I have a local server serving HTTPS using a self-signed certificate. It does not serve http. The certificate is issued with cn=host1.subdomain1.domain1. The server is reachable under name host2, too. If I open https://host2 I get warnings, but I can define an exception for the certificate and can access the servers content. The server does not and did never return an HSTS header. If I access the server via https://host1.subdomain1.domain1, Firefox gives a HSTS warning and doesn't allow an exception. It is possible that servers at domain1 or subdomain1.domain1 delivered HSTS headers. Possibly they applied to sub-domains, too.
But: Even after clearing history and about:permissions entries, the behaviour is the same. So, where does the HSTS information come from?