authorSebastian Geerken <devnull@localhost>2015-07-06 22:37:37 +0200
committerSebastian Geerken <devnull@localhost>2015-07-06 22:37:37 +0200
commit9610fb52086c39ab10c2979c79a98079745137da (patch)
tree5df4319a20b63cbb7e0872318532087475ebb221
parent9500f94781023d15783f4c8158c17c112135a221 (diff)
parent78c910dc93d8772a0b1af7fc6ae3865e2efdfb3c (diff)
Merge with main repo.
-rw-r--r--ChangeLog37
-rw-r--r--README4
-rw-r--r--dillorc15
-rw-r--r--dpi/cookies.c16
-rw-r--r--dpi/https.c17
-rw-r--r--src/IO/about.c29
-rw-r--r--src/IO/tls.c240
-rw-r--r--src/IO/tls.h2
-rw-r--r--src/Makefile.am4
-rw-r--r--src/cache.c11
-rw-r--r--src/capi.c46
-rw-r--r--src/dialog.cc2
-rw-r--r--src/dillo.cc3
-rw-r--r--src/form.cc11
-rw-r--r--src/hsts.c364
-rw-r--r--src/hsts.h19
-rwxr-xr-xsrc/hsts_preload2037
-rw-r--r--src/html.cc4
-rw-r--r--src/nav.c1
-rw-r--r--src/paths.hh1
-rw-r--r--src/prefs.c3
-rw-r--r--src/prefs.h1
-rw-r--r--src/prefsparser.cc2
-rw-r--r--src/url.c39
-rw-r--r--test/cookies.c23
25 files changed, 2777 insertions, 154 deletions
diff --git a/ChangeLog b/ChangeLog
index d6b11e2a..4262cd6a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,26 @@ dillo-3.1 [not released yet]
- Work on collapsing spaces: more cases supported.
- Fix crash that's possible searching for text while page still being built.
Patches: Sebastian Geerken
++- HTML5 character references.
+ - Give images lower priority when requesting resources (responsiveness).
+ - Reuse of connections for HTTP (disable w/ http_persistent_conns in dillorc).
+ - Abort failed queries.
+ - HTTP Strict Transport Security (disable with http_strict_transport_security
+ preference in dillorc).
+ - Fix bug when closing popup using window manager (bug introduced in 3.0.3).
+ Patches: corvid
++- Doxygen fixes.
+ Patch: Jeremy Henty
++- Move HTTPS from dpi into the browser, enable SNI, add certificate hostname
+ checking from wget, check more locations for CA bundles and add
+ --with-ca-certs-file and --with-ca-certs-dir to configure, some improvement
+ to security warning popups, etc.
+ Patch: corvid, Benjamin Johnson
+
+-----------------------------------------------------------------------------
+
+dillo-3.0.5 [June 30, 2015]
+
+- Image buffer/cache improvements.
- Fix for segfault when there's no dpid and view source is requested.
- Fix view-source dpi to handle null characters correctly.
@@ -39,30 +59,19 @@ dillo-3.1 [not released yet]
Patches: Jorge Arellano Cid
+- Crosscompile/buildroot-friendly fltk-config test.
Patch: Peter Seiderer
-+- HTML5 character references.
- - Give images lower priority when requesting resources (responsiveness).
- - Reuse of connections for HTTP (enable w/ http_persistent_conns in dillorc).
- - Fix X11 icon name.
- - Abort failed queries.
++- Fix X11 icon name.
- In location bar, tend toward showing beginning of URL instead of end.
- Handle irix's version of vsnprintf().
- INPUT, TEXTAREA placeholder attribute.
- Better notification when user's domainrc settings block page redirection.
- Fix bug with font_factor preference and CSS font-size:(larger|smaller).
- Recognize Menu key in keysrc.
+ - HTTPS: change cipher list to "ALL:!aNULL:!eNULL:!LOW:!EXPORT40:!RC4",
+ disable SSL3, disable TLS compression.
Patches: corvid
+- Avoid requesting background images if an ancestor has display:none.
- Ignore built-in search url if any are specified in dillorc.
Patches: Johannes Hofmann
-+- Doxygen fixes.
- Patch: Jeremy Henty
-+- Move HTTPS from dpi into the browser, enable SNI, add certificate hostname
- checking from wget, check more locations for CA bundles and add
- --with-ca-certs-file and --with-ca-certs-dir to configure, some improvement
- to security warning popups, change cipher list from "ALL" to
- "ALL:!aNULL:!eNULL:!LOW:!EXPORT40:!RC4", disable SSL3, disable TLS
- compression, etc.
- Patch: corvid, Benjamin Johnson
-----------------------------------------------------------------------------
diff --git a/README b/README
index be71ecf1..ea6dd41d 100644
--- a/README
+++ b/README
@@ -53,8 +53,8 @@ FLTK-1.3
Dillo3
------
- tar jxvf dillo-3.0.4.1.tar.bz2
- cd dillo-3.0.4.1
+ tar jxvf dillo-3.0.5.tar.bz2
+ cd dillo-3.0.5
./configure; make
sudo make install-strip
diff --git a/dillorc b/dillorc
index 18d52dd0..eb856d37 100644
--- a/dillorc
+++ b/dillorc
@@ -184,10 +184,19 @@ search_url="Google http://www.google.com/search?ie=UTF-8&oe=UTF-8&q=%s"
# Maximum number of simultaneous TCP connections to a single server or proxy.
# http_max_conns=6
-# Change this if you want Dillo to reuse HTTP connections to a server or proxy
-# when possible instead of making a new connection for every request for a new
+# If enabled, Dillo will reuse HTTP connections to a server or proxy when
+# possible rather than making a new connection for every request for a new
# page/image/stylesheet.
-#http_persistent_conns=NO
+#http_persistent_conns=YES
+
+# This mechanism allows servers to specify that they are only to be contacted
+# through HTTPS and not HTTP.
+#
+# Overall, this is a valuable security measure against TLS stripping
+# attacks, etc., but in principle a site could contrive to use this as a
+# tracking mechanism. The term is "HSTS super cookie", although note that these
+* HSTS directives are not saved between browser sessions.
+#http_strict_transport_security=YES
# Set the proxy information for http/https.
# Note that the http_proxy environment variable overrides this setting.
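Review bot: The added line `* HSTS directives are not saved between browser sessions.` starts with `*` instead of `#`, so unlike the rest of the paragraph it is not a comment and will be handed to the preferences parser as if it were a setting. It should read `# HSTS directives are not saved between browser sessions.`.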
diff --git a/dpi/cookies.c b/dpi/cookies.c
index 51767241..46be18fc 100644
--- a/dpi/cookies.c
+++ b/dpi/cookies.c
@@ -45,6 +45,7 @@ int main(void)
#include <stdio.h>
#include <time.h> /* for time() and time_t */
#include <ctype.h>
+#include <limits.h>
#include <netdb.h>
#include <signal.h>
#include "dpiutil.h"
@@ -607,7 +608,7 @@ static void Cookies_too_many(DomainNode *node)
{
CookieData_t *lru = Cookies_get_LRU(node ? node->cookies : all_cookies);
- MSG("Too many cookies!\n"
+ MSG("Too many cookies! "
"Removing LRU cookie for \'%s\': \'%s=%s\'\n", lru->domain,
lru->name, lru->value);
if (!node)
@@ -835,11 +836,20 @@ static CookieData_t *Cookies_parse(char *cookie_str, const char *server_date)
} else if (dStrAsciiCasecmp(attr, "Max-Age") == 0) {
value = Cookies_parse_value(&str);
if (isdigit(*value) || *value == '-') {
+ long age;
time_t now = time(NULL);
- long age = strtol(value, NULL, 10);
struct tm *tm = gmtime(&now);
- tm->tm_sec += age;
+ errno = 0;
+ age = (*value == '-') ? 0 : strtol(value, NULL, 10);
+
+ if (errno == ERANGE ||
+ (age > 0 && (age > INT_MAX - tm->tm_sec))) {
+ /* let's not overflow */
+ tm->tm_sec = INT_MAX;
+ } else {
+ tm->tm_sec += age;
+ }
cookie->expires_at = mktime(tm);
if (age > 0 && cookie->expires_at == (time_t) -1) {
cookie->expires_at = cookies_future_time;
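Review bot: The expiry is built by passing the result of `gmtime(&now)` to `mktime(tm)`, but mktime() interprets its argument as local time, so `cookie->expires_at` is off by the host's UTC offset and a short Max-Age can expire early or late depending on the timezone. Using `localtime(&now)` in place of `gmtime(&now)`, or adding `age` to `now` directly with a range check, keeps the arithmetic in one time base. gmtime() can also return NULL, which the new `tm->tm_sec` accesses do not check. The same gmtime/mktime pairing appears in `Hsts_future_time` in src/hsts.c, added by this commit. Cookies_parse starts and ends outside this hunk.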
diff --git a/dpi/https.c b/dpi/https.c
index da75b9e8..766b3afb 100644
--- a/dpi/https.c
+++ b/dpi/https.c
@@ -22,11 +22,12 @@
* (at your option) any later version.
*
* As a special exception permission is granted to link the code of
- * the https dillo plugin with the OpenSSL project's "OpenSSL"
- * library, and distribute the linked executables, without including
- * the source code for OpenSSL in the source distribution. You must
- * obey the GNU General Public License, version 3, in all respects
- * for all of the code used other than "OpenSSL".
+ * the https dillo plugin with the OpenSSL project's OpenSSL library
+ * (or a modified version of that library), and distribute the linked
+ * executables, without including the source code for the SSL library
+ * in the source distribution. You must obey the GNU General Public
+ * License, version 3, in all respects for all of the code used other
+ * than the SSL library.
*
*/
@@ -193,9 +194,11 @@ static void yes_ssl_support(void)
if (exit_error == 0){
/* Don't want: eNULL, which has no encryption; aNULL, which has no
* authentication; LOW, which as of 2014 use 64 or 56-bit encryption;
- * EXPORT40, which uses 40-bit encryption.
+ * EXPORT40, which uses 40-bit encryption; RC4, for which methods were
+ * found in 2013 to defeat it somewhat too easily.
*/
- SSL_CTX_set_cipher_list(ssl_context, "ALL:!aNULL:!eNULL:!LOW:!EXPORT40");
+ SSL_CTX_set_cipher_list(ssl_context,
+ "ALL:!aNULL:!eNULL:!LOW:!EXPORT40:!RC4");
/* Need to do this if we want to have the option of dealing
* with self-signed certs
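Review bot: The return value of `SSL_CTX_set_cipher_list()` is ignored, so if the string fails to select any cipher the failure goes unnoticed and the exclusions described in the comment may not be in force. Checking it, e.g. `if (!SSL_CTX_set_cipher_list(ssl_context, "ALL:!aNULL:!eNULL:!LOW:!EXPORT40:!RC4")) exit_error = 1;`, would surface that case through the `exit_error` flag tested on the first line of the hunk. yes_ssl_support continues outside the hunk.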
diff --git a/src/IO/about.c b/src/IO/about.c
index 1fe6485b..07dbbb01 100644
--- a/src/IO/about.c
+++ b/src/IO/about.c
@@ -270,23 +270,32 @@ const char *const AboutSplash=
"<tr>\n"
" <td bgcolor='#CCCCCC'>\n"
" <h4>Release overview</h4>\n"
-" December 24, 2014\n"
+" June 30, 2015\n"
"<tr>\n"
" <td bgcolor='#FFFFFF'>\n"
" <table border='0' cellspacing='0' cellpadding='5'>\n"
" <tr>\n"
" <td>\n"
"<p>\n"
-"The dillo-3.0.4.1 release brings you fixes:\n"
+"Among the changes in dillo-3.0.5 are:\n"
"<ul>\n"
-"<li> for linking with the recently-released fltk-1.3.3\n"
-" (we don't use <tt>fl_oldfocus</tt> anymore).\n"
-"<li> to make sure that windows are resizable with fltk-1.3.3.\n"
-"<li> not to load background images, or follow redirections or meta refresh,\n"
-" in <tt>--local</tt> mode (security).\n"
-"<li> to permit linking on OS X (remove our <tt>Fl_Printer</tt> stub).\n"
-"<li> for a crash when searching from the address bar and no search urls are\n"
-" found in dillorc.\n"
+"<li>Image buffer/cache improvements.\n"
+"<li>Fix for segfault when there's no dpid and view source is requested.\n"
+"<li>Fix view-source dpi to handle null characters correctly.\n"
+"<li>Made view-source dpi use CSS formatting (it's shorter and cleaner).\n"
+"<li>Crosscompile/buildroot-friendly fltk-config test.\n"
+"<li>Fix X11 icon name.\n"
+"<li>In location bar, tend toward showing beginning of URL instead of end.\n"
+"<li>Handle irix's version of vsnprintf().\n"
+"<li>INPUT, TEXTAREA placeholder attribute.\n"
+"<li>Better notification when user's domainrc settings block page\n"
+" redirection.\n"
+"<li>Fix bug with font_factor preference and CSS font-size:(larger|smaller).\n"
+"<li>Recognize Menu key in keysrc.\n"
+"<li>HTTPS: change cipher list to \"ALL:!aNULL:!eNULL:!LOW:!EXPORT40:!RC4\",\n"
+" disable SSL3, disable TLS compression.\n"
+"<li>Avoid requesting background images if an ancestor has display:none.\n"
+"<li>Ignore built-in search url if any are specified in dillorc.\n"
"</ul>\n"
"<p>\n"
"...that shouldn't have to wait until dillo-3.1 is ready with its floating\n"
diff --git a/src/IO/tls.c b/src/IO/tls.c
index f0f33215..3d14deef 100644
--- a/src/IO/tls.c
+++ b/src/IO/tls.c
@@ -21,7 +21,9 @@
* all respects for all of the code used other than OpenSSL or LibreSSL.
*/
-/* https://www.ssllabs.com/ssltest/viewMyClient.html */
+/* https://www.ssllabs.com/ssltest/viewMyClient.html
+ * https://github.com/lgarron/badssl.com
+ */
/*
* Using TLS in Applications: http://datatracker.ietf.org/wg/uta/documents/
@@ -62,7 +64,7 @@ void a_Tls_init()
#define CERT_STATUS_NONE 0
#define CERT_STATUS_RECEIVING 1
-#define CERT_STATUS_GOOD 2
+#define CERT_STATUS_CLEAN 2
#define CERT_STATUS_BAD 3
#define CERT_STATUS_USER_ACCEPTED 4
@@ -400,18 +402,129 @@ int a_Tls_connect_ready(const DilloUrl *url)
return ret;
}
+static int Tls_cert_status(const DilloUrl *url)
+{
+ Server_t *s = dList_find_sorted(servers, url, Tls_servers_by_url_cmp);
+
+ return s ? s->cert_status : CERT_STATUS_NONE;
+}
+
/*
* Did we find problems with the certificate, and did the user proceed to
* reject the connection?
*/
static int Tls_user_said_no(const DilloUrl *url)
{
- Server_t *s = dList_find_sorted(servers, url, Tls_servers_by_url_cmp);
+ return Tls_cert_status(url) == CERT_STATUS_BAD;
+}
+
+/*
+ * Did everything seem proper with the certificate -- no warnings to
+ * click through?
+ */
+int a_Tls_certificate_is_clean(const DilloUrl *url)
+{
+ return Tls_cert_status(url) == CERT_STATUS_CLEAN;
+}
+
+/*
+ * We are both checking whether the certificates are using a strong enough
+ * hash algorithm and key as well as printing out certificate information the
+ * first time that we see it. Mixing these two actions together is generally
+ * not good practice, but feels justified by the fact that it's so much
+ * trouble to get this information out of openssl even once.
+ *
+ * Return FALSE if MD5 (MD*) hash is found and user does not accept it,
+ * otherwise TRUE.
+ */
+static bool_t Tls_check_cert_strength(SSL *ssl, Server_t *srv, int *choice)
+{
+ /* print for first connection to server */
+ const bool_t print_chain = srv->cert_status == CERT_STATUS_RECEIVING;
+ bool_t success = TRUE;
- if (!s)
- return FALSE;
+ STACK_OF(X509) *sk = SSL_get_peer_cert_chain(ssl);
- return s->cert_status == CERT_STATUS_BAD;
+ if (sk) {
+ const uint_t buflen = 4096;
+ char buf[buflen];
+ int rc, i, n = sk_X509_num(sk);
+ X509 *cert = NULL;
+ EVP_PKEY *public_key;
+ int key_type, key_bits;
+ const char *type_str;
+ BIO *b;
+
+ for (i = 0; i < n; i++) {
+ cert = sk_X509_value(sk, i);
+ public_key = X509_get_pubkey(cert);
+
+ /* We are trying to find a way to get the hash function used
+ * with a certificate. This way, which is not very pleasant, puts
+ * a string such as "sha256WithRSAEncryption" in our buffer and we
+ * then trim off the "With..." part.
+ */
+ b = BIO_new(BIO_s_mem());
+ rc = i2a_ASN1_OBJECT(b, cert->sig_alg->algorithm);
+
+ if (rc > 0) {
+ rc = BIO_gets(b, buf, buflen);
+ }
+ if (rc <= 0) {
+ strcpy(buf, "(unknown)");
+ buf[buflen-1] = '\0';
+ } else {
+ char *s = strstr(buf, "With");
+
+ if (s) {
+ *s = '\0';
+ if (!strcmp(buf, "sha1")) {
+ if (print_chain)
+ MSG_WARN("In 2015, browsers have begun to deprecate SHA1 "
+ "certificates.\n");
+ } else if (!strncmp(buf, "md", 2) && success == TRUE) {
+ const char *msg = "A certificate in the chain uses the MD5 "
+ "signature algorithm, which is too weak "
+ "to trust.";
+ *choice = a_Dialog_choice("Dillo TLS security warning", msg,
+ "Continue", "Cancel", NULL);
+ if (*choice != 1)
+ success = FALSE;
+ }
+ }
+ }
+ BIO_free(b);
+
+ if (print_chain)
+ MSG("%s ", buf);
+
+ key_type = EVP_PKEY_type(public_key->type);
+ type_str = key_type == EVP_PKEY_RSA ? "RSA" :
+ key_type == EVP_PKEY_DSA ? "DSA" :
+ key_type == EVP_PKEY_DH ? "DH" :
+ key_type == EVP_PKEY_EC ? "EC" : "???";
+ key_bits = EVP_PKEY_bits(public_key);
+ X509_NAME_oneline(X509_get_subject_name(cert), buf, buflen);
+ buf[buflen-1] = '\0';
+ if (print_chain)
+ MSG("%d-bit %s: %s\n", key_bits, type_str, buf);
+ EVP_PKEY_free(public_key);
+
+ if (key_type == EVP_PKEY_RSA && key_bits <= 1024) {
+ if (print_chain)
+ MSG_WARN("In 2014/5, browsers have been deprecating 1024-bit "
+ "RSA keys.\n");
+ }
+ }
+
+ if (cert) {
+ X509_NAME_oneline(X509_get_issuer_name(cert), buf, buflen);
+ buf[buflen-1] = '\0';
+ if (print_chain)
+ MSG("root: %s\n", buf);
+ }
+ }
+ return success;
}
/******************** BEGINNING OF STUFF DERIVED FROM wget-1.16.3 */
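Review bot: `X509_get_pubkey(cert)` can return NULL, for example for a key type the library cannot decode, and Tls_check_cert_strength dereferences it unchecked at `public_key->type`; because the chain is supplied by the remote server, a malformed or unusual certificate could crash the browser. A guard such as `if (public_key == NULL)` right after the call, skipping the key-size report for that entry, would close this, and `BIO_new(BIO_s_mem())` deserves the same NULL check. Note also that the SHA1 and 1024-bit RSA findings only log: `choice` is left untouched, so such a chain still ends up as `CERT_STATUS_CLEAN` and counts as clean for `a_Tls_certificate_is_clean()`. A comment saying whether that is intended would help.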
@@ -668,7 +781,7 @@ static void Tls_get_issuer_name(X509 *cert, char *buf, uint_t buflen)
if (cert) {
X509_NAME_oneline(X509_get_issuer_name(cert), buf, buflen);
} else {
- strncpy(buf, "(unknown)", buflen);
+ strcpy(buf, "(unknown)");
buf[buflen-1] = '\0';
}
}
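Review bot: `strcpy(buf, "(unknown)")` no longer honours the `buflen` parameter, so the following `buf[buflen-1] = '\0'` cannot prevent an overflow if a caller ever passes a buffer shorter than 10 bytes. `snprintf(buf, buflen, "%s", "(unknown)");` bounds and terminates in one call without strncpy's zero padding of the whole buffer. The same replacement is made in Tls_get_expiration_str in the next hunk, and the pattern is repeated in the new Tls_check_cert_strength. Tls_get_issuer_name begins outside this hunk.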
@@ -683,7 +796,7 @@ static void Tls_get_expiration_str(X509 *cert, char *buf, uint_t buflen)
rc = BIO_gets(b, buf, buflen);
}
if (rc <= 0) {
- strncpy(buf, "(unknown)", buflen);
+ strcpy(buf, "(unknown)");
buf[buflen-1] = '\0';
}
BIO_free(b);
@@ -694,14 +807,14 @@ static void Tls_get_expiration_str(X509 *cert, char *buf, uint_t buflen)
* to do.
* Return: -1 if connection should be canceled, or 0 if it should continue.
*/
-static int Tls_examine_certificate(SSL *ssl, Server_t *srv,const char *host)
+static int Tls_examine_certificate(SSL *ssl, Server_t *srv)
{
X509 *remote_cert;
long st;
const uint_t buflen = 4096;
char buf[buflen], *cn, *msg;
int choice = -1, ret = -1;
- char *title = dStrconcat("Dillo TLS security warning: ", host, NULL);
+ char *title = dStrconcat("Dillo TLS security warning: ",srv->hostname,NULL);
remote_cert = SSL_get_peer_certificate(ssl);
if (remote_cert == NULL){
@@ -715,8 +828,8 @@ static int Tls_examine_certificate(SSL *ssl, Server_t *srv,const char *host)
if (choice == 1){
ret = 0;
}
-
- } else if (Tls_check_cert_hostname(remote_cert, host, &choice)) {
+ } else if (Tls_check_cert_strength(ssl, srv, &choice) &&
+ Tls_check_cert_hostname(remote_cert, srv->hostname, &choice)) {
/* Figure out if (and why) the remote system can't be trusted */
st = SSL_get_verify_result(ssl);
switch (st) {
@@ -752,11 +865,9 @@ static int Tls_examine_certificate(SSL *ssl, Server_t *srv,const char *host)
case 2:
break;
case 3:
- /* Save certificate to a file here and recheck the chain */
- /* Potential security problems because we are writing
- * to the filesystem */
+ /* Save certificate to a file */
Tls_save_certificate_home(remote_cert);
- ret = 1;
+ ret = 0;
break;
default:
break;
@@ -889,13 +1000,17 @@ static int Tls_examine_certificate(SSL *ssl, Server_t *srv,const char *host)
}
dFree(title);
- if (choice == 2)
+ if (choice == -1) {
+ srv->cert_status = CERT_STATUS_CLEAN; /* no warning popups */
+ } else if (choice == 1) {
+ srv->cert_status = CERT_STATUS_USER_ACCEPTED; /* clicked Continue */
+ } else {
+ /* 2 for Cancel, or 0 when window closed. Treating 0 as meaning 'No' is
+ * probably not exactly correct, but adding complexity to handle this
+ * obscure case does not seem justifiable.
+ */
srv->cert_status = CERT_STATUS_BAD;
- else if (choice == -1)
- srv->cert_status = CERT_STATUS_GOOD;
- else
- srv->cert_status = CERT_STATUS_USER_ACCEPTED;
-
+ }
return ret;
}
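Review bot: A `choice` of 3 now falls into the final `else` and sets `CERT_STATUS_BAD`, although the `case 3:` branch in the previous hunk of this function saves the certificate and sets `ret = 0` so the connection continues. Before this change every value other than 2 and -1 became `CERT_STATUS_USER_ACCEPTED`. The server entry therefore records a rejection for a connection that was allowed to proceed, which `Tls_user_said_no()` will presumably report on later requests. If 3 is meant as an acceptance, `} else if (choice == 1 || choice == 3) {` restores that, and the comment `2 for Cancel, or 0 when window closed` should mention 3 either way. The switch that yields 3 lies outside the visible hunks, so this is inferred from the `case 3:` label.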
@@ -936,82 +1051,6 @@ static void Tls_close_by_key(int connkey)
}
}
-static void Tls_print_cert_chain(SSL *ssl)
-{
- STACK_OF(X509) *sk = SSL_get_peer_cert_chain(ssl);
-
- if (sk) {
- const uint_t buflen = 4096;
- char buf[buflen];
- int rc, i, n = sk_X509_num(sk);
- X509 *cert = NULL;
- EVP_PKEY *public_key;
- int key_type, key_bits;
- const char *type_str;
- BIO *b;
-
- for (i = 0; i < n; i++) {
- cert = sk_X509_value(sk, i);
- public_key = X509_get_pubkey(cert);
-
- /* We are trying to find a way to get the hash function used
- * with a certificate. This way, which is not very pleasant, puts
- * a string such as "sha256WithRSAEncryption" in our buffer and we
- * then trim off the "With..." part.
- */
- b = BIO_new(BIO_s_mem());
- rc = i2a_ASN1_OBJECT(b, cert->sig_alg->algorithm);
-
- if (rc > 0) {
- rc = BIO_gets(b, buf, buflen);
- }
- if (rc <= 0) {
- strcpy(buf, "(unknown)");
- buf[buflen-1] = '\0';
- } else {
- char *s = strstr(buf, "With");
-
- if (s) {
- *s = '\0';
- if (!strcmp(buf, "sha1")) {
- MSG_WARN("In 2015, browsers have begun to deprecate SHA1 "
- "certificates.\n");
- } else if (!strncmp(buf, "md", 2)) {
- MSG_ERR("Browsers stopped accepting MD5 certificates around "
- "2012.\n");
- }
- }
- }
- BIO_free(b);
- MSG("%s ", buf);
-
-
- key_type = EVP_PKEY_type(public_key->type);
- type_str = key_type == EVP_PKEY_RSA ? "RSA" :
- key_type == EVP_PKEY_DSA ? "DSA" :
- key_type == EVP_PKEY_DH ? "DH" :
- key_type == EVP_PKEY_EC ? "EC" : "???";
- key_bits = EVP_PKEY_bits(public_key);
- X509_NAME_oneline(X509_get_subject_name(cert), buf, buflen);
- buf[buflen-1] = '\0';
- MSG("%d-bit %s: %s\n", key_bits, type_str, buf);
- EVP_PKEY_free(public_key);
-
- if (key_type == EVP_PKEY_RSA && key_bits <= 1024) {
- /* TODO: Gather warnings into one popup. */
- MSG_WARN("In 2014/5, browsers have been deprecating 1024-bit RSA "
- "keys.\n");
- }
- }
-
- if (cert) {
- X509_NAME_oneline(X509_get_issuer_name(cert), buf, buflen);
- buf[buflen-1] = '\0';
- MSG("root: %s\n", buf);
- }
- }
-}
-
/*
* Connect, set a callback if it's still not completed. If completed, check
* the certificate and report back to http.
@@ -1080,18 +1119,17 @@ static void Tls_connect(int fd, int connkey)
Tls_servers_by_url_cmp);
if (srv->cert_status == CERT_STATUS_RECEIVING) {
- /* Making first connection with the server. Show some information. */
+ /* Making first connection with the server. Show cipher used. */
SSL *ssl = conn->ssl;
const char *version = SSL_get_version(ssl);
const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl);
MSG("%s: %s, cipher %s\n", URL_AUTHORITY(conn->url), version,
SSL_CIPHER_get_name(cipher));
- Tls_print_cert_chain(ssl);
}
if (srv->cert_status == CERT_STATUS_USER_ACCEPTED ||
- (Tls_examine_certificate(conn->ssl, srv, URL_HOST(conn->url))!=-1)) {
+ (Tls_examine_certificate(conn->ssl, srv) != -1)) {
failed = FALSE;
}
}
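Review bot: Once `srv->cert_status` is `CERT_STATUS_USER_ACCEPTED`, `Tls_examine_certificate(conn->ssl, srv)` is skipped for every later connection to that server, so the acceptance appears to be bound to the server entry, not to the certificate the user was shown. If Server_t does not record which certificate was accepted (its definition is outside this hunk), a different certificate presented later would pass without a prompt. A comment at this condition stating the intended scope, e.g. `/* acceptance is per server for this session, not per certificate */`, would make the trade-off explicit. Tls_connect starts and ends outside the hunk.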
diff --git a/src/IO/tls.h b/src/IO/tls.h
index e3892cb2..9bc89de5 100644
--- a/src/IO/tls.h
+++ b/src/IO/tls.h
@@ -15,6 +15,7 @@ void a_Tls_init();
#ifdef ENABLE_SSL
+int a_Tls_certificate_is_clean(const DilloUrl *url);
int a_Tls_connect_ready(const DilloUrl *url);
void a_Tls_reset_server_state(const DilloUrl *url);
@@ -30,6 +31,7 @@ int a_Tls_read(void *conn, void *buf, size_t len);
int a_Tls_write(void *conn, void *buf, size_t len);
#else
+#define a_Tls_certificate_is_clean(host) 0
#define a_Tls_connect_ready(url) TLS_CONNECT_NEVER
#define a_Tls_reset_server_state(url) ;
#define a_Tls_handshake(fd, url) ;
diff --git a/src/Makefile.am b/src/Makefile.am
index 57a68148..425f8614 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -37,6 +37,8 @@ dillo_SOURCES = \
bw.c \
cookies.c \
cookies.h \
+ hsts.c \
+ hsts.h \
auth.c \
auth.h \
md5.c \
@@ -128,5 +130,5 @@ dillo_SOURCES = \
xembed.cc \
xembed.hh
-dist_sysconf_DATA = domainrc keysrc
+dist_sysconf_DATA = domainrc keysrc hsts_preload
EXTRA_DIST = chg srch
diff --git a/src/cache.c b/src/cache.c
index d8f1a123..b082ef89 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -26,6 +26,7 @@
#include "dicache.h"
#include "nav.h"
#include "cookies.h"
+#include "hsts.h"
#include "misc.h"
#include "capi.h"
#include "decode.h"
@@ -653,7 +654,7 @@ static void Cache_parse_header(CacheEntry_t *entry)
{
char *header = entry->Header->str;
bool_t server1point0 = !strncmp(entry->Header->str, "HTTP/1.0", 8);
- char *Length, *Type, *location_str, *encoding, *connection;
+ char *Length, *Type, *location_str, *encoding, *connection, *hsts;
#ifndef DISABLE_COOKIES
Dlist *Cookies;
#endif
@@ -721,6 +722,14 @@ static void Cache_parse_header(CacheEntry_t *entry)
dFree(connection);
}
+ if (prefs.http_strict_transport_security &&
+ !dStrAsciiCasecmp(URL_SCHEME(entry->Url), "https") &&
+ !a_Url_host_is_ip(URL_HOST(entry->Url)) &&
+ (hsts = Cache_parse_field(header, "Strict-Transport-Security"))) {
+ a_Hsts_set(hsts, entry->Url);
+ dFree(hsts);
+ }
+
/*
* Get Transfer-Encoding and initialize decoder
*/
diff --git a/src/capi.c b/src/capi.c
index 8c4a1ae2..0e561b77 100644
--- a/src/capi.c
+++ b/src/capi.c
@@ -340,6 +340,46 @@ static void Capi_dpi_send_source(BrowserWindow *bw, DilloUrl *url)
}
/*
+ * Shall we permit this request to open a URL?
+ */
+static bool_t Capi_request_permitted(DilloWeb *web)
+{
+ bool_t permit = FALSE;
+
+ /* web->requester is NULL if the action is initiated by user */
+ if (!web->requester)
+ return TRUE;
+
+ if (web->flags & ~WEB_RootUrl &&
+ !dStrAsciiCasecmp(URL_SCHEME(web->requester), "https")) {
+ const char *s = URL_SCHEME(web->url);
+
+ /* As of 2015, blocking of "active" mixed content is widespread
+ * (style sheets, javascript, fonts, etc.), but the big browsers aren't
+ * quite in a position to block "passive" mixed content (images) yet.
+ * (Not clear whether there's consensus on which category to place
+ * background images in.)
+ *
+ * We are blocking both, and only permitting secure->insecure page
+ * redirection for now (e.g., duckduckgo has been seen providing links
+ * to https URLs that redirect to http). As the web security landscape
+ * evolves, we may be able to remove that permission.
+ */
+ if (dStrAsciiCasecmp(s, "https") && dStrAsciiCasecmp(s, "data")) {
+ MSG("capi: Blocked mixed content: %s -> %s\n",
+ URL_STR(web->requester), URL_STR(web->url));
+ return FALSE;
+ }
+ }
+
+ if (a_Capi_get_flags(web->url) & CAPI_IsCached ||
+ a_Domain_permit(web->requester, web->url)) {
+ permit = TRUE;
+ }
+ return permit;
+}
+
+/*
* Most used function for requesting a URL.
* TODO: clean up the ad-hoc bindings with an API that allows dynamic
* addition of new plugins.
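Review bot: `web->flags & ~WEB_RootUrl` in Capi_request_permitted tests whether any flag other than WEB_RootUrl is set, not whether WEB_RootUrl is clear. A sub-resource request whose flags are 0 would skip the mixed-content check, while a root URL carrying any additional flag would be subjected to it. If the intent is "not a root URL", as the comment about permitting only page redirection suggests, `if (!(web->flags & WEB_RootUrl) &&` expresses it directly. The flag definitions are outside this view, so whether a flags value of 0 occurs for sub-resources needs confirming.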
@@ -355,11 +395,7 @@ int a_Capi_open_url(DilloWeb *web, CA_Callback_t Call, void *CbData)
const char *scheme = URL_SCHEME(web->url);
int safe = 0, ret = 0, use_cache = 0;
- /* web->requester is NULL if the action is initiated by user */
- if (a_Capi_get_flags(web->url) & CAPI_IsCached ||
- web->requester == NULL ||
- a_Domain_permit(web->requester, web->url)) {
-
+ if (Capi_request_permitted(web)) {
/* reload test */
reload = (!(a_Capi_get_flags(web->url) & CAPI_IsCached) ||
(URL_FLAGS(web->url) & URL_E2EQuery));
diff --git a/src/dialog.cc b/src/dialog.cc
index 03949a1c..64f60e38 100644
--- a/src/dialog.cc
+++ b/src/dialog.cc
@@ -382,6 +382,8 @@ int a_Dialog_choice(const char *title, const char *msg, ...)
va_end(ap);
window->end();
+ choice_answer = 0;
+
window->show();
while (window->shown())
Fl::wait();
diff --git a/src/dillo.cc b/src/dillo.cc
index 62ff9685..c7ae62c2 100644
--- a/src/dillo.cc
+++ b/src/dillo.cc
@@ -51,6 +51,7 @@
#include "capi.h"
#include "dicache.h"
#include "cookies.h"
+#include "hsts.h"
#include "domain.h"
#include "auth.h"
#include "styleengine.hh"
@@ -469,6 +470,7 @@ int main(int argc, char **argv)
a_Dicache_init();
a_Bw_init();
a_Cookies_init();
+ a_Hsts_init(Paths::getPrefsFP(PATHS_HSTS_PRELOAD));
a_Auth_init();
a_UIcmd_init();
StyleEngine::init();
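Review bot: The stream returned by `Paths::getPrefsFP(PATHS_HSTS_PRELOAD)` is passed straight to `a_Hsts_init()` and never closed: neither a_Hsts_init nor Hsts_preload in src/hsts.c, as added by this commit, calls fclose(). When `http_strict_transport_security` is off, the file is opened without being read at all. Holding the pointer and closing it after the call, `FILE *fp = Paths::getPrefsFP(PATHS_HSTS_PRELOAD); a_Hsts_init(fp); if (fp) fclose(fp);`, avoids the leaked descriptor. main continues outside the hunk.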
@@ -582,6 +584,7 @@ int main(int argc, char **argv)
*/
a_Domain_freeall();
a_Cookies_freeall();
+ a_Hsts_freeall();
a_Cache_freeall();
a_Dicache_freeall();
a_Http_freeall();
diff --git a/src/form.cc b/src/form.cc
index 92ee3a42..8c966ff2 100644
--- a/src/form.cc
+++ b/src/form.cc
@@ -23,6 +23,7 @@
#include "msg.h"
#include "prefs.h"
#include "uicmd.hh"
+#include "dialog.hh"
using namespace lout;
using namespace dw;
@@ -1037,6 +1038,16 @@ void DilloHtmlForm::eventHandler(Resource *resource, EventButton *event)
*/
void DilloHtmlForm::submit(DilloHtmlInput *active_input, EventButton *event)
{
+ if (!dStrAsciiCasecmp(URL_SCHEME(html->page_url), "https") &&
+ dStrAsciiCasecmp(URL_SCHEME(action), "https")) {
+ int choice = a_Dialog_choice("Dillo: Insecure form submission",
+ "A form on a SECURE page wants to use an "
+ "INSECURE protocol to submit data.",
+ "Continue", "Cancel", NULL);
+ if (choice != 1)
+ return;
+ }
+
DilloUrl *url = buildQueryUrl(active_input);
if (url) {
if (event && event->button == 2) {
diff --git a/src/hsts.c b/src/hsts.c
new file mode 100644
index 00000000..ecbd9765
--- /dev/null
+++ b/src/hsts.c
@@ -0,0 +1,364 @@
+/*
+ * File: hsts.c
+ * HTTP Strict Transport Security
+ *
+ * Copyright 2015 corvid
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ */
+
+/* To preload hosts, as of 2015, chromium is the list keeper:
+ * https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
+ * although mozilla's is easier to work from (and they trim it based on
+ * criteria such as max-age must be at least some number of months)
+ * https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc?raw=1
+ */
+
+#include <time.h>
+#include <errno.h>
+#include <limits.h> /* for INT_MAX */
+#include <ctype.h> /* for isspace */
+#include <stdlib.h> /* for strtol */
+
+#include "hsts.h"
+#include "msg.h"
+#include "../dlib/dlib.h"
+#include "IO/tls.h"
+
+typedef struct {
+ char *host;
+ time_t expires_at;
+ bool_t subdomains;
+} HstsData_t;
+
+/* When there is difficulty in representing future dates, use the (by far)
+ * most likely latest representable time of January 19, 2038.
+ */
+static time_t hsts_latest_representable_time;
+static Dlist *domains;
+
+static void Hsts_free_policy(HstsData_t *p)
+{
+ dFree(p->host);
+ dFree(p);
+}
+
+void a_Hsts_freeall()
+{
+ if (prefs.http_strict_transport_security) {
+ HstsData_t *policy;
+ int i, n = dList_length(domains);
+
+ for (i = 0; i < n; i++) {
+ policy = dList_nth_data(domains, i);
+ Hsts_free_policy(policy);
+ }
+ dList_free(domains);
+ }
+}
+
+/*
+ * Compare function for searching a domain node by domain string
+ */
+static int Domain_node_domain_str_cmp(const void *v1, const void *v2)
+{
+ const HstsData_t *node = v1;
+ const char *host = v2;
+
+ return dStrAsciiCasecmp(node->host, host);
+}
+
+static HstsData_t *Hsts_get_policy(const char *host)
+{
+ return dList_find_sorted(domains, host, Domain_node_domain_str_cmp);
+}
+
+static void Hsts_remove_policy(HstsData_t *policy)
+{
+ if (policy) {
+ _MSG("HSTS: removed policy for %s\n", policy->host);
+ Hsts_free_policy(policy);
+ dList_remove(domains, policy);
+ }
+}
+
+/*
+ * Return the time_t for a future time.
+ */
+static time_t Hsts_future_time(long seconds_from_now)
+{
+ time_t ret, now = time(NULL);
+ struct tm *tm = gmtime(&now);
+
+ if (seconds_from_now > INT_MAX - tm->tm_sec)
+ tm->tm_sec = INT_MAX;
+ else
+ tm->tm_sec += seconds_from_now;
+
+ ret = mktime(tm);
+ if (ret == (time_t) -1)
+ ret = hsts_latest_representable_time;
+
+ return ret;
+}
+
+/*
+ * Compare function for searching domains.
+ */
+static int Domain_node_cmp(const void *v1, const void *v2)
+{
+ const HstsData_t *node1 = v1, *node2 = v2;
+
+ return dStrAsciiCasecmp(node1->host, node2->host);
+}
+
+static void Hsts_set_policy(const char *host, long max_age, bool_t subdomains)
+{
+ time_t exp = Hsts_future_time(max_age);
+ HstsData_t *policy = Hsts_get_policy(host);
+
+ _MSG("HSTS: %s %s%s: until %s", (policy ? "modify" : "add"), host,
+ (subdomains ? " and subdomains" : ""), ctime(&exp));
+
+ if (policy == NULL) {
+ policy = dNew0(HstsData_t, 1);
+ policy->host = dStrdup(host);
+ dList_insert_sorted(domains, policy, Domain_node_cmp);
+ }
+ policy->subdomains = subdomains;
+ policy->expires_at = exp;
+}
+
+/*
+ * Read the next attribute.
+ */
+static char *Hsts_parse_attr(const char **header_str)
+{
+ const char *str;
+ uint_t len;
+
+ while (dIsspace(**header_str))
+ (*header_str)++;
+
+ str = *header_str;
+ /* find '=' at end of attr, ';' after attr/val pair, '\0' end of string */
+ len = strcspn(str, "=;");
+ *header_str += len;
+
+ while (len && (str[len - 1] == ' ' || str[len - 1] == '\t'))
+ len--;
+ return dStrndup(str, len);
+}
+
+/*
+ * Get the value in *header_str.
+ */
+static char *Hsts_parse_value(const char **header_str)
+{
+ uint_t len;
+ const char *str;
+
+ if (**header_str == '=') {
+ (*header_str)++;
+ while (dIsspace(**header_str))
+ (*header_str)++;
+
+ str = *header_str;
+ /* finds ';' after attr/val pair or '\0' at end of string */
+ len = strcspn(str, ";");
+ *header_str += len;
+
+ while (len && (str[len - 1] == ' ' || str[len - 1] == '\t'))
+ len--;
+ } else {
+ str = *header_str;
+ len = 0;
+ }
+ return dStrndup(str, len);
+}
+
+/*
+ * Advance past any value.
+ */
+static void Hsts_eat_value(const char **str)
+{
+ if (**str == '=')
+ *str += strcspn(*str, ";");
+}
+
+/*
+ * The reponse for this url had an HSTS header, so let's take action.
+ */
+void a_Hsts_set(const char *header, const DilloUrl *url)
+{
+ long max_age;
+ const char *host = URL_HOST(url);
+ bool_t max_age_valid = FALSE, subdomains = FALSE;
+
+ _MSG("HSTS header for %s: %s\n", host, header);
+
+ if (!a_Tls_certificate_is_clean(url)) {
+ /* RFC 6797 gives rationale in section 14.3. */
+ _MSG("But there were certificate warnings, so ignore it (!)\n");
+ return;
+ }
+
+ /* Iterate until there is nothing left of the string */
+ while (*header) {
+ char *attr;
+ char *value;
+
+ /* Get attribute */
+ attr = Hsts_parse_attr(&header);
+
+ /* Get the value for the attribute and store it */
+ if (dStrAsciiCasecmp(attr, "max-age") == 0) {
+ value = Hsts_parse_value(&header);
+ if (isdigit(*value)) {
+ errno = 0;
+ max_age = strtol(value, NULL, 10);
+ if (errno == ERANGE)
+ max_age = INT_MAX;
+ max_age_valid = TRUE;
+ }
+ dFree(value);
+ } else if (dStrAsciiCasecmp(attr, "includeSubDomains") == 0) {
+ subdomains = TRUE;
+ Hsts_eat_value(&header);
+ } else if (dStrAsciiCasecmp(attr, "preload") == 0) {
+ /* 'preload' is not part of the RFC, but what does google care for
+ * standards? They require that 'preload' be specified by a domain
+ * in order to be added to their preload list.
+ */
+ } else {
+ MSG("HSTS: header contains unknown attribute: '%s'\n", attr);
+ Hsts_eat_value(&header);
+ }
+
+ dFree(attr);
+
+ if (*header == ';')
+ header++;
+ }
+ if (max_age_valid) {
+ if (max_age > 0)
+ Hsts_set_policy(host, max_age, subdomains);
+ else
+ Hsts_remove_policy(Hsts_get_policy(host));
+ }
+}
+
+static bool_t Hsts_expired(HstsData_t *policy)
+{
+ time_t now = time(NULL);
+ bool_t ret = (now > policy->expires_at) ? TRUE : FALSE;
+
+ if (ret) {
+ _MSG("HSTS: expired\n");
+ }
+ return ret;
+}
+
+bool_t a_Hsts_require_https(const char *host)
+{
+ bool_t ret = FALSE;
+
+ if (host) {
+ HstsData_t *policy = Hsts_get_policy(host);
+
+ if (policy) {
+ _MSG("HSTS: matched host %s\n", host);
+ if (Hsts_expired(policy))
+ Hsts_remove_policy(policy);
+ else
+ ret = TRUE;
+ }
+ if (!ret) {
+ const char *domain_str;
+
+ for (domain_str = strchr(host+1, '.');
+ domain_str != NULL && *domain_str;
+ domain_str = strchr(domain_str+1, '.')) {
+ policy = Hsts_get_policy(domain_str+1);
+
+ if (policy && policy->subdomains) {
+ _MSG("HSTS: matched %s under %s subdomain rule\n", host,
+ policy->host);
+ if (Hsts_expired(policy)) {
+ Hsts_remove_policy(policy);
+ } else {
+ ret = TRUE;
+ break;
+ }
+ }
+ }
+ }
+ }
+ return ret;
+}
+
+static void Hsts_preload(FILE *stream)
+{
+ const int LINE_MAXLEN = 4096;
+ const long ONE_YEAR = 60 * 60 * 24 * 365;
+
+ char *rc, *subdomains;
+ char line[LINE_MAXLEN];
+ char domain[LINE_MAXLEN];
+
+ /* Get all lines in the file */
+ while (!feof(stream)) {
+ line[0] = '\0';
+ rc = fgets(line, LINE_MAXLEN, stream);
+ if (!rc && ferror(stream)) {
+ MSG_WARN("HSTS: Error while reading preload entries: %s\n",
+ dStrerror(errno));
+ return; /* bail out */
+ }
+
+ /* Remove leading and trailing whitespace */
+ dStrstrip(line);
+
+ if (line[0] != '\0' && line[0] != '#') {
+ int i = 0, j = 0;
+
+ /* Get the domain */
+ while (line[i] != '\0' && !dIsspace(line[i]))
+ domain[j++] = line[i++];
+ domain[j] = '\0';
+
+ /* Skip past whitespace */
+ while (dIsspace(line[i]))
+ i++;
+
+ subdomains = line + i;
+
+ if (dStrAsciiCasecmp(subdomains, "true") == 0)
+ Hsts_set_policy(domain, ONE_YEAR, TRUE);
+ else if (dStrAsciiCasecmp(subdomains, "false") == 0)
+ Hsts_set_policy(domain, ONE_YEAR, FALSE);
+ else {
+ MSG_WARN("HSTS: format of line not recognized. Ignoring '%s'.\n",
+ line);
+ }
+ }
+ }
+}
+
+void a_Hsts_init(FILE *preload_file)
+{
+ if (prefs.http_strict_transport_security) {
+ struct tm future_tm = {7, 14, 3, 19, 0, 138, 0, 0, 0, 0, 0};
+
+ hsts_latest_representable_time = mktime(&future_tm);
+ domains = dList_new(32);
+
+ if (preload_file)
+ Hsts_preload(preload_file);
+ }
+}
+
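Review bot: In a_Hsts_require_https, `strchr(host+1, '.')` reads past the terminator when `host` is an empty string, because the guard only tests `if (host)`; `if (host && *host)` covers that case. Whether an empty host can reach this function depends on the caller, which is outside this view. Separately, Hsts_remove_policy calls `Hsts_free_policy(policy)` before `dList_remove(domains, policy)`; removing the entry from the list first avoids handing an already-freed pointer to the list code.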
diff --git a/src/hsts.h b/src/hsts.h
new file mode 100644
index 00000000..693aec10
--- /dev/null
+++ b/src/hsts.h
@@ -0,0 +1,19 @@
+#ifndef __HSTS_H__
+#define __HSTS_H__
+
+#include "d_size.h"
+#include "url.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+void a_Hsts_init(FILE *fp);
+void a_Hsts_set(const char *header, const DilloUrl *url);
+bool_t a_Hsts_require_https(const char *host);
+void a_Hsts_freeall( void );
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+#endif /* !__HSTS_H__ */
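Review bot: The prototype `void a_Hsts_init(FILE *fp);` uses `FILE`, but the header includes only `d_size.h` and `url.h`, so it is self-contained only if one of those happens to pull in the stdio declarations, which is not visible here. Adding `#include <stdio.h>` above `#include "d_size.h"` removes that dependency on include order. The prototype also names the parameter `fp` while the definition in src/hsts.c uses `preload_file`; using `preload_file` in both places tells callers what the stream is expected to contain. A short comment above `a_Hsts_require_https` would help callers in the URL and navigation code, for example `/* TRUE when host must be fetched over https */`.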
diff --git a/src/hsts_preload b/src/hsts_preload
new file mode 100755
index 00000000..22e3aa3c
--- /dev/null
+++ b/src/hsts_preload
@@ -0,0 +1,2037 @@
+# This HTTP Strict Transport Security preload file was created on 2015-06-28
+# from the list in
+# https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc
+# Format: domain include_subdomains
+
+007sascha.de true
+0x0a.net true
+1000minds.com true
+17hats.com true
+188trafalgar.ca true
+18f.gsa.gov true
+1a-diamantscheiben.de true
+1a-jva.de true
+1a-vermessung.at true
+1a-werkstattgeraete.de true
+2048game.co.uk true
+2600hq.com true
+301.website true
+302.nyc true
+314chan.org true
+3do3dont.com true
+47ronin.com false
+4g-server.eu true
+4sqsu.eu true
+5apps.com false
+7183.org true
+8ack.de true
+9point6.com true
+abecodes.net false
+abiapp.net true
+abmahnhelfer.de true
+accounts.firefox.com true
+accounts.google.com true
+aclu.org false
+acuica.co.uk false
+acus.gov true
+adambyers.com true
+adamkostecki.de true
+adamstas.com true
+addvocate.com true
+adlershop.ch true
+admin.fedoraproject.org true
+admin.google.com true
+admin.stg.fedoraproject.org true
+adorai.tk true
+adsfund.org true
+advanced-online.eu true
+aerolog.co true
+aes256.ru true
+aeyoun.com true
+afp548.com true
+afrodigital.uk true
+agrios.de true
+ahoyconference.com true
+ahwatukeefoothillsmontessori.com true
+aids.gov true
+aie.de true
+aircomms.com true
+airlea.com true
+aiticon.com true
+ajouin.com true
+akachanikuji.com true
+akselinurmio.fi true
+al-shami.net true
+aladdinschools.appspot.com true
+alainwolf.net true
+alaninkenya.org true
+alanrickmanflipstable.com true
+alecvannoten.be true
+alethearose.com true
+alexgaynor.net true
+alexsexton.com true
+alexyang.me true
+allinonecyprus.com true
+alza.cz true
+alza.de true
+alza.sk true
+alzashop.com true
+amaforums.org false
+amdouglas.uk true
+anadoluefessk.org true
+anadoluefessporkulubu.org true
+anakros.me true
+andere-gedanken.net true
+andreasbreitenlohner.de true
+andrewimeson.com true
+andymartin.cc true
+anetaben.nl true
+angularjs.org true
+anime.my false
+animurecs.com true
+ankakaak.com true
+ankarakart.com.tr true
+annahmeschluss.de true
+annevankesteren.com true
+annevankesteren.nl true
+annevankesteren.org true
+anonym-surfen.de true
+ansdell.net true
+antipolygraph.org true
+antoniomarques.eu true
+anycoin.me true
+apachehaus.de false
+apadvantage.com true
+api.intercom.io false
+api.lookout.com false
+api.simple.com false
+api.xero.com false
+apis.google.com true
+apn-einstellungen.de true
+aponow.de true
+app.lookout.com false
+app.manilla.com true
+app.recurly.com true
+app.simpletax.ca false
+app.yinxiang.com false
+appengine.google.com true
+apple-watch-zubehoer.de true
+apps-for-fishing.com true
+apps.facebook.com false
+apps.fedoraproject.org true
+apps.stg.fedoraproject.org true
+aprz.de true
+aranycsillag.net true
+arbitrary.ch true
+archlinux.de true
+areafiftylan.nl true
+arendburgers.nl true
+arguggi.co.uk true
+arivo.com.br true
+arlen.io true
+armytricka.cz true
+aroonchande.com true
+arteseideias.com.pt true
+arty.name true
+ask.fedoraproject.org true
+ask.stg.fedoraproject.org true
+atc.io true
+athenelive.com true
+atishchenko.com true
+atlantischild.hu true
+atlassian.net true
+atte.fi true
+auf-feindgebiet.de true
+aurainfosec.com true
+aurainfosec.com.au true
+auraredeye.com true
+auraredshield.com true
+authentication.io true
+autoledky.sk true
+axka.com false
+azirevpn.com true
+badges.fedoraproject.org true
+badges.stg.fedoraproject.org true
+baer.im true
+baff.lu true
+bagelsbakery.com true
+balcan-underground.net true
+balikonos.cz true
+bank.simple.com false
+bardiharborow.com true
+barslecht.com true
+barslecht.nl true
+baruch.me true
+bassh.net true
+bautied.de true
+bayrisch-fuer-anfaenger.de true
+bccx.com true
+bcrook.com false
+beach-inspector.com true
+beamitapp.com true
+beastowner.com true
+beastowner.li true
+bedeta.de true
+bedreid.dk true
+beercandle.com true
+ben-energy.com true
+benchling.com true
+beneathvt.com true
+benjamin.pe true
+benjamins.com true
+bentertain.de true
+best-wedding-quotes.com true
+bfelob.gov true
+bgneuesheim.de true
+bhatia.at true
+biathloncup.ru true
+biddl.com true
+big-andy.co.uk true
+bigbrownpromotions.com.au true
+bigdinosaur.org true
+billigssl.dk true
+bit-sentinel.com true
+bit.voyage true
+bitbucket.org false
+bitchan.it true
+bitcoin.de true
+bitcoinx.ro true
+bitfactory.ws true
+bitmex.com true
+bitmon.net true
+bitnet.io true
+bitpod.de true
+bjornjohansen.no true
+bl4ckb0x.com true
+bl4ckb0x.de true
+bl4ckb0x.info true
+bl4ckb0x.net true
+bl4ckb0x.org true
+blablacar.co.uk true
+blablacar.com true
+blablacar.com.tr true
+blablacar.com.ua true
+blablacar.de true
+blablacar.es true
+blablacar.fr true
+blablacar.hr true
+blablacar.hu true
+blablacar.in true
+blablacar.it true
+blablacar.mx true
+blablacar.nl true
+blablacar.pl true
+blablacar.pt true
+blablacar.ro true
+blablacar.rs true
+blablacar.ru true
+blackberrycentral.com true
+blessnet.jp true
+blockchain.info true
+blocksatz-medien.de true
+bloemendal.me true
+blog.cyveillance.com true
+blog.gparent.org true
+blog.linode.com false
+blog.torproject.org false
+blubbablasen.de true
+bodo-wolff.de false
+bohramt.de true
+boiseonlinemall.com true
+bonitabrazilian.co.nz true
+bookingapp.nl true
+bownty.dk true
+boxcryptor.com true
+boypoint.de true
+bradkovach.com true
+brage.info false
+braineet.com true
+brainfork.ml true
+braintreegateway.com true
+brakemanpro.com true
+bran.cc true
+branchtrack.com false
+brandbuilderwebsites.com true
+breeswish.org true
+brks.xyz true
+broeselei.at true
+brossmanit.com true
+brunosouza.org true
+buddhistische-weisheiten.org true
+bugzil.la true
+bugzilla.mozilla.org true
+buiko.com true
+buildkite.com true
+bulktrade.de true
+bundaberg.com true
+burtrum.org true
+business.facebook.com false
+business.lookout.com false
+businesshosting.nl true
+bustimes.org true
+buzzconcert.com true
+bygningsregistrering.dk true
+bysymphony.com true
+bytepark.de false
+bzv-fr.eu true
+ca.gparent.org true
+cackette.com true
+call.me true
+calomel.org true
+calories.org true
+calvin.me true
+camolist.com true
+canhazip.com true
+cao.gov true
+capitaltg.com true
+cardoni.net true
+caremad.io true
+carezone.com false
+carlosalves.info true
+cartouche24.eu true
+cartucce24.it true
+casa-su.casa true
+catnapstudios.com true
+cbhq.net true
+cdlcenter.com true
+cdnb.co true
+cdt.org true
+certible.com true
+certly.io true
+cfo.gov true
+chahub.com true
+chainmonitor.com true
+chartstoffarm.de false
+chatbot.me true
+check.torproject.org false
+checkout.google.com true
+cheesetart.my false
+chrisirwin.ca true
+chrisjean.com true
+chrome-devtools-frontend.appspot.com true
+chrome.com false
+chrome.google.com true
+chromiumcodereview.appspot.com false
+chroniclesofgeorge.com true
+chulado.com true
+cio.gov true
+cklie.de true
+ckliemann.com true
+ckliemann.net true
+cktennis.com true
+clan-ww.com true
+clapping-rhymes.com true
+classdojo.com true
+clerkendweller.uk true
+clevisto.com true
+climateinteractive.org true
+clintwilson.technology true
+cloud.google.com true
+cloudcert.org true
+cloudns.com.au true
+cloudpebble.net true
+cloudsecurityalliance.org true
+cloudstoragemaus.com true
+cloudup.com true
+code-poets.co.uk true
+code.facebook.com false
+code.google.com true
+codepoints.net true
+codepref.com true
+codepx.com true
+codereview.appspot.com false
+codereview.chromium.org true
+coinapult.com true
+coinbase.com true
+coindam.com false
+collinmbarrett.com true
+coloradocomputernetworking.net true
+comdurav.com true
+commencepayments.com true
+completionist.audio true
+comssa.org.au true
+config.schokokeks.org false
+conformal.com true
+conrad-kostecki.de true
+console.support true
+consumersentinel.gov true
+contributor.google.com true
+controlcenter.gigahost.dk true
+cor-ser.es true
+cordial-restaurant.com true
+costablancavoorjou.com true
+cotonea.de true
+courtlistener.com true
+covenantoftheriver.org true
+covoiturage.fr true
+cpvmatch.eu true
+cracker.in.th true
+crm.onlime.ch false
+crowdjuris.com true
+crute.me true
+crypto.cat false
+crypto.graphics true
+cryptobin.org true
+cryptography.io true
+cryptopartyatx.org true
+cryptopush.com true
+csacongress.org true
+cspbuilder.info true
+csuw.net true
+cube.de true
+cupcake.io true
+cupcake.is true
+curiosity-driven.org true
+curlybracket.co.uk true
+curtacircuitos.com.br false
+cyanogenmod.xxx true
+cybershambles.com true
+cybozu.com true
+cybozulive.com true
+cycleluxembourg.lu true
+cyon.ch true
+cyphertite.com true
+cyprus-company-service.com true
+czakey.net true
+czbix.com true
+czk.mk true
+d42.no true
+daknob.net true
+danielalvarez.net true
+danonsecurity.com true
+danskoferie.dk true
+danw.io true
+daphne.informatik.uni-freiburg.de true
+darchoods.net false
+darkengine.io true
+darknode.in true
+darkpony.ru true
+darkserver.fedoraproject.org true
+darkserver.stg.fedoraproject.org true
+darlo.co.uk true
+darom.jp true
+dash-board.jp false
+data-abundance.com true
+data.qld.gov.au false
+datasnitch.co.uk true
+datenkeks.de true
+daveoc64.co.uk true
+davidlyness.com true
+davidmcevoy.org.uk true
+davidnoren.com true
+daylightpirates.org true
+dbgamestudio.com true
+dccode.gov true
+deadbeef.ninja true
+dealcruiser.nl true
+debtkit.co.uk true
+dedimax.de true
+dee.pe true
+defcon.org true
+dekasan.ru true
+deliverance.co.uk false
+denh.am true
+depechemode-live.com true
+derevtsov.com false
+derhil.de true
+desmaakvanplanten.be true
+detectify.com false
+developer.mydigipass.com false
+developers.facebook.com false
+devinfo.net false
+devklog.net true
+diamante.ro true
+die-besten-weisheiten.de true
+digital1st.co.uk true
+dillonkorman.com true
+dinamoelektrik.com true
+disking.co.uk true
+dist.torproject.org false
+dixmag.com false
+dl.google.com true
+dlc.viasinc.com true
+dm.lookout.com false
+dm.mylookout.com false
+dn42.us true
+dnmlab.it true
+dnsman.se true
+doc.python.org true
+docs.google.com true
+docs.python.org true
+dohosting.ru true
+domainkauf.de true
+domains.google.com true
+donmez.uk true
+donmez.ws true
+donotcall.gov true
+doridian.com true
+doridian.de true
+doridian.net true
+doridian.org true
+dpsg-roden.de true
+dragons-of-highlands.cz true
+dreadbyte.com true
+dreamsforabetterworld.com.au true
+drive.google.com true
+dropbox.com true
+dropboxer.net true
+drtroyhendrickson.com true
+drumbandesperanto.nl true
+dubrovskiy.net true
+ducohosting.com true
+dyeager.org true
+dylanscott.com.au true
+dynaloop.net true
+dzlibs.io true
+e-kontakti.fi true
+e.mail.ru true
+earmarks.gov true
+easysimplecrm.com false
+eatsleeprepeat.net true
+ebanking.indovinabank.com.vn true
+ecake.in true
+ecdn.cz true
+ecfs.link true
+ecg.fr false
+ecosystem.atlassian.net true
+ectora.com true
+ed.gs true
+edge-cloud.net true
+edit.yahoo.com false
+edix.ru true
+eduid.se true
+eduroam.no true
+edyou.eu true
+ef.gy true
+eff.org true
+egfl.org.uk true
+egit.co true
+ego4u.com true
+ego4u.de true
+eksisozluk.com true
+electronic-ignition-system.com true
+ellegaard.dk true
+elliquiy.com true
+emailprivacytester.com true
+emptypath.com true
+encircleapp.com true
+encryptallthethings.net true
+encrypted.google.com true
+energy-drink-magazin.de true
+enigmail.net true
+enorekcah.com true
+enskat.de true
+enskatson-sippe.de true
+entropia.de false
+erisrenee.com true
+eromixx.com true
+erotische-aanbiedingen.nl true
+errors.zenpayroll.com false
+eru.me true
+esoa.net true
+espra.com true
+ethack.org true
+ethercalc.com true
+ethercalc.org true
+ethitter.com true
+etoprekrasno.ru true
+eurotramp.com true
+eva.cz true
+evalesc.com true
+everhome.de true
+eveshamglass.co.uk true
+evstatus.com true
+exiahost.com false
+exon.io true
+expatads.com true
+explodie.org true
+expoundite.net true
+extendwings.com true
+ezequiel-garzon.com true
+ezequiel-garzon.net true
+f-droid.org true
+f2f.cash true
+fa-works.com true
+fabhub.io true
+facebook.com false
+factor.cc false
+fairbill.com true
+fakturoid.cz true
+falconvintners.com true
+fangs.ink true
+fant.dk true
+faq.lookout.com false
+fassadenverkleidung24.de true
+fastcomcorp.net true
+fatherhood.gov true
+faucetbox.com true
+federalregister.gov true
+fedorahosted.org true
+fedorapeople.org true
+feedbin.com false
+feedthebot.com true
+feen.us true
+feminists.co true
+ferienhaus-polchow-ruegen.de false
+fewo-thueringer-wald.de true
+ffbans.org true
+fidelapp.com true
+fiftyshadesofluca.ml true
+fiken.no true
+filedir.com false
+filip-prochazka.com true
+finn.io false
+firebaseio-demo.com true
+firebaseio.com true
+firebirdrangecookers.com true
+firefart.at true
+firemail.io true
+firma-offshore.com true
+firstlook.org true
+fischer-its.com true
+fish-hook.ru true
+fitkram.cz true
+fj.simple.com false
+flagspot.net true
+flamer-scene.com true
+fleximus.org false
+floobits.com true
+florian-lillpopp.de true
+florianlillpopp.de true
+florianmitrea.uk true
+floweslawncare.com true
+flushstudios.com true
+fluxfingers.net true
+flynn.io true
+fniephaus.com true
+food4health.guide true
+foodwise.marketing true
+forewordreviews.com true
+forgix.com true
+forodeespanol.com true
+forum.linode.com false
+forum.quantifiedself.com true
+foxelbox.com true
+fralef.me false
+frederik-braun.com true
+freenetproject.org true
+freeshell.de true
+freesounding.com true
+freesounding.ru true
+freethought.org.au true
+fretscha.com true
+froggstack.de true
+fronteers.nl true
+fruchthof24.de true
+frusky.de false
+frusky.net true
+ftccomplaintassistant.gov true
+fteproxy.org true
+fundingempire.com true
+futos.de true
+fuzzing-project.org true
+fx5.de true
+g2g.com true
+gallery44.org true
+gambit.pro true
+gambitnash.co.uk true
+gambitnash.com true
+gambitprint.com true
+gamercredo.com true
+gamercredo.net true
+gameserver-sponsor.de true
+garron.net true
+gavick.com true
+gaytorrent.ru true
+gc.net true
+ge3k.net true
+gemeinfreie-lieder.de true
+genuxation.com true
+genuxtsg.com true
+geoip.fedoraproject.org true
+geoip.stg.fedoraproject.org true
+gerardozamudio.mx true
+gernert-server.de true
+get.zenpayroll.com false
+getable.com true
+getbambu.com false
+getcloak.com false
+getcolor.com true
+getdigitized.net true
+getfedora.org true
+getfittedstore.com true
+getmango.com true
+getnikola.com true
+getsello.com true
+getssl.uz true
+gheorghesarcov.ga true
+giacomopelagatti.it true
+github.com true
+github.party false
+gizzo.sk true
+glass.google.com true
+globalittech.com false
+globuli-info.de true
+glossopnorthendafc.co.uk true
+gmail.com false
+gmantra.org true
+gmcd.co true
+gnetwork.eu true
+go-zh.org true
+go.xero.com false
+gocardless.com true
+gokmenguresci.com true
+goldendata.io true
+golfscape.com false
+google true
+googlemail.com false
+googleplex.com true
+gopay.cz true
+goshop.cz true
+gothamlimo.com true
+goto.google.com true
+gotspot.com true
+gplintegratedit.com true
+gpsfix.cz true
+gra2.com true
+grandcapital.id true
+grandcapital.ru true
+grc.com false
+greensolid.biz true
+gregorytlee.me true
+grepular.com true
+grigalanzsoftware.com true
+grimm-gastrobedarf.de true
+grocock.me.uk true
+groetzner.net true
+groszek.pl true
+groups.google.com true
+gtraxapp.com true
+gudini.net true
+gugga.dk false
+guidetoiceland.is true
+gunnarhafdal.com true
+guphi.net true
+guru-naradi.cz true
+gurusupe.com true
+guthabenkarten-billiger.de true
+gvt2.com true
+gvt3.com true
+gw2treasures.com true
+gwijaya.com true
+h2check.org true
+haber1903.com true
+hachre.de false
+hack.li true
+hackerone-user-content.com true
+hackerone.com true
+haircrazy.com true
+hangouts.google.com true
+hansvaneijsden.com true
+happylifestyle.com true
+happyteamlabs.com true
+harvestapp.com true
+hash-list.com true
+hasilocke.de true
+haste.ch true
+haufschild.de true
+hausverbrauch.de true
+haveibeenpwned.com true
+hboeck.de true
+healthcare.gov false
+heartlandrentals.com true
+heavystresser.com true
+heftkaufen.de true
+heha.co false
+heid.ws true
+heijblok.com true
+helichat.de true
+help.simpletax.ca false
+helpadmin.net true
+helpium.de true
+hemlockhillscabinrentals.com true
+henriknoerr.com true
+heppler.net true
+herbert.io true
+herocentral.de true
+herzbotschaft.de true
+heute-kaufen.de true
+hex2013.com true
+hexony.com true
+hg.python.org true
+hicn.gq true
+hicoria.com true
+history.google.com false
+hiv.gov true
+hledejpravnika.cz true
+hobbyspeed.com true
+holymoly.lu true
+honeybadger.io false
+horza.org true
+hostedtalkgadget.google.com true
+hostinginnederland.nl true
+hostix.de true
+howrandom.org true
+howsmyssl.com true
+howsmytls.com true
+hozana.si true
+hpac-portal.com true
+hrackydomino.cz true
+hs-group.net true
+hsmr.cc true
+hsr.gov true
+hstsfail.appspot.com true
+html5.org true
+httpswatch.com true
+hushfile.it true
+i10z.com true
+i5y.co.uk true
+iamcarrico.com true
+ian.sh true
+iban.is true
+id-co.in true
+id-conf.com true
+id.atlassian.com true
+id.mayfirst.org false
+ideaweb.de true
+ieval.ro true
+ihrlotto.de true
+ijohan.nl true
+ikkatsu-satei.jp true
+ilbuongiorno.it true
+ilikerainbows.co true
+ilikerainbows.co.uk false
+imaginary.ca true
+imagr.io true
+imgg.es true
+imouto.my false
+impex.com.bd true
+in.xero.com false
+inb4.us true
+inbox.google.com true
+indiecert.net true
+indovinabank.com.vn true
+influxus.com true
+infogrfx.com true
+informnapalm.org true
+iniiter.com true
+initrd.net true
+inkbunny.net true
+inleaked.com true
+innophate-security.com true
+innophate-security.nl true
+insighti.org true
+insouciant.org true
+instasex.ch true
+integromat.com true
+interasistmen.se true
+interserved.com true
+iostips.ru true
+ipomue.com false
+ipsec.pl true
+iqualtech.com true
+iranianlawschool.com true
+iridiumbrowser.de true
+irische-segenswuensche.info true
+irmag.ru true
+ironfistdesign.com true
+isimonbrown.co.uk true
+isitchristmas.com true
+isogram.nl true
+it-schwerin.de true
+itdashboard.gov true
+itriskltd.com true
+itsamurai.ru true
+itshost.ru true
+ix8.ru true
+izdiwho.com true
+j-lsolutions.com true
+jackyyf.com false
+jacobparry.ca false
+jacuzziprozone.com true
+jahliveradio.com false
+jakub-boucek.cz true
+jamesbywater.co.uk true
+jamesbywater.com true
+jamesbywater.me true
+jamesbywater.uk true
+jamielinux.com true
+janoberst.com true
+jbn.mx true
+jelmer.co.uk true
+jelmer.uk true
+jeremyness.com true
+jetaprices.com true
+jettshome.org true
+jfreitag.de true
+jh-media.eu false
+jimshaver.net true
+jira.com true
+jitsi.org false
+jkb.pics true
+jkbuster.com true
+jmdekker.it true
+jmedved.com true
+jogorama.com.br true
+johannes.io true
+johners.me true
+johnmichel.org true
+jonas-keidel.de true
+jonaswitmer.ch true
+jonathan.ir true
+jondevin.com true
+jonnybarnes.uk true
+jonpads.com true
+jpbike.cz true
+jrc9.ca true
+julianmeyer.de true
+juliansimioni.com true
+jwilsson.com true
+jwilsson.me true
+jwnotifier.org true
+k-dev.de true
+kaheim.de true
+kalevlamps.co.uk true
+kalmar.com true
+kaneo-gmbh.de true
+kanzashi.com true
+karaoketonight.com true
+kardize24.pl true
+karmaspa.se true
+kartonmodellbau.org true
+kaufberatung.community true
+kavovary-kava.cz true
+kdex.de true
+kdyby.org true
+kedarastudios.com true
+keeleysam.com true
+keeleysam.me true
+keepa.com true
+keepclean.me true
+keeperapp.com true
+keepersecurity.com true
+kernel-error.de true
+kevincox.ca true
+keybase.io true
+keycdn.com true
+keycom.co.uk true
+keyerror.com true
+khanovaskola.cz true
+khipu.com true
+khmath.com true
+ki-on.net true
+kinderbuecher-kostenlos.de true
+kinganywhere.eu true
+kingmanhall.org true
+kinogb.net false
+kinsights.com false
+kintone.com true
+kirei.se true
+kissflow.com true
+kitsta.com true
+klarmobil-empfehlen.de true
+klatschreime.de true
+klausbrinch.dk true
+klaxn.com true
+kleidertauschpartys.de true
+kliemann.me true
+klingeletest.de true
+knip.ch true
+knowledgehook.com true
+koen.io true
+koenrouwhorst.nl true
+koenvdheuvel.me true
+kojipkgs.fedoraproject.org true
+kollawat.me true
+komandakovalchuk.com false
+konklone.com true
+koop-bremen.de true
+koordinate.net true
+korinar.com true
+kosho.org true
+kpdyer.com true
+kpebetka.net true
+kraken.io true
+kredite.sale true
+kredite24.de true
+ks-watch.de true
+kuppingercole.com true
+kupschke.net true
+kura.io true
+labaia.info true
+laf.in.net true
+lagerauftrag.info true
+lancejames.com true
+lapetition.be true
+lasst-uns-beten.de true
+lastpass.com false
+laukstein.com true
+launchkey.com true
+lavalite.de true
+lavval.com true
+lb-toner.de true
+leadbook.ru true
+leakedminecraft.net true
+leanclub.org true
+ledhouse.sk true
+legoutdesplantes.be true
+leibniz-remscheid.de true
+leifdreizler.com true
+lellyboi.ml true
+lence.net true
+leninalbertop.com.ve true
+leonardcamacho.me true
+leonax.net true
+leonklingele.de true
+les-corsaires.net true
+libfte.org true
+libraryfreedomproject.org true
+lichtspot.de true
+liebel.org true
+light.mail.ru true
+lighting-centres.co.uk true
+lillpopp.eu true
+lilpwny.com true
+limitededitioncomputers.com true
+limitededitionsolutions.com true
+limpid.nl true
+lingolia.com true
+linode.com false
+linorman1997.me true
+linux-admin-california.com true
+linx.li true
+linx.net true
+lists.mayfirst.org false
+lists.stg.fedoraproject.org true
+livej.am true
+livekaarten.nl true
+ljs.io true
+lloyd-day.me true
+lmmtfy.io true
+lnx.li true
+lobste.rs true
+lockify.com true
+lodash.com true
+loenshotel.de true
+loftboard.eu true
+logentries.com false
+login.corp.google.com true
+login.launchpad.net true
+login.persona.org true
+login.sapo.pt true
+login.ubuntu.com true
+login.xero.com false
+login.yahoo.com false
+lolicore.ch true
+lookout.com false
+lookyman.net true
+lookzook.com true
+lore.azurewebsites.net true
+ludwig.im true
+luelistan.net true
+lumi.do false
+luneta.nearbuysystems.com false
+luxwatch.com true
+lymia.moe true
+lyst.co.uk true
+m.facebook.com false
+m.mail.ru true
+m0wef.uk true
+maartenvandekamp.nl true
+mach-politik.ch true
+madars.org true
+madeitwor.se true
+mafamane.com true
+maff.scot false
+magneticanvil.com true
+mahamed91.pw true
+mail-settings.google.com true
+mail.de true
+mail.google.com true
+mail.yahoo.com false
+mailbox.org true
+mailmag.net true
+makeitdynamic.com true
+makeyourlaws.org true
+mall.cz true
+mall.hu true
+mall.pl true
+mall.sk true
+malnex.de true
+malwre.io true
+mammaw.com true
+man3s.jp true
+manage.zenpayroll.com false
+manageprojects.com true
+manager.linode.com false
+mandala-ausmalbilder.de true
+manicode.com true
+markayapilandirma.com true
+market.android.com true
+markhaehnel.de true
+markusueberallassetmanagement.de true
+marshut.net true
+massivum.de false
+masters.black true
+matatall.com false
+mathiasbynens.be true
+matteomarescotti.it true
+mattfin.ch true
+mattmccutchen.net true
+mattsvensson.com true
+max.gov true
+maximelouet.me true
+mbasic.facebook.com false
+mbp.banking.co.at false
+mcard.vn true
+mccrypto.de true
+mcnext.net true
+md5file.com true
+mdfnet.se false
+me.net.nz true
+meamod.com true
+mebio.us true
+medallia.io true
+mediacru.sh true
+medium.com true
+medovea.ru true
+medtehnika.ua true
+meetfinch.com true
+meetings2.com true
+mega.co.nz true
+megaplan.cz true
+megaplan.ru true
+mehmetince.net true
+meinebo.it true
+members.mayfirst.org false
+members.nearlyfreespeech.net false
+mercuryamericas.com true
+meritz.rocks true
+mertcangokgoz.com true
+metrobriefs.com true
+mevs.cz true
+mh-bloemen.co.jp true
+miasarafina.de true
+michalspacek.cz true
+miconcinemas.com true
+mig5.net true
+mijn-email.org true
+mike-bland.com true
+miketabor.com true
+mikewest.org true
+miku.hatsune.my false
+mim.properties true
+mimeit.de true
+mimovrste.com true
+mindcoding.ro true
+mindoktor.se true
+minecraftvoter.com true
+mineover.es true
+minez-nightswatch.com false
+minikneet.com true
+minnesotadata.com true
+mironet.cz true
+miskatonic.org true
+miss-inventory.co.uk true
+mister.hosting true
+mitell.jp false
+mittenhacks.com true
+mjanja.ch true
+mkcert.org true
+mkw.st true
+mnsure.org true
+mobilcom-debitel-empfehlen.de true
+mobile.usaa.com false
+mobilux.lv true
+mobobe.com true
+modeldimension.com true
+mokote.com true
+mondwandler.de true
+morethanadream.lv true
+moriz.de true
+moriz.net true
+mothereff.in true
+mountainmusicpromotions.com true
+mountainroseherbs.com true
+movlib.org true
+mp3juices.is true
+mpreserver.com true
+mqas.net true
+mr-hosting.com true
+msa-aesch.ch true
+msc-seereisen.net true
+mtau.com true
+mthode.org true
+mths.be true
+mtouch.facebook.com false
+mudcrab.us true
+mujadin.se true
+multigamecard.com true
+munich-rage.de true
+munki.org true
+munuc.org true
+musi.cx true
+musicgamegalaxy.de true
+musmann.io true
+mustika.cf true
+mutamatic.com true
+mutantmonkey.in true
+mutantmonkey.info true
+mutantmonkey.sexy true
+mvno.io true
+mvsecurity.nl true
+mwe.st false
+my.onlime.ch false
+my.xero.com false
+myaccount.google.com true
+mygadgetguardian.lookout.com false
+mygretchen.de true
+mykontool.de true
+mylookout.com false
+myni.io true
+mynigma.org true
+myplaceonline.com true
+myprintcard.de true
+myvirtualserver.com true
+nachsendeauftrag.net true
+nachsenden.info true
+naiharngym.com true
+nameid.org true
+namepros.com true
+nan.zone true
+nanderson.me true
+narodniki.com true
+nationalpriorities.org true
+nayahe.ru true
+nbl.org.tw true
+nctx.co.uk true
+ndarville.com true
+nectarleaf.com true
+neg9.org false
+neilwynne.com false
+neko.li true
+nella-project.org true
+nellacms.com true
+nellacms.org true
+nellafw.org true
+nerven.se true
+net-safe.info true
+netbox.cc true
+netera.se true
+netrelay.email true
+netrider.net.au true
+newstarnootropics.com true
+nextend.net true
+ng-security.com true
+nginxnudes.com true
+nicolaw.uk true
+nieselregen.com true
+niloxy.com true
+nmctest.net true
+nmd.so true
+nodari.com.ar true
+noemax.com true
+noob-box.net true
+nopex.no true
+northernmuscle.ca true
+nos-oignons.net true
+nostraforma.com false
+notalone.gov true
+nouvelle-vague-saint-cast.fr true
+novacoast.com true
+nowhere.dk true
+npw.net true
+nsboutique.com true
+nu3.at true
+nu3.ch true
+nu3.co.uk true
+nu3.com true
+nu3.de true
+nu3.dk true
+nu3.fi true
+nu3.fr true
+nu3.no true
+nu3.se true
+null.tips true
+nutsandboltsmedia.com true
+nuvini.com true
+nwa.xyz true
+nwgh.org true
+nymphetomania.net true
+oakslighting.co.uk true
+ocrami.us true
+offshore-firma.org true
+oguya.ch true
+ohling.org true
+ohnemusik.com true
+okmx.de true
+olivierlemoal.fr true
+omitech.co.uk true
+onedot.nl true
+onedrive.com true
+onedrive.live.com false
+onsitemassageco.com true
+ooonja.de true
+openacademies.com true
+oplop.appspot.com true
+opsmate.com false
+optimus.io true
+orbograph-hrcm.com true
+orcahq.com true
+orhideous.name true
+oscarvk.ch true
+osquery.io true
+osterkraenzchen.de true
+otakuworld.de true
+ouvirmusica.com.br true
+ovenapp.io true
+oversight.io true
+ownmovies.fr true
+p.linode.com false
+packagist.org false
+pactf.com true
+pajonzeck.de true
+palava.tv true
+pap.la false
+parent5446.us true
+partyvan.eu true
+partyvan.it true
+partyvan.nl true
+partyvan.se true
+passphrase.today true
+passport.yandex.by true
+passport.yandex.com true
+passport.yandex.com.tr true
+passport.yandex.kz true
+passport.yandex.ru true
+passport.yandex.ua true
+passwd.io true
+password.codes true
+passwords.google.com true
+pasta-factory.co.il true
+paste.linode.com false
+pastebin.linode.com false
+patechmasters.com true
+patriksimek.cz true
+patt.us true
+pauladamsmith.com true
+paulschreiber.com true
+pay.gigahost.dk true
+paymentaccuracy.gov true
+payments-reference.org true
+paymill.com true
+paymill.de true
+paypal.com false
+payroll.xero.com false
+pbprint.ru false
+pclob.gov true
+pdf.yt true
+peercraft.com true
+pentesterlab.com true
+perfectionis.me true
+personaldatabasen.no true
+pestici.de true
+petplum.com true
+petrolplus.ru true
+pharmaboard.de true
+phil.tw true
+philosopherswool.com true
+phoenix.dj true
+phoenixlogan.com true
+phryanjr.com false
+phurl.de true
+pi-supply.com true
+picksin.club true
+picsto.re true
+pieperhome.de true
+pierre-schmitz.com true
+pieterhordijk.com true
+pijuice.com true
+piratedb.com true
+piratedot.com true
+pirateproxy.sx true
+pixel.facebook.com false
+pixi.me true
+play.google.com true
+plothost.com true
+plus.google.com false
+plus.sandbox.google.com false
+plzenskybarcamp.cz true
+pmg-offshore-company.com true
+pmg-purchase.com true
+pmg-purchase.net true
+poedgirl.com true
+pollpodium.nl true
+polymathematician.com true
+polypho.nyc true
+ponythread.com true
+portal.tirol.gv.at true
+posteo.de false
+postfinance.ch true
+posttigo.com true
+prakharprasad.com true
+prefontaine.name true
+preissler.co.uk true
+preloaded-hsts.badssl.com true
+presidentials2016.com true
+privategiant.com true
+profiles.google.com true
+progressiveplanning.com true
+projectascension.io true
+projektzentrisch.de true
+prontolight.com true
+proofwiki.org true
+propagandism.org true
+prospo.co true
+prowhisky.de true
+proximato.com true
+proxybay.club true
+proxybay.co true
+proxybay.info true
+ptn.moscow true
+puac.de true
+pubkey.is true
+publications.qld.gov.au false
+puiterwijk.org true
+pult.co false
+purewebmasters.com false
+pwd.ovh true
+pypa.io true
+pypi.python.org true
+python.org false
+qa.fedoraproject.org true
+qa.stg.fedoraproject.org true
+qetesh.de true
+qualityhomesystems.com true
+quebecmailbox.com true
+quli.nl true
+quuz.org true
+r3s1stanc3.me true
+rad-route.de true
+radiormi.com true
+rafaelcz.de true
+ragingserenity.com true
+railgun.ac true
+raiseyourflag.com true
+ramsor-gaming.de true
+rasing.me true
+raspass.me true
+ravchat.com true
+rawstorieslondon.com true
+raydobe.me false
+raymii.org true
+reaconverter.com true
+red-t-shirt.ru true
+redirect.fedoraproject.org true
+redirect.stg.fedoraproject.org true
+redletter.link true
+redlink.de true
+redteam-pentesting.de true
+reedloden.com true
+refundo.cz true
+refundo.sk true
+reg.ru false
+release-monitoring.org true
+reliable-mail.de true
+renem.net true
+report-uri.io true
+research.facebook.com false
+research.md true
+residentsinsurance.co.uk true
+resources.flowfinity.com true
+reviews.anime.my true
+riccy.org true
+richiemail.net true
+ricochet.im true
+riesenmagnete.de true
+rika.me true
+rippleunion.com true
+rischard.org true
+rlalique.com true
+rmmanfredi.com true
+robertof.ovh true
+robinadr.com true
+robinsonyu.com true
+robteix.com true
+robtex.com true
+rodosto.com true
+roeper.party true
+roland.io true
+romab.com true
+roman-pavlik.cz true
+romans-place.me.uk true
+romulusapp.com false
+room-checkin24.de true
+roosterpgplus.nl true
+roots.io true
+roquecenter.org true
+rosenkeller.org true
+rotunneling.net true
+roundcube.mayfirst.org false
+royalacademy.org.uk true
+rpy.xyz true
+rssr.se true
+ru-sprachstudio.ch true
+rubecodeberg.com true
+rubendv.be true
+rubyshop.nl true
+rudloff.pro true
+rusadmin.biz true
+ruudkoot.nl true
+rws-vertriebsportal.de true
+ryan-goldstein.com true
+s-c.se true
+sabahattin-gucukoglu.com true
+safescan.com true
+sagerus.com true
+sageth.com true
+saintsrobotics.com true
+sakaki.anime.my true
+salaervergleich.com true
+sale4ru.ru true
+salserocafe.com true
+samba.org true
+samfunnet.no false
+samizdat.cz true
+samuelkeeley.com true
+sanatfilan.com false
+sandbox.mydigipass.com false
+sarahlicity.co.uk true
+saulchristie.com true
+save.gov true
+saveaward.gov true
+savvytime.com true
+schachburg.de true
+schokokeks.org true
+schreiber-netzwerk.eu true
+schreibnacht.de true
+schwarzer.it true
+sciencex.com true
+scotthel.me true
+scotthelme.co.uk true
+scoutdb.ch true
+scrambl.is true
+scrambler.in false
+scrap.tf true
+screenlight.tv true
+scribe.systems true
+script.google.com true
+sdsl-speedtest.de true
+search-one.de true
+sec.gd true
+secretserveronline.com true
+secure.facebook.com false
+securedrop.org true
+securesuisse.ch true
+securify.nl true
+security-carpet.com true
+security.google.com true
+securityheaders.com true
+securitysnobs.com false
+secuvera.de true
+seifried.org true
+sellocdn.com true
+servergno.me true
+servertastic.com true
+servethecity-karlsruhe.de false
+setuid.io true
+seyahatsagliksigortalari.com true
+sh-network.de true
+shaaaaaaaaaaaaa.com true
+shadex.net true
+shakepeers.org true
+shamka.ru true
+shanewadleigh.com true
+shasso.com true
+shellsec.pw true
+shenyuqi.com true
+sherbers.de true
+shiinko.com false
+shipard.com true
+shodan.io true
+shopontarget.com true
+shortdiary.me true
+sidium.de true
+siewert-kau.de true
+sigterm.sh true
+sikayetvar.com true
+silentcircle.com false
+simbolo.co.uk false
+simple.com false
+simpletax.ca false
+simplia.cz true
+simplystudio.com true
+siraweb.org true
+siriad.com true
+sites.google.com true
+sitesko.de true
+sitesten.com true
+sizzle.co.uk true
+sjoorm.com true
+skeeley.com true
+skhosting.eu true
+skogsbruket.fi true
+skogskultur.fi true
+skydrive.live.com false
+slack-files.com true
+slack.com true
+slattery.co true
+sleio.com true
+slever.cz true
+slevomat.cz true
+slidebatch.com true
+slope.haus true
+slse.ca true
+smartcleaningcenter.nl true
+smartcoin.com.br true
+smartlend.se true
+smartship.co.jp true
+smith.is true
+snailing.org true
+snakehosting.dk true
+snazel.co.uk true
+sneezry.com true
+sny.no true
+soccergif.com true
+soci.ml true
+sockeye.cc true
+soia.ca true
+solihullcarnival.co.uk true
+solihulllionsclub.org.uk true
+sorz.org true
+souki.cz true
+soulfulglamour.uk true
+soulogic.com true
+sour.is true
+sourceway.de true
+southside-crew.com true
+souvik.me true
+spartantheatre.org true
+spawn.cz true
+speedcounter.net true
+spencerbaer.com true
+spideroak.com true
+spongepowered.org true
+spreadsheets.google.com true
+spreed.me true
+sprueche-zum-valentinstag.de true
+sprueche-zur-geburt.info true
+sprueche-zur-hochzeit.de true
+sprueche-zur-konfirmation.de true
+spyroszarzonis.com true
+squareup.com false
+srevilak.net true
+sro.center true
+ssl.google-analytics.com true
+sslmate.com true
+stablelib.com true
+stage.wepay.com false
+standardssuck.org true
+starapple.nl true
+static.wepay.com false
+staticanime.net false
+stationary-traveller.eu true
+stereo.lu true
+stereochro.me true
+stesti.cz true
+stevegrav.es true
+steventress.com true
+stewartremodelingadvantage.com true
+sticklerjs.org true
+stirling.co true
+stocktrade.de false
+storedsafe.com true
+stormhub.org true
+strasweb.fr false
+stretchmyan.us true
+stripe.com true
+strongest-privacy.com true
+stuartbaxter.co false
+studienportal.eu true
+studydrive.net true
+stulda.cz true
+subeesu.com true
+subrosa.io true
+sufix.cz true
+suite73.org true
+sunjaydhama.com true
+suos.io true
+supplies24.at true
+supplies24.es true
+support.mayfirst.org false
+surkatty.org true
+survivalmonkey.com true
+svager.cz true
+swehack.org false
+sychov.pro true
+sylaps.com true
+sysctl.se true
+sysdb.io true
+syss.de true
+t23m-navi.jp false
+tadigitalstore.com true
+tageau.com true
+taken.pl true
+talideon.com true
+talk.google.com true
+talkgadget.google.com true
+tallr.se true
+tallshoe.com true
+tas2580.net true
+taskotron.fedoraproject.org true
+taskotron.stg.fedoraproject.org true
+tatort-fanpage.de true
+tauchkater.de true
+tbspace.de true
+tcgrepublic.com true
+tdelmas.ovh true
+tdrs.info true
+teachforcanada.ca true
+teamnorthgermany.de true
+teamupturn.com true
+techhipster.net true
+techhub.ml true
+techllage.com true
+techloaner.com true
+technotonic.com.au false
+tegelsensanitaironline.nl true
+tekshrek.com true
+tempus-aquilae.de true
+tent.io true
+terraelectronica.ru true
+terraweb.net true
+terrax.info true
+terrax.net true
+terrty.net true
+testsuite.org true
+texte-zur-taufe.de true
+thca.ca true
+theamp.com true
+thebimhub.com true
+thecoffeehouse.xyz true
+thecustomizewindows.com true
+theescapistswiki.com true
+thefrozenfire.com true
+thehiddenbay.net true
+themoep.at true
+thepaymentscompany.com true
+thepiratebay.al true
+therapynotes.com true
+thetomharling.com true
+theunitedstates.io true
+theweilai.com true
+thomastimepieces.com.au true
+thouni.de true
+thumbtack.com true
+thusoy.com true
+thyngster.com false
+tickopa.co.uk true
+tid.jp true
+timmy.ws true
+timotrans.de true
+timotrans.eu true
+timtaubert.de true
+tinfoilsecurity.com false
+tinkertry.com false
+tinte24.de true
+tintenfix.net true
+tipps-fuer-den-haushalt.de true
+tittelbach.at true
+titties.ml true
+tls.li true
+tmtopup.com true
+tno.io true
+tobias-kluge.de true
+todesschaf.org true
+todoist.com true
+tollsjekk.no true
+tom.horse true
+tomfisher.eu true
+tomharling.co.uk true
+tomharling.uk true
+tomrichards.net true
+tomvote.com true
+toner24.at true
+toner24.co.uk true
+toner24.es true
+toner24.fr true
+toner24.it true
+toner24.nl true
+toner24.pl true
+tonerdepot.de true
+tonerjet.at true
+tonerjet.co.uk true
+tonerklick.de true
+tonerkurier.de true
+tonermaus.de true
+tonermonster.de true
+tonex.de true
+tonex.nl true
+tonytan.cn true
+tonywebster.com true
+topbargains.com.au true
+topodin.com true
+topshelfguild.com true
+toptexture.com true
+tor2web.org true
+tormentedradio.com true
+torproject.org false
+torquato.de false
+toshnix.com true
+totem-eshop.cz true
+touch.facebook.com false
+touch.mail.ru true
+tox.im true
+tpbproxy.co true
+traas.org true
+tracktivity.com.au true
+translate.fedoraproject.org true
+translate.googleapis.com true
+translate.stg.fedoraproject.org true
+trashnothing.com true
+trauertexte.info true
+tresorit.com true
+tribaldos.com true
+tribut.de true
+ts3.consulting true
+tuamoronline.com true
+tucuxi.org true
+tuitle.com true
+tunebitfm.de true
+tuxplace.nl true
+twentymilliseconds.com true
+twisto.cz true
+twitter.com false
+twitteroauth.com true
+twofactorauth.org true
+twolinepassbrewing.com true
+typingrevolution.com true
+uae-company-service.com true
+ub3rk1tten.com false
+ubanquity.com true
+ubertt.org true
+ucfirst.nl true
+ukdefencejournal.org.uk true
+ukhas.net true
+ukrainians.ch true
+ulabox.com true
+unison.com true
+unitedadmins.com true
+unknownphenomena.net true
+unravel.ie true
+unterfrankenclan.de true
+uonstaffhub.com true
+uow.ninja true
+upitnik.rs true
+upload.facebook.com false
+uptrends.com true
+uptrends.de true
+usaa.com false
+uscntalk.com true
+uspsoig.gov true
+utilityapi.com true
+utleieplassen.no true
+vaddder.com true
+vasanth.org true
+vbh2o.com true
+vechkasov.ru true
+venicerealdeal.com true
+vhost.co.id true
+viasinc.com false
+vijos.org true
+visionless.me false
+vitrado.de true
+vmoagents.com false
+vocaloid.my true
+voicesuk.co.uk true
+vomitb.in true
+vortexhobbies.com true
+votocek.cz true
+votockova.cz true
+vox.vg true
+vpnzoom.com true
+vrobert.fr false
+vrtak-cz.net true
+vserver-preis-vergleich.de true
+vyplnto.cz true
+vzk.io false
+w-spotlight.appspot.com true
+wallet.google.com true
+walnutgaming.co.uk true
+walnutgaming.com true
+warrencreative.com false
+watsonhall.uk true
+wbg-vs.de true
+wearvr.com true
+webandmore.de false
+webandwords.com.au true
+webassadors.com false
+webcollect.org.uk true
+webeau.com true
+webfilings-eu-mirror.appspot.com true
+webfilings-eu.appspot.com true
+webfilings-mirror-hrd.appspot.com true
+webfilings.appspot.com true
+weblogzwolle.nl true
+webmail.gigahost.dk false
+webmail.onlime.ch false
+webmail.schokokeks.org false
+webmaniabr.com true
+webmarketingfestival.it true
+webogram.org true
+webrebels.org true
+websenat.de true
+webswitch.io true
+webtalis.nl true
+webtiles.co.uk true
+webtrh.cz true
+weggeweest.nl true
+welches-kinderfahrrad.de true
+welpy.com false
+wepay.com false
+wepay.in.th true
+wesecom.com true
+wesleyharris.ca true
+wettertoertchen.com true
+wevahoo.com true
+wf-bigsky-master.appspot.com true
+wf-demo-eu.appspot.com true
+wf-demo-hrd.appspot.com true
+wf-dogfood-hrd.appspot.com true
+wf-pentest.appspot.com true
+wf-staging-hr.appspot.com true
+wf-training-hrd.appspot.com true
+wf-training-master.appspot.com true
+wf-trial-hrd.appspot.com true
+whatwg.org true
+whd-guide.de true
+when-release.ru true
+when.fm true
+wherephoto.com true
+whitestagforge.com true
+whocalld.com true
+whonix.org true
+widememory.com false
+wieninternational.at true
+wifirst.net true
+wiki.python.org true
+wildbee.org true
+wilf1rst.com true
+williamsapiens.com true
+williamsonshore.com true
+willnorris.com true
+wills.co.tt true
+winhistory-forum.net true
+wisv.ch true
+wit.ai true
+wondershift.biz true
+wootton95.com true
+worldcubeassociation.org true
+wownmedia.com true
+wpletter.de true
+writeapp.me false
+wtfismyip.com true
+wubthecaptain.eu true
+wunderlist.com true
+wundi.net true
+wurzelzwerg.net true
+wvr-law.de true
+www.aclu.org false
+www.airbnb.com true
+www.apollo-auto.com true
+www.banking.co.at false
+www.braintreepayments.com false
+www.capitainetrain.com false
+www.cyveillance.com true
+www.dropbox.com true
+www.dropcam.com false
+www.entropia.de false
+www.eternalgoth.co.uk true
+www.etsy.com true
+www.evernote.com false
+www.facebook.com false
+www.gamesdepartment.co.uk false
+www.getcloak.com false
+www.gmail.com false
+www.googlemail.com false
+www.gov.uk false
+www.grc.com false
+www.healthcare.gov false
+www.heliosnet.com true
+www.honeybadger.io false
+www.intercom.io false
+www.irccloud.com false
+www.lastpass.com false
+www.linode.com false
+www.lookout.com false
+www.makeyourlaws.org true
+www.mydigipass.com false
+www.mylookout.com false
+www.noisebridge.net false
+www.opsmate.com true
+www.paypal.com false
+www.python.org true
+www.roddis.net true
+www.schokokeks.org true
+www.simbolo.co.uk false
+www.simple.com false
+www.therapynotes.com true
+www.tinfoilsecurity.com false
+www.torproject.org false
+www.twitter.com false
+www.usaa.com false
+www.viasinc.com true
+www.wepay.com false
+www.zenpayroll.com false
+wzrd.in true
+wzyboy.org true
+x.io true
+xbrlsuccess.appspot.com true
+xcoop.me true
+xenesisziarovky.sk true
+xf-liam.com true
+xho.me true
+xiaolvmu.me true
+xn--maraa-rta.org true
+xpd.se true
+xps2pdf.co.uk true
+xtrim.ru true
+xuntier.ch true
+y-o-w.com true
+yafuoku.ru true
+yahvehyireh.com true
+yamaken.jp true
+yanovich.net true
+yaporn.tv false
+yello.website true
+yenniferallulli.com true
+yenniferallulli.de true
+yenniferallulli.es true
+yenniferallulli.moda true
+yenniferallulli.nl true
+yetii.net true
+yksityisyydensuoja.fi true
+yokeepo.com true
+yorcom.nl true
+youdowell.com true
+yoursecondphone.co true
+ypart.eu true
+yunzhu.li true
+yunzhu.org true
+z.ai true
+zalan.do true
+zapier.com true
+zbasenem.pl true
+zenpayroll.com false
+zentraler-kreditausschuss.de true
+zentralwolke.de true
+zeplin.io false
+zeropush.com true
+zhang-hao.com true
+zhovner.com true
+zifb.in true
+zixiao.wang true
+zlatosnadno.cz true
+zlavomat.sk true
+zotero.org true
+zravypapir.cz true
diff --git a/src/html.cc b/src/html.cc
index a92771d3..e8d84738 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -2203,9 +2203,9 @@ DilloImage *a_Html_image_new(DilloHtml *html, const char *tag, int tagsize)
return NULL;
alt_ptr = a_Html_get_attr_wdef(html, tag, tagsize, "alt", NULL);
- if ((!alt_ptr || !*alt_ptr) && !prefs.load_images) {
+ if (!alt_ptr || !*alt_ptr) {
dFree(alt_ptr);
- alt_ptr = dStrdup("[IMG]"); // Place holder for img_off mode
+ alt_ptr = dStrdup("[IMG]");
}
dw::Image *dw = new dw::Image(alt_ptr);
diff --git a/src/nav.c b/src/nav.c
index 4ccb28be..3aac475a 100644
--- a/src/nav.c
+++ b/src/nav.c
@@ -353,6 +353,7 @@ void a_Nav_push(BrowserWindow *bw, const DilloUrl *url,
a_Nav_cancel_expect(bw);
a_Bw_expect(bw, url);
Nav_open_url(bw, url, requester, 0);
+ a_UIcmd_set_location_text(bw, URL_STR(url));
}
/*
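Review bot: The added `a_UIcmd_set_location_text(bw, URL_STR(url));` changes the location bar as soon as the request is issued, so until the new page arrives the bar presumably names a URL whose content is not the one on screen. The same mismatch would persist after a failed or cancelled load unless another path resets the text; that path is not visible in this hunk and is worth confirming. I would add a why-comment above the call, for example `/* show the requested URL right away; must be reset if the load is aborted */`, so the dependency on the abort path is explicit. a_Nav_push begins outside the hunk.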
diff --git a/src/paths.hh b/src/paths.hh
index 8f52cd86..ecc02f8b 100644
--- a/src/paths.hh
+++ b/src/paths.hh
@@ -15,6 +15,7 @@
#define PATHS_RC_PREFS "dillorc"
#define PATHS_RC_KEYS "keysrc"
#define PATHS_RC_DOMAIN "domainrc"
+#define PATHS_HSTS_PRELOAD "hsts_preload"
class Paths {
public:
diff --git a/src/prefs.c b/src/prefs.c
index 65ebcdae..39416a04 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -63,9 +63,10 @@ void a_Prefs_init(void)
prefs.http_language = NULL;
prefs.http_proxy = NULL;
prefs.http_max_conns = 6;
- prefs.http_persistent_conns = FALSE;
+ prefs.http_persistent_conns = TRUE;
prefs.http_proxyuser = NULL;
prefs.http_referer = dStrdup(PREFS_HTTP_REFERER);
+ prefs.http_strict_transport_security = TRUE;
prefs.http_user_agent = dStrdup(PREFS_HTTP_USER_AGENT);
prefs.limit_text_width = FALSE;
prefs.adjust_min_width = TRUE;
diff --git a/src/prefs.h b/src/prefs.h
index ac52786e..d22ef656 100644
--- a/src/prefs.h
+++ b/src/prefs.h
@@ -94,6 +94,7 @@ typedef struct {
bool_t load_stylesheets;
bool_t parse_embedded_css;
bool_t http_persistent_conns;
+ bool_t http_strict_transport_security;
int32_t buffered_drawing;
char *font_serif;
char *font_sans_serif;
diff --git a/src/prefsparser.cc b/src/prefsparser.cc
index d01dcac5..a57a1642 100644
--- a/src/prefsparser.cc
+++ b/src/prefsparser.cc
@@ -171,6 +171,8 @@ void PrefsParser::parse(FILE *fp)
{ "http_proxy", &prefs.http_proxy, PREFS_URL, 0 },
{ "http_proxyuser", &prefs.http_proxyuser, PREFS_STRING, 0 },
{ "http_referer", &prefs.http_referer, PREFS_STRING, 0 },
+ { "http_strict_transport_security",&prefs.http_strict_transport_security,
+ PREFS_BOOL, 0 },
{ "http_user_agent", &prefs.http_user_agent, PREFS_STRING, 0 },
{ "limit_text_width", &prefs.limit_text_width, PREFS_BOOL, 0 },
{ "adjust_min_width", &prefs.adjust_min_width, PREFS_BOOL, 0 },
diff --git a/src/url.c b/src/url.c
index e2eac48a..5ffe58fd 100644
--- a/src/url.c
+++ b/src/url.c
@@ -46,6 +46,7 @@
#include <ctype.h>
#include "url.h"
+#include "hsts.h"
#include "msg.h"
static const char *HEX = "0123456789ABCDEF";
@@ -140,10 +141,17 @@ static DilloUrl *Url_object_new(const char *uri_str)
url = dNew0(DilloUrl, 1);
+ /* url->buffer is given a little extra room in case HSTS needs to transform
+ * a URL string ending in ":80" to ":443".
+ */
+ int len = strlen(uri_str)+2;
+ s = dNew(char, len);
+ memcpy(s, uri_str, len-1);
+ s = dStrstrip(s);
+
/* remove leading & trailing space from buffer */
- url->buffer = dStrstrip(dStrdup(uri_str));
+ url->buffer = s;
- s = (char *) url->buffer;
p = strpbrk(s, ":/?#");
if (p && p[0] == ':' && p > s) { /* scheme */
*p = 0;
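Review bot: `int len = strlen(uri_str)+2;` narrows a size_t to int for a string that can come from page content, and that value then sizes both the allocation and the `memcpy`. Declaring it as `size_t len = strlen(uri_str) + 2;` keeps the arithmetic unsigned and in the type `memcpy` expects. The new comment explains the extra byte only for an authority that ends the buffer. It should also state what guarantees room when a path, query or fragment follows the authority, since the later ":80" to ":443" rewrite in a_Url_new depends on that too. Url_object_new starts and ends outside the hunk.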
@@ -412,6 +420,33 @@ DilloUrl* a_Url_new(const char *url_str, const char *base_url)
dFree(str1);
dFree(str2);
+
+ /*
+ * A site's HTTP Strict Transport Security policy may direct us to transform
+ * URLs like "http://en.wikipedia.org:80" to "https://en.wikipedia.org:443".
+ */
+ if (prefs.http_strict_transport_security &&
+ url->scheme && !dStrAsciiCasecmp(url->scheme, "http") &&
+ a_Hsts_require_https(a_Url_hostname(url))) {
+ const char *const scheme = "https";
+
+ MSG("url: HSTS transformation for %s.\n", url->url_string->str);
+ url->scheme = scheme;
+ if (url->port == URL_HTTP_PORT)
+ url->port = URL_HTTPS_PORT;
+
+ if (url->authority) {
+ int len = strlen(url->authority);
+
+ if (len >= 3 && !strcmp(url->authority + len-3, ":80")) {
+ strcpy((char *)url->authority + len-2, "443");
+ }
+ }
+
+ dStr_free(url->url_string, TRUE);
+ url->url_string = NULL;
+ }
+
return url;
}
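Review bot: `strcpy((char *)url->authority + len-2, "443");` writes one byte beyond the old authority terminator through a cast-away const, and nothing in this block checks that the byte is spare. The allocation comment in Url_object_new only covers an authority at the end of url->buffer. When a path or query follows, the write is safe only if the parser leaves a gap after the authority, which this hunk does not show. I would state that invariant at the write, for example `/* url->buffer keeps at least one unused byte after authority; see Url_object_new */`, so a later change to the parser or to the allocation does not turn this into an overwrite of the adjacent component. The local `int len = strlen(url->authority);` would also be better as `size_t`. a_Url_new begins outside the hunk.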
diff --git a/test/cookies.c b/test/cookies.c
index ff744c97..85031043 100644
--- a/test/cookies.c
+++ b/test/cookies.c
@@ -539,14 +539,33 @@ static void maxage()
a_Cookies_set("name=val; max-age=0", "maxage0.com", "/", NULL);
expect(__LINE__, "", "http", "maxage0.com", "/");
+ a_Cookies_set("name=val; max-age=-0", "maxage-0.com", "/", NULL);
+ expect(__LINE__, "", "http", "maxage-0.com", "/");
+
a_Cookies_set("name=val; max-age=100", "maxage100.com", "/", NULL);
expect(__LINE__, "Cookie: name=val\r\n", "http", "maxage100.com", "/");
a_Cookies_set("name=val; max-age=-100", "maxage-100.com", "/", NULL);
expect(__LINE__, "", "http", "maxage-100.com", "/");
- a_Cookies_set("name=val; max-age=2000000000", "maxage-huge.com", "/", NULL);
- expect(__LINE__, "Cookie: name=val\r\n", "http", "maxage-huge.com", "/");
+ a_Cookies_set("name=val; max-age=2000000000", "maxage2bil.com", "/", NULL);
+ expect(__LINE__, "Cookie: name=val\r\n", "http", "maxage2bil.com", "/");
+
+ a_Cookies_set("name=val; max-age=3000000000", "maxage3bil.com", "/", NULL);
+ expect(__LINE__, "Cookie: name=val\r\n", "http", "maxage3bil.com", "/");
+
+ a_Cookies_set("name=val; max-age=7000000000", "maxage7bil.com", "/", NULL);
+ expect(__LINE__, "Cookie: name=val\r\n", "http", "maxage7bil.com", "/");
+
+ a_Cookies_set("name=val; max-age=-2000000000", "maxage-2bil.com", "/",NULL);
+ expect(__LINE__, "", "http", "maxage-2bil.com", "/");
+
+ a_Cookies_set("name=val; max-age=-3000000000", "maxage-3bil.com", "/",NULL);
+ expect(__LINE__, "", "http", "maxage-3bil.com", "/");
+
+ a_Cookies_set("name=val; max-age=-7000000000", "maxage-7bil.com", "/",NULL);
+ expect(__LINE__, "", "http", "maxage-7bil.com", "/");
+
/* just having a server date shouldn't matter */
a_Cookies_set("name=val; max-age=0", "maxage0s.com", "/", server_date);