HSTS differences

Posted: Tue Sep 27, 2011 10:19 pm
by dhouwn
According to the initial post of https://bugzilla.mozilla.org/show_bug.cgi?id=689608, the HSTS implementation of NoScript (and Chrome) differs from Firefox's native implementation in that it respects HSTS for sites with self-signed certificates, and a Firefox dev explains the rationale behind doing it differently.
Therefore

Re: HSTS differences

Posted: Tue Sep 27, 2011 10:46 pm
by Giorgio Maone
NoScript considers a self-signed certificate which the user has already chosen to import (trust) like any other one (in fact, it doesn't cause any "error" message in Firefox either).

Re: HSTS differences

Posted: Wed Sep 28, 2011 7:51 am
by drc
What about the draft https://tools.ietf.org/html/draft-ietf- ... ort-sec-02 specifying the exact behavior in the case of a self-signed certificate, which differs from "the user accepting it through a UI" and so from the NoScript implementation?
I also agree that if a user accepts a certificate he must know what he is doing, but in the case of a malicious site that presents a crafted cert, it is possible that the legit site would be DoSed, wouldn't it?
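To make the two behaviours discussed in this thread concrete, here is a small added model (not NoScript's or Firefox's code) of a user agent's HSTS decision. The `noscript` policy follows Giorgio's description (a certificate chaining to an anchor the user imported is treated like any other valid certificate); the `strict` policy assumes, as this thread does not state it, that such a chain still counts as a transport error for a Known HSTS Host and therefore fails hard with no click-through, which is also what happens to a crafted certificate presented for a known host.

```python
import re
from enum import Enum

class Decision(Enum):
    CONNECT = "connect"           # secure transport established
    HARD_FAIL = "hard_fail"       # terminate with no user recourse (HSTS rule)
    PROMPT_USER = "prompt_user"   # ordinary certificate-error page with click-through

class HstsStore:
    """Known HSTS Hosts, learned from Strict-Transport-Security response headers."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def process_header(self, host, header, now):
        m = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.I)
        if not m:
            return False  # max-age is mandatory; a malformed header is ignored
        max_age = int(m.group(1))
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the UA to forget the host
        else:
            sub = re.search(r'(^|;)\s*includeSubDomains\s*(;|$)', header, re.I) is not None
            self.hosts[host] = (now + max_age, sub)
        return True

    def is_known(self, host, now):
        for known, (expiry, sub) in self.hosts.items():
            if now < expiry and (host == known or (sub and host.endswith("." + known))):
                return True
        return False

def decide(store, host, trusted_via, user_override, policy, now):
    """trusted_via: 'builtin' (chains to the built-in root store), 'user_imported'
    (chains only to an anchor the user imported, e.g. a self-signed cert) or None
    (no valid chain). user_override: a stored click-through exception for this cert.
    policy: 'strict' (assumed hard-fail reading of the draft) or 'noscript'."""
    if trusted_via == "builtin":
        return Decision.CONNECT
    # NoScript treats an imported (trusted) self-signed cert like any other valid one.
    if policy == "noscript" and trusted_via == "user_imported":
        return Decision.CONNECT
    if store.is_known(host, now):
        # Known HSTS Host: any transport error is fatal; an existing override is ignored.
        return Decision.HARD_FAIL
    return Decision.CONNECT if user_override else Decision.PROMPT_USER
```

The hard-fail branch is the denial-of-service drc describes: while an attacker on the path presents a crafted certificate for a known host, neither policy offers the user a way through, and the site is reachable again only once the legitimate certificate is served.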