Isolate HPKP and HSTS to url bar domain
HPKP pinning (where an HTTP header can list a key to pin) may enable third party tracking if an adversary creates multiple certificates for many domains.
HPKP is already memory-only. In normal Firefox, it is saved to disk in the same location as HSTS is.
We should isolate HPKP to the url bar domain, and verify that it and HSTS are cleared on New Identity (I believe they are).
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information