Double-key HSTS for third party content
With proper siloing of the cache and other identifiers to the URL bar origin, it is no longer a security issue to allow third-party content from HSTS URLs to be loaded from non-HSTS sites. Therefore, we can disable HSTS enforcement for third parties in this case.
This will eliminate a super-cookie vector that HSTS creates (registering 32 domains and using the HSTS state of each domain as one bit of an identifier).
This is going to be a painful patch to write, though...
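To make the reasoning concrete, here is an added toy model (not Tor Browser or Firefox code) of an HSTS store keyed either by host only or by (URL bar origin, host). The tracker hostnames, the two first-party sites and the 32-bit identifier are constructed values; the model shows that single-keyed HSTS state can be read back on an unrelated site, while the double-keyed store only returns the bits set on the same first party.

```python
# Toy model of a browser HSTS store, added to illustrate why keying HSTS state
# to the first-party (URL bar) origin defeats the 32-domain super-cookie.
# All hosts, sites and identifiers below are constructed for the example.
from typing import Set, Tuple

TRACKER_HOSTS = [f"b{i}.tracker.example" for i in range(32)]  # constructed


class HSTSStore:
    """HSTS state keyed by host only (single-key) or by (first_party, host)."""

    def __init__(self, double_key: bool) -> None:
        self.double_key = double_key
        self.entries: Set[Tuple[str, str]] = set()

    def _key(self, first_party: str, host: str) -> Tuple[str, str]:
        return (first_party if self.double_key else "", host)

    def add(self, first_party: str, host: str) -> None:
        """Record a Strict-Transport-Security header seen for host on first_party."""
        self.entries.add(self._key(first_party, host))

    def is_hsts(self, first_party: str, host: str) -> bool:
        """Would the browser upgrade http://host to https while on first_party?"""
        return self._key(first_party, host) in self.entries


def write_id(store: HSTSStore, first_party: str, ident: int) -> None:
    """One HSTS entry per set bit: host i carries bit i of the identifier."""
    for i, host in enumerate(TRACKER_HOSTS):
        if (ident >> i) & 1:
            store.add(first_party, host)


def read_id(store: HSTSStore, first_party: str) -> int:
    """Reassemble the identifier from which hosts the browser would upgrade."""
    ident = 0
    for i, host in enumerate(TRACKER_HOSTS):
        if store.is_hsts(first_party, host):
            ident |= 1 << i
    return ident


def cross_site_read(double_key: bool, ident: int = 0xDEADBEEF) -> int:
    """Identifier written on site-a, read back on site-b (0 means nothing leaks)."""
    store = HSTSStore(double_key)
    write_id(store, "https://site-a.example", ident)
    return read_id(store, "https://site-b.example")


def same_site_read(double_key: bool, ident: int = 0xDEADBEEF) -> int:
    """Control case: written and read on the same first party (legitimate HSTS)."""
    store = HSTSStore(double_key)
    write_id(store, "https://site-a.example", ident)
    return read_id(store, "https://site-a.example")
```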