The CTPolicyManager assumes that file URLs will always be forced to host-less versions when interacting with the blacklist manager. However, this isn't part of the API contract of that, as file:// URLs can totally contain hosts, and it's up to the policy manager to make decisions on which URL schemes it cares about and how it extracts hosts.