diff -r 000000000000 -r 6474c204b198 security/manager/ssl/tests/unit/test_sts_holepunch.js
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/manager/ssl/tests/unit/test_sts_holepunch.js	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,36 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+"use strict";
+
+// bug 961528: chart.apis.google.com doesn't handle https. Check that
+// it isn't considered HSTS (other example.apis.google.com hosts should be
+// HSTS as long as they're on the preload list, however).
+function run_test() {
+  let SSService = Cc["@mozilla.org/ssservice;1"]
+                    .getService(Ci.nsISiteSecurityService);
+  do_check_false(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                        "chart.apis.google.com", 0));
+  do_check_false(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                        "CHART.APIS.GOOGLE.COM", 0));
+  do_check_false(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                        "sub.chart.apis.google.com", 0));
+  do_check_false(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                        "SUB.CHART.APIS.GOOGLE.COM", 0));
+  do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       "example.apis.google.com", 0));
+  do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       "EXAMPLE.APIS.GOOGLE.COM", 0));
+  do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       "sub.example.apis.google.com", 0));
+  do_check_true(SSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       "SUB.EXAMPLE.APIS.GOOGLE.COM", 0));
+  // also check isSecureURI
+  let chartURI = Services.io.newURI("http://chart.apis.google.com", null, null);
+  do_check_false(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                       chartURI, 0));
+  let otherURI = Services.io.newURI("http://other.apis.google.com", null, null);
+  do_check_true(SSService.isSecureURI(Ci.nsISiteSecurityService.HEADER_HSTS,
+                                      otherURI, 0));
+}