@ static const sslExtensionBuilder clientHelloSendersTLS[] =
       { ssl_signature_algorithms_xtn, &ssl3_SendSigAlgsXtn },
       { ssl_tls13_cookie_xtn, &tls13_ClientSendHrrCookieXtn },
       { ssl_tls13_psk_key_exchange_modes_xtn, &tls13_ClientSendPskModesXtn },
+      { ssl_tls13_encrypted_sni_xtn, &tls13_ClientSendEsniXtn },
       { ssl_record_size_limit_xtn, &ssl_SendRecordSizeLimitXtn },
       /* The pre_shared_key extension MUST be last. */
       { ssl_tls13_pre_shared_key_xtn, &tls13_ClientSendPreSharedKeyXtn },
@@ -338,8 +340,6 @@ ssl3_ParseExtensions(sslSocket *ss, PRUint8 **b, PRUint32 *length)
             return SECFailure; /* alert already sent */
         }
 
-        SSL_TRC(10, ("%d: SSL3[%d]: parsing extension %d",
-                     SSL_GETPID(), ss->fd, extension_type));
         /* Check whether an extension has been sent multiple times. */
         for (cursor = PR_NEXT_LINK(&ss->ssl3.hs.remoteExtensions);
              cursor != &ss->ssl3.hs.remoteExtensions;
@@ -357,6 +357,9 @@ ssl3_ParseExtensions(sslSocket *ss, PRUint8 **b, PRUint32 *length)
             return rv; /* alert already sent */
         }
 
+        SSL_TRC(10, ("%d: SSL3[%d]: parsed extension %d len=%u",
+                     SSL_GETPID(), ss->fd, extension_type, extension_data.len));
+
         extension = PORT_ZNew(TLSExtension);
         if (!extension) {
             return SECFailure;
@@ -409,7 +412,9 @@ ssl_CallExtensionHandler(sslSocket *ss, SSLHandshakeType handshakeMessage,
         /* Find extension_type in table of Hello Extension Handlers. */
         for (; handler->ex_handler != NULL; ++handler) {
             if (handler->ex_type == extension->type) {
-                rv = (*handler->ex_handler)(ss, &ss->xtnData, &extension->data);
+                SECItem tmp = extension->data;
+
+                rv = (*handler->ex_handler)(ss, &ss->xtnData, &tmp);
                 break;
             }
         }
@@ -960,6 +965,8 @@ ssl3_DestroyExtensionData(TLSExtensionData *xtnData)
         xtnData->certReqAuthorities.arena = NULL;
     }
     PORT_Free(xtnData->advertised);
+    ssl_FreeEphemeralKeyPair(xtnData->esniPrivateKey);
+    SECITEM_FreeItem(&xtnData->keyShareExtension, PR_FALSE);
 }
 
 /* Free everything that has been allocated and then reset back to
diff --git a/security/nss/lib/ssl/ssl3ext.h b/security/nss/lib/ssl/ssl3ext.h
index 6d77c7459e..d96b4cffe6 100644
--- a/security/nss/lib/ssl/ssl3ext.h
+++ b/security/nss/lib/ssl/ssl3ext.h
@@ -11,6 +11,8 @@
 
 #include "sslencode.h"
 
+#define TLS13_ESNI_NONCE_SIZE 16
+
 typedef enum {
     sni_nametype_hostname
 } SNINameType;
@@ -101,6 +103,14 @@ struct TLSExtensionDataStr {
 
     /* The record size limit set by the peer. Our value is kept in ss->opt. */
     PRUint16 recordSizeLimit;
+
+    /* ESNI working state */
+    SECItem keyShareExtension;
+    ssl3CipherSuite esniSuite;
+    sslEphemeralKeyPair *esniPrivateKey;
+    /* Pointer into |ss->esniKeys->keyShares| */
+    TLS13KeyShareEntry *peerEsniShare;
+    PRUint8 esniNonce[TLS13_ESNI_NONCE_SIZE];
 };
 
 typedef struct TLSExtensionStr {
diff --git a/security/nss/lib/ssl/ssl3exthandle.c b/security/nss/lib/ssl/ssl3exthandle.c
index d1f286dc3c..a2d83fa97a 100644
--- a/security/nss/lib/ssl/ssl3exthandle.c
+++ b/security/nss/lib/ssl/ssl3exthandle.c
@@ -15,30 +15,40 @@
 #include "selfencrypt.h"
 #include "ssl3ext.h"
 #include "ssl3exthandle.h"
+#include "tls13esni.h"
 #include "tls13exthandle.h" /* For tls13_ServerSendStatusRequestXtn. */
 
+PRBool
+ssl_ShouldSendSNIExtension(const sslSocket *ss, const char *url)
+{
+    PRNetAddr netAddr;
+
+    /* must have a hostname */
+    if (!url || !url[0]) {
+        return PR_FALSE;
+    }
+    /* must not be an IPv4 or IPv6 address */
+    if (PR_SUCCESS == PR_StringToNetAddr(url, &netAddr)) {
+        /* is an IP address (v4 or v6) */
+        return PR_FALSE;
+    }
+
+    return PR_TRUE;
+}
+
 /* Format an SNI extension, using the name from the socket's URL,
  * unless that name is a dotted decimal string.
  * Used by client and server.
  */
 SECStatus
-ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
-                             sslBuffer *buf, PRBool *added)
+ssl3_ClientFormatServerNameXtn(const sslSocket *ss, const char *url,
+                               TLSExtensionData *xtnData,
+                               sslBuffer *buf)
 {
     unsigned int len;
-    PRNetAddr netAddr;
     SECStatus rv;
 
-    /* must have a hostname */
-    if (!ss->url || !ss->url[0]) {
-        return SECSuccess;
-    }
-    /* must not be an IPv4 or IPv6 address */
-    if (PR_SUCCESS == PR_StringToNetAddr(ss->url, &netAddr)) {
-        /* is an IP address (v4 or v6) */
-        return SECSuccess;
-    }
-    len = PORT_Strlen(ss->url);
+    len = PORT_Strlen(url);
     /* length of server_name_list */
     rv = sslBuffer_AppendNumber(buf, len + 3, 2);
     if (rv != SECSuccess) {
@@ -50,7 +60,33 @@ ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
         return SECFailure;
     }
     /* HostName (length and value) */
-    rv = sslBuffer_AppendVariable(buf, (const PRUint8 *)ss->url, len, 2);
+    rv = sslBuffer_AppendVariable(buf, (const PRUint8 *)url, len, 2);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+SECStatus
+ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                             sslBuffer *buf, PRBool *added)
+{
+    SECStatus rv;
+
+    const char *url = ss->url;
+
+    /* We only make an ESNI private key if we are going to
+     * send ESNI. */
+    if (ss->xtnData.esniPrivateKey != NULL) {
+        url = ss->esniKeys->dummySni;
+    }
+
+    if (!ssl_ShouldSendSNIExtension(ss, url)) {
+        return SECSuccess;
+    }
+
+    rv = ssl3_ClientFormatServerNameXtn(ss, url, xtnData, buf);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -59,7 +95,6 @@ ssl3_ClientSendServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     return SECSuccess;
 }
 
-/* Handle an incoming SNI extension. */
 SECStatus
 ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
                          SECItem *data)
@@ -72,6 +107,13 @@ ssl3_HandleServerNameXtn(const sslSocket *ss, TLSExtensionData *xtnData,
         return SECSuccess; /* ignore extension */
     }
 
+    if (ssl3_ExtensionNegotiated(ss, ssl_tls13_encrypted_sni_xtn)) {
+        /* If we already have ESNI, make sure we don't overwrite
+         * the value. */
+        PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
+        return SECSuccess;
+    }
+
     /* Server side - consume client data and register server sender. */
     /* do not parse the data if don't have user extension handling function. */
     if (!ss->sniSocketConfig) {
@@ -1174,17 +1216,18 @@ ssl3_ProcessSessionTicketCommon(sslSocket *ss, const SECItem *ticket,
                                   &decryptedTicket.len,
                                   decryptedTicket.len);
     if (rv != SECSuccess) {
-        SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
-
-        /* Fail with no ticket if we're not a recipient. Otherwise
-         * it's a hard failure. */
-        if (PORT_GetError() != SEC_ERROR_NOT_A_RECIPIENT) {
-            SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
-            return SECFailure;
+        /* Ignore decryption failure if we are doing TLS 1.3; that
+         * means the server rejects the client's resumption
+         * attempt. In TLS 1.2, however, it's a hard failure, unless
+         * it's just because we're not the recipient of the ticket. */
+        if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 ||
+            PORT_GetError() == SEC_ERROR_NOT_A_RECIPIENT) {
+            SECITEM_ZfreeItem(&decryptedTicket, PR_FALSE);
+            return SECSuccess;
         }
 
-        /* We didn't have the right key, so pretend we don't have a
-         * ticket. */
+        SSL3_SendAlert(ss, alert_fatal, illegal_parameter);
+        goto loser;
     }
 
     rv = ssl_ParseSessionTicket(ss, &decryptedTicket, &parsedTicket);
diff --git a/security/nss/lib/ssl/ssl3exthandle.h b/security/nss/lib/ssl/ssl3exthandle.h
index eaf7f0081c..3e9b418cfe 100644
--- a/security/nss/lib/ssl/ssl3exthandle.h
+++ b/security/nss/lib/ssl/ssl3exthandle.h
@@ -91,6 +91,10 @@ SECStatus ssl3_HandleExtendedMasterSecretXtn(const sslSocket *ss,
                                              SECItem *data);
 SECStatus ssl3_ProcessSessionTicketCommon(sslSocket *ss, const SECItem *ticket,
                                           /* out */ SECItem *appToken);
+PRBool ssl_ShouldSendSNIExtension(const sslSocket *ss, const char *url);
+SECStatus ssl3_ClientFormatServerNameXtn(const sslSocket *ss, const char *url,
+                                         TLSExtensionData *xtnData,
+                                         sslBuffer *buf);
 SECStatus ssl3_ClientSendServerNameXtn(const sslSocket *ss,
                                        TLSExtensionData *xtnData,
                                        sslBuffer *buf, PRBool *added);
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
index 5ea7cc249e..64a1878f76 100644
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -60,8 +60,8 @@ ssl3_isLikelyV3Hello(const unsigned char *buf)
     }
 
     /* Check for a typical V3 record header. */
-    return (PRBool)(buf[0] >= content_change_cipher_spec &&
-                    buf[0] <= content_application_data &&
+    return (PRBool)(buf[0] >= ssl_ct_change_cipher_spec &&
+                    buf[0] <= ssl_ct_application_data &&
                     buf[1] == MSB(SSL_LIBRARY_VERSION_3_0));
 }
 
@@ -314,7 +314,7 @@ dtls_GatherData(sslSocket *ss, sslGather *gs, int flags)
     contentType = gs->dtlsPacket.buf[gs->dtlsPacketOffset];
     if (dtls_IsLongHeader(ss->version, contentType)) {
         headerLen = 13;
-    } else if (contentType == content_application_data) {
+    } else if (contentType == ssl_ct_application_data) {
         headerLen = 7;
     } else if ((contentType & 0xe0) == 0x20) {
         headerLen = 2;
@@ -463,15 +463,15 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
             SSL_DBG(("%d: SSL3[%d]: resuming handshake",
                      SSL_GETPID(), ss->fd));
             PORT_Assert(!IS_DTLS(ss));
-            rv = ssl3_HandleNonApplicationData(ss, content_handshake,
+            rv = ssl3_HandleNonApplicationData(ss, ssl_ct_handshake,
                                                0, 0, &ss->gs.buf);
         } else {
             /* State for SSLv2 client hello support. */
             ssl2Gather ssl2gs = { PR_FALSE, 0 };
             ssl2Gather *ssl2gs_ptr = NULL;
 
-            /* If we're a server and waiting for a client hello, accept v2. */
-            if (ss->sec.isServer && ss->ssl3.hs.ws == wait_client_hello) {
+            if (ss->sec.isServer && ss->opt.enableV2CompatibleHello &&
+                ss->ssl3.hs.ws == wait_client_hello) {
                 ssl2gs_ptr = &ssl2gs;
             }
 
@@ -484,8 +484,8 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
             }
 
             if (!IS_DTLS(ss)) {
-                /* If we're a server waiting for a ClientHello then pass
-                 * ssl2gs to support SSLv2 ClientHello messages. */
+                /* Passing a non-NULL ssl2gs here enables detection of
+                 * SSLv2-compatible ClientHello messages. */
                 rv = ssl3_GatherData(ss, &ss->gs, flags, ssl2gs_ptr);
             } else {
                 rv = dtls_GatherData(ss, &ss->gs, flags);
diff --git a/security/nss/lib/ssl/ssl3prot.h b/security/nss/lib/ssl/ssl3prot.h
index 8e6cf27456..bfaa10d3fb 100644
--- a/security/nss/lib/ssl/ssl3prot.h
+++ b/security/nss/lib/ssl/ssl3prot.h
@@ -13,10 +13,8 @@
 typedef PRUint16 SSL3ProtocolVersion;
 /* version numbers are defined in sslproto.h */
 
-/* The TLS 1.3 draft version. Used to avoid negotiating
- * between incompatible pre-standard TLS 1.3 drafts.
- * TODO(ekr@rtfm.com): Remove when TLS 1.3 is published. */
-#define TLS_1_3_DRAFT_VERSION 28
+/* DTLS 1.3 is still a draft. */
+#define DTLS_1_3_DRAFT_VERSION 28
 
 typedef PRUint16 ssl3CipherSuite;
 /* The cipher suites are defined in sslproto.h */
@@ -35,15 +33,6 @@ typedef PRUint16 ssl3CipherSuite;
 
 #define MAX_FRAGMENT_LENGTH 16384
 
-typedef enum {
-    content_change_cipher_spec = 20,
-    content_alert = 21,
-    content_handshake = 22,
-    content_application_data = 23,
-    content_alt_handshake = 24,
-    content_ack = 25
-} SSL3ContentType;
-
 typedef enum { change_cipher_spec_choice = 1 } SSL3ChangeCipherSpecChoice;
 
 typedef enum { alert_warning = 1,
diff --git a/security/nss/lib/ssl/sslcert.c b/security/nss/lib/ssl/sslcert.c
index 1c3ddb0e75..878df761ed 100644
--- a/security/nss/lib/ssl/sslcert.c
+++ b/security/nss/lib/ssl/sslcert.c
@@ -436,8 +436,6 @@ ssl_GetCertificateAuthTypes(CERTCertificate *cert, SSLAuthType targetAuthType)
         case SEC_OID_PKCS1_RSA_ENCRYPTION:
             if (cert->keyUsage & KU_DIGITAL_SIGNATURE) {
                 authTypes |= 1 << ssl_auth_rsa_sign;
-                /* This certificate is RSA, assume that it's also PSS. */
-                authTypes |= 1 << ssl_auth_rsa_pss;
             }
 
             if (cert->keyUsage & KU_KEY_ENCIPHERMENT) {
diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h
index 518a2b8875..a4aa276576 100644
--- a/security/nss/lib/ssl/sslerr.h
+++ b/security/nss/lib/ssl/sslerr.h
@@ -264,6 +264,10 @@ typedef enum {
     SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR = (SSL_ERROR_BASE + 173),
     SSL_ERROR_RX_MALFORMED_DTLS_ACK = (SSL_ERROR_BASE + 174),
     SSL_ERROR_DH_KEY_TOO_LONG = (SSL_ERROR_BASE + 175),
+    SSL_ERROR_RX_MALFORMED_ESNI_KEYS = (SSL_ERROR_BASE + 176),
+    SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION = (SSL_ERROR_BASE + 177),
+    SSL_ERROR_MISSING_ESNI_EXTENSION = (SSL_ERROR_BASE + 178),
+    SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE = (SSL_ERROR_BASE + 179),
     SSL_ERROR_END_OF_LIST   /* let the c compiler determine the value of this. */
 } SSLErrorCodes;
 #endif /* NO_SECURITY_ERROR_ENUM */
diff --git a/security/nss/lib/ssl/sslexp.h b/security/nss/lib/ssl/sslexp.h
index 08654f8854..f450e528dc 100644
--- a/security/nss/lib/ssl/sslexp.h
+++ b/security/nss/lib/ssl/sslexp.h
@@ -367,6 +367,7 @@ typedef struct SSLResumptionTokenInfoStr {
     PRUint8 *alpnSelection;
     PRUint32 alpnSelectionLen;
     PRUint32 maxEarlyDataSize;
+    PRTime expirationTime; /* added in NSS 3.41 */
 } SSLResumptionTokenInfo;
 
 /*
@@ -452,8 +453,65 @@ typedef SECStatus(PR_CALLBACK *SSLResumptionTokenCallback)(
                          (PRFileDesc * _fd, PRUint32 _size), \
                          (fd, size))
 
-/* Deprecated experimental APIs */
+/* Set the ESNI key pair on a socket (server side)
+ *
+ * fd -- the socket
+ * record/recordLen -- the encoded DNS record (not base64)
+ *
+ * Important: the suites that are advertised in the record must
+ * be configured on, or this call will fail.
+ */
+#define SSL_SetESNIKeyPair(fd,                                              \
+                           privKey, record, recordLen)                      \
+    SSL_EXPERIMENTAL_API("SSL_SetESNIKeyPair",                              \
+                         (PRFileDesc * _fd,                                 \
+                          SECKEYPrivateKey * _privKey,                      \
+                          const PRUint8 *_record, unsigned int _recordLen), \
+                         (fd, privKey,                                      \
+                          record, recordLen))
 
+/* Set the ESNI keys on a client
+ *
+ * fd -- the socket
+ * ensikeys/esniKeysLen -- the ESNI key structure (not base64)
+ * dummyESNI -- the dummy ESNI to use (if any)
+ */
+#define SSL_EnableESNI(fd, esniKeys, esniKeysLen, dummySNI) \
+    SSL_EXPERIMENTAL_API("SSL_EnableESNI",                  \
+                         (PRFileDesc * _fd,                 \
+                          const PRUint8 *_esniKeys,         \
+                          unsigned int _esniKeysLen,        \
+                          const char *_dummySNI),           \
+                         (fd, esniKeys, esniKeysLen, dummySNI))
+
+/*
+ * Generate an encoded ESNIKeys structure (presumably server side).
+ *
+ * cipherSuites -- the cipher suites that can be used
+ * cipherSuitesCount -- the number of suites in cipherSuites
+ * group -- the named group this key corresponds to
+ * pubKey -- the public key for the key pair
+ * pad -- the length to pad to
+ * notBefore/notAfter -- validity range
+ * out/outlen/maxlen -- where to output the data
+ */
+#define SSL_EncodeESNIKeys(cipherSuites, cipherSuiteCount,          \
+                           group, pubKey, pad, notBefore, notAfter, \
+                           out, outlen, maxlen)                     \
+    SSL_EXPERIMENTAL_API("SSL_EncodeESNIKeys",                      \
+                         (PRUint16 * _cipherSuites,                 \
+                          unsigned int _cipherSuiteCount,           \
+                          SSLNamedGroup _group,                     \
+                          SECKEYPublicKey *_pubKey,                 \
+                          PRUint16 _pad,                            \
+                          PRUint64 _notBefore, PRUint64 _notAfter,  \
+                          PRUint8 *_out, unsigned int *_outlen,     \
+                          unsigned int _maxlen),                    \
+                         (cipherSuites, cipherSuiteCount,           \
+                          group, pubKey, pad, notBefore, notAfter,  \
+                          out, outlen, maxlen))
+
+/* Deprecated experimental APIs */
 #define SSL_UseAltServerHelloType(fd, enable) SSL_DEPRECATED_EXPERIMENTAL_API
 
 SEC_END_PROTOS
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index a2209e90a1..35240d2fba 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -36,6 +36,10 @@
 
 typedef struct sslSocketStr sslSocket;
 typedef struct sslNamedGroupDefStr sslNamedGroupDef;
+typedef struct sslEsniKeysStr sslEsniKeys;
+typedef struct sslEphemeralKeyPairStr sslEphemeralKeyPair;
+typedef struct TLS13KeyShareEntryStr TLS13KeyShareEntry;
+
 #include "sslencode.h"
 #include "sslexp.h"
 #include "ssl3ext.h"
@@ -230,7 +234,7 @@ typedef struct {
 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
 
 /* MAX_SIGNATURE_SCHEMES allows for all the values we support. */
-#define MAX_SIGNATURE_SCHEMES 15
+#define MAX_SIGNATURE_SCHEMES 18
 
 typedef struct sslOptionsStr {
     /* If SSL_SetNextProtoNego has been called, then this contains the
@@ -266,6 +270,8 @@ typedef struct sslOptionsStr {
     unsigned int enable0RttData : 1;
     unsigned int enableTls13CompatMode : 1;
     unsigned int enableDtlsShortHeader : 1;
+    unsigned int enableHelloDowngradeCheck : 1;
+    unsigned int enableV2CompatibleHello : 1;
 } sslOptions;
 
 typedef enum { sslHandshakingUndetermined = 0,
@@ -552,16 +558,16 @@ typedef SECStatus (*sslRestartTarget)(sslSocket *);
 typedef struct DTLSQueuedMessageStr {
     PRCList link;           /* The linked list link */
     ssl3CipherSpec *cwSpec; /* The cipher spec to use, null for none */
-    SSL3ContentType type;   /* The message type */
+    SSLContentType type;    /* The message type */
     unsigned char *data;    /* The data */
     PRUint16 len;           /* The data length */
 } DTLSQueuedMessage;
 
-typedef struct TLS13KeyShareEntryStr {
+struct TLS13KeyShareEntryStr {
     PRCList link;                  /* The linked list link */
     const sslNamedGroupDef *group; /* The group for the entry */
     SECItem key_exchange;          /* The share itself */
-} TLS13KeyShareEntry;
+};
 
 typedef struct TLS13EarlyDataStr {
     PRCList link; /* The linked list link */
@@ -803,11 +809,11 @@ struct sslKeyPairStr {
     PRInt32 refCount; /* use PR_Atomic calls for this. */
 };
 
-typedef struct {
+struct sslEphemeralKeyPairStr {
     PRCList link;
     const sslNamedGroupDef *group;
     sslKeyPair *keys;
-} sslEphemeralKeyPair;
+};
 
 struct ssl3DHParamsStr {
     SSLNamedGroup name;
@@ -1064,6 +1070,10 @@ struct sslSocketStr {
 
     /* Whether we are doing stream or datagram mode */
     SSLProtocolVariant protocolVariant;
+
+    /* The information from the ESNI keys record
+     * (also the private key for the server). */
+    sslEsniKeys *esniKeys;
 };
 
 struct sslSelfEncryptKeysStr {
@@ -1168,11 +1178,13 @@ extern int ssl_Do1stHandshake(sslSocket *ss);
 
 extern SECStatus ssl3_InitPendingCipherSpecs(sslSocket *ss, PK11SymKey *secret,
                                              PRBool derive);
+extern void ssl_DestroyKeyMaterial(ssl3KeyMaterial *keyMaterial);
 extern sslSessionID *ssl3_NewSessionID(sslSocket *ss, PRBool is_server);
 extern sslSessionID *ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port,
                                    const char *peerID, const char *urlSvrName);
 extern void ssl_FreeSID(sslSessionID *sid);
 extern void ssl_DestroySID(sslSessionID *sid, PRBool freeIt);
+extern sslSessionID *ssl_ReferenceSID(sslSessionID *sid);
 
 extern int ssl3_SendApplicationData(sslSocket *ss, const PRUint8 *in,
                                     int len, int flags);
@@ -1215,7 +1227,7 @@ SECStatus ssl_HashHandshakeMessage(sslSocket *ss, SSLHandshakeType type,
 extern PRBool ssl3_WaitingForServerSecondRound(sslSocket *ss);
 
 extern PRInt32 ssl3_SendRecord(sslSocket *ss, ssl3CipherSpec *cwSpec,
-                               SSL3ContentType type,
+                               SSLContentType type,
                                const PRUint8 *pIn, PRInt32 nIn,
                                PRInt32 flags);
 
@@ -1387,7 +1399,7 @@ SECStatus ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type);
  * input into the SSL3 machinery from the actualy network reading code
  */
 SECStatus ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cipher);
-SECStatus ssl3_HandleNonApplicationData(sslSocket *ss, SSL3ContentType rType,
+SECStatus ssl3_HandleNonApplicationData(sslSocket *ss, SSLContentType rType,
                                         DTLSEpoch epoch,
                                         sslSequenceNumber seqNum,
                                         sslBuffer *databuf);
@@ -1497,7 +1509,7 @@ extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss,
                                                   sslKeyPair *serverKeys);
 extern SECStatus ssl3_SendECDHServerKeyExchange(sslSocket *ss);
 extern SECStatus ssl_ImportECDHKeyShare(
-    sslSocket *ss, SECKEYPublicKey *peerKey,
+    SECKEYPublicKey *peerKey,
     PRUint8 *b, PRUint32 length, const sslNamedGroupDef *curve);
 
 extern SECStatus ssl3_ComputeCommonKeyHash(SSLHashType hashAlg,
@@ -1562,6 +1574,12 @@ extern void ssl_FreePRSocket(PRFileDesc *fd);
  * various ciphers */
 extern unsigned int ssl3_config_match_init(sslSocket *);
 
+/* Return PR_TRUE if suite is usable.  This if the suite is permitted by policy,
+ * enabled, has a certificate (as needed), has a viable key agreement method, is
+ * usable with the negotiated TLS version, and is otherwise usable. */
+PRBool ssl3_config_match(const ssl3CipherSuiteCfg *suite, PRUint8 policy,
+                         const SSLVersionRange *vrange, const sslSocket *ss);
+
 /* calls for accessing wrapping keys across processes. */
 extern SECStatus
 ssl_GetWrappingKey(unsigned int symWrapMechIndex, unsigned int wrapKeyIndex,
@@ -1591,6 +1609,8 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
 extern SECStatus ssl_FreeSessionCacheLocks(void);
 
 CK_MECHANISM_TYPE ssl3_Alg2Mech(SSLCipherAlgorithm calg);
+SECStatus ssl3_NegotiateCipherSuiteInner(sslSocket *ss, const SECItem *suites,
+                                         PRUint16 version, PRUint16 *suitep);
 SECStatus ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites,
                                     PRBool initHashes);
 SECStatus ssl3_InitHandshakeHashes(sslSocket *ss);
@@ -1638,8 +1658,12 @@ PK11SymKey *ssl3_GetWrappingKey(sslSocket *ss,
 SECStatus ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid,
                                PK11SymKey *secret);
 const ssl3CipherSuiteDef *ssl_LookupCipherSuiteDef(ssl3CipherSuite suite);
+const ssl3CipherSuiteCfg *ssl_LookupCipherSuiteCfg(ssl3CipherSuite suite,
+                                                   const ssl3CipherSuiteCfg *suites);
+
 SECStatus ssl3_SelectServerCert(sslSocket *ss);
 SECStatus ssl_PickSignatureScheme(sslSocket *ss,
+                                  CERTCertificate *cert,
                                   SECKEYPublicKey *pubKey,
                                   SECKEYPrivateKey *privKey,
                                   const SSLSignatureScheme *peerSchemes,
@@ -1647,11 +1671,11 @@ SECStatus ssl_PickSignatureScheme(sslSocket *ss,
                                   PRBool requireSha1);
 SECOidTag ssl3_HashTypeToOID(SSLHashType hashType);
 SSLHashType ssl_SignatureSchemeToHashType(SSLSignatureScheme scheme);
-KeyType ssl_SignatureSchemeToKeyType(SSLSignatureScheme scheme);
+SSLAuthType ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme);
 
 SECStatus ssl3_SetupCipherSuite(sslSocket *ss, PRBool initHashes);
 SECStatus ssl_InsertRecordHeader(const sslSocket *ss, ssl3CipherSpec *cwSpec,
-                                 SSL3ContentType contentType, sslBuffer *wrBuf,
+                                 SSLContentType contentType, sslBuffer *wrBuf,
                                  PRBool *needsLength);
 
 /* Pull in DTLS functions */
@@ -1703,7 +1727,7 @@ void ssl_Trace(const char *format, ...);
 void ssl_CacheExternalToken(sslSocket *ss);
 SECStatus ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedTicket,
                                     PRUint32 encodedTicketLen);
-PRBool ssl_IsResumptionTokenValid(sslSocket *ss);
+PRBool ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid);
 
 /* Remove when stable. */
 
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
index f79c23fc72..f8fb5d50f1 100644
--- a/security/nss/lib/ssl/sslnonce.c
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -234,9 +234,20 @@ ssl_FreeLockedSID(sslSessionID *sid)
 void
 ssl_FreeSID(sslSessionID *sid)
 {
+    if (sid) {
+        LOCK_CACHE;
+        ssl_FreeLockedSID(sid);
+        UNLOCK_CACHE;
+    }
+}
+
+sslSessionID *
+ssl_ReferenceSID(sslSessionID *sid)
+{
     LOCK_CACHE;
-    ssl_FreeLockedSID(sid);
+    sid->references++;
     UNLOCK_CACHE;
+    return sid;
 }
 
 /************************************************************************/
@@ -704,10 +715,9 @@ ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedToken,
 }
 
 PRBool
-ssl_IsResumptionTokenValid(sslSocket *ss)
+ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid)
 {
     PORT_Assert(ss);
-    sslSessionID *sid = ss->sec.ci.sid;
     PORT_Assert(sid);
 
     // Check that the ticket didn't expire.
@@ -1093,10 +1103,12 @@ ssl_CacheExternalToken(sslSocket *ss)
     PRINT_BUF(40, (ss, "SSL: encoded resumption token",
                    SSL_BUFFER_BASE(&encodedToken),
                    SSL_BUFFER_LEN(&encodedToken)));
-    ss->resumptionTokenCallback(ss->fd, SSL_BUFFER_BASE(&encodedToken),
-                                SSL_BUFFER_LEN(&encodedToken),
-                                ss->resumptionTokenContext);
-
+    SECStatus rv = ss->resumptionTokenCallback(
+        ss->fd, SSL_BUFFER_BASE(&encodedToken), SSL_BUFFER_LEN(&encodedToken),
+        ss->resumptionTokenContext);
+    if (rv == SECSuccess) {
+        sid->cached = in_external_cache;
+    }
     sslBuffer_Clear(&encodedToken);
 }
 
@@ -1200,17 +1212,23 @@ ssl3_SetSIDSessionTicket(sslSessionID *sid,
     PORT_Assert(newSessionTicket->ticket.data);
     PORT_Assert(newSessionTicket->ticket.len != 0);
 
-    /* if sid->u.ssl3.lock, we are updating an existing entry that is already
-     * cached or was once cached, so we need to acquire and release the write
-     * lock. Otherwise, this is a new session that isn't shared with anything
-     * yet, so no locking is needed.
+    /* If this is in the client cache, we are updating an existing entry that is
+     * already cached or was once cached, so we need to acquire and release the
+     * write lock. Otherwise, this is a new session that isn't shared with
+     * anything yet, so no locking is needed.
      */
     if (sid->u.ssl3.lock) {
+        PORT_Assert(sid->cached == in_client_cache);
         PR_RWLock_Wlock(sid->u.ssl3.lock);
-        if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
-            SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
-                             PR_FALSE);
-        }
+    }
+    /* If this was in the client cache, then we might have to free the old
+     * ticket.  In TLS 1.3, we might get a replacement ticket if the server
+     * sends more than one ticket. */
+    if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
+        PORT_Assert(sid->cached == in_client_cache ||
+                    sid->version >= SSL_LIBRARY_VERSION_TLS_1_3);
+        SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
+                         PR_FALSE);
     }
 
     PORT_Assert(!sid->u.ssl3.locked.sessionTicket.ticket.data);
diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c
index a1d3892145..c011b66a11 100644
--- a/security/nss/lib/ssl/sslsecur.c
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -685,23 +685,6 @@ ssl_SecureConnect(sslSocket *ss, const PRNetAddr *sa)
 }
 
 /*
- * The TLS 1.2 RFC 5246, Section 7.2.1 says:
- *
- *     Unless some other fatal alert has been transmitted, each party is
- *     required to send a close_notify alert before closing the write side
- *     of the connection.  The other party MUST respond with a close_notify
- *     alert of its own and close down the connection immediately,
- *     discarding any pending writes.  It is not required for the initiator
- *     of the close to wait for the responding close_notify alert before
- *     closing the read side of the connection.
- *
- * The second sentence requires that we send a close_notify alert when we
- * have received a close_notify alert.  In practice, all SSL implementations
- * close the socket immediately after sending a close_notify alert (which is
- * allowed by the third sentence), so responding with a close_notify alert
- * would result in a write failure with the ECONNRESET error.  This is why
- * we don't respond with a close_notify alert.
- *
  * Also, in the unlikely event that the TCP pipe is full and the peer stops
  * reading, the SSL3_SendAlert call in ssl_SecureClose and ssl_SecureShutdown
  * may block indefinitely in blocking mode, and may fail (without retrying)
@@ -714,8 +697,7 @@ ssl_SecureClose(sslSocket *ss)
     int rv;
 
     if (!(ss->shutdownHow & ssl_SHUTDOWN_SEND) &&
-        ss->firstHsDone &&
-        !ss->recvdCloseNotify) {
+        ss->firstHsDone) {
 
         /* We don't want the final alert to be Nagle delayed. */
         if (!ss->delayDisabled) {
@@ -744,8 +726,7 @@ ssl_SecureShutdown(sslSocket *ss, int nsprHow)
 
     if ((sslHow & ssl_SHUTDOWN_SEND) != 0 &&
         !(ss->shutdownHow & ssl_SHUTDOWN_SEND) &&
-        ss->firstHsDone &&
-        !ss->recvdCloseNotify) {
+        ss->firstHsDone) {
 
         (void)SSL3_SendAlert(ss, alert_warning, close_notify);
     }
@@ -936,6 +917,25 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
             firstClientWrite = ss->ssl3.hs.ws == idle_handshake;
             ssl_ReleaseSSL3HandshakeLock(ss);
         }
+        /* Allow the server to send 0.5 RTT data in TLS 1.3. Requesting a
+         * certificate implies that the server might condition its sending on
+         * client authentication, so force servers that do that to wait.
+         *
+         * What might not be obvious here is that this allows 0.5 RTT when doing
+         * PSK-based resumption.  As a result, 0.5 RTT is always enabled when
+         * early data is accepted.
+         *
+         * This check might be more conservative than absolutely necessary.
+         * It's possible that allowing 0.5 RTT data when the server requests,
+         * but does not require client authentication is safe because we can
+         * expect the server to check for a client certificate properly. */
+        if (ss->sec.isServer &&
+            ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
+            !tls13_ShouldRequestClientAuth(ss)) {
+            ssl_GetSSL3HandshakeLock(ss);
+            allowEarlySend = TLS13_IN_HS_STATE(ss, wait_finished);
+            ssl_ReleaseSSL3HandshakeLock(ss);
+        }
         if (!allowEarlySend && ss->handshake) {
             rv = ssl_Do1stHandshake(ss);
         }
@@ -971,7 +971,7 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
          * 1-RTT later.
          */
         ssl_GetSpecReadLock(ss);
-        len = tls13_LimitEarlyData(ss, content_application_data, len);
+        len = tls13_LimitEarlyData(ss, ssl_ct_application_data, len);
         ssl_ReleaseSpecReadLock(ss);
     }
 
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 33595ffae9..ae904e29b8 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -18,6 +18,8 @@
 #include "private/pprio.h"
 #include "nss.h"
 #include "pk11pqg.h"
+#include "pk11pub.h"
+#include "tls13esni.h"
 
 static const sslSocketOps ssl_default_ops = { /* No SSL. */
                                               ssl_DefConnect,
@@ -82,7 +84,9 @@ static sslOptions ssl_defaults = {
     .requireDHENamedGroups = PR_FALSE,
     .enable0RttData = PR_FALSE,
     .enableTls13CompatMode = PR_FALSE,
-    .enableDtlsShortHeader = PR_FALSE
+    .enableDtlsShortHeader = PR_FALSE,
+    .enableHelloDowngradeCheck = PR_FALSE,
+    .enableV2CompatibleHello = PR_FALSE
 };
 
 /*
@@ -359,6 +363,13 @@ ssl_DupSocket(sslSocket *os)
         ss->resumptionTokenCallback = os->resumptionTokenCallback;
         ss->resumptionTokenContext = os->resumptionTokenContext;
 
+        if (os->esniKeys) {
+            ss->esniKeys = tls13_CopyESNIKeys(os->esniKeys);
+            if (!ss->esniKeys) {
+                goto loser;
+            }
+        }
+
         /* Create security data */
         rv = ssl_CopySecurityInfo(ss, os);
         if (rv != SECSuccess) {
@@ -444,6 +455,8 @@ ssl_DestroySocketContents(sslSocket *ss)
 
     ssl_ClearPRCList(&ss->ssl3.hs.dtlsSentHandshake, NULL);
     ssl_ClearPRCList(&ss->ssl3.hs.dtlsRcvdHandshake, NULL);
+
+    tls13_DestroyESNIKeys(ss->esniKeys);
 }
 
 /*
@@ -821,6 +834,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val)
             ss->opt.enableDtlsShortHeader = val;
             break;
 
+        case SSL_ENABLE_HELLO_DOWNGRADE_CHECK:
+            ss->opt.enableHelloDowngradeCheck = val;
+            break;
+
+        case SSL_ENABLE_V2_COMPATIBLE_HELLO:
+            ss->opt.enableV2CompatibleHello = val;
+            break;
+
         default:
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
@@ -963,6 +984,12 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRIntn *pVal)
         case SSL_ENABLE_DTLS_SHORT_HEADER:
             val = ss->opt.enableDtlsShortHeader;
             break;
+        case SSL_ENABLE_HELLO_DOWNGRADE_CHECK:
+            val = ss->opt.enableHelloDowngradeCheck;
+            break;
+        case SSL_ENABLE_V2_COMPATIBLE_HELLO:
+            val = ss->opt.enableV2CompatibleHello;
+            break;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
@@ -1089,6 +1116,12 @@ SSL_OptionGetDefault(PRInt32 which, PRIntn *pVal)
         case SSL_ENABLE_DTLS_SHORT_HEADER:
             val = ssl_defaults.enableDtlsShortHeader;
             break;
+        case SSL_ENABLE_HELLO_DOWNGRADE_CHECK:
+            val = ssl_defaults.enableHelloDowngradeCheck;
+            break;
+        case SSL_ENABLE_V2_COMPATIBLE_HELLO:
+            val = ssl_defaults.enableV2CompatibleHello;
+            break;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             rv = SECFailure;
@@ -1284,6 +1317,14 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val)
             ssl_defaults.enableDtlsShortHeader = val;
             break;
 
+        case SSL_ENABLE_HELLO_DOWNGRADE_CHECK:
+            ssl_defaults.enableHelloDowngradeCheck = val;
+            break;
+
+        case SSL_ENABLE_V2_COMPATIBLE_HELLO:
+            ssl_defaults.enableV2CompatibleHello = val;
+            break;
+
         default:
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             return SECFailure;
@@ -3742,6 +3783,10 @@ ssl_GetKeyPairRef(sslKeyPair *keyPair)
 void
 ssl_FreeKeyPair(sslKeyPair *keyPair)
 {
+    if (!keyPair) {
+        return;
+    }
+
     PRInt32 newCount = PR_ATOMIC_DECREMENT(&keyPair->refCount);
     if (!newCount) {
         SECKEY_DestroyPrivateKey(keyPair->privKey);
@@ -3801,6 +3846,10 @@ ssl_CopyEphemeralKeyPair(sslEphemeralKeyPair *keyPair)
 void
 ssl_FreeEphemeralKeyPair(sslEphemeralKeyPair *keyPair)
 {
+    if (!keyPair) {
+        return;
+    }
+
     ssl_FreeKeyPair(keyPair->keys);
     PR_REMOVE_LINK(&keyPair->link);
     PORT_Free(keyPair);
@@ -3908,6 +3957,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
     PR_INIT_CLIST(&ss->ssl3.hs.dtlsRcvdHandshake);
     dtls_InitTimers(ss);
 
+    ss->esniKeys = NULL;
+
     if (makeLocks) {
         rv = ssl_MakeLocks(ss);
         if (rv != SECSuccess)
@@ -3984,6 +4035,9 @@ struct {
     EXP(SetResumptionToken),
     EXP(GetResumptionTokenInfo),
     EXP(DestroyResumptionTokenInfo),
+    EXP(SetESNIKeyPair),
+    EXP(EncodeESNIKeys),
+    EXP(EnableESNI),
 #endif
     { "", NULL }
 };
@@ -4049,6 +4103,7 @@ SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token,
                           unsigned int len)
 {
     sslSocket *ss = ssl_FindSocket(fd);
+    sslSessionID *sid = NULL;
 
     if (!ss) {
         SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetResumptionToken",
@@ -4062,7 +4117,7 @@ SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token,
     if (ss->firstHsDone || ss->ssl3.hs.ws != idle_handshake ||
         ss->sec.isServer || len == 0 || !token) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        goto done;
+        goto loser;
     }
 
     // We override any previously set session.
@@ -4073,41 +4128,44 @@ SSLExp_SetResumptionToken(PRFileDesc *fd, const PRUint8 *token,
 
     PRINT_BUF(50, (ss, "incoming resumption token", token, len));
 
-    ss->sec.ci.sid = ssl3_NewSessionID(ss, PR_FALSE);
-    if (!ss->sec.ci.sid) {
-        goto done;
+    sid = ssl3_NewSessionID(ss, PR_FALSE);
+    if (!sid) {
+        goto loser;
     }
 
     /* Populate NewSessionTicket values */
-    SECStatus rv = ssl_DecodeResumptionToken(ss->sec.ci.sid, token, len);
+    SECStatus rv = ssl_DecodeResumptionToken(sid, token, len);
     if (rv != SECSuccess) {
         // If decoding fails, we assume the token is bad.
         PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR);
-        ssl_FreeSID(ss->sec.ci.sid);
-        ss->sec.ci.sid = NULL;
-        goto done;
+        goto loser;
     }
 
-    // Make sure that the token is valid.
-    if (!ssl_IsResumptionTokenValid(ss)) {
-        ssl_FreeSID(ss->sec.ci.sid);
-        ss->sec.ci.sid = NULL;
+    // Make sure that the token is currently usable.
+    if (!ssl_IsResumptionTokenUsable(ss, sid)) {
         PORT_SetError(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR);
-        goto done;
+        goto loser;
     }
 
+    // Generate a new random session ID for this ticket.
+    rv = PK11_GenerateRandom(sid->u.ssl3.sessionID, SSL3_SESSIONID_BYTES);
+    if (rv != SECSuccess) {
+        goto loser; // Code set by PK11_GenerateRandom.
+    }
+    sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
     /* Use the sid->cached as marker that this is from an external cache and
      * we don't have to look up anything in the NSS internal cache. */
-    ss->sec.ci.sid->cached = in_external_cache;
-    // This has to be 2 to not free this in sendClientHello.
-    ss->sec.ci.sid->references = 2;
-    ss->sec.ci.sid->lastAccessTime = ssl_TimeSec();
+    sid->cached = in_external_cache;
+    sid->lastAccessTime = ssl_TimeSec();
+
+    ss->sec.ci.sid = sid;
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
     return SECSuccess;
 
-done:
+loser:
+    ssl_FreeSID(sid);
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);
 
@@ -4164,6 +4222,7 @@ SSLExp_GetResumptionTokenInfo(const PRUint8 *tokenData, unsigned int tokenLen,
     } else {
         token.maxEarlyDataSize = 0;
     }
+    token.expirationTime = sid.expirationTime;
 
     token.length = PR_MIN(sizeof(SSLResumptionTokenInfo), len);
     PORT_Memcpy(tokenOut, &token, token.length);
diff --git a/security/nss/lib/ssl/sslspec.c b/security/nss/lib/ssl/sslspec.c
index 7833eeab69..f2e72a4ec4 100644
--- a/security/nss/lib/ssl/sslspec.c
+++ b/security/nss/lib/ssl/sslspec.c
@@ -203,7 +203,7 @@ ssl_CipherSpecAddRef(ssl3CipherSpec *spec)
                  SSL_GETPID(), SPEC_DIR(spec), spec, spec->refCt));
 }
 
-static void
+void
 ssl_DestroyKeyMaterial(ssl3KeyMaterial *keyMaterial)
 {
     PK11_FreeSymKey(keyMaterial->key);
diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
index bb1bec7a3d..bd32a6e180 100644
--- a/security/nss/lib/ssl/sslt.h
+++ b/security/nss/lib/ssl/sslt.h
@@ -35,6 +35,14 @@ typedef enum {
     ssl_hs_message_hash = 254, /* Not a real message. */
 } SSLHandshakeType;
 
+typedef enum {
+    ssl_ct_change_cipher_spec = 20,
+    ssl_ct_alert = 21,
+    ssl_ct_handshake = 22,
+    ssl_ct_application_data = 23,
+    ssl_ct_ack = 25
+} SSLContentType;
+
 typedef struct SSL3StatisticsStr {
     /* statistics from ssl3_SendClientHello (sch) */
     long sch_sid_cache_hits;
@@ -446,7 +454,8 @@ typedef enum {
     ssl_tls13_key_share_xtn = 51,
     ssl_next_proto_nego_xtn = 13172, /* Deprecated. */
     ssl_renegotiation_info_xtn = 0xff01,
-    ssl_tls13_short_header_xtn = 0xff03 /* Deprecated. */
+    ssl_tls13_short_header_xtn = 0xff03, /* Deprecated. */
+    ssl_tls13_encrypted_sni_xtn = 0xffce,
 } SSLExtensionType;
 
 /* This is the old name for the supported_groups extensions. */
diff --git a/security/nss/lib/ssl/tls13con.c b/security/nss/lib/ssl/tls13con.c
index 4d9170fb01..461cd2eb9c 100644
--- a/security/nss/lib/ssl/tls13con.c
+++ b/security/nss/lib/ssl/tls13con.c
@@ -21,6 +21,7 @@
 #include "tls13hkdf.h"
 #include "tls13con.h"
 #include "tls13err.h"
+#include "tls13esni.h"
 #include "tls13exthandle.h"
 #include "tls13hashstate.h"
 
@@ -117,6 +118,7 @@ const char kHkdfLabelFinishedSecret[] = "finished";
 const char kHkdfLabelResumptionMasterSecret[] = "res master";
 const char kHkdfLabelExporterMasterSecret[] = "exp master";
 const char kHkdfLabelResumption[] = "resumption";
+const char kHkdfLabelTrafficUpdate[] = "traffic upd";
 const char kHkdfPurposeKey[] = "key";
 const char kHkdfPurposeIv[] = "iv";
 
@@ -132,21 +134,6 @@ const char keylogLabelExporterSecret[] = "EXPORTER_SECRET";
 PR_STATIC_ASSERT(SSL_LIBRARY_VERSION_MAX_SUPPORTED <=
                  SSL_LIBRARY_VERSION_TLS_1_3);
 
-/* Use this instead of FATAL_ERROR when no alert shall be sent. */
-#define LOG_ERROR(ss, prError)                                                     \
-    do {                                                                           \
-        SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)",                 \
-                    SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__)); \
-        PORT_SetError(prError);                                                    \
-    } while (0)
-
-/* Log an error and generate an alert because something is irreparably wrong. */
-#define FATAL_ERROR(ss, prError, desc)       \
-    do {                                     \
-        LOG_ERROR(ss, prError);              \
-        tls13_FatalError(ss, prError, desc); \
-    } while (0)
-
 void
 tls13_FatalError(sslSocket *ss, PRErrorCode prError, SSL3AlertDescription desc)
 {
@@ -354,16 +341,16 @@ tls13_ComputeHash(sslSocket *ss, SSL3Hashes *hashes,
 }
 
 SECStatus
-tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef)
+tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef,
+                     sslEphemeralKeyPair **keyPair)
 {
     SECStatus rv;
-    sslEphemeralKeyPair *keyPair = NULL;
     const ssl3DHParams *params;
 
     PORT_Assert(groupDef);
     switch (groupDef->keaType) {
         case ssl_kea_ecdh:
-            rv = ssl_CreateECDHEphemeralKeyPair(ss, groupDef, &keyPair);
+            rv = ssl_CreateECDHEphemeralKeyPair(ss, groupDef, keyPair);
             if (rv != SECSuccess) {
                 return SECFailure;
             }
@@ -371,7 +358,7 @@ tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef)
         case ssl_kea_dh:
             params = ssl_GetDHEParams(groupDef);
             PORT_Assert(params->name != ssl_grp_ffdhe_custom);
-            rv = ssl_CreateDHEKeyPair(groupDef, params, &keyPair);
+            rv = ssl_CreateDHEKeyPair(groupDef, params, keyPair);
             if (rv != SECSuccess) {
                 return SECFailure;
             }
@@ -382,11 +369,24 @@ tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef)
             return SECFailure;
     }
 
-    PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs);
     return rv;
 }
 
 SECStatus
+tls13_AddKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef)
+{
+    sslEphemeralKeyPair *keyPair = NULL;
+    SECStatus rv;
+
+    rv = tls13_CreateKeyShare(ss, groupDef, &keyPair);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    PR_APPEND_LINK(&keyPair->link, &ss->ephemeralKeyPairs);
+    return SECSuccess;
+}
+
+SECStatus
 SSL_SendAdditionalKeyShares(PRFileDesc *fd, unsigned int count)
 {
     sslSocket *ss = ssl_FindSocket(fd);
@@ -413,20 +413,26 @@ tls13_SetupClientHello(sslSocket *ss)
     NewSessionTicket *session_ticket = NULL;
     sslSessionID *sid = ss->sec.ci.sid;
     unsigned int numShares = 0;
+    SECStatus rv;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert(PR_CLIST_IS_EMPTY(&ss->ephemeralKeyPairs));
 
+    /* Do encrypted SNI. This may create a key share as a side effect. */
+    rv = tls13_ClientSetupESNI(ss);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
     /* Select the first enabled group.
      * TODO(ekr@rtfm.com): be smarter about offering the group
      * that the other side negotiated if we are resuming. */
     for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
-        SECStatus rv;
         if (!ss->namedGroupPreferences[i]) {
             continue;
         }
-        rv = tls13_CreateKeyShare(ss, ss->namedGroupPreferences[i]);
+        rv = tls13_AddKeyShare(ss, ss->namedGroupPreferences[i]);
         if (rv != SECSuccess) {
             return SECFailure;
         }
@@ -455,8 +461,6 @@ tls13_SetupClientHello(sslSocket *ss)
     }
 
     if (ss->statelessResume) {
-        SECStatus rv;
-
         PORT_Assert(ss->sec.ci.sid);
         rv = tls13_RecoverWrappedSharedSecret(ss, ss->sec.ci.sid);
         if (rv != SECSuccess) {
@@ -486,7 +490,7 @@ tls13_SetupClientHello(sslSocket *ss)
 }
 
 static SECStatus
-tls13_ImportDHEKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey,
+tls13_ImportDHEKeyShare(SECKEYPublicKey *peerKey,
                         PRUint8 *b, PRUint32 length,
                         SECKEYPublicKey *pubKey)
 {
@@ -517,16 +521,20 @@ tls13_ImportDHEKeyShare(sslSocket *ss, SECKEYPublicKey *peerKey,
     return SECSuccess;
 }
 
-static SECStatus
+SECStatus
 tls13_HandleKeyShare(sslSocket *ss,
                      TLS13KeyShareEntry *entry,
-                     sslKeyPair *keyPair)
+                     sslKeyPair *keyPair,
+                     SSLHashType hash,
+                     PK11SymKey **out)
 {
     PORTCheapArenaPool arena;
     SECKEYPublicKey *peerKey;
     CK_MECHANISM_TYPE mechanism;
     PRErrorCode errorCode;
+    PK11SymKey *key;
     SECStatus rv;
+    int keySize = 0;
 
     PORT_InitCheapArena(&arena, DER_DEFAULT_CHUNKSIZE);
     peerKey = PORT_ArenaZNew(&arena.arena, SECKEYPublicKey);
@@ -539,18 +547,19 @@ tls13_HandleKeyShare(sslSocket *ss,
 
     switch (entry->group->keaType) {
         case ssl_kea_ecdh:
-            rv = ssl_ImportECDHKeyShare(ss, peerKey,
+            rv = ssl_ImportECDHKeyShare(peerKey,
                                         entry->key_exchange.data,
                                         entry->key_exchange.len,
                                         entry->group);
             mechanism = CKM_ECDH1_DERIVE;
             break;
         case ssl_kea_dh:
-            rv = tls13_ImportDHEKeyShare(ss, peerKey,
+            rv = tls13_ImportDHEKeyShare(peerKey,
                                          entry->key_exchange.data,
                                          entry->key_exchange.len,
                                          keyPair->pubKey);
             mechanism = CKM_DH_PKCS_DERIVE;
+            keySize = peerKey->u.dh.publicValue.len;
             break;
         default:
             PORT_Assert(0);
@@ -560,13 +569,14 @@ tls13_HandleKeyShare(sslSocket *ss,
         goto loser;
     }
 
-    ss->ssl3.hs.dheSecret = PK11_PubDeriveWithKDF(
+    key = PK11_PubDeriveWithKDF(
         keyPair->privKey, peerKey, PR_FALSE, NULL, NULL, mechanism,
-        tls13_GetHkdfMechanism(ss), CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
-    if (!ss->ssl3.hs.dheSecret) {
+        tls13_GetHkdfMechanismForHash(hash), CKA_DERIVE, keySize, CKD_NULL, NULL, NULL);
+    if (!key) {
         ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE);
         goto loser;
     }
+    *out = key;
     PORT_DestroyCheapArena(&arena);
     return SECSuccess;
 
@@ -603,8 +613,8 @@ tls13_UpdateTrafficKeys(sslSocket *ss, CipherSpecDirection direction)
     secret = tls13_TrafficSecretRef(ss, direction);
     rv = tls13_HkdfExpandLabel(*secret, tls13_GetHash(ss),
                                NULL, 0,
-                               kHkdfLabelApplicationTrafficSecret,
-                               strlen(kHkdfLabelApplicationTrafficSecret),
+                               kHkdfLabelTrafficUpdate,
+                               strlen(kHkdfLabelTrafficUpdate),
                                tls13_GetHmacMechanism(ss),
                                tls13_GetHashSize(ss),
                                &updatedSecret);
@@ -1417,30 +1427,6 @@ tls13_NegotiateKeyExchange(sslSocket *ss,
     return SECSuccess;
 }
 
-SSLAuthType
-ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme)
-{
-    switch (scheme) {
-        case ssl_sig_rsa_pkcs1_sha1:
-        case ssl_sig_rsa_pkcs1_sha256:
-        case ssl_sig_rsa_pkcs1_sha384:
-        case ssl_sig_rsa_pkcs1_sha512:
-        /* We report PSS signatures as being just RSA signatures. */
-        case ssl_sig_rsa_pss_rsae_sha256:
-        case ssl_sig_rsa_pss_rsae_sha384:
-        case ssl_sig_rsa_pss_rsae_sha512:
-            return ssl_auth_rsa_sign;
-        case ssl_sig_ecdsa_secp256r1_sha256:
-        case ssl_sig_ecdsa_secp384r1_sha384:
-        case ssl_sig_ecdsa_secp521r1_sha512:
-        case ssl_sig_ecdsa_sha1:
-            return ssl_auth_ecdsa;
-        default:
-            PORT_Assert(0);
-    }
-    return ssl_auth_null;
-}
-
 SECStatus
 tls13_SelectServerCert(sslSocket *ss)
 {
@@ -1469,6 +1455,7 @@ tls13_SelectServerCert(sslSocket *ss)
         }
 
         rv = ssl_PickSignatureScheme(ss,
+                                     cert->serverCert,
                                      cert->serverKeyPair->pubKey,
                                      cert->serverKeyPair->privKey,
                                      ss->xtnData.sigSchemes,
@@ -2047,7 +2034,7 @@ tls13_HandleClientKeyShare(sslSocket *ss, TLS13KeyShareEntry *peerShare)
     tls13_SetKeyExchangeType(ss, peerShare->group);
 
     /* Generate our key */
-    rv = tls13_CreateKeyShare(ss, peerShare->group);
+    rv = tls13_AddKeyShare(ss, peerShare->group);
     if (rv != SECSuccess) {
         return rv;
     }
@@ -2067,7 +2054,9 @@ tls13_HandleClientKeyShare(sslSocket *ss, TLS13KeyShareEntry *peerShare)
         return SECFailure; /* Error code set already. */
     }
 
-    rv = tls13_HandleKeyShare(ss, peerShare, keyPair->keys);
+    rv = tls13_HandleKeyShare(ss, peerShare, keyPair->keys,
+                              tls13_GetHash(ss),
+                              &ss->ssl3.hs.dheSecret);
     return rv; /* Error code set already. */
 }
 
@@ -2334,6 +2323,13 @@ tls13_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length)
     return SECSuccess;
 }
 
+PRBool
+tls13_ShouldRequestClientAuth(sslSocket *ss)
+{
+    return ss->opt.requestCertificate &&
+           ss->ssl3.hs.kea_def->authKeyType != ssl_auth_psk;
+}
+
 static SECStatus
 tls13_SendEncryptedServerSequence(sslSocket *ss)
 {
@@ -2365,7 +2361,7 @@ tls13_SendEncryptedServerSequence(sslSocket *ss)
         return SECFailure; /* error code is set. */
     }
 
-    if (ss->opt.requestCertificate) {
+    if (tls13_ShouldRequestClientAuth(ss)) {
         rv = tls13_SendCertificateRequest(ss);
         if (rv != SECSuccess) {
             return SECFailure; /* error code is set. */
@@ -2484,9 +2480,11 @@ tls13_SendServerHelloSequence(sslSocket *ss)
             LOG_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
-        TLS13_SET_HS_STATE(ss,
-                           ss->opt.requestCertificate ? wait_client_cert
-                                                      : wait_finished);
+        if (tls13_ShouldRequestClientAuth(ss)) {
+            TLS13_SET_HS_STATE(ss, wait_client_cert);
+        } else {
+            TLS13_SET_HS_STATE(ss, wait_finished);
+        }
     }
 
     ss->ssl3.hs.serverHelloTime = ssl_TimeUsec();
@@ -2512,6 +2510,7 @@ tls13_HandleServerHelloPart2(sslSocket *ss)
     }
 
     if (ss->statelessResume) {
+        PORT_Assert(sid->version >= SSL_LIBRARY_VERSION_TLS_1_3);
         if (tls13_GetHash(ss) !=
             tls13_GetHashForCipherSuite(sid->u.ssl3.cipherSuite)) {
             FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO,
@@ -2657,7 +2656,9 @@ tls13_HandleServerKeyShare(sslSocket *ss)
 
     PORT_Assert(ssl_NamedGroupEnabled(ss, entry->group));
 
-    rv = tls13_HandleKeyShare(ss, entry, keyPair->keys);
+    rv = tls13_HandleKeyShare(ss, entry, keyPair->keys,
+                              tls13_GetHash(ss),
+                              &ss->ssl3.hs.dheSecret);
     if (rv != SECSuccess)
         return SECFailure; /* Error code set by caller. */
 
@@ -3213,6 +3214,21 @@ tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec)
                  SSL_GETPID(), ss->fd, spec, spec->recordVersion));
 }
 
+SSLAEADCipher
+tls13_GetAead(const ssl3BulkCipherDef *cipherDef)
+{
+    switch (cipherDef->calg) {
+        case ssl_calg_aes_gcm:
+            return tls13_AESGCM;
+        case ssl_calg_chacha20:
+            return tls13_ChaCha20Poly1305;
+        default:
+            PORT_Assert(PR_FALSE);
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            return NULL;
+    }
+}
+
 static SECStatus
 tls13_SetupPendingCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
 {
@@ -3236,16 +3252,9 @@ tls13_SetupPendingCipherSpec(sslSocket *ss, ssl3CipherSpec *spec)
                 SSL_GETPID(), ss->fd, suite));
 
     spec->cipherDef = ssl_GetBulkCipherDef(ssl_LookupCipherSuiteDef(suite));
-    switch (spec->cipherDef->calg) {
-        case ssl_calg_aes_gcm:
-            spec->aead = tls13_AESGCM;
-            break;
-        case ssl_calg_chacha20:
-            spec->aead = tls13_ChaCha20Poly1305;
-            break;
-        default:
-            PORT_Assert(0);
-            return SECFailure;
+    spec->aead = tls13_GetAead(spec->cipherDef);
+    if (!spec->aead) {
+        return SECFailure;
     }
 
     if (spec->epoch == TrafficKeyEarlyApplicationData) {
@@ -3427,9 +3436,31 @@ loser:
     return SECFailure;
 }
 
+TLS13KeyShareEntry *
+tls13_CopyKeyShareEntry(TLS13KeyShareEntry *o)
+{
+    TLS13KeyShareEntry *n;
+
+    PORT_Assert(o);
+    n = PORT_ZNew(TLS13KeyShareEntry);
+    if (!n) {
+        return NULL;
+    }
+
+    if (SECSuccess != SECITEM_CopyItem(NULL, &n->key_exchange, &o->key_exchange)) {
+        PORT_Free(n);
+        return NULL;
+    }
+    n->group = o->group;
+    return n;
+}
+
 void
 tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *offer)
 {
+    if (!offer) {
+        return;
+    }
     SECITEM_ZfreeItem(&offer->key_exchange, PR_FALSE);
     PORT_ZFree(offer, sizeof(*offer));
 }
@@ -3550,7 +3581,7 @@ tls13_AESGCM(ssl3KeyMaterial *keys,
     CK_GCM_PARAMS gcmParams;
     unsigned char nonce[12];
 
-    PORT_Assert(additionalDataLen > 8);
+    PORT_Assert(additionalDataLen >= 8);
     memset(&gcmParams, 0, sizeof(gcmParams));
     gcmParams.pIv = nonce;
     gcmParams.ulIvLen = sizeof(nonce);
@@ -3627,7 +3658,23 @@ tls13_HandleEncryptedExtensions(sslSocket *ss, PRUint8 *b, PRUint32 length)
         ss->xtnData.nextProto.data = NULL;
         ss->xtnData.nextProtoState = SSL_NEXT_PROTO_NO_SUPPORT;
     }
-    rv = ssl3_HandleExtensions(ss, &b, &length, ssl_hs_encrypted_extensions);
+
+    rv = ssl3_ParseExtensions(ss, &b, &length);
+    if (rv != SECSuccess) {
+        return SECFailure; /* Error code set below */
+    }
+
+    /* If we sent ESNI, check the nonce. */
+    if (ss->xtnData.esniPrivateKey) {
+        PORT_Assert(ssl3_ExtensionAdvertised(ss, ssl_tls13_encrypted_sni_xtn));
+        rv = tls13_ClientCheckEsniXtn(ss);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+    }
+
+    /* Handle the rest of the extensions. */
+    rv = ssl3_HandleParsedExtensions(ss, ssl_hs_encrypted_extensions);
     if (rv != SECSuccess) {
         return SECFailure; /* Error code set below */
     }
@@ -4025,6 +4072,7 @@ tls13_ComputeFinished(sslSocket *ss, PK11SymKey *baseKey,
 
     PK11_FreeSymKey(secret);
     PK11_DestroyContext(hmacCtx, PR_TRUE);
+    PRINT_BUF(50, (ss, "finished value", output, outputLenUint));
     return SECSuccess;
 
 abort:
@@ -4189,7 +4237,7 @@ tls13_ServerHandleFinished(sslSocket *ss, PRUint8 *b, PRUint32 length)
         return SECFailure;
     }
 
-    if (!ss->opt.requestCertificate &&
+    if (!tls13_ShouldRequestClientAuth(ss) &&
         (ss->ssl3.hs.zeroRttState != ssl_0rtt_done)) {
         dtls_ReceivedFirstMessageInFlight(ss);
     }
@@ -4679,7 +4727,8 @@ tls13_HandleNewSessionTicket(sslSocket *ss, PRUint8 *b, PRUint32 length)
 
         /* Replace a previous session ticket when
          * we receive a second NewSessionTicket message. */
-        if (ss->sec.ci.sid->cached == in_client_cache) {
+        if (ss->sec.ci.sid->cached == in_client_cache ||
+            ss->sec.ci.sid->cached == in_external_cache) {
             /* Create a new session ID. */
             sslSessionID *sid = ssl3_NewSessionID(ss, PR_FALSE);
             if (!sid) {
@@ -4758,7 +4807,8 @@ static const struct {
     { ssl_tls13_certificate_authorities_xtn, _M1(certificate_request) },
     { ssl_tls13_supported_versions_xtn, _M3(client_hello, server_hello,
                                             hello_retry_request) },
-    { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) }
+    { ssl_record_size_limit_xtn, _M2(client_hello, encrypted_extensions) },
+    { ssl_tls13_encrypted_sni_xtn, _M2(client_hello, encrypted_extensions) }
 };
 
 tls13ExtensionStatus
@@ -4834,11 +4884,11 @@ tls13_FormatAdditionalData(
 }
 
 PRInt32
-tls13_LimitEarlyData(sslSocket *ss, SSL3ContentType type, PRInt32 toSend)
+tls13_LimitEarlyData(sslSocket *ss, SSLContentType type, PRInt32 toSend)
 {
     PRInt32 reduced;
 
-    PORT_Assert(type == content_application_data);
+    PORT_Assert(type == ssl_ct_application_data);
     PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
     PORT_Assert(!ss->firstHsDone);
     if (ss->ssl3.cwSpec->epoch != TrafficKeyEarlyApplicationData) {
@@ -4858,7 +4908,7 @@ tls13_LimitEarlyData(sslSocket *ss, SSL3ContentType type, PRInt32 toSend)
 SECStatus
 tls13_ProtectRecord(sslSocket *ss,
                     ssl3CipherSpec *cwSpec,
-                    SSL3ContentType type,
+                    SSLContentType type,
                     const PRUint8 *pIn,
                     PRUint32 contentLen,
                     sslBuffer *wrBuf)
@@ -4899,7 +4949,7 @@ tls13_ProtectRecord(sslSocket *ss,
         *(SSL_BUFFER_NEXT(wrBuf) + contentLen) = type;
 
         /* Create the header (ugly that we have to do it twice). */
-        rv = ssl_InsertRecordHeader(ss, cwSpec, content_application_data,
+        rv = ssl_InsertRecordHeader(ss, cwSpec, ssl_ct_application_data,
                                     &buf, &needsLength);
         if (rv != SECSuccess) {
             return SECFailure;
@@ -4951,7 +5001,7 @@ tls13_UnprotectRecord(sslSocket *ss,
                       ssl3CipherSpec *spec,
                       SSL3Ciphertext *cText,
                       sslBuffer *plaintext,
-                      SSL3ContentType *innerType,
+                      SSLContentType *innerType,
                       SSL3AlertDescription *alert)
 {
     const ssl3BulkCipherDef *cipher_def = spec->cipherDef;
@@ -4966,26 +5016,26 @@ tls13_UnprotectRecord(sslSocket *ss,
                 SSL_GETPID(), ss->fd, spec, spec->epoch, spec->phase,
                 cText->seqNum, cText->buf->len));
 
-    /* We can perform this test in variable time because the record's total
-     * length and the ciphersuite are both public knowledge. */
-    if (cText->buf->len < cipher_def->tag_size) {
-        SSL_TRC(3,
-                ("%d: TLS13[%d]: record too short to contain valid AEAD data",
-                 SSL_GETPID(), ss->fd));
-        PORT_SetError(SSL_ERROR_BAD_MAC_READ);
-        return SECFailure;
-    }
-
     /* Verify that the content type is right, even though we overwrite it.
      * Also allow the DTLS short header in TLS 1.3. */
-    if (!(cText->hdr[0] == content_application_data ||
+    if (!(cText->hdr[0] == ssl_ct_application_data ||
           (IS_DTLS(ss) &&
            ss->version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
            (cText->hdr[0] & 0xe0) == 0x20))) {
         SSL_TRC(3,
                 ("%d: TLS13[%d]: record has invalid exterior type=%2.2x",
                  SSL_GETPID(), ss->fd, cText->hdr[0]));
-        /* Do we need a better error here? */
+        PORT_SetError(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);
+        *alert = unexpected_message;
+        return SECFailure;
+    }
+
+    /* We can perform this test in variable time because the record's total
+     * length and the ciphersuite are both public knowledge. */
+    if (cText->buf->len < cipher_def->tag_size) {
+        SSL_TRC(3,
+                ("%d: TLS13[%d]: record too short to contain valid AEAD data",
+                 SSL_GETPID(), ss->fd));
         PORT_SetError(SSL_ERROR_BAD_MAC_READ);
         return SECFailure;
     }
@@ -5054,12 +5104,12 @@ tls13_UnprotectRecord(sslSocket *ss,
     }
 
     /* Record the type. */
-    *innerType = (SSL3ContentType)plaintext->buf[plaintext->len - 1];
+    *innerType = (SSLContentType)plaintext->buf[plaintext->len - 1];
     --plaintext->len;
 
     /* Check that we haven't received too much 0-RTT data. */
     if (spec->epoch == TrafficKeyEarlyApplicationData &&
-        *innerType == content_application_data) {
+        *innerType == ssl_ct_application_data) {
         if (plaintext->len > spec->earlyDataRemaining) {
             *alert = unexpected_message;
             PORT_SetError(SSL_ERROR_TOO_MUCH_EARLY_DATA);
@@ -5242,9 +5292,11 @@ tls13_HandleEndOfEarlyData(sslSocket *ss, PRUint8 *b, PRUint32 length)
     }
 
     ss->ssl3.hs.zeroRttState = ssl_0rtt_done;
-    TLS13_SET_HS_STATE(ss,
-                       ss->opt.requestCertificate ? wait_client_cert
-                                                  : wait_finished);
+    if (tls13_ShouldRequestClientAuth(ss)) {
+        TLS13_SET_HS_STATE(ss, wait_client_cert);
+    } else {
+        TLS13_SET_HS_STATE(ss, wait_finished);
+    }
     return SECSuccess;
 }
 
@@ -5283,11 +5335,12 @@ tls13_HandleEarlyApplicationData(sslSocket *ss, sslBuffer *origBuf)
 }
 
 PRUint16
-tls13_EncodeDraftVersion(SSL3ProtocolVersion version)
+tls13_EncodeDraftVersion(SSL3ProtocolVersion version, SSLProtocolVariant variant)
 {
-#ifdef TLS_1_3_DRAFT_VERSION
-    if (version == SSL_LIBRARY_VERSION_TLS_1_3) {
-        return 0x7f00 | TLS_1_3_DRAFT_VERSION;
+#ifdef DTLS_1_3_DRAFT_VERSION
+    if (version == SSL_LIBRARY_VERSION_TLS_1_3 &&
+        variant == ssl_variant_datagram) {
+        return 0x7f00 | DTLS_1_3_DRAFT_VERSION;
     }
 #endif
     return (PRUint16)version;
@@ -5297,7 +5350,6 @@ SECStatus
 tls13_ClientReadSupportedVersion(sslSocket *ss)
 {
     PRUint32 temp;
-    SSL3ProtocolVersion v;
     TLSExtension *versionExtension;
     SECItem it;
     SECStatus rv;
@@ -5319,29 +5371,15 @@ tls13_ClientReadSupportedVersion(sslSocket *ss)
         FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter);
         return SECFailure;
     }
-    v = (SSL3ProtocolVersion)temp;
 
-    /* You cannot negotiate < TLS 1.3 with supported_versions. */
-    if (v < SSL_LIBRARY_VERSION_TLS_1_3) {
+    if (temp != tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3,
+                                         ss->protocolVariant)) {
+        /* You cannot negotiate < TLS 1.3 with supported_versions. */
         FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_SERVER_HELLO, illegal_parameter);
         return SECFailure;
     }
 
-#ifdef TLS_1_3_DRAFT_VERSION
-    if (temp == SSL_LIBRARY_VERSION_TLS_1_3) {
-        FATAL_ERROR(ss, SSL_ERROR_UNSUPPORTED_VERSION, protocol_version);
-        return SECFailure;
-    }
-    if (temp == tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3)) {
-        v = SSL_LIBRARY_VERSION_TLS_1_3;
-    } else {
-        v = (SSL3ProtocolVersion)temp;
-    }
-#else
-    v = (SSL3ProtocolVersion)temp;
-#endif
-
-    ss->version = v;
+    ss->version = SSL_LIBRARY_VERSION_TLS_1_3;
     return SECSuccess;
 }
 
@@ -5365,7 +5403,7 @@ tls13_NegotiateVersion(sslSocket *ss, const TLSExtension *supportedVersions)
         return SECFailure;
     }
     for (version = ss->vrange.max; version >= ss->vrange.min; --version) {
-        PRUint16 wire = tls13_EncodeDraftVersion(version);
+        PRUint16 wire = tls13_EncodeDraftVersion(version, ss->protocolVariant);
         unsigned long offset;
 
         for (offset = 0; offset < versions.len; offset += 2) {
diff --git a/security/nss/lib/ssl/tls13con.h b/security/nss/lib/ssl/tls13con.h
index f35b20023d..f3b2cb3905 100644
--- a/security/nss/lib/ssl/tls13con.h
+++ b/security/nss/lib/ssl/tls13con.h
@@ -28,7 +28,7 @@ typedef enum {
 SECStatus tls13_UnprotectRecord(
     sslSocket *ss, ssl3CipherSpec *spec,
     SSL3Ciphertext *cText, sslBuffer *plaintext,
-    SSL3ContentType *innerType,
+    SSLContentType *innerType,
     SSL3AlertDescription *alert);
 
 #if defined(WIN32)
@@ -64,7 +64,7 @@ void tls13_FatalError(sslSocket *ss, PRErrorCode prError,
                       SSL3AlertDescription desc);
 SECStatus tls13_SetupClientHello(sslSocket *ss);
 SECStatus tls13_MaybeDo0RTTHandshake(sslSocket *ss);
-PRInt32 tls13_LimitEarlyData(sslSocket *ss, SSL3ContentType type, PRInt32 toSend);
+PRInt32 tls13_LimitEarlyData(sslSocket *ss, SSLContentType type, PRInt32 toSend);
 PRBool tls13_AllowPskCipher(const sslSocket *ss,
                             const ssl3CipherSuiteDef *cipher_def);
 PRBool tls13_PskSuiteEnabled(sslSocket *ss);
@@ -85,26 +85,36 @@ SECStatus tls13_ConstructHelloRetryRequest(sslSocket *ss,
                                            sslBuffer *buffer);
 SECStatus tls13_HandleHelloRetryRequest(sslSocket *ss, const PRUint8 *b,
                                         PRUint32 length);
+SECStatus tls13_HandleKeyShare(sslSocket *ss,
+                               TLS13KeyShareEntry *entry,
+                               sslKeyPair *keyPair,
+                               SSLHashType hash,
+                               PK11SymKey **out);
+TLS13KeyShareEntry *tls13_CopyKeyShareEntry(TLS13KeyShareEntry *o);
 void tls13_DestroyKeyShareEntry(TLS13KeyShareEntry *entry);
 void tls13_DestroyKeyShares(PRCList *list);
-SECStatus tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef);
+SECStatus tls13_CreateKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef,
+                               sslEphemeralKeyPair **keyPair);
+SECStatus tls13_AddKeyShare(sslSocket *ss, const sslNamedGroupDef *groupDef);
 void tls13_DestroyEarlyData(PRCList *list);
 SECStatus tls13_SetAlertCipherSpec(sslSocket *ss);
 tls13ExtensionStatus tls13_ExtensionStatus(PRUint16 extension,
                                            SSLHandshakeType message);
 SECStatus tls13_ProtectRecord(sslSocket *ss,
                               ssl3CipherSpec *cwSpec,
-                              SSL3ContentType type,
+                              SSLContentType type,
                               const PRUint8 *pIn,
                               PRUint32 contentLen,
                               sslBuffer *wrBuf);
 PRInt32 tls13_Read0RttData(sslSocket *ss, void *buf, PRInt32 len);
 SECStatus tls13_HandleEarlyApplicationData(sslSocket *ss, sslBuffer *origBuf);
 PRBool tls13_ClientAllow0Rtt(const sslSocket *ss, const sslSessionID *sid);
-PRUint16 tls13_EncodeDraftVersion(SSL3ProtocolVersion version);
+PRUint16 tls13_EncodeDraftVersion(SSL3ProtocolVersion version,
+                                  SSLProtocolVariant variant);
 SECStatus tls13_ClientReadSupportedVersion(sslSocket *ss);
 SECStatus tls13_NegotiateVersion(sslSocket *ss,
                                  const TLSExtension *supported_versions);
+PRBool tls13_ShouldRequestClientAuth(sslSocket *ss);
 
 PRBool tls13_IsReplay(const sslSocket *ss, const sslSessionID *sid);
 void tls13_AntiReplayRollover(PRTime now);
@@ -119,6 +129,22 @@ SECStatus tls13_SendKeyUpdate(sslSocket *ss, tls13KeyUpdateRequest request,
                               PRBool buffer);
 SECStatus SSLExp_KeyUpdate(PRFileDesc *fd, PRBool requestUpdate);
 PRBool tls13_MaybeTls13(sslSocket *ss);
+SSLAEADCipher tls13_GetAead(const ssl3BulkCipherDef *cipherDef);
 void tls13_SetSpecRecordVersion(sslSocket *ss, ssl3CipherSpec *spec);
 
+/* Use this instead of FATAL_ERROR when no alert shall be sent. */
+#define LOG_ERROR(ss, prError)                                                     \
+    do {                                                                           \
+        SSL_TRC(3, ("%d: TLS13[%d]: fatal error %d in %s (%s:%d)",                 \
+                    SSL_GETPID(), ss->fd, prError, __func__, __FILE__, __LINE__)); \
+        PORT_SetError(prError);                                                    \
+    } while (0)
+
+/* Log an error and generate an alert because something is irreparably wrong. */
+#define FATAL_ERROR(ss, prError, desc)       \
+    do {                                     \
+        LOG_ERROR(ss, prError);              \
+        tls13_FatalError(ss, prError, desc); \
+    } while (0)
+
 #endif /* __tls13con_h_ */
diff --git a/security/nss/lib/ssl/tls13esni.c b/security/nss/lib/ssl/tls13esni.c
new file mode 100644
index 0000000000..e2328769bc
--- /dev/null
+++ b/security/nss/lib/ssl/tls13esni.c
@@ -0,0 +1,844 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#define TLS13_ESNI_VERSION 0xff01
+
+/*
+ *  struct {
+ *      uint16 version;
+ *      uint8 checksum[4];
+ *      KeyShareEntry keys<4..2^16-1>;
+ *      CipherSuite cipher_suites<2..2^16-2>;
+ *      uint16 padded_length;
+ *      uint64 not_before;
+ *      uint64 not_after;
+ *      Extension extensions<0..2^16-1>;
+ *  } ESNIKeys;
+ */
+#include "nss.h"
+#include "pk11func.h"
+#include "ssl.h"
+#include "sslproto.h"
+#include "sslimpl.h"
+#include "ssl3exthandle.h"
+#include "tls13esni.h"
+#include "tls13exthandle.h"
+#include "tls13hkdf.h"
+
+const char kHkdfPurposeEsniKey[] = "esni key";
+const char kHkdfPurposeEsniIv[] = "esni iv";
+
+void
+tls13_DestroyESNIKeys(sslEsniKeys *keys)
+{
+    if (!keys) {
+        return;
+    }
+    SECITEM_FreeItem(&keys->data, PR_FALSE);
+    PORT_Free((void *)keys->dummySni);
+    tls13_DestroyKeyShares(&keys->keyShares);
+    ssl_FreeEphemeralKeyPair(keys->privKey);
+    SECITEM_FreeItem(&keys->suites, PR_FALSE);
+    PORT_ZFree(keys, sizeof(sslEsniKeys));
+}
+
+sslEsniKeys *
+tls13_CopyESNIKeys(sslEsniKeys *okeys)
+{
+    sslEsniKeys *nkeys;
+    SECStatus rv;
+
+    PORT_Assert(okeys);
+
+    nkeys = PORT_ZNew(sslEsniKeys);
+    if (!nkeys) {
+        return NULL;
+    }
+    PR_INIT_CLIST(&nkeys->keyShares);
+    rv = SECITEM_CopyItem(NULL, &nkeys->data, &okeys->data);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    if (okeys->dummySni) {
+        nkeys->dummySni = PORT_Strdup(okeys->dummySni);
+        if (!nkeys->dummySni) {
+            goto loser;
+        }
+    }
+    for (PRCList *cur_p = PR_LIST_HEAD(&okeys->keyShares);
+         cur_p != &okeys->keyShares;
+         cur_p = PR_NEXT_LINK(cur_p)) {
+        TLS13KeyShareEntry *copy = tls13_CopyKeyShareEntry(
+            (TLS13KeyShareEntry *)cur_p);
+        if (!copy) {
+            goto loser;
+        }
+        PR_APPEND_LINK(&copy->link, &nkeys->keyShares);
+    }
+    if (okeys->privKey) {
+        nkeys->privKey = ssl_CopyEphemeralKeyPair(okeys->privKey);
+        if (!nkeys->privKey) {
+            goto loser;
+        }
+    }
+    rv = SECITEM_CopyItem(NULL, &nkeys->suites, &okeys->suites);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    nkeys->paddedLength = okeys->paddedLength;
+    nkeys->notBefore = okeys->notBefore;
+    nkeys->notAfter = okeys->notAfter;
+    return nkeys;
+
+loser:
+    tls13_DestroyESNIKeys(nkeys);
+    return NULL;
+}
+
+/* Checksum is a 4-byte array. */
+static SECStatus
+tls13_ComputeESNIKeysChecksum(const PRUint8 *buf, unsigned int len,
+                              PRUint8 *checksum)
+{
+    SECItem copy;
+    SECStatus rv;
+    PRUint8 sha256[32];
+
+    rv = SECITEM_MakeItem(NULL, &copy, buf, len);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Stomp the checksum. */
+    PORT_Memset(copy.data + 2, 0, 4);
+
+    rv = PK11_HashBuf(ssl3_HashTypeToOID(ssl_hash_sha256),
+                      sha256,
+                      copy.data, copy.len);
+    SECITEM_FreeItem(&copy, PR_FALSE);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    PORT_Memcpy(checksum, sha256, 4);
+    return SECSuccess;
+}
+
+static SECStatus
+tls13_DecodeESNIKeys(SECItem *data, sslEsniKeys **keysp)
+{
+    SECStatus rv;
+    sslReadBuffer tmp;
+    PRUint64 tmpn;
+    sslEsniKeys *keys;
+    PRUint8 checksum[4];
+    sslReader rdr = SSL_READER(data->data, data->len);
+
+    rv = sslRead_ReadNumber(&rdr, 2, &tmpn);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    if (tmpn != TLS13_ESNI_VERSION) {
+        PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
+        return SECFailure;
+    }
+    keys = PORT_ZNew(sslEsniKeys);
+    if (!keys) {
+        return SECFailure;
+    }
+    PR_INIT_CLIST(&keys->keyShares);
+
+    /* Make a copy. */
+    rv = SECITEM_CopyItem(NULL, &keys->data, data);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = tls13_ComputeESNIKeysChecksum(data->data, data->len, checksum);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Read and check checksum. */
+    rv = sslRead_Read(&rdr, 4, &tmp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    if (0 != NSS_SecureMemcmp(tmp.buf, checksum, 4)) {
+        goto loser;
+    }
+
+    /* Parse the key shares. */
+    rv = sslRead_ReadVariable(&rdr, 2, &tmp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    sslReader rdr2 = SSL_READER(tmp.buf, tmp.len);
+    while (SSL_READER_REMAINING(&rdr2)) {
+        TLS13KeyShareEntry *ks = NULL;
+
+        rv = tls13_DecodeKeyShareEntry(&rdr2, &ks);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+
+        if (ks) {
+            PR_APPEND_LINK(&ks->link, &keys->keyShares);
+        }
+    }
+
+    /* Parse cipher suites. */
+    rv = sslRead_ReadVariable(&rdr, 2, &tmp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    /* This can't be odd. */
+    if (tmp.len & 1) {
+        goto loser;
+    }
+    rv = SECITEM_MakeItem(NULL, &keys->suites, (PRUint8 *)tmp.buf, tmp.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Padded Length */
+    rv = sslRead_ReadNumber(&rdr, 2, &tmpn);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    keys->paddedLength = (PRUint16)tmpn;
+
+    /* Not Before */
+    rv = sslRead_ReadNumber(&rdr, 8, &keys->notBefore);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Not After */
+    rv = sslRead_ReadNumber(&rdr, 8, &keys->notAfter);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Extensions, which we ignore. */
+    rv = sslRead_ReadVariable(&rdr, 2, &tmp);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Check that this is empty. */
+    if (SSL_READER_REMAINING(&rdr) > 0) {
+        goto loser;
+    }
+
+    *keysp = keys;
+    return SECSuccess;
+
+loser:
+    tls13_DestroyESNIKeys(keys);
+    PORT_SetError(SSL_ERROR_RX_MALFORMED_ESNI_KEYS);
+
+    return SECFailure;
+}
+
+/* Encode an ESNI keys structure. We only allow one key
+ * share. */
+SECStatus
+SSLExp_EncodeESNIKeys(PRUint16 *cipherSuites, unsigned int cipherSuiteCount,
+                      SSLNamedGroup group, SECKEYPublicKey *pubKey,
+                      PRUint16 pad, PRUint64 notBefore, PRUint64 notAfter,
+                      PRUint8 *out, unsigned int *outlen, unsigned int maxlen)
+{
+    unsigned int savedOffset;
+    SECStatus rv;
+    sslBuffer b = SSL_BUFFER_EMPTY;
+
+    rv = sslBuffer_AppendNumber(&b, TLS13_ESNI_VERSION, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = sslBuffer_Skip(&b, 4, &savedOffset);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Length of vector. */
+    rv = sslBuffer_AppendNumber(
+        &b, tls13_SizeOfKeyShareEntry(pubKey), 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Our one key share. */
+    rv = tls13_EncodeKeyShareEntry(&b, group, pubKey);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Cipher suites. */
+    rv = sslBuffer_AppendNumber(&b, cipherSuiteCount * 2, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    for (unsigned int i = 0; i < cipherSuiteCount; i++) {
+        rv = sslBuffer_AppendNumber(&b, cipherSuites[i], 2);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+    }
+
+    /* Padding Length. Fixed for now. */
+    rv = sslBuffer_AppendNumber(&b, pad, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Start time. */
+    rv = sslBuffer_AppendNumber(&b, notBefore, 8);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* End time. */
+    rv = sslBuffer_AppendNumber(&b, notAfter, 8);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* No extensions. */
+    rv = sslBuffer_AppendNumber(&b, 0, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = tls13_ComputeESNIKeysChecksum(SSL_BUFFER_BASE(&b),
+                                       SSL_BUFFER_LEN(&b),
+                                       SSL_BUFFER_BASE(&b) + 2);
+    if (rv != SECSuccess) {
+        PORT_Assert(PR_FALSE);
+        goto loser;
+    }
+
+    if (SSL_BUFFER_LEN(&b) > maxlen) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+    PORT_Memcpy(out, SSL_BUFFER_BASE(&b), SSL_BUFFER_LEN(&b));
+    *outlen = SSL_BUFFER_LEN(&b);
+
+    sslBuffer_Clear(&b);
+    return SECSuccess;
+loser:
+    sslBuffer_Clear(&b);
+    return SECFailure;
+}
+
+SECStatus
+SSLExp_SetESNIKeyPair(PRFileDesc *fd,
+                      SECKEYPrivateKey *privKey,
+                      const PRUint8 *record, unsigned int recordLen)
+{
+    sslSocket *ss;
+    SECStatus rv;
+    sslEsniKeys *keys = NULL;
+    SECKEYPublicKey *pubKey = NULL;
+    SECItem data = { siBuffer, CONST_CAST(PRUint8, record), recordLen };
+    PLArenaPool *arena = NULL;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in %s",
+                 SSL_GETPID(), fd, __FUNCTION__));
+        return SECFailure;
+    }
+
+    rv = tls13_DecodeESNIKeys(&data, &keys);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Check the cipher suites. */
+    (void)ssl3_config_match_init(ss);
+    /* Make sure the cipher suite is OK. */
+    SSLVersionRange vrange = { SSL_LIBRARY_VERSION_TLS_1_3,
+                               SSL_LIBRARY_VERSION_TLS_1_3 };
+
+    sslReader csrdr = SSL_READER(keys->suites.data,
+                                 keys->suites.len);
+    while (SSL_READER_REMAINING(&csrdr)) {
+        PRUint64 asuite;
+
+        rv = sslRead_ReadNumber(&csrdr, 2, &asuite);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+        const ssl3CipherSuiteCfg *suiteCfg =
+            ssl_LookupCipherSuiteCfg(asuite, ss->cipherSuites);
+        if (!ssl3_config_match(suiteCfg, ss->ssl3.policy, &vrange, ss)) {
+            /* Illegal suite. */
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            goto loser;
+        }
+    }
+
+    if (PR_CLIST_IS_EMPTY(&keys->keyShares)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+    if (PR_PREV_LINK(&keys->keyShares) != PR_NEXT_LINK(&keys->keyShares)) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+    TLS13KeyShareEntry *entry = (TLS13KeyShareEntry *)PR_LIST_HEAD(
+        &keys->keyShares);
+    if (entry->group->keaType != ssl_kea_ecdh) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        goto loser;
+    }
+    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+    if (!arena) {
+        goto loser;
+    }
+    pubKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
+    if (!pubKey) {
+        goto loser;
+    }
+    pubKey->arena = arena;
+    arena = NULL; /* From here, this will be destroyed with the pubkey. */
+    /* Dummy PKCS11 values because this key isn't on a slot. */
+    pubKey->pkcs11Slot = NULL;
+    pubKey->pkcs11ID = CK_INVALID_HANDLE;
+    rv = ssl_ImportECDHKeyShare(pubKey,
+                                entry->key_exchange.data,
+                                entry->key_exchange.len,
+                                entry->group);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    privKey = SECKEY_CopyPrivateKey(privKey);
+    if (!privKey) {
+        goto loser;
+    }
+    keys->privKey = ssl_NewEphemeralKeyPair(entry->group, privKey, pubKey);
+    if (!keys->privKey) {
+        goto loser;
+    }
+    pubKey = NULL;
+    ss->esniKeys = keys;
+    return SECSuccess;
+
+loser:
+    PORT_FreeArena(arena, PR_FALSE);
+    SECKEY_DestroyPublicKey(pubKey);
+    tls13_DestroyESNIKeys(keys);
+    return SECFailure;
+}
+
+SECStatus
+SSLExp_EnableESNI(PRFileDesc *fd,
+                  const PRUint8 *esniKeys,
+                  unsigned int esniKeysLen,
+                  const char *dummySNI)
+{
+    sslSocket *ss;
+    sslEsniKeys *keys = NULL;
+    SECItem data = { siBuffer, CONST_CAST(PRUint8, esniKeys), esniKeysLen };
+    SECStatus rv;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in %s",
+                 SSL_GETPID(), fd, __FUNCTION__));
+        return SECFailure;
+    }
+
+    rv = tls13_DecodeESNIKeys(&data, &keys);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    if (dummySNI) {
+        keys->dummySni = PORT_Strdup(dummySNI);
+        if (!keys->dummySni) {
+            tls13_DestroyESNIKeys(keys);
+            return SECFailure;
+        }
+    }
+
+    /* Delete in case it was set before. */
+    tls13_DestroyESNIKeys(ss->esniKeys);
+    ss->esniKeys = keys;
+
+    return SECSuccess;
+}
+
+/*
+ * struct {
+ *     opaque record_digest<0..2^16-1>;
+ *     KeyShareEntry esni_key_share;
+ *     Random client_hello_random;
+ * } ESNIContents;
+ */
+SECStatus
+tls13_ComputeESNIKeys(const sslSocket *ss,
+                      TLS13KeyShareEntry *entry,
+                      sslKeyPair *keyPair,
+                      const ssl3CipherSuiteDef *suite,
+                      const PRUint8 *esniKeysHash,
+                      const PRUint8 *keyShareBuf,
+                      unsigned int keyShareBufLen,
+                      const PRUint8 *clientRandom,
+                      ssl3KeyMaterial *keyMat)
+{
+    PK11SymKey *Z = NULL;
+    PK11SymKey *Zx = NULL;
+    SECStatus ret = SECFailure;
+    PRUint8 esniContentsBuf[256]; /* Just big enough. */
+    sslBuffer esniContents = SSL_BUFFER(esniContentsBuf);
+    PRUint8 hash[64];
+    const ssl3BulkCipherDef *cipherDef = ssl_GetBulkCipherDef(suite);
+    size_t keySize = cipherDef->key_size;
+    size_t ivSize = cipherDef->iv_size +
+                    cipherDef->explicit_nonce_size; /* This isn't always going to
+                                                     * work, but it does for
+                                                     * AES-GCM */
+    unsigned int hashSize = tls13_GetHashSizeForHash(suite->prf_hash);
+    SECStatus rv;
+
+    rv = tls13_HandleKeyShare(CONST_CAST(sslSocket, ss), entry, keyPair,
+                              suite->prf_hash, &Z);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = tls13_HkdfExtract(NULL, Z, suite->prf_hash, &Zx);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Encode ESNIContents. */
+    rv = sslBuffer_AppendVariable(&esniContents,
+                                  esniKeysHash, hashSize, 2);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = sslBuffer_Append(&esniContents, keyShareBuf, keyShareBufLen);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = sslBuffer_Append(&esniContents, clientRandom, SSL3_RANDOM_LENGTH);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    PORT_Assert(hashSize <= sizeof(hash));
+    rv = PK11_HashBuf(ssl3_HashTypeToOID(suite->prf_hash),
+                      hash,
+                      SSL_BUFFER_BASE(&esniContents),
+                      SSL_BUFFER_LEN(&esniContents));
+    ;
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = tls13_HkdfExpandLabel(Zx, suite->prf_hash,
+                               hash, hashSize,
+                               kHkdfPurposeEsniKey, strlen(kHkdfPurposeEsniKey),
+                               ssl3_Alg2Mech(cipherDef->calg),
+                               keySize,
+                               &keyMat->key);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    rv = tls13_HkdfExpandLabelRaw(Zx, suite->prf_hash,
+                                  hash, hashSize,
+                                  kHkdfPurposeEsniIv, strlen(kHkdfPurposeEsniIv),
+                                  keyMat->iv, ivSize);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    ret = SECSuccess;
+
+loser:
+    PK11_FreeSymKey(Z);
+    PK11_FreeSymKey(Zx);
+    return ret;
+}
+
+/* Set up ESNI. This generates a private key as a side effect. */
+SECStatus
+tls13_ClientSetupESNI(sslSocket *ss)
+{
+    ssl3CipherSuite suite;
+    sslEphemeralKeyPair *keyPair;
+    size_t i;
+    PRCList *cur;
+    SECStatus rv;
+    TLS13KeyShareEntry *share;
+    const sslNamedGroupDef *group = NULL;
+    PRTime now = PR_Now() / PR_USEC_PER_SEC;
+
+    if (!ss->esniKeys) {
+        return SECSuccess;
+    }
+
+    if ((ss->esniKeys->notBefore > now) || (ss->esniKeys->notAfter < now)) {
+        return SECSuccess;
+    }
+
+    /* If we're not sending SNI, don't send ESNI. */
+    if (!ssl_ShouldSendSNIExtension(ss, ss->url)) {
+        return SECSuccess;
+    }
+
+    /* Pick the group. */
+    for (i = 0; i < SSL_NAMED_GROUP_COUNT; ++i) {
+        for (cur = PR_NEXT_LINK(&ss->esniKeys->keyShares);
+             cur != &ss->esniKeys->keyShares;
+             cur = PR_NEXT_LINK(cur)) {
+            if (!ss->namedGroupPreferences[i]) {
+                continue;
+            }
+            share = (TLS13KeyShareEntry *)cur;
+            if (share->group->name == ss->namedGroupPreferences[i]->name) {
+                group = ss->namedGroupPreferences[i];
+                break;
+            }
+        }
+    }
+
+    if (!group) {
+        /* No compatible group. */
+        return SECSuccess;
+    }
+
+    rv = ssl3_NegotiateCipherSuiteInner(ss, &ss->esniKeys->suites,
+                                        SSL_LIBRARY_VERSION_TLS_1_3, &suite);
+    if (rv != SECSuccess) {
+        return SECSuccess;
+    }
+
+    rv = tls13_CreateKeyShare(ss, group, &keyPair);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    ss->xtnData.esniPrivateKey = keyPair;
+    ss->xtnData.esniSuite = suite;
+    ss->xtnData.peerEsniShare = share;
+
+    return SECSuccess;
+}
+
+/*
+ * struct {
+ *     CipherSuite suite;
+ *     KeyShareEntry key_share;
+ *     opaque record_digest<0..2^16-1>;
+ *     opaque encrypted_sni<0..2^16-1>;
+ * } ClientEncryptedSNI;
+ *
+ * struct {
+ *     ServerNameList sni;
+ *     opaque zeros[ESNIKeys.padded_length - length(sni)];
+ * } PaddedServerNameList;
+ *
+ * struct {
+ *     uint8 nonce[16];
+ *     PaddedServerNameList realSNI;
+ * } ClientESNIInner;
+ */
+SECStatus
+tls13_FormatEsniAADInput(sslBuffer *aadInput,
+                         PRUint8 *keyShare, unsigned int keyShareLen)
+{
+    SECStatus rv;
+
+    /* 8 bytes of 0 for the sequence number. */
+    rv = sslBuffer_AppendNumber(aadInput, 0, 8);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Key share. */
+    PORT_Assert(keyShareLen > 0);
+    rv = sslBuffer_Append(aadInput, keyShare, keyShareLen);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    return SECSuccess;
+}
+
+static SECStatus
+tls13_ServerGetEsniAEAD(const sslSocket *ss, PRUint64 suite,
+                        const ssl3CipherSuiteDef **suiteDefp,
+                        SSLAEADCipher *aeadp)
+{
+    SECStatus rv;
+    const ssl3CipherSuiteDef *suiteDef;
+    SSLAEADCipher aead;
+
+    /* Check against the suite list for ESNI */
+    PRBool csMatch = PR_FALSE;
+    sslReader csrdr = SSL_READER(ss->esniKeys->suites.data,
+                                 ss->esniKeys->suites.len);
+    while (SSL_READER_REMAINING(&csrdr)) {
+        PRUint64 asuite;
+
+        rv = sslRead_ReadNumber(&csrdr, 2, &asuite);
+        if (rv != SECSuccess) {
+            return SECFailure;
+        }
+        if (asuite == suite) {
+            csMatch = PR_TRUE;
+            break;
+        }
+    }
+    if (!csMatch) {
+        return SECFailure;
+    }
+
+    suiteDef = ssl_LookupCipherSuiteDef(suite);
+    PORT_Assert(suiteDef);
+    if (!suiteDef) {
+        return SECFailure;
+    }
+    aead = tls13_GetAead(ssl_GetBulkCipherDef(suiteDef));
+    if (!aead) {
+        return SECFailure;
+    }
+
+    *suiteDefp = suiteDef;
+    *aeadp = aead;
+    return SECSuccess;
+}
+
+SECStatus
+tls13_ServerDecryptEsniXtn(const sslSocket *ss, PRUint8 *in, unsigned int inLen,
+                           PRUint8 *out, int *outLen, int maxLen)
+{
+    sslReader rdr = SSL_READER(in, inLen);
+    PRUint64 suite;
+    const ssl3CipherSuiteDef *suiteDef;
+    SSLAEADCipher aead = NULL;
+    TLSExtension *keyShareExtension;
+    TLS13KeyShareEntry *entry = NULL;
+    ssl3KeyMaterial keyMat = { NULL };
+
+    sslBuffer aadInput = SSL_BUFFER_EMPTY;
+    const PRUint8 *keyShareBuf;
+    sslReadBuffer buf;
+    unsigned int keyShareBufLen;
+    PRUint8 hash[64];
+    SECStatus rv;
+
+    /* Read the cipher suite. */
+    rv = sslRead_ReadNumber(&rdr, 2, &suite);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Find the AEAD */
+    rv = tls13_ServerGetEsniAEAD(ss, suite, &suiteDef, &aead);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Note where the KeyShare starts. */
+    keyShareBuf = SSL_READER_CURRENT(&rdr);
+    rv = tls13_DecodeKeyShareEntry(&rdr, &entry);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    keyShareBufLen = SSL_READER_CURRENT(&rdr) - keyShareBuf;
+    if (!entry || entry->group->name != ss->esniKeys->privKey->group->name) {
+        goto loser;
+    }
+
+    /* The hash of the ESNIKeys structure. */
+    rv = sslRead_ReadVariable(&rdr, 2, &buf);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Check that the hash matches. */
+    unsigned int hashLen = tls13_GetHashSizeForHash(suiteDef->prf_hash);
+    PORT_Assert(hashLen <= sizeof(hash));
+    rv = PK11_HashBuf(ssl3_HashTypeToOID(suiteDef->prf_hash),
+                      hash,
+                      ss->esniKeys->data.data, ss->esniKeys->data.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    if (buf.len != hashLen) {
+        /* This is malformed. */
+        goto loser;
+    }
+    if (0 != NSS_SecureMemcmp(hash, buf.buf, hashLen)) {
+        goto loser;
+    }
+
+    rv = tls13_ComputeESNIKeys(ss, entry,
+                               ss->esniKeys->privKey->keys,
+                               suiteDef,
+                               hash, keyShareBuf, keyShareBufLen,
+                               ((sslSocket *)ss)->ssl3.hs.client_random,
+                               &keyMat);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Read the ciphertext. */
+    rv = sslRead_ReadVariable(&rdr, 2, &buf);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Check that this is empty. */
+    if (SSL_READER_REMAINING(&rdr) > 0) {
+        goto loser;
+    }
+
+    /* Find the key share extension. */
+    keyShareExtension = ssl3_FindExtension(CONST_CAST(sslSocket, ss),
+                                           ssl_tls13_key_share_xtn);
+    if (!keyShareExtension) {
+        goto loser;
+    }
+    rv = tls13_FormatEsniAADInput(&aadInput,
+                                  keyShareExtension->data.data,
+                                  keyShareExtension->data.len);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = aead(&keyMat, PR_TRUE /* Decrypt */,
+              out, outLen, maxLen,
+              buf.buf, buf.len,
+              SSL_BUFFER_BASE(&aadInput),
+              SSL_BUFFER_LEN(&aadInput));
+    sslBuffer_Clear(&aadInput);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    ssl_DestroyKeyMaterial(&keyMat);
+    tls13_DestroyKeyShareEntry(entry);
+    return SECSuccess;
+
+loser:
+    FATAL_ERROR(CONST_CAST(sslSocket, ss), SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, illegal_parameter);
+    ssl_DestroyKeyMaterial(&keyMat); /* Safe because zeroed. */
+    if (entry) {
+        tls13_DestroyKeyShareEntry(entry);
+    }
+    return SECFailure;
+}
diff --git a/security/nss/lib/ssl/tls13esni.h b/security/nss/lib/ssl/tls13esni.h
new file mode 100644
index 0000000000..6c52c99525
--- /dev/null
+++ b/security/nss/lib/ssl/tls13esni.h
@@ -0,0 +1,51 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is PRIVATE to SSL.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef __tls13esni_h_
+#define __tls13esni_h_
+
+struct sslEsniKeysStr {
+    SECItem data; /* The encoded record. */
+    sslEphemeralKeyPair *privKey;
+    const char *dummySni;
+    PRCList keyShares; /* List of TLS13KeyShareEntry */
+    SECItem suites;
+    PRUint16 paddedLength;
+    PRUint64 notBefore;
+    PRUint64 notAfter;
+};
+
+SECStatus SSLExp_SetESNIKeyPair(PRFileDesc *fd,
+                                SECKEYPrivateKey *privKey,
+                                const PRUint8 *record, unsigned int recordLen);
+
+SECStatus SSLExp_EnableESNI(PRFileDesc *fd, const PRUint8 *esniKeys,
+                            unsigned int esniKeysLen, const char *dummySNI);
+SECStatus SSLExp_EncodeESNIKeys(PRUint16 *cipherSuites, unsigned int cipherSuiteCount,
+                                SSLNamedGroup group, SECKEYPublicKey *pubKey,
+                                PRUint16 pad, PRUint64 notBefore, PRUint64 notAfter,
+                                PRUint8 *out, unsigned int *outlen, unsigned int maxlen);
+sslEsniKeys *tls13_CopyESNIKeys(sslEsniKeys *okeys);
+void tls13_DestroyESNIKeys(sslEsniKeys *keys);
+SECStatus tls13_ClientSetupESNI(sslSocket *ss);
+SECStatus tls13_ComputeESNIKeys(const sslSocket *ss,
+                                TLS13KeyShareEntry *entry,
+                                sslKeyPair *keyPair,
+                                const ssl3CipherSuiteDef *suite,
+                                const PRUint8 *esniKeysHash,
+                                const PRUint8 *keyShareBuf,
+                                unsigned int keyShareBufLen,
+                                const PRUint8 *clientRandom,
+                                ssl3KeyMaterial *keyMat);
+SECStatus tls13_FormatEsniAADInput(sslBuffer *aadInput,
+                                   PRUint8 *keyShare, unsigned int keyShareLen);
+
+SECStatus tls13_ServerDecryptEsniXtn(const sslSocket *ss, PRUint8 *in, unsigned int inLen,
+                                     PRUint8 *out, int *outLen, int maxLen);
+
+#endif
diff --git a/security/nss/lib/ssl/tls13exthandle.c b/security/nss/lib/ssl/tls13exthandle.c
index 1ab8a8e597..8ed18f69cd 100644
--- a/security/nss/lib/ssl/tls13exthandle.c
+++ b/security/nss/lib/ssl/tls13exthandle.c
@@ -12,6 +12,7 @@
 #include "pk11pub.h"
 #include "ssl3ext.h"
 #include "ssl3exthandle.h"
+#include "tls13esni.h"
 #include "tls13exthandle.h"
 
 SECStatus
@@ -71,7 +72,7 @@ tls13_ServerSendStatusRequestXtn(const sslSocket *ss, TLSExtensionData *xtnData,
  *
  *     opaque point <1..2^8-1>;
  */
-static PRUint32
+PRUint32
 tls13_SizeOfKeyShareEntry(const SECKEYPublicKey *pubKey)
 {
     /* Size = NamedGroup(2) + length(2) + opaque<?> share */
@@ -86,14 +87,14 @@ tls13_SizeOfKeyShareEntry(const SECKEYPublicKey *pubKey)
     return 0;
 }
 
-static SECStatus
-tls13_EncodeKeyShareEntry(sslBuffer *buf, const sslEphemeralKeyPair *keyPair)
+SECStatus
+tls13_EncodeKeyShareEntry(sslBuffer *buf, SSLNamedGroup group,
+                          SECKEYPublicKey *pubKey)
 {
     SECStatus rv;
-    SECKEYPublicKey *pubKey = keyPair->keys->pubKey;
     unsigned int size = tls13_SizeOfKeyShareEntry(pubKey);
 
-    rv = sslBuffer_AppendNumber(buf, keyPair->group->name, 2);
+    rv = sslBuffer_AppendNumber(buf, group, 2);
     if (rv != SECSuccess)
         return rv;
     rv = sslBuffer_AppendNumber(buf, size - 4, 2);
@@ -123,6 +124,7 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
 {
     SECStatus rv;
     PRCList *cursor;
+    unsigned int extStart;
     unsigned int lengthOffset;
 
     if (ss->vrange.max < SSL_LIBRARY_VERSION_TLS_1_3) {
@@ -134,6 +136,8 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     SSL_TRC(3, ("%d: TLS13[%d]: send client key share xtn",
                 SSL_GETPID(), ss->fd));
 
+    extStart = SSL_BUFFER_LEN(buf);
+
     /* Save the offset to the length. */
     rv = sslBuffer_Skip(buf, 2, &lengthOffset);
     if (rv != SECSuccess) {
@@ -144,7 +148,9 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
          cursor != &ss->ephemeralKeyPairs;
          cursor = PR_NEXT_LINK(cursor)) {
         sslEphemeralKeyPair *keyPair = (sslEphemeralKeyPair *)cursor;
-        rv = tls13_EncodeKeyShareEntry(buf, keyPair);
+        rv = tls13_EncodeKeyShareEntry(buf,
+                                       keyPair->group->name,
+                                       keyPair->keys->pubKey);
         if (rv != SECSuccess) {
             return SECFailure;
         }
@@ -154,50 +160,62 @@ tls13_ClientSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
         return SECFailure;
     }
 
+    rv = SECITEM_MakeItem(NULL, &xtnData->keyShareExtension,
+                          SSL_BUFFER_BASE(buf) + extStart,
+                          SSL_BUFFER_LEN(buf) - extStart);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
     *added = PR_TRUE;
     return SECSuccess;
 }
 
-static SECStatus
-tls13_HandleKeyShareEntry(const sslSocket *ss, TLSExtensionData *xtnData, SECItem *data)
+SECStatus
+tls13_DecodeKeyShareEntry(sslReader *rdr, TLS13KeyShareEntry **ksp)
 {
     SECStatus rv;
-    PRUint32 group;
+    PRUint64 group;
     const sslNamedGroupDef *groupDef;
     TLS13KeyShareEntry *ks = NULL;
-    SECItem share = { siBuffer, NULL, 0 };
+    sslReadBuffer share;
 
-    rv = ssl3_ExtConsumeHandshakeNumber(ss, &group, 2, &data->data, &data->len);
+    rv = sslRead_ReadNumber(rdr, 2, &group);
     if (rv != SECSuccess) {
-        PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
         goto loser;
     }
     groupDef = ssl_LookupNamedGroup(group);
-    rv = ssl3_ExtConsumeHandshakeVariable(ss, &share, 2, &data->data,
-                                          &data->len);
+    rv = sslRead_ReadVariable(rdr, 2, &share);
     if (rv != SECSuccess) {
         goto loser;
     }
+
+    /* This has to happen here because we want to consume
+     * the entire entry even if the group is unknown
+     * or disabled. */
     /* If the group is disabled, continue. */
     if (!groupDef) {
         return SECSuccess;
     }
 
     ks = PORT_ZNew(TLS13KeyShareEntry);
-    if (!ks)
+    if (!ks) {
         goto loser;
+    }
     ks->group = groupDef;
 
-    rv = SECITEM_CopyItem(NULL, &ks->key_exchange, &share);
-    if (rv != SECSuccess)
+    rv = SECITEM_MakeItem(NULL, &ks->key_exchange,
+                          share.buf, share.len);
+    if (rv != SECSuccess) {
         goto loser;
+    }
 
-    PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares);
+    *ksp = ks;
     return SECSuccess;
 
 loser:
-    if (ks)
-        tls13_DestroyKeyShareEntry(ks);
+    tls13_DestroyKeyShareEntry(ks);
+
     return SECFailure;
 }
 /* Handle an incoming KeyShare extension at the client and copy to
@@ -209,6 +227,7 @@ tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
 {
     SECStatus rv;
     PORT_Assert(PR_CLIST_IS_EMPTY(&xtnData->remoteKeyShares));
+    TLS13KeyShareEntry *ks = NULL;
 
     PORT_Assert(!ss->sec.isServer);
 
@@ -221,16 +240,20 @@ tls13_ClientHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     SSL_TRC(3, ("%d: SSL3[%d]: handle key_share extension",
                 SSL_GETPID(), ss->fd));
 
-    rv = tls13_HandleKeyShareEntry(ss, xtnData, data);
-    if (rv != SECSuccess) {
+    sslReader rdr = SSL_READER(data->data, data->len);
+    rv = tls13_DecodeKeyShareEntry(&rdr, &ks);
+    if ((rv != SECSuccess) || !ks) {
+        ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
         return SECFailure;
     }
 
-    if (data->len) {
+    if (SSL_READER_REMAINING(&rdr)) {
+        tls13_DestroyKeyShareEntry(ks);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
         return SECFailure;
     }
+    PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares);
 
     return SECSuccess;
 }
@@ -273,7 +296,7 @@ tls13_ClientHandleKeyShareXtnHrr(const sslSocket *ss, TLSExtensionData *xtnData,
     ssl_FreeEphemeralKeyPairs(CONST_CAST(sslSocket, ss));
 
     /* And replace with our new share. */
-    rv = tls13_CreateKeyShare(CONST_CAST(sslSocket, ss), group);
+    rv = tls13_AddKeyShare(CONST_CAST(sslSocket, ss), group);
     if (rv != SECSuccess) {
         ssl3_ExtSendAlert(ss, alert_fatal, internal_error);
         PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
@@ -315,12 +338,24 @@ tls13_ServerHandleKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
         goto loser;
     }
 
-    while (data->len) {
-        rv = tls13_HandleKeyShareEntry(ss, xtnData, data);
-        if (rv != SECSuccess)
+    sslReader rdr = SSL_READER(data->data, data->len);
+    while (SSL_READER_REMAINING(&rdr)) {
+        TLS13KeyShareEntry *ks = NULL;
+        rv = tls13_DecodeKeyShareEntry(&rdr, &ks);
+        if (rv != SECSuccess) {
+            PORT_SetError(SSL_ERROR_RX_MALFORMED_KEY_SHARE);
             goto loser;
+        }
+        if (ks) {
+            /* |ks| == NULL if this is an unknown group. */
+            PR_APPEND_LINK(&ks->link, &xtnData->remoteKeyShares);
+        }
     }
 
+    /* Keep track of negotiated extensions. */
+    xtnData->negotiated[xtnData->numNegotiated++] =
+        ssl_tls13_key_share_xtn;
+
     return SECSuccess;
 
 loser:
@@ -342,7 +377,8 @@ tls13_ServerSendKeyShareXtn(const sslSocket *ss, TLSExtensionData *xtnData,
 
     keyPair = (sslEphemeralKeyPair *)PR_NEXT_LINK(&ss->ephemeralKeyPairs);
 
-    rv = tls13_EncodeKeyShareEntry(buf, keyPair);
+    rv = tls13_EncodeKeyShareEntry(buf, keyPair->group->name,
+                                   keyPair->keys->pubKey);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -396,6 +432,7 @@ tls13_ClientSendPreSharedKeyXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     xtnData->lastXtnOffset = buf->len - 4;
 
     PORT_Assert(ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_3);
+    PORT_Assert(ss->sec.ci.sid->version >= SSL_LIBRARY_VERSION_TLS_1_3);
 
     /* Send a single ticket identity. */
     session_ticket = &ss->sec.ci.sid->u.ssl3.locked.sessionTicket;
@@ -751,7 +788,9 @@ tls13_ClientSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnD
     }
 
     for (version = ss->vrange.max; version >= ss->vrange.min; --version) {
-        rv = sslBuffer_AppendNumber(buf, tls13_EncodeDraftVersion(version), 2);
+        PRUint16 wire = tls13_EncodeDraftVersion(version,
+                                                 ss->protocolVariant);
+        rv = sslBuffer_AppendNumber(buf, wire, 2);
         if (rv != SECSuccess) {
             return SECFailure;
         }
@@ -779,8 +818,9 @@ tls13_ServerSendSupportedVersionsXtn(const sslSocket *ss, TLSExtensionData *xtnD
     SSL_TRC(3, ("%d: TLS13[%d]: server send supported_versions extension",
                 SSL_GETPID(), ss->fd));
 
-    rv = sslBuffer_AppendNumber(
-        buf, tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3), 2);
+    PRUint16 ver = tls13_EncodeDraftVersion(SSL_LIBRARY_VERSION_TLS_1_3,
+                                            ss->protocolVariant);
+    rv = sslBuffer_AppendNumber(buf, ver, 2);
     if (rv != SECSuccess) {
         return SECFailure;
     }
@@ -1056,3 +1096,276 @@ tls13_ServerSendHrrCookieXtn(const sslSocket *ss, TLSExtensionData *xtnData,
     *added = PR_TRUE;
     return SECSuccess;
 }
+
+SECStatus
+tls13_ClientSendEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                        sslBuffer *buf, PRBool *added)
+{
+    SECStatus rv;
+    PRUint8 sniBuf[1024];
+    PRUint8 hash[64];
+    sslBuffer sni = SSL_BUFFER(sniBuf);
+    const ssl3CipherSuiteDef *suiteDef;
+    ssl3KeyMaterial keyMat;
+    SSLAEADCipher aead;
+    PRUint8 outBuf[1024];
+    int outLen;
+    unsigned int sniStart;
+    unsigned int sniLen;
+    sslBuffer aadInput = SSL_BUFFER_EMPTY;
+    unsigned int keyShareBufStart;
+    unsigned int keyShareBufLen;
+
+    PORT_Memset(&keyMat, 0, sizeof(keyMat));
+
+    if (!ss->xtnData.esniPrivateKey) {
+        return SECSuccess;
+    }
+
+    /* nonce */
+    rv = PK11_GenerateRandom(
+        (unsigned char *)xtnData->esniNonce, sizeof(xtnData->esniNonce));
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    rv = sslBuffer_Append(&sni, xtnData->esniNonce, sizeof(xtnData->esniNonce));
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* sni */
+    sniStart = SSL_BUFFER_LEN(&sni);
+    rv = ssl3_ClientFormatServerNameXtn(ss, ss->url, xtnData, &sni);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    sniLen = SSL_BUFFER_LEN(&sni) - sniStart;
+    /* Padding. */
+    if (ss->esniKeys->paddedLength > sniLen) {
+        unsigned int paddingRequired = ss->esniKeys->paddedLength - sniLen;
+        while (paddingRequired--) {
+            rv = sslBuffer_AppendNumber(&sni, 0, 1);
+            if (rv != SECSuccess) {
+                return SECFailure;
+            }
+        }
+    }
+
+    suiteDef = ssl_LookupCipherSuiteDef(xtnData->esniSuite);
+    PORT_Assert(suiteDef);
+    if (!suiteDef) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+    aead = tls13_GetAead(ssl_GetBulkCipherDef(suiteDef));
+    if (!aead) {
+        return SECFailure;
+    }
+
+    /* Format the first part of the extension so we have the
+     * encoded KeyShareEntry. */
+    rv = sslBuffer_AppendNumber(buf, xtnData->esniSuite, 2);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    keyShareBufStart = SSL_BUFFER_LEN(buf);
+    rv = tls13_EncodeKeyShareEntry(buf,
+                                   xtnData->esniPrivateKey->group->name,
+                                   xtnData->esniPrivateKey->keys->pubKey);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+    keyShareBufLen = SSL_BUFFER_LEN(buf) - keyShareBufStart;
+
+    if (tls13_GetHashSizeForHash(suiteDef->prf_hash) > sizeof(hash)) {
+        PORT_Assert(PR_FALSE);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    rv = PK11_HashBuf(ssl3_HashTypeToOID(suiteDef->prf_hash),
+                      hash,
+                      ss->esniKeys->data.data,
+                      ss->esniKeys->data.len);
+    if (rv != SECSuccess) {
+        PORT_Assert(PR_FALSE);
+        return SECFailure;
+    }
+
+    rv = sslBuffer_AppendVariable(buf, hash,
+                                  tls13_GetHashSizeForHash(suiteDef->prf_hash), 2);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Compute the ESNI keys. */
+    rv = tls13_ComputeESNIKeys(ss, xtnData->peerEsniShare,
+                               xtnData->esniPrivateKey->keys,
+                               suiteDef,
+                               hash,
+                               SSL_BUFFER_BASE(buf) + keyShareBufStart,
+                               keyShareBufLen,
+                               CONST_CAST(PRUint8, ss->ssl3.hs.client_random),
+                               &keyMat);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    rv = tls13_FormatEsniAADInput(&aadInput,
+                                  xtnData->keyShareExtension.data,
+                                  xtnData->keyShareExtension.len);
+    if (rv != SECSuccess) {
+        ssl_DestroyKeyMaterial(&keyMat);
+        return SECFailure;
+    }
+    /* Now encrypt. */
+    rv = aead(&keyMat, PR_FALSE /* Encrypt */,
+              outBuf, &outLen, sizeof(outBuf),
+              SSL_BUFFER_BASE(&sni),
+              SSL_BUFFER_LEN(&sni),
+              SSL_BUFFER_BASE(&aadInput),
+              SSL_BUFFER_LEN(&aadInput));
+    ssl_DestroyKeyMaterial(&keyMat);
+    sslBuffer_Clear(&aadInput);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    /* Encode the rest. */
+    rv = sslBuffer_AppendVariable(buf, outBuf, outLen, 2);
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    *added = PR_TRUE;
+    return SECSuccess;
+}
+
+static SECStatus
+tls13_ServerSendEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                        sslBuffer *buf, PRBool *added)
+{
+    SECStatus rv;
+
+    rv = sslBuffer_Append(buf, xtnData->esniNonce, sizeof(xtnData->esniNonce));
+    if (rv != SECSuccess) {
+        return SECFailure;
+    }
+
+    *added = PR_TRUE;
+    return SECSuccess;
+}
+
+SECStatus
+tls13_ServerHandleEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                          SECItem *data)
+{
+    sslReadBuffer buf;
+    PRUint8 *plainText = NULL;
+    int ptLen;
+    SECStatus rv;
+
+    /* If we are doing < TLS 1.3, then ignore this. */
+    if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) {
+        return SECSuccess;
+    }
+
+    if (!ss->esniKeys) {
+        /* Apparently we used to be configured for ESNI, but
+         * no longer. This violates the spec, or the client is
+         * broken. */
+        return SECFailure;
+    }
+
+    plainText = PORT_ZAlloc(data->len);
+    if (!plainText) {
+        return SECFailure;
+    }
+    rv = tls13_ServerDecryptEsniXtn(ss, data->data, data->len,
+                                    plainText, &ptLen, data->len);
+    if (rv) {
+        goto loser;
+    }
+
+    /* Read out the interior extension. */
+    sslReader sniRdr = SSL_READER(plainText, ptLen);
+
+    rv = sslRead_Read(&sniRdr, sizeof(xtnData->esniNonce), &buf);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    PORT_Memcpy(xtnData->esniNonce, buf.buf, sizeof(xtnData->esniNonce));
+
+    /* We need to capture the whole block with the length. */
+    SECItem sniItem = { siBuffer, (unsigned char *)SSL_READER_CURRENT(&sniRdr), 0 };
+    rv = sslRead_ReadVariable(&sniRdr, 2, &buf);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+    sniItem.len = buf.len + 2;
+
+    /* Check the padding. Note we don't need to do this in constant time
+     * because it's inside the AEAD boundary. */
+    /* TODO(ekr@rtfm.com): check that the padding is the right length. */
+    PRUint64 tmp;
+    while (SSL_READER_REMAINING(&sniRdr)) {
+        rv = sslRead_ReadNumber(&sniRdr, 1, &tmp);
+        if (rv != SECSuccess) {
+            goto loser;
+        }
+        if (tmp != 0) {
+            goto loser;
+        }
+    }
+
+    rv = ssl3_HandleServerNameXtn(ss, xtnData, &sniItem);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    rv = ssl3_RegisterExtensionSender(ss, xtnData,
+                                      ssl_tls13_encrypted_sni_xtn,
+                                      tls13_ServerSendEsniXtn);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    /* Keep track of negotiated extensions. */
+    xtnData->negotiated[xtnData->numNegotiated++] =
+        ssl_tls13_encrypted_sni_xtn;
+
+    PORT_ZFree(plainText, data->len);
+    return SECSuccess;
+loser:
+    PORT_ZFree(plainText, data->len);
+    return SECFailure;
+}
+
+/* Function to check the extension. We don't install a handler here
+ * because we need to check for the presence of the extension as
+ * well and it's easier to do it in one place. */
+SECStatus
+tls13_ClientCheckEsniXtn(sslSocket *ss)
+{
+    TLSExtension *esniExtension =
+        ssl3_FindExtension(ss, ssl_tls13_encrypted_sni_xtn);
+    if (!esniExtension) {
+        FATAL_ERROR(ss, SSL_ERROR_MISSING_ESNI_EXTENSION, missing_extension);
+        return SECFailure;
+    }
+
+    if (esniExtension->data.len != sizeof(ss->xtnData.esniNonce)) {
+        FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, illegal_parameter);
+        return SECFailure;
+    }
+
+    if (0 != NSS_SecureMemcmp(esniExtension->data.data,
+                              ss->xtnData.esniNonce,
+                              sizeof(ss->xtnData.esniNonce))) {
+        FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ESNI_EXTENSION, illegal_parameter);
+        return SECFailure;
+    }
+
+    return SECSuccess;
+}
diff --git a/security/nss/lib/ssl/tls13exthandle.h b/security/nss/lib/ssl/tls13exthandle.h
index edce94d831..dd64b44ff4 100644
--- a/security/nss/lib/ssl/tls13exthandle.h
+++ b/security/nss/lib/ssl/tls13exthandle.h
@@ -84,5 +84,14 @@ SECStatus tls13_ServerSendHrrKeyShareXtn(const sslSocket *ss,
 SECStatus tls13_ServerSendHrrCookieXtn(const sslSocket *ss,
                                        TLSExtensionData *xtnData,
                                        sslBuffer *buf, PRBool *added);
+SECStatus tls13_DecodeKeyShareEntry(sslReader *rdr, TLS13KeyShareEntry **ksp);
+PRUint32 tls13_SizeOfKeyShareEntry(const SECKEYPublicKey *pubKey);
+SECStatus tls13_EncodeKeyShareEntry(sslBuffer *buf, SSLNamedGroup group,
+                                    SECKEYPublicKey *pubKey);
+SECStatus tls13_ClientSendEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                                  sslBuffer *buf, PRBool *added);
+SECStatus tls13_ServerHandleEsniXtn(const sslSocket *ss, TLSExtensionData *xtnData,
+                                    SECItem *data);
+SECStatus tls13_ClientCheckEsniXtn(sslSocket *ss);
 
 #endif
diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def
index 26e438ba6a..8c233f7d36 100644
--- a/security/nss/lib/util/nssutil.def
+++ b/security/nss/lib/util/nssutil.def
@@ -328,3 +328,9 @@ SECITEM_MakeItem;
 ;+    local:
 ;+       *;
 ;+};
+;+NSSUTIL_3.39 {         # NSS Utilities 3.39 release
+;+    global:
+NSSUTIL_AddNSSFlagToModuleSpec;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
index 2749abaa16..62511eafed 100644
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,9 +19,9 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.38"
+#define NSSUTIL_VERSION "3.41"
 #define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 38
+#define NSSUTIL_VMINOR 41
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_FALSE
diff --git a/security/nss/lib/util/pkcs11p.h b/security/nss/lib/util/pkcs11p.h
index 2e904ee50c..1c9201350e 100644
--- a/security/nss/lib/util/pkcs11p.h
+++ b/security/nss/lib/util/pkcs11p.h
@@ -13,7 +13,10 @@
  * though it's still needed. put in a central file to help merging..
  */
 
-#if defined(_WIN32)
+#if defined(_WIN32) || defined(_WINDOWS)
+#ifdef __clang__
+#pragma clang diagnostic ignored "-Wpragma-pack"
+#endif
 #ifdef _MSC_VER
 #pragma warning(disable : 4103)
 #endif
diff --git a/security/nss/lib/util/pkcs11u.h b/security/nss/lib/util/pkcs11u.h
index be949bcd40..64ec2fdb5c 100644
--- a/security/nss/lib/util/pkcs11u.h
+++ b/security/nss/lib/util/pkcs11u.h
@@ -11,7 +11,10 @@
  * reset any packing set by pkcs11p.h
  */
 
-#if defined(_WIN32)
+#if defined(_WIN32) || defined(_WINDOWS)
+#ifdef __clang__
+#pragma clang diagnostic ignored "-Wpragma-pack"
+#endif
 #ifdef _MSC_VER
 #pragma warning(disable : 4103)
 #endif
diff --git a/security/nss/lib/util/pkcs11uri.c b/security/nss/lib/util/pkcs11uri.c
index 94b00171e9..c29521080b 100644
--- a/security/nss/lib/util/pkcs11uri.c
+++ b/security/nss/lib/util/pkcs11uri.c
@@ -674,7 +674,7 @@ PK11URI_ParseURI(const char *string)
     const char *p = string;
     SECStatus ret;
 
-    if (strncmp("pkcs11:", p, 7) != 0) {
+    if (PORT_Strncasecmp("pkcs11:", p, 7) != 0) {
         return NULL;
     }
     p += 7;
diff --git a/security/nss/lib/util/pkcs1sig.c b/security/nss/lib/util/pkcs1sig.c
index 502119aa5c..68588c7f80 100644
--- a/security/nss/lib/util/pkcs1sig.c
+++ b/security/nss/lib/util/pkcs1sig.c
@@ -15,13 +15,6 @@ struct pkcs1PrefixStr {
     PRUint8 *data;
 };
 
-typedef struct pkcs1PrefixesStr pkcs1Prefixes;
-struct pkcs1PrefixesStr {
-    unsigned int digestLen;
-    pkcs1Prefix prefixWithParams;
-    pkcs1Prefix prefixWithoutParams;
-};
-
 /* The value for SGN_PKCS1_DIGESTINFO_MAX_PREFIX_LEN_EXCLUDING_OID is based on
  * the possible prefix encodings as explained below.
  */
@@ -101,9 +94,8 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
                            PRBool unsafeAllowMissingParameters)
 {
     SECOidData *hashOid;
-    pkcs1Prefixes pp;
-    const pkcs1Prefix *expectedPrefix;
-    SECStatus rv, rv2, rv3;
+    pkcs1Prefix prefix;
+    SECStatus rv;
 
     if (!digest || !digest->data ||
         !dataRecoveredFromSignature || !dataRecoveredFromSignature->data) {
@@ -117,17 +109,9 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
         return SECFailure;
     }
 
-    pp.digestLen = digest->len;
-    pp.prefixWithParams.data = NULL;
-    pp.prefixWithoutParams.data = NULL;
+    prefix.data = NULL;
 
-    rv2 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithParams, PR_TRUE);
-    rv3 = encodePrefix(hashOid, pp.digestLen, &pp.prefixWithoutParams, PR_FALSE);
-
-    rv = SECSuccess;
-    if (rv2 != SECSuccess || rv3 != SECSuccess) {
-        rv = SECFailure;
-    }
+    rv = encodePrefix(hashOid, digest->len, &prefix, PR_TRUE);
 
     if (rv == SECSuccess) {
         /* We don't attempt to avoid timing attacks on these comparisons because
@@ -135,34 +119,39 @@ _SGN_VerifyPKCS1DigestInfo(SECOidTag digestAlg,
          * operation.
          */
 
-        if (dataRecoveredFromSignature->len ==
-            pp.prefixWithParams.len + pp.digestLen) {
-            expectedPrefix = &pp.prefixWithParams;
-        } else if (unsafeAllowMissingParameters &&
-                   dataRecoveredFromSignature->len ==
-                       pp.prefixWithoutParams.len + pp.digestLen) {
-            expectedPrefix = &pp.prefixWithoutParams;
-        } else {
-            PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-            rv = SECFailure;
+        if (dataRecoveredFromSignature->len != prefix.len + digest->len) {
+            PRBool lengthMismatch = PR_TRUE;
+#ifdef NSS_PKCS1_AllowMissingParameters
+            if (unsafeAllowMissingParameters) {
+                if (prefix.data) {
+                    PORT_Free(prefix.data);
+                    prefix.data = NULL;
+                }
+                rv = encodePrefix(hashOid, digest->len, &prefix, PR_FALSE);
+                if (rv != SECSuccess ||
+                    dataRecoveredFromSignature->len == prefix.len + digest->len) {
+                    lengthMismatch = PR_FALSE;
+                }
+            }
+#endif
+            if (lengthMismatch) {
+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+                rv = SECFailure;
+            }
         }
     }
 
     if (rv == SECSuccess) {
-        if (memcmp(dataRecoveredFromSignature->data, expectedPrefix->data,
-                   expectedPrefix->len) ||
-            memcmp(dataRecoveredFromSignature->data + expectedPrefix->len,
-                   digest->data, digest->len)) {
+        if (memcmp(dataRecoveredFromSignature->data, prefix.data, prefix.len) ||
+            memcmp(dataRecoveredFromSignature->data + prefix.len, digest->data,
+                   digest->len)) {
             PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
             rv = SECFailure;
         }
     }
 
-    if (pp.prefixWithParams.data) {
-        PORT_Free(pp.prefixWithParams.data);
-    }
-    if (pp.prefixWithoutParams.data) {
-        PORT_Free(pp.prefixWithoutParams.data);
+    if (prefix.data) {
+        PORT_Free(prefix.data);
     }
 
     return rv;
diff --git a/security/nss/lib/util/secder.h b/security/nss/lib/util/secder.h
index dbc35807d3..1b487d1938 100644
--- a/security/nss/lib/util/secder.h
+++ b/security/nss/lib/util/secder.h
@@ -34,6 +34,9 @@ SEC_BEGIN_PROTOS
 extern SECStatus DER_Encode(PLArenaPool *arena, SECItem *dest, DERTemplate *t,
                             void *src);
 
+/*
+** This function is deprecated.
+*/
 extern SECStatus DER_Lengths(SECItem *item, int *header_len_p,
                              PRUint32 *contents_len_p);
 
diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c
index 1e505a9af1..cd69961782 100644
--- a/security/nss/lib/util/secitem.c
+++ b/security/nss/lib/util/secitem.c
@@ -76,10 +76,10 @@ loser:
 }
 
 SECStatus
-SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest, unsigned char *data,
+SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest, const unsigned char *data,
                  unsigned int len)
 {
-    SECItem it = { siBuffer, data, len };
+    SECItem it = { siBuffer, (unsigned char *)data, len };
 
     return SECITEM_CopyItem(arena, dest, &it);
 }
diff --git a/security/nss/lib/util/secitem.h b/security/nss/lib/util/secitem.h
index 4fb1239382..f7a8241b5d 100644
--- a/security/nss/lib/util/secitem.h
+++ b/security/nss/lib/util/secitem.h
@@ -41,7 +41,7 @@ extern SECItem *SECITEM_AllocItem(PLArenaPool *arena, SECItem *item,
  * always siBuffer.
  */
 extern SECStatus SECITEM_MakeItem(PLArenaPool *arena, SECItem *dest,
-                                  unsigned char *data, unsigned int len);
+                                  const unsigned char *data, unsigned int len);
 
 /*
 ** This is a legacy function containing bugs. It doesn't update item->len,
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
index a05621c59e..06b0cbcc4a 100644
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -122,7 +122,9 @@ const char __nss_util_version[] = "Version: NSS " NSSUTIL_VERSION _DEBUG_STRING;
 
 #define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
 
-#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
+#define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05
+
+#define PKIX INTERNET_SECURITY_MECH, 0x07
 #define PKIX_CERT_EXTENSIONS PKIX, 1
 #define PKIX_POLICY_QUALIFIERS PKIX, 2
 #define PKIX_KEY_USAGE PKIX, 3
@@ -360,6 +362,7 @@ CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
 CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
 
 CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 };
+CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 };
 
 CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
 CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
@@ -454,8 +457,13 @@ CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 };
 CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 };
 CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 };
 CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 };
+/* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */
+CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 };
 CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 };
 
+CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 };
+CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 };
+
 /* OIDs for Netscape defined algorithms */
 CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 };
 
@@ -1754,6 +1762,22 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
        "Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
     ODE(SEC_OID_TLS13_KEA_ANY,
         "TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
+    OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE,
+       "Any Extended Key Usage",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD(pkixExtendedKeyUsageIPsecIKE,
+       SEC_OID_EXT_KEY_USAGE_IPSEC_IKE,
+       "IPsec IKE Certificate",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD(ipsecIKEEnd,
+       SEC_OID_IPSEC_IKE_END,
+       "IPsec IKE End",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+    OD(ipsecIKEIntermediate,
+       SEC_OID_IPSEC_IKE_INTERMEDIATE,
+       "IPsec IKE Intermediate",
+       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
 };
 
 /* PRIVATE EXTENDED SECOID Table
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
index 0a40f29fd2..c77aeb19fc 100644
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -494,6 +494,11 @@ typedef enum {
 
     SEC_OID_TLS13_KEA_ANY = 356,
 
+    SEC_OID_X509_ANY_EXT_KEY_USAGE = 357,
+    SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358,
+    SEC_OID_IPSEC_IKE_END = 359,
+    SEC_OID_IPSEC_IKE_INTERMEDIATE = 360,
+
     SEC_OID_TOTAL
 } SECOidTag;
 
diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c
index e5bd4c1bbb..ae979ebada 100644
--- a/security/nss/lib/util/secport.c
+++ b/security/nss/lib/util/secport.c
@@ -199,9 +199,6 @@ PORT_Strdup(const char *str)
 void
 PORT_SetError(int value)
 {
-#ifdef DEBUG_jp96085
-    PORT_Assert(value != SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-#endif
     PR_SetError(value, 0);
     return;
 }
diff --git a/security/nss/lib/util/utilpars.c b/security/nss/lib/util/utilpars.c
index e7435bfcc3..f9b807f7ed 100644
--- a/security/nss/lib/util/utilpars.c
+++ b/security/nss/lib/util/utilpars.c
@@ -913,6 +913,92 @@ NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters,
     return NSSUTIL_MkModuleSpecEx(dllName, commonName, parameters, NSS, NULL);
 }
 
+/************************************************************************
+ * add a single flag to the Flags= section inside the spec's NSS= section */
+char *
+NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag)
+{
+    const char *prefix = "flags=";
+    const size_t prefixLen = strlen(prefix);
+    char *lib = NULL, *name = NULL, *param = NULL, *nss = NULL, *conf = NULL;
+    char *nss2 = NULL, *result = NULL;
+    SECStatus rv;
+
+    rv = NSSUTIL_ArgParseModuleSpecEx(spec, &lib, &name, &param, &nss, &conf);
+    if (rv != SECSuccess) {
+        return NULL;
+    }
+
+    if (nss && NSSUTIL_ArgHasFlag("flags", addFlag, nss)) {
+        /* It's already there, nothing to do! */
+        PORT_Free(lib);
+        PORT_Free(name);
+        PORT_Free(param);
+        PORT_Free(nss);
+        PORT_Free(conf);
+        return PORT_Strdup(spec);
+    }
+
+    if (!nss || !strlen(nss)) {
+        nss2 = PORT_Alloc(prefixLen + strlen(addFlag) + 1);
+        PORT_Strcpy(nss2, prefix);
+        PORT_Strcat(nss2, addFlag);
+    } else {
+        const char *iNss = nss;
+        PRBool alreadyAdded = PR_FALSE;
+        size_t maxSize = strlen(nss) + strlen(addFlag) + prefixLen + 2; /* space and null terminator */
+        nss2 = PORT_Alloc(maxSize);
+        *nss2 = 0;
+        while (*iNss) {
+            iNss = NSSUTIL_ArgStrip(iNss);
+            if (PORT_Strncasecmp(iNss, prefix, prefixLen) == 0) {
+                /* We found an existing Flags= section. */
+                char *oldFlags;
+                const char *valPtr;
+                int valSize;
+                valPtr = iNss + prefixLen;
+                oldFlags = NSSUTIL_ArgFetchValue(valPtr, &valSize);
+                iNss = valPtr + valSize;
+                PORT_Strcat(nss2, prefix);
+                PORT_Strcat(nss2, oldFlags);
+                PORT_Strcat(nss2, ",");
+                PORT_Strcat(nss2, addFlag);
+                PORT_Strcat(nss2, " ");
+                PORT_Free(oldFlags);
+                alreadyAdded = PR_TRUE;
+                iNss = NSSUTIL_ArgStrip(iNss);
+                PORT_Strcat(nss2, iNss); /* remainder of input */
+                break;
+            } else {
+                /* Append this other name=value pair and continue. */
+                const char *startOfNext = NSSUTIL_ArgSkipParameter(iNss);
+                PORT_Strncat(nss2, iNss, (startOfNext - iNss));
+                if (nss2[strlen(nss2) - 1] != ' ') {
+                    PORT_Strcat(nss2, " ");
+                }
+                iNss = startOfNext;
+            }
+            iNss = NSSUTIL_ArgStrip(iNss);
+        }
+        if (!alreadyAdded) {
+            /* nss wasn't empty, and it didn't contain a Flags section. We can
+             * assume that other content from nss has already been added to
+             * nss2, which means we already have a trailing space separator. */
+            PORT_Strcat(nss2, prefix);
+            PORT_Strcat(nss2, addFlag);
+        }
+    }
+
+    result = NSSUTIL_MkModuleSpecEx(lib, name, param, nss2, conf);
+    PORT_Free(lib);
+    PORT_Free(name);
+    PORT_Free(param);
+    PORT_Free(nss);
+    PORT_Free(nss2);
+    PORT_Free(conf);
+    return result;
+}
+
 #define NSSUTIL_ARG_FORTEZZA_FLAG "FORTEZZA"
 /******************************************************************************
  * Parse the cipher flags from the NSS parameter
diff --git a/security/nss/lib/util/utilpars.h b/security/nss/lib/util/utilpars.h
index 1b0b1ff1ce..289fdca975 100644
--- a/security/nss/lib/util/utilpars.h
+++ b/security/nss/lib/util/utilpars.h
@@ -46,6 +46,7 @@ char *NSSUTIL_MkModuleSpec(char *dllName, char *commonName,
                            char *parameters, char *NSS);
 char *NSSUTIL_MkModuleSpecEx(char *dllName, char *commonName,
                              char *parameters, char *NSS, char *config);
+char *NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag);
 void NSSUTIL_ArgParseCipherFlags(unsigned long *newCiphers,
                                  const char *cipherList);
 char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal,
diff --git a/security/nss/mach b/security/nss/mach
index 715f1a9e3f..178cfeb741 100644
--- a/security/nss/mach
+++ b/security/nss/mach
@@ -10,13 +10,32 @@
 
 import sys
 import argparse
+import fnmatch
 import subprocess
 import os
 import platform
+import tempfile
+
 from hashlib import sha256
 
+DEVNULL = open(os.devnull, 'wb')
 cwd = os.path.dirname(os.path.abspath(__file__))
 
+def run_tests(test, cycles="standard", env={}, silent=False):
+    domsuf = os.getenv('DOMSUF', "localdomain")
+    host = os.getenv('HOST', "localhost")
+    env = env.copy()
+    env.update({
+        "NSS_TESTS": test,
+        "NSS_CYCLES": cycles,
+        "DOMSUF": domsuf,
+        "HOST": host
+    })
+    os_env = os.environ
+    os_env.update(env)
+    command = cwd + "/tests/all.sh"
+    stdout = stderr = DEVNULL if silent else None
+    subprocess.check_call(command, env=os_env, stdout=stdout, stderr=stderr)
 
 class cfAction(argparse.Action):
     docker_command = ["docker"]
@@ -103,7 +122,7 @@ class cfAction(argparse.Action):
         files = []
         if os.path.exists(os.path.join(cwd, '.hg')):
             st = subprocess.Popen(['hg', 'status', '-m', '-a'],
-                                  cwd=cwd, stdout=subprocess.PIPE)
+                                  cwd=cwd, stdout=subprocess.PIPE, universal_newlines=True)
             for line in iter(st.stdout.readline, ''):
                 files += [line[2:].rstrip()]
         elif os.path.exists(os.path.join(cwd, '.git')):
@@ -127,29 +146,63 @@ class cfAction(argparse.Action):
 class buildAction(argparse.Action):
 
     def __call__(self, parser, args, values, option_string=None):
-        cwd = os.path.dirname(os.path.abspath(__file__))
         subprocess.check_call([cwd + "/build.sh"] + values)
 
 
 class testAction(argparse.Action):
 
-    def runTest(self, test, cycles="standard"):
-        cwd = os.path.dirname(os.path.abspath(__file__))
-        domsuf = os.getenv('DOMSUF', "localdomain")
-        host = os.getenv('HOST', "localhost")
+    def __call__(self, parser, args, values, option_string=None):
+        run_tests(values)
+
+
+class covAction(argparse.Action):
+
+    def runSslGtests(self, outdir):
         env = {
-            "NSS_TESTS": test,
-            "NSS_CYCLES": cycles,
-            "DOMSUF": domsuf,
-            "HOST": host
+            "GTESTFILTER": "*", # Prevent parallel test runs.
+            "ASAN_OPTIONS": "coverage=1:coverage_dir=" + outdir
         }
-        os_env = os.environ
-        os_env.update(env)
-        command = cwd + "/tests/all.sh"
-        subprocess.check_call(command, env=os_env)
+
+        run_tests("ssl_gtests", env=env, silent=True)
+
+    def findSanCovFile(self, outdir):
+        for file in os.listdir(outdir):
+            if fnmatch.fnmatch(file, 'ssl_gtest.*.sancov'):
+                return os.path.join(outdir, file)
+
+        return None
 
     def __call__(self, parser, args, values, option_string=None):
-        self.runTest(values)
+        outdir = args.outdir
+        print("Output directory: " + outdir)
+
+        print("\nBuild with coverage sanitizers...\n")
+        sancov_args = "edge,no-prune,trace-pc-guard,trace-cmp"
+        subprocess.check_call([
+            os.path.join(cwd, "build.sh"), "-c", "--clang", "--asan",
+            "--sancov=" + sancov_args
+        ])
+
+        print("\nRun ssl_gtests to get a coverage report...")
+        self.runSslGtests(outdir)
+        print("Done.")
+
+        sancov_file = self.findSanCovFile(outdir)
+        if not sancov_file:
+            print("Couldn't find .sancov file.")
+            sys.exit(1)
+
+        symcov_file = os.path.join(outdir, "ssl_gtest.symcov")
+        out = open(symcov_file, 'wb')
+        subprocess.check_call([
+            "sancov",
+            "-blacklist=" + os.path.join(cwd, ".sancov-blacklist"),
+            "-symbolize", sancov_file,
+            os.path.join(cwd, "../dist/Debug/bin/ssl_gtest")
+        ], stdout=out)
+        out.close()
+
+        print("\nCoverage report: " + symcov_file)
 
 
 class commandsAction(argparse.Action):
@@ -194,11 +247,21 @@ def parse_arguments():
     tests = [
         "cipher", "lowhash", "chains", "cert", "dbtests", "tools", "fips",
         "sdr", "crmf", "smime", "ssl", "ocsp", "merge", "pkits", "ec",
-        "gtests", "ssl_gtests"
+        "gtests", "ssl_gtests", "bogo", "interop", "policy"
     ]
     parser_test.add_argument(
         'test', choices=tests, help="Available tests", action=testAction)
 
+    parser_cov = subparsers.add_parser(
+        'coverage', help='Generate coverage report')
+    cov_modules = ["ssl_gtests"]
+    parser_cov.add_argument(
+        '--outdir', help='Output directory for coverage report data.',
+        default=tempfile.mkdtemp())
+    parser_cov.add_argument(
+        'module', choices=cov_modules, help="Available coverage modules",
+        action=covAction)
+
     parser_commands = subparsers.add_parser(
         'mach-commands',
         help="list commands")
diff --git a/security/nss/nss-tool/common/util.h b/security/nss/nss-tool/common/util.h
index 58fb058395..e7076336b6 100644
--- a/security/nss/nss-tool/common/util.h
+++ b/security/nss/nss-tool/common/util.h
@@ -6,7 +6,7 @@
 #define util_h__
 
 #include "nspr.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 
 #include <secmodt.h>
 #include <string>
diff --git a/security/nss/nss-tool/db/dbtool.cc b/security/nss/nss-tool/db/dbtool.cc
index 8c369cf056..5cd1f56083 100644
--- a/security/nss/nss-tool/db/dbtool.cc
+++ b/security/nss/nss-tool/db/dbtool.cc
@@ -4,7 +4,7 @@
 
 #include "dbtool.h"
 #include "argparse.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "util.h"
 
 #include <iomanip>
diff --git a/security/nss/nss-tool/digest/digesttool.cc b/security/nss/nss-tool/digest/digesttool.cc
index 08c3e3ba79..5efe6390ce 100644
--- a/security/nss/nss-tool/digest/digesttool.cc
+++ b/security/nss/nss-tool/digest/digesttool.cc
@@ -4,7 +4,7 @@
 
 #include "digesttool.h"
 #include "argparse.h"
-#include "scoped_ptrs.h"
+#include "nss_scoped_ptrs.h"
 #include "util.h"
 
 #include <algorithm>
diff --git a/security/nss/nss-tool/enc/enctool.h b/security/nss/nss-tool/enc/enctool.h
index 5a6a5a1640..f2296bb267 100644
--- a/security/nss/nss-tool/enc/enctool.h
+++ b/security/nss/nss-tool/enc/enctool.h
@@ -8,8 +8,8 @@
 #include <string>
 #include <vector>
 #include "argparse.h"
+#include "nss_scoped_ptrs.h"
 #include "prerror.h"
-#include "scoped_ptrs.h"
 #include "tool.h"
 
 class EncTool : public Tool {
diff --git a/security/nss/nss.gyp b/security/nss/nss.gyp
index 36b0dd9744..18fa92f125 100644
--- a/security/nss/nss.gyp
+++ b/security/nss/nss.gyp
@@ -5,115 +5,133 @@
   'includes': [
     'coreconf/config.gypi'
   ],
-  'targets': [
-    {
-      'target_name': 'nss_libs',
-      'type': 'none',
-      'dependencies': [
-        'lib/ckfw/builtins/builtins.gyp:nssckbi',
-        'lib/freebl/freebl.gyp:freebl3',
-        'lib/softoken/softoken.gyp:softokn3',
-      ],
-      'conditions': [
-        [ 'moz_fold_libs==0', {
-          'dependencies': [
-            'lib/nss/nss.gyp:nss3',
-            'lib/smime/smime.gyp:smime3',
-            'lib/sqlite/sqlite.gyp:sqlite3',
-            'lib/ssl/ssl.gyp:ssl3',
-            'lib/util/util.gyp:nssutil3',
-          ],
-        }],
-        [ 'OS=="linux"', {
+  'conditions': [
+    [ 'mozpkix_only==0', {
+      'targets': [
+        {
+          'target_name': 'nss_libs',
+          'type': 'none',
           'dependencies': [
-            'lib/freebl/freebl.gyp:freeblpriv3',
-            'lib/sysinit/sysinit.gyp:nsssysinit',
+            'lib/ckfw/builtins/builtins.gyp:nssckbi',
+            'lib/freebl/freebl.gyp:freebl3',
+            'lib/softoken/softoken.gyp:softokn3',
           ],
-        }],
-        [ 'disable_dbm==0', {
-          'dependencies': [
-            'lib/softoken/legacydb/legacydb.gyp:nssdbm3',
+          'conditions': [
+            [ 'moz_fold_libs==0', {
+              'dependencies': [
+                'lib/nss/nss.gyp:nss3',
+                'lib/smime/smime.gyp:smime3',
+                'lib/sqlite/sqlite.gyp:sqlite3',
+                'lib/ssl/ssl.gyp:ssl3',
+                'lib/util/util.gyp:nssutil3',
+              ],
+            }],
+            [ 'OS=="linux"', {
+              'dependencies': [
+                'lib/freebl/freebl.gyp:freeblpriv3',
+                'lib/sysinit/sysinit.gyp:nsssysinit',
+              ],
+            }],
+            [ 'disable_dbm==0', {
+              'dependencies': [
+                'lib/softoken/legacydb/legacydb.gyp:nssdbm3',
+              ],
+            }],
           ],
-        }],
-      ],
-    },
-    {
-      'target_name': 'nss_static_libs',
-      'type': 'none',
-      'dependencies': [
-        'cmd/lib/lib.gyp:sectool',
-        'lib/base/base.gyp:nssb',
-        'lib/certdb/certdb.gyp:certdb',
-        'lib/certhigh/certhigh.gyp:certhi',
-        'lib/ckfw/ckfw.gyp:nssckfw',
-        'lib/crmf/crmf.gyp:crmf',
-        'lib/cryptohi/cryptohi.gyp:cryptohi',
-        'lib/dev/dev.gyp:nssdev',
-        'lib/freebl/freebl.gyp:freebl',
-        'lib/jar/jar.gyp:jar',
-        'lib/nss/nss.gyp:nss_static',
-        'lib/pk11wrap/pk11wrap.gyp:pk11wrap',
-        'lib/pkcs12/pkcs12.gyp:pkcs12',
-        'lib/pkcs7/pkcs7.gyp:pkcs7',
-        'lib/pki/pki.gyp:nsspki',
-        'lib/smime/smime.gyp:smime',
-        'lib/softoken/softoken.gyp:softokn',
-        'lib/ssl/ssl.gyp:ssl',
-        'lib/util/util.gyp:nssutil',
-        'lib/libpkix/libpkix.gyp:libpkix',
-      ],
-      'conditions': [
-        [ 'OS=="linux"', {
+        },
+        {
+          'target_name': 'nss_static_libs',
+          'type': 'none',
           'dependencies': [
-            'lib/sysinit/sysinit.gyp:nsssysinit_static',
+            'cmd/lib/lib.gyp:sectool',
+            'lib/base/base.gyp:nssb',
+            'lib/certdb/certdb.gyp:certdb',
+            'lib/certhigh/certhigh.gyp:certhi',
+            'lib/ckfw/ckfw.gyp:nssckfw',
+            'lib/crmf/crmf.gyp:crmf',
+            'lib/cryptohi/cryptohi.gyp:cryptohi',
+            'lib/dev/dev.gyp:nssdev',
+            'lib/freebl/freebl.gyp:freebl',
+            'lib/jar/jar.gyp:jar',
+            'lib/libpkix/libpkix.gyp:libpkix',
+            # mozpkix and mozpkix-testlib are static C++ libs
+            'lib/mozpkix/mozpkix.gyp:mozpkix',
+            'lib/mozpkix/mozpkix.gyp:mozpkix-testlib',
+            'lib/nss/nss.gyp:nss_static',
+            'lib/pk11wrap/pk11wrap.gyp:pk11wrap',
+            'lib/pkcs12/pkcs12.gyp:pkcs12',
+            'lib/pkcs7/pkcs7.gyp:pkcs7',
+            'lib/pki/pki.gyp:nsspki',
+            'lib/smime/smime.gyp:smime',
+            'lib/softoken/softoken.gyp:softokn',
+            'lib/ssl/ssl.gyp:ssl',
+            'lib/util/util.gyp:nssutil',
           ],
-        }],
-        [ 'disable_dbm==0', {
-          'dependencies': [
-            'lib/dbm/src/src.gyp:dbm',
-            'lib/softoken/legacydb/legacydb.gyp:nssdbm',
+          'conditions': [
+            [ 'OS=="linux"', {
+              'dependencies': [
+                'lib/sysinit/sysinit.gyp:nsssysinit_static',
+              ],
+            }],
+            [ 'disable_dbm==0', {
+              'dependencies': [
+                'lib/dbm/src/src.gyp:dbm',
+                'lib/softoken/legacydb/legacydb.gyp:nssdbm',
+              ],
+            }],
+            [ 'use_system_sqlite==0', {
+              'dependencies': [
+                'lib/sqlite/sqlite.gyp:sqlite',
+              ],
+            }],
+            [ 'moz_fold_libs==1', {
+              'dependencies': [
+                'lib/nss/nss.gyp:nss3_static',
+                'lib/smime/smime.gyp:smime3_static',
+              ],
+            }],
           ],
-        }],
-        [ 'use_system_sqlite==0', {
+        },
+        {
+          'target_name': 'nss_cmds',
+          'type': 'none',
           'dependencies': [
-            'lib/sqlite/sqlite.gyp:sqlite',
+            'cmd/certutil/certutil.gyp:certutil',
+            'cmd/modutil/modutil.gyp:modutil',
+            'cmd/pk12util/pk12util.gyp:pk12util',
+            'cmd/shlibsign/shlibsign.gyp:shlibsign',
           ],
-        }],
-        [ 'moz_fold_libs==1', {
-          'dependencies': [
-            'lib/nss/nss.gyp:nss3_static',
-            'lib/smime/smime.gyp:smime3_static',
+          'conditions': [
+            [ 'mozilla_client==0', {
+              'dependencies': [
+                'cmd/crlutil/crlutil.gyp:crlutil',
+                'cmd/pwdecrypt/pwdecrypt.gyp:pwdecrypt',
+                'cmd/signtool/signtool.gyp:signtool',
+                'cmd/signver/signver.gyp:signver',
+                'cmd/smimetools/smimetools.gyp:cmsutil',
+                'cmd/ssltap/ssltap.gyp:ssltap',
+                'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
+                'nss-tool/nss_tool.gyp:nss',
+                'nss-tool/nss_tool.gyp:hw-support',
+              ],
+            }],
           ],
-        }],
-      ],
-    },
-    {
-      'target_name': 'nss_cmds',
-      'type': 'none',
-      'dependencies': [
-        'cmd/certutil/certutil.gyp:certutil',
-        'cmd/modutil/modutil.gyp:modutil',
-        'cmd/pk12util/pk12util.gyp:pk12util',
-        'cmd/shlibsign/shlibsign.gyp:shlibsign',
+        },
       ],
-      'conditions': [
-        [ 'mozilla_client==0', {
+    }, { # else, i.e. mozpkix_only==1
+      # Build only mozpkix.
+      'targets': [
+        {
+          'target_name': 'nss_mozpkix_libs',
+          'type': 'none',
           'dependencies': [
-            'cmd/crlutil/crlutil.gyp:crlutil',
-            'cmd/pwdecrypt/pwdecrypt.gyp:pwdecrypt',
-            'cmd/signtool/signtool.gyp:signtool',
-            'cmd/signver/signver.gyp:signver',
-            'cmd/smimetools/smimetools.gyp:cmsutil',
-            'cmd/ssltap/ssltap.gyp:ssltap',
-            'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
-            'nss-tool/nss_tool.gyp:nss',
-            'nss-tool/nss_tool.gyp:hw-support',
+            # mozpkix and mozpkix-testlib are static C++ libs
+            'lib/mozpkix/mozpkix.gyp:mozpkix',
+            'lib/mozpkix/mozpkix.gyp:mozpkix-testlib',
           ],
-        }],
+        },
       ],
-    },
-  ],
-  'conditions': [
+    }],
     [ 'disable_tests==0', {
       'targets': [
         {
@@ -135,6 +153,7 @@
             'cmd/listsuites/listsuites.gyp:listsuites',
             'cmd/makepqg/makepqg.gyp:makepqg',
             'cmd/multinit/multinit.gyp:multinit',
+            'cmd/nss-policy-check/nss-policy-check.gyp:nss-policy-check',
             'cmd/ocspclnt/ocspclnt.gyp:ocspclnt',
             'cmd/ocspresp/ocspresp.gyp:ocspresp',
             'cmd/oidcalc/oidcalc.gyp:oidcalc',
@@ -169,11 +188,12 @@
             'gtests/certdb_gtest/certdb_gtest.gyp:certdb_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:prng_gtest',
             'gtests/freebl_gtest/freebl_gtest.gyp:blake2b_gtest',
+            'gtests/mozpkix_gtest/mozpkix_gtest.gyp:mozpkix_gtest',
+            'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
             'gtests/pk11_gtest/pk11_gtest.gyp:pk11_gtest',
             'gtests/softoken_gtest/softoken_gtest.gyp:softoken_gtest',
             'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
             'gtests/util_gtest/util_gtest.gyp:util_gtest',
-            'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
           ],
           'conditions': [
             [ 'OS=="linux"', {
diff --git a/security/nss/readme.md b/security/nss/readme.md
index 17b99e805c..67eca19fb2 100644
--- a/security/nss/readme.md
+++ b/security/nss/readme.md
@@ -97,7 +97,7 @@ e.g. `NSS_TESTS=ssl_gtests ./all.sh` or by changing into the according directory
 and running the bash script there `cd ssl_gtests && ./ssl_gtests.sh`.  The
 following tests are available:
 
-    cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo
+    cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests bogo policy
 
 To make tests run faster it's recommended to set `NSS_CYCLES=standard` to run
 only the standard cycle.
diff --git a/security/nss/tests/all.sh b/security/nss/tests/all.sh
index f8a777fb3b..5ad0b522e4 100755
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -37,10 +37,13 @@
 #   memleak.sh   - memory leak testing (optional)
 #   ssl_gtests.sh- Gtest based unit tests for ssl
 #   gtests.sh    - Gtest based unit tests for everything else
+#   policy.sh    - Crypto Policy tests
 #   bogo.sh      - Bogo interop tests (disabled by default)
 #                  https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
 #   interop.sh   - Interoperability tests (disabled by default)
 #                  https://github.com/ekr/tls_interop
+#   tlsfuzzer.sh - tlsfuzzer interop tests (disabled by default)
+#                  https://github.com/tomato42/tlsfuzzer/
 #
 # NSS testing is now devided to 4 cycles:
 # ---------------------------------------
@@ -300,7 +303,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then
     RUN_FIPS="fips"
 fi
 
-tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
+tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy"
 # Don't run chains tests when we have a gyp build.
 if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
   tests="$tests chains"
@@ -315,7 +318,7 @@ if [ $NO_INIT_SUPPORT -eq 0 ]; then
 fi
 NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
 
-nss_ssl_run="cov auth stapling stress"
+nss_ssl_run="cov auth stapling signed_cert_timestamps stress scheme"
 NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
 
 # NOTE:
diff --git a/security/nss/tests/bogo/bogo.sh b/security/nss/tests/bogo/bogo.sh
index 4fccb845b4..e3e9c32dfb 100755
--- a/security/nss/tests/bogo/bogo.sh
+++ b/security/nss/tests/bogo/bogo.sh
@@ -25,7 +25,7 @@ bogo_init()
   BORING=${BORING:=boringssl}
   if [ ! -d "$BORING" ]; then
     git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
-    git -C "$BORING" checkout -q ec55dc15d3a39e5f1a58bfd79148729f38f6acb4
+    git -C "$BORING" checkout -q 7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107
   fi
 
   SCRIPTNAME="bogo.sh"
@@ -39,9 +39,9 @@ bogo_cleanup()
   . common/cleanup.sh
 }
 
-cd ../
-cwd=$(cd $(dirname $0); pwd -P)
-SOURCE_DIR="$cwd"/..
+cd "$(dirname "$0")"
+cwd=$(pwd -P)
+SOURCE_DIR="$(cd "$cwd"/../..; pwd -P)"
 bogo_init
 (cd "$BORING"/ssl/test/runner;
  GOPATH="$cwd" go test -pipe -shim-path "${BINDIR}"/nss_bogo_shim \
diff --git a/security/nss/tests/cert/TestUser-rsa-pss-interop.p12 b/security/nss/tests/cert/TestUser-rsa-pss-interop.p12
new file mode 100644
index 0000000000..f0e8d24d62
--- /dev/null
+++ b/security/nss/tests/cert/TestUser-rsa-pss-interop.p12
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index 34006efd19..b74de9be53 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -448,6 +448,27 @@ cert_add_cert()
 	fi
 	cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
 
+	echo "Importing RSA-PSS server certificate"
+	pk12u -i ${QADIR}/cert/TestUser-rsa-pss-interop.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${PROFILEDIR}
+	# Let's get the key ID of the imported private key.
+	KEYID=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+		grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'`
+
+	CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME"
+	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+	certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \
+	-z "${R_NOISE_FILE}" -o req 2>&1
+
+	CU_ACTION="Sign ${CERTNAME}'s RSA-PSS Request"
+	NEWSERIAL=`expr ${CERTSERIAL} + 30000`
+	certu -C -c "TestCA" -m "$NEWSERIAL" -v 60 -d "${P_R_CADIR}" \
+	      -i req -o "${CERTNAME}-rsa-pss.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+	CU_ACTION="Import $CERTNAME's RSA-PSS Cert -t u,u,u"
+	certu -A -n "$CERTNAME-rsa-pss" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+	      -i "${CERTNAME}-rsa-pss.cert" 2>&1
+	cert_log "SUCCESS: $CERTNAME's RSA-PSS Cert Created"
+
     return 0
 }
 
@@ -2103,6 +2124,23 @@ cert_test_implicit_db_init()
   certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
 }
 
+cert_test_token_uri()
+{
+  echo "$SCRIPTNAME: specify token with PKCS#11 URI"
+
+  CERTIFICATE_DB_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*NSS%20Certificate%20DB.*\)/\1/p'`
+  BUILTIN_OBJECTS_URI=`${BINDIR}/certutil -U -f "${R_PWFILE}" -d ${P_R_SERVERDIR} | sed -n 's/^ *uri: \(.*Builtin%20Object%20Token.*\)/\1/p'`
+
+  CU_ACTION="List keys in NSS Certificate DB"
+  certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${CERTIFICATE_DB_URI}
+
+  # This token shouldn't have any keys
+  CU_ACTION="List keys in NSS Builtin Objects"
+  RETEXPECTED=255
+  certu -K -f "${R_PWFILE}" -d ${P_R_SERVERDIR} -h ${BUILTIN_OBJECTS_URI}
+  RETEXPECTED=0
+}
+
 check_sign_algo()
 {
   certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
@@ -2475,6 +2513,29 @@ EOF
   RETEXPECTED=0
 }
 
+cert_test_orphan_key_delete()
+{
+  CU_ACTION="Create orphan key in serverdir"
+  certu -G -k ec -q nistp256 -f "${R_PWFILE}" -z ${R_NOISE_FILE} -d ${PROFILEDIR}
+  # Let's get the key ID of the first orphan key.
+  # The output of certutil -K (list keys) isn't well formatted.
+  # The initial <key-number> part may or may not contain white space, which
+  # makes the use of awk to filter the column unreliable.
+  # To fix that, we remove the initial <number> field using sed, then select the
+  # column that contains the key ID.
+  ORPHAN=`${BINDIR}/certutil -d ${PROFILEDIR} -K -f ${R_PWFILE} | \
+          sed 's/^<.*>//g' | grep -w orphan | head -1 | awk '{print $2}'`
+  CU_ACTION="Delete orphan key"
+  certu -F -f "${R_PWFILE}" -k ${ORPHAN} -d ${PROFILEDIR}
+  # Ensure that the key is removed
+  certu -K -f "${R_PWFILE}" -d ${PROFILEDIR} | grep ${ORPHAN}
+  RET=$?
+  if [ "$RET" -eq 0 ]; then
+    html_failed "Deleting orphan key ($RET)"
+    cert_log "ERROR: Deleting orphan key failed $RET"
+  fi
+}
+
 cert_test_orphan_key_reuse()
 {
   CU_ACTION="Create orphan key in serverdir"
@@ -2500,6 +2561,43 @@ cert_test_orphan_key_reuse()
   fi
 }
 
+cert_test_rsapss_policy()
+{
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
+  CERTNAME="TestUser-rsa-pss-policy"
+
+  # Subject certificate: RSA-PSS
+  # Issuer certificate: RSA
+  # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1)
+  CU_ACTION="Generate Cert Request for $CERTNAME"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
+
+  CU_ACTION="Sign ${CERTNAME}'s Request"
+  certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+  CU_ACTION="Import $CERTNAME's Cert"
+  certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${CERTNAME}.cert" 2>&1
+
+  CU_ACTION="Verify $CERTNAME's Cert"
+  certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}"
+
+  CU_ACTION="Verify $CERTNAME's Cert with Policy"
+  cp ${PROFILEDIR}/pkcs11.txt pkcs11.txt.orig
+  cat >> ${PROFILEDIR}/pkcs11.txt << ++EOF++
+library=
+name=Policy
+config="disallow=SHA1"
+++EOF++
+  RETEXPECTED=255
+  certu -V -n "TestUser-rsa-pss-policy" -u V -V -e -d "${PROFILEDIR}" -f "${R_PWFILE}"
+  RETEXPECTED=0
+  cp pkcs11.txt.orig ${PROFILEDIR}/pkcs11.txt
+}
+
 ############################## cert_cleanup ############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
@@ -2519,6 +2617,7 @@ cert_all_CA
 cert_test_implicit_db_init
 cert_extended_ssl
 cert_ssl
+cert_test_orphan_key_delete
 cert_test_orphan_key_reuse
 cert_smime_client
 IS_FIPS_DISABLED=`certutil --build-flags |grep -cw NSS_FIPS_DISABLED`
@@ -2534,6 +2633,10 @@ cert_test_password
 cert_test_distrust
 cert_test_ocspresp
 cert_test_rsapss
+if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+  cert_test_rsapss_policy
+fi
+cert_test_token_uri
 
 if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
     cert_crl_ssl
diff --git a/security/nss/tests/chains/chains.sh b/security/nss/tests/chains/chains.sh
index 4c3fa57a0b..32c7ef54ce 100755
--- a/security/nss/tests/chains/chains.sh
+++ b/security/nss/tests/chains/chains.sh
@@ -51,13 +51,13 @@ is_httpserv_alive()
 wait_for_httpserv()
 {
   echo "trying to connect to httpserv at `date`"
-  echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
-  ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+  echo "tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+  ${BINDIR}/tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
   if [ $? -ne 0 ]; then
       sleep 5
       echo "retrying to connect to httpserv at `date`"
-      echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
-      ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+      echo "tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+      ${BINDIR}/tstclnt -4 -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
       if [ $? -ne 0 ]; then
           html_failed "Waiting for Server"
       fi
@@ -352,6 +352,12 @@ create_cert_req()
 -1
 y
 "
+    else
+        CA_FLAG="-2"
+        EXT_DATA="n
+-1
+y
+"
     fi
 
     process_crldp
@@ -974,8 +980,8 @@ check_ocsp()
     OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
     OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
 
-    echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
-    tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
+    echo "tstclnt -4 -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
+    tstclnt -4 -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
     return $?
 }
 
@@ -1258,6 +1264,12 @@ process_scenario()
     rm ${AIA_FILES}
 }
 
+# process ipsec.cfg separately
+chains_ipsec()
+{
+    process_scenario "ipsec.cfg"
+}
+
 # process ocspd.cfg separately
 chains_ocspd()
 {
@@ -1279,6 +1291,7 @@ chains_main()
     do
         [ `echo ${LINE} | cut -b 1` != "#" ] || continue
 
+	[ ${LINE} != 'ipsec.cfg' ] || continue
 	[ ${LINE} != 'ocspd.cfg' ] || continue
 	[ ${LINE} != 'method.cfg' ] || continue
 
@@ -1292,6 +1305,7 @@ chains_init
 VERIFY_CLASSIC_ENGINE_TOO=
 chains_ocspd
 VERIFY_CLASSIC_ENGINE_TOO=1
+chains_ipsec
 chains_run_httpserv get
 chains_method
 chains_stop_httpserv
diff --git a/security/nss/tests/chains/scenarios/ipsec.cfg b/security/nss/tests/chains/scenarios/ipsec.cfg
new file mode 100644
index 0000000000..811bf9c09a
--- /dev/null
+++ b/security/nss/tests/chains/scenarios/ipsec.cfg
@@ -0,0 +1,61 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+scenario IPsec
+
+entity Root
+  type Root
+
+entity CA1
+  type Intermediate
+  issuer Root 
+
+entity NoKU
+  type EE
+  issuer CA1
+
+entity DigSig
+  type EE
+  issuer CA1
+    ku digitalSignature
+
+entity NonRep
+  type EE
+  issuer CA1
+    ku nonRepudiation
+
+entity DigSigNonRepAndExtra
+  type EE
+  issuer CA1
+    ku digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement
+
+entity NoMatch
+  type EE
+  issuer CA1
+    ku keyEncipherment,dataEncipherment,keyAgreement
+
+db All
+
+import Root::C,,
+import CA1:Root:
+
+verify NoKU:CA1
+  usage 12
+  result pass
+
+verify DigSig:CA1
+  usage 12
+  result pass
+
+verify NonRep:CA1
+  usage 12
+  result pass
+
+verify DigSigNonRepAndExtra:CA1
+  usage 12
+  result pass
+
+verify NoMatch:CA1
+  usage 12
+  result fail
diff --git a/security/nss/tests/chains/scenarios/realcerts.cfg b/security/nss/tests/chains/scenarios/realcerts.cfg
index d2a8c71436..305443fc34 100644
--- a/security/nss/tests/chains/scenarios/realcerts.cfg
+++ b/security/nss/tests/chains/scenarios/realcerts.cfg
@@ -21,7 +21,7 @@ verify TestUser51:x
   result pass
 
 verify PayPalEE:x
-  policy OID.2.16.840.1.114412.1.1 
+  policy OID.2.16.840.1.114412.2.1 
   result pass
 
 verify BrAirWaysBadSig:x
diff --git a/security/nss/tests/chains/scenarios/scenarios b/security/nss/tests/chains/scenarios/scenarios
index d26c3f92ef..4eafd9c8d0 100644
--- a/security/nss/tests/chains/scenarios/scenarios
+++ b/security/nss/tests/chains/scenarios/scenarios
@@ -22,3 +22,4 @@ ocsp.cfg
 crldp.cfg
 trustanchors.cfg
 nameconstraints.cfg
+ipsec.cfg
diff --git a/security/nss/tests/common/certsetup.sh b/security/nss/tests/common/certsetup.sh
new file mode 100644
index 0000000000..2b5cef840b
--- /dev/null
+++ b/security/nss/tests/common/certsetup.sh
@@ -0,0 +1,57 @@
+# Generate input to certutil
+certscript() {
+  ca=n
+  while [ $# -gt 0 ]; do
+    case $1 in
+      sign) echo 0 ;;
+      kex) echo 2 ;;
+      ca) echo 5;echo 6;ca=y ;;
+    esac; shift
+  done;
+  echo 9
+  echo n
+  echo $ca
+  echo
+  echo n
+}
+
+# $1: name
+# $2: type
+# $3+: usages: sign or kex
+make_cert() {
+  name=$1
+  type=$2
+
+  # defaults
+  type_args=()
+  trust=',,'
+  sign=(-x)
+  sighash=(-Z SHA256)
+
+  case $type in
+    dsa) type_args=(-g 1024) ;;
+    rsa) type_args=(-g 1024) ;;
+    rsa2048) type_args=(-g 2048);type=rsa ;;
+    rsa8192) type_args=(-g 8192);type=rsa ;;
+    rsapss) type_args=(-g 1024 --pss);type=rsa ;;
+    rsapss384) type_args=(-g 1024 --pss);type=rsa;sighash=(-Z SHA384) ;;
+    rsapss512) type_args=(-g 2048 --pss);type=rsa;sighash=(-Z SHA512) ;;
+    rsapss_noparam) type_args=(-g 2048 --pss);type=rsa;sighash=() ;;
+    p256) type_args=(-q nistp256);type=ec ;;
+    p384) type_args=(-q secp384r1);type=ec ;;
+    p521) type_args=(-q secp521r1);type=ec ;;
+    rsa_ca) type_args=(-g 1024);trust='CT,CT,CT';type=rsa ;;
+    rsa_chain) type_args=(-g 1024);sign=(-c rsa_ca);type=rsa;;
+    rsapss_ca) type_args=(-g 1024 --pss);trust='CT,CT,CT';type=rsa ;;
+    rsapss_chain) type_args=(-g 1024);sign=(-c rsa_pss_ca);type=rsa;;
+    rsa_ca_rsapss_chain) type_args=(-g 1024 --pss-sign);sign=(-c rsa_ca);type=rsa;;
+    ecdh_rsa) type_args=(-q nistp256);sign=(-c rsa_ca);type=ec ;;
+  esac
+  shift 2
+  counter=$(($counter + 1))
+  certscript $@ | ${BINDIR}/certutil -S \
+    -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
+    -n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \
+    -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2
+  html_msg $? 0 "create certificate: $@"
+}
diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh
index 6aa22af8d8..2896f1321b 100644
--- a/security/nss/tests/common/init.sh
+++ b/security/nss/tests/common/init.sh
@@ -356,40 +356,34 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
 
 #HOST and DOMSUF are needed for the server cert
 
-    DOMAINNAME=`which domainname`
-    if [ -z "${DOMSUF}" -a $? -eq 0 -a -n "${DOMAINNAME}" ]; then
+    if [ -z "$DOMSUF" ] && hash domainname 2>/dev/null; then
         DOMSUF=`domainname`
     fi
+    # hostname -d and domainname both return (none) if hostname doesn't
+    # include a dot.  Pretend we didn't get an answer.
+    if [ "$DOMSUF" = "(none)" ]; then
+        DOMSUF=
+    fi
 
-    case $HOST in
+    if [ -z "$HOST" ]; then
+        HOST=`uname -n`
+    fi
+    case "$HOST" in
         *\.*)
-            if [ -z "${DOMSUF}" ]; then
-                DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
+            if [ -z "$DOMSUF" ]; then
+                DOMSUF="${HOST#*.}"
             fi
-            HOST=`echo $HOST | sed -e "s/\..*//"`
+            HOST="${HOST%%.*}"
             ;;
         ?*)
             ;;
         *)
-            HOST=`uname -n`
-            case $HOST in
-                *\.*)
-                    if [ -z "${DOMSUF}" ]; then
-                        DOMSUF=`echo $HOST | sed -e "s/^[^.]*\.//"`
-                    fi
-                    HOST=`echo $HOST | sed -e "s/\..*//"`
-                    ;;
-                ?*)
-                    ;;
-                *)
-                    echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
-                    exit 1 #does not need to be Exit, very early in script
-                    ;;
-            esac
+            echo "$SCRIPTNAME: Fatal HOST environment variable is not defined."
+            exit 1 #does not need to be Exit, very early in script
             ;;
     esac
 
-    if [ -z "${DOMSUF}" -a "${OS_ARCH}" != "Android" ]; then
+    if [ -z "$DOMSUF" -a "$OS_ARCH" != "Android" ]; then
         echo "$SCRIPTNAME: Fatal DOMSUF env. variable is not defined."
         exit 1 #does not need to be Exit, very early in script
     fi
@@ -397,8 +391,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
 #HOSTADDR was a workaround for the dist. stress test, and is probably
 #not needed anymore (purpose: be able to use IP address for the server
 #cert instead of PC name which was not in the DNS because of dyn IP address
-    if [ -z "$USE_IP" -o "$USE_IP" != "TRUE" ] ; then
-        if [ -z "${DOMSUF}" ]; then
+    if [ "$USE_IP" != "TRUE" ] ; then
+        if [ -z "$DOMSUF" ]; then
             HOSTADDR=${HOST}
         else
             HOSTADDR=${HOST}.${DOMSUF}
@@ -595,7 +589,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
         P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
         P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
         P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
-	P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
+        P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
     fi
 
     R_PWFILE=../tests.pw
diff --git a/security/nss/tests/interop/interop.sh b/security/nss/tests/interop/interop.sh
index 50c8bb3c18..18737c7265 100644
--- a/security/nss/tests/interop/interop.sh
+++ b/security/nss/tests/interop/interop.sh
@@ -24,8 +24,8 @@ interop_init()
   cd "${HOSTDIR}/interop"
   INTEROP=${INTEROP:=tls_interop}
   if [ ! -d "$INTEROP" ]; then
-    git clone -q https://github.com/ttaubert/tls-interop "$INTEROP"
-    git -C "$INTEROP" checkout -q d07b28ac32b390dea1c9bcca5c56716247d23e5e
+    git clone -q https://github.com/mozilla/tls-interop "$INTEROP"
+    git -C "$INTEROP" checkout -q c00685aa953c49f1e844e614746aadc783e81b19
   fi
   INTEROP=$(cd "$INTEROP";pwd -P)
 
@@ -33,9 +33,34 @@ interop_init()
   BORING=${BORING:=boringssl}
   if [ ! -d "$BORING" ]; then
     git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
-    git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
+    git -C "$BORING" checkout -q 7f4f41fa81c03e0f8ef1ab5b3d1d566b5968f107
   fi
   BORING=$(cd "$BORING";pwd -P)
+  mkdir "$BORING/build"
+  cd "$BORING/build"
+  
+  # Build boring explicitly with gcc because it fails on builds where 
+  # CC=clang-5.0, for example on asan-builds.
+  export CC=gcc
+  cmake ..
+  make -j$(nproc)
+
+  # Check out and build OpenSSL. 
+  # Build with "enable-external-tests" to include the shim in the build. 
+  cd "${HOSTDIR}"
+  OSSL=${OSSL:=openssl}
+  if [ ! -d "$OSSL" ]; then
+    git clone -q https://github.com/openssl/openssl.git "$OSSL"
+    git -C "$OSSL" checkout -q 7d38ca3f8bca58bf7b69e78c1f1ab69e5f429dff
+  fi
+  OSSL=$(cd "$OSSL";pwd -P)
+  cd "$OSSL"
+  ./config enable-external-tests
+  make -j$(nproc)
+
+  #Some filenames in the OpenSSL repository contain "core".
+  #This prevents false positive "core file detected" errors.
+  detect_core
 
   SCRIPTNAME="interop.sh"
   html_head "interop test"
@@ -56,21 +81,26 @@ interop_run()
   server=$3
 
   (cd "$INTEROP";
-   cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log
+   cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json $4 $5 ) 2>interop-${test_name}.errors | tee interop-${test_name}.log
   RESULT=${PIPESTATUS[0]}
-  html_msg "${RESULT}" 0 "Interop" "Run successfully"
+  html_msg "${RESULT}" 0 "Interop ${test_name}" "Run successfully"
   if [ $RESULT -ne 0 ]; then
     cat interop-${test_name}.errors
     cat interop-${test_name}.log
   fi
   grep -i 'FAILED\|Assertion failure' interop-${test_name}.errors
-  html_msg $? 1 "Interop" "No failures"
+  html_msg $? 1 "Interop ${test_name}" "No failures"
 }
 
 cd "$(dirname "$0")"
-SOURCE_DIR="$PWD"/../..
 interop_init
 NSS_SHIM="$BINDIR"/nss_bogo_shim
 BORING_SHIM="$BORING"/build/ssl/test/bssl_shim
+OSSL_SHIM="$OSSL"/test/ossl_shim/ossl_shim
+export LD_LIBRARY_PATH="$LD_LIBRARY_PATH":"$OSSL"
 interop_run "nss_nss" ${NSS_SHIM} ${NSS_SHIM}
+interop_run "bssl_nss" ${BORING_SHIM} ${NSS_SHIM}
+interop_run "nss_bssl" ${NSS_SHIM} ${BORING_SHIM} "--client-writes-first"
+interop_run "ossl_nss" ${OSSL_SHIM} ${NSS_SHIM} "--force-IPv4"
+interop_run "nss_ossl" ${NSS_SHIM} ${OSSL_SHIM} "--client-writes-first" "--force-IPv4"
 interop_cleanup
diff --git a/security/nss/tests/libpkix/certs/PayPalEE.cert b/security/nss/tests/libpkix/certs/PayPalEE.cert
index d71fbb5016..aef4086762 100644
--- a/security/nss/tests/libpkix/certs/PayPalEE.cert
+++ b/security/nss/tests/libpkix/certs/PayPalEE.cert
diff --git a/security/nss/tests/libpkix/certs/PayPalICA.cert b/security/nss/tests/libpkix/certs/PayPalICA.cert
index 07e025defb..dd14c1b218 100644
--- a/security/nss/tests/libpkix/certs/PayPalICA.cert
+++ b/security/nss/tests/libpkix/certs/PayPalICA.cert
diff --git a/security/nss/tests/libpkix/vfychain_test.lst b/security/nss/tests/libpkix/vfychain_test.lst
index 78d6185c36..624c6466d5 100644
--- a/security/nss/tests/libpkix/vfychain_test.lst
+++ b/security/nss/tests/libpkix/vfychain_test.lst
@@ -1,4 +1,4 @@
 # Status | Leaf Cert | Policies | Others(undef)
 0 TestUser50 undef
 0 TestUser51 undef
-0 PayPalEE OID.2.16.840.1.114412.1.1
+0 PayPalEE OID.2.16.840.1.114412.2.1
diff --git a/security/nss/tests/policy/crypto-policy.txt b/security/nss/tests/policy/crypto-policy.txt
new file mode 100644
index 0000000000..9a8c0cd1b5
--- /dev/null
+++ b/security/nss/tests/policy/crypto-policy.txt
@@ -0,0 +1,19 @@
+# col 1: expected return value of nss-policy-check
+# col 2: policy config statement, using _ instead of space
+# col 3: an extended regular expression, expected to match the output
+# col 4: description of the test
+#
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
+0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
+2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
+2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
+2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
+1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all
+1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes
+1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled
+1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled
+1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions
+1 disallow=ALL_allow=dtls-version-min=tls1.2:dtls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS Invalid range of DTLS versions
+1 disallow=ALL_allow=tls-version-min=tls1.1:tls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-TLS-VERSIONS Valid range of TLS versions
+1 disallow=ALL_allow=dtls-version-min=tls1.1:dtls-version-max=tls1.2 NSS-POLICY-INFO.*NUMBER-OF-DTLS-VERSIONS Valid range of DTLS versions
diff --git a/security/nss/tests/policy/policy.sh b/security/nss/tests/policy/policy.sh
new file mode 100644
index 0000000000..228c982a5a
--- /dev/null
+++ b/security/nss/tests/policy/policy.sh
@@ -0,0 +1,58 @@
+#! /bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# mozilla/security/nss/tests/policy/policy.sh
+#
+# Script to test NSS crypto policy code
+#
+########################################################################
+
+ignore_blank_lines()
+{
+  LC_ALL=C grep -v '^[[:space:]]*\(#\|$\)' "$1"
+}
+
+policy_run_tests()
+{
+  html_head "CRYPTO-POLICY"
+
+  POLICY_INPUT=${QADIR}/policy/crypto-policy.txt
+
+  ignore_blank_lines ${POLICY_INPUT} | \
+  while read value policy match testname
+  do
+    echo "$SCRIPTNAME: running \"$testname\" ----------------------------"
+    policy=`echo ${policy} | sed -e 's;_; ;g'`
+    match=`echo ${match} | sed -e 's;_; ;g'`
+    POLICY_FILE="${TMP}/nss-policy"
+
+    echo "$SCRIPTNAME: policy: \"$policy\""
+
+    cat > "$POLICY_FILE" << ++EOF++
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+++EOF++
+    echo "config=\"${policy}\"" >> "$POLICY_FILE"
+    echo "" >> "$POLICY_FILE"
+
+    nss-policy-check "$POLICY_FILE" >${TMP}/$HOST.tmp.$$ 2>&1
+    ret=$?
+    cat ${TMP}/$HOST.tmp.$$
+
+    html_msg $ret $value "\"${testname}\"" \
+        "produced a returncode of $ret, expected is $value"
+
+    egrep "${match}" ${TMP}/$HOST.tmp.$$
+    ret=$?
+    html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\""
+
+  done
+}
+
+policy_run_tests
diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh
index 9a63bd9971..c1730d8d76 100755
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -64,9 +64,9 @@ ssl_init()
     PORT=$(($PORT + $padd))
   fi
   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
-  nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls"
+  nss_ssl_run="stapling signed_cert_timestamps cov auth stress dtls scheme"
   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
-  
+
   # Test case files
   SSLCOV=${QADIR}/ssl/sslcov.txt
   SSLAUTH=${QADIR}/ssl/sslauth.txt
@@ -210,24 +210,28 @@ start_selfserv()
   if [ -n "$testname" ] ; then
       echo "$SCRIPTNAME: $testname ----"
   fi
-  sparam=`echo $sparam | sed -e 's;_; ;g'`
-  if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
+  if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
       ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
   else
       ECC_OPTIONS=""
   fi
+  if [ -z "$RSA_PSS_CERT" -o "$RSA_PSS_CERT" != "1" ] ; then
+      RSA_OPTIONS="-n ${HOSTADDR}"
+  else
+      RSA_OPTIONS="-n ${HOSTADDR}-rsa-pss"
+  fi
   echo "selfserv starting at `date`"
-  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
-  echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
+  echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \\"
+  echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID}\\"
   echo "         -V ssl3:tls1.2 $verbose -H 1 &"
   if [ ${fileout} -eq 1 ]; then
-      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
+      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
+               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 \
                > ${SERVEROUTFILE} 2>&1 &
       RET=$?
   else
-      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
+      ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} ${RSA_OPTIONS} ${SERVER_OPTIONS} \
+               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss "$@" -i ${R_SERVERPID} -V ssl3:tls1.2 $verbose -H 1 &
       RET=$?
   fi
 
@@ -270,9 +274,8 @@ ssl_cov()
   html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
-  sparam="$CIPHER_SUITES"
 
-  start_selfserv # Launch the server
+  start_selfserv $CIPHER_SUITES # Launch the server
 
   VMIN="ssl3"
   VMAX="tls1.1"
@@ -283,6 +286,13 @@ ssl_cov()
       echo "${testname}" | grep "EXPORT" > /dev/null
       EXP=$?
 
+      # RSA-PSS tests are handled in a separate function
+      case $testname in
+        *RSA-PSS)
+          continue
+          ;;
+      esac
+
       echo "$SCRIPTNAME: running $testname ----------------------------"
       VMAX="ssl3"
       if [ "$testmax" = "TLS10" ]; then
@@ -313,6 +323,58 @@ ssl_cov()
   html "</TABLE><BR>"
 }
 
+ssl_cov_rsa_pss()
+{
+  #verbose="-v"
+  html_head "SSL Cipher Coverage (RSA-PSS) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+  testname=""
+
+  if [ "$NORM_EXT" = "Extended Test" ] ; then
+      echo "$SCRIPTNAME: skipping SSL Cipher Coverage (RSA-PSS) for $NORM_EXT"
+      return 0
+  fi
+
+  RSA_PSS_CERT=1
+  NO_ECC_CERTS=1
+  start_selfserv $CIPHER_SUITES
+  RSA_PSS_CERT=0
+  NO_ECC_CERTS=0
+
+  VMIN="tls1.2"
+  VMAX="tls1.2"
+
+  ignore_blank_lines ${SSLCOV} | \
+  while read ectype testmax param testname
+  do
+      case $testname in
+        *RSA-PSS)
+          ;;
+        *)
+          continue
+          ;;
+      esac
+
+      echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------"
+
+      echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
+      echo "        -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
+
+      rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+      ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
+              -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
+              >${TMP}/$HOST.tmp.$$  2>&1
+      ret=$?
+      cat ${TMP}/$HOST.tmp.$$
+      rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+      html_msg $ret 0 "${testname}" \
+               "produced a returncode of $ret, expected is 0"
+  done
+
+  kill_selfserv
+  html "</TABLE><BR>"
+}
+
 ############################## ssl_auth ################################
 # local shell function to perform SSL  Client Authentication tests
 ########################################################################
@@ -337,7 +399,7 @@ ssl_auth()
               cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
               sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
           fi
-          start_selfserv
+          start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
 
           echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
           echo "        ${cparam}  < ${REQUEST_FILE}"
@@ -370,15 +432,15 @@ ssl_stapling_sub()
     value=$3
 
     if [ "$NORM_EXT" = "Extended Test" ] ; then
-	# these tests use the ext_client directory for tstclnt,
-	# which doesn't contain the required "TestCA" for server cert
-	# verification, I don't know if it would be OK to add it...
-	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
-	return 0
+        # these tests use the ext_client directory for tstclnt,
+        # which doesn't contain the required "TestCA" for server cert
+        # verification, I don't know if it would be OK to add it...
+        echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+        return 0
     fi
     if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
-	return 0
+        return 0
     fi
 
     SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
@@ -395,8 +457,8 @@ ssl_stapling_sub()
     echo "        -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE}"
     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
     ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
-	    -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
-	    >${TMP}/$HOST.tmp.$$  2>&1
+            -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 < ${REQUEST_FILE} \
+            >${TMP}/$HOST.tmp.$$  2>&1
     ret=$?
     cat ${TMP}/$HOST.tmp.$$
     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
@@ -405,7 +467,7 @@ ssl_stapling_sub()
     # (see commands in ssl_auth
 
     html_msg $ret $value "${testname}" \
-	    "produced a returncode of $ret, expected is $value"
+            "produced a returncode of $ret, expected is $value"
     kill_selfserv
 
     SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
@@ -419,15 +481,15 @@ ssl_stapling_stress()
     value=0
 
     if [ "$NORM_EXT" = "Extended Test" ] ; then
-	# these tests use the ext_client directory for tstclnt,
-	# which doesn't contain the required "TestCA" for server cert
-	# verification, I don't know if it would be OK to add it...
-	echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
-	return 0
+        # these tests use the ext_client directory for tstclnt,
+        # which doesn't contain the required "TestCA" for server cert
+        # verification, I don't know if it would be OK to add it...
+        echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
+        return 0
     fi
     if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
-	return 0
+        return 0
     fi
 
     SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}
@@ -443,13 +505,13 @@ ssl_stapling_stress()
     echo "         -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}"
     echo "strsclnt started at `date`"
     ${PROFTOOL} ${BINDIR}/strsclnt -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \
-	    -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
+            -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}
     ret=$?
 
     echo "strsclnt completed at `date`"
     html_msg $ret $value \
-	    "${testname}" \
-	    "produced a returncode of $ret, expected is $value."
+            "${testname}" \
+            "produced a returncode of $ret, expected is $value."
     kill_selfserv
 
     SERVER_OPTIONS=${SAVE_SERVER_OPTIONS}
@@ -556,7 +618,7 @@ ssl_stress()
               sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
           fi
 
-          start_selfserv
+          start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
 
           if [ "`uname -n`" = "sjsu" ] ; then
               echo "debugging disapering selfserv... ps -ef | grep selfserv"
@@ -610,56 +672,56 @@ ssl_crl_ssl()
     if [ "$ectype" = "SNI" ]; then
         continue
     else
-	servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
-	pwd=`echo $cparam | grep nss`
-	user=`echo $cparam | grep TestUser`
-	_cparam=$cparam
-	case $servarg in
-	    1) if [ -z "$pwd" -o -z "$user" ]; then
+        servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
+        pwd=`echo $cparam | grep nss`
+        user=`echo $cparam | grep TestUser`
+        _cparam=$cparam
+        case $servarg in
+            1) if [ -z "$pwd" -o -z "$user" ]; then
                  rev_modvalue=0
                else
-	         rev_modvalue=254
+                 rev_modvalue=254
                fi
                ;;
-	    2) rev_modvalue=254 ;;
-	    3) if [ -z "$pwd" -o -z "$user" ]; then
-		rev_modvalue=0
-		else
-		rev_modvalue=1
-		fi
-		;;
-	    4) rev_modvalue=1 ;;
-	esac
-	TEMP_NUM=0
-	while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
-	  do
-	  CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
-	  TEMP_NUM=`expr $TEMP_NUM + 1`
-	  USER_NICKNAME="TestUser${CURR_SER_NUM}"
-	  cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
-	  start_selfserv
-
-	  echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
-	  echo "        ${cparam}  < ${REQUEST_FILE}"
-	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-	  ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
-	      -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
-	      >${TMP}/$HOST.tmp.$$  2>&1
-	  ret=$?
-	  cat ${TMP}/$HOST.tmp.$$
-	  rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-	  if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
-	      modvalue=$rev_modvalue
+            2) rev_modvalue=254 ;;
+            3) if [ -z "$pwd" -o -z "$user" ]; then
+                rev_modvalue=0
+                else
+                rev_modvalue=1
+                fi
+                ;;
+            4) rev_modvalue=1 ;;
+        esac
+        TEMP_NUM=0
+        while [ $TEMP_NUM -lt $CRL_GROUP_RANGE ]
+          do
+          CURR_SER_NUM=`expr ${CRL_GROUP_BEGIN} + ${TEMP_NUM}`
+          TEMP_NUM=`expr $TEMP_NUM + 1`
+          USER_NICKNAME="TestUser${CURR_SER_NUM}"
+          cparam=`echo $_cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
+          start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
+
+          echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\"
+          echo "        ${cparam}  < ${REQUEST_FILE}"
+          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+          ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
+              -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+              >${TMP}/$HOST.tmp.$$  2>&1
+          ret=$?
+          cat ${TMP}/$HOST.tmp.$$
+          rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+          if [ $CURR_SER_NUM -ne $UNREVOKED_CERT ]; then
+              modvalue=$rev_modvalue
               testAddMsg="revoked"
-	  else
+          else
               testAddMsg="not revoked"
-	      modvalue=$value
-	  fi
+              modvalue=$value
+          fi
 
-	  html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
-		"produced a returncode of $ret, expected is $modvalue"
-	  kill_selfserv
-	done
+          html_msg $ret $modvalue "${testname} (cert ${USER_NICKNAME} - $testAddMsg)" \
+                "produced a returncode of $ret, expected is $modvalue"
+          kill_selfserv
+        done
     fi
   done
 
@@ -702,7 +764,6 @@ ssl_policy()
   html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
-  sparam="$CIPHER_SUITES"
 
   if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
       html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
@@ -712,7 +773,7 @@ ssl_policy()
   echo "Saving pkcs11.txt"
   cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
 
-  start_selfserv # Launch the server
+  start_selfserv $CIPHER_SUITES
 
   ignore_blank_lines ${SSLPOLICY} | \
   while read value ectype testmax param policy testname
@@ -775,7 +836,6 @@ ssl_policy_listsuites()
   html_head "SSL POLICY LISTSUITES $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
-  sparam="$CIPHER_SUITES"
 
   if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
       html_failed "${SCRIPTNAME}: ${P_R_CLIENTDIR} is not initialized"
@@ -815,7 +875,6 @@ ssl_policy_selfserv()
   html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
-  sparam="$CIPHER_SUITES"
 
   if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
       html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
@@ -828,7 +887,7 @@ ssl_policy_selfserv()
   # Disallow RSA in key exchange explicitly
   setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR}
 
-  start_selfserv # Launch the server
+  start_selfserv $CIPHER_SUITES
 
   VMIN="ssl3"
   VMAX="tls1.2"
@@ -956,7 +1015,7 @@ _EOF_REQUEST_
              -p ../tests.pw.928
         ret=$?
         if [ "$ret" -eq 0 ]; then
-	    html_passed "${CU_ACTION}"
+            html_passed "${CU_ACTION}"
             return 1
         fi
         start_selfserv
@@ -984,8 +1043,7 @@ ssl_crl_cache()
   echo $?
   while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
     do
-    sparam=$SERV_ARG
-    start_selfserv
+    start_selfserv `echo $SERV_ARG | sed -e 's,_, ,g'`
     exec < ${SSLAUTH_TMP}
     while read ectype value sparam cparam testname
       do
@@ -1013,7 +1071,7 @@ ssl_crl_cache()
                 fi
                 ;;
             4) rev_modvalue=1 ;;
-	  esac
+          esac
         TEMP_NUM=0
         LOADED_GRP=1
         while [ ${LOADED_GRP} -le ${TOTAL_GRP_NUM} ]
@@ -1030,7 +1088,7 @@ ssl_crl_cache()
             echo "        ${cparam}  < ${REQUEST_FILE}"
             rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
             ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \
-	        -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
+                -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \
                 >${TMP}/$HOST.tmp.$$  2>&1
             ret=$?
             cat ${TMP}/$HOST.tmp.$$
@@ -1069,7 +1127,7 @@ ssl_crl_cache()
         # Restart selfserv to roll back to two initial group 1 crls
         # TestCA CRL and TestCA-ec CRL
         kill_selfserv
-        start_selfserv
+        start_selfserv `echo "$sparam" | sed -e 's,_, ,g'`
       fi
     done
     kill_selfserv
@@ -1106,22 +1164,66 @@ ssl_dtls()
                 -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} 2>&1 &
 
     PID=$!
-    
+
     sleep 1
-    
+
     echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
     echo "        -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE}"
     ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
-            -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1 
+            -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q < ${REQUEST_FILE} 2>&1
     ret=$?
     html_msg $ret $value "${testname}" \
              "produced a returncode of $ret, expected is $value"
 
     kill ${PID}
-    
+
   html "</TABLE><BR>"
 }
 
+############################ ssl_scheme ###################################
+# local shell function to test tstclnt and selfserv handling of signature schemes
+#########################################################################
+ssl_scheme()
+{
+    if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+        echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+        return 0
+    fi
+
+    html_head "SSL SCHEME $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+
+    NO_ECC_CERTS=1
+    schemes=("rsa_pkcs1_sha256" "rsa_pss_rsae_sha256" "rsa_pkcs1_sha256,rsa_pss_rsae_sha256")
+    for sscheme in "${schemes[@]}"; do
+        for cscheme in "${schemes[@]}"; do
+            testname="ssl_scheme server='$sscheme' client='$cscheme'"
+            echo "${testname}"
+
+            start_selfserv -V tls1.2:tls1.2 -J "$sscheme"
+
+            echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\"
+            echo "        -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE}"
+            ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+                        -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" < ${REQUEST_FILE} 2>&1
+            ret=$?
+            # If both schemes include just one option and those options don't
+            # match, then the test should fail; otherwise, assume that it works.
+            if [ "${cscheme#*,}" = "$cscheme" -a \
+                 "${sscheme#*,}" = "$sscheme" -a \
+                 "$cscheme" != "$sscheme" ]; then
+                expected=254
+            else
+                expected=0
+            fi
+            html_msg $ret $expected "${testname}" \
+                     "produced a returncode of $ret, expected is $expected"
+            kill_selfserv
+        done
+    done
+    NO_ECC_CERTS=0
+
+    html "</TABLE><BR>"
+}
 
 ############################## ssl_cleanup #############################
 # local shell function to finish this script (no exit since it might be
@@ -1152,6 +1254,7 @@ ssl_run()
             ;;
         "cov")
             ssl_cov
+            ssl_cov_rsa_pss
             ;;
         "auth")
             ssl_auth
@@ -1162,6 +1265,9 @@ ssl_run()
         "dtls")
             ssl_dtls
             ;;
+        "scheme")
+            ssl_scheme
+            ;;
          esac
     done
 }
@@ -1182,9 +1288,9 @@ ssl_run_all()
     # in FIPS mode, so cope with that. Note there's also semicolon in here
     # but it doesn't need escaping/quoting; the shell copes.
     if [ "${CLIENT_MODE}" = "fips" ]; then
-	USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser"
+        USER_NICKNAME="pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;object=TestUser"
     else
-	USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser"
+        USER_NICKNAME="pkcs11:token=NSS%20Certificate%20DB;object=TestUser"
     fi
     NORM_EXT=""
     cd ${CLIENTDIR}
@@ -1346,4 +1452,3 @@ ssl_run_tests()
 ssl_init
 ssl_run_tests
 ssl_cleanup
-
diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt
index 1eb7f47def..93f247b964 100644
--- a/security/nss/tests/ssl/sslcov.txt
+++ b/security/nss/tests/ssl/sslcov.txt
@@ -141,3 +141,8 @@
    ECC   TLS12  :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    ECC   TLS12  :CCA8 TLS12_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    ECC   TLS12  :CCA9 TLS12_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+#
+# Test against server with RSA-PSS server certificate
+#
+   ECC   TLS12  :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - RSA-PSS
+   ECC   TLS12  :C030 TLS12_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - RSA-PSS
diff --git a/security/nss/tests/ssl/sslstress.txt b/security/nss/tests/ssl/sslstress.txt
index a87eedad72..44794f10f6 100644
--- a/security/nss/tests/ssl/sslstress.txt
+++ b/security/nss/tests/ssl/sslstress.txt
@@ -12,9 +12,6 @@
   noECC     0      _         -c_1000_-C_c                  Stress TLS  RC4 128 with MD5
   noECC     0      _         -c_1000_-C_c_-g               Stress TLS  RC4 128 with MD5 (false start)
   noECC     0      -u        -V_ssl3:tls1.2_-c_1000_-C_c_-u            Stress TLS  RC4 128 with MD5 (session ticket)
-  noECC     0      -z        -V_ssl3:tls1.2_-c_1000_-C_c_-z            Stress TLS  RC4 128 with MD5 (compression)
-  noECC     0      -u_-z     -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z         Stress TLS  RC4 128 with MD5 (session ticket, compression)
-  noECC     0      -u_-z     -V_ssl3:tls1.2_-c_1000_-C_c_-u_-z_-g      Stress TLS  RC4 128 with MD5 (session ticket, compression, false start)
   SNI       0      -u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
 
 #
@@ -24,10 +21,6 @@
   noECC     0      -r_-r     -c_100_-C_c_-V_ssl3:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth, no login)
   noECC     0      -r_-r     -c_100_-C_c_-N_-n_TestUser    Stress TLS RC4 128 with MD5 (no reuse, client auth)
   noECC     0      -r_-r_-u  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
-  noECC     0      -r_-r_-z  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
-  noECC     0      -r_-r_-z  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
-  noECC     0   -r_-r_-u_-z  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
-  noECC     0   -r_-r_-u_-z  -V_ssl3:tls1.2_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
   SNI       0   -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
   SNI       0   -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:tls1.2_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
 
diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh
index eef77f16f3..6c088d8a68 100755
--- a/security/nss/tests/ssl_gtests/ssl_gtests.sh
+++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh
@@ -19,55 +19,6 @@
 #
 ########################################################################
 
-# Generate input to certutil
-certscript() {
-  ca=n
-  while [ $# -gt 0 ]; do
-    case $1 in
-      sign) echo 0 ;;
-      kex) echo 2 ;;
-      ca) echo 5;echo 6;ca=y ;;
-    esac; shift
-  done;
-  echo 9
-  echo n
-  echo $ca
-  echo
-  echo n
-}
-
-# $1: name
-# $2: type
-# $3+: usages: sign or kex
-make_cert() {
-  name=$1
-  type=$2
-  unset type_args trust sign
-  case $type in
-    dsa) type_args='-g 1024' ;;
-    rsa) type_args='-g 1024' ;;
-    rsa2048) type_args='-g 2048';type=rsa ;;
-    rsa8192) type_args='-g 8192';type=rsa ;;
-    rsapss) type_args='-g 1024 --pss';type=rsa ;;
-    p256) type_args='-q nistp256';type=ec ;;
-    p384) type_args='-q secp384r1';type=ec ;;
-    p521) type_args='-q secp521r1';type=ec ;;
-    rsa_ca) type_args='-g 1024';trust='CT,CT,CT';type=rsa ;;
-    rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;;
-    rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';type=rsa ;;
-    rsapss_chain) type_args='-g 1024';sign='-c rsa_pss_ca';type=rsa;;
-    rsa_ca_rsapss_chain) type_args='-g 1024 --pss-sign';sign='-c rsa_ca';type=rsa;;
-    ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;;
-  esac
-  shift 2
-  counter=$(($counter + 1))
-  certscript $@ | ${BINDIR}/certutil -S \
-    -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \
-    -n $name -s "CN=$name" -t ${trust:-,,} ${sign:--x} -m $counter \
-    -w -2 -v 120 -k $type $type_args -Z SHA256 -1 -2
-  html_msg $? 0 "create certificate: $@"
-}
-
 ssl_gtest_certs() {
   mkdir -p "${SSLGTESTDIR}"
   cd "${SSLGTESTDIR}"
@@ -80,6 +31,10 @@ ssl_gtest_certs() {
   ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
   html_msg $? 0 "create ssl_gtest database"
 
+  pushd "${QADIR}"
+  . common/certsetup.sh
+  popd
+
   counter=0
   make_cert client rsa sign
   make_cert rsa rsa sign kex
@@ -87,6 +42,9 @@ ssl_gtest_certs() {
   make_cert rsa8192 rsa8192 sign kex
   make_cert rsa_sign rsa sign
   make_cert rsa_pss rsapss sign
+  make_cert rsa_pss384 rsapss384 sign
+  make_cert rsa_pss512 rsapss512 sign
+  make_cert rsa_pss_noparam rsapss_noparam sign
   make_cert rsa_decrypt rsa kex
   make_cert ecdsa256 p256 sign
   make_cert ecdsa384 p384 sign
diff --git a/security/nss/tests/tlsfuzzer/config.json.in b/security/nss/tests/tlsfuzzer/config.json.in
new file mode 100644
index 0000000000..051bae2beb
--- /dev/null
+++ b/security/nss/tests/tlsfuzzer/config.json.in
@@ -0,0 +1,166 @@
+[
+    {
+        "server_command": [
+            "@SELFSERV@", "-w", "nss", "-d", "@SERVERDIR@",
+            "-V", "tls1.0:", "-H", "1",
+            "-n", "rsa",
+            "-n", "rsa-pss",
+	    "-J", "rsa_pss_rsae_sha256,rsa_pss_rsae_sha384,rsa_pss_rsae_sha512,rsa_pss_pss_sha256",
+            "-u", "-Z", "-p", "@PORT@"
+        ],
+        "server_hostname": "@HOSTADDR@",
+        "server_port": @PORT@,
+        "tests" : [
+            {
+                "name" : "test-tls13-conversation.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-count-tickets.py",
+                "arguments": [
+                    "-p", "@PORT@", "-t", "1"
+                ]
+            },
+            {
+                "name" : "test-tls13-dhe-shared-secret-padding.py",
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1305243",
+                "arguments": [
+                    "-p", "@PORT@",
+                    "-e", "TLS 1.3 with x448"
+                ]
+            },
+            {
+                "name" : "test-tls13-empty-alert.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ],
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1471656",
+                "exp_pass": false
+            },
+            {
+                "name" : "test-tls13-ffdhe-sanity.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-finished.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ],
+                "comment" : "https://bugzilla.mozilla.org/show_bug.cgi?id=1472747",
+                "exp_pass": false
+            },
+            {
+                "name" : "test-tls13-0rtt-garbage.py",
+                "comment": "the disabled test timeouts because of https://bugzilla.mozilla.org/show_bug.cgi?id=1472747",
+                "arguments": [
+                    "-p", "@PORT@", "--cookie",
+                    "-e", "undecryptable record later in handshake together with early_data"
+                ]
+            },
+            {
+                "name" : "test-tls13-hrr.py",
+                "arguments": [
+                    "-p", "@PORT@", "--cookie"
+                ]
+            },
+            {
+                "name" : "test-tls13-legacy-version.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ],
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1490006",
+                "exp_pass": false
+            },
+            {
+                "name" : "test-tls13-nociphers.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-pkcs-signature.py",
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1489997",
+                "arguments": [
+                    "-p", "@PORT@",
+                    "-e", "rsa_pkcs1_sha256 signature",
+                    "-e", "rsa_pkcs1_sha384 signature",
+                    "-e", "rsa_pkcs1_sha512 signature"
+                ]
+            },
+            {
+                "name" : "test-tls13-rsa-signatures.py",
+		"comment": "selfserv can be set up to use multiple certs, but only one for each auth type",
+                "arguments": [
+                    "-p", "@PORT@", "-b",
+		    "-e", "tls13 signature rsa_pss_pss_sha384",
+		    "-e", "tls13 signature rsa_pss_pss_sha512"
+                ]
+            },
+            {
+                "name" : "test-tls13-rsapss-signatures.py",
+		"comment": "selfserv can be set up to use multiple certs, but only one to each auth type",
+                "arguments": [
+                    "-p", "@PORT@", "-b",
+		    "-e", "tls13 signature rsa_pss_pss_sha384",
+		    "-e", "tls13 signature rsa_pss_pss_sha512"
+                ]
+            },
+            {
+                "name" : "test-tls13-record-padding.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-session-resumption.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-tls13-signature-algorithms.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ],
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1482386",
+                "exp_pass": false
+            },
+            {
+                "name" : "test-tls13-unrecognised-groups.py",
+                "arguments": [
+                    "-p", "@PORT@", "--cookie"
+                ]
+            },
+            {
+                "name" : "test-tls13-version-negotiation.py",
+                "comment": "the disabled test timeouts because of https://github.com/tomato42/tlsfuzzer/issues/452",
+                "arguments": [
+                    "-p", "@PORT@",
+                    "-e", "SSL 2.0 ClientHello with TLS 1.3 version and TLS 1.3 only ciphersuites"
+                ]
+            },
+            {
+                "name" : "test-tls13-zero-length-data.py",
+                "arguments": [
+                    "-p", "@PORT@"
+                ]
+            },
+            {
+                "name" : "test-dhe-no-shared-secret-padding.py",
+                "comment": "https://bugzilla.mozilla.org/show_bug.cgi?id=1494221 and SSLv3 cannot be enabled in server",
+                "arguments": [
+                    "-p", "@PORT@",
+                    "-e", "Protocol (3, 0) in SSLv2 compatible ClientHello",
+                    "-e", "Protocol (3, 1) in SSLv2 compatible ClientHello",
+                    "-e", "Protocol (3, 2) in SSLv2 compatible ClientHello",
+                    "-e", "Protocol (3, 3) in SSLv2 compatible ClientHello",
+                    "-e", "Protocol (3, 0)"
+                ]
+            }
+        ]
+    }
+]
diff --git a/security/nss/tests/tlsfuzzer/tlsfuzzer.sh b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh
new file mode 100644
index 0000000000..ecc146c240
--- /dev/null
+++ b/security/nss/tests/tlsfuzzer/tlsfuzzer.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+########################################################################
+#
+# tests/tlsfuzzer/tlsfuzzer.sh
+#
+# Script to drive the ssl tlsfuzzer interop unit tests
+#
+########################################################################
+
+tlsfuzzer_certs()
+{
+  PROFILEDIR=`pwd`
+
+  ${BINDIR}/certutil -N -d "${PROFILEDIR}" --empty-password 2>&1
+  html_msg $? 0 "create tlsfuzzer database"
+
+  pushd "${QADIR}"
+  . common/certsetup.sh
+  popd
+
+  counter=0
+  make_cert rsa rsa2048 sign kex
+  make_cert rsa-pss rsapss sign kex
+}
+
+tlsfuzzer_init()
+{
+  SCRIPTNAME="tlsfuzzer.sh"
+  if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ] ; then
+    cd ../common
+    . ./init.sh
+  fi
+
+  mkdir -p "${HOSTDIR}/tlsfuzzer"
+  pushd "${HOSTDIR}/tlsfuzzer"
+  tlsfuzzer_certs
+
+  TLSFUZZER=${TLSFUZZER:=tlsfuzzer}
+  if [ ! -d "$TLSFUZZER" ]; then
+    # Can't use git-copy.sh here, as tlsfuzzer doesn't have any tags
+    git clone -q https://github.com/tomato42/tlsfuzzer/ "$TLSFUZZER"
+    git -C "$TLSFUZZER" checkout a40ce4085052a4da9a05f9149b835a76c194a0c6
+
+    # We could use tlslite-ng from pip, but the pip command installed
+    # on TC is too old to support --pre
+    ${QADIR}/../fuzz/config/git-copy.sh https://github.com/tomato42/tlslite-ng/ v0.8.0-alpha18 tlslite-ng
+
+    pushd "$TLSFUZZER"
+    ln -s ../tlslite-ng/tlslite tlslite
+    popd
+
+    # Install tlslite-ng dependencies
+    ${QADIR}/../fuzz/config/git-copy.sh https://github.com/warner/python-ecdsa master python-ecdsa
+    ${QADIR}/../fuzz/config/git-copy.sh https://github.com/benjaminp/six master six
+
+    pushd "$TLSFUZZER"
+    ln -s ../python-ecdsa/src/ecdsa ecdsa
+    ln -s ../six/six.py .
+    popd
+  fi
+
+  # Find usable port
+  PORT=${PORT-8443}
+  while true; do
+    "${BINDIR}/selfserv" -w nss -d "${HOSTDIR}/tlsfuzzer" -n rsa \
+			 -p "${PORT}" -i selfserv.pid &
+    [ -f selfserv.pid ] || sleep 5
+    if [ -f selfserv.pid ]; then
+      kill $(cat selfserv.pid)
+      wait $(cat selfserv.pid)
+      rm -f selfserv.pid
+      break
+    fi
+    PORT=$(($PORT + 1))
+  done
+
+  sed -e "s|@PORT@|${PORT}|g" \
+      -e "s|@SELFSERV@|${BINDIR}/selfserv|g" \
+      -e "s|@SERVERDIR@|${HOSTDIR}/tlsfuzzer|g" \
+      -e "s|@HOSTADDR@|${HOSTADDR}|g" \
+      ${QADIR}/tlsfuzzer/config.json.in > ${TLSFUZZER}/config.json
+  popd
+
+  SCRIPTNAME="tlsfuzzer.sh"
+  html_head "tlsfuzzer test"
+}
+
+tlsfuzzer_cleanup()
+{
+  cd ${QADIR}
+  . common/cleanup.sh
+}
+
+tlsfuzzer_run_tests()
+{
+  pushd "${HOSTDIR}/tlsfuzzer/${TLSFUZZER}"
+  PYTHONPATH=. python tests/scripts_retention.py config.json "${BINDIR}/selfserv"
+  html_msg $? 0 "tlsfuzzer" "Run successfully"
+  popd
+}
+
+cd "$(dirname "$0")"
+tlsfuzzer_init
+tlsfuzzer_run_tests
+tlsfuzzer_cleanup
diff --git a/services/common/utils.js b/services/common/utils.js
index f0f57d14af..c90600ef4d 100644
--- a/services/common/utils.js
+++ b/services/common/utils.js
@@ -69,6 +69,10 @@ this.CommonUtils = {
     return true;
   },
 
+  // Import these from Log.jsm for backward compatibility
+  exceptionStr: Log.exceptionStr,
+  stackTrace: Log.stackTrace,
+
   /**
    * Encode byte string as base64URL (RFC 4648).
    *
diff --git a/services/sync/Makefile.in b/services/sync/Makefile.in
new file mode 100644
index 0000000000..7b2853b583
--- /dev/null
+++ b/services/sync/Makefile.in
@@ -0,0 +1,16 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# Definitions used by constants.js.
+weave_version := 1.45.0
+weave_id      := {340c2bbc-ce74-4362-90b5-7c26312808ef}
+
+# Preprocess files.
+SYNC_PP := modules/constants.js
+SYNC_PP_FLAGS := \
+ -Dweave_version=$(weave_version) \
+ -Dweave_id='$(weave_id)'
+SYNC_PP_PATH = $(FINAL_TARGET)/modules/services-sync
+PP_TARGETS += SYNC_PP
+
diff --git a/services/sync/Weave.js b/services/sync/Weave.js
index de131d08a9..5bafa07ad3 100644
--- a/services/sync/Weave.js
+++ b/services/sync/Weave.js
@@ -93,26 +93,6 @@ WeaveService.prototype = {
   },
 
   /**
-   * Whether Firefox Accounts is enabled.
-   *
-   * @return bool
-   */
-  get fxAccountsEnabled() {
-#ifdef MC_PALEMOON
-    return false;
-#else
-    try {
-      // Old sync guarantees '@' will never appear in the username while FxA
-      // uses the FxA email address - so '@' is the flag we use.
-      let username = Services.prefs.getCharPref(SYNC_PREFS_BRANCH + "username");
-      return !username || username.includes('@');
-    } catch (_) {
-      return true; // No username == only allow FxA to be configured.
-    }
-#endif
-  },
-
-  /**
    * Whether Sync appears to be enabled.
    *
    * This returns true if all the Sync preferences for storing account
@@ -123,7 +103,8 @@ WeaveService.prototype = {
    */
   get enabled() {
     let prefs = Services.prefs.getBranch(SYNC_PREFS_BRANCH);
-    return prefs.prefHasUserValue("username");
+    return prefs.prefHasUserValue("username") &&
+           prefs.prefHasUserValue("clusterURL");
   },
 
   observe: function (subject, topic, data) {
@@ -151,10 +132,7 @@ WeaveService.prototype = {
             Components.utils.import("resource://services-sync/main.js");
             isConfigured = Weave.Status.checkSetup() != Weave.CLIENT_NOT_CONFIGURED;
           }
-          let getHistogramById = Services.telemetry.getHistogramById;
-          getHistogramById("WEAVE_CONFIGURED").add(isConfigured);
           if (isConfigured) {
-            getHistogramById("WEAVE_CONFIGURED_MASTER_PASSWORD").add(Utils.mpEnabled());
             this.ensureLoaded();
           }
         }.bind(this)
diff --git a/services/sync/locales/en-US/errors.properties b/services/sync/locales/en-US/errors.properties
index f67f5ea1c3..e51eb422cf 100644
--- a/services/sync/locales/en-US/errors.properties
+++ b/services/sync/locales/en-US/errors.properties
@@ -12,7 +12,7 @@ error.login.reason.server       = Server incorrectly configured
 
 error.sync.failed_partial            = One or more data types could not be synced
 # LOCALIZATION NOTE (error.sync.reason.serverMaintenance): We removed the extraneous period from this string
-error.sync.reason.serverMaintenance  = Sync server maintenance is underway, syncing will resume automatically
+error.sync.reason.serverMaintenance  = Sync server maintenance is underway; syncing will resume automatically
 
 invalid-captcha = Incorrect words, try again
 weak-password   = Use a stronger password
@@ -20,8 +20,8 @@ weak-password   = Use a stronger password
 # this is the fallback, if we hit an error we didn't bother to localize
 error.reason.unknown          = Unknown error
 
-change.password.pwSameAsPassword     = Password can’t match current password
-change.password.pwSameAsUsername     = Password can’t match your user name
-change.password.pwSameAsEmail        = Password can’t match your email address
+change.password.pwSameAsPassword     = Password can't match current password
+change.password.pwSameAsUsername     = Password can't match your user name
+change.password.pwSameAsEmail        = Password can't match your email address
 change.password.mismatch             = The passwords entered do not match
 change.password.tooShort             = The password entered is too short
diff --git a/services/sync/locales/en-US/sync.properties b/services/sync/locales/en-US/sync.properties
index a1a6f76b2b..93369dd378 100644
--- a/services/sync/locales/en-US/sync.properties
+++ b/services/sync/locales/en-US/sync.properties
@@ -3,7 +3,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 # %1: the user name (Ed), %2: the app name (Firefox), %3: the operating system (Android)
-client.name2 = %1$S’s %2$S on %3$S
+client.name2 = %1$S's %2$S on %3$S
 
 # %S is the date and time at which the last sync successfully completed
 lastSync2.label = Last sync: %S
@@ -11,6 +11,12 @@ lastSync2.label = Last sync: %S
 # signInToSync.description is the tooltip for the Sync buttons when Sync is
 # not configured.
 signInToSync.description = Sign In To Sync
+mobile.label = Mobile Bookmarks
+
+remote.pending.label = Remote tabs are being synced…
+remote.missing2.label = Sync your other devices again to access their tabs
+remote.opened.label = All remote tabs are already open
+remote.notification.label = Recent desktop tabs will be available once they sync
 
 error.login.title = Error While Signing In
 error.login.description = Sync encountered an error while connecting: %1$S.  Please try again.
@@ -31,6 +37,8 @@ error.sync.tryAgainButton.label = Sync Now
 error.sync.tryAgainButton.accesskey = S
 warning.sync.quota.label = Approaching Server Quota
 warning.sync.quota.description = You are approaching the server quota. Please review which data to sync.
+error.sync.quota.label = Server Quota Exceeded
+error.sync.quota.description = Sync failed because it exceeded the server quota. Please review which data to sync.
 error.sync.viewQuotaButton.label = View Quota
 error.sync.viewQuotaButton.accesskey = V
 warning.sync.eol.label = Service Shutting Down
diff --git a/services/sync/locales/moz.build b/services/sync/locales/moz.build
index aac3a838c4..3bbe672975 100644
--- a/services/sync/locales/moz.build
+++ b/services/sync/locales/moz.build
@@ -1,4 +1,4 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
diff --git a/services/sync/modules-testing/fakeservices.js b/services/sync/modules-testing/fakeservices.js
index 2895736dff..d8f73e981a 100644
--- a/services/sync/modules-testing/fakeservices.js
+++ b/services/sync/modules-testing/fakeservices.js
@@ -22,20 +22,6 @@ this.FakeFilesystemService = function FakeFilesystemService(contents) {
   this.fakeContents = contents;
   let self = this;
 
-  // Save away the unmocked versions of the functions we replace here for tests
-  // that really want the originals. As this may be called many times per test,
-  // we must be careful to not replace them with ones we previously replaced.
-  // (And WTF are we bothering with these mocks in the first place? Is the
-  // performance of the filesystem *really* such that it outweighs the downside
-  // of not running our real JSON functions in the tests? Eg, these mocks don't
-  // always throw exceptions when the real ones do. Anyway...)
-  for (let name of ["jsonSave", "jsonLoad", "jsonMove", "jsonRemove"]) {
-    let origName = "_real_" + name;
-    if (!Utils[origName]) {
-      Utils[origName] = Utils[name];
-    }
-  }
-
   Utils.jsonSave = function jsonSave(filePath, that, obj, callback) {
     let json = typeof obj == "function" ? obj.call(that) : obj;
     self.fakeContents["weave/" + filePath + ".json"] = JSON.stringify(json);
@@ -50,18 +36,6 @@ this.FakeFilesystemService = function FakeFilesystemService(contents) {
     }
     cb.call(that, obj);
   };
-
-  Utils.jsonMove = function jsonMove(aFrom, aTo, that) {
-    const fromPath = "weave/" + aFrom + ".json";
-    self.fakeContents["weave/" + aTo + ".json"] = self.fakeContents[fromPath];
-    delete self.fakeContents[fromPath];
-    return Promise.resolve();
-  };
-
-  Utils.jsonRemove = function jsonRemove(filePath, that) {
-    delete self.fakeContents["weave/" + filePath + ".json"];
-    return Promise.resolve();
-  };
 };
 
 this.fakeSHA256HMAC = function fakeSHA256HMAC(message) {
@@ -76,9 +50,7 @@ this.FakeGUIDService = function FakeGUIDService() {
   let latestGUID = 0;
 
   Utils.makeGUID = function makeGUID() {
-    // ensure that this always returns a unique 12 character string
-    let nextGUID = "fake-guid-" + String(latestGUID++).padStart(2, "0");
-    return nextGUID.slice(nextGUID.length-12, nextGUID.length);
+    return "fake-guid-" + latestGUID++;
   };
 }
 
diff --git a/services/sync/modules-testing/rotaryengine.js b/services/sync/modules-testing/rotaryengine.js
index 9d3bf723d3..3b76cd995f 100644
--- a/services/sync/modules-testing/rotaryengine.js
+++ b/services/sync/modules-testing/rotaryengine.js
@@ -32,8 +32,8 @@ RotaryRecord.prototype = {
 };
 Utils.deferGetSet(RotaryRecord, "cleartext", ["denomination"]);
 
-this.RotaryStore = function RotaryStore(name, engine) {
-  Store.call(this, name, engine);
+this.RotaryStore = function RotaryStore(engine) {
+  Store.call(this, "Rotary", engine);
   this.items = {};
 }
 RotaryStore.prototype = {
@@ -88,8 +88,8 @@ RotaryStore.prototype = {
   }
 };
 
-this.RotaryTracker = function RotaryTracker(name, engine) {
-  Tracker.call(this, name, engine);
+this.RotaryTracker = function RotaryTracker(engine) {
+  Tracker.call(this, "Rotary", engine);
 }
 RotaryTracker.prototype = {
   __proto__: Tracker.prototype
diff --git a/services/sync/modules-testing/utils.js b/services/sync/modules-testing/utils.js
index 261c2bb21d..fc14f2fbd8 100644
--- a/services/sync/modules-testing/utils.js
+++ b/services/sync/modules-testing/utils.js
@@ -7,20 +7,15 @@
 this.EXPORTED_SYMBOLS = [
   "btoa", // It comes from a module import.
   "encryptPayload",
-  "isConfiguredWithLegacyIdentity",
   "ensureLegacyIdentityManager",
   "setBasicCredentials",
   "makeIdentityConfig",
-  "makeFxAccountsInternalMock",
   "configureFxAccountIdentity",
   "configureIdentity",
   "SyncTestingInfrastructure",
   "waitForZeroTimer",
   "Promise", // from a module import
   "add_identity_test",
-  "MockFxaStorageManager",
-  "AccountState", // from a module import
-  "sumHistogram",
 ];
 
 var {utils: Cu} = Components;
@@ -34,49 +29,8 @@ Cu.import("resource://services-sync/browserid_identity.js");
 Cu.import("resource://testing-common/services/common/logging.js");
 Cu.import("resource://testing-common/services/sync/fakeservices.js");
 Cu.import("resource://gre/modules/FxAccounts.jsm");
-Cu.import("resource://gre/modules/FxAccountsClient.jsm");
 Cu.import("resource://gre/modules/FxAccountsCommon.js");
 Cu.import("resource://gre/modules/Promise.jsm");
-Cu.import("resource://gre/modules/Services.jsm");
-
-// and grab non-exported stuff via a backstage pass.
-const {AccountState} = Cu.import("resource://gre/modules/FxAccounts.jsm", {});
-
-// A mock "storage manager" for FxAccounts that doesn't actually write anywhere.
-function MockFxaStorageManager() {
-}
-
-MockFxaStorageManager.prototype = {
-  promiseInitialized: Promise.resolve(),
-
-  initialize(accountData) {
-    this.accountData = accountData;
-  },
-
-  finalize() {
-    return Promise.resolve();
-  },
-
-  getAccountData() {
-    return Promise.resolve(this.accountData);
-  },
-
-  updateAccountData(updatedFields) {
-    for (let [name, value] of Object.entries(updatedFields)) {
-      if (value == null) {
-        delete this.accountData[name];
-      } else {
-        this.accountData[name] = value;
-      }
-    }
-    return Promise.resolve();
-  },
-
-  deleteAccountData() {
-    this.accountData = null;
-    return Promise.resolve();
-  }
-}
 
 /**
  * First wait >100ms (nsITimers can take up to that much time to fire, so
@@ -97,18 +51,6 @@ this.waitForZeroTimer = function waitForZeroTimer(callback) {
 }
 
 /**
- * Return true if Sync is configured with the "legacy" identity provider.
- */
-this.isConfiguredWithLegacyIdentity = function() {
-  let ns = {};
-  Cu.import("resource://services-sync/service.js", ns);
-
-  // We can't use instanceof as BrowserIDManager (the "other" identity) inherits
-  // from IdentityManager so that would return true - so check the prototype.
-  return Object.getPrototypeOf(ns.Service.identity) === IdentityManager.prototype;
-}
-
-/**
   * Ensure Sync is configured with the "legacy" identity provider.
   */
 this.ensureLegacyIdentityManager = function() {
@@ -145,15 +87,14 @@ this.makeIdentityConfig = function(overrides) {
         kA: 'kA',
         kB: 'kB',
         sessionToken: 'sessionToken',
-        uid: "a".repeat(32),
+        uid: 'user_uid',
         verified: true,
       },
       token: {
-        endpoint: null,
+        endpoint: Svc.Prefs.get("tokenServerURI"),
         duration: 300,
         id: "id",
         key: "key",
-        hashed_fxa_uid: "f".repeat(32), // used during telemetry validation
         // uid will be set to the username.
       }
     },
@@ -181,47 +122,27 @@ this.makeIdentityConfig = function(overrides) {
   return result;
 }
 
-this.makeFxAccountsInternalMock = function(config) {
-  return {
-    newAccountState(credentials) {
-      // We only expect this to be called with null indicating the (mock)
-      // storage should be read.
-      if (credentials) {
-        throw new Error("Not expecting to have credentials passed");
-      }
-      let storageManager = new MockFxaStorageManager();
-      storageManager.initialize(config.fxaccount.user);
-      let accountState = new AccountState(storageManager);
-      return accountState;
-    },
-    _getAssertion(audience) {
-      return Promise.resolve("assertion");
-    },
-  };
-};
-
 // Configure an instance of an FxAccount identity provider with the specified
 // config (or the default config if not specified).
 this.configureFxAccountIdentity = function(authService,
-                                           config = makeIdentityConfig(),
-                                           fxaInternal = makeFxAccountsInternalMock(config)) {
+                                           config = makeIdentityConfig()) {
+  let MockInternal = {};
+  let fxa = new FxAccounts(MockInternal);
+
   // until we get better test infrastructure for bid_identity, we set the
   // signedin user's "email" to the username, simply as many tests rely on this.
   config.fxaccount.user.email = config.username;
-
-  let fxa = new FxAccounts(fxaInternal);
-
-  let MockFxAccountsClient = function() {
-    FxAccountsClient.apply(this);
+  fxa.internal.currentAccountState.signedInUser = {
+    version: DATA_FORMAT_VERSION,
+    accountData: config.fxaccount.user
   };
-  MockFxAccountsClient.prototype = {
-    __proto__: FxAccountsClient.prototype,
-    accountStatus() {
-      return Promise.resolve(true);
-    }
+  fxa.internal.currentAccountState.getCertificate = function(data, keyPair, mustBeValidUntil) {
+    this.cert = {
+      validUntil: fxa.internal.now() + CERT_LIFETIME,
+      cert: "certificate",
+    };
+    return Promise.resolve(this.cert.cert);
   };
-  let mockFxAClient = new MockFxAccountsClient();
-  fxa.internal._fxAccountsClient = mockFxAClient;
 
   let mockTSC = { // TokenServerClient
     getTokenFromBrowserIDAssertion: function(uri, assertion, cb) {
@@ -233,7 +154,7 @@ this.configureFxAccountIdentity = function(authService,
   authService._tokenServerClient = mockTSC;
   // Set the "account" of the browserId manager to be the "email" of the
   // logged in user of the mockFXA service.
-  authService._signedInUser = config.fxaccount.user;
+  authService._signedInUser = fxa.internal.currentAccountState.signedInUser.accountData;
   authService._account = config.fxaccount.user.email;
 }
 
@@ -320,7 +241,7 @@ this.add_identity_test = function(test, testFunction) {
   let ns = {};
   Cu.import("resource://services-sync/service.js", ns);
   // one task for the "old" identity manager.
-  test.add_task(function* () {
+  test.add_task(function() {
     note("sync");
     let oldIdentity = Status._authManager;
     ensureLegacyIdentityManager();
@@ -328,7 +249,7 @@ this.add_identity_test = function(test, testFunction) {
     Status.__authManager = ns.Service.identity = oldIdentity;
   });
   // another task for the FxAccounts identity manager.
-  test.add_task(function* () {
+  test.add_task(function() {
     note("FxAccounts");
     let oldIdentity = Status._authManager;
     Status.__authManager = ns.Service.identity = new BrowserIDManager();
@@ -336,15 +257,3 @@ this.add_identity_test = function(test, testFunction) {
     Status.__authManager = ns.Service.identity = oldIdentity;
   });
 }
-
-this.sumHistogram = function(name, options = {}) {
-  let histogram = options.key ? Services.telemetry.getKeyedHistogramById(name) :
-                  Services.telemetry.getHistogramById(name);
-  let snapshot = histogram.snapshot(options.key);
-  let sum = -Infinity;
-  if (snapshot) {
-    sum = snapshot.sum;
-  }
-  histogram.clear();
-  return sum;
-}
diff --git a/services/sync/modules/SyncedTabs.jsm b/services/sync/modules/SyncedTabs.jsm
deleted file mode 100644
index 1a69e35644..0000000000
--- a/services/sync/modules/SyncedTabs.jsm
+++ /dev/null
@@ -1,301 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-"use strict";
-
-this.EXPORTED_SYMBOLS = ["SyncedTabs"];
-
-
-const { classes: Cc, interfaces: Ci, results: Cr, utils: Cu } = Components;
-
-Cu.import("resource://gre/modules/Services.jsm");
-Cu.import("resource://gre/modules/XPCOMUtils.jsm");
-Cu.import("resource://gre/modules/Task.jsm");
-Cu.import("resource://gre/modules/Log.jsm");
-Cu.import("resource://gre/modules/PlacesUtils.jsm", this);
-Cu.import("resource://services-sync/main.js");
-Cu.import("resource://gre/modules/Preferences.jsm");
-
-// The Sync XPCOM service
-XPCOMUtils.defineLazyGetter(this, "weaveXPCService", function() {
-  return Cc["@mozilla.org/weave/service;1"]
-           .getService(Ci.nsISupports)
-           .wrappedJSObject;
-});
-
-// from MDN...
-function escapeRegExp(string) {
-  return string.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-
-// A topic we fire whenever we have new tabs available. This might be due
-// to a request made by this module to refresh the tab list, or as the result
-// of a regularly scheduled sync. The intent is that consumers just listen
-// for this notification and update their UI in response.
-const TOPIC_TABS_CHANGED = "services.sync.tabs.changed";
-
-// The interval, in seconds, before which we consider the existing list
-// of tabs "fresh enough" and don't force a new sync.
-const TABS_FRESH_ENOUGH_INTERVAL = 30;
-
-let log = Log.repository.getLogger("Sync.RemoteTabs");
-// A new scope to do the logging thang...
-(function() {
-  let level = Preferences.get("services.sync.log.logger.tabs");
-  if (level) {
-    let appender = new Log.DumpAppender();
-    log.level = appender.level = Log.Level[level] || Log.Level.Debug;
-    log.addAppender(appender);
-  }
-})();
-
-
-// A private singleton that does the work.
-let SyncedTabsInternal = {
-  /* Make a "tab" record. Returns a promise */
-  _makeTab: Task.async(function* (client, tab, url, showRemoteIcons) {
-    let icon;
-    if (showRemoteIcons) {
-      icon = tab.icon;
-    }
-    if (!icon) {
-      try {
-        icon = (yield PlacesUtils.promiseFaviconLinkUrl(url)).spec;
-      } catch (ex) { /* no favicon avaiable */ }
-    }
-    if (!icon) {
-      icon = "";
-    }
-    return {
-      type:  "tab",
-      title: tab.title || url,
-      url,
-      icon,
-      client: client.id,
-      lastUsed: tab.lastUsed,
-    };
-  }),
-
-  /* Make a "client" record. Returns a promise for consistency with _makeTab */
-  _makeClient: Task.async(function* (client) {
-    return {
-      id: client.id,
-      type: "client",
-      name: Weave.Service.clientsEngine.getClientName(client.id),
-      isMobile: Weave.Service.clientsEngine.isMobile(client.id),
-      lastModified: client.lastModified * 1000, // sec to ms
-      tabs: []
-    };
-  }),
-
-  _tabMatchesFilter(tab, filter) {
-    let reFilter = new RegExp(escapeRegExp(filter), "i");
-    return tab.url.match(reFilter) || tab.title.match(reFilter);
-  },
-
-  getTabClients: Task.async(function* (filter) {
-    log.info("Generating tab list with filter", filter);
-    let result = [];
-
-    // If Sync isn't ready, don't try and get anything.
-    if (!weaveXPCService.ready) {
-      log.debug("Sync isn't yet ready, so returning an empty tab list");
-      return result;
-    }
-
-    // A boolean that controls whether we should show the icon from the remote tab.
-    const showRemoteIcons = Preferences.get("services.sync.syncedTabs.showRemoteIcons", true);
-
-    let engine = Weave.Service.engineManager.get("tabs");
-
-    let seenURLs = new Set();
-    let parentIndex = 0;
-    let ntabs = 0;
-
-    for (let [guid, client] of Object.entries(engine.getAllClients())) {
-      if (!Weave.Service.clientsEngine.remoteClientExists(client.id)) {
-        continue;
-      }
-      let clientRepr = yield this._makeClient(client);
-      log.debug("Processing client", clientRepr);
-
-      for (let tab of client.tabs) {
-        let url = tab.urlHistory[0];
-        log.debug("remote tab", url);
-        // Note there are some issues with tracking "seen" tabs, including:
-        // * We really can't return the entire urlHistory record as we are
-        //   only checking the first entry - others might be different.
-        // * We don't update the |lastUsed| timestamp to reflect the
-        //   most-recently-seen time.
-        // In a followup we should consider simply dropping this |seenUrls|
-        // check and return duplicate records - it seems the user will be more
-        // confused by tabs not showing up on a device (because it was detected
-        // as a dupe so it only appears on a different device) than being
-        // confused by seeing the same tab on different clients.
-        if (!url || seenURLs.has(url)) {
-          continue;
-        }
-        let tabRepr = yield this._makeTab(client, tab, url, showRemoteIcons);
-        if (filter && !this._tabMatchesFilter(tabRepr, filter)) {
-          continue;
-        }
-        seenURLs.add(url);
-        clientRepr.tabs.push(tabRepr);
-      }
-      // We return all clients, even those without tabs - the consumer should
-      // filter it if they care.
-      ntabs += clientRepr.tabs.length;
-      result.push(clientRepr);
-    }
-    log.info(`Final tab list has ${result.length} clients with ${ntabs} tabs.`);
-    return result;
-  }),
-
-  syncTabs(force) {
-    if (!force) {
-      // Don't bother refetching tabs if we already did so recently
-      let lastFetch = Preferences.get("services.sync.lastTabFetch", 0);
-      let now = Math.floor(Date.now() / 1000);
-      if (now - lastFetch < TABS_FRESH_ENOUGH_INTERVAL) {
-        log.info("_refetchTabs was done recently, do not doing it again");
-        return Promise.resolve(false);
-      }
-    }
-
-    // If Sync isn't configured don't try and sync, else we will get reports
-    // of a login failure.
-    if (Weave.Status.checkSetup() == Weave.CLIENT_NOT_CONFIGURED) {
-      log.info("Sync client is not configured, so not attempting a tab sync");
-      return Promise.resolve(false);
-    }
-    // Ask Sync to just do the tabs engine if it can.
-    // Sync is currently synchronous, so do it after an event-loop spin to help
-    // keep the UI responsive.
-    return new Promise((resolve, reject) => {
-      Services.tm.currentThread.dispatch(() => {
-        try {
-          log.info("Doing a tab sync.");
-          Weave.Service.sync(["tabs"]);
-          resolve(true);
-        } catch (ex) {
-          log.error("Sync failed", ex);
-          reject(ex);
-        };
-      }, Ci.nsIThread.DISPATCH_NORMAL);
-    });
-  },
-
-  observe(subject, topic, data) {
-    log.trace(`observed topic=${topic}, data=${data}, subject=${subject}`);
-    switch (topic) {
-      case "weave:engine:sync:finish":
-        if (data != "tabs") {
-          return;
-        }
-        // The tabs engine just finished syncing
-        // Set our lastTabFetch pref here so it tracks both explicit sync calls
-        // and normally scheduled ones.
-        Preferences.set("services.sync.lastTabFetch", Math.floor(Date.now() / 1000));
-        Services.obs.notifyObservers(null, TOPIC_TABS_CHANGED, null);
-        break;
-      case "weave:service:start-over":
-        // start-over needs to notify so consumers find no tabs.
-        Preferences.reset("services.sync.lastTabFetch");
-        Services.obs.notifyObservers(null, TOPIC_TABS_CHANGED, null);
-        break;
-      case "nsPref:changed":
-        Services.obs.notifyObservers(null, TOPIC_TABS_CHANGED, null);
-        break;
-      default:
-        break;
-    }
-  },
-
-  // Returns true if Sync is configured to Sync tabs, false otherwise
-  get isConfiguredToSyncTabs() {
-    if (!weaveXPCService.ready) {
-      log.debug("Sync isn't yet ready; assuming tab engine is enabled");
-      return true;
-    }
-
-    let engine = Weave.Service.engineManager.get("tabs");
-    return engine && engine.enabled;
-  },
-
-  get hasSyncedThisSession() {
-    let engine = Weave.Service.engineManager.get("tabs");
-    return engine && engine.hasSyncedThisSession;
-  },
-};
-
-Services.obs.addObserver(SyncedTabsInternal, "weave:engine:sync:finish", false);
-Services.obs.addObserver(SyncedTabsInternal, "weave:service:start-over", false);
-// Observe the pref the indicates the state of the tabs engine has changed.
-// This will force consumers to re-evaluate the state of sync and update
-// accordingly.
-Services.prefs.addObserver("services.sync.engine.tabs", SyncedTabsInternal, false);
-
-// The public interface.
-this.SyncedTabs = {
-  // A mock-point for tests.
-  _internal: SyncedTabsInternal,
-
-  // We make the topic for the observer notification public.
-  TOPIC_TABS_CHANGED,
-
-  // Returns true if Sync is configured to Sync tabs, false otherwise
-  get isConfiguredToSyncTabs() {
-    return this._internal.isConfiguredToSyncTabs;
-  },
-
-  // Returns true if a tab sync has completed once this session. If this
-  // returns false, then getting back no clients/tabs possibly just means we
-  // are waiting for that first sync to complete.
-  get hasSyncedThisSession() {
-    return this._internal.hasSyncedThisSession;
-  },
-
-  // Return a promise that resolves with an array of client records, each with
-  // a .tabs array. Note that part of the contract for this module is that the
-  // returned objects are not shared between invocations, so callers are free
-  // to mutate the returned objects (eg, sort, truncate) however they see fit.
-  getTabClients(query) {
-    return this._internal.getTabClients(query);
-  },
-
-  // Starts a background request to start syncing tabs. Returns a promise that
-  // resolves when the sync is complete, but there's no resolved value -
-  // callers should be listening for TOPIC_TABS_CHANGED.
-  // If |force| is true we always sync. If false, we only sync if the most
-  // recent sync wasn't "recently".
-  syncTabs(force) {
-    return this._internal.syncTabs(force);
-  },
-
-  sortTabClientsByLastUsed(clients, maxTabs = Infinity) {
-    // First sort and filter the list of tabs for each client. Note that
-    // this module promises that the objects it returns are never
-    // shared, so we are free to mutate those objects directly.
-    for (let client of clients) {
-      let tabs = client.tabs;
-      tabs.sort((a, b) => b.lastUsed - a.lastUsed);
-      if (Number.isFinite(maxTabs)) {
-        client.tabs = tabs.slice(0, maxTabs);
-      }
-    }
-    // Now sort the clients - the clients are sorted in the order of the
-    // most recent tab for that client (ie, it is important the tabs for
-    // each client are already sorted.)
-    clients.sort((a, b) => {
-      if (a.tabs.length == 0) {
-        return 1; // b comes first.
-      }
-      if (b.tabs.length == 0) {
-        return -1; // a comes first.
-      }
-      return b.tabs[0].lastUsed - a.tabs[0].lastUsed;
-    });
-  },
-};
-
diff --git a/services/sync/modules/addonsreconciler.js b/services/sync/modules/addonsreconciler.js
index a60fc8d566..ec0896bb27 100644
--- a/services/sync/modules/addonsreconciler.js
+++ b/services/sync/modules/addonsreconciler.js
@@ -434,8 +434,7 @@ AddonsReconciler.prototype = {
         modified: now,
         type: addon.type,
         scope: addon.scope,
-        foreignInstall: addon.foreignInstall,
-        isSyncable: addon.isSyncable,
+        foreignInstall: addon.foreignInstall
       };
       this._addons[id] = record;
       this._log.debug("Adding change because add-on not present locally: " +
@@ -445,7 +444,6 @@ AddonsReconciler.prototype = {
     }
 
     let record = this._addons[id];
-    record.isSyncable = addon.isSyncable;
 
     if (!record.installed) {
       // It is possible the record is marked as uninstalled because an
@@ -490,7 +488,7 @@ AddonsReconciler.prototype = {
       try {
         listener.changeListener.call(listener, date, change, state);
       } catch (ex) {
-        this._log.warn("Exception calling change listener", ex);
+        this._log.warn("Exception calling change listener: ", ex);
       }
     }
   },
@@ -636,7 +634,7 @@ AddonsReconciler.prototype = {
       }
     }
     catch (ex) {
-      this._log.warn("Exception", ex);
+      this._log.warn("Exception: ", ex);
     }
   },
 
diff --git a/services/sync/modules/addonutils.js b/services/sync/modules/addonutils.js
index 95da6be0a0..3332f4cfcb 100644
--- a/services/sync/modules/addonutils.js
+++ b/services/sync/modules/addonutils.js
@@ -38,10 +38,21 @@ AddonUtilsInternal.prototype = {
    *        Function to be called with result of operation.
    */
   getInstallFromSearchResult:
-    function getInstallFromSearchResult(addon, cb) {
+    function getInstallFromSearchResult(addon, cb, requireSecureURI=true) {
 
     this._log.debug("Obtaining install for " + addon.id);
 
+    // Verify that the source URI uses TLS. We don't allow installs from
+    // insecure sources for security reasons. The Addon Manager ensures that
+    // cert validation, etc is performed.
+    if (requireSecureURI) {
+      let scheme = addon.sourceURI.scheme;
+      if (scheme != "https") {
+        cb(new Error("Insecure source URI scheme: " + scheme), addon.install);
+        return;
+      }
+    }
+
     // We should theoretically be able to obtain (and use) addon.install if
     // it is available. However, the addon.sourceURI rewriting won't be
     // reflected in the AddonInstall, so we can't use it. If we ever get rid
@@ -69,6 +80,8 @@ AddonUtilsInternal.prototype = {
    *   syncGUID - Sync GUID to use for the new add-on.
    *   enabled - Boolean indicating whether the add-on should be enabled upon
    *             install.
+   *   requireSecureURI - Boolean indicating whether to require a secure
+   *     URI to install from. This defaults to true.
    *
    * When complete it calls a callback with 2 arguments, error and result.
    *
@@ -92,6 +105,10 @@ AddonUtilsInternal.prototype = {
     function installAddonFromSearchResult(addon, options, cb) {
     this._log.info("Trying to install add-on from search result: " + addon.id);
 
+    if (options.requireSecureURI === undefined) {
+      options.requireSecureURI = true;
+    }
+
     this.getInstallFromSearchResult(addon, function onResult(error, install) {
       if (error) {
         cb(error, null);
@@ -147,10 +164,10 @@ AddonUtilsInternal.prototype = {
         install.install();
       }
       catch (ex) {
-        this._log.error("Error installing add-on", ex);
+        this._log.error("Error installing add-on: ", ex);
         cb(ex, null);
       }
-    }.bind(this));
+    }.bind(this), options.requireSecureURI);
   },
 
   /**
@@ -244,7 +261,6 @@ AddonUtilsInternal.prototype = {
           installedIDs: [],
           installs:     [],
           addons:       [],
-          skipped:      [],
           errors:       []
         };
 
@@ -283,20 +299,14 @@ AddonUtilsInternal.prototype = {
         // ideally send proper URLs, but this solution was deemed too
         // complicated at the time the functionality was implemented.
         for (let addon of addons) {
-          // Find the specified options for this addon.
-          let options;
-          for (let install of installs) {
-            if (install.id == addon.id) {
-              options = install;
-              break;
-            }
-          }
-          if (!this.canInstallAddon(addon, options)) {
-            ourResult.skipped.push(addon.id);
+          // sourceURI presence isn't enforced by AddonRepository. So, we skip
+          // add-ons without a sourceURI.
+          if (!addon.sourceURI) {
+            this._log.info("Skipping install of add-on because missing " +
+                           "sourceURI: " + addon.id);
             continue;
           }
 
-          // We can go ahead and attempt to install it.
           toInstall.push(addon);
 
           // We should always be able to QI the nsIURI to nsIURL. If not, we
@@ -353,48 +363,6 @@ AddonUtilsInternal.prototype = {
   },
 
   /**
-   * Returns true if we are able to install the specified addon, false
-   * otherwise. It is expected that this will log the reason if it returns
-   * false.
-   *
-   * @param addon
-   *        (Addon) Add-on instance to check.
-   * @param options
-   *        (object) The options specified for this addon. See installAddons()
-   *        for the valid elements.
-   */
-  canInstallAddon(addon, options) {
-    // sourceURI presence isn't enforced by AddonRepository. So, we skip
-    // add-ons without a sourceURI.
-    if (!addon.sourceURI) {
-      this._log.info("Skipping install of add-on because missing " +
-                     "sourceURI: " + addon.id);
-      return false;
-    }
-    // Verify that the source URI uses TLS. We don't allow installs from
-    // insecure sources for security reasons. The Addon Manager ensures
-    // that cert validation etc is performed.
-    // (We should also consider just dropping this entirely and calling
-    // XPIProvider.isInstallAllowed, but that has additional semantics we might
-    // need to think through...)
-    let requireSecureURI = true;
-    if (options && options.requireSecureURI !== undefined) {
-      requireSecureURI = options.requireSecureURI;
-    }
-
-    if (requireSecureURI) {
-      let scheme = addon.sourceURI.scheme;
-      if (scheme != "https") {
-        this._log.info(`Skipping install of add-on "${addon.id}" because sourceURI's scheme of "${scheme}" is not trusted`);
-        return false;
-      }
-    }
-    this._log.info(`Add-on "${addon.id}" is able to be installed`);
-    return true;
-  },
-
-
-  /**
    * Update the user disabled flag for an add-on.
    *
    * The supplied callback will be called when the operation is
diff --git a/services/sync/modules/bookmark_validator.js b/services/sync/modules/bookmark_validator.js
deleted file mode 100644
index 2a94ba043a..0000000000
--- a/services/sync/modules/bookmark_validator.js
+++ /dev/null
@@ -1,784 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-"use strict";
-
-const Cu = Components.utils;
-
-Cu.import("resource://gre/modules/PlacesUtils.jsm");
-Cu.import("resource://gre/modules/PlacesSyncUtils.jsm");
-Cu.import("resource://gre/modules/Task.jsm");
-Cu.import("resource://gre/modules/XPCOMUtils.jsm");
-
-
-this.EXPORTED_SYMBOLS = ["BookmarkValidator", "BookmarkProblemData"];
-
-const LEFT_PANE_ROOT_ANNO = "PlacesOrganizer/OrganizerFolder";
-const LEFT_PANE_QUERY_ANNO = "PlacesOrganizer/OrganizerQuery";
-
-// Indicates if a local bookmark tree node should be excluded from syncing.
-function isNodeIgnored(treeNode) {
-  return treeNode.annos && treeNode.annos.some(anno => anno.name == LEFT_PANE_ROOT_ANNO ||
-                                                       anno.name == LEFT_PANE_QUERY_ANNO);
-}
-const BOOKMARK_VALIDATOR_VERSION = 1;
-
-/**
- * Result of bookmark validation. Contains the following fields which describe
- * server-side problems unless otherwise specified.
- *
- * - missingIDs (number): # of objects with missing ids
- * - duplicates (array of ids): ids seen more than once
- * - parentChildMismatches (array of {parent: parentid, child: childid}):
- *   instances where the child's parentid and the parent's children array
- *   do not match
- * - cycles (array of array of ids). List of cycles found in the server-side tree.
- * - clientCycles (array of array of ids). List of cycles found in the client-side tree.
- * - orphans (array of {id: string, parent: string}): List of nodes with
- *   either no parentid, or where the parent could not be found.
- * - missingChildren (array of {parent: id, child: id}):
- *   List of parent/children where the child id couldn't be found
- * - deletedChildren (array of { parent: id, child: id }):
- *   List of parent/children where child id was a deleted item (but still showed up
- *   in the children array)
- * - multipleParents (array of {child: id, parents: array of ids}):
- *   List of children that were part of multiple parent arrays
- * - deletedParents (array of ids) : List of records that aren't deleted but
- *   had deleted parents
- * - childrenOnNonFolder (array of ids): list of non-folders that still have
- *   children arrays
- * - duplicateChildren (array of ids): list of records who have the same
- *   child listed multiple times in their children array
- * - parentNotFolder (array of ids): list of records that have parents that
- *   aren't folders
- * - rootOnServer (boolean): true if the root came from the server
- * - badClientRoots (array of ids): Contains any client-side root ids where
- *   the root is missing or isn't a (direct) child of the places root.
- *
- * - clientMissing: Array of ids on the server missing from the client
- * - serverMissing: Array of ids on the client missing from the server
- * - serverDeleted: Array of ids on the client that the server had marked as deleted.
- * - serverUnexpected: Array of ids that appear on the server but shouldn't
- *   because the client attempts to never upload them.
- * - differences: Array of {id: string, differences: string array} recording
- *   the non-structural properties that are differente between the client and server
- * - structuralDifferences: As above, but contains the items where the differences were
- *   structural, that is, they contained childGUIDs or parentid
- */
-class BookmarkProblemData {
-  constructor() {
-    this.rootOnServer = false;
-    this.missingIDs = 0;
-
-    this.duplicates = [];
-    this.parentChildMismatches = [];
-    this.cycles = [];
-    this.clientCycles = [];
-    this.orphans = [];
-    this.missingChildren = [];
-    this.deletedChildren = [];
-    this.multipleParents = [];
-    this.deletedParents = [];
-    this.childrenOnNonFolder = [];
-    this.duplicateChildren = [];
-    this.parentNotFolder = [];
-
-    this.badClientRoots = [];
-    this.clientMissing = [];
-    this.serverMissing = [];
-    this.serverDeleted = [];
-    this.serverUnexpected = [];
-    this.differences = [];
-    this.structuralDifferences = [];
-  }
-
-  /**
-   * Convert ("difference", [{ differences: ["tags", "name"] }, { differences: ["name"] }]) into
-   * [{ name: "difference:tags", count: 1}, { name: "difference:name", count: 2 }], etc.
-   */
-  _summarizeDifferences(prefix, diffs) {
-    let diffCounts = new Map();
-    for (let { differences } of diffs) {
-      for (let type of differences) {
-        let name = prefix + ":" + type;
-        let count = diffCounts.get(name) || 0;
-        diffCounts.set(name, count + 1);
-      }
-    }
-    return [...diffCounts].map(([name, count]) => ({ name, count }));
-  }
-
-  /**
-   * Produce a list summarizing problems found. Each entry contains {name, count},
-   * where name is the field name for the problem, and count is the number of times
-   * the problem was encountered.
-   *
-   * Validation has failed if all counts are not 0.
-   *
-   * If the `full` argument is truthy, we also include information about which
-   * properties we saw structural differences in. Currently, this means either
-   * "sdiff:parentid" and "sdiff:childGUIDS" may be present.
-   */
-  getSummary(full) {
-    let result = [
-      { name: "clientMissing", count: this.clientMissing.length },
-      { name: "serverMissing", count: this.serverMissing.length },
-      { name: "serverDeleted", count: this.serverDeleted.length },
-      { name: "serverUnexpected", count: this.serverUnexpected.length },
-
-      { name: "structuralDifferences", count: this.structuralDifferences.length },
-      { name: "differences", count: this.differences.length },
-
-      { name: "missingIDs", count: this.missingIDs },
-      { name: "rootOnServer", count: this.rootOnServer ? 1 : 0 },
-
-      { name: "duplicates", count: this.duplicates.length },
-      { name: "parentChildMismatches", count: this.parentChildMismatches.length },
-      { name: "cycles", count: this.cycles.length },
-      { name: "clientCycles", count: this.clientCycles.length },
-      { name: "badClientRoots", count: this.badClientRoots.length },
-      { name: "orphans", count: this.orphans.length },
-      { name: "missingChildren", count: this.missingChildren.length },
-      { name: "deletedChildren", count: this.deletedChildren.length },
-      { name: "multipleParents", count: this.multipleParents.length },
-      { name: "deletedParents", count: this.deletedParents.length },
-      { name: "childrenOnNonFolder", count: this.childrenOnNonFolder.length },
-      { name: "duplicateChildren", count: this.duplicateChildren.length },
-      { name: "parentNotFolder", count: this.parentNotFolder.length },
-    ];
-    if (full) {
-      let structural = this._summarizeDifferences("sdiff", this.structuralDifferences);
-      result.push.apply(result, structural);
-    }
-    return result;
-  }
-}
-
-// Defined lazily to avoid initializing PlacesUtils.bookmarks too soon.
-XPCOMUtils.defineLazyGetter(this, "SYNCED_ROOTS", () => [
-  PlacesUtils.bookmarks.menuGuid,
-  PlacesUtils.bookmarks.toolbarGuid,
-  PlacesUtils.bookmarks.unfiledGuid,
-  PlacesUtils.bookmarks.mobileGuid,
-]);
-
-class BookmarkValidator {
-
-  _followQueries(recordMap) {
-    for (let [guid, entry] of recordMap) {
-      if (entry.type !== "query" && (!entry.bmkUri || !entry.bmkUri.startsWith("place:"))) {
-        continue;
-      }
-      // Might be worth trying to parse the place: query instead so that this
-      // works "automatically" with things like aboutsync.
-      let queryNodeParent = PlacesUtils.getFolderContents(entry, false, true);
-      if (!queryNodeParent || !queryNodeParent.root.hasChildren) {
-        continue;
-      }
-      queryNodeParent = queryNodeParent.root;
-      let queryNode = null;
-      let numSiblings = 0;
-      let containerWasOpen = queryNodeParent.containerOpen;
-      queryNodeParent.containerOpen = true;
-      try {
-        try {
-          numSiblings = queryNodeParent.childCount;
-        } catch (e) {
-          // This throws when we can't actually get the children. This is the
-          // case for history containers, tag queries, ...
-          continue;
-        }
-        for (let i = 0; i < numSiblings && !queryNode; ++i) {
-          let child = queryNodeParent.getChild(i);
-          if (child && child.bookmarkGuid && child.bookmarkGuid === guid) {
-            queryNode = child;
-          }
-        }
-      } finally {
-        queryNodeParent.containerOpen = containerWasOpen;
-      }
-      if (!queryNode) {
-        continue;
-      }
-
-      let concreteId = PlacesUtils.getConcreteItemGuid(queryNode);
-      if (!concreteId) {
-        continue;
-      }
-      let concreteItem = recordMap.get(concreteId);
-      if (!concreteItem) {
-        continue;
-      }
-      entry.concrete = concreteItem;
-    }
-  }
-
-  createClientRecordsFromTree(clientTree) {
-    // Iterate over the treeNode, converting it to something more similar to what
-    // the server stores.
-    let records = [];
-    let recordsByGuid = new Map();
-    let syncedRoots = SYNCED_ROOTS;
-    function traverse(treeNode, synced) {
-      if (!synced) {
-        synced = syncedRoots.includes(treeNode.guid);
-      } else if (isNodeIgnored(treeNode)) {
-        synced = false;
-      }
-      let guid = PlacesSyncUtils.bookmarks.guidToSyncId(treeNode.guid);
-      let itemType = 'item';
-      treeNode.ignored = !synced;
-      treeNode.id = guid;
-      switch (treeNode.type) {
-        case PlacesUtils.TYPE_X_MOZ_PLACE:
-          let query = null;
-          if (treeNode.annos && treeNode.uri.startsWith("place:")) {
-            query = treeNode.annos.find(({name}) =>
-              name === PlacesSyncUtils.bookmarks.SMART_BOOKMARKS_ANNO);
-          }
-          if (query && query.value) {
-            itemType = 'query';
-          } else {
-            itemType = 'bookmark';
-          }
-          break;
-        case PlacesUtils.TYPE_X_MOZ_PLACE_CONTAINER:
-          let isLivemark = false;
-          if (treeNode.annos) {
-            for (let anno of treeNode.annos) {
-              if (anno.name === PlacesUtils.LMANNO_FEEDURI) {
-                isLivemark = true;
-                treeNode.feedUri = anno.value;
-              } else if (anno.name === PlacesUtils.LMANNO_SITEURI) {
-                isLivemark = true;
-                treeNode.siteUri = anno.value;
-              }
-            }
-          }
-          itemType = isLivemark ? "livemark" : "folder";
-          break;
-        case PlacesUtils.TYPE_X_MOZ_PLACE_SEPARATOR:
-          itemType = 'separator';
-          break;
-      }
-
-      if (treeNode.tags) {
-        treeNode.tags = treeNode.tags.split(",");
-      } else {
-        treeNode.tags = [];
-      }
-      treeNode.type = itemType;
-      treeNode.pos = treeNode.index;
-      treeNode.bmkUri = treeNode.uri;
-      records.push(treeNode);
-      // We want to use the "real" guid here.
-      recordsByGuid.set(treeNode.guid, treeNode);
-      if (treeNode.type === 'folder') {
-        treeNode.childGUIDs = [];
-        if (!treeNode.children) {
-          treeNode.children = [];
-        }
-        for (let child of treeNode.children) {
-          traverse(child, synced);
-          child.parent = treeNode;
-          child.parentid = guid;
-          treeNode.childGUIDs.push(child.guid);
-        }
-      }
-    }
-    traverse(clientTree, false);
-    clientTree.id = 'places';
-    this._followQueries(recordsByGuid);
-    return records;
-  }
-
-  /**
-   * Process the server-side list. Mainly this builds the records into a tree,
-   * but it also records information about problems, and produces arrays of the
-   * deleted and non-deleted nodes.
-   *
-   * Returns an object containing:
-   * - records:Array of non-deleted records. Each record contains the following
-   *    properties
-   *     - childGUIDs (array of strings, only present if type is 'folder'): the
-   *       list of child GUIDs stored on the server.
-   *     - children (array of records, only present if type is 'folder'):
-   *       each record has these same properties. This may differ in content
-   *       from what you may expect from the childGUIDs list, as it won't
-   *       contain any records that could not be found.
-   *     - parent (record): The parent to this record.
-   *     - Unchanged properties send down from the server: id, title, type,
-   *       parentName, parentid, bmkURI, keyword, tags, pos, queryId, loadInSidebar
-   * - root: Root of the server-side bookmark tree. Has the same properties as
-   *   above.
-   * - deletedRecords: As above, but only contains items that the server sent
-   *   where it also sent indication that the item should be deleted.
-   * - problemData: a BookmarkProblemData object, with the caveat that
-   *   the fields describing client/server relationship will not have been filled
-   *   out yet.
-   */
-  inspectServerRecords(serverRecords) {
-    let deletedItemIds = new Set();
-    let idToRecord = new Map();
-    let deletedRecords = [];
-
-    let folders = [];
-    let problems = [];
-
-    let problemData = new BookmarkProblemData();
-
-    let resultRecords = [];
-
-    for (let record of serverRecords) {
-      if (!record.id) {
-        ++problemData.missingIDs;
-        continue;
-      }
-      if (record.deleted) {
-        deletedItemIds.add(record.id);
-      } else {
-        if (idToRecord.has(record.id)) {
-          problemData.duplicates.push(record.id);
-          continue;
-        }
-      }
-      idToRecord.set(record.id, record);
-
-      if (record.children) {
-        if (record.type !== "folder") {
-          // Due to implementation details in engines/bookmarks.js, (Livemark
-          // subclassing BookmarkFolder) Livemarks will have a children array,
-          // but it should still be empty.
-          if (!record.children.length) {
-            continue;
-          }
-          // Otherwise we mark it as an error and still try to resolve the children
-          problemData.childrenOnNonFolder.push(record.id);
-        }
-        folders.push(record);
-
-        if (new Set(record.children).size !== record.children.length) {
-          problemData.duplicateChildren.push(record.id)
-        }
-
-        // The children array stores special guids as their local guid values,
-        // e.g. 'menu________' instead of 'menu', but all other parts of the
-        // serverside bookmark info stores it as the special value ('menu').
-        record.childGUIDs = record.children;
-        record.children = record.children.map(childID => {
-          return PlacesSyncUtils.bookmarks.guidToSyncId(childID);
-        });
-      }
-    }
-
-    for (let deletedId of deletedItemIds) {
-      let record = idToRecord.get(deletedId);
-      if (record && !record.isDeleted) {
-        deletedRecords.push(record);
-        record.isDeleted = true;
-      }
-    }
-
-    let root = idToRecord.get('places');
-
-    if (!root) {
-      // Fabricate a root. We want to remember that it's fake so that we can
-      // avoid complaining about stuff like it missing it's childGUIDs later.
-      root = { id: 'places', children: [], type: 'folder', title: '', fake: true };
-      resultRecords.push(root);
-      idToRecord.set('places', root);
-    } else {
-      problemData.rootOnServer = true;
-    }
-
-    // Build the tree, find orphans, and record most problems having to do with
-    // the tree structure.
-    for (let [id, record] of idToRecord) {
-      if (record === root) {
-        continue;
-      }
-
-      if (record.isDeleted) {
-        continue;
-      }
-
-      let parentID = record.parentid;
-      if (!parentID) {
-        problemData.orphans.push({id: record.id, parent: parentID});
-        continue;
-      }
-
-      let parent = idToRecord.get(parentID);
-      if (!parent) {
-        problemData.orphans.push({id: record.id, parent: parentID});
-        continue;
-      }
-
-      if (parent.type !== 'folder') {
-        problemData.parentNotFolder.push(record.id);
-        if (!parent.children) {
-          parent.children = [];
-        }
-        if (!parent.childGUIDs) {
-          parent.childGUIDs = [];
-        }
-      }
-
-      if (!record.isDeleted) {
-        resultRecords.push(record);
-      }
-
-      record.parent = parent;
-      if (parent !== root || problemData.rootOnServer) {
-        let childIndex = parent.children.indexOf(id);
-        if (childIndex < 0) {
-          problemData.parentChildMismatches.push({parent: parent.id, child: record.id});
-        } else {
-          parent.children[childIndex] = record;
-        }
-      } else {
-        parent.children.push(record);
-      }
-
-      if (parent.isDeleted && !record.isDeleted) {
-        problemData.deletedParents.push(record.id);
-      }
-
-      // We used to check if the parentName on the server matches the actual
-      // local parent name, but given this is used only for de-duping a record
-      // the first time it is seen and expensive to keep up-to-date, we decided
-      // to just stop recording it. See bug 1276969 for more.
-    }
-
-    // Check that we aren't missing any children.
-    for (let folder of folders) {
-      folder.unfilteredChildren = folder.children;
-      folder.children = [];
-      for (let ci = 0; ci < folder.unfilteredChildren.length; ++ci) {
-        let child = folder.unfilteredChildren[ci];
-        let childObject;
-        if (typeof child == "string") {
-          // This can happen the parent refers to a child that has a different
-          // parentid, or if it refers to a missing or deleted child. It shouldn't
-          // be possible with totally valid bookmarks.
-          childObject = idToRecord.get(child);
-          if (!childObject) {
-            problemData.missingChildren.push({parent: folder.id, child});
-          } else {
-            folder.unfilteredChildren[ci] = childObject;
-            if (childObject.isDeleted) {
-              problemData.deletedChildren.push({ parent: folder.id, child });
-            }
-          }
-        } else {
-          childObject = child;
-        }
-
-        if (!childObject) {
-          continue;
-        }
-
-        if (childObject.parentid === folder.id) {
-          folder.children.push(childObject);
-          continue;
-        }
-
-        // The child is very probably in multiple `children` arrays --
-        // see if we already have a problem record about it.
-        let currentProblemRecord = problemData.multipleParents.find(pr =>
-          pr.child === child);
-
-        if (currentProblemRecord) {
-          currentProblemRecord.parents.push(folder.id);
-          continue;
-        }
-
-        let otherParent = idToRecord.get(childObject.parentid);
-        // it's really an ... orphan ... sort of.
-        if (!otherParent) {
-          // if we never end up adding to this parent's list, we filter it out after this loop.
-          problemData.multipleParents.push({
-            child,
-            parents: [folder.id]
-          });
-          if (!problemData.orphans.some(r => r.id === child)) {
-            problemData.orphans.push({
-              id: child,
-              parent: childObject.parentid
-            });
-          }
-          continue;
-        }
-
-        if (otherParent.isDeleted) {
-          if (!problemData.deletedParents.includes(child)) {
-            problemData.deletedParents.push(child);
-          }
-          continue;
-        }
-
-        if (otherParent.childGUIDs && !otherParent.childGUIDs.includes(child)) {
-          if (!problemData.parentChildMismatches.some(r => r.child === child)) {
-            // Might not be possible to get here.
-            problemData.parentChildMismatches.push({ child, parent: folder.id });
-          }
-        }
-
-        problemData.multipleParents.push({
-          child,
-          parents: [childObject.parentid, folder.id]
-        });
-      }
-    }
-    problemData.multipleParents = problemData.multipleParents.filter(record =>
-      record.parents.length >= 2);
-
-    problemData.cycles = this._detectCycles(resultRecords);
-
-    return {
-      deletedRecords,
-      records: resultRecords,
-      problemData,
-      root,
-    };
-  }
-
-  // helper for inspectServerRecords
-  _detectCycles(records) {
-    // currentPath and pathLookup contain the same data. pathLookup is faster to
-    // query, but currentPath gives is the order of traversal that we need in
-    // order to report the members of the cycles.
-    let pathLookup = new Set();
-    let currentPath = [];
-    let cycles = [];
-    let seenEver = new Set();
-    const traverse = node => {
-      if (pathLookup.has(node)) {
-        let cycleStart = currentPath.lastIndexOf(node);
-        let cyclePath = currentPath.slice(cycleStart).map(n => n.id);
-        cycles.push(cyclePath);
-        return;
-      } else if (seenEver.has(node)) {
-        // If we're checking the server, this is a problem, but it should already be reported.
-        // On the client, this could happen due to including `node.concrete` in the child list.
-        return;
-      }
-      seenEver.add(node);
-      let children = node.children || [];
-      if (node.concrete) {
-        children.push(node.concrete);
-      }
-      if (children) {
-        pathLookup.add(node);
-        currentPath.push(node);
-        for (let child of children) {
-          traverse(child);
-        }
-        currentPath.pop();
-        pathLookup.delete(node);
-      }
-    };
-    for (let record of records) {
-      if (!seenEver.has(record)) {
-        traverse(record);
-      }
-    }
-
-    return cycles;
-  }
-
-  // Perform client-side sanity checking that doesn't involve server data
-  _validateClient(problemData, clientRecords) {
-    problemData.clientCycles = this._detectCycles(clientRecords);
-    for (let rootGUID of SYNCED_ROOTS) {
-      let record = clientRecords.find(record =>
-        record.guid === rootGUID);
-      if (!record || record.parentid !== "places") {
-        problemData.badClientRoots.push(rootGUID);
-      }
-    }
-  }
-
-  /**
-   * Compare the list of server records with the client tree.
-   *
-   * Returns the same data as described in the inspectServerRecords comment,
-   * with the following additional fields.
-   * - clientRecords: an array of client records in a similar format to
-   *   the .records (ie, server records) entry.
-   * - problemData is the same as for inspectServerRecords, except all properties
-   *   will be filled out.
-   */
-  compareServerWithClient(serverRecords, clientTree) {
-
-    let clientRecords = this.createClientRecordsFromTree(clientTree);
-    let inspectionInfo = this.inspectServerRecords(serverRecords);
-    inspectionInfo.clientRecords = clientRecords;
-
-    // Mainly do this to remove deleted items and normalize child guids.
-    serverRecords = inspectionInfo.records;
-    let problemData = inspectionInfo.problemData;
-
-    this._validateClient(problemData, clientRecords);
-
-    let matches = [];
-
-    let allRecords = new Map();
-    let serverDeletedLookup = new Set(inspectionInfo.deletedRecords.map(r => r.id));
-
-    for (let sr of serverRecords) {
-      if (sr.fake) {
-        continue;
-      }
-      allRecords.set(sr.id, {client: null, server: sr});
-    }
-
-    for (let cr of clientRecords) {
-      let unified = allRecords.get(cr.id);
-      if (!unified) {
-        allRecords.set(cr.id, {client: cr, server: null});
-      } else {
-        unified.client = cr;
-      }
-    }
-
-
-    for (let [id, {client, server}] of allRecords) {
-      if (!client && server) {
-        problemData.clientMissing.push(id);
-        continue;
-      }
-      if (!server && client) {
-        if (serverDeletedLookup.has(id)) {
-          problemData.serverDeleted.push(id);
-        } else if (!client.ignored && client.id != "places") {
-          problemData.serverMissing.push(id);
-        }
-        continue;
-      }
-      if (server && client && client.ignored) {
-        problemData.serverUnexpected.push(id);
-      }
-      let differences = [];
-      let structuralDifferences = [];
-
-      // Don't bother comparing titles of roots. It's okay if locally it's
-      // "Mobile Bookmarks", but the server thinks it's "mobile".
-      // TODO: We probably should be handing other localized bookmarks (e.g.
-      // default bookmarks) here as well, see bug 1316041.
-      if (!SYNCED_ROOTS.includes(client.guid)) {
-        // We want to treat undefined, null and an empty string as identical
-        if ((client.title || "") !== (server.title || "")) {
-          differences.push("title");
-        }
-      }
-
-      if (client.parentid || server.parentid) {
-        if (client.parentid !== server.parentid) {
-          structuralDifferences.push('parentid');
-        }
-      }
-
-      if (client.tags || server.tags) {
-        let cl = client.tags || [];
-        let sl = server.tags || [];
-        if (cl.length !== sl.length || !cl.every((tag, i) => sl.indexOf(tag) >= 0)) {
-          differences.push('tags');
-        }
-      }
-
-      let sameType = client.type === server.type;
-      if (!sameType) {
-        if (server.type === "query" && client.type === "bookmark" && client.bmkUri.startsWith("place:")) {
-          sameType = true;
-        }
-      }
-
-
-      if (!sameType) {
-        differences.push('type');
-      } else {
-        switch (server.type) {
-          case 'bookmark':
-          case 'query':
-            if (server.bmkUri !== client.bmkUri) {
-              differences.push('bmkUri');
-            }
-            break;
-          case "livemark":
-            if (server.feedUri != client.feedUri) {
-              differences.push("feedUri");
-            }
-            if (server.siteUri != client.siteUri) {
-              differences.push("siteUri");
-            }
-            break;
-          case 'folder':
-            if (server.id === 'places' && !problemData.rootOnServer) {
-              // It's the fabricated places root. It won't have the GUIDs, but
-              // it doesn't matter.
-              break;
-            }
-            if (client.childGUIDs || server.childGUIDs) {
-              let cl = client.childGUIDs || [];
-              let sl = server.childGUIDs || [];
-              if (cl.length !== sl.length || !cl.every((id, i) => sl[i] === id)) {
-                structuralDifferences.push('childGUIDs');
-              }
-            }
-            break;
-        }
-      }
-
-      if (differences.length) {
-        problemData.differences.push({id, differences});
-      }
-      if (structuralDifferences.length) {
-        problemData.structuralDifferences.push({ id, differences: structuralDifferences });
-      }
-    }
-    return inspectionInfo;
-  }
-
-  _getServerState(engine) {
-    let collection = engine.itemSource();
-    let collectionKey = engine.service.collectionKeys.keyForCollection(engine.name);
-    collection.full = true;
-    let items = [];
-    collection.recordHandler = function(item) {
-      item.decrypt(collectionKey);
-      items.push(item.cleartext);
-    };
-    let resp = collection.getBatched();
-    if (!resp.success) {
-      throw resp;
-    }
-    return items;
-  }
-
-  validate(engine) {
-    let self = this;
-    return Task.spawn(function*() {
-      let start = Date.now();
-      let clientTree = yield PlacesUtils.promiseBookmarksTree("", {
-        includeItemIds: true
-      });
-      let serverState = self._getServerState(engine);
-      let serverRecordCount = serverState.length;
-      let result = self.compareServerWithClient(serverState, clientTree);
-      let end = Date.now();
-      let duration = end-start;
-      return {
-        duration,
-        version: self.version,
-        problems: result.problemData,
-        recordCount: serverRecordCount
-      };
-    });
-  }
-
-};
-
-BookmarkValidator.prototype.version = BOOKMARK_VALIDATOR_VERSION;
-
diff --git a/services/sync/modules/browserid_identity.js b/services/sync/modules/browserid_identity.js
deleted file mode 100644
index db38215184..0000000000
--- a/services/sync/modules/browserid_identity.js
+++ /dev/null
@@ -1,869 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-"use strict";
-
-this.EXPORTED_SYMBOLS = ["BrowserIDManager", "AuthenticationError"];
-
-var {classes: Cc, interfaces: Ci, utils: Cu, results: Cr} = Components;
-
-Cu.import("resource://gre/modules/Log.jsm");
-Cu.import("resource://services-common/async.js");
-Cu.import("resource://services-common/utils.js");
-Cu.import("resource://services-common/tokenserverclient.js");
-Cu.import("resource://services-crypto/utils.js");
-Cu.import("resource://services-sync/identity.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://services-common/tokenserverclient.js");
-Cu.import("resource://gre/modules/Services.jsm");
-Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://gre/modules/Promise.jsm");
-Cu.import("resource://services-sync/stages/cluster.js");
-Cu.import("resource://gre/modules/FxAccounts.jsm");
-
-// Lazy imports to prevent unnecessary load on startup.
-XPCOMUtils.defineLazyModuleGetter(this, "Weave",
-                                  "resource://services-sync/main.js");
-
-XPCOMUtils.defineLazyModuleGetter(this, "BulkKeyBundle",
-                                  "resource://services-sync/keys.js");
-
-XPCOMUtils.defineLazyModuleGetter(this, "fxAccounts",
-                                  "resource://gre/modules/FxAccounts.jsm");
-
-XPCOMUtils.defineLazyGetter(this, 'log', function() {
-  let log = Log.repository.getLogger("Sync.BrowserIDManager");
-  log.level = Log.Level[Svc.Prefs.get("log.logger.identity")] || Log.Level.Error;
-  return log;
-});
-
-// FxAccountsCommon.js doesn't use a "namespace", so create one here.
-var fxAccountsCommon = {};
-Cu.import("resource://gre/modules/FxAccountsCommon.js", fxAccountsCommon);
-
-const OBSERVER_TOPICS = [
-  fxAccountsCommon.ONLOGIN_NOTIFICATION,
-  fxAccountsCommon.ONLOGOUT_NOTIFICATION,
-  fxAccountsCommon.ON_ACCOUNT_STATE_CHANGE_NOTIFICATION,
-];
-
-const PREF_SYNC_SHOW_CUSTOMIZATION = "services.sync-setup.ui.showCustomizationDialog";
-
-function deriveKeyBundle(kB) {
-  let out = CryptoUtils.hkdf(kB, undefined,
-                             "identity.mozilla.com/picl/v1/oldsync", 2*32);
-  let bundle = new BulkKeyBundle();
-  // [encryptionKey, hmacKey]
-  bundle.keyPair = [out.slice(0, 32), out.slice(32, 64)];
-  return bundle;
-}
-
-/*
-  General authentication error for abstracting authentication
-  errors from multiple sources (e.g., from FxAccounts, TokenServer).
-  details is additional details about the error - it might be a string, or
-  some other error object (which should do the right thing when toString() is
-  called on it)
-*/
-function AuthenticationError(details, source) {
-  this.details = details;
-  this.source = source;
-}
-
-AuthenticationError.prototype = {
-  toString: function() {
-    return "AuthenticationError(" + this.details + ")";
-  }
-}
-
-this.BrowserIDManager = function BrowserIDManager() {
-  // NOTE: _fxaService and _tokenServerClient are replaced with mocks by
-  // the test suite.
-  this._fxaService = fxAccounts;
-  this._tokenServerClient = new TokenServerClient();
-  this._tokenServerClient.observerPrefix = "weave:service";
-  // will be a promise that resolves when we are ready to authenticate
-  this.whenReadyToAuthenticate = null;
-  this._log = log;
-};
-
-this.BrowserIDManager.prototype = {
-  __proto__: IdentityManager.prototype,
-
-  _fxaService: null,
-  _tokenServerClient: null,
-  // https://docs.services.mozilla.com/token/apis.html
-  _token: null,
-  _signedInUser: null, // the signedinuser we got from FxAccounts.
-
-  // null if no error, otherwise a LOGIN_FAILED_* value that indicates why
-  // we failed to authenticate (but note it might not be an actual
-  // authentication problem, just a transient network error or similar)
-  _authFailureReason: null,
-
-  // it takes some time to fetch a sync key bundle, so until this flag is set,
-  // we don't consider the lack of a keybundle as a failure state.
-  _shouldHaveSyncKeyBundle: false,
-
-  get needsCustomization() {
-    try {
-      return Services.prefs.getBoolPref(PREF_SYNC_SHOW_CUSTOMIZATION);
-    } catch (e) {
-      return false;
-    }
-  },
-
-  hashedUID() {
-    if (!this._token) {
-      throw new Error("hashedUID: Don't have token");
-    }
-    return this._token.hashed_fxa_uid
-  },
-
-  deviceID() {
-    return this._signedInUser && this._signedInUser.deviceId;
-  },
-
-  initialize: function() {
-    for (let topic of OBSERVER_TOPICS) {
-      Services.obs.addObserver(this, topic, false);
-    }
-    // and a background fetch of account data just so we can set this.account,
-    // so we have a username available before we've actually done a login.
-    // XXX - this is actually a hack just for tests and really shouldn't be
-    // necessary. Also, you'd think it would be safe to allow this.account to
-    // be set to null when there's no user logged in, but argue with the test
-    // suite, not with me :)
-    this._fxaService.getSignedInUser().then(accountData => {
-      if (accountData) {
-        this.account = accountData.email;
-      }
-    }).catch(err => {
-      // As above, this is only for tests so it is safe to ignore.
-    });
-  },
-
-  /**
-   * Ensure the user is logged in.  Returns a promise that resolves when
-   * the user is logged in, or is rejected if the login attempt has failed.
-   */
-  ensureLoggedIn: function() {
-    if (!this._shouldHaveSyncKeyBundle && this.whenReadyToAuthenticate) {
-      // We are already in the process of logging in.
-      return this.whenReadyToAuthenticate.promise;
-    }
-
-    // If we are already happy then there is nothing more to do.
-    if (this._syncKeyBundle) {
-      return Promise.resolve();
-    }
-
-    // Similarly, if we have a previous failure that implies an explicit
-    // re-entering of credentials by the user is necessary we don't take any
-    // further action - an observer will fire when the user does that.
-    if (Weave.Status.login == LOGIN_FAILED_LOGIN_REJECTED) {
-      return Promise.reject(new Error("User needs to re-authenticate"));
-    }
-
-    // So - we've a previous auth problem and aren't currently attempting to
-    // log in - so fire that off.
-    this.initializeWithCurrentIdentity();
-    return this.whenReadyToAuthenticate.promise;
-  },
-
-  finalize: function() {
-    // After this is called, we can expect Service.identity != this.
-    for (let topic of OBSERVER_TOPICS) {
-      Services.obs.removeObserver(this, topic);
-    }
-    this.resetCredentials();
-    this._signedInUser = null;
-  },
-
-  offerSyncOptions: function () {
-    // If the user chose to "Customize sync options" when signing
-    // up with Firefox Accounts, ask them to choose what to sync.
-    const url = "chrome://browser/content/sync/customize.xul";
-    const features = "centerscreen,chrome,modal,dialog,resizable=no";
-    let win = Services.wm.getMostRecentWindow("navigator:browser");
-
-    let data = {accepted: false};
-    win.openDialog(url, "_blank", features, data);
-
-    return data;
-  },
-
-  initializeWithCurrentIdentity: function(isInitialSync=false) {
-    // While this function returns a promise that resolves once we've started
-    // the auth process, that process is complete when
-    // this.whenReadyToAuthenticate.promise resolves.
-    this._log.trace("initializeWithCurrentIdentity");
-
-    // Reset the world before we do anything async.
-    this.whenReadyToAuthenticate = Promise.defer();
-    this.whenReadyToAuthenticate.promise.catch(err => {
-      this._log.error("Could not authenticate", err);
-    });
-
-    // initializeWithCurrentIdentity() can be called after the
-    // identity module was first initialized, e.g., after the
-    // user completes a force authentication, so we should make
-    // sure all credentials are reset before proceeding.
-    this.resetCredentials();
-    this._authFailureReason = null;
-
-    return this._fxaService.getSignedInUser().then(accountData => {
-      if (!accountData) {
-        this._log.info("initializeWithCurrentIdentity has no user logged in");
-        this.account = null;
-        // and we are as ready as we can ever be for auth.
-        this._shouldHaveSyncKeyBundle = true;
-        this.whenReadyToAuthenticate.reject("no user is logged in");
-        return;
-      }
-
-      this.account = accountData.email;
-      this._updateSignedInUser(accountData);
-      // The user must be verified before we can do anything at all; we kick
-      // this and the rest of initialization off in the background (ie, we
-      // don't return the promise)
-      this._log.info("Waiting for user to be verified.");
-      this._fxaService.whenVerified(accountData).then(accountData => {
-        this._updateSignedInUser(accountData);
-        this._log.info("Starting fetch for key bundle.");
-        if (this.needsCustomization) {
-          let data = this.offerSyncOptions();
-          if (data.accepted) {
-            Services.prefs.clearUserPref(PREF_SYNC_SHOW_CUSTOMIZATION);
-
-            // Mark any non-selected engines as declined.
-            Weave.Service.engineManager.declineDisabled();
-          } else {
-            // Log out if the user canceled the dialog.
-            return this._fxaService.signOut();
-          }
-        }
-      }).then(() => {
-        return this._fetchTokenForUser();
-      }).then(token => {
-        this._token = token;
-        this._shouldHaveSyncKeyBundle = true; // and we should actually have one...
-        this.whenReadyToAuthenticate.resolve();
-        this._log.info("Background fetch for key bundle done");
-        Weave.Status.login = LOGIN_SUCCEEDED;
-        if (isInitialSync) {
-          this._log.info("Doing initial sync actions");
-          Svc.Prefs.set("firstSync", "resetClient");
-          Services.obs.notifyObservers(null, "weave:service:setup-complete", null);
-          Weave.Utils.nextTick(Weave.Service.sync, Weave.Service);
-        }
-      }).catch(authErr => {
-        // report what failed...
-        this._log.error("Background fetch for key bundle failed", authErr);
-        this._shouldHaveSyncKeyBundle = true; // but we probably don't have one...
-        this.whenReadyToAuthenticate.reject(authErr);
-      });
-      // and we are done - the fetch continues on in the background...
-    }).catch(err => {
-      this._log.error("Processing logged in account", err);
-    });
-  },
-
-  _updateSignedInUser: function(userData) {
-    // This object should only ever be used for a single user.  It is an
-    // error to update the data if the user changes (but updates are still
-    // necessary, as each call may add more attributes to the user).
-    // We start with no user, so an initial update is always ok.
-    if (this._signedInUser && this._signedInUser.email != userData.email) {
-      throw new Error("Attempting to update to a different user.")
-    }
-    this._signedInUser = userData;
-  },
-
-  logout: function() {
-    // This will be called when sync fails (or when the account is being
-    // unlinked etc).  It may have failed because we got a 401 from a sync
-    // server, so we nuke the token.  Next time sync runs and wants an
-    // authentication header, we will notice the lack of the token and fetch a
-    // new one.
-    this._token = null;
-  },
-
-  observe: function (subject, topic, data) {
-    this._log.debug("observed " + topic);
-    switch (topic) {
-    case fxAccountsCommon.ONLOGIN_NOTIFICATION:
-      // This should only happen if we've been initialized without a current
-      // user - otherwise we'd have seen the LOGOUT notification and been
-      // thrown away.
-      // The exception is when we've initialized with a user that needs to
-      // reauth with the server - in that case we will also get here, but
-      // should have the same identity.
-      // initializeWithCurrentIdentity will throw and log if these constraints
-      // aren't met (indirectly, via _updateSignedInUser()), so just go ahead
-      // and do the init.
-      this.initializeWithCurrentIdentity(true);
-      break;
-
-    case fxAccountsCommon.ONLOGOUT_NOTIFICATION:
-      Weave.Service.startOver();
-      // startOver will cause this instance to be thrown away, so there's
-      // nothing else to do.
-      break;
-
-    case fxAccountsCommon.ON_ACCOUNT_STATE_CHANGE_NOTIFICATION:
-      // throw away token and fetch a new one
-      this.resetCredentials();
-      this._ensureValidToken().catch(err =>
-        this._log.error("Error while fetching a new token", err));
-      break;
-    }
-  },
-
-  /**
-   * Compute the sha256 of the message bytes.  Return bytes.
-   */
-  _sha256: function(message) {
-    let hasher = Cc["@mozilla.org/security/hash;1"]
-                    .createInstance(Ci.nsICryptoHash);
-    hasher.init(hasher.SHA256);
-    return CryptoUtils.digestBytes(message, hasher);
-  },
-
-  /**
-   * Compute the X-Client-State header given the byte string kB.
-   *
-   * Return string: hex(first16Bytes(sha256(kBbytes)))
-   */
-  _computeXClientState: function(kBbytes) {
-    return CommonUtils.bytesAsHex(this._sha256(kBbytes).slice(0, 16), false);
-  },
-
-  /**
-   * Provide override point for testing token expiration.
-   */
-  _now: function() {
-    return this._fxaService.now()
-  },
-
-  get _localtimeOffsetMsec() {
-    return this._fxaService.localtimeOffsetMsec;
-  },
-
-  usernameFromAccount: function(val) {
-    // we don't differentiate between "username" and "account"
-    return val;
-  },
-
-  /**
-   * Obtains the HTTP Basic auth password.
-   *
-   * Returns a string if set or null if it is not set.
-   */
-  get basicPassword() {
-    this._log.error("basicPassword getter should be not used in BrowserIDManager");
-    return null;
-  },
-
-  /**
-   * Set the HTTP basic password to use.
-   *
-   * Changes will not persist unless persistSyncCredentials() is called.
-   */
-  set basicPassword(value) {
-    throw "basicPassword setter should be not used in BrowserIDManager";
-  },
-
-  /**
-   * Obtain the Sync Key.
-   *
-   * This returns a 26 character "friendly" Base32 encoded string on success or
-   * null if no Sync Key could be found.
-   *
-   * If the Sync Key hasn't been set in this session, this will look in the
-   * password manager for the sync key.
-   */
-  get syncKey() {
-    if (this.syncKeyBundle) {
-      // TODO: This is probably fine because the code shouldn't be
-      // using the sync key directly (it should use the sync key
-      // bundle), but I don't like it. We should probably refactor
-      // code that is inspecting this to not do validation on this
-      // field directly and instead call a isSyncKeyValid() function
-      // that we can override.
-      return "99999999999999999999999999";
-    }
-    else {
-      return null;
-    }
-  },
-
-  set syncKey(value) {
-    throw "syncKey setter should be not used in BrowserIDManager";
-  },
-
-  get syncKeyBundle() {
-    return this._syncKeyBundle;
-  },
-
-  /**
-   * Resets/Drops all credentials we hold for the current user.
-   */
-  resetCredentials: function() {
-    this.resetSyncKey();
-    this._token = null;
-    // The cluster URL comes from the token, so resetting it to empty will
-    // force Sync to not accidentally use a value from an earlier token.
-    Weave.Service.clusterURL = null;
-  },
-
-  /**
-   * Resets/Drops the sync key we hold for the current user.
-   */
-  resetSyncKey: function() {
-    this._syncKey = null;
-    this._syncKeyBundle = null;
-    this._syncKeyUpdated = true;
-    this._shouldHaveSyncKeyBundle = false;
-  },
-
-  /**
-   * Pre-fetches any information that might help with migration away from this
-   * identity.  Called after every sync and is really just an optimization that
-   * allows us to avoid a network request for when we actually need the
-   * migration info.
-   */
-  prefetchMigrationSentinel: function(service) {
-    // nothing to do here until we decide to migrate away from FxA.
-  },
-
-  /**
-    * Return credentials hosts for this identity only.
-    */
-  _getSyncCredentialsHosts: function() {
-    return Utils.getSyncCredentialsHostsFxA();
-  },
-
-  /**
-   * The current state of the auth credentials.
-   *
-   * This essentially validates that enough credentials are available to use
-   * Sync. It doesn't check we have all the keys we need as the master-password
-   * may have been locked when we tried to get them - we rely on
-   * unlockAndVerifyAuthState to check that for us.
-   */
-  get currentAuthState() {
-    if (this._authFailureReason) {
-      this._log.info("currentAuthState returning " + this._authFailureReason +
-                     " due to previous failure");
-      return this._authFailureReason;
-    }
-    // TODO: need to revisit this. Currently this isn't ready to go until
-    // both the username and syncKeyBundle are both configured and having no
-    // username seems to make things fail fast so that's good.
-    if (!this.username) {
-      return LOGIN_FAILED_NO_USERNAME;
-    }
-
-    return STATUS_OK;
-  },
-
-  // Do we currently have keys, or do we have enough that we should be able
-  // to successfully fetch them?
-  _canFetchKeys: function() {
-    let userData = this._signedInUser;
-    // a keyFetchToken means we can almost certainly grab them.
-    // kA and kB means we already have them.
-    return userData && (userData.keyFetchToken || (userData.kA && userData.kB));
-  },
-
-  /**
-   * Verify the current auth state, unlocking the master-password if necessary.
-   *
-   * Returns a promise that resolves with the current auth state after
-   * attempting to unlock.
-   */
-  unlockAndVerifyAuthState: function() {
-    if (this._canFetchKeys()) {
-      log.debug("unlockAndVerifyAuthState already has (or can fetch) sync keys");
-      return Promise.resolve(STATUS_OK);
-    }
-    // so no keys - ensure MP unlocked.
-    if (!Utils.ensureMPUnlocked()) {
-      // user declined to unlock, so we don't know if they are stored there.
-      log.debug("unlockAndVerifyAuthState: user declined to unlock master-password");
-      return Promise.resolve(MASTER_PASSWORD_LOCKED);
-    }
-    // now we are unlocked we must re-fetch the user data as we may now have
-    // the details that were previously locked away.
-    return this._fxaService.getSignedInUser().then(
-      accountData => {
-        this._updateSignedInUser(accountData);
-        // If we still can't get keys it probably means the user authenticated
-        // without unlocking the MP or cleared the saved logins, so we've now
-        // lost them - the user will need to reauth before continuing.
-        let result;
-        if (this._canFetchKeys()) {
-          result = STATUS_OK;
-        } else {
-          result = LOGIN_FAILED_LOGIN_REJECTED;
-        }
-        log.debug("unlockAndVerifyAuthState re-fetched credentials and is returning", result);
-        return result;
-      }
-    );
-  },
-
-  /**
-   * Do we have a non-null, not yet expired token for the user currently
-   * signed in?
-   */
-  hasValidToken: function() {
-    // If pref is set to ignore cached authentication credentials for debugging,
-    // then return false to force the fetching of a new token.
-    let ignoreCachedAuthCredentials = false;
-    try {
-      ignoreCachedAuthCredentials = Svc.Prefs.get("debug.ignoreCachedAuthCredentials");
-    } catch(e) {
-      // Pref doesn't exist
-    }
-    if (ignoreCachedAuthCredentials) {
-      return false;
-    }
-    if (!this._token) {
-      return false;
-    }
-    if (this._token.expiration < this._now()) {
-      return false;
-    }
-    return true;
-  },
-
-  // Get our tokenServerURL - a private helper. Returns a string.
-  get _tokenServerUrl() {
-    // We used to support services.sync.tokenServerURI but this was a
-    // pain-point for people using non-default servers as Sync may auto-reset
-    // all services.sync prefs. So if that still exists, it wins.
-    let url = Svc.Prefs.get("tokenServerURI"); // Svc.Prefs "root" is services.sync
-    if (!url) {
-      url = Services.prefs.getCharPref("identity.sync.tokenserver.uri");
-    }
-    while (url.endsWith("/")) { // trailing slashes cause problems...
-      url = url.slice(0, -1);
-    }
-    return url;
-  },
-
-  // Refresh the sync token for our user. Returns a promise that resolves
-  // with a token (which may be null in one sad edge-case), or rejects with an
-  // error.
-  _fetchTokenForUser: function() {
-    // tokenServerURI is mis-named - convention is uri means nsISomething...
-    let tokenServerURI = this._tokenServerUrl;
-    let log = this._log;
-    let client = this._tokenServerClient;
-    let fxa = this._fxaService;
-    let userData = this._signedInUser;
-
-    // We need kA and kB for things to work.  If we don't have them, just
-    // return null for the token - sync calling unlockAndVerifyAuthState()
-    // before actually syncing will setup the error states if necessary.
-    if (!this._canFetchKeys()) {
-      log.info("Unable to fetch keys (master-password locked?), so aborting token fetch");
-      return Promise.resolve(null);
-    }
-
-    let maybeFetchKeys = () => {
-      // This is called at login time and every time we need a new token - in
-      // the latter case we already have kA and kB, so optimise that case.
-      if (userData.kA && userData.kB) {
-        return;
-      }
-      log.info("Fetching new keys");
-      return this._fxaService.getKeys().then(
-        newUserData => {
-          userData = newUserData;
-          this._updateSignedInUser(userData); // throws if the user changed.
-        }
-      );
-    }
-
-    let getToken = assertion => {
-      log.debug("Getting a token");
-      let deferred = Promise.defer();
-      let cb = function (err, token) {
-        if (err) {
-          return deferred.reject(err);
-        }
-        log.debug("Successfully got a sync token");
-        return deferred.resolve(token);
-      };
-
-      let kBbytes = CommonUtils.hexToBytes(userData.kB);
-      let headers = {"X-Client-State": this._computeXClientState(kBbytes)};
-      client.getTokenFromBrowserIDAssertion(tokenServerURI, assertion, cb, headers);
-      return deferred.promise;
-    }
-
-    let getAssertion = () => {
-      log.info("Getting an assertion from", tokenServerURI);
-      let audience = Services.io.newURI(tokenServerURI, null, null).prePath;
-      return fxa.getAssertion(audience);
-    };
-
-    // wait until the account email is verified and we know that
-    // getAssertion() will return a real assertion (not null).
-    return fxa.whenVerified(this._signedInUser)
-      .then(() => maybeFetchKeys())
-      .then(() => getAssertion())
-      .then(assertion => getToken(assertion))
-      .catch(err => {
-        // If we get a 401 fetching the token it may be that our certificate
-        // needs to be regenerated.
-        if (!err.response || err.response.status !== 401) {
-          return Promise.reject(err);
-        }
-        log.warn("Token server returned 401, refreshing certificate and retrying token fetch");
-        return fxa.invalidateCertificate()
-          .then(() => getAssertion())
-          .then(assertion => getToken(assertion))
-      })
-      .then(token => {
-        // TODO: Make it be only 80% of the duration, so refresh the token
-        // before it actually expires. This is to avoid sync storage errors
-        // otherwise, we get a nasty notification bar briefly. Bug 966568.
-        token.expiration = this._now() + (token.duration * 1000) * 0.80;
-        if (!this._syncKeyBundle) {
-          // We are given kA/kB as hex.
-          this._syncKeyBundle = deriveKeyBundle(Utils.hexToBytes(userData.kB));
-        }
-        return token;
-      })
-      .catch(err => {
-        // TODO: unify these errors - we need to handle errors thrown by
-        // both tokenserverclient and hawkclient.
-        // A tokenserver error thrown based on a bad response.
-        if (err.response && err.response.status === 401) {
-          err = new AuthenticationError(err, "tokenserver");
-        // A hawkclient error.
-        } else if (err.code && err.code === 401) {
-          err = new AuthenticationError(err, "hawkclient");
-        // An FxAccounts.jsm error.
-        } else if (err.message == fxAccountsCommon.ERROR_AUTH_ERROR) {
-          err = new AuthenticationError(err, "fxaccounts");
-        }
-
-        // TODO: write tests to make sure that different auth error cases are handled here
-        // properly: auth error getting assertion, auth error getting token (invalid generation
-        // and client-state error)
-        if (err instanceof AuthenticationError) {
-          this._log.error("Authentication error in _fetchTokenForUser", err);
-          // set it to the "fatal" LOGIN_FAILED_LOGIN_REJECTED reason.
-          this._authFailureReason = LOGIN_FAILED_LOGIN_REJECTED;
-        } else {
-          this._log.error("Non-authentication error in _fetchTokenForUser", err);
-          // for now assume it is just a transient network related problem
-          // (although sadly, it might also be a regular unhandled exception)
-          this._authFailureReason = LOGIN_FAILED_NETWORK_ERROR;
-        }
-        // this._authFailureReason being set to be non-null in the above if clause
-        // ensures we are in the correct currentAuthState, and
-        // this._shouldHaveSyncKeyBundle being true ensures everything that cares knows
-        // that there is no authentication dance still under way.
-        this._shouldHaveSyncKeyBundle = true;
-        Weave.Status.login = this._authFailureReason;
-        throw err;
-      });
-  },
-
-  // Returns a promise that is resolved when we have a valid token for the
-  // current user stored in this._token.  When resolved, this._token is valid.
-  _ensureValidToken: function() {
-    if (this.hasValidToken()) {
-      this._log.debug("_ensureValidToken already has one");
-      return Promise.resolve();
-    }
-    const notifyStateChanged =
-      () => Services.obs.notifyObservers(null, "weave:service:login:change", null);
-    // reset this._token as a safety net to reduce the possibility of us
-    // repeatedly attempting to use an invalid token if _fetchTokenForUser throws.
-    this._token = null;
-    return this._fetchTokenForUser().then(
-      token => {
-        this._token = token;
-        notifyStateChanged();
-      },
-      error => {
-        notifyStateChanged();
-        throw error
-      }
-    );
-  },
-
-  getResourceAuthenticator: function () {
-    return this._getAuthenticationHeader.bind(this);
-  },
-
-  /**
-   * Obtain a function to be used for adding auth to RESTRequest instances.
-   */
-  getRESTRequestAuthenticator: function() {
-    return this._addAuthenticationHeader.bind(this);
-  },
-
-  /**
-   * @return a Hawk HTTP Authorization Header, lightly wrapped, for the .uri
-   * of a RESTRequest or AsyncResponse object.
-   */
-  _getAuthenticationHeader: function(httpObject, method) {
-    let cb = Async.makeSpinningCallback();
-    this._ensureValidToken().then(cb, cb);
-    // Note that in failure states we return null, causing the request to be
-    // made without authorization headers, thereby presumably causing a 401,
-    // which causes Sync to log out. If we throw, this may not happen as
-    // expected.
-    try {
-      cb.wait();
-    } catch (ex) {
-      if (Async.isShutdownException(ex)) {
-        throw ex;
-      }
-      this._log.error("Failed to fetch a token for authentication", ex);
-      return null;
-    }
-    if (!this._token) {
-      return null;
-    }
-    let credentials = {algorithm: "sha256",
-                       id: this._token.id,
-                       key: this._token.key,
-                      };
-    method = method || httpObject.method;
-
-    // Get the local clock offset from the Firefox Accounts server.  This should
-    // be close to the offset from the storage server.
-    let options = {
-      now: this._now(),
-      localtimeOffsetMsec: this._localtimeOffsetMsec,
-      credentials: credentials,
-    };
-
-    let headerValue = CryptoUtils.computeHAWK(httpObject.uri, method, options);
-    return {headers: {authorization: headerValue.field}};
-  },
-
-  _addAuthenticationHeader: function(request, method) {
-    let header = this._getAuthenticationHeader(request, method);
-    if (!header) {
-      return null;
-    }
-    request.setHeader("authorization", header.headers.authorization);
-    return request;
-  },
-
-  createClusterManager: function(service) {
-    return new BrowserIDClusterManager(service);
-  },
-
-  // Tell Sync what the login status should be if it saw a 401 fetching
-  // info/collections as part of login verification (typically immediately
-  // after login.)
-  // In our case, it almost certainly means a transient error fetching a token
-  // (and hitting this will cause us to logout, which will correctly handle an
-  // authoritative login issue.)
-  loginStatusFromVerification404() {
-    return LOGIN_FAILED_NETWORK_ERROR;
-  },
-};
-
-/* An implementation of the ClusterManager for this identity
- */
-
-function BrowserIDClusterManager(service) {
-  ClusterManager.call(this, service);
-}
-
-BrowserIDClusterManager.prototype = {
-  __proto__: ClusterManager.prototype,
-
-  _findCluster: function() {
-    let endPointFromIdentityToken = function() {
-      // The only reason (in theory ;) that we can end up with a null token
-      // is when this.identity._canFetchKeys() returned false.  In turn, this
-      // should only happen if the master-password is locked or the credentials
-      // storage is screwed, and in those cases we shouldn't have started
-      // syncing so shouldn't get here anyway.
-      // But better safe than sorry! To keep things clearer, throw an explicit
-      // exception - the message will appear in the logs and the error will be
-      // treated as transient.
-      if (!this.identity._token) {
-        throw new Error("Can't get a cluster URL as we can't fetch keys.");
-      }
-      let endpoint = this.identity._token.endpoint;
-      // For Sync 1.5 storage endpoints, we use the base endpoint verbatim.
-      // However, it should end in "/" because we will extend it with
-      // well known path components. So we add a "/" if it's missing.
-      if (!endpoint.endsWith("/")) {
-        endpoint += "/";
-      }
-      log.debug("_findCluster returning " + endpoint);
-      return endpoint;
-    }.bind(this);
-
-    // Spinningly ensure we are ready to authenticate and have a valid token.
-    let promiseClusterURL = function() {
-      return this.identity.whenReadyToAuthenticate.promise.then(
-        () => {
-          // We need to handle node reassignment here.  If we are being asked
-          // for a clusterURL while the service already has a clusterURL, then
-          // it's likely a 401 was received using the existing token - in which
-          // case we just discard the existing token and fetch a new one.
-          if (this.service.clusterURL) {
-            log.debug("_findCluster has a pre-existing clusterURL, so discarding the current token");
-            this.identity._token = null;
-          }
-          return this.identity._ensureValidToken();
-        }
-      ).then(endPointFromIdentityToken
-      );
-    }.bind(this);
-
-    let cb = Async.makeSpinningCallback();
-    promiseClusterURL().then(function (clusterURL) {
-      cb(null, clusterURL);
-    }).then(
-      null, err => {
-      log.info("Failed to fetch the cluster URL", err);
-      // service.js's verifyLogin() method will attempt to fetch a cluster
-      // URL when it sees a 401.  If it gets null, it treats it as a "real"
-      // auth error and sets Status.login to LOGIN_FAILED_LOGIN_REJECTED, which
-      // in turn causes a notification bar to appear informing the user they
-      // need to re-authenticate.
-      // On the other hand, if fetching the cluster URL fails with an exception,
-      // verifyLogin() assumes it is a transient error, and thus doesn't show
-      // the notification bar under the assumption the issue will resolve
-      // itself.
-      // Thus:
-      // * On a real 401, we must return null.
-      // * On any other problem we must let an exception bubble up.
-      if (err instanceof AuthenticationError) {
-        // callback with no error and a null result - cb.wait() returns null.
-        cb(null, null);
-      } else {
-        // callback with an error - cb.wait() completes by raising an exception.
-        cb(err);
-      }
-    });
-    return cb.wait();
-  },
-
-  getUserBaseURL: function() {
-    // Legacy Sync and FxA Sync construct the userBaseURL differently. Legacy
-    // Sync appends path components onto an empty path, and in FxA Sync the
-    // token server constructs this for us in an opaque manner. Since the
-    // cluster manager already sets the clusterURL on Service and also has
-    // access to the current identity, we added this functionality here.
-    return this.service.clusterURL;
-  }
-}
diff --git a/services/sync/modules/collection_validator.js b/services/sync/modules/collection_validator.js
deleted file mode 100644
index 41141bba30..0000000000
--- a/services/sync/modules/collection_validator.js
+++ /dev/null
@@ -1,204 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-"use strict";
-
-const Cu = Components.utils;
-
-Cu.import("resource://services-sync/record.js");
-Cu.import("resource://services-sync/main.js");
-
-this.EXPORTED_SYMBOLS = ["CollectionValidator", "CollectionProblemData"];
-
-class CollectionProblemData {
-  constructor() {
-    this.missingIDs = 0;
-    this.duplicates = [];
-    this.clientMissing = [];
-    this.serverMissing = [];
-    this.serverDeleted = [];
-    this.serverUnexpected = [];
-    this.differences = [];
-  }
-
-  /**
-   * Produce a list summarizing problems found. Each entry contains {name, count},
-   * where name is the field name for the problem, and count is the number of times
-   * the problem was encountered.
-   *
-   * Validation has failed if all counts are not 0.
-   */
-  getSummary() {
-    return [
-      { name: "clientMissing", count: this.clientMissing.length },
-      { name: "serverMissing", count: this.serverMissing.length },
-      { name: "serverDeleted", count: this.serverDeleted.length },
-      { name: "serverUnexpected", count: this.serverUnexpected.length },
-      { name: "differences", count: this.differences.length },
-      { name: "missingIDs", count: this.missingIDs },
-      { name: "duplicates", count: this.duplicates.length }
-    ];
-  }
-}
-
-class CollectionValidator {
-  // Construct a generic collection validator. This is intended to be called by
-  // subclasses.
-  // - name: Name of the engine
-  // - idProp: Property that identifies a record. That is, if a client and server
-  //   record have the same value for the idProp property, they should be
-  //   compared against eachother.
-  // - props: Array of properties that should be compared
-  constructor(name, idProp, props) {
-    this.name = name;
-    this.props = props;
-    this.idProp = idProp;
-  }
-
-  // Should a custom ProblemData type be needed, return it here.
-  emptyProblemData() {
-    return new CollectionProblemData();
-  }
-
-  getServerItems(engine) {
-    let collection = engine.itemSource();
-    let collectionKey = engine.service.collectionKeys.keyForCollection(engine.name);
-    collection.full = true;
-    let items = [];
-    collection.recordHandler = function(item) {
-      item.decrypt(collectionKey);
-      items.push(item.cleartext);
-    };
-    let resp = collection.getBatched();
-    if (!resp.success) {
-      throw resp;
-    }
-    return items;
-  }
-
-  // Should return a promise that resolves to an array of client items.
-  getClientItems() {
-    return Promise.reject("Must implement");
-  }
-
-  // Turn the client item into something that can be compared with the server item,
-  // and is also safe to mutate.
-  normalizeClientItem(item) {
-    return Cu.cloneInto(item, {});
-  }
-
-  // Turn the server item into something that can be easily compared with the client
-  // items.
-  normalizeServerItem(item) {
-    return item;
-  }
-
-  // Return whether or not a server item should be present on the client. Expected
-  // to be overridden.
-  clientUnderstands(item) {
-    return true;
-  }
-
-  // Return whether or not a client item should be present on the server. Expected
-  // to be overridden
-  syncedByClient(item) {
-    return true;
-  }
-
-  // Compare the server item and the client item, and return a list of property
-  // names that are different. Can be overridden if needed.
-  getDifferences(client, server) {
-    let differences = [];
-    for (let prop of this.props) {
-      let clientProp = client[prop];
-      let serverProp = server[prop];
-      if ((clientProp || "") !== (serverProp || "")) {
-        differences.push(prop);
-      }
-    }
-    return differences;
-  }
-
-  // Returns an object containing
-  //   problemData: an instance of the class returned by emptyProblemData(),
-  //   clientRecords: Normalized client records
-  //   records: Normalized server records,
-  //   deletedRecords: Array of ids that were marked as deleted by the server.
-  compareClientWithServer(clientItems, serverItems) {
-    clientItems = clientItems.map(item => this.normalizeClientItem(item));
-    serverItems = serverItems.map(item => this.normalizeServerItem(item));
-    let problems = this.emptyProblemData();
-    let seenServer = new Map();
-    let serverDeleted = new Set();
-    let allRecords = new Map();
-
-    for (let record of serverItems) {
-      let id = record[this.idProp];
-      if (!id) {
-        ++problems.missingIDs;
-        continue;
-      }
-      if (record.deleted) {
-        serverDeleted.add(record);
-      } else {
-        let possibleDupe = seenServer.get(id);
-        if (possibleDupe) {
-          problems.duplicates.push(id);
-        } else {
-          seenServer.set(id, record);
-          allRecords.set(id, { server: record, client: null, });
-        }
-        record.understood = this.clientUnderstands(record);
-      }
-    }
-
-    let recordPairs = [];
-    let seenClient = new Map();
-    for (let record of clientItems) {
-      let id = record[this.idProp];
-      record.shouldSync = this.syncedByClient(record);
-      seenClient.set(id, record);
-      let combined = allRecords.get(id);
-      if (combined) {
-        combined.client = record;
-      } else {
-        allRecords.set(id,  { client: record, server: null });
-      }
-    }
-
-    for (let [id, { server, client }] of allRecords) {
-      if (!client && !server) {
-        throw new Error("Impossible: no client or server record for " + id);
-      } else if (server && !client) {
-        if (server.understood) {
-          problems.clientMissing.push(id);
-        }
-      } else if (client && !server) {
-        if (client.shouldSync) {
-          problems.serverMissing.push(id);
-        }
-      } else {
-        if (!client.shouldSync) {
-          if (!problems.serverUnexpected.includes(id)) {
-            problems.serverUnexpected.push(id);
-          }
-          continue;
-        }
-        let differences = this.getDifferences(client, server);
-        if (differences && differences.length) {
-          problems.differences.push({ id, differences });
-        }
-      }
-    }
-    return {
-      problemData: problems,
-      clientRecords: clientItems,
-      records: serverItems,
-      deletedRecords: [...serverDeleted]
-    };
-  }
-}
-
-// Default to 0, some engines may override.
-CollectionValidator.prototype.version = 0;
diff --git a/services/sync/modules/constants.js b/services/sync/modules/constants.js
index f70bbd61c1..88464f023a 100644
--- a/services/sync/modules/constants.js
+++ b/services/sync/modules/constants.js
@@ -45,7 +45,7 @@ MAX_IGNORE_ERROR_COUNT:                5,
 
 // Backoff intervals
 MINIMUM_BACKOFF_INTERVAL:              15 * 60 * 1000,      // 15 minutes
-MAXIMUM_BACKOFF_INTERVAL:              8 * 60 * 60 * 1000,  // 8 hours
+MAXIMUM_BACKOFF_INTERVAL:              8 * 60 * 60 * 1000,  // 8 hours 
 
 // HMAC event handling timeout.
 // 10 minutes: a compromise between the multi-desktop sync interval
@@ -76,10 +76,6 @@ PASSWORDS_STORE_BATCH_SIZE:            50,      // same as MOBILE_BATCH_SIZE
 ADDONS_STORE_BATCH_SIZE:               1000000, // process all addons at once
 APPS_STORE_BATCH_SIZE:                 50,      // same as MOBILE_BATCH_SIZE
 
-// Default batch size for download batching
-// (how many records are fetched at a time from the server when batching is used).
-DEFAULT_DOWNLOAD_BATCH_SIZE:           1000,
-
 // score thresholds for early syncs
 SINGLE_USER_THRESHOLD:                 1000,
 MULTI_DEVICE_THRESHOLD:                300,
@@ -98,16 +94,13 @@ SCORE_UPDATE_DELAY:                    100,
 // observed spurious idle/back events and short enough to pre-empt user activity.
 IDLE_OBSERVER_BACK_DELAY:              100,
 
-// Max number of records or bytes to upload in a single POST - we'll do multiple POSTS if either
-// MAX_UPLOAD_RECORDS or MAX_UPLOAD_BYTES is hit)
+// Number of records to upload in a single POST (multiple POSTS if exceeded)
+// FIXME: Record size limit is 256k (new cluster), so this can be quite large!
+// (Bug 569295)
 MAX_UPLOAD_RECORDS:                    100,
-MAX_UPLOAD_BYTES:                      1024 * 1023, // just under 1MB
 MAX_HISTORY_UPLOAD:                    5000,
 MAX_HISTORY_DOWNLOAD:                  5000,
 
-// TTL of the message sent to another device when sending a tab
-NOTIFY_TAB_SENT_TTL_SECS:              1 * 3600, // 1 hour
-
 // Top-level statuses:
 STATUS_OK:                             "success.status_ok",
 SYNC_FAILED:                           "error.sync.failed",
@@ -130,6 +123,7 @@ LOGIN_FAILED_NETWORK_ERROR:            "error.login.reason.network",
 LOGIN_FAILED_SERVER_ERROR:             "error.login.reason.server",
 LOGIN_FAILED_INVALID_PASSPHRASE:       "error.login.reason.recoverykey",
 LOGIN_FAILED_LOGIN_REJECTED:           "error.login.reason.account",
+LOGIN_FAILED_NOT_READY:                "error.login.reason.initializing",
 
 // sync failure status codes
 METARECORD_DOWNLOAD_FAIL:              "error.sync.reason.metarecord_download_fail",
@@ -152,8 +146,6 @@ ENGINE_UNKNOWN_FAIL:                   "error.engine.reason.unknown_fail",
 ENGINE_APPLY_FAIL:                     "error.engine.reason.apply_fail",
 ENGINE_METARECORD_DOWNLOAD_FAIL:       "error.engine.reason.metarecord_download_fail",
 ENGINE_METARECORD_UPLOAD_FAIL:         "error.engine.reason.metarecord_upload_fail",
-// an upload failure where the batch was interrupted with a 412
-ENGINE_BATCH_INTERRUPTED:              "error.engine.reason.batch_interrupted",
 
 JPAKE_ERROR_CHANNEL:                   "jpake.error.channel",
 JPAKE_ERROR_NETWORK:                   "jpake.error.network",
@@ -182,6 +174,7 @@ kFirstSyncChoiceNotMade:               "User has not selected an action for firs
 
 // Application IDs
 FIREFOX_ID:                            "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}",
+PALEMOON_ID:                           "{8de7fcbb-c55c-4fbe-bfc5-fc555c87dbc4}",
 FENNEC_ID:                             "{a23983c0-fd0e-11dc-95ff-0800200c9a66}",
 SEAMONKEY_ID:                          "{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}",
 TEST_HARNESS_ID:                       "xuth@mozilla.org",
@@ -192,6 +185,8 @@ MIN_PASS_LENGTH:                       8,
 DEVICE_TYPE_DESKTOP:                   "desktop",
 DEVICE_TYPE_MOBILE:                    "mobile",
 
+LOG_DATE_FORMAT:                       "%Y-%m-%d %H:%M:%S",
+
 })) {
   this[key] = val;
   this.EXPORTED_SYMBOLS.push(key);
diff --git a/services/sync/modules/engines.js b/services/sync/modules/engines.js
index 1eaa1863a8..4767a11035 100644
--- a/services/sync/modules/engines.js
+++ b/services/sync/modules/engines.js
@@ -7,8 +7,7 @@ this.EXPORTED_SYMBOLS = [
   "Engine",
   "SyncEngine",
   "Tracker",
-  "Store",
-  "Changeset"
+  "Store"
 ];
 
 var {classes: Cc, interfaces: Ci, results: Cr, utils: Cu} = Components;
@@ -16,15 +15,13 @@ var {classes: Cc, interfaces: Ci, results: Cr, utils: Cu} = Components;
 Cu.import("resource://services-common/async.js");
 Cu.import("resource://gre/modules/Log.jsm");
 Cu.import("resource://services-common/observers.js");
+Cu.import("resource://services-common/utils.js");
 Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/identity.js");
 Cu.import("resource://services-sync/record.js");
 Cu.import("resource://services-sync/resource.js");
 Cu.import("resource://services-sync/util.js");
 
-XPCOMUtils.defineLazyModuleGetter(this, "fxAccounts",
-  "resource://gre/modules/FxAccounts.jsm");
-
 /*
  * Trackers are associated with a single engine and deal with
  * listening for changes to their particular data type.
@@ -132,12 +129,6 @@ Tracker.prototype = {
       this._ignored.splice(index, 1);
   },
 
-  _saveChangedID(id, when) {
-    this._log.trace(`Adding changed ID: ${id}, ${JSON.stringify(when)}`);
-    this.changedIDs[id] = when;
-    this.saveChangedIDs(this.onSavedChangedIDs);
-  },
-
   addChangedID: function (id, when) {
     if (!id) {
       this._log.warn("Attempted to add undefined ID to tracker");
@@ -150,12 +141,14 @@ Tracker.prototype = {
 
     // Default to the current time in seconds if no time is provided.
     if (when == null) {
-      when = this._now();
+      when = Math.floor(Date.now() / 1000);
     }
 
     // Add/update the entry if we have a newer time.
     if ((this.changedIDs[id] || -Infinity) < when) {
-      this._saveChangedID(id, when);
+      this._log.trace("Adding changed ID: " + id + ", " + when);
+      this.changedIDs[id] = when;
+      this.saveChangedIDs(this.onSavedChangedIDs);
     }
 
     return true;
@@ -183,10 +176,6 @@ Tracker.prototype = {
     this.saveChangedIDs();
   },
 
-  _now() {
-    return Date.now() / 1000;
-  },
-
   _isTracking: false,
 
   // Override these in your subclasses.
@@ -314,18 +303,14 @@ Store.prototype = {
     for (let record of records) {
       try {
         this.applyIncoming(record);
+      } catch (ex if (ex.code == Engine.prototype.eEngineAbortApplyIncoming)) {
+        // This kind of exception should have a 'cause' attribute, which is an
+        // originating exception.
+        // ex.cause will carry its stack with it when rethrown.
+        throw ex.cause;
       } catch (ex) {
-        if (ex.code == Engine.prototype.eEngineAbortApplyIncoming) {
-          // This kind of exception should have a 'cause' attribute, which is an
-          // originating exception.
-          // ex.cause will carry its stack with it when rethrown.
-          throw ex.cause;
-        }
-        if (Async.isShutdownException(ex)) {
-          throw ex;
-        }
-        this._log.warn("Failed to apply incoming record " + record.id, ex);
-        this.engine._noteApplyFailure();
+        this._log.warn("Failed to apply incoming record " + record.id);
+        this._log.warn("Encountered exception: ", ex);
         failed.push(record.id);
       }
     };
@@ -593,11 +578,16 @@ EngineManager.prototype = {
         this._engines[name] = engine;
       }
     } catch (ex) {
+      this._log.error("Engine init error: ", ex);
+
+      let mesg = ex.message ? ex.message : ex;
       let name = engineObject || "";
       name = name.prototype || "";
       name = name.name || "";
 
-      this._log.error(`Could not initialize engine ${name}`, ex);
+      let out = "Could not initialize engine '" + name + "': " + mesg;
+      this._log.error(out);
+
       return engineObject;
     }
   },
@@ -643,17 +633,16 @@ Engine.prototype = {
   // Signal to the engine that processing further records is pointless.
   eEngineAbortApplyIncoming: "error.engine.abort.applyincoming",
 
-  // Should we keep syncing if we find a record that cannot be uploaded (ever)?
-  // If this is false, we'll throw, otherwise, we'll ignore the record and
-  // continue. This currently can only happen due to the record being larger
-  // than the record upload limit.
-  allowSkippedRecord: true,
-
   get prefName() {
     return this.name;
   },
 
   get enabled() {
+    // XXX: Disable non-functional add-ons syncing for the time being
+    // This check can go away when add-on syncing is addressed
+    if (this.prefName == "addons")
+      return false;
+
     return Svc.Prefs.get("engine." + this.prefName, false);
   },
 
@@ -711,15 +700,6 @@ Engine.prototype = {
 
   wipeClient: function () {
     this._notify("wipe-client", this.name, this._wipeClient)();
-  },
-
-  /**
-   * If one exists, initialize and return a validator for this engine (which
-   * must have a `validate(engine)` method that returns a promise to an object
-   * with a getSummary method). Otherwise return null.
-   */
-  getValidator: function () {
-    return null;
   }
 };
 
@@ -813,11 +793,7 @@ SyncEngine.prototype = {
     return this._toFetch;
   },
   set toFetch(val) {
-    let cb = (error) => {
-      if (error) {
-        this._log.error("Failed to read JSON records to fetch", error);
-      }
-    }
+    let cb = (error) => this._log.error("Failed to read JSON records to fetch: ", error);
     // Coerce the array to a string for more efficient comparison.
     if (val + "" == this._toFetch) {
       return;
@@ -881,8 +857,9 @@ SyncEngine.prototype = {
   },
 
   /*
-   * Returns a changeset for this sync. Engine implementations can override this
-   * method to bypass the tracker for certain or all changed items.
+   * Returns a mapping of IDs -> changed timestamp. Engine implementations
+   * can override this method to bypass the tracker for certain or all
+   * changed items.
    */
   getChangedIDs: function () {
     return this._tracker.changedIDs;
@@ -950,16 +927,20 @@ SyncEngine.prototype = {
     // this._modified to the tracker.
     this.lastSyncLocal = Date.now();
     if (this.lastSync) {
-      this._modified = this.pullNewChanges();
+      this._modified = this.getChangedIDs();
     } else {
+      // Mark all items to be uploaded, but treat them as changed from long ago
       this._log.debug("First sync, uploading all items");
-      this._modified = this.pullAllChanges();
+      this._modified = {};
+      for (let id in this._store.getAllIDs()) {
+        this._modified[id] = 0;
+      }
     }
     // Clear the tracker now. If the sync fails we'll add the ones we failed
     // to upload back.
     this._tracker.clearChangedIDs();
 
-    this._log.info(this._modified.count() +
+    this._log.info(Object.keys(this._modified).length +
                    " outgoing items pre-reconciliation");
 
     // Keep track of what to delete at the end of sync
@@ -970,7 +951,7 @@ SyncEngine.prototype = {
    * A tiny abstraction to make it easier to test incoming record
    * application.
    */
-  itemSource: function () {
+  _itemSource: function () {
     return new Collection(this.engineURL, this._recordObj, this.service);
   },
 
@@ -987,7 +968,7 @@ SyncEngine.prototype = {
     let isMobile = (Svc.Prefs.get("client.type") == "mobile");
 
     if (!newitems) {
-      newitems = this.itemSource();
+      newitems = this._itemSource();
     }
 
     if (this._defaultSort) {
@@ -1024,12 +1005,9 @@ SyncEngine.prototype = {
       try {
         failed = failed.concat(this._store.applyIncomingBatch(applyBatch));
       } catch (ex) {
-        if (Async.isShutdownException(ex)) {
-          throw ex;
-        }
         // Catch any error that escapes from applyIncomingBatch. At present
         // those will all be abort events.
-        this._log.warn("Got exception, aborting processIncoming", ex);
+        this._log.warn("Got exception, aborting processIncoming. ", ex);
         aborting = ex;
       }
       this._tracker.ignoreAll = false;
@@ -1074,10 +1052,7 @@ SyncEngine.prototype = {
       try {
         try {
           item.decrypt(key);
-        } catch (ex) {
-          if (!Utils.isHMACMismatch(ex)) {
-            throw ex;
-          }
+        } catch (ex if Utils.isHMACMismatch(ex)) {
           let strategy = self.handleHMACMismatch(item, true);
           if (strategy == SyncEngine.kRecoveryStrategy.retry) {
             // You only get one retry.
@@ -1087,10 +1062,7 @@ SyncEngine.prototype = {
               key = self.service.collectionKeys.keyForCollection(self.name);
               item.decrypt(key);
               strategy = null;
-            } catch (ex) {
-              if (!Utils.isHMACMismatch(ex)) {
-                throw ex;
-              }
+            } catch (ex if Utils.isHMACMismatch(ex)) {
               strategy = self.handleHMACMismatch(item, false);
             }
           }
@@ -1103,8 +1075,7 @@ SyncEngine.prototype = {
               self._log.debug("Ignoring second retry suggestion.");
               // Fall through to error case.
             case SyncEngine.kRecoveryStrategy.error:
-              self._log.warn("Error decrypting record", ex);
-              self._noteApplyFailure();
+              self._log.warn("Error decrypting record: ", ex);
               failed.push(item.id);
               return;
             case SyncEngine.kRecoveryStrategy.ignore:
@@ -1114,11 +1085,7 @@ SyncEngine.prototype = {
           }
         }
       } catch (ex) {
-        if (Async.isShutdownException(ex)) {
-          throw ex;
-        }
-        self._log.warn("Error decrypting record", ex);
-        self._noteApplyFailure();
+        self._log.warn("Error decrypting record: ", ex);
         failed.push(item.id);
         return;
       }
@@ -1126,20 +1093,15 @@ SyncEngine.prototype = {
       let shouldApply;
       try {
         shouldApply = self._reconcile(item);
+      } catch (ex if (ex.code == Engine.prototype.eEngineAbortApplyIncoming)) {
+        self._log.warn("Reconciliation failed: aborting incoming processing.");
+        failed.push(item.id);
+        aborting = ex.cause;
       } catch (ex) {
-        if (ex.code == Engine.prototype.eEngineAbortApplyIncoming) {
-          self._log.warn("Reconciliation failed: aborting incoming processing.");
-          self._noteApplyFailure();
-          failed.push(item.id);
-          aborting = ex.cause;
-        } else if (!Async.isShutdownException(ex)) {
-          self._log.warn("Failed to reconcile incoming record " + item.id, ex);
-          self._noteApplyFailure();
-          failed.push(item.id);
-          return;
-        } else {
-          throw ex;
-        }
+        self._log.warn("Failed to reconcile incoming record " + item.id);
+        self._log.warn("Encountered exception: ", ex);
+        failed.push(item.id);
+        return;
       }
 
       if (shouldApply) {
@@ -1158,7 +1120,7 @@ SyncEngine.prototype = {
 
     // Only bother getting data from the server if there's new things
     if (this.lastModified == null || this.lastModified > this.lastSync) {
-      let resp = newitems.getBatched();
+      let resp = newitems.get();
       doApplyBatchAndPersistFailed.call(this);
       if (!resp.success) {
         resp.failureCode = ENGINE_DOWNLOAD_FAIL;
@@ -1243,13 +1205,7 @@ SyncEngine.prototype = {
     // Apply remaining items.
     doApplyBatchAndPersistFailed.call(this);
 
-    count.newFailed = this.previousFailed.reduce((count, engine) => {
-      if (failedInPreviousSync.indexOf(engine) == -1) {
-        count++;
-        this._noteApplyNewFailure();
-      }
-      return count;
-    }, 0);
+    count.newFailed = Utils.arraySub(this.previousFailed, failedInPreviousSync).length;
     count.succeeded = Math.max(0, count.applied - count.failed);
     this._log.info(["Records:",
                     count.applied, "applied,",
@@ -1260,14 +1216,6 @@ SyncEngine.prototype = {
     Observers.notify("weave:engine:sync:applied", count, this.name);
   },
 
-  _noteApplyFailure: function () {
-    // here would be a good place to record telemetry...
-  },
-
-  _noteApplyNewFailure: function () {
-    // here would be a good place to record telemetry...
-  },
-
   /**
    * Find a GUID of an item that is a duplicate of the incoming item but happens
    * to have a different GUID
@@ -1278,16 +1226,6 @@ SyncEngine.prototype = {
     // By default, assume there's no dupe items for the engine
   },
 
-  // Called when the server has a record marked as deleted, but locally we've
-  // changed it more recently than the deletion. If we return false, the
-  // record will be deleted locally. If we return true, we'll reupload the
-  // record to the server -- any extra work that's needed as part of this
-  // process should be done at this point (such as mark the record's parent
-  // for reuploading in the case of bookmarks).
-  _shouldReviveRemotelyDeletedRecord(remoteItem) {
-    return true;
-  },
-
   _deleteId: function (id) {
     this._tracker.removeChangedID(id);
 
@@ -1298,18 +1236,6 @@ SyncEngine.prototype = {
       this._delete.ids.push(id);
   },
 
-  _switchItemToDupe(localDupeGUID, incomingItem) {
-    // The local, duplicate ID is always deleted on the server.
-    this._deleteId(localDupeGUID);
-
-    // We unconditionally change the item's ID in case the engine knows of
-    // an item but doesn't expose it through itemExists. If the API
-    // contract were stronger, this could be changed.
-    this._log.debug("Switching local ID to incoming: " + localDupeGUID + " -> " +
-                    incomingItem.id);
-    this._store.changeItemID(localDupeGUID, incomingItem.id);
-  },
-
   /**
    * Reconcile incoming record with local state.
    *
@@ -1329,12 +1255,12 @@ SyncEngine.prototype = {
     // because some state may change during the course of this function and we
     // need to operate on the original values.
     let existsLocally   = this._store.itemExists(item.id);
-    let locallyModified = this._modified.has(item.id);
+    let locallyModified = item.id in this._modified;
 
     // TODO Handle clock drift better. Tracked in bug 721181.
     let remoteAge = AsyncResource.serverTime - item.modified;
     let localAge  = locallyModified ?
-      (Date.now() / 1000 - this._modified.getModifiedTimestamp(item.id)) : null;
+      (Date.now() / 1000 - this._modified[item.id]) : null;
     let remoteIsNewer = remoteAge < localAge;
 
     this._log.trace("Reconciling " + item.id + ". exists=" +
@@ -1363,18 +1289,15 @@ SyncEngine.prototype = {
                         "exists and isn't modified.");
         return true;
       }
-      this._log.trace("Incoming record is deleted but we had local changes.");
-
-      if (remoteIsNewer) {
-        this._log.trace("Remote record is newer -- deleting local record.");
-        return true;
-      }
-      // If the local record is newer, we defer to individual engines for
-      // how to handle this. By default, we revive the record.
-      let willRevive = this._shouldReviveRemotelyDeletedRecord(item);
-      this._log.trace("Local record is newer -- reviving? " + willRevive);
 
-      return !willRevive;
+      // TODO As part of bug 720592, determine whether we should do more here.
+      // In the case where the local changes are newer, it is quite possible
+      // that the local client will restore data a remote client had tried to
+      // delete. There might be a good reason for that delete and it might be
+      // enexpected for this client to restore that data.
+      this._log.trace("Incoming record is deleted but we had local changes. " +
+                      "Applying the youngest record.");
+      return remoteIsNewer;
     }
 
     // At this point the incoming record is not for a deletion and must have
@@ -1386,32 +1309,40 @@ SyncEngine.prototype = {
     // refresh the metadata collected above. See bug 710448 for the history
     // of this logic.
     if (!existsLocally) {
-      let localDupeGUID = this._findDupe(item);
-      if (localDupeGUID) {
-        this._log.trace("Local item " + localDupeGUID + " is a duplicate for " +
+      let dupeID = this._findDupe(item);
+      if (dupeID) {
+        this._log.trace("Local item " + dupeID + " is a duplicate for " +
                         "incoming item " + item.id);
 
+        // The local, duplicate ID is always deleted on the server.
+        this._deleteId(dupeID);
+
         // The current API contract does not mandate that the ID returned by
         // _findDupe() actually exists. Therefore, we have to perform this
         // check.
-        existsLocally = this._store.itemExists(localDupeGUID);
+        existsLocally = this._store.itemExists(dupeID);
+
+        // We unconditionally change the item's ID in case the engine knows of
+        // an item but doesn't expose it through itemExists. If the API
+        // contract were stronger, this could be changed.
+        this._log.debug("Switching local ID to incoming: " + dupeID + " -> " +
+                        item.id);
+        this._store.changeItemID(dupeID, item.id);
 
         // If the local item was modified, we carry its metadata forward so
         // appropriate reconciling can be performed.
-        if (this._modified.has(localDupeGUID)) {
+        if (dupeID in this._modified) {
           locallyModified = true;
-          localAge = this._tracker._now() - this._modified.getModifiedTimestamp(localDupeGUID);
+          localAge = Date.now() / 1000 - this._modified[dupeID];
           remoteIsNewer = remoteAge < localAge;
 
-          this._modified.swap(localDupeGUID, item.id);
+          this._modified[item.id] = this._modified[dupeID];
+          delete this._modified[dupeID];
         } else {
           locallyModified = false;
           localAge = null;
         }
 
-        // Tell the engine to do whatever it needs to switch the items.
-        this._switchItemToDupe(localDupeGUID, item);
-
         this._log.debug("Local item after duplication: age=" + localAge +
                         "; modified=" + locallyModified + "; exists=" +
                         existsLocally);
@@ -1440,7 +1371,7 @@ SyncEngine.prototype = {
       if (remoteIsNewer) {
         this._log.trace("Applying incoming because local item was deleted " +
                         "before the incoming item was changed.");
-        this._modified.delete(item.id);
+        delete this._modified[item.id];
         return true;
       }
 
@@ -1466,7 +1397,7 @@ SyncEngine.prototype = {
       this._log.trace("Ignoring incoming item because the local item is " +
                       "identical.");
 
-      this._modified.delete(item.id);
+      delete this._modified[item.id];
       return false;
     }
 
@@ -1491,97 +1422,69 @@ SyncEngine.prototype = {
   _uploadOutgoing: function () {
     this._log.trace("Uploading local changes to server.");
 
-    let modifiedIDs = this._modified.ids();
+    let modifiedIDs = Object.keys(this._modified);
     if (modifiedIDs.length) {
       this._log.trace("Preparing " + modifiedIDs.length +
                       " outgoing records");
 
-      let counts = { sent: modifiedIDs.length, failed: 0 };
-
       // collection we'll upload
       let up = new Collection(this.engineURL, null, this.service);
+      let count = 0;
 
-      let failed = [];
-      let successful = [];
-      let handleResponse = (resp, batchOngoing = false) => {
-        // Note: We don't want to update this.lastSync, or this._modified until
-        // the batch is complete, however we want to remember success/failure
-        // indicators for when that happens.
+      // Upload what we've got so far in the collection
+      let doUpload = Utils.bind2(this, function(desc) {
+        this._log.info("Uploading " + desc + " of " + modifiedIDs.length +
+                       " records");
+        let resp = up.post();
         if (!resp.success) {
           this._log.debug("Uploading records failed: " + resp);
-          resp.failureCode = resp.status == 412 ? ENGINE_BATCH_INTERRUPTED : ENGINE_UPLOAD_FAIL;
+          resp.failureCode = ENGINE_UPLOAD_FAIL;
           throw resp;
         }
 
         // Update server timestamp from the upload.
-        failed = failed.concat(Object.keys(resp.obj.failed));
-        successful = successful.concat(resp.obj.success);
-
-        if (batchOngoing) {
-          // Nothing to do yet
-          return;
-        }
-        // Advance lastSync since we've finished the batch.
         let modified = resp.headers["x-weave-timestamp"];
-        if (modified > this.lastSync) {
+        if (modified > this.lastSync)
           this.lastSync = modified;
-        }
-        if (failed.length && this._log.level <= Log.Level.Debug) {
+
+        let failed_ids = Object.keys(resp.obj.failed);
+        if (failed_ids.length)
           this._log.debug("Records that will be uploaded again because "
                           + "the server couldn't store them: "
-                          + failed.join(", "));
-        }
-
-        counts.failed += failed.length;
+                          + failed_ids.join(", "));
 
-        for (let id of successful) {
-          this._modified.delete(id);
+        // Clear successfully uploaded objects.
+        for (let id of resp.obj.success) {
+          delete this._modified[id];
         }
 
-        this._onRecordsWritten(successful, failed);
-
-        // clear for next batch
-        failed.length = 0;
-        successful.length = 0;
-      };
-
-      let postQueue = up.newPostQueue(this._log, this.lastSync, handleResponse);
+        up.clearRecords();
+      });
 
       for (let id of modifiedIDs) {
-        let out;
-        let ok = false;
         try {
-          out = this._createRecord(id);
+          let out = this._createRecord(id);
           if (this._log.level <= Log.Level.Trace)
             this._log.trace("Outgoing: " + out);
 
           out.encrypt(this.service.collectionKeys.keyForCollection(this.name));
-          ok = true;
-        } catch (ex) {
-          if (Async.isShutdownException(ex)) {
-            throw ex;
-          }
-          this._log.warn("Error creating record", ex);
+          up.pushData(out);
         }
-        if (ok) {
-          let { enqueued, error } = postQueue.enqueue(out);
-          if (!enqueued) {
-            ++counts.failed;
-            if (!this.allowSkippedRecord) {
-              throw error;
-            }
-          }
+        catch(ex) {
+          this._log.warn("Error creating record: ", ex);
         }
+
+        // Partial upload
+        if ((++count % MAX_UPLOAD_RECORDS) == 0)
+          doUpload((count - MAX_UPLOAD_RECORDS) + " - " + count + " out");
+
         this._store._sleep(0);
       }
-      postQueue.flush(true);
-      Observers.notify("weave:engine:sync:uploaded", counts, this.name);
-    }
-  },
 
-  _onRecordsWritten(succeeded, failed) {
-    // Implement this method to take specific actions against successfully
-    // uploaded records and failed records.
+      // Final upload
+      if (count % MAX_UPLOAD_RECORDS > 0)
+        doUpload(count >= MAX_UPLOAD_RECORDS ? "last batch" : "all");
+    }
   },
 
   // Any cleanup necessary.
@@ -1619,8 +1522,10 @@ SyncEngine.prototype = {
     }
 
     // Mark failed WBOs as changed again so they are reuploaded next time.
-    this.trackRemainingChanges();
-    this._modified.clear();
+    for (let [id, when] in Iterator(this._modified)) {
+      this._tracker.addChangedID(id, when);
+    }
+    this._modified = {};
   },
 
   _sync: function () {
@@ -1656,11 +1561,9 @@ SyncEngine.prototype = {
     try {
       this._log.trace("Trying to decrypt a record from the server..");
       test.get();
-    } catch (ex) {
-      if (Async.isShutdownException(ex)) {
-        throw ex;
-      }
-      this._log.debug("Failed test decrypt", ex);
+    }
+    catch(ex) {
+      this._log.debug("Failed test decrypt: ", ex);
     }
 
     return canDecrypt;
@@ -1706,108 +1609,5 @@ SyncEngine.prototype = {
     return (this.service.handleHMACEvent() && mayRetry) ?
            SyncEngine.kRecoveryStrategy.retry :
            SyncEngine.kRecoveryStrategy.error;
-  },
-
-  /**
-   * Returns a changeset containing all items in the store. The default
-   * implementation returns a changeset with timestamps from long ago, to
-   * ensure we always use the remote version if one exists.
-   *
-   * This function is only called for the first sync. Subsequent syncs call
-   * `pullNewChanges`.
-   *
-   * @return A `Changeset` object.
-   */
-  pullAllChanges() {
-    let changeset = new Changeset();
-    for (let id in this._store.getAllIDs()) {
-      changeset.set(id, 0);
-    }
-    return changeset;
-  },
-
-  /*
-   * Returns a changeset containing entries for all currently tracked items.
-   * The default implementation returns a changeset with timestamps indicating
-   * when the item was added to the tracker.
-   *
-   * @return A `Changeset` object.
-   */
-  pullNewChanges() {
-    return new Changeset(this.getChangedIDs());
-  },
-
-  /**
-   * Adds all remaining changeset entries back to the tracker, typically for
-   * items that failed to upload. This method is called at the end of each sync.
-   *
-   */
-  trackRemainingChanges() {
-    for (let [id, change] of this._modified.entries()) {
-      this._tracker.addChangedID(id, change);
-    }
-  },
-};
-
-/**
- * A changeset is created for each sync in `Engine::get{Changed, All}IDs`,
- * and stores opaque change data for tracked IDs. The default implementation
- * only records timestamps, though engines can extend this to store additional
- * data for each entry.
- */
-class Changeset {
-  // Creates a changeset with an initial set of tracked entries.
-  constructor(changes = {}) {
-    this.changes = changes;
-  }
-
-  // Returns the last modified time, in seconds, for an entry in the changeset.
-  // `id` is guaranteed to be in the set.
-  getModifiedTimestamp(id) {
-    return this.changes[id];
-  }
-
-  // Adds a change for a tracked ID to the changeset.
-  set(id, change) {
-    this.changes[id] = change;
-  }
-
-  // Indicates whether an entry is in the changeset.
-  has(id) {
-    return id in this.changes;
   }
-
-  // Deletes an entry from the changeset. Used to clean up entries for
-  // reconciled and successfully uploaded records.
-  delete(id) {
-    delete this.changes[id];
-  }
-
-  // Swaps two entries in the changeset. Used when reconciling duplicates that
-  // have local changes.
-  swap(oldID, newID) {
-    this.changes[newID] = this.changes[oldID];
-    delete this.changes[oldID];
-  }
-
-  // Returns an array of all tracked IDs in this changeset.
-  ids() {
-    return Object.keys(this.changes);
-  }
-
-  // Returns an array of `[id, change]` tuples. Used to repopulate the tracker
-  // with entries for failed uploads at the end of a sync.
-  entries() {
-    return Object.entries(this.changes);
-  }
-
-  // Returns the number of entries in this changeset.
-  count() {
-    return this.ids().length;
-  }
-
-  // Clears the changeset.
-  clear() {
-    this.changes = {};
-  }
-}
+};
diff --git a/services/sync/modules/engines/addons.js b/services/sync/modules/engines/addons.js
index 01dab58d1c..3081e3e871 100644
--- a/services/sync/modules/engines/addons.js
+++ b/services/sync/modules/engines/addons.js
@@ -25,13 +25,10 @@
  *
  * Synchronization is influenced by the following preferences:
  *
+ *  - services.sync.addons.ignoreRepositoryChecking
  *  - services.sync.addons.ignoreUserEnabledChanges
  *  - services.sync.addons.trustedSourceHostnames
  *
- *  and also influenced by whether addons have repository caching enabled and
- *  whether they allow installation of addons from insecure options (both of
- *  which are themselves influenced by the "extensions." pref branch)
- *
  * See the documentation in services-sync.js for the behavior of these prefs.
  */
 "use strict";
@@ -44,7 +41,6 @@ Cu.import("resource://services-sync/engines.js");
 Cu.import("resource://services-sync/record.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-sync/collection_validator.js");
 Cu.import("resource://services-common/async.js");
 
 Cu.import("resource://gre/modules/Preferences.jsm");
@@ -54,7 +50,7 @@ XPCOMUtils.defineLazyModuleGetter(this, "AddonManager",
 XPCOMUtils.defineLazyModuleGetter(this, "AddonRepository",
                                   "resource://gre/modules/addons/AddonRepository.jsm");
 
-this.EXPORTED_SYMBOLS = ["AddonsEngine", "AddonValidator"];
+this.EXPORTED_SYMBOLS = ["AddonsEngine"];
 
 // 7 days in milliseconds.
 const PRUNE_ADDON_CHANGES_THRESHOLD = 60 * 60 * 24 * 7 * 1000;
@@ -177,7 +173,7 @@ AddonsEngine.prototype = {
           continue;
       }
 
-      if (!this.isAddonSyncable(addons[id])) {
+      if (!this._store.isAddonSyncable(addons[id])) {
         continue;
       }
 
@@ -235,10 +231,6 @@ AddonsEngine.prototype = {
     let cb = Async.makeSpinningCallback();
     this._reconciler.refreshGlobalState(cb);
     cb.wait();
-  },
-
-  isAddonSyncable(addon, ignoreRepoCheck) {
-    return this._store.isAddonSyncable(addon, ignoreRepoCheck);
   }
 };
 
@@ -286,14 +278,6 @@ AddonsStore.prototype = {
       }
     }
 
-    // Ignore incoming records for which an existing non-syncable addon
-    // exists.
-    let existingMeta = this.reconciler.addons[record.addonID];
-    if (existingMeta && !this.isAddonSyncable(existingMeta)) {
-      this._log.info("Ignoring incoming record for an existing but non-syncable addon", record.addonID);
-      return;
-    }
-
     Store.prototype.applyIncoming.call(this, record);
   },
 
@@ -314,14 +298,6 @@ AddonsStore.prototype = {
     // engine and the record will try to be applied later.
     let results = cb.wait();
 
-    if (results.skipped.includes(record.addonID)) {
-      this._log.info("Add-on skipped: " + record.addonID);
-      // Just early-return for skipped addons - we don't want to arrange to
-      // try again next time because the condition that caused up to skip
-      // will remain true for this addon forever.
-      return;
-    }
-
     let addon;
     for (let a of results.addons) {
       if (a.id == record.addonID) {
@@ -499,7 +475,7 @@ AddonsStore.prototype = {
       }
 
       this._log.info("Uninstalling add-on as part of wipe: " + addon.id);
-      Utils.catch.call(this, () => addon.uninstall())();
+      Utils.catch(addon.uninstall)();
     }
   },
 
@@ -538,22 +514,16 @@ AddonsStore.prototype = {
    *
    * @param  addon
    *         Addon instance
-   * @param ignoreRepoCheck
-   *         Should we skip checking the Addons repository (primarially useful
-   *         for testing and validation).
    * @return Boolean indicating whether it is appropriate for Sync
    */
-  isAddonSyncable: function isAddonSyncable(addon, ignoreRepoCheck = false) {
+  isAddonSyncable: function isAddonSyncable(addon) {
     // Currently, we limit syncable add-ons to those that are:
     //   1) In a well-defined set of types
     //   2) Installed in the current profile
     //   3) Not installed by a foreign entity (i.e. installed by the app)
     //      since they act like global extensions.
     //   4) Is not a hotfix.
-    //   5) The addons XPIProvider doesn't veto it (i.e not being installed in
-    //      the profile directory, or any other reasons it says the addon can't
-    //      be synced)
-    //   6) Are installed from AMO
+    //   5) Are installed from AMO
 
     // We could represent the test as a complex boolean expression. We go the
     // verbose route so the failure reason is logged.
@@ -573,12 +543,6 @@ AddonsStore.prototype = {
       return false;
     }
 
-    // If the addon manager says it's not syncable, we skip it.
-    if (!addon.isSyncable) {
-      this._log.debug(addon.id + " not syncable: vetoed by the addon manager.");
-      return false;
-    }
-
     // This may be too aggressive. If an add-on is downloaded from AMO and
     // manually placed in the profile directory, foreignInstall will be set.
     // Arguably, that add-on should be syncable.
@@ -589,20 +553,15 @@ AddonsStore.prototype = {
     }
 
     // Ignore hotfix extensions (bug 741670). The pref may not be defined.
-    // XXX - note that addon.isSyncable will be false for hotfix addons, so
-    // this check isn't strictly necessary - except for Sync tests which aren't
-    // setup to create a "real" hotfix addon. This can be removed once those
-    // tests are fixed (but keeping it doesn't hurt either)
     if (this._extensionsPrefs.get("hotfix.id", null) == addon.id) {
       this._log.debug(addon.id + " not syncable: is a hotfix.");
       return false;
     }
 
-    // If the AddonRepository's cache isn't enabled (which it typically isn't
-    // in tests), getCachedAddonByID always returns null - so skip the check
-    // in that case. We also provide a way to specifically opt-out of the check
-    // even if the cache is enabled, which is used by the validators.
-    if (ignoreRepoCheck || !AddonRepository.cacheEnabled) {
+    // We provide a back door to skip the repository checking of an add-on.
+    // This is utilized by the tests to make testing easier. Users could enable
+    // this, but it would sacrifice security.
+    if (Svc.Prefs.get("addons.ignoreRepositoryChecking", false)) {
       return true;
     }
 
@@ -745,69 +704,3 @@ AddonsTracker.prototype = {
     this.reconciler.stopListening();
   },
 };
-
-class AddonValidator extends CollectionValidator {
-  constructor(engine = null) {
-    super("addons", "id", [
-      "addonID",
-      "enabled",
-      "applicationID",
-      "source"
-    ]);
-    this.engine = engine;
-  }
-
-  getClientItems() {
-    return Promise.all([
-      new Promise(resolve =>
-        AddonManager.getAllAddons(resolve)),
-      new Promise(resolve =>
-        AddonManager.getAddonsWithOperationsByTypes(["extension", "theme"], resolve)),
-    ]).then(([installed, addonsWithPendingOperation]) => {
-      // Addons pending install won't be in the first list, but addons pending
-      // uninstall/enable/disable will be in both lists.
-      let all = new Map(installed.map(addon => [addon.id, addon]));
-      for (let addon of addonsWithPendingOperation) {
-        all.set(addon.id, addon);
-      }
-      // Convert to an array since Map.prototype.values returns an iterable
-      return [...all.values()];
-    });
-  }
-
-  normalizeClientItem(item) {
-    let enabled = !item.userDisabled;
-    if (item.pendingOperations & AddonManager.PENDING_ENABLE) {
-      enabled = true;
-    } else if (item.pendingOperations & AddonManager.PENDING_DISABLE) {
-      enabled = false;
-    }
-    return {
-      enabled,
-      id: item.syncGUID,
-      addonID: item.id,
-      applicationID: Services.appinfo.ID,
-      source: "amo", // check item.foreignInstall?
-      original: item
-    };
-  }
-
-  normalizeServerItem(item) {
-    let guid = this.engine._findDupe(item);
-    if (guid) {
-      item.id = guid;
-    }
-    return item;
-  }
-
-  clientUnderstands(item) {
-    return item.applicationID === Services.appinfo.ID;
-  }
-
-  syncedByClient(item) {
-    return !item.original.hidden &&
-           !item.original.isSystem &&
-           !(item.original.pendingOperations & AddonManager.PENDING_UNINSTALL) &&
-           this.engine.isAddonSyncable(item.original, true);
-  }
-}
diff --git a/services/sync/modules/engines/bookmarks.js b/services/sync/modules/engines/bookmarks.js
index 76a198a8bd..41283c06d7 100644
--- a/services/sync/modules/engines/bookmarks.js
+++ b/services/sync/modules/engines/bookmarks.js
@@ -11,7 +11,6 @@ var Ci = Components.interfaces;
 var Cu = Components.utils;
 
 Cu.import("resource://gre/modules/PlacesUtils.jsm");
-Cu.import("resource://gre/modules/PlacesSyncUtils.jsm");
 Cu.import("resource://gre/modules/XPCOMUtils.jsm");
 Cu.import("resource://services-common/async.js");
 Cu.import("resource://services-sync/constants.js");
@@ -20,57 +19,21 @@ Cu.import("resource://services-sync/record.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://gre/modules/Task.jsm");
 Cu.import("resource://gre/modules/PlacesBackups.jsm");
-XPCOMUtils.defineLazyModuleGetter(this, "BookmarkValidator",
-                                  "resource://services-sync/bookmark_validator.js");
-XPCOMUtils.defineLazyGetter(this, "PlacesBundle", () => {
-  let bundleService = Cc["@mozilla.org/intl/stringbundle;1"]
-                        .getService(Ci.nsIStringBundleService);
-  return bundleService.createBundle("chrome://places/locale/places.properties");
-});
-
-const ANNOS_TO_TRACK = [PlacesSyncUtils.bookmarks.DESCRIPTION_ANNO,
-                        PlacesSyncUtils.bookmarks.SIDEBAR_ANNO,
+
+const ALLBOOKMARKS_ANNO    = "AllBookmarks";
+const DESCRIPTION_ANNO     = "bookmarkProperties/description";
+const SIDEBAR_ANNO         = "bookmarkProperties/loadInSidebar";
+const MOBILEROOT_ANNO      = "mobile/bookmarksRoot";
+const MOBILE_ANNO          = "MobileBookmarks";
+const EXCLUDEBACKUP_ANNO   = "places/excludeFromBackup";
+const SMART_BOOKMARKS_ANNO = "Places/SmartBookmark";
+const PARENT_ANNO          = "sync/parent";
+const ORGANIZERQUERY_ANNO  = "PlacesOrganizer/OrganizerQuery";
+const ANNOS_TO_TRACK = [DESCRIPTION_ANNO, SIDEBAR_ANNO,
                         PlacesUtils.LMANNO_FEEDURI, PlacesUtils.LMANNO_SITEURI];
 
 const SERVICE_NOT_SUPPORTED = "Service not supported on this platform";
 const FOLDER_SORTINDEX = 1000000;
-const {
-  SOURCE_SYNC,
-  SOURCE_IMPORT,
-  SOURCE_IMPORT_REPLACE,
-} = Ci.nsINavBookmarksService;
-
-const SQLITE_MAX_VARIABLE_NUMBER = 999;
-
-const ORGANIZERQUERY_ANNO = "PlacesOrganizer/OrganizerQuery";
-const ALLBOOKMARKS_ANNO = "AllBookmarks";
-const MOBILE_ANNO = "MobileBookmarks";
-
-// The tracker ignores changes made by bookmark import and restore, and
-// changes made by Sync. We don't need to exclude `SOURCE_IMPORT`, but both
-// import and restore fire `bookmarks-restore-*` observer notifications, and
-// the tracker doesn't currently distinguish between the two.
-const IGNORED_SOURCES = [SOURCE_SYNC, SOURCE_IMPORT, SOURCE_IMPORT_REPLACE];
-
-// Returns the constructor for a bookmark record type.
-function getTypeObject(type) {
-  switch (type) {
-    case "bookmark":
-    case "microsummary":
-      return Bookmark;
-    case "query":
-      return BookmarkQuery;
-    case "folder":
-      return BookmarkFolder;
-    case "livemark":
-      return Livemark;
-    case "separator":
-      return BookmarkSeparator;
-    case "item":
-      return PlacesItem;
-  }
-  return null;
-}
 
 this.PlacesItem = function PlacesItem(collection, id, type) {
   CryptoWrapper.call(this, collection, id);
@@ -89,32 +52,26 @@ PlacesItem.prototype = {
   },
 
   getTypeObject: function PlacesItem_getTypeObject(type) {
-    let recordObj = getTypeObject(type);
-    if (!recordObj) {
-      throw new Error("Unknown places item object type: " + type);
+    switch (type) {
+      case "bookmark":
+      case "microsummary":
+        return Bookmark;
+      case "query":
+        return BookmarkQuery;
+      case "folder":
+        return BookmarkFolder;
+      case "livemark":
+        return Livemark;
+      case "separator":
+        return BookmarkSeparator;
+      case "item":
+        return PlacesItem;
     }
-    return recordObj;
+    throw "Unknown places item object type: " + type;
   },
 
   __proto__: CryptoWrapper.prototype,
   _logName: "Sync.Record.PlacesItem",
-
-  // Converts the record to a Sync bookmark object that can be passed to
-  // `PlacesSyncUtils.bookmarks.{insert, update}`.
-  toSyncBookmark() {
-    return {
-      kind: this.type,
-      syncId: this.id,
-      parentSyncId: this.parentid,
-    };
-  },
-
-  // Populates the record from a Sync bookmark object returned from
-  // `PlacesSyncUtils.bookmarks.fetch`.
-  fromSyncBookmark(item) {
-    this.parentid = item.parentSyncId;
-    this.parentName = item.parentTitle;
-  },
 };
 
 Utils.deferGetSet(PlacesItem,
@@ -127,27 +84,6 @@ this.Bookmark = function Bookmark(collection, id, type) {
 Bookmark.prototype = {
   __proto__: PlacesItem.prototype,
   _logName: "Sync.Record.Bookmark",
-
-  toSyncBookmark() {
-    let info = PlacesItem.prototype.toSyncBookmark.call(this);
-    info.title = this.title;
-    info.url = this.bmkUri;
-    info.description = this.description;
-    info.loadInSidebar = this.loadInSidebar;
-    info.tags = this.tags;
-    info.keyword = this.keyword;
-    return info;
-  },
-
-  fromSyncBookmark(item) {
-    PlacesItem.prototype.fromSyncBookmark.call(this, item);
-    this.title = item.title;
-    this.bmkUri = item.url.href;
-    this.description = item.description;
-    this.loadInSidebar = item.loadInSidebar;
-    this.tags = item.tags;
-    this.keyword = item.keyword;
-  },
 };
 
 Utils.deferGetSet(Bookmark,
@@ -161,19 +97,6 @@ this.BookmarkQuery = function BookmarkQuery(collection, id) {
 BookmarkQuery.prototype = {
   __proto__: Bookmark.prototype,
   _logName: "Sync.Record.BookmarkQuery",
-
-  toSyncBookmark() {
-    let info = Bookmark.prototype.toSyncBookmark.call(this);
-    info.folder = this.folderName;
-    info.query = this.queryId;
-    return info;
-  },
-
-  fromSyncBookmark(item) {
-    Bookmark.prototype.fromSyncBookmark.call(this, item);
-    this.folderName = item.folder;
-    this.queryId = item.query;
-  },
 };
 
 Utils.deferGetSet(BookmarkQuery,
@@ -186,20 +109,6 @@ this.BookmarkFolder = function BookmarkFolder(collection, id, type) {
 BookmarkFolder.prototype = {
   __proto__: PlacesItem.prototype,
   _logName: "Sync.Record.Folder",
-
-  toSyncBookmark() {
-    let info = PlacesItem.prototype.toSyncBookmark.call(this);
-    info.description = this.description;
-    info.title = this.title;
-    return info;
-  },
-
-  fromSyncBookmark(item) {
-    PlacesItem.prototype.fromSyncBookmark.call(this, item);
-    this.title = item.title;
-    this.description = item.description;
-    this.children = item.childSyncIds;
-  },
 };
 
 Utils.deferGetSet(BookmarkFolder, "cleartext", ["description", "title",
@@ -211,21 +120,6 @@ this.Livemark = function Livemark(collection, id) {
 Livemark.prototype = {
   __proto__: BookmarkFolder.prototype,
   _logName: "Sync.Record.Livemark",
-
-  toSyncBookmark() {
-    let info = BookmarkFolder.prototype.toSyncBookmark.call(this);
-    info.feed = this.feedUri;
-    info.site = this.siteUri;
-    return info;
-  },
-
-  fromSyncBookmark(item) {
-    BookmarkFolder.prototype.fromSyncBookmark.call(this, item);
-    this.feedUri = item.feed.href;
-    if (item.site) {
-      this.siteUri = item.site.href;
-    }
-  },
 };
 
 Utils.deferGetSet(Livemark, "cleartext", ["siteUri", "feedUri"]);
@@ -236,15 +130,81 @@ this.BookmarkSeparator = function BookmarkSeparator(collection, id) {
 BookmarkSeparator.prototype = {
   __proto__: PlacesItem.prototype,
   _logName: "Sync.Record.Separator",
-
-  fromSyncBookmark(item) {
-    PlacesItem.prototype.fromSyncBookmark.call(this, item);
-    this.pos = item.index;
-  },
 };
 
 Utils.deferGetSet(BookmarkSeparator, "cleartext", "pos");
 
+
+let kSpecialIds = {
+
+  // Special IDs. Note that mobile can attempt to create a record on
+  // dereference; special accessors are provided to prevent recursion within
+  // observers.
+  guids: ["menu", "places", "tags", "toolbar", "unfiled", "mobile"],
+
+  // Create the special mobile folder to store mobile bookmarks.
+  createMobileRoot: function createMobileRoot() {
+    let root = PlacesUtils.placesRootId;
+    let mRoot = PlacesUtils.bookmarks.createFolder(root, "mobile", -1);
+    PlacesUtils.annotations.setItemAnnotation(
+      mRoot, MOBILEROOT_ANNO, 1, 0, PlacesUtils.annotations.EXPIRE_NEVER);
+    PlacesUtils.annotations.setItemAnnotation(
+      mRoot, EXCLUDEBACKUP_ANNO, 1, 0, PlacesUtils.annotations.EXPIRE_NEVER);
+    return mRoot;
+  },
+
+  findMobileRoot: function findMobileRoot(create) {
+    // Use the (one) mobile root if it already exists.
+    let root = PlacesUtils.annotations.getItemsWithAnnotation(MOBILEROOT_ANNO, {});
+    if (root.length != 0)
+      return root[0];
+
+    if (create)
+      return this.createMobileRoot();
+
+    return null;
+  },
+
+  // Accessors for IDs.
+  isSpecialGUID: function isSpecialGUID(g) {
+    return this.guids.indexOf(g) != -1;
+  },
+
+  specialIdForGUID: function specialIdForGUID(guid, create) {
+    if (guid == "mobile") {
+      return this.findMobileRoot(create);
+    }
+    return this[guid];
+  },
+
+  // Don't bother creating mobile: if it doesn't exist, this ID can't be it!
+  specialGUIDForId: function specialGUIDForId(id) {
+    for each (let guid in this.guids)
+      if (this.specialIdForGUID(guid, false) == id)
+        return guid;
+    return null;
+  },
+
+  get menu() {
+    return PlacesUtils.bookmarksMenuFolderId;
+  },
+  get places() {
+    return PlacesUtils.placesRootId;
+  },
+  get tags() {
+    return PlacesUtils.tagsFolderId;
+  },
+  get toolbar() {
+    return PlacesUtils.toolbarFolderId;
+  },
+  get unfiled() {
+    return PlacesUtils.unfiledBookmarksFolderId;
+  },
+  get mobile() {
+    return this.findMobileRoot(true);
+  },
+};
+
 this.BookmarksEngine = function BookmarksEngine(service) {
   SyncEngine.call(this, "Bookmarks", service);
 }
@@ -257,103 +217,68 @@ BookmarksEngine.prototype = {
   _defaultSort: "index",
 
   syncPriority: 4,
-  allowSkippedRecord: false,
-
-  // A diagnostic helper to get the string value for a bookmark's URL given
-  // its ID. Always returns a string - on error will return a string in the
-  // form of "<description of error>" as this is purely for, eg, logging.
-  // (This means hitting the DB directly and we don't bother using a cached
-  // statement - we should rarely hit this.)
-  _getStringUrlForId(id) {
-    let url;
-    try {
-      let stmt = this._store._getStmt(`
-            SELECT h.url
-            FROM moz_places h
-            JOIN moz_bookmarks b ON h.id = b.fk
-            WHERE b.id = :id`);
-      stmt.params.id = id;
-      let rows = Async.querySpinningly(stmt, ["url"]);
-      url = rows.length == 0 ? "<not found>" : rows[0].url;
-    } catch (ex) {
-      if (Async.isShutdownException(ex)) {
-        throw ex;
-      }
-      if (ex instanceof Ci.mozIStorageError) {
-        url = `<failed: Storage error: ${ex.message} (${ex.result})>`;
-      } else {
-        url = `<failed: ${ex.toString()}>`;
-      }
-    }
-    return url;
-  },
 
-  _guidMapFailed: false,
-  _buildGUIDMap: function _buildGUIDMap() {
-    let store = this._store;
-    let guidMap = {};
-    let tree = Async.promiseSpinningly(PlacesUtils.promiseBookmarksTree("", {
-      includeItemIds: true
-    }));
-    function* walkBookmarksTree(tree, parent=null) {
-      if (tree) {
-        // Skip root node
-        if (parent) {
-          yield [tree, parent];
+  _sync: function _sync() {
+    let engine = this;
+    let batchEx = null;
+
+    // Try running sync in batch mode
+    PlacesUtils.bookmarks.runInBatchMode({
+      runBatched: function wrappedSync() {
+        try {
+          SyncEngine.prototype._sync.call(engine);
         }
-        if (tree.children) {
-          for (let child of tree.children) {
-            store._sleep(0); // avoid jank while looping.
-            yield* walkBookmarksTree(child, tree);
-          }
+        catch(ex) {
+          batchEx = ex;
         }
       }
-    }
+    }, null);
 
-    function* walkBookmarksRoots(tree, rootIDs) {
-      for (let id of rootIDs) {
-        let bookmarkRoot = tree.children.find(child => child.id === id);
-        if (bookmarkRoot === null) {
-          continue;
-        }
-        yield* walkBookmarksTree(bookmarkRoot, tree);
-      }
+    // Expose the exception if something inside the batch failed
+    if (batchEx != null) {
+      throw batchEx;
     }
+  },
 
-    let rootsToWalk = getChangeRootIds();
-
-    for (let [node, parent] of walkBookmarksRoots(tree, rootsToWalk)) {
-      let {guid, id, type: placeType} = node;
-      guid = PlacesSyncUtils.bookmarks.guidToSyncId(guid);
+  _guidMapFailed: false,
+  _buildGUIDMap: function _buildGUIDMap() {
+    let guidMap = {};
+    for (let guid in this._store.getAllIDs()) {
+      // Figure out with which key to store the mapping.
       let key;
-      switch (placeType) {
-        case PlacesUtils.TYPE_X_MOZ_PLACE:
-          // Bookmark
-          let query = null;
-          if (node.annos && node.uri.startsWith("place:")) {
-            query = node.annos.find(({name}) =>
-              name === PlacesSyncUtils.bookmarks.SMART_BOOKMARKS_ANNO);
-          }
-          if (query && query.value) {
-            key = "q" + query.value;
-          } else {
-            key = "b" + node.uri + ":" + (node.title || "");
-          }
+      let id = this._store.idForGUID(guid);
+      switch (PlacesUtils.bookmarks.getItemType(id)) {
+        case PlacesUtils.bookmarks.TYPE_BOOKMARK:
+
+          // Smart bookmarks map to their annotation value.
+          let queryId;
+          try {
+            queryId = PlacesUtils.annotations.getItemAnnotation(
+              id, SMART_BOOKMARKS_ANNO);
+          } catch(ex) {}
+          
+          if (queryId)
+            key = "q" + queryId;
+          else
+            key = "b" + PlacesUtils.bookmarks.getBookmarkURI(id).spec + ":" +
+                  PlacesUtils.bookmarks.getItemTitle(id);
           break;
-        case PlacesUtils.TYPE_X_MOZ_PLACE_CONTAINER:
-          // Folder
-          key = "f" + (node.title || "");
+        case PlacesUtils.bookmarks.TYPE_FOLDER:
+          key = "f" + PlacesUtils.bookmarks.getItemTitle(id);
           break;
-        case PlacesUtils.TYPE_X_MOZ_PLACE_SEPARATOR:
-          // Separator
-          key = "s" + node.index;
+        case PlacesUtils.bookmarks.TYPE_SEPARATOR:
+          key = "s" + PlacesUtils.bookmarks.getItemIndex(id);
           break;
         default:
-          this._log.error("Unknown place type: '"+placeType+"'");
           continue;
       }
 
-      let parentName = parent.title || "";
+      // The mapping is on a per parent-folder-name basis.
+      let parent = PlacesUtils.bookmarks.getFolderIdForItem(id);
+      if (parent <= 0)
+        continue;
+
+      let parentName = PlacesUtils.bookmarks.getItemTitle(parent);
       if (guidMap[parentName] == null)
         guidMap[parentName] = {};
 
@@ -381,17 +306,17 @@ BookmarksEngine.prototype = {
         // hack should get them to dupe correctly.
         if (item.queryId) {
           key = "q" + item.queryId;
-          altKey = "b" + item.bmkUri + ":" + (item.title || "");
+          altKey = "b" + item.bmkUri + ":" + item.title;
           break;
         }
         // No queryID? Fall through to the regular bookmark case.
       case "bookmark":
       case "microsummary":
-        key = "b" + item.bmkUri + ":" + (item.title || "");
+        key = "b" + item.bmkUri + ":" + item.title;
         break;
       case "folder":
       case "livemark":
-        key = "f" + (item.title || "");
+        key = "f" + item.title;
         break;
       case "separator":
         key = "s" + item.pos;
@@ -405,22 +330,21 @@ BookmarksEngine.prototype = {
     let guidMap = this._guidMap;
 
     // Give the GUID if we have the matching pair.
-    let parentName = item.parentName || "";
-    this._log.trace("Finding mapping: " + parentName + ", " + key);
-    let parent = guidMap[parentName];
-
+    this._log.trace("Finding mapping: " + item.parentName + ", " + key);
+    let parent = guidMap[item.parentName];
+    
     if (!parent) {
       this._log.trace("No parent => no dupe.");
       return undefined;
     }
-
+      
     let dupe = parent[key];
-
+    
     if (dupe) {
       this._log.trace("Mapped dupe: " + dupe);
       return dupe;
     }
-
+    
     if (altKey) {
       dupe = parent[altKey];
       if (dupe) {
@@ -428,7 +352,7 @@ BookmarksEngine.prototype = {
         return dupe;
       }
     }
-
+    
     this._log.trace("No dupe found for key " + key + "/" + altKey + ".");
     return undefined;
   },
@@ -437,7 +361,7 @@ BookmarksEngine.prototype = {
     SyncEngine.prototype._syncStartup.call(this);
 
     let cb = Async.makeSpinningCallback();
-    Task.spawn(function* () {
+    Task.spawn(function() {
       // For first-syncs, make a backup for the user to restore
       if (this.lastSync == 0) {
         this._log.debug("Bookmarks backup starting.");
@@ -449,7 +373,7 @@ BookmarksEngine.prototype = {
         // Failure to create a backup is somewhat bad, but probably not bad
         // enough to prevent syncing of bookmarks - so just log the error and
         // continue.
-        this._log.warn("Error while backing up bookmarks, but continuing with sync", ex);
+        this._log.warn("Got exception backing up bookmarks, but continuing with sync.", ex);
         cb();
       }
     );
@@ -464,10 +388,8 @@ BookmarksEngine.prototype = {
       try {
         guidMap = this._buildGUIDMap();
       } catch (ex) {
-        if (Async.isShutdownException(ex)) {
-          throw ex;
-        }
-        this._log.warn("Error while building GUID map, skipping all other incoming items", ex);
+        this._log.warn("Got exception building GUID map." +
+                       " Skipping all other incoming items.", ex);
         throw {code: Engine.prototype.eEngineAbortApplyIncoming,
                cause: ex};
       }
@@ -476,71 +398,17 @@ BookmarksEngine.prototype = {
     });
 
     this._store._childrenToOrder = {};
-    this._store.clearPendingDeletions();
-  },
-
-  _deletePending() {
-    // Delete pending items -- See the comment above BookmarkStore's deletePending
-    let newlyModified = Async.promiseSpinningly(this._store.deletePending());
-    let now = this._tracker._now();
-    this._log.debug("Deleted pending items", newlyModified);
-    for (let modifiedSyncID of newlyModified) {
-      if (!this._modified.has(modifiedSyncID)) {
-        this._modified.set(modifiedSyncID, { timestamp: now, deleted: false });
-      }
-    }
-  },
-
-  // We avoid reviving folders since reviving them properly would require
-  // reviving their children as well. Unfortunately, this is the wrong choice
-  // in the case of a bookmark restore where wipeServer failed -- if the
-  // server has the folder as deleted, we *would* want to reupload this folder.
-  // This is mitigated by the fact that we move any undeleted children to the
-  // grandparent when deleting the parent.
-  _shouldReviveRemotelyDeletedRecord(item) {
-    let kind = Async.promiseSpinningly(
-      PlacesSyncUtils.bookmarks.getKindForSyncId(item.id));
-    if (kind === PlacesSyncUtils.bookmarks.KINDS.FOLDER) {
-      return false;
-    }
-
-    // In addition to preventing the deletion of this record (handled by the caller),
-    // we need to mark the parent of this record for uploading next sync, in order
-    // to ensure its children array is accurate.
-    let modifiedTimestamp = this._modified.getModifiedTimestamp(item.id);
-    if (!modifiedTimestamp) {
-      // We only expect this to be called with items locally modified, so
-      // something strange is going on - play it safe and don't revive it.
-      this._log.error("_shouldReviveRemotelyDeletedRecord called on unmodified item: " + item.id);
-      return false;
-    }
-
-    let localID = this._store.idForGUID(item.id);
-    let localParentID = PlacesUtils.bookmarks.getFolderIdForItem(localID);
-    let localParentSyncID = this._store.GUIDForId(localParentID);
-
-    this._log.trace(`Reviving item "${item.id}" and marking parent ${localParentSyncID} as modified.`);
-
-    if (!this._modified.has(localParentSyncID)) {
-      this._modified.set(localParentSyncID, {
-        timestamp: modifiedTimestamp,
-        deleted: false
-      });
-    }
-    return true
   },
 
   _processIncoming: function (newitems) {
     try {
       SyncEngine.prototype._processIncoming.call(this, newitems);
     } finally {
-      try {
-        this._deletePending();
-      } finally {
-        // Reorder children.
-        this._store._orderChildren();
-        delete this._store._childrenToOrder;
-      }
+      // Reorder children.
+      this._tracker.ignoreAll = true;
+      this._store._orderChildren();
+      this._tracker.ignoreAll = false;
+      delete this._store._childrenToOrder;
     }
   },
 
@@ -575,154 +443,16 @@ BookmarksEngine.prototype = {
     }
     let mapped = this._mapDupe(item);
     this._log.debug(item.id + " mapped to " + mapped);
-    // We must return a string, not an object, and the entries in the GUIDMap
-    // are created via "new String()" making them an object.
-    return mapped ? mapped.toString() : mapped;
-  },
-
-  pullAllChanges() {
-    return new BookmarksChangeset(this._store.getAllIDs());
-  },
-
-  pullNewChanges() {
-    let modifiedGUIDs = this._getModifiedGUIDs();
-    if (!modifiedGUIDs.length) {
-      return new BookmarksChangeset(this._tracker.changedIDs);
-    }
-
-    // We don't use `PlacesUtils.promiseDBConnection` here because
-    // `getChangedIDs` might be called while we're in a batch, meaning we
-    // won't see any changes until the batch finishes and the transaction
-    // commits.
-    let db = PlacesUtils.history.QueryInterface(Ci.nsPIPlacesDatabase)
-                        .DBConnection;
-
-    // Filter out tags, organizer queries, and other descendants that we're
-    // not tracking. We chunk `modifiedGUIDs` because SQLite limits the number
-    // of bound parameters per query.
-    for (let startIndex = 0;
-         startIndex < modifiedGUIDs.length;
-         startIndex += SQLITE_MAX_VARIABLE_NUMBER) {
-
-      let chunkLength = Math.min(SQLITE_MAX_VARIABLE_NUMBER,
-                                 modifiedGUIDs.length - startIndex);
-
-      let query = `
-        WITH RECURSIVE
-        modifiedGuids(guid) AS (
-          VALUES ${new Array(chunkLength).fill("(?)").join(", ")}
-        ),
-        syncedItems(id) AS (
-          VALUES ${getChangeRootIds().map(id => `(${id})`).join(", ")}
-          UNION ALL
-          SELECT b.id
-          FROM moz_bookmarks b
-          JOIN syncedItems s ON b.parent = s.id
-        )
-        SELECT b.guid
-        FROM modifiedGuids m
-        JOIN moz_bookmarks b ON b.guid = m.guid
-        LEFT JOIN syncedItems s ON b.id = s.id
-        WHERE s.id IS NULL
-      `;
-
-      let statement = db.createAsyncStatement(query);
-      try {
-        for (let i = 0; i < chunkLength; i++) {
-          statement.bindByIndex(i, modifiedGUIDs[startIndex + i]);
-        }
-        let results = Async.querySpinningly(statement, ["guid"]);
-        for (let { guid } of results) {
-          let syncID = PlacesSyncUtils.bookmarks.guidToSyncId(guid);
-          this._tracker.removeChangedID(syncID);
-        }
-      } finally {
-        statement.finalize();
-      }
-    }
-
-    return new BookmarksChangeset(this._tracker.changedIDs);
-  },
-
-  // Returns an array of Places GUIDs for all changed items. Ignores deletions,
-  // which won't exist in the DB and shouldn't be removed from the tracker.
-  _getModifiedGUIDs() {
-    let guids = [];
-    for (let syncID in this._tracker.changedIDs) {
-      if (this._tracker.changedIDs[syncID].deleted === true) {
-        // The `===` check also filters out old persisted timestamps,
-        // which won't have a `deleted` property.
-        continue;
-      }
-      let guid = PlacesSyncUtils.bookmarks.syncIdToGuid(syncID);
-      guids.push(guid);
-    }
-    return guids;
-  },
-
-  // Called when _findDupe returns a dupe item and the engine has decided to
-  // switch the existing item to the new incoming item.
-  _switchItemToDupe(localDupeGUID, incomingItem) {
-    // We unconditionally change the item's ID in case the engine knows of
-    // an item but doesn't expose it through itemExists. If the API
-    // contract were stronger, this could be changed.
-    this._log.debug("Switching local ID to incoming: " + localDupeGUID + " -> " +
-                    incomingItem.id);
-    this._store.changeItemID(localDupeGUID, incomingItem.id);
-
-    // And mark the parent as being modified. Given we de-dupe based on the
-    // parent *name* it's possible the item having its GUID changed has a
-    // different parent from the incoming record.
-    // So we need to find the GUID of the local parent.
-    let now = this._tracker._now();
-    let localID = this._store.idForGUID(incomingItem.id);
-    let localParentID = PlacesUtils.bookmarks.getFolderIdForItem(localID);
-    let localParentGUID = this._store.GUIDForId(localParentID);
-    this._modified.set(localParentGUID, { modified: now, deleted: false });
-
-    // And we also add the parent as reflected in the incoming record as the
-    // de-dupe process might have used an existing item in a different folder.
-    // But only if the parent exists, otherwise we will upload a deleted item
-    // when it might actually be valid, just unknown to us. Note that this
-    // scenario will still leave us with inconsistent client and server states;
-    // the incoming record on the server references a parent that isn't the
-    // actual parent locally - see bug 1297955.
-    if (localParentGUID != incomingItem.parentid) {
-      let remoteParentID = this._store.idForGUID(incomingItem.parentid);
-      if (remoteParentID > 0) {
-        // The parent specified in the record does exist, so we are going to
-        // attempt a move when we come to applying the record. Mark the parent
-        // as being modified so we will later upload it with the new child
-        // reference.
-        this._modified.set(incomingItem.parentid, { modified: now, deleted: false });
-      } else {
-        // We aren't going to do a move as we don't have the parent (yet?).
-        // When applying the record we will add our special PARENT_ANNO
-        // annotation, so if it arrives in the future (either this Sync or a
-        // later one) it will be reparented.
-        this._log.debug(`Incoming duplicate item ${incomingItem.id} specifies ` +
-                        `non-existing parent ${incomingItem.parentid}`);
-      }
-    }
-
-    // The local, duplicate ID is always deleted on the server - but for
-    // bookmarks it is a logical delete.
-    // Simply adding this (now non-existing) ID to the tracker is enough.
-    this._modified.set(localDupeGUID, { modified: now, deleted: true });
-  },
-  getValidator() {
-    return new BookmarkValidator();
+    return mapped;
   }
 };
 
 function BookmarksStore(name, engine) {
   Store.call(this, name, engine);
-  this._foldersToDelete = new Set();
-  this._atomsToDelete = new Set();
+
   // Explicitly nullify our references to our cached services so we don't leak
   Svc.Obs.add("places-shutdown", function() {
-    for (let query in this._stmts) {
-      let stmt = this._stmts[query];
+    for each (let [query, stmt] in Iterator(this._stmts)) {
       stmt.finalize();
     }
     this._stmts = {};
@@ -732,12 +462,70 @@ BookmarksStore.prototype = {
   __proto__: Store.prototype,
 
   itemExists: function BStore_itemExists(id) {
-    return this.idForGUID(id) > 0;
+    return this.idForGUID(id, true) > 0;
   },
+  
+  /*
+   * If the record is a tag query, rewrite it to refer to the local tag ID.
+   * 
+   * Otherwise, just return.
+   */
+  preprocessTagQuery: function preprocessTagQuery(record) {
+    if (record.type != "query" ||
+        record.bmkUri == null ||
+        !record.folderName)
+      return;
+    
+    // Yes, this works without chopping off the "place:" prefix.
+    let uri           = record.bmkUri
+    let queriesRef    = {};
+    let queryCountRef = {};
+    let optionsRef    = {};
+    PlacesUtils.history.queryStringToQueries(uri, queriesRef, queryCountRef,
+                                             optionsRef);
+    
+    // We only process tag URIs.
+    if (optionsRef.value.resultType != optionsRef.value.RESULTS_AS_TAG_CONTENTS)
+      return;
+    
+    // Tag something to ensure that the tag exists.
+    let tag = record.folderName;
+    let dummyURI = Utils.makeURI("about:weave#BStore_preprocess");
+    PlacesUtils.tagging.tagURI(dummyURI, [tag]);
+
+    // Look for the id of the tag, which might just have been added.
+    let tags = this._getNode(PlacesUtils.tagsFolderId);
+    if (!(tags instanceof Ci.nsINavHistoryQueryResultNode)) {
+      this._log.debug("tags isn't an nsINavHistoryQueryResultNode; aborting.");
+      return;
+    }
 
+    tags.containerOpen = true;
+    try {
+      for (let i = 0; i < tags.childCount; i++) {
+        let child = tags.getChild(i);
+        if (child.title == tag) {
+          // Found the tag, so fix up the query to use the right id.
+          this._log.debug("Tag query folder: " + tag + " = " + child.itemId);
+          
+          this._log.trace("Replacing folders in: " + uri);
+          for each (let q in queriesRef.value)
+            q.setFolders([child.itemId], 1);
+          
+          record.bmkUri = PlacesUtils.history.queriesToQueryString(
+            queriesRef.value, queryCountRef.value, optionsRef.value);
+          return;
+        }
+      }
+    }
+    finally {
+      tags.containerOpen = false;
+    }
+  },
+  
   applyIncoming: function BStore_applyIncoming(record) {
     this._log.debug("Applying record " + record.id);
-    let isSpecial = PlacesSyncUtils.bookmarks.ROOTS.includes(record.id);
+    let isSpecial = record.id in kSpecialIds;
 
     if (record.deleted) {
       if (isSpecial) {
@@ -765,217 +553,548 @@ BookmarksStore.prototype = {
       return;
     }
 
+    // Preprocess the record before doing the normal apply.
+    this.preprocessTagQuery(record);
+
     // Figure out the local id of the parent GUID if available
     let parentGUID = record.parentid;
     if (!parentGUID) {
       throw "Record " + record.id + " has invalid parentid: " + parentGUID;
     }
-    this._log.debug("Remote parent is " + parentGUID);
+    this._log.debug("Local parent is " + parentGUID);
+
+    let parentId = this.idForGUID(parentGUID);
+    if (parentId > 0) {
+      // Save the parent id for modifying the bookmark later
+      record._parent = parentId;
+      record._orphan = false;
+      this._log.debug("Record " + record.id + " is not an orphan.");
+    } else {
+      this._log.trace("Record " + record.id +
+                      " is an orphan: could not find parent " + parentGUID);
+      record._orphan = true;
+    }
 
     // Do the normal processing of incoming records
     Store.prototype.applyIncoming.call(this, record);
 
-    if (record.type == "folder" && record.children) {
-      this._childrenToOrder[record.id] = record.children;
+    // Do some post-processing if we have an item
+    let itemId = this.idForGUID(record.id);
+    if (itemId > 0) {
+      // Move any children that are looking for this folder as a parent
+      if (record.type == "folder") {
+        this._reparentOrphans(itemId);
+        // Reorder children later
+        if (record.children)
+          this._childrenToOrder[record.id] = record.children;
+      }
+
+      // Create an annotation to remember that it needs reparenting.
+      if (record._orphan) {
+        PlacesUtils.annotations.setItemAnnotation(
+          itemId, PARENT_ANNO, parentGUID, 0,
+          PlacesUtils.annotations.EXPIRE_NEVER);
+      }
+    }
+  },
+
+  /**
+   * Find all ids of items that have a given value for an annotation
+   */
+  _findAnnoItems: function BStore__findAnnoItems(anno, val) {
+    return PlacesUtils.annotations.getItemsWithAnnotation(anno, {})
+                      .filter(function(id) {
+      return PlacesUtils.annotations.getItemAnnotation(id, anno) == val;
+    });
+  },
+
+  /**
+   * For the provided parent item, attach its children to it
+   */
+  _reparentOrphans: function _reparentOrphans(parentId) {
+    // Find orphans and reunite with this folder parent
+    let parentGUID = this.GUIDForId(parentId);
+    let orphans = this._findAnnoItems(PARENT_ANNO, parentGUID);
+
+    this._log.debug("Reparenting orphans " + orphans + " to " + parentId);
+    orphans.forEach(function(orphan) {
+      // Move the orphan to the parent and drop the missing parent annotation
+      if (this._reparentItem(orphan, parentId)) {
+        PlacesUtils.annotations.removeItemAnnotation(orphan, PARENT_ANNO);
+      }
+    }, this);
+  },
+
+  _reparentItem: function _reparentItem(itemId, parentId) {
+    this._log.trace("Attempting to move item " + itemId + " to new parent " +
+                    parentId);
+    try {
+      if (parentId > 0) {
+        PlacesUtils.bookmarks.moveItem(itemId, parentId,
+                                       PlacesUtils.bookmarks.DEFAULT_INDEX);
+        return true;
+      }
+    } catch(ex) {
+      this._log.debug("Failed to reparent item. ", ex);
+    }
+    return false;
+  },
+
+  // Turn a record's nsINavBookmarksService constant and other attributes into
+  // a granular type for comparison.
+  _recordType: function _recordType(itemId) {
+    let bms  = PlacesUtils.bookmarks;
+    let type = bms.getItemType(itemId);
+
+    switch (type) {
+      case bms.TYPE_FOLDER:
+        if (PlacesUtils.annotations
+                       .itemHasAnnotation(itemId, PlacesUtils.LMANNO_FEEDURI)) {
+          return "livemark";
+        }
+        return "folder";
+
+      case bms.TYPE_BOOKMARK:
+        let bmkUri = bms.getBookmarkURI(itemId).spec;
+        if (bmkUri.indexOf("place:") == 0) {
+          return "query";
+        }
+        return "bookmark";
+
+      case bms.TYPE_SEPARATOR:
+        return "separator";
+
+      default:
+        return null;
     }
   },
 
   create: function BStore_create(record) {
-    let info = record.toSyncBookmark();
-    // This can throw if we're inserting an invalid or incomplete bookmark.
-    // That's fine; the exception will be caught by `applyIncomingBatch`
-    // without aborting further processing.
-    let item = Async.promiseSpinningly(PlacesSyncUtils.bookmarks.insert(info));
-    if (item) {
-      this._log.debug(`Created ${item.kind} ${item.syncId} under ${
-        item.parentSyncId}`, item);
+    // Default to unfiled if we don't have the parent yet.
+    
+    // Valid parent IDs are all positive integers. Other values -- undefined,
+    // null, -1 -- all compare false for > 0, so this catches them all. We
+    // don't just use <= without the !, because undefined and null compare
+    // false for that, too!
+    if (!(record._parent > 0)) {
+      this._log.debug("Parent is " + record._parent + "; reparenting to unfiled.");
+      record._parent = kSpecialIds.unfiled;
+    }
+
+    let newId;
+    switch (record.type) {
+    case "bookmark":
+    case "query":
+    case "microsummary": {
+      let uri = Utils.makeURI(record.bmkUri);
+      newId = PlacesUtils.bookmarks.insertBookmark(
+        record._parent, uri, PlacesUtils.bookmarks.DEFAULT_INDEX, record.title);
+      this._log.debug("created bookmark " + newId + " under " + record._parent
+                      + " as " + record.title + " " + record.bmkUri);
+
+      // Smart bookmark annotations are strings.
+      if (record.queryId) {
+        PlacesUtils.annotations.setItemAnnotation(
+          newId, SMART_BOOKMARKS_ANNO, record.queryId, 0,
+          PlacesUtils.annotations.EXPIRE_NEVER);
+      }
+
+      if (Array.isArray(record.tags)) {
+        this._tagURI(uri, record.tags);
+      }
+      PlacesUtils.bookmarks.setKeywordForBookmark(newId, record.keyword);
+      if (record.description) {
+        PlacesUtils.annotations.setItemAnnotation(
+          newId, DESCRIPTION_ANNO, record.description, 0,
+          PlacesUtils.annotations.EXPIRE_NEVER);
+      }
+
+      if (record.loadInSidebar) {
+        PlacesUtils.annotations.setItemAnnotation(
+          newId, SIDEBAR_ANNO, true, 0,
+          PlacesUtils.annotations.EXPIRE_NEVER);
+      }
+
+    } break;
+    case "folder":
+      newId = PlacesUtils.bookmarks.createFolder(
+        record._parent, record.title, PlacesUtils.bookmarks.DEFAULT_INDEX);
+      this._log.debug("created folder " + newId + " under " + record._parent
+                      + " as " + record.title);
+
+      if (record.description) {
+        PlacesUtils.annotations.setItemAnnotation(
+          newId, DESCRIPTION_ANNO, record.description, 0,
+          PlacesUtils.annotations.EXPIRE_NEVER);
+      }
+
+      // record.children will be dealt with in _orderChildren.
+      break;
+    case "livemark":
+      let siteURI = null;
+      if (!record.feedUri) {
+        this._log.debug("No feed URI: skipping livemark record " + record.id);
+        return;
+      }
+      if (PlacesUtils.annotations
+                     .itemHasAnnotation(record._parent, PlacesUtils.LMANNO_FEEDURI)) {
+        this._log.debug("Invalid parent: skipping livemark record " + record.id);
+        return;
+      }
+
+      if (record.siteUri != null)
+        siteURI = Utils.makeURI(record.siteUri);
+
+      // Until this engine can handle asynchronous error reporting, we need to
+      // detect errors on creation synchronously.
+      let spinningCb = Async.makeSpinningCallback();
+
+      let livemarkObj = {title: record.title,
+                         parentId: record._parent,
+                         index: PlacesUtils.bookmarks.DEFAULT_INDEX,
+                         feedURI: Utils.makeURI(record.feedUri),
+                         siteURI: siteURI,
+                         guid: record.id};
+      PlacesUtils.livemarks.addLivemark(livemarkObj).then(
+        aLivemark => { spinningCb(null, [Components.results.NS_OK, aLivemark]) },
+        () => { spinningCb(null, [Components.results.NS_ERROR_UNEXPECTED, aLivemark]) }
+      );
+
+      let [status, livemark] = spinningCb.wait();
+      if (!Components.isSuccessCode(status)) {
+        throw status;
+      }
+
+      this._log.debug("Created livemark " + livemark.id + " under " +
+                      livemark.parentId + " as " + livemark.title +
+                      ", " + livemark.siteURI.spec + ", " +
+                      livemark.feedURI.spec + ", GUID " +
+                      livemark.guid);
+      break;
+    case "separator":
+      newId = PlacesUtils.bookmarks.insertSeparator(
+        record._parent, PlacesUtils.bookmarks.DEFAULT_INDEX);
+      this._log.debug("created separator " + newId + " under " + record._parent);
+      break;
+    case "item":
+      this._log.debug(" -> got a generic places item.. do nothing?");
+      return;
+    default:
+      this._log.error("_create: Unknown item type: " + record.type);
+      return;
+    }
+
+    if (newId) {
+      // Livemarks can set the GUID through the API, so there's no need to
+      // do that here.
+      this._log.trace("Setting GUID of new item " + newId + " to " + record.id);
+      this._setGUID(newId, record.id);
+    }
+  },
+
+  // Factored out of `remove` to avoid redundant DB queries when the Places ID
+  // is already known.
+  removeById: function removeById(itemId, guid) {
+    let type = PlacesUtils.bookmarks.getItemType(itemId);
+
+    switch (type) {
+    case PlacesUtils.bookmarks.TYPE_BOOKMARK:
+      this._log.debug("  -> removing bookmark " + guid);
+      PlacesUtils.bookmarks.removeItem(itemId);
+      break;
+    case PlacesUtils.bookmarks.TYPE_FOLDER:
+      this._log.debug("  -> removing folder " + guid);
+      PlacesUtils.bookmarks.removeItem(itemId);
+      break;
+    case PlacesUtils.bookmarks.TYPE_SEPARATOR:
+      this._log.debug("  -> removing separator " + guid);
+      PlacesUtils.bookmarks.removeItem(itemId);
+      break;
+    default:
+      this._log.error("remove: Unknown item type: " + type);
+      break;
     }
   },
 
   remove: function BStore_remove(record) {
-    if (PlacesSyncUtils.bookmarks.isRootSyncID(record.id)) {
+    if (kSpecialIds.isSpecialGUID(record.id)) {
       this._log.warn("Refusing to remove special folder " + record.id);
       return;
     }
-    let recordKind = Async.promiseSpinningly(
-      PlacesSyncUtils.bookmarks.getKindForSyncId(record.id));
-    let isFolder = recordKind === PlacesSyncUtils.bookmarks.KINDS.FOLDER;
-    this._log.trace(`Buffering removal of item "${record.id}" of type "${recordKind}".`);
-    if (isFolder) {
-      this._foldersToDelete.add(record.id);
-    } else {
-      this._atomsToDelete.add(record.id);
+
+    let itemId = this.idForGUID(record.id);
+    if (itemId <= 0) {
+      this._log.debug("Item " + record.id + " already removed");
+      return;
     }
+    this.removeById(itemId, record.id);
   },
 
-  update: function BStore_update(record) {
-    let info = record.toSyncBookmark();
-    let item = Async.promiseSpinningly(PlacesSyncUtils.bookmarks.update(info));
-    if (item) {
-      this._log.debug(`Updated ${item.kind} ${item.syncId} under ${
-        item.parentSyncId}`, item);
-    }
+  _taggableTypes: ["bookmark", "microsummary", "query"],
+  isTaggable: function isTaggable(recordType) {
+    return this._taggableTypes.indexOf(recordType) != -1;
   },
 
-  _orderChildren: function _orderChildren() {
-    let promises = Object.keys(this._childrenToOrder).map(syncID => {
-      let children = this._childrenToOrder[syncID];
-      return PlacesSyncUtils.bookmarks.order(syncID, children).catch(ex => {
-        this._log.debug(`Could not order children for ${syncID}`, ex);
-      });
-    });
-    Async.promiseSpinningly(Promise.all(promises));
-  },
-
-  // There's some complexity here around pending deletions. Our goals:
-  //
-  // - Don't delete any bookmarks a user has created but not explicitly deleted
-  //   (This includes any bookmark that was not a child of the folder at the
-  //   time the deletion was recorded, and also bookmarks restored from a backup).
-  // - Don't undelete any bookmark without ensuring the server structure
-  //   includes it (see `BookmarkEngine.prototype._shouldReviveRemotelyDeletedRecord`)
-  //
-  // This leads the following approach:
-  //
-  // - Additions, moves, and updates are processed before deletions.
-  //     - To do this, all deletion operations are buffered during a sync. Folders
-  //       we plan on deleting have their sync id's stored in `this._foldersToDelete`,
-  //       and non-folders we plan on deleting have their sync id's stored in
-  //       `this._atomsToDelete`.
-  //     - The exception to this is the moves that occur to fix the order of bookmark
-  //       children, which are performed after we process deletions.
-  // - Non-folders are deleted before folder deletions, so that when we process
-  //   folder deletions we know the correct state.
-  // - Remote deletions always win for folders, but do not result in recursive
-  //   deletion of children. This is a hack because we're not able to distinguish
-  //   between value changes and structural changes to folders, and we don't even
-  //   have the old server record to compare to. See `BookmarkEngine`'s
-  //   `_shouldReviveRemotelyDeletedRecord` method.
-  // - When a folder is deleted, its remaining children are moved in order to
-  //   their closest living ancestor.  If this is interrupted (unlikely, but
-  //   possible given that we don't perform this operation in a transaction),
-  //   we revive the folder.
-  // - Remote deletions can lose for non-folders, but only until we handle
-  //   bookmark restores correctly (removing stale state from the server -- this
-  //   is to say, if bug 1230011 is fixed, we should never revive bookmarks).
-
-  deletePending: Task.async(function* deletePending() {
-    yield this._deletePendingAtoms();
-    let guidsToUpdate = yield this._deletePendingFolders();
-    this.clearPendingDeletions();
-    return guidsToUpdate;
-  }),
-
-  clearPendingDeletions() {
-    this._foldersToDelete.clear();
-    this._atomsToDelete.clear();
-  },
-
-  _deleteAtom: Task.async(function* _deleteAtom(syncID) {
-    try {
-      let info = yield PlacesSyncUtils.bookmarks.remove(syncID, {
-        preventRemovalOfNonEmptyFolders: true
-      });
-      this._log.trace(`Removed item ${syncID} with type ${info.type}`);
-    } catch (ex) {
-      // Likely already removed.
-      this._log.trace(`Error removing ${syncID}`, ex);
+  update: function BStore_update(record) {
+    let itemId = this.idForGUID(record.id);
+
+    if (itemId <= 0) {
+      this._log.debug("Skipping update for unknown item: " + record.id);
+      return;
     }
-  }),
-
-  _deletePendingAtoms() {
-    return Promise.all(
-      [...this._atomsToDelete.values()]
-        .map(syncID => this._deleteAtom(syncID)));
-  },
-
-  // Returns an array of sync ids that need updates.
-  _deletePendingFolders: Task.async(function* _deletePendingFolders() {
-    // To avoid data loss, we don't want to just delete the folder outright,
-    // so we buffer folder deletions and process them at the end (now).
-    //
-    // At this point, any member in the folder that remains is either a folder
-    // pending deletion (which we'll get to in this function), or an item that
-    // should not be deleted. To avoid deleting these items, we first move them
-    // to the parent of the folder we're about to delete.
-    let needUpdate = new Set();
-    for (let syncId of this._foldersToDelete) {
-      let childSyncIds = yield PlacesSyncUtils.bookmarks.fetchChildSyncIds(syncId);
-      if (!childSyncIds.length) {
-        // No children -- just delete the folder.
-        yield this._deleteAtom(syncId)
-        continue;
-      }
-      // We could avoid some redundant work here by finding the nearest
-      // grandparent who isn't present in `this._toDelete`...
 
-      let grandparentSyncId = this.GUIDForId(
-        PlacesUtils.bookmarks.getFolderIdForItem(
-          this.idForGUID(PlacesSyncUtils.bookmarks.syncIdToGuid(syncId))));
+    // Two items are the same type if they have the same ItemType in Places,
+    // and also share some key characteristics (e.g., both being livemarks).
+    // We figure this out by examining the item to find the equivalent granular
+    // (string) type.
+    // If they're not the same type, we can't just update attributes. Delete
+    // then recreate the record instead.
+    let localItemType    = this._recordType(itemId);
+    let remoteRecordType = record.type;
+    this._log.trace("Local type: " + localItemType + ". " +
+                    "Remote type: " + remoteRecordType + ".");
+
+    if (localItemType != remoteRecordType) {
+      this._log.debug("Local record and remote record differ in type. " +
+                      "Deleting and recreating.");
+      this.removeById(itemId, record.id);
+      this.create(record);
+      return;
+    }
 
-      this._log.trace(`Moving ${childSyncIds.length} children of "${syncId}" to ` +
-                      `grandparent "${grandparentSyncId}" before deletion.`);
+    this._log.trace("Updating " + record.id + " (" + itemId + ")");
 
-      // Move children out of the parent and into the grandparent
-      yield Promise.all(childSyncIds.map(child => PlacesSyncUtils.bookmarks.update({
-        syncId: child,
-        parentSyncId: grandparentSyncId
-      })));
+    // Move the bookmark to a new parent or new position if necessary
+    if (record._parent > 0 &&
+        PlacesUtils.bookmarks.getFolderIdForItem(itemId) != record._parent) {
+      this._reparentItem(itemId, record._parent);
+    }
 
-      // Delete the (now empty) parent
-      try {
-        yield PlacesSyncUtils.bookmarks.remove(syncId, {
-          preventRemovalOfNonEmptyFolders: true
-        });
-      } catch (e) {
-        // We failed, probably because someone added something to this folder
-        // between when we got the children and now (or the database is corrupt,
-        // or something else happened...) This is unlikely, but possible. To
-        // avoid corruption in this case, we need to reupload the record to the
-        // server.
-        //
-        // (Ideally this whole operation would be done in a transaction, and this
-        // wouldn't be possible).
-        needUpdate.add(syncId);
+    for (let [key, val] in Iterator(record.cleartext)) {
+      switch (key) {
+      case "title":
+        PlacesUtils.bookmarks.setItemTitle(itemId, val);
+        break;
+      case "bmkUri":
+        PlacesUtils.bookmarks.changeBookmarkURI(itemId, Utils.makeURI(val));
+        break;
+      case "tags":
+        if (Array.isArray(val)) {
+          if (this.isTaggable(remoteRecordType)) {
+            this._tagID(itemId, val);
+          } else {
+            this._log.debug("Remote record type is invalid for tags: " + remoteRecordType);
+          }
+        }
+        break;
+      case "keyword":
+        PlacesUtils.bookmarks.setKeywordForBookmark(itemId, val);
+        break;
+      case "description":
+        if (val) {
+          PlacesUtils.annotations.setItemAnnotation(
+            itemId, DESCRIPTION_ANNO, val, 0,
+            PlacesUtils.annotations.EXPIRE_NEVER);
+        } else {
+          PlacesUtils.annotations.removeItemAnnotation(itemId, DESCRIPTION_ANNO);
+        }
+        break;
+      case "loadInSidebar":
+        if (val) {
+          PlacesUtils.annotations.setItemAnnotation(
+            itemId, SIDEBAR_ANNO, true, 0,
+            PlacesUtils.annotations.EXPIRE_NEVER);
+        } else {
+          PlacesUtils.annotations.removeItemAnnotation(itemId, SIDEBAR_ANNO);
+        }
+        break;
+      case "queryId":
+        PlacesUtils.annotations.setItemAnnotation(
+          itemId, SMART_BOOKMARKS_ANNO, val, 0,
+          PlacesUtils.annotations.EXPIRE_NEVER);
+        break;
       }
+    }
+  },
 
-      // Add children (for parentid) and grandparent (for children list) to set
-      // of records needing an update, *unless* they're marked for deletion.
-      if (!this._foldersToDelete.has(grandparentSyncId)) {
-        needUpdate.add(grandparentSyncId);
-      }
-      for (let childSyncId of childSyncIds) {
-        if (!this._foldersToDelete.has(childSyncId)) {
-          needUpdate.add(childSyncId);
+  _orderChildren: function _orderChildren() {
+    for (let [guid, children] in Iterator(this._childrenToOrder)) {
+      // Reorder children according to the GUID list. Gracefully deal
+      // with missing items, e.g. locally deleted.
+      let delta = 0;
+      let parent = null;
+      for (let idx = 0; idx < children.length; idx++) {
+        let itemid = this.idForGUID(children[idx]);
+        if (itemid == -1) {
+          delta += 1;
+          this._log.trace("Could not locate record " + children[idx]);
+          continue;
+        }
+        try {
+          // This code path could be optimized by caching the parent earlier.
+          // Doing so should take in count any edge case due to reparenting
+          // or parent invalidations though.
+          if (!parent) {
+            parent = PlacesUtils.bookmarks.getFolderIdForItem(itemid);
+          }
+          PlacesUtils.bookmarks.moveItem(itemid, parent, idx - delta);
+        } catch (ex) {
+          this._log.debug("Could not move item " + children[idx] + ": " + ex);
         }
       }
     }
-    return [...needUpdate];
-  }),
+  },
 
   changeItemID: function BStore_changeItemID(oldID, newID) {
     this._log.debug("Changing GUID " + oldID + " to " + newID);
 
-    Async.promiseSpinningly(PlacesSyncUtils.bookmarks.changeGuid(oldID, newID));
+    // Make sure there's an item to change GUIDs
+    let itemId = this.idForGUID(oldID);
+    if (itemId <= 0)
+      return;
+
+    this._setGUID(itemId, newID);
+  },
+
+  _getNode: function BStore__getNode(folder) {
+    let query = PlacesUtils.history.getNewQuery();
+    query.setFolders([folder], 1);
+    return PlacesUtils.history.executeQuery(
+      query, PlacesUtils.history.getNewQueryOptions()).root;
+  },
+
+  _getTags: function BStore__getTags(uri) {
+    try {
+      if (typeof(uri) == "string")
+        uri = Utils.makeURI(uri);
+    } catch(e) {
+      this._log.warn("Could not parse URI \"" + uri + "\": " + e);
+    }
+    return PlacesUtils.tagging.getTagsForURI(uri, {});
+  },
+
+  _getDescription: function BStore__getDescription(id) {
+    try {
+      return PlacesUtils.annotations.getItemAnnotation(id, DESCRIPTION_ANNO);
+    } catch (e) {
+      return null;
+    }
+  },
+
+  _isLoadInSidebar: function BStore__isLoadInSidebar(id) {
+    return PlacesUtils.annotations.itemHasAnnotation(id, SIDEBAR_ANNO);
+  },
+
+  get _childGUIDsStm() {
+    return this._getStmt(
+      "SELECT id AS item_id, guid " +
+      "FROM moz_bookmarks " +
+      "WHERE parent = :parent " +
+      "ORDER BY position");
+  },
+  _childGUIDsCols: ["item_id", "guid"],
+
+  _getChildGUIDsForId: function _getChildGUIDsForId(itemid) {
+    let stmt = this._childGUIDsStm;
+    stmt.params.parent = itemid;
+    let rows = Async.querySpinningly(stmt, this._childGUIDsCols);
+    return rows.map(function (row) {
+      if (row.guid) {
+        return row.guid;
+      }
+      // A GUID hasn't been assigned to this item yet, do this now.
+      return this.GUIDForId(row.item_id);
+    }, this);
   },
 
   // Create a record starting from the weave id (places guid)
   createRecord: function createRecord(id, collection) {
-    let item = Async.promiseSpinningly(PlacesSyncUtils.bookmarks.fetch(id));
-    if (!item) { // deleted item
-      let record = new PlacesItem(collection, id);
+    let placeId = this.idForGUID(id);
+    let record;
+    if (placeId <= 0) { // deleted item
+      record = new PlacesItem(collection, id);
       record.deleted = true;
       return record;
     }
 
-    let recordObj = getTypeObject(item.kind);
-    if (!recordObj) {
-      this._log.warn("Unknown item type, cannot serialize: " + item.kind);
-      recordObj = PlacesItem;
+    let parent = PlacesUtils.bookmarks.getFolderIdForItem(placeId);
+    switch (PlacesUtils.bookmarks.getItemType(placeId)) {
+    case PlacesUtils.bookmarks.TYPE_BOOKMARK:
+      let bmkUri = PlacesUtils.bookmarks.getBookmarkURI(placeId).spec;
+      if (bmkUri.indexOf("place:") == 0) {
+        record = new BookmarkQuery(collection, id);
+
+        // Get the actual tag name instead of the local itemId
+        let folder = bmkUri.match(/[:&]folder=(\d+)/);
+        try {
+          // There might not be the tag yet when creating on a new client
+          if (folder != null) {
+            folder = folder[1];
+            record.folderName = PlacesUtils.bookmarks.getItemTitle(folder);
+            this._log.trace("query id: " + folder + " = " + record.folderName);
+          }
+        }
+        catch(ex) {}
+        
+        // Persist the Smart Bookmark anno, if found.
+        try {
+          let anno = PlacesUtils.annotations.getItemAnnotation(placeId, SMART_BOOKMARKS_ANNO);
+          if (anno != null) {
+            this._log.trace("query anno: " + SMART_BOOKMARKS_ANNO +
+                            " = " + anno);
+            record.queryId = anno;
+          }
+        }
+        catch(ex) {}
+      }
+      else {
+        record = new Bookmark(collection, id);
+      }
+      record.title = PlacesUtils.bookmarks.getItemTitle(placeId);
+
+      record.parentName = PlacesUtils.bookmarks.getItemTitle(parent);
+      record.bmkUri = bmkUri;
+      record.tags = this._getTags(record.bmkUri);
+      record.keyword = PlacesUtils.bookmarks.getKeywordForBookmark(placeId);
+      record.description = this._getDescription(placeId);
+      record.loadInSidebar = this._isLoadInSidebar(placeId);
+      break;
+
+    case PlacesUtils.bookmarks.TYPE_FOLDER:
+      if (PlacesUtils.annotations
+                     .itemHasAnnotation(placeId, PlacesUtils.LMANNO_FEEDURI)) {
+        record = new Livemark(collection, id);
+        let as = PlacesUtils.annotations;
+        record.feedUri = as.getItemAnnotation(placeId, PlacesUtils.LMANNO_FEEDURI);
+        try {
+          record.siteUri = as.getItemAnnotation(placeId, PlacesUtils.LMANNO_SITEURI);
+        } catch (ex) {}
+      } else {
+        record = new BookmarkFolder(collection, id);
+      }
+
+      if (parent > 0)
+        record.parentName = PlacesUtils.bookmarks.getItemTitle(parent);
+      record.title = PlacesUtils.bookmarks.getItemTitle(placeId);
+      record.description = this._getDescription(placeId);
+      record.children = this._getChildGUIDsForId(placeId);
+      break;
+
+    case PlacesUtils.bookmarks.TYPE_SEPARATOR:
+      record = new BookmarkSeparator(collection, id);
+      if (parent > 0)
+        record.parentName = PlacesUtils.bookmarks.getItemTitle(parent);
+      // Create a positioning identifier for the separator, used by _mapDupe
+      record.pos = PlacesUtils.bookmarks.getItemIndex(placeId);
+      break;
+
+    default:
+      record = new PlacesItem(collection, id);
+      this._log.warn("Unknown item type, cannot serialize: " +
+                     PlacesUtils.bookmarks.getItemType(placeId));
     }
-    let record = new recordObj(collection, id);
-    record.fromSyncBookmark(item);
 
+    record.parentid = this.GUIDForId(parent);
     record.sortindex = this._calculateIndex(record);
 
     return record;
@@ -997,22 +1116,84 @@ BookmarksStore.prototype = {
     return this._getStmt(
         "SELECT frecency " +
         "FROM moz_places " +
-        "WHERE url_hash = hash(:url) AND url = :url " +
+        "WHERE url = :url " +
         "LIMIT 1");
   },
   _frecencyCols: ["frecency"],
 
+  get _setGUIDStm() {
+    return this._getStmt(
+      "UPDATE moz_bookmarks " +
+      "SET guid = :guid " +
+      "WHERE id = :item_id");
+  },
+
+  // Some helper functions to handle GUIDs
+  _setGUID: function _setGUID(id, guid) {
+    if (!guid)
+      guid = Utils.makeGUID();
+
+    let stmt = this._setGUIDStm;
+    stmt.params.guid = guid;
+    stmt.params.item_id = id;
+    Async.querySpinningly(stmt);
+    return guid;
+  },
+
+  get _guidForIdStm() {
+    return this._getStmt(
+      "SELECT guid " +
+      "FROM moz_bookmarks " +
+      "WHERE id = :item_id");
+  },
+  _guidForIdCols: ["guid"],
+
   GUIDForId: function GUIDForId(id) {
-    let guid = Async.promiseSpinningly(PlacesUtils.promiseItemGuid(id));
-    return PlacesSyncUtils.bookmarks.guidToSyncId(guid);
+    let special = kSpecialIds.specialGUIDForId(id);
+    if (special)
+      return special;
+
+    let stmt = this._guidForIdStm;
+    stmt.params.item_id = id;
+
+    // Use the existing GUID if it exists
+    let result = Async.querySpinningly(stmt, this._guidForIdCols)[0];
+    if (result && result.guid)
+      return result.guid;
+
+    // Give the uri a GUID if it doesn't have one
+    return this._setGUID(id);
   },
 
-  idForGUID: function idForGUID(guid) {
-    // guid might be a String object rather than a string.
-    guid = PlacesSyncUtils.bookmarks.syncIdToGuid(guid.toString());
+  get _idForGUIDStm() {
+    return this._getStmt(
+      "SELECT id AS item_id " +
+      "FROM moz_bookmarks " +
+      "WHERE guid = :guid");
+  },
+  _idForGUIDCols: ["item_id"],
+
+  // noCreate is provided as an optional argument to prevent the creation of
+  // non-existent special records, such as "mobile".
+  idForGUID: function idForGUID(guid, noCreate) {
+    if (kSpecialIds.isSpecialGUID(guid))
+      return kSpecialIds.specialIdForGUID(guid, !noCreate);
 
-    return Async.promiseSpinningly(PlacesUtils.promiseItemId(guid).catch(
-      ex => -1));
+    let stmt = this._idForGUIDStm;
+    // guid might be a String object rather than a string.
+    stmt.params.guid = guid.toString();
+
+    let results = Async.querySpinningly(stmt, this._idForGUIDCols);
+    this._log.trace("Number of rows matching GUID " + guid + ": "
+                    + results.length);
+    
+    // Here's the one we care about: the first.
+    let result = results[0];
+    
+    if (!result)
+      return -1;
+    
+    return result.item_id;
   },
 
   _calculateIndex: function _calculateIndex(record) {
@@ -1037,48 +1218,106 @@ BookmarksStore.prototype = {
     return index;
   },
 
-  getAllIDs: function BStore_getAllIDs() {
-    let items = {};
-
-    let query = `
-      WITH RECURSIVE
-      changeRootContents(id) AS (
-        VALUES ${getChangeRootIds().map(id => `(${id})`).join(", ")}
-        UNION ALL
-        SELECT b.id
-        FROM moz_bookmarks b
-        JOIN changeRootContents c ON b.parent = c.id
-      )
-      SELECT guid
-      FROM changeRootContents
-      JOIN moz_bookmarks USING (id)
-    `;
-
-    let statement = this._getStmt(query);
-    let results = Async.querySpinningly(statement, ["guid"]);
-    for (let { guid } of results) {
-      let syncID = PlacesSyncUtils.bookmarks.guidToSyncId(guid);
-      items[syncID] = { modified: 0, deleted: false };
+  _getChildren: function BStore_getChildren(guid, items) {
+    let node = guid; // the recursion case
+    if (typeof(node) == "string") { // callers will give us the guid as the first arg
+      let nodeID = this.idForGUID(guid, true);
+      if (!nodeID) {
+        this._log.debug("No node for GUID " + guid + "; returning no children.");
+        return items;
+      }
+      node = this._getNode(nodeID);
+    }
+    
+    if (node.type == node.RESULT_TYPE_FOLDER) {
+      node.QueryInterface(Ci.nsINavHistoryQueryResultNode);
+      node.containerOpen = true;
+      try {
+        // Remember all the children GUIDs and recursively get more
+        for (let i = 0; i < node.childCount; i++) {
+          let child = node.getChild(i);
+          items[this.GUIDForId(child.itemId)] = true;
+          this._getChildren(child, items);
+        }
+      }
+      finally {
+        node.containerOpen = false;
+      }
     }
 
     return items;
   },
 
+  /**
+   * Associates the URI of the item with the provided ID with the
+   * provided array of tags.
+   * If the provided ID does not identify an item with a URI,
+   * returns immediately.
+   */
+  _tagID: function _tagID(itemID, tags) {
+    if (!itemID || !tags) {
+      return;
+    }
+
+    try {
+      let u = PlacesUtils.bookmarks.getBookmarkURI(itemID);
+      this._tagURI(u, tags);
+    } catch (e) {
+      this._log.warn("Got exception fetching URI for " + itemID + ": not tagging. ", e);
+
+      // I guess it doesn't have a URI. Don't try to tag it.
+      return;
+    }
+  },
+
+  /**
+   * Associate the provided URI with the provided array of tags.
+   * If the provided URI is falsy, returns immediately.
+   */
+  _tagURI: function _tagURI(bookmarkURI, tags) {
+    if (!bookmarkURI || !tags) {
+      return;
+    }
+
+    // Filter out any null/undefined/empty tags.
+    tags = tags.filter(t => t);
+
+    // Temporarily tag a dummy URI to preserve tag ids when untagging.
+    let dummyURI = Utils.makeURI("about:weave#BStore_tagURI");
+    PlacesUtils.tagging.tagURI(dummyURI, tags);
+    PlacesUtils.tagging.untagURI(bookmarkURI, null);
+    PlacesUtils.tagging.tagURI(bookmarkURI, tags);
+    PlacesUtils.tagging.untagURI(dummyURI, null);
+  },
+
+  getAllIDs: function BStore_getAllIDs() {
+    let items = {"menu": true,
+                 "toolbar": true};
+    for each (let guid in kSpecialIds.guids) {
+      if (guid != "places" && guid != "tags")
+        this._getChildren(guid, items);
+    }
+    return items;
+  },
+
   wipe: function BStore_wipe() {
-    this.clearPendingDeletions();
-    Async.promiseSpinningly(Task.spawn(function* () {
+    let cb = Async.makeSpinningCallback();
+    Task.spawn(function() {
       // Save a backup before clearing out all bookmarks.
       yield PlacesBackups.create(null, true);
-      yield PlacesUtils.bookmarks.eraseEverything({
-        source: SOURCE_SYNC,
-      });
-    }));
+      for each (let guid in kSpecialIds.guids)
+        if (guid != "places") {
+          let id = kSpecialIds.specialIdForGUID(guid);
+          if (id)
+            PlacesUtils.bookmarks.removeFolderChildren(id);
+        }
+      cb();
+    });
+    cb.wait();
   }
 };
 
 function BookmarksTracker(name, engine) {
-  this._batchDepth = 0;
-  this._batchSawScoreIncrement = false;
   Tracker.call(this, name, engine);
 
   Svc.Obs.add("places-shutdown", this);
@@ -1086,16 +1325,6 @@ function BookmarksTracker(name, engine) {
 BookmarksTracker.prototype = {
   __proto__: Tracker.prototype,
 
-  //`_ignore` checks the change source for each observer notification, so we
-  // don't want to let the engine ignore all changes during a sync.
-  get ignoreAll() {
-    return false;
-  },
-
-  // Define an empty setter so that the engine doesn't throw a `TypeError`
-  // setting a read-only property.
-  set ignoreAll(value) {},
-
   startTracking: function() {
     PlacesUtils.bookmarks.addObserver(this, true);
     Svc.Obs.add("bookmarks-restore-begin", this);
@@ -1116,9 +1345,11 @@ BookmarksTracker.prototype = {
     switch (topic) {
       case "bookmarks-restore-begin":
         this._log.debug("Ignoring changes from importing bookmarks.");
+        this.ignoreAll = true;
         break;
       case "bookmarks-restore-success":
         this._log.debug("Tracking all items on successful import.");
+        this.ignoreAll = false;
 
         this._log.debug("Restore succeeded: wiping server and other clients.");
         this.engine.service.resetClient([this.name]);
@@ -1127,6 +1358,7 @@ BookmarksTracker.prototype = {
         break;
       case "bookmarks-restore-failed":
         this._log.debug("Tracking all items on failed import.");
+        this.ignoreAll = false;
         break;
     }
   },
@@ -1137,68 +1369,73 @@ BookmarksTracker.prototype = {
     Ci.nsISupportsWeakReference
   ]),
 
-  addChangedID(id, change) {
-    if (!id) {
-      this._log.warn("Attempted to add undefined ID to tracker");
-      return false;
-    }
-    if (this._ignored.includes(id)) {
-      return false;
-    }
-    let shouldSaveChange = false;
-    let currentChange = this.changedIDs[id];
-    if (currentChange) {
-      if (typeof currentChange == "number") {
-        // Allow raw timestamps for backward-compatibility with persisted
-        // changed IDs. The new format uses tuples to track deleted items.
-        shouldSaveChange = currentChange < change.modified;
-      } else {
-        shouldSaveChange = currentChange.modified < change.modified ||
-                           currentChange.deleted != change.deleted;
-      }
-    } else {
-      shouldSaveChange = true;
-    }
-    if (shouldSaveChange) {
-      this._saveChangedID(id, change);
-    }
-    return true;
-  },
-
   /**
    * Add a bookmark GUID to be uploaded and bump up the sync score.
    *
-   * @param itemId
-   *        The Places item ID of the bookmark to upload.
-   * @param guid
-   *        The Places GUID of the bookmark to upload.
-   * @param isTombstone
-   *        Whether we're uploading a tombstone for a removed bookmark.
+   * @param itemGuid
+   *        GUID of the bookmark to upload.
    */
-  _add: function BMT__add(itemId, guid, isTombstone = false) {
-    let syncID = PlacesSyncUtils.bookmarks.guidToSyncId(guid);
-    let info = { modified: Date.now() / 1000, deleted: isTombstone };
-    if (this.addChangedID(syncID, info)) {
+  _add: function BMT__add(itemId, guid) {
+    guid = kSpecialIds.specialGUIDForId(itemId) || guid;
+    if (this.addChangedID(guid))
       this._upScore();
-    }
   },
 
-  /* Every add/remove/change will trigger a sync for MULTI_DEVICE (except in
-     a batch operation, where we do it at the end of the batch) */
+  /* Every add/remove/change will trigger a sync for MULTI_DEVICE. */
   _upScore: function BMT__upScore() {
-    if (this._batchDepth == 0) {
-      this.score += SCORE_INCREMENT_XLARGE;
-    } else {
-      this._batchSawScoreIncrement = true;
+    this.score += SCORE_INCREMENT_XLARGE;
+  },
+
+  /**
+   * Determine if a change should be ignored.
+   *
+   * @param itemId
+   *        Item under consideration to ignore
+   * @param folder (optional)
+   *        Folder of the item being changed
+   */
+  _ignore: function BMT__ignore(itemId, folder, guid) {
+    // Ignore unconditionally if the engine tells us to.
+    if (this.ignoreAll)
+      return true;
+
+    // Get the folder id if we weren't given one.
+    if (folder == null) {
+      try {
+        folder = PlacesUtils.bookmarks.getFolderIdForItem(itemId);
+      } catch (ex) {
+        this._log.debug("getFolderIdForItem(" + itemId +
+                        ") threw; calling _ensureMobileQuery.");
+        // I'm guessing that gFIFI can throw, and perhaps that's why
+        // _ensureMobileQuery is here at all. Try not to call it.
+        this._ensureMobileQuery();
+        folder = PlacesUtils.bookmarks.getFolderIdForItem(itemId);
+      }
+    }
+
+    // Ignore changes to tags (folders under the tags folder).
+    let tags = kSpecialIds.tags;
+    if (folder == tags)
+      return true;
+
+    // Ignore tag items (the actual instance of a tag for a bookmark).
+    if (PlacesUtils.bookmarks.getFolderIdForItem(folder) == tags)
+      return true;
+
+    // Make sure to remove items that have the exclude annotation.
+    if (PlacesUtils.annotations.itemHasAnnotation(itemId, EXCLUDEBACKUP_ANNO)) {
+      this.removeChangedID(guid);
+      return true;
     }
+
+    return false;
   },
 
   onItemAdded: function BMT_onItemAdded(itemId, folder, index,
                                         itemType, uri, title, dateAdded,
-                                        guid, parentGuid, source) {
-    if (IGNORED_SOURCES.includes(source)) {
+                                        guid, parentGuid) {
+    if (this._ignore(itemId, folder, guid))
       return;
-    }
 
     this._log.trace("onItemAdded: " + itemId);
     this._add(itemId, guid);
@@ -1206,51 +1443,13 @@ BookmarksTracker.prototype = {
   },
 
   onItemRemoved: function (itemId, parentId, index, type, uri,
-                           guid, parentGuid, source) {
-    if (IGNORED_SOURCES.includes(source)) {
-      return;
-    }
-
-    // Ignore changes to tags (folders under the tags folder).
-    if (parentId == PlacesUtils.tagsFolderId) {
-      return;
-    }
-
-    let grandParentId = -1;
-    try {
-      grandParentId = PlacesUtils.bookmarks.getFolderIdForItem(parentId);
-    } catch (ex) {
-      // `getFolderIdForItem` can throw if the item no longer exists, such as
-      // when we've removed a subtree using `removeFolderChildren`.
-      return;
-    }
-
-    // Ignore tag items (the actual instance of a tag for a bookmark).
-    if (grandParentId == PlacesUtils.tagsFolderId) {
+                           guid, parentGuid) {
+    if (this._ignore(itemId, parentId, guid)) {
       return;
     }
 
-    /**
-     * The above checks are incomplete: we can still write tombstones for
-     * items that we don't track, and upload extraneous roots.
-     *
-     * Consider the left pane root: it's a child of the Places root, and has
-     * children and grandchildren. `PlacesUIUtils` can create, delete, and
-     * recreate it as needed. We can't determine ancestors when the root or its
-     * children are deleted, because they've already been removed from the
-     * database when `onItemRemoved` is called. Likewise, we can't check their
-     * "exclude from backup" annos, because they've *also* been removed.
-     *
-     * So, we end up writing tombstones for the left pane queries and left
-     * pane root. For good measure, we'll also upload the Places root, because
-     * it's the parent of the left pane root.
-     *
-     * As a workaround, we can track the parent GUID and reconstruct the item's
-     * ancestry at sync time. This is complicated, and the previous behavior was
-     * already wrong, so we'll wait for bug 1258127 to fix this generally.
-     */
     this._log.trace("onItemRemoved: " + itemId);
-    this._add(itemId, guid, /* isTombstone */ true);
+    this._add(itemId, guid);
     this._add(parentId, parentGuid);
   },
 
@@ -1265,40 +1464,32 @@ BookmarksTracker.prototype = {
     if (all.length == 0)
       return;
 
+    // Disable handling of notifications while changing the mobile query
+    this.ignoreAll = true;
+
     let mobile = find(MOBILE_ANNO);
-    let queryURI = Utils.makeURI("place:folder=" + PlacesUtils.mobileFolderId);
-    let title = PlacesBundle.GetStringFromName("MobileBookmarksFolderTitle");
+    let queryURI = Utils.makeURI("place:folder=" + kSpecialIds.mobile);
+    let title = Str.sync.get("mobile.label");
 
     // Don't add OR remove the mobile bookmarks if there's nothing.
-    if (PlacesUtils.bookmarks.getIdForItemAt(PlacesUtils.mobileFolderId, 0) == -1) {
+    if (PlacesUtils.bookmarks.getIdForItemAt(kSpecialIds.mobile, 0) == -1) {
       if (mobile.length != 0)
-        PlacesUtils.bookmarks.removeItem(mobile[0], SOURCE_SYNC);
+        PlacesUtils.bookmarks.removeItem(mobile[0]);
     }
     // Add the mobile bookmarks query if it doesn't exist
     else if (mobile.length == 0) {
-      let query = PlacesUtils.bookmarks.insertBookmark(all[0], queryURI, -1, title, /* guid */ null, SOURCE_SYNC);
+      let query = PlacesUtils.bookmarks.insertBookmark(all[0], queryURI, -1, title);
       PlacesUtils.annotations.setItemAnnotation(query, ORGANIZERQUERY_ANNO, MOBILE_ANNO, 0,
-                                  PlacesUtils.annotations.EXPIRE_NEVER, SOURCE_SYNC);
-      PlacesUtils.annotations.setItemAnnotation(query, PlacesUtils.EXCLUDE_FROM_BACKUP_ANNO, 1, 0,
-                                  PlacesUtils.annotations.EXPIRE_NEVER, SOURCE_SYNC);
+                                  PlacesUtils.annotations.EXPIRE_NEVER);
+      PlacesUtils.annotations.setItemAnnotation(query, EXCLUDEBACKUP_ANNO, 1, 0,
+                                  PlacesUtils.annotations.EXPIRE_NEVER);
     }
-    // Make sure the existing query URL and title are correct
-    else {
-      if (!PlacesUtils.bookmarks.getBookmarkURI(mobile[0]).equals(queryURI)) {
-        PlacesUtils.bookmarks.changeBookmarkURI(mobile[0], queryURI,
-                                                SOURCE_SYNC);
-      }
-      let queryTitle = PlacesUtils.bookmarks.getItemTitle(mobile[0]);
-      if (queryTitle != title) {
-        PlacesUtils.bookmarks.setItemTitle(mobile[0], title, SOURCE_SYNC);
-      }
-      let rootTitle =
-        PlacesUtils.bookmarks.getItemTitle(PlacesUtils.mobileFolderId);
-      if (rootTitle != title) {
-        PlacesUtils.bookmarks.setItemTitle(PlacesUtils.mobileFolderId, title,
-                                           SOURCE_SYNC);
-      }
+    // Make sure the existing title is correct
+    else if (PlacesUtils.bookmarks.getItemTitle(mobile[0]) != title) {
+      PlacesUtils.bookmarks.setItemTitle(mobile[0], title);
     }
+
+    this.ignoreAll = false;
   },
 
   // This method is oddly structured, but the idea is to return as quickly as
@@ -1306,11 +1497,10 @@ BookmarksTracker.prototype = {
   // *each change*.
   onItemChanged: function BMT_onItemChanged(itemId, property, isAnno, value,
                                             lastModified, itemType, parentId,
-                                            guid, parentGuid, oldValue,
-                                            source) {
-    if (IGNORED_SOURCES.includes(source)) {
+                                            guid, parentGuid) {
+    // Quicker checks first.
+    if (this.ignoreAll)
       return;
-    }
 
     if (isAnno && (ANNOS_TO_TRACK.indexOf(property) == -1))
       // Ignore annotations except for the ones that we sync.
@@ -1320,6 +1510,9 @@ BookmarksTracker.prototype = {
     if (property == "favicon")
       return;
 
+    if (this._ignore(itemId, parentId, guid))
+      return;
+
     this._log.trace("onItemChanged: " + itemId +
                     (", " + property + (isAnno? " (anno)" : "")) +
                     (value ? (" = \"" + value + "\"") : ""));
@@ -1328,11 +1521,9 @@ BookmarksTracker.prototype = {
 
   onItemMoved: function BMT_onItemMoved(itemId, oldParent, oldIndex,
                                         newParent, newIndex, itemType,
-                                        guid, oldParentGuid, newParentGuid,
-                                        source) {
-    if (IGNORED_SOURCES.includes(source)) {
+                                        guid, oldParentGuid, newParentGuid) {
+    if (this._ignore(itemId, newParent, guid))
       return;
-    }
 
     this._log.trace("onItemMoved: " + itemId);
     this._add(oldParent, oldParentGuid);
@@ -1342,37 +1533,10 @@ BookmarksTracker.prototype = {
     }
 
     // Remove any position annotations now that the user moved the item
-    PlacesUtils.annotations.removeItemAnnotation(itemId,
-      PlacesSyncUtils.bookmarks.SYNC_PARENT_ANNO, SOURCE_SYNC);
+    PlacesUtils.annotations.removeItemAnnotation(itemId, PARENT_ANNO);
   },
 
-  onBeginUpdateBatch: function () {
-    ++this._batchDepth;
-  },
-  onEndUpdateBatch: function () {
-    if (--this._batchDepth === 0 && this._batchSawScoreIncrement) {
-      this.score += SCORE_INCREMENT_XLARGE;
-      this._batchSawScoreIncrement = false;
-    }
-  },
+  onBeginUpdateBatch: function () {},
+  onEndUpdateBatch: function () {},
   onItemVisited: function () {}
 };
-
-// Returns an array of root IDs to recursively query for synced bookmarks.
-// Items in other roots, including tags and organizer queries, will be
-// ignored.
-function getChangeRootIds() {
-  return [
-    PlacesUtils.bookmarksMenuFolderId,
-    PlacesUtils.toolbarFolderId,
-    PlacesUtils.unfiledBookmarksFolderId,
-    PlacesUtils.mobileFolderId,
-  ];
-}
-
-class BookmarksChangeset extends Changeset {
-  getModifiedTimestamp(id) {
-    let change = this.changes[id];
-    return change ? change.modified : Number.NaN;
-  }
-}
diff --git a/services/sync/modules/engines/clients.js b/services/sync/modules/engines/clients.js
index 3dd6795701..6c8e37a7b5 100644
--- a/services/sync/modules/engines/clients.js
+++ b/services/sync/modules/engines/clients.js
@@ -2,24 +2,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-/**
- * How does the clients engine work?
- *
- * - We use 2 files - commands.json and commands-syncing.json.
- *
- * - At sync upload time, we attempt a rename of commands.json to
- *   commands-syncing.json, and ignore errors (helps for crash during sync!).
- * - We load commands-syncing.json and stash the contents in
- *   _currentlySyncingCommands which lives for the duration of the upload process.
- * - We use _currentlySyncingCommands to build the outgoing records
- * - Immediately after successful upload, we delete commands-syncing.json from
- *   disk (and clear _currentlySyncingCommands). We reconcile our local records
- *   with what we just wrote in the server, and add failed IDs commands
- *   back in commands.json
- * - Any time we need to "save" a command for future syncs, we load
- *   commands.json, update it, and write it back out.
- */
-
 this.EXPORTED_SYMBOLS = [
   "ClientEngine",
   "ClientsRec"
@@ -27,32 +9,17 @@ this.EXPORTED_SYMBOLS = [
 
 var {classes: Cc, interfaces: Ci, utils: Cu} = Components;
 
-Cu.import("resource://services-common/async.js");
 Cu.import("resource://services-common/stringbundle.js");
 Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/engines.js");
 Cu.import("resource://services-sync/record.js");
-Cu.import("resource://services-sync/resource.js");
 Cu.import("resource://services-sync/util.js");
-Cu.import("resource://gre/modules/Services.jsm");
-
-XPCOMUtils.defineLazyModuleGetter(this, "fxAccounts",
-  "resource://gre/modules/FxAccounts.jsm");
 
 const CLIENTS_TTL = 1814400; // 21 days
 const CLIENTS_TTL_REFRESH = 604800; // 7 days
-const STALE_CLIENT_REMOTE_AGE = 604800; // 7 days
 
 const SUPPORTED_PROTOCOL_VERSIONS = ["1.1", "1.5"];
 
-function hasDupeCommand(commands, action) {
-  if (!commands) {
-    return false;
-  }
-  return commands.some(other => other.command == action.command &&
-    Utils.deepEquals(other.args, action.args));
-}
-
 this.ClientsRec = function ClientsRec(collection, id) {
   CryptoWrapper.call(this, collection, id);
 }
@@ -66,27 +33,23 @@ Utils.deferGetSet(ClientsRec,
                   "cleartext",
                   ["name", "type", "commands",
                    "version", "protocols",
-                   "formfactor", "os", "appPackage", "application", "device",
-                   "fxaDeviceId"]);
+                   "formfactor", "os", "appPackage", "application", "device"]);
 
 
 this.ClientEngine = function ClientEngine(service) {
   SyncEngine.call(this, "Clients", service);
 
-  // Reset the last sync timestamp on every startup so that we fetch all clients
-  this.resetLastSync();
+  // Reset the client on every startup so that we fetch recent clients
+  this._resetClient();
 }
 ClientEngine.prototype = {
   __proto__: SyncEngine.prototype,
   _storeObj: ClientStore,
   _recordObj: ClientsRec,
   _trackerObj: ClientsTracker,
-  allowSkippedRecord: false,
 
   // Always sync client data as it controls other sync behavior
-  get enabled() {
-    return true;
-  },
+  get enabled() true,
 
   get lastRecordUpload() {
     return Svc.Prefs.get(this.name + ".lastRecordUpload", 0);
@@ -95,20 +58,10 @@ ClientEngine.prototype = {
     Svc.Prefs.set(this.name + ".lastRecordUpload", Math.floor(value));
   },
 
-  get remoteClients() {
-    // return all non-stale clients for external consumption.
-    return Object.values(this._store._remoteClients).filter(v => !v.stale);
-  },
-
-  remoteClientExists(id) {
-    let client = this._store._remoteClients[id];
-    return !!(client && !client.stale);
-  },
-
   // Aggregate some stats on the composition of clients on this account
   get stats() {
     let stats = {
-      hasMobile: this.localType == DEVICE_TYPE_MOBILE,
+      hasMobile: this.localType == "mobile",
       names: [this.localName],
       numClients: 1,
     };
@@ -156,9 +109,7 @@ ClientEngine.prototype = {
     let localID = Svc.Prefs.get("client.GUID", "");
     return localID == "" ? this.localID = Utils.makeGUID() : localID;
   },
-  set localID(value) {
-    Svc.Prefs.set("client.GUID", value);
-  },
+  set localID(value) Svc.Prefs.set("client.GUID", value),
 
   get brandName() {
     let brand = new StringBundle("chrome://branding/locale/brand.properties");
@@ -166,97 +117,23 @@ ClientEngine.prototype = {
   },
 
   get localName() {
-    let name = Utils.getDeviceName();
-    // If `getDeviceName` returns the default name, set the pref. FxA registers
-    // the device before syncing, so we don't need to update the registration
-    // in this case.
-    Svc.Prefs.set("client.name", name);
-    return name;
-  },
-  set localName(value) {
-    Svc.Prefs.set("client.name", value);
-    // Update the registration in the background.
-    fxAccounts.updateDeviceRegistration().catch(error => {
-      this._log.warn("failed to update fxa device registration", error);
-    });
-  },
+    let localName = Svc.Prefs.get("client.name", "");
+    if (localName != "")
+      return localName;
 
-  get localType() {
-    return Utils.getDeviceType();
-  },
-  set localType(value) {
-    Svc.Prefs.set("client.type", value);
+    return this.localName = Utils.getDefaultDeviceName();
   },
+  set localName(value) Svc.Prefs.set("client.name", value),
 
-  getClientName(id) {
-    if (id == this.localID) {
-      return this.localName;
-    }
-    let client = this._store._remoteClients[id];
-    return client ? client.name : "";
-  },
-
-  getClientFxaDeviceId(id) {
-    if (this._store._remoteClients[id]) {
-      return this._store._remoteClients[id].fxaDeviceId;
-    }
-    return null;
-  },
+  get localType() Svc.Prefs.get("client.type", "desktop"),
+  set localType(value) Svc.Prefs.set("client.type", value),
 
   isMobile: function isMobile(id) {
     if (this._store._remoteClients[id])
-      return this._store._remoteClients[id].type == DEVICE_TYPE_MOBILE;
+      return this._store._remoteClients[id].type == "mobile";
     return false;
   },
 
-  _readCommands() {
-    let cb = Async.makeSpinningCallback();
-    Utils.jsonLoad("commands", this, commands => cb(null, commands));
-    return cb.wait() || {};
-  },
-
-  /**
-   * Low level function, do not use directly (use _addClientCommand instead).
-   */
-  _saveCommands(commands) {
-    let cb = Async.makeSpinningCallback();
-    Utils.jsonSave("commands", this, commands, error => {
-      if (error) {
-        this._log.error("Failed to save JSON outgoing commands", error);
-      }
-      cb();
-    });
-    cb.wait();
-  },
-
-  _prepareCommandsForUpload() {
-    let cb = Async.makeSpinningCallback();
-    Utils.jsonMove("commands", "commands-syncing", this).catch(() => {}) // Ignore errors
-      .then(() => {
-        Utils.jsonLoad("commands-syncing", this, commands => cb(null, commands));
-      });
-    return cb.wait() || {};
-  },
-
-  _deleteUploadedCommands() {
-    delete this._currentlySyncingCommands;
-    Async.promiseSpinningly(
-      Utils.jsonRemove("commands-syncing", this).catch(err => {
-        this._log.error("Failed to delete syncing-commands file", err);
-      })
-    );
-  },
-
-  _addClientCommand(clientId, command) {
-    const allCommands = this._readCommands();
-    const clientCommands = allCommands[clientId] || [];
-    if (hasDupeCommand(clientCommands, command)) {
-      return;
-    }
-    allCommands[clientId] = clientCommands.concat(command);
-    this._saveCommands(allCommands);
-  },
-
   _syncStartup: function _syncStartup() {
     // Reupload new client record periodically.
     if (Date.now() / 1000 - this.lastRecordUpload > CLIENTS_TTL_REFRESH) {
@@ -266,157 +143,9 @@ ClientEngine.prototype = {
     SyncEngine.prototype._syncStartup.call(this);
   },
 
-  _processIncoming() {
-    // Fetch all records from the server.
-    this.lastSync = 0;
-    this._incomingClients = {};
-    try {
-      SyncEngine.prototype._processIncoming.call(this);
-      // Since clients are synced unconditionally, any records in the local store
-      // that don't exist on the server must be for disconnected clients. Remove
-      // them, so that we don't upload records with commands for clients that will
-      // never see them. We also do this to filter out stale clients from the
-      // tabs collection, since showing their list of tabs is confusing.
-      for (let id in this._store._remoteClients) {
-        if (!this._incomingClients[id]) {
-          this._log.info(`Removing local state for deleted client ${id}`);
-          this._removeRemoteClient(id);
-        }
-      }
-      // Bug 1264498: Mobile clients don't remove themselves from the clients
-      // collection when the user disconnects Sync, so we mark as stale clients
-      // with the same name that haven't synced in over a week.
-      // (Note we can't simply delete them, or we re-apply them next sync - see
-      // bug 1287687)
-      delete this._incomingClients[this.localID];
-      let names = new Set([this.localName]);
-      for (let id in this._incomingClients) {
-        let record = this._store._remoteClients[id];
-        if (!names.has(record.name)) {
-          names.add(record.name);
-          continue;
-        }
-        let remoteAge = AsyncResource.serverTime - this._incomingClients[id];
-        if (remoteAge > STALE_CLIENT_REMOTE_AGE) {
-          this._log.info(`Hiding stale client ${id} with age ${remoteAge}`);
-          record.stale = true;
-        }
-      }
-    } finally {
-      this._incomingClients = null;
-    }
-  },
-
-  _uploadOutgoing() {
-    this._currentlySyncingCommands = this._prepareCommandsForUpload();
-    const clientWithPendingCommands = Object.keys(this._currentlySyncingCommands);
-    for (let clientId of clientWithPendingCommands) {
-      if (this._store._remoteClients[clientId] || this.localID == clientId) {
-        this._modified.set(clientId, 0);
-      }
-    }
-    SyncEngine.prototype._uploadOutgoing.call(this);
-  },
-
-  _onRecordsWritten(succeeded, failed) {
-    // Reconcile the status of the local records with what we just wrote on the
-    // server
-    for (let id of succeeded) {
-      const commandChanges = this._currentlySyncingCommands[id];
-      if (id == this.localID) {
-        if (this.localCommands) {
-          this.localCommands = this.localCommands.filter(command => !hasDupeCommand(commandChanges, command));
-        }
-      } else {
-        const clientRecord = this._store._remoteClients[id];
-        if (!commandChanges || !clientRecord) {
-          // should be impossible, else we wouldn't have been writing it.
-          this._log.warn("No command/No record changes for a client we uploaded");
-          continue;
-        }
-        // fixup the client record, so our copy of _remoteClients matches what we uploaded.
-        clientRecord.commands = this._store.createRecord(id);
-        // we could do better and pass the reference to the record we just uploaded,
-        // but this will do for now
-      }
-    }
-
-    // Re-add failed commands
-    for (let id of failed) {
-      const commandChanges = this._currentlySyncingCommands[id];
-      if (!commandChanges) {
-        continue;
-      }
-      this._addClientCommand(id, commandChanges);
-    }
-
-    this._deleteUploadedCommands();
-
-    // Notify other devices that their own client collection changed
-    const idsToNotify = succeeded.reduce((acc, id) => {
-      if (id == this.localID) {
-        return acc;
-      }
-      const fxaDeviceId = this.getClientFxaDeviceId(id);
-      return fxaDeviceId ? acc.concat(fxaDeviceId) : acc;
-    }, []);
-    if (idsToNotify.length > 0) {
-      this._notifyCollectionChanged(idsToNotify);
-    }
-  },
-
-  _notifyCollectionChanged(ids) {
-    const message = {
-      version: 1,
-      command: "sync:collection_changed",
-      data: {
-        collections: ["clients"]
-      }
-    };
-    fxAccounts.notifyDevices(ids, message, NOTIFY_TAB_SENT_TTL_SECS);
-  },
-
-  _syncFinish() {
-    // Record histograms for our device types, and also write them to a pref
-    // so non-histogram telemetry (eg, UITelemetry) has easy access to them.
-    for (let [deviceType, count] of this.deviceTypes) {
-      let hid;
-      let prefName = this.name + ".devices.";
-      switch (deviceType) {
-        case "desktop":
-          hid = "WEAVE_DEVICE_COUNT_DESKTOP";
-          prefName += "desktop";
-          break;
-        case "mobile":
-          hid = "WEAVE_DEVICE_COUNT_MOBILE";
-          prefName += "mobile";
-          break;
-        default:
-          this._log.warn(`Unexpected deviceType "${deviceType}" recording device telemetry.`);
-          continue;
-      }
-      Services.telemetry.getHistogramById(hid).add(count);
-      Svc.Prefs.set(prefName, count);
-    }
-    SyncEngine.prototype._syncFinish.call(this);
-  },
-
-  _reconcile: function _reconcile(item) {
-    // Every incoming record is reconciled, so we use this to track the
-    // contents of the collection on the server.
-    this._incomingClients[item.id] = item.modified;
-
-    if (!this._store.itemExists(item.id)) {
-      return true;
-    }
-    // Clients are synced unconditionally, so we'll always have new records.
-    // Unfortunately, this will cause the scheduler to use the immediate sync
-    // interval for the multi-device case, instead of the active interval. We
-    // work around this by updating the record during reconciliation, and
-    // returning false to indicate that the record doesn't need to be applied
-    // later.
-    this._store.update(item);
-    return false;
+  // Always process incoming items because they might have commands
+  _reconcile: function _reconcile() {
+    return true;
   },
 
   // Treat reset the same as wiping for locally cached clients
@@ -426,13 +155,7 @@ ClientEngine.prototype = {
 
   _wipeClient: function _wipeClient() {
     SyncEngine.prototype._resetClient.call(this);
-    delete this.localCommands;
     this._store.wipe();
-    const logRemoveError = err => this._log.warn("Could not delete json file", err);
-    Async.promiseSpinningly(
-      Utils.jsonRemove("commands", this).catch(logRemoveError)
-        .then(Utils.jsonRemove("commands-syncing", this).catch(logRemoveError))
-    );
   },
 
   removeClientData: function removeClientData() {
@@ -471,6 +194,14 @@ ClientEngine.prototype = {
   },
 
   /**
+   * Remove any commands for the local client and mark it for upload.
+   */
+  clearCommands: function clearCommands() {
+    delete this.localCommands;
+    this._tracker.addChangedID(this.localID);
+  },
+
+  /**
    * Sends a command+args pair to a specific client.
    *
    * @param command Command string
@@ -484,17 +215,30 @@ ClientEngine.prototype = {
     if (!client) {
       throw new Error("Unknown remote client ID: '" + clientId + "'.");
     }
-    if (client.stale) {
-      throw new Error("Stale remote client ID: '" + clientId + "'.");
-    }
+
+    // notDupe compares two commands and returns if they are not equal.
+    let notDupe = function(other) {
+      return other.command != command || !Utils.deepEquals(other.args, args);
+    };
 
     let action = {
       command: command,
       args: args,
     };
 
+    if (!client.commands) {
+      client.commands = [action];
+    }
+    // Add the new action if there are no duplicates.
+    else if (client.commands.every(notDupe)) {
+      client.commands.push(action);
+    }
+    // It must be a dupe. Skip.
+    else {
+      return;
+    }
+
     this._log.trace("Client " + clientId + " got a new action: " + [command, args]);
-    this._addClientCommand(clientId, action);
     this._tracker.addChangedID(clientId);
   },
 
@@ -505,17 +249,13 @@ ClientEngine.prototype = {
    */
   processIncomingCommands: function processIncomingCommands() {
     return this._notify("clients:process-commands", "", function() {
-      if (!this.localCommands) {
-        return true;
-      }
+      let commands = this.localCommands;
 
-      const clearedCommands = this._readCommands()[this.localID];
-      const commands = this.localCommands.filter(command => !hasDupeCommand(clearedCommands, command));
+      // Immediately clear out the commands as we've got them locally.
+      this.clearCommands();
 
-      let URIsToDisplay = [];
       // Process each command in order.
-      for (let rawCommand of commands) {
-        let {command, args} = rawCommand;
+      for each (let {command, args} in commands) {
         this._log.debug("Processing command: " + command + "(" + args + ")");
 
         let engines = [args[0]];
@@ -536,20 +276,12 @@ ClientEngine.prototype = {
             this.service.logout();
             return false;
           case "displayURI":
-            let [uri, clientId, title] = args;
-            URIsToDisplay.push({ uri, clientId, title });
+            this._handleDisplayURI.apply(this, args);
             break;
           default:
             this._log.debug("Received an unknown command: " + command);
             break;
         }
-        // Add the command to the "cleared" commands list
-        this._addClientCommand(this.localID, rawCommand)
-      }
-      this._tracker.addChangedID(this.localID);
-
-      if (URIsToDisplay.length) {
-        this._handleDisplayURIs(URIsToDisplay);
       }
 
       return true;
@@ -588,10 +320,8 @@ ClientEngine.prototype = {
     if (clientId) {
       this._sendCommandToClient(command, args, clientId);
     } else {
-      for (let [id, record] of Object.entries(this._store._remoteClients)) {
-        if (!record.stale) {
-          this._sendCommandToClient(command, args, id);
-        }
+      for (let id in this._store._remoteClients) {
+        this._sendCommandToClient(command, args, id);
       }
     }
   },
@@ -622,11 +352,11 @@ ClientEngine.prototype = {
   },
 
   /**
-   * Handle a bunch of received 'displayURI' commands.
+   * Handle a single received 'displayURI' command.
    *
-   * Interested parties should observe the "weave:engine:clients:display-uris"
-   * topic. The callback will receive an array as the subject parameter
-   * containing objects with the following keys:
+   * Interested parties should observe the "weave:engine:clients:display-uri"
+   * topic. The callback will receive an object as the subject parameter with
+   * the following keys:
    *
    *   uri       URI (string) that is requested for display.
    *   clientId  ID of client that sent the command.
@@ -634,24 +364,21 @@ ClientEngine.prototype = {
    *
    * The 'data' parameter to the callback will not be defined.
    *
-   * @param uris
-   *        An array containing URI objects to display
-   * @param uris[].uri
+   * @param uri
    *        String URI that was received
-   * @param uris[].clientId
+   * @param clientId
    *        ID of client that sent URI
-   * @param uris[].title
+   * @param title
    *        String title of page that URI corresponds to. Older clients may not
    *        send this.
    */
-  _handleDisplayURIs: function _handleDisplayURIs(uris) {
-    Svc.Obs.notify("weave:engine:clients:display-uris", uris);
-  },
+  _handleDisplayURI: function _handleDisplayURI(uri, clientId, title) {
+    this._log.info("Received a URI for display: " + uri + " (" + title +
+                   ") from " + clientId);
 
-  _removeRemoteClient(id) {
-    delete this._store._remoteClients[id];
-    this._tracker.removeChangedID(id);
-  },
+    let subject = {uri: uri, client: clientId, title: title};
+    Svc.Obs.notify("weave:engine:clients:display-uri", subject);
+  }
 };
 
 function ClientStore(name, engine) {
@@ -660,48 +387,29 @@ function ClientStore(name, engine) {
 ClientStore.prototype = {
   __proto__: Store.prototype,
 
-  _remoteClients: {},
-
   create(record) {
-    this.update(record);
+    this.update(record)
   },
 
   update: function update(record) {
-    if (record.id == this.engine.localID) {
-      // Only grab commands from the server; local name/type always wins
+    // Only grab commands from the server; local name/type always wins
+    if (record.id == this.engine.localID)
       this.engine.localCommands = record.commands;
-    } else {
+    else
       this._remoteClients[record.id] = record.cleartext;
-    }
   },
 
   createRecord: function createRecord(id, collection) {
     let record = new ClientsRec(collection, id);
 
-    const commandsChanges = this.engine._currentlySyncingCommands ?
-                            this.engine._currentlySyncingCommands[id] :
-                            [];
-
     // Package the individual components into a record for the local client
     if (id == this.engine.localID) {
-      let cb = Async.makeSpinningCallback();
-      fxAccounts.getDeviceId().then(id => cb(null, id), cb);
-      try {
-        record.fxaDeviceId = cb.wait();
-      } catch(error) {
-        this._log.warn("failed to get fxa device id", error);
-      }
       record.name = this.engine.localName;
       record.type = this.engine.localType;
+      record.commands = this.engine.localCommands;
       record.version = Services.appinfo.version;
       record.protocols = SUPPORTED_PROTOCOL_VERSIONS;
 
-      // Substract the commands we recorded that we've already executed
-      if (commandsChanges && commandsChanges.length &&
-          this.engine.localCommands && this.engine.localCommands.length) {
-        record.commands = this.engine.localCommands.filter(command => !hasDupeCommand(commandsChanges, command));
-      }
-
       // Optional fields.
       record.os = Services.appinfo.OS;             // "Darwin"
       record.appPackage = Services.appinfo.ID;
@@ -712,20 +420,6 @@ ClientStore.prototype = {
       // record.formfactor = "";        // Bug 1100722
     } else {
       record.cleartext = this._remoteClients[id];
-
-      // Add the commands we have to send
-      if (commandsChanges && commandsChanges.length) {
-        const recordCommands = record.cleartext.commands || [];
-        const newCommands = commandsChanges.filter(command => !hasDupeCommand(recordCommands, command));
-        record.cleartext.commands = recordCommands.concat(newCommands);
-      }
-
-      if (record.cleartext.stale) {
-        // It's almost certainly a logic error for us to upload a record we
-        // consider stale, so make log noise, but still remove the flag.
-        this._log.error(`Preparing to upload record ${id} that we consider stale`);
-        delete record.cleartext.stale;
-      }
     }
 
     return record;
@@ -768,7 +462,7 @@ ClientsTracker.prototype = {
         break;
       case "weave:engine:stop-tracking":
         if (this._enabled) {
-          Svc.Prefs.ignore("client.name", this);
+          Svc.Prefs.ignore("clients.name", this);
           this._enabled = false;
         }
         break;
diff --git a/services/sync/modules/engines/forms.js b/services/sync/modules/engines/forms.js
index 43f79d4f7e..11dd8d9761 100644
--- a/services/sync/modules/engines/forms.js
+++ b/services/sync/modules/engines/forms.js
@@ -2,7 +2,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-this.EXPORTED_SYMBOLS = ['FormEngine', 'FormRec', 'FormValidator'];
+this.EXPORTED_SYMBOLS = ['FormEngine', 'FormRec'];
 
 var Cc = Components.classes;
 var Ci = Components.interfaces;
@@ -14,10 +14,9 @@ Cu.import("resource://services-sync/record.js");
 Cu.import("resource://services-common/async.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-sync/collection_validator.js");
 Cu.import("resource://gre/modules/Log.jsm");
 
-const FORMS_TTL = 3 * 365 * 24 * 60 * 60;   // Three years in seconds.
+const FORMS_TTL = 5184000; // 60 days
 
 this.FormRec = function FormRec(collection, id) {
   CryptoWrapper.call(this, collection, id);
@@ -37,24 +36,20 @@ var FormWrapper = {
   _getEntryCols: ["fieldname", "value"],
   _guidCols:     ["guid"],
 
-  _promiseSearch: function(terms, searchData) {
-    return new Promise(resolve => {
-      let results = [];
-      let callbacks = {
-        handleResult(result) {
-          results.push(result);
-        },
-        handleCompletion(reason) {
-          resolve(results);
-        }
-      };
-      Svc.FormHistory.search(terms, searchData, callbacks);
-    })
-  },
-
   // Do a "sync" search by spinning the event loop until it completes.
   _searchSpinningly: function(terms, searchData) {
-    return Async.promiseSpinningly(this._promiseSearch(terms, searchData));
+    let results = [];
+    let cb = Async.makeSpinningCallback();
+    let callbacks = {
+      handleResult: function(result) {
+        results.push(result);
+      },
+      handleCompletion: function(reason) {
+        cb(null, results);
+      }
+    };
+    Svc.FormHistory.search(terms, searchData, callbacks);
+    return cb.wait();
   },
 
   _updateSpinningly: function(changes) {
@@ -114,9 +109,7 @@ FormEngine.prototype = {
 
   syncPriority: 6,
 
-  get prefName() {
-    return "history";
-  },
+  get prefName() "history",
 
   _findDupe: function _findDupe(item) {
     return FormWrapper.getGUID(item.name, item.value);
@@ -235,6 +228,7 @@ FormTracker.prototype = {
     if (this.ignoreAll) {
       return;
     }
+
     switch (topic) {
       case "satchel-storage-changed":
         if (data == "formhistory-add" || data == "formhistory-remove") {
@@ -250,56 +244,3 @@ FormTracker.prototype = {
     this.score += SCORE_INCREMENT_MEDIUM;
   },
 };
-
-
-class FormsProblemData extends CollectionProblemData {
-  getSummary() {
-    // We don't support syncing deleted form data, so "clientMissing" isn't a problem
-    return super.getSummary().filter(entry =>
-      entry.name !== "clientMissing");
-  }
-}
-
-class FormValidator extends CollectionValidator {
-  constructor() {
-    super("forms", "id", ["name", "value"]);
-  }
-
-  emptyProblemData() {
-    return new FormsProblemData();
-  }
-
-  getClientItems() {
-    return FormWrapper._promiseSearch(["guid", "fieldname", "value"], {});
-  }
-
-  normalizeClientItem(item) {
-    return {
-      id: item.guid,
-      guid: item.guid,
-      name: item.fieldname,
-      fieldname: item.fieldname,
-      value: item.value,
-      original: item,
-    };
-  }
-
-  normalizeServerItem(item) {
-    let res = Object.assign({
-      guid: item.id,
-      fieldname: item.name,
-      original: item,
-    }, item);
-    // Missing `name` or `value` causes the getGUID call to throw
-    if (item.name !== undefined && item.value !== undefined) {
-      let guid = FormWrapper.getGUID(item.name, item.value);
-      if (guid) {
-        res.guid = guid;
-        res.id = guid;
-        res.duped = true;
-      }
-    }
-
-    return res;
-  }
-}
\ No newline at end of file
diff --git a/services/sync/modules/engines/history.js b/services/sync/modules/engines/history.js
index 307d484c1f..e7f53766fa 100644
--- a/services/sync/modules/engines/history.js
+++ b/services/sync/modules/engines/history.js
@@ -44,25 +44,6 @@ HistoryEngine.prototype = {
   applyIncomingBatchSize: HISTORY_STORE_BATCH_SIZE,
 
   syncPriority: 7,
-
-  _processIncoming: function (newitems) {
-    // We want to notify history observers that a batch operation is underway
-    // so they don't do lots of work for each incoming record.
-    let observers = PlacesUtils.history.getObservers();
-    function notifyHistoryObservers(notification) {
-      for (let observer of observers) {
-        try {
-          observer[notification]();
-        } catch (ex) { }
-      }
-    }
-    notifyHistoryObservers("onBeginUpdateBatch");
-    try {
-      return SyncEngine.prototype._processIncoming.call(this, newitems);
-    } finally {
-      notifyHistoryObservers("onEndUpdateBatch");
-    }
-  },
 };
 
 function HistoryStore(name, engine) {
@@ -105,7 +86,7 @@ HistoryStore.prototype = {
     return this._getStmt(
       "UPDATE moz_places " +
       "SET guid = :guid " +
-      "WHERE url_hash = hash(:page_url) AND url = :page_url");
+      "WHERE url = :page_url");
   },
 
   // Some helper functions to handle GUIDs
@@ -127,7 +108,7 @@ HistoryStore.prototype = {
     return this._getStmt(
       "SELECT guid " +
       "FROM moz_places " +
-      "WHERE url_hash = hash(:page_url) AND url = :page_url");
+      "WHERE url = :page_url");
   },
   _guidCols: ["guid"],
 
@@ -146,12 +127,12 @@ HistoryStore.prototype = {
   },
 
   get _visitStm() {
-    return this._getStmt(`/* do not warn (bug 599936) */
-      SELECT visit_type type, visit_date date
-      FROM moz_historyvisits
-      JOIN moz_places h ON h.id = place_id
-      WHERE url_hash = hash(:url) AND url = :url
-      ORDER BY date DESC LIMIT 20`);
+    return this._getStmt(
+      "/* do not warn (bug 599936) */ " +
+      "SELECT visit_type type, visit_date date " +
+      "FROM moz_historyvisits " +
+      "WHERE place_id = (SELECT id FROM moz_places WHERE url = :url) " +
+      "ORDER BY date DESC LIMIT 10");
   },
   _visitCols: ["date", "type"],
 
@@ -223,10 +204,7 @@ HistoryStore.prototype = {
         } else {
           shouldApply = this._recordToPlaceInfo(record);
         }
-      } catch (ex) {
-        if (Async.isShutdownException(ex)) {
-          throw ex;
-        }
+      } catch(ex) {
         failed.push(record.id);
         shouldApply = false;
       }
@@ -299,14 +277,14 @@ HistoryStore.prototype = {
       if (!visit.date || typeof visit.date != "number") {
         this._log.warn("Encountered record with invalid visit date: "
                        + visit.date);
-        continue;
+        throw "Visit has no date!";
       }
 
-      if (!visit.type ||
-          !Object.values(PlacesUtils.history.TRANSITIONS).includes(visit.type)) {
-        this._log.warn("Encountered record with invalid visit type: " +
-                       visit.type + "; ignoring.");
-        continue;
+      if (!visit.type || !(visit.type >= PlacesUtils.history.TRANSITION_LINK &&
+                           visit.type <= PlacesUtils.history.TRANSITION_RELOAD)) {
+        this._log.warn("Encountered record with invalid visit type: "
+                       + visit.type);
+        throw "Invalid visit type!";
       }
 
       // Dates need to be integers.
@@ -317,7 +295,6 @@ HistoryStore.prototype = {
         // overwritten.
         continue;
       }
-
       visit.visitDate = visit.date;
       visit.transitionType = visit.type;
       k += 1;
@@ -369,9 +346,7 @@ HistoryStore.prototype = {
   },
 
   wipe: function HistStore_wipe() {
-    let cb = Async.makeSyncCallback();
-    PlacesUtils.history.clear().then(result => {cb(null, result)}, err => {cb(err)});
-    return Async.waitForSyncCallback(cb);
+    PlacesUtils.history.removeAllPages();
   }
 };
 
diff --git a/services/sync/modules/engines/passwords.js b/services/sync/modules/engines/passwords.js
index 51db49a0a8..0ccd2e7b05 100644
--- a/services/sync/modules/engines/passwords.js
+++ b/services/sync/modules/engines/passwords.js
@@ -2,16 +2,14 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-this.EXPORTED_SYMBOLS = ['PasswordEngine', 'LoginRec', 'PasswordValidator'];
+this.EXPORTED_SYMBOLS = ['PasswordEngine', 'LoginRec'];
 
 var {classes: Cc, interfaces: Ci, utils: Cu} = Components;
 
 Cu.import("resource://services-sync/record.js");
 Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-sync/collection_validator.js");
 Cu.import("resource://services-sync/engines.js");
 Cu.import("resource://services-sync/util.js");
-Cu.import("resource://services-common/async.js");
 
 this.LoginRec = function LoginRec(collection, id) {
   CryptoWrapper.call(this, collection, id);
@@ -24,7 +22,6 @@ LoginRec.prototype = {
 Utils.deferGetSet(LoginRec, "cleartext", [
     "hostname", "formSubmitURL",
     "httpRealm", "username", "password", "usernameField", "passwordField",
-    "timeCreated", "timePasswordChanged",
     ]);
 
 
@@ -70,10 +67,7 @@ PasswordEngine.prototype = {
         Svc.Prefs.set("deletePwdFxA", true);
         Svc.Prefs.reset("deletePwd"); // The old prefname we previously used.
       } catch (ex) {
-        if (Async.isShutdownException(ex)) {
-          throw ex;
-        }
-        this._log.debug("Password deletes failed", ex);
+        this._log.debug("Password deletes failed: ", ex);
       }
     }
   },
@@ -104,13 +98,6 @@ function PasswordStore(name, engine) {
 PasswordStore.prototype = {
   __proto__: Store.prototype,
 
-  _newPropertyBag: function () {
-    return Cc["@mozilla.org/hash-property-bag;1"].createInstance(Ci.nsIWritablePropertyBag2);
-  },
-
-  /**
-   * Return an instance of nsILoginInfo (and, implicitly, nsILoginMetaInfo).
-   */
   _nsLoginInfoFromRecord: function (record) {
     function nullUndefined(x) {
       return (x == undefined) ? null : x;
@@ -131,21 +118,13 @@ PasswordStore.prototype = {
                                      record.password,
                                      record.usernameField,
                                      record.passwordField);
-
     info.QueryInterface(Ci.nsILoginMetaInfo);
     info.guid = record.id;
-    if (record.timeCreated) {
-      info.timeCreated = record.timeCreated;
-    }
-    if (record.timePasswordChanged) {
-      info.timePasswordChanged = record.timePasswordChanged;
-    }
-
     return info;
   },
 
   _getLoginFromGUID: function (id) {
-    let prop = this._newPropertyBag();
+    let prop = Cc["@mozilla.org/hash-property-bag;1"].createInstance(Ci.nsIWritablePropertyBag2);
     prop.setPropertyAsAUTF8String("guid", id);
 
     let logins = Services.logins.searchLogins({}, prop);
@@ -190,7 +169,8 @@ PasswordStore.prototype = {
       return;
     }
 
-    let prop = this._newPropertyBag();
+    let prop = Cc["@mozilla.org/hash-property-bag;1"]
+                 .createInstance(Ci.nsIWritablePropertyBag2);
     prop.setPropertyAsAUTF8String("guid", newID);
 
     Services.logins.modifyLogin(oldLogin, prop);
@@ -217,11 +197,6 @@ PasswordStore.prototype = {
     record.usernameField = login.usernameField;
     record.passwordField = login.passwordField;
 
-    // Optional fields.
-    login.QueryInterface(Ci.nsILoginMetaInfo);
-    record.timeCreated = login.timeCreated;
-    record.timePasswordChanged = login.timePasswordChanged;
-
     return record;
   },
 
@@ -237,7 +212,8 @@ PasswordStore.prototype = {
     try {
       Services.logins.addLogin(login);
     } catch(ex) {
-      this._log.debug(`Adding record ${record.id} resulted in exception`, ex);
+      this._log.debug("Adding record " + record.id +
+                      " resulted in exception ", ex);
     }
   },
 
@@ -269,7 +245,8 @@ PasswordStore.prototype = {
     try {
       Services.logins.modifyLogin(loginItem, newinfo);
     } catch(ex) {
-      this._log.debug(`Modifying record ${record.id} resulted in exception; not modifying`, ex);
+      this._log.debug("Modifying record " + record.id +
+                      " resulted in exception. Not modifying.", ex);
     }
   },
 
@@ -326,46 +303,3 @@ PasswordTracker.prototype = {
     }
   },
 };
-
-class PasswordValidator extends CollectionValidator {
-  constructor() {
-    super("passwords", "id", [
-      "hostname",
-      "formSubmitURL",
-      "httpRealm",
-      "password",
-      "passwordField",
-      "username",
-      "usernameField",
-    ]);
-  }
-
-  getClientItems() {
-    let logins = Services.logins.getAllLogins({});
-    let syncHosts = Utils.getSyncCredentialsHosts()
-    let result = logins.map(l => l.QueryInterface(Ci.nsILoginMetaInfo))
-                       .filter(l => !syncHosts.has(l.hostname));
-    return Promise.resolve(result);
-  }
-
-  normalizeClientItem(item) {
-    return {
-      id: item.guid,
-      guid: item.guid,
-      hostname: item.hostname,
-      formSubmitURL: item.formSubmitURL,
-      httpRealm: item.httpRealm,
-      password: item.password,
-      passwordField: item.passwordField,
-      username: item.username,
-      usernameField: item.usernameField,
-      original: item,
-    }
-  }
-
-  normalizeServerItem(item) {
-    return Object.assign({ guid: item.id }, item);
-  }
-}
-
-
diff --git a/services/sync/modules/engines/prefs.js b/services/sync/modules/engines/prefs.js
index 9ceeb9ac69..792e0c66ac 100644
--- a/services/sync/modules/engines/prefs.js
+++ b/services/sync/modules/engines/prefs.js
@@ -8,7 +8,7 @@ var Cc = Components.classes;
 var Ci = Components.interfaces;
 var Cu = Components.utils;
 
-const PREF_SYNC_PREFS_PREFIX = "services.sync.prefs.sync.";
+const SYNC_PREFS_PREFIX = "services.sync.prefs.sync.";
 
 Cu.import("resource://services-sync/engines.js");
 Cu.import("resource://services-sync/record.js");
@@ -42,7 +42,6 @@ PrefsEngine.prototype = {
   version: 2,
 
   syncPriority: 1,
-  allowSkippedRecord: false,
 
   getChangedIDs: function () {
     // No need for a proper timestamp (no conflict resolution needed).
@@ -88,45 +87,37 @@ PrefStore.prototype = {
   _getSyncPrefs: function () {
     let syncPrefs = Cc["@mozilla.org/preferences-service;1"]
                       .getService(Ci.nsIPrefService)
-                      .getBranch(PREF_SYNC_PREFS_PREFIX)
+                      .getBranch(SYNC_PREFS_PREFIX)
                       .getChildList("", {});
     // Also sync preferences that determine which prefs get synced.
-    let controlPrefs = syncPrefs.map(pref => PREF_SYNC_PREFS_PREFIX + pref);
+    let controlPrefs = syncPrefs.map(pref => SYNC_PREFS_PREFIX + pref);
     return controlPrefs.concat(syncPrefs);
   },
 
   _isSynced: function (pref) {
-    return pref.startsWith(PREF_SYNC_PREFS_PREFIX) ||
-           this._prefs.get(PREF_SYNC_PREFS_PREFIX + pref, false);
+    return pref.startsWith(SYNC_PREFS_PREFIX) ||
+            this._prefs.get(SYNC_PREFS_PREFIX + pref, false);
   },
 
   _getAllPrefs: function () {
     let values = {};
-    for (let pref of this._getSyncPrefs()) {
+    for each (let pref in this._getSyncPrefs()) {
       if (this._isSynced(pref)) {
-        // Missing and default prefs get the null value.
-        values[pref] = this._prefs.isSet(pref) ? this._prefs.get(pref, null) : null;
+        // Missing prefs get the null value.
+        values[pref] = this._prefs.get(pref, null);
       }
     }
     return values;
   },
 
-  _updateLightWeightTheme (themeID) {
-    let themeObject = null;
-    if (themeID) {
-      themeObject = LightweightThemeManager.getUsedTheme(themeID);
-    }
-    LightweightThemeManager.currentTheme = themeObject;
-  },
-
   _setAllPrefs: function (values) {
-    let selectedThemeIDPref = "lightweightThemes.selectedThemeID";
-    let selectedThemeIDBefore = this._prefs.get(selectedThemeIDPref, null);
-    let selectedThemeIDAfter = selectedThemeIDBefore;
+    let enabledPref = "lightweightThemes.isThemeSelected";
+    let enabledBefore = this._prefs.get(enabledPref, false);
+    let prevTheme = LightweightThemeManager.currentTheme;
 
     // Update 'services.sync.prefs.sync.foo.pref' before 'foo.pref', otherwise
     // _isSynced returns false when 'foo.pref' doesn't exist (e.g., on a new device).
-    let prefs = Object.keys(values).sort(a => -a.indexOf(PREF_SYNC_PREFS_PREFIX));
+    let prefs = Object.keys(values).sort(a => -a.indexOf(SYNC_PREFS_PREFIX));
     for (let pref of prefs) {
       if (!this._isSynced(pref)) {
         continue;
@@ -134,30 +125,26 @@ PrefStore.prototype = {
 
       let value = values[pref];
 
-      switch (pref) {
-        // Some special prefs we don't want to set directly.
-        case selectedThemeIDPref:
-          selectedThemeIDAfter = value;
-          break;
-
-        // default is to just set the pref
-        default:
-          if (value == null) {
-            // Pref has gone missing. The best we can do is reset it.
-            this._prefs.reset(pref);
-          } else {
-            try {
-              this._prefs.set(pref, value);
-            } catch(ex) {
-              this._log.trace("Failed to set pref: " + pref + ": " + ex);
-            }
-          }
+      // Pref has gone missing. The best we can do is reset it.
+      if (value == null) {
+        this._prefs.reset(pref);
+        continue;
       }
+
+      try {
+        this._prefs.set(pref, value);
+      } catch(ex) {
+        this._log.trace("Failed to set pref: " + pref + ": " + ex);
+      } 
     }
 
-    // Notify the lightweight theme manager if the selected theme has changed.
-    if (selectedThemeIDBefore != selectedThemeIDAfter) {
-      this._updateLightWeightTheme(selectedThemeIDAfter);
+    // Notify the lightweight theme manager of all the new values
+    let enabledNow = this._prefs.get(enabledPref, false);
+    if (enabledBefore && !enabledNow) {
+      LightweightThemeManager.currentTheme = null;
+    } else if (enabledNow && LightweightThemeManager.usedThemes[0] != prevTheme) {
+      LightweightThemeManager.currentTheme = null;
+      LightweightThemeManager.currentTheme = LightweightThemeManager.usedThemes[0];
     }
   },
 
@@ -261,8 +248,8 @@ PrefTracker.prototype = {
       case "nsPref:changed":
         // Trigger a sync for MULTI-DEVICE for a change that determines
         // which prefs are synced or a regular pref change.
-        if (data.indexOf(PREF_SYNC_PREFS_PREFIX) == 0 ||
-            this._prefs.get(PREF_SYNC_PREFS_PREFIX + data, false)) {
+        if (data.indexOf(SYNC_PREFS_PREFIX) == 0 ||
+            this._prefs.get(SYNC_PREFS_PREFIX + data, false)) {
           this.score += SCORE_INCREMENT_XLARGE;
           this.modified = true;
           this._log.trace("Preference " + data + " changed");
diff --git a/services/sync/modules/engines/tabs.js b/services/sync/modules/engines/tabs.js
index 45ece4a233..167faf6256 100644
--- a/services/sync/modules/engines/tabs.js
+++ b/services/sync/modules/engines/tabs.js
@@ -43,11 +43,6 @@ TabEngine.prototype = {
   _storeObj: TabStore,
   _trackerObj: TabTracker,
   _recordObj: TabSetRecord,
-  // A flag to indicate if we have synced in this session. This is to help
-  // consumers of remote tabs that may want to differentiate between "I've an
-  // empty tab list as I haven't yet synced" vs "I've an empty tab list
-  // as there really are no tabs"
-  hasSyncedThisSession: false,
 
   syncPriority: 3,
 
@@ -72,7 +67,6 @@ TabEngine.prototype = {
     SyncEngine.prototype._resetClient.call(this);
     this._store.wipe();
     this._tracker.modified = true;
-    this.hasSyncedThisSession = false;
   },
 
   removeClientData: function () {
@@ -100,12 +94,7 @@ TabEngine.prototype = {
     }
 
     return SyncEngine.prototype._reconcile.call(this, item);
-  },
-
-  _syncFinish() {
-    this.hasSyncedThisSession = true;
-    return SyncEngine.prototype._syncFinish.call(this);
-  },
+  }
 };
 
 
@@ -145,7 +134,7 @@ TabStore.prototype = {
       }
 
       for (let tab of win.gBrowser.tabs) {
-        let tabState = this.getTabState(tab);
+        tabState = this.getTabState(tab);
 
         // Make sure there are history entries to look at.
         if (!tabState || !tabState.entries.length) {
@@ -165,11 +154,6 @@ TabStore.prototype = {
           continue;
         }
 
-        if (current.url.length >= (MAX_UPLOAD_BYTES - 1000)) {
-          this._log.trace("Skipping over-long URL.");
-          continue;
-        }
-
         // The element at `index` is the current page. Previous URLs were
         // previously visited URLs; subsequent URLs are in the 'forward' stack,
         // which we can't represent in Sync, so we truncate here.
@@ -189,9 +173,7 @@ TabStore.prototype = {
         allTabs.push({
           title: current.title || "",
           urlHistory: urls,
-          icon: tabState.image ||
-                (tabState.attributes && tabState.attributes.image) ||
-                "",
+          icon: tabState.attributes && tabState.attributes.image || "",
           lastUsed: Math.floor((tabState.lastAccessed || 0) / 1000),
         });
       }
@@ -265,9 +247,27 @@ TabStore.prototype = {
 
   create: function (record) {
     this._log.debug("Adding remote tabs from " + record.clientName);
-    this._remoteClients[record.id] = Object.assign({}, record.cleartext, {
-      lastModified: record.modified
-    });
+    this._remoteClients[record.id] = record.cleartext;
+
+    // Lose some precision, but that's good enough (seconds).
+    let roundModify = Math.floor(record.modified / 1000);
+    let notifyState = Svc.Prefs.get("notifyTabState");
+
+    // If there's no existing pref, save this first modified time.
+    if (notifyState == null) {
+      Svc.Prefs.set("notifyTabState", roundModify);
+      return;
+    }
+
+    // Don't change notifyState if it's already 0 (don't notify).
+    if (notifyState == 0) {
+      return;
+    }
+
+    // We must have gotten a new tab that isn't the same as last time.
+    if (notifyState != roundModify) {
+      Svc.Prefs.set("notifyTabState", 0);
+    }
   },
 
   update: function (record) {
@@ -306,10 +306,6 @@ TabTracker.prototype = {
       window.addEventListener(topic, this.onTab, false);
     }
     window.addEventListener("unload", this._unregisterListeners, false);
-    // If it's got a tab browser we can listen for things like navigation.
-    if (window.gBrowser) {
-      window.gBrowser.addProgressListener(this);
-    }
   },
 
   _unregisterListeners: function (event) {
@@ -322,9 +318,6 @@ TabTracker.prototype = {
     for (let topic of this._topics) {
       window.removeEventListener(topic, this.onTab, false);
     }
-    if (window.gBrowser) {
-      window.gBrowser.removeProgressListener(this);
-    }
   },
 
   startTracking: function () {
@@ -380,14 +373,4 @@ TabTracker.prototype = {
       this.score += SCORE_INCREMENT_SMALL;
     }
   },
-
-  // web progress listeners.
-  onLocationChange: function (webProgress, request, location, flags) {
-    // We only care about top-level location changes which are not in the same
-    // document.
-    if (webProgress.isTopLevel &&
-        ((flags & Ci.nsIWebProgressListener.LOCATION_CHANGE_SAME_DOCUMENT) == 0)) {
-      this.modified = true;
-    }
-  },
 };
diff --git a/services/sync/modules/identity.js b/services/sync/modules/identity.js
index b4da8c0bb2..795901f890 100644
--- a/services/sync/modules/identity.js
+++ b/services/sync/modules/identity.js
@@ -13,7 +13,6 @@ Cu.import("resource://gre/modules/Promise.jsm");
 Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://gre/modules/Log.jsm");
 Cu.import("resource://services-sync/util.js");
-Cu.import("resource://services-common/async.js");
 
 // Lazy import to prevent unnecessary load on startup.
 for (let symbol of ["BulkKeyBundle", "SyncKeyBundle"]) {
@@ -23,8 +22,7 @@ for (let symbol of ["BulkKeyBundle", "SyncKeyBundle"]) {
 }
 
 /**
- * Manages "legacy" identity and authentication for Sync.
- * See browserid_identity for the Firefox Accounts based identity manager.
+ * Manages identity and authentication for Sync.
  *
  * The following entities are managed:
  *
@@ -85,14 +83,18 @@ IdentityManager.prototype = {
   _syncKeyBundle: null,
 
   /**
-   * Initialize the identity provider.
+   * Initialize the identity provider.  Returns a promise that is resolved
+   * when initialization is complete and the provider can be queried for
+   * its state
    */
   initialize: function() {
     // Nothing to do for this identity provider.
+    return Promise.resolve();
   },
 
   finalize: function() {
     // Nothing to do for this identity provider.
+    return Promise.resolve();
   },
 
   /**
@@ -111,6 +113,14 @@ IdentityManager.prototype = {
     return Promise.resolve();
   },
 
+  /**
+   * Indicates if the identity manager is still initializing
+   */
+  get readyToAuthenticate() {
+    // We initialize in a fully sync manner, so we are always finished.
+    return true;
+  },
+
   get account() {
     return Svc.Prefs.get("account", this.username);
   },
@@ -326,7 +336,7 @@ IdentityManager.prototype = {
       try {
         this._syncKeyBundle = new SyncKeyBundle(this.username, this.syncKey);
       } catch (ex) {
-        this._log.warn("Failed to create sync bundle", ex);
+        this._log.warn("Failed to create sync key bundle", ex);
         return null;
       }
     }
@@ -447,9 +457,6 @@ IdentityManager.prototype = {
     try {
       service.recordManager.get(service.storageURL + "meta/fxa_credentials");
     } catch (ex) {
-      if (Async.isShutdownException(ex)) {
-        throw ex;
-      }
       this._log.warn("Failed to pre-fetch the migration sentinel", ex);
     }
   },
@@ -593,13 +600,4 @@ IdentityManager.prototype = {
     // Do nothing for Sync 1.1.
     return {accepted: true};
   },
-
-  // Tell Sync what the login status should be if it saw a 401 fetching
-  // info/collections as part of login verification (typically immediately
-  // after login.)
-  // In our case it means an authoritative "password is incorrect".
-  loginStatusFromVerification404() {
-    return LOGIN_FAILED_LOGIN_REJECTED;
-  }
-
 };
diff --git a/services/sync/modules/notifications.js b/services/sync/modules/notifications.js
index 72187a4cef..5a67a74148 100644
--- a/services/sync/modules/notifications.js
+++ b/services/sync/modules/notifications.js
@@ -119,7 +119,7 @@ this.NotificationButton =
       callback.apply(this, arguments);
     } catch (e) {
       let logger = Log.repository.getLogger("Sync.Notifications");
-      logger.error("An exception occurred: " + Utils.exceptionStr(e));
+      logger.error("An exception occurred: ", e);
       logger.info(Utils.stackTrace(e));
       throw e;
     }
diff --git a/services/sync/modules/policies.js b/services/sync/modules/policies.js
index a3933426d8..2d85b1428c 100644
--- a/services/sync/modules/policies.js
+++ b/services/sync/modules/policies.js
@@ -14,19 +14,9 @@ Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/engines.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://services-common/logmanager.js");
-Cu.import("resource://services-common/async.js");
 
 XPCOMUtils.defineLazyModuleGetter(this, "Status",
                                   "resource://services-sync/status.js");
-XPCOMUtils.defineLazyModuleGetter(this, "AddonManager",
-                                  "resource://gre/modules/AddonManager.jsm");
-
-// Get the value for an interval that's stored in preferences. To save users
-// from themselves (and us from them!) the minimum time they can specify
-// is 60s.
-function getThrottledIntervalPreference(prefName) {
-  return Math.max(Svc.Prefs.get(prefName), 60) * 1000;
-}
 
 this.SyncScheduler = function SyncScheduler(service) {
   this.service = service;
@@ -53,14 +43,13 @@ SyncScheduler.prototype = {
                     .getService(Ci.nsISupports)
                     .wrappedJSObject;
 
-    let part = service.fxAccountsEnabled ? "fxa" : "sync11";
-    let prefSDInterval = "scheduler." + part + ".singleDeviceInterval";
-    this.singleDeviceInterval = getThrottledIntervalPreference(prefSDInterval);
+    let prefSDInterval = "scheduler.sync11.singleDeviceInterval";
+    this.singleDeviceInterval = Svc.Prefs.get(prefSDInterval) * 1000;
 
-    this.idleInterval         = getThrottledIntervalPreference("scheduler.idleInterval");
-    this.activeInterval       = getThrottledIntervalPreference("scheduler.activeInterval");
-    this.immediateInterval    = getThrottledIntervalPreference("scheduler.immediateInterval");
-    this.eolInterval          = getThrottledIntervalPreference("scheduler.eolInterval");
+    this.idleInterval         = Svc.Prefs.get("scheduler.idleInterval")         * 1000;
+    this.activeInterval       = Svc.Prefs.get("scheduler.activeInterval")       * 1000;
+    this.immediateInterval    = Svc.Prefs.get("scheduler.immediateInterval")    * 1000;
+    this.eolInterval          = Svc.Prefs.get("scheduler.eolInterval")          * 1000;
 
     // A user is non-idle on startup by default.
     this.idle = false;
@@ -71,40 +60,20 @@ SyncScheduler.prototype = {
   },
 
   // nextSync is in milliseconds, but prefs can't hold that much
-  get nextSync() {
-    return Svc.Prefs.get("nextSync", 0) * 1000;
-  },
-  set nextSync(value) {
-    Svc.Prefs.set("nextSync", Math.floor(value / 1000));
-  },
+  get nextSync() Svc.Prefs.get("nextSync", 0) * 1000,
+  set nextSync(value) Svc.Prefs.set("nextSync", Math.floor(value / 1000)),
 
-  get syncInterval() {
-    return Svc.Prefs.get("syncInterval", this.singleDeviceInterval);
-  },
-  set syncInterval(value) {
-    Svc.Prefs.set("syncInterval", value);
-  },
+  get syncInterval() Svc.Prefs.get("syncInterval", this.singleDeviceInterval),
+  set syncInterval(value) Svc.Prefs.set("syncInterval", value),
 
-  get syncThreshold() {
-    return Svc.Prefs.get("syncThreshold", SINGLE_USER_THRESHOLD);
-  },
-  set syncThreshold(value) {
-    Svc.Prefs.set("syncThreshold", value);
-  },
+  get syncThreshold() Svc.Prefs.get("syncThreshold", SINGLE_USER_THRESHOLD),
+  set syncThreshold(value) Svc.Prefs.set("syncThreshold", value),
 
-  get globalScore() {
-    return Svc.Prefs.get("globalScore", 0);
-  },
-  set globalScore(value) {
-    Svc.Prefs.set("globalScore", value);
-  },
+  get globalScore() Svc.Prefs.get("globalScore", 0),
+  set globalScore(value) Svc.Prefs.set("globalScore", value),
 
-  get numClients() {
-    return Svc.Prefs.get("numClients", 0);
-  },
-  set numClients(value) {
-    Svc.Prefs.set("numClients", value);
-  },
+  get numClients() Svc.Prefs.get("numClients", 0),
+  set numClients(value) Svc.Prefs.set("numClients", value),
 
   init: function init() {
     this._log.level = Log.Level[Svc.Prefs.get("log.logger.service.main")];
@@ -249,10 +218,7 @@ SyncScheduler.prototype = {
          this.setDefaults();
          try {
            Svc.Idle.removeIdleObserver(this, Svc.Prefs.get("scheduler.idleTime"));
-         } catch (ex) {
-           if (ex.result != Cr.NS_ERROR_FAILURE) {
-             throw ex;
-           }
+         } catch (ex if (ex.result == Cr.NS_ERROR_FAILURE)) {
            // In all likelihood we didn't have an idle observer registered yet.
            // It's all good.
          }
@@ -285,11 +251,10 @@ SyncScheduler.prototype = {
       case "wake_notification":
         this._log.debug("Woke from sleep.");
         Utils.nextTick(() => {
-          // Trigger a sync if we have multiple clients. We give it 5 seconds
-          // incase the network is still in the process of coming back up.
+          // Trigger a sync if we have multiple clients.
           if (this.numClients > 1) {
-            this._log.debug("More than 1 client. Will sync in 5s.");
-            this.scheduleNextSync(5000);
+            this._log.debug("More than 1 client. Syncing.");
+            this.scheduleNextSync(0);
           }
         });
         break;
@@ -531,6 +496,45 @@ SyncScheduler.prototype = {
       this.syncTimer.clear();
   },
 
+  /**
+   * Prevent new syncs from starting.  This is used by the FxA migration code
+   * where we can't afford to have a sync start partway through the migration.
+   * To handle the edge-case of a sync starting and not stopping, we store
+   * this state in a pref, so on the next startup we remain blocked (and thus
+   * sync will never start) so the migration can complete.
+   *
+   * As a safety measure, we only block for some period of time, and after
+   * that it will automatically unblock.  This ensures that if things go
+   * really pear-shaped and we never end up calling unblockSync() we haven't
+   * completely broken the world.
+   */
+  blockSync: function(until = null) {
+    if (!until) {
+      until = Date.now() + DEFAULT_BLOCK_PERIOD;
+    }
+    // until is specified in ms, but Prefs can't hold that much
+    Svc.Prefs.set("scheduler.blocked-until", Math.floor(until / 1000));
+  },
+
+  unblockSync: function() {
+    Svc.Prefs.reset("scheduler.blocked-until");
+    // the migration code should be ready to roll, so resume normal operations.
+    this.checkSyncStatus();
+  },
+
+  get isBlocked() {
+    let until = Svc.Prefs.get("scheduler.blocked-until");
+    if (until === undefined) {
+      return false;
+    }
+    if (until <= Math.floor(Date.now() / 1000)) {
+      // we were previously blocked but the time has expired.
+      Svc.Prefs.reset("scheduler.blocked-until");
+      return false;
+    }
+    // we remain blocked.
+    return true;
+  },
 };
 
 this.ErrorHandler = function ErrorHandler(service) {
@@ -570,10 +574,7 @@ ErrorHandler.prototype = {
     root.level = Log.Level[Svc.Prefs.get("log.rootLogger")];
 
     let logs = ["Sync", "FirefoxAccounts", "Hawk", "Common.TokenServerClient",
-                "Sync.SyncMigration", "browserwindow.syncui",
-                "Services.Common.RESTRequest", "Services.Common.RESTRequest",
-                "BookmarkSyncUtils"
-               ];
+                "Sync.SyncMigration"];
 
     this._logManager = new LogManager(Svc.Prefs, logs, "sync");
   },
@@ -590,25 +591,17 @@ ErrorHandler.prototype = {
           this._log.debug(data + " failed to apply some records.");
         }
         break;
-      case "weave:engine:sync:error": {
+      case "weave:engine:sync:error":
         let exception = subject;  // exception thrown by engine's sync() method
         let engine_name = data;   // engine name that threw the exception
 
         this.checkServerError(exception);
 
         Status.engines = [engine_name, exception.failureCode || ENGINE_UNKNOWN_FAIL];
-        if (Async.isShutdownException(exception)) {
-          this._log.debug(engine_name + " was interrupted due to the application shutting down");
-        } else {
-          this._log.debug(engine_name + " failed", exception);
-          Services.telemetry.getKeyedHistogramById("WEAVE_ENGINE_SYNC_ERRORS")
-                            .add(engine_name);
-        }
+        this._log.debug(engine_name + " failed: ", exception);
         break;
-      }
       case "weave:service:login:error":
-        this._log.error("Sync encountered a login error");
-        this.resetFileLog();
+        this.resetFileLog(this._logManager.REASON_ERROR);
 
         if (this.shouldReportError()) {
           this.notifyOnNextTick("weave:ui:login:error");
@@ -618,23 +611,12 @@ ErrorHandler.prototype = {
 
         this.dontIgnoreErrors = false;
         break;
-      case "weave:service:sync:error": {
+      case "weave:service:sync:error":
         if (Status.sync == CREDENTIALS_CHANGED) {
           this.service.logout();
         }
 
-        let exception = subject;
-        if (Async.isShutdownException(exception)) {
-          // If we are shutting down we just log the fact, attempt to flush
-          // the log file and get out of here!
-          this._log.error("Sync was interrupted due to the application shutting down");
-          this.resetFileLog();
-          break;
-        }
-
-        // Not a shutdown related exception...
-        this._log.error("Sync encountered an error", exception);
-        this.resetFileLog();
+        this.resetFileLog(this._logManager.REASON_ERROR);
 
         if (this.shouldReportError()) {
           this.notifyOnNextTick("weave:ui:sync:error");
@@ -644,7 +626,6 @@ ErrorHandler.prototype = {
 
         this.dontIgnoreErrors = false;
         break;
-      }
       case "weave:service:sync:finish":
         this._log.trace("Status.service is " + Status.service);
 
@@ -660,8 +641,8 @@ ErrorHandler.prototype = {
         }
 
         if (Status.service == SYNC_FAILED_PARTIAL) {
-          this._log.error("Some engines did not sync correctly.");
-          this.resetFileLog();
+          this._log.debug("Some engines did not sync correctly.");
+          this.resetFileLog(this._logManager.REASON_ERROR);
 
           if (this.shouldReportError()) {
             this.dontIgnoreErrors = false;
@@ -669,7 +650,7 @@ ErrorHandler.prototype = {
             break;
           }
         } else {
-          this.resetFileLog();
+          this.resetFileLog(this._logManager.REASON_SUCCESS);
         }
         this.dontIgnoreErrors = false;
         this.notifyOnNextTick("weave:ui:sync:finish");
@@ -696,52 +677,22 @@ ErrorHandler.prototype = {
     Utils.nextTick(this.service.sync, this.service);
   },
 
-  _dumpAddons: function _dumpAddons() {
-    // Just dump the items that sync may be concerned with. Specifically,
-    // active extensions that are not hidden.
-    let addonPromise = new Promise(resolve => {
-      try {
-        AddonManager.getAddonsByTypes(["extension"], resolve);
-      } catch (e) {
-        this._log.warn("Failed to dump addons", e)
-        resolve([])
-      }
-    });
-
-    return addonPromise.then(addons => {
-      let relevantAddons = addons.filter(x => x.isActive && !x.hidden);
-      this._log.debug("Addons installed", relevantAddons.length);
-      for (let addon of relevantAddons) {
-        this._log.debug(" - ${name}, version ${version}, id ${id}", addon);
-      }
-    });
-  },
-
   /**
    * Generate a log file for the sync that just completed
    * and refresh the input & output streams.
+   *
+   * @param reason
+   *        A constant from the LogManager that indicates the reason for the
+   *        reset.
    */
-  resetFileLog: function resetFileLog() {
-    let onComplete = logType => {
+  resetFileLog: function resetFileLog(reason) {
+    let onComplete = () => {
       Svc.Obs.notify("weave:service:reset-file-log");
       this._log.trace("Notified: " + Date.now());
-      if (logType == this._logManager.ERROR_LOG_WRITTEN) {
-        Cu.reportError("Sync encountered an error - see about:sync-log for the log file.");
-      }
     };
-
-    // If we're writing an error log, dump extensions that may be causing problems.
-    let beforeResetLog;
-    if (this._logManager.sawError) {
-      beforeResetLog = this._dumpAddons();
-    } else {
-      beforeResetLog = Promise.resolve();
-    }
     // Note we do not return the promise here - the caller doesn't need to wait
     // for this to complete.
-    beforeResetLog
-      .then(() => this._logManager.resetFileLog())
-      .then(onComplete, onComplete);
+    this._logManager.resetFileLog(reason).then(onComplete, onComplete);
   },
 
   /**
@@ -775,9 +726,6 @@ ErrorHandler.prototype = {
     }
   },
 
-  // A function to indicate if Sync errors should be "reported" - which in this
-  // context really means "should be notify observers of an error" - but note
-  // that since bug 1180587, no one is going to surface an error to the user.
   shouldReportError: function shouldReportError() {
     if (Status.login == MASTER_PASSWORD_LOCKED) {
       this._log.trace("shouldReportError: false (master password locked).");
@@ -817,12 +765,8 @@ ErrorHandler.prototype = {
       return false;
     }
 
-
-    let result = ([Status.login, Status.sync].indexOf(SERVER_MAINTENANCE) == -1 &&
-                  [Status.login, Status.sync].indexOf(LOGIN_FAILED_NETWORK_ERROR) == -1);
-    this._log.trace("shouldReportError: ${result} due to login=${login}, sync=${sync}",
-                    {result, login: Status.login, sync: Status.sync});
-    return result;
+    return ([Status.login, Status.sync].indexOf(SERVER_MAINTENANCE) == -1 &&
+            [Status.login, Status.sync].indexOf(LOGIN_FAILED_NETWORK_ERROR) == -1);
   },
 
   get currentAlertMode() {
@@ -925,7 +869,7 @@ ErrorHandler.prototype = {
       case 401:
         this.service.logout();
         this._log.info("Got 401 response; resetting clusterURL.");
-        this.service.clusterURL = null;
+        Svc.Prefs.reset("clusterURL");
 
         let delay = 0;
         if (Svc.Prefs.get("lastSyncReassigned")) {
diff --git a/services/sync/modules/record.js b/services/sync/modules/record.js
index f7a69d9ef1..5dc1c012ca 100644
--- a/services/sync/modules/record.js
+++ b/services/sync/modules/record.js
@@ -23,7 +23,6 @@ Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/keys.js");
 Cu.import("resource://services-sync/resource.js");
 Cu.import("resource://services-sync/util.js");
-Cu.import("resource://services-common/async.js");
 
 this.WBORecord = function WBORecord(collection, id) {
   this.data = {};
@@ -196,9 +195,7 @@ CryptoWrapper.prototype = {
   },
 
   // The custom setter below masks the parent's getter, so explicitly call it :(
-  get id() {
-    return WBORecord.prototype.__lookupGetter__("id").call(this);
-  },
+  get id() WBORecord.prototype.__lookupGetter__("id").call(this),
 
   // Keep both plaintext and encrypted versions of the id to verify integrity
   set id(val) {
@@ -238,11 +235,8 @@ RecordManager.prototype = {
       record.deserialize(this.response);
 
       return this.set(url, record);
-    } catch (ex) {
-      if (Async.isShutdownException(ex)) {
-        throw ex;
-      }
-      this._log.debug("Failed to import record", ex);
+    } catch(ex) {
+      this._log.debug("Failed to import record: ", ex);
       return null;
     }
   },
@@ -281,10 +275,10 @@ RecordManager.prototype = {
  * You can update this thing simply by giving it /info/collections. It'll
  * use the last modified time to bring itself up to date.
  */
-this.CollectionKeyManager = function CollectionKeyManager(lastModified, default_, collections) {
-  this.lastModified = lastModified || 0;
-  this._default = default_ || null;
-  this._collections = collections || {};
+this.CollectionKeyManager = function CollectionKeyManager() {
+  this.lastModified = 0;
+  this._collections = {};
+  this._default = null;
 
   this._log = Log.repository.getLogger("Sync.CollectionKeyManager");
 }
@@ -293,19 +287,6 @@ this.CollectionKeyManager = function CollectionKeyManager(lastModified, default_
 // Note that the last modified time needs to be preserved.
 CollectionKeyManager.prototype = {
 
-  /**
-   * Generate a new CollectionKeyManager that has the same attributes
-   * as this one.
-   */
-  clone() {
-    const newCollections = {};
-    for (let c in this._collections) {
-      newCollections[c] = this._collections[c];
-    }
-
-    return new CollectionKeyManager(this.lastModified, this._default, newCollections);
-  },
-
   // Return information about old vs new keys:
   // * same: true if two collections are equal
   // * changed: an array of collection names that changed.
@@ -374,15 +355,15 @@ CollectionKeyManager.prototype = {
   /**
    * Create a WBO for the current keys.
    */
-  asWBO: function(collection, id) {
-    return this._makeWBO(this._collections, this._default);
-  },
+  asWBO: function(collection, id)
+    this._makeWBO(this._collections, this._default),
 
   /**
    * Compute a new default key, and new keys for any specified collections.
    */
   newKeys: function(collections) {
-    let newDefaultKeyBundle = this.newDefaultKeyBundle();
+    let newDefaultKey = new BulkKeyBundle(DEFAULT_KEYBUNDLE_NAME);
+    newDefaultKey.generateRandom();
 
     let newColls = {};
     if (collections) {
@@ -392,7 +373,7 @@ CollectionKeyManager.prototype = {
         newColls[c] = b;
       });
     }
-    return [newDefaultKeyBundle, newColls];
+    return [newDefaultKey, newColls];
   },
 
   /**
@@ -406,57 +387,6 @@ CollectionKeyManager.prototype = {
     return this._makeWBO(newColls, newDefaultKey);
   },
 
-  /**
-   * Create a new default key.
-   *
-   * @returns {BulkKeyBundle}
-   */
-  newDefaultKeyBundle() {
-    const key = new BulkKeyBundle(DEFAULT_KEYBUNDLE_NAME);
-    key.generateRandom();
-    return key;
-  },
-
-  /**
-   * Create a new default key and store it as this._default, since without one you cannot use setContents.
-   */
-  generateDefaultKey() {
-    this._default = this.newDefaultKeyBundle();
-  },
-
-  /**
-   * Return true if keys are already present for each of the given
-   * collections.
-   */
-  hasKeysFor(collections) {
-    // We can't use filter() here because sometimes collections is an iterator.
-    for (let collection of collections) {
-      if (!this._collections[collection]) {
-        return false;
-      }
-    }
-    return true;
-  },
-
-  /**
-   * Return a new CollectionKeyManager that has keys for each of the
-   * given collections (creating new ones for collections where we
-   * don't already have keys).
-   */
-  ensureKeysFor(collections) {
-    const newKeys = Object.assign({}, this._collections);
-    for (let c of collections) {
-      if (newKeys[c]) {
-        continue;  // don't replace existing keys
-      }
-
-      const b = new BulkKeyBundle(c);
-      b.generateRandom();
-      newKeys[c] = b;
-    }
-    return new CollectionKeyManager(this.lastModified, this._default, newKeys);
-  },
-
   // Take the fetched info/collections WBO, checking the change
   // time of the crypto collection.
   updateNeeded: function(info_collections) {
@@ -487,6 +417,9 @@ CollectionKeyManager.prototype = {
   //
   setContents: function setContents(payload, modified) {
 
+    if (!modified)
+      throw "No modified time provided to setContents.";
+
     let self = this;
 
     this._log.info("Setting collection keys contents. Our last modified: " +
@@ -516,7 +449,9 @@ CollectionKeyManager.prototype = {
         if (v) {
           let keyObj = new BulkKeyBundle(k);
           keyObj.keyPairB64 = v;
-          newCollections[k] = keyObj;
+          if (keyObj) {
+            newCollections[k] = keyObj;
+          }
         }
       }
     }
@@ -527,11 +462,8 @@ CollectionKeyManager.prototype = {
     let sameColls = collComparison.same;
 
     if (sameDefault && sameColls) {
-      self._log.info("New keys are the same as our old keys!");
-      if (modified) {
-        self._log.info("Bumped local modified time.");
-        self.lastModified = modified;
-      }
+      self._log.info("New keys are the same as our old keys! Bumped local modified time.");
+      self.lastModified = modified;
       return false;
     }
 
@@ -543,10 +475,8 @@ CollectionKeyManager.prototype = {
     this._collections = newCollections;
 
     // Always trust the server.
-    if (modified) {
-      self._log.info("Bumping last modified to " + modified);
-      self.lastModified = modified;
-    }
+    self._log.info("Bumping last modified to " + modified);
+    self.lastModified = modified;
 
     return sameDefault ? collComparison.changed : true;
   },
@@ -594,12 +524,6 @@ this.Collection = function Collection(uri, recordObj, service) {
   this._older = 0;
   this._newer = 0;
   this._data = [];
-  // optional members used by batch upload operations.
-  this._batch = null;
-  this._commit = false;
-  // Used for batch download operations -- note that this is explicitly an
-  // opaque value and not (necessarily) a number.
-  this._offset = null;
 }
 Collection.prototype = {
   __proto__: Resource.prototype,
@@ -623,12 +547,6 @@ Collection.prototype = {
       args.push("ids=" + this.ids);
     if (this.limit > 0 && this.limit != Infinity)
       args.push("limit=" + this.limit);
-    if (this._batch)
-      args.push("batch=" + encodeURIComponent(this._batch));
-    if (this._commit)
-      args.push("commit=true");
-    if (this._offset)
-      args.push("offset=" + encodeURIComponent(this._offset));
 
     this.uri.query = (args.length > 0)? '?' + args.join('&') : '';
   },
@@ -641,14 +559,14 @@ Collection.prototype = {
   },
 
   // Apply the action to a certain set of ids
-  get ids() { return this._ids; },
+  get ids() this._ids,
   set ids(value) {
     this._ids = value;
     this._rebuildURL();
   },
 
   // Limit how many records to get
-  get limit() { return this._limit; },
+  get limit() this._limit,
   set limit(value) {
     this._limit = value;
     this._rebuildURL();
@@ -678,100 +596,12 @@ Collection.prototype = {
     this._rebuildURL();
   },
 
-  get offset() { return this._offset; },
-  set offset(value) {
-    this._offset = value;
-    this._rebuildURL();
-  },
-
-  // Set information about the batch for this request.
-  get batch() { return this._batch; },
-  set batch(value) {
-    this._batch = value;
-    this._rebuildURL();
-  },
-
-  get commit() { return this._commit; },
-  set commit(value) {
-    this._commit = value && true;
-    this._rebuildURL();
+  pushData: function Coll_pushData(data) {
+    this._data.push(data);
   },
 
-  // Similar to get(), but will page through the items `batchSize` at a time,
-  // deferring calling the record handler until we've gotten them all.
-  //
-  // Returns the last response processed, and doesn't run the record handler
-  // on any items if a non-success status is received while downloading the
-  // records (or if a network error occurs).
-  getBatched(batchSize = DEFAULT_DOWNLOAD_BATCH_SIZE) {
-    let totalLimit = Number(this.limit) || Infinity;
-    if (batchSize <= 0 || batchSize >= totalLimit) {
-      // Invalid batch sizes should arguably be an error, but they're easy to handle
-      return this.get();
-    }
-
-    if (!this.full) {
-      throw new Error("getBatched is unimplemented for guid-only GETs");
-    }
-
-    // _onComplete and _onProgress are reset after each `get` by AsyncResource.
-    // We overwrite _onRecord to something that stores the data in an array
-    // until the end.
-    let { _onComplete, _onProgress, _onRecord } = this;
-    let recordBuffer = [];
-    let resp;
-    try {
-      this._onRecord = r => recordBuffer.push(r);
-      let lastModifiedTime;
-      this.limit = batchSize;
-
-      do {
-        this._onProgress = _onProgress;
-        this._onComplete = _onComplete;
-        if (batchSize + recordBuffer.length > totalLimit) {
-          this.limit = totalLimit - recordBuffer.length;
-        }
-        this._log.trace("Performing batched GET", { limit: this.limit, offset: this.offset });
-        // Actually perform the request
-        resp = this.get();
-        if (!resp.success) {
-          break;
-        }
-
-        // Initialize last modified, or check that something broken isn't happening.
-        let lastModified = resp.headers["x-last-modified"];
-        if (!lastModifiedTime) {
-          lastModifiedTime = lastModified;
-          this.setHeader("X-If-Unmodified-Since", lastModified);
-        } else if (lastModified != lastModifiedTime) {
-          // Should be impossible -- We'd get a 412 in this case.
-          throw new Error("X-Last-Modified changed in the middle of a download batch! " +
-                          `${lastModified} => ${lastModifiedTime}`)
-        }
-
-        // If this is missing, we're finished.
-        this.offset = resp.headers["x-weave-next-offset"];
-      } while (this.offset && totalLimit > recordBuffer.length);
-    } finally {
-      // Ensure we undo any temporary state so that subsequent calls to get()
-      // or getBatched() work properly. We do this before calling the record
-      // handler so that we can more convincingly pretend to be a normal get()
-      // call. Note: we're resetting these to the values they had before this
-      // function was called.
-      this._onRecord = _onRecord;
-      this._limit = totalLimit;
-      this._offset = null;
-      delete this._headers["x-if-unmodified-since"];
-      this._rebuildURL();
-    }
-    if (resp.success && Async.checkAppReady()) {
-      // call the original _onRecord (e.g. the user supplied record handler)
-      // for each record we've stored
-      for (let record of recordBuffer) {
-        this._onRecord(record);
-      }
-    }
-    return resp;
+  clearRecords: function Coll_clearRecords() {
+    this._data = [];
   },
 
   set recordHandler(onRecord) {
@@ -781,8 +611,6 @@ Collection.prototype = {
     // Switch to newline separated records for incremental parsing
     coll.setHeader("Accept", "application/newlines");
 
-    this._onRecord = onRecord;
-
     this._onProgress = function() {
       let newline;
       while ((newline = this._data.indexOf("\n")) > 0) {
@@ -793,247 +621,8 @@ Collection.prototype = {
         // Deserialize a record from json and give it to the callback
         let record = new coll._recordObj();
         record.deserialize(json);
-        coll._onRecord(record);
+        onRecord(record);
       }
     };
   },
-
-  // This object only supports posting via the postQueue object.
-  post() {
-    throw new Error("Don't directly post to a collection - use newPostQueue instead");
-  },
-
-  newPostQueue(log, timestamp, postCallback) {
-    let poster = (data, headers, batch, commit) => {
-      this.batch = batch;
-      this.commit = commit;
-      for (let [header, value] of headers) {
-        this.setHeader(header, value);
-      }
-      return Resource.prototype.post.call(this, data);
-    }
-    let getConfig = (name, defaultVal) => {
-      if (this._service.serverConfiguration && this._service.serverConfiguration.hasOwnProperty(name)) {
-        return this._service.serverConfiguration[name];
-      }
-      return defaultVal;
-    }
-
-    let config = {
-      max_post_bytes: getConfig("max_post_bytes", MAX_UPLOAD_BYTES),
-      max_post_records: getConfig("max_post_records", MAX_UPLOAD_RECORDS),
-
-      max_batch_bytes: getConfig("max_total_bytes", Infinity),
-      max_batch_records: getConfig("max_total_records", Infinity),
-    }
-
-    // Handle config edge cases
-    if (config.max_post_records <= 0) { config.max_post_records = MAX_UPLOAD_RECORDS; }
-    if (config.max_batch_records <= 0) { config.max_batch_records = Infinity; }
-    if (config.max_post_bytes <= 0) { config.max_post_bytes = MAX_UPLOAD_BYTES; }
-    if (config.max_batch_bytes <= 0) { config.max_batch_bytes = Infinity; }
-
-    // Max size of BSO payload is 256k. This assumes at most 4k of overhead,
-    // which sounds like plenty. If the server says it can't handle this, we
-    // might have valid records we can't sync, so we give up on syncing.
-    let requiredMax = 260 * 1024;
-    if (config.max_post_bytes < requiredMax) {
-      this._log.error("Server configuration max_post_bytes is too low", config);
-      throw new Error("Server configuration max_post_bytes is too low");
-    }
-
-    return new PostQueue(poster, timestamp, config, log, postCallback);
-  },
 };
-
-/* A helper to manage the posting of records while respecting the various
-   size limits.
-
-   This supports the concept of a server-side "batch". The general idea is:
-   * We queue as many records as allowed in memory, then make a single POST.
-   * This first POST (optionally) gives us a batch ID, which we use for
-     all subsequent posts, until...
-   * At some point we hit a batch-maximum, and jump through a few hoops to
-     commit the current batch (ie, all previous POSTs) and start a new one.
-   * Eventually commit the final batch.
-
-  In most cases we expect there to be exactly 1 batch consisting of possibly
-  multiple POSTs.
-*/
-function PostQueue(poster, timestamp, config, log, postCallback) {
-  // The "post" function we should use when it comes time to do the post.
-  this.poster = poster;
-  this.log = log;
-
-  // The config we use. We expect it to have fields "max_post_records",
-  // "max_batch_records", "max_post_bytes", and "max_batch_bytes"
-  this.config = config;
-
-  // The callback we make with the response when we do get around to making the
-  // post (which could be during any of the enqueue() calls or the final flush())
-  // This callback may be called multiple times and must not add new items to
-  // the queue.
-  // The second argument passed to this callback is a boolean value that is true
-  // if we're in the middle of a batch, and false if either the batch is
-  // complete, or it's a post to a server that does not understand batching.
-  this.postCallback = postCallback;
-
-  // The string where we are capturing the stringified version of the records
-  // queued so far. It will always be invalid JSON as it is always missing the
-  // closing bracket.
-  this.queued = "";
-
-  // The number of records we've queued so far but are yet to POST.
-  this.numQueued = 0;
-
-  // The number of records/bytes we've processed in previous POSTs for our
-  // current batch. Does *not* include records currently queued for the next POST.
-  this.numAlreadyBatched = 0;
-  this.bytesAlreadyBatched = 0;
-
-  // The ID of our current batch. Can be undefined (meaning we are yet to make
-  // the first post of a patch, so don't know if we have a batch), null (meaning
-  // we've made the first post but the server response indicated no batching
-  // semantics), otherwise we have made the first post and it holds the batch ID
-  // returned from the server.
-  this.batchID = undefined;
-
-  // Time used for X-If-Unmodified-Since -- should be the timestamp from the last GET.
-  this.lastModified = timestamp;
-}
-
-PostQueue.prototype = {
-  enqueue(record) {
-    // We want to ensure the record has a .toJSON() method defined - even
-    // though JSON.stringify() would implicitly call it, the stringify might
-    // still work even if it isn't defined, which isn't what we want.
-    let jsonRepr = record.toJSON();
-    if (!jsonRepr) {
-      throw new Error("You must only call this with objects that explicitly support JSON");
-    }
-    let bytes = JSON.stringify(jsonRepr);
-
-    // Do a flush if we can't add this record without exceeding our single-request
-    // limits, or without exceeding the total limit for a single batch.
-    let newLength = this.queued.length + bytes.length + 2; // extras for leading "[" / "," and trailing "]"
-
-    let maxAllowedBytes = Math.min(256 * 1024, this.config.max_post_bytes);
-
-    let postSizeExceeded = this.numQueued >= this.config.max_post_records ||
-                           newLength >= maxAllowedBytes;
-
-    let batchSizeExceeded = (this.numQueued + this.numAlreadyBatched) >= this.config.max_batch_records ||
-                            (newLength + this.bytesAlreadyBatched) >= this.config.max_batch_bytes;
-
-    let singleRecordTooBig = bytes.length + 2 > maxAllowedBytes;
-
-    if (postSizeExceeded || batchSizeExceeded) {
-      this.log.trace(`PostQueue flushing due to postSizeExceeded=${postSizeExceeded}, batchSizeExceeded=${batchSizeExceeded}` +
-                     `, max_batch_bytes: ${this.config.max_batch_bytes}, max_post_bytes: ${this.config.max_post_bytes}`);
-
-      if (singleRecordTooBig) {
-        return { enqueued: false, error: new Error("Single record too large to submit to server") };
-      }
-
-      // We need to write the queue out before handling this one, but we only
-      // commit the batch (and thus start a new one) if the batch is full.
-      // Note that if a single record is too big for the batch or post, then
-      // the batch may be empty, and so we don't flush in that case.
-      if (this.numQueued) {
-        this.flush(batchSizeExceeded || singleRecordTooBig);
-      }
-    }
-    // Either a ',' or a '[' depending on whether this is the first record.
-    this.queued += this.numQueued ? "," : "[";
-    this.queued += bytes;
-    this.numQueued++;
-    return { enqueued: true };
-  },
-
-  flush(finalBatchPost) {
-    if (!this.queued) {
-      // nothing queued - we can't be in a batch, and something has gone very
-      // bad if we think we are.
-      if (this.batchID) {
-        throw new Error(`Flush called when no queued records but we are in a batch ${this.batchID}`);
-      }
-      return;
-    }
-    // the batch query-param and headers we'll send.
-    let batch;
-    let headers = [];
-    if (this.batchID === undefined) {
-      // First commit in a (possible) batch.
-      batch = "true";
-    } else if (this.batchID) {
-      // We have an existing batch.
-      batch = this.batchID;
-    } else {
-      // Not the first post and we know we have no batch semantics.
-      batch = null;
-    }
-
-    headers.push(["x-if-unmodified-since", this.lastModified]);
-
-    this.log.info(`Posting ${this.numQueued} records of ${this.queued.length+1} bytes with batch=${batch}`);
-    let queued = this.queued + "]";
-    if (finalBatchPost) {
-      this.bytesAlreadyBatched = 0;
-      this.numAlreadyBatched = 0;
-    } else {
-      this.bytesAlreadyBatched += queued.length;
-      this.numAlreadyBatched += this.numQueued;
-    }
-    this.queued = "";
-    this.numQueued = 0;
-    let response = this.poster(queued, headers, batch, !!(finalBatchPost && this.batchID !== null));
-
-    if (!response.success) {
-      this.log.trace("Server error response during a batch", response);
-      // not clear what we should do here - we expect the consumer of this to
-      // abort by throwing in the postCallback below.
-      return this.postCallback(response, !finalBatchPost);
-    }
-
-    if (finalBatchPost) {
-      this.log.trace("Committed batch", this.batchID);
-      this.batchID = undefined; // we are now in "first post for the batch" state.
-      this.lastModified = response.headers["x-last-modified"];
-      return this.postCallback(response, false);
-    }
-
-    if (response.status != 202) {
-      if (this.batchID) {
-        throw new Error("Server responded non-202 success code while a batch was in progress");
-      }
-      this.batchID = null; // no batch semantics are in place.
-      this.lastModified = response.headers["x-last-modified"];
-      return this.postCallback(response, false);
-    }
-
-    // this response is saying the server has batch semantics - we should
-    // always have a batch ID in the response.
-    let responseBatchID = response.obj.batch;
-    this.log.trace("Server responsed 202 with batch", responseBatchID);
-    if (!responseBatchID) {
-      this.log.error("Invalid server response: 202 without a batch ID", response);
-      throw new Error("Invalid server response: 202 without a batch ID");
-    }
-
-    if (this.batchID === undefined) {
-      this.batchID = responseBatchID;
-      if (!this.lastModified) {
-        this.lastModified = response.headers["x-last-modified"];
-        if (!this.lastModified) {
-          throw new Error("Batch response without x-last-modified");
-        }
-      }
-    }
-
-    if (this.batchID != responseBatchID) {
-      throw new Error(`Invalid client/server batch state - client has ${this.batchID}, server has ${responseBatchID}`);
-    }
-
-    this.postCallback(response, true);
-  },
-}
diff --git a/services/sync/modules/resource.js b/services/sync/modules/resource.js
index bf7066b9f2..a6c0739b68 100644
--- a/services/sync/modules/resource.js
+++ b/services/sync/modules/resource.js
@@ -13,7 +13,6 @@ var Cr = Components.results;
 var Cu = Components.utils;
 
 Cu.import("resource://gre/modules/Preferences.jsm");
-Cu.import("resource://gre/modules/NetUtil.jsm");
 Cu.import("resource://services-common/async.js");
 Cu.import("resource://gre/modules/Log.jsm");
 Cu.import("resource://services-common/observers.js");
@@ -74,6 +73,20 @@ AsyncResource.prototype = {
    */
   authenticator: null,
 
+  // The string to use as the base User-Agent in Sync requests.
+  // These strings will look something like
+  //
+  //   Firefox/4.0 FxSync/1.8.0.20100101.mobile
+  //
+  // or
+  //
+  //   Firefox Aurora/5.0a1 FxSync/1.9.0.20110409.desktop
+  //
+  _userAgent:
+    Services.appinfo.name + "/" + Services.appinfo.version +  // Product.
+    " FxSync/" + WEAVE_VERSION + "." +                        // Sync.
+    Services.appinfo.appBuildID + ".",                        // Build.
+
   // Wait 5 minutes before killing a request.
   ABORT_TIMEOUT: 300000,
 
@@ -121,9 +134,7 @@ AsyncResource.prototype = {
   //
   // Get and set the data encapulated in the resource.
   _data: null,
-  get data() {
-    return this._data;
-  },
+  get data() this._data,
   set data(value) {
     this._data = value;
   },
@@ -135,9 +146,16 @@ AsyncResource.prototype = {
   // to obtain a request channel.
   //
   _createRequest: function Res__createRequest(method) {
-    let channel = NetUtil.newChannel({uri: this.spec, loadUsingSystemPrincipal: true})
-                         .QueryInterface(Ci.nsIRequest)
-                         .QueryInterface(Ci.nsIHttpChannel);
+    let channel = Services.io.newChannel2(this.spec,
+                                          null,
+                                          null,
+                                          null,      // aLoadingNode
+                                          Services.scriptSecurityManager.getSystemPrincipal(),
+                                          null,      // aTriggeringPrincipal
+                                          Ci.nsILoadInfo.SEC_NORMAL,
+                                          Ci.nsIContentPolicy.TYPE_OTHER)
+                          .QueryInterface(Ci.nsIRequest)
+                          .QueryInterface(Ci.nsIHttpChannel);
 
     channel.loadFlags |= DEFAULT_LOAD_FLAGS;
 
@@ -147,7 +165,8 @@ AsyncResource.prototype = {
 
     // Compose a UA string fragment from the various available identifiers.
     if (Svc.Prefs.get("sendVersionInfo", true)) {
-      channel.setRequestHeader("user-agent", Utils.userAgent, false);
+      let ua = this._userAgent + Svc.Prefs.get("client.type", "desktop");
+      channel.setRequestHeader("user-agent", ua, false);
     }
 
     let headers = this.headers;
@@ -209,10 +228,10 @@ AsyncResource.prototype = {
                                        this._log, this.ABORT_TIMEOUT);
     channel.requestMethod = action;
     try {
-      channel.asyncOpen2(listener);
+      channel.asyncOpen(listener, null);
     } catch (ex) {
-      // asyncOpen2 can throw in a bunch of cases -- e.g., a forbidden port.
-      this._log.warn("Caught an error in asyncOpen2", ex);
+      // asyncOpen can throw in a bunch of cases -- e.g., a forbidden port.
+      this._log.warn("Caught an error in asyncOpen: ", ex);
       CommonUtils.nextTick(callback.bind(this, ex));
     }
   },
@@ -259,7 +278,8 @@ AsyncResource.prototype = {
     } catch(ex) {
       // Got a response, but an exception occurred during processing.
       // This shouldn't occur.
-      this._log.warn("Caught unexpected exception in _oncomplete", ex);
+      this._log.warn("Caught unexpected exception in _onComplete. ", ex);
+      this._log.debug(CommonUtils.stackTrace(ex));
     }
 
     // Process headers. They can be empty, or the call can otherwise fail, so
@@ -298,17 +318,14 @@ AsyncResource.prototype = {
       }
     } catch (ex) {
       this._log.debug("Caught exception visiting headers in _onComplete", ex);
+      this._log.debug(CommonUtils.stackTrace(ex));
     }
 
     let ret     = new String(data);
-    ret.url     = channel.URI.spec;
     ret.status  = status;
     ret.success = success;
     ret.headers = headers;
 
-    if (!success) {
-      this._log.warn(`${action} request to ${ret.url} failed with status ${status}`);
-    }
     // Make a lazy getter to convert the json response into an object.
     // Note that this can cause a parse error to be thrown far away from the
     // actual fetch, so be warned!
@@ -384,12 +401,7 @@ Resource.prototype = {
     try {
       this._doRequest(action, data, callback);
       return Async.waitForSyncCallback(cb);
-    } catch (ex) {
-      if (Async.isShutdownException(ex)) {
-        throw ex;
-      }
-      this._log.warn("${action} request to ${url} failed: ${ex}",
-                     { action, url: this.uri.spec, ex });
+    } catch(ex) {
       // Combine the channel stack with this request stack.  Need to create
       // a new error object for that.
       let error = Error(ex.message);
@@ -543,9 +555,6 @@ ChannelListener.prototype = {
     try {
       this._onProgress();
     } catch (ex) {
-      if (Async.isShutdownException(ex)) {
-        throw ex;
-      }
       this._log.warn("Got exception calling onProgress handler during fetch of "
                      + req.URI.spec, ex);
       this._log.trace("Rethrowing; expect a failure code from the HTTP channel.");
@@ -562,7 +571,7 @@ ChannelListener.prototype = {
     try {
       CommonUtils.namedTimer(this.abortRequest, this._timeout, this, "abortTimer");
     } catch (ex) {
-      this._log.warn("Got exception extending abort timer", ex);
+      this._log.warn("Got exception extending abort timer: ", ex);
     }
   },
 
@@ -656,14 +665,14 @@ ChannelNotificationListener.prototype = {
         }
       }
     } catch (ex) {
-      this._log.error("Error copying headers", ex);
+      this._log.error("Error copying headers: ", ex);
     }
 
     // We let all redirects proceed.
     try {
       callback.onRedirectVerifyCallback(Cr.NS_OK);
     } catch (ex) {
-      this._log.error("onRedirectVerifyCallback threw!", ex);
+      this._log.error("onRedirectVerifyCallback threw!" + CommonUtils.exceptionStr(ex));
     }
   }
 };
diff --git a/services/sync/modules/rest.js b/services/sync/modules/rest.js
index 94c096dba5..106ece2228 100644
--- a/services/sync/modules/rest.js
+++ b/services/sync/modules/rest.js
@@ -28,6 +28,21 @@ SyncStorageRequest.prototype = {
   _logName: "Sync.StorageRequest",
 
   /**
+   * The string to use as the base User-Agent in Sync requests.
+   * These strings will look something like
+   * 
+   *   Firefox/4.0 FxSync/1.8.0.20100101.mobile
+   * 
+   * or
+   * 
+   *   Firefox Aurora/5.0a1 FxSync/1.9.0.20110409.desktop
+   */
+  userAgent:
+    Services.appinfo.name + "/" + Services.appinfo.version +  // Product.
+    " FxSync/" + WEAVE_VERSION + "." +                        // Sync.
+    Services.appinfo.appBuildID + ".",                        // Build.
+
+  /**
    * Wait 5 minutes before killing a request.
    */
   timeout: STORAGE_REQUEST_TIMEOUT,
@@ -35,7 +50,8 @@ SyncStorageRequest.prototype = {
   dispatch: function dispatch(method, data, onComplete, onProgress) {
     // Compose a UA string fragment from the various available identifiers.
     if (Svc.Prefs.get("sendVersionInfo", true)) {
-      this.setHeader("user-agent", Utils.userAgent);
+      let ua = this.userAgent + Svc.Prefs.get("client.type", "desktop");
+      this.setHeader("user-agent", ua);
     }
 
     if (this.authenticator) {
diff --git a/services/sync/modules/service.js b/services/sync/modules/service.js
index 32e047f531..15884aca00 100644
--- a/services/sync/modules/service.js
+++ b/services/sync/modules/service.js
@@ -21,6 +21,7 @@ const KEYS_WBO = "keys";
 Cu.import("resource://gre/modules/Preferences.jsm");
 Cu.import("resource://gre/modules/XPCOMUtils.jsm");
 Cu.import("resource://gre/modules/Log.jsm");
+Cu.import("resource://services-common/utils.js");
 Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/engines.js");
 Cu.import("resource://services-sync/engines/clients.js");
@@ -32,7 +33,6 @@ Cu.import("resource://services-sync/rest.js");
 Cu.import("resource://services-sync/stages/enginesync.js");
 Cu.import("resource://services-sync/stages/declined.js");
 Cu.import("resource://services-sync/status.js");
-Cu.import("resource://services-sync/telemetry.js");
 Cu.import("resource://services-sync/userapi.js");
 Cu.import("resource://services-sync/util.js");
 
@@ -64,13 +64,8 @@ Sync11Service.prototype = {
   storageURL: null,
   metaURL: null,
   cryptoKeyURL: null,
-  // The cluster URL comes via the ClusterManager object, which in the FxA
-  // world is ebbedded in the token returned from the token server.
-  _clusterURL: null,
 
-  get serverURL() {
-    return Svc.Prefs.get("serverURL");
-  },
+  get serverURL() Svc.Prefs.get("serverURL"),
   set serverURL(value) {
     if (!value.endsWith("/")) {
       value += "/";
@@ -80,20 +75,14 @@ Sync11Service.prototype = {
     if (value == this.serverURL)
       return;
 
+    // A new server most likely uses a different cluster, so clear that
     Svc.Prefs.set("serverURL", value);
-
-    // A new server most likely uses a different cluster, so clear that.
-    this._clusterURL = null;
+    Svc.Prefs.reset("clusterURL");
   },
 
-  get clusterURL() {
-    return this._clusterURL || "";
-  },
+  get clusterURL() Svc.Prefs.get("clusterURL", ""),
   set clusterURL(value) {
-    if (value != null && typeof value != "string") {
-      throw new Error("cluster must be a string, got " + (typeof value));
-    }
-    this._clusterURL = value;
+    Svc.Prefs.set("clusterURL", value);
     this._updateCachedURLs();
   },
 
@@ -171,16 +160,8 @@ Sync11Service.prototype = {
 
   _updateCachedURLs: function _updateCachedURLs() {
     // Nothing to cache yet if we don't have the building blocks
-    if (!this.clusterURL || !this.identity.username) {
-      // Also reset all other URLs used by Sync to ensure we aren't accidentally
-      // using one cached earlier - if there's no cluster URL any cached ones
-      // are invalid.
-      this.infoURL = undefined;
-      this.storageURL = undefined;
-      this.metaURL = undefined;
-      this.cryptoKeysURL = undefined;
+    if (!this.clusterURL || !this.identity.username)
       return;
-    }
 
     this._log.debug("Caching URLs under storage user base: " + this.userBaseURL);
 
@@ -315,6 +296,21 @@ Sync11Service.prototype = {
     return false;
   },
 
+  // The global "enabled" state comes from prefs, and will be set to false
+  // whenever the UI that exposes what to sync finds all Sync engines disabled.
+  get enabled() {
+    return Svc.Prefs.get("enabled");
+  },
+  set enabled(val) {
+    // There's no real reason to impose this other than to catch someone doing
+    // something we don't expect with bad consequences - all setting of this
+    // pref are in the UI code and external to this module.
+    if (val) {
+      throw new Error("Only disabling via this setter is supported");
+    }
+    Svc.Prefs.set("enabled", val);
+  },
+
   /**
    * Prepare to initialize the rest of Weave after waiting a little bit
    */
@@ -344,8 +340,6 @@ Sync11Service.prototype = {
     this._clusterManager = this.identity.createClusterManager(this);
     this.recordManager = new RecordManager(this);
 
-    this.enabled = true;
-
     this._registerEngines();
 
     let ua = Cc["@mozilla.org/network/protocol;1?name=http"].
@@ -359,7 +353,6 @@ Sync11Service.prototype = {
     }
 
     Svc.Obs.add("weave:service:setup-complete", this);
-    Svc.Obs.add("sync:collection_changed", this); // Pulled from FxAccountsCommon
     Svc.Prefs.observe("engine.", this);
 
     this.scheduler = new SyncScheduler(this);
@@ -472,7 +465,7 @@ Sync11Service.prototype = {
 
         this.engineManager.register(ns[engineName]);
       } catch (ex) {
-        this._log.warn("Could not register engine " + name, ex);
+        this._log.warn("Could not register engine " + name + ": ", ex);
       }
     }
 
@@ -486,13 +479,6 @@ Sync11Service.prototype = {
 
   observe: function observe(subject, topic, data) {
     switch (topic) {
-      // Ideally this observer should be in the SyncScheduler, but it would require
-      // some work to know about the sync specific engines. We should move this there once it does.
-      case "sync:collection_changed":
-        if (data.includes("clients")) {
-          this.sync([]); // [] = clients collection only
-        }
-        break;
       case "weave:service:setup-complete":
         let status = this._checkSetup();
         if (status != STATUS_DISABLED && status != CLIENT_NOT_CONFIGURED)
@@ -557,8 +543,7 @@ Sync11Service.prototype = {
     // Always check for errors; this is also where we look for X-Weave-Alert.
     this.errorHandler.checkServerError(info);
     if (!info.success) {
-      this._log.error("Aborting sync: failed to get collections.")
-      throw info;
+      throw "Aborting sync: failed to get collections.";
     }
     return info;
   },
@@ -675,13 +660,20 @@ Sync11Service.prototype = {
 
     } catch (ex) {
       // This means no keys are present, or there's a network error.
-      this._log.debug("Failed to fetch and verify keys", ex);
+      this._log.debug("Failed to fetch and verify keys: ", ex);
       this.errorHandler.checkServerError(ex);
       return false;
     }
   },
 
   verifyLogin: function verifyLogin(allow40XRecovery = true) {
+    // If the identity isn't ready it  might not know the username...
+    if (!this.identity.readyToAuthenticate) {
+      this._log.info("Not ready to authenticate in verifyLogin.");
+      this.status.login = LOGIN_FAILED_NOT_READY;
+      return false;
+    }
+
     if (!this.identity.username) {
       this._log.warn("No username in verifyLogin.");
       this.status.login = LOGIN_FAILED_NO_USERNAME;
@@ -753,12 +745,8 @@ Sync11Service.prototype = {
             return this.verifyLogin(false);
           }
 
-          // We must have the right cluster, but the server doesn't expect us.
-          // The implications of this depend on the identity being used - for
-          // the legacy identity, it's an authoritatively "incorrect password",
-          // (ie, LOGIN_FAILED_LOGIN_REJECTED) but for FxA it probably means
-          // "transient error fetching auth token".
-          this.status.login = this.identity.loginStatusFromVerification404();
+          // We must have the right cluster, but the server doesn't expect us
+          this.status.login = LOGIN_FAILED_LOGIN_REJECTED;
           return false;
 
         default:
@@ -769,7 +757,7 @@ Sync11Service.prototype = {
       }
     } catch (ex) {
       // Must have failed on some network issue
-      this._log.debug("verifyLogin failed", ex);
+      this._log.debug("verifyLogin failed: ", ex);
       this.status.login = LOGIN_FAILED_NETWORK_ERROR;
       this.errorHandler.checkServerError(ex);
       return false;
@@ -842,7 +830,7 @@ Sync11Service.prototype = {
     try {
       cb.wait();
     } catch (ex) {
-      this._log.debug("Password change failed", ex);
+      this._log.debug("Password change failed: ", ex);
       return false;
     }
 
@@ -888,7 +876,7 @@ Sync11Service.prototype = {
         try {
           engine.removeClientData();
         } catch(ex) {
-          this._log.warn(`Deleting client data for ${engine.name} failed`, ex);
+          this._log.warn("Deleting client data for " + engine.name + " failed:", ex);
         }
       }
       this._log.debug("Finished deleting client data.");
@@ -914,7 +902,6 @@ Sync11Service.prototype = {
     this._ignorePrefObserver = true;
     Svc.Prefs.resetBranch("");
     this._ignorePrefObserver = false;
-    this.clusterURL = null;
 
     Svc.Prefs.set("lastversion", WEAVE_VERSION);
 
@@ -931,22 +918,25 @@ Sync11Service.prototype = {
       return;
     }
 
-    try {
-      this.identity.finalize();
-      // an observer so the FxA migration code can take some action before
-      // the new identity is created.
-      Svc.Obs.notify("weave:service:start-over:init-identity");
-      this.identity.username = "";
-      this.status.__authManager = null;
-      this.identity = Status._authManager;
-      this._clusterManager = this.identity.createClusterManager(this);
-      Svc.Obs.notify("weave:service:start-over:finish");
-    } catch (err) {
-      this._log.error("startOver failed to re-initialize the identity manager: " + err);
-      // Still send the observer notification so the current state is
-      // reflected in the UI.
-      Svc.Obs.notify("weave:service:start-over:finish");
-    }
+    this.identity.finalize().then(
+      () => {
+        // an observer so the FxA migration code can take some action before
+        // the new identity is created.
+        Svc.Obs.notify("weave:service:start-over:init-identity");
+        this.identity.username = "";
+        this.status.__authManager = null;
+        this.identity = Status._authManager;
+        this._clusterManager = this.identity.createClusterManager(this);
+        Svc.Obs.notify("weave:service:start-over:finish");
+      }
+    ).then(null,
+      err => {
+        this._log.error("startOver failed to re-initialize the identity manager: " + err);
+        // Still send the observer notification so the current state is
+        // reflected in the UI.
+        Svc.Obs.notify("weave:service:start-over:finish");
+      }
+    );
   },
 
   persistLogin: function persistLogin() {
@@ -981,12 +971,8 @@ Sync11Service.prototype = {
       }
 
       // Ask the identity manager to explicitly login now.
-      this._log.info("Logging in the user.");
       let cb = Async.makeSpinningCallback();
-      this.identity.ensureLoggedIn().then(
-        () => cb(null),
-        err => cb(err || "ensureLoggedIn failed")
-      );
+      this.identity.ensureLoggedIn().then(cb, cb);
 
       // Just let any errors bubble up - they've more context than we do!
       cb.wait();
@@ -997,9 +983,9 @@ Sync11Service.prototype = {
           && (username || password || passphrase)) {
         Svc.Obs.notify("weave:service:setup-complete");
       }
+      this._log.info("Logging in the user.");
       this._updateCachedURLs();
 
-      this._log.info("User logged in successfully - verifying login.");
       if (!this.verifyLogin()) {
         // verifyLogin sets the failure states here.
         throw "Login failed: " + this.status.login;
@@ -1064,49 +1050,11 @@ Sync11Service.prototype = {
     }
   },
 
-  // Note: returns false if we failed for a reason other than the server not yet
-  // supporting the api.
-  _fetchServerConfiguration() {
-    if (Svc.Prefs.get("APILevel") >= 2) {
-      // This is similar to _fetchInfo, but with different error handling.
-      // Only supported by later sync implementations.
-
-      let infoURL = this.userBaseURL + "info/configuration";
-      this._log.debug("Fetching server configuration", infoURL);
-      let configResponse;
-      try {
-        configResponse = this.resource(infoURL).get();
-      } catch (ex) {
-        // This is probably a network or similar error.
-        this._log.warn("Failed to fetch info/configuration", ex);
-        this.errorHandler.checkServerError(ex);
-        return false;
-      }
-
-      if (configResponse.status == 404) {
-        // This server doesn't support the URL yet - that's OK.
-        this._log.debug("info/configuration returned 404 - using default upload semantics");
-      } else if (configResponse.status != 200) {
-        this._log.warn(`info/configuration returned ${configResponse.status} - using default configuration`);
-        this.errorHandler.checkServerError(configResponse);
-        return false;
-      } else {
-        this.serverConfiguration = configResponse.obj;
-      }
-      this._log.trace("info/configuration for this server", this.serverConfiguration);
-    }
-    return true;
-  },
-
   // Stuff we need to do after login, before we can really do
   // anything (e.g. key setup).
   _remoteSetup: function _remoteSetup(infoResponse) {
     let reset = false;
 
-    if (!this._fetchServerConfiguration()) {
-      return false;
-    }
-
     this._log.debug("Fetching global metadata record");
     let meta = this.recordManager.get(this.metaURL);
 
@@ -1133,7 +1081,7 @@ Sync11Service.prototype = {
         return false;
       }
 
-      if (this.recordManager.response.status == 404) {
+      if (!this.recordManager.response.success || !newMeta) {
         this._log.debug("No meta/global record on the server. Creating one.");
         newMeta = new WBORecord("meta", "global");
         newMeta.payload.syncID = this.syncID;
@@ -1143,16 +1091,10 @@ Sync11Service.prototype = {
         newMeta.isNew = true;
 
         this.recordManager.set(this.metaURL, newMeta);
-        let uploadRes = newMeta.upload(this.resource(this.metaURL));
-        if (!uploadRes.success) {
+        if (!newMeta.upload(this.resource(this.metaURL)).success) {
           this._log.warn("Unable to upload new meta/global. Failing remote setup.");
-          this.errorHandler.checkServerError(uploadRes);
           return false;
         }
-      } else if (!newMeta) {
-        this._log.warn("Unable to get meta/global. Failing remote setup.");
-        this.errorHandler.checkServerError(this.recordManager.response);
-        return false;
       } else {
         // If newMeta, then it stands to reason that meta != null.
         newMeta.isNew   = meta.isNew;
@@ -1293,9 +1235,13 @@ Sync11Service.prototype = {
     return reason;
   },
 
-  sync: function sync(engineNamesToSync) {
-    let dateStr = Utils.formatTimestamp(new Date());
-    this._log.debug("User-Agent: " + Utils.userAgent);
+  sync: function sync() {
+    if (!this.enabled) {
+      this._log.debug("Not syncing as Sync is disabled.");
+      return;
+    }
+    let dateStr = new Date().toLocaleFormat(LOG_DATE_FORMAT);
+    this._log.debug("User-Agent: " + SyncStorageRequest.prototype.userAgent);
     this._log.info("Starting sync at " + dateStr);
     this._catch(function () {
       // Make sure we're logged in.
@@ -1309,60 +1255,50 @@ Sync11Service.prototype = {
       else {
         this._log.trace("In sync: no need to login.");
       }
-      return this._lockedSync(engineNamesToSync);
+      return this._lockedSync.apply(this, arguments);
     })();
   },
 
   /**
    * Sync up engines with the server.
    */
-  _lockedSync: function _lockedSync(engineNamesToSync) {
+  _lockedSync: function _lockedSync() {
     return this._lock("service.js: sync",
                       this._notify("sync", "", function onNotify() {
 
-      let histogram = Services.telemetry.getHistogramById("WEAVE_START_COUNT");
-      histogram.add(1);
-
       let synchronizer = new EngineSynchronizer(this);
       let cb = Async.makeSpinningCallback();
       synchronizer.onComplete = cb;
 
-      synchronizer.sync(engineNamesToSync);
+      synchronizer.sync();
       // wait() throws if the first argument is truthy, which is exactly what
       // we want.
       let result = cb.wait();
 
-      histogram = Services.telemetry.getHistogramById("WEAVE_COMPLETE_SUCCESS_COUNT");
-      histogram.add(1);
-
       // We successfully synchronized.
       // Check if the identity wants to pre-fetch a migration sentinel from
       // the server.
-      // Only supported by Sync server API level 2+
       // If we have no clusterURL, we are probably doing a node reassignment
       // so don't attempt to get it in that case.
-      if (Svc.Prefs.get("APILevel") >= 2 && this.clusterURL) {
-        this.identity.prefetchMigrationSentinel(this);
+      //if (this.clusterURL) {
+      //  this.identity.prefetchMigrationSentinel(this);
+      //}
+
+      // Now let's update our declined engines.
+      let meta = this.recordManager.get(this.metaURL);
+      if (!meta) {
+        this._log.warn("No meta/global; can't update declined state.");
+        return;
       }
 
-      // Now let's update our declined engines (but only if we have a metaURL;
-      // if Sync failed due to no node we will not have one)
-      if (this.metaURL) {
-        let meta = this.recordManager.get(this.metaURL);
-        if (!meta) {
-          this._log.warn("No meta/global; can't update declined state.");
-          return;
-        }
-
-        let declinedEngines = new DeclinedEngines(this);
-        let didChange = declinedEngines.updateDeclined(meta, this.engineManager);
-        if (!didChange) {
-          this._log.info("No change to declined engines. Not reuploading meta/global.");
-          return;
-        }
-
-        this.uploadMetaGlobal(meta);
+      let declinedEngines = new DeclinedEngines(this);
+      let didChange = declinedEngines.updateDeclined(meta, this.engineManager);
+      if (!didChange) {
+        this._log.info("No change to declined engines. Not reuploading meta/global.");
+        return;
       }
+
+      this.uploadMetaGlobal(meta);
     }))();
   },
 
@@ -1385,92 +1321,6 @@ Sync11Service.prototype = {
   },
 
   /**
-   * Get a migration sentinel for the Firefox Accounts migration.
-   * Returns a JSON blob - it is up to callers of this to make sense of the
-   * data.
-   *
-   * Returns a promise that resolves with the sentinel, or null.
-   */
-  getFxAMigrationSentinel: function() {
-    if (this._shouldLogin()) {
-      this._log.debug("In getFxAMigrationSentinel: should login.");
-      if (!this.login()) {
-        this._log.debug("Can't get migration sentinel: login returned false.");
-        return Promise.resolve(null);
-      }
-    }
-    if (!this.identity.syncKeyBundle) {
-      this._log.error("Can't get migration sentinel: no syncKeyBundle.");
-      return Promise.resolve(null);
-    }
-    try {
-      let collectionURL = this.storageURL + "meta/fxa_credentials";
-      let cryptoWrapper = this.recordManager.get(collectionURL);
-      if (!cryptoWrapper || !cryptoWrapper.payload) {
-        // nothing to decrypt - .decrypt is noisy in that case, so just bail
-        // now.
-        return Promise.resolve(null);
-      }
-      // If the payload has a sentinel it means we must have put back the
-      // decrypted version last time we were called.
-      if (cryptoWrapper.payload.sentinel) {
-        return Promise.resolve(cryptoWrapper.payload.sentinel);
-      }
-      // If decryption fails it almost certainly means the key is wrong - but
-      // it's not clear if we need to take special action for that case?
-      let payload = cryptoWrapper.decrypt(this.identity.syncKeyBundle);
-      // After decrypting the ciphertext is lost, so we just stash the
-      // decrypted payload back into the wrapper.
-      cryptoWrapper.payload = payload;
-      return Promise.resolve(payload.sentinel);
-    } catch (ex) {
-      this._log.error("Failed to fetch the migration sentinel: ${}", ex);
-      return Promise.resolve(null);
-    }
-  },
-
-  /**
-   * Set a migration sentinel for the Firefox Accounts migration.
-   * Accepts a JSON blob - it is up to callers of this to make sense of the
-   * data.
-   *
-   * Returns a promise that resolves with a boolean which indicates if the
-   * sentinel was successfully written.
-   */
-  setFxAMigrationSentinel: function(sentinel) {
-    if (this._shouldLogin()) {
-      this._log.debug("In setFxAMigrationSentinel: should login.");
-      if (!this.login()) {
-        this._log.debug("Can't set migration sentinel: login returned false.");
-        return Promise.resolve(false);
-      }
-    }
-    if (!this.identity.syncKeyBundle) {
-      this._log.error("Can't set migration sentinel: no syncKeyBundle.");
-      return Promise.resolve(false);
-    }
-    try {
-      let collectionURL = this.storageURL + "meta/fxa_credentials";
-      let cryptoWrapper = new CryptoWrapper("meta", "fxa_credentials");
-      cryptoWrapper.cleartext.sentinel = sentinel;
-
-      cryptoWrapper.encrypt(this.identity.syncKeyBundle);
-
-      let res = this.resource(collectionURL);
-      let response = res.put(cryptoWrapper.toJSON());
-
-      if (!response.success) {
-        throw response;
-      }
-      this.recordManager.set(collectionURL, cryptoWrapper);
-    } catch (ex) {
-      this._log.error("Failed to set the migration sentinel: ${}", ex);
-      return Promise.resolve(false);
-    }
-    return Promise.resolve(true);
-  },
-
-  /**
    * If we have a passphrase, rather than a 25-alphadigit sync key,
    * use the provided sync ID to bootstrap it using PBKDF2.
    *
@@ -1555,7 +1405,6 @@ Sync11Service.prototype = {
    */
   wipeServer: function wipeServer(collections) {
     let response;
-    let histogram = Services.telemetry.getHistogramById("WEAVE_WIPE_SERVER_SUCCEEDED");
     if (!collections) {
       // Strip the trailing slash.
       let res = this.resource(this.storageURL.slice(0, -1));
@@ -1563,17 +1412,14 @@ Sync11Service.prototype = {
       try {
         response = res.delete();
       } catch (ex) {
-        this._log.debug("Failed to wipe server", ex);
-        histogram.add(false);
+        this._log.debug("Failed to wipe server: ", ex);
         throw ex;
       }
       if (response.status != 200 && response.status != 404) {
         this._log.debug("Aborting wipeServer. Server responded with " +
                         response.status + " response for " + this.storageURL);
-        histogram.add(false);
         throw response;
       }
-      histogram.add(true);
       return response.headers["x-weave-timestamp"];
     }
 
@@ -1583,15 +1429,13 @@ Sync11Service.prototype = {
       try {
         response = this.resource(url).delete();
       } catch (ex) {
-        this._log.debug("Failed to wipe '" + name + "' collection", ex);
-        histogram.add(false);
+        this._log.debug("Failed to wipe '" + name + "' collection: ", ex);
         throw ex;
       }
 
       if (response.status != 200 && response.status != 404) {
         this._log.debug("Aborting wipeServer. Server responded with " +
                         response.status + " response for " + url);
-        histogram.add(false);
         throw response;
       }
 
@@ -1599,7 +1443,7 @@ Sync11Service.prototype = {
         timestamp = response.headers["x-weave-timestamp"];
       }
     }
-    histogram.add(true);
+
     return timestamp;
   },
 
@@ -1623,7 +1467,7 @@ Sync11Service.prototype = {
     }
 
     // Fully wipe each engine if it's able to decrypt data
-    for (let engine of engines) {
+    for each (let engine in engines) {
       if (engine.canDecrypt()) {
         engine.wipeClient();
       }
@@ -1731,7 +1575,7 @@ Sync11Service.prototype = {
     return this.getStorageRequest(url).get(function onComplete(error) {
       // Note: 'this' is the request.
       if (error) {
-        this._log.debug("Failed to retrieve '" + info_type + "'", error);
+        this._log.debug("Failed to retrieve '" + info_type + "': ", error);
         return callback(error);
       }
       if (this.response.status != 200) {
diff --git a/services/sync/modules/stages/cluster.js b/services/sync/modules/stages/cluster.js
index 7665ce8252..41afe61d8d 100644
--- a/services/sync/modules/stages/cluster.js
+++ b/services/sync/modules/stages/cluster.js
@@ -80,9 +80,6 @@ ClusterManager.prototype = {
       return false;
     }
 
-    // Convert from the funky "String object with additional properties" that
-    // resource.js returns to a plain-old string.
-    cluster = cluster.toString();
     // Don't update stuff if we already have the right cluster
     if (cluster == this.service.clusterURL) {
       return false;
@@ -90,6 +87,7 @@ ClusterManager.prototype = {
 
     this._log.debug("Setting cluster to " + cluster);
     this.service.clusterURL = cluster;
+    Svc.Prefs.set("lastClusterUpdate", Date.now().toString());
 
     return true;
   },
diff --git a/services/sync/modules/stages/enginesync.js b/services/sync/modules/stages/enginesync.js
index a00a2f48b9..61f2005d8e 100644
--- a/services/sync/modules/stages/enginesync.js
+++ b/services/sync/modules/stages/enginesync.js
@@ -15,9 +15,6 @@ Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/engines.js");
 Cu.import("resource://services-sync/policies.js");
 Cu.import("resource://services-sync/util.js");
-Cu.import("resource://services-common/observers.js");
-Cu.import("resource://services-common/async.js");
-Cu.import("resource://gre/modules/Task.jsm");
 
 /**
  * Perform synchronization of engines.
@@ -34,7 +31,7 @@ this.EngineSynchronizer = function EngineSynchronizer(service) {
 }
 
 EngineSynchronizer.prototype = {
-  sync: function sync(engineNamesToSync) {
+  sync: function sync() {
     if (!this.onComplete) {
       throw new Error("onComplete handler not installed.");
     }
@@ -99,9 +96,6 @@ EngineSynchronizer.prototype = {
       return;
     }
 
-    // We only honor the "hint" of what engines to Sync if this isn't
-    // a first sync.
-    let allowEnginesHint = false;
     // Wipe data in the desired direction if necessary
     switch (Svc.Prefs.get("firstSync")) {
       case "resetClient":
@@ -113,9 +107,6 @@ EngineSynchronizer.prototype = {
       case "wipeRemote":
         this.service.wipeRemote(engineManager.enabledEngineNames);
         break;
-      default:
-        allowEnginesHint = true;
-        break;
     }
 
     if (this.service.clientsEngine.localCommands) {
@@ -145,31 +136,19 @@ EngineSynchronizer.prototype = {
     try {
       this._updateEnabledEngines();
     } catch (ex) {
-      this._log.debug("Updating enabled engines failed", ex);
+      this._log.debug("Updating enabled engines failed: ", ex);
       this.service.errorHandler.checkServerError(ex);
       this.onComplete(ex);
       return;
     }
 
-    // If the engines to sync has been specified, we sync in the order specified.
-    let enginesToSync;
-    if (allowEnginesHint && engineNamesToSync) {
-      this._log.info("Syncing specified engines", engineNamesToSync);
-      enginesToSync = engineManager.get(engineNamesToSync).filter(e => e.enabled);
-    } else {
-      this._log.info("Syncing all enabled engines.");
-      enginesToSync = engineManager.getEnabled();
-    }
     try {
-      // We don't bother validating engines that failed to sync.
-      let enginesToValidate = [];
-      for (let engine of enginesToSync) {
+      for (let engine of engineManager.getEnabled()) {
         // If there's any problems with syncing the engine, report the failure
         if (!(this._syncEngine(engine)) || this.service.status.enforceBackoff) {
           this._log.info("Aborting sync for failure in " + engine.name);
           break;
         }
-        enginesToValidate.push(engine);
       }
 
       // If _syncEngine fails for a 401, we might not have a cluster URL here.
@@ -195,8 +174,6 @@ EngineSynchronizer.prototype = {
         }
       }
 
-      Async.promiseSpinningly(this._tryValidateEngines(enginesToValidate));
-
       // If there were no sync engine failures
       if (this.service.status.service != SYNC_FAILED_PARTIAL) {
         Svc.Prefs.set("lastSync", new Date().toString());
@@ -206,7 +183,7 @@ EngineSynchronizer.prototype = {
       Svc.Prefs.reset("firstSync");
 
       let syncTime = ((Date.now() - startTime) / 1000).toFixed(2);
-      let dateStr = Utils.formatTimestamp(new Date());
+      let dateStr = new Date().toLocaleFormat(LOG_DATE_FORMAT);
       this._log.info("Sync completed at " + dateStr
                      + " after " + syncTime + " secs.");
     }
@@ -214,106 +191,6 @@ EngineSynchronizer.prototype = {
     this.onComplete(null);
   },
 
-  _tryValidateEngines: Task.async(function* (recentlySyncedEngines) {
-    if (!Services.telemetry.canRecordBase || !Svc.Prefs.get("validation.enabled", false)) {
-      this._log.info("Skipping validation: validation or telemetry reporting is disabled");
-      return;
-    }
-
-    let lastValidation = Svc.Prefs.get("validation.lastTime", 0);
-    let validationInterval = Svc.Prefs.get("validation.interval");
-    let nowSeconds = Math.floor(Date.now() / 1000);
-
-    if (nowSeconds - lastValidation < validationInterval) {
-      this._log.info("Skipping validation: too recent since last validation attempt");
-      return;
-    }
-    // Update the time now, even if we may return false still. We don't want to
-    // check the rest of these more frequently than once a day.
-    Svc.Prefs.set("validation.lastTime", nowSeconds);
-
-    // Validation only occurs a certain percentage of the time.
-    let validationProbability = Svc.Prefs.get("validation.percentageChance", 0) / 100.0;
-    if (validationProbability < Math.random()) {
-      this._log.info("Skipping validation: Probability threshold not met");
-      return;
-    }
-    let maxRecords = Svc.Prefs.get("validation.maxRecords");
-    if (!maxRecords) {
-      // Don't bother asking the server for the counts if we know validation
-      // won't happen anyway.
-      return;
-    }
-
-    // maxRecords of -1 means "any number", so we can skip asking the server.
-    // Used for tests.
-    let info;
-    if (maxRecords < 0) {
-      info = {};
-      for (let e of recentlySyncedEngines) {
-        info[e.name] = 1; // needs to be < maxRecords
-      }
-      maxRecords = 2;
-    } else {
-
-      let collectionCountsURL = this.service.userBaseURL + "info/collection_counts";
-      try {
-        let infoResp = this.service._fetchInfo(collectionCountsURL);
-        if (!infoResp.success) {
-          this._log.error("Can't run validation: request to info/collection_counts responded with "
-                          + resp.status);
-          return;
-        }
-        info = infoResp.obj; // might throw because obj is a getter which parses json.
-      } catch (e) {
-        // Not running validation is totally fine, so we just write an error log and return.
-        this._log.error("Can't run validation: Caught error when fetching counts", e);
-        return;
-      }
-    }
-
-    if (!info) {
-      return;
-    }
-
-    let engineLookup = new Map(recentlySyncedEngines.map(e => [e.name, e]));
-    let toRun = [];
-    for (let [engineName, recordCount] of Object.entries(info)) {
-      let engine = engineLookup.get(engineName);
-      if (recordCount > maxRecords || !engine) {
-        this._log.debug(`Skipping validation for ${engineName} because it's not an engine or ` +
-                        `the number of records (${recordCount}) is greater than the maximum allowed (${maxRecords}).`);
-        continue;
-      }
-      let validator = engine.getValidator();
-      if (!validator) {
-        continue;
-      }
-      // Put this in an array so that we know how many we're going to do, so we
-      // don't tell users we're going to run some validators when we aren't.
-      toRun.push({ engine, validator });
-    }
-
-    if (!toRun.length) {
-      return;
-    }
-    Services.console.logStringMessage(
-      "Sync is about to run a consistency check. This may be slow, and " +
-      "can be controlled using the pref \"services.sync.validation.enabled\".\n" +
-      "If you encounter any problems because of this, please file a bug.");
-    for (let { validator, engine } of toRun) {
-      try {
-        let result = yield validator.validate(engine);
-        Observers.notify("weave:engine:validate:finish", result, engine.name);
-      } catch (e) {
-        this._log.error(`Failed to run validation on ${engine.name}!`, e);
-        Observers.notify("weave:engine:validate:error", e, engine.name)
-        // Keep validating -- there's no reason to think that a failure for one
-        // validator would mean the others will fail.
-      }
-    }
-  }),
-
   // Returns true if sync should proceed.
   // false / no return value means sync should be aborted.
   _syncEngine: function _syncEngine(engine) {
diff --git a/services/sync/modules/status.js b/services/sync/modules/status.js
index 100bc79652..a5b8305b41 100644
--- a/services/sync/modules/status.js
+++ b/services/sync/modules/status.js
@@ -12,7 +12,6 @@ var Cu = Components.utils;
 Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://gre/modules/Log.jsm");
 Cu.import("resource://services-sync/identity.js");
-Cu.import("resource://services-sync/browserid_identity.js");
 Cu.import("resource://gre/modules/Services.jsm");
 Cu.import("resource://services-common/async.js");
 
@@ -28,9 +27,12 @@ this.Status = {
     let service = Components.classes["@mozilla.org/weave/service;1"]
                     .getService(Components.interfaces.nsISupports)
                     .wrappedJSObject;
-    let idClass = service.fxAccountsEnabled ? BrowserIDManager : IdentityManager;
+    let idClass = IdentityManager;
     this.__authManager = new idClass();
-    this.__authManager.initialize();
+    // .initialize returns a promise, so we need to spin until it resolves.
+    let cb = Async.makeSpinningCallback();
+    this.__authManager.initialize().then(cb, cb);
+    cb.wait();
     return this.__authManager;
   },
 
diff --git a/services/sync/modules/telemetry.js b/services/sync/modules/telemetry.js
deleted file mode 100644
index c311387f79..0000000000
--- a/services/sync/modules/telemetry.js
+++ /dev/null
@@ -1,578 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-"use strict";
-
-const {classes: Cc, interfaces: Ci, utils: Cu, results: Cr} = Components;
-
-this.EXPORTED_SYMBOLS = ["SyncTelemetry"];
-
-Cu.import("resource://services-sync/browserid_identity.js");
-Cu.import("resource://services-sync/main.js");
-Cu.import("resource://services-sync/status.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://services-common/observers.js");
-Cu.import("resource://services-common/async.js");
-Cu.import("resource://gre/modules/Log.jsm");
-Cu.import("resource://gre/modules/TelemetryController.jsm");
-Cu.import("resource://gre/modules/FxAccounts.jsm");
-Cu.import("resource://gre/modules/XPCOMUtils.jsm");
-Cu.import("resource://gre/modules/osfile.jsm", this);
-
-let constants = {};
-Cu.import("resource://services-sync/constants.js", constants);
-
-var fxAccountsCommon = {};
-Cu.import("resource://gre/modules/FxAccountsCommon.js", fxAccountsCommon);
-
-XPCOMUtils.defineLazyServiceGetter(this, "Telemetry",
-                                   "@mozilla.org/base/telemetry;1",
-                                   "nsITelemetry");
-
-const log = Log.repository.getLogger("Sync.Telemetry");
-
-const TOPICS = [
-  "profile-before-change",
-  "weave:service:sync:start",
-  "weave:service:sync:finish",
-  "weave:service:sync:error",
-
-  "weave:engine:sync:start",
-  "weave:engine:sync:finish",
-  "weave:engine:sync:error",
-  "weave:engine:sync:applied",
-  "weave:engine:sync:uploaded",
-  "weave:engine:validate:finish",
-  "weave:engine:validate:error",
-];
-
-const PING_FORMAT_VERSION = 1;
-
-// The set of engines we record telemetry for - any other engines are ignored.
-const ENGINES = new Set(["addons", "bookmarks", "clients", "forms", "history",
-                         "passwords", "prefs", "tabs", "extension-storage"]);
-
-// A regex we can use to replace the profile dir in error messages. We use a
-// regexp so we can simply replace all case-insensitive occurences.
-// This escaping function is from:
-// https://developer.mozilla.org/en/docs/Web/JavaScript/Guide/Regular_Expressions
-const reProfileDir = new RegExp(
-        OS.Constants.Path.profileDir.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"),
-        "gi");
-
-function transformError(error, engineName) {
-  if (Async.isShutdownException(error)) {
-    return { name: "shutdownerror" };
-  }
-
-  if (typeof error === "string") {
-    if (error.startsWith("error.")) {
-      // This is hacky, but I can't imagine that it's not also accurate.
-      return { name: "othererror", error };
-    }
-    // There's a chance the profiledir is in the error string which is PII we
-    // want to avoid including in the ping.
-    error = error.replace(reProfileDir, "[profileDir]");
-    return { name: "unexpectederror", error };
-  }
-
-  if (error.failureCode) {
-    return { name: "othererror", error: error.failureCode };
-  }
-
-  if (error instanceof AuthenticationError) {
-    return { name: "autherror", from: error.source };
-  }
-
-  if (error instanceof Ci.mozIStorageError) {
-    return { name: "sqlerror", code: error.result };
-  }
-
-  let httpCode = error.status ||
-    (error.response && error.response.status) ||
-    error.code;
-
-  if (httpCode) {
-    return { name: "httperror", code: httpCode };
-  }
-
-  if (error.result) {
-    return { name: "nserror", code: error.result };
-  }
-
-  return {
-    name: "unexpectederror",
-    // as above, remove the profile dir value.
-    error: String(error).replace(reProfileDir, "[profileDir]")
-  }
-}
-
-function tryGetMonotonicTimestamp() {
-  try {
-    return Telemetry.msSinceProcessStart();
-  } catch (e) {
-    log.warn("Unable to get a monotonic timestamp!");
-    return -1;
-  }
-}
-
-function timeDeltaFrom(monotonicStartTime) {
-  let now = tryGetMonotonicTimestamp();
-  if (monotonicStartTime !== -1 && now !== -1) {
-    return Math.round(now - monotonicStartTime);
-  }
-  return -1;
-}
-
-class EngineRecord {
-  constructor(name) {
-    // startTime is in ms from process start, but is monotonic (unlike Date.now())
-    // so we need to keep both it and when.
-    this.startTime = tryGetMonotonicTimestamp();
-    this.name = name;
-  }
-
-  toJSON() {
-    let result = Object.assign({}, this);
-    delete result.startTime;
-    return result;
-  }
-
-  finished(error) {
-    let took = timeDeltaFrom(this.startTime);
-    if (took > 0) {
-      this.took = took;
-    }
-    if (error) {
-      this.failureReason = transformError(error, this.name);
-    }
-  }
-
-  recordApplied(counts) {
-    if (this.incoming) {
-      log.error(`Incoming records applied multiple times for engine ${this.name}!`);
-      return;
-    }
-    if (this.name === "clients" && !counts.failed) {
-      // ignore successful application of client records
-      // since otherwise they show up every time and are meaningless.
-      return;
-    }
-
-    let incomingData = {};
-    let properties = ["applied", "failed", "newFailed", "reconciled"];
-    // Only record non-zero properties and only record incoming at all if
-    // there's at least one property we care about.
-    for (let property of properties) {
-      if (counts[property]) {
-        incomingData[property] = counts[property];
-        this.incoming = incomingData;
-      }
-    }
-  }
-
-  recordValidation(validationResult) {
-    if (this.validation) {
-      log.error(`Multiple validations occurred for engine ${this.name}!`);
-      return;
-    }
-    let { problems, version, duration, recordCount } = validationResult;
-    let validation = {
-      version: version || 0,
-      checked: recordCount || 0,
-    };
-    if (duration > 0) {
-      validation.took = Math.round(duration);
-    }
-    let summarized = problems.getSummary(true).filter(({count}) => count > 0);
-    if (summarized.length) {
-      validation.problems = summarized;
-    }
-    this.validation = validation;
-  }
-
-  recordValidationError(e) {
-    if (this.validation) {
-      log.error(`Multiple validations occurred for engine ${this.name}!`);
-      return;
-    }
-
-    this.validation = {
-      failureReason: transformError(e)
-    };
-  }
-
-  recordUploaded(counts) {
-    if (counts.sent || counts.failed) {
-      if (!this.outgoing) {
-        this.outgoing = [];
-      }
-      this.outgoing.push({
-        sent: counts.sent || undefined,
-        failed: counts.failed || undefined,
-      });
-    }
-  }
-}
-
-class TelemetryRecord {
-  constructor(allowedEngines) {
-    this.allowedEngines = allowedEngines;
-    // Our failure reason. This property only exists in the generated ping if an
-    // error actually occurred.
-    this.failureReason = undefined;
-    this.uid = "";
-    this.when = Date.now();
-    this.startTime = tryGetMonotonicTimestamp();
-    this.took = 0; // will be set later.
-
-    // All engines that have finished (ie, does not include the "current" one)
-    // We omit this from the ping if it's empty.
-    this.engines = [];
-    // The engine that has started but not yet stopped.
-    this.currentEngine = null;
-  }
-
-  toJSON() {
-    let result = {
-      when: this.when,
-      uid: this.uid,
-      took: this.took,
-      failureReason: this.failureReason,
-      status: this.status,
-      deviceID: this.deviceID,
-      devices: this.devices,
-    };
-    let engines = [];
-    for (let engine of this.engines) {
-      engines.push(engine.toJSON());
-    }
-    if (engines.length > 0) {
-      result.engines = engines;
-    }
-    return result;
-  }
-
-  finished(error) {
-    this.took = timeDeltaFrom(this.startTime);
-    if (this.currentEngine != null) {
-      log.error("Finished called for the sync before the current engine finished");
-      this.currentEngine.finished(null);
-      this.onEngineStop(this.currentEngine.name);
-    }
-    if (error) {
-      this.failureReason = transformError(error);
-    }
-
-    // We don't bother including the "devices" field if we can't come up with a
-    // UID or device ID for *this* device -- If that's the case, any data we'd
-    // put there would be likely to be full of garbage anyway.
-    let includeDeviceInfo = false;
-    try {
-      this.uid = Weave.Service.identity.hashedUID();
-      let deviceID = Weave.Service.identity.deviceID();
-      if (deviceID) {
-        // Combine the raw device id with the metrics uid to create a stable
-        // unique identifier that can't be mapped back to the user's FxA
-        // identity without knowing the metrics HMAC key.
-        this.deviceID = Utils.sha256(deviceID + this.uid);
-        includeDeviceInfo = true;
-      }
-    } catch (e) {
-      this.uid = "0".repeat(32);
-      this.deviceID = undefined;
-    }
-
-    if (includeDeviceInfo) {
-      let remoteDevices = Weave.Service.clientsEngine.remoteClients;
-      this.devices = remoteDevices.map(device => {
-        return {
-          os: device.os,
-          version: device.version,
-          id: Utils.sha256(device.id + this.uid)
-        };
-      });
-    }
-
-    // Check for engine statuses. -- We do this now, and not in engine.finished
-    // to make sure any statuses that get set "late" are recorded
-    for (let engine of this.engines) {
-      let status = Status.engines[engine.name];
-      if (status && status !== constants.ENGINE_SUCCEEDED) {
-        engine.status = status;
-      }
-    }
-
-    let statusObject = {};
-
-    let serviceStatus = Status.service;
-    if (serviceStatus && serviceStatus !== constants.STATUS_OK) {
-      statusObject.service = serviceStatus;
-      this.status = statusObject;
-    }
-    let syncStatus = Status.sync;
-    if (syncStatus && syncStatus !== constants.SYNC_SUCCEEDED) {
-      statusObject.sync = syncStatus;
-      this.status = statusObject;
-    }
-  }
-
-  onEngineStart(engineName) {
-    if (this._shouldIgnoreEngine(engineName, false)) {
-      return;
-    }
-
-    if (this.currentEngine) {
-      log.error(`Being told that engine ${engineName} has started, but current engine ${
-        this.currentEngine.name} hasn't stopped`);
-      // Just discard the current engine rather than making up data for it.
-    }
-    this.currentEngine = new EngineRecord(engineName);
-  }
-
-  onEngineStop(engineName, error) {
-    // We only care if it's the current engine if we have a current engine.
-    if (this._shouldIgnoreEngine(engineName, !!this.currentEngine)) {
-      return;
-    }
-    if (!this.currentEngine) {
-      // It's possible for us to get an error before the start message of an engine
-      // (somehow), in which case we still want to record that error.
-      if (!error) {
-        return;
-      }
-      log.error(`Error triggered on ${engineName} when no current engine exists: ${error}`);
-      this.currentEngine = new EngineRecord(engineName);
-    }
-    this.currentEngine.finished(error);
-    this.engines.push(this.currentEngine);
-    this.currentEngine = null;
-  }
-
-  onEngineApplied(engineName, counts) {
-    if (this._shouldIgnoreEngine(engineName)) {
-      return;
-    }
-    this.currentEngine.recordApplied(counts);
-  }
-
-  onEngineValidated(engineName, validationData) {
-    if (this._shouldIgnoreEngine(engineName, false)) {
-      return;
-    }
-    let engine = this.engines.find(e => e.name === engineName);
-    if (!engine && this.currentEngine && engineName === this.currentEngine.name) {
-      engine = this.currentEngine;
-    }
-    if (engine) {
-      engine.recordValidation(validationData);
-    } else {
-      log.warn(`Validation event triggered for engine ${engineName}, which hasn't been synced!`);
-    }
-  }
-
-  onEngineValidateError(engineName, error) {
-    if (this._shouldIgnoreEngine(engineName, false)) {
-      return;
-    }
-    let engine = this.engines.find(e => e.name === engineName);
-    if (!engine && this.currentEngine && engineName === this.currentEngine.name) {
-      engine = this.currentEngine;
-    }
-    if (engine) {
-      engine.recordValidationError(error);
-    } else {
-      log.warn(`Validation failure event triggered for engine ${engineName}, which hasn't been synced!`);
-    }
-  }
-
-  onEngineUploaded(engineName, counts) {
-    if (this._shouldIgnoreEngine(engineName)) {
-      return;
-    }
-    this.currentEngine.recordUploaded(counts);
-  }
-
-  _shouldIgnoreEngine(engineName, shouldBeCurrent = true) {
-    if (!this.allowedEngines.has(engineName)) {
-      log.info(`Notification for engine ${engineName}, but we aren't recording telemetry for it`);
-      return true;
-    }
-    if (shouldBeCurrent) {
-      if (!this.currentEngine || engineName != this.currentEngine.name) {
-        log.error(`Notification for engine ${engineName} but it isn't current`);
-        return true;
-      }
-    }
-    return false;
-  }
-}
-
-class SyncTelemetryImpl {
-  constructor(allowedEngines) {
-    log.level = Log.Level[Svc.Prefs.get("log.logger.telemetry", "Trace")];
-    // This is accessible so we can enable custom engines during tests.
-    this.allowedEngines = allowedEngines;
-    this.current = null;
-    this.setupObservers();
-
-    this.payloads = [];
-    this.discarded = 0;
-    this.maxPayloadCount = Svc.Prefs.get("telemetry.maxPayloadCount");
-    this.submissionInterval = Svc.Prefs.get("telemetry.submissionInterval") * 1000;
-    this.lastSubmissionTime = Telemetry.msSinceProcessStart();
-  }
-
-  getPingJSON(reason) {
-    return {
-      why: reason,
-      discarded: this.discarded || undefined,
-      version: PING_FORMAT_VERSION,
-      syncs: this.payloads.slice(),
-    };
-  }
-
-  finish(reason) {
-    // Note that we might be in the middle of a sync right now, and so we don't
-    // want to touch this.current.
-    let result = this.getPingJSON(reason);
-    this.payloads = [];
-    this.discarded = 0;
-    this.submit(result);
-  }
-
-  setupObservers() {
-    for (let topic of TOPICS) {
-      Observers.add(topic, this, this);
-    }
-  }
-
-  shutdown() {
-    this.finish("shutdown");
-    for (let topic of TOPICS) {
-      Observers.remove(topic, this, this);
-    }
-  }
-
-  submit(record) {
-    // We still call submit() with possibly illegal payloads so that tests can
-    // know that the ping was built. We don't end up submitting them, however.
-    if (record.syncs.length) {
-      log.trace(`submitting ${record.syncs.length} sync record(s) to telemetry`);
-      TelemetryController.submitExternalPing("sync", record);
-    }
-  }
-
-
-  onSyncStarted() {
-    if (this.current) {
-      log.warn("Observed weave:service:sync:start, but we're already recording a sync!");
-      // Just discard the old record, consistent with our handling of engines, above.
-      this.current = null;
-    }
-    this.current = new TelemetryRecord(this.allowedEngines);
-  }
-
-  _checkCurrent(topic) {
-    if (!this.current) {
-      log.warn(`Observed notification ${topic} but no current sync is being recorded.`);
-      return false;
-    }
-    return true;
-  }
-
-  onSyncFinished(error) {
-    if (!this.current) {
-      log.warn("onSyncFinished but we aren't recording");
-      return;
-    }
-    this.current.finished(error);
-    if (this.payloads.length < this.maxPayloadCount) {
-      this.payloads.push(this.current.toJSON());
-    } else {
-      ++this.discarded;
-    }
-    this.current = null;
-    if ((Telemetry.msSinceProcessStart() - this.lastSubmissionTime) > this.submissionInterval) {
-      this.finish("schedule");
-      this.lastSubmissionTime = Telemetry.msSinceProcessStart();
-    }
-  }
-
-  observe(subject, topic, data) {
-    log.trace(`observed ${topic} ${data}`);
-
-    switch (topic) {
-      case "profile-before-change":
-        this.shutdown();
-        break;
-
-      /* sync itself state changes */
-      case "weave:service:sync:start":
-        this.onSyncStarted();
-        break;
-
-      case "weave:service:sync:finish":
-        if (this._checkCurrent(topic)) {
-          this.onSyncFinished(null);
-        }
-        break;
-
-      case "weave:service:sync:error":
-        // argument needs to be truthy (this should always be the case)
-        this.onSyncFinished(subject || "Unknown");
-        break;
-
-      /* engine sync state changes */
-      case "weave:engine:sync:start":
-        if (this._checkCurrent(topic)) {
-          this.current.onEngineStart(data);
-        }
-        break;
-      case "weave:engine:sync:finish":
-        if (this._checkCurrent(topic)) {
-          this.current.onEngineStop(data, null);
-        }
-        break;
-
-      case "weave:engine:sync:error":
-        if (this._checkCurrent(topic)) {
-          // argument needs to be truthy (this should always be the case)
-          this.current.onEngineStop(data, subject || "Unknown");
-        }
-        break;
-
-      /* engine counts */
-      case "weave:engine:sync:applied":
-        if (this._checkCurrent(topic)) {
-          this.current.onEngineApplied(data, subject);
-        }
-        break;
-
-      case "weave:engine:sync:uploaded":
-        if (this._checkCurrent(topic)) {
-          this.current.onEngineUploaded(data, subject);
-        }
-        break;
-
-      case "weave:engine:validate:finish":
-        if (this._checkCurrent(topic)) {
-          this.current.onEngineValidated(data, subject);
-        }
-        break;
-
-      case "weave:engine:validate:error":
-        if (this._checkCurrent(topic)) {
-          this.current.onEngineValidateError(data, subject || "Unknown");
-        }
-        break;
-
-      default:
-        log.warn(`unexpected observer topic ${topic}`);
-        break;
-    }
-  }
-}
-
-this.SyncTelemetry = new SyncTelemetryImpl(ENGINES);
diff --git a/services/sync/modules/util.js b/services/sync/modules/util.js
index e9dbcb37d2..12496d23a0 100644
--- a/services/sync/modules/util.js
+++ b/services/sync/modules/util.js
@@ -35,6 +35,8 @@ this.Utils = {
   // In the ideal world, references to these would be removed.
   nextTick: CommonUtils.nextTick,
   namedTimer: CommonUtils.namedTimer,
+  exceptionStr: CommonUtils.exceptionStr,
+  stackTrace: CommonUtils.stackTrace,
   makeURI: CommonUtils.makeURI,
   encodeUTF8: CommonUtils.encodeUTF8,
   decodeUTF8: CommonUtils.decodeUTF8,
@@ -52,7 +54,6 @@ this.Utils = {
   digestBytes: CryptoUtils.digestBytes,
   sha1: CryptoUtils.sha1,
   sha1Base32: CryptoUtils.sha1Base32,
-  sha256: CryptoUtils.sha256,
   makeHMACKey: CryptoUtils.makeHMACKey,
   makeHMACHasher: CryptoUtils.makeHMACHasher,
   hkdfExpand: CryptoUtils.hkdfExpand,
@@ -61,25 +62,6 @@ this.Utils = {
   getHTTPMACSHA1Header: CryptoUtils.getHTTPMACSHA1Header,
 
   /**
-   * The string to use as the base User-Agent in Sync requests.
-   * This string will look something like
-   *
-   *   Firefox/49.0a1 (Windows NT 6.1; WOW64; rv:46.0) FxSync/1.51.0.20160516142357.desktop
-   */
-  _userAgent: null,
-  get userAgent() {
-    if (!this._userAgent) {
-      let hph = Cc["@mozilla.org/network/protocol;1?name=http"].getService(Ci.nsIHttpProtocolHandler);
-      this._userAgent =
-        Services.appinfo.name + "/" + Services.appinfo.version +  // Product.
-        " (" + hph.oscpu + ")" +                                  // (oscpu)
-        " FxSync/" + WEAVE_VERSION + "." +                        // Sync.
-        Services.appinfo.appBuildID + ".";                        // Build.
-    }
-    return this._userAgent + Svc.Prefs.get("client.type", "desktop");
-  },
-
-  /**
    * Wrap a function to catch all exceptions and log them
    *
    * @usage MyObj._catch = Utils.catch;
@@ -95,7 +77,7 @@ this.Utils = {
         return func.call(thisArg);
       }
       catch(ex) {
-        thisArg._log.debug("Exception calling " + (func.name || "anonymous function"), ex);
+        thisArg._log.debug("Exception: ", ex);
         if (exceptionCallback) {
           return exceptionCallback.call(thisArg, ex);
         }
@@ -271,14 +253,14 @@ this.Utils = {
    */
   base32ToFriendly: function base32ToFriendly(input) {
     return input.toLowerCase()
-                .replace(/l/g, '8')
-                .replace(/o/g, '9');
+                .replace("l", '8', "g")
+                .replace("o", '9', "g");
   },
 
   base32FromFriendly: function base32FromFriendly(input) {
     return input.toUpperCase()
-                .replace(/8/g, 'L')
-                .replace(/9/g, 'O');
+                .replace("8", 'L', "g")
+                .replace("9", 'O', "g");
   },
 
   /**
@@ -411,52 +393,6 @@ this.Utils = {
     }
   }),
 
-  /**
-   * Move a json file in the profile directory. Will fail if a file exists at the
-   * destination.
-   *
-   * @returns a promise that resolves to undefined on success, or rejects on failure
-   *
-   * @param aFrom
-   *        Current path to the JSON file saved on disk, relative to profileDir/weave
-   *        .json will be appended to the file name.
-   * @param aTo
-   *        New path to the JSON file saved on disk, relative to profileDir/weave
-   *        .json will be appended to the file name.
-   * @param that
-   *        Object to use for logging
-   */
-  jsonMove(aFrom, aTo, that) {
-    let pathFrom = OS.Path.join(OS.Constants.Path.profileDir, "weave",
-                                ...(aFrom + ".json").split("/"));
-    let pathTo = OS.Path.join(OS.Constants.Path.profileDir, "weave",
-                              ...(aTo + ".json").split("/"));
-    if (that._log) {
-      that._log.trace("Moving " + pathFrom + " to " + pathTo);
-    }
-    return OS.File.move(pathFrom, pathTo, { noOverwrite: true });
-  },
-
-  /**
-   * Removes a json file in the profile directory.
-   *
-   * @returns a promise that resolves to undefined on success, or rejects on failure
-   *
-   * @param filePath
-   *        Current path to the JSON file saved on disk, relative to profileDir/weave
-   *        .json will be appended to the file name.
-   * @param that
-   *        Object to use for logging
-   */
-  jsonRemove(filePath, that) {
-    let path = OS.Path.join(OS.Constants.Path.profileDir, "weave",
-                            ...(filePath + ".json").split("/"));
-    if (that._log) {
-      that._log.trace("Deleting " + path);
-    }
-    return OS.File.remove(path, { ignoreAbsent: true });
-  },
-
   getErrorString: function Utils_getErrorString(error, args) {
     try {
       return Str.errors.get(error, args || null);
@@ -543,7 +479,7 @@ this.Utils = {
 
     // 20-char sync key.
     if (pp.length == 23 &&
-        [5, 11, 17].every(i => pp[i] == '-')) {
+        [5, 11, 17].every(function(i) pp[i] == '-')) {
 
       return pp.slice(0, 5) + pp.slice(6, 11)
              + pp.slice(12, 17) + pp.slice(18, 23);
@@ -551,7 +487,7 @@ this.Utils = {
 
     // "Modern" 26-char key.
     if (pp.length == 31 &&
-        [1, 7, 13, 19, 25].every(i => pp[i] == '-')) {
+        [1, 7, 13, 19, 25].every(function(i) pp[i] == '-')) {
 
       return pp.slice(0, 1) + pp.slice(2, 7)
              + pp.slice(8, 13) + pp.slice(14, 19)
@@ -681,12 +617,30 @@ this.Utils = {
    * Get the FxA identity hosts.
    */
   getSyncCredentialsHostsFxA: function() {
+    // This is somewhat expensive and the result static, so we cache the result.
+    if (this._syncCredentialsHostsFxA) {
+      return this._syncCredentialsHostsFxA;
+    }
     let result = new Set();
     // the FxA host
     result.add(FxAccountsCommon.FXA_PWDMGR_HOST);
-    // We used to include the FxA hosts (hence the Set() result) but we now
-    // don't give them special treatment (hence the Set() with exactly 1 item)
-    return result;
+    //
+    // The FxA hosts - these almost certainly all have the same hostname, but
+    // better safe than sorry...
+    for (let prefName of ["identity.fxaccounts.remote.force_auth.uri",
+                          "identity.fxaccounts.remote.signup.uri",
+                          "identity.fxaccounts.remote.signin.uri",
+                          "identity.fxaccounts.settings.uri"]) {
+      let prefVal;
+      try {
+        prefVal = Services.prefs.getCharPref(prefName);
+      } catch (_) {
+        continue;
+      }
+      let uri = Services.io.newURI(prefVal, null, null);
+      result.add(uri.prePath);
+    }
+    return this._syncCredentialsHostsFxA = result;
   },
 
   getDefaultDeviceName() {
@@ -720,32 +674,6 @@ this.Utils = {
       Cc["@mozilla.org/network/protocol;1?name=http"].getService(Ci.nsIHttpProtocolHandler).oscpu;
 
     return Str.sync.get("client.name2", [user, appName, system]);
-  },
-
-  getDeviceName() {
-    const deviceName = Svc.Prefs.get("client.name", "");
-
-    if (deviceName === "") {
-      return this.getDefaultDeviceName();
-    }
-
-    return deviceName;
-  },
-
-  getDeviceType() {
-    return Svc.Prefs.get("client.type", DEVICE_TYPE_DESKTOP);
-  },
-
-  formatTimestamp(date) {
-    // Format timestamp as: "%Y-%m-%d %H:%M:%S"
-    let year = String(date.getFullYear());
-    let month = String(date.getMonth() + 1).padStart(2, "0");
-    let day = String(date.getDate()).padStart(2, "0");
-    let hours = String(date.getHours()).padStart(2, "0");
-    let minutes = String(date.getMinutes()).padStart(2, "0");
-    let seconds = String(date.getSeconds()).padStart(2, "0");
-
-    return `${year}-${month}-${day} ${hours}:${minutes}:${seconds}`;
   }
 };
 
diff --git a/services/sync/moz.build b/services/sync/moz.build
index 5e5de10b73..ceb4eb5022 100644
--- a/services/sync/moz.build
+++ b/services/sync/moz.build
@@ -1,30 +1,24 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
 # vim: set filetype=python:
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-with Files('**'):
-    BUG_COMPONENT = ('Mozilla Services', 'Firefox Sync: Backend')
-
 DIRS += ['locales']
 
 XPCSHELL_TESTS_MANIFESTS += ['tests/unit/xpcshell.ini']
 
 EXTRA_COMPONENTS += [
-    'SyncComponents.manifest',
+    'Weave.js',
 ]
 
 EXTRA_PP_COMPONENTS += [
-    'Weave.js',
+    'SyncComponents.manifest',
 ]
 
 EXTRA_JS_MODULES['services-sync'] += [
     'modules/addonsreconciler.js',
     'modules/addonutils.js',
-    'modules/bookmark_validator.js',
-    'modules/browserid_identity.js',
-    'modules/collection_validator.js',
     'modules/engines.js',
     'modules/identity.js',
     'modules/jpakeclient.js',
@@ -35,22 +29,12 @@ EXTRA_JS_MODULES['services-sync'] += [
     'modules/record.js',
     'modules/resource.js',
     'modules/rest.js',
+    'modules/service.js',
     'modules/status.js',
-    'modules/SyncedTabs.jsm',
-    'modules/telemetry.js',
     'modules/userapi.js',
     'modules/util.js',
 ]
 
-EXTRA_PP_JS_MODULES['services-sync'] += [
-    'modules/constants.js',
-    'modules/service.js',
-]
-
-# Definitions used by constants.js
-DEFINES['weave_version'] = '1.54.1'
-DEFINES['weave_id'] = '{340c2bbc-ce74-4362-90b5-7c26312808ef}'
-
 EXTRA_JS_MODULES['services-sync'].engines += [
     'modules/engines/addons.js',
     'modules/engines/bookmarks.js',
@@ -78,3 +62,4 @@ TESTING_JS_MODULES.services.sync += [
 JS_PREFERENCE_FILES += [
     'services-sync.js',
 ]
+
diff --git a/services/sync/services-sync.js b/services/sync/services-sync.js
index 9473d9a9dc..640fb4abc5 100644
--- a/services/sync/services-sync.js
+++ b/services/sync/services-sync.js
@@ -2,17 +2,16 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-pref("services.sync.serverURL", "https://auth.services.mozilla.com/");
+pref("services.sync.serverURL", "https://pmsync.palemoon.org/sync/index.php/");
 pref("services.sync.userURL", "user/");
 pref("services.sync.miscURL", "misc/");
-pref("services.sync.termsURL", "https://services.mozilla.com/tos/");
-pref("services.sync.privacyURL", "https://services.mozilla.com/privacy-policy/");
-pref("services.sync.statusURL", "https://services.mozilla.com/status/");
-pref("services.sync.syncKeyHelpURL", "https://services.mozilla.com/help/synckey");
+pref("services.sync.termsURL", "http://www.palemoon.org/sync/terms.shtml");
+pref("services.sync.privacyURL", "http://www.palemoon.org/sync/privacy.shtml");
+pref("services.sync.statusURL", "https://pmsync.palemoon.org/status/");
+pref("services.sync.syncKeyHelpURL", "http://www.palemoon.org/sync/keyhelp.shtml");
 
 pref("services.sync.lastversion", "firstrun");
 pref("services.sync.sendVersionInfo", true);
-pref("services.sync.APILevel", 2);
 
 pref("services.sync.scheduler.eolInterval",         604800); // 1 week
 pref("services.sync.scheduler.idleInterval",         3600);  // 1 hour
@@ -25,7 +24,12 @@ pref("services.sync.scheduler.sync11.singleDeviceInterval", 86400); // 1 day
 
 pref("services.sync.errorhandler.networkFailureReportTimeout", 1209600); // 2 weeks
 
-pref("services.sync.engine.addons", true);
+// A "master" pref for Sync being enabled. Will be set to false if the sync
+// customization UI finds all our builtin engines disabled (and addons are
+// free to force this to true if they have their own engine)
+pref("services.sync.enabled", true);
+// Our engines.
+pref("services.sync.engine.addons", false);
 pref("services.sync.engine.bookmarks", true);
 pref("services.sync.engine.history", true);
 pref("services.sync.engine.passwords", true);
@@ -33,21 +37,24 @@ pref("services.sync.engine.prefs", true);
 pref("services.sync.engine.tabs", true);
 pref("services.sync.engine.tabs.filteredUrls", "^(about:.*|chrome://weave/.*|wyciwyg:.*|file:.*|blob:.*)$");
 
-pref("services.sync.jpake.serverURL", "https://setup.services.mozilla.com/");
+pref("services.sync.jpake.serverURL", "https://keyserver.palemoon.org/");
 pref("services.sync.jpake.pollInterval", 1000);
 pref("services.sync.jpake.firstMsgMaxTries", 300); // 5 minutes
 pref("services.sync.jpake.lastMsgMaxTries", 300);  // 5 minutes
 pref("services.sync.jpake.maxTries", 10);
 
+// Allow add-ons to be synced from non-trusted sources.
+pref("services.sync.addons.ignoreRepositoryChecking", true);
+
 // If true, add-on sync ignores changes to the user-enabled flag. This
 // allows people to have the same set of add-ons installed across all
 // profiles while maintaining different enabled states.
 pref("services.sync.addons.ignoreUserEnabledChanges", false);
 
 // Comma-delimited list of hostnames to trust for add-on install.
-pref("services.sync.addons.trustedSourceHostnames", "addons.mozilla.org");
+pref("services.sync.addons.trustedSourceHostnames", "addons.palemoon.org,addons.mozilla.org");
 
-pref("services.sync.log.appender.console", "Fatal");
+pref("services.sync.log.appender.console", "Warn");
 pref("services.sync.log.appender.dump", "Error");
 pref("services.sync.log.appender.file.level", "Trace");
 pref("services.sync.log.appender.file.logOnError", true);
@@ -69,28 +76,12 @@ pref("services.sync.log.logger.engine.passwords", "Debug");
 pref("services.sync.log.logger.engine.prefs", "Debug");
 pref("services.sync.log.logger.engine.tabs", "Debug");
 pref("services.sync.log.logger.engine.addons", "Debug");
-pref("services.sync.log.logger.engine.extension-storage", "Debug");
 pref("services.sync.log.logger.engine.apps", "Debug");
 pref("services.sync.log.logger.identity", "Debug");
 pref("services.sync.log.logger.userapi", "Debug");
 pref("services.sync.log.cryptoDebug", false);
 
+pref("services.sync.tokenServerURI", "https://token.services.mozilla.com/1.0/sync/1.5");
+
 pref("services.sync.fxa.termsURL", "https://accounts.firefox.com/legal/terms");
 pref("services.sync.fxa.privacyURL", "https://accounts.firefox.com/legal/privacy");
-
-pref("services.sync.telemetry.submissionInterval", 43200); // 12 hours in seconds
-pref("services.sync.telemetry.maxPayloadCount", 500);
-
-// Note that services.sync.validation.enabled is located in application/[application name]/app/profile/[application name].js
-
-// We consider validation this frequently. After considering validation, even
-// if we don't end up validating, we won't try again unless this much time has passed.
-pref("services.sync.validation.interval", 86400); // 24 hours in seconds
-
-// We only run validation `services.sync.validation.percentageChance` percent of
-// the time, even if it's been the right amount of time since the last validation,
-// and you meet the maxRecord checks.
-pref("services.sync.validation.percentageChance", 10);
-
-// We won't validate an engine if it has more than this many records on the server.
-pref("services.sync.validation.maxRecords", 100);
diff --git a/services/sync/tests/tps/addons/api/restartless-xpi@tests.mozilla.org.xml b/services/sync/tests/tps/addons/api/restartless-xpi@tests.mozilla.org.xml
index 6eb153ad19..9a5f6d52b7 100644
--- a/services/sync/tests/tps/addons/api/restartless-xpi@tests.mozilla.org.xml
+++ b/services/sync/tests/tps/addons/api/restartless-xpi@tests.mozilla.org.xml
@@ -12,7 +12,7 @@
       <application_id>1</application_id>
       <min_version>3.6</min_version>
       <max_version>*</max_version>
-      <appID>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</appID>
+      <appID>{8de7fcbb-c55c-4fbe-bfc5-fc555c87dbc4}</appID>
     </application></compatible_applications>
   <all_compatible_os><os>ALL</os></all_compatible_os>
 
diff --git a/services/sync/tests/tps/addons/api/unsigned-xpi@tests.mozilla.org.xml b/services/sync/tests/tps/addons/api/unsigned-xpi@tests.mozilla.org.xml
index 14a056013b..d7a577b31f 100644
--- a/services/sync/tests/tps/addons/api/unsigned-xpi@tests.mozilla.org.xml
+++ b/services/sync/tests/tps/addons/api/unsigned-xpi@tests.mozilla.org.xml
@@ -12,7 +12,7 @@
       <application_id>1</application_id>
       <min_version>3.6</min_version>
       <max_version>*</max_version>
-      <appID>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</appID>
+      <appID>{8de7fcbb-c55c-4fbe-bfc5-fc555c87dbc4}</appID>
     </application></compatible_applications>
   <all_compatible_os><os>ALL</os></all_compatible_os>
 
diff --git a/services/sync/tests/tps/all_tests.json b/services/sync/tests/tps/all_tests.json
index ca7031e59a..fdcbe18210 100644
--- a/services/sync/tests/tps/all_tests.json
+++ b/services/sync/tests/tps/all_tests.json
@@ -1,5 +1,4 @@
 { "tests": [
-    "test_bookmark_conflict.js",
     "test_sync.js",
     "test_prefs.js",
     "test_tabs.js",
@@ -17,6 +16,7 @@
     "test_bug575423.js",
     "test_bug546807.js",
     "test_history_collision.js",
+    "test_privbrw_formdata.js",
     "test_privbrw_passwords.js",
     "test_privbrw_tabs.js",
     "test_bookmarks_in_same_named_folder.js",
diff --git a/services/sync/tests/tps/test_addon_nonrestartless_xpi.js b/services/sync/tests/tps/test_addon_nonrestartless_xpi.js
index b6c85b3515..d9a15fc50a 100644
--- a/services/sync/tests/tps/test_addon_nonrestartless_xpi.js
+++ b/services/sync/tests/tps/test_addon_nonrestartless_xpi.js
@@ -6,7 +6,7 @@
 // syncs between profiles.
 EnableEngines(["addons"]);
 
-var phases = {
+let phases = {
   "phase01": "profile1",
   "phase02": "profile1",
   "phase03": "profile2",
@@ -33,8 +33,7 @@ Phase("phase01", [
   [Sync]
 ]);
 Phase("phase02", [
-  [Addons.verify, [id], STATE_ENABLED],
-  [Sync]
+  [Addons.verify, [id], STATE_ENABLED]
 ]);
 Phase("phase03", [
   [Addons.verifyNot, [id]],
@@ -42,7 +41,6 @@ Phase("phase03", [
 ]);
 Phase("phase04", [
   [Addons.verify, [id], STATE_ENABLED],
-  [Sync]
 ]);
 
 // Now we disable the add-on
@@ -53,15 +51,13 @@ Phase("phase05", [
 ]);
 Phase("phase06", [
   [Addons.verify, [id], STATE_DISABLED],
-  [Sync]
 ]);
 Phase("phase07", [
   [Addons.verify, [id], STATE_ENABLED],
   [Sync]
 ]);
 Phase("phase08", [
-  [Addons.verify, [id], STATE_DISABLED],
-  [Sync]
+  [Addons.verify, [id], STATE_DISABLED]
 ]);
 
 // Now we re-enable it again.
@@ -72,15 +68,13 @@ Phase("phase09", [
 ]);
 Phase("phase10", [
   [Addons.verify, [id], STATE_ENABLED],
-  [Sync]
 ]);
 Phase("phase11", [
   [Addons.verify, [id], STATE_DISABLED],
   [Sync]
 ]);
 Phase("phase12", [
-  [Addons.verify, [id], STATE_ENABLED],
-  [Sync]
+  [Addons.verify, [id], STATE_ENABLED]
 ]);
 
 // And we uninstall it
@@ -92,14 +86,12 @@ Phase("phase13", [
   [Sync]
 ]);
 Phase("phase14", [
-  [Addons.verifyNot, [id]],
-  [Sync]
+  [Addons.verifyNot, [id]]
 ]);
 Phase("phase15", [
   [Addons.verify, [id], STATE_ENABLED],
   [Sync]
 ]);
 Phase("phase16", [
-  [Addons.verifyNot, [id]],
-  [Sync]
+  [Addons.verifyNot, [id]]
 ]);
diff --git a/services/sync/tests/tps/test_addon_reconciling.js b/services/sync/tests/tps/test_addon_reconciling.js
index a4244ab03f..14dda8ade1 100644
--- a/services/sync/tests/tps/test_addon_reconciling.js
+++ b/services/sync/tests/tps/test_addon_reconciling.js
@@ -6,7 +6,7 @@
 // the proper action is taken.
 EnableEngines(["addons"]);
 
-var phases = {
+let phases = {
   "phase01": "profile1",
   "phase02": "profile2",
   "phase03": "profile1",
@@ -34,9 +34,6 @@ Phase("phase02", [
 Phase("phase03", [
   [Sync], // Get GUID updates, potentially.
   [Addons.setEnabled, [id], STATE_DISABLED],
-  // We've changed the state, but don't want this profile to sync until phase5,
-  // so if we ran a validation now we'd be expecting to find errors.
-  [Addons.skipValidation]
 ]);
 Phase("phase04", [
   [EnsureTracking],
diff --git a/services/sync/tests/tps/test_addon_restartless_xpi.js b/services/sync/tests/tps/test_addon_restartless_xpi.js
index b242c95f0e..7d45406bde 100644
--- a/services/sync/tests/tps/test_addon_restartless_xpi.js
+++ b/services/sync/tests/tps/test_addon_restartless_xpi.js
@@ -5,7 +5,7 @@
 // other profiles.
 EnableEngines(["addons"]);
 
-var phases = {
+let phases = {
   "phase01": "profile1",
   "phase02": "profile2",
   "phase03": "profile1",
diff --git a/services/sync/tests/tps/test_addon_sanity.js b/services/sync/tests/tps/test_addon_sanity.js
index 2409180949..0d738eb678 100644
--- a/services/sync/tests/tps/test_addon_sanity.js
+++ b/services/sync/tests/tps/test_addon_sanity.js
@@ -9,7 +9,7 @@
 
 EnableEngines(["addons"]);
 
-var phases = { "phase1": "profile1",
+let phases = { "phase1": "profile1",
                "phase2": "profile1" };
 
 const id = "unsigned-xpi@tests.mozilla.org";
@@ -25,6 +25,5 @@ Phase("phase1", [
 
 Phase("phase2", [
   // Add-on should be present after restart
-  [Addons.verify, [id], STATE_ENABLED],
-  [Sync] // Sync to ensure everything is initialized enough for the addon validator to run
+  [Addons.verify, [id], STATE_ENABLED]
 ]);
diff --git a/services/sync/tests/tps/test_addon_wipe.js b/services/sync/tests/tps/test_addon_wipe.js
index 60131abc0f..2aafbd6bf3 100644
--- a/services/sync/tests/tps/test_addon_wipe.js
+++ b/services/sync/tests/tps/test_addon_wipe.js
@@ -8,7 +8,7 @@
 
 EnableEngines(["addons"]);
 
-var phases = {
+let phases = {
   "phase01": "profile1",
   "phase02": "profile1",
   "phase03": "profile1"
@@ -30,6 +30,5 @@ Phase("phase02", [
 ]);
 Phase("phase03", [
   [Addons.verify, [id1], STATE_ENABLED],
-  [Addons.verify, [id2], STATE_ENABLED],
-  [Sync] // Sync to ensure that the addon validator can run without error
+  [Addons.verify, [id2], STATE_ENABLED]
 ]);
diff --git a/services/sync/tests/tps/test_bookmark_conflict.js b/services/sync/tests/tps/test_bookmark_conflict.js
deleted file mode 100644
index cfe9d782e8..0000000000
--- a/services/sync/tests/tps/test_bookmark_conflict.js
+++ /dev/null
@@ -1,143 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-/*
- * The list of phases mapped to their corresponding profiles.  The object
- * here must be in strict JSON format, as it will get parsed by the Python
- * testrunner (no single quotes, extra comma's, etc).
- */
-EnableEngines(["bookmarks"]);
-
-var phases = { "phase1": "profile1",
-               "phase2": "profile2",
-               "phase3": "profile1",
-               "phase4": "profile2" };
-
-
-// the initial list of bookmarks to add to the browser
-var bookmarksInitial = {
-  "menu": [
-    { folder: "foldera" },
-    { folder: "folderb" },
-    { folder: "folderc" },
-    { folder: "folderd" },
-  ],
-
-  "menu/foldera": [{ uri: "http://www.cnn.com", title: "CNN" }],
-  "menu/folderb": [{ uri: "http://www.apple.com", title: "Apple", tags: [] }],
-  "menu/folderc": [{ uri: "http://www.yahoo.com", title: "Yahoo" }],
-
-  "menu/folderd": []
-};
-
-// a list of bookmarks to delete during a 'delete' action on P2
-var bookmarksToDelete = {
-  "menu": [
-    { folder: "foldera" },
-    { folder: "folderb" },
-  ],
-  "menu/folderc": [{ uri: "http://www.yahoo.com", title: "Yahoo" }],
-};
-
-
-// the modifications to make on P1, after P2 has synced, but before P1 has gotten
-// P2's changes
-var bookmarkMods = {
-  "menu": [
-    { folder: "foldera" },
-    { folder: "folderb" },
-    { folder: "folderc" },
-    { folder: "folderd" },
-  ],
-
-  // we move this child out of its folder (p1), after deleting the folder (p2)
-  // and expect the child to come back to p2 after sync.
-  "menu/foldera": [{
-    uri: "http://www.cnn.com",
-    title: "CNN",
-    changes: { location: "menu/folderd" }
-  }],
-
-  // we rename this child (p1) after deleting the folder (p2), and expect the child
-  // to be moved into great grandparent (menu)
-  "menu/folderb": [{
-    uri: "http://www.apple.com",
-    title: "Apple",
-    tags: [],
-    changes: { title: "Mac" }
-  }],
-
-
-  // we move this child (p1) after deleting the child (p2) and expect it to survive
-  "menu/folderc": [{
-    uri: "http://www.yahoo.com",
-    title: "Yahoo",
-    changes: { location: "menu/folderd" }
-  }],
-
-  "menu/folderd": []
-};
-
-// a list of bookmarks to delete during a 'delete' action
-var bookmarksToDelete = {
-  "menu": [
-    { folder: "foldera" },
-    { folder: "folderb" },
-  ],
-  "menu/folderc": [
-    { uri: "http://www.yahoo.com", title: "Yahoo" },
-  ],
-};
-
-
-
-// expected bookmark state after conflict resolution
-var bookmarksExpected = {
-  "menu": [
-    { folder: "folderc" },
-    { folder: "folderd" },
-    { uri: "http://www.apple.com", title: "Mac", },
-  ],
-
-  "menu/folderc": [],
-
-  "menu/folderd": [
-    { uri: "http://www.cnn.com", title: "CNN" },
-    { uri: "http://www.yahoo.com", title: "Yahoo" }
-  ]
-};
-
-// Add bookmarks to profile1 and sync.
-Phase("phase1", [
-  [Bookmarks.add, bookmarksInitial],
-  [Bookmarks.verify, bookmarksInitial],
-  [Sync],
-  [Bookmarks.verify, bookmarksInitial],
-]);
-
-// Sync to profile2 and verify that the bookmarks are present. Delete
-// bookmarks/folders, verify that it's not present, and sync
-Phase("phase2", [
-  [Sync],
-  [Bookmarks.verify, bookmarksInitial],
-  [Bookmarks.delete, bookmarksToDelete],
-  [Bookmarks.verifyNot, bookmarksToDelete],
-  [Sync]
-]);
-
-// Using profile1, modify the bookmarks, and sync *after* the modification,
-// and then sync again to propagate the reconciliation changes.
-Phase("phase3", [
-  [Bookmarks.verify, bookmarksInitial],
-  [Bookmarks.modify, bookmarkMods],
-  [Sync],
-  [Bookmarks.verify, bookmarksExpected],
-  [Bookmarks.verifyNot, bookmarksToDelete],
-]);
-
-// Back in profile2, do a sync and verify that we're in the expected state
-Phase("phase4", [
-  [Sync],
-  [Bookmarks.verify, bookmarksExpected],
-  [Bookmarks.verifyNot, bookmarksToDelete],
-]);
diff --git a/services/sync/tests/tps/test_bug530717.js b/services/sync/tests/tps/test_bug530717.js
index 4a11b0a277..1252b382f5 100644
--- a/services/sync/tests/tps/test_bug530717.js
+++ b/services/sync/tests/tps/test_bug530717.js
@@ -23,7 +23,7 @@ var prefs1 = [
   { name: "browser.urlbar.maxRichResults",
     value: 20
   },
-  { name: "privacy.clearOnShutdown.siteSettings",
+  { name: "security.OCSP.require",
     value: true
   }
 ];
@@ -35,7 +35,7 @@ var prefs2 = [
   { name: "browser.urlbar.maxRichResults",
     value: 18
   },
-  { name: "privacy.clearOnShutdown.siteSettings",
+  { name: "security.OCSP.require",
     value: false
   }
 ];
diff --git a/services/sync/tests/tps/test_bug563989.js b/services/sync/tests/tps/test_bug563989.js
index faf63de659..ec890a1a2c 100644
--- a/services/sync/tests/tps/test_bug563989.js
+++ b/services/sync/tests/tps/test_bug563989.js
@@ -88,8 +88,7 @@ Phase('phase2', [
   [Sync],
   [Bookmarks.verify, bookmarks_initial],
   [Bookmarks.delete, bookmarks_to_delete],
-  [Bookmarks.verifyNot, bookmarks_to_delete],
-  [Bookmarks.skipValidation]
+  [Bookmarks.verifyNot, bookmarks_to_delete]
 ]);
 
 // Using profile1, sync again with wipe-server set to true.  Verify our
diff --git a/services/sync/tests/tps/test_client_wipe.js b/services/sync/tests/tps/test_client_wipe.js
index ba9815db54..049b385fe0 100644
--- a/services/sync/tests/tps/test_client_wipe.js
+++ b/services/sync/tests/tps/test_client_wipe.js
@@ -108,7 +108,7 @@ var prefs1 = [
   { name: "browser.urlbar.maxRichResults",
     value: 20
   },
-  { name: "privacy.clearOnShutdown.siteSettings",
+  { name: "security.OCSP.require",
     value: true
   }
 ];
@@ -120,7 +120,7 @@ var prefs2 = [
   { name: "browser.urlbar.maxRichResults",
     value: 18
   },
-  { name: "privacy.clearOnShutdown.siteSettings",
+  { name: "security.OCSP.require",
     value: false
   }
 ];
diff --git a/services/sync/tests/tps/test_formdata.js b/services/sync/tests/tps/test_formdata.js
index decb58dd89..2c93f6592a 100644
--- a/services/sync/tests/tps/test_formdata.js
+++ b/services/sync/tests/tps/test_formdata.js
@@ -31,11 +31,6 @@ var formdata1 = [
   }
 ];
 
-// This is currently pointless - it *looks* like it is trying to check that
-// one of the entries in formdata1 has been removed, but (a) the delete code
-// isn't active (see comments below), and (b) the way the verification works
-// means it would never do the right thing - it only checks all the entries
-// here exist, but not that they are the only entries in the DB.
 var formdata2 = [
   { fieldname: "testing",
     value: "success",
@@ -52,11 +47,6 @@ var formdata_delete = [
   }
 ];
 
-var formdata_new = [
-  { fieldname: "new-field",
-    value: "new-value"
-  }
-]
 /*
  * Test phases
  */
@@ -82,15 +72,12 @@ Phase('phase3', [
   [Formdata.delete, formdata_delete],
 //[Formdata.verifyNot, formdata_delete],
   [Formdata.verify, formdata2],
-  // add new data after the first Sync, ensuring the tracker works.
-  [Formdata.add, formdata_new],
   [Sync],
 ]);
 
 Phase('phase4', [
   [Sync],
   [Formdata.verify, formdata2],
-  [Formdata.verify, formdata_new],
 //[Formdata.verifyNot, formdata_delete]
 ]);
 
diff --git a/services/sync/tests/tps/test_prefs.js b/services/sync/tests/tps/test_prefs.js
index 3afff130da..48ffe80e56 100644
--- a/services/sync/tests/tps/test_prefs.js
+++ b/services/sync/tests/tps/test_prefs.js
@@ -19,7 +19,7 @@ var prefs1 = [
   { name: "browser.urlbar.maxRichResults",
     value: 20
   },
-  { name: "privacy.clearOnShutdown.siteSettings",
+  { name: "security.OCSP.require",
     value: true
   }
 ];
@@ -31,7 +31,7 @@ var prefs2 = [
   { name: "browser.urlbar.maxRichResults",
     value: 18
   },
-  { name: "privacy.clearOnShutdown.siteSettings",
+  { name: "security.OCSP.require",
     value: false
   }
 ];
diff --git a/services/sync/tests/tps/test_privbrw_formdata.js b/services/sync/tests/tps/test_privbrw_formdata.js
new file mode 100644
index 0000000000..e1661611e8
--- /dev/null
+++ b/services/sync/tests/tps/test_privbrw_formdata.js
@@ -0,0 +1,73 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+/*
+ * The list of phases mapped to their corresponding profiles.  The object
+ * here must be in strict JSON format, as it will get parsed by the Python
+ * testrunner (no single quotes, extra comma's, etc).
+ */
+EnableEngines(["forms"]);
+
+var phases = { "phase1": "profile1",
+               "phase2": "profile2",
+               "phase3": "profile1",
+               "phase4": "profile2" };
+
+/*
+ * Form data
+ */
+
+// the form data to add to the browser
+var formdata1 = [
+   { fieldname: "name",
+     value: "xyz",
+     date: -1
+   },
+   { fieldname: "email",
+     value: "abc@gmail.com",
+     date: -2
+   },
+   { fieldname: "username",
+     value: "joe"
+   }
+];
+
+// the form data to add in private browsing mode
+var formdata2 = [
+   { fieldname: "password",
+     value: "secret",
+     date: -1
+   },
+   { fieldname: "city",
+     value: "mtview"
+   }
+];
+
+/*
+ * Test phases
+ */
+
+Phase('phase1', [
+  [Formdata.add, formdata1],
+  [Formdata.verify, formdata1],
+  [Sync]
+]);
+
+Phase('phase2', [
+  [Sync],
+  [Formdata.verify, formdata1]
+]);
+
+Phase('phase3', [
+  [Sync],
+  [Windows.add, { private: true }],
+  [Formdata.add, formdata2],
+  [Formdata.verify, formdata2],
+  [Sync],
+]);
+
+Phase('phase4', [
+  [Sync],
+  [Formdata.verify, formdata1],
+  [Formdata.verifyNot, formdata2]
+]);
diff --git a/services/sync/tests/unit/fake_login_manager.js b/services/sync/tests/unit/fake_login_manager.js
index 6f3148c45a..32adcbcb52 100644
--- a/services/sync/tests/unit/fake_login_manager.js
+++ b/services/sync/tests/unit/fake_login_manager.js
@@ -4,7 +4,7 @@ Cu.import("resource://services-sync/util.js");
 // Fake Sample Data
 // ----------------------------------------
 
-var fakeSampleLogins = [
+let fakeSampleLogins = [
   // Fake nsILoginInfo object.
   {hostname: "www.boogle.com",
    formSubmitURL: "http://www.boogle.com/search",
diff --git a/services/sync/tests/unit/head_appinfo.js b/services/sync/tests/unit/head_appinfo.js
index d2a680df53..eea47905fc 100644
--- a/services/sync/tests/unit/head_appinfo.js
+++ b/services/sync/tests/unit/head_appinfo.js
@@ -1,54 +1,65 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
-var {classes: Cc, interfaces: Ci, results: Cr, utils: Cu} = Components;
-Cu.import("resource://gre/modules/Services.jsm");
-Cu.import("resource://gre/modules/XPCOMUtils.jsm");
+const {classes: Cc, interfaces: Ci, results: Cr, utils: Cu} = Components;
 
-var gSyncProfile;
+let gSyncProfile;
 
 gSyncProfile = do_get_profile();
 
 // Init FormHistoryStartup and pretend we opened a profile.
-var fhs = Cc["@mozilla.org/satchel/form-history-startup;1"]
+let fhs = Cc["@mozilla.org/satchel/form-history-startup;1"]
             .getService(Ci.nsIObserver);
 fhs.observe(null, "profile-after-change", null);
 
-// An app is going to have some prefs set which xpcshell tests don't.
-Services.prefs.setCharPref("identity.sync.tokenserver.uri", "http://token-server");
 
-// Set the validation prefs to attempt validation every time to avoid non-determinism.
-Services.prefs.setIntPref("services.sync.validation.interval", 0);
-Services.prefs.setIntPref("services.sync.validation.percentageChance", 100);
-Services.prefs.setIntPref("services.sync.validation.maxRecords", -1);
-Services.prefs.setBoolPref("services.sync.validation.enabled", true);
+Cu.import("resource://gre/modules/XPCOMUtils.jsm");
 
 // Make sure to provide the right OS so crypto loads the right binaries
-function getOS() {
-  switch (mozinfo.os) {
-    case "win":
-      return "WINNT";
-    case "mac":
-      return "Darwin";
-    default:
-      return "Linux";
-  }
-}
+let OS = "XPCShell";
+if ("@mozilla.org/windows-registry-key;1" in Cc)
+  OS = "WINNT";
+else if ("nsILocalFileMac" in Ci)
+  OS = "Darwin";
+else
+  OS = "Linux";
 
-Cu.import("resource://testing-common/AppInfo.jsm", this);
-updateAppInfo({
+let XULAppInfo = {
+  vendor: "Mozilla",
   name: "XPCShell",
   ID: "xpcshell@tests.mozilla.org",
   version: "1",
+  appBuildID: "20100621",
   platformVersion: "",
-  OS: getOS(),
-});
+  platformBuildID: "20100621",
+  inSafeMode: false,
+  logConsoleErrors: true,
+  OS: OS,
+  XPCOMABI: "noarch-spidermonkey",
+  QueryInterface: XPCOMUtils.generateQI([Ci.nsIXULAppInfo, Ci.nsIXULRuntime]),
+  invalidateCachesOnRestart: function invalidateCachesOnRestart() { }
+};
+
+let XULAppInfoFactory = {
+  createInstance: function (outer, iid) {
+    if (outer != null)
+      throw Cr.NS_ERROR_NO_AGGREGATION;
+    return XULAppInfo.QueryInterface(iid);
+  }
+};
+
+let registrar = Components.manager.QueryInterface(Ci.nsIComponentRegistrar);
+registrar.registerFactory(Components.ID("{fbfae60b-64a4-44ef-a911-08ceb70b9f31}"),
+                          "XULAppInfo", "@mozilla.org/xre/app-info;1",
+                          XULAppInfoFactory);
+
 
 // Register resource aliases. Normally done in SyncComponents.manifest.
 function addResourceAlias() {
+  Cu.import("resource://gre/modules/Services.jsm");
   const resProt = Services.io.getProtocolHandler("resource")
                           .QueryInterface(Ci.nsIResProtocolHandler);
-  for (let s of ["common", "sync", "crypto"]) {
+  for each (let s in ["common", "sync", "crypto"]) {
     let uri = Services.io.newURI("resource://gre/modules/services-" + s + "/", null,
                                  null);
     resProt.setSubstitution("services-" + s, uri);
diff --git a/services/sync/tests/unit/head_errorhandler_common.js b/services/sync/tests/unit/head_errorhandler_common.js
deleted file mode 100644
index f4af60d9de..0000000000
--- a/services/sync/tests/unit/head_errorhandler_common.js
+++ /dev/null
@@ -1,112 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Cu.import("resource://services-sync/engines.js");
-
-// Common code for test_errorhandler_{1,2}.js -- pulled out to make it less
-// monolithic and take less time to execute.
-const EHTestsCommon = {
-
-  service_unavailable(request, response) {
-    let body = "Service Unavailable";
-    response.setStatusLine(request.httpVersion, 503, "Service Unavailable");
-    response.setHeader("Retry-After", "42");
-    response.bodyOutputStream.write(body, body.length);
-  },
-
-  sync_httpd_setup() {
-    let global = new ServerWBO("global", {
-      syncID: Service.syncID,
-      storageVersion: STORAGE_VERSION,
-      engines: {clients: {version: Service.clientsEngine.version,
-                          syncID: Service.clientsEngine.syncID},
-                catapult: {version: Service.engineManager.get("catapult").version,
-                           syncID: Service.engineManager.get("catapult").syncID}}
-    });
-    let clientsColl = new ServerCollection({}, true);
-
-    // Tracking info/collections.
-    let collectionsHelper = track_collections_helper();
-    let upd = collectionsHelper.with_updated_collection;
-
-    let handler_401 = httpd_handler(401, "Unauthorized");
-    return httpd_setup({
-      // Normal server behaviour.
-      "/1.1/johndoe/storage/meta/global": upd("meta", global.handler()),
-      "/1.1/johndoe/info/collections": collectionsHelper.handler,
-      "/1.1/johndoe/storage/crypto/keys":
-        upd("crypto", (new ServerWBO("keys")).handler()),
-      "/1.1/johndoe/storage/clients": upd("clients", clientsColl.handler()),
-
-      // Credentials are wrong or node reallocated.
-      "/1.1/janedoe/storage/meta/global": handler_401,
-      "/1.1/janedoe/info/collections": handler_401,
-
-      // Maintenance or overloaded (503 + Retry-After) at info/collections.
-      "/maintenance/1.1/broken.info/info/collections": EHTestsCommon.service_unavailable,
-
-      // Maintenance or overloaded (503 + Retry-After) at meta/global.
-      "/maintenance/1.1/broken.meta/storage/meta/global": EHTestsCommon.service_unavailable,
-      "/maintenance/1.1/broken.meta/info/collections": collectionsHelper.handler,
-
-      // Maintenance or overloaded (503 + Retry-After) at crypto/keys.
-      "/maintenance/1.1/broken.keys/storage/meta/global": upd("meta", global.handler()),
-      "/maintenance/1.1/broken.keys/info/collections": collectionsHelper.handler,
-      "/maintenance/1.1/broken.keys/storage/crypto/keys": EHTestsCommon.service_unavailable,
-
-      // Maintenance or overloaded (503 + Retry-After) at wiping collection.
-      "/maintenance/1.1/broken.wipe/info/collections": collectionsHelper.handler,
-      "/maintenance/1.1/broken.wipe/storage/meta/global": upd("meta", global.handler()),
-      "/maintenance/1.1/broken.wipe/storage/crypto/keys":
-        upd("crypto", (new ServerWBO("keys")).handler()),
-      "/maintenance/1.1/broken.wipe/storage": EHTestsCommon.service_unavailable,
-      "/maintenance/1.1/broken.wipe/storage/clients": upd("clients", clientsColl.handler()),
-      "/maintenance/1.1/broken.wipe/storage/catapult": EHTestsCommon.service_unavailable
-    });
-  },
-
-  CatapultEngine: (function() {
-    function CatapultEngine() {
-      SyncEngine.call(this, "Catapult", Service);
-    }
-    CatapultEngine.prototype = {
-      __proto__: SyncEngine.prototype,
-      exception: null, // tests fill this in
-      _sync: function _sync() {
-        if (this.exception) {
-          throw this.exception;
-        }
-      }
-    };
-
-    return CatapultEngine;
-  }()),
-
-
-  generateCredentialsChangedFailure() {
-    // Make sync fail due to changed credentials. We simply re-encrypt
-    // the keys with a different Sync Key, without changing the local one.
-    let newSyncKeyBundle = new SyncKeyBundle("johndoe", "23456234562345623456234562");
-    let keys = Service.collectionKeys.asWBO();
-    keys.encrypt(newSyncKeyBundle);
-    keys.upload(Service.resource(Service.cryptoKeysURL));
-  },
-
-  setUp(server) {
-    return configureIdentity({ username: "johndoe" }).then(
-      () => {
-        Service.serverURL  = server.baseURI + "/";
-        Service.clusterURL = server.baseURI + "/";
-      }
-    ).then(
-      () => EHTestsCommon.generateAndUploadKeys()
-    );
-  },
-
-  generateAndUploadKeys() {
-    generateNewKeys(Service.collectionKeys);
-    let serverKeys = Service.collectionKeys.asWBO("crypto", "keys");
-    serverKeys.encrypt(Service.identity.syncKeyBundle);
-    return serverKeys.upload(Service.resource(Service.cryptoKeysURL)).success;
-  }
-};
diff --git a/services/sync/tests/unit/head_helpers.js b/services/sync/tests/unit/head_helpers.js
index 3c59e1de55..04534dc8ef 100644
--- a/services/sync/tests/unit/head_helpers.js
+++ b/services/sync/tests/unit/head_helpers.js
@@ -4,39 +4,8 @@
 Cu.import("resource://services-common/async.js");
 Cu.import("resource://testing-common/services/common/utils.js");
 Cu.import("resource://testing-common/PlacesTestUtils.jsm");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://gre/modules/XPCOMUtils.jsm");
 
-XPCOMUtils.defineLazyGetter(this, 'SyncPingSchema', function() {
-  let ns = {};
-  Cu.import("resource://gre/modules/FileUtils.jsm", ns);
-  let stream = Cc["@mozilla.org/network/file-input-stream;1"]
-               .createInstance(Ci.nsIFileInputStream);
-  let jsonReader = Cc["@mozilla.org/dom/json;1"]
-                   .createInstance(Components.interfaces.nsIJSON);
-  let schema;
-  try {
-    let schemaFile = do_get_file("sync_ping_schema.json");
-    stream.init(schemaFile, ns.FileUtils.MODE_RDONLY, ns.FileUtils.PERMS_FILE, 0);
-    schema = jsonReader.decodeFromStream(stream, stream.available());
-  } finally {
-    stream.close();
-  }
-
-  // Allow tests to make whatever engines they want, this shouldn't cause
-  // validation failure.
-  schema.definitions.engine.properties.name = { type: "string" };
-  return schema;
-});
-
-XPCOMUtils.defineLazyGetter(this, 'SyncPingValidator', function() {
-  let ns = {};
-  Cu.import("resource://testing-common/ajv-4.1.1.js", ns);
-  let ajv = new ns.Ajv({ async: "co*" });
-  return ajv.compile(SyncPingSchema);
-});
-
-var provider = {
+let provider = {
   getFile: function(prop, persistent) {
     persistent.value = true;
     switch (prop) {
@@ -51,7 +20,7 @@ var provider = {
 Services.dirsvc.QueryInterface(Ci.nsIDirectoryService).registerProvider(provider);
 
 // This is needed for loadAddonTestFunctions().
-var gGlobalScope = this;
+let gGlobalScope = this;
 
 function ExtensionsTestPath(path) {
   if (path[0] != "/") {
@@ -76,24 +45,6 @@ function loadAddonTestFunctions() {
   createAppInfo("xpcshell@tests.mozilla.org", "XPCShell", "1", "1.9.2");
 }
 
-function webExtensionsTestPath(path) {
-  if (path[0] != "/") {
-    throw Error("Path must begin with '/': " + path);
-  }
-
-  return "../../../../toolkit/components/extensions/test/xpcshell" + path;
-}
-
-/**
- * Loads the WebExtension test functions by importing its test file.
- */
-function loadWebExtensionTestFunctions() {
-  const path = webExtensionsTestPath("/head_sync.js");
-  let file = do_get_file(path);
-  let uri = Services.io.newFileURI(file);
-  Services.scriptloader.loadSubScript(uri.spec, gGlobalScope);
-}
-
 function getAddonInstall(name) {
   let f = do_get_file(ExtensionsTestPath("/addons/" + name + ".xpi"));
   let cb = Async.makeSyncCallback();
@@ -255,192 +206,3 @@ function do_check_array_eq(a1, a2) {
     do_check_eq(a1[i], a2[i]);
   }
 }
-
-// Helper function to get the sync telemetry and add the typically used test
-// engine names to its list of allowed engines.
-function get_sync_test_telemetry() {
-  let ns = {};
-  Cu.import("resource://services-sync/telemetry.js", ns);
-  let testEngines = ["rotary", "steam", "sterling", "catapult"];
-  for (let engineName of testEngines) {
-    ns.SyncTelemetry.allowedEngines.add(engineName);
-  }
-  ns.SyncTelemetry.submissionInterval = -1;
-  return ns.SyncTelemetry;
-}
-
-function assert_valid_ping(record) {
-  // This is called as the test harness tears down due to shutdown. This
-  // will typically have no recorded syncs, and the validator complains about
-  // it. So ignore such records (but only ignore when *both* shutdown and
-  // no Syncs - either of them not being true might be an actual problem)
-  if (record && (record.why != "shutdown" || record.syncs.length != 0)) {
-    if (!SyncPingValidator(record)) {
-      deepEqual([], SyncPingValidator.errors, "Sync telemetry ping validation failed");
-    }
-    equal(record.version, 1);
-    record.syncs.forEach(p => {
-      lessOrEqual(p.when, Date.now());
-      if (p.devices) {
-        ok(!p.devices.some(device => device.id == p.deviceID));
-        equal(new Set(p.devices.map(device => device.id)).size,
-              p.devices.length, "Duplicate device ids in ping devices list");
-      }
-    });
-  }
-}
-
-// Asserts that `ping` is a ping that doesn't contain any failure information
-function assert_success_ping(ping) {
-  ok(!!ping);
-  assert_valid_ping(ping);
-  ping.syncs.forEach(record => {
-    ok(!record.failureReason);
-    equal(undefined, record.status);
-    greater(record.engines.length, 0);
-    for (let e of record.engines) {
-      ok(!e.failureReason);
-      equal(undefined, e.status);
-      if (e.validation) {
-        equal(undefined, e.validation.problems);
-        equal(undefined, e.validation.failureReason);
-      }
-      if (e.outgoing) {
-        for (let o of e.outgoing) {
-          equal(undefined, o.failed);
-          notEqual(undefined, o.sent);
-        }
-      }
-      if (e.incoming) {
-        equal(undefined, e.incoming.failed);
-        equal(undefined, e.incoming.newFailed);
-        notEqual(undefined, e.incoming.applied || e.incoming.reconciled);
-      }
-    }
-  });
-}
-
-// Hooks into telemetry to validate all pings after calling.
-function validate_all_future_pings() {
-  let telem = get_sync_test_telemetry();
-  telem.submit = assert_valid_ping;
-}
-
-function wait_for_ping(callback, allowErrorPings, getFullPing = false) {
-  return new Promise(resolve => {
-    let telem = get_sync_test_telemetry();
-    let oldSubmit = telem.submit;
-    telem.submit = function(record) {
-      telem.submit = oldSubmit;
-      if (allowErrorPings) {
-        assert_valid_ping(record);
-      } else {
-        assert_success_ping(record);
-      }
-      if (getFullPing) {
-        resolve(record);
-      } else {
-        equal(record.syncs.length, 1);
-        resolve(record.syncs[0]);
-      }
-    };
-    callback();
-  });
-}
-
-// Short helper for wait_for_ping
-function sync_and_validate_telem(allowErrorPings, getFullPing = false) {
-  return wait_for_ping(() => Service.sync(), allowErrorPings, getFullPing);
-}
-
-// Used for the (many) cases where we do a 'partial' sync, where only a single
-// engine is actually synced, but we still want to ensure we're generating a
-// valid ping. Returns a promise that resolves to the ping, or rejects with the
-// thrown error after calling an optional callback.
-function sync_engine_and_validate_telem(engine, allowErrorPings, onError) {
-  return new Promise((resolve, reject) => {
-    let telem = get_sync_test_telemetry();
-    let caughtError = null;
-    // Clear out status, so failures from previous syncs won't show up in the
-    // telemetry ping.
-    let ns = {};
-    Cu.import("resource://services-sync/status.js", ns);
-    ns.Status._engines = {};
-    ns.Status.partial = false;
-    // Ideally we'd clear these out like we do with engines, (probably via
-    // Status.resetSync()), but this causes *numerous* tests to fail, so we just
-    // assume that if no failureReason or engine failures are set, and the
-    // status properties are the same as they were initially, that it's just
-    // a leftover.
-    // This is only an issue since we're triggering the sync of just one engine,
-    // without doing any other parts of the sync.
-    let initialServiceStatus = ns.Status._service;
-    let initialSyncStatus = ns.Status._sync;
-
-    let oldSubmit = telem.submit;
-    telem.submit = function(ping) {
-      telem.submit = oldSubmit;
-      ping.syncs.forEach(record => {
-        if (record && record.status) {
-          // did we see anything to lead us to believe that something bad actually happened
-          let realProblem = record.failureReason || record.engines.some(e => {
-            if (e.failureReason || e.status) {
-              return true;
-            }
-            if (e.outgoing && e.outgoing.some(o => o.failed > 0)) {
-              return true;
-            }
-            return e.incoming && e.incoming.failed;
-          });
-          if (!realProblem) {
-            // no, so if the status is the same as it was initially, just assume
-            // that its leftover and that we can ignore it.
-            if (record.status.sync && record.status.sync == initialSyncStatus) {
-              delete record.status.sync;
-            }
-            if (record.status.service && record.status.service == initialServiceStatus) {
-              delete record.status.service;
-            }
-            if (!record.status.sync && !record.status.service) {
-              delete record.status;
-            }
-          }
-        }
-      });
-      if (allowErrorPings) {
-        assert_valid_ping(ping);
-      } else {
-        assert_success_ping(ping);
-      }
-      equal(ping.syncs.length, 1);
-      if (caughtError) {
-        if (onError) {
-          onError(ping.syncs[0]);
-        }
-        reject(caughtError);
-      } else {
-        resolve(ping.syncs[0]);
-      }
-    }
-    Svc.Obs.notify("weave:service:sync:start");
-    try {
-      engine.sync();
-    } catch (e) {
-      caughtError = e;
-    }
-    if (caughtError) {
-      Svc.Obs.notify("weave:service:sync:error", caughtError);
-    } else {
-      Svc.Obs.notify("weave:service:sync:finish");
-    }
-  });
-}
-
-// Avoid an issue where `client.name2` containing unicode characters causes
-// a number of tests to fail, due to them assuming that we do not need to utf-8
-// encode or decode data sent through the mocked server (see bug 1268912).
-Utils.getDefaultDeviceName = function() {
-  return "Test device name";
-};
-
-
diff --git a/services/sync/tests/unit/head_http_server.js b/services/sync/tests/unit/head_http_server.js
index 26f62310c3..c917c4988c 100644
--- a/services/sync/tests/unit/head_http_server.js
+++ b/services/sync/tests/unit/head_http_server.js
@@ -1,4 +1,4 @@
-var Cm = Components.manager;
+const Cm = Components.manager;
 
 // Shared logging for all HTTP server functions.
 Cu.import("resource://gre/modules/Log.jsm");
@@ -178,13 +178,9 @@ ServerCollection.prototype = {
    * @return an array of IDs.
    */
   keys: function keys(filter) {
-    let ids = [];
-    for (let [id, wbo] of Object.entries(this._wbos)) {
-      if (wbo.payload && (!filter || filter(id, wbo))) {
-        ids.push(id);
-      }
-    }
-    return ids;
+    return [id for ([id, wbo] in Iterator(this._wbos))
+               if (wbo.payload &&
+                   (!filter || filter(id, wbo)))];
   },
 
   /**
@@ -198,13 +194,8 @@ ServerCollection.prototype = {
    * @return an array of ServerWBOs.
    */
   wbos: function wbos(filter) {
-    let os = [];
-    for (let [id, wbo] of Object.entries(this._wbos)) {
-      if (wbo.payload) {
-        os.push(wbo);
-      }
-    }
-
+    let os = [wbo for ([id, wbo] in Iterator(this._wbos))
+              if (wbo.payload)];
     if (filter) {
       return os.filter(filter);
     }
@@ -276,7 +267,7 @@ ServerCollection.prototype = {
   count: function(options) {
     options = options || {};
     let c = 0;
-    for (let [id, wbo] of Object.entries(this._wbos)) {
+    for (let [id, wbo] in Iterator(this._wbos)) {
       if (wbo.modified && this._inResultSet(wbo, options)) {
         c++;
       }
@@ -287,23 +278,12 @@ ServerCollection.prototype = {
   get: function(options) {
     let result;
     if (options.full) {
-      let data = [];
-      for (let [id, wbo] of Object.entries(this._wbos)) {
-        // Drop deleted.
-        if (wbo.modified && this._inResultSet(wbo, options)) {
-          data.push(wbo.get());
-        }
-      }
-      let start = options.offset || 0;
+      let data = [wbo.get() for ([id, wbo] in Iterator(this._wbos))
+                            // Drop deleted.
+                            if (wbo.modified &&
+                                this._inResultSet(wbo, options))];
       if (options.limit) {
-        let numItemsPastOffset = data.length - start;
-        data = data.slice(start, start + options.limit);
-        // use options as a backchannel to set x-weave-next-offset
-        if (numItemsPastOffset > options.limit) {
-          options.nextOffset = start + options.limit;
-        }
-      } else if (start) {
-        data = data.slice(start);
+        data = data.slice(0, options.limit);
       }
       // Our implementation of application/newlines.
       result = data.join("\n") + "\n";
@@ -311,18 +291,10 @@ ServerCollection.prototype = {
       // Use options as a backchannel to report count.
       options.recordCount = data.length;
     } else {
-      let data = [];
-      for (let [id, wbo] of Object.entries(this._wbos)) {
-        if (this._inResultSet(wbo, options)) {
-          data.push(id);
-        }
-      }
-      let start = options.offset || 0;
+      let data = [id for ([id, wbo] in Iterator(this._wbos))
+                     if (this._inResultSet(wbo, options))];
       if (options.limit) {
-        data = data.slice(start, start + options.limit);
-        options.nextOffset = start + options.limit;
-      } else if (start) {
-        data = data.slice(start);
+        data = data.slice(0, options.limit);
       }
       result = JSON.stringify(data);
       options.recordCount = data.length;
@@ -337,8 +309,7 @@ ServerCollection.prototype = {
 
     // This will count records where we have an existing ServerWBO
     // registered with us as successful and all other records as failed.
-    for (let key in input) {
-      let record = input[key];
+    for each (let record in input) {
       let wbo = this.wbo(record.id);
       if (!wbo && this.acceptNew) {
         this._log.debug("Creating WBO " + JSON.stringify(record.id) +
@@ -361,7 +332,7 @@ ServerCollection.prototype = {
 
   delete: function(options) {
     let deleted = [];
-    for (let [id, wbo] of Object.entries(this._wbos)) {
+    for (let [id, wbo] in Iterator(this._wbos)) {
       if (this._inResultSet(wbo, options)) {
         this._log.debug("Deleting " + JSON.stringify(wbo));
         deleted.push(wbo.id);
@@ -383,7 +354,7 @@ ServerCollection.prototype = {
 
       // Parse queryString
       let options = {};
-      for (let chunk of request.queryString.split("&")) {
+      for each (let chunk in request.queryString.split("&")) {
         if (!chunk) {
           continue;
         }
@@ -403,36 +374,29 @@ ServerCollection.prototype = {
       if (options.limit) {
         options.limit = parseInt(options.limit, 10);
       }
-      if (options.offset) {
-        options.offset = parseInt(options.offset, 10);
-      }
 
       switch(request.method) {
         case "GET":
-          body = self.get(options, request);
-          // see http://moz-services-docs.readthedocs.io/en/latest/storage/apis-1.5.html
-          // for description of these headers.
-          let { recordCount: records, nextOffset } = options;
-
-          self._log.info("Records: " + records + ", nextOffset: " + nextOffset);
+          body = self.get(options);
+          // "If supported by the db, this header will return the number of
+          // records total in the request body of any multiple-record GET
+          // request."
+          let records = options.recordCount;
+          self._log.info("Records: " + records);
           if (records != null) {
             response.setHeader("X-Weave-Records", "" + records);
           }
-          if (nextOffset) {
-            response.setHeader("X-Weave-Next-Offset", "" + nextOffset);
-          }
-          response.setHeader("X-Last-Modified", "" + this.timestamp);
           break;
 
         case "POST":
-          let res = self.post(readBytesFromInputStream(request.bodyInputStream), request);
+          let res = self.post(readBytesFromInputStream(request.bodyInputStream));
           body = JSON.stringify(res);
           response.newModified = res.modified;
           break;
 
         case "DELETE":
           self._log.debug("Invoking ServerCollection.DELETE.");
-          let deleted = self.delete(options, request);
+          let deleted = self.delete(options);
           let ts = new_timestamp();
           body = JSON.stringify(ts);
           response.newModified = ts;
@@ -541,7 +505,7 @@ function track_collections_helper() {
  * find out what it needs without monkeypatching. Use this object as your
  * prototype, and override as appropriate.
  */
-var SyncServerCallback = {
+let SyncServerCallback = {
   onCollectionDeleted: function onCollectionDeleted(user, collection) {},
   onItemDeleted: function onItemDeleted(user, collection, wboID) {},
 
@@ -581,13 +545,13 @@ SyncServer.prototype = {
    * Start the SyncServer's underlying HTTP server.
    *
    * @param port
-   *        The numeric port on which to start. -1 implies the default, a
-   *        randomly chosen port.
+   *        The numeric port on which to start. A falsy value implies the
+   *        default, a randomly chosen port.
    * @param cb
    *        A callback function (of no arguments) which is invoked after
    *        startup.
    */
-  start: function start(port = -1, cb) {
+  start: function start(port, cb) {
     if (this.started) {
       this._log.warn("Warning: server already started on " + this.port);
       return;
@@ -605,7 +569,7 @@ SyncServer.prototype = {
     } catch (ex) {
       _("==========================================");
       _("Got exception starting Sync HTTP server.");
-      _("Error: " + Log.exceptionStr(ex));
+      _("Error: " + Utils.exceptionStr(ex));
       _("Is there a process already listening on port " + port + "?");
       _("==========================================");
       do_throw(ex);
@@ -703,10 +667,10 @@ SyncServer.prototype = {
       throw new Error("Unknown user.");
     }
     let userCollections = this.users[username].collections;
-    for (let [id, contents] of Object.entries(collections)) {
+    for (let [id, contents] in Iterator(collections)) {
       let coll = userCollections[id] ||
                  this._insertCollection(userCollections, id);
-      for (let [wboID, payload] of Object.entries(contents)) {
+      for (let [wboID, payload] in Iterator(contents)) {
         coll.insert(wboID, payload);
       }
     }
@@ -740,8 +704,7 @@ SyncServer.prototype = {
       throw new Error("Unknown user.");
     }
     let userCollections = this.users[username].collections;
-    for (let name in userCollections) {
-      let coll = userCollections[name];
+    for each (let [name, coll] in Iterator(userCollections)) {
       this._log.trace("Bulk deleting " + name + " for " + username + "...");
       coll.delete({});
     }
@@ -805,10 +768,7 @@ SyncServer.prototype = {
    */
   respond: function respond(req, resp, code, status, body, headers) {
     resp.setStatusLine(req.httpVersion, code, status);
-    if (!headers)
-      headers = this.defaultHeaders;
-    for (let header in headers) {
-      let value = headers[header];
+    for each (let [header, value] in Iterator(headers || this.defaultHeaders)) {
       resp.setHeader(header, value);
     }
     resp.setHeader("X-Weave-Timestamp", "" + this.timestamp(), false);
@@ -1035,7 +995,7 @@ SyncServer.prototype = {
  */
 function serverForUsers(users, contents, callback) {
   let server = new SyncServer(callback);
-  for (let [user, pass] of Object.entries(users)) {
+  for (let [user, pass] in Iterator(users)) {
     server.registerUser(user, pass);
     server.createContents(user, contents);
   }
diff --git a/services/sync/tests/unit/prefs_test_prefs_store.js b/services/sync/tests/unit/prefs_test_prefs_store.js
deleted file mode 100644
index 109757a35c..0000000000
--- a/services/sync/tests/unit/prefs_test_prefs_store.js
+++ /dev/null
@@ -1,25 +0,0 @@
-// This is a "preferences" file used by test_prefs_store.js
-
-// The prefs that control what should be synced.
-// Most of these are "default" prefs, so the value itself will not sync.
-pref("services.sync.prefs.sync.testing.int", true);
-pref("services.sync.prefs.sync.testing.string", true);
-pref("services.sync.prefs.sync.testing.bool", true);
-pref("services.sync.prefs.sync.testing.dont.change", true);
-// this one is a user pref, so it *will* sync.
-user_pref("services.sync.prefs.sync.testing.turned.off", false);
-pref("services.sync.prefs.sync.testing.nonexistent", true);
-pref("services.sync.prefs.sync.testing.default", true);
-
-// The preference values - these are all user_prefs, otherwise their value
-// will not be synced.
-user_pref("testing.int", 123);
-user_pref("testing.string", "ohai");
-user_pref("testing.bool", true);
-user_pref("testing.dont.change", "Please don't change me.");
-user_pref("testing.turned.off", "I won't get synced.");
-user_pref("testing.not.turned.on", "I won't get synced either!");
-
-// A pref that exists but still has the default value - will be synced with
-// null as the value.
-pref("testing.default", "I'm the default value");
diff --git a/services/sync/tests/unit/sync_ping_schema.json b/services/sync/tests/unit/sync_ping_schema.json
deleted file mode 100644
index 56114fb93e..0000000000
--- a/services/sync/tests/unit/sync_ping_schema.json
+++ /dev/null
@@ -1,198 +0,0 @@
-{
-  "$schema": "http://json-schema.org/draft-04/schema#",
-  "description": "schema for Sync pings, documentation avaliable in toolkit/components/telemetry/docs/sync-ping.rst",
-  "type": "object",
-  "additionalProperties": false,
-  "required": ["version", "syncs", "why"],
-  "properties": {
-    "version": { "type": "integer", "minimum": 0 },
-    "discarded": { "type": "integer", "minimum": 1 },
-    "why": { "enum": ["shutdown", "schedule"] },
-    "syncs": {
-      "type": "array",
-      "minItems": 1,
-      "items": { "$ref": "#/definitions/payload" }
-    }
-  },
-  "definitions": {
-    "payload": {
-      "type": "object",
-      "additionalProperties": false,
-      "required": ["when", "uid", "took"],
-      "properties": {
-        "didLogin": { "type": "boolean" },
-        "when": { "type": "integer" },
-        "uid": {
-          "type": "string",
-          "pattern": "^[0-9a-f]{32}$"
-        },
-        "devices": {
-          "type": "array",
-          "items": { "$ref": "#/definitions/device" }
-        },
-        "deviceID": {
-          "type": "string",
-          "pattern": "^[0-9a-f]{64}$"
-        },
-        "status": {
-          "type": "object",
-          "anyOf": [
-            { "required": ["sync"] },
-            { "required": ["service"] }
-          ],
-          "additionalProperties": false,
-          "properties": {
-            "sync": { "type": "string" },
-            "service": { "type": "string" }
-          }
-        },
-        "why": { "enum": ["startup", "schedule", "score", "user", "tabs"] },
-        "took": { "type": "integer", "minimum": -1 },
-        "failureReason": { "$ref": "#/definitions/error" },
-        "engines": {
-          "type": "array",
-          "minItems": 1,
-          "items": { "$ref": "#/definitions/engine" }
-        }
-      }
-    },
-    "device": {
-      "required": ["os", "id", "version"],
-      "additionalProperties": false,
-      "type": "object",
-      "properties": {
-        "id": { "type": "string", "pattern": "^[0-9a-f]{64}$" },
-        "os": { "type": "string" },
-        "version": { "type": "string" }
-      }
-    },
-    "engine": {
-      "required": ["name"],
-      "additionalProperties": false,
-      "properties": {
-        "failureReason": { "$ref": "#/definitions/error" },
-        "name": { "enum": ["addons", "bookmarks", "clients", "forms", "history", "passwords", "prefs", "tabs"] },
-        "took": { "type": "integer", "minimum": 1 },
-        "status": { "type": "string" },
-        "incoming": {
-          "type": "object",
-          "additionalProperties": false,
-          "anyOf": [
-            {"required": ["applied"]},
-            {"required": ["failed"]},
-            {"required": ["newFailed"]},
-            {"required": ["reconciled"]}
-          ],
-          "properties": {
-            "applied": { "type": "integer", "minimum": 1 },
-            "failed": { "type": "integer", "minimum": 1 },
-            "newFailed": { "type": "integer", "minimum": 1 },
-            "reconciled": { "type": "integer", "minimum": 1 }
-          }
-        },
-        "outgoing": {
-          "type": "array",
-          "minItems": 1,
-          "items": { "$ref": "#/definitions/outgoingBatch" }
-        },
-        "validation": {
-          "type": "object",
-          "additionalProperties": false,
-          "anyOf": [
-            { "required": ["checked"] },
-            { "required": ["failureReason"] }
-          ],
-          "properties": {
-            "checked": { "type": "integer", "minimum": 0 },
-            "failureReason": { "$ref": "#/definitions/error" },
-            "took": { "type": "integer" },
-            "version": { "type": "integer" },
-            "problems": {
-              "type": "array",
-              "minItems": 1,
-              "$ref": "#/definitions/validationProblem"
-            }
-          }
-        }
-      }
-    },
-    "outgoingBatch": {
-      "type": "object",
-      "additionalProperties": false,
-      "anyOf": [
-        {"required": ["sent"]},
-        {"required": ["failed"]}
-      ],
-      "properties": {
-        "sent": { "type": "integer", "minimum": 1 },
-        "failed": { "type": "integer", "minimum": 1 }
-      }
-    },
-    "error": {
-      "oneOf": [
-        { "$ref": "#/definitions/httpError" },
-        { "$ref": "#/definitions/nsError" },
-        { "$ref": "#/definitions/shutdownError" },
-        { "$ref": "#/definitions/authError" },
-        { "$ref": "#/definitions/otherError" },
-        { "$ref": "#/definitions/unexpectedError" },
-        { "$ref": "#/definitions/sqlError" }
-      ]
-    },
-    "httpError": {
-      "required": ["name", "code"],
-      "properties": {
-        "name": { "enum": ["httperror"] },
-        "code": { "type": "integer" }
-      }
-    },
-    "nsError": {
-      "required": ["name", "code"],
-      "properties": {
-        "name": { "enum": ["nserror"] },
-        "code": { "type": "integer" }
-      }
-    },
-    "shutdownError": {
-      "required": ["name"],
-      "properties": {
-        "name": { "enum": ["shutdownerror"] }
-      }
-    },
-    "authError": {
-      "required": ["name"],
-      "properties": {
-        "name": { "enum": ["autherror"] },
-        "from": { "enum": ["tokenserver", "fxaccounts", "hawkclient"] }
-      }
-    },
-    "otherError": {
-      "required": ["name"],
-      "properties": {
-        "name": { "enum": ["othererror"] },
-        "error": { "type": "string" }
-      }
-    },
-    "unexpectedError": {
-      "required": ["name"],
-      "properties": {
-        "name": { "enum": ["unexpectederror"] },
-        "error": { "type": "string" }
-      }
-    },
-    "sqlError": {
-      "required": ["name"],
-      "properties": {
-        "name": { "enum": ["sqlerror"] },
-        "code": { "type": "integer" }
-      }
-    },
-    "validationProblem": {
-      "required": ["name", "count"],
-      "properties": {
-        "name": { "type": "string" },
-        "count": { "type": "integer" }
-      }
-    }
-  }
-}
\ No newline at end of file
diff --git a/services/sync/tests/unit/systemaddon-search.xml b/services/sync/tests/unit/systemaddon-search.xml
deleted file mode 100644
index d34e3937c3..0000000000
--- a/services/sync/tests/unit/systemaddon-search.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<searchresults total_results="1">
-  <addon id="5618">
-  <name>System Add-on Test</name>
-  <type id="1">Extension</type>
-  <guid>system1@tests.mozilla.org</guid>
-  <slug>addon11</slug>
-  <version>1.0</version>
-
-  <compatible_applications><application>
-      <name>Firefox</name>
-      <application_id>1</application_id>
-      <min_version>3.6</min_version>
-      <max_version>*</max_version>
-      <appID>xpcshell@tests.mozilla.org</appID>
-    </application></compatible_applications>
-  <all_compatible_os><os>ALL</os></all_compatible_os>
-
-  <install os="ALL" size="999">http://127.0.0.1:8888/system.xpi</install>
-    <created epoch="1252903662">
-      2009-09-14T04:47:42Z
-    </created>
-    <last_updated epoch="1315255329">
-      2011-09-05T20:42:09Z
-    </last_updated>
-    </addon>
-</searchresults>
diff --git a/services/sync/tests/unit/test_addon_utils.js b/services/sync/tests/unit/test_addon_utils.js
index bbbd81d0d8..49824cd4ce 100644
--- a/services/sync/tests/unit/test_addon_utils.js
+++ b/services/sync/tests/unit/test_addon_utils.js
@@ -3,7 +3,6 @@
 
 "use strict";
 
-Cu.import("resource://gre/modules/Log.jsm");
 Cu.import("resource://gre/modules/Preferences.jsm");
 Cu.import("resource://services-sync/addonutils.js");
 Cu.import("resource://services-sync/util.js");
@@ -11,7 +10,7 @@ Cu.import("resource://services-sync/util.js");
 const HTTP_PORT = 8888;
 const SERVER_ADDRESS = "http://127.0.0.1:8888";
 
-var prefs = new Preferences();
+let prefs = new Preferences();
 
 prefs.set("extensions.getAddons.get.url",
           SERVER_ADDRESS + "/search/guid:%IDS%");
@@ -36,7 +35,7 @@ function createAndStartHTTPServer(port=HTTP_PORT) {
     return server;
   } catch (ex) {
     _("Got exception starting HTTP server on port " + port);
-    _("Error: " + Log.exceptionStr(ex));
+    _("Error: " + Utils.exceptionStr(ex));
     do_throw(ex);
   }
 }
@@ -61,9 +60,6 @@ add_test(function test_handle_empty_source_uri() {
   do_check_true("installedIDs" in result);
   do_check_eq(0, result.installedIDs.length);
 
-  do_check_true("skipped" in result);
-  do_check_true(result.skipped.includes(ID));
-
   server.stop(run_next_test);
 });
 
@@ -83,18 +79,44 @@ add_test(function test_ignore_untrusted_source_uris() {
     let sourceURI = ioService.newURI(s, null, null);
     let addon = {sourceURI: sourceURI, name: "bad", id: "bad"};
 
-    let canInstall = AddonUtils.canInstallAddon(addon);
-    do_check_false(canInstall, "Correctly rejected a bad URL");
+    try {
+      let cb = Async.makeSpinningCallback();
+      AddonUtils.getInstallFromSearchResult(addon, cb, true);
+      cb.wait();
+    } catch (ex) {
+      do_check_neq(null, ex);
+      do_check_eq(0, ex.message.indexOf("Insecure source URI"));
+      continue;
+    }
+
+    // We should never get here if an exception is thrown.
+    do_check_true(false);
   }
 
+  let count = 0;
   for (let s of good) {
     let sourceURI = ioService.newURI(s, null, null);
     let addon = {sourceURI: sourceURI, name: "good", id: "good"};
 
-    let canInstall = AddonUtils.canInstallAddon(addon);
-    do_check_true(canInstall, "Correctly accepted a good URL");
+    // Despite what you might think, we don't get an error in the callback.
+    // The install won't work because the underlying Addon instance wasn't
+    // proper. But, that just results in an AddonInstall that is missing
+    // certain values. We really just care that the callback is being invoked
+    // anyway.
+    let callback = function onInstall(error, install) {
+      do_check_null(error);
+      do_check_neq(null, install);
+      do_check_eq(sourceURI.spec, install.sourceURI.spec);
+
+      count += 1;
+
+      if (count >= good.length) {
+        run_next_test();
+      }
+    };
+
+    AddonUtils.getInstallFromSearchResult(addon, callback, true);
   }
-  run_next_test();
 });
 
 add_test(function test_source_uri_rewrite() {
@@ -103,6 +125,8 @@ add_test(function test_source_uri_rewrite() {
   // This tests for conformance with bug 708134 so server-side metrics aren't
   // skewed.
 
+  Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
+
   // We resort to monkeypatching because of the API design.
   let oldFunction = AddonUtils.__proto__.installAddonFromSearchResult;
 
@@ -127,15 +151,12 @@ add_test(function test_source_uri_rewrite() {
   let server = createAndStartHTTPServer();
 
   let installCallback = Async.makeSpinningCallback();
-  let installOptions = {
-    id: "rewrite@tests.mozilla.org",
-    requireSecureURI: false,
-  }
-  AddonUtils.installAddons([installOptions], installCallback);
+  AddonUtils.installAddons([{id: "rewrite@tests.mozilla.org"}], installCallback);
 
   installCallback.wait();
   do_check_true(installCalled);
   AddonUtils.__proto__.installAddonFromSearchResult = oldFunction;
 
+  Svc.Prefs.reset("addons.ignoreRepositoryChecking");
   server.stop(run_next_test);
 });
diff --git a/services/sync/tests/unit/test_addons_engine.js b/services/sync/tests/unit/test_addons_engine.js
index 64e4e32e8c..ca2e4bd965 100644
--- a/services/sync/tests/unit/test_addons_engine.js
+++ b/services/sync/tests/unit/test_addons_engine.js
@@ -13,20 +13,19 @@ Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 
-var prefs = new Preferences();
+let prefs = new Preferences();
 prefs.set("extensions.getAddons.get.url",
           "http://localhost:8888/search/guid:%IDS%");
-prefs.set("extensions.install.requireSecureOrigin", false);
 
 loadAddonTestFunctions();
 startupManager();
 
-var engineManager = Service.engineManager;
+let engineManager = Service.engineManager;
 
 engineManager.register(AddonsEngine);
-var engine = engineManager.get("addons");
-var reconciler = engine._reconciler;
-var tracker = engine._tracker;
+let engine = engineManager.get("addons");
+let reconciler = engine._reconciler;
+let tracker = engine._tracker;
 
 function advance_test() {
   reconciler._addons = {};
@@ -36,6 +35,8 @@ function advance_test() {
   reconciler.saveState(null, cb);
   cb.wait();
 
+  Svc.Prefs.reset("addons.ignoreRepositoryChecking");
+
   run_next_test();
 }
 
@@ -103,6 +104,7 @@ add_test(function test_get_changed_ids() {
   tracker.clearChangedIDs();
 
   _("Ensure reconciler changes are populated.");
+  Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
   let addon = installAddon("test_bootstrap1_1");
   tracker.clearChangedIDs(); // Just in case.
   changes = engine.getChangedIDs();
@@ -149,6 +151,9 @@ add_test(function test_disabled_install_semantics() {
   // This is essentially a test for bug 712542, which snuck into the original
   // add-on sync drop. It ensures that when an add-on is installed that the
   // disabled state and incoming syncGUID is preserved, even on the next sync.
+
+  Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
+
   const USER       = "foo";
   const PASSWORD   = "password";
   const PASSPHRASE = "abcdeabcdeabcdeabcdeabcdea";
diff --git a/services/sync/tests/unit/test_addons_reconciler.js b/services/sync/tests/unit/test_addons_reconciler.js
index d93bdfc038..8cfa37d78f 100644
--- a/services/sync/tests/unit/test_addons_reconciler.js
+++ b/services/sync/tests/unit/test_addons_reconciler.js
@@ -71,7 +71,7 @@ add_test(function test_install_detection() {
 
   const KEYS = ["id", "guid", "enabled", "installed", "modified", "type",
                 "scope", "foreignInstall"];
-  for (let key of KEYS) {
+  for each (let key in KEYS) {
     do_check_true(key in record);
     do_check_neq(null, record[key]);
   }
diff --git a/services/sync/tests/unit/test_addons_store.js b/services/sync/tests/unit/test_addons_store.js
index b52cfab316..b21f6afe13 100644
--- a/services/sync/tests/unit/test_addons_store.js
+++ b/services/sync/tests/unit/test_addons_store.js
@@ -3,47 +3,25 @@
 
 "use strict";
 
-Cu.import("resource://gre/modules/Log.jsm");
 Cu.import("resource://gre/modules/Preferences.jsm");
 Cu.import("resource://services-sync/addonutils.js");
 Cu.import("resource://services-sync/engines/addons.js");
 Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
-Cu.import("resource://testing-common/services/sync/utils.js");
-Cu.import("resource://gre/modules/FileUtils.jsm");
 
 const HTTP_PORT = 8888;
 
-var prefs = new Preferences();
+let prefs = new Preferences();
 
 prefs.set("extensions.getAddons.get.url", "http://localhost:8888/search/guid:%IDS%");
-prefs.set("extensions.install.requireSecureOrigin", false);
-
-const SYSTEM_ADDON_ID = "system1@tests.mozilla.org";
-let systemAddonFile;
-
-// The system add-on must be installed before AddonManager is started.
-function loadSystemAddon() {
-  let addonFilename = SYSTEM_ADDON_ID + ".xpi";
-  const distroDir = FileUtils.getDir("ProfD", ["sysfeatures", "app0"], true);
-  do_get_file(ExtensionsTestPath("/data/system_addons/system1_1.xpi")).copyTo(distroDir, addonFilename);
-  systemAddonFile = FileUtils.File(distroDir.path);
-  systemAddonFile.append(addonFilename);
-  systemAddonFile.lastModifiedTime = Date.now();
-  // As we're not running in application, we need to setup the features directory
-  // used by system add-ons.
-  registerDirectory("XREAppFeat", distroDir);
-}
-
 loadAddonTestFunctions();
-loadSystemAddon();
 startupManager();
 
 Service.engineManager.register(AddonsEngine);
-var engine     = Service.engineManager.get("addons");
-var tracker    = engine._tracker;
-var store      = engine._store;
-var reconciler = engine._reconciler;
+let engine     = Service.engineManager.get("addons");
+let tracker    = engine._tracker;
+let store      = engine._store;
+let reconciler = engine._reconciler;
 
 /**
  * Create a AddonsRec for this application with the fields specified.
@@ -77,16 +55,12 @@ function createAndStartHTTPServer(port) {
     server.registerFile("/search/guid:missing-xpi%40tests.mozilla.org",
                         do_get_file("missing-xpi-search.xml"));
 
-    server.registerFile("/search/guid:system1%40tests.mozilla.org",
-                        do_get_file("systemaddon-search.xml"));
-    server.registerFile("/system.xpi", systemAddonFile);
-
     server.start(port);
 
     return server;
   } catch (ex) {
     _("Got exception starting HTTP server on port " + port);
-    _("Error: " + Log.exceptionStr(ex));
+    _("Error: " + Utils.exceptionStr(ex));
     do_throw(ex);
   }
 }
@@ -94,7 +68,6 @@ function createAndStartHTTPServer(port) {
 function run_test() {
   initTestLogging("Trace");
   Log.repository.getLogger("Sync.Engine.Addons").level = Log.Level.Trace;
-  Log.repository.getLogger("Sync.Tracker.Addons").level = Log.Level.Trace;
   Log.repository.getLogger("Sync.AddonsRepository").level =
     Log.Level.Trace;
 
@@ -219,6 +192,7 @@ add_test(function test_apply_uninstall() {
 add_test(function test_addon_syncability() {
   _("Ensure isAddonSyncable functions properly.");
 
+  Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
   Svc.Prefs.set("addons.trustedSourceHostnames",
                 "addons.mozilla.org,other.example.com");
 
@@ -228,8 +202,8 @@ add_test(function test_addon_syncability() {
   do_check_true(store.isAddonSyncable(addon));
 
   let dummy = {};
-  const KEYS = ["id", "syncGUID", "type", "scope", "foreignInstall", "isSyncable"];
-  for (let k of KEYS) {
+  const KEYS = ["id", "syncGUID", "type", "scope", "foreignInstall"];
+  for each (let k in KEYS) {
     dummy[k] = addon[k];
   }
 
@@ -243,10 +217,6 @@ add_test(function test_addon_syncability() {
   do_check_false(store.isAddonSyncable(dummy));
   dummy.scope = addon.scope;
 
-  dummy.isSyncable = false;
-  do_check_false(store.isAddonSyncable(dummy));
-  dummy.isSyncable = addon.isSyncable;
-
   dummy.foreignInstall = true;
   do_check_false(store.isAddonSyncable(dummy));
   dummy.foreignInstall = false;
@@ -272,16 +242,16 @@ add_test(function test_addon_syncability() {
     "https://untrusted.example.com/foo", // non-trusted hostname`
   ];
 
-  for (let uri of trusted) {
+  for each (let uri in trusted) {
     do_check_true(store.isSourceURITrusted(createURI(uri)));
   }
 
-  for (let uri of untrusted) {
+  for each (let uri in untrusted) {
     do_check_false(store.isSourceURITrusted(createURI(uri)));
   }
 
   Svc.Prefs.set("addons.trustedSourceHostnames", "");
-  for (let uri of trusted) {
+  for each (let uri in trusted) {
     do_check_false(store.isSourceURITrusted(createURI(uri)));
   }
 
@@ -296,6 +266,8 @@ add_test(function test_addon_syncability() {
 add_test(function test_ignore_hotfixes() {
   _("Ensure that hotfix extensions are ignored.");
 
+  Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
+
   // A hotfix extension is one that has the id the same as the
   // extensions.hotfix.id pref.
   let prefs = new Preferences("extensions.");
@@ -304,8 +276,8 @@ add_test(function test_ignore_hotfixes() {
   do_check_true(store.isAddonSyncable(addon));
 
   let dummy = {};
-  const KEYS = ["id", "syncGUID", "type", "scope", "foreignInstall", "isSyncable"];
-  for (let k of KEYS) {
+  const KEYS = ["id", "syncGUID", "type", "scope", "foreignInstall"];
+  for each (let k in KEYS) {
     dummy[k] = addon[k];
   }
 
@@ -327,6 +299,7 @@ add_test(function test_ignore_hotfixes() {
 
   uninstallAddon(addon);
 
+  Svc.Prefs.reset("addons.ignoreRepositoryChecking");
   prefs.reset("hotfix.id");
 
   run_next_test();
@@ -336,6 +309,8 @@ add_test(function test_ignore_hotfixes() {
 add_test(function test_get_all_ids() {
   _("Ensures that getAllIDs() returns an appropriate set.");
 
+  Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
+
   _("Installing two addons.");
   let addon1 = installAddon("test_install1");
   let addon2 = installAddon("test_bootstrap1_1");
@@ -354,6 +329,7 @@ add_test(function test_get_all_ids() {
   addon1.install.cancel();
   uninstallAddon(addon2);
 
+  Svc.Prefs.reset("addons.ignoreRepositoryChecking");
   run_next_test();
 });
 
@@ -379,6 +355,9 @@ add_test(function test_change_item_id() {
 add_test(function test_create() {
   _("Ensure creating/installing an add-on from a record works.");
 
+  // Set this so that getInstallFromSearchResult doesn't end up
+  // failing the install due to an insecure source URI scheme.
+  Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
   let server = createAndStartHTTPServer(HTTP_PORT);
 
   let addon = installAddon("test_bootstrap1_1");
@@ -398,6 +377,7 @@ add_test(function test_create() {
 
   uninstallAddon(newAddon);
 
+  Svc.Prefs.reset("addons.ignoreRepositoryChecking");
   server.stop(run_next_test);
 });
 
@@ -432,18 +412,8 @@ add_test(function test_create_bad_install() {
   let record = createRecordForThisApp(guid, id, true, false);
 
   let failed = store.applyIncomingBatch([record]);
-  // This addon had no source URI so was skipped - but it's not treated as
-  // failure.
-  // XXX - this test isn't testing what we thought it was. Previously the addon
-  // was not being installed due to requireSecureURL checking *before* we'd
-  // attempted to get the XPI.
-  // With requireSecureURL disabled we do see a download failure, but the addon
-  // *does* get added to |failed|.
-  // FTR: onDownloadFailed() is called with ERROR_NETWORK_FAILURE, so it's going
-  // to be tricky to distinguish a 404 from other transient network errors
-  // where we do want the addon to end up in |failed|.
-  // This is being tracked in bug 1284778.
-  //do_check_eq(0, failed.length);
+  do_check_eq(1, failed.length);
+  do_check_eq(guid, failed[0]);
 
   let addon = getAddonFromAddonManagerByID(id);
   do_check_eq(null, addon);
@@ -451,56 +421,19 @@ add_test(function test_create_bad_install() {
   server.stop(run_next_test);
 });
 
-add_test(function test_ignore_system() {
-  _("Ensure we ignore system addons");
-  // Our system addon should not appear in getAllIDs
-  engine._refreshReconcilerState();
-  let num = 0;
-  for (let guid in store.getAllIDs()) {
-    num += 1;
-    let addon = reconciler.getAddonStateFromSyncGUID(guid);
-    do_check_neq(addon.id, SYSTEM_ADDON_ID);
-  }
-  do_check_true(num > 1, "should have seen at least one.")
-  run_next_test();
-});
-
-add_test(function test_incoming_system() {
-  _("Ensure we handle incoming records that refer to a system addon");
-  // eg, loop initially had a normal addon but it was then "promoted" to be a
-  // system addon but wanted to keep the same ID. The server record exists due
-  // to this.
-
-  // before we start, ensure the system addon isn't disabled.
-  do_check_false(getAddonFromAddonManagerByID(SYSTEM_ADDON_ID).userDisabled);
-
-  // Now simulate an incoming record with the same ID as the system addon,
-  // but flagged as disabled - it should not be applied.
-  let server = createAndStartHTTPServer(HTTP_PORT);
-  // We make the incoming record flag the system addon as disabled - it should
-  // be ignored.
-  let guid = Utils.makeGUID();
-  let record = createRecordForThisApp(guid, SYSTEM_ADDON_ID, false, false);
-
-  let failed = store.applyIncomingBatch([record]);
-  do_check_eq(0, failed.length);
-
-  // The system addon should still not be userDisabled.
-  do_check_false(getAddonFromAddonManagerByID(SYSTEM_ADDON_ID).userDisabled);
-
-  server.stop(run_next_test);
-});
-
 add_test(function test_wipe() {
   _("Ensures that wiping causes add-ons to be uninstalled.");
 
   let addon1 = installAddon("test_bootstrap1_1");
 
+  Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
   store.wipe();
 
   let addon = getAddonFromAddonManagerByID(addon1.id);
   do_check_eq(null, addon);
 
+  Svc.Prefs.reset("addons.ignoreRepositoryChecking");
+
   run_next_test();
 });
 
@@ -515,6 +448,7 @@ add_test(function test_wipe_and_install() {
   let record = createRecordForThisApp(installed.syncGUID, installed.id, true,
                                       false);
 
+  Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
   store.wipe();
 
   let deleted = getAddonFromAddonManagerByID(installed.id);
@@ -528,6 +462,7 @@ add_test(function test_wipe_and_install() {
   let fetched = getAddonFromAddonManagerByID(record.addonID);
   do_check_true(!!fetched);
 
+  Svc.Prefs.reset("addons.ignoreRepositoryChecking");
   server.stop(run_next_test);
 });
 
diff --git a/services/sync/tests/unit/test_addons_tracker.js b/services/sync/tests/unit/test_addons_tracker.js
index 01bf37ab9e..690a57d037 100644
--- a/services/sync/tests/unit/test_addons_tracker.js
+++ b/services/sync/tests/unit/test_addons_tracker.js
@@ -11,13 +11,14 @@ Cu.import("resource://services-sync/util.js");
 
 loadAddonTestFunctions();
 startupManager();
+Svc.Prefs.set("addons.ignoreRepositoryChecking", true);
 Svc.Prefs.set("engine.addons", true);
 
 Service.engineManager.register(AddonsEngine);
-var engine     = Service.engineManager.get("addons");
-var reconciler = engine._reconciler;
-var store      = engine._store;
-var tracker    = engine._tracker;
+let engine     = Service.engineManager.get("addons");
+let reconciler = engine._reconciler;
+let store      = engine._store;
+let tracker    = engine._tracker;
 
 // Don't write out by default.
 tracker.persistChangedIDs = false;
diff --git a/services/sync/tests/unit/test_bookmark_duping.js b/services/sync/tests/unit/test_bookmark_duping.js
deleted file mode 100644
index 1e6c6ed2e1..0000000000
--- a/services/sync/tests/unit/test_bookmark_duping.js
+++ /dev/null
@@ -1,644 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Cu.import("resource://gre/modules/PlacesUtils.jsm");
-Cu.import("resource://services-common/async.js");
-Cu.import("resource://gre/modules/Log.jsm");
-Cu.import("resource://services-sync/engines.js");
-Cu.import("resource://services-sync/engines/bookmarks.js");
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://testing-common/services/sync/utils.js");
-Cu.import("resource://services-sync/bookmark_validator.js");
-
-
-initTestLogging("Trace");
-
-const bms = PlacesUtils.bookmarks;
-
-Service.engineManager.register(BookmarksEngine);
-
-const engine = new BookmarksEngine(Service);
-const store = engine._store;
-store._log.level = Log.Level.Trace;
-engine._log.level = Log.Level.Trace;
-
-function promiseOneObserver(topic) {
-  return new Promise((resolve, reject) => {
-    let observer = function(subject, topic, data) {
-      Services.obs.removeObserver(observer, topic);
-      resolve({ subject: subject, data: data });
-    }
-    Services.obs.addObserver(observer, topic, false);
-  });
-}
-
-function setup() {
- let server = serverForUsers({"foo": "password"}, {
-    meta: {global: {engines: {bookmarks: {version: engine.version,
-                                          syncID: engine.syncID}}}},
-    bookmarks: {},
-  });
-
-  generateNewKeys(Service.collectionKeys);
-
-  new SyncTestingInfrastructure(server.server);
-
-  let collection = server.user("foo").collection("bookmarks");
-
-  Svc.Obs.notify("weave:engine:start-tracking");   // We skip usual startup...
-
-  return { server, collection };
-}
-
-function* cleanup(server) {
-  Svc.Obs.notify("weave:engine:stop-tracking");
-  Services.prefs.setBoolPref("services.sync-testing.startOverKeepIdentity", true);
-  let promiseStartOver = promiseOneObserver("weave:service:start-over:finish");
-  Service.startOver();
-  yield promiseStartOver;
-  yield new Promise(resolve => server.stop(resolve));
-  yield bms.eraseEverything();
-}
-
-function getFolderChildrenIDs(folderId) {
-  let index = 0;
-  let result = [];
-  while (true) {
-    let childId = bms.getIdForItemAt(folderId, index);
-    if (childId == -1) {
-      break;
-    }
-    result.push(childId);
-    index++;
-  }
-  return result;
-}
-
-function createFolder(parentId, title) {
-  let id = bms.createFolder(parentId, title, 0);
-  let guid = store.GUIDForId(id);
-  return { id, guid };
-}
-
-function createBookmark(parentId, url, title, index = bms.DEFAULT_INDEX) {
-  let uri = Utils.makeURI(url);
-  let id = bms.insertBookmark(parentId, uri, index, title)
-  let guid = store.GUIDForId(id);
-  return { id, guid };
-}
-
-function getServerRecord(collection, id) {
-  let wbo = collection.get({ full: true, ids: [id] });
-  // Whew - lots of json strings inside strings.
-  return JSON.parse(JSON.parse(JSON.parse(wbo).payload).ciphertext);
-}
-
-function* promiseNoLocalItem(guid) {
-  // Check there's no item with the specified guid.
-  let got = yield bms.fetch({ guid });
-  ok(!got, `No record remains with GUID ${guid}`);
-  // and while we are here ensure the places cache doesn't still have it.
-  yield Assert.rejects(PlacesUtils.promiseItemId(guid));
-}
-
-function* validate(collection, expectedFailures = []) {
-  let validator = new BookmarkValidator();
-  let records = collection.payloads();
-
-  let problems = validator.inspectServerRecords(records).problemData;
-  // all non-zero problems.
-  let summary = problems.getSummary().filter(prob => prob.count != 0);
-
-  // split into 2 arrays - expected and unexpected.
-  let isInExpectedFailures = elt =>  {
-    for (let i = 0; i < expectedFailures.length; i++) {
-      if (elt.name == expectedFailures[i].name && elt.count == expectedFailures[i].count) {
-        return true;
-      }
-    }
-    return false;
-  }
-  let expected = [];
-  let unexpected = [];
-  for (let elt of summary) {
-    (isInExpectedFailures(elt) ? expected : unexpected).push(elt);
-  }
-  if (unexpected.length || expected.length != expectedFailures.length) {
-    do_print("Validation failed:");
-    do_print(JSON.stringify(summary));
-    // print the entire validator output as it has IDs etc.
-    do_print(JSON.stringify(problems, undefined, 2));
-    // All server records and the entire bookmark tree.
-    do_print("Server records:\n" + JSON.stringify(collection.payloads(), undefined, 2));
-    let tree = yield PlacesUtils.promiseBookmarksTree("", { includeItemIds: true });
-    do_print("Local bookmark tree:\n" + JSON.stringify(tree, undefined, 2));
-    ok(false);
-  }
-}
-
-add_task(function* test_dupe_bookmark() {
-  _("Ensure that a bookmark we consider a dupe is handled correctly.");
-
-  let { server, collection } = this.setup();
-
-  try {
-    // The parent folder and one bookmark in it.
-    let {id: folder1_id, guid: folder1_guid } = createFolder(bms.toolbarFolder, "Folder 1");
-    let {id: bmk1_id, guid: bmk1_guid} = createBookmark(folder1_id, "http://getfirefox.com/", "Get Firefox!");
-
-    engine.sync();
-
-    // We've added the bookmark, its parent (folder1) plus "menu", "toolbar", "unfiled", and "mobile".
-    equal(collection.count(), 6);
-    equal(getFolderChildrenIDs(folder1_id).length, 1);
-
-    // Now create a new incoming record that looks alot like a dupe.
-    let newGUID = Utils.makeGUID();
-    let to_apply = {
-      id: newGUID,
-      bmkUri: "http://getfirefox.com/",
-      type: "bookmark",
-      title: "Get Firefox!",
-      parentName: "Folder 1",
-      parentid: folder1_guid,
-    };
-
-    collection.insert(newGUID, encryptPayload(to_apply), Date.now() / 1000 + 10);
-    _("Syncing so new dupe record is processed");
-    engine.lastSync = engine.lastSync - 0.01;
-    engine.sync();
-
-    // We should have logically deleted the dupe record.
-    equal(collection.count(), 7);
-    ok(getServerRecord(collection, bmk1_guid).deleted);
-    // and physically removed from the local store.
-    yield promiseNoLocalItem(bmk1_guid);
-    // Parent should still only have 1 item.
-    equal(getFolderChildrenIDs(folder1_id).length, 1);
-    // The parent record on the server should now reference the new GUID and not the old.
-    let serverRecord = getServerRecord(collection, folder1_guid);
-    ok(!serverRecord.children.includes(bmk1_guid));
-    ok(serverRecord.children.includes(newGUID));
-
-    // and a final sanity check - use the validator
-    yield validate(collection);
-  } finally {
-    yield cleanup(server);
-  }
-});
-
-add_task(function* test_dupe_reparented_bookmark() {
-  _("Ensure that a bookmark we consider a dupe from a different parent is handled correctly");
-
-  let { server, collection } = this.setup();
-
-  try {
-    // The parent folder and one bookmark in it.
-    let {id: folder1_id, guid: folder1_guid } = createFolder(bms.toolbarFolder, "Folder 1");
-    let {id: bmk1_id, guid: bmk1_guid} = createBookmark(folder1_id, "http://getfirefox.com/", "Get Firefox!");
-    // Another parent folder *with the same name*
-    let {id: folder2_id, guid: folder2_guid } = createFolder(bms.toolbarFolder, "Folder 1");
-
-    do_print(`folder1_guid=${folder1_guid}, folder2_guid=${folder2_guid}, bmk1_guid=${bmk1_guid}`);
-
-    engine.sync();
-
-    // We've added the bookmark, 2 folders plus "menu", "toolbar", "unfiled", and "mobile".
-    equal(collection.count(), 7);
-    equal(getFolderChildrenIDs(folder1_id).length, 1);
-    equal(getFolderChildrenIDs(folder2_id).length, 0);
-
-    // Now create a new incoming record that looks alot like a dupe of the
-    // item in folder1_guid, but with a record that points to folder2_guid.
-    let newGUID = Utils.makeGUID();
-    let to_apply = {
-      id: newGUID,
-      bmkUri: "http://getfirefox.com/",
-      type: "bookmark",
-      title: "Get Firefox!",
-      parentName: "Folder 1",
-      parentid: folder2_guid,
-    };
-
-    collection.insert(newGUID, encryptPayload(to_apply), Date.now() / 1000 + 10);
-
-    _("Syncing so new dupe record is processed");
-    engine.lastSync = engine.lastSync - 0.01;
-    engine.sync();
-
-    // We should have logically deleted the dupe record.
-    equal(collection.count(), 8);
-    ok(getServerRecord(collection, bmk1_guid).deleted);
-    // and physically removed from the local store.
-    yield promiseNoLocalItem(bmk1_guid);
-    // The original folder no longer has the item
-    equal(getFolderChildrenIDs(folder1_id).length, 0);
-    // But the second dupe folder does.
-    equal(getFolderChildrenIDs(folder2_id).length, 1);
-
-    // The record for folder1 on the server should reference neither old or new GUIDs.
-    let serverRecord1 = getServerRecord(collection, folder1_guid);
-    ok(!serverRecord1.children.includes(bmk1_guid));
-    ok(!serverRecord1.children.includes(newGUID));
-
-    // The record for folder2 on the server should only reference the new new GUID.
-    let serverRecord2 = getServerRecord(collection, folder2_guid);
-    ok(!serverRecord2.children.includes(bmk1_guid));
-    ok(serverRecord2.children.includes(newGUID));
-
-    // and a final sanity check - use the validator
-    yield validate(collection);
-  } finally {
-    yield cleanup(server);
-  }
-});
-
-add_task(function* test_dupe_reparented_locally_changed_bookmark() {
-  _("Ensure that a bookmark with local changes we consider a dupe from a different parent is handled correctly");
-
-  let { server, collection } = this.setup();
-
-  try {
-    // The parent folder and one bookmark in it.
-    let {id: folder1_id, guid: folder1_guid } = createFolder(bms.toolbarFolder, "Folder 1");
-    let {id: bmk1_id, guid: bmk1_guid} = createBookmark(folder1_id, "http://getfirefox.com/", "Get Firefox!");
-    // Another parent folder *with the same name*
-    let {id: folder2_id, guid: folder2_guid } = createFolder(bms.toolbarFolder, "Folder 1");
-
-    do_print(`folder1_guid=${folder1_guid}, folder2_guid=${folder2_guid}, bmk1_guid=${bmk1_guid}`);
-
-    engine.sync();
-
-    // We've added the bookmark, 2 folders plus "menu", "toolbar", "unfiled", and "mobile".
-    equal(collection.count(), 7);
-    equal(getFolderChildrenIDs(folder1_id).length, 1);
-    equal(getFolderChildrenIDs(folder2_id).length, 0);
-
-    // Now create a new incoming record that looks alot like a dupe of the
-    // item in folder1_guid, but with a record that points to folder2_guid.
-    let newGUID = Utils.makeGUID();
-    let to_apply = {
-      id: newGUID,
-      bmkUri: "http://getfirefox.com/",
-      type: "bookmark",
-      title: "Get Firefox!",
-      parentName: "Folder 1",
-      parentid: folder2_guid,
-    };
-
-    collection.insert(newGUID, encryptPayload(to_apply), Date.now() / 1000 + 10);
-
-    // Make a change to the bookmark that's a dupe, and set the modification
-    // time further in the future than the incoming record. This will cause
-    // us to issue the infamous "DATA LOSS" warning in the logs but cause us
-    // to *not* apply the incoming record.
-    engine._tracker.addChangedID(bmk1_guid, Date.now() / 1000 + 60);
-
-    _("Syncing so new dupe record is processed");
-    engine.lastSync = engine.lastSync - 0.01;
-    engine.sync();
-
-    // We should have logically deleted the dupe record.
-    equal(collection.count(), 8);
-    ok(getServerRecord(collection, bmk1_guid).deleted);
-    // and physically removed from the local store.
-    yield promiseNoLocalItem(bmk1_guid);
-    // The original folder still longer has the item
-    equal(getFolderChildrenIDs(folder1_id).length, 1);
-    // The second folder does not.
-    equal(getFolderChildrenIDs(folder2_id).length, 0);
-
-    // The record for folder1 on the server should reference only the GUID.
-    let serverRecord1 = getServerRecord(collection, folder1_guid);
-    ok(!serverRecord1.children.includes(bmk1_guid));
-    ok(serverRecord1.children.includes(newGUID));
-
-    // The record for folder2 on the server should reference nothing.
-    let serverRecord2 = getServerRecord(collection, folder2_guid);
-    ok(!serverRecord2.children.includes(bmk1_guid));
-    ok(!serverRecord2.children.includes(newGUID));
-
-    // and a final sanity check - use the validator
-    yield validate(collection);
-  } finally {
-    yield cleanup(server);
-  }
-});
-
-add_task(function* test_dupe_reparented_to_earlier_appearing_parent_bookmark() {
-  _("Ensure that a bookmark we consider a dupe from a different parent that " +
-    "appears in the same sync before the dupe item");
-
-  let { server, collection } = this.setup();
-
-  try {
-    // The parent folder and one bookmark in it.
-    let {id: folder1_id, guid: folder1_guid } = createFolder(bms.toolbarFolder, "Folder 1");
-    let {id: bmk1_id, guid: bmk1_guid} = createBookmark(folder1_id, "http://getfirefox.com/", "Get Firefox!");
-    // One more folder we'll use later.
-    let {id: folder2_id, guid: folder2_guid} = createFolder(bms.toolbarFolder, "A second folder");
-
-    do_print(`folder1=${folder1_guid}, bmk1=${bmk1_guid} folder2=${folder2_guid}`);
-
-    engine.sync();
-
-    // We've added the bookmark, 2 folders plus "menu", "toolbar", "unfiled", and "mobile".
-    equal(collection.count(), 7);
-    equal(getFolderChildrenIDs(folder1_id).length, 1);
-
-    let newGUID = Utils.makeGUID();
-    let newParentGUID = Utils.makeGUID();
-
-    // Have the new parent appear before the dupe item.
-    collection.insert(newParentGUID, encryptPayload({
-      id: newParentGUID,
-      type: "folder",
-      title: "Folder 1",
-      parentName: "A second folder",
-      parentid: folder2_guid,
-      children: [newGUID],
-      tags: [],
-    }), Date.now() / 1000 + 10);
-
-    // And also the update to "folder 2" that references the new parent.
-    collection.insert(folder2_guid, encryptPayload({
-      id: folder2_guid,
-      type: "folder",
-      title: "A second folder",
-      parentName: "Bookmarks Toolbar",
-      parentid: "toolbar",
-      children: [newParentGUID],
-      tags: [],
-    }), Date.now() / 1000 + 10);
-
-    // Now create a new incoming record that looks alot like a dupe of the
-    // item in folder1_guid, with a record that points to a parent with the
-    // same name which appeared earlier in this sync.
-    collection.insert(newGUID, encryptPayload({
-      id: newGUID,
-      bmkUri: "http://getfirefox.com/",
-      type: "bookmark",
-      title: "Get Firefox!",
-      parentName: "Folder 1",
-      parentid: newParentGUID,
-      tags: [],
-    }), Date.now() / 1000 + 10);
-
-
-    _("Syncing so new records are processed.");
-    engine.lastSync = engine.lastSync - 0.01;
-    engine.sync();
-
-    // Everything should be parented correctly.
-    equal(getFolderChildrenIDs(folder1_id).length, 0);
-    let newParentID = store.idForGUID(newParentGUID);
-    let newID = store.idForGUID(newGUID);
-    deepEqual(getFolderChildrenIDs(newParentID), [newID]);
-
-    // Make sure the validator thinks everything is hunky-dory.
-    yield validate(collection);
-  } finally {
-    yield cleanup(server);
-  }
-});
-
-add_task(function* test_dupe_reparented_to_later_appearing_parent_bookmark() {
-  _("Ensure that a bookmark we consider a dupe from a different parent that " +
-    "doesn't exist locally as we process the child, but does appear in the same sync");
-
-  let { server, collection } = this.setup();
-
-  try {
-    // The parent folder and one bookmark in it.
-    let {id: folder1_id, guid: folder1_guid } = createFolder(bms.toolbarFolder, "Folder 1");
-    let {id: bmk1_id, guid: bmk1_guid} = createBookmark(folder1_id, "http://getfirefox.com/", "Get Firefox!");
-    // One more folder we'll use later.
-    let {id: folder2_id, guid: folder2_guid} = createFolder(bms.toolbarFolder, "A second folder");
-
-    do_print(`folder1=${folder1_guid}, bmk1=${bmk1_guid} folder2=${folder2_guid}`);
-
-    engine.sync();
-
-    // We've added the bookmark, 2 folders plus "menu", "toolbar", "unfiled", and "mobile".
-    equal(collection.count(), 7);
-    equal(getFolderChildrenIDs(folder1_id).length, 1);
-
-    // Now create a new incoming record that looks alot like a dupe of the
-    // item in folder1_guid, but with a record that points to a parent with the
-    // same name, but a non-existing local ID.
-    let newGUID = Utils.makeGUID();
-    let newParentGUID = Utils.makeGUID();
-
-    collection.insert(newGUID, encryptPayload({
-      id: newGUID,
-      bmkUri: "http://getfirefox.com/",
-      type: "bookmark",
-      title: "Get Firefox!",
-      parentName: "Folder 1",
-      parentid: newParentGUID,
-      tags: [],
-    }), Date.now() / 1000 + 10);
-
-    // Now have the parent appear after (so when the record above is processed
-    // this is still unknown.)
-    collection.insert(newParentGUID, encryptPayload({
-      id: newParentGUID,
-      type: "folder",
-      title: "Folder 1",
-      parentName: "A second folder",
-      parentid: folder2_guid,
-      children: [newGUID],
-      tags: [],
-    }), Date.now() / 1000 + 10);
-    // And also the update to "folder 2" that references the new parent.
-    collection.insert(folder2_guid, encryptPayload({
-      id: folder2_guid,
-      type: "folder",
-      title: "A second folder",
-      parentName: "Bookmarks Toolbar",
-      parentid: "toolbar",
-      children: [newParentGUID],
-      tags: [],
-    }), Date.now() / 1000 + 10);
-
-    _("Syncing so out-of-order records are processed.");
-    engine.lastSync = engine.lastSync - 0.01;
-    engine.sync();
-
-    // The intended parent did end up existing, so it should be parented
-    // correctly after de-duplication.
-    equal(getFolderChildrenIDs(folder1_id).length, 0);
-    let newParentID = store.idForGUID(newParentGUID);
-    let newID = store.idForGUID(newGUID);
-    deepEqual(getFolderChildrenIDs(newParentID), [newID]);
-
-    // Make sure the validator thinks everything is hunky-dory.
-    yield validate(collection);
-  } finally {
-    yield cleanup(server);
-  }
-});
-
-add_task(function* test_dupe_reparented_to_future_arriving_parent_bookmark() {
-  _("Ensure that a bookmark we consider a dupe from a different parent that " +
-    "doesn't exist locally and doesn't appear in this Sync is handled correctly");
-
-  let { server, collection } = this.setup();
-
-  try {
-    // The parent folder and one bookmark in it.
-    let {id: folder1_id, guid: folder1_guid } = createFolder(bms.toolbarFolder, "Folder 1");
-    let {id: bmk1_id, guid: bmk1_guid} = createBookmark(folder1_id, "http://getfirefox.com/", "Get Firefox!");
-    // One more folder we'll use later.
-    let {id: folder2_id, guid: folder2_guid} = createFolder(bms.toolbarFolder, "A second folder");
-
-    do_print(`folder1=${folder1_guid}, bmk1=${bmk1_guid} folder2=${folder2_guid}`);
-
-    engine.sync();
-
-    // We've added the bookmark, 2 folders plus "menu", "toolbar", "unfiled", and "mobile".
-    equal(collection.count(), 7);
-    equal(getFolderChildrenIDs(folder1_id).length, 1);
-
-    // Now create a new incoming record that looks alot like a dupe of the
-    // item in folder1_guid, but with a record that points to a parent with the
-    // same name, but a non-existing local ID.
-    let newGUID = Utils.makeGUID();
-    let newParentGUID = Utils.makeGUID();
-
-    collection.insert(newGUID, encryptPayload({
-      id: newGUID,
-      bmkUri: "http://getfirefox.com/",
-      type: "bookmark",
-      title: "Get Firefox!",
-      parentName: "Folder 1",
-      parentid: newParentGUID,
-      tags: [],
-    }), Date.now() / 1000 + 10);
-
-    _("Syncing so new dupe record is processed");
-    engine.lastSync = engine.lastSync - 0.01;
-    engine.sync();
-
-    // We should have logically deleted the dupe record.
-    equal(collection.count(), 8);
-    ok(getServerRecord(collection, bmk1_guid).deleted);
-    // and physically removed from the local store.
-    yield promiseNoLocalItem(bmk1_guid);
-    // The intended parent doesn't exist, so it remains in the original folder
-    equal(getFolderChildrenIDs(folder1_id).length, 1);
-
-    // The record for folder1 on the server should reference the new GUID.
-    let serverRecord1 = getServerRecord(collection, folder1_guid);
-    ok(!serverRecord1.children.includes(bmk1_guid));
-    ok(serverRecord1.children.includes(newGUID));
-
-    // As the incoming parent is missing the item should have been annotated
-    // with that missing parent.
-    equal(PlacesUtils.annotations.getItemAnnotation(store.idForGUID(newGUID), "sync/parent"),
-          newParentGUID);
-
-    // Check the validator. Sadly, this is known to cause a mismatch between
-    // the server and client views of the tree.
-    let expected = [
-      // We haven't fixed the incoming record that referenced the missing parent.
-      { name: "orphans", count: 1 },
-    ];
-    yield validate(collection, expected);
-
-    // Now have the parent magically appear in a later sync - but
-    // it appears as being in a different parent from our existing "Folder 1",
-    // so the folder itself isn't duped.
-    collection.insert(newParentGUID, encryptPayload({
-      id: newParentGUID,
-      type: "folder",
-      title: "Folder 1",
-      parentName: "A second folder",
-      parentid: folder2_guid,
-      children: [newGUID],
-      tags: [],
-    }), Date.now() / 1000 + 10);
-    // We also queue an update to "folder 2" that references the new parent.
-    collection.insert(folder2_guid, encryptPayload({
-      id: folder2_guid,
-      type: "folder",
-      title: "A second folder",
-      parentName: "Bookmarks Toolbar",
-      parentid: "toolbar",
-      children: [newParentGUID],
-      tags: [],
-    }), Date.now() / 1000 + 10);
-
-    _("Syncing so missing parent appears");
-    engine.lastSync = engine.lastSync - 0.01;
-    engine.sync();
-
-    // The intended parent now does exist, so it should have been reparented.
-    equal(getFolderChildrenIDs(folder1_id).length, 0);
-    let newParentID = store.idForGUID(newParentGUID);
-    let newID = store.idForGUID(newGUID);
-    deepEqual(getFolderChildrenIDs(newParentID), [newID]);
-
-    // validation now has different errors :(
-    expected = [
-      // The validator reports multipleParents because:
-      // * The incoming record newParentGUID still (and correctly) references
-      //   newGUID as a child.
-      // * Our original Folder1 was updated to include newGUID when it
-      //   originally de-deuped and couldn't find the parent.
-      // * When the parent *did* eventually arrive we used the parent annotation
-      //   to correctly reparent - but that reparenting process does not change
-      //   the server record.
-      // Hence, newGUID is a child of both those server records :(
-      { name: "multipleParents", count: 1 },
-    ];
-    yield validate(collection, expected);
-
-  } finally {
-    yield cleanup(server);
-  }
-});
-
-add_task(function* test_dupe_empty_folder() {
-  _("Ensure that an empty folder we consider a dupe is handled correctly.");
-  // Empty folders aren't particularly interesting in practice (as that seems
-  // an edge-case) but duping folders with items is broken - bug 1293163.
-  let { server, collection } = this.setup();
-
-  try {
-    // The folder we will end up duping away.
-    let {id: folder1_id, guid: folder1_guid } = createFolder(bms.toolbarFolder, "Folder 1");
-
-    engine.sync();
-
-    // We've added 1 folder, "menu", "toolbar", "unfiled", and "mobile".
-    equal(collection.count(), 5);
-
-    // Now create new incoming records that looks alot like a dupe of "Folder 1".
-    let newFolderGUID = Utils.makeGUID();
-    collection.insert(newFolderGUID, encryptPayload({
-      id: newFolderGUID,
-      type: "folder",
-      title: "Folder 1",
-      parentName: "Bookmarks Toolbar",
-      parentid: "toolbar",
-      children: [],
-    }), Date.now() / 1000 + 10);
-
-    _("Syncing so new dupe records are processed");
-    engine.lastSync = engine.lastSync - 0.01;
-    engine.sync();
-
-    yield validate(collection);
-
-    // Collection now has one additional record - the logically deleted dupe.
-    equal(collection.count(), 6);
-    // original folder should be logically deleted.
-    ok(getServerRecord(collection, folder1_guid).deleted);
-    yield promiseNoLocalItem(folder1_guid);
-  } finally {
-    yield cleanup(server);
-  }
-});
-// XXX - TODO - folders with children. Bug 1293163
diff --git a/services/sync/tests/unit/test_bookmark_engine.js b/services/sync/tests/unit/test_bookmark_engine.js
index 9de6c5c0dc..bd4c740cbc 100644
--- a/services/sync/tests/unit/test_bookmark_engine.js
+++ b/services/sync/tests/unit/test_bookmark_engine.js
@@ -2,10 +2,9 @@
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 Cu.import("resource://gre/modules/PlacesUtils.jsm");
-Cu.import("resource://gre/modules/PlacesSyncUtils.jsm");
 Cu.import("resource://gre/modules/BookmarkJSONUtils.jsm");
+Cu.import("resource://services-common/async.js");
 Cu.import("resource://gre/modules/Log.jsm");
-Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/engines.js");
 Cu.import("resource://services-sync/engines/bookmarks.js");
 Cu.import("resource://services-sync/service.js");
@@ -13,168 +12,9 @@ Cu.import("resource://services-sync/util.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 Cu.import("resource://gre/modules/Promise.jsm");
 
-initTestLogging("Trace");
-
 Service.engineManager.register(BookmarksEngine);
 
-function* assertChildGuids(folderGuid, expectedChildGuids, message) {
-  let tree = yield PlacesUtils.promiseBookmarksTree(folderGuid);
-  let childGuids = tree.children.map(child => child.guid);
-  deepEqual(childGuids, expectedChildGuids, message);
-}
-
-add_task(function* test_change_during_sync() {
-  _("Ensure that we track changes made during a sync.");
-
-  let engine  = new BookmarksEngine(Service);
-  let store   = engine._store;
-  let tracker = engine._tracker;
-  let server = serverForFoo(engine);
-  new SyncTestingInfrastructure(server.server);
-
-  let collection = server.user("foo").collection("bookmarks");
-
-  let bz_id = PlacesUtils.bookmarks.insertBookmark(
-    PlacesUtils.bookmarksMenuFolderId, Utils.makeURI("https://bugzilla.mozilla.org/"),
-    PlacesUtils.bookmarks.DEFAULT_INDEX, "Bugzilla");
-  let bz_guid = yield PlacesUtils.promiseItemGuid(bz_id);
-    _(`Bugzilla GUID: ${bz_guid}`);
-
-  Svc.Obs.notify("weave:engine:start-tracking");
-
-  try {
-    let folder1_id = PlacesUtils.bookmarks.createFolder(
-      PlacesUtils.bookmarks.toolbarFolder, "Folder 1", 0);
-    let folder1_guid = store.GUIDForId(folder1_id);
-    _(`Folder GUID: ${folder1_guid}`);
-
-    let bmk1_id = PlacesUtils.bookmarks.insertBookmark(
-      folder1_id, Utils.makeURI("http://getthunderbird.com/"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX, "Get Thunderbird!");
-    let bmk1_guid = store.GUIDForId(bmk1_id);
-    _(`Thunderbird GUID: ${bmk1_guid}`);
-
-    // Sync is synchronous, so, to simulate a bookmark change made during a
-    // sync, we create a server record that adds a bookmark as a side effect.
-    let bmk2_guid = "get-firefox1"; // New child of Folder 1, created remotely.
-    let bmk3_id = -1; // New child of Folder 1, created locally during sync.
-    let folder2_guid = "folder2-1111"; // New folder, created remotely.
-    let tagQuery_guid = "tag-query111"; // New tag query child of Folder 2, created remotely.
-    let bmk4_guid = "example-org1"; // New tagged child of Folder 2, created remotely.
-    {
-      // An existing record changed on the server that should not trigger
-      // another sync when applied.
-      let bzBmk = new Bookmark("bookmarks", bz_guid);
-      bzBmk.bmkUri      = "https://bugzilla.mozilla.org/";
-      bzBmk.description = "New description";
-      bzBmk.title       = "Bugzilla";
-      bzBmk.tags        = ["new", "tags"];
-      bzBmk.parentName  = "Bookmarks Toolbar";
-      bzBmk.parentid    = "toolbar";
-      collection.insert(bz_guid, encryptPayload(bzBmk.cleartext));
-
-      let remoteFolder = new BookmarkFolder("bookmarks", folder2_guid);
-      remoteFolder.title      = "Folder 2";
-      remoteFolder.children   = [bmk4_guid, tagQuery_guid];
-      remoteFolder.parentName = "Bookmarks Menu";
-      remoteFolder.parentid   = "menu";
-      collection.insert(folder2_guid, encryptPayload(remoteFolder.cleartext));
-
-      let localFxBmk = new Bookmark("bookmarks", bmk2_guid);
-      localFxBmk.bmkUri        = "http://getfirefox.com/";
-      localFxBmk.description   = "Firefox is awesome.";
-      localFxBmk.title         = "Get Firefox!";
-      localFxBmk.tags          = ["firefox", "awesome", "browser"];
-      localFxBmk.keyword       = "awesome";
-      localFxBmk.loadInSidebar = false;
-      localFxBmk.parentName    = "Folder 1";
-      localFxBmk.parentid      = folder1_guid;
-      let remoteFxBmk = collection.insert(bmk2_guid, encryptPayload(localFxBmk.cleartext));
-      remoteFxBmk.get = function get() {
-        _("Inserting bookmark into local store");
-        bmk3_id = PlacesUtils.bookmarks.insertBookmark(
-          folder1_id, Utils.makeURI("https://mozilla.org/"),
-          PlacesUtils.bookmarks.DEFAULT_INDEX, "Mozilla");
-
-        return ServerWBO.prototype.get.apply(this, arguments);
-      };
-
-      // A tag query referencing a nonexistent tag folder, which we should
-      // create locally when applying the record.
-      let localTagQuery = new BookmarkQuery("bookmarks", tagQuery_guid);
-      localTagQuery.bmkUri     = "place:type=7&folder=999";
-      localTagQuery.title      = "Taggy tags";
-      localTagQuery.folderName = "taggy";
-      localTagQuery.parentName = "Folder 2";
-      localTagQuery.parentid   = folder2_guid;
-      collection.insert(tagQuery_guid, encryptPayload(localTagQuery.cleartext));
-
-      // A bookmark that should appear in the results for the tag query.
-      let localTaggedBmk = new Bookmark("bookmarks", bmk4_guid);
-      localTaggedBmk.bmkUri     = "https://example.org";
-      localTaggedBmk.title      = "Tagged bookmark";
-      localTaggedBmk.tags       = ["taggy"];
-      localTaggedBmk.parentName = "Folder 2";
-      localTaggedBmk.parentid   = folder2_guid;
-      collection.insert(bmk4_guid, encryptPayload(localTaggedBmk.cleartext));
-    }
-
-    yield* assertChildGuids(folder1_guid, [bmk1_guid], "Folder should have 1 child before first sync");
-
-    _("Perform first sync");
-    {
-      let changes = engine.pullNewChanges();
-      deepEqual(changes.ids().sort(), [folder1_guid, bmk1_guid, "toolbar"].sort(),
-        "Should track bookmark and folder created before first sync");
-      yield sync_engine_and_validate_telem(engine, false);
-    }
-
-    let bmk2_id = store.idForGUID(bmk2_guid);
-    let bmk3_guid = store.GUIDForId(bmk3_id);
-    _(`Mozilla GUID: ${bmk3_guid}`);
-    {
-      equal(store.GUIDForId(bmk2_id), bmk2_guid,
-        "Remote bookmark should be applied during first sync");
-      ok(bmk3_id > -1,
-        "Bookmark created during first sync should exist locally");
-      ok(!collection.wbo(bmk3_guid),
-        "Bookmark created during first sync shouldn't be uploaded yet");
-
-      yield* assertChildGuids(folder1_guid, [bmk1_guid, bmk3_guid, bmk2_guid],
-        "Folder 1 should have 3 children after first sync");
-      yield* assertChildGuids(folder2_guid, [bmk4_guid, tagQuery_guid],
-        "Folder 2 should have 2 children after first sync");
-      let taggedURIs = PlacesUtils.tagging.getURIsForTag("taggy");
-      equal(taggedURIs.length, 1, "Should have 1 tagged URI");
-      equal(taggedURIs[0].spec, "https://example.org/",
-        "Synced tagged bookmark should appear in tagged URI list");
-    }
-
-    _("Perform second sync");
-    {
-      let changes = engine.pullNewChanges();
-      deepEqual(changes.ids().sort(), [bmk3_guid, folder1_guid].sort(),
-        "Should track bookmark added during last sync and its parent");
-      yield sync_engine_and_validate_telem(engine, false);
-
-      ok(collection.wbo(bmk3_guid),
-        "Bookmark created during first sync should be uploaded during second sync");
-
-      yield* assertChildGuids(folder1_guid, [bmk1_guid, bmk3_guid, bmk2_guid],
-        "Folder 1 should have same children after second sync");
-      yield* assertChildGuids(folder2_guid, [bmk4_guid, tagQuery_guid],
-        "Folder 2 should have same children after second sync");
-    }
-  } finally {
-    store.wipe();
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-    yield new Promise(resolve => server.stop(resolve));
-    Svc.Obs.notify("weave:engine:stop-tracking");
-  }
-});
-
-add_task(function* bad_record_allIDs() {
+add_test(function bad_record_allIDs() {
   let server = new SyncServer();
   server.start();
   let syncTesting = new SyncTestingInfrastructure(server.server);
@@ -192,6 +32,9 @@ add_task(function* bad_record_allIDs() {
   _("Record is " + badRecordID);
   _("Type: " + PlacesUtils.bookmarks.getItemType(badRecordID));
 
+  _("Fetching children.");
+  store._getChildren("toolbar", {});
+
   _("Fetching all IDs.");
   let all = store.getAllIDs();
 
@@ -201,7 +44,49 @@ add_task(function* bad_record_allIDs() {
 
   _("Clean up.");
   PlacesUtils.bookmarks.removeItem(badRecordID);
-  yield new Promise(r => server.stop(r));
+  server.stop(run_next_test);
+});
+
+add_test(function test_ID_caching() {
+  let server = new SyncServer();
+  server.start();
+  let syncTesting = new SyncTestingInfrastructure(server.server);
+
+  _("Ensure that Places IDs are not cached.");
+  let engine = new BookmarksEngine(Service);
+  let store = engine._store;
+  _("All IDs: " + JSON.stringify(store.getAllIDs()));
+
+  let mobileID = store.idForGUID("mobile");
+  _("Change the GUID for that item, and drop the mobile anno.");
+  store._setGUID(mobileID, "abcdefghijkl");
+  PlacesUtils.annotations.removeItemAnnotation(mobileID, "mobile/bookmarksRoot");
+
+  let err;
+  let newMobileID;
+
+  // With noCreate, we don't find an entry.
+  try {
+    newMobileID = store.idForGUID("mobile", true);
+    _("New mobile ID: " + newMobileID);
+  } catch (ex) {
+    err = ex;
+    _("Error: " + Utils.exceptionStr(err));
+  }
+
+  do_check_true(!err);
+
+  // With !noCreate, lookup works, and it's different.
+  newMobileID = store.idForGUID("mobile", false);
+  _("New mobile ID: " + newMobileID);
+  do_check_true(!!newMobileID);
+  do_check_neq(newMobileID, mobileID);
+
+  // And it's repeatable, even with creation enabled.
+  do_check_eq(newMobileID, store.idForGUID("mobile", false));
+
+  do_check_eq(store.GUIDForId(mobileID), "abcdefghijkl");
+  server.stop(run_next_test);
 });
 
 function serverForFoo(engine) {
@@ -212,7 +97,7 @@ function serverForFoo(engine) {
   });
 }
 
-add_task(function* test_processIncoming_error_orderChildren() {
+add_test(function test_processIncoming_error_orderChildren() {
   _("Ensure that _orderChildren() is called even when _processIncoming() throws an error.");
 
   let engine = new BookmarksEngine(Service);
@@ -259,11 +144,11 @@ add_task(function* test_processIncoming_error_orderChildren() {
 
     let error;
     try {
-      yield sync_engine_and_validate_telem(engine, true)
+      engine.sync();
     } catch(ex) {
       error = ex;
     }
-    ok(!!error);
+    do_check_true(!!error);
 
     // Verify that the bookmark order has been applied.
     let new_children = store.createRecord(folder1_guid).children;
@@ -278,11 +163,11 @@ add_task(function* test_processIncoming_error_orderChildren() {
     store.wipe();
     Svc.Prefs.resetBranch("");
     Service.recordManager.clearCache();
-    yield new Promise(resolve => server.stop(resolve));
+    server.stop(run_next_test);
   }
 });
 
-add_task(function* test_restorePromptsReupload() {
+add_task(function test_restorePromptsReupload() {
   _("Ensure that restoring from a backup will reupload all records.");
   let engine = new BookmarksEngine(Service);
   let store  = engine._store;
@@ -319,7 +204,8 @@ add_task(function* test_restorePromptsReupload() {
     backupFile.append("t_b_e_" + Date.now() + ".json");
 
     _("Backing up to file " + backupFile.path);
-    yield BookmarkJSONUtils.exportToFile(backupFile.path);
+    backupFile.create(Ci.nsILocalFile.NORMAL_FILE_TYPE, 0600);
+    yield BookmarkJSONUtils.exportToFile(backupFile);
 
     _("Create a different record and sync.");
     let bmk2_id = PlacesUtils.bookmarks.insertBookmark(
@@ -331,17 +217,17 @@ add_task(function* test_restorePromptsReupload() {
 
     let error;
     try {
-      yield sync_engine_and_validate_telem(engine, false);
+      engine.sync();
     } catch(ex) {
       error = ex;
-      _("Got error: " + Log.exceptionStr(ex));
+      _("Got error: " + Utils.exceptionStr(ex));
     }
     do_check_true(!error);
 
     _("Verify that there's only one bookmark on the server, and it's Thunderbird.");
     // Of course, there's also the Bookmarks Toolbar and Bookmarks Menu...
     let wbos = collection.keys(function (id) {
-      return ["menu", "toolbar", "mobile", "unfiled", folder1_guid].indexOf(id) == -1;
+      return ["menu", "toolbar", "mobile", folder1_guid].indexOf(id) == -1;
     });
     do_check_eq(wbos.length, 1);
     do_check_eq(wbos[0], bmk2_guid);
@@ -371,14 +257,14 @@ add_task(function* test_restorePromptsReupload() {
     do_check_true(found);
 
     _("Have the correct number of IDs locally, too.");
-    do_check_eq(count, ["menu", "toolbar", "mobile", "unfiled", folder1_id, bmk1_id].length);
+    do_check_eq(count, ["menu", "toolbar", folder1_id, bmk1_id].length);
 
     _("Sync again. This'll wipe bookmarks from the server.");
     try {
-      yield sync_engine_and_validate_telem(engine, false);
+      engine.sync();
     } catch(ex) {
       error = ex;
-      _("Got error: " + Log.exceptionStr(ex));
+      _("Got error: " + Utils.exceptionStr(ex));
     }
     do_check_true(!error);
 
@@ -391,9 +277,7 @@ add_task(function* test_restorePromptsReupload() {
     let folderWBOs   = payloads.filter(function (wbo) {
                          return ((wbo.type == "folder") &&
                                  (wbo.id   != "menu") &&
-                                 (wbo.id   != "toolbar") &&
-                                 (wbo.id   != "unfiled") &&
-                                 (wbo.id   != "mobile"));
+                                 (wbo.id   != "toolbar"));
                        });
 
     do_check_eq(bookmarkWBOs.length, 1);
@@ -420,12 +304,10 @@ function FakeRecord(constructor, r) {
   for (let x in r) {
     this[x] = r[x];
   }
-  // Borrow the constructor's conversion functions.
-  this.toSyncBookmark = constructor.prototype.toSyncBookmark;
 }
 
 // Bug 632287.
-add_task(function* test_mismatched_types() {
+add_test(function test_mismatched_types() {
   _("Ensure that handling a record that changes type causes deletion " +
     "then re-adding.");
 
@@ -437,7 +319,6 @@ add_task(function* test_mismatched_types() {
     "description":null,
     "parentid": "toolbar"
   };
-  oldRecord.cleartext = oldRecord;
 
   let newRecord = {
     "id": "l1nZZXfB8nC7",
@@ -453,7 +334,6 @@ add_task(function* test_mismatched_types() {
        "oT74WwV8_j4P", "IztsItWVSo3-"],
     "parentid": "toolbar"
   };
-  newRecord.cleartext = newRecord;
 
   let engine = new BookmarksEngine(Service);
   let store  = engine._store;
@@ -466,8 +346,8 @@ add_task(function* test_mismatched_types() {
     let bms = PlacesUtils.bookmarks;
     let oldR = new FakeRecord(BookmarkFolder, oldRecord);
     let newR = new FakeRecord(Livemark, newRecord);
-    oldR.parentid = PlacesUtils.bookmarks.toolbarGuid;
-    newR.parentid = PlacesUtils.bookmarks.toolbarGuid;
+    oldR._parent = PlacesUtils.bookmarks.toolbarFolder;
+    newR._parent = PlacesUtils.bookmarks.toolbarFolder;
 
     store.applyIncoming(oldR);
     _("Applied old. It's a folder.");
@@ -490,11 +370,11 @@ add_task(function* test_mismatched_types() {
     store.wipe();
     Svc.Prefs.resetBranch("");
     Service.recordManager.clearCache();
-    yield new Promise(r => server.stop(r));
+    server.stop(run_next_test);
   }
 });
 
-add_task(function* test_bookmark_guidMap_fail() {
+add_test(function test_bookmark_guidMap_fail() {
   _("Ensure that failures building the GUID map cause early death.");
 
   let engine = new BookmarksEngine(Service);
@@ -514,9 +394,7 @@ add_task(function* test_bookmark_guidMap_fail() {
   engine.lastSync = 1;   // So we don't back up.
 
   // Make building the GUID map fail.
-
-  let pbt = PlacesUtils.promiseBookmarksTree;
-  PlacesUtils.promiseBookmarksTree = function() { return Promise.reject("Nooo"); };
+  store.getAllIDs = function () { throw "Nooo"; };
 
   // Ensure that we throw when accessing _guidMap.
   engine._syncStartup();
@@ -542,11 +420,26 @@ add_task(function* test_bookmark_guidMap_fail() {
   }
   do_check_eq(err, "Nooo");
 
-  PlacesUtils.promiseBookmarksTree = pbt;
-  yield new Promise(r => server.stop(r));
+  server.stop(run_next_test);
+});
+
+add_test(function test_bookmark_is_taggable() {
+  let engine = new BookmarksEngine(Service);
+  let store = engine._store;
+
+  do_check_true(store.isTaggable("bookmark"));
+  do_check_true(store.isTaggable("microsummary"));
+  do_check_true(store.isTaggable("query"));
+  do_check_false(store.isTaggable("folder"));
+  do_check_false(store.isTaggable("livemark"));
+  do_check_false(store.isTaggable(null));
+  do_check_false(store.isTaggable(undefined));
+  do_check_false(store.isTaggable(""));
+
+  run_next_test();
 });
 
-add_task(function* test_bookmark_tag_but_no_uri() {
+add_test(function test_bookmark_tag_but_no_uri() {
   _("Ensure that a bookmark record with tags, but no URI, doesn't throw an exception.");
 
   let engine = new BookmarksEngine(Service);
@@ -555,43 +448,30 @@ add_task(function* test_bookmark_tag_but_no_uri() {
   // We're simply checking that no exception is thrown, so
   // no actual checks in this test.
 
-  yield PlacesSyncUtils.bookmarks.insert({
-    kind: PlacesSyncUtils.bookmarks.KINDS.BOOKMARK,
-    syncId: Utils.makeGUID(),
-    parentSyncId: "toolbar",
-    url: "http://example.com",
-    tags: ["foo"],
-  });
-  yield PlacesSyncUtils.bookmarks.insert({
-    kind: PlacesSyncUtils.bookmarks.KINDS.BOOKMARK,
-    syncId: Utils.makeGUID(),
-    parentSyncId: "toolbar",
-    url: "http://example.org",
-    tags: null,
-  });
-  yield PlacesSyncUtils.bookmarks.insert({
-    kind: PlacesSyncUtils.bookmarks.KINDS.BOOKMARK,
-    syncId: Utils.makeGUID(),
-    url: "about:fake",
-    parentSyncId: "toolbar",
-    tags: null,
-  });
+  store._tagURI(null, ["foo"]);
+  store._tagURI(null, null);
+  store._tagURI(Utils.makeURI("about:fake"), null);
 
-  let record = new FakeRecord(BookmarkFolder, {
-    parentid:    "toolbar",
+  let record = {
+    _parent:     PlacesUtils.bookmarks.toolbarFolder,
     id:          Utils.makeGUID(),
     description: "",
     tags:        ["foo"],
     title:       "Taggy tag",
     type:        "folder"
-  });
+  };
+
+  // Because update() walks the cleartext.
+  record.cleartext = record;
 
   store.create(record);
   record.tags = ["bar"];
   store.update(record);
+
+  run_next_test();
 });
 
-add_task(function* test_misreconciled_root() {
+add_test(function test_misreconciled_root() {
   _("Ensure that we don't reconcile an arbitrary record with a root.");
 
   let engine = new BookmarksEngine(Service);
@@ -636,9 +516,6 @@ add_task(function* test_misreconciled_root() {
 
   _("Applying record.");
   engine._processIncoming({
-    getBatched() {
-      return this.get();
-    },
     get: function () {
       this.recordHandler(encrypted);
       return {success: true}
@@ -655,7 +532,7 @@ add_task(function* test_misreconciled_root() {
   do_check_eq(parentGUIDBefore, parentGUIDAfter);
   do_check_eq(parentIDBefore, parentIDAfter);
 
-  yield new Promise(r => server.stop(r));
+  server.stop(run_next_test);
 });
 
 function run_test() {
diff --git a/services/sync/tests/unit/test_bookmark_invalid.js b/services/sync/tests/unit/test_bookmark_invalid.js
deleted file mode 100644
index af476a7f97..0000000000
--- a/services/sync/tests/unit/test_bookmark_invalid.js
+++ /dev/null
@@ -1,63 +0,0 @@
-Cu.import("resource://gre/modules/PlacesUtils.jsm");
-Cu.import("resource://gre/modules/Log.jsm");
-Cu.import("resource://gre/modules/Task.jsm");
-Cu.import("resource://services-sync/engines.js");
-Cu.import("resource://services-sync/engines/bookmarks.js");
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/util.js");
-
-Service.engineManager.register(BookmarksEngine);
-
-var engine = Service.engineManager.get("bookmarks");
-var store = engine._store;
-var tracker = engine._tracker;
-
-add_task(function* test_ignore_invalid_uri() {
-  _("Ensure that we don't die with invalid bookmarks.");
-
-  // First create a valid bookmark.
-  let bmid = PlacesUtils.bookmarks.insertBookmark(PlacesUtils.unfiledBookmarksFolderId,
-                                                  Services.io.newURI("http://example.com/", null, null),
-                                                  PlacesUtils.bookmarks.DEFAULT_INDEX,
-                                                  "the title");
-
-  // Now update moz_places with an invalid url.
-  yield PlacesUtils.withConnectionWrapper("test_ignore_invalid_uri", Task.async(function* (db) {
-    yield db.execute(
-      `UPDATE moz_places SET url = :url, url_hash = hash(:url)
-       WHERE id = (SELECT b.fk FROM moz_bookmarks b
-       WHERE b.id = :id LIMIT 1)`,
-      { id: bmid, url: "<invalid url>" });
-  }));
-
-  // Ensure that this doesn't throw even though the DB is now in a bad state (a
-  // bookmark has an illegal url).
-  engine._buildGUIDMap();
-});
-
-add_task(function* test_ignore_missing_uri() {
-  _("Ensure that we don't die with a bookmark referencing an invalid bookmark id.");
-
-  // First create a valid bookmark.
-  let bmid = PlacesUtils.bookmarks.insertBookmark(PlacesUtils.unfiledBookmarksFolderId,
-                                                  Services.io.newURI("http://example.com/", null, null),
-                                                  PlacesUtils.bookmarks.DEFAULT_INDEX,
-                                                  "the title");
-
-  // Now update moz_bookmarks to reference a non-existing places ID
-  yield PlacesUtils.withConnectionWrapper("test_ignore_missing_uri", Task.async(function* (db) {
-    yield db.execute(
-      `UPDATE moz_bookmarks SET fk = 999999
-       WHERE id = :id`
-      , { id: bmid });
-  }));
-
-  // Ensure that this doesn't throw even though the DB is now in a bad state (a
-  // bookmark has an illegal url).
-  engine._buildGUIDMap();
-});
-
-function run_test() {
-  initTestLogging('Trace');
-  run_next_test();
-}
diff --git a/services/sync/tests/unit/test_bookmark_legacy_microsummaries_support.js b/services/sync/tests/unit/test_bookmark_legacy_microsummaries_support.js
index 207372ed68..a7e3a46477 100644
--- a/services/sync/tests/unit/test_bookmark_legacy_microsummaries_support.js
+++ b/services/sync/tests/unit/test_bookmark_legacy_microsummaries_support.js
@@ -85,12 +85,12 @@ function run_test() {
   do_check_eq(PlacesUtils.bookmarks.getKeywordForBookmark(id), null);
 
   do_check_throws(
-    () => PlacesUtils.annotations.getItemAnnotation(id, GENERATORURI_ANNO),
+    function () PlacesUtils.annotations.getItemAnnotation(id, GENERATORURI_ANNO),
     Cr.NS_ERROR_NOT_AVAILABLE
   );
 
   do_check_throws(
-    () => PlacesUtils.annotations.getItemAnnotation(id, STATICTITLE_ANNO),
+    function () PlacesUtils.annotations.getItemAnnotation(id, STATICTITLE_ANNO),
     Cr.NS_ERROR_NOT_AVAILABLE
   );
 
diff --git a/services/sync/tests/unit/test_bookmark_livemarks.js b/services/sync/tests/unit/test_bookmark_livemarks.js
index 8adde76d84..d7cda091b0 100644
--- a/services/sync/tests/unit/test_bookmark_livemarks.js
+++ b/services/sync/tests/unit/test_bookmark_livemarks.js
@@ -12,11 +12,11 @@ Cu.import("resource://testing-common/services/common/utils.js");
 
 const DESCRIPTION_ANNO = "bookmarkProperties/description";
 
-var engine = Service.engineManager.get("bookmarks");
-var store = engine._store;
+let engine = Service.engineManager.get("bookmarks");
+let store = engine._store;
 
 // Record borrowed from Bug 631361.
-var record631361 = {
+let record631361 = {
   id: "M5bwUKK8hPyF",
   index: 150,
   modified: 1296768176.49,
@@ -103,11 +103,20 @@ add_test(function test_livemark_descriptions() {
 add_test(function test_livemark_invalid() {
   _("Livemarks considered invalid by nsLivemarkService are skipped.");
 
+  _("Parent is 0, which is invalid. Will be set to unfiled.");
+  let noParentRec = makeLivemark(record631361.payload, true);
+  noParentRec._parent = 0;
+  store.create(noParentRec);
+  let recID = store.idForGUID(noParentRec.id, true);
+  do_check_true(recID > 0);
+  do_check_eq(PlacesUtils.bookmarks.getFolderIdForItem(recID), PlacesUtils.bookmarks.unfiledBookmarksFolder);
+
   _("Parent is unknown. Will be set to unfiled.");
   let lateParentRec = makeLivemark(record631361.payload, true);
   let parentGUID = Utils.makeGUID();
   lateParentRec.parentid = parentGUID;
-  do_check_eq(-1, store.idForGUID(parentGUID));
+  lateParentRec._parent = store.idForGUID(parentGUID);   // Usually done by applyIncoming.
+  do_check_eq(-1, lateParentRec._parent);
 
   store.create(lateParentRec);
   recID = store.idForGUID(lateParentRec.id, true);
@@ -124,7 +133,7 @@ add_test(function test_livemark_invalid() {
 
   _("Parent is a Livemark. Will be skipped.");
   let lmParentRec = makeLivemark(record631361.payload, true);
-  lmParentRec.parentid = store.GUIDForId(recID);
+  lmParentRec._parent = recID;
   store.create(lmParentRec);
   // No exception, but no creation occurs.
   do_check_eq(-1, store.idForGUID(lmParentRec.id, true));
diff --git a/services/sync/tests/unit/test_bookmark_order.js b/services/sync/tests/unit/test_bookmark_order.js
index 7625a813f5..56806dba02 100644
--- a/services/sync/tests/unit/test_bookmark_order.js
+++ b/services/sync/tests/unit/test_bookmark_order.js
@@ -2,61 +2,53 @@
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 _("Making sure after processing incoming bookmarks, they show up in the right order");
-Cu.import("resource://gre/modules/PlacesUtils.jsm");
-Cu.import("resource://gre/modules/Task.jsm");
+Cu.import("resource://gre/modules/PlacesUtils.jsm", this);
 Cu.import("resource://services-sync/engines/bookmarks.js");
 Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 
-var check = Task.async(function* (expected, message) {
-  let root = yield PlacesUtils.promiseBookmarksTree();
+function getBookmarks(folderId) {
+  let bookmarks = [];
+
+  let pos = 0;
+  while (true) {
+    let itemId = PlacesUtils.bookmarks.getIdForItemAt(folderId, pos);
+    _("Got itemId", itemId, "under", folderId, "at", pos);
+    if (itemId == -1)
+      break;
+
+    switch (PlacesUtils.bookmarks.getItemType(itemId)) {
+      case PlacesUtils.bookmarks.TYPE_BOOKMARK:
+        bookmarks.push(PlacesUtils.bookmarks.getItemTitle(itemId));
+        break;
+      case PlacesUtils.bookmarks.TYPE_FOLDER:
+        bookmarks.push(getBookmarks(itemId));
+        break;
+      default:
+        _("Unsupported item type..");
+    }
+
+    pos++;
+  }
+
+  return bookmarks;
+}
 
-  let bookmarks = (function mapTree(children) {
-    return children.map(child => {
-      let result = {
-        guid: child.guid,
-        index: child.index,
-      };
-      if (child.children) {
-        result.children = mapTree(child.children);
-      }
-      if (child.annos) {
-        let orphanAnno = child.annos.find(
-          anno => anno.name == "sync/parent");
-        if (orphanAnno) {
-          result.requestedParent = orphanAnno.value;
-        }
-      }
-      return result;
-    });
-  }(root.children));
+function check(expected) {
+  let bookmarks = getBookmarks(PlacesUtils.bookmarks.unfiledBookmarksFolder);
 
   _("Checking if the bookmark structure is", JSON.stringify(expected));
   _("Got bookmarks:", JSON.stringify(bookmarks));
-  deepEqual(bookmarks, expected);
-});
+  do_check_true(Utils.deepEquals(bookmarks, expected));
+}
 
-add_task(function* test_bookmark_order() {
+function run_test() {
   let store = new BookmarksEngine(Service)._store;
   initTestLogging("Trace");
 
   _("Starting with a clean slate of no bookmarks");
   store.wipe();
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    // Index 2 is the tags root. (Root indices depend on the order of the
-    // `CreateRoot` calls in `Database::CreateBookmarkRoots`).
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "clean slate");
+  check([]);
 
   function bookmark(name, parent) {
     let bookmark = new Bookmark("http://weave.server/my-bookmark");
@@ -83,447 +75,64 @@ add_task(function* test_bookmark_order() {
     store._orderChildren();
     delete store._childrenToOrder;
   }
-  let id10 = "10_aaaaaaaaa";
+
   _("basic add first bookmark");
-  apply(bookmark(id10, ""));
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id10,
-      index: 0,
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "basic add first bookmark");
-  let id20 = "20_aaaaaaaaa";
+  apply(bookmark("10", ""));
+  check(["10"]);
+
   _("basic append behind 10");
-  apply(bookmark(id20, ""));
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id10,
-      index: 0,
-    }, {
-      guid: id20,
-      index: 1,
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "basic append behind 10");
+  apply(bookmark("20", ""));
+  check(["10", "20"]);
 
-  let id31 = "31_aaaaaaaaa";
-  let id30 = "f30_aaaaaaaa";
   _("basic create in folder");
-  apply(bookmark(id31, id30));
-  let f30 = folder(id30, "", [id31]);
+  apply(bookmark("31", "f30"));
+  let f30 = folder("f30", "", ["31"]);
   apply(f30);
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id10,
-      index: 0,
-    }, {
-      guid: id20,
-      index: 1,
-    }, {
-      guid: id30,
-      index: 2,
-      children: [{
-        guid: id31,
-        index: 0,
-      }],
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "basic create in folder");
+  check(["10", "20", ["31"]]);
 
-  let id41 = "41_aaaaaaaaa";
-  let id40 = "f40_aaaaaaaa";
   _("insert missing parent -> append to unfiled");
-  apply(bookmark(id41, id40));
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id10,
-      index: 0,
-    }, {
-      guid: id20,
-      index: 1,
-    }, {
-      guid: id30,
-      index: 2,
-      children: [{
-        guid: id31,
-        index: 0,
-      }],
-    }, {
-      guid: id41,
-      index: 3,
-      requestedParent: id40,
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "insert missing parent -> append to unfiled");
-
-  let id42 = "42_aaaaaaaaa";
+  apply(bookmark("41", "f40"));
+  check(["10", "20", ["31"], "41"]);
 
   _("insert another missing parent -> append");
-  apply(bookmark(id42, id40));
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id10,
-      index: 0,
-    }, {
-      guid: id20,
-      index: 1,
-    }, {
-      guid: id30,
-      index: 2,
-      children: [{
-        guid: id31,
-        index: 0,
-      }],
-    }, {
-      guid: id41,
-      index: 3,
-      requestedParent: id40,
-    }, {
-      guid: id42,
-      index: 4,
-      requestedParent: id40,
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "insert another missing parent -> append");
+  apply(bookmark("42", "f40"));
+  check(["10", "20", ["31"], "41", "42"]);
 
   _("insert folder -> move children and followers");
-  let f40 = folder(id40, "", [id41, id42]);
+  let f40 = folder("f40", "", ["41", "42"]);
   apply(f40);
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id10,
-      index: 0,
-    }, {
-      guid: id20,
-      index: 1,
-    }, {
-      guid: id30,
-      index: 2,
-      children: [{
-        guid: id31,
-        index: 0,
-      }],
-    }, {
-      guid: id40,
-      index: 3,
-      children: [{
-        guid: id41,
-        index: 0,
-      }, {
-        guid: id42,
-        index: 1,
-      }]
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "insert folder -> move children and followers");
+  check(["10", "20", ["31"], ["41", "42"]]);
 
   _("Moving 41 behind 42 -> update f40");
-  f40.children = [id42, id41];
+  f40.children = ["42", "41"];
   apply(f40);
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id10,
-      index: 0,
-    }, {
-      guid: id20,
-      index: 1,
-    }, {
-      guid: id30,
-      index: 2,
-      children: [{
-        guid: id31,
-        index: 0,
-      }],
-    }, {
-      guid: id40,
-      index: 3,
-      children: [{
-        guid: id42,
-        index: 0,
-      }, {
-        guid: id41,
-        index: 1,
-      }]
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "Moving 41 behind 42 -> update f40");
+  check(["10", "20", ["31"], ["42", "41"]]);
 
   _("Moving 10 back to front -> update 10, 20");
-  f40.children = [id41, id42];
+  f40.children = ["41", "42"];
   apply(f40);
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id10,
-      index: 0,
-    }, {
-      guid: id20,
-      index: 1,
-    }, {
-      guid: id30,
-      index: 2,
-      children: [{
-        guid: id31,
-        index: 0,
-      }],
-    }, {
-      guid: id40,
-      index: 3,
-      children: [{
-        guid: id41,
-        index: 0,
-      }, {
-        guid: id42,
-        index: 1,
-      }]
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "Moving 10 back to front -> update 10, 20");
+  check(["10", "20", ["31"], ["41", "42"]]);
 
   _("Moving 20 behind 42 in f40 -> update 50");
-  apply(bookmark(id20, id40));
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id10,
-      index: 0,
-    }, {
-      guid: id30,
-      index: 1,
-      children: [{
-        guid: id31,
-        index: 0,
-      }],
-    }, {
-      guid: id40,
-      index: 2,
-      children: [{
-        guid: id41,
-        index: 0,
-      }, {
-        guid: id42,
-        index: 1,
-      }, {
-        guid: id20,
-        index: 2,
-      }]
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "Moving 20 behind 42 in f40 -> update 50");
+  apply(bookmark("20", "f40"));
+  check(["10", ["31"], ["41", "42", "20"]]);
 
   _("Moving 10 in front of 31 in f30 -> update 10, f30");
-  apply(bookmark(id10, id30));
-  f30.children = [id10, id31];
+  apply(bookmark("10", "f30"));
+  f30.children = ["10", "31"];
   apply(f30);
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id30,
-      index: 0,
-      children: [{
-        guid: id10,
-        index: 0,
-      }, {
-        guid: id31,
-        index: 1,
-      }],
-    }, {
-      guid: id40,
-      index: 1,
-      children: [{
-        guid: id41,
-        index: 0,
-      }, {
-        guid: id42,
-        index: 1,
-      }, {
-        guid: id20,
-        index: 2,
-      }]
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "Moving 10 in front of 31 in f30 -> update 10, f30");
+  check([["10", "31"], ["41", "42", "20"]]);
 
   _("Moving 20 from f40 to f30 -> update 20, f30");
-  apply(bookmark(id20, id30));
-  f30.children = [id10, id20, id31];
+  apply(bookmark("20", "f30"));
+  f30.children = ["10", "20", "31"];
   apply(f30);
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id30,
-      index: 0,
-      children: [{
-        guid: id10,
-        index: 0,
-      }, {
-        guid: id20,
-        index: 1,
-      }, {
-        guid: id31,
-        index: 2,
-      }],
-    }, {
-      guid: id40,
-      index: 1,
-      children: [{
-        guid: id41,
-        index: 0,
-      }, {
-        guid: id42,
-        index: 1,
-      }]
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "Moving 20 from f40 to f30 -> update 20, f30");
+  check([["10", "20", "31"], ["41", "42"]]);
 
   _("Move 20 back to front -> update 20, f30");
-  apply(bookmark(id20, ""));
-  f30.children = [id10, id31];
+  apply(bookmark("20", ""));
+  f30.children = ["10", "31"];
   apply(f30);
-  yield check([{
-    guid: PlacesUtils.bookmarks.menuGuid,
-    index: 0,
-  }, {
-    guid: PlacesUtils.bookmarks.toolbarGuid,
-    index: 1,
-  }, {
-    guid: PlacesUtils.bookmarks.unfiledGuid,
-    index: 3,
-    children: [{
-      guid: id30,
-      index: 0,
-      children: [{
-        guid: id10,
-        index: 0,
-      }, {
-        guid: id31,
-        index: 1,
-      }],
-    }, {
-      guid: id40,
-      index: 1,
-      children: [{
-        guid: id41,
-        index: 0,
-      }, {
-        guid: id42,
-        index: 1,
-      }],
-    }, {
-      guid: id20,
-      index: 2,
-    }],
-  }, {
-    guid: PlacesUtils.bookmarks.mobileGuid,
-    index: 4,
-  }], "Move 20 back to front -> update 20, f30");
+  check([["10", "31"], ["41", "42"], "20"]);
 
-});
+}
diff --git a/services/sync/tests/unit/test_bookmark_places_query_rewriting.js b/services/sync/tests/unit/test_bookmark_places_query_rewriting.js
index 0ddf81583e..8b764d6755 100644
--- a/services/sync/tests/unit/test_bookmark_places_query_rewriting.js
+++ b/services/sync/tests/unit/test_bookmark_places_query_rewriting.js
@@ -7,54 +7,45 @@ Cu.import("resource://services-sync/engines/bookmarks.js");
 Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 
-var engine = new BookmarksEngine(Service);
-var store = engine._store;
-
-function makeTagRecord(id, uri) {
-  let tagRecord = new BookmarkQuery("bookmarks", id);
-  tagRecord.queryId = "MagicTags";
-  tagRecord.parentName = "Bookmarks Toolbar";
-  tagRecord.bmkUri = uri;
-  tagRecord.title = "tagtag";
-  tagRecord.folderName = "bar";
-  tagRecord.parentid = PlacesUtils.bookmarks.toolbarGuid;
-  return tagRecord;
-}
+let engine = new BookmarksEngine(Service);
+let store = engine._store;
 
 function run_test() {
   initTestLogging("Trace");
   Log.repository.getLogger("Sync.Engine.Bookmarks").level = Log.Level.Trace;
   Log.repository.getLogger("Sync.Store.Bookmarks").level = Log.Level.Trace;
 
+  let tagRecord = new BookmarkQuery("bookmarks", "abcdefabcdef");
   let uri = "place:folder=499&type=7&queryType=1";
-  let tagRecord = makeTagRecord("abcdefabcdef", uri);
+  tagRecord.queryId = "MagicTags";
+  tagRecord.parentName = "Bookmarks Toolbar";
+  tagRecord.bmkUri = uri;
+  tagRecord.title = "tagtag";
+  tagRecord.folderName = "bar";
 
   _("Type: " + tagRecord.type);
   _("Folder name: " + tagRecord.folderName);
-  store.applyIncoming(tagRecord);
+  store.preprocessTagQuery(tagRecord);
+
+  _("Verify that the URI has been rewritten.");
+  do_check_neq(tagRecord.bmkUri, uri);
 
-  let tags = PlacesUtils.getFolderContents(PlacesUtils.tagsFolderId).root;
+  let tags = store._getNode(PlacesUtils.tagsFolderId);
+  tags.containerOpen = true;
   let tagID;
-  try {
-    for (let i = 0; i < tags.childCount; ++i) {
-      let child = tags.getChild(i);
-      if (child.title == "bar") {
-        tagID = child.itemId;
-      }
-    }
-  } finally {
-    tags.containerOpen = false;
+  for (let i = 0; i < tags.childCount; ++i) {
+    let child = tags.getChild(i);
+    if (child.title == "bar")
+      tagID = child.itemId;
   }
+  tags.containerOpen = false;
 
   _("Tag ID: " + tagID);
-  let insertedRecord = store.createRecord("abcdefabcdef", "bookmarks");
-  do_check_eq(insertedRecord.bmkUri, uri.replace("499", tagID));
+  do_check_eq(tagRecord.bmkUri, uri.replace("499", tagID));
 
   _("... but not if the type is wrong.");
   let wrongTypeURI = "place:folder=499&type=2&queryType=1";
-  let wrongTypeRecord = makeTagRecord("fedcbafedcba", wrongTypeURI);
-  store.applyIncoming(wrongTypeRecord);
-
-  insertedRecord = store.createRecord("fedcbafedcba", "bookmarks");
-  do_check_eq(insertedRecord.bmkUri, wrongTypeURI);
+  tagRecord.bmkUri = wrongTypeURI;
+  store.preprocessTagQuery(tagRecord);
+  do_check_eq(tagRecord.bmkUri, wrongTypeURI);
 }
diff --git a/services/sync/tests/unit/test_bookmark_smart_bookmarks.js b/services/sync/tests/unit/test_bookmark_smart_bookmarks.js
index 942cf2761c..4e9b2834dd 100644
--- a/services/sync/tests/unit/test_bookmark_smart_bookmarks.js
+++ b/services/sync/tests/unit/test_bookmark_smart_bookmarks.js
@@ -16,8 +16,8 @@ var IOService = Cc["@mozilla.org/network/io-service;1"]
 
 
 Service.engineManager.register(BookmarksEngine);
-var engine = Service.engineManager.get("bookmarks");
-var store = engine._store;
+let engine = Service.engineManager.get("bookmarks");
+let store = engine._store;
 
 // Clean up after other tests. Only necessary in XULRunner.
 store.wipe();
@@ -57,7 +57,7 @@ function serverForFoo(engine) {
 
 // Verify that Places smart bookmarks have their annotation uploaded and
 // handled locally.
-add_task(function *test_annotation_uploaded() {
+add_test(function test_annotation_uploaded() {
   let server = serverForFoo(engine);
   new SyncTestingInfrastructure(server.server);
 
@@ -110,9 +110,9 @@ add_task(function *test_annotation_uploaded() {
   let collection = server.user("foo").collection("bookmarks");
 
   try {
-    yield sync_engine_and_validate_telem(engine, false);
+    engine.sync();
     let wbos = collection.keys(function (id) {
-                 return ["menu", "toolbar", "mobile", "unfiled"].indexOf(id) == -1;
+                 return ["menu", "toolbar", "mobile"].indexOf(id) == -1;
                });
     do_check_eq(wbos.length, 1);
 
@@ -141,7 +141,7 @@ add_task(function *test_annotation_uploaded() {
     do_check_eq(smartBookmarkCount(), startCount);
 
     _("Sync. Verify that the downloaded record carries the annotation.");
-    yield sync_engine_and_validate_telem(engine, false);
+    engine.sync();
 
     _("Verify that the Places DB now has an annotated bookmark.");
     _("Our count has increased again.");
diff --git a/services/sync/tests/unit/test_bookmark_store.js b/services/sync/tests/unit/test_bookmark_store.js
index 902206ba6c..53ea433e6b 100644
--- a/services/sync/tests/unit/test_bookmark_store.js
+++ b/services/sync/tests/unit/test_bookmark_store.js
@@ -11,17 +11,17 @@ const PARENT_ANNO = "sync/parent";
 
 Service.engineManager.register(BookmarksEngine);
 
-var engine = Service.engineManager.get("bookmarks");
-var store = engine._store;
-var tracker = engine._tracker;
+let engine = Service.engineManager.get("bookmarks");
+let store = engine._store;
+let tracker = engine._tracker;
 
 // Don't write some persistence files asynchronously.
 tracker.persistChangedIDs = false;
 
-var fxuri = Utils.makeURI("http://getfirefox.com/");
-var tburi = Utils.makeURI("http://getthunderbird.com/");
+let fxuri = Utils.makeURI("http://getfirefox.com/");
+let tburi = Utils.makeURI("http://getthunderbird.com/");
 
-add_task(function* test_ignore_specials() {
+add_test(function test_ignore_specials() {
   _("Ensure that we can't delete bookmark roots.");
 
   // Belt...
@@ -30,7 +30,6 @@ add_task(function* test_ignore_specials() {
   do_check_neq(null, store.idForGUID("toolbar"));
 
   store.applyIncoming(record);
-  yield store.deletePending();
 
   // Ensure that the toolbar exists.
   do_check_neq(null, store.idForGUID("toolbar"));
@@ -40,11 +39,11 @@ add_task(function* test_ignore_specials() {
 
   // Braces...
   store.remove(record);
-  yield store.deletePending();
   do_check_neq(null, store.idForGUID("toolbar"));
   engine._buildGUIDMap();
 
   store.wipe();
+  run_next_test();
 });
 
 add_test(function test_bookmark_create() {
@@ -81,8 +80,8 @@ add_test(function test_bookmark_create() {
     _("Have the store create a new record object. Verify that it has the same data.");
     let newrecord = store.createRecord(fxrecord.id);
     do_check_true(newrecord instanceof Bookmark);
-    for (let property of ["type", "bmkUri", "description", "title",
-                          "keyword", "parentName", "parentid"]) {
+    for each (let property in ["type", "bmkUri", "description", "title",
+                               "keyword", "parentName", "parentid"]) {
       do_check_eq(newrecord[property], fxrecord[property]);
     }
     do_check_true(Utils.deepEquals(newrecord.tags.sort(),
@@ -167,7 +166,7 @@ add_test(function test_bookmark_createRecord() {
 
     _("Verify that the record is created accordingly.");
     let record = store.createRecord(bmk1_guid);
-    do_check_eq(record.title, "");
+    do_check_eq(record.title, null);
     do_check_eq(record.description, null);
     do_check_eq(record.keyword, null);
 
@@ -198,7 +197,7 @@ add_test(function test_folder_create() {
     _("Have the store create a new record object. Verify that it has the same data.");
     let newrecord = store.createRecord(folder.id);
     do_check_true(newrecord instanceof BookmarkFolder);
-    for (let property of ["title", "parentName", "parentid"])
+    for each (let property in ["title", "parentName", "parentid"])
       do_check_eq(newrecord[property], folder[property]);
 
     _("Folders have high sort index to ensure they're synced first.");
@@ -244,7 +243,7 @@ add_test(function test_folder_createRecord() {
   }
 });
 
-add_task(function* test_deleted() {
+add_test(function test_deleted() {
   try {
     _("Create a bookmark that will be deleted.");
     let bmk1_id = PlacesUtils.bookmarks.insertBookmark(
@@ -256,7 +255,7 @@ add_task(function* test_deleted() {
     let record = new PlacesItem("bookmarks", bmk1_guid);
     record.deleted = true;
     store.applyIncoming(record);
-    yield store.deletePending();
+
     _("Ensure it has been deleted.");
     let error;
     try {
@@ -272,6 +271,7 @@ add_task(function* test_deleted() {
   } finally {
     _("Clean up.");
     store.wipe();
+    run_next_test();
   }
 });
 
@@ -428,106 +428,6 @@ add_test(function test_empty_query_doesnt_die() {
   run_next_test();
 });
 
-function assertDeleted(id) {
-  let error;
-  try {
-    PlacesUtils.bookmarks.getItemType(id);
-  } catch (e) {
-    error = e;
-  }
-  equal(error.result, Cr.NS_ERROR_ILLEGAL_VALUE)
-}
-
-add_task(function* test_delete_buffering() {
-  store.wipe();
-  try {
-    _("Create a folder with two bookmarks.");
-    let folder = new BookmarkFolder("bookmarks", "testfolder-1");
-    folder.parentName = "Bookmarks Toolbar";
-    folder.parentid = "toolbar";
-    folder.title = "Test Folder";
-    store.applyIncoming(folder);
-
-
-    let fxRecord = new Bookmark("bookmarks", "get-firefox1");
-    fxRecord.bmkUri        = fxuri.spec;
-    fxRecord.title         = "Get Firefox!";
-    fxRecord.parentName    = "Test Folder";
-    fxRecord.parentid      = "testfolder-1";
-
-    let tbRecord = new Bookmark("bookmarks", "get-tndrbrd1");
-    tbRecord.bmkUri        = tburi.spec;
-    tbRecord.title         = "Get Thunderbird!";
-    tbRecord.parentName    = "Test Folder";
-    tbRecord.parentid      = "testfolder-1";
-
-    store.applyIncoming(fxRecord);
-    store.applyIncoming(tbRecord);
-
-    let folderId = store.idForGUID(folder.id);
-    let fxRecordId = store.idForGUID(fxRecord.id);
-    let tbRecordId = store.idForGUID(tbRecord.id);
-
-    _("Check everything was created correctly.");
-
-    equal(PlacesUtils.bookmarks.getItemType(fxRecordId),
-          PlacesUtils.bookmarks.TYPE_BOOKMARK);
-    equal(PlacesUtils.bookmarks.getItemType(tbRecordId),
-          PlacesUtils.bookmarks.TYPE_BOOKMARK);
-    equal(PlacesUtils.bookmarks.getItemType(folderId),
-          PlacesUtils.bookmarks.TYPE_FOLDER);
-
-    equal(PlacesUtils.bookmarks.getFolderIdForItem(fxRecordId), folderId);
-    equal(PlacesUtils.bookmarks.getFolderIdForItem(tbRecordId), folderId);
-    equal(PlacesUtils.bookmarks.getFolderIdForItem(folderId),
-          PlacesUtils.bookmarks.toolbarFolder);
-
-    _("Delete the folder and one bookmark.");
-
-    let deleteFolder = new PlacesItem("bookmarks", "testfolder-1");
-    deleteFolder.deleted = true;
-
-    let deleteFxRecord = new PlacesItem("bookmarks", "get-firefox1");
-    deleteFxRecord.deleted = true;
-
-    store.applyIncoming(deleteFolder);
-    store.applyIncoming(deleteFxRecord);
-
-    _("Check that we haven't deleted them yet, but that the deletions are queued");
-    // these will throw if we've deleted them
-    equal(PlacesUtils.bookmarks.getItemType(fxRecordId),
-           PlacesUtils.bookmarks.TYPE_BOOKMARK);
-
-    equal(PlacesUtils.bookmarks.getItemType(folderId),
-           PlacesUtils.bookmarks.TYPE_FOLDER);
-
-    equal(PlacesUtils.bookmarks.getFolderIdForItem(fxRecordId), folderId);
-
-    ok(store._foldersToDelete.has(folder.id));
-    ok(store._atomsToDelete.has(fxRecord.id));
-    ok(!store._atomsToDelete.has(tbRecord.id));
-
-    _("Process pending deletions and ensure that the right things are deleted.");
-    let updatedGuids = yield store.deletePending();
-
-    deepEqual(updatedGuids.sort(), ["get-tndrbrd1", "toolbar"]);
-
-    assertDeleted(fxRecordId);
-    assertDeleted(folderId);
-
-    ok(!store._foldersToDelete.has(folder.id));
-    ok(!store._atomsToDelete.has(fxRecord.id));
-
-    equal(PlacesUtils.bookmarks.getFolderIdForItem(tbRecordId),
-          PlacesUtils.bookmarks.toolbarFolder);
-
-  } finally {
-    _("Clean up.");
-    store.wipe();
-  }
-});
-
-
 function run_test() {
   initTestLogging('Trace');
   run_next_test();
diff --git a/services/sync/tests/unit/test_bookmark_tracker.js b/services/sync/tests/unit/test_bookmark_tracker.js
index 9b92425790..6060fbae47 100644
--- a/services/sync/tests/unit/test_bookmark_tracker.js
+++ b/services/sync/tests/unit/test_bookmark_tracker.js
@@ -2,80 +2,24 @@
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
 Cu.import("resource://gre/modules/PlacesUtils.jsm");
-Cu.import("resource://gre/modules/PlacesSyncUtils.jsm");
-Cu.import("resource://gre/modules/Task.jsm");
 Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/engines/bookmarks.js");
 Cu.import("resource://services-sync/engines.js");
 Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
-Cu.import("resource:///modules/PlacesUIUtils.jsm");
 
 Service.engineManager.register(BookmarksEngine);
-var engine = Service.engineManager.get("bookmarks");
-var store  = engine._store;
-var tracker = engine._tracker;
+let engine = Service.engineManager.get("bookmarks");
+let store  = engine._store;
+let tracker = engine._tracker;
 
 store.wipe();
 tracker.persistChangedIDs = false;
 
-const DAY_IN_MS = 24 * 60 * 60 * 1000;
-
-// Test helpers.
-function* verifyTrackerEmpty() {
-  let changes = engine.pullNewChanges();
-  equal(changes.count(), 0);
-  equal(tracker.score, 0);
-}
-
-function* resetTracker() {
-  tracker.clearChangedIDs();
-  tracker.resetScore();
-}
-
-function* cleanup() {
-  store.wipe();
-  yield resetTracker();
-  yield stopTracking();
-}
-
-// startTracking is a signal that the test wants to notice things that happen
-// after this is called (ie, things already tracked should be discarded.)
-function* startTracking() {
-  Svc.Obs.notify("weave:engine:start-tracking");
-}
-
-function* stopTracking() {
-  Svc.Obs.notify("weave:engine:stop-tracking");
-}
-
-function* verifyTrackedItems(tracked) {
-  let changes = engine.pullNewChanges();
-  let trackedIDs = new Set(changes.ids());
-  for (let guid of tracked) {
-    ok(changes.has(guid), `${guid} should be tracked`);
-    ok(changes.getModifiedTimestamp(guid) > 0,
-      `${guid} should have a modified time`);
-    trackedIDs.delete(guid);
-  }
-  equal(trackedIDs.size, 0, `Unhandled tracked IDs: ${
-    JSON.stringify(Array.from(trackedIDs))}`);
-}
-
-function* verifyTrackedCount(expected) {
-  let changes = engine.pullNewChanges();
-  equal(changes.count(), expected);
-}
-
-// Copied from PlacesSyncUtils.jsm.
-function findAnnoItems(anno, val) {
-  let annos = PlacesUtils.annotations;
-  return annos.getItemsWithAnnotation(anno, {}).filter(id =>
-    annos.getItemAnnotation(id, anno) == val);
-}
-
-add_task(function* test_tracking() {
-  _("Test starting and stopping the tracker");
+function test_tracking() {
+  _("Verify we've got an empty tracker to work with.");
+  let tracker = engine._tracker;
+  do_check_empty(tracker.changedIDs);
 
   let folder = PlacesUtils.bookmarks.createFolder(
     PlacesUtils.bookmarks.bookmarksMenuFolder,
@@ -89,630 +33,60 @@ add_task(function* test_tracking() {
   try {
     _("Create bookmark. Won't show because we haven't started tracking yet");
     createBmk();
-    yield verifyTrackedCount(0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
 
     _("Tell the tracker to start tracking changes.");
-    yield startTracking();
+    Svc.Obs.notify("weave:engine:start-tracking");
     createBmk();
     // We expect two changed items because the containing folder
     // changed as well (new child).
-    yield verifyTrackedCount(2);
+    do_check_attribute_count(tracker.changedIDs, 2);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
 
     _("Notifying twice won't do any harm.");
-    yield startTracking();
+    Svc.Obs.notify("weave:engine:start-tracking");
     createBmk();
-    yield verifyTrackedCount(3);
+    do_check_attribute_count(tracker.changedIDs, 3);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 4);
 
     _("Let's stop tracking again.");
-    yield resetTracker();
-    yield stopTracking();
+    tracker.clearChangedIDs();
+    tracker.resetScore();
+    Svc.Obs.notify("weave:engine:stop-tracking");
     createBmk();
-    yield verifyTrackedCount(0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
 
     _("Notifying twice won't do any harm.");
-    yield stopTracking();
+    Svc.Obs.notify("weave:engine:stop-tracking");
     createBmk();
-    yield verifyTrackedCount(0);
+    do_check_empty(tracker.changedIDs);
     do_check_eq(tracker.score, 0);
 
   } finally {
     _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_batch_tracking() {
-  _("Test tracker does the correct thing during and after a places 'batch'");
-
-  yield startTracking();
-
-  PlacesUtils.bookmarks.runInBatchMode({
-    runBatched: function() {
-      let folder = PlacesUtils.bookmarks.createFolder(
-        PlacesUtils.bookmarks.bookmarksMenuFolder,
-        "Test Folder", PlacesUtils.bookmarks.DEFAULT_INDEX);
-      // We should be tracking the new folder and its parent (and need to jump
-      // through blocking hoops...)
-      Async.promiseSpinningly(Task.spawn(verifyTrackedCount(2)));
-      // But not have bumped the score.
-      do_check_eq(tracker.score, 0);
-    }
-  }, null);
-
-  // Out of batch mode - tracker should be the same, but score should be up.
-  yield verifyTrackedCount(2);
-  do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-  yield cleanup();
-});
-
-add_task(function* test_nested_batch_tracking() {
-  _("Test tracker does the correct thing if a places 'batch' is nested");
-
-  yield startTracking();
-
-  PlacesUtils.bookmarks.runInBatchMode({
-    runBatched: function() {
-
-      PlacesUtils.bookmarks.runInBatchMode({
-        runBatched: function() {
-          let folder = PlacesUtils.bookmarks.createFolder(
-            PlacesUtils.bookmarks.bookmarksMenuFolder,
-            "Test Folder", PlacesUtils.bookmarks.DEFAULT_INDEX);
-          // We should be tracking the new folder and its parent (and need to jump
-          // through blocking hoops...)
-          Async.promiseSpinningly(Task.spawn(verifyTrackedCount(2)));
-          // But not have bumped the score.
-          do_check_eq(tracker.score, 0);
-        }
-      }, null);
-      _("inner batch complete.");
-      // should still not have a score as the outer batch is pending.
-      do_check_eq(tracker.score, 0);
-    }
-  }, null);
-
-  // Out of both batches - tracker should be the same, but score should be up.
-  yield verifyTrackedCount(2);
-  do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-  yield cleanup();
-});
-
-add_task(function* test_tracker_sql_batching() {
-  _("Test tracker does the correct thing when it is forced to batch SQL queries");
-
-  const SQLITE_MAX_VARIABLE_NUMBER = 999;
-  let numItems = SQLITE_MAX_VARIABLE_NUMBER * 2 + 10;
-  let createdIDs = [];
-
-  yield startTracking();
-
-  PlacesUtils.bookmarks.runInBatchMode({
-    runBatched: function() {
-      for (let i = 0; i < numItems; i++) {
-        let syncBmkID = PlacesUtils.bookmarks.insertBookmark(
-                          PlacesUtils.bookmarks.unfiledBookmarksFolder,
-                          Utils.makeURI("https://example.org/" + i),
-                          PlacesUtils.bookmarks.DEFAULT_INDEX,
-                          "Sync Bookmark " + i);
-        createdIDs.push(syncBmkID);
-      }
-    }
-  }, null);
-
-  do_check_eq(createdIDs.length, numItems);
-  yield verifyTrackedCount(numItems + 1); // the folder is also tracked.
-  yield cleanup();
-});
-
-add_task(function* test_onItemAdded() {
-  _("Items inserted via the synchronous bookmarks API should be tracked");
-
-  try {
-    yield startTracking();
-
-    _("Insert a folder using the sync API");
-    let syncFolderID = PlacesUtils.bookmarks.createFolder(
-      PlacesUtils.bookmarks.bookmarksMenuFolder, "Sync Folder",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let syncFolderGUID = engine._store.GUIDForId(syncFolderID);
-    yield verifyTrackedItems(["menu", syncFolderGUID]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-
-    yield resetTracker();
-    yield startTracking();
-
-    _("Insert a bookmark using the sync API");
-    let syncBmkID = PlacesUtils.bookmarks.insertBookmark(syncFolderID,
-      Utils.makeURI("https://example.org/sync"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Sync Bookmark");
-    let syncBmkGUID = engine._store.GUIDForId(syncBmkID);
-    yield verifyTrackedItems([syncFolderGUID, syncBmkGUID]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-
-    yield resetTracker();
-    yield startTracking();
-
-    _("Insert a separator using the sync API");
-    let syncSepID = PlacesUtils.bookmarks.insertSeparator(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      PlacesUtils.bookmarks.getItemIndex(syncFolderID));
-    let syncSepGUID = engine._store.GUIDForId(syncSepID);
-    yield verifyTrackedItems(["menu", syncSepGUID]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_async_onItemAdded() {
-  _("Items inserted via the asynchronous bookmarks API should be tracked");
-
-  try {
-    yield startTracking();
-
-    _("Insert a folder using the async API");
-    let asyncFolder = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_FOLDER,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      title: "Async Folder",
-    });
-    yield verifyTrackedItems(["menu", asyncFolder.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-
-    yield resetTracker();
-    yield startTracking();
-
-    _("Insert a bookmark using the async API");
-    let asyncBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: asyncFolder.guid,
-      url: "https://example.org/async",
-      title: "Async Bookmark",
-    });
-    yield verifyTrackedItems([asyncFolder.guid, asyncBmk.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-
-    yield resetTracker();
-    yield startTracking();
-
-    _("Insert a separator using the async API");
-    let asyncSep = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_SEPARATOR,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      index: asyncFolder.index,
-    });
-    yield verifyTrackedItems(["menu", asyncSep.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_async_onItemChanged() {
-  _("Items updated using the asynchronous bookmarks API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert a bookmark");
-    let fxBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getfirefox.com",
-      title: "Get Firefox!",
-    });
-    _(`Firefox GUID: ${fxBmk.guid}`);
-
-    yield startTracking();
-
-    _("Update the bookmark using the async API");
-    yield PlacesUtils.bookmarks.update({
-      guid: fxBmk.guid,
-      title: "Download Firefox",
-      url: "https://www.mozilla.org/firefox",
-      // PlacesUtils.bookmarks.update rejects last modified dates older than
-      // the added date.
-      lastModified: new Date(Date.now() + DAY_IN_MS),
-    });
-
-    yield verifyTrackedItems([fxBmk.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 3);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemChanged_itemDates() {
-  _("Changes to item dates should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert a bookmark");
-    let fx_id = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-    let fx_guid = engine._store.GUIDForId(fx_id);
-    _(`Firefox GUID: ${fx_guid}`);
-
-    yield startTracking();
-
-    _("Reset the bookmark's added date");
-    // Convert to microseconds for PRTime.
-    let dateAdded = (Date.now() - DAY_IN_MS) * 1000;
-    PlacesUtils.bookmarks.setItemDateAdded(fx_id, dateAdded);
-    yield verifyTrackedItems([fx_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-    yield resetTracker();
-
-    _("Set the bookmark's last modified date");
-    let dateModified = Date.now() * 1000;
-    PlacesUtils.bookmarks.setItemLastModified(fx_id, dateModified);
-    yield verifyTrackedItems([fx_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemChanged_changeBookmarkURI() {
-  _("Changes to bookmark URIs should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert a bookmark");
-    let fx_id = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-    let fx_guid = engine._store.GUIDForId(fx_id);
-    _(`Firefox GUID: ${fx_guid}`);
-
-    _("Set a tracked annotation to make sure we only notify once");
-    PlacesUtils.annotations.setItemAnnotation(
-      fx_id, PlacesSyncUtils.bookmarks.DESCRIPTION_ANNO, "A test description", 0,
-      PlacesUtils.annotations.EXPIRE_NEVER);
-
-    yield startTracking();
-
-    _("Change the bookmark's URI");
-    PlacesUtils.bookmarks.changeBookmarkURI(fx_id,
-      Utils.makeURI("https://www.mozilla.org/firefox"));
-    yield verifyTrackedItems([fx_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemTagged() {
-  _("Items tagged using the synchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Create a folder");
-    let folder = PlacesUtils.bookmarks.createFolder(
-      PlacesUtils.bookmarks.bookmarksMenuFolder, "Parent",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let folderGUID = engine._store.GUIDForId(folder);
-    _("Folder ID: " + folder);
-    _("Folder GUID: " + folderGUID);
-
-    _("Track changes to tags");
-    let uri = Utils.makeURI("http://getfirefox.com");
-    let b = PlacesUtils.bookmarks.insertBookmark(
-      folder, uri,
-      PlacesUtils.bookmarks.DEFAULT_INDEX, "Get Firefox!");
-    let bGUID = engine._store.GUIDForId(b);
-    _("New item is " + b);
-    _("GUID: " + bGUID);
-
-    yield startTracking();
-
-    _("Tag the item");
-    PlacesUtils.tagging.tagURI(uri, ["foo"]);
-
-    // bookmark should be tracked, folder should not be.
-    yield verifyTrackedItems([bGUID]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 5);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemUntagged() {
-  _("Items untagged using the synchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert tagged bookmarks");
-    let uri = Utils.makeURI("http://getfirefox.com");
-    let fx1ID = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder, uri,
-      PlacesUtils.bookmarks.DEFAULT_INDEX, "Get Firefox!");
-    let fx1GUID = engine._store.GUIDForId(fx1ID);
-    // Different parent and title; same URL.
-    let fx2ID = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.toolbarFolder, uri,
-      PlacesUtils.bookmarks.DEFAULT_INDEX, "Download Firefox");
-    let fx2GUID = engine._store.GUIDForId(fx2ID);
-    PlacesUtils.tagging.tagURI(uri, ["foo"]);
-
-    yield startTracking();
-
-    _("Remove the tag");
-    PlacesUtils.tagging.untagURI(uri, ["foo"]);
-
-    yield verifyTrackedItems([fx1GUID, fx2GUID]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_async_onItemUntagged() {
-  _("Items untagged using the asynchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert tagged bookmarks");
-    let fxBmk1 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getfirefox.com",
-      title: "Get Firefox!",
-    });
-    let fxBmk2 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.toolbarGuid,
-      url: "http://getfirefox.com",
-      title: "Download Firefox",
-    });
-    let tag = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_FOLDER,
-      parentGuid: PlacesUtils.bookmarks.tagsGuid,
-      title: "some tag",
-    });
-    let fxTag = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: tag.guid,
-      url: "http://getfirefox.com",
-    });
-
-    yield startTracking();
-
-    _("Remove the tag using the async bookmarks API");
-    yield PlacesUtils.bookmarks.remove(fxTag.guid);
-
-    yield verifyTrackedItems([fxBmk1.guid, fxBmk2.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_async_onItemTagged() {
-  _("Items tagged using the asynchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert untagged bookmarks");
-    let folder1 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_FOLDER,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      title: "Folder 1",
-    });
-    let fxBmk1 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: folder1.guid,
-      url: "http://getfirefox.com",
-      title: "Get Firefox!",
-    });
-    let folder2 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_FOLDER,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      title: "Folder 2",
-    });
-    // Different parent and title; same URL.
-    let fxBmk2 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: folder2.guid,
-      url: "http://getfirefox.com",
-      title: "Download Firefox",
-    });
-
-    yield startTracking();
-
-    // This will change once tags are moved into a separate table (bug 424160).
-    // We specifically test this case because Bookmarks.jsm updates tagged
-    // bookmarks and notifies observers.
-    _("Insert a tag using the async bookmarks API");
-    let tag = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_FOLDER,
-      parentGuid: PlacesUtils.bookmarks.tagsGuid,
-      title: "some tag",
-    });
-
-    _("Tag an item using the async bookmarks API");
-    yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: tag.guid,
-      url: "http://getfirefox.com",
-    });
-
-    yield verifyTrackedItems([fxBmk1.guid, fxBmk2.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 6);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemKeywordChanged() {
-  _("Keyword changes via the synchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-    let folder = PlacesUtils.bookmarks.createFolder(
-      PlacesUtils.bookmarks.bookmarksMenuFolder, "Parent",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let folderGUID = engine._store.GUIDForId(folder);
-    _("Track changes to keywords");
-    let uri = Utils.makeURI("http://getfirefox.com");
-    let b = PlacesUtils.bookmarks.insertBookmark(
-      folder, uri,
-      PlacesUtils.bookmarks.DEFAULT_INDEX, "Get Firefox!");
-    let bGUID = engine._store.GUIDForId(b);
-    _("New item is " + b);
-    _("GUID: " + bGUID);
-
-    yield startTracking();
-
-    _("Give the item a keyword");
-    PlacesUtils.bookmarks.setKeywordForBookmark(b, "the_keyword");
-
-    // bookmark should be tracked, folder should not be.
-    yield verifyTrackedItems([bGUID]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-
-  } finally {
-    _("Clean up.");
-    yield cleanup();
+    store.wipe();
+    tracker.clearChangedIDs();
+    tracker.resetScore();
+    Svc.Obs.notify("weave:engine:stop-tracking");
   }
-});
-
-add_task(function* test_async_onItemKeywordChanged() {
-  _("Keyword changes via the asynchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert two bookmarks with the same URL");
-    let fxBmk1 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getfirefox.com",
-      title: "Get Firefox!",
-    });
-    let fxBmk2 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.toolbarGuid,
-      url: "http://getfirefox.com",
-      title: "Download Firefox",
-    });
-
-    yield startTracking();
-
-    _("Add a keyword for both items");
-    yield PlacesUtils.keywords.insert({
-      keyword: "the_keyword",
-      url: "http://getfirefox.com",
-      postData: "postData",
-    });
-
-    yield verifyTrackedItems([fxBmk1.guid, fxBmk2.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_async_onItemKeywordDeleted() {
-  _("Keyword deletions via the asynchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert two bookmarks with the same URL and keywords");
-    let fxBmk1 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getfirefox.com",
-      title: "Get Firefox!",
-    });
-    let fxBmk2 = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.toolbarGuid,
-      url: "http://getfirefox.com",
-      title: "Download Firefox",
-    });
-    yield PlacesUtils.keywords.insert({
-      keyword: "the_keyword",
-      url: "http://getfirefox.com",
-    });
-
-    yield startTracking();
-
-    _("Remove the keyword");
-    yield PlacesUtils.keywords.remove("the_keyword");
-
-    yield verifyTrackedItems([fxBmk1.guid, fxBmk2.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemPostDataChanged() {
-  _("Post data changes should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert a bookmark");
-    let fx_id = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-    let fx_guid = engine._store.GUIDForId(fx_id);
-    _(`Firefox GUID: ${fx_guid}`);
-
-    yield startTracking();
+}
 
-    // PlacesUtils.setPostDataForBookmark is deprecated, but still used by
-    // PlacesTransactions.NewBookmark.
-    _("Post data for the bookmark should be ignored");
-    yield PlacesUtils.setPostDataForBookmark(fx_id, "postData");
-    yield verifyTrackerEmpty();
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
+function test_onItemChanged() {
+  // Anno that's in ANNOS_TO_TRACK.
+  const DESCRIPTION_ANNO = "bookmarkProperties/description";
 
-add_task(function* test_onItemAnnoChanged() {
-  _("Item annotations should be tracked");
+  _("Verify we've got an empty tracker to work with.");
+  let tracker = engine._tracker;
+  do_check_empty(tracker.changedIDs);
+  do_check_eq(tracker.score, 0);
 
   try {
-    yield stopTracking();
+    Svc.Obs.notify("weave:engine:stop-tracking");
     let folder = PlacesUtils.bookmarks.createFolder(
       PlacesUtils.bookmarks.bookmarksMenuFolder, "Parent",
       PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let folderGUID = engine._store.GUIDForId(folder);
     _("Track changes to annos.");
     let b = PlacesUtils.bookmarks.insertBookmark(
       folder, Utils.makeURI("http://getfirefox.com"),
@@ -721,225 +95,27 @@ add_task(function* test_onItemAnnoChanged() {
     _("New item is " + b);
     _("GUID: " + bGUID);
 
-    yield startTracking();
+    Svc.Obs.notify("weave:engine:start-tracking");
     PlacesUtils.annotations.setItemAnnotation(
-      b, PlacesSyncUtils.bookmarks.DESCRIPTION_ANNO, "A test description", 0,
+      b, DESCRIPTION_ANNO, "A test description", 0,
       PlacesUtils.annotations.EXPIRE_NEVER);
-    // bookmark should be tracked, folder should not.
-    yield verifyTrackedItems([bGUID]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-    yield resetTracker();
-
-    PlacesUtils.annotations.removeItemAnnotation(b,
-      PlacesSyncUtils.bookmarks.DESCRIPTION_ANNO);
-    yield verifyTrackedItems([bGUID]);
+    do_check_true(tracker.changedIDs[bGUID] > 0);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemAdded_filtered_root() {
-  _("Items outside the change roots should not be tracked");
-
-  try {
-    yield startTracking();
-
-    _("Create a new root");
-    let rootID = PlacesUtils.bookmarks.createFolder(
-      PlacesUtils.bookmarks.placesRoot,
-      "New root",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let rootGUID = engine._store.GUIDForId(rootID);
-    _(`New root GUID: ${rootGUID}`);
-
-    _("Insert a bookmark underneath the new root");
-    let untrackedBmkID = PlacesUtils.bookmarks.insertBookmark(
-      rootID,
-      Utils.makeURI("http://getthunderbird.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Thunderbird!");
-    let untrackedBmkGUID = engine._store.GUIDForId(untrackedBmkID);
-    _(`New untracked bookmark GUID: ${untrackedBmkGUID}`);
-
-    _("Insert a bookmark underneath the Places root");
-    let rootBmkID = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.placesRoot,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX, "Get Firefox!");
-    let rootBmkGUID = engine._store.GUIDForId(rootBmkID);
-    _(`New Places root bookmark GUID: ${rootBmkGUID}`);
-
-    _("New root and bookmark should be ignored");
-    yield verifyTrackedItems([]);
-    // ...But we'll still increment the score and filter out the changes at
-    // sync time.
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 6);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemDeleted_filtered_root() {
-  _("Deleted items outside the change roots should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert a bookmark underneath the Places root");
-    let rootBmkID = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.placesRoot,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX, "Get Firefox!");
-    let rootBmkGUID = engine._store.GUIDForId(rootBmkID);
-    _(`New Places root bookmark GUID: ${rootBmkGUID}`);
-
-    yield startTracking();
-
-    PlacesUtils.bookmarks.removeItem(rootBmkID);
-
-    // We shouldn't upload tombstones for items in filtered roots, but the
-    // `onItemRemoved` observer doesn't have enough context to determine
-    // the root, so we'll end up uploading it.
-    yield verifyTrackedItems([rootBmkGUID]);
-    // We'll increment the counter twice (once for the removed item, and once
-    // for the Places root), then filter out the root.
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
 
-add_task(function* test_onPageAnnoChanged() {
-  _("Page annotations should not be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert a bookmark without an annotation");
-    let pageURI = Utils.makeURI("http://getfirefox.com");
-    PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      pageURI,
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-
-    yield startTracking();
-
-    _("Add a page annotation");
-    PlacesUtils.annotations.setPageAnnotation(pageURI, "URIProperties/characterSet",
-      "UTF-8", 0, PlacesUtils.annotations.EXPIRE_NEVER);
-    yield verifyTrackerEmpty();
-    yield resetTracker();
-
-    _("Remove the page annotation");
-    PlacesUtils.annotations.removePageAnnotation(pageURI,
-      "URIProperties/characterSet");
-    yield verifyTrackerEmpty();
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onFaviconChanged() {
-  _("Favicon changes should not be tracked");
-
-  try {
-    yield stopTracking();
-
-    let pageURI = Utils.makeURI("http://getfirefox.com");
-    let iconURI = Utils.makeURI("http://getfirefox.com/icon");
-    PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      pageURI,
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-
-    yield PlacesTestUtils.addVisits(pageURI);
-
-    yield startTracking();
-
-    _("Favicon annotations should be ignored");
-    let iconURL = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAA" +
-      "AAAA6fptVAAAACklEQVQI12NgAAAAAgAB4iG8MwAAAABJRU5ErkJggg==";
-
-    PlacesUtils.favicons.replaceFaviconDataFromDataURL(iconURI, iconURL, 0,
-      Services.scriptSecurityManager.getSystemPrincipal());
-
-    yield new Promise(resolve => {
-      PlacesUtils.favicons.setAndFetchFaviconForPage(pageURI, iconURI, true,
-        PlacesUtils.favicons.FAVICON_LOAD_NON_PRIVATE, (iconURI, dataLen, data, mimeType) => {
-          resolve();
-        },
-        Services.scriptSecurityManager.getSystemPrincipal());
-    });
-    yield verifyTrackerEmpty();
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onLivemarkAdded() {
-  _("New livemarks should be tracked");
-
-  try {
-    yield startTracking();
-
-    _("Insert a livemark");
-    let livemark = yield PlacesUtils.livemarks.addLivemark({
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      // Use a local address just in case, to avoid potential aborts for
-      // non-local connections.
-      feedURI: Utils.makeURI("http://localhost:0"),
-    });
-    // Prevent the livemark refresh timer from requesting the URI.
-    livemark.terminate();
-
-    yield verifyTrackedItems(["menu", livemark.guid]);
-    // Three changes: one for the parent, one for creating the livemark
-    // folder, and one for setting the "livemark/feedURI" anno on the folder.
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 3);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onLivemarkDeleted() {
-  _("Deleted livemarks should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert a livemark");
-    let livemark = yield PlacesUtils.livemarks.addLivemark({
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      feedURI: Utils.makeURI("http://localhost:0"),
-    });
-    livemark.terminate();
-
-    yield startTracking();
-
-    _("Remove a livemark");
-    yield PlacesUtils.livemarks.removeLivemark({
-      guid: livemark.guid,
-    });
-
-    yield verifyTrackedItems(["menu", livemark.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
   } finally {
     _("Clean up.");
-    yield cleanup();
+    store.wipe();
+    tracker.clearChangedIDs();
+    tracker.resetScore();
+    Svc.Obs.notify("weave:engine:stop-tracking");
   }
-});
+}
 
-add_task(function* test_onItemMoved() {
-  _("Items moved via the synchronous API should be tracked");
+function test_onItemMoved() {
+  _("Verify we've got an empty tracker to work with.");
+  let tracker = engine._tracker;
+  do_check_empty(tracker.changedIDs);
+  do_check_eq(tracker.score, 0);
 
   try {
     let fx_id = PlacesUtils.bookmarks.insertBookmark(
@@ -948,590 +124,55 @@ add_task(function* test_onItemMoved() {
       PlacesUtils.bookmarks.DEFAULT_INDEX,
       "Get Firefox!");
     let fx_guid = engine._store.GUIDForId(fx_id);
-    _("Firefox GUID: " + fx_guid);
     let tb_id = PlacesUtils.bookmarks.insertBookmark(
       PlacesUtils.bookmarks.bookmarksMenuFolder,
       Utils.makeURI("http://getthunderbird.com"),
       PlacesUtils.bookmarks.DEFAULT_INDEX,
       "Get Thunderbird!");
     let tb_guid = engine._store.GUIDForId(tb_id);
-    _("Thunderbird GUID: " + tb_guid);
 
-    yield startTracking();
+    Svc.Obs.notify("weave:engine:start-tracking");
 
     // Moving within the folder will just track the folder.
     PlacesUtils.bookmarks.moveItem(
       tb_id, PlacesUtils.bookmarks.bookmarksMenuFolder, 0);
-    yield verifyTrackedItems(['menu']);
+    do_check_true(tracker.changedIDs['menu'] > 0);
+    do_check_eq(tracker.changedIDs['toolbar'], undefined);
+    do_check_eq(tracker.changedIDs[fx_guid], undefined);
+    do_check_eq(tracker.changedIDs[tb_guid], undefined);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-    yield resetTracker();
+    tracker.clearChangedIDs();
+    tracker.resetScore();
 
     // Moving a bookmark to a different folder will track the old
     // folder, the new folder and the bookmark.
-    PlacesUtils.bookmarks.moveItem(fx_id, PlacesUtils.bookmarks.toolbarFolder,
+    PlacesUtils.bookmarks.moveItem(tb_id, PlacesUtils.bookmarks.toolbarFolder,
                                    PlacesUtils.bookmarks.DEFAULT_INDEX);
-    yield verifyTrackedItems(['menu', 'toolbar', fx_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 3);
-
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_async_onItemMoved_update() {
-  _("Items moved via the asynchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    let fxBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getfirefox.com",
-      title: "Get Firefox!",
-    });
-    let tbBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getthunderbird.com",
-      title: "Get Thunderbird!",
-    });
-
-    yield startTracking();
-
-    _("Repositioning a bookmark should track the folder");
-    yield PlacesUtils.bookmarks.update({
-      guid: tbBmk.guid,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      index: 0,
-    });
-    yield verifyTrackedItems(['menu']);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-    yield resetTracker();
-
-    _("Reparenting a bookmark should track both folders and the bookmark");
-    yield PlacesUtils.bookmarks.update({
-      guid: tbBmk.guid,
-      parentGuid: PlacesUtils.bookmarks.toolbarGuid,
-      index: PlacesUtils.bookmarks.DEFAULT_INDEX,
-    });
-    yield verifyTrackedItems(['menu', 'toolbar', tbBmk.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 3);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_async_onItemMoved_reorder() {
-  _("Items reordered via the asynchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Insert out-of-order bookmarks");
-    let fxBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getfirefox.com",
-      title: "Get Firefox!",
-    });
-    _(`Firefox GUID: ${fxBmk.guid}`);
-
-    let tbBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getthunderbird.com",
-      title: "Get Thunderbird!",
-    });
-    _(`Thunderbird GUID: ${tbBmk.guid}`);
-
-    let mozBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "https://mozilla.org",
-      title: "Mozilla",
-    });
-    _(`Mozilla GUID: ${mozBmk.guid}`);
-
-    yield startTracking();
-
-    _("Reorder bookmarks");
-    yield PlacesUtils.bookmarks.reorder(PlacesUtils.bookmarks.menuGuid,
-      [mozBmk.guid, fxBmk.guid, tbBmk.guid]);
-
-    // As with setItemIndex, we should only track the folder if we reorder
-    // its children, but we should bump the score for every changed item.
-    yield verifyTrackedItems(["menu"]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 3);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemMoved_setItemIndex() {
-  _("Items with updated indices should be tracked");
-
-  try {
-    yield stopTracking();
-
-    let folder_id = PlacesUtils.bookmarks.createFolder(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      "Test folder",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let folder_guid = engine._store.GUIDForId(folder_id);
-    _(`Folder GUID: ${folder_guid}`);
-
-    let tb_id = PlacesUtils.bookmarks.insertBookmark(
-      folder_id,
-      Utils.makeURI("http://getthunderbird.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Thunderbird");
-    let tb_guid = engine._store.GUIDForId(tb_id);
-    _(`Thunderbird GUID: ${tb_guid}`);
-
-    let fx_id = PlacesUtils.bookmarks.insertBookmark(
-      folder_id,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Firefox");
-    let fx_guid = engine._store.GUIDForId(fx_id);
-    _(`Firefox GUID: ${fx_guid}`);
-
-    let moz_id = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      Utils.makeURI("https://mozilla.org"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Mozilla"
-    );
-    let moz_guid = engine._store.GUIDForId(moz_id);
-    _(`Mozilla GUID: ${moz_guid}`);
-
-    yield startTracking();
-
-    // PlacesSortFolderByNameTransaction exercises
-    // PlacesUtils.bookmarks.setItemIndex.
-    let txn = new PlacesSortFolderByNameTransaction(folder_id);
-
-    // We're reordering items within the same folder, so only the folder
-    // should be tracked.
-    _("Execute the sort folder transaction");
-    txn.doTransaction();
-    yield verifyTrackedItems([folder_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-    yield resetTracker();
-
-    _("Undo the sort folder transaction");
-    txn.undoTransaction();
-    yield verifyTrackedItems([folder_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemDeleted_removeFolderTransaction() {
-  _("Folders removed in a transaction should be tracked");
-
-  try {
-    yield stopTracking();
-
-    _("Create a folder with two children");
-    let folder_id = PlacesUtils.bookmarks.createFolder(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      "Test folder",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let folder_guid = engine._store.GUIDForId(folder_id);
-    _(`Folder GUID: ${folder_guid}`);
-    let fx_id = PlacesUtils.bookmarks.insertBookmark(
-      folder_id,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-    let fx_guid = engine._store.GUIDForId(fx_id);
-    _(`Firefox GUID: ${fx_guid}`);
-    let tb_id = PlacesUtils.bookmarks.insertBookmark(
-      folder_id,
-      Utils.makeURI("http://getthunderbird.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Thunderbird!");
-    let tb_guid = engine._store.GUIDForId(tb_id);
-    _(`Thunderbird GUID: ${tb_guid}`);
-
-    yield startTracking();
-
-    let txn = PlacesUtils.bookmarks.getRemoveFolderTransaction(folder_id);
-    // We haven't executed the transaction yet.
-    yield verifyTrackerEmpty();
-
-    _("Execute the remove folder transaction");
-    txn.doTransaction();
-    yield verifyTrackedItems(["menu", folder_guid, fx_guid, tb_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 6);
-    yield resetTracker();
-
-    _("Undo the remove folder transaction");
-    txn.undoTransaction();
-
-    // At this point, the restored folder has the same ID, but a different GUID.
-    let new_folder_guid = yield PlacesUtils.promiseItemGuid(folder_id);
-
-    yield verifyTrackedItems(["menu", new_folder_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-    yield resetTracker();
-
-    _("Redo the transaction");
-    txn.redoTransaction();
-    yield verifyTrackedItems(["menu", new_folder_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_treeMoved() {
-  _("Moving an entire tree of bookmarks should track the parents");
-
-  try {
-    // Create a couple of parent folders.
-    let folder1_id = PlacesUtils.bookmarks.createFolder(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      "First test folder",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let folder1_guid = engine._store.GUIDForId(folder1_id);
-
-    // A second folder in the first.
-    let folder2_id = PlacesUtils.bookmarks.createFolder(
-      folder1_id,
-      "Second test folder",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let folder2_guid = engine._store.GUIDForId(folder2_id);
-
-    // Create a couple of bookmarks in the second folder.
-    let fx_id = PlacesUtils.bookmarks.insertBookmark(
-      folder2_id,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-    let fx_guid = engine._store.GUIDForId(fx_id);
-    let tb_id = PlacesUtils.bookmarks.insertBookmark(
-      folder2_id,
-      Utils.makeURI("http://getthunderbird.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Thunderbird!");
-    let tb_guid = engine._store.GUIDForId(tb_id);
-
-    yield startTracking();
-
-    // Move folder 2 to be a sibling of folder1.
-    PlacesUtils.bookmarks.moveItem(
-      folder2_id, PlacesUtils.bookmarks.bookmarksMenuFolder, 0);
-    // the menu and both folders should be tracked, the children should not be.
-    yield verifyTrackedItems(['menu', folder1_guid, folder2_guid]);
+    do_check_true(tracker.changedIDs['menu'] > 0);
+    do_check_true(tracker.changedIDs['toolbar'] > 0);
+    do_check_eq(tracker.changedIDs[fx_guid], undefined);
+    do_check_true(tracker.changedIDs[tb_guid] > 0);
     do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 3);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemDeleted() {
-  _("Bookmarks deleted via the synchronous API should be tracked");
-
-  try {
-    let fx_id = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-    let fx_guid = engine._store.GUIDForId(fx_id);
-    let tb_id = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      Utils.makeURI("http://getthunderbird.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Thunderbird!");
-    let tb_guid = engine._store.GUIDForId(tb_id);
-
-    yield startTracking();
-
-    // Delete the last item - the item and parent should be tracked.
-    PlacesUtils.bookmarks.removeItem(tb_id);
-
-    yield verifyTrackedItems(['menu', tb_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_async_onItemDeleted() {
-  _("Bookmarks deleted via the asynchronous API should be tracked");
-
-  try {
-    yield stopTracking();
-
-    let fxBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getfirefox.com",
-      title: "Get Firefox!",
-    });
-    let tbBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "http://getthunderbird.com",
-      title: "Get Thunderbird!",
-    });
-
-    yield startTracking();
-
-    _("Delete the first item");
-    yield PlacesUtils.bookmarks.remove(fxBmk.guid);
 
-    yield verifyTrackedItems(["menu", fxBmk.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 2);
   } finally {
     _("Clean up.");
-    yield cleanup();
+    store.wipe();
+    tracker.clearChangedIDs();
+    tracker.resetScore();
+    Svc.Obs.notify("weave:engine:stop-tracking");
   }
-});
-
-add_task(function* test_async_onItemDeleted_eraseEverything() {
-  _("Erasing everything should track all deleted items");
-
-  try {
-    yield stopTracking();
 
-    let fxBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.mobileGuid,
-      url: "http://getfirefox.com",
-      title: "Get Firefox!",
-    });
-    _(`Firefox GUID: ${fxBmk.guid}`);
-    let tbBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.mobileGuid,
-      url: "http://getthunderbird.com",
-      title: "Get Thunderbird!",
-    });
-    _(`Thunderbird GUID: ${tbBmk.guid}`);
-    let mozBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "https://mozilla.org",
-      title: "Mozilla",
-    });
-    _(`Mozilla GUID: ${mozBmk.guid}`);
-    let mdnBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: PlacesUtils.bookmarks.menuGuid,
-      url: "https://developer.mozilla.org",
-      title: "MDN",
-    });
-    _(`MDN GUID: ${mdnBmk.guid}`);
-    let bugsFolder = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_FOLDER,
-      parentGuid: PlacesUtils.bookmarks.toolbarGuid,
-      title: "Bugs",
-    });
-    _(`Bugs folder GUID: ${bugsFolder.guid}`);
-    let bzBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: bugsFolder.guid,
-      url: "https://bugzilla.mozilla.org",
-      title: "Bugzilla",
-    });
-    _(`Bugzilla GUID: ${bzBmk.guid}`);
-    let bugsChildFolder = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_FOLDER,
-      parentGuid: bugsFolder.guid,
-      title: "Bugs child",
-    });
-    _(`Bugs child GUID: ${bugsChildFolder.guid}`);
-    let bugsGrandChildBmk = yield PlacesUtils.bookmarks.insert({
-      type: PlacesUtils.bookmarks.TYPE_BOOKMARK,
-      parentGuid: bugsChildFolder.guid,
-      url: "https://example.com",
-      title: "Bugs grandchild",
-    });
-    _(`Bugs grandchild GUID: ${bugsGrandChildBmk.guid}`);
-
-    yield startTracking();
-
-    yield PlacesUtils.bookmarks.eraseEverything();
-
-    // `eraseEverything` removes all items from the database before notifying
-    // observers. Because of this, grandchild lookup in the tracker's
-    // `onItemRemoved` observer will fail. That means we won't track
-    // (bzBmk.guid, bugsGrandChildBmk.guid, bugsChildFolder.guid), even
-    // though we should.
-    yield verifyTrackedItems(["menu", mozBmk.guid, mdnBmk.guid, "toolbar",
-                              bugsFolder.guid, "mobile", fxBmk.guid,
-                              tbBmk.guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 10);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemDeleted_removeFolderChildren() {
-  _("Removing a folder's children should track the folder and its children");
-
-  try {
-    let fx_id = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.mobileFolderId,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-    let fx_guid = engine._store.GUIDForId(fx_id);
-    _(`Firefox GUID: ${fx_guid}`);
-
-    let tb_id = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.mobileFolderId,
-      Utils.makeURI("http://getthunderbird.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Thunderbird!");
-    let tb_guid = engine._store.GUIDForId(tb_id);
-    _(`Thunderbird GUID: ${tb_guid}`);
-
-    let moz_id = PlacesUtils.bookmarks.insertBookmark(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      Utils.makeURI("https://mozilla.org"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Mozilla"
-    );
-    let moz_guid = engine._store.GUIDForId(moz_id);
-    _(`Mozilla GUID: ${moz_guid}`);
-
-    yield startTracking();
-
-    _(`Mobile root ID: ${PlacesUtils.mobileFolderId}`);
-    PlacesUtils.bookmarks.removeFolderChildren(PlacesUtils.mobileFolderId);
-
-    yield verifyTrackedItems(["mobile", fx_guid, tb_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 4);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_onItemDeleted_tree() {
-  _("Deleting a tree of bookmarks should track all items");
-
-  try {
-    // Create a couple of parent folders.
-    let folder1_id = PlacesUtils.bookmarks.createFolder(
-      PlacesUtils.bookmarks.bookmarksMenuFolder,
-      "First test folder",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let folder1_guid = engine._store.GUIDForId(folder1_id);
-
-    // A second folder in the first.
-    let folder2_id = PlacesUtils.bookmarks.createFolder(
-      folder1_id,
-      "Second test folder",
-      PlacesUtils.bookmarks.DEFAULT_INDEX);
-    let folder2_guid = engine._store.GUIDForId(folder2_id);
-
-    // Create a couple of bookmarks in the second folder.
-    let fx_id = PlacesUtils.bookmarks.insertBookmark(
-      folder2_id,
-      Utils.makeURI("http://getfirefox.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Firefox!");
-    let fx_guid = engine._store.GUIDForId(fx_id);
-    let tb_id = PlacesUtils.bookmarks.insertBookmark(
-      folder2_id,
-      Utils.makeURI("http://getthunderbird.com"),
-      PlacesUtils.bookmarks.DEFAULT_INDEX,
-      "Get Thunderbird!");
-    let tb_guid = engine._store.GUIDForId(tb_id);
-
-    yield startTracking();
-
-    // Delete folder2 - everything we created should be tracked.
-    PlacesUtils.bookmarks.removeItem(folder2_id);
-
-    yield verifyTrackedItems([fx_guid, tb_guid, folder1_guid, folder2_guid]);
-    do_check_eq(tracker.score, SCORE_INCREMENT_XLARGE * 6);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
-
-add_task(function* test_mobile_query() {
-  _("Ensure we correctly create the mobile query");
-
-  try {
-    // Creates the organizer queries as a side effect.
-    let leftPaneId = PlacesUIUtils.leftPaneFolderId;
-    _(`Left pane root ID: ${leftPaneId}`);
-
-    let allBookmarksIds = findAnnoItems("PlacesOrganizer/OrganizerQuery", "AllBookmarks");
-    equal(allBookmarksIds.length, 1, "Should create folder with all bookmarks queries");
-    let allBookmarkGuid = yield PlacesUtils.promiseItemGuid(allBookmarksIds[0]);
-
-    _("Try creating query after organizer is ready");
-    tracker._ensureMobileQuery();
-    let queryIds = findAnnoItems("PlacesOrganizer/OrganizerQuery", "MobileBookmarks");
-    equal(queryIds.length, 0, "Should not create query without any mobile bookmarks");
-
-    _("Insert mobile bookmark, then create query");
-    yield PlacesUtils.bookmarks.insert({
-      parentGuid: PlacesUtils.bookmarks.mobileGuid,
-      url: "https://mozilla.org",
-    });
-    tracker._ensureMobileQuery();
-    queryIds = findAnnoItems("PlacesOrganizer/OrganizerQuery", "MobileBookmarks", {});
-    equal(queryIds.length, 1, "Should create query once mobile bookmarks exist");
-
-    let queryId = queryIds[0];
-    let queryGuid = yield PlacesUtils.promiseItemGuid(queryId);
+}
 
-    let queryInfo = yield PlacesUtils.bookmarks.fetch(queryGuid);
-    equal(queryInfo.url, `place:folder=${PlacesUtils.mobileFolderId}`, "Query should point to mobile root");
-    equal(queryInfo.title, "Mobile Bookmarks", "Query title should be localized");
-    equal(queryInfo.parentGuid, allBookmarkGuid, "Should append mobile query to all bookmarks queries");
+function run_test() {
+  initTestLogging("Trace");
 
-    _("Rename root and query, then recreate");
-    yield PlacesUtils.bookmarks.update({
-      guid: PlacesUtils.bookmarks.mobileGuid,
-      title: "renamed root",
-    });
-    yield PlacesUtils.bookmarks.update({
-      guid: queryGuid,
-      title: "renamed query",
-    });
-    tracker._ensureMobileQuery();
-    let rootInfo = yield PlacesUtils.bookmarks.fetch(PlacesUtils.bookmarks.mobileGuid);
-    equal(rootInfo.title, "Mobile Bookmarks", "Should fix root title");
-    queryInfo = yield PlacesUtils.bookmarks.fetch(queryGuid);
-    equal(queryInfo.title, "Mobile Bookmarks", "Should fix query title");
+  Log.repository.getLogger("Sync.Engine.Bookmarks").level = Log.Level.Trace;
+  Log.repository.getLogger("Sync.Store.Bookmarks").level = Log.Level.Trace;
+  Log.repository.getLogger("Sync.Tracker.Bookmarks").level = Log.Level.Trace;
 
-    _("Point query to different folder");
-    yield PlacesUtils.bookmarks.update({
-      guid: queryGuid,
-      url: "place:folder=BOOKMARKS_MENU",
-    });
-    tracker._ensureMobileQuery();
-    queryInfo = yield PlacesUtils.bookmarks.fetch(queryGuid);
-    equal(queryInfo.url.href, `place:folder=${PlacesUtils.mobileFolderId}`,
-      "Should fix query URL to point to mobile root");
+  test_tracking();
+  test_onItemChanged();
+  test_onItemMoved();
+}
 
-    _("We shouldn't track the query or the left pane root");
-    yield verifyTrackedCount(0);
-    do_check_eq(tracker.score, 0);
-  } finally {
-    _("Clean up.");
-    yield cleanup();
-  }
-});
diff --git a/services/sync/tests/unit/test_bookmark_validator.js b/services/sync/tests/unit/test_bookmark_validator.js
deleted file mode 100644
index cc0b3b08fc..0000000000
--- a/services/sync/tests/unit/test_bookmark_validator.js
+++ /dev/null
@@ -1,347 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Components.utils.import("resource://services-sync/bookmark_validator.js");
-Components.utils.import("resource://services-sync/util.js");
-
-function inspectServerRecords(data) {
-  return new BookmarkValidator().inspectServerRecords(data);
-}
-
-add_test(function test_isr_rootOnServer() {
-  let c = inspectServerRecords([{
-    id: 'places',
-    type: 'folder',
-    children: [],
-  }]);
-  ok(c.problemData.rootOnServer);
-  run_next_test();
-});
-
-add_test(function test_isr_empty() {
-  let c = inspectServerRecords([]);
-  ok(!c.problemData.rootOnServer);
-  notEqual(c.root, null);
-  run_next_test();
-});
-
-add_test(function test_isr_cycles() {
-  let c = inspectServerRecords([
-    {id: 'C', type: 'folder', children: ['A', 'B'], parentid: 'places'},
-    {id: 'A', type: 'folder', children: ['B'], parentid: 'B'},
-    {id: 'B', type: 'folder', children: ['A'], parentid: 'A'},
-  ]).problemData;
-
-  equal(c.cycles.length, 1);
-  ok(c.cycles[0].indexOf('A') >= 0);
-  ok(c.cycles[0].indexOf('B') >= 0);
-  run_next_test();
-});
-
-add_test(function test_isr_orphansMultiParents() {
-  let c = inspectServerRecords([
-    { id: 'A', type: 'bookmark', parentid: 'D' },
-    { id: 'B', type: 'folder', parentid: 'places', children: ['A']},
-    { id: 'C', type: 'folder', parentid: 'places', children: ['A']},
-
-  ]).problemData;
-  deepEqual(c.orphans, [{ id: "A", parent: "D" }]);
-  equal(c.multipleParents.length, 1)
-  ok(c.multipleParents[0].parents.indexOf('B') >= 0);
-  ok(c.multipleParents[0].parents.indexOf('C') >= 0);
-  run_next_test();
-});
-
-add_test(function test_isr_orphansMultiParents2() {
-  let c = inspectServerRecords([
-    { id: 'A', type: 'bookmark', parentid: 'D' },
-    { id: 'B', type: 'folder', parentid: 'places', children: ['A']},
-  ]).problemData;
-  equal(c.orphans.length, 1);
-  equal(c.orphans[0].id, 'A');
-  equal(c.multipleParents.length, 0);
-  run_next_test();
-});
-
-add_test(function test_isr_deletedParents() {
-  let c = inspectServerRecords([
-    { id: 'A', type: 'bookmark', parentid: 'B' },
-    { id: 'B', type: 'folder', parentid: 'places', children: ['A']},
-    { id: 'B', type: 'item', deleted: true},
-  ]).problemData;
-  deepEqual(c.deletedParents, ['A'])
-  run_next_test();
-});
-
-add_test(function test_isr_badChildren() {
-  let c = inspectServerRecords([
-    { id: 'A', type: 'bookmark', parentid: 'places', children: ['B', 'C'] },
-    { id: 'C', type: 'bookmark', parentid: 'A' }
-  ]).problemData;
-  deepEqual(c.childrenOnNonFolder, ['A'])
-  deepEqual(c.missingChildren, [{parent: 'A', child: 'B'}]);
-  deepEqual(c.parentNotFolder, ['C']);
-  run_next_test();
-});
-
-
-add_test(function test_isr_parentChildMismatches() {
-  let c = inspectServerRecords([
-    { id: 'A', type: 'folder', parentid: 'places', children: [] },
-    { id: 'B', type: 'bookmark', parentid: 'A' }
-  ]).problemData;
-  deepEqual(c.parentChildMismatches, [{parent: 'A', child: 'B'}]);
-  run_next_test();
-});
-
-add_test(function test_isr_duplicatesAndMissingIDs() {
-  let c = inspectServerRecords([
-    {id: 'A', type: 'folder', parentid: 'places', children: []},
-    {id: 'A', type: 'folder', parentid: 'places', children: []},
-    {type: 'folder', parentid: 'places', children: []}
-  ]).problemData;
-  equal(c.missingIDs, 1);
-  deepEqual(c.duplicates, ['A']);
-  run_next_test();
-});
-
-add_test(function test_isr_duplicateChildren()  {
-  let c = inspectServerRecords([
-    {id: 'A', type: 'folder', parentid: 'places', children: ['B', 'B']},
-    {id: 'B', type: 'bookmark', parentid: 'A'},
-  ]).problemData;
-  deepEqual(c.duplicateChildren, ['A']);
-  run_next_test();
-});
-
-// Each compareServerWithClient test mutates these, so we can't just keep them
-// global
-function getDummyServerAndClient() {
-  let server = [
-    {
-      id: 'menu',
-      parentid: 'places',
-      type: 'folder',
-      parentName: '',
-      title: 'foo',
-      children: ['bbbbbbbbbbbb', 'cccccccccccc']
-    },
-    {
-      id: 'bbbbbbbbbbbb',
-      type: 'bookmark',
-      parentid: 'menu',
-      parentName: 'foo',
-      title: 'bar',
-      bmkUri: 'http://baz.com'
-    },
-    {
-      id: 'cccccccccccc',
-      parentid: 'menu',
-      parentName: 'foo',
-      title: '',
-      type: 'query',
-      bmkUri: 'place:type=6&sort=14&maxResults=10'
-    }
-  ];
-
-  let client = {
-    "guid": "root________",
-    "title": "",
-    "id": 1,
-    "type": "text/x-moz-place-container",
-    "children": [
-      {
-        "guid": "menu________",
-        "title": "foo",
-        "id": 1000,
-        "type": "text/x-moz-place-container",
-        "children": [
-          {
-            "guid": "bbbbbbbbbbbb",
-            "title": "bar",
-            "id": 1001,
-            "type": "text/x-moz-place",
-            "uri": "http://baz.com"
-          },
-          {
-            "guid": "cccccccccccc",
-            "title": "",
-            "id": 1002,
-            "annos": [{
-              "name": "Places/SmartBookmark",
-              "flags": 0,
-              "expires": 4,
-              "value": "RecentTags"
-            }],
-            "type": "text/x-moz-place",
-            "uri": "place:type=6&sort=14&maxResults=10"
-          }
-        ]
-      }
-    ]
-  };
-  return {server, client};
-}
-
-
-add_test(function test_cswc_valid() {
-  let {server, client} = getDummyServerAndClient();
-
-  let c = new BookmarkValidator().compareServerWithClient(server, client).problemData;
-  equal(c.clientMissing.length, 0);
-  equal(c.serverMissing.length, 0);
-  equal(c.differences.length, 0);
-  run_next_test();
-});
-
-add_test(function test_cswc_serverMissing() {
-  let {server, client} = getDummyServerAndClient();
-  // remove c
-  server.pop();
-  server[0].children.pop();
-
-  let c = new BookmarkValidator().compareServerWithClient(server, client).problemData;
-  deepEqual(c.serverMissing, ['cccccccccccc']);
-  equal(c.clientMissing.length, 0);
-  deepEqual(c.structuralDifferences, [{id: 'menu', differences: ['childGUIDs']}]);
-  run_next_test();
-});
-
-add_test(function test_cswc_clientMissing() {
-  let {server, client} = getDummyServerAndClient();
-  client.children[0].children.pop();
-
-  let c = new BookmarkValidator().compareServerWithClient(server, client).problemData;
-  deepEqual(c.clientMissing, ['cccccccccccc']);
-  equal(c.serverMissing.length, 0);
-  deepEqual(c.structuralDifferences, [{id: 'menu', differences: ['childGUIDs']}]);
-  run_next_test();
-});
-
-add_test(function test_cswc_differences() {
-  {
-    let {server, client} = getDummyServerAndClient();
-    client.children[0].children[0].title = 'asdf';
-    let c = new BookmarkValidator().compareServerWithClient(server, client).problemData;
-    equal(c.clientMissing.length, 0);
-    equal(c.serverMissing.length, 0);
-    deepEqual(c.differences, [{id: 'bbbbbbbbbbbb', differences: ['title']}]);
-  }
-
-  {
-    let {server, client} = getDummyServerAndClient();
-    server[2].type = 'bookmark';
-    let c = new BookmarkValidator().compareServerWithClient(server, client).problemData;
-    equal(c.clientMissing.length, 0);
-    equal(c.serverMissing.length, 0);
-    deepEqual(c.differences, [{id: 'cccccccccccc', differences: ['type']}]);
-  }
-  run_next_test();
-});
-
-add_test(function test_cswc_serverUnexpected() {
-  let {server, client} = getDummyServerAndClient();
-  client.children.push({
-    "guid": "dddddddddddd",
-    "title": "",
-    "id": 2000,
-    "annos": [{
-      "name": "places/excludeFromBackup",
-      "flags": 0,
-      "expires": 4,
-      "value": 1
-    }, {
-      "name": "PlacesOrganizer/OrganizerFolder",
-      "flags": 0,
-      "expires": 4,
-      "value": 7
-    }],
-    "type": "text/x-moz-place-container",
-    "children": [{
-      "guid": "eeeeeeeeeeee",
-      "title": "History",
-      "annos": [{
-        "name": "places/excludeFromBackup",
-        "flags": 0,
-        "expires": 4,
-        "value": 1
-      }, {
-        "name": "PlacesOrganizer/OrganizerQuery",
-        "flags": 0,
-        "expires": 4,
-        "value": "History"
-      }],
-      "type": "text/x-moz-place",
-      "uri": "place:type=3&sort=4"
-    }]
-  });
-  server.push({
-    id: 'dddddddddddd',
-    parentid: 'places',
-    parentName: '',
-    title: '',
-    type: 'folder',
-    children: ['eeeeeeeeeeee']
-  }, {
-    id: 'eeeeeeeeeeee',
-    parentid: 'dddddddddddd',
-    parentName: '',
-    title: 'History',
-    type: 'query',
-    bmkUri: 'place:type=3&sort=4'
-  });
-
-  let c = new BookmarkValidator().compareServerWithClient(server, client).problemData;
-  equal(c.clientMissing.length, 0);
-  equal(c.serverMissing.length, 0);
-  equal(c.serverUnexpected.length, 2);
-  deepEqual(c.serverUnexpected, ["dddddddddddd", "eeeeeeeeeeee"]);
-  run_next_test();
-});
-
-function validationPing(server, client, duration) {
-  return wait_for_ping(function() {
-    // fake this entirely
-    Svc.Obs.notify("weave:service:sync:start");
-    Svc.Obs.notify("weave:engine:sync:start", null, "bookmarks");
-    Svc.Obs.notify("weave:engine:sync:finish", null, "bookmarks");
-    let validator = new BookmarkValidator();
-    let data = {
-      // We fake duration and version just so that we can verify they're passed through.
-      duration,
-      version: validator.version,
-      recordCount: server.length,
-      problems: validator.compareServerWithClient(server, client).problemData,
-    };
-    Svc.Obs.notify("weave:engine:validate:finish", data, "bookmarks");
-    Svc.Obs.notify("weave:service:sync:finish");
-  }, true); // Allow "failing" pings, since having validation info indicates failure.
-}
-
-add_task(function *test_telemetry_integration() {
-  let {server, client} = getDummyServerAndClient();
-  // remove "c"
-  server.pop();
-  server[0].children.pop();
-  const duration = 50;
-  let ping = yield validationPing(server, client, duration);
-  ok(ping.engines);
-  let bme = ping.engines.find(e => e.name === "bookmarks");
-  ok(bme);
-  ok(bme.validation);
-  ok(bme.validation.problems)
-  equal(bme.validation.checked, server.length);
-  equal(bme.validation.took, duration);
-  bme.validation.problems.sort((a, b) => String.localeCompare(a.name, b.name));
-  equal(bme.validation.version, new BookmarkValidator().version);
-  deepEqual(bme.validation.problems, [
-    { name: "badClientRoots", count: 3 },
-    { name: "sdiff:childGUIDs", count: 1 },
-    { name: "serverMissing", count: 1 },
-    { name: "structuralDifferences", count: 1 },
-  ]);
-});
-
-function run_test() {
-  run_next_test();
-}
diff --git a/services/sync/tests/unit/test_browserid_identity.js b/services/sync/tests/unit/test_browserid_identity.js
index 531c01bf6d..f3cde9f8f9 100644
--- a/services/sync/tests/unit/test_browserid_identity.js
+++ b/services/sync/tests/unit/test_browserid_identity.js
@@ -16,14 +16,13 @@ Cu.import("resource://gre/modules/FxAccountsCommon.js");
 Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/status.js");
 Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-common/tokenserverclient.js");
 
 const SECOND_MS = 1000;
 const MINUTE_MS = SECOND_MS * 60;
 const HOUR_MS = MINUTE_MS * 60;
 
-var identityConfig = makeIdentityConfig();
-var browseridManager = new BrowserIDManager();
+let identityConfig = makeIdentityConfig();
+let browseridManager = new BrowserIDManager();
 configureFxAccountIdentity(browseridManager, identityConfig);
 
 /**
@@ -32,14 +31,11 @@ configureFxAccountIdentity(browseridManager, identityConfig);
  * headers.  We will use this to test clock skew compensation in these headers
  * below.
  */
-var MockFxAccountsClient = function() {
+let MockFxAccountsClient = function() {
   FxAccountsClient.apply(this);
 };
 MockFxAccountsClient.prototype = {
-  __proto__: FxAccountsClient.prototype,
-  accountStatus() {
-    return Promise.resolve(true);
-  }
+  __proto__: FxAccountsClient.prototype
 };
 
 function MockFxAccounts() {
@@ -77,7 +73,7 @@ add_test(function test_initial_state() {
   }
 );
 
-add_task(function* test_initialializeWithCurrentIdentity() {
+add_task(function test_initialializeWithCurrentIdentity() {
     _("Verify start after initializeWithCurrentIdentity");
     browseridManager.initializeWithCurrentIdentity();
     yield browseridManager.whenReadyToAuthenticate.promise;
@@ -87,57 +83,7 @@ add_task(function* test_initialializeWithCurrentIdentity() {
   }
 );
 
-add_task(function* test_initialializeWithAuthErrorAndDeletedAccount() {
-    _("Verify sync unpair after initializeWithCurrentIdentity with auth error + account deleted");
-
-    var identityConfig = makeIdentityConfig();
-    var browseridManager = new BrowserIDManager();
-
-    // Use the real `_getAssertion` method that calls
-    // `mockFxAClient.signCertificate`.
-    let fxaInternal = makeFxAccountsInternalMock(identityConfig);
-    delete fxaInternal._getAssertion;
-
-    configureFxAccountIdentity(browseridManager, identityConfig, fxaInternal);
-    browseridManager._fxaService.internal.initialize();
-
-    let signCertificateCalled = false;
-    let accountStatusCalled = false;
-
-    let MockFxAccountsClient = function() {
-      FxAccountsClient.apply(this);
-    };
-    MockFxAccountsClient.prototype = {
-      __proto__: FxAccountsClient.prototype,
-      signCertificate() {
-        signCertificateCalled = true;
-        return Promise.reject({
-          code: 401,
-          errno: ERRNO_INVALID_AUTH_TOKEN,
-        });
-      },
-      accountStatus() {
-        accountStatusCalled = true;
-        return Promise.resolve(false);
-      }
-    };
-
-    let mockFxAClient = new MockFxAccountsClient();
-    browseridManager._fxaService.internal._fxAccountsClient = mockFxAClient;
-
-    yield browseridManager.initializeWithCurrentIdentity();
-    yield Assert.rejects(browseridManager.whenReadyToAuthenticate.promise,
-                     "should reject due to an auth error");
-
-    do_check_true(signCertificateCalled);
-    do_check_true(accountStatusCalled);
-    do_check_false(browseridManager.account);
-    do_check_false(browseridManager._token);
-    do_check_false(browseridManager.hasValidToken());
-    do_check_false(browseridManager.account);
-});
-
-add_task(function* test_initialializeWithNoKeys() {
+add_task(function test_initialializeWithNoKeys() {
     _("Verify start after initializeWithCurrentIdentity without kA, kB or keyFetchToken");
     let identityConfig = makeIdentityConfig();
     delete identityConfig.fxaccount.user.kA;
@@ -306,7 +252,7 @@ add_test(function test_RESTResourceAuthenticatorSkew() {
   run_next_test();
 });
 
-add_task(function* test_ensureLoggedIn() {
+add_task(function test_ensureLoggedIn() {
   configureFxAccountIdentity(browseridManager);
   yield browseridManager.initializeWithCurrentIdentity();
   yield browseridManager.whenReadyToAuthenticate.promise;
@@ -318,8 +264,8 @@ add_task(function* test_ensureLoggedIn() {
 
   // arrange for no logged in user.
   let fxa = browseridManager._fxaService
-  let signedInUser = fxa.internal.currentAccountState.storageManager.accountData;
-  fxa.internal.currentAccountState.storageManager.accountData = null;
+  let signedInUser = fxa.internal.currentAccountState.signedInUser;
+  fxa.internal.currentAccountState.signedInUser = null;
   browseridManager.initializeWithCurrentIdentity();
   Assert.ok(!browseridManager._shouldHaveSyncKeyBundle,
             "_shouldHaveSyncKeyBundle should be false so we know we are testing what we think we are.");
@@ -327,8 +273,7 @@ add_task(function* test_ensureLoggedIn() {
   yield Assert.rejects(browseridManager.ensureLoggedIn(), "expecting rejection due to no user");
   Assert.ok(browseridManager._shouldHaveSyncKeyBundle,
             "_shouldHaveSyncKeyBundle should always be true after ensureLogin completes.");
-  // Restore the logged in user to what it was.
-  fxa.internal.currentAccountState.storageManager.accountData = signedInUser;
+  fxa.internal.currentAccountState.signedInUser = signedInUser;
   Status.login = LOGIN_FAILED_LOGIN_REJECTED;
   yield Assert.rejects(browseridManager.ensureLoggedIn(),
                        "LOGIN_FAILED_LOGIN_REJECTED should have caused immediate rejection");
@@ -404,7 +349,7 @@ add_test(function test_computeXClientStateHeader() {
   run_next_test();
 });
 
-add_task(function* test_getTokenErrors() {
+add_task(function test_getTokenErrors() {
   _("BrowserIDManager correctly handles various failures to get a token.");
 
   _("Arrange for a 401 - Sync should reflect an auth error.");
@@ -437,75 +382,7 @@ add_task(function* test_getTokenErrors() {
   Assert.equal(Status.login, LOGIN_FAILED_NETWORK_ERROR, "login state is LOGIN_FAILED_NETWORK_ERROR");
 });
 
-add_task(function* test_refreshCertificateOn401() {
-  _("BrowserIDManager refreshes the FXA certificate after a 401.");
-  var identityConfig = makeIdentityConfig();
-  var browseridManager = new BrowserIDManager();
-  // Use the real `_getAssertion` method that calls
-  // `mockFxAClient.signCertificate`.
-  let fxaInternal = makeFxAccountsInternalMock(identityConfig);
-  delete fxaInternal._getAssertion;
-  configureFxAccountIdentity(browseridManager, identityConfig, fxaInternal);
-  browseridManager._fxaService.internal.initialize();
-
-  let getCertCount = 0;
-
-  let MockFxAccountsClient = function() {
-    FxAccountsClient.apply(this);
-  };
-  MockFxAccountsClient.prototype = {
-    __proto__: FxAccountsClient.prototype,
-    signCertificate() {
-      ++getCertCount;
-    }
-  };
-
-  let mockFxAClient = new MockFxAccountsClient();
-  browseridManager._fxaService.internal._fxAccountsClient = mockFxAClient;
-
-  let didReturn401 = false;
-  let didReturn200 = false;
-  let mockTSC = mockTokenServer(() => {
-    if (getCertCount <= 1) {
-      didReturn401 = true;
-      return {
-        status: 401,
-        headers: {"content-type": "application/json"},
-        body: JSON.stringify({}),
-      };
-    } else {
-      didReturn200 = true;
-      return {
-        status: 200,
-        headers: {"content-type": "application/json"},
-        body: JSON.stringify({
-          id:           "id",
-          key:          "key",
-          api_endpoint: "http://example.com/",
-          uid:          "uid",
-          duration:     300,
-        })
-      };
-    }
-  });
-
-  browseridManager._tokenServerClient = mockTSC;
-
-  yield browseridManager.initializeWithCurrentIdentity();
-  yield browseridManager.whenReadyToAuthenticate.promise;
-
-  do_check_eq(getCertCount, 2);
-  do_check_true(didReturn401);
-  do_check_true(didReturn200);
-  do_check_true(browseridManager.account);
-  do_check_true(browseridManager._token);
-  do_check_true(browseridManager.hasValidToken());
-  do_check_true(browseridManager.account);
-});
-
-
-
-add_task(function* test_getTokenErrorWithRetry() {
+add_task(function test_getTokenErrorWithRetry() {
   _("tokenserver sends an observer notification on various backoff headers.");
 
   // Set Sync's backoffInterval to zero - after we simulated the backoff header
@@ -547,7 +424,7 @@ add_task(function* test_getTokenErrorWithRetry() {
   Assert.ok(Status.backoffInterval >= 200000);
 });
 
-add_task(function* test_getKeysErrorWithBackoff() {
+add_task(function test_getKeysErrorWithBackoff() {
   _("Auth server (via hawk) sends an observer notification on backoff headers.");
 
   // Set Sync's backoffInterval to zero - after we simulated the backoff header
@@ -581,7 +458,7 @@ add_task(function* test_getKeysErrorWithBackoff() {
   Assert.ok(Status.backoffInterval >= 100000);
 });
 
-add_task(function* test_getKeysErrorWithRetry() {
+add_task(function test_getKeysErrorWithRetry() {
   _("Auth server (via hawk) sends an observer notification on retry headers.");
 
   // Set Sync's backoffInterval to zero - after we simulated the backoff header
@@ -615,7 +492,7 @@ add_task(function* test_getKeysErrorWithRetry() {
   Assert.ok(Status.backoffInterval >= 100000);
 });
 
-add_task(function* test_getHAWKErrors() {
+add_task(function test_getHAWKErrors() {
   _("BrowserIDManager correctly handles various HAWK failures.");
 
   _("Arrange for a 401 - Sync should reflect an auth error.");
@@ -648,7 +525,7 @@ add_task(function* test_getHAWKErrors() {
   Assert.equal(Status.login, LOGIN_FAILED_NETWORK_ERROR, "login state is LOGIN_FAILED_NETWORK_ERROR");
 });
 
-add_task(function* test_getGetKeysFailing401() {
+add_task(function test_getGetKeysFailing401() {
   _("BrowserIDManager correctly handles 401 responses fetching keys.");
 
   _("Arrange for a 401 - Sync should reflect an auth error.");
@@ -669,7 +546,7 @@ add_task(function* test_getGetKeysFailing401() {
   Assert.equal(Status.login, LOGIN_FAILED_LOGIN_REJECTED, "login was rejected");
 });
 
-add_task(function* test_getGetKeysFailing503() {
+add_task(function test_getGetKeysFailing503() {
   _("BrowserIDManager correctly handles 5XX responses fetching keys.");
 
   _("Arrange for a 503 - Sync should reflect a network error.");
@@ -690,7 +567,7 @@ add_task(function* test_getGetKeysFailing503() {
   Assert.equal(Status.login, LOGIN_FAILED_NETWORK_ERROR, "state reflects network error");
 });
 
-add_task(function* test_getKeysMissing() {
+add_task(function test_getKeysMissing() {
   _("BrowserIDManager correctly handles getKeys succeeding but not returning keys.");
 
   let browseridManager = new BrowserIDManager();
@@ -708,17 +585,7 @@ add_task(function* test_getKeysMissing() {
     fetchAndUnwrapKeys: function () {
       return Promise.resolve({});
     },
-    fxAccountsClient: new MockFxAccountsClient(),
-    newAccountState(credentials) {
-      // We only expect this to be called with null indicating the (mock)
-      // storage should be read.
-      if (credentials) {
-        throw new Error("Not expecting to have credentials passed");
-      }
-      let storageManager = new MockFxaStorageManager();
-      storageManager.initialize(identityConfig.fxaccount.user);
-      return new AccountState(storageManager);
-    },
+    fxAccountsClient: new MockFxAccountsClient()
   });
 
   // Add a mock to the currentAccountState object.
@@ -730,6 +597,9 @@ add_task(function* test_getKeysMissing() {
     return Promise.resolve(this.cert.cert);
   };
 
+  // Ensure the new FxAccounts mock has a signed-in user.
+  fxa.internal.currentAccountState.signedInUser = browseridManager._fxaService.internal.currentAccountState.signedInUser;
+
   browseridManager._fxaService = fxa;
 
   yield browseridManager.initializeWithCurrentIdentity();
@@ -744,41 +614,6 @@ add_task(function* test_getKeysMissing() {
   Assert.ok(ex.message.indexOf("missing kA or kB") >= 0);
 });
 
-add_task(function* test_signedInUserMissing() {
-  _("BrowserIDManager detects getSignedInUser returning incomplete account data");
-
-  let browseridManager = new BrowserIDManager();
-  let config = makeIdentityConfig();
-  // Delete stored keys and the key fetch token.
-  delete identityConfig.fxaccount.user.kA;
-  delete identityConfig.fxaccount.user.kB;
-  delete identityConfig.fxaccount.user.keyFetchToken;
-
-  configureFxAccountIdentity(browseridManager, identityConfig);
-
-  let fxa = new FxAccounts({
-    fetchAndUnwrapKeys: function () {
-      return Promise.resolve({});
-    },
-    fxAccountsClient: new MockFxAccountsClient(),
-    newAccountState(credentials) {
-      // We only expect this to be called with null indicating the (mock)
-      // storage should be read.
-      if (credentials) {
-        throw new Error("Not expecting to have credentials passed");
-      }
-      let storageManager = new MockFxaStorageManager();
-      storageManager.initialize(identityConfig.fxaccount.user);
-      return new AccountState(storageManager);
-    },
-  });
-
-  browseridManager._fxaService = fxa;
-
-  let status = yield browseridManager.unlockAndVerifyAuthState();
-  Assert.equal(status, LOGIN_FAILED_LOGIN_REJECTED);
-});
-
 // End of tests
 // Utility functions follow
 
@@ -803,17 +638,7 @@ function* initializeIdentityWithHAWKResponseFactory(config, cbGetResponse) {
       callback.call(this);
     },
     get: function(callback) {
-      // Skip /status requests (browserid_identity checks if the account still
-      // exists after an auth error)
-      if (this._uri.startsWith("http://mockedserver:9999/account/status")) {
-        this.response = {
-          status: 200,
-          headers: {"content-type": "application/json"},
-          body: JSON.stringify({exists: true}),
-        };
-      } else {
-        this.response = cbGetResponse("get", null, this._uri, this._credentials, this._extra);
-      }
+      this.response = cbGetResponse("get", null, this._uri, this._credentials, this._extra);
       callback.call(this);
     }
   }
@@ -833,18 +658,11 @@ function* initializeIdentityWithHAWKResponseFactory(config, cbGetResponse) {
   fxaClient.hawk = new MockedHawkClient();
   let internal = {
     fxAccountsClient: fxaClient,
-    newAccountState(credentials) {
-      // We only expect this to be called with null indicating the (mock)
-      // storage should be read.
-      if (credentials) {
-        throw new Error("Not expecting to have credentials passed");
-      }
-      let storageManager = new MockFxaStorageManager();
-      storageManager.initialize(config.fxaccount.user);
-      return new AccountState(storageManager);
-    },
   }
   let fxa = new FxAccounts(internal);
+  fxa.internal.currentAccountState.signedInUser = {
+      accountData: config.fxaccount.user,
+  };
 
   browseridManager._fxaService = fxa;
   browseridManager._signedInUser = null;
@@ -862,29 +680,3 @@ function getTimestampDelta(hawkAuthHeader, now=Date.now()) {
   return Math.abs(getTimestamp(hawkAuthHeader) - now);
 }
 
-function mockTokenServer(func) {
-  let requestLog = Log.repository.getLogger("testing.mock-rest");
-  if (!requestLog.appenders.length) { // might as well see what it says :)
-    requestLog.addAppender(new Log.DumpAppender());
-    requestLog.level = Log.Level.Trace;
-  }
-  function MockRESTRequest(url) {};
-  MockRESTRequest.prototype = {
-    _log: requestLog,
-    setHeader: function() {},
-    get: function(callback) {
-      this.response = func();
-      callback.call(this);
-    }
-  }
-  // The mocked TokenServer client which will get the response.
-  function MockTSC() { }
-  MockTSC.prototype = new TokenServerClient();
-  MockTSC.prototype.constructor = MockTSC;
-  MockTSC.prototype.newRESTRequest = function(url) {
-    return new MockRESTRequest(url);
-  }
-  // Arrange for the same observerPrefix as browserid_identity uses.
-  MockTSC.prototype.observerPrefix = "weave:service";
-  return new MockTSC();
-}
diff --git a/services/sync/tests/unit/test_clients_engine.js b/services/sync/tests/unit/test_clients_engine.js
index d2123f80a0..919913f820 100644
--- a/services/sync/tests/unit/test_clients_engine.js
+++ b/services/sync/tests/unit/test_clients_engine.js
@@ -12,7 +12,7 @@ Cu.import("resource://testing-common/services/sync/utils.js");
 const MORE_THAN_CLIENTS_TTL_REFRESH = 691200; // 8 days
 const LESS_THAN_CLIENTS_TTL_REFRESH = 86400;  // 1 day
 
-var engine = Service.clientsEngine;
+let engine = Service.clientsEngine;
 
 /**
  * Unpack the record with this ID, and verify that it has the same version that
@@ -31,10 +31,10 @@ function check_record_version(user, id) {
     let cleartext = rec.decrypt(Service.collectionKeys.keyForCollection("clients"));
 
     _("Payload is " + JSON.stringify(cleartext));
-    equal(Services.appinfo.version, cleartext.version);
-    equal(2, cleartext.protocols.length);
-    equal("1.1", cleartext.protocols[0]);
-    equal("1.5", cleartext.protocols[1]);
+    do_check_eq(Services.appinfo.version, cleartext.version);
+    do_check_eq(2, cleartext.protocols.length);
+    do_check_eq("1.1", cleartext.protocols[0]);
+    do_check_eq("1.5", cleartext.protocols[1]);
 }
 
 add_test(function test_bad_hmac() {
@@ -64,7 +64,7 @@ add_test(function test_bad_hmac() {
     let coll  = user.collection("clients");
 
     // Treat a non-existent collection as empty.
-    equal(expectedCount, coll ? coll.count() : 0, stack);
+    do_check_eq(expectedCount, coll ? coll.count() : 0, stack);
   }
 
   function check_client_deleted(id) {
@@ -77,7 +77,7 @@ add_test(function test_bad_hmac() {
     generateNewKeys(Service.collectionKeys);
     let serverKeys = Service.collectionKeys.asWBO("crypto", "keys");
     serverKeys.encrypt(Service.identity.syncKeyBundle);
-    ok(serverKeys.upload(Service.resource(Service.cryptoKeysURL)).success);
+    do_check_true(serverKeys.upload(Service.resource(Service.cryptoKeysURL)).success);
   }
 
   try {
@@ -89,11 +89,11 @@ add_test(function test_bad_hmac() {
     generateNewKeys(Service.collectionKeys);
 
     _("First sync, client record is uploaded");
-    equal(engine.lastRecordUpload, 0);
+    do_check_eq(engine.lastRecordUpload, 0);
     check_clients_count(0);
     engine._sync();
     check_clients_count(1);
-    ok(engine.lastRecordUpload > 0);
+    do_check_true(engine.lastRecordUpload > 0);
 
     // Our uploaded record has a version.
     check_record_version(user, engine.localID);
@@ -109,7 +109,7 @@ add_test(function test_bad_hmac() {
     generateNewKeys(Service.collectionKeys);
     let serverKeys = Service.collectionKeys.asWBO("crypto", "keys");
     serverKeys.encrypt(Service.identity.syncKeyBundle);
-    ok(serverKeys.upload(Service.resource(Service.cryptoKeysURL)).success);
+    do_check_true(serverKeys.upload(Service.resource(Service.cryptoKeysURL)).success);
 
     _("Sync.");
     engine._sync();
@@ -130,8 +130,8 @@ add_test(function test_bad_hmac() {
     engine._sync();
 
     _("Old record was not deleted, new one uploaded.");
-    equal(deletedCollections.length, 0);
-    equal(deletedItems.length, 0);
+    do_check_eq(deletedCollections.length, 0);
+    do_check_eq(deletedItems.length, 0);
     check_clients_count(2);
 
     _("Now try the scenario where our keys are wrong *and* there's a bad record.");
@@ -162,14 +162,14 @@ add_test(function test_bad_hmac() {
     generateNewKeys(Service.collectionKeys);
     let oldKey = Service.collectionKeys.keyForCollection();
 
-    equal(deletedCollections.length, 0);
-    equal(deletedItems.length, 0);
+    do_check_eq(deletedCollections.length, 0);
+    do_check_eq(deletedItems.length, 0);
     engine._sync();
-    equal(deletedItems.length, 1);
+    do_check_eq(deletedItems.length, 1);
     check_client_deleted(oldLocalID);
     check_clients_count(1);
     let newKey = Service.collectionKeys.keyForCollection();
-    ok(!oldKey.equals(newKey));
+    do_check_false(oldKey.equals(newKey));
 
   } finally {
     Svc.Prefs.resetBranch("");
@@ -181,91 +181,18 @@ add_test(function test_bad_hmac() {
 add_test(function test_properties() {
   _("Test lastRecordUpload property");
   try {
-    equal(Svc.Prefs.get("clients.lastRecordUpload"), undefined);
-    equal(engine.lastRecordUpload, 0);
+    do_check_eq(Svc.Prefs.get("clients.lastRecordUpload"), undefined);
+    do_check_eq(engine.lastRecordUpload, 0);
 
     let now = Date.now();
     engine.lastRecordUpload = now / 1000;
-    equal(engine.lastRecordUpload, Math.floor(now / 1000));
+    do_check_eq(engine.lastRecordUpload, Math.floor(now / 1000));
   } finally {
     Svc.Prefs.resetBranch("");
     run_next_test();
   }
 });
 
-add_test(function test_full_sync() {
-  _("Ensure that Clients engine fetches all records for each sync.");
-
-  let now = Date.now() / 1000;
-  let contents = {
-    meta: {global: {engines: {clients: {version: engine.version,
-                                        syncID: engine.syncID}}}},
-    clients: {},
-    crypto: {}
-  };
-  let server = serverForUsers({"foo": "password"}, contents);
-  let user   = server.user("foo");
-
-  new SyncTestingInfrastructure(server.server);
-  generateNewKeys(Service.collectionKeys);
-
-  let activeID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(activeID, encryptPayload({
-    id: activeID,
-    name: "Active client",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  let deletedID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(deletedID, encryptPayload({
-    id: deletedID,
-    name: "Client to delete",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  try {
-    let store = engine._store;
-
-    _("First sync. 2 records downloaded; our record uploaded.");
-    strictEqual(engine.lastRecordUpload, 0);
-    engine._sync();
-    ok(engine.lastRecordUpload > 0);
-    deepEqual(user.collection("clients").keys().sort(),
-              [activeID, deletedID, engine.localID].sort(),
-              "Our record should be uploaded on first sync");
-    deepEqual(Object.keys(store.getAllIDs()).sort(),
-              [activeID, deletedID, engine.localID].sort(),
-              "Other clients should be downloaded on first sync");
-
-    _("Delete a record, then sync again");
-    let collection = server.getCollection("foo", "clients");
-    collection.remove(deletedID);
-    // Simulate a timestamp update in info/collections.
-    engine.lastModified = now;
-    engine._sync();
-
-    _("Record should be updated");
-    deepEqual(Object.keys(store.getAllIDs()).sort(),
-              [activeID, engine.localID].sort(),
-              "Deleted client should be removed on next sync");
-  } finally {
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-
-    try {
-      server.deleteCollections("foo");
-    } finally {
-      server.stop(run_next_test);
-    }
-  }
-});
-
 add_test(function test_sync() {
   _("Ensure that Clients engine uploads a new client record once a week.");
 
@@ -288,30 +215,30 @@ add_test(function test_sync() {
   try {
 
     _("First sync. Client record is uploaded.");
-    equal(clientWBO(), undefined);
-    equal(engine.lastRecordUpload, 0);
+    do_check_eq(clientWBO(), undefined);
+    do_check_eq(engine.lastRecordUpload, 0);
     engine._sync();
-    ok(!!clientWBO().payload);
-    ok(engine.lastRecordUpload > 0);
+    do_check_true(!!clientWBO().payload);
+    do_check_true(engine.lastRecordUpload > 0);
 
     _("Let's time travel more than a week back, new record should've been uploaded.");
     engine.lastRecordUpload -= MORE_THAN_CLIENTS_TTL_REFRESH;
     let lastweek = engine.lastRecordUpload;
     clientWBO().payload = undefined;
     engine._sync();
-    ok(!!clientWBO().payload);
-    ok(engine.lastRecordUpload > lastweek);
+    do_check_true(!!clientWBO().payload);
+    do_check_true(engine.lastRecordUpload > lastweek);
 
     _("Remove client record.");
     engine.removeClientData();
-    equal(clientWBO().payload, undefined);
+    do_check_eq(clientWBO().payload, undefined);
 
     _("Time travel one day back, no record uploaded.");
     engine.lastRecordUpload -= LESS_THAN_CLIENTS_TTL_REFRESH;
     let yesterday = engine.lastRecordUpload;
     engine._sync();
-    equal(clientWBO().payload, undefined);
-    equal(engine.lastRecordUpload, yesterday);
+    do_check_eq(clientWBO().payload, undefined);
+    do_check_eq(engine.lastRecordUpload, yesterday);
 
   } finally {
     Svc.Prefs.resetBranch("");
@@ -336,16 +263,16 @@ add_test(function test_client_name_change() {
 
   let initialScore = tracker.score;
 
-  equal(Object.keys(tracker.changedIDs).length, 0);
+  do_check_eq(Object.keys(tracker.changedIDs).length, 0);
 
   Svc.Prefs.set("client.name", "new name");
 
   _("new name: " + engine.localName);
-  notEqual(initialName, engine.localName);
-  equal(Object.keys(tracker.changedIDs).length, 1);
-  ok(engine.localID in tracker.changedIDs);
-  ok(tracker.score > initialScore);
-  ok(tracker.score >= SCORE_INCREMENT_XLARGE);
+  do_check_neq(initialName, engine.localName);
+  do_check_eq(Object.keys(tracker.changedIDs).length, 1);
+  do_check_true(engine.localID in tracker.changedIDs);
+  do_check_true(tracker.score > initialScore);
+  do_check_true(tracker.score >= SCORE_INCREMENT_XLARGE);
 
   Svc.Obs.notify("weave:engine:stop-tracking");
 
@@ -369,16 +296,15 @@ add_test(function test_send_command() {
   engine._sendCommandToClient(action, args, remoteId);
 
   let newRecord = store._remoteClients[remoteId];
-  let clientCommands = engine._readCommands()[remoteId];
-  notEqual(newRecord, undefined);
-  equal(clientCommands.length, 1);
+  do_check_neq(newRecord, undefined);
+  do_check_eq(newRecord.commands.length, 1);
 
-  let command = clientCommands[0];
-  equal(command.command, action);
-  equal(command.args.length, 2);
-  deepEqual(command.args, args);
+  let command = newRecord.commands[0];
+  do_check_eq(command.command, action);
+  do_check_eq(command.args.length, 2);
+  do_check_eq(command.args, args);
 
-  notEqual(tracker.changedIDs[remoteId], undefined);
+  do_check_neq(tracker.changedIDs[remoteId], undefined);
 
   run_next_test();
 });
@@ -402,7 +328,7 @@ add_test(function test_command_validation() {
     ["__UNKNOWN__", [],       false]
   ];
 
-  for (let [action, args, expectedResult] of testCommands) {
+  for each (let [action, args, expectedResult] in testCommands) {
     let remoteId = Utils.makeGUID();
     let rec = new ClientsRec("clients", remoteId);
 
@@ -412,26 +338,24 @@ add_test(function test_command_validation() {
     engine.sendCommand(action, args, remoteId);
 
     let newRecord = store._remoteClients[remoteId];
-    notEqual(newRecord, undefined);
-
-    let clientCommands = engine._readCommands()[remoteId];
+    do_check_neq(newRecord, undefined);
 
     if (expectedResult) {
       _("Ensuring command is sent: " + action);
-      equal(clientCommands.length, 1);
+      do_check_eq(newRecord.commands.length, 1);
 
-      let command = clientCommands[0];
-      equal(command.command, action);
-      deepEqual(command.args, args);
+      let command = newRecord.commands[0];
+      do_check_eq(command.command, action);
+      do_check_eq(command.args, args);
 
-      notEqual(engine._tracker, undefined);
-      notEqual(engine._tracker.changedIDs[remoteId], undefined);
+      do_check_neq(engine._tracker, undefined);
+      do_check_neq(engine._tracker.changedIDs[remoteId], undefined);
     } else {
       _("Ensuring command is scrubbed: " + action);
-      equal(clientCommands, undefined);
+      do_check_eq(newRecord.commands, undefined);
 
       if (store._tracker) {
-        equal(engine._tracker[remoteId], undefined);
+        do_check_eq(engine._tracker[remoteId], undefined);
       }
     }
 
@@ -455,11 +379,10 @@ add_test(function test_command_duplication() {
   engine.sendCommand(action, args, remoteId);
 
   let newRecord = store._remoteClients[remoteId];
-  let clientCommands = engine._readCommands()[remoteId];
-  equal(clientCommands.length, 1);
+  do_check_eq(newRecord.commands.length, 1);
 
   _("Check variant args length");
-  engine._saveCommands({});
+  newRecord.commands = [];
 
   action = "resetEngine";
   engine.sendCommand(action, [{ x: "foo" }], remoteId);
@@ -468,8 +391,7 @@ add_test(function test_command_duplication() {
   _("Make sure we spot a real dupe argument.");
   engine.sendCommand(action, [{ x: "bar" }], remoteId);
 
-  clientCommands = engine._readCommands()[remoteId];
-  equal(clientCommands.length, 2);
+  do_check_eq(newRecord.commands.length, 2);
 
   run_next_test();
 });
@@ -486,7 +408,7 @@ add_test(function test_command_invalid_client() {
     error = ex;
   }
 
-  equal(error.message.indexOf("Unknown remote client ID: "), 0);
+  do_check_eq(error.message.indexOf("Unknown remote client ID: "), 0);
 
   run_next_test();
 });
@@ -500,174 +422,13 @@ add_test(function test_process_incoming_commands() {
 
   var handler = function() {
     Svc.Obs.remove(ev, handler);
-
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-    engine._resetClient();
-
     run_next_test();
   };
 
   Svc.Obs.add(ev, handler);
 
   // logout command causes processIncomingCommands to return explicit false.
-  ok(!engine.processIncomingCommands());
-});
-
-add_test(function test_filter_duplicate_names() {
-  _("Ensure that we exclude clients with identical names that haven't synced in a week.");
-
-  let now = Date.now() / 1000;
-  let contents = {
-    meta: {global: {engines: {clients: {version: engine.version,
-                                        syncID: engine.syncID}}}},
-    clients: {},
-    crypto: {}
-  };
-  let server = serverForUsers({"foo": "password"}, contents);
-  let user   = server.user("foo");
-
-  new SyncTestingInfrastructure(server.server);
-  generateNewKeys(Service.collectionKeys);
-
-  // Synced recently.
-  let recentID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(recentID, encryptPayload({
-    id: recentID,
-    name: "My Phone",
-    type: "mobile",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  // Dupe of our client, synced more than 1 week ago.
-  let dupeID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(dupeID, encryptPayload({
-    id: dupeID,
-    name: engine.localName,
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 604810));
-
-  // Synced more than 1 week ago, but not a dupe.
-  let oldID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(oldID, encryptPayload({
-    id: oldID,
-    name: "My old desktop",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 604820));
-
-  try {
-    let store = engine._store;
-
-    _("First sync");
-    strictEqual(engine.lastRecordUpload, 0);
-    engine._sync();
-    ok(engine.lastRecordUpload > 0);
-    deepEqual(user.collection("clients").keys().sort(),
-              [recentID, dupeID, oldID, engine.localID].sort(),
-              "Our record should be uploaded on first sync");
-
-    deepEqual(Object.keys(store.getAllIDs()).sort(),
-              [recentID, dupeID, oldID, engine.localID].sort(),
-              "Duplicate ID should remain in getAllIDs");
-    ok(engine._store.itemExists(dupeID), "Dupe ID should be considered as existing for Sync methods.");
-    ok(!engine.remoteClientExists(dupeID), "Dupe ID should not be considered as existing for external methods.");
-
-    // dupe desktop should not appear in .deviceTypes.
-    equal(engine.deviceTypes.get("desktop"), 2);
-    equal(engine.deviceTypes.get("mobile"), 1);
-
-    // dupe desktop should not appear in stats
-    deepEqual(engine.stats, {
-      hasMobile: 1,
-      names: [engine.localName, "My Phone", "My old desktop"],
-      numClients: 3,
-    });
-
-    ok(engine.remoteClientExists(oldID), "non-dupe ID should exist.");
-    ok(!engine.remoteClientExists(dupeID), "dupe ID should not exist");
-    equal(engine.remoteClients.length, 2, "dupe should not be in remoteClients");
-
-    // Check that a subsequent Sync doesn't report anything as being processed.
-    let counts;
-    Svc.Obs.add("weave:engine:sync:applied", function observe(subject, data) {
-      Svc.Obs.remove("weave:engine:sync:applied", observe);
-      counts = subject;
-    });
-
-    engine._sync();
-    equal(counts.applied, 0); // We didn't report applying any records.
-    equal(counts.reconciled, 4); // We reported reconcilliation for all records
-    equal(counts.succeeded, 0);
-    equal(counts.failed, 0);
-    equal(counts.newFailed, 0);
-
-    _("Broadcast logout to all clients");
-    engine.sendCommand("logout", []);
-    engine._sync();
-
-    let collection = server.getCollection("foo", "clients");
-    let recentPayload = JSON.parse(JSON.parse(collection.payload(recentID)).ciphertext);
-    deepEqual(recentPayload.commands, [{ command: "logout", args: [] }],
-              "Should send commands to the recent client");
-
-    let oldPayload = JSON.parse(JSON.parse(collection.payload(oldID)).ciphertext);
-    deepEqual(oldPayload.commands, [{ command: "logout", args: [] }],
-              "Should send commands to the week-old client");
-
-    let dupePayload = JSON.parse(JSON.parse(collection.payload(dupeID)).ciphertext);
-    deepEqual(dupePayload.commands, [],
-              "Should not send commands to the dupe client");
-
-    _("Update the dupe client's modified time");
-    server.insertWBO("foo", "clients", new ServerWBO(dupeID, encryptPayload({
-      id: dupeID,
-      name: engine.localName,
-      type: "desktop",
-      commands: [],
-      version: "48",
-      protocols: ["1.5"],
-    }), now - 10));
-
-    _("Second sync.");
-    engine._sync();
-
-    deepEqual(Object.keys(store.getAllIDs()).sort(),
-              [recentID, oldID, dupeID, engine.localID].sort(),
-              "Stale client synced, so it should no longer be marked as a dupe");
-
-    ok(engine.remoteClientExists(dupeID), "Dupe ID should appear as it synced.");
-
-    // Recently synced dupe desktop should appear in .deviceTypes.
-    equal(engine.deviceTypes.get("desktop"), 3);
-
-    // Recently synced dupe desktop should now appear in stats
-    deepEqual(engine.stats, {
-      hasMobile: 1,
-      names: [engine.localName, "My Phone", engine.localName, "My old desktop"],
-      numClients: 4,
-    });
-
-    ok(engine.remoteClientExists(dupeID), "recently synced dupe ID should now exist");
-    equal(engine.remoteClients.length, 3, "recently synced dupe should now be in remoteClients");
-
-  } finally {
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-
-    try {
-      server.deleteCollections("foo");
-    } finally {
-      server.stop(run_next_test);
-    }
-  }
+  do_check_false(engine.processIncomingCommands());
 });
 
 add_test(function test_command_sync() {
@@ -693,58 +454,40 @@ add_test(function test_command_sync() {
   }
 
   _("Create remote client record");
-  server.insertWBO("foo", "clients", new ServerWBO(remoteId, encryptPayload({
-    id: remoteId,
-    name: "Remote client",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), Date.now() / 1000));
+  let rec = new ClientsRec("clients", remoteId);
+  engine._store.create(rec);
+  let remoteRecord = engine._store.createRecord(remoteId, "clients");
+  engine.sendCommand("wipeAll", []);
+
+  let clientRecord = engine._store._remoteClients[remoteId];
+  do_check_neq(clientRecord, undefined);
+  do_check_eq(clientRecord.commands.length, 1);
 
   try {
     _("Syncing.");
     engine._sync();
-
-    _("Checking remote record was downloaded.");
-    let clientRecord = engine._store._remoteClients[remoteId];
-    notEqual(clientRecord, undefined);
-    equal(clientRecord.commands.length, 0);
-
-    _("Send a command to the remote client.");
-    engine.sendCommand("wipeAll", []);
-    let clientCommands = engine._readCommands()[remoteId];
-    equal(clientCommands.length, 1);
-    engine._sync();
-
     _("Checking record was uploaded.");
-    notEqual(clientWBO(engine.localID).payload, undefined);
-    ok(engine.lastRecordUpload > 0);
+    do_check_neq(clientWBO(engine.localID).payload, undefined);
+    do_check_true(engine.lastRecordUpload > 0);
 
-    notEqual(clientWBO(remoteId).payload, undefined);
+    do_check_neq(clientWBO(remoteId).payload, undefined);
 
     Svc.Prefs.set("client.GUID", remoteId);
     engine._resetClient();
-    equal(engine.localID, remoteId);
+    do_check_eq(engine.localID, remoteId);
     _("Performing sync on resetted client.");
     engine._sync();
-    notEqual(engine.localCommands, undefined);
-    equal(engine.localCommands.length, 1);
+    do_check_neq(engine.localCommands, undefined);
+    do_check_eq(engine.localCommands.length, 1);
 
     let command = engine.localCommands[0];
-    equal(command.command, "wipeAll");
-    equal(command.args.length, 0);
+    do_check_eq(command.command, "wipeAll");
+    do_check_eq(command.args.length, 0);
 
   } finally {
     Svc.Prefs.resetBranch("");
     Service.recordManager.clearCache();
-
-    try {
-      let collection = server.getCollection("foo", "clients");
-      collection.remove(remoteId);
-    } finally {
-      server.stop(run_next_test);
-    }
+    server.stop(run_next_test);
   }
 });
 
@@ -769,19 +512,18 @@ add_test(function test_send_uri_to_client_for_display() {
 
   let newRecord = store._remoteClients[remoteId];
 
-  notEqual(newRecord, undefined);
-  let clientCommands = engine._readCommands()[remoteId];
-  equal(clientCommands.length, 1);
+  do_check_neq(newRecord, undefined);
+  do_check_eq(newRecord.commands.length, 1);
 
-  let command = clientCommands[0];
-  equal(command.command, "displayURI");
-  equal(command.args.length, 3);
-  equal(command.args[0], uri);
-  equal(command.args[1], engine.localID);
-  equal(command.args[2], title);
+  let command = newRecord.commands[0];
+  do_check_eq(command.command, "displayURI");
+  do_check_eq(command.args.length, 3);
+  do_check_eq(command.args[0], uri);
+  do_check_eq(command.args[1], engine.localID);
+  do_check_eq(command.args[2], title);
 
-  ok(tracker.score > initialScore);
-  ok(tracker.score - initialScore >= SCORE_INCREMENT_XLARGE);
+  do_check_true(tracker.score > initialScore);
+  do_check_true(tracker.score - initialScore >= SCORE_INCREMENT_XLARGE);
 
   _("Ensure unknown client IDs result in exception.");
   let unknownId = Utils.makeGUID();
@@ -793,11 +535,7 @@ add_test(function test_send_uri_to_client_for_display() {
     error = ex;
   }
 
-  equal(error.message.indexOf("Unknown remote client ID: "), 0);
-
-  Svc.Prefs.resetBranch("");
-  Service.recordManager.clearCache();
-  engine._resetClient();
+  do_check_eq(error.message.indexOf("Unknown remote client ID: "), 0);
 
   run_next_test();
 });
@@ -821,26 +559,22 @@ add_test(function test_receive_display_uri() {
 
   // Received 'displayURI' command should result in the topic defined below
   // being called.
-  let ev = "weave:engine:clients:display-uris";
+  let ev = "weave:engine:clients:display-uri";
 
   let handler = function(subject, data) {
     Svc.Obs.remove(ev, handler);
 
-    equal(subject[0].uri, uri);
-    equal(subject[0].clientId, remoteId);
-    equal(subject[0].title, title);
-    equal(data, null);
+    do_check_eq(subject.uri, uri);
+    do_check_eq(subject.client, remoteId);
+    do_check_eq(subject.title, title);
+    do_check_eq(data, null);
 
     run_next_test();
   };
 
   Svc.Obs.add(ev, handler);
 
-  ok(engine.processIncomingCommands());
-
-  Svc.Prefs.resetBranch("");
-  Service.recordManager.clearCache();
-  engine._resetClient();
+  do_check_true(engine.processIncomingCommands());
 });
 
 add_test(function test_optional_client_fields() {
@@ -848,590 +582,27 @@ add_test(function test_optional_client_fields() {
 
   const SUPPORTED_PROTOCOL_VERSIONS = ["1.1", "1.5"];
   let local = engine._store.createRecord(engine.localID, "clients");
-  equal(local.name, engine.localName);
-  equal(local.type, engine.localType);
-  equal(local.version, Services.appinfo.version);
-  deepEqual(local.protocols, SUPPORTED_PROTOCOL_VERSIONS);
+  do_check_eq(local.name, engine.localName);
+  do_check_eq(local.type, engine.localType);
+  do_check_eq(local.version, Services.appinfo.version);
+  do_check_array_eq(local.protocols, SUPPORTED_PROTOCOL_VERSIONS);
 
   // Optional fields.
   // Make sure they're what they ought to be...
-  equal(local.os, Services.appinfo.OS);
-  equal(local.appPackage, Services.appinfo.ID);
+  do_check_eq(local.os, Services.appinfo.OS);
+  do_check_eq(local.appPackage, Services.appinfo.ID);
 
   // ... and also that they're non-empty.
-  ok(!!local.os);
-  ok(!!local.appPackage);
-  ok(!!local.application);
+  do_check_true(!!local.os);
+  do_check_true(!!local.appPackage);
+  do_check_true(!!local.application);
 
   // We don't currently populate device or formfactor.
   // See Bug 1100722, Bug 1100723.
 
-  engine._resetClient();
   run_next_test();
 });
 
-add_test(function test_merge_commands() {
-  _("Verifies local commands for remote clients are merged with the server's");
-
-  let now = Date.now() / 1000;
-  let contents = {
-    meta: {global: {engines: {clients: {version: engine.version,
-                                        syncID: engine.syncID}}}},
-    clients: {},
-    crypto: {}
-  };
-  let server = serverForUsers({"foo": "password"}, contents);
-  let user   = server.user("foo");
-
-  new SyncTestingInfrastructure(server.server);
-  generateNewKeys(Service.collectionKeys);
-
-  let desktopID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(desktopID, encryptPayload({
-    id: desktopID,
-    name: "Desktop client",
-    type: "desktop",
-    commands: [{
-      command: "displayURI",
-      args: ["https://example.com", engine.localID, "Yak Herders Anonymous"],
-    }],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  let mobileID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(mobileID, encryptPayload({
-    id: mobileID,
-    name: "Mobile client",
-    type: "mobile",
-    commands: [{
-      command: "logout",
-      args: [],
-    }],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  try {
-    let store = engine._store;
-
-    _("First sync. 2 records downloaded.");
-    strictEqual(engine.lastRecordUpload, 0);
-    engine._sync();
-
-    _("Broadcast logout to all clients");
-    engine.sendCommand("logout", []);
-    engine._sync();
-
-    let collection = server.getCollection("foo", "clients");
-    let desktopPayload = JSON.parse(JSON.parse(collection.payload(desktopID)).ciphertext);
-    deepEqual(desktopPayload.commands, [{
-      command: "displayURI",
-      args: ["https://example.com", engine.localID, "Yak Herders Anonymous"],
-    }, {
-      command: "logout",
-      args: [],
-    }], "Should send the logout command to the desktop client");
-
-    let mobilePayload = JSON.parse(JSON.parse(collection.payload(mobileID)).ciphertext);
-    deepEqual(mobilePayload.commands, [{ command: "logout", args: [] }],
-      "Should not send a duplicate logout to the mobile client");
-  } finally {
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-    engine._resetClient();
-
-    try {
-      server.deleteCollections("foo");
-    } finally {
-      server.stop(run_next_test);
-    }
-  }
-});
-
-add_test(function test_duplicate_remote_commands() {
-  _("Verifies local commands for remote clients are sent only once (bug 1289287)");
-
-  let now = Date.now() / 1000;
-  let contents = {
-    meta: {global: {engines: {clients: {version: engine.version,
-                                        syncID: engine.syncID}}}},
-    clients: {},
-    crypto: {}
-  };
-  let server = serverForUsers({"foo": "password"}, contents);
-  let user   = server.user("foo");
-
-  new SyncTestingInfrastructure(server.server);
-  generateNewKeys(Service.collectionKeys);
-
-  let desktopID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(desktopID, encryptPayload({
-    id: desktopID,
-    name: "Desktop client",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  try {
-    let store = engine._store;
-
-    _("First sync. 1 record downloaded.");
-    strictEqual(engine.lastRecordUpload, 0);
-    engine._sync();
-
-    _("Send tab to client");
-    engine.sendCommand("displayURI", ["https://example.com", engine.localID, "Yak Herders Anonymous"]);
-    engine._sync();
-
-    _("Simulate the desktop client consuming the command and syncing to the server");
-    server.insertWBO("foo", "clients", new ServerWBO(desktopID, encryptPayload({
-      id: desktopID,
-      name: "Desktop client",
-      type: "desktop",
-      commands: [],
-      version: "48",
-      protocols: ["1.5"],
-    }), now - 10));
-
-    _("Send another tab to the desktop client");
-    engine.sendCommand("displayURI", ["https://foobar.com", engine.localID, "Foo bar!"], desktopID);
-    engine._sync();
-
-    let collection = server.getCollection("foo", "clients");
-    let desktopPayload = JSON.parse(JSON.parse(collection.payload(desktopID)).ciphertext);
-    deepEqual(desktopPayload.commands, [{
-      command: "displayURI",
-      args: ["https://foobar.com", engine.localID, "Foo bar!"],
-    }], "Should only send the second command to the desktop client");
-  } finally {
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-    engine._resetClient();
-
-    try {
-      server.deleteCollections("foo");
-    } finally {
-      server.stop(run_next_test);
-    }
-  }
-});
-
-add_test(function test_upload_after_reboot() {
-  _("Multiple downloads, reboot, then upload (bug 1289287)");
-
-  let now = Date.now() / 1000;
-  let contents = {
-    meta: {global: {engines: {clients: {version: engine.version,
-                                        syncID: engine.syncID}}}},
-    clients: {},
-    crypto: {}
-  };
-  let server = serverForUsers({"foo": "password"}, contents);
-  let user   = server.user("foo");
-
-  new SyncTestingInfrastructure(server.server);
-  generateNewKeys(Service.collectionKeys);
-
-  let deviceBID = Utils.makeGUID();
-  let deviceCID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(deviceBID, encryptPayload({
-    id: deviceBID,
-    name: "Device B",
-    type: "desktop",
-    commands: [{
-      command: "displayURI", args: ["https://deviceclink.com", deviceCID, "Device C link"]
-    }],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-  server.insertWBO("foo", "clients", new ServerWBO(deviceCID, encryptPayload({
-    id: deviceCID,
-    name: "Device C",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  try {
-    let store = engine._store;
-
-    _("First sync. 2 records downloaded.");
-    strictEqual(engine.lastRecordUpload, 0);
-    engine._sync();
-
-    _("Send tab to client");
-    engine.sendCommand("displayURI", ["https://example.com", engine.localID, "Yak Herders Anonymous"], deviceBID);
-
-    const oldUploadOutgoing = SyncEngine.prototype._uploadOutgoing;
-    SyncEngine.prototype._uploadOutgoing = () => engine._onRecordsWritten.call(engine, [], [deviceBID]);
-    engine._sync();
-
-    let collection = server.getCollection("foo", "clients");
-    let deviceBPayload = JSON.parse(JSON.parse(collection.payload(deviceBID)).ciphertext);
-    deepEqual(deviceBPayload.commands, [{
-      command: "displayURI", args: ["https://deviceclink.com", deviceCID, "Device C link"]
-    }], "Should be the same because the upload failed");
-
-    _("Simulate the client B consuming the command and syncing to the server");
-    server.insertWBO("foo", "clients", new ServerWBO(deviceBID, encryptPayload({
-      id: deviceBID,
-      name: "Device B",
-      type: "desktop",
-      commands: [],
-      version: "48",
-      protocols: ["1.5"],
-    }), now - 10));
-
-    // Simulate reboot
-    SyncEngine.prototype._uploadOutgoing = oldUploadOutgoing;
-    engine = Service.clientsEngine = new ClientEngine(Service);
-
-    engine._sync();
-
-    deviceBPayload = JSON.parse(JSON.parse(collection.payload(deviceBID)).ciphertext);
-    deepEqual(deviceBPayload.commands, [{
-      command: "displayURI",
-      args: ["https://example.com", engine.localID, "Yak Herders Anonymous"],
-    }], "Should only had written our outgoing command");
-  } finally {
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-    engine._resetClient();
-
-    try {
-      server.deleteCollections("foo");
-    } finally {
-      server.stop(run_next_test);
-    }
-  }
-});
-
-add_test(function test_keep_cleared_commands_after_reboot() {
-  _("Download commands, fail upload, reboot, then apply new commands (bug 1289287)");
-
-  let now = Date.now() / 1000;
-  let contents = {
-    meta: {global: {engines: {clients: {version: engine.version,
-                                        syncID: engine.syncID}}}},
-    clients: {},
-    crypto: {}
-  };
-  let server = serverForUsers({"foo": "password"}, contents);
-  let user   = server.user("foo");
-
-  new SyncTestingInfrastructure(server.server);
-  generateNewKeys(Service.collectionKeys);
-
-  let deviceBID = Utils.makeGUID();
-  let deviceCID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(engine.localID, encryptPayload({
-    id: engine.localID,
-    name: "Device A",
-    type: "desktop",
-    commands: [{
-      command: "displayURI", args: ["https://deviceblink.com", deviceBID, "Device B link"]
-    },
-    {
-      command: "displayURI", args: ["https://deviceclink.com", deviceCID, "Device C link"]
-    }],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-  server.insertWBO("foo", "clients", new ServerWBO(deviceBID, encryptPayload({
-    id: deviceBID,
-    name: "Device B",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-  server.insertWBO("foo", "clients", new ServerWBO(deviceCID, encryptPayload({
-    id: deviceCID,
-    name: "Device C",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  try {
-    let store = engine._store;
-
-    _("First sync. Download remote and our record.");
-    strictEqual(engine.lastRecordUpload, 0);
-
-    let collection = server.getCollection("foo", "clients");
-    const oldUploadOutgoing = SyncEngine.prototype._uploadOutgoing;
-    SyncEngine.prototype._uploadOutgoing = () => engine._onRecordsWritten.call(engine, [], [deviceBID]);
-    let commandsProcessed = 0;
-    engine._handleDisplayURIs = (uris) => { commandsProcessed = uris.length };
-
-    engine._sync();
-    engine.processIncomingCommands(); // Not called by the engine.sync(), gotta call it ourselves
-    equal(commandsProcessed, 2, "We processed 2 commands");
-
-    let localRemoteRecord = JSON.parse(JSON.parse(collection.payload(engine.localID)).ciphertext);
-    deepEqual(localRemoteRecord.commands, [{
-      command: "displayURI", args: ["https://deviceblink.com", deviceBID, "Device B link"]
-    },
-    {
-      command: "displayURI", args: ["https://deviceclink.com", deviceCID, "Device C link"]
-    }], "Should be the same because the upload failed");
-
-    // Another client sends another link
-    server.insertWBO("foo", "clients", new ServerWBO(engine.localID, encryptPayload({
-      id: engine.localID,
-      name: "Device A",
-      type: "desktop",
-      commands: [{
-        command: "displayURI", args: ["https://deviceblink.com", deviceBID, "Device B link"]
-      },
-      {
-        command: "displayURI", args: ["https://deviceclink.com", deviceCID, "Device C link"]
-      },
-      {
-        command: "displayURI", args: ["https://deviceclink2.com", deviceCID, "Device C link 2"]
-      }],
-      version: "48",
-      protocols: ["1.5"],
-    }), now - 10));
-
-    // Simulate reboot
-    SyncEngine.prototype._uploadOutgoing = oldUploadOutgoing;
-    engine = Service.clientsEngine = new ClientEngine(Service);
-
-    commandsProcessed = 0;
-    engine._handleDisplayURIs = (uris) => { commandsProcessed = uris.length };
-    engine._sync();
-    engine.processIncomingCommands();
-    equal(commandsProcessed, 1, "We processed one command (the other were cleared)");
-
-    localRemoteRecord = JSON.parse(JSON.parse(collection.payload(deviceBID)).ciphertext);
-    deepEqual(localRemoteRecord.commands, [], "Should be empty");
-  } finally {
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-
-    // Reset service (remove mocks)
-    engine = Service.clientsEngine = new ClientEngine(Service);
-    engine._resetClient();
-
-    try {
-      server.deleteCollections("foo");
-    } finally {
-      server.stop(run_next_test);
-    }
-  }
-});
-
-add_test(function test_deleted_commands() {
-  _("Verifies commands for a deleted client are discarded");
-
-  let now = Date.now() / 1000;
-  let contents = {
-    meta: {global: {engines: {clients: {version: engine.version,
-                                        syncID: engine.syncID}}}},
-    clients: {},
-    crypto: {}
-  };
-  let server = serverForUsers({"foo": "password"}, contents);
-  let user   = server.user("foo");
-
-  new SyncTestingInfrastructure(server.server);
-  generateNewKeys(Service.collectionKeys);
-
-  let activeID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(activeID, encryptPayload({
-    id: activeID,
-    name: "Active client",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  let deletedID = Utils.makeGUID();
-  server.insertWBO("foo", "clients", new ServerWBO(deletedID, encryptPayload({
-    id: deletedID,
-    name: "Client to delete",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"],
-  }), now - 10));
-
-  try {
-    let store = engine._store;
-
-    _("First sync. 2 records downloaded.");
-    engine._sync();
-
-    _("Delete a record on the server.");
-    let collection = server.getCollection("foo", "clients");
-    collection.remove(deletedID);
-
-    _("Broadcast a command to all clients");
-    engine.sendCommand("logout", []);
-    engine._sync();
-
-    deepEqual(collection.keys().sort(), [activeID, engine.localID].sort(),
-      "Should not reupload deleted clients");
-
-    let activePayload = JSON.parse(JSON.parse(collection.payload(activeID)).ciphertext);
-    deepEqual(activePayload.commands, [{ command: "logout", args: [] }],
-      "Should send the command to the active client");
-  } finally {
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-    engine._resetClient();
-
-    try {
-      server.deleteCollections("foo");
-    } finally {
-      server.stop(run_next_test);
-    }
-  }
-});
-
-add_test(function test_send_uri_ack() {
-  _("Ensure a sent URI is deleted when the client syncs");
-
-  let now = Date.now() / 1000;
-  let contents = {
-    meta: {global: {engines: {clients: {version: engine.version,
-                                        syncID: engine.syncID}}}},
-    clients: {},
-    crypto: {}
-  };
-  let server = serverForUsers({"foo": "password"}, contents);
-  let user   = server.user("foo");
-
-  new SyncTestingInfrastructure(server.server);
-  generateNewKeys(Service.collectionKeys);
-
-  try {
-    let fakeSenderID = Utils.makeGUID();
-
-    _("Initial sync for empty clients collection");
-    engine._sync();
-    let collection = server.getCollection("foo", "clients");
-    let ourPayload = JSON.parse(JSON.parse(collection.payload(engine.localID)).ciphertext);
-    ok(ourPayload, "Should upload our client record");
-
-    _("Send a URL to the device on the server");
-    ourPayload.commands = [{
-      command: "displayURI",
-      args: ["https://example.com", fakeSenderID, "Yak Herders Anonymous"],
-    }];
-    server.insertWBO("foo", "clients", new ServerWBO(engine.localID, encryptPayload(ourPayload), now));
-
-    _("Sync again");
-    engine._sync();
-    deepEqual(engine.localCommands, [{
-      command: "displayURI",
-      args: ["https://example.com", fakeSenderID, "Yak Herders Anonymous"],
-    }], "Should receive incoming URI");
-    ok(engine.processIncomingCommands(), "Should process incoming commands");
-    const clearedCommands = engine._readCommands()[engine.localID];
-    deepEqual(clearedCommands, [{
-      command: "displayURI",
-      args: ["https://example.com", fakeSenderID, "Yak Herders Anonymous"],
-    }], "Should mark the commands as cleared after processing");
-
-    _("Check that the command was removed on the server");
-    engine._sync();
-    ourPayload = JSON.parse(JSON.parse(collection.payload(engine.localID)).ciphertext);
-    ok(ourPayload, "Should upload the synced client record");
-    deepEqual(ourPayload.commands, [], "Should not reupload cleared commands");
-  } finally {
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-    engine._resetClient();
-
-    try {
-      server.deleteCollections("foo");
-    } finally {
-      server.stop(run_next_test);
-    }
-  }
-});
-
-add_test(function test_command_sync() {
-  _("Notify other clients when writing their record.");
-
-  engine._store.wipe();
-  generateNewKeys(Service.collectionKeys);
-
-  let contents = {
-    meta: {global: {engines: {clients: {version: engine.version,
-                                        syncID: engine.syncID}}}},
-    clients: {},
-    crypto: {}
-  };
-  let server    = serverForUsers({"foo": "password"}, contents);
-  new SyncTestingInfrastructure(server.server);
-
-  let user       = server.user("foo");
-  let collection = server.getCollection("foo", "clients");
-  let remoteId   = Utils.makeGUID();
-  let remoteId2  = Utils.makeGUID();
-
-  function clientWBO(id) {
-    return user.collection("clients").wbo(id);
-  }
-
-  _("Create remote client record 1");
-  server.insertWBO("foo", "clients", new ServerWBO(remoteId, encryptPayload({
-    id: remoteId,
-    name: "Remote client",
-    type: "desktop",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"]
-  }), Date.now() / 1000));
-
-  _("Create remote client record 2");
-  server.insertWBO("foo", "clients", new ServerWBO(remoteId2, encryptPayload({
-    id: remoteId2,
-    name: "Remote client 2",
-    type: "mobile",
-    commands: [],
-    version: "48",
-    protocols: ["1.5"]
-  }), Date.now() / 1000));
-
-  try {
-    equal(collection.count(), 2, "2 remote records written");
-    engine._sync();
-    equal(collection.count(), 3, "3 remote records written (+1 for the synced local record)");
-
-    let notifiedIds;
-    engine.sendCommand("wipeAll", []);
-    engine._tracker.addChangedID(engine.localID);
-    engine.getClientFxaDeviceId = (id) => "fxa-" + id;
-    engine._notifyCollectionChanged = (ids) => (notifiedIds = ids);
-    _("Syncing.");
-    engine._sync();
-    deepEqual(notifiedIds, ["fxa-fake-guid-00","fxa-fake-guid-01"]);
-    ok(!notifiedIds.includes(engine.getClientFxaDeviceId(engine.localID)),
-      "We never notify the local device");
-
-  } finally {
-    Svc.Prefs.resetBranch("");
-    Service.recordManager.clearCache();
-
-    try {
-      server.deleteCollections("foo");
-    } finally {
-      server.stop(run_next_test);
-    }
-  }
-});
-
 function run_test() {
   initTestLogging("Trace");
   Log.repository.getLogger("Sync.Engine.Clients").level = Log.Level.Trace;
diff --git a/services/sync/tests/unit/test_collection_getBatched.js b/services/sync/tests/unit/test_collection_getBatched.js
deleted file mode 100644
index c6523d497a..0000000000
--- a/services/sync/tests/unit/test_collection_getBatched.js
+++ /dev/null
@@ -1,195 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Cu.import("resource://services-sync/record.js");
-Cu.import("resource://services-sync/service.js");
-
-function run_test() {
-  initTestLogging("Trace");
-  Log.repository.getLogger("Sync.Collection").level = Log.Level.Trace;
-  run_next_test();
-}
-
-function recordRange(lim, offset, total) {
-  let res = [];
-  for (let i = offset; i < Math.min(lim + offset, total); ++i) {
-    res.push(JSON.stringify({ id: String(i), payload: "test:" + i }));
-  }
-  return res.join("\n") + "\n";
-}
-
-function get_test_collection_info({ totalRecords, batchSize, lastModified,
-                                    throwAfter = Infinity,
-                                    interruptedAfter = Infinity }) {
-  let coll = new Collection("http://example.com/test/", WBORecord, Service);
-  coll.full = true;
-  let requests = [];
-  let responses = [];
-  let sawRecord = false;
-  coll.get = function() {
-    ok(!sawRecord); // make sure we call record handler after all requests.
-    let limit = +this.limit;
-    let offset = 0;
-    if (this.offset) {
-      equal(this.offset.slice(0, 6), "foobar");
-      offset = +this.offset.slice(6);
-    }
-    requests.push({
-      limit,
-      offset,
-      spec: this.spec,
-      headers: Object.assign({}, this.headers)
-    });
-    if (--throwAfter === 0) {
-      throw "Some Network Error";
-    }
-    let body = recordRange(limit, offset, totalRecords);
-    this._onProgress.call({ _data: body });
-    let response = {
-      body,
-      success: true,
-      status: 200,
-      headers: {}
-    };
-    if (--interruptedAfter === 0) {
-      response.success = false;
-      response.status = 412;
-      response.body = "";
-    } else if (offset + limit < totalRecords) {
-      // Ensure we're treating this as an opaque string, since the docs say
-      // it might not be numeric.
-      response.headers["x-weave-next-offset"] = "foobar" + (offset + batchSize);
-    }
-    response.headers["x-last-modified"] = lastModified;
-    responses.push(response);
-    return response;
-  };
-
-  let records = [];
-  coll.recordHandler = function(record) {
-    sawRecord = true;
-    // ensure records are coming in in the right order
-    equal(record.id, String(records.length));
-    equal(record.payload, "test:" + records.length);
-    records.push(record);
-  };
-  return { records, responses, requests, coll };
-}
-
-add_test(function test_success() {
-  const totalRecords = 11;
-  const batchSize = 2;
-  const lastModified = "111111";
-  let { records, responses, requests, coll } = get_test_collection_info({
-    totalRecords,
-    batchSize,
-    lastModified,
-  });
-  let response = coll.getBatched(batchSize);
-
-  equal(requests.length, Math.ceil(totalRecords / batchSize));
-
-  // records are mostly checked in recordHandler, we just care about the length
-  equal(records.length, totalRecords);
-
-  // ensure we're returning the last response
-  equal(responses[responses.length - 1], response);
-
-  // check first separately since its a bit of a special case
-  ok(!requests[0].headers["x-if-unmodified-since"]);
-  ok(!requests[0].offset);
-  equal(requests[0].limit, batchSize);
-  let expectedOffset = 2;
-  for (let i = 1; i < requests.length; ++i) {
-    let req = requests[i];
-    equal(req.headers["x-if-unmodified-since"], lastModified);
-    equal(req.limit, batchSize);
-    if (i !== requests.length - 1) {
-      equal(req.offset, expectedOffset);
-    }
-
-    expectedOffset += batchSize;
-  }
-
-  // ensure we cleaned up anything that would break further
-  // use of this collection.
-  ok(!coll._headers["x-if-unmodified-since"]);
-  ok(!coll.offset);
-  ok(!coll.limit || (coll.limit == Infinity));
-
-  run_next_test();
-});
-
-add_test(function test_total_limit() {
-  _("getBatched respects the (initial) value of the limit property");
-  const totalRecords = 100;
-  const recordLimit = 11;
-  const batchSize = 2;
-  const lastModified = "111111";
-  let { records, responses, requests, coll } = get_test_collection_info({
-    totalRecords,
-    batchSize,
-    lastModified,
-  });
-  coll.limit = recordLimit;
-  let response = coll.getBatched(batchSize);
-
-  equal(requests.length, Math.ceil(recordLimit / batchSize));
-  equal(records.length, recordLimit);
-
-  for (let i = 0; i < requests.length; ++i) {
-    let req = requests[i];
-    if (i !== requests.length - 1) {
-      equal(req.limit, batchSize);
-    } else {
-      equal(req.limit, recordLimit % batchSize);
-    }
-  }
-
-  equal(coll._limit, recordLimit);
-
-  run_next_test();
-});
-
-add_test(function test_412() {
-  _("We shouldn't record records if we get a 412 in the middle of a batch");
-  const totalRecords = 11;
-  const batchSize = 2;
-  const lastModified = "111111";
-  let { records, responses, requests, coll } = get_test_collection_info({
-    totalRecords,
-    batchSize,
-    lastModified,
-    interruptedAfter: 3
-  });
-  let response = coll.getBatched(batchSize);
-
-  equal(requests.length, 3);
-  equal(records.length, 0); // record handler shouldn't be called for anything
-
-  // ensure we're returning the last response
-  equal(responses[responses.length - 1], response);
-
-  ok(!response.success);
-  equal(response.status, 412);
-  run_next_test();
-});
-
-add_test(function test_get_throws() {
-  _("We shouldn't record records if get() throws for some reason");
-  const totalRecords = 11;
-  const batchSize = 2;
-  const lastModified = "111111";
-  let { records, responses, requests, coll } = get_test_collection_info({
-    totalRecords,
-    batchSize,
-    lastModified,
-    throwAfter: 3
-  });
-
-  throws(() => coll.getBatched(batchSize), "Some Network Error");
-
-  equal(requests.length, 3);
-  equal(records.length, 0);
-  run_next_test();
-});
diff --git a/services/sync/tests/unit/test_collections_recovery.js b/services/sync/tests/unit/test_collections_recovery.js
index 0e7f546766..377a05383d 100644
--- a/services/sync/tests/unit/test_collections_recovery.js
+++ b/services/sync/tests/unit/test_collections_recovery.js
@@ -6,7 +6,7 @@ Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 
-add_identity_test(this, function* test_missing_crypto_collection() {
+add_identity_test(this, function test_missing_crypto_collection() {
   let johnHelper = track_collections_helper();
   let johnU      = johnHelper.with_updated_collection;
   let johnColls  = johnHelper.collections;
@@ -33,10 +33,7 @@ add_identity_test(this, function* test_missing_crypto_collection() {
   };
   let collections = ["clients", "bookmarks", "forms", "history",
                      "passwords", "prefs", "tabs"];
-  // Disable addon sync because AddonManager won't be initialized here.
-  Service.engineManager.unregister("addons");
-
-  for (let coll of collections) {
+  for each (let coll in collections) {
     handlers["/1.1/johndoe/storage/" + coll] =
       johnU(coll, new ServerCollection({}, true).handler());
   }
@@ -53,7 +50,7 @@ add_identity_test(this, function* test_missing_crypto_collection() {
     };
 
     _("Startup, no meta/global: freshStart called once.");
-    yield sync_and_validate_telem();
+    Service.sync();
     do_check_eq(fresh, 1);
     fresh = 0;
 
@@ -63,12 +60,12 @@ add_identity_test(this, function* test_missing_crypto_collection() {
 
     _("Simulate a bad info/collections.");
     delete johnColls.crypto;
-    yield sync_and_validate_telem();
+    Service.sync();
     do_check_eq(fresh, 1);
     fresh = 0;
 
     _("Regular sync: no need to freshStart.");
-    yield sync_and_validate_telem();
+    Service.sync();
     do_check_eq(fresh, 0);
 
   } finally {
diff --git a/services/sync/tests/unit/test_corrupt_keys.js b/services/sync/tests/unit/test_corrupt_keys.js
index 009461c2a9..2db080a8f8 100644
--- a/services/sync/tests/unit/test_corrupt_keys.js
+++ b/services/sync/tests/unit/test_corrupt_keys.js
@@ -14,7 +14,7 @@ Cu.import("resource://services-sync/util.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 Cu.import("resource://gre/modules/Promise.jsm");
 
-add_task(function* test_locally_changed_keys() {
+add_task(function test_locally_changed_keys() {
   let passphrase = "abcdeabcdeabcdeabcdeabcdea";
 
   let hmacErrorCount = 0;
@@ -51,7 +51,7 @@ add_task(function* test_locally_changed_keys() {
                           }]}]};
     delete Svc.Session;
     Svc.Session = {
-      getBrowserState: () => JSON.stringify(myTabs)
+      getBrowserState: function () JSON.stringify(myTabs)
     };
 
     setBasicCredentials("johndoe", "password", passphrase);
@@ -59,7 +59,6 @@ add_task(function* test_locally_changed_keys() {
     Service.clusterURL = server.baseURI;
 
     Service.engineManager.register(HistoryEngine);
-    Service.engineManager.unregister("addons");
 
     function corrupt_local_keys() {
       Service.collectionKeys._default.keyPair = [Svc.Crypto.generateRandomKey(),
@@ -87,7 +86,7 @@ add_task(function* test_locally_changed_keys() {
     do_check_true(Service.isLoggedIn);
 
     // Sync should upload records.
-    yield sync_and_validate_telem();
+    Service.sync();
 
     // Tabs exist.
     _("Tabs modified: " + johndoe.modified("tabs"));
@@ -140,9 +139,7 @@ add_task(function* test_locally_changed_keys() {
 
     _("HMAC error count: " + hmacErrorCount);
     // Now syncing should succeed, after one HMAC error.
-    let ping = yield wait_for_ping(() => Service.sync(), true);
-    equal(ping.engines.find(e => e.name == "history").incoming.applied, 5);
-
+    Service.sync();
     do_check_eq(hmacErrorCount, 1);
     _("Keys now: " + Service.collectionKeys.keyForCollection("history").keyPair);
 
@@ -186,9 +183,7 @@ add_task(function* test_locally_changed_keys() {
     Service.lastHMACEvent = 0;
 
     _("Syncing...");
-    ping = yield sync_and_validate_telem(true);
-
-    do_check_eq(ping.engines.find(e => e.name == "history").incoming.failed, 5);
+    Service.sync();
     _("Keys now: " + Service.collectionKeys.keyForCollection("history").keyPair);
     _("Server keys have been updated, and we skipped over 5 more HMAC errors without adjusting history.");
     do_check_true(johndoe.modified("crypto") > old_key_time);
@@ -209,7 +204,6 @@ add_task(function* test_locally_changed_keys() {
 function run_test() {
   let logger = Log.repository.rootLogger;
   Log.repository.rootLogger.addAppender(new Log.DumpAppender());
-  validate_all_future_pings();
 
   ensureLegacyIdentityManager();
 
diff --git a/services/sync/tests/unit/test_engine.js b/services/sync/tests/unit/test_engine.js
index be637efc87..000cd5b4ad 100644
--- a/services/sync/tests/unit/test_engine.js
+++ b/services/sync/tests/unit/test_engine.js
@@ -25,8 +25,8 @@ SteamTracker.prototype = {
   __proto__: Tracker.prototype
 };
 
-function SteamEngine(name, service) {
-  Engine.call(this, name, service);
+function SteamEngine(service) {
+  Engine.call(this, "Steam", service);
   this.wasReset = false;
   this.wasSynced = false;
 }
@@ -44,7 +44,7 @@ SteamEngine.prototype = {
   }
 };
 
-var engineObserver = {
+let engineObserver = {
   topics: [],
 
   observe: function(subject, topic, data) {
@@ -69,7 +69,7 @@ function run_test() {
 
 add_test(function test_members() {
   _("Engine object members");
-  let engine = new SteamEngine("Steam", Service);
+  let engine = new SteamEngine(Service);
   do_check_eq(engine.Name, "Steam");
   do_check_eq(engine.prefName, "steam");
   do_check_true(engine._store instanceof SteamStore);
@@ -79,7 +79,7 @@ add_test(function test_members() {
 
 add_test(function test_score() {
   _("Engine.score corresponds to tracker.score and is readonly");
-  let engine = new SteamEngine("Steam", Service);
+  let engine = new SteamEngine(Service);
   do_check_eq(engine.score, 0);
   engine._tracker.score += 5;
   do_check_eq(engine.score, 5);
@@ -97,7 +97,7 @@ add_test(function test_score() {
 
 add_test(function test_resetClient() {
   _("Engine.resetClient calls _resetClient");
-  let engine = new SteamEngine("Steam", Service);
+  let engine = new SteamEngine(Service);
   do_check_false(engine.wasReset);
 
   engine.resetClient();
@@ -112,7 +112,7 @@ add_test(function test_resetClient() {
 
 add_test(function test_invalidChangedIDs() {
   _("Test that invalid changed IDs on disk don't end up live.");
-  let engine = new SteamEngine("Steam", Service);
+  let engine = new SteamEngine(Service);
   let tracker = engine._tracker;
   tracker.changedIDs = 5;
   tracker.saveChangedIDs(function onSaved() {
@@ -127,7 +127,7 @@ add_test(function test_invalidChangedIDs() {
 
 add_test(function test_wipeClient() {
   _("Engine.wipeClient calls resetClient, wipes store, clears changed IDs");
-  let engine = new SteamEngine("Steam", Service);
+  let engine = new SteamEngine(Service);
   do_check_false(engine.wasReset);
   do_check_false(engine._store.wasWiped);
   do_check_true(engine._tracker.addChangedID("a-changed-id"));
@@ -150,7 +150,7 @@ add_test(function test_wipeClient() {
 
 add_test(function test_enabled() {
   _("Engine.enabled corresponds to preference");
-  let engine = new SteamEngine("Steam", Service);
+  let engine = new SteamEngine(Service);
   try {
     do_check_false(engine.enabled);
     Svc.Prefs.set("engine.steam", true);
@@ -165,18 +165,16 @@ add_test(function test_enabled() {
 });
 
 add_test(function test_sync() {
-  let engine = new SteamEngine("Steam", Service);
+  let engine = new SteamEngine(Service);
   try {
     _("Engine.sync doesn't call _sync if it's not enabled");
     do_check_false(engine.enabled);
     do_check_false(engine.wasSynced);
     engine.sync();
-
     do_check_false(engine.wasSynced);
 
     _("Engine.sync calls _sync if it's enabled");
     engine.enabled = true;
-
     engine.sync();
     do_check_true(engine.wasSynced);
     do_check_eq(engineObserver.topics[0], "weave:engine:sync:start");
@@ -191,7 +189,7 @@ add_test(function test_sync() {
 
 add_test(function test_disabled_no_track() {
   _("When an engine is disabled, its tracker is not tracking.");
-  let engine = new SteamEngine("Steam", Service);
+  let engine = new SteamEngine(Service);
   let tracker = engine._tracker;
   do_check_eq(engine, tracker.engine);
 
diff --git a/services/sync/tests/unit/test_errorhandler.js b/services/sync/tests/unit/test_errorhandler.js
new file mode 100644
index 0000000000..c087acc9ff
--- /dev/null
+++ b/services/sync/tests/unit/test_errorhandler.js
@@ -0,0 +1,1893 @@
+/* Any copyright is dedicated to the Public Domain.
+   http://creativecommons.org/publicdomain/zero/1.0/ */
+
+Cu.import("resource://services-sync/engines/clients.js");
+Cu.import("resource://services-sync/constants.js");
+Cu.import("resource://services-sync/engines.js");
+Cu.import("resource://services-sync/keys.js");
+Cu.import("resource://services-sync/policies.js");
+Cu.import("resource://services-sync/service.js");
+Cu.import("resource://services-sync/status.js");
+Cu.import("resource://services-sync/util.js");
+Cu.import("resource://testing-common/services/sync/utils.js");
+Cu.import("resource://gre/modules/FileUtils.jsm");
+
+const FAKE_SERVER_URL = "http://dummy:9000/";
+const logsdir = FileUtils.getDir("ProfD", ["weave", "logs"], true);
+
+const PROLONGED_ERROR_DURATION =
+  (Svc.Prefs.get('errorhandler.networkFailureReportTimeout') * 2) * 1000;
+
+const NON_PROLONGED_ERROR_DURATION =
+  (Svc.Prefs.get('errorhandler.networkFailureReportTimeout') / 2) * 1000;
+
+Service.engineManager.clear();
+
+function setLastSync(lastSyncValue) {
+  Svc.Prefs.set("lastSync", (new Date(Date.now() - lastSyncValue)).toString());
+}
+
+function CatapultEngine() {
+  SyncEngine.call(this, "Catapult", Service);
+}
+CatapultEngine.prototype = {
+  __proto__: SyncEngine.prototype,
+  exception: null, // tests fill this in
+  _sync: function _sync() {
+    if (this.exception) {
+      throw this.exception;
+    }
+  }
+};
+
+let engineManager = Service.engineManager;
+engineManager.register(CatapultEngine);
+
+// This relies on Service/ErrorHandler being a singleton. Fixing this will take
+// a lot of work.
+let errorHandler = Service.errorHandler;
+
+function run_test() {
+  initTestLogging("Trace");
+
+  Log.repository.getLogger("Sync.Service").level = Log.Level.Trace;
+  Log.repository.getLogger("Sync.SyncScheduler").level = Log.Level.Trace;
+  Log.repository.getLogger("Sync.ErrorHandler").level = Log.Level.Trace;
+
+  ensureLegacyIdentityManager();
+
+  run_next_test();
+}
+
+function generateCredentialsChangedFailure() {
+  // Make sync fail due to changed credentials. We simply re-encrypt
+  // the keys with a different Sync Key, without changing the local one.
+  let newSyncKeyBundle = new SyncKeyBundle("johndoe", "23456234562345623456234562");
+  let keys = Service.collectionKeys.asWBO();
+  keys.encrypt(newSyncKeyBundle);
+  keys.upload(Service.resource(Service.cryptoKeysURL));
+}
+
+function service_unavailable(request, response) {
+  let body = "Service Unavailable";
+  response.setStatusLine(request.httpVersion, 503, "Service Unavailable");
+  response.setHeader("Retry-After", "42");
+  response.bodyOutputStream.write(body, body.length);
+}
+
+function sync_httpd_setup() {
+  let global = new ServerWBO("global", {
+    syncID: Service.syncID,
+    storageVersion: STORAGE_VERSION,
+    engines: {clients: {version: Service.clientsEngine.version,
+                        syncID: Service.clientsEngine.syncID},
+              catapult: {version: engineManager.get("catapult").version,
+                         syncID: engineManager.get("catapult").syncID}}
+  });
+  let clientsColl = new ServerCollection({}, true);
+
+  // Tracking info/collections.
+  let collectionsHelper = track_collections_helper();
+  let upd = collectionsHelper.with_updated_collection;
+
+  let handler_401 = httpd_handler(401, "Unauthorized");
+  return httpd_setup({
+    // Normal server behaviour.
+    "/1.1/johndoe/storage/meta/global": upd("meta", global.handler()),
+    "/1.1/johndoe/info/collections": collectionsHelper.handler,
+    "/1.1/johndoe/storage/crypto/keys":
+      upd("crypto", (new ServerWBO("keys")).handler()),
+    "/1.1/johndoe/storage/clients": upd("clients", clientsColl.handler()),
+
+    // Credentials are wrong or node reallocated.
+    "/1.1/janedoe/storage/meta/global": handler_401,
+    "/1.1/janedoe/info/collections": handler_401,
+
+    // Maintenance or overloaded (503 + Retry-After) at info/collections.
+    "/maintenance/1.1/broken.info/info/collections": service_unavailable,
+
+    // Maintenance or overloaded (503 + Retry-After) at meta/global.
+    "/maintenance/1.1/broken.meta/storage/meta/global": service_unavailable,
+    "/maintenance/1.1/broken.meta/info/collections": collectionsHelper.handler,
+
+    // Maintenance or overloaded (503 + Retry-After) at crypto/keys.
+    "/maintenance/1.1/broken.keys/storage/meta/global": upd("meta", global.handler()),
+    "/maintenance/1.1/broken.keys/info/collections": collectionsHelper.handler,
+    "/maintenance/1.1/broken.keys/storage/crypto/keys": service_unavailable,
+
+    // Maintenance or overloaded (503 + Retry-After) at wiping collection.
+    "/maintenance/1.1/broken.wipe/info/collections": collectionsHelper.handler,
+    "/maintenance/1.1/broken.wipe/storage/meta/global": upd("meta", global.handler()),
+    "/maintenance/1.1/broken.wipe/storage/crypto/keys":
+      upd("crypto", (new ServerWBO("keys")).handler()),
+    "/maintenance/1.1/broken.wipe/storage": service_unavailable,
+    "/maintenance/1.1/broken.wipe/storage/clients": upd("clients", clientsColl.handler()),
+    "/maintenance/1.1/broken.wipe/storage/catapult": service_unavailable
+  });
+}
+
+function setUp(server) {
+  return configureIdentity({username: "johndoe"}).then(
+    () => {
+      Service.serverURL  = server.baseURI + "/";
+      Service.clusterURL = server.baseURI + "/";
+    }
+  ).then(
+    () => generateAndUploadKeys()
+  );
+}
+
+function generateAndUploadKeys() {
+  generateNewKeys(Service.collectionKeys);
+  let serverKeys = Service.collectionKeys.asWBO("crypto", "keys");
+  serverKeys.encrypt(Service.identity.syncKeyBundle);
+  return serverKeys.upload(Service.resource(Service.cryptoKeysURL)).success;
+}
+
+function clean() {
+  Service.startOver();
+  Status.resetSync();
+  Status.resetBackoff();
+  errorHandler.didReportProlongedError = false;
+}
+
+add_identity_test(this, function test_401_logout() {
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  // By calling sync, we ensure we're logged in.
+  Service.sync();
+  do_check_eq(Status.sync, SYNC_SUCCEEDED);
+  do_check_true(Service.isLoggedIn);
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:service:sync:error", onSyncError);
+  function onSyncError() {
+    _("Got weave:service:sync:error in first sync.");
+    Svc.Obs.remove("weave:service:sync:error", onSyncError);
+
+    // Wait for the automatic next sync.
+    function onLoginError() {
+      _("Got weave:service:login:error in second sync.");
+      Svc.Obs.remove("weave:service:login:error", onLoginError);
+
+      do_check_eq(Status.login, LOGIN_FAILED_LOGIN_REJECTED);
+      do_check_false(Service.isLoggedIn);
+
+      // Clean up.
+      Utils.nextTick(function () {
+        Service.startOver();
+        server.stop(deferred.resolve);
+      });
+    }
+    Svc.Obs.add("weave:service:login:error", onLoginError);
+  }
+
+  // Make sync fail due to login rejected.
+  yield configureIdentity({username: "janedoe"});
+  Service._updateCachedURLs();
+
+  _("Starting first sync.");
+  Service.sync();
+  _("First sync done.");
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_credentials_changed_logout() {
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  // By calling sync, we ensure we're logged in.
+  Service.sync();
+  do_check_eq(Status.sync, SYNC_SUCCEEDED);
+  do_check_true(Service.isLoggedIn);
+
+  generateCredentialsChangedFailure();
+  Service.sync();
+
+  do_check_eq(Status.sync, CREDENTIALS_CHANGED);
+  do_check_false(Service.isLoggedIn);
+
+  // Clean up.
+  Service.startOver();
+  let deferred = Promise.defer();
+  server.stop(deferred.resolve);
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_no_lastSync_pref() {
+  // Test reported error.
+  Status.resetSync();
+  errorHandler.dontIgnoreErrors = true;
+  Status.sync = CREDENTIALS_CHANGED;
+  do_check_true(errorHandler.shouldReportError());
+
+  // Test unreported error.
+  Status.resetSync();
+  errorHandler.dontIgnoreErrors = true;
+  Status.login = LOGIN_FAILED_NETWORK_ERROR;
+  do_check_true(errorHandler.shouldReportError());
+
+});
+
+add_identity_test(this, function test_shouldReportError() {
+  Status.login = MASTER_PASSWORD_LOCKED;
+  do_check_false(errorHandler.shouldReportError());
+
+  // Give ourselves a clusterURL so that the temporary 401 no-error situation
+  // doesn't come into play.
+  Service.serverURL  = FAKE_SERVER_URL;
+  Service.clusterURL = FAKE_SERVER_URL;
+
+  // Test dontIgnoreErrors, non-network, non-prolonged, login error reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.login = LOGIN_FAILED_NO_PASSWORD;
+  do_check_true(errorHandler.shouldReportError());
+
+  // Test dontIgnoreErrors, non-network, non-prolonged, sync error reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.sync = CREDENTIALS_CHANGED;
+  do_check_true(errorHandler.shouldReportError());
+
+  // Test dontIgnoreErrors, non-network, prolonged, login error reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.login = LOGIN_FAILED_NO_PASSWORD;
+  do_check_true(errorHandler.shouldReportError());
+
+  // Test dontIgnoreErrors, non-network, prolonged, sync error reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.sync = CREDENTIALS_CHANGED;
+  do_check_true(errorHandler.shouldReportError());
+
+  // Test dontIgnoreErrors, network, non-prolonged, login error reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.login = LOGIN_FAILED_NETWORK_ERROR;
+  do_check_true(errorHandler.shouldReportError());
+
+  // Test dontIgnoreErrors, network, non-prolonged, sync error reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.sync = LOGIN_FAILED_NETWORK_ERROR;
+  do_check_true(errorHandler.shouldReportError());
+
+  // Test dontIgnoreErrors, network, prolonged, login error reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.login = LOGIN_FAILED_NETWORK_ERROR;
+  do_check_true(errorHandler.shouldReportError());
+
+  // Test dontIgnoreErrors, network, prolonged, sync error reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.sync = LOGIN_FAILED_NETWORK_ERROR;
+  do_check_true(errorHandler.shouldReportError());
+
+  // Test non-network, prolonged, login error reported
+  do_check_false(errorHandler.didReportProlongedError);
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.login = LOGIN_FAILED_NO_PASSWORD;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_true(errorHandler.didReportProlongedError);
+
+  // Second time with prolonged error and without resetting
+  // didReportProlongedError, sync error should not be reported.
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.login = LOGIN_FAILED_NO_PASSWORD;
+  do_check_false(errorHandler.shouldReportError());
+  do_check_true(errorHandler.didReportProlongedError);
+
+  // Test non-network, prolonged, sync error reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  errorHandler.didReportProlongedError = false;
+  Status.sync = CREDENTIALS_CHANGED;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_true(errorHandler.didReportProlongedError);
+  errorHandler.didReportProlongedError = false;
+
+  // Test network, prolonged, login error reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.login = LOGIN_FAILED_NETWORK_ERROR;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_true(errorHandler.didReportProlongedError);
+  errorHandler.didReportProlongedError = false;
+
+  // Test network, prolonged, sync error reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.sync = LOGIN_FAILED_NETWORK_ERROR;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_true(errorHandler.didReportProlongedError);
+  errorHandler.didReportProlongedError = false;
+
+  // Test non-network, non-prolonged, login error reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.login = LOGIN_FAILED_NO_PASSWORD;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_false(errorHandler.didReportProlongedError);
+
+  // Test non-network, non-prolonged, sync error reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.sync = CREDENTIALS_CHANGED;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_false(errorHandler.didReportProlongedError);
+
+  // Test network, non-prolonged, login error reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.login = LOGIN_FAILED_NETWORK_ERROR;
+  do_check_false(errorHandler.shouldReportError());
+  do_check_false(errorHandler.didReportProlongedError);
+
+  // Test network, non-prolonged, sync error reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.sync = LOGIN_FAILED_NETWORK_ERROR;
+  do_check_false(errorHandler.shouldReportError());
+  do_check_false(errorHandler.didReportProlongedError);
+
+  // Test server maintenance, sync errors are not reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.sync = SERVER_MAINTENANCE;
+  do_check_false(errorHandler.shouldReportError());
+  do_check_false(errorHandler.didReportProlongedError);
+
+  // Test server maintenance, login errors are not reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.login = SERVER_MAINTENANCE;
+  do_check_false(errorHandler.shouldReportError());
+  do_check_false(errorHandler.didReportProlongedError);
+
+  // Test prolonged, server maintenance, sync errors are reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.sync = SERVER_MAINTENANCE;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_true(errorHandler.didReportProlongedError);
+  errorHandler.didReportProlongedError = false;
+
+  // Test prolonged, server maintenance, login errors are reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = false;
+  Status.login = SERVER_MAINTENANCE;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_true(errorHandler.didReportProlongedError);
+  errorHandler.didReportProlongedError = false;
+
+  // Test dontIgnoreErrors, server maintenance, sync errors are reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.sync = SERVER_MAINTENANCE;
+  do_check_true(errorHandler.shouldReportError());
+  // dontIgnoreErrors means we don't set didReportProlongedError
+  do_check_false(errorHandler.didReportProlongedError);
+
+  // Test dontIgnoreErrors, server maintenance, login errors are reported
+  Status.resetSync();
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.login = SERVER_MAINTENANCE;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_false(errorHandler.didReportProlongedError);
+
+  // Test dontIgnoreErrors, prolonged, server maintenance,
+  // sync errors are reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.sync = SERVER_MAINTENANCE;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_false(errorHandler.didReportProlongedError);
+
+  // Test dontIgnoreErrors, prolonged, server maintenance,
+  // login errors are reported
+  Status.resetSync();
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.dontIgnoreErrors = true;
+  Status.login = SERVER_MAINTENANCE;
+  do_check_true(errorHandler.shouldReportError());
+  do_check_false(errorHandler.didReportProlongedError);
+});
+
+add_identity_test(this, function test_shouldReportError_master_password() {
+  _("Test error ignored due to locked master password");
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  // Monkey patch Service.verifyLogin to imitate
+  // master password being locked.
+  Service._verifyLogin = Service.verifyLogin;
+  Service.verifyLogin = function () {
+    Status.login = MASTER_PASSWORD_LOCKED;
+    return false;
+  };
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  Service.sync();
+  do_check_false(errorHandler.shouldReportError());
+
+  // Clean up.
+  Service.verifyLogin = Service._verifyLogin;
+  clean();
+  let deferred = Promise.defer();
+  server.stop(deferred.resolve);
+  yield deferred.promise;
+});
+
+// Test that even if we don't have a cluster URL, a login failure due to
+// authentication errors is always reported.
+add_identity_test(this, function test_shouldReportLoginFailureWithNoCluster() {
+  // Ensure no clusterURL - any error not specific to login should not be reported.
+  Service.serverURL  = "";
+  Service.clusterURL = "";
+
+  // Test explicit "login rejected" state.
+  Status.resetSync();
+  // If we have a LOGIN_REJECTED state, we always report the error.
+  Status.login = LOGIN_FAILED_LOGIN_REJECTED;
+  do_check_true(errorHandler.shouldReportError());
+  // But any other status with a missing clusterURL is treated as a mid-sync
+  // 401 (ie, should be treated as a node reassignment)
+  Status.login = LOGIN_SUCCEEDED;
+  do_check_false(errorHandler.shouldReportError());
+});
+
+// XXX - how to arrange for 'Service.identity.basicPassword = null;' in
+// an fxaccounts environment?
+add_task(function test_login_syncAndReportErrors_non_network_error() {
+  // Test non-network errors are reported
+  // when calling syncAndReportErrors
+  let server = sync_httpd_setup();
+  yield setUp(server);
+  Service.identity.basicPassword = null;
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:login:error", onSyncError);
+    do_check_eq(Status.login, LOGIN_FAILED_NO_PASSWORD);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_sync_syncAndReportErrors_non_network_error() {
+  // Test non-network errors are reported
+  // when calling syncAndReportErrors
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  // By calling sync, we ensure we're logged in.
+  Service.sync();
+  do_check_eq(Status.sync, SYNC_SUCCEEDED);
+  do_check_true(Service.isLoggedIn);
+
+  generateCredentialsChangedFailure();
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
+    do_check_eq(Status.sync, CREDENTIALS_CHANGED);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+// XXX - how to arrange for 'Service.identity.basicPassword = null;' in
+// an fxaccounts environment?
+add_task(function test_login_syncAndReportErrors_prolonged_non_network_error() {
+  // Test prolonged, non-network errors are
+  // reported when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+  Service.identity.basicPassword = null;
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:login:error", onSyncError);
+    do_check_eq(Status.login, LOGIN_FAILED_NO_PASSWORD);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_sync_syncAndReportErrors_prolonged_non_network_error() {
+  // Test prolonged, non-network errors are
+  // reported when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  // By calling sync, we ensure we're logged in.
+  Service.sync();
+  do_check_eq(Status.sync, SYNC_SUCCEEDED);
+  do_check_true(Service.isLoggedIn);
+
+  generateCredentialsChangedFailure();
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
+    do_check_eq(Status.sync, CREDENTIALS_CHANGED);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_login_syncAndReportErrors_network_error() {
+  // Test network errors are reported when calling syncAndReportErrors.
+  yield configureIdentity({username: "broken.wipe"});
+  Service.serverURL  = FAKE_SERVER_URL;
+  Service.clusterURL = FAKE_SERVER_URL;
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:login:error", onSyncError);
+    do_check_eq(Status.login, LOGIN_FAILED_NETWORK_ERROR);
+
+    clean();
+    deferred.resolve();
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+
+add_test(function test_sync_syncAndReportErrors_network_error() {
+  // Test network errors are reported when calling syncAndReportErrors.
+  Services.io.offline = true;
+
+  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
+    do_check_eq(Status.sync, LOGIN_FAILED_NETWORK_ERROR);
+
+    Services.io.offline = false;
+    clean();
+    run_next_test();
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+});
+
+add_identity_test(this, function test_login_syncAndReportErrors_prolonged_network_error() {
+  // Test prolonged, network errors are reported
+  // when calling syncAndReportErrors.
+  yield configureIdentity({username: "johndoe"});
+
+  Service.serverURL  = FAKE_SERVER_URL;
+  Service.clusterURL = FAKE_SERVER_URL;
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:login:error", onSyncError);
+    do_check_eq(Status.login, LOGIN_FAILED_NETWORK_ERROR);
+
+    clean();
+    deferred.resolve();
+  });
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_test(function test_sync_syncAndReportErrors_prolonged_network_error() {
+  // Test prolonged, network errors are reported
+  // when calling syncAndReportErrors.
+  Services.io.offline = true;
+
+  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
+    do_check_eq(Status.sync, LOGIN_FAILED_NETWORK_ERROR);
+
+    Services.io.offline = false;
+    clean();
+    run_next_test();
+  });
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+});
+
+add_task(function test_login_prolonged_non_network_error() {
+  // Test prolonged, non-network errors are reported
+  let server = sync_httpd_setup();
+  yield setUp(server);
+  Service.identity.basicPassword = null;
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:login:error", onSyncError);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_task(function test_sync_prolonged_non_network_error() {
+  // Test prolonged, non-network errors are reported
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  // By calling sync, we ensure we're logged in.
+  Service.sync();
+  do_check_eq(Status.sync, SYNC_SUCCEEDED);
+  do_check_true(Service.isLoggedIn);
+
+  generateCredentialsChangedFailure();
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_login_prolonged_network_error() {
+  // Test prolonged, network errors are reported
+  yield configureIdentity({username: "johndoe"});
+  Service.serverURL  = FAKE_SERVER_URL;
+  Service.clusterURL = FAKE_SERVER_URL;
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:login:error", onSyncError);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    deferred.resolve();
+  });
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_test(function test_sync_prolonged_network_error() {
+  // Test prolonged, network errors are reported
+  Services.io.offline = true;
+
+  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    Services.io.offline = false;
+    clean();
+    run_next_test();
+  });
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+});
+
+add_task(function test_login_non_network_error() {
+  // Test non-network errors are reported
+  let server = sync_httpd_setup();
+  yield setUp(server);
+  Service.identity.basicPassword = null;
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:login:error", onSyncError);
+    do_check_eq(Status.login, LOGIN_FAILED_NO_PASSWORD);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_task(function test_sync_non_network_error() {
+  // Test non-network errors are reported
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  // By calling sync, we ensure we're logged in.
+  Service.sync();
+  do_check_eq(Status.sync, SYNC_SUCCEEDED);
+  do_check_true(Service.isLoggedIn);
+
+  generateCredentialsChangedFailure();
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
+    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
+    do_check_eq(Status.sync, CREDENTIALS_CHANGED);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_login_network_error() {
+  yield configureIdentity({username: "johndoe"});
+  Service.serverURL  = FAKE_SERVER_URL;
+  Service.clusterURL = FAKE_SERVER_URL;
+
+  let deferred = Promise.defer();
+  // Test network errors are not reported.
+  Svc.Obs.add("weave:ui:clear-error", function onClearError() {
+    Svc.Obs.remove("weave:ui:clear-error", onClearError);
+
+    do_check_eq(Status.login, LOGIN_FAILED_NETWORK_ERROR);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    Services.io.offline = false;
+    clean();
+    deferred.resolve()
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_test(function test_sync_network_error() {
+  // Test network errors are not reported.
+  Services.io.offline = true;
+
+  Svc.Obs.add("weave:ui:sync:finish", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:sync:finish", onUIUpdate);
+    do_check_eq(Status.sync, LOGIN_FAILED_NETWORK_ERROR);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    Services.io.offline = false;
+    clean();
+    run_next_test();
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  Service.sync();
+});
+
+add_identity_test(this, function test_sync_server_maintenance_error() {
+  // Test server maintenance errors are not reported.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  const BACKOFF = 42;
+  let engine = engineManager.get("catapult");
+  engine.enabled = true;
+  engine.exception = {status: 503,
+                      headers: {"retry-after": BACKOFF}};
+
+  function onSyncError() {
+    do_throw("Shouldn't get here!");
+  }
+  Svc.Obs.add("weave:ui:sync:error", onSyncError);
+
+  do_check_eq(Status.service, STATUS_OK);
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:finish", function onSyncFinish() {
+    Svc.Obs.remove("weave:ui:sync:finish", onSyncFinish);
+
+    do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
+    do_check_eq(Status.sync, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_info_collections_login_server_maintenance_error() {
+  // Test info/collections server maintenance errors are not reported.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  Service.username = "broken.info";
+  yield configureIdentity({username: "broken.info"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  function onUIUpdate() {
+    do_throw("Shouldn't experience UI update!");
+  }
+  Svc.Obs.add("weave:ui:login:error", onUIUpdate);
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:clear-error", function onLoginFinish() {
+    Svc.Obs.remove("weave:ui:clear-error", onLoginFinish);
+
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_meta_global_login_server_maintenance_error() {
+  // Test meta/global server maintenance errors are not reported.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.meta"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  function onUIUpdate() {
+    do_throw("Shouldn't get here!");
+  }
+  Svc.Obs.add("weave:ui:login:error", onUIUpdate);
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:clear-error", function onLoginFinish() {
+    Svc.Obs.remove("weave:ui:clear-error", onLoginFinish);
+
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_crypto_keys_login_server_maintenance_error() {
+  // Test crypto/keys server maintenance errors are not reported.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.keys"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  // Force re-download of keys
+  Service.collectionKeys.clear();
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  function onUIUpdate() {
+    do_throw("Shouldn't get here!");
+  }
+  Svc.Obs.add("weave:ui:login:error", onUIUpdate);
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:clear-error", function onLoginFinish() {
+    Svc.Obs.remove("weave:ui:clear-error", onLoginFinish);
+
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_task(function test_sync_prolonged_server_maintenance_error() {
+  // Test prolonged server maintenance errors are reported.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  const BACKOFF = 42;
+  let engine = engineManager.get("catapult");
+  engine.enabled = true;
+  engine.exception = {status: 503,
+                      headers: {"retry-after": BACKOFF}};
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
+    do_check_eq(Status.service, SYNC_FAILED);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_info_collections_login_prolonged_server_maintenance_error(){
+  // Test info/collections prolonged server maintenance errors are reported.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.info"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, SYNC_FAILED);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_meta_global_login_prolonged_server_maintenance_error(){
+  // Test meta/global prolonged server maintenance errors are reported.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.meta"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, SYNC_FAILED);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_download_crypto_keys_login_prolonged_server_maintenance_error(){
+  // Test crypto/keys prolonged server maintenance errors are reported.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.keys"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+  // Force re-download of keys
+  Service.collectionKeys.clear();
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, SYNC_FAILED);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_upload_crypto_keys_login_prolonged_server_maintenance_error(){
+  // Test crypto/keys prolonged server maintenance errors are reported.
+  let server = sync_httpd_setup();
+
+  // Start off with an empty account, do not upload a key.
+  yield configureIdentity({username: "broken.keys"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, SYNC_FAILED);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_wipeServer_login_prolonged_server_maintenance_error(){
+  // Test that we report prolonged server maintenance errors that occur whilst
+  // wiping the server.
+  let server = sync_httpd_setup();
+
+  // Start off with an empty account, do not upload a key.
+  yield configureIdentity({username: "broken.wipe"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, SYNC_FAILED);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_wipeRemote_prolonged_server_maintenance_error(){
+  // Test that we report prolonged server maintenance errors that occur whilst
+  // wiping all remote devices.
+  let server = sync_httpd_setup();
+
+  server.registerPathHandler("/1.1/broken.wipe/storage/catapult", service_unavailable);
+  yield configureIdentity({username: "broken.wipe"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+  generateAndUploadKeys();
+
+  let engine = engineManager.get("catapult");
+  engine.exception = null;
+  engine.enabled = true;
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, SYNC_FAILED);
+    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
+    do_check_eq(Svc.Prefs.get("firstSync"), "wipeRemote");
+    do_check_true(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  Svc.Prefs.set("firstSync", "wipeRemote");
+  setLastSync(PROLONGED_ERROR_DURATION);
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_task(function test_sync_syncAndReportErrors_server_maintenance_error() {
+  // Test server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  const BACKOFF = 42;
+  let engine = engineManager.get("catapult");
+  engine.enabled = true;
+  engine.exception = {status: 503,
+                      headers: {"retry-after": BACKOFF}};
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
+    do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
+    do_check_eq(Status.sync, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_info_collections_login_syncAndReportErrors_server_maintenance_error() {
+  // Test info/collections server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.info"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_meta_global_login_syncAndReportErrors_server_maintenance_error() {
+  // Test meta/global server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.meta"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_download_crypto_keys_login_syncAndReportErrors_server_maintenance_error() {
+  // Test crypto/keys server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.keys"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+  // Force re-download of keys
+  Service.collectionKeys.clear();
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_upload_crypto_keys_login_syncAndReportErrors_server_maintenance_error() {
+  // Test crypto/keys server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+
+  // Start off with an empty account, do not upload a key.
+  yield configureIdentity({username: "broken.keys"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_wipeServer_login_syncAndReportErrors_server_maintenance_error() {
+  // Test crypto/keys server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+
+  // Start off with an empty account, do not upload a key.
+  yield configureIdentity({username: "broken.wipe"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_wipeRemote_syncAndReportErrors_server_maintenance_error(){
+  // Test that we report prolonged server maintenance errors that occur whilst
+  // wiping all remote devices.
+  let server = sync_httpd_setup();
+
+  yield configureIdentity({username: "broken.wipe"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+  generateAndUploadKeys();
+
+  let engine = engineManager.get("catapult");
+  engine.exception = null;
+  engine.enabled = true;
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, SYNC_FAILED);
+    do_check_eq(Status.sync, SERVER_MAINTENANCE);
+    do_check_eq(Svc.Prefs.get("firstSync"), "wipeRemote");
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  Svc.Prefs.set("firstSync", "wipeRemote");
+  setLastSync(NON_PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_task(function test_sync_syncAndReportErrors_prolonged_server_maintenance_error() {
+  // Test prolonged server maintenance errors are
+  // reported when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  const BACKOFF = 42;
+  let engine = engineManager.get("catapult");
+  engine.enabled = true;
+  engine.exception = {status: 503,
+                      headers: {"retry-after": BACKOFF}};
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
+    do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
+    do_check_eq(Status.sync, SERVER_MAINTENANCE);
+    // syncAndReportErrors means dontIgnoreErrors, which means
+    // didReportProlongedError not touched.
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_info_collections_login_syncAndReportErrors_prolonged_server_maintenance_error() {
+  // Test info/collections server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.info"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    // syncAndReportErrors means dontIgnoreErrors, which means
+    // didReportProlongedError not touched.
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_meta_global_login_syncAndReportErrors_prolonged_server_maintenance_error() {
+  // Test meta/global server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.meta"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    // syncAndReportErrors means dontIgnoreErrors, which means
+    // didReportProlongedError not touched.
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_download_crypto_keys_login_syncAndReportErrors_prolonged_server_maintenance_error() {
+  // Test crypto/keys server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+  yield setUp(server);
+
+  yield configureIdentity({username: "broken.keys"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+  // Force re-download of keys
+  Service.collectionKeys.clear();
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    // syncAndReportErrors means dontIgnoreErrors, which means
+    // didReportProlongedError not touched.
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_upload_crypto_keys_login_syncAndReportErrors_prolonged_server_maintenance_error() {
+  // Test crypto/keys server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+
+  // Start off with an empty account, do not upload a key.
+  yield configureIdentity({username: "broken.keys"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    // syncAndReportErrors means dontIgnoreErrors, which means
+    // didReportProlongedError not touched.
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_identity_test(this, function test_wipeServer_login_syncAndReportErrors_prolonged_server_maintenance_error() {
+  // Test crypto/keys server maintenance errors are reported
+  // when calling syncAndReportErrors.
+  let server = sync_httpd_setup();
+
+  // Start off with an empty account, do not upload a key.
+  yield configureIdentity({username: "broken.wipe"});
+  Service.serverURL = server.baseURI + "/maintenance/";
+  Service.clusterURL = server.baseURI + "/maintenance/";
+
+  let backoffInterval;
+  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
+    Svc.Obs.remove("weave:service:backoff:interval", observe);
+    backoffInterval = subject;
+  });
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
+    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
+    do_check_true(Status.enforceBackoff);
+    do_check_eq(backoffInterval, 42);
+    do_check_eq(Status.service, LOGIN_FAILED);
+    do_check_eq(Status.login, SERVER_MAINTENANCE);
+    // syncAndReportErrors means dontIgnoreErrors, which means
+    // didReportProlongedError not touched.
+    do_check_false(errorHandler.didReportProlongedError);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_false(Status.enforceBackoff);
+  do_check_eq(Status.service, STATUS_OK);
+
+  setLastSync(PROLONGED_ERROR_DURATION);
+  errorHandler.syncAndReportErrors();
+  yield deferred.promise;
+});
+
+add_task(function test_sync_engine_generic_fail() {
+  let server = sync_httpd_setup();
+
+  let engine = engineManager.get("catapult");
+  engine.enabled = true;
+  engine.sync = function sync() {
+    Svc.Obs.notify("weave:engine:sync:error", "", "catapult");
+  };
+
+  let log = Log.repository.getLogger("Sync.ErrorHandler");
+  Svc.Prefs.set("log.appender.file.logOnError", true);
+
+  do_check_eq(Status.engines["catapult"], undefined);
+
+  let deferred = Promise.defer();
+  // Don't wait for reset-file-log until the sync is underway.
+  // This avoids us catching a delayed notification from an earlier test.
+  Svc.Obs.add("weave:engine:sync:finish", function onEngineFinish() {
+    Svc.Obs.remove("weave:engine:sync:finish", onEngineFinish);
+
+    log.info("Adding reset-file-log observer.");
+    Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
+      Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
+
+      // Put these checks here, not after sync(), so that we aren't racing the
+      // log handler... which resets everything just a few lines below!
+      _("Status.engines: " + JSON.stringify(Status.engines));
+      do_check_eq(Status.engines["catapult"], ENGINE_UNKNOWN_FAIL);
+      do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
+
+      // Test Error log was written on SYNC_FAILED_PARTIAL.
+      let entries = logsdir.directoryEntries;
+      do_check_true(entries.hasMoreElements());
+      let logfile = entries.getNext().QueryInterface(Ci.nsILocalFile);
+      do_check_true(logfile.leafName.startsWith("error-sync-"), logfile.leafName);
+
+      clean();
+      server.stop(deferred.resolve);
+    });
+  });
+
+  do_check_true(yield setUp(server));
+  Service.sync();
+  yield deferred.promise;
+});
+
+add_test(function test_logs_on_sync_error_despite_shouldReportError() {
+  _("Ensure that an error is still logged when weave:service:sync:error " +
+    "is notified, despite shouldReportError returning false.");
+
+  let log = Log.repository.getLogger("Sync.ErrorHandler");
+  Svc.Prefs.set("log.appender.file.logOnError", true);
+  log.info("TESTING");
+
+  // Ensure that we report no error.
+  Status.login = MASTER_PASSWORD_LOCKED;
+  do_check_false(errorHandler.shouldReportError());
+
+  Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
+    Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
+
+    // Test that error log was written.
+    let entries = logsdir.directoryEntries;
+    do_check_true(entries.hasMoreElements());
+    let logfile = entries.getNext().QueryInterface(Ci.nsILocalFile);
+    do_check_true(logfile.leafName.startsWith("error-sync-"), logfile.leafName);
+
+    clean();
+    run_next_test();
+  });
+  Svc.Obs.notify("weave:service:sync:error", {});
+});
+
+add_test(function test_logs_on_login_error_despite_shouldReportError() {
+  _("Ensure that an error is still logged when weave:service:login:error " +
+    "is notified, despite shouldReportError returning false.");
+
+  let log = Log.repository.getLogger("Sync.ErrorHandler");
+  Svc.Prefs.set("log.appender.file.logOnError", true);
+  log.info("TESTING");
+
+  // Ensure that we report no error.
+  Status.login = MASTER_PASSWORD_LOCKED;
+  do_check_false(errorHandler.shouldReportError());
+
+  Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
+    Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
+
+    // Test that error log was written.
+    let entries = logsdir.directoryEntries;
+    do_check_true(entries.hasMoreElements());
+    let logfile = entries.getNext().QueryInterface(Ci.nsILocalFile);
+    do_check_true(logfile.leafName.startsWith("error-sync-"), logfile.leafName);
+
+    clean();
+    run_next_test();
+  });
+  Svc.Obs.notify("weave:service:login:error", {});
+});
+
+// This test should be the last one since it monkeypatches the engine object
+// and we should only have one engine object throughout the file (bug 629664).
+add_task(function test_engine_applyFailed() {
+  let server = sync_httpd_setup();
+
+  let engine = engineManager.get("catapult");
+  engine.enabled = true;
+  delete engine.exception;
+  engine.sync = function sync() {
+    Svc.Obs.notify("weave:engine:sync:applied", {newFailed:1}, "catapult");
+  };
+
+  let log = Log.repository.getLogger("Sync.ErrorHandler");
+  Svc.Prefs.set("log.appender.file.logOnError", true);
+
+  let deferred = Promise.defer();
+  Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
+    Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
+
+    do_check_eq(Status.engines["catapult"], ENGINE_APPLY_FAIL);
+    do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
+
+    // Test Error log was written on SYNC_FAILED_PARTIAL.
+    let entries = logsdir.directoryEntries;
+    do_check_true(entries.hasMoreElements());
+    let logfile = entries.getNext().QueryInterface(Ci.nsILocalFile);
+    do_check_true(logfile.leafName.startsWith("error-sync-"), logfile.leafName);
+
+    clean();
+    server.stop(deferred.resolve);
+  });
+
+  do_check_eq(Status.engines["catapult"], undefined);
+  do_check_true(yield setUp(server));
+  Service.sync();
+  yield deferred.promise;
+});
diff --git a/services/sync/tests/unit/test_errorhandler_1.js b/services/sync/tests/unit/test_errorhandler_1.js
deleted file mode 100644
index ea2070b480..0000000000
--- a/services/sync/tests/unit/test_errorhandler_1.js
+++ /dev/null
@@ -1,913 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Cu.import("resource://services-sync/engines/clients.js");
-Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-sync/engines.js");
-Cu.import("resource://services-sync/keys.js");
-Cu.import("resource://services-sync/policies.js");
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/status.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://testing-common/services/sync/utils.js");
-Cu.import("resource://gre/modules/FileUtils.jsm");
-
-var fakeServer = new SyncServer();
-fakeServer.start();
-
-do_register_cleanup(function() {
-  return new Promise(resolve => {
-    fakeServer.stop(resolve);
-  });
-});
-
-var fakeServerUrl = "http://localhost:" + fakeServer.port;
-
-const logsdir = FileUtils.getDir("ProfD", ["weave", "logs"], true);
-
-const PROLONGED_ERROR_DURATION =
-  (Svc.Prefs.get('errorhandler.networkFailureReportTimeout') * 2) * 1000;
-
-const NON_PROLONGED_ERROR_DURATION =
-  (Svc.Prefs.get('errorhandler.networkFailureReportTimeout') / 2) * 1000;
-
-Service.engineManager.clear();
-
-function setLastSync(lastSyncValue) {
-  Svc.Prefs.set("lastSync", (new Date(Date.now() - lastSyncValue)).toString());
-}
-
-var engineManager = Service.engineManager;
-engineManager.register(EHTestsCommon.CatapultEngine);
-
-// This relies on Service/ErrorHandler being a singleton. Fixing this will take
-// a lot of work.
-var errorHandler = Service.errorHandler;
-
-function run_test() {
-  initTestLogging("Trace");
-
-  Log.repository.getLogger("Sync.Service").level = Log.Level.Trace;
-  Log.repository.getLogger("Sync.SyncScheduler").level = Log.Level.Trace;
-  Log.repository.getLogger("Sync.ErrorHandler").level = Log.Level.Trace;
-
-  ensureLegacyIdentityManager();
-
-  run_next_test();
-}
-
-
-function clean() {
-  Service.startOver();
-  Status.resetSync();
-  Status.resetBackoff();
-  errorHandler.didReportProlongedError = false;
-}
-
-add_identity_test(this, function* test_401_logout() {
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  // By calling sync, we ensure we're logged in.
-  yield sync_and_validate_telem();
-  do_check_eq(Status.sync, SYNC_SUCCEEDED);
-  do_check_true(Service.isLoggedIn);
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:service:sync:error", onSyncError);
-  function onSyncError() {
-    _("Got weave:service:sync:error in first sync.");
-    Svc.Obs.remove("weave:service:sync:error", onSyncError);
-
-    // Wait for the automatic next sync.
-    function onLoginError() {
-      _("Got weave:service:login:error in second sync.");
-      Svc.Obs.remove("weave:service:login:error", onLoginError);
-
-      let expected = isConfiguredWithLegacyIdentity() ?
-                     LOGIN_FAILED_LOGIN_REJECTED : LOGIN_FAILED_NETWORK_ERROR;
-
-      do_check_eq(Status.login, expected);
-      do_check_false(Service.isLoggedIn);
-
-      // Clean up.
-      Utils.nextTick(function () {
-        Service.startOver();
-        server.stop(deferred.resolve);
-      });
-    }
-    Svc.Obs.add("weave:service:login:error", onLoginError);
-  }
-
-  // Make sync fail due to login rejected.
-  yield configureIdentity({username: "janedoe"});
-  Service._updateCachedURLs();
-
-  _("Starting first sync.");
-  let ping = yield sync_and_validate_telem(true);
-  deepEqual(ping.failureReason, { name: "httperror", code: 401 });
-  _("First sync done.");
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_credentials_changed_logout() {
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  // By calling sync, we ensure we're logged in.
-  yield sync_and_validate_telem();
-  do_check_eq(Status.sync, SYNC_SUCCEEDED);
-  do_check_true(Service.isLoggedIn);
-
-  EHTestsCommon.generateCredentialsChangedFailure();
-
-  let ping = yield sync_and_validate_telem(true);
-  equal(ping.status.sync, CREDENTIALS_CHANGED);
-  deepEqual(ping.failureReason, {
-    name: "unexpectederror",
-    error: "Error: Aborting sync, remote setup failed"
-  });
-
-  do_check_eq(Status.sync, CREDENTIALS_CHANGED);
-  do_check_false(Service.isLoggedIn);
-
-  // Clean up.
-  Service.startOver();
-  let deferred = Promise.defer();
-  server.stop(deferred.resolve);
-  yield deferred.promise;
-});
-
-add_identity_test(this, function test_no_lastSync_pref() {
-  // Test reported error.
-  Status.resetSync();
-  errorHandler.dontIgnoreErrors = true;
-  Status.sync = CREDENTIALS_CHANGED;
-  do_check_true(errorHandler.shouldReportError());
-
-  // Test unreported error.
-  Status.resetSync();
-  errorHandler.dontIgnoreErrors = true;
-  Status.login = LOGIN_FAILED_NETWORK_ERROR;
-  do_check_true(errorHandler.shouldReportError());
-
-});
-
-add_identity_test(this, function test_shouldReportError() {
-  Status.login = MASTER_PASSWORD_LOCKED;
-  do_check_false(errorHandler.shouldReportError());
-
-  // Give ourselves a clusterURL so that the temporary 401 no-error situation
-  // doesn't come into play.
-  Service.serverURL  = fakeServerUrl;
-  Service.clusterURL = fakeServerUrl;
-
-  // Test dontIgnoreErrors, non-network, non-prolonged, login error reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.login = LOGIN_FAILED_NO_PASSWORD;
-  do_check_true(errorHandler.shouldReportError());
-
-  // Test dontIgnoreErrors, non-network, non-prolonged, sync error reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.sync = CREDENTIALS_CHANGED;
-  do_check_true(errorHandler.shouldReportError());
-
-  // Test dontIgnoreErrors, non-network, prolonged, login error reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.login = LOGIN_FAILED_NO_PASSWORD;
-  do_check_true(errorHandler.shouldReportError());
-
-  // Test dontIgnoreErrors, non-network, prolonged, sync error reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.sync = CREDENTIALS_CHANGED;
-  do_check_true(errorHandler.shouldReportError());
-
-  // Test dontIgnoreErrors, network, non-prolonged, login error reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.login = LOGIN_FAILED_NETWORK_ERROR;
-  do_check_true(errorHandler.shouldReportError());
-
-  // Test dontIgnoreErrors, network, non-prolonged, sync error reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.sync = LOGIN_FAILED_NETWORK_ERROR;
-  do_check_true(errorHandler.shouldReportError());
-
-  // Test dontIgnoreErrors, network, prolonged, login error reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.login = LOGIN_FAILED_NETWORK_ERROR;
-  do_check_true(errorHandler.shouldReportError());
-
-  // Test dontIgnoreErrors, network, prolonged, sync error reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.sync = LOGIN_FAILED_NETWORK_ERROR;
-  do_check_true(errorHandler.shouldReportError());
-
-  // Test non-network, prolonged, login error reported
-  do_check_false(errorHandler.didReportProlongedError);
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.login = LOGIN_FAILED_NO_PASSWORD;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_true(errorHandler.didReportProlongedError);
-
-  // Second time with prolonged error and without resetting
-  // didReportProlongedError, sync error should not be reported.
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.login = LOGIN_FAILED_NO_PASSWORD;
-  do_check_false(errorHandler.shouldReportError());
-  do_check_true(errorHandler.didReportProlongedError);
-
-  // Test non-network, prolonged, sync error reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  errorHandler.didReportProlongedError = false;
-  Status.sync = CREDENTIALS_CHANGED;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_true(errorHandler.didReportProlongedError);
-  errorHandler.didReportProlongedError = false;
-
-  // Test network, prolonged, login error reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.login = LOGIN_FAILED_NETWORK_ERROR;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_true(errorHandler.didReportProlongedError);
-  errorHandler.didReportProlongedError = false;
-
-  // Test network, prolonged, sync error reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.sync = LOGIN_FAILED_NETWORK_ERROR;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_true(errorHandler.didReportProlongedError);
-  errorHandler.didReportProlongedError = false;
-
-  // Test non-network, non-prolonged, login error reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.login = LOGIN_FAILED_NO_PASSWORD;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_false(errorHandler.didReportProlongedError);
-
-  // Test non-network, non-prolonged, sync error reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.sync = CREDENTIALS_CHANGED;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_false(errorHandler.didReportProlongedError);
-
-  // Test network, non-prolonged, login error reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.login = LOGIN_FAILED_NETWORK_ERROR;
-  do_check_false(errorHandler.shouldReportError());
-  do_check_false(errorHandler.didReportProlongedError);
-
-  // Test network, non-prolonged, sync error reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.sync = LOGIN_FAILED_NETWORK_ERROR;
-  do_check_false(errorHandler.shouldReportError());
-  do_check_false(errorHandler.didReportProlongedError);
-
-  // Test server maintenance, sync errors are not reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.sync = SERVER_MAINTENANCE;
-  do_check_false(errorHandler.shouldReportError());
-  do_check_false(errorHandler.didReportProlongedError);
-
-  // Test server maintenance, login errors are not reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.login = SERVER_MAINTENANCE;
-  do_check_false(errorHandler.shouldReportError());
-  do_check_false(errorHandler.didReportProlongedError);
-
-  // Test prolonged, server maintenance, sync errors are reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.sync = SERVER_MAINTENANCE;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_true(errorHandler.didReportProlongedError);
-  errorHandler.didReportProlongedError = false;
-
-  // Test prolonged, server maintenance, login errors are reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = false;
-  Status.login = SERVER_MAINTENANCE;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_true(errorHandler.didReportProlongedError);
-  errorHandler.didReportProlongedError = false;
-
-  // Test dontIgnoreErrors, server maintenance, sync errors are reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.sync = SERVER_MAINTENANCE;
-  do_check_true(errorHandler.shouldReportError());
-  // dontIgnoreErrors means we don't set didReportProlongedError
-  do_check_false(errorHandler.didReportProlongedError);
-
-  // Test dontIgnoreErrors, server maintenance, login errors are reported
-  Status.resetSync();
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.login = SERVER_MAINTENANCE;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_false(errorHandler.didReportProlongedError);
-
-  // Test dontIgnoreErrors, prolonged, server maintenance,
-  // sync errors are reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.sync = SERVER_MAINTENANCE;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_false(errorHandler.didReportProlongedError);
-
-  // Test dontIgnoreErrors, prolonged, server maintenance,
-  // login errors are reported
-  Status.resetSync();
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.dontIgnoreErrors = true;
-  Status.login = SERVER_MAINTENANCE;
-  do_check_true(errorHandler.shouldReportError());
-  do_check_false(errorHandler.didReportProlongedError);
-});
-
-add_identity_test(this, function* test_shouldReportError_master_password() {
-  _("Test error ignored due to locked master password");
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  // Monkey patch Service.verifyLogin to imitate
-  // master password being locked.
-  Service._verifyLogin = Service.verifyLogin;
-  Service.verifyLogin = function () {
-    Status.login = MASTER_PASSWORD_LOCKED;
-    return false;
-  };
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  Service.sync();
-  do_check_false(errorHandler.shouldReportError());
-
-  // Clean up.
-  Service.verifyLogin = Service._verifyLogin;
-  clean();
-  let deferred = Promise.defer();
-  server.stop(deferred.resolve);
-  yield deferred.promise;
-});
-
-// Test that even if we don't have a cluster URL, a login failure due to
-// authentication errors is always reported.
-add_identity_test(this, function test_shouldReportLoginFailureWithNoCluster() {
-  // Ensure no clusterURL - any error not specific to login should not be reported.
-  Service.serverURL  = "";
-  Service.clusterURL = "";
-
-  // Test explicit "login rejected" state.
-  Status.resetSync();
-  // If we have a LOGIN_REJECTED state, we always report the error.
-  Status.login = LOGIN_FAILED_LOGIN_REJECTED;
-  do_check_true(errorHandler.shouldReportError());
-  // But any other status with a missing clusterURL is treated as a mid-sync
-  // 401 (ie, should be treated as a node reassignment)
-  Status.login = LOGIN_SUCCEEDED;
-  do_check_false(errorHandler.shouldReportError());
-});
-
-// XXX - how to arrange for 'Service.identity.basicPassword = null;' in
-// an fxaccounts environment?
-add_task(function* test_login_syncAndReportErrors_non_network_error() {
-  // Test non-network errors are reported
-  // when calling syncAndReportErrors
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-  Service.identity.basicPassword = null;
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:login:error", onSyncError);
-    do_check_eq(Status.login, LOGIN_FAILED_NO_PASSWORD);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_sync_syncAndReportErrors_non_network_error() {
-  // Test non-network errors are reported
-  // when calling syncAndReportErrors
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  // By calling sync, we ensure we're logged in.
-  Service.sync();
-  do_check_eq(Status.sync, SYNC_SUCCEEDED);
-  do_check_true(Service.isLoggedIn);
-
-  EHTestsCommon.generateCredentialsChangedFailure();
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
-    do_check_eq(Status.sync, CREDENTIALS_CHANGED);
-    // If we clean this tick, telemetry won't get the right error
-    server.stop(() => {
-      clean();
-      deferred.resolve();
-    });
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  let ping = yield wait_for_ping(() => errorHandler.syncAndReportErrors(), true);
-  equal(ping.status.sync, CREDENTIALS_CHANGED);
-  deepEqual(ping.failureReason, {
-    name: "unexpectederror",
-    error: "Error: Aborting sync, remote setup failed"
-  });
-  yield deferred.promise;
-});
-
-// XXX - how to arrange for 'Service.identity.basicPassword = null;' in
-// an fxaccounts environment?
-add_task(function* test_login_syncAndReportErrors_prolonged_non_network_error() {
-  // Test prolonged, non-network errors are
-  // reported when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-  Service.identity.basicPassword = null;
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:login:error", onSyncError);
-    do_check_eq(Status.login, LOGIN_FAILED_NO_PASSWORD);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_sync_syncAndReportErrors_prolonged_non_network_error() {
-  // Test prolonged, non-network errors are
-  // reported when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  // By calling sync, we ensure we're logged in.
-  Service.sync();
-  do_check_eq(Status.sync, SYNC_SUCCEEDED);
-  do_check_true(Service.isLoggedIn);
-
-  EHTestsCommon.generateCredentialsChangedFailure();
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
-    do_check_eq(Status.sync, CREDENTIALS_CHANGED);
-    // If we clean this tick, telemetry won't get the right error
-    server.stop(() => {
-      clean();
-      deferred.resolve();
-    });
-  });
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  let ping = yield wait_for_ping(() => errorHandler.syncAndReportErrors(), true);
-  equal(ping.status.sync, CREDENTIALS_CHANGED);
-  deepEqual(ping.failureReason, {
-    name: "unexpectederror",
-    error: "Error: Aborting sync, remote setup failed"
-  });
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_login_syncAndReportErrors_network_error() {
-  // Test network errors are reported when calling syncAndReportErrors.
-  yield configureIdentity({username: "broken.wipe"});
-  Service.serverURL  = fakeServerUrl;
-  Service.clusterURL = fakeServerUrl;
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:login:error", onSyncError);
-    do_check_eq(Status.login, LOGIN_FAILED_NETWORK_ERROR);
-
-    clean();
-    deferred.resolve();
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-
-add_test(function test_sync_syncAndReportErrors_network_error() {
-  // Test network errors are reported when calling syncAndReportErrors.
-  Services.io.offline = true;
-
-  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
-    do_check_eq(Status.sync, LOGIN_FAILED_NETWORK_ERROR);
-
-    Services.io.offline = false;
-    clean();
-    run_next_test();
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-});
-
-add_identity_test(this, function* test_login_syncAndReportErrors_prolonged_network_error() {
-  // Test prolonged, network errors are reported
-  // when calling syncAndReportErrors.
-  yield configureIdentity({username: "johndoe"});
-
-  Service.serverURL  = fakeServerUrl;
-  Service.clusterURL = fakeServerUrl;
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:login:error", onSyncError);
-    do_check_eq(Status.login, LOGIN_FAILED_NETWORK_ERROR);
-
-    clean();
-    deferred.resolve();
-  });
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_test(function test_sync_syncAndReportErrors_prolonged_network_error() {
-  // Test prolonged, network errors are reported
-  // when calling syncAndReportErrors.
-  Services.io.offline = true;
-
-  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
-    do_check_eq(Status.sync, LOGIN_FAILED_NETWORK_ERROR);
-
-    Services.io.offline = false;
-    clean();
-    run_next_test();
-  });
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-});
-
-add_task(function* test_login_prolonged_non_network_error() {
-  // Test prolonged, non-network errors are reported
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-  Service.identity.basicPassword = null;
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:login:error", onSyncError);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_task(function* test_sync_prolonged_non_network_error() {
-  // Test prolonged, non-network errors are reported
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  // By calling sync, we ensure we're logged in.
-  Service.sync();
-  do_check_eq(Status.sync, SYNC_SUCCEEDED);
-  do_check_true(Service.isLoggedIn);
-
-  EHTestsCommon.generateCredentialsChangedFailure();
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-    server.stop(() => {
-      clean();
-      deferred.resolve();
-    });
-  });
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-
-  let ping = yield sync_and_validate_telem(true);
-  equal(ping.status.sync, PROLONGED_SYNC_FAILURE);
-  deepEqual(ping.failureReason, {
-    name: "unexpectederror",
-    error: "Error: Aborting sync, remote setup failed"
-  });
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_login_prolonged_network_error() {
-  // Test prolonged, network errors are reported
-  yield configureIdentity({username: "johndoe"});
-  Service.serverURL  = fakeServerUrl;
-  Service.clusterURL = fakeServerUrl;
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:login:error", onSyncError);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-
-    clean();
-    deferred.resolve();
-  });
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_test(function test_sync_prolonged_network_error() {
-  // Test prolonged, network errors are reported
-  Services.io.offline = true;
-
-  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-
-    Services.io.offline = false;
-    clean();
-    run_next_test();
-  });
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  Service.sync();
-});
-
-add_task(function* test_login_non_network_error() {
-  // Test non-network errors are reported
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-  Service.identity.basicPassword = null;
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:login:error", onSyncError);
-    do_check_eq(Status.login, LOGIN_FAILED_NO_PASSWORD);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_task(function* test_sync_non_network_error() {
-  // Test non-network errors are reported
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  // By calling sync, we ensure we're logged in.
-  Service.sync();
-  do_check_eq(Status.sync, SYNC_SUCCEEDED);
-  do_check_true(Service.isLoggedIn);
-
-  EHTestsCommon.generateCredentialsChangedFailure();
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:error", function onSyncError() {
-    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
-    do_check_eq(Status.sync, CREDENTIALS_CHANGED);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_login_network_error() {
-  yield configureIdentity({username: "johndoe"});
-  Service.serverURL  = fakeServerUrl;
-  Service.clusterURL = fakeServerUrl;
-
-  let deferred = Promise.defer();
-  // Test network errors are not reported.
-  Svc.Obs.add("weave:ui:clear-error", function onClearError() {
-    Svc.Obs.remove("weave:ui:clear-error", onClearError);
-
-    do_check_eq(Status.login, LOGIN_FAILED_NETWORK_ERROR);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    Services.io.offline = false;
-    clean();
-    deferred.resolve()
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_test(function test_sync_network_error() {
-  // Test network errors are not reported.
-  Services.io.offline = true;
-
-  Svc.Obs.add("weave:ui:sync:finish", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:sync:finish", onUIUpdate);
-    do_check_eq(Status.sync, LOGIN_FAILED_NETWORK_ERROR);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    Services.io.offline = false;
-    clean();
-    run_next_test();
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  Service.sync();
-});
-
-add_identity_test(this, function* test_sync_server_maintenance_error() {
-  // Test server maintenance errors are not reported.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  const BACKOFF = 42;
-  let engine = engineManager.get("catapult");
-  engine.enabled = true;
-  engine.exception = {status: 503,
-                      headers: {"retry-after": BACKOFF}};
-
-  function onSyncError() {
-    do_throw("Shouldn't get here!");
-  }
-  Svc.Obs.add("weave:ui:sync:error", onSyncError);
-
-  do_check_eq(Status.service, STATUS_OK);
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:finish", function onSyncFinish() {
-    Svc.Obs.remove("weave:ui:sync:finish", onSyncFinish);
-
-    do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
-    do_check_eq(Status.sync, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    Svc.Obs.remove("weave:ui:sync:error", onSyncError);
-    server.stop(() => {
-      clean();
-      deferred.resolve();
-    })
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  let ping = yield sync_and_validate_telem(true);
-  equal(ping.status.sync, SERVER_MAINTENANCE);
-  deepEqual(ping.engines.find(e => e.failureReason).failureReason, { name: "httperror", code: 503 })
-
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_info_collections_login_server_maintenance_error() {
-  // Test info/collections server maintenance errors are not reported.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  Service.username = "broken.info";
-  yield configureIdentity({username: "broken.info"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  function onUIUpdate() {
-    do_throw("Shouldn't experience UI update!");
-  }
-  Svc.Obs.add("weave:ui:login:error", onUIUpdate);
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:clear-error", function onLoginFinish() {
-    Svc.Obs.remove("weave:ui:clear-error", onLoginFinish);
-
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_meta_global_login_server_maintenance_error() {
-  // Test meta/global server maintenance errors are not reported.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.meta"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  function onUIUpdate() {
-    do_throw("Shouldn't get here!");
-  }
-  Svc.Obs.add("weave:ui:login:error", onUIUpdate);
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:clear-error", function onLoginFinish() {
-    Svc.Obs.remove("weave:ui:clear-error", onLoginFinish);
-
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
diff --git a/services/sync/tests/unit/test_errorhandler_2.js b/services/sync/tests/unit/test_errorhandler_2.js
deleted file mode 100644
index 41f8ee7276..0000000000
--- a/services/sync/tests/unit/test_errorhandler_2.js
+++ /dev/null
@@ -1,1012 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Cu.import("resource://services-sync/engines/clients.js");
-Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-sync/engines.js");
-Cu.import("resource://services-sync/keys.js");
-Cu.import("resource://services-sync/policies.js");
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/status.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://testing-common/services/sync/utils.js");
-Cu.import("resource://gre/modules/FileUtils.jsm");
-
-var fakeServer = new SyncServer();
-fakeServer.start();
-
-do_register_cleanup(function() {
-  return new Promise(resolve => {
-    fakeServer.stop(resolve);
-  });
-});
-
-var fakeServerUrl = "http://localhost:" + fakeServer.port;
-
-const logsdir = FileUtils.getDir("ProfD", ["weave", "logs"], true);
-
-const PROLONGED_ERROR_DURATION =
-  (Svc.Prefs.get('errorhandler.networkFailureReportTimeout') * 2) * 1000;
-
-const NON_PROLONGED_ERROR_DURATION =
-  (Svc.Prefs.get('errorhandler.networkFailureReportTimeout') / 2) * 1000;
-
-Service.engineManager.clear();
-
-function setLastSync(lastSyncValue) {
-  Svc.Prefs.set("lastSync", (new Date(Date.now() - lastSyncValue)).toString());
-}
-
-var engineManager = Service.engineManager;
-engineManager.register(EHTestsCommon.CatapultEngine);
-
-// This relies on Service/ErrorHandler being a singleton. Fixing this will take
-// a lot of work.
-var errorHandler = Service.errorHandler;
-
-function run_test() {
-  initTestLogging("Trace");
-
-  Log.repository.getLogger("Sync.Service").level = Log.Level.Trace;
-  Log.repository.getLogger("Sync.SyncScheduler").level = Log.Level.Trace;
-  Log.repository.getLogger("Sync.ErrorHandler").level = Log.Level.Trace;
-
-  ensureLegacyIdentityManager();
-
-  run_next_test();
-}
-
-
-function clean() {
-  Service.startOver();
-  Status.resetSync();
-  Status.resetBackoff();
-  errorHandler.didReportProlongedError = false;
-}
-
-add_identity_test(this, function* test_crypto_keys_login_server_maintenance_error() {
-  Status.resetSync();
-  // Test crypto/keys server maintenance errors are not reported.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.keys"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  // Force re-download of keys
-  Service.collectionKeys.clear();
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  function onUIUpdate() {
-    do_throw("Shouldn't get here!");
-  }
-  Svc.Obs.add("weave:ui:login:error", onUIUpdate);
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:clear-error", function onLoginFinish() {
-    Svc.Obs.remove("weave:ui:clear-error", onLoginFinish);
-
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_task(function* test_sync_prolonged_server_maintenance_error() {
-  // Test prolonged server maintenance errors are reported.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  const BACKOFF = 42;
-  let engine = engineManager.get("catapult");
-  engine.enabled = true;
-  engine.exception = {status: 503,
-                      headers: {"retry-after": BACKOFF}};
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
-    do_check_eq(Status.service, SYNC_FAILED);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-
-    server.stop(() => {
-      clean();
-      deferred.resolve();
-    });
-  });
-
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  let ping = yield sync_and_validate_telem(true);
-  deepEqual(ping.status.sync, PROLONGED_SYNC_FAILURE);
-  deepEqual(ping.engines.find(e => e.failureReason).failureReason,
-            { name: "httperror", code: 503 });
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_info_collections_login_prolonged_server_maintenance_error(){
-  // Test info/collections prolonged server maintenance errors are reported.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.info"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, SYNC_FAILED);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_meta_global_login_prolonged_server_maintenance_error(){
-  // Test meta/global prolonged server maintenance errors are reported.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.meta"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, SYNC_FAILED);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_download_crypto_keys_login_prolonged_server_maintenance_error(){
-  // Test crypto/keys prolonged server maintenance errors are reported.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.keys"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-  // Force re-download of keys
-  Service.collectionKeys.clear();
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, SYNC_FAILED);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_upload_crypto_keys_login_prolonged_server_maintenance_error(){
-  // Test crypto/keys prolonged server maintenance errors are reported.
-  let server = EHTestsCommon.sync_httpd_setup();
-
-  // Start off with an empty account, do not upload a key.
-  yield configureIdentity({username: "broken.keys"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, SYNC_FAILED);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_wipeServer_login_prolonged_server_maintenance_error(){
-  // Test that we report prolonged server maintenance errors that occur whilst
-  // wiping the server.
-  let server = EHTestsCommon.sync_httpd_setup();
-
-  // Start off with an empty account, do not upload a key.
-  yield configureIdentity({username: "broken.wipe"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, SYNC_FAILED);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_true(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  Service.sync();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_wipeRemote_prolonged_server_maintenance_error(){
-  // Test that we report prolonged server maintenance errors that occur whilst
-  // wiping all remote devices.
-  let server = EHTestsCommon.sync_httpd_setup();
-
-  server.registerPathHandler("/1.1/broken.wipe/storage/catapult", EHTestsCommon.service_unavailable);
-  yield configureIdentity({username: "broken.wipe"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-  EHTestsCommon.generateAndUploadKeys();
-
-  let engine = engineManager.get("catapult");
-  engine.exception = null;
-  engine.enabled = true;
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, SYNC_FAILED);
-    do_check_eq(Status.sync, PROLONGED_SYNC_FAILURE);
-    do_check_eq(Svc.Prefs.get("firstSync"), "wipeRemote");
-    do_check_true(errorHandler.didReportProlongedError);
-    server.stop(() => {
-      clean();
-      deferred.resolve();
-    });
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  Svc.Prefs.set("firstSync", "wipeRemote");
-  setLastSync(PROLONGED_ERROR_DURATION);
-  let ping = yield sync_and_validate_telem(true);
-  deepEqual(ping.failureReason, { name: "httperror", code: 503 });
-  yield deferred.promise;
-});
-
-add_task(function* test_sync_syncAndReportErrors_server_maintenance_error() {
-  // Test server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  const BACKOFF = 42;
-  let engine = engineManager.get("catapult");
-  engine.enabled = true;
-  engine.exception = {status: 503,
-                      headers: {"retry-after": BACKOFF}};
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
-    do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
-    do_check_eq(Status.sync, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_info_collections_login_syncAndReportErrors_server_maintenance_error() {
-  // Test info/collections server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.info"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_meta_global_login_syncAndReportErrors_server_maintenance_error() {
-  // Test meta/global server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.meta"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_download_crypto_keys_login_syncAndReportErrors_server_maintenance_error() {
-  // Test crypto/keys server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.keys"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-  // Force re-download of keys
-  Service.collectionKeys.clear();
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_upload_crypto_keys_login_syncAndReportErrors_server_maintenance_error() {
-  // Test crypto/keys server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-
-  // Start off with an empty account, do not upload a key.
-  yield configureIdentity({username: "broken.keys"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_wipeServer_login_syncAndReportErrors_server_maintenance_error() {
-  // Test crypto/keys server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-
-  // Start off with an empty account, do not upload a key.
-  yield configureIdentity({username: "broken.wipe"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_wipeRemote_syncAndReportErrors_server_maintenance_error(){
-  // Test that we report prolonged server maintenance errors that occur whilst
-  // wiping all remote devices.
-  let server = EHTestsCommon.sync_httpd_setup();
-
-  yield configureIdentity({username: "broken.wipe"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-  EHTestsCommon.generateAndUploadKeys();
-
-  let engine = engineManager.get("catapult");
-  engine.exception = null;
-  engine.enabled = true;
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, SYNC_FAILED);
-    do_check_eq(Status.sync, SERVER_MAINTENANCE);
-    do_check_eq(Svc.Prefs.get("firstSync"), "wipeRemote");
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  Svc.Prefs.set("firstSync", "wipeRemote");
-  setLastSync(NON_PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_task(function* test_sync_syncAndReportErrors_prolonged_server_maintenance_error() {
-  // Test prolonged server maintenance errors are
-  // reported when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  const BACKOFF = 42;
-  let engine = engineManager.get("catapult");
-  engine.enabled = true;
-  engine.exception = {status: 503,
-                      headers: {"retry-after": BACKOFF}};
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:sync:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:sync:error", onUIUpdate);
-    do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
-    do_check_eq(Status.sync, SERVER_MAINTENANCE);
-    // syncAndReportErrors means dontIgnoreErrors, which means
-    // didReportProlongedError not touched.
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_info_collections_login_syncAndReportErrors_prolonged_server_maintenance_error() {
-  // Test info/collections server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.info"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    // syncAndReportErrors means dontIgnoreErrors, which means
-    // didReportProlongedError not touched.
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_meta_global_login_syncAndReportErrors_prolonged_server_maintenance_error() {
-  // Test meta/global server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.meta"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    // syncAndReportErrors means dontIgnoreErrors, which means
-    // didReportProlongedError not touched.
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_download_crypto_keys_login_syncAndReportErrors_prolonged_server_maintenance_error() {
-  // Test crypto/keys server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-  yield EHTestsCommon.setUp(server);
-
-  yield configureIdentity({username: "broken.keys"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-  // Force re-download of keys
-  Service.collectionKeys.clear();
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    // syncAndReportErrors means dontIgnoreErrors, which means
-    // didReportProlongedError not touched.
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_upload_crypto_keys_login_syncAndReportErrors_prolonged_server_maintenance_error() {
-  // Test crypto/keys server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-
-  // Start off with an empty account, do not upload a key.
-  yield configureIdentity({username: "broken.keys"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    // syncAndReportErrors means dontIgnoreErrors, which means
-    // didReportProlongedError not touched.
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_identity_test(this, function* test_wipeServer_login_syncAndReportErrors_prolonged_server_maintenance_error() {
-  // Test crypto/keys server maintenance errors are reported
-  // when calling syncAndReportErrors.
-  let server = EHTestsCommon.sync_httpd_setup();
-
-  // Start off with an empty account, do not upload a key.
-  yield configureIdentity({username: "broken.wipe"});
-  Service.serverURL = server.baseURI + "/maintenance/";
-  Service.clusterURL = server.baseURI + "/maintenance/";
-
-  let backoffInterval;
-  Svc.Obs.add("weave:service:backoff:interval", function observe(subject, data) {
-    Svc.Obs.remove("weave:service:backoff:interval", observe);
-    backoffInterval = subject;
-  });
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:ui:login:error", function onUIUpdate() {
-    Svc.Obs.remove("weave:ui:login:error", onUIUpdate);
-    do_check_true(Status.enforceBackoff);
-    do_check_eq(backoffInterval, 42);
-    do_check_eq(Status.service, LOGIN_FAILED);
-    do_check_eq(Status.login, SERVER_MAINTENANCE);
-    // syncAndReportErrors means dontIgnoreErrors, which means
-    // didReportProlongedError not touched.
-    do_check_false(errorHandler.didReportProlongedError);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_false(Status.enforceBackoff);
-  do_check_eq(Status.service, STATUS_OK);
-
-  setLastSync(PROLONGED_ERROR_DURATION);
-  errorHandler.syncAndReportErrors();
-  yield deferred.promise;
-});
-
-add_task(function* test_sync_engine_generic_fail() {
-  let server = EHTestsCommon.sync_httpd_setup();
-
-let engine = engineManager.get("catapult");
-  engine.enabled = true;
-  engine.sync = function sync() {
-    Svc.Obs.notify("weave:engine:sync:error", ENGINE_UNKNOWN_FAIL, "catapult");
-  };
-
-  let log = Log.repository.getLogger("Sync.ErrorHandler");
-  Svc.Prefs.set("log.appender.file.logOnError", true);
-
-  do_check_eq(Status.engines["catapult"], undefined);
-
-  let deferred = Promise.defer();
-  // Don't wait for reset-file-log until the sync is underway.
-  // This avoids us catching a delayed notification from an earlier test.
-  Svc.Obs.add("weave:engine:sync:finish", function onEngineFinish() {
-    Svc.Obs.remove("weave:engine:sync:finish", onEngineFinish);
-
-    log.info("Adding reset-file-log observer.");
-    Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
-      Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
-
-      // Put these checks here, not after sync(), so that we aren't racing the
-      // log handler... which resets everything just a few lines below!
-      _("Status.engines: " + JSON.stringify(Status.engines));
-      do_check_eq(Status.engines["catapult"], ENGINE_UNKNOWN_FAIL);
-      do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
-
-      // Test Error log was written on SYNC_FAILED_PARTIAL.
-      let entries = logsdir.directoryEntries;
-      do_check_true(entries.hasMoreElements());
-      let logfile = entries.getNext().QueryInterface(Ci.nsILocalFile);
-      do_check_true(logfile.leafName.startsWith("error-sync-"), logfile.leafName);
-
-      clean();
-
-      let syncErrors = sumHistogram("WEAVE_ENGINE_SYNC_ERRORS", { key: "catapult" });
-      do_check_true(syncErrors, 1);
-
-      server.stop(() => {
-        clean();
-        deferred.resolve();
-      });
-    });
-  });
-
-  do_check_true(yield EHTestsCommon.setUp(server));
-  let ping = yield sync_and_validate_telem(true);
-  deepEqual(ping.status.service, SYNC_FAILED_PARTIAL);
-  deepEqual(ping.engines.find(e => e.status).status, ENGINE_UNKNOWN_FAIL);
-
-  yield deferred.promise;
-});
-
-add_test(function test_logs_on_sync_error_despite_shouldReportError() {
-  _("Ensure that an error is still logged when weave:service:sync:error " +
-    "is notified, despite shouldReportError returning false.");
-
-  let log = Log.repository.getLogger("Sync.ErrorHandler");
-  Svc.Prefs.set("log.appender.file.logOnError", true);
-  log.info("TESTING");
-
-  // Ensure that we report no error.
-  Status.login = MASTER_PASSWORD_LOCKED;
-  do_check_false(errorHandler.shouldReportError());
-
-  Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
-    Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
-
-    // Test that error log was written.
-    let entries = logsdir.directoryEntries;
-    do_check_true(entries.hasMoreElements());
-    let logfile = entries.getNext().QueryInterface(Ci.nsILocalFile);
-    do_check_true(logfile.leafName.startsWith("error-sync-"), logfile.leafName);
-
-    clean();
-    run_next_test();
-  });
-  Svc.Obs.notify("weave:service:sync:error", {});
-});
-
-add_test(function test_logs_on_login_error_despite_shouldReportError() {
-  _("Ensure that an error is still logged when weave:service:login:error " +
-    "is notified, despite shouldReportError returning false.");
-
-  let log = Log.repository.getLogger("Sync.ErrorHandler");
-  Svc.Prefs.set("log.appender.file.logOnError", true);
-  log.info("TESTING");
-
-  // Ensure that we report no error.
-  Status.login = MASTER_PASSWORD_LOCKED;
-  do_check_false(errorHandler.shouldReportError());
-
-  Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
-    Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
-
-    // Test that error log was written.
-    let entries = logsdir.directoryEntries;
-    do_check_true(entries.hasMoreElements());
-    let logfile = entries.getNext().QueryInterface(Ci.nsILocalFile);
-    do_check_true(logfile.leafName.startsWith("error-sync-"), logfile.leafName);
-
-    clean();
-    run_next_test();
-  });
-  Svc.Obs.notify("weave:service:login:error", {});
-});
-
-// This test should be the last one since it monkeypatches the engine object
-// and we should only have one engine object throughout the file (bug 629664).
-add_task(function* test_engine_applyFailed() {
-  let server = EHTestsCommon.sync_httpd_setup();
-
-  let engine = engineManager.get("catapult");
-  engine.enabled = true;
-  delete engine.exception;
-  engine.sync = function sync() {
-    Svc.Obs.notify("weave:engine:sync:applied", {newFailed:1}, "catapult");
-  };
-
-  let log = Log.repository.getLogger("Sync.ErrorHandler");
-  Svc.Prefs.set("log.appender.file.logOnError", true);
-
-  let deferred = Promise.defer();
-  Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
-    Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
-
-    do_check_eq(Status.engines["catapult"], ENGINE_APPLY_FAIL);
-    do_check_eq(Status.service, SYNC_FAILED_PARTIAL);
-
-    // Test Error log was written on SYNC_FAILED_PARTIAL.
-    let entries = logsdir.directoryEntries;
-    do_check_true(entries.hasMoreElements());
-    let logfile = entries.getNext().QueryInterface(Ci.nsILocalFile);
-    do_check_true(logfile.leafName.startsWith("error-sync-"), logfile.leafName);
-
-    clean();
-    server.stop(deferred.resolve);
-  });
-
-  do_check_eq(Status.engines["catapult"], undefined);
-  do_check_true(yield EHTestsCommon.setUp(server));
-  Service.sync();
-  yield deferred.promise;
-});
diff --git a/services/sync/tests/unit/test_errorhandler_eol.js b/services/sync/tests/unit/test_errorhandler_eol.js
index c8d2ff4be0..381bc72687 100644
--- a/services/sync/tests/unit/test_errorhandler_eol.js
+++ b/services/sync/tests/unit/test_errorhandler_eol.js
@@ -43,7 +43,7 @@ function sync_httpd_setup(infoHandler) {
   return httpd_setup(handlers);
 }
 
-function* setUp(server) {
+function setUp(server) {
   yield configureIdentity({username: "johndoe"});
   Service.serverURL = server.baseURI + "/";
   Service.clusterURL = server.baseURI + "/";
@@ -66,7 +66,7 @@ function do_check_hard_eol(eh, start) {
   do_check_true(Status.eol);
 }
 
-add_identity_test(this, function* test_200_hard() {
+add_identity_test(this, function test_200_hard() {
   let eh = Service.errorHandler;
   let start = Date.now();
   let server = sync_httpd_setup(handler200("hard-eol"));
@@ -88,7 +88,7 @@ add_identity_test(this, function* test_200_hard() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_513_hard() {
+add_identity_test(this, function test_513_hard() {
   let eh = Service.errorHandler;
   let start = Date.now();
   let server = sync_httpd_setup(handler513);
@@ -114,7 +114,7 @@ add_identity_test(this, function* test_513_hard() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_200_soft() {
+add_identity_test(this, function test_200_soft() {
   let eh = Service.errorHandler;
   let start = Date.now();
   let server = sync_httpd_setup(handler200("soft-eol"));
diff --git a/services/sync/tests/unit/test_errorhandler_filelog.js b/services/sync/tests/unit/test_errorhandler_filelog.js
index 993a478fd6..0ce82b1703 100644
--- a/services/sync/tests/unit/test_errorhandler_filelog.js
+++ b/services/sync/tests/unit/test_errorhandler_filelog.js
@@ -21,7 +21,7 @@ const DELAY_BUFFER       = 500;  // Buffer for timers on different OS platforms.
 const PROLONGED_ERROR_DURATION =
   (Svc.Prefs.get('errorhandler.networkFailureReportTimeout') * 2) * 1000;
 
-var errorHandler = Service.errorHandler;
+let errorHandler = Service.errorHandler;
 
 function setLastSync(lastSyncValue) {
   Svc.Prefs.set("lastSync", (new Date(Date.now() - lastSyncValue)).toString());
@@ -35,8 +35,6 @@ function run_test() {
   Log.repository.getLogger("Sync.SyncScheduler").level = Log.Level.Trace;
   Log.repository.getLogger("Sync.ErrorHandler").level = Log.Level.Trace;
 
-  validate_all_future_pings();
-
   run_next_test();
 }
 
@@ -47,22 +45,20 @@ add_test(function test_noOutput() {
   // Clear log output from startup.
   Svc.Prefs.set("log.appender.file.logOnSuccess", false);
   Svc.Obs.notify("weave:service:sync:finish");
-  Svc.Obs.add("weave:service:reset-file-log", function onResetFileLogOuter() {
-    Svc.Obs.remove("weave:service:reset-file-log", onResetFileLogOuter);
-    // Clear again without having issued any output.
-    Svc.Prefs.set("log.appender.file.logOnSuccess", true);
 
-    Svc.Obs.add("weave:service:reset-file-log", function onResetFileLogInner() {
-      Svc.Obs.remove("weave:service:reset-file-log", onResetFileLogInner);
+  // Clear again without having issued any output.
+  Svc.Prefs.set("log.appender.file.logOnSuccess", true);
 
-      errorHandler._logManager._fileAppender.level = Log.Level.Trace;
-      Svc.Prefs.resetBranch("");
-      run_next_test();
-    });
+  Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
+    Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
 
-    // Fake a successful sync.
-    Svc.Obs.notify("weave:service:sync:finish");
+    errorHandler._logManager._fileAppender.level = Log.Level.Trace;
+    Svc.Prefs.resetBranch("");
+    run_next_test();
   });
+
+  // Fake a successful sync.
+  Svc.Obs.notify("weave:service:sync:finish");
 });
 
 add_test(function test_logOnSuccess_false() {
@@ -85,14 +81,16 @@ add_test(function test_logOnSuccess_false() {
 });
 
 function readFile(file, callback) {
-  NetUtil.asyncFetch({
-    uri: NetUtil.newURI(file),
-    loadUsingSystemPrincipal: true
-  }, function (inputStream, statusCode, request) {
+  NetUtil.asyncFetch2(file, function (inputStream, statusCode, request) {
     let data = NetUtil.readInputStreamToString(inputStream,
                                                inputStream.available());
     callback(statusCode, data);
-  });
+  },
+  null,      // aLoadingNode
+  Services.scriptSecurityManager.getSystemPrincipal(),
+  null,      // aTriggeringPrincipal
+  Ci.nsILoadInfo.SEC_NORMAL,
+  Ci.nsIContentPolicy.TYPE_OTHER);
 }
 
 add_test(function test_logOnSuccess_true() {
@@ -269,51 +267,6 @@ add_test(function test_login_error_logOnError_true() {
   Svc.Obs.notify("weave:service:login:error");
 });
 
-
-add_test(function test_errorLog_dumpAddons() {
-  Svc.Prefs.set("log.appender.file.logOnError", true);
-
-  let log = Log.repository.getLogger("Sync.Test.FileLog");
-
-  // We need to wait until the log cleanup started by this test is complete
-  // or the next test will fail as it is ongoing.
-  Svc.Obs.add("services-tests:common:log-manager:cleanup-logs", function onCleanupLogs() {
-    Svc.Obs.remove("services-tests:common:log-manager:cleanup-logs", onCleanupLogs);
-    run_next_test();
-  });
-
-  Svc.Obs.add("weave:service:reset-file-log", function onResetFileLog() {
-    Svc.Obs.remove("weave:service:reset-file-log", onResetFileLog);
-
-    let entries = logsdir.directoryEntries;
-    do_check_true(entries.hasMoreElements());
-    let logfile = entries.getNext().QueryInterface(Ci.nsILocalFile);
-    do_check_eq(logfile.leafName.slice(-4), ".txt");
-    do_check_true(logfile.leafName.startsWith("error-sync-"), logfile.leafName);
-    do_check_false(entries.hasMoreElements());
-
-    // Ensure we logged some addon list (which is probably empty)
-    readFile(logfile, function (error, data) {
-      do_check_true(Components.isSuccessCode(error));
-      do_check_neq(data.indexOf("Addons installed"), -1);
-
-      // Clean up.
-      try {
-        logfile.remove(false);
-      } catch(ex) {
-        dump("Couldn't delete file: " + ex + "\n");
-        // Stupid Windows box.
-      }
-
-      Svc.Prefs.resetBranch("");
-    });
-  });
-
-  // Fake an unsuccessful sync due to prolonged failure.
-  setLastSync(PROLONGED_ERROR_DURATION);
-  Svc.Obs.notify("weave:service:sync:error");
-});
-
 // Check that error log files are deleted above an age threshold.
 add_test(function test_logErrorCleanup_age() {
   _("Beginning test_logErrorCleanup_age.");
diff --git a/services/sync/tests/unit/test_errorhandler_sync_checkServerError.js b/services/sync/tests/unit/test_errorhandler_sync_checkServerError.js
index 953f59fcba..18cea2ccee 100644
--- a/services/sync/tests/unit/test_errorhandler_sync_checkServerError.js
+++ b/services/sync/tests/unit/test_errorhandler_sync_checkServerError.js
@@ -13,7 +13,7 @@ Cu.import("resource://testing-common/services/sync/utils.js");
 
 initTestLogging("Trace");
 
-var engineManager = Service.engineManager;
+let engineManager = Service.engineManager;
 engineManager.clear();
 
 function promiseStopServer(server) {
@@ -59,7 +59,7 @@ function sync_httpd_setup() {
   return httpd_setup(handlers);
 }
 
-function* setUp(server) {
+function setUp(server) {
   yield configureIdentity({username: "johndoe"});
   Service.serverURL = server.baseURI + "/";
   Service.clusterURL = server.baseURI + "/";
@@ -75,7 +75,7 @@ function generateAndUploadKeys(server) {
 }
 
 
-add_identity_test(this, function* test_backoff500() {
+add_identity_test(this, function test_backoff500() {
   _("Test: HTTP 500 sets backoff status.");
   let server = sync_httpd_setup();
   yield setUp(server);
@@ -102,7 +102,7 @@ add_identity_test(this, function* test_backoff500() {
   yield promiseStopServer(server);
 });
 
-add_identity_test(this, function* test_backoff503() {
+add_identity_test(this, function test_backoff503() {
   _("Test: HTTP 503 with Retry-After header leads to backoff notification and sets backoff status.");
   let server = sync_httpd_setup();
   yield setUp(server);
@@ -138,7 +138,7 @@ add_identity_test(this, function* test_backoff503() {
   yield promiseStopServer(server);
 });
 
-add_identity_test(this, function* test_overQuota() {
+add_identity_test(this, function test_overQuota() {
   _("Test: HTTP 400 with body error code 14 means over quota.");
   let server = sync_httpd_setup();
   yield setUp(server);
@@ -167,7 +167,7 @@ add_identity_test(this, function* test_overQuota() {
   yield promiseStopServer(server);
 });
 
-add_identity_test(this, function* test_service_networkError() {
+add_identity_test(this, function test_service_networkError() {
   _("Test: Connection refused error from Service.sync() leads to the right status code.");
   let server = sync_httpd_setup();
   yield setUp(server);
@@ -193,14 +193,13 @@ add_identity_test(this, function* test_service_networkError() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_service_offline() {
+add_identity_test(this, function test_service_offline() {
   _("Test: Wanting to sync in offline mode leads to the right status code but does not increment the ignorable error count.");
   let server = sync_httpd_setup();
   yield setUp(server);
   let deferred = Promise.defer();
   server.stop(() => {
     Services.io.offline = true;
-    Services.prefs.setBoolPref("network.dns.offline-localhost", false);
 
     try {
       do_check_eq(Status.sync, SYNC_SUCCEEDED);
@@ -215,13 +214,12 @@ add_identity_test(this, function* test_service_offline() {
       Service.startOver();
     }
     Services.io.offline = false;
-    Services.prefs.clearUserPref("network.dns.offline-localhost");
     deferred.resolve();
   });
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_engine_networkError() {
+add_identity_test(this, function test_engine_networkError() {
   _("Test: Network related exceptions from engine.sync() lead to the right status code.");
   let server = sync_httpd_setup();
   yield setUp(server);
@@ -248,7 +246,7 @@ add_identity_test(this, function* test_engine_networkError() {
   yield promiseStopServer(server);
 });
 
-add_identity_test(this, function* test_resource_timeout() {
+add_identity_test(this, function test_resource_timeout() {
   let server = sync_httpd_setup();
   yield setUp(server);
 
@@ -276,7 +274,6 @@ add_identity_test(this, function* test_resource_timeout() {
 });
 
 function run_test() {
-  validate_all_future_pings();
   engineManager.register(CatapultEngine);
   run_next_test();
 }
diff --git a/services/sync/tests/unit/test_extension_storage_crypto.js b/services/sync/tests/unit/test_extension_storage_crypto.js
deleted file mode 100644
index f93e4970dc..0000000000
--- a/services/sync/tests/unit/test_extension_storage_crypto.js
+++ /dev/null
@@ -1,93 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-"use strict";
-
-Cu.import("resource://services-crypto/utils.js");
-Cu.import("resource://services-sync/engines/extension-storage.js");
-Cu.import("resource://services-sync/util.js");
-
-/**
- * Like Assert.throws, but for generators.
- *
- * @param {string | Object | function} constraint
- *        What to use to check the exception.
- * @param {function} f
- *        The function to call.
- */
-function* throwsGen(constraint, f) {
-  let threw = false;
-  let exception;
-  try {
-    yield* f();
-  }
-  catch (e) {
-    threw = true;
-    exception = e;
-  }
-
-  ok(threw, "did not throw an exception");
-
-  const debuggingMessage = `got ${exception}, expected ${constraint}`;
-  let message = exception;
-  if (typeof exception === "object") {
-    message = exception.message;
-  }
-
-  if (typeof constraint === "function") {
-    ok(constraint(message), debuggingMessage);
-  } else {
-    ok(constraint === message, debuggingMessage);
-  }
-
-}
-
-/**
- * An EncryptionRemoteTransformer that uses a fixed key bundle,
- * suitable for testing.
- */
-class StaticKeyEncryptionRemoteTransformer extends EncryptionRemoteTransformer {
-  constructor(keyBundle) {
-    super();
-    this.keyBundle = keyBundle;
-  }
-
-  getKeys() {
-    return Promise.resolve(this.keyBundle);
-  }
-}
-const BORING_KB = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
-const STRETCHED_KEY = CryptoUtils.hkdf(BORING_KB, undefined, `testing storage.sync encryption`, 2*32);
-const KEY_BUNDLE = {
-  sha256HMACHasher: Utils.makeHMACHasher(Ci.nsICryptoHMAC.SHA256, Utils.makeHMACKey(STRETCHED_KEY.slice(0, 32))),
-  encryptionKeyB64: btoa(STRETCHED_KEY.slice(32, 64)),
-};
-const transformer = new StaticKeyEncryptionRemoteTransformer(KEY_BUNDLE);
-
-add_task(function* test_encryption_transformer_roundtrip() {
-  const POSSIBLE_DATAS = [
-    "string",
-    2,          // number
-    [1, 2, 3],  // array
-    {key: "value"}, // object
-  ];
-
-  for (let data of POSSIBLE_DATAS) {
-    const record = {data: data, id: "key-some_2D_key", key: "some-key"};
-
-    deepEqual(record, yield transformer.decode(yield transformer.encode(record)));
-  }
-});
-
-add_task(function* test_refuses_to_decrypt_tampered() {
-  const encryptedRecord = yield transformer.encode({data: [1, 2, 3], id: "key-some_2D_key", key: "some-key"});
-  const tamperedHMAC = Object.assign({}, encryptedRecord, {hmac: "0000000000000000000000000000000000000000000000000000000000000001"});
-  yield* throwsGen(Utils.isHMACMismatch, function*() {
-    yield transformer.decode(tamperedHMAC);
-  });
-
-  const tamperedIV = Object.assign({}, encryptedRecord, {IV: "aaaaaaaaaaaaaaaaaaaaaa=="});
-  yield* throwsGen(Utils.isHMACMismatch, function*() {
-    yield transformer.decode(tamperedIV);
-  });
-});
diff --git a/services/sync/tests/unit/test_extension_storage_engine.js b/services/sync/tests/unit/test_extension_storage_engine.js
deleted file mode 100644
index 1b27927033..0000000000
--- a/services/sync/tests/unit/test_extension_storage_engine.js
+++ /dev/null
@@ -1,62 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-"use strict";
-
-Cu.import("resource://services-sync/engines.js");
-Cu.import("resource://services-sync/engines/extension-storage.js");
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://testing-common/services/sync/utils.js");
-Cu.import("resource://gre/modules/ExtensionStorageSync.jsm");
-
-Service.engineManager.register(ExtensionStorageEngine);
-const engine = Service.engineManager.get("extension-storage");
-do_get_profile();   // so we can use FxAccounts
-loadWebExtensionTestFunctions();
-
-function mock(options) {
-  let calls = [];
-  let ret = function() {
-    calls.push(arguments);
-    return options.returns;
-  }
-  Object.setPrototypeOf(ret, {
-    __proto__: Function.prototype,
-    get calls() {
-      return calls;
-    }
-  });
-  return ret;
-}
-
-add_task(function* test_calling_sync_calls__sync() {
-  let oldSync = ExtensionStorageEngine.prototype._sync;
-  let syncMock = ExtensionStorageEngine.prototype._sync = mock({returns: true});
-  try {
-    // I wanted to call the main sync entry point for the entire
-    // package, but that fails because it tries to sync ClientEngine
-    // first, which fails.
-    yield engine.sync();
-  } finally {
-    ExtensionStorageEngine.prototype._sync = oldSync;
-  }
-  equal(syncMock.calls.length, 1);
-});
-
-add_task(function* test_calling_sync_calls_ext_storage_sync() {
-  const extension = {id: "my-extension"};
-  let oldSync = ExtensionStorageSync.syncAll;
-  let syncMock = ExtensionStorageSync.syncAll = mock({returns: Promise.resolve()});
-  try {
-    yield* withSyncContext(function* (context) {
-      // Set something so that everyone knows that we're using storage.sync
-      yield ExtensionStorageSync.set(extension, {"a": "b"}, context);
-
-      yield engine._sync();
-    });
-  } finally {
-    ExtensionStorageSync.syncAll = oldSync;
-  }
-  do_check_true(syncMock.calls.length >= 1);
-});
diff --git a/services/sync/tests/unit/test_extension_storage_tracker.js b/services/sync/tests/unit/test_extension_storage_tracker.js
deleted file mode 100644
index fac51a8977..0000000000
--- a/services/sync/tests/unit/test_extension_storage_tracker.js
+++ /dev/null
@@ -1,38 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-"use strict";
-
-Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-sync/engines.js");
-Cu.import("resource://services-sync/engines/extension-storage.js");
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://gre/modules/ExtensionStorageSync.jsm");
-
-Service.engineManager.register(ExtensionStorageEngine);
-const engine = Service.engineManager.get("extension-storage");
-do_get_profile();   // so we can use FxAccounts
-loadWebExtensionTestFunctions();
-
-add_task(function* test_changing_extension_storage_changes_score() {
-  const tracker = engine._tracker;
-  const extension = {id: "my-extension-id"};
-  Svc.Obs.notify("weave:engine:start-tracking");
-  yield* withSyncContext(function*(context) {
-    yield ExtensionStorageSync.set(extension, {"a": "b"}, context);
-  });
-  do_check_eq(tracker.score, SCORE_INCREMENT_MEDIUM);
-
-  tracker.resetScore();
-  yield* withSyncContext(function*(context) {
-    yield ExtensionStorageSync.remove(extension, "a", context);
-  });
-  do_check_eq(tracker.score, SCORE_INCREMENT_MEDIUM);
-
-  Svc.Obs.notify("weave:engine:stop-tracking");
-});
-
-function run_test() {
-  run_next_test();
-}
diff --git a/services/sync/tests/unit/test_forms_tracker.js b/services/sync/tests/unit/test_forms_tracker.js
index f14e208b38..5f7aaa6483 100644
--- a/services/sync/tests/unit/test_forms_tracker.js
+++ b/services/sync/tests/unit/test_forms_tracker.js
@@ -40,18 +40,6 @@ function run_test() {
     addEntry("address", "Memory Lane");
     do_check_attribute_count(tracker.changedIDs, 3);
 
-
-    _("Check that ignoreAll is respected");
-    tracker.clearChangedIDs();
-    tracker.score = 0;
-    tracker.ignoreAll = true;
-    addEntry("username", "johndoe123");
-    addEntry("favoritecolor", "green");
-    removeEntry("name", "John Doe");
-    tracker.ignoreAll = false;
-    do_check_empty(tracker.changedIDs);
-    equal(tracker.score, 0);
-
     _("Let's stop tracking again.");
     tracker.clearChangedIDs();
     Svc.Obs.notify("weave:engine:stop-tracking");
@@ -63,8 +51,6 @@ function run_test() {
     removeEntry("email", "john@doe.com");
     do_check_empty(tracker.changedIDs);
 
-
-
   } finally {
     _("Clean up.");
     engine._store.wipe();
diff --git a/services/sync/tests/unit/test_fxa_node_reassignment.js b/services/sync/tests/unit/test_fxa_node_reassignment.js
index 3e4cefd534..2f61afd6fb 100644
--- a/services/sync/tests/unit/test_fxa_node_reassignment.js
+++ b/services/sync/tests/unit/test_fxa_node_reassignment.js
@@ -1,368 +1,321 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-_("Test that node reassignment happens correctly using the FxA identity mgr.");
-// The node-reassignment logic is quite different for FxA than for the legacy
-// provider.  In particular, there's no special request necessary for
-// reassignment - it comes from the token server - so we need to ensure the
-// Fxa cluster manager grabs a new token.
-
-Cu.import("resource://gre/modules/Log.jsm");
-Cu.import("resource://services-common/rest.js");
-Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/status.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://testing-common/services/sync/rotaryengine.js");
-Cu.import("resource://services-sync/browserid_identity.js");
-Cu.import("resource://testing-common/services/sync/utils.js");
-
-Service.engineManager.clear();
-
-function run_test() {
-  Log.repository.getLogger("Sync.AsyncResource").level = Log.Level.Trace;
-  Log.repository.getLogger("Sync.ErrorHandler").level  = Log.Level.Trace;
-  Log.repository.getLogger("Sync.Resource").level      = Log.Level.Trace;
-  Log.repository.getLogger("Sync.RESTRequest").level   = Log.Level.Trace;
-  Log.repository.getLogger("Sync.Service").level       = Log.Level.Trace;
-  Log.repository.getLogger("Sync.SyncScheduler").level = Log.Level.Trace;
-  initTestLogging();
-
-  Service.engineManager.register(RotaryEngine);
-
-  // Setup the FxA identity manager and cluster manager.
-  Status.__authManager = Service.identity = new BrowserIDManager();
-  Service._clusterManager = Service.identity.createClusterManager(Service);
-
-  // None of the failures in this file should result in a UI error.
-  function onUIError() {
-    do_throw("Errors should not be presented in the UI.");
-  }
-  Svc.Obs.add("weave:ui:login:error", onUIError);
-  Svc.Obs.add("weave:ui:sync:error", onUIError);
-
-  run_next_test();
-}
-
-
-// API-compatible with SyncServer handler. Bind `handler` to something to use
-// as a ServerCollection handler.
-function handleReassign(handler, req, resp) {
-  resp.setStatusLine(req.httpVersion, 401, "Node reassignment");
-  resp.setHeader("Content-Type", "application/json");
-  let reassignBody = JSON.stringify({error: "401inator in place"});
-  resp.bodyOutputStream.write(reassignBody, reassignBody.length);
-}
-
-var numTokenRequests = 0;
-
-function prepareServer(cbAfterTokenFetch) {
-  let config = makeIdentityConfig({username: "johndoe"});
-  // A server callback to ensure we don't accidentally hit the wrong endpoint
-  // after a node reassignment.
-  let callback = {
-    __proto__: SyncServerCallback,
-    onRequest(req, resp) {
-      let full = `${req.scheme}://${req.host}:${req.port}${req.path}`;
-      do_check_true(full.startsWith(config.fxaccount.token.endpoint),
-                    `request made to ${full}`);
-    }
-  }
-  let server = new SyncServer(callback);
-  server.registerUser("johndoe");
-  server.start();
-
-  // Set the token endpoint for the initial token request that's done implicitly
-  // via configureIdentity.
-  config.fxaccount.token.endpoint = server.baseURI + "1.1/johndoe/";
-  // And future token fetches will do magic around numReassigns.
-  let numReassigns = 0;
-  return configureIdentity(config).then(() => {
-    Service.identity._tokenServerClient = {
-      getTokenFromBrowserIDAssertion: function(uri, assertion, cb) {
-        // Build a new URL with trailing zeros for the SYNC_VERSION part - this
-        // will still be seen as equivalent by the test server, but different
-        // by sync itself.
-        numReassigns += 1;
-        let trailingZeros = new Array(numReassigns + 1).join('0');
-        let token = config.fxaccount.token;
-        token.endpoint = server.baseURI + "1.1" + trailingZeros + "/johndoe";
-        token.uid = config.username;
-        numTokenRequests += 1;
-        cb(null, token);
-        if (cbAfterTokenFetch) {
-          cbAfterTokenFetch();
-        }
-      },
-    };
-    return server;
-  });
-}
-
-function getReassigned() {
-  try {
-    return Services.prefs.getBoolPref("services.sync.lastSyncReassigned");
-  } catch (ex) {
-    if (ex.result == Cr.NS_ERROR_UNEXPECTED) {
-      return false;
-    }
-    do_throw("Got exception retrieving lastSyncReassigned: " +
-             Log.exceptionStr(ex));
-  }
-}
-
-/**
- * Make a test request to `url`, then watch the result of two syncs
- * to ensure that a node request was made.
- * Runs `between` between the two. This can be used to undo deliberate failure
- * setup, detach observers, etc.
- */
-function* syncAndExpectNodeReassignment(server, firstNotification, between,
-                                       secondNotification, url) {
-  _("Starting syncAndExpectNodeReassignment\n");
-  let deferred = Promise.defer();
-  function onwards() {
-    let numTokenRequestsBefore;
-    function onFirstSync() {
-      _("First sync completed.");
-      Svc.Obs.remove(firstNotification, onFirstSync);
-      Svc.Obs.add(secondNotification, onSecondSync);
-
-      do_check_eq(Service.clusterURL, "");
-
-      // Track whether we fetched a new token.
-      numTokenRequestsBefore = numTokenRequests;
-
-      // Allow for tests to clean up error conditions.
-      between();
-    }
-    function onSecondSync() {
-      _("Second sync completed.");
-      Svc.Obs.remove(secondNotification, onSecondSync);
-      Service.scheduler.clearSyncTriggers();
-
-      // Make absolutely sure that any event listeners are done with their work
-      // before we proceed.
-      waitForZeroTimer(function () {
-        _("Second sync nextTick.");
-        do_check_eq(numTokenRequests, numTokenRequestsBefore + 1, "fetched a new token");
-        Service.startOver();
-        server.stop(deferred.resolve);
-      });
-    }
-
-    Svc.Obs.add(firstNotification, onFirstSync);
-    Service.sync();
-  }
-
-  // Make sure that we really do get a 401 (but we can only do that if we are
-  // already logged in, as the login process is what sets up the URLs)
-  if (Service.isLoggedIn) {
-    _("Making request to " + url + " which should 401");
-    let request = new RESTRequest(url);
-    request.get(function () {
-      do_check_eq(request.response.status, 401);
-      Utils.nextTick(onwards);
-    });
-  } else {
-    _("Skipping preliminary validation check for a 401 as we aren't logged in");
-    Utils.nextTick(onwards);
-  }
-  yield deferred.promise;
-}
-
-// Check that when we sync we don't request a new token by default - our
-// test setup has configured the client with a valid token, and that token
-// should be used to form the cluster URL.
-add_task(function* test_single_token_fetch() {
-  _("Test a normal sync only fetches 1 token");
-
-  let numTokenFetches = 0;
-
-  function afterTokenFetch() {
-    numTokenFetches++;
-  }
-
-  // Set the cluster URL to an "old" version - this is to ensure we don't
-  // use that old cached version for the first sync but prefer the value
-  // we got from the token (and as above, we are also checking we don't grab
-  // a new token). If the test actually attempts to connect to this URL
-  // it will crash.
-  Service.clusterURL = "http://example.com/";
-
-  let server = yield prepareServer(afterTokenFetch);
-
-  do_check_false(Service.isLoggedIn, "not already logged in");
-  Service.sync();
-  do_check_eq(Status.sync, SYNC_SUCCEEDED, "sync succeeded");
-  do_check_eq(numTokenFetches, 0, "didn't fetch a new token");
-  // A bit hacky, but given we know how prepareServer works we can deduce
-  // that clusterURL we expect.
-  let expectedClusterURL = server.baseURI + "1.1/johndoe/";
-  do_check_eq(Service.clusterURL, expectedClusterURL);
-  yield new Promise(resolve => server.stop(resolve));
-});
-
-add_task(function* test_momentary_401_engine() {
-  _("Test a failure for engine URLs that's resolved by reassignment.");
-  let server = yield prepareServer();
-  let john   = server.user("johndoe");
-
-  _("Enabling the Rotary engine.");
-  let engine = Service.engineManager.get("rotary");
-  engine.enabled = true;
-
-  // We need the server to be correctly set up prior to experimenting. Do this
-  // through a sync.
-  let global = {syncID: Service.syncID,
-                storageVersion: STORAGE_VERSION,
-                rotary: {version: engine.version,
-                         syncID:  engine.syncID}}
-  john.createCollection("meta").insert("global", global);
-
-  _("First sync to prepare server contents.");
-  Service.sync();
-
-  _("Setting up Rotary collection to 401.");
-  let rotary = john.createCollection("rotary");
-  let oldHandler = rotary.collectionHandler;
-  rotary.collectionHandler = handleReassign.bind(this, undefined);
-
-  // We want to verify that the clusterURL pref has been cleared after a 401
-  // inside a sync. Flag the Rotary engine to need syncing.
-  john.collection("rotary").timestamp += 1000;
-
-  function between() {
-    _("Undoing test changes.");
-    rotary.collectionHandler = oldHandler;
-
-    function onLoginStart() {
-      // lastSyncReassigned shouldn't be cleared until a sync has succeeded.
-      _("Ensuring that lastSyncReassigned is still set at next sync start.");
-      Svc.Obs.remove("weave:service:login:start", onLoginStart);
-      do_check_true(getReassigned());
-    }
-
-    _("Adding observer that lastSyncReassigned is still set on login.");
-    Svc.Obs.add("weave:service:login:start", onLoginStart);
-  }
-
-  yield syncAndExpectNodeReassignment(server,
-                                      "weave:service:sync:finish",
-                                      between,
-                                      "weave:service:sync:finish",
-                                      Service.storageURL + "rotary");
-});
-
-// This test ends up being a failing info fetch *after we're already logged in*.
-add_task(function* test_momentary_401_info_collections_loggedin() {
-  _("Test a failure for info/collections after login that's resolved by reassignment.");
-  let server = yield prepareServer();
-
-  _("First sync to prepare server contents.");
-  Service.sync();
-
-  _("Arrange for info/collections to return a 401.");
-  let oldHandler = server.toplevelHandlers.info;
-  server.toplevelHandlers.info = handleReassign;
-
-  function undo() {
-    _("Undoing test changes.");
-    server.toplevelHandlers.info = oldHandler;
-  }
-
-  do_check_true(Service.isLoggedIn, "already logged in");
-
-  yield syncAndExpectNodeReassignment(server,
-                                      "weave:service:sync:error",
-                                      undo,
-                                      "weave:service:sync:finish",
-                                      Service.infoURL);
-});
-
-// This test ends up being a failing info fetch *before we're logged in*.
-// In this case we expect to recover during the login phase - so the first
-// sync succeeds.
-add_task(function* test_momentary_401_info_collections_loggedout() {
-  _("Test a failure for info/collections before login that's resolved by reassignment.");
-
-  let oldHandler;
-  let sawTokenFetch = false;
-
-  function afterTokenFetch() {
-    // After a single token fetch, we undo our evil handleReassign hack, so
-    // the next /info request returns the collection instead of a 401
-    server.toplevelHandlers.info = oldHandler;
-    sawTokenFetch = true;
-  }
-
-  let server = yield prepareServer(afterTokenFetch);
-
-  // Return a 401 for the next /info request - it will be reset immediately
-  // after a new token is fetched.
-  oldHandler = server.toplevelHandlers.info
-  server.toplevelHandlers.info = handleReassign;
-
-  do_check_false(Service.isLoggedIn, "not already logged in");
-
-  Service.sync();
-  do_check_eq(Status.sync, SYNC_SUCCEEDED, "sync succeeded");
-  // sync was successful - check we grabbed a new token.
-  do_check_true(sawTokenFetch, "a new token was fetched by this test.")
-  // and we are done.
-  Service.startOver();
-  let deferred = Promise.defer();
-  server.stop(deferred.resolve);
-  yield deferred.promise;
-});
-
-// This test ends up being a failing meta/global fetch *after we're already logged in*.
-add_task(function* test_momentary_401_storage_loggedin() {
-  _("Test a failure for any storage URL after login that's resolved by" +
-    "reassignment.");
-  let server = yield prepareServer();
-
-  _("First sync to prepare server contents.");
-  Service.sync();
-
-  _("Arrange for meta/global to return a 401.");
-  let oldHandler = server.toplevelHandlers.storage;
-  server.toplevelHandlers.storage = handleReassign;
-
-  function undo() {
-    _("Undoing test changes.");
-    server.toplevelHandlers.storage = oldHandler;
-  }
-
-  do_check_true(Service.isLoggedIn, "already logged in");
-
-  yield syncAndExpectNodeReassignment(server,
-                                      "weave:service:sync:error",
-                                      undo,
-                                      "weave:service:sync:finish",
-                                      Service.storageURL + "meta/global");
-});
-
-// This test ends up being a failing meta/global fetch *before we've logged in*.
-add_task(function* test_momentary_401_storage_loggedout() {
-  _("Test a failure for any storage URL before login, not just engine parts. " +
-    "Resolved by reassignment.");
-  let server = yield prepareServer();
-
-  // Return a 401 for all storage requests.
-  let oldHandler = server.toplevelHandlers.storage;
-  server.toplevelHandlers.storage = handleReassign;
-
-  function undo() {
-    _("Undoing test changes.");
-    server.toplevelHandlers.storage = oldHandler;
-  }
-
-  do_check_false(Service.isLoggedIn, "already logged in");
-
-  yield syncAndExpectNodeReassignment(server,
-                                      "weave:service:login:error",
-                                      undo,
-                                      "weave:service:sync:finish",
-                                      Service.storageURL + "meta/global");
-});
+/* Any copyright is dedicated to the Public Domain.

+   http://creativecommons.org/publicdomain/zero/1.0/ */

+

+_("Test that node reassignment happens correctly using the FxA identity mgr.");

+// The node-reassignment logic is quite different for FxA than for the legacy

+// provider.  In particular, there's no special request necessary for

+// reassignment - it comes from the token server - so we need to ensure the

+// Fxa cluster manager grabs a new token.

+

+Cu.import("resource://gre/modules/Log.jsm");

+Cu.import("resource://services-common/rest.js");

+Cu.import("resource://services-sync/constants.js");

+Cu.import("resource://services-sync/service.js");

+Cu.import("resource://services-sync/status.js");

+Cu.import("resource://services-sync/util.js");

+Cu.import("resource://testing-common/services/sync/rotaryengine.js");

+Cu.import("resource://services-sync/browserid_identity.js");

+Cu.import("resource://testing-common/services/sync/utils.js");

+

+Service.engineManager.clear();

+

+function run_test() {

+  Log.repository.getLogger("Sync.AsyncResource").level = Log.Level.Trace;

+  Log.repository.getLogger("Sync.ErrorHandler").level  = Log.Level.Trace;

+  Log.repository.getLogger("Sync.Resource").level      = Log.Level.Trace;

+  Log.repository.getLogger("Sync.RESTRequest").level   = Log.Level.Trace;

+  Log.repository.getLogger("Sync.Service").level       = Log.Level.Trace;

+  Log.repository.getLogger("Sync.SyncScheduler").level = Log.Level.Trace;

+  initTestLogging();

+

+  Service.engineManager.register(RotaryEngine);

+

+  // Setup the FxA identity manager and cluster manager.

+  Status.__authManager = Service.identity = new BrowserIDManager();

+  Service._clusterManager = Service.identity.createClusterManager(Service);

+

+  // None of the failures in this file should result in a UI error.

+  function onUIError() {

+    do_throw("Errors should not be presented in the UI.");

+  }

+  Svc.Obs.add("weave:ui:login:error", onUIError);

+  Svc.Obs.add("weave:ui:sync:error", onUIError);

+

+  run_next_test();

+}

+

+

+// API-compatible with SyncServer handler. Bind `handler` to something to use

+// as a ServerCollection handler.

+function handleReassign(handler, req, resp) {

+  resp.setStatusLine(req.httpVersion, 401, "Node reassignment");

+  resp.setHeader("Content-Type", "application/json");

+  let reassignBody = JSON.stringify({error: "401inator in place"});

+  resp.bodyOutputStream.write(reassignBody, reassignBody.length);

+}

+

+let numTokenRequests = 0;

+

+function prepareServer(cbAfterTokenFetch) {

+  let config = makeIdentityConfig({username: "johndoe"});

+  let server = new SyncServer();

+  server.registerUser("johndoe");

+  server.start();

+

+  // Set the token endpoint for the initial token request that's done implicitly

+  // via configureIdentity.

+  config.fxaccount.token.endpoint = server.baseURI + "1.1/johndoe";

+  // And future token fetches will do magic around numReassigns.

+  let numReassigns = 0;

+  return configureIdentity(config).then(() => {

+    Service.identity._tokenServerClient = {

+      getTokenFromBrowserIDAssertion: function(uri, assertion, cb) {

+        // Build a new URL with trailing zeros for the SYNC_VERSION part - this

+        // will still be seen as equivalent by the test server, but different

+        // by sync itself.

+        numReassigns += 1;

+        let trailingZeros = new Array(numReassigns + 1).join('0');

+        let token = config.fxaccount.token;

+        token.endpoint = server.baseURI + "1.1" + trailingZeros + "/johndoe";

+        token.uid = config.username;

+        numTokenRequests += 1;

+        cb(null, token);

+        if (cbAfterTokenFetch) {

+          cbAfterTokenFetch();

+        }

+      },

+    };

+    Service.clusterURL = config.fxaccount.token.endpoint;

+    return server;

+  });

+}

+

+function getReassigned() {

+  try {

+    return Services.prefs.getBoolPref("services.sync.lastSyncReassigned");

+  } catch (ex if (ex.result == Cr.NS_ERROR_UNEXPECTED)) {

+    return false;

+  } catch (ex) {

+    do_throw("Got exception retrieving lastSyncReassigned: " +

+             Utils.exceptionStr(ex));

+  }

+}

+

+/**

+ * Make a test request to `url`, then watch the result of two syncs

+ * to ensure that a node request was made.

+ * Runs `between` between the two. This can be used to undo deliberate failure

+ * setup, detach observers, etc.

+ */

+function syncAndExpectNodeReassignment(server, firstNotification, between,

+                                       secondNotification, url) {

+  _("Starting syncAndExpectNodeReassignment\n");

+  let deferred = Promise.defer();

+  function onwards() {

+    let numTokenRequestsBefore;

+    function onFirstSync() {

+      _("First sync completed.");

+      Svc.Obs.remove(firstNotification, onFirstSync);

+      Svc.Obs.add(secondNotification, onSecondSync);

+

+      do_check_eq(Service.clusterURL, "");

+

+      // Track whether we fetched a new token.

+      numTokenRequestsBefore = numTokenRequests;

+

+      // Allow for tests to clean up error conditions.

+      between();

+    }

+    function onSecondSync() {

+      _("Second sync completed.");

+      Svc.Obs.remove(secondNotification, onSecondSync);

+      Service.scheduler.clearSyncTriggers();

+

+      // Make absolutely sure that any event listeners are done with their work

+      // before we proceed.

+      waitForZeroTimer(function () {

+        _("Second sync nextTick.");

+        do_check_eq(numTokenRequests, numTokenRequestsBefore + 1, "fetched a new token");

+        Service.startOver();

+        server.stop(deferred.resolve);

+      });

+    }

+

+    Svc.Obs.add(firstNotification, onFirstSync);

+    Service.sync();

+  }

+

+  // Make sure that it works!

+  _("Making request to " + url + " which should 401");

+  let request = new RESTRequest(url);

+  request.get(function () {

+    do_check_eq(request.response.status, 401);

+    Utils.nextTick(onwards);

+  });

+  yield deferred.promise;

+}

+

+add_task(function test_momentary_401_engine() {

+  _("Test a failure for engine URLs that's resolved by reassignment.");

+  let server = yield prepareServer();

+  let john   = server.user("johndoe");

+

+  _("Enabling the Rotary engine.");

+  let engine = Service.engineManager.get("rotary");

+  engine.enabled = true;

+

+  // We need the server to be correctly set up prior to experimenting. Do this

+  // through a sync.

+  let global = {syncID: Service.syncID,

+                storageVersion: STORAGE_VERSION,

+                rotary: {version: engine.version,

+                         syncID:  engine.syncID}}

+  john.createCollection("meta").insert("global", global);

+

+  _("First sync to prepare server contents.");

+  Service.sync();

+

+  _("Setting up Rotary collection to 401.");

+  let rotary = john.createCollection("rotary");

+  let oldHandler = rotary.collectionHandler;

+  rotary.collectionHandler = handleReassign.bind(this, undefined);

+

+  // We want to verify that the clusterURL pref has been cleared after a 401

+  // inside a sync. Flag the Rotary engine to need syncing.

+  john.collection("rotary").timestamp += 1000;

+

+  function between() {

+    _("Undoing test changes.");

+    rotary.collectionHandler = oldHandler;

+

+    function onLoginStart() {

+      // lastSyncReassigned shouldn't be cleared until a sync has succeeded.

+      _("Ensuring that lastSyncReassigned is still set at next sync start.");

+      Svc.Obs.remove("weave:service:login:start", onLoginStart);

+      do_check_true(getReassigned());

+    }

+

+    _("Adding observer that lastSyncReassigned is still set on login.");

+    Svc.Obs.add("weave:service:login:start", onLoginStart);

+  }

+

+  yield syncAndExpectNodeReassignment(server,

+                                      "weave:service:sync:finish",

+                                      between,

+                                      "weave:service:sync:finish",

+                                      Service.storageURL + "rotary");

+});

+

+// This test ends up being a failing info fetch *after we're already logged in*.

+add_task(function test_momentary_401_info_collections_loggedin() {

+  _("Test a failure for info/collections after login that's resolved by reassignment.");

+  let server = yield prepareServer();

+

+  _("First sync to prepare server contents.");

+  Service.sync();

+

+  _("Arrange for info/collections to return a 401.");

+  let oldHandler = server.toplevelHandlers.info;

+  server.toplevelHandlers.info = handleReassign;

+

+  function undo() {

+    _("Undoing test changes.");

+    server.toplevelHandlers.info = oldHandler;

+  }

+

+  do_check_true(Service.isLoggedIn, "already logged in");

+

+  yield syncAndExpectNodeReassignment(server,

+                                      "weave:service:sync:error",

+                                      undo,

+                                      "weave:service:sync:finish",

+                                      Service.infoURL);

+});

+

+// This test ends up being a failing info fetch *before we're logged in*.

+// In this case we expect to recover during the login phase - so the first

+// sync succeeds.

+add_task(function test_momentary_401_info_collections_loggedout() {

+  _("Test a failure for info/collections before login that's resolved by reassignment.");

+

+  let oldHandler;

+  let sawTokenFetch = false;

+

+  function afterTokenFetch() {

+    // After a single token fetch, we undo our evil handleReassign hack, so

+    // the next /info request returns the collection instead of a 401

+    server.toplevelHandlers.info = oldHandler;

+    sawTokenFetch = true;

+  }

+

+  let server = yield prepareServer(afterTokenFetch);

+

+  // Return a 401 for the next /info request - it will be reset immediately

+  // after a new token is fetched.

+  oldHandler = server.toplevelHandlers.info

+  server.toplevelHandlers.info = handleReassign;

+

+  do_check_false(Service.isLoggedIn, "not already logged in");

+

+  Service.sync();

+  do_check_eq(Status.sync, SYNC_SUCCEEDED, "sync succeeded");

+  // sync was successful - check we grabbed a new token.

+  do_check_true(sawTokenFetch, "a new token was fetched by this test.")

+  // and we are done.

+  Service.startOver();

+  let deferred = Promise.defer();

+  server.stop(deferred.resolve);

+  yield deferred.promise;

+});

+

+// This test ends up being a failing meta/global fetch *after we're already logged in*.

+add_task(function test_momentary_401_storage_loggedin() {

+  _("Test a failure for any storage URL after login that's resolved by" +

+    "reassignment.");

+  let server = yield prepareServer();

+

+  _("First sync to prepare server contents.");

+  Service.sync();

+

+  _("Arrange for meta/global to return a 401.");

+  let oldHandler = server.toplevelHandlers.storage;

+  server.toplevelHandlers.storage = handleReassign;

+

+  function undo() {

+    _("Undoing test changes.");

+    server.toplevelHandlers.storage = oldHandler;

+  }

+

+  do_check_true(Service.isLoggedIn, "already logged in");

+

+  yield syncAndExpectNodeReassignment(server,

+                                      "weave:service:sync:error",

+                                      undo,

+                                      "weave:service:sync:finish",

+                                      Service.storageURL + "meta/global");

+});

+

+// This test ends up being a failing meta/global fetch *before we've logged in*.

+add_task(function test_momentary_401_storage_loggedout() {

+  _("Test a failure for any storage URL before login, not just engine parts. " +

+    "Resolved by reassignment.");

+  let server = yield prepareServer();

+

+  // Return a 401 for all storage requests.

+  let oldHandler = server.toplevelHandlers.storage;

+  server.toplevelHandlers.storage = handleReassign;

+

+  function undo() {

+    _("Undoing test changes.");

+    server.toplevelHandlers.storage = oldHandler;

+  }

+

+  do_check_false(Service.isLoggedIn, "already logged in");

+

+  yield syncAndExpectNodeReassignment(server,

+                                      "weave:service:login:error",

+                                      undo,

+                                      "weave:service:sync:finish",

+                                      Service.storageURL + "meta/global");

+});

+

diff --git a/services/sync/tests/unit/test_fxa_service_cluster.js b/services/sync/tests/unit/test_fxa_service_cluster.js
index b4f83a7fe6..f6f97184a9 100644
--- a/services/sync/tests/unit/test_fxa_service_cluster.js
+++ b/services/sync/tests/unit/test_fxa_service_cluster.js
@@ -1,68 +1,68 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://testing-common/services/sync/fxa_utils.js");
-Cu.import("resource://testing-common/services/sync/utils.js");
-
-add_task(function* test_findCluster() {
-  _("Test FxA _findCluster()");
-
-  _("_findCluster() throws on 500 errors.");
-  initializeIdentityWithTokenServerResponse({
-    status: 500,
-    headers: [],
-    body: "",
-  });
-
-  yield Service.identity.initializeWithCurrentIdentity();
-  yield Assert.rejects(Service.identity.whenReadyToAuthenticate.promise,
-                       "should reject due to 500");
-
-  Assert.throws(function() {
-    Service._clusterManager._findCluster();
-  });
-
-  _("_findCluster() returns null on authentication errors.");
-  initializeIdentityWithTokenServerResponse({
-    status: 401,
-    headers: {"content-type": "application/json"},
-    body: "{}",
-  });
-
-  yield Service.identity.initializeWithCurrentIdentity();
-  yield Assert.rejects(Service.identity.whenReadyToAuthenticate.promise,
-                       "should reject due to 401");
-
-  cluster = Service._clusterManager._findCluster();
-  Assert.strictEqual(cluster, null);
-
-  _("_findCluster() works with correct tokenserver response.");
-  let endpoint = "http://example.com/something";
-  initializeIdentityWithTokenServerResponse({
-    status: 200,
-    headers: {"content-type": "application/json"},
-    body:
-      JSON.stringify({
-        api_endpoint: endpoint,
-        duration: 300,
-        id: "id",
-        key: "key",
-        uid: "uid",
-      })
-  });
-
-  yield Service.identity.initializeWithCurrentIdentity();
-  yield Service.identity.whenReadyToAuthenticate.promise;
-  cluster = Service._clusterManager._findCluster();
-  // The cluster manager ensures a trailing "/"
-  Assert.strictEqual(cluster, endpoint + "/");
-
-  Svc.Prefs.resetBranch("");
-});
-
-function run_test() {
-  initTestLogging();
-  run_next_test();
-}
+/* Any copyright is dedicated to the Public Domain.

+   http://creativecommons.org/publicdomain/zero/1.0/ */

+

+Cu.import("resource://services-sync/service.js");

+Cu.import("resource://services-sync/util.js");

+Cu.import("resource://testing-common/services/sync/fxa_utils.js");

+Cu.import("resource://testing-common/services/sync/utils.js");

+

+add_task(function test_findCluster() {

+  _("Test FxA _findCluster()");

+

+  _("_findCluster() throws on 500 errors.");

+  initializeIdentityWithTokenServerResponse({

+    status: 500,

+    headers: [],

+    body: "",

+  });

+

+  yield Service.identity.initializeWithCurrentIdentity();

+  yield Assert.rejects(Service.identity.whenReadyToAuthenticate.promise,

+                       "should reject due to 500");

+

+  Assert.throws(function() {

+    Service._clusterManager._findCluster();

+  });

+

+  _("_findCluster() returns null on authentication errors.");

+  initializeIdentityWithTokenServerResponse({

+    status: 401,

+    headers: {"content-type": "application/json"},

+    body: "{}",

+  });

+

+  yield Service.identity.initializeWithCurrentIdentity();

+  yield Assert.rejects(Service.identity.whenReadyToAuthenticate.promise,

+                       "should reject due to 401");

+

+  cluster = Service._clusterManager._findCluster();

+  Assert.strictEqual(cluster, null);

+

+  _("_findCluster() works with correct tokenserver response.");

+  let endpoint = "http://example.com/something";

+  initializeIdentityWithTokenServerResponse({

+    status: 200,

+    headers: {"content-type": "application/json"},

+    body:

+      JSON.stringify({

+        api_endpoint: endpoint,

+        duration: 300,

+        id: "id",

+        key: "key",

+        uid: "uid",

+      })

+  });

+

+  yield Service.identity.initializeWithCurrentIdentity();

+  yield Service.identity.whenReadyToAuthenticate.promise;

+  cluster = Service._clusterManager._findCluster();

+  // The cluster manager ensures a trailing "/"

+  Assert.strictEqual(cluster, endpoint + "/");

+

+  Svc.Prefs.resetBranch("");

+});

+

+function run_test() {

+  initTestLogging();

+  run_next_test();

+}

diff --git a/services/sync/tests/unit/test_fxa_startOver.js b/services/sync/tests/unit/test_fxa_startOver.js
index 6293796484..e27d86ea00 100644
--- a/services/sync/tests/unit/test_fxa_startOver.js
+++ b/services/sync/tests/unit/test_fxa_startOver.js
@@ -1,63 +1,63 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Cu.import("resource://testing-common/services/sync/utils.js");
-Cu.import("resource://services-sync/identity.js");
-Cu.import("resource://services-sync/browserid_identity.js");
-Cu.import("resource://services-sync/service.js");
-
-function run_test() {
-  initTestLogging("Trace");
-  run_next_test();
-}
-
-add_task(function* test_startover() {
-  let oldValue = Services.prefs.getBoolPref("services.sync-testing.startOverKeepIdentity", true);
-  Services.prefs.setBoolPref("services.sync-testing.startOverKeepIdentity", false);
-
-  ensureLegacyIdentityManager();
-  yield configureIdentity({username: "johndoe"});
-
-  // The boolean flag on the xpcom service should reflect a legacy provider.
-  let xps = Cc["@mozilla.org/weave/service;1"]
-            .getService(Components.interfaces.nsISupports)
-            .wrappedJSObject;
-  do_check_false(xps.fxAccountsEnabled);
-
-  // we expect the "legacy" provider (but can't instanceof that, as BrowserIDManager
-  // extends it)
-  do_check_false(Service.identity instanceof BrowserIDManager);
-
-  Service.serverURL = "https://localhost/";
-  Service.clusterURL = Service.serverURL;
-
-  Service.login();
-  // We should have a cluster URL
-  do_check_true(Service.clusterURL.length > 0);
-
-  // remember some stuff so we can reset it after.
-  let oldIdentity = Service.identity;
-  let oldClusterManager = Service._clusterManager;
-  let deferred = Promise.defer();
-  Services.obs.addObserver(function observeStartOverFinished() {
-    Services.obs.removeObserver(observeStartOverFinished, "weave:service:start-over:finish");
-    deferred.resolve();
-  }, "weave:service:start-over:finish", false);
-
-  Service.startOver();
-  yield deferred.promise; // wait for the observer to fire.
-
-  // the xpcom service should indicate FxA is enabled.
-  do_check_true(xps.fxAccountsEnabled);
-  // should have swapped identities.
-  do_check_true(Service.identity instanceof BrowserIDManager);
-  // should have clobbered the cluster URL
-  do_check_eq(Service.clusterURL, "");
-
-  // we should have thrown away the old identity provider and cluster manager.
-  do_check_neq(oldIdentity, Service.identity);
-  do_check_neq(oldClusterManager, Service._clusterManager);
-
-  // reset the world.
-  Services.prefs.setBoolPref("services.sync-testing.startOverKeepIdentity", oldValue);
-});
+/* Any copyright is dedicated to the Public Domain.

+ * http://creativecommons.org/publicdomain/zero/1.0/ */

+

+Cu.import("resource://testing-common/services/sync/utils.js");

+Cu.import("resource://services-sync/identity.js");

+Cu.import("resource://services-sync/browserid_identity.js");

+Cu.import("resource://services-sync/service.js");

+

+function run_test() {

+  initTestLogging("Trace");

+  run_next_test();

+}

+

+add_task(function* test_startover() {

+  let oldValue = Services.prefs.getBoolPref("services.sync-testing.startOverKeepIdentity", true);

+  Services.prefs.setBoolPref("services.sync-testing.startOverKeepIdentity", false);

+

+  ensureLegacyIdentityManager();

+  yield configureIdentity({username: "johndoe"});

+

+  // The boolean flag on the xpcom service should reflect a legacy provider.

+  let xps = Cc["@mozilla.org/weave/service;1"]

+            .getService(Components.interfaces.nsISupports)

+            .wrappedJSObject;

+  do_check_false(xps.fxAccountsEnabled);

+

+  // we expect the "legacy" provider (but can't instanceof that, as BrowserIDManager

+  // extends it)

+  do_check_false(Service.identity instanceof BrowserIDManager);

+

+  Service.serverURL = "https://localhost/";

+  Service.clusterURL = Service.serverURL;

+

+  Service.login();

+  // We should have a cluster URL

+  do_check_true(Service.clusterURL.length > 0);

+

+  // remember some stuff so we can reset it after.

+  let oldIdentity = Service.identity;

+  let oldClusterManager = Service._clusterManager;

+  let deferred = Promise.defer();

+  Services.obs.addObserver(function observeStartOverFinished() {

+    Services.obs.removeObserver(observeStartOverFinished, "weave:service:start-over:finish");

+    deferred.resolve();

+  }, "weave:service:start-over:finish", false);

+

+  Service.startOver();

+  yield deferred.promise; // wait for the observer to fire.

+

+  // the xpcom service should indicate FxA is enabled.

+  do_check_true(xps.fxAccountsEnabled);

+  // should have swapped identities.

+  do_check_true(Service.identity instanceof BrowserIDManager);

+  // should have clobbered the cluster URL

+  do_check_eq(Service.clusterURL, "");

+

+  // we should have thrown away the old identity provider and cluster manager.

+  do_check_neq(oldIdentity, Service.identity);

+  do_check_neq(oldClusterManager, Service._clusterManager);

+

+  // reset the world.

+  Services.prefs.setBoolPref("services.sync-testing.startOverKeepIdentity", oldValue);

+});

diff --git a/services/sync/tests/unit/test_history_store.js b/services/sync/tests/unit/test_history_store.js
index 207b621e07..2381f103d5 100644
--- a/services/sync/tests/unit/test_history_store.js
+++ b/services/sync/tests/unit/test_history_store.js
@@ -68,12 +68,12 @@ function ensureThrows(func) {
   };
 }
 
-var store = new HistoryEngine(Service)._store;
+let store = new HistoryEngine(Service)._store;
 function applyEnsureNoFailures(records) {
   do_check_eq(store.applyIncomingBatch(records).length, 0);
 }
 
-var fxuri, fxguid, tburi, tbguid;
+let fxuri, fxguid, tburi, tbguid;
 
 function run_test() {
   initTestLogging("Trace");
@@ -189,8 +189,8 @@ add_test(function test_invalid_records() {
                               .DBConnection;
   let stmt = connection.createAsyncStatement(
     "INSERT INTO moz_places "
-  + "(url, url_hash, title, rev_host, visit_count, last_visit_date) "
-  + "VALUES ('invalid-uri', hash('invalid-uri'), 'Invalid URI', '.', 1, " + TIMESTAMP3 + ")"
+  + "(url, title, rev_host, visit_count, last_visit_date) "
+  + "VALUES ('invalid-uri', 'Invalid URI', '.', 1, " + TIMESTAMP3 + ")"
   );
   Async.querySpinningly(stmt);
   stmt.finalize();
@@ -198,7 +198,7 @@ add_test(function test_invalid_records() {
   stmt = connection.createAsyncStatement(
     "INSERT INTO moz_historyvisits "
   + "(place_id, visit_date, visit_type, session) "
-  + "VALUES ((SELECT id FROM moz_places WHERE url_hash = hash('invalid-uri') AND url = 'invalid-uri'), "
+  + "VALUES ((SELECT id FROM moz_places WHERE url = 'invalid-uri'), "
   + TIMESTAMP3 + ", " + Ci.nsINavHistoryService.TRANSITION_TYPED + ", 1)"
   );
   Async.querySpinningly(stmt);
@@ -226,7 +226,7 @@ add_test(function test_invalid_records() {
                type: Ci.nsINavHistoryService.TRANSITION_EMBED}]}
   ]);
 
-  _("Make sure we handle records with invalid visit codes or visit dates, gracefully ignoring those visits.");
+  _("Make sure we report records with invalid visits, gracefully handle non-integer dates.");
   let no_date_visit_guid = Utils.makeGUID();
   let no_type_visit_guid = Utils.makeGUID();
   let invalid_type_visit_guid = Utils.makeGUID();
@@ -235,11 +235,11 @@ add_test(function test_invalid_records() {
     {id: no_date_visit_guid,
      histUri: "http://no.date.visit/",
      title: "Visit has no date",
-     visits: [{type: Ci.nsINavHistoryService.TRANSITION_EMBED}]},
+     visits: [{date: TIMESTAMP3}]},
     {id: no_type_visit_guid,
      histUri: "http://no.type.visit/",
      title: "Visit has no type",
-     visits: [{date: TIMESTAMP3}]},
+     visits: [{type: Ci.nsINavHistoryService.TRANSITION_EMBED}]},
     {id: invalid_type_visit_guid,
      histUri: "http://invalid.type.visit/",
      title: "Visit has invalid type",
@@ -251,7 +251,14 @@ add_test(function test_invalid_records() {
      visits: [{date: 1234.567,
                type: Ci.nsINavHistoryService.TRANSITION_EMBED}]}
   ]);
-  do_check_eq(failed.length, 0);
+  do_check_eq(failed.length, 3);
+  failed.sort();
+  let expected = [no_date_visit_guid,
+                  no_type_visit_guid,
+                  invalid_type_visit_guid].sort();
+  for (let i = 0; i < expected.length; i++) {
+    do_check_eq(failed[i], expected[i]);
+  }
 
   _("Make sure we handle records with javascript: URLs gracefully.");
   applyEnsureNoFailures([
diff --git a/services/sync/tests/unit/test_history_tracker.js b/services/sync/tests/unit/test_history_tracker.js
index 5ed022fb0a..ca1090b790 100644
--- a/services/sync/tests/unit/test_history_tracker.js
+++ b/services/sync/tests/unit/test_history_tracker.js
@@ -22,13 +22,13 @@ function onScoreUpdated(callback) {
 
 Service.engineManager.clear();
 Service.engineManager.register(HistoryEngine);
-var engine = Service.engineManager.get("history");
-var tracker = engine._tracker;
+let engine = Service.engineManager.get("history");
+let tracker = engine._tracker;
 
 // Don't write out by default.
 tracker.persistChangedIDs = false;
 
-var _counter = 0;
+let _counter = 0;
 function addVisit() {
   let uriString = "http://getfirefox.com/" + _counter++;
   let uri = Utils.makeURI(uriString);
diff --git a/services/sync/tests/unit/test_hmac_error.js b/services/sync/tests/unit/test_hmac_error.js
index 272c0de470..e41ff37974 100644
--- a/services/sync/tests/unit/test_hmac_error.js
+++ b/services/sync/tests/unit/test_hmac_error.js
@@ -8,7 +8,7 @@ Cu.import("resource://testing-common/services/sync/rotaryengine.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 
 // Track HMAC error counts.
-var hmacErrorCount = 0;
+let hmacErrorCount = 0;
 (function () {
   let hHE = Service.handleHMACEvent;
   Service.handleHMACEvent = function () {
@@ -49,7 +49,7 @@ function shared_setup() {
   return [engine, rotaryColl, clientsColl, keysWBO, global];
 }
 
-add_task(function *hmac_error_during_404() {
+add_test(function hmac_error_during_404() {
   _("Attempt to replicate the HMAC error setup.");
   let [engine, rotaryColl, clientsColl, keysWBO, global] = shared_setup();
 
@@ -83,14 +83,13 @@ add_task(function *hmac_error_during_404() {
 
   try {
     _("Syncing.");
-    yield sync_and_validate_telem();
-
+    Service.sync();
     _("Partially resetting client, as if after a restart, and forcing redownload.");
     Service.collectionKeys.clear();
     engine.lastSync = 0;        // So that we redownload records.
     key404Counter = 1;
     _("---------------------------");
-    yield sync_and_validate_telem();
+    Service.sync();
     _("---------------------------");
 
     // Two rotary items, one client record... no errors.
@@ -98,7 +97,7 @@ add_task(function *hmac_error_during_404() {
   } finally {
     Svc.Prefs.resetBranch("");
     Service.recordManager.clearCache();
-    yield new Promise(resolve => server.stop(resolve));
+    server.stop(run_next_test);
   }
 });
 
diff --git a/services/sync/tests/unit/test_identity_manager.js b/services/sync/tests/unit/test_identity_manager.js
index 1ac198adee..97dace95f5 100644
--- a/services/sync/tests/unit/test_identity_manager.js
+++ b/services/sync/tests/unit/test_identity_manager.js
@@ -5,7 +5,7 @@ Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/identity.js");
 Cu.import("resource://services-sync/util.js");
 
-var identity = new IdentityManager();
+let identity = new IdentityManager();
 
 function run_test() {
   initTestLogging("Trace");
diff --git a/services/sync/tests/unit/test_interval_triggers.js b/services/sync/tests/unit/test_interval_triggers.js
index eca5ec2897..0f355e636e 100644
--- a/services/sync/tests/unit/test_interval_triggers.js
+++ b/services/sync/tests/unit/test_interval_triggers.js
@@ -10,13 +10,8 @@ Cu.import("resource://testing-common/services/sync/utils.js");
 Svc.DefaultPrefs.set("registerEngines", "");
 Cu.import("resource://services-sync/service.js");
 
-var scheduler = Service.scheduler;
-var clientsEngine = Service.clientsEngine;
-
-// Don't remove stale clients when syncing. This is a test-only workaround
-// that lets us add clients directly to the store, without losing them on
-// the next sync.
-clientsEngine._removeRemoteClient = id => {};
+let scheduler = Service.scheduler;
+let clientsEngine = Service.clientsEngine;
 
 function promiseStopServer(server) {
   let deferred = Promise.defer();
@@ -46,7 +41,7 @@ function sync_httpd_setup() {
   });
 }
 
-function* setUp(server) {
+function setUp(server) {
   yield configureIdentity({username: "johndoe"});
   Service.serverURL = server.baseURI + "/";
   Service.clusterURL = server.baseURI + "/";
@@ -65,7 +60,7 @@ function run_test() {
   run_next_test();
 }
 
-add_identity_test(this, function* test_successful_sync_adjustSyncInterval() {
+add_identity_test(this, function test_successful_sync_adjustSyncInterval() {
   _("Test successful sync calling adjustSyncInterval");
   let syncSuccesses = 0;
   function onSyncFinish() {
@@ -164,7 +159,7 @@ add_identity_test(this, function* test_successful_sync_adjustSyncInterval() {
   yield promiseStopServer(server);
 });
 
-add_identity_test(this, function* test_unsuccessful_sync_adjustSyncInterval() {
+add_identity_test(this, function test_unsuccessful_sync_adjustSyncInterval() {
   _("Test unsuccessful sync calling adjustSyncInterval");
 
   let syncFailures = 0;
@@ -269,7 +264,7 @@ add_identity_test(this, function* test_unsuccessful_sync_adjustSyncInterval() {
   yield promiseStopServer(server);
 });
 
-add_identity_test(this, function* test_back_triggers_sync() {
+add_identity_test(this, function test_back_triggers_sync() {
   let server = sync_httpd_setup();
   yield setUp(server);
 
@@ -301,7 +296,7 @@ add_identity_test(this, function* test_back_triggers_sync() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_adjust_interval_on_sync_error() {
+add_identity_test(this, function test_adjust_interval_on_sync_error() {
   let server = sync_httpd_setup();
   yield setUp(server);
 
@@ -332,7 +327,7 @@ add_identity_test(this, function* test_adjust_interval_on_sync_error() {
   yield promiseStopServer(server);
 });
 
-add_identity_test(this, function* test_bug671378_scenario() {
+add_identity_test(this, function test_bug671378_scenario() {
   // Test scenario similar to bug 671378. This bug appeared when a score
   // update occurred that wasn't large enough to trigger a sync so
   // scheduleNextSync() was called without a time interval parameter,
diff --git a/services/sync/tests/unit/test_jpakeclient.js b/services/sync/tests/unit/test_jpakeclient.js
index 783edb4603..ff13c5716f 100644
--- a/services/sync/tests/unit/test_jpakeclient.js
+++ b/services/sync/tests/unit/test_jpakeclient.js
@@ -38,8 +38,8 @@ function new_channel() {
   return cid;
 }
 
-var server;
-var channels = {};  // Map channel -> ServerChannel object
+let server;
+let channels = {};  // Map channel -> ServerChannel object
 function server_new_channel(request, response) {
   check_headers(request);
   let cid = new_channel();
@@ -48,7 +48,7 @@ function server_new_channel(request, response) {
   response.bodyOutputStream.write(body, body.length);
 }
 
-var error_report;
+let error_report;
 function server_report(request, response) {
   check_headers(request);
 
@@ -68,7 +68,7 @@ function server_report(request, response) {
 }
 
 // Hook for test code.
-var hooks = {};
+let hooks = {};
 function initHooks() {
   hooks.onGET = function onGET(request) {};
 }
@@ -146,7 +146,7 @@ ServerChannel.prototype = {
 /**
  * Controller that throws for everything.
  */
-var BaseController = {
+let BaseController = {
   displayPIN: function displayPIN() {
     do_throw("displayPIN() shouldn't have been called!");
   },
@@ -369,7 +369,7 @@ add_test(function test_wrongPIN() {
     displayPIN: function displayPIN(pin) {
       this.cid = pin.slice(JPAKE_LENGTH_SECRET);
       let secret = pin.slice(0, JPAKE_LENGTH_SECRET);
-      secret = Array.prototype.slice.call(secret).reverse().join("");
+      secret = [char for each (char in secret)].reverse().join("");
       let new_pin = secret + this.cid;
       _("Received PIN " + pin + ", but I'm entering " + new_pin);
 
diff --git a/services/sync/tests/unit/test_keys.js b/services/sync/tests/unit/test_keys.js
index a828b619cd..6a2fdd0273 100644
--- a/services/sync/tests/unit/test_keys.js
+++ b/services/sync/tests/unit/test_keys.js
@@ -7,7 +7,7 @@ Cu.import("resource://services-sync/keys.js");
 Cu.import("resource://services-sync/record.js");
 Cu.import("resource://services-sync/util.js");
 
-var collectionKeys = new CollectionKeyManager();
+let collectionKeys = new CollectionKeyManager();
 
 function sha256HMAC(message, key) {
   let h = Utils.makeHMACHasher(Ci.nsICryptoHMAC.SHA256, key);
diff --git a/services/sync/tests/unit/test_load_modules.js b/services/sync/tests/unit/test_load_modules.js
index 0b222520c6..4f561bae62 100644
--- a/services/sync/tests/unit/test_load_modules.js
+++ b/services/sync/tests/unit/test_load_modules.js
@@ -9,7 +9,6 @@ const modules = [
   "engines/addons.js",
   "engines/bookmarks.js",
   "engines/clients.js",
-  "engines/extension-storage.js",
   "engines/forms.js",
   "engines/history.js",
   "engines/passwords.js",
@@ -20,6 +19,7 @@ const modules = [
   "jpakeclient.js",
   "keys.js",
   "main.js",
+  "notifications.js",
   "policies.js",
   "record.js",
   "resource.js",
diff --git a/services/sync/tests/unit/test_node_reassignment.js b/services/sync/tests/unit/test_node_reassignment.js
index 66d21b6f1f..7fe5ed7eda 100644
--- a/services/sync/tests/unit/test_node_reassignment.js
+++ b/services/sync/tests/unit/test_node_reassignment.js
@@ -23,7 +23,7 @@ function run_test() {
   Log.repository.getLogger("Sync.Service").level       = Log.Level.Trace;
   Log.repository.getLogger("Sync.SyncScheduler").level = Log.Level.Trace;
   initTestLogging();
-  validate_all_future_pings();
+
   ensureLegacyIdentityManager();
 
   Service.engineManager.register(RotaryEngine);
@@ -92,12 +92,11 @@ function prepareServer() {
 function getReassigned() {
   try {
     return Services.prefs.getBoolPref("services.sync.lastSyncReassigned");
+  } catch (ex if (ex.result == Cr.NS_ERROR_UNEXPECTED)) {
+    return false;
   } catch (ex) {
-    if (ex.result == Cr.NS_ERROR_UNEXPECTED) {
-      return false;
-    }
     do_throw("Got exception retrieving lastSyncReassigned: " +
-             Log.exceptionStr(ex));
+             Utils.exceptionStr(ex));
   }
 }
 
@@ -107,7 +106,7 @@ function getReassigned() {
  * Runs `between` between the two. This can be used to undo deliberate failure
  * setup, detach observers, etc.
  */
-function* syncAndExpectNodeReassignment(server, firstNotification, between,
+function syncAndExpectNodeReassignment(server, firstNotification, between,
                                        secondNotification, url) {
   let deferred = Promise.defer();
   function onwards() {
@@ -161,7 +160,7 @@ function* syncAndExpectNodeReassignment(server, firstNotification, between,
   yield deferred.promise;
 }
 
-add_task(function* test_momentary_401_engine() {
+add_task(function test_momentary_401_engine() {
   _("Test a failure for engine URLs that's resolved by reassignment.");
   let server = yield prepareServer();
   let john   = server.user("johndoe");
@@ -213,7 +212,7 @@ add_task(function* test_momentary_401_engine() {
 });
 
 // This test ends up being a failing fetch *after we're already logged in*.
-add_task(function* test_momentary_401_info_collections() {
+add_task(function test_momentary_401_info_collections() {
   _("Test a failure for info/collections that's resolved by reassignment.");
   let server = yield prepareServer();
 
@@ -236,7 +235,7 @@ add_task(function* test_momentary_401_info_collections() {
                                       Service.infoURL);
 });
 
-add_task(function* test_momentary_401_storage_loggedin() {
+add_task(function test_momentary_401_storage_loggedin() {
   _("Test a failure for any storage URL, not just engine parts. " +
     "Resolved by reassignment.");
   let server = yield prepareServer();
@@ -261,7 +260,7 @@ add_task(function* test_momentary_401_storage_loggedin() {
                                       Service.storageURL + "meta/global");
 });
 
-add_task(function* test_momentary_401_storage_loggedout() {
+add_task(function test_momentary_401_storage_loggedout() {
   _("Test a failure for any storage URL, not just engine parts. " +
     "Resolved by reassignment.");
   let server = yield prepareServer();
@@ -283,7 +282,7 @@ add_task(function* test_momentary_401_storage_loggedout() {
                                       Service.storageURL + "meta/global");
 });
 
-add_task(function* test_loop_avoidance_storage() {
+add_task(function test_loop_avoidance_storage() {
   _("Test that a repeated failure doesn't result in a sync loop " +
     "if node reassignment cannot resolve the failure.");
 
@@ -383,7 +382,7 @@ add_task(function* test_loop_avoidance_storage() {
   yield deferred.promise;
 });
 
-add_task(function* test_loop_avoidance_engine() {
+add_task(function test_loop_avoidance_engine() {
   _("Test that a repeated 401 in an engine doesn't result in a sync loop " +
     "if node reassignment cannot resolve the failure.");
   let server = yield prepareServer();
diff --git a/services/sync/tests/unit/test_notifications.js b/services/sync/tests/unit/test_notifications.js
new file mode 100644
index 0000000000..9d6da1d2db
--- /dev/null
+++ b/services/sync/tests/unit/test_notifications.js
@@ -0,0 +1,32 @@
+Cu.import("resource://services-sync/notifications.js");
+
+function run_test() {
+  var logStats = initTestLogging("Info");
+
+  var blah = 0;
+
+  function callback(i) {
+    blah = i;
+  }
+
+  let button = new NotificationButton("label", "accessKey", callback);
+
+  button.callback(5);
+
+  do_check_eq(blah, 5);
+  do_check_eq(logStats.errorsLogged, 0);
+
+  function badCallback() {
+    throw new Error("oops");
+  }
+
+  button = new NotificationButton("label", "accessKey", badCallback);
+
+  try {
+    button.callback();
+  } catch (e) {
+    do_check_eq(e.message, "oops");
+  }
+
+  do_check_eq(logStats.errorsLogged, 1);
+}
diff --git a/services/sync/tests/unit/test_password_store.js b/services/sync/tests/unit/test_password_store.js
index d232d5e634..c56901d79d 100644
--- a/services/sync/tests/unit/test_password_store.js
+++ b/services/sync/tests/unit/test_password_store.js
@@ -5,137 +5,6 @@ Cu.import("resource://services-sync/engines/passwords.js");
 Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 
-
-function checkRecord(name, record, expectedCount, timeCreated,
-                     expectedTimeCreated, timePasswordChanged,
-                     expectedTimePasswordChanged, recordIsUpdated) {
-  let engine = Service.engineManager.get("passwords");
-  let store = engine._store;
-
-  let count = {};
-  let logins = Services.logins.findLogins(count, record.hostname,
-                                          record.formSubmitURL, null);
-
-  _("Record" + name + ":" + JSON.stringify(logins));
-  _("Count" + name + ":" +  count.value);
-
-  do_check_eq(count.value, expectedCount);
-
-  if (expectedCount > 0) {
-    do_check_true(!!store.getAllIDs()[record.id]);
-    let stored_record = logins[0].QueryInterface(Ci.nsILoginMetaInfo);
-
-    if (timeCreated !== undefined) {
-      do_check_eq(stored_record.timeCreated, expectedTimeCreated);
-    }
-
-    if (timePasswordChanged !== undefined) {
-      if (recordIsUpdated) {
-        do_check_true(stored_record.timePasswordChanged >= expectedTimePasswordChanged);
-      } else {
-        do_check_eq(stored_record.timePasswordChanged, expectedTimePasswordChanged);
-      }
-      return stored_record.timePasswordChanged;
-    }
-  } else {
-    do_check_true(!store.getAllIDs()[record.id]);
-  }
-}
-
-
-function changePassword(name, hostname, password, expectedCount, timeCreated,
-                        expectedTimeCreated, timePasswordChanged,
-                        expectedTimePasswordChanged, insert, recordIsUpdated) {
-
-  const BOGUS_GUID = "zzzzzz" + hostname;
-
-  let record = {id: BOGUS_GUID,
-                  hostname: hostname,
-                  formSubmitURL: hostname,
-                  username: "john",
-                  password: password,
-                  usernameField: "username",
-                  passwordField: "password"};
-
-  if (timeCreated !== undefined) {
-    record.timeCreated = timeCreated;
-  }
-
-  if (timePasswordChanged !== undefined) {
-    record.timePasswordChanged = timePasswordChanged;
-  }
-
-
-  let engine = Service.engineManager.get("passwords");
-  let store = engine._store;
-
-  if (insert) {
-    do_check_eq(store.applyIncomingBatch([record]).length, 0);
-  }
-
-  return checkRecord(name, record, expectedCount, timeCreated,
-                     expectedTimeCreated, timePasswordChanged,
-                     expectedTimePasswordChanged, recordIsUpdated);
-
-}
-
-
-function test_apply_records_with_times(hostname, timeCreated, timePasswordChanged) {
-  // The following record is going to be inserted in the store and it needs
-  // to be found there. Then its timestamps are going to be compared to
-  // the expected values.
-  changePassword(" ", hostname, "password", 1, timeCreated, timeCreated,
-                 timePasswordChanged, timePasswordChanged, true);
-}
-
-
-function test_apply_multiple_records_with_times() {
-  // The following records are going to be inserted in the store and they need
-  // to be found there. Then their timestamps are going to be compared to
-  // the expected values.
-  changePassword("A", "http://foo.a.com", "password", 1, undefined, undefined,
-                 undefined, undefined, true);
-  changePassword("B", "http://foo.b.com", "password", 1, 1000, 1000, undefined,
-                 undefined, true);
-  changePassword("C", "http://foo.c.com", "password", 1, undefined, undefined,
-                 1000, 1000, true);
-  changePassword("D", "http://foo.d.com", "password", 1, 1000, 1000, 1000,
-                 1000, true);
-
-  // The following records are not going to be inserted in the store and they
-  // are not going to be found there.
-  changePassword("NotInStoreA", "http://foo.aaaa.com", "password", 0,
-                 undefined, undefined, undefined, undefined, false);
-  changePassword("NotInStoreB", "http://foo.bbbb.com", "password", 0, 1000,
-                 1000, undefined, undefined, false);
-  changePassword("NotInStoreC", "http://foo.cccc.com", "password", 0,
-                 undefined, undefined, 1000, 1000, false);
-  changePassword("NotInStoreD", "http://foo.dddd.com", "password", 0, 1000,
-                 1000, 1000, 1000, false);
-}
-
-
-function test_apply_same_record_with_different_times() {
-  // The following record is going to be inserted multiple times in the store
-  // and it needs to be found there. Then its timestamps are going to be
-  // compared to the expected values.
-  var timePasswordChanged = 100;
-  timePasswordChanged = changePassword("A", "http://a.tn", "password", 1, 100,
-                                       100, 100, timePasswordChanged, true);
-  timePasswordChanged = changePassword("A", "http://a.tn", "password", 1, 100,
-                                       100, 800, timePasswordChanged, true,
-                                       true);
-  timePasswordChanged = changePassword("A", "http://a.tn", "password", 1, 500,
-                                       100, 800, timePasswordChanged, true,
-                                       true);
-  timePasswordChanged = changePassword("A", "http://a.tn", "password2", 1, 500,
-                                       100,  1536213005222, timePasswordChanged,
-                                       true, true);
-  timePasswordChanged = changePassword("A", "http://a.tn", "password2", 1, 500,
-                                       100, 800, timePasswordChanged, true, true);
-}
-
-
 function run_test() {
   initTestLogging("Trace");
   Log.repository.getLogger("Sync.Engine.Passwords").level = Log.Level.Trace;
@@ -161,9 +30,12 @@ function run_test() {
 
   let engine = Service.engineManager.get("passwords");
   let store = engine._store;
+  function applyEnsureNoFailures(records) {
+    do_check_eq(store.applyIncomingBatch(records).length, 0);
+  }
 
   try {
-    do_check_eq(store.applyIncomingBatch([recordA, recordB]).length, 0);
+    applyEnsureNoFailures([recordA, recordB]);
 
     // Only the good record makes it to Services.logins.
     let badCount = {};
@@ -183,17 +55,7 @@ function run_test() {
 
     do_check_true(!!store.getAllIDs()[BOGUS_GUID_B]);
     do_check_true(!store.getAllIDs()[BOGUS_GUID_A]);
-
-    test_apply_records_with_times("http://afoo.baz.com", undefined, undefined);
-    test_apply_records_with_times("http://bfoo.baz.com", 1000, undefined);
-    test_apply_records_with_times("http://cfoo.baz.com", undefined, 2000);
-    test_apply_records_with_times("http://dfoo.baz.com", 1000, 2000);
-
-    test_apply_multiple_records_with_times();
-
-    test_apply_same_record_with_different_times();
-
   } finally {
     store.wipe();
   }
-}
\ No newline at end of file
+}
diff --git a/services/sync/tests/unit/test_password_tracker.js b/services/sync/tests/unit/test_password_tracker.js
index 09ca141a68..ddfc524ab0 100644
--- a/services/sync/tests/unit/test_password_tracker.js
+++ b/services/sync/tests/unit/test_password_tracker.js
@@ -8,9 +8,9 @@ Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 
 Service.engineManager.register(PasswordEngine);
-var engine = Service.engineManager.get("passwords");
-var store  = engine._store;
-var tracker = engine._tracker;
+let engine = Service.engineManager.get("passwords");
+let store  = engine._store;
+let tracker = engine._tracker;
 
 // Don't do asynchronous writes.
 tracker.persistChangedIDs = false;
diff --git a/services/sync/tests/unit/test_password_validator.js b/services/sync/tests/unit/test_password_validator.js
deleted file mode 100644
index a4a148fbe7..0000000000
--- a/services/sync/tests/unit/test_password_validator.js
+++ /dev/null
@@ -1,158 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Components.utils.import("resource://services-sync/engines/passwords.js");
-
-function getDummyServerAndClient() {
-  return {
-    server: [
-      {
-        id: "11111",
-        guid: "11111",
-        hostname: "https://www.11111.com",
-        formSubmitURL: "https://www.11111.com/login",
-        password: "qwerty123",
-        passwordField: "pass",
-        username: "foobar",
-        usernameField: "user",
-        httpRealm: null,
-      },
-      {
-        id: "22222",
-        guid: "22222",
-        hostname: "https://www.22222.org",
-        formSubmitURL: "https://www.22222.org/login",
-        password: "hunter2",
-        passwordField: "passwd",
-        username: "baz12345",
-        usernameField: "user",
-        httpRealm: null,
-      },
-      {
-        id: "33333",
-        guid: "33333",
-        hostname: "https://www.33333.com",
-        formSubmitURL: "https://www.33333.com/login",
-        password: "p4ssw0rd",
-        passwordField: "passwad",
-        username: "quux",
-        usernameField: "user",
-        httpRealm: null,
-      },
-    ],
-    client: [
-      {
-        id: "11111",
-        guid: "11111",
-        hostname: "https://www.11111.com",
-        formSubmitURL: "https://www.11111.com/login",
-        password: "qwerty123",
-        passwordField: "pass",
-        username: "foobar",
-        usernameField: "user",
-        httpRealm: null,
-      },
-      {
-        id: "22222",
-        guid: "22222",
-        hostname: "https://www.22222.org",
-        formSubmitURL: "https://www.22222.org/login",
-        password: "hunter2",
-        passwordField: "passwd",
-        username: "baz12345",
-        usernameField: "user",
-        httpRealm: null,
-
-      },
-      {
-        id: "33333",
-        guid: "33333",
-        hostname: "https://www.33333.com",
-        formSubmitURL: "https://www.33333.com/login",
-        password: "p4ssw0rd",
-        passwordField: "passwad",
-        username: "quux",
-        usernameField: "user",
-        httpRealm: null,
-      }
-    ]
-  };
-}
-
-
-add_test(function test_valid() {
-  let { server, client } = getDummyServerAndClient();
-  let validator = new PasswordValidator();
-  let { problemData, clientRecords, records, deletedRecords } =
-      validator.compareClientWithServer(client, server);
-  equal(clientRecords.length, 3);
-  equal(records.length, 3)
-  equal(deletedRecords.length, 0);
-  deepEqual(problemData, validator.emptyProblemData());
-
-  run_next_test();
-});
-
-add_test(function test_missing() {
-  let validator = new PasswordValidator();
-  {
-    let { server, client } = getDummyServerAndClient();
-
-    client.pop();
-
-    let { problemData, clientRecords, records, deletedRecords } =
-        validator.compareClientWithServer(client, server);
-
-    equal(clientRecords.length, 2);
-    equal(records.length, 3)
-    equal(deletedRecords.length, 0);
-
-    let expected = validator.emptyProblemData();
-    expected.clientMissing.push("33333");
-    deepEqual(problemData, expected);
-  }
-  {
-    let { server, client } = getDummyServerAndClient();
-
-    server.pop();
-
-    let { problemData, clientRecords, records, deletedRecords } =
-        validator.compareClientWithServer(client, server);
-
-    equal(clientRecords.length, 3);
-    equal(records.length, 2)
-    equal(deletedRecords.length, 0);
-
-    let expected = validator.emptyProblemData();
-    expected.serverMissing.push("33333");
-    deepEqual(problemData, expected);
-  }
-
-  run_next_test();
-});
-
-
-add_test(function test_deleted() {
-  let { server, client } = getDummyServerAndClient();
-  let deletionRecord = { id: "444444", guid: "444444", deleted: true };
-
-  server.push(deletionRecord);
-  let validator = new PasswordValidator();
-
-  let { problemData, clientRecords, records, deletedRecords } =
-      validator.compareClientWithServer(client, server);
-
-  equal(clientRecords.length, 3);
-  equal(records.length, 4);
-  deepEqual(deletedRecords, [deletionRecord]);
-
-  let expected = validator.emptyProblemData();
-  deepEqual(problemData, expected);
-
-  run_next_test();
-});
-
-
-function run_test() {
-  run_next_test();
-}
diff --git a/services/sync/tests/unit/test_postqueue.js b/services/sync/tests/unit/test_postqueue.js
deleted file mode 100644
index e60008a96e..0000000000
--- a/services/sync/tests/unit/test_postqueue.js
+++ /dev/null
@@ -1,455 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-let { PostQueue } = Cu.import("resource://services-sync/record.js", {});
-
-initTestLogging("Trace");
-
-function makeRecord(nbytes) {
-  // make a string 2-bytes less - the added quotes will make it correct.
-  return {
-    toJSON: () => "x".repeat(nbytes-2),
-  }
-}
-
-function makePostQueue(config, lastModTime, responseGenerator) {
-  let stats = {
-    posts: [],
-  }
-  let poster = (data, headers, batch, commit) => {
-    let thisPost = { nbytes: data.length, batch, commit };
-    if (headers.length) {
-      thisPost.headers = headers;
-    }
-    stats.posts.push(thisPost);
-    return responseGenerator.next().value;
-  }
-
-  let done = () => {}
-  let pq = new PostQueue(poster, lastModTime, config, getTestLogger(), done);
-  return { pq, stats };
-}
-
-add_test(function test_simple() {
-  let config = {
-    max_post_bytes: 1000,
-    max_post_records: 100,
-    max_batch_bytes: Infinity,
-    max_batch_records: Infinity,
-  }
-
-  const time = 11111111;
-
-  function* responseGenerator() {
-    yield { success: true, status: 200, headers: { 'x-weave-timestamp': time + 100, 'x-last-modified': time + 100 } };
-  }
-
-  let { pq, stats } = makePostQueue(config, time, responseGenerator());
-  pq.enqueue(makeRecord(10));
-  pq.flush(true);
-
-  deepEqual(stats.posts, [{
-    nbytes: 12, // expect our 10 byte record plus "[]" to wrap it.
-    commit: true, // we don't know if we have batch semantics, so committed.
-    headers: [["x-if-unmodified-since", time]],
-    batch: "true"}]);
-
-  run_next_test();
-});
-
-// Test we do the right thing when we need to make multiple posts when there
-// are no batch semantics
-add_test(function test_max_post_bytes_no_batch() {
-  let config = {
-    max_post_bytes: 50,
-    max_post_records: 4,
-    max_batch_bytes: Infinity,
-    max_batch_records: Infinity,
-  }
-
-  const time = 11111111;
-  function* responseGenerator() {
-    yield { success: true, status: 200, headers: { 'x-weave-timestamp': time + 100, 'x-last-modified': time + 100 } };
-    yield { success: true, status: 200, headers: { 'x-weave-timestamp': time + 200, 'x-last-modified': time + 200 } };
-  }
-
-  let { pq, stats } = makePostQueue(config, time, responseGenerator());
-  pq.enqueue(makeRecord(20)); // total size now 22 bytes - "[" + record + "]"
-  pq.enqueue(makeRecord(20)); // total size now 43 bytes - "[" + record + "," + record + "]"
-  pq.enqueue(makeRecord(20)); // this will exceed our byte limit, so will be in the 2nd POST.
-  pq.flush(true);
-
-  deepEqual(stats.posts, [
-    {
-      nbytes: 43, // 43 for the first post
-      commit: false,
-      headers: [["x-if-unmodified-since", time]],
-      batch: "true",
-    },{
-      nbytes: 22,
-      commit: false, // we know we aren't in a batch, so never commit.
-      headers: [["x-if-unmodified-since", time + 100]],
-      batch: null,
-    }
-  ]);
-  equal(pq.lastModified, time + 200);
-
-  run_next_test();
-});
-
-// Similar to the above, but we've hit max_records instead of max_bytes.
-add_test(function test_max_post_records_no_batch() {
-  let config = {
-    max_post_bytes: 100,
-    max_post_records: 2,
-    max_batch_bytes: Infinity,
-    max_batch_records: Infinity,
-  }
-
-  const time = 11111111;
-
-  function* responseGenerator() {
-    yield { success: true, status: 200, headers: { 'x-weave-timestamp': time + 100, 'x-last-modified': time + 100 } };
-    yield { success: true, status: 200, headers: { 'x-weave-timestamp': time + 200, 'x-last-modified': time + 200 } };
-  }
-
-  let { pq, stats } = makePostQueue(config, time, responseGenerator());
-  pq.enqueue(makeRecord(20)); // total size now 22 bytes - "[" + record + "]"
-  pq.enqueue(makeRecord(20)); // total size now 43 bytes - "[" + record + "," + record + "]"
-  pq.enqueue(makeRecord(20)); // this will exceed our records limit, so will be in the 2nd POST.
-  pq.flush(true);
-
-  deepEqual(stats.posts, [
-    {
-      nbytes: 43, // 43 for the first post
-      commit: false,
-      batch: "true",
-      headers: [["x-if-unmodified-since", time]],
-    },{
-      nbytes: 22,
-      commit: false, // we know we aren't in a batch, so never commit.
-      batch: null,
-      headers: [["x-if-unmodified-since", time + 100]],
-    }
-  ]);
-  equal(pq.lastModified, time + 200);
-
-  run_next_test();
-});
-
-// Batch tests.
-
-// Test making a single post when batch semantics are in place.
-add_test(function test_single_batch() {
-  let config = {
-    max_post_bytes: 1000,
-    max_post_records: 100,
-    max_batch_bytes: 2000,
-    max_batch_records: 200,
-  }
-  const time = 11111111;
-  function* responseGenerator() {
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time, 'x-weave-timestamp': time + 100 },
-    };
-  }
-
-  let { pq, stats } = makePostQueue(config, time, responseGenerator());
-  ok(pq.enqueue(makeRecord(10)).enqueued);
-  pq.flush(true);
-
-  deepEqual(stats.posts, [
-    {
-      nbytes: 12, // expect our 10 byte record plus "[]" to wrap it.
-      commit: true, // we don't know if we have batch semantics, so committed.
-      batch: "true",
-      headers: [["x-if-unmodified-since", time]],
-    }
-  ]);
-
-  run_next_test();
-});
-
-// Test we do the right thing when we need to make multiple posts when there
-// are batch semantics in place.
-add_test(function test_max_post_bytes_batch() {
-  let config = {
-    max_post_bytes: 50,
-    max_post_records: 4,
-    max_batch_bytes: 5000,
-    max_batch_records: 100,
-  }
-
-  const time = 11111111;
-  function* responseGenerator() {
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time, 'x-weave-timestamp': time + 100 },
-    };
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time + 200, 'x-weave-timestamp': time + 200 },
-   };
-  }
-
-  let { pq, stats } = makePostQueue(config, time, responseGenerator());
-  ok(pq.enqueue(makeRecord(20)).enqueued); // total size now 22 bytes - "[" + record + "]"
-  ok(pq.enqueue(makeRecord(20)).enqueued); // total size now 43 bytes - "[" + record + "," + record + "]"
-  ok(pq.enqueue(makeRecord(20)).enqueued); // this will exceed our byte limit, so will be in the 2nd POST.
-  pq.flush(true);
-
-  deepEqual(stats.posts, [
-    {
-      nbytes: 43, // 43 for the first post
-      commit: false,
-      batch: "true",
-      headers: [['x-if-unmodified-since', time]],
-    },{
-      nbytes: 22,
-      commit: true,
-      batch: 1234,
-      headers: [['x-if-unmodified-since', time]],
-    }
-  ]);
-
-  equal(pq.lastModified, time + 200);
-
-  run_next_test();
-});
-
-// Test we do the right thing when the batch bytes limit is exceeded.
-add_test(function test_max_post_bytes_batch() {
-  let config = {
-    max_post_bytes: 50,
-    max_post_records: 20,
-    max_batch_bytes: 70,
-    max_batch_records: 100,
-  }
-
-  const time0 = 11111111;
-  const time1 = 22222222;
-  function* responseGenerator() {
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time0, 'x-weave-timestamp': time0 + 100 },
-    };
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time1, 'x-weave-timestamp': time1 },
-    };
-    yield { success: true, status: 202, obj: { batch: 5678 },
-            headers: { 'x-last-modified': time1, 'x-weave-timestamp': time1 + 100 },
-    };
-    yield { success: true, status: 202, obj: { batch: 5678 },
-            headers: { 'x-last-modified': time1 + 200, 'x-weave-timestamp': time1 + 200 },
-    };
-  }
-
-  let { pq, stats } = makePostQueue(config, time0, responseGenerator());
-  ok(pq.enqueue(makeRecord(20)).enqueued); // total size now 22 bytes - "[" + record + "]"
-  ok(pq.enqueue(makeRecord(20)).enqueued); // total size now 43 bytes - "[" + record + "," + record + "]"
-  // this will exceed our POST byte limit, so will be in the 2nd POST - but still in the first batch.
-  ok(pq.enqueue(makeRecord(20)).enqueued); // 22 bytes for 2nd post, 55 bytes in the batch.
-  // this will exceed our batch byte limit, so will be in a new batch.
-  ok(pq.enqueue(makeRecord(20)).enqueued); // 22 bytes in 3rd post/2nd batch
-  ok(pq.enqueue(makeRecord(20)).enqueued); // 43 bytes in 3rd post/2nd batch
-  // This will exceed POST byte limit, so will be in the 4th post, part of the 2nd batch.
-  ok(pq.enqueue(makeRecord(20)).enqueued); // 22 bytes for 4th post/2nd batch
-  pq.flush(true);
-
-  deepEqual(stats.posts, [
-    {
-      nbytes: 43, // 43 for the first post
-      commit: false,
-      batch: "true",
-      headers: [['x-if-unmodified-since', time0]],
-    },{
-      // second post of 22 bytes in the first batch, committing it.
-      nbytes: 22,
-      commit: true,
-      batch: 1234,
-      headers: [['x-if-unmodified-since', time0]],
-    }, {
-      // 3rd post of 43 bytes in a new batch, not yet committing it.
-      nbytes: 43,
-      commit: false,
-      batch: "true",
-      headers: [['x-if-unmodified-since', time1]],
-    },{
-      // 4th post of 22 bytes in second batch, committing it.
-      nbytes: 22,
-      commit: true,
-      batch: 5678,
-      headers: [['x-if-unmodified-since', time1]],
-    },
-  ]);
-
-  equal(pq.lastModified, time1 + 200);
-
-  run_next_test();
-});
-
-// Test we split up the posts when we exceed the record limit when batch semantics
-// are in place.
-add_test(function test_max_post_bytes_batch() {
-  let config = {
-    max_post_bytes: 1000,
-    max_post_records: 2,
-    max_batch_bytes: 5000,
-    max_batch_records: 100,
-  }
-
-  const time = 11111111;
-  function* responseGenerator() {
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time, 'x-weave-timestamp': time + 100 },
-    };
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time + 200, 'x-weave-timestamp': time + 200 },
-   };
-  }
-
-  let { pq, stats } = makePostQueue(config, time, responseGenerator());
-  ok(pq.enqueue(makeRecord(20)).enqueued); // total size now 22 bytes - "[" + record + "]"
-  ok(pq.enqueue(makeRecord(20)).enqueued); // total size now 43 bytes - "[" + record + "," + record + "]"
-  ok(pq.enqueue(makeRecord(20)).enqueued); // will exceed record limit, so will be in 2nd post.
-  pq.flush(true);
-
-  deepEqual(stats.posts, [
-    {
-      nbytes: 43, // 43 for the first post
-      commit: false,
-      batch: "true",
-      headers: [['x-if-unmodified-since', time]],
-    },{
-      nbytes: 22,
-      commit: true,
-      batch: 1234,
-      headers: [['x-if-unmodified-since', time]],
-    }
-  ]);
-
-  equal(pq.lastModified, time + 200);
-
-  run_next_test();
-});
-
-// Test that a single huge record fails to enqueue
-add_test(function test_huge_record() {
-  let config = {
-    max_post_bytes: 50,
-    max_post_records: 100,
-    max_batch_bytes: 5000,
-    max_batch_records: 100,
-  }
-
-  const time = 11111111;
-  function* responseGenerator() {
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time, 'x-weave-timestamp': time + 100 },
-    };
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time + 200, 'x-weave-timestamp': time + 200 },
-   };
-  }
-
-  let { pq, stats } = makePostQueue(config, time, responseGenerator());
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-
-  let { enqueued, error } = pq.enqueue(makeRecord(1000));
-  ok(!enqueued);
-  notEqual(error, undefined);
-
-  // make sure that we keep working, skipping the bad record entirely
-  // (handling the error the queue reported is left up to caller)
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-
-  pq.flush(true);
-
-  deepEqual(stats.posts, [
-    {
-      nbytes: 43, // 43 for the first post
-      commit: false,
-      batch: "true",
-      headers: [['x-if-unmodified-since', time]],
-    },{
-      nbytes: 22,
-      commit: true,
-      batch: 1234,
-      headers: [['x-if-unmodified-since', time]],
-    }
-  ]);
-
-  equal(pq.lastModified, time + 200);
-
-  run_next_test();
-});
-
-// Test we do the right thing when the batch record limit is exceeded.
-add_test(function test_max_records_batch() {
-  let config = {
-    max_post_bytes: 1000,
-    max_post_records: 3,
-    max_batch_bytes: 10000,
-    max_batch_records: 5,
-  }
-
-  const time0 = 11111111;
-  const time1 = 22222222;
-  function* responseGenerator() {
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time0, 'x-weave-timestamp': time0 + 100 },
-    };
-    yield { success: true, status: 202, obj: { batch: 1234 },
-            headers: { 'x-last-modified': time1, 'x-weave-timestamp': time1 },
-    };
-    yield { success: true, status: 202, obj: { batch: 5678 },
-            headers: { 'x-last-modified': time1, 'x-weave-timestamp': time1 + 100 },
-    };
-    yield { success: true, status: 202, obj: { batch: 5678 },
-            headers: { 'x-last-modified': time1 + 200, 'x-weave-timestamp': time1 + 200 },
-    };
-  }
-
-  let { pq, stats } = makePostQueue(config, time0, responseGenerator());
-
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-
-  ok(pq.enqueue(makeRecord(20)).enqueued);
-
-  pq.flush(true);
-
-  deepEqual(stats.posts, [
-    { // 3 records
-      nbytes: 64,
-      commit: false,
-      batch: "true",
-      headers: [['x-if-unmodified-since', time0]],
-    },{ // 2 records -- end batch1
-      nbytes: 43,
-      commit: true,
-      batch: 1234,
-      headers: [['x-if-unmodified-since', time0]],
-    }, { // 3 records
-      nbytes: 64,
-      commit: false,
-      batch: "true",
-      headers: [['x-if-unmodified-since', time1]],
-    },{ // 1 record -- end batch2
-      nbytes: 22,
-      commit: true,
-      batch: 5678,
-      headers: [['x-if-unmodified-since', time1]],
-    },
-  ]);
-
-  equal(pq.lastModified, time1 + 200);
-
-  run_next_test();
-});
\ No newline at end of file
diff --git a/services/sync/tests/unit/test_prefs_store.js b/services/sync/tests/unit/test_prefs_store.js
index 9c321bceb3..51b220d53e 100644
--- a/services/sync/tests/unit/test_prefs_store.js
+++ b/services/sync/tests/unit/test_prefs_store.js
@@ -23,22 +23,25 @@ function makePersona(id) {
 }
 
 function run_test() {
-  _("Test fixtures.");
-  // read our custom prefs file before doing anything.
-  Services.prefs.readUserPrefs(do_get_file("prefs_test_prefs_store.js"));
-  // Now we've read from this file, any writes the pref service makes will be
-  // back to this prefs_test_prefs_store.js directly in the obj dir. This
-  // upsets things in confusing ways :) We avoid this by explicitly telling the
-  // pref service to use a file in our profile dir.
-  let prefFile = do_get_profile();
-  prefFile.append("prefs.js");
-  Services.prefs.savePrefFile(prefFile);
-  Services.prefs.readUserPrefs(prefFile);
-
   let store = Service.engineManager.get("prefs")._store;
   let prefs = new Preferences();
   try {
 
+    _("Test fixtures.");
+    Svc.Prefs.set("prefs.sync.testing.int", true);
+    Svc.Prefs.set("prefs.sync.testing.string", true);
+    Svc.Prefs.set("prefs.sync.testing.bool", true);
+    Svc.Prefs.set("prefs.sync.testing.dont.change", true);
+    Svc.Prefs.set("prefs.sync.testing.turned.off", false);
+    Svc.Prefs.set("prefs.sync.testing.nonexistent", true);
+
+    prefs.set("testing.int", 123);
+    prefs.set("testing.string", "ohai");
+    prefs.set("testing.bool", true);
+    prefs.set("testing.dont.change", "Please don't change me.");
+    prefs.set("testing.turned.off", "I won't get synced.");
+    prefs.set("testing.not.turned.on", "I won't get synced either!");
+
     _("The GUID corresponds to XUL App ID.");
     let allIDs = store.getAllIDs();
     let ids = Object.keys(allIDs);
@@ -58,22 +61,17 @@ function run_test() {
     do_check_eq(record.value["testing.int"], 123);
     do_check_eq(record.value["testing.string"], "ohai");
     do_check_eq(record.value["testing.bool"], true);
-    // non-existing prefs get null as the value
     do_check_eq(record.value["testing.nonexistent"], null);
-    // as do prefs that have a default value.
-    do_check_eq(record.value["testing.default"], null);
     do_check_false("testing.turned.off" in record.value);
     do_check_false("testing.not.turned.on" in record.value);
 
-    _("Prefs record contains non-default pref sync prefs too.");
-    do_check_eq(record.value["services.sync.prefs.sync.testing.int"], null);
-    do_check_eq(record.value["services.sync.prefs.sync.testing.string"], null);
-    do_check_eq(record.value["services.sync.prefs.sync.testing.bool"], null);
-    do_check_eq(record.value["services.sync.prefs.sync.testing.dont.change"], null);
-    // but this one is a user_pref so *will* be synced.
+    _("Prefs record contains pref sync prefs too.");
+    do_check_eq(record.value["services.sync.prefs.sync.testing.int"], true);
+    do_check_eq(record.value["services.sync.prefs.sync.testing.string"], true);
+    do_check_eq(record.value["services.sync.prefs.sync.testing.bool"], true);
+    do_check_eq(record.value["services.sync.prefs.sync.testing.dont.change"], true);
     do_check_eq(record.value["services.sync.prefs.sync.testing.turned.off"], false);
-    do_check_eq(record.value["services.sync.prefs.sync.testing.nonexistent"], null);
-    do_check_eq(record.value["services.sync.prefs.sync.testing.default"], null);
+    do_check_eq(record.value["services.sync.prefs.sync.testing.nonexistent"], true);
 
     _("Update some prefs, including one that's to be reset/deleted.");
     Svc.Prefs.set("testing.deleteme", "I'm going to be deleted!");
@@ -99,28 +97,28 @@ function run_test() {
     // Ensure we don't go to the network to fetch personas and end up leaking
     // stuff.
     Services.io.offline = true;
-    do_check_false(!!prefs.get("lightweightThemes.selectedThemeID"));
+    do_check_false(!!prefs.get("lightweightThemes.isThemeSelected"));
     do_check_eq(LightweightThemeManager.currentTheme, null);
 
     let persona1 = makePersona();
     let persona2 = makePersona();
     let usedThemes = JSON.stringify([persona1, persona2]);
     record.value = {
-      "lightweightThemes.selectedThemeID": persona1.id,
+      "lightweightThemes.isThemeSelected": true,
       "lightweightThemes.usedThemes": usedThemes
     };
     store.update(record);
-    do_check_eq(prefs.get("lightweightThemes.selectedThemeID"), persona1.id);
+    do_check_true(prefs.get("lightweightThemes.isThemeSelected"));
     do_check_true(Utils.deepEquals(LightweightThemeManager.currentTheme,
                   persona1));
 
     _("Disable persona");
     record.value = {
-      "lightweightThemes.selectedThemeID": null,
+      "lightweightThemes.isThemeSelected": false,
       "lightweightThemes.usedThemes": usedThemes
     };
     store.update(record);
-    do_check_false(!!prefs.get("lightweightThemes.selectedThemeID"));
+    do_check_false(prefs.get("lightweightThemes.isThemeSelected"));
     do_check_eq(LightweightThemeManager.currentTheme, null);
 
     _("Only the current app's preferences are applied.");
@@ -131,37 +129,6 @@ function run_test() {
     store.update(record);
     do_check_eq(prefs.get("testing.int"), 42);
 
-    _("The light-weight theme preference is handled correctly.");
-    let lastThemeID = undefined;
-    let orig_updateLightWeightTheme = store._updateLightWeightTheme;
-    store._updateLightWeightTheme = function(themeID) {
-      lastThemeID = themeID;
-    }
-    try {
-      record = new PrefRec("prefs", PREFS_GUID);
-      record.value = {
-        "testing.int": 42,
-      };
-      store.update(record);
-      do_check_true(lastThemeID === undefined,
-                    "should not have tried to change the theme with an unrelated pref.");
-      Services.prefs.setCharPref("lightweightThemes.selectedThemeID", "foo");
-      record.value = {
-        "lightweightThemes.selectedThemeID": "foo",
-      };
-      store.update(record);
-      do_check_true(lastThemeID === undefined,
-                    "should not have tried to change the theme when the incoming pref matches current value.");
-
-      record.value = {
-        "lightweightThemes.selectedThemeID": "bar",
-      };
-      store.update(record);
-      do_check_eq(lastThemeID, "bar",
-                  "should have tried to change the theme when the incoming pref was different.");
-    } finally {
-      store._updateLightWeightTheme = orig_updateLightWeightTheme;
-    }
   } finally {
     prefs.resetBranch("");
   }
diff --git a/services/sync/tests/unit/test_records_crypto.js b/services/sync/tests/unit/test_records_crypto.js
index 392a746efa..4d623c917a 100644
--- a/services/sync/tests/unit/test_records_crypto.js
+++ b/services/sync/tests/unit/test_records_crypto.js
@@ -10,7 +10,7 @@ Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 
-var cryptoWrap;
+let cryptoWrap;
 
 function crypted_resource_handler(metadata, response) {
   let obj = {id: "resource",
@@ -148,32 +148,6 @@ function run_test() {
     do_check_eq(bookmarkItem.decrypt(Service.collectionKeys.keyForCollection("bookmarks")).stuff,
         "my payload here");
 
-    do_check_true(Service.collectionKeys.hasKeysFor(["bookmarks"]));
-
-    // Add a key for some new collection and verify that it isn't the
-    // default key.
-    do_check_false(Service.collectionKeys.hasKeysFor(["forms"]));
-    do_check_false(Service.collectionKeys.hasKeysFor(["bookmarks", "forms"]));
-    let oldFormsKey = Service.collectionKeys.keyForCollection("forms");
-    do_check_eq(oldFormsKey, Service.collectionKeys._default);
-    let newKeys = Service.collectionKeys.ensureKeysFor(["forms"]);
-    do_check_true(newKeys.hasKeysFor(["forms"]));
-    do_check_true(newKeys.hasKeysFor(["bookmarks", "forms"]));
-    let newFormsKey = newKeys.keyForCollection("forms");
-    do_check_neq(newFormsKey, oldFormsKey);
-
-    // Verify that this doesn't overwrite keys
-    let regetKeys = newKeys.ensureKeysFor(["forms"]);
-    do_check_eq(regetKeys.keyForCollection("forms"), newFormsKey);
-
-    const emptyKeys = new CollectionKeyManager();
-    payload = {
-      default: Service.collectionKeys._default.keyPairB64,
-      collections: {}
-    };
-    // Verify that not passing `modified` doesn't throw
-    emptyKeys.setContents(payload, null);
-
     log.info("Done!");
   }
   finally {
diff --git a/services/sync/tests/unit/test_resource.js b/services/sync/tests/unit/test_resource.js
index 8f5534c929..027d662b41 100644
--- a/services/sync/tests/unit/test_resource.js
+++ b/services/sync/tests/unit/test_resource.js
@@ -7,9 +7,9 @@ Cu.import("resource://services-sync/identity.js");
 Cu.import("resource://services-sync/resource.js");
 Cu.import("resource://services-sync/util.js");
 
-var logger;
+let logger;
 
-var fetched = false;
+let fetched = false;
 function server_open(metadata, response) {
   let body;
   if (metadata.method == "GET") {
@@ -45,7 +45,7 @@ function server_404(metadata, response) {
   response.bodyOutputStream.write(body, body.length);
 }
 
-var pacFetched = false;
+let pacFetched = false;
 function server_pac(metadata, response) {
   pacFetched = true;
   let body = 'function FindProxyForURL(url, host) { return "DIRECT"; }';
@@ -55,7 +55,7 @@ function server_pac(metadata, response) {
 }
 
 
-var sample_data = {
+let sample_data = {
   some: "sample_data",
   injson: "format",
   number: 42
@@ -140,7 +140,7 @@ function server_headers(metadata, response) {
   header_names = header_names.sort();
 
   headers = {};
-  for (let header of header_names) {
+  for each (let header in header_names) {
     headers[header] = metadata.getHeader(header);
   }
   let body = JSON.stringify(headers);
@@ -442,8 +442,6 @@ function run_test() {
   // It throws and logs.
   do_check_eq(error.result, Cr.NS_ERROR_MALFORMED_URI);
   do_check_eq(error, "Error: NS_ERROR_MALFORMED_URI");
-  // Note the strings haven't been formatted yet, but that's OK for this test.
-  do_check_eq(warnings.pop(), "${action} request to ${url} failed: ${ex}");
   do_check_eq(warnings.pop(),
               "Got exception calling onProgress handler during fetch of " +
               server.baseURI + "/json");
@@ -467,7 +465,6 @@ function run_test() {
   // It throws and logs.
   do_check_eq(error.result, Cr.NS_ERROR_XPC_JS_THREW_STRING);
   do_check_eq(error, "Error: NS_ERROR_XPC_JS_THREW_STRING");
-  do_check_eq(warnings.pop(), "${action} request to ${url} failed: ${ex}");
   do_check_eq(warnings.pop(),
               "Got exception calling onProgress handler during fetch of " +
               server.baseURI + "/json");
diff --git a/services/sync/tests/unit/test_resource_async.js b/services/sync/tests/unit/test_resource_async.js
index 0db91a1b59..c4b9a3804c 100644
--- a/services/sync/tests/unit/test_resource_async.js
+++ b/services/sync/tests/unit/test_resource_async.js
@@ -7,9 +7,9 @@ Cu.import("resource://services-sync/identity.js");
 Cu.import("resource://services-sync/resource.js");
 Cu.import("resource://services-sync/util.js");
 
-var logger;
+let logger;
 
-var fetched = false;
+let fetched = false;
 function server_open(metadata, response) {
   let body;
   if (metadata.method == "GET") {
@@ -45,7 +45,7 @@ function server_404(metadata, response) {
   response.bodyOutputStream.write(body, body.length);
 }
 
-var pacFetched = false;
+let pacFetched = false;
 function server_pac(metadata, response) {
   _("Invoked PAC handler.");
   pacFetched = true;
@@ -55,7 +55,7 @@ function server_pac(metadata, response) {
   response.bodyOutputStream.write(body, body.length);
 }
 
-var sample_data = {
+let sample_data = {
   some: "sample_data",
   injson: "format",
   number: 42
@@ -140,7 +140,7 @@ function server_headers(metadata, response) {
   header_names = header_names.sort();
 
   headers = {};
-  for (let header of header_names) {
+  for each (let header in header_names) {
     headers[header] = metadata.getHeader(header);
   }
   let body = JSON.stringify(headers);
@@ -148,7 +148,7 @@ function server_headers(metadata, response) {
   response.bodyOutputStream.write(body, body.length);
 }
 
-var quotaValue;
+let quotaValue;
 Observers.add("weave:service:quota:remaining",
               function (subject) { quotaValue = subject; });
 
@@ -221,7 +221,7 @@ add_test(function test_new_channel() {
 });
 
 
-var server;
+let server;
 
 add_test(function setup() {
   server = httpd_setup({
diff --git a/services/sync/tests/unit/test_resource_header.js b/services/sync/tests/unit/test_resource_header.js
index 4f28e01da2..1835cc0e06 100644
--- a/services/sync/tests/unit/test_resource_header.js
+++ b/services/sync/tests/unit/test_resource_header.js
@@ -11,7 +11,7 @@ function run_test() {
   run_next_test();
 }
 
-var httpServer = new HttpServer();
+let httpServer = new HttpServer();
 httpServer.registerPathHandler("/content", contentHandler);
 httpServer.start(-1);
 
@@ -20,8 +20,8 @@ const TEST_URL = "http://localhost:" + HTTP_PORT + "/content";
 const BODY = "response body";
 
 // Keep headers for later inspection.
-var auth = null;
-var foo  = null;
+let auth = null;
+let foo  = null;
 function contentHandler(metadata, response) {
   _("Handling request.");
   auth = metadata.getHeader("Authorization");
diff --git a/services/sync/tests/unit/test_resource_ua.js b/services/sync/tests/unit/test_resource_ua.js
index 31c2cd3791..279a2b3e69 100644
--- a/services/sync/tests/unit/test_resource_ua.js
+++ b/services/sync/tests/unit/test_resource_ua.js
@@ -7,18 +7,15 @@ Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 
-var httpProtocolHandler = Cc["@mozilla.org/network/protocol;1?name=http"]
-                          .getService(Ci.nsIHttpProtocolHandler);
-
 // Tracking info/collections.
-var collectionsHelper = track_collections_helper();
-var collections = collectionsHelper.collections;
+let collectionsHelper = track_collections_helper();
+let collections = collectionsHelper.collections;
 
-var meta_global;
-var server;
+let meta_global;
+let server;
 
-var expectedUA;
-var ua;
+let expectedUA;
+let ua;
 function uaHandler(f) {
   return function(request, response) {
     ua = request.getHeader("User-Agent");
@@ -40,10 +37,7 @@ function run_test() {
   Service.clusterURL = server.baseURI + "/";
   _("Server URL: " + server.baseURI);
 
-  // Note this string is missing the trailing ".destkop" as the test
-  // adjusts the "client.type" pref where that portion comes from.
   expectedUA = Services.appinfo.name + "/" + Services.appinfo.version +
-               " (" + httpProtocolHandler.oscpu + ")" +
                " FxSync/" + WEAVE_VERSION + "." +
                Services.appinfo.appBuildID;
 
diff --git a/services/sync/tests/unit/test_score_triggers.js b/services/sync/tests/unit/test_score_triggers.js
index 513be685a8..98d3e094a8 100644
--- a/services/sync/tests/unit/test_score_triggers.js
+++ b/services/sync/tests/unit/test_score_triggers.js
@@ -12,13 +12,13 @@ Cu.import("resource://testing-common/services/sync/utils.js");
 
 Service.engineManager.clear();
 Service.engineManager.register(RotaryEngine);
-var engine = Service.engineManager.get("rotary");
-var tracker = engine._tracker;
+let engine = Service.engineManager.get("rotary");
+let tracker = engine._tracker;
 engine.enabled = true;
 
 // Tracking info/collections.
-var collectionsHelper = track_collections_helper();
-var upd = collectionsHelper.with_updated_collection;
+let collectionsHelper = track_collections_helper();
+let upd = collectionsHelper.with_updated_collection;
 
 function sync_httpd_setup() {
   let handlers = {};
diff --git a/services/sync/tests/unit/test_service_attributes.js b/services/sync/tests/unit/test_service_attributes.js
index 931c7741a3..dc82f5edb2 100644
--- a/services/sync/tests/unit/test_service_attributes.js
+++ b/services/sync/tests/unit/test_service_attributes.js
@@ -29,6 +29,7 @@ function test_urls() {
 
     Service.serverURL = "http://weave.server/";
     Service.clusterURL = "http://weave.cluster/";
+    do_check_eq(Svc.Prefs.get("clusterURL"), "http://weave.cluster/");
 
     do_check_eq(Service.userBaseURL, "http://weave.cluster/1.1/johndoe/");
     do_check_eq(Service.infoURL,
@@ -62,11 +63,11 @@ function test_urls() {
     _("The 'serverURL' attributes updates/resets preferences.");
     // Identical value doesn't do anything
     Service.serverURL = Service.serverURL;
-    do_check_eq(Service.clusterURL, "http://weave.cluster/");
+    do_check_eq(Svc.Prefs.get("clusterURL"), "http://weave.cluster/");
 
     Service.serverURL = "http://different.auth.node/";
     do_check_eq(Svc.Prefs.get("serverURL"), "http://different.auth.node/");
-    do_check_eq(Service.clusterURL, "");
+    do_check_eq(Svc.Prefs.get("clusterURL"), undefined);
 
   } finally {
     Svc.Prefs.resetBranch("");
@@ -83,12 +84,12 @@ function test_syncID() {
     do_check_eq(Svc.Prefs.get("client.syncID"), undefined);
 
     // Performing the first get on the attribute will generate a new GUID.
-    do_check_eq(Service.syncID, "fake-guid-00");
-    do_check_eq(Svc.Prefs.get("client.syncID"), "fake-guid-00");
+    do_check_eq(Service.syncID, "fake-guid-0");
+    do_check_eq(Svc.Prefs.get("client.syncID"), "fake-guid-0");
 
     Svc.Prefs.set("client.syncID", Utils.makeGUID());
-    do_check_eq(Svc.Prefs.get("client.syncID"), "fake-guid-01");
-    do_check_eq(Service.syncID, "fake-guid-01");
+    do_check_eq(Svc.Prefs.get("client.syncID"), "fake-guid-1");
+    do_check_eq(Service.syncID, "fake-guid-1");
   } finally {
     Svc.Prefs.resetBranch("");
     new FakeGUIDService();
diff --git a/services/sync/tests/unit/test_service_detect_upgrade.js b/services/sync/tests/unit/test_service_detect_upgrade.js
index 0f46832d98..528bd751b1 100644
--- a/services/sync/tests/unit/test_service_detect_upgrade.js
+++ b/services/sync/tests/unit/test_service_detect_upgrade.js
@@ -60,7 +60,7 @@ add_test(function v4_upgrade() {
                           }]}]};
     delete Svc.Session;
     Svc.Session = {
-      getBrowserState: () => JSON.stringify(myTabs)
+      getBrowserState: function () JSON.stringify(myTabs)
     };
 
     Service.status.resetSync();
@@ -229,7 +229,7 @@ add_test(function v5_upgrade() {
                           }]}]};
     delete Svc.Session;
     Svc.Session = {
-      getBrowserState: () => JSON.stringify(myTabs)
+      getBrowserState: function () JSON.stringify(myTabs)
     };
 
     Service.status.resetSync();
diff --git a/services/sync/tests/unit/test_service_getStorageInfo.js b/services/sync/tests/unit/test_service_getStorageInfo.js
index 841dceb78b..4d463044bd 100644
--- a/services/sync/tests/unit/test_service_getStorageInfo.js
+++ b/services/sync/tests/unit/test_service_getStorageInfo.js
@@ -7,10 +7,7 @@ Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 
-var httpProtocolHandler = Cc["@mozilla.org/network/protocol;1?name=http"]
-                          .getService(Ci.nsIHttpProtocolHandler);
-
-var collections = {steam:  65.11328,
+let collections = {steam:  65.11328,
                    petrol: 82.488281,
                    diesel: 2.25488281};
 
@@ -40,7 +37,6 @@ add_test(function test_success() {
                                      Service.identity.username,
                                      Service.identity.basicPassword));
     let expectedUA = Services.appinfo.name + "/" + Services.appinfo.version +
-                     " (" + httpProtocolHandler.oscpu + ")" +
                      " FxSync/" + WEAVE_VERSION + "." +
                      Services.appinfo.appBuildID + ".desktop";
     do_check_eq(handler.request.getHeader("User-Agent"), expectedUA);
diff --git a/services/sync/tests/unit/test_service_login.js b/services/sync/tests/unit/test_service_login.js
index 2ecb0a377b..52ee5e63ab 100644
--- a/services/sync/tests/unit/test_service_login.js
+++ b/services/sync/tests/unit/test_service_login.js
@@ -183,7 +183,7 @@ add_test(function test_login_on_sync() {
     // This test exercises these two branches.
 
     _("We're ready to sync if locked.");
-    Service.enabled = true;
+    Svc.Prefs.set("enabled", true);
     Services.io.offline = false;
     Service.scheduler.checkSyncStatus();
     do_check_true(scheduleCalled);
diff --git a/services/sync/tests/unit/test_service_passwordUTF8.js b/services/sync/tests/unit/test_service_passwordUTF8.js
index e781050b36..733911291b 100644
--- a/services/sync/tests/unit/test_service_passwordUTF8.js
+++ b/services/sync/tests/unit/test_service_passwordUTF8.js
@@ -11,13 +11,13 @@ const APPLES = "\uf8ff\uf8ff\uf8ff\uf8ff";
 const LOWBYTES = "\xff\xff\xff\xff";
 
 // Poor man's /etc/passwd.  Static since there's no btoa()/atob() in xpcshell.
-var basicauth = {};
+let basicauth = {};
 basicauth[LOWBYTES] = "Basic am9obmRvZTr/////";
 basicauth[Utils.encodeUTF8(JAPANESE)] = "Basic am9obmRvZTrjk7/jl7/jm7/jn78=";
 
 // Global var for the server password, read by info_collections(),
 // modified by change_password().
-var server_password;
+let server_password;
 
 function login_handling(handler) {
   return function (request, response) {
diff --git a/services/sync/tests/unit/test_service_startOver.js b/services/sync/tests/unit/test_service_startOver.js
index 8994205480..6fb0a66d7d 100644
--- a/services/sync/tests/unit/test_service_startOver.js
+++ b/services/sync/tests/unit/test_service_startOver.js
@@ -28,7 +28,7 @@ function run_test() {
   run_next_test();
 }
 
-add_identity_test(this, function* test_resetLocalData() {
+add_identity_test(this, function test_resetLocalData() {
   yield configureIdentity();
   Service.status.enforceBackoff = true;
   Service.status.backoffInterval = 42;
diff --git a/services/sync/tests/unit/test_service_startup.js b/services/sync/tests/unit/test_service_startup.js
index 5148f6d133..6ced39da93 100644
--- a/services/sync/tests/unit/test_service_startup.js
+++ b/services/sync/tests/unit/test_service_startup.js
@@ -10,7 +10,6 @@ Svc.Prefs.set("registerEngines", "Tab,Bookmarks,Form,History");
 Cu.import("resource://services-sync/service.js");
 
 function run_test() {
-  validate_all_future_pings();
   _("When imported, Service.onStartup is called");
   initTestLogging("Trace");
 
@@ -21,7 +20,7 @@ function run_test() {
 
   // Test fixtures
   Service.identity.username = "johndoe";
-  do_check_true(xps.enabled);
+  do_check_false(xps.enabled);
 
   Cu.import("resource://services-sync/service.js");
 
@@ -30,7 +29,7 @@ function run_test() {
 
   _("Engines are registered.");
   let engines = Service.engineManager.getAll();
-  do_check_true(Utils.deepEquals(engines.map(engine => engine.name),
+  do_check_true(Utils.deepEquals([engine.name for each (engine in engines)],
                                  ['tabs', 'bookmarks', 'forms', 'history']));
 
   _("Observers are notified of startup");
@@ -46,4 +45,10 @@ function run_test() {
     Svc.Prefs.resetBranch("");
     do_test_finished();
   });
+
+  do_check_false(xps.enabled);
+
+  Service.identity.account = "johndoe";
+  Service.clusterURL = "http://localhost/";
+  do_check_true(xps.enabled);
 }
diff --git a/services/sync/tests/unit/test_service_sync_locked.js b/services/sync/tests/unit/test_service_sync_locked.js
index ee952c7eef..e2cbbfa92e 100644
--- a/services/sync/tests/unit/test_service_sync_locked.js
+++ b/services/sync/tests/unit/test_service_sync_locked.js
@@ -5,17 +5,14 @@ Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 
 function run_test() {
-  validate_all_future_pings();
   let debug = [];
   let info  = [];
 
   function augmentLogger(old) {
     let d = old.debug;
     let i = old.info;
-    // For the purposes of this test we don't need to do full formatting
-    // of the 2nd param, as the ones we care about are always strings.
-    old.debug = function(m, p) { debug.push(p ? m + ": " + p : m); d.call(old, m, p); }
-    old.info  = function(m, p) { info.push(p ? m + ": " + p : m);  i.call(old, m, p); }
+    old.debug = function(m) { debug.push(m); d.call(old, m); }
+    old.info  = function(m) { info.push(m);  i.call(old, m); }
     return old;
   }
 
@@ -31,7 +28,9 @@ function run_test() {
   Service.sync();
   Service._locked = false;
 
-  do_check_true(debug[debug.length - 2].startsWith("Exception calling WrappedLock: Could not acquire lock. Label: \"service.js: login\"."));
-  do_check_eq(info[info.length - 1], "Cannot start sync: already syncing?");
+  do_check_eq(debug[debug.length - 2],
+              "Exception: Could not acquire lock. Label: \"service.js: login\". No traceback available");
+  do_check_eq(info[info.length - 1],
+              "Cannot start sync: already syncing?");
 }
 
diff --git a/services/sync/tests/unit/test_service_sync_remoteSetup.js b/services/sync/tests/unit/test_service_sync_remoteSetup.js
index 83dbf3cd7b..852ba64d5e 100644
--- a/services/sync/tests/unit/test_service_sync_remoteSetup.js
+++ b/services/sync/tests/unit/test_service_sync_remoteSetup.js
@@ -10,7 +10,6 @@ Cu.import("resource://testing-common/services/sync/fakeservices.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 
 function run_test() {
-  validate_all_future_pings();
   let logger = Log.repository.rootLogger;
   Log.repository.rootLogger.addAppender(new Log.DumpAppender());
 
@@ -54,27 +53,15 @@ function run_test() {
     return_timestamp(request, response, ts);
   }
 
-  const GLOBAL_PATH = "/1.1/johndoe/storage/meta/global";
-  const INFO_PATH = "/1.1/johndoe/info/collections";
-
-  let handlers = {
+  let server = httpd_setup({
     "/1.1/johndoe/storage": storageHandler,
     "/1.1/johndoe/storage/crypto/keys": upd("crypto", keysWBO.handler()),
     "/1.1/johndoe/storage/crypto": upd("crypto", cryptoColl.handler()),
     "/1.1/johndoe/storage/clients": upd("clients", clients.handler()),
-    "/1.1/johndoe/storage/meta": upd("meta", wasCalledHandler(metaColl)),
     "/1.1/johndoe/storage/meta/global": upd("meta", wasCalledHandler(meta_global)),
+    "/1.1/johndoe/storage/meta": upd("meta", wasCalledHandler(metaColl)),
     "/1.1/johndoe/info/collections": collectionsHelper.handler
-  };
-
-  function mockHandler(path, mock) {
-    server.registerPathHandler(path, mock(handlers[path]));
-    return {
-      restore() { server.registerPathHandler(path, handlers[path]); }
-    }
-  }
-
-  let server = httpd_setup(handlers);
+  });
 
   try {
     _("Log in.");
@@ -102,63 +89,6 @@ function run_test() {
     Service.recordManager.get(Service.metaURL).payload.syncID = "foobar";
     do_check_true(Service._remoteSetup());
 
-    let returnStatusCode = (method, code) => (oldMethod) => (req, res) => {
-      if (req.method === method) {
-        res.setStatusLine(req.httpVersion, code, "");
-      } else {
-        oldMethod(req, res);
-      }
-    };
-
-    let mock = mockHandler(GLOBAL_PATH, returnStatusCode("GET", 401));
-    Service.recordManager.del(Service.metaURL);
-    _("Checking that remoteSetup returns false on 401 on first get /meta/global.");
-    do_check_false(Service._remoteSetup());
-    mock.restore();
-
-    Service.login("johndoe", "ilovejane", syncKey);
-    mock = mockHandler(GLOBAL_PATH, returnStatusCode("GET", 503));
-    Service.recordManager.del(Service.metaURL);
-    _("Checking that remoteSetup returns false on 503 on first get /meta/global.");
-    do_check_false(Service._remoteSetup());
-    do_check_eq(Service.status.sync, METARECORD_DOWNLOAD_FAIL);
-    mock.restore();
-
-    mock = mockHandler(GLOBAL_PATH, returnStatusCode("GET", 404));
-    Service.recordManager.del(Service.metaURL);
-    _("Checking that remoteSetup recovers on 404 on first get /meta/global.");
-    do_check_true(Service._remoteSetup());
-    mock.restore();
-
-    let makeOutdatedMeta = () => {
-      Service.metaModified = 0;
-      let infoResponse = Service._fetchInfo();
-      return {
-        status: infoResponse.status,
-        obj: {
-          crypto: infoResponse.obj.crypto,
-          clients: infoResponse.obj.clients,
-          meta: 1
-        }
-      };
-    }
-
-    _("Checking that remoteSetup recovers on 404 on get /meta/global after clear cached one.");
-    mock = mockHandler(GLOBAL_PATH, returnStatusCode("GET", 404));
-    Service.recordManager.set(Service.metaURL, { isNew: false });
-    do_check_true(Service._remoteSetup(makeOutdatedMeta()));
-    mock.restore();
-
-    _("Checking that remoteSetup returns false on 503 on get /meta/global after clear cached one.");
-    mock = mockHandler(GLOBAL_PATH, returnStatusCode("GET", 503));
-    Service.status.sync = "";
-    Service.recordManager.set(Service.metaURL, { isNew: false });
-    do_check_false(Service._remoteSetup(makeOutdatedMeta()));
-    do_check_eq(Service.status.sync, "");
-    mock.restore();
-
-    metaColl.delete({});
-
     _("Do an initial sync.");
     let beforeSync = Date.now()/1000;
     Service.sync();
@@ -230,6 +160,7 @@ function run_test() {
 
     do_check_false(Service.verifyAndFetchSymmetricKeys());
     do_check_eq(Service.status.login, LOGIN_FAILED_INVALID_PASSPHRASE);
+
   } finally {
     Svc.Prefs.resetBranch("");
     server.stop(do_test_finished);
diff --git a/services/sync/tests/unit/test_service_sync_specified.js b/services/sync/tests/unit/test_service_sync_specified.js
deleted file mode 100644
index 7cb0f9d9c6..0000000000
--- a/services/sync/tests/unit/test_service_sync_specified.js
+++ /dev/null
@@ -1,160 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-sync/engines.js");
-Cu.import("resource://services-sync/engines/clients.js");
-Cu.import("resource://services-sync/record.js");
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/util.js");
-Cu.import("resource://testing-common/services/sync/utils.js");
-
-initTestLogging();
-Service.engineManager.clear();
-
-let syncedEngines = []
-
-function SteamEngine() {
-  SyncEngine.call(this, "Steam", Service);
-}
-SteamEngine.prototype = {
-  __proto__: SyncEngine.prototype,
-  _sync: function _sync() {
-    syncedEngines.push(this.name);
-  }
-};
-Service.engineManager.register(SteamEngine);
-
-function StirlingEngine() {
-  SyncEngine.call(this, "Stirling", Service);
-}
-StirlingEngine.prototype = {
-  __proto__: SteamEngine.prototype,
-  _sync: function _sync() {
-    syncedEngines.push(this.name);
-  }
-};
-Service.engineManager.register(StirlingEngine);
-
-// Tracking info/collections.
-var collectionsHelper = track_collections_helper();
-var upd = collectionsHelper.with_updated_collection;
-
-function sync_httpd_setup(handlers) {
-
-  handlers["/1.1/johndoe/info/collections"] = collectionsHelper.handler;
-  delete collectionsHelper.collections.crypto;
-  delete collectionsHelper.collections.meta;
-
-  let cr = new ServerWBO("keys");
-  handlers["/1.1/johndoe/storage/crypto/keys"] =
-    upd("crypto", cr.handler());
-
-  let cl = new ServerCollection();
-  handlers["/1.1/johndoe/storage/clients"] =
-    upd("clients", cl.handler());
-
-  return httpd_setup(handlers);
-}
-
-function setUp() {
-  syncedEngines = [];
-  let engine = Service.engineManager.get("steam");
-  engine.enabled = true;
-  engine.syncPriority = 1;
-
-  engine = Service.engineManager.get("stirling");
-  engine.enabled = true;
-  engine.syncPriority = 2;
-
-  let server = sync_httpd_setup({
-    "/1.1/johndoe/storage/meta/global": new ServerWBO("global", {}).handler(),
-  });
-  new SyncTestingInfrastructure(server, "johndoe", "ilovejane",
-                                "abcdeabcdeabcdeabcdeabcdea");
-  return server;
-}
-
-function run_test() {
-  initTestLogging("Trace");
-  validate_all_future_pings();
-  Log.repository.getLogger("Sync.Service").level = Log.Level.Trace;
-  Log.repository.getLogger("Sync.ErrorHandler").level = Log.Level.Trace;
-
-  run_next_test();
-}
-
-add_test(function test_noEngines() {
-  _("Test: An empty array of engines to sync does nothing.");
-  let server = setUp();
-
-  try {
-    _("Sync with no engines specified.");
-    Service.sync([]);
-    deepEqual(syncedEngines, [], "no engines were synced");
-
-  } finally {
-    Service.startOver();
-    server.stop(run_next_test);
-  }
-});
-
-add_test(function test_oneEngine() {
-  _("Test: Only one engine is synced.");
-  let server = setUp();
-
-  try {
-
-    _("Sync with 1 engine specified.");
-    Service.sync(["steam"]);
-    deepEqual(syncedEngines, ["steam"])
-
-  } finally {
-    Service.startOver();
-    server.stop(run_next_test);
-  }
-});
-
-add_test(function test_bothEnginesSpecified() {
-  _("Test: All engines are synced when specified in the correct order (1).");
-  let server = setUp();
-
-  try {
-    _("Sync with both engines specified.");
-    Service.sync(["steam", "stirling"]);
-    deepEqual(syncedEngines, ["steam", "stirling"])
-
-  } finally {
-    Service.startOver();
-    server.stop(run_next_test);
-  }
-});
-
-add_test(function test_bothEnginesSpecified() {
-  _("Test: All engines are synced when specified in the correct order (2).");
-  let server = setUp();
-
-  try {
-    _("Sync with both engines specified.");
-    Service.sync(["stirling", "steam"]);
-    deepEqual(syncedEngines, ["stirling", "steam"])
-
-  } finally {
-    Service.startOver();
-    server.stop(run_next_test);
-  }
-});
-
-add_test(function test_bothEnginesDefault() {
-  _("Test: All engines are synced when nothing is specified.");
-  let server = setUp();
-
-  try {
-    Service.sync();
-    deepEqual(syncedEngines, ["steam", "stirling"])
-
-  } finally {
-    Service.startOver();
-    server.stop(run_next_test);
-  }
-});
diff --git a/services/sync/tests/unit/test_service_sync_updateEnabledEngines.js b/services/sync/tests/unit/test_service_sync_updateEnabledEngines.js
index ee1800fd3f..c945cb6c24 100644
--- a/services/sync/tests/unit/test_service_sync_updateEnabledEngines.js
+++ b/services/sync/tests/unit/test_service_sync_updateEnabledEngines.js
@@ -41,15 +41,13 @@ function StirlingEngine() {
 StirlingEngine.prototype = {
   __proto__: SteamEngine.prototype,
   // This engine's enabled state is the same as the SteamEngine's.
-  get prefName() {
-    return "steam";
-  }
+  get prefName() "steam"
 };
 Service.engineManager.register(StirlingEngine);
 
 // Tracking info/collections.
-var collectionsHelper = track_collections_helper();
-var upd = collectionsHelper.with_updated_collection;
+let collectionsHelper = track_collections_helper();
+let upd = collectionsHelper.with_updated_collection;
 
 function sync_httpd_setup(handlers) {
 
@@ -86,7 +84,6 @@ function run_test() {
   initTestLogging("Trace");
   Log.repository.getLogger("Sync.Service").level = Log.Level.Trace;
   Log.repository.getLogger("Sync.ErrorHandler").level = Log.Level.Trace;
-  validate_all_future_pings();
 
   run_next_test();
 }
diff --git a/services/sync/tests/unit/test_service_wipeServer.js b/services/sync/tests/unit/test_service_wipeServer.js
index 9320f4b88a..3fc45cf86b 100644
--- a/services/sync/tests/unit/test_service_wipeServer.js
+++ b/services/sync/tests/unit/test_service_wipeServer.js
@@ -31,7 +31,7 @@ FakeCollection.prototype = {
   }
 };
 
-function* setUpTestFixtures(server) {
+function setUpTestFixtures(server) {
   let cryptoService = new FakeCryptoService();
 
   Service.serverURL = server.baseURI + "/";
@@ -52,7 +52,7 @@ function promiseStopServer(server) {
   return deferred.promise;
 }
 
-add_identity_test(this, function* test_wipeServer_list_success() {
+add_identity_test(this, function test_wipeServer_list_success() {
   _("Service.wipeServer() deletes collections given as argument.");
 
   let steam_coll = new FakeCollection();
@@ -86,7 +86,7 @@ add_identity_test(this, function* test_wipeServer_list_success() {
   }
 });
 
-add_identity_test(this, function* test_wipeServer_list_503() {
+add_identity_test(this, function test_wipeServer_list_503() {
   _("Service.wipeServer() deletes collections given as argument.");
 
   let steam_coll = new FakeCollection();
@@ -127,7 +127,7 @@ add_identity_test(this, function* test_wipeServer_list_503() {
   }
 });
 
-add_identity_test(this, function* test_wipeServer_all_success() {
+add_identity_test(this, function test_wipeServer_all_success() {
   _("Service.wipeServer() deletes all the things.");
 
   /**
@@ -157,7 +157,7 @@ add_identity_test(this, function* test_wipeServer_all_success() {
   Svc.Prefs.resetBranch("");
 });
 
-add_identity_test(this, function* test_wipeServer_all_404() {
+add_identity_test(this, function test_wipeServer_all_404() {
   _("Service.wipeServer() accepts a 404.");
 
   /**
@@ -189,7 +189,7 @@ add_identity_test(this, function* test_wipeServer_all_404() {
   Svc.Prefs.resetBranch("");
 });
 
-add_identity_test(this, function* test_wipeServer_all_503() {
+add_identity_test(this, function test_wipeServer_all_503() {
   _("Service.wipeServer() throws if it encounters a non-200/404 response.");
 
   /**
@@ -221,7 +221,7 @@ add_identity_test(this, function* test_wipeServer_all_503() {
   Svc.Prefs.resetBranch("");
 });
 
-add_identity_test(this, function* test_wipeServer_all_connectionRefused() {
+add_identity_test(this, function test_wipeServer_all_connectionRefused() {
   _("Service.wipeServer() throws if it encounters a network problem.");
   let server = httpd_setup({});
   yield setUpTestFixtures(server);
diff --git a/services/sync/tests/unit/test_status.js b/services/sync/tests/unit/test_status.js
index 378aafe908..bc2d67f425 100644
--- a/services/sync/tests/unit/test_status.js
+++ b/services/sync/tests/unit/test_status.js
@@ -18,9 +18,9 @@ function run_test() {
 
 
   // Check login status
-  for (let code of [LOGIN_FAILED_NO_USERNAME,
-                    LOGIN_FAILED_NO_PASSWORD,
-                    LOGIN_FAILED_NO_PASSPHRASE]) {
+  for each (let code in [LOGIN_FAILED_NO_USERNAME,
+                         LOGIN_FAILED_NO_PASSWORD,
+                         LOGIN_FAILED_NO_PASSPHRASE]) {
     Status.login = code;
     do_check_eq(Status.login, code);
     do_check_eq(Status.service, CLIENT_NOT_CONFIGURED);
diff --git a/services/sync/tests/unit/test_syncedtabs.js b/services/sync/tests/unit/test_syncedtabs.js
deleted file mode 100644
index fe2cb6d1b2..0000000000
--- a/services/sync/tests/unit/test_syncedtabs.js
+++ /dev/null
@@ -1,221 +0,0 @@
-/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*-
- * vim:set ts=2 sw=2 sts=2 et:
-*/
-"use strict";
-
-Cu.import("resource://services-sync/main.js");
-Cu.import("resource://services-sync/SyncedTabs.jsm");
-Cu.import("resource://gre/modules/Log.jsm");
-
-const faviconService = Cc["@mozilla.org/browser/favicon-service;1"]
-                       .getService(Ci.nsIFaviconService);
-
-Log.repository.getLogger("Sync.RemoteTabs").addAppender(new Log.DumpAppender());
-
-// A mock "Tabs" engine which the SyncedTabs module will use instead of the real
-// engine. We pass a constructor that Sync creates.
-function MockTabsEngine() {
-  this.clients = {}; // We'll set this dynamically
-}
-
-MockTabsEngine.prototype = {
-  name: "tabs",
-  enabled: true,
-
-  getAllClients() {
-    return this.clients;
-  },
-
-  getOpenURLs() {
-    return new Set();
-  },
-}
-
-// A clients engine that doesn't need to be a constructor.
-let MockClientsEngine = {
-  clientSettings: null, // Set in `configureClients`.
-
-  isMobile(guid) {
-    if (!guid.endsWith("desktop") && !guid.endsWith("mobile")) {
-      throw new Error("this module expected guids to end with 'desktop' or 'mobile'");
-    }
-    return guid.endsWith("mobile");
-  },
-  remoteClientExists(id) {
-    return this.clientSettings[id] !== false;
-  },
-  getClientName(id) {
-    if (this.clientSettings[id]) {
-      return this.clientSettings[id];
-    }
-    let engine = Weave.Service.engineManager.get("tabs");
-    return engine.clients[id].clientName;
-  },
-}
-
-// Configure Sync with our mock tabs engine and force it to become initialized.
-Services.prefs.setCharPref("services.sync.username", "someone@somewhere.com");
-
-Weave.Service.engineManager.unregister("tabs");
-Weave.Service.engineManager.register(MockTabsEngine);
-Weave.Service.clientsEngine = MockClientsEngine;
-
-// Tell the Sync XPCOM service it is initialized.
-let weaveXPCService = Cc["@mozilla.org/weave/service;1"]
-                        .getService(Ci.nsISupports)
-                        .wrappedJSObject;
-weaveXPCService.ready = true;
-
-function configureClients(clients, clientSettings = {}) {
-  // Configure the instance Sync created.
-  let engine = Weave.Service.engineManager.get("tabs");
-  // each client record is expected to have an id.
-  for (let [guid, client] of Object.entries(clients)) {
-    client.id = guid;
-  }
-  engine.clients = clients;
-  // Apply clients collection overrides.
-  MockClientsEngine.clientSettings = clientSettings;
-  // Send an observer that pretends the engine just finished a sync.
-  Services.obs.notifyObservers(null, "weave:engine:sync:finish", "tabs");
-}
-
-// The tests.
-add_task(function* test_noClients() {
-  // no clients, can't be tabs.
-  yield configureClients({});
-
-  let tabs = yield SyncedTabs.getTabClients();
-  equal(Object.keys(tabs).length, 0);
-});
-
-add_task(function* test_clientWithTabs() {
-  yield configureClients({
-    guid_desktop: {
-      clientName: "My Desktop",
-      tabs: [
-      {
-        urlHistory: ["http://foo.com/"],
-        icon: "http://foo.com/favicon",
-      }],
-    },
-    guid_mobile: {
-      clientName: "My Phone",
-      tabs: [],
-    }
-  });
-
-  let clients = yield SyncedTabs.getTabClients();
-  equal(clients.length, 2);
-  clients.sort((a, b) => { return a.name.localeCompare(b.name);});
-  equal(clients[0].tabs.length, 1);
-  equal(clients[0].tabs[0].url, "http://foo.com/");
-  equal(clients[0].tabs[0].icon, "http://foo.com/favicon");
-  // second client has no tabs.
-  equal(clients[1].tabs.length, 0);
-});
-
-add_task(function* test_staleClientWithTabs() {
-  yield configureClients({
-    guid_desktop: {
-      clientName: "My Desktop",
-      tabs: [
-      {
-        urlHistory: ["http://foo.com/"],
-        icon: "http://foo.com/favicon",
-      }],
-    },
-    guid_mobile: {
-      clientName: "My Phone",
-      tabs: [],
-    },
-    guid_stale_mobile: {
-      clientName: "My Deleted Phone",
-      tabs: [],
-    },
-    guid_stale_desktop: {
-      clientName: "My Deleted Laptop",
-      tabs: [
-      {
-        urlHistory: ["https://bar.com/"],
-        icon: "https://bar.com/favicon",
-      }],
-    },
-    guid_stale_name_desktop: {
-      clientName: "My Generic Device",
-      tabs: [
-      {
-        urlHistory: ["https://example.edu/"],
-        icon: "https://example.edu/favicon",
-      }],
-    },
-  }, {
-    guid_stale_mobile: false,
-    guid_stale_desktop: false,
-    // We should always use the device name from the clients collection, instead
-    // of the possibly stale tabs collection.
-    guid_stale_name_desktop: "My Laptop",
-  });
-  let clients = yield SyncedTabs.getTabClients();
-  clients.sort((a, b) => { return a.name.localeCompare(b.name);});
-  equal(clients.length, 3);
-  equal(clients[0].name, "My Desktop");
-  equal(clients[0].tabs.length, 1);
-  equal(clients[0].tabs[0].url, "http://foo.com/");
-  equal(clients[1].name, "My Laptop");
-  equal(clients[1].tabs.length, 1);
-  equal(clients[1].tabs[0].url, "https://example.edu/");
-  equal(clients[2].name, "My Phone");
-  equal(clients[2].tabs.length, 0);
-});
-
-add_task(function* test_clientWithTabsIconsDisabled() {
-  Services.prefs.setBoolPref("services.sync.syncedTabs.showRemoteIcons", false);
-  yield configureClients({
-    guid_desktop: {
-      clientName: "My Desktop",
-      tabs: [
-      {
-        urlHistory: ["http://foo.com/"],
-        icon: "http://foo.com/favicon",
-      }],
-    },
-  });
-
-  let clients = yield SyncedTabs.getTabClients();
-  equal(clients.length, 1);
-  clients.sort((a, b) => { return a.name.localeCompare(b.name);});
-  equal(clients[0].tabs.length, 1);
-  equal(clients[0].tabs[0].url, "http://foo.com/");
-  // expect the default favicon (empty string) due to the pref being false.
-  equal(clients[0].tabs[0].icon, "");
-  Services.prefs.clearUserPref("services.sync.syncedTabs.showRemoteIcons");
-});
-
-add_task(function* test_filter() {
-  // Nothing matches.
-  yield configureClients({
-    guid_desktop: {
-      clientName: "My Desktop",
-      tabs: [
-      {
-        urlHistory: ["http://foo.com/"],
-        title: "A test page.",
-      },
-      {
-        urlHistory: ["http://bar.com/"],
-        title: "Another page.",
-      }],
-    },
-  });
-
-  let clients = yield SyncedTabs.getTabClients("foo");
-  equal(clients.length, 1);
-  equal(clients[0].tabs.length, 1);
-  equal(clients[0].tabs[0].url, "http://foo.com/");
-  // check it matches the title.
-  clients = yield SyncedTabs.getTabClients("test");
-  equal(clients.length, 1);
-  equal(clients[0].tabs.length, 1);
-  equal(clients[0].tabs[0].url, "http://foo.com/");
-});
diff --git a/services/sync/tests/unit/test_syncengine.js b/services/sync/tests/unit/test_syncengine.js
index 8c01ca0489..393e496078 100644
--- a/services/sync/tests/unit/test_syncengine.js
+++ b/services/sync/tests/unit/test_syncengine.js
@@ -10,7 +10,7 @@ function makeSteamEngine() {
   return new SyncEngine('Steam', Service);
 }
 
-var server;
+let server;
 
 function test_url_attributes() {
   _("SyncEngine url attributes");
@@ -35,12 +35,12 @@ function test_syncID() {
     do_check_eq(Svc.Prefs.get("steam.syncID"), undefined);
 
     // Performing the first get on the attribute will generate a new GUID.
-    do_check_eq(engine.syncID, "fake-guid-00");
-    do_check_eq(Svc.Prefs.get("steam.syncID"), "fake-guid-00");
+    do_check_eq(engine.syncID, "fake-guid-0");
+    do_check_eq(Svc.Prefs.get("steam.syncID"), "fake-guid-0");
 
     Svc.Prefs.set("steam.syncID", Utils.makeGUID());
-    do_check_eq(Svc.Prefs.get("steam.syncID"), "fake-guid-01");
-    do_check_eq(engine.syncID, "fake-guid-01");
+    do_check_eq(Svc.Prefs.get("steam.syncID"), "fake-guid-1");
+    do_check_eq(engine.syncID, "fake-guid-1");
   } finally {
     Svc.Prefs.resetBranch("");
   }
diff --git a/services/sync/tests/unit/test_syncengine_sync.js b/services/sync/tests/unit/test_syncengine_sync.js
index 97289962f1..6a6d047bf5 100644
--- a/services/sync/tests/unit/test_syncengine_sync.js
+++ b/services/sync/tests/unit/test_syncengine_sync.js
@@ -15,22 +15,13 @@ function makeRotaryEngine() {
   return new RotaryEngine(Service);
 }
 
-function clean() {
+function cleanAndGo(server) {
   Svc.Prefs.resetBranch("");
   Svc.Prefs.set("log.logger.engine.rotary", "Trace");
   Service.recordManager.clearCache();
-}
-
-function cleanAndGo(server) {
-  clean();
   server.stop(run_next_test);
 }
 
-function promiseClean(server) {
-  clean();
-  return new Promise(resolve => server.stop(resolve));
-}
-
 function configureService(server, username, password) {
   Service.clusterURL = server.baseURI;
 
@@ -181,7 +172,7 @@ add_test(function test_syncStartup_syncIDMismatchResetsClient() {
   try {
 
     // Confirm initial environment
-    do_check_eq(engine.syncID, 'fake-guid-00');
+    do_check_eq(engine.syncID, 'fake-guid-0');
     do_check_eq(engine._tracker.changedIDs["rekolok"], undefined);
 
     engine.lastSync = Date.now() / 1000;
@@ -676,7 +667,7 @@ add_test(function test_processIncoming_mobile_batchSize() {
 });
 
 
-add_task(function *test_processIncoming_store_toFetch() {
+add_test(function test_processIncoming_store_toFetch() {
   _("If processIncoming fails in the middle of a batch on mobile, state is saved in toFetch and lastSync.");
   Service.identity.username = "foo";
   Svc.Prefs.set("client.type", "mobile");
@@ -723,10 +714,11 @@ add_task(function *test_processIncoming_store_toFetch() {
 
     let error;
     try {
-      yield sync_engine_and_validate_telem(engine, true);
+      engine.sync();
     } catch (ex) {
       error = ex;
     }
+    do_check_true(!!error);
 
     // Only the first two batches have been applied.
     do_check_eq(Object.keys(engine._store.items).length,
@@ -738,7 +730,7 @@ add_task(function *test_processIncoming_store_toFetch() {
     do_check_eq(engine.lastSync, collection.wbo("record-no-99").modified);
 
   } finally {
-    yield promiseClean(server);
+    cleanAndGo(server);
   }
 });
 
@@ -1229,7 +1221,7 @@ add_test(function test_processIncoming_failed_records() {
 });
 
 
-add_task(function *test_processIncoming_decrypt_failed() {
+add_test(function test_processIncoming_decrypt_failed() {
   _("Ensure that records failing to decrypt are either replaced or refetched.");
 
   Service.identity.username = "foo";
@@ -1288,10 +1280,7 @@ add_task(function *test_processIncoming_decrypt_failed() {
     });
 
     engine.lastSync = collection.wbo("nojson").modified - 1;
-    let ping = yield sync_engine_and_validate_telem(engine, true);
-    do_check_eq(ping.engines[0].incoming.applied, 2);
-    do_check_eq(ping.engines[0].incoming.failed, 4);
-    do_check_eq(ping.engines[0].incoming.newFailed, 4);
+    engine.sync();
 
     do_check_eq(engine.previousFailed.length, 4);
     do_check_eq(engine.previousFailed[0], "nojson");
@@ -1305,7 +1294,7 @@ add_task(function *test_processIncoming_decrypt_failed() {
     do_check_eq(observerSubject.failed, 4);
 
   } finally {
-    yield promiseClean(server);
+    cleanAndGo(server);
   }
 });
 
@@ -1369,7 +1358,7 @@ add_test(function test_uploadOutgoing_toEmptyServer() {
 });
 
 
-add_task(function *test_uploadOutgoing_failed() {
+add_test(function test_uploadOutgoing_failed() {
   _("SyncEngine._uploadOutgoing doesn't clear the tracker of objects that failed to upload.");
 
   Service.identity.username = "foo";
@@ -1412,7 +1401,7 @@ add_task(function *test_uploadOutgoing_failed() {
     do_check_eq(engine._tracker.changedIDs['peppercorn'], PEPPERCORN_CHANGED);
 
     engine.enabled = true;
-    yield sync_engine_and_validate_telem(engine, true);
+    engine.sync();
 
     // Local timestamp has been set.
     do_check_true(engine.lastSyncLocal > 0);
@@ -1427,14 +1416,11 @@ add_task(function *test_uploadOutgoing_failed() {
     do_check_eq(engine._tracker.changedIDs['peppercorn'], PEPPERCORN_CHANGED);
 
   } finally {
-    yield promiseClean(server);
+    cleanAndGo(server);
   }
 });
 
-/* A couple of "functional" tests to ensure we split records into appropriate
-   POST requests. More comprehensive unit-tests for this "batching" are in
-   test_postqueue.js.
-*/
+
 add_test(function test_uploadOutgoing_MAX_UPLOAD_RECORDS() {
   _("SyncEngine._uploadOutgoing uploads in batches of MAX_UPLOAD_RECORDS");
 
@@ -1444,18 +1430,9 @@ add_test(function test_uploadOutgoing_MAX_UPLOAD_RECORDS() {
   // Let's count how many times the client posts to the server
   var noOfUploads = 0;
   collection.post = (function(orig) {
-    return function(data, request) {
-      // This test doesn't arrange for batch semantics - so we expect the
-      // first request to come in with batch=true and the others to have no
-      // batch related headers at all (as the first response did not provide
-      // a batch ID)
-      if (noOfUploads == 0) {
-        do_check_eq(request.queryString, "batch=true");
-      } else {
-        do_check_eq(request.queryString, "");
-      }
+    return function() {
       noOfUploads++;
-      return orig.call(this, data, request);
+      return orig.apply(this, arguments);
     };
   }(collection.post));
 
@@ -1500,44 +1477,6 @@ add_test(function test_uploadOutgoing_MAX_UPLOAD_RECORDS() {
   }
 });
 
-add_test(function test_uploadOutgoing_largeRecords() {
-  _("SyncEngine._uploadOutgoing throws on records larger than MAX_UPLOAD_BYTES");
-
-  Service.identity.username = "foo";
-  let collection = new ServerCollection();
-
-  let engine = makeRotaryEngine();
-  engine.allowSkippedRecord = false;
-  engine._store.items["large-item"] = "Y".repeat(MAX_UPLOAD_BYTES*2);
-  engine._tracker.addChangedID("large-item", 0);
-  collection.insert("large-item");
-
-
-  let meta_global = Service.recordManager.set(engine.metaURL,
-                                              new WBORecord(engine.metaURL));
-  meta_global.payload.engines = {rotary: {version: engine.version,
-                                         syncID: engine.syncID}};
-
-  let server = sync_httpd_setup({
-      "/1.1/foo/storage/rotary": collection.handler()
-  });
-
-  let syncTesting = new SyncTestingInfrastructure(server);
-
-  try {
-    engine._syncStartup();
-    let error = null;
-    try {
-      engine._uploadOutgoing();
-    } catch (e) {
-      error = e;
-    }
-    ok(!!error);
-  } finally {
-    cleanAndGo(server);
-  }
-});
-
 
 add_test(function test_syncFinish_noDelete() {
   _("SyncEngine._syncFinish resets tracker's score");
@@ -1667,7 +1606,7 @@ add_test(function test_syncFinish_deleteLotsInBatches() {
 });
 
 
-add_task(function *test_sync_partialUpload() {
+add_test(function test_sync_partialUpload() {
   _("SyncEngine.sync() keeps changedIDs that couldn't be uploaded.");
 
   Service.identity.username = "foo";
@@ -1715,12 +1654,11 @@ add_task(function *test_sync_partialUpload() {
     engine.enabled = true;
     let error;
     try {
-      yield sync_engine_and_validate_telem(engine, true);
+      engine.sync();
     } catch (ex) {
       error = ex;
     }
-
-    ok(!!error);
+    do_check_true(!!error);
 
     // The timestamp has been updated.
     do_check_true(engine.lastSyncLocal > 456);
@@ -1738,7 +1676,7 @@ add_task(function *test_sync_partialUpload() {
     }
 
   } finally {
-    yield promiseClean(server);
+    cleanAndGo(server);
   }
 });
 
diff --git a/services/sync/tests/unit/test_syncscheduler.js b/services/sync/tests/unit/test_syncscheduler.js
index 730a3f996d..d496b88382 100644
--- a/services/sync/tests/unit/test_syncscheduler.js
+++ b/services/sync/tests/unit/test_syncscheduler.js
@@ -26,13 +26,8 @@ CatapultEngine.prototype = {
 
 Service.engineManager.register(CatapultEngine);
 
-var scheduler = new SyncScheduler(Service);
-var clientsEngine = Service.clientsEngine;
-
-// Don't remove stale clients when syncing. This is a test-only workaround
-// that lets us add clients directly to the store, without losing them on
-// the next sync.
-clientsEngine._removeRemoteClient = id => {};
+let scheduler = new SyncScheduler(Service);
+let clientsEngine = Service.clientsEngine;
 
 function sync_httpd_setup() {
   let global = new ServerWBO("global", {
@@ -74,7 +69,6 @@ function setUp(server) {
 function cleanUpAndGo(server) {
   let deferred = Promise.defer();
   Utils.nextTick(function () {
-    clientsEngine._store.wipe();
     Service.startOver();
     if (server) {
       server.stop(deferred.resolve);
@@ -90,7 +84,6 @@ function run_test() {
 
   Log.repository.getLogger("Sync.Service").level = Log.Level.Trace;
   Log.repository.getLogger("Sync.scheduler").level = Log.Level.Trace;
-  validate_all_future_pings();
 
   // The scheduler checks Weave.fxaEnabled to determine whether to use
   // FxA defaults or legacy defaults.  As .fxaEnabled checks the username, we
@@ -148,33 +141,22 @@ add_test(function test_prefAttributes() {
               Svc.Prefs.get("scheduler.immediateInterval") * 1000);
 
   _("Custom values for prefs will take effect after a restart.");
-  Svc.Prefs.set("scheduler.sync11.singleDeviceInterval", 420);
-  Svc.Prefs.set("scheduler.idleInterval", 230);
-  Svc.Prefs.set("scheduler.activeInterval", 180);
+  Svc.Prefs.set("scheduler.sync11.singleDeviceInterval", 42);
+  Svc.Prefs.set("scheduler.idleInterval", 23);
+  Svc.Prefs.set("scheduler.activeInterval", 18);
   Svc.Prefs.set("scheduler.immediateInterval", 31415);
   scheduler.setDefaults();
-  do_check_eq(scheduler.idleInterval, 230000);
-  do_check_eq(scheduler.singleDeviceInterval, 420000);
-  do_check_eq(scheduler.activeInterval, 180000);
+  do_check_eq(scheduler.idleInterval, 23000);
+  do_check_eq(scheduler.singleDeviceInterval, 42000);
+  do_check_eq(scheduler.activeInterval, 18000);
   do_check_eq(scheduler.immediateInterval, 31415000);
 
-  _("Custom values for interval prefs can't be less than 60 seconds.");
-  Svc.Prefs.set("scheduler.sync11.singleDeviceInterval", 42);
-  Svc.Prefs.set("scheduler.idleInterval", 50);
-  Svc.Prefs.set("scheduler.activeInterval", 50);
-  Svc.Prefs.set("scheduler.immediateInterval", 10);
-  scheduler.setDefaults();
-  do_check_eq(scheduler.idleInterval, 60000);
-  do_check_eq(scheduler.singleDeviceInterval, 60000);
-  do_check_eq(scheduler.activeInterval, 60000);
-  do_check_eq(scheduler.immediateInterval, 60000);
-
   Svc.Prefs.resetBranch("");
   scheduler.setDefaults();
   run_next_test();
 });
 
-add_identity_test(this, function* test_updateClientMode() {
+add_identity_test(this, function test_updateClientMode() {
   _("Test updateClientMode adjusts scheduling attributes based on # of clients appropriately");
   do_check_eq(scheduler.syncThreshold, SINGLE_USER_THRESHOLD);
   do_check_eq(scheduler.syncInterval, scheduler.singleDeviceInterval);
@@ -204,7 +186,7 @@ add_identity_test(this, function* test_updateClientMode() {
   yield cleanUpAndGo();
 });
 
-add_identity_test(this, function* test_masterpassword_locked_retry_interval() {
+add_identity_test(this, function test_masterpassword_locked_retry_interval() {
   _("Test Status.login = MASTER_PASSWORD_LOCKED results in reschedule at MASTER_PASSWORD interval");
   let loginFailed = false;
   Svc.Obs.add("weave:service:login:error", function onLoginError() {
@@ -241,7 +223,7 @@ add_identity_test(this, function* test_masterpassword_locked_retry_interval() {
   yield cleanUpAndGo(server);
 });
 
-add_identity_test(this, function* test_calculateBackoff() {
+add_identity_test(this, function test_calculateBackoff() {
   do_check_eq(Status.backoffInterval, 0);
 
   // Test no interval larger than the maximum backoff is used if
@@ -263,7 +245,7 @@ add_identity_test(this, function* test_calculateBackoff() {
   yield cleanUpAndGo();
 });
 
-add_identity_test(this, function* test_scheduleNextSync_nowOrPast() {
+add_identity_test(this, function test_scheduleNextSync_nowOrPast() {
   let deferred = Promise.defer();
   Svc.Obs.add("weave:service:sync:finish", function onSyncFinish() {
     Svc.Obs.remove("weave:service:sync:finish", onSyncFinish);
@@ -278,7 +260,7 @@ add_identity_test(this, function* test_scheduleNextSync_nowOrPast() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_scheduleNextSync_future_noBackoff() {
+add_identity_test(this, function test_scheduleNextSync_future_noBackoff() {
   _("scheduleNextSync() uses the current syncInterval if no interval is provided.");
   // Test backoffInterval is 0 as expected.
   do_check_eq(Status.backoffInterval, 0);
@@ -327,7 +309,7 @@ add_identity_test(this, function* test_scheduleNextSync_future_noBackoff() {
   yield cleanUpAndGo();
 });
 
-add_identity_test(this, function* test_scheduleNextSync_future_backoff() {
+add_identity_test(this, function test_scheduleNextSync_future_backoff() {
  _("scheduleNextSync() will honour backoff in all scheduling requests.");
   // Let's take a backoff interval that's bigger than the default sync interval.
   const BACKOFF = 7337;
@@ -377,7 +359,7 @@ add_identity_test(this, function* test_scheduleNextSync_future_backoff() {
   yield cleanUpAndGo();
 });
 
-add_identity_test(this, function* test_handleSyncError() {
+add_identity_test(this, function test_handleSyncError() {
   let server = sync_httpd_setup();
   yield setUp(server);
 
@@ -443,7 +425,7 @@ add_identity_test(this, function* test_handleSyncError() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_client_sync_finish_updateClientMode() {
+add_identity_test(this, function test_client_sync_finish_updateClientMode() {
   let server = sync_httpd_setup();
   yield setUp(server);
 
@@ -477,7 +459,7 @@ add_identity_test(this, function* test_client_sync_finish_updateClientMode() {
   yield cleanUpAndGo(server);
 });
 
-add_identity_test(this, function* test_autoconnect_nextSync_past() {
+add_identity_test(this, function test_autoconnect_nextSync_past() {
   let deferred = Promise.defer();
   // nextSync will be 0 by default, so it's way in the past.
 
@@ -493,7 +475,7 @@ add_identity_test(this, function* test_autoconnect_nextSync_past() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_autoconnect_nextSync_future() {
+add_identity_test(this, function test_autoconnect_nextSync_future() {
   let deferred = Promise.defer();
   let previousSync = Date.now() + scheduler.syncInterval / 2;
   scheduler.nextSync = previousSync;
@@ -522,7 +504,7 @@ add_identity_test(this, function* test_autoconnect_nextSync_future() {
 
 // XXX - this test can't be run with the browserid identity as it relies
 // on the syncKey getter behaving in a certain way...
-add_task(function* test_autoconnect_mp_locked() {
+add_task(function test_autoconnect_mp_locked() {
   let server = sync_httpd_setup();
   yield setUp(server);
 
@@ -559,7 +541,7 @@ add_task(function* test_autoconnect_mp_locked() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_no_autoconnect_during_wizard() {
+add_identity_test(this, function test_no_autoconnect_during_wizard() {
   let server = sync_httpd_setup();
   yield setUp(server);
 
@@ -582,7 +564,7 @@ add_identity_test(this, function* test_no_autoconnect_during_wizard() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_no_autoconnect_status_not_ok() {
+add_identity_test(this, function test_no_autoconnect_status_not_ok() {
   let server = sync_httpd_setup();
 
   // Ensure we don't actually try to sync (or log in for that matter).
@@ -605,7 +587,7 @@ add_identity_test(this, function* test_no_autoconnect_status_not_ok() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_autoconnectDelay_pref() {
+add_identity_test(this, function test_autoconnectDelay_pref() {
   let deferred = Promise.defer();
   Svc.Obs.add("weave:service:sync:finish", function onSyncFinish() {
     Svc.Obs.remove("weave:service:sync:finish", onSyncFinish);
@@ -625,7 +607,7 @@ add_identity_test(this, function* test_autoconnectDelay_pref() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_idle_adjustSyncInterval() {
+add_identity_test(this, function test_idle_adjustSyncInterval() {
   // Confirm defaults.
   do_check_eq(scheduler.idle, false);
 
@@ -645,7 +627,7 @@ add_identity_test(this, function* test_idle_adjustSyncInterval() {
   yield cleanUpAndGo();
 });
 
-add_identity_test(this, function* test_back_triggersSync() {
+add_identity_test(this, function test_back_triggersSync() {
   // Confirm defaults.
   do_check_false(scheduler.idle);
   do_check_eq(Status.backoffInterval, 0);
@@ -668,7 +650,7 @@ add_identity_test(this, function* test_back_triggersSync() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_active_triggersSync_observesBackoff() {
+add_identity_test(this, function test_active_triggersSync_observesBackoff() {
   // Confirm defaults.
   do_check_false(scheduler.idle);
 
@@ -699,7 +681,7 @@ add_identity_test(this, function* test_active_triggersSync_observesBackoff() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_back_debouncing() {
+add_identity_test(this, function test_back_debouncing() {
   _("Ensure spurious back-then-idle events, as observed on OS X, don't trigger a sync.");
 
   // Confirm defaults.
@@ -727,7 +709,7 @@ add_identity_test(this, function* test_back_debouncing() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_no_sync_node() {
+add_identity_test(this, function test_no_sync_node() {
   // Test when Status.sync == NO_SYNC_NODE_FOUND
   // it is not overwritten on sync:finish
   let server = sync_httpd_setup();
@@ -742,7 +724,7 @@ add_identity_test(this, function* test_no_sync_node() {
   yield cleanUpAndGo(server);
 });
 
-add_identity_test(this, function* test_sync_failed_partial_500s() {
+add_identity_test(this, function test_sync_failed_partial_500s() {
   _("Test a 5xx status calls handleSyncError.");
   scheduler._syncErrors = MAX_ERROR_COUNT_BEFORE_BACKOFF;
   let server = sync_httpd_setup();
@@ -769,7 +751,7 @@ add_identity_test(this, function* test_sync_failed_partial_500s() {
   yield cleanUpAndGo(server);
 });
 
-add_identity_test(this, function* test_sync_failed_partial_400s() {
+add_identity_test(this, function test_sync_failed_partial_400s() {
   _("Test a non-5xx status doesn't call handleSyncError.");
   scheduler._syncErrors = MAX_ERROR_COUNT_BEFORE_BACKOFF;
   let server = sync_httpd_setup();
@@ -799,7 +781,7 @@ add_identity_test(this, function* test_sync_failed_partial_400s() {
   yield cleanUpAndGo(server);
 });
 
-add_identity_test(this, function* test_sync_X_Weave_Backoff() {
+add_identity_test(this, function test_sync_X_Weave_Backoff() {
   let server = sync_httpd_setup();
   yield setUp(server);
 
@@ -842,9 +824,9 @@ add_identity_test(this, function* test_sync_X_Weave_Backoff() {
   Service.sync();
 
   do_check_true(Status.backoffInterval >= BACKOFF * 1000);
-  // Allowing 3 seconds worth of of leeway between when Status.minimumNextSync
+  // Allowing 1 second worth of of leeway between when Status.minimumNextSync
   // was set and when this line gets executed.
-  let minimumExpectedDelay = (BACKOFF - 3) * 1000;
+  let minimumExpectedDelay = (BACKOFF - 1) * 1000;
   do_check_true(Status.minimumNextSync >= Date.now() + minimumExpectedDelay);
 
   // Verify that the next sync is actually going to wait that long.
@@ -854,7 +836,7 @@ add_identity_test(this, function* test_sync_X_Weave_Backoff() {
   yield cleanUpAndGo(server);
 });
 
-add_identity_test(this, function* test_sync_503_Retry_After() {
+add_identity_test(this, function test_sync_503_Retry_After() {
   let server = sync_httpd_setup();
   yield setUp(server);
 
@@ -901,9 +883,9 @@ add_identity_test(this, function* test_sync_503_Retry_After() {
 
   do_check_true(Status.enforceBackoff);
   do_check_true(Status.backoffInterval >= BACKOFF * 1000);
-  // Allowing 3 seconds worth of of leeway between when Status.minimumNextSync
+  // Allowing 1 second worth of of leeway between when Status.minimumNextSync
   // was set and when this line gets executed.
-  let minimumExpectedDelay = (BACKOFF - 3) * 1000;
+  let minimumExpectedDelay = (BACKOFF - 1) * 1000;
   do_check_true(Status.minimumNextSync >= Date.now() + minimumExpectedDelay);
 
   // Verify that the next sync is actually going to wait that long.
@@ -913,7 +895,7 @@ add_identity_test(this, function* test_sync_503_Retry_After() {
   yield cleanUpAndGo(server);
 });
 
-add_identity_test(this, function* test_loginError_recoverable_reschedules() {
+add_identity_test(this, function test_loginError_recoverable_reschedules() {
   _("Verify that a recoverable login error schedules a new sync.");
   yield configureIdentity({username: "johndoe"});
   Service.serverURL = "http://localhost:1234/";
@@ -957,7 +939,7 @@ add_identity_test(this, function* test_loginError_recoverable_reschedules() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_loginError_fatal_clearsTriggers() {
+add_identity_test(this, function test_loginError_fatal_clearsTriggers() {
   _("Verify that a fatal login error clears sync triggers.");
   yield configureIdentity({username: "johndoe"});
 
@@ -974,22 +956,11 @@ add_identity_test(this, function* test_loginError_fatal_clearsTriggers() {
   Svc.Obs.add("weave:service:login:error", function onLoginError() {
     Svc.Obs.remove("weave:service:login:error", onLoginError);
     Utils.nextTick(function aLittleBitAfterLoginError() {
+      do_check_eq(Status.login, LOGIN_FAILED_LOGIN_REJECTED);
+
+      do_check_eq(scheduler.nextSync, 0);
+      do_check_eq(scheduler.syncTimer, null);
 
-      if (isConfiguredWithLegacyIdentity()) {
-        // for the "legacy" identity, a 401 on info/collections means the
-        // password is wrong, so we enter a "login rejected" state.
-        do_check_eq(Status.login, LOGIN_FAILED_LOGIN_REJECTED);
-
-        do_check_eq(scheduler.nextSync, 0);
-        do_check_eq(scheduler.syncTimer, null);
-      } else {
-        // For the FxA identity, a 401 on info/collections means a transient
-        // error, probably due to an inability to fetch a token.
-        do_check_eq(Status.login, LOGIN_FAILED_NETWORK_ERROR);
-        // syncs should still be scheduled.
-        do_check_true(scheduler.nextSync > Date.now());
-        do_check_true(scheduler.syncTimer.delay > 0);
-      }
       cleanUpAndGo(server).then(deferred.resolve);
     });
   });
@@ -1004,7 +975,7 @@ add_identity_test(this, function* test_loginError_fatal_clearsTriggers() {
   yield deferred.promise;
 });
 
-add_identity_test(this, function* test_proper_interval_on_only_failing() {
+add_identity_test(this, function test_proper_interval_on_only_failing() {
   _("Ensure proper behavior when only failed records are applied.");
 
   // If an engine reports that no records succeeded, we shouldn't decrease the
diff --git a/services/sync/tests/unit/test_syncstoragerequest.js b/services/sync/tests/unit/test_syncstoragerequest.js
index 14e5daade7..7c5246baba 100644
--- a/services/sync/tests/unit/test_syncstoragerequest.js
+++ b/services/sync/tests/unit/test_syncstoragerequest.js
@@ -8,9 +8,6 @@ Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 Cu.import("resource://testing-common/services/sync/utils.js");
 
-var httpProtocolHandler = Cc["@mozilla.org/network/protocol;1?name=http"]
-                          .getService(Ci.nsIHttpProtocolHandler);
-
 function run_test() {
   Log.repository.getLogger("Sync.RESTRequest").level = Log.Level.Trace;
   initTestLogging();
@@ -25,7 +22,6 @@ add_test(function test_user_agent_desktop() {
   let server = httpd_setup({"/resource": handler});
 
   let expectedUA = Services.appinfo.name + "/" + Services.appinfo.version +
-                   " (" + httpProtocolHandler.oscpu + ")" +
                    " FxSync/" + WEAVE_VERSION + "." +
                    Services.appinfo.appBuildID + ".desktop";
 
@@ -45,7 +41,6 @@ add_test(function test_user_agent_mobile() {
 
   Svc.Prefs.set("client.type", "mobile");
   let expectedUA = Services.appinfo.name + "/" + Services.appinfo.version +
-                   " (" + httpProtocolHandler.oscpu + ")" +
                    " FxSync/" + WEAVE_VERSION + "." +
                    Services.appinfo.appBuildID + ".mobile";
 
diff --git a/services/sync/tests/unit/test_tab_engine.js b/services/sync/tests/unit/test_tab_engine.js
index 0492502306..db4b20a70d 100644
--- a/services/sync/tests/unit/test_tab_engine.js
+++ b/services/sync/tests/unit/test_tab_engine.js
@@ -1,7 +1,6 @@
 /* Any copyright is dedicated to the Public Domain.
    http://creativecommons.org/publicdomain/zero/1.0/ */
 
-Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/engines/tabs.js");
 Cu.import("resource://services-sync/record.js");
 Cu.import("resource://services-sync/service.js");
@@ -24,12 +23,11 @@ add_test(function test_getOpenURLs() {
   _("Test getOpenURLs.");
   let [engine, store] = getMocks();
 
-  let superLongURL = "http://" + (new Array(MAX_UPLOAD_BYTES).join("w")) + ".com/";
-  let urls = ["http://bar.com", "http://foo.com", "http://foobar.com", superLongURL];
-  function fourURLs() {
+  let urls = ["http://bar.com", "http://foo.com", "http://foobar.com"];
+  function threeURLs() {
     return urls.pop();
   }
-  store.getWindowEnumerator = mockGetWindowEnumerator.bind(this, fourURLs, 1, 4);
+  store.getWindowEnumerator = mockGetWindowEnumerator.bind(this, threeURLs, 1, 3);
 
   let matches;
 
@@ -42,10 +40,6 @@ add_test(function test_getOpenURLs() {
   matches = openurlsset.has("http://barfoo.com");
   ok(!matches);
 
-  _("  test matching works (too long)");
-  matches = openurlsset.has(superLongURL);
-  ok(!matches);
-
   run_next_test();
 });
 
diff --git a/services/sync/tests/unit/test_tab_store.js b/services/sync/tests/unit/test_tab_store.js
index 93b60f0c7a..f8265492fb 100644
--- a/services/sync/tests/unit/test_tab_store.js
+++ b/services/sync/tests/unit/test_tab_store.js
@@ -20,26 +20,32 @@ function test_create() {
   _("Create a first record");
   let rec = {id: "id1",
              clientName: "clientName1",
-             cleartext: { "foo": "bar" },
+             cleartext: "cleartext1",
              modified: 1000};
   store.applyIncoming(rec);
-  deepEqual(store._remoteClients["id1"], { lastModified: 1000, foo: "bar" });
+  do_check_eq(store._remoteClients["id1"], "cleartext1");
+  do_check_eq(Svc.Prefs.get("notifyTabState"), 1);
 
   _("Create a second record");
   rec = {id: "id2",
          clientName: "clientName2",
-         cleartext: { "foo2": "bar2" },
+         cleartext: "cleartext2",
          modified: 2000};
   store.applyIncoming(rec);
-  deepEqual(store._remoteClients["id2"], { lastModified: 2000, foo2: "bar2" });
+  do_check_eq(store._remoteClients["id2"], "cleartext2");
+  do_check_eq(Svc.Prefs.get("notifyTabState"), 0);
 
   _("Create a third record");
   rec = {id: "id3",
          clientName: "clientName3",
-         cleartext: { "foo3": "bar3" },
+         cleartext: "cleartext3",
          modified: 3000};
   store.applyIncoming(rec);
-  deepEqual(store._remoteClients["id3"], { lastModified: 3000, foo3: "bar3" });
+  do_check_eq(store._remoteClients["id3"], "cleartext3");
+  do_check_eq(Svc.Prefs.get("notifyTabState"), 0);
+
+  // reset the notifyTabState
+  Svc.Prefs.reset("notifyTabState");
 }
 
 function test_getAllTabs() {
@@ -53,20 +59,20 @@ function test_getAllTabs() {
   _("Get all tabs.");
   tabs = store.getAllTabs();
   _("Tabs: " + JSON.stringify(tabs));
-  equal(tabs.length, 1);
-  equal(tabs[0].title, "title");
-  equal(tabs[0].urlHistory.length, 2);
-  equal(tabs[0].urlHistory[0], "http://foo.com");
-  equal(tabs[0].urlHistory[1], "http://bar.com");
-  equal(tabs[0].icon, "image");
-  equal(tabs[0].lastUsed, 1);
+  do_check_eq(tabs.length, 1);
+  do_check_eq(tabs[0].title, "title");
+  do_check_eq(tabs[0].urlHistory.length, 2);
+  do_check_eq(tabs[0].urlHistory[0], "http://foo.com");
+  do_check_eq(tabs[0].urlHistory[1], "http://bar.com");
+  do_check_eq(tabs[0].icon, "image");
+  do_check_eq(tabs[0].lastUsed, 1);
 
   _("Get all tabs, and check that filtering works.");
   let twoUrls = ["about:foo", "http://fuubar.com"];
   store.getWindowEnumerator = mockGetWindowEnumerator.bind(this, "http://foo.com", 1, 1, () => 2, () => twoUrls);
   tabs = store.getAllTabs(true);
   _("Filtered: " + JSON.stringify(tabs));
-  equal(tabs.length, 0);
+  do_check_eq(tabs.length, 0);
 
   _("Get all tabs, and check that the entries safety limit works.");
   let allURLs = [];
@@ -79,10 +85,10 @@ function test_getAllTabs() {
   tabs = store.getAllTabs((url) => url.startsWith("about"));
 
   _("Sliced: " + JSON.stringify(tabs));
-  equal(tabs.length, 1);
-  equal(tabs[0].urlHistory.length, 25);
-  equal(tabs[0].urlHistory[0], "http://foo40.bar");
-  equal(tabs[0].urlHistory[24], "http://foo16.bar");
+  do_check_eq(tabs.length, 1);
+  do_check_eq(tabs[0].urlHistory.length, 25);
+  do_check_eq(tabs[0].urlHistory[0], "http://foo40.bar");
+  do_check_eq(tabs[0].urlHistory[24], "http://foo16.bar");
 }
 
 function test_createRecord() {
@@ -99,14 +105,14 @@ function test_createRecord() {
 
   store.getWindowEnumerator = mockGetWindowEnumerator.bind(this, "http://foo.com", 1, 1);
   record = store.createRecord("fake-guid");
-  ok(record instanceof TabSetRecord);
-  equal(record.tabs.length, 1);
+  do_check_true(record instanceof TabSetRecord);
+  do_check_eq(record.tabs.length, 1);
 
   _("create a big record");
   store.getWindowEnumerator = mockGetWindowEnumerator.bind(this, "http://foo.com", 1, numtabs);
   record = store.createRecord("fake-guid");
-  ok(record instanceof TabSetRecord);
-  equal(record.tabs.length, 256);
+  do_check_true(record instanceof TabSetRecord);
+  do_check_eq(record.tabs.length, 256);
 }
 
 function run_test() {
diff --git a/services/sync/tests/unit/test_tab_tracker.js b/services/sync/tests/unit/test_tab_tracker.js
index f98920a445..e7dd488296 100644
--- a/services/sync/tests/unit/test_tab_tracker.js
+++ b/services/sync/tests/unit/test_tab_tracker.js
@@ -5,7 +5,7 @@ Cu.import("resource://services-sync/engines/tabs.js");
 Cu.import("resource://services-sync/service.js");
 Cu.import("resource://services-sync/util.js");
 
-var clientsEngine = Service.clientsEngine;
+let clientsEngine = Service.clientsEngine;
 
 function fakeSvcWinMediator() {
   // actions on windows are captured in logs
@@ -15,11 +15,9 @@ function fakeSvcWinMediator() {
     getEnumerator: function() {
       return {
         cnt: 2,
-        hasMoreElements: function() {
-          return this.cnt-- > 0;
-        },
+        hasMoreElements: function() this.cnt-- > 0,
         getNext: function() {
-          let elt = {addTopics: [], remTopics: [], numAPL: 0, numRPL: 0};
+          let elt = {addTopics: [], remTopics: []};
           logs.push(elt);
           return {
             addEventListener: function(topic) {
@@ -27,15 +25,7 @@ function fakeSvcWinMediator() {
             },
             removeEventListener: function(topic) {
               elt.remTopics.push(topic);
-            },
-            gBrowser: {
-              addProgressListener() {
-                elt.numAPL++;
-              },
-              removeProgressListener() {
-                elt.numRPL++;
-              },
-            },
+            }
           };
         }
       };
@@ -61,7 +51,7 @@ function run_test() {
   logs = fakeSvcWinMediator();
   Svc.Obs.notify("weave:engine:start-tracking");
   do_check_eq(logs.length, 2);
-  for (let log of logs) {
+  for each (let log in logs) {
     do_check_eq(log.addTopics.length, 5);
     do_check_true(log.addTopics.indexOf("pageshow") >= 0);
     do_check_true(log.addTopics.indexOf("TabOpen") >= 0);
@@ -69,15 +59,13 @@ function run_test() {
     do_check_true(log.addTopics.indexOf("TabSelect") >= 0);
     do_check_true(log.addTopics.indexOf("unload") >= 0);
     do_check_eq(log.remTopics.length, 0);
-    do_check_eq(log.numAPL, 1, "Added 1 progress listener");
-    do_check_eq(log.numRPL, 0, "Didn't remove a progress listener");
   }
 
   _("Test listeners are unregistered on windows");
   logs = fakeSvcWinMediator();
   Svc.Obs.notify("weave:engine:stop-tracking");
   do_check_eq(logs.length, 2);
-  for (let log of logs) {
+  for each (let log in logs) {
     do_check_eq(log.addTopics.length, 0);
     do_check_eq(log.remTopics.length, 5);
     do_check_true(log.remTopics.indexOf("pageshow") >= 0);
@@ -85,12 +73,10 @@ function run_test() {
     do_check_true(log.remTopics.indexOf("TabClose") >= 0);
     do_check_true(log.remTopics.indexOf("TabSelect") >= 0);
     do_check_true(log.remTopics.indexOf("unload") >= 0);
-    do_check_eq(log.numAPL, 0, "Didn't add a progress listener");
-    do_check_eq(log.numRPL, 1, "Removed 1 progress listener");
   }
 
   _("Test tab listener");
-  for (let evttype of ["TabOpen", "TabClose", "TabSelect"]) {
+  for each (let evttype in ["TabOpen", "TabClose", "TabSelect"]) {
     // Pretend we just synced.
     tracker.clearChangedIDs();
     do_check_false(tracker.modified);
@@ -109,19 +95,4 @@ function run_test() {
   tracker.onTab({type: "pageshow", originalTarget: "pageshow"});
   do_check_true(Utils.deepEquals(Object.keys(engine.getChangedIDs()),
                                  [clientsEngine.localID]));
-
-  // Pretend we just synced and saw some progress listeners.
-  tracker.clearChangedIDs();
-  do_check_false(tracker.modified);
-  tracker.onLocationChange({ isTopLevel: false }, undefined, undefined, 0);
-  do_check_false(tracker.modified, "non-toplevel request didn't flag as modified");
-
-  tracker.onLocationChange({ isTopLevel: true }, undefined, undefined,
-                           Ci.nsIWebProgressListener.LOCATION_CHANGE_SAME_DOCUMENT);
-  do_check_false(tracker.modified, "location change within the same document request didn't flag as modified");
-
-  tracker.onLocationChange({ isTopLevel: true }, undefined, undefined, 0);
-  do_check_true(tracker.modified, "location change for a new top-level document flagged as modified");
-  do_check_true(Utils.deepEquals(Object.keys(engine.getChangedIDs()),
-                                 [clientsEngine.localID]));
 }
diff --git a/services/sync/tests/unit/test_telemetry.js b/services/sync/tests/unit/test_telemetry.js
deleted file mode 100644
index 50a3d136ba..0000000000
--- a/services/sync/tests/unit/test_telemetry.js
+++ /dev/null
@@ -1,564 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-Cu.import("resource://services-common/observers.js");
-Cu.import("resource://services-sync/telemetry.js");
-Cu.import("resource://services-sync/service.js");
-Cu.import("resource://services-sync/record.js");
-Cu.import("resource://services-sync/resource.js");
-Cu.import("resource://services-sync/constants.js");
-Cu.import("resource://services-sync/engines.js");
-Cu.import("resource://services-sync/engines/bookmarks.js");
-Cu.import("resource://services-sync/engines/clients.js");
-Cu.import("resource://testing-common/services/sync/utils.js");
-Cu.import("resource://testing-common/services/sync/fxa_utils.js");
-Cu.import("resource://testing-common/services/sync/rotaryengine.js");
-Cu.import("resource://gre/modules/osfile.jsm", this);
-
-Cu.import("resource://gre/modules/PlacesUtils.jsm");
-Cu.import("resource://services-sync/util.js");
-
-initTestLogging("Trace");
-
-function SteamStore(engine) {
-  Store.call(this, "Steam", engine);
-}
-
-SteamStore.prototype = {
-  __proto__: Store.prototype,
-};
-
-function SteamTracker(name, engine) {
-  Tracker.call(this, name || "Steam", engine);
-}
-
-SteamTracker.prototype = {
-  __proto__: Tracker.prototype
-};
-
-function SteamEngine(service) {
-  Engine.call(this, "steam", service);
-}
-
-SteamEngine.prototype = {
-  __proto__: Engine.prototype,
-  _storeObj: SteamStore,
-  _trackerObj: SteamTracker,
-  _errToThrow: null,
-  _sync() {
-    if (this._errToThrow) {
-      throw this._errToThrow;
-    }
-  }
-};
-
-function BogusEngine(service) {
-  Engine.call(this, "bogus", service);
-}
-
-BogusEngine.prototype = Object.create(SteamEngine.prototype);
-
-function cleanAndGo(server) {
-  Svc.Prefs.resetBranch("");
-  Svc.Prefs.set("log.logger.engine.rotary", "Trace");
-  Service.recordManager.clearCache();
-  return new Promise(resolve => server.stop(resolve));
-}
-
-// Avoid addon manager complaining about not being initialized
-Service.engineManager.unregister("addons");
-
-add_identity_test(this, function *test_basic() {
-  let helper = track_collections_helper();
-  let upd = helper.with_updated_collection;
-
-  yield configureIdentity({ username: "johndoe" });
-  let handlers = {
-    "/1.1/johndoe/info/collections": helper.handler,
-    "/1.1/johndoe/storage/crypto/keys": upd("crypto", new ServerWBO("keys").handler()),
-    "/1.1/johndoe/storage/meta/global": upd("meta",  new ServerWBO("global").handler())
-  };
-
-  let collections = ["clients", "bookmarks", "forms", "history", "passwords", "prefs", "tabs"];
-
-  for (let coll of collections) {
-    handlers["/1.1/johndoe/storage/" + coll] = upd(coll, new ServerCollection({}, true).handler());
-  }
-
-  let server = httpd_setup(handlers);
-  Service.serverURL = server.baseURI;
-
-  yield sync_and_validate_telem(true);
-
-  yield new Promise(resolve => server.stop(resolve));
-});
-
-add_task(function* test_processIncoming_error() {
-  let engine = new BookmarksEngine(Service);
-  let store  = engine._store;
-  let server = serverForUsers({"foo": "password"}, {
-    meta: {global: {engines: {bookmarks: {version: engine.version,
-                                           syncID: engine.syncID}}}},
-    bookmarks: {}
-  });
-  new SyncTestingInfrastructure(server.server);
-  let collection = server.user("foo").collection("bookmarks");
-  try {
-    // Create a bogus record that when synced down will provoke a
-    // network error which in turn provokes an exception in _processIncoming.
-    const BOGUS_GUID = "zzzzzzzzzzzz";
-    let bogus_record = collection.insert(BOGUS_GUID, "I'm a bogus record!");
-    bogus_record.get = function get() {
-      throw "Sync this!";
-    };
-    // Make the 10 minutes old so it will only be synced in the toFetch phase.
-    bogus_record.modified = Date.now() / 1000 - 60 * 10;
-    engine.lastSync = Date.now() / 1000 - 60;
-    engine.toFetch = [BOGUS_GUID];
-
-    let error, ping;
-    try {
-      yield sync_engine_and_validate_telem(engine, true, errPing => ping = errPing);
-    } catch(ex) {
-      error = ex;
-    }
-    ok(!!error);
-    ok(!!ping);
-    equal(ping.uid, "0".repeat(32));
-    deepEqual(ping.failureReason, {
-      name: "othererror",
-      error: "error.engine.reason.record_download_fail"
-    });
-
-    equal(ping.engines.length, 1);
-    equal(ping.engines[0].name, "bookmarks");
-    deepEqual(ping.engines[0].failureReason, {
-      name: "othererror",
-      error: "error.engine.reason.record_download_fail"
-    });
-
-  } finally {
-    store.wipe();
-    yield cleanAndGo(server);
-  }
-});
-
-add_task(function *test_uploading() {
-  let engine = new BookmarksEngine(Service);
-  let store  = engine._store;
-  let server = serverForUsers({"foo": "password"}, {
-    meta: {global: {engines: {bookmarks: {version: engine.version,
-                                           syncID: engine.syncID}}}},
-    bookmarks: {}
-  });
-  new SyncTestingInfrastructure(server.server);
-
-  let parent = PlacesUtils.toolbarFolderId;
-  let uri = Utils.makeURI("http://getfirefox.com/");
-  let title = "Get Firefox";
-
-  let bmk_id = PlacesUtils.bookmarks.insertBookmark(parent, uri,
-    PlacesUtils.bookmarks.DEFAULT_INDEX, "Get Firefox!");
-
-  let guid = store.GUIDForId(bmk_id);
-  let record = store.createRecord(guid);
-
-  let collection = server.user("foo").collection("bookmarks");
-  try {
-    let ping = yield sync_engine_and_validate_telem(engine, false);
-    ok(!!ping);
-    equal(ping.engines.length, 1);
-    equal(ping.engines[0].name, "bookmarks");
-    ok(!!ping.engines[0].outgoing);
-    greater(ping.engines[0].outgoing[0].sent, 0)
-    ok(!ping.engines[0].incoming);
-
-    PlacesUtils.bookmarks.setItemTitle(bmk_id, "New Title");
-
-    store.wipe();
-    engine.resetClient();
-
-    ping = yield sync_engine_and_validate_telem(engine, false);
-    equal(ping.engines.length, 1);
-    equal(ping.engines[0].name, "bookmarks");
-    equal(ping.engines[0].outgoing.length, 1);
-    ok(!!ping.engines[0].incoming);
-
-  } finally {
-    // Clean up.
-    store.wipe();
-    yield cleanAndGo(server);
-  }
-});
-
-add_task(function *test_upload_failed() {
-  Service.identity.username = "foo";
-  let collection = new ServerCollection();
-  collection._wbos.flying = new ServerWBO('flying');
-
-  let server = sync_httpd_setup({
-      "/1.1/foo/storage/rotary": collection.handler()
-  });
-
-  let syncTesting = new SyncTestingInfrastructure(server);
-
-  let engine = new RotaryEngine(Service);
-  engine.lastSync = 123; // needs to be non-zero so that tracker is queried
-  engine.lastSyncLocal = 456;
-  engine._store.items = {
-    flying: "LNER Class A3 4472",
-    scotsman: "Flying Scotsman",
-    peppercorn: "Peppercorn Class"
-  };
-  const FLYING_CHANGED = 12345;
-  const SCOTSMAN_CHANGED = 23456;
-  const PEPPERCORN_CHANGED = 34567;
-  engine._tracker.addChangedID("flying", FLYING_CHANGED);
-  engine._tracker.addChangedID("scotsman", SCOTSMAN_CHANGED);
-  engine._tracker.addChangedID("peppercorn", PEPPERCORN_CHANGED);
-
-  let meta_global = Service.recordManager.set(engine.metaURL, new WBORecord(engine.metaURL));
-  meta_global.payload.engines = { rotary: { version: engine.version, syncID: engine.syncID } };
-
-  try {
-    engine.enabled = true;
-    let ping = yield sync_engine_and_validate_telem(engine, true);
-    ok(!!ping);
-    equal(ping.engines.length, 1);
-    equal(ping.engines[0].incoming, null);
-    deepEqual(ping.engines[0].outgoing, [{ sent: 3, failed: 2 }]);
-    engine.lastSync = 123;
-    engine.lastSyncLocal = 456;
-
-    ping = yield sync_engine_and_validate_telem(engine, true);
-    ok(!!ping);
-    equal(ping.engines.length, 1);
-    equal(ping.engines[0].incoming.reconciled, 1);
-    deepEqual(ping.engines[0].outgoing, [{ sent: 2, failed: 2 }]);
-
-  } finally {
-    yield cleanAndGo(server);
-  }
-});
-
-add_task(function *test_sync_partialUpload() {
-  Service.identity.username = "foo";
-
-  let collection = new ServerCollection();
-  let server = sync_httpd_setup({
-      "/1.1/foo/storage/rotary": collection.handler()
-  });
-  let syncTesting = new SyncTestingInfrastructure(server);
-  generateNewKeys(Service.collectionKeys);
-
-  let engine = new RotaryEngine(Service);
-  engine.lastSync = 123;
-  engine.lastSyncLocal = 456;
-
-
-  // Create a bunch of records (and server side handlers)
-  for (let i = 0; i < 234; i++) {
-    let id = 'record-no-' + i;
-    engine._store.items[id] = "Record No. " + i;
-    engine._tracker.addChangedID(id, i);
-    // Let two items in the first upload batch fail.
-    if (i != 23 && i != 42) {
-      collection.insert(id);
-    }
-  }
-
-  let meta_global = Service.recordManager.set(engine.metaURL,
-                                              new WBORecord(engine.metaURL));
-  meta_global.payload.engines = {rotary: {version: engine.version,
-                                          syncID: engine.syncID}};
-
-  try {
-    engine.enabled = true;
-    let ping = yield sync_engine_and_validate_telem(engine, true);
-
-    ok(!!ping);
-    ok(!ping.failureReason);
-    equal(ping.engines.length, 1);
-    equal(ping.engines[0].name, "rotary");
-    ok(!ping.engines[0].incoming);
-    ok(!ping.engines[0].failureReason);
-    deepEqual(ping.engines[0].outgoing, [{ sent: 234, failed: 2 }]);
-
-    collection.post = function() { throw "Failure"; }
-
-    engine._store.items["record-no-1000"] = "Record No. 1000";
-    engine._tracker.addChangedID("record-no-1000", 1000);
-    collection.insert("record-no-1000", 1000);
-
-    engine.lastSync = 123;
-    engine.lastSyncLocal = 456;
-    ping = null;
-
-    try {
-      // should throw
-      yield sync_engine_and_validate_telem(engine, true, errPing => ping = errPing);
-    } catch (e) {}
-    // It would be nice if we had a more descriptive error for this...
-    let uploadFailureError = {
-      name: "othererror",
-      error: "error.engine.reason.record_upload_fail"
-    };
-
-    ok(!!ping);
-    deepEqual(ping.failureReason, uploadFailureError);
-    equal(ping.engines.length, 1);
-    equal(ping.engines[0].name, "rotary");
-    deepEqual(ping.engines[0].incoming, {
-      failed: 1,
-      newFailed: 1,
-      reconciled: 232
-    });
-    ok(!ping.engines[0].outgoing);
-    deepEqual(ping.engines[0].failureReason, uploadFailureError);
-
-  } finally {
-    yield cleanAndGo(server);
-  }
-});
-
-add_task(function* test_generic_engine_fail() {
-  Service.engineManager.register(SteamEngine);
-  let engine = Service.engineManager.get("steam");
-  engine.enabled = true;
-  let store  = engine._store;
-  let server = serverForUsers({"foo": "password"}, {
-    meta: {global: {engines: {steam: {version: engine.version,
-                                      syncID: engine.syncID}}}},
-    steam: {}
-  });
-  new SyncTestingInfrastructure(server.server);
-  let e = new Error("generic failure message")
-  engine._errToThrow = e;
-
-  try {
-    let ping = yield sync_and_validate_telem(true);
-    equal(ping.status.service, SYNC_FAILED_PARTIAL);
-    deepEqual(ping.engines.find(e => e.name === "steam").failureReason, {
-      name: "unexpectederror",
-      error: String(e)
-    });
-  } finally {
-    Service.engineManager.unregister(engine);
-    yield cleanAndGo(server);
-  }
-});
-
-add_task(function* test_engine_fail_ioerror() {
-  Service.engineManager.register(SteamEngine);
-  let engine = Service.engineManager.get("steam");
-  engine.enabled = true;
-  let store  = engine._store;
-  let server = serverForUsers({"foo": "password"}, {
-    meta: {global: {engines: {steam: {version: engine.version,
-                                      syncID: engine.syncID}}}},
-    steam: {}
-  });
-  new SyncTestingInfrastructure(server.server);
-  // create an IOError to re-throw as part of Sync.
-  try {
-    // (Note that fakeservices.js has replaced Utils.jsonMove etc, but for
-    // this test we need the real one so we get real exceptions from the
-    // filesystem.)
-    yield Utils._real_jsonMove("file-does-not-exist", "anything", {});
-  } catch (ex) {
-    engine._errToThrow = ex;
-  }
-  ok(engine._errToThrow, "expecting exception");
-
-  try {
-    let ping = yield sync_and_validate_telem(true);
-    equal(ping.status.service, SYNC_FAILED_PARTIAL);
-    let failureReason = ping.engines.find(e => e.name === "steam").failureReason;
-    equal(failureReason.name, "unexpectederror");
-    // ensure the profile dir in the exception message has been stripped.
-    ok(!failureReason.error.includes(OS.Constants.Path.profileDir), failureReason.error);
-    ok(failureReason.error.includes("[profileDir]"), failureReason.error);
-  } finally {
-    Service.engineManager.unregister(engine);
-    yield cleanAndGo(server);
-  }
-});
-
-add_task(function* test_initial_sync_engines() {
-  Service.engineManager.register(SteamEngine);
-  let engine = Service.engineManager.get("steam");
-  engine.enabled = true;
-  let store  = engine._store;
-  let engines = {};
-  // These are the only ones who actually have things to sync at startup.
-  let engineNames = ["clients", "bookmarks", "prefs", "tabs"];
-  let conf = { meta: { global: { engines } } };
-  for (let e of engineNames) {
-    engines[e] = { version: engine.version, syncID: engine.syncID };
-    conf[e] = {};
-  }
-  let server = serverForUsers({"foo": "password"}, conf);
-  new SyncTestingInfrastructure(server.server);
-  try {
-    let ping = yield wait_for_ping(() => Service.sync(), true);
-
-    equal(ping.engines.find(e => e.name === "clients").outgoing[0].sent, 1);
-    equal(ping.engines.find(e => e.name === "tabs").outgoing[0].sent, 1);
-
-    // for the rest we don't care about specifics
-    for (let e of ping.engines) {
-      if (!engineNames.includes(engine.name)) {
-        continue;
-      }
-      greaterOrEqual(e.took, 1);
-      ok(!!e.outgoing)
-      equal(e.outgoing.length, 1);
-      notEqual(e.outgoing[0].sent, undefined);
-      equal(e.outgoing[0].failed, undefined);
-    }
-  } finally {
-    yield cleanAndGo(server);
-  }
-});
-
-add_task(function* test_nserror() {
-  Service.engineManager.register(SteamEngine);
-  let engine = Service.engineManager.get("steam");
-  engine.enabled = true;
-  let store  = engine._store;
-  let server = serverForUsers({"foo": "password"}, {
-    meta: {global: {engines: {steam: {version: engine.version,
-                                      syncID: engine.syncID}}}},
-    steam: {}
-  });
-  new SyncTestingInfrastructure(server.server);
-  engine._errToThrow = Components.Exception("NS_ERROR_UNKNOWN_HOST", Cr.NS_ERROR_UNKNOWN_HOST);
-  try {
-    let ping = yield sync_and_validate_telem(true);
-    deepEqual(ping.status, {
-      service: SYNC_FAILED_PARTIAL,
-      sync: LOGIN_FAILED_NETWORK_ERROR
-    });
-    let enginePing = ping.engines.find(e => e.name === "steam");
-    deepEqual(enginePing.failureReason, {
-      name: "nserror",
-      code: Cr.NS_ERROR_UNKNOWN_HOST
-    });
-  } finally {
-    Service.engineManager.unregister(engine);
-    yield cleanAndGo(server);
-  }
-});
-
-add_identity_test(this, function *test_discarding() {
-  let helper = track_collections_helper();
-  let upd = helper.with_updated_collection;
-  let telem = get_sync_test_telemetry();
-  telem.maxPayloadCount = 2;
-  telem.submissionInterval = Infinity;
-  let oldSubmit = telem.submit;
-
-  let server;
-  try {
-
-    yield configureIdentity({ username: "johndoe" });
-    let handlers = {
-      "/1.1/johndoe/info/collections": helper.handler,
-      "/1.1/johndoe/storage/crypto/keys": upd("crypto", new ServerWBO("keys").handler()),
-      "/1.1/johndoe/storage/meta/global": upd("meta",  new ServerWBO("global").handler())
-    };
-
-    let collections = ["clients", "bookmarks", "forms", "history", "passwords", "prefs", "tabs"];
-
-    for (let coll of collections) {
-      handlers["/1.1/johndoe/storage/" + coll] = upd(coll, new ServerCollection({}, true).handler());
-    }
-
-    server = httpd_setup(handlers);
-    Service.serverURL = server.baseURI;
-    telem.submit = () => ok(false, "Submitted telemetry ping when we should not have");
-
-    for (let i = 0; i < 5; ++i) {
-      Service.sync();
-    }
-    telem.submit = oldSubmit;
-    telem.submissionInterval = -1;
-    let ping = yield sync_and_validate_telem(true, true); // with this we've synced 6 times
-    equal(ping.syncs.length, 2);
-    equal(ping.discarded, 4);
-  } finally {
-    telem.maxPayloadCount = 500;
-    telem.submissionInterval = -1;
-    telem.submit = oldSubmit;
-    if (server) {
-      yield new Promise(resolve => server.stop(resolve));
-    }
-  }
-})
-
-add_task(function* test_no_foreign_engines_in_error_ping() {
-  Service.engineManager.register(BogusEngine);
-  let engine = Service.engineManager.get("bogus");
-  engine.enabled = true;
-  let store  = engine._store;
-  let server = serverForUsers({"foo": "password"}, {
-    meta: {global: {engines: {bogus: {version: engine.version, syncID: engine.syncID}}}},
-    steam: {}
-  });
-  engine._errToThrow = new Error("Oh no!");
-  new SyncTestingInfrastructure(server.server);
-  try {
-    let ping = yield sync_and_validate_telem(true);
-    equal(ping.status.service, SYNC_FAILED_PARTIAL);
-    ok(ping.engines.every(e => e.name !== "bogus"));
-  } finally {
-    Service.engineManager.unregister(engine);
-    yield cleanAndGo(server);
-  }
-});
-
-add_task(function* test_sql_error() {
-  Service.engineManager.register(SteamEngine);
-  let engine = Service.engineManager.get("steam");
-  engine.enabled = true;
-  let store  = engine._store;
-  let server = serverForUsers({"foo": "password"}, {
-    meta: {global: {engines: {steam: {version: engine.version,
-                                      syncID: engine.syncID}}}},
-    steam: {}
-  });
-  new SyncTestingInfrastructure(server.server);
-  engine._sync = function() {
-    // Just grab a DB connection and issue a bogus SQL statement synchronously.
-    let db = PlacesUtils.history.QueryInterface(Ci.nsPIPlacesDatabase).DBConnection;
-    Async.querySpinningly(db.createAsyncStatement("select bar from foo"));
-  };
-  try {
-    let ping = yield sync_and_validate_telem(true);
-    let enginePing = ping.engines.find(e => e.name === "steam");
-    deepEqual(enginePing.failureReason, { name: "sqlerror", code: 1 });
-  } finally {
-    Service.engineManager.unregister(engine);
-    yield cleanAndGo(server);
-  }
-});
-
-add_task(function* test_no_foreign_engines_in_success_ping() {
-  Service.engineManager.register(BogusEngine);
-  let engine = Service.engineManager.get("bogus");
-  engine.enabled = true;
-  let store  = engine._store;
-  let server = serverForUsers({"foo": "password"}, {
-    meta: {global: {engines: {bogus: {version: engine.version, syncID: engine.syncID}}}},
-    steam: {}
-  });
-
-  new SyncTestingInfrastructure(server.server);
-  try {
-    let ping = yield sync_and_validate_telem();
-    ok(ping.engines.every(e => e.name !== "bogus"));
-  } finally {
-    Service.engineManager.unregister(engine);
-    yield cleanAndGo(server);
-  }
-});
\ No newline at end of file
diff --git a/services/sync/tests/unit/test_utils_catch.js b/services/sync/tests/unit/test_utils_catch.js
index 5f50bf7e43..a10e5eb0d8 100644
--- a/services/sync/tests/unit/test_utils_catch.js
+++ b/services/sync/tests/unit/test_utils_catch.js
@@ -8,46 +8,38 @@ function run_test() {
     catch: Utils.catch,
     _log: {
       debug: function(str) {
-        didThrow = str.search(/^Exception/) == 0;
+        didThrow = str.search(/^Exception: /) == 0;
       },
       info: function(str) {
         wasLocked = str.indexOf("Cannot start sync: already syncing?") == 0;
       }
     },
 
-    func: function() {
-      return this.catch(function() {
-        rightThis = this == obj;
-        didCall = true;
-        return 5;
-      })();
-    },
+    func: function() this.catch(function() {
+      rightThis = this == obj;
+      didCall = true;
+      return 5;
+    })(),
 
-    throwy: function() {
-      return this.catch(function() {
-        rightThis = this == obj;
-        didCall = true;
-        throw 10;
-      })();
-    },
+    throwy: function() this.catch(function() {
+      rightThis = this == obj;
+      didCall = true;
+      throw 10;
+    })(),
 
-    callbacky: function() {
-      return this.catch(function() {
-        rightThis = this == obj;
-        didCall = true;
-        throw 10;
-      }, function(ex) {
-        wasTen = (ex == 10)
-      })();
-    },
+    callbacky: function() this.catch(function() {
+      rightThis = this == obj;
+      didCall = true;
+      throw 10;
+    }, function(ex) {
+      wasTen = (ex == 10)
+    })(),
 
-    lockedy: function() {
-      return this.catch(function() {
-        rightThis = this == obj;
-        didCall = true;
-        throw("Could not acquire lock.");
-      })();
-    }
+    lockedy: function() this.catch(function() {
+      rightThis = this == obj;
+      didCall = true;
+      throw("Could not acquire lock.");
+    })()
   };
 
   _("Make sure a normal call will call and return");
diff --git a/services/sync/tests/unit/test_utils_deferGetSet.js b/services/sync/tests/unit/test_utils_deferGetSet.js
index 9d58a9873e..55c0fcb0e6 100644
--- a/services/sync/tests/unit/test_utils_deferGetSet.js
+++ b/services/sync/tests/unit/test_utils_deferGetSet.js
@@ -6,12 +6,8 @@ function run_test() {
   base.prototype = {
     dst: {},
 
-    get a() {
-      return "a";
-    },
-    set b(val) {
-      this.dst.b = val + "!!!";
-    }
+    get a() "a",
+    set b(val) this.dst.b = val + "!!!"
   };
   let src = new base();
 
diff --git a/services/sync/tests/unit/test_utils_deriveKey.js b/services/sync/tests/unit/test_utils_deriveKey.js
index 17dd889c70..e205fa9f80 100644
--- a/services/sync/tests/unit/test_utils_deriveKey.js
+++ b/services/sync/tests/unit/test_utils_deriveKey.js
@@ -1,7 +1,7 @@
 Cu.import("resource://services-crypto/WeaveCrypto.js");
 Cu.import("resource://services-sync/util.js");
 
-var cryptoSvc = new WeaveCrypto();
+let cryptoSvc = new WeaveCrypto();
 
 function run_test() {
   if (this.gczeal) {
diff --git a/services/sync/tests/unit/test_utils_lock.js b/services/sync/tests/unit/test_utils_lock.js
index d1830787e6..fd8a4b1f52 100644
--- a/services/sync/tests/unit/test_utils_lock.js
+++ b/services/sync/tests/unit/test_utils_lock.js
@@ -27,23 +27,19 @@ function run_test() {
       this._locked = false;
     },
 
-    func: function() {
-      return this._lock("Test utils lock",
-                        function() {
-                          rightThis = this == obj;
-                          didCall = true;
-                          return 5;
-                        })();
-    },
+    func: function() this._lock("Test utils lock",
+    function() {
+      rightThis = this == obj;
+      didCall = true;
+      return 5;
+    })(),
 
-    throwy: function() {
-      return this._lock("Test utils lock throwy",
-                        function() {
-                          rightThis = this == obj;
-                          didCall = true;
-                          this.throwy();
-                        })();
-    }
+    throwy: function() this._lock("Test utils lock throwy",
+    function() {
+      rightThis = this == obj;
+      didCall = true;
+      this.throwy();
+    })()
   };
 
   _("Make sure a normal call will call and return");
diff --git a/services/sync/tests/unit/test_utils_notify.js b/services/sync/tests/unit/test_utils_notify.js
index 5bd38da5f2..c191bbfef6 100644
--- a/services/sync/tests/unit/test_utils_notify.js
+++ b/services/sync/tests/unit/test_utils_notify.js
@@ -9,21 +9,17 @@ function run_test() {
       trace: function() {}
     },
 
-    func: function() {
-      return this.notify("bar", "baz", function() {
-        rightThis = this == obj;
-        didCall = true;
-        return 5;
-      })();
-    },
+    func: function() this.notify("bar", "baz", function() {
+      rightThis = this == obj;
+      didCall = true;
+      return 5;
+    })(),
 
-    throwy: function() {
-      return this.notify("bad", "one", function() {
-        rightThis = this == obj;
-        didCall = true;
-        throw 10;
-      })();
-    }
+    throwy: function() this.notify("bad", "one", function() {
+      rightThis = this == obj;
+      didCall = true;
+      throw 10;
+    })()
   };
 
   let state = 0;
diff --git a/services/sync/tests/unit/test_warn_on_truncated_response.js b/services/sync/tests/unit/test_warn_on_truncated_response.js
index 1f0d87ba96..a9f070ee41 100644
--- a/services/sync/tests/unit/test_warn_on_truncated_response.js
+++ b/services/sync/tests/unit/test_warn_on_truncated_response.js
@@ -12,11 +12,11 @@ function run_test() {
   run_next_test();
 }
 
-var BODY = "response body";
+let BODY = "response body";
 // contentLength needs to be longer than the response body
 // length in order to get a mismatch between what is sent in
 // the response and the content-length header value.
-var contentLength = BODY.length + 1;
+let contentLength = BODY.length + 1;
 
 function contentHandler(request, response) {
   _("Handling request.");
diff --git a/services/sync/tests/unit/xpcshell.ini b/services/sync/tests/unit/xpcshell.ini
index 4c0f0e7b7d..7e97835ac5 100644
--- a/services/sync/tests/unit/xpcshell.ini
+++ b/services/sync/tests/unit/xpcshell.ini
@@ -1,7 +1,8 @@
 [DEFAULT]
-head = head_appinfo.js ../../../common/tests/unit/head_helpers.js head_helpers.js head_http_server.js head_errorhandler_common.js
+head = head_appinfo.js ../../../common/tests/unit/head_helpers.js head_helpers.js head_http_server.js
 tail =
 firefox-appdir = browser
+skip-if = toolkit == 'gonk'
 support-files =
   addon1-search.xml
   bootstrap1-search.xml
@@ -10,10 +11,6 @@ support-files =
   missing-xpi-search.xml
   places_v10_from_v11.sqlite
   rewrite-search.xml
-  sync_ping_schema.json
-  systemaddon-search.xml
-  !/services/common/tests/unit/head_helpers.js
-  !/toolkit/components/webextensions/test/xpcshell/head_sync.js
 
 # The manifest is roughly ordered from low-level to high-level. When making
 # systemic sweeping changes, this makes it easier to identify errors closer to
@@ -39,7 +36,6 @@ support-files =
 # We have a number of other libraries that are pretty much standalone.
 [test_addon_utils.js]
 run-sequentially = Restarts server, can't change pref.
-tags = addons
 [test_httpd_sync_server.js]
 [test_jpakeclient.js]
 # Bug 618233: this test produces random failures on Windows 7.
@@ -56,7 +52,6 @@ skip-if = os == "win" || os == "android"
 # Generic Sync types.
 [test_browserid_identity.js]
 [test_collection_inc_get.js]
-[test_collection_getBatched.js]
 [test_collections_recovery.js]
 [test_identity_manager.js]
 [test_keys.js]
@@ -97,7 +92,6 @@ skip-if = os == "mac" || os == "linux"
 [test_service_sync_remoteSetup.js]
 # Bug 676978: test hangs on Android (see also testing/xpcshell/xpcshell.ini)
 skip-if = os == "android"
-[test_service_sync_specified.js]
 [test_service_sync_updateEnabledEngines.js]
 # Bug 676978: test hangs on Android (see also testing/xpcshell/xpcshell.ini)
 skip-if = os == "android"
@@ -109,8 +103,7 @@ skip-if = os == "mac" || os == "linux"
 
 [test_corrupt_keys.js]
 [test_declined.js]
-[test_errorhandler_1.js]
-[test_errorhandler_2.js]
+[test_errorhandler.js]
 [test_errorhandler_filelog.js]
 # Bug 676978: test hangs on Android (see also testing/xpcshell/xpcshell.ini)
 skip-if = os == "android"
@@ -121,6 +114,7 @@ skip-if = os == "android"
 [test_hmac_error.js]
 [test_interval_triggers.js]
 [test_node_reassignment.js]
+[test_notifications.js]
 [test_score_triggers.js]
 [test_sendcredentials_controller.js]
 [test_status.js]
@@ -136,18 +130,12 @@ skip-if = os == "android"
 # Finally, we test each engine.
 [test_addons_engine.js]
 run-sequentially = Hardcoded port in static files.
-tags = addons
 [test_addons_reconciler.js]
-tags = addons
 [test_addons_store.js]
 run-sequentially = Hardcoded port in static files.
-tags = addons
 [test_addons_tracker.js]
-tags = addons
 [test_bookmark_batch_fail.js]
-[test_bookmark_duping.js]
 [test_bookmark_engine.js]
-[test_bookmark_invalid.js]
 [test_bookmark_legacy_microsummaries_support.js]
 [test_bookmark_livemarks.js]
 [test_bookmark_order.js]
@@ -158,13 +146,8 @@ tags = addons
 # Too many intermittent "ASSERTION: thread pool wasn't shutdown: '!mPool'" (bug 804479)
 skip-if = debug
 [test_bookmark_tracker.js]
-requesttimeoutfactor = 4
-[test_bookmark_validator.js]
 [test_clients_engine.js]
 [test_clients_escape.js]
-[test_extension_storage_crypto.js]
-[test_extension_storage_engine.js]
-[test_extension_storage_tracker.js]
 [test_forms_store.js]
 [test_forms_tracker.js]
 # Too many intermittent "ASSERTION: thread pool wasn't shutdown: '!mPool'" (bug 804479)
@@ -176,21 +159,13 @@ skip-if = debug
 skip-if = debug
 [test_places_guid_downgrade.js]
 [test_password_store.js]
-[test_password_validator.js]
 [test_password_tracker.js]
 # Too many intermittent "ASSERTION: thread pool wasn't shutdown: '!mPool'" (bug 804479)
 skip-if = debug
 [test_prefs_store.js]
-support-files = prefs_test_prefs_store.js
 [test_prefs_tracker.js]
 [test_tab_engine.js]
 [test_tab_store.js]
 [test_tab_tracker.js]
 
 [test_warn_on_truncated_response.js]
-[test_postqueue.js]
-
-# Synced tabs.
-[test_syncedtabs.js]
-
-[test_telemetry.js]
diff --git a/services/sync/tps/extensions/mozmill/resource/driver/controller.js b/services/sync/tps/extensions/mozmill/resource/driver/controller.js
index 8d66a41aef..1a4e6f3b61 100644
--- a/services/sync/tps/extensions/mozmill/resource/driver/controller.js
+++ b/services/sync/tps/extensions/mozmill/resource/driver/controller.js
@@ -870,7 +870,7 @@ MozMillController.prototype.mouseMove = function (doc, start, dest) {
 
 /**
  * Drag an element to the specified offset on another element, firing mouse and
- * drag events. Adapted from EventUtils.js synthesizeDrop()
+ * drag events. Adapted from ChromeUtils.js synthesizeDrop()
  *
  * @deprecated Use the MozMillElement object
  *
diff --git a/services/sync/tps/extensions/mozmill/resource/driver/mozelement.js b/services/sync/tps/extensions/mozmill/resource/driver/mozelement.js
index 850c865231..ae55cb0ce0 100644
--- a/services/sync/tps/extensions/mozmill/resource/driver/mozelement.js
+++ b/services/sync/tps/extensions/mozmill/resource/driver/mozelement.js
@@ -131,7 +131,7 @@ MozMillElement.prototype.__defineGetter__("element", function () {
 
 /**
  * Drag an element to the specified offset on another element, firing mouse and
- * drag events. Adapted from EventUtils.js synthesizeDrop()
+ * drag events. Adapted from ChromeUtils.js synthesizeDrop()
  *
  * By default it will drag the source element over the destination's element
  * center with a "move" dropEffect.
@@ -218,7 +218,7 @@ MozMillElement.prototype.dragToElement = function(aElement, aOffsetX, aOffsetY,
     EventUtils.synthesizeMouse(destNode, destCoords.x, destCoords.y,
                                { type: "mousemove" }, destWindow);
 
-    var event = destWindow.document.createEvent("DragEvent");
+    var event = destWindow.document.createEvent("DragEvents");
     event.initDragEvent("dragenter", true, true, destWindow, 0, 0, 0, 0, 0,
                         false, false, false, false, 0, null, dataTransfer);
     event.initDragEvent("dragover", true, true, destWindow, 0, 0, 0, 0, 0,
diff --git a/services/sync/tps/extensions/mozmill/resource/stdlib/securable-module.js b/services/sync/tps/extensions/mozmill/resource/stdlib/securable-module.js
index 2648afd274..bfa7ef5a9f 100644
--- a/services/sync/tps/extensions/mozmill/resource/stdlib/securable-module.js
+++ b/services/sync/tps/extensions/mozmill/resource/stdlib/securable-module.js
@@ -40,8 +40,6 @@
    const Cu = Components.utils;
    const Cr = Components.results;
 
-   Cu.import("resource://gre/modules/NetUtil.jsm");
-
    var exports = {};
 
    var ios = Cc['@mozilla.org/network/io-service;1']
@@ -315,26 +313,17 @@
        else
          baseURI = ios.newURI(base, null, null);
        var newURI = ios.newURI(path, null, baseURI);
-       var channel = NetUtil.newChannel({
-          uri: newURI,
-          loadUsingSystemPrincipal: true
-       });
+       var channel = ios.newChannelFromURI(newURI);
        try {
-         channel.open2().close();
-       } catch (e) {
-         if (e.result != Cr.NS_ERROR_FILE_NOT_FOUND) {
-           throw e;
-         }
+         channel.open().close();
+       } catch (e if e.result == Cr.NS_ERROR_FILE_NOT_FOUND) {
          return null;
        }
        return newURI.spec;
      },
      getFile: function getFile(path) {
-       var channel = NetUtil.newChannel({
-         uri: path,
-         loadUsingSystemPrincipal: true
-       });
-       var iStream = channel.open2();
+       var channel = ios.newChannel(path, null, null);
+       var iStream = channel.open();
        var ciStream = Cc["@mozilla.org/intl/converter-input-stream;1"].
                       createInstance(Ci.nsIConverterInputStream);
        var bufLen = 0x8000;
diff --git a/services/sync/tps/extensions/mozmill/resource/stdlib/utils.js b/services/sync/tps/extensions/mozmill/resource/stdlib/utils.js
index 73e13e11f1..f27bbaaf72 100644
--- a/services/sync/tps/extensions/mozmill/resource/stdlib/utils.js
+++ b/services/sync/tps/extensions/mozmill/resource/stdlib/utils.js
@@ -19,7 +19,7 @@ Cu.import("resource://gre/modules/NetUtil.jsm");
 Cu.import("resource://gre/modules/Services.jsm");
 
 const applicationIdMap = {
-  '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}': 'Firefox'
+  '{8de7fcbb-c55c-4fbe-bfc5-fc555c87dbc4}': 'Firefox'
 }
 const applicationName = applicationIdMap[Services.appinfo.ID] || Services.appinfo.name;
 
diff --git a/services/sync/tps/extensions/tps/install.rdf b/services/sync/tps/extensions/tps/install.rdf
index 3dcdc5e445..cc9491b07f 100644
--- a/services/sync/tps/extensions/tps/install.rdf
+++ b/services/sync/tps/extensions/tps/install.rdf
@@ -12,7 +12,7 @@
     <em:targetApplication>
       <!-- Firefox -->
       <Description>
-        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
+        <em:id>{8de7fcbb-c55c-4fbe-bfc5-fc555c87dbc4}</em:id>
         <em:minVersion>24.0.*</em:minVersion>
         <em:maxVersion>31.0.*</em:maxVersion>
       </Description>
diff --git a/services/sync/tps/extensions/tps/resource/auth/fxaccounts.jsm b/services/sync/tps/extensions/tps/resource/auth/fxaccounts.jsm
index 86d0ed113e..f5daa14be7 100644
--- a/services/sync/tps/extensions/tps/resource/auth/fxaccounts.jsm
+++ b/services/sync/tps/extensions/tps/resource/auth/fxaccounts.jsm
@@ -12,7 +12,6 @@ const {classes: Cc, interfaces: Ci, utils: Cu} = Components;
 
 Cu.import("resource://gre/modules/FxAccounts.jsm");
 Cu.import("resource://gre/modules/FxAccountsClient.jsm");
-Cu.import("resource://gre/modules/FxAccountsConfig.jsm");
 Cu.import("resource://services-common/async.js");
 Cu.import("resource://services-sync/main.js");
 Cu.import("resource://tps/logger.jsm");
@@ -68,10 +67,7 @@ var Authentication = {
     Logger.AssertTrue(account["username"], "Username has been found");
     Logger.AssertTrue(account["password"], "Password has been found");
 
-    Logger.logInfo("Login user: " + account["username"]);
-
-    // Required here since we don't go through the real login page
-    Async.promiseSpinningly(FxAccountsConfig.ensureConfigured());
+    Logger.logInfo("Login user: " + account["username"] + '\n');
 
     let client = new FxAccountsClient();
     client.signIn(account["username"], account["password"], true).then(credentials => {
@@ -96,26 +92,5 @@ var Authentication = {
     } catch (error) {
       throw new Error("signIn() failed with: " + error.message);
     }
-  },
-
-  /**
-   * Sign out of Firefox Accounts. It also clears out the device ID, if we find one.
-   */
-  signOut() {
-    if (Authentication.isLoggedIn) {
-      let user = Authentication.getSignedInUser();
-      if (!user) {
-        throw new Error("Failed to get signed in user!");
-      }
-      let fxc = new FxAccountsClient();
-      let { sessionToken, deviceId } = user;
-      if (deviceId) {
-        Logger.logInfo("Destroying device " + deviceId);
-        Async.promiseSpinningly(fxc.signOutAndDestroyDevice(sessionToken, deviceId, { service: "sync" }));
-      } else {
-        Logger.logError("No device found.");
-        Async.promiseSpinningly(fxc.signOut(sessionToken, { service: "sync" }));
-      }
-    }
   }
 };
diff --git a/services/sync/tps/extensions/tps/resource/auth/sync.jsm b/services/sync/tps/extensions/tps/resource/auth/sync.jsm
index 35ffeb2690..676b17a918 100644
--- a/services/sync/tps/extensions/tps/resource/auth/sync.jsm
+++ b/services/sync/tps/extensions/tps/resource/auth/sync.jsm
@@ -80,9 +80,5 @@ var Authentication = {
     }
 
     return true;
-  },
-
-  signOut() {
-    Weave.Service.logout();
   }
 };
diff --git a/services/sync/tps/extensions/tps/resource/modules/addons.jsm b/services/sync/tps/extensions/tps/resource/modules/addons.jsm
index 1570b42b18..8dae75edeb 100644
--- a/services/sync/tps/extensions/tps/resource/modules/addons.jsm
+++ b/services/sync/tps/extensions/tps/resource/modules/addons.jsm
@@ -9,7 +9,7 @@ const {classes: Cc, interfaces: Ci, utils: Cu} = Components;
 
 Cu.import("resource://gre/modules/AddonManager.jsm");
 Cu.import("resource://gre/modules/addons/AddonRepository.jsm");
-Cu.import("resource://gre/modules/NetUtil.jsm");
+Cu.import("resource://gre/modules/Services.jsm");
 Cu.import("resource://services-common/async.js");
 Cu.import("resource://services-sync/addonutils.js");
 Cu.import("resource://services-sync/util.js");
@@ -20,11 +20,15 @@ const STATE_ENABLED = 1;
 const STATE_DISABLED = 2;
 
 function GetFileAsText(file) {
-  let channel = NetUtil.newChannel({
-    uri: file,
-    loadUsingSystemPrincipal: true
-  });
-  let inputStream = channel.open2();
+  let channel = Services.io.newChannel2(file,
+                                        null,
+                                        null,
+                                        null,      // aLoadingNode
+                                        Services.scriptSecurityManager.getSystemPrincipal(),
+                                        null,      // aTriggeringPrincipal
+                                        Ci.nsILoadInfo.SEC_NORMAL,
+                                        Ci.nsIContentPolicy.TYPE_OTHER);
+  let inputStream = channel.open();
   if (channel instanceof Ci.nsIHttpChannel &&
       channel.responseStatus != 200) {
     return "";
diff --git a/services/sync/tps/extensions/tps/resource/modules/bookmarks.jsm b/services/sync/tps/extensions/tps/resource/modules/bookmarks.jsm
index 857c0c1e83..6a288bbec4 100644
--- a/services/sync/tps/extensions/tps/resource/modules/bookmarks.jsm
+++ b/services/sync/tps/extensions/tps/resource/modules/bookmarks.jsm
@@ -13,7 +13,6 @@ var EXPORTED_SYMBOLS = ["PlacesItem", "Bookmark", "Separator", "Livemark",
 const {classes: Cc, interfaces: Ci, utils: Cu} = Components;
 
 Cu.import("resource://gre/modules/PlacesBackups.jsm");
-Cu.import("resource://gre/modules/PlacesSyncUtils.jsm");
 Cu.import("resource://gre/modules/PlacesUtils.jsm");
 Cu.import("resource://gre/modules/Services.jsm");
 Cu.import("resource://services-common/async.js");
@@ -110,11 +109,6 @@ PlacesItem.prototype = {
     return string;
   },
 
-  GetSyncId() {
-    let guid = Async.promiseSpinningly(PlacesUtils.promiseItemGuid(this.props.item_id));
-    return PlacesSyncUtils.bookmarks.guidToSyncId(guid);
-  },
-
   /**
    * GetPlacesNodeId
    *
@@ -438,19 +432,8 @@ Bookmark.prototype = {
    * @return nothing
    */
   SetKeyword: function(keyword) {
-    if (keyword != null) {
-      // Mirror logic from PlacesSyncUtils's updateBookmarkMetadata
-      let entry = Async.promiseSpinningly(PlacesUtils.keywords.fetch({
-        url: this.props.uri,
-      }));
-      if (entry) {
-        Async.promiseSpinningly(PlacesUtils.keywords.remove(entry));
-      }
-      Async.promiseSpinningly(PlacesUtils.keywords.insert({
-        keyword: keyword,
-        url: this.props.uri
-      }));
-    }
+    if (keyword != null)
+      PlacesUtils.bookmarks.setKeywordForBookmark(this.props.item_id, keyword);
   },
 
   /**
@@ -559,11 +542,11 @@ Bookmark.prototype = {
   Update: function() {
     Logger.AssertTrue(this.props.item_id != -1 && this.props.item_id != null,
       "Invalid item_id during Remove");
+    this.SetKeyword(this.updateProps.keyword);
     this.SetDescription(this.updateProps.description);
     this.SetLoadInSidebar(this.updateProps.loadInSidebar);
     this.SetTitle(this.updateProps.title);
     this.SetUri(this.updateProps.uri);
-    this.SetKeyword(this.updateProps.keyword);
     this.SetTags(this.updateProps.tags);
     this.SetLocation(this.updateProps.location);
     this.SetPosition(this.updateProps.position);
@@ -595,8 +578,7 @@ Bookmark.prototype = {
     if (!this.CheckDescription(this.props.description))
       return -1;
     if (this.props.keyword != null) {
-      let { keyword } = Async.promiseSpinningly(
-        PlacesSyncUtils.bookmarks.fetch(this.GetSyncId()));
+      let keyword = PlacesUtils.bookmarks.getKeywordForBookmark(this.props.item_id);
       if (keyword != this.props.keyword) {
         Logger.logPotentialError("Incorrect keyword - expected: " +
           this.props.keyword + ", actual: " + keyword +
diff --git a/services/sync/tps/extensions/tps/resource/modules/forms.jsm b/services/sync/tps/extensions/tps/resource/modules/forms.jsm
index deb1a28a57..ece2e14f7c 100644
--- a/services/sync/tps/extensions/tps/resource/modules/forms.jsm
+++ b/services/sync/tps/extensions/tps/resource/modules/forms.jsm
@@ -13,45 +13,74 @@ const {classes: Cc, interfaces: Ci, utils: Cu} = Components;
 
 Cu.import("resource://tps/logger.jsm");
 
-Cu.import("resource://gre/modules/FormHistory.jsm");
-Cu.import("resource://gre/modules/Log.jsm");
+let formService = Cc["@mozilla.org/satchel/form-history;1"]
+                  .getService(Ci.nsIFormHistory2);
 
 /**
  * FormDB
  *
- * Helper object containing methods to interact with the FormHistory module.
+ * Helper object containing methods to interact with the moz_formhistory
+ * SQLite table.
  */
-var FormDB = {
-  _update(data) {
-    return new Promise((resolve, reject) => {
-      let handlers = {
-        handleError(error) {
-          Logger.logError("Error occurred updating form history: " + Log.exceptionStr(error));
-          reject(error);
-        },
-        handleCompletion(reason) {
-          resolve();
-        }
-      }
-      FormHistory.update(data, handlers);
-    });
+let FormDB = {
+  /**
+   * makeGUID
+   *
+   * Generates a brand-new globally unique identifier (GUID).  Borrowed
+   * from Weave's utils.js.
+   *
+   * @return the new guid
+   */
+  makeGUID: function makeGUID() {
+    // 70 characters that are not-escaped URL-friendly
+    const code =
+      "!()*-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~";
+
+    let guid = "";
+    let num = 0;
+    let val;
+
+    // Generate ten 70-value characters for a 70^10 (~61.29-bit) GUID
+    for (let i = 0; i < 10; i++) {
+      // Refresh the number source after using it a few times
+      if (i == 0 || i == 5)
+        num = Math.random();
+
+      // Figure out which code to use for the next GUID character
+      num *= 70;
+      val = Math.floor(num);
+      guid += code[val];
+      num -= val;
+    }
+
+    return guid;
   },
 
   /**
    * insertValue
    *
-   * Adds the specified value for the specified fieldname into form history.
+   * Inserts the specified value for the specified fieldname into the
+   * moz_formhistory table.
    *
    * @param fieldname The form fieldname to insert
    * @param value The form value to insert
    * @param us The time, in microseconds, to use for the lastUsed
    *        and firstUsed columns
-   * @return Promise<undefined>
+   * @return nothing
    */
-  insertValue(fieldname, value, us) {
-    let data = { op: "add", fieldname, value, timesUsed: 1,
-                 firstUsed: us, lastUsed: us }
-    return this._update(data);
+  insertValue: function (fieldname, value, us) {
+    let query = this.createStatement(
+      "INSERT INTO moz_formhistory " +
+      "(fieldname, value, timesUsed, firstUsed, lastUsed, guid) VALUES " +
+      "(:fieldname, :value, :timesUsed, :firstUsed, :lastUsed, :guid)");
+    query.params.fieldname = fieldname;
+    query.params.value = value;
+    query.params.timesUsed = 1;
+    query.params.firstUsed = us;
+    query.params.lastUsed = us;
+    query.params.guid = this.makeGUID();
+    query.execute();
+    query.reset();
   },
 
   /**
@@ -61,10 +90,15 @@ var FormDB = {
    *
    * @param id The id of the row to update
    * @param newvalue The new value to set
-   * @return Promise<undefined>
+   * @return nothing
    */
-  updateValue(id, newvalue) {
-    return this._update({ op: "update", guid: id, value: newvalue });
+  updateValue: function (id, newvalue) {
+    let query = this.createStatement(
+      "UPDATE moz_formhistory SET value = :value WHERE id = :id");
+    query.params.id = id;
+    query.params.value = newvalue;
+    query.execute();
+    query.reset();
   },
 
   /**
@@ -75,44 +109,52 @@ var FormDB = {
    *
    * @param fieldname The fieldname of the row to query
    * @param value The value of the row to query
-   * @return Promise<null if no row is found with the specified fieldname and value,
-   *         or an object containing the row's guid, lastUsed, and firstUsed
-   *         values>
+   * @return null if no row is found with the specified fieldname and value,
+   *         or an object containing the row's id, lastUsed, and firstUsed
+   *         values
    */
-  getDataForValue(fieldname, value) {
-    return new Promise((resolve, reject) => {
-      let result = null;
-      let handlers = {
-        handleResult(oneResult) {
-          if (result != null) {
-            reject("more than 1 result for this query");
-            return;
-          }
-          result = oneResult;
-        },
-        handleError(error) {
-          Logger.logError("Error occurred updating form history: " + Log.exceptionStr(error));
-          reject(error);
-        },
-        handleCompletion(reason) {
-          resolve(result);
-        }
-      }
-      FormHistory.search(["guid", "lastUsed", "firstUsed"], { fieldname }, handlers);
-    });
+  getDataForValue: function (fieldname, value) {
+    let query = this.createStatement(
+      "SELECT id, lastUsed, firstUsed FROM moz_formhistory WHERE " +
+      "fieldname = :fieldname AND value = :value");
+    query.params.fieldname = fieldname;
+    query.params.value = value;
+    if (!query.executeStep())
+      return null;
+
+    return {
+      id: query.row.id,
+      lastUsed: query.row.lastUsed,
+      firstUsed: query.row.firstUsed
+    };
   },
 
   /**
-   * remove
+   * createStatement
    *
-   * Removes the specified GUID from the database.
+   * Creates a statement from a SQL string.  This function is borrowed
+   * from Weave's forms.js.
    *
-   * @param guid The guid of the item to delete
-   * @return Promise<>
+   * @param query The SQL query string
+   * @return the mozIStorageStatement created from the specified SQL
    */
-   remove(guid) {
-    return this._update({ op: "remove", guid });
-  },
+  createStatement: function createStatement(query) {
+    try {
+      // Just return the statement right away if it's okay
+      return formService.DBConnection.createStatement(query);
+    }
+    catch(ex) {
+      // Assume guid column must not exist yet, so add it with an index
+      formService.DBConnection.executeSimpleSQL(
+        "ALTER TABLE moz_formhistory ADD COLUMN guid TEXT");
+      formService.DBConnection.executeSimpleSQL(
+        "CREATE INDEX IF NOT EXISTS moz_formhistory_guid_index " +
+        "ON moz_formhistory (guid)");
+    }
+
+    // Try creating the query now that the column exists
+    return formService.DBConnection.createStatement(query);
+  }
 };
 
 /**
@@ -162,18 +204,18 @@ FormData.prototype = {
     Logger.AssertTrue(this.fieldname != null && this.value != null,
       "Must specify both fieldname and value");
 
-    return FormDB.getDataForValue(this.fieldname, this.value).then(formdata => {
-      if (!formdata) {
-        // this item doesn't exist yet in the db, so we need to insert it
-        return FormDB.insertValue(this.fieldname, this.value,
-                                  this.hours_to_us(this.date));
-      } else {
-        /* Right now, we ignore this case.  If bug 552531 is ever fixed,
-           we might need to add code here to update the firstUsed or
-           lastUsed fields, as appropriate.
-         */
-      }
-    });
+    let formdata = FormDB.getDataForValue(this.fieldname, this.value);
+    if (!formdata) {
+      // this item doesn't exist yet in the db, so we need to insert it
+      FormDB.insertValue(this.fieldname, this.value,
+                         this.hours_to_us(this.date));
+    }
+    else {
+      /* Right now, we ignore this case.  If bug 552531 is ever fixed,
+         we might need to add code here to update the firstUsed or
+         lastUsed fields, as appropriate.
+       */
+    }
   },
 
   /**
@@ -185,22 +227,21 @@ FormData.prototype = {
    * @return true if this entry exists in the database, otherwise false
    */
   Find: function() {
-    return FormDB.getDataForValue(this.fieldname, this.value).then(formdata => {
-      let status = formdata != null;
-      if (status) {
-        /*
-        //form history dates currently not synced!  bug 552531
-        let us = this.hours_to_us(this.date);
-        status = Logger.AssertTrue(
-          us >= formdata.firstUsed && us <= formdata.lastUsed,
-          "No match for with that date value");
-
-        if (status)
-        */
-          this.id = formdata.guid;
-      }
-      return status;
-    });
+    let formdata = FormDB.getDataForValue(this.fieldname, this.value);
+    let status = formdata != null;
+    if (status) {
+      /*
+      //form history dates currently not synced!  bug 552531
+      let us = this.hours_to_us(this.date);
+      status = Logger.AssertTrue(
+        us >= formdata.firstUsed && us <= formdata.lastUsed,
+        "No match for with that date value");
+
+      if (status)
+      */
+        this.id = formdata.id;
+    }
+    return status;
   },
 
   /**
@@ -214,6 +255,7 @@ FormData.prototype = {
   Remove: function() {
     /* Right now Weave doesn't handle this correctly, see bug 568363.
      */
-    return FormDB.remove(this.id);
+    formService.removeEntry(this.fieldname, this.value);
+    return true;
   },
 };
diff --git a/services/sync/tps/extensions/tps/resource/modules/history.jsm b/services/sync/tps/extensions/tps/resource/modules/history.jsm
index 78deb42ab8..3e750a5f0f 100644
--- a/services/sync/tps/extensions/tps/resource/modules/history.jsm
+++ b/services/sync/tps/extensions/tps/resource/modules/history.jsm
@@ -70,8 +70,8 @@ var HistoryEntry = {
       "WHERE place_id = (" +
         "SELECT id " +
         "FROM moz_places " +
-        "WHERE url_hash = hash(:url) AND url = :url) " +
-      "ORDER BY date DESC LIMIT 20");
+        "WHERE url = :url) " +
+      "ORDER BY date DESC LIMIT 10");
     this.__defineGetter__("_visitStm", () => stm);
     return stm;
   },
@@ -189,16 +189,9 @@ var HistoryEntry = {
       PlacesUtils.history.removePagesFromHost(item.host, false);
     }
     else if ("begin" in item && "end" in item) {
-      let cb = Async.makeSpinningCallback();
-      let msSinceEpoch = parseInt(usSinceEpoch / 1000);
-      let filter = {
-        beginDate: new Date(msSinceEpoch + (item.begin * 60 * 60 * 1000)),
-        endDate: new Date(msSinceEpoch + (item.end * 60 * 60 * 1000))
-      };
-      PlacesUtils.history.removeVisitsByFilter(filter)
-      .catch(ex => Logger.AssertTrue(false, "An error occurred while deleting history: " + ex))
-      .then(result => {cb(null, result)}, err => {cb(err)});
-      Async.waitForSyncCallback(cb);
+      PlacesUtils.history.removeVisitsByTimeframe(
+          usSinceEpoch + (item.begin * 60 * 60 * 1000 * 1000),
+          usSinceEpoch + (item.end * 60 * 60 * 1000 * 1000));
     }
     else {
       Logger.AssertTrue(false, "invalid entry in delete history");
diff --git a/services/sync/tps/extensions/tps/resource/tps.jsm b/services/sync/tps/extensions/tps/resource/tps.jsm
index f4cc0214aa..ca3e4d578e 100644
--- a/services/sync/tps/extensions/tps/resource/tps.jsm
+++ b/services/sync/tps/extensions/tps/resource/tps.jsm
@@ -14,21 +14,13 @@ const {classes: Cc, interfaces: Ci, utils: Cu} = Components;
 var module = this;
 
 // Global modules
-Cu.import("resource://gre/modules/Log.jsm");
 Cu.import("resource://gre/modules/XPCOMUtils.jsm");
 Cu.import("resource://gre/modules/Services.jsm");
-Cu.import("resource://gre/modules/AppConstants.jsm");
-Cu.import("resource://gre/modules/PlacesUtils.jsm");
-Cu.import("resource://gre/modules/FileUtils.jsm");
 Cu.import("resource://services-common/async.js");
 Cu.import("resource://services-sync/constants.js");
 Cu.import("resource://services-sync/main.js");
 Cu.import("resource://services-sync/util.js");
-Cu.import("resource://services-sync/telemetry.js");
-Cu.import("resource://services-sync/bookmark_validator.js");
-Cu.import("resource://services-sync/engines/passwords.js");
-Cu.import("resource://services-sync/engines/forms.js");
-Cu.import("resource://services-sync/engines/addons.js");
+
 // TPS modules
 Cu.import("resource://tps/logger.jsm");
 
@@ -50,11 +42,6 @@ var prefs = Cc["@mozilla.org/preferences-service;1"]
 var mozmillInit = {};
 Cu.import('resource://mozmill/driver/mozmill.js', mozmillInit);
 
-XPCOMUtils.defineLazyGetter(this, "fileProtocolHandler", () => {
-  let fileHandler = Services.io.getProtocolHandler("file");
-  return fileHandler.QueryInterface(Ci.nsIFileProtocolHandler);
-});
-
 // Options for wiping data during a sync
 const SYNC_RESET_CLIENT = "resetClient";
 const SYNC_WIPE_CLIENT  = "wipeClient";
@@ -90,7 +77,7 @@ const ACTIONS = [
 const OBSERVER_TOPICS = ["fxaccounts:onlogin",
                          "fxaccounts:onlogout",
                          "private-browsing",
-                         "profile-before-change",
+                         "quit-application-requested",
                          "sessionstore-windows-restored",
                          "weave:engine:start-tracking",
                          "weave:engine:stop-tracking",
@@ -107,14 +94,13 @@ var TPS = {
   _currentPhase: -1,
   _enabledEngines: null,
   _errors: 0,
+  _finalPhase: false,
   _isTracking: false,
   _operations_pending: 0,
   _phaseFinished: false,
   _phaselist: {},
   _setupComplete: false,
   _syncActive: false,
-  _syncCount: 0,
-  _syncsReportedViaTelemetry: 0,
   _syncErrors: 0,
   _syncWipeAction: null,
   _tabsAdded: 0,
@@ -122,18 +108,12 @@ var TPS = {
   _test: null,
   _triggeredSync: false,
   _usSinceEpoch: 0,
-  _requestedQuit: false,
-  shouldValidateAddons: false,
-  shouldValidateBookmarks: false,
-  shouldValidatePasswords: false,
-  shouldValidateForms: false,
 
   _init: function TPS__init() {
     // Check if Firefox Accounts is enabled
     let service = Cc["@mozilla.org/weave/service;1"]
                   .getService(Components.interfaces.nsISupports)
                   .wrappedJSObject;
-    this.fxaccounts_enabled = service.fxAccountsEnabled;
 
     this.delayAutoSync();
 
@@ -141,27 +121,13 @@ var TPS = {
       Services.obs.addObserver(this, aTopic, true);
     }, this);
 
-    // Configure some logging prefs for Sync itself.
-    Weave.Svc.Prefs.set("log.appender.dump", "Debug");
     // Import the appropriate authentication module
-    if (this.fxaccounts_enabled) {
-      Cu.import("resource://tps/auth/fxaccounts.jsm", module);
-    }
-    else {
-      Cu.import("resource://tps/auth/sync.jsm", module);
-    }
+    Cu.import("resource://tps/auth/sync.jsm", module);
   },
 
-  DumpError(msg, exc = null) {
+  DumpError: function TPS__DumpError(msg) {
     this._errors++;
-    let errInfo;
-    if (exc) {
-      errInfo = Log.exceptionStr(exc); // includes details and stack-trace.
-    } else {
-      // always write a stack even if no error passed.
-      errInfo = Log.stackTrace(new Error());
-    }
-    Logger.logError(`[phase ${this._currentPhase}] ${msg} - ${errInfo}`);
+    Logger.logError("[phase" + this._currentPhase + "] " + msg);
     this.quit();
   },
 
@@ -177,7 +143,14 @@ var TPS = {
           Logger.logInfo("private browsing " + data);
           break;
 
-        case "profile-before-change":
+        case "quit-application-requested":
+          // Ensure that we eventually wipe the data on the server
+          if (this._errors || !this._phaseFinished || this._finalPhase) {
+            try {
+              this.WipeServer();
+            } catch (ex) {}
+          }
+
           OBSERVER_TOPICS.forEach(function(topic) {
             Services.obs.removeObserver(this, topic);
           }, this);
@@ -253,7 +226,7 @@ var TPS = {
       }
     }
     catch (e) {
-      this.DumpError("Observer failed", e);
+      this.DumpError("Exception caught: " + Utils.exceptionStr(e));
       return;
     }
   },
@@ -286,7 +259,6 @@ var TPS = {
   },
 
   quit: function TPS__quit() {
-    this._requestedQuit = true;
     this.goQuitApplication();
   },
 
@@ -371,25 +343,23 @@ var TPS = {
   },
 
   HandleForms: function (data, action) {
-    this.shouldValidateForms = true;
     for (let datum of data) {
       Logger.logInfo("executing action " + action.toUpperCase() +
                      " on form entry " + JSON.stringify(datum));
       let formdata = new FormData(datum, this._usSinceEpoch);
       switch(action) {
         case ACTION_ADD:
-          Async.promiseSpinningly(formdata.Create());
+          formdata.Create();
           break;
         case ACTION_DELETE:
-          Async.promiseSpinningly(formdata.Remove());
+          formdata.Remove();
           break;
         case ACTION_VERIFY:
-          Logger.AssertTrue(Async.promiseSpinningly(formdata.Find()),
-                            "form data not found");
+          Logger.AssertTrue(formdata.Find(), "form data not found");
           break;
         case ACTION_VERIFY_NOT:
-          Logger.AssertTrue(!Async.promiseSpinningly(formdata.Find()),
-                            "form data found, but it shouldn't be present");
+          Logger.AssertTrue(!formdata.Find(),
+            "form data found, but it shouldn't be present");
           break;
         default:
           Logger.AssertTrue(false, "invalid action: " + action);
@@ -433,32 +403,31 @@ var TPS = {
   },
 
   HandlePasswords: function (passwords, action) {
-    this.shouldValidatePasswords = true;
     try {
       for (let password of passwords) {
         let password_id = -1;
         Logger.logInfo("executing action " + action.toUpperCase() +
                       " on password " + JSON.stringify(password));
-        let passwordOb = new Password(password);
+        var password = new Password(password);
         switch (action) {
           case ACTION_ADD:
-            Logger.AssertTrue(passwordOb.Create() > -1, "error adding password");
+            Logger.AssertTrue(password.Create() > -1, "error adding password");
             break;
           case ACTION_VERIFY:
-            Logger.AssertTrue(passwordOb.Find() != -1, "password not found");
+            Logger.AssertTrue(password.Find() != -1, "password not found");
             break;
           case ACTION_VERIFY_NOT:
-            Logger.AssertTrue(passwordOb.Find() == -1,
+            Logger.AssertTrue(password.Find() == -1,
               "password found, but it shouldn't exist");
             break;
           case ACTION_DELETE:
-            Logger.AssertTrue(passwordOb.Find() != -1, "password not found");
-            passwordOb.Remove();
+            Logger.AssertTrue(password.Find() != -1, "password not found");
+            password.Remove();
             break;
           case ACTION_MODIFY:
-            if (passwordOb.updateProps != null) {
-              Logger.AssertTrue(passwordOb.Find() != -1, "password not found");
-              passwordOb.Update();
+            if (password.updateProps != null) {
+              Logger.AssertTrue(password.Find() != -1, "password not found");
+              password.Update();
             }
             break;
           default:
@@ -475,7 +444,6 @@ var TPS = {
   },
 
   HandleAddons: function (addons, action, state) {
-    this.shouldValidateAddons = true;
     for (let entry of addons) {
       Logger.logInfo("executing action " + action.toUpperCase() +
                      " on addon " + JSON.stringify(entry));
@@ -505,10 +473,9 @@ var TPS = {
   },
 
   HandleBookmarks: function (bookmarks, action) {
-    this.shouldValidateBookmarks = true;
     try {
       let items = [];
-      for (let folder in bookmarks) {
+      for (folder in bookmarks) {
         let last_item_pos = -1;
         for (let bookmark of bookmarks[folder]) {
           Logger.clearPotentialError();
@@ -597,163 +564,10 @@ var TPS = {
     Logger.logInfo("mozmill setTest: " + obj.name);
   },
 
-  Cleanup() {
-    try {
-      this.WipeServer();
-    } catch (ex) {
-      Logger.logError("Failed to wipe server: " + Log.exceptionStr(ex));
-    }
-    try {
-      if (Authentication.isLoggedIn) {
-        // signout and wait for Sync to completely reset itself.
-        Logger.logInfo("signing out");
-        let waiter = this.createEventWaiter("weave:service:start-over:finish");
-        Authentication.signOut();
-        waiter();
-        Logger.logInfo("signout complete");
-      }
-    } catch (e) {
-      Logger.logError("Failed to sign out: " + Log.exceptionStr(e));
-    }
-  },
-
-  /**
-   * Use Sync's bookmark validation code to see if we've corrupted the tree.
-   */
-  ValidateBookmarks() {
-
-    let getServerBookmarkState = () => {
-      let bookmarkEngine = Weave.Service.engineManager.get('bookmarks');
-      let collection = bookmarkEngine.itemSource();
-      let collectionKey = bookmarkEngine.service.collectionKeys.keyForCollection(bookmarkEngine.name);
-      collection.full = true;
-      let items = [];
-      collection.recordHandler = function(item) {
-        item.decrypt(collectionKey);
-        items.push(item.cleartext);
-      };
-      collection.get();
-      return items;
-    };
-    let serverRecordDumpStr;
-    try {
-      Logger.logInfo("About to perform bookmark validation");
-      let clientTree = Async.promiseSpinningly(PlacesUtils.promiseBookmarksTree("", {
-        includeItemIds: true
-      }));
-      let serverRecords = getServerBookmarkState();
-      // We can't wait until catch to stringify this, since at that point it will have cycles.
-      serverRecordDumpStr = JSON.stringify(serverRecords);
-
-      let validator = new BookmarkValidator();
-      let {problemData} = validator.compareServerWithClient(serverRecords, clientTree);
-
-      for (let {name, count} of problemData.getSummary()) {
-        // Exclude mobile showing up on the server hackily so that we don't
-        // report it every time, see bug 1273234 and 1274394 for more information.
-        if (name === "serverUnexpected" && problemData.serverUnexpected.indexOf("mobile") >= 0) {
-          --count;
-        }
-        if (count) {
-          // Log this out before we assert. This is useful in the context of TPS logs, since we
-          // can see the IDs in the test files.
-          Logger.logInfo(`Validation problem: "${name}": ${JSON.stringify(problemData[name])}`);
-        }
-        Logger.AssertEqual(count, 0, `Bookmark validation error of type ${name}`);
-      }
-    } catch (e) {
-      // Dump the client records (should always be doable)
-      DumpBookmarks();
-      // Dump the server records if gotten them already.
-      if (serverRecordDumpStr) {
-        Logger.logInfo("Server bookmark records:\n" + serverRecordDumpStr + "\n");
-      }
-      this.DumpError("Bookmark validation failed", e);
-    }
-    Logger.logInfo("Bookmark validation finished");
-  },
-
-  ValidateCollection(engineName, ValidatorType) {
-    let serverRecordDumpStr;
-    let clientRecordDumpStr;
-    try {
-      Logger.logInfo(`About to perform validation for "${engineName}"`);
-      let engine = Weave.Service.engineManager.get(engineName);
-      let validator = new ValidatorType(engine);
-      let serverRecords = validator.getServerItems(engine);
-      let clientRecords = Async.promiseSpinningly(validator.getClientItems());
-      try {
-        // This substantially improves the logs for addons while not making a
-        // substantial difference for the other two
-        clientRecordDumpStr = JSON.stringify(clientRecords.map(r => {
-          let res = validator.normalizeClientItem(r);
-          delete res.original; // Try and prevent cyclic references
-          return res;
-        }));
-      } catch (e) {
-        // ignore the error, the dump string is just here to make debugging easier.
-        clientRecordDumpStr = "<Cyclic value>";
-      }
-      try {
-        serverRecordDumpStr = JSON.stringify(serverRecords);
-      } catch (e) {
-        // as above
-        serverRecordDumpStr = "<Cyclic value>";
-      }
-      let { problemData } = validator.compareClientWithServer(clientRecords, serverRecords);
-      for (let { name, count } of problemData.getSummary()) {
-        if (count) {
-          Logger.logInfo(`Validation problem: "${name}": ${JSON.stringify(problemData[name])}`);
-        }
-        Logger.AssertEqual(count, 0, `Validation error for "${engineName}" of type "${name}"`);
-      }
-    } catch (e) {
-      // Dump the client records if possible
-      if (clientRecordDumpStr) {
-        Logger.logInfo(`Client state for ${engineName}:\n${clientRecordDumpStr}\n`);
-      }
-      // Dump the server records if gotten them already.
-      if (serverRecordDumpStr) {
-        Logger.logInfo(`Server state for ${engineName}:\n${serverRecordDumpStr}\n`);
-      }
-      this.DumpError(`Validation failed for ${engineName}`, e);
-    }
-    Logger.logInfo(`Validation finished for ${engineName}`);
-  },
-
-  ValidatePasswords() {
-    return this.ValidateCollection("passwords", PasswordValidator);
-  },
-
-  ValidateForms() {
-    return this.ValidateCollection("forms", FormValidator);
-  },
-
-  ValidateAddons() {
-    return this.ValidateCollection("addons", AddonValidator);
-  },
-
   RunNextTestAction: function() {
     try {
       if (this._currentAction >=
-          this._phaselist[this._currentPhase].length) {
-        // Run necessary validations and then finish up
-        if (this.shouldValidateBookmarks) {
-          this.ValidateBookmarks();
-        }
-        if (this.shouldValidatePasswords) {
-          this.ValidatePasswords();
-        }
-        if (this.shouldValidateForms) {
-          this.ValidateForms();
-        }
-        if (this.shouldValidateAddons) {
-          this.ValidateAddons();
-        }
-        // Force this early so that we run the validation and detect missing pings
-        // *before* we start shutting down, since if we do it after, the python
-        // code won't notice the failure.
-        SyncTelemetry.shutdown();
+          this._phaselist["phase" + this._currentPhase].length) {
         // we're all done
         Logger.logInfo("test phase " + this._currentPhase + ": " +
                        (this._errors ? "FAIL" : "PASS"));
@@ -761,7 +575,7 @@ var TPS = {
         this.quit();
         return;
       }
-      this.seconds_since_epoch = prefs.getIntPref("tps.seconds_since_epoch", 0);
+
       if (this.seconds_since_epoch)
         this._usSinceEpoch = this.seconds_since_epoch * 1000 * 1000;
       else {
@@ -769,7 +583,7 @@ var TPS = {
         return;
       }
 
-      let phase = this._phaselist[this._currentPhase];
+      let phase = this._phaselist["phase" + this._currentPhase];
       let action = phase[this._currentAction];
       Logger.logInfo("starting action: " + action[0].name);
       action[0].apply(this, action.slice(1));
@@ -781,64 +595,12 @@ var TPS = {
       this._currentAction++;
     }
     catch(e) {
-      if (Async.isShutdownException(e)) {
-        if (this._requestedQuit) {
-          Logger.logInfo("Sync aborted due to requested shutdown");
-        } else {
-          this.DumpError("Sync aborted due to shutdown, but we didn't request it");
-        }
-      } else {
-        this.DumpError("RunNextTestAction failed", e);
-      }
+      this.DumpError("Exception caught: " + Utils.exceptionStr(e));
       return;
     }
     this.RunNextTestAction();
   },
 
-  _getFileRelativeToSourceRoot(testFileURL, relativePath) {
-    let file = fileProtocolHandler.getFileFromURLSpec(testFileURL);
-    let root = file // <root>/services/sync/tests/tps/test_foo.js
-      .parent // <root>/services/sync/tests/tps
-      .parent // <root>/services/sync/tests
-      .parent // <root>/services/sync
-      .parent // <root>/services
-      .parent // <root>
-      ;
-    root.appendRelativePath(relativePath);
-    return root;
-  },
-
-  // Attempt to load the sync_ping_schema.json and initialize `this.pingValidator`
-  // based on the source of the tps file. Assumes that it's at "../unit/sync_ping_schema.json"
-  // relative to the directory the tps test file (testFile) is contained in.
-  _tryLoadPingSchema(testFile) {
-    try {
-      let schemaFile = this._getFileRelativeToSourceRoot(testFile,
-        "services/sync/tests/unit/sync_ping_schema.json");
-
-      let stream = Cc["@mozilla.org/network/file-input-stream;1"]
-                   .createInstance(Ci.nsIFileInputStream);
-
-      let jsonReader = Cc["@mozilla.org/dom/json;1"]
-                       .createInstance(Components.interfaces.nsIJSON);
-
-      stream.init(schemaFile, FileUtils.MODE_RDONLY, FileUtils.PERMS_FILE, 0);
-      let schema = jsonReader.decodeFromStream(stream, stream.available());
-      Logger.logInfo("Successfully loaded schema")
-
-      // Importing resource://testing-common/* isn't possible from within TPS,
-      // so we load Ajv manually.
-      let ajvFile = this._getFileRelativeToSourceRoot(testFile, "testing/modules/ajv-4.1.1.js");
-      let ajvURL = fileProtocolHandler.getURLSpecFromFile(ajvFile);
-      let ns = {};
-      Cu.import(ajvURL, ns);
-      let ajv = new ns.Ajv({ async: "co*" });
-      this.pingValidator = ajv.compile(schema);
-    } catch (e) {
-      this.DumpError(`Failed to load ping schema and AJV relative to "${testFile}".`, e);
-    }
-  },
-
   /**
    * Runs a single test phase.
    *
@@ -870,11 +632,8 @@ var TPS = {
 
       Logger.init(logpath);
       Logger.logInfo("Sync version: " + WEAVE_VERSION);
-      Logger.logInfo("Firefox buildid: " + Services.appinfo.appBuildID);
-      Logger.logInfo("Firefox version: " + Services.appinfo.version);
-      Logger.logInfo("Firefox source revision: " + (AppConstants.SOURCE_REVISION_URL || "unknown"));
-      Logger.logInfo("Firefox platform: " + AppConstants.platform);
-      Logger.logInfo('Firefox Accounts enabled: ' + this.fxaccounts_enabled);
+      Logger.logInfo(Services.appinfo.name + " buildid: " + Services.appinfo.appBuildID);
+      Logger.logInfo(Services.appinfo.name + " version: " + Services.appinfo.version);
 
       // do some sync housekeeping
       if (Weave.Service.isLoggedIn) {
@@ -887,15 +646,12 @@ var TPS = {
         this.waitForEvent("weave:service:ready");
       }
 
-      // We only want to do this if we modified the bookmarks this phase.
-      this.shouldValidateBookmarks = false;
-
       // Always give Sync an extra tick to initialize. If we waited for the
       // service:ready event, this is required to ensure all handlers have
       // executed.
       Utils.nextTick(this._executeTestPhase.bind(this, file, phase, settings));
     } catch(e) {
-      this.DumpError("RunTestPhase failed", e);
+      this.DumpError("Exception caught: " + Utils.exceptionStr(e));
       return;
     }
   },
@@ -907,28 +663,17 @@ var TPS = {
    */
   _executeTestPhase: function _executeTestPhase(file, phase, settings) {
     try {
-      this.config = JSON.parse(prefs.getCharPref('tps.config'));
       // parse the test file
       Services.scriptloader.loadSubScript(file, this);
       this._currentPhase = phase;
-      if (this._currentPhase.startsWith("cleanup-")) {
-        let profileToClean = Cc["@mozilla.org/toolkit/profile-service;1"]
-                             .getService(Ci.nsIToolkitProfileService)
-                             .selectedProfile.name;
-        this.phases[this._currentPhase] = profileToClean;
-        this.Phase(this._currentPhase, [[this.Cleanup]]);
-      } else {
-        // Don't bother doing this for cleanup phases.
-        this._tryLoadPingSchema(file);
-      }
-      let this_phase = this._phaselist[this._currentPhase];
+      let this_phase = this._phaselist["phase" + this._currentPhase];
 
       if (this_phase == undefined) {
         this.DumpError("invalid phase " + this._currentPhase);
         return;
       }
 
-      if (this.phases[this._currentPhase] == undefined) {
+      if (this.phases["phase" + this._currentPhase] == undefined) {
         this.DumpError("no profile defined for phase " + this._currentPhase);
         return;
       }
@@ -948,66 +693,49 @@ var TPS = {
           }
         }
       }
-      Logger.logInfo("Starting phase " + this._currentPhase);
 
-      Logger.logInfo("setting client.name to " + this.phases[this._currentPhase]);
-      Weave.Svc.Prefs.set("client.name", this.phases[this._currentPhase]);
+      Logger.logInfo("Starting phase " + parseInt(phase, 10) + "/" +
+                     Object.keys(this._phaselist).length);
+
+      Logger.logInfo("setting client.name to " + this.phases["phase" + this._currentPhase]);
+      Weave.Svc.Prefs.set("client.name", this.phases["phase" + this._currentPhase]);
+
+      // TODO Phases should be defined in a data type that has strong
+      // ordering, not by lexical sorting.
+      let currentPhase = parseInt(this._currentPhase, 10);
+
+      // Login at the beginning of the test.
+      if (currentPhase <= 1) {
+        this_phase.unshift([this.Login]);
+      }
+
+      // Wipe the server at the end of the final test phase.
+      if (currentPhase >= Object.keys(this.phases).length) {
+        this._finalPhase = true;
+      }
+
+      // If a custom server was specified, set it now
+      if (this.config["serverURL"]) {
+        Weave.Service.serverURL = this.config.serverURL;
+        prefs.setCharPref('tps.serverURL', this.config.serverURL);
+      }
 
-      this._interceptSyncTelemetry();
+      // Store account details as prefs so they're accessible to the Mozmill
+      // framework.
+      prefs.setCharPref('tps.account.username', this.config.sync_account.username);
+      prefs.setCharPref('tps.account.password', this.config.sync_account.password);
+      prefs.setCharPref('tps.account.passphrase', this.config.sync_account.passphrase);
 
       // start processing the test actions
       this._currentAction = 0;
     }
     catch(e) {
-      this.DumpError("_executeTestPhase failed", e);
+      this.DumpError("Exception caught: " + Utils.exceptionStr(e));
       return;
     }
   },
 
   /**
-   * Override sync telemetry functions so that we can detect errors generating
-   * the sync ping, and count how many pings we report.
-   */
-  _interceptSyncTelemetry() {
-    let originalObserve = SyncTelemetry.observe;
-    let self = this;
-    SyncTelemetry.observe = function() {
-      try {
-        originalObserve.apply(this, arguments);
-      } catch (e) {
-        self.DumpError("Error when generating sync telemetry", e);
-      }
-    };
-    SyncTelemetry.submit = record => {
-      Logger.logInfo("Intercepted sync telemetry submission: " + JSON.stringify(record));
-      this._syncsReportedViaTelemetry += record.syncs.length + (record.discarded || 0);
-      if (record.discarded) {
-        if (record.syncs.length != SyncTelemetry.maxPayloadCount) {
-          this.DumpError("Syncs discarded from ping before maximum payload count reached");
-        }
-      }
-      // If this is the shutdown ping, check and see that the telemetry saw all the syncs.
-      if (record.why === "shutdown") {
-        // If we happen to sync outside of tps manually causing it, its not an
-        // error in the telemetry, so we only complain if we didn't see all of them.
-        if (this._syncsReportedViaTelemetry < this._syncCount) {
-          this.DumpError(`Telemetry missed syncs: Saw ${this._syncsReportedViaTelemetry}, should have >= ${this._syncCount}.`);
-        }
-      }
-      if (!record.syncs.length) {
-        // Note: we're overwriting submit, so this is called even for pings that
-        // may have no data (which wouldn't be submitted to telemetry and would
-        // fail validation).
-        return;
-      }
-      if (!this.pingValidator(record)) {
-        // Note that we already logged the record.
-        this.DumpError("Sync ping validation failed with errors: " + JSON.stringify(this.pingValidator.errors));
-      }
-    };
-  },
-
-  /**
    * Register a single phase with the test harness.
    *
    * This is called when loading individual test files.
@@ -1018,10 +746,6 @@ var TPS = {
    *         Array of functions/actions to perform.
    */
   Phase: function Test__Phase(phasename, fnlist) {
-    if (Object.keys(this._phaselist).length === 0) {
-      // This is the first phase, add that we need to login.
-      fnlist.unshift([this.Login]);
-    }
     this._phaselist[phasename] = fnlist;
   },
 
@@ -1067,56 +791,28 @@ var TPS = {
   },
 
   /**
-   * Return an object that when called, will block until the named event
-   * is observed. This is similar to waitForEvent, although is typically safer
-   * if you need to do some other work that may make the event fire.
-   *
-   * eg:
-   *    doSomething(); // causes the event to be fired.
-   *    waitForEvent("something");
-   * is risky as the call to doSomething may trigger the event before the
-   * waitForEvent call is made. Contrast with:
-   *
-   *   let waiter = createEventWaiter("something"); // does *not* block.
-   *   doSomething(); // causes the event to be fired.
-   *   waiter(); // will return as soon as the event fires, even if it fires
-   *             // before this function is called.
-   *
-   * @param aEventName
-   *        String event to wait for.
-   */
-  createEventWaiter(aEventName) {
-    Logger.logInfo("Setting up wait for " + aEventName + "...");
-    let cb = Async.makeSpinningCallback();
-    Svc.Obs.add(aEventName, cb);
-    return function() {
-      try {
-        cb.wait();
-      } finally {
-        Svc.Obs.remove(aEventName, cb);
-        Logger.logInfo(aEventName + " observed!");
-      }
-    }
-  },
-
-
-  /**
    * Synchronously wait for the named event to be observed.
    *
    * When the event is observed, the function will wait an extra tick before
    * returning.
    *
-   * Note that in general, you should probably use createEventWaiter unless you
-   * are 100% sure that the event being waited on can only be sent after this
-   * call adds the listener.
-   *
    * @param aEventName
    *        String event to wait for.
    */
   waitForEvent: function waitForEvent(aEventName) {
-    this.createEventWaiter(aEventName)();
+    Logger.logInfo("Waiting for " + aEventName + "...");
+    let cb = Async.makeSpinningCallback();
+    Svc.Obs.add(aEventName, cb);
+    cb.wait();
+    Svc.Obs.remove(aEventName, cb);
+    Logger.logInfo(aEventName + " observed!");
+
+    cb = Async.makeSpinningCallback();
+    Utils.nextTick(cb);
+    cb.wait();
   },
 
+
   /**
    * Waits for Sync to logged in before returning
    */
@@ -1153,18 +849,11 @@ var TPS = {
     }
 
     Logger.logInfo("Setting client credentials and login.");
-    let account = this.fxaccounts_enabled ? this.config.fx_account
-                                          : this.config.sync_account;
+    let account = this.config.sync_account;
     Authentication.signIn(account);
     this.waitForSetupComplete();
     Logger.AssertEqual(Weave.Status.service, Weave.STATUS_OK, "Weave status OK");
     this.waitForTracking();
-    // If fxaccounts is enabled we get an initial sync at login time - let
-    // that complete.
-    if (this.fxaccounts_enabled) {
-      this._triggeredSync = true;
-      this.waitForSyncFinished();
-    }
   },
 
   /**
@@ -1189,12 +878,10 @@ var TPS = {
     }
 
     this.Login(false);
-    ++this._syncCount;
 
     this._triggeredSync = true;
     this.StartAsyncOperation();
     Weave.Service.sync();
-    Logger.logInfo("Sync is complete");
   },
 
   WipeServer: function TPS__WipeServer() {
@@ -1230,9 +917,6 @@ var Addons = {
   verifyNot: function Addons__verifyNot(addons) {
     TPS.HandleAddons(addons, ACTION_VERIFY_NOT);
   },
-  skipValidation() {
-    TPS.shouldValidateAddons = false;
-  }
 };
 
 var Bookmarks = {
@@ -1250,9 +934,6 @@ var Bookmarks = {
   },
   verifyNot: function Bookmarks__verifyNot(bookmarks) {
     TPS.HandleBookmarks(bookmarks, ACTION_VERIFY_NOT);
-  },
-  skipValidation() {
-    TPS.shouldValidateBookmarks = false;
   }
 };
 
@@ -1301,9 +982,6 @@ var Passwords = {
   },
   verifyNot: function Passwords__verifyNot(passwords) {
     this.HandlePasswords(passwords, ACTION_VERIFY_NOT);
-  },
-  skipValidation() {
-    TPS.shouldValidatePasswords = false;
   }
 };
 
@@ -1337,4 +1015,4 @@ var Windows = {
 };
 
 // Initialize TPS
-TPS._init();
+TPS._init();
\ No newline at end of file
diff --git a/toolkit/components/microformats/update/package.json b/toolkit/components/microformats/update/package.json
index 8f829439f1..3719866940 100644
--- a/toolkit/components/microformats/update/package.json
+++ b/toolkit/components/microformats/update/package.json
@@ -16,6 +16,6 @@
 	"dependencies": {
 		"download-github-repo": "0.1.x",
 		"fs-extra": "0.19.x",
-		"request": "2.58.x"
+		"request": ">=2.68.0"
 	}
-}
\ No newline at end of file
+}
diff --git a/toolkit/content/browser-content.js b/toolkit/content/browser-content.js
index e1114672c1..2276f8a0d1 100644
--- a/toolkit/content/browser-content.js
+++ b/toolkit/content/browser-content.js
@@ -841,35 +841,6 @@ var FindBar = {
         fakeEvent[k] = event[k];
       }
     }
-#ifdef MC_PALEMOON
-    let findBarId = "FindToolbar";
-    // The FindBar is in the chrome window's context, not in tabbrowser
-    // - see also bug 537013
-    let chromeWin = null;
-    try {
-       chromeWin = content
-         .QueryInterface(Ci.nsIInterfaceRequestor)
-         .getInterface(Ci.nsIWebNavigation)
-         .QueryInterface(Ci.nsIDocShellTreeItem)
-         .rootTreeItem
-         .QueryInterface(Ci.nsIInterfaceRequestor)
-         .getInterface(Ci.nsIDOMWindow)
-         .QueryInterface(Ci.nsIDOMChromeWindow);
-    } catch (e) {
-      Cu.reportError(
-          "The FindBar - the chrome window's context was not detected:\n" + e);
-    }
-    if (chromeWin && chromeWin.document.getElementById(findBarId)) {
-      try {
-        chromeWin.document.getElementById(findBarId)
-            .browser = Services.wm.getMostRecentWindow("navigator:browser")
-                .gBrowser.mCurrentBrowser;
-      } catch (e) {
-        Cu.reportError(
-            "The FindBar - cannot set the property 'browser':\n" + e);
-      }
-    }
-#endif
 
     // sendSyncMessage returns an array of the responses from all listeners
     let rv = sendSyncMessage("Findbar:Keypress", {
diff --git a/toolkit/content/jar.mn b/toolkit/content/jar.mn
index c11d3abed4..e1d432cb34 100644
--- a/toolkit/content/jar.mn
+++ b/toolkit/content/jar.mn
@@ -39,7 +39,7 @@ toolkit.jar:
    content/global/plugins.html
    content/global/plugins.css
    content/global/browser-child.js
-*  content/global/browser-content.js
+   content/global/browser-content.js
 *  content/global/buildconfig.html
    content/global/contentAreaUtils.js
 #ifndef MOZ_FENNEC
diff --git a/toolkit/library/dummydll/dummydll.cpp b/toolkit/library/dummydll/dummydll.cpp
deleted file mode 100644
index 5e1c04bd39..0000000000
--- a/toolkit/library/dummydll/dummydll.cpp
+++ /dev/null
@@ -1,17 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <windows.h>
-
-BOOL WINAPI DllMain(
-  HANDLE hModule,
-  DWORD dwReason,
-  LPVOID lpvReserved
-)
-{
-  if (dwReason == DLL_PROCESS_ATTACH) {
-    ::DisableThreadLibraryCalls((HMODULE)hModule);
-  }
-  return TRUE;
-}
diff --git a/toolkit/library/moz.build b/toolkit/library/moz.build
index 71f9a86de2..5191b5a212 100644
--- a/toolkit/library/moz.build
+++ b/toolkit/library/moz.build
@@ -106,9 +106,6 @@ if CONFIG['OS_ARCH'] == 'WINNT' and not CONFIG['GNU_CC']:
 
 DIRS += ['gtest']
 
-if CONFIG['OS_ARCH'] == 'WINNT':
-  DIRS += ['dummydll']
-
 # js needs to come after xul for now, because it is an archive and its content
 # is discarded when it comes first.
 USE_LIBS += [
@@ -177,14 +174,6 @@ if CONFIG['MOZ_WMF']:
         'strmiids',
     ]
 
-if CONFIG['MOZ_DIRECTSHOW']:
-    OS_LIBS += [
-        'dmoguids',
-        'wmcodecdspuuid',
-        'strmiids',
-        'msdmo',
-    ]
-
 if CONFIG['OS_ARCH'] == 'FreeBSD':
     OS_LIBS += [
         'util',
diff --git a/toolkit/mozapps/extensions/content/extensions.xul b/toolkit/mozapps/extensions/content/extensions.xul
index c5eeb534ff..292ecf8d37 100644
--- a/toolkit/mozapps/extensions/content/extensions.xul
+++ b/toolkit/mozapps/extensions/content/extensions.xul
@@ -186,7 +186,7 @@
              placeholder="&search.placeholder;"/>
   </hbox>
 
-  <hbox flex="1">
+  <hbox id="main" flex="1">
 
     <!-- category list -->
     <richlistbox id="categories">
diff --git a/toolkit/toolkit.mozbuild b/toolkit/toolkit.mozbuild
index b4aebbef0b..da4e7cd853 100644
--- a/toolkit/toolkit.mozbuild
+++ b/toolkit/toolkit.mozbuild
@@ -58,15 +58,6 @@ if CONFIG['MOZ_WEBRTC']:
         '/media/mtransport',
     ]
 
-if CONFIG['MOZ_OMX_PLUGIN']:
-    DIRS += [
-        '/media/omx-plugin/lib/ics/libutils',
-        '/media/omx-plugin/lib/ics/libstagefright',
-        '/media/omx-plugin/lib/ics/libvideoeditorplayer',
-        '/media/omx-plugin',
-        '/media/omx-plugin/kk',
-    ]
-
 if CONFIG['ENABLE_TESTS']:
     DIRS += ['/testing/specialpowers']
 
diff --git a/widget/nsBaseWidget.cpp b/widget/nsBaseWidget.cpp
index 909660f715..c6ec3a4068 100644
--- a/widget/nsBaseWidget.cpp
+++ b/widget/nsBaseWidget.cpp
@@ -73,7 +73,6 @@
 #endif
 #include "gfxConfig.h"
 #include "mozilla/layers/CompositorSession.h"
-#include "VRManagerChild.h"
 
 #ifdef DEBUG
 #include "nsIObserver.h"
@@ -366,7 +365,6 @@ nsBaseWidget::OnRenderingDeviceReset()
   // Update the texture factory identifier.
   clm->UpdateTextureFactoryIdentifier(identifier);
   ImageBridgeChild::IdentifyCompositorTextureHost(identifier);
-  gfx::VRManagerChild::IdentifyTextureHost(identifier);
 }
 
 void
@@ -1377,7 +1375,6 @@ void nsBaseWidget::CreateCompositor(int aWidth, int aHeight)
     // compositors used with ImageBridge and VR (and more generally web content).
     if (WidgetTypeSupportsAcceleration()) {
       ImageBridgeChild::IdentifyCompositorTextureHost(textureFactoryIdentifier);
-      gfx::VRManagerChild::IdentifyTextureHost(textureFactoryIdentifier);
     }
   }