diff --git a/dom/security/nsHTTPSOnlyUtils.cpp b/dom/security/nsHTTPSOnlyUtils.cpp
index b5512d8f78ef..b62bd7c99418 100644
--- a/dom/security/nsHTTPSOnlyUtils.cpp
+++ b/dom/security/nsHTTPSOnlyUtils.cpp
@@ -691,7 +691,8 @@ bool nsHTTPSOnlyUtils::CouldBeHttpsOnlyError(nsIChannel* aChannel,
 }
 /* static */
-bool nsHTTPSOnlyUtils::TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal) {
+bool nsHTTPSOnlyUtils::TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal,
+ bool aCheckForHTTPSFirst) {
 static nsCOMPtr sPermMgr;
 if (!sPermMgr) {
 sPermMgr = mozilla::components::PermissionManager::Service();
@@ -705,7 +706,11 @@ bool nsHTTPSOnlyUtils::TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal) {
 NS_ENSURE_SUCCESS(rv, false);
 return perm == nsIHttpsOnlyModePermission::LOAD_INSECURE_ALLOW ||
- perm == nsIHttpsOnlyModePermission::LOAD_INSECURE_ALLOW_SESSION;
+ perm == nsIHttpsOnlyModePermission::LOAD_INSECURE_ALLOW_SESSION ||
+ (aCheckForHTTPSFirst &&
+ (perm == nsIHttpsOnlyModePermission::HTTPSFIRST_LOAD_INSECURE_ALLOW ||
+ perm == nsIHttpsOnlyModePermission::
+ HTTPSFIRST_LOAD_INSECURE_ALLOW_SESSION));
 }
 /* static */
@@ -744,7 +749,8 @@ void nsHTTPSOnlyUtils::TestSitePermissionAndPotentiallyAddExemption(
 NS_ENSURE_SUCCESS_VOID(rv);
 uint32_t httpsOnlyStatus = loadInfo->GetHttpsOnlyStatus();
- bool isPrincipalExempt = TestIfPrincipalIsExempt(principal);
+ bool isPrincipalExempt = TestIfPrincipalIsExempt(
+ principal, isHttpsFirst || isSchemelessHttpsFirst);
 if (isPrincipalExempt) {
 httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_EXEMPT;
 } else {
diff --git a/dom/security/nsHTTPSOnlyUtils.h b/dom/security/nsHTTPSOnlyUtils.h
index d582e62f36f8..cd23af3aecee 100644
--- a/dom/security/nsHTTPSOnlyUtils.h
+++ b/dom/security/nsHTTPSOnlyUtils.h
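Review bot: In the `TestIfPrincipalIsExempt(principal, isHttpsFirst || isSchemelessHttpsFirst)` call, nothing visible in the hunk guarantees that the flag is false when HTTPS-Only Mode governs the load, yet the result is folded into `nsILoadInfo::HTTPS_ONLY_EXEMPT` either way. Both booleans are computed outside the hunk, so the invariant may already hold; if it does, state it at the call site, e.g. `// Both flags are false while HTTPS-Only Mode is enabled, so HTTPS-First-only exemptions never exempt an HTTPS-Only load.` If it does not hold, a site whose stored permission is `HTTPSFIRST_LOAD_INSECURE_ALLOW` would skip the HTTPS-Only upgrade, and the argument should additionally require that HTTPS-Only Mode is off. The enclosing function starts and ends outside the hunk.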
@@ -132,7 +132,8 @@ class nsHTTPSOnlyUtils {
 * @param aPrincipal The principal for whom the exception should be checked
 * @return True if exempt
 */
- static bool TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal);
+ static bool TestIfPrincipalIsExempt(nsIPrincipal* aPrincipal,
+ bool aCheckForHTTPSFirst = false);
 /**
 * Tests if the HTTPS-Only Mode upgrade exception is set for channel result
diff --git a/dom/security/nsIHttpsOnlyModePermission.idl b/dom/security/nsIHttpsOnlyModePermission.idl
index 7eabdb67151e..42d8bf01194a 100644
--- a/dom/security/nsIHttpsOnlyModePermission.idl
+++ b/dom/security/nsIHttpsOnlyModePermission.idl
@@ -3,8 +3,9 @@
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "nsISupports.idl"
+
 /**
- * An interface to test for cookie permissions
+ * HTTPS-Only/First permission types
 */
 [scriptable, uuid(73f4f039-d6ff-41a7-9eb3-00db57b0b7f4)]
 interface nsIHttpsOnlyModePermission : nsISupports
@@ -23,4 +24,12 @@ interface nsIHttpsOnlyModePermission : nsISupports
 * any methods on this interface.
 */
 const uint32_t LOAD_INSECURE_ALLOW_SESSION = 9;
+ /**
+ * While LOAD_INSECURE_ALLOW and LOAD_INSECURE_ALLOW_SESSION apply to both
+ * HTTPS-Only and HTTPS-First, the following two values work analogous, but
+ * only apply to HTTPS-First. Permissions with these values set will not be
+ * displayed in the UI.
+ */
+ const uint32_t HTTPSFIRST_LOAD_INSECURE_ALLOW = 10;
+ const uint32_t HTTPSFIRST_LOAD_INSECURE_ALLOW_SESSION = 11;
 };
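Review bot: The doc comment above the `TestIfPrincipalIsExempt` declaration still documents only `aPrincipal`; the new `aCheckForHTTPSFirst` parameter has no `@param` line. I would add `* @param aCheckForHTTPSFirst If true, the HTTPS-First-only permission values also count as an exemption (default: false)`. Because the default is `false`, any caller that omits the argument ignores the new values, so the comment should say that HTTPS-First code paths must pass it explicitly. The comment block begins outside the hunk.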
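Review bot: The new comment in the `@@ -23,4 +24,12 @@` hunk says permissions with values 10 and 11 are not displayed in the UI, but it does not say what sets them or how they are removed. `HTTPSFIRST_LOAD_INSECURE_ALLOW` is the non-session variant, so it presumably persists the way `LOAD_INSECURE_ALLOW` does; an upgrade exemption the user cannot see or revoke from the permissions UI deserves a sentence on its lifetime and on which data-clearing path removes it. The two constants also share a single comment; giving each its own short comment stating session versus persistent scope would make the difference explicit. Minor wording: `work analogous` should read `work analogously`.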